mirror of
https://github.com/OpenVPN/openvpn.git
synced 2026-05-28 04:03:29 -04:00
version.m4, ChangeLog, Changes.rst
1604 lines
68 KiB
Text
OpenVPN ChangeLog
Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>

2026.04.22 -- Version 2.6.20

Arne Schwabe (2):
      DCO Linux: Fix setting DCO ifmode failing on big endian archs
      Ensure that buffer of freed session are not used

Frank Lichtenheld (2):
      auth-pam: fix discards 'const' qualifier from pointer target type
      openvpnmsica: Fix setting of iTicks in schedule_adapter_delete

Gert Doering (4):
      configure.ac: adjust to native inotify support for FreeBSD 15+
      dco_freebsd: use AF_LOCAL sockets for ioctl() communication with DCO driver
      Fix copyright line in README
      OpenVPN Release 2.6.20

Ralf Lici (5):
      management: stop bytecount on client disconnection
      doc: fix client-nat syntax and examples
      dco: port core/context infrastructure needed for backport of commit 7791f53
      dco: backport immediate notification processing on Linux and FreeBSD
      dco-linux: enforce ifindex only for DEL_PEER notifications

Rudi Heitbaum (2):
      ntlm: fix discards 'const' qualifier from pointer target type
      dns: fix discards 'const' qualifier from pointer target type

Steffan Karger (1):
      tls-crypt-v2: Avoid interpreting opcode as part of WKc

2026.02.04 -- Version 2.6.19

Arne Schwabe (1):
      Add missing header in unit tests Makefile.am


2026.02.04 -- Version 2.6.18

Arne Schwabe (1):
      Ensure that all unit tests use unbuffered stdout and stderr

Brandon Currell (1):
      Add check for bind-dev in DCO options

Frank Lichtenheld (6):
      configure: Try to use pkg-config to detect mbedTLS
      configure.ac: Remove use of PKCS11_HELPER_LIBS in mbedTLS checks
      tests: Allow to override openvpn binary used
      multi: Warn about failing read in multi_process_file_closed()
      tests/unit_tests: Port to cmocka 2.0.0 API
      manage: Do not trigger actions on management disconnect if not authenticated

Gert Doering (2):
      Repair interaction between DCO and persist-tun after reconnection
      tunnel_server_*(): close correct inotify fd

Klemens Nanni (1):
      Prevent crash on invalid server-ipv6 argument

Lev Stipakov (1):
      tun.c: set IPv4 address temporary on Windows

Selva Nair (1):
      pull-filter: improve documentation

2025.11.28 -- Version 2.6.17

Lev Stipakov (1):
      interactive.c: harden pipe handling against misbehaving clients

Selva Nair (3):
      vcpkg-ports/pkcs11-helper: bump version to 1.31
      Harden interactive service pipe
      Restrict access to the service pipe to SYSTEM and owner

2025.11.17 -- Version 2.6.16

Antonio Quartulli (1):
      sitnl: set FD_CLOEXEC on socket to prevent abuse

Arne Schwabe (4):
      Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
      fix key_state_gen_auth_control_files probably checking file creation
      Fix construction of invalid pointer in tls_pre_decrypt
      Fix memcmp check for the hmac verification in the 3way handshake being inverted

Christian Kujau (2):
      doc: Fix hyperlinks in openvpn(8)
      doc: HTTPS upgrades and URL fixes throughout the tree

Frank Lichtenheld (2):
      route: Fix a unused-but-set-variable warning on OpenBSD
      route: Add #endif comment for uncrustify compliance

Heiko Hund (2):
      iservice: check return value of MultiByteToWideChar
      iservice: use interface index with netsh

Joshua Rogers (1):
      tcp: apply CLOEXEC to accepted socket, not listener

Selva Nair (2):
      openvpnserv: Disallow stdin as config unless user is authorized
      Use correct undo_list when clearing DNS addresses

Steffan Karger (1):
      ssl_mbedtls: fix missing perf_pop() call

2025.09.22 -- Version 2.6.15

Antonio Quartulli (1):
      dco: add standard mi prefix handling to multi_process_incoming_dco()

Arne Schwabe (1):
      Check message id/acked ids too when doing sessionid cookie checks

Frank Lichtenheld (6):
      GHA: Pin version of CMake for MinGW build
      GHA: Dependency and Actions update April 2025 (2.6)
      GHA: Update dependencies July 2025 (2.6)
      Fix compiler warning in reliable.c with --disable-debug
      dco linux: avoid redefining ovpn enums (2.6)
      Update text of GPL to latest version from FSF

Gert Doering (7):
      unit_tests/plugins/auth-pam: fix stdint.h related build error on fedora 42
      Remove use of 'dh dh2048.pem' from sample configs, remove 'dh2048.pem' file
      replace assert() calls with ASSERT()
      remove newline characters at the end of msg() calls
      fix building of openvpnsrvmsg.dll from eventmsg.mc in mingw builds
      Fix t_net.sh / networking_testdriver after 'broadcast' change
      preparing release 2.6.15

Klemens Nanni (1):
      Fix tmp-dir documentation

Kristof Provost (1):
      dco: support float notifications on FreeBSD

Lev Stipakov (6):
      dco-win: Ensure correct OVERLAPPED scope
      win: replace wmic invocation with powershell
      openvpnserv: Fix writing messages to the event log
      Validate DNS domain name before powershell invocation
      Makefile: fix 'make dist'
      GHA: collect more artifacts for mingw builds

Ralf Lici (1):
      dco: backport OS-independent part of peer float support

Sebastian Marsching (1):
      Bugfix: Set broadcast address on interface.

rein.vanbaaren (1):
      Fix MBEDTLS_DEPRECATED_REMOVED build errors

2025.04.02 -- Version 2.6.14

Arne Schwabe (1):
      Allow tls-crypt-v2 to be setup only on initial packet of a session

Frank Lichtenheld (3):
      GHA: Drop Ubuntu 20.04 and other maintenance (2.6)
      crypto_backend: fix type of enc parameter
      Fix compatibility with mbedTLS 2.28.10+ and 3.6.3+

Qingfang Deng (1):
      dco: fix source IP selection when multihome

2025.01.15 -- Version 2.6.13

Arne Schwabe (2):
      Refuse clients if username or password is longer than USER_PASS_LEN
      Improve peer fingerprint documentation

Ben Boeckel (1):
      console_systemd: remove the timeout when using 'systemd-ask-password'

Frank Lichtenheld (5):
      Fix missing spaces in various messages
      GHA: Update macOS runners
      GHA: Simplify macOS builds
      Various typo fixes
      forward: Fix potential unaligned access in drop_if_recursive_routing

Gert Doering (2):
      send uname() release as IV_PLAT_VER= on non-windows versions
      preparing release 2.6.13

Gianmarco De Gregori (1):
      Route: remove incorrect routes on exit

Lev Stipakov (1):
      Use a more robust way to get dco-win version

Ralf Lici (1):
      Fix check_addr_clash argument order

Rémi Farault (1):
      Add calls to nvlist_destroy to avoid leaks

Selva Nair (3):
      proxy.c: Clear sensitive data after use
      Protect cached username, password and token on client
      Fix more of uninitialized struct user_pass local vars

corubba (2):
      Fix IPv6 in port-share journal
      Fix port-share journal doc

2024.07.17 -- Version 2.6.12

Arne Schwabe (1):
      Allow trailing \r and \n in control channel message

Frank Lichtenheld (1):
      configure: Try to detect LZO with pkg-config

Gianmarco De Gregori (1):
      Http-proxy: fix bug preventing proxy credentials caching


2024.06.20 -- Version 2.6.11

5andr0 (1):
      Implement server_poll_timeout for socks

Arne Schwabe (6):
      Use snprintf instead of sprintf for get_ssl_library_version
      Add bracket in fingerprint message and do not warn about missing verification
      Replace macos11 with macos14 in github runners
      Only run coverity scan in OpenVPN/OpenVPN repository
      Workaround issue in LibreSSL crashing when enumerating digests/ciphers
      Properly handle null bytes and invalid characters in control messages

Franco Fichtner (1):
      Allow to set ifmode for existing DCO interfaces in FreeBSD

Frank Lichtenheld (6):
      samples: Update sample configurations
      documentation: make section levels consistent
      phase2_tcp_server: fix Coverity issue 'Dereference after null check'
      script-options.rst: Update ifconfig_* variables
      LZO: do not use lzoutils.h macros
      Remove "experimental" denotation for --fast-io

Heiko Wundram (1):
      Implement Windows CA template match for Crypto-API selector

Lev Stipakov (2):
      misc.c: remove unused code
      interactive.c: Improve access control for gui<->service pipe

Reynir Björnsson (1):
      Only schedule_exit() once

2024.03.20 -- Version 2.6.10

Christoph Schug (1):
      Update documentation references in systemd unit files

Frank Lichtenheld (6):
      Fix typo --data-cipher-fallback
      samples: Remove tls-*.conf
      check_compression_settings_valid: Do not test for LZ4 in LZO check
      t_client.sh: Allow to skip tests
      Update Copyright statements to 2024
      GHA: general update March 2024

Lev Stipakov (4):
      win32: Enforce loading of plugins from a trusted directory
      interactive.c: disable remote access to the service pipe
      interactive.c: Fix potential stack overflow issue
      Disable DCO if proxy is set via management

Martin Rys (1):
      openvpn-[client|server].service: Remove syslog.target

Max Fillinger (1):
      Remove license warning from README.mbedtls

Selva Nair (1):
      Document that auth-user-pass may be inlined

wellweek (1):
      remove repetitive words in documentation and comments

2024.02.11 -- Version 2.6.9

Arne Schwabe (15):
      Remove unused function prototype crypto_adjust_frame_parameters
      Log SSL alerts more prominently
      Document tls-exit option mainly as test option
      Remove TEST_GET_DEFAULT_GATEWAY as it duplicates --show-gateway
      Fix check_session_buf_not_used using wrong index
      Add missing check for nl_socket_alloc failure
      Add check for nice in cmake config
      Remove compat versionhelpers.h and remove cmake/configure check for it
      Extend the error message when TLS 1.0 PRF fails
      Fix unaligned access in macOS, FreeBSD, Solaris hwaddr
      Check PRF availability on initialisation and add --force-tls-key-material-export
      Make it more explicit and visible when pkg-config is not found
      Clarify that the tls-crypt-v2-verify has a very limited env set
      Implement the --tls-export-cert feature
      Remove conditional text for Apache2 linking exception

David Sommerseth (2):
      Remove --tls-export-cert
      Remove superfluous x509_write_pem()

Frank Lichtenheld (14):
      sample-keys: renew for the next 10 years
      GHA: clean up libressl builds with newer libressl
      configure.ac: Remove unused AC_TYPE_SIGNAL macro
      documentation: remove reference to removed option --show-proxy-settings
      unit_tests: remove includes for mock_msg.h
      documentation: improve documentation of --x509-track
      NTLM: add length check to add_security_buffer
      NTLM: increase size of phase 2 response we can handle
      proxy-options.rst: Add proper documentation for --http-proxy-user-pass
      buf_string_match_head_str: Fix Coverity issue 'Unsigned compared against 0'
      --http-proxy-user-pass: allow to specify in either order with --http-proxy
      README.cmake.md: Document minimum required CMake version for --preset
      documentation: Update and fix documentation for --push-peer-info
      documentation: Fixes for previous fixes to --push-peer-info

Gert Doering (4):
      OpenBSD: repair --show-gateway
      get_default_gateway() HWADDR overhaul
      fix uncrustify complaints about previous patch
      preparing release 2.6.9

Kristof Provost (1):
      dco-freebsd: dynamically re-allocate buffer if it's too small

Lev Stipakov (1):
      tun.c: don't attempt to delete DNS and WINS servers if they're not set

Marc Becker (1):
      vcpkg-ports/pkcs11-helper: bump to version 1.30

Max Fillinger (4):
      Add support for mbedtls 3.X.Y
      Update README.mbedtls
      Disable TLS 1.3 support with mbed TLS
      Enable key export with mbed TLS 3.x.y

Reynir Bjoernsson (1):
      protocol_dump: tls-crypt support

Steffan Karger (1):
      Fix IPv6 route add/delete message log level

yatta (1):
      fix(ssl): init peer_id when init tls_multi

2023.11.17 -- Version 2.6.8

Aquila Macedo (1):
      doc: Correct typos in multiple documentation files

Arne Schwabe (1):
      Do not check key_state buffers that are in S_UNDEF state

Frank Lichtenheld (1):
      platform.c: Do not depend Windows build on HAVE_CHDIR

Lev Stipakov (3):
      config.h: fix incorrect defines for _wopen()
      Make --dns options apply for tap-windows6 driver
      Warn if pushed options require DHCP


2023.11.08 -- Version 2.6.7

Antonio Quartulli (1):
      dco: fix crash when --multihome is used with --proto tcp

Arne Schwabe (8):
      Mock openvpn_exece on win32 also for test_tls_crypt
      Add warning for the --show-groups command that some groups are missing
      Print peer temporary key details
      Add warning if a p2p NCP client connects to a p2mp server
      Remove openssl engine method for loading the key
      Remove saving initial frame code
      Double check that we do not use a freed buffer when freeing a session
      Fix using to_link buffer after freed

Frank Lichtenheld (7):
      GHA: do not trigger builds in openvpn-build anymore
      GHA: new workflow to submit scan to Coverity Scan service
      buffer: use memcpy in buf_catrunc
      vcpkg-ports/pkcs11-helper: Backport MinGW series from master to release/2.6
      CMake: backport CMake buildsystem from master to release/2.6
      Remove all traces of the previous MSVC build system
      doc: fix argument name in --route-delay documentation

Heiko Hund (1):
      dns option: remove support for exclude-domains

Lev Stipakov (3):
      Warn user if INFO control command is too long
      dco-win: get driver version
      dco: warn if DATA_V1 packets are sent to userspace

Selva Nair (2):
      Make cert_data.h and test_cryptoapi/pkcs11.c MSVC compliant
      Log OpenSSL errors on failure to set certificate

orbea (1):
      configure: disable engines if OPENSSL_NO_ENGINE is defined

2023.08.14 -- Version 2.6.6

Antonio Quartulli (1):
      configure.ac: fix typ0 in LIBCAPNG_CFALGS

Arne Schwabe (8):
      Avoid unused function warning/error on FreeBSD (and potentially others)
      fix warning with gcc 12.2.0 (compiler bug?)
      Fix CR_RESPONSE management message using wrong key_id
      Print a more user-friendly error when tls-crypt-v2 client auth fails
      Ignore Ipv6 route delete request on Android and set ipv4 verbosity to 7
      Revert commit 423ced962d
      Implement using --peer-fingerprint without CA certificates
      show extra info for OpenSSL errors

David Sommerseth (1):
      ntlm: Clarify details on NTLM phase 3 decoding

Frank Lichtenheld (8):
      dist: add more missing files only used in the MSVC build
      dist: Include all documentation in distribution
      unit_tests: Add missing cert_data.h to source list for unit tests
      test_tls_crypt: Improve mock() usage to be more portable
      Remove old Travis CI related files
      options: Do not hide variables from parent scope
      pkcs11_openssl: Disable unused code
      route: Fix overriding return value of add_route3

George Pchelkin (1):
      fix typo: dhcp-options to dhcp-option in vpn-network-options.rst

Gert Doering (1):
      Make received OCC exit messages more visible in log.

Heiko Hund (1):
      work around false positive warning with mingw 12

Lev Stipakov (3):
      tun.c: enclose DNS domain in single quotes in WMIC call
      manage.c: document missing KID parameter
      Set WINS servers via interactive service

Sergey Korolev (1):
      dco-linux: fix counter print format

2023.06.13 -- Version 2.6.5

Arne Schwabe (1):
      Fix use-after-free with EVP_CIPHER_free

Frank Lichtenheld (6):
      dco_linux: properly close dco version file
      DCO: fix memory leak in dco_get_peer_stats_multi for Linux
      Fix two unused assignments
      sample-plugins: Fix memleak in client-connect example plugin
      options: remove --key-method from usage message
      msvc-generate: include version.m4.in in tarball

Ilya Shipitsin (1):
      src/openvpn/dco_freebsd.c: handle malloc failure

Lev Stipakov (2):
      dco-win: support for --dev-node
      tapctl: generate driver-specific adapter names

Selva Nair (2):
      Correctly handle Unicode names for exit event
      Interactive service: do not force a target desktop for openvpn.exe


2023.05.11 -- Version 2.6.4

Arne Schwabe (3):
      Remove unused variable line
      Add Apache2 linking with for new commits
      Fix compile error on TARGET_ANDROID

Frank Lichtenheld (2):
      man page: Remove cruft from --topology documentation
      tests: do not include t_client.sh in dist

Kristof Provost (1):
      DCO: support key rotation notifications

Michael Nix (1):
      fix typo in help text: --ignore-unknown-option

Selva Nair (2):
      Format Windows error message in Unicode
      Bugfix: dangling pointer passed to pkcs11-helper


2023.04.13 -- Version 2.6.3

Frank Lichtenheld (3):
      GHA: remove Ubuntu 18.04 builds
      vcpkg: request "tools" feature of openssl for MSVC build
      doc: run rst2* with --strict to catch warnings

Lev Stipakov (1):
      Support of DNS domain for DHCP-less drivers

Selva Nair (1):
      Bug-fix: segfault in dco_get_peer_stats()

2023.03.24 -- Version 2.6.2

Antonio Quartulli (6):
      dco: don't use NetLink to exchange control packets
      dco: print version to log if available
      dco-linux: remove M_ERRNO flag when printing netlink error message
      multi: don't call DCO APIs if DCO is disabled
      dco-freebsd: use m->instances[] instead of m->hash
      dco-linux: implement dco_get_peer_stats{, multi} API

Arne Schwabe (12):
      Set netlink socket to be non-blocking
      Ensure n = 2 is set in key2 struct in tls_crypt_v2_unwrap_client_key
      Fix memory leaks in open_tun_dco()
      Fix memory leaks in HMAC initial packet generation
      Use key_state instead of multi for tls_send_payload parameter
      Make sending plain text control message session aware
      Only update frame calculation if we have a valid link sockets
      Improve description of compat-mode
      Simplify --compress parsing in options.c
      Refuse connection if server pushes an option contradicting allow-compress
      Add 'allow-compression stub-only' internally for DCO
      Parse compression options and bail out when compression is disabled

Frank Lichtenheld (1):
      tests/unit_tests: Fix 'make distcheck' with subdir-objects enabled

Gert Doering (1):
      preparing release 2.6.2

Heiko Hund (1):
      dns option: allow up to eight addresses per server

Kristof Provost (1):
      dco: print FreeBSD version

Lev Stipakov (4):
      Support --inactive option for DCO
      Fix '--inactive <time> 0' behavior for DCO
      Print DCO client stats on SIGUSR2
      Don't overwrite socket flags when using DCO on Windows

Michael Baentsch (1):
      using OpenSSL3 API for EVP PKEY type name reporting

Selva Nair (8):
      Bugfix: Convert ECDSA signature from pkcs11-helper to DER encoded form
      Import some sample certificates into Windows store for testing
      Add tests for finding certificates in Windows cert store
      Refactor SSL_CTX_use_CryptoAPI_certificate()
      Add a test for signing with certificates in Windows store
      Unit tests: add test for SSL_CTX_use_Cryptoapi_certificate()
      Improve error message on short read from socks proxy
      Make error in setting metric for IPv6 interface non-fatal

2023.03.08 -- Version 2.6.1

Arne Schwabe (13):
      Fix unaligned access in auth-token
      Update LibreSSL to 3.7.0 in Github actions
      Add printing USAN stack trace on github actions
      Fix LibreSSL not building in Github Actions
      Add missing stdint.h includes in unit tests files
      Combine extra_tun/frame parameter of frame_calculate_payload_overhead
      Update the last sections in the man page to be a bit less outdated
      Add building unit tests with mingw to github actions
      Revise the cipher negotiation info about OpenVPN3 in the man page
      Exit with a proper message instead of segfault on Android without management
      Use proper print format/casting when converting msg_channel handle
      Reduce initialisation spam from verb <= 3 and print summary instead
      Dynamic tls-crypt for secure soft_reset/session renegotiation

Frank Lichtenheld (8):
      Changes.rst: document removal of --keysize
      Windows: fix unused function setenv_foreign_option
      Windows: fix unused variables in delete_route_ipv6
      Windows: fix wrong printf format in x_check_status
      Windows: fix unused variable in win32_get_arch
      configure: enable DCO by default on FreeBSD/Linux
      Windows: fix signedness errors with recv/send
      configure: fix formatting of --disable-lz4 and --enable-comp-stub

Gert Doering (2):
      Get rid of unused 'bool tuntap_buffer' arguments.
      FreeBSD 12.x workaround for IPv6 ifconfig is needed on 12.4 as well

Kristof Provost (3):
      options.c: enforce a minimal fragment size
      configure: improve FreeBSD DCO check
      dco: define OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT on FreeBSD

Lev Stipakov (6):
      Allow certain DHCP options to be used without DHCP server
      dco-win: use proper calling convention on x86
      Improve format specifier for socket handle in Windows
      Disable DCO if proxy is set via management
      Add logging for windows driver selection process
      Avoid management log loop with verb >= 6

Matthias Andree (1):
      make dist: Ship ovpn_dco_freebsd.h, too

Selva Nair (9):
      block-dns using iservice: fix a potential double free
      Conditionally add subdir-objects option to automake
      Build unit tests in mingw Windows build
      cryptoapi.c: log the selected certificate's name
      cryptoapi.c: remove pre OpenSSL-3.01 support
      cryptoapi.c: simplify parsing of thumbprint hex string
      Option --cryptoapicert: support issuer name as a selector
      Add a unit test for functions in cryptoapi.c
      Do not save pointer to 'struct passwd' returned by getpwnam etc.

2023.01.25 -- Version 2.6.0

Antonio Quartulli (1):
      dco_linux: update license for ovpn_dco_linux.h

Arne Schwabe (1):
      Workaround: make ovpn-dco more reliable

Gert Doering (3):
      Fix OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT breakage on FreeBSD+DCO
      Repair special-casing of EEXIST for Linux/SITNL route install
      preparing release 2.6.0

Lev Stipakov (3):
      openvpnmsica: remove dco installer custom actions
      openvpnmsica: remove unused declarations
      openvpnmsica: fix adapters discovery logic for DCO

Selva Nair (4):
      Define and use macros for route addition status code
      Warn when pkcs11-id or pkcs11-id-management options are ignored
      Cleanup route error and debug logging on Windows
      Fix one more 'existing route may get deleted' case

Timo Rothenpieler (1):
      Don't clear capability bounding set on capng_change_id


2023.01.12 -- Version 2.6_rc2

Antonio Quartulli (4):
      dco: properly re-initialize dco_del_peer_reason
      dco: bail out when no peer-specific message is delivered
      dco: improve comment about hidden debug message
      dco: print proper message in case of transport disconnection

Arne Schwabe (3):
      Add connect-freq-initial option to limit initial connection responses
      Log peer-id if loglevel is D_DCO_DEBUG and dco is enabled
      Deprecate OCC checking

Frank Lichtenheld (7):
      options.c: fix format security error when compiling without optimization
      options.c: update usage description of --cipher
      Update copyright year to 2023
      xkey_pkcs11h_sign: fix dangling pointer
      options: Always define options->management_flags
      check_engine_keys: make pass with OpenSSL 3
      documentation: update 'unsupported options' section

Gert Doering (3):
      Undo FreeBSD 12.x workaround on IPv6 ifconfig for 12.4 and up
      Reduce logspam about 'dco_update_keys: peer_id=-1' in p2p server mode
      preparing release 2.6_rc2

Lev Stipakov (1):
      tun: move print_windows_driver() out of tun.h

Selva Nair (11):
      Properly unmap ring buffer file-map in interactive service
      Use undo_lists for saving ring-buffer handles in interactive service
      Cleanup: Close duplicated handles in interactive service
      Preparing for better signal handling: some code refactoring
      Refactor signal handling in openvpn_getaddrinfo
      Use IPAPI for setting ipv6 routes when iservice not available
      Fix signal handling on Windows
      Assign and honour signal priority order
      Distinguish route addition errors from route already exists
      Propagate route error to initialization_completed()
      Include CE_DISABLED status of remote in "remote-entry-get" response

2022.12.29 -- Version 2.6_rc1

Arne Schwabe (17):
      Ensure that argument to parse_line has always space for final sentinel
      Improve documentation on user/password requirement and unicodize function
      Eliminate or comment empty blocks and switch fallthrough
      Remove unused gc_arena
      Fix corner case that might lead to leaked file descriptor
      Deprecate NTLMv1 proxy auth method.
      Use include "buffer.h" instead of include <buffer.h>
      Ensure that dco keepalive and mssfix options are also set in pure p2p mode
      Make management password check constant time
      Rename TM_UNTRUSTED to TM_INITIAL, always start session in TM_INITIAL rather than TM_ACTIVE or TM_INITIAL
      Move dco_installed back to link_socket from link_socket.info.actual
      Do not set nl socket buffer size
      Also drop incoming dco packet content when dropping the packet
      Improve logging when seeing a message for an unknown peer
      Ignore OVPN_DEL_PEER_REASON_USERSPACE to avoid race conditions
      Replace custom min macro and use more C99 style in man_remote_entry_get
      Replace realloc with new gc_realloc function

David Sommerseth (1):
      ssl_verify: Fix memleak if creating deferred auth control files fails

Gert Doering (1):
      bandaid fix for TCP multipoint server crash with Linux-DCO

Lev Stipakov (2):
      git-version.py: proper support for tags
      msvc: upgrade to Visual Studio 2022

Selva Nair (7):
      Reduce default restart pause to 1 second
      Do not include auth-token in pulled option digest
      Persist DCO client data channel traffic stats on restart
      Add remote-count and remote-entry query via management
      Permit unlimited connection entries and remotes
      Use a template for 'unsupported management commands' error
      Allow skipping multiple remotes via management interface

2022.12.15 -- Version 2.6_beta2
|
|
|
|
Antonio Quartulli (1):
|
|
disable DCO if --secret is specified
|
|
|
|
Arne Schwabe (7):
|
|
Fix connection cookie not including address and fix endianness in test
|
|
Fix unit test of test_pkt on little endian Linux
|
|
Disable DCO when TLS mode is not used
|
|
Ignore connection attempts while server is shutting down
|
|
Improve debug logging of DCO swap key message and Linux dco_new_peer
|
|
Trigger a USR1 if dco_update_keys fails
|
|
Set DCO_NOT_INSTALLED also for keys not in the get_key_scan range
|
|
|
|
Frank Lichtenheld (1):
|
|
ChangeLog: Fix encoding
|
|
|
|
Kristof Provost (4):
|
|
Read DCO traffic stats from the kernel
|
|
dco: Update counters when a client disconnects
|
|
Read the peer deletion reason from the kernel
|
|
dco: cleanup FreeBSD dco_do_read()
|
|
|
|
Lev Stipakov (3):
      Rename dco_get_peer_stats to dco_get_peer_stats_multi
      management: add timer to output BYTECOUNT
      Introduce dco_get_peer_stats API and Windows implementation

Marc Becker (4):
      unify code path for adding PKCS#11 providers
      use new pkcs11-helper interface to add providers
      special handling for PKCS11 providers on win32
      vcpkg-ports/pkcs11-helper: support loader flags

Max Fillinger (2):
      Correct tls-crypt-v2 metadata length in man page
      Fix message for too long tls-crypt-v2 metadata


2022.12.01 -- Version 2.6_beta1

Adrian (1):
      Fix error in example firewall.sh script

Antonio Quartulli (99):
      tun.c: remove unused variable
      openssl: fix EVP_PKEY_CTX memory leak
      openssl: avoid NULL pointer dereference
      ssl: remove unneeded if block
      options: check for blanks in fingerprints and reject string if found
      crypto: respect ECB argument type from prototype
      Add documentation on EVENT_READ/EVENT_WRITE constants
      windows: use appropriate and portable format specifier for 64bit pointer
      windows: define variable only where used
      windows: list all enum values in switch block
      forward: get rid of useless declarations for actually static functions
      mbedtls: do not define mbedtls_ctr_drbg_update_ret when not needed
      route.c: pass the right parameter to IN6_IS_ADDR_UNSPECIFIED
      man/protocol-options: add missing ending metachar
      compat-mode: allow user to specify version to be compatible with
      reject compression by default
      Remove support for PF (Packet Filter)
      configure: search also for rst2{man, html}.py
      multi: remove extra brackets in multi_process_incoming_link()
      do not include --cipher value in data-ciphers
      compat-mode: add --data-cipher-fallback automatically if requested
      Set TLS 1.2 as minimum by default
      doc: fix indentation in protocol-options.rst
      networking: add and implement net_addr_ll_set() API
      networking: add missing brackets
      set_lladdr: use networking API net_addr_ll_set() on Linux
      configure: remove useless -Wno-* from default CFLAGS
      options.c: fix version reported in --cipher warning message
      doc/cipher-negotiation.rst: avoid warning by fixing indentation
      doc: remove PF leftovers from documentation
      sig.c: define signal_handler on non-windows only
      GitHub Actions: ensure Ubuntu builds are made with the chosen SSL library
      ssl.c: use arrow operator to access object member
      use 'static inline' instead of 'inline static'
      GitHub Actions: add other config flavours
      unit-test: fix test_crypto when USE_COMP is not defined
      update copyright year to 2022
      keyingmaterialexporter.c: include strings.h
      crypto: move validation logic from cipher_get to cipher_valid
      crypto: move OpenSSL specific FIPS check to its backend
      Get rid of README.IPv6 and TODO.IPv6
      auth_token/tls_crypt: fix usage of md_valid()
      crypto: unify key_type creation code
      remove unused sitnl.h file
      options: drop useless netmask variable
      networking: use OPENVPN_ETH_ALEN instead of ETH_ALEN
      networking: silence warnings about unused arguments
      networking_iproute2: don't pass M_WARN to openvpn_execve_check()
      networking: implement net_iface_new and net_iface_del APIs
      t_net.sh: delete dummy iface using iproute command
      auth-pam.c: add missing include limits.h
      dco: introduce low-level code for handling ovpn-dco in the Linux kernel
      dco: add helper function to detect if DCO is enabled or not
      dco: create DCO interface using SITNL
      tls-crypt-v2: bail out if the client key is too small
      dco: use specific metric when installing routes
      networking: fix doc for net_iface_new() API
      options: don't export local function pre_connect_save()
      networking_sitnl: always return negative error code in case of failure
      networking: add net_iface_type API
      tun: create tun_name_is_fixed helper
      dco: add option check - disable DCO if conflict is detected
      dco: allow user to disable it at runtime
      GitHub Actions: add Linux DCO build (on Ubuntu 20.04)
      dco: introduce open_tun_dco_generic() to open dynamic or fixed-name DCO devices
      dco: initialize context and save pointer in TLS object
      dco: configure keys in DCO right after generating them
      disable DCO if no --dev was specified
      dco: periodically check and possibly rotate/delete keys
      dco: split option parsing routines
      push: fix compilation with --disable-management and --enable-werror
      dco: check that pulled options are compatible
      dco: implement dco support for p2p/client code path
      dco: add documentation for ovpn-dco-linux
      dco: implement dco support for p2mp/server code path
      dco: perform pull options check only if we pulled any option
      dco: disable DCO if --allow-compress yes/asym was specified
      dco: turn supported ciphers list into a function
      do_open_tun: restyle 'can preserve TUN' check
      do_close_tun: get rid of one level of indentation
      ovpn-dco: print some netlink messages to debug level
      dco: move message to DCO debug level and reword a bit
      dco: properly name variables
      dco: don't pass VPN IPs to NEW_PEER API in P2P mode
      dco-win: ensure the DCO API is not used when running on Windows
      ssl_util: fix prototype style
      dco: move availability check to the end of check_option_conflict() function
      dco-win: introduce low-level code for handling ovpn-dco-win in Windows
      dco-win: check for incompatible options
      dco-win: implement ovpn-dco support in P2P Windows code path
      dco-win: add documentation to README.dco.md
      dco-win: update GH Actions config file
      dco: trigger ping timeout event only if the peer expired
      delete_routes(_ipv6): avoid memleak if RT_DEFINED is not set
      solaris/open_tun: prevent crash when dev is empty string
      do not push route-ipv6 entries that are also in the iroute-ipv6 list
      auth-user-pass: add support for inline credentials
      get_user_pass_cr: get password from stdin if missing inline
      close_tun: print interface type consistently in message

Arne Schwabe (289):
      Fix client's poor man NCP fallback
      Refactor key_state_export_keying_material functions
      Fix compilation with older mbed TLS versions (mbedtls_tls_prf_types undefined)
      Fix client NCP OCC fallback when server and client cipher are identical
      Move openvpn specific key expansion into its own function
      Allow 'none' cipher being specified in --data-ciphers
      Implement generating data channel keys via EKM/RFC 5705
      Ignore deprecation warning for daemon on macOS
      Add function for common env setting of verify user/pass calls
      Inline function tls_get_peer_info
      Align reliable_free with other free methods to accept NULL
      Remove NULL checks before calling free
      Remove explicit setting of peer_id to false
      Remove --disable-def-auth configure argument
      Replace key_scan array of static pointers with inline function
      Add more documentation about our internal TLS functions
      Improve keys out of sync message
      Clean up tls_authentication_status and document it
      Rename DECRYPT_KEY_ENABLED to TLS_AUTHENTICATED
      Send AUTH_FAILED message to clients on renegotiation failures
      Make any auth failure tls_authentication_status return auth failed
      Fix auth-token not being updated if auth-nocache is set
      Remove auth_user_pass.wait_for_push variable
      Fix port-share option with TLS-Crypt v2
      Zero initialise msghdr prior to calling sendmsg
      Fix tls-auth mismatch OCC message when tls-cryptv2 is used.
      Remove inetd support from OpenVPN
      Change pull request timeout use a timeout rather than a number
      Check return values in md_ctx_init and hmac_ctx_init
      Implement client side handling of AUTH_PENDING message
      Introduce management client state for AUTH_PENDING notifications
      Add S_EXITCODE flag for openvpn_run_script to report exit code
      Prefer TLS libraries TLS PRF function, fix OpenVPN in FIPS mode
      Implement server side of AUTH_PENDING with extending timeout
      Refactor extract_var_peer_info into standalone function and add ssl_util.c
      Change parameter of send_auth_pending_messages from context to tls_multi
      Allow pending auth to be sent from an auth plugin
      Avoid generating unnecessary mbed debug messages
      Add README.wolfssl documenting the state of WolfSSL in OpenVPN
      Fix multiple problems when compiling with LLVM/Windows (clang-cl)
      Move extract_iv_proto to ssl_util.c/h
      Extend verify-hash to allow multiple hashes
      Implement peer-fingerprint to check fingerprint of peer certificate
      Document the simple self-signed certificate setup in examples
      Deprecate the --verify-hash option
      Remove empty dummy functions
      Move restoring pre pull options to initialising of c2 context
      Move NCP saving and restore to the prepush restore code
      Restore also ping related options on a reconnect
      Make buffer related function conversion explicit when narrowing
      Fix socket related functions using int instead of socket_descriptor_t
      Use correct types for OpenSSL and Windows APIs
      Cleanup print_details and add signature/ED certificate print
      Remove flexible array member autoconf check
      Remove support for non ISO C99 vararg support
      Fix #elif TARGET_LINUX missing defined() call
      Remove superfluous ifdefs around enum like defines
      Rename tunnel_server_udp_single_threaded to tunnel_server_udp
      Remove code for aligning non-swapped compression
      Remove pointless tun_adjust_frame_parameters function
      Remove unused field txqueuelen from struct tuntap
      Remove unused function tls_test_auth_deferred_interval
      Remove unused variable pass_config_info
      Move is_proto function to the socket.h header
      Implement '--compress migrate' to migrate to non-compression setup
      Remove thread_mode field of multi_context
      Extract multi_assign_peer_id into its own function
      Remove do_init_socket_2 and do_init_socket_1 wrapper function
      Always disable TLS renegotiations
      Allow running a default configuration with TLS libraries without BF-CBC
      Deprecate non TLS mode in OpenVPN
      Remove deprecated option '--keysize'
      Move auth deferred related members into its own struct
      log file descriptor in more socket related error messages
      Fix async push broken after auth deferred refactor
      Remove conditionals compilation for P2MP, ENABLE_SHAPER and TIME_BACKTRACK_PROTECTION
      Remove check for socket functions and Win XP compatibility code
      Remove checks for uint* types that are part of C99
      Remove a number of checks for functions/headers that are always present
      Use EVP_CTRL_AEAD_* instead EVP_CTRL_GCM_*
      Remove OpenSSL configure checks
      Always save/restore pull options
      Also restore/save compress related options in reconnects
      Also restore/save route-gateway options on SIGUSR1 reconnects
      Remove LibreSSL specific defines not needed for modern LibreSSL
      Add parsing of dhcp-option PROXY_HTTP
      Ensure using const variables with EVP_PKEY_get0_*
      Move context_auth from context_2 to tls_multi and name it multi_state
      Fix condition to generate session keys
      Remove always enabled USE_64_BIT_COUNTERS define
      Fix a number of mingw warnings
      Move tls_select_primary_key into its own function
      Allow all GCM ciphers
      Change options->data_channel_use_ekm to flags
      Implement deferred auth for scripts
      Use functions to access key_state instead direct member access
      Avoid failing_test unused warning in example_test
      Move direct.h header where it is used
      Replace OS_SPECIFIC_DIRSEP with PATH_SEPARATOR
      Remove a number of platform specific checks in configure.ac
      Remove --disable-multihome option
      Remove support for blocking connect()
      Fix memory leak in misc unit test
      Fix binary and (&) used in auth-token check instead of logical and (&&)
      Add missing free_key_ctx for auth_token
      Remove explicit struct iovec check (HAVE_IOVEC)
      Remove getpeername, getpid check
      Inline do_init_auth_token_key
      Add noreturn attribute for MSVC to assert_failed method.
      Move utility function from win32.c to win32-util.c
      Document stub-v2 being basically an alias for no compression at all
      Return cached result in tls_authentication_status
      Use exponential backoff for caching in tls_authentication_status
      Add github actions
      Silence warning about format string in check_ca_required
      Implement auth-token-user
      Move auth_token_state from multi to key_state
      Add connection_established as state in tls_multi->context_auth
      Make waiting on auth an explicit state in the context state machine
      Ensure tls session is authenticated before sending push reply
      Extracting key_state deferred auth status update into function
      Move examples into openvpn-examples(5) man page
      Introduce S_GENERATED_KEYS state and generate keys only when authenticated
      Fix tls-cert-profile broken on OpenSSL 1.1+
      Cleanup handling of initial auth token
      Remove --ncp-disable option
      Add detailed man page section to setup a OpenVPN setup with peer-fingerprint
      Support NCP in pure P2P VPN setups
      Remove unistd.h from unit test
      Introduce webauth auth pending method and deprecate openurl
      Include Chacha20-Poly1305 into default --data-ciphers when available
      Detect unusable ciphers on patched OpenSSL of RHEL/Centos
      Fix Ubuntu spelling and duplicate run in Github Actions
      Add message when decoding PKCS12 file fails.
      Add small unit test for testing HMAC
      Deprecate --ecdh-curve with OpenSSL 3.0 and adjust mbed TLS message
      Use EVP_PKEY based API for loading DH keys
      Remove DES check with OpenSSL 3.0
      Remove DES key fixup code
      Do not allow CTS ciphers
      Use new EVP_MAC API for HMAC implementation
      Add --with-openssl-engine autoconf option (auto|yes|no)
      Use EVP_PKEY_get_group_name to query group name
      Replace EVP_get_cipherbyname with EVP_CIPHER_fetch
      Use EVP_MD_get0_name instead EV_MD_name
      Remove dependency on BF-CBC existence from test_ncp
      Implement DES ECB encrypt via EVP_CIPHER api
      Fix error when BF-CBC is not available
      Fix function name in DH error message
      Add insecure tls-cert-profile options
      Remove custom PRNG function
      Completely remove DES checks
      Refactor early initialisation and uninitialisation into methods
      Use TYPE_do_all_provided function for listing cipher/digest
      Add macos OpenSSL 3.0 and ASAN builds
      Allow loading of non default providers
      Move IV_TCPNL from comp_generate_peer_info_string to push_peer_info
      Implement optional cipher in --data-ciphers prefixed with ?
      Directly use hardcoded OPENVPN_AEAD_TAG_LENGTH instead lookup
      Remove cipher_kt_var_key_size and remaining --keysize documentation
      Remove cipher_ctx_get_cipher_kt and replace with direct context calls
      Remove key_type->cipher_length field
      Remove key_type->hmac_length
      Fix handling an optional invalid cipher at the end of data-ciphers
      Make --nobind default for --pull
      Remove ENABLE_CRYPTO_OPENSSL ifdef inside ENABLE_CRYPTO_OPENSSL ifdef
      Remove max_size from buffer_list_new
      Add argv_insert_head__empty_argv__head_only to argv tests
      Remove cipher_kt_t and change type to const char* in API
      Move deprecation of SWEET32/64bit block size ciphers to 2.7
      Adjust cipher-negotiation.rst with compat-mode changes
      Remove md_kt_t and change crypto API to use const char*
      Initialise kt_cipher even when no crypto is enabled
      Remove align_adjust frame code
      Fix triggering assertion of ks->authenticated after tls_deauthenticate
      Document frame related function and variables a bit more
      Remove post_open_mtu code
      Make github actions names nicer, include Ubuntu18+OpenSSL 1.0.2
      Add helper functions to calculate header/payload sizes
      Decouple MSS fix calculation from frame calculation
      Rework occ link-mtu calculation
      Remove pointless do_init_frame_tls function
      Remove BUFFER_LIST_AGGREGATE_TEST test code
      Deprecate link-mtu
      Fix mssfix and frame calculation in CBC mode
      Change buffer allocation calculation and checks to be more static
      Fix datagram_overhead and assorted functions
      Implement optional mtu parameter for mssfix
      Remove link_mtu parameter when running up/down scripts
      Replace TUN_MTU_SIZE with frame->tun_mtu
      Change the default for mssfix to mssfix 1492 mtu
      Add mtu parameter to --fragment and change fragment calculation
      Update fragment and mssfix related warnings
      Use new frame header methods to calculate OCC_MTU_LOAD payload size
      Remove extra_link from frame
      Remove frame->link_mtu
      Remove frame.extra_frame and frame.extra_buffer
      Default to --cipher BF-CBC if not set and compat-mode < 2.4.0
      Fix 'defined but not used' warnings with enable-small/disable-management
      Add Werror to github action ubuntu build
      Add better documentation for CAS_* states
      Add unit test for mssfix with compression involved
      Remove FRAME_HEADROOM, PAYLOAD_SIZE, EXTRA_FRAME and TUN_LINK_DELTA macros
      Fix mbed TLS compile if OpenSSL headers are not available
      Remove unused function cipher_var_key_size
      Implement fixed MSS value for mssfix and use it for non default MTUs
      networking: remove duplicate methods from networking_sitnl.c
      Remove dead PID_TEST code
      Remove inc_pid argument from reliable_mark_deleted that is always true
      Remove EXPONENTIAL_BACKOFF define
      Remove tls_init_control_channel_frame_parameters wrapper function
      Add documentation for swap_hmac function
      Make buf_write_u8/16/32 take the type they pretend to take
      Move pre decrypt lite check to its own function
      Extend tls_pre_decrypt_lite to return type of packet and keep state
      Move ssl function related to control channel wrap/unwrap to ssl_pkt.c/h
      Add unit tests for test_tls_decrypt_lite
      Split out reliable_ack_parse from reliable_ack_read
      Refactor tls-auth/tls-crypt wrapping into its own function
      Extract session_move_pre_start as own function, use local buffer variable
      Change FULL_SYNC macro to no_pending_reliable_packets function
      Extract session_move_active into its own function
      Move tls_process_state into its own function
      Remove pointless indentation from tls_process.
      Move CRL reload to key_state_init from S_START transition
      Change reliable_get_buf_sequenced to reliable_get_entry_sequenced
      Implement constructing a control channel reset client as standalone function
      Implement stateless HMAC-based session-id three-way-handshake
      Extract read_incoming_tls_ciphertext into function
      Fix format specifier for printing size_t on 32bit size_t platforms
      Remove workaround for Android 4.4
      Implement HMAC based session id for tls-crypt v2
      Optimise three-way handshake condition for S_PRE_START to S_START
      Extract read_incoming_tls_plaintext into its own function
      Add uncrustify check to github actions
      Add ubuntu 22.04 to Github Actions
      Implement ED448 and ED25519 support in xkey_provider
      Translate OpenSSL 3.0 digest names to OpenSSL 1.1 digest names
      Fix client-pending-auth error message to say ERROR instead of SUCCESS
      Remove useless empty line from CR_RESPONSE message
      Remove leftover frame_set_mtu_dynamic definitions in mtu.h
      Inline frame_add_to_extra_tun function and remove frame_defined
      tun: extract close_tun_handle into its own function and print correct type
      Error out if both remap-usr1 SIGHUP and config stdin are used
      Fix segfault when no --config argument is given
      Extract check_session_cipher into standalone function
      Cleanup receive_auth_failed and simplify method
      Fix IV_PLAT_VER and UV_ variables sent without push-peer-info
      Rename OPT_P_IPWIN32 to OPT_P_DHCPDNS and include --dns in it
      Include DCO status in GLOBAL_STATS status v2 output
      Github Actions: Add libreSSL actions
      Include libressl and macOS 12 to macOS github actions
      Fix declaration of pubkeys in test_provider.c in MSVC builds
      Change command help to match man page and implementation
      Implement --client-crresponse script options and plugin interface
      Add example script demonstrating TOTP via auth-pending
      Add OpenSSL 3.0 to mingw build
      Update android.txt to reflect more recent changes.
      Allow scripts and plugins to set a custom AUTH_FAILED message
      Implement exit notification via control channel
      Implement AUTH_FAIL, TEMP message support
      Document/cleanup event_timeout functions
      Fix OpenVPN querying user/password if auth-token with user expires
      Enable -Werror on macOS builds
      Ensure only CBC, CFB, OFB and AEAD ciphers are considered valid data ciphers
      Change exit signal in P2P to be a SIGUSR1 and delayed CC exit in P2MP
      Allow Authtoken lifetime to be shorter than renegotiation time
      Allow renegotiation only to start if session is fully established
      Fix renewal spelling and actually allow external-auth with renewal time
      Fix regression of ignoring --user
      Refactor/optimise code sending TLS control channel messages
      Add unit test for reliable_get_num_output_sequenced_available
      Allow setting control channel packet size with max-packet-size
      Always include ACKs for the last seen control packets
      Add workaround for Softether server dropping P_ACK_V1 with >= 5 acks
      Improve data key id not found error message
      Add packet type in accept/reject messages for HMAC packet
      Fix md_kt_size in mbed TLS when queried for size of "none"
      Add algorithm and bits used in key_print2 method and refactor method
      Remove unused addr_inet4or6, addr_guess_family and inline addr_copy_sa
      Allow tun-mtu to be pushed
      Push server mtu to client when supported and support occ mtu
      Fix logic error in checking early negotiation support check
      Move dco_installed from sock->info to sock->info.lsa.actual
      Use dedicated multi->dco_peer_id for DCO instead of multi->peer_id
      Add section about common error with OpenVPN 2.6 and OpenSSL 3.0
      Introduce connection state for reconnecting peer in p2p
      Signal USR1 when connection initialising fails
      Allow reconnecting in p2p mode to work under FreeBSD

Camille Guérin (1):
      Removed error message for an option flag not supported with --server-ipv6

David Korczynski (1):
      Fix argv leaks in add_route() and add_route_ipv6()

David Sommerseth (18):
      man: Add missing --server-ipv6
      man: Improve --remote entry
      sample-plugins: Partially autotoolize the sample-plugins build
      build: Fix make distclean/distcheck
      compat/lz4: Update to v1.9.2
      build: Fix missing install of man page in certain environments
      build: Remove compat-lz4
      Update copyrights
      doc: Use generic rules for man/html generation
      man: Clarify IV_HWADDR
      crypto: Fix OPENSSL_FIPS enabled builds
      sample-plugin: New plugin for testing multiple auth plugins
      plugins: Remove defer/simple.c sample plugin
      plug-ins: Disallow multiple deferred authentication plug-ins
      dev-tools: Remove no longer needed openvpn-plugin.h.in patching
      dev-tools: Remove uncrustify -p
      dev-tools: Avoid uncrustify mangling MAC_FMT macro
      The Great Reformatting of 2022

Dmitry Zelenkovsky (1):
      implement --session-timeout

Domagoj Pensa (3):
      Fix too early argv freeing when registering DNS
      Remove 1 second delay before running netsh
      Skip DHCP renew with Wintun adapter

Eric Thorpe (1):
      Fixes a bug in management_callback_send_cc_message, should be strlen instead of sizeof

Frank Lichtenheld (18):
      doc/Makefile: rebuild rst docs if input files change
      doc: fix misc documentation issues
      doc/options: clean up documentation for --proto and related options
      Reformat for sp_after_comma=add
      uncrustify: add sp_after_comma=add
      uncrustify: have exactly one newline at the end of files
      t_client: Allow to force FAIL on prerequisite fails
      systemd: remove generated service files on clean
      Reduce usage of __DATE__
      config-version.h: remove unused includes
      t_client.sh: do not require fping6
      doc: cleanup for --data-ciphers and related
      test_crypto: fix test_occ_mtu_calculation with --disable-fragment
      msvc: always call git-version.py
      GitHub Issues: add note to Changes as well
      GitHub Issues: add new links to INSTALL and README
      GitHub Issues: Create first issue template (Bug)
      documentation: avoid recommending --user nobody

Gert Doering (67):
      Change version.m4 to 2.6_git
      Fix stack overflow in OpenSolaris NEXTADDR()
      Workaround FreeBSD 12+ race condition on tun/tap open with IPv6.
      Document that --push-remove is generally more suitable than --push-reset
      Fix error detection / abort in --inetd corner case.
      Fix TUNSETGROUP compatibility with very old Linux systems.
      Fix handling of 'route remote_host' for IPv6 transport case.
      Replace 'echo -n' with 'printf' in tests/t_lpback.sh
      Fix description of --client-disconnect calling convention in manpage.
      Handle NULL returns from calloc() in sample plugins.
      Fix --show-gateway for IPv6 on NetBSD/i386.
      socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes
      Fix netbits setting (in TAP mode) for IPv6 on Windows.
      If IPv6 pool specification sets pool start to ::0 address, increment.
      Add demo plugin that exercises "CLIENT_CONNECT" and "CLIENT_CONNECT_V2" paths
      Fix combination of --dev tap and --topology subnet across multiple platforms.
      Fix redirecting of IPv4 default gateway if connecting over IPv6.
      Fix compilation on pre-EKM mbedTLS libraries.
      Avoid passing NULL to argv_printf_cat() in temp_file error case.
      Change travis build scripts to use https when fetching prerequisites.
      Fix line number reporting on config file errors after <inline> segments
      Clarify --block-ipv6 intent and direction.
      Document common uses of 'echo' directive, re-enable logging for 'echo'.
      Make OPENVPN_PLUGIN_ENABLE_PF failures FATAL
      clean up / rewrite sample-plugins/defer/simple.c
      Fix EVP_PKEY_CTX_... compilation with LibreSSL
      Require at least 100MB of mlock()-able memory if --mlock is used.
      Get rid of last PLUGIN_DEF_AUTH #ifdef
      Fix 'compress migrate' for 2.2 clients.
      Fix potential NULL ptr crash if compiled with DMALLOC
      Repair --secret deprecation warning.
      rewrite parse_hash_fingerprint()
      Ignore leading whitespace and comment lines for peer-fingerprint.
      Add error reporting to get_console_input_win32().
      Ignore --explicit-exit-notify in TCP mode.
      Use more C99 initialization in add_route/add_route_ipv6().
      Include --push-remove in the output of --help.
      Move '--push-peer-info' documentation from 'server' to 'client options'
      add test case(s) to notice 'openvpn --show-cipher' crashing
      Repair --inactive with 'bytes' argument larger than 2Gbytes.
      Fix --mtu-disc maybe|yes on Linux.
      Fix trailing-whitespace errors in last patch.
      Exclude the last two whitespace-only uncrustify fixes from git blame output.
      Implement --mtu-disc for IPv6 UDP sockets.
      Fix non-compliant whitespace introduced by commit 54800aa975418fe35.
      Pass proper sockaddr_* structure for IPv6 socket errors.
      Fix error message about extended errors for IPv4-only sockets.
      Break 'try 256 dco devices' loop on EPERM
      Cleanup: get rid of 'dynamic' argument of open_tun_generic()
      Remove outdated information from ChangeLog, point at release branches.
      Apply uncrustify changes that were forgotten in the last patch.
      Apply uncrustify changes that were forgotten in the FreeBSD DCO 1/2 patch.
      FreeBSD-DCO: repair device iteration to find first free interface.
      DCO: require valid netbits setting for non-primary iroutes.
      Adjust Linux+FreeBSD DCO device name handling to 'non DCO linux style'
      cleanup open_tun() for TARGET_NETBSD
      t_client: add per-instance arguments to fping
      introduce V= level to manage t_client.sh output verbosity
      un-break undo_ifconfig_ipv4()/_ipv6() on all non-linux/non-win32 platforms
      use boolean '||' to join two bools, not bitwise '|'
      denoise tests/t_lpback.sh
      FreeBSD: for topology subnet, put tun interface into IFF_BROADCAST mode
      FreeBSD DCO: introduce real subnet mode
      Improve documentation for --dev and --dev-node.
      Update PORTS
      rework INSTALL and README to prepare for 2.6 release
      Preparing release 2.6_beta1

Greg Cox (5):
      Fix naming error in sample-plugins/defer/simple.c
      Documentation fixes around openvpn_plugin_func_v3 in openvpn-plugin.h.in
      Update openvpn_plugin_func_v2 to _v3 in sample-plugins/defer/simple.c
      More explicit versioning compatibility in sample-plugins/defer/simple.c
      Explain structver usage in sample defer plugin.

Heiko Hund (10):
      add support for --dns option
      Add git pre-commit hook script to uncrustify
      pre-commit: uncrustify based on staged changes
      remove foreign_option() call for IPv6 DNS servers
      remove dead foreign-option parsing code
      rename foreign_option() and move it up
      doc: fix literal block in tls-options.rst
      dns: also (re)place foreign dhcp options in env
      signal --dns support in peer info
      make %x destination unsigned

Ilya Ponetayev (1):
      fix compilation issues with small and w/o debug

Ilya Shipitsin (2):
      CI: github actions: keep "pdb" in artifacts
      BUILD: enable CFG and Spectre mitigation for MSVC

Jan Mikkelsen (1):
      cipher-negotiation.rst missing from doc/Makefile.am

Jan Seeger (1):
      Added 'route_ipv6_metric_NN' environment variable for IPv6 route metric.

Jason A. Donenfeld (1):
      Support fingerprint authentication without CA certificate

Jeff (1):
      duplicate function declaration.

Juliusz Sosinowicz (4):
      EVP_DigestSignFinal siglen parameter correction
      Support for wolfSSL in OpenVPN
      build: Add support for pkg-config < 0.28 for old autoconf versions
      README.wolfssl Update

Kristof Provost (6):
      Handle exceeding 'max-clients'
      ovpn-dco: introduce FreeBSD data-channel offload support
      Support creating iroute route entries on FreeBSD
      FreeBSD networking cleanup
      FreeBSD DCO: support AES-192-GCM
      dco: pass control packets through the socket on FreeBSD

Lev Stipakov (68):
      tun.c: enable using wintun driver under SYSTEM
      openvpnmsica: make adapter renaming non-fatal
      msvc: better support for 32bit architecture
      Alias ADAPTER_DOMAIN_SUFFIX to DOMAIN
      ssl_common.h: fix 'not all control paths return a value' msvc warning
      Remove compat-lz4 references from VS project files
      tapctl: support for ovpn-dco Windows driver
      msvc: add ARM64 configuration
      win32: add missing include header
      openvpnmsica: properly schedule reboot in the end of installation
      options.c: fix msvc build error
      msvc: standalone building
      contrib/vcpkg-ports: add pkcs11-helper port
      vcpkg-ports: restore trailing whitespaces in .patch files
      GitHub actions: add MSVC build
      crypto_openssl.c: disable explicit initialization on Windows (CVE-2121-3606)
      contrib/vcpkg-ports: add openssl port with --no-autoload-config option set (CVE-2121-3606)
      Fix console prompts with redirected log
      GitHub Actions: fix MSVC builds
      contrib/vcpkg-ports: remove openssl port
      Add building man page on Windows
      GitHub Actions: remove Ubuntu 16.04 environment
      Fix loading PKCS12 files on Windows
      msvc: fix product version display
      config-msvc.h: fix OpenSSL-related defines
      GitHub Actions: use latest working lukka/run-vcpkg
      Use network address for emulated DHCP server as a default
      Load OpenSSL config on Windows from trusted location
      ring_buffer.h: fix GCC warning about unused function
      ssh_openssl.h: remove unused declaration
      vcpkg/pkcs11-helper: compatibility with latest vcpkg
      config-msvc.h: indicate key material export support
      auth_token.c: add NULL initialization
      tun: remove tun_finalize()
      vcpkg-ports/pkcs11-helper: bump to release 1.28
      vcpkg-ports/pkcs11-helper: indicate OpenSSL EC support
      xkey: fix msvc build
      msvc: switch to openssl3
      msvc: cleanup
      vcpkg: link lzo statically
      openvpnmsica: add ovpn-dco custom actions
      vcpkg-ports/pkcs11-helper: adapt to new upstream URL
      vcpkg-ports\pkcs11-helper: shorten patch filename
      vcpkg-ports\openssl3: update to 3.0.2
      Fix incorrect default mssfix value in server mode
      msvc: adjust build options to harden binaries
      vcpkg: switch to manifest
      Fix M_ERRNO behavior on Windows
      GitHub Actions: trigger openvpn-build GHA on success
      Set o->use_peer_id flag for p2p mode
      openvpnmsica: remove OpenVPNService state check code
      tun.c: remove unused gc_arena from init_tun()
      error.c: remove unused crash() function
      tun: properly handle device interface list
      dco.h: fix return type when DCO is not enabled
      dco-win: use run-time dynamic linking for GetOverlappedResultEx
      vcpkg: bump baseline version
      do_persist_tuntap: remove indentation level
      msvc: remove .filters files
      dco.c: check certain options only on startup
      Use DCO on Windows by default
      doc: add "ovpn-dco" to usage and man page
      dco-win: support for --persist-tun
      msvc: add branch name and commit hash to version output
      vcpkg: use the latest versions of dependency ports
      win32: detect arm64 architecture and emulations
      INSTALL: update Windows notes
      dco: disable dco on Windows if --remote is not defined

Magnus Kroken (2):
|
|
doc: fix typos in cipher-negotiation.rst
|
|
Changes.rst: fix mistyped option names
|
|
|
|
Marc Becker (2):
|
|
vcpkg-ports/pkcs11-helper: bump to release 1.29
|
|
fix GitHub workflow working directories in MinGW builds
|
|
|
|
Martin Janů (1):
|
|
Update the replay-window backtrack log message
|
|
|
|
Matthias Andree (1):
|
|
Fix SIGSEGV (NULL deref) receiving push "echo"
|
|
|
|
Max Fillinger (15):
|
|
Wipe Socks5 credentials after use
|
|
Fix build with mbedtls w/o SSL renegotiation support
|
|
In init_ssl, open the correct CRL path pre-chroot
|
|
Abort if CRL file can't be stat-ed in ssl_init
|
|
Update Fox e-mail address in copyright notices
|
|
Replace deprecated mbedtls DRBG update function
|
|
Fix build with compression disabled
|
|
Don't manually free DH params in OpenSSL 3
|
|
Remove unused havege.h header
|
|
Don't use BF-CBC in unit tests if we don't have it
|
|
Add warning about mbed TLS licensing problem
|
|
Don't "undo" ifconfig on exit if it wasn't done
|
|
Update openssl_compat.h for newer LibreSSL
|
|
Handle EVP_MD_CTX as an opaque struct
|
|
Check if pkcs11_cert is NULL before freeing it
|
|
|
|
Michael Baentsch (1):
|
|
Enable usage of TLS groups not identified by a NID in OpenSSL 3
|
|
|
|
Paolo Cerrito (1):
|
|
Insert client connection data into PAM environment
|
|
|
|
Richard Bonhomme (6):
|
|
Improve error msg when all TAP adapters are in use 'or disabled'
|
|
Man page sections corrections
|
|
Do not print Diffie Hellman parameters file to log file
|
|
Log messages: Replace NCP with --data-ciphers (NFC)
|
|
doc link-options.rst: Use free open-source dynamic-DNS provider URL
|
|
doc/protocol-options.rst: Correct default for --allow-compression
|
|
|
|
Saifur Rahman Mohsin (1):
|
|
Ignore deprecation warning for daemon() on macOS (plugin/auth-pam)
|
|
|
|
Selva Nair (64):
|
|
Improve the documentation for --dhcp-option
|
|
In tap.c use DiInstallDevice to install the driver on a new adapter
|
|
Add a remark on dropping privileges when --mlock is used
|
|
Allow --dhcp-option in config file when windows-driver is wintun
|
|
Set DNS Domain using iservice
|
|
Improve documentation of --username-as-common-name
|
|
Quote the domain name argument passed to the wmic command
|
|
Remove automatic service
|
|
tun.c on WIN32: remove more unused variables
|
|
Make it explicit that WIndows build requires UNICODE support
|
|
Use C standard compliant format specs in wprintf functions
|
|
Print format spec changes for tapctl and openvpnmscia
|
|
Replace TEXT(__FUNCTION__) by __FUNCTION__ in openvpnmscia.c
|
|
Fix parsing of IV_SSO string
|
|
Do not require CA when peer-fingerprint is used
|
|
Improve documentation of AUTH_PENDING related directives
|
|
Apply the connect-retry backoff to only one side of a connection
|
|
Fix client-pending-auth help message in management interface
|
|
Minor doc correction: tls-crypt-v2 key generation
|
|
Fix the "default" tls-version-min setting
|
|
Fix some more wrong defines in config-msvc.h
|
|
Require Windows CNG keys for cryptoapicert
|
|
Remove error injection into OpenSSL from cryptoapi.c
|
|
Require EC key support in Windows builds
|
|
Ensure the current common_name is in the environment for scripts
|
|
Avoid memory leak in hmac_ctx_new (OpenSSL 3.0 only)
|
|
Fix tls-version-min default once again
|
|
A built-in provider for using external key with OpenSSL 3.0
|
|
Implement KEYMGMT in the xkey provider
|
|
Implement SIGNATURE operations in xkey provider
|
|
Implement import of custom external keys
|
|
Initialize the xkey provider and use it in SSL context
|
|
A helper function to import private key for management-external-key
|
|
Add xkey_provider sources and includes to MSVC project
|
|
Enable signing via provider for management-external-key
|
|
Add a function to encode digests with PKCS1 DigestInfo wrapper
|
|
Allow management client to announce pss padding support
|
|
Respect algorithm support announced by management client
|
|
Support sending DigestSign request to management client
|
|
Increase ERR_BUF_SIZE when management interface support is enabled
|
|
Add a generic key loading helper function for xkey provider
|
|
pkcs11: Interface the xkey provider with pkcs11-helper
|
|
Enable signing using CNG through xkey provider
|
|
Add a unit test for external key provider
|
|
xkey: Use a custom error level for debug messages
|
|
Fix max saltlen calculation in cryptoapi.c
|
|
Support PSS signing using pkcs11-helper >= 1.28
|
|
Do not error when md_kt_size() is called with mdname="none"
|
|
Fix a potential memory leak in tls_ctx_use_management_external_key
|
|
pkcs11_openssl.c: check EVP_get_digestbyname() != NULL
|
|
Fix crash in xkey-provider in msvc builds
|
|
Remove management_write_peer_info_file and related code
|
|
Log the actual management interface port in use
|
|
Log address of management client on accept
|
|
In x_check_status() read errno early
|
|
xkey_provider: fix building with --disable-management
|
|
Do not skip ERROR:/SUCCESS: response from management interface
|
|
Allow a few levels of recursion in virtual_output_callback()
|
|
Fix auth-token usage with management-def-auth
|
|
Ensure --auth-nocache is handled during renegotiation
|
|
Purge auth-token as well while purging passwords
|
|
Do not copy auth_token username to itself
|
|
Do not add leading space to pushed options
|
|
pull-filter: ignore leading "spaces" in option names
|
|
|
|
Sergio E. Nemirowski (1):
|
|
resolvconf fails with -p
|
|
|
|
Simon Rozman (9):
|
|
iservice: Resolve MSVC C4996 warnings
|
|
openvpnserv: Cache last error before it is overridden
|
|
netsh: Specify interfaces by index rather than name
|
|
netsh: Clear existing IPv6 DNS servers before configuring new ones
|
|
netsh: Delete WINS servers on TUN close
|
|
openvpnmsica: Simplify find_adapters() to void return
|
|
tun.c: Remove dead code
|
|
interactive.c: Resolve MSVC C4996 warning
|
|
tapctl: Resolve MSVC C4996 warnings
|
|
|
|
Steffan Karger (5):
|
|
networking_iproute2: fix memory leak in net_iface_mtu_set()
|
|
Simplify key material exporter backend API
|
|
tls-crypt-v2: fix server memory leak
|
|
tls-crypt-v2: also preload tls-crypt-v2 keys (if --persist-key)
|
|
reliable: retransmit if 3 follow-up ACKs are received
|
|
|
|
Timo Rothenpieler (5):
|
|
Linux: Retain CAP_NET_ADMIN when dropping privileges
|
|
GitHub Actions: Add new libcap-ng-dev dependency
|
|
Github Actions: update used actions
|
|
dco: disable DCO if --user specified but unable to retain capabilities
|
|
dco: turn platform config checks into separate function
|
|
|
|
Todd Zullinger (2):
|
|
Update IRC information in CONTRIBUTING.rst
|
|
doc/man (vpn-network-options): fix foreign_option_{n} typo
|
|
|
|
Tõivo Leedjärv (1):
|
|
Stop using deprecated getpass()
|
|
|
|
Ville Skyttä (1):
|
|
README.down-root: Fix plugin module name
|
|
|
|
Vladislav Grishenko (8):
|
|
Fix best gateway selection over netlink
|
|
Fix fatal error at switching remotes (#629)
|
|
Fix update_time() and openvpn_gettimeofday() coexistence
|
|
Selectively reformat too long lines
|
|
Speedup TCP remote hosts connections
|
|
Support X509 field list to be username
|
|
Fix IPv4 default gateway with multiple route tables
|
|
Add CRL extractor script for --crl-verify dir mode
|
|
|