Tags give the ability to mark specific points in history as being important
  • v2.5.10
    fccae1fa · Preparing release 2.5.10 ·
    OpenVPN v2.5.10 release
    
    2024.03.21 -- Version 2.5.10
    
    Arne Schwabe (1):
          Add Apache2 linking with for new commits
    
    George Pchelkin (1):
          fix typo: dhcp-options to dhcp-option in vpn-network-options.rst
    
    Lev Stipakov (3):
          win32: Enforce loading of plugins from a trusted directory
          interactive.c: disable remote access to the service pipe
          interactive.c: Fix potential stack overflow issue
    
  • v2.6.10
    ba0f62fb · preparing release 2.6.10 ·
    OpenVPN Release v2.6.10
    
    2024.03.20 -- Version 2.6.10
    
    Christoph Schug (1):
          Update documentation references in systemd unit files
    
    Frank Lichtenheld (6):
          Fix typo --data-cipher-fallback
          samples: Remove tls-*.conf
          check_compression_settings_valid: Do not test for LZ4 in LZO check
          t_client.sh: Allow to skip tests
          Update Copyright statements to 2024
          GHA: general update March 2024
    
    Lev Stipakov (4):
          win32: Enforce loading of plugins from a trusted directory
          interactive.c: disable remote access to the service pipe
          interactive.c: Fix potential stack overflow issue
          Disable DCO if proxy is set via management
    
    Martin Rys (1):
          openvpn-[client|server].service: Remove syslog.target
    
    Max Fillinger (1):
          Remove license warning from README.mbedtls
    
    Selva Nair (1):
          Document that auth-user-pass may be inlined
    
    wellweek (1):
          remove repetitive words in documentation and comments
    
  • v2.6.9
    6640a10b · preparing release 2.6.9 ·
    OpenVPN Release v2.6.9
    
    2024.02.11 -- Version 2.6.9
    
    Arne Schwabe (15):
          Remove unused function prototype crypto_adjust_frame_parameters
          Log SSL alerts more prominently
          Document tls-exit option mainly as test option
          Remove TEST_GET_DEFAULT_GATEWAY as it duplicates --show-gateway
          Fix check_session_buf_not_used using wrong index
          Add missing check for nl_socket_alloc failure
          Add check for nice in cmake config
          Remove compat versionhelpers.h and remove cmake/configure check for it
          Extend the error message when TLS 1.0 PRF fails
          Fix unaligned access in macOS, FreeBSD, Solaris hwaddr
          Check PRF availability on initialisation and add --force-tls-key-material-export
          Make it more explicit and visible when pkg-config is not found
          Clarify that the tls-crypt-v2-verify has a very limited env set
          Implement the --tls-export-cert feature
          Remove conditional text for Apache2 linking exception
    
    David Sommerseth (2):
          Remove --tls-export-cert
          Remove superfluous x509_write_pem()
    
    Frank Lichtenheld (14):
          sample-keys: renew for the next 10 years
          GHA: clean up libressl builds with newer libressl
          configure.ac: Remove unused AC_TYPE_SIGNAL macro
          documentation: remove reference to removed option --show-proxy-settings
          unit_tests: remove includes for mock_msg.h
          documentation: improve documentation of --x509-track
          NTLM: add length check to add_security_buffer
          NTLM: increase size of phase 2 response we can handle
          proxy-options.rst: Add proper documentation for --http-proxy-user-pass
          buf_string_match_head_str: Fix Coverity issue 'Unsigned compared against 0'
          --http-proxy-user-pass: allow to specify in either order with --http-proxy
          README.cmake.md: Document minimum required CMake version for --preset
          documentation: Update and fix documentation for --push-peer-info
          documentation: Fixes for previous fixes to --push-peer-info
    
    Gert Doering (4):
          OpenBSD: repair --show-gateway
          get_default_gateway() HWADDR overhaul
          fix uncrustify complaints about previous patch
          preparing release 2.6.9
    
    Kristof Provost (1):
          dco-freebsd: dynamically re-allocate buffer if it's too small
    
    Lev Stipakov (1):
          tun.c: don't attempt to delete DNS and WINS servers if they're not set
    
    Marc Becker (1):
          vcpkg-ports/pkcs11-helper: bump to version 1.30
    
    Max Fillinger (4):
          Add support for mbedtls 3.X.Y
          Update README.mbedtls
          Disable TLS 1.3 support with mbed TLS
          Enable key export with mbed TLS 3.x.y
    
    Reynir Bjoernsson (1):
          protocol_dump: tls-crypt support
    
    Steffan Karger (1):
          Fix IPv6 route add/delete message log level
    
    yatta (1):
          fix(ssl): init peer_id when init tls_multi
    
  • v2.6.8
    3b0d9489 · preparing release 2.6.8 ·
    OpenVPN Release v2.6.8
    
    2023.11.17 -- Version 2.6.8
    
    Aquila Macedo (1):
          doc: Correct typos in multiple documentation files
    
    Arne Schwabe (1):
          Do not check key_state buffers that are in S_UNDEF state
    
    Frank Lichtenheld (1):
          platform.c: Do not depend Windows build on HAVE_CHDIR
    
    Lev Stipakov (3):
          config.h: fix incorrect defines for _wopen()
          Make --dns options apply for tap-windows6 driver
          Warn if pushed options require DHCP
    
  • v2.6.7
    53c90333 · preparing release 2.6.7 ·
    OpenVPN v2.6.7 release
    
    2023.11.08 -- Version 2.6.7
    
    Antonio Quartulli (1):
          dco: fix crash when --multihome is used with --proto tcp
    
    Arne Schwabe (8):
          Mock openvpn_exece on win32 also for test_tls_crypt
          Add warning for the --show-groups command that some groups are missing
          Print peer temporary key details
          Add warning if a p2p NCP client connects to a p2mp server
          Remove openssl engine method for loading the key
          Remove saving initial frame code
          Double check that we do not use a freed buffer when freeing a session
          Fix using to_link buffer after freed
    
    Frank Lichtenheld (7):
          GHA: do not trigger builds in openvpn-build anymore
          GHA: new workflow to submit scan to Coverity Scan service
          buffer: use memcpy in buf_catrunc
          vcpkg-ports/pkcs11-helper: Backport MinGW series from master to release/2.6
          CMake: backport CMake buildsystem from master to release/2.6
          Remove all traces of the previous MSVC build system
          doc: fix argument name in --route-delay documentation
    
    Heiko Hund (1):
          dns option: remove support for exclude-domains
    
    Lev Stipakov (3):
          Warn user if INFO control command is too long
          dco-win: get driver version
          dco: warn if DATA_V1 packets are sent to userspace
    
    Selva Nair (2):
          Make cert_data.h and test_cryptoapi/pkcs11.c MSVC compliant
          Log OpenSSL errors on failure to set certificate
    
    orbea (1):
          configure: disable engines if OPENSSL_NO_ENGINE is defined
    
  • v2.6.6
    c9540130 · preparing release 2.6.6 ·
    OpenVPN Release v2.6.6
    
    2023.08.14 -- Version 2.6.6
    
    Antonio Quartulli (1):
          configure.ac: fix typ0 in LIBCAPNG_CFALGS
    
    Arne Schwabe (8):
          Avoid unused function warning/error on FreeBSD (and potentially others)
          fix warning with gcc 12.2.0 (compiler bug?)
          Fix CR_RESPONSE management message using wrong key_id
          Print a more user-friendly error when tls-crypt-v2 client auth fails
          Ignore Ipv6 route delete request on Android and set ipv4 verbosity to 7
          Revert commit 423ced962d
          Implement using --peer-fingerprint without CA certificates
          show extra info for OpenSSL errors
    
    David Sommerseth (1):
          ntlm: Clarify details on NTLM phase 3 decoding
    
    Frank Lichtenheld (8):
          dist: add more missing files only used in the MSVC build
          dist: Include all documentation in distribution
          unit_tests: Add missing cert_data.h to source list for unit tests
          test_tls_crypt: Improve mock() usage to be more portable
          Remove old Travis CI related files
          options: Do not hide variables from parent scope
          pkcs11_openssl: Disable unused code
          route: Fix overriding return value of add_route3
    
    George Pchelkin (1):
          fix typo: dhcp-options to dhcp-option in vpn-network-options.rst
    
    Gert Doering (1):
          Make received OCC exit messages more visible in log.
    
    Heiko Hund (1):
          work around false positive warning with mingw 12
    
    Lev Stipakov (3):
          tun.c: enclose DNS domain in single quotes in WMIC call
          manage.c: document missing KID parameter
          Set WINS servers via interactive service
    
    Sergey Korolev (1):
          dco-linux: fix counter print format
    
  • v2.6.5
    cbc9e0ce · preparing release 2.6.5 ·
    OpenVPN v2.6.5 release
    
    2023.06.13 -- Version 2.6.5
    
    Arne Schwabe (1):
          Fix use-after-free with EVP_CIPHER_free
    
    Frank Lichtenheld (6):
          dco_linux: properly close dco version file
          DCO: fix memory leak in dco_get_peer_stats_multi for Linux
          Fix two unused assignments
          sample-plugins: Fix memleak in client-connect example plugin
          options: remove --key-method from usage message
          msvc-generate: include version.m4.in in tarball
    
    Ilya Shipitsin (1):
          src/openvpn/dco_freebsd.c: handle malloc failure
    
    Lev Stipakov (2):
          dco-win: support for --dev-node
          tapctl: generate driver-specific adapter names
    
    Selva Nair (2):
          Correctly handle Unicode names for exit event
          Interactive service: do not force a target desktop for openvpn.exe
    
  • v2.6.4
    b4f749f1 · preparing release 2.6.4 ·
    OpenVPN v2.6.4 release
    
    2023.05.11 -- Version 2.6.4
    
    Arne Schwabe (3):
          Remove unused variable line
          Add Apache2 linking with for new commits
          Fix compile error on TARGET_ANDROID
    
    Frank Lichtenheld (2):
          man page: Remove cruft from --topology documentation
          tests: do not include t_client.sh in dist
    
    Kristof Provost (1):
          DCO: support key rotation notifications
    
    Michael Nix (1):
          fix typo in help text: --ignore-unknown-option
    
    Selva Nair (2):
          Format Windows error message in Unicode
          Bugfix: dangling pointer passed to pkcs11-helper
    
  • v2.6.3
    94aad8c5 · preparing release 2.6.3 ·
    OpenVPN v2.6.3 release
    
    2023.04.13 -- Version 2.6.3
    
    Frank Lichtenheld (3):
          GHA: remove Ubuntu 18.04 builds
          vcpkg: request "tools" feature of openssl for MSVC build
          doc: run rst2* with --strict to catch warnings
    
    Lev Stipakov (1):
          Support of DNS domain for DHCP-less drivers
    
    Selva Nair (1):
          Bug-fix: segfault in dco_get_peer_stats()
    
  • v2.6.2
    35774425 · preparing release 2.6.2 ·
    OpenVPN v2.6.2 release
    
    2023.03.24 -- Version 2.6.2
    
    Antonio Quartulli (6):
          dco: don't use NetLink to exchange control packets
          dco: print version to log if available
          dco-linux: remove M_ERRNO flag when printing netlink error message
          multi: don't call DCO APIs if DCO is disabled
          dco-freebsd: use m->instances[] instead of m->hash
          dco-linux: implement dco_get_peer_stats{, multi} API
    
    Arne Schwabe (12):
          Set netlink socket to be non-blocking
          Ensure n = 2 is set in key2 struct in tls_crypt_v2_unwrap_client_key
          Fix memory leaks in open_tun_dco()
          Fix memory leaks in HMAC initial packet generation
          Use key_state instead of multi for tls_send_payload parameter
          Make sending plain text control message session aware
          Only update frame calculation if we have a valid link sockets
          Improve description of compat-mode
          Simplify --compress parsing in options.c
          Refuse connection if server pushes an option contradicting allow-compress
          Add 'allow-compression stub-only' internally for DCO
          Parse compression options and bail out when compression is disabled
    
    Frank Lichtenheld (1):
          tests/unit_tests: Fix 'make distcheck' with subdir-objects enabled
    
    Gert Doering (1):
          preparing release 2.6.2
    
    Heiko Hund (1):
          dns option: allow up to eight addresses per server
    
    Kristof Provost (1):
          dco: print FreeBSD version
    
    Lev Stipakov (4):
          Support --inactive option for DCO
          Fix '--inactive <time> 0' behavior for DCO
          Print DCO client stats on SIGUSR2
          Don't overwrite socket flags when using DCO on Windows
    
    Michael Baentsch (1):
          using OpenSSL3 API for EVP PKEY type name reporting
    
    Selva Nair (8):
          Bugfix: Convert ECDSA signature from pkcs11-helper to DER encoded form
          Import some sample certificates into Windows store for testing
          Add tests for finding certificates in Windows cert store
          Refactor SSL_CTX_use_CryptoAPI_certificate()
          Add a test for signing with certificates in Windows store
          Unit tests: add test for SSL_CTX_use_Cryptoapi_certificate()
          Improve error message on short read from socks proxy
          Make error in setting metric for IPv6 interface non-fatal
    
  • v2.6.1
    2c2a98a0 · preparing release 2.6.1 ·
    OpenVPN v2.6.1 release
    
    2023.03.08 -- Version 2.6.1
    
    Arne Schwabe (13):
          Fix unaligned access in auth-token
          Update LibreSSL to 3.7.0 in Github actions
          Add printing USAN stack trace on github actions
          Fix LibreSSL not building in Github Actions
          Add missing stdint.h includes in unit tests files
          Combine extra_tun/frame parameter of frame_calculate_payload_overhead
          Update the last sections in the man page to a be a bit less outdated
          Add building unit tests with mingw to github actions
          Revise the cipher negotiation info about OpenVPN3 in the man page
          Exit if a proper message instead of segfault on Android without management
          Use proper print format/casting when converting msg_channel handle
          Reduce initialisation spam from verb <= 3 and print summary instead
          Dynamic tls-crypt for secure soft_reset/session renegotiation
    
    Frank Lichtenheld (8):
          Changes.rst: document removal of --keysize
          Windows: fix unused function setenv_foreign_option
          Windows: fix unused variables in delete_route_ipv6
          Windows: fix wrong printf format in x_check_status
          Windows: fix unused variable in win32_get_arch
          configure: enable DCO by default on FreeBSD/Linux
          Windows: fix signedness errors with recv/send
          configure: fix formatting of --disable-lz4 and --enable-comp-stub
    
    Gert Doering (2):
          Get rid of unused 'bool tuntap_buffer' arguments.
          FreeBSD 12.x workaround for IPv6 ifconfig is needed on 12.4 as well
    
    Kristof Provost (3):
          options.c: enforce a minimal fragment size
          configure: improve FreeBSD DCO check
          dco: define OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT on FreeBSD
    
    Lev Stipakov (6):
          Allow certain DHCP options to be used without DHCP server
          dco-win: use proper calling convention on x86
          Improve format specifier for socket handle in Windows
          Disable DCO if proxy is set via management
          Add logging for windows driver selection process
          Avoid management log loop with verb >= 6
    
    Matthias Andree (1):
          make dist: Ship ovpn_dco_freebsd.h, too
    
    Selva Nair (9):
          block-dns using iservice: fix a potential double free
          Conditionally add subdir-objects option to automake
          Build unit tests in mingw Windows build
          cyryptapi.c: log the selected certificate's name
          cryptoapi.c: remove pre OpenSSL-3.01 support
          cryptoapi.c: simplify parsing of thumbprint hex string
          Option --cryptoapicert: support issuer name as a selector
          Add a unit test for functions in cryptoapi.c
          Do not save pointer to 'struct passwd' returned by getpwnam etc.
    
  • v2.5.9
    ea4ce681 · Preparing release 2.5.9 ·
    OpenVPN v2.5.9 release
    
    2023.02.14 -- Version 2.5.9
    
    Arne Schwabe (6):
          Implement optional cipher in --data-ciphers prefixed with ?
          Fix handling an optional invalid cipher at the end of data-ciphers
          Ensure that argument to parse_line has always space for final sentinel
          Improve documentation on user/password requirement and unicodize function
          Remove unused gc_arena
          Fix corner case that might lead to leaked file descriptor
    
    Frank Lichtenheld (1):
          msvc: always call git-version.py
    
    Lev Stipakov (1):
          git-version.py: proper support for tags
    
    Max Fillinger (1):
          Check if pkcs11_cert is NULL before freeing it
    
    Selva Nair (3):
          Do not add leading space to pushed options
          pull-filter: ignore leading "spaces" in option names
          Do not include auth-token in pulled option digest
    
  • v2.6.0
    b9994664 · preparing release 2.6.0 ·
    OpenVPN v2.6.0 release
    
    2023.01.25 -- Version 2.6.0
    
    Antonio Quartulli (1):
          dco_linux: update license for ovpn_dco_linux.h
    
    Arne Schwabe (1):
          Workaround: make ovpn-dco more reliable
    
    Gert Doering (3):
          Fix OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT breakage on FreeBSD+DCO
          Repair special-casing of EEXIST for Linux/SITNL route install
          preparing release 2.6.0
    
    Lev Stipakov (3):
          openvpnmsica: remove dco installer custom actions
          openvpnmsica: remove unused declarations
          openvpnmsica: fix adapters discovery logic for DCO
    
    Selva Nair (4):
          Define and use macros for route addition status code
          Warn when pkcs11-id or pkcs11-id-management options are ignored
          Cleanup route error and debug logging on Windows
          Fix one more 'existing route may get deleted' case
    
    Timo Rothenpieler (1):
          Don't clear capability bounding set on capng_change_id
    
  • v2.6_rc2
    07d99c20 · preparing release 2.6_rc2 ·
    OpenVPN v2.6_rc2
    
    2023.01.12 -- Version 2.6_rc2
    
    Antonio Quartulli (4):
          dco: properly re-initialize dco_del_peer_reason
          dco: bail out when no peer-specific message is delivered
          dco: improve comment about hidden debug message
          dco: print proper message in case of transport disconnection
    
    Arne Schwabe (3):
          Add connect-freq-initial option to limit initial connection responses
          Log peer-id if loglevel is D_DCO_DEBUG and dco is enabled
          Deprecate OCC checking
    
    Frank Lichtenheld (7):
          options.c: fix format security error when compiling without optimization
          options.c: update usage description of --cipher
          Update copyright year to 2023
          xkey_pkcs11h_sign: fix dangling pointer
          options: Always define options->management_flags
          check_engine_keys: make pass with OpenSSL 3
          documentation: update 'unsupported options' section
    
    Gert Doering (3):
          Undo FreeBSD 12.x workaround on IPv6 ifconfig for 12.4 and up
          Reduce logspam about 'dco_update_keys: peer_id=-1' in p2p server mode
          preparing release 2.6_rc2
    
    Lev Stipakov (1):
          tun: move print_windows_driver() out of tun.h
    
    Selva Nair (11):
          Properly unmap ring buffer file-map in interactive service
          Use undo_lists for saving ring-buffer handles in interactive service
          Cleanup: Close duplicated handles in interactive service
          Preparing for better signal handling: some code refactoring
          Refactor signal handling in openvpn_getaddrinfo
          Use IPAPI for setting ipv6 routes when iservice not available
          Fix signal handling on Windows
          Assign and honour signal priority order
          Distinguish route addition errors from route already exists
          Propagate route error to initialization_completed()
          Include CE_DISABLED status of remote in "remote-entry-get" response
    
  • v2.6_rc1
    84e70c47 · Preparing release 2.6_rc1 ·
    OpenVPN v2.6_rc1
    
    2022.12.29 -- Version 2.6_rc1
    
    Arne Schwabe (17):
          Ensure that argument to parse_line has always space for final sentinel
          Improve documentation on user/password requirement and unicodize function
          Eliminate or comment empty blocks and switch fallthrough
          Remove unused gc_arena
          Fix corner case that might lead to leaked file descriptor
          Deprecate NTLMv1 proxy auth method.
          Use include "buffer.h" instead of include <buffer.h>
          Ensure that dco keepalive and mssfix options are also set in pure p2p mode
          Make management password check constant time
          Rename TM_UNTRUSTED to TM_INITIAL, always start session in TM_INITIAL rather than TM_ACTIVE or TM_INITIAL
          Move dco_installed back to link_socket from link_socket.info.actual
          Do not set nl socket buffer size
          Also drop incoming dco packet content when dropping the packet
          Improve logging when seeing a message for an unknown peer
          Ignore OVPN_DEL_PEER_REASON_USERSPACE to avoid race conditions
          Replace custom min macro and use more C99 style in man_remote_entry_get
          Replace realloc with new gc_realloc function
    
    David Sommerseth (1):
          ssl_verify: Fix memleak if creating deferred auth control files fails
    
    Gert Doering (1):
          bandaid fix for TCP multipoint server crash with Linux-DCO
    
    Lev Stipakov (2):
          git-version.py: proper support for tags
          msvc: upgrade to Visual Studio 2022
    
    Selva Nair (7):
          Reduce default restart pause to 1 second
          Do not include auth-token in pulled option digest
          Persist DCO client data channel traffic stats on restart
          Add remote-count and remote-entry query via management
          Permit unlimited connection entries and remotes
          Use a template for 'unsupported management commands' error
          Allow skipping multiple remotes via management interface
    
  • v2.6_beta2
    OpenVPN v2.6_beta2
    
    2022.12.15 -- Version 2.6_beta2
    
    Antonio Quartulli (1):
          disable DCO if --secret is specified
    
    Arne Schwabe (7):
          Fix connection cookie not including address and fix endianness in test
          Fix unit test of test_pkt on little endian Linux
          Disable DCO when TLS mode is not used
          Ignore connection attempts while server is shutting down
          Improve debug logging of DCO swap key message and Linux dco_new_peer
          Trigger a USR1 if dco_update_keys fails
          Set DCO_NOT_INSTALLED also for keys not in the get_key_scan range
    
    Frank Lichtenheld (1):
          ChangeLog: Fix encoding
    
    Kristof Provost (4):
          Read DCO traffic stats from the kernel
          dco: Update counters when a client disconnects
          Read the peer deletion reason from the kernel
          dco: cleanup FreeBSD dco_do_read()
    
    Lev Stipakov (3):
          Rename dco_get_peer_stats to dco_get_peer_stats_multi
          management: add timer to output BYTECOUNT
          Introduce dco_get_peer_stats API and Windows implementation
    
    Marc Becker (4):
          unify code path for adding PKCS#11 providers
          use new pkcs11-helper interface to add providers
          special handling for PKCS11 providers on win32
          vcpkg-ports/pkcs11-helper: support loader flags
    
    Max Fillinger (2):
          Correct tls-crypt-v2 metadata length in man page
          Fix message for too long tls-crypt-v2 metadata
    
  • v2.6_branched
    add a tag so it's easier to see what happened in master after
    release/2.6 was branched off
    
  • v2.6_beta1
    OpenVPN v2.6_beta1
    
    2022.12.01 -- Version 2.6_beta1
    
    Adrian (1):
          Fix error in example firewall.sh script
    
    Antonio Quartulli (99):
          tun.c: remove unused variable
          openssl: fix EVP_PKEY_CTX memory leak
          openssl: avoid NULL pointer dereference
          ssl: remove unneeded if block
          options: check for blanks in fingerprints and reject string if found
          crypto: respect ECB argument type from prototype
          Add documentation on EVENT_READ/EVENT_WRITE constants
          windows: use appropriate and portable format specifier for 64bit pointer
          windows: define variable only where used
          windows: list all enum values in switch block
          forward: get rid of useless declarations for actually static functions
          mbedtls: do not define mbedtls_ctr_drbg_update_ret when not needed
          route.c: pass the right parameter to IN6_IS_ADDR_UNSPECIFIED
          man/protocol-options: add missing ending metachar
          compat-mode: allow user to specify version to be compatible with
          reject compression by default
          Remove support for PF (Packet Filter)
          configure: search also for rst2{man, html}.py
          multi: remove extra brackets in multi_process_incoming_link()
          do not include --cipher value in data-ciphers
          compat-mode: add --data-cipher-fallback automatically if requested
          Set TLS 1.2 as minimum by default
          doc: fix indentation in protocol-options.rst
          networking: add and implement net_addr_ll_set() API
          networking: add missing brackets
          set_lladdr: use networking API net_addr_ll_set() on Linux
          configure: remove useless -Wno-* from default CFLAGS
          options.c: fix version reported in --cipher warning message
          doc/cipher-negotiation.rst: avoid warning by fixing indentation
          doc: remove PF leftovers from documentation
          sig.c: define signal_handler on non-windows only
          GitHub Actions: ensure Ubuntu builds are made with the chosen SSL library
          ssl.c: use arrow operator to access object member
          use 'static inline' instead of 'inline static'
          GitHub Actions: add other config flavours
          unit-test: fix test_crypto when USE_COMP is not defined
          update copyright year to 2022
          keyingmaterialexporter.c: include strings.h
          crypto: move validation logic from cipher_get to cipher_valid
          crypto: move OpenSSL specific FIPS check to its backend
          Get rid of README.IPv6 and TODO.IPv6
          auth_token/tls_crypt: fix usage of md_valid()
          crypto: unify key_type creation code
          remove unused sitnl.h file
          options: drop useless netmask variable
          networking: use OPENVPN_ETH_ALEN instead of ETH_ALEN
          networking: silence warnings about unused arguments
          networking_iproute2: don't pass M_WARN to openvpn_execve_check()
          networking: implement net_iface_new and net_iface_del APIs
          t_net.sh: delete dummy iface using iproute command
          auth-pam.c: add missing include limits.h
          dco: introduce low-level code for handling ovpn-dco in the Linux kernel
          dco: add helper function to detect if DCO is enabled or not
          dco: create DCO interface using SITNL
          tls-crypt-v2: bail out if the client key is too small
          dco: use specific metric when installing routes
          networking: fix doc for net_iface_new() API
          options: don't export local function pre_connect_save()
          networking_sitnl: always return negative error code in case of failure
          networking: add net_iface_type API
          tun: create tun_name_is_fixed helper
          dco: add option check - disable DCO if conflict is detected
          dco: allow user to disable it at runtime
          GitHub Actions: add Linux DCO build (on Ubuntu 20.04)
          dco: introduce open_tun_dco_generic() to open dynamic or fixed-name DCO devices
          dco: initialize context and save pointer in TLS object
          dco: configure keys in DCO right after generating them
          disable DCO if no --dev was specified
          dco: periodically check and possibly rotate/delete keys
          dco: split option parsing routines
          push: fix compilation with --disable-management and --enable-werror
          dco: check that pulled options are compatible
          dco: implement dco support for p2p/client code path
          dco: add documentation for ovpn-dco-linux
          dco: implement dco support for p2mp/server code path
          dco: perform pull options check only if we pulled any option
          dco: disable DCO if --allow-compress yes/asym was specified
          dco: turn supported ciphers list into a function
          do_open_tun: restyle 'can preserve TUN' check
          do_close_tun: get rid of one level of indentation
          ovpn-dco: print some netlink messages to debug level
          dco: move message to DCO debug level and reword a bit
          dco: properly name variables
          dco: don't pass VPN IPs to NEW_PEER API in P2P mode
          dco-win: ensure the DCO API is not used when running on Windows
          ssl_util: fix prototype style
          dco: move availability check to the end of check_option_conflict() function
          dco-win: introduce low-level code for handling ovpn-dco-win in Windows
          dco-win: check for incompatible options
          dco-win: implement ovpn-dco support in P2P Windows code path
          dco-win: add documentation to README.dco.md
          dco-win: update GH Actions config file
          dco: trigger ping timeout event only if the peer expired
          delete_routes(_ipv6): avoid memleak if RT_DEFINED is not set
          solaris/open_tun: prevent crash when dev is empty string
          do not push route-ipv6 entries that are also in the iroute-ipv6 list
          auth-user-pass: add support for inline credentials
          get_user_pass_cr: get password from stdin if missing inline
          close_tun: print interface type consistently in message
    
    Arne Schwabe (289):
          Fix client's poor man NCP fallback
          Refactor key_state_export_keying_material functions
          Fix compilation with older mbed TLS versions (mbedtls_tls_prf_types undefined)
          Fix client NCP OCC fallback when server and client cipher are identical
          Move openvpn specific key expansion into its own function
          Allow 'none' cipher being specified in --data-ciphers
          Implement generating data channel keys via EKM/RFC 5705
          Ignore deprecation warning for daemon on macOS
          Add function for common env setting of verify user/pass calls
          Inline function tls_get_peer_info
          Align reliable_free with other free methods to accept NULL
          Remove NULL checks before calling free
          Remove explicit setting of peer_id to false
          Remove --disable-def-auth configure argument
          Replace key_scan array of static pointers with inline function
          Add more documentation about our internal TLS functions
          Improve keys out of sync message
          Clean up tls_authentication_status and document it
          Rename DECRYPT_KEY_ENABLED to TLS_AUTHENTICATED
          Send AUTH_FAILED message to clients on renegotiation failures
          Make any auth failure tls_authentication_status return auth failed
          Fix auth-token not being updated if auth-nocache is set
          Remove auth_user_pass.wait_for_push variable
          Fix port-share option with TLS-Crypt v2
          Zero initialise msghdr prior to calling sendmesg
          Fix tls-auth mismatch OCC message when tls-cryptv2 is used.
          Remove inetd support from OpenVPN
          Change pull request timeout to use a timeout rather than a number
          Check return values in md_ctx_init and hmac_ctx_init
          Implement client side handling of AUTH_PENDING message
          Introduce management client state for AUTH_PENDING notifications
          Add S_EXITCODE flag for openvpn_run_script to report exit code
          Prefer TLS libraries TLS PRF function, fix OpenVPN in FIPS mode
          Implement server side of AUTH_PENDING with extending timeout
          Refactor extract_var_peer_info into standalone function and add ssl_util.c
          Change parameter of send_auth_pending_messages from context to tls_multi
          Allow pending auth to be sent from an auth plugin
          Avoid generating unnecessary mbed debug messages
          Add README.wolfssl documenting the state of WolfSSL in OpenVPN
          Fix multiple problems when compiling with LLVM/Windows (clang-cl)
          Move extract_iv_proto to ssl_util.c/h
          Extend verify-hash to allow multiple hashes
          Implement peer-fingerprint to check fingerprint of peer certificate
          Document the simple self-signed certificate setup in examples
          Deprecate the --verify-hash option
          Remove empty dummy functions
          Move restoring pre pull options to initialising of c2 context
          Move NCP saving and restore to the prepush restore code
          Restore also ping related options on a reconnect
          Make buffer related function conversion explicit when narrowing
          Fix socket related functions using int instead of socket_descriptor_t
          Use correct types for OpenSSL and Windows APIs
          Cleanup print_details and add signature/ED certificate print
          Remove flexible array member autoconf check
          Remove support for non ISO C99 vararg support
          Fix #elif TARGET_LINUX missing defined() call
          Remove superfluous ifdefs around enum like defines
          Rename tunnel_server_udp_single_threaded to tunnel_server_udp
          Remove code for aligning non-swapped compression
          Remove pointless tun_adjust_frame_parameters function
          Remove unused field txqueuelen from struct tuntap
          Remove unused function tls_test_auth_deferred_interval
          Remove unused variable pass_config_info
          Move is_proto function to the socket.h header
          Implement '--compress migrate' to migrate to non-compression setup
          Remove thread_mode field of multi_context
          Extract multi_assign_peer_id into its own function
          Remove do_init_socket_2 and do_init_socket_1 wrapper function
          Always disable TLS renegotiations
          Allow running a default configuration with TLS libraries without BF-CBC
          Deprecate non TLS mode in OpenVPN
          Remove deprecated option '--keysize'
          Move auth deferred related members into its own struct
          log file descriptor in more socket related error messages
          Fix async push broken after auth deferred refactor
          Remove conditionals compilation for P2MP, ENABLE_SHAPER and TIME_BACKTRACK_PROTECTION
          Remove check for socket functions and Win XP compatibility code
          Remove checks for uint* types that are part of C99
          Remove a number of checks for functions/headers that are always present
          Use EVP_CTRL_AEAD_* instead EVP_CTRL_GCM_*
          Remove OpenSSL configure checks
          Always save/restore pull options
          Also restore/save compress related options in reconnects
          Also restore/save route-gateway options on SIGUSR1 reconnects
          Remove LibreSSL specific defines not needed for modern LibreSSL
          Add parsing of dhcp-option PROXY_HTTP
          Ensure using const variables with EVP_PKEY_get0_*
          Move context_auth from context_2 to tls_multi and name it multi_state
          Fix condition to generate session keys
          Remove always enabled USE_64_BIT_COUNTERS define
          Fix a number of mingw warnings
          Move tls_select_primary_key into its own function
          Allow all GCM ciphers
          Change options->data_channel_use_ekm to flags
          Implement deferred auth for scripts
          Use functions to access key_state instead direct member access
          Avoid failing_test unused warning in example_test
          Move direct.h header where it is used
          Replace OS_SPECIFIC_DIRSEP with PATH_SEPARATOR
          Remove a number of platform specific checks in configure.ac
          Remove --disable-multihome option
          Remove support for blocking connect()
          Fix memory leak in misc unit test
          Fix binary and (&) used in auth-token check instead of logical and (&&)
          Add missing free_key_ctx for auth_token
          Remove explicit struct iovec check (HAVE_IOVEC)
          Remove getpeername, getpid check
          Inline do_init_auth_token_key
          Add noreturn attribute for MSVC to assert_failed method.
          Move utility function from win32.c to win32-util.c
          Document stub-v2 being basically an alias for no compression at all
          Return cached result in tls_authentication_status
          Use exponential backoff for caching in tls_authentication_status
          Add github actions
          Silence warning about format string in check_ca_required
          Implement auth-token-user
          Move auth_token_state from multi to key_state
          Add connection_established as state in tls_multi->context_auth
          Make waiting on auth an explicit state in the context state machine
          Ensure tls session is authenticated before sending push reply
          Extracting key_state deferred auth status update into function
          Move examples into openvpn-examples(5) man page
          Introduce S_GENERATED_KEYS state and generate keys only when authenticated
          Fix tls-cert-profile broken on OpenSSL 1.1+
          Cleanup handling of initial auth token
          Remove --ncp-disable option
          Add detailed man page section to setup a OpenVPN setup with peer-fingerprint
          Support NCP in pure P2P VPN setups
          Remove unistd.h from unit test
          Introduce webauth auth pending method and deprecate openurl
          Include Chacha20-Poly1305 into default --data-ciphers when available
          Detect unusable ciphers on patched OpenSSL of RHEL/Centos
          Fix Ubuntu spelling and duplicate run in Github Actions
          Add message when decoding PKCS12 file fails.
          Add small unit test for testing HMAC
          Deprecate --ecdh-curve with OpenSSL 3.0 and adjust mbed TLS message
          Use EVP_PKEY based API for loading DH keys
          Remove DES check with OpenSSL 3.0
          Remove DES key fixup code
          Do not allow CTS ciphers
          Use new EVP_MAC API for HMAC implementation
          Add --with-openssl-engine autoconf option (auto|yes|no)
          Use EVP_PKEY_get_group_name to query group name
          Replace EVP_get_cipherbyname with EVP_CIPHER_fetch
          Use EVP_MD_get0_name instead EV_MD_name
          Remove dependency on BF-CBC existence from test_ncp
          Implement DES ECB encrypt via EVP_CIPHER api
          Fix error when BF-CBC is not available
          Fix function name in DH error message
          Add insecure tls-cert-profile options
          Remove custom PRNG function
          Completely remove DES checks
          Refactor early initialisation and uninitialisation into methods
          Use TYPE_do_all_provided function for listing cipher/digest
          Add macos OpenSSL 3.0 and ASAN builds
          Allow loading of non default providers
          Move IV_TCPNL from comp_generate_peer_info_string to push_peer_info
          Implement optional cipher in --data-ciphers prefixed with ?
          Directly use hardcoded OPENVPN_AEAD_TAG_LENGTH instead lookup
          Remove cipher_kt_var_key_size and remaining --keysize documentation
          Remove cipher_ctx_get_cipher_kt and replace with direct context calls
          Remove key_type->cipher_length field
          Remove key_type->hmac_length
          Fix handling an optional invalid cipher at the end of data-ciphers
          Make --nobind default for --pull
          Remove ENABLE_CRYPTO_OPENSSL ifdef inside ENABLE_CRYPTO_OPENSSL ifdef
          Remove max_size from buffer_list_new
          Add argv_insert_head__empty_argv__head_only to argv tests
          Remove cipher_kt_t and change type to const char* in API
          Move deprecation of SWEET32/64bit block size ciphers to 2.7
          Adjust cipher-negotiation.rst with compat-mode changes
          Remove md_kt_t and change crypto API to use const char*
          Initialise kt_cipher even when no crypto is enabled
          Remove align_adjust frame code
          Fix triggering assertion of ks->authenticated after tls_deauthenticate
          Document frame related function and variables a bit more
          Remove post_open_mtu code
          Make github actions names nicer, include Ubuntu18+OpenSSL 1.0.2
          Add helper functions to calculate header/payload sizes
          Decouple MSS fix calculation from frame calculation
          Rework occ link-mtu calculation
          Remove pointless do_init_frame_tls function
          Remove BUFFER_LIST_AGGREGATE_TEST test code
          Deprecate link-mtu
          Fix mssfix and frame calculation in CBC mode
          Change buffer allocation calculation and checks to be more static
          Fix datagram_overhead and assorted functions
          Implement optional mtu parameter for mssfix
          Remove link_mtu parameter when running up/down scripts
          Replace TUN_MTU_SIZE with frame->tun_mtu
          Change the default for mssfix to mssfix 1492 mtu
          Add mtu parameter to --fragment and change fragment calculation
          Update fragment and mssfix related warnings
          Use new frame header methods to calculate OCC_MTU_LOAD payload size
          Remove extra_link from frame
          Remove frame->link_mtu
          Remove frame.extra_frame and frame.extra_buffer
          Default to --cipher BF-CBC if not set and compat-mode < 2.4.0
          Fix 'defined but not used' warnings with enable-small/disable-management
          Add Werror to github action ubuntu build
          Add better documentation for CAS_* states
          Add unit test for mssfix with compression involved
          Remove FRAME_HEADROOM, PAYLOAD_SIZE, EXTRA_FRAME and TUN_LINK_DELTA macros
          Fix mbed TLS compile if OpenSSL headers are not available
          Remove unused function cipher_var_key_size
          Implement fixed MSS value for mssfix and use it for non default MTUs
          networking: remove duplicate methods from networking_sitnl.c
          Remove dead PID_TEST code
          Remove inc_pid argument from reliable_mark_deleted that is always true
          Remove EXPONENTIAL_BACKOFF define
          Remove tls_init_control_channel_frame_parameters wrapper function
          Add documentation for swap_hmac function
          Make buf_write_u8/16/32 take the type they pretend to take
          Move pre decrypt lite check to its own function
          Extend tls_pre_decrypt_lite to return type of packet and keep state
          Move ssl function related to control channel wrap/unwrap to ssl_pkt.c/h
          Add unit tests for test_tls_decrypt_lite
          Split out reliable_ack_parse from reliable_ack_read
          Refactor tls-auth/tls-crypt wrapping into its own function
          Extract session_move_pre_start as own function, use local buffer variable
          Change FULL_SYNC macro to no_pending_reliable_packets function
          Extract session_move_active into its own function
          Move tls_process_state into its own function
          Remove pointless indentation from tls_process.
          Move CRL reload to key_state_init from S_START transition
          Change reliable_get_buf_sequenced to reliable_get_entry_sequenced
          Implement constructing a control channel reset client as standalone function
          Implement stateless HMAC-based session-id three-way-handshake
          Extract read_incoming_tls_ciphertext into function
          Fix format specifier for printing size_t on 32bit size_t platforms
          Remove workaround for Android 4.4
          Implement HMAC based session id for tls-crypt v2
          Optimise three-way handshake condition for S_PRE_START to S_START
          Extract read_incoming_tls_plaintext into its own function
          Add uncrustify check to github actions
          Add ubuntu 22.04 to Github Actions
          Implement ED448 and ED25519 support in xkey_provider
          Translate OpenSSL 3.0 digest names to OpenSSL 1.1 digest names
          Fix client-pending-auth error message to say ERROR instead of SUCCESS
          Remove useless empty line from CR_RESPONSE message
          Remove leftover frame_set_mtu_dynamic definitions in mtu.h
          Inline frame_add_to_extra_tun function and remove frame_defined
          tun: extract close_tun_handle into its own function and print correct type
          Error out if both remap-usr1 SIGHUP and config stdin are used
          Fix segfault when no --config argument is given
          Extract check_session_cipher into standalone function
          Cleanup receive_auth_failed and simplify method
          Fix IV_PLAT_VER and UV_ variables sent without push-peer-info
          Rename OPT_P_IPWIN32 to OPT_P_DHCPDNS and include --dns in it
          Include DCO status in GLOBAL_STATS status v2 output
          Github Actions: Add libreSSL actions
          Include libressl and macOS 12 to macOS github actions
          Fix declaration of pubkeys in test_provider.c in MSVC builds
          Change command help to match man page and implementation
          Implement --client-crresponse script options and plugin interface
          Add example script demonstrating TOTP via auth-pending
          Add OpenSSL 3.0 to mingw build
          Update android.txt to reflect more recent changes.
          Allow scripts and plugins to set a custom AUTH_FAILED message
          Implement exit notification via control channel
          Implement AUTH_FAIL, TEMP message support
          Document/cleanup event_timeout functions
          Fix OpenVPN querying user/password if auth-token with user expires
          Enable -Werror on macOS builds
          Ensure only CBC, CFB, OFB and AEAD ciphers are considered valid data ciphers
          Change exit signal in P2P to be a SIGUSR1 and delayed CC exit in P2MP
          Allow Authtoken lifetime to be shorter than renegotiation time
          Allows renegotiation only to start if session is fully established
          Fix renewal spelling and actually allow external-auth with renewal time
          Fix regression of ignoring --user
          Refactor/optimise code sending TLS control channel messages
          Add unit test for reliable_get_num_output_sequenced_available
          Allow setting control channel packet size with max-packet-size
          Always include ACKs for the last seen control packets
          Add workaround for Softether server dropping P_ACK_V1 with >= 5 acks
          Improve data key id not found error message
          Add packet type in accept/reject messages for HMAC packet
          Fix md_kt_size in mbed TLS when queried for size of "none"
          Add algorithm and bits used in key_print2 method and refactor method
          Remove unused addr_inet4or6, addr_guess_family and inline addr_copy_sa
          Allow tun-mtu to be pushed
          Push server mtu to client when supported and support occ mtu
          Fix logic error in checking early negotiation support check
          Move dco_installed from sock->info to sock->info.lsa.actual
          Use dedicated multi->dco_peer_id for DCO instead of multi->peer_id
          Add section about common error with OpenVPN 2.6 and OpenSSL 3.0
          Introduce connection state for reconnecting peer in p2p
          Signal USR1 when connection initialising fails
          Allow reconnecting in p2p mode work under FreeBSD
    
    Camille Guérin (1):
          Removed error message for an option flag not supported with --server-ipv6
    
    David Korczynski (1):
          Fix argv leaks in add_route() and add_route_ipv6()
    
    David Sommerseth (18):
          man: Add missing --server-ipv6
          man: Improve --remote entry
          sample-plugins: Partially autotoolize the sample-plugins build
          build: Fix make distclean/distcheck
          compat/lz4: Update to v1.9.2
          build: Fix missing install of man page in certain environments
          build: Remove compat-lz4
          Update copyrights
          doc: Use generic rules for man/html generation
          man: Clarify IV_HWADDR
          crypto: Fix OPENSSL_FIPS enabled builds
          sample-plugin: New plugin for testing multiple auth plugins
          plugins: Remove defer/simple.c sample plugin
          plug-ins: Disallow multiple deferred authentication plug-ins
          dev-tools: Remove no longer needed openvpn-plugin.h.in patching
          dev-tools: Remove uncrustify -p
          dev-tools: Avoid uncrustify mangling MAC_FMT macro
          The Great Reformatting of 2022
    
    Dmitry Zelenkovsky (1):
          implement --session-timeout
    
    Domagoj Pensa (3):
          Fix too early argv freeing when registering DNS
          Remove 1 second delay before running netsh
          Skip DHCP renew with Wintun adapter
    
    Eric Thorpe (1):
          Fixes a bug in management_callback_send_cc_message, should be strlen instead of sizeof
    
    Frank Lichtenheld (18):
          doc/Makefile: rebuild rst docs if input files change
          doc: fix misc documentation issues
          doc/options: clean up documentation for --proto and related options
          Reformat for sp_after_comma=add
          uncrustify: add sp_after_comma=add
          uncrustify: have exactly one newline at the end of files
          t_client: Allow to force FAIL on prerequisite fails
          systemd: remove generated service files on clean
          Reduce usage of __DATE__
          config-version.h: remove unused includes
          t_client.sh: do not require fping6
          doc: cleanup for --data-ciphers and related
          test_crypto: fix test_occ_mtu_calculation with --disable-fragment
          msvc: always call git-version.py
          GitHub Issues: add note to Changes as well
          GitHub Issues: add new links to INSTALL and README
          GitHub Issues: Create first issue template (Bug)
          documentation: avoid recommending --user nobody
    
    Gert Doering (67):
          Change version.m4 to 2.6_git
          Fix stack overflow in OpenSolaris NEXTADDR()
          Workaround FreeBSD 12+ race condition on tun/tap open with IPv6.
          Document that --push-remove is generally more suitable than --push-reset
          Fix error detection / abort in --inetd corner case.
          Fix TUNSETGROUP compatibility with very old Linux systems.
          Fix handling of 'route remote_host' for IPv6 transport case.
          Replace 'echo -n' with 'printf' in tests/t_lpback.sh
          Fix description of --client-disconnect calling convention in manpage.
          Handle NULL returns from calloc() in sample plugins.
          Fix --show-gateway for IPv6 on NetBSD/i386.
          socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes
          Fix netbits setting (in TAP mode) for IPv6 on Windows.
          If IPv6 pool specification sets pool start to ::0 address, increment.
          Add demo plugin that exercises "CLIENT_CONNECT" and "CLIENT_CONNECT_V2" paths
          Fix combination of --dev tap and --topology subnet across multiple platforms.
          Fix redirecting of IPv4 default gateway if connecting over IPv6.
          Fix compilation on pre-EKM mbedTLS libraries.
          Avoid passing NULL to argv_printf_cat() in temp_file error case.
          Change travis build scripts to use https when fetching prerequisites.
          Fix line number reporting on config file errors after <inline> segments
          Clarify --block-ipv6 intent and direction.
          Document common uses of 'echo' directive, re-enable logging for 'echo'.
          Make OPENVPN_PLUGIN_ENABLE_PF failures FATAL
          clean up / rewrite sample-plugins/defer/simple.c
          Fix EVP_PKEY_CTX_... compilation with LibreSSL
          Require at least 100MB of mlock()-able memory if --mlock is used.
          Get rid of last PLUGIN_DEF_AUTH #ifdef
          Fix 'compress migrate' for 2.2 clients.
          Fix potential NULL ptr crash if compiled with DMALLOC
          Repair --secret deprecation warning.
          rewrite parse_hash_fingerprint()
          Ignore leading whitespace and comment lines for peer-fingerprint.
          Add error reporting to get_console_input_win32().
          Ignore --explicit-exit-notify in TCP mode.
          Use more C99 initialization in add_route/add_route_ipv6().
          Include --push-remove in the output of --help.
          Move '--push-peer-info' documentation from 'server' to 'client options'
          add test case(s) to notice 'openvpn --show-cipher' crashing
          Repair --inactive with 'bytes' argument larger 2Gbytes.
          Fix --mtu-disc maybe|yes on Linux.
          Fix trailing-whitespace errors in last patch.
          Exclude the last two whitespace-only uncrustify fixes from git blame output.
          Implement --mtu-disc for IPv6 UDP sockets.
          Fix non-compliant whitespace introduced by commit 54800aa975418fe35.
          Pass proper sockaddr_* structure for IPv6 socket errors.
          Fix error message about extended errors for IPv4-only sockets.
          Break 'try 256 dco devices' loop on EPERM
          Cleanup: get rid of 'dynamic' argument of open_tun_generic()
          Remove outdated information from ChangeLog, point at release branches.
          Apply uncrustify changes that were forgotten in the last patch.
          Apply uncrustify changes that were forgotten in the FreeBSD DCO 1/2 patch.
          FreeBSD-DCO: repair device iteration to find first free interface.
          DCO: require valid netbits setting for non-primary iroutes.
          Adjust Linux+FreeBSD DCO device name handling to 'non DCO linux style'
          cleanup open_tun() for TARGET_NETBSD
          t_client: add per-instance arguments to fping
          introduce V= level to manage t_client.sh output verbosity
          un-break undo_ifconfig_ipv4()/_ipv6() on all non-linux/non-win32 platforms
          use boolean '||' to join two bools, not bitwise '|'
          denoise tests/t_lpback.sh
          FreeBSD: for topology subnet, put tun interface into IFF_BROADCAST mode
          FreeBSD DCO: introduce real subnet mode
          Improve documentation for --dev and --dev-node.
          Update PORTS
          rework INSTALL and README to prepare for 2.6 release
          Preparing release 2.6_beta1
    
    Greg Cox (5):
          Fix naming error in sample-plugins/defer/simple.c
          Documentation fixes around openvpn_plugin_func_v3 in openvpn-plugin.h.in
          Update openvpn_plugin_func_v2 to _v3 in sample-plugins/defer/simple.c
          More explicit versioning compatibility in sample-plugins/defer/simple.c
          Explain structver usage in sample defer plugin.
    
    Heiko Hund (10):
          add support for --dns option
          Add git pre-commit hook script to uncrustify
          pre-commit: uncrustify based on staged changes
          remove foreign_option() call for IPv6 DNS servers
          remove dead foreign-option parsing code
          rename foreign_option() and move it up
          doc: fix literal block in tls-options.rst
          dns: also (re)place foreign dhcp options in env
          signal --dns support in peer info
          make %x destination unsigned
    
    Ilya Ponetayev (1):
          fix compilation issues with small and w/o debug
    
    Ilya Shipitsin (2):
          CI: github actions: keep "pdb" in artifacts
          BUILD: enable CFG and Spectre mitigation for MSVC
    
    Jan Mikkelsen (1):
          cipher-negotiation.rst missing from doc/Makefile.am
    
    Jan Seeger (1):
          Added 'route_ipv6_metric_NN' environment variable for IPv6 route metric.
    
    Jason A. Donenfeld (1):
          Support fingerprint authentication without CA certificate
    
    Jeff (1):
          duplicate function declaration.
    
    Juliusz Sosinowicz (4):
          EVP_DigestSignFinal siglen parameter correction
          Support for wolfSSL in OpenVPN
          build: Add support for pkg-config < 0.28 for old autoconf versions
          README.wolfssl Update
    
    Kristof Provost (6):
          Handle exceeding 'max-clients'
          ovpn-dco: introduce FreeBSD data-channel offload support
          Support creating iroute route entries on FreeBSD
          FreeBSD networking cleanup
          FreeBSD DCO: support AES-192-GCM
          dco: pass control packets through the socket on FreeBSD
    
    Lev Stipakov (68):
          tun.c: enable using wintun driver under SYSTEM
          openvpnmsica: make adapter renaming non-fatal
          msvc: better support for 32bit architecture
          Alias ADAPTER_DOMAIN_SUFFIX to DOMAIN
          ssl_common.h: fix 'not all control paths return a value' msvc warning
          Remove compat-lz4 references from VS project files
          tapctl: support for ovpn-dco Windows driver
          msvc: add ARM64 configuration
          win32: add missing include header
          openvpnmsica: properly schedule reboot in the end of installation
          options.c: fix msvc build error
          msvc: standalone building
          contrib/vcpkg-ports: add pkcs11-helper port
          vcpkg-ports: restore trailing whitespaces in .patch files
          GitHub actions: add MSVC build
          crypto_openssl.c: disable explicit initialization on Windows (CVE-2121-3606)
          contrib/vcpkg-ports: add openssl port with --no-autoload-config option set (CVE-2121-3606)
          Fix console prompts with redirected log
          GitHub Actions: fix MSVC builds
          contrib/vcpkg-ports: remove openssl port
          Add building man page on Windows
          GitHub Actions: remove Ubuntu 16.04 environment
          Fix loading PKCS12 files on Windows
          msvc: fix product version display
          config-msvc.h: fix OpenSSL-related defines
          GitHub Actions: use latest working lukka/run-vcpkg
          Use network address for emulated DHCP server as a default
          Load OpenSSL config on Windows from trusted location
          ring_buffer.h: fix GCC warning about unused function
          ssh_openssl.h: remove unused declaration
          vcpkg/pkcs11-helper: compatibility with latest vcpkg
          config-msvc.h: indicate key material export support
          auth_token.c: add NULL initialization
          tun: remove tun_finalize()
          vcpkg-ports/pkcs11-helper: bump to release 1.28
          vcpkg-ports/pkcs11-helper: indicate OpenSSL EC support
          xkey: fix msvc build
          msvc: switch to openssl3
          msvc: cleanup
          vcpkg: link lzo statically
          openvpnmsica: add ovpn-dco custom actions
          vcpkg-ports/pkcs11-helper: adapt to new upstream URL
          vcpkg-ports\pkcs11-helper: shorten patch filename
          vcpkg-ports\openssl3: update to 3.0.2
          Fix incorrect default mssfix value in server mode
          msvc: adjust build options to harden binaries
          vcpkg: switch to manifest
          Fix M_ERRNO behavior on Windows
          GitHub Actions: trigger openvpn-build GHA on success
          Set o->use_peer_id flag for p2p mode
          openvpnmsica: remove OpenVPNService state check code
          tun.c: remove unused gc_arena from init_tun()
          error.c: remove unused crash() function
          tun: properly handle device interface list
          dco.h: fix return type when DCO is not enabled
          dco-win: use run-time dynamic linking for GetOverlappedResultEx
          vcpkg: bump baseline version
          do_persist_tuntap: remove indentation level
          msvc: remove .filters files
          dco.c: check certain options only on startup
          Use DCO on Windows by default
          doc: add "ovpn-dco" to usage and man page
          dco-win: support for --persist-tun
          msvc: add branch name and commit hash to version output
          vcpkg: use the latest versions of dependency ports
          win32: detect arm64 architecture and emulations
          INSTALL: update Windows notes
          dco: disable dco on Windows if --remote is not defined
    
    Magnus Kroken (2):
          doc: fix typos in cipher-negotiation.rst
          Changes.rst: fix mistyped option names
    
    Marc Becker (2):
          vcpkg-ports/pkcs11-helper: bump to release 1.29
          fix GitHub workflow working directories in MinGW builds
    
    Martin Janů (1):
          Update the replay-window backtrack log message
    
    Matthias Andree (1):
          Fix SIGSEGV (NULL deref) receiving push "echo"
    
    Max Fillinger (15):
          Wipe Socks5 credentials after use
          Fix build with mbedtls w/o SSL renegotiation support
          In init_ssl, open the correct CRL path pre-chroot
          Abort if CRL file can't be stat-ed in ssl_init
          Update Fox e-mail address in copyright notices
          Replace deprecated mbedtls DRBG update function
          Fix build with compression disabled
          Don't manually free DH params in OpenSSL 3
          Remove unused havege.h header
          Don't use BF-CBC in unit tests if we don't have it
          Add warning about mbed TLS licensing problem
          Don't "undo" ifconfig on exit if it wasn't done
          Update openssl_compat.h for newer LibreSSL
          Handle EVP_MD_CTX as an opaque struct
          Check if pkcs11_cert is NULL before freeing it
    
    Michael Baentsch (1):
          Enable usage of TLS groups not identified by a NID in OpenSSL 3
    
    Paolo Cerrito (1):
          Insert client connection data into PAM environment
    
    Richard Bonhomme (3):
          Improve error msg when all TAP adapters are in use 'or disabled'
          Man page sections corrections
          Do not print Diffie Hellman parameters file to log file
    
    Richard T Bonhomme (3):
          Log messages: Replace NCP with --data-ciphers (NFC)
          doc link-options.rst: Use free open-source dynamic-DNS provider URL
          doc/protocol-options.rst: Correct default for --allow-compression
    
    Saifur Rahman Mohsin (1):
          Ignore deprecation warning for daemon() on macOS (plugin/auth-pam)
    
    Selva Nair (64):
          Improve the documentation for --dhcp-option
          In tap.c use DiInstallDevice to install the driver on a new adapter
          Add a remark on dropping privileges when --mlock is used
          Allow --dhcp-option in config file when windows-driver is wintun
          Set DNS Domain using iservice
          Improve documentation of --username-as-common-name
          Quote the domain name argument passed to the wmic command
          Remove automatic service
          tun.c on WIN32: remove more unused variables
          Make it explicit that Windows build requires UNICODE support
          Use C standard compliant format specs in wprintf functions
          Print format spec changes for tapctl and openvpnmscia
          Replace TEXT(__FUNCTION__) by __FUNCTION__ in openvpnmscia.c
          Fix parsing of IV_SSO string
          Do not require CA when peer-fingerprint is used
          Improve documentation of AUTH_PENDING related directives
          Apply the connect-retry backoff to only one side of a connection
          Fix client-pending-auth help message in management interface
          Minor doc correction: tls-crypt-v2 key generation
          Fix the "default" tls-version-min setting
          Fix some more wrong defines in config-msvc.h
          Require Windows CNG keys for cryptoapicert
          Remove error injection into OpenSSL from cryptoapi.c
          Require EC key support in Windows builds
          Ensure the current common_name is in the environment for scripts
          Avoid memory leak in hmac_ctx_new (OpenSSL 3.0 only)
          Fix tls-version-min default once again
          A built-in provider for using external key with OpenSSL 3.0
          Implement KEYMGMT in the xkey provider
          Implement SIGNATURE operations in xkey provider
          Implement import of custom external keys
          Initialize the xkey provider and use it in SSL context
          A helper function to import private key for management-external-key
          Add xkey_provider sources and includes to MSVC project
          Enable signing via provider for management-external-key
          Add a function to encode digests with PKCS1 DigestInfo wrapper
          Allow management client to announce pss padding support
          Respect algorithm support announced by management client
          Support sending DigestSign request to management client
          Increase ERR_BUF_SIZE when management interface support is enabled
          Add a generic key loading helper function for xkey provider
          pkcs11: Interface the xkey provider with pkcs11-helper
          Enable signing using CNG through xkey provider
          Add a unit test for external key provider
          xkey: Use a custom error level for debug messages
          Fix max saltlen calculation in cryptoapi.c
          Support PSS signing using pkcs11-helper >= 1.28
          Do not error when md_kt_size() is called with mdname="none"
          Fix a potential memory leak in tls_ctx_use_management_external_key
          pkcs11_openssl.c: check EVP_get_digestbyname() != NULL
          Fix crash in xkey-provider in msvc builds
          Remove management_write_peer_info_file and related code
          Log the actual management interface port in use
          Log address of management client on accept
          In x_check_status() read errno early
          xkey_provider: fix building with --disable-management
          Do not skip ERROR:/SUCCESS: response from management interface
          Allow a few levels of recursion in virtual_output_callback()
          Fix auth-token usage with management-def-auth
          Ensure --auth-nocache is handled during renegotiation
          Purge auth-token as well while purging passwords
          Do not copy auth_token username to itself
          Do not add leading space to pushed options
          pull-filter: ignore leading "spaces" in option names
    
    Sergio E. Nemirowski (1):
          resolvconf fails with -p
    
    Simon Rozman (9):
          iservice: Resolve MSVC C4996 warnings
          openvpnserv: Cache last error before it is overridden
          netsh: Specify interfaces by index rather than name
          netsh: Clear existing IPv6 DNS servers before configuring new ones
          netsh: Delete WINS servers on TUN close
          openvpnmsica: Simplify find_adapters() to void return
          tun.c: Remove dead code
          interactive.c: Resolve MSVC C4996 warning
          tapctl: Resolve MSVC C4996 warnings
    
    Steffan Karger (5):
          networking_iproute2: fix memory leak in net_iface_mtu_set()
          Simplify key material exporter backend API
          tls-crypt-v2: fix server memory leak
          tls-crypt-v2: also preload tls-crypt-v2 keys (if --persist-key)
          reliable: retransmit if 3 follow-up ACKs are received
    
    Timo Rothenpieler (5):
          Linux: Retain CAP_NET_ADMIN when dropping privileges
          GitHub Actions: Add new libcap-ng-dev dependency
          Github Actions: update used actions
          dco: disable DCO if --user specified but unable to retain capabilities
          dco: turn platform config checks into separate function
    
    Todd Zullinger (2):
          Update IRC information in CONTRIBUTING.rst
          doc/man (vpn-network-options): fix foreign_option_{n} typo
    
    Tõivo Leedjärv (1):
          Stop using deprecated getpass()
    
    Ville Skyttä (1):
          README.down-root: Fix plugin module name
    
    Vladislav Grishenko (8):
          Fix best gateway selection over netlink
          Fix fatal error at switching remotes (#629)
          Fix update_time() and openvpn_gettimeofday() coexistence
          Selectively reformat too long lines
          Speedup TCP remote hosts connections
          Support X509 field list to be username
          Fix IPv4 default gateway with multiple route tables
          Add CRL extractor script for --crl-verify dir mode
    
    
  • v2.5.8
    0357ceb8 · Preparing release 2.5.8 ·
    OpenVPN v2.5.8 release
    
    2022.10.27 -- Version 2.5.8
    
    Antonio Quartulli (1):
          tls-crypt-v2: bail out if the client key is too small
    
    Arne Schwabe (4):
          Remove useless empty line from CR_RESPONSE message
          Allow running a default configuration with TLS libraries without BF-CBC
          Change command help to match man page and implementation
          Fix OpenVPN querying user/password if auth-token with user expires
    
    Frank Lichtenheld (2):
          t_client: Allow to force FAIL on prerequisite fails
          t_client.sh: do not require fping6
    
    Gert Doering (1):
          Preparing release 2.5.8
    
    Lev Stipakov (1):
          msvc: add branch name and commit hash to version output
    
    Martin Janů (1):
          Update the replay-window backtrack log message
    
    Selva Nair (5):
          Do not skip ERROR:/SUCCESS: response from management interface
          Fix auth-token usage with management-def-auth
          Allow a few levels of recursion in virtual_output_callback()
          Ensure --auth-nocache is handled during renegotiation
          Purge auth-token as well while purging passwords
          Do not copy auth_token username to itself
    
  • v2.5.7
    a0f9a3e9 · Preparing release 2.5.7 ·
    OpenVPN v2.5.7 release
    
    2022.05.24 -- Version 2.5.7
    
    Antonio Quartulli (4):
          networking: use OPENVPN_ETH_ALEN instead of ETH_ALEN
          networking_iproute2: don't pass M_WARN to openvpn_execve_check()
          t_net.sh: delete dummy iface using iproute command
          auth-pam.c: add missing include limits.h
    
    Arne Schwabe (11):
          Add insecure tls-cert-profile options
          Refactor early initialisation and uninitialisation into methods
          Allow loading of non default providers
          Add ubuntu 22.04 to Github Actions
          Add macos OpenSSL 3.0 and ASAN builds
          Add --with-openssl-engine autoconf option (auto|yes|no)
          Fix allowing/showing unsupported ciphers and digests
          Remove dependency on BF-CBC existence from test_ncp
          Add message when decoding PKCS12 file fails.
          Translate OpenSSL 3.0 digest names to OpenSSL 1.1 digest names
          Fix client-pending-auth error message to say ERROR instead of SUCCESS
    
    Gert Doering (1):
          Preparing release 2.5.7
    
    Jan Mikkelsen (1):
          cipher-negotiation.rst missing from doc/Makefile.am
    
    Lev Stipakov (5):
          vcpkg-ports\pkcs11-helper: shorten patch filename
          msvc: adjust build options to harden binaries
          vcpkg-ports: remove openssl port
          vcpkg: switch to manifest
          Fix M_ERRNO behavior on Windows
    
    Marc Becker (1):
          vcpkg-ports/pkcs11-helper: bump to release 1.29
    
    Simon Rozman (1):
          tapctl: Resolve MSVC C4996 warnings