-
v2.4.12
OpenVPN v2.4.12 release 2022.03.16 -- Version 2.4.12 Arne Schwabe (1): Remove always enabled USE_64_BIT_COUNTERS define David Korczynski (1): Fix argv leaks in add_route() and add_route_ipv6() David Sommerseth (1): plug-ins: Disallow multiple deferred authentication plug-ins Gert Doering (2): Revert "Remove always enabled USE_64_BIT_COUNTERS define" Fix --mtu-disc maybe|yes on Linux. Richard T Bonhomme (1): doc openvpn.8: Use free open-source dynamic-DNS provider URL Selva Nair (2): Apply the connect-retry backoff to only one side of a connection Ensure the current common_name is in the environment for scripts -
v2.5.6
OpenVPN v2.5.6 release 2022.03.16 -- Version 2.5.6 Antonio Quartulli (4): GitHub Actions: update script to same version as master update copyright year to 2022 keyingmaterialexporter.c: include strings.h remove unused sitnl.h file David Sommerseth (2): sample-plugin: New plugin for testing multiple auth plugins plug-ins: Disallow multiple deferred authentication plug-ins Frank Lichtenheld (2): doc/Makefile: rebuild rst docs if input files change doc/options: clean up documentation for --proto and related options Gert Doering (4): fix Changes.rst errors in 2.5.3 and 2.5.5 announcement Repair --inactive with 'bytes' argument larger 2Gbytes. Fix --mtu-disc maybe|yes on Linux. Preparing release 2.5.6 Ilya Shipitsin (1): CI: github actions: keep "pdb" in artifacts Lev Stipakov (7): auth_token.c: add NULL initialization vcpkg-ports/pkcs11-helper: bump to release 1.28 vcpkg-ports/pkcs11-helper: indicate OpenSSL EC support msvc: cleanup vcpkg: link lzo statically vcpkg-ports/pkcs11-helper: adapt to new upstream URL vcpkg-ports: add openssl 1.1.1n -
v2.5.5
OpenVPN v2.5.5 release 2021.12.14 -- Version 2.5.5 Adrian (1): Fix error in example firewall.sh script Antonio Quartulli (1): configure: remove useless -Wno-* from default CFLAGS Arne Schwabe (2): Add argv_insert_head__empty_argv__head_only to argv tests Move deprecation of SWEET32/64bit block size ciphers to 2.7 Gert Doering (3): Include --push-remove in the output of --help. Move '--push-peer-info' documentation from 'server' to 'client options' add test case(s) to notice 'openvpn --show-cipher' crashing Ilya Shipitsin (1): BUILD: enable CFG and Spectre mitigation for MSVC Lev Stipakov (12): Fix loading PKCS12 files on Windows msvc: fix product version display msvc: add missing header to project file config-msvc.h: fix OpenSSL-related defines contrib/vcpkg-ports: remove openssl port GitHub Actions: use latest working lukka/run-vcpkg Use network address for emulated DHCP server as a default Load OpenSSL config on Windows from trusted location ring_buffer.h: fix GCC warning about unused function ssh_openssl.h: remove unused declaration vcpkg/pkcs11-helper: compatibility with latest vcpkg config-msvc.h: indicate key material export support Max Fillinger (2): Don't use BF-CBC in unit tests if we don't have it Define have_blowfish variable in ncp unit tests Richard T Bonhomme (1): doc link-options.rst: Use free open-source dynamic-DNS provider URL Selva Nair (3): Fix some more wrong defines in config-msvc.h Ensure the current common_name is in the environment for scripts Require EC key support in Windows builds Sergio E. Nemirowski (1): resolvconf fails with -p Todd Zullinger (2): Update IRC information in CONTRIBUTING.rst doc/man (vpn-network-options): fix foreign_option_{n} typo Ville Skytt (1): README.down-root: Fix plugin module name -
v2.5.4
OpenVPN v2.5.4 release 2021.10.04 -- Version 2.5.4 Antonio Quartulli (3): route.c: pass the right parameter to IN6_IS_ADDR_UNSPECIFIED configure: search also for rst2{man, html}.py networking: add networking API net_addr_ll_set() and use it on Linux Arne Schwabe (1): Move examples into openvpn-examples(5) man page David Korczynski (1): Fix argv leaks in add_route() and add_route_ipv6() David Sommerseth (2): doc: Use generic rules for man/html generation man: Clarify IV_HWADDR Gert Doering (1): Add error reporting to get_console_input_win32(). Lev Stipakov (3): Fix console prompts with redirected log Add building man page on Windows GitHub Actions: remove Ubuntu 16.04 environment Max Fillinger (1): Update Fox e-mail address in copyright notices Selva Nair (1): Minor doc correction: tls-crypt-v2 key generation -
v2.5.3
OpenVPN v2.5.3 release 2021.06.17 -- Version 2.5.3 Arne Schwabe (3): Add missing free_key_ctx for auth_token Add github actions Implement auth-token-user David Sommerseth (1): Update copyrights Gert Doering (1): Preparing release 2.5.3 Lev Stipakov (8): openvpnmsica: properly schedule reboot in the end of installation msvc: add ARM64 configuration msvc: standalone building contrib/vcpkg-ports: add pkcs11-helper port vcpkg-ports: restore trailing whitespaces in .patch files GitHub actions: add MSVC build crypto_openssl.c: disable explicit initialization on Windows (CVE-2121-3606) contrib/vcpkg-ports: add openssl port with --no-autoload-config option set (CVE-2121-3606) Matthias Andree (1): Fix SIGSEGV (NULL deref) receiving push "echo" Max Fillinger (1): Fix build with mbedtls w/o SSL renegotiation support Selva Nair (2): Improve documentation of AUTH_PENDING related directives Apply the connect-retry backoff to only one side of a connection -
v2.4.11
OpenVPN v2.4.11 release 2021.04.20 -- Version 2.4.11 Arne Schwabe (1): Ensure key state is authenticated before sending push reply Gert Doering (2): clean up / rewrite sample-plugins/defer/simple.c Fix potential NULL ptr crash if compiled with DMALLOC Greg Cox (5): Fix naming error in sample-plugins/defer/simple.c Documentation fixes around openvpn_plugin_func_v3 in openvpn-plugin.h.in Update openvpn_plugin_func_v2 to _v3 in sample-plugins/defer/simple.c More explicit versioning compatibility in sample-plugins/defer/simple.c Explain structver usage in sample defer plugin. -
v2.5.2
OpenVPN v2.5.2 release 2021.04.20 -- Version 2.5.2 Arne Schwabe (10): Avoid generating unecessary mbed debug messages Restore also ping related options on a reconnect Cleanup print_details and add signature/ED certificate print Always disable TLS renegotiations Also restore/save route-gateway options on SIGUSR1 reconnects Move context_auth from context_2 to tls_multi and name it multi_state Fix condition to generate session keys Move auth_token_state from multi to key_state Ensure auth-token is only sent on a fully authenticated session Ensure key state is authenticated before sending push reply Gert Doering (2): Fix potential NULL ptr crash if compiled with DMALLOC Max Fillinger (2): In init_ssl, open the correct CRL path pre-chroot Abort if CRL file can't be stat-ed in ssl_init Richard Bonhomme (1): Do not print Diffie Hellman parameters file to log file Simon Rozman (1): openvpnserv: Cache last error before it is overridden Vladislav Grishenko (1): Fix IPv4 default gateway with multiple route tables -
v2.5.1
OpenVPN v2.5.1 release 2021.02.24 -- Version 2.5.1 Arne Schwabe (5): Fix auth-token not being updated if auth-nocache is set Remove auth_user_pass.wait_for_push variable Fix port-share option with TLS-Crypt v2 Zero initialise msghdr prior to calling sendmesg Fix tls-auth mismatch OCC message when tls-cryptv2 is used. David Sommerseth (1): build: Fix missing install of man page in certain environments Domagoj Pensa (3): Fix too early argv freeing when registering DNS Remove 1 second delay before running netsh Skip DHCP renew with Wintun adapter Gert Doering (6): Change travis build scripts to use https when fetching prerequisites. Fix line number reporting on config file errors after <inline> segments Clarify --block-ipv6 intent and direction. Document common uses of 'echo' directive, re-enable logging for 'echo'. Make OPENVPN_PLUGIN_ENABLE_PF failures FATAL clean up / rewrite sample-plugins/defer/simple.c Greg Cox (5): Fix naming error in sample-plugins/defer/simple.c Documentation fixes around openvpn_plugin_func_v3 in openvpn-plugin.h.in Update openvpn_plugin_func_v2 to _v3 in sample-plugins/defer/simple.c More explicit versioning compatibility in sample-plugins/defer/simple.c Explain structver usage in sample defer plugin. Richard Bonhomme (1): Man page sections corrections Selva Nair (1): Quote the domain name argument passed to the wmic command Steffan Karger (2): tls-crypt-v2: fix server memory leak tls-crypt-v2: also preload tls-crypt-v2 keys (if --persist-key) -
v2.4.10
OpenVPN v2.4.10 release 2020.12.09 -- Version 2.4.10 Antonio Quartulli (1): pool: prevent IPv6 pools to be larger than 2^16 addresses Arne Schwabe (5): Fix tls_ctx_client/server_new leaving error on OpenSSL error stack Normalise ncp-ciphers option and restrict it to 127 bytes Also announce IV_CIPHERS as client in OpenVPN 2.4 Fix auth-token not being updated if auth-nocache is set Remove auth_user_pass.wait_for_push variable David Sommerseth (1): compat/lz4: Update to v1.9.2 Gert Doering (12): Fix stack overflow in OpenSolaris NEXTADDR() Document that --push-remove is generally more suitable than --push-reset Fix error detection / abort in --inetd corner case. Fix TUNSETGROUP compatibility with very old Linux systems. Fix handling of 'route remote_host' for IPv6 transport case. Fix description of --client-disconnect calling convention in manpage. Handle NULL returns from calloc() in sample plugins. Fix --show-gateway for IPv6 on NetBSD/i386. socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes Fix redirecting of IPv4 default gateway if connecting over IPv6. Change travis build scripts to use https when fetching prerequisites. Fix line number reporting on config file errors after <inline> segments Jeremy Evans (1): Switch assertion failure to returning false Matthias Andree (1): Fix stack buffer overruns in NEXTADDR() macro: Selva Nair (3): Parse static challenge response in auth-pam plugin Accept empty password and/or response in auth-pam plugin Persist management-query-remote and proxy prompts Vladislav Grishenko (2): Log serial number of revoked certificate Fix fatal error at switching remotes (#629) -
v2.5.0
OpenVPN v2.5.0 release 2020.10.27 -- Version 2.5.0 (no changes relative to v2.5_rc3) -
v2.5_rc3
OpenVPN v2.5_rc3 release 2020.10.15 -- Version 2.5_rc3 Arne Schwabe (2): Allow 'none' cipher being specified in --data-ciphers Add function for common env setting of verify user/pass calls David Sommerseth (1): compat/lz4: Update to v1.9.2 Gert Doering (2): Fix redirecting of IPv4 default gateway if connecting over IPv6. Avoid passing NULL to argv_printf_cat() in temp_file error case. Jan Seeger (1): Added 'route_ipv6_metric_NN' environment variable for IPv6 route metric. Richard Bonhomme (1): Improve error msg when all TAP adapters are in use 'or disabled' Steffan Karger (1): networking_iproute2: fix memory leak in net_iface_mtu_set() Vladislav Grishenko (2): Selectively reformat too long lines Speedup TCP remote hosts connections -
v2.5_rc2
OpenVPN v2.5_rc2 release 2020.09.30 -- Version 2.5_rc2 Lev Stipakov (1): Alias ADAPTER_DOMAIN_SUFFIX to DOMAIN Selva Nair (2): Set DNS Domain using iservice Improve documentation of --username-as-common-name Simon Rozman (4): netsh: Specify interfaces by index rather than name netsh: Clear existing IPv6 DNS servers before configuring new ones netsh: Delete WINS servers on TUN close openvpnmsica: Simplify find_adapters() to void return Vladislav Grishenko (1): Fix update_time() and openvpn_gettimeofday() coexistence -
v2.5_rc1
OpenVPN v2.5_rc1 release 2020.09.21 -- Version 2.5_rc1 David Sommerseth (4): man: Add missing --server-ipv6 man: Improve --remote entry sample-plugins: Partially autotoolize the sample-plugins build build: Fix make distclean/distcheck Gert Doering (10): Fix handling of 'route remote_host' for IPv6 transport case. Replace 'echo -n' with 'printf' in tests/t_lpback.sh Fix description of --client-disconnect calling convention in manpage. Handle NULL returns from calloc() in sample plugins. Fix --show-gateway for IPv6 on NetBSD/i386. socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes Fix netbits setting (in TAP mode) for IPv6 on Windows. If IPv6 pool specification sets pool start to ::0 address, increment. Add demo plugin that excercises "CLIENT_CONNECT" and "CLIENT_CONNECT_V2" paths Fix combination of --dev tap and --topology subnet across multiple platforms. Lev Stipakov (1): msvc: better support for 32bit architecture Selva Nair (2): Add a remark on dropping privileges when --mlock is used Allow --dhcp-option in config file when windows-driver is wintun Vladislav Grishenko (1): Fix fatal error at switching remotes (#629) -
v2.5_beta4
OpenVPN v2.5_beta4 release 2020.09.10 -- Version 2.5_beta4 Gert Doering (3): Document that --push-remove is generally more suitable than --push-reset Fix error detection / abort in --inetd corner case. Fix TUNSETGROUP compatibility with very old Linux systems. Lev Stipakov (1): openvpnmsica: make adapter renaming non-fatal Selva Nair (1): In tap.c use DiInstallDevice to install the driver on a new adapter Vladislav Grishenko (1): Fix best gateway selection over netlink -
v2.5_beta3
OpenVPN v2.5_beta3 release 2020.08.31 -- Version 2.5_beta3 Arne Schwabe (1): Fix client NCP OCC fallback when server and client cipher are identical -
v2.5_beta2
OpenVPN v2.5_beta2 release 2020.08.26 -- Version 2.5_beta2 Arne Schwabe (1): Fix client's poor man NCP fallback Eric Thorpe (1): Fixes a bug in management_callback_send_cc_message, should be strlen instead of sizeof Gert Doering (2): Fix stack overflow in OpenSolaris NEXTADDR() Workaround FreeBSD 12+ race condition on tun/tap open with IPv6. Lev Stipakov (1): tun.c: enable using wintun driver under SYSTEM Magnus Kroken (2): doc: fix typos in cipher-negotiation.rst Changes.rst: fix mistyped option names Selva Nair (1): Improve the documentation for --dhcp-option -
v2.5_beta1
OpenVPN v2.5_beta1 2020.08.12 -- Version 2.5_beta1 Adam Ciarcin?ski (1): Fix subnet topology on NetBSD. Antonio Quartulli (113): attempt to add IPv6 route even when no IPv6 address was configured fix redirect-gateway behaviour when an IPv4 default route does not exist CRL: use time_t instead of struct timespec to store last mtime ignore remote-random-hostname if a numeric host is provided Ignore auth-nocache for auth-user-pass if auth-token is pushed crypto: correct typ0 in error message use M_ERRNO instead of explicitly printing errno don't print errno twice ntlm: avoid useless cast ntlm: unwrap multiple function calls route: improve error message management: preserve wait_for_push field when asking for user/pass tls-crypt: avoid warnings when --disable-crypto is used ntlm: convert binary buffers to uint8_t * ntlm: restyle compressed multiple function calls ntlm: improve code style and readability OpenSSL: remove unreachable call to SSL_CTX_get0_privatekey() make function declarations C99 compliant remove unused functions use NULL instead of 0 when assigning pointers add missing static attribute to functions ntlm: avoid breaking anti-aliasing rules remove the --disable-multi config switch rename mroute_extract_addr_ipv4 to mroute_extract_addr_ip route: avoid definition of unused variables in certain configurations fix a couple of typ0s in comments and strings fragment.c: simplify boolean expression tcp-server: ensure AF family is propagated to child context Remove ENABLE_CRYPTO Remove option to disable crypto engine Remove ENABLE_PUSH_PEER_INFO Remove SSL_LIB_VER_STR Remove MD5SUM reload HTTP proxy credentials when moving to the next connection profile Allow learning iroutes with network made up of all 0s (only if netbits < 8) mbedtls: fix typ0 in comment manpage: fix simple typ0 pool: restyle ipv4/ipv6 members to improve readability pool: convert pool 'type' to enum tun: ensure gc and argv are properly handled tun: always pass a valid tt pointer tun: get rid of tt->did_ifconfig member tun: ensure interface can be configured with IPv6 only add support for %lu in argv_printf and prevent ASSERT windows: properly configure TAP driver when no IPv4 is configured socket: make stream_buf_* functions static crypto: always reload tls-auth/crypt key contexts make tls-auth and tls-crypt per-connection-block options pf: restyle pf_c2c/addr_test() to make them 'struct context' agnostic merge *-inline.h files with their main header ensure function declarations are compiled with their definitions buffer_list: add functions documentation ifconfig-ipv6(-push): allow using hostnames tls-crypt: properly cast time_t to uint64_t implement platform generic networking API implement networking API for iproute2 introduce sitnl: Simplified Interface To NetLink tun.c: use new networking API to handle tun interface on Linux travis.yml: add test for iproute2 net implementation route.c: use new networking API to handle routing table on Linux unit tests: implement test for sitnl t_net.sh: make bash dep explicit and run only if SITNL is compiled t_net.sh: properly perform sudo check and print test steps route.c: fix windows build by removing mismatching function parameter t_net.sh: fixes for the networking test script route.c: use sitnl to implement get_default_gateway_ipv6() networking/best_gw: remove useless prefixlen parameter sitnl: harden strncpy() by forcing arguments to have the same length mbedtls: fix segfault by calling mbedtls_cipher_free() in cipher_ctx_free() networking: extend API for better memory management tun.c: undo_ifconfig_ipv4/6 remove useless gc argument networking_sitnl.c: uncrustify file route.c: simplify ifdef logic t_net.sh: wait for NO-CARRIER bit to settle before starting test t_net.sh: execute sleep after checking exit code of previous command maddr: create helper function to populate maddr object from eth_addr VLAN: add basic VLAN tagging support maddr: export VLAN ID from client context to maddr object VLAN: filter multicast and client-to-client unicast traffic is_ipv_X: add support for parsing IP header inside a 802.1q frame VLAN: implement support for forwarding only pre-tagged VLAN packets VLAN: allow forwarding tagged and untagged packets on the server TAP device VLAN: add documentation to manpage socks: use the right function when printing struct openvpn_sockaddr add -Wno-stringop-truncation to CFLAGS on linux get rid of 'broadcast' argument when configuring the tun device auth_token_kt: ensure key_type object is initialized auth.c: make cast explicit in the crypto API travis: compile with -Werror on Linux travis: fix CFLAGS assignment error and add -Werror only when compiling on Linux for Linux sitnl: fix failure reporting by keeping error negative sitnl: fix TUN/TAP confusion in error messages sitnl: fix ignoring EEXIST when sending a netlink command t_net.sh: use dummy interface instead of tun remove bogus file check on --genkey argument t_net.sh: assign MAC address directly during interface creation convert *_inline attributes to bool options: fix inlining auth-gen-token-secret file tls-crypt-v2: fix testing of inline key get rid of INLINE_FILE_TAG constant pool: prevent IPv6 pools to be larger than 2^16 addresses pool: allow to configure an IPv6-only ifconfig-pool allow usage of --server-ipv6 even when no --server is specified pool: add support for ifconfig-pool-persist with IPv6 only route: warn on IPv4 routes installation when no IPv4 is configured options: enable IPv4 redirection logic only if really required ipv6-pool: get rid of size constraint pool: remove useless 'options.h' include multi: skip IPv4 logic in multi_select_virtual_addr() if no pool is configured multi.c: use mi->cc_config instead of config variable options: don't leak inline'd key material in logfile t_net.sh: drop hard dependency on t_client.rc travis: don't run t_net.sh test Arne Schwabe (124): Set tls-cipher restriction before loading certificates Print ec bit details, refuse management-external-key if key is not RSA Replace buffer backed strings for management_android_control with simple stack variables Treat dhcp-option DNS6 and DNS identical show the right string for key-direction Add MTU to Android IFCONFIG6 control command Properly free tuntap struct on android when emulating persist-tun Add OpenSSL compat definition for RSA_meth_set_sign Skip error about ioctl(SIOCGIFCONF) failed on Android Factor out convert_tls_list_to_openssl method Remove AUTO_USERID feature Remove MANAGMENT_EXTERNAL_KEY, MANAGMENT_IN_EXTRA, ENABLE_CLIENT_CR Add support for tls-ciphersuites for TLS 1.3 Add better support for showing TLS 1.3 ciphersuites in --show-tls Use right function to set TLS1.3 restrictions in show-tls Refuse mbed TLS external key with non RSA certificates Add message explaining early TLS client hello failure Add tls-crypt-v2 to the list of supported inline options Implement block-ipv6 Fallback to password authentication when auth-token fails Fix loading inline tls-crypt-v2 keys with mbed TLS Refactor tls_crypt_v2_write_server_key_file into crypto.c Add send_control_channel_string_dowork variant Rename tls_crypt_v2_read_keyfile into generic pem_read_key_file Fix poll.h logic in syshead.h Write key to stdout if filename is not given Implement --genkey type keyfile syntax and migrate tls-crypt-v2 Add generate_ephemeral_key that allows a random ephermal key Remove -no-cpp-precomp flag from Darwin builds Fix check if iface name is set Adjust Android code after sitnl patch merge Rewrite auth-token-gen to be based on HMAC based tokens Implement a permanent session id in auth-token Sent indication that a session is expired to clients Implement unit tests for auth-gen-token Make tls_version_max return the actual maximum version Add support for OpenSSL TLS 1.3 when using management-external-key Document tls-ciphersuites also in --help output Only announce IV_NCP=2 when we are willing to support these ciphers Add strsep compat function Implement dynamic NCP negotiation Warn about insecure ciphers also in init_key_type Move NCP related function into a seperate file and add unit tests Normalise ncp-ciphers option and restrict it to 127 bytes Fetch OpenSSL versions via source/old links Fix OpenSSL error stack handling of tls_ctx_add_extra_certs Fix off-by-one in tls-crypt-v2 client wrapping with custom metadata Fix OpenSSL 1.1.1 not using auto elliptic curve selection Refactor counting number of element in a : delimited list into function Minor style change to improve code style Another round of uncrustify code cleanup. Fix tls_ctx_client/server_new leaving error on OpenSSL error stack Add tls-crypt-v2 test writing metadata Use crypto library functions for const time memcmp when possible Fix session id in env missing first byte Document reneweal mechanic of auth-token in manual Fix session id and initial timestamp not being preserved Do not write extra 0 byte for --gen-key with auth-token/tls-crypt-v2 Refuse server mode on Android Add .git-blame-ignore-revs with reformat commits Make cipher_kt_name always return normalised cipher name Make cipher_kt_get also accept OpenVPN config cipher name Implement parsing and sending INFO and INFO_PRE control messages Implement support for signalling IV_SSO to server Implement sending response to challenge via CR_RESPONSE Implement sending AUTH_PENDING challenges to clients Implement forwarding client CR_RESPONSE messages to management Add unit test for cipher name translations Make compression asymmetric by default and add warnings Reformat files using uncrustify Remove parameter config from multi_client_connect_mda Remove push_reply_deferred variable Remove did_open_context, defined and connection_established_flag merge key_state->authenticated and key_state->auth_deferred Simplify multi_connection_established. Deprecate ncp-disable and add improved ncp to Changes.rst Make key_state->authenticated more state machine like Extract process_incoming_push_reply from process_incoming_push_msg Removed unused definition Code cleanup: remove superflous variable Move protocol option negotiation from push_prepare to new function Generate data channel keys after connect options have been parsed Cleanup: Remove special case code for old poor man's NCP. Allow changing fallback cipher from ccd files/client-connect client-connect: Change cas_context from int to enum client-connect: Move adding inotify watch into its own function reformat multi_client_generate_tls_keys according to uncrustify client-connect: Add CC_RET_DEFERRED and cope with deferred client-connect Remove CAS_PARTIAL state client-connect: Use inotify for the deferred client-connect status file client-connect: Implement deferred connect support for plugin API v2 Drop support for OpenSSL 1.0.1 Require AEAD support in the crypto library Remove key-method 1 Remove ENABLE_OCC #define Implement tls-groups option to specify eliptic curves/groups Avoid sending --cipher to clients not supporting NCP Indicate that a client is in pull mode in IV_PROTO Deprecate --inetd Include utun device number in utun error messages Simplify calling logic of check_connection_established_dowork Avoid sending push request after receving push reply Rename ncp-ciphers to data-ciphers Add a note that ncp-ciphers is replaced by data-ciphers client-connect: Add documentation for the deferred client connect feature Rework NCP compability logic and drop BF-CBC support by default Document different behaviour of dynamic cipher negotiation Minor cleanup in push.c Clean up a number of leftover C89 initialisations in ssl.c Remove buf argument from link_socket_set_outgoing_addr Remove a number of check/do_work wrapper calls from coarse_timers Split pf_check_reload check and check timer in process_coarse_timers Rename check_ping_restart_dowork to trigger_ping_timeout_signal Eliminate check_fragment function Eliminate check_incoming_control_channel wrapper function Eliminate check_tls wrapper function Merge check_coarse_timers and check_coarse_timers_dowork Skip existing interfaces on opening the first available utun on macOS Move parsing IV_PROTO to separate function Remove S_OP_NORMAL key state. Document comp-lzo no and compress being incompatible Refactor/Reformat tls_pre_decrypt Cleanup tls_pre_decrypt_lite and tls_pre_encrypt Improve sections about older OpenVPN clients in cipher-negotiation.rst Bertrand Bonnefoy-Claudet (1): Fix typo in error message: "optione" -> "option" Christian Ehrhardt (1): systemd: extend CapabilityBoundingSet for auth_pam Christian Hesse (7): man: fix formatting for alternative option systemd: Use automake tools to install unit files systemd: Do not race on RuntimeDirectory systemd: Add more security feature for systemd units Clean up plugin path handling plugin: Remove GNUism in openvpn-plugin.h generation fix typo in notification message Christopher Schenk (3): Set the correct mtu on windows based systems Log a note if someone wants to set a MTU below 1280 on IPv6 Unified success messages for setting mtu Conrad Hoffmann (2): Use provided env vars in up/down script. Document down-root plugin usage in client.down David Sommerseth (64): docs: Further enhance the documentation related to SWEET32 man: Remove references to no longer present IV_RGI6 peer-info build: Ensure Changes.rst is shipped and installed as a doc file management: >REMOTE operation would overwrite ce change indicator management: Remove a redundant #ifdef block git: Merge .gitignore files into a single file systemd: Move the READY=1 signalling to an earlier point dev-tools: Simple tool which automates rebasing LZ4 compat library dev-tools: lz4-rebaser tool carried a typo plugin: Improve the handling of default plug-in directory cleanup: Remove faulty env processing functions auth-token: Ensure tokens are always wiped on de-auth docs: Fixed man-page warnings discoverd by rpmlint Make --cipher/--auth none more explicit on the risks Require minimum OpenSSL 1.0.1 Fix broken ./configure on systems without openssl.pc plugin: Fix documentation typo for type_mask plugin: Export secure_memzero() to plug-ins crypto: Enable SHA256 fingerprint checking in --verify-hash copyright: Update GPLv2 license texts dev-tools: Script generating the source releases in an automated fashion auth-token with auth-nocache fix broke --disable-crypto builds doc: The CRL processing is not a deprecated feature cleanup: Move write_pid() to where it is being used contrib: Remove keychain-mcd code cleanup: Move init_random_seed() to where it is being used Highlight deprecated features Use consistent version references docs: Replace all PolarSSL references to mbed TLS systemd: Ensure systemd shuts down OpenVPN in a proper way systemd: Enable systemd's auto-restart feature for server profiles lz4: Move towards a newer LZ4 API lz4: Fix confused version check lz4: Fix broken builds when pkg-config is not present but system library is Remove references to keychain-mcd in Changes.rst lz4: Rebase compat-lz4 against upstream v1.7.5 systemd: Add and ship README.systemd Update copyright to include 2018 plus company name change man: Add .TQ groff support macro man: Reword --management to prefer unix sockets over TCP management: Warn if TCP port is used without password plugin: Export base64 encode and decode functions build: Fix build warnings related to get_random() build: Fix another compile warning in console_systemd.c cleanup: Remove RPM openvpn.spec build approach docs: Update INSTALL build: Package missing mock_msg.h auth-token: Fix building with --disable-server auth-token: Fix compiler complaints with --disable-management Improve the comments related to auth-token-hmac patches Documented all the argv related code with minor refactoring build: Remove --disable-server from ./configure options: Fix failing inline tls-auth/crypt with persist-key options: Restore --tls-crypt-v2 inline file capability doc/man: convert openvpn.8 to split-up .rst files doc/man: Mark compression options as deprecated doc/man: Adopt compression documentation doc/man: Documentation for --bind-dev / VRFs on Linux doc/man: Add misssing renegotiation.rst to Makefile.am Remove --no-iv doc/man: Do not install man *.rst files travis: Fix make distcheck failure Remove --ifconfig-pool-linear Remove --client-cert-not-required Domagoj Pensa (2): Fix linking issues on MinGW Skip DNS address validation Emmanuel Deloget (20): OpenSSL: check for the SSL reason, not the full error OpenSSL: don't use direct access to the internal of X509_STORE_CTX OpenSSL: don't use direct access to the internal of SSL_CTX OpenSSL: don't use direct access to the internal of X509_STORE OpenSSL: don't use direct access to the internal of X509_OBJECT OpenSSL: don't use direct access to the internal of RSA_METHOD OpenSSL: SSLeay symbols are no longer available in OpenSSL 1.1 OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit() OpenSSL: don't use direct access to the internal of X509 OpenSSL: don't use direct access to the internal of EVP_PKEY OpenSSL: don't use direct access to the internal of RSA OpenSSL: don't use direct access to the internal of DSA OpenSSL: force meth->name as non-const when we free() it OpenSSL: don't use direct access to the internal of EVP_MD_CTX OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX OpenSSL: don't use direct access to the internal of HMAC_CTX OpenSSL: remove pre-1.1 function from the OpenSSL compat interface OpenSSL: remove EVP_CIPHER_CTX_new() from the compat layer OpenSSL: remove EVP_CIPHER_CTX_free() from the compat layer OpenSSL: check EVP_PKEY key types before returning the pkey Eric Thorpe (1): Fix Building Using MSVC Fabian Knittel (7): client-connect: Split multi_connection_established into separate functions client-connect: Refactor multi_client_connect_source_ccd client-connect: Move multi_client_connect_setenv into early_setup client-connect: Refactor to use return values instead of modifying a passed-in flag client-connect: Refactor client-connect handling to calling a bunch of hooks in a loop client-connect: Add deferred support to the client-connect script handler client-connect: Add deferred support to the client-connect v1 plugin handler Gert Doering (50): Remove IV_RGI6=1 peer-info signalling. Add openssl_compat.h to openvpn_SOURCES Fix '--dev null' Fix installation of IPv6 host route to VPN server when using iservice. Make ENABLE_OCC no longer depend on !ENABLE_SMALL Fix NCP behaviour on TLS reconnect. Remove erroneous limitation on max number of args for --plugin proxy.c refactoring: remove always-NULL gc parameter Fix edge case with clients failing to set up cipher on empty PUSH_REPLY. Fix potential 1-byte overread in TCP option parsing. Fix remotely-triggerable ASSERT() on malformed IPv6 packet. Update Changes.rst with relevant info for 2.4.3 release. Remove warning on pushed tun-ipv6 option. Fix removal of on-link prefix on windows with netsh Fix potential double-free() in Interactive Service (CVE-2018-9336) Add %d, %u and %lu tests to test_argv unit tests. Extend push-remove to also handle 'ifconfig'. Print lzo_init() return code in case of errors Uncrustify sample-plugin sources according to code style uncrustify openvpnserv/ sources uncrustify openvpn/ sources Add 'printing of port number' to mroute_addr_print_ex() for v4-mapped v6. Stop complaining about IPv6 routes without gateway address. Copy one byte less in strncpynt() Remove cmocka submodule, rely on system-wide installation instead. Increase listen() backlog queue to 32 repair tap mode on OpenSolaris/OpenIndiana Fix IPv6 routes on tap interfaces on OpenSolaris/OpenIndiana OpenSolaris/OpenIllumos: use /bin/bash if available for test scripts. Force combinationation of --socks-proxy and --proto UDP to use IPv4. Uncrustify the tests/unit_tests/ part of our tree. Change client side of t_lpback.sh configs to use inline material. Simplify pool size handling, fix possible array overrun on pool reading. Change timestamps in file-based logging to ISO 8601 time format. Depreciation warning for --topology net30 on servers with IPv4 pools. Convert plugin/auth-pam.c from stderr logging to plugin_log(). Add c1ff8f247f91c88a2df5502eeedf42857f9a6831 (engine, pool, SSO) to .git-blame-ignore-revs Linux: do not change --txqueuelen OS default if not configured. Fix 'engine' unit test on FreeBSD (specifically 'not GNU make') t_client.sh: correctly report all failed instances in summary Remove --writepid file on program exit. Handle connecting clients without NCP or OCC without crashing. Add deferred authentication support to plugin-auth-pam Separate handling of non-deferred return values for client-connect-scripts. Repair --inetd Fix sequence of events for async plugin v1 handler. Abort client-connect handler loop after first handler sets 'disable'. Add depreciation notice for --ncp-disable to protocol-options.rst Changes.rst updates in preparation to 2.5_beta1 Preparing release 2.5_beta1 Gert van Dijk (7): Warn that DH config option is only meaningful in a tls-server context Add generated openvpn.doxyfile to .gitignore manpage: improve description of --status and --status-version Add negotiated cipher to status file format 2 and 3 Minor reliability layer documentation fixes Make second parameter to reliable_send_purge() const Remove unneeded newline in debug message in reliable.c Gisle Vanem (2): Crash in options.c Wrong FILETYPE in .rc files Guido Vranken (6): refactor my_strupr Fix 2 memory leaks in proxy authentication routine Fix memory leak in add_option() for option 'connection' Ensure option array p[] is always NULL-terminated Fix a null-pointer dereference in establish_http_proxy_passthru() Prevent two kinds of stack buffer OOB reads and a crash for invalid input data Heiko Hund (3): re-implement argv_printf_*() argv: do fewer memory re-allocations Add gc_arena to struct argv to save allocations Hilko Bengen (1): Do not set pkcs11-helper 'safe fork mode' Hristo Venev (1): Fix extract_x509_field_ssl for external objects, v2 Ilya Shipitsin (18): Resolve several travis-ci issues github: Add PR template with contributor related information travis-ci: add 'make distcheck' to test scenario, V2 travis-ci: remove unused files v4, travis-ci: add 2 mingw "build only" configurations travis-ci: added gcc and clang openssl-1.1.0 builds travis-ci: update openssl to 1.0.2l, update mbedtls to 2.5.1 travis-ci: update pkcs11-helper to 1.22 travis-ci: add brew cache, remove ccache travis-ci: modify openssl build script to support openssl-1.1.0 travis-ci: cleanup, refactor, upgrade ssl libraries travis-ci: add "linux-ppc64le" to build matrix travis-ci: change trusty image to xenial travis-ci: update osx to xcode9.4 and modernize brew management configure.ac: fix compile-time error in argv_testdriver travis-ci: fix osx builds travis-ci: update components versions travis-ci: add arm64, s390x builds. James Bekkema (2): Resolves small IV_GUI_VER typo in the documentation. Adds support for setting the default IPv6 gateway for routes using the route-ipv6-gateway option. James Bottomley (7): autoconf: Fix engine checks for openssl 1.1 openssl: add engine method for loading the key crypto_openssl: add initialization to pick up local configuration crypto_openssl: add include for openssl/conf.h Add unit tests for engine keys Fix make distcheck for new engine key unit test engine-key tests: make check_engine_keys.sh work with --enable-small Jan Just Keijser (1): Added support for DHCP option 119 (dns search suffix list) for Windows. Jeremie Courreges-Anglas (5): Cast time_t to long long in order to print it. Print time_t as long long and suseconds_t as long Cast and print another suseconds_t as long Use long long to format time_t-related environment variables Fix build with LibreSSL Jeremy Evans (1): Switch assertion failure to returning false Jonathan K. Bullard (1): Clarify and expand management interface documentation Jonathan Tooker (1): Fix various spelling mistakes Joost Rijneveld (1): Make return code external tls key match docs Jrmie Courrges-Anglas (2): Fix an unaligned access on OpenBSD/sparc64 Missing include for socket-flags TCP_NODELAY on OpenBSD Kyle Evans (1): tests/t_lpback.sh: Switch sed(1) to POSIX-compatible regex. Lev Stipakov (46): win: support for Visual Studio 2017 Refactor NCP-negotiable options handling init.c: refine functions names and description openvpnserv: clarify return values type crypto.h: remove unused function declaration interactive.c: fix usage of potentially uninitialized variable options.c: fix broken unary minus usage Introduce openvpn_swprintf() with nul termination guarantee Wrap openvpn_swprintf into Windows define test_tls_crypt.c: fix global-buffer-overflow found by AddressSanitizer crypto_openssl.c: fix heap-buffer-overflow found by AddressSanitizer Fix various compiler warnings Fix broken fragment/mssfix with NCP crypto.c: fix Visual Studio build tun.h: change tun_set() return value type to void tun.h: remove TUN_PASS_BUFFER define tapctl: add optional 'hardware id' parameter vcxproj: add missing source files push.c: fix Visual Studio build Visual Studio: make it easier to build with VS msvc: OpenSSL 1.1.x support travis: add Visual Studio build Visual Studio: upgrade project files to VS2019 wintun: add --windows-driver config option wintun: implement opening wintun device travis: bump MSVC to 2019 travis: bump clang version wintun: ring buffers based I/O wintun: interactive service support wintun: set adapter properties via interactive service wintun: clear adapter settings on tun close tun.c: refactor open_tun() implementation tun.c: do not add/remove on-link IPv4 route on tun open/close options.c: do not force route delay when not using DHCP configure.ac: simplify AC_CHECK_FUNCS statements cryptoapi.c: fix run-time check failure in msvc debugger interactive.c: remove unused function tun.c: fix 'use after free' error Fix building with --enable-async-push in FreeBSD Fix broken async push with NCP is used Fix illegal client float (CVE-2020-11810) msvc: fix various level2 warnings tap.c: fix adapter renaming Improve Windows version detection with manifest wintun: remove SYSTEM elevation hack Fix compilation with --disable-lzo and --disable-lz4 Matthias Andree (3): Make openvpn-plugin.h self-contained again. Merge Makefile.am's AUTOMAKE_OPTIONS into configure.ac's AM_INIT_AUTOMAKE. Fix stack buffer overruns in NEXTADDR() macro: Maxim Plotnikov (1): OpenSSL: Fix --crl-verify not loading multiple CRLs in one file Maximilian Wilhelm (1): Add --bind-dev option. Michal Soltys (1): man: correct the description of --capath and --crl-verify regarding CRLs Mykola Baibuz (1): Fix typo in NTLM proxy debug message Olivier Wahrenberger (1): Fix building with LibreSSL 2.5.1 by cleaning a hack. Richard Bonhomme (3): man: Corrections to doc/openvpn.8 Ignore --pull-filter for --mode server doc/man: Update --txqueuelen default setting (Now OS default) Richard van den Berg via Openvpn-devel (1): Fix error message when using RHEL init script Rosen Penev (2): Remove wrong poll.h include openssl: Fix compilation without deprecated OpenSSL 1.1 APIs Samy Mahmoudi (1): man: correct a --redirection-gateway option flag Santtu Lakkala (1): Fix OpenSSL private key passphrase notices Selva Nair (55): Fix push options digest update Always release dhcp address in close_tun() on Windows. Add a check for -Wl, --wrap support in linker Fix user's group membership check in interactive service to work with domains In auth-pam plugin clear the password after use Pass correct buffer size to GetModuleFileNameW() Check whether in pull_mode before warning about previous connection blocks Avoid illegal memory access when malformed data is read from the pipe Fix missing check for return value of malloc'd buffer Return NULL if GetAdaptersInfo fails Use RSA_meth_free instead of free Bring cryptoapi.c upto speed with openssl 1.1 Add SSL_CTX_get_max_proto_version() not in openssl 1.0 TLS v1.2 support for cryptoapicert -- RSA only Refactor ssl_openssl.c in prep for external EC key support Refactor get_interface_metric to return metric and auto flag separately Add management client version Prompt for signature using '>PK_SIGN' if the client supports it Allow external EC key through --management-external-key Ensure strings read from registry are null-terminated Make most registry values optional Use lowest metric interface when multiple interfaces match a route Move code to free cd to a function CAPI_DATA_free() Disable external ec key support when building with libressl Adapt to RegGetValue brokenness in Windows 7 Fix format spec errors in Windows builds Move setting private key to a function in prep for EC support Support EC certificates with cryptoapicert Delete the IPv6 route to the "connected" network on tun close Management: warn about password only when the option is in use Avoid overflow in wakeup time computation Replace M_DEBUG with D_LOW as the former is too verbose Correct the declaration of handle in 'struct openvpn_plugin_args_open_return' Parse static challenge response in auth-pam plugin Bump version of openvpn plugin argument structs to 5 Accept empty password and/or response in auth-pam plugin Pass the hash without the DigestInfo header to NCryptSignHash() Move get system directory to a separate function Enable dhcp on tap adapter using interactive service Refactor sending commands to interactive service Declare Windows version of openvpn_execve() before use White-list pull-filter and script-security in interactive service Move OpenSSL vs CNG signature digest type mapping to a function Handle PSS padding in cryptoapicert Better error message when script fails due to script-security setting Correct the return value of cryptoapi RSA signature callbacks Fix ACL_CHECK_ADD_COMPILE_FLAGS to work with clang Swap the order of checks for validating interactive service user Skip expired certificates in Windows certificate store Allow unicode search string in --cryptoapicert option Fix possibly uninitialized return value in GetOpenvpnSettings() Fix possible access of uninitialized pipe handles Move querying username/password from management to a function When auth-user-pass file has no password query the management interface (if available). Persist management-query-remote and proxy prompts Simon Matter (2): Fix segfault when using crypto lib without AES-256-CTR or SHA256 Add per session pseudo-random jitter to --reneg-sec intervals Simon Rozman (67): Local functions are not supported in MSVC. Bummer. Mixing wide and regular strings in concatenations is not allowed in MSVC. RtlIpv6AddressToStringW() and RtlIpv4AddressToStringW() require mstcpip.h Simplify iphlpapi.dll API calls Fix local #include to use quoted form Document ">PASSWORD:Auth-Token" real-time message Fix typo in "verb" command examples Uniform swprintf() across MinGW and MSVC compilers MSVC meta files added to .gitignore list openvpnserv: Review MSVC down-casting warnings openvpnserv: Add support for multi-instances Document missing OpenVPN states Add Interactive Service developer documentation Change quoted to angled form when #including external .h files Signed/unsigned warnings of MSVC resolved Reference msvc-generate from compat to assure correct build order msvc: Move common project settings to reusable property sheets msvc: Unify Unicode/MultiByte string setting across all cfg|plat Introduce tapctl.exe utility and openvpnmsica.dll MSI CA Set output name to libopenvpnmsica.dll in MSVC builds too Prevent __stdcall name mangling of MSVC Define _WIN32_WINNT=_WIN32_WINNT_VISTA in MSVC Add MSI custom action for reliable Windows 10 detection Detect TAP interfaces with root-enumerated hardware ID Change C++ to C comments Make MSI custom action debug pop-up more informative Delete TAP interface before the TAP driver is uninstalled Add detection of active VPN connections for MSI packages Add a MSI custom actions to close and relaunch OpenVPN GUI Make DriverCertification MSI property public Extend FindSystemInfo custom action to detect OpenVPNService state Uncrustify tapctl and openvpnmsica Strip _stdcall suffixes (@nn) for 32-bit builds Detect missing TAP driver and bail out gracefully Disambiguate thread local storage references from TLS Add NULL checks Add user manual and developer notes URL for tapctl.exe Refactor OpenVPNService state detection code Add developer notes URL for openvpnmsica.dll Limit tapctl.exe and openvpnmsica.dll to TAP-Windows6 adapters only msvc: Add vlan.c/h tun.c: make Windows device lookup functions more general tun.c: upgrade get_device_guid() to return the Windows driver type tun.c: make wintun_register_ring_buffer() non-fatal on failures wintun: register ring buffers when iterating adapters wintun: add support for --dev-node tun.c: reword the at_least_one_tap_win() error wintun: stop sending TAP-Windows6 ioctls to NDIS device wintun: refactor code to use enum driver type tun.c: refactor driver detection and make it case-insensitive tun.c: uncrustify wintun: check for conflicting options openvpnmsica: Remove required Windows driver certification detection openvpnmsica: Fix TAPInterface.DisplayName field interpretation tapctl: Update documentation wintun: upgrade error message in case of ring registration failure tun.c: reorder IPv6 ifconfig on Windows tapctl: Add functions for enabling/disabling adapters openvpnmsica: Revise MSI custom actions interop openvpnmsica: Simplify static function names openvpnmsica, tapctl: "interface" => "adapter" openvpnmsica: "TAP" => "TUN/TAP" openvpnmsica: Extend to support arbitrary HWID network adapters openvpnmsica, tapctl: Revise default hardware ID management openvpnmsica: Merge FindTUNTAPAdapters into FindSystemInfo tapctl: Support multiple hardware IDs tun.c: revise the IPv4 ifconfig flow on Windows Stefan Strogin (1): Use correct ifdefs for LibreSSL support Steffan Karger (122): Document that RSA_SIGN can also request TLS 1.2 signatures man: encourage user to read on about --tls-crypt Textual fixes for Changes.rst Remove deprecated --no-iv option More broadly enforce Allman style and braces-around-conditionals Use SHA256 for the internal digest, instead of MD5 OpenSSL: 1.1 fallout - fix configure on old autoconf Fix types in WIN32 socket_listen_accept() Remove duplicate X509 env variables Fix non-C99-compliant builds: don't use const size_t as array length Deprecate --ns-cert-type Be less picky about keyUsage extensions cleanup: merge packet_id_alloc_outgoing() into packet_id_write() Don't run packet_id unit tests for --disable-crypto builds Fix Changes.rst layout Fix memory leak in x509_verify_cert_ku() mbedtls: correctly check return value in pkcs11_certificate_dn() Restore pre-NCP frame parameters for new sessions Always clear username/password from memory on error Document tls-crypt security considerations in man page Don't assert out on receiving too-large control packets (CVE-2017-7478) Drop packets instead of assert out if packet id rolls over (CVE-2017-7479) Log the negotiated (NCP) cipher Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c) Skip tls-crypt unit tests if required crypto mode not supported openssl: fix overflow check for long --tls-cipher option Add a DSA test key/cert pair to sample-keys Fix mbedtls fingerprint calculation mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522) mbedtls: require C-string compatible types for --x509-username-field Fix remote-triggerable memory leaks (CVE-2017-7521) Restrict --x509-alt-username extension types Fix potential double-free in --x509-alt-username (CVE-2017-7521) Fix typo in extract_x509_extension() debug message init_key_ctx: key and iv arguments can (now) be const Move adjust_power_of_2() to integer.h Undo cipher push in client options state if cipher is rejected Remove strerror_ts() Move openvpn_sleep() to manage.c fixup: also change missed openvpn_sleep() occurrences Always use default keysize for NCP'd ciphers Move create_temp_file() out of #ifdef ENABLE_CRYPTO sample-plugins: fix ASN1_STRING_to_UTF8 return value checks Deprecate --keysize Move run_up_down() to init.c tls-crypt: introduce tls_crypt_kt() crypto: create function to initialize encrypt and decrypt key Add coverity static analysis to Travis CI config tls-crypt: don't leak memory for incorrect tls-crypt messages travis: reorder matrix to speed up build Fix bounds check in read_key() buffer_list_aggregate_separator(): add unit tests doxygen: add make target and use relative paths Simplify and inline clear_buf() Add --tls-cert-profile option. pf: clean up temporary files if plugin init fails pf: reject client if PF plugin is configured, but init fails Don't throw fatal errors from create_temp_file() create_temp_file/gen_path: prevent memory leak if gc == NULL Use P_DATA_V2 for server->client packets too Fix memory leak in buffer unit tests travis: use clang's -fsanitize=address to catch more bugs Don't throw fatal errors from verify_cert_export_cert() buffer_list_aggregate_separator(): update list size after aggregating buffer_list_aggregate_separator(): don't exceed max_len buffer_list_aggregate_separator(): prevent 0-byte malloc Fix types around buffer_list_push(_data) ssl_openssl: fix compiler warning by removing getbio() wrapper Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+ Add support for TLS 1.3 in --tls-version-{min, max} tls_ctx_set_tls_versions: move verify_flags to where it is used Plug memory leak if push is interrupted Log pre-handshake packet drops using D_MULTI_DROPPED Enable stricter compiler warnings by default reliable: remove reliable_unique_retry() Get rid of ax_check_compile_flag.m4 mbedtls: don't use API deprecated in mbed 2.7 Warn if tls-version-max < tls-version-min Check for more data in control channel Move env helper functions into their own module/file man: add security considerations to --compress section openssl: don't use deprecated SSLEAY/SSLeay symbols openssl: add missing #include statements Move file-related functions from misc.c to platform.c Move execve/run_script helper functions to run_command.c Add crypto_pem_{encode,decode}() Introduce buffer_write_file() mbedtls: print warning if random personalisation fails Fix memory leak after sighup Remove unused void_ptr_hash_function and void_ptr_compare_function Do not load certificate from tls_ctx_use_external_private_key() mbedtls: make external signing code generic mbedtls: remove dependency on mbedtls pkcs11 module Fix memory leak in SSL_CTX_use_certificate travis: add OpenSSL 1.1 Windows build Fix use-after-free in tls_ctx_use_management_external_key Simplify --genkey option syntax Don't print OCC warnings about 'key-method', 'keydir' and 'tls-auth' Add support for CHACHA20-POLY1305 in the data channel List ChaCha20-Poly1305 as stream cipher mbedtls: don't print unsupported ciphers in insecure cipher list Fix mbedtls unit tests buffer_list_aggregate_separator(): simplify code tls-crypt-v2: add specification to doc/ tls-crypt-v2: generate tls-crypt-v2 keys tls-crypt-v2: add unwrap_client_key tls-crypt-v2: add P_CONTROL_HARD_RESET_CLIENT_V3 opcode tls-crypt-v2: implement tls-crypt-v2 handshake tls-crypt-v2: add script hook to verify metadata tls-crypt-v2: clarify --tls-crypt-v2-genkey man page section tls-crypt-v2: fix client reconnect bug Remove deprecated --compat-x509-names and --no-name-remapping Extend tls-crypt-v2 unit tests Fix tls-auth/crypt in connection blocks with --persist-key cmocka: use relative paths tests: remove dependency on base64 configure.ac: add lzo CFLAGS/LIBS to the test flags Update sample configs to use modern cipher, remove static key examples mbedtls: add RFC 5705 keying material exporter support Move keying material exporter check from syshead.h to configure.ac Make openvpn --version exit with exit code 0 Gently push users towards --data-ciphers in --show-ciphers output Steven McDonald (1): Fix gateway detection with OpenBSD routing domains Szilrd Pfeiffer (1): OpenSSL: Always set SSL_OP_CIPHER_SERVER_PREFERENCE flag Thomas Quinot (1): Fix documentation of tls-verify script argument Thomas Veerman via Openvpn-devel (1): Fix socks_proxy_port pointing to invalid data Tom van Leeuwen (1): mbedTLS: Make sure TLS session survives move ValdikSS (1): Set a low interface metric for tap adapter when block-outside-dns is in use Vladislav Grishenko (1): Log serial number of revoked certificate WGH (1): docs: Add reference to X509_LOOKUP_hash_dir(3) hashiz (1): Fix '--bind ipv6only' tincanteksup (1): Correct error message for --tls-crypt-v2-genkey client -
v2.4.9
OpenVPN v2.4.9 release 2020.04.16 -- Version 2.4.9 Antonio Quartulli (1): socks: use the right function when printing struct openvpn_sockaddr Arne Schwabe (3): Fetch OpenSSL versions via source/old links Fix OpenSSL error stack handling of tls_ctx_add_extra_certs Fix OpenSSL 1.1.1 not using auto elliptic curve selection Lev Stipakov (4): Fix broken fragmentation logic when using NCP Fix building with --enable-async-push in FreeBSD Fix broken async push with NCP is used Fix illegal client float (CVE-2020-11810) Maxim Plotnikov (1): OpenSSL: Fix --crl-verify not loading multiple CRLs in one file Santtu Lakkala (1): Fix OpenSSL private key passphrase notices Selva Nair (7): Swap the order of checks for validating interactive service user Move querying username/password from management interface to a function When auth-user-pass file has no password query the management interface (if available). Fix possibly uninitialized return value in GetOpenvpnSettings() Fix possible access of uninitialized pipe handles Skip expired certificates in Windows certificate store Allow unicode search string in --cryptoapicert option Tom van Leeuwen (1): mbedTLS: Make sure TLS session survives move WGH (1): docs: Add reference to X509_LOOKUP_hash_dir(3) -
v2.4.8
OpenVPN v2.4.8 release 2019.10.30 -- Version 2.4.8 Antonio Quartulli (1): mbedtls: fix segfault by calling mbedtls_cipher_free() in cipher_ctx_free() Arne Schwabe (1): Remove -no-cpp-precomp flag from Darwin builds David Sommerseth (3): cleanup: Remove RPM openvpn.spec build approach docs: Update INSTALL build: Package missing mock_msg.h Gert Doering (5): repair windows builds (2.4) Increase listen() backlog queue to 32 Force combinationation of --socks-proxy and --proto UDP to use IPv4. Fix IPv6 routes on tap interfaces on OpenSolaris/OpenIndiana preparing release v2.4.8 (ChangeLog, version.m4, Changes.rst) Gisle Vanem (1): Wrong FILETYPE in .rc files Hilko Bengen (1): Do not set pkcs11-helper 'safe fork mode' Ilya Shipitsin (2): travis-ci: add "linux-ppc64le" to build matrix, change trusty image to xenial, update osx to xcode9.4 and modernize brew management travis-ci: fix osx builds Kyle Evans (1): tests/t_lpback.sh: Switch sed(1) to POSIX-compatible regex. Lev Stipakov (1): Fix various compiler warnings Matthias Andree (1): Fix regression, reinstate LibreSSL support. Michal Soltys (1): man: correct the description of --capath and --crl-verify regarding CRLs Mykola Baibuz (1): Fix typo in NTLM proxy debug message Richard Bonhomme (1): Ignore --pull-filter for --mode server Rosen Penev (1): openssl: Fix compilation without deprecated OpenSSL 1.1 APIs Selva Nair (3): Better error message when script fails due to script-security setting Correct the return value of cryptoapi RSA signature callbacks Handle PSS padding in cryptoapicert Steffan Karger (1): cmocka: use relative paths Thomas Quinot (1): Fix documentation of tls-verify script argument -
v2.4.7
OpenVPN v2.4.7 release 2019.02.19 -- Version 2.4.7 Adam Ciarcin?ski (1): Fix subnet topology on NetBSD (2.4). Antonio Quartulli (3): add support for %lu in argv_printf and prevent ASSERT buffer_list: add functions documentation ifconfig-ipv6(-push): allow using hostnames Arne Schwabe (7): Properly free tuntap struct on android when emulating persist-tun Add OpenSSL compat definition for RSA_meth_set_sign Add support for tls-ciphersuites for TLS 1.3 Add better support for showing TLS 1.3 ciphersuites in --show-tls Use right function to set TLS1.3 restrictions in show-tls Add message explaining early TLS client hello failure Fallback to password authentication when auth-token fails Christian Ehrhardt (1): systemd: extend CapabilityBoundingSet for auth_pam David Sommerseth (1): plugin: Export base64 encode and decode functions Gert Doering (4): Add %d, %u and %lu tests to test_argv unit tests. Fix combination of --dev tap and --topology subnet across multiple platforms. Add 'printing of port number' to mroute_addr_print_ex() for v4-mapped v6. preparing release v2.4.7 (ChangeLog, version.m4, Changes.rst) Gert van Dijk (1): Minor reliability layer documentation fixes James Bekkema (1): Resolves small IV_GUI_VER typo in the documentation. Jonathan K. Bullard (1): Clarify and expand management interface documentation Lev Stipakov (5): Refactor NCP-negotiable options handling init.c: refine functions names and description interactive.c: fix usage of potentially uninitialized variable options.c: fix broken unary minus usage Remove extra token after #endif Richard van den Berg via Openvpn-devel (1): Fix error message when using RHEL init script Samy Mahmoudi (1): man: correct a --redirection-gateway option flag Selva Nair (7): Replace M_DEBUG with D_LOW as the former is too verbose Correct the declaration of handle in 'struct openvpn_plugin_args_open_return' Bump version of openvpn plugin argument structs to 5 Move get system directory to a separate function Enable dhcp on tap adapter using interactive service Pass the hash without the DigestInfo header to NCryptSignHash() White-list pull-filter and script-security in interactive service Simon Rozman (2): Add Interactive Service developer documentation Detect TAP interfaces with root-enumerated hardware ID Steffan Karger (7): man: add security considerations to --compress section mbedtls: print warning if random personalisation fails Fix memory leak after sighup travis: add OpenSSL 1.1 Windows build Fix --disable-crypto build Don't print OCC warnings about 'key-method', 'keydir' and 'tls-auth' buffer_list_aggregate_separator(): simplify code