...
|
...
|
@@ -1,5 +1,899 @@
|
1
|
1
|
OpenVPN Change Log
|
2
|
|
-Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
|
|
2
|
+Copyright (C) 2002-2020 OpenVPN Inc <sales@openvpn.net>
|
|
3
|
+
|
|
4
|
+2020.08.12 -- Version 2.5_beta1
|
|
5
|
+
|
|
6
|
+Adam Ciarcin?ski (1):
|
|
7
|
+ Fix subnet topology on NetBSD.
|
|
8
|
+
|
|
9
|
+Antonio Quartulli (113):
|
|
10
|
+ attempt to add IPv6 route even when no IPv6 address was configured
|
|
11
|
+ fix redirect-gateway behaviour when an IPv4 default route does not exist
|
|
12
|
+ CRL: use time_t instead of struct timespec to store last mtime
|
|
13
|
+ ignore remote-random-hostname if a numeric host is provided
|
|
14
|
+ Ignore auth-nocache for auth-user-pass if auth-token is pushed
|
|
15
|
+ crypto: correct typ0 in error message
|
|
16
|
+ use M_ERRNO instead of explicitly printing errno
|
|
17
|
+ don't print errno twice
|
|
18
|
+ ntlm: avoid useless cast
|
|
19
|
+ ntlm: unwrap multiple function calls
|
|
20
|
+ route: improve error message
|
|
21
|
+ management: preserve wait_for_push field when asking for user/pass
|
|
22
|
+ tls-crypt: avoid warnings when --disable-crypto is used
|
|
23
|
+ ntlm: convert binary buffers to uint8_t *
|
|
24
|
+ ntlm: restyle compressed multiple function calls
|
|
25
|
+ ntlm: improve code style and readability
|
|
26
|
+ OpenSSL: remove unreachable call to SSL_CTX_get0_privatekey()
|
|
27
|
+ make function declarations C99 compliant
|
|
28
|
+ remove unused functions
|
|
29
|
+ use NULL instead of 0 when assigning pointers
|
|
30
|
+ add missing static attribute to functions
|
|
31
|
+ ntlm: avoid breaking anti-aliasing rules
|
|
32
|
+ remove the --disable-multi config switch
|
|
33
|
+ rename mroute_extract_addr_ipv4 to mroute_extract_addr_ip
|
|
34
|
+ route: avoid definition of unused variables in certain configurations
|
|
35
|
+ fix a couple of typ0s in comments and strings
|
|
36
|
+ fragment.c: simplify boolean expression
|
|
37
|
+ tcp-server: ensure AF family is propagated to child context
|
|
38
|
+ Remove ENABLE_CRYPTO
|
|
39
|
+ Remove option to disable crypto engine
|
|
40
|
+ Remove ENABLE_PUSH_PEER_INFO
|
|
41
|
+ Remove SSL_LIB_VER_STR
|
|
42
|
+ Remove MD5SUM
|
|
43
|
+ reload HTTP proxy credentials when moving to the next connection profile
|
|
44
|
+ Allow learning iroutes with network made up of all 0s (only if netbits < 8)
|
|
45
|
+ mbedtls: fix typ0 in comment
|
|
46
|
+ manpage: fix simple typ0
|
|
47
|
+ pool: restyle ipv4/ipv6 members to improve readability
|
|
48
|
+ pool: convert pool 'type' to enum
|
|
49
|
+ tun: ensure gc and argv are properly handled
|
|
50
|
+ tun: always pass a valid tt pointer
|
|
51
|
+ tun: get rid of tt->did_ifconfig member
|
|
52
|
+ tun: ensure interface can be configured with IPv6 only
|
|
53
|
+ add support for %lu in argv_printf and prevent ASSERT
|
|
54
|
+ windows: properly configure TAP driver when no IPv4 is configured
|
|
55
|
+ socket: make stream_buf_* functions static
|
|
56
|
+ crypto: always reload tls-auth/crypt key contexts
|
|
57
|
+ make tls-auth and tls-crypt per-connection-block options
|
|
58
|
+ pf: restyle pf_c2c/addr_test() to make them 'struct context' agnostic
|
|
59
|
+ merge *-inline.h files with their main header
|
|
60
|
+ ensure function declarations are compiled with their definitions
|
|
61
|
+ buffer_list: add functions documentation
|
|
62
|
+ ifconfig-ipv6(-push): allow using hostnames
|
|
63
|
+ tls-crypt: properly cast time_t to uint64_t
|
|
64
|
+ implement platform generic networking API
|
|
65
|
+ implement networking API for iproute2
|
|
66
|
+ introduce sitnl: Simplified Interface To NetLink
|
|
67
|
+ tun.c: use new networking API to handle tun interface on Linux
|
|
68
|
+ travis.yml: add test for iproute2 net implementation
|
|
69
|
+ route.c: use new networking API to handle routing table on Linux
|
|
70
|
+ unit tests: implement test for sitnl
|
|
71
|
+ t_net.sh: make bash dep explicit and run only if SITNL is compiled
|
|
72
|
+ t_net.sh: properly perform sudo check and print test steps
|
|
73
|
+ route.c: fix windows build by removing mismatching function parameter
|
|
74
|
+ t_net.sh: fixes for the networking test script
|
|
75
|
+ route.c: use sitnl to implement get_default_gateway_ipv6()
|
|
76
|
+ networking/best_gw: remove useless prefixlen parameter
|
|
77
|
+ sitnl: harden strncpy() by forcing arguments to have the same length
|
|
78
|
+ mbedtls: fix segfault by calling mbedtls_cipher_free() in cipher_ctx_free()
|
|
79
|
+ networking: extend API for better memory management
|
|
80
|
+ tun.c: undo_ifconfig_ipv4/6 remove useless gc argument
|
|
81
|
+ networking_sitnl.c: uncrustify file
|
|
82
|
+ route.c: simplify ifdef logic
|
|
83
|
+ t_net.sh: wait for NO-CARRIER bit to settle before starting test
|
|
84
|
+ t_net.sh: execute sleep after checking exit code of previous command
|
|
85
|
+ maddr: create helper function to populate maddr object from eth_addr
|
|
86
|
+ VLAN: add basic VLAN tagging support
|
|
87
|
+ maddr: export VLAN ID from client context to maddr object
|
|
88
|
+ VLAN: filter multicast and client-to-client unicast traffic
|
|
89
|
+ is_ipv_X: add support for parsing IP header inside a 802.1q frame
|
|
90
|
+ VLAN: implement support for forwarding only pre-tagged VLAN packets
|
|
91
|
+ VLAN: allow forwarding tagged and untagged packets on the server TAP device
|
|
92
|
+ VLAN: add documentation to manpage
|
|
93
|
+ socks: use the right function when printing struct openvpn_sockaddr
|
|
94
|
+ add -Wno-stringop-truncation to CFLAGS on linux
|
|
95
|
+ get rid of 'broadcast' argument when configuring the tun device
|
|
96
|
+ auth_token_kt: ensure key_type object is initialized
|
|
97
|
+ auth.c: make cast explicit in the crypto API
|
|
98
|
+ travis: compile with -Werror on Linux
|
|
99
|
+ travis: fix CFLAGS assignment error and add -Werror only when compiling on Linux for Linux
|
|
100
|
+ sitnl: fix failure reporting by keeping error negative
|
|
101
|
+ sitnl: fix TUN/TAP confusion in error messages
|
|
102
|
+ sitnl: fix ignoring EEXIST when sending a netlink command
|
|
103
|
+ t_net.sh: use dummy interface instead of tun
|
|
104
|
+ remove bogus file check on --genkey argument
|
|
105
|
+ t_net.sh: assign MAC address directly during interface creation
|
|
106
|
+ convert *_inline attributes to bool
|
|
107
|
+ options: fix inlining auth-gen-token-secret file
|
|
108
|
+ tls-crypt-v2: fix testing of inline key
|
|
109
|
+ get rid of INLINE_FILE_TAG constant
|
|
110
|
+ pool: prevent IPv6 pools to be larger than 2^16 addresses
|
|
111
|
+ pool: allow to configure an IPv6-only ifconfig-pool
|
|
112
|
+ allow usage of --server-ipv6 even when no --server is specified
|
|
113
|
+ pool: add support for ifconfig-pool-persist with IPv6 only
|
|
114
|
+ route: warn on IPv4 routes installation when no IPv4 is configured
|
|
115
|
+ options: enable IPv4 redirection logic only if really required
|
|
116
|
+ ipv6-pool: get rid of size constraint
|
|
117
|
+ pool: remove useless 'options.h' include
|
|
118
|
+ multi: skip IPv4 logic in multi_select_virtual_addr() if no pool is configured
|
|
119
|
+ multi.c: use mi->cc_config instead of config variable
|
|
120
|
+ options: don't leak inline'd key material in logfile
|
|
121
|
+ t_net.sh: drop hard dependency on t_client.rc
|
|
122
|
+ travis: don't run t_net.sh test
|
|
123
|
+
|
|
124
|
+Arne Schwabe (124):
|
|
125
|
+ Set tls-cipher restriction before loading certificates
|
|
126
|
+ Print ec bit details, refuse management-external-key if key is not RSA
|
|
127
|
+ Replace buffer backed strings for management_android_control with simple stack variables
|
|
128
|
+ Treat dhcp-option DNS6 and DNS identical
|
|
129
|
+ show the right string for key-direction
|
|
130
|
+ Add MTU to Android IFCONFIG6 control command
|
|
131
|
+ Properly free tuntap struct on android when emulating persist-tun
|
|
132
|
+ Add OpenSSL compat definition for RSA_meth_set_sign
|
|
133
|
+ Skip error about ioctl(SIOCGIFCONF) failed on Android
|
|
134
|
+ Factor out convert_tls_list_to_openssl method
|
|
135
|
+ Remove AUTO_USERID feature
|
|
136
|
+ Remove MANAGMENT_EXTERNAL_KEY, MANAGMENT_IN_EXTRA, ENABLE_CLIENT_CR
|
|
137
|
+ Add support for tls-ciphersuites for TLS 1.3
|
|
138
|
+ Add better support for showing TLS 1.3 ciphersuites in --show-tls
|
|
139
|
+ Use right function to set TLS1.3 restrictions in show-tls
|
|
140
|
+ Refuse mbed TLS external key with non RSA certificates
|
|
141
|
+ Add message explaining early TLS client hello failure
|
|
142
|
+ Add tls-crypt-v2 to the list of supported inline options
|
|
143
|
+ Implement block-ipv6
|
|
144
|
+ Fallback to password authentication when auth-token fails
|
|
145
|
+ Fix loading inline tls-crypt-v2 keys with mbed TLS
|
|
146
|
+ Refactor tls_crypt_v2_write_server_key_file into crypto.c
|
|
147
|
+ Add send_control_channel_string_dowork variant
|
|
148
|
+ Rename tls_crypt_v2_read_keyfile into generic pem_read_key_file
|
|
149
|
+ Fix poll.h logic in syshead.h
|
|
150
|
+ Write key to stdout if filename is not given
|
|
151
|
+ Implement --genkey type keyfile syntax and migrate tls-crypt-v2
|
|
152
|
+ Add generate_ephemeral_key that allows a random ephermal key
|
|
153
|
+ Remove -no-cpp-precomp flag from Darwin builds
|
|
154
|
+ Fix check if iface name is set
|
|
155
|
+ Adjust Android code after sitnl patch merge
|
|
156
|
+ Rewrite auth-token-gen to be based on HMAC based tokens
|
|
157
|
+ Implement a permanent session id in auth-token
|
|
158
|
+ Sent indication that a session is expired to clients
|
|
159
|
+ Implement unit tests for auth-gen-token
|
|
160
|
+ Make tls_version_max return the actual maximum version
|
|
161
|
+ Add support for OpenSSL TLS 1.3 when using management-external-key
|
|
162
|
+ Document tls-ciphersuites also in --help output
|
|
163
|
+ Only announce IV_NCP=2 when we are willing to support these ciphers
|
|
164
|
+ Add strsep compat function
|
|
165
|
+ Implement dynamic NCP negotiation
|
|
166
|
+ Warn about insecure ciphers also in init_key_type
|
|
167
|
+ Move NCP related function into a seperate file and add unit tests
|
|
168
|
+ Normalise ncp-ciphers option and restrict it to 127 bytes
|
|
169
|
+ Fetch OpenSSL versions via source/old links
|
|
170
|
+ Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
|
|
171
|
+ Fix off-by-one in tls-crypt-v2 client wrapping with custom metadata
|
|
172
|
+ Fix OpenSSL 1.1.1 not using auto elliptic curve selection
|
|
173
|
+ Refactor counting number of element in a : delimited list into function
|
|
174
|
+ Minor style change to improve code style
|
|
175
|
+ Another round of uncrustify code cleanup.
|
|
176
|
+ Fix tls_ctx_client/server_new leaving error on OpenSSL error stack
|
|
177
|
+ Add tls-crypt-v2 test writing metadata
|
|
178
|
+ Use crypto library functions for const time memcmp when possible
|
|
179
|
+ Fix session id in env missing first byte
|
|
180
|
+ Document reneweal mechanic of auth-token in manual
|
|
181
|
+ Fix session id and initial timestamp not being preserved
|
|
182
|
+ Do not write extra 0 byte for --gen-key with auth-token/tls-crypt-v2
|
|
183
|
+ Refuse server mode on Android
|
|
184
|
+ Add .git-blame-ignore-revs with reformat commits
|
|
185
|
+ Make cipher_kt_name always return normalised cipher name
|
|
186
|
+ Make cipher_kt_get also accept OpenVPN config cipher name
|
|
187
|
+ Implement parsing and sending INFO and INFO_PRE control messages
|
|
188
|
+ Implement support for signalling IV_SSO to server
|
|
189
|
+ Implement sending response to challenge via CR_RESPONSE
|
|
190
|
+ Implement sending AUTH_PENDING challenges to clients
|
|
191
|
+ Implement forwarding client CR_RESPONSE messages to management
|
|
192
|
+ Add unit test for cipher name translations
|
|
193
|
+ Make compression asymmetric by default and add warnings
|
|
194
|
+ Reformat files using uncrustify
|
|
195
|
+ Remove parameter config from multi_client_connect_mda
|
|
196
|
+ Remove push_reply_deferred variable
|
|
197
|
+ Remove did_open_context, defined and connection_established_flag
|
|
198
|
+ merge key_state->authenticated and key_state->auth_deferred
|
|
199
|
+ Simplify multi_connection_established.
|
|
200
|
+ Deprecate ncp-disable and add improved ncp to Changes.rst
|
|
201
|
+ Make key_state->authenticated more state machine like
|
|
202
|
+ Extract process_incoming_push_reply from process_incoming_push_msg
|
|
203
|
+ Removed unused definition
|
|
204
|
+ Code cleanup: remove superflous variable
|
|
205
|
+ Move protocol option negotiation from push_prepare to new function
|
|
206
|
+ Generate data channel keys after connect options have been parsed
|
|
207
|
+ Cleanup: Remove special case code for old poor man's NCP.
|
|
208
|
+ Allow changing fallback cipher from ccd files/client-connect
|
|
209
|
+ client-connect: Change cas_context from int to enum
|
|
210
|
+ client-connect: Move adding inotify watch into its own function
|
|
211
|
+ reformat multi_client_generate_tls_keys according to uncrustify
|
|
212
|
+ client-connect: Add CC_RET_DEFERRED and cope with deferred client-connect
|
|
213
|
+ Remove CAS_PARTIAL state
|
|
214
|
+ client-connect: Use inotify for the deferred client-connect status file
|
|
215
|
+ client-connect: Implement deferred connect support for plugin API v2
|
|
216
|
+ Drop support for OpenSSL 1.0.1
|
|
217
|
+ Require AEAD support in the crypto library
|
|
218
|
+ Remove key-method 1
|
|
219
|
+ Remove ENABLE_OCC #define
|
|
220
|
+ Implement tls-groups option to specify eliptic curves/groups
|
|
221
|
+ Avoid sending --cipher to clients not supporting NCP
|
|
222
|
+ Indicate that a client is in pull mode in IV_PROTO
|
|
223
|
+ Deprecate --inetd
|
|
224
|
+ Include utun device number in utun error messages
|
|
225
|
+ Simplify calling logic of check_connection_established_dowork
|
|
226
|
+ Avoid sending push request after receving push reply
|
|
227
|
+ Rename ncp-ciphers to data-ciphers
|
|
228
|
+ Add a note that ncp-ciphers is replaced by data-ciphers
|
|
229
|
+ client-connect: Add documentation for the deferred client connect feature
|
|
230
|
+ Rework NCP compability logic and drop BF-CBC support by default
|
|
231
|
+ Document different behaviour of dynamic cipher negotiation
|
|
232
|
+ Minor cleanup in push.c
|
|
233
|
+ Clean up a number of leftover C89 initialisations in ssl.c
|
|
234
|
+ Remove buf argument from link_socket_set_outgoing_addr
|
|
235
|
+ Remove a number of check/do_work wrapper calls from coarse_timers
|
|
236
|
+ Split pf_check_reload check and check timer in process_coarse_timers
|
|
237
|
+ Rename check_ping_restart_dowork to trigger_ping_timeout_signal
|
|
238
|
+ Eliminate check_fragment function
|
|
239
|
+ Eliminate check_incoming_control_channel wrapper function
|
|
240
|
+ Eliminate check_tls wrapper function
|
|
241
|
+ Merge check_coarse_timers and check_coarse_timers_dowork
|
|
242
|
+ Skip existing interfaces on opening the first available utun on macOS
|
|
243
|
+ Move parsing IV_PROTO to separate function
|
|
244
|
+ Remove S_OP_NORMAL key state.
|
|
245
|
+ Document comp-lzo no and compress being incompatible
|
|
246
|
+ Refactor/Reformat tls_pre_decrypt
|
|
247
|
+ Cleanup tls_pre_decrypt_lite and tls_pre_encrypt
|
|
248
|
+ Improve sections about older OpenVPN clients in cipher-negotiation.rst
|
|
249
|
+
|
|
250
|
+Bertrand Bonnefoy-Claudet (1):
|
|
251
|
+ Fix typo in error message: "optione" -> "option"
|
|
252
|
+
|
|
253
|
+Christian Ehrhardt (1):
|
|
254
|
+ systemd: extend CapabilityBoundingSet for auth_pam
|
|
255
|
+
|
|
256
|
+Christian Hesse (7):
|
|
257
|
+ man: fix formatting for alternative option
|
|
258
|
+ systemd: Use automake tools to install unit files
|
|
259
|
+ systemd: Do not race on RuntimeDirectory
|
|
260
|
+ systemd: Add more security feature for systemd units
|
|
261
|
+ Clean up plugin path handling
|
|
262
|
+ plugin: Remove GNUism in openvpn-plugin.h generation
|
|
263
|
+ fix typo in notification message
|
|
264
|
+
|
|
265
|
+Christopher Schenk (3):
|
|
266
|
+ Set the correct mtu on windows based systems
|
|
267
|
+ Log a note if someone wants to set a MTU below 1280 on IPv6
|
|
268
|
+ Unified success messages for setting mtu
|
|
269
|
+
|
|
270
|
+Conrad Hoffmann (2):
|
|
271
|
+ Use provided env vars in up/down script.
|
|
272
|
+ Document down-root plugin usage in client.down
|
|
273
|
+
|
|
274
|
+David Sommerseth (64):
|
|
275
|
+ docs: Further enhance the documentation related to SWEET32
|
|
276
|
+ man: Remove references to no longer present IV_RGI6 peer-info
|
|
277
|
+ build: Ensure Changes.rst is shipped and installed as a doc file
|
|
278
|
+ management: >REMOTE operation would overwrite ce change indicator
|
|
279
|
+ management: Remove a redundant #ifdef block
|
|
280
|
+ git: Merge .gitignore files into a single file
|
|
281
|
+ systemd: Move the READY=1 signalling to an earlier point
|
|
282
|
+ dev-tools: Simple tool which automates rebasing LZ4 compat library
|
|
283
|
+ dev-tools: lz4-rebaser tool carried a typo
|
|
284
|
+ plugin: Improve the handling of default plug-in directory
|
|
285
|
+ cleanup: Remove faulty env processing functions
|
|
286
|
+ auth-token: Ensure tokens are always wiped on de-auth
|
|
287
|
+ docs: Fixed man-page warnings discoverd by rpmlint
|
|
288
|
+ Make --cipher/--auth none more explicit on the risks
|
|
289
|
+ Require minimum OpenSSL 1.0.1
|
|
290
|
+ Fix broken ./configure on systems without openssl.pc
|
|
291
|
+ plugin: Fix documentation typo for type_mask
|
|
292
|
+ plugin: Export secure_memzero() to plug-ins
|
|
293
|
+ crypto: Enable SHA256 fingerprint checking in --verify-hash
|
|
294
|
+ copyright: Update GPLv2 license texts
|
|
295
|
+ dev-tools: Script generating the source releases in an automated fashion
|
|
296
|
+ auth-token with auth-nocache fix broke --disable-crypto builds
|
|
297
|
+ doc: The CRL processing is not a deprecated feature
|
|
298
|
+ cleanup: Move write_pid() to where it is being used
|
|
299
|
+ contrib: Remove keychain-mcd code
|
|
300
|
+ cleanup: Move init_random_seed() to where it is being used
|
|
301
|
+ Highlight deprecated features
|
|
302
|
+ Use consistent version references
|
|
303
|
+ docs: Replace all PolarSSL references to mbed TLS
|
|
304
|
+ systemd: Ensure systemd shuts down OpenVPN in a proper way
|
|
305
|
+ systemd: Enable systemd's auto-restart feature for server profiles
|
|
306
|
+ lz4: Move towards a newer LZ4 API
|
|
307
|
+ lz4: Fix confused version check
|
|
308
|
+ lz4: Fix broken builds when pkg-config is not present but system library is
|
|
309
|
+ Remove references to keychain-mcd in Changes.rst
|
|
310
|
+ lz4: Rebase compat-lz4 against upstream v1.7.5
|
|
311
|
+ systemd: Add and ship README.systemd
|
|
312
|
+ Update copyright to include 2018 plus company name change
|
|
313
|
+ man: Add .TQ groff support macro
|
|
314
|
+ man: Reword --management to prefer unix sockets over TCP
|
|
315
|
+ management: Warn if TCP port is used without password
|
|
316
|
+ plugin: Export base64 encode and decode functions
|
|
317
|
+ build: Fix build warnings related to get_random()
|
|
318
|
+ build: Fix another compile warning in console_systemd.c
|
|
319
|
+ cleanup: Remove RPM openvpn.spec build approach
|
|
320
|
+ docs: Update INSTALL
|
|
321
|
+ build: Package missing mock_msg.h
|
|
322
|
+ auth-token: Fix building with --disable-server
|
|
323
|
+ auth-token: Fix compiler complaints with --disable-management
|
|
324
|
+ Improve the comments related to auth-token-hmac patches
|
|
325
|
+ Documented all the argv related code with minor refactoring
|
|
326
|
+ build: Remove --disable-server from ./configure
|
|
327
|
+ options: Fix failing inline tls-auth/crypt with persist-key
|
|
328
|
+ options: Restore --tls-crypt-v2 inline file capability
|
|
329
|
+ doc/man: convert openvpn.8 to split-up .rst files
|
|
330
|
+ doc/man: Mark compression options as deprecated
|
|
331
|
+ doc/man: Adopt compression documentation
|
|
332
|
+ doc/man: Documentation for --bind-dev / VRFs on Linux
|
|
333
|
+ doc/man: Add misssing renegotiation.rst to Makefile.am
|
|
334
|
+ Remove --no-iv
|
|
335
|
+ doc/man: Do not install man *.rst files
|
|
336
|
+ travis: Fix make distcheck failure
|
|
337
|
+ Remove --ifconfig-pool-linear
|
|
338
|
+ Remove --client-cert-not-required
|
|
339
|
+
|
|
340
|
+Domagoj Pensa (2):
|
|
341
|
+ Fix linking issues on MinGW
|
|
342
|
+ Skip DNS address validation
|
|
343
|
+
|
|
344
|
+Emmanuel Deloget (20):
|
|
345
|
+ OpenSSL: check for the SSL reason, not the full error
|
|
346
|
+ OpenSSL: don't use direct access to the internal of X509_STORE_CTX
|
|
347
|
+ OpenSSL: don't use direct access to the internal of SSL_CTX
|
|
348
|
+ OpenSSL: don't use direct access to the internal of X509_STORE
|
|
349
|
+ OpenSSL: don't use direct access to the internal of X509_OBJECT
|
|
350
|
+ OpenSSL: don't use direct access to the internal of RSA_METHOD
|
|
351
|
+ OpenSSL: SSLeay symbols are no longer available in OpenSSL 1.1
|
|
352
|
+ OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit()
|
|
353
|
+ OpenSSL: don't use direct access to the internal of X509
|
|
354
|
+ OpenSSL: don't use direct access to the internal of EVP_PKEY
|
|
355
|
+ OpenSSL: don't use direct access to the internal of RSA
|
|
356
|
+ OpenSSL: don't use direct access to the internal of DSA
|
|
357
|
+ OpenSSL: force meth->name as non-const when we free() it
|
|
358
|
+ OpenSSL: don't use direct access to the internal of EVP_MD_CTX
|
|
359
|
+ OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX
|
|
360
|
+ OpenSSL: don't use direct access to the internal of HMAC_CTX
|
|
361
|
+ OpenSSL: remove pre-1.1 function from the OpenSSL compat interface
|
|
362
|
+ OpenSSL: remove EVP_CIPHER_CTX_new() from the compat layer
|
|
363
|
+ OpenSSL: remove EVP_CIPHER_CTX_free() from the compat layer
|
|
364
|
+ OpenSSL: check EVP_PKEY key types before returning the pkey
|
|
365
|
+
|
|
366
|
+Eric Thorpe (1):
|
|
367
|
+ Fix Building Using MSVC
|
|
368
|
+
|
|
369
|
+Fabian Knittel (7):
|
|
370
|
+ client-connect: Split multi_connection_established into separate functions
|
|
371
|
+ client-connect: Refactor multi_client_connect_source_ccd
|
|
372
|
+ client-connect: Move multi_client_connect_setenv into early_setup
|
|
373
|
+ client-connect: Refactor to use return values instead of modifying a passed-in flag
|
|
374
|
+ client-connect: Refactor client-connect handling to calling a bunch of hooks in a loop
|
|
375
|
+ client-connect: Add deferred support to the client-connect script handler
|
|
376
|
+ client-connect: Add deferred support to the client-connect v1 plugin handler
|
|
377
|
+
|
|
378
|
+Gert Doering (50):
|
|
379
|
+ Remove IV_RGI6=1 peer-info signalling.
|
|
380
|
+ Add openssl_compat.h to openvpn_SOURCES
|
|
381
|
+ Fix '--dev null'
|
|
382
|
+ Fix installation of IPv6 host route to VPN server when using iservice.
|
|
383
|
+ Make ENABLE_OCC no longer depend on !ENABLE_SMALL
|
|
384
|
+ Fix NCP behaviour on TLS reconnect.
|
|
385
|
+ Remove erroneous limitation on max number of args for --plugin
|
|
386
|
+ proxy.c refactoring: remove always-NULL gc parameter
|
|
387
|
+ Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.
|
|
388
|
+ Fix potential 1-byte overread in TCP option parsing.
|
|
389
|
+ Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
|
|
390
|
+ Update Changes.rst with relevant info for 2.4.3 release.
|
|
391
|
+ Remove warning on pushed tun-ipv6 option.
|
|
392
|
+ Fix removal of on-link prefix on windows with netsh
|
|
393
|
+ Fix potential double-free() in Interactive Service (CVE-2018-9336)
|
|
394
|
+ Add %d, %u and %lu tests to test_argv unit tests.
|
|
395
|
+ Extend push-remove to also handle 'ifconfig'.
|
|
396
|
+ Print lzo_init() return code in case of errors
|
|
397
|
+ Uncrustify sample-plugin sources according to code style
|
|
398
|
+ uncrustify openvpnserv/ sources
|
|
399
|
+ uncrustify openvpn/ sources
|
|
400
|
+ Add 'printing of port number' to mroute_addr_print_ex() for v4-mapped v6.
|
|
401
|
+ Stop complaining about IPv6 routes without gateway address.
|
|
402
|
+ Copy one byte less in strncpynt()
|
|
403
|
+ Remove cmocka submodule, rely on system-wide installation instead.
|
|
404
|
+ Increase listen() backlog queue to 32
|
|
405
|
+ repair tap mode on OpenSolaris/OpenIndiana
|
|
406
|
+ Fix IPv6 routes on tap interfaces on OpenSolaris/OpenIndiana
|
|
407
|
+ OpenSolaris/OpenIllumos: use /bin/bash if available for test scripts.
|
|
408
|
+ Force combinationation of --socks-proxy and --proto UDP to use IPv4.
|
|
409
|
+ Uncrustify the tests/unit_tests/ part of our tree.
|
|
410
|
+ Change client side of t_lpback.sh configs to use inline material.
|
|
411
|
+ Simplify pool size handling, fix possible array overrun on pool reading.
|
|
412
|
+ Change timestamps in file-based logging to ISO 8601 time format.
|
|
413
|
+ Depreciation warning for --topology net30 on servers with IPv4 pools.
|
|
414
|
+ Convert plugin/auth-pam.c from stderr logging to plugin_log().
|
|
415
|
+ Add c1ff8f247f91c88a2df5502eeedf42857f9a6831 (engine, pool, SSO) to .git-blame-ignore-revs
|
|
416
|
+ Linux: do not change --txqueuelen OS default if not configured.
|
|
417
|
+ Fix 'engine' unit test on FreeBSD (specifically 'not GNU make')
|
|
418
|
+ t_client.sh: correctly report all failed instances in summary
|
|
419
|
+ Remove --writepid file on program exit.
|
|
420
|
+ Handle connecting clients without NCP or OCC without crashing.
|
|
421
|
+ Add deferred authentication support to plugin-auth-pam
|
|
422
|
+ Separate handling of non-deferred return values for client-connect-scripts.
|
|
423
|
+ Repair --inetd
|
|
424
|
+ Fix sequence of events for async plugin v1 handler.
|
|
425
|
+ Abort client-connect handler loop after first handler sets 'disable'.
|
|
426
|
+ Add depreciation notice for --ncp-disable to protocol-options.rst
|
|
427
|
+ Changes.rst updates in preparation to 2.5_beta1
|
|
428
|
+ Preparing release 2.5_beta1
|
|
429
|
+
|
|
430
|
+Gert van Dijk (7):
|
|
431
|
+ Warn that DH config option is only meaningful in a tls-server context
|
|
432
|
+ Add generated openvpn.doxyfile to .gitignore
|
|
433
|
+ manpage: improve description of --status and --status-version
|
|
434
|
+ Add negotiated cipher to status file format 2 and 3
|
|
435
|
+ Minor reliability layer documentation fixes
|
|
436
|
+ Make second parameter to reliable_send_purge() const
|
|
437
|
+ Remove unneeded newline in debug message in reliable.c
|
|
438
|
+
|
|
439
|
+Gisle Vanem (2):
|
|
440
|
+ Crash in options.c
|
|
441
|
+ Wrong FILETYPE in .rc files
|
|
442
|
+
|
|
443
|
+Guido Vranken (6):
|
|
444
|
+ refactor my_strupr
|
|
445
|
+ Fix 2 memory leaks in proxy authentication routine
|
|
446
|
+ Fix memory leak in add_option() for option 'connection'
|
|
447
|
+ Ensure option array p[] is always NULL-terminated
|
|
448
|
+ Fix a null-pointer dereference in establish_http_proxy_passthru()
|
|
449
|
+ Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
|
|
450
|
+
|
|
451
|
+Heiko Hund (3):
|
|
452
|
+ re-implement argv_printf_*()
|
|
453
|
+ argv: do fewer memory re-allocations
|
|
454
|
+ Add gc_arena to struct argv to save allocations
|
|
455
|
+
|
|
456
|
+Hilko Bengen (1):
|
|
457
|
+ Do not set pkcs11-helper 'safe fork mode'
|
|
458
|
+
|
|
459
|
+Hristo Venev (1):
|
|
460
|
+ Fix extract_x509_field_ssl for external objects, v2
|
|
461
|
+
|
|
462
|
+Ilya Shipitsin (18):
|
|
463
|
+ Resolve several travis-ci issues
|
|
464
|
+ github: Add PR template with contributor related information
|
|
465
|
+ travis-ci: add 'make distcheck' to test scenario, V2
|
|
466
|
+ travis-ci: remove unused files
|
|
467
|
+ v4, travis-ci: add 2 mingw "build only" configurations
|
|
468
|
+ travis-ci: added gcc and clang openssl-1.1.0 builds
|
|
469
|
+ travis-ci: update openssl to 1.0.2l, update mbedtls to 2.5.1
|
|
470
|
+ travis-ci: update pkcs11-helper to 1.22
|
|
471
|
+ travis-ci: add brew cache, remove ccache
|
|
472
|
+ travis-ci: modify openssl build script to support openssl-1.1.0
|
|
473
|
+ travis-ci: cleanup, refactor, upgrade ssl libraries
|
|
474
|
+ travis-ci: add "linux-ppc64le" to build matrix
|
|
475
|
+ travis-ci: change trusty image to xenial
|
|
476
|
+ travis-ci: update osx to xcode9.4 and modernize brew management
|
|
477
|
+ configure.ac: fix compile-time error in argv_testdriver
|
|
478
|
+ travis-ci: fix osx builds
|
|
479
|
+ travis-ci: update components versions
|
|
480
|
+ travis-ci: add arm64, s390x builds.
|
|
481
|
+
|
|
482
|
+James Bekkema (2):
|
|
483
|
+ Resolves small IV_GUI_VER typo in the documentation.
|
|
484
|
+ Adds support for setting the default IPv6 gateway for routes using the route-ipv6-gateway option.
|
|
485
|
+
|
|
486
|
+James Bottomley (7):
|
|
487
|
+ autoconf: Fix engine checks for openssl 1.1
|
|
488
|
+ openssl: add engine method for loading the key
|
|
489
|
+ crypto_openssl: add initialization to pick up local configuration
|
|
490
|
+ crypto_openssl: add include for openssl/conf.h
|
|
491
|
+ Add unit tests for engine keys
|
|
492
|
+ Fix make distcheck for new engine key unit test
|
|
493
|
+ engine-key tests: make check_engine_keys.sh work with --enable-small
|
|
494
|
+
|
|
495
|
+Jan Just Keijser (1):
|
|
496
|
+ Added support for DHCP option 119 (dns search suffix list) for Windows.
|
|
497
|
+
|
|
498
|
+Jeremie Courreges-Anglas (5):
|
|
499
|
+ Cast time_t to long long in order to print it.
|
|
500
|
+ Print time_t as long long and suseconds_t as long
|
|
501
|
+ Cast and print another suseconds_t as long
|
|
502
|
+ Use long long to format time_t-related environment variables
|
|
503
|
+ Fix build with LibreSSL
|
|
504
|
+
|
|
505
|
+Jeremy Evans (1):
|
|
506
|
+ Switch assertion failure to returning false
|
|
507
|
+
|
|
508
|
+Jonathan K. Bullard (1):
|
|
509
|
+ Clarify and expand management interface documentation
|
|
510
|
+
|
|
511
|
+Jonathan Tooker (1):
|
|
512
|
+ Fix various spelling mistakes
|
|
513
|
+
|
|
514
|
+Joost Rijneveld (1):
|
|
515
|
+ Make return code external tls key match docs
|
|
516
|
+
|
|
517
|
|
|
518
|
+ Fix an unaligned access on OpenBSD/sparc64
|
|
519
|
+ Missing include for socket-flags TCP_NODELAY on OpenBSD
|
|
520
|
+
|
|
521
|
+Kyle Evans (1):
|
|
522
|
+ tests/t_lpback.sh: Switch sed(1) to POSIX-compatible regex.
|
|
523
|
+
|
|
524
|
+Lev Stipakov (46):
+ win: support for Visual Studio 2017
+ Refactor NCP-negotiable options handling
+ init.c: refine functions names and description
+ openvpnserv: clarify return values type
+ crypto.h: remove unused function declaration
+ interactive.c: fix usage of potentially uninitialized variable
+ options.c: fix broken unary minus usage
+ Introduce openvpn_swprintf() with nul termination guarantee
+ Wrap openvpn_swprintf into Windows define
+ test_tls_crypt.c: fix global-buffer-overflow found by AddressSanitizer
+ crypto_openssl.c: fix heap-buffer-overflow found by AddressSanitizer
+ Fix various compiler warnings
+ Fix broken fragment/mssfix with NCP
+ crypto.c: fix Visual Studio build
+ tun.h: change tun_set() return value type to void
+ tun.h: remove TUN_PASS_BUFFER define
+ tapctl: add optional 'hardware id' parameter
+ vcxproj: add missing source files
+ push.c: fix Visual Studio build
+ Visual Studio: make it easier to build with VS
+ msvc: OpenSSL 1.1.x support
+ travis: add Visual Studio build
+ Visual Studio: upgrade project files to VS2019
+ wintun: add --windows-driver config option
+ wintun: implement opening wintun device
+ travis: bump MSVC to 2019
+ travis: bump clang version
+ wintun: ring buffers based I/O
+ wintun: interactive service support
+ wintun: set adapter properties via interactive service
+ wintun: clear adapter settings on tun close
+ tun.c: refactor open_tun() implementation
+ tun.c: do not add/remove on-link IPv4 route on tun open/close
+ options.c: do not force route delay when not using DHCP
+ configure.ac: simplify AC_CHECK_FUNCS statements
+ cryptoapi.c: fix run-time check failure in msvc debugger
+ interactive.c: remove unused function
+ tun.c: fix 'use after free' error
+ Fix building with --enable-async-push in FreeBSD
+ Fix broken async push with NCP is used
+ Fix illegal client float (CVE-2020-11810)
+ msvc: fix various level2 warnings
+ tap.c: fix adapter renaming
+ Improve Windows version detection with manifest
+ wintun: remove SYSTEM elevation hack
+ Fix compilation with --disable-lzo and --disable-lz4
+
+Matthias Andree (3):
+ Make openvpn-plugin.h self-contained again.
+ Merge Makefile.am's AUTOMAKE_OPTIONS into configure.ac's AM_INIT_AUTOMAKE.
+ Fix stack buffer overruns in NEXTADDR() macro:
+
+Maxim Plotnikov (1):
+ OpenSSL: Fix --crl-verify not loading multiple CRLs in one file
+
+Maximilian Wilhelm (1):
+ Add --bind-dev option.
+
+Michal Soltys (1):
+ man: correct the description of --capath and --crl-verify regarding CRLs
+
+Mykola Baibuz (1):
+ Fix typo in NTLM proxy debug message
+
+Olivier Wahrenberger (1):
+ Fix building with LibreSSL 2.5.1 by cleaning a hack.
+
+Richard Bonhomme (3):
+ man: Corrections to doc/openvpn.8
+ Ignore --pull-filter for --mode server
+ doc/man: Update --txqueuelen default setting (Now OS default)
+
+Richard van den Berg via Openvpn-devel (1):
+ Fix error message when using RHEL init script
+
+Rosen Penev (2):
+ Remove wrong poll.h include
+ openssl: Fix compilation without deprecated OpenSSL 1.1 APIs
+
+Samy Mahmoudi (1):
+ man: correct a --redirection-gateway option flag
+
+Santtu Lakkala (1):
+ Fix OpenSSL private key passphrase notices
+
+Selva Nair (55):
+ Fix push options digest update
+ Always release dhcp address in close_tun() on Windows.
+ Add a check for -Wl, --wrap support in linker
+ Fix user's group membership check in interactive service to work with domains
+ In auth-pam plugin clear the password after use
+ Pass correct buffer size to GetModuleFileNameW()
+ Check whether in pull_mode before warning about previous connection blocks
+ Avoid illegal memory access when malformed data is read from the pipe
+ Fix missing check for return value of malloc'd buffer
+ Return NULL if GetAdaptersInfo fails
+ Use RSA_meth_free instead of free
+ Bring cryptoapi.c upto speed with openssl 1.1
+ Add SSL_CTX_get_max_proto_version() not in openssl 1.0
+ TLS v1.2 support for cryptoapicert -- RSA only
+ Refactor ssl_openssl.c in prep for external EC key support
+ Refactor get_interface_metric to return metric and auto flag separately
+ Add management client version
+ Prompt for signature using '>PK_SIGN' if the client supports it
+ Allow external EC key through --management-external-key
+ Ensure strings read from registry are null-terminated
+ Make most registry values optional
+ Use lowest metric interface when multiple interfaces match a route
+ Move code to free cd to a function CAPI_DATA_free()
+ Disable external ec key support when building with libressl
+ Adapt to RegGetValue brokenness in Windows 7
+ Fix format spec errors in Windows builds
+ Move setting private key to a function in prep for EC support
+ Support EC certificates with cryptoapicert
+ Delete the IPv6 route to the "connected" network on tun close
+ Management: warn about password only when the option is in use
+ Avoid overflow in wakeup time computation
+ Replace M_DEBUG with D_LOW as the former is too verbose
+ Correct the declaration of handle in 'struct openvpn_plugin_args_open_return'
+ Parse static challenge response in auth-pam plugin
+ Bump version of openvpn plugin argument structs to 5
+ Accept empty password and/or response in auth-pam plugin
+ Pass the hash without the DigestInfo header to NCryptSignHash()
+ Move get system directory to a separate function
+ Enable dhcp on tap adapter using interactive service
+ Refactor sending commands to interactive service
+ Declare Windows version of openvpn_execve() before use
+ White-list pull-filter and script-security in interactive service
+ Move OpenSSL vs CNG signature digest type mapping to a function
+ Handle PSS padding in cryptoapicert
+ Better error message when script fails due to script-security setting
+ Correct the return value of cryptoapi RSA signature callbacks
+ Fix ACL_CHECK_ADD_COMPILE_FLAGS to work with clang
+ Swap the order of checks for validating interactive service user
+ Skip expired certificates in Windows certificate store
+ Allow unicode search string in --cryptoapicert option
+ Fix possibly uninitialized return value in GetOpenvpnSettings()
+ Fix possible access of uninitialized pipe handles
+ Move querying username/password from management to a function
+ When auth-user-pass file has no password query the management interface (if available).
+ Persist management-query-remote and proxy prompts
+
+Simon Matter (2):
+ Fix segfault when using crypto lib without AES-256-CTR or SHA256
+ Add per session pseudo-random jitter to --reneg-sec intervals
+
+Simon Rozman (67):
+ Local functions are not supported in MSVC. Bummer.
+ Mixing wide and regular strings in concatenations is not allowed in MSVC.
+ RtlIpv6AddressToStringW() and RtlIpv4AddressToStringW() require mstcpip.h
+ Simplify iphlpapi.dll API calls
+ Fix local #include to use quoted form
+ Document ">PASSWORD:Auth-Token" real-time message
+ Fix typo in "verb" command examples
+ Uniform swprintf() across MinGW and MSVC compilers
+ MSVC meta files added to .gitignore list
+ openvpnserv: Review MSVC down-casting warnings
+ openvpnserv: Add support for multi-instances
+ Document missing OpenVPN states
+ Add Interactive Service developer documentation
+ Change quoted to angled form when #including external .h files
+ Signed/unsigned warnings of MSVC resolved
+ Reference msvc-generate from compat to assure correct build order
+ msvc: Move common project settings to reusable property sheets
+ msvc: Unify Unicode/MultiByte string setting across all cfg|plat
+ Introduce tapctl.exe utility and openvpnmsica.dll MSI CA
+ Set output name to libopenvpnmsica.dll in MSVC builds too
+ Prevent __stdcall name mangling of MSVC
+ Define _WIN32_WINNT=_WIN32_WINNT_VISTA in MSVC
+ Add MSI custom action for reliable Windows 10 detection
+ Detect TAP interfaces with root-enumerated hardware ID
+ Change C++ to C comments
+ Make MSI custom action debug pop-up more informative
+ Delete TAP interface before the TAP driver is uninstalled
+ Add detection of active VPN connections for MSI packages
+ Add a MSI custom actions to close and relaunch OpenVPN GUI
+ Make DriverCertification MSI property public
+ Extend FindSystemInfo custom action to detect OpenVPNService state
+ Uncrustify tapctl and openvpnmsica
+ Strip _stdcall suffixes (@nn) for 32-bit builds
+ Detect missing TAP driver and bail out gracefully
+ Disambiguate thread local storage references from TLS
+ Add NULL checks
+ Add user manual and developer notes URL for tapctl.exe
+ Refactor OpenVPNService state detection code
+ Add developer notes URL for openvpnmsica.dll
+ Limit tapctl.exe and openvpnmsica.dll to TAP-Windows6 adapters only
+ msvc: Add vlan.c/h
+ tun.c: make Windows device lookup functions more general
+ tun.c: upgrade get_device_guid() to return the Windows driver type
+ tun.c: make wintun_register_ring_buffer() non-fatal on failures
+ wintun: register ring buffers when iterating adapters
+ wintun: add support for --dev-node
+ tun.c: reword the at_least_one_tap_win() error
+ wintun: stop sending TAP-Windows6 ioctls to NDIS device
+ wintun: refactor code to use enum driver type
+ tun.c: refactor driver detection and make it case-insensitive
+ tun.c: uncrustify
+ wintun: check for conflicting options
+ openvpnmsica: Remove required Windows driver certification detection
+ openvpnmsica: Fix TAPInterface.DisplayName field interpretation
+ tapctl: Update documentation
+ wintun: upgrade error message in case of ring registration failure
+ tun.c: reorder IPv6 ifconfig on Windows
+ tapctl: Add functions for enabling/disabling adapters
+ openvpnmsica: Revise MSI custom actions interop
+ openvpnmsica: Simplify static function names
+ openvpnmsica, tapctl: "interface" => "adapter"
+ openvpnmsica: "TAP" => "TUN/TAP"
+ openvpnmsica: Extend to support arbitrary HWID network adapters
+ openvpnmsica, tapctl: Revise default hardware ID management
+ openvpnmsica: Merge FindTUNTAPAdapters into FindSystemInfo
+ tapctl: Support multiple hardware IDs
+ tun.c: revise the IPv4 ifconfig flow on Windows
+
+Stefan Strogin (1):
+ Use correct ifdefs for LibreSSL support
+
+Steffan Karger (122):
+ Document that RSA_SIGN can also request TLS 1.2 signatures
+ man: encourage user to read on about --tls-crypt
+ Textual fixes for Changes.rst
+ Remove deprecated --no-iv option
+ More broadly enforce Allman style and braces-around-conditionals
+ Use SHA256 for the internal digest, instead of MD5
+ OpenSSL: 1.1 fallout - fix configure on old autoconf
+ Fix types in WIN32 socket_listen_accept()
+ Remove duplicate X509 env variables
+ Fix non-C99-compliant builds: don't use const size_t as array length
+ Deprecate --ns-cert-type
+ Be less picky about keyUsage extensions
+ cleanup: merge packet_id_alloc_outgoing() into packet_id_write()
+ Don't run packet_id unit tests for --disable-crypto builds
+ Fix Changes.rst layout
+ Fix memory leak in x509_verify_cert_ku()
+ mbedtls: correctly check return value in pkcs11_certificate_dn()
+ Restore pre-NCP frame parameters for new sessions
+ Always clear username/password from memory on error
+ Document tls-crypt security considerations in man page
+ Don't assert out on receiving too-large control packets (CVE-2017-7478)
+ Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)
+ Log the negotiated (NCP) cipher
+ Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
+ Skip tls-crypt unit tests if required crypto mode not supported
+ openssl: fix overflow check for long --tls-cipher option
+ Add a DSA test key/cert pair to sample-keys
+ Fix mbedtls fingerprint calculation
+ mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)
+ mbedtls: require C-string compatible types for --x509-username-field
+ Fix remote-triggerable memory leaks (CVE-2017-7521)
+ Restrict --x509-alt-username extension types
+ Fix potential double-free in --x509-alt-username (CVE-2017-7521)
+ Fix typo in extract_x509_extension() debug message
+ init_key_ctx: key and iv arguments can (now) be const
+ Move adjust_power_of_2() to integer.h
+ Undo cipher push in client options state if cipher is rejected
+ Remove strerror_ts()
+ Move openvpn_sleep() to manage.c
+ fixup: also change missed openvpn_sleep() occurrences
+ Always use default keysize for NCP'd ciphers
+ Move create_temp_file() out of #ifdef ENABLE_CRYPTO
+ sample-plugins: fix ASN1_STRING_to_UTF8 return value checks
+ Deprecate --keysize
+ Move run_up_down() to init.c
+ tls-crypt: introduce tls_crypt_kt()
+ crypto: create function to initialize encrypt and decrypt key
+ Add coverity static analysis to Travis CI config
+ tls-crypt: don't leak memory for incorrect tls-crypt messages
+ travis: reorder matrix to speed up build
+ Fix bounds check in read_key()
+ buffer_list_aggregate_separator(): add unit tests
+ doxygen: add make target and use relative paths
+ Simplify and inline clear_buf()
+ Add --tls-cert-profile option.
+ pf: clean up temporary files if plugin init fails
+ pf: reject client if PF plugin is configured, but init fails
+ Don't throw fatal errors from create_temp_file()
+ create_temp_file/gen_path: prevent memory leak if gc == NULL
+ Use P_DATA_V2 for server->client packets too
+ Fix memory leak in buffer unit tests
+ travis: use clang's -fsanitize=address to catch more bugs
+ Don't throw fatal errors from verify_cert_export_cert()
+ buffer_list_aggregate_separator(): update list size after aggregating
+ buffer_list_aggregate_separator(): don't exceed max_len
+ buffer_list_aggregate_separator(): prevent 0-byte malloc
+ Fix types around buffer_list_push(_data)
+ ssl_openssl: fix compiler warning by removing getbio() wrapper
+ Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+
+ Add support for TLS 1.3 in --tls-version-{min, max}
+ tls_ctx_set_tls_versions: move verify_flags to where it is used
+ Plug memory leak if push is interrupted
+ Log pre-handshake packet drops using D_MULTI_DROPPED
+ Enable stricter compiler warnings by default
+ reliable: remove reliable_unique_retry()
+ Get rid of ax_check_compile_flag.m4
+ mbedtls: don't use API deprecated in mbed 2.7
+ Warn if tls-version-max < tls-version-min
+ Check for more data in control channel
+ Move env helper functions into their own module/file
+ man: add security considerations to --compress section
+ openssl: don't use deprecated SSLEAY/SSLeay symbols
+ openssl: add missing #include statements
+ Move file-related functions from misc.c to platform.c
+ Move execve/run_script helper functions to run_command.c
+ Add crypto_pem_{encode,decode}()
+ Introduce buffer_write_file()
+ mbedtls: print warning if random personalisation fails
+ Fix memory leak after sighup
+ Remove unused void_ptr_hash_function and void_ptr_compare_function
+ Do not load certificate from tls_ctx_use_external_private_key()
+ mbedtls: make external signing code generic
+ mbedtls: remove dependency on mbedtls pkcs11 module
+ Fix memory leak in SSL_CTX_use_certificate
+ travis: add OpenSSL 1.1 Windows build
+ Fix use-after-free in tls_ctx_use_management_external_key
+ Simplify --genkey option syntax
+ Don't print OCC warnings about 'key-method', 'keydir' and 'tls-auth'
+ Add support for CHACHA20-POLY1305 in the data channel
+ List ChaCha20-Poly1305 as stream cipher
+ mbedtls: don't print unsupported ciphers in insecure cipher list
+ Fix mbedtls unit tests
+ buffer_list_aggregate_separator(): simplify code
+ tls-crypt-v2: add specification to doc/
+ tls-crypt-v2: generate tls-crypt-v2 keys
+ tls-crypt-v2: add unwrap_client_key
+ tls-crypt-v2: add P_CONTROL_HARD_RESET_CLIENT_V3 opcode
+ tls-crypt-v2: implement tls-crypt-v2 handshake
+ tls-crypt-v2: add script hook to verify metadata
+ tls-crypt-v2: clarify --tls-crypt-v2-genkey man page section
+ tls-crypt-v2: fix client reconnect bug
+ Remove deprecated --compat-x509-names and --no-name-remapping
+ Extend tls-crypt-v2 unit tests
+ Fix tls-auth/crypt in connection blocks with --persist-key
+ cmocka: use relative paths
+ tests: remove dependency on base64
+ configure.ac: add lzo CFLAGS/LIBS to the test flags
+ Update sample configs to use modern cipher, remove static key examples
+ mbedtls: add RFC 5705 keying material exporter support
+ Move keying material exporter check from syshead.h to configure.ac
+ Make openvpn --version exit with exit code 0
+ Gently push users towards --data-ciphers in --show-ciphers output
+
+Steven McDonald (1):
+ Fix gateway detection with OpenBSD routing domains
+
+ OpenSSL: Always set SSL_OP_CIPHER_SERVER_PREFERENCE flag
+
+Thomas Quinot (1):
+ Fix documentation of tls-verify script argument
+
+Thomas Veerman via Openvpn-devel (1):
+ Fix socks_proxy_port pointing to invalid data
+
+Tom van Leeuwen (1):
+ mbedTLS: Make sure TLS session survives move
+
+ValdikSS (1):
+ Set a low interface metric for tap adapter when block-outside-dns is in use
+
+Vladislav Grishenko (1):
+ Log serial number of revoked certificate
+
+WGH (1):
+ docs: Add reference to X509_LOOKUP_hash_dir(3)
+
+hashiz (1):
+ Fix '--bind ipv6only'
+
+tincanteksup (1):
+ Correct error message for --tls-crypt-v2-genkey client
+

2016.12.16 -- Version 2.4_rc2
David Sommerseth (9):
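Review bot: two groups of entries in this hunk have lost their author header, which breaks the "Author (N):" grouping the rest of the log follows: "Fix an unaligned access on OpenBSD/sparc64" and "Missing include for socket-flags TCP_NODELAY on OpenBSD" sit directly after the Joost Rijneveld block with no attribution line of their own, and "OpenSSL: Always set SSL_OP_CIPHER_SERVER_PREFERENCE flag" likewise follows the Steven McDonald block without one; the missing header lines should be restored before this is merged. The Matthias Andree entry "Fix stack buffer overruns in NEXTADDR() macro:" ends in a colon, so the subject appears truncated and should be completed from the commit. Worth keeping in mind for anyone consuming this file as a security changelog: the hunk records several CVE fixes (CVE-2017-7478, CVE-2017-7479, CVE-2017-7521, CVE-2017-7522, CVE-2020-11810) only as plain commit subjects, with no separate security section, so readers tracking what was fixed have to search the list for the CVE identifiers.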