From: Frank Lichtenheld
Date: Mon, 26 May 2025 14:09:00 +0000 (+0200)
Subject: OpenVPN Release 2.7_alpha1
X-Git-Tag: v2.7_alpha1^0
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5d3f3556a1f7cb26a2fb5e1c8299f03d0487cc6f;p=thirdparty%2Fopenvpn.git

OpenVPN Release 2.7_alpha1

version.m4, ChangeLog, Changes.rst

(ChangeLog in "master" will revert to its normal state of "empty" after release/2.7 is forked off into its own branch)

Additionally, add test_common.h to tests/unit_tests/openvpn/Makefile.am (..._SOURCES) so it's packed into the "make dist" tarball

Change-Id: I80a14b77fcc2fabf51af9f2d5ea0c36362cccb91
Signed-off-by: Frank Lichtenheld
---
diff --git a/ChangeLog b/ChangeLog index c26dd2e3..c6e626bf 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,7 +1,759 @@ OpenVPN ChangeLog -Copyright (C) 2002-2024 OpenVPN Inc +Copyright (C) 2002-2025 OpenVPN Inc + +2025.05.28 -- Version 2.7_alpha1 + +5andr0 (1): + Implement server_poll_timeout for socks + +Alexander von Gluck (4): + Haiku: Introduce basic platform / tun support + Haiku: Add calls to manage routing table + Haiku: change del to delete in route command. del is undocumented + Haiku: Fix short interface path length + +Antonio Quartulli (32): + disable DCO if --secret is specified + dco: properly re-initialize dco_del_peer_reason + dco: bail out when no peer-specific message is delivered + dco: improve comment about hidden debug message + dco: print proper message in case of transport disconnection + dco_linux: update license for ovpn_dco_linux.h + Update issue templates + Avoid warning about missing braces when initialising key struct + dco: don't use NetLink to exchange control packets + dco: print version to log if available + dco-linux: remove M_ERRNO flag when printing netlink error message + multi: don't call DCO APIs if DCO is disabled + dco-freebsd: use m->instances[] instead of m->hash + dco-linux: implement dco_get_peer_stats{, multi} API + configure.ac: fix typ0 in LIBCAPNG_CFALGS + dco: fix crash when --multihome is used with --proto tcp + dco: mark peer as deleted from kernel after receiving CMD_DEL_PEER notification + event/multi: add event_arg object to make event handling more generic + pass link_socket object to i/o functions + io_work: convert shift argument to uintptr_t + io_work: pass event_arg object to event handler in case of socket event + sitnl: replace NLMSG_TAIL macro with noinline function + override ai_family if 'local' numeric address was specified + Adapt socket handling to support listening on multiple sockets + allow user to specify 'local' multiple times in config files + dco_linux: extend netlink error cb with extra info + man: extend --persist-tun section + dco: pass remoteaddr only for UDP peers + socket: use remote 
proto when creating client sockets + dco_linux: fix peer stats parsing with new ovpn kernel module + socket: don't transfer bind family to socket in case of ANY address + dco_linux: avoid bogus text when netlink message is not parsed + +Aquila Macedo (1): + doc: Correct typos in multiple documentation files + +Arne Schwabe (190): + Fix connection cookie not including address and fix endianness in test + Fix unit test of test_pkt on little endian Linux + Disable DCO when TLS mode is not used + Ignore connection attempts while server is shutting down + Improve debug logging of DCO swap key message and Linux dco_new_peer + Trigger a USR1 if dco_update_keys fails + Set DCO_NOT_INSTALLED also for keys not in the get_key_scan range + Ensure that argument to parse_line has always space for final sentinel + Improve documentation on user/password requirement and unicodize function + Eliminate or comment empty blocks and switch fallthrough + Remove unused gc_arena + Fix corner case that might lead to leaked file descriptor + Deprecate NTLMv1 proxy auth method. 
+ Use include "buffer.h" instead of include + Ensure that dco keepalive and mssfix options are also set in pure p2p mode + Make management password check constant time + Rename TM_UNTRUSTED to TM_INITIAL, always start session in TM_INITIAL rather than TM_ACTIVE or TM_INITIAL + Move dco_installed back to link_socket from link_socket.info.actual + Do not set nl socket buffer size + Also drop incoming dco packet content when dropping the packet + Improve logging when seeing a message for an unkown peer + Ignore OVPN_DEL_PEER_REASON_USERSPACE to avoid race conditions + Replace custom min macro and use more C99 style in man_remote_entry_get + Replace realloc with new gc_realloc function + Add connect-freq-initial option to limit initial connection responses + Log peer-id if loglevel is D_DCO_DEBUG and dco is enabled + Deprecate OCC checking + Workaround: make ovpn-dco more reliable + Fix unaligned access in auth-token + Update LibreSSL to 3.7.0 in Github actions + Add printing USAN stack trace on github actions + Fix LibreSSL not building in Github Actions + Add missing stdint.h includes in unit tests files + Combine extra_tun/frame parameter of frame_calculate_payload_overhead + Update the last sections in the man page to a be a bit less outdated + Add building unit tests with mingw to github actions + Revise the cipher negotiation info about OpenVPN3 in the man page + Exit if a proper message instead of segfault on Android without management + Use proper print format/casting when converting msg_channel handle + Reduce initialisation spam from verb <= 3 and print summary instead + Dynamic tls-crypt for secure soft_reset/session renegotiation + Set netlink socket to be non-blocking + Ensure n = 2 is set in key2 struct in tls_crypt_v2_unwrap_client_key + Fix memory leaks in open_tun_dco() + Fix memory leaks in HMAC initial packet generation + Use key_state instead of multi for tls_send_payload parameter + Make sending plain text control message session aware + Only 
update frame calculation if we have a valid link sockets + Improve description of compat-mode + Simplify --compress parsing in options.c + Refuse connection if server pushes an option contradicting allow-compress + Add 'allow-compression stub-only' internally for DCO + Parse compression options and bail out when compression is disabled + Remove unused variable line + Add Apache2 linking with for new commits + Fix compile error on TARGET_ANDROID + Fix use-after-free with EVP_CIPHER_free + Remove key_type argument from generate_key_random + add basic CMake based build + Avoid unused function warning/error on FreeBSD (and potientially others) + Do not blindly assume python3 is also the interpreter that runs rst2html + Only add -Wno-stringop-truncation on supported compilers + fix warning with gcc 12.2.0 (compiler bug?) + Fix CR_RESPONSE mangaement message using wrong key_id + Print a more user-friendly error when tls-crypt-v2 client auth fails + Ignore Ipv6 route delete request on Android and set ipv4 verbosity to 7 + Mock openvpn_exece on win32 also for test_tls_crypt + Check if the -wrap argument is actually supported by the platform's ld + Revert commit 423ced962d + Implement using --peer-fingerprint without CA certificates + show extra info for OpenSSL errors + Remove ability to use configurations without TLS by default + Add warning for the --show-groups command that some groups are missing + Print peer temporary key details + Add warning if a p2p NCP client connects to a p2mp server + Remove openssl engine method for loading the key + Add undefined and abort on error to clang sanitize builds + Add --enable-werror to all platforms in Github Actions + Remove saving initial frame code + Double check that we do not use a freed buffer when freeing a session + Fix using to_link buffer after freed + Remove CMake custom compiler flags for RELEASE and DEBUG build + Do not check key_state buffers that are in S_UNDEF state + Remove unused function prototype 
crypto_adjust_frame_parameters + Introduce report_command_status helper function + Log SSL alerts more prominently + Remove unused/unneeded/add missing defines from configure/cmake + Document tls-exit option mainly as test option + Remove dead remains of extract_x509_field_test + Replace character_class_debug with proper unit test + Remove TEST_GET_DEFAULT_GATEWAY as it duplicates --show-gateway + Fix check_session_buf_not_used using wrong index + Add missing check for nl_socket_alloc failure + Add check for nice in cmake config + Minimal Solaris/OpenIndiana support to Cmake and clean up -Werror + Remove compat versionhelpers.h and remove cmake/configure check for it + Rename state_change to continue_tls_process + Move tls_get_cipher_name_pair and get_num_elements to ssl_utils.c + Fix building mbed TLS with CMake and allow specifying custom directories + Extend the error message when TLS 1.0 PRF fails + Fix unaligned access in macOS, FreeBSD, Solaris hwaddr + Check PRF availability on initialisation and add --force-tls-key-material-export + Make it more explicit and visible when pkg-config is not found + Clarify that the tls-crypt-v2-verify has a very limited env set + Move get_tmp_dir to win32-util.c and error out on failure + Implement the --tls-export-cert feature + Use mingw compile definition also to unit tests + Add test_ssl unit test and test export of PEM to file + Remove conditional text for Apache2 linking exception + Fix ssl unit tests on OpenSSL 1.0.2 + Ensure that all unit tests use unbuffered stdout and stderr + Allow unit tests to fall back to hard coded location + Add unit test for encrypting/decrypting data channel + Print SSL peer signature information in handshake debug details + Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs + Turn dead list test code into unit test + Use snprintf instead of sprintf for get_ssl_library_version + Fix snprintf/swnprintf related compiler warnings + Add bracket in fingerprint message and do not warn 
about missing verification + Match ifdef for get_sigtype function with if ifdef of caller + Remove/combine redundant call of EVP_CipherInit before EVP_CipherInit_Ex + Add missing EVP_KDF_CTX_free in ssl_tls1_PRF + Replace macos11 with macos14 in github runners + Remove openvpn_snprintf and similar functions + Repeat the unknown command in errors from management interface + Only run coverity scan in OpenVPN/OpenVPN repository + Support OpenBSD with cmake + Workaround issue in LibreSSL crashing when enumerating digests/ciphers + Remove OpenSSL 1.0.2 support + Remove custom TLS 1.0 PRF implementation only used by LibreSSL/wolfSSL + Allow the TLS session to send out TLS alerts + Properly handle null bytes and invalid characters in control messages + Allow trailing \r and \n in control channel message + Add Ubuntu 24.04 runner to Github Actions + Implement support for AEAD tag at the end + Remove check for anonymous unions from configure and cmake config + Make read/write_tun_header static + Avoid SIGUSR1 to SIGHUP remapping when the configuration is read from stdin + Move to common backend_driver type in struct tuntap + Introduce DRIVER_AFUNIX backend for use with lwipovpn + Change dev null to be a driver type instead of a special mode of tun/tap + Use print_tun_backend_driver instead of custom code to print type + Automatically enable ifconfig-exec/route-exec behaviour for afunix tun/tap + Ensure that the AF_UNIX socket pair has at least 65k of buffer space + Fix check for CMake not detecting struct cmsg + Remove null check after checking for checking for did_open_tun + Remove a large number of unused structs and functions + Remove unused methods write_key/read_key + Refuse clients if username or password is longer than USER_PASS_LEN + Move should_trigger_renegotiation into its own function + Change --reneg-bytes and --reneg-packets to 64 bit counters + Use XOR instead of concatenation for calculation of IV from implicit IV + Trigger renegotiation of data key if 
getting close to the AEAD usage limit + Implement HKDF expand function based on RFC 8446 + Split init_key_ctx_bi into send/recv init + Move initialisation of implicit IVs to init_key_ctx_bi methods + Change internal id of packet id to uint64 + Add small unit test for buf_chomp + Add building/testing with msbuild and the clang compiler + Ensure that Python3 is available + Change API of init_key_ctx to use struct key_parameters + Allow DEFAULT in data-ciphers and report both expanded and user set option + Do not attempt to decrypt packets anymore after 2**36 failed decryptions + Add methods to read/write packet ids for epoch data + Implement methods to generate and manage OpenVPN Epoch keys + Rename aead-tag-at-end to aead-epoch + Improve peer fingerprint documentation + Remove comparing username to NULL in tls_lock_username + Print warnings/errors when numerical parameters cannot be parsed + Add unit tests for atoi parsing options helper + Improve error reporting from AF_UNIX tun/tap support + Fix typo in positive_atoi + Fix oversight of link socket code change in Android code path + Implement epoch key data format + Extend the unit test for data channel packets with aead limit tests + Add (fake) Android cmake building + Add android build to Github Actions + Reconnect when TCP is on use on network-change management command + Implement override-username + Fix incorrect condition for checking password related check + Directly use _countof in array initialisation + Improve documentation for override-username + Mention address if not unspecific on DNS failure + Do not leave half-initialised key wrap struct when dynamic tls-crypt fails + Allow tls-crypt-v2 to be setup only on initial packet of a session + Use SSL_get0_peer_signature_name instead of SSL_get_peer_signature_nid + Use USER_PASS_LEN instead of TLS_USERNAME_LEN for override-username + Also print key agreement when printing negotiated details + Fix mbed TLS key exporter functionality in 3.6.x and cmake + Make 
--dh none behaviour default if not specified + +Ben Boeckel (1): + console_systemd: remove the timeout when using 'systemd-ask-password' + +Christoph Schug (1): + Update documentation references in systemd unit files + +Corubba Smith (3): + Support IPv6 towards port-share proxy receiver + Document x509-username-fields oid usage + Remove x509-username-fields uppercasing + +David Sommerseth (4): + ssl_verify: Fix memleak if creating deferred auth control files fails + ntlm: Clarify details on NTLM phase 3 decoding + Remove --tls-export-cert + Remove superfluous x509_write_pem() + +Franco Fichtner (1): + Allow to set ifmode for existing DCO interfaces in FreeBSD + +Frank Lichtenheld (174): + options.c: fix format security error when compiling without optimization + options.c: update usage description of --cipher + Update copyright year to 2023 + xkey_pkcs11h_sign: fix dangling pointer + options: Always define options->management_flags + check_engine_keys: make pass with OpenSSL 3 + documentation: update 'unsupported options' section + Changes.rst: document removal of --keysize + Windows: fix unused function setenv_foreign_option + Windows: fix unused variables in delete_route_ipv6 + Windows: fix wrong printf format in x_check_status + Windows: fix unused variable in win32_get_arch + configure: enable DCO by default on FreeBSD/Linux + Windows: fix signedness errors with recv/send + configure: fix formatting of --disable-lz4 and --enable-comp-stub + tests/unit_tests: Fix 'make distcheck' with subdir-objects enabled + GHA: remove Ubuntu 18.04 builds + vcpkg: request "tools" feature of openssl for MSVC build + Do not include net/in_systm.h + version.sh: remove + doc: run rst2* with --strict to catch warnings + man page: Remove cruft from --topology documentation + tests: do not include t_client.sh in dist + vcpkg-ports/pkcs11-helper: Make compatible with mingw build + vcpkg-ports/pkcs11-helper: Convert CONTROL to vcpkg.json + vcpkg-ports/pkcs11-helper: reference upstream 
PRs in patches + dco_linux: properly close dco version file + DCO: fix memory leak in dco_get_peer_stats_multi for Linux + Fix two unused assignments + sample-plugins: Fix memleak in client-connect example plugin + tests: Allow to override openvpn binary used + test_buffer: add tests for buf_catrunc and its caller format_hex_ex + buffer: use memcpy in buf_catrunc + options: remove --key-method from usage message + msvc-generate: include version.m4.in in tarball + dist: add more missing files only used in the MSVC build + vcpkg-ports/pkcs11-helper: rename patches to make file names shorter + unit_tests: Add missing cert_data.h to source list for unit tests + dist: Include all documentation in distribution + CMake: Add complete MinGW and MSVC build + Remove all traces of the previous MSVC build system + CMake: Add /Brepro to MSVC link options + GHA: update to run-vcpkg@v11 + test_tls_crypt: Improve mock() usage to be more portable + CMake: Throw a clear error when config.h in top-level source directory + CMake: Support doc builds on Windows machines that do not have .py file association + Remove old Travis CI related files + README.cmake.md: Add new documentation for CMake buildsystem + GHA: refactor mingw UTs and add missing tls_crypt + GHA: Add macos-13 + options: Do not hide variables from parent scope + pkcs11_openssl: Disable unused code + route: Fix overriding return value of add_route3 + CMake: various small non-functional improvements + GHA: do not trigger builds in openvpn-build anymore + Remove --no-replay option + GHA: new workflow to submit scan to Coverity Scan service + doc: fix argument name in --route-delay documentation + Change type of frame.mss_fix to uint16_t + Remove last uses of inet_ntoa + mss/mtu: make all size calculations use size_t + dev-tools/gerrit-send-mail.py: tool to send Gerrit patchsets to Patchwork + gerrit-send-mail.py: Add patch version to subject + Add mbedtls3 GHA build + platform.c: Do not depend Windows build on HAVE_CHDIR + 
sample-keys: renew for the next 10 years + GHA: clean up libressl builds with newer libressl + configure.ac: Remove unused AC_TYPE_SIGNAL macro + documentation: remove reference to removed option --show-proxy-settings + unit_tests: remove includes for mock_msg.h + buffer: add documentation for string_mod and extend related UT + tests: disable automake serial_tests + documentation: improve documentation of --x509-track + configure: allow to disable NTLM + configure: enable silent rules by default + misc: make get_auth_challenge static + Remove support for NTLM v1 proxy authentication + GHA: increase verbosity for make check + NTLM: add length check to add_security_buffer + NTLM: increase size of phase 2 response we can handle + Fix various 'Uninitialized scalar variable' warnings from Coverity + proxy-options.rst: Add proper documentation for --http-proxy-user-pass + NTLM: when NTLMv1 is requested, try NTLMv2 instead + buf_string_match_head_str: Fix Coverity issue 'Unsigned compared against 0' + --http-proxy-user-pass: allow to specify in either order with --http-proxy + test_user_pass: new UT for get_user_pass + test_user_pass: Add UTs for character filtering + gerrit-send-mail: Make output consistent across systems + README.cmake.md: Document minimum required CMake version for --preset + documentation: Update and fix documentation for --push-peer-info + documentation: Fixes for previous fixes to --push-peer-info + test_user_pass: add basic tests for static/dynamic challenges + Fix typo --data-cipher-fallback + samples: Remove tls-*.conf + check_compression_settings_valid: Do not test for LZ4 in LZO check + t_client.sh: Allow to skip tests + gerrit-send-mail: add missing Signed-off-by + Update Copyright statements to 2024 + GHA: general update March 2024 + samples: Update sample configurations + documentation: make section levels consistent + phase2_tcp_server: fix Coverity issue 'Dereference after null check' + script-options.rst: Update ifconfig_* variables + 
crypto_backend: fix type of enc parameter + tests: fork default automake test-driver + forked-test-driver: Show test output always + Change default of "topology" to "subnet" + Use topology default of "subnet" only for server mode + Fix 'binary or' vs 'boolean or' related to server_bridge_proxy_dhcp + configure: update old copy of pkg.m4 + LZO: do not use lzoutils.h macros + test_user_pass: Fix building with --enable-systemd + Remove "experimental" denotation for --fast-io + t_server_null.sh: Fix failure case + configure: Add -Wstrict-prototypes and -Wold-style-definition + configure: Try to detect LZO with pkg-config + configure: Switch to C11 by default + Fix missing spaces in various messages + console_systemd: rename query_user_exec to query_user_systemd + configure: Allow to detect git checkout if .git is not a directory + GHA: Configure Renovate + configure: Try to use pkg-config to detect mbedTLS + tun: use is_tun_p2p more consistently + Various fixes for -Wconversion errors + generate_auth_token: simplify code + GHA: Update dependency Mbed-TLS/mbedtls to v3.6.1 + GHA: Enable t_server_null tests + configure: Handle libnl-genl and libcap-ng consistent with other libs + configure: Review use of standard AC macros + socket: Change return types of link_socket_write* to ssize_t + GHA: Pin dependencies + GHA: Update macOS runners + GHA: Simplify macOS builds + Remove support for compression on send + Fix wrong doxygen comments + Various typo fixes + macOS: Assume that net/if_utun.h is always present + Fix some formatting related to if/else and macros + Fix memory leak in ntlm_support + forward: Fix potential unaligned access in drop_if_recursive_routing + GHA: General update December 2024 + Review doxygen warnings + Regenerate doxygen config file with doxygen -u + Fix 'uninitialized pointer read' in openvpn_decrypt_aead + ssl_openssl: Clean up unused functions and add missing "static" + Fix some trivial sign-compare compiler warnings + 
tls_crypt_v2_write_client_key_file: Fix missing-field-initializers compiler warning + openvpnserv: Fix some inconsistent usages of TEXT() + Fix doxygen warnings in crypto_epoch.h + GHA: Drop Ubuntu 20.04 and other maintenance + GHA: Publish Doxygen documentation to Github Pages + Add more 'intentional fallthrough' comments + Remove various unused function parameters + Remove unused function check_subnet_conflict + options: Cleanup and simplify options_postprocess_verify_ce + Apply text-removal.sh script to Windows codebase + openvpnserv: Clean up use of TEXT() from DNS patches + Post tchar.h removal cleanup + Fix compatibility with mbedTLS 2.28.10+ and 3.6.3+ + t_server_null_default.rc: Add some tests with --data-ciphers + GHA: Pin version of CMake for all builds + GHA: Dependency and Actions update April 2025 + GHA: Make sure renovate notifies us about AWS LC releases + Doxygen: Fix obsolete links to OpenSSL documentation + GHA: Use CMake 4.0 and apply required fixes + Doxygen: Clean up tls-crypt documentation + Doxygen: Remove useless Python information + Manually reformat some long trailing comments + CMake: Make sure to treat UNIT_TEST_SOURCEDIR as path + CMake: Sync list of compiler flags with configure.ac + CMake: Reorganize header and symbol tests + GHA: Dependency and Actions update May 2025 + Doxygen: Fix missing parameter warnings + Changes.rst: Collect, fix, and improve entries for 2.7 release + +George Pchelkin (1): + fix typo: dhcp-options to dhcp-option in vpn-network-options.rst + +Gert Doering (21): + Change version.m4 to 2.7_git + bandaid fix for TCP multipoint server crash with Linux-DCO + Undo FreeBSD 12.x workaround on IPv6 ifconfig for 12.4 and up + Reduce logspam about 'dco_update_keys: peer_id=-1' in p2p server mode + Fix OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT breakage on FreeBSD+DCO + Repair special-casing of EEXIST for Linux/SITNL route install + Get rid of unused 'bool tuntap_buffer' arguments. 
+ FreeBSD 12.x workaround for IPv6 ifconfig is needed on 12.4 as well + Make received OCC exit messages more visible in log. + OpenBSD: repair --show-gateway + get_default_gateway() HWADDR overhaul + make t_server_null 'server alive?' check more robust + t_client.sh: conditionally skip ifconfig+route check + send uname() release as IV_PLAT_VER= on non-windows versions + options: add IPv4 support to '--show-gateway ' + get_default_gateway(): implement platform support for Linux/SITNL + get_default_gateway(): implement platform support for Linux/IPROUTE2 + add missing (void) to win32 function declarations + add more (void) to windows specific function prototypes and declarations + Make 'lport 0' no longer sufficient to do '--bind'. + Add information-gathering about DNS resolvers configured to t_client.sh(.in) + +Gianmarco De Gregori (17): + Persist-key: enable persist-key option by default + Minor fix to process_ip_header + Http-proxy: fix bug preventing proxy credentials caching + Ensures all params are ready before invoking dco_set_peer() + Route: remove incorrect routes on exit + Fix for msbuild/mingw GHA failures + multiproto: move generic event handling code in dedicated files + Fix PASS_BY_VALUE issue in options_postprocess_mutate_le() + mroute: adapt to new protocol handling and hashing improvements + mroute/management: repair mgmt client-kill for mroute with proto + Add support for simultaneous use of UDP and TCP sockets + Rename occurences of 'struct link_socket' from 'ls' to 'sock' + Fix FreeBSD-DCO and Multisocket interaction + manpage: fix HTML format for --local + Fix dco_win and multisocket interaction + dco_linux: Introduce new uAPIs + Explicit-exit-notify and multisocket interaction + +Heiko Hund (21): + dns option: allow up to eight addresses per server + work around false positive warning with mingw 12 + dns option: remove support for exclude-domains + cmake: create and link compile_commands.json file + cmake: symlink whole build dir not just .json 
file + Windows: enforce 'block-local' with WFP filters + add and send IV_PROTO_DNS_OPTION_V2 flag + dns: store IPv4 addresses in network byte order + dns: clone options via pointer instead of copy + service: add utf8to16 function that takes a size + dns: support multiple domains without DHCP + dns: do not use netsh to set name server addresses + win: calculate address string buffer size + win: implement --dns option support with NRPT + dns: apply settings via script on unixoid systems + fix typo in haikuos dns-updown script + dns: support running up/down command with privsep + dns: don't publish env vars to non-dns scripts + dns: fix potential NULL pointer dereference + win: match search domains when creating exclude rules + win: fix collecting DNS exclude data + +Heiko Wundram (1): + Implement Windows CA template match for Crypto-API selector + +Ilia Shipitsin (3): + src/openvpn/init.c: handle strdup failures + sample/sample-plugins/defer/multi-auth.c: handle strdup errors + tests/unit_tests/openvpn/test_auth_token.c: handle strdup errors + +Ilya Shipitsin (1): + src/openvpn/dco_freebsd.c: handle malloc failure + +Juliusz Sosinowicz (1): + Change include order for tests + +Klemens Nanni (1): + Fix tmp-dir documentation + +Kristof Provost (10): + Read DCO traffic stats from the kernel + dco: Update counters when a client disconnects + Read the peer deletion reason from the kernel + dco: cleanup FreeBSD dco_do_read() + options.c: enforce a minimal fragment size + configure: improve FreeBSD DCO check + dco: define OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT on FreeBSD + dco: print FreeBSD version + DCO: support key rotation notifications + dco-freebsd: dynamically re-allocate buffer if it's too small + +Lev Stipakov (63): + Rename dco_get_peer_stats to dco_get_peer_stats_multi + management: add timer to output BYTECOUNT + Introduce dco_get_peer_stats API and Windows implementation + git-version.py: proper support for tags + msvc: upgrade to Visual Studio 2022 + tun: 
move print_windows_driver() out of tun.h + openvpnmsica: remove dco installer custom actions + openvpnmsica: remove unused declarations + openvpnmsica: fix adapters discovery logic for DCO + Allow certain DHCP options to be used without DHCP server + dco-win: use proper calling convention on x86 + Improve format specifier for socket handle in Windows + Disable DCO if proxy is set via management + Add logging for windows driver selection process + Avoid management log loop with verb >= 6 + Support --inactive option for DCO + Fix '--inactive
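Review bot: The shortlog added in the ChangeLog hunk lists what looks like one contributor under two spellings, "Ilia Shipitsin (3)" and "Ilya Shipitsin (1)", which splits their commits into two groups; mapping both to a single name (for example with a .mailmap entry) before regenerating the list would merge them. The new section header reads "2025.05.28 -- Version 2.7_alpha1" while the commit itself is dated 26 May 2025, so it is worth confirming the header carries the intended release date. The commit message also mentions adding test_common.h to tests/unit_tests/openvpn/Makefile.am, which is a packaging fix independent of the release bump and would be easier to backport or revert as its own commit.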