From: Gert Doering
Date: Thu, 1 Dec 2022 15:32:02 +0000 (+0100)
Subject: Preparing release 2.6_beta1
X-Git-Tag: v2.6_beta1^0
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e778a6fd26d849dc0232950aab6a82ba10789a9e;p=thirdparty%2Fopenvpn.git

Preparing release 2.6_beta1

version.m4, ChangeLog, branching off release/2.6 from master.

Signed-off-by: Gert Doering
---
diff --git a/ChangeLog b/ChangeLog
index 2685d3307..d1a47dec2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,812 @@ OpenVPN ChangeLog Copyright (C) 2002-2022 OpenVPN Inc -This file is not maintained in this branch of the OpenVPN git repository. +2022.12.01 -- Version 2.6_beta1 + +Adrian (1): + Fix error in example firewall.sh script + +Antonio Quartulli (99): + tun.c: remove unused variable + openssl: fix EVP_PKEY_CTX memory leak + openssl: avoid NULL pointer dereference + ssl: remove unneeded if block + options: check for blanks in fingerprints and reject string if found + crypto: respect ECB argument type from prototype + Add documentation on EVENT_READ/EVENT_WRITE constants + windows: use appropriate and portable format specifier for 64bit pointer + windows: define variable only where used + windows: list all enum values in switch block + forward: get rid of useless declarations for actually static functions + mbedtls: do not define mbedtls_ctr_drbg_update_ret when not needed + route.c: pass the right parameter to IN6_IS_ADDR_UNSPECIFIED + man/protocol-options: add missing ending metachar + compat-mode: allow user to specify version to be compatible with + reject compression by default + Remove support for PF (Packet Filter) + configure: search also for rst2{man, html}.py + multi: remove extra brackets in multi_process_incoming_link() + do not include --cipher value in data-ciphers + compat-mode: add --data-cipher-fallback auomatically if requested + Set TLS 1.2 as minimum by default + doc: fix indentation in protocol-options.rst + networking: add and implement net_addr_ll_set() API + networking: add missing brackets + set_lladdr: use networking API net_addr_ll_set() on Linux + configure: remove useless -Wno-* from default CFLAGS + options.c: fix version reported in --cipher warning message + doc/cipher-negotiation.rst: avoid warning by fixing indentation + doc: remove PF leftovers from documentation + sig.c: define signal_handler on non-windows only + GitHub Actions: ensure Ubuntu builds are made with the chosen SSL library + ssl.c: use arrow operator to 
access object member + use 'static inline' instead of 'inline static' + GitHub Actions: add other config flavours + unit-test: fix test_crypto when USE_COMP is not defined + update copyright year to 2022 + keyingmaterialexporter.c: include strings.h + crypto: move validation logic from cipher_get to cipher_valid + crypto: move OpenSSL specific FIPS check to its backend + Get rid of README.IPv6 and TODO.IPv6 + auth_token/tls_crypt: fix usage of md_valid() + crypto: unify key_type creation code + remove unused sitnl.h file + options: drop useless netmask variable + networking: use OPENVPN_ETH_ALEN instead of ETH_ALEN + networking: silence warnings about unused arguments + networking_iproute2: don't pass M_WARN to openvpn_execve_check() + networking: implement net_iface_new and net_iface_del APIs + t_net.sh: delete dummy iface using iproute command + auth-pam.c: add missing include limits.h + dco: introduce low-level code for handling ovpn-dco in the Linux kernel + dco: add helper function to detect if DCO is enabled or not + dco: create DCO interface using SITNL + tls-crypt-v2: bail out if the client key is too small + dco: use specific metric when installing routes + networking: fix doc for net_iface_new() API + options: don't export local function pre_connect_save() + networking_sitnl: always return negative error code in case of failure + networking: add net_iface_type API + tun: create tun_name_is_fixed helper + dco: add option check - disable DCO if conflict is detected + dco: allow user to disable it at runtime + GitHub Actions: add Linux DCO build (on Ubuntu 20.04) + dco: introduce open_tun_dco_generic() to open dynamic or fixed-name DCO devices + dco: initialize context and save pointer in TLS object + dco: configure keys in DCO right after generating them + disable DCO if no --dev was specified + dco: periodically check and possibly rotate/delete keys + dco: split option parsing routines + push: fix compilation with --disable-management and --enable-werror + 
dco: check that pulled options are compatible + dco: implement dco support for p2p/client code path + dco: add documentation for ovpn-dco-linux + dco: implement dco support for p2mp/server code path + dco: perform pull options check only if we pulled any option + dco: disable DCO if --allow-compress yes/asym was specified + dco: turn supported ciphers list into a function + do_open_tun: restyle 'can preserve TUN' check + do_close_tun: get rid of one level of indentation + ovpn-dco: print some netlink messages to debug level + dco: move message to DCO debug level and reword a bit + dco: properly name variables + dco: don't pass VPN IPs to NEW_PEER API in P2P mode + dco-win: ensure the DCO API is not used when running on Windows + ssl_util: fix prototype style + dco: move availability check to the end of check_option_conflict() function + dco-win: introduce low-level code for handling ovpn-dco-win in Windows + dco-win: check for incompatible options + dco-win: implement ovpn-dco support in P2P Windows code path + dco-win: add documentation to README.dco.md + dco-win: update GH Actions config file + dco: trigger ping timeout event only if the peer expired + delete_routes(_ipv6): avoid memleak if RT_DEFINED is not set + solaris/open_tun: prevent crash when dev is empty string + do not push route-ipv6 entries that are also in the iroute-ipv6 list + auth-user-pass: add support for inline credentials + get_user_pass_cr: get password from stdin if missing inline + close_tun: print interface type consistently in message + +Arne Schwabe (289): + Fix client's poor man NCP fallback + Refactor key_state_export_keying_material functions + Fix compilation with older mbed TLS versions (mbedtls_tls_prf_types undefined) + Fix client NCP OCC fallback when server and client cipher are identical + Move openvpn specific key expansion into its own function + Allow 'none' cipher being specified in --data-ciphers + Implement generating data channel keys via EKM/RFC 5705 + Ignore 
deprecation warning for daemon on macOS + Add function for common env setting of verify user/pass calls + Inline function tls_get_peer_info + Align reliable_free with other free methods to accept NULL + Remove NULL checks before calling free + Remove explicit setting of peer_id to false + Remove --disable-def-auth configure argument + Replace key_scan array of static pointers with inline function + Add more documentation about our internal TLS functions + Improve keys out of sync message + Clean up tls_authentication_status and document it + Rename DECRYPT_KEY_ENABLED to TLS_AUTHENTICATED + Send AUTH_FAILED message to clients on renegotiation failures + Make any auth failure tls_authentication_status return auth failed + Fix auth-token not being updated if auth-nocache is set + Remove auth_user_pass.wait_for_push variable + Fix port-share option with TLS-Crypt v2 + Zero initialise msghdr prior to calling sendmesg + Fix tls-auth mismatch OCC message when tls-cryptv2 is used. + Remove inetd support from OpenVPN + Change pull request timeout use a timeout rather than a number + Check return values in md_ctx_init and hmac_ctx_init + Implement client side handling of AUTH_PENDING message + Introduce management client state for AUTH_PENDING notifications + Add S_EXITCODE flag for openvpn_run_script to report exit code + Prefer TLS libraries TLS PRF function, fix OpenVPN in FIPS mode + Implement server side of AUTH_PENDING with extending timeout + Refactor extract_var_peer_info into standalone function and add ssl_util.c + Change parameter of send_auth_pending_messages from context to tls_multi + Allow pending auth to be send from a auth plugin + Avoid generating unecessary mbed debug messages + Add README.wolfssl documentating the state of WolfSSL in OpenVPN + Fix multiple problems when compiling with LLVM/Windows (clang-cl) + Move extract_iv_proto to ssl_util.c/h + Extend verify-hash to allow multiple hashes + Implement peer-fingerprint to check fingerprint of peer 
certificate + Document the simple self-signed certificate setup in examples + Deprecate the --verify-hash option + Remove empty dummy functions + Move restoring pre pull options to initialising of c2 context + Move NCP saving and restore to the prepush restore code + Restore also ping related options on a reconnect + Make buffer related function conversion explicit when narrowing + Fix socket related functions using int instead of socket_descriptor_t + Use correct types for OpenSSL and Windows APIs + Cleanup print_details and add signature/ED certificate print + Remove flexible array member autoconf check + Remove support for non ISO C99 vararg support + Fix #elif TARGET_LINUX missing defined() call + Remove superflous ifdefs around enum like defines + Rename tunnel_server_udp_single_threaded to tunnel_server_udp + Remove code for aligning non-swapped compression + Remove pointless tun_adjust_frame_parameters function + Remove unused field txqueuelen from struct tuntap + Remove unused function tls_test_auth_deferred_interval + Remove unused variable pass_config_info + Move is_proto function to the socket.h header + Implement '--compress migrate' to migrate to non-compression setup + Remove thread_mode field of multi_context + Extract multi_assign_peer_id into its own function + Remove do_init_socket_2 and do_init_socket_1 wrapper function + Always disable TLS renegotiations + Allow running a default configuration with TLS libraries without BF-CBC + Deprecate non TLS mode in OpenVPN + Remove deprecated option '--keysize' + Move auth deferred related members into its own struct + log file descriptor in more socket related error messages + Fix async push broken after auth deferred refactor + Remove conditionals compilation for P2MP, ENABLE_SHAPER and TIME_BACKTRACK_PROTECTION + Remove check for socket functions and Win XP compatbility code + Remove checks for uint* types that are part of C99 + Remove a number of checks for functions/headers that are always present + 
Use EVP_CTRL_AEAD_* instead EVP_CTRL_GCM_* + Remove OpenSSL configure checks + Always save/restore pull options + Also restore/save compress related options in reconnects + Also restore/save route-gateway options on SIGUSR1 reconnects + Remove LibreSSL specific defines not needed for modern LibreSSL + Add parsing of dhcp-option PROXY_HTTP + Ensure using const variables with EVP_PKEY_get0_* + Move context_auth from context_2 to tls_multi and name it multi_state + Fix condition to generate session keys + Remove always enabled USE_64_BIT_COUNTERS define + Fix a number of mingw warnings + Move tls_select_primary_key into its own function + Allow all GCM ciphers + Change options->data_channel_use_ekm to flags + Implement deferred auth for scripts + Use functions to access key_state instead direct member access + Avoid failing_test unused warning in example_test + Move direct.h header where it is used + Replace OS_SPECIFIC_DIRSEP with PATH_SEPARATOR + Remove a number of platform specific checks in configure.ac + Remove --disable-multihome option + Remove support for blocking connect() + Fix memory leak in misc unit test + Fix binary and (&) used in auth-token check instead of logical and (&&) + Add missing free_key_ctx for auth_token + Remove explicit struct iovec check (HAVE_IOVEC) + Remove getpeername, getpid check + Inline do_init_auth_token_key + Add noreturn attribute for MSVC to assert_failed method. 
+ Move utility function from win32.c to win32-util.c + Document stub-v2 being basically an alias for no compression at all + Return cached result in tls_authentication_status + Use exponential backoff for caching in tls_authentication_status + Add github actions + Silence warning about format string in check_ca_required + Implement auth-token-user + Move auth_token_state from multi to key_state + Add connection_established as state in tls_multi->context_auth + Make waiting on auth an explicit state in the context state machine + Ensure tls session is authenticated before sending push reply + Extracting key_state deferred auth status update into function + Move examples into openvpn-examples(5) man page + Introduce S_GENERATED_KEYS state and generate keys only when authenticated + Fix tls-cert-profile broken on OpenSSL 1.1+ + Cleanup handling of initial auth token + Remove --ncp-disable option + Add detailed man page section to setup a OpenVPN setup with peer-fingerprint + Support NCP in pure P2P VPN setups + Remove unistd.h from unit test + Introduce webauth auth pending method and deprecate openurl + Include Chacha20-Poly1305 into default --data-ciphers when available + Detect unusable ciphers on patched OpenSSL of RHEL/Centos + Fix Ubuntu spelling and duplicate run in Github Actions + Add message when decoding PKCS12 file fails. 
+ Add small unit test for testing HMAC + Deprecate --ecdh-curve with OpenSSL 3.0 and adjust mbed TLS message + Use EVP_PKEY based API for loading DH keys + Remove DES check with OpenSSL 3.0 + Remove DES key fixup code + Do not allow CTS ciphers + Use new EVP_MAC API for HMAC implementation + Add --with-openssl-engine autoconf option (auto|yes|no) + Use EVP_PKEY_get_group_name to query group name + Replace EVP_get_cipherbyname with EVP_CIPHER_fetch + Use EVP_MD_get0_name instead EV_MD_name + Remove dependency on BF-CBC existance from test_ncp + Implement DES ECB encrypt via EVP_CIPHER api + Fix error when BF-CBC is not available + Fix function name in DH error message + Add insecure tls-cert-profile options + Remove custom PRNG function + Completely remove DES checks + Refactor early initialisation and uninitialisation into methods + Use TYPE_do_all_provided function for listing cipher/digest + Add macos OpenSSL 3.0 and ASAN builds + Allow loading of non default providers + Move IV_TCPNL from comp_generate_peer_info_string to push_peer_info + Implement optional cipher in --data-ciphers prefixed with ? 
+ Directly use hardcoed OPENVPN_AEAD_TAG_LENGTH instead lookup + Remove cipher_kt_var_key_size and remaining --keysize documentation + Remove cipher_ctx_get_cipher_kt and replace with direct context calls + Remove key_type->cipher_length field + Remove key_type->hmac_length + Fix handling an optional invalid cipher at the end of data-ciphers + Make --nobind default for --pull + Remove ENABLE_CRYPTO_OPENSSL ifdef inside ENABLE_CRYPTO_OPENSSL ifdef + Remove max_size from buffer_list_new + Add argv_insert_head__empty_argv__head_only to argv tests + Remove cipher_kt_t and change type to const char* in API + Move deprecation of SWEET32/64bit block size ciphers to 2.7 + Adjust cipher-negotiation.rst with compat-mode changes + Remove md_kt_t and change crypto API to use const char* + Initialise kt_cipher even when no crypto is enabled + Remove align_adjust frame code + Fix triggering assertion of ks->authenticated after tls_deauthenticate + Document frame related function and variables a bit more + Remove post_open_mtu code + Make github actions names nicer, include Ubuntu18+OpenSSL 1.0.2 + Add helper functions to calculate header/payload sizes + Decouple MSS fix calculation from frame calculation + Rework occ link-mtu calculation + Remove pointless do_init_frame_tls function + Remove BUFFER_LIST_AGGREGATE_TEST test code + Deprecate link-mtu + Fix mssfix and frame calculation in CBC mode + Change buffer allocation calculation and checks to be more static + Fix datagram_overhead and assorted functions + Implement optional mtu parameter for mssfix + Remove link_mtu parameter when running up/down scripts + Replace TUN_MTU_SIZE with frame->tun_mtu + Change the default for mssfix to mssfix 1492 mtu + Add mtu paramter to --fragment and change fragment calculation + Update fragment and mssfix related warnings + Use new frame header methods to calculate OCC_MTU_LOAD payload size + Remove extra_link from frame + Remove frame->link_mtu + Remove frame.extra_frame and 
frame.extra_buffer + Default to --cipher BF-CBC if not set and compat-mode < 2.4.0 + Fix 'defined but not used' warnings with enable-small/disable-management + Add Werror to github action ubuntu build + Add better documentation for CAS_* states + Add unit test for mssfix with compression involved + Remove FRAME_HEADROOM, PAYLOAD_SIZE, EXTRA_FRAME and TUN_LINK_DELTA macros + Fix mbed TLS compile if OpenSSL headers are not available + Remove unused function cipher_var_key_size + Implement fixed MSS value for mssfix and use it for non default MTUs + networking: remove duplicate methods from networking_sitnl.c + Remove dead PID_TEST code + Remove inc_pid argument from reliable_mark_deleted that is always true + Remove EXPONENTIAL_BACKOFF define + Remove tls_init_control_channel_frame_parameters wrapper function + Add documentation for swap_hmac function + Make buf_write_u8/16/32 take the type they pretend to take + Move pre decrypt lite check to its own function + Extend tls_pre_decrypt_lite to return type of packet and keep state + Move ssl function related to control channel wrap/unwrap to ssl_pkt.c/h + Add unit tests for test_tls_decrypt_lite + Split out reliable_ack_parse from reliable_ack_read + Refactor tls-auth/tls-crypt wrapping into into own function + Extract session_move_pre_start as own function, use local buffer variable + Change FULL_SYNC macro to no_pending_reliable_packets function + Extract session_move_active into its own function + Move tls_process_state into its own function + Remove pointless indentation from tls_process. 
+ Move CRL reload to key_state_init from S_START transition + Change reliable_get_buf_sequenced to reliable_get_entry_sequenced + Implement constructing a control channel reset client as standalone function + Implement stateless HMAC-based sesssion-id three-way-handshake + Extract read_incoming_tls_ciphertext into function + Fix format specifier for printing size_t on 32bit size_t platforms + Remove workaround for Android 4.4 + Implement HMAC based session id for tls-crypt v2 + Optimise three-way handshake condition for S_PRE_START to S_START + Extract read_incoming_tls_plaintext into its own function + Add uncrustify check to github actions + Add ubuntu 22.04 to Github Actions + Implement ED448 and ED25519 support in xkey_provider + Translate OpenSSL 3.0 digest names to OpenSSL 1.1 digest names + Fix client-pending-auth error message to say ERROR instead of SUCCESS + Remove useless empty line from CR_RESPONSE message + Remove leftover frame_set_mtu_dynamic definitions in mtu.h + Inline frame_add_to_extra_tun function and remove frame_defined + tun: extract close_tun_handle into its own fucntion and print correct type + Error out if both remap-usr1 SIGHUP and config stdin are used + Fix segfault when no --config argument is given + Extract check_session_cipher into standalone function + Cleanup receive_auth_failed and simplify method + Fix IV_PLAT_VER and UV_ variables sent without push-peer-info + Rename OPT_P_IPWIN32 to OPT_P_DHCPDNS and include --dns in it + Include DCO status in GLOBAL_STATS status v2 output + Github Actions: Add libreSSL actions + Include libressl and macOS 12 to macOS github actions + Fix declaration of pubkeys in test_provider.c in MSVC builds + Change command help to match man page and implementation + Implement --client-crresponse script options and plugin interface + Add example script demonstrating TOTP via auth-pending + Add OpenSSL 3.0 to mingw build + Update android.txt to reflect more recent changes. 
+ Allow scripts and plugins to set a custom AUTH_FAILED message + Implement exit notification via control channel + Implement AUTH_FAIL, TEMP message support + Document/cleanup event_timeout functions + Fix OpenVPN querying user/password if auth-token with user expires + Enable -Werror on macOS builds + Ensure only CBC, CFB, OFB and AEAD ciphers are considered valid data ciphers + Change exit signal in P2P to be a SIGUSR1 and delayed CC exit in P2MP + Allow Authtoken lifetime to be short than renegotiation time + Allows renegotiation only to start if session is fully established + Fix renewal spelling and actually allow external-auth with renewal time + Fix regression of ignoring --user + Refactor/optimise code sending TLS control channel messages + Add unit test for reliable_get_num_output_sequenced_available + Allow setting control channel packet size with max-packet-size + Always include ACKs for the last seen control packets + Add workaround for Softether server dropping P_ACK_V1 with >= 5 acks + Improve data key id not found error message + Add packet type in accept/reject messages for HMAC packet + Fix md_kt_size in mbed TLS when queried for size of "none" + Add algorithm and bits used in key_print2 method and refactor method + Remove unused addr_inet4or6, addr_guess_family and inline addr_copy_sa + Allow tun-mtu to be pushed + Push server mtu to client when supported and support occ mtu + Fix logic error in checking early negotiation support check + Move dco_installed from sock->info to sock->info.lsa.actual + Use dedicated multi->dco_peer_id for DCO instead of multi->peer_id + Add section about common error with OpenVPN 2.6 and OpenSSL 3.0 + Introduce connection state for reconnecting peer in p2p + Signal USR1 when connection initialising fails + Allow reconnecting in p2p mode work under FreeBSD + +Camille Guérin (1): + Removed error message for an option flag not supported with --server-ipv6 + +David Korczynski (1): + Fix argv leaks in add_route() and 
add_route_ipv6() + +David Sommerseth (18): + man: Add missing --server-ipv6 + man: Improve --remote entry + sample-plugins: Partially autotoolize the sample-plugins build + build: Fix make distclean/distcheck + compat/lz4: Update to v1.9.2 + build: Fix missing install of man page in certain environments + build: Remove compat-lz4 + Update copyrights + doc: Use generic rules for man/html generation + man: Clarify IV_HWADDR + crypto: Fix OPENSSL_FIPS enabled builds + sample-plugin: New plugin for testing multiple auth plugins + plugins: Remove defer/simple.c sample plugin + plug-ins: Disallow multiple deferred authentication plug-ins + dev-tools: Remove no longer needed openvpn-plugin.h.in patching + dev-tools: Remove uncrustify -p + dev-tools: Avoid uncrustify mangling MAC_FMT macro + The Great Reformatting of 2022 + +Dmitry Zelenkovsky (1): + implement --session-timeout + +Domagoj Pensa (3): + Fix too early argv freeing when registering DNS + Remove 1 second delay before running netsh + Skip DHCP renew with Wintun adapter + +Eric Thorpe (1): + Fixes a bug in management_callback_send_cc_message, should be strlen instead of sizeof + +Frank Lichtenheld (18): + doc/Makefile: rebuild rst docs if input files change + doc: fix misc documentation issues + doc/options: clean up documentation for --proto and related options + Reformat for sp_after_comma=add + uncrustify: add sp_after_comma=add + uncrustify: have exactly one newline at the end of files + t_client: Allow to force FAIL on prerequisite fails + systemd: remove generated service files on clean + Reduce usage of __DATE__ + config-version.h: remove unused includes + t_client.sh: do not require fping6 + doc: cleanup for --data-ciphers and related + test_crypto: fix test_occ_mtu_calculation with --disable-fragment + msvc: always call git-version.py + GitHub Issues: add note to Changes as well + GitHub Issues: add new links to INSTALL and README + GitHub Issues: Create first issue template (Bug) + documentation: avoid 
recommending --user nobody + +Gert Doering (67): + Change version.m4 to 2.6_git + Fix stack overflow in OpenSolaris NEXTADDR() + Workaround FreeBSD 12+ race condition on tun/tap open with IPv6. + Document that --push-remove is generally more suitable than --push-reset + Fix error detection / abort in --inetd corner case. + Fix TUNSETGROUP compatibility with very old Linux systems. + Fix handling of 'route remote_host' for IPv6 transport case. + Replace 'echo -n' with 'printf' in tests/t_lpback.sh + Fix description of --client-disconnect calling convention in manpage. + Handle NULL returns from calloc() in sample plugins. + Fix --show-gateway for IPv6 on NetBSD/i386. + socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes + Fix netbits setting (in TAP mode) for IPv6 on Windows. + If IPv6 pool specification sets pool start to ::0 address, increment. + Add demo plugin that excercises "CLIENT_CONNECT" and "CLIENT_CONNECT_V2" paths + Fix combination of --dev tap and --topology subnet across multiple platforms. + Fix redirecting of IPv4 default gateway if connecting over IPv6. + Fix compilation on pre-EKM mbedTLS libraries. + Avoid passing NULL to argv_printf_cat() in temp_file error case. + Change travis build scripts to use https when fetching prerequisites. + Fix line number reporting on config file errors after segments + Clarify --block-ipv6 intent and direction. + Document common uses of 'echo' directive, re-enable logging for 'echo'. + Make OPENVPN_PLUGIN_ENABLE_PF failures FATAL + clean up / rewrite sample-plugins/defer/simple.c + Fix EVP_PKEY_CTX_... compilation with LibreSSL + Require at least 100MB of mlock()-able memory if --mlock is used. + Get rid of last PLUGIN_DEF_AUTH #ifdef + Fix 'compress migrate' for 2.2 clients. + Fix potential NULL ptr crash if compiled with DMALLOC + Repair --secret deprecation warning. + rewrite parse_hash_fingerprint() + Ignore leading whitespace and comment lines for peer-fingerprint. 
+ Add error reporting to get_console_input_win32(). + Ignore --explicit-exit-notify in TCP mode. + Use more C99 initialization in add_route/add_route_ipv6(). + Include --push-remove in the output of --help. + Move '--push-peer-info' documentation from 'server' to 'client options' + add test case(s) to notice 'openvpn --show-cipher' crashing + Repair --inactive with 'bytes' argument larger 2Gbytes. + Fix --mtu-disc maybe|yes on Linux. + Fix trailing-whitespace errors in last patch. + Exclude the last two whitespace-only uncrustify fixes from git blame output. + Implement --mtu-disc for IPv6 UDP sockets. + Fix non-compliant whitespace introduced by commit 54800aa975418fe35. + Pass proper sockaddr_* structure for IPv6 socket errors. + Fix error message about extended errors for IPv4-only sockets. + Break 'try 256 dco devices' loop on EPERM + Cleanup: get rid of 'dynamic' argument of open_tun_generic() + Remove outdated information from ChangeLog, point at release branches. + Apply uncrustify changes that were forgotten in the last patch. + Apply uncrustify changes that were forgotten in the FreeBSD DCO 1/2 patch. + FreeBSD-DCO: repair device iteration to find first free interface. + DCO: require valid netbits setting for non-primary iroutes. + Adjust Linux+FreeBSD DCO device name handling to 'non DCO linux style' + cleanup open_tun() for TARGET_NETBSD + t_client: add per-instance arguments to fping + introduce V= level to manage t_client.sh output verbosity + un-break undo_ifconfig_ipv4()/_ipv6() on all non-linux/non-win32 platforms + use boolean '||' to join two bools, not bitwise '|' + denoise tests/t_lpback.sh + FreeBSD: for topology subnet, put tun interface into IFF_BROADCAST mode + FreeBSD DCO: introduce real subnet mode + Improve documentation for --dev and --dev-node. 
+ Update PORTS + rework INSTALL and README to prepare for 2.6 release + Preparing release 2.6_beta1 + +Greg Cox (5): + Fix naming error in sample-plugins/defer/simple.c + Documentation fixes around openvpn_plugin_func_v3 in openvpn-plugin.h.in + Update openvpn_plugin_func_v2 to _v3 in sample-plugins/defer/simple.c + More explicit versioning compatibility in sample-plugins/defer/simple.c + Explain structver usage in sample defer plugin. + +Heiko Hund (10): + add support for --dns option + Add git pre-commit hook script to uncrustify + pre-commit: uncrustify based on staged changes + remove foreign_option() call for IPv6 DNS servers + remove dead foreign-option parsing code + rename foreign_option() and move it up + doc: fix literal block in tls-options.rst + dns: also (re)place foreign dhcp options in env + signal --dns support in peer info + make %x destination unsigned + +Ilya Ponetayev (1): + fix compilation issues with small and w/o debug + +Ilya Shipitsin (2): + CI: github actions: keep "pdb" in artifacts + BUILD: enable CFG and Spectre mitigation for MSVC + +Jan Mikkelsen (1): + cipher-negotiation.rst missing from doc/Makefile.am + +Jan Seeger (1): + Added 'route_ipv6_metric_NN' environment variable for IPv6 route metric. + +Jason A. Donenfeld (1): + Support fingerprint authentication without CA certificate + +Jeff (1): + duplicate function declaration. 
+ +Juliusz Sosinowicz (4): + EVP_DigestSignFinal siglen parameter correction + Support for wolfSSL in OpenVPN + build: Add support for pkg-config < 0.28 for old autoconf versions + README.wolfssl Update + +Kristof Provost (6): + Handle exceeding 'max-clients' + ovpn-dco: introduce FreeBSD data-channel offload support + Support creating iroute route entries on FreeBSD + FreeBSD networking cleanup + FreeBSD DCO: support AES-192-GCM + dco: pass control packets through the socket on FreeBSD + +Lev Stipakov (68): + tun.c: enable using wintun driver under SYSTEM + openvpnmsica: make adapter renaming non-fatal + msvc: better support for 32bit architecture + Alias ADAPTER_DOMAIN_SUFFIX to DOMAIN + ssl_common.h: fix 'not all control paths return a value' msvc warning + Remove compat-lz4 references from VS project files + tapctl: support for ovpn-dco Windows driver + msvc: add ARM64 configuration + win32: add missing include header + openvpnmsica: properly schedule reboot in the end of installation + options.c: fix msvc build error + msvc: standalone building + contrib/vcpkg-ports: add pkcs11-helper port + vcpkg-ports: restore trailing whitespaces in .patch files + GitHub actions: add MSVC build + crypto_openssl.c: disable explicit initialization on Windows (CVE-2121-3606) + contrib/vcpkg-ports: add openssl port with --no-autoload-config option set (CVE-2121-3606) + Fix console prompts with redirected log + GitHub Actions: fix MSVC builds + contrib/vcpkg-ports: remove openssl port + Add building man page on Windows + GitHub Actions: remove Ubuntu 16.04 environment + Fix loading PKCS12 files on Windows + msvc: fix product version display + config-msvc.h: fix OpenSSL-related defines + GitHub Actions: use latest working lukka/run-vcpkg + Use network address for emulated DHCP server as a default + Load OpenSSL config on Windows from trusted location + ring_buffer.h: fix GCC warning about unused function + ssh_openssl.h: remove unused declaration + vcpkg/pkcs11-helper: 
compatibility with latest vcpkg + config-msvc.h: indicate key material export support + auth_token.c: add NULL initialization + tun: remove tun_finalize() + vcpkg-ports/pkcs11-helper: bump to release 1.28 + vcpkg-ports/pkcs11-helper: indicate OpenSSL EC support + xkey: fix msvc build + msvc: switch to openssl3 + msvc: cleanup + vcpkg: link lzo statically + openvpnmsica: add ovpn-dco custom actions + vcpkg-ports/pkcs11-helper: adapt to new upstream URL + vcpkg-ports\pkcs11-helper: shorten patch filename + vcpkg-ports\openssl3: update to 3.0.2 + Fix incorrect default mssfix value in server mode + msvc: adjust build options to harden binaries + vcpkg: switch to manifest + Fix M_ERRNO behavior on Windows + GitHub Actions: trigger openvpn-build GHA on success + Set o->use_peer_id flag for p2p mode + openvpnmsica: remove OpenVPNService state check code + tun.c: remove unused gc_arena from init_tun() + error.c: remove unused crash() function + tun: properly handle device interface list + dco.h: fix return type when DCO is not enabled + dco-win: use run-time dynamic linking for GetOverlappedResultEx + vcpkg: bump baseline version + do_persist_tuntap: remove indentation level + msvc: remove .filters files + dco.c: check certain options only on startup + Use DCO on Windows by default + doc: add "ovpn-dco" to usage and man page + dco-win: support for --persist-tun + msvc: add branch name and commit hash to version output + vcpkg: use the latest versions of dependency ports + win32: detect arm64 architecture and emulations + INSTALL: update Windows notes + dco: disable dco on Windows if --remote is not defined + +Magnus Kroken (2): + doc: fix typos in cipher-negotiation.rst + Changes.rst: fix mistyped option names + +Marc Becker (2): + vcpkg-ports/pkcs11-helper: bump to release 1.29 + fix GitHub workflow working directories in MinGW builds + +Martin Janů (1): + Update the replay-window backtrack log message + +Matthias Andree (1): + Fix SIGSEGV (NULL deref) receiving push 
"echo" + +Max Fillinger (15): + Wipe Socks5 credentials after use + Fix build with mbedtls w/o SSL renegotiation support + In init_ssl, open the correct CRL path pre-chroot + Abort if CRL file can't be stat-ed in ssl_init + Update Fox e-mail address in copyright notices + Replace deprecated mbedtls DRBG update function + Fix build with compression disabled + Don't manually free DH params in OpenSSL 3 + Remove unused havege.h header + Don't use BF-CBC in unit tests if we don't have it + Add warning about mbed TLS licensing problem + Don't "undo" ifconfig on exit if it wasn't done + Update openssl_compat.h for newer LibreSSL + Handle EVP_MD_CTX as an opaque struct + Check if pkcs11_cert is NULL before freeing it + +Michael Baentsch (1): + Enable usage of TLS groups not identified by a NID in OpenSSL 3 + +Paolo Cerrito (1): + Insert client connection data into PAM environment + +Richard Bonhomme (3): + Improve error msg when all TAP adapters are in use 'or disabled' + Man page sections corrections + Do not print Diffie Hellman parameters file to log file + +Richard T Bonhomme (3): + Log messages: Replace NCP with --data-ciphers (NFC) + doc link-options.rst: Use free open-source dynamic-DNS provider URL + doc/protocol-options.rst: Correct default for --allow-compression + +Saifur Rahman Mohsin (1): + Ignore deprecation warning for daemon() on macOS (plugin/auth-pam) + +Selva Nair (64): + Improve the documentation for --dhcp-option + In tap.c use DiInstallDevice to install the driver on a new adapter + Add a remark on dropping privileges when --mlock is used + Allow --dhcp-option in config file when windows-driver is wintun + Set DNS Domain using iservice + Improve documentation of --username-as-common-name + Quote the domain name argument passed to the wmic command + Remove automatic service + tun.c on WIN32: remove more unused variables + Make it explicit that WIndows build requires UNICODE support + Use C standard compliant format specs in wprintf functions + Print 
format spec changes for tapctl and openvpnmscia + Replace TEXT(__FUNCTION__) by __FUNCTION__ in openvpnmscia.c + Fix parsing of IV_SSO string + Do not require CA when peer-fingerprint is used + Improve documentation of AUTH_PENDING related directives + Apply the connect-retry backoff to only one side of a connection + Fix client-pending-auth help message in management interface + Minor doc correction: tls-crypt-v2 key generation + Fix the "default" tls-version-min setting + Fix some more wrong defines in config-msvc.h + Require Windows CNG keys for cryptoapicert + Remove error injection into OpenSSL from cryptoapi.c + Require EC key support in Windows builds + Ensure the current common_name is in the environment for scripts + Avoid memory leak in hmac_ctx_new (OpenSSL 3.0 only) + Fix tls-version-min default once again + A built-in provider for using external key with OpenSSL 3.0 + Implement KEYMGMT in the xkey provider + Implement SIGNATURE operations in xkey provider + Implement import of custom external keys + Initialize the xkey provider and use it in SSL context + A helper function to import private key for management-external-key + Add xkey_provider sources and includes to MSVC project + Enable signing via provider for management-external-key + Add a function to encode digests with PKCS1 DigestInfo wrapper + Allow management client to announce pss padding support + Respect algorithm support announced by management client + Support sending DigestSign request to management client + Increase ERR_BUF_SIZE when management interface support is enabled + Add a generic key loading helper function for xkey provider + pkcs11: Interface the xkey provider with pkcs11-helper + Enable signing using CNG through xkey provider + Add a unit test for external key provider + xkey: Use a custom error level for debug messages + Fix max saltlen calculation in cryptoapi.c + Support PSS signing using pkcs11-helper >= 1.28 + Do not error when md_kt_size() is called with mdname="none" + 
Fix a potential memory leak in tls_ctx_use_management_external_key + pkcs11_openssl.c: check EVP_get_digestbyname() != NULL + Fix crash in xkey-provider in msvc builds + Remove management_write_peer_info_file and related code + Log the actual management interface port in use + Log address of management client on accept + In x_check_status() read errno early + xkey_provider: fix building with --disable-management + Do not skip ERROR:/SUCCESS: response from management interface + Allow a few levels of recursion in virtual_output_callback() + Fix auth-token usage with management-def-auth + Ensure --auth-nocache is handled during renegotiation + Purge auth-token as well while purging passwords + Do not copy auth_token username to itself + Do not add leading space to pushed options + pull-filter: ignore leading "spaces" in option names + +Sergio E. Nemirowski (1): + resolvconf fails with -p + +Simon Rozman (9): + iservice: Resolve MSVC C4996 warnings + openvpnserv: Cache last error before it is overridden + netsh: Specify interfaces by index rather than name + netsh: Clear existing IPv6 DNS servers before configuring new ones + netsh: Delete WINS servers on TUN close + openvpnmsica: Simplify find_adapters() to void return + tun.c: Remove dead code + interactive.c: Resolve MSVC C4996 warning + tapctl: Resolve MSVC C4996 warnings + +Steffan Karger (5): + networking_iproute2: fix memory leak in net_iface_mtu_set() + Simplify key material exporter backend API + tls-crypt-v2: fix server memory leak + tls-crypt-v2: also preload tls-crypt-v2 keys (if --persist-key) + reliable: retransmit if 3 follow-up ACKs are received + +Timo Rothenpieler (5): + Linux: Retain CAP_NET_ADMIN when dropping privileges + GitHub Actions: Add new libcap-ng-dev dependency + Github Actions: update used actions + dco: disable DCO if --user specified but unable to retain capabilities + dco: turn platform config checks into separate function + +Todd Zullinger (2): + Update IRC information in 
CONTRIBUTING.rst + doc/man (vpn-network-options): fix foreign_option_{n} typo + +Tõivo Leedjärv (1): + Stop using deprecated getpass() + +Ville Skyttä (1): + README.down-root: Fix plugin module name + +Vladislav Grishenko (8): + Fix best gateway selection over netlink + Fix fatal error at switching remotes (#629) + Fix update_time() and openvpn_gettimeofday() coexistence + Selectively reformat too long lines + Speedup TCP remote hosts connections + Support X509 field list to be username + Fix IPv4 default gateway with multiple route tables + Add CRL extractor script for --crl-verify dir mode -Release branches (release/2.5, release/2.4, etc) have individual ChangeLog -files with all changes relevant for these releases. diff --git a/version.m4 b/version.m4 index b72586279..0422525a0 100644 --- a/version.m4 +++ b/version.m4 @@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN]) define([PRODUCT_TARNAME], [openvpn]) define([PRODUCT_VERSION_MAJOR], [2]) define([PRODUCT_VERSION_MINOR], [6]) -define([PRODUCT_VERSION_PATCH], [_git]) +define([PRODUCT_VERSION_PATCH], [_beta1]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]]) define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net]) -define([PRODUCT_VERSION_RESOURCE], [2,6,0,0]) +define([PRODUCT_VERSION_RESOURCE], [2,6,0,1]) dnl define the TAP version define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901]) define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])
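Review bot: several ChangeLog entries in this hunk carry typos inherited from the commit subjects they were generated from, most notably the two Lev Stipakov entries that cite "CVE-2121-3606" (a year in the future; presumably the Windows OpenSSL-config-loading issue, CVE-2021-3606), plus "openvpnmscia" for openvpnmsica in two Selva Nair entries and "WIndows build requires UNICODE support". Since the ChangeLog is produced from git shortlog, fixing them here would make the file diverge from the commit history; if the release notes or the announcement mail are derived from this file, the CVE identifier in particular should be corrected there so that readers searching by CVE find the 2.5.3 fix and its follow-ups ("crypto_openssl.c: disable explicit initialization on Windows", "Load OpenSSL config on Windows from trusted location").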