mirror of
https://github.com/OpenVPN/openvpn.git
synced 2026-02-03 20:39:40 -05:00
version.m4, ChangeLog, Changes.rst
Changes.rst has not received a "2.7_rc6" section - it has the
"highlevel" overview of what is new in 2.7, but for alpha/beta/rc*
releases it's better to look at git log to see what has been added/fixed.

Notable changes rc5 -> rc6 are:

- bugfix on restarting a p2mp server instance with SIGUSR1 (inadvertently
  closing fd 0, causing a crash on the next restart - GH #966)
- prevent NULL pointer crash on suitable combination of --dns-updown
  statements in openvpn config file (not pushable)
- prevent inappropriate management interface activity if a password is
  set and --management-forget-disconnect or --management-signal are active
- more conversion warnings fixed
- Windows: interactive service - some initial unit tests added for the
  most complex string conversion function (ConvertItfDnsDomains())
- remove #ifdefs around socket sendbuf/receive buf handling, assuming that
  all platforms that have POSIX sockets have this.
- add mbedTLS 4 support
- fix check for failed fork() in port-share code

Signed-off-by: Gert Doering <gert@greenie.muc.de>
1385 lines
62 KiB
Text
OpenVPN ChangeLog
Copyright (C) 2002-2026 OpenVPN Inc <sales@openvpn.net>

2026.01.28 -- Version 2.7_rc6

Arne Schwabe (1):
      Silence compiler truncation warning by checking snprintf return value

Frank Lichtenheld (16):
      crypto_openssl: Fix various conversion warnings
      cryptoapi: Avoid conversion warnings
      ssl_verify_openssl: Avoid conversion warning in x509_verify_cert_ku
      socket: Avoid conversion warning in get_addr_generic
      ssl_ncp: Avoid conversion warning in replace_default_in_ncp_ciphers_option
      port-share: Check return value of fork()
      openvpnserv: Fix conversion warnings in interactive.c
      openvpnserv: Factor out the string conversion from GetItfDnsDomains
      openvpnserv: Add a first unit test
      GHA: Update mbedtls to v4
      route: Fix conversion warnings on BSDs
      socket: Remove ifdef for SO_{RCV, SND}BUF
      test_openvpnserv: Make sure to include config.h
      GHA: Run openvpnserv UT for MinGW builds
      status: Avoid conversion warnings in status_read/status_printf
      manage: Do not trigger actions on management disconnect if not authenticated

Gert Doering (1):
      tunnel_server(): close correct inotify fd

Heiko Hund (1):
      Prevent NULL pointer dereference with --dns-updown

Max Fillinger (1):
      Add support for Mbed TLS 4

2026.01.15 -- Version 2.7_rc5

Arne Schwabe (5):
      Ensure wolfSSL uses old pre 1.1.0 OpenSSL path for getting ciphers
      Allow test-crypto to work without the --secret argument
      Fix warnings on Android about unused variables/methods
      Require script-security 2 when using unix: tun
      Correctly handle sender jumping exactly epoch_data_keys_future_count

Frank Lichtenheld (12):
      tests/unit_tests: Port to cmocka 2.0.0 API
      GHA: Maintenance update January 2026
      Update Copyright statements to 2026
      Fix building test_tls_crypt with cmocka 2.0
      configure.ac: Clean up systemd support
      socks: Replace magic "10" for socks header with macro
      socks: Fix wrong success check in socks_username_password_auth
      socket: Remove old 'dynamic remote' feature
      socks: In establish_socks_proxy_udpassoc check result of recv_socks_reply
      ssl_verify: Fix parsing of timeout from auth pending file
      error: Remove our implementation of static_assert
      forward: Avoid conversion warning in ipv6_send_icmp_unreachable

Gert Doering (3):
      remove ENABLE_X509ALTUSERNAME conditional
      Repair interaction between DCO and persist-tun after reconnection
      OpenVPN Release 2.7_rc5

2025.12.17 -- Version 2.7_rc4

Arne Schwabe (4):
      Clarify some code in epoch with better comments
      Add a section about wolfSSL GPLv3 and point out missing TLS PRF support
      Fix dco with null cipher being enabled without auth none
      Change ssl_ctx in struct tls_options to be a pointer

Frank Lichtenheld (19):
      Documentation: Various syntax fixes and text improvements
      CMake: For VS build, switch from /W2 to /W3
      socket: Initialize struct in_addr_t in getaddr()
      GHA: Add minGW Release build
      tun: Refactor BSD write_tun/read_tun
      tun: Change return type of write_tun/read_tun to ssize_t
      Remove some obsolete references to --windows-driver
      options: Remove some verbose error messages for options deprecated in 2.4
      Correct documentation for --ns-cert-type
      buffer: Change limits for array_mult_safe
      mbuf: Add unit tests
      options: Avoid some conversion warnings
      schedule: Rework documentation for schedule_add_entry
      multi: Fix wrong sigma value in multi_push_restart_schedule_exit
      multi: Fix type handling for hashes, mostly inotify_watchers
      multi: Fix various conversion warnings
      manage: Avoid several conversion warnings by using the correct types
      buffer: Change buf_prepend and buf_advance to accept ssize_t for length
      multi: Warn about failing read in multi_process_file_closed()

Gianmarco De Gregori (2):
      mudp: fix unaligned 32-bit read when parsing peer ID
      Deprecate --fast-io option

Heiko Hund (1):
      iservice: set adapter DNS only with search domains

Klemens Nanni (1):
      Prevent crash on invalid server-ipv6 argument

Lev Stipakov (1):
      tun.c: set IPv4 address temporary on Windows

Max Fillinger (1):
      Drop Mbed TLS 2.X compatibility

Moritz Fain (1):
      PUSH_UPDATE: fix option reset logic in continuation messages

Selva Nair (2):
      Set UTF-8 as the codepage using manifest declaration
      pull-filter: improve documentation

Simon Matter (1):
      Add CAP_SYS_NICE to the positive list in systemd service files

Steffan Karger (1):
      mbedtls: gracefully exit if certificate file is NULL

2025.11.28 -- Version 2.7_rc3

Frank Lichtenheld (9):
      doc: Document potential filesystem pitfalls of client-config-dir
      GHA: Maintenance update November 2025
      GHA: Add macos-26 and remove OpenSSL 1.1 builds on macOS
      tls_crypt: Fix Coverity complaint in tls_crypt_v2_check_client_key_age
      Changes.rst: Fix various syntax errors and typos
      error: Allow status argument to check_status to be ssize_t
      Linux: Assume we have a kernel that was release in the last 15 years
      configure/CMake: Remove unused checks
      configure/CMake: Unify Windows handling

Gert Doering (4):
      Change '--multihome' behaviour regarding egress interface selection.
      extract_x509_field_ssl(): verify that X509_NAME is not NULL.
      Remove remainders of --no-name-remapping option
      OpenVPN Release 2.7_rc3

Gianmarco De Gregori (2):
      multi-socket: remove duplicated/dead code
      multi-socket: do not return tuntap flags on server-side

Heiko Hund (9):
      iservice: fix buffer size in call to FormatMessage
      iservice: make sure buffer size is not zero
      iservice: make sure registry string is terminated
      iservice: check for NULL pointer
      iservice: fix calculation of converted domains size
      iservice: return correct size when domains are truncated
      iservice: handle ignoring itf domains correctly
      iservice: fix off by one error
      iservice: rename one_glyph to glyph_size

Lev Stipakov (1):
      interactive.c: harden pipe handling against misbehaving clients

Marco Baffo (1):
      route: handle default gateway (net_gateway) and nexthop towards VPN server separately

Max Fillinger (1):
      Add option to check tls-crypt-v2 key timestamps

Ralf Lici (1):
      dco: process messages immediately after read

Selva Nair (3):
      vcpkg-ports/pkcs11-helper: bump version to 1.31
      Harden interactive service pipe
      Restrict access to the service pipe to SYSTEM and owner

2025.11.17 -- Version 2.7_rc2

Antonio Quartulli (4):
      test_networking: use appropriate assert helpers
      unit_tests: prefer proper cmocka assert helpers
      init: make some functions static
      options: remove --opt-verify functionality

Arne Schwabe (3):
      Do not underestimate number of encrypted/decrypted AEAD blocks
      Fix construction of invalid pointer in tls_pre_decrypt
      Fix memcmp check for the hmac verification in the 3way handshake being inverted

Frank Lichtenheld (17):
      manage: Correctly handle port 65535 in man_kill
      pkcs11_openssl: Silence a conversion warning
      Enable -Wtype-limits by default (via -Wextra)
      ssl: Change tls_send_payload size argument to size_t
      openssl_compat: Avoid conversion warning for SSL_get_negotiated_group
      pkcs11: Avoid some conversion warnings
      ssl: change return type of calc_control_channel_frame_overhead to size_t
      otime: Fix various conversion warnings
      interval: Fix conversion warning
      forward: Change context_reschedule_sec sec argument to time_t
      tls_crypt: Avoid some conversion warnings
      ssl: Fix conversion warning in tls_prepend_opcode_v1
      ssl: Change update argument of compute_earliest_wakeup to time_t
      ssl: Clean up type handling in write_string()
      ssl: Clean up type handling in export_user_keying_material()
      ssl: Clean up type handling in parse_early_negotiation_tlvs()
      ssl_pkt: Avoid conversion warnings

Gert Doering (5):
      FreeBSD DCO: repair incoming 'delete peer' notifications in p2p client mode
      dco_freebsd.c: add D_DCO_DEBUG messages for counters and notifications
      dco_freebsd: implement dco_get_peer_stats()
      FreeBSD DCO: repair --inactive
      dco_freebsd.c: fix integer warnings

Heiko Hund (7):
      iservice: fix DNS address list generation
      msvc: fix struct initialization for v19 compilers
      iservice: validate config path better
      win: remove checks for PATHCCH_ENSURE_TRAILING_SLASH
      iservice: validate config path case-insensitive
      iservice: make sure directories have trailing backslash
      iservice: use saved iface index to restore metric

Lev Stipakov (5):
      tapctl: use better wording for adapters
      tapctl: factor out command handlers
      recursive routing: fixes and clean-ups
      tapctl: make output of 'list' and 'create' commands more verbose
      tapctl: refactor 'create' command

Marco Baffo (1):
      PUSH_UPDATE server: update reporting_addr after ifconfig update

Mikhail Khachaiants (1):
      socket: reject mismatched address family in get_addr_generic

Selva Nair (2):
      openvpnserv: Disallow stdin as config unless user is authorized
      Use correct undo_list when clearing DNS addresses

2025.10.29 -- Version 2.7_rc1

Antonio Quartulli (1):
      sitnl: set FD_CLOEXEC on socket to prevent abuse

Arne Schwabe (12):
      Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
      Avoid possible race condition that kill OpenVPN itself
      Add ASSERT to afunix code that dev_node is always set up the way we expect
      Warn if push is used without --mode server/--server/--server-bridge
      Fix logic when pushed cipher triggers tun reopen and ignore more options
      Install host routes for out-of-subnet ifconfig-push addresses when DCO is enabled
      Remove --memstats feature
      clean up environment variable handling in verify_user_pass_script
      fix key_state_gen_auth_control_files probably checking file creation
      Fix warnings about conversion from int to unsigned char/uint8_t
      Ensure return value of snprintf is correctly checked
      Ensure that get_sigtype always return non-NULL

Christian Kujau (2):
      doc: Fix hyperlinks in openvpn(8)
      doc: HTTPS upgrades and URL fixes throughout the tree

Frank Lichtenheld (18):
      test_dhcp: Start a dhcp helper functions UT
      CONTRIBUTING: Update outdated/obsolete information
      schedule: Fix conversion warning
      win32: Change some APIs to use DWORD instead of size_t
      dhcp: Clean up type handling of write_dhcp_*
      init: Fix datav2_enabled check in options import
      socket: Wrap winsock functions to avoid common conversion warnings
      proxy: factor out recv_char code common with socks proxy
      proxy: factor out send code common with socks proxy
      push_util: Make send_push_update static
      ssl_util: Fix conversion warning in get_num_elements
      push_util: Fix conversion warnings
      multi: Fix wrong usage of mroute_extract_openvpn_sockaddr
      mroute: Remove unused mask argument of mroute_get_in*
      gremlin: Avoid some conversion warnings
      crypto_backend: Change len argument of md_ctx_update to size_t
      mudp/mtcp: Remove -Wconversion pragmas
      manage: Change kill_by_addr to use better types for port/proto

Gert Doering (3):
      remove redundant PULL_DEFINED() macro definition
      zeroize struct image in packet_id_persist_save() before writing to disk
      OpenVPN Release 2.7_rc1

Heiko Hund (2):
      iservice: use interface index with netsh
      iservice: check return value of MultiByteToWideChar

Joshua Rogers (1):
      tcp: apply CLOEXEC to accepted socket, not listener

Lev Stipakov (1):
      interactive.c: add the upper bound for startupdata size

Marco Baffo (2):
      PUSH_UPDATE server: remove old IP(s) from vhash after sending a message containing ifconfig(-ipv6)
      PUSH_UPDATE server: invalid read bug-fix and unit-tests improvements

Max Fillinger (1):
      Zeroize tls-crypt-v2 client keys

Ralf Lici (5):
      options: warn and ignore --reneg-bytes/pkts when DCO is enabled
      dco-freebsd: store peer stats directly in c2
      dco: remove dco_read/write_bytes from dco_context_t
      dco-freebsd: fix peer stats storage on client instances
      management: ensure consistent BYTECOUNT timing on server

Selva Nair (3):
      pkcs11_management_id_get: Free certificate object after use
      Canonicalize config_dir before comparing with the config file location
      Add -lpathcch for mingw32 builds using autotools

Steffan Karger (1):
      Remove perf.c/perf.h

2025.10.13 -- Version 2.7_beta3

Arne Schwabe (2):
      Allowing installing FreeBSD routes with interface instead of next-hop
      Allow route_ipv6_match_host to be used outside of route.c

Frank Lichtenheld (33):
      GHA: Dependency updates September 2025
      comp-lz4: Fix types in call to LZ4_decompress_safe
      dco_win: In dco_new_key, document size assumptions for the integer casts
      dco_linux: Fix -Wconversion warnings
      ssl_openssl: Use uint16_t internally for TLS versions
      dco: Change sd argument to dco_new_peer from int to socket_descriptor_t
      crypto_epoch: Clean up type handling in ovpn_expand_label()
      route: Fix a unused-but-set-variable warning on OpenBSD
      platform: Do not assume uid_t/gid_t are signed
      mtu: Trivial -Wconversion fix
      Review CMocka assertion usage
      dhcp: Fix conversion warnings
      COPYING: Remove licenses for software bundled in the Windows client
      sitnl: Clean up type handling
      options: Factor out parsing code to separate options_parse.c
      unit_tests: Remove useless wrapping for argv/buffer tests
      crypto: Make some casts to int explicit
      test_options_parse: Start new UT for options_parse.c
      buffer: Fix buf_parse eating input
      test_options_parse: Add test for read_config_string
      vlan: Remove -Wconversion override
      GHA: Run options_parse test for MinGW
      test_options_parse: Do not use uintmax_t instead of LargestIntegralType
      proto: Clean up conversion warnings related to checksum macros
      test_options_parse: Remove --wrap
      lzo: Fix conversion warning
      options_util: Fix conversion warning in atoi_constrained
      options: Review use of positive_atoi vs atoi_constrained
      console: Simplify query_user_add interface
      socks: Fix conversion warnings with MinGW
      Move build_dhcp_options_string from tun to dhcp
      dhcp: Replace DHCP Option types with defines
      test_user_pass: Check fatal errors for empty username/password

Lev Stipakov (4):
      dco-win: fix broken ASSERT in dco_new_key
      dco-win: support for epoch data channel
      Preserve ifconfig(_ipv6)_local across reconnect
      Make recursive routing check more fine-grained

Marco Baffo (4):
      PUSH_UPDATE: disabling PUSH_UPDATE server and client if DCO is enabled
      PUSH_UPDATE server: bug-fix, reset buffer after processing
      PUSH_UPDATE server: check IV_PROTO before sending the message to the client
      redirect-gateway: only redirect traffic through TUN if address families match

Selva Nair (1):
      Fix PIN cache time in test_pkcs11.c

Steffan Karger (1):
      Document that tls-crypt-v2 can be used in connection profile

2025.09.25 -- Version 2.7_beta2

Antonio Quartulli (1):
      dco: add standard mi prefix handling to multi_process_incoming_dco()

Arne Schwabe (1):
      Switch test_ssl certificate from RSA 2048 to secp384r1

Frank Lichtenheld (22):
      openvpn_PRF: Change API to use size_t for lengths
      ssl_common: Make sure ssl flags are treated as unsigned
      options: Factor out usages of strtoll and atoll
      ps: Clean up conversion warnings in journal_add function
      events: Make sure rwflags are treated as unsigned
      manage: Change command_line_* API to use size_t for lengths
      Introduce msglvl_t to unify msglevel type handling
      socket: Change resolve flags to unsigned int
      list: Make types of hash elements consistent
      ssl: Fix -Wconversion warnings in pem_password_callback
      ssl_verify: Change backend_x509_* functions to size_t for lengths
      Handle return type of EVP_MD_size
      Clean up conversion warnings related to base64_{en, de}code
      configure.ac: Make ACL_CHECK_ADD_COMPILE_FLAGS append instead of prepend
      Enable a subset of -Wextra
      socks: factor out socks_proxy_recv_char()
      multi_io_init: simplify
      dns: Fix bug in error handling when talking to script
      Enable -Wconversion -Wno-sign-conversion by default
      Make unit tests -Wconversion clean
      ps: Fix conversion warnings related to send/recv return values
      event: Silence conversion warning in tv_to_ms_timeout

Gert Doering (5):
      replace assert() calls with ASSERT()
      remove newline characters at the end of msg() calls
      dev-tools/gerrit-send-mail.py: include Gerrit URL into the commit message
      fix building of openvpnsrvmsg.dll from eventmsg.mc in mingw builds
      Fix t_net.sh / networking_testdriver after 'broadcast' change

Gianmarco De Gregori (2):
      Multi-socket win: avoid repeated socket_set()
      Fix multi-socket and dco-win interaction

Lev Stipakov (5):
      Preserve --dhcp-option values from local config
      win: replace wmic invocation with powershell
      openvpnserv: Fix writing messages to the event log
      GHA: collect more artifacts for mingw builds
      Validate DNS parameters

Marco Baffo (1):
      push-update-server: comment about buf_string_compare_advance() usage in send_single_push_update()

Max Fillinger (1):
      Rename Fox Crypto to Sentyron in copyright notices

Sebastian Marsching (1):
      Bugfix: Set broadcast address on interface.

2025.09.04 -- Version 2.7_beta1

Arne Schwabe (1):
      Check message id/acked ids too when doing sessionid cookie checks

Frank Lichtenheld (27):
      Update text of GPL to latest version from FSF
      Update GPL header in all source files to current recommended version
      Define a .clang-format file for the project
      Disable clang-format for some code parts
      Update git-pre-commit-uncrustify.sh to handle clang-format
      GHA: enable -Werror for mbedTLS v3 and AWS LC builds
      Reformat the whole project with clang-format
      Fix build error with clang-cl on latest Windows SDK
      clang-format: Switch to ColumnLimit 0
      Add clang-format reformat commit to .git-blame-ignore-revs
      Remove uncrustify config and reformat-all.sh
      buffer: remove unused function buf_write_alloc_prepend
      t_client.sh: Do not wait 3 seconds for OpenVPN to come up
      Collect trivial conversion fixes
      options: Fix --hash-size virtual argument
      Clean up documentation for --tun-mtu-max
      comp: Make sure comp flags are treated as unsigned
      crypto: Make sure crypto flags are treated as unsigned
      options: Make sure option types are treated as unsigned
      route: Make sure various route flags are treated as unsigned
      socket: Create socket_util with non-socket functions
      Add new unit test module test_socket
      socket_util: Clean up conversion warnings in add_in6_addr
      manage: Make sure various management flags are treated as unsigned
      forward: Make sure pip flags are treated as unsigned
      options: Introduce atoi_constrained and review usages of atoi_warn
      ssl_openssl: Fix type of sslopts argument to SSL_CTX_set_options

Gert Doering (3):
      Remove use of 'dh dh2048.pem' from sample configs, remove 'dh2048.pem' file
      Introduce env variables to communicate desired gateway redirection to NM.
      OpenVPN Release 2.7_beta1

Gianmarco De Gregori (1):
      dco: avoid printing mi prefix on debug messages

Heiko Hund (1):
      dns: fix systemd dns-updown script

Ilia Shipitsin (1):
      GHA: limit 'Deploy Doxygen documentation' to main repo only

Lev Stipakov (3):
      Log setting DNS via NRPT
      dco-win: add support for multipeer stats
      Refactor management bytecount tracking

Marco Baffo (1):
      PUSH_UPDATE message sender: enabling the server to send PUSH_UPDATE control messages

Ralf Lici (3):
      management: resync timer on bytecount interval change
      dco_linux: validate tun interface before fetching stats
      management: stop bytecount on client disconnection

Samuli Seppänen (2):
      Add sample FFDH parameters file and use that in t_server_null tests

2025.07.31 -- Version 2.7_alpha3
|
|
|
|
Antonio Quartulli (10):
|
|
README.dco: update Linux instructions
|
|
dco_linux: fix case statement by using proper error value
|
|
dco_linux: use M_FATAL instead of M_ERR in netlink error code paths
|
|
dco_linux: rearrange functions
|
|
multi: store multi_context address inside top instance
|
|
dco: only pass struct context to init function
|
|
dco_linux: factor out netlink notification code
|
|
dco_linux: fix async message reception
|
|
multi: make some multi_*() functions static
|
|
dco_linux: clean up PEER_GET trigger and parser
|
|
|
|
Arne Schwabe (1):
|
|
Cleanup/simplify mbed TLS related define from autoconf
|
|
|
|
Christian Schürmann (1):
|
|
Replace deprecated OpenSSL.crypto.load_crl
|
|
|
|
Frank Lichtenheld (8):
|
|
packet_id: Fix build with --disable-debug
|
|
Fix new doxygen warnings about using @return in void functions
|
|
Fix compiler warning in reliable.c with --disable-debug
|
|
reliable: Review and fix gc_arena usage
|
|
configure.ac: Remove use of PKCS11_HELPER_LIBS in mbedTLS checks
|
|
GHA: Dependency updates July 2025
|
|
plugins: Clean up -Wconversion warnings
|
|
options: Simplify function setenv_foreign_option
|
|
|
|
Gert Doering (3):
|
|
mudp.c, multi.c, multi_io.c: get rid of 'all three DCO platforms' #ifdefs
|
|
unit_tests/plugins/auth-pam: fix stdint.h related build error on fedora 42
|
|
OpenVPN Release 2.7_alpha3
|
|
|
|
Gianmarco De Gregori (2):
|
|
Route: add support for user defined routing table
|
|
Multi-socket: Fix assert triggered by stale peer-id reuse
|
|
|
|
Heiko Hund (9):
|
|
dns: add updown script for macOS
|
|
fix macOS dns-updown handling of parallel full redirects
|
|
run forced --dns-updown without --script-security
|
|
dns: create NRPT registry key if it doesn't exist
|
|
dns: do not run updown scripts with lwipovpn
|
|
prevent search domain races with macOS dns-updown
|
|
move macOS dns-updown common code into functions
|
|
mac dns: compare servers before restoring backup
|
|
mac dns: do not run dns-updown in parallel
|
|
|
|
Kristof Provost (3):
|
|
dco: support float notifications on FreeBSD
|
|
dco-freebsd: always enable float notification support
|
|
dco-freebsd: pass address scope to the kernel
|
|
|
|
Lev Stipakov (4):
|
|
Fix broken DHCP options
|
|
Fix --dns options for TAP adapter
|
|
Fix DNS options duplication on PUSH_UPDATE
|
|
Fix wrong byte order of --dns server
|
|
|
|
Marco Baffo (3):
|
|
PUSH_UPDATE: Allow OpenVPN in client mode to receive and handle PUSH UPDATE control messages to allow options updating at runtime.
|
|
PUSH_UPDATE: Added remove_option() and do_update().
|
|
PUSH_UPDATE: Added update_option() function.
|
|
|
|
Ralf Lici (5):
|
|
dco linux: avoid redefining ovpn enums
|
|
dco linux: avoid sending local port to ovpn
|
|
dco: Add support for float notifications
|
|
improve float collision logging
|
|
add flag to print addresses in a consistent format during float

Samuli Seppänen (2):
t_server_null: add multi-socket testing
t_server_null: match test numbers with server numbers

Terrance (1):
Update systemd service name param to match command

rein.vanbaaren (1):
Added PQE to WolfSSL

2025.06.18 -- Version 2.7_alpha2

Antonio Quartulli (1):
dco_linux: enable extended netlink error reporting

Arne Schwabe (1):
Add missing header in unit tests Makefile.am

Frank Lichtenheld (6):
Remove contrib/pull-resolv-conf
Update copyright statements to 2025
Do not segfault on missing --dh in server config
Delete old sample-windows file and obsolete Windows sample handling
t_server_null: Test different permutations of --dh
Fix various badly placed comments in preparation for reformat

Gert Doering (1):
OpenVPN Release 2.7_alpha2

Gianmarco De Gregori (1):
Multi-socket: local_list clean-up

Heiko Hund (2):
fix typo in haikuos dns-updown script
dns: deal with --dhcp-options when --dns is active

Max Fillinger (2):
Use mbedtls_ssl_export_keying_material()
mbedtls: Allow TLS 1.3 if available

Ralf Lici (1):
Preserve socket protocol during float processing

Samuli Seppänen (1):
t_server_null: print error when server startup fails

2025.05.28 -- Version 2.7_alpha1

5andr0 (1):
Implement server_poll_timeout for socks

Alexander von Gluck (4):
Haiku: Introduce basic platform / tun support
Haiku: Add calls to manage routing table
Haiku: change del to delete in route command. del is undocumented
Haiku: Fix short interface path length

Antonio Quartulli (32):
disable DCO if --secret is specified
dco: properly re-initialize dco_del_peer_reason
dco: bail out when no peer-specific message is delivered
dco: improve comment about hidden debug message
dco: print proper message in case of transport disconnection
dco_linux: update license for ovpn_dco_linux.h
Update issue templates
Avoid warning about missing braces when initialising key struct
dco: don't use NetLink to exchange control packets
dco: print version to log if available
dco-linux: remove M_ERRNO flag when printing netlink error message
multi: don't call DCO APIs if DCO is disabled
dco-freebsd: use m->instances[] instead of m->hash
dco-linux: implement dco_get_peer_stats{, multi} API
configure.ac: fix typ0 in LIBCAPNG_CFALGS
dco: fix crash when --multihome is used with --proto tcp
dco: mark peer as deleted from kernel after receiving CMD_DEL_PEER notification
event/multi: add event_arg object to make event handling more generic
pass link_socket object to i/o functions
io_work: convert shift argument to uintptr_t
io_work: pass event_arg object to event handler in case of socket event
sitnl: replace NLMSG_TAIL macro with noinline function
override ai_family if 'local' numeric address was specified
Adapt socket handling to support listening on multiple sockets
allow user to specify 'local' multiple times in config files
dco_linux: extend netlink error cb with extra info
man: extend --persist-tun section
dco: pass remoteaddr only for UDP peers
socket: use remote proto when creating client sockets
dco_linux: fix peer stats parsing with new ovpn kernel module
socket: don't transfer bind family to socket in case of ANY address
dco_linux: avoid bogus text when netlink message is not parsed

Aquila Macedo (1):
doc: Correct typos in multiple documentation files

Arne Schwabe (190):
Fix connection cookie not including address and fix endianness in test
Fix unit test of test_pkt on little endian Linux
Disable DCO when TLS mode is not used
Ignore connection attempts while server is shutting down
Improve debug logging of DCO swap key message and Linux dco_new_peer
Trigger a USR1 if dco_update_keys fails
Set DCO_NOT_INSTALLED also for keys not in the get_key_scan range
Ensure that argument to parse_line has always space for final sentinel
Improve documentation on user/password requirement and unicodize function
Eliminate or comment empty blocks and switch fallthrough
Remove unused gc_arena
Fix corner case that might lead to leaked file descriptor
Deprecate NTLMv1 proxy auth method.
Use include "buffer.h" instead of include <buffer.h>
Ensure that dco keepalive and mssfix options are also set in pure p2p mode
Make management password check constant time
Rename TM_UNTRUSTED to TM_INITIAL, always start session in TM_INITIAL rather than TM_ACTIVE or TM_INITIAL
Move dco_installed back to link_socket from link_socket.info.actual
Do not set nl socket buffer size
Also drop incoming dco packet content when dropping the packet
Improve logging when seeing a message for an unknown peer
Ignore OVPN_DEL_PEER_REASON_USERSPACE to avoid race conditions
Replace custom min macro and use more C99 style in man_remote_entry_get
Replace realloc with new gc_realloc function
Add connect-freq-initial option to limit initial connection responses
Log peer-id if loglevel is D_DCO_DEBUG and dco is enabled
Deprecate OCC checking
Workaround: make ovpn-dco more reliable
Fix unaligned access in auth-token
Update LibreSSL to 3.7.0 in Github actions
Add printing USAN stack trace on github actions
Fix LibreSSL not building in Github Actions
Add missing stdint.h includes in unit tests files
Combine extra_tun/frame parameter of frame_calculate_payload_overhead
Update the last sections in the man page to be a bit less outdated
Add building unit tests with mingw to github actions
Revise the cipher negotiation info about OpenVPN3 in the man page
Exit if a proper message instead of segfault on Android without management
Use proper print format/casting when converting msg_channel handle
Reduce initialisation spam from verb <= 3 and print summary instead
Dynamic tls-crypt for secure soft_reset/session renegotiation
Set netlink socket to be non-blocking
Ensure n = 2 is set in key2 struct in tls_crypt_v2_unwrap_client_key
Fix memory leaks in open_tun_dco()
Fix memory leaks in HMAC initial packet generation
Use key_state instead of multi for tls_send_payload parameter
Make sending plain text control message session aware
Only update frame calculation if we have a valid link sockets
Improve description of compat-mode
Simplify --compress parsing in options.c
Refuse connection if server pushes an option contradicting allow-compress
Add 'allow-compression stub-only' internally for DCO
Parse compression options and bail out when compression is disabled
Remove unused variable line
Add Apache2 linking with for new commits
Fix compile error on TARGET_ANDROID
Fix use-after-free with EVP_CIPHER_free
Remove key_type argument from generate_key_random
add basic CMake based build
Avoid unused function warning/error on FreeBSD (and potentially others)
Do not blindly assume python3 is also the interpreter that runs rst2html
Only add -Wno-stringop-truncation on supported compilers
fix warning with gcc 12.2.0 (compiler bug?)
Fix CR_RESPONSE management message using wrong key_id
Print a more user-friendly error when tls-crypt-v2 client auth fails
Ignore Ipv6 route delete request on Android and set ipv4 verbosity to 7
Mock openvpn_exece on win32 also for test_tls_crypt
Check if the -wrap argument is actually supported by the platform's ld
Revert commit 423ced962d
Implement using --peer-fingerprint without CA certificates
show extra info for OpenSSL errors
Remove ability to use configurations without TLS by default
Add warning for the --show-groups command that some groups are missing
Print peer temporary key details
Add warning if a p2p NCP client connects to a p2mp server
Remove openssl engine method for loading the key
Add undefined and abort on error to clang sanitize builds
Add --enable-werror to all platforms in Github Actions
Remove saving initial frame code
Double check that we do not use a freed buffer when freeing a session
Fix using to_link buffer after freed
Remove CMake custom compiler flags for RELEASE and DEBUG build
Do not check key_state buffers that are in S_UNDEF state
Remove unused function prototype crypto_adjust_frame_parameters
Introduce report_command_status helper function
Log SSL alerts more prominently
Remove unused/unneeded/add missing defines from configure/cmake
Document tls-exit option mainly as test option
Remove dead remains of extract_x509_field_test
Replace character_class_debug with proper unit test
Remove TEST_GET_DEFAULT_GATEWAY as it duplicates --show-gateway
Fix check_session_buf_not_used using wrong index
Add missing check for nl_socket_alloc failure
Add check for nice in cmake config
Minimal Solaris/OpenIndiana support to Cmake and clean up -Werror
Remove compat versionhelpers.h and remove cmake/configure check for it
Rename state_change to continue_tls_process
Move tls_get_cipher_name_pair and get_num_elements to ssl_utils.c
Fix building mbed TLS with CMake and allow specifying custom directories
Extend the error message when TLS 1.0 PRF fails
Fix unaligned access in macOS, FreeBSD, Solaris hwaddr
Check PRF availability on initialisation and add --force-tls-key-material-export
Make it more explicit and visible when pkg-config is not found
Clarify that the tls-crypt-v2-verify has a very limited env set
Move get_tmp_dir to win32-util.c and error out on failure
Implement the --tls-export-cert feature
Use mingw compile definition also to unit tests
Add test_ssl unit test and test export of PEM to file
Remove conditional text for Apache2 linking exception
Fix ssl unit tests on OpenSSL 1.0.2
Ensure that all unit tests use unbuffered stdout and stderr
Allow unit tests to fall back to hard coded location
Add unit test for encrypting/decrypting data channel
Print SSL peer signature information in handshake debug details
Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs
Turn dead list test code into unit test
Use snprintf instead of sprintf for get_ssl_library_version
Fix snprintf/swnprintf related compiler warnings
Add bracket in fingerprint message and do not warn about missing verification
Match ifdef for get_sigtype function with if ifdef of caller
Remove/combine redundant call of EVP_CipherInit before EVP_CipherInit_Ex
Add missing EVP_KDF_CTX_free in ssl_tls1_PRF
Replace macos11 with macos14 in github runners
Remove openvpn_snprintf and similar functions
Repeat the unknown command in errors from management interface
Only run coverity scan in OpenVPN/OpenVPN repository
Support OpenBSD with cmake
Workaround issue in LibreSSL crashing when enumerating digests/ciphers
Remove OpenSSL 1.0.2 support
Remove custom TLS 1.0 PRF implementation only used by LibreSSL/wolfSSL
Allow the TLS session to send out TLS alerts
Properly handle null bytes and invalid characters in control messages
Allow trailing \r and \n in control channel message
Add Ubuntu 24.04 runner to Github Actions
Implement support for AEAD tag at the end
Remove check for anonymous unions from configure and cmake config
Make read/write_tun_header static
Avoid SIGUSR1 to SIGHUP remapping when the configuration is read from stdin
Move to common backend_driver type in struct tuntap
Introduce DRIVER_AFUNIX backend for use with lwipovpn
Change dev null to be a driver type instead of a special mode of tun/tap
Use print_tun_backend_driver instead of custom code to print type
Automatically enable ifconfig-exec/route-exec behaviour for afunix tun/tap
Ensure that the AF_UNIX socket pair has at least 65k of buffer space
Fix check for CMake not detecting struct cmsg
Remove null check after checking for did_open_tun
Remove a large number of unused structs and functions
Remove unused methods write_key/read_key
Refuse clients if username or password is longer than USER_PASS_LEN
Move should_trigger_renegotiation into its own function
Change --reneg-bytes and --reneg-packets to 64 bit counters
Use XOR instead of concatenation for calculation of IV from implicit IV
Trigger renegotiation of data key if getting close to the AEAD usage limit
Implement HKDF expand function based on RFC 8446
Split init_key_ctx_bi into send/recv init
Move initialisation of implicit IVs to init_key_ctx_bi methods
Change internal id of packet id to uint64
Add small unit test for buf_chomp
Add building/testing with msbuild and the clang compiler
Ensure that Python3 is available
Change API of init_key_ctx to use struct key_parameters
Allow DEFAULT in data-ciphers and report both expanded and user set option
Do not attempt to decrypt packets anymore after 2**36 failed decryptions
Add methods to read/write packet ids for epoch data
Implement methods to generate and manage OpenVPN Epoch keys
Rename aead-tag-at-end to aead-epoch
Improve peer fingerprint documentation
Remove comparing username to NULL in tls_lock_username
Print warnings/errors when numerical parameters cannot be parsed
Add unit tests for atoi parsing options helper
Improve error reporting from AF_UNIX tun/tap support
Fix typo in positive_atoi
Fix oversight of link socket code change in Android code path
Implement epoch key data format
Extend the unit test for data channel packets with aead limit tests
Add (fake) Android cmake building
Add android build to Github Actions
Reconnect when TCP is on use on network-change management command
Implement override-username
Fix incorrect condition for checking password related check
Directly use _countof in array initialisation
Improve documentation for override-username
Mention address if not unspecific on DNS failure
Do not leave half-initialised key wrap struct when dynamic tls-crypt fails
Allow tls-crypt-v2 to be setup only on initial packet of a session
Use SSL_get0_peer_signature_name instead of SSL_get_peer_signature_nid
Use USER_PASS_LEN instead of TLS_USERNAME_LEN for override-username
Also print key agreement when printing negotiated details
Fix mbed TLS key exporter functionality in 3.6.x and cmake
Make --dh none behaviour default if not specified

Ben Boeckel (1):
console_systemd: remove the timeout when using 'systemd-ask-password'

Christoph Schug (1):
Update documentation references in systemd unit files

Corubba Smith (3):
Support IPv6 towards port-share proxy receiver
Document x509-username-fields oid usage
Remove x509-username-fields uppercasing

David Sommerseth (4):
ssl_verify: Fix memleak if creating deferred auth control files fails
ntlm: Clarify details on NTLM phase 3 decoding
Remove --tls-export-cert
Remove superfluous x509_write_pem()

Franco Fichtner (1):
Allow to set ifmode for existing DCO interfaces in FreeBSD

Frank Lichtenheld (174):
options.c: fix format security error when compiling without optimization
options.c: update usage description of --cipher
Update copyright year to 2023
xkey_pkcs11h_sign: fix dangling pointer
options: Always define options->management_flags
check_engine_keys: make pass with OpenSSL 3
documentation: update 'unsupported options' section
Changes.rst: document removal of --keysize
Windows: fix unused function setenv_foreign_option
Windows: fix unused variables in delete_route_ipv6
Windows: fix wrong printf format in x_check_status
Windows: fix unused variable in win32_get_arch
configure: enable DCO by default on FreeBSD/Linux
Windows: fix signedness errors with recv/send
configure: fix formatting of --disable-lz4 and --enable-comp-stub
tests/unit_tests: Fix 'make distcheck' with subdir-objects enabled
GHA: remove Ubuntu 18.04 builds
vcpkg: request "tools" feature of openssl for MSVC build
Do not include net/in_systm.h
version.sh: remove
doc: run rst2* with --strict to catch warnings
man page: Remove cruft from --topology documentation
tests: do not include t_client.sh in dist
vcpkg-ports/pkcs11-helper: Make compatible with mingw build
vcpkg-ports/pkcs11-helper: Convert CONTROL to vcpkg.json
vcpkg-ports/pkcs11-helper: reference upstream PRs in patches
dco_linux: properly close dco version file
DCO: fix memory leak in dco_get_peer_stats_multi for Linux
Fix two unused assignments
sample-plugins: Fix memleak in client-connect example plugin
tests: Allow to override openvpn binary used
test_buffer: add tests for buf_catrunc and its caller format_hex_ex
buffer: use memcpy in buf_catrunc
options: remove --key-method from usage message
msvc-generate: include version.m4.in in tarball
dist: add more missing files only used in the MSVC build
vcpkg-ports/pkcs11-helper: rename patches to make file names shorter
unit_tests: Add missing cert_data.h to source list for unit tests
dist: Include all documentation in distribution
CMake: Add complete MinGW and MSVC build
Remove all traces of the previous MSVC build system
CMake: Add /Brepro to MSVC link options
GHA: update to run-vcpkg@v11
test_tls_crypt: Improve mock() usage to be more portable
CMake: Throw a clear error when config.h in top-level source directory
CMake: Support doc builds on Windows machines that do not have .py file association
Remove old Travis CI related files
README.cmake.md: Add new documentation for CMake buildsystem
GHA: refactor mingw UTs and add missing tls_crypt
GHA: Add macos-13
options: Do not hide variables from parent scope
pkcs11_openssl: Disable unused code
route: Fix overriding return value of add_route3
CMake: various small non-functional improvements
GHA: do not trigger builds in openvpn-build anymore
Remove --no-replay option
GHA: new workflow to submit scan to Coverity Scan service
doc: fix argument name in --route-delay documentation
Change type of frame.mss_fix to uint16_t
Remove last uses of inet_ntoa
mss/mtu: make all size calculations use size_t
dev-tools/gerrit-send-mail.py: tool to send Gerrit patchsets to Patchwork
gerrit-send-mail.py: Add patch version to subject
Add mbedtls3 GHA build
platform.c: Do not depend Windows build on HAVE_CHDIR
sample-keys: renew for the next 10 years
GHA: clean up libressl builds with newer libressl
configure.ac: Remove unused AC_TYPE_SIGNAL macro
documentation: remove reference to removed option --show-proxy-settings
unit_tests: remove includes for mock_msg.h
buffer: add documentation for string_mod and extend related UT
tests: disable automake serial_tests
documentation: improve documentation of --x509-track
configure: allow to disable NTLM
configure: enable silent rules by default
misc: make get_auth_challenge static
Remove support for NTLM v1 proxy authentication
GHA: increase verbosity for make check
NTLM: add length check to add_security_buffer
NTLM: increase size of phase 2 response we can handle
Fix various 'Uninitialized scalar variable' warnings from Coverity
proxy-options.rst: Add proper documentation for --http-proxy-user-pass
NTLM: when NTLMv1 is requested, try NTLMv2 instead
buf_string_match_head_str: Fix Coverity issue 'Unsigned compared against 0'
--http-proxy-user-pass: allow to specify in either order with --http-proxy
test_user_pass: new UT for get_user_pass
test_user_pass: Add UTs for character filtering
gerrit-send-mail: Make output consistent across systems
README.cmake.md: Document minimum required CMake version for --preset
documentation: Update and fix documentation for --push-peer-info
documentation: Fixes for previous fixes to --push-peer-info
test_user_pass: add basic tests for static/dynamic challenges
Fix typo --data-cipher-fallback
samples: Remove tls-*.conf
check_compression_settings_valid: Do not test for LZ4 in LZO check
t_client.sh: Allow to skip tests
gerrit-send-mail: add missing Signed-off-by
Update Copyright statements to 2024
GHA: general update March 2024
samples: Update sample configurations
documentation: make section levels consistent
phase2_tcp_server: fix Coverity issue 'Dereference after null check'
script-options.rst: Update ifconfig_* variables
crypto_backend: fix type of enc parameter
tests: fork default automake test-driver
forked-test-driver: Show test output always
Change default of "topology" to "subnet"
Use topology default of "subnet" only for server mode
Fix 'binary or' vs 'boolean or' related to server_bridge_proxy_dhcp
configure: update old copy of pkg.m4
LZO: do not use lzoutils.h macros
test_user_pass: Fix building with --enable-systemd
Remove "experimental" denotation for --fast-io
t_server_null.sh: Fix failure case
configure: Add -Wstrict-prototypes and -Wold-style-definition
configure: Try to detect LZO with pkg-config
configure: Switch to C11 by default
Fix missing spaces in various messages
console_systemd: rename query_user_exec to query_user_systemd
configure: Allow to detect git checkout if .git is not a directory
GHA: Configure Renovate
configure: Try to use pkg-config to detect mbedTLS
tun: use is_tun_p2p more consistently
Various fixes for -Wconversion errors
generate_auth_token: simplify code
GHA: Update dependency Mbed-TLS/mbedtls to v3.6.1
GHA: Enable t_server_null tests
configure: Handle libnl-genl and libcap-ng consistent with other libs
configure: Review use of standard AC macros
socket: Change return types of link_socket_write* to ssize_t
GHA: Pin dependencies
GHA: Update macOS runners
GHA: Simplify macOS builds
Remove support for compression on send
Fix wrong doxygen comments
Various typo fixes
macOS: Assume that net/if_utun.h is always present
Fix some formatting related to if/else and macros
Fix memory leak in ntlm_support
forward: Fix potential unaligned access in drop_if_recursive_routing
GHA: General update December 2024
Review doxygen warnings
Regenerate doxygen config file with doxygen -u
Fix 'uninitialized pointer read' in openvpn_decrypt_aead
ssl_openssl: Clean up unused functions and add missing "static"
Fix some trivial sign-compare compiler warnings
tls_crypt_v2_write_client_key_file: Fix missing-field-initializers compiler warning
openvpnserv: Fix some inconsistent usages of TEXT()
Fix doxygen warnings in crypto_epoch.h
GHA: Drop Ubuntu 20.04 and other maintenance
GHA: Publish Doxygen documentation to Github Pages
Add more 'intentional fallthrough' comments
Remove various unused function parameters
Remove unused function check_subnet_conflict
options: Cleanup and simplify options_postprocess_verify_ce
Apply text-removal.sh script to Windows codebase
openvpnserv: Clean up use of TEXT() from DNS patches
Post tchar.h removal cleanup
Fix compatibility with mbedTLS 2.28.10+ and 3.6.3+
t_server_null_default.rc: Add some tests with --data-ciphers
GHA: Pin version of CMake for all builds
GHA: Dependency and Actions update April 2025
GHA: Make sure renovate notifies us about AWS LC releases
Doxygen: Fix obsolete links to OpenSSL documentation
GHA: Use CMake 4.0 and apply required fixes
Doxygen: Clean up tls-crypt documentation
Doxygen: Remove useless Python information
Manually reformat some long trailing comments
CMake: Make sure to treat UNIT_TEST_SOURCEDIR as path
CMake: Sync list of compiler flags with configure.ac
CMake: Reorganize header and symbol tests
GHA: Dependency and Actions update May 2025
Doxygen: Fix missing parameter warnings
Changes.rst: Collect, fix, and improve entries for 2.7 release

George Pchelkin (1):
fix typo: dhcp-options to dhcp-option in vpn-network-options.rst

Gert Doering (21):
Change version.m4 to 2.7_git
bandaid fix for TCP multipoint server crash with Linux-DCO
Undo FreeBSD 12.x workaround on IPv6 ifconfig for 12.4 and up
Reduce logspam about 'dco_update_keys: peer_id=-1' in p2p server mode
Fix OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT breakage on FreeBSD+DCO
Repair special-casing of EEXIST for Linux/SITNL route install
Get rid of unused 'bool tuntap_buffer' arguments.
FreeBSD 12.x workaround for IPv6 ifconfig is needed on 12.4 as well
Make received OCC exit messages more visible in log.
OpenBSD: repair --show-gateway
get_default_gateway() HWADDR overhaul
make t_server_null 'server alive?' check more robust
t_client.sh: conditionally skip ifconfig+route check
send uname() release as IV_PLAT_VER= on non-windows versions
options: add IPv4 support to '--show-gateway <arg>'
get_default_gateway(): implement platform support for Linux/SITNL
get_default_gateway(): implement platform support for Linux/IPROUTE2
add missing (void) to win32 function declarations
add more (void) to windows specific function prototypes and declarations
Make 'lport 0' no longer sufficient to do '--bind'.
Add information-gathering about DNS resolvers configured to t_client.sh(.in)

Gianmarco De Gregori (17):
Persist-key: enable persist-key option by default
Minor fix to process_ip_header
Http-proxy: fix bug preventing proxy credentials caching
Ensures all params are ready before invoking dco_set_peer()
Route: remove incorrect routes on exit
Fix for msbuild/mingw GHA failures
multiproto: move generic event handling code in dedicated files
Fix PASS_BY_VALUE issue in options_postprocess_mutate_le()
mroute: adapt to new protocol handling and hashing improvements
mroute/management: repair mgmt client-kill for mroute with proto
Add support for simultaneous use of UDP and TCP sockets
Rename occurrences of 'struct link_socket' from 'ls' to 'sock'
Fix FreeBSD-DCO and Multisocket interaction
manpage: fix HTML format for --local
Fix dco_win and multisocket interaction
dco_linux: Introduce new uAPIs
Explicit-exit-notify and multisocket interaction

Heiko Hund (21):
dns option: allow up to eight addresses per server
work around false positive warning with mingw 12
dns option: remove support for exclude-domains
cmake: create and link compile_commands.json file
cmake: symlink whole build dir not just .json file
Windows: enforce 'block-local' with WFP filters
add and send IV_PROTO_DNS_OPTION_V2 flag
dns: store IPv4 addresses in network byte order
dns: clone options via pointer instead of copy
service: add utf8to16 function that takes a size
dns: support multiple domains without DHCP
dns: do not use netsh to set name server addresses
win: calculate address string buffer size
win: implement --dns option support with NRPT
dns: apply settings via script on unixoid systems
fix typo in haikuos dns-updown script
dns: support running up/down command with privsep
dns: don't publish env vars to non-dns scripts
dns: fix potential NULL pointer dereference
win: match search domains when creating exclude rules
win: fix collecting DNS exclude data

Heiko Wundram (1):
Implement Windows CA template match for Crypto-API selector

Ilia Shipitsin (3):
src/openvpn/init.c: handle strdup failures
sample/sample-plugins/defer/multi-auth.c: handle strdup errors
tests/unit_tests/openvpn/test_auth_token.c: handle strdup errors

Ilya Shipitsin (1):
src/openvpn/dco_freebsd.c: handle malloc failure

Juliusz Sosinowicz (1):
Change include order for tests

Klemens Nanni (1):
Fix tmp-dir documentation

Kristof Provost (10):
Read DCO traffic stats from the kernel
dco: Update counters when a client disconnects
Read the peer deletion reason from the kernel
dco: cleanup FreeBSD dco_do_read()
options.c: enforce a minimal fragment size
configure: improve FreeBSD DCO check
dco: define OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT on FreeBSD
dco: print FreeBSD version
DCO: support key rotation notifications
dco-freebsd: dynamically re-allocate buffer if it's too small

Lev Stipakov (63):
Rename dco_get_peer_stats to dco_get_peer_stats_multi
management: add timer to output BYTECOUNT
Introduce dco_get_peer_stats API and Windows implementation
git-version.py: proper support for tags
msvc: upgrade to Visual Studio 2022
tun: move print_windows_driver() out of tun.h
openvpnmsica: remove dco installer custom actions
openvpnmsica: remove unused declarations
openvpnmsica: fix adapters discovery logic for DCO
Allow certain DHCP options to be used without DHCP server
dco-win: use proper calling convention on x86
Improve format specifier for socket handle in Windows
Disable DCO if proxy is set via management
Add logging for windows driver selection process
Avoid management log loop with verb >= 6
Support --inactive option for DCO
Fix '--inactive <time> 0' behavior for DCO
Print DCO client stats on SIGUSR2
Don't overwrite socket flags when using DCO on Windows
Support of DNS domain for DHCP-less drivers
dco-win: support for --dev-node
tapctl: generate driver-specific adapter names
openvpnmsica: link C runtime statically
tun.c: enclose DNS domain in single quotes in WMIC call
manage.c: document missing KID parameter
Set WINS servers via interactive service
CMake: fix broken daemonization and syslog functionality
Warn user if INFO control command is too long
CMake: fix HAVE_DAEMON detection on Linux
dco-win: get driver version
dco: warn if DATA_V1 packets are sent to userspace
config.h: fix incorrect defines for _wopen()
Make --dns options apply for tap-windows6 driver
Warn if pushed options require DHCP
tun.c: don't attempt to delete DNS and WINS servers if they're not set
win32: Enforce loading of plugins from a trusted directory
interactive.c: disable remote access to the service pipe
interactive.c: Fix potential stack overflow issue
Disable DCO if proxy is set via management
misc.c: remove unused code
interactive.c: Improve access control for gui<->service pipe
Use a more robust way to get dco-win version
dco: better naming for function parameters
repair DNS address option
dco-win: factor out getting dco version
dco-win: enable mode server on supported configuration
dco-win: simplify do_close_link_socket()
route.c: change the signature of get_default_gateway()
route.c: improve get_default_gateway() logic on Windows
mudp.c: keep offset value when resetting buffer
multi.c: add iroutes after dco peer is added
dco-win: disable dco in server mode if multiple --local options defined
dco-win: multipeer support
dco-win: simplify control packets prepend code
dco-win: kernel notifications
dco-win: support for iroutes
dco-win: Fix crash when cancelling pending operation
Remove UINT8_MAX definition
win: allow OpenVPN service account to use any command-line options
ssl_openssl.c: Prevent potential double-free
|
|
win: refactor get_windows_version()
|
|
win: create adapter on demand
|
|
win: remove Wintun support
|
|
|
|
Marc Becker (5):
|
|
unify code path for adding PKCS#11 providers
|
|
use new pkcs11-helper interface to add providers
|
|
special handling for PKCS11 providers on win32
|
|
vcpkg-ports/pkcs11-helper: support loader flags
|
|
vcpkg-ports/pkcs11-helper: bump to version 1.30
|
|
|
|
Marco Baffo (3):
|
|
tun: removed unnecessary route installations
|
|
IPv6 MADDR LOG: Wrap IPv6 addresses in square brackets and print port when the port is specified
|
|
get_default_gateway(): Prevent passing IPV4_INVALID_ADDR as a destination
|
|
|
|
Martin Rys (1):
|
|
openvpn-[client|server].service: Remove syslog.target
|
|
|
|
Matthias Andree (1):
|
|
make dist: Ship ovpn_dco_freebsd.h, too
|
|
|
|
Max Fillinger (10):
|
|
Correct tls-crypt-v2 metadata length in man page
|
|
Fix message for too long tls-crypt-v2 metadata
|
|
Add support for mbedtls 3.X.Y
|
|
Update README.mbedtls
|
|
Disable TLS 1.3 support with mbed TLS
|
|
Enable key export with mbed TLS 3.x.y
|
|
Remove license warning from README.mbedtls
|
|
mbedtls: Remove support for old TLS versions
|
|
mbedtls: Warn if --tls-version-min is too low
|
|
Remove HAVE_EXPORT_KEYING_MATERIAL macro
|
|
|
|
Michael Baentsch (1):
|
|
using OpenSSL3 API for EVP PKEY type name reporting
|
|
|
|
Michael Nix (1):
|
|
fix typo in help text: --ignore-unknown-option
|
|
|
|
Qingfang Deng (1):
|
|
dco: fix source IP selection when multihome
|
|
|
|
Ralf Lici (3):
|
|
Fix check_addr_clash argument order
|
|
Handle missing DCO peer by restarting the session
|
|
Implement ovpn version detection
|
|
|
|
Reynir Björnsson (2):
|
|
protocol_dump: tls-crypt support
|
|
Only schedule_exit() once
|
|
|
|
Rémi Farault (1):
|
|
Add calls to nvlist_destroy to avoid leaks
|
|
|
|
Samuli Seppänen (6):
|
|
Add t_server_null test suite
|
|
t_server_null: multiple improvements and fixes
|
|
t_server_null: persist test log files
|
|
t_server_null: forcibly kill misbehaving servers
|
|
t_server_null: use wait instead of marker files
|
|
Add lwip support to t_server_null
|
|
|
|
Selva Nair (63):
|
|
Reduce default restart pause to 1 second
|
|
Do not include auth-token in pulled option digest
|
|
Persist DCO client data channel traffic stats on restart
|
|
Add remote-count and remote-entry query via management
|
|
Permit unlimited connection entries and remotes
|
|
Use a template for 'unsupported management commands' error
|
|
Allow skipping multple remotes via management interface
|
|
Properly unmap ring buffer file-map in interactive service
|
|
Use undo_lists for saving ring-buffer handles in interactive service
|
|
Cleanup: Close duplicated handles in interactive service
|
|
Preparing for better signal handling: some code refactoring
|
|
Refactor signal handling in openvpn_getaddrinfo
|
|
Use IPAPI for setting ipv6 routes when iservice not available
|
|
Fix signal handling on Windows
|
|
Assign and honour signal priority order
|
|
Distinguish route addition errors from route already exists
|
|
Propagate route error to initialization_completed()
|
|
Include CE_DISABLED status of remote in "remote-entry-get" response
|
|
Define and use macros for route addition status code
|
|
Warn when pkcs11-id or pkcs11-id-management options are ignored
|
|
Cleanup route error and debug logging on Windows
|
|
Fix one more 'existing route may get deleted' case
|
|
block-dns using iservice: fix a potential double free
|
|
Conditionally add subdir-objects option to automake
|
|
Build unit tests in mingw Windows build
|
|
cyryptapi.c: log the selected certificate's name
|
|
cryptoapi.c: remove pre OpenSSL-3.01 support
|
|
cryptoapi.c: simplify parsing of thumbprint hex string
|
|
Option --cryptoapicert: support issuer name as a selector
|
|
Add a unit test for functions in cryptoapi.c
|
|
Do not save pointer to 'struct passwd' returned by getpwnam etc.
|
|
Bugfix: Convert ECDSA signature form pkcs11-helper to DER encoded form
|
|
Import some sample certificates into Windows store for testing
|
|
Add tests for finding certificates in Windows cert store
|
|
Refactor SSL_CTX_use_CryptoAPI_certificate()
|
|
Add a test for signing with certificates in Windows store
|
|
Unit tests: add test for SSL_CTX_use_Cryptoapi_certificate()
|
|
Improve error message on short read from socks proxy
|
|
Make error in setting metric for IPv6 interface non-fatal
|
|
Bug-fix: segfault in dco_get_peer_stats()
|
|
Move digest_sign_verify out of test_cryptoapi.c
|
|
Unit tests: Test for PKCS#11 using a softhsm2 token
|
|
Enable pkcs11 an dtest_pkcs11 in github actions
|
|
Make cert_data.h and test_cryptoapi/pkcs11.c MSVC compliant
|
|
Format Windows error message in Unicode
|
|
Bugfix: dangling pointer passed to pkcs11-helper
|
|
Correctly handle Unicode names for exit event
|
|
Interactive service: do not force a target desktop for openvpn.exe
|
|
Improve signal handling using POSIX sigaction
|
|
signal_reset(): combine check and reset operations
|
|
Log OpenSSL errors on failure to set certificate
|
|
Document that auth-user-pass may be inlined
|
|
test_pkcs11.c: set file offset to 0 after ftruncate
|
|
proxy.c: Clear sensitive data after use
|
|
Protect cached username, password and token on client
|
|
Interpret --key and --cert option argument as URI
|
|
Add a test for loading certificate and key to ssl context
|
|
Add a test for loading certificate and key using file: URI
|
|
Initialize before use struct user_pass in ui_reader()
|
|
Static-challenge concatenation option
|
|
Add test for static-challenge concatenation option
|
|
Fix more of uninitialized struct user_pass local vars
|
|
Do not stop reading from file/uri when OPENSSL_STORE_load() returns error
|
|
|
|
Sergey Korolev (1):
|
|
dco-linux: fix counter print format
|
|
|
|
Shubham Mittal (2):
|
|
Add compatibility to build OpenVPN with AWS-LC.
|
|
Adding AWS-LC to the OpenVPN CI
|
|
|
|
Shuji Furukawa (1):
|
|
Improve shuffling algorithm of connection list
|
|
|
|
Steffan Karger (2):
|
|
Fix IPv6 route add/delete message log level
|
|
Improve data channel crypto error messages
|
|
|
|
Timo Rothenpieler (1):
|
|
Don't clear capability bounding set on capng_change_id
|
|
|
|
corubba (2):
|
|
Fix IPv6 in port-share journal
|
|
Fix port-share journal doc
|
|
|
|
orbea (1):
|
|
configure: disable engines if OPENSSL_NO_ENGINE is defined
|
|
|
|
rein.vanbaaren (1):
|
|
Fix MBEDTLS_DEPRECATED_REMOVED build errors
|
|
|
|
wellweek (1):
|
|
remove repetitive words in documentation and comments
|
|
|
|
yatta (1):
|
|
fix(ssl): init peer_id when init tls_multi
|
|
|
|
|