| | 1 | {{{ |
| | 2 | Adam Ciarciński (1): |
| | 3 | Fix subnet topology on NetBSD. |
| | 4 | |
| | 5 | Antonio Quartulli (113): |
| | 6 | attempt to add IPv6 route even when no IPv6 address was configured |
| | 7 | fix redirect-gateway behaviour when an IPv4 default route does not exist |
| | 8 | CRL: use time_t instead of struct timespec to store last mtime |
| | 9 | ignore remote-random-hostname if a numeric host is provided |
| | 10 | Ignore auth-nocache for auth-user-pass if auth-token is pushed |
| | 11 | crypto: correct typ0 in error message |
| | 12 | use M_ERRNO instead of explicitly printing errno |
| | 13 | don't print errno twice |
| | 14 | ntlm: avoid useless cast |
| | 15 | ntlm: unwrap multiple function calls |
| | 16 | route: improve error message |
| | 17 | management: preserve wait_for_push field when asking for user/pass |
| | 18 | tls-crypt: avoid warnings when --disable-crypto is used |
| | 19 | ntlm: convert binary buffers to uint8_t * |
| | 20 | ntlm: restyle compressed multiple function calls |
| | 21 | ntlm: improve code style and readability |
| | 22 | OpenSSL: remove unreachable call to SSL_CTX_get0_privatekey() |
| | 23 | make function declarations C99 compliant |
| | 24 | remove unused functions |
| | 25 | use NULL instead of 0 when assigning pointers |
| | 26 | add missing static attribute to functions |
| | 27 | ntlm: avoid breaking anti-aliasing rules |
| | 28 | remove the --disable-multi config switch |
| | 29 | rename mroute_extract_addr_ipv4 to mroute_extract_addr_ip |
| | 30 | route: avoid definition of unused variables in certain configurations |
| | 31 | fix a couple of typ0s in comments and strings |
| | 32 | fragment.c: simplify boolean expression |
| | 33 | tcp-server: ensure AF family is propagated to child context |
| | 34 | Remove ENABLE_CRYPTO |
| | 35 | Remove option to disable crypto engine |
| | 36 | Remove ENABLE_PUSH_PEER_INFO |
| | 37 | Remove SSL_LIB_VER_STR |
| | 38 | Remove MD5SUM |
| | 39 | reload HTTP proxy credentials when moving to the next connection profile |
| | 40 | Allow learning iroutes with network made up of all 0s (only if netbits < 8) |
| | 41 | mbedtls: fix typ0 in comment |
| | 42 | manpage: fix simple typ0 |
| | 43 | pool: restyle ipv4/ipv6 members to improve readability |
| | 44 | pool: convert pool 'type' to enum |
| | 45 | tun: ensure gc and argv are properly handled |
| | 46 | tun: always pass a valid tt pointer |
| | 47 | tun: get rid of tt->did_ifconfig member |
| | 48 | tun: ensure interface can be configured with IPv6 only |
| | 49 | add support for %lu in argv_printf and prevent ASSERT |
| | 50 | windows: properly configure TAP driver when no IPv4 is configured |
| | 51 | socket: make stream_buf_* functions static |
| | 52 | crypto: always reload tls-auth/crypt key contexts |
| | 53 | make tls-auth and tls-crypt per-connection-block options |
| | 54 | pf: restyle pf_c2c/addr_test() to make them 'struct context' agnostic |
| | 55 | merge *-inline.h files with their main header |
| | 56 | ensure function declarations are compiled with their definitions |
| | 57 | buffer_list: add functions documentation |
| | 58 | ifconfig-ipv6(-push): allow using hostnames |
| | 59 | tls-crypt: properly cast time_t to uint64_t |
| | 60 | implement platform generic networking API |
| | 61 | implement networking API for iproute2 |
| | 62 | introduce sitnl: Simplified Interface To NetLink |
| | 63 | tun.c: use new networking API to handle tun interface on Linux |
| | 64 | travis.yml: add test for iproute2 net implementation |
| | 65 | route.c: use new networking API to handle routing table on Linux |
| | 66 | unit tests: implement test for sitnl |
| | 67 | t_net.sh: make bash dep explicit and run only if SITNL is compiled |
| | 68 | t_net.sh: properly perform sudo check and print test steps |
| | 69 | route.c: fix windows build by removing mismatching function parameter |
| | 70 | t_net.sh: fixes for the networking test script |
| | 71 | route.c: use sitnl to implement get_default_gateway_ipv6() |
| | 72 | networking/best_gw: remove useless prefixlen parameter |
| | 73 | sitnl: harden strncpy() by forcing arguments to have the same length |
| | 74 | mbedtls: fix segfault by calling mbedtls_cipher_free() in cipher_ctx_free() |
| | 75 | networking: extend API for better memory management |
| | 76 | tun.c: undo_ifconfig_ipv4/6 remove useless gc argument |
| | 77 | networking_sitnl.c: uncrustify file |
| | 78 | route.c: simplify ifdef logic |
| | 79 | t_net.sh: wait for NO-CARRIER bit to settle before starting test |
| | 80 | t_net.sh: execute sleep after checking exit code of previous command |
| | 81 | maddr: create helper function to populate maddr object from eth_addr |
| | 82 | VLAN: add basic VLAN tagging support |
| | 83 | maddr: export VLAN ID from client context to maddr object |
| | 84 | VLAN: filter multicast and client-to-client unicast traffic |
| | 85 | is_ipv_X: add support for parsing IP header inside a 802.1q frame |
| | 86 | VLAN: implement support for forwarding only pre-tagged VLAN packets |
| | 87 | VLAN: allow forwarding tagged and untagged packets on the server TAP device |
| | 88 | VLAN: add documentation to manpage |
| | 89 | socks: use the right function when printing struct openvpn_sockaddr |
| | 90 | add -Wno-stringop-truncation to CFLAGS on linux |
| | 91 | get rid of 'broadcast' argument when configuring the tun device |
| | 92 | auth_token_kt: ensure key_type object is initialized |
| | 93 | auth.c: make cast explicit in the crypto API |
| | 94 | travis: compile with -Werror on Linux |
| | 95 | travis: fix CFLAGS assignment error and add -Werror only when compiling on Linux for Linux |
| | 96 | sitnl: fix failure reporting by keeping error negative |
| | 97 | sitnl: fix TUN/TAP confusion in error messages |
| | 98 | sitnl: fix ignoring EEXIST when sending a netlink command |
| | 99 | t_net.sh: use dummy interface instead of tun |
| | 100 | remove bogus file check on --genkey argument |
| | 101 | t_net.sh: assign MAC address directly during interface creation |
| | 102 | convert *_inline attributes to bool |
| | 103 | options: fix inlining auth-gen-token-secret file |
| | 104 | tls-crypt-v2: fix testing of inline key |
| | 105 | get rid of INLINE_FILE_TAG constant |
| | 106 | pool: prevent IPv6 pools to be larger than 2^16 addresses |
| | 107 | pool: allow to configure an IPv6-only ifconfig-pool |
| | 108 | allow usage of --server-ipv6 even when no --server is specified |
| | 109 | pool: add support for ifconfig-pool-persist with IPv6 only |
| | 110 | route: warn on IPv4 routes installation when no IPv4 is configured |
| | 111 | options: enable IPv4 redirection logic only if really required |
| | 112 | ipv6-pool: get rid of size constraint |
| | 113 | pool: remove useless 'options.h' include |
| | 114 | multi: skip IPv4 logic in multi_select_virtual_addr() if no pool is configured |
| | 115 | multi.c: use mi->cc_config instead of config variable |
| | 116 | options: don't leak inline'd key material in logfile |
| | 117 | t_net.sh: drop hard dependency on t_client.rc |
| | 118 | travis: don't run t_net.sh test |
| | 119 | |
| | 120 | Arne Schwabe (124): |
| | 121 | Set tls-cipher restriction before loading certificates |
| | 122 | Print ec bit details, refuse management-external-key if key is not RSA |
| | 123 | Replace buffer backed strings for management_android_control with simple stack variables |
| | 124 | Treat dhcp-option DNS6 and DNS identical |
| | 125 | show the right string for key-direction |
| | 126 | Add MTU to Android IFCONFIG6 control command |
| | 127 | Properly free tuntap struct on android when emulating persist-tun |
| | 128 | Add OpenSSL compat definition for RSA_meth_set_sign |
| | 129 | Skip error about ioctl(SIOCGIFCONF) failed on Android |
| | 130 | Factor out convert_tls_list_to_openssl method |
| | 131 | Remove AUTO_USERID feature |
| | 132 | Remove MANAGMENT_EXTERNAL_KEY, MANAGMENT_IN_EXTRA, ENABLE_CLIENT_CR |
| | 133 | Add support for tls-ciphersuites for TLS 1.3 |
| | 134 | Add better support for showing TLS 1.3 ciphersuites in --show-tls |
| | 135 | Use right function to set TLS1.3 restrictions in show-tls |
| | 136 | Refuse mbed TLS external key with non RSA certificates |
| | 137 | Add message explaining early TLS client hello failure |
| | 138 | Add tls-crypt-v2 to the list of supported inline options |
| | 139 | Implement block-ipv6 |
| | 140 | Fallback to password authentication when auth-token fails |
| | 141 | Fix loading inline tls-crypt-v2 keys with mbed TLS |
| | 142 | Refactor tls_crypt_v2_write_server_key_file into crypto.c |
| | 143 | Add send_control_channel_string_dowork variant |
| | 144 | Rename tls_crypt_v2_read_keyfile into generic pem_read_key_file |
| | 145 | Fix poll.h logic in syshead.h |
| | 146 | Write key to stdout if filename is not given |
| | 147 | Implement --genkey type keyfile syntax and migrate tls-crypt-v2 |
| | 148 | Add generate_ephemeral_key that allows a random ephermal key |
| | 149 | Remove -no-cpp-precomp flag from Darwin builds |
| | 150 | Fix check if iface name is set |
| | 151 | Adjust Android code after sitnl patch merge |
| | 152 | Rewrite auth-token-gen to be based on HMAC based tokens |
| | 153 | Implement a permanent session id in auth-token |
| | 154 | Sent indication that a session is expired to clients |
| | 155 | Implement unit tests for auth-gen-token |
| | 156 | Make tls_version_max return the actual maximum version |
| | 157 | Add support for OpenSSL TLS 1.3 when using management-external-key |
| | 158 | Document tls-ciphersuites also in --help output |
| | 159 | Only announce IV_NCP=2 when we are willing to support these ciphers |
| | 160 | Add strsep compat function |
| | 161 | Implement dynamic NCP negotiation |
| | 162 | Warn about insecure ciphers also in init_key_type |
| | 163 | Move NCP related function into a seperate file and add unit tests |
| | 164 | Normalise ncp-ciphers option and restrict it to 127 bytes |
| | 165 | Fetch OpenSSL versions via source/old links |
| | 166 | Fix OpenSSL error stack handling of tls_ctx_add_extra_certs |
| | 167 | Fix off-by-one in tls-crypt-v2 client wrapping with custom metadata |
| | 168 | Fix OpenSSL 1.1.1 not using auto elliptic curve selection |
| | 169 | Refactor counting number of element in a : delimited list into function |
| | 170 | Minor style change to improve code style |
| | 171 | Another round of uncrustify code cleanup. |
| | 172 | Fix tls_ctx_client/server_new leaving error on OpenSSL error stack |
| | 173 | Add tls-crypt-v2 test writing metadata |
| | 174 | Use crypto library functions for const time memcmp when possible |
| | 175 | Fix session id in env missing first byte |
| | 176 | Document reneweal mechanic of auth-token in manual |
| | 177 | Fix session id and initial timestamp not being preserved |
| | 178 | Do not write extra 0 byte for --gen-key with auth-token/tls-crypt-v2 |
| | 179 | Refuse server mode on Android |
| | 180 | Add .git-blame-ignore-revs with reformat commits |
| | 181 | Make cipher_kt_name always return normalised cipher name |
| | 182 | Make cipher_kt_get also accept OpenVPN config cipher name |
| | 183 | Implement parsing and sending INFO and INFO_PRE control messages |
| | 184 | Implement support for signalling IV_SSO to server |
| | 185 | Implement sending response to challenge via CR_RESPONSE |
| | 186 | Implement sending AUTH_PENDING challenges to clients |
| | 187 | Implement forwarding client CR_RESPONSE messages to management |
| | 188 | Add unit test for cipher name translations |
| | 189 | Make compression asymmetric by default and add warnings |
| | 190 | Reformat files using uncrustify |
| | 191 | Remove parameter config from multi_client_connect_mda |
| | 192 | Remove push_reply_deferred variable |
| | 193 | Remove did_open_context, defined and connection_established_flag |
| | 194 | merge key_state->authenticated and key_state->auth_deferred |
| | 195 | Simplify multi_connection_established. |
| | 196 | Deprecate ncp-disable and add improved ncp to Changes.rst |
| | 197 | Make key_state->authenticated more state machine like |
| | 198 | Extract process_incoming_push_reply from process_incoming_push_msg |
| | 199 | Removed unused definition |
| | 200 | Code cleanup: remove superflous variable |
| | 201 | Move protocol option negotiation from push_prepare to new function |
| | 202 | Generate data channel keys after connect options have been parsed |
| | 203 | Cleanup: Remove special case code for old poor man's NCP. |
| | 204 | Allow changing fallback cipher from ccd files/client-connect |
| | 205 | client-connect: Change cas_context from int to enum |
| | 206 | client-connect: Move adding inotify watch into its own function |
| | 207 | reformat multi_client_generate_tls_keys according to uncrustify |
| | 208 | client-connect: Add CC_RET_DEFERRED and cope with deferred client-connect |
| | 209 | Remove CAS_PARTIAL state |
| | 210 | client-connect: Use inotify for the deferred client-connect status file |
| | 211 | client-connect: Implement deferred connect support for plugin API v2 |
| | 212 | Drop support for OpenSSL 1.0.1 |
| | 213 | Require AEAD support in the crypto library |
| | 214 | Remove key-method 1 |
| | 215 | Remove ENABLE_OCC #define |
| | 216 | Implement tls-groups option to specify eliptic curves/groups |
| | 217 | Avoid sending --cipher to clients not supporting NCP |
| | 218 | Indicate that a client is in pull mode in IV_PROTO |
| | 219 | Deprecate --inetd |
| | 220 | Include utun device number in utun error messages |
| | 221 | Simplify calling logic of check_connection_established_dowork |
| | 222 | Avoid sending push request after receving push reply |
| | 223 | Rename ncp-ciphers to data-ciphers |
| | 224 | Add a note that ncp-ciphers is replaced by data-ciphers |
| | 225 | client-connect: Add documentation for the deferred client connect feature |
| | 226 | Rework NCP compability logic and drop BF-CBC support by default |
| | 227 | Document different behaviour of dynamic cipher negotiation |
| | 228 | Minor cleanup in push.c |
| | 229 | Clean up a number of leftover C89 initialisations in ssl.c |
| | 230 | Remove buf argument from link_socket_set_outgoing_addr |
| | 231 | Remove a number of check/do_work wrapper calls from coarse_timers |
| | 232 | Split pf_check_reload check and check timer in process_coarse_timers |
| | 233 | Rename check_ping_restart_dowork to trigger_ping_timeout_signal |
| | 234 | Eliminate check_fragment function |
| | 235 | Eliminate check_incoming_control_channel wrapper function |
| | 236 | Eliminate check_tls wrapper function |
| | 237 | Merge check_coarse_timers and check_coarse_timers_dowork |
| | 238 | Skip existing interfaces on opening the first available utun on macOS |
| | 239 | Move parsing IV_PROTO to separate function |
| | 240 | Remove S_OP_NORMAL key state. |
| | 241 | Document comp-lzo no and compress being incompatible |
| | 242 | Refactor/Reformat tls_pre_decrypt |
| | 243 | Cleanup tls_pre_decrypt_lite and tls_pre_encrypt |
| | 244 | Improve sections about older OpenVPN clients in cipher-negotiation.rst |
| | 245 | |
| | 246 | Bertrand Bonnefoy-Claudet (1): |
| | 247 | Fix typo in error message: "optione" -> "option" |
| | 248 | |
| | 249 | Christian Ehrhardt (1): |
| | 250 | systemd: extend CapabilityBoundingSet for auth_pam |
| | 251 | |
| | 252 | Christian Hesse (7): |
| | 253 | man: fix formatting for alternative option |
| | 254 | systemd: Use automake tools to install unit files |
| | 255 | systemd: Do not race on RuntimeDirectory |
| | 256 | systemd: Add more security feature for systemd units |
| | 257 | Clean up plugin path handling |
| | 258 | plugin: Remove GNUism in openvpn-plugin.h generation |
| | 259 | fix typo in notification message |
| | 260 | |
| | 261 | Christopher Schenk (3): |
| | 262 | Set the correct mtu on windows based systems |
| | 263 | Log a note if someone wants to set a MTU below 1280 on IPv6 |
| | 264 | Unified success messages for setting mtu |
| | 265 | |
| | 266 | Conrad Hoffmann (2): |
| | 267 | Use provided env vars in up/down script. |
| | 268 | Document down-root plugin usage in client.down |
| | 269 | |
| | 270 | David Sommerseth (72): |
| | 271 | dev-tools: Added script for updating copyright years in files |
| | 272 | dev-tools: Added script for updating copyright years in files |
| | 273 | Update copyrights |
| | 274 | Update copyrights |
| | 275 | docs: Further enhance the documentation related to SWEET32 |
| | 276 | docs: Further enhance the documentation related to SWEET32 |
| | 277 | man: Remove references to no longer present IV_RGI6 peer-info |
| | 278 | man: Remove references to no longer present IV_RGI6 peer-info |
| | 279 | build: Ensure Changes.rst is shipped and installed as a doc file |
| | 280 | build: Ensure Changes.rst is shipped and installed as a doc file |
| | 281 | Preparing OpenVPN v2.4.0 release |
| | 282 | management: >REMOTE operation would overwrite ce change indicator |
| | 283 | management: Remove a redundant #ifdef block |
| | 284 | git: Merge .gitignore files into a single file |
| | 285 | systemd: Move the READY=1 signalling to an earlier point |
| | 286 | dev-tools: Simple tool which automates rebasing LZ4 compat library |
| | 287 | dev-tools: lz4-rebaser tool carried a typo |
| | 288 | plugin: Improve the handling of default plug-in directory |
| | 289 | cleanup: Remove faulty env processing functions |
| | 290 | auth-token: Ensure tokens are always wiped on de-auth |
| | 291 | docs: Fixed man-page warnings discoverd by rpmlint |
| | 292 | Make --cipher/--auth none more explicit on the risks |
| | 293 | Require minimum OpenSSL 1.0.1 |
| | 294 | Fix broken ./configure on systems without openssl.pc |
| | 295 | plugin: Fix documentation typo for type_mask |
| | 296 | plugin: Export secure_memzero() to plug-ins |
| | 297 | crypto: Enable SHA256 fingerprint checking in --verify-hash |
| | 298 | copyright: Update GPLv2 license texts |
| | 299 | dev-tools: Script generating the source releases in an automated fashion |
| | 300 | auth-token with auth-nocache fix broke --disable-crypto builds |
| | 301 | doc: The CRL processing is not a deprecated feature |
| | 302 | cleanup: Move write_pid() to where it is being used |
| | 303 | contrib: Remove keychain-mcd code |
| | 304 | cleanup: Move init_random_seed() to where it is being used |
| | 305 | Highlight deprecated features |
| | 306 | Use consistent version references |
| | 307 | docs: Replace all PolarSSL references to mbed TLS |
| | 308 | systemd: Ensure systemd shuts down OpenVPN in a proper way |
| | 309 | systemd: Enable systemd's auto-restart feature for server profiles |
| | 310 | lz4: Move towards a newer LZ4 API |
| | 311 | lz4: Fix confused version check |
| | 312 | lz4: Fix broken builds when pkg-config is not present but system library is |
| | 313 | Remove references to keychain-mcd in Changes.rst |
| | 314 | lz4: Rebase compat-lz4 against upstream v1.7.5 |
| | 315 | systemd: Add and ship README.systemd |
| | 316 | Update copyright to include 2018 plus company name change |
| | 317 | man: Add .TQ groff support macro |
| | 318 | man: Reword --management to prefer unix sockets over TCP |
| | 319 | management: Warn if TCP port is used without password |
| | 320 | plugin: Export base64 encode and decode functions |
| | 321 | build: Fix build warnings related to get_random() |
| | 322 | build: Fix another compile warning in console_systemd.c |
| | 323 | cleanup: Remove RPM openvpn.spec build approach |
| | 324 | docs: Update INSTALL |
| | 325 | build: Package missing mock_msg.h |
| | 326 | auth-token: Fix building with --disable-server |
| | 327 | auth-token: Fix compiler complaints with --disable-management |
| | 328 | Improve the comments related to auth-token-hmac patches |
| | 329 | Documented all the argv related code with minor refactoring |
| | 330 | build: Remove --disable-server from ./configure |
| | 331 | options: Fix failing inline tls-auth/crypt with persist-key |
| | 332 | options: Restore --tls-crypt-v2 inline file capability |
| | 333 | doc/man: convert openvpn.8 to split-up .rst files |
| | 334 | doc/man: Mark compression options as deprecated |
| | 335 | doc/man: Adopt compression documentation |
| | 336 | doc/man: Documentation for --bind-dev / VRFs on Linux |
| | 337 | doc/man: Add misssing renegotiation.rst to Makefile.am |
| | 338 | Remove --no-iv |
| | 339 | doc/man: Do not install man *.rst files |
| | 340 | travis: Fix make distcheck failure |
| | 341 | Remove --ifconfig-pool-linear |
| | 342 | Remove --client-cert-not-required |
| | 343 | |
| | 344 | Domagoj Pensa (2): |
| | 345 | Fix linking issues on MinGW |
| | 346 | Skip DNS address validation |
| | 347 | |
| | 348 | Emmanuel Deloget (20): |
| | 349 | OpenSSL: check for the SSL reason, not the full error |
| | 350 | OpenSSL: don't use direct access to the internal of X509_STORE_CTX |
| | 351 | OpenSSL: don't use direct access to the internal of SSL_CTX |
| | 352 | OpenSSL: don't use direct access to the internal of X509_STORE |
| | 353 | OpenSSL: don't use direct access to the internal of X509_OBJECT |
| | 354 | OpenSSL: don't use direct access to the internal of RSA_METHOD |
| | 355 | OpenSSL: SSLeay symbols are no longer available in OpenSSL 1.1 |
| | 356 | OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit() |
| | 357 | OpenSSL: don't use direct access to the internal of X509 |
| | 358 | OpenSSL: don't use direct access to the internal of EVP_PKEY |
| | 359 | OpenSSL: don't use direct access to the internal of RSA |
| | 360 | OpenSSL: don't use direct access to the internal of DSA |
| | 361 | OpenSSL: force meth->name as non-const when we free() it |
| | 362 | OpenSSL: don't use direct access to the internal of EVP_MD_CTX |
| | 363 | OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX |
| | 364 | OpenSSL: don't use direct access to the internal of HMAC_CTX |
| | 365 | OpenSSL: remove pre-1.1 function from the OpenSSL compat interface |
| | 366 | OpenSSL: remove EVP_CIPHER_CTX_new() from the compat layer |
| | 367 | OpenSSL: remove EVP_CIPHER_CTX_free() from the compat layer |
| | 368 | OpenSSL: check EVP_PKEY key types before returning the pkey |
| | 369 | |
| | 370 | Eric Thorpe (1): |
| | 371 | Fix Building Using MSVC |
| | 372 | |
| | 373 | Fabian Knittel (7): |
| | 374 | client-connect: Split multi_connection_established into separate functions |
| | 375 | client-connect: Refactor multi_client_connect_source_ccd |
| | 376 | client-connect: Move multi_client_connect_setenv into early_setup |
| | 377 | client-connect: Refactor to use return values instead of modifying a passed-in flag |
| | 378 | client-connect: Refactor client-connect handling to calling a bunch of hooks in a loop |
| | 379 | client-connect: Add deferred support to the client-connect script handler |
| | 380 | client-connect: Add deferred support to the client-connect v1 plugin handler |
| | 381 | |
| | 382 | Gert Doering (51): |
| | 383 | Remove IV_RGI6=1 peer-info signalling. |
| | 384 | Remove IV_RGI6=1 peer-info signalling. |
| | 385 | Add openssl_compat.h to openvpn_SOURCES |
| | 386 | Fix '--dev null' |
| | 387 | Fix installation of IPv6 host route to VPN server when using iservice. |
| | 388 | Make ENABLE_OCC no longer depend on !ENABLE_SMALL |
| | 389 | Fix NCP behaviour on TLS reconnect. |
| | 390 | Remove erroneous limitation on max number of args for --plugin |
| | 391 | proxy.c refactoring: remove always-NULL gc parameter |
| | 392 | Fix edge case with clients failing to set up cipher on empty PUSH_REPLY. |
| | 393 | Fix potential 1-byte overread in TCP option parsing. |
| | 394 | Fix remotely-triggerable ASSERT() on malformed IPv6 packet. |
| | 395 | Update Changes.rst with relevant info for 2.4.3 release. |
| | 396 | Remove warning on pushed tun-ipv6 option. |
| | 397 | Fix removal of on-link prefix on windows with netsh |
| | 398 | Fix potential double-free() in Interactive Service (CVE-2018-9336) |
| | 399 | Add %d, %u and %lu tests to test_argv unit tests. |
| | 400 | Extend push-remove to also handle 'ifconfig'. |
| | 401 | Print lzo_init() return code in case of errors |
| | 402 | Uncrustify sample-plugin sources according to code style |
| | 403 | uncrustify openvpnserv/ sources |
| | 404 | uncrustify openvpn/ sources |
| | 405 | Add 'printing of port number' to mroute_addr_print_ex() for v4-mapped v6. |
| | 406 | Stop complaining about IPv6 routes without gateway address. |
| | 407 | Copy one byte less in strncpynt() |
| | 408 | Remove cmocka submodule, rely on system-wide installation instead. |
| | 409 | Increase listen() backlog queue to 32 |
| | 410 | repair tap mode on OpenSolaris/OpenIndiana |
| | 411 | Fix IPv6 routes on tap interfaces on OpenSolaris/OpenIndiana |
| | 412 | OpenSolaris/OpenIllumos: use /bin/bash if available for test scripts. |
| | 413 | Force combinationation of --socks-proxy and --proto UDP to use IPv4. |
| | 414 | Uncrustify the tests/unit_tests/ part of our tree. |
| | 415 | Change client side of t_lpback.sh configs to use inline material. |
| | 416 | Simplify pool size handling, fix possible array overrun on pool reading. |
| | 417 | Change timestamps in file-based logging to ISO 8601 time format. |
| | 418 | Depreciation warning for --topology net30 on servers with IPv4 pools. |
| | 419 | Convert plugin/auth-pam.c from stderr logging to plugin_log(). |
| | 420 | Add c1ff8f247f91c88a2df5502eeedf42857f9a6831 (engine, pool, SSO) to .git-blame-ignore-revs |
| | 421 | Linux: do not change --txqueuelen OS default if not configured. |
| | 422 | Fix 'engine' unit test on FreeBSD (specifically 'not GNU make') |
| | 423 | t_client.sh: correctly report all failed instances in summary |
| | 424 | Remove --writepid file on program exit. |
| | 425 | Handle connecting clients without NCP or OCC without crashing. |
| | 426 | Add deferred authentication support to plugin-auth-pam |
| | 427 | Separate handling of non-deferred return values for client-connect-scripts. |
| | 428 | Repair --inetd |
| | 429 | Fix sequence of events for async plugin v1 handler. |
| | 430 | Abort client-connect handler loop after first handler sets 'disable'. |
| | 431 | Add depreciation notice for --ncp-disable to protocol-options.rst |
| | 432 | Changes.rst updates in preparation to 2.5_beta1 |
| | 433 | Preparing release 2.5_beta1 |
| | 434 | |
| | 435 | Gert van Dijk (7): |
| | 436 | Warn that DH config option is only meaningful in a tls-server context |
| | 437 | Add generated openvpn.doxyfile to .gitignore |
| | 438 | manpage: improve description of --status and --status-version |
| | 439 | Add negotiated cipher to status file format 2 and 3 |
| | 440 | Minor reliability layer documentation fixes |
| | 441 | Make second parameter to reliable_send_purge() const |
| | 442 | Remove unneeded newline in debug message in reliable.c |
| | 443 | |
| | 444 | Gisle Vanem (2): |
| | 445 | Crash in options.c |
| | 446 | Wrong FILETYPE in .rc files |
| | 447 | |
| | 448 | Guido Vranken (6): |
| | 449 | refactor my_strupr |
| | 450 | Fix 2 memory leaks in proxy authentication routine |
| | 451 | Fix memory leak in add_option() for option 'connection' |
| | 452 | Ensure option array p[] is always NULL-terminated |
| | 453 | Fix a null-pointer dereference in establish_http_proxy_passthru() |
| | 454 | Prevent two kinds of stack buffer OOB reads and a crash for invalid input data |
| | 455 | |
| | 456 | Heiko Hund (3): |
| | 457 | re-implement argv_printf_*() |
| | 458 | argv: do fewer memory re-allocations |
| | 459 | Add gc_arena to struct argv to save allocations |
| | 460 | |
| | 461 | Hilko Bengen (1): |
| | 462 | Do not set pkcs11-helper 'safe fork mode' |
| | 463 | |
| | 464 | Hristo Venev (1): |
| | 465 | Fix extract_x509_field_ssl for external objects, v2 |
| | 466 | |
| | 467 | Ilya Shipitsin (18): |
| | 468 | Resolve several travis-ci issues |
| | 469 | github: Add PR template with contributor related information |
| | 470 | travis-ci: add 'make distcheck' to test scenario, V2 |
| | 471 | travis-ci: remove unused files |
| | 472 | v4, travis-ci: add 2 mingw "build only" configurations |
| | 473 | travis-ci: added gcc and clang openssl-1.1.0 builds |
| | 474 | travis-ci: update openssl to 1.0.2l, update mbedtls to 2.5.1 |
| | 475 | travis-ci: update pkcs11-helper to 1.22 |
| | 476 | travis-ci: add brew cache, remove ccache |
| | 477 | travis-ci: modify openssl build script to support openssl-1.1.0 |
| | 478 | travis-ci: cleanup, refactor, upgrade ssl libraries |
| | 479 | travis-ci: add "linux-ppc64le" to build matrix |
| | 480 | travis-ci: change trusty image to xenial |
| | 481 | travis-ci: update osx to xcode9.4 and modernize brew management |
| | 482 | configure.ac: fix compile-time error in argv_testdriver |
| | 483 | travis-ci: fix osx builds |
| | 484 | travis-ci: update components versions |
| | 485 | travis-ci: add arm64, s390x builds. |
| | 486 | |
| | 487 | James Bekkema (2): |
| | 488 | Resolves small IV_GUI_VER typo in the documentation. |
| | 489 | Adds support for setting the default IPv6 gateway for routes using the route-ipv6-gateway option. |
| | 490 | |
| | 491 | James Bottomley (7): |
| | 492 | autoconf: Fix engine checks for openssl 1.1 |
| | 493 | openssl: add engine method for loading the key |
| | 494 | crypto_openssl: add initialization to pick up local configuration |
| | 495 | crypto_openssl: add include for openssl/conf.h |
| | 496 | Add unit tests for engine keys |
| | 497 | Fix make distcheck for new engine key unit test |
| | 498 | engine-key tests: make check_engine_keys.sh work with --enable-small |
| | 499 | |
| | 500 | Jan Just Keijser (1): |
| | 501 | Added support for DHCP option 119 (dns search suffix list) for Windows. |
| | 502 | |
| | 503 | Jeremie Courreges-Anglas (5): |
| | 504 | Cast time_t to long long in order to print it. |
| | 505 | Print time_t as long long and suseconds_t as long |
| | 506 | Cast and print another suseconds_t as long |
| | 507 | Use long long to format time_t-related environment variables |
| | 508 | Fix build with LibreSSL |
| | 509 | |
| | 510 | Jeremy Evans (1): |
| | 511 | Switch assertion failure to returning false |
| | 512 | |
| | 513 | Jonathan K. Bullard (1): |
| | 514 | Clarify and expand management interface documentation |
| | 515 | |
| | 516 | Jonathan Tooker (1): |
| | 517 | Fix various spelling mistakes |
| | 518 | |
| | 519 | Joost Rijneveld (1): |
| | 520 | Make return code external tls key match docs |
| | 521 | |
| | 522 | Jérémie Courrèges-Anglas (2): |
| | 523 | Fix an unaligned access on OpenBSD/sparc64 |
| | 524 | Missing include for socket-flags TCP_NODELAY on OpenBSD |
| | 525 | |
| | 526 | Kyle Evans (1): |
| | 527 | tests/t_lpback.sh: Switch sed(1) to POSIX-compatible regex. |
| | 528 | |
| | 529 | Lev Stipakov (46): |
| | 530 | win: support for Visual Studio 2017 |
| | 531 | Refactor NCP-negotiable options handling |
| | 532 | init.c: refine functions names and description |
| | 533 | openvpnserv: clarify return values type |
| | 534 | crypto.h: remove unused function declaration |
| | 535 | interactive.c: fix usage of potentially uninitialized variable |
| | 536 | options.c: fix broken unary minus usage |
| | 537 | Introduce openvpn_swprintf() with nul termination guarantee |
| | 538 | Wrap openvpn_swprintf into Windows define |
| | 539 | test_tls_crypt.c: fix global-buffer-overflow found by AddressSanitizer |
| | 540 | crypto_openssl.c: fix heap-buffer-overflow found by AddressSanitizer |
| | 541 | Fix various compiler warnings |
| | 542 | Fix broken fragment/mssfix with NCP |
| | 543 | crypto.c: fix Visual Studio build |
| | 544 | tun.h: change tun_set() return value type to void |
| | 545 | tun.h: remove TUN_PASS_BUFFER define |
| | 546 | tapctl: add optional 'hardware id' parameter |
| | 547 | vcxproj: add missing source files |
| | 548 | push.c: fix Visual Studio build |
| | 549 | Visual Studio: make it easier to build with VS |
| | 550 | msvc: OpenSSL 1.1.x support |
| | 551 | travis: add Visual Studio build |
| | 552 | Visual Studio: upgrade project files to VS2019 |
| | 553 | wintun: add --windows-driver config option |
| | 554 | wintun: implement opening wintun device |
| | 555 | travis: bump MSVC to 2019 |
| | 556 | travis: bump clang version |
| | 557 | wintun: ring buffers based I/O |
| | 558 | wintun: interactive service support |
| | 559 | wintun: set adapter properties via interactive service |
| | 560 | wintun: clear adapter settings on tun close |
| | 561 | tun.c: refactor open_tun() implementation |
| | 562 | tun.c: do not add/remove on-link IPv4 route on tun open/close |
| | 563 | options.c: do not force route delay when not using DHCP |
| | 564 | configure.ac: simplify AC_CHECK_FUNCS statements |
| | 565 | cryptoapi.c: fix run-time check failure in msvc debugger |
| | 566 | interactive.c: remove unused function |
| | 567 | tun.c: fix 'use after free' error |
| | 568 | Fix building with --enable-async-push in FreeBSD |
| | 569 | Fix broken async push with NCP is used |
| | 570 | Fix illegal client float (CVE-2020-11810) |
| | 571 | msvc: fix various level2 warnings |
| | 572 | tap.c: fix adapter renaming |
| | 573 | Improve Windows version detection with manifest |
| | 574 | wintun: remove SYSTEM elevation hack |
| | 575 | Fix compilation with --disable-lzo and --disable-lz4 |
| | 576 | |
| | 577 | Matthias Andree (3): |
| | 578 | Make openvpn-plugin.h self-contained again. |
| | 579 | Merge Makefile.am's AUTOMAKE_OPTIONS into configure.ac's AM_INIT_AUTOMAKE. |
| | 580 | Fix stack buffer overruns in NEXTADDR() macro: |
| | 581 | |
| | 582 | Maxim Plotnikov (1): |
| | 583 | OpenSSL: Fix --crl-verify not loading multiple CRLs in one file |
| | 584 | |
| | 585 | Maximilian Wilhelm (1): |
| | 586 | Add --bind-dev option. |
| | 587 | |
| | 588 | Michal Soltys (1): |
| | 589 | man: correct the description of --capath and --crl-verify regarding CRLs |
| | 590 | |
| | 591 | Mykola Baibuz (1): |
| | 592 | Fix typo in NTLM proxy debug message |
| | 593 | |
| | 594 | Olivier Wahrenberger (1): |
| | 595 | Fix building with LibreSSL 2.5.1 by cleaning a hack. |
| | 596 | |
| | 597 | Richard Bonhomme (3): |
| | 598 | man: Corrections to doc/openvpn.8 |
| | 599 | Ignore --pull-filter for --mode server |
| | 600 | doc/man: Update --txqueuelen default setting (Now OS default) |
| | 601 | |
| | 602 | Richard van den Berg via Openvpn-devel (1): |
| | 603 | Fix error message when using RHEL init script |
| | 604 | |
| | 605 | Rosen Penev (2): |
| | 606 | Remove wrong poll.h include |
| | 607 | openssl: Fix compilation without deprecated OpenSSL 1.1 APIs |
| | 608 | |
| | 609 | Samy Mahmoudi (1): |
| | 610 | man: correct a --redirection-gateway option flag |
| | 611 | |
| | 612 | Santtu Lakkala (1): |
| | 613 | Fix OpenSSL private key passphrase notices |
| | 614 | |
| | 615 | Selva Nair (55): |
| | 616 | Fix push options digest update |
| | 617 | Always release dhcp address in close_tun() on Windows. |
| | 618 | Add a check for -Wl, --wrap support in linker |
| | 619 | Fix user's group membership check in interactive service to work with domains |
| | 620 | In auth-pam plugin clear the password after use |
| | 621 | Pass correct buffer size to GetModuleFileNameW() |
| | 622 | Check whether in pull_mode before warning about previous connection blocks |
| | 623 | Avoid illegal memory access when malformed data is read from the pipe |
| | 624 | Fix missing check for return value of malloc'd buffer |
| | 625 | Return NULL if GetAdaptersInfo fails |
| | 626 | Use RSA_meth_free instead of free |
| | 627 | Bring cryptoapi.c upto speed with openssl 1.1 |
| | 628 | Add SSL_CTX_get_max_proto_version() not in openssl 1.0 |
| | 629 | TLS v1.2 support for cryptoapicert -- RSA only |
| | 630 | Refactor ssl_openssl.c in prep for external EC key support |
| | 631 | Refactor get_interface_metric to return metric and auto flag separately |
| | 632 | Add management client version |
| | 633 | Prompt for signature using '>PK_SIGN' if the client supports it |
| | 634 | Allow external EC key through --management-external-key |
| | 635 | Ensure strings read from registry are null-terminated |
| | 636 | Make most registry values optional |
| | 637 | Use lowest metric interface when multiple interfaces match a route |
| | 638 | Move code to free cd to a function CAPI_DATA_free() |
| | 639 | Disable external ec key support when building with libressl |
| | 640 | Adapt to RegGetValue brokenness in Windows 7 |
| | 641 | Fix format spec errors in Windows builds |
| | 642 | Move setting private key to a function in prep for EC support |
| | 643 | Support EC certificates with cryptoapicert |
| | 644 | Delete the IPv6 route to the "connected" network on tun close |
| | 645 | Management: warn about password only when the option is in use |
| | 646 | Avoid overflow in wakeup time computation |
| | 647 | Replace M_DEBUG with D_LOW as the former is too verbose |
| | 648 | Correct the declaration of handle in 'struct openvpn_plugin_args_open_return' |
| | 649 | Parse static challenge response in auth-pam plugin |
| | 650 | Bump version of openvpn plugin argument structs to 5 |
| | 651 | Accept empty password and/or response in auth-pam plugin |
| | 652 | Pass the hash without the DigestInfo header to NCryptSignHash() |
| | 653 | Move get system directory to a separate function |
| | 654 | Enable dhcp on tap adapter using interactive service |
| | 655 | Refactor sending commands to interactive service |
| | 656 | Declare Windows version of openvpn_execve() before use |
| | 657 | White-list pull-filter and script-security in interactive service |
| | 658 | Move OpenSSL vs CNG signature digest type mapping to a function |
| | 659 | Handle PSS padding in cryptoapicert |
| | 660 | Better error message when script fails due to script-security setting |
| | 661 | Correct the return value of cryptoapi RSA signature callbacks |
| | 662 | Fix ACL_CHECK_ADD_COMPILE_FLAGS to work with clang |
| | 663 | Swap the order of checks for validating interactive service user |
| | 664 | Skip expired certificates in Windows certificate store |
| | 665 | Allow unicode search string in --cryptoapicert option |
| | 666 | Fix possibly uninitialized return value in GetOpenvpnSettings() |
| | 667 | Fix possible access of uninitialized pipe handles |
| | 668 | Move querying username/password from management to a function |
| | 669 | When auth-user-pass file has no password query the management interface (if available). |
| | 670 | Persist management-query-remote and proxy prompts |
| | 671 | |
| | 672 | Simon Matter (2): |
| | 673 | Fix segfault when using crypto lib without AES-256-CTR or SHA256 |
| | 674 | Add per session pseudo-random jitter to --reneg-sec intervals |
| | 675 | |
| | 676 | Simon Rozman (67): |
| | 677 | Local functions are not supported in MSVC. Bummer. |
| | 678 | Mixing wide and regular strings in concatenations is not allowed in MSVC. |
| | 679 | RtlIpv6AddressToStringW() and RtlIpv4AddressToStringW() require mstcpip.h |
| | 680 | Simplify iphlpapi.dll API calls |
| | 681 | Fix local #include to use quoted form |
| | 682 | Document ">PASSWORD:Auth-Token" real-time message |
| | 683 | Fix typo in "verb" command examples |
| | 684 | Uniform swprintf() across MinGW and MSVC compilers |
| | 685 | MSVC meta files added to .gitignore list |
| | 686 | openvpnserv: Review MSVC down-casting warnings |
| | 687 | openvpnserv: Add support for multi-instances |
| | 688 | Document missing OpenVPN states |
| | 689 | Add Interactive Service developer documentation |
| | 690 | Change quoted to angled form when #including external .h files |
| | 691 | Signed/unsigned warnings of MSVC resolved |
| | 692 | Reference msvc-generate from compat to assure correct build order |
| | 693 | msvc: Move common project settings to reusable property sheets |
| | 694 | msvc: Unify Unicode/MultiByte string setting across all cfg|plat |
| | 695 | Introduce tapctl.exe utility and openvpnmsica.dll MSI CA |
| | 696 | Set output name to libopenvpnmsica.dll in MSVC builds too |
| | 697 | Prevent __stdcall name mangling of MSVC |
| | 698 | Define _WIN32_WINNT=_WIN32_WINNT_VISTA in MSVC |
| | 699 | Add MSI custom action for reliable Windows 10 detection |
| | 700 | Detect TAP interfaces with root-enumerated hardware ID |
| | 701 | Change C++ to C comments |
| | 702 | Make MSI custom action debug pop-up more informative |
| | 703 | Delete TAP interface before the TAP driver is uninstalled |
| | 704 | Add detection of active VPN connections for MSI packages |
| | 705 | Add a MSI custom actions to close and relaunch OpenVPN GUI |
| | 706 | Make DriverCertification MSI property public |
| | 707 | Extend FindSystemInfo custom action to detect OpenVPNService state |
| | 708 | Uncrustify tapctl and openvpnmsica |
| | 709 | Strip _stdcall suffixes (@nn) for 32-bit builds |
| | 710 | Detect missing TAP driver and bail out gracefully |
| | 711 | Disambiguate thread local storage references from TLS |
| | 712 | Add NULL checks |
| | 713 | Add user manual and developer notes URL for tapctl.exe |
| | 714 | Refactor OpenVPNService state detection code |
| | 715 | Add developer notes URL for openvpnmsica.dll |
| | 716 | Limit tapctl.exe and openvpnmsica.dll to TAP-Windows6 adapters only |
| | 717 | msvc: Add vlan.c/h |
| | 718 | tun.c: make Windows device lookup functions more general |
| | 719 | tun.c: upgrade get_device_guid() to return the Windows driver type |
| | 720 | tun.c: make wintun_register_ring_buffer() non-fatal on failures |
| | 721 | wintun: register ring buffers when iterating adapters |
| | 722 | wintun: add support for --dev-node |
| | 723 | tun.c: reword the at_least_one_tap_win() error |
| | 724 | wintun: stop sending TAP-Windows6 ioctls to NDIS device |
| | 725 | wintun: refactor code to use enum driver type |
| | 726 | tun.c: refactor driver detection and make it case-insensitive |
| | 727 | tun.c: uncrustify |
| | 728 | wintun: check for conflicting options |
| | 729 | openvpnmsica: Remove required Windows driver certification detection |
| | 730 | openvpnmsica: Fix TAPInterface.DisplayName field interpretation |
| | 731 | tapctl: Update documentation |
| | 732 | wintun: upgrade error message in case of ring registration failure |
| | 733 | tun.c: reorder IPv6 ifconfig on Windows |
| | 734 | tapctl: Add functions for enabling/disabling adapters |
| | 735 | openvpnmsica: Revise MSI custom actions interop |
| | 736 | openvpnmsica: Simplify static function names |
| | 737 | openvpnmsica, tapctl: "interface" => "adapter" |
| | 738 | openvpnmsica: "TAP" => "TUN/TAP" |
| | 739 | openvpnmsica: Extend to support arbitrary HWID network adapters |
| | 740 | openvpnmsica, tapctl: Revise default hardware ID management |
| | 741 | openvpnmsica: Merge FindTUNTAPAdapters into FindSystemInfo |
| | 742 | tapctl: Support multiple hardware IDs |
| | 743 | tun.c: revise the IPv4 ifconfig flow on Windows |
| | 744 | |
| | 745 | Stefan Strogin (1): |
| | 746 | Use correct ifdefs for LibreSSL support |
| | 747 | |
| | 748 | Steffan Karger (126): |
| | 749 | Bump master to version 2.5_git |
| | 750 | Document that RSA_SIGN can also request TLS 1.2 signatures |
| | 751 | man: encourage user to read on about --tls-crypt |
| | 752 | Document that RSA_SIGN can also request TLS 1.2 signatures |
| | 753 | man: encourage user to read on about --tls-crypt |
| | 754 | Textual fixes for Changes.rst |
| | 755 | Textual fixes for Changes.rst |
| | 756 | Remove deprecated --no-iv option |
| | 757 | More broadly enforce Allman style and braces-around-conditionals |
| | 758 | Use SHA256 for the internal digest, instead of MD5 |
| | 759 | OpenSSL: 1.1 fallout - fix configure on old autoconf |
| | 760 | Fix types in WIN32 socket_listen_accept() |
| | 761 | Remove duplicate X509 env variables |
| | 762 | Fix non-C99-compliant builds: don't use const size_t as array length |
| | 763 | Deprecate --ns-cert-type |
| | 764 | Be less picky about keyUsage extensions |
| | 765 | cleanup: merge packet_id_alloc_outgoing() into packet_id_write() |
| | 766 | Don't run packet_id unit tests for --disable-crypto builds |
| | 767 | Fix Changes.rst layout |
| | 768 | Fix memory leak in x509_verify_cert_ku() |
| | 769 | mbedtls: correctly check return value in pkcs11_certificate_dn() |
| | 770 | Restore pre-NCP frame parameters for new sessions |
| | 771 | Always clear username/password from memory on error |
| | 772 | Document tls-crypt security considerations in man page |
| | 773 | Don't assert out on receiving too-large control packets (CVE-2017-7478) |
| | 774 | Drop packets instead of assert out if packet id rolls over (CVE-2017-7479) |
| | 775 | Log the negotiated (NCP) cipher |
| | 776 | Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c) |
| | 777 | Skip tls-crypt unit tests if required crypto mode not supported |
| | 778 | openssl: fix overflow check for long --tls-cipher option |
| | 779 | Add a DSA test key/cert pair to sample-keys |
| | 780 | Fix mbedtls fingerprint calculation |
| | 781 | mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522) |
| | 782 | mbedtls: require C-string compatible types for --x509-username-field |
| | 783 | Fix remote-triggerable memory leaks (CVE-2017-7521) |
| | 784 | Restrict --x509-alt-username extension types |
| | 785 | Fix potential double-free in --x509-alt-username (CVE-2017-7521) |
| | 786 | Fix typo in extract_x509_extension() debug message |
| | 787 | init_key_ctx: key and iv arguments can (now) be const |
| | 788 | Move adjust_power_of_2() to integer.h |
| | 789 | Undo cipher push in client options state if cipher is rejected |
| | 790 | Remove strerror_ts() |
| | 791 | Move openvpn_sleep() to manage.c |
| | 792 | fixup: also change missed openvpn_sleep() occurrences |
| | 793 | Always use default keysize for NCP'd ciphers |
| | 794 | Move create_temp_file() out of #ifdef ENABLE_CRYPTO |
| | 795 | sample-plugins: fix ASN1_STRING_to_UTF8 return value checks |
| | 796 | Deprecate --keysize |
| | 797 | Move run_up_down() to init.c |
| | 798 | tls-crypt: introduce tls_crypt_kt() |
| | 799 | crypto: create function to initialize encrypt and decrypt key |
| | 800 | Add coverity static analysis to Travis CI config |
| | 801 | tls-crypt: don't leak memory for incorrect tls-crypt messages |
| | 802 | travis: reorder matrix to speed up build |
| | 803 | Fix bounds check in read_key() |
| | 804 | buffer_list_aggregate_separator(): add unit tests |
| | 805 | doxygen: add make target and use relative paths |
| | 806 | Simplify and inline clear_buf() |
| | 807 | Add --tls-cert-profile option. |
| | 808 | pf: clean up temporary files if plugin init fails |
| | 809 | pf: reject client if PF plugin is configured, but init fails |
| | 810 | Don't throw fatal errors from create_temp_file() |
| | 811 | create_temp_file/gen_path: prevent memory leak if gc == NULL |
| | 812 | Use P_DATA_V2 for server->client packets too |
| | 813 | Fix memory leak in buffer unit tests |
| | 814 | travis: use clang's -fsanitize=address to catch more bugs |
| | 815 | Don't throw fatal errors from verify_cert_export_cert() |
| | 816 | buffer_list_aggregate_separator(): update list size after aggregating |
| | 817 | buffer_list_aggregate_separator(): don't exceed max_len |
| | 818 | buffer_list_aggregate_separator(): prevent 0-byte malloc |
| | 819 | Fix types around buffer_list_push(_data) |
| | 820 | ssl_openssl: fix compiler warning by removing getbio() wrapper |
| | 821 | Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+ |
| | 822 | Add support for TLS 1.3 in --tls-version-{min, max} |
| | 823 | tls_ctx_set_tls_versions: move verify_flags to where it is used |
| | 824 | Plug memory leak if push is interrupted |
| | 825 | Log pre-handshake packet drops using D_MULTI_DROPPED |
| | 826 | Enable stricter compiler warnings by default |
| | 827 | reliable: remove reliable_unique_retry() |
| | 828 | Get rid of ax_check_compile_flag.m4 |
| | 829 | mbedtls: don't use API deprecated in mbed 2.7 |
| | 830 | Warn if tls-version-max < tls-version-min |
| | 831 | Check for more data in control channel |
| | 832 | Move env helper functions into their own module/file |
| | 833 | man: add security considerations to --compress section |
| | 834 | openssl: don't use deprecated SSLEAY/SSLeay symbols |
| | 835 | openssl: add missing #include statements |
| | 836 | Move file-related functions from misc.c to platform.c |
| | 837 | Move execve/run_script helper functions to run_command.c |
| | 838 | Add crypto_pem_{encode,decode}() |
| | 839 | Introduce buffer_write_file() |
| | 840 | mbedtls: print warning if random personalisation fails |
| | 841 | Fix memory leak after sighup |
| | 842 | Remove unused void_ptr_hash_function and void_ptr_compare_function |
| | 843 | Do not load certificate from tls_ctx_use_external_private_key() |
| | 844 | mbedtls: make external signing code generic |
| | 845 | mbedtls: remove dependency on mbedtls pkcs11 module |
| | 846 | Fix memory leak in SSL_CTX_use_certificate |
| | 847 | travis: add OpenSSL 1.1 Windows build |
| | 848 | Fix use-after-free in tls_ctx_use_management_external_key |
| | 849 | Simplify --genkey option syntax |
| | 850 | Don't print OCC warnings about 'key-method', 'keydir' and 'tls-auth' |
| | 851 | Add support for CHACHA20-POLY1305 in the data channel |
| | 852 | List ChaCha20-Poly1305 as stream cipher |
| | 853 | mbedtls: don't print unsupported ciphers in insecure cipher list |
| | 854 | Fix mbedtls unit tests |
| | 855 | buffer_list_aggregate_separator(): simplify code |
| | 856 | tls-crypt-v2: add specification to doc/ |
| | 857 | tls-crypt-v2: generate tls-crypt-v2 keys |
| | 858 | tls-crypt-v2: add unwrap_client_key |
| | 859 | tls-crypt-v2: add P_CONTROL_HARD_RESET_CLIENT_V3 opcode |
| | 860 | tls-crypt-v2: implement tls-crypt-v2 handshake |
| | 861 | tls-crypt-v2: add script hook to verify metadata |
| | 862 | tls-crypt-v2: clarify --tls-crypt-v2-genkey man page section |
| | 863 | tls-crypt-v2: fix client reconnect bug |
| | 864 | Remove deprecated --compat-x509-names and --no-name-remapping |
| | 865 | Extend tls-crypt-v2 unit tests |
| | 866 | Fix tls-auth/crypt in connection blocks with --persist-key |
| | 867 | cmocka: use relative paths |
| | 868 | tests: remove dependency on base64 |
| | 869 | configure.ac: add lzo CFLAGS/LIBS to the test flags |
| | 870 | Update sample configs to use modern cipher, remove static key examples |
| | 871 | mbedtls: add RFC 5705 keying material exporter support |
| | 872 | Move keying material exporter check from syshead.h to configure.ac |
| | 873 | Make openvpn --version exit with exit code 0 |
| | 874 | Gently push users towards --data-ciphers in --show-ciphers output |
| | 875 | |
| | 876 | Steven McDonald (1): |
| | 877 | Fix gateway detection with OpenBSD routing domains |
| | 878 | |
| | 879 | Szilárd Pfeiffer (1): |
| | 880 | OpenSSL: Always set SSL_OP_CIPHER_SERVER_PREFERENCE flag |
| | 881 | |
| | 882 | Thomas Quinot (1): |
| | 883 | Fix documentation of tls-verify script argument |
| | 884 | |
| | 885 | Thomas Veerman via Openvpn-devel (1): |
| | 886 | Fix socks_proxy_port pointing to invalid data |
| | 887 | |
| | 888 | Tom van Leeuwen (1): |
| | 889 | mbedTLS: Make sure TLS session survives move |
| | 890 | |
| | 891 | ValdikSS (1): |
| | 892 | Set a low interface metric for tap adapter when block-outside-dns is in use |
| | 893 | |
| | 894 | Vladislav Grishenko (1): |
| | 895 | Log serial number of revoked certificate |
| | 896 | |
| | 897 | WGH (1): |
| | 898 | docs: Add reference to X509_LOOKUP_hash_dir(3) |
| | 899 | |
| | 900 | hashiz (1): |
| | 901 | Fix '--bind ipv6only' |
| | 902 | |
| | 903 | tincanteksup (1): |
| | 904 | Correct error message for --tls-crypt-v2-genkey client |
| | 905 | }}} |
