| 1 | {{{ |
| 2 | Adam Ciarciński (1): |
| 3 | Fix subnet topology on NetBSD. |
| 4 | |
| 5 | Antonio Quartulli (113): |
| 6 | attempt to add IPv6 route even when no IPv6 address was configured |
| 7 | fix redirect-gateway behaviour when an IPv4 default route does not exist |
| 8 | CRL: use time_t instead of struct timespec to store last mtime |
| 9 | ignore remote-random-hostname if a numeric host is provided |
| 10 | Ignore auth-nocache for auth-user-pass if auth-token is pushed |
| 11 | crypto: correct typ0 in error message |
| 12 | use M_ERRNO instead of explicitly printing errno |
| 13 | don't print errno twice |
| 14 | ntlm: avoid useless cast |
| 15 | ntlm: unwrap multiple function calls |
| 16 | route: improve error message |
| 17 | management: preserve wait_for_push field when asking for user/pass |
| 18 | tls-crypt: avoid warnings when --disable-crypto is used |
| 19 | ntlm: convert binary buffers to uint8_t * |
| 20 | ntlm: restyle compressed multiple function calls |
| 21 | ntlm: improve code style and readability |
| 22 | OpenSSL: remove unreachable call to SSL_CTX_get0_privatekey() |
| 23 | make function declarations C99 compliant |
| 24 | remove unused functions |
| 25 | use NULL instead of 0 when assigning pointers |
| 26 | add missing static attribute to functions |
| 27 | ntlm: avoid breaking anti-aliasing rules |
| 28 | remove the --disable-multi config switch |
| 29 | rename mroute_extract_addr_ipv4 to mroute_extract_addr_ip |
| 30 | route: avoid definition of unused variables in certain configurations |
| 31 | fix a couple of typ0s in comments and strings |
| 32 | fragment.c: simplify boolean expression |
| 33 | tcp-server: ensure AF family is propagated to child context |
| 34 | Remove ENABLE_CRYPTO |
| 35 | Remove option to disable crypto engine |
| 36 | Remove ENABLE_PUSH_PEER_INFO |
| 37 | Remove SSL_LIB_VER_STR |
| 38 | Remove MD5SUM |
| 39 | reload HTTP proxy credentials when moving to the next connection profile |
| 40 | Allow learning iroutes with network made up of all 0s (only if netbits < 8) |
| 41 | mbedtls: fix typ0 in comment |
| 42 | manpage: fix simple typ0 |
| 43 | pool: restyle ipv4/ipv6 members to improve readability |
| 44 | pool: convert pool 'type' to enum |
| 45 | tun: ensure gc and argv are properly handled |
| 46 | tun: always pass a valid tt pointer |
| 47 | tun: get rid of tt->did_ifconfig member |
| 48 | tun: ensure interface can be configured with IPv6 only |
| 49 | add support for %lu in argv_printf and prevent ASSERT |
| 50 | windows: properly configure TAP driver when no IPv4 is configured |
| 51 | socket: make stream_buf_* functions static |
| 52 | crypto: always reload tls-auth/crypt key contexts |
| 53 | make tls-auth and tls-crypt per-connection-block options |
| 54 | pf: restyle pf_c2c/addr_test() to make them 'struct context' agnostic |
| 55 | merge *-inline.h files with their main header |
| 56 | ensure function declarations are compiled with their definitions |
| 57 | buffer_list: add functions documentation |
| 58 | ifconfig-ipv6(-push): allow using hostnames |
| 59 | tls-crypt: properly cast time_t to uint64_t |
| 60 | implement platform generic networking API |
| 61 | implement networking API for iproute2 |
| 62 | introduce sitnl: Simplified Interface To NetLink |
| 63 | tun.c: use new networking API to handle tun interface on Linux |
| 64 | travis.yml: add test for iproute2 net implementation |
| 65 | route.c: use new networking API to handle routing table on Linux |
| 66 | unit tests: implement test for sitnl |
| 67 | t_net.sh: make bash dep explicit and run only if SITNL is compiled |
| 68 | t_net.sh: properly perform sudo check and print test steps |
| 69 | route.c: fix windows build by removing mismatching function parameter |
| 70 | t_net.sh: fixes for the networking test script |
| 71 | route.c: use sitnl to implement get_default_gateway_ipv6() |
| 72 | networking/best_gw: remove useless prefixlen parameter |
| 73 | sitnl: harden strncpy() by forcing arguments to have the same length |
| 74 | mbedtls: fix segfault by calling mbedtls_cipher_free() in cipher_ctx_free() |
| 75 | networking: extend API for better memory management |
| 76 | tun.c: undo_ifconfig_ipv4/6 remove useless gc argument |
| 77 | networking_sitnl.c: uncrustify file |
| 78 | route.c: simplify ifdef logic |
| 79 | t_net.sh: wait for NO-CARRIER bit to settle before starting test |
| 80 | t_net.sh: execute sleep after checking exit code of previous command |
| 81 | maddr: create helper function to populate maddr object from eth_addr |
| 82 | VLAN: add basic VLAN tagging support |
| 83 | maddr: export VLAN ID from client context to maddr object |
| 84 | VLAN: filter multicast and client-to-client unicast traffic |
| 85 | is_ipv_X: add support for parsing IP header inside a 802.1q frame |
| 86 | VLAN: implement support for forwarding only pre-tagged VLAN packets |
| 87 | VLAN: allow forwarding tagged and untagged packets on the server TAP device |
| 88 | VLAN: add documentation to manpage |
| 89 | socks: use the right function when printing struct openvpn_sockaddr |
| 90 | add -Wno-stringop-truncation to CFLAGS on linux |
| 91 | get rid of 'broadcast' argument when configuring the tun device |
| 92 | auth_token_kt: ensure key_type object is initialized |
| 93 | auth.c: make cast explicit in the crypto API |
| 94 | travis: compile with -Werror on Linux |
| 95 | travis: fix CFLAGS assignment error and add -Werror only when compiling on Linux for Linux |
| 96 | sitnl: fix failure reporting by keeping error negative |
| 97 | sitnl: fix TUN/TAP confusion in error messages |
| 98 | sitnl: fix ignoring EEXIST when sending a netlink command |
| 99 | t_net.sh: use dummy interface instead of tun |
| 100 | remove bogus file check on --genkey argument |
| 101 | t_net.sh: assign MAC address directly during interface creation |
| 102 | convert *_inline attributes to bool |
| 103 | options: fix inlining auth-gen-token-secret file |
| 104 | tls-crypt-v2: fix testing of inline key |
| 105 | get rid of INLINE_FILE_TAG constant |
| 106 | pool: prevent IPv6 pools to be larger than 2^16 addresses |
| 107 | pool: allow to configure an IPv6-only ifconfig-pool |
| 108 | allow usage of --server-ipv6 even when no --server is specified |
| 109 | pool: add support for ifconfig-pool-persist with IPv6 only |
| 110 | route: warn on IPv4 routes installation when no IPv4 is configured |
| 111 | options: enable IPv4 redirection logic only if really required |
| 112 | ipv6-pool: get rid of size constraint |
| 113 | pool: remove useless 'options.h' include |
| 114 | multi: skip IPv4 logic in multi_select_virtual_addr() if no pool is configured |
| 115 | multi.c: use mi->cc_config instead of config variable |
| 116 | options: don't leak inline'd key material in logfile |
| 117 | t_net.sh: drop hard dependency on t_client.rc |
| 118 | travis: don't run t_net.sh test |
| 119 | |
| 120 | Arne Schwabe (124): |
| 121 | Set tls-cipher restriction before loading certificates |
| 122 | Print ec bit details, refuse management-external-key if key is not RSA |
| 123 | Replace buffer backed strings for management_android_control with simple stack variables |
| 124 | Treat dhcp-option DNS6 and DNS identical |
| 125 | show the right string for key-direction |
| 126 | Add MTU to Android IFCONFIG6 control command |
| 127 | Properly free tuntap struct on android when emulating persist-tun |
| 128 | Add OpenSSL compat definition for RSA_meth_set_sign |
| 129 | Skip error about ioctl(SIOCGIFCONF) failed on Android |
| 130 | Factor out convert_tls_list_to_openssl method |
| 131 | Remove AUTO_USERID feature |
| 132 | Remove MANAGMENT_EXTERNAL_KEY, MANAGMENT_IN_EXTRA, ENABLE_CLIENT_CR |
| 133 | Add support for tls-ciphersuites for TLS 1.3 |
| 134 | Add better support for showing TLS 1.3 ciphersuites in --show-tls |
| 135 | Use right function to set TLS1.3 restrictions in show-tls |
| 136 | Refuse mbed TLS external key with non RSA certificates |
| 137 | Add message explaining early TLS client hello failure |
| 138 | Add tls-crypt-v2 to the list of supported inline options |
| 139 | Implement block-ipv6 |
| 140 | Fallback to password authentication when auth-token fails |
| 141 | Fix loading inline tls-crypt-v2 keys with mbed TLS |
| 142 | Refactor tls_crypt_v2_write_server_key_file into crypto.c |
| 143 | Add send_control_channel_string_dowork variant |
| 144 | Rename tls_crypt_v2_read_keyfile into generic pem_read_key_file |
| 145 | Fix poll.h logic in syshead.h |
| 146 | Write key to stdout if filename is not given |
| 147 | Implement --genkey type keyfile syntax and migrate tls-crypt-v2 |
| 148 | Add generate_ephemeral_key that allows a random ephemeral key |
| 149 | Remove -no-cpp-precomp flag from Darwin builds |
| 150 | Fix check if iface name is set |
| 151 | Adjust Android code after sitnl patch merge |
| 152 | Rewrite auth-token-gen to be based on HMAC based tokens |
| 153 | Implement a permanent session id in auth-token |
| 154 | Sent indication that a session is expired to clients |
| 155 | Implement unit tests for auth-gen-token |
| 156 | Make tls_version_max return the actual maximum version |
| 157 | Add support for OpenSSL TLS 1.3 when using management-external-key |
| 158 | Document tls-ciphersuites also in --help output |
| 159 | Only announce IV_NCP=2 when we are willing to support these ciphers |
| 160 | Add strsep compat function |
| 161 | Implement dynamic NCP negotiation |
| 162 | Warn about insecure ciphers also in init_key_type |
| 163 | Move NCP related function into a separate file and add unit tests |
| 164 | Normalise ncp-ciphers option and restrict it to 127 bytes |
| 165 | Fetch OpenSSL versions via source/old links |
| 166 | Fix OpenSSL error stack handling of tls_ctx_add_extra_certs |
| 167 | Fix off-by-one in tls-crypt-v2 client wrapping with custom metadata |
| 168 | Fix OpenSSL 1.1.1 not using auto elliptic curve selection |
| 169 | Refactor counting number of element in a : delimited list into function |
| 170 | Minor style change to improve code style |
| 171 | Another round of uncrustify code cleanup. |
| 172 | Fix tls_ctx_client/server_new leaving error on OpenSSL error stack |
| 173 | Add tls-crypt-v2 test writing metadata |
| 174 | Use crypto library functions for const time memcmp when possible |
| 175 | Fix session id in env missing first byte |
| 176 | Document renewal mechanic of auth-token in manual |
| 177 | Fix session id and initial timestamp not being preserved |
| 178 | Do not write extra 0 byte for --gen-key with auth-token/tls-crypt-v2 |
| 179 | Refuse server mode on Android |
| 180 | Add .git-blame-ignore-revs with reformat commits |
| 181 | Make cipher_kt_name always return normalised cipher name |
| 182 | Make cipher_kt_get also accept OpenVPN config cipher name |
| 183 | Implement parsing and sending INFO and INFO_PRE control messages |
| 184 | Implement support for signalling IV_SSO to server |
| 185 | Implement sending response to challenge via CR_RESPONSE |
| 186 | Implement sending AUTH_PENDING challenges to clients |
| 187 | Implement forwarding client CR_RESPONSE messages to management |
| 188 | Add unit test for cipher name translations |
| 189 | Make compression asymmetric by default and add warnings |
| 190 | Reformat files using uncrustify |
| 191 | Remove parameter config from multi_client_connect_mda |
| 192 | Remove push_reply_deferred variable |
| 193 | Remove did_open_context, defined and connection_established_flag |
| 194 | merge key_state->authenticated and key_state->auth_deferred |
| 195 | Simplify multi_connection_established. |
| 196 | Deprecate ncp-disable and add improved ncp to Changes.rst |
| 197 | Make key_state->authenticated more state machine like |
| 198 | Extract process_incoming_push_reply from process_incoming_push_msg |
| 199 | Removed unused definition |
| 200 | Code cleanup: remove superfluous variable |
| 201 | Move protocol option negotiation from push_prepare to new function |
| 202 | Generate data channel keys after connect options have been parsed |
| 203 | Cleanup: Remove special case code for old poor man's NCP. |
| 204 | Allow changing fallback cipher from ccd files/client-connect |
| 205 | client-connect: Change cas_context from int to enum |
| 206 | client-connect: Move adding inotify watch into its own function |
| 207 | reformat multi_client_generate_tls_keys according to uncrustify |
| 208 | client-connect: Add CC_RET_DEFERRED and cope with deferred client-connect |
| 209 | Remove CAS_PARTIAL state |
| 210 | client-connect: Use inotify for the deferred client-connect status file |
| 211 | client-connect: Implement deferred connect support for plugin API v2 |
| 212 | Drop support for OpenSSL 1.0.1 |
| 213 | Require AEAD support in the crypto library |
| 214 | Remove key-method 1 |
| 215 | Remove ENABLE_OCC #define |
| 216 | Implement tls-groups option to specify elliptic curves/groups |
| 217 | Avoid sending --cipher to clients not supporting NCP |
| 218 | Indicate that a client is in pull mode in IV_PROTO |
| 219 | Deprecate --inetd |
| 220 | Include utun device number in utun error messages |
| 221 | Simplify calling logic of check_connection_established_dowork |
| 222 | Avoid sending push request after receiving push reply |
| 223 | Rename ncp-ciphers to data-ciphers |
| 224 | Add a note that ncp-ciphers is replaced by data-ciphers |
| 225 | client-connect: Add documentation for the deferred client connect feature |
| 226 | Rework NCP compatibility logic and drop BF-CBC support by default |
| 227 | Document different behaviour of dynamic cipher negotiation |
| 228 | Minor cleanup in push.c |
| 229 | Clean up a number of leftover C89 initialisations in ssl.c |
| 230 | Remove buf argument from link_socket_set_outgoing_addr |
| 231 | Remove a number of check/do_work wrapper calls from coarse_timers |
| 232 | Split pf_check_reload check and check timer in process_coarse_timers |
| 233 | Rename check_ping_restart_dowork to trigger_ping_timeout_signal |
| 234 | Eliminate check_fragment function |
| 235 | Eliminate check_incoming_control_channel wrapper function |
| 236 | Eliminate check_tls wrapper function |
| 237 | Merge check_coarse_timers and check_coarse_timers_dowork |
| 238 | Skip existing interfaces on opening the first available utun on macOS |
| 239 | Move parsing IV_PROTO to separate function |
| 240 | Remove S_OP_NORMAL key state. |
| 241 | Document comp-lzo no and compress being incompatible |
| 242 | Refactor/Reformat tls_pre_decrypt |
| 243 | Cleanup tls_pre_decrypt_lite and tls_pre_encrypt |
| 244 | Improve sections about older OpenVPN clients in cipher-negotiation.rst |
| 245 | |
| 246 | Bertrand Bonnefoy-Claudet (1): |
| 247 | Fix typo in error message: "optione" -> "option" |
| 248 | |
| 249 | Christian Ehrhardt (1): |
| 250 | systemd: extend CapabilityBoundingSet for auth_pam |
| 251 | |
| 252 | Christian Hesse (7): |
| 253 | man: fix formatting for alternative option |
| 254 | systemd: Use automake tools to install unit files |
| 255 | systemd: Do not race on RuntimeDirectory |
| 256 | systemd: Add more security feature for systemd units |
| 257 | Clean up plugin path handling |
| 258 | plugin: Remove GNUism in openvpn-plugin.h generation |
| 259 | fix typo in notification message |
| 260 | |
| 261 | Christopher Schenk (3): |
| 262 | Set the correct mtu on windows based systems |
| 263 | Log a note if someone wants to set a MTU below 1280 on IPv6 |
| 264 | Unified success messages for setting mtu |
| 265 | |
| 266 | Conrad Hoffmann (2): |
| 267 | Use provided env vars in up/down script. |
| 268 | Document down-root plugin usage in client.down |
| 269 | |
| 270 | David Sommerseth (72): |
| 271 | dev-tools: Added script for updating copyright years in files |
| 272 | dev-tools: Added script for updating copyright years in files |
| 273 | Update copyrights |
| 274 | Update copyrights |
| 275 | docs: Further enhance the documentation related to SWEET32 |
| 276 | docs: Further enhance the documentation related to SWEET32 |
| 277 | man: Remove references to no longer present IV_RGI6 peer-info |
| 278 | man: Remove references to no longer present IV_RGI6 peer-info |
| 279 | build: Ensure Changes.rst is shipped and installed as a doc file |
| 280 | build: Ensure Changes.rst is shipped and installed as a doc file |
| 281 | Preparing OpenVPN v2.4.0 release |
| 282 | management: >REMOTE operation would overwrite ce change indicator |
| 283 | management: Remove a redundant #ifdef block |
| 284 | git: Merge .gitignore files into a single file |
| 285 | systemd: Move the READY=1 signalling to an earlier point |
| 286 | dev-tools: Simple tool which automates rebasing LZ4 compat library |
| 287 | dev-tools: lz4-rebaser tool carried a typo |
| 288 | plugin: Improve the handling of default plug-in directory |
| 289 | cleanup: Remove faulty env processing functions |
| 290 | auth-token: Ensure tokens are always wiped on de-auth |
| 291 | docs: Fixed man-page warnings discovered by rpmlint |
| 292 | Make --cipher/--auth none more explicit on the risks |
| 293 | Require minimum OpenSSL 1.0.1 |
| 294 | Fix broken ./configure on systems without openssl.pc |
| 295 | plugin: Fix documentation typo for type_mask |
| 296 | plugin: Export secure_memzero() to plug-ins |
| 297 | crypto: Enable SHA256 fingerprint checking in --verify-hash |
| 298 | copyright: Update GPLv2 license texts |
| 299 | dev-tools: Script generating the source releases in an automated fashion |
| 300 | auth-token with auth-nocache fix broke --disable-crypto builds |
| 301 | doc: The CRL processing is not a deprecated feature |
| 302 | cleanup: Move write_pid() to where it is being used |
| 303 | contrib: Remove keychain-mcd code |
| 304 | cleanup: Move init_random_seed() to where it is being used |
| 305 | Highlight deprecated features |
| 306 | Use consistent version references |
| 307 | docs: Replace all PolarSSL references to mbed TLS |
| 308 | systemd: Ensure systemd shuts down OpenVPN in a proper way |
| 309 | systemd: Enable systemd's auto-restart feature for server profiles |
| 310 | lz4: Move towards a newer LZ4 API |
| 311 | lz4: Fix confused version check |
| 312 | lz4: Fix broken builds when pkg-config is not present but system library is |
| 313 | Remove references to keychain-mcd in Changes.rst |
| 314 | lz4: Rebase compat-lz4 against upstream v1.7.5 |
| 315 | systemd: Add and ship README.systemd |
| 316 | Update copyright to include 2018 plus company name change |
| 317 | man: Add .TQ groff support macro |
| 318 | man: Reword --management to prefer unix sockets over TCP |
| 319 | management: Warn if TCP port is used without password |
| 320 | plugin: Export base64 encode and decode functions |
| 321 | build: Fix build warnings related to get_random() |
| 322 | build: Fix another compile warning in console_systemd.c |
| 323 | cleanup: Remove RPM openvpn.spec build approach |
| 324 | docs: Update INSTALL |
| 325 | build: Package missing mock_msg.h |
| 326 | auth-token: Fix building with --disable-server |
| 327 | auth-token: Fix compiler complaints with --disable-management |
| 328 | Improve the comments related to auth-token-hmac patches |
| 329 | Documented all the argv related code with minor refactoring |
| 330 | build: Remove --disable-server from ./configure |
| 331 | options: Fix failing inline tls-auth/crypt with persist-key |
| 332 | options: Restore --tls-crypt-v2 inline file capability |
| 333 | doc/man: convert openvpn.8 to split-up .rst files |
| 334 | doc/man: Mark compression options as deprecated |
| 335 | doc/man: Adopt compression documentation |
| 336 | doc/man: Documentation for --bind-dev / VRFs on Linux |
| 337 | doc/man: Add missing renegotiation.rst to Makefile.am |
| 338 | Remove --no-iv |
| 339 | doc/man: Do not install man *.rst files |
| 340 | travis: Fix make distcheck failure |
| 341 | Remove --ifconfig-pool-linear |
| 342 | Remove --client-cert-not-required |
| 343 | |
| 344 | Domagoj Pensa (2): |
| 345 | Fix linking issues on MinGW |
| 346 | Skip DNS address validation |
| 347 | |
| 348 | Emmanuel Deloget (20): |
| 349 | OpenSSL: check for the SSL reason, not the full error |
| 350 | OpenSSL: don't use direct access to the internal of X509_STORE_CTX |
| 351 | OpenSSL: don't use direct access to the internal of SSL_CTX |
| 352 | OpenSSL: don't use direct access to the internal of X509_STORE |
| 353 | OpenSSL: don't use direct access to the internal of X509_OBJECT |
| 354 | OpenSSL: don't use direct access to the internal of RSA_METHOD |
| 355 | OpenSSL: SSLeay symbols are no longer available in OpenSSL 1.1 |
| 356 | OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit() |
| 357 | OpenSSL: don't use direct access to the internal of X509 |
| 358 | OpenSSL: don't use direct access to the internal of EVP_PKEY |
| 359 | OpenSSL: don't use direct access to the internal of RSA |
| 360 | OpenSSL: don't use direct access to the internal of DSA |
| 361 | OpenSSL: force meth->name as non-const when we free() it |
| 362 | OpenSSL: don't use direct access to the internal of EVP_MD_CTX |
| 363 | OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX |
| 364 | OpenSSL: don't use direct access to the internal of HMAC_CTX |
| 365 | OpenSSL: remove pre-1.1 function from the OpenSSL compat interface |
| 366 | OpenSSL: remove EVP_CIPHER_CTX_new() from the compat layer |
| 367 | OpenSSL: remove EVP_CIPHER_CTX_free() from the compat layer |
| 368 | OpenSSL: check EVP_PKEY key types before returning the pkey |
| 369 | |
| 370 | Eric Thorpe (1): |
| 371 | Fix Building Using MSVC |
| 372 | |
| 373 | Fabian Knittel (7): |
| 374 | client-connect: Split multi_connection_established into separate functions |
| 375 | client-connect: Refactor multi_client_connect_source_ccd |
| 376 | client-connect: Move multi_client_connect_setenv into early_setup |
| 377 | client-connect: Refactor to use return values instead of modifying a passed-in flag |
| 378 | client-connect: Refactor client-connect handling to calling a bunch of hooks in a loop |
| 379 | client-connect: Add deferred support to the client-connect script handler |
| 380 | client-connect: Add deferred support to the client-connect v1 plugin handler |
| 381 | |
| 382 | Gert Doering (51): |
| 383 | Remove IV_RGI6=1 peer-info signalling. |
| 384 | Remove IV_RGI6=1 peer-info signalling. |
| 385 | Add openssl_compat.h to openvpn_SOURCES |
| 386 | Fix '--dev null' |
| 387 | Fix installation of IPv6 host route to VPN server when using iservice. |
| 388 | Make ENABLE_OCC no longer depend on !ENABLE_SMALL |
| 389 | Fix NCP behaviour on TLS reconnect. |
| 390 | Remove erroneous limitation on max number of args for --plugin |
| 391 | proxy.c refactoring: remove always-NULL gc parameter |
| 392 | Fix edge case with clients failing to set up cipher on empty PUSH_REPLY. |
| 393 | Fix potential 1-byte overread in TCP option parsing. |
| 394 | Fix remotely-triggerable ASSERT() on malformed IPv6 packet. |
| 395 | Update Changes.rst with relevant info for 2.4.3 release. |
| 396 | Remove warning on pushed tun-ipv6 option. |
| 397 | Fix removal of on-link prefix on windows with netsh |
| 398 | Fix potential double-free() in Interactive Service (CVE-2018-9336) |
| 399 | Add %d, %u and %lu tests to test_argv unit tests. |
| 400 | Extend push-remove to also handle 'ifconfig'. |
| 401 | Print lzo_init() return code in case of errors |
| 402 | Uncrustify sample-plugin sources according to code style |
| 403 | uncrustify openvpnserv/ sources |
| 404 | uncrustify openvpn/ sources |
| 405 | Add 'printing of port number' to mroute_addr_print_ex() for v4-mapped v6. |
| 406 | Stop complaining about IPv6 routes without gateway address. |
| 407 | Copy one byte less in strncpynt() |
| 408 | Remove cmocka submodule, rely on system-wide installation instead. |
| 409 | Increase listen() backlog queue to 32 |
| 410 | repair tap mode on OpenSolaris/OpenIndiana |
| 411 | Fix IPv6 routes on tap interfaces on OpenSolaris/OpenIndiana |
| 412 | OpenSolaris/OpenIllumos: use /bin/bash if available for test scripts. |
| 413 | Force combination of --socks-proxy and --proto UDP to use IPv4. |
| 414 | Uncrustify the tests/unit_tests/ part of our tree. |
| 415 | Change client side of t_lpback.sh configs to use inline material. |
| 416 | Simplify pool size handling, fix possible array overrun on pool reading. |
| 417 | Change timestamps in file-based logging to ISO 8601 time format. |
| 418 | Depreciation warning for --topology net30 on servers with IPv4 pools. |
| 419 | Convert plugin/auth-pam.c from stderr logging to plugin_log(). |
| 420 | Add c1ff8f247f91c88a2df5502eeedf42857f9a6831 (engine, pool, SSO) to .git-blame-ignore-revs |
| 421 | Linux: do not change --txqueuelen OS default if not configured. |
| 422 | Fix 'engine' unit test on FreeBSD (specifically 'not GNU make') |
| 423 | t_client.sh: correctly report all failed instances in summary |
| 424 | Remove --writepid file on program exit. |
| 425 | Handle connecting clients without NCP or OCC without crashing. |
| 426 | Add deferred authentication support to plugin-auth-pam |
| 427 | Separate handling of non-deferred return values for client-connect-scripts. |
| 428 | Repair --inetd |
| 429 | Fix sequence of events for async plugin v1 handler. |
| 430 | Abort client-connect handler loop after first handler sets 'disable'. |
| 431 | Add depreciation notice for --ncp-disable to protocol-options.rst |
| 432 | Changes.rst updates in preparation to 2.5_beta1 |
| 433 | Preparing release 2.5_beta1 |
| 434 | |
| 435 | Gert van Dijk (7): |
| 436 | Warn that DH config option is only meaningful in a tls-server context |
| 437 | Add generated openvpn.doxyfile to .gitignore |
| 438 | manpage: improve description of --status and --status-version |
| 439 | Add negotiated cipher to status file format 2 and 3 |
| 440 | Minor reliability layer documentation fixes |
| 441 | Make second parameter to reliable_send_purge() const |
| 442 | Remove unneeded newline in debug message in reliable.c |
| 443 | |
| 444 | Gisle Vanem (2): |
| 445 | Crash in options.c |
| 446 | Wrong FILETYPE in .rc files |
| 447 | |
| 448 | Guido Vranken (6): |
| 449 | refactor my_strupr |
| 450 | Fix 2 memory leaks in proxy authentication routine |
| 451 | Fix memory leak in add_option() for option 'connection' |
| 452 | Ensure option array p[] is always NULL-terminated |
| 453 | Fix a null-pointer dereference in establish_http_proxy_passthru() |
| 454 | Prevent two kinds of stack buffer OOB reads and a crash for invalid input data |
| 455 | |
| 456 | Heiko Hund (3): |
| 457 | re-implement argv_printf_*() |
| 458 | argv: do fewer memory re-allocations |
| 459 | Add gc_arena to struct argv to save allocations |
| 460 | |
| 461 | Hilko Bengen (1): |
| 462 | Do not set pkcs11-helper 'safe fork mode' |
| 463 | |
| 464 | Hristo Venev (1): |
| 465 | Fix extract_x509_field_ssl for external objects, v2 |
| 466 | |
| 467 | Ilya Shipitsin (18): |
| 468 | Resolve several travis-ci issues |
| 469 | github: Add PR template with contributor related information |
| 470 | travis-ci: add 'make distcheck' to test scenario, V2 |
| 471 | travis-ci: remove unused files |
| 472 | v4, travis-ci: add 2 mingw "build only" configurations |
| 473 | travis-ci: added gcc and clang openssl-1.1.0 builds |
| 474 | travis-ci: update openssl to 1.0.2l, update mbedtls to 2.5.1 |
| 475 | travis-ci: update pkcs11-helper to 1.22 |
| 476 | travis-ci: add brew cache, remove ccache |
| 477 | travis-ci: modify openssl build script to support openssl-1.1.0 |
| 478 | travis-ci: cleanup, refactor, upgrade ssl libraries |
| 479 | travis-ci: add "linux-ppc64le" to build matrix |
| 480 | travis-ci: change trusty image to xenial |
| 481 | travis-ci: update osx to xcode9.4 and modernize brew management |
| 482 | configure.ac: fix compile-time error in argv_testdriver |
| 483 | travis-ci: fix osx builds |
| 484 | travis-ci: update components versions |
| 485 | travis-ci: add arm64, s390x builds. |
| 486 | |
| 487 | James Bekkema (2): |
| 488 | Resolves small IV_GUI_VER typo in the documentation. |
| 489 | Adds support for setting the default IPv6 gateway for routes using the route-ipv6-gateway option. |
| 490 | |
| 491 | James Bottomley (7): |
| 492 | autoconf: Fix engine checks for openssl 1.1 |
| 493 | openssl: add engine method for loading the key |
| 494 | crypto_openssl: add initialization to pick up local configuration |
| 495 | crypto_openssl: add include for openssl/conf.h |
| 496 | Add unit tests for engine keys |
| 497 | Fix make distcheck for new engine key unit test |
| 498 | engine-key tests: make check_engine_keys.sh work with --enable-small |
| 499 | |
| 500 | Jan Just Keijser (1): |
| 501 | Added support for DHCP option 119 (dns search suffix list) for Windows. |
| 502 | |
| 503 | Jeremie Courreges-Anglas (5): |
| 504 | Cast time_t to long long in order to print it. |
| 505 | Print time_t as long long and suseconds_t as long |
| 506 | Cast and print another suseconds_t as long |
| 507 | Use long long to format time_t-related environment variables |
| 508 | Fix build with LibreSSL |
| 509 | |
| 510 | Jeremy Evans (1): |
| 511 | Switch assertion failure to returning false |
| 512 | |
| 513 | Jonathan K. Bullard (1): |
| 514 | Clarify and expand management interface documentation |
| 515 | |
| 516 | Jonathan Tooker (1): |
| 517 | Fix various spelling mistakes |
| 518 | |
| 519 | Joost Rijneveld (1): |
| 520 | Make return code external tls key match docs |
| 521 | |
| 522 | Jérémie Courrèges-Anglas (2): |
| 523 | Fix an unaligned access on OpenBSD/sparc64 |
| 524 | Missing include for socket-flags TCP_NODELAY on OpenBSD |
| 525 | |
| 526 | Kyle Evans (1): |
| 527 | tests/t_lpback.sh: Switch sed(1) to POSIX-compatible regex. |
| 528 | |
| 529 | Lev Stipakov (46): |
| 530 | win: support for Visual Studio 2017 |
| 531 | Refactor NCP-negotiable options handling |
| 532 | init.c: refine functions names and description |
| 533 | openvpnserv: clarify return values type |
| 534 | crypto.h: remove unused function declaration |
| 535 | interactive.c: fix usage of potentially uninitialized variable |
| 536 | options.c: fix broken unary minus usage |
| 537 | Introduce openvpn_swprintf() with nul termination guarantee |
| 538 | Wrap openvpn_swprintf into Windows define |
| 539 | test_tls_crypt.c: fix global-buffer-overflow found by AddressSanitizer |
| 540 | crypto_openssl.c: fix heap-buffer-overflow found by AddressSanitizer |
| 541 | Fix various compiler warnings |
| 542 | Fix broken fragment/mssfix with NCP |
| 543 | crypto.c: fix Visual Studio build |
| 544 | tun.h: change tun_set() return value type to void |
| 545 | tun.h: remove TUN_PASS_BUFFER define |
| 546 | tapctl: add optional 'hardware id' parameter |
| 547 | vcxproj: add missing source files |
| 548 | push.c: fix Visual Studio build |
| 549 | Visual Studio: make it easier to build with VS |
| 550 | msvc: OpenSSL 1.1.x support |
| 551 | travis: add Visual Studio build |
| 552 | Visual Studio: upgrade project files to VS2019 |
| 553 | wintun: add --windows-driver config option |
| 554 | wintun: implement opening wintun device |
| 555 | travis: bump MSVC to 2019 |
| 556 | travis: bump clang version |
| 557 | wintun: ring buffers based I/O |
| 558 | wintun: interactive service support |
| 559 | wintun: set adapter properties via interactive service |
| 560 | wintun: clear adapter settings on tun close |
| 561 | tun.c: refactor open_tun() implementation |
| 562 | tun.c: do not add/remove on-link IPv4 route on tun open/close |
| 563 | options.c: do not force route delay when not using DHCP |
| 564 | configure.ac: simplify AC_CHECK_FUNCS statements |
| 565 | cryptoapi.c: fix run-time check failure in msvc debugger |
| 566 | interactive.c: remove unused function |
| 567 | tun.c: fix 'use after free' error |
| 568 | Fix building with --enable-async-push in FreeBSD |
| 569 | Fix broken async push with NCP is used |
| 570 | Fix illegal client float (CVE-2020-11810) |
| 571 | msvc: fix various level2 warnings |
| 572 | tap.c: fix adapter renaming |
| 573 | Improve Windows version detection with manifest |
| 574 | wintun: remove SYSTEM elevation hack |
| 575 | Fix compilation with --disable-lzo and --disable-lz4 |
| 576 | |
| 577 | Matthias Andree (3): |
| 578 | Make openvpn-plugin.h self-contained again. |
| 579 | Merge Makefile.am's AUTOMAKE_OPTIONS into configure.ac's AM_INIT_AUTOMAKE. |
| 580 | Fix stack buffer overruns in NEXTADDR() macro: |
| 581 | |
| 582 | Maxim Plotnikov (1): |
| 583 | OpenSSL: Fix --crl-verify not loading multiple CRLs in one file |
| 584 | |
| 585 | Maximilian Wilhelm (1): |
| 586 | Add --bind-dev option. |
| 587 | |
| 588 | Michal Soltys (1): |
| 589 | man: correct the description of --capath and --crl-verify regarding CRLs |
| 590 | |
| 591 | Mykola Baibuz (1): |
| 592 | Fix typo in NTLM proxy debug message |
| 593 | |
| 594 | Olivier Wahrenberger (1): |
| 595 | Fix building with LibreSSL 2.5.1 by cleaning a hack. |
| 596 | |
| 597 | Richard Bonhomme (3): |
| 598 | man: Corrections to doc/openvpn.8 |
| 599 | Ignore --pull-filter for --mode server |
| 600 | doc/man: Update --txqueuelen default setting (Now OS default) |
| 601 | |
| 602 | Richard van den Berg via Openvpn-devel (1): |
| 603 | Fix error message when using RHEL init script |
| 604 | |
| 605 | Rosen Penev (2): |
| 606 | Remove wrong poll.h include |
| 607 | openssl: Fix compilation without deprecated OpenSSL 1.1 APIs |
| 608 | |
| 609 | Samy Mahmoudi (1): |
| 610 | man: correct a --redirection-gateway option flag |
| 611 | |
| 612 | Santtu Lakkala (1): |
| 613 | Fix OpenSSL private key passphrase notices |
| 614 | |
| 615 | Selva Nair (55): |
| 616 | Fix push options digest update |
| 617 | Always release dhcp address in close_tun() on Windows. |
| 618 | Add a check for -Wl, --wrap support in linker |
| 619 | Fix user's group membership check in interactive service to work with domains |
| 620 | In auth-pam plugin clear the password after use |
| 621 | Pass correct buffer size to GetModuleFileNameW() |
| 622 | Check whether in pull_mode before warning about previous connection blocks |
| 623 | Avoid illegal memory access when malformed data is read from the pipe |
| 624 | Fix missing check for return value of malloc'd buffer |
| 625 | Return NULL if GetAdaptersInfo fails |
| 626 | Use RSA_meth_free instead of free |
| 627 | Bring cryptoapi.c upto speed with openssl 1.1 |
| 628 | Add SSL_CTX_get_max_proto_version() not in openssl 1.0 |
| 629 | TLS v1.2 support for cryptoapicert -- RSA only |
| 630 | Refactor ssl_openssl.c in prep for external EC key support |
| 631 | Refactor get_interface_metric to return metric and auto flag separately |
| 632 | Add management client version |
| 633 | Prompt for signature using '>PK_SIGN' if the client supports it |
| 634 | Allow external EC key through --management-external-key |
| 635 | Ensure strings read from registry are null-terminated |
| 636 | Make most registry values optional |
| 637 | Use lowest metric interface when multiple interfaces match a route |
| 638 | Move code to free cd to a function CAPI_DATA_free() |
| 639 | Disable external ec key support when building with libressl |
| 640 | Adapt to RegGetValue brokenness in Windows 7 |
| 641 | Fix format spec errors in Windows builds |
| 642 | Move setting private key to a function in prep for EC support |
| 643 | Support EC certificates with cryptoapicert |
| 644 | Delete the IPv6 route to the "connected" network on tun close |
| 645 | Management: warn about password only when the option is in use |
| 646 | Avoid overflow in wakeup time computation |
| 647 | Replace M_DEBUG with D_LOW as the former is too verbose |
| 648 | Correct the declaration of handle in 'struct openvpn_plugin_args_open_return' |
| 649 | Parse static challenge response in auth-pam plugin |
| 650 | Bump version of openvpn plugin argument structs to 5 |
| 651 | Accept empty password and/or response in auth-pam plugin |
| 652 | Pass the hash without the DigestInfo header to NCryptSignHash() |
| 653 | Move get system directory to a separate function |
| 654 | Enable dhcp on tap adapter using interactive service |
| 655 | Refactor sending commands to interactive service |
| 656 | Declare Windows version of openvpn_execve() before use |
| 657 | White-list pull-filter and script-security in interactive service |
| 658 | Move OpenSSL vs CNG signature digest type mapping to a function |
| 659 | Handle PSS padding in cryptoapicert |
| 660 | Better error message when script fails due to script-security setting |
| 661 | Correct the return value of cryptoapi RSA signature callbacks |
| 662 | Fix ACL_CHECK_ADD_COMPILE_FLAGS to work with clang |
| 663 | Swap the order of checks for validating interactive service user |
| 664 | Skip expired certificates in Windows certificate store |
| 665 | Allow unicode search string in --cryptoapicert option |
| 666 | Fix possibly uninitialized return value in GetOpenvpnSettings() |
| 667 | Fix possible access of uninitialized pipe handles |
| 668 | Move querying username/password from management to a function |
| 669 | When auth-user-pass file has no password query the management interface (if available). |
| 670 | Persist management-query-remote and proxy prompts |
| 671 | |
| 672 | Simon Matter (2): |
| 673 | Fix segfault when using crypto lib without AES-256-CTR or SHA256 |
| 674 | Add per session pseudo-random jitter to --reneg-sec intervals |
| 675 | |
| 676 | Simon Rozman (67): |
| 677 | Local functions are not supported in MSVC. Bummer. |
| 678 | Mixing wide and regular strings in concatenations is not allowed in MSVC. |
| 679 | RtlIpv6AddressToStringW() and RtlIpv4AddressToStringW() require mstcpip.h |
| 680 | Simplify iphlpapi.dll API calls |
| 681 | Fix local #include to use quoted form |
| 682 | Document ">PASSWORD:Auth-Token" real-time message |
| 683 | Fix typo in "verb" command examples |
| 684 | Uniform swprintf() across MinGW and MSVC compilers |
| 685 | MSVC meta files added to .gitignore list |
| 686 | openvpnserv: Review MSVC down-casting warnings |
| 687 | openvpnserv: Add support for multi-instances |
| 688 | Document missing OpenVPN states |
| 689 | Add Interactive Service developer documentation |
| 690 | Change quoted to angled form when #including external .h files |
| 691 | Signed/unsigned warnings of MSVC resolved |
| 692 | Reference msvc-generate from compat to assure correct build order |
| 693 | msvc: Move common project settings to reusable property sheets |
| 694 | msvc: Unify Unicode/MultiByte string setting across all cfg|plat |
| 695 | Introduce tapctl.exe utility and openvpnmsica.dll MSI CA |
| 696 | Set output name to libopenvpnmsica.dll in MSVC builds too |
| 697 | Prevent __stdcall name mangling of MSVC |
| 698 | Define _WIN32_WINNT=_WIN32_WINNT_VISTA in MSVC |
| 699 | Add MSI custom action for reliable Windows 10 detection |
| 700 | Detect TAP interfaces with root-enumerated hardware ID |
| 701 | Change C++ to C comments |
| 702 | Make MSI custom action debug pop-up more informative |
| 703 | Delete TAP interface before the TAP driver is uninstalled |
| 704 | Add detection of active VPN connections for MSI packages |
| 705 | Add a MSI custom actions to close and relaunch OpenVPN GUI |
| 706 | Make DriverCertification MSI property public |
| 707 | Extend FindSystemInfo custom action to detect OpenVPNService state |
| 708 | Uncrustify tapctl and openvpnmsica |
| 709 | Strip _stdcall suffixes (@nn) for 32-bit builds |
| 710 | Detect missing TAP driver and bail out gracefully |
| 711 | Disambiguate thread local storage references from TLS |
| 712 | Add NULL checks |
| 713 | Add user manual and developer notes URL for tapctl.exe |
| 714 | Refactor OpenVPNService state detection code |
| 715 | Add developer notes URL for openvpnmsica.dll |
| 716 | Limit tapctl.exe and openvpnmsica.dll to TAP-Windows6 adapters only |
| 717 | msvc: Add vlan.c/h |
| 718 | tun.c: make Windows device lookup functions more general |
| 719 | tun.c: upgrade get_device_guid() to return the Windows driver type |
| 720 | tun.c: make wintun_register_ring_buffer() non-fatal on failures |
| 721 | wintun: register ring buffers when iterating adapters |
| 722 | wintun: add support for --dev-node |
| 723 | tun.c: reword the at_least_one_tap_win() error |
| 724 | wintun: stop sending TAP-Windows6 ioctls to NDIS device |
| 725 | wintun: refactor code to use enum driver type |
| 726 | tun.c: refactor driver detection and make it case-insensitive |
| 727 | tun.c: uncrustify |
| 728 | wintun: check for conflicting options |
| 729 | openvpnmsica: Remove required Windows driver certification detection |
| 730 | openvpnmsica: Fix TAPInterface.DisplayName field interpretation |
| 731 | tapctl: Update documentation |
| 732 | wintun: upgrade error message in case of ring registration failure |
| 733 | tun.c: reorder IPv6 ifconfig on Windows |
| 734 | tapctl: Add functions for enabling/disabling adapters |
| 735 | openvpnmsica: Revise MSI custom actions interop |
| 736 | openvpnmsica: Simplify static function names |
| 737 | openvpnmsica, tapctl: "interface" => "adapter" |
| 738 | openvpnmsica: "TAP" => "TUN/TAP" |
| 739 | openvpnmsica: Extend to support arbitrary HWID network adapters |
| 740 | openvpnmsica, tapctl: Revise default hardware ID management |
| 741 | openvpnmsica: Merge FindTUNTAPAdapters into FindSystemInfo |
| 742 | tapctl: Support multiple hardware IDs |
| 743 | tun.c: revise the IPv4 ifconfig flow on Windows |
| 744 | |
| 745 | Stefan Strogin (1): |
| 746 | Use correct ifdefs for LibreSSL support |
| 747 | |
| 748 | Steffan Karger (126): |
| 749 | Bump master to version 2.5_git |
| 750 | Document that RSA_SIGN can also request TLS 1.2 signatures |
| 751 | man: encourage user to read on about --tls-crypt |
| 752 | Document that RSA_SIGN can also request TLS 1.2 signatures |
| 753 | man: encourage user to read on about --tls-crypt |
| 754 | Textual fixes for Changes.rst |
| 755 | Textual fixes for Changes.rst |
| 756 | Remove deprecated --no-iv option |
| 757 | More broadly enforce Allman style and braces-around-conditionals |
| 758 | Use SHA256 for the internal digest, instead of MD5 |
| 759 | OpenSSL: 1.1 fallout - fix configure on old autoconf |
| 760 | Fix types in WIN32 socket_listen_accept() |
| 761 | Remove duplicate X509 env variables |
| 762 | Fix non-C99-compliant builds: don't use const size_t as array length |
| 763 | Deprecate --ns-cert-type |
| 764 | Be less picky about keyUsage extensions |
| 765 | cleanup: merge packet_id_alloc_outgoing() into packet_id_write() |
| 766 | Don't run packet_id unit tests for --disable-crypto builds |
| 767 | Fix Changes.rst layout |
| 768 | Fix memory leak in x509_verify_cert_ku() |
| 769 | mbedtls: correctly check return value in pkcs11_certificate_dn() |
| 770 | Restore pre-NCP frame parameters for new sessions |
| 771 | Always clear username/password from memory on error |
| 772 | Document tls-crypt security considerations in man page |
| 773 | Don't assert out on receiving too-large control packets (CVE-2017-7478) |
| 774 | Drop packets instead of assert out if packet id rolls over (CVE-2017-7479) |
| 775 | Log the negotiated (NCP) cipher |
| 776 | Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c) |
| 777 | Skip tls-crypt unit tests if required crypto mode not supported |
| 778 | openssl: fix overflow check for long --tls-cipher option |
| 779 | Add a DSA test key/cert pair to sample-keys |
| 780 | Fix mbedtls fingerprint calculation |
| 781 | mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522) |
| 782 | mbedtls: require C-string compatible types for --x509-username-field |
| 783 | Fix remote-triggerable memory leaks (CVE-2017-7521) |
| 784 | Restrict --x509-alt-username extension types |
| 785 | Fix potential double-free in --x509-alt-username (CVE-2017-7521) |
| 786 | Fix typo in extract_x509_extension() debug message |
| 787 | init_key_ctx: key and iv arguments can (now) be const |
| 788 | Move adjust_power_of_2() to integer.h |
| 789 | Undo cipher push in client options state if cipher is rejected |
| 790 | Remove strerror_ts() |
| 791 | Move openvpn_sleep() to manage.c |
| 792 | fixup: also change missed openvpn_sleep() occurrences |
| 793 | Always use default keysize for NCP'd ciphers |
| 794 | Move create_temp_file() out of #ifdef ENABLE_CRYPTO |
| 795 | sample-plugins: fix ASN1_STRING_to_UTF8 return value checks |
| 796 | Deprecate --keysize |
| 797 | Move run_up_down() to init.c |
| 798 | tls-crypt: introduce tls_crypt_kt() |
| 799 | crypto: create function to initialize encrypt and decrypt key |
| 800 | Add coverity static analysis to Travis CI config |
| 801 | tls-crypt: don't leak memory for incorrect tls-crypt messages |
| 802 | travis: reorder matrix to speed up build |
| 803 | Fix bounds check in read_key() |
| 804 | buffer_list_aggregate_separator(): add unit tests |
| 805 | doxygen: add make target and use relative paths |
| 806 | Simplify and inline clear_buf() |
| 807 | Add --tls-cert-profile option. |
| 808 | pf: clean up temporary files if plugin init fails |
| 809 | pf: reject client if PF plugin is configured, but init fails |
| 810 | Don't throw fatal errors from create_temp_file() |
| 811 | create_temp_file/gen_path: prevent memory leak if gc == NULL |
| 812 | Use P_DATA_V2 for server->client packets too |
| 813 | Fix memory leak in buffer unit tests |
| 814 | travis: use clang's -fsanitize=address to catch more bugs |
| 815 | Don't throw fatal errors from verify_cert_export_cert() |
| 816 | buffer_list_aggregate_separator(): update list size after aggregating |
| 817 | buffer_list_aggregate_separator(): don't exceed max_len |
| 818 | buffer_list_aggregate_separator(): prevent 0-byte malloc |
| 819 | Fix types around buffer_list_push(_data) |
| 820 | ssl_openssl: fix compiler warning by removing getbio() wrapper |
| 821 | Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+ |
| 822 | Add support for TLS 1.3 in --tls-version-{min, max} |
| 823 | tls_ctx_set_tls_versions: move verify_flags to where it is used |
| 824 | Plug memory leak if push is interrupted |
| 825 | Log pre-handshake packet drops using D_MULTI_DROPPED |
| 826 | Enable stricter compiler warnings by default |
| 827 | reliable: remove reliable_unique_retry() |
| 828 | Get rid of ax_check_compile_flag.m4 |
| 829 | mbedtls: don't use API deprecated in mbed 2.7 |
| 830 | Warn if tls-version-max < tls-version-min |
| 831 | Check for more data in control channel |
| 832 | Move env helper functions into their own module/file |
| 833 | man: add security considerations to --compress section |
| 834 | openssl: don't use deprecated SSLEAY/SSLeay symbols |
| 835 | openssl: add missing #include statements |
| 836 | Move file-related functions from misc.c to platform.c |
| 837 | Move execve/run_script helper functions to run_command.c |
| 838 | Add crypto_pem_{encode,decode}() |
| 839 | Introduce buffer_write_file() |
| 840 | mbedtls: print warning if random personalisation fails |
| 841 | Fix memory leak after sighup |
| 842 | Remove unused void_ptr_hash_function and void_ptr_compare_function |
| 843 | Do not load certificate from tls_ctx_use_external_private_key() |
| 844 | mbedtls: make external signing code generic |
| 845 | mbedtls: remove dependency on mbedtls pkcs11 module |
| 846 | Fix memory leak in SSL_CTX_use_certificate |
| 847 | travis: add OpenSSL 1.1 Windows build |
| 848 | Fix use-after-free in tls_ctx_use_management_external_key |
| 849 | Simplify --genkey option syntax |
| 850 | Don't print OCC warnings about 'key-method', 'keydir' and 'tls-auth' |
| 851 | Add support for CHACHA20-POLY1305 in the data channel |
| 852 | List ChaCha20-Poly1305 as stream cipher |
| 853 | mbedtls: don't print unsupported ciphers in insecure cipher list |
| 854 | Fix mbedtls unit tests |
| 855 | buffer_list_aggregate_separator(): simplify code |
| 856 | tls-crypt-v2: add specification to doc/ |
| 857 | tls-crypt-v2: generate tls-crypt-v2 keys |
| 858 | tls-crypt-v2: add unwrap_client_key |
| 859 | tls-crypt-v2: add P_CONTROL_HARD_RESET_CLIENT_V3 opcode |
| 860 | tls-crypt-v2: implement tls-crypt-v2 handshake |
| 861 | tls-crypt-v2: add script hook to verify metadata |
| 862 | tls-crypt-v2: clarify --tls-crypt-v2-genkey man page section |
| 863 | tls-crypt-v2: fix client reconnect bug |
| 864 | Remove deprecated --compat-x509-names and --no-name-remapping |
| 865 | Extend tls-crypt-v2 unit tests |
| 866 | Fix tls-auth/crypt in connection blocks with --persist-key |
| 867 | cmocka: use relative paths |
| 868 | tests: remove dependency on base64 |
| 869 | configure.ac: add lzo CFLAGS/LIBS to the test flags |
| 870 | Update sample configs to use modern cipher, remove static key examples |
| 871 | mbedtls: add RFC 5705 keying material exporter support |
| 872 | Move keying material exporter check from syshead.h to configure.ac |
| 873 | Make openvpn --version exit with exit code 0 |
| 874 | Gently push users towards --data-ciphers in --show-ciphers output |
| 875 | |
| 876 | Steven McDonald (1): |
| 877 | Fix gateway detection with OpenBSD routing domains |
| 878 | |
| 879 | Szilárd Pfeiffer (1): |
| 880 | OpenSSL: Always set SSL_OP_CIPHER_SERVER_PREFERENCE flag |
| 881 | |
| 882 | Thomas Quinot (1): |
| 883 | Fix documentation of tls-verify script argument |
| 884 | |
| 885 | Thomas Veerman via Openvpn-devel (1): |
| 886 | Fix socks_proxy_port pointing to invalid data |
| 887 | |
| 888 | Tom van Leeuwen (1): |
| 889 | mbedTLS: Make sure TLS session survives move |
| 890 | |
| 891 | ValdikSS (1): |
| 892 | Set a low interface metric for tap adapter when block-outside-dns is in use |
| 893 | |
| 894 | Vladislav Grishenko (1): |
| 895 | Log serial number of revoked certificate |
| 896 | |
| 897 | WGH (1): |
| 898 | docs: Add reference to X509_LOOKUP_hash_dir(3) |
| 899 | |
| 900 | hashiz (1): |
| 901 | Fix '--bind ipv6only' |
| 902 | |
| 903 | tincanteksup (1): |
| 904 | Correct error message for --tls-crypt-v2-genkey client |
| 905 | }}} |