| From: cron2 (C. Review) <ge...@op...> - 2025-05-28 19:20:10 |
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1034?usp=email ) Change subject: Remove contrib/pull-resolv-conf ...................................................................... Remove contrib/pull-resolv-conf We have an official solution for this now. Change-Id: Ic30f8514b50f561e7ea8f1ce12d740ac53f202e5 Signed-off-by: Frank Lichtenheld <fr...@li...> Acked-by: Gert Doering <ge...@gr...> Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg31820.html Signed-off-by: Gert Doering <ge...@gr...> --- D contrib/pull-resolv-conf/client.down D contrib/pull-resolv-conf/client.up 2 files changed, 0 insertions(+), 155 deletions(-) diff --git a/contrib/pull-resolv-conf/client.down b/contrib/pull-resolv-conf/client.down deleted file mode 100644 index 0cbb476..0000000 --- a/contrib/pull-resolv-conf/client.down +++ /dev/null 
@@ -1,51 +0,0 @@ -#!/bin/sh - -# Copyright (c) 2005-2018 OpenVPN Inc -# Licensed under the GPL version 2 - -# First version by Jesse Adelman -# someone at boldandbusted dink com -# http://www.boldandbusted.com/ - -# PURPOSE: This script automatically removes the /etc/resolv.conf entries previously -# set by the companion script "client.up". - -# INSTALL NOTES: -# Place this in /etc/openvpn/client.down -# Then, add the following to your /etc/openvpn/<clientconfig>.conf: -# client -# up /etc/openvpn/client.up -# down /etc/openvpn/client.down -# Next, "chmod a+x /etc/openvpn/client.down" - -# USAGE NOTES: -# Note that this script is best served with the companion "client.up" -# script. - -# Tested under Debian lenny with OpenVPN 2.1_rc11 -# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf - -# This runs with the context of the OpenVPN UID/GID -# at the time of execution. This generally means that -# the client "up" script will run fine, but the "down" script -# will require the use of the OpenVPN "down-root" plugin -# which is in the plugins/ directory of the OpenVPN source tree -# The config example above would have to be changed to: -# client -# up /etc/openvpn/client.up -# plugin openvpn-plugin-down-root.so "/etc/openvpn/client.down" - -# A horrid work around, from a security perspective, -# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have -# been WARNED. -PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin - -if type resolvconf >/dev/null 2>&1; then - resolvconf -d "${dev}" -f -elif [ -e /etc/resolv.conf.ovpnsave ] ; then - # cp + rm rather than mv in case it's a symlink - cp /etc/resolv.conf.ovpnsave /etc/resolv.conf - rm -f /etc/resolv.conf.ovpnsave -fi - -exit 0 diff --git a/contrib/pull-resolv-conf/client.up b/contrib/pull-resolv-conf/client.up deleted file mode 100644 index 220aeb7..0000000 --- a/contrib/pull-resolv-conf/client.up +++ /dev/null 
@@ -1,104 +0,0 @@ -#!/bin/sh - -# Copyright (c) 2005-2018 OpenVPN Inc -# Licensed under the GPL version 2 - -# First version by Jesse Adelman -# someone at boldandbusted dink com -# http://www.boldandbusted.com/ - -# PURPOSE: This script automatically sets the proper /etc/resolv.conf entries -# as pulled down from an OpenVPN server. - -# INSTALL NOTES: -# Place this in /etc/openvpn/client.up -# Then, add the following to your /etc/openvpn/<clientconfig>.conf: -# client -# up /etc/openvpn/client.up -# Next, "chmod a+x /etc/openvpn/client.up" - -# USAGE NOTES: -# Note that this script is best served with the companion "client.down" -# script. - -# Tested under Debian lenny with OpenVPN 2.1_rc11 -# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf - -# This runs with the context of the OpenVPN UID/GID -# at the time of execution. This generally means that -# the client "up" script will run fine, but the "down" script -# will require the use of the OpenVPN "down-root" plugin -# which is in the plugins/ directory of the OpenVPN source tree - -# A horrid work around, from a security perspective, -# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have -# been WARNED. -PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin - -# init variables - -i=1 -domains= -fopt= -ndoms=0 -nns=0 -nl=' -' - -# $foreign_option_<n> is something like -# "dhcp-option DOMAIN example.com" (multiple allowed) -# or -# "dhcp-option DNS 10.10.10.10" (multiple allowed) - -# each DNS option becomes a "nameserver" option in resolv.conf -# if we get one DOMAIN, that becomes "domain" in resolv.conf -# if we get multiple DOMAINS, those become "search" lines in resolv.conf -# if we get no DOMAINS, then don't use either domain or search. 
- -while true; do - eval fopt=\$foreign_option_${i} - [ -z "${fopt}" ] && break - - case ${fopt} in - dhcp-option\ DOMAIN\ *) - ndoms=$((ndoms + 1)) - domains="${domains} ${fopt#dhcp-option DOMAIN }" - ;; - dhcp-option\ DNS\ *) - nns=$((nns + 1)) - if [ $nns -le 3 ]; then - dns="${dns}${dns:+$nl}nameserver ${fopt#dhcp-option DNS }" - else - printf "%s\n" "Too many nameservers - ignoring after third" >&2 - fi - ;; - *) - printf "%s\n" "Unknown option \"${fopt}\" - ignored" >&2 - ;; - esac - i=$((i + 1)) -done - -ds="" -if [ $ndoms -eq 1 ]; then - ds="${nl}domain" -elif [ $ndoms -gt 1 ]; then - ds="${nl}search" -fi - -# This is the complete file - "$domains" has a leading space already -out="# resolv.conf autogenerated by ${0} (${dev})${nl}${dns}${ds}${domains}" - -# use resolvconf if it's available -if type resolvconf >/dev/null 2>&1; then - printf "%s\n" "${out}" | resolvconf -a "${dev}" -else - # Preserve the existing resolv.conf - if [ -e /etc/resolv.conf ] ; then - cp /etc/resolv.conf /etc/resolv.conf.ovpnsave - fi - printf "%s\n" "${out}" > /etc/resolv.conf - chmod 644 /etc/resolv.conf -fi - -exit 0 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1034?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ic30f8514b50f561e7ea8f1ce12d740ac53f202e5 Gerrit-Change-Number: 1034 Gerrit-PatchSet: 2 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: merged |
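Review bot: The commit message ("We have an official solution for this now") does not name the replacement, and the deleted client.down header is the only place that documented the install recipe users followed (up /etc/openvpn/client.up, down /etc/openvpn/client.down, or plugin openvpn-plugin-down-root.so "/etc/openvpn/client.down" when the down script has to run after privileges are dropped); suggest naming the replacement option in the commit message or in Changes.rst so deployments that still reference these paths know what to migrate to.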
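Review bot: Deleting client.up also drops the only in-tree statement of how pushed dhcp-option DNS/DOMAIN values were applied (at most three nameservers, a single DOMAIN becomes "domain", several become "search", resolvconf -a when available, otherwise a copy to /etc/resolv.conf.ovpnsave and a rewrite of /etc/resolv.conf with mode 644); a sentence in the commit message confirming that the replacement covers the resolvconf-less fallback and the restore-on-disconnect path would help, since that restore step is what keeps a client from being left with the VPN resolvers after the tunnel is gone.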
| From: cron2 (C. Review) <ge...@op...> - 2025-05-28 19:20:10 |
cron2 has uploaded a new patch set (#2) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/1034?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by cron2 Change subject: Remove contrib/pull-resolv-conf ...................................................................... Remove contrib/pull-resolv-conf We have an official solution for this now. Change-Id: Ic30f8514b50f561e7ea8f1ce12d740ac53f202e5 Signed-off-by: Frank Lichtenheld <fr...@li...> Acked-by: Gert Doering <ge...@gr...> Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg31820.html Signed-off-by: Gert Doering <ge...@gr...> --- D contrib/pull-resolv-conf/client.down D contrib/pull-resolv-conf/client.up 2 files changed, 0 insertions(+), 155 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/34/1034/2 diff --git a/contrib/pull-resolv-conf/client.down b/contrib/pull-resolv-conf/client.down deleted file mode 100644 index 0cbb476..0000000 --- a/contrib/pull-resolv-conf/client.down +++ /dev/null 
@@ -1,51 +0,0 @@ -#!/bin/sh - -# Copyright (c) 2005-2018 OpenVPN Inc -# Licensed under the GPL version 2 - -# First version by Jesse Adelman -# someone at boldandbusted dink com -# http://www.boldandbusted.com/ - -# PURPOSE: This script automatically removes the /etc/resolv.conf entries previously -# set by the companion script "client.up". - -# INSTALL NOTES: -# Place this in /etc/openvpn/client.down -# Then, add the following to your /etc/openvpn/<clientconfig>.conf: -# client -# up /etc/openvpn/client.up -# down /etc/openvpn/client.down -# Next, "chmod a+x /etc/openvpn/client.down" - -# USAGE NOTES: -# Note that this script is best served with the companion "client.up" -# script. - -# Tested under Debian lenny with OpenVPN 2.1_rc11 -# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf - -# This runs with the context of the OpenVPN UID/GID -# at the time of execution. This generally means that -# the client "up" script will run fine, but the "down" script -# will require the use of the OpenVPN "down-root" plugin -# which is in the plugins/ directory of the OpenVPN source tree -# The config example above would have to be changed to: -# client -# up /etc/openvpn/client.up -# plugin openvpn-plugin-down-root.so "/etc/openvpn/client.down" - -# A horrid work around, from a security perspective, -# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have -# been WARNED. -PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin - -if type resolvconf >/dev/null 2>&1; then - resolvconf -d "${dev}" -f -elif [ -e /etc/resolv.conf.ovpnsave ] ; then - # cp + rm rather than mv in case it's a symlink - cp /etc/resolv.conf.ovpnsave /etc/resolv.conf - rm -f /etc/resolv.conf.ovpnsave -fi - -exit 0 diff --git a/contrib/pull-resolv-conf/client.up b/contrib/pull-resolv-conf/client.up deleted file mode 100644 index 220aeb7..0000000 --- a/contrib/pull-resolv-conf/client.up +++ /dev/null 
@@ -1,104 +0,0 @@ -#!/bin/sh - -# Copyright (c) 2005-2018 OpenVPN Inc -# Licensed under the GPL version 2 - -# First version by Jesse Adelman -# someone at boldandbusted dink com -# http://www.boldandbusted.com/ - -# PURPOSE: This script automatically sets the proper /etc/resolv.conf entries -# as pulled down from an OpenVPN server. - -# INSTALL NOTES: -# Place this in /etc/openvpn/client.up -# Then, add the following to your /etc/openvpn/<clientconfig>.conf: -# client -# up /etc/openvpn/client.up -# Next, "chmod a+x /etc/openvpn/client.up" - -# USAGE NOTES: -# Note that this script is best served with the companion "client.down" -# script. - -# Tested under Debian lenny with OpenVPN 2.1_rc11 -# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf - -# This runs with the context of the OpenVPN UID/GID -# at the time of execution. This generally means that -# the client "up" script will run fine, but the "down" script -# will require the use of the OpenVPN "down-root" plugin -# which is in the plugins/ directory of the OpenVPN source tree - -# A horrid work around, from a security perspective, -# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have -# been WARNED. -PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin - -# init variables - -i=1 -domains= -fopt= -ndoms=0 -nns=0 -nl=' -' - -# $foreign_option_<n> is something like -# "dhcp-option DOMAIN example.com" (multiple allowed) -# or -# "dhcp-option DNS 10.10.10.10" (multiple allowed) - -# each DNS option becomes a "nameserver" option in resolv.conf -# if we get one DOMAIN, that becomes "domain" in resolv.conf -# if we get multiple DOMAINS, those become "search" lines in resolv.conf -# if we get no DOMAINS, then don't use either domain or search. 
- -while true; do - eval fopt=\$foreign_option_${i} - [ -z "${fopt}" ] && break - - case ${fopt} in - dhcp-option\ DOMAIN\ *) - ndoms=$((ndoms + 1)) - domains="${domains} ${fopt#dhcp-option DOMAIN }" - ;; - dhcp-option\ DNS\ *) - nns=$((nns + 1)) - if [ $nns -le 3 ]; then - dns="${dns}${dns:+$nl}nameserver ${fopt#dhcp-option DNS }" - else - printf "%s\n" "Too many nameservers - ignoring after third" >&2 - fi - ;; - *) - printf "%s\n" "Unknown option \"${fopt}\" - ignored" >&2 - ;; - esac - i=$((i + 1)) -done - -ds="" -if [ $ndoms -eq 1 ]; then - ds="${nl}domain" -elif [ $ndoms -gt 1 ]; then - ds="${nl}search" -fi - -# This is the complete file - "$domains" has a leading space already -out="# resolv.conf autogenerated by ${0} (${dev})${nl}${dns}${ds}${domains}" - -# use resolvconf if it's available -if type resolvconf >/dev/null 2>&1; then - printf "%s\n" "${out}" | resolvconf -a "${dev}" -else - # Preserve the existing resolv.conf - if [ -e /etc/resolv.conf ] ; then - cp /etc/resolv.conf /etc/resolv.conf.ovpnsave - fi - printf "%s\n" "${out}" > /etc/resolv.conf - chmod 644 /etc/resolv.conf -fi - -exit 0 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1034?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ic30f8514b50f561e7ea8f1ce12d740ac53f202e5 Gerrit-Change-Number: 1034 Gerrit-PatchSet: 2 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: newpatchset |
| From: Gert D. <ge...@gr...> - 2025-05-28 19:19:52 |
Indeed - "because why ship something which is not doing a good job when we have something new that does a better job" ;-) - and out it goes. Your patch has been applied to the master branch. commit 26a5c094bddbf528be4f6f2f26d9831717d5139d Author: Frank Lichtenheld Date: Wed May 28 21:11:20 2025 +0200 Remove contrib/pull-resolv-conf Signed-off-by: Frank Lichtenheld <fr...@li...> Acked-by: Gert Doering <ge...@gr...> Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg31820.html Signed-off-by: Gert Doering <ge...@gr...> -- kind regards, Gert Doering |
| From: Gert D. <ge...@gr...> - 2025-05-28 19:11:39 |
From: Frank Lichtenheld <fr...@li...> We have an official solution for this now. Change-Id: Ic30f8514b50f561e7ea8f1ce12d740ac53f202e5 Signed-off-by: Frank Lichtenheld <fr...@li...> Acked-by: Gert Doering <ge...@gr...> --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1034 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering <ge...@gr...> diff --git a/contrib/pull-resolv-conf/client.down b/contrib/pull-resolv-conf/client.down deleted file mode 100644 index 0cbb476..0000000 --- a/contrib/pull-resolv-conf/client.down +++ /dev/null 
@@ -1,51 +0,0 @@ -#!/bin/sh - -# Copyright (c) 2005-2018 OpenVPN Inc -# Licensed under the GPL version 2 - -# First version by Jesse Adelman -# someone at boldandbusted dink com -# http://www.boldandbusted.com/ - -# PURPOSE: This script automatically removes the /etc/resolv.conf entries previously -# set by the companion script "client.up". - -# INSTALL NOTES: -# Place this in /etc/openvpn/client.down -# Then, add the following to your /etc/openvpn/<clientconfig>.conf: -# client -# up /etc/openvpn/client.up -# down /etc/openvpn/client.down -# Next, "chmod a+x /etc/openvpn/client.down" - -# USAGE NOTES: -# Note that this script is best served with the companion "client.up" -# script. - -# Tested under Debian lenny with OpenVPN 2.1_rc11 -# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf - -# This runs with the context of the OpenVPN UID/GID -# at the time of execution. This generally means that -# the client "up" script will run fine, but the "down" script -# will require the use of the OpenVPN "down-root" plugin -# which is in the plugins/ directory of the OpenVPN source tree -# The config example above would have to be changed to: -# client -# up /etc/openvpn/client.up -# plugin openvpn-plugin-down-root.so "/etc/openvpn/client.down" - -# A horrid work around, from a security perspective, -# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have -# been WARNED. -PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin - -if type resolvconf >/dev/null 2>&1; then - resolvconf -d "${dev}" -f -elif [ -e /etc/resolv.conf.ovpnsave ] ; then - # cp + rm rather than mv in case it's a symlink - cp /etc/resolv.conf.ovpnsave /etc/resolv.conf - rm -f /etc/resolv.conf.ovpnsave -fi - -exit 0 diff --git a/contrib/pull-resolv-conf/client.up b/contrib/pull-resolv-conf/client.up deleted file mode 100644 index 220aeb7..0000000 --- a/contrib/pull-resolv-conf/client.up +++ /dev/null 
@@ -1,104 +0,0 @@ -#!/bin/sh - -# Copyright (c) 2005-2018 OpenVPN Inc -# Licensed under the GPL version 2 - -# First version by Jesse Adelman -# someone at boldandbusted dink com -# http://www.boldandbusted.com/ - -# PURPOSE: This script automatically sets the proper /etc/resolv.conf entries -# as pulled down from an OpenVPN server. - -# INSTALL NOTES: -# Place this in /etc/openvpn/client.up -# Then, add the following to your /etc/openvpn/<clientconfig>.conf: -# client -# up /etc/openvpn/client.up -# Next, "chmod a+x /etc/openvpn/client.up" - -# USAGE NOTES: -# Note that this script is best served with the companion "client.down" -# script. - -# Tested under Debian lenny with OpenVPN 2.1_rc11 -# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf - -# This runs with the context of the OpenVPN UID/GID -# at the time of execution. This generally means that -# the client "up" script will run fine, but the "down" script -# will require the use of the OpenVPN "down-root" plugin -# which is in the plugins/ directory of the OpenVPN source tree - -# A horrid work around, from a security perspective, -# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have -# been WARNED. -PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin - -# init variables - -i=1 -domains= -fopt= -ndoms=0 -nns=0 -nl=' -' - -# $foreign_option_<n> is something like -# "dhcp-option DOMAIN example.com" (multiple allowed) -# or -# "dhcp-option DNS 10.10.10.10" (multiple allowed) - -# each DNS option becomes a "nameserver" option in resolv.conf -# if we get one DOMAIN, that becomes "domain" in resolv.conf -# if we get multiple DOMAINS, those become "search" lines in resolv.conf -# if we get no DOMAINS, then don't use either domain or search. 
- -while true; do - eval fopt=\$foreign_option_${i} - [ -z "${fopt}" ] && break - - case ${fopt} in - dhcp-option\ DOMAIN\ *) - ndoms=$((ndoms + 1)) - domains="${domains} ${fopt#dhcp-option DOMAIN }" - ;; - dhcp-option\ DNS\ *) - nns=$((nns + 1)) - if [ $nns -le 3 ]; then - dns="${dns}${dns:+$nl}nameserver ${fopt#dhcp-option DNS }" - else - printf "%s\n" "Too many nameservers - ignoring after third" >&2 - fi - ;; - *) - printf "%s\n" "Unknown option \"${fopt}\" - ignored" >&2 - ;; - esac - i=$((i + 1)) -done - -ds="" -if [ $ndoms -eq 1 ]; then - ds="${nl}domain" -elif [ $ndoms -gt 1 ]; then - ds="${nl}search" -fi - -# This is the complete file - "$domains" has a leading space already -out="# resolv.conf autogenerated by ${0} (${dev})${nl}${dns}${ds}${domains}" - -# use resolvconf if it's available -if type resolvconf >/dev/null 2>&1; then - printf "%s\n" "${out}" | resolvconf -a "${dev}" -else - # Preserve the existing resolv.conf - if [ -e /etc/resolv.conf ] ; then - cp /etc/resolv.conf /etc/resolv.conf.ovpnsave - fi - printf "%s\n" "${out}" > /etc/resolv.conf - chmod 644 /etc/resolv.conf -fi - -exit 0 |
| From: cron2 (C. Review) <ge...@op...> - 2025-05-28 19:11:08 |
Attention is currently required from: flichtenheld, plaisthos. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1034?usp=email ) Change subject: Remove contrib/pull-resolv-conf ...................................................................... Patch Set 1: Code-Review+2 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1034?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ic30f8514b50f561e7ea8f1ce12d740ac53f202e5 Gerrit-Change-Number: 1034 Gerrit-PatchSet: 1 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Comment-Date: Wed, 28 May 2025 19:10:55 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment |
| From: cron2 (C. Review) <ge...@op...> - 2025-05-28 19:10:05 |
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1032?usp=email ) Change subject: OpenVPN Release 2.7_alpha1 ...................................................................... OpenVPN Release 2.7_alpha1 version.m4, ChangeLog, Changes.rst (ChangeLog in "master" will revert to its normal state of "empty" after release/2.7 is forked off into its own branch) Additionally, add test_common.h to tests/unit_tests/openvpn/Makefile.am (..._SOURCES) so it's packed into the "make dist" tarball Change-Id: I80a14b77fcc2fabf51af9f2d5ea0c36362cccb91 Signed-off-by: Frank Lichtenheld <fr...@li...> --- M ChangeLog M Changes.rst M tests/unit_tests/openvpn/Makefile.am M version.m4 4 files changed, 903 insertions(+), 46 deletions(-) diff --git a/ChangeLog b/ChangeLog index c26dd2e..c6e626b 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,7 +1,759 @@ OpenVPN ChangeLog -Copyright (C) 2002-2024 OpenVPN Inc <sa...@op...> +Copyright (C) 2002-2025 OpenVPN Inc <sa...@op...> -This file is not maintained in this branch of the OpenVPN git repository. +2025.05.28 -- Version 2.7_alpha1 -Release branches (release/2.5, release/2.4, etc) have individual ChangeLog -files with all changes relevant for these releases. +5andr0 (1): + Implement server_poll_timeout for socks + +Alexander von Gluck (4): + Haiku: Introduce basic platform / tun support + Haiku: Add calls to manage routing table + Haiku: change del to delete in route command. del is undocumented + Haiku: Fix short interface path length + +Antonio Quartulli (32): + disable DCO if --secret is specified + dco: properly re-initialize dco_del_peer_reason + dco: bail out when no peer-specific message is delivered + dco: improve comment about hidden debug message + dco: print proper message in case of transport disconnection + dco_linux: update license for ovpn_dco_linux.h + Update issue templates + Avoid warning about missing braces when initialising key struct + dco: don't use NetLink to exchange control packets + dco: print version to log if available + dco-linux: remove M_ERRNO flag when printing netlink error message + multi: don't call DCO APIs if DCO is disabled + dco-freebsd: use m->instances[] instead of m->hash + dco-linux: implement dco_get_peer_stats{, multi} API + configure.ac: fix typ0 in LIBCAPNG_CFALGS + dco: fix crash when --multihome is used with --proto tcp + dco: mark peer as deleted from kernel after receiving CMD_DEL_PEER notification + event/multi: add event_arg object to make event handling more generic + pass link_socket object to i/o functions + io_work: convert shift argument to uintptr_t + io_work: pass event_arg object to event handler in case of socket event + sitnl: replace NLMSG_TAIL macro with noinline function + override ai_family if 'local' numeric address was specified + Adapt socket handling to support listening on 
multiple sockets + allow user to specify 'local' multiple times in config files + dco_linux: extend netlink error cb with extra info + man: extend --persist-tun section + dco: pass remoteaddr only for UDP peers + socket: use remote proto when creating client sockets + dco_linux: fix peer stats parsing with new ovpn kernel module + socket: don't transfer bind family to socket in case of ANY address + dco_linux: avoid bogus text when netlink message is not parsed + +Aquila Macedo (1): + doc: Correct typos in multiple documentation files + +Arne Schwabe (190): + Fix connection cookie not including address and fix endianness in test + Fix unit test of test_pkt on little endian Linux + Disable DCO when TLS mode is not used + Ignore connection attempts while server is shutting down + Improve debug logging of DCO swap key message and Linux dco_new_peer + Trigger a USR1 if dco_update_keys fails + Set DCO_NOT_INSTALLED also for keys not in the get_key_scan range + Ensure that argument to parse_line has always space for final sentinel + Improve documentation on user/password requirement and unicodize function + Eliminate or comment empty blocks and switch fallthrough + Remove unused gc_arena + Fix corner case that might lead to leaked file descriptor + Deprecate NTLMv1 proxy auth method. 
+ Use include "buffer.h" instead of include <buffer.h> + Ensure that dco keepalive and mssfix options are also set in pure p2p mode + Make management password check constant time + Rename TM_UNTRUSTED to TM_INITIAL, always start session in TM_INITIAL rather than TM_ACTIVE or TM_INITIAL + Move dco_installed back to link_socket from link_socket.info.actual + Do not set nl socket buffer size + Also drop incoming dco packet content when dropping the packet + Improve logging when seeing a message for an unkown peer + Ignore OVPN_DEL_PEER_REASON_USERSPACE to avoid race conditions + Replace custom min macro and use more C99 style in man_remote_entry_get + Replace realloc with new gc_realloc function + Add connect-freq-initial option to limit initial connection responses + Log peer-id if loglevel is D_DCO_DEBUG and dco is enabled + Deprecate OCC checking + Workaround: make ovpn-dco more reliable + Fix unaligned access in auth-token + Update LibreSSL to 3.7.0 in Github actions + Add printing USAN stack trace on github actions + Fix LibreSSL not building in Github Actions + Add missing stdint.h includes in unit tests files + Combine extra_tun/frame parameter of frame_calculate_payload_overhead + Update the last sections in the man page to a be a bit less outdated + Add building unit tests with mingw to github actions + Revise the cipher negotiation info about OpenVPN3 in the man page + Exit if a proper message instead of segfault on Android without management + Use proper print format/casting when converting msg_channel handle + Reduce initialisation spam from verb <= 3 and print summary instead + Dynamic tls-crypt for secure soft_reset/session renegotiation + Set netlink socket to be non-blocking + Ensure n = 2 is set in key2 struct in tls_crypt_v2_unwrap_client_key + Fix memory leaks in open_tun_dco() + Fix memory leaks in HMAC initial packet generation + Use key_state instead of multi for tls_send_payload parameter + Make sending plain text control message session aware + 
Only update frame calculation if we have a valid link sockets + Improve description of compat-mode + Simplify --compress parsing in options.c + Refuse connection if server pushes an option contradicting allow-compress + Add 'allow-compression stub-only' internally for DCO + Parse compression options and bail out when compression is disabled + Remove unused variable line + Add Apache2 linking with for new commits + Fix compile error on TARGET_ANDROID + Fix use-after-free with EVP_CIPHER_free + Remove key_type argument from generate_key_random + add basic CMake based build + Avoid unused function warning/error on FreeBSD (and potientially others) + Do not blindly assume python3 is also the interpreter that runs rst2html + Only add -Wno-stringop-truncation on supported compilers + fix warning with gcc 12.2.0 (compiler bug?) + Fix CR_RESPONSE mangaement message using wrong key_id + Print a more user-friendly error when tls-crypt-v2 client auth fails + Ignore Ipv6 route delete request on Android and set ipv4 verbosity to 7 + Mock openvpn_exece on win32 also for test_tls_crypt + Check if the -wrap argument is actually supported by the platform's ld + Revert commit 423ced962d + Implement using --peer-fingerprint without CA certificates + show extra info for OpenSSL errors + Remove ability to use configurations without TLS by default + Add warning for the --show-groups command that some groups are missing + Print peer temporary key details + Add warning if a p2p NCP client connects to a p2mp server + Remove openssl engine method for loading the key + Add undefined and abort on error to clang sanitize builds + Add --enable-werror to all platforms in Github Actions + Remove saving initial frame code + Double check that we do not use a freed buffer when freeing a session + Fix using to_link buffer after freed + Remove CMake custom compiler flags for RELEASE and DEBUG build + Do not check key_state buffers that are in S_UNDEF state + Remove unused function prototype 
crypto_adjust_frame_parameters + Introduce report_command_status helper function + Log SSL alerts more prominently + Remove unused/unneeded/add missing defines from configure/cmake + Document tls-exit option mainly as test option + Remove dead remains of extract_x509_field_test + Replace character_class_debug with proper unit test + Remove TEST_GET_DEFAULT_GATEWAY as it duplicates --show-gateway + Fix check_session_buf_not_used using wrong index + Add missing check for nl_socket_alloc failure + Add check for nice in cmake config + Minimal Solaris/OpenIndiana support to Cmake and clean up -Werror + Remove compat versionhelpers.h and remove cmake/configure check for it + Rename state_change to continue_tls_process + Move tls_get_cipher_name_pair and get_num_elements to ssl_utils.c + Fix building mbed TLS with CMake and allow specifying custom directories + Extend the error message when TLS 1.0 PRF fails + Fix unaligned access in macOS, FreeBSD, Solaris hwaddr + Check PRF availability on initialisation and add --force-tls-key-material-export + Make it more explicit and visible when pkg-config is not found + Clarify that the tls-crypt-v2-verify has a very limited env set + Move get_tmp_dir to win32-util.c and error out on failure + Implement the --tls-export-cert feature + Use mingw compile definition also to unit tests + Add test_ssl unit test and test export of PEM to file + Remove conditional text for Apache2 linking exception + Fix ssl unit tests on OpenSSL 1.0.2 + Ensure that all unit tests use unbuffered stdout and stderr + Allow unit tests to fall back to hard coded location + Add unit test for encrypting/decrypting data channel + Print SSL peer signature information in handshake debug details + Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs + Turn dead list test code into unit test + Use snprintf instead of sprintf for get_ssl_library_version + Fix snprintf/swnprintf related compiler warnings + Add bracket in fingerprint message and do not warn 
about missing verification + Match ifdef for get_sigtype function with if ifdef of caller + Remove/combine redundant call of EVP_CipherInit before EVP_CipherInit_Ex + Add missing EVP_KDF_CTX_free in ssl_tls1_PRF + Replace macos11 with macos14 in github runners + Remove openvpn_snprintf and similar functions + Repeat the unknown command in errors from management interface + Only run coverity scan in OpenVPN/OpenVPN repository + Support OpenBSD with cmake + Workaround issue in LibreSSL crashing when enumerating digests/ciphers + Remove OpenSSL 1.0.2 support + Remove custom TLS 1.0 PRF implementation only used by LibreSSL/wolfSSL + Allow the TLS session to send out TLS alerts + Properly handle null bytes and invalid characters in control messages + Allow trailing \r and \n in control channel message + Add Ubuntu 24.04 runner to Github Actions + Implement support for AEAD tag at the end + Remove check for anonymous unions from configure and cmake config + Make read/write_tun_header static + Avoid SIGUSR1 to SIGHUP remapping when the configuration is read from stdin + Move to common backend_driver type in struct tuntap + Introduce DRIVER_AFUNIX backend for use with lwipovpn + Change dev null to be a driver type instead of a special mode of tun/tap + Use print_tun_backend_driver instead of custom code to print type + Automatically enable ifconfig-exec/route-exec behaviour for afunix tun/tap + Ensure that the AF_UNIX socket pair has at least 65k of buffer space + Fix check for CMake not detecting struct cmsg + Remove null check after checking for checking for did_open_tun + Remove a large number of unused structs and functions + Remove unused methods write_key/read_key + Refuse clients if username or password is longer than USER_PASS_LEN + Move should_trigger_renegotiation into its own function + Change --reneg-bytes and --reneg-packets to 64 bit counters + Use XOR instead of concatenation for calculation of IV from implicit IV + Trigger renegotiation of data key if 
getting close to the AEAD usage limit + Implement HKDF expand function based on RFC 8446 + Split init_key_ctx_bi into send/recv init + Move initialisation of implicit IVs to init_key_ctx_bi methods + Change internal id of packet id to uint64 + Add small unit test for buf_chomp + Add building/testing with msbuild and the clang compiler + Ensure that Python3 is available + Change API of init_key_ctx to use struct key_parameters + Allow DEFAULT in data-ciphers and report both expanded and user set option + Do not attempt to decrypt packets anymore after 2**36 failed decryptions + Add methods to read/write packet ids for epoch data + Implement methods to generate and manage OpenVPN Epoch keys + Rename aead-tag-at-end to aead-epoch + Improve peer fingerprint documentation + Remove comparing username to NULL in tls_lock_username + Print warnings/errors when numerical parameters cannot be parsed + Add unit tests for atoi parsing options helper + Improve error reporting from AF_UNIX tun/tap support + Fix typo in positive_atoi + Fix oversight of link socket code change in Android code path + Implement epoch key data format + Extend the unit test for data channel packets with aead limit tests + Add (fake) Android cmake building + Add android build to Github Actions + Reconnect when TCP is on use on network-change management command + Implement override-username + Fix incorrect condition for checking password related check + Directly use _countof in array initialisation + Improve documentation for override-username + Mention address if not unspecific on DNS failure + Do not leave half-initialised key wrap struct when dynamic tls-crypt fails + Allow tls-crypt-v2 to be setup only on initial packet of a session + Use SSL_get0_peer_signature_name instead of SSL_get_peer_signature_nid + Use USER_PASS_LEN instead of TLS_USERNAME_LEN for override-username + Also print key agreement when printing negotiated details + Fix mbed TLS key exporter functionality in 3.6.x and cmake + Make 
--dh none behaviour default if not specified + +Ben Boeckel (1): + console_systemd: remove the timeout when using 'systemd-ask-password' + +Christoph Schug (1): + Update documentation references in systemd unit files + +Corubba Smith (3): + Support IPv6 towards port-share proxy receiver + Document x509-username-fields oid usage + Remove x509-username-fields uppercasing + +David Sommerseth (4): + ssl_verify: Fix memleak if creating deferred auth control files fails + ntlm: Clarify details on NTLM phase 3 decoding + Remove --tls-export-cert + Remove superfluous x509_write_pem() + +Franco Fichtner (1): + Allow to set ifmode for existing DCO interfaces in FreeBSD + +Frank Lichtenheld (174): + options.c: fix format security error when compiling without optimization + options.c: update usage description of --cipher + Update copyright year to 2023 + xkey_pkcs11h_sign: fix dangling pointer + options: Always define options->management_flags + check_engine_keys: make pass with OpenSSL 3 + documentation: update 'unsupported options' section + Changes.rst: document removal of --keysize + Windows: fix unused function setenv_foreign_option + Windows: fix unused variables in delete_route_ipv6 + Windows: fix wrong printf format in x_check_status + Windows: fix unused variable in win32_get_arch + configure: enable DCO by default on FreeBSD/Linux + Windows: fix signedness errors with recv/send + configure: fix formatting of --disable-lz4 and --enable-comp-stub + tests/unit_tests: Fix 'make distcheck' with subdir-objects enabled + GHA: remove Ubuntu 18.04 builds + vcpkg: request "tools" feature of openssl for MSVC build + Do not include net/in_systm.h + version.sh: remove + doc: run rst2* with --strict to catch warnings + man page: Remove cruft from --topology documentation + tests: do not include t_client.sh in dist + vcpkg-ports/pkcs11-helper: Make compatible with mingw build + vcpkg-ports/pkcs11-helper: Convert CONTROL to vcpkg.json + vcpkg-ports/pkcs11-helper: reference upstream 
PRs in patches + dco_linux: properly close dco version file + DCO: fix memory leak in dco_get_peer_stats_multi for Linux + Fix two unused assignments + sample-plugins: Fix memleak in client-connect example plugin + tests: Allow to override openvpn binary used + test_buffer: add tests for buf_catrunc and its caller format_hex_ex + buffer: use memcpy in buf_catrunc + options: remove --key-method from usage message + msvc-generate: include version.m4.in in tarball + dist: add more missing files only used in the MSVC build + vcpkg-ports/pkcs11-helper: rename patches to make file names shorter + unit_tests: Add missing cert_data.h to source list for unit tests + dist: Include all documentation in distribution + CMake: Add complete MinGW and MSVC build + Remove all traces of the previous MSVC build system + CMake: Add /Brepro to MSVC link options + GHA: update to run-vcpkg@v11 + test_tls_crypt: Improve mock() usage to be more portable + CMake: Throw a clear error when config.h in top-level source directory + CMake: Support doc builds on Windows machines that do not have .py file association + Remove old Travis CI related files + README.cmake.md: Add new documentation for CMake buildsystem + GHA: refactor mingw UTs and add missing tls_crypt + GHA: Add macos-13 + options: Do not hide variables from parent scope + pkcs11_openssl: Disable unused code + route: Fix overriding return value of add_route3 + CMake: various small non-functional improvements + GHA: do not trigger builds in openvpn-build anymore + Remove --no-replay option + GHA: new workflow to submit scan to Coverity Scan service + doc: fix argument name in --route-delay documentation + Change type of frame.mss_fix to uint16_t + Remove last uses of inet_ntoa + mss/mtu: make all size calculations use size_t + dev-tools/gerrit-send-mail.py: tool to send Gerrit patchsets to Patchwork + gerrit-send-mail.py: Add patch version to subject + Add mbedtls3 GHA build + platform.c: Do not depend Windows build on HAVE_CHDIR + 
sample-keys: renew for the next 10 years + GHA: clean up libressl builds with newer libressl + configure.ac: Remove unused AC_TYPE_SIGNAL macro + documentation: remove reference to removed option --show-proxy-settings + unit_tests: remove includes for mock_msg.h + buffer: add documentation for string_mod and extend related UT + tests: disable automake serial_tests + documentation: improve documentation of --x509-track + configure: allow to disable NTLM + configure: enable silent rules by default + misc: make get_auth_challenge static + Remove support for NTLM v1 proxy authentication + GHA: increase verbosity for make check + NTLM: add length check to add_security_buffer + NTLM: increase size of phase 2 response we can handle + Fix various 'Uninitialized scalar variable' warnings from Coverity + proxy-options.rst: Add proper documentation for --http-proxy-user-pass + NTLM: when NTLMv1 is requested, try NTLMv2 instead + buf_string_match_head_str: Fix Coverity issue 'Unsigned compared against 0' + --http-proxy-user-pass: allow to specify in either order with --http-proxy + test_user_pass: new UT for get_user_pass + test_user_pass: Add UTs for character filtering + gerrit-send-mail: Make output consistent across systems + README.cmake.md: Document minimum required CMake version for --preset + documentation: Update and fix documentation for --push-peer-info + documentation: Fixes for previous fixes to --push-peer-info + test_user_pass: add basic tests for static/dynamic challenges + Fix typo --data-cipher-fallback + samples: Remove tls-*.conf + check_compression_settings_valid: Do not test for LZ4 in LZO check + t_client.sh: Allow to skip tests + gerrit-send-mail: add missing Signed-off-by + Update Copyright statements to 2024 + GHA: general update March 2024 + samples: Update sample configurations + documentation: make section levels consistent + phase2_tcp_server: fix Coverity issue 'Dereference after null check' + script-options.rst: Update ifconfig_* variables + 
crypto_backend: fix type of enc parameter + tests: fork default automake test-driver + forked-test-driver: Show test output always + Change default of "topology" to "subnet" + Use topology default of "subnet" only for server mode + Fix 'binary or' vs 'boolean or' related to server_bridge_proxy_dhcp + configure: update old copy of pkg.m4 + LZO: do not use lzoutils.h macros + test_user_pass: Fix building with --enable-systemd + Remove "experimental" denotation for --fast-io + t_server_null.sh: Fix failure case + configure: Add -Wstrict-prototypes and -Wold-style-definition + configure: Try to detect LZO with pkg-config + configure: Switch to C11 by default + Fix missing spaces in various messages + console_systemd: rename query_user_exec to query_user_systemd + configure: Allow to detect git checkout if .git is not a directory + GHA: Configure Renovate + configure: Try to use pkg-config to detect mbedTLS + tun: use is_tun_p2p more consistently + Various fixes for -Wconversion errors + generate_auth_token: simplify code + GHA: Update dependency Mbed-TLS/mbedtls to v3.6.1 + GHA: Enable t_server_null tests + configure: Handle libnl-genl and libcap-ng consistent with other libs + configure: Review use of standard AC macros + socket: Change return types of link_socket_write* to ssize_t + GHA: Pin dependencies + GHA: Update macOS runners + GHA: Simplify macOS builds + Remove support for compression on send + Fix wrong doxygen comments + Various typo fixes + macOS: Assume that net/if_utun.h is always present + Fix some formatting related to if/else and macros + Fix memory leak in ntlm_support + forward: Fix potential unaligned access in drop_if_recursive_routing + GHA: General update December 2024 + Review doxygen warnings + Regenerate doxygen config file with doxygen -u + Fix 'uninitialized pointer read' in openvpn_decrypt_aead + ssl_openssl: Clean up unused functions and add missing "static" + Fix some trivial sign-compare compiler warnings + 
tls_crypt_v2_write_client_key_file: Fix missing-field-initializers compiler warning + openvpnserv: Fix some inconsistent usages of TEXT() + Fix doxygen warnings in crypto_epoch.h + GHA: Drop Ubuntu 20.04 and other maintenance + GHA: Publish Doxygen documentation to Github Pages + Add more 'intentional fallthrough' comments + Remove various unused function parameters + Remove unused function check_subnet_conflict + options: Cleanup and simplify options_postprocess_verify_ce + Apply text-removal.sh script to Windows codebase + openvpnserv: Clean up use of TEXT() from DNS patches + Post tchar.h removal cleanup + Fix compatibility with mbedTLS 2.28.10+ and 3.6.3+ + t_server_null_default.rc: Add some tests with --data-ciphers + GHA: Pin version of CMake for all builds + GHA: Dependency and Actions update April 2025 + GHA: Make sure renovate notifies us about AWS LC releases + Doxygen: Fix obsolete links to OpenSSL documentation + GHA: Use CMake 4.0 and apply required fixes + Doxygen: Clean up tls-crypt documentation + Doxygen: Remove useless Python information + Manually reformat some long trailing comments + CMake: Make sure to treat UNIT_TEST_SOURCEDIR as path + CMake: Sync list of compiler flags with configure.ac + CMake: Reorganize header and symbol tests + GHA: Dependency and Actions update May 2025 + Doxygen: Fix missing parameter warnings + Changes.rst: Collect, fix, and improve entries for 2.7 release + +George Pchelkin (1): + fix typo: dhcp-options to dhcp-option in vpn-network-options.rst + +Gert Doering (21): + Change version.m4 to 2.7_git + bandaid fix for TCP multipoint server crash with Linux-DCO + Undo FreeBSD 12.x workaround on IPv6 ifconfig for 12.4 and up + Reduce logspam about 'dco_update_keys: peer_id=-1' in p2p server mode + Fix OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT breakage on FreeBSD+DCO + Repair special-casing of EEXIST for Linux/SITNL route install + Get rid of unused 'bool tuntap_buffer' arguments. 
+ FreeBSD 12.x workaround for IPv6 ifconfig is needed on 12.4 as well + Make received OCC exit messages more visible in log. + OpenBSD: repair --show-gateway + get_default_gateway() HWADDR overhaul + make t_server_null 'server alive?' check more robust + t_client.sh: conditionally skip ifconfig+route check + send uname() release as IV_PLAT_VER= on non-windows versions + options: add IPv4 support to '--show-gateway <arg>' + get_default_gateway(): implement platform support for Linux/SITNL + get_default_gateway(): implement platform support for Linux/IPROUTE2 + add missing (void) to win32 function declarations + add more (void) to windows specific function prototypes and declarations + Make 'lport 0' no longer sufficient to do '--bind'. + Add information-gathering about DNS resolvers configured to t_client.sh(.in) + +Gianmarco De Gregori (17): + Persist-key: enable persist-key option by default + Minor fix to process_ip_header + Http-proxy: fix bug preventing proxy credentials caching + Ensures all params are ready before invoking dco_set_peer() + Route: remove incorrect routes on exit + Fix for msbuild/mingw GHA failures + multiproto: move generic event handling code in dedicated files + Fix PASS_BY_VALUE issue in options_postprocess_mutate_le() + mroute: adapt to new protocol handling and hashing improvements + mroute/management: repair mgmt client-kill for mroute with proto + Add support for simultaneous use of UDP and TCP sockets + Rename occurences of 'struct link_socket' from 'ls' to 'sock' + Fix FreeBSD-DCO and Multisocket interaction + manpage: fix HTML format for --local + Fix dco_win and multisocket interaction + dco_linux: Introduce new uAPIs + Explicit-exit-notify and multisocket interaction + +Heiko Hund (21): + dns option: allow up to eight addresses per server + work around false positive warning with mingw 12 + dns option: remove support for exclude-domains + cmake: create and link compile_commands.json file + cmake: symlink whole build dir not just 
.json file + Windows: enforce 'block-local' with WFP filters + add and send IV_PROTO_DNS_OPTION_V2 flag + dns: store IPv4 addresses in network byte order + dns: clone options via pointer instead of copy + service: add utf8to16 function that takes a size + dns: support multiple domains without DHCP + dns: do not use netsh to set name server addresses + win: calculate address string buffer size + win: implement --dns option support with NRPT + dns: apply settings via script on unixoid systems + fix typo in haikuos dns-updown script + dns: support running up/down command with privsep + dns: don't publish env vars to non-dns scripts + dns: fix potential NULL pointer dereference + win: match search domains when creating exclude rules + win: fix collecting DNS exclude data + +Heiko Wundram (1): + Implement Windows CA template match for Crypto-API selector + +Ilia Shipitsin (3): + src/openvpn/init.c: handle strdup failures + sample/sample-plugins/defer/multi-auth.c: handle strdup errors + tests/unit_tests/openvpn/test_auth_token.c: handle strdup errors + +Ilya Shipitsin (1): + src/openvpn/dco_freebsd.c: handle malloc failure + +Juliusz Sosinowicz (1): + Change include order for tests + +Klemens Nanni (1): + Fix tmp-dir documentation + +Kristof Provost (10): + Read DCO traffic stats from the kernel + dco: Update counters when a client disconnects + Read the peer deletion reason from the kernel + dco: cleanup FreeBSD dco_do_read() + options.c: enforce a minimal fragment size + configure: improve FreeBSD DCO check + dco: define OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT on FreeBSD + dco: print FreeBSD version + DCO: support key rotation notifications + dco-freebsd: dynamically re-allocate buffer if it's too small + +Lev Stipakov (63): + Rename dco_get_peer_stats to dco_get_peer_stats_multi + management: add timer to output BYTECOUNT + Introduce dco_get_peer_stats API and Windows implementation + git-version.py: proper support for tags + msvc: upgrade to Visual Studio 2022 + 
tun: move print_windows_driver() out of tun.h + openvpnmsica: remove dco installer custom actions + openvpnmsica: remove unused declarations + openvpnmsica: fix adapters discovery logic for DCO + Allow certain DHCP options to be used without DHCP server + dco-win: use proper calling convention on x86 + Improve format specifier for socket handle in Windows + Disable DCO if proxy is set via management + Add logging for windows driver selection process + Avoid management log loop with verb >= 6 + Support --inactive option for DCO + Fix '--inactive <time> 0' behavior for DCO + Print DCO client stats on SIGUSR2 + Don't overwrite socket flags when using DCO on Windows + Support of DNS domain for DHCP-less drivers + dco-win: support for --dev-node + tapctl: generate driver-specific adapter names + openvpnmsica: link C runtime statically + tun.c: enclose DNS domain in single quotes in WMIC call + manage.c: document missing KID parameter + Set WINS servers via interactice service + CMake: fix broken daemonization and syslog functionality + Warn user if INFO control command is too long + CMake: fix HAVE_DAEMON detection on Linux + dco-win: get driver version + dco: warn if DATA_V1 packets are sent to userspace + config.h: fix incorrect defines for _wopen() + Make --dns options apply for tap-windows6 driver + Warn if pushed options require DHCP + tun.c: don't attempt to delete DNS and WINS servers if they're not set + win32: Enforce loading of plugins from a trusted directory + interactive.c: disable remote access to the service pipe + interactive.c: Fix potential stack overflow issue + Disable DCO if proxy is set via management + misc.c: remove unused code + interactive.c: Improve access control for gui<->service pipe + Use a more robust way to get dco-win version + dco: better naming for function parameters + repair DNS address option + dco-win: factor out getting dco version + dco-win: enable mode server on supported configuration + dco-win: simplify do_close_link_socket() 
+ route.c: change the signature of get_default_gateway() + route.c: improve get_default_gateway() logic on Windows + mudp.c: keep offset value when resetting buffer + multi.c: add iroutes after dco peer is added + dco-win: disable dco in server mode if multiple --local options defined + dco-win: multipeer support + dco-win: simplify control packets prepend code + dco-win: kernel notifications + dco-win: support for iroutes + dco-win: Fix crash when cancelling pending operation + Remove UINT8_MAX definition + win: allow OpenVPN service account to use any command-line options + ssl_openssl.c: Prevent potential double-free + win: refactor get_windows_version() + win: create adapter on demand + win: remove Wintun support + +Marc Becker (5): + unify code path for adding PKCS#11 providers + use new pkcs11-helper interface to add providers + special handling for PKCS11 providers on win32 + vcpkg-ports/pkcs11-helper: support loader flags + vcpkg-ports/pkcs11-helper: bump to version 1.30 + +Marco Baffo (3): + tun: removed unnecessary route installations + IPv6 MADDR LOG: Wrap IPv6 addresses in square brackets and print port when the port is specified + get_default_gateway(): Prevent passing IPV4_INVALID_ADDR as a destination + +Martin Rys (1): + openvpn-[client|server].service: Remove syslog.target + +Matthias Andree (1): + make dist: Ship ovpn_dco_freebsd.h, too + +Max Fillinger (10): + Correct tls-crypt-v2 metadata length in man page + Fix message for too long tls-crypt-v2 metadata + Add support for mbedtls 3.X.Y + Update README.mbedtls + Disable TLS 1.3 support with mbed TLS + Enable key export with mbed TLS 3.x.y + Remove license warning from README.mbedtls + mbedtls: Remove support for old TLS versions + mbedtls: Warn if --tls-version-min is too low + Remove HAVE_EXPORT_KEYING_MATERIAL macro + +Michael Baentsch (1): + using OpenSSL3 API for EVP PKEY type name reporting + +Michael Nix (1): + fix typo in help text: --ignore-unknown-option + +Qingfang Deng (1): + dco: fix 
source IP selection when multihome + +Ralf Lici (3): + Fix check_addr_clash argument order + Handle missing DCO peer by restarting the session + Implement ovpn version detection + +Reynir Björnsson (2): + protocol_dump: tls-crypt support + Only schedule_exit() once + +Rémi Farault (1): + Add calls to nvlist_destroy to avoid leaks + +Samuli Seppänen (6): + Add t_server_null test suite + t_server_null: multiple improvements and fixes + t_server_null: persist test log files + t_server_null: forcibly kill misbehaving servers + t_server_null: use wait instead of marker files + Add lwip support to t_server_null + +Selva Nair (63): + Reduce default restart pause to 1 second + Do not include auth-token in pulled option digest + Persist DCO client data channel traffic stats on restart + Add remote-count and remote-entry query via management + Permit unlimited connection entries and remotes + Use a template for 'unsupported management commands' error + Allow skipping multple remotes via management interface + Properly unmap ring buffer file-map in interactive service + Use undo_lists for saving ring-buffer handles in interactive service + Cleanup: Close duplicated handles in interactive service + Preparing for better signal handling: some code refactoring + Refactor signal handling in openvpn_getaddrinfo + Use IPAPI for setting ipv6 routes when iservice not available + Fix signal handling on Windows + Assign and honour signal priority order + Distinguish route addition errors from route already exists + Propagate route error to initialization_completed() + Include CE_DISABLED status of remote in "remote-entry-get" response + Define and use macros for route addition status code + Warn when pkcs11-id or pkcs11-id-management options are ignored + Cleanup route error and debug logging on Windows + Fix one more 'existing route may get deleted' case + block-dns using iservice: fix a potential double free + Conditionally add subdir-objects option to automake + Build unit tests in 
mingw Windows build + cyryptapi.c: log the selected certificate's name + cryptoapi.c: remove pre OpenSSL-3.01 support + cryptoapi.c: simplify parsing of thumbprint hex string + Option --cryptoapicert: support issuer name as a selector + Add a unit test for functions in cryptoapi.c + Do not save pointer to 'struct passwd' returned by getpwnam etc. + Bugfix: Convert ECDSA signature form pkcs11-helper to DER encoded form + Import some sample certificates into Windows store for testing + Add tests for finding certificates in Windows cert store + Refactor SSL_CTX_use_CryptoAPI_certificate() + Add a test for signing with certificates in Windows store + Unit tests: add test for SSL_CTX_use_Cryptoapi_certificate() + Improve error message on short read from socks proxy + Make error in setting metric for IPv6 interface non-fatal + Bug-fix: segfault in dco_get_peer_stats() + Move digest_sign_verify out of test_cryptoapi.c + Unit tests: Test for PKCS#11 using a softhsm2 token + Enable pkcs11 an dtest_pkcs11 in github actions + Make cert_data.h and test_cryptoapi/pkcs11.c MSVC compliant + Format Windows error message in Unicode + Bugfix: dangling pointer passed to pkcs11-helper + Correctly handle Unicode names for exit event + Interactive service: do not force a target desktop for openvpn.exe + Improve signal handling using POSIX sigaction + signal_reset(): combine check and reset operations + Log OpenSSL errors on failure to set certificate + Document that auth-user-pass may be inlined + test_pkcs11.c: set file offset to 0 after ftruncate + proxy.c: Clear sensitive data after use + Protect cached username, password and token on client + Interpret --key and --cert option argument as URI + Add a test for loading certificate and key to ssl context + Add a test for loading certificate and key using file: URI + Initialize before use struct user_pass in ui_reader() + Static-challenge concatenation option + Add test for static-challenge concatenation option + Fix more of 
uninitialized struct user_pass local vars + Do not stop reading from file/uri when OPENSSL_STORE_load() returns error + +Sergey Korolev (1): + dco-linux: fix counter print format + +Shubham Mittal (2): + Add compatibility to build OpenVPN with AWS-LC. + Adding AWS-LC to the OpenVPN CI + +Shuji Furukawa (1): + Improve shuffling algorithm of connection list + +Steffan Karger (2): + Fix IPv6 route add/delete message log level + Improve data channel crypto error messages + +Timo Rothenpieler (1): + Don't clear capability bounding set on capng_change_id + +corubba (2): + Fix IPv6 in port-share journal + Fix port-share journal doc + +orbea (1): + configure: disable engines if OPENSSL_NO_ENGINE is defined + +rein.vanbaaren (1): + Fix MBEDTLS_DEPRECATED_REMOVED build errors + +wellweek (1): + remove repetitive words in documentation and comments + +yatta (1): + fix(ssl): init peer_id when init tls_multi + + diff --git a/Changes.rst b/Changes.rst index e297334..3ffa2cb 100644 --- a/Changes.rst +++ b/Changes.rst 
@@ -2,25 +2,58 @@ ========================== New features ------------ -TLS alerts - OpenVPN 2.7 will send out TLS alerts to peers informing them if the TLS - session shuts down or when the TLS implementation informs the peer about - an error in the TLS session (e.g. mismatching TLS versions). This improves - the user experience as the client shows an error instead of running into - a timeout when the server just stops responding completely. +Multi-socket support for servers + OpenVPN servers now can listen on multiple sockets at the same time. + Multiple ``--local`` statements in the configuration can be used to + configure this. This way the same server can e.g. listen for UDP + and TCP connections at the same time, or listen on multiple addresses + and/or ports. -Support for tun/tap via unix domain socket and lwipovpn support - To allow better testing and emulating a full client with a full - network stack OpenVPN now allows a program executed to provide - a tun/tap device instead of opening a device. +Client implementations for DNS options sent by server for Linux/BSD + Linux and BSD versions of OpenVPN now ship with a default ``dns-updown`` + script that implements proper handling of DNS configuration sent + by the server. The scripts should work on systems that use + ``systemd`` or ``resolveconf`` to manage the DNS setup, as well as + raw ``/etc/resolv.conf`` files. However, the exact features supported + will depend on the configuration method. On Linux this should usually + mean that split-DNS configurations are supported out-of-the-box now. - The co-developed lwipovpn program based on lwIP stack allows to - simulate full IP stack and an OpenVPN client using - ``--dev-node unix:/path/to/lwipovpn`` can emulate a full client that - can be pinged, can serve a website and more without requiring any - elevated permission. This can make testing OpenVPN much easier. 
+ Note that this new script will not be used by default if a ``--up`` + script is already in use to reduce problems with + backwards compatibility. - For more details see [lwipovpn on Gihtub](https://github.com/OpenVPN/lwipovpn). + See documentation for ``--dns-updown`` and ``--dns`` for more details. + +New client implementation for DNS options sent by server for Windows + The Windows client now uses NRPT (Name Resolution Policy Table) to + handle DNS configurations. This adds support for split-DNS and DNSSEC + and improves the compatbility with local DNS resolvers. Requires the + interactive service. + +On Windows the ``block-local`` flag is now enforced with WFP filters. + The ``block-local`` flag to ``--redirect-gateway`` and + ``--redirect-private`` is now also enforced via the Windows Firewall, + making sure packets can't be sent to the local network. + This provides stronger protection against TunnelCrack-style attacks. + +Windows network adapters are now generated on demand + This means that on systems that run multiple OpenVPN connections at + the same time the users don't need to manually create enough network + adapters anymore (in addition to the ones created by the installer). + +Windows automatic service now runs as an unpriviledged user + All tasks that need privileges are now delegated to the interactive + service. + +Support for new version of Linux DCO module + OpenVPN DCO module is moving upstream and being merged into the + main Linux kernel. For this process some API changes were required. + OpenVPN 2.7 will only support the new API. The new module is called + ``ovpn``. Out-of-tree builds for older kernels are available. Please + see the release announcements for futher information. + +Support for server mode in win-dco driver + On Windows the win-dco driver can now be used in server setups. Enforcement of AES-GCM usage limit OpenVPN will now enforce the usage limits on AES-GCM with the same 
@@ -30,11 +63,6 @@ https://datatracker.ietf.org/doc/draft-irtf-cfrg-aead-limits/ -Default ciphers in ``--data-ciphers`` - Ciphers in ``--data-ciphers`` can contain the string DEFAULT that is - replaced by the default ciphers used by OpenVPN, making it easier to - add an allowed cipher without having to spell out the default ciphers. - Epoch data keys and packet format This introduces the epoch data format for AEAD data channel ciphers in TLS mode ciphers. This new data format has a number of 
@@ -49,15 +77,46 @@ - IV constructed with XOR instead of concatenation to not have (parts) of the real IV on the wire +Default ciphers in ``--data-ciphers`` + Ciphers in ``--data-ciphers`` can contain the string DEFAULT that is + replaced by the default ciphers used by OpenVPN, making it easier to + add an allowed cipher without having to spell out the default ciphers. + +TLS alerts + OpenVPN 2.7 will send out TLS alerts to peers informing them if the TLS + session shuts down or when the TLS implementation informs the peer about + an error in the TLS session (e.g. mismatching TLS versions). This improves + the user experience as the client shows an error instead of running into + a timeout when the server just stops responding completely. + +Support for tun/tap via unix domain socket and lwipovpn support + To allow better testing and emulating a full client with a full + network stack OpenVPN now allows a program executed to provide + a tun/tap device instead of opening a device. + + The co-developed lwipovpn program based on lwIP stack allows to + simulate full IP stack. An OpenVPN client using + ``--dev-node unix:/path/to/lwipovpn`` can emulate a full client that + can be pinged, can serve a website and more without requiring any + elevated permission. This can make testing OpenVPN much easier. + + For more details see [lwipovpn on Gihtub](https://github.com/OpenVPN/lwipovpn). + Allow overriding username with ``--override-username`` This is intended to allow using auth-gen-token in scenarios where the clients use certificates and multi-factor authentication. This will also generate a 'push "auth-token-user newusername"' directives in push replies. +``--port-share`` now properly supports IPv6 + Issues with logging of IPv6 addresses were fixed. The feature now allows + IPv6 connections towards the proxy receiver. + +Support for Haiku OS + Deprecated features ------------------- -``secret`` support has been removed by default. 
+``secret`` support has been removed (by default). static key mode (non-TLS) is no longer considered "good and secure enough" for today's requirements. Use TLS mode instead. If deploying a PKI CA is considered "too complicated", using ``--peer-fingerprint`` makes @@ -67,6 +126,14 @@ ``--allow-deprecated-insecure-static-crypto`` but will be removed in OpenVPN 2.8. +Support for wintun Windows driver has been removed. + OpenVPN 2.6 added support for the new dco-win driver, so it supported + three different device drivers: dco-win, wintun, and tap-windows6. + OpenVPN 2.7 now drops the support for wintun driver. By default + all modern configs should be supported by dco-win driver. In all + other cases OpenVPN will fall back automatically to tap-windows6 + driver. + NTLMv1 authentication support for HTTP proxies has been removed. This is considered an insecure method of authentication that uses obsolete crypto algorithms. 
@@ -78,28 +145,34 @@ ``persist-key`` option has been enabled by default. All the keys will be kept in memory across restart. -Default for ``--topology`` changed to ``subnet`` for ``--mode server`` - Previous releases always used ``net30`` as default. This only affects - configs with ``--mode server`` or ``--server`` (the latter implies the - former), and ``--dev tun``, and only if IPv4 is enabled. - Note that this changes the semantics of ``--ifconfig``, so if you have - manual settings for that in your config but not set ``--topology`` - your config might fail to parse with the new version. Just adding - ``--topology net30`` to the config should fix the problem. - By default ``--topology`` is pushed from server to client. - -OpenSSL 1.0.2 support +OpenSSL 1.0.2 support has been removed. Support for building with OpenSSL 1.0.2 has been removed. The minimum supported OpenSSL version is now 1.1.0. -Compression on send +Support for mbedTLS older than 2.18.0 has been removed. + We now require all SSL libraries to have support for exporting + keying material. The only previously supported library versions + this affects are older mbedTLS releases. + +Compression on send has been removed. OpenVPN 2.7 will never compress data before sending. Decompression of received data is still supported. ``--allow-compression yes`` is now an alias for ``--allow-compression asym``. + User-visible Changes -------------------- +- Default for ``--topology`` changed to ``subnet`` for ``--mode server``. + Previous releases always used ``net30`` as default. This only affects + configs with ``--mode server`` or ``--server`` (the latter implies the + former), and ``--dev tun``, and only if IPv4 is enabled. + Note that this changes the semantics of ``--ifconfig``, so if you have + manual settings for that in your config but not set ``--topology`` + your config might fail to parse with the new version. Just adding + ``--topology net30`` to the config should fix the problem. 
+ By default ``--topology`` is pushed from server to client. + - ``--x509-username-field`` will no longer automatically convert fieldnames to uppercase. This is deprecated since OpenVPN 2.4, and has now been removed. @@ -108,6 +181,38 @@ And finite field Diffie Hellman is in the proces of being deprecated (see draft-ietf-tls-deprecate-obsolete-kex) +- ``--lport 0`` does not imply ``--bind`` anymore. + +- ``--redirect--gateway`` now works correctly if the VPN remote is not + reachable by the default gateway. + +- ``--show-gateway`` now supports querying the gateway for IPv4 addresses. + +- ``--static-challenge`` option now has a third parameter ``format`` that + can change how password and challenge response should be combined. + +- ``--key`` and ``--cert`` now accept URIs implemented in OpenSSL 3 as well as + optional OpenSSL 3 providers loaded using ``--providers`` option. + +- ``--cryptoapicert`` now supports issuer name as well as Windows CA template + name or OID as selector string. + +- TLS handshake debugging information contains much more details now when + using recent versions of OpenSSL. + +- The ``IV_PLAT_VER`` variable sent by Windows clients now contains the + full Windows build version to make it possible to determine the + Windows 10 or Windows 11 version used. + +- The ``--windows-driver`` option to select between various windows + drivers will no longer do anything - it's kept so existing configs + will not become invalid, but it is ignored with a warning. The default + is now ``ovpn-dco`` if all options used are compatible with DCO, with + a fallback to ``tap-windows6``. To force TAP (for example because a + server pushes DCO incompatible options), use the ``--disable-dco`` + option. + + Overview of changes in 2.6 ========================== diff --git a/tests/unit_tests/openvpn/Makefile.am b/tests/unit_tests/openvpn/Makefile.am index 471389b..fc47287 100644 --- a/tests/unit_tests/openvpn/Makefile.am +++ b/tests/unit_tests/openvpn/Makefile.am 
@@ -43,7 +43,7 @@ argv_testdriver_CFLAGS = -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat @TEST_CFLAGS@ argv_testdriver_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn -Wl,--wrap=parse_line -argv_testdriver_SOURCES = test_argv.c mock_msg.c mock_msg.h \ +argv_testdriver_SOURCES = test_argv.c mock_msg.c mock_msg.h test_common.h \ mock_get_random.c \ $(top_srcdir)/src/openvpn/platform.c \ $(top_srcdir)/src/openvpn/buffer.c \ @@ -52,7 +52,7 @@ buffer_testdriver_CFLAGS = -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat @TEST_CFLAGS@ buffer_testdriver_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn -Wl,--wrap=parse_line -buffer_testdriver_SOURCES = test_buffer.c mock_msg.c mock_msg.h \ +buffer_testdriver_SOURCES = test_buffer.c mock_msg.c mock_msg.h test_common.h \ mock_get_random.c \ $(top_srcdir)/src/openvpn/win32-util.c \ $(top_srcdir)/src/openvpn/platform.c @@ -61,7 +61,7 @@ -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ @TEST_CFLAGS@ crypto_testdriver_LDFLAGS = @TEST_LDFLAGS@ -crypto_testdriver_SOURCES = test_crypto.c mock_msg.c mock_msg.h \ +crypto_testdriver_SOURCES = test_crypto.c mock_msg.c mock_msg.h test_common.h \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/crypto.c \ $(top_srcdir)/src/openvpn/crypto_mbedtls.c \ @@ -78,7 +78,7 @@ -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ @TEST_CFLAGS@ ssl_testdriver_LDFLAGS = @TEST_LDFLAGS@ $(OPTIONAL_CRYPTO_LIBS) -ssl_testdriver_SOURCES = test_ssl.c mock_msg.c mock_msg.h \ +ssl_testdriver_SOURCES = test_ssl.c mock_msg.c mock_msg.h test_common.h \ mock_management.c mock_ssl_dependencies.c mock_win32_execve.c \ $(top_srcdir)/src/openvpn/argv.c \ $(top_srcdir)/src/openvpn/base64.c \ 
@@ -114,7 +114,7 @@ -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ @TEST_CFLAGS@ packet_id_testdriver_LDFLAGS = @TEST_LDFLAGS@ -packet_id_testdriver_SOURCES = test_packet_id.c mock_msg.c mock_msg.h \ +packet_id_testdriver_SOURCES = test_packet_id.c mock_msg.c mock_msg.h test_common.h \ mock_get_random.c \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/otime.c \ @@ -128,7 +128,7 @@ -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ @TEST_CFLAGS@ pkt_testdriver_LDFLAGS = @TEST_LDFLAGS@ -pkt_testdriver_SOURCES = test_pkt.c mock_msg.c mock_msg.h mock_win32_execve.c \ +pkt_testdriver_SOURCES = test_pkt.c mock_msg.c mock_msg.h mock_win32_execve.c test_common.h \ $(top_srcdir)/src/openvpn/argv.c \ $(top_srcdir)/src/openvpn/base64.c \ $(top_srcdir)/src/openvpn/buffer.c \ @@ -156,7 +156,7 @@ -Wl,--wrap=buffer_write_file \ -Wl,--wrap=parse_line \ -Wl,--wrap=rand_bytes -tls_crypt_testdriver_SOURCES = test_tls_crypt.c mock_msg.c mock_msg.h \ +tls_crypt_testdriver_SOURCES = test_tls_crypt.c mock_msg.c mock_msg.h test_common.h \ mock_win32_execve.c \ $(top_srcdir)/src/openvpn/argv.c \ $(top_srcdir)/src/openvpn/base64.c \ diff --git a/version.m4 b/version.m4 index 091cc5d..4c3b7c8 100644 --- a/version.m4 +++ b/version.m4 
@@ -3,7 +3,7 @@ define([PRODUCT_TARNAME], [openvpn]) define([PRODUCT_VERSION_MAJOR], [2]) define([PRODUCT_VERSION_MINOR], [7]) -define([PRODUCT_VERSION_PATCH], [_git]) +define([PRODUCT_VERSION_PATCH], [_alpha1]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]]) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1032?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I80a14b77fcc2fabf51af9f2d5ea0c36362cccb91 Gerrit-Change-Number: 1032 Gerrit-PatchSet: 7 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: cron2 <ge...@gr...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-CC: selvanair <sel...@gm...> Gerrit-CC: stipa <lst...@gm...> Gerrit-MessageType: merged |
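Review bot: several spelling errors in the added lines of the `@@ -2,25 +2,58 @@` hunk of Changes.rst should be fixed before the release text ships: ``resolveconf`` should be ``resolvconf`` (the name of the tool), ``compatbility`` should be ``compatibility``, ``unpriviledged`` should be ``unprivileged``, and ``futher`` should be ``further``. The sentence "Note that this new script will not be used by default if a ``--up`` script is already in use to reduce problems with backwards compatibility." reads as if the ``--up`` script exists to reduce problems; suggest "For backwards compatibility, the new script is not used by default when an ``--up`` script is already configured."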
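Review bot: the link added in the `@@ -49,15 +77,46 @@` hunk uses Markdown syntax inside an RST file and misspells GitHub: `For more details see [lwipovpn on Gihtub](https://github.com/OpenVPN/lwipovpn).` will not render as a link in Changes.rst; use `` `lwipovpn on GitHub <https://github.com/OpenVPN/lwipovpn>`_ `` instead. The same hunk adds the term `Support for Haiku OS` with no body, unlike every other entry in the list; a one-line body is enough, for example the scope visible in the ChangeLog of this change (basic platform and tun support plus routing table management).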
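Review bot: driver naming is inconsistent across the added text. The `@@ -67,6 +126,14 @@` hunk calls it the "dco-win driver", the New features section in the `@@ -2,25 +2,58 @@` hunk says "win-dco driver", and the ``--windows-driver`` bullet in the `@@ -108,6 +181,38 @@` hunk says the default is ``ovpn-dco``. If ``ovpn-dco`` is the option value and dco-win the driver's name, say so once where the driver is first mentioned; otherwise settle on one spelling throughout Changes.rst.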
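Review bot: in the `@@ -78,28 +145,34 @@` hunk the new term line `OpenSSL 1.0.2 support has been removed.` is immediately followed by the body `Support for building with OpenSSL 1.0.2 has been removed.`, so the same statement is made twice; keep the term and reduce the body to the sentence that carries new information: `The minimum supported OpenSSL version is now 1.1.0.`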
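Review bot: the `@@ -108,6 +181,38 @@` hunk adds `- ``--redirect--gateway`` now works correctly if the VPN remote is not` with a doubled hyphen in the option name; it should read ``--redirect-gateway``, matching the spelling used in the `@@ -2,25 +2,58 @@` hunk. In the ``--windows-driver`` bullet of the same hunk, "various windows drivers" should be "Windows" as elsewhere in the file.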
From: cron2 (C. Review) <ge...@op...> - 2025-05-28 19:10:03
cron2 has uploaded a new patch set (#7) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/1032?usp=email ) Change subject: OpenVPN Release 2.7_alpha1 ...................................................................... OpenVPN Release 2.7_alpha1 version.m4, ChangeLog, Changes.rst (ChangeLog in "master" will revert to its normal state of "empty" after release/2.7 is forked off into its own branch) Additionally, add test_common.h to tests/unit_tests/openvpn/Makefile.am (..._SOURCES) so it's packed into the "make dist" tarball Change-Id: I80a14b77fcc2fabf51af9f2d5ea0c36362cccb91 Signed-off-by: Frank Lichtenheld <fr...@li...> --- M ChangeLog M Changes.rst M tests/unit_tests/openvpn/Makefile.am M version.m4 4 files changed, 903 insertions(+), 46 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/32/1032/7 diff --git a/ChangeLog b/ChangeLog index c26dd2e..c6e626b 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,7 +1,759 @@ OpenVPN ChangeLog -Copyright (C) 2002-2024 OpenVPN Inc <sa...@op...> +Copyright (C) 2002-2025 OpenVPN Inc <sa...@op...> -This file is not maintained in this branch of the OpenVPN git repository. +2025.05.28 -- Version 2.7_alpha1 -Release branches (release/2.5, release/2.4, etc) have individual ChangeLog -files with all changes relevant for these releases. +5andr0 (1): + Implement server_poll_timeout for socks + +Alexander von Gluck (4): + Haiku: Introduce basic platform / tun support + Haiku: Add calls to manage routing table + Haiku: change del to delete in route command. del is undocumented + Haiku: Fix short interface path length + +Antonio Quartulli (32): + disable DCO if --secret is specified + dco: properly re-initialize dco_del_peer_reason + dco: bail out when no peer-specific message is delivered + dco: improve comment about hidden debug message + dco: print proper message in case of transport disconnection + dco_linux: update license for ovpn_dco_linux.h + Update issue templates + Avoid warning about missing braces when initialising key struct + dco: don't use NetLink to exchange control packets + dco: print version to log if available + dco-linux: remove M_ERRNO flag when printing netlink error message + multi: don't call DCO APIs if DCO is disabled + dco-freebsd: use m->instances[] instead of m->hash + dco-linux: implement dco_get_peer_stats{, multi} API + configure.ac: fix typ0 in LIBCAPNG_CFALGS + dco: fix crash when --multihome is used with --proto tcp + dco: mark peer as deleted from kernel after receiving CMD_DEL_PEER notification + event/multi: add event_arg object to make event handling more generic + pass link_socket object to i/o functions + io_work: convert shift argument to uintptr_t + io_work: pass event_arg object to event handler in case of socket event + sitnl: replace NLMSG_TAIL macro with noinline function + override ai_family if 'local' numeric address was specified + Adapt socket handling to support listening on 
multiple sockets + allow user to specify 'local' multiple times in config files + dco_linux: extend netlink error cb with extra info + man: extend --persist-tun section + dco: pass remoteaddr only for UDP peers + socket: use remote proto when creating client sockets + dco_linux: fix peer stats parsing with new ovpn kernel module + socket: don't transfer bind family to socket in case of ANY address + dco_linux: avoid bogus text when netlink message is not parsed + +Aquila Macedo (1): + doc: Correct typos in multiple documentation files + +Arne Schwabe (190): + Fix connection cookie not including address and fix endianness in test + Fix unit test of test_pkt on little endian Linux + Disable DCO when TLS mode is not used + Ignore connection attempts while server is shutting down + Improve debug logging of DCO swap key message and Linux dco_new_peer + Trigger a USR1 if dco_update_keys fails + Set DCO_NOT_INSTALLED also for keys not in the get_key_scan range + Ensure that argument to parse_line has always space for final sentinel + Improve documentation on user/password requirement and unicodize function + Eliminate or comment empty blocks and switch fallthrough + Remove unused gc_arena + Fix corner case that might lead to leaked file descriptor + Deprecate NTLMv1 proxy auth method. 
+ Use include "buffer.h" instead of include <buffer.h> + Ensure that dco keepalive and mssfix options are also set in pure p2p mode + Make management password check constant time + Rename TM_UNTRUSTED to TM_INITIAL, always start session in TM_INITIAL rather than TM_ACTIVE or TM_INITIAL + Move dco_installed back to link_socket from link_socket.info.actual + Do not set nl socket buffer size + Also drop incoming dco packet content when dropping the packet + Improve logging when seeing a message for an unkown peer + Ignore OVPN_DEL_PEER_REASON_USERSPACE to avoid race conditions + Replace custom min macro and use more C99 style in man_remote_entry_get + Replace realloc with new gc_realloc function + Add connect-freq-initial option to limit initial connection responses + Log peer-id if loglevel is D_DCO_DEBUG and dco is enabled + Deprecate OCC checking + Workaround: make ovpn-dco more reliable + Fix unaligned access in auth-token + Update LibreSSL to 3.7.0 in Github actions + Add printing USAN stack trace on github actions + Fix LibreSSL not building in Github Actions + Add missing stdint.h includes in unit tests files + Combine extra_tun/frame parameter of frame_calculate_payload_overhead + Update the last sections in the man page to a be a bit less outdated + Add building unit tests with mingw to github actions + Revise the cipher negotiation info about OpenVPN3 in the man page + Exit if a proper message instead of segfault on Android without management + Use proper print format/casting when converting msg_channel handle + Reduce initialisation spam from verb <= 3 and print summary instead + Dynamic tls-crypt for secure soft_reset/session renegotiation + Set netlink socket to be non-blocking + Ensure n = 2 is set in key2 struct in tls_crypt_v2_unwrap_client_key + Fix memory leaks in open_tun_dco() + Fix memory leaks in HMAC initial packet generation + Use key_state instead of multi for tls_send_payload parameter + Make sending plain text control message session aware + 
Only update frame calculation if we have a valid link sockets + Improve description of compat-mode + Simplify --compress parsing in options.c + Refuse connection if server pushes an option contradicting allow-compress + Add 'allow-compression stub-only' internally for DCO + Parse compression options and bail out when compression is disabled + Remove unused variable line + Add Apache2 linking with for new commits + Fix compile error on TARGET_ANDROID + Fix use-after-free with EVP_CIPHER_free + Remove key_type argument from generate_key_random + add basic CMake based build + Avoid unused function warning/error on FreeBSD (and potientially others) + Do not blindly assume python3 is also the interpreter that runs rst2html + Only add -Wno-stringop-truncation on supported compilers + fix warning with gcc 12.2.0 (compiler bug?) + Fix CR_RESPONSE mangaement message using wrong key_id + Print a more user-friendly error when tls-crypt-v2 client auth fails + Ignore Ipv6 route delete request on Android and set ipv4 verbosity to 7 + Mock openvpn_exece on win32 also for test_tls_crypt + Check if the -wrap argument is actually supported by the platform's ld + Revert commit 423ced962d + Implement using --peer-fingerprint without CA certificates + show extra info for OpenSSL errors + Remove ability to use configurations without TLS by default + Add warning for the --show-groups command that some groups are missing + Print peer temporary key details + Add warning if a p2p NCP client connects to a p2mp server + Remove openssl engine method for loading the key + Add undefined and abort on error to clang sanitize builds + Add --enable-werror to all platforms in Github Actions + Remove saving initial frame code + Double check that we do not use a freed buffer when freeing a session + Fix using to_link buffer after freed + Remove CMake custom compiler flags for RELEASE and DEBUG build + Do not check key_state buffers that are in S_UNDEF state + Remove unused function prototype 
crypto_adjust_frame_parameters + Introduce report_command_status helper function + Log SSL alerts more prominently + Remove unused/unneeded/add missing defines from configure/cmake + Document tls-exit option mainly as test option + Remove dead remains of extract_x509_field_test + Replace character_class_debug with proper unit test + Remove TEST_GET_DEFAULT_GATEWAY as it duplicates --show-gateway + Fix check_session_buf_not_used using wrong index + Add missing check for nl_socket_alloc failure + Add check for nice in cmake config + Minimal Solaris/OpenIndiana support to Cmake and clean up -Werror + Remove compat versionhelpers.h and remove cmake/configure check for it + Rename state_change to continue_tls_process + Move tls_get_cipher_name_pair and get_num_elements to ssl_utils.c + Fix building mbed TLS with CMake and allow specifying custom directories + Extend the error message when TLS 1.0 PRF fails + Fix unaligned access in macOS, FreeBSD, Solaris hwaddr + Check PRF availability on initialisation and add --force-tls-key-material-export + Make it more explicit and visible when pkg-config is not found + Clarify that the tls-crypt-v2-verify has a very limited env set + Move get_tmp_dir to win32-util.c and error out on failure + Implement the --tls-export-cert feature + Use mingw compile definition also to unit tests + Add test_ssl unit test and test export of PEM to file + Remove conditional text for Apache2 linking exception + Fix ssl unit tests on OpenSSL 1.0.2 + Ensure that all unit tests use unbuffered stdout and stderr + Allow unit tests to fall back to hard coded location + Add unit test for encrypting/decrypting data channel + Print SSL peer signature information in handshake debug details + Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs + Turn dead list test code into unit test + Use snprintf instead of sprintf for get_ssl_library_version + Fix snprintf/swnprintf related compiler warnings + Add bracket in fingerprint message and do not warn 
about missing verification + Match ifdef for get_sigtype function with if ifdef of caller + Remove/combine redundant call of EVP_CipherInit before EVP_CipherInit_Ex + Add missing EVP_KDF_CTX_free in ssl_tls1_PRF + Replace macos11 with macos14 in github runners + Remove openvpn_snprintf and similar functions + Repeat the unknown command in errors from management interface + Only run coverity scan in OpenVPN/OpenVPN repository + Support OpenBSD with cmake + Workaround issue in LibreSSL crashing when enumerating digests/ciphers + Remove OpenSSL 1.0.2 support + Remove custom TLS 1.0 PRF implementation only used by LibreSSL/wolfSSL + Allow the TLS session to send out TLS alerts + Properly handle null bytes and invalid characters in control messages + Allow trailing \r and \n in control channel message + Add Ubuntu 24.04 runner to Github Actions + Implement support for AEAD tag at the end + Remove check for anonymous unions from configure and cmake config + Make read/write_tun_header static + Avoid SIGUSR1 to SIGHUP remapping when the configuration is read from stdin + Move to common backend_driver type in struct tuntap + Introduce DRIVER_AFUNIX backend for use with lwipovpn + Change dev null to be a driver type instead of a special mode of tun/tap + Use print_tun_backend_driver instead of custom code to print type + Automatically enable ifconfig-exec/route-exec behaviour for afunix tun/tap + Ensure that the AF_UNIX socket pair has at least 65k of buffer space + Fix check for CMake not detecting struct cmsg + Remove null check after checking for checking for did_open_tun + Remove a large number of unused structs and functions + Remove unused methods write_key/read_key + Refuse clients if username or password is longer than USER_PASS_LEN + Move should_trigger_renegotiation into its own function + Change --reneg-bytes and --reneg-packets to 64 bit counters + Use XOR instead of concatenation for calculation of IV from implicit IV + Trigger renegotiation of data key if 
getting close to the AEAD usage limit + Implement HKDF expand function based on RFC 8446 + Split init_key_ctx_bi into send/recv init + Move initialisation of implicit IVs to init_key_ctx_bi methods + Change internal id of packet id to uint64 + Add small unit test for buf_chomp + Add building/testing with msbuild and the clang compiler + Ensure that Python3 is available + Change API of init_key_ctx to use struct key_parameters + Allow DEFAULT in data-ciphers and report both expanded and user set option + Do not attempt to decrypt packets anymore after 2**36 failed decryptions + Add methods to read/write packet ids for epoch data + Implement methods to generate and manage OpenVPN Epoch keys + Rename aead-tag-at-end to aead-epoch + Improve peer fingerprint documentation + Remove comparing username to NULL in tls_lock_username + Print warnings/errors when numerical parameters cannot be parsed + Add unit tests for atoi parsing options helper + Improve error reporting from AF_UNIX tun/tap support + Fix typo in positive_atoi + Fix oversight of link socket code change in Android code path + Implement epoch key data format + Extend the unit test for data channel packets with aead limit tests + Add (fake) Android cmake building + Add android build to Github Actions + Reconnect when TCP is on use on network-change management command + Implement override-username + Fix incorrect condition for checking password related check + Directly use _countof in array initialisation + Improve documentation for override-username + Mention address if not unspecific on DNS failure + Do not leave half-initialised key wrap struct when dynamic tls-crypt fails + Allow tls-crypt-v2 to be setup only on initial packet of a session + Use SSL_get0_peer_signature_name instead of SSL_get_peer_signature_nid + Use USER_PASS_LEN instead of TLS_USERNAME_LEN for override-username + Also print key agreement when printing negotiated details + Fix mbed TLS key exporter functionality in 3.6.x and cmake + Make 
--dh none behaviour default if not specified + +Ben Boeckel (1): + console_systemd: remove the timeout when using 'systemd-ask-password' + +Christoph Schug (1): + Update documentation references in systemd unit files + +Corubba Smith (3): + Support IPv6 towards port-share proxy receiver + Document x509-username-fields oid usage + Remove x509-username-fields uppercasing + +David Sommerseth (4): + ssl_verify: Fix memleak if creating deferred auth control files fails + ntlm: Clarify details on NTLM phase 3 decoding + Remove --tls-export-cert + Remove superfluous x509_write_pem() + +Franco Fichtner (1): + Allow to set ifmode for existing DCO interfaces in FreeBSD + +Frank Lichtenheld (174): + options.c: fix format security error when compiling without optimization + options.c: update usage description of --cipher + Update copyright year to 2023 + xkey_pkcs11h_sign: fix dangling pointer + options: Always define options->management_flags + check_engine_keys: make pass with OpenSSL 3 + documentation: update 'unsupported options' section + Changes.rst: document removal of --keysize + Windows: fix unused function setenv_foreign_option + Windows: fix unused variables in delete_route_ipv6 + Windows: fix wrong printf format in x_check_status + Windows: fix unused variable in win32_get_arch + configure: enable DCO by default on FreeBSD/Linux + Windows: fix signedness errors with recv/send + configure: fix formatting of --disable-lz4 and --enable-comp-stub + tests/unit_tests: Fix 'make distcheck' with subdir-objects enabled + GHA: remove Ubuntu 18.04 builds + vcpkg: request "tools" feature of openssl for MSVC build + Do not include net/in_systm.h + version.sh: remove + doc: run rst2* with --strict to catch warnings + man page: Remove cruft from --topology documentation + tests: do not include t_client.sh in dist + vcpkg-ports/pkcs11-helper: Make compatible with mingw build + vcpkg-ports/pkcs11-helper: Convert CONTROL to vcpkg.json + vcpkg-ports/pkcs11-helper: reference upstream 
PRs in patches + dco_linux: properly close dco version file + DCO: fix memory leak in dco_get_peer_stats_multi for Linux + Fix two unused assignments + sample-plugins: Fix memleak in client-connect example plugin + tests: Allow to override openvpn binary used + test_buffer: add tests for buf_catrunc and its caller format_hex_ex + buffer: use memcpy in buf_catrunc + options: remove --key-method from usage message + msvc-generate: include version.m4.in in tarball + dist: add more missing files only used in the MSVC build + vcpkg-ports/pkcs11-helper: rename patches to make file names shorter + unit_tests: Add missing cert_data.h to source list for unit tests + dist: Include all documentation in distribution + CMake: Add complete MinGW and MSVC build + Remove all traces of the previous MSVC build system + CMake: Add /Brepro to MSVC link options + GHA: update to run-vcpkg@v11 + test_tls_crypt: Improve mock() usage to be more portable + CMake: Throw a clear error when config.h in top-level source directory + CMake: Support doc builds on Windows machines that do not have .py file association + Remove old Travis CI related files + README.cmake.md: Add new documentation for CMake buildsystem + GHA: refactor mingw UTs and add missing tls_crypt + GHA: Add macos-13 + options: Do not hide variables from parent scope + pkcs11_openssl: Disable unused code + route: Fix overriding return value of add_route3 + CMake: various small non-functional improvements + GHA: do not trigger builds in openvpn-build anymore + Remove --no-replay option + GHA: new workflow to submit scan to Coverity Scan service + doc: fix argument name in --route-delay documentation + Change type of frame.mss_fix to uint16_t + Remove last uses of inet_ntoa + mss/mtu: make all size calculations use size_t + dev-tools/gerrit-send-mail.py: tool to send Gerrit patchsets to Patchwork + gerrit-send-mail.py: Add patch version to subject + Add mbedtls3 GHA build + platform.c: Do not depend Windows build on HAVE_CHDIR + 
sample-keys: renew for the next 10 years + GHA: clean up libressl builds with newer libressl + configure.ac: Remove unused AC_TYPE_SIGNAL macro + documentation: remove reference to removed option --show-proxy-settings + unit_tests: remove includes for mock_msg.h + buffer: add documentation for string_mod and extend related UT + tests: disable automake serial_tests + documentation: improve documentation of --x509-track + configure: allow to disable NTLM + configure: enable silent rules by default + misc: make get_auth_challenge static + Remove support for NTLM v1 proxy authentication + GHA: increase verbosity for make check + NTLM: add length check to add_security_buffer + NTLM: increase size of phase 2 response we can handle + Fix various 'Uninitialized scalar variable' warnings from Coverity + proxy-options.rst: Add proper documentation for --http-proxy-user-pass + NTLM: when NTLMv1 is requested, try NTLMv2 instead + buf_string_match_head_str: Fix Coverity issue 'Unsigned compared against 0' + --http-proxy-user-pass: allow to specify in either order with --http-proxy + test_user_pass: new UT for get_user_pass + test_user_pass: Add UTs for character filtering + gerrit-send-mail: Make output consistent across systems + README.cmake.md: Document minimum required CMake version for --preset + documentation: Update and fix documentation for --push-peer-info + documentation: Fixes for previous fixes to --push-peer-info + test_user_pass: add basic tests for static/dynamic challenges + Fix typo --data-cipher-fallback + samples: Remove tls-*.conf + check_compression_settings_valid: Do not test for LZ4 in LZO check + t_client.sh: Allow to skip tests + gerrit-send-mail: add missing Signed-off-by + Update Copyright statements to 2024 + GHA: general update March 2024 + samples: Update sample configurations + documentation: make section levels consistent + phase2_tcp_server: fix Coverity issue 'Dereference after null check' + script-options.rst: Update ifconfig_* variables + 
crypto_backend: fix type of enc parameter + tests: fork default automake test-driver + forked-test-driver: Show test output always + Change default of "topology" to "subnet" + Use topology default of "subnet" only for server mode + Fix 'binary or' vs 'boolean or' related to server_bridge_proxy_dhcp + configure: update old copy of pkg.m4 + LZO: do not use lzoutils.h macros + test_user_pass: Fix building with --enable-systemd + Remove "experimental" denotation for --fast-io + t_server_null.sh: Fix failure case + configure: Add -Wstrict-prototypes and -Wold-style-definition + configure: Try to detect LZO with pkg-config + configure: Switch to C11 by default + Fix missing spaces in various messages + console_systemd: rename query_user_exec to query_user_systemd + configure: Allow to detect git checkout if .git is not a directory + GHA: Configure Renovate + configure: Try to use pkg-config to detect mbedTLS + tun: use is_tun_p2p more consistently + Various fixes for -Wconversion errors + generate_auth_token: simplify code + GHA: Update dependency Mbed-TLS/mbedtls to v3.6.1 + GHA: Enable t_server_null tests + configure: Handle libnl-genl and libcap-ng consistent with other libs + configure: Review use of standard AC macros + socket: Change return types of link_socket_write* to ssize_t + GHA: Pin dependencies + GHA: Update macOS runners + GHA: Simplify macOS builds + Remove support for compression on send + Fix wrong doxygen comments + Various typo fixes + macOS: Assume that net/if_utun.h is always present + Fix some formatting related to if/else and macros + Fix memory leak in ntlm_support + forward: Fix potential unaligned access in drop_if_recursive_routing + GHA: General update December 2024 + Review doxygen warnings + Regenerate doxygen config file with doxygen -u + Fix 'uninitialized pointer read' in openvpn_decrypt_aead + ssl_openssl: Clean up unused functions and add missing "static" + Fix some trivial sign-compare compiler warnings + 
tls_crypt_v2_write_client_key_file: Fix missing-field-initializers compiler warning + openvpnserv: Fix some inconsistent usages of TEXT() + Fix doxygen warnings in crypto_epoch.h + GHA: Drop Ubuntu 20.04 and other maintenance + GHA: Publish Doxygen documentation to Github Pages + Add more 'intentional fallthrough' comments + Remove various unused function parameters + Remove unused function check_subnet_conflict + options: Cleanup and simplify options_postprocess_verify_ce + Apply text-removal.sh script to Windows codebase + openvpnserv: Clean up use of TEXT() from DNS patches + Post tchar.h removal cleanup + Fix compatibility with mbedTLS 2.28.10+ and 3.6.3+ + t_server_null_default.rc: Add some tests with --data-ciphers + GHA: Pin version of CMake for all builds + GHA: Dependency and Actions update April 2025 + GHA: Make sure renovate notifies us about AWS LC releases + Doxygen: Fix obsolete links to OpenSSL documentation + GHA: Use CMake 4.0 and apply required fixes + Doxygen: Clean up tls-crypt documentation + Doxygen: Remove useless Python information + Manually reformat some long trailing comments + CMake: Make sure to treat UNIT_TEST_SOURCEDIR as path + CMake: Sync list of compiler flags with configure.ac + CMake: Reorganize header and symbol tests + GHA: Dependency and Actions update May 2025 + Doxygen: Fix missing parameter warnings + Changes.rst: Collect, fix, and improve entries for 2.7 release + +George Pchelkin (1): + fix typo: dhcp-options to dhcp-option in vpn-network-options.rst + +Gert Doering (21): + Change version.m4 to 2.7_git + bandaid fix for TCP multipoint server crash with Linux-DCO + Undo FreeBSD 12.x workaround on IPv6 ifconfig for 12.4 and up + Reduce logspam about 'dco_update_keys: peer_id=-1' in p2p server mode + Fix OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT breakage on FreeBSD+DCO + Repair special-casing of EEXIST for Linux/SITNL route install + Get rid of unused 'bool tuntap_buffer' arguments. 
+ FreeBSD 12.x workaround for IPv6 ifconfig is needed on 12.4 as well + Make received OCC exit messages more visible in log. + OpenBSD: repair --show-gateway + get_default_gateway() HWADDR overhaul + make t_server_null 'server alive?' check more robust + t_client.sh: conditionally skip ifconfig+route check + send uname() release as IV_PLAT_VER= on non-windows versions + options: add IPv4 support to '--show-gateway <arg>' + get_default_gateway(): implement platform support for Linux/SITNL + get_default_gateway(): implement platform support for Linux/IPROUTE2 + add missing (void) to win32 function declarations + add more (void) to windows specific function prototypes and declarations + Make 'lport 0' no longer sufficient to do '--bind'. + Add information-gathering about DNS resolvers configured to t_client.sh(.in) + +Gianmarco De Gregori (17): + Persist-key: enable persist-key option by default + Minor fix to process_ip_header + Http-proxy: fix bug preventing proxy credentials caching + Ensures all params are ready before invoking dco_set_peer() + Route: remove incorrect routes on exit + Fix for msbuild/mingw GHA failures + multiproto: move generic event handling code in dedicated files + Fix PASS_BY_VALUE issue in options_postprocess_mutate_le() + mroute: adapt to new protocol handling and hashing improvements + mroute/management: repair mgmt client-kill for mroute with proto + Add support for simultaneous use of UDP and TCP sockets + Rename occurences of 'struct link_socket' from 'ls' to 'sock' + Fix FreeBSD-DCO and Multisocket interaction + manpage: fix HTML format for --local + Fix dco_win and multisocket interaction + dco_linux: Introduce new uAPIs + Explicit-exit-notify and multisocket interaction + +Heiko Hund (21): + dns option: allow up to eight addresses per server + work around false positive warning with mingw 12 + dns option: remove support for exclude-domains + cmake: create and link compile_commands.json file + cmake: symlink whole build dir not just 
.json file + Windows: enforce 'block-local' with WFP filters + add and send IV_PROTO_DNS_OPTION_V2 flag + dns: store IPv4 addresses in network byte order + dns: clone options via pointer instead of copy + service: add utf8to16 function that takes a size + dns: support multiple domains without DHCP + dns: do not use netsh to set name server addresses + win: calculate address string buffer size + win: implement --dns option support with NRPT + dns: apply settings via script on unixoid systems + fix typo in haikuos dns-updown script + dns: support running up/down command with privsep + dns: don't publish env vars to non-dns scripts + dns: fix potential NULL pointer dereference + win: match search domains when creating exclude rules + win: fix collecting DNS exclude data + +Heiko Wundram (1): + Implement Windows CA template match for Crypto-API selector + +Ilia Shipitsin (3): + src/openvpn/init.c: handle strdup failures + sample/sample-plugins/defer/multi-auth.c: handle strdup errors + tests/unit_tests/openvpn/test_auth_token.c: handle strdup errors + +Ilya Shipitsin (1): + src/openvpn/dco_freebsd.c: handle malloc failure + +Juliusz Sosinowicz (1): + Change include order for tests + +Klemens Nanni (1): + Fix tmp-dir documentation + +Kristof Provost (10): + Read DCO traffic stats from the kernel + dco: Update counters when a client disconnects + Read the peer deletion reason from the kernel + dco: cleanup FreeBSD dco_do_read() + options.c: enforce a minimal fragment size + configure: improve FreeBSD DCO check + dco: define OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT on FreeBSD + dco: print FreeBSD version + DCO: support key rotation notifications + dco-freebsd: dynamically re-allocate buffer if it's too small + +Lev Stipakov (63): + Rename dco_get_peer_stats to dco_get_peer_stats_multi + management: add timer to output BYTECOUNT + Introduce dco_get_peer_stats API and Windows implementation + git-version.py: proper support for tags + msvc: upgrade to Visual Studio 2022 + 
tun: move print_windows_driver() out of tun.h + openvpnmsica: remove dco installer custom actions + openvpnmsica: remove unused declarations + openvpnmsica: fix adapters discovery logic for DCO + Allow certain DHCP options to be used without DHCP server + dco-win: use proper calling convention on x86 + Improve format specifier for socket handle in Windows + Disable DCO if proxy is set via management + Add logging for windows driver selection process + Avoid management log loop with verb >= 6 + Support --inactive option for DCO + Fix '--inactive <time> 0' behavior for DCO + Print DCO client stats on SIGUSR2 + Don't overwrite socket flags when using DCO on Windows + Support of DNS domain for DHCP-less drivers + dco-win: support for --dev-node + tapctl: generate driver-specific adapter names + openvpnmsica: link C runtime statically + tun.c: enclose DNS domain in single quotes in WMIC call + manage.c: document missing KID parameter + Set WINS servers via interactice service + CMake: fix broken daemonization and syslog functionality + Warn user if INFO control command is too long + CMake: fix HAVE_DAEMON detection on Linux + dco-win: get driver version + dco: warn if DATA_V1 packets are sent to userspace + config.h: fix incorrect defines for _wopen() + Make --dns options apply for tap-windows6 driver + Warn if pushed options require DHCP + tun.c: don't attempt to delete DNS and WINS servers if they're not set + win32: Enforce loading of plugins from a trusted directory + interactive.c: disable remote access to the service pipe + interactive.c: Fix potential stack overflow issue + Disable DCO if proxy is set via management + misc.c: remove unused code + interactive.c: Improve access control for gui<->service pipe + Use a more robust way to get dco-win version + dco: better naming for function parameters + repair DNS address option + dco-win: factor out getting dco version + dco-win: enable mode server on supported configuration + dco-win: simplify do_close_link_socket() 
+ route.c: change the signature of get_default_gateway() + route.c: improve get_default_gateway() logic on Windows + mudp.c: keep offset value when resetting buffer + multi.c: add iroutes after dco peer is added + dco-win: disable dco in server mode if multiple --local options defined + dco-win: multipeer support + dco-win: simplify control packets prepend code + dco-win: kernel notifications + dco-win: support for iroutes + dco-win: Fix crash when cancelling pending operation + Remove UINT8_MAX definition + win: allow OpenVPN service account to use any command-line options + ssl_openssl.c: Prevent potential double-free + win: refactor get_windows_version() + win: create adapter on demand + win: remove Wintun support + +Marc Becker (5): + unify code path for adding PKCS#11 providers + use new pkcs11-helper interface to add providers + special handling for PKCS11 providers on win32 + vcpkg-ports/pkcs11-helper: support loader flags + vcpkg-ports/pkcs11-helper: bump to version 1.30 + +Marco Baffo (3): + tun: removed unnecessary route installations + IPv6 MADDR LOG: Wrap IPv6 addresses in square brackets and print port when the port is specified + get_default_gateway(): Prevent passing IPV4_INVALID_ADDR as a destination + +Martin Rys (1): + openvpn-[client|server].service: Remove syslog.target + +Matthias Andree (1): + make dist: Ship ovpn_dco_freebsd.h, too + +Max Fillinger (10): + Correct tls-crypt-v2 metadata length in man page + Fix message for too long tls-crypt-v2 metadata + Add support for mbedtls 3.X.Y + Update README.mbedtls + Disable TLS 1.3 support with mbed TLS + Enable key export with mbed TLS 3.x.y + Remove license warning from README.mbedtls + mbedtls: Remove support for old TLS versions + mbedtls: Warn if --tls-version-min is too low + Remove HAVE_EXPORT_KEYING_MATERIAL macro + +Michael Baentsch (1): + using OpenSSL3 API for EVP PKEY type name reporting + +Michael Nix (1): + fix typo in help text: --ignore-unknown-option + +Qingfang Deng (1): + dco: fix 
source IP selection when multihome + +Ralf Lici (3): + Fix check_addr_clash argument order + Handle missing DCO peer by restarting the session + Implement ovpn version detection + +Reynir Björnsson (2): + protocol_dump: tls-crypt support + Only schedule_exit() once + +Rémi Farault (1): + Add calls to nvlist_destroy to avoid leaks + +Samuli Seppänen (6): + Add t_server_null test suite + t_server_null: multiple improvements and fixes + t_server_null: persist test log files + t_server_null: forcibly kill misbehaving servers + t_server_null: use wait instead of marker files + Add lwip support to t_server_null + +Selva Nair (63): + Reduce default restart pause to 1 second + Do not include auth-token in pulled option digest + Persist DCO client data channel traffic stats on restart + Add remote-count and remote-entry query via management + Permit unlimited connection entries and remotes + Use a template for 'unsupported management commands' error + Allow skipping multple remotes via management interface + Properly unmap ring buffer file-map in interactive service + Use undo_lists for saving ring-buffer handles in interactive service + Cleanup: Close duplicated handles in interactive service + Preparing for better signal handling: some code refactoring + Refactor signal handling in openvpn_getaddrinfo + Use IPAPI for setting ipv6 routes when iservice not available + Fix signal handling on Windows + Assign and honour signal priority order + Distinguish route addition errors from route already exists + Propagate route error to initialization_completed() + Include CE_DISABLED status of remote in "remote-entry-get" response + Define and use macros for route addition status code + Warn when pkcs11-id or pkcs11-id-management options are ignored + Cleanup route error and debug logging on Windows + Fix one more 'existing route may get deleted' case + block-dns using iservice: fix a potential double free + Conditionally add subdir-objects option to automake + Build unit tests in 
mingw Windows build + cyryptapi.c: log the selected certificate's name + cryptoapi.c: remove pre OpenSSL-3.01 support + cryptoapi.c: simplify parsing of thumbprint hex string + Option --cryptoapicert: support issuer name as a selector + Add a unit test for functions in cryptoapi.c + Do not save pointer to 'struct passwd' returned by getpwnam etc. + Bugfix: Convert ECDSA signature form pkcs11-helper to DER encoded form + Import some sample certificates into Windows store for testing + Add tests for finding certificates in Windows cert store + Refactor SSL_CTX_use_CryptoAPI_certificate() + Add a test for signing with certificates in Windows store + Unit tests: add test for SSL_CTX_use_Cryptoapi_certificate() + Improve error message on short read from socks proxy + Make error in setting metric for IPv6 interface non-fatal + Bug-fix: segfault in dco_get_peer_stats() + Move digest_sign_verify out of test_cryptoapi.c + Unit tests: Test for PKCS#11 using a softhsm2 token + Enable pkcs11 an dtest_pkcs11 in github actions + Make cert_data.h and test_cryptoapi/pkcs11.c MSVC compliant + Format Windows error message in Unicode + Bugfix: dangling pointer passed to pkcs11-helper + Correctly handle Unicode names for exit event + Interactive service: do not force a target desktop for openvpn.exe + Improve signal handling using POSIX sigaction + signal_reset(): combine check and reset operations + Log OpenSSL errors on failure to set certificate + Document that auth-user-pass may be inlined + test_pkcs11.c: set file offset to 0 after ftruncate + proxy.c: Clear sensitive data after use + Protect cached username, password and token on client + Interpret --key and --cert option argument as URI + Add a test for loading certificate and key to ssl context + Add a test for loading certificate and key using file: URI + Initialize before use struct user_pass in ui_reader() + Static-challenge concatenation option + Add test for static-challenge concatenation option + Fix more of 
uninitialized struct user_pass local vars + Do not stop reading from file/uri when OPENSSL_STORE_load() returns error + +Sergey Korolev (1): + dco-linux: fix counter print format + +Shubham Mittal (2): + Add compatibility to build OpenVPN with AWS-LC. + Adding AWS-LC to the OpenVPN CI + +Shuji Furukawa (1): + Improve shuffling algorithm of connection list + +Steffan Karger (2): + Fix IPv6 route add/delete message log level + Improve data channel crypto error messages + +Timo Rothenpieler (1): + Don't clear capability bounding set on capng_change_id + +corubba (2): + Fix IPv6 in port-share journal + Fix port-share journal doc + +orbea (1): + configure: disable engines if OPENSSL_NO_ENGINE is defined + +rein.vanbaaren (1): + Fix MBEDTLS_DEPRECATED_REMOVED build errors + +wellweek (1): + remove repetitive words in documentation and comments + +yatta (1): + fix(ssl): init peer_id when init tls_multi + + diff --git a/Changes.rst b/Changes.rst index e297334..3ffa2cb 100644 --- a/Changes.rst +++ b/Changes.rst 
@@ -2,25 +2,58 @@ ========================== New features ------------ -TLS alerts - OpenVPN 2.7 will send out TLS alerts to peers informing them if the TLS - session shuts down or when the TLS implementation informs the peer about - an error in the TLS session (e.g. mismatching TLS versions). This improves - the user experience as the client shows an error instead of running into - a timeout when the server just stops responding completely. +Multi-socket support for servers + OpenVPN servers now can listen on multiple sockets at the same time. + Multiple ``--local`` statements in the configuration can be used to + configure this. This way the same server can e.g. listen for UDP + and TCP connections at the same time, or listen on multiple addresses + and/or ports. -Support for tun/tap via unix domain socket and lwipovpn support - To allow better testing and emulating a full client with a full - network stack OpenVPN now allows a program executed to provide - a tun/tap device instead of opening a device. +Client implementations for DNS options sent by server for Linux/BSD + Linux and BSD versions of OpenVPN now ship with a default ``dns-updown`` + script that implements proper handling of DNS configuration sent + by the server. The scripts should work on systems that use + ``systemd`` or ``resolveconf`` to manage the DNS setup, as well as + raw ``/etc/resolv.conf`` files. However, the exact features supported + will depend on the configuration method. On Linux this should usually + mean that split-DNS configurations are supported out-of-the-box now. - The co-developed lwipovpn program based on lwIP stack allows to - simulate full IP stack and an OpenVPN client using - ``--dev-node unix:/path/to/lwipovpn`` can emulate a full client that - can be pinged, can serve a website and more without requiring any - elevated permission. This can make testing OpenVPN much easier. 
+ Note that this new script will not be used by default if a ``--up`` + script is already in use to reduce problems with + backwards compatibility. - For more details see [lwipovpn on Gihtub](https://github.com/OpenVPN/lwipovpn). + See documentation for ``--dns-updown`` and ``--dns`` for more details. + +New client implementation for DNS options sent by server for Windows + The Windows client now uses NRPT (Name Resolution Policy Table) to + handle DNS configurations. This adds support for split-DNS and DNSSEC + and improves the compatbility with local DNS resolvers. Requires the + interactive service. + +On Windows the ``block-local`` flag is now enforced with WFP filters. + The ``block-local`` flag to ``--redirect-gateway`` and + ``--redirect-private`` is now also enforced via the Windows Firewall, + making sure packets can't be sent to the local network. + This provides stronger protection against TunnelCrack-style attacks. + +Windows network adapters are now generated on demand + This means that on systems that run multiple OpenVPN connections at + the same time the users don't need to manually create enough network + adapters anymore (in addition to the ones created by the installer). + +Windows automatic service now runs as an unpriviledged user + All tasks that need privileges are now delegated to the interactive + service. + +Support for new version of Linux DCO module + OpenVPN DCO module is moving upstream and being merged into the + main Linux kernel. For this process some API changes were required. + OpenVPN 2.7 will only support the new API. The new module is called + ``ovpn``. Out-of-tree builds for older kernels are available. Please + see the release announcements for futher information. + +Support for server mode in win-dco driver + On Windows the win-dco driver can now be used in server setups. Enforcement of AES-GCM usage limit OpenVPN will now enforce the usage limits on AES-GCM with the same 
@@ -30,11 +63,6 @@ https://datatracker.ietf.org/doc/draft-irtf-cfrg-aead-limits/ -Default ciphers in ``--data-ciphers`` - Ciphers in ``--data-ciphers`` can contain the string DEFAULT that is - replaced by the default ciphers used by OpenVPN, making it easier to - add an allowed cipher without having to spell out the default ciphers. - Epoch data keys and packet format This introduces the epoch data format for AEAD data channel ciphers in TLS mode ciphers. This new data format has a number of 
@@ -49,15 +77,46 @@ - IV constructed with XOR instead of concatenation to not have (parts) of the real IV on the wire +Default ciphers in ``--data-ciphers`` + Ciphers in ``--data-ciphers`` can contain the string DEFAULT that is + replaced by the default ciphers used by OpenVPN, making it easier to + add an allowed cipher without having to spell out the default ciphers. + +TLS alerts + OpenVPN 2.7 will send out TLS alerts to peers informing them if the TLS + session shuts down or when the TLS implementation informs the peer about + an error in the TLS session (e.g. mismatching TLS versions). This improves + the user experience as the client shows an error instead of running into + a timeout when the server just stops responding completely. + +Support for tun/tap via unix domain socket and lwipovpn support + To allow better testing and emulating a full client with a full + network stack OpenVPN now allows a program executed to provide + a tun/tap device instead of opening a device. + + The co-developed lwipovpn program based on lwIP stack allows to + simulate full IP stack. An OpenVPN client using + ``--dev-node unix:/path/to/lwipovpn`` can emulate a full client that + can be pinged, can serve a website and more without requiring any + elevated permission. This can make testing OpenVPN much easier. + + For more details see [lwipovpn on Gihtub](https://github.com/OpenVPN/lwipovpn). + Allow overriding username with ``--override-username`` This is intended to allow using auth-gen-token in scenarios where the clients use certificates and multi-factor authentication. This will also generate a 'push "auth-token-user newusername"' directives in push replies. +``--port-share`` now properly supports IPv6 + Issues with logging of IPv6 addresses were fixed. The feature now allows + IPv6 connections towards the proxy receiver. + +Support for Haiku OS + Deprecated features ------------------- -``secret`` support has been removed by default. 
+``secret`` support has been removed (by default). static key mode (non-TLS) is no longer considered "good and secure enough" for today's requirements. Use TLS mode instead. If deploying a PKI CA is considered "too complicated", using ``--peer-fingerprint`` makes @@ -67,6 +126,14 @@ ``--allow-deprecated-insecure-static-crypto`` but will be removed in OpenVPN 2.8. +Support for wintun Windows driver has been removed. + OpenVPN 2.6 added support for the new dco-win driver, so it supported + three different device drivers: dco-win, wintun, and tap-windows6. + OpenVPN 2.7 now drops the support for wintun driver. By default + all modern configs should be supported by dco-win driver. In all + other cases OpenVPN will fall back automatically to tap-windows6 + driver. + NTLMv1 authentication support for HTTP proxies has been removed. This is considered an insecure method of authentication that uses obsolete crypto algorithms. 
@@ -78,28 +145,34 @@ ``persist-key`` option has been enabled by default. All the keys will be kept in memory across restart. -Default for ``--topology`` changed to ``subnet`` for ``--mode server`` - Previous releases always used ``net30`` as default. This only affects - configs with ``--mode server`` or ``--server`` (the latter implies the - former), and ``--dev tun``, and only if IPv4 is enabled. - Note that this changes the semantics of ``--ifconfig``, so if you have - manual settings for that in your config but not set ``--topology`` - your config might fail to parse with the new version. Just adding - ``--topology net30`` to the config should fix the problem. - By default ``--topology`` is pushed from server to client. - -OpenSSL 1.0.2 support +OpenSSL 1.0.2 support has been removed. Support for building with OpenSSL 1.0.2 has been removed. The minimum supported OpenSSL version is now 1.1.0. -Compression on send +Support for mbedTLS older than 2.18.0 has been removed. + We now require all SSL libraries to have support for exporting + keying material. The only previously supported library versions + this affects are older mbedTLS releases. + +Compression on send has been removed. OpenVPN 2.7 will never compress data before sending. Decompression of received data is still supported. ``--allow-compression yes`` is now an alias for ``--allow-compression asym``. + User-visible Changes -------------------- +- Default for ``--topology`` changed to ``subnet`` for ``--mode server``. + Previous releases always used ``net30`` as default. This only affects + configs with ``--mode server`` or ``--server`` (the latter implies the + former), and ``--dev tun``, and only if IPv4 is enabled. + Note that this changes the semantics of ``--ifconfig``, so if you have + manual settings for that in your config but not set ``--topology`` + your config might fail to parse with the new version. Just adding + ``--topology net30`` to the config should fix the problem. 
+ By default ``--topology`` is pushed from server to client. + - ``--x509-username-field`` will no longer automatically convert fieldnames to uppercase. This is deprecated since OpenVPN 2.4, and has now been removed. @@ -108,6 +181,38 @@ And finite field Diffie Hellman is in the proces of being deprecated (see draft-ietf-tls-deprecate-obsolete-kex) +- ``--lport 0`` does not imply ``--bind`` anymore. + +- ``--redirect--gateway`` now works correctly if the VPN remote is not + reachable by the default gateway. + +- ``--show-gateway`` now supports querying the gateway for IPv4 addresses. + +- ``--static-challenge`` option now has a third parameter ``format`` that + can change how password and challenge response should be combined. + +- ``--key`` and ``--cert`` now accept URIs implemented in OpenSSL 3 as well as + optional OpenSSL 3 providers loaded using ``--providers`` option. + +- ``--cryptoapicert`` now supports issuer name as well as Windows CA template + name or OID as selector string. + +- TLS handshake debugging information contains much more details now when + using recent versions of OpenSSL. + +- The ``IV_PLAT_VER`` variable sent by Windows clients now contains the + full Windows build version to make it possible to determine the + Windows 10 or Windows 11 version used. + +- The ``--windows-driver`` option to select between various windows + drivers will no longer do anything - it's kept so existing configs + will not become invalid, but it is ignored with a warning. The default + is now ``ovpn-dco`` if all options used are compatible with DCO, with + a fallback to ``tap-windows6``. To force TAP (for example because a + server pushes DCO incompatible options), use the ``--disable-dco`` + option. + + Overview of changes in 2.6 ========================== diff --git a/tests/unit_tests/openvpn/Makefile.am b/tests/unit_tests/openvpn/Makefile.am index 471389b..fc47287 100644 --- a/tests/unit_tests/openvpn/Makefile.am +++ b/tests/unit_tests/openvpn/Makefile.am 
@@ -43,7 +43,7 @@ argv_testdriver_CFLAGS = -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat @TEST_CFLAGS@ argv_testdriver_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn -Wl,--wrap=parse_line -argv_testdriver_SOURCES = test_argv.c mock_msg.c mock_msg.h \ +argv_testdriver_SOURCES = test_argv.c mock_msg.c mock_msg.h test_common.h \ mock_get_random.c \ $(top_srcdir)/src/openvpn/platform.c \ $(top_srcdir)/src/openvpn/buffer.c \ @@ -52,7 +52,7 @@ buffer_testdriver_CFLAGS = -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat @TEST_CFLAGS@ buffer_testdriver_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn -Wl,--wrap=parse_line -buffer_testdriver_SOURCES = test_buffer.c mock_msg.c mock_msg.h \ +buffer_testdriver_SOURCES = test_buffer.c mock_msg.c mock_msg.h test_common.h \ mock_get_random.c \ $(top_srcdir)/src/openvpn/win32-util.c \ $(top_srcdir)/src/openvpn/platform.c @@ -61,7 +61,7 @@ -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ @TEST_CFLAGS@ crypto_testdriver_LDFLAGS = @TEST_LDFLAGS@ -crypto_testdriver_SOURCES = test_crypto.c mock_msg.c mock_msg.h \ +crypto_testdriver_SOURCES = test_crypto.c mock_msg.c mock_msg.h test_common.h \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/crypto.c \ $(top_srcdir)/src/openvpn/crypto_mbedtls.c \ @@ -78,7 +78,7 @@ -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ @TEST_CFLAGS@ ssl_testdriver_LDFLAGS = @TEST_LDFLAGS@ $(OPTIONAL_CRYPTO_LIBS) -ssl_testdriver_SOURCES = test_ssl.c mock_msg.c mock_msg.h \ +ssl_testdriver_SOURCES = test_ssl.c mock_msg.c mock_msg.h test_common.h \ mock_management.c mock_ssl_dependencies.c mock_win32_execve.c \ $(top_srcdir)/src/openvpn/argv.c \ $(top_srcdir)/src/openvpn/base64.c \ 
@@ -114,7 +114,7 @@ -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ @TEST_CFLAGS@ packet_id_testdriver_LDFLAGS = @TEST_LDFLAGS@ -packet_id_testdriver_SOURCES = test_packet_id.c mock_msg.c mock_msg.h \ +packet_id_testdriver_SOURCES = test_packet_id.c mock_msg.c mock_msg.h test_common.h \ mock_get_random.c \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/otime.c \ @@ -128,7 +128,7 @@ -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ @TEST_CFLAGS@ pkt_testdriver_LDFLAGS = @TEST_LDFLAGS@ -pkt_testdriver_SOURCES = test_pkt.c mock_msg.c mock_msg.h mock_win32_execve.c \ +pkt_testdriver_SOURCES = test_pkt.c mock_msg.c mock_msg.h mock_win32_execve.c test_common.h \ $(top_srcdir)/src/openvpn/argv.c \ $(top_srcdir)/src/openvpn/base64.c \ $(top_srcdir)/src/openvpn/buffer.c \ @@ -156,7 +156,7 @@ -Wl,--wrap=buffer_write_file \ -Wl,--wrap=parse_line \ -Wl,--wrap=rand_bytes -tls_crypt_testdriver_SOURCES = test_tls_crypt.c mock_msg.c mock_msg.h \ +tls_crypt_testdriver_SOURCES = test_tls_crypt.c mock_msg.c mock_msg.h test_common.h \ mock_win32_execve.c \ $(top_srcdir)/src/openvpn/argv.c \ $(top_srcdir)/src/openvpn/base64.c \ diff --git a/version.m4 b/version.m4 index 091cc5d..4c3b7c8 100644 --- a/version.m4 +++ b/version.m4 
@@ -3,7 +3,7 @@ define([PRODUCT_TARNAME], [openvpn]) define([PRODUCT_VERSION_MAJOR], [2]) define([PRODUCT_VERSION_MINOR], [7]) -define([PRODUCT_VERSION_PATCH], [_git]) +define([PRODUCT_VERSION_PATCH], [_alpha1]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]]) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1032?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I80a14b77fcc2fabf51af9f2d5ea0c36362cccb91 Gerrit-Change-Number: 1032 Gerrit-PatchSet: 7 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: cron2 <ge...@gr...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-CC: selvanair <sel...@gm...> Gerrit-CC: stipa <lst...@gm...> Gerrit-MessageType: newpatchset |
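Review bot: Several spelling errors in the added text of the first Changes.rst hunk (@@ -2,25 +2,58): "resolveconf" should be ``resolvconf`` (the name of the tool), "compatbility" should be "compatibility", "unpriviledged" should be "unprivileged", and "futher" should be "further". Since this is release-note text that will be copied into announcements, please fix them in this change rather than in a follow-up.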
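Review bot: "Support for Haiku OS" in the @@ -49,15 +77,46 hunk is added as a bare definition-list term with no description, unlike every other entry under "New features"; either add a line saying what is supported or drop the entry. While this hunk moves the lwipovpn paragraph anyway, fix the carried-over "Gihtub" to "GitHub". The ``secret`` line changed to "has been removed (by default)" is still confusing: the unchanged body says it can be re-enabled with ``--allow-deprecated-insecure-static-crypto`` and will be removed in 2.8, so "is now disabled by default" would describe the actual state.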
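Review bot: In the @@ -78,28 +145,34 hunk the new term "OpenSSL 1.0.2 support has been removed." is immediately followed by the unchanged body sentence "Support for building with OpenSSL 1.0.2 has been removed.", so the entry now says the same thing twice; keep only the minimum-version sentence in the body. The parallel "Compression on send has been removed." term reads fine because its body adds information.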
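Review bot: "``--redirect--gateway``" in the @@ -108,6 +181,38 hunk has a doubled hyphen and should be ``--redirect-gateway``. Since the hunk touches that list anyway, the "proces" in the unchanged context line above the new bullets could be corrected to "process" at the same time.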
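Review bot: The tests/unit_tests/openvpn/Makefile.am hunks (adding test_common.h to seven _SOURCES lists) are unrelated to the release-notes update and the version.m4 bump to _alpha1 and should be a separate commit; change 1033 on this page already carries that split out. Note also that these hunks only cover argv, buffer, crypto, ssl, packet_id, pkt and tls_crypt drivers, while 1033 additionally covers the pkcs11, auth_token, user_pass and ncp drivers, so keeping the Makefile.am change here would leave the release commit with an incomplete version of the fix.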
| From: plaisthos (C. Review) <ge...@op...> - 2025-05-28 16:29:41 |
Attention is currently required from: flichtenheld, plaisthos. Hello cron2, flichtenheld, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1033?usp=email to look at the new patch set (#3). The change is no longer submittable: checks~ChecksSubmitRule is unsatisfied now. Change subject: Add missing header in unit tests Makefile.am ...................................................................... Add missing header in unit tests Makefile.am make distcheck fails since we are not listing all headers that are used by the unit tests. Change-Id: I674af04e1a6449544b7def0725337c3b353ea276 --- M tests/unit_tests/openvpn/Makefile.am 1 file changed, 24 insertions(+), 12 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/33/1033/3 diff --git a/tests/unit_tests/openvpn/Makefile.am b/tests/unit_tests/openvpn/Makefile.am index 471389b..c6c1699 100644 --- a/tests/unit_tests/openvpn/Makefile.am +++ b/tests/unit_tests/openvpn/Makefile.am @@ -43,7 +43,8 @@ argv_testdriver_CFLAGS = -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat @TEST_CFLAGS@ argv_testdriver_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn -Wl,--wrap=parse_line -argv_testdriver_SOURCES = test_argv.c mock_msg.c mock_msg.h \ +argv_testdriver_SOURCES = test_argv.c \ + mock_msg.c mock_msg.h test_common.h \ mock_get_random.c \ $(top_srcdir)/src/openvpn/platform.c \ $(top_srcdir)/src/openvpn/buffer.c \ @@ -52,7 +53,8 @@ buffer_testdriver_CFLAGS = -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat @TEST_CFLAGS@ buffer_testdriver_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn -Wl,--wrap=parse_line -buffer_testdriver_SOURCES = test_buffer.c mock_msg.c mock_msg.h \ +buffer_testdriver_SOURCES = test_buffer.c \ + mock_msg.c mock_msg.h test_common.h \ mock_get_random.c \ $(top_srcdir)/src/openvpn/win32-util.c \ $(top_srcdir)/src/openvpn/platform.c 
@@ -61,7 +63,8 @@ -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ @TEST_CFLAGS@ crypto_testdriver_LDFLAGS = @TEST_LDFLAGS@ -crypto_testdriver_SOURCES = test_crypto.c mock_msg.c mock_msg.h \ +crypto_testdriver_SOURCES = test_crypto.c \ + mock_msg.c mock_msg.h test_common.h \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/crypto.c \ $(top_srcdir)/src/openvpn/crypto_mbedtls.c \ @@ -78,8 +81,10 @@ -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ @TEST_CFLAGS@ ssl_testdriver_LDFLAGS = @TEST_LDFLAGS@ $(OPTIONAL_CRYPTO_LIBS) -ssl_testdriver_SOURCES = test_ssl.c mock_msg.c mock_msg.h \ - mock_management.c mock_ssl_dependencies.c mock_win32_execve.c \ +ssl_testdriver_SOURCES = test_ssl.c \ + mock_msg.c mock_msg.h test_common.h \ + mock_management.c \ + mock_ssl_dependencies.c mock_win32_execve.c \ $(top_srcdir)/src/openvpn/argv.c \ $(top_srcdir)/src/openvpn/base64.c \ $(top_srcdir)/src/openvpn/buffer.c \ @@ -114,7 +119,8 @@ -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ @TEST_CFLAGS@ packet_id_testdriver_LDFLAGS = @TEST_LDFLAGS@ -packet_id_testdriver_SOURCES = test_packet_id.c mock_msg.c mock_msg.h \ +packet_id_testdriver_SOURCES = test_packet_id.c \ + mock_msg.c mock_msg.h test_common.h \ mock_get_random.c \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/otime.c \ @@ -156,7 +162,8 @@ -Wl,--wrap=buffer_write_file \ -Wl,--wrap=parse_line \ -Wl,--wrap=rand_bytes -tls_crypt_testdriver_SOURCES = test_tls_crypt.c mock_msg.c mock_msg.h \ +tls_crypt_testdriver_SOURCES = test_tls_crypt.c \ + mock_msg.c mock_msg.h test_common.h \ mock_win32_execve.c \ $(top_srcdir)/src/openvpn/argv.c \ $(top_srcdir)/src/openvpn/base64.c \ 
@@ -229,7 +236,8 @@ @TEST_CFLAGS@ $(OPTIONAL_CRYPTO_CFLAGS) pkcs11_testdriver_LDFLAGS = @TEST_LDFLAGS@ \ $(OPTIONAL_CRYPTO_LIBS) -pkcs11_testdriver_SOURCES = test_pkcs11.c mock_msg.c \ +pkcs11_testdriver_SOURCES = test_pkcs11.c \ + mock_msg.c test_common.h \ pkey_test_utils.c cert_data.h mock_get_random.c \ $(top_srcdir)/src/openvpn/xkey_helper.c \ $(top_srcdir)/src/openvpn/xkey_provider.c \ @@ -251,7 +259,8 @@ auth_token_testdriver_LDFLAGS = @TEST_LDFLAGS@ \ $(OPTIONAL_CRYPTO_LIBS) -auth_token_testdriver_SOURCES = test_auth_token.c mock_msg.c \ +auth_token_testdriver_SOURCES = test_auth_token.c \ + mock_msg.c test_common.h \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/crypto.c \ $(top_srcdir)/src/openvpn/crypto_epoch.c \ @@ -269,7 +278,8 @@ @TEST_CFLAGS@ user_pass_testdriver_LDFLAGS = @TEST_LDFLAGS@ -user_pass_testdriver_SOURCES = test_user_pass.c mock_msg.c \ +user_pass_testdriver_SOURCES = test_user_pass.c \ + mock_msg.c test_common.h \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/console.c \ $(top_srcdir)/src/openvpn/env_set.c \ @@ -287,7 +297,8 @@ ncp_testdriver_LDFLAGS = @TEST_LDFLAGS@ \ $(OPTIONAL_CRYPTO_LIBS) -ncp_testdriver_SOURCES = test_ncp.c mock_msg.c \ +ncp_testdriver_SOURCES = test_ncp.c \ + mock_msg.c test_common.h \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/crypto.c \ $(top_srcdir)/src/openvpn/crypto_epoch.c \ 
@@ -306,7 +317,8 @@ misc_testdriver_LDFLAGS = @TEST_LDFLAGS@ -misc_testdriver_SOURCES = test_misc.c mock_msg.c \ +misc_testdriver_SOURCES = test_misc.c \ + mock_msg.c test_common.h \ mock_get_random.c \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/options_util.c \ -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1033?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I674af04e1a6449544b7def0725337c3b353ea276 Gerrit-Change-Number: 1033 Gerrit-PatchSet: 3 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-MessageType: newpatchset |
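Review bot: the same two-line edit is repeated for all eleven `*_testdriver_SOURCES` lists, and the lists are already inconsistent about headers (argv, buffer, crypto, ssl, packet_id and tls_crypt list `mock_msg.h`, while pkcs11, auth_token, user_pass, ncp and misc list only `mock_msg.c`); since the stated goal is just to get `test_common.h` into the `make dist` tarball, one `noinst_HEADERS = test_common.h mock_msg.h` (or `EXTRA_DIST`) line in this Makefile.am would cover every driver and would not have to be remembered when the next driver is added. If the per-target form is kept, please confirm that `test_common.h` is actually included by each driver it is now listed under, otherwise the list describes a dependency that does not exist.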
| From: Gert D. <ge...@gr...> - 2025-05-28 15:04:24 |
From: Arne Schwabe <ar...@rf...> make distcheck fails since we are not listing all headers that are used by the unit tests. Change-Id: I674af04e1a6449544b7def0725337c3b353ea276 Signed-off-by: Arne Schwabe <arn...@rf...> Acked-by: Gert Doering <ge...@gr...> --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1033 This mail reflects revision 3 of this Change. Signed-off-by line for the author was added as per our policy. Acked-by according to Gerrit (reflected above): Gert Doering <ge...@gr...> diff --git a/tests/unit_tests/openvpn/Makefile.am b/tests/unit_tests/openvpn/Makefile.am index 471389b..c6c1699 100644 --- a/tests/unit_tests/openvpn/Makefile.am +++ b/tests/unit_tests/openvpn/Makefile.am @@ -43,7 +43,8 @@ argv_testdriver_CFLAGS = -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat @TEST_CFLAGS@ argv_testdriver_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn -Wl,--wrap=parse_line -argv_testdriver_SOURCES = test_argv.c mock_msg.c mock_msg.h \ +argv_testdriver_SOURCES = test_argv.c \ + mock_msg.c mock_msg.h test_common.h \ mock_get_random.c \ $(top_srcdir)/src/openvpn/platform.c \ $(top_srcdir)/src/openvpn/buffer.c \ @@ -52,7 +53,8 @@ buffer_testdriver_CFLAGS = -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat @TEST_CFLAGS@ buffer_testdriver_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn -Wl,--wrap=parse_line -buffer_testdriver_SOURCES = test_buffer.c mock_msg.c mock_msg.h \ +buffer_testdriver_SOURCES = test_buffer.c \ + mock_msg.c mock_msg.h test_common.h \ mock_get_random.c \ $(top_srcdir)/src/openvpn/win32-util.c \ $(top_srcdir)/src/openvpn/platform.c 
@@ -61,7 +63,8 @@ -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ @TEST_CFLAGS@ crypto_testdriver_LDFLAGS = @TEST_LDFLAGS@ -crypto_testdriver_SOURCES = test_crypto.c mock_msg.c mock_msg.h \ +crypto_testdriver_SOURCES = test_crypto.c \ + mock_msg.c mock_msg.h test_common.h \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/crypto.c \ $(top_srcdir)/src/openvpn/crypto_mbedtls.c \ @@ -78,8 +81,10 @@ -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ @TEST_CFLAGS@ ssl_testdriver_LDFLAGS = @TEST_LDFLAGS@ $(OPTIONAL_CRYPTO_LIBS) -ssl_testdriver_SOURCES = test_ssl.c mock_msg.c mock_msg.h \ - mock_management.c mock_ssl_dependencies.c mock_win32_execve.c \ +ssl_testdriver_SOURCES = test_ssl.c \ + mock_msg.c mock_msg.h test_common.h \ + mock_management.c \ + mock_ssl_dependencies.c mock_win32_execve.c \ $(top_srcdir)/src/openvpn/argv.c \ $(top_srcdir)/src/openvpn/base64.c \ $(top_srcdir)/src/openvpn/buffer.c \ @@ -114,7 +119,8 @@ -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ @TEST_CFLAGS@ packet_id_testdriver_LDFLAGS = @TEST_LDFLAGS@ -packet_id_testdriver_SOURCES = test_packet_id.c mock_msg.c mock_msg.h \ +packet_id_testdriver_SOURCES = test_packet_id.c \ + mock_msg.c mock_msg.h test_common.h \ mock_get_random.c \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/otime.c \ @@ -156,7 +162,8 @@ -Wl,--wrap=buffer_write_file \ -Wl,--wrap=parse_line \ -Wl,--wrap=rand_bytes -tls_crypt_testdriver_SOURCES = test_tls_crypt.c mock_msg.c mock_msg.h \ +tls_crypt_testdriver_SOURCES = test_tls_crypt.c \ + mock_msg.c mock_msg.h test_common.h \ mock_win32_execve.c \ $(top_srcdir)/src/openvpn/argv.c \ $(top_srcdir)/src/openvpn/base64.c \ 
@@ -229,7 +236,8 @@ @TEST_CFLAGS@ $(OPTIONAL_CRYPTO_CFLAGS) pkcs11_testdriver_LDFLAGS = @TEST_LDFLAGS@ \ $(OPTIONAL_CRYPTO_LIBS) -pkcs11_testdriver_SOURCES = test_pkcs11.c mock_msg.c \ +pkcs11_testdriver_SOURCES = test_pkcs11.c \ + mock_msg.c test_common.h \ pkey_test_utils.c cert_data.h mock_get_random.c \ $(top_srcdir)/src/openvpn/xkey_helper.c \ $(top_srcdir)/src/openvpn/xkey_provider.c \ @@ -251,7 +259,8 @@ auth_token_testdriver_LDFLAGS = @TEST_LDFLAGS@ \ $(OPTIONAL_CRYPTO_LIBS) -auth_token_testdriver_SOURCES = test_auth_token.c mock_msg.c \ +auth_token_testdriver_SOURCES = test_auth_token.c \ + mock_msg.c test_common.h \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/crypto.c \ $(top_srcdir)/src/openvpn/crypto_epoch.c \ @@ -269,7 +278,8 @@ @TEST_CFLAGS@ user_pass_testdriver_LDFLAGS = @TEST_LDFLAGS@ -user_pass_testdriver_SOURCES = test_user_pass.c mock_msg.c \ +user_pass_testdriver_SOURCES = test_user_pass.c \ + mock_msg.c test_common.h \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/console.c \ $(top_srcdir)/src/openvpn/env_set.c \ @@ -287,7 +297,8 @@ ncp_testdriver_LDFLAGS = @TEST_LDFLAGS@ \ $(OPTIONAL_CRYPTO_LIBS) -ncp_testdriver_SOURCES = test_ncp.c mock_msg.c \ +ncp_testdriver_SOURCES = test_ncp.c \ + mock_msg.c test_common.h \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/crypto.c \ $(top_srcdir)/src/openvpn/crypto_epoch.c \ @@ -306,7 +317,8 @@ misc_testdriver_LDFLAGS = @TEST_LDFLAGS@ -misc_testdriver_SOURCES = test_misc.c mock_msg.c \ +misc_testdriver_SOURCES = test_misc.c \ + mock_msg.c test_common.h \ mock_get_random.c \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/options_util.c \ |
| From: flichtenheld (C. Review) <ge...@op...> - 2025-05-28 15:02:33 |
Attention is currently required from: plaisthos. Hello plaisthos, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/1034?usp=email to review the following change. Change subject: Remove contrib/pull-resolv-conf ...................................................................... Remove contrib/pull-resolv-conf We have an official solution for this now. Change-Id: Ic30f8514b50f561e7ea8f1ce12d740ac53f202e5 Signed-off-by: Frank Lichtenheld <fr...@li...> --- D contrib/pull-resolv-conf/client.down D contrib/pull-resolv-conf/client.up 2 files changed, 0 insertions(+), 155 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/34/1034/1 diff --git a/contrib/pull-resolv-conf/client.down b/contrib/pull-resolv-conf/client.down deleted file mode 100644 index 0cbb476..0000000 --- a/contrib/pull-resolv-conf/client.down +++ /dev/null 
@@ -1,51 +0,0 @@ -#!/bin/sh - -# Copyright (c) 2005-2018 OpenVPN Inc -# Licensed under the GPL version 2 - -# First version by Jesse Adelman -# someone at boldandbusted dink com -# http://www.boldandbusted.com/ - -# PURPOSE: This script automatically removes the /etc/resolv.conf entries previously -# set by the companion script "client.up". - -# INSTALL NOTES: -# Place this in /etc/openvpn/client.down -# Then, add the following to your /etc/openvpn/<clientconfig>.conf: -# client -# up /etc/openvpn/client.up -# down /etc/openvpn/client.down -# Next, "chmod a+x /etc/openvpn/client.down" - -# USAGE NOTES: -# Note that this script is best served with the companion "client.up" -# script. - -# Tested under Debian lenny with OpenVPN 2.1_rc11 -# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf - -# This runs with the context of the OpenVPN UID/GID -# at the time of execution. This generally means that -# the client "up" script will run fine, but the "down" script -# will require the use of the OpenVPN "down-root" plugin -# which is in the plugins/ directory of the OpenVPN source tree -# The config example above would have to be changed to: -# client -# up /etc/openvpn/client.up -# plugin openvpn-plugin-down-root.so "/etc/openvpn/client.down" - -# A horrid work around, from a security perspective, -# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have -# been WARNED. -PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin - -if type resolvconf >/dev/null 2>&1; then - resolvconf -d "${dev}" -f -elif [ -e /etc/resolv.conf.ovpnsave ] ; then - # cp + rm rather than mv in case it's a symlink - cp /etc/resolv.conf.ovpnsave /etc/resolv.conf - rm -f /etc/resolv.conf.ovpnsave -fi - -exit 0 diff --git a/contrib/pull-resolv-conf/client.up b/contrib/pull-resolv-conf/client.up deleted file mode 100644 index 220aeb7..0000000 --- a/contrib/pull-resolv-conf/client.up +++ /dev/null 
@@ -1,104 +0,0 @@ -#!/bin/sh - -# Copyright (c) 2005-2018 OpenVPN Inc -# Licensed under the GPL version 2 - -# First version by Jesse Adelman -# someone at boldandbusted dink com -# http://www.boldandbusted.com/ - -# PURPOSE: This script automatically sets the proper /etc/resolv.conf entries -# as pulled down from an OpenVPN server. - -# INSTALL NOTES: -# Place this in /etc/openvpn/client.up -# Then, add the following to your /etc/openvpn/<clientconfig>.conf: -# client -# up /etc/openvpn/client.up -# Next, "chmod a+x /etc/openvpn/client.up" - -# USAGE NOTES: -# Note that this script is best served with the companion "client.down" -# script. - -# Tested under Debian lenny with OpenVPN 2.1_rc11 -# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf - -# This runs with the context of the OpenVPN UID/GID -# at the time of execution. This generally means that -# the client "up" script will run fine, but the "down" script -# will require the use of the OpenVPN "down-root" plugin -# which is in the plugins/ directory of the OpenVPN source tree - -# A horrid work around, from a security perspective, -# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have -# been WARNED. -PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin - -# init variables - -i=1 -domains= -fopt= -ndoms=0 -nns=0 -nl=' -' - -# $foreign_option_<n> is something like -# "dhcp-option DOMAIN example.com" (multiple allowed) -# or -# "dhcp-option DNS 10.10.10.10" (multiple allowed) - -# each DNS option becomes a "nameserver" option in resolv.conf -# if we get one DOMAIN, that becomes "domain" in resolv.conf -# if we get multiple DOMAINS, those become "search" lines in resolv.conf -# if we get no DOMAINS, then don't use either domain or search. 
- -while true; do - eval fopt=\$foreign_option_${i} - [ -z "${fopt}" ] && break - - case ${fopt} in - dhcp-option\ DOMAIN\ *) - ndoms=$((ndoms + 1)) - domains="${domains} ${fopt#dhcp-option DOMAIN }" - ;; - dhcp-option\ DNS\ *) - nns=$((nns + 1)) - if [ $nns -le 3 ]; then - dns="${dns}${dns:+$nl}nameserver ${fopt#dhcp-option DNS }" - else - printf "%s\n" "Too many nameservers - ignoring after third" >&2 - fi - ;; - *) - printf "%s\n" "Unknown option \"${fopt}\" - ignored" >&2 - ;; - esac - i=$((i + 1)) -done - -ds="" -if [ $ndoms -eq 1 ]; then - ds="${nl}domain" -elif [ $ndoms -gt 1 ]; then - ds="${nl}search" -fi - -# This is the complete file - "$domains" has a leading space already -out="# resolv.conf autogenerated by ${0} (${dev})${nl}${dns}${ds}${domains}" - -# use resolvconf if it's available -if type resolvconf >/dev/null 2>&1; then - printf "%s\n" "${out}" | resolvconf -a "${dev}" -else - # Preserve the existing resolv.conf - if [ -e /etc/resolv.conf ] ; then - cp /etc/resolv.conf /etc/resolv.conf.ovpnsave - fi - printf "%s\n" "${out}" > /etc/resolv.conf - chmod 644 /etc/resolv.conf -fi - -exit 0 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1034?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ic30f8514b50f561e7ea8f1ce12d740ac53f202e5 Gerrit-Change-Number: 1034 Gerrit-PatchSet: 1 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-MessageType: newchange |
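Review bot: the commit message says only "We have an official solution for this now" without naming it; anyone who installed these scripts as `/etc/openvpn/client.up` and `client.down` the way the deleted headers instruct has nothing to migrate to from this message alone, so name the replacement option and where it is documented. The deleted `client.down` header also records the one privilege-separation caveat of this whole approach, namely that the down script runs after OpenVPN has dropped to its configured UID/GID and therefore needs the down-root plugin, and that running OpenVPN as root to sidestep that is explicitly not recommended; please make sure the documentation of the official replacement covers that same case so that nobody reaches for the root workaround the removed script warns against.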
| From: Gert D. <ge...@gr...> - 2025-05-28 12:00:00 |
From: Max Fillinger <max...@fo...> make distcheck fails since we are not listing all headers that are used by the unit tests. Change-Id: I674af04e1a6449544b7def0725337c3b353ea276 Signed-off-by: Arne Schwabe <arn...@rf...> Acked-by: Gert Doering <ge...@gr...> --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1033 This mail reflects revision 2 of this Change. Signed-off-by line for the author was added as per our policy. Acked-by according to Gerrit (reflected above): Gert Doering <ge...@gr...> diff --git a/tests/unit_tests/openvpn/Makefile.am b/tests/unit_tests/openvpn/Makefile.am index 471389b..c6c1699 100644 --- a/tests/unit_tests/openvpn/Makefile.am +++ b/tests/unit_tests/openvpn/Makefile.am @@ -43,7 +43,8 @@ argv_testdriver_CFLAGS = -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat @TEST_CFLAGS@ argv_testdriver_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn -Wl,--wrap=parse_line -argv_testdriver_SOURCES = test_argv.c mock_msg.c mock_msg.h \ +argv_testdriver_SOURCES = test_argv.c \ + mock_msg.c mock_msg.h test_common.h \ mock_get_random.c \ $(top_srcdir)/src/openvpn/platform.c \ $(top_srcdir)/src/openvpn/buffer.c \ @@ -52,7 +53,8 @@ buffer_testdriver_CFLAGS = -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat @TEST_CFLAGS@ buffer_testdriver_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn -Wl,--wrap=parse_line -buffer_testdriver_SOURCES = test_buffer.c mock_msg.c mock_msg.h \ +buffer_testdriver_SOURCES = test_buffer.c \ + mock_msg.c mock_msg.h test_common.h \ mock_get_random.c \ $(top_srcdir)/src/openvpn/win32-util.c \ $(top_srcdir)/src/openvpn/platform.c 
@@ -61,7 +63,8 @@ -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ @TEST_CFLAGS@ crypto_testdriver_LDFLAGS = @TEST_LDFLAGS@ -crypto_testdriver_SOURCES = test_crypto.c mock_msg.c mock_msg.h \ +crypto_testdriver_SOURCES = test_crypto.c \ + mock_msg.c mock_msg.h test_common.h \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/crypto.c \ $(top_srcdir)/src/openvpn/crypto_mbedtls.c \ @@ -78,8 +81,10 @@ -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ @TEST_CFLAGS@ ssl_testdriver_LDFLAGS = @TEST_LDFLAGS@ $(OPTIONAL_CRYPTO_LIBS) -ssl_testdriver_SOURCES = test_ssl.c mock_msg.c mock_msg.h \ - mock_management.c mock_ssl_dependencies.c mock_win32_execve.c \ +ssl_testdriver_SOURCES = test_ssl.c \ + mock_msg.c mock_msg.h test_common.h \ + mock_management.c \ + mock_ssl_dependencies.c mock_win32_execve.c \ $(top_srcdir)/src/openvpn/argv.c \ $(top_srcdir)/src/openvpn/base64.c \ $(top_srcdir)/src/openvpn/buffer.c \ @@ -114,7 +119,8 @@ -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ @TEST_CFLAGS@ packet_id_testdriver_LDFLAGS = @TEST_LDFLAGS@ -packet_id_testdriver_SOURCES = test_packet_id.c mock_msg.c mock_msg.h \ +packet_id_testdriver_SOURCES = test_packet_id.c \ + mock_msg.c mock_msg.h test_common.h \ mock_get_random.c \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/otime.c \ @@ -156,7 +162,8 @@ -Wl,--wrap=buffer_write_file \ -Wl,--wrap=parse_line \ -Wl,--wrap=rand_bytes -tls_crypt_testdriver_SOURCES = test_tls_crypt.c mock_msg.c mock_msg.h \ +tls_crypt_testdriver_SOURCES = test_tls_crypt.c \ + mock_msg.c mock_msg.h test_common.h \ mock_win32_execve.c \ $(top_srcdir)/src/openvpn/argv.c \ $(top_srcdir)/src/openvpn/base64.c \ 
@@ -229,7 +236,8 @@ @TEST_CFLAGS@ $(OPTIONAL_CRYPTO_CFLAGS) pkcs11_testdriver_LDFLAGS = @TEST_LDFLAGS@ \ $(OPTIONAL_CRYPTO_LIBS) -pkcs11_testdriver_SOURCES = test_pkcs11.c mock_msg.c \ +pkcs11_testdriver_SOURCES = test_pkcs11.c \ + mock_msg.c test_common.h \ pkey_test_utils.c cert_data.h mock_get_random.c \ $(top_srcdir)/src/openvpn/xkey_helper.c \ $(top_srcdir)/src/openvpn/xkey_provider.c \ @@ -251,7 +259,8 @@ auth_token_testdriver_LDFLAGS = @TEST_LDFLAGS@ \ $(OPTIONAL_CRYPTO_LIBS) -auth_token_testdriver_SOURCES = test_auth_token.c mock_msg.c \ +auth_token_testdriver_SOURCES = test_auth_token.c \ + mock_msg.c test_common.h \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/crypto.c \ $(top_srcdir)/src/openvpn/crypto_epoch.c \ @@ -269,7 +278,8 @@ @TEST_CFLAGS@ user_pass_testdriver_LDFLAGS = @TEST_LDFLAGS@ -user_pass_testdriver_SOURCES = test_user_pass.c mock_msg.c \ +user_pass_testdriver_SOURCES = test_user_pass.c \ + mock_msg.c test_common.h \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/console.c \ $(top_srcdir)/src/openvpn/env_set.c \ @@ -287,7 +297,8 @@ ncp_testdriver_LDFLAGS = @TEST_LDFLAGS@ \ $(OPTIONAL_CRYPTO_LIBS) -ncp_testdriver_SOURCES = test_ncp.c mock_msg.c \ +ncp_testdriver_SOURCES = test_ncp.c \ + mock_msg.c test_common.h \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/crypto.c \ $(top_srcdir)/src/openvpn/crypto_epoch.c \ @@ -306,7 +317,8 @@ misc_testdriver_LDFLAGS = @TEST_LDFLAGS@ -misc_testdriver_SOURCES = test_misc.c mock_msg.c \ +misc_testdriver_SOURCES = test_misc.c \ + mock_msg.c test_common.h \ mock_get_random.c \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/options_util.c \ |
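Review bot: the author line of this revision-2 merge mail ("From: Max Fillinger") disagrees with its own Signed-off-by and with the Gerrit owner of change 1033, both Arne Schwabe, and with the revision-3 merge mail for the same Change-Id earlier on this page, where the author is Arne Schwabe; the revision-3 mail is the one that should be merged, and this author line must not end up in the commit.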
| From: cron2 (C. Review) <ge...@op...> - 2025-05-28 11:59:38 |
Attention is currently required from: flichtenheld, plaisthos. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1033?usp=email ) Change subject: Add missing header in unit tests Makefile.am ...................................................................... Patch Set 2: Code-Review+2 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1033?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I674af04e1a6449544b7def0725337c3b353ea276 Gerrit-Change-Number: 1033 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Comment-Date: Wed, 28 May 2025 11:59:24 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment |
| From: plaisthos (C. Review) <ge...@op...> - 2025-05-28 11:57:28 |
Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1033?usp=email to look at the new patch set (#2). Change subject: Add missing header in unit tests Makefile.am ...................................................................... Add missing header in unit tests Makefile.am make distcheck fails since we are not listing all headers that are used by the unit tests. Change-Id: I674af04e1a6449544b7def0725337c3b353ea276 --- M tests/unit_tests/openvpn/Makefile.am 1 file changed, 24 insertions(+), 12 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/33/1033/2 diff --git a/tests/unit_tests/openvpn/Makefile.am b/tests/unit_tests/openvpn/Makefile.am index 471389b..c6c1699 100644 --- a/tests/unit_tests/openvpn/Makefile.am +++ b/tests/unit_tests/openvpn/Makefile.am @@ -43,7 +43,8 @@ argv_testdriver_CFLAGS = -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat @TEST_CFLAGS@ argv_testdriver_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn -Wl,--wrap=parse_line -argv_testdriver_SOURCES = test_argv.c mock_msg.c mock_msg.h \ +argv_testdriver_SOURCES = test_argv.c \ + mock_msg.c mock_msg.h test_common.h \ mock_get_random.c \ $(top_srcdir)/src/openvpn/platform.c \ $(top_srcdir)/src/openvpn/buffer.c \ @@ -52,7 +53,8 @@ buffer_testdriver_CFLAGS = -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat @TEST_CFLAGS@ buffer_testdriver_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn -Wl,--wrap=parse_line -buffer_testdriver_SOURCES = test_buffer.c mock_msg.c mock_msg.h \ +buffer_testdriver_SOURCES = test_buffer.c \ + mock_msg.c mock_msg.h test_common.h \ mock_get_random.c \ $(top_srcdir)/src/openvpn/win32-util.c \ $(top_srcdir)/src/openvpn/platform.c 
@@ -61,7 +63,8 @@ -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ @TEST_CFLAGS@ crypto_testdriver_LDFLAGS = @TEST_LDFLAGS@ -crypto_testdriver_SOURCES = test_crypto.c mock_msg.c mock_msg.h \ +crypto_testdriver_SOURCES = test_crypto.c \ + mock_msg.c mock_msg.h test_common.h \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/crypto.c \ $(top_srcdir)/src/openvpn/crypto_mbedtls.c \ @@ -78,8 +81,10 @@ -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ @TEST_CFLAGS@ ssl_testdriver_LDFLAGS = @TEST_LDFLAGS@ $(OPTIONAL_CRYPTO_LIBS) -ssl_testdriver_SOURCES = test_ssl.c mock_msg.c mock_msg.h \ - mock_management.c mock_ssl_dependencies.c mock_win32_execve.c \ +ssl_testdriver_SOURCES = test_ssl.c \ + mock_msg.c mock_msg.h test_common.h \ + mock_management.c \ + mock_ssl_dependencies.c mock_win32_execve.c \ $(top_srcdir)/src/openvpn/argv.c \ $(top_srcdir)/src/openvpn/base64.c \ $(top_srcdir)/src/openvpn/buffer.c \ @@ -114,7 +119,8 @@ -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ @TEST_CFLAGS@ packet_id_testdriver_LDFLAGS = @TEST_LDFLAGS@ -packet_id_testdriver_SOURCES = test_packet_id.c mock_msg.c mock_msg.h \ +packet_id_testdriver_SOURCES = test_packet_id.c \ + mock_msg.c mock_msg.h test_common.h \ mock_get_random.c \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/otime.c \ @@ -156,7 +162,8 @@ -Wl,--wrap=buffer_write_file \ -Wl,--wrap=parse_line \ -Wl,--wrap=rand_bytes -tls_crypt_testdriver_SOURCES = test_tls_crypt.c mock_msg.c mock_msg.h \ +tls_crypt_testdriver_SOURCES = test_tls_crypt.c \ + mock_msg.c mock_msg.h test_common.h \ mock_win32_execve.c \ $(top_srcdir)/src/openvpn/argv.c \ $(top_srcdir)/src/openvpn/base64.c \ 
@@ -229,7 +236,8 @@ @TEST_CFLAGS@ $(OPTIONAL_CRYPTO_CFLAGS) pkcs11_testdriver_LDFLAGS = @TEST_LDFLAGS@ \ $(OPTIONAL_CRYPTO_LIBS) -pkcs11_testdriver_SOURCES = test_pkcs11.c mock_msg.c \ +pkcs11_testdriver_SOURCES = test_pkcs11.c \ + mock_msg.c test_common.h \ pkey_test_utils.c cert_data.h mock_get_random.c \ $(top_srcdir)/src/openvpn/xkey_helper.c \ $(top_srcdir)/src/openvpn/xkey_provider.c \ @@ -251,7 +259,8 @@ auth_token_testdriver_LDFLAGS = @TEST_LDFLAGS@ \ $(OPTIONAL_CRYPTO_LIBS) -auth_token_testdriver_SOURCES = test_auth_token.c mock_msg.c \ +auth_token_testdriver_SOURCES = test_auth_token.c \ + mock_msg.c test_common.h \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/crypto.c \ $(top_srcdir)/src/openvpn/crypto_epoch.c \ @@ -269,7 +278,8 @@ @TEST_CFLAGS@ user_pass_testdriver_LDFLAGS = @TEST_LDFLAGS@ -user_pass_testdriver_SOURCES = test_user_pass.c mock_msg.c \ +user_pass_testdriver_SOURCES = test_user_pass.c \ + mock_msg.c test_common.h \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/console.c \ $(top_srcdir)/src/openvpn/env_set.c \ @@ -287,7 +297,8 @@ ncp_testdriver_LDFLAGS = @TEST_LDFLAGS@ \ $(OPTIONAL_CRYPTO_LIBS) -ncp_testdriver_SOURCES = test_ncp.c mock_msg.c \ +ncp_testdriver_SOURCES = test_ncp.c \ + mock_msg.c test_common.h \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/crypto.c \ $(top_srcdir)/src/openvpn/crypto_epoch.c \ 
@@ -306,7 +317,8 @@ misc_testdriver_LDFLAGS = @TEST_LDFLAGS@ -misc_testdriver_SOURCES = test_misc.c mock_msg.c \ +misc_testdriver_SOURCES = test_misc.c \ + mock_msg.c test_common.h \ mock_get_random.c \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/options_util.c \ -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1033?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I674af04e1a6449544b7def0725337c3b353ea276 Gerrit-Change-Number: 1033 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-MessageType: newpatchset |
| From: plaisthos (C. Review) <ge...@op...> - 2025-05-28 11:52:21 |
Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/1033?usp=email to review the following change. Change subject: Add missing header in unit tests Makefile.am ...................................................................... Add missing header in unit tests Makefile.am make distcheck fails since we are not listing all headers that are used by the unit tests. Change-Id: I674af04e1a6449544b7def0725337c3b353ea276 --- M tests/unit_tests/openvpn/Makefile.am 1 file changed, 24 insertions(+), 12 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/33/1033/1 diff --git a/tests/unit_tests/openvpn/Makefile.am b/tests/unit_tests/openvpn/Makefile.am index 471389b..d395bba 100644 --- a/tests/unit_tests/openvpn/Makefile.am +++ b/tests/unit_tests/openvpn/Makefile.am @@ -43,7 +43,8 @@ argv_testdriver_CFLAGS = -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat @TEST_CFLAGS@ argv_testdriver_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn -Wl,--wrap=parse_line -argv_testdriver_SOURCES = test_argv.c mock_msg.c mock_msg.h \ +argv_testdriver_SOURCES = test_argv.c \ + mock_msg.c mock_msg.h test_common.h \ mock_get_random.c \ $(top_srcdir)/src/openvpn/platform.c \ $(top_srcdir)/src/openvpn/buffer.c \ @@ -52,7 +53,8 @@ buffer_testdriver_CFLAGS = -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat @TEST_CFLAGS@ buffer_testdriver_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn -Wl,--wrap=parse_line -buffer_testdriver_SOURCES = test_buffer.c mock_msg.c mock_msg.h \ +buffer_testdriver_SOURCES = test_buffer.c \ + mock_msg.c mock_msg.h test_common.h \ mock_get_random.c \ $(top_srcdir)/src/openvpn/win32-util.c \ $(top_srcdir)/src/openvpn/platform.c 
@@ -61,7 +63,8 @@ -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ @TEST_CFLAGS@ crypto_testdriver_LDFLAGS = @TEST_LDFLAGS@ -crypto_testdriver_SOURCES = test_crypto.c mock_msg.c mock_msg.h \ +crypto_testdriver_SOURCES = test_crypto.c \ + mock_msg.c mock_msg.h test_common.h \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/crypto.c \ $(top_srcdir)/src/openvpn/crypto_mbedtls.c \ @@ -78,8 +81,10 @@ -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ @TEST_CFLAGS@ ssl_testdriver_LDFLAGS = @TEST_LDFLAGS@ $(OPTIONAL_CRYPTO_LIBS) -ssl_testdriver_SOURCES = test_ssl.c mock_msg.c mock_msg.h \ - mock_management.c mock_ssl_dependencies.c mock_win32_execve.c \ +ssl_testdriver_SOURCES = test_ssl.c \ + mock_msg.c mock_msg.h test_common.h \ + mock_management.c \ + mock_ssl_dependencies.c mock_win32_execve.c \ $(top_srcdir)/src/openvpn/argv.c \ $(top_srcdir)/src/openvpn/base64.c \ $(top_srcdir)/src/openvpn/buffer.c \ @@ -114,7 +119,8 @@ -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ @TEST_CFLAGS@ packet_id_testdriver_LDFLAGS = @TEST_LDFLAGS@ -packet_id_testdriver_SOURCES = test_packet_id.c mock_msg.c mock_msg.h \ +packet_id_testdriver_SOURCES = test_packet_id.c \ + mock_msg.c mock_msg.h test_common.h \ mock_get_random.c \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/otime.c \ @@ -156,7 +162,8 @@ -Wl,--wrap=buffer_write_file \ -Wl,--wrap=parse_line \ -Wl,--wrap=rand_bytes -tls_crypt_testdriver_SOURCES = test_tls_crypt.c mock_msg.c mock_msg.h \ +tls_crypt_testdriver_SOURCES = test_tls_crypt.c \ + mock_msg.c mock_msg.h test_common.h \ mock_win32_execve.c \ $(top_srcdir)/src/openvpn/argv.c \ $(top_srcdir)/src/openvpn/base64.c \ 
@@ -229,7 +236,8 @@ @TEST_CFLAGS@ $(OPTIONAL_CRYPTO_CFLAGS) pkcs11_testdriver_LDFLAGS = @TEST_LDFLAGS@ \ $(OPTIONAL_CRYPTO_LIBS) -pkcs11_testdriver_SOURCES = test_pkcs11.c mock_msg.c \ +pkcs11_testdriver_SOURCES = test_pkcs11.c \ + mock_msg.c test_common.h \ pkey_test_utils.c cert_data.h mock_get_random.c \ $(top_srcdir)/src/openvpn/xkey_helper.c \ $(top_srcdir)/src/openvpn/xkey_provider.c \ @@ -251,7 +259,8 @@ auth_token_testdriver_LDFLAGS = @TEST_LDFLAGS@ \ $(OPTIONAL_CRYPTO_LIBS) -auth_token_testdriver_SOURCES = test_auth_token.c mock_msg.c \ +auth_token_testdriver_SOURCES = test_auth_token.c \ + mock_msg.c test_common.h \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/crypto.c \ $(top_srcdir)/src/openvpn/crypto_epoch.c \ @@ -269,7 +278,8 @@ @TEST_CFLAGS@ user_pass_testdriver_LDFLAGS = @TEST_LDFLAGS@ -user_pass_testdriver_SOURCES = test_user_pass.c mock_msg.c \ +user_pass_testdriver_SOURCES = test_user_pass.c \ + mock_msg.c test_common.h \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/console.c \ $(top_srcdir)/src/openvpn/env_set.c \ @@ -287,7 +297,8 @@ ncp_testdriver_LDFLAGS = @TEST_LDFLAGS@ \ $(OPTIONAL_CRYPTO_LIBS) -ncp_testdriver_SOURCES = test_ncp.c mock_msg.c \ +ncp_testdriver_SOURCES = test_ncp.c \ + mock_msg.c test_common.h \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/crypto.c \ $(top_srcdir)/src/openvpn/crypto_epoch.c \ 
@@ -306,7 +317,8 @@ misc_testdriver_LDFLAGS = @TEST_LDFLAGS@ -misc_testdriver_SOURCES = test_misc.c mock_msg.c \ +misc_testdriver_SOURCES = test_misc.c \ + mock_msg.c test_common.h \ mock_get_random.c \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/options_util.c \ -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1033?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I674af04e1a6449544b7def0725337c3b353ea276 Gerrit-Change-Number: 1033 Gerrit-PatchSet: 1 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-MessageType: newchange |
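Review bot: these Makefile.am hunks duplicate the test_common.h additions that change 1032 (patch set 6, the next message, "Additionally, add test_common.h to tests/unit_tests/openvpn/Makefile.am") carries in the same file, so whichever of the two lands second will conflict on every one of these ..._SOURCES lines; pick one change to own the _SOURCES edit and drop it from the other. Two smaller points: each hunk re-wraps the existing `test_X.c mock_msg.c mock_msg.h \` line into two lines before appending the new token, which turns a one-token change into a nine-hunk diff (appending `test_common.h` to the existing line would do), and the pkcs11, auth_token, user_pass, ncp and misc lists carry `mock_msg.c` without `mock_msg.h` while the crypto, ssl, packet_id and tls_crypt lists carry both. That is not a dist bug, since a header listed in any _SOURCES variable reaches the tarball, but it is the same inconsistency that let test_common.h go missing in the first place.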
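The hunks above add test_common.h to the automake _SOURCES lists so that `make dist` ships it. The script below is an added example, not OpenVPN project code, showing the cheap static check for that class of omission: it parses the _SOURCES and EXTRA_DIST assignments of a Makefile.am (joining backslash-continued lines) and reports any header that a test source includes with quotes, that exists next to the tests, and that no list mentions. The Makefile.am fragment, the two test sources and the LOCAL_HEADERS set are constructed inline to mirror the pattern in the patch (mock_msg.h listed, test_common.h not); against the real tests/unit_tests/openvpn directory they would be read from disk instead.

```python
"""Static dist-completeness check for automake unit-test headers.

Added example, not OpenVPN project code. A header that a test includes but
that no *_SOURCES or EXTRA_DIST variable lists is silently left out of the
`make dist` tarball, and the tarball's `make check` then fails to compile.
"""
import re

# Constructed Makefile.am fragment (hypothetical, modelled on the patch above).
MAKEFILE_AM = r"""
crypto_testdriver_SOURCES = test_crypto.c mock_msg.c mock_msg.h \
    $(top_srcdir)/src/openvpn/buffer.c \
    $(top_srcdir)/src/openvpn/crypto.c
misc_testdriver_SOURCES = test_misc.c mock_msg.c \
    mock_get_random.c
EXTRA_DIST = cert_data.h
"""

# Constructed test sources: file name -> contents (only the includes matter).
TEST_SOURCES = {
    "test_crypto.c": '#include "syshead.h"\n#include "mock_msg.h"\n'
                     '#include "test_common.h"\n',
    "test_misc.c": '#include "test_common.h"\n#include <stdio.h>\n',
}

# Headers that live beside the tests (constructed). Headers from src/openvpn
# are shipped by the main Makefile.am and are deliberately not in this set.
LOCAL_HEADERS = {"mock_msg.h", "test_common.h", "cert_data.h"}


def parse_dist_lists(makefile_am: str) -> dict:
    """Return {variable: set(basenames)} for every *_SOURCES and EXTRA_DIST
    assignment, after joining backslash-continued lines into one."""
    joined = re.sub(r"\\\n", " ", makefile_am)
    lists = {}
    for m in re.finditer(r"^\s*(\w+_SOURCES|EXTRA_DIST)\s*\+?=\s*(.*)$",
                         joined, re.M):
        var, rhs = m.group(1), m.group(2)
        # $(top_srcdir)/src/openvpn/buffer.c -> buffer.c
        lists[var] = {tok.rsplit("/", 1)[-1] for tok in rhs.split()}
    return lists


def local_includes(source: str) -> set:
    """Quoted includes only; <...> system headers are not a dist concern."""
    return set(re.findall(r'^\s*#\s*include\s+"([^"]+)"', source, re.M))


def find_undistributed_headers(makefile_am: str, sources: dict,
                               local_headers: set) -> dict:
    """Return {header: [test files including it]} for every local header
    that no _SOURCES/EXTRA_DIST variable lists."""
    lists = parse_dist_lists(makefile_am)
    distributed = set().union(*lists.values()) if lists else set()
    missing = {}
    for fname, text in sources.items():
        for hdr in local_includes(text):
            if hdr in local_headers and hdr not in distributed:
                missing.setdefault(hdr, []).append(fname)
    return missing


if __name__ == "__main__":
    report = find_undistributed_headers(MAKEFILE_AM, TEST_SOURCES, LOCAL_HEADERS)
    for hdr, users in sorted(report.items()):
        print(f"{hdr}: included by {', '.join(sorted(users))} "
              f"but listed in no _SOURCES/EXTRA_DIST")
```

`make distcheck` catches the same omission end to end, but only after a full tarball build; this check runs in milliseconds as a pre-commit hook and, because it keys on the set of headers actually present beside the tests, it also flags a header that is only ever reachable through EXTRA_DIST and was never added there.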
| From: cron2 (C. Review) <ge...@op...> - 2025-05-28 11:39:39 |
Attention is currently required from: cron2, plaisthos, selvanair, stipa.

cron2 has uploaded a new patch set (#6) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/1032?usp=email )

Change subject: OpenVPN Release 2.7_alpha1
......................................................................

OpenVPN Release 2.7_alpha1

version.m4, ChangeLog, Changes.rst

(ChangeLog in "master" will revert to its normal state of "empty" after release/2.7 is forked off into its own branch)

Additionally, add test_common.h to tests/unit_tests/openvpn/Makefile.am (..._SOURCES) so it's packed into the "make dist" tarball

Change-Id: I80a14b77fcc2fabf51af9f2d5ea0c36362cccb91
Signed-off-by: Frank Lichtenheld <fr...@li...>
---
M ChangeLog
M Changes.rst
M tests/unit_tests/openvpn/Makefile.am
M version.m4
4 files changed, 894 insertions(+), 46 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/32/1032/6

diff --git a/ChangeLog b/ChangeLog
index c26dd2e..c6e626b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,759 @@ OpenVPN ChangeLog -Copyright (C) 2002-2024 OpenVPN Inc <sa...@op...> +Copyright (C) 2002-2025 OpenVPN Inc <sa...@op...> -This file is not maintained in this branch of the OpenVPN git repository. +2025.05.28 -- Version 2.7_alpha1 -Release branches (release/2.5, release/2.4, etc) have individual ChangeLog -files with all changes relevant for these releases. +5andr0 (1): + Implement server_poll_timeout for socks + +Alexander von Gluck (4): + Haiku: Introduce basic platform / tun support + Haiku: Add calls to manage routing table + Haiku: change del to delete in route command. del is undocumented + Haiku: Fix short interface path length + +Antonio Quartulli (32): + disable DCO if --secret is specified + dco: properly re-initialize dco_del_peer_reason + dco: bail out when no peer-specific message is delivered + dco: improve comment about hidden debug message + dco: print proper message in case of transport disconnection + dco_linux: update license for ovpn_dco_linux.h + Update issue templates + Avoid warning about missing braces when initialising key struct + dco: don't use NetLink to exchange control packets + dco: print version to log if available + dco-linux: remove M_ERRNO flag when printing netlink error message + multi: don't call DCO APIs if DCO is disabled + dco-freebsd: use m->instances[] instead of m->hash + dco-linux: implement dco_get_peer_stats{, multi} API + configure.ac: fix typ0 in LIBCAPNG_CFALGS + dco: fix crash when --multihome is used with --proto tcp + dco: mark peer as deleted from kernel after receiving CMD_DEL_PEER notification + event/multi: add event_arg object to make event handling more generic + pass link_socket object to i/o functions + io_work: convert shift argument to uintptr_t + io_work: pass event_arg object to event handler in case of socket event + sitnl: replace NLMSG_TAIL macro with noinline function + override ai_family if 'local' numeric address was specified + Adapt socket handling to support listening on 
multiple sockets + allow user to specify 'local' multiple times in config files + dco_linux: extend netlink error cb with extra info + man: extend --persist-tun section + dco: pass remoteaddr only for UDP peers + socket: use remote proto when creating client sockets + dco_linux: fix peer stats parsing with new ovpn kernel module + socket: don't transfer bind family to socket in case of ANY address + dco_linux: avoid bogus text when netlink message is not parsed + +Aquila Macedo (1): + doc: Correct typos in multiple documentation files + +Arne Schwabe (190): + Fix connection cookie not including address and fix endianness in test + Fix unit test of test_pkt on little endian Linux + Disable DCO when TLS mode is not used + Ignore connection attempts while server is shutting down + Improve debug logging of DCO swap key message and Linux dco_new_peer + Trigger a USR1 if dco_update_keys fails + Set DCO_NOT_INSTALLED also for keys not in the get_key_scan range + Ensure that argument to parse_line has always space for final sentinel + Improve documentation on user/password requirement and unicodize function + Eliminate or comment empty blocks and switch fallthrough + Remove unused gc_arena + Fix corner case that might lead to leaked file descriptor + Deprecate NTLMv1 proxy auth method. 
+ Use include "buffer.h" instead of include <buffer.h> + Ensure that dco keepalive and mssfix options are also set in pure p2p mode + Make management password check constant time + Rename TM_UNTRUSTED to TM_INITIAL, always start session in TM_INITIAL rather than TM_ACTIVE or TM_INITIAL + Move dco_installed back to link_socket from link_socket.info.actual + Do not set nl socket buffer size + Also drop incoming dco packet content when dropping the packet + Improve logging when seeing a message for an unkown peer + Ignore OVPN_DEL_PEER_REASON_USERSPACE to avoid race conditions + Replace custom min macro and use more C99 style in man_remote_entry_get + Replace realloc with new gc_realloc function + Add connect-freq-initial option to limit initial connection responses + Log peer-id if loglevel is D_DCO_DEBUG and dco is enabled + Deprecate OCC checking + Workaround: make ovpn-dco more reliable + Fix unaligned access in auth-token + Update LibreSSL to 3.7.0 in Github actions + Add printing USAN stack trace on github actions + Fix LibreSSL not building in Github Actions + Add missing stdint.h includes in unit tests files + Combine extra_tun/frame parameter of frame_calculate_payload_overhead + Update the last sections in the man page to a be a bit less outdated + Add building unit tests with mingw to github actions + Revise the cipher negotiation info about OpenVPN3 in the man page + Exit if a proper message instead of segfault on Android without management + Use proper print format/casting when converting msg_channel handle + Reduce initialisation spam from verb <= 3 and print summary instead + Dynamic tls-crypt for secure soft_reset/session renegotiation + Set netlink socket to be non-blocking + Ensure n = 2 is set in key2 struct in tls_crypt_v2_unwrap_client_key + Fix memory leaks in open_tun_dco() + Fix memory leaks in HMAC initial packet generation + Use key_state instead of multi for tls_send_payload parameter + Make sending plain text control message session aware + 
Only update frame calculation if we have a valid link sockets + Improve description of compat-mode + Simplify --compress parsing in options.c + Refuse connection if server pushes an option contradicting allow-compress + Add 'allow-compression stub-only' internally for DCO + Parse compression options and bail out when compression is disabled + Remove unused variable line + Add Apache2 linking with for new commits + Fix compile error on TARGET_ANDROID + Fix use-after-free with EVP_CIPHER_free + Remove key_type argument from generate_key_random + add basic CMake based build + Avoid unused function warning/error on FreeBSD (and potientially others) + Do not blindly assume python3 is also the interpreter that runs rst2html + Only add -Wno-stringop-truncation on supported compilers + fix warning with gcc 12.2.0 (compiler bug?) + Fix CR_RESPONSE mangaement message using wrong key_id + Print a more user-friendly error when tls-crypt-v2 client auth fails + Ignore Ipv6 route delete request on Android and set ipv4 verbosity to 7 + Mock openvpn_exece on win32 also for test_tls_crypt + Check if the -wrap argument is actually supported by the platform's ld + Revert commit 423ced962d + Implement using --peer-fingerprint without CA certificates + show extra info for OpenSSL errors + Remove ability to use configurations without TLS by default + Add warning for the --show-groups command that some groups are missing + Print peer temporary key details + Add warning if a p2p NCP client connects to a p2mp server + Remove openssl engine method for loading the key + Add undefined and abort on error to clang sanitize builds + Add --enable-werror to all platforms in Github Actions + Remove saving initial frame code + Double check that we do not use a freed buffer when freeing a session + Fix using to_link buffer after freed + Remove CMake custom compiler flags for RELEASE and DEBUG build + Do not check key_state buffers that are in S_UNDEF state + Remove unused function prototype 
crypto_adjust_frame_parameters + Introduce report_command_status helper function + Log SSL alerts more prominently + Remove unused/unneeded/add missing defines from configure/cmake + Document tls-exit option mainly as test option + Remove dead remains of extract_x509_field_test + Replace character_class_debug with proper unit test + Remove TEST_GET_DEFAULT_GATEWAY as it duplicates --show-gateway + Fix check_session_buf_not_used using wrong index + Add missing check for nl_socket_alloc failure + Add check for nice in cmake config + Minimal Solaris/OpenIndiana support to Cmake and clean up -Werror + Remove compat versionhelpers.h and remove cmake/configure check for it + Rename state_change to continue_tls_process + Move tls_get_cipher_name_pair and get_num_elements to ssl_utils.c + Fix building mbed TLS with CMake and allow specifying custom directories + Extend the error message when TLS 1.0 PRF fails + Fix unaligned access in macOS, FreeBSD, Solaris hwaddr + Check PRF availability on initialisation and add --force-tls-key-material-export + Make it more explicit and visible when pkg-config is not found + Clarify that the tls-crypt-v2-verify has a very limited env set + Move get_tmp_dir to win32-util.c and error out on failure + Implement the --tls-export-cert feature + Use mingw compile definition also to unit tests + Add test_ssl unit test and test export of PEM to file + Remove conditional text for Apache2 linking exception + Fix ssl unit tests on OpenSSL 1.0.2 + Ensure that all unit tests use unbuffered stdout and stderr + Allow unit tests to fall back to hard coded location + Add unit test for encrypting/decrypting data channel + Print SSL peer signature information in handshake debug details + Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs + Turn dead list test code into unit test + Use snprintf instead of sprintf for get_ssl_library_version + Fix snprintf/swnprintf related compiler warnings + Add bracket in fingerprint message and do not warn 
about missing verification + Match ifdef for get_sigtype function with if ifdef of caller + Remove/combine redundant call of EVP_CipherInit before EVP_CipherInit_Ex + Add missing EVP_KDF_CTX_free in ssl_tls1_PRF + Replace macos11 with macos14 in github runners + Remove openvpn_snprintf and similar functions + Repeat the unknown command in errors from management interface + Only run coverity scan in OpenVPN/OpenVPN repository + Support OpenBSD with cmake + Workaround issue in LibreSSL crashing when enumerating digests/ciphers + Remove OpenSSL 1.0.2 support + Remove custom TLS 1.0 PRF implementation only used by LibreSSL/wolfSSL + Allow the TLS session to send out TLS alerts + Properly handle null bytes and invalid characters in control messages + Allow trailing \r and \n in control channel message + Add Ubuntu 24.04 runner to Github Actions + Implement support for AEAD tag at the end + Remove check for anonymous unions from configure and cmake config + Make read/write_tun_header static + Avoid SIGUSR1 to SIGHUP remapping when the configuration is read from stdin + Move to common backend_driver type in struct tuntap + Introduce DRIVER_AFUNIX backend for use with lwipovpn + Change dev null to be a driver type instead of a special mode of tun/tap + Use print_tun_backend_driver instead of custom code to print type + Automatically enable ifconfig-exec/route-exec behaviour for afunix tun/tap + Ensure that the AF_UNIX socket pair has at least 65k of buffer space + Fix check for CMake not detecting struct cmsg + Remove null check after checking for checking for did_open_tun + Remove a large number of unused structs and functions + Remove unused methods write_key/read_key + Refuse clients if username or password is longer than USER_PASS_LEN + Move should_trigger_renegotiation into its own function + Change --reneg-bytes and --reneg-packets to 64 bit counters + Use XOR instead of concatenation for calculation of IV from implicit IV + Trigger renegotiation of data key if 
getting close to the AEAD usage limit + Implement HKDF expand function based on RFC 8446 + Split init_key_ctx_bi into send/recv init + Move initialisation of implicit IVs to init_key_ctx_bi methods + Change internal id of packet id to uint64 + Add small unit test for buf_chomp + Add building/testing with msbuild and the clang compiler + Ensure that Python3 is available + Change API of init_key_ctx to use struct key_parameters + Allow DEFAULT in data-ciphers and report both expanded and user set option + Do not attempt to decrypt packets anymore after 2**36 failed decryptions + Add methods to read/write packet ids for epoch data + Implement methods to generate and manage OpenVPN Epoch keys + Rename aead-tag-at-end to aead-epoch + Improve peer fingerprint documentation + Remove comparing username to NULL in tls_lock_username + Print warnings/errors when numerical parameters cannot be parsed + Add unit tests for atoi parsing options helper + Improve error reporting from AF_UNIX tun/tap support + Fix typo in positive_atoi + Fix oversight of link socket code change in Android code path + Implement epoch key data format + Extend the unit test for data channel packets with aead limit tests + Add (fake) Android cmake building + Add android build to Github Actions + Reconnect when TCP is on use on network-change management command + Implement override-username + Fix incorrect condition for checking password related check + Directly use _countof in array initialisation + Improve documentation for override-username + Mention address if not unspecific on DNS failure + Do not leave half-initialised key wrap struct when dynamic tls-crypt fails + Allow tls-crypt-v2 to be setup only on initial packet of a session + Use SSL_get0_peer_signature_name instead of SSL_get_peer_signature_nid + Use USER_PASS_LEN instead of TLS_USERNAME_LEN for override-username + Also print key agreement when printing negotiated details + Fix mbed TLS key exporter functionality in 3.6.x and cmake + Make 
--dh none behaviour default if not specified + +Ben Boeckel (1): + console_systemd: remove the timeout when using 'systemd-ask-password' + +Christoph Schug (1): + Update documentation references in systemd unit files + +Corubba Smith (3): + Support IPv6 towards port-share proxy receiver + Document x509-username-fields oid usage + Remove x509-username-fields uppercasing + +David Sommerseth (4): + ssl_verify: Fix memleak if creating deferred auth control files fails + ntlm: Clarify details on NTLM phase 3 decoding + Remove --tls-export-cert + Remove superfluous x509_write_pem() + +Franco Fichtner (1): + Allow to set ifmode for existing DCO interfaces in FreeBSD + +Frank Lichtenheld (174): + options.c: fix format security error when compiling without optimization + options.c: update usage description of --cipher + Update copyright year to 2023 + xkey_pkcs11h_sign: fix dangling pointer + options: Always define options->management_flags + check_engine_keys: make pass with OpenSSL 3 + documentation: update 'unsupported options' section + Changes.rst: document removal of --keysize + Windows: fix unused function setenv_foreign_option + Windows: fix unused variables in delete_route_ipv6 + Windows: fix wrong printf format in x_check_status + Windows: fix unused variable in win32_get_arch + configure: enable DCO by default on FreeBSD/Linux + Windows: fix signedness errors with recv/send + configure: fix formatting of --disable-lz4 and --enable-comp-stub + tests/unit_tests: Fix 'make distcheck' with subdir-objects enabled + GHA: remove Ubuntu 18.04 builds + vcpkg: request "tools" feature of openssl for MSVC build + Do not include net/in_systm.h + version.sh: remove + doc: run rst2* with --strict to catch warnings + man page: Remove cruft from --topology documentation + tests: do not include t_client.sh in dist + vcpkg-ports/pkcs11-helper: Make compatible with mingw build + vcpkg-ports/pkcs11-helper: Convert CONTROL to vcpkg.json + vcpkg-ports/pkcs11-helper: reference upstream 
PRs in patches + dco_linux: properly close dco version file + DCO: fix memory leak in dco_get_peer_stats_multi for Linux + Fix two unused assignments + sample-plugins: Fix memleak in client-connect example plugin + tests: Allow to override openvpn binary used + test_buffer: add tests for buf_catrunc and its caller format_hex_ex + buffer: use memcpy in buf_catrunc + options: remove --key-method from usage message + msvc-generate: include version.m4.in in tarball + dist: add more missing files only used in the MSVC build + vcpkg-ports/pkcs11-helper: rename patches to make file names shorter + unit_tests: Add missing cert_data.h to source list for unit tests + dist: Include all documentation in distribution + CMake: Add complete MinGW and MSVC build + Remove all traces of the previous MSVC build system + CMake: Add /Brepro to MSVC link options + GHA: update to run-vcpkg@v11 + test_tls_crypt: Improve mock() usage to be more portable + CMake: Throw a clear error when config.h in top-level source directory + CMake: Support doc builds on Windows machines that do not have .py file association + Remove old Travis CI related files + README.cmake.md: Add new documentation for CMake buildsystem + GHA: refactor mingw UTs and add missing tls_crypt + GHA: Add macos-13 + options: Do not hide variables from parent scope + pkcs11_openssl: Disable unused code + route: Fix overriding return value of add_route3 + CMake: various small non-functional improvements + GHA: do not trigger builds in openvpn-build anymore + Remove --no-replay option + GHA: new workflow to submit scan to Coverity Scan service + doc: fix argument name in --route-delay documentation + Change type of frame.mss_fix to uint16_t + Remove last uses of inet_ntoa + mss/mtu: make all size calculations use size_t + dev-tools/gerrit-send-mail.py: tool to send Gerrit patchsets to Patchwork + gerrit-send-mail.py: Add patch version to subject + Add mbedtls3 GHA build + platform.c: Do not depend Windows build on HAVE_CHDIR + 
sample-keys: renew for the next 10 years + GHA: clean up libressl builds with newer libressl + configure.ac: Remove unused AC_TYPE_SIGNAL macro + documentation: remove reference to removed option --show-proxy-settings + unit_tests: remove includes for mock_msg.h + buffer: add documentation for string_mod and extend related UT + tests: disable automake serial_tests + documentation: improve documentation of --x509-track + configure: allow to disable NTLM + configure: enable silent rules by default + misc: make get_auth_challenge static + Remove support for NTLM v1 proxy authentication + GHA: increase verbosity for make check + NTLM: add length check to add_security_buffer + NTLM: increase size of phase 2 response we can handle + Fix various 'Uninitialized scalar variable' warnings from Coverity + proxy-options.rst: Add proper documentation for --http-proxy-user-pass + NTLM: when NTLMv1 is requested, try NTLMv2 instead + buf_string_match_head_str: Fix Coverity issue 'Unsigned compared against 0' + --http-proxy-user-pass: allow to specify in either order with --http-proxy + test_user_pass: new UT for get_user_pass + test_user_pass: Add UTs for character filtering + gerrit-send-mail: Make output consistent across systems + README.cmake.md: Document minimum required CMake version for --preset + documentation: Update and fix documentation for --push-peer-info + documentation: Fixes for previous fixes to --push-peer-info + test_user_pass: add basic tests for static/dynamic challenges + Fix typo --data-cipher-fallback + samples: Remove tls-*.conf + check_compression_settings_valid: Do not test for LZ4 in LZO check + t_client.sh: Allow to skip tests + gerrit-send-mail: add missing Signed-off-by + Update Copyright statements to 2024 + GHA: general update March 2024 + samples: Update sample configurations + documentation: make section levels consistent + phase2_tcp_server: fix Coverity issue 'Dereference after null check' + script-options.rst: Update ifconfig_* variables + 
crypto_backend: fix type of enc parameter + tests: fork default automake test-driver + forked-test-driver: Show test output always + Change default of "topology" to "subnet" + Use topology default of "subnet" only for server mode + Fix 'binary or' vs 'boolean or' related to server_bridge_proxy_dhcp + configure: update old copy of pkg.m4 + LZO: do not use lzoutils.h macros + test_user_pass: Fix building with --enable-systemd + Remove "experimental" denotation for --fast-io + t_server_null.sh: Fix failure case + configure: Add -Wstrict-prototypes and -Wold-style-definition + configure: Try to detect LZO with pkg-config + configure: Switch to C11 by default + Fix missing spaces in various messages + console_systemd: rename query_user_exec to query_user_systemd + configure: Allow to detect git checkout if .git is not a directory + GHA: Configure Renovate + configure: Try to use pkg-config to detect mbedTLS + tun: use is_tun_p2p more consistently + Various fixes for -Wconversion errors + generate_auth_token: simplify code + GHA: Update dependency Mbed-TLS/mbedtls to v3.6.1 + GHA: Enable t_server_null tests + configure: Handle libnl-genl and libcap-ng consistent with other libs + configure: Review use of standard AC macros + socket: Change return types of link_socket_write* to ssize_t + GHA: Pin dependencies + GHA: Update macOS runners + GHA: Simplify macOS builds + Remove support for compression on send + Fix wrong doxygen comments + Various typo fixes + macOS: Assume that net/if_utun.h is always present + Fix some formatting related to if/else and macros + Fix memory leak in ntlm_support + forward: Fix potential unaligned access in drop_if_recursive_routing + GHA: General update December 2024 + Review doxygen warnings + Regenerate doxygen config file with doxygen -u + Fix 'uninitialized pointer read' in openvpn_decrypt_aead + ssl_openssl: Clean up unused functions and add missing "static" + Fix some trivial sign-compare compiler warnings + 
tls_crypt_v2_write_client_key_file: Fix missing-field-initializers compiler warning + openvpnserv: Fix some inconsistent usages of TEXT() + Fix doxygen warnings in crypto_epoch.h + GHA: Drop Ubuntu 20.04 and other maintenance + GHA: Publish Doxygen documentation to Github Pages + Add more 'intentional fallthrough' comments + Remove various unused function parameters + Remove unused function check_subnet_conflict + options: Cleanup and simplify options_postprocess_verify_ce + Apply text-removal.sh script to Windows codebase + openvpnserv: Clean up use of TEXT() from DNS patches + Post tchar.h removal cleanup + Fix compatibility with mbedTLS 2.28.10+ and 3.6.3+ + t_server_null_default.rc: Add some tests with --data-ciphers + GHA: Pin version of CMake for all builds + GHA: Dependency and Actions update April 2025 + GHA: Make sure renovate notifies us about AWS LC releases + Doxygen: Fix obsolete links to OpenSSL documentation + GHA: Use CMake 4.0 and apply required fixes + Doxygen: Clean up tls-crypt documentation + Doxygen: Remove useless Python information + Manually reformat some long trailing comments + CMake: Make sure to treat UNIT_TEST_SOURCEDIR as path + CMake: Sync list of compiler flags with configure.ac + CMake: Reorganize header and symbol tests + GHA: Dependency and Actions update May 2025 + Doxygen: Fix missing parameter warnings + Changes.rst: Collect, fix, and improve entries for 2.7 release + +George Pchelkin (1): + fix typo: dhcp-options to dhcp-option in vpn-network-options.rst + +Gert Doering (21): + Change version.m4 to 2.7_git + bandaid fix for TCP multipoint server crash with Linux-DCO + Undo FreeBSD 12.x workaround on IPv6 ifconfig for 12.4 and up + Reduce logspam about 'dco_update_keys: peer_id=-1' in p2p server mode + Fix OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT breakage on FreeBSD+DCO + Repair special-casing of EEXIST for Linux/SITNL route install + Get rid of unused 'bool tuntap_buffer' arguments. 
+ FreeBSD 12.x workaround for IPv6 ifconfig is needed on 12.4 as well + Make received OCC exit messages more visible in log. + OpenBSD: repair --show-gateway + get_default_gateway() HWADDR overhaul + make t_server_null 'server alive?' check more robust + t_client.sh: conditionally skip ifconfig+route check + send uname() release as IV_PLAT_VER= on non-windows versions + options: add IPv4 support to '--show-gateway <arg>' + get_default_gateway(): implement platform support for Linux/SITNL + get_default_gateway(): implement platform support for Linux/IPROUTE2 + add missing (void) to win32 function declarations + add more (void) to windows specific function prototypes and declarations + Make 'lport 0' no longer sufficient to do '--bind'. + Add information-gathering about DNS resolvers configured to t_client.sh(.in) + +Gianmarco De Gregori (17): + Persist-key: enable persist-key option by default + Minor fix to process_ip_header + Http-proxy: fix bug preventing proxy credentials caching + Ensures all params are ready before invoking dco_set_peer() + Route: remove incorrect routes on exit + Fix for msbuild/mingw GHA failures + multiproto: move generic event handling code in dedicated files + Fix PASS_BY_VALUE issue in options_postprocess_mutate_le() + mroute: adapt to new protocol handling and hashing improvements + mroute/management: repair mgmt client-kill for mroute with proto + Add support for simultaneous use of UDP and TCP sockets + Rename occurences of 'struct link_socket' from 'ls' to 'sock' + Fix FreeBSD-DCO and Multisocket interaction + manpage: fix HTML format for --local + Fix dco_win and multisocket interaction + dco_linux: Introduce new uAPIs + Explicit-exit-notify and multisocket interaction + +Heiko Hund (21): + dns option: allow up to eight addresses per server + work around false positive warning with mingw 12 + dns option: remove support for exclude-domains + cmake: create and link compile_commands.json file + cmake: symlink whole build dir not just 
.json file + Windows: enforce 'block-local' with WFP filters + add and send IV_PROTO_DNS_OPTION_V2 flag + dns: store IPv4 addresses in network byte order + dns: clone options via pointer instead of copy + service: add utf8to16 function that takes a size + dns: support multiple domains without DHCP + dns: do not use netsh to set name server addresses + win: calculate address string buffer size + win: implement --dns option support with NRPT + dns: apply settings via script on unixoid systems + fix typo in haikuos dns-updown script + dns: support running up/down command with privsep + dns: don't publish env vars to non-dns scripts + dns: fix potential NULL pointer dereference + win: match search domains when creating exclude rules + win: fix collecting DNS exclude data + +Heiko Wundram (1): + Implement Windows CA template match for Crypto-API selector + +Ilia Shipitsin (3): + src/openvpn/init.c: handle strdup failures + sample/sample-plugins/defer/multi-auth.c: handle strdup errors + tests/unit_tests/openvpn/test_auth_token.c: handle strdup errors + +Ilya Shipitsin (1): + src/openvpn/dco_freebsd.c: handle malloc failure + +Juliusz Sosinowicz (1): + Change include order for tests + +Klemens Nanni (1): + Fix tmp-dir documentation + +Kristof Provost (10): + Read DCO traffic stats from the kernel + dco: Update counters when a client disconnects + Read the peer deletion reason from the kernel + dco: cleanup FreeBSD dco_do_read() + options.c: enforce a minimal fragment size + configure: improve FreeBSD DCO check + dco: define OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT on FreeBSD + dco: print FreeBSD version + DCO: support key rotation notifications + dco-freebsd: dynamically re-allocate buffer if it's too small + +Lev Stipakov (63): + Rename dco_get_peer_stats to dco_get_peer_stats_multi + management: add timer to output BYTECOUNT + Introduce dco_get_peer_stats API and Windows implementation + git-version.py: proper support for tags + msvc: upgrade to Visual Studio 2022 + 
tun: move print_windows_driver() out of tun.h + openvpnmsica: remove dco installer custom actions + openvpnmsica: remove unused declarations + openvpnmsica: fix adapters discovery logic for DCO + Allow certain DHCP options to be used without DHCP server + dco-win: use proper calling convention on x86 + Improve format specifier for socket handle in Windows + Disable DCO if proxy is set via management + Add logging for windows driver selection process + Avoid management log loop with verb >= 6 + Support --inactive option for DCO + Fix '--inactive <time> 0' behavior for DCO + Print DCO client stats on SIGUSR2 + Don't overwrite socket flags when using DCO on Windows + Support of DNS domain for DHCP-less drivers + dco-win: support for --dev-node + tapctl: generate driver-specific adapter names + openvpnmsica: link C runtime statically + tun.c: enclose DNS domain in single quotes in WMIC call + manage.c: document missing KID parameter + Set WINS servers via interactice service + CMake: fix broken daemonization and syslog functionality + Warn user if INFO control command is too long + CMake: fix HAVE_DAEMON detection on Linux + dco-win: get driver version + dco: warn if DATA_V1 packets are sent to userspace + config.h: fix incorrect defines for _wopen() + Make --dns options apply for tap-windows6 driver + Warn if pushed options require DHCP + tun.c: don't attempt to delete DNS and WINS servers if they're not set + win32: Enforce loading of plugins from a trusted directory + interactive.c: disable remote access to the service pipe + interactive.c: Fix potential stack overflow issue + Disable DCO if proxy is set via management + misc.c: remove unused code + interactive.c: Improve access control for gui<->service pipe + Use a more robust way to get dco-win version + dco: better naming for function parameters + repair DNS address option + dco-win: factor out getting dco version + dco-win: enable mode server on supported configuration + dco-win: simplify do_close_link_socket() 
+ route.c: change the signature of get_default_gateway() + route.c: improve get_default_gateway() logic on Windows + mudp.c: keep offset value when resetting buffer + multi.c: add iroutes after dco peer is added + dco-win: disable dco in server mode if multiple --local options defined + dco-win: multipeer support + dco-win: simplify control packets prepend code + dco-win: kernel notifications + dco-win: support for iroutes + dco-win: Fix crash when cancelling pending operation + Remove UINT8_MAX definition + win: allow OpenVPN service account to use any command-line options + ssl_openssl.c: Prevent potential double-free + win: refactor get_windows_version() + win: create adapter on demand + win: remove Wintun support + +Marc Becker (5): + unify code path for adding PKCS#11 providers + use new pkcs11-helper interface to add providers + special handling for PKCS11 providers on win32 + vcpkg-ports/pkcs11-helper: support loader flags + vcpkg-ports/pkcs11-helper: bump to version 1.30 + +Marco Baffo (3): + tun: removed unnecessary route installations + IPv6 MADDR LOG: Wrap IPv6 addresses in square brackets and print port when the port is specified + get_default_gateway(): Prevent passing IPV4_INVALID_ADDR as a destination + +Martin Rys (1): + openvpn-[client|server].service: Remove syslog.target + +Matthias Andree (1): + make dist: Ship ovpn_dco_freebsd.h, too + +Max Fillinger (10): + Correct tls-crypt-v2 metadata length in man page + Fix message for too long tls-crypt-v2 metadata + Add support for mbedtls 3.X.Y + Update README.mbedtls + Disable TLS 1.3 support with mbed TLS + Enable key export with mbed TLS 3.x.y + Remove license warning from README.mbedtls + mbedtls: Remove support for old TLS versions + mbedtls: Warn if --tls-version-min is too low + Remove HAVE_EXPORT_KEYING_MATERIAL macro + +Michael Baentsch (1): + using OpenSSL3 API for EVP PKEY type name reporting + +Michael Nix (1): + fix typo in help text: --ignore-unknown-option + +Qingfang Deng (1): + dco: fix 
source IP selection when multihome + +Ralf Lici (3): + Fix check_addr_clash argument order + Handle missing DCO peer by restarting the session + Implement ovpn version detection + +Reynir Björnsson (2): + protocol_dump: tls-crypt support + Only schedule_exit() once + +Rémi Farault (1): + Add calls to nvlist_destroy to avoid leaks + +Samuli Seppänen (6): + Add t_server_null test suite + t_server_null: multiple improvements and fixes + t_server_null: persist test log files + t_server_null: forcibly kill misbehaving servers + t_server_null: use wait instead of marker files + Add lwip support to t_server_null + +Selva Nair (63): + Reduce default restart pause to 1 second + Do not include auth-token in pulled option digest + Persist DCO client data channel traffic stats on restart + Add remote-count and remote-entry query via management + Permit unlimited connection entries and remotes + Use a template for 'unsupported management commands' error + Allow skipping multple remotes via management interface + Properly unmap ring buffer file-map in interactive service + Use undo_lists for saving ring-buffer handles in interactive service + Cleanup: Close duplicated handles in interactive service + Preparing for better signal handling: some code refactoring + Refactor signal handling in openvpn_getaddrinfo + Use IPAPI for setting ipv6 routes when iservice not available + Fix signal handling on Windows + Assign and honour signal priority order + Distinguish route addition errors from route already exists + Propagate route error to initialization_completed() + Include CE_DISABLED status of remote in "remote-entry-get" response + Define and use macros for route addition status code + Warn when pkcs11-id or pkcs11-id-management options are ignored + Cleanup route error and debug logging on Windows + Fix one more 'existing route may get deleted' case + block-dns using iservice: fix a potential double free + Conditionally add subdir-objects option to automake + Build unit tests in 
mingw Windows build + cyryptapi.c: log the selected certificate's name + cryptoapi.c: remove pre OpenSSL-3.01 support + cryptoapi.c: simplify parsing of thumbprint hex string + Option --cryptoapicert: support issuer name as a selector + Add a unit test for functions in cryptoapi.c + Do not save pointer to 'struct passwd' returned by getpwnam etc. + Bugfix: Convert ECDSA signature form pkcs11-helper to DER encoded form + Import some sample certificates into Windows store for testing + Add tests for finding certificates in Windows cert store + Refactor SSL_CTX_use_CryptoAPI_certificate() + Add a test for signing with certificates in Windows store + Unit tests: add test for SSL_CTX_use_Cryptoapi_certificate() + Improve error message on short read from socks proxy + Make error in setting metric for IPv6 interface non-fatal + Bug-fix: segfault in dco_get_peer_stats() + Move digest_sign_verify out of test_cryptoapi.c + Unit tests: Test for PKCS#11 using a softhsm2 token + Enable pkcs11 an dtest_pkcs11 in github actions + Make cert_data.h and test_cryptoapi/pkcs11.c MSVC compliant + Format Windows error message in Unicode + Bugfix: dangling pointer passed to pkcs11-helper + Correctly handle Unicode names for exit event + Interactive service: do not force a target desktop for openvpn.exe + Improve signal handling using POSIX sigaction + signal_reset(): combine check and reset operations + Log OpenSSL errors on failure to set certificate + Document that auth-user-pass may be inlined + test_pkcs11.c: set file offset to 0 after ftruncate + proxy.c: Clear sensitive data after use + Protect cached username, password and token on client + Interpret --key and --cert option argument as URI + Add a test for loading certificate and key to ssl context + Add a test for loading certificate and key using file: URI + Initialize before use struct user_pass in ui_reader() + Static-challenge concatenation option + Add test for static-challenge concatenation option + Fix more of 
uninitialized struct user_pass local vars + Do not stop reading from file/uri when OPENSSL_STORE_load() returns error + +Sergey Korolev (1): + dco-linux: fix counter print format + +Shubham Mittal (2): + Add compatibility to build OpenVPN with AWS-LC. + Adding AWS-LC to the OpenVPN CI + +Shuji Furukawa (1): + Improve shuffling algorithm of connection list + +Steffan Karger (2): + Fix IPv6 route add/delete message log level + Improve data channel crypto error messages + +Timo Rothenpieler (1): + Don't clear capability bounding set on capng_change_id + +corubba (2): + Fix IPv6 in port-share journal + Fix port-share journal doc + +orbea (1): + configure: disable engines if OPENSSL_NO_ENGINE is defined + +rein.vanbaaren (1): + Fix MBEDTLS_DEPRECATED_REMOVED build errors + +wellweek (1): + remove repetitive words in documentation and comments + +yatta (1): + fix(ssl): init peer_id when init tls_multi + + diff --git a/Changes.rst b/Changes.rst index e297334..eb3d65b 100644 --- a/Changes.rst +++ b/Changes.rst 
@@ -2,25 +2,58 @@ ========================== New features ------------ -TLS alerts - OpenVPN 2.7 will send out TLS alerts to peers informing them if the TLS - session shuts down or when the TLS implementation informs the peer about - an error in the TLS session (e.g. mismatching TLS versions). This improves - the user experience as the client shows an error instead of running into - a timeout when the server just stops responding completely. +Multi-socket support for servers + OpenVPN servers now can listen on multiple sockets at the same time. + Multiple ``--local`` statements in the configuration can be used to + configure this. This way the same server can e.g. listen for UDP + and TCP connections at the same time, or listen on multiple addresses + and/or ports. -Support for tun/tap via unix domain socket and lwipovpn support - To allow better testing and emulating a full client with a full - network stack OpenVPN now allows a program executed to provide - a tun/tap device instead of opening a device. +Client implementations for DNS options sent by server for Linux/BSD + Linux and BSD versions of OpenVPN now ship with a default ``dns-updown`` + script that implements proper handling of DNS configuration sent + by the server. The scripts should work on systems that use + ``systemd`` or ``resolveconf`` to manage the DNS setup, as well as + raw ``/etc/resolv.conf`` files. However, the exact features supported + will depend on the configuration method. On Linux this should usually + mean that split-DNS configurations are supported out-of-the-box now. - The co-developed lwipovpn program based on lwIP stack allows to - simulate full IP stack and an OpenVPN client using - ``--dev-node unix:/path/to/lwipovpn`` can emulate a full client that - can be pinged, can serve a website and more without requiring any - elevated permission. This can make testing OpenVPN much easier. 
+ Note that this new script will not be used by default if a ``--up`` + script is already in use to reduce problems with + backwards compatibility. - For more details see [lwipovpn on Gihtub](https://github.com/OpenVPN/lwipovpn). + See documentation for ``--dns-updown`` and ``--dns`` for more details. + +New client implementation for DNS options sent by server for Windows + The Windows client now uses NRPT (Name Resolution Policy Table) to + handle DNS configurations. This adds support for split-DNS and DNSSEC + and improves the compatbility with local DNS resolvers. Requires the + interactive service. + +On Windows the ``block-local`` flag is now enforced with WFP filters. + The ``block-local`` flag to ``--redirect-gateway`` and + ``--redirect-private`` is now also enforced via the Windows Firewall, + making sure packets can't be sent to the local network. + This provides stronger protection against TunnelCrack-style attacks. + +Windows network adapters are now generated on demand + This means that on systems that run multiple OpenVPN connections at + the same time the users don't need to manually create enough network + adapters anymore (in addition to the ones created by the installer). + +Windows automatic service now runs as an unpriviledged user + All tasks that need privileges are now delegated to the interactive + service. + +Support for new version of Linux DCO module + OpenVPN DCO module is moving upstream and being merged into the + main Linux kernel. For this process some API changes were required. + OpenVPN 2.7 will only support the new API. The new module is called + ``ovpn``. Out-of-tree builds for older kernels are available. Please + see the release announcements for futher information. + +Support for server mode in win-dco driver + On Windows the win-dco driver can now be used in server setups. Enforcement of AES-GCM usage limit OpenVPN will now enforce the usage limits on AES-GCM with the same 
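Review bot: the entry "Windows automatic service now runs as an unpriviledged user" should state what happens when the interactive service is not installed or not running, since every privileged task now depends on it, and "unpriviledged" is a typo for "unprivileged". The shortlog above carries "win: allow OpenVPN service account to use any command-line options", which is the corresponding relaxation of the interactive service's option filtering for the service account; one sentence about that new trust relationship belongs in this entry so administrators know what the service account may now ask the interactive service to do. The "Support for server mode in win-dco driver" entry should likewise mention the limitation recorded in the shortlog ("dco-win: disable dco in server mode if multiple --local options defined"), because it interacts directly with the new multi-socket feature described at the top of the same hunk. Smaller points in this hunk: "OpenVPN servers now can listen" reads better as "can now listen"; "compatbility" should be "compatibility" and "futher" should be "further"; "resolveconf" should be "resolvconf", the actual name of the tool; and "On Windows the ``block-local`` flag is now enforced with WFP filters." is the only definition-list term that ends with a period.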
@@ -30,11 +63,6 @@ https://datatracker.ietf.org/doc/draft-irtf-cfrg-aead-limits/ -Default ciphers in ``--data-ciphers`` - Ciphers in ``--data-ciphers`` can contain the string DEFAULT that is - replaced by the default ciphers used by OpenVPN, making it easier to - add an allowed cipher without having to spell out the default ciphers. - Epoch data keys and packet format This introduces the epoch data format for AEAD data channel ciphers in TLS mode ciphers. This new data format has a number of 
@@ -49,15 +77,46 @@ - IV constructed with XOR instead of concatenation to not have (parts) of the real IV on the wire +Default ciphers in ``--data-ciphers`` + Ciphers in ``--data-ciphers`` can contain the string DEFAULT that is + replaced by the default ciphers used by OpenVPN, making it easier to + add an allowed cipher without having to spell out the default ciphers. + +TLS alerts + OpenVPN 2.7 will send out TLS alerts to peers informing them if the TLS + session shuts down or when the TLS implementation informs the peer about + an error in the TLS session (e.g. mismatching TLS versions). This improves + the user experience as the client shows an error instead of running into + a timeout when the server just stops responding completely. + +Support for tun/tap via unix domain socket and lwipovpn support + To allow better testing and emulating a full client with a full + network stack OpenVPN now allows a program executed to provide + a tun/tap device instead of opening a device. + + The co-developed lwipovpn program based on lwIP stack allows to + simulate full IP stack. An OpenVPN client using + ``--dev-node unix:/path/to/lwipovpn`` can emulate a full client that + can be pinged, can serve a website and more without requiring any + elevated permission. This can make testing OpenVPN much easier. + + For more details see [lwipovpn on Gihtub](https://github.com/OpenVPN/lwipovpn). + Allow overriding username with ``--override-username`` This is intended to allow using auth-gen-token in scenarios where the clients use certificates and multi-factor authentication. This will also generate a 'push "auth-token-user newusername"' directives in push replies. +``--port-share`` now properly supports IPv6 + Issues with logging of IPv6 addresses were fixed. The feature now allows + IPv6 connections towards the proxy receiver. + +Support for Haiku OS + Deprecated features ------------------- -``secret`` support has been removed by default. 
+``secret`` support has been removed (by default). static key mode (non-TLS) is no longer considered "good and secure enough" for today's requirements. Use TLS mode instead. If deploying a PKI CA is considered "too complicated", using ``--peer-fingerprint`` makes @@ -67,6 +126,14 @@ ``--allow-deprecated-insecure-static-crypto`` but will be removed in OpenVPN 2.8. +Support for wintun Windows driver has been removed. + OpenVPN 2.6 added support for the new dco-win driver, so it supported + three different device drivers: dco-win, wintun, and tap-windows6. + OpenVPN 2.7 now drops the support for wintun driver. By default + all modern configs should be supported by dco-win driver. In all + other cases OpenVPN will fall back automatically to tap-windows6 + driver. + NTLMv1 authentication support for HTTP proxies has been removed. This is considered an insecure method of authentication that uses obsolete crypto algorithms. 
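Review bot: in the moved lwipovpn paragraph, "For more details see [lwipovpn on Gihtub](https://github.com/OpenVPN/lwipovpn)" is Markdown link syntax inside a reStructuredText file and will render literally; use the RST form `` `lwipovpn on GitHub <https://github.com/OpenVPN/lwipovpn>`_ `` and fix "Gihtub" while at it. "Support for Haiku OS" is added as a definition-list term with no body; either give it a sentence (what is supported, e.g. which device driver) or drop it from this section. The reworded first line "``secret`` support has been removed (by default)." reads as though the removal were optional; since the body that follows already explains the ``--allow-deprecated-insecure-static-crypto`` escape hatch, "is disabled by default" would be the accurate wording. In the new wintun entry, "By default all modern configs should be supported by dco-win driver" is a prediction rather than documented behaviour; state the conditions under which OpenVPN falls back to tap-windows6 so users can predict which driver they will get after upgrading.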
@@ -78,28 +145,34 @@ ``persist-key`` option has been enabled by default. All the keys will be kept in memory across restart. -Default for ``--topology`` changed to ``subnet`` for ``--mode server`` - Previous releases always used ``net30`` as default. This only affects - configs with ``--mode server`` or ``--server`` (the latter implies the - former), and ``--dev tun``, and only if IPv4 is enabled. - Note that this changes the semantics of ``--ifconfig``, so if you have - manual settings for that in your config but not set ``--topology`` - your config might fail to parse with the new version. Just adding - ``--topology net30`` to the config should fix the problem. - By default ``--topology`` is pushed from server to client. - -OpenSSL 1.0.2 support +OpenSSL 1.0.2 support has been removed. Support for building with OpenSSL 1.0.2 has been removed. The minimum supported OpenSSL version is now 1.1.0. -Compression on send +Support for mbedTLS older than 2.18.0 has been removed. + We now require all SSL libraries to have support for exporting + keying material. The only previously supported library versions + this affects are older mbedTLS releases. + +Compression on send has been removed. OpenVPN 2.7 will never compress data before sending. Decompression of received data is still supported. ``--allow-compression yes`` is now an alias for ``--allow-compression asym``. + User-visible Changes -------------------- +- Default for ``--topology`` changed to ``subnet`` for ``--mode server``. + Previous releases always used ``net30`` as default. This only affects + configs with ``--mode server`` or ``--server`` (the latter implies the + former), and ``--dev tun``, and only if IPv4 is enabled. + Note that this changes the semantics of ``--ifconfig``, so if you have + manual settings for that in your config but not set ``--topology`` + your config might fail to parse with the new version. Just adding + ``--topology net30`` to the config should fix the problem. 
+ By default ``--topology`` is pushed from server to client. + - ``--x509-username-field`` will no longer automatically convert fieldnames to uppercase. This is deprecated since OpenVPN 2.4, and has now been removed. @@ -108,6 +181,29 @@ And finite field Diffie Hellman is in the proces of being deprecated (see draft-ietf-tls-deprecate-obsolete-kex) +- ``--lport 0`` does not imply ``--bind`` anymore. + +- ``--redirect--gateway`` now works correctly if the VPN remote is not + reachable by the default gateway. + +- ``--show-gateway`` now supports querying the gateway for IPv4 addresses. + +- ``--static-challenge`` option now has a third parameter ``format`` that + can change how password and challenge response should be combined. + +- ``--key`` and ``--cert`` now accept URIs implemented in OpenSSL 3 as well as + optional OpenSSL 3 providers loaded using ``--providers`` option. + +- ``--cryptoapicert`` now supports issuer name as well as Windows CA template + name or OID as selector string. + +- TLS handshake debugging information contains much more details now when + using recent versions of OpenSSL. + +- The ``IV_PLAT_VER`` variable sent by Windows clients now contains the + full Windows build version to make it possible to determine the + Windows 10 or Windows 11 version used. + Overview of changes in 2.6 ========================== diff --git a/tests/unit_tests/openvpn/Makefile.am b/tests/unit_tests/openvpn/Makefile.am index 471389b..fc47287 100644 --- a/tests/unit_tests/openvpn/Makefile.am +++ b/tests/unit_tests/openvpn/Makefile.am @@ -43,7 +43,7 @@ argv_testdriver_CFLAGS = -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat @TEST_CFLAGS@ argv_testdriver_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn -Wl,--wrap=parse_line -argv_testdriver_SOURCES = test_argv.c mock_msg.c mock_msg.h \ +argv_testdriver_SOURCES = test_argv.c mock_msg.c mock_msg.h test_common.h \ mock_get_random.c \ $(top_srcdir)/src/openvpn/platform.c \ $(top_srcdir)/src/openvpn/buffer.c \ 
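Review bot: in the @@ -108 hunk, "``--redirect--gateway``" has a doubled hyphen and should be "``--redirect-gateway``", otherwise the entry will not match the option name readers search for. "``--show-gateway`` now supports querying the gateway for IPv4 addresses" is ambiguous, because ``--show-gateway`` already reported the IPv4 default gateway; if the change is that it can now take a specific IPv4 destination and report the gateway used to reach it, say that explicitly. The new "Support for mbedTLS older than 2.18.0 has been removed." entry sits under "Deprecated features" alongside the OpenSSL 1.0.2 removal, which is consistent, but it should also mention that ``--tls-version-min`` values below what mbed TLS 3 supports now produce a warning (shortlog: "mbedtls: Warn if --tls-version-min is too low"), since that is the user-visible consequence. The context line "in the proces of being deprecated" carries a typo ("process") that could be fixed in the same edit.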
@@ -52,7 +52,7 @@ buffer_testdriver_CFLAGS = -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat @TEST_CFLAGS@ buffer_testdriver_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn -Wl,--wrap=parse_line -buffer_testdriver_SOURCES = test_buffer.c mock_msg.c mock_msg.h \ +buffer_testdriver_SOURCES = test_buffer.c mock_msg.c mock_msg.h test_common.h \ mock_get_random.c \ $(top_srcdir)/src/openvpn/win32-util.c \ $(top_srcdir)/src/openvpn/platform.c @@ -61,7 +61,7 @@ -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ @TEST_CFLAGS@ crypto_testdriver_LDFLAGS = @TEST_LDFLAGS@ -crypto_testdriver_SOURCES = test_crypto.c mock_msg.c mock_msg.h \ +crypto_testdriver_SOURCES = test_crypto.c mock_msg.c mock_msg.h test_common.h \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/crypto.c \ $(top_srcdir)/src/openvpn/crypto_mbedtls.c \ @@ -78,7 +78,7 @@ -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ @TEST_CFLAGS@ ssl_testdriver_LDFLAGS = @TEST_LDFLAGS@ $(OPTIONAL_CRYPTO_LIBS) -ssl_testdriver_SOURCES = test_ssl.c mock_msg.c mock_msg.h \ +ssl_testdriver_SOURCES = test_ssl.c mock_msg.c mock_msg.h test_common.h \ mock_management.c mock_ssl_dependencies.c mock_win32_execve.c \ $(top_srcdir)/src/openvpn/argv.c \ $(top_srcdir)/src/openvpn/base64.c \ @@ -114,7 +114,7 @@ -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ @TEST_CFLAGS@ packet_id_testdriver_LDFLAGS = @TEST_LDFLAGS@ -packet_id_testdriver_SOURCES = test_packet_id.c mock_msg.c mock_msg.h \ +packet_id_testdriver_SOURCES = test_packet_id.c mock_msg.c mock_msg.h test_common.h \ mock_get_random.c \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/otime.c \ 
@@ -128,7 +128,7 @@ -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ @TEST_CFLAGS@ pkt_testdriver_LDFLAGS = @TEST_LDFLAGS@ -pkt_testdriver_SOURCES = test_pkt.c mock_msg.c mock_msg.h mock_win32_execve.c \ +pkt_testdriver_SOURCES = test_pkt.c mock_msg.c mock_msg.h mock_win32_execve.c test_common.h \ $(top_srcdir)/src/openvpn/argv.c \ $(top_srcdir)/src/openvpn/base64.c \ $(top_srcdir)/src/openvpn/buffer.c \ @@ -156,7 +156,7 @@ -Wl,--wrap=buffer_write_file \ -Wl,--wrap=parse_line \ -Wl,--wrap=rand_bytes -tls_crypt_testdriver_SOURCES = test_tls_crypt.c mock_msg.c mock_msg.h \ +tls_crypt_testdriver_SOURCES = test_tls_crypt.c mock_msg.c mock_msg.h test_common.h \ mock_win32_execve.c \ $(top_srcdir)/src/openvpn/argv.c \ $(top_srcdir)/src/openvpn/base64.c \ diff --git a/version.m4 b/version.m4 index 091cc5d..4c3b7c8 100644 --- a/version.m4 +++ b/version.m4 
@@ -3,7 +3,7 @@ define([PRODUCT_TARNAME], [openvpn]) define([PRODUCT_VERSION_MAJOR], [2]) define([PRODUCT_VERSION_MINOR], [7]) -define([PRODUCT_VERSION_PATCH], [_git]) +define([PRODUCT_VERSION_PATCH], [_alpha1]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]]) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1032?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I80a14b77fcc2fabf51af9f2d5ea0c36362cccb91 Gerrit-Change-Number: 1032 Gerrit-PatchSet: 6 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: cron2 <ge...@gr...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-CC: selvanair <sel...@gm...> Gerrit-CC: stipa <lst...@gm...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: cron2 <ge...@gr...> Gerrit-Attention: selvanair <sel...@gm...> Gerrit-Attention: stipa <lst...@gm...> Gerrit-MessageType: newpatchset |
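Review bot: the commit subject "Changes.rst: Collect, fix, and improve entries for 2.7 release" and the patch set 5 stat "1 file changed, 130 insertions(+), 34 deletions(-)" do not cover the tests/unit_tests/openvpn/Makefile.am hunks (adding test_common.h to the argv, buffer, crypto, ssl, packet_id, pkt and tls_crypt driver _SOURCES lists) or the version.m4 change from "_git" to "_alpha1" that appear in this patch set. Both are unrelated to the changelog text; the version bump in particular is a release-tagging step that should be its own commit, and the Makefile.am distribution fix should be split out or at least explained in the commit message. If other test drivers also include test_common.h, they need the same addition so that make dist ships the header consistently.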
| From: flichtenheld (C. Review) <ge...@op...> - 2025-05-28 09:41:03 |
Attention is currently required from: cron2, plaisthos, selvanair, stipa. flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1032?usp=email ) Change subject: Changes.rst: Collect, fix, and improve entries for 2.7 release ...................................................................... Patch Set 5: (2 comments) File Changes.rst: http://gerrit.openvpn.net/c/openvpn/+/1032/comment/286d5aa2_96afacd6 : PS4, Line 189: which is the case for many OpenSSL 3 providers. > Technically it's not really dependent on the SSL library (OpenSSL 3 required) but on providers which can be […] Done http://gerrit.openvpn.net/c/openvpn/+/1032/comment/612f9e6d_647a9899 : PS4, Line 190: > --cryptoapicert now supports issuer name as well as Windows CA template name or OID as selector str […] Done -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1032?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I80a14b77fcc2fabf51af9f2d5ea0c36362cccb91 Gerrit-Change-Number: 1032 Gerrit-PatchSet: 5 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: cron2 <ge...@gr...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-CC: selvanair <sel...@gm...> Gerrit-CC: stipa <lst...@gm...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: cron2 <ge...@gr...> Gerrit-Attention: selvanair <sel...@gm...> Gerrit-Attention: stipa <lst...@gm...> Gerrit-Comment-Date: Wed, 28 May 2025 09:40:54 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No Comment-In-Reply-To: selvanair <sel...@gm...> Gerrit-MessageType: comment |
| From: flichtenheld (C. Review) <ge...@op...> - 2025-05-28 09:40:57 |
Attention is currently required from: cron2, plaisthos, selvanair, stipa. Hello plaisthos, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1032?usp=email to look at the new patch set (#5). Change subject: Changes.rst: Collect, fix, and improve entries for 2.7 release ...................................................................... Changes.rst: Collect, fix, and improve entries for 2.7 release Change-Id: I80a14b77fcc2fabf51af9f2d5ea0c36362cccb91 Signed-off-by: Frank Lichtenheld <fr...@li...> --- M Changes.rst 1 file changed, 130 insertions(+), 34 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/32/1032/5 diff --git a/Changes.rst b/Changes.rst index e297334..eb3d65b 100644 --- a/Changes.rst +++ b/Changes.rst 
@@ -2,25 +2,58 @@ ========================== New features ------------ -TLS alerts - OpenVPN 2.7 will send out TLS alerts to peers informing them if the TLS - session shuts down or when the TLS implementation informs the peer about - an error in the TLS session (e.g. mismatching TLS versions). This improves - the user experience as the client shows an error instead of running into - a timeout when the server just stops responding completely. +Multi-socket support for servers + OpenVPN servers now can listen on multiple sockets at the same time. + Multiple ``--local`` statements in the configuration can be used to + configure this. This way the same server can e.g. listen for UDP + and TCP connections at the same time, or listen on multiple addresses + and/or ports. -Support for tun/tap via unix domain socket and lwipovpn support - To allow better testing and emulating a full client with a full - network stack OpenVPN now allows a program executed to provide - a tun/tap device instead of opening a device. +Client implementations for DNS options sent by server for Linux/BSD + Linux and BSD versions of OpenVPN now ship with a default ``dns-updown`` + script that implements proper handling of DNS configuration sent + by the server. The scripts should work on systems that use + ``systemd`` or ``resolveconf`` to manage the DNS setup, as well as + raw ``/etc/resolv.conf`` files. However, the exact features supported + will depend on the configuration method. On Linux this should usually + mean that split-DNS configurations are supported out-of-the-box now. - The co-developed lwipovpn program based on lwIP stack allows to - simulate full IP stack and an OpenVPN client using - ``--dev-node unix:/path/to/lwipovpn`` can emulate a full client that - can be pinged, can serve a website and more without requiring any - elevated permission. This can make testing OpenVPN much easier. 
+ Note that this new script will not be used by default if a ``--up`` + script is already in use to reduce problems with + backwards compatibility. - For more details see [lwipovpn on Gihtub](https://github.com/OpenVPN/lwipovpn). + See documentation for ``--dns-updown`` and ``--dns`` for more details. + +New client implementation for DNS options sent by server for Windows + The Windows client now uses NRPT (Name Resolution Policy Table) to + handle DNS configurations. This adds support for split-DNS and DNSSEC + and improves the compatbility with local DNS resolvers. Requires the + interactive service. + +On Windows the ``block-local`` flag is now enforced with WFP filters. + The ``block-local`` flag to ``--redirect-gateway`` and + ``--redirect-private`` is now also enforced via the Windows Firewall, + making sure packets can't be sent to the local network. + This provides stronger protection against TunnelCrack-style attacks. + +Windows network adapters are now generated on demand + This means that on systems that run multiple OpenVPN connections at + the same time the users don't need to manually create enough network + adapters anymore (in addition to the ones created by the installer). + +Windows automatic service now runs as an unpriviledged user + All tasks that need privileges are now delegated to the interactive + service. + +Support for new version of Linux DCO module + OpenVPN DCO module is moving upstream and being merged into the + main Linux kernel. For this process some API changes were required. + OpenVPN 2.7 will only support the new API. The new module is called + ``ovpn``. Out-of-tree builds for older kernels are available. Please + see the release announcements for futher information. + +Support for server mode in win-dco driver + On Windows the win-dco driver can now be used in server setups. Enforcement of AES-GCM usage limit OpenVPN will now enforce the usage limits on AES-GCM with the same 
@@ -30,11 +63,6 @@ https://datatracker.ietf.org/doc/draft-irtf-cfrg-aead-limits/ -Default ciphers in ``--data-ciphers`` - Ciphers in ``--data-ciphers`` can contain the string DEFAULT that is - replaced by the default ciphers used by OpenVPN, making it easier to - add an allowed cipher without having to spell out the default ciphers. - Epoch data keys and packet format This introduces the epoch data format for AEAD data channel ciphers in TLS mode ciphers. This new data format has a number of 
@@ -49,15 +77,46 @@ - IV constructed with XOR instead of concatenation to not have (parts) of the real IV on the wire +Default ciphers in ``--data-ciphers`` + Ciphers in ``--data-ciphers`` can contain the string DEFAULT that is + replaced by the default ciphers used by OpenVPN, making it easier to + add an allowed cipher without having to spell out the default ciphers. + +TLS alerts + OpenVPN 2.7 will send out TLS alerts to peers informing them if the TLS + session shuts down or when the TLS implementation informs the peer about + an error in the TLS session (e.g. mismatching TLS versions). This improves + the user experience as the client shows an error instead of running into + a timeout when the server just stops responding completely. + +Support for tun/tap via unix domain socket and lwipovpn support + To allow better testing and emulating a full client with a full + network stack OpenVPN now allows a program executed to provide + a tun/tap device instead of opening a device. + + The co-developed lwipovpn program based on lwIP stack allows to + simulate full IP stack. An OpenVPN client using + ``--dev-node unix:/path/to/lwipovpn`` can emulate a full client that + can be pinged, can serve a website and more without requiring any + elevated permission. This can make testing OpenVPN much easier. + + For more details see [lwipovpn on Gihtub](https://github.com/OpenVPN/lwipovpn). + Allow overriding username with ``--override-username`` This is intended to allow using auth-gen-token in scenarios where the clients use certificates and multi-factor authentication. This will also generate a 'push "auth-token-user newusername"' directives in push replies. +``--port-share`` now properly supports IPv6 + Issues with logging of IPv6 addresses were fixed. The feature now allows + IPv6 connections towards the proxy receiver. + +Support for Haiku OS + Deprecated features ------------------- -``secret`` support has been removed by default. 
+``secret`` support has been removed (by default). static key mode (non-TLS) is no longer considered "good and secure enough" for today's requirements. Use TLS mode instead. If deploying a PKI CA is considered "too complicated", using ``--peer-fingerprint`` makes @@ -67,6 +126,14 @@ ``--allow-deprecated-insecure-static-crypto`` but will be removed in OpenVPN 2.8. +Support for wintun Windows driver has been removed. + OpenVPN 2.6 added support for the new dco-win driver, so it supported + three different device drivers: dco-win, wintun, and tap-windows6. + OpenVPN 2.7 now drops the support for wintun driver. By default + all modern configs should be supported by dco-win driver. In all + other cases OpenVPN will fall back automatically to tap-windows6 + driver. + NTLMv1 authentication support for HTTP proxies has been removed. This is considered an insecure method of authentication that uses obsolete crypto algorithms. 
@@ -78,28 +145,34 @@ ``persist-key`` option has been enabled by default. All the keys will be kept in memory across restart. -Default for ``--topology`` changed to ``subnet`` for ``--mode server`` - Previous releases always used ``net30`` as default. This only affects - configs with ``--mode server`` or ``--server`` (the latter implies the - former), and ``--dev tun``, and only if IPv4 is enabled. - Note that this changes the semantics of ``--ifconfig``, so if you have - manual settings for that in your config but not set ``--topology`` - your config might fail to parse with the new version. Just adding - ``--topology net30`` to the config should fix the problem. - By default ``--topology`` is pushed from server to client. - -OpenSSL 1.0.2 support +OpenSSL 1.0.2 support has been removed. Support for building with OpenSSL 1.0.2 has been removed. The minimum supported OpenSSL version is now 1.1.0. -Compression on send +Support for mbedTLS older than 2.18.0 has been removed. + We now require all SSL libraries to have support for exporting + keying material. The only previously supported library versions + this affects are older mbedTLS releases. + +Compression on send has been removed. OpenVPN 2.7 will never compress data before sending. Decompression of received data is still supported. ``--allow-compression yes`` is now an alias for ``--allow-compression asym``. + User-visible Changes -------------------- +- Default for ``--topology`` changed to ``subnet`` for ``--mode server``. + Previous releases always used ``net30`` as default. This only affects + configs with ``--mode server`` or ``--server`` (the latter implies the + former), and ``--dev tun``, and only if IPv4 is enabled. + Note that this changes the semantics of ``--ifconfig``, so if you have + manual settings for that in your config but not set ``--topology`` + your config might fail to parse with the new version. Just adding + ``--topology net30`` to the config should fix the problem. 
+ By default ``--topology`` is pushed from server to client. + - ``--x509-username-field`` will no longer automatically convert fieldnames to uppercase. This is deprecated since OpenVPN 2.4, and has now been removed. 
@@ -108,6 +181,29 @@ And finite field Diffie Hellman is in the proces of being deprecated (see draft-ietf-tls-deprecate-obsolete-kex) +- ``--lport 0`` does not imply ``--bind`` anymore. + +- ``--redirect--gateway`` now works correctly if the VPN remote is not + reachable by the default gateway. + +- ``--show-gateway`` now supports querying the gateway for IPv4 addresses. + +- ``--static-challenge`` option now has a third parameter ``format`` that + can change how password and challenge response should be combined. + +- ``--key`` and ``--cert`` now accept URIs implemented in OpenSSL 3 as well as + optional OpenSSL 3 providers loaded using ``--providers`` option. + +- ``--cryptoapicert`` now supports issuer name as well as Windows CA template + name or OID as selector string. + +- TLS handshake debugging information contains much more details now when + using recent versions of OpenSSL. + +- The ``IV_PLAT_VER`` variable sent by Windows clients now contains the + full Windows build version to make it possible to determine the + Windows 10 or Windows 11 version used. + Overview of changes in 2.6 ========================== -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1032?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I80a14b77fcc2fabf51af9f2d5ea0c36362cccb91 Gerrit-Change-Number: 1032 Gerrit-PatchSet: 5 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: cron2 <ge...@gr...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-CC: selvanair <sel...@gm...> Gerrit-CC: stipa <lst...@gm...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: cron2 <ge...@gr...> Gerrit-Attention: selvanair <sel...@gm...> Gerrit-Attention: stipa <lst...@gm...> Gerrit-MessageType: newpatchset |
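Review bot: In the first hunk (@@ -78,28 +145,34 @@), the ``--x509-username-field`` entry reads "This is deprecated since OpenVPN 2.4, and has now been removed"; it should be "This has been deprecated since OpenVPN 2.4 and has now been removed". The new mbedTLS entry would also read better in the file's impersonal voice: "OpenVPN now requires the SSL library to support exporting keying material; the only previously supported library versions this affects are older mbedTLS releases" instead of "We now require all SSL libraries to have support for ...".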
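Review bot: In the second hunk (@@ -108,6 +181,29 @@), the new entry ``--redirect--gateway`` has a doubled hyphen inside the option name; it should be ``--redirect-gateway`` now works correctly if the VPN remote is not reachable by the default gateway. While touching this region, the pre-existing context line "in the proces of being deprecated" should become "process", and the ``--static-challenge`` entry should start with "The ``--static-challenge`` option now has a third parameter ``format`` ..." for consistency with the surrounding entries.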
| From: flichtenheld (C. Review) <ge...@op...> - 2025-05-28 09:26:16 |
Attention is currently required from: MaxF, plaisthos.

flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1041?usp=email )

Change subject: Use mbedtls_ssl_export_keying_material()
......................................................................

Patch Set 3: Code-Review+2

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I1204bc2ff85952160a86f0b9d1caae90e5065bc4
Gerrit-Change-Number: 1041
Gerrit-PatchSet: 3
Gerrit-Owner: MaxF <ma...@ma...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Attention: MaxF <ma...@ma...>
Gerrit-Comment-Date: Wed, 28 May 2025 09:26:06 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
| From: flichtenheld (C. Review) <ge...@op...> - 2025-05-28 09:22:30 |
Attention is currently required from: MaxF.

flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1042?usp=email )

Change subject: mbedtls: Allow TLS 1.3 if available
......................................................................

Patch Set 3: Code-Review+2

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: If5e832866b312a2f8a1ce6b4e00d40e3dcf63681
Gerrit-Change-Number: 1042
Gerrit-PatchSet: 3
Gerrit-Owner: MaxF <ma...@ma...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: MaxF <ma...@ma...>
Gerrit-Comment-Date: Wed, 28 May 2025 09:22:20 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
| From: Qingfang D. <dq...@gm...> - 2025-05-28 08:57:28 |
Use bitops.h for replay window to simplify code. Signed-off-by: Qingfang Deng <dq...@gm...> --- drivers/net/ovpn/pktid.c | 11 ++++------- drivers/net/ovpn/pktid.h | 2 +- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/drivers/net/ovpn/pktid.c b/drivers/net/ovpn/pktid.c index 2f29049897e3..f1c243b84463 100644 --- a/drivers/net/ovpn/pktid.c +++ b/drivers/net/ovpn/pktid.c @@ -65,7 +65,7 @@ int ovpn_pktid_recv(struct ovpn_pktid_recv *pr, u32 pkt_id, u32 pkt_time) if (likely(pkt_id == pr->id + 1)) { /* well-formed ID sequence (incremented by 1) */ pr->base = REPLAY_INDEX(pr->base, -1); - pr->history[pr->base / 8] |= (1 << (pr->base % 8)); + __set_bit(pr->base, pr->history); if (pr->extent < REPLAY_WINDOW_SIZE) ++pr->extent; pr->id = pkt_id; @@ -77,14 +77,14 @@ int ovpn_pktid_recv(struct ovpn_pktid_recv *pr, u32 pkt_id, u32 pkt_time) unsigned int i; pr->base = REPLAY_INDEX(pr->base, -delta); - pr->history[pr->base / 8] |= (1 << (pr->base % 8)); + __set_bit(pr->base, pr->history); pr->extent += delta; if (pr->extent > REPLAY_WINDOW_SIZE) pr->extent = REPLAY_WINDOW_SIZE; for (i = 1; i < delta; ++i) { unsigned int newb = REPLAY_INDEX(pr->base, i); - pr->history[newb / 8] &= ~BIT(newb % 8); + __clear_bit(newb, pr->history); } } else { pr->base = 0; @@ -103,14 +103,11 @@ int ovpn_pktid_recv(struct ovpn_pktid_recv *pr, u32 pkt_id, u32 pkt_time) if (pkt_id > pr->id_floor) { const unsigned int ri = REPLAY_INDEX(pr->base, delta); - u8 *p = &pr->history[ri / 8]; - const u8 mask = (1 << (ri % 8)); - if (*p & mask) { + if (__test_and_set_bit(ri, pr->history)) { ret = -EINVAL; goto out; } - *p |= mask; } else { ret = -EINVAL; goto out; diff --git a/drivers/net/ovpn/pktid.h b/drivers/net/ovpn/pktid.h index 0262d026d15e..21845f353bc8 100644 --- a/drivers/net/ovpn/pktid.h +++ b/drivers/net/ovpn/pktid.h 
@@ -34,7 +34,7 @@ struct ovpn_pktid_xmit { */ struct ovpn_pktid_recv { /* "sliding window" bitmask of recent packet IDs received */ - u8 history[REPLAY_WINDOW_BYTES]; + DECLARE_BITMAP(history, REPLAY_WINDOW_SIZE); /* bit position of deque base in history */ unsigned int base; /* extent (in bits) of deque in history */ -- 2.43.0 |
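Review bot: The first pktid.c hunk (@@ -65,7 +65,7 @@) introduces __set_bit() while the diffstat shows no include change in either file; confirm that <linux/bitops.h> (for __set_bit/__clear_bit/__test_and_set_bit) and <linux/bitmap.h> (for DECLARE_BITMAP) already reach pktid.c and pktid.h, or add them explicitly rather than relying on transitive includes. The non-atomic __ variants match the plain `|=` read-modify-write they replace, which is only correct if the caller serialises access to pr->history; the commit message should state what protects the replay window so the choice of non-atomic bitops is clearly deliberate.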
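Review bot: In the second pktid.c hunk (@@ -77,14 +77,14 @@), the loop `for (i = 1; i < delta; ++i) { newb = REPLAY_INDEX(pr->base, i); __clear_bit(newb, pr->history); }` still clears one bit per iteration; if REPLAY_INDEX() is a plain modulo into the window, the cleared positions form a contiguous range that wraps at most once, so one or two bitmap_clear() calls would express the same thing without the loop. Optional, but it is the kind of simplification the commit message promises.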
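Review bot: With history now declared as DECLARE_BITMAP(history, REPLAY_WINDOW_SIZE) in the pktid.h hunk (@@ -34,7 +34,7 @@), REPLAY_WINDOW_BYTES appears to have lost its only user in this file; drop its definition in the same patch if nothing else references it. DECLARE_BITMAP also rounds the array up to whole unsigned longs, so the struct size and layout change: any code that zeroes or copies history by a byte count (for example a memset sized with REPLAY_WINDOW_BYTES) must move to bitmap_zero() or sizeof(pr->history). The initialisation path is not in this diff, so it is worth checking explicitly.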
| From: flichtenheld (C. Review) <ge...@op...> - 2025-05-28 08:52:19 |
Attention is currently required from: cron2, plaisthos, selvanair, stipa.

flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1032?usp=email )

Change subject: Changes.rst: Collect, fix, and improve entries for 2.7 release
......................................................................

Patch Set 4:

(1 comment)

File Changes.rst:

http://gerrit.openvpn.net/c/openvpn/+/1032/comment/667a62fd_cac5bd3a :
PS4, Line 187:
> New option --providers to load optional OpenSSL3 providers

That one was backported to 2.6 as part of the OpenSSL 3 support, so it is not actually new in 2.7.

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I80a14b77fcc2fabf51af9f2d5ea0c36362cccb91
Gerrit-Change-Number: 1032
Gerrit-PatchSet: 4
Gerrit-Owner: flichtenheld <fr...@li...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-CC: cron2 <ge...@gr...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-CC: selvanair <sel...@gm...>
Gerrit-CC: stipa <lst...@gm...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Attention: cron2 <ge...@gr...>
Gerrit-Attention: selvanair <sel...@gm...>
Gerrit-Attention: stipa <lst...@gm...>
Gerrit-Comment-Date: Wed, 28 May 2025 08:52:05 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: selvanair <sel...@gm...>
Gerrit-MessageType: comment
| From: selvanair (C. Review) <ge...@op...> - 2025-05-28 01:02:17 |
Attention is currently required from: cron2, flichtenheld, plaisthos, stipa.

selvanair has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1032?usp=email )

Change subject: Changes.rst: Collect, fix, and improve entries for 2.7 release
......................................................................

Patch Set 4:

(3 comments)

File Changes.rst:

http://gerrit.openvpn.net/c/openvpn/+/1032/comment/4b70288b_e5365aa6 :
PS4, Line 187: New option --providers to load optional OpenSSL3 providers

http://gerrit.openvpn.net/c/openvpn/+/1032/comment/7f3955a7_08db94c6 :
PS4, Line 189: which is the case for many OpenSSL 3 providers.
Technically it's not really dependent on the SSL library (OpenSSL 3 required) but on providers which can be loaded by the user. A more correct wording would be "``--key`` and ``--cert`` now accept URIs implemented in OpenSSL 3 as well as optional OpenSSL 3 providers loaded using --providers option."

http://gerrit.openvpn.net/c/openvpn/+/1032/comment/65bba08f_975e28d1 :
PS4, Line 190: --cryptoapicert now supports issuer name as well as Windows CA template name or OID as selector string.

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I80a14b77fcc2fabf51af9f2d5ea0c36362cccb91
Gerrit-Change-Number: 1032
Gerrit-PatchSet: 4
Gerrit-Owner: flichtenheld <fr...@li...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-CC: cron2 <ge...@gr...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-CC: selvanair <sel...@gm...>
Gerrit-CC: stipa <lst...@gm...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Attention: cron2 <ge...@gr...>
Gerrit-Attention: flichtenheld <fr...@li...>
Gerrit-Attention: stipa <lst...@gm...>
Gerrit-Comment-Date: Wed, 28 May 2025 01:02:06 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Gerrit-MessageType: comment