Tags

Tags give the ability to mark specific points in history as being important
  • v2.3.0
    d6900471 · Preparing for v2.3.0
    OpenVPN v2.3.0
    
    2013.01.07 -- Version 2.3.0
    Gert Doering (2):
          Fix parameter type for IP_TOS setsockopt on non-Linux systems.
          Fix client crash on double PUSH_REPLY.
    
  • v2.3_rc2
    a2f40aac · Preparing for v2.3_rc2
    2012.12.17 -- Version 2.3_rc2
    Adriaan de Jong (1):
          Fix --show-pkcs11-ids (Bug #239)
    
    Arne Schwabe (4):
          Error message if max-routes used incorrectly
          Properly require --key even if defined(MANAGMENT_EXTERNAL_KEY)
          Remove dnsflags_to_socktype, it is not used anywhere
          Fix the proto is used inconsistently warning
    
    David Sommerseth (3):
          Fix double-free issue in pf_destroy_context()
          The get_default_gateway() function uses warn() instead of msg()
          Avoid recursion in virtual_output_callback_func()
    
    Gert Doering (2):
          Implement --mssfix handling for IPv6 packets.
          Fix option inconsistency warnings about "proto" and "tun-ipv6"
    
    Joachim Schipper (2):
          doc/management-notes.txt: fix typo
          Fix typo in ./configure message
    
  • v2.3_rc1
    78a6afee · Preparing for v2.3_rc1
    2012.10.31 -- Version 2.3_rc1
    Adriaan de Jong (1):
          Fixed a bug where PolarSSL gave an error when using an inline file tag.
    
    Arne Schwabe (2):
          Document man agent-external-key
          Options parsing demands unnecessary configuration if PKCS11 is used
    
    David Sommerseth (2):
          Make git ignore some more files
          Remove the support for using system() when executing external programs or scripts
    
    Heiko Hund (2):
          Fix display of plugin hook types
          Support UTF-8 --client-config-dir
    
    Kenneth Rose (1):
          Fix v3 plugins to support returning values back to OpenVPN.
    
  • v2.3_beta1
    6abd293e · Preparing for v2.3_beta1
    v2.3_beta1
    
    Arne Schwabe (7):
          Fixes error: --key fails with EXTERNAL_PRIVATE_KEY: No such file or directory if --management-external-key is used
          Merge almost identical create_socket_tcp and create_socket_tcp6
          Document the inlining of files in openvpn and document key-direction
          Merge getaddr_multi and getaddr6 into one function
          Document --management-client and --management-signal a bit better
          Document that keep alive will double the second value in server mode and give a short explanation why the value is chosen.
          Add checks for external-key-managements
    
    David Sommerseth (1):
          Fix reconnect issues when --push and UDP is used on the server
    
    Gert Doering (4):
          Reduce --version string detail about IPv6 to just "[IPv6]".
          Put actual OpenVPN command line on top of corresponding log file.
          Keep pre-existing tun/tap devices around on *BSD
          make "ipv6 ifconfig" on linux compatible with busybox ifconfig
    
    Heiko Hund (6):
          fix regression with --http-proxy[-*] options
          add x_msg_va() log function
          add API for plug-ins to write to openvpn log
          remove stale _openssl_get_subject() prototype
          remove unused flag SSLF_NO_NAME_REMAPPING
          Add --compat-names option
    
  • v2.3_alpha3
    2012.07.20 -- Version 2.3_alpha3
    Arne Schwabe (1):
          Fix compiling with --disable-management
    
    Gert Doering (1):
          Repair "tap server" mode brokenness caused by <stdbool.h> fallout
    
    Heiko Hund (4):
          make non-blocking connect work on Windows
          don't treat socket related errors special anymore
          remove unused show_connection_list debug function
          add option --management-query-proxy
    
  • v2.3_alpha2
    2012.06.29 -- Version 2.3_alpha2
    Adriaan de Jong (11):
          Fixed off-by-one in serial length calculation
          Migrated x509_get_subject to use of the garbage collector
          Migrated x509_get_serial to use the garbage collector
          Migrated x509_get_sha1_hash to use the garbage collector
          Ensure sys/un.h autoconf detection includes sys/socket.h
          Added support for new PolarSSL 1.1 RNG
          Added a configuration option to enable prediction resistance in the PolarSSL random number generator.
          Use POLARSSL_CFLAGS instead of POLARSSL_CRYPTO_CFLAGS in configure.ac
          Removed support for PolarSSL < 1.1
          Updated README.polarssl with build system changes.
          Removed stray "Fox-IT hardening" string.
    
    Alon Bar-Lev (94):
          build: version should not contain '-'
          package: rpm: strip should be handled by package management
          cleanup: options.c: remove redundant include
          cleanup: remove C++ warnings
          cleanup: win32.c: wrong printf format
          cleanup: remove redundant ';'
          cleanup: crypto_openssl.c: remove support for pre-openssl-0.9.6
          cleanup: tun.c: fix incorrect option in message (ip-win32)
          cleanup: memcmp.c: remove unused source
          fixup: init.c: add missing conditional for ENABLE_CLIENT_CR
          build: correct place to alter WINVER is at build system
          Update .gitignore
          build: handle printf style format in mingw
          build: rename plugin directory to plugins
          build: plugins: properly use CC, CFLAGS and LDFLAGS
          build: we need the sample.ovpn in future
          Remove install-win32
          Remove easy-rsa
          Remove tap-win32
          cleanup: rename tap-windows function from win32 to win
          build: remove windows specific build system
          build: split acinclude.m4 into m4/*
          build: m4/ax_varargs.m4: cleanup
          build: m4/ax_emptyarray.m4: cleanup
          build: m4/ax_socklen_t.m4: cleanup
          build: autotools: first pass of trivial autotools changes
          build: autoconf: remove OPENVPN_ADD_LIBS useless macro
          build: remove awk and non-standard autoconf output processing
          build: standard directory layout
          build: add libtool + windows resources for executables
          build: autoconf: commands as environment
          build: libdl usage
          build: properly detect and use socket libs
          build: autoconf: minor cleanups
          build: proper selinux detection and usage
          build: distribute pkg.m4
          build: proper pkcs11-helper detection and usage
          build: properly process lzo-stub
          build: proper lzo detection and usage
          build: proper crypto detection and usage
          build: autoconf: update defaults for options
          build: win-msvc: msbuild format
          build: move out config.h include from syshead
          build: split out compat
          build: move gettimeofday() emulation to compat
          build: move daemon() emulation into compat
          build: move inet_ntop(), inet_pton() emulation into compat
          cleanup: move console related function into its own module
          build: move wrappers into platform module
          build: windows: install version.sh to allow installer read version
          build: distribute samples in windows
          build: use tap-windows.h as external dependency
          build: ax_varargs.m4: fixups
          build: autoconf: misc sockets fixups
          build: enable lzo by default
          build: windows: set vendor to openvpn project + cleanups
          build: assume dlfcn is available on all supported platforms
          build: openbsd: detect netinet/ip.h correctly
          build: tap: search for tap header
          build: msvc: upgrade to Visual Studio 2010 + fixups
          Enable pedantic in windows compilation
          cleanup: flags should not be bool
          cleanup: avoid using ~0 - generic
          cleanup: avoid using ~0 - ipv6
          cleanup: avoid using ~0 - netmask
          cleanup: avoid using ~0 - windows
          cleanup: gc usage
          build: fix some statement left from conversion
          build: properly detect netinet/ip.h structs
          build: properly detect TUNSETPERSIST
          cleanup: plugin: support C++ plugin
          cleanup: remove C++ comments
          cleanup: add .gitattributes to control eol style explicitly
          crash: packet_id_debug_print: sl may be null
          build: use stdbool.h if available
          build: fix typo in --enable-save-password
          build: windows: convert resources to UTF-8
          build: check minimum polarssl version
          cleanup: update .gitignore
          cleanup: spec: make space/tab consistent
          build: spec: we support openssl >= 0.9.7
          build: install README* document using build system
          build: detect sys/wait.h required for *bsd
          build: add git revision to --version output if build from git repository
          build: cleanup: yet another forgotten brackets
          build: update INSTALL to recent changes
          build: support platforms that does not need explicit tun headers
          build: do not support <polarssl-1.1.0
          build: add --with-special-build to provide special build string
          cleanup: pkcs11.c: resolve warnings
          build: integrate plugins build into core build
          build: plugins: set defaults based on platform
          cleanup: windows: convert argv (UCS-2 to UTF-8) at earliest
          build: msvc: chdir with change drive to script location
    
    Arne Schwabe (7):
          Add the query to the error message.
          Explain that route-nopull also causes the client to ignore dhcp options.
          Add the name of the context where option is not allowed to the error message.
          Only use tmpdir if tmp_dir is really used.
          Completely remove ancient IANA port warning.
          Remove ENABLE_INLINE_FILES conditionals
          Remove ENABLE_CONNECTIONS ifdefs
    
    David Sommerseth (5):
          Clean-up: Presume that Linux is always IPv6 capable at build time
          Simplify check_cmd_access() function
          Change version to indicate the master branch is not a version
          Some filesystems don't like ':', which is a path 'make dist' would use
          Remove two unused functions
    
    Frank de Brabander (1):
          Fix reported compile issues on OSX 10.6.8
    
    Gert Doering (10):
          repair t_client.sh test after build system revolution
          t_client.sh iproute2 script fixes
          t_client.sh - fix for iproute2, print summary line
          Implement search for "first free" tun/tap device on Solaris
          cleanup and redefine metric handling for IPv6 routes
          remove "*option" element in "struct route_ipv6"
          Remove warning about explicit support for IPv6 support not provided MacOS X
          Add missing pieces to IPv6 route gateway handling.
          Update TODO.IPv6 list
          Remove #include "config.h" from ssl_polarssl.h
    
    Heiko Hund (3):
          remove wrapper code for Windows CryptoAPI function
          fix warnings in event.c when building for win32-64
          remove the --auto-proxy option from openvpn
    
    Igor Novgorodov (1):
          Remove calls to OpenSSL when building with --disable-ssl
    
    Jonathan K. Bullard (2):
          Fix file access checks on commands
          Clarified the docs and help screen about what a 'cmd' is
    
    Samuli Seppänen (1):
          Added notes about upgrading from 2.3-alpha1 and earlier to INSTALL-win32.txt
    
  • v2.3-alpha1
    2012.02.21 -- Version 2.3-alpha1
    Adriaan de Jong (127):
          Added Doxygen doxyfile
          Changed configure to accept --with-ssl-type=openssl
          Refactored to rand_bytes for OpenSSL-independency
          Refactored OpenSSL-specific constants
          Refactored maximum cipher and hmac length constants
          Refactored show_available_* functions
          Refactored SSL_clear_error()
          Refactored crypto initialisation functions
          Refactored DES key manipulation functions
          Refactored NTLM DES key generation
          Refactored message digest type functions
          Refactored message digest functions
          Refactored HMAC functions
          Refactored cipher key types
          Refactored cipher functions
          Added PRNG doxygen
          Refactored: Moved crypto.h inline functions to end of file
          Removed stale OpenSSL defines from crypto.h
          Added a check for Openssl or PolarSSL defines
          Refactored: Added stubs for new files
          Refactored SSL initialisation functions
          Refactored TLS_PRF to new hmac and md primitives
          Refactored tls_show_available_ciphers
          Refactored get_highest_preference_tls_cipher
          Refactored root SSL context initialisation
          Refactored new external key code
          Refactored DH parameter loading
          Refactored root TLS option settings
          Refactored PKCS#12 key loading
          Refactored PKCS#11 loading
          Refactored windows cert loading
          Refactored load certificate functions
          Refactored private key loading code
          Refactored external key loading from management
          Refactored CA and extra certs code
          Refactored cipher restriction code
          Refactored tls_options, key_state, and key_source data structures
          Refactored initialisation of key_states
          Refactored key_state free code
          Refactored print_details
          Refactored key_state read code (including bio_read())
          Refactored key_state write functions
          Refactored: Moved BIO debug functions to OpenSSL backend
          Refactored: removed ks and ks_lame macro for clarity
          Refactored: moved write_empty_string function back
          Refactored Doxygen for tls_multi functions
          Migrated data structures needed by verification functions to ssl_common.h
          Refactored client_config_dir_exclusive function
          Refactored certificate hash lock checks
          Refactored common name locking functions
          Refactored username and password authentication code
          Add some extra comments
          Refactored: split verify_callback into two parts
          Added function to extract and verify the subject from a certificate
          Added function to verify and extract the username
          Refactored: removed global x509_username_field
          Refactored: separated environment setup during verification
          Refactored: Netscape certificate type verification
          Refactored key usage verification code
          Refactored EKU verification
          Refactored tls-remote checking
          Refactored tls-verify-plugin code
          Refactored tls-verify script code
          Refactored CRL checks
          Minor cleanup in verify_cert:
          Refactored: Moved verify_cert to ssl_verify
          Cleaned up ssl.h
          Refactored: made M_SSL dependent on USE_OPENSSL
          Refactored: renamed X509 functions from verify_*
          Separated OpenSSL-specific parts of the PKCS#11 driver
          Modified base64 code in preparation for PolarSSL merge
          Final cleanup before PolarSSL addition:
          Refactored X509 track feature to be contained within the openssl backend
          Added PolarSSL support:
          Fixed a missing include in ssl_backend.h
          Fixed a bug in the hash generation in ssl_verify_openssl.c
          Added SHA_DIGEST_SIZE definition
          Changed PolarSSL crypto backend to support v0.99-pre5
          Updated ssl_polarssl.c to work with 0.99-pre5
          Fixed a compilation warning for size_t key sizes
          Added a warning that the PolarSSL library does not support pkcs12 files.
          Added warning that --capath is not available with PolarSSL
          Disable CryptoAPI when not using OpenSSL, and document that fact.
          Removed support for management external keys in PolarSSL
          Removed stray X509_free from ssl.c
          Refactored (and disabled for PolarSSL) support for writing external cert files in scripts
          Added an extra define to allow building without PKCS#11
          Added SSL library to title string
          Disabled X.509 track and username selection for PolarSSL
          Hardening: periodically reset the PRNG's nonce value
          Fixes for the plugin system:
          Further improvements to plugin support:
          Fixed an unintentional change in the options calculated key size.
          Moved print messages back to generic crypto.c from cipher backends
          Moved HMAC prints back to main crypto module
          Added back checks for ks->authenticated in verify_user_pass
          Moved gc_new and gc_free to begin end of function
          Fixed a bug in the return value of ssl_verify when pre_verify failed
          Unified verification function return values:
          Removed a stray Fox-IT tag
          Fixed a typo: print the subject instead of the serial for verification errors
          Made SSL_CIPHER const in print_details, to fix warning
          Moved to PolarSSL 1.0.0:
          Added missing #ifdef to allow --disable-managent to work again
          Fixed disabling crypto and SSL
          Got rid of a few magic numbers in ntlm.c
          Removed obsolete des_cblock and des_keyschedule
          Further removal of des_old.h based calls
          Fixed missing comma in plugin.h
          Moved prng_uninit out of crypto_uninit_lib
          Moved CryptoAPI header include to the ssl_openssl.c
          Reordered functions to ensure warning-free Windows build
          Added options to switch between OpenSSL and PolarSSL and PKCS11...
          Moved from strsep to strtok, for Windows compatibility
          Minor cleanup to enable warning-free Windows build:
          Fixed a typo when initialising cryptoapi certs
          Minor code cleanup: cleaned up error handling in verify_cert.
          Moved out of memory prototype to error.h, as the definition is in error.c
          Removed support for calling gc_malloc with a NULL gc_arena struct
    
          (The following patches from Adriaan were mistakenly merged with
           the wrong commit author in the git tree)
          Doxygen: Added data channel crypto docs
          Added control channel crypto docs
          Added compression docs
          Added reliability layer documentation
          Added memory management documentation
          Added data channel fragmentation docs
          Added main/control docs
          Moved doxygen-specific files to a separate directory
    
    Byron Ellacott (1):
          autoconf fixes for building on OSX
    
    David Sommerseth (50):
          Provide 'dev_type' environment variable to plug-ins and script hooks
          Define the new openvpn_plugin_{open,func}_v3() API
          Implement the core v3 plug-in function calls.
          Extend the v3 plug-in API to send over X509 certificates
          Added a simple plug-in demonstrating the v3 plug-in API.
          Separate the general plug-in version constant and v3 plug-in structs version
          Use a version-less version identifier on the master branch
          Fix the --client-cert-not-required feature
          Change the default --tmp-dir path to a more suitable path
          Improve the mysprintf() issue in openvpnserv.c
          Add a simple comment regarding openvpn_snprintf() is duplicated
          Merge branch 'feat_ipv6_transport'
          Merge branch 'feat_ipv6_payload'
          Merge branch 'svn-branch-2.1' into merge
          Solved hidden merge conflicts between master and svn-branch-2.1
          Fix const declarations in plug-in v3 structs
          Merge remote-tracking branch 'cron2/feat_ipv6_payload_2.3'
          Don't define ENABLE_PUSH_PEER_INFO if SSL is not available
          Fix compiling issues with pkcs11 when --disable-management is configured
          Remove support for Linux 2.2 configuration fallback
          Revert "Add new openssl.cnf to easy-rsa/Windows"
          Merge remote branch SVN 2.1 into the git tree
          Merge branch 'svn-merger'
          Fix Microsoft Visual Studio incompatibility in plugin.c
          Fixed compile issues on FreeBSD and Solaris
          Fix PolarSSL and --pkcs12 option issues
          Fix FreeBSD/OpenBSD/NetBSD compiler warnings in get_default_gateway()
          Make '--win-sys env' default
          Do some file/directory tests before really starting openvpn
          Fix bug after removing Linux 2.2 support
          Don't look for 'stdin' file when using --auth-user-pass
          Fix compiling with --disable-crypto and/or --disable-ssl
          Fix a couple of issues in openvpn_execve()
          Move away from openvpn_basename() over to platform provided basename()
          Enable access() when building in Visual Studio
          New Windows build fixes
          Fix compilation errors on Linux platforms without SO_MARK
          autotools ./configure don't like compat.h
          Fix pool logging when IPv6 is not enabled
          Don't check for file presence on inline files
          Add --route-pre-down/OPENVPN_PLUGIN_ROUTE_PREDOWN script/plug-in hook
          Enhance the error handling in _openssl_get_subject()
          Fix assert() situations where gc_malloc() is called without a gc_arena object
          Fix compile issues when plug-ins are disabled.
          Remove --show-gateway if debug info is not enabled (--disable-debug)
          Fix compile issues with status.c
          Connection entry {tun,link}_mtu_defined not set correctly
          Makefile.am referenced a now non-existing config-win32.h
          Makefile.am was missing ssl_common.h
          Revamp check_file_access() checks in stdin scenarios
    
    Davide Guerri (1):
          New feature: Add --stale-routes-check
    
    Frank de Brabander (1):
          Fixed wrong return type of cipher_kt_mode
    
    Frederic Crozat (1):
          Add support to forward console query to systemd
    
    Gert Doering (45):
          Add more detailed explanation regarding the function of "--rdns-internal"
          Enable IPv6 Payload in OpenVPN p2mp tun server mode.  20100104-1 release.
          remove NOTES file from commit - private scribbling
          NetBSD fixes - on 4.0 and up, use multi-af mode.
          new feature: "ifconfig-ipv6-push" (from ccd/ config)
          add some TODOs to TODO.IPv6
          undo accidental duplication of existing "--iroute" line in the help text
          basic documentation of IPv6 related options and their syntax
          Enable IPv6 Payload in OpenVPN p2mp tun server mode.
          remove NOTES file from commit - private scribbling
          env_block(): if PATH is not set, add standard PATH setting to env
          add IPv6 route add / route delete code for windows (using "netsh")
          - Win32 IPv6 ifconfig support, using "netsh" calls
          drop "book ipv6" from open_tun() and tuncfg() prototypes
          document recent changes and open TODOs, adapt --version info, tag release
          Win32: set next-hop for IPv6 routes according to TUN/TAP mode
          when deleting a route on win32, also add gateway address
          WIN32: if IPv6 requested in TUN mode, check if TUN/TAP driver < 9.7
          revert unconditionally-enabling of setenv_es() logging
          implement IPv6 ifconfig + route setup/deletion on OpenBSD
          full "VPN client connect" test framework for OpenVPN t_client.rc-sample
          renamed t_client.sh to t_client.sh.in
          2.2-beta3 has a signed TAP driver with the IPv6 code - test for 9.8
          correct URL for "more information about IPv6 patch is *here*"
          bugfix for linux/iproute2: IPv6 ifconfig code block was not called for "dev tun"+"topology subnet"
          bump IPv6 version number (openvpn --version) to 20100922-1
          Implement "ipv6 ifconfig" for TAP interfaces on Solaris interfaces
          rebased to 2.2RC2 (beta 2.2 branch)
          Windows IPv6 cleanup - properly remove IPv6 routes and interface config
          For all accesses to "struct route_list * rl", check first that rl is non-NULL
          Replace 32-bit-based add_in6_addr() implementation by an 8-bit based one
          Platform cleanup for NetBSD
          Move block for "stale-routes-check" config inside #ifdef P2MP_SERVER block
          add missing break between "case IPv4" and "case IPv6"
          bump tap driver version from 9.8 to 9.9
          log error message and exit for "win32, tun mode, tap driver version 9.8"
          work around inet_ntop/inet_pton problems for MSVC builds on WinXP
          Fix build-up of duplicate IPv6 routes on reconnect.
          Fix list-overrun checks in copy_route_[ipv6_]option_list()
          add "print test titles" and "use sudo" functionality to t_client.rc
          Platform cleanup for FreeBSD
          Implement IPv6 interface config with non-/64 prefix lengths.
          Fix RUN_SUDO functionality for t_client.sh
          Document IPv6-related environment variables.
          Platform cleanup for OpenBSD
    
    Gisle Vanem (1):
          Avoid re-defining uint32_t when using mingw compiler
    
    Gustavo Zacarias (1):
          Fix compile issues when using --enable-small and --disable-ssl/--disable-crypto
    
    Heiko Hund (16):
          add .gitignore to official repository
          remove function is_proto_tcp()
          remove legacy code to query IE proxy information
          lowercase include header name in syshead.h
          define IN6_ARE_ADDR_EQUAL macro for WIN32
          add --mark option to set SO_MARK sockopt
          Windows UTF-8 input/output
          UTF-8 X.509 distinguished names
          set Windows environment variables as UCS-2
          handle Windows unicode paths
          replace check for TARGET_WIN32 with WIN32
          do not use mode_t on Windows
          use the underscore version of stat on Windows
          make MSVC link against shell32 as well
          move variable declaration to top of function
          define access mode flag X_OK as 0 on Windows
    
    Igor Novgorodov (1):
          The code blocks enabled by ENABLE_CLIENT_CR depends on management
    
    James Yonan (57):
          Added "management-external-key" option.
          Minor addition of logging info before and after execution of Windows net commands.
          Misc fixes to r6708.
          Added --x509-track option.
          * added --management-up-down option to allow management interface to be notified of tunnel up/down events.
          Fixed minor compile issue triggered on builds where MANAGEMENT_DEF_AUTH is not enabled.
          Implemented get_default_gateway_mac_addr for Mac OS X
          Fixes to r6925.
          Properly handle certificate serial numbers > 32 bits.
          Added "client-nat" option for stateless, one-to-one NAT on the client side.
          Renamed branch to reflect that it is no longer beta.
          env_filter_match now includes the serial number of all certs
          Fixed issue where a client might receive multiple push replies from a server
          Fixed bug introduced in r7031 that might cause this error message:
          Extended "client-kill" management interface command (server-side)
          Client will now try to reconnect if no push reply received within handshake-window seconds.
          Version 2.1.3n
          Fixed compiling issues when using --disable-crypto
          Added "management-external-key" option.
          Misc fixes to r6708.
          win/sign.py now accepts an optional tap-dir argument.
          Added "auth-token" client directive
          Added ./configure --enable-osxipconfig option for Mac OS X
          Added more packet ID debug info at debug level 3 for debugging false positive packet replays.
          Fixed bug that incorrectly placed stricter TCP packet replay rules on UDP sessions
          Fixed bug in port-share that could cause port share process to crash
          For Mac OSX, when DARWIN_USE_IPCONFIG is defined, retry ipconfig command on failure
          Version 2.1.3t
          Revert r7092 and r7151, i.e. remove --enable-osxipconfig configure option.
          Added 'dir' flag to "crl-verify" (see man page for info).
          Added new "extra-certs" and "verify-hash" options
          Fixed compile issues on Windows.
          Added --enable-lzo-stub configure option to build an OpenVPN client without LZO
          Added optional journal directory argument to "port-share" directive
          Reduce log verbosity at level 3, with a focus on removing excessive log verbosity generated by port-share activity.
          env_filter_match now includes the serial number of all certs in chain
          Added support for static challenge/response protocol.
          r7316 fixes.
          Added redirect-gateway block-local flag, with support for Linux, Mac OS X
          Extended x509-track to allow SHA1 certificate hash to be extracted
          Added "management-query-remote" directive (client) to allow the management interface to override the "remote" directive.
          Version 2.1.5.
          Fixed MSVC compile error related to r7408.
          Redact "echo" directive strings from log, since these strings (going forward) could conceivably contain security-sensitive data.
          Modified sanitize_control_message to remove redacted data from control string rather than blotting it out with "_" chars.
          Changed CC_PRINT character class to allow UTF-8 chars.
          Increased the --verb threshold for "PID_ERR replay" messages to 4 from 3.
          Fixed issue where redirect-gateway block-local code was not correctly calculating...
          CC_PRINT character class now allows any 8-bit character value >= 32.
          "status" management interface command (version >= 2) will now include the username for each connected user.
          Minor fix to CC_PRINT char class
          Fixed management interface bug where >FATAL notifications were not being output properly
          Raised D_PID_DEBUG_LOW from level 3 to 4 to reduce replay error verbosity at level 3.
          Added "memstats" option to maintain real-time operating stats in a memory-mapped file.
          Fixed client issues with DHCP Router option extraction/deletion when using layer 2 with DHCP proxy:
          Allow "tap-win32 dynamic <offset>" to be used in topology subnet mode.
          Added support for "on-link" routes on Linux client
    
    Jan Just Keijser (1):
          Made some options connection-entry specific
    
    Joe Patterson (1):
          common_name passing in auth_pam plugin
    
    JuanJo Ciarlante (40):
          * rebased openvpn-2.1_rc1b.jjo.20061206.d.patch
          * created getaddr6(), use it from resolve_remote()
          * migrated all getaddrinfo() to getaddr6
          * socket.c: use USE_PF_INET6 in switch constructs to actually toss them out,
          * support --disable-ipv6 build properly:
          * important fix for tcp6 reconnection was incorrectly creating a PF_INET socket
          * added README.ipv6.txt
          * fixed win32 non-ipv6 build
          * ipv6 on win32 "milestone": 1st snapshot that passes all unittests
          * document ipv6 milestone status
          * doc update w/unittests results
          * make possible to x-compile openvpn/win32 in Linux
          * correctly setup hints.ai_socktype for getaddrinfo(), although sorta hacky, see TODO.ipv6.
          * renamed README.ipv6{.txt,}
          * updated {README,TODO}.ipv6 from feedback at openvpn-devel mlist
          * init.c: document the ENABLE_MANAGEMENT place to work on
          * init.c: small in-doc tweaks
          * fix multi-tcp crash (corrected assertion)
          * TODO.ipv6 update
          * socket.c: better buf logic in print_sockaddr_ex
          * fixed segfault for undef address family in print_sockaddr_ex (thanks Marcel!)
          * doc updates
          * openbsd: no IFF_MULTICAST, #ifdef around it
          * no new functionality, just small cleanups
          * (prototype) fix for supporting "redirect-gateway" for tunneled ipv4 over ipv6 endpoints
          * polished redirect-gateway (ipv4 on ipv6 endpoints) support
          * updated doc
          * fix --disable-ipv6 build
          * doc updates
          * rebased to v2.1.1 release
          * undo mroute.c changes related to ipv6 payload
          * fix --multihome for ipv4
          * fix --multihome for ipv6
          * ipv6-0.4.14: fix xinetd usage
          * ipv6-0.4.15: add --multihome support to xBSD
          * ipv6-0.4.15b: rebase over openvpn-testing-master
          * ipv6-0.4.16: fix mingw32 build
          * make ipv6_payload compile under windowze
          USE_PF_INET6 by default for v2.3
          fix ipv6 compilation under macosx >= 1070 - v3
    
    Markus Koetter (1):
          Add extv3 X509 field support to --x509-username-field
    
    Matthew L. Creech (1):
          Fix 2.2.0 build failure when management interface disabled
    
    Matthias Andree (1):
          Skip rather than fail test in addressless FreeBSD jails.
    
    Robert Fischer (8):
          Update man page with info about --capath
          Update man page with info about --connect-timeout
          Added info about --show-proxy-settings
          Documented --x509-username-field option
          Documented --errors-to-stderr option
          Documented --push-peer-info option
          Update man page with info about --remote-random-hostname
          Added man page entry for --management-client
    
    Samuli Seppänen (19):
          Add man page entry for --redirect-private
          Change all CRLF linefeeds to LF linefeeds
          Fix a bug in devcon source code handling
          Removed Win2k from supported platforms list in INSTALL and win/openvpn.nsi
          Fixed copying of tapinstall.exe to dist/bin when using prebuilt TAP-drivers
          Fixed a bug with GUI icon deletion on upgrade from 2.2-RC or earlier
          Fix a build-ca issue on Windows
          Add new openssl.cnf to easy-rsa/Windows
          Updated "easy-rsa" for OpenSSL 1.0.0
          Made domake-win builds to use easy-rsa/2.0/openssl-1.0.0.cnf
          Fixes to easy-rsa/2.0
          Merged TODO.IPv6 with TODO.ipv6 and README.IPv6 with README.ipv6
          Fixed a number of fatal build errors on Visual Studio 2008
          Fix a Visual Studio 2008 build issue in socket.c
          Additional Visual Studio 2008 build fixes to tun.c
          Fixed a typo in win32.h that prevented building with Visual Studio
          Fixed a regression causing VS2008/Python build failure
          Fix a Visual Studio 2008 build error in tun.c
          Fix a Visual Studio 2008 build error in options.c
    
    Simon Matter (1):
          Fix issues with some older GCC compilers
    
    Stefan Hellermann (2):
          plugin.h: update prototype of plugin_call dummy in !ENABLE_PLUGIN case
          Fixed typo in plugin.h
    
    chantra (1):
          Clarify --tmp-dir option
    
    smos (1):
          Change the netsh.exe command from "add" to "set".
    
    2011.12.25 -- Version 2.x-master
    James Yonan (1):
          Added support for "on-link" routes on Linux client -- these are
          routes where the gateway is specified as an interface rather than
          an address.  This allows redirect-gateway to work on Linux clients
          whose connection to the internet is via a point-to-point link
          such as PPP.
    
          Note that at the moment, this capability is incompatible with
          the "redirect-gateway block-local" directive -- this is because
          the block-local directive blocks all traffic from the local LAN
          except for the local and gateway addresses.  Since a PPP link
          is essentially a subnet of two addresses, local and remote (i.e.
          gateway), the set of addresses that would be blocked by block-local
          is empty.  Therefore, the "redirect-gateway block-local" directive
          will be ignored on PPP links.
    
          To view the OpenVPN client's current determination of the default
          gateway, use this command:
    
            ./openvpn --show-gateway
    
    
  • v2.2.2
    2011.12.14 -- Version 2.2.2
    David Sommerseth (1):
          Only warn about non-tackled IPv6 packets once
    
    Gert Doering (3):
          add missing break between "case IPv4" and "case IPv6"
          bump tap driver version from 9.8 to 9.9
          log error message and exit for "win32, tun mode, tap driver version 9.8"
    
    Samuli Seppänen (1):
          Backported pkcs11-related parts of 7a8d707237bb18 to 2.2 branch
    
  • v2.2.1
    2011.07.01 -- Version 2.2.1
    David Sommerseth (5):
          Don't define ENABLE_PUSH_PEER_INFO if SSL is not available
          Fix compiling issues with pkcs11 when --disable-management is configured
          Remove support for Linux 2.2 configuration fallback
          Revert "Add new openssl.cnf to easy-rsa/Windows"
          Prepared for releasing OpenVPN 2.2.1
    
    Gustavo Zacarias (1):
          Fix compile issues when using --enable-small and --disable-ssl/--disable-crypto
    
    Matthew L. Creech (1):
          Fix 2.2.0 build failure when management interface disabled
    
    Robert Fischer (2):
          Added info about --show-proxy-settings
          Documented --x509-username-field option
    
    Samuli Seppänen (5):
          Fix a build-ca issue on Windows
          Add new openssl.cnf to easy-rsa/Windows
          Updated "easy-rsa" for OpenSSL 1.0.0
          Made domake-win builds to use easy-rsa/2.0/openssl-1.0.0.cnf
          Fixes to easy-rsa/2.0
    
    Simon Matter (1):
          Fix issues with some older GCC compilers
    
  • v2.2.0
    2011.04.21 -- Version 2.2.0
    David Sommerseth (4):
          Fix the --client-cert-not-required feature
          Change the default --tmp-dir path to a more suitable path
          Improve the mysprintf() issue in openvpnserv.c
          Add a simple comment regarding openvpn_snprintf() is duplicated
    
    Gert Doering (1):
          Add more detailed explanation regarding the function of "--rdns-internal"
    
    Gisle Vanem (1):
          Avoid re-defining uint32_t when using mingw compiler
    
    James Yonan (1):
          Fixed bug in port-share that could cause port share process to crash with output like this:
    
    Robert Fischer / rf (4):
          Update man page with info about --capath
          Update man page with info about --connect-timeout
          Update man page with info about --remote-random-hostname
          Added man page entry for --management-client
    
    Samuli Seppänen (6):
          Add man page entry for --redirect-private
          Change all CRLF linefeeds to LF linefeeds
          Fix a bug in devcon source code handling
          Removed Win2k from supported platforms list in INSTALL and win/openvpn.nsi
          Fixed copying of tapinstall.exe to dist/bin when using prebuilt TAP-drivers
          Fixed a bug with GUI icon deletion on upgrade from 2.2-RC or earlier
    
    chantra (1):
          Clarify --tmp-dir option
    
  • v2.2-RC2
    2011.03.24 -- Version 2.2-RC2
    Alon Bar-Lev (1):
          Windows cross-compile cleanup
    
    David Sommerseth (2):
          Open log files as text files on Windows
          Clarify default value for the --inactive option.
    
    Gert Doering (1):
          Implement IPv6 in TUN mode for Windows TAP driver.
    
    Samuli Seppänen (6):
          Added support for prebuilt TAP-drivers. Automated embedding manifests.
          Fixes to win/openvpn.nsi
          Replaced config-win32.h with win/config.h.in
          Updated INSTALL-win32.txt
          Fixes to Makefile.am
          Clarified --client-config-dir section on the man-page.
    
    Ville Skyttä (1):
          Fix line continuation in chkconfig init script description.
    
  • v2.2-RC
    2011.02.28 -- Version 2.2-RC
    David Sommerseth (3):
          Make the --x509-username-field feature an opt-in feature
          Fix compiler warning when compiling against OpenSSL 1.0.0
          Fix packaging of config-win32.h and service-win32/msvc.mak
    
    James Yonan (1):
          Minor addition of logging info before and after execution of Windows net commands.
    
    Matthias Andree (1):
          Change variadic macros to C99 style.
    
    Samuli Seppänen (15):
          Added ENABLE_PASSWORD_SAVE to config-win32.h
          Added a nmake makefile for openvpnserv.exe building
          Moved TAP-driver version info to version.m4. Cleaned up win/settings.in.
          Added helper functionality to win/wb.py
          Added support for viewing config-win32.h parameters to win/show.py
          Added comments and made small modifications to win/msvc.mak.in
          Added command-line switch to win/build_all.py to skip TAP driver building
          Added configure.h and version.m4 variable parsing to win/config.py
          Added openvpnserv.exe building to win/build.py
          Added comments to win/build_ddk.py
          Several modifications to win/make_dist.py to allow building the NSI installer
          Copied install-win32/setpath.nsi to win/setpath.nsi
          Added first version of NSI installer script to win/openvpn.nsi
          Changes to buildsystem patchset
          Temporary snprintf-related fix to service-win32/openvpnserv.c
    
  • v2.2-beta5
    2010.11.25 -- Version 2.2-beta5
    
    Samuli Seppänen (1):
          Fixed an issue causing a build failure with MS Visual Studio 2008.
    
  • v2.2-beta4
    2010.11.18 -- Version 2.2-beta4
    
    David Sommerseth (10):
          Clarified --explicit-exit-notify man page entry
          Clean-up: Remove pthread and mutex locking code
          Clean-up: Remove more dead and inactive code paths
          Clean-up: Removing useless code - hash related functions
          Use stricter snprintf() formatting in socks_username_password_auth() (v3)
          Fix compiler warnings about not used dummy() functions
          Fixed potential misinterpretation of boolean logic
          Only add some functions when really needed
          Removed functions not being used anywhere
          Merged add_bypass_address() and add_host_route_if_nonlocal()
    
    Gert Doering (3):
          Integrate support for TAP mode on Solaris, written by Kazuyoshi Aizawa <[email protected]>.
          Make "topology subnet" work on Solaris
          Improved man page entry for script_type
    
    James Yonan (5):
          Fixed initialization bug in route_list_add_default_gateway (Gert Doering).
          Implement challenge/response authentication support in client mode
          Make base64.h have the same conditional compilation expression as base64.c.
          Fixed compiling issues when using --disable-crypto
          In verify_callback, the subject var should be freed by OPENSSL_free, not free
    
    Jesse Young (1):
          Remove hardcoded path to resolvconf
    
    Lars Hupel (1):
          Add HTTP/1.1 Host header
    
    Pierre Bourdon (1):
          Adding support for SOCKS plain text authentication
    
    Samuli Seppänen (2):
          Added check for variable CONFIGURE_DEFINES into options.c
          Added command-line option parser and an unsigned build option to build_all.py
    
  • v2.1.4
    2010.11.04 -- Version 2.1.4
    
    * Fix problem with special case route targets ('remote_host')
    
      The init_route() function will leave &netlist untouched for
      get_special_addr() routes ("remote_host" being one of them).
      netlist is on stack, contains random garbage, and
      netlist.len will not be 0 - thus, random stack data is copied from
      netlist.data[] until the route_list is full.
      Thanks to Teodo MICU and Gert Doering for finding and fixing this issue.
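
The failure mode described in the 2.1.4 note above, as an added example (not OpenVPN's code and not the project's patch): a callee that leaves an output list untouched on one path, and a caller that trusts its length field anyway. The struct layouts, function names, addresses and the 0x5a fill that stands in for stale stack bytes are all constructed for illustration; the hardening shown (defined state before the call, bounds check after) is an assumption about one reasonable fix.

```c
#include <stdint.h>
#include <string.h>

#define NETLIST_MAX 8   /* capacity of the DNS expansion list */
#define ROUTE_MAX   4   /* capacity of the route list */

/* Hypothetical stand-ins for the structures named in the changelog. */
struct netlist    { int len; uint32_t data[NETLIST_MAX]; };
struct route_list { int n;   uint32_t net[ROUTE_MAX]; };

/* Resolver with the behaviour the changelog describes: a special target
 * such as "remote_host" is answered directly and *nl is never written. */
static uint32_t resolve_target(const char *target, struct netlist *nl)
{
    if (strcmp(target, "remote_host") == 0)
        return 0xC0000201u;          /* constructed address 192.0.2.1 */
    nl->len = 2;                     /* constructed two-address DNS answer */
    nl->data[0] = 0xC6336401u;       /* 198.51.100.1 */
    nl->data[1] = 0xC6336402u;       /* 198.51.100.2 */
    return nl->data[0];
}

static void add_route(struct route_list *rl, uint32_t net)
{
    if (rl->n < ROUTE_MAX)
        rl->net[rl->n++] = net;
}

/* Returns how many routes one target produced. init_first selects the
 * hardened caller, which gives the list a defined state before the call. */
static int routes_for(const char *target, int init_first)
{
    struct route_list rl = { 0 };
    struct netlist nl;

    /* Constructed poison standing in for stale stack contents, so the
     * demonstration is deterministic instead of undefined behaviour. */
    memset(&nl, 0x5a, sizeof nl);
    if (init_first)
        nl.len = 0;

    uint32_t first = resolve_target(target, &nl);

    /* Hardened path also rejects a length outside the array bounds. */
    if (init_first && (nl.len < 0 || nl.len > NETLIST_MAX))
        return -1;

    add_route(&rl, first);
    /* Extra addresses from the expansion: the loop ends only when len is
     * reached or the route list is full, as the changelog describes. */
    for (int i = 1; i < nl.len && rl.n < ROUTE_MAX; i++)
        add_route(&rl, nl.data[i]);
    return rl.n;
}
```

With the unhardened caller, a single "remote_host" route fills the whole route list with poison values; with the list initialised first it yields exactly one route.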
    
  • v2.2-beta3
    842783a9 · Preparing for v2.2-beta3 ·
    2010.08.21 -- Version 2.2-beta3
    
    * Attempt to fix issue where domake-win build system was not properly
      signing drivers and .exe files.
    
      Added win/tap_span.py for building multiple versions of the TAP driver
      and tapinstall binaries using different DDK versions to span from Win2K
      to Win7 and beyond.
    
    * Community patches
      David Sommerseth (2):
          Test framework improvement - Do not FAIL if t_client.rc is missing
          More t_client.sh updates - exit with SKIP when we want to skip
    
      Gert Doering (4):
          Fix compile problems on NetBSD and OpenBSD
          Fix <net/if.h> compile time problems on OpenBSD for good
          full "VPN client connect" test framework for OpenVPN
          Build t_client.sh by configure at run-time.
    
      chantra (1):
          Fixes openssl-1.0.0 compilation warning
    
  • v2.1.3
  • v2.2-beta2
    2010.08.16 -- Version 2.2-beta2
    
    * Windows security issue:
      Fixed potential local privilege escalation vulnerability in
      Windows service. The Windows service did not properly quote the
      executable filename passed to CreateService.  A local attacker
      with write access to the root directory C:\ could create an
      executable that would be run with the same privilege level as
      the OpenVPN Windows service.  However, since non-Administrative
      users normally lack write permission on C:\, this vulnerability
      is generally not exploitable except on older versions of Windows
      (such as Win2K) where the default permissions on C:\ would allow
      any user to create files there.
      Credit:  Scott Laurie, MWR InfoSecurity
    
    * Added Python-based alternative build system for Windows using
      Visual Studio 2008 (in win directory).
    
    * Fixed compiler warning in ssl.c when compiling with --enable-strict
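
The Windows service quoting issue described in the 2.2-beta2 notes above, as an added example (not OpenVPN's code): a portable C check that flags a service image path that is unquoted and has a space in its executable part, plus a helper that builds the quoted string to register as the service's executable path. The function names and any sample paths used with them are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Index just past the first ".exe" that ends the string or is followed by
 * a space (case-insensitive); 0 if there is none. Heuristic for where the
 * executable part of an unquoted image path stops and arguments begin. */
static size_t exe_end(const char *s)
{
    size_t n = strlen(s);
    for (size_t i = 0; i + 4 <= n; i++) {
        if (s[i] == '.' &&
            tolower((unsigned char)s[i + 1]) == 'e' &&
            tolower((unsigned char)s[i + 2]) == 'x' &&
            tolower((unsigned char)s[i + 3]) == 'e' &&
            (s[i + 4] == '\0' || s[i + 4] == ' '))
            return i + 4;
    }
    return 0;
}

/* 1: unquoted with a space inside the executable part (ambiguous),
 * 0: quoted, or unquoted without such a space,
 * -1: malformed (opening quote never closed). */
static int binpath_is_ambiguous(const char *binpath)
{
    if (binpath[0] == '"')
        return strchr(binpath + 1, '"') ? 0 : -1;

    size_t end = exe_end(binpath);
    if (end == 0)
        end = strlen(binpath);  /* no .exe seen: be conservative */
    return memchr(binpath, ' ', end) != NULL;
}

/* Write "exe" or "exe" args into out. Returns 0 on success, -1 if exe
 * already contains a quote or the result would not fit (no truncated
 * path is ever handed on). */
static int build_binpath(char *out, size_t outlen,
                         const char *exe, const char *args)
{
    int n;

    if (strchr(exe, '"') != NULL)
        return -1;
    if (args != NULL && *args != '\0')
        n = snprintf(out, outlen, "\"%s\" %s", exe, args);
    else
        n = snprintf(out, outlen, "\"%s\"", exe);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```

Spaces that appear only in the arguments after the executable name are not flagged, so a path such as `C:\Windows\system32\svchost.exe -k netsvcs` passes the check.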
    
  • v2.2-beta1
    4c1938aa · Tagging v2.2-beta1 ·
    2010.08.10 -- Version 2.2-beta1
    
    * When aborting in a non-graceful way, try to execute do_close_tun in
      init.c prior to daemon exit to ensure that the tun/tap interface is
      closed and any added routes are deleted.
    
    * Fixed an issue where AUTH_FAILED was not being properly delivered
      to the client when a bad password is given for mid-session reauth,
      causing the connection to fail without an error indication.
    
    * Don't advance to the next connection profile on AUTH_FAILED errors.
    
    * Fixed an issue in the Management Interface that could cause
      a process hang with 100% CPU utilization in --management-client
      mode if the management interface client disconnected at the
      point where credentials are queried.
    
    * Fixed an issue where if reneg-sec was set to 0 on the client,
      so that the server-side value would take precedence,
      the auth_deferred_expire_window function would incorrectly
      return a window period of 0 seconds.  In this case, the
      correct window period should be the handshake window
      period.
    
    * Modified ">PASSWORD:Verification Failed" management interface
      notification to include a client reason string:
    
        >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING']
    
    * Enable exponential backoff in reliability layer
      retransmits.
    
    * Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after
      socket is created rather than waiting until after connect/listen.
    
    * Management interface performance optimizations:
    
      1. Added env-filter MI command to perform filtering on env vars
         passed through as a part of --management-client-auth
    
      2. man_write will now try to aggregate output into larger blocks
         (up to 1024 bytes) for more efficient i/o
    
    * Fixed minor issue in Windows TAP driver DEBUG builds
      where non-null-terminated unicode strings were being
      printed incorrectly.
    
    * Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support
      was not being compiled in.
    
    * Proxy improvements:
    
      Improved the ability of http-auth "auto" flag to dynamically detect
      the auth method required by the proxy.
    
      Added http-auth "auto-nct" flag to reject weak proxy auth methods.
    
      Added HTTP proxy digest authentication method.
    
      Removed extraneous openvpn_sleep calls from proxy.c.
    
    * Implemented http-proxy-override and http-proxy-fallback directives to make it
      easier for OpenVPN client UIs to start a pre-existing client config file with
      proxy options, or to adaptively fall back to a proxy connection if a direct
      connection fails.
    
    * Implemented a key/value auth channel from client to server.
    
    * Fixed issue where bad creds provided by the management interface
      for HTTP Proxy Basic Authentication would go into an infinite
      retry-fail loop instead of requerying the management interface for
      new creds.
    
    * Added support for MSVC debugging of openvpn.exe in settings.in:
    
      # Build debugging version of openvpn.exe
      !define PRODUCT_OPENVPN_DEBUG
    
    * Implemented multi-address DNS expansion on the network field of route
      commands.
    
      When only a single IP address is desired from a multi-address DNS
      expansion, use the first address rather than a random selection.
    
    * Added --register-dns option for Windows.
    
      Fixed some issues on Windows with --log, subprocess creation
      for command execution, and stdout/stderr redirection.
    
    * Fixed an issue where application payload transmissions on the
      TLS control channel (such as AUTH_FAILED) that occur during
      or immediately after a TLS renegotiation might be dropped.
    
    * Added warning about tls-remote option in man page.
    
    * Community patches (from openvpn-testing.git tree)
    
      Alberto Gonzalez Iniesta (1):
          Debian patch: Fix spelling in log message
    
      Dan Nelson (1):
          bash->bourne script cleanup
    
      Daniel Johnson (1):
          auth-pam plugin update: Support DOMAIN+USERNAME in config
    
      David Sommerseth (22):
          Reworked the eurephia patch for inclusion to the openvpn-testing tree
          Added mapping files from SVN commit ID to more descriptive commit IDs.
          verb 5 logging wrongly reports received bytes
          On TARGET_LINUX define _GNU_SOURCE if not defined
          Fix autotools cross-compiling support
          Add compile time information/settings from ./configure to --version
          Make use of counter_type instead of int when counting bytes and network packets
          Updated the man page to reflect the behavioural change of create_temp_file()
          Removed no longer needed delete_file() call
          Fixed potential NULL pointer issue
          Fix dependency checking for configure.h (v2)
          Make use of automake CLEANFILES variable instead of clean-local rule
          Don't add compile time information if --enable-small is used
          Harden create_temp_filename() (version 2)
          Renamed all calls to create_temp_filename()
          Updated the man page to reflect the behavioural change of create_temp_file()
          Removed no longer needed delete_file() call
          Avoid repetition of "this config may cache passwords in memory" (v2)
          Revamped the script-security warning logging (version 2)
          Fixed client hang when server don't PUSH (aka the NO_SOUP_FOR_YOU patch)
          Solved hidden merge conflict between changes in feat_misc and bugfix2.1
          Fix multiple configured scripts conflicts issue (version 2)
    
      Davide Brini (6):
          OCSP_check.sh: new check logic
          The man page does not mention that the default value of "mssfix" is 1450.
          Enhance contrib/pull-resolv-conf/client.{up,down} scripts
          Fix missing /bin/bash -> /bin/sh
          Fix certificate serial number export
          Exclude ping and control packets from activity
    
      Emilien Mantel (2):
          Choose a different field in X509 to be username
          Fixed static defined length check to use sizeof()
    
      Enrico Scholz (1):
          Allow 'lport 0' setup for random port binding
    
      Fabian Knittel (1):
          ssl.c: fix use of openvpn_run_script()'s return value
    
      Gert Doering (3):
          remove duplicate code in FREEBSD+DRAGONFLY system-dependent ifconfig
          Implement IPv6 in TUN mode for Windows TAP driver.
          fix date format mistake in PRODUCT_TAP_RELDATE (Peter Stuge)
    
      Jan Brinkmann (1):
          The man page needs dash escaping in UTF-8 environments
    
      Karl O. Pinc (2):
          Change verify-cn so cn is no longer hardcoded in openvpn's config file
          Several updates to openvpn.8 (man page updates)
    
      Mathieu GIANNECCHINI (1):
          enhance tls-verify possibility
    
      Wil Cooley (1):
          pkitool lacks expected option "--help"
    
      chantra (2):
          Handle non standard subnets in PF grammar
          Fix errors in openvpn-plugin.h documentation
    
  • v2.1.2
    4f79d3ec · Windows security issue: ·