OpenVPN ChangeLog Copyright (C) 2002-2023 OpenVPN Inc 2024.02.11 -- Version 2.6.9 Arne Schwabe (15): Remove unused function prototype crypto_adjust_frame_parameters Log SSL alerts more prominently Document tls-exit option mainly as test option Remove TEST_GET_DEFAULT_GATEWAY as it duplicates --show-gateway Fix check_session_buf_not_used using wrong index Add missing check for nl_socket_alloc failure Add check for nice in cmake config Remove compat versionhelpers.h and remove cmake/configure check for it Extend the error message when TLS 1.0 PRF fails Fix unaligned access in macOS, FreeBSD, Solaris hwaddr Check PRF availability on initialisation and add --force-tls-key-material-export Make it more explicit and visible when pkg-config is not found Clarify that the tls-crypt-v2-verify has a very limited env set Implement the --tls-export-cert feature Remove conditional text for Apache2 linking exception David Sommerseth (2): Remove --tls-export-cert Remove superfluous x509_write_pem() Frank Lichtenheld (14): sample-keys: renew for the next 10 years GHA: clean up libressl builds with newer libressl configure.ac: Remove unused AC_TYPE_SIGNAL macro documentation: remove reference to removed option --show-proxy-settings unit_tests: remove includes for mock_msg.h documentation: improve documentation of --x509-track NTLM: add length check to add_security_buffer NTLM: increase size of phase 2 response we can handle proxy-options.rst: Add proper documentation for --http-proxy-user-pass buf_string_match_head_str: Fix Coverity issue 'Unsigned compared against 0' --http-proxy-user-pass: allow to specify in either order with --http-proxy README.cmake.md: Document minimum required CMake version for --preset documentation: Update and fix documentation for --push-peer-info documentation: Fixes for previous fixes to --push-peer-info Gert Doering (4): OpenBSD: repair --show-gateway get_default_gateway() HWADDR overhaul fix uncrustify complaints about previous patch preparing release 2.6.9 Kristof Provost (1): dco-freebsd: dynamically re-allocate buffer if it's too small Lev Stipakov (1): tun.c: don't attempt to delete DNS and WINS servers if they're not set Marc Becker (1): vcpkg-ports/pkcs11-helper: bump to version 1.30 Max Fillinger (4): Add support for mbedtls 3.X.Y Update README.mbedtls Disable TLS 1.3 support with mbed TLS Enable key export with mbed TLS 3.x.y Reynir Bjoernsson (1): protocol_dump: tls-crypt support Steffan Karger (1): Fix IPv6 route add/delete message log level yatta (1): fix(ssl): init peer_id when init tls_multi 2023.11.17 -- Version 2.6.8 Aquila Macedo (1): doc: Correct typos in multiple documentation files Arne Schwabe (1): Do not check key_state buffers that are in S_UNDEF state Frank Lichtenheld (1): platform.c: Do not depend Windows build on HAVE_CHDIR Lev Stipakov (3): config.h: fix incorrect defines for _wopen() Make --dns options apply for tap-windows6 driver Warn if pushed options require DHCP 2023.11.08 -- Version 2.6.7 Antonio Quartulli (1): dco: fix crash when --multihome is used with --proto tcp Arne Schwabe (8): Mock openvpn_exece on win32 also for test_tls_crypt Add warning for the --show-groups command that some groups are missing Print peer temporary key details Add warning if a p2p NCP client connects to a p2mp server Remove openssl engine method for loading the key Remove saving initial frame code Double check that we do not use a freed buffer when freeing a session Fix using to_link buffer after freed Frank Lichtenheld (7): GHA: do not trigger builds in openvpn-build anymore GHA: new workflow to submit scan to Coverity Scan service buffer: use memcpy in buf_catrunc vcpkg-ports/pkcs11-helper: Backport MinGW series from master to release/2.6 CMake: backport CMake buildsystem from master to release/2.6 Remove all traces of the previous MSVC build system doc: fix argument name in --route-delay documentation Heiko Hund (1): dns option: remove support for exclude-domains Lev Stipakov (3): Warn user if INFO control command is too long dco-win: get driver version dco: warn if DATA_V1 packets are sent to userspace Selva Nair (2): Make cert_data.h and test_cryptoapi/pkcs11.c MSVC compliant Log OpenSSL errors on failure to set certificate orbea (1): configure: disable engines if OPENSSL_NO_ENGINE is defined 2023.08.14 -- Version 2.6.6 Antonio Quartulli (1): configure.ac: fix typ0 in LIBCAPNG_CFALGS Arne Schwabe (8): Avoid unused function warning/error on FreeBSD (and potientially others) fix warning with gcc 12.2.0 (compiler bug?) Fix CR_RESPONSE mangaement message using wrong key_id Print a more user-friendly error when tls-crypt-v2 client auth fails Ignore Ipv6 route delete request on Android and set ipv4 verbosity to 7 Revert commit 423ced962d Implement using --peer-fingerprint without CA certificates show extra info for OpenSSL errors David Sommerseth (1): ntlm: Clarify details on NTLM phase 3 decoding Frank Lichtenheld (8): dist: add more missing files only used in the MSVC build dist: Include all documentation in distribution unit_tests: Add missing cert_data.h to source list for unit tests test_tls_crypt: Improve mock() usage to be more portable Remove old Travis CI related files options: Do not hide variables from parent scope pkcs11_openssl: Disable unused code route: Fix overriding return value of add_route3 George Pchelkin (1): fix typo: dhcp-options to dhcp-option in vpn-network-options.rst Gert Doering (1): Make received OCC exit messages more visible in log. Heiko Hund (1): work around false positive warning with mingw 12 Lev Stipakov (3): tun.c: enclose DNS domain in single quotes in WMIC call manage.c: document missing KID parameter Set WINS servers via interactice service Sergey Korolev (1): dco-linux: fix counter print format 2023.06.13 -- Version 2.6.5 Arne Schwabe (1): Fix use-after-free with EVP_CIPHER_free Frank Lichtenheld (6): dco_linux: properly close dco version file DCO: fix memory leak in dco_get_peer_stats_multi for Linux Fix two unused assignments sample-plugins: Fix memleak in client-connect example plugin options: remove --key-method from usage message msvc-generate: include version.m4.in in tarball Ilya Shipitsin (1): src/openvpn/dco_freebsd.c: handle malloc failure Lev Stipakov (2): dco-win: support for --dev-node tapctl: generate driver-specific adapter names Selva Nair (2): Correctly handle Unicode names for exit event Interactive service: do not force a target desktop for openvpn.exe 2023.05.11 -- Version 2.6.4 Arne Schwabe (3): Remove unused variable line Add Apache2 linking with for new commits Fix compile error on TARGET_ANDROID Frank Lichtenheld (2): man page: Remove cruft from --topology documentation tests: do not include t_client.sh in dist Kristof Provost (1): DCO: support key rotation notifications Michael Nix (1): fix typo in help text: --ignore-unknown-option Selva Nair (2): Format Windows error message in Unicode Bugfix: dangling pointer passed to pkcs11-helper 2023.04.13 -- Version 2.6.3 Frank Lichtenheld (3): GHA: remove Ubuntu 18.04 builds vcpkg: request "tools" feature of openssl for MSVC build doc: run rst2* with --strict to catch warnings Lev Stipakov (1): Support of DNS domain for DHCP-less drivers Selva Nair (1): Bug-fix: segfault in dco_get_peer_stats() 2023.03.24 -- Version 2.6.2 Antonio Quartulli (6): dco: don't use NetLink to exchange control packets dco: print version to log if available dco-linux: remove M_ERRNO flag when printing netlink error message multi: don't call DCO APIs if DCO is disabled dco-freebsd: use m->instances[] instead of m->hash dco-linux: implement dco_get_peer_stats{, multi} API Arne Schwabe (12): Set netlink socket to be non-blocking Ensure n = 2 is set in key2 struct in tls_crypt_v2_unwrap_client_key Fix memory leaks in open_tun_dco() Fix memory leaks in HMAC initial packet generation Use key_state instead of multi for tls_send_payload parameter Make sending plain text control message session aware Only update frame calculation if we have a valid link sockets Improve description of compat-mode Simplify --compress parsing in options.c Refuse connection if server pushes an option contradicting allow-compress Add 'allow-compression stub-only' internally for DCO Parse compression options and bail out when compression is disabled Frank Lichtenheld (1): tests/unit_tests: Fix 'make distcheck' with subdir-objects enabled Gert Doering (1): preparing release 2.6.2 Heiko Hund (1): dns option: allow up to eight addresses per server Kristof Provost (1): dco: print FreeBSD version Lev Stipakov (4): Support --inactive option for DCO Fix '--inactive