2011.03.24 -- Version 2.2-RC2
Alon Bar-Lev (1):
Windows cross-compile cleanup
David Sommerseth (2):
Open log files as text files on Windows
Clarify default value for the --inactive option.
Gert Doering (1):
Implement IPv6 in TUN mode for Windows TAP driver.
Samuli Seppänen (6):
Added support for prebuilt TAP-drivers. Automated embedding manifests.
Fixes to win/openvpn.nsi
Replaced config-win32.h with win/config.h.in
Updated INSTALL-win32.txt
Fixes to Makefile.am
Clarified --client-config-dir section on the man-page.
Ville Skyttä (1):
Fix line continuation in chkconfig init script description.
2011.02.28 -- Version 2.2-RC
David Sommerseth (3):
Make the --x509-username-field feature an opt-in feature
Fix compiler warning when compiling against OpenSSL 1.0.0
Fix packaging of config-win32.h and service-win32/msvc.mak
James Yonan (1):
Minor addition of logging info before and after execution of Windows net commands.
Matthias Andree (1):
Change variadic macros to C99 style.
Samuli Seppänen (15):
Added ENABLE_PASSWORD_SAVE to config-win32.h
Added a nmake makefile for openvpnserv.exe building
Moved TAP-driver version info to version.m4. Cleaned up win/settings.in.
Added helper functionality to win/wb.py
Added support for viewing config-win32.h parameters to win/show.py
Added comments and made small modifications to win/msvc.mak.in
Added command-line switch to win/build_all.py to skip TAP driver building
Added configure.h and version.m4 variable parsing to win/config.py
Added openvpnserv.exe building to win/build.py
Added comments to win/build_ddk.py
Several modifications to win/make_dist.py to allow building the NSI installer
Copied install-win32/setpath.nsi to win/setpath.nsi
Added first version of NSI installer script to win/openvpn.nsi
Changes to buildsystem patchset
Temporary snprintf-related fix to service-win32/openvpnserv.c
2010.11.25 -- Version 2.2-beta5
Samuli Seppänen (1):
Fixed an issue causing a build failure with MS Visual Studio 2008.
2010.11.18 -- Version 2.2-beta4
David Sommerseth (10):
Clarified --explicit-exit-notify man page entry
Clean-up: Remove pthread and mutex locking code
Clean-up: Remove more dead and inactive code paths
Clean-up: Removing useless code - hash related functions
Use stricter snprintf() formatting in socks_username_password_auth() (v3)
Fix compiler warnings about not used dummy() functions
Fixed potential misinterpretation of boolean logic
Only add some functions when really needed
Removed functions not being used anywhere
Merged add_bypass_address() and add_host_route_if_nonlocal()
Gert Doering (3):
Integrate support for TAP mode on Solaris, written by Kazuyoshi Aizawa admin2@whiteboard.ne.jp.
Make "topology subnet" work on Solaris
Improved man page entry for script_type
James Yonan (5):
Fixed initialization bug in route_list_add_default_gateway (Gert Doering).
Implement challenge/response authentication support in client mode
Make base64.h have the same conditional compilation expression as base64.c.
Fixed compiling issues when using --disable-crypto
In verify_callback, the subject var should be freed by OPENSSL_free, not free
Jesse Young (1):
Remove hardcoded path to resolvconf
Lars Hupel (1):
Add HTTP/1.1 Host header
Pierre Bourdon (1):
Adding support for SOCKS plain text authentication
Samuli Seppänen (2):
Added check for variable CONFIGURE_DEFINES into options.c
Added command-line option parser and an unsigned build option to build_all.py
2010.11.04 -- Version 2.1.4
Fix problem with special case route targets ('remote_host')
The init_route() function will leave &netlist untouched for
get_special_addr() routes ("remote_host" being one of them).
netlist is on stack, contains random garbage, and
netlist.len will not be 0 - thus, random stack data is copied from
netlist.data[] until the route_list is full.
Thanks to Teodo MICU and Gert Doering for finding and fixing this issue.
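The failure mode in this entry, as an added model that is not OpenVPN's code: a caller keeps a result list on the stack, the resolver leaves it untouched for the special target, and the stale length drives the copy loop until the table is full. The struct names, sizes, addresses and the 0x5A fill standing in for leftover stack bytes are all assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_RESOLVED 8            /* hypothetical sizes for this model */
#define MAX_ROUTES   4

struct addr_list   { int len; uint32_t data[MAX_RESOLVED]; };
struct route_table { int n;   uint32_t dest[MAX_ROUTES]; };

/* Model: for the special target, sets *single and leaves *out untouched. */
static void resolve(const char *target, uint32_t *single, struct addr_list *out)
{
    if (strcmp(target, "remote_host") == 0) {
        *single = 0x0A000001u;    /* constructed address 10.0.0.1 */
        return;
    }
    out->len = 2;                 /* constructed two-address DNS answer */
    out->data[0] = 0xC0A80001u;
    out->data[1] = 0xC0A80002u;
    *single = out->data[0];
}

/* zero_init=false models the bug, true the fix; returns entries added. */
int add_routes(struct route_table *rt, const char *target, bool zero_init)
{
    struct addr_list nl;
    uint32_t single = 0;
    int before = rt->n;
    memset(&nl, 0x5A, sizeof nl);      /* stand-in for stale stack bytes */
    if (zero_init)
        memset(&nl, 0, sizeof nl);     /* fix: len == 0 means "no list" */
    resolve(target, &single, &nl);
    if (nl.len == 0 && rt->n < MAX_ROUTES)
        rt->dest[rt->n++] = single;
    for (int i = 0; i < nl.len && rt->n < MAX_ROUTES; i++)
        rt->dest[rt->n++] = nl.data[i];  /* stops only on len or full table */
    return rt->n - before;
}

int main(void)
{
    struct route_table bad = {0}, good = {0};
    int b = add_routes(&bad, "remote_host", false);
    int g = add_routes(&good, "remote_host", true);
    printf("entries added: buggy=%d fixed=%d\n", b, g);
    return 0;
}
```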
2010.08.21 -- Version 2.2-beta3
Attempt to fix issue where domake-win build system was not properly
signing drivers and .exe files.

Added win/tap_span.py for building multiple versions of the TAP driver
and tapinstall binaries using different DDK versions to span from Win2K
to Win7 and beyond.
Community patches
David Sommerseth (2):
Test framework improvement - Do not FAIL if t_client.rc is missing
More t_client.sh updates - exit with SKIP when we want to skip
Gert Doering (4):
Fix compile problems on NetBSD and OpenBSD
Fix <net/if.h> compile time problems on OpenBSD for good
full "VPN client connect" test framework for OpenVPN
Build t_client.sh by configure at run-time.
chantra (1):
Fixes openssl-1.0.0 compilation warning
2010.08.16 -- Version 2.2-beta2
Windows security issue:
Fixed potential local privilege escalation vulnerability in
Windows service. The Windows service did not properly quote the
executable filename passed to CreateService. A local attacker
with write access to the root directory C:\ could create an
executable that would be run with the same privilege level as
the OpenVPN Windows service. However, since non-Administrative
users normally lack write permission on C:\, this vulnerability
is generally not exploitable except on older versions of Windows
(such as Win2K) where the default permissions on C:\ would allow
any user to create files there.
Credit: Scott Laurie, MWR InfoSecurity
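An audit-and-fix sketch for the quoting problem described above, added here and not taken from the OpenVPN service code: one function flags a service command line that is unquoted and has a space inside the executable path, the other builds the quoted string that should be handed to CreateService. The install path is a constructed sample, the function names are hypothetical, and the check is a heuristic that only judges commands containing ".exe".

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* True when q points at ".exe" (any case); never reads past the NUL. */
static int exe_at(const char *q)
{
    return q[0] == '.' && tolower((unsigned char)q[1]) == 'e' &&
           tolower((unsigned char)q[2]) == 'x' &&
           tolower((unsigned char)q[3]) == 'e';
}

/* Returns 1 when a service command line is unquoted and has a space before
 * the first ".exe"; otherwise 0. Commands with no ".exe" are not judged. */
int path_is_ambiguous(const char *cmdline)
{
    int saw_space = 0;
    while (*cmdline == ' ') cmdline++;
    if (*cmdline == '"')
        return 0;                         /* already quoted */
    for (const char *q = cmdline; *q; q++) {
        if (exe_at(q))
            return saw_space;
        if (*q == ' ')
            saw_space = 1;
    }
    return 0;
}

/* Builds the quoted form: "<exe>" or "<exe>" <args>. Returns 0 on success,
 * -1 if exe itself contains a quote or out is too small. */
int build_binary_path(const char *exe, const char *args, char *out, size_t n)
{
    if (strchr(exe, '"') != NULL)
        return -1;
    int w = (args && *args) ? snprintf(out, n, "\"%s\" %s", exe, args)
                            : snprintf(out, n, "\"%s\"", exe);
    return (w < 0 || (size_t)w >= n) ? -1 : 0;
}

int main(void)
{
    const char *exe = "C:\\Program Files\\OpenVPN\\bin\\openvpnserv.exe"; /* constructed */
    char fixed[260];
    if (build_binary_path(exe, NULL, fixed, sizeof fixed) != 0)
        return 1;
    printf("%d %d\n", path_is_ambiguous(exe), path_is_ambiguous(fixed));
    return 0;
}
```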
Added Python-based alternative build system for Windows using
Visual Studio 2008 (in win directory).

Fixed compiler warning in ssl.c when compiling with --enable-strict
2010.08.10 -- Version 2.2-beta1
When aborting in a non-graceful way, try to execute do_close_tun in
init.c prior to daemon exit to ensure that the tun/tap interface is
closed and any added routes are deleted.

Fixed an issue where AUTH_FAILED was not being properly delivered
to the client when a bad password is given for mid-session reauth,
causing the connection to fail without an error indication.

Don't advance to the next connection profile on AUTH_FAILED errors.

Fixed an issue in the Management Interface that could cause
a process hang with 100% CPU utilization in --management-client
mode if the management interface client disconnected at the
point where credentials are queried.

Fixed an issue where if reneg-sec was set to 0 on the client,
so that the server-side value would take precedence,
the auth_deferred_expire_window function would incorrectly
return a window period of 0 seconds. In this case, the
correct window period should be the handshake window
period.

Modified ">PASSWORD:Verification Failed" management interface
notification to include a client reason string:

    >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING']

Enable exponential backoff in reliability layer
retransmits.

Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after
socket is created rather than waiting until after connect/listen.

Management interface performance optimizations:

  Added env-filter MI command to perform filtering on env vars
  passed through as a part of --management-client-auth

  man_write will now try to aggregate output into larger blocks
  (up to 1024 bytes) for more efficient i/o

Fixed minor issue in Windows TAP driver DEBUG builds
where non-null-terminated unicode strings were being
printed incorrectly.

Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support
was not being compiled in.

Proxy improvements:

  Improved the ability of http-auth "auto" flag to dynamically detect
  the auth method required by the proxy.

  Added http-auth "auto-nct" flag to reject weak proxy auth methods.

  Added HTTP proxy digest authentication method.

  Removed extraneous openvpn_sleep calls from proxy.c.

Implemented http-proxy-override and http-proxy-fallback directives to make it
easier for OpenVPN client UIs to start a pre-existing client config file with
proxy options, or to adaptively fall back to a proxy connection if a direct
connection fails.

Implemented a key/value auth channel from client to server.

Fixed issue where bad creds provided by the management interface
for HTTP Proxy Basic Authentication would go into an infinite
retry-fail loop instead of requerying the management interface for
new creds.

Added support for MSVC debugging of openvpn.exe in settings.in:

    !define PRODUCT_OPENVPN_DEBUG

Implemented multi-address DNS expansion on the network field of route
commands.

When only a single IP address is desired from a multi-address DNS
expansion, use the first address rather than a random selection.

Added --register-dns option for Windows.

Fixed some issues on Windows with --log, subprocess creation
for command execution, and stdout/stderr redirection.

Fixed an issue where application payload transmissions on the
TLS control channel (such as AUTH_FAILED) that occur during
or immediately after a TLS renegotiation might be dropped.

Added warning about tls-remote option in man page.
Community patches (from openvpn-testing.git tree)
Alberto Gonzalez Iniesta (1):
Debian patch: Fix spelling in log message
Dan Nelson (1):
bash->bourne script cleanup
Daniel Johnson (1):
auth-pam plugin update: Support DOMAIN+USERNAME in config
David Sommerseth (22):
Reworked the eurephia patch for inclusion to the openvpn-testing tree
Added mapping files from SVN commit ID to more descriptive commit IDs.
verb 5 logging wrongly reports received bytes
On TARGET_LINUX define _GNU_SOURCE if not defined
Fix autotools cross-compiling support
Add compile time information/settings from ./configure to --version
Make use of counter_type instead of int when counting bytes and network packets
Updated the man page to reflect the behavioural change of create_temp_file()
Removed no longer needed delete_file() call
Fixed potential NULL pointer issue
Fix dependency checking for configure.h (v2)
Make use of automake CLEANFILES variable instead of clean-local rule
Don't add compile time information if --enable-small is used
Harden create_temp_filename() (version 2)
Renamed all calls to create_temp_filename()
Updated the man page to reflect the behavioural change of create_temp_file()
Removed no longer needed delete_file() call
Avoid repetition of "this config may cache passwords in memory" (v2)
Revamped the script-security warning logging (version 2)
Fixed client hang when server doesn't PUSH (aka the NO_SOUP_FOR_YOU patch)
Solved hidden merge conflict between changes in feat_misc and bugfix2.1
Fix multiple configured scripts conflicts issue (version 2)
Davide Brini (6):
OCSP_check.sh: new check logic
The man page does not mention that the default value of "mssfix" is 1450.
Enhance contrib/pull-resolv-conf/client.{up,down} scripts
Fix missing /bin/bash -> /bin/sh
Fix certificate serial number export
Exclude ping and control packets from activity
Emilien Mantel (2):
Choose a different field in X509 to be username
Fixed static defined length check to use sizeof()
Enrico Scholz (1):
Allow 'lport 0' setup for random port binding
Fabian Knittel (1):
ssl.c: fix use of openvpn_run_script()'s return value
Gert Doering (3):
remove duplicate code in FREEBSD+DRAGONFLY system-dependent ifconfig
Implement IPv6 in TUN mode for Windows TAP driver.
fix date format mistake in PRODUCT_TAP_RELDATE (Peter Stuge)
Jan Brinkmann (1):
The man page needs dash escaping in UTF-8 environments
Karl O. Pinc (2):
Change verify-cn so cn is no longer hardcoded in openvpn's config file
Several updates to openvpn.8 (man page updates)
Mathieu GIANNECCHINI (1):
enhance tls-verify possibility
Wil Cooley (1):
pkitool lacks expected option "--help"
chantra (2):
Handle non standard subnets in PF grammar
Fix errors in openvpn-plugin.h documentation