diff options
author | David Sommerseth | 2012-02-21 11:12:42 +0100 |
---|---|---|
committer | David Sommerseth | 2012-02-21 11:55:42 +0100 |
commit | d3ae271f719a83e41c2eda3306156d02933203f8 (patch) | |
tree | 15895f9b7b16090b1c22a31a388ebb85f7500310 | |
parent | a4de190b92f9464602222454dd753072eecc0407 (diff) | |
download | openvpn-2.3-alpha1.zip openvpn-2.3-alpha1.tar.gz |
Preparing OpenVPN 2.3-alpha1 releasev2.3-alpha1
Signed-off-by: David Sommerseth <davids@redhat.com>
-rw-r--r-- | ChangeLog | 431 | ||||
-rw-r--r-- | version.m4 | 2 |
2 files changed, 432 insertions, 1 deletions
@@ -1,6 +1,437 @@ OpenVPN Change Log Copyright (C) 2002-2011 OpenVPN Technologies, Inc. <sales@openvpn.net> +2012.02.21 -- Version 2.3-alpha1 +Adriaan de Jong (127): + Added Doxygen doxyfile + Changed configure to accept --with-ssl-type=openssl + Refactored to rand_bytes for OpenSSL-independency + Refactored OpenSSL-specific constants + Refactored maximum cipher and hmac length constants + Refactored show_available_* functions + Refactored SSL_clear_error() + Refactored crypto initialisation functions + Refactored DES key manipulation functions + Refactored NTLM DES key generation + Refactored message digest type functions + Refactored message digest functions + Refactored HMAC functions + Refactored cipher key types + Refactored cipher functions + Added PRNG doxygen + Refactored: Moved crypto.h inline functions to end of file + Removed stale OpenSSL defines from crypto.h + Added a check for Openssl or PolarSSL defines + Refactored: Added stubs for new files + Refactored SSL initialisation functions + Refactored TLS_PRF to new hmac and md primitives + Refactored tls_show_available_ciphers + Refactored get_highest_preference_tls_cipher + Refactored root SSL context initialisation + Refactored new external key code + Refactored DH paramater loading + Refactored root TLS option settings + Refactored PKCS#12 key loading + Refactored PKCS#11 loading + Refactored windows cert loading + Refactored load certificate functions + Refactored private key loading code + Refactored external key loading from management + Refactored CA and extra certs code + Refactored cipher restriction code + Refactored tls_options, key_state, and key_source data structures + Refactored initalisation of key_states + Refactored key_state free code + Refactored print_details + Refactored key_state read code (including bio_read()) + Refactored key_state write functions + Refactored: Moved BIO debug functions to OpenSSL backend + Refactored: removed ks and ks_lame macro for clarity + Refactored: moved write_empty_string function back + Refactored Doxygen for tls_multi functions + Migrated data structures needed by verification functions to ssl_common.h + Refactored client_config_dir_exclusive function + Refactored certificate hash lock checks + Refactored common name locking functions + Refactored username and password authentication code + Add some extra comments + Refactored: split verify_callback into two parts + Added function to extract and verify the subject from a certificate + Added function to verify and extract the username + Refactored: removed global x509_username_field + Refactored: separated environment setup during verification + Refactored: Netscape certificate type verification + Refactored key usage verification code + Refactored EKU verification + Refactored tls-remote checking + Refactored tls-verify-plugin code + Refactored tls-verify script code + Refactored CRL checks + Minor cleanup in verify_cert: + Refactored: Moved verify_cert to ssl_verify + Cleaned up ssl.h + Refactored: made M_SSL dependent on USE_OPENSSL + Refactored: renamed X509 functions from verify_* + Separated OpenSSL-specific parts of the PKCS#11 driver + Modified base64 code in preparation for PolarSSL merge + Final cleanup before PolarSSL addition: + Refactored X509 track feature to be contained within the openssl backend + Added PolarSSL support: + Fixed a missing include in ssl_backend.h + Fixed a bug in the hash generation in ssl_verify_openssl.c + Added SHA_DIGEST_SIZE definition + Changed PolarSSL crypto backend to support v0.99-pre5 + Updated ssl_polarssl.c to work with 0.99-pre5 + Fixed a compilation warning for size_t key sizes + Added a warning that the PolarSSL library does not support pkcs12 files. + Added warning that --capath is not available with PolarSSL + Disable CryptoAPI when not using OpenSSL, and document that fact. + Removed support for management external keys in PolarSSL + Removed stray X509_free from ssl.c + Refactored (and disabled for PolarSSL) support for writing external cert files in scripts + Added an extra define to allow building without PKCS#11 + Added SSL library to title string + Disabled X.509 track and username selection for PolarSSL + Hardening: periodically reset the PRNG's nonce value + Fixes for the plugin system: + Further improvements to plugin support: + Fixed an unintentional change in the options calculated key size. + Moved print messages back to generic crypto.c from cipher backends + Moved HMAC prints back to main crypto module + Added back checks for ks->authenticated in verify_user_pass + Moved gc_new and gc_free to begin end of function + Fixed a bug in the return value of ssl_verify when pre_verify failed + Unified verification function return values: + Removed a stray Fox-IT tag + Fixed a typo: print the subject instead of the serial for verification errors + Made SSL_CIPHER const in print_details, to fix warning + Moved to PolarSSL 1.0.0: + Added missing #ifdef to allow --disable-managent to work again + Fixed disabling crypto and SSL + Got rid of a few magic numbers in ntlm.c + Removed obsolete des_cblock and des_keyschedule + Further removal of des_old.h based calls + Fixed missing comma in plugin.h + Moved prng_uninit out of crypto_uninit_lib + Moved CryptoAPI header include to the ssl_openssl.c + Reordered functions to ensure warning-free Windows build + Added options to switch between OpenSSL and PolarSSL and PKCS11... + Moved from strsep to strtok, for Windows compatibility + Minor cleanup to enable warning-free Windows build: + Fixed a typo when initialising cryptoapi certs + Minor code cleanup: cleaned up error handling in verify_cert. + Moved out of memory prototype to error.h, as the definition is in error.c + Removed support for calling gc_malloc with a NULL gc_arena struct + + (The follwing patches from Adriaan was mistakenly merged with + the wrong commit author in the git tree) + Doxygen: Added data channel crypto docs + Added control channel crypto docs + Added compression docs + Added reliability layer documentation + Added memory management documentation + Added data channel fragmentation docs + Added main/control docs + Moved doxygen-specific files to a separate directory + +Byron Ellacott (1): + autoconf fixes for building on OSX + +David Sommerseth (50): + Provide 'dev_type' environment variable to plug-ins and script hooks + Define the new openvpn_plugin_{open,func}_v3() API + Implement the core v3 plug-in function calls. + Extend the v3 plug-in API to send over X509 certificates + Added a simple plug-in demonstrating the v3 plug-in API. + Separate the general plug-in version constant and v3 plug-in structs version + Use a version-less version identifier on the master branch + Fix the --client-cert-not-required feature + Change the default --tmp-dir path to a more suitable path + Improve the mysprintf() issue in openvpnserv.c + Add a simple comment regarding openvpn_snprintf() is duplicated + Merge branch 'feat_ipv6_transport' + Merge branch 'feat_ipv6_payload' + Merge branch 'svn-branch-2.1' into merge + Solved hidden merge conflicts between master and svn-branch-2.1 + Fix const declarations in plug-in v3 structs + Merge remote-tracking branch 'cron2/feat_ipv6_payload_2.3' + Don't define ENABLE_PUSH_PEER_INFO if SSL is not available + Fix compiling issues with pkcs11 when --disable-management is configured + Remove support for Linux 2.2 configuration fallback + Revert "Add new openssl.cnf to easy-rsa/Windows" + Merge remote branch SVN 2.1 into the git tree + Merge branch 'svn-merger' + Fix Microsoft Visual Studio incompatibility in plugin.c + Fixed compile issues on FreeBSD and Solaris + Fix PolarSSL and --pkcs12 option issues + Fix FreeBSD/OpenBSD/NetBSD compiler warnings in get_default_gateway() + Make '--win-sys env' default + Do some file/directory tests before really starting openvpn + Fix bug after removing Linux 2.2 support + Don't look for 'stdin' file when using --auth-user-pass + Fix compiling with --disable-crypto and/or --disable-ssl + Fix a couple of issues in openvpn_execve() + Move away from openvpn_basename() over to platform provided basename() + Enable access() when building in Visual Studio + New Windows build fixes + Fix compilation errors on Linux platforms without SO_MARK + autotools ./configure don't like compat.h + Fix pool logging when IPv6 is not enabled + Don't check for file presence on inline files + Add --route-pre-down/OPENVPN_PLUGIN_ROUTE_PREDOWN script/plug-in hook + Enhance the error handling in _openssl_get_subject() + Fix assert() situations where gc_malloc() is called without a gc_arena object + Fix compile issues when plug-ins are disabled. + Remove --show-gateway if debug info is not enabled (--disable-debug) + Fix compile issues with status.c + Connection entry {tun,link}_mtu_defined not set correctly + Makefile.am referenced a now non-existing config-win32.h + Makefile.am was missing ssl_common.h + Revamp check_file_access() checks in stdin scenarios + +Davide Guerri (1): + New feauture: Add --stale-routes-check + +Frank de Brabander (1): + Fixed wrong return type of cipher_kt_mode + +Frederic Crozat (1): + Add support to forward console query to systemd + +Gert Doering (45): + Add more detailed explanation regarding the function of "--rdns-internal" + Enable IPv6 Payload in OpenVPN p2mp tun server mode. 20100104-1 release. + remove NOTES file from commit - private scribbling + NetBSD fixes - on 4.0 and up, use multi-af mode. + new feature: "ifconfig-ipv6-push" (from ccd/ config) + add some TODOs to TODO.IPv6 + undo accidential duplication of existing "--iroute" line in the help text + basic documentation of IPv6 related options and their syntax + Enable IPv6 Payload in OpenVPN p2mp tun server mode. + remove NOTES file from commit - private scribbling + env_block(): if PATH is not set, add standard PATH setting to env + add IPv6 route add / route delete code for windows (using "netsh") + - Win32 IPv6 ifconfig support, using "netsh" calls + drop "book ipv6" from open_tun() and tuncfg() prototypes + document recent changes and open TODOs, adapt --version info, tag release + Win32: set next-hop for IPv6 routes according to TUN/TAP mode + when deleting a route on win32, also add gateway address + WIN32: if IPv6 requested in TUN mode, check if TUN/TAP driver < 9.7 + revert unconditionally-enabling of setenv_es() logging + implement IPv6 ifconfig + route setup/deletion on OpenBSD + full "VPN client connect" test framework for OpenVPN t_client.rc-sample + renamed t_client.sh to t_client.sh.in + 2.2-beta3 has a signed TAP driver with the IPv6 code - test for 9.8 + correct URL for "more information about IPv6 patch is *here*" + bugfix for linux/iproute2: IPv6 ifconfig code block was not called for "dev tun"+"topology subnet" + bump IPv6 version number (openvpn --version) to 20100922-1 + Implement "ipv6 ifconfig" for TAP interfaces on Solaris interfaces + rebased to 2.2RC2 (beta 2.2 branch) + Windows IPv6 cleanup - properly remove IPv6 routes and interface config + For all accesses to "struct route_list * rl", check first that rl is non-NULL + Replace 32-bit-based add_in6_addr() implementation by an 8-bit based one + Platform cleanup for NetBSD + Move block for "stale-routes-check" config inside #ifdef P2MP_SERVER block + add missing break between "case IPv4" and "case IPv6" + bump tap driver version from 9.8 to 9.9 + log error message and exit for "win32, tun mode, tap driver version 9.8" + work around inet_ntop/inet_pton problems for MSVC builds on WinXP + Fix build-up of duplicate IPv6 routes on reconnect. + Fix list-overrun checks in copy_route_[ipv6_]option_list() + add "print test titles" and "use sudo" functionality to t_client.rc + Platform cleanup for FreeBSD + Implement IPv6 interface config with non-/64 prefix lengths. + Fix RUN_SUDO functionality for t_client.sh + Document IPv6-related environment variables. + Platform cleanup for OpenBSD + +Gisle Vanem (1): + Avoid re-defining uint32_t when using mingw compiler + +Gustavo Zacarias (1): + Fix compile issues when using --enable-small and --disable-ssl/--disable-crypto + +Heiko Hund (16): + add .gitignore to official repository + remove function is_proto_tcp() + remove legacy code to query IE proxy information + lowercase include header name in syshead.h + define IN6_ARE_ADDR_EQUAL macro for WIN32 + add --mark option to set SO_MARK sockopt + Windows UTF-8 input/output + UTF-8 X.509 distinguished names + set Windows environment variables as UCS-2 + handle Windows unicode paths + replace check for TARGET_WIN32 with WIN32 + do not use mode_t on Windows + use the underscore version of stat on Windows + make MSVC link against shell32 as well + move variable declaration to top of function + define access mode flag X_OK as 0 on Windows + +Igor Novgorodov (1): + The code blocks enabled by ENABLE_CLIENT_CR depends on management + +James Yonan (57): + Added "management-external-key" option. + Minor addition of logging info before and after execution of Windows net commands. + Misc fixes to r6708. + Added --x509-track option. + * added --management-up-down option to allow management interface to be notified of tunnel up/down events. + Fixed minor compile issue triggered on builds where MANAGEMENT_DEF_AUTH is not enabled. + Implemented get_default_gateway_mac_addr for Mac OS X + Fixes to r6925. + Properly handle certificate serial numbers > 32 bits. + Added "client-nat" option for stateless, one-to-one NAT on the client side. + Renamed branch to reflect that it is no longer beta. + env_filter_match now includes the serial number of all certs + Fixed issue where a client might receive multiple push replies from a server + Fixed bug introduced in r7031 that might cause this error message: + Extended "client-kill" management interface command (server-side) + Client will now try to reconnect if no push reply received within handshake-window seconds. + Version 2.1.3n + Fixed compiling issues when using --disable-crypto + Added "management-external-key" option. + Misc fixes to r6708. + win/sign.py now accepts an optional tap-dir argument. + Added "auth-token" client directive + Added ./configure --enable-osxipconfig option for Mac OS X + Added more packet ID debug info at debug level 3 for debugging false positive packet replays. + Fixed bug that incorrectly placed stricter TCP packet replay rules on UDP sessions + Fixed bug in port-share that could cause port share process to crash + For Mac OSX, when DARWIN_USE_IPCONFIG is defined, retry ipconfig command on failure + Version 2.1.3t + Revert r7092 and r7151, i.e. remove --enable-osxipconfig configure option. + Added 'dir' flag to "crl-verify" (see man page for info). + Added new "extra-certs" and "verify-hash" options + Fixed compile issues on Windows. + Added --enable-lzo-stub configure option to build an OpenVPN client without LZO + Added optional journal directory argument to "port-share" directive + Reduce log verbosity at level 3, with a focus on removing excessive log verbosity generated by port-share activity. + env_filter_match now includes the serial number of all certs in chain + Added support for static challenge/response protocol. + r7316 fixes. + Added redirect-gateway block-local flag, with support for Linux, Mac OS X + Extended x509-track to allow SHA1 certificate hash to be extracted + Added "management-query-remote" directive (client) to allow the management interface to override the "remote" directive. + Version 2.1.5. + Fixed MSVC compile error related to r7408. + Redact "echo" directive strings from log, since these strings (going forward) could conceivably contain security-sensitive data. + Modified sanitize_control_message to remove redacted data from control string rather than blotting it out with "_" chars. + Changed CC_PRINT character class to allow UTF-8 chars. + Increased the --verb threshold for "PID_ERR replay" messages to 4 from 3. + Fixed issue where redirect-gateway block-local code was not correctly calculating... + CC_PRINT character class now allows any 8-bit character value >= 32. + "status" management interface command (version >= 2) will now include the username for each connected user. + Minor fix to CC_PRINT char class + Fixed management interface bug where >FATAL notifications were not being output properly + Raised D_PID_DEBUG_LOW from level 3 to 4 to reduce replay error verbosity at level 3. + Added "memstats" option to maintain real-time operating stats in a memory-mapped file. + Fixed client issues with DHCP Router option extraction/deletion when using layer 2 with DHCP proxy: + Allow "tap-win32 dynamic <offset>" to be used in topology subnet mode. + Added support for "on-link" routes on Linux client + +Jan Just Keijser (1): + Made some options connection-entry specific + +Joe Patterson (1): + common_name passing in auth_pam plugin + +JuanJo Ciarlante (40): + * rebased openvpn-2.1_rc1b.jjo.20061206.d.patch + * created getaddr6(), use it from resolve_remote() + * migrated all getaddrinfo() to getaddr6 + * socket.c: use USE_PF_INET6 in switch constructs to actually toss them out, + * support --disable-ipv6 build properly: + * important fix for tcp6 reconnection was incorrectly creating a PF_INET socket + * added README.ipv6.txt + * fixed win32 non-ipv6 build + * ipv6 on win32 "milestone": 1st snapshot that passes all unittests + * document ipv6 milestone status + * doc update w/unittests results + * make possible to x-compile openvpn/win32 in Linux + * correctly setup hints.ai_socktype for getaddrinfo(), althought sorta hacky, see TODO.ipv6. + * renamed README.ipv6{.txt,} + * updated {README,TODO}.ipv6 from feedback at openvpn-devel mlist + * init.c: document the ENABLE_MANAGEMENT place to work on + * init.c: small in-doc tweaks + * fix multi-tcp crash (corrected assertion) + * TODO.ipv6 update + * socket.c: better buf logic in print_sockaddr_ex + * fixed segfault for undef address family in print_sockaddr_ex (thanks Marcel!) + * doc updates + * openbsd: no IFF_MULTICAST, #ifdef around it + * no new funcionality, just small cleanups + * (prototype) fix for supporting "redirect-gateway" for tunneled ipv4 over ipv6 endpoints + * polished redirect-gateway (ipv4 on ipv6 endpoints) support + * updated doc + * fix --disable-ipv6 build + * doc updates + * rebased to v2.1.1 release + * undo mroute.c changes related to ipv6 payload + * fix --multihome for ipv4 + * fix --multihome for ipv6 + * ipv6-0.4.14: fix xinetd usage + * ipv6-0.4.15: add --multihome support to xBSD + * ipv6-0.4.15b: rebase over openvpn-testing-master + * ipv6-0.4.16: fix mingw32 build + * make ipv6_payload compile under windowze + USE_PF_INET6 by default for v2.3 + fix ipv6 compilation under macosx >= 1070 - v3 + +Markus Koetter (1): + Add extv3 X509 field support to --x509-username-field + +Matthew L. Creech (1): + Fix 2.2.0 build failure when management interface disabled + +Matthias Andree (1): + Skip rather than fail test in addressless FreeBSD jails. + +Robert Fischer (8): + Update man page with info about --capath + Update man page with info about --connect-timeout + Added info about --show-proxy-settings + Documented --x509-username-field option + Documented --errors-to-stderr option + Documented --push-peer-info option + Update man page with info about --remote-random-hostname + Added man page entry for --management-client + +Samuli Seppänen (19): + Add man page entry for --redirect-private + Change all CRLF linefeeds to LF linefeeds + Fix a bug in devcon source code handling + Removed Win2k from supported platforms list in INSTALL and win/openvpn.nsi + Fixed copying of tapinstall.exe to dist/bin when using prebuilt TAP-drivers + Fixed a bug with GUI icon deletion on upgrade from 2.2-RC or earlier + Fix a build-ca issue on Windows + Add new openssl.cnf to easy-rsa/Windows + Updated "easy-rsa" for OpenSSL 1.0.0 + Made domake-win builds to use easy-rsa/2.0/openssl-1.0.0.cnf + Fixes to easy-rsa/2.0 + Merged TODO.IPv6 with TODO.ipv6 and README.IPv6 with README.ipv6 + Fixed a number of fatal build errors on Visual Studio 2008 + Fix a Visual Studio 2008 build issue in socket.c + Additional Visual Studio 2008 build fixes to tun.c + Fixed a typo in win32.h that prevented building with Visual Studio + Fixed a regression causing VS2008/Python build failure + Fix a Visual Studio 2008 build error in tun.c + Fix a Visual Studio 2008 build error in options.c + +Simon Matter (1): + Fix issues with some older GCC compilers + +Stefan Hellermann (2): + plugin.h: update prototype of plugin_call dummy in !ENABLE_PLUGIN case + Fixed typo in plugin.h + +chantra (1): + Clarify --tmp-dir option + +smos (1): + Change the netsh.exe command from "add" to "set". + 2011.12.25 -- Version 2.x-master James Yonan (1): Added support for "on-link" routes on Linux client -- these are @@ -1,5 +1,5 @@ dnl define the OpenVPN version -define(PRODUCT_VERSION,[2.x-master]) +define(PRODUCT_VERSION,[2.3-alpha1]) dnl define the TAP version define(PRODUCT_TAP_ID,[tap0901]) define(PRODUCT_TAP_WIN32_MIN_MAJOR,[9]) |