-rw-r--r-- ChangeLog 56
-rw-r--r-- Changes.rst 56
-rw-r--r-- version.m4 4
3 files changed, 114 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index e0d6222..f74a7bc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,62 @@
OpenVPN ChangeLog
Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>
+2023.03.24 -- Version 2.6.2
+
+Antonio Quartulli (6):
+ dco: don't use NetLink to exchange control packets
+ dco: print version to log if available
+ dco-linux: remove M_ERRNO flag when printing netlink error message
+ multi: don't call DCO APIs if DCO is disabled
+ dco-freebsd: use m->instances[] instead of m->hash
+ dco-linux: implement dco_get_peer_stats{, multi} API
+
+Arne Schwabe (12):
+ Set netlink socket to be non-blocking
+ Ensure n = 2 is set in key2 struct in tls_crypt_v2_unwrap_client_key
+ Fix memory leaks in open_tun_dco()
+ Fix memory leaks in HMAC initial packet generation
+ Use key_state instead of multi for tls_send_payload parameter
+ Make sending plain text control message session aware
+ Only update frame calculation if we have a valid link sockets
+ Improve description of compat-mode
+ Simplify --compress parsing in options.c
+ Refuse connection if server pushes an option contradicting allow-compress
+ Add 'allow-compression stub-only' internally for DCO
+ Parse compression options and bail out when compression is disabled
+
+Frank Lichtenheld (1):
+ tests/unit_tests: Fix 'make distcheck' with subdir-objects enabled
+
+Gert Doering (1):
+ preparing release 2.6.2
+
+Heiko Hund (1):
+ dns option: allow up to eight addresses per server
+
+Kristof Provost (1):
+ dco: print FreeBSD version
+
+Lev Stipakov (4):
+ Support --inactive option for DCO
+ Fix '--inactive <time> 0' behavior for DCO
+ Print DCO client stats on SIGUSR2
+ Don't overwrite socket flags when using DCO on Windows
+
+Michael Baentsch (1):
+ using OpenSSL3 API for EVP PKEY type name reporting
+
+Selva Nair (8):
+ Bugfix: Convert ECDSA signature form pkcs11-helper to DER encoded form
+ Import some sample certificates into Windows store for testing
+ Add tests for finding certificates in Windows cert store
+ Refactor SSL_CTX_use_CryptoAPI_certificate()
+ Add a test for signing with certificates in Windows store
+ Unit tests: add test for SSL_CTX_use_Cryptoapi_certificate()
+ Improve error message on short read from socks proxy
+ Make error in setting metric for IPv6 interface non-fatal
+
+
2023.03.08 -- Version 2.6.1
Arne Schwabe (13):
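Review bot: The Selva Nair entry "Bugfix: Convert ECDSA signature form pkcs11-helper to DER encoded form" has "form" where "from" is meant, and the two entries naming SSL_CTX_use_CryptoAPI_certificate() and SSL_CTX_use_Cryptoapi_certificate() spell the function with different capitalisation. If these lines are copied from commit subjects they cannot be changed here, in which case Changes.rst is the place where the wording should be correct.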
diff --git a/Changes.rst b/Changes.rst
index a61fea3..4fc1f3b 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -1,12 +1,68 @@
Overview of changes in 2.6.2
============================
+New features
+------------
+- implement byte counter statistics for DCO Linux (p2mp server and client)
+
+- implement byte counter statistics for DCO Windows (client only)
+
+- '--dns server <n> address ...' now permits up to 8 v4 or v6 addresses
+
+- fix a few cases of possibly undefined behaviour detected by ASAN
+
+- add more unit tests for Windows cryptoapi interface
+
+
Bug fixes
---------
- sending of AUTH_PENDING and INFO_PRE messages fixed (OpenVPN/openvpn#256)
+- Windows: do not treat "setting IPv6 interface metric failed" as fatal
+ error on "block-dns" install - this can happen if IPv6 is disabled on
+ the interface and is not harmful in itself (GH #294)
+
+- fix '--inactive' if DCO is in use
+ NOTE: on FreeBSD, this is not working yet (missing per-peer stats)
+
+- DCO-Linux: do not print errno on netlink errors (errno is not set by NL)
+
+- SOCKS client: improve error reporting on server disconnects
+
+- DCO-Linux: fix lockups due to netlink buffer overflows on high
+ client connect/disconnect activity. See "User visible changes" for
+ more details of this.
+
+- fix some uses of the OpenSSL3 API for non-default providers
+ (enable use of quantum-crypto OpenSSL provider)
+
+- fix memory leak of approx. 1600 bytes per incoming initial TLS packet
+
+- fix bug when using ECDSA signatures with OpenSSL 3.0.x and pkcs11-helper
+ (data format conversion was not done properly)
+
+- fix 'make distcheck' - unexpected side effect of 'subdir-objects'
+
+- fix ASSERT() with dynamic tls-crypt and --tls-crypt-v2 (GH #272)
+
+
User visible changes
--------------------
+- print (kernel) DCO version on startup - helpful for getting a more
+ complete picture of the environment in use.
+
+- New control packets flow for data channel offloading on Linux.
+ 2.6.2+ changes the way OpenVPN control packets are handled on
+ Linux when DCO is active, fixing the lockups observed with 2.6.0/2.6.1
+ under high client connect/disconnect activity.
+ This is an *INCOMPATIBLE* change and therefore an ovpn-dco kernel
+ module older than v0.2.20230323 (commit ID 726fdfe0fa21) will not
+ work anymore and must be upgraded. The kernel module was renamed to
+ "ovpn-dco-v2.ko" in order to highlight this change and ensure that
+ users and userspace software could easily understand which version
+ is loaded. Attempting to use the old ovpn-dco with 2.6.2+ will
+ lead to disabling DCO at runtime.
+
- The ``client-pending-auth`` management command now requires also the
key id. The management version has been changed to 5 to indicate this change.
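Review bot: In the "New features" list, "fix a few cases of possibly undefined behaviour detected by ASAN" is a fix rather than a feature and belongs under "Bug fixes" next to the memory-leak entry, where someone deciding whether to upgrade will look for it; "add more unit tests for Windows cryptoapi interface" is not user-facing either. The issue references mix two styles ("OpenVPN/openvpn#256" in the context line, "GH #294" and "GH #272" in the added ones), so pick one. In the *INCOMPATIBLE* ovpn-dco note, the closing sentence says an old module leads to DCO being disabled at runtime; point operators to the DCO version line printed on startup (first item of this section) as the way to confirm which module is loaded.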
diff --git a/version.m4 b/version.m4
index 0164fe3..fb7a3c1 100644
--- a/version.m4
+++ b/version.m4
@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN])
define([PRODUCT_TARNAME], [openvpn])
define([PRODUCT_VERSION_MAJOR], [2])
define([PRODUCT_VERSION_MINOR], [6])
-define([PRODUCT_VERSION_PATCH], [.1])
+define([PRODUCT_VERSION_PATCH], [.2])
m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
-define([PRODUCT_VERSION_RESOURCE], [2,6,1,0])
+define([PRODUCT_VERSION_RESOURCE], [2,6,2,0])
dnl define the TAP version
define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])
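Review bot: The patch level is bumped by hand in two places, PRODUCT_VERSION_PATCH ([.2]) and PRODUCT_VERSION_RESOURCE ([2,6,2,0]), and nothing in the visible lines ties them together. Both agree in this hunk; a dnl comment above PRODUCT_VERSION_PATCH noting that PRODUCT_VERSION_RESOURCE must be updated with it would make a mismatch in a later release less likely.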