commit 136c5f015c3e7eceecc07a45655d5da5616e9131
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Tue Aug 25 06:16:47 2020 +0200

    Fix compilation with older mbed TLS versions (mbedtls_tls_prf_types undefined)
    
    The usage of the new keying material methods was not properly guarded.
    
    To avoid a number of ifdefs this commit uses a dummy struct and function.
    When we eventually drop support for non-EKM mbed TLS versions we can remove
    these.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200825041647.26235-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20812.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 5e19cc2c1bf22d44f10dc585ba69d48951dc7a86
Author: Gert Doering <gert@greenie.muc.de>
Date:   Thu Jul 23 14:19:49 2020 +0200

    Workaround FreeBSD 12+ race condition on tun/tap open with IPv6.
    
    On FreeBSD 12 (tested and verified on 12.1-RELEASE-p2), after "ifconfig
    inet6" for a tun/tap interface, there sometimes is a race condition
    where the "IFDISABLED" flag shows up after a short time frame, under
    a second, and never clears itself.  This disables use of the configured
    IPv6 address on the interface, breaking IPv6 over tun/tap operation.
    
    This only happens if ipv6_activate_all_interfaces="YES" is not
    set in /etc/rc.conf - but there might be reasons why this is not so.
    
    As a workaround until this can be fixed on the FreeBSD side (or a
    better workaround is found), sleep(1) after ifconfig, then call
    "ifconfig $dev inet6 -ifdisable".
    
    Yes, this is massively ugly but makes the problem completely go
    away for my test systems.
    
    (The same effect can be achieved with an --up script that does this,
    but it's even less pretty - see trac ticket)
    
    FreeBSD: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248172
    
    v2: reword text, refer to FreeBSD bug with much more details
    
    Trac: 1226
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <20200723121949.78223-1-gert@greenie.muc.de>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20553.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 10abd656a3ae279cea7344055ce23637b7a62f6b
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Fri Aug 14 16:51:53 2020 +0200

    Refactor key_state_export_keying_material functions
    
    This refactors the common code between mbed SSL and OpenSSL into
    export_user_keying_material and also prepares the backend functions
    to export more than one key.
    
    Also fix checking the return value of SSL_export_keying_material:
    only 1 is a success, -1 is also an error.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    
    Patch V2: Cache secrets for mbed TLS instead of generating all EKMs
              in the callback function
    
    Patch V3: comment is no longer a lie. (fixed doxygen)
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Steffan Karger <steffan@karger.me>
    Message-Id: <20200814145153.12895-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20739.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 62560e2a29144ffefec231ae7147eb4e9c7dfebf
Author: Eric Thorpe <eric@sparklabs.com>
Date:   Wed Aug 19 18:42:58 2020 -0700

    Fixes a bug in management_callback_send_cc_message, should be strlen instead of sizeof
    
    Signed-off-by: Eric Thorpe <eric@sparklabs.com>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <20200820014258.38377-1-eric@sparklabs.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20783.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 2ab0a92442dce1d82fcb9e2b305313ef668d40bf
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Fri Aug 14 10:06:19 2020 +0200

    Fix client's poor man's NCP fallback
    
    This commit fixes two separate issues which are closely linked.
    
    First, a 2.5 client cannot connect to a server which does not support NCP
    and is not using one of the default --data-ciphers (AES-*-GCM).
    
    This is because the 2.5 client does not use its configured --data-ciphers
    cipher in the "fall back to OCC based cipher negotiation" case.  Fix this.
    
    Second, do not allow the 2.5 client to use --data-ciphers-fallback in the
    above situation because that is not its intended use (only to be used if
    there is no pushed cipher [NCP] and no OCC provided cipher).
    
    To reproduce the error use a client with only --data-ciphers set against
    a server without NCP.
    
            OPTIONS ERROR: failed to negotiate cipher with server.
            Add the server's cipher  ('AES-256-CBC') to --data-ciphers
            (currently 'AES-256-CBC') if you want to connect to this server.
    
    Reported by: Richard Bonhomme <tincanteksup@gmail.com>
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Steffan Karger <steffan@karger.me>
    Message-Id: <20200814080619.2108-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20734.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit ed47c097db63f8334f32bf9482da488928ff909b
Author: Lev Stipakov <lev@openvpn.net>
Date:   Wed Aug 19 10:07:46 2020 +0300

    tun.c: enable using wintun driver under SYSTEM
    
    Commit 6d19775a468 removed the SYSTEM elevation hack,
    but introduced a regression: inability to use wintun without
    the interactive service.
    
    Proceed with ring buffer registration even if iservice is unavailable
    and display a relevant error message.
    
    Trac: #1318
    
    Signed-off-by: Lev Stipakov <lev@openvpn.net>
    Acked-by: Selva Nair <selva.nair@gmail.com>
    Message-Id: <20200819070746.197-1-lstipakov@gmail.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20780.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 2da29362cc93aa1b8c24386e162b9cdd3b55c3b1
Author: Selva Nair <selva@gaas2.nanotech.utoronto.ca>
Date:   Sun Aug 16 15:06:39 2020 -0400

    Improve the documentation for --dhcp-option
    
    - Stress that these are handled internally only on some platforms
    - Correct the statement about wintun
    - Document DOMAIN-SEARCH
    
    Signed-off-by: Selva Nair <selva.nair@gmail.com>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <1597604799-23135-1-git-send-email-selva.nair@gmail.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20759.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit bf911882532f87ae866fc3662bf7e1e136a2195e
Author: Magnus Kroken <mkroken@gmail.com>
Date:   Sat Aug 15 14:05:21 2020 +0200

    Changes.rst: fix mistyped option names
    
    Signed-off-by: Magnus Kroken <mkroken@gmail.com>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200815120522.1404-2-mkroken@gmail.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20749.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit e33f44754a5f81ea013070dba3cdc162f41d1257
Author: Magnus Kroken <mkroken@gmail.com>
Date:   Sat Aug 15 14:05:22 2020 +0200

    doc: fix typos in cipher-negotiation.rst
    
    Signed-off-by: Magnus Kroken <mkroken@gmail.com>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200815120522.1404-3-mkroken@gmail.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20748.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 7e65483d1227adfb855844467e4d30894ffc355d
Author: Gert Doering <gert@greenie.muc.de>
Date:   Thu Aug 13 12:13:01 2020 +0200

    Fix stack overflow in OpenSolaris NEXTADDR()
    
    Commit 5fde831c5807 fixed NEXTADDR() for all *BSDs and MacOS.
    
    OpenSolaris has to use a slightly different macro due to the lack of
    sockaddr->sa_len - but it has the same problem, first rounding up,
    then memmove()'ing.  Switch order.
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <20200813101301.12720-1-gert@greenie.muc.de>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20731.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit f7432a97fe41ad5ac282899a85ae72a93db99d62
Author: Gert Doering <gert@greenie.muc.de>
Date:   Wed Aug 12 12:34:59 2020 +0200

    Change version.m4 to 2.6_git
    
    2.5 has been branched off as release/2.5 now (2.5_beta1),
    so this is what will become 2.6.0 one day.
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit c1c43d46ee6e1689fd898ca43a6a6494e02dc7ff
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Wed Aug 12 10:54:12 2020 +0200

    Improve sections about older OpenVPN clients in cipher-negotiation.rst
    
     - Explain the IV_NCP=2 client situation in 2.4 a bit better.
     - Make it clearer which exact versions are meant in the old client section
     - Add a missing '-' in a heading
    
    Thanks to Richard Bonhomme for initial proofreading.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200812085412.19178-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20714.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 26b658ea10256a749f9cc55bd89dd2e65aea9772
Author: Gert Doering <gert@greenie.muc.de>
Date:   Wed Aug 12 12:08:21 2020 +0200

    Changes.rst updates in preparation to 2.5_beta1
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 079fca54b4ff5fc28520e56235cdd3c2192dd92a
Author: Gert Doering <gert@greenie.muc.de>
Date:   Wed Aug 12 12:20:33 2020 +0200

    Add deprecation notice for --ncp-disable to protocol-options.rst
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 162499591d03155e853ed44c90c12771307ee0eb
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Mon Aug 10 16:36:52 2020 +0200

    Cleanup tls_pre_decrypt_lite and tls_pre_encrypt
    
    Mostly C90 -> C99 cleanups and "return immediately" instead of
    wrapping function body into if.
    
    (Review with ignore whitespace)
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200810143707.5834-3-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20676.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit a6a15f7030b25f374a527de57dba199dc64745a3
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Tue Aug 11 12:55:41 2020 +0200

    Refactor/Reformat tls_pre_decrypt
    
    - Extract data packet handling to its own function
    - Replace two instances of
              if (x) { code }
      with
              if (!x) return; code
    
    - Remove extra curly braces that were used for pre C99 code style
      to be able to declare variables in the middle of a block
    
    This patch is easier to review with "ignore white space" as the
    diff is then a lot smaller in that case and the changes more obvious.
    
    Patch V2: Fix function name spelling, cleanup goto code in the new
              handle_data_channel_packet function
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200811105541.2543-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20707.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit e02616d82105aeb77f8f811c94fd595ca1a96eae
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Tue Aug 11 13:02:48 2020 +0200

    Document comp-lzo no and compress being incompatible
    
    Most of the new compress variants (but not the v2 ones) do use the swap
    operation. For 'compress lzo' the swap option is not used, for backwards
    compatibility. For lz4 the swap option is also not a problem since there
    is no version without swap. Unfortunately, compress introduced a second
    stub format with swap, contrary to the one in 'comp-lzo no' that does
    not use swap.
    
    Document this weirdness so that others do not fall into this trap.
    
    v2: redo patch for rst man pages
    
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200811110248.3396-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20708.html
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit c13d20fae3961ba67de3c4c85c75ebd1ac802b26
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Mon Aug 10 16:37:03 2020 +0200

    Remove S_OP_NORMAL key state.
    
    The key state is virtually identical to S_ACTIVE and we only did the
    state transition from S_ACTIVE to S_OP_NORMAL at the point where we
    normally would have timed out the TLS negotiation. This is not very
    useful information to have, and indeed we never use it anywhere.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200810143707.5834-14-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20674.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 4b4f5fe22f8ac0ffaf32185ac995da08d524dcbd
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Mon Aug 10 16:37:06 2020 +0200

    Move parsing IV_PROTO to separate function
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200810143707.5834-17-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20679.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 4edcf5710d043d366d8fd52a53b259399678309a
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Mon Aug 10 16:37:04 2020 +0200

    Skip existing interfaces on opening the first available utun on macOS
    
    This avoids the error messages from trying to open already-used utuns.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Lev Stipakov <lstipakov@gmail.com>
    Message-Id: <20200810143707.5834-15-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20665.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 42b39e987d55150b035c18c8b73c7ec08ef70d19
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Mon Aug 10 16:37:02 2020 +0200

    Merge check_coarse_timers and check_coarse_timers_dowork
    
    This simplifies the code a bit and makes the code flow clearer as
    it only adds three curly brackets in check_coarse_timers. Merging the
    resulting check_coarse_timers_dowork function into the caller and
    called function as with the other function does not make sense here
    since it does more than the similar functions.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200810143707.5834-13-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20671.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit cd88d947b100deb55bb8388fd2f1e95e0af4a658
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Mon Aug 10 16:37:01 2020 +0200

    Eliminate check_tls wrapper function
    
    Move check into caller.
    
    Remove two in-function forward declarations that are not needed from
    check_tls_errors.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200810143707.5834-12-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20670.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit eed645b34760955a060b8002dd69901cefefd0aa
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Mon Aug 10 16:37:00 2020 +0200

    Eliminate check_incoming_control_channel wrapper function
    
    Move the check that calls this function into the calling function.
    Also eliminate the if (len) check in the
    check_incoming_control_channel_dowork function as it is only called
    if len is > 0 anyway and replace it with an ASSERT.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200810143707.5834-11-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20680.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit b7aebba25645e9e9c1359313fc35724f7e0e8529
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Mon Aug 10 16:36:59 2020 +0200

    Eliminate check_fragment function
    
    This is another of the small wrapper functions where the check is
    better moved into the calling function.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200810143707.5834-10-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20672.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 76ea0859c5d0549f5d6193cbd5e43873e22d5906
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Mon Aug 10 16:36:58 2020 +0200

    Rename check_ping_restart_dowork to trigger_ping_timeout_signal
    
    Rename the function to better capture its actual function.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200810143707.5834-9-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20675.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit ce7ddaaf314553b6a4228f6bd4593b0a0a4badb4
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Mon Aug 10 16:36:57 2020 +0200

    Split pf_check_reload check and check timer in process_coarse_timers
    
    This moves the timer check into process_coarse_timers and makes it
    in line with the other functions. The pf.enabled check is also moved
    into process_coarse_timers to make it clearer that this is only used if
    pf is enabled at all.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200810143707.5834-8-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20664.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit feacd01c584898977c3450bf48d1ea5cbb9029f1
Author: Antonio Quartulli <a@unstable.cc>
Date:   Mon Aug 10 18:17:23 2020 +0200

    travis: don't run t_net.sh test
    
    Not all travis instances are fit for running the t_net.sh test due to
    various configuration knobs that we have no access to.
    
    Prevent failures by not running t_net.sh on travis at all.
    The t_net.sh is executed by other test rigs which we have more control
    over.
    
    The test is skipped by specifying RUN_SUDO=false which will make any
    pre-test fail, forcing the Makefile to skip that particular test.
    
    Signed-off-by: Antonio Quartulli <a@unstable.cc>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200810161723.25576-1-a@unstable.cc>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20684.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit e963904474ad97e0f8dfb0c9ccb57b1440cfb8f6
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Mon Aug 10 16:36:56 2020 +0200

    Remove a number of check/do_work wrapper calls from coarse_timers
    
    This indirection is not very helpful in understanding the code
    flow.  Move the check to process_coarse_timers, remove the
    check function, rename the do_work function to the "real" thing
    and then drop the do_work wrapper as it does no longer serve a
    purpose.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200810143707.5834-7-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20668.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 60200b9e1a977c32e64907ed67406dd4208e8abf
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Mon Aug 10 16:36:55 2020 +0200

    Remove buf argument from link_socket_set_outgoing_addr
    
    This was only used in a check that is better suited in the calling
    functions. This also removes passing the buf argument to
    link_socket_connection_initiated that also does not use that
    parameter at all.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200810143707.5834-6-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20677.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 33773a02082e7602053938ce5d0af284214dabc4
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Mon Aug 10 16:36:53 2020 +0200

    Clean up a number of leftover C89 initialisations in ssl.c
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200810143707.5834-4-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20666.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 2fdd332979a69d6064706ba3bb875385333b6720
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Mon Aug 10 16:36:54 2020 +0200

    Minor cleanup in push.c
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200810143707.5834-5-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20678.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit bf42466dd00c56b8b61f5cd0c7f451882e5bc861
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Mon Aug 10 11:00:32 2020 +0200

    Document different behaviour of dynamic cipher negotiation
    
    This adds a section in the man page that details the various behaviour
    of older client/servers when using OpenVPN 2.5.
    
    Patch V2: Include grammar/spelling fixes from
              Richard Bonhomme <tincanteksup@gmail.com>
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200810090032.4220-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20660.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 2c1d8c33d99d1d6d7902ea5845d7327aa6db9363
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Sun Aug 9 16:19:21 2020 +0200

    Rework NCP compatibility logic and drop BF-CBC support by default
    
    This reworks the NCP logic to be more strict about what is
    considered an acceptable result of an NCP negotiation. It also
    allows us to finally drop support for BF-CBC as default cipher.
    
    All new behaviour is currently limited to server/client
    mode with pull enabled. P2p mode without pull does not change.
    
    New Server behaviour:
    - when a client announces its supported ciphers through either
      OCC or IV_CIPHER/IV_NCP we reject the client with an
      AUTH_FAILED message if we have no common cipher.
    
    - When a client does not announce any cipher in either
      OCC or NCP we reject it unless data-ciphers-fallback is
      specified in either ccd/ or config.
    
    New client behaviour:
    - When no cipher is pushed (or a cipher we refused to support)
      and we also cannot support the server's cipher announced in
      OCC we fail the connection and log why
    
    - If there is no cipher in OCC but data-ciphers-fallback is
      specified we will use the fallback cipher instead of failing the
      connection
    
    Both client and server behaviour:
    - We only announce --cipher xyz in occ if we are willing
      to support that cipher (always announce the cipher if
      NCP is disabled or not in --client mode)
    
      It means that we only announce the fallback-cipher if
      it is also contained in --data-ciphers
    
    Compatibility behaviour:
    
    In 2.5 both client and server will use a --cipher xyz present
    in the config to automatically set --data-ciphers-fallback xyz
    and also append this cipher to the end of data-ciphers.
    
    We log a warning about this and point to --data-ciphers and
    --data-ciphers-fallback. This also happens if the configuration
    contains an explicit --cipher BF-CBC.
    
    If --cipher is not set, we only warn that previous versions
    allowed BF-CBC and point out how to re-enable BF-CBC. This will
    break configs where someone connects a 2.3 client (or older)
    to a 2.5 server AND has no explicit --cipher setting in the
    server config.  We still do it, because at some point we need
    to drop the BF-CBC default - and affected users already had the
    scary SWEET32 warning in their logs for a long time.
    
    In short: If --cipher is explicitly set then 2.5 will work the
    same as 2.4 did. When --cipher is not set, BF-CBC support is
    dropped and we warn about it.
    
    Examples of how breaking the default BF-CBC will be logged:
    
    Client side:
     - Client connecting to server that does not push cipher but
       has --cipher in OCC
    
        OPTIONS ERROR: failed to negotiate cipher with server.  Add the
                server's cipher ('BF-CBC') to --data-ciphers (currently
                'AES-256-GCM:AES-128-CBC') if you want to connect to this server.
    
     - Client connecting to a server that does not support OCC:
    
        OPTIONS ERROR: failed to negotiate cipher with server. Configure
                --data-ciphers-fallback if you want connect to this server.
    
    Server Side:
    - Server has a client only supporting BF-CBC connecting:
    
      styx/IP PUSH: No common cipher between server and client. Server
              data-ciphers: 'CHACHA20-POLY1305:AES-128-GCM:AES-256-GCM:AES-256-CBC:AES-128-CBC', client supports cipher 'BF-CBC'.
    
     - Client without OCC:
    
       styx/IP PUSH:No NCP or OCC cipher data received from peer.
       styx/IP Use --data-ciphers-fallback with the cipher the client is using
               if you want to allow the client to connect
    
    In all cases the client is rejected with this message:
    
       AUTH: Received control message: AUTH_FAILED,Data channel cipher
             negotiation failed (no shared cipher)
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    
    Patch V2: rename fallback-cipher to data-ciphers-fallback
              add all corrections from Steffan
              Ignore occ cipher for clients sending IV_CIPHERS
              move client side ncp in its own function
              do not print INSECURE cipher warning if BF-CBC is not allowed
    
    Patch V3: fix minor style, add null check when client sends no peerinfo at
              all
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200809141922.7853-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20656.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
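
The selection rules spelled out in this commit and in "Fix client's poor man NCP fallback" above, modelled in C as an added example (not OpenVPN source): the function names, the ncp_result enum, the list-size limits and the sample cipher lists are constructed, and choosing the first server-preferred cipher from the IV_CIPHERS intersection is an assumption about a tie-break the commit does not spell out.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_CIPHERS 16
#define LIST_MAX 256

/* The two failure cases match the two kinds of log message in the commit. */
enum ncp_result {
    NCP_OK,               /* cipher chosen and written to 'out' */
    NCP_NO_COMMON_CIPHER, /* peer announced ciphers, none acceptable */
    NCP_NO_CIPHER_INFO    /* peer announced nothing, no fallback configured */
};

/* Split "AES-256-GCM:AES-128-GCM" into tokens on a private copy in 'buf'. */
static size_t split_ciphers(const char *list, char *buf, size_t buflen,
                            const char *tok[], size_t max)
{
    size_t n = 0;
    if (!list || strlen(list) >= buflen)
        return 0;
    strcpy(buf, list);
    for (char *p = strtok(buf, ":"); p && n < max; p = strtok(NULL, ":"))
        tok[n++] = p;
    return n;
}

static bool cipher_in_list(const char *cipher, const char *tok[], size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(cipher, tok[i]) == 0)
            return true;
    return false;
}

static enum ncp_result pick(const char *cipher, char *out, size_t outlen)
{
    snprintf(out, outlen, "%s", cipher);
    return NCP_OK;
}

/* Server side. client_ncp: the client's IV_CIPHERS list or NULL; client_occ:
 * the --cipher it announced in OCC or NULL; fallback: --data-ciphers-fallback
 * from config or ccd/, or NULL. (Constructed model, not OpenVPN's code.) */
enum ncp_result server_select_cipher(const char *server_ciphers,
                                     const char *client_ncp, const char *client_occ,
                                     const char *fallback, char *out, size_t outlen)
{
    char sbuf[LIST_MAX], cbuf[LIST_MAX];
    const char *srv[MAX_CIPHERS], *cli[MAX_CIPHERS];
    size_t ns = split_ciphers(server_ciphers, sbuf, sizeof(sbuf), srv, MAX_CIPHERS);

    if (client_ncp) {
        /* NCP client: OCC is ignored once IV_CIPHERS is present (patch V2).
         * Assumption: the first server preference the client supports wins. */
        size_t nc = split_ciphers(client_ncp, cbuf, sizeof(cbuf), cli, MAX_CIPHERS);
        for (size_t i = 0; i < ns; i++)
            if (cipher_in_list(srv[i], cli, nc))
                return pick(srv[i], out, outlen);
        return NCP_NO_COMMON_CIPHER;
    }
    if (client_occ) {
        /* Non-NCP client: its single OCC cipher must be in our --data-ciphers. */
        return cipher_in_list(client_occ, srv, ns)
               ? pick(client_occ, out, outlen) : NCP_NO_COMMON_CIPHER;
    }
    /* No NCP or OCC cipher data from the peer: only the fallback lets it in. */
    return fallback ? pick(fallback, out, outlen) : NCP_NO_CIPHER_INFO;
}

/* Client side. pushed: cipher pushed by the server or NULL; server_occ: the
 * server's --cipher from OCC or NULL; fallback: our --data-ciphers-fallback. */
enum ncp_result client_select_cipher(const char *data_ciphers, const char *pushed,
                                     const char *server_occ, const char *fallback,
                                     char *out, size_t outlen)
{
    char buf[LIST_MAX];
    const char *mine[MAX_CIPHERS];
    size_t n = split_ciphers(data_ciphers, buf, sizeof(buf), mine, MAX_CIPHERS);

    if (pushed && cipher_in_list(pushed, mine, n))
        return pick(pushed, out, outlen);
    /* Nothing pushed (or a pushed cipher we refuse): the OCC cipher is used
     * only if it is in our own --data-ciphers; --data-ciphers-fallback is not
     * consulted here, which is the poor man's NCP fallback fix. */
    if (server_occ) {
        return cipher_in_list(server_occ, mine, n)
               ? pick(server_occ, out, outlen) : NCP_NO_COMMON_CIPHER;
    }
    /* Neither pushed nor OCC cipher: the fallback is the only remaining option. */
    return fallback ? pick(fallback, out, outlen) : NCP_NO_CIPHER_INFO;
}
```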

commit dab34fdd0639c6de8c5ca759cca00b7e60da32f1
Author: Lev Stipakov <lstipakov@gmail.com>
Date:   Wed Aug 5 06:25:48 2020 +0000

    Fix compilation with --disable-lzo and --disable-lz4
    
    struct compress_options is defined under USE_COMP, therefore
    compilation fails when it is referenced without that define.
    
    Since the function show_compression_warning, which uses the aforementioned
    struct, is only called under USE_COMP, it is safe to wrap its definition
    in USE_COMP, which fixes the compilation issue.
    
    Trac: #1308
    
    Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200805062548.38082-1-lstipakov@gmail.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20637.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 992e9cec40539a155afa9eae10502aa62f617965
Author: Vladislav Grishenko <themiron@yandex-team.ru>
Date:   Wed Aug 5 15:23:33 2020 +0500

    Log serial number of revoked certificate
    
    As it appears, commit 767e4c56becbfeea525e4695a810593f373883cd "Log
    serial number of revoked certificate" hasn't survived the refactoring
    of CRL handling.
    
    In most situations the admin of an OpenVPN server needs to know which
    particular certificate is used by a client.
    In the case when the certificate is valid, an environment variable can be
    used for that, but once it is revoked, no user scripts are invoked,
    so there is no way to get the serial number; only the subject is logged.
    
    Let's log the certificate serial in case it is revoked and additionally
    log certificate depth & subject in crl-verify "dir" mode for better
    consistency with crl file (non-dir) mode.
    
    v2: log if serial is not available, require it in crl-verify dir mode
    
    Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
    Acked-by: Lev Stipakov <lstipakov@gmail.com>
    Message-Id: <20200805102333.3109-1-themiron@yandex-team.ru>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20642.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 71d56aea895cc13aad06048066251979162db3f3
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Mon Jul 20 16:27:03 2020 +0200

    client-connect: Add documentation for the deferred client connect feature
    
    Signed-off-by: David Sommerseth <davids@openvpn.net>
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    
    Patch V5: Fix typos, clarify man page section about deferred client-connect
              script. Add section to Changes.rst
    
    Patch V6: Convert manpage to rst
    
              It also incorporates suggested changes from Richard Bonhomme
              <tincanteksup@gmail.com> [0]
    
    [0] Message-ID: <82c2d70f-e2f9-f810-2c55-788358a0cb08@gmail.com>
        URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20331.html
    
    Patch V7: Re-include the changes of Changes.rst and openvpn-plugin.h
              Clarify some parts of the documentation.
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200720142703.3324-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20511.html
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
