commit 1387f52682dcd3789c56c9979ccedca281ff88f4
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Mon Nov 30 13:38:13 2020 +0100

    Fix port-share option with TLS-Crypt v2
    
    The port-share option assumed that all openvpn initial reset packets
    are between 14 and 255 bytes long. This is not true for tls-crypt-v2.
    
    Patch V2: use correct length for TLS-Crypt v2, use length variable in
              non-tlscryptv2 test
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Steffan Karger <steffan.karger@foxcrypto.com>
    Message-Id: <20201130123813.21388-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21290.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 4d307ed431bf18d554f524ebaf111f5e136147fe
Author: Steffan Karger <steffan@karger.me>
Date:   Thu Dec 3 16:49:51 2020 +0100

    tls-crypt-v2: also preload tls-crypt-v2 keys (if --persist-key)
    
    This allows tls-crypt-v2 servers to drop privileges after reading the
    keys. Without it, the server would try to read the key file for each
    connecting client. (And clients for each reconnect.)
    
    As with the previous patch, the pre-loading was developed in parallel
    with tls-crypt-v2, and the tls-crypt-v2 patches were never amended to
    implement the pre-loading.
    
    Also as with the previous patch, it would be nicer if servers would not
    reload the tls-crypt-v2 server key for each connecting client. But let's
    first fix the issue, and see if we can improve later.
    
    Signed-off-by: Steffan Karger <steffan@karger.me>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <20201203154951.29382-2-steffan@karger.me>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21307.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit fb169c3b8fdfa9792c0eee8441956f062dfd7982
Author: Steffan Karger <steffan@karger.me>
Date:   Thu Dec 3 19:22:30 2020 +0100

    tls-crypt-v2: fix server memory leak
    
    tls-crypt-v2 was developed in parallel with the changes that allowed using
    tls-auth/tls-crypt in connection blocks. The tls-crypt-v2 patch set
    was never updated to the new reality after commit 5817b49b, causing a
    memory leak of about 600 bytes for each connecting client.
    
    It would be nicer to not reload the tls-crypt-v2 server key for each
    connecting client, but that requires more refactoring (and thus more time
    to get right). So for now just plug the leak by freeing the memory when
    we close a client connection.
    
    To test this easily, compile openvpn with -fsanitize=address, run a server
    with tls-crypt-v2, connect a client, stop the server.
    
    Signed-off-by: Steffan Karger <steffan@karger.me>
    Acked-by: Antonio Quartulli <antonio@openvpn.net>
    Message-Id: <20201203182230.33552-1-steffan@karger.me>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21310.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit dfd624b52bce7ddd0eeaab516df9848e432f3242
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Wed Dec 2 12:59:28 2020 +0100

    Remove auth_user_pass.wait_for_push variable
    
    This variable was first introduced in an earlier attempt to fix the
    auth-token problems with auth-nocache before user_password and
    auth_token were split into two variables. The idea of the variable is
    that it is set if --pull is in use. However, the variable was not always
    set correctly, especially if username/password are queried after an
    expired auth-token. Instead of using that variable, use session->opt->pull
    directly.
    
    Patch V2: rename delayed_auth_pass_purge to ssl_clean_user_pass to give
              a more fitting name since this function is not only used in
              the delayed code path and also the new name aligns with
              ssl_clean_auth_token. Also fix a leftover wait_for_push
              in that function
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20201202115928.16615-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21297.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit fb789947ab1eba3e68fb8e4b3551d095a53962bd
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Mon Nov 30 13:39:28 2020 +0100

    Fix auth-token not being updated if auth-nocache is set
    
    This fixes the auth-token not being updated if auth-nocache is set. Our
    set_auth_token method ensures that the auth-token always has a username
    but is a little bit too strict in the check.
    
    Also add doxygen documentation and remove null checks. We use this function
    only with non-null pointers and it makes it a bit nicer to read.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20201130123928.21837-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21291.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 88dc4276485bf2a4cecae3cff55d2e146dcd31ca
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Fri Oct 23 14:02:59 2020 +0200

    Make any auth failure tls_authentication_status return auth failed
    
    Previously tls_authentication_status only returned
    TLS_AUTHENTICATION_FAILED if there is no usable key at all. This
    behaviour allows continuing to use the still valid keys
    (see --tran-window). However, the OpenVPN protocol lacks a way of
    communicating that a key is not usable to a client once it reached
    the TLS authenticated status (e.g. cert checks pass but connect or
    user-pass verify fail). To avoid these desynchronisation issues
    during deferred auth and renegotiation OpenVPN quietly only starts
    using a new key after the hand-window has passed.
    
    With this change any failure on a renegotiation will lead to a
    deauthentication of a client. This also fixes a number of bugs where
    expiring auth-tokens and failed deferred auth lead to key desync
    or unexpected continuation of the VPN session.
    
    The behaviour of deauthentication of all keys on deferred auth failure
    has already been used for years if authentication is done via the
    management interface. This commit also aligns the code paths for both.
    
    A side effect might be that we also deauth clients earlier in some
    other corner cases, but the behaviour of continuing to use an old
    authenticated session while we already have a failed authentication for
    the client is most times unexpected behaviour for the user (admin).
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20201023120259.29783-7-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21223.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 55d5eaa3e021a21b9537a474c46636d4c2dcdac5
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Fri Oct 23 14:02:58 2020 +0200

    Send AUTH_FAILED message to clients on renegotiation failures
    
    This changes the exit in server mode on renegotiation to an exit that
    also sends an AUTH_FAILED to the client. Any previously set failed auth
    reason is passed to the client.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20201023120259.29783-6-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21222.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 3ac8e5923a12390f68aa901e04ab3204e326d243
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Fri Oct 23 14:02:57 2020 +0200

    Rename DECRYPT_KEY_ENABLED to TLS_AUTHENTICATED
    
    The macro's name suggests that the key is enabled and being used. But
    the macro actually does something different, yet similar enough that the
    name was probably right at some point.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20201023120259.29783-5-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21221.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit f9d3fbf9bc87ae6c05fc592712f610491a77d78b
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Fri Oct 23 14:02:56 2020 +0200

    Clean up tls_authentication_status and document it
    
    The gain of the used optimisation approach of using an array with a
    calculated index in favour of simple ifs is questionable with modern
    compilers, and the readability of the function suffers.
    
    Also change the return type from simple int to an enum and add comments
    and doxygen documentation.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20201023120259.29783-4-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21224.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit f1f0f074bf6e7b91673bfa8cb08b3be44ebda76b
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Fri Oct 23 14:02:55 2020 +0200

    Improve keys out of sync message
    
    The current message basically lacks the information to actually figure
    out why the keys are out of sync. This adds the missing information to
    that diagnostic message.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20201023120259.29783-3-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21226.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 8292102b102ff62d6b7ed1254076b822cb113162
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Fri Oct 23 14:02:54 2020 +0200

    Add more documentation about our internal TLS functions
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20201023120259.29783-2-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21220.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit cc5a71637139557a7eaa024251ff75a0acb22bc8
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Fri Oct 23 14:02:53 2020 +0200

    Replace key_scan array of static pointers with inline function
    
    The key_scan array is (was) an array that is set up as a reference to
    members of itself that have static offsets. Replace this pointer
    indirection with an inline function. This has also the advantage
    that the compiler can inline the function and just use a direct
    offset into the struct.
    
    Replacing the implicit indirection with the pointer array with an
    explicit indirection with the inline function also makes the code a
    bit easier to follow.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20201023120259.29783-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21225.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit fc25ca3a7cf720fbb53889fdba6ac0154c7c9c1a
Author: David Sommerseth <davids@openvpn.net>
Date:   Thu Oct 29 22:32:59 2020 +0100

    build: Fix missing install of man page in certain environments
    
    It turns out the logic for dist_man_MANS was incorrectly put inside the
    HAVE_PYDOCUTILS block.  This results in the man page being installed
    only if python-docutils is installed and available.
    
    The solution is simple, move the dist_man_MANS part outside the
    python-docutils block.  The openvpn.8 file is prebuilt in source
    tarballs and will thus be available.
    
    Reported-By: Philip Brown <philip@pbdigital.org>
    Tested-By: Philip Brown <philip@pbdigital.org>
    Signed-off-by: David Sommerseth <davids@openvpn.net>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20201029213259.1636-1-davids@openvpn.net>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21236.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 0d4069e41d3ba7178be30f78f1174f689dbdfa59
Author: Gert Doering <gert@greenie.muc.de>
Date:   Tue Nov 24 17:13:13 2020 +0100

    Change travis build scripts to use https when fetching prerequisites.
    
    Reported by "jub0bs" on hackerone.com (#1039504)
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <20201124161313.18831-1-gert@greenie.muc.de>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21264.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
