commit 5ac8c3c7a2a761b8430ad2a494afcda8b48fca76
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Sat Apr 3 14:24:44 2021 +0200

    Fix async push broken after auth deferred refactor
    
    Commit c5fec838e moved the auth control file related
    states into its own struct. Unfortunately I forgot
    to also do the part inside #if defined(ENABLE_ASYNC_PUSH)
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210403122444.17090-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22007.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 8ccce69dc1b7ffdb533939cf5e5d054c64e23617
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Sat Apr 3 14:30:00 2021 +0200

    log file descriptor in more socket related error messages
    
    This adds the fd to the epoll event error message and the x_check_status
    message. This helps debugging when things go wrong with event handling.
    
    Also add logging when ep_del fails to remove a socket from the structure.
    In contrast to ep_ctl, which has this as a FATAL message (M_ERR), we only
    log here since the code has been ignoring the status forever and there might
    be corner cases where a FATAL message could trigger an unintended
    regression.
    
    PATCH v2: Fix wrong order of fd,code in printed message.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210403123000.17688-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22008.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit c5fec838e749e4a1806a42c1f593f195c2d60b3b
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Wed Mar 17 14:03:11 2021 +0100

    Move auth deferred related members into its own struct
    
    This structures the code a bit nicer and also prepares for deferred
    scripts that need their own set of files.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210317130312.8585-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21671.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 6ea62d5072b81ba07b1cd1c6d97b16a571b93d40
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Thu Apr 1 14:37:51 2021 +0200

    Remove deprecated option '--keysize'
    
    This option has been deprecated in OpenVPN 2.4 and the ciphers that allow
    using this option fall all into the SWEET32 category of ciphers with
    64 bit block size.
    
    Patch V2: Remove superfluous check in OpenSSL codepath to check keysize
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Antonio Quartulli <antonio@openvpn.net>
    Message-Id: <20210401123751.31756-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21943.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 60f5889ae6f73c710c6d96a2ee71a41654d3d091
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Sun Mar 28 11:05:30 2021 +0200

    Deprecate non TLS mode in OpenVPN
    
    The non-TLS mode is a relic from OpenVPN 1.x or 2.0. When TLS mode was
    introduced the advantages of TLS over non-TLS were small but TLS mode
    evolved to include a lot more features (NCP, multipeer, AEAD ciphers to
    name a few).
    
    Today VPN setups that use --secret are mainly used because this mode is
    easier to set up and does not require setting up a PKI.  This shortcoming
    of TLS mode should be addressed now with the peer-fingerprint option.
    
    The primary reason to deprecate --secret is that it is not secure enough
    anymore for modern environments.  This mode uses a fixed pre-shared key and
    no session keys.  Thus, no forward secrecy is possible, which means that
    any captured VPN traffic can be decrypted later should the --secret key
    get into the wrong hands.  The cryptography overall used here was okay
    when --secret was introduced but is not acceptable by today's standard
    anymore.
    
    Finally, modern hardware-accelerated crypto modes like AES-GCM can only
    be used in TLS mode (due to IV requirements).
    
    Patch V2: Improve commit message
    
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210328090530.10653-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21868.html
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 79ff3f79ebd98b880e77f323bd591eeb85df8411
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Fri Feb 19 17:52:52 2021 +0100

    Allow running a default configuration with TLS libraries without BF-CBC
    
    Modern TLS libraries might drop Blowfish by default or distributions
    might disable Blowfish in OpenSSL/mbed TLS. We still signal OCC
    options with BF-CBC compatible strings. To avoid requiring BF-CBC
    for this, special-case this one usage of BF-CBC enough to avoid a hard
    requirement on Blowfish in the default configuration.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    
    Patch v2: add more clarifying comment, do not warn about OCC only insecure
              ciphers, code improvements
    
    Patch V3: Put ciphername resolution via cipher_kt_name in the right branch
    
    Patch V4: Fix corner case of BF-CBC in data-ciphers not initialising cipher.
    
    Patch v5: I accidentally resent v3 as v4. So v5 is just a resend of the real
    v4
    Acked-by: Antonio Quartulli <antonio@openvpn.net>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210219165252.4562-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21577.html
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 9e702a5d0f1d8ca0443d95ba13fc821deaa81d48
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Thu Apr 1 13:00:03 2021 +0200

    Always disable TLS renegotiations
    
    Renegotiations have been troublesome in the past and also the recent
    OpenSSL security problem (CVE-2021-3449) is only exploitable if
    TLS renegotiation is enabled.
    
    mbed TLS disables it by default and says in the documentation:
    
    Warning: It is recommended to always disable renegotiation unless you
    know you need it and you know what you're doing. In the past, there
    have been several issues associated with renegotiation or a poor
    understanding of its properties.
    
    TLS renegotiation can be used to restart a session with different
    parameters (e.g. now with client certs). This is something that OpenVPN does
    not use.
    
    For OpenSSL 1.0.2 the workaround to disable renegotiation is rather
    cumbersome. So we keep this to 1.1.1 only since 1.0.2 is on its way to
    deprecation anyway.
    
    Furthermore, because of all these problems, TLS 1.3 also completely
    drops support for renegotiations.
    
    Patch V2: Improve comments and commit message
    Patch V3: Only disable renegotiation where the SSL_OP_NO_RENEGOTIATION
              define is available. LibreSSL, wolfSSL and OpenSSL 1.0.2 are
              lacking this macro.
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Antonio Quartulli <antonio@openvpn.net>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210401110003.19689-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21939.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 203afbe95ee324ec941e35399f6655dc4f669f12
Author: Steffan Karger <steffan.karger@fox-it.com>
Date:   Wed Mar 31 20:03:23 2021 +0200

    reliable: retransmit if 3 follow-up ACKs are received
    
    To improve the control channel performance under packet loss conditions,
    add a more aggressive retransmit policy similar to what many TCP
    implementations do: retransmit a packet if the ACK timeout expires (like
    we already do), *or* if three ACKs for follow-up packets are received.
    
    The rationale behind this is that if follow-up packets *are* received, the
    connection is apparently functional and we should be able to retransmit
    immediately. This significantly improves performance for connections with
    low (up to a few percent) packet loss.
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <E1lRfW3-0001sy-VM@sfs-ml-4.v29.lw.sourceforge.com>
    URL: https://www.mail-archive.com/search?l=mid&q=E1lRfW3-0001sy-VM@sfs-ml-4.v29.lw.sourceforge.com
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
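The retransmit policy described in the commit above, as an added example that is not OpenVPN's own reliable.c: a toy sender-side window where each outstanding packet is resent either when its ACK timeout expires or when three ACKs for later packets have arrived. The struct layout, function names (`reliable_send`, `reliable_ack`, `reliable_next_retransmit`), the window size and the timeout units are assumptions made for this illustration.

```c
/* Added example, not OpenVPN code: a minimal model of the
 * "ACK timeout OR three follow-up ACKs" retransmit policy.
 * Names, window size and time units are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define WINDOW_SIZE 8
#define FOLLOWUP_ACK_THRESHOLD 3 /* follow-up ACKs that trigger a resend */

struct sent_packet {
    bool active;        /* slot holds a packet that is not yet ACKed */
    uint32_t packet_id; /* sequence number of the packet */
    int64_t next_try;   /* time at which the ACK timeout expires */
    int followup_acks;  /* ACKs seen for packets with a higher id */
};

struct reliable_send {
    struct sent_packet slots[WINDOW_SIZE];
    int64_t timeout;    /* ACK timeout, same units as "now" */
};

void reliable_init(struct reliable_send *r, int64_t timeout)
{
    for (int i = 0; i < WINDOW_SIZE; i++) {
        r->slots[i].active = false;
    }
    r->timeout = timeout;
}

/* Record that packet_id was sent at time now.
 * Returns false when the window is full. */
bool reliable_send(struct reliable_send *r, uint32_t packet_id, int64_t now)
{
    for (int i = 0; i < WINDOW_SIZE; i++) {
        struct sent_packet *p = &r->slots[i];
        if (!p->active) {
            p->active = true;
            p->packet_id = packet_id;
            p->next_try = now + r->timeout;
            p->followup_acks = 0;
            return true;
        }
    }
    return false;
}

/* Process an ACK: free the slot of acked_id and count the ACK as a
 * follow-up ACK for every outstanding packet with a lower id.
 * Returns true if acked_id was actually outstanding. */
bool reliable_ack(struct reliable_send *r, uint32_t acked_id)
{
    bool found = false;
    for (int i = 0; i < WINDOW_SIZE; i++) {
        struct sent_packet *p = &r->slots[i];
        if (!p->active) {
            continue;
        }
        if (p->packet_id == acked_id) {
            p->active = false;
            found = true;
        } else if (p->packet_id < acked_id) {
            p->followup_acks++;
        }
    }
    return found;
}

/* The policy itself: return the id of a packet to resend when its
 * timeout expired OR it has collected three follow-up ACKs, re-arming
 * its timeout and follow-up count; return -1 when nothing is due. */
int64_t reliable_next_retransmit(struct reliable_send *r, int64_t now)
{
    for (int i = 0; i < WINDOW_SIZE; i++) {
        struct sent_packet *p = &r->slots[i];
        if (!p->active) {
            continue;
        }
        if (now >= p->next_try || p->followup_acks >= FOLLOWUP_ACK_THRESHOLD) {
            p->next_try = now + r->timeout;
            p->followup_acks = 0;
            return p->packet_id;
        }
    }
    return -1;
}

int main(void)
{
    /* Constructed scenario: packets 1..5 sent at t=0, packet 1 is lost,
     * ACKs for 2, 3 and 4 arrive at t=1 (long before the timeout of 10). */
    struct reliable_send r;
    reliable_init(&r, 10);
    for (uint32_t id = 1; id <= 5; id++) {
        reliable_send(&r, id, 0);
    }
    reliable_ack(&r, 2);
    reliable_ack(&r, 3);
    reliable_ack(&r, 4);
    printf("resend at t=1: %ld\n", (long)reliable_next_retransmit(&r, 1));
    return 0;
}
```

In the scenario in `main`, packet 1 is resent at t=1 because of the three follow-up ACKs, while packet 5, which has no follow-up ACKs, still waits for its timeout; this is the "connection is apparently functional, retransmit immediately" behaviour the commit message describes.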

commit 343b61195b76796632b8948674fd1068889bb6c7
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Thu Apr 1 15:13:37 2021 +0200

    Remove do_init_socket_2 and do_init_socket_1 wrapper function
    
    These two functions basically just pass a number of fields of context to
    the linit_socket_init1/2 functions. These wrappers add little to no value
    in understanding the code, especially since linit_socket_init1 will
    just copy them to yet another structure.
    
    Remove these wrapper functions and pass context directly to the called
    function.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210401131337.3684-15-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21954.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 9fe0b2c287609cefe79aec30ff33f7a65cafd684
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Thu Apr 1 15:13:35 2021 +0200

    Extract multi_assign_peer_id into its own function
    
    This makes multi_get_create_instance_udp a bit shorter and better
    structured and also prepares this method to be called from the
    multi TCP context with DCO which will also need to assign unique peer
    ids to instances.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210401131337.3684-13-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21959.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 18b4a8380ba3237e870e84b25edf3f6e15145296
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Thu Apr 1 15:13:33 2021 +0200

    Remove thread_mode field of multi_context
    
    This is a leftover of a never functional multi threaded openvpn
    implementation attempt. It serves no purpose anymore.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210401131337.3684-11-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21952.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit aba8776e6721030565b7b4ba3f88ac537ddcc5e0
Author: Gert Doering <gert@greenie.muc.de>
Date:   Fri Apr 2 15:45:29 2021 +0200

    Fix 'compress migrate' for 2.2 clients.
    
    Commit 8fa8a17528c001a introduces "compress migrate" to move old clients
    that have "compress" or "comp-lzo" in their config towards a connection
    without compression.  This is done by looking at incoming OCC strings
    to see if the client has compression enabled, and at incoming IV_
    strings to see whether it can do "compress stub-v2" or needs to be sent
    "comp-lzo no".
    
    That check fails for 2.2 clients that do not send *any* peer-info by
    default, so the server will not push back any "disable compression"
    command.  It works if the client connects with "--push-peer-info".
    
    Fix: turn around the order of checks, treat "no peer_info" the same
    as "peer_info does not contain IV_COMP_STUBv2".
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <20210402134529.27866-1-gert@greenie.muc.de>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21974.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
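The check ordering this fix describes, as an added example that is not OpenVPN's own code: the decision for a client that signals compression via OCC, with the pre-fix shape (peer-info tested first, so a 2.2 client that sends none falls through without any push) beside the fixed shape (a missing peer-info is treated exactly like a peer-info without `IV_COMP_STUBv2`). The pre-fix function is modelled on the commit description, not copied from the repository; the function names, the enum and the simplified OCC and peer-info formats are assumptions.

```c
/* Added example, not OpenVPN code: "compress migrate" server decision.
 * The pre-fix variant is modelled on the commit description; names,
 * enum values and the string formats are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum migrate_action {
    MIGRATE_NONE,            /* client has no compression configured */
    MIGRATE_PUSH_STUB_V2,    /* push "compress stub-v2" */
    MIGRATE_PUSH_COMP_LZO_NO /* switch to "comp-lzo no" and push it */
};

/* Simplified OCC string: comma-separated items, compression is
 * indicated by a "comp-lzo" or "compress" item (constructed format). */
static bool occ_indicates_compression(const char *occ)
{
    if (!occ) {
        return false;
    }
    return strstr(occ, "comp-lzo") != NULL || strstr(occ, "compress") != NULL;
}

/* Simplified peer-info block: newline-separated "IV_KEY=value" lines.
 * Matches key only at the start of a line. NULL means the client sent
 * no peer-info at all, which is what 2.2 clients do by default. */
static bool peer_info_has_key(const char *peer_info, const char *key)
{
    if (!peer_info) {
        return false;
    }
    size_t klen = strlen(key);
    const char *p = peer_info;
    while (*p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            return true;
        }
        const char *nl = strchr(p, '\n');
        if (!nl) {
            break;
        }
        p = nl + 1;
    }
    return false;
}

/* Pre-fix shape (assumed from the description): peer-info is checked
 * first, so a client without peer-info never gets a push. */
enum migrate_action migrate_decision_before_fix(const char *occ, const char *peer_info)
{
    if (!peer_info) {
        return MIGRATE_NONE; /* 2.2 clients end up here: nothing pushed */
    }
    if (!occ_indicates_compression(occ)) {
        return MIGRATE_NONE;
    }
    if (peer_info_has_key(peer_info, "IV_COMP_STUBv2")) {
        return MIGRATE_PUSH_STUB_V2;
    }
    return MIGRATE_PUSH_COMP_LZO_NO;
}

/* Fixed shape: OCC first, then "no peer-info" and "peer-info without
 * IV_COMP_STUBv2" both fall through to the comp-lzo no path. */
enum migrate_action migrate_decision(const char *occ, const char *peer_info)
{
    if (!occ_indicates_compression(occ)) {
        return MIGRATE_NONE;
    }
    if (peer_info_has_key(peer_info, "IV_COMP_STUBv2")) {
        return MIGRATE_PUSH_STUB_V2;
    }
    return MIGRATE_PUSH_COMP_LZO_NO;
}

int main(void)
{
    /* Constructed sample inputs */
    const char *occ_lzo = "V4,dev-type tun,proto UDPv4,comp-lzo,cipher AES-256-GCM";
    const char *pi_25 = "IV_VER=2.5.1\nIV_PLAT=linux\nIV_COMP_STUBv2=1\n";
    printf("2.2 client, before fix: %d\n", migrate_decision_before_fix(occ_lzo, NULL));
    printf("2.2 client, after fix:  %d\n", migrate_decision(occ_lzo, NULL));
    printf("2.5 client, after fix:  %d\n", migrate_decision(occ_lzo, pi_25));
    return 0;
}
```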

commit 8fa8a17528c001abc7d5f45e9c2ffa3ed2f6af43
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Wed Mar 24 23:08:53 2021 +0100

    Implement '--compress migrate' to migrate to non-compression setup
    
    This option allows migration to a non-compression server config while
    still retaining compatibility with clients that have a compression
    setting in their config.
    
    For existing setups that used to have comp-lzo no or another
    compression setting in their configs it is difficult to migrate to
    a setup without compression without replacing all client configs at
    once, especially if OpenVPN 2.3 or earlier clients are in the mix that
    do not support pushing stub-v2. Even with OpenVPN 2.4 and later clients
    that support pushing this is not a satisfying solution as the clients
    log occ mismatches and the "push stub-v2" needs to be in the server
    config "forever".
    
    If the new migrate option to compress is set and a client is detected
    that indicates that compression is used (via OCC), the server will
    automatically add ``--push compress stub-v2`` to the client specific
    configuration if stub-v2 is supported by the client and otherwise
    switch to ``comp-lzo no`` and add ``--push comp-lzo`` to the client
    specific configuration.
    
    Patch v2: better commit message/man page, add USE_COMP ifdefs, various
              style fixes
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Antonio Quartulli <antonio@openvpn.net>
    Message-Id: <20210324220853.31246-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21801.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 72e1ecb5b5d282c591cc32bbd378efbebfb03918
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Thu Apr 1 15:13:32 2021 +0200

    Move is_proto function to the socket.h header
    
    These functions are small enough to be inlined and this also avoids a
    dependency on socket.c from unit_tests using those functions.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210401131337.3684-10-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21950.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 9eb285f42f73bcfb270adbae527947951615df7d
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Thu Apr 1 15:13:28 2021 +0200

    Remove unused variable pass_config_info
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210401131337.3684-6-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21948.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit c0b36e9f29c9849892909a7e377e13db6aa59f95
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Thu Apr 1 15:13:31 2021 +0200

    Remove unused function tls_test_auth_deferred_interval
    
    This function appears to be completely unused and has not been touched
    since 2008.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210401131337.3684-9-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21949.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 3667df1d668420374d91607685b67a0efbcee328
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Thu Apr 1 15:13:30 2021 +0200

    Remove unused field txqueuelen from struct tuntap
    
    The code uses tuntap->options.txqueuelen instead.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210401131337.3684-8-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21947.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 14061e3e06075065fba1939d3716fbd09f9adf70
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Thu Apr 1 15:13:29 2021 +0200

    Remove pointless tun_adjust_frame_parameters function
    
    This function seems to serve no purpose other than to add confusion.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210401131337.3684-7-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21957.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 137eb6705e57d3324fe45367419413e34a424976
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Thu Apr 1 15:13:24 2021 +0200

    Remove code for aligning non-swapped compression
    
    This is an optimisation for memory alignment for lzo. Compression is
    deprecated so this optimisation is not very important anymore.
    
    Furthermore it is conditionally compiled on !defined(ENABLE_LZ4), which
    makes the code not compiled in by default anyway.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210401131337.3684-2-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21946.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit bdc11ae462d61f0cdee5f539c7f028f58513a914
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Thu Apr 1 15:13:26 2021 +0200

    Rename tunnel_server_udp_single_threaded to tunnel_server_udp
    
    This also eliminates the confusing name and eliminates
    tunnel_server_udp as wrapper that only calls
    tunnel_server_udp_single_threaded
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210401131337.3684-4-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21955.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 213fd3ee49e670124d911634c2f52061a82357af
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Thu Apr 1 15:13:25 2021 +0200

    Remove superfluous ifdefs around enum like defines
    
    The variables are not used without the configured options but the
    ifdef around them does not help readability either.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210401131337.3684-3-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21958.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 997b006a266145c2797f7625eccb6f3623b7a59c
Author: Gert Doering <gert@greenie.muc.de>
Date:   Thu Apr 1 10:29:34 2021 +0200

    Get rid of last PLUGIN_DEF_AUTH #ifdef
    
    Commit 99d217b200 attempted to get rid of all #ifdef related to
    --disable-def-auth but one of them managed to hide.  Remove.
    
    The effect of this is that the "openvpn_acf_...tmp" files do not get
    removed when an async auth plugin is in use.  This can
    get very annoying on a busy server.
    
    Trac: #1186
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Antonio Quartulli <antonio@openvpn.net>
    Message-Id: <20210401082934.29922-1-gert@greenie.muc.de>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21933.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 76ccc62d4884721b6ecc11078abef747ea60d8d0
Author: Tõivo Leedjärv <toivol@gmail.com>
Date:   Sun Mar 28 17:11:51 2021 +0000

    Stop using deprecated getpass()
    
    The getpass() function is present in SUSv2, but marked LEGACY. It is
    removed in POSIX.1-2001. Additionally, on Solaris getpass() returns
    a maximum of 9 bytes. This will make longer passwords fail with no
    possibility for the user to know what is happening.
    
    This patch removes usage of getpass() completely and replaces it with
    direct implementation of what getpass() does: opens tty (existing code),
    outputs the prompt (existing code), turns off echoing (new code), reads
    one line (existing code shared with echoed mode), restores tty state
    (new code) and closes tty (existing code).
    
    Patch v2: incorporate review feedback, incl. style fixes, merge
              termios.h check in configure.ac with an existing
              AC_CHECK_HEADERS, add error check and logging after
              tcsetattr() when restoring tty settings
    
    Signed-off-by: Tõivo Leedjärv <toivol@gmail.com>
    Acked-by: Antonio Quartulli <antonio@openvpn.net>
    Message-Id: <20210328171151.12056-1-toivol@gmail.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21889.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 2d5c437f7cf5b4f7d43c297373827d2c3597e955
Author: Selva Nair <selva.nair@gmail.com>
Date:   Mon Mar 29 00:23:18 2021 -0400

    Remove automatic service
    
    This has been replaced by openvpnserv2 since 2.4.0 and we have
    stopped setting up this service in the installer since 2.5.0.
    
    Get rid of the unused code. The mechanics of supporting multiple
    services with the same executable are retained for possible future use.
    
    For backwards compatibility, the command line option -instance
    is unchanged as "-instance <name> id" although <name>="interactive"
    is the only supported value now.
    
    Signed-off-by: Selva Nair <selva.nair@gmail.com>
    Acked-by: Lev Stipakov <lstipakov@gmail.com>
    Message-Id: <1616991798-7179-1-git-send-email-selva.nair@gmail.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21890.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit d11c273b07c422dde358e1b1caafd12bf8682e70
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Sun Mar 28 16:36:33 2021 +0200

    Fix #elif TARGET_LINUX missing defined() call
    
    I found this when playing with building OpenVPN with cmake.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210328143633.10300-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21884.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit f91e21163708b5dc01115806cb71643144d6c3d1
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Sun Mar 28 16:20:38 2021 +0200

    Remove support for non ISO C99 vararg support
    
    We require ISO C99 as minimum support for our source code and all compilers
    should support the ISO C99 macros. Especially gcc does not need
    the gcc extensions anymore. Also MSVC has support for it (as defined
    in the config-msvc.h but also double checked)
    
    LCLINT seems to be a C analyzer that history has forgotten about. I could
    only find https://splint.org/release1.3.html and a similarly old research
    paper.
    
    Patch V2: Also remove AX_ macros from configure.ac
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Steffan Karger <steffan.karger@foxcrypto.com>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210328142038.8826-2-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21883.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 7975e33bd9122045d26d1a47294f2c47854a5f0e
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Sun Mar 28 16:20:37 2021 +0200

    Remove flexible array member autoconf check
    
    This is a configure macro that tries out how to declare a variable array
    at the end of a struct. This has been standardised in C99, so there is
    no more need for non C99 magic. See also this stackoverflow discussion:
    
    https://stackoverflow.com/questions/14643406/whats-the-need-of-array-with-zero-elements
    
    Patch V2: Also remove AX_EMPTY_ARRAY from configure.ac
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Steffan Karger <steffan.karger@foxcrypto.com>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210328142038.8826-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21882.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit ca57070630a1b2935ee606cc1309005b56eb925f
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Fri Mar 26 18:57:50 2021 +0100

    Cleanup print_details and add signature/ED certificate print
    
    This commit cleans up the logic in the function a bit. It also makes it
    clearer that the details printed in the second part of the message are
    details about the peer certificate and not the TLS connection as such.
    Also print the signature algorithm as this might help to identify
    peer certificates that still use SHA1.
    
    The new format for TLS 1.3 and an EC certificate:
    
    Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer
    certificate: 384 bit EC, curve secp384r1, signature: ecdsa-with-SHA256
    
    Using the more generic OpenSSL functions also allows us to correctly
    print details about ED certificates:
    
    Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer
    certificate: 253 bit ED25519, signature: ED25519
    
    Patch v2: Cleanup multiple calls to EVP_PKEY_id, minor code restructuring
    
    Patch v3: Always initialise sig.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Antonio Quartulli <antonio@openvpn.net>
    Message-Id: <20210326175750.4772-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21861.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 467b16dc65df711c0f1b3a8640b1fadc09c56803
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Wed Mar 24 23:23:30 2021 +0100

    Use correct types for OpenSSL and Windows APIs
    
    The error code of OpenSSL is a long. On most Unix systems
    (mac, Linux...) this happens to be the same as size_t. But on Windows
    as LP64, long is a 32 bit type and size_t is a 64 bit type. So use the
    same type as OpenSSL.
    
    When calling the Windows API use DWORD for the functions that want a
    DWORD.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210324222330.455-4-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21803.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit e756e12adb33e93f712281361ae61a1522d3df93
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Wed Mar 24 23:23:29 2021 +0100

    Fix socket related functions using int instead of socket_descriptor_t
    
    On Windows the SOCKET type is a UINT_PTR, which is a 64 bit pointer,
    so using an int worked so far but is actually quite wrong.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210324222330.455-3-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21806.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 7fc608da4ec388c9209bd009cd5053ac0ff7df38
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Wed Mar 24 23:23:27 2021 +0100

    Make buffer related function conversion explicit when narrowing
    
    Clang and gcc do report many of the narrowing conversion that MSVC
    reports, like these:
    
     warning C4267: 'function': conversion from 'size_t' to 'int', possible
    loss of data
    
    This commit changes int to size_t where it is safe
    (e.g. checked by buf_size_valid) and adds casts where necessary.
    
    In the function buffer_read_from_file the return value of fread is
    size_t (at least on Linux/Windows/macOS and cppreference), so fix the
    check to actually make sense.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210324222330.455-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21805.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 5a2ed714d14acb2312d27fe40e300be96d970c27
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Wed Mar 17 17:00:38 2021 +0100

    Restore also ping related options on a reconnect
    
    This fixes the issue that if a client reconnects the next connection
    entry inherits the keepalive settings that were pushed or set by
    the previous entry. Since UDP+PULL entries have an implicit 120s
    timeout, this timeout also got applied to a TCP session after a
    UDP entry.
    
    Patch v2: rebase on master
    
    Reported-By: Jan Just Keijser <janjust@nikhef.nl>
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Antonio Quartulli <antonio@openvpn.net>
    Message-Id: <20210317160038.25828-3-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21675.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 7064ccb9fd3578c0b25713b1c8e620ad9449f7f4
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Wed Mar 17 17:00:37 2021 +0100

    Move NCP saving and restore to the prepush restore code
    
    This unifies save/restoring options that might be changed by a push
    from the server. It also removes using the context_1 to store something
    that is not related to a SIGHUP lifetime.
    
    Patch v2: rebase on master.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Antonio Quartulli <antonio@openvpn.net>
    Message-Id: <20210317160038.25828-2-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21674.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 528a78fb144ff6a3d5865c871a402ba98fdfe21e
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Wed Mar 17 17:00:36 2021 +0100

    Move restoring pre pull options to initialising of c2 context
    
    We currently delay restoring these options until we actually must
    restore them. Since there is no reason to do so apart from the very
    minor saving of not having to execute that code when a connection fails,
    move it into the general context_2 initialisation.
    
    Patch V2: rebase on master.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Antonio Quartulli <antonio@openvpn.net>
    Message-Id: <20210317160038.25828-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21676.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 1e938c50930f29124909e120a29fb116d4c46576
Author: Simon Rozman <simon@rozman.si>
Date:   Mon Mar 22 11:39:57 2021 +0100

    openvpnserv: Cache last error before it is overridden
    
    FormatMessage() sets the last error according to its own success. This
    loses the original error code, leading to a mismatched error message and
    error number when sprintf'ed together, resulting in a confusing event log
    message.
    
    Signed-off-by: Simon Rozman <simon@rozman.si>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210322103957.1234-1-simon@rozman.si>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21789.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 1b71f8597f9de843b14c500d03bb7c9f99859667
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Mon Mar 22 11:21:19 2021 +0100

    Remove empty dummy functions
    
    These functions seem to have been added to avoid MSVC compiler warnings.
    However nowadays, they trigger compiler warnings from Clang (e.g. when
    using --disable-lzo and --disable-lz4):
    
    src/openvpn/fdmisc.c
    /Users/arne/oss/openvpn-git/src/openvpn/comp-lz4.c:315:1: error: unused
    function 'dummy' [-Werror,-Wunused-function]
    dummy(void)
    ^
    1 error generated.
    
    Testing with MSVC shows that removing these functions does not trigger
    warnings with MSVC either.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210322102119.14322-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21787.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 5b8a1231b90697774ae1dea98603bbbb9b5d9809
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Mon Mar 22 10:16:21 2021 +0100

    Deprecate the --verify-hash option
    
    Despite trying to figure out with multiple people what the use case for
    this option is, we could not come up with a good one. Checking that only
    a specific CA is used can be also done by only using that CA in the --ca
    directive.
    
    Although it feels a bit strange to deprecate the option after improving
    it with peer-fingerprint patches, all the improvements are needed for
    --peer-fingerprint and making them specific to --peer-fingerprint would
    have added more (unnecessary) changes.
    
    Patch v3: rebased on v3 version of other patches.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Antonio Quartulli <antonio@openvpn.net>
    Message-Id: <20210322091621.7864-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21779.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 26117a82d70dbd90f2260dd9895620394f040239
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Tue Sep 8 17:41:57 2020 +0200

    Document the simple self-signed certificate setup in examples
    
    Also remove the static key setup example as it is less secure and we
    want to avoid it for new setups as we want to slowly deprecate these.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Antonio Quartulli <antonio@openvpn.net>
    Message-Id: <20200908154157.13809-5-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20904.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 423ced962db3129b4ed551c489624faba4340652
Author: Jason A. Donenfeld <Jason@zx2c4.com>
Date:   Mon Mar 22 10:14:14 2021 +0100

    Support fingerprint authentication without CA certificate
    
    OpenVPN traditionally works around CAs. However many TLS-based protocols
    also allow an alternative simpler mode in which rather than verify
    certificates against CAs, the certificate itself is hashed and compared
    against a pre-known set of acceptable hashes. This is usually referred to
    as "fingerprint verification". It's popular across SMTP servers, IRC
    servers, XMPP servers, and even in the context of HTTP with pinning.
    
       * Allow not specifying the --ca parameter, to specify that
         certificates should not be checked against a CA.
    
    I've included some instructions on how to use all of this.
    
    Server side:
    ============
    
    Make self-signed cert:
    $ openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout serverkey.pem -out servercert.pem -nodes -sha256 -days 3650 -subj '/CN=server'
    
    Record our fingerprint in an environment variable for the client to use
    later:
    $ server_fingerprint="$(openssl x509 -in servercert.pem -noout -sha256 -fingerprint | sed 's/.*=//;s/\(.*\)/\1/')"
    
    Client side:
    ============
    Make self-signed cert:
    $ openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout clientkey.pem -out clientcert.pem -nodes -sha256 -days 3650 -subj '/CN=client'
    
    Record our fingerprint in an environment variable for the server to use
    later:
    $ client_fingerprint="$(openssl x509 -in clientcert.pem -noout -sha256 -fingerprint | sed 's/.*=//;s/\(.*\)/\1/')"
    
    Start server/client
    ===================
    
    Start openvpn with peer fingerprint verification:
    
    $ sudo openvpn --server 10.66.0.0 255.255.255.0 --dev tun --dh none --cert servercert.pem --key serverkey.pem --peer-fingerprint "$client_fingerprint"
    
    $ sudo openvpn --client --remote 127.0.0.1 --dev tun --cert clientcert.pem --key clientkey.pem --peer-fingerprint "$server_fingerprint" --nobind
    
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    
    Patch V2: Changes in V2 (by Arne Schwabe):
              - Only check peer certificates, not all cert levels; if you need
                multiple levels of certificate you should use a real CA
              - Use peer-fingerprint instead of tls-verify on server side in
                example.
              - rename variable ca_file_none to verify_hash_no_ca
              - do not require --ca none but allow --ca simply
                to be absent when --peer-fingerprint is present
              - adjust warning/error messages to also point to
                peer-fingerprint as valid verification method.
              - Fix mbed TLS version of not requiring CA
                not working
    
    Patch v3: Fix minor style. Remove unnecessary check of verify_hash_no_ca in
    ssl.c.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Antonio Quartulli <antonio@openvpn.net>
    Message-Id: <20210322091414.7533-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/search?l=mid&q=20210322091414.7533-1-arne@rfc2549.org
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit e5e9a07e8baee4065b7dfd65736bfa77b8329cfc
Author: Simon Rozman via Openvpn-devel <openvpn-devel@lists.sourceforge.net>
Date:   Mon Mar 22 08:43:59 2021 +0100

    tapctl: Resolve MSVC C4996 warnings
    
    wcsncat() was declared unsafe in favour of wcsncat_s(). However, the
    string concatenation follows the string length check, making wcsncat()
    safe too. Code analysis is just not smart enough (yet) to detect this.
    
    The code was refactored to use wcscat_s(), which MSVC considers "safe".
    
    Signed-off-by: Simon Rozman <simon@rozman.si>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210322074359.527-1-simon@rozman.si>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21774.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit c3a7065d5bec0ca4ad479e27c124e74fbd7c2234
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Sun Mar 21 15:33:53 2021 +0100

    Implement peer-fingerprint to check fingerprint of peer certificate
    
    This option allows pinning one or more peer certificates. It also
    prepares for doing TLS authentication without a CA and just
    self-signed certificates.
    
    Patch V2: Allow peer-fingerprint to be specified multiple times
              to allow multiple peers without needing to use inline
              syntax. (e.g. on command line).
    
    Patch V3: rebase on v3 of 1/4, reword message of verify-hash and
              peer-fingerprint incompatibility
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Antonio Quartulli <antonio@openvpn.net>
    Message-Id: <20210321143353.2677-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/search?l=mid&q=20210321143353.2677-1-arne@rfc2549.org
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit d1fe6d52ca066ec2d49712081d5056825c8973b2
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Sun Mar 21 15:25:38 2021 +0100

    Extend verify-hash to allow multiple hashes
    
    This patch introduces support for verify-hash inlining.
    When inlined, this option now allows specifying multiple fingerprints,
    one per line.
    
    Since this is a new syntax, there is no backwards compatibility to take
    care of, therefore we can drop support for SHA1. Inlined fingerprints
    are assumed to be SHA-256 only.
    
    Also print a warning about SHA1 hash being deprecated to verify
    certificates as it is not "industry standard" anymore.
    
    Patch v2: fix/clarify various comments, fix a few minor problems, allow
              the option to be specified multiple times and have that
              added to the list.
    
    Patch v3: Remove leftover variable, always call
              parse_hash_fingerprint_multiline, add comments clarifying list
              appending
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Antonio Quartulli <antonio@openvpn.net>
    Message-Id: <20210321142538.1656-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/search?l=mid&q=20210321142538.1656-1-arne@rfc2549.org
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
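
The pinning check described by the three commits above (fingerprint verification without a CA, --peer-fingerprint, and the multi-line SHA-256-only inline list), as an added Python example that is not OpenVPN code: it parses an inline fingerprint list in the colon-separated form openssl prints, rejects SHA-1 length values, and compares the SHA-256 of the peer's certificate bytes against the pins in constant time. The certificate blobs are constructed stand-ins, and tolerating comment lines and the "SHA256 Fingerprint=" prefix are our assumptions.

```python
import hashlib
import hmac
from typing import List

SHA256_LEN = 32
SHA1_LEN = 20  # rejected: the inlined syntax is SHA-256 only


def parse_fingerprint(line: str) -> bytes:
    """Parse one 'AA:BB:...' fingerprint as printed by
    `openssl x509 -noout -sha256 -fingerprint` and return the raw digest.

    Raises ValueError for anything that is not a well-formed SHA-256
    fingerprint; SHA-1 length values are rejected explicitly.
    """
    text = line.strip()
    # Tolerate the "SHA256 Fingerprint=" prefix openssl prints (assumption).
    if "=" in text:
        text = text.split("=", 1)[1]
    parts = text.split(":")
    if any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed fingerprint: {line!r}")
    raw = bytes.fromhex("".join(parts))  # ValueError on non-hex input
    if len(raw) == SHA1_LEN:
        raise ValueError("SHA-1 fingerprints are not accepted; use SHA-256")
    if len(raw) != SHA256_LEN:
        raise ValueError(f"expected {SHA256_LEN} bytes, got {len(raw)}")
    return raw


def is_valid_fingerprint(line: str) -> bool:
    """True if parse_fingerprint() accepts the line, False otherwise."""
    try:
        parse_fingerprint(line)
        return True
    except ValueError:
        return False


def parse_fingerprint_list(block: str) -> List[bytes]:
    """Parse the inline multi-line form: one fingerprint per line.
    Blank lines and lines starting with '#' are skipped (our assumption)."""
    pins = []
    for line in block.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pins.append(parse_fingerprint(line))
    return pins


def cert_fingerprint(der: bytes) -> bytes:
    """SHA-256 over the certificate's DER encoding, the value openssl prints."""
    return hashlib.sha256(der).digest()


def format_fingerprint(digest: bytes) -> str:
    """Render a digest in the colon-separated upper-case form used above."""
    return ":".join(f"{b:02X}" for b in digest)


def verify_peer(der: bytes, pins: List[bytes]) -> bool:
    """Accept the peer only if its leaf certificate's hash is pinned.

    Only the peer (leaf) certificate is checked, matching the commit's note
    that multi-level chains should use a real CA instead.
    """
    actual = cert_fingerprint(der)
    matched = False
    for pin in pins:
        # compare every pin in constant time; no early exit on a match
        if hmac.compare_digest(actual, pin):
            matched = True
    return matched


# Constructed stand-ins for DER-encoded certificates (not real certificates).
SERVER_DER = b"\x30\x82\x01\x00CONSTRUCTED-SERVER-CERT"
ROGUE_DER = b"\x30\x82\x01\x00CONSTRUCTED-ROGUE-CERT"
OTHER_DER = b"\x30\x82\x01\x00CONSTRUCTED-OTHER-CLIENT"

# Constructed inline block: one pin per line, one with the openssl prefix
# and one in lower case, as a user might paste it.
PINNED_BLOCK = "\n".join([
    "# pins for the peers we accept",
    "SHA256 Fingerprint=" + format_fingerprint(cert_fingerprint(SERVER_DER)),
    format_fingerprint(cert_fingerprint(OTHER_DER)).lower(),
])

if __name__ == "__main__":
    pins = parse_fingerprint_list(PINNED_BLOCK)
    print("server accepted:", verify_peer(SERVER_DER, pins))  # True
    print("rogue accepted:", verify_peer(ROGUE_DER, pins))    # False
```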

commit df471f4de8af0cbcf23a4e36910554bea7bd9058
Author: Simon Rozman <simon@rozman.si>
Date:   Sun Mar 21 15:46:27 2021 +0100

    iservice: Resolve MSVC C4996 warnings
    
    Lots of string functions were declared unsafe in favor of ..._s()
    counterparts. However, the code already is careful about the buffer
    size. Code analysis is just not smart enough (yet) to detect this.
    
    The code was refactored to use the ..._s() variants MSVC considers
    "safe".
    
    Signed-off-by: Simon Rozman <simon@rozman.si>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <20210321144627.1621-5-simon@rozman.si>
    URL: https://www.mail-archive.com/search?l=mid&q=20210321144627.1621-5-simon@rozman.si
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 709c3810a1d67e2c4049e852529a0a0d1338c797
Author: Simon Rozman via Openvpn-devel <openvpn-devel@lists.sourceforge.net>
Date:   Sun Mar 21 15:46:25 2021 +0100

    interactive.c: Resolve MSVC C4996 warning
    
    It's about using a standard recommended alias for the wcsdup():
    
    > warning C4996: 'wcsdup': The POSIX name for this item is deprecated.
    > Instead, use the ISO C and C++ conformant name: _wcsdup. See online
    > help for details.
    
    And the documentation says:
    
    > The Microsoft-implemented POSIX function names strdup and wcsdup are
    > deprecated aliases for the _strdup and _wcsdup functions. By default,
    > they generate Compiler warning (level 3) C4996. The names are
    > deprecated because they don't follow the Standard C rules for
    > implementation-specific names. However, the functions are still
    > supported.
    >
    > We recommend you use _strdup and _wcsdup instead. Or, you can continue
    > to use these function names, and disable the warning. For more
    > information, see Turn off the warning and POSIX function names.
    
    Reference:
    https://docs.microsoft.com/en-us/cpp/c-runtime-library/reference/strdup-wcsdup
    
    Signed-off-by: Simon Rozman <simon@rozman.si>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <20210321144627.1621-3-simon@rozman.si>
    URL: https://www.mail-archive.com/search?l=mid&q=20210321144627.1621-3-simon@rozman.si
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 26540310efa8c8955f38974969b317460c075dd4
Author: Simon Rozman via Openvpn-devel <openvpn-devel@lists.sourceforge.net>
Date:   Sun Mar 21 15:46:24 2021 +0100

    tun.c: Remove dead code
    
    Signed-off-by: Simon Rozman <simon@rozman.si>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <20210321144627.1621-2-simon@rozman.si>
    URL: https://www.mail-archive.com/search?l=mid&q=20210321144627.1621-2-simon@rozman.si
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 6eb28f7cb4c6746465b4cfd3892e521391d596fb
Author: Max Fillinger <max@max-fillinger.net>
Date:   Fri Mar 19 22:54:48 2021 +0100

    Wipe Socks5 credentials after use
    
    Plaintext authentication is not exactly high security, but we might as
    well memzero the credentials before leaving the function.
    
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210319215448.38350-1-max@max-fillinger.net>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21738.html
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit f9d9fe55754dd019bb4c4add180dd780f9102b44
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Fri Mar 19 16:31:28 2021 +0100

    Move extract_iv_proto to ssl_util.c/h
    
    This function is used by both NCP and push, so move it to a more proper
    place.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: David Sommerseth <davids@openvpn.net>
    Message-Id: <20210319153129.8734-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21732.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 45e7d4124c258b8c5b682909b1a0e93ded4cd0cf
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Fri Mar 19 12:46:31 2021 +0100

    Fix multiple problems when compiling with LLVM/Windows (clang-cl)
    
    When using the LLVM clang compiler instead of the MSVC cl.exe but with
    the same build environment as MSVC, clang encounters a few errors:
    
    src\openvpn\socket.c(3550,23): warning: assigning to 'CHAR *' (aka 'char
    *') from 'uint8_t *' (aka 'unsigned char *') converts between pointers to
    integer types with different sign [-Wpointer-sign]
            wsabuf[0].buf = BPTR(&sock->reads.buf);
                          ^ ~~~~~~~~~~~~~~~~~~~~~~
    src\openvpn\socket.c(3670,23): warning: assigning to 'CHAR *' (aka 'char
    *') from 'uint8_t *' (aka 'unsigned char *') converts between pointers to
    integer types with different sign [-Wpointer-sign]
            wsabuf[0].buf = BPTR(&sock->writes.buf);
                          ^ ~~~~~~~~~~~~~~~~~~~~~~~
    
    Use BSTR instead of BPTR, which casts to the correct type that is
    expected.
    
    src\compat\compat-gettimeofday.c(105,18): error: assignment to cast is
    illegal, lvalue casts are not supported
        tv->tv_sec = (long)last_sec = (long)sec;
    
    Split into two assignments to avoid the illegal cast
    
    include\stdint.h(18,28): error: typedef redefinition with different types
    ('signed char' vs 'char')
    typedef signed char        int8_t;
                               ^
    openvpn\config-msvc.h(162,16): note: previous definition is here
    typedef __int8 int8_t;
    
    Remove our custom int type typedefs from config-msvc.h and replace them
    with an include of inttypes.h.
    
    C:\Program Files (x86)\Windows
    Kits\10\include\10.0.19041.0\shared\tcpmib.h(56,3): error: typedef
    redefinition with different types ('enum MIB_TCP_STATE' vs 'int')
    } MIB_TCP_STATE;
      ^
    C:\Users\User\source\repos\openvpn\src\openvpn/syshead.h(369,13): note:
    previous definition is here
    typedef int MIB_TCP_STATE;
                ^
    1 error generated.
    
    This seems to be for mingw32 only, so guard this with a mingw32
    compiler guard.
    
    \src\openvpn\tun.c(3727,34): warning: passing 'char [256]' to parameter of
    type 'LPBYTE' (aka 'unsigned char *') converts between pointers to integer
    types with different sign [-Wpointer-sign]
                                     net_cfg_instance_id,
                                     ^~~~~~~~~~~~~~~~~~~
    C:\Program Files (x86)\Windows
    Kits\10\include\10.0.19041.0\um\winreg.h(955,88): note: passing argument
    to parameter 'lpData' here
    
    This is Windows-specific code, use the Windows LPBYTE in the
    definitions. (long pointer to BYTE; the "long pointer" is a far/near
    pointer relict from Windows 16 bit times, in modern words (unsigned char *))
    
    Also fix a few other char vs uint8/unsigned char/BYTE issues in tun.c
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210319114631.20459-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21719.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 1480903e1c52b3064250672c5221f71f95d8b5a5
Author: Juliusz Sosinowicz <juliusz@wolfssl.com>
Date:   Fri Mar 19 14:43:22 2021 +0100

    README.wolfssl Update
    
    Updates for the wolfSSL README file:
    - fix typos
    - correct wolfSSL company spelling
    - add a point of contact for users having problems using OpenVPN + wolfSSL
    
    Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210319134322.131905-1-juliusz@wolfssl.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21722.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 9b2e80340d247bc7c73752d542be4d15511eb04e
Author: Lev Stipakov <lev@openvpn.net>
Date:   Fri Mar 19 04:33:17 2021 +0200

    Remove compat-lz4 references from VS project files
    
    Commit 24596b25 ("build: Remove compat-lz4") removed lz4 compat layer,
    but didn't remove references from VS project files.
    
    Signed-off-by: Lev Stipakov <lev@openvpn.net>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210319023317.15050-1-lstipakov@gmail.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21723.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 60c18b45c04f4c86241d9f6e4dc422c5c07405a1
Author: Juliusz Sosinowicz <juliusz@wolfssl.com>
Date:   Thu Mar 18 19:12:58 2021 +0100

    build: Add support for pkg-config < 0.28 for old autoconf versions
    
    The PKG_CHECK_VAR() macro is not available on versions of pkgconfig before
    0.28, which breaks configure on RHEL-7, Ubuntu 16, and others.
    
    This patch copies the definition generated by newer versions of autoconf
    to be used for compatibility with older versions. Tested with automake
    1.14.1-2ubuntu1 and autoconf 2.69-6 on Ubuntu 14.
    
    Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
    Acked-by: David Sommerseth <davids@openvpn.net>
    Message-Id: <20210318181258.89704-1-juliusz@wolfssl.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21708.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit f38819b7e42ea99f6ae218be6e6345c397c1af4c
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Fri Apr 17 09:43:45 2020 +0200

    Add README.wolfssl documenting the state of wolfSSL in OpenVPN
    
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200417074345.5694-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19758.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit f6dca235ae560597a0763f0c98fcc9130b80ccf4
Author: Juliusz Sosinowicz <juliusz@wolfssl.com>
Date:   Wed Mar 17 19:11:53 2021 +0100

    Support for wolfSSL in OpenVPN
    
    This patch adds support for wolfSSL in OpenVPN. Support is added by using
    wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged
    and instead the OpenSSL includes point to wolfSSL headers and OpenVPN is
    linked against the wolfSSL library. The wolfSSL installation directory is
    detected using pkg-config.
    
    As requested by OpenVPN maintainers, this patch does not include
    wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN
    in the configure script wolfSSL will include wolfssl/options.h on its own
    (change added in https://github.com/wolfSSL/wolfssl/pull/2825). The patch
    adds an option `--disable-wolfssl-options-h` in case the user would like
    to supply their own settings file for wolfSSL.
    
    wolfSSL:
    Support added in: https://github.com/wolfSSL/wolfssl/pull/2503
    ```
    git clone https://github.com/wolfSSL/wolfssl.git
    cd wolfssl
    ./autogen.sh
    ./configure --enable-openvpn
    make
    sudo make install
    ```
    
    OpenVPN:
    ```
    autoreconf -i -v -f
    ./configure --with-crypto-library=wolfssl
    make
    make check
    sudo make install
    ```
    
    Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <20210317181153.83716-1-juliusz@wolfssl.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21686.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 4524feb2bbbb6d1bd463a0c5c2d53aae5bdf360a
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Tue Mar 16 13:44:21 2021 +0100

    Avoid generating unnecessary mbed debug messages
    
    The main motivation to make this change is to avoid a crash in mbed TLS
    2.25 with --verb < 8.
    
    mbed TLS 2.25 has a nasty bug that the print function for Montgomery style
    EC curves (Curve25519 and Curve448) does segfault. See also the issue
    reported here: https://github.com/ARMmbed/mbedtls/issues/4208
    
    We always request debug level 3 from mbed TLS but filter out any debug
    output of level 3 unless verb 8 or higher is set. This commit sets
    the debug level to 2 to avoid this problem by making mbed TLS not
    generate the problematic debug output.
    
    For the affected version, the way to still use --verb 8 with mbed TLS
    2.25 is to restrict the EC groups to ones that do not crash the print
    function, e.g. with '--tls-groups secp521r1:secp384r1:secp256r1'.
    
    This patch has no impact on user-visible behaviour on unaffected mbed TLS
    versions.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    
    Patch V2: Replace magic constant with proper define. Highlight more that
              this avoids generating unnecessary debug output rather than the
              crash workaround.
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Steffan Karger <steffan@karger.me>
    Message-Id: <20210316124421.1635-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21667.html
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 24596b258aa3a9c0bd79e7e7bd4753c48a435408
Author: David Sommerseth <davids@openvpn.net>
Date:   Wed Mar 17 23:06:42 2021 +0100

    build: Remove compat-lz4
    
    Since 2014, the OpenVPN project has shipped an adopted LZ4 library to be
    enabled if no LZ4 libraries were found on the system.  This was due to
    the LZ4 library not being available on all platforms and it was vastly
    better than the older LZO compression algorithm.  But this was years
    before VORACLE and related attack vectors affecting VPN connections,
    where compression is considered a vulnerability.
    
    The OpenVPN project is gradually moving away from supporting compression,
    so shipping our own LZ4 library is no longer wanted.  It will now only
    use the LZ4 compression libraries found on the host, and can otherwise
    be disabled completely with ./configure --disable-lz4.
    
    Signed-off-by: David Sommerseth <davids@openvpn.net>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210317220642.38741-1-openvpn@sf.lists.topphemmelig.net>
    URL: https://www.mail-archive.com/search?l=mid&q=20210317220642.38741-1-openvpn@sf.lists.topphemmelig.net
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 4170da0778b926cea748c319163fdcfc7c6bc445
Author: Richard Bonhomme <tincanteksup@gmail.com>
Date:   Wed Mar 17 22:34:48 2021 +0000

    Do not print Diffie Hellman parameters file to log file
    
    Suppress printing the complete Diffie Hellman parameters file
    to the log file when it has been configured as an inline file.
    
    Signed-off-by: Richard Bonhomme <tincanteksup@gmail.com>
    Acked-by: Antonio Quartulli <antonio@openvpn.net>
    Message-Id: <20210317223448.1278818-1-tincanteksup@gmail.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21688.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 476990d41ad78ac4419a3743cdab55c85c41b041
Author: Juliusz Sosinowicz <juliusz@wolfssl.com>
Date:   Fri Mar 12 16:06:29 2021 +0100

    EVP_DigestSignFinal siglen parameter correction
    
    In the EVP_DigestSignFinal API, "before the call the siglen parameter
    should contain the length of the sig buffer".
    
    Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <20210312150629.57302-1-juliusz@wolfssl.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21663.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit b0bff5590152fbcc5b4d47c18817838fd00c58c3
Author: Gert Doering <gert@greenie.muc.de>
Date:   Wed Mar 10 13:48:08 2021 +0100

    Require at least 100MB of mlock()-able memory if --mlock is used.
    
    If --mlock is used, the amount of memory OpenVPN can use is guarded
    by the RLIMIT_MEMLOCK value (see mlockall(2)).  The OS default for this
    is usually 64 Kbyte, which is enough for OpenVPN to initialize, but
    as soon as the first TLS handshake comes in, OpenVPN will crash due
    to "out of memory", and might even end up in a crash loop.
    
    Steady-state OpenVPN requires between 8 MB and 30-50 MB (servers with
    many concurrent clients) of memory.  TLS renegotiation with EC keys
    requires up to 90 MB of transient memory.
    
    So: with this patch, we check if getrlimit() is available, and if yes,
    log the amount of mlock'able memory.  If the amount is below 100 MB,
    which is an arbitrary value "large enough for most smaller deployments",
    we try to increase the limits to 100 MB, and abort if this fails.
    
    v2:
      change arbitrary number to 100 MB, introduce #define for it
      not only check but also increase with setrlimit()
      uncrustify fixes
    
    v3:
      OpenSolaris has mlockall() and getrlimit(), but no RLIMIT_MEMLOCK -
        make code conditional on HAVE_GETRLIMIT *and* RLIMIT_MEMLOCK
      add Changes.rst entry
    
    Trac: #1390
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Selva Nair <selva.nair@gmail.com>
    Message-Id: <20210310124808.14741-1-gert@greenie.muc.de>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21657.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
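
The check the commit above describes, as an added Python example (not OpenVPN's C code) using the standard resource module: log the RLIMIT_MEMLOCK soft and hard limits, decide whether the 100 MB floor is met, and try setrlimit() when it is not, returning False where OpenVPN would abort. The function names are ours; the decision step is kept free of side effects so it can be exercised without touching real limits.

```python
import resource

MLOCK_MIN_BYTES = 100 * 1024 * 1024  # the commit's "large enough" floor
RLIM_INFINITY = resource.RLIM_INFINITY
# Mirrors the commit's "HAVE_GETRLIMIT *and* RLIMIT_MEMLOCK" condition:
# some platforms (the commit names OpenSolaris) have getrlimit() but no
# RLIMIT_MEMLOCK, and Python then simply lacks the attribute.
HAVE_RLIMIT_MEMLOCK = hasattr(resource, "RLIMIT_MEMLOCK")


def fmt(value):
    """Human-readable limit value for log lines."""
    if value == RLIM_INFINITY:
        return "unlimited"
    return f"{value // (1024 * 1024)} MB ({value} bytes)"


def memlock_decision(soft, hard, required=MLOCK_MIN_BYTES):
    """Pure decision step (no side effects).

    Returns (action, new_soft, new_hard) where action is:
      "ok"    - the current soft limit already covers `required`
      "raise" - setrlimit() should be called with (new_soft, new_hard);
                the hard limit is only touched when it is itself too small
    RLIM_INFINITY counts as large enough.
    """
    if soft == RLIM_INFINITY or soft >= required:
        return ("ok", soft, hard)
    if hard == RLIM_INFINITY or hard >= required:
        return ("raise", required, hard)
    return ("raise", required, required)


def ensure_mlock_limit(required=MLOCK_MIN_BYTES, log=print):
    """Check, log and if needed raise RLIMIT_MEMLOCK.

    Returns True when the process may lock at least `required` bytes and
    False when raising failed; the commit aborts OpenVPN in that case.
    Raising the *hard* limit needs CAP_SYS_RESOURCE (or root), so an
    unprivileged process can only succeed up to its current hard limit.
    """
    if not HAVE_RLIMIT_MEMLOCK:
        log("RLIMIT_MEMLOCK not available on this platform, skipping check")
        return True
    soft, hard = resource.getrlimit(resource.RLIMIT_MEMLOCK)
    log(f"mlock'able memory: soft={fmt(soft)} hard={fmt(hard)}")
    action, new_soft, new_hard = memlock_decision(soft, hard, required)
    if action == "ok":
        return True
    try:
        resource.setrlimit(resource.RLIMIT_MEMLOCK, (new_soft, new_hard))
    except (ValueError, OSError) as err:
        # ValueError: "not allowed to raise maximum limit"; OSError: EPERM etc.
        log(f"could not raise RLIMIT_MEMLOCK to {fmt(required)}: {err}")
        return False
    log(f"raised RLIMIT_MEMLOCK to {fmt(new_soft)}")
    return True


if __name__ == "__main__":
    # Decision table for the cases the commit describes (64 KB OS default,
    # unlimited hard limit, already unlimited), then the real check.
    for soft, hard in [(64 * 1024, 64 * 1024), (64 * 1024, RLIM_INFINITY),
                       (RLIM_INFINITY, RLIM_INFINITY)]:
        print(fmt(soft), fmt(hard), "->", memlock_decision(soft, hard)[0])
    ok = ensure_mlock_limit()
    print("would continue" if ok else "would abort (like OpenVPN with --mlock)")
```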

commit fdb4f27685f38621b72467e3038c2116f0e809c4
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Mon Jan 25 13:56:25 2021 +0100

    Allow pending auth to be sent from an auth plugin
    
    Patch v2: removed change that slipped into this patch and belongs
              into the next
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: David Sommerseth <davids@openvpn.net>
    Message-Id: <20210125125628.30364-9-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21489.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit d8ed59320e619eb5c9e5ba2acbac1a4fecae36b1
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Wed Mar 10 11:28:23 2021 +0100

    Change parameter of send_auth_pending_messages from context to tls_multi
    
    This prepares send_auth_pending_messages to be used in a context that
    does not have context c available but also does not need to schedule
    an immediate sending of the message (auth plugin/script)
    
    Patch V2: Adjust the comment of reschedule_multi_process to actually fit a
              function.
    
    Patch V3: Rebase needed because v3 of 3/11
    
    Patch V4: Send with push.h prototype
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Lev Stipakov <lstipakov@gmail.com>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210310102823.29508-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/search?l=mid&q=20210310102823.29508-1-arne@rfc2549.org
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 88664aba69a8aab0e600200c445024fbaf7bab80
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Fri Feb 26 12:10:12 2021 +0100

    Refactor extract_var_peer_info into standalone function and add ssl_util.c
    
    Our "natural" place for this function would be ssl.c but ssl.c has a lot of
    dependencies on all kinds of other compilation units so including ssl.c
    into unit tests is near impossible currently. Instead create a new file
    ssl_util.c that holds small utility functions like this one.
    
    Patch v2: add newline at the end of ssl_util.h and ssl_util.c
    
    Patch v3: Refactor/clean up the function even more as suggested by Gert.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Lev Stipakov <lstipakov@gmail.com>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20210226111012.21269-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21585.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 53229047a259b2edb9034802a33fe27636675ff9
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Wed Mar 3 13:38:18 2021 +0100

    Implement server side of AUTH_PENDING with extending timeout
    
    Patch V2: eliminate parse_kid function, fix style
    Patch V3: adding missing parameter in function, this was added
              by a later patch in the original series
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Lev Stipakov <lstipakov@gmail.com>
    Message-Id: <20210303123818.16012-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21596.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 4cf01c8e4381403998341aa32f79f4bf24c7ccb1
Author: Gert Doering <gert@greenie.muc.de>
Date:   Mon Mar 8 12:44:05 2021 +0100

    Fix EVP_PKEY_CTX_... compilation with LibreSSL
    
    Commit 06f6cf3ff850f29 introduced use of newer OpenSSL functions
    for the TLS 1.0-1.1 PRF, to make OpenVPN work with FIPS-enabled OpenSSL.
    
    LibreSSL masquerades as "very new OpenSSL" but does not have these
    functions (or at least not on the OpenBSD system tested), so compilation
    breaks.
    
    Add a "but not if LibreSSL" check to the OpenSSL version check, as we
    do in other places.
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <20210308114405.19066-1-gert@greenie.muc.de>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21628.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

commit 06f6cf3ff850f2930bf4a864ae9898407e94ffb9
Author: Arne Schwabe <arne@rfc2549.org>
Date:   Fri Mar 5 15:13:52 2021 +0100

    Prefer TLS library's TLS PRF function, fix OpenVPN in FIPS mode
    
    This moves from using our own copy of the TLS1 PRF function to using
    TLS library provided function where possible. This includes currently
    OpenSSL 1.1.0+ and mbed TLS 2.18+.
    
    For the libraries where it is not possible to use the library's own
    function, we still use our own implementation. mbed TLS will continue
    to use our own old PRF function while for OpenSSL we will use an
    adapted version from OpenSSL 1.0.2t code. That version can be
    used in a FIPS enabled environment.
    
    The old OpenSSL and mbed TLS implementation could have shared some
    more code but as we will eventually drop support for older TLS
    libraries, the separation makes it easier to remove that code
    individually.
    
    In FIPS mode MD5 is normally forbidden. The TLS1 PRF1 function we
    use makes use of MD5, which in the past has caused OpenVPN to segfault.
    The new implementation for OpenSSL version of our custom implementation
    has added the special flags that tell OpenSSL that this specific use
    of MD5 is allowed in FIPS mode.
    
    No FIPS conformity testing etc. has been done, this is only about
    allowing OpenVPN on a system where FIPS mode has been enabled system
    wide (e.g. on RHEL derivates).
    
    Patch v4: Handle the unlikely case that PRF generation fails. More
              formatting fixes.
    Patch v5: v4 with the formatting fixes actually committed. sigh.
    
    Patch v6: More formatting fixes, make OpenSSL function return bool instead
              of int.
    
    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Antonio Quartulli <antonio@openvpn.net>
    Message-Id: <20210305141352.21847-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21612.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
