Ubuntu
openvpn package

Merge ~lvoytek/ubuntu/+source/openvpn:openvpn-merge-2.6.5 into ubuntu/+source/openvpn:ubuntu/devel

Proposed by Lena Voytek on 2023-07-11

Status:

Merged

Approved by:

git-ubuntu bot on 2023-07-13

Approved revision:

not available

Merge reported by:

Lena Voytek

Merged at revision:

81aa2326b2e0bce8d9a82d40db431b3ba4429bc9

Proposed branch:

~lvoytek/ubuntu/+source/openvpn:openvpn-merge-2.6.5

Merge into:

ubuntu/+source/openvpn:ubuntu/devel

Diff against target:

1827 lines (+414/-592)

41 files modified

COPYING (+47/-0)
ChangeLog (+47/-0)
Changes.rst (+70/-1)
Makefile.in (+2/-2)
build/msvc/msvc-generate/Makefile.am (+2/-1)
build/msvc/msvc-generate/Makefile.in (+2/-1)
build/msvc/msvc-generate/version.m4.in (+3/-0)
configure (+13/-13)
debian/changelog (+10/-0)
debian/control (+2/-1)
debian/patches/series (+0/-2)
dev/null (+0/-463)
doc/man-sections/vpn-network-options.rst (+2/-7)
doc/openvpn.8 (+2/-7)
doc/openvpn.8.html (+2/-7)
include/openvpn-plugin.h (+1/-1)
sample/sample-plugins/Makefile (+13/-13)
sample/sample-plugins/client-connect/sample-client-connect.c (+6/-0)
sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c (+2/-2)
src/openvpn/crypto_openssl.c (+1/-1)
src/openvpn/dco_freebsd.c (+8/-0)
src/openvpn/dco_freebsd.h (+1/-0)
src/openvpn/dco_linux.c (+6/-1)
src/openvpn/error.c (+10/-5)
src/openvpn/forward.c (+21/-11)
src/openvpn/multi.c (+4/-0)
src/openvpn/options.c (+3/-5)
src/openvpn/ovpn_dco_freebsd.h (+1/-0)
src/openvpn/pkcs11_openssl.c (+1/-1)
src/openvpn/pool.c (+0/-2)
src/openvpn/push.c (+0/-1)
src/openvpn/socket.c (+1/-1)
src/openvpn/ssl.c (+6/-0)
src/openvpn/ssl.h (+3/-0)
src/openvpn/tun.c (+2/-3)
src/openvpn/win32.c (+6/-5)
src/openvpnserv/interactive.c (+0/-1)
src/tapctl/main.c (+105/-27)
tests/Makefile.am (+3/-1)
tests/Makefile.in (+4/-4)
version.m4 (+2/-2)

Undecided

Fix Released

Link a bug report

Reviewer	Date Requested	Status
git-ubuntu bot		Approve on 2023-07-13
Lucas Kanashiro (community)	2023-07-11	Approve on 2023-07-13
Canonical Server Reporter	2023-07-11	Pending
Review via email: mp+446546@code.launchpad.net

Description of the change

Update OpenVPN to 2.6.5. Unfortunately Debian is still on 2.6.3 so I added upstream's source directly.

PPA: https://launchpad.net/~lvoytek/+archive/ubuntu/openvpn-update-mantic

Autopkgtest results:

  openvpn @ amd64:
    11.07.23 17:55:38 Log 🗒️ ✅ Triggers: openvpn/2.6.5-0ubuntu1~ppa1
  openvpn @ arm64:
    11.07.23 18:01:20 Log 🗒️ ✅ Triggers: openvpn/2.6.5-0ubuntu1~ppa1
  openvpn @ armhf:
    11.07.23 17:53:15 Log 🗒️ ✅ Triggers: openvpn/2.6.5-0ubuntu1~ppa1
  openvpn @ s390x:
    11.07.23 17:56:16 Log 🗒️ ✅ Triggers: openvpn/2.6.5-0ubuntu1~ppa1

~lvoytek/ubuntu/+source/openvpn:openvpn-merge-2.6.5 updated on 2023-07-11

81aa232... by Lena Voytek on 2023-07-11: changelog

Revision history for this message

Lucas Kanashiro (lucaskanashiro) wrote on 2023-07-13:

I am going to review this MP.

Revision history for this message

Lucas Kanashiro (lucaskanashiro) wrote on 2023-07-13:

Thanks for this MP Lena! The changes LGTM, +1.

review: Approve

Revision history for this message

git-ubuntu bot (git-ubuntu-bot) wrote on 2023-07-13:

Approvers: lvoytek, lucaskanashiro
Uploaders: lvoytek, lucaskanashiro
MP auto-approved

review: Approve

Revision history for this message

Lena Voytek (lvoytek) wrote on 2023-07-13:

Thanks! uploaded

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Lena Voytek

git-ubuntu developers

 diff --git a/COPYING b/COPYING
 index e12c514..ab59cef 100644
 --- a/COPYING
 +++ b/COPYING
@@ -31,6 +31,53 @@ OpenVPN license:
    file, but you are not obligated to do so.  If you do not wish to
    do so, delete this exception statement from your version.
++Apache2 linking exception:
++---------------------------
++OpenVPN is currently undergoing a license change to add an exception for
++Apache 2 linking. The following exception is only valid for new contributions
++after 2023-05-03 and past contribution where the authors have already agreed
++to the exception.
++
++  In addition, as a special exception, OpenVPN Inc and the
++  contributors give permission to link the code of this program to
++  libraries (the "Libraries") licensed under the Apache License
++  version 2.0 (this work and any linked library the "Combined Work")
++  and copy and distribute the Combined Work without an obligation to
++  license the Libraries under the GNU General Public License v2
++  (GPL-2.0) as required by Section 2 of the GPL-2.0, and without an
++  obligation to refrain from imposing any additional restrictions in
++  the Apache License version 2 that are not in the GPL-2.0, as
++  required by Section 6 of the GPL-2.0.  You must comply with the
++  GPL-2.0 in all other respects for the Combined Work, including
++  the obligation to provide source code.  If you modify this file, you
++  may extend this exception to your version of the file, but you are
++  not obligated to do so.  If you do not wish to do so, delete this
++  exception statement from your version.
++
++For better understanding, in plain non-legalese English this basically says:
++
++ * The intention for this license exception is to allow OpenVPN to be
++   linked against APL-2 licensed libraries, even where the GPL-2.0 and
++   APL-2 licenses conflict from a legal perspective.
++
++ * OpenVPN itself will stay GPL-2.0 and the code belonging to the
++   OpenVPN project must comply to the GPL-2.0 license.  This is NOT
++   dual-licensing of the OpenVPN code base.
++
++ * This license exception DOES NOT require NOR expect a license change
++   of the APL-2 based library.  This exception allows using the APL-2
++   library as-is.  However, when distributing a compiled OpenVPN binary
++   linking against APL-2 libraries ("Combined Work"), the REQUIREMENT is
++   that the APL-2 library MUST also be available on similar terms as in
++   GPL-2.0, like providing the source code of the library upon request,
++   except in the two specific ways mentioned.
++
++ * If the APL-2 based library forbids such linking and distribution,
++   this license exception DOES NOT overrule the restriction of the APL-2
++   based library.  If the APL-2 library cannot satisfy the requirements
++   in this license exception, you CANNOT distribute an OpenVPN binary
++   linked with this library.
++
  LZO license:
  ------------
 diff --git a/ChangeLog b/ChangeLog
 index 32e9ffc..4678c06 100644
 --- a/ChangeLog
 +++ b/ChangeLog
@@ -1,6 +1,53 @@
  OpenVPN ChangeLog
  Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>
++2023.06.13 -- Version 2.6.5
++
++Arne Schwabe (1):
++      Fix use-after-free with EVP_CIPHER_free
++
++Frank Lichtenheld (6):
++      dco_linux: properly close dco version file
++      DCO: fix memory leak in dco_get_peer_stats_multi for Linux
++      Fix two unused assignments
++      sample-plugins: Fix memleak in client-connect example plugin
++      options: remove --key-method from usage message
++      msvc-generate: include version.m4.in in tarball
++
++Ilya Shipitsin (1):
++      src/openvpn/dco_freebsd.c: handle malloc failure
++
++Lev Stipakov (2):
++      dco-win: support for --dev-node
++      tapctl: generate driver-specific adapter names
++
++Selva Nair (2):
++      Correctly handle Unicode names for exit event
++      Interactive service: do not force a target desktop for openvpn.exe
++
++
++2023.05.11 -- Version 2.6.4
++
++Arne Schwabe (3):
++      Remove unused variable line
++      Add Apache2 linking with for new commits
++      Fix compile error on TARGET_ANDROID
++
++Frank Lichtenheld (2):
++      man page: Remove cruft from --topology documentation
++      tests: do not include t_client.sh in dist
++
++Kristof Provost (1):
++      DCO: support key rotation notifications
++
++Michael Nix (1):
++      fix typo in help text: --ignore-unknown-option
++
++Selva Nair (2):
++      Format Windows error message in Unicode
++      Bugfix: dangling pointer passed to pkcs11-helper
++
++
 .04.13 -- Version 2.6.3
  Frank Lichtenheld (3):
 diff --git a/Changes.rst b/Changes.rst
 index f4d7487..e47d6b0 100644
 --- a/Changes.rst
 +++ b/Changes.rst
@@ -1,3 +1,72 @@
++Overview of changes in 2.6.5
++============================
++
++User visible changes
++--------------------
++- tapctl (windows): generate driver-specific names (if using tapctl to
++  create additional tap/wintun/dco devices, and not using --name)
++  (Github #337)
++
++- interactive service (windows): do not force target desktop for
++  openvpn.exe - this has no impact for normal use, but enables running
++  of OpenVPN in a scripted way when no user is logged on (for example,
++  via task scheduler) (Github OpenVPN/openvpn-gui#626)
++
++Bug fixes
++---------
++- fix use-after-free with EVP_CIPHER_free
++
++- fix building with MSVC from release tarball (missing version.m4.in)
++
++- dco-win: repair use of --dev-node to select specific DCO drivers
++  (Github #336)
++
++- fix missing malloc() return check in dco_freebsd.c
++
++- windows: correctly handle unicode names for "exit event"
++
++- fix memleak in client-connect example plugin
++
++- fix fortify build problem in keying-material-exporter-demo plugin
++
++- fix memleak in dco_linux.c/dco_get_peer_stats_multi() - this will
++  leak a small amount of memory every 15s on DCO enabled servers,
++  leading to noticeable memory waste for long-running processes.
++
++- dco_linux.c: properly close dco version file (fd leak)
++
++
++Overview of changes in 2.6.4
++============================
++
++User visible changes
++--------------------
++- License amendment: all NEW commits fall under a modified license that
++  explicitly permits linking with Apache2 libraries (mbedTLS, OpenSSL) -
++  see COPYING for details.  Existing code will fall under the new license
++  as soon as all contributors have agreed to the change - work ongoing.
++
++New features
++------------
++- DCO: support kernel-triggered key rotation (avoid IV reuse after 2^32
++  packets).  This is the userland side, accepting a message from kernel,
++  and initiating a TLS renegotiation.  As of release, only implemented in
++  FreeBSD kernel.
++
++Bug fixes
++---------
++- fix pkcs#11 usage with OpenSSL 3.x and PSS signing (Github #323)
++
++- fix compile error on TARGET_ANDROID
++
++- fix typo in help text
++
++- manpage updates (--topology)
++
++- encoding of non-ASCII windows error messages in log + management fixed
++  (use UTF8 "as for everything else", not ANSI codepages)  (Github #319)
++
++
  Overview of changes in 2.6.3
  ============================
@@ -21,7 +90,7 @@ Bug fixes
  - Windows DCO driver: use correct crypto library so it loads on x86,
    see GH OpenVPN/ovpn-dco-win#43
--
++
  Overview of changes in 2.6.2
 diff --git a/Makefile.in b/Makefile.in
 index 07c5246..fc46921 100644
 --- a/Makefile.in
 +++ b/Makefile.in
@@ -219,8 +219,8 @@ am__define_uniq_tagged_files = \
  DIST_SUBDIRS = $(SUBDIRS)
  am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/config.h.in \
  	$(srcdir)/version.sh.in AUTHORS COPYING ChangeLog INSTALL NEWS \
--	README compile config.guess config.sub install-sh ltmain.sh \
--	missing
++	README compile config.guess config.sub depcomp install-sh \
++	ltmain.sh missing
  DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
  distdir = $(PACKAGE)-$(VERSION)
  top_distdir = $(distdir)
 diff --git a/build/msvc/msvc-generate/Makefile.am b/build/msvc/msvc-generate/Makefile.am
 index aa4f0da..9d04326 100644
 --- a/build/msvc/msvc-generate/Makefile.am
 +++ b/build/msvc/msvc-generate/Makefile.am
@@ -15,4 +15,5 @@ MAINTAINERCLEANFILES = \
  dist_noinst_DATA = \
  	msvc-generate.vcxproj \
  	Makefile.mak \
--	msvc-generate.js
++	msvc-generate.js \
++	version.m4.in
 diff --git a/build/msvc/msvc-generate/Makefile.in b/build/msvc/msvc-generate/Makefile.in
 index 5920425..06fcf6c 100644
 --- a/build/msvc/msvc-generate/Makefile.in
 +++ b/build/msvc/msvc-generate/Makefile.in
@@ -337,7 +337,8 @@ MAINTAINERCLEANFILES = \
  dist_noinst_DATA = \
  	msvc-generate.vcxproj \
  	Makefile.mak \
--	msvc-generate.js
++	msvc-generate.js \
++	version.m4.in
  all: all-am
 diff --git a/build/msvc/msvc-generate/version.m4.in b/build/msvc/msvc-generate/version.m4.in
 new file mode 100644
 index 0000000..cbb4fef
 --- /dev/null
 +++ b/build/msvc/msvc-generate/version.m4.in
@@ -0,0 +1,3 @@
++define([OPENVPN_VERSION_MAJOR], [@PRODUCT_VERSION_MAJOR@])
++define([OPENVPN_VERSION_MINOR], [@PRODUCT_VERSION_MINOR@])
++define([OPENVPN_VERSION_PATCH], [@PRODUCT_VERSION_PATCH@])
 diff --git a/configure b/configure
 index 42f8b80..ac890a3 100755
 --- a/configure
 +++ b/configure
@@ -1,6 +1,6 @@
  #! /bin/sh
  # Guess values for system-dependent variables and create Makefiles.
--# Generated by GNU Autoconf 2.71 for OpenVPN 2.6.3.
++# Generated by GNU Autoconf 2.71 for OpenVPN 2.6.5.
+ #
  # Report bugs to <openvpn-users@lists.sourceforge.net>.
+ #
@@ -621,8 +621,8 @@ MAKEFLAGS=
  # Identity of this package.
  PACKAGE_NAME='OpenVPN'
  PACKAGE_TARNAME='openvpn'
--PACKAGE_VERSION='2.6.3'
--PACKAGE_STRING='OpenVPN 2.6.3'
++PACKAGE_VERSION='2.6.5'
++PACKAGE_STRING='OpenVPN 2.6.5'
  PACKAGE_BUGREPORT='openvpn-users@lists.sourceforge.net'
  PACKAGE_URL=''
@@ -1522,7 +1522,7 @@ if test "$ac_init_help" = "long"; then
    # Omit some internal or obsolete options to make the list less imposing.
    # This message is too long to be a string in the A/UX 3.1 sh.
    cat <<_ACEOF
--\`configure' configures OpenVPN 2.6.3 to adapt to many kinds of systems.
++\`configure' configures OpenVPN 2.6.5 to adapt to many kinds of systems.
  Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1593,7 +1593,7 @@ fi
  if test -n "$ac_init_help"; then
    case $ac_init_help in
--     short | recursive ) echo "Configuration of OpenVPN 2.6.3:";;
++     short | recursive ) echo "Configuration of OpenVPN 2.6.5:";;
     esac
    cat <<\_ACEOF
@@ -1830,7 +1830,7 @@ fi
  test -n "$ac_init_help" && exit $ac_status
  if $ac_init_version; then
    cat <<\_ACEOF
--OpenVPN configure 2.6.3
++OpenVPN configure 2.6.5
  generated by GNU Autoconf 2.71
  Copyright (C) 2021 Free Software Foundation, Inc.
@@ -2487,7 +2487,7 @@ cat >config.log <<_ACEOF
  This file contains any messages produced by compilers while
  running configure, to aid debugging if configure makes a mistake.
--It was created by OpenVPN $as_me 2.6.3, which was
++It was created by OpenVPN $as_me 2.6.5, which was
  generated by GNU Autoconf 2.71.  Invocation command line was
    $ $0$ac_configure_args_raw
@@ -3267,13 +3267,13 @@ if test -z "${htmldir}"; then
  fi
--printf "%s\n" "#define OPENVPN_VERSION_RESOURCE 2,6,3,0" >>confdefs.h
++printf "%s\n" "#define OPENVPN_VERSION_RESOURCE 2,6,5,0" >>confdefs.h
  OPENVPN_VERSION_MAJOR=2
  OPENVPN_VERSION_MINOR=6
--OPENVPN_VERSION_PATCH=.3
++OPENVPN_VERSION_PATCH=.5
  printf "%s\n" "#define OPENVPN_VERSION_MAJOR 2" >>confdefs.h
@@ -3282,7 +3282,7 @@ printf "%s\n" "#define OPENVPN_VERSION_MAJOR 2" >>confdefs.h
  printf "%s\n" "#define OPENVPN_VERSION_MINOR 6" >>confdefs.h
--printf "%s\n" "#define OPENVPN_VERSION_PATCH \".3\"" >>confdefs.h
++printf "%s\n" "#define OPENVPN_VERSION_PATCH \".5\"" >>confdefs.h
@@ -3811,7 +3811,7 @@ fi
  # Define the identity of the package.
   PACKAGE='openvpn'
-- VERSION='2.6.3'
++ VERSION='2.6.5'
  printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h
@@ -20072,7 +20072,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
  # report actual input values of CONFIG_FILES etc. instead of their
  # values after options handling.
  ac_log="
--This file was extended by OpenVPN $as_me 2.6.3, which was
++This file was extended by OpenVPN $as_me 2.6.5, which was
  generated by GNU Autoconf 2.71.  Invocation command line was
    CONFIG_FILES    = $CONFIG_FILES
@@ -20140,7 +20140,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\
  cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
  ac_cs_config='$ac_cs_config_escaped'
  ac_cs_version="\\
--OpenVPN config.status 2.6.3
++OpenVPN config.status 2.6.5
  configured by $0, generated by GNU Autoconf 2.71,
    with options \\"\$ac_cs_config\\"
 diff --git a/debian/changelog b/debian/changelog
 index 339f1ca..b713198 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,13 @@
++openvpn (2.6.5-0ubuntu1) mantic; urgency=medium
++
++  * New Upstream release 2.6.5 (LP: #2018095)
++  * d/p/fix-dangling-pointer-in-pkcs11.patch:
++    Remove - fixed upstream in 2.6.4
++  * d/p/fix-memleak-in-dco_get_peer_stats_multi.patch:
++    Remove - fixed upstream in 2.6.5
++
++ -- Lena Voytek <lena.voytek@canonical.com>  Tue, 11 Jul 2023 09:36:08 -0700
++
  openvpn (2.6.3-2ubuntu1) mantic; urgency=low
    * Merge from Debian unstable. Remaining changes:
 diff --git a/debian/control b/debian/control
 index 3708bd7..4eb5de3 100644
 --- a/debian/control
 +++ b/debian/control
@@ -1,7 +1,8 @@
  Source: openvpn
  Section: net
  Priority: optional
--Maintainer: Bernhard Schmidt <berni@debian.org>
++Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
++XSBC-Original-Maintainer: Bernhard Schmidt <berni@debian.org>
  Uploaders: Jörg Frings-Fürst <debian@jff.email>
  Build-Depends:
   debhelper-compat (= 12),
 diff --git a/debian/patches/fix-dangling-pointer-in-pkcs11.patch b/debian/patches/fix-dangling-pointer-in-pkcs11.patch
 deleted file mode 100644
 index 3ca2ad5..0000000
 --- a/debian/patches/fix-dangling-pointer-in-pkcs11.patch
 +++ /dev/null
@@ -1,37 +0,0 @@
--From 7e4becb4cd8be7f0d5ff80cf80877ea152f99830 Mon Sep 17 00:00:00 2001
--From: Selva Nair <selva.nair@gmail.com>
--Date: Tue, 9 May 2023 13:05:17 -0400
--Subject: [PATCH] Bugfix: dangling pointer passed to pkcs11-helper
--
--Github: Fixes OpenVPN/openvpn#323
--
--Signed-off-by: Selva Nair <selva.nair@gmail.com>
--Acked-by: Gert Doering <gert@greenie.muc.de>
--Message-Id: <20230509170517.2637245-1-selva.nair@gmail.com>
--URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26640.html
--Signed-off-by: Gert Doering <gert@greenie.muc.de>
--(cherry picked from commit f4850745709c5b80ab7d09c03a86c5ceea6d10a2)
-----
-- src/openvpn/pkcs11_openssl.c | 2 +-
-- 1 file changed, 1 insertion(+), 1 deletion(-)
--
--diff --git a/src/openvpn/pkcs11_openssl.c b/src/openvpn/pkcs11_openssl.c
--index eee86e17b6f..9b0ab39f9cf 100644
----- a/src/openvpn/pkcs11_openssl.c
--+++ b/src/openvpn/pkcs11_openssl.c
--@@ -165,6 +165,7 @@ xkey_pkcs11h_sign(void *handle, unsigned char *sig,
-- {
--     pkcs11h_certificate_t cert = handle;
--     CK_MECHANISM mech = {CKM_RSA_PKCS, NULL, 0}; /* default value */
--+    CK_RSA_PKCS_PSS_PARAMS pss_params = {0};
--
--     unsigned char buf[EVP_MAX_MD_SIZE];
--     size_t buflen;
--@@ -203,7 +204,6 @@ xkey_pkcs11h_sign(void *handle, unsigned char *sig,
--         }
--         else if (!strcmp(sigalg.padmode, "pss"))
--         {
---            CK_RSA_PKCS_PSS_PARAMS pss_params = {0};
--             mech.mechanism = CKM_RSA_PKCS_PSS;
--
--             if (!set_pss_params(&pss_params, sigalg, cert))
 diff --git a/debian/patches/fix-memleak-in-dco_get_peer_stats_multi.patch b/debian/patches/fix-memleak-in-dco_get_peer_stats_multi.patch
 deleted file mode 100644
 index 8f4aedf..0000000
 --- a/debian/patches/fix-memleak-in-dco_get_peer_stats_multi.patch
 +++ /dev/null
@@ -1,33 +0,0 @@
--From 5e8a571af165c867ccb9c4c9e6334620f42013ac Mon Sep 17 00:00:00 2001
--From: Frank Lichtenheld <frank@lichtenheld.com>
--Date: Mon, 15 May 2023 16:21:16 +0200
--Subject: [PATCH] DCO: fix memory leak in dco_get_peer_stats_multi for Linux
--
--Leaks a small amount of memory every 15s.
--
--Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
--Acked-by: Antonio Quartulli <a@unstable.cc>
--Message-Id: <20230515142116.33135-1-frank@lichtenheld.com>
--URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26659.html
--Signed-off-by: Gert Doering <gert@greenie.muc.de>
--(cherry picked from commit 276f7c86d70666bc2ab4e6192ef5f1dcbd6a230f)
-----
-- src/openvpn/dco_linux.c | 5 ++++-
-- 1 file changed, 4 insertions(+), 1 deletion(-)
--
--diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c
--index 796e6f25da4..2bfdf980a3a 100644
----- a/src/openvpn/dco_linux.c
--+++ b/src/openvpn/dco_linux.c
--@@ -925,7 +925,10 @@ dco_get_peer_stats_multi(dco_context_t *dco, struct multi_context *m)
--
--     nlmsg_hdr(nl_msg)->nlmsg_flags |= NLM_F_DUMP;
--
---    return ovpn_nl_msg_send(dco, nl_msg, dco_parse_peer_multi, m, __func__);
--+    int ret = ovpn_nl_msg_send(dco, nl_msg, dco_parse_peer_multi, m, __func__);
--+
--+    nlmsg_free(nl_msg);
--+    return ret;
-- }
--
-- static int
 diff --git a/debian/patches/series b/debian/patches/series
 index dcd22e8..cd8779c 100644
 --- a/debian/patches/series
 +++ b/debian/patches/series
@@ -3,5 +3,3 @@ auth-pam_libpam_so_filename.patch
  #debian_nogroup_for_sample_files.patch
  openvpn-pkcs11warn.patch
  systemd.patch
--fix-dangling-pointer-in-pkcs11.patch
--fix-memleak-in-dco_get_peer_stats_multi.patch
 diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst
 index 8e3c92e..abf9f24 100644
 --- a/doc/man-sections/vpn-network-options.rst
 +++ b/doc/man-sections/vpn-network-options.rst
@@ -499,7 +499,7 @@ routing.
      Use a point-to-point topology, by allocating one /30 subnet
      per client. This is designed to allow point-to-point semantics when some
      or all of the connecting clients might be Windows systems. This is the
--    default on OpenVPN 2.0.
++    default.
    :code:`p2p`
      Use a point-to-point topology where the remote endpoint of
@@ -513,12 +513,7 @@ routing.
      configuring the tun interface with a local IP address and subnet mask,
      similar to the topology used in ``--dev tap`` and ethernet bridging
      mode. This mode allocates a single IP address per connecting client and
--    works on Windows as well. Only available when server and clients are
--    OpenVPN 2.1 or higher, or OpenVPN 2.0.x which has been manually patched
--    with the ``--topology`` directive code. When used on Windows, requires
--    version 8.2 or higher of the TAP-Win32 driver. When used on \*nix,
--    requires that the tun driver supports an ``ifconfig``\(8) command which
--    sets a subnet instead of a remote endpoint IP address.
++    works on Windows as well.
    *Note:* Using ``--topology subnet`` changes the interpretation of the
    arguments of ``--ifconfig`` to mean "address netmask", no longer "local
 diff --git a/doc/openvpn.8 b/doc/openvpn.8
 index 5b5ad52..c539404 100644
 --- a/doc/openvpn.8
 +++ b/doc/openvpn.8
@@ -5234,7 +5234,7 @@ always be compatible between client and server.
  Use a point\-to\-point topology, by allocating one /30 subnet
  per client. This is designed to allow point\-to\-point semantics when some
  or all of the connecting clients might be Windows systems. This is the
--default on OpenVPN 2.0.
++default.
  .TP
  .B \fBp2p\fP
  Use a point\-to\-point topology where the remote endpoint of
@@ -5248,12 +5248,7 @@ Use a subnet rather than a point\-to\-point topology by
  configuring the tun interface with a local IP address and subnet mask,
  similar to the topology used in \fB\-\-dev tap\fP and ethernet bridging
  mode. This mode allocates a single IP address per connecting client and
--works on Windows as well. Only available when server and clients are
--OpenVPN 2.1 or higher, or OpenVPN 2.0.x which has been manually patched
--with the \fB\-\-topology\fP directive code. When used on Windows, requires
--version 8.2 or higher of the TAP\-Win32 driver. When used on *nix,
--requires that the tun driver supports an \fBifconfig\fP(8) command which
--sets a subnet instead of a remote endpoint IP address.
++works on Windows as well.
  .UNINDENT
  .sp
  \fINote:\fP Using \fB\-\-topology subnet\fP changes the interpretation of the
 diff --git a/doc/openvpn.8.html b/doc/openvpn.8.html
 index 91939ab..5e90af1 100644
 --- a/doc/openvpn.8.html
 +++ b/doc/openvpn.8.html
@@ -4568,7 +4568,7 @@ always be compatible between client and server.</p>
  <dd>Use a point-to-point topology, by allocating one /30 subnet
  per client. This is designed to allow point-to-point semantics when some
  or all of the connecting clients might be Windows systems. This is the
--default on OpenVPN 2.0.</dd>
++default.</dd>
  <dt><code>p2p</code></dt>
  <dd>Use a point-to-point topology where the remote endpoint of
  the client's tun interface always points to the local endpoint of the
@@ -4580,12 +4580,7 @@ Windows systems.</dd>
  configuring the tun interface with a local IP address and subnet mask,
  similar to the topology used in <tt class="docutils literal"><span class="pre">--dev</span> tap</tt> and ethernet bridging
  mode. This mode allocates a single IP address per connecting client and
--works on Windows as well. Only available when server and clients are
--OpenVPN 2.1 or higher, or OpenVPN 2.0.x which has been manually patched
--with the <tt class="docutils literal"><span class="pre">--topology</span></tt> directive code. When used on Windows, requires
--version 8.2 or higher of the TAP-Win32 driver. When used on *nix,
--requires that the tun driver supports an <tt class="docutils literal">ifconfig</tt>(8) command which
--sets a subnet instead of a remote endpoint IP address.</dd>
++works on Windows as well.</dd>
  </dl>
  <p class="last"><em>Note:</em> Using <tt class="docutils literal"><span class="pre">--topology</span> subnet</tt> changes the interpretation of the
  arguments of <tt class="docutils literal"><span class="pre">--ifconfig</span></tt> to mean &quot;address netmask&quot;, no longer &quot;local
 diff --git a/include/openvpn-plugin.h b/include/openvpn-plugin.h
 index 6306d3c..64ceb06 100644
 --- a/include/openvpn-plugin.h
 +++ b/include/openvpn-plugin.h
@@ -53,7 +53,7 @@ extern "C" {
   */
  #define OPENVPN_VERSION_MAJOR 2
  #define OPENVPN_VERSION_MINOR 6
--#define OPENVPN_VERSION_PATCH ".3"
++#define OPENVPN_VERSION_PATCH ".5"
  /*
   * Plug-in types.  These types correspond to the set of script callbacks
 diff --git a/sample/sample-plugins/Makefile b/sample/sample-plugins/Makefile
 index 840d929..8777cc9 100644
 --- a/sample/sample-plugins/Makefile
 +++ b/sample/sample-plugins/Makefile
@@ -152,7 +152,7 @@ AUTOMAKE = ${SHELL} '/home/flichtenheld/openvpn/community/openvpn-build/src/open
  AWK = gawk
  CC = gcc
  CCDEPMODE = depmode=gcc3
--CFLAGS = -Wall -Wno-stringop-truncation -g -O2 -std=c99 -I/usr/include/libnl3
++CFLAGS = -Wall -Wno-stringop-truncation -g -O2 -std=c99
  CMOCKA_CFLAGS =
  CMOCKA_LIBS = -lcmocka
  CPP = gcc -E
@@ -187,19 +187,19 @@ LD = /usr/bin/ld -m elf_x86_64
  LDFLAGS =
  LIBCAPNG_CFLAGS =
  LIBCAPNG_LIBS = -lcap-ng
--LIBNL_GENL_CFLAGS = -I/usr/include/libnl3
--LIBNL_GENL_LIBS = -lnl-genl-3 -lnl-3
++LIBNL_GENL_CFLAGS =
++LIBNL_GENL_LIBS =
  LIBOBJS =
  LIBPAM_CFLAGS =
  LIBPAM_LIBS = -lpam
--LIBS =  -lnl-genl-3 -lnl-3 -lcap-ng
++LIBS =  -lcap-ng
  LIBTOOL = $(SHELL) $(top_builddir)/libtool
  LIPO =
  LN_S = ln -s
  LTLIBOBJS =
  LT_SYS_LIBRARY_PATH =
  LZ4_CFLAGS =
--LZ4_LIBS = -llz4
++LZ4_LIBS =
  LZO_CFLAGS =
  LZO_LIBS = -llzo2
  MAKEINFO = ${SHELL} '/home/flichtenheld/openvpn/community/openvpn-build/src/openvpn/missing' makeinfo
@@ -216,16 +216,16 @@ OPENSSL_CFLAGS =
  OPENSSL_LIBS = -lssl -lcrypto
  OPENVPN_VERSION_MAJOR = 2
  OPENVPN_VERSION_MINOR = 6
--OPENVPN_VERSION_PATCH = .3
++OPENVPN_VERSION_PATCH = .5
  OPTIONAL_CRYPTO_CFLAGS =
  OPTIONAL_CRYPTO_LIBS =  -lssl -lcrypto
  OPTIONAL_DL_LIBS = -ldl
  OPTIONAL_INOTIFY_CFLAGS =
  OPTIONAL_INOTIFY_LIBS =
  OPTIONAL_LZ4_CFLAGS =
--OPTIONAL_LZ4_LIBS = -llz4
++OPTIONAL_LZ4_LIBS =
  OPTIONAL_LZO_CFLAGS =
--OPTIONAL_LZO_LIBS = -llzo2
++OPTIONAL_LZO_LIBS =
  OPTIONAL_PKCS11_HELPER_CFLAGS =
  OPTIONAL_PKCS11_HELPER_LIBS =
  OPTIONAL_SELINUX_LIBS =
@@ -237,10 +237,10 @@ P11KIT_LIBS =
  PACKAGE = openvpn
  PACKAGE_BUGREPORT = openvpn-users@lists.sourceforge.net
  PACKAGE_NAME = OpenVPN
--PACKAGE_STRING = OpenVPN 2.6.3
++PACKAGE_STRING = OpenVPN 2.6.5
  PACKAGE_TARNAME = openvpn
  PACKAGE_URL =
--PACKAGE_VERSION = 2.6.3
++PACKAGE_VERSION = 2.6.5
  PATH_SEPARATOR = :
  PKCS11_HELPER_CFLAGS =
  PKCS11_HELPER_LIBS = -lpthread -ldl -lcrypto -lpkcs11-helper
@@ -249,7 +249,7 @@ PKG_CONFIG_LIBDIR =
  PKG_CONFIG_PATH =
  PLUGINDIR =
  PLUGIN_AUTH_PAM_CFLAGS =
--PLUGIN_AUTH_PAM_LIBS = -lpam
++PLUGIN_AUTH_PAM_LIBS =
  RANLIB = ranlib
  RC =
  ROUTE = /usr/sbin/route
@@ -268,9 +268,9 @@ TAP_WIN_COMPONENT_ID = tap0901
  TAP_WIN_MIN_MAJOR = 9
  TAP_WIN_MIN_MINOR = 9
  TEST_CFLAGS =     -I$(top_srcdir)/include
--TEST_LDFLAGS =  -lssl -lcrypto  -llzo2 -lcmocka
++TEST_LDFLAGS =  -lssl -lcrypto   -lcmocka
  TMPFILES_DIR =
--VERSION = 2.6.3
++VERSION = 2.6.5
  WOLFSSL_CFLAGS =
  WOLFSSL_INCLUDEDIR =
  WOLFSSL_LIBS =
 diff --git a/sample/sample-plugins/client-connect/sample-client-connect.c b/sample/sample-plugins/client-connect/sample-client-connect.c
 index 391de34..eb24212 100644
 --- a/sample/sample-plugins/client-connect/sample-client-connect.c
 +++ b/sample/sample-plugins/client-connect/sample-client-connect.c
@@ -454,6 +454,9 @@ openvpn_plugin_client_connect_v2(struct plugin_context *context,
      if (!rl->name || !rl->value)
+     {
          plugin_log(PLOG_ERR, MODULE, "malloc(return_list->xx) failed");
++        free(rl->name);
++        free(rl->value);
++        free(rl);
          return OPENVPN_PLUGIN_FUNC_ERROR;
+     }
@@ -509,6 +512,9 @@ openvpn_plugin_client_connect_defer_v2(struct plugin_context *context,
      if (!rl->name || !rl->value)
+     {
          plugin_log(PLOG_ERR, MODULE, "malloc(return_list->xx) failed");
++        free(rl->name);
++        free(rl->value);
++        free(rl);
          return OPENVPN_PLUGIN_FUNC_ERROR;
+     }
 diff --git a/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c b/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
 index 6a0a1f6..71badf2 100644
 --- a/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
 +++ b/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
@@ -155,7 +155,7 @@ session_user_set(struct session *sess, X509 *x509)
          if (!strncasecmp(objbuf, "CN", 2))
+         {
--            snprintf(sess->user, sizeof(sess->user) - 1, (char *)buf);
++            strncpy(sess->user, (char *)buf, sizeof(sess->user) - 1);
+         }
          OPENSSL_free(buf);
@@ -234,7 +234,7 @@ tls_final(struct openvpn_plugin_args_func_in const *args,
          return OPENVPN_PLUGIN_FUNC_ERROR;
+     }
--    snprintf(sess->key, sizeof(sess->key) - 1, "%s", key);
++    strncpy(sess->key, key, sizeof(sess->key) - 1);
      ovpn_note("app session key:  %s", sess->key);
      switch (plugin->type)
 diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
 index c2ac80b..f5372f8 100644
 --- a/src/openvpn/crypto_openssl.c
 +++ b/src/openvpn/crypto_openssl.c
@@ -839,9 +839,9 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key,
          crypto_msg(M_FATAL, "EVP cipher init #2");
+     }
--    EVP_CIPHER_free(kt);
      /* make sure we used a big enough key */
      ASSERT(EVP_CIPHER_CTX_key_length(ctx) <= EVP_CIPHER_key_length(kt));
++    EVP_CIPHER_free(kt);
+ }
  int
 diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c
 index a334d5d..af7776b 100644
 --- a/src/openvpn/dco_freebsd.c
 +++ b/src/openvpn/dco_freebsd.c
@@ -550,6 +550,10 @@ dco_do_read(dco_context_t *dco)
              dco->dco_message_type = OVPN_CMD_DEL_PEER;
              break;
++        case OVPN_NOTIF_ROTATE_KEY:
++            dco->dco_message_type = OVPN_CMD_SWAP_KEYS;
++            break;
++
          default:
              msg(M_WARN, "Unknown kernel notification %d", type);
              break;
@@ -590,6 +594,10 @@ dco_available(int msglevel)
+     }
      buf = malloc(ifcr.ifcr_total * IFNAMSIZ);
++    if (!buf)
++    {
++        goto out;
++    }
      ifcr.ifcr_count = ifcr.ifcr_total;
      ifcr.ifcr_buffer = buf;
 diff --git a/src/openvpn/dco_freebsd.h b/src/openvpn/dco_freebsd.h
 index a07f9b6..e1a054e 100644
 --- a/src/openvpn/dco_freebsd.h
 +++ b/src/openvpn/dco_freebsd.h
@@ -35,6 +35,7 @@ typedef enum ovpn_key_cipher dco_cipher_t;
  enum ovpn_message_type_t {
      OVPN_CMD_DEL_PEER,
      OVPN_CMD_PACKET,
++    OVPN_CMD_SWAP_KEYS,
  };
  enum ovpn_del_reason_t {
 diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c
 index 41540c0..2bfdf98 100644
 --- a/src/openvpn/dco_linux.c
 +++ b/src/openvpn/dco_linux.c
@@ -925,7 +925,10 @@ dco_get_peer_stats_multi(dco_context_t *dco, struct multi_context *m)
      nlmsg_hdr(nl_msg)->nlmsg_flags |= NLM_F_DUMP;
--    return ovpn_nl_msg_send(dco, nl_msg, dco_parse_peer_multi, m, __func__);
++    int ret = ovpn_nl_msg_send(dco, nl_msg, dco_parse_peer_multi, m, __func__);
++
++    nlmsg_free(nl_msg);
++    return ret;
+ }
  static int
@@ -1020,6 +1023,7 @@ dco_version_string(struct gc_arena *gc)
      if (!fgets(BSTR(&out), BCAP(&out), fp))
+     {
++        fclose(fp);
          return "ERR";
+     }
@@ -1031,6 +1035,7 @@ dco_version_string(struct gc_arena *gc)
          *nl = '\0';
+     }
++    fclose(fp);
      return BSTR(&out);
+ }
 diff --git a/src/openvpn/error.c b/src/openvpn/error.c
 index a2c9aa4..9a234e6 100644
 --- a/src/openvpn/error.c
 +++ b/src/openvpn/error.c
@@ -970,19 +970,24 @@ strerror_win32(DWORD errnum, struct gc_arena *gc)
      /* format a windows error message */
+     {
--        char message[256];
++        wchar_t wmessage[256];
++        char *message = NULL;
          struct buffer out = alloc_buf_gc(256, gc);
--        const int status =  FormatMessage(
++        const DWORD status =  FormatMessageW(
              FORMAT_MESSAGE_IGNORE_INSERTS
              | FORMAT_MESSAGE_FROM_SYSTEM
              | FORMAT_MESSAGE_ARGUMENT_ARRAY,
              NULL,
              errnum,
 ,
--            message,
--            sizeof(message),
++            wmessage,
++            SIZE(wmessage),
              NULL);
--        if (!status)
++        if (status)
++        {
++            message = utf16to8(wmessage, gc);
++        }
++        if (!status || !message)
+         {
              buf_printf(&out, "[Unknown Win32 Error]");
+         }
 diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
 index b3e0ba5..5bffe07 100644
 --- a/src/openvpn/forward.c
 +++ b/src/openvpn/forward.c
@@ -1232,20 +1232,30 @@ process_incoming_dco(struct context *c)
          return;
+     }
--    if (dco->dco_message_type != OVPN_CMD_DEL_PEER)
++    switch (dco->dco_message_type)
+     {
--        msg(D_DCO_DEBUG, "%s: received message of type %u - ignoring", __func__,
--            dco->dco_message_type);
--        return;
--    }
++        case OVPN_CMD_DEL_PEER:
++            if (dco->dco_del_peer_reason == OVPN_DEL_PEER_REASON_EXPIRED)
++            {
++                msg(D_DCO_DEBUG, "%s: received peer expired notification of for peer-id "
++                    "%d", __func__, dco->dco_message_peer_id);
++                trigger_ping_timeout_signal(c);
++                return;
++            }
++            break;
--    if (dco->dco_del_peer_reason == OVPN_DEL_PEER_REASON_EXPIRED)
--    {
--        msg(D_DCO_DEBUG, "%s: received peer expired notification of for peer-id "
--            "%d", __func__, dco->dco_message_peer_id);
--        trigger_ping_timeout_signal(c);
--        return;
++        case OVPN_CMD_SWAP_KEYS:
++            msg(D_DCO_DEBUG, "%s: received key rotation notification for peer-id %d",
++                __func__, dco->dco_message_peer_id);
++            tls_session_soft_reset(c->c2.tls_multi);
++            break;
++
++        default:
++            msg(D_DCO_DEBUG, "%s: received message of type %u - ignoring", __func__,
++                dco->dco_message_type);
++            return;
+     }
++
  #endif /* if defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD)) */
+ }
 diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
 index 5444e75..6fb9cff 100644
 --- a/src/openvpn/multi.c
 +++ b/src/openvpn/multi.c
@@ -3284,6 +3284,10 @@ multi_process_incoming_dco(struct multi_context *m)
+         {
              process_incoming_del_peer(m, mi, dco);
+         }
++        else if (dco->dco_message_type == OVPN_CMD_SWAP_KEYS)
++        {
++            tls_session_soft_reset(mi->context.c2.tls_multi);
++        }
+     }
      else
+     {
 diff --git a/src/openvpn/options.c b/src/openvpn/options.c
 index 2680f26..efddc58 100644
 --- a/src/openvpn/options.c
 +++ b/src/openvpn/options.c
@@ -248,7 +248,7 @@ static const char usage_message[] =
      "--setenv name value : Set a custom environmental variable to pass to script.\n"
      "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
      "                  directives for future OpenVPN versions to be ignored.\n"
--    "--ignore-unkown-option opt1 opt2 ...: Relax config file syntax. Allow\n"
++    "--ignore-unknown-option opt1 opt2 ...: Relax config file syntax. Allow\n"
      "                  these options to be ignored when unknown\n"
      "--script-security level: Where level can be:\n"
      "                  0 -- strictly no calling of external programs\n"
@@ -569,8 +569,6 @@ static const char usage_message[] =
      "(These options are meaningful only for TLS-mode)\n"
      "--tls-server    : Enable TLS and assume server role during TLS handshake.\n"
      "--tls-client    : Enable TLS and assume client role during TLS handshake.\n"
--    "--key-method m  : (DEPRECATED) Data channel key exchange method.  m should be a method\n"
--    "                  number, such as 1 (default), 2, etc.\n"
      "--ca file       : Certificate authority file in .pem format containing\n"
      "                  root certificate.\n"
  #ifndef ENABLE_CRYPTO_MBEDTLS
@@ -3771,14 +3769,14 @@ options_postprocess_mutate(struct options *o, struct env_set *es)
              o->windows_driver = WINDOWS_DRIVER_TAP_WINDOWS6;
+         }
+     }
--#endif
--
++#else  /* _WIN32 */
      if (dco_enabled(o) && o->dev_node)
+     {
          msg(M_WARN, "Note: ignoring --dev-node as it has no effect when using "
              "data channel offload");
          o->dev_node = NULL;
+     }
++#endif /* _WIN32 */
      /* this depends on o->windows_driver, which is set above */
      options_postprocess_mutate_invariant(o);
 diff --git a/src/openvpn/ovpn_dco_freebsd.h b/src/openvpn/ovpn_dco_freebsd.h
 index fec3383..53f94df 100644
 --- a/src/openvpn/ovpn_dco_freebsd.h
 +++ b/src/openvpn/ovpn_dco_freebsd.h
@@ -36,6 +36,7 @@
  enum ovpn_notif_type {
      OVPN_NOTIF_DEL_PEER,
++    OVPN_NOTIF_ROTATE_KEY,
  };
  enum ovpn_del_reason {
 diff --git a/src/openvpn/pkcs11_openssl.c b/src/openvpn/pkcs11_openssl.c
 index eee86e1..9b0ab39 100644
 --- a/src/openvpn/pkcs11_openssl.c
 +++ b/src/openvpn/pkcs11_openssl.c
@@ -165,6 +165,7 @@ xkey_pkcs11h_sign(void *handle, unsigned char *sig,
+ {
      pkcs11h_certificate_t cert = handle;
      CK_MECHANISM mech = {CKM_RSA_PKCS, NULL, 0}; /* default value */
++    CK_RSA_PKCS_PSS_PARAMS pss_params = {0};
      unsigned char buf[EVP_MAX_MD_SIZE];
      size_t buflen;
@@ -203,7 +204,6 @@ xkey_pkcs11h_sign(void *handle, unsigned char *sig,
+         }
          else if (!strcmp(sigalg.padmode, "pss"))
+         {
--            CK_RSA_PKCS_PSS_PARAMS pss_params = {0};
              mech.mechanism = CKM_RSA_PKCS_PSS;
              if (!set_pss_params(&pss_params, sigalg, cert))
 diff --git a/src/openvpn/pool.c b/src/openvpn/pool.c
 index f899b95..4af9bcb 100644
 --- a/src/openvpn/pool.c
 +++ b/src/openvpn/pool.c
@@ -608,7 +608,6 @@ ifconfig_pool_read(struct ifconfig_pool_persist *persist, struct ifconfig_pool *
          struct gc_arena gc = gc_new();
          struct buffer in = alloc_buf_gc(256, &gc);
          char *cn_buf, *ip_buf, *ip6_buf;
--        int line = 0;
          ALLOC_ARRAY_CLEAR_GC(cn_buf, char, buf_size, &gc);
          ALLOC_ARRAY_CLEAR_GC(ip_buf, char, buf_size, &gc);
@@ -621,7 +620,6 @@ ifconfig_pool_read(struct ifconfig_pool_persist *persist, struct ifconfig_pool *
+             {
                  break;
+             }
--            ++line;
              if (!BLEN(&in))
+             {
                  continue;
 diff --git a/src/openvpn/push.c b/src/openvpn/push.c
 index 54e53f6..8e96271 100644
 --- a/src/openvpn/push.c
 +++ b/src/openvpn/push.c
@@ -713,7 +713,6 @@ send_push_options(struct context *c, struct buffer *buf,
+ {
      struct push_entry *e = push_list->head;
--    e = push_list->head;
      while (e)
+     {
          if (e->enable)
 diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
 index ab8cc75..fc643c1 100644
 --- a/src/openvpn/socket.c
 +++ b/src/openvpn/socket.c
@@ -1165,7 +1165,7 @@ protect_fd_nonlocal(int fd, const struct sockaddr *addr)
+ {
      if (!management)
+     {
--        msg(M_FATAL, "Required management interface not available.")
++        msg(M_FATAL, "Required management interface not available.");
+     }
      /* pass socket FD to management interface to pass on to VPNService API
 diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
 index 60aaee8..8641a51 100644
 --- a/src/openvpn/ssl.c
 +++ b/src/openvpn/ssl.c
@@ -1918,6 +1918,12 @@ key_state_soft_reset(struct tls_session *session)
      ks->remote_addr = ks_lame->remote_addr;
+ }
++void
++tls_session_soft_reset(struct tls_multi *tls_multi)
++{
++    key_state_soft_reset(&tls_multi->session[TM_ACTIVE]);
++}
++
  /*
   * Read/write strings from/to a struct buffer with a u16 length prefix.
   */
 diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h
 index 4ed4cfa..3c40fbe 100644
 --- a/src/openvpn/ssl.h
 +++ b/src/openvpn/ssl.h
@@ -573,6 +573,9 @@ bool
  tls_session_generate_data_channel_keys(struct tls_multi *multi,
                                         struct tls_session *session);
++void
++tls_session_soft_reset(struct tls_multi *multi);
++
  /**
   * Load ovpn.xkey provider used for external key signing
   */
 diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
 index 2320e8b..4ef390a 100644
 --- a/src/openvpn/tun.c
 +++ b/src/openvpn/tun.c
@@ -4200,7 +4200,7 @@ show_tap_win_adapters(int msglev, int warnlev)
      const struct tap_reg *tap_reg = get_tap_reg(&gc);
      const struct panel_reg *panel_reg = get_panel_reg(&gc);
--    msg(msglev, "Available TAP-WIN32 / Wintun adapters [name, GUID, driver]:");
++    msg(msglev, "Available adapters [name, GUID, driver]:");
      /* loop through each TAP-Windows adapter registry entry */
      for (tr = tap_reg; tr != NULL; tr = tr->next)
@@ -4337,7 +4337,6 @@ get_unspecified_device_guid(const int device_number,
                              struct gc_arena *gc)
+ {
      const struct tap_reg *tap_reg = tap_reg_src;
--    struct buffer ret = clear_buf();
      struct buffer actual = clear_buf();
      int i;
@@ -4381,7 +4380,7 @@ get_unspecified_device_guid(const int device_number,
+     }
      /* Save GUID for return value */
--    ret = alloc_buf_gc(256, gc);
++    struct buffer ret = alloc_buf_gc(256, gc);
      buf_printf(&ret, "%s", tap_reg->guid);
      if (windows_driver != NULL)
+     {
 diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c
 index 1ae3723..25da54a 100644
 --- a/src/openvpn/win32.c
 +++ b/src/openvpn/win32.c
@@ -509,19 +509,19 @@ win32_signal_open(struct win32_signal *ws,
          && !HANDLE_DEFINED(ws->in.read) && exit_event_name)
+     {
          struct security_attributes sa;
++        struct gc_arena gc = gc_new();
++        const wchar_t *exit_event_nameW = wide_string(exit_event_name, &gc);
          if (!init_security_attributes_allow_all(&sa))
+         {
              msg(M_ERR, "Error: win32_signal_open: init SA failed");
+         }
--        ws->in.read = CreateEvent(&sa.sa,
--                                  TRUE,
--                                  exit_event_initial_state ? TRUE : FALSE,
--                                  exit_event_name);
++        ws->in.read = CreateEventW(&sa.sa, TRUE, exit_event_initial_state ? TRUE : FALSE,
++                                   exit_event_nameW);
          if (ws->in.read == NULL)
+         {
--            msg(M_WARN|M_ERRNO, "NOTE: CreateEvent '%s' failed", exit_event_name);
++            msg(M_WARN|M_ERRNO, "NOTE: CreateEventW '%s' failed", exit_event_name);
+         }
          else
+         {
@@ -534,6 +534,7 @@ win32_signal_open(struct win32_signal *ws,
                  ws->mode = WSO_MODE_SERVICE;
+             }
+         }
++        gc_free(&gc);
+     }
      /* set the ctrl handler in both console and service modes */
      if (!SetConsoleCtrlHandler((PHANDLER_ROUTINE) win_ctrl_handler, true))
 diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
 index ec19627..d73cef0 100644
 --- a/src/openvpnserv/interactive.c
 +++ b/src/openvpnserv/interactive.c
@@ -1868,7 +1868,6 @@ RunOpenvpn(LPVOID p)
+     }
      startup_info.cb = sizeof(startup_info);
--    startup_info.lpDesktop = L"winsta0\\default";
      startup_info.dwFlags = STARTF_USESTDHANDLES;
      startup_info.hStdInput = stdin_read;
      startup_info.hStdOutput = stdout_write;
 diff --git a/src/tapctl/main.c b/src/tapctl/main.c
 index 1194036..d76d553 100644
 --- a/src/tapctl/main.c
 +++ b/src/tapctl/main.c
@@ -126,6 +126,85 @@ usage(void)
                title_string);
+ }
++/**
++ * Checks if adapter with given name doesn't already exist
++ */
++static BOOL
++is_adapter_name_available(LPCTSTR name, struct tap_adapter_node *adapter_list, BOOL log)
++{
++    for (struct tap_adapter_node *a = adapter_list; a; a = a->pNext)
++    {
++        if (_tcsicmp(name, a->szName) == 0)
++        {
++            if (log)
++            {
++                LPOLESTR adapter_id = NULL;
++                StringFromIID((REFIID)&a->guid, &adapter_id);
++                _ftprintf(stderr, TEXT("Adapter \"%") TEXT(PRIsLPTSTR) TEXT("\" already exists (GUID %")
++                          TEXT(PRIsLPOLESTR) TEXT(").\n"), a->szName, adapter_id);
++                CoTaskMemFree(adapter_id);
++            }
++
++            return FALSE;
++        }
++    }
++
++    return TRUE;
++}
++
++/**
++ * Returns unique adapter name based on hwid or NULL if name cannot be generated.
++ * Caller is responsible for freeing it.
++ */
++static LPTSTR
++get_unique_adapter_name(LPCTSTR hwid, struct tap_adapter_node *adapter_list)
++{
++    if (hwid == NULL)
++    {
++        return NULL;
++    }
++
++    LPCTSTR base_name;
++    if (_tcsicmp(hwid, TEXT("ovpn-dco")) == 0)
++    {
++        base_name = TEXT("OpenVPN Data Channel Offload");
++    }
++    else if (_tcsicmp(hwid, TEXT("wintun")) == 0)
++    {
++        base_name = TEXT("OpenVPN Wintun");
++    }
++    else if (_tcsicmp(hwid, TEXT("root\\") TEXT(TAP_WIN_COMPONENT_ID)) == 0)
++    {
++        base_name = TEXT("OpenVPN TAP-Windows6");
++    }
++    else
++    {
++        return NULL;
++    }
++
++    if (is_adapter_name_available(base_name, adapter_list, FALSE))
++    {
++        return _tcsdup(base_name);
++    }
++
++    size_t name_len = _tcslen(base_name) + 10;
++    LPTSTR name = malloc(name_len * sizeof(TCHAR));
++    if (name == NULL)
++    {
++        return NULL;
++    }
++    for (int i = 1; i < 100; ++i)
++    {
++        _stprintf_s(name, name_len, TEXT("%ls #%d"), base_name, i);
++
++        if (is_adapter_name_available(name, adapter_list, FALSE))
++        {
++            return name;
++        }
++    }
++
++    return NULL;
++}
  /**
   * Program entry point
@@ -210,50 +289,49 @@ _tmain(int argc, LPCTSTR argv[])
              iResult = 1; goto quit;
+         }
--        if (szName)
++        /* Get existing network adapters. */
++        struct tap_adapter_node *pAdapterList = NULL;
++        dwResult = tap_list_adapters(NULL, NULL, &pAdapterList);
++        if (dwResult != ERROR_SUCCESS)
+         {
--            /* Get existing network adapters. */
--            struct tap_adapter_node *pAdapterList = NULL;
--            dwResult = tap_list_adapters(NULL, NULL, &pAdapterList);
--            if (dwResult != ERROR_SUCCESS)
--            {
--                _ftprintf(stderr, TEXT("Enumerating adapters failed (error 0x%x).\n"), dwResult);
--                iResult = 1; goto create_delete_adapter;
--            }
++            _ftprintf(stderr, TEXT("Enumerating adapters failed (error 0x%x).\n"), dwResult);
++            iResult = 1;
++            goto create_delete_adapter;
++        }
--            /* Check for duplicates. */
--            for (struct tap_adapter_node *pAdapter = pAdapterList; pAdapter; pAdapter = pAdapter->pNext)
++        LPTSTR adapter_name = szName ? _tcsdup(szName) : get_unique_adapter_name(szHwId, pAdapterList);
++        if (adapter_name)
++        {
++            /* Check for duplicates when name was specified,
++             * otherwise get_adapter_default_name() takes care of it */
++            if (szName && !is_adapter_name_available(adapter_name, pAdapterList, TRUE))
+             {
--                if (_tcsicmp(szName, pAdapter->szName) == 0)
--                {
--                    StringFromIID((REFIID)&pAdapter->guid, &szAdapterId);
--                    _ftprintf(stderr, TEXT("Adapter \"%") TEXT(PRIsLPTSTR) TEXT("\" already exists (GUID %")
--                              TEXT(PRIsLPOLESTR) TEXT(").\n"), pAdapter->szName, szAdapterId);
--                    CoTaskMemFree(szAdapterId);
--                    iResult = 1; goto create_cleanup_pAdapterList;
--                }
++                iResult = 1;
++                goto create_cleanup_pAdapterList;
+             }
              /* Rename the adapter. */
--            dwResult = tap_set_adapter_name(&guidAdapter, szName, FALSE);
++            dwResult = tap_set_adapter_name(&guidAdapter, adapter_name, FALSE);
              if (dwResult != ERROR_SUCCESS)
+             {
                  StringFromIID((REFIID)&guidAdapter, &szAdapterId);
                  _ftprintf(stderr, TEXT("Renaming TUN/TAP adapter %") TEXT(PRIsLPOLESTR)
                            TEXT(" to \"%") TEXT(PRIsLPTSTR) TEXT("\" failed (error 0x%x).\n"),
--                          szAdapterId, szName, dwResult);
++                          szAdapterId, adapter_name, dwResult);
                  CoTaskMemFree(szAdapterId);
                  iResult = 1; goto quit;
+             }
++        }
--            iResult = 0;
++        iResult = 0;
  create_cleanup_pAdapterList:
--            tap_free_adapter_list(pAdapterList);
--            if (iResult)
--            {
--                goto create_delete_adapter;
--            }
++        free(adapter_name);
++
++        tap_free_adapter_list(pAdapterList);
++        if (iResult)
++        {
++            goto create_delete_adapter;
+         }
          /* Output adapter GUID. */
 diff --git a/tests/Makefile.am b/tests/Makefile.am
 index a46f257..80673d5 100644
 --- a/tests/Makefile.am
 +++ b/tests/Makefile.am
@@ -25,8 +25,10 @@ TESTS_ENVIRONMENT = top_srcdir="$(top_srcdir)"
  TESTS = $(test_scripts)
  dist_noinst_SCRIPTS = \
--	$(test_scripts) \
++	t_cltsrv.sh \
  	t_cltsrv-down.sh \
++	t_lpback.sh \
++	t_net.sh \
  	update_t_client_ips.sh
  dist_noinst_DATA = \
 diff --git a/tests/Makefile.in b/tests/Makefile.in
 index 969579a..5783eb7 100644
 --- a/tests/Makefile.in
 +++ b/tests/Makefile.in
@@ -111,15 +111,13 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_socklen_t.m4 \
  	$(top_srcdir)/configure.ac
  am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
  	$(ACLOCAL_M4)
--DIST_COMMON = $(srcdir)/Makefile.am $(am__dist_noinst_SCRIPTS_DIST) \
++DIST_COMMON = $(srcdir)/Makefile.am $(dist_noinst_SCRIPTS) \
  	$(dist_noinst_DATA) $(am__DIST_COMMON)
  mkinstalldirs = $(install_sh) -d
  CONFIG_HEADER = $(top_builddir)/config.h \
  	$(top_builddir)/include/openvpn-plugin.h
  CONFIG_CLEAN_FILES = t_client.sh
  CONFIG_CLEAN_VPATH_FILES =
--am__dist_noinst_SCRIPTS_DIST = t_client.sh t_lpback.sh t_cltsrv.sh \
--	t_net.sh t_cltsrv-down.sh update_t_client_ips.sh
  SCRIPTS = $(dist_noinst_SCRIPTS)
  AM_V_P = $(am__v_P_@AM_V@)
  am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
@@ -425,8 +423,10 @@ SUBDIRS = unit_tests
  TESTS_ENVIRONMENT = top_srcdir="$(top_srcdir)"
  TESTS = $(test_scripts)
  dist_noinst_SCRIPTS = \
--	$(test_scripts) \
++	t_cltsrv.sh \
  	t_cltsrv-down.sh \
++	t_lpback.sh \
++	t_net.sh \
  	update_t_client_ips.sh
  dist_noinst_DATA = \
 diff --git a/tests/t_client.sh b/tests/t_client.sh
 deleted file mode 100755
 index 37635a1..0000000
 --- a/tests/t_client.sh
 +++ /dev/null
@@ -1,463 +0,0 @@
--#!/bin/bash
--#
--# run OpenVPN client against ``test reference'' server
--# - check that ping, http, ... via tunnel works
--# - check that interface config / routes are properly cleaned after test end
--#
--# prerequisites:
--# - openvpn binary in current directory
--# - writable current directory to create subdir for logs
--# - t_client.rc in current directory OR source dir that specifies tests
--# - for "ping4" checks: fping binary in $PATH
--# - for "ping6" checks: fping (4.0+) or fping6 binary in $PATH
--#
--
--# by changing this to 1 we can force automated builds to fail
--# that are expected to have all the prerequisites
--TCLIENT_SKIP_RC="${TCLIENT_SKIP_RC:-77}"
--
--srcdir="${srcdir:-.}"
--top_builddir="${top_builddir:-..}"
--if [ -r "${top_builddir}"/t_client.rc ] ; then
--    . "${top_builddir}"/t_client.rc
--elif [ -r "${srcdir}"/t_client.rc ] ; then
--    . "${srcdir}"/t_client.rc
--else
--    echo "$0: cannot find 't_client.rc' in build dir ('${top_builddir}')" >&2
--    echo "$0: or source directory ('${srcdir}'). SKIPPING TEST." >&2
--    exit "${TCLIENT_SKIP_RC}"
--fi
--
--# Check for external dependencies
--FPING="fping"
--FPING6="fping6"
--which fping > /dev/null
--if [ $? -ne 0 ]; then
--    echo "$0: fping is not available in \$PATH" >&2
--    exit "${TCLIENT_SKIP_RC}"
--fi
--which fping6 > /dev/null
--if [ $? -ne 0 ]; then
--    echo "$0: fping6 is not available in \$PATH, assuming fping 4.0 or later" >&2
--    FPING="fping -4"
--    FPING6="fping -6"
--fi
--
--KILL_EXEC=`which kill`
--if [ $? -ne 0 ]; then
--    echo "$0: kill not found in \$PATH" >&2
--    exit "${TCLIENT_SKIP_RC}"
--fi
--
--if [ ! -x "${top_builddir}/src/openvpn/openvpn" ]
--then
--    echo "no (executable) openvpn binary in current build tree. FAIL." >&2
--    exit 1
--fi
--
--if [ ! -w . ]
--then
--    echo "current directory is not writable (required for logging). FAIL." >&2
--    exit 1
--fi
--
--if [ -z "$CA_CERT" ] ; then
--    echo "CA_CERT not defined in 't_client.rc'. SKIP test." >&2
--    exit "${TCLIENT_SKIP_RC}"
--fi
--
--if [ -z "$TEST_RUN_LIST" ] ; then
--    echo "TEST_RUN_LIST empty, no tests defined.  SKIP test." >&2
--    exit "${TCLIENT_SKIP_RC}"
--fi
--
--# Ensure PREFER_KSU is in a known state
--PREFER_KSU="${PREFER_KSU:-0}"
--
--# make sure we have permissions to run ifconfig/route from OpenVPN
--# can't use "id -u" here - doesn't work on Solaris
--ID=`id`
--if expr "$ID" : "uid=0" >/dev/null
--then :
--else
--    if [ "${PREFER_KSU}" -eq 1 ];
--    then
--        # Check if we have a valid kerberos ticket
--        klist -l 1>/dev/null 2>/dev/null
--        if [ $? -ne 0 ];
--        then
--            # No kerberos ticket found, skip ksu and fallback to RUN_SUDO
--            PREFER_KSU=0
--            echo "$0: No Kerberos ticket available.  Will not use ksu."
--        else
--            RUN_SUDO="ksu -q -e"
--        fi
--    fi
--
--    if [ -z "$RUN_SUDO" ]
--    then
--        echo "$0: this test must run be as root, or RUN_SUDO=... " >&2
--        echo "      must be set correctly in 't_client.rc'. SKIP." >&2
--        exit "${TCLIENT_SKIP_RC}"
--    else
--        # We have to use sudo. Make sure that we (hopefully) do not have
--        # to ask the users password during the test. This is done to
--        # prevent timing issues, e.g. when the waits for openvpn to start
--	if $RUN_SUDO $KILL_EXEC -0 $$
--	then
--	    echo "$0: $RUN_SUDO $KILL_EXEC -0 succeeded, good."
--	else
--	    echo "$0: $RUN_SUDO $KILL_EXEC -0 failed, cannot go on. SKIP." >&2
--	    exit "${TCLIENT_SKIP_RC}"
--	fi
--    fi
--fi
--
--LOGDIR=t_client-`hostname`-`date +%Y%m%d-%H%M%S`
--if mkdir $LOGDIR
--then :
--else
--    echo "can't create log directory '$LOGDIR'. FAIL." >&2
--    exit 1
--fi
--
--# verbosity, defaults to "1"
--V="${V:-1}"
--
--exit_code=0
--
--# ----------------------------------------------------------
--# helper functions
--# ----------------------------------------------------------
--
--# output progress information
--#  depending on verbosity level, collect & print only on failure
--output_start()
--{
--    case $V in
--	0) outbuf="" ;;			# no per-test output at all
--	1) echo -e "$@"			# compact, details only on failure
--           outbuf="\n" ;;
--	*) echo -e "\n$@\n" ;;		# print all, with a bit formatting
--    esac
--}
--
--output()
--{
--    NO_NL=''; if [ "X$1" = "X-n" ] ; then NO_NL=$1 ; shift ; fi
--    case $V in
--	0) ;;				# no per-test output at all
--	1) outbuf="$outbuf$@" 		# print details only on failure
--	   test -z "$NO_NL" && outbuf="$outbuf\n"
--           ;;
--	*) echo -e $NO_NL "$@" ;;	# print everything
--    esac
--}
--
--# print failure message, increase FAIL counter
--fail()
--{
--    output "FAIL: $@\n"
--    fail_count=$(( $fail_count + 1 ))
--}
--
--# print "all interface IP addresses" + "all routes"
--# this is higly system dependent...
--get_ifconfig_route()
--{
--    # linux / iproute2? (-> if configure got a path)
--    if [ -n "/usr/sbin/ip" ]
--    then
--	echo "-- linux iproute2 --"
--	/usr/sbin/ip addr show     | grep -v valid_lft
--	/usr/sbin/ip route show
--	/usr/sbin/ip -o -6 route show | grep -v ' cache' | sed -E -e 's/ expires [0-9]*sec//' -e 's/ (mtu|hoplimit|cwnd|ssthresh) [0-9]+//g' -e 's/ (rtt|rttvar) [0-9]+ms//g'
--	return
--    fi
--
--    # try uname
--    case `uname -s` in
--	Linux)
--	   echo "-- linux / ifconfig --"
--	   LANG=C /usr/sbin/ifconfig -a |egrep  "( addr:|encap:)"
--	   LANG=C netstat -rn -4 -6
--	   return
--	   ;;
--	FreeBSD|NetBSD|Darwin)
--	   echo "-- FreeBSD/NetBSD/Darwin [MacOS X] --"
--	   /usr/sbin/ifconfig -a | egrep "(flags=|inet)"
--	   netstat -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$NF }'
--	   return
--	   ;;
--	OpenBSD)
--	   echo "-- OpenBSD --"
--	   /usr/sbin/ifconfig -a | egrep "(flags=|inet)" | \
--		sed -e 's/pltime [0-9]*//' -e 's/vltime [0-9]*//'
--	   netstat -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$NF }'
--	   return
--	   ;;
--	SunOS)
--	   echo "-- Solaris --"
--	   /usr/sbin/ifconfig -a | egrep "(flags=|inet)"
--	   netstat -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$6 }'
--	   return
--	   ;;
--	AIX)
--	   echo "-- AIX --"
--	   /usr/sbin/ifconfig -a | egrep "(flags=|inet)"
--	   netstat -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$6 }'
--	   return
--	   ;;
--    esac
--
--    echo "get_ifconfig_route(): no idea how to get info on your OS.  FAIL." >&2
--    exit 20
--}
--
--# ----------------------------------------------------------
--# check ifconfig
--#  arg1: "4" or "6" -> for message
--#  arg2: IPv4/IPv6 address that must show up in out of "get_ifconfig_route"
--check_ifconfig()
--{
--    proto=$1 ; shift
--    expect_list="$@"
--
--    if [ -z "$expect_list" ] ; then return ; fi
--
--    for expect in $expect_list
--    do
--	if get_ifconfig_route | fgrep "$expect" >/dev/null
--	then :
--	else
--	    fail "check_ifconfig(): expected IPv$proto address '$expect' not found in ifconfig output."
--	fi
--    done
--}
--
--# ----------------------------------------------------------
--# run pings
--#  arg1: "4" or "6" -> fping/fing6
--#  arg2: "want_ok" or "want_fail" (expected ping result)
--#  arg3... -> fping arguments (host list)
--run_ping_tests()
--{
--    proto=$1 ; want=$2 ; shift ; shift
--    targetlist="$@"
--
--    # "no targets" is fine
--    if [ -z "$targetlist" ] ; then return ; fi
--
--    case $proto in
--	4) cmd="$FPING" ;;
--	6) cmd="$FPING6" ;;
--	*) echo "internal error in run_ping_tests arg 1: '$proto'" >&2
--	   exit 1 ;;
--    esac
--
--    case $want in
--	want_ok)   sizes_list="64 1440 3000" ;;
--	want_fail) sizes_list="64" ;;
--    esac
--
--    for bytes in $sizes_list
--    do
--	output "run IPv$proto ping tests ($want), $bytes byte packets..."
--
--	echo "$cmd -b $bytes -C 20 -p 250 -q $fping_args $targetlist" >>$LOGDIR/$SUF:fping.out
--	$cmd -b $bytes -C 20 -p 250 -q $fping_args $targetlist >>$LOGDIR/$SUF:fping.out 2>&1
--
--	# while OpenVPN is running, pings must succeed (want='want_ok')
--	# before OpenVPN is up, pings must NOT succeed (want='want_fail')
--
--	rc=$?
--	if [ $rc = 0 ] 				# all ping OK
--	then
--	    if [ $want = "want_fail" ]		# not what we want
--	    then
--		fail "IPv$proto ping test succeeded, but needs to *fail*."
--	    fi
--	else					# ping failed
--	    if [ $want = "want_ok" ]		# not what we wanted
--	    then
--		fail "IPv$proto ping test ($bytes bytes) failed, but should succeed."
--	    fi
--	fi
--    done
--}
--
--# ----------------------------------------------------------
--# main test loop
--# ----------------------------------------------------------
--SUMMARY_OK=
--SUMMARY_FAIL=
--
--for SUF in $TEST_RUN_LIST
--do
--    # get config variables
--    eval test_prep=\"\$PREPARE_$SUF\"
--    eval test_postinit=\"\$POSTINIT_CMD_$SUF\"
--    eval test_cleanup=\"\$CLEANUP_$SUF\"
--    eval test_run_title=\"\$RUN_TITLE_$SUF\"
--    eval openvpn_conf=\"\$OPENVPN_CONF_$SUF\"
--    eval expect_ifconfig4=\"\$EXPECT_IFCONFIG4_$SUF\"
--    eval expect_ifconfig6=\"\$EXPECT_IFCONFIG6_$SUF\"
--    eval ping4_hosts=\"\$PING4_HOSTS_$SUF\"
--    eval ping6_hosts=\"\$PING6_HOSTS_$SUF\"
--    eval fping_args=\"\$FPING_EXTRA_ARGS \$FPING_ARGS_$SUF\"
--
--    # If EXCEPT_IFCONFIG* variables for this test are missing, run an --up
--    # script to generate them dynamically.
--    if [ -z "$expect_ifconfig4" ] || [ -z "$expect_ifconfig6" ]; then
--        up="--setenv TESTNUM $SUF --setenv TOP_BUILDDIR ${top_builddir} --script-security 2 --up ${srcdir}/update_t_client_ips.sh"
--    else
--        up=""
--    fi
--
--    output_start "### test run $SUF: '$test_run_title' ###"
--    fail_count=0
--
--    if [ -n "$test_prep" ]; then
--        output "running preparation: '$test_prep'"
--        eval $test_prep
--    fi
--
--    output "save pre-openvpn ifconfig + route"
--    get_ifconfig_route >$LOGDIR/$SUF:ifconfig_route_pre.txt
--
--    output "\nrun pre-openvpn ping tests - targets must not be reachable..."
--    run_ping_tests 4 want_fail "$ping4_hosts"
--    run_ping_tests 6 want_fail "$ping6_hosts"
--    if [ "$fail_count" = 0 ] ; then
--        output "OK.\n"
--    else
--	fail "make sure that ping hosts are ONLY reachable via VPN, SKIP test $SUF."
--	SUMMARY_FAIL="$SUMMARY_FAIL $SUF"
--	exit_code=31
--	echo -e "$outbuf" ; continue
--    fi
--
--    pidfile="${top_builddir}/tests/$LOGDIR/openvpn-$SUF.pid"
--    openvpn_conf="$openvpn_conf --writepid $pidfile $up"
--    output " run openvpn $openvpn_conf"
--    echo "# src/openvpn/openvpn $openvpn_conf" >$LOGDIR/$SUF:openvpn.log
--    umask 022
--    $RUN_SUDO "${top_builddir}/src/openvpn/openvpn" $openvpn_conf >>$LOGDIR/$SUF:openvpn.log &
--    sudopid=$!
--
--    # Check if OpenVPN has initialized before continuing.  It will check every 3rd second up
--    # to $ovpn_init_check times.
--    ovpn_init_check=10
--    ovpn_init_success=0
--    while [ $ovpn_init_check -gt 0 ];
--    do
--       sleep 3  # Wait for OpenVPN to initialize and have had time to write the pid file
--       grep "Initialization Sequence Completed" $LOGDIR/$SUF:openvpn.log >/dev/null
--       if [ $? -eq 0 ]; then
--           ovpn_init_check=0
--           ovpn_init_success=1
--       fi
--       ovpn_init_check=$(( $ovpn_init_check - 1 ))
--    done
--
--    opid=`cat $pidfile`
--    if [ -n "$opid" ]; then
--        output "  OpenVPN running with PID $opid"
--    else
--        output "  Could not read OpenVPN PID file"
--    fi
--
--    # If OpenVPN did not start
--    if [ $ovpn_init_success -ne 1 -o -z "$opid" ]; then
--        output "$0:  OpenVPN did not initialize in a reasonable time"
--        if [ -n "$opid" ]; then
--           $RUN_SUDO $KILL_EXEC $opid
--        fi
--        $RUN_SUDO $KILL_EXEC $sudopid
--	output "tail -5 $SUF:openvpn.log"
--	output "`tail -5 $LOGDIR/$SUF:openvpn.log`"
--	fail "skip rest of sub-tests for test run $SUF."
--	trap - 0 1 2 3 15
--	SUMMARY_FAIL="$SUMMARY_FAIL $SUF"
--	exit_code=30
--	echo -e "$outbuf" ; continue
--    fi
--
--    # make sure openvpn client is terminated in case shell exits
--    trap "$RUN_SUDO $KILL_EXEC $opid" 0
--    trap "$RUN_SUDO $KILL_EXEC $opid ; trap - 0 ; exit 1" 1 2 3 15
--
--    # compare whether anything changed in ifconfig/route setup?
--    output "save ifconfig+route"
--    get_ifconfig_route >$LOGDIR/$SUF:ifconfig_route.txt
--
--    output -n "compare pre-openvpn ifconfig+route with current values..."
--    if diff $LOGDIR/$SUF:ifconfig_route_pre.txt \
--	    $LOGDIR/$SUF:ifconfig_route.txt >/dev/null
--    then
--	fail "no differences between ifconfig/route before OpenVPN start and now."
--    else
--	output " OK!\n"
--    fi
--
--    # post init script needed?
--    if [ -n "$test_postinit" ]; then
--        output "running post-init cmd: '$test_postinit'"
--        eval $test_postinit
--    fi
--
--    # expected ifconfig values in there?
--    check_ifconfig 4 "$expect_ifconfig4"
--    check_ifconfig 6 "$expect_ifconfig6"
--
--    run_ping_tests 4 want_ok "$ping4_hosts"
--    run_ping_tests 6 want_ok "$ping6_hosts"
--    output "ping tests done.\n"
--
--    output "stopping OpenVPN"
--    $RUN_SUDO $KILL_EXEC $opid
--    wait $!
--    rc=$?
--    if [ $rc != 0 ] ; then
--	fail "OpenVPN return code $rc, expect 0"
--    fi
--
--    output "\nsave post-openvpn ifconfig + route..."
--    get_ifconfig_route >$LOGDIR/$SUF:ifconfig_route_post.txt
--
--    output -n "compare pre- and post-openvpn ifconfig + route..."
--    if diff $LOGDIR/$SUF:ifconfig_route_pre.txt \
--	    $LOGDIR/$SUF:ifconfig_route_post.txt >$LOGDIR/$SUF:ifconfig_route_diff.txt
--    then
--	output " OK.\n"
--    else
--	output "\n\n" "`cat $LOGDIR/$SUF:ifconfig_route_diff.txt`" "\n"
--	fail "differences between pre- and post-ifconfig/route."
--    fi
--    if [ "$fail_count" = 0 ] ; then
--        output "test run $SUF: all tests OK.\n"
--	SUMMARY_OK="$SUMMARY_OK $SUF"
--    else
--	if [ "$V" -gt 0 ] ; then
--	    echo -e -n "$outbuf"
--	    echo -e "test run $SUF: $fail_count test failures. FAIL.\n"
--        fi
--	SUMMARY_FAIL="$SUMMARY_FAIL $SUF"
--	exit_code=30
--    fi
--
--    if [ -n "$test_cleanup" ]; then
--        echo -e "cleaning up: '$test_cleanup'"
--        eval $test_cleanup
--    fi
--
--done
--
--if [ -z "$SUMMARY_OK" ] ; then SUMMARY_OK=" none"; fi
--if [ -z "$SUMMARY_FAIL" ] ; then SUMMARY_FAIL=" none"; fi
--echo "Test sets succeeded:$SUMMARY_OK."
--echo "Test sets failed:$SUMMARY_FAIL."
--
--# remove trap handler
--trap - 0 1 2 3 15
--exit $exit_code
 diff --git a/version.m4 b/version.m4
 index 2776b82..fd6aab3 100644
 --- a/version.m4
 +++ b/version.m4
@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN])
  define([PRODUCT_TARNAME], [openvpn])
  define([PRODUCT_VERSION_MAJOR], [2])
  define([PRODUCT_VERSION_MINOR], [6])
--define([PRODUCT_VERSION_PATCH], [.3])
++define([PRODUCT_VERSION_PATCH], [.5])
  m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
  m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
  m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
  define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
--define([PRODUCT_VERSION_RESOURCE], [2,6,3,0])
++define([PRODUCT_VERSION_RESOURCE], [2,6,5,0])
  dnl define the TAP version
  define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
  define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])

Ubuntuopenvpn package

Merge ~lvoytek/ubuntu/+source/openvpn:openvpn-merge-2.6.5 into ubuntu/+source/openvpn:ubuntu/devel

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntu
openvpn package