4491 commits

This branch

This branch

All branches

Author	SHA1	Message	Date
Gert Doering	706fcc7d1a	OpenVPN Release 2.7_rc6 ... version.m4, ChangeLog, Changes.rst Changes.rst has not received an "2.7_rc6" section - it has the "highlevel" overview of what is new in 2.7, but for alpha/beta/rc* releases it's better to look at git log to see what has been added/fixed. Notable changes rc5 -> rc6 are: - bugfix on restarting a p2mp server instance with SIGUSR1 (inadvertedly closing fd 0, causing a crash on the next restart - GH #966) - prevent NULL pointer crash on suitable combination of --dns-updown statements in openvpn config file (not pushable) - prevent inappropriate management interface activity if a password is set and --management-forget-disconnect or --management-signal are active - more conversion warnings fixed - Windows: interactive service - some initial unit tests added for the most complex string conversion function (ConvertItfDnsDomains()) - remove #ifdefs around socket sendbuf/receive buf handling, assuming that all platforms that have POSIX sockets have this. - add mbedTLS 4 support - fix check for failed fork() in port-share code Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-28 15:04:31 +01:00
Gert Doering	5521872f80	tunnel_server(): close correct inotify fd ... On a full SIGUSR1 restart of a p2mp server compiled with --enable-async-push, tunnel_server() will try to close and reopen the "inotify" control file descriptor. For whatever reason, the original code referenced the wrong context, always closing fd 0. As a consequence of this, on the second SIGUSR1 restart, the server will close() the first active socket file descriptor, and if there are active DCO clients, the resulting event confusion will lead to an ASSERT(!mi->halt). Fix by closing the correct FD. Add logging. Github: fixes OpenVPN/openvpn#966 Change-Id: Iabc117848ad7b67d240c392f1a6aa2d7531fd5bb Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1497 Message-Id: <20260128110425.24350-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35478.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-28 14:19:40 +01:00
Heiko Hund	62a17417de	Prevent NULL pointer dereference with --dns-updown ... If the dns-updown option appears in the config twice, there is a chance of a NULL pointer dereference when comparing the script path to the default script path. This happens when a custom script is set, after the dns-updown script was disabled first. In that case the script path is NULL, which leads to the deref during a strcmp(3). Reported-by: <aarnav@srlabs.de> Change-Id: Id530d890ba01cffb74d3dc04ad10b153f7bea1d4 Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1498 Message-Id: <20260128110443.24410-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35479.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-28 14:16:42 +01:00
Frank Lichtenheld	4bf05d487c	manage: Do not trigger actions on management disconnect if not authenticated ... If the management interface requires authentication via password and the remote did not specify it, do not do trigger actions requested by --management-forget-disconnect and --management-signal on disconnect. Reported-By: Joshua Rogers <contact@joshua.hu> Found-By: ZeroPath (https://zeropath.com) Github: openvpn-private-issues#5 Change-Id: I575d65912ce9065a0b0868e73998b4a9aece62af Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1484 Message-Id: <20260122125707.108048-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35390.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-27 15:19:07 +01:00
Frank Lichtenheld	e1e3b9aed1	status: Avoid conversion warnings in status_read/status_printf ... Just use explicit casts. len is limited by BCAP and c is limited by being from buf_read_u8. So they are safe. In case of status_printf this is only for Windows. len is limited by sizeof(buf), so also a safe cast. Change-Id: Iff1343a2f8cc7e32b8f36b359a00248e4dc3e8c9 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1485 Message-Id: <20260122154751.155227-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35398.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-26 17:31:49 +01:00
Frank Lichtenheld	447d04fe50	GHA: Run openvpnserv UT for MinGW builds ... Should have been added in commit b10ee38ccd. Note that test_openvpnserv.exe lives in a separate directory, so we need to make the code a bit more flexible. Change-Id: If61a91b4580864fd22162c94467ba3dda2045b7b Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1487 Message-Id: <20260126151122.588-1-gert@greenie.muc.de> Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-26 16:37:10 +01:00
Frank Lichtenheld	83f9c55efb	test_openvpnserv: Make sure to include config.h ... Otherwise the check for cmocka version doesn't work. Includes the update to vcpkg in GHA since that exposed the problem. chore(deps): update vcpkg digest to 6d332a0 Change-Id: I3b246bcc36ba35c2ed9630dc18e97aff436eaa0b Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1488 Message-Id: <20260126145558.31460-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35437.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-26 16:32:26 +01:00
Frank Lichtenheld	57e701129e	socket: Remove ifdef for SO_{RCV, SND}BUF ... Seems all our platforms define it. Reported-by: Marc Heuse <marc@srlabs.de> Github: Fixes OpenVPN/openvpn#965 Change-Id: I87679949bdef6319d7490d561f0136633244c2b9 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1486 Message-Id: <20260126145432.31249-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35435.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-26 16:29:20 +01:00
Frank Lichtenheld	22a7010f5b	route: Fix conversion warnings on BSDs ... Mostly just use better types. And in some places remove overloading of variables with nicer C11 code. Change-Id: Idbb5c0fff759a2e645a8b4f62266509e32e3a44e Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1481 Message-Id: <20260122133050.117000-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35394.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-25 18:37:34 +01:00
Frank Lichtenheld	c7fbd8a302	GHA: Update mbedtls to v4 ... Also switch from Make to CMake for building it because the former is not supported anymore. Change-Id: I658b1b24da304938225a8f834d7484671a63360f Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Yuriy Darnobyt <yura.uddr@gmail.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1474 Message-Id: <20260124181814.30331-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35421.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-24 23:10:44 +01:00
Max Fillinger	494fb71804	Add support for Mbed TLS 4 ... This commit adds support for Mbed TLS 4. This version comes with some drastic changes. The crypto library has been completely redesigned, so the contents of crypto_mbedtls.c are moved to crypto_mbedtls_legacy.c and crypto_mbedtls.c handles the crypto for version 4. Mbed TLS 4 also removed the feature for looking up a crypto algorithm by name, so we need to translate algorithm names to Mbed TLS numbers in OpenVPN. The tables are not yet complete. For symmetric algorithms, I have added AES and Chacha-Poly which should be enough for most use cases. Change-Id: Ib251d546d993b96ed3bd8cb9111bcc627cdb0fae Signed-off-by: Max Fillinger <maximilian.fillinger@sentyron.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1441 Message-Id: <20260123164746.7333-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35401.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-24 18:49:44 +01:00
Frank Lichtenheld	b10ee38ccd	openvpnserv: Add a first unit test ... This adds the required build infrastructure and adds tests for two functions related to GetItfDnsDomains(). Change-Id: I33583e51e1143c53fbe0aef16546fa3f602b17c0 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1459 Message-Id: <20260119215058.27888-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35345.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-24 18:23:05 +01:00
Frank Lichtenheld	cd533c483a	openvpnserv: Factor out the string conversion from GetItfDnsDomains ... Mostly so that we can actually test it. Since that code does some in-place conversions a test would be good. Change-Id: Ib517457015b754d59aeb70827c4795aa6154728c Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Heiko Hund <heiko@openvpn.net> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1458 Message-Id: <20260119214927.27766-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35343.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-24 17:27:38 +01:00
Frank Lichtenheld	fdfe0abeef	openvpnserv: Fix conversion warnings in interactive.c ... Mostly DWORD vs. size_t conversions where we have no choice but to cast. Change-Id: I864cd4a718886f437b72e93d0286f90fcb73592b Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Heiko Hund <heiko@openvpn.net> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1457 Message-Id: <20260120155547.116088-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35356.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-24 16:54:01 +01:00
Arne Schwabe	1fe958183f	Silence compiler truncation warning by checking snprintf return value ... On the more recent mingw compilers (homebrew mingw 13.0.0, GCC 15.2.0) the compiler complains about a potential truncation in these two places. src/openvpn/tun.c:3806:57: error: '%s' directive output may be truncated writing up to 255 bytes into a region of size 178 [-Werror=format-truncation=] This not very helpful but checking the snprintf return value will make the compiler not warn about this. Change-Id: I54b11a5540fb236580a3b80c6d1e8678b24bd852 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1272 Message-Id: <20260121121830.27244-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35367.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-24 16:47:48 +01:00
Frank Lichtenheld	1a31efb495	port-share: Check return value of fork() ... While here, do some small C11 code cleanup. Reported-By: Joshua Rogers <contact@joshua.hu> Found-By: ZeroPath (https://zeropath.com) Github: openvpn-private-issues#12 Change-Id: I5eac1b31ae40eb957e2c12ca6c37b491fef32847 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1470 Message-Id: <20260119171216.6100-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35337.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-24 14:36:34 +01:00
Frank Lichtenheld	b28321edfe	ssl_ncp: Avoid conversion warning in replace_default_in_ncp_ciphers_option ... Change-Id: I380e842b7429060d13bc0264e55fa5c06ab427df Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1452 Message-Id: <20260122125829.108470-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35391.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-24 14:33:22 +01:00
Frank Lichtenheld	2cc00e80bc	socket: Avoid conversion warning in get_addr_generic ... We already check earlier that bits is smaller that max_bits, so the cast is safe. While reviewing the callers, remove some unused variables. Change-Id: I5ad13bc6674b3403251cc552d1f2c0f057431817 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1475 Message-Id: <20260119122556.15225-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35324.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-19 18:07:50 +01:00
Frank Lichtenheld	de3ef0dc65	ssl_verify_openssl: Avoid conversion warning in x509_verify_cert_ku ... Just use the correct types. v2: - Change type of expected_len argument to size_t Change-Id: Ia6c3f0395bd6cd67064fe77420d9df2b66763049 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1445 Message-Id: <20260119122058.14865-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35322.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-19 18:05:08 +01:00
Frank Lichtenheld	2ece9a5df5	cryptoapi: Avoid conversion warnings ... Due to the differences in the types of APIs between xkey provider and Windows cryptoapi we can't avoid the casts. And they should be safe generally since the involved sizes should be small compared to the maximum values. So just add asserts and explicit cast to avoid the warnings. Change-Id: I789022af7c4977c4dff4f7671f491fe5836828fa Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Selva Nair <selva.nair@gmail.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1464 Message-Id: <20260116135729.40545-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35304.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-19 12:38:50 +01:00
Frank Lichtenheld	07fc73025b	crypto_openssl: Fix various conversion warnings ... EVP_CIPHER_CTX_flags is documented to output int in OpenSSL, but is actually unsigned long in OpenSSL 3. In libressl it is correctly documented to output unsigned long. Change-Id: I99bc4692526f9143a913e29b266a1816295dfd51 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1446 Message-Id: <20260116172010.25278-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35311.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-17 17:24:21 +01:00
Gert Doering	957f0713ea	OpenVPN Release 2.7_rc5 ... version.m4, ChangeLog, Changes.rst Changes.rst has not received an "2.7_rc5" section - it has the "highlevel" overview of what is new in 2.7, but for alpha/beta/rc* releases it's better to look at git log to see what has been added/fixed. Notable changes rc4 -> rc5 are: - CVE 2025-15497 in epoch key handling (an authenticated remote system can send a valid OpenVPN data packet that triggers an edge case where a too-strict check would trigger an ASSERT(), exiting OpenVPN) - remove "resolve --remote on incoming TCP connects on --tcp-server" code base, because that did not work in a long time (since 2.4) and is seen as too obscure and too complicated to rescue. - repair interaction between DCO and persist-tun after reconnection (in this case the client side would fail to set up the DCO event handler, and not notice further --ping timeouts - GH: #947) - remove ENABLE_X509ALTUSERNAME conditional, always enabling "configure --enable-x509-alt-username". Effectively no change in code size, and one less build variant to maintain and test (GH: #917). - require "script-security 2" when using --dev unix:<program> - socks client: fix and improve various code parts - configure etc: drop support for systemd 216 and older, adapt other checks to reflect modern systemd setups - fix unit test building with libcmocka 2.0+ - fix Android build warnings about unused variables/methods - allow --test-crypto to run without --secret (prepare for removal of --secret after 2.7) - improve WolfSSL build compatibility Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-15 12:54:15 +01:00
Arne Schwabe	e0e0720ac3	Correctly handle sender jumping exactly epoch_data_keys_future_count ... When the sender jumps forwards exactly epoch_data_keys_future_count in its epoch key use the housekeeping logic does not handle this correctly and triggers an ASSERT. Change the code to correctly implement the special case when the new epoch key of the sender is the highest valid key epoch in the current window of valid epoch keys for receiving data. Change-Id: Ib581c02a29b974184256a9f4ad0ce15ba5f9db3b Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-By: Max Fillinger <maximilian.fillinger@sentyron.com> Reported-By: Pavel Kohout of Aisle Research <pavel.kohout@aisle.com> Github: closes OpenVPN/openvpn-private-issues#103 CVE: 2025-15497	2026-01-15 11:10:56 +01:00
Frank Lichtenheld	8c3671dbd5	forward: Avoid conversion warning in ipv6_send_icmp_unreachable ... Since all values are limited by MAX_ICMPV6LEN we can just cast to uint16_t. While here remove a unused gc arena in neighbouring code. Change-Id: I701f9e0a96a7b43f278f8e6089e9156feab772c8 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1472 Message-Id: <20260115091124.23360-1-gert@greenie.muc.de> URL: https://sourceforge.net/p/openvpn/mailman/message/59283657/ Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-15 11:08:19 +01:00
Frank Lichtenheld	6768ef1dab	error: Remove our implementation of static_assert ... It is C11, so it should be present in all our compilers. Change-Id: I9cb14b9f44409ec5c78044ddb216a2b4dced0f9b Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1471 Message-Id: <20260115092552.25011-1-gert@greenie.muc.de> URL: https://sourceforge.net/p/openvpn/mailman/message/59283672/ Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-15 11:04:50 +01:00
Frank Lichtenheld	b34dc9279d	ssl_verify: Fix parsing of timeout from auth pending file ... Make sure the value is not negative before casting it to unsigned. Change-Id: I8a5efb2ed009a702f10dc8f40c677f014547b4c8 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1451 Message-Id: <20260115093235.25635-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35275.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-15 10:36:11 +01:00
Frank Lichtenheld	b2cc5c2ec4	socks: In establish_socks_proxy_udpassoc check result of recv_socks_reply ... Not just check the return value but also that relay_addr is valid. recv_socks_reply doesn't care whether the answer is what we expected. This is probably a very unlikely edge case but it doesn't hurt to check for it here. Reported-By: Joshua Rogers <contact@joshua.hu> Found-By: ZeroPath (https://zeropath.com) Github: openvpn-private-issues#13 Change-Id: Ic1c8f24de423541bdc85e70b5a688213800d86de Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1469 Message-Id: <20260114135807.20637-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35249.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-14 19:38:28 +01:00
Frank Lichtenheld	d61d3c2a71	socket: Remove old 'dynamic remote' feature ... So apparently when using --proto tcp-server --tls-server --remote, AND the remote is not resolvable on startup then we would preserve the remote name and resolve it later on connect. Except that when the remote is not resolvable I never managed to get it to create a listening socket in the first place. Originally I looked into this code because ZeroPath claimed it was broken. I think that report was correct but I think it is much easier to declare this feature dead instead of trying to fix it. It is undocumented and if it is usable then only in very specific circumstances that are hard to figure out. Github: openvpn-private-issues#13 Change-Id: I0141945469dd11340bfb42ec37a3c5f90ed0ff52 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1468 Message-Id: <20260113121512.12057-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35232.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-14 14:30:40 +01:00
Gert Doering	52c3b435b1	Repair interaction between DCO and persist-tun after reconnection ... When --persist-tun is active, openvpn userland on Linux and FreeBSD fails to re-enable "poll for DCO events" after a reconnect (e.g. triggered by a ping timeout). The reconnect will still work fine, but the *next* DCO event notification from the kernel will not be received by OpenVPN userland, and so the system will get into an inconsistent state (Userland assumes "all is well", kernel DCO has disconnected the peer, connection is broken until the next tls-renegotion and/or manual restart, *and* the next DCO key setup might fail due to "peer id gone"). This only affects client side, --server tun is always "persistent", and there is no "full restart" (and the code path in question is also only used for client and p2p server). The root cause is an incorrect check for "is this interface up?" when calling dco_event_set() in forard.c::io_wait() - "c2.did_open_tun" is only true if the tun interface was actually configured on this reconnect, which it isn't if --persist-tun is active. Replace with a check for "do we have a tuntap structure, and if yes, do we have active DCO?" which reflects the original intent much better. The original code also had a check for "out_socket & EVENT_READ" there, which did to some extend avoid calling dco_event_set() for every single UDP packet sent and received by userland - but this only worked on initial connection, and is always true on reconnect, so this condition was removed for simplicity. We should come back here... v2: - some language fixes on the commit message - do not check ->dco.open in forward.c, as this is not available if not on FreeBSD, or if compiled with --disable-dco. FreeBSD DCO does the "if (!dco || !dco->open)" check in dco_event_set() anyway, so it's not needed, and Linux DCO has "dco->nl_sock", which is also reliably set/unset, and checked by dco_event_set() already. Github: OpenVPN/openvpn#947 Change-Id: Idbd0a47ba4d297a833a350611a23f19fd9a797b5 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@mandelbit.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1473 Message-Id: <20260114112403.7046-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35239.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-14 12:29:58 +01:00
Gert Doering	faac9681cc	remove ENABLE_X509ALTUSERNAME conditional ... This is one of the #ifdef producing compile-time variants that make the code harder to read and harder to test. The extra code size due to turning it on is marginal. The mbedTLS backend does not (yet) support it. To cope with that, add a minimum function x509_username_field_ext_supported() that always returns "false", and omit the --x509-username-field from the help text if ENABLE_CRYPTO_MBEDTLS. Implement this on another day. Github: closes OpenVPN/openvpn#917 Change-Id: I3f661cf305c52652e430b8d219df5186dd8ea4f7 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1442 Message-Id: <20260114110452.4976-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35237.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-14 12:13:47 +01:00
Arne Schwabe	4a15d4e51d	Require script-security 2 when using unix: tun ... Since this executes an executable from an arbitrary path, it should follow the same rules as other scripts/executable. Reported-By: Petr Simecek, Pavel Kohout and Stanislav Fort from Aisle Research Change-Id: I89dcab24ba510094ce1672e382960bf15def310a Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1465 Message-Id: <20260113072750.16015-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35223.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-13 09:19:48 +01:00
Frank Lichtenheld	d104917e34	socks: Fix wrong success check in socks_username_password_auth ... Due to wrong boolean operator the function did not correctly detect when the authentication failed. Reported-By: Joshua Rogers <contact@joshua.hu> Found-By: ZeroPath (https://zeropath.com) Github: openvpn-private-issues#4 Change-Id: I13b411fb3e8b913ae049c6ca8a1cf5a2edbab0fb Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1466 Message-Id: <20260112180304.8742-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35219.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-13 08:19:45 +01:00
Frank Lichtenheld	e2d0e85606	socks: Replace magic "10" for socks header with macro ... So that it is easier to check that we indeed have reserved this prior to assuming we have. Github: openvpn-private-issues#4 Change-Id: I0aca7e7d9aa190541f11745cf72193cb6b39540a Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1467 Message-Id: <20260112171122.3994-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35214.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-12 18:59:45 +01:00
Frank Lichtenheld	50a6b663e4	configure.ac: Clean up systemd support ... - Do not try to handle very old systemd that was released over ten years ago (remove SYSTEMD_NEWER_THAN_216) - Do not require systemd.pc. I can't find any indication that we use any of the variables defined by it. (It does not define any libraries, just variables) - Remove check for sd-daemon.h. We did not use the conditional and assumed it was there already. - Allow libsystemd.pc to define cflags. Previously we ignored those. Change-Id: Ie59e03ce01575acaeaf690f582eb5cfa80eb37fc Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1463 Message-Id: <20260109163514.23051-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35203.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-09 18:19:26 +01:00
Frank Lichtenheld	20f8127bcd	Fix building test_tls_crypt with cmocka 2.0 ... This was missed in commit 6db186e0b1 since we only built with cmocka 2.0 on macOS and that doesn't build test_tls_crypt. Now that we build with cmocka 2.0 also on Debian Sid we noticed the additional issues. Change-Id: Ibc964c13724316ca96276ba6b7d34dbbfcf52064 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1460 Message-Id: <20260108154248.21706-1-gert@greenie.muc.de> Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-08 16:50:36 +01:00
Frank Lichtenheld	f94a3ad2ba	Update Copyright statements to 2026 ... Change-Id: I1728fcb75284ba106e5c37ef53f6e568b64fb647 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1456 Message-Id: <20260108074915.9417-1-gert@greenie.muc.de> URL: https://sourceforge.net/p/openvpn/mailman/message/59280815/ Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-08 10:59:57 +01:00
Frank Lichtenheld	13e339e976	GHA: Maintenance update January 2026 ... Includes the following renovate changes: - chore(deps): update dependency aws/aws-lc to v1.66.2 - Update lukka/get-cmake action to v4.2.1 - chore(deps): update github actions - chore(deps): update vcpkg digest to eeb00f1 Change-Id: I637cc37f82d96a7d15738cc39523664777714e97 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Yuriy Darnobyt <yura.uddr@gmail.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1455 Message-Id: <20260107173402.5614-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35175.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-07 22:10:56 +01:00
Arne Schwabe	4859d259f2	Fix warnings on Android about unused variables/methods ... Add the things we do not use to the print message to avoid ifdefs around the otherwise unused variables. Change-Id: I33d1d04b59c62e87ab61d768a7201124ccdabd07 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/894 Message-Id: <20251219134706.164040-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35156.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-12-29 16:58:54 +01:00
Arne Schwabe	927b45dde7	Allow test-crypto to work without the --secret argument ... The --test-crypto still requires the --secret argument. Since --secret will be removed in OpenVPN 2.8 but we want to keep test-crypt, remove the dependency of test-crypto on --static. Instead we will just generate a random key for this selftest method. This also removes the extra logic that is a leftover from the early multi-thread implementation attempt. Change-Id: I72947bd4f0213fd118327f740daeb1d86ae166de Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1435 Message-Id: <20251219135110.166468-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35157.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-12-22 13:09:24 +01:00
Frank Lichtenheld	6db186e0b1	tests/unit_tests: Port to cmocka 2.0.0 API ... But add compat layer so that we can still build against older versions of cmocka. Mostly this is trivial but the custom check function changed its prototype, so that requires some more work. Change-Id: Ifb6594700db71d219643a29c581099c778bcbbc6 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1449 Message-Id: <20251218104042.5961-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35144.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-12-18 12:21:28 +01:00
Arne Schwabe	ab5887cfbd	Ensure wolfSSL uses old pre 1.1.0 OpenSSL path for getting ciphers ... Normally when wolfSSL is compiled with --enable-openvpn it reports an OpenSSL version before 1.1.0. When compiled normally it reports an OpenSSL version higher than this. So explicitly check for wolfSSL instead of relying on its OpenSSL version trickery. Change-Id: I47fc0dc93a7ed6b71feb611194cee02a81d91769 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1448 Message-Id: <20251217130743.28786-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35127.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-12-18 11:28:22 +01:00
Gert Doering	7e052cf29a	OpenVPN Release 2.7_rc4 ... version.m4, ChangeLog, Changes.rst Changes.rst has not received an "2.7_rc4" section - it has the "highlevel" overview of what is new in 2.7, but for alpha/beta/rc* releases it's better to look at git log to see what has been added/fixed. Notable changes rc3 -> rc4 are: - Windows interactive service: do not configure adapter DNS if there are no search-domains but there are resolve-domains (which get resolved via NRPT rules) - GH: OpenVPN/openvpn#473 - improve documentation and error messages for a number of deprecated options - improve documentation for not-really-deprecated-yet ``--ns-cert-type`` - Windows IPv4 configuration with netsh.exe: ensure addresses are added with "store=active" (ensure proper cleanup) - GH: OpenVPN/openvpn#915 - Windows: set UTF8 code page in openvpn.exe manifest, to make cert/key loading work again for files with non-ASCII characters in their file name (GH: OpenVPN/openvpn#920) - tun.c: unify read_tun()/write_tun() functions for all BSD platforms - more type conversion related cleanups - add NULL check before freeaddrinfo() call, which might lead to a crash on OpenBSD (GH: OpenVPN/openvpn#930) - add NULL check to mbedtls handling of external and inline certificates - add check for auth none / cipher none on FreeBSD DCO - add CAP_SYS_NICE to positive list in Linux systemd unit files (GH: OpenVPN/openvpn#834) - drop mbedtls 2.x support (which is end of life, and work on mbedtls 4 is much simplified by not having to take care of 2.x compat as well) - PUSH_UPDATE: bugfix for the client side where split/continued messages (due to large number of "route" statements) would not correctly handle the full set of routes. Add unit test. (GH: OpenVPN/openvpn#925) - new unit test module for mbuf handling - deprecate --fast-io option (it got partially broken by the multisocket implementation, and the benefits of the existing implementation did not outweigh the extra code complexity to make it work again) - change the ssl_ctx in struct tls_options to be a pointer - this is a shared data structure between various contexts, but previously it was shallow-copied, leading to needless CRL reloading - and when working on implementing the new OpenSSL CRL API, to segfaults (the existing code works, as these new APIs are not used yet). Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-12-17 15:48:47 +01:00
Arne Schwabe	44dd39b3ef	Change ssl_ctx in struct tls_options to be a pointer ... The SSL CTX is shared between all of the instances. So any change to the SSL CTX will affect all instances. Currently the CRL is also reloaded potentially multiple times as each copy of tls_root_ctx has its own crl_last_mtime and crl_last_size values that will be checked if the CRL reload is necessary. Changing it to a pointer will make it more clear that this is shared and also the CRL being reloaded multiple times. Change-Id: I21251a42f94fa1d9de083d2acd95b887658c5760 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: MaxF <max@max-fillinger.net> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1431 Message-Id: <20251216144207.12171-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35116.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-12-16 18:20:06 +01:00
Frank Lichtenheld	18d1b1fe00	multi: Warn about failing read in multi_process_file_closed() ... Handle failure explicitly instead of the implicit handling by "while (buffer_i < r)". That error checking was previously broken but was fixed by commit 5e5ead5ba0. Reported-by: Marc Heuse <marc@srlabs.de> Github: openvpn-private-issues#101 Change-Id: Ie982f620a8af80564a70d993e6e84ec4e525236a Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1443 Message-Id: <20251215155652.23362-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35095.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-12-15 18:24:29 +01:00
Frank Lichtenheld	cb4d5426d0	buffer: Change buf_prepend and buf_advance to accept ssize_t for length ... We already have tests to make sure the value is sane. Changing the argument to ssize_t allows to use it in more places without needing to do a cast before the checks. Change-Id: I123002255b37160d48ef6481f68a89d03073236b Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1437 Message-Id: <20251215160541.24237-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35099.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-12-15 17:09:22 +01:00
Frank Lichtenheld	a4b51e68ff	manage: Avoid several conversion warnings by using the correct types ... Change-Id: I0c5ef13d6fa6c1dd15da934a33e904c2fdacb731 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1438 Message-Id: <20251215152355.20654-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35077.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-12-15 16:48:31 +01:00
Frank Lichtenheld	5e5ead5ba0	multi: Fix various conversion warnings ... Mostly make required casts explicit. Change-Id: I88cd7e1ebb49e97db33bad75c4fbbe23d196e964 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1313 Message-Id: <20251215145840.18310-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35073.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-12-15 16:42:13 +01:00
Frank Lichtenheld	e2c97f3833	multi: Fix type handling for hashes, mostly inotify_watchers ... Change-Id: Idede28c850def5e3b4a17dcbd0a5771f15cfc668 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1312 Message-Id: <20251215145528.18047-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35072.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-12-15 16:37:26 +01:00
Frank Lichtenheld	310c6b9e78	multi: Fix wrong sigma value in multi_push_restart_schedule_exit ... Sigma was computed based on the absolute time and not the delta. Note that this probably makes no actual difference in practice. The sigma value is irrelevant on first call and multi_push_restart_schedule_exit should not be called multiple times since it is only called if deferred_shutdown_signal.signal_received is not set, yet. Change-Id: I62b8263f18c4e2e7f5ecacb4616737f5ba836303 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1311 Message-Id: <20251215150500.18898-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35075.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-12-15 16:32:56 +01:00
Frank Lichtenheld	223192a092	schedule: Rework documentation for schedule_add_entry ... The previous documentation was very misleading and made it hard to understand how the sigma parameter is used. Rewrite it so that it better reflects the actual implementation. Change-Id: Idd79f7cbd38e8b0831f15866339c3677a367cd49 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1439 Message-Id: <20251215144656.17299-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35070.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-12-15 16:29:53 +01:00