Arne Schwabe [Wed, 29 Oct 2025 16:38:43 +0000 (17:38 +0100)]
Remove --memstats feature
The ``--mememstat`` was largely undocumented and there is no known
user of this feature. This feature provided very limited statistics
(number of users, link bytes read/written) and we do not except any
usage because of this.
The only documentation was a mention in --help without any mention of
the (binary) format of the mmap file or other usage instructions.
This deals also with issues reported by zeropath regarding potentially
insecure handling of the file permission of the memory mapped file.
Reported-by: Joshua Rogers <contact@joshua.hu> Found-by: ZeroPath (https://zeropath.com/)
Change-Id: I5f57e7bf52e3f6289462ef05e1f6e81ab0133d0d Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1329
Message-Id: <20251029163849.446-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34021.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 29 Oct 2025 07:06:56 +0000 (08:06 +0100)]
Install host routes for out-of-subnet ifconfig-push addresses when DCO is enabled
ifconfig-push and ifconfig-ipv6-push can configure the IP address of a
client. If this IP address lies inside the network that is configured
on the ovpn/tun device this works as expected as the routing table point to
the ovpn/tun interface. However, if the IP address is outside that range,
the IP packets are not forwarded to the ovpn/tun interface and Linux
and FreeBSD DCO implementations need a "connected" route so kernel
routing knows that the IP in question is a peer VPN IP.
This patch adds logic to add host routes for these ifconfig-push +
ifconfig-ipv6-push addresses to ensure that traffic for these IP
addresses is also directed to the VPN.
For Linux it is important that these extra routes are routes using scope
link rather than static since otherwise indirect routes via these IP
addresses, like iroute, will not work. On FreeBSD we also use interface
routes as that works and routes that target interfaces instead of
next-hop IP addresses are less brittle.
This setups an ifconfig-push addresses outside the --server/--server-ipv6
network and additionally configures a iroute behind that client. The
setenv-safe configure lwipovpn to use that additional IP addresses to allow
testing via ping.
Windows behaves like the user space implementation. It does not require these
special routes but instead (like user space) needs static routes to redirect
IP traffic for these IP addresses to the tunnel interface. E.g. in the example
above the server config needs to have:
Gert Doering [Tue, 28 Oct 2025 20:31:50 +0000 (21:31 +0100)]
zeroize struct image in packet_id_persist_save() before writing to disk
while this really is only a debug function, ensuring that no uninitialized
heap content ends up in padding in the structure and thus to disk is good
practice.
Reported-by: Joshua Rogers <contact@joshua.hu> Found-by: ZeroPath (https://zeropath.com/)
Change-Id: I7f4c7b0ca748975defca1e5104e7077a761cd49c Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1323
Message-Id: <20251028203156.11697-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg33983.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Tue, 28 Oct 2025 20:32:10 +0000 (21:32 +0100)]
remove redundant PULL_DEFINED() macro definition
this seems to be a leftover of the time when we had conditional
compilation for "--disable-server" or thus. Commit d6a0cf599
removed PUSH_DEFINED() nearby but overlooked this one.
Change-Id: I9118333bb65cd5db0836abefa5d45a729f0142cc Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1322
Message-Id: <20251028203219.11737-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg33984.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Ralf Lici [Tue, 21 Oct 2025 07:08:20 +0000 (09:08 +0200)]
management: ensure consistent BYTECOUNT timing on server
The BYTECOUNT notification is expected to be emitted every N seconds
when a management client issues the 'bytecount N' command. However, the
server currently relies on timeouts from unrelated periodic operations,
resulting in irregular notification timing.
This issue is especially noticeable with low bytecount intervals and DCO
enabled, as openvpn handles less traffic in userspace, causing the main
loop to run less frequently.
To address this, refactor the timeout logic and pass the timeval
reference to management_check_bytecount_server so that the timeout is
correctly set and notifications adhere to the specified interval.
Change-Id: Ifb1c49fce75e671f699f5db5f6da7246f6e0b519 Signed-off-by: Ralf Lici <ralf@mandelbit.com> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20251021070825.20773-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg33812.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 23 Oct 2025 15:56:08 +0000 (17:56 +0200)]
Warn if push is used without --mode server/--server/--server-bridge
This is not a supported configuration and will often work good enough
to get a connection working but will operate more in a weird pre P2P
negotiation compatibility way rather than actually negotiating
protocol features.
While at it, remove an unused macro (PUSH_DEFINED).
Change-Id: I82c7c61be07593ecd5bf2f854767dda74ab5170c Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1288
Message-Id: <20251023155614.20642-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg33856.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Joshua Rogers [Tue, 21 Oct 2025 17:20:52 +0000 (01:20 +0800)]
tcp: apply CLOEXEC to accepted socket, not listener
The accept path calls set_cloexec(sd) after accept(). That re-flags the
listening socket, which is already CLOEXEC from create_socket_tcp(), and
leaves new_sd inheritable. As a result, client-connect and auth scripts
spawned after accept can inherit the connected socket and read or write
the raw TCP stream. This defeats the stated intent to prevent scripts from
accessing the client socket.
This bug was found using ZeroPath.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <-MNw5Hu8h0rHV18x36ISt7V0UHchIO4i-JoAeV_wlxS1AmDIAe7YVYNput3_r2hiu3HhwxkhGyUhv4-iH_E7mf7nGjvocmGXlDq7Tjly5cE=@joshua.hu>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg33823.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Since OpenVPN spawns various child processes, it is important
that sockets are closed after calling exec.
The sitnl socket didn't have the right flag set, resulting
in it surviving in, for example, connect/disconnect scripts
and giving the latter a chance to abuse the socket.
Ensure this doesn't happen by setting FD_CLOEXEC on
this socket right after creation.
Reported-by: Joshua Rogers <contact@joshua.hu> Found-by: ZeroPath (https://zeropath.com/)
Change-Id: I54845bf4dd17d06cfc3b402f188795f74f4b1d3e Signed-off-by: Antonio Quartulli <antonio@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1314
Message-Id: <20251028162843.18189-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg33952.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Ralf Lici [Tue, 28 Oct 2025 11:33:05 +0000 (12:33 +0100)]
dco-freebsd: fix peer stats storage on client instances
Commit bf01a96 introduced a bug in the dco-freebsd path by attempting to
store peer statistics in a structure that only exists on server
instances. This leads to a SIGSEGV on non-server instances due to a NULL
multi_context pointer.
Resolve this by checking what mode the current instance is running in
and storing peer stats accordingly.
Steffan Karger [Sun, 26 Oct 2025 14:20:52 +0000 (15:20 +0100)]
Remove perf.c/perf.h
This code was always disabled by ENABLE_PERFORMANCE_METRICS being
commented out in perf.h. There was no configure flag. None of the
active developers remembers using it, the git log shows no actual
code changes since at least the project structure overhaul of 2012,
and tools like gprof are nowadays the go-to tool for performance
profiling. So, out with our custom implementation.
This was triggered by a bug report submitted by Joshua Rogers, who
used ZeroPath to discover we missed a perf_pop() call in one of the
error paths of ssl_mbedtls.c. This commit resolves that using git rm.
Arne Schwabe [Thu, 23 Oct 2025 11:11:33 +0000 (13:11 +0200)]
Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
These ciphers claim to be CBC but since they are also include an HMAC
are more a mix of AEAD and CBC. Nevertheless, we do not support these
and also have no (good) reason to support them.
This patch defines the flag if the SSL library does not define the flag
to also work when the SSL library is upgraded after OpenVPN has been compiled.
Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1294
Message-Id: <20251023111138.25245-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg33846.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Ralf Lici [Fri, 17 Oct 2025 20:58:31 +0000 (22:58 +0200)]
dco: remove dco_read/write_bytes from dco_context_t
Remove dco_read_bytes and dco_write_bytes from all dco_context_t
structures, as peer statistics are now stored directly in the
corresponding c2 fields across all DCO interfaces.
Ralf Lici [Sun, 19 Oct 2025 17:02:42 +0000 (19:02 +0200)]
dco-freebsd: store peer stats directly in c2
The dco_context_t structure includes a reference to the general context
structure c, which allows us to store dco_read_bytes and dco_write_bytes
directly as c2 fields. This aligns the FreeBSD implementation with how
we handle DCO peer stats on Linux and Windows.
Marco Baffo [Fri, 17 Oct 2025 20:19:12 +0000 (22:19 +0200)]
PUSH_UPDATE server: remove old IP(s) from vhash after sending a message containing ifconfig(-ipv6)
When sending a PUSH_UPDATE containing an ifconfig(-ipv6) option, we must add the new IP to the
multi_context vhash (hash table of the clients indexed by virtual IPs). Now in addition to
adding new client IPs, old IPs are also removed from vhash, allowing for a more complete update.
Change-Id: I07a8ddd9026eef64b6f5abde98702a9801616a5f Signed-off-by: Marco Baffo <marco@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1253
Message-Id: <20251017201916.21697-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg33412.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Ralf Lici [Fri, 17 Oct 2025 19:16:06 +0000 (21:16 +0200)]
options: warn and ignore --reneg-bytes/pkts when DCO is enabled
Thresholds specified by --reneg-bytes and --reneg-pkts cannot be
enforced when DCO is enabled, as it only provides global statistics.
Rather than adding complexity to support these options, ignore them when
DCO is enabled. Print a warning to inform users and update the manpage
accordingly.
win32: Change some APIs to use DWORD instead of size_t
This is what the Win32 APIs use. Since we put static
integers into this (e.g. sizeof()) this doesn't
result in new conversion warnings at the caller sites.
Change-Id: Ia836e3c05a868a7e8419c2bb2f547d968260783c Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1269
Message-Id: <20251013162221.2156-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59246222/ Signed-off-by: Gert Doering <gert@greenie.muc.de>
Christian Kujau [Mon, 6 Oct 2025 14:42:48 +0000 (16:42 +0200)]
doc: HTTPS upgrades and URL fixes throughout the tree
* HTTPS upgrades
* 404 fixes, with hopefully better helpful links to the relevant documentation
* some trailing white space fixes
* resurrect utun-demo.c from a different source
* Don't touch openvpn.doxyfile.in though, as it was autogenerated
* Don't touch COPYING as it's an external license file
* The openvpn.net URLs will be addressed some other time
Signed-off-by: Christian Kujau <github@nerdbynature.de> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20251006144249.23672-3-lists@nerdbynature.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59242866/ Signed-off-by: Gert Doering <gert@greenie.muc.de>
Christian Kujau [Mon, 6 Oct 2025 14:42:47 +0000 (16:42 +0200)]
doc: Fix hyperlinks in openvpn(8)
* http://www.cs.ucsd.edu/users/mihir/papers/hmac.html - 404, RFC104 basically
* http://sites.inka.de/sites/bigred/devel/tcp-tcp.html - 404, unfortunately
* http://www.ietf.org/rfc/rfc2246.txt - HTTPS upgrade to the HTML version
Signed-off-by: Christian Kujau <github@nerdbynature.de> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20251006144249.23672-2-lists@nerdbynature.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59242864/ Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Sun, 12 Oct 2025 16:59:36 +0000 (18:59 +0200)]
OpenVPN Release 2.7_beta3
version.m4, ChangeLog, Changes.rst
Changes.rst has not received an "2.7_beta3" section - it has the
"highlevel" overview of what is new in 2.7, but for alpha/beta releases
it's better to look at git log to see what has been added/fixed.
Notable changes beta2 -> beta3 are:
- even more of signed/unsigned related warnings have been fixed
- document that PUSH_UPDATE is (as of now) not compatible with DCO,
and add adequate checks
- improvements on PUSH_UPDATE handling on the server side
- bugfixes reconnect and PUSH_UPDATE handling on the client side
(notably handling of ifconfig/ifconfig-ipv6/redirect-gateway ipv6
if the server is not always pushing the same address families)
- improve "recursive routing checks", prepare the way for a
policy-based setup where "packets to VPN server" could end up
in the tunnel without interfering with OpenVPN operations
- improve unit testing, add more unit tests, fix unit test bugs
- add support for "eoch" data format to DCO on Windows
(needs dco-win driver 2.8.0+)
- clean up and remove outdated stuff from COPYING
Lev Stipakov [Sat, 11 Oct 2025 11:44:42 +0000 (13:44 +0200)]
Make recursive routing check more fine-grained
The existing recursive routing check drops TUN packets
if their address matches the remote. While this works in
most cases, a more fine-grained check is preferable for
complex routing rules.
Since we only need to drop traffic originating from OpenVPN,
all of the following values must match between the packet
and the link:
- IP protocol
- Transport protocol (TCP/UDP)
- Destination address
- Destination port
GitHub: #699
Change-Id: I6841e2f2a85275254a04e2d8ae3defe4420db8f6 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/903
Message-Id: <20251011114448.14501-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59245301/ Signed-off-by: Gert Doering <gert@greenie.muc.de>
test_user_pass: Check fatal errors for empty username/password
Required a fix to mock_msg to make tests of M_FATAL
possible at all.
This also tests some cases which arguably should throw
a fatal error but do not.
v2:
- Suppress LeakSanitizer errors for fatal error tests.
Due to aborting the function, the memory will not be
cleaned up, but that is expected.
v3:
- Disable assert tests with MSVC. Does not seem to catch
the error correctly.
- Rebase on top of parallel-tests series to get
AM_TESTS_ENVIRONMENT.
v8:
- Update srcdir handling according to master.
v10:
- Update mock_msg.c fatal handling to be compatible
with NO_CMOCKA.
Change-Id: Icabc8acf75638c86c8c395e9ffecba7a7226cd97 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/474
Message-Id: <20251010211154.2780-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59245149/ Signed-off-by: Gert Doering <gert@greenie.muc.de>
Marco Baffo [Thu, 9 Oct 2025 18:28:49 +0000 (20:28 +0200)]
PUSH_UPDATE server: check IV_PROTO before sending the message to the client
Before sending the PUSH_UPDATE message to the client, we must verify that
the client has actually sent IV_PROTO_PUSH_UPDATE to the server, declaring that
it supports push-updates.
Also fixed a gc_arena memory leak in one of the error paths and asserted
mi->context.c2.tls_multi .
Change-Id: I7c28da72be11c7efbed3068fbfc65f2959227bec Signed-off-by: Marco Baffo <marco@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1255
Message-Id: <20251009182855.18712-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59244566/ Signed-off-by: Gert Doering <gert@greenie.muc.de>
Marco Baffo [Fri, 10 Oct 2025 14:19:56 +0000 (16:19 +0200)]
PUSH_UPDATE server: bug-fix, reset buffer after processing
In the send_single_push_update() function the buffer containing
the message was not reset after processing, so o in a push-update-broad
the messages sent starting from the second client would have been
shrunk (offset advanced and size decreased).
Change-Id: I41d08a9a2e79ac1f1104e72dd5b7b7617e2071a0 Signed-off-by: Marco Baffo <marco@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1264
Message-Id: <20251010142002.27308-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59244933/ Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Removes unused field prompt_len
- Change field reponse_len to int since that
is what the code actually expects. Most callers
user a constant either way.
Change-Id: I04542e678f81d5d4a853b4370d9b8adc4dac1212 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1216
Message-Id: <20251010094753.2825-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59244794/ Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Thu, 9 Oct 2025 17:19:11 +0000 (19:19 +0200)]
Preserve ifconfig(_ipv6)_local across reconnect
Turns out that ifconfig_(ipv6)_local options are set once
and are not reset on a reconnect.
Consider following scenario:
- connect first time, server pushes ifconfig-ipv6
- add a ipv6 network route because ifconfig_ipv6_local is set
- reconnect, server doesn't push ifconfig-ipv6
Because of ifconfig_ipv6_local is not reset and holds the value
set by the first connect, client adds a ipv6 network route -
but this is wrong, since ipv6 wasn't pushed this time by the server.
Fix by saving/restoring ifconfig(_ipv6)_local in a
struct options_pre_connect along with other options which
preserves the initial values until --pull modifications
are applied.
Github: OpenVPN/openvpn#850
Change-Id: I9b099924286f9bccb6833e1e40606abe72714bbb Signed-off-by: Lev Stipakov <lev@openvpn.net>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1248
Message-Id: <20251009171916.12811-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59244523/ Signed-off-by: Gert Doering <gert@greenie.muc.de>
After removing --wrap from some other tests in
a previous commit I got confused here myself.
--wrap is really only needed when you have the
original function linked in. Somehow I thought
the call ordering and mocking logic needed this.
But this is wrong, so no need to use --wrap here
since we currently do not link any of those
functions.
Change-Id: I60df1e61ed89be52e9d032b5b49133a784f9811e Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1258
Message-Id: <20251008161357.5679-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59244071/ Signed-off-by: Gert Doering <gert@greenie.muc.de>
test_options_parse: Do not use uintmax_t instead of LargestIntegralType
At least on OpenBSD it seems that uintmax_t maps
to unsigned long long always, but LargestIntegralType
is unsigned long. So if we have a version of cmocka.h
that defines LargestIntegralType then respect that.
Change-Id: I59a49696acd665d43b21e5c23f24b86c15989cd6 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1256
Message-Id: <20251008133338.23652-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59243971/ Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Wed, 8 Oct 2025 12:37:51 +0000 (14:37 +0200)]
dco-win: support for epoch data channel
Starting from 2.8.0, dco-win driver supports epoch data channel.
This commit adds missing userspace part to query DCO drivers for epoch
data format support (always "false" for now for Linux and FreeBSD, true
if Win-DCO driver is 2.8 or later), and pass "CRYPTO_OPTIONS_EPOCH"
flag via a new OVPN_IOCTL_NEW_KEY_V2 ioctl() to windows driver to turn
it on, if negotiated.
Change-Id: Ib5ed5969dcd405a47e34ed8479b7ffaaa5c43080 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1219
Message-Id: <20251008123757.18670-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59243920/ Signed-off-by: Gert Doering <gert@greenie.muc.de>
Only Debian 11 (GCC 10) complains about this.
We decided not to add work-arounds for GCC 10
and older and instead accept that they do not
build -Werror clean.
Change-Id: I73c46ac630834a8cf8894aaa2dcc429fbedd3db7 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1179
Message-Id: <20251008105507.9997-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg33285.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
When parsing a "line" that is longer than the
available line buffer, then buf_parse was
eating up to 2 characters. It advanced past
them but they were not part of the output.
This can lead to unexpected results if buf_parse
is used in a while loop on unrestricted input,
like e.g. when reading configs (see in_src_get()
used for check_inline_file_via_buf()).
Change-Id: I3724660bf0f8336ee58c172acfb7c4f38e457393 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1246
Message-Id: <20251008103001.7696-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59243829/ Signed-off-by: Gert Doering <gert@greenie.muc.de>
Marco Baffo [Wed, 8 Oct 2025 08:30:41 +0000 (10:30 +0200)]
PUSH_UPDATE: disabling PUSH_UPDATE server and client if DCO is enabled
The PUSH_UPDATE currently doesn't work with DCO.
For example, in server, if a new ifconfig is sent, the DCO
doesn't receive the new peer address and the connection drops.
Similarly in the client when a PUSH_UPDATE is received, the tun is
closed and reopened but the DCO doesn't receive the peer info.
Change-Id: Ibe78949435bb2f26ad68301e2710321bf37c9486 Signed-off-by: Marco Baffo <marco@mandelbit.com> Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1245
Message-Id: <20251008083046.27209-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59243711/ Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Tue, 7 Oct 2025 20:28:10 +0000 (22:28 +0200)]
Document that tls-crypt-v2 can be used in connection profile
As reported in https://github.com/OpenVPN/openvpn/issues/795,
tls-crypt-v2 was not documented as an option that was allowed to be used
in <connection> blocks. This is a documentation mistake - it has from
it's introduction been possible to do so.
- Make some type casts explicit. Due to the types used
in our networking API and the netlink APIs respectively
this can't be avoided.
- In many cases just use correct types from the start, e.g.
where we use constants anyway.
Change-Id: I20205ebd06bbf7cbee8c9be93f399961f5b74fcc Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1251
Message-Id: <20251007122747.16064-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59243289/ Signed-off-by: Gert Doering <gert@greenie.muc.de>
COPYING: Remove licenses for software bundled in the Windows client
This is wildly outdated:
- we do not use NSIS or devcon.exe,
- the OpenSSL license hasn't been updated
In general this file is confusing, since clearly it only
applies to the Windows client. It does not document the
licenses used throughout the source code.
So instead of updating it here, move the duty of documenting
the licenses to the Windows installer build (in
openvpn-build repository).
v2:
- add back LZO linking exception, this is required for anyone
who wants to distribute openvpn binaries not just us.
Change-Id: I1aeed74dedf6dd5f559f4eb5cc84645f149ba788 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1249
Message-Id: <20251007104820.7781-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59243256/ Signed-off-by: Gert Doering <gert@greenie.muc.de>
uid_t/gid_t are int on many platform but unsigned
on at least Linux. So rewrite the code in a way that
does not make any assumptions about the types. Mainly
this means storing the information whether the value
is valid in a separate bool and not in the value
itself.
Note that this changes the return behavior of
platform_{user,group}_get but a review of the
callers determined that this makes no actual
difference.
Change-Id: Ie6b4c41d13544d5ba71d441cc794c7abd12408f3 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: MaxF <max@max-fillinger.net>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1206
Message-Id: <20251003100602.375062-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg33266.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Mon, 29 Sep 2025 15:28:41 +0000 (17:28 +0200)]
dco-win: fix broken ASSERT in dco_new_key
Commit
e77c343 ("dco_win: In dco_new_key, document size assumptions for the integer casts")
has added an ASSERT on key-id, but didn't take into account that
key-id 0 is a perfectly valid value and is the first key-id. This
essentially broke dco-win.
Fix by adjusting ASSERT to >= 0.
Change-Id: I3b1243461ec9b6e85897f452f78dc4b05f7e126d Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1223
Message-Id: <20250929152841.177424-1-frank@lichtenheld.com>
URL: https://sourceforge.net/p/openvpn/mailman/message/59240115/ Signed-off-by: Gert Doering <gert@greenie.muc.de>
ssl_openssl: Use uint16_t internally for TLS versions
libressl changed the API for the involved functions. Since
uint16_t is a true subset of int it should be safe to switch
to that for all OpenSSL variants.
One trivial drive-by fix in unrelated code to be able
to enable -Wconversion fully for the file. This just
adds a cast where the comment says we intend a cast.
Change-Id: I9ea87531afb553f789289787403900a4758b8e1c Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: MaxF <max@max-fillinger.net>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1212
Message-Id: <20250924150300.29318-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59238230/ Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 24 Sep 2025 20:35:52 +0000 (22:35 +0200)]
OpenVPN Release 2.7_beta2
version.m4, ChangeLog, Changes.rst
Changes.rst has not received an "2.7_beta2" section - it has the
"highlevel" overview of what is new in 2.7, but for alpha/beta releases
it's better to look at git log to see what has been added/fixed.
Notable changes beta1 -> beta2 are:
- even more of signed/unsigned related warnings have been fixed
- #pragmas have been added to all to-be-fixed source files, so we can
now always enable -Wconversion to see if new code brings new warnings
(and the CI infra builds with -Werror)
- add proper input sanitation to DNS strings to prevent an attack
coming from a trusted-but-malicous OpenVPN server (CVE: 2025-10680,
affects unixoid systems with --dns-updown scripts and windows using
the built-in powershell call)
- greatly improved event log handling for the Windows interactive service
- this brings build system changes and a new openvpnservmsg.dll
- bugfixes when using multi-socket on windows
(properly recognize that TCP server mode does not work with DCO,
properly handle TCP multi-socket server setups without DCO)
- bring back configuring of IPv4 broadcast addresses on Linux
(also backported to 2.6.15)
- Rename Fox Crypto to Sentyron in copyright notices
- Switch test_ssl certificate from RSA 2048 to secp384r1
(so "make check" runs with OpenSSL set to @SECLEVEL=3)
- repair "--dhcp-option DNS" setting in combination with DHCP (TAP)
or --up scripts (GH issue #839, #840)
- clean up MI prefix handling
- replace all assert() calls with OpenVPN ASSERT()
On Linux (and similar platforms), those options are written to a tmp file,
which is later sourced by a script running as root. Since options are
controlled by the server, it is possible for a malicious server to
execute script injection attack by pushing something like
--dns search-domains x;id
in which case "id" command will be executed as a root.
On Windows, the value of DOMAIN/ADAPTER_DOMAIN_SUFFIX is passed to
a powershell script. A malicious server could push:
--dhcp-option DOMAIN a';Restart-Computer'
and if openvpn is not using DHCP (this is the default, with dco-win driver)
and running without interactive service, that powershell command will be
executed.
Validation is performed in a way that value only contains following
symbols:
[A-Za-z0-9.-_\x80-\0xff]
Reported-By: Stanislav Fort <disclosure@aisle.com>
CVE: 2025-10680
Change-Id: I09209ccd785cc368b2fcf467a3d211fbd41005c6 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1213
Message-Id: <20250924201601.25304-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59238367/ Signed-off-by: Gert Doering <gert@greenie.muc.de>
Enable -Wconversion -Wno-sign-conversion by default
Grand-father all known locations of existing errors,
so that -Werror builds still pass and we do not spam
build logs.
Still, this should give us a much better roadmap to
work on these issues one by one while still enabling
the warnings for a lot of code-paths.
In general I did go for least amount of pragmas, so
usually there is only one override per file, covering
ALL of the failures in that file. While this protects
a lot of code that doesn't need it, it also cut down
the amount of pragmas by a lot.
This does cover gcc builds including mingw and clang
builds. Does not cover MSVC.
Once the amount of issues has been suitable reduced
more warnings could be enabled.
Change-Id: Iad5b00c35a1f1993b1fa99e8b945ab17b230ef59 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1168
Message-Id: <20250924122755.14391-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg33181.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
dns: Fix bug in error handling when talking to script
Comparing the result of read/write to a size_t value
is dangerous C. Since ssize_t and size_t have the same
size ssize_t is promoted to size_t, so -1 becomes
size_t max value and is not smaller than the expected
length.
Make sure to compare ssize_t to ssize_t to avoid any
suprises.
We take two values and try to massage them in various
ways. But this function only has one caller and that
puts exactly the same value into both of them. So
simplify the code.
Change-Id: I9cb8aa6ef01445cb99758583aba8ae8f9ded0862 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1209
Message-Id: <20250923160459.32273-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg33176.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Includes fixes for
- -Wimplicit-fallthrough=2
(=3 is default but requires replacing all
fallthrough comments)
- -Wmissing-field-initializers
- -Wold-style-declaration
- All other warnings that would need fixes are
disabled for now.
Change-Id: I9ce664d073a4e6a6d433e9e6f986a5086dae8aa1 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1202
Message-Id: <20250923140854.21766-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59237558/ Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Mon, 22 Sep 2025 08:02:59 +0000 (10:02 +0200)]
Fix t_net.sh / networking_testdriver after 'broadcast' change
Commit 0df0edc49c re-introduced explicit setting of broadcast addresses
for Linux IPv4 interfaces. t_net.sh verifies that the built-in netlink
code (sitnl) achieves the same result as "equivalent" iproute2 statements
- and we missed adjusting of these iproute2 statements (printed by
networking_testdriver). Done.
Change-Id: I5fea6ca1ccadb434b5c4f4b49881524a079a9d15 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1203
Message-Id: <20250922080305.18477-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59236810/ Signed-off-by: Gert Doering <gert@greenie.muc.de>
projects / thirdparty / openvpn.git / log
