Gert Doering [Thu, 31 Jul 2025 06:51:26 +0000 (08:51 +0200)]
OpenVPN Release 2.7_alpha3
version.m4, ChangeLog, Changes.rst
Changes.rst has not received an "2.7_alpha3" section - it has the
"highlevel" overview of what is new in 2.7, but for alpha/beta releases
it's better to look at git log to see what has been added/fixed.
New features alpha2 -> alpha3 are
- --dns-updown script for macOS
- client-side support for PUSH_UPDATE handling
- support for floating TLS clients when DCO is active
(handling float notifications sent from kernel to userland)
- use of user-defined routing tables on Linux
- PQE support for WolfSSL
Besides new features, alpha3 sees a rewrite of the way kernel events
are handled by the linux DCO module, because under certain circumstances
notifications could get lost, leading to problems later.
Lev Stipakov [Thu, 31 Jul 2025 12:24:05 +0000 (14:24 +0200)]
Fix DNS options duplication on PUSH_UPDATE
Commit
2dfc4f ("dns: deal with --dhcp-options when --dns is active")
has removed reset of tuntap DNS options. Due to that, incoming --dns
options are added to existing ones instead of overwriting them.
It has also added a new storage for --dhcp-option. The push-update
code didn't clear it and as a result, incoming --dhcp-option options
were added to existing ones instead of overwriting them.
Fixed by:
- resetting tuntap DNS options (regression from abovementioned commit)
- clearing dhcp options storage in push-update code
GitHub: fixes OpenVPN/openvpn#804
Change-Id: Ife4d8fc5f8e2183e61226d66a76bbaa02c06f787 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Heiko Hund <heiko@openvpn.net>
Message-Id: <20250731122410.12200-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32448.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Update systemd service name param to match command
The service name displays `%I` which invokes systemd's path mangling
(notably, converting `-` to `/`), suggesting you need to provide an
encoded parameter (via e.g. `systemd-escape`), but the start command
itself uses `%i` which doesn't do the conversion.
This updates the service name to match the start command.
Signed-off-by: Terrance <git@terrance.allofti.me> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250729180014.11550-2-sourceforge@terrance.allofti.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32423.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Thu, 31 Jul 2025 10:48:27 +0000 (12:48 +0200)]
Fix --dns options for TAP adapter
Commit
2dfc4f ("dns: deal with --dhcp-options when --dns is active")
has accidentally removed setting of the DHCP_OPTIONS_DHCP_OPTIONAL
flag when copying --dns options. This flag is required to apply options
via DHCP string, which we do for TAP adapter. As a result, --dns options
stopped working for TAP.
Fix by setting this flag when copying --dns options to tuntap_options.
Change-Id: Id95cd14095a03afb3140a03ae96e9f5679e4fe89 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250731104833.23305-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32436.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Wed, 30 Jul 2025 18:04:26 +0000 (20:04 +0200)]
Fix broken DHCP options
Commit
2dfc4f ("dns: deal with --dhcp-options when --dns is active")
broke support for --dhcp-options. It removed the setting of the
DHCP_OPTIONS_DHCP_OPTIONAL flag for some DHCP options. This flag is
required for those options to be applied correctly, as it is used
when building the DHCP options string that is passed to the TAP driver.
This commit fixes the issue by restoring the setting of this flag.
GitHub: fixes OpenVPN/openvpn#791
Change-Id: I0d75efcceb826d06e74abd003d5377468ff9fe3b Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250730180527.25339-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32427.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
To support link-local (IPv6) addresses we must pass the scope to the kernel as
well. We should also extract it from the kernel notification for float events.
Signed-off-by: Kristof Provost <kprovost@netgate.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250729093857.37832-1-kprovost@netgate.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32401.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Marco Baffo [Tue, 29 Jul 2025 10:41:01 +0000 (12:41 +0200)]
PUSH_UPDATE: Added update_option() function.
When the function receives an option to update, it first checks whether it has
already received an option of the same type within the same update message.
If it has already received it, it simply calls add_option(), otherwise it
deletes all the values already present for that option first.
Change-Id: Ia45c99e6df7b3ad24020c10b8a9b3577984ecdc2 Signed-off-by: Marco Baffo <marco@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250729104110.27704-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32408.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Marco Baffo [Tue, 29 Jul 2025 10:40:50 +0000 (12:40 +0200)]
PUSH_UPDATE: Added remove_option() and do_update().
* Added remove_option() function and some utility functions to remove options at
runtime following the push-update logic.
* Added do_update() function to close and reopen the tun and apply option updates.
Change-Id: I507180d7397b6959844a30908010132bc3411067 Signed-off-by: Marco Baffo <marco@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250729104056.27634-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32407.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Marco Baffo [Tue, 29 Jul 2025 10:40:39 +0000 (12:40 +0200)]
PUSH_UPDATE: Allow OpenVPN in client mode to receive and handle PUSH UPDATE control messages to allow options updating at runtime.
* Added IV_PROTO_PUSH_UPDATE flag bit to support push-updates.
* Added process_incoming_push_update(), in a separate file to create tests more easily.
* Modified incoming_push_message(), process_incoming_push_msg(), apply_push_options(),
apply_pull_filter() to process also push-update messages.
* Added the check_push_update_option_flags() function used in apply_pull_filter() to
check options formatting inside push-update messages, if the options are updatables
and to check for '?' and '-' flags that may be present in front of the options.
The '-' flag is used to indicate that the option in question should be removed,
while the '?' indicates that the option is optional and to do not generate
errors if the client cannot update that option.
For more info you can read the RFC at https://github.com/OpenVPN/openvpn-rfc .
* Created some unit tests for the push-update message handling in test_push_update_msg.c.
Change-Id: I6ecd4cb47571cc8c20e46de8595c742aeec6064a Signed-off-by: Marco Baffo <marco@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250729104045.27582-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32406.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
dco-freebsd: always enable float notification support
If the kernel doesn't support it we'll simply never get the notification. In
other words, there's no downside to always enabling this, so let's do that.
Signed-off-by: Kristof Provost <kprovost@netgate.com>
Message-Id: <20250729093907.37849-1-kprovost@netgate.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32402.html Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: Gert Doering <gert@greenie.muc.de>
This was relatively complex for the actual usage.
Looked at the code because of -Wconversion warnings
related to the len argument. So this should also be
gone.
Change-Id: I7efc77f63734501dfa8a8f5bed17b1a1b4e9e201 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250728125647.26992-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32396.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Mon, 28 Jul 2025 08:42:49 +0000 (10:42 +0200)]
mudp.c, multi.c, multi_io.c: get rid of 'all three DCO platforms' #ifdefs
With commit b66b80b2a all three platforms with DCO support have DCO float
notifications now, so the #ifdef inside multi_process_incoming_dco() is
no longer needed.
Also, the whole notification block (process_incoming_del_peer() and
multi_process_incoming_dco()) was surrounded by an
#ifdef ENABLE_DCO "and all 3 platforms"
which is also not making sense anymore (if we add a fourth DCO platform,
we need to aim for having "all notifications from day 1", at least having
the stubs and defines).
Last not least, the event stuff in mudp.c and multi_io.c had grown the
same construct - and we'll need events for any future DCO platform, too.
So, fix those #ifdef as well, while at it.
Change-Id: I6977d23b5289eba5db436608e0500216e0e689ec Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Message-Id: <20250728084255.1824-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32377.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
This patch is intended to reduce code duplication and
cleanup the DCO code around the PEER_GET command.
Specifically it:
* unified PEER_GET reply parser for `multi` and
`non-multi` case
* unified PEER_GET request trigger for `multi` and
`non-multi` case
* dropped struct multi_context from the argument list of
dco_get_peer_stats_multi()
Github: closes OpenVPN/openvpn#800
Change-Id: Icbc70225d53ca678b8c22ed437b424c16e199d66 Signed-off-by: Antonio Quartulli <antonio@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250727102245.24931-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32361.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
add flag to print addresses in a consistent format during float
Introduce the MAPF_SHOW_FAMILY flag to prepend the address family to the
address when printing an mroute_addr object, similar to
print_sockaddr_ex(). This ensures that when logging a float operation,
both the old and new addresses are printed in the same format:
$proto:[$family]$address:$port.
Note: when using this flag with an IPv4-mapped IPv6 address, the output
will appear as: [AF_INET6]a.b.c.d
Change-Id: I43cd3d564d8c6ad4e41de5a38130d90cb6778395 Signed-off-by: Ralf Lici <ralf@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250725194147.17517-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32345.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Currently whenever we send a PEER_GET request to ovpn, we also
set the CB that is supposed to parse the reply.
However, due to the async nature of netlink messages, we could
get an unrelated notification, sent by ovpn (kernel) upon some event,
after userland has set the CB, but before parsing the awaited reply.
When this happens, the notification is then parsed with the
configured CB instead of the notification parser, thus effectively
rejecting the notification and losing the event.
To fix this inconsistency, make ovpn_handle_msg() the default and
only netlink parser CB. It is configured upon DCO initialization
and is never removed.
ovpn_handle_msg() will check the message type and will call the
corresponding handler. This way, no matter what message we get at
what time, we'll always parse it correctly.
As a bonus we can also simplify the nl_sendmsg() API as we
don't need to pass the cb and its argument anymore.
The ID of the NLCTRL family is now also stored in the DCO
context as we need it to check when we receive a mcast ID
lookup message.
Change-Id: I23ad79e14844aefde9ece34dadef0b75ff267201
Github: closes OpenVPN/openvpn#793 Signed-off-by: Antonio Quartulli <antonio@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250725172708.19456-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32339.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
ovpn_handle_msg() is soon becoming the main entry point for parsing
*all* incoming netlink messages. For this reason it is essential
that this function is kept simple and slim.
Move all code parsing netlink multicast notifications to their own
helpers and then invoke them.
This patch does not introduce any functional change.
It is intended in preparation for extending ovpn_handle_msg() to
become a genering netlink message parser.
Change-Id: I7bbc40b7b66f6e0512cd2cf9791766bcc4970461 Signed-off-by: Antonio Quartulli <antonio@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250723153224.13708-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32298.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Future DCO code will require accessing the `multi` member of the
context object.
For this reason a pointer to the context has to be stored in the
DCO context along with the rest.
At this point, rather than making the call to ovpn_dco_init()
longer with more and more parameters, pass the struct context
only and let the implementation extract the needed fields.
Change-Id: I673a17f8c5dec66cc6c28c1ed44780a7a63927d7 Signed-off-by: Antonio Quartulli <antonio@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250723133918.19431-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32293.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
In preparation for the implementation of a generic netlink
message parser, move all parsing functions above ovpn_handle_msg().
The latter is soon going to become a generic message parser which
will invoke specific handlers, thus they are required to be defined
earlier in the file.
No functional change is intended.
This patch is only meant to reduce entropy in the patch which will do
the real netlink parser change.
Better reviewed with: git show --color-moved
Change-Id: I94004579aef4a1ccccdbcf8edd7b722e5a611c72 Signed-off-by: Antonio Quartulli <antonio@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250723060747.19524-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32263.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
dco_linux: use M_FATAL instead of M_ERR in netlink error code paths
Netlink code doesn't set errno upon error (with the exception of
any *alloc() function which probably inherits the errno=ENOMEM
from the underlying malloc call), therefore we should not print
error messages with M_ERR, but rather rely on M_FATAL.
M_ERR is equivalent to M_FATAL with the addition of appending
": $errno" to the error string.
Since errno is not meaningful in this context, we can just opt
for the less confusing M_FATAL.
Change-Id: Ifc442b4426c02de7282d0f69629e8a10b679c589 Signed-off-by: Antonio Quartulli <antonio@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250723063039.25449-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32271.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Extend the log message printed when an instance floats to an address
already taken by another instance with the same certificate. The updated
message now includes the instance being closed, the reason it's being
closed, and the new instance taking over that address.
Change-Id: I217cfb319b85fd75a88f7d4d50c374d28771df28 Signed-off-by: Ralf Lici <ralf@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250718191702.9451-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32226.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Multi-socket: Fix assert triggered by stale peer-id reuse
Fixed a bug where clients using different transport
protocols (UDP, TCP) could interfere with each other
after a server restart.
The issue occurred when a client reused a previously
assigned peer-id that was now associated with a
different client using a different transport protocol.
For example, a UDP client could send packets with a
peer-id now assigned to a TCP client, which lacks
a valid context->c2.from which is filled by the
recvfrom(), causing an assert to be triggered.
A protocol check has been added to prevent packets
from different protocols from hijacking active
connections.
Github: OpenVPN/openvpn#773
Change-Id: Iecbbcf32c0059f2b16a05333b3794599060d7d6a Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250718185559.4515-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32220.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
When a peer changes its UDP endpoint, the DCO module emits a
notification to userpace. The message is parsed and the relevant
information are extracted in order to process the floating operation.
Note that we preserve IPv4-mapped IPv6 addresses in userspace when
receiving a pure IPv4 address from the module, otherwise openvpn
wouldn't be able to retrieve the multi_instance using the transport
address hash table lookup.
It may happen that a netlink notification gets lost, causing us to skip
a float step. If the peer then floats back to its previous address,
userspace closes the only valid instance while trying to process the
float, leading to a segfault. To prevent this, we ignore float attempts
to an address already taken by a peer with the same peer ID.
Change-Id: I33e9272b4196c7634db2fb33a75ae4261660867f Signed-off-by: Ralf Lici <ralf@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@mandelbit.com> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20250718122230.14008-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32210.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
configure.ac: Remove use of PKCS11_HELPER_LIBS in mbedTLS checks
This code was copied over and over since many years,
since commit 9a3f670248d6f519a399e65a7232e2196b5115db
("Fixed autoconf script to properly detect missing pkcs11
with polarssl"). It is unclear what exact purpose it
served back then but probably it is obsolete. It is
definitely wrong since it means that you get
PKCS11_HELPER_LIBS even if you do not specify
--enable-pkcs11.
Change-Id: I317be5253d6563906dd3826421dc81f737beba76 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20250716151857.385959-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32187.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
In case more than one openvpn connection is coming up or going down at
the same time, there is potential for breakage, since the operations
performed are not atomic.
Introduce a locking mechanism, which let's scripts run in sequence, to
prevent races between them.
Change-Id: I7adfaa08df6a17545cca8264d7230b5e65e49719 Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20250711100700.241668-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32108.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
In case anything changed the global DNS server addresses, while the
tunnel was connected, do not restore the backup of the global DNS
configuration we made when connecting. Doing so would likely change
DNS to something unexpected. Instead just clear the backup and leave
a message in the log.
Change-Id: I1aabd62e60dd18408a57baccbb0f4ebd6d2f8d67 Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250711152309.286177-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32110.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 15 Jul 2025 12:29:49 +0000 (14:29 +0200)]
Cleanup/simplify mbed TLS related define from autoconf
Instead of a custom logic using 0/1 to be defined when the functions
are present or not, use the standard check and adjust the source code
accordingly.
Also not compile mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
The helper methods are only used when we don't have
MBEDTLS_SSL_KEYING_MATERIAL_EXPORT and mbedtls_ssl_export_keying_material.
Remove AEAD check that tests for presence of mbedtls_cipher_write_tag
and mbedtls_cipher_check_tag. Having an mbed TLS version that does not
support that is highly unlikely. It might have been a good check in
PolarSSL's time but is not today anymore.
This also adds some missing support for mbed 2.x related defines to
cmake based build.
Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250715122957.22311-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32145.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
When connections go up and down there are situations where search
domains of a split DNS connection are either lost, or survive the
lifetime of the connction. This can happen when there is also a
connection that modifies the global DNS setting. When it backs-up the
global settings before modifying them, or when it restores the backup,
the search domains could contain or miss VPN domains from other
connections, leading to misconfiguration.
The fix is to also update the backed-up search domains when a split DNS
connection comes up or goes down. That way the backup is always up to
date and restoring it will keep the global search domains as expected.
Change-Id: Ide2cddad193c636eb440c9752751176dae0a6897 Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20250714160903.7479-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32127.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
OpenSSL.crypto.load_crl was deprecated with with pyOpenSSL 23.3.0 and
eventually removed in 24.3.0. pyOpenSSL recommends using cryptography.x509's
CRL functions as a replacement.
See also: https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst
Signed-off-by: Christian Schürmann <spike@fedoraproject.org> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20250704082813.99654-2-spike@fedoraproject.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32037.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
This adds a new multi-socket server that listens on IPv4 and IPv6
localhost addresses for TCP and UDP connections respectively. It also
adds two success tests and one failure test with wrong protocol defined
at the client side.
Change-Id: I4ebe1158c36a641888131e824f59004a0f8fb4c5 Signed-off-by: Samuli Seppänen <sasepp@pm.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250708073359.32549-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32061.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Fri, 27 Jun 2025 08:24:53 +0000 (10:24 +0200)]
dns: create NRPT registry key if it doesn't exist
Windows 2019 Server by default does not have the key where local system
NRPT rules are stored. Tests have determined that NRPT is actually
working when rules are created under the key. So, instead of failing if
the key doesn't exist, we create it, and things will start working.
Github: OpenVPN/openvpn#768
Change-Id: I46132ebaf3bf3b16798b6f2416f7bf7272f5646b Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20250627082500.17075-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32001.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Thu, 26 Jun 2025 09:30:00 +0000 (11:30 +0200)]
run forced --dns-updown without --script-security
Due to a shortcut in the `--dns-updown force' implementation, running the
default dns-updown script required `--script-security 2'. This makes the
forced default script run without --script-security set.
Change-Id: I55940b78e35f0e3d74aa6cba14378afed97a444e Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250626093006.24789-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31994.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Thu, 26 Jun 2025 09:19:52 +0000 (11:19 +0200)]
fix macOS dns-updown handling of parallel full redirects
The script didn't handle scenarios well where two or more parallel VPN
connections want to replace the default DNS server. The DNS configuration
has a chance to get broken by the connections going down in a different
order than they came up in.
Disallowing all but the first connection to modify the default DNS server
will effectively prevent this issue. While it may break DNS for the
latter connections, it is the best we can do without knowing specifics
about the configurations.
Change-Id: I7b413578a8fc0c65fca26f72b901a9f7bc34b137 Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20250626091959.23505-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31988.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Ralf Lici [Wed, 25 Jun 2025 16:26:31 +0000 (18:26 +0200)]
dco linux: avoid sending local port to ovpn
When sending an OVPN_CMD_NEW_PEER netlink message to ovpn, we currently
attempt to include the local port along with the local address. However,
`dco_multi_get_localaddr()` does not record the port, so we end up
sending a zero value. This zero is rejected by ovpn's netlink policy,
leading to an error and aborted connection.
Since openvpn does not actually need to send the local port because the
module retrieves it directly from the socket, this commit ensures that
only the local address is sent.
Change-Id: I5d9535d46e5a5488f4a2b637a6fcb99aad668fee Signed-off-by: Ralf Lici <ralf@mandelbit.com> Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Message-Id: <20250625162638.7769-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31971.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Ralf Lici [Mon, 23 Jun 2025 14:07:43 +0000 (16:07 +0200)]
dco linux: avoid redefining ovpn enums
Starting with Linux kernel version 6.16, a couple of ovpn-related enum
definitions were introduced in the `include/uapi/linux/if_link.h`
header. Redefining them in openvpn when they are already present in the
system headers can lead to conflicts or build issues.
This commit ensures that enum redefinitions are avoided by conditionally
using the existing definitions from the system header when available.
Add the ability for users to specify a custom
routing table where routes should be installed in.
As of now routes are always installed in the main
routing table of the operating system, however,
with the new --route-table option it is possibile
to specify the ID of the default routing table
to be used by --route(-ipv6).
Please note: this feature is currently supported
only by Linux/SITNL.
Support for other platforms should be added in related backends.
Trac #1399
Change-Id: I3e4ebef484d2a04a383a65ede5617ee98bf218a7 Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250622110311.1140-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31946.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 18 Jun 2025 13:37:38 +0000 (15:37 +0200)]
OpenVPN Release 2.7_alpha2
version.m4, ChangeLog
Changes.rst has not received an "2.7_alpha2" section - it has the
"highlevel" overview of what is new in 2.7, but for alpha/beta releases
it's better to look at git log to see what has been added/fixed.
The only new feature alpha1 -> alpha2 is "TLS 1.3 support with
bleeding-edge mbedTLS versions"
Optimize the current local_list implementation
by replacing the static array with a resizable
one, as the static allocation serves no real
purpose, particularly on the client side.
Github: OpenVPN/openvpn#682
Change-Id: I32effed9e273fbe8986d1f4e8da4a4d0ac216463 Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250618140016.2766-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31927.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Wed, 18 Jun 2025 12:48:29 +0000 (14:48 +0200)]
dns: deal with --dhcp-options when --dns is active
Since --dns settings overrule DNS related --dhcp-options,
remove the latter when values were defined via --dns.
To stay as backward compatible as possible, we add foreign_options to
the script hook environment from the --dns values when a --up script
is defined. In that case the default --dns-updown is not run, even
when --dns values are present, to prevent double DNS configuration.
This way an existing --up script that deals with DNS can run, without
the immediate need to change after an openvpn upgrade and a server
pushing --dns options.
If you specify a custom --dns-updown, or force running the default
dns-updown that comes with openvpn, those compat env vars are not set
for --up scripts and the dns-updown command is run, even when there's
an --up script present.
Since Android uses the DNS values from tuntap_options, we always
override those with --dns stuff unconditionally. Also on Windows when
--ip-win32 is dynamic or adaptive, since DHCP relies on these as well.
Change-Id: I635c4018fb43b5976a39b6a90cb2e9cb2570cd6a Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250618124835.24737-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31922.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Ralf Lici [Tue, 17 Jun 2025 08:41:28 +0000 (10:41 +0200)]
Preserve socket protocol during float processing
During a float operation, we remove the old `mroute` object
corresponding to the current multi instance from the hash table and
insert a new one. With the introduction of the multi-socket feature, the
`mroute` structure gained a `proto` field, which must also be set in the
new instance, otherwise, hash table lookups will fail.
This commit ensures that the `proto` field is propagated from the
original to the new `mroute` object during float processing.
The ovpn netlink code reports more verbose error
strings to help userspace understand what went wrong,
rather than just returning, for example, -EINVAL.
However, userspace must instruct the kernel netlink
subsystem that it wants to receive such strings.
code for parsing such strings has always been present
but it was never used.
Set the socket option which enables such reporting.
Change-Id: I4457b1d7262e0a39c275d33aaef6c4bcbeae6ab3 Signed-off-by: Antonio Quartulli <antonio@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250609100216.3997-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31885.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Delete old sample-windows file and obsolete Windows sample handling
This file is apparently over 20 years old and
was never updated besides fixing some obvious
syntax errors with new versions.
So let's just get rid of it. AFAICT the Windows
installer does not use it. Only the
{server,client}.ovpn. And even there, it just uses
the files directly from the build directory and
does not depend on us renaming them (which is
obvious since we do not use the Makefile at all
in the Windows build, only CMake).
Github: Closes OpenVPN/openvpn#758
Change-Id: I15c730c9eb3f1338019577e7c665c0ca5b1edcd4 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250602153900.29646-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31850.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Tue, 20 May 2025 08:55:06 +0000 (10:55 +0200)]
win: fix collecting DNS exclude data
The size of the returned MULTI_SZ wide domains string was calculated
wrongly. Instead of adding the size of a WCHAR, only the size of a char
was used. As a result, the domains string was stored too short and was
missing the final string terminator.
DHCP assigned DNS server addresses are separated by space, not comma.
These spaces were not replaced by semicolon, as the spec requires.
Heiko Hund [Tue, 20 May 2025 10:51:12 +0000 (12:51 +0200)]
win: match search domains when creating exclude rules
Compare local domains for exclude rules to search domains and skip
matching ones. This prevents the creation of exclude rules when the
server indicates that the domain should be resolved via the VPN, by
pushing the search domain.
Change-Id: I4919af2b845a47787c08f454b108ef376ea5c0f6 Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20250520105119.10431-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31731.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Tue, 20 May 2025 07:33:48 +0000 (09:33 +0200)]
dns: fix potential NULL pointer dereference
Fix issue reported by Coverity (CID 1646952): Dereferencing a pointer
that might be NULL dvf when calling env_set_write_file.
In addition to the fix, inline the write_dns_vars_file() helper function.
Also output a log line in case this error happens, because when it
happens it will hinder communication with the updown runner process, i.e.
setting up / tearing down DNS things will not work as expected.
Change-Id: I275bf939f43577427e14890e7093d63c5213ae5d Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250520073354.17091-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31720.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
This fixes almost all of the remaining warnings in our
doxygen. Mostly about missing parameters in otherwise
documented functions (completely undocumented functions
do not cause warnings).
Other changes:
- Exclude out/ directory (used by CMakePresets.json)
- Output doxygen warnings into a separate file, which
can be used by CI systems to check for new warnings
- Increase DOT_GRAPH_MAX_NODES to avoid warnings about
some of the central header files (syshead.h and buffer.h)
Change-Id: I3bf775bbdea742575210606e174ccafe840677c9 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20250519143550.21761-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31712.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
socket: don't transfer bind family to socket in case of ANY address
With the introduction of multisocket, we need to transfer the
AI family of the bound address to the socket, as it may differ
from what was set globally.
However, this operation makes sense only when getaddrinfo()
for bind is performed on a non-empty hostname.
An empty hostname (ANY) may return AF_INET which will break
following connection attempts to v6 only remotes.
Change-Id: I27f305d3ae9bf650bab409e99173688d9f88ab65 Signed-off-by: Antonio Quartulli <antonio@mandelbit.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20250325090121.28813-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31235.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sun, 18 May 2025 22:02:39 +0000 (00:02 +0200)]
Make --dh none behaviour default if not specified
Nowadays ciphers that are using still DH and not ECDH are rarely chosen
as best cipher suite. Our man page even indicates that OpenSSL 1.0.1+
supports ECDH cipher suites. So it does not feel useful to force
specifying --dh anymore.
Side note: Custom generated Diffie Hellmann parameters are also
discouraged nowadays. The newest OpenSSL FIPS libraries even flat
out reject them:
FIPS 186-4 type domain parameters no longer allowed in FIPS mode,
since the required validation routines were removed from FIPS 186-5
But instead of adding support for loading the well-known curve just make
dh none the default and the recommended option as finite field Diffie
Hellmann is being deprecated anyway
(https://datatracker.ietf.org/doc/draft-ietf-tls-deprecate-obsolete-kex/)
and not supported by TLS 1.3 at all.
Change-Id: Ica02244c9f0ac9b4690a51f940fda9d900465289 Signed-off-by: Arne Schwabe <arne-openvpn@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250518220245.24489-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31695.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Sat, 17 May 2025 09:26:26 +0000 (11:26 +0200)]
dns: don't publish env vars to non-dns scripts
With --dns-updown in place we no longer need --dns option related vars in
the environment for other script hooks. Code for doing that is removed and
the function to set --dns stuff made static, for internal use only.
Change-Id: I3fb01ab76cf3df0874ba92e08f371d17607a8369 Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250517092637.2103-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20250517092637.2103-1-gert@greenie.muc.de Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Sat, 17 May 2025 08:38:27 +0000 (10:38 +0200)]
dns: support running up/down command with privsep
With --user privileges are dropped after init. Unfortunately this
affects --dns-updown when undoing previous modifications.
To keep the privileges for just that, the concept of a dns updown runner
in introduced. It's basically a fork of openvpn at the time the
modifications to DNS are made. Its only capability is running the
--dns-updown command when asked to. The parent openvpn process signals
this by writing to a pipe the runner is waiting on.
Commands need to be ready to receive variables from a file instead of the
process environment. A shameless and effective workaround to keep the
protocol between the two processes simple.
Change-Id: I6b67e3a00dd84bf348b6af28115ee11138c3a111 Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250517083833.28728-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31668.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Ralf Lici [Thu, 15 May 2025 15:00:31 +0000 (17:00 +0200)]
Implement ovpn version detection
Add detection of the ovpn kernel module type: if a backported
(out-of-tree) version is loaded, the MODULE_VERSION string is read from
sysfs; otherwise, for the in-tree module, the function reports the
kernel release and version.
Change-Id: I7fc033a7ffee73045316763356a95d75ef23f5ad Signed-off-by: Ralf Lici <ralf@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250515150038.30097-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31652.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Wed, 14 May 2025 13:53:27 +0000 (15:53 +0200)]
dns: apply settings via script on unixoid systems
This introduces a new script hook, the dns-updown, and implements such a
command script for a few popular systems (and a default for the not so
popular ones). Like the name suggests this hook is soleley for dealing
with modifying how names are resolved when the VPN pushes some --dns
settings.
The default dns updown command is part of the distribution and is
installed with openvpn. You can change the path the command is located
at as a compile time option, defaults to libexecdir.
You can compile-time disable that the default dns-updown hook is
run by passing --disable-dns-updown-by-default to configure or
ccmake ENABLE_DNS_UPDOWN_BY_DEFAULT to OFF.
There's also a new runtime option --dns-updown, which can run a custom
command, force running the default when disabled or disable execution
of the dns-updown altogether.
Change-Id: Ifbe4ffb44d3bfcaa50adb38cacb3436fcdc71b10 Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250514135334.14377-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31639.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Tue, 13 May 2025 15:09:59 +0000 (17:09 +0200)]
win: remove Wintun support
Since DCO supports modern ciphers and server mode,
there is no reason to support Wintun anymore.
This also removes --windows-driver option support. The
default driver is DCO, as it has been since 2.6. If for
some reasons one doesn't want to use it, --disable-dco
multiplatform option will switch to tap-windows6.
Change-Id: I43ec390040bffeec05270271ea7fb54fb219c536 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250513151006.13617-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31631.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Sat, 10 May 2025 18:19:30 +0000 (20:19 +0200)]
win: create adapter on demand
The installer currently creates one adapter per driver. When a user tries
to start a second VPN connection while another is active, the client
fails with an unclear error message:
"All ovpn-dco adapters on this system are currently in use or disabled."
This message does not guide the user toward resolving the issue, such as by
running the shortcut "Add a new dco-win virtual network adapter."
To improve user experience, the client will now create an adapter on demand
when no available adapters exist. The client sends a command specifying
the adapter type to the interactive service, which then executes tapctl.exe
to create a new adapter.
This feature requires the interactive service, but this should not pose a
problem since even our automatic service has recently started relying on the
interactive service.
GitHub: OpenVPN/openvpn#728
Change-Id: I621d44ec6b0facc524875c15ddfd11ec47b06c15 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20250510181937.2993-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31617.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
When we check for the header and then symbols
in that header combine this so that the
relationship between the tests is clear and
that we do not do tests we know will fail.
Change-Id: I0c4fce76c81c5297ff5469d787114f1279bf35e5 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20250508174624.7504-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31602.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
CMake: Make sure to treat UNIT_TEST_SOURCEDIR as path
This makes sure that it is properly normalized, and
on Windows seems to prevent CMake from using back
slashes which would break the build due to "unknown escape
sequence" errors.
Change-Id: I2551edfaaf5107649398a3fa1db2009ee8644671 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20250507121226.13824-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31587.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Mon, 5 May 2025 14:22:16 +0000 (16:22 +0200)]
Add information-gathering about DNS resolvers configured to t_client.sh(.in)
With the patchsets to add DNS configuration on Unix+MacOS systems, and
the addition of test stanzas to excercise and verify the OS specific
"dns-updown" script, it becomes important to trace test failures
("did it not ping because the DNS was not installed, or did something
else fail?") and also verify that DNS config is properly restored at
the end of each test.
Linux is probed with "resolvectl status", if available, and
"cat resolv.conf" if not. MacOS uses scutil --dns.
All other platforms use "cat resolv.conf" for now (because even if
"a tool to maintain DNS config" is available, in the end resolv.conf
is always where the final config lands).
Include a bit of restructuring to handle linux iproute2 testing in the
"Linux" branch, and make the control flow more amenable to having a
second case / esac block.
Change-Id: I9cae7314203424e4a604073c5445559260172477 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250505142224.24935-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31568.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Mention its default (on non-Windows systems), rephrase for brevity, fix
grammar, correct the module environment variable name and remove a wrong
default mentioned in a related option. Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250426121903.67930-1-kn@openbsd.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31514.html
Arne Schwabe [Fri, 25 Apr 2025 13:09:54 +0000 (15:09 +0200)]
Fix mbed TLS key exporter functionality in 3.6.x and cmake
Cmake did not check for the mbedtls_ssl_set_export_keys_cb symbol
when generating an mbed TLS configuration. This causes no actual
working key exporter to be in the binary.
Also add an explicit #error to catch this situation during compilation.
Change-Id: If38e80e268dc0ee7e57de2c175c5b4db0ce55ed0 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250425131002.21772-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31510.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Thu, 17 Apr 2025 13:46:30 +0000 (15:46 +0200)]
ssl_openssl.c: Prevent potential double-free
Fixes a potential double-free issue in tls_ctx_load_cert_uri()
by explicitly nullifying the pointer immediately after calling
OSSL_STORE_INFO_free(info).
This ensures that subsequent cleanup won't attempt to free the same
structure again.
Github: closes OpenVPN/openvpn#726
Change-Id: I4507be07cd5573b2117e837ef03187535a38a4b1 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Message-Id: <20250417134636.21279-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31478.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
projects / thirdparty / openvpn.git / log
