cryptoapi: Change signature of parse_hexstring to match code
parse_hexdigest is a function that is used in
exactly one place (not counting tests). So
change the types in a way that they match what
the caller actually wants (DWORD) and so we
do not have any unnecessary conversions.
Change-Id: I525a5b1b9b6f173cdf12341aefc44d58f0d43aed Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1492
Message-Id: <20260304164502.15449-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35901.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
buffer: Add checked_snprintf function and use it in the code
This reintroduces a function that converts the result
of snprintf to a boolean since the check is always the
same but annoyingly verbose. And it gets worse when you add
-Wsign-compare.
So in preparation of introducing -Wsign-compare wrap this
check in the function.
This somewhat reverts the removal of openvpn_snprintf.
But note that that was originally introduced to work
around the broken snprintf of Windows. So this is not
exactly the same. For this reason I also classified this
as a buffer function and not a compat function.
Change-Id: Ia3477b8ee7a637c15aad7f285144280595cda5d5 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1489
Message-Id: <20260304110455.15859-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35872.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
buffer: Add BLENZ macro that returns size_t and use it where required
The big int-vs-size_t length confusion in buffer and its
users can't be solved easily or quickly. So as a first step
document which users of BLEN actually already want a size_t
return. This is better than adding manual size_t casts since
it should be easier to change the API later.
This will also help with the -Wsign-compare introduction.
This does not actually change any behavior. The compiler
already did all of these casts implicitly. We just make
them explicit.
Change-Id: I4e75ba1dbc6d9a0f75298bc900f713b67e60d096 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1132
Message-Id: <20260304105944.15386-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35870.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 16 Feb 2026 16:22:31 +0000 (17:22 +0100)]
Merge stream_buf_get_next and stream_buf_set_next
The stream_buf_set_next prepares a buffer in the stream_buf
structure that will be retrieved by stream_buf_get the next
time it is used.
This temporary copy of the buffer is unnecessary as the buffer
next can also be constructed on the fly.
This also fixes a rare crash when read buffer are not initialised and
read is still signalled as the initialisation of next will now happen
whenever it is required.
This assertion happens when we do not expect a read event from the socket
and then in link_socket_read_tcp the function stream_buf_get_next can
trigger an assert on ASSERT(buf_defined(&sb->next));
To avoid this weird corner case, just always initialise the read buffer
whether or not we expect a read to occur.
This also adds documentation about the methods and field associated with
the stream_buf structure.
Reproducing this bug requires very special circumstances. To reproduce,
run a client with
openvpn --client --proto tcp --dev tap --ifconfig noexec ...
The client side must be on Linux. Other platforms do not reproduce this
bug.
Note that the client will not configure any IP or IPv6 on the interface
and will also not bring up the interface. The server must also send at least
one real data packet to the client (no keepalive ping). Just having the
interface up normally produces enough traffic.
Now forcefully reset the TCP connection. E.g. by executing on the client
sudo ss --kill dport <server port>
This will now trigger the assertion. This happens since OpenVPN waits
forever to get a write back from the poll from the tun/tap device but
this never happens since the device is not up.
As long as we do not get back the tun device for writing, we also do
not put the socket back into the EVENT_READ state. And this also means
that code to initialise the read buffer (stream_buf_set_next) is never
run.
But the reset on the TCP socket triggers the TCP socket to be available
for read, even if it is just for a read of 0 bytes to indicate the reset.
So the function link_socket_read_tcp will run into the assert.
Change-Id: Ifd3e953104a67c8bf2a225e179865e3dbd0dbfbc Signed-off-by: Arne Schwabe <arne-openvpn@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1477
Message-Id: <20260216162236.22304-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35673.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Max Fillinger [Mon, 2 Mar 2026 14:20:39 +0000 (15:20 +0100)]
Avoid unbounded allocations in pkcs11_mbedtls.c
The PKCS#11 provider can crash OpenVPN by making it try to allocate
2^64 bytes for a certificate. To avoid this, set a maximum size for
certificates. If the size is exceeded, don't try to allocate memory and
instead exit pkcs11_get_x509_cert with an error.
The chosen maximum size is 100.000 bytes which is twice the size of
a SLH-DSA (aka SPHINCS+) signature.
Switch libressl and mbedTLS 4 builds to Ubuntu 24.04.
Includes the following renovate changes:
- chore(deps): update dependency aws/aws-lc to v1.67.0
- chore(deps): update github actions
- chore(deps): update vcpkg digest to e5a1490
Change-Id: I4536e06b082ae17baba1490246244b5923063c93 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1540
Message-Id: <20260302152510.11918-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35813.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
options: drop useless init_gc param for init_options()
The init_option() function is always invoked with the second
param "init_gc" set to "true".
This makes the parameter useless and it can therefore be removed
while always taking the "true" branch in the related logic.
This way we can also drop the options->gc_owned member as it
would also be always set to true.
Change-Id: I633d8cbf75ab4da85e16df44684aef60523811c5 Signed-off-by: Antonio Quartulli <antonio@mandelbit.com> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1536
Message-Id: <20260217135605.154129-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35695.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Fri, 27 Feb 2026 22:47:39 +0000 (23:47 +0100)]
dco_freebsd: use AF_LOCAL sockets for ioctl() communication with DCO driver
DCO FreeBSD uses ioctl() calls for userland -> driver communication, on
a socket() file descriptor. The original code uses AF_INET sockets,
which fails if using a kernel compiled without IPv4 support.
The kernel side ioctl() handling does not differentiate between AF_INET,
AF_INET6 and AF_LOCAL sockets, and only the latter are guaranteed to be
present.
While add it, add a clear message if the socket() call in dco_available()
fails (it will lead to disabling of DCO).
FreeBSD PR: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=286263 Reported-by: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
Change-Id: I84fe7a11391eafde3660d25a3c99094a0c525f3d Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1551
Message-Id: <20260227224745.3175-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35795.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Tue, 24 Feb 2026 21:30:30 +0000 (22:30 +0100)]
Fixup version command on management interface
All commands to the management interface are supposed to be
responded with either a one-line "SUCCESS:/ERROR:" message
or a multi-line reply terminated by "END". But, curently we
silently accept the "version n" command wih no response. This
causes clients like OpenVPN-GUI lock-up if version command is
used, waiting for ever for a reply.
Fix this by adding a SUCCESS response if client version
is set to a value >= 4. As the highest client version in use
until now is 3, this should not affect any work-arounds in
existing clients. ERROR response is generated if the version
parameter is null which never happens in practice.
Gert Doering [Fri, 20 Feb 2026 10:20:58 +0000 (11:20 +0100)]
configure.ac: adjust to native inotify support for FreeBSD 15+
FreeBSD 15 has native inotify support, and no "libinotify.pc" pkg config
file anymore, plus no extra includes are needed. This works fine if we
conditionalize the FreeBSD check to "freebsd-1[0-4]".
Due to m4 involvement double braces are needed for quoting.
See https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293176
Reported-by: Ivo Karabojkov <karabojkov@kit.bg> Reported-by: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
Change-Id: Ie3f209a641c2f56494dfc7720b13f2a2ba3001a8 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1535
Message-Id: <20260220102106.32024-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35761.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Fix various loop index types to avoid sign-compare issues
Just uses the correct types i.e. the same as the limit.
Since the index is usually only used as a non-negative
array index the type change does not cause any behavioral
changes.
But it avoids -Wsign-compare complaints and is just
cleaner.
Change-Id: Ib6c3e154fbe14113ff990f13347f85a7c93dd3e0 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1491
Message-Id: <20260216212805.7808-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35682.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 19 Feb 2026 11:09:48 +0000 (12:09 +0100)]
DCO Linux: Fix setting DCO ifmode failing on big endian archs
The problem is that SITNL_ADDATTR is not forcing type safety and on
big endian architcutre passing a smaller size than the underlying
integer type of data causes only the more significant byte(s) to be passed
instead.
A proper fix would be to add specific methods for common integer types like
SITNL_ADDATTR_u8, SITNL_ADDATTR_u16, SITNL_ADDATTR_u32 like netlink library
does with NLA_PUT_U32, NLA_PUT_U16, NLA_PUT_U8.
Change-Id: I560f45fb0011180be8ca2b0e7fbc63030fa10f35
Github: closes OpenVPN/ovpn-dco#96 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1547
Message-Id: <20260219110954.21471-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35752.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Rudi Heitbaum [Wed, 18 Feb 2026 21:47:33 +0000 (22:47 +0100)]
dns: fix discards 'const' qualifier from pointer target type
Since glibc-2.43:
For ISO C23, the functions bsearch, memchr, strchr, strpbrk, strrchr,
strstr, wcschr, wcspbrk, wcsrchr, wcsstr and wmemchr that return pointers
into their input arrays now have definitions as macros that return a
pointer to a const-qualified type when the input argument is a pointer
to a const-qualified type.
fixes:
src/openvpn/dns.c: In function 'dns_server_addr_parse':
src/openvpn/dns.c:67:25: warning: initialization discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
67 | char *first_colon = strchr(addr, ':');
| ^~~~~~
src/openvpn/dns.c:68:24: warning: initialization discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
68 | char *last_colon = strrchr(addr, ':');
| ^~~~~~~
Change-Id: I262705189edfbd9aa9a32bcd712840fffa592435 Signed-off-by: Rudi Heitbaum <rudi@heitbaum.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1542 Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20260218214738.27158-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35730.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 11 Feb 2026 15:06:48 +0000 (16:06 +0100)]
rework all occurrences of 'M_ERR | M_ERRNO'
M_ERR is defined as (M_FATAL | M_ERRNO), so 'msg(M_ERR | M_ERRNO, ...)'
is just the same as 'msg(M_ERR, ...)'.
The occurances in tun.c and dco_freebsd.c are really "if this happens,
we can not go on" errors, so 'M_ERR' (= FATAL, plus log errno string)
is the correct thing to do.
The occurances in dns.c do come with error handling and cleanup after
the msg() call, so the right thing is 'M_WARN | M_ERRNO' instead
(warning, plus log errno string).
Github: fixes OpenVPN/openvpn#939
Change-Id: I14395665f197349e374a81b56f28536ff88937a8 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1517
Message-Id: <20260211150648.113547-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35594.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 11 Feb 2026 11:33:10 +0000 (12:33 +0100)]
port-share: log incoming connections at verb 3 only
From "day 1" the message "Non-OpenVPN client protocol detected" was
logged at D_STREAM_ERRORS level (verb 1), while it is not anything
erroneous in this context (it's inside an "port share" only block).
Bump this to D_PS_PROXY (verb 3).
Github: closes OpenVPN/openvpn#976
Change-Id: Ie5c9a88050de959cfb02e5f804323a8081ddb667 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1516
Message-Id: <20260211113315.25776-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35589.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Fri, 13 Feb 2026 12:10:24 +0000 (13:10 +0100)]
start release/2.8 development cycle
this commit starts work on "master" after branching off "release/2.7"
-> version.m4 set to "2.8_git", ChangeLog emptied, Changes.rst prepared
for notable news in Release 2.8
Gert Doering [Wed, 28 Jan 2026 13:33:08 +0000 (14:33 +0100)]
OpenVPN Release 2.7_rc6
version.m4, ChangeLog, Changes.rst
Changes.rst has not received an "2.7_rc6" section - it has the
"highlevel" overview of what is new in 2.7, but for alpha/beta/rc*
releases it's better to look at git log to see what has been added/fixed.
Notable changes rc5 -> rc6 are:
- bugfix on restarting a p2mp server instance with SIGUSR1 (inadvertedly
closing fd 0, causing a crash on the next restart - GH #966)
- prevent NULL pointer crash on suitable combination of --dns-updown
statements in openvpn config file (not pushable)
- prevent inappropriate management interface activity if a password is
set and --management-forget-disconnect or --management-signal are active
- more conversion warnings fixed
- Windows: interactive service - some initial unit tests added for the
most complex string conversion function (ConvertItfDnsDomains())
- remove #ifdefs around socket sendbuf/receive buf handling, assuming that
all platforms that have POSIX sockets have this.
- add mbedTLS 4 support
- fix check for failed fork() in port-share code
Gert Doering [Wed, 28 Jan 2026 11:04:19 +0000 (12:04 +0100)]
tunnel_server(): close correct inotify fd
On a full SIGUSR1 restart of a p2mp server compiled with
--enable-async-push, tunnel_server() will try to close and reopen
the "inotify" control file descriptor. For whatever reason, the
original code referenced the wrong context, always closing fd 0.
As a consequence of this, on the second SIGUSR1 restart, the server
will close() the first active socket file descriptor, and if there
are active DCO clients, the resulting event confusion will lead to
an ASSERT(!mi->halt).
Fix by closing the correct FD. Add logging.
Github: fixes OpenVPN/openvpn#966
Change-Id: Iabc117848ad7b67d240c392f1a6aa2d7531fd5bb Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1497
Message-Id: <20260128110425.24350-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35478.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Wed, 28 Jan 2026 11:04:37 +0000 (12:04 +0100)]
Prevent NULL pointer dereference with --dns-updown
If the dns-updown option appears in the config twice, there is a chance
of a NULL pointer dereference when comparing the script path to the
default script path. This happens when a custom script is set, after the
dns-updown script was disabled first. In that case the script path is
NULL, which leads to the deref during a strcmp(3).
manage: Do not trigger actions on management disconnect if not authenticated
If the management interface requires authentication via password
and the remote did not specify it, do not do trigger actions
requested by --management-forget-disconnect and --management-signal
on disconnect.
Reported-By: Joshua Rogers <contact@joshua.hu> Found-By: ZeroPath (https://zeropath.com)
Github: openvpn-private-issues#5
Change-Id: I575d65912ce9065a0b0868e73998b4a9aece62af Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1484
Message-Id: <20260122125707.108048-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35390.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Max Fillinger [Fri, 23 Jan 2026 16:47:39 +0000 (17:47 +0100)]
Add support for Mbed TLS 4
This commit adds support for Mbed TLS 4. This version comes with some
drastic changes. The crypto library has been completely redesigned, so
the contents of crypto_mbedtls.c are moved to crypto_mbedtls_legacy.c
and crypto_mbedtls.c handles the crypto for version 4.
Mbed TLS 4 also removed the feature for looking up a crypto algorithm by
name, so we need to translate algorithm names to Mbed TLS numbers in
OpenVPN. The tables are not yet complete. For symmetric algorithms, I
have added AES and Chacha-Poly which should be enough for most use
cases.
Change-Id: Ib251d546d993b96ed3bd8cb9111bcc627cdb0fae Signed-off-by: Max Fillinger <maximilian.fillinger@sentyron.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1441
Message-Id: <20260123164746.7333-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35401.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 21 Jan 2026 12:18:30 +0000 (13:18 +0100)]
Silence compiler truncation warning by checking snprintf return value
On the more recent mingw compilers (homebrew mingw 13.0.0, GCC 15.2.0) the
compiler complains about a potential truncation in these two places.
src/openvpn/tun.c:3806:57:
error: '%s' directive output may be truncated writing up
to 255 bytes into a region of size 178
[-Werror=format-truncation=]
This not very helpful but checking the snprintf return value
will make the compiler not warn about this.
Change-Id: I54b11a5540fb236580a3b80c6d1e8678b24bd852 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1272
Message-Id: <20260121121830.27244-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35367.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Due to the differences in the types of APIs
between xkey provider and Windows cryptoapi
we can't avoid the casts. And they should be
safe generally since the involved sizes should
be small compared to the maximum values. So
just add asserts and explicit cast to avoid
the warnings.
EVP_CIPHER_CTX_flags is documented to output
int in OpenSSL, but is actually unsigned long
in OpenSSL 3.
In libressl it is correctly documented to output
unsigned long.
Change-Id: I99bc4692526f9143a913e29b266a1816295dfd51 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1446
Message-Id: <20260116172010.25278-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35311.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 14 Jan 2026 18:21:19 +0000 (19:21 +0100)]
OpenVPN Release 2.7_rc5
version.m4, ChangeLog, Changes.rst
Changes.rst has not received an "2.7_rc5" section - it has the
"highlevel" overview of what is new in 2.7, but for alpha/beta/rc*
releases it's better to look at git log to see what has been added/fixed.
Notable changes rc4 -> rc5 are:
- CVE 2025-15497 in epoch key handling (an authenticated remote system
can send a valid OpenVPN data packet that triggers an edge case
where a too-strict check would trigger an ASSERT(), exiting OpenVPN)
- remove "resolve --remote on incoming TCP connects on --tcp-server"
code base, because that did not work in a long time (since 2.4) and
is seen as too obscure and too complicated to rescue.
- repair interaction between DCO and persist-tun after reconnection
(in this case the client side would fail to set up the DCO event
handler, and not notice further --ping timeouts - GH: #947)
- remove ENABLE_X509ALTUSERNAME conditional, always enabling
"configure --enable-x509-alt-username". Effectively no change in
code size, and one less build variant to maintain and test (GH: #917).
- require "script-security 2" when using --dev unix:<program>
- socks client: fix and improve various code parts
- configure etc: drop support for systemd 216 and older, adapt
other checks to reflect modern systemd setups
- fix unit test building with libcmocka 2.0+
- fix Android build warnings about unused variables/methods
- allow --test-crypto to run without --secret
(prepare for removal of --secret after 2.7)
- improve WolfSSL build compatibility
When the sender jumps forwards exactly epoch_data_keys_future_count in its
epoch key use the housekeeping logic does not handle this correctly and
triggers an ASSERT.
Change the code to correctly implement the special case when the new epoch
key of the sender is the highest valid key epoch in the current window of
valid epoch keys for receiving data.
Change-Id: Ib581c02a29b974184256a9f4ad0ce15ba5f9db3b Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-By: Max Fillinger <maximilian.fillinger@sentyron.com> Reported-By: Pavel Kohout of Aisle Research <pavel.kohout@aisle.com>
Github: closes OpenVPN/openvpn-private-issues#103
CVE: 2025-15497
socks: In establish_socks_proxy_udpassoc check result of recv_socks_reply
Not just check the return value but also that relay_addr
is valid. recv_socks_reply doesn't care whether the answer
is what we expected. This is probably a very unlikely edge
case but it doesn't hurt to check for it here.
Reported-By: Joshua Rogers <contact@joshua.hu> Found-By: ZeroPath (https://zeropath.com)
Github: openvpn-private-issues#13
Change-Id: Ic1c8f24de423541bdc85e70b5a688213800d86de Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1469
Message-Id: <20260114135807.20637-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35249.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
So apparently when using --proto tcp-server --tls-server
--remote, AND the remote is not resolvable on startup
then we would preserve the remote name and resolve it
later on connect. Except that when the remote is not
resolvable I never managed to get it to create a
listening socket in the first place.
Originally I looked into this code because ZeroPath
claimed it was broken. I think that report was
correct but I think it is much easier to declare this
feature dead instead of trying to fix it. It is
undocumented and if it is usable then only in very
specific circumstances that are hard to figure out.
Github: openvpn-private-issues#13
Change-Id: I0141945469dd11340bfb42ec37a3c5f90ed0ff52 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1468
Message-Id: <20260113121512.12057-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35232.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 14 Jan 2026 11:23:49 +0000 (12:23 +0100)]
Repair interaction between DCO and persist-tun after reconnection
When --persist-tun is active, openvpn userland on Linux and FreeBSD fails
to re-enable "poll for DCO events" after a reconnect (e.g. triggered by
a ping timeout). The reconnect will still work fine, but the *next*
DCO event notification from the kernel will not be received by OpenVPN
userland, and so the system will get into an inconsistent state (Userland
assumes "all is well", kernel DCO has disconnected the peer, connection
is broken until the next tls-renegotion and/or manual restart, *and* the
next DCO key setup might fail due to "peer id gone").
This only affects client side, --server tun is always "persistent", and
there is no "full restart" (and the code path in question is also
only used for client and p2p server).
The root cause is an incorrect check for "is this interface up?" when
calling dco_event_set() in forard.c::io_wait() - "c2.did_open_tun" is
only true if the tun interface was actually configured on this reconnect,
which it isn't if --persist-tun is active. Replace with a check for
"do we have a tuntap structure, and if yes, do we have active DCO?"
which reflects the original intent much better.
The original code also had a check for "out_socket & EVENT_READ" there,
which did to some extend avoid calling dco_event_set() for every single
UDP packet sent and received by userland - but this only worked on initial
connection, and is always true on reconnect, so this condition was removed
for simplicity. We should come back here...
v2:
- some language fixes on the commit message
- do not check ->dco.open in forward.c, as this is not available if
not on FreeBSD, or if compiled with --disable-dco.
FreeBSD DCO does the "if (!dco || !dco->open)" check in dco_event_set()
anyway, so it's not needed, and Linux DCO has "dco->nl_sock", which is
also reliably set/unset, and checked by dco_event_set() already.
Github: OpenVPN/openvpn#947
Change-Id: Idbd0a47ba4d297a833a350611a23f19fd9a797b5 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1473
Message-Id: <20260114112403.7046-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35239.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 14 Jan 2026 11:04:47 +0000 (12:04 +0100)]
remove ENABLE_X509ALTUSERNAME conditional
This is one of the #ifdef producing compile-time variants that make the
code harder to read and harder to test. The extra code size due to
turning it on is marginal.
The mbedTLS backend does not (yet) support it. To cope with that,
add a minimum function x509_username_field_ext_supported() that always
returns "false", and omit the --x509-username-field from the help
text if ENABLE_CRYPTO_MBEDTLS. Implement this on another day.
Github: closes OpenVPN/openvpn#917
Change-Id: I3f661cf305c52652e430b8d219df5186dd8ea4f7 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1442
Message-Id: <20260114110452.4976-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35237.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 13 Jan 2026 07:27:45 +0000 (08:27 +0100)]
Require script-security 2 when using unix: tun
Since this executes an executable from an arbitrary path, it should follow
the same rules as other scripts/executable.
Reported-By: Petr Simecek, Pavel Kohout and Stanislav Fort from Aisle Research
Change-Id: I89dcab24ba510094ce1672e382960bf15def310a Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1465
Message-Id: <20260113072750.16015-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35223.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Do not try to handle very old systemd that was released
over ten years ago (remove SYSTEMD_NEWER_THAN_216)
- Do not require systemd.pc. I can't find any indication
that we use any of the variables defined by it. (It
does not define any libraries, just variables)
- Remove check for sd-daemon.h. We did not use the
conditional and assumed it was there already.
- Allow libsystemd.pc to define cflags. Previously we
ignored those.
Change-Id: Ie59e03ce01575acaeaf690f582eb5cfa80eb37fc Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1463
Message-Id: <20260109163514.23051-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35203.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Includes the following renovate changes:
- chore(deps): update dependency aws/aws-lc to v1.66.2
- Update lukka/get-cmake action to v4.2.1
- chore(deps): update github actions
- chore(deps): update vcpkg digest to eeb00f1
Arne Schwabe [Fri, 19 Dec 2025 13:51:10 +0000 (14:51 +0100)]
Allow test-crypto to work without the --secret argument
The --test-crypto still requires the --secret argument. Since --secret
will be removed in OpenVPN 2.8 but we want to keep test-crypt, remove
the dependency of test-crypto on --static.
Instead we will just generate a random key for this selftest method.
This also removes the extra logic that is a leftover from the early
multi-thread implementation attempt.
Change-Id: I72947bd4f0213fd118327f740daeb1d86ae166de Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1435
Message-Id: <20251219135110.166468-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35157.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
But add compat layer so that we can still build
against older versions of cmocka. Mostly this is
trivial but the custom check function changed its
prototype, so that requires some more work.
Change-Id: Ifb6594700db71d219643a29c581099c778bcbbc6 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1449
Message-Id: <20251218104042.5961-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35144.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 17 Dec 2025 13:07:38 +0000 (14:07 +0100)]
Ensure wolfSSL uses old pre 1.1.0 OpenSSL path for getting ciphers
Normally when wolfSSL is compiled with --enable-openvpn it reports an
OpenSSL version before 1.1.0. When compiled normally it reports an
OpenSSL version higher than this.
So explicitly check for wolfSSL instead of relying on its OpenSSL version
trickery.
Change-Id: I47fc0dc93a7ed6b71feb611194cee02a81d91769 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1448
Message-Id: <20251217130743.28786-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35127.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 10 Dec 2025 09:53:55 +0000 (10:53 +0100)]
OpenVPN Release 2.7_rc4
version.m4, ChangeLog, Changes.rst
Changes.rst has not received an "2.7_rc4" section - it has the
"highlevel" overview of what is new in 2.7, but for alpha/beta/rc*
releases it's better to look at git log to see what has been added/fixed.
Notable changes rc3 -> rc4 are:
- Windows interactive service: do not configure adapter DNS if
there are no search-domains but there are resolve-domains (which
get resolved via NRPT rules) - GH: OpenVPN/openvpn#473
- improve documentation and error messages for a number of deprecated
options
- improve documentation for not-really-deprecated-yet ``--ns-cert-type``
- Windows IPv4 configuration with netsh.exe: ensure addresses are added
with "store=active" (ensure proper cleanup) - GH: OpenVPN/openvpn#915
- Windows: set UTF8 code page in openvpn.exe manifest, to make cert/key
loading work again for files with non-ASCII characters in their file
name (GH: OpenVPN/openvpn#920)
- tun.c: unify read_tun()/write_tun() functions for all BSD platforms
- more type conversion related cleanups
- add NULL check before freeaddrinfo() call, which might lead to a
crash on OpenBSD (GH: OpenVPN/openvpn#930)
- add NULL check to mbedtls handling of external and inline certificates
- add check for auth none / cipher none on FreeBSD DCO
- add CAP_SYS_NICE to positive list in Linux systemd unit files
(GH: OpenVPN/openvpn#834)
- drop mbedtls 2.x support (which is end of life, and work on mbedtls 4
is much simplified by not having to take care of 2.x compat as well)
- PUSH_UPDATE: bugfix for the client side where split/continued messages
(due to large number of "route" statements) would not correctly handle
the full set of routes. Add unit test. (GH: OpenVPN/openvpn#925)
- new unit test module for mbuf handling
- deprecate --fast-io option (it got partially broken by the multisocket
implementation, and the benefits of the existing implementation did
not outweigh the extra code complexity to make it work again)
- change the ssl_ctx in struct tls_options to be a pointer - this is
a shared data structure between various contexts, but previously it
was shallow-copied, leading to needless CRL reloading - and when
working on implementing the new OpenSSL CRL API, to segfaults
(the existing code works, as these new APIs are not used yet).
Arne Schwabe [Tue, 16 Dec 2025 14:42:00 +0000 (15:42 +0100)]
Change ssl_ctx in struct tls_options to be a pointer
The SSL CTX is shared between all of the instances. So any change to the
SSL CTX will affect all instances. Currently the CRL is also reloaded
potentially multiple times as each copy of tls_root_ctx has its own
crl_last_mtime and crl_last_size values that will be checked if the CRL
reload is necessary.
Changing it to a pointer will make it more clear that this is shared
and also the CRL being reloaded multiple times.
Change-Id: I21251a42f94fa1d9de083d2acd95b887658c5760 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: MaxF <max@max-fillinger.net>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1431
Message-Id: <20251216144207.12171-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35116.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
multi: Warn about failing read in multi_process_file_closed()
Handle failure explicitly instead of the implicit
handling by "while (buffer_i < r)". That error
checking was previously broken but was fixed by
commit 5e5ead5ba019fc2a8266f77a7d840b30fd545198.
Reported-by: Marc Heuse <marc@srlabs.de>
Github: openvpn-private-issues#101
Change-Id: Ie982f620a8af80564a70d993e6e84ec4e525236a Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1443
Message-Id: <20251215155652.23362-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35095.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
buffer: Change buf_prepend and buf_advance to accept ssize_t for length
We already have tests to make sure the value is sane.
Changing the argument to ssize_t allows to use it in
more places without needing to do a cast before the
checks.
Change-Id: I123002255b37160d48ef6481f68a89d03073236b Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1437
Message-Id: <20251215160541.24237-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35099.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
multi: Fix wrong sigma value in multi_push_restart_schedule_exit
Sigma was computed based on the absolute time and
not the delta.
Note that this probably makes no actual difference in
practice. The sigma value is irrelevant on first call
and multi_push_restart_schedule_exit should not be
called multiple times since it is only called
if deferred_shutdown_signal.signal_received is not set,
yet.
Change-Id: I62b8263f18c4e2e7f5ecacb4616737f5ba836303 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1311
Message-Id: <20251215150500.18898-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35075.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
While fixing the conversion warning I was
somewhat confused how this works, so added
UTs to verify I understood it.
v2:
- disable assert test for MS VS
- add define for memory-intensive UTs and
only enable it by default for CMake builds,
so we do not break a lot of builds out there
due to memory allocation failures
Change-Id: Icab68a5fd1b6288955f0073179f1ddde1468d951 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1432
Message-Id: <20251212120352.17402-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35050.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Lower the limit to 1GB on 32bit systems.
The limit of 4GB-1 makes no sense on systems that usually
don't allow a single process to allocate anything near to
this limit.
- Increate the limit from 4GB-1 to 4GB on other systems. It
makes no difference in protection but makes it much easier
to use the limit in other contexts, e.g. if dividing it.
Change-Id: I4f95edd7ce2098180aa620a231727217f333a12d Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1436
Message-Id: <20251212100920.7671-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35044.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Moritz Fain [Mon, 1 Dec 2025 14:04:18 +0000 (15:04 +0100)]
PUSH_UPDATE: fix option reset logic in continuation messages
Previously, the logic for resetting push options (like 'route') was based on
`update_options_found` which was local to `apply_push_options`. This meant
that if a PUSH_UPDATE was split across multiple continuation messages,
the state was lost, causing routes to be reset multiple times (once per
message chunk) rather than once per update sequence.
This patch moves the state tracking to `struct options` as
`push_update_options_found`, allowing it to persist across the entire
PUSH_UPDATE sequence.
This fixes an issue where large route lists sent via PUSH_UPDATE would
result in only the last chunk's routes being applied, or previous routes
being continuously deleted and re-added.
Added unit test `test_incoming_push_continuation_route_accumulation` to
verify the fix.
Github: OpenVPN/openvpn#925
Signed-off-by: Moritz Fain <moritz-openvpn@fain.io> Acked-by: Marco Baffo <marco@mandelbit.com>
Message-Id: <CAM8w-qEE6vHj=yUOpTFbM7DqPKzUV0NupvEG4rUefY=kNB2DxQ@mail.gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34814.html
mudp: fix unaligned 32-bit read when parsing peer ID
The code previously read a 32-bit value from a uint8_t
buffer using a direct cast and dereference.
This can cause unaligned memory access and undefined
behavior on architectures that do not support unaligned
reads, potentially leading to a one-packet crash.
Fix this by reading the bytes individually and
combining them manually.
Reported-By: Joshua Rogers <contact@joshua.hu> Found-By: ZeroPath (https://zeropath.com)
Change-Id: Id0bb4c45d373437ab8dbaff7a311745f9b538cbf Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1348
Message-Id: <20251210104839.8270-1-gert@greenie.muc.de> Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Wed, 10 Dec 2025 07:29:44 +0000 (08:29 +0100)]
iservice: set adapter DNS only with search domains
With NRPT the adapter name server configuration is not needed
theoretically. However DNS config is not showing with traditional
tools like ipconfig if they are left out. More importantly if
there are no DNS servers configured for an adapter the adapter
specific search domains are not recognized by the Windows resolver.
However, adding the servers to the adapter has the side effect, that
general look-ups are now also done using this adapter, which might
come as unexpected and yield wrong results, if there is some trickery
happening with the default DNS, for example.
As a workaround, set the adapter DNS only when strictly needed.
Lev Stipakov [Wed, 10 Dec 2025 07:59:00 +0000 (08:59 +0100)]
tun.c: set IPv4 address temporary on Windows
Use store=active to set IPv4 address temporary so that
it will be removed on reboot. This makes the behavior
consistent with deletion and IPv6, where we already use
store=active.
tun: Change return type of write_tun/read_tun to ssize_t
So we can directly give back the actual return
type from write/read. Even if we then cast it
back to int. The cast should be safe since we
also specify an int as we also put an int in
as length.
Change-Id: I67f5bf53b80f53fd2e349f844479ed172a7b3aa1 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1376
Message-Id: <20251209153715.15832-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34961.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
projects / thirdparty / openvpn.git / log
