While fixing the conversion warning I was
somewhat confused about how this works, so I added
UTs to verify I understood it.
v2:
- disable assert test for MS VS
- add define for memory-intensive UTs and
only enable it by default for CMake builds,
so we do not break a lot of builds out there
due to memory allocation failures
Change-Id: Icab68a5fd1b6288955f0073179f1ddde1468d951
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1432
Message-Id: <20251212120352.17402-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35050.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Lower the limit to 1GB on 32bit systems.
The limit of 4GB-1 makes no sense on systems that usually
don't allow a single process to allocate anything near to
this limit.
- Increase the limit from 4GB-1 to 4GB on other systems. It
makes no difference in protection but makes it much easier
to use the limit in other contexts, e.g. if dividing it.
Change-Id: I4f95edd7ce2098180aa620a231727217f333a12d
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1436
Message-Id: <20251212100920.7671-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35044.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Moritz Fain [Mon, 1 Dec 2025 14:04:18 +0000 (15:04 +0100)]
PUSH_UPDATE: fix option reset logic in continuation messages
Previously, the logic for resetting push options (like 'route') was based on
`update_options_found` which was local to `apply_push_options`. This meant
that if a PUSH_UPDATE was split across multiple continuation messages,
the state was lost, causing routes to be reset multiple times (once per
message chunk) rather than once per update sequence.
This patch moves the state tracking to `struct options` as
`push_update_options_found`, allowing it to persist across the entire
PUSH_UPDATE sequence.
This fixes an issue where large route lists sent via PUSH_UPDATE would
result in only the last chunk's routes being applied, or previous routes
being continuously deleted and re-added.
Added unit test `test_incoming_push_continuation_route_accumulation` to
verify the fix.
Github: OpenVPN/openvpn#925
Signed-off-by: Moritz Fain <moritz-openvpn@fain.io>
Acked-by: Marco Baffo <marco@mandelbit.com>
Message-Id: <CAM8w-qEE6vHj=yUOpTFbM7DqPKzUV0NupvEG4rUefY=kNB2DxQ@mail.gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34814.html
mudp: fix unaligned 32-bit read when parsing peer ID
The code previously read a 32-bit value from a uint8_t
buffer using a direct cast and dereference.
This can cause unaligned memory access and undefined
behavior on architectures that do not support unaligned
reads, potentially leading to a one-packet crash.
Fix this by reading the bytes individually and
combining them manually.
Reported-By: Joshua Rogers <contact@joshua.hu>
Found-By: ZeroPath (https://zeropath.com)
Change-Id: Id0bb4c45d373437ab8dbaff7a311745f9b538cbf
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1348
Message-Id: <20251210104839.8270-1-gert@greenie.muc.de>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
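The pattern the mudp commit above describes, as an added example that is not OpenVPN's own code: a 32-bit field is assembled from individual bytes (or copied with memcpy into an aligned local) instead of being read through a cast `uint32_t *`, which is undefined behaviour on a misaligned address and can fault on strict-alignment CPUs. The sample datagram, the offsets, and the function names are constructed for this example; the bounds-checked variant additionally refuses to read past the end of a short packet, which is the other common way a single malformed datagram crashes a parser.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample datagram, not a real OpenVPN packet. Nine bytes, so that
 * offset 1 and offset 5 are deliberately not 4-byte aligned. */
static const uint8_t sample_pkt[] = { 0x40, 0x00, 0x00, 0x01, 0x02,
                                      0xde, 0xad, 0xbe, 0xef };

/* Portable big-endian 32-bit read: combines the bytes one at a time, so no
 * alignment is assumed and the result does not depend on host byte order.
 * This is the "read the bytes individually and combine them" approach. */
uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Alternative: memcpy into an aligned local. Also free of undefined behaviour;
 * compilers emit a single load where the CPU allows it. The value is in host
 * byte order, so it must be byte-swapped where network order is required. */
uint32_t read_u32_host(const uint8_t *p)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

/* Bounds-checked variant: check the remaining length before the read so a
 * truncated datagram cannot make the parser read past the buffer. */
bool read_be32_at(const uint8_t *buf, size_t len, size_t off, uint32_t *out)
{
    if (off > len || len - off < sizeof(uint32_t)) {
        return false;
    }
    *out = read_be32(buf + off);
    return true;
}

/* The memcpy read reproduces the bytes exactly, whatever the host order. */
bool host_read_matches_bytes(const uint8_t *p)
{
    uint32_t v = read_u32_host(p);
    return memcmp(&v, p, sizeof v) == 0;
}

/* Convenience wrappers over the constructed sample. */
bool sample_read_ok(size_t off)
{
    uint32_t v;
    return read_be32_at(sample_pkt, sizeof sample_pkt, off, &v);
}

uint32_t sample_read(size_t off)
{
    uint32_t v = 0;
    read_be32_at(sample_pkt, sizeof sample_pkt, off, &v);
    return v;
}

int main(void)
{
    printf("offset 1: %08x, offset 5: %08x, offset 6 readable: %d\n",
           sample_read(1), sample_read(5), (int)sample_read_ok(6));
    return 0;
}
```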
Heiko Hund [Wed, 10 Dec 2025 07:29:44 +0000 (08:29 +0100)]
iservice: set adapter DNS only with search domains
With NRPT the adapter name server configuration is not needed
theoretically. However, DNS config is not shown with traditional
tools like ipconfig if they are left out. More importantly, if
there are no DNS servers configured for an adapter, the adapter
specific search domains are not recognized by the Windows resolver.
However, adding the servers to the adapter has the side effect that
general look-ups are now also done using this adapter, which might
come as unexpected and yield wrong results, if there is some trickery
happening with the default DNS, for example.
As a workaround, set the adapter DNS only when strictly needed.
Lev Stipakov [Wed, 10 Dec 2025 07:59:00 +0000 (08:59 +0100)]
tun.c: set IPv4 address temporarily on Windows
Use store=active to set the IPv4 address temporarily so that
it will be removed on reboot. This makes the behavior
consistent with deletion and IPv6, where we already use
store=active.
tun: Change return type of write_tun/read_tun to ssize_t
So we can directly give back the actual return
type from write/read, even if we then cast it
back to int. The cast should be safe since we
also pass an int as the length.
Change-Id: I67f5bf53b80f53fd2e349f844479ed172a7b3aa1
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1376
Message-Id: <20251209153715.15832-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34961.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Tue, 9 Dec 2025 07:02:11 +0000 (08:02 +0100)]
pull-filter: improve documentation
Pull-filter uses a simple string comparison and could be defeated by
unusual formatting of pushed option strings. Document that this
option is not meant to be used as a security measure.
But exclude the added checks that currently have failures
so that we can keep /WX enabled.
Basically this excludes -Wconversion and -Wsign-compare,
as expected from our GCC/Clang flags.
Github: #382
Change-Id: Iffc114939cb37129057e9c4864fae9e09c3c7fe4
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1417
Message-Id: <20251208113636.9650-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34876.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Documentation: Various syntax fixes and text improvements
This started as a fix for OpenVPN/openvpn#606 but while
reviewing the documentation referenced from there I
identified more and more issues.
There are a few classes of changes in here:
- Fix wrong `...` syntax, which makes no sense in rst.
- Remove some very old references to OpenVPN v1 behavior.
- Fix typos or other small text issues.
Note: The usage of ``...`` vs :code:`...` is very
inconsistent, but fixing that is outside of the scope
of this patch. I have tried to make it at least
locally consistent.
Github: Fixes OpenVPN/openvpn#606
Change-Id: Iee535f1502ab3dcb7bde7f2593c2e122d27d9189
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1414
Message-Id: <20251208114224.10223-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34878.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 4 Dec 2025 13:45:16 +0000 (14:45 +0100)]
Fix dco with null cipher being enabled without auth none
This is a corner case and only the FreeBSD DCO module supports the
none encryption, but as long as it supports it, we should only
enable it when the configuration actually allows enabling it.
Change-Id: I1104044701145fa37cea857e2e0e0fcac7a2bee3
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1369
Message-Id: <20251204134521.20025-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34847.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Max Fillinger [Mon, 1 Dec 2025 13:39:50 +0000 (14:39 +0100)]
Drop Mbed TLS 2.X compatibility
Mbed TLS 2.28 is out of support since March and adding support for
Mbed TLS 4 will get ugly enough without the old compatibility code lying
around too.
Mbed TLS 2.28 still ships on some supported distributions
(e.g. Ubuntu 24.04) but nobody is maintaining openvpn-mbedtls packages
there. This commit will probably break on some test machines.
Change-Id: Ia4afabcb6006dc9304a4c09f824d9c7c2d4d64ad
Signed-off-by: Max Fillinger <maximilian.fillinger@sentyron.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1412
Message-Id: <20251201133956.29880-1-gert@greenie.muc.de>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Mon, 1 Dec 2025 09:01:03 +0000 (10:01 +0100)]
Set UTF-8 as the codepage using manifest declaration
Works on Windows 10+. This ensures any UTF-8 string we pass to
ANSI API will not get interpreted in some local code page
in effect at runtime.
Although we do not use any such API, the OpenSSL dll we link to
does (e.g., the store API used for reading certificate and
key from files). OpenSSL may fix this in future versions,
but this is an easy workaround that looks harmless and appropriate.
Fixes failure to read certificates when filenames contain non-ASCII
characters, reported by: Carsten Mietzsch <Carsten.Mietzsch@atelios.de>
Gert Doering [Thu, 27 Nov 2025 08:49:36 +0000 (09:49 +0100)]
OpenVPN Release 2.7_rc3
version.m4, ChangeLog, Changes.rst
Changes.rst has not received a "2.7_rc3" section - it has the
"highlevel" overview of what is new in 2.7, but for alpha/beta/rc*
releases it's better to look at git log to see what has been added/fixed.
Notable changes rc2 -> rc3 are:
- Windows/Interactive Service bugfixes
  many small bugfixes to registry-related DNS domain handling
- Windows/Interactive Service: harden service pipe handling
  close a small race condition, and add restrictive ACLs
- Windows/Interactive Service: CVE-2025-13751
  fix bug where the interactive service would error-exit in
  certain error conditions instead of just logging the fact and
  continuing. After the error-exit, OpenVPN connections will no
  longer work until the service is restarted (or the system rebooted).
  This can be triggered by any authenticated local user, and has
  thus been classified as a "local denial of service" attack.
- more type conversion related warnings have been fixed
- --multihome behaviour regarding egress interface selection has been
  changed. See Changes.rst and manpage for details.
- cleanup dead code in event handling code (leftover of the multisocket
  patch set)
- add new feature, --tls-crypt-v2-max-age n. See Changes.rst and
  manpage for details.
- improve documentation to point out the pitfalls of case-insensitive
  filesystems and --client-config-dir
- split default gateway query logic in two:
  - for --redirect-gateway functionality, query for the gateway towards
    the actual IP address of the VPN server connecting to
  - for the "net_gateway" special destination for --route, and the
    corresponding environment variable, always query for 0.0.0.0 / ::
  (this will only make a difference in certain scenarios using a local
  proxy, or on a system with multiple interfaces, not using the "default
  route" for the VPN connection - see github#890)
- upgrade embedded pkcs11-helper vcpkg + pkcs11-uri patch to 1.31
- CMake / autoconf cleanup wrt unused checks, outdated old-Linux checks,
  Windows oddities
- DCO (primarily Linux): improve handling of bulk notifications from
  kernel (do not lose notifications, do not crash) (github#900)
Lev Stipakov [Mon, 24 Nov 2025 10:09:23 +0000 (12:09 +0200)]
interactive.c: harden pipe handling against misbehaving clients
- Handle ConnectNamedPipe ERROR_NO_DATA as a normal
connect/drop race: log the drop, disconnect/reset
that instance, and keep listening instead of letting
a trivial local DoS stop the service.
- Add a timed peek for startup data so a client that
connects and sends nothing is timed out (IO_TIMEOUT)
and rejected, instead of leaving a worker thread blocked
forever and piling up handles.
- Protect the accept loop from resource exhaustion: before
spawning a worker, check the wait set and reject the client
if adding another handle would exceed MAXIMUM_WAIT_OBJECTS;
also skip FlushFileBuffers when no startup data was received
to avoid hangs on silent clients.
Without these fixes, a malicious local Windows user can make the OpenVPN
Interactive Service exit-on-error, thus breaking all OpenVPN connections
until the service is restarted (or the system rebooted). Thus this has
been classified as "local denial of service" and CVE-2025-13751 has been
assigned.
Ralf Lici [Fri, 28 Nov 2025 11:26:59 +0000 (12:26 +0100)]
dco: process messages immediately after read
Currently, reading and processing of incoming DCO messages are
decoupled: notifications are read, parsed, and the relevant information
is stored in fields of dco_context_t for later processing (with the only
exception being stats). This approach is problematic on Linux, since
libnl does not allow reading a single netlink message at a time, which
can result in loss of information when multiple notifications are
available.
This change adopts a read -> parse -> process paradigm. On Linux,
processing is now invoked directly from within the parsing callback,
which libnl calls for each received netlink packet. The other interfaces
are adapted accordingly to unify the processing model across all
platforms.
On Linux, however, a DEL_PEER notification from the kernel triggers a
GET_PEER request from userspace, which clutters the netlink
communication logic and can lead to errors or even process exit when
multiple simultaneous DEL_PEER notifications are received. To avoid
this, introduce a lock that prevents requesting stats while we are still
busy parsing other messages.
Gert Doering [Thu, 27 Nov 2025 11:35:12 +0000 (12:35 +0100)]
extract_x509_field_ssl(): verify that X509_NAME is not NULL.
This seems to be unlikely to ever happen, but this check won't harm
- as a matter of coding convention, we do not ensure this inside
extract_x509_field_ssl(), but in the (single) caller.
While at it, fix pre-C99 local-variable indent block, and missing {}
block in else/#endif construction.
Reported-By: Joshua Rogers <contact@joshua.hu>
Found-by: ZeroPath (https://zeropath.com/)
Change-Id: I1e9c7eee06bf5f2e8aed8cd2523684539294ac8b
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1388
Message-Id: <20251127113517.1352-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34748.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Some things were detected in configure.ac and just
hard-coded in CMake. Move the hard-coding to
syshead.h instead and remove the additional code
in configure.ac. These are really Windows-specific
so I think not dynamically detecting is okay.
Change-Id: Ic55e1288b0d3160e68eef07ff4edbb070a03dd31
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1410
Message-Id: <20251127103710.29341-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34736.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
error: Allow status argument to check_status to be ssize_t
We only check for < 0 so no reason not to allow bigger
signed values. This makes it easier to feed result
values of read/write to it. Fixes a conversion warning
in process_outgoing_tun.
Also changes register_activity to int64_t for similar
reasons.
Change-Id: I750a46246c0d2447a6691e5c25c4732e3d335a63
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1357
Message-Id: <20251126114047.10280-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34701.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Traditional OpenVPN ``--multihome`` behaviour is to send packets out the
same interface that they were received on (copy ipi_ifindex from ingress
to egress packet info). For some scenarios this makes sense, for other
scenarios it is breaking connectivity when there are no routes pointing
out the ingress interface (intentionally asymmetric traffic).
For 2.7.0, change the default(!) to always send out packets with
ipi_ifindex = 0, to follow normal system interface selection rules.
Add a flag ``--multihome same-interface`` to restore the pre-2.7 behavior
of copying ipi_ifindex from ingress to egress packets. There are use
cases for this, and we want to give users a chance to read the release
notes and adjust their setups to "not break after upgrading to 2.7.0".
Heiko Hund [Mon, 24 Nov 2025 17:00:50 +0000 (18:00 +0100)]
iservice: rename one_glyph to glyph_size
Throughout the function variables which deal with byte counts have a
_size postfix. one_glyph is the number of bytes in one character.
Reading the code is easier and more consistent this way.
Heiko Hund [Wed, 26 Nov 2025 10:49:32 +0000 (11:49 +0100)]
iservice: fix off by one error
In case there is more than one non-ignored interface domain, the start
of the next domain was off by one glyph. That meant that all but the
first domain was ignored when converting to MULTI_SZ.
Reported-by: Marc Heuse <marc@srlabs.de>
Reported-by: stephan@srlabs.de
Change-Id: I3ebf30f6d9edc66eb54fb3f1b5634c96d156b1ca
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1395
Message-Id: <20251126104938.5612-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34678.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Wed, 26 Nov 2025 10:47:01 +0000 (11:47 +0100)]
iservice: handle ignoring itf domains correctly
GetItfDnsDomains() ignores domains which are in the search domains
list. Handling of this was done wrong if there was more than one
interface domain. In any case the size returned to the caller was
calculated wrong.
Reported-by: Marc Heuse <marc@srlabs.de>
Reported-by: stephan@srlabs.de
Change-Id: I02e2c7b27b5a39b11556e4753c648baa05344ffc
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1394
Message-Id: <20251126104706.5378-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34677.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Wed, 26 Nov 2025 10:43:07 +0000 (11:43 +0100)]
iservice: return correct size when domains are truncated
In case not all domains can be converted in the available buffer, return
the size of the already converted domains plus the second terminating
zero for the MULTI_SZ.
Reported-by: Marc Heuse <marc@srlabs.de>
Reported-by: stephan@srlabs.de
Change-Id: Iabad046c930dd0f38ec50d1c43d8b3288816df7d
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1391
Message-Id: <20251126104315.4776-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34680.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Wed, 26 Nov 2025 10:34:21 +0000 (11:34 +0100)]
iservice: fix calculation of converted domains size
To keep track of how much of the buffer is already used, the difference
of the current position and the start of the buffer needs to be
multiplied with the size of a character / glyph to get the byte count,
with which calculations are done further down below.
Reported-by: Marc Heuse <marc@srlabs.de>
Reported-by: stephan@srlabs.de
Change-Id: I16f9426e57f4802ba038ab51f5b70161464b9428
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1390
Message-Id: <20251126103427.4085-1-gert@greenie.muc.de>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
multi-socket: do not return tuntap flags on server-side
Tuntap flags are already handled within
multi_io_process_io(), so returning them from
multi_io_process_flags() would be redundant,
since we need them only for tun_set().
While at it, removed part of the I/O processing
from multi_process_io_udp() since those are
also handled within multi_io_process_io(), and
removed the FILE_CLOSED and FILE_SHIFT
defines since we now handle that kind of
event in multi_io_process_io() through
the MULTI_IO_FILE_CLOSE_WRITE define.
Change-Id: I6a5110a0583b8b33496b06d9c27c1084df38e842
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1364
Message-Id: <20251124175832.21352-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34650.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Mon, 24 Nov 2025 16:53:47 +0000 (17:53 +0100)]
Restrict access to the service pipe to SYSTEM and owner
Access is restricted to SYSTEM and pipe client user
(the user starting openvpn.exe). The default is
full access to Administrators, owner, and read access
to everyone. This hardens the pipe further.
Heiko Hund [Sun, 23 Nov 2025 11:58:46 +0000 (12:58 +0100)]
iservice: make sure registry string is terminated
When reading the interface domains from the registry, check that the
string is zero terminated, since the code in GetItfDnsDomains depends
on the fact when doing size calculations during the conversion.
Reported-by: Marc Heuse <marc@srlabs.de>
Reported-by: stephan@srlabs.de
Change-Id: Icaeca22bdbd8ead0cb12345b1bcc2b5c0f46236f
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1392
Message-Id: <20251123115851.19555-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34610.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
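The four iservice commits on interface-domain conversion (off by one, ignoring search-list domains, the truncated-size return value, and the glyph-size multiplication) and the registry-termination commit above all concern the same piece of bookkeeping: building a MULTI_SZ from a list of domains while accounting for the buffer in bytes. The following is an added example, not the service's own code: a wide-character converter written from scratch that takes a comma-separated domain string (the separator is an assumption for this example), skips domains that appear in a MULTI_SZ search list, stops cleanly when the buffer is too small, and always returns the byte count that was actually written, including the second terminator. The `reg_string_terminated` guard mirrors the termination check; the sample strings and function names are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Reject a registry value that is not NUL-terminated before any length-based
 * processing relies on it. val_bytes is the size reported by the registry. */
bool reg_string_terminated(const wchar_t *val, size_t val_bytes)
{
    size_t glyphs = val_bytes / sizeof(wchar_t);
    return glyphs > 0 && val[glyphs - 1] == L'\0';
}

/* True if the domain [dom, dom+len) is one of the entries of the MULTI_SZ
 * 'skip' (strings back to back, each NUL-terminated, ending with an extra NUL). */
static bool in_skip_list(const wchar_t *dom, size_t len, const wchar_t *skip)
{
    for (const wchar_t *s = skip; *s; s += wcslen(s) + 1) {
        if (wcslen(s) == len && wcsncmp(s, dom, len) == 0) {
            return true;
        }
    }
    return false;
}

/* Convert the comma-separated list 'src' into a MULTI_SZ in 'dst' (dst_size
 * is in BYTES), skipping domains present in 'skip'. Returns the number of
 * bytes written including the final double NUL. If not every domain fits,
 * the complete domains that do fit are written, then the second terminator,
 * and the size of exactly that is returned. Returns 0 only if even an empty
 * MULTI_SZ does not fit. */
size_t domains_to_multi_sz(const wchar_t *src, const wchar_t *skip,
                           wchar_t *dst, size_t dst_size)
{
    const size_t glyph_size = sizeof(wchar_t);   /* bytes per character */
    wchar_t *pos = dst;
    const wchar_t *p = src;

    if (dst_size / glyph_size < 2) {
        return 0;
    }
    while (*p) {
        const wchar_t *end = wcschr(p, L',');
        size_t len = end ? (size_t)(end - p) : wcslen(p);
        const wchar_t *next = end ? end + 1 : p + len;   /* step over exactly one separator */

        if (len > 0 && !in_skip_list(p, len, skip)) {
            size_t used = (size_t)(pos - dst) * glyph_size;   /* bytes consumed so far */
            size_t needed = (len + 2) * glyph_size;           /* domain + NUL + final NUL */
            if (used + needed > dst_size) {
                break;                                        /* truncate here */
            }
            memcpy(pos, p, len * glyph_size);
            pos[len] = L'\0';
            pos += len + 1;
        }
        p = next;
    }
    if (pos == dst) {
        *pos++ = L'\0';   /* an empty MULTI_SZ still needs two NULs */
    }
    *pos++ = L'\0';       /* second terminator */
    return (size_t)(pos - dst) * glyph_size;
}

/* Constructed fixtures: three interface domains, one of which is already in
 * the search list and must be skipped. */
static const wchar_t sample_itf_domains[] = L"corp.example,lab.example,dev.example";
static const wchar_t sample_search_list[] = L"corp.example\0";

size_t run_sample(wchar_t *dst, size_t dst_size)
{
    if (!reg_string_terminated(sample_itf_domains, sizeof sample_itf_domains)) {
        return 0;
    }
    return domains_to_multi_sz(sample_itf_domains, sample_search_list, dst, dst_size);
}

int main(void)
{
    wchar_t big[64], small[20];
    printf("full buffer: %zu bytes, truncated buffer: %zu bytes\n",
           run_sample(big, sizeof big), run_sample(small, sizeof small));
    return 0;
}
```

With a large buffer the result is "lab.example\0dev.example\0\0" (25 characters); with room for only 20 characters the second domain does not fit, so the function writes "lab.example\0\0" and reports 13 characters' worth of bytes rather than the size of the full conversion.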
tls_crypt: Fix Coverity complaint in tls_crypt_v2_check_client_key_age
Coverity complained about "overflow_before_widen" because
there is a theoretical overflow that can happen even though
the target value is wide enough. For useful values of max_days
this is irrelevant but Coverity is not wrong, so change the
code accordingly.
Change-Id: Ie7308d549182a95b86cd113e4a8cc65ff45ba3d7
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1385
Message-Id: <20251122162553.12254-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34585.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
GHA: Add macos-26 and remove OpenSSL 1.1 builds on macOS
The new runner doesn't have OpenSSL 1.1 available anymore
via homebrew. The formula is also marked as "deprecated"
for older macOS versions. So I think it is okay to drop
it.
Change-Id: I1633ee6207443e041434e9f0dda98afd5a22e1b4
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Yuriy Darnobyt <yura.uddr@gmail.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1382
Message-Id: <20251119162934.15672-1-gert@greenie.muc.de>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Marco Baffo [Wed, 19 Nov 2025 11:40:35 +0000 (12:40 +0100)]
route: handle default gateway (net_gateway) and nexthop towards VPN server separately
Right now there is the assumption that the gateway used for net_gateway is the same used to reach the VPN server.
However, these two gateways may be different (i.e. when there is a specific hostroute for the VPN server using a different nexthop).
For this reason we must adapt init_route_list() to fetch the two gateways separately.
Github: fixes OpenVPN/openvpn#890
Change-Id: I16d90221d0a75193035253817ff195f6da9dc0b3
Signed-off-by: Marco Baffo <marco@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1222
Message-Id: <20251119114041.17665-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34529.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Sat, 15 Nov 2025 17:16:12 +0000 (18:16 +0100)]
OpenVPN Release 2.7_rc2
version.m4, ChangeLog, Changes.rst
Changes.rst has not received a "2.7_rc2" section - it has the
"highlevel" overview of what is new in 2.7, but for alpha/beta releases
it's better to look at git log to see what has been added/fixed.
Notable changes rc1 -> rc2 are:
- IPv6 address parsing: fix buffer overread on invalid input
  (CVE-2025-12106)
- HMAC verification check: fix incorrect memcmp() call
  (CVE-2025-13086)
- even more type conversion related warnings have been fixed
- DCO FreeBSD improvements:
  improving debug messages (verb 6)
  implement client-side counter handling
  repair --inactive (and document shortcomings)
  repair handling of DCO disconnection notifications in --client mode
- Windows/Service improvements, hardening, bugfixes
  fix DNS address list generation (if 3 or more --dns addresses in use)
  fix DNS server undo_list
  disallow "stdin" as config name unless user has OpenVPN admin privs
  fix compilation errors with MSVC v19
  iservice: improve validation of config path (pathcc lib)
    [NOTE: this breaks OpenVPN compatibility with Windows 7]
  tapctl: refactor, improve output, change driver default to ovpn-dco
  iservice: when restoring iface metrics, enforce correct ifindex
- improve cmocka unit test assert() handling
- PUSH_UPDATE server: fix reporting of client IPs in ``status`` output
  after pushing a new IPv4/IPv6 address to client
- AEAD cipher safety margins: fix calculation of AEAD blocks in use
  (old code would undercount blocks)
- fix invalid pointer creation / memory overread in tls_pre_decrypt
- deprecate ``--opt-verify`` (change into no-op + warning)
Arne Schwabe [Mon, 27 Oct 2025 09:05:55 +0000 (10:05 +0100)]
Fix memcmp check for the hmac verification in the 3way handshake being inverted
This is a stupid mistake but causes all hmac cookies to be accepted,
thus breaking source IP address validation. As a consequence, TLS
sessions can be opened and state can be consumed in the server from
IP addresses that did not initiate an initial connection.
While at it, fix check to only allow [t-2;t] timeslots, disallowing
HMACs coming in from a future timeslot.
Github: OpenVPN/openvpn-private-issues#56
CVE: 2025-13086
Reported-By: Joshua Rogers <contact@joshua.hu>
Found-by: ZeroPath (https://zeropath.com/)
Reported-By: stefan@srlabs.de
Change-Id: I9cbe2bf535575b47ddd7f34e985c5c1c6953a6fc
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Max Fillinger <max@max-fillinger.net>
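The two checks the CVE-2025-13086 commit corrects, as an added example that is not OpenVPN's code: a cookie is accepted only if its tag matches the expected one (memcmp() returns 0 on a match, which is exactly the sense the bug inverted) and only if the timeslot it was issued for lies in [t-2; t], so a tag from a future slot is rejected. The keyed tag function here is a toy stand-in for the real HMAC so that the block runs stand-alone; the key, slot numbers and function names are constructed. The comparison is done in constant time, which plain memcmp() does not guarantee for authenticators.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN 8

/* Toy keyed tag (NOT an HMAC, no cryptographic strength). It only stands in
 * for the real MAC so that the verification logic below can be exercised. */
static void toy_tag(const uint8_t key[16], uint32_t slot, uint8_t out[TAG_LEN])
{
    uint64_t h = 0x9E3779B97F4A7C15ull ^ slot;
    for (size_t i = 0; i < 16; i++) {
        h ^= key[i];
        h *= 0x100000001B3ull;
        h ^= h >> 29;
    }
    for (size_t i = 0; i < TAG_LEN; i++) {
        out[i] = (uint8_t)(h >> (8 * i));
    }
}

/* Constant-time equality: runtime does not depend on where the first
 * mismatching byte is, so timing reveals nothing about the expected tag. */
static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) {
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* The shape of the bug: memcmp() is 0 on a MATCH, so treating a non-zero
 * result as success accepts every cookie except the correct one. Kept only
 * to contrast with the corrected version below. */
bool cookie_valid_inverted(const uint8_t key[16], uint32_t slot,
                           const uint8_t tag[TAG_LEN])
{
    uint8_t expect[TAG_LEN];
    toy_tag(key, slot, expect);
    return memcmp(expect, tag, TAG_LEN) != 0;   /* inverted check */
}

/* Corrected check: slot must lie in [now_slot-2, now_slot] (no future slots),
 * and the tag must match, compared in constant time. */
bool cookie_valid(const uint8_t key[16], uint32_t now_slot, uint32_t slot,
                  const uint8_t tag[TAG_LEN])
{
    if (slot > now_slot || now_slot - slot > 2) {
        return false;
    }
    uint8_t expect[TAG_LEN];
    toy_tag(key, slot, expect);
    return ct_equal(expect, tag, TAG_LEN);
}

/* Constructed fixtures. */
static const uint8_t sample_key[16] = { 0x10, 0x32, 0x54, 0x76, 0x98, 0xba, 0xdc, 0xfe,
                                        0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };

void make_cookie(uint32_t slot, uint8_t tag[TAG_LEN])
{
    toy_tag(sample_key, slot, tag);
}

int main(void)
{
    uint8_t tag[TAG_LEN];
    make_cookie(100, tag);
    printf("issued for slot 100: now=100 %d, now=102 %d, now=103 %d, now=99 %d\n",
           cookie_valid(sample_key, 100, 100, tag), cookie_valid(sample_key, 102, 100, tag),
           cookie_valid(sample_key, 103, 100, tag), cookie_valid(sample_key, 99, 100, tag));
    tag[0] ^= 1;
    printf("corrupted tag: fixed %d, inverted %d\n",
           cookie_valid(sample_key, 100, 100, tag), cookie_valid_inverted(sample_key, 100, tag));
    return 0;
}
```

A cookie issued for slot 100 is accepted while the server is in slots 100 to 102 and rejected at 103 (too old) and at 99 (claims a slot the server has not reached yet); a corrupted tag is rejected by the fixed check and, as the commit describes, accepted by the inverted one.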
ssl: Clean up type handling in export_user_keying_material()
For this we actually change the API of the
format_hex{,_ex} functions by changing int
to size_t for length parameters. While we
call this function with int parameters in
a lot of places (usually BLEN), this will
not produce warnings under
-Wno-sign-conversion. And we're sure those
values are positive since format_hex already
uses size_t internally.
Change-Id: Id7bacec23edc6dcd94465c308ea2144c7329a0c1
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1301
Message-Id: <20251030145231.2792-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34036.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
ssl: Change update argument of compute_earliest_wakeup to time_t
Since we usually input a diff of two time_t values here
the input value will be officially time_t. So avoid
conversion warnings at almost every caller site.
We can safely cast it to interval_t here because we
checked that it is smaller than the interval_t value
earliest. And all negative values are treated equal,
so exact value doesn't matter.
Change-Id: I6bc3147d10ca50291110335cd9fc3be961280c1b
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1299
Message-Id: <20251116183622.11727-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34482.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Sun, 16 Nov 2025 12:11:40 +0000 (13:11 +0100)]
tapctl: refactor 'create' command
Make default adapter name selection logic more robust -
sometimes renaming fails because the deleted adapter name
might be present in the registry even though the adapter is not shown
anymore in enumeration.
Ensure that adapter name doesn't contain disallowed symbols.
Use --hwid ovpn-dco by default and update documentation.
Change-Id: I270f679505c90ef78a5afbad1e05219f166be089
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1374
Message-Id: <20251116121146.4067-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34455.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Fri, 14 Nov 2025 11:50:22 +0000 (12:50 +0100)]
recursive routing: fixes and clean-ups
- get rid of atoi() for getting the remote transport port.
It doesn't change, so no point doing it on every packet.
In addition, atoi() breaks when we use service names as ports.
- ensure we correctly handle IPv4 headers with options
- directly use buf parameter in place of c->c2.buf
GitHub: closes OpenVPN/openvpn#902
Change-Id: I8a0a8029da02fc63adc918e8d98e9f676ff4ea0d
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1377
Message-Id: <20251114115029.17432-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34415.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Wed, 12 Nov 2025 21:51:00 +0000 (22:51 +0100)]
iservice: use saved iface index to restore metric
When adding block rules, the interface metric of the VPN adapter is
temporarily modified so that an old version of Windows 10 would pick
it up first when looking up stuff via DNS. These metrics are reverted to
the old value when the block is removed.
When reverting them, instead of using the stored interface index where
the original values were read from, we were using the interface index
passed to the service with the wfp block message. That index could
theoretically be different from the one stored, which would result in
the metric being set to the wrong interface.
ssl: change return type of calc_control_channel_frame_overhead to size_t
This avoids dealing with conversion warnings inside
the function. Since we only add values that are
supposed to be positive this should be safe.
Note that we now cast the return value to int at
the caller side. There we actually subtract it and
want to catch the case where the result gets negative.
Since all the involved values are quite small compared
to INT_MAX I decided to just cast it without further
checks.
Change-Id: I71e9d4a61d37483685723c16e98f59755694cadf
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1297
Message-Id: <20251111172437.7634-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34326.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 12 Nov 2025 14:13:28 +0000 (15:13 +0100)]
Fix construction of invalid pointer in tls_pre_decrypt
In tls_pre_decrypt we construct a pointer ks with an invalid i if
i is TM_SIZE, doing a out-of-bounds read in multi->session.
This is a something that exists at least since 2.3.0 (I didn't go further
back but probalby exists in earlier version as well as the commits date
back to SVN beta21 branch).
So we construct the pointer but do not do anything with it if it is
invalid as we check i *after* we construct the pointer `ks`.
I suspect that the compiler optimises the bug away in any higher
optimisation level.
Assuming there is no optimisation, let's check what is possible.
Since we never use the value `ks` if it is invalid, we do not have
to worry if it ends up invalid or not. The only thing that we have to
worry about is whether
`session + offsetof(struct tls_session, key[KS_PRIMARY])` is pointing
to memory that is valid to read to construct the `ks` pointer.
This is outside the tls_multi struct, so this is not guaranteed to be
allocated memory but at the same time it is also only a few bytes (or a few
tens/hundred) after the struct, so the probability is very high that
it will be in a memory region that will not cause a segfault on read.
Every time this condition is hit and we construct the invalid pointer,
the log message "TLS Error: Unroutable control packet received" is
printed at `verb 1` or higher. And this is a quite common log message,
which serves as indication as well that a crash is not something that
typically happens but either the optimisation fixes or the memory
region of the invalid access is valid to read from.
Based on this, this was categorized as "bug, but no way to exploit
this, thus no CVE".
openssl_compat: Avoid conversion warning for SSL_get_negotiated_group
SSL_get_negotiated_group is documented to return
int and SSL_group_to_name definitely expects an int.
But SSL_get_negotiated_group is actually a macro
implemented by SSL_ctrl, which does return a long.
So to avoid the conversion warning we need the cast.
Change-Id: I31024f93d9d9d0f678fb39d4758a7e870bf00873 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1359
Message-Id: <20251111153230.29865-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34316.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
ssl: Change tls_send_payload size argument to size_t
There is only one caller of this function and it
wants it to be size_t. So move the size_t to int
conversion one step down in the call chain. Do not
switch key_state_write_plaintext_const, yet, since
that is a backend function and so needs way more
work.
Change-Id: Ic90c5a0e48bda4a02d5e11c4c161f388cc8805af Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1355
Message-Id: <20251111155239.31747-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34320.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 12 Nov 2025 11:21:27 +0000 (12:21 +0100)]
Do not underestimate number of encrypted/decrypted AEAD blocks
Even though the current code typically counts all the encrypted/decrypted
traffic, this is only the case because of the specific implementation
of OpenSSL at the moment.
Instead of counting the length returned by one call only, count all
the encrypted/decrypted bytes.
Other implementations that use AES-GCM (like IPSec, MacSEC, TLS 1.2)
(currently) do not honour these usage limits at all. This is the reason that
I also currently do not consider the lack/improper validation in our code
to be a security vulnerability. In the current state, implementations/protocols
that lack this feature altogether are not considered vulnerable.
Reported by: <stephan@srlabs.de>
Change-Id: I429d768fb33ef2c58484287d4091440ad8599053 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1358
Message-Id: <20251112112133.1325-1-gert@greenie.muc.de> Signed-off-by: Gert Doering <gert@greenie.muc.de>
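As an added illustration (not code from this commit or from OpenVPN), a hypothetical per-key usage counter that accumulates the bytes from every cipher update call before converting them to AES-GCM blocks, set beside the "count only one call's length" pattern the commit message says underestimates usage; the names (aead_usage_add and friends) and the chunk lengths are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define AEAD_BLOCK_SIZE 16  /* AES-GCM works on 128-bit blocks */

/* Hypothetical per-key usage counter: every byte handed to the cipher
 * is accumulated here, regardless of how many update calls carried it. */
struct aead_usage {
    uint64_t bytes_total;
};

/* Record the bytes one cipher update/final call actually processed. */
static void aead_usage_add(struct aead_usage *u, size_t len)
{
    u->bytes_total += len;
}

/* Blocks consumed by `bytes`, a partial trailing block counting as one. */
static uint64_t aead_blocks_for_bytes(uint64_t bytes)
{
    return (bytes + AEAD_BLOCK_SIZE - 1) / AEAD_BLOCK_SIZE;
}

/* True once the key has processed at least `blocks_limit` blocks. */
static bool aead_limit_reached(uint64_t bytes_total, uint64_t blocks_limit)
{
    return aead_blocks_for_bytes(bytes_total) >= blocks_limit;
}

/* Constructed scenario: one packet fed to the cipher in three update
 * calls of 20, 40 and 12 bytes. With count_all the counter sees all 72
 * bytes (5 blocks); otherwise only the last call's 12 bytes (1 block),
 * which is the underestimate the commit message describes. */
static uint64_t demo_split_encrypt_blocks(bool count_all)
{
    const size_t chunks[] = { 20, 40, 12 };
    struct aead_usage u = { 0 };
    size_t last = 0;
    for (size_t i = 0; i < sizeof(chunks) / sizeof(chunks[0]); i++) {
        aead_usage_add(&u, chunks[i]);   /* correct: accumulate each call */
        last = chunks[i];                /* wrong: remember one call only */
    }
    return aead_blocks_for_bytes(count_all ? u.bytes_total : last);
}
```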
Heiko Hund [Sun, 9 Nov 2025 15:44:31 +0000 (16:44 +0100)]
iservice: make sure directories have trailing backslash
At least in the case of the config dir this matters, since the value is
used to validate input data for the interactive service. A missing \
at the end would allow a string compare to succeed if the last element of
the path to compare starts with the same substring. The trailing slash
ensures that the last element of a path must match completely.
Heiko Hund [Wed, 12 Nov 2025 09:22:38 +0000 (10:22 +0100)]
iservice: validate config path better
Instead of just rejecting any path that contains ".." use some WIN32 API
functions to combine, canonicalize and then check if the resulting
path is located under the config directory. Makes the code prettier
and more correct.
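As an added example serving both iservice commits above (not code from the commits or from OpenVPN's interactive service): a toy C check that first canonicalises a path, resolving "." and ".." instead of rejecting any ".." outright, and then tests whether the result lies under the config directory with a separator appended, so "config-evil" no longer matches "config". CONFIG_DIR, canon_path and the sample paths are constructed stand-ins for the real directory and the Win32 path functions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Constructed config dir, deliberately without the trailing backslash. */
#define CONFIG_DIR "C:\\Program Files\\OpenVPN\\config"

/* Toy stand-in for the Win32 canonicalisation calls: copies `in` to `out`
 * with "." and ".." resolved; every written segment ends in '\\'. */
static bool canon_path(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (const char *p = in; *p;) {
        const char *seg = p;
        while (*p && *p != '\\') p++;
        size_t n = (size_t)(p - seg);
        if (*p) p++;                                /* skip separator */
        if (n == 0 || (n == 1 && seg[0] == '.')) continue;
        if (n == 2 && seg[0] == '.' && seg[1] == '.') {
            if (o > 0) o--;                         /* drop trailing '\\' */
            while (o > 0 && out[o - 1] != '\\') o--;
            if (o == 0) return false;               /* climbed above "C:\" */
            continue;
        }
        if (o + n + 2 > outsz) return false;        /* would not fit */
        memcpy(out + o, seg, n);
        o += n;
        out[o++] = '\\';
    }
    out[o] = '\0';
    return true;
}

/* Case-insensitive prefix test, since Windows paths ignore case. */
static bool prefix_ieq(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return false;
    return true;
}

/* True only if `path` canonicalises to something strictly inside CONFIG_DIR.
 * Requiring a '\\' right after the prefix is the "trailing backslash" check. */
static bool path_under_config_dir(const char *path)
{
    char canon[512];
    if (!canon_path(path, canon, sizeof(canon))) return false;
    const size_t dl = strlen(CONFIG_DIR);
    return prefix_ieq(canon, CONFIG_DIR) && canon[dl] == '\\' && canon[dl + 1] != '\0';
}
```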
Removes a few smaller instances:
- Fix return type check for socket() on Windows/Unixy
- Ignore a few instances related to WSAWaitForMultipleEvents.
The compiler says the check is currently useless, but
we follow the API documentation.
Change-Id: Iaabddb6f81cd94863291b193aae9d384a8f9d871 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1207
Message-Id: <20251111154846.31360-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34317.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Fri, 7 Nov 2025 17:48:05 +0000 (18:48 +0100)]
dco_freebsd.c: fix integer warnings
Fix all nvlist_get_number() related warnings by explicitly casting - these
are all messages coming from DCO, which we trust in this (nothing will
crash if a number is truncated, just "things will not work correctly").
Remove #pragmas.
Change-Id: Ief19ba87b0832baa6530ea8bf039d85115434e3e Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1361
Message-Id: <20251107174810.31851-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34256.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Sun, 9 Nov 2025 08:42:31 +0000 (09:42 +0100)]
FreeBSD DCO: repair --inactive
--inactive on DCO requires a working DCO counters query function
(dco_get_peer_stats(), implemented in the previous commit) and
that the DCO implementation in use fills the "tun_{read,write}_bytes"
fields for the peer context.
FreeBSD DCO only fills the "dco_{read,write}_bytes" counters - which is
something we can't fix in OpenVPN, this needs kernel enhancements.
So, to make the feature (mostly) work, check the other set of counters
on FreeBSD. Caveat: this will count encryption overhead and keepalives,
so it will still not work for `--inactive <n>` without a byte count, or
for byte counts with too tight thresholds.
Adding the #ifdef to forward.c was considered the least bad alternative.
Gert Doering [Sun, 9 Nov 2025 08:41:23 +0000 (09:41 +0100)]
dco_freebsd: implement dco_get_peer_stats()
This is "fetch read/write statistics for a single peer", complementing
dco_get_peer_stats_multi() "... for all peers", and it is called in
--client mode, and (!) in p2mp mode to check if --inactive thresholds
are reached.
The FreeBSD DCO module has no "give me stats for a single peer" call, so
we just call dco_get_peer_stats_multi() to get all of them - and that
function is modified to handle p2p or p2mp mode by checking mode == CM_TOP.
(dco_linux does about the same in dco_get_peer*() -> ovpn_handle_peer(),
after a few iterations, except that it can query for "just one peer")
"--inactive" still does not work on FreeBSD, because the code in forward.c
looks at counters that are not set by FreeBSD DCO.
v2:
on AUTH_FAIL, 'dco' struct is not initialized yet -> SIGSEGV crash,
verify that dco_peer_id is >= 0 before calling dco_get_peer_stats_multi()
The only caller of this function uses a constant
for this parameter, so this is all quite safe. Add
an ASSERT for good measure anyway to make the assumption
explicit.
Change-Id: I6079bf9e7f6b37cb2e2d7f28851a77d0b08be995 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1352
Message-Id: <20251106133936.30264-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34209.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Fri, 7 Nov 2025 16:50:29 +0000 (17:50 +0100)]
dco_freebsd.c: add D_DCO_DEBUG messages for counters and notifications
Some of these debug messages only existed on Linux, and made debugging
DCO issues on FreeBSD more difficult. Add them, using the same style as
used for dco_linux.c.
While at it, change all format strings for "peerid" to "%u" (wherever
appropriate, dco->dco_message_peer_id is an "int" today and changing
this to uint32_t is out of scope for "make better logging")
Change-Id: Ife55cb78401dad921b75f6c86d9bd0642f6a6e83 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1349
Message-Id: <20251107165038.26171-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34250.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
commit 4a48841da2 introduced a workaround for spurious DCO notifications
"with no useful content" on Linux - namely, ignoring dco_message_type==0
in forward.c, process_incoming_dco(), "because Linux has no message
type 0 anyway".
Each DCO platform uses its own enum for these notification messages
*inside* OpenVPN (which might not have the best design decision ever),
and FreeBSD had OVPN_CMD_DEL_PEER in the enum on "position 0"...
Fix by changing the enum to start with 1. Tested with DEL_PEER in p2p
client and DEL_PEER & FLOAT in p2mp server mode.
v2:
introduce OVPN_CMD_NO_MESSAGE in position 0, and a comment explaining why.
A future commit can then clean up forward.c and dco_linux.c to use the
constant, and not "magic 0 which happens to be in there after CLEAR()".
Github: fixes OpenVPN/openvpn#881
Change-Id: I991d6053776efed771bc1a3880acb80b55959cbc Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1353
Message-Id: <20251107141333.12056-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34237.html Signed-off-by: Gert Doering <gert@greenie.muc.de>