options: Cleanup and simplify options_postprocess_verify_ce
- Reuse the MUST_BE_UNDEF macro in more places
- Add a second parameter so it actually reports the
correct option name
- Add MUST_BE_FALSE for similar cases
- Reorder the checks for cert/key options to make
more sense. Some of the checks could have never
fired due to wrong placement of the management
checks
- Some other small cleanups like missing spaces
in multiline string literal
Change-Id: I4f766fa22865eaf4466c31cf55e3d73b00008c38 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250318155320.32573-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31155.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Wed, 12 Mar 2025 10:11:50 +0000 (11:11 +0100)]
dns: do not use netsh to set name server addresses
Instead of spawning a netsh process, set the name server addresses
directly in the registry hive of the VPN interface.
This is a first step to get rid of the use of command line tools in the
service and move to a more API driven style of modifying the VPN adapter
configuration.
Change-Id: Id2bed0908e84c19b8fb6fe806376316793e550b4 Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20250312101156.5756-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59159531/
URL: https://gerrit.openvpn.net/c/openvpn/+/825 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Wed, 12 Mar 2025 09:22:53 +0000 (10:22 +0100)]
dns: support multiple domains without DHCP
Instead of using wmic on Windows to set one (the first) DNS domain,
modify the registry directly and let the resolver know that something
changed.
This fixes that more than one search domain suffix could only be applied
when DHCP and the tap driver was used. Now this works as well in netsh
mode with the interactive service.
If possible the search domains are stored with the rest of the VPN interface
parameter values. However, a global search list and one which is
distributed via group policy have priority (in that order), so we probe
for the existence of those first. In order to be able to restore the
original list in any case we store an "initial list" as a backup of the
search list before we modify it.
Arne Schwabe [Tue, 11 Mar 2025 15:59:04 +0000 (16:59 +0100)]
Implement override-username
This allow the server to set and override the username that is assumed
for the client for interaction with the client after the authentication.
This is especially intended to allow the of use auth-gen-token in
scenarios where the clients use certificates and multi-factor
authentication.
It allows a client to successfully roam to a different server and have
a correct username and auth-token that can be accepted by that server as
fully authenticated user without requiring MFA again.
The scenario that this feature is probably most useful
when --management-client-auth is in use as in this mode the OpenVPN
server can accept clients without username/password but still use
--auth-gen-token with username and password to accept auth-token as
alternative authentication. A client without a username will also not
use the pushed auth-token. So setting/pushing an auth-token-user
will ensure that the client has a username.
Github: OpenVPN/openvpn#299
Change-Id: Ia4095518d5e4447992a2974e0d7a159d79ba6b6f Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250311155904.4446-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31091.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
TCP connected sockets do not need any remote addr
because the destination is fixed.
For this reason we can avoid sending the remote addr
along the peer-new dco call.
This change is important on Linux because the new 'ovpn'
kernel module is stricter when it comes to accepting
netlink messages and will reject calls with TCP sockets
if a remote address is specified.
Change-Id: I76e2e616c6ffe436a9627fa71aaace74030b2f4a Signed-off-by: Antonio Quartulli <antonio@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250309153017.5163-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31078.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Ralf Lici [Wed, 5 Mar 2025 17:17:30 +0000 (18:17 +0100)]
Handle missing DCO peer by restarting the session
Occasionally, CMD_DEL_PEER is not delivered to userspace, preventing the
openvpn process from registering the event. To handle this case, we
check if calls to the Linux DCO module return an error, and, if so, send
a SIGUSR1 signal to reset the session.
Most DCO commands that return an error already trigger a SIGUSR1 signal
or even call _exit(1). This commit extends that behavior to include
dco_get_peer_stats_multi() and dco_get_peer_stats().
Change-Id: Ib118426c5a69256894040c69856a4003d9f4637c Signed-off-by: Ralf Lici <ralf@mandelbit.com> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250305171730.250444-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31022.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Rename occurences of 'struct link_socket' from 'ls' to 'sock'
This commit renames all instances of 'struct link_socket'
from the abbreviation 'ls' to the more descriptive 'sock'
making it clearer that the variables represent
socket-related structures.
No functional changes have been introduced.
Change-Id: Iff12c4dbac84a814612aa8b5b89224be08bb9058 Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250306101339.12985-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59156800/
URL: https://gerrit.openvpn.net/c/openvpn/+/874 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Add support for simultaneous use of UDP and TCP sockets
Add all the bound sockets to the event loop.
The main server loop has been updated to handle both
TCP and UDP connections.
The hash function has also been modified to include the
protocol during the creation of new client instances.
There are also a couple of refinements to make the
whole code flow management capable of handling
different kind of clients:
MULTI: properly remove TCP instances by checking the multi_instance
protocol instead of the global one.
TLS: set the tls_option xmit_hold bool value to true only in case of
TCP child instance to avoid checking the global protocol
value.
INIT: initialize the c->c2.event_set in the inherit_context_top()
by default and not only in case of UDP since we could have
multiple different sockets.
Change-Id: I31bbf87e4e568021445c7512ecefadfd4a69b363 Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250306095928.10229-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31028.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Thu, 20 Feb 2025 12:42:05 +0000 (13:42 +0100)]
dco-win: support for iroutes
Unlike Linux/FreeBSD, dco-win doesn't have access to a
system routing table, so we have to maintain internal routing
table in the driver. For that, we have 4 ioctls to add/delete
IPv4/IPv6 iroutes. When adding iroute, we pass peer-id, so that
the driver is able to associate a subnet with a peer context.
Change-Id: I36a5442c0a5667628f419bc64efe5fb562ad3b57 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250220124205.27502-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30958.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Corubba Smith [Sat, 15 Feb 2025 19:00:33 +0000 (20:00 +0100)]
Remove x509-username-fields uppercasing
The uppercasing was first introduced together with the
x509-username-field option in commit 935c62be, and first released with
v2.2.0 in 2011. The uppercasing was later deprecated with commit f4e0ad82 and release v2.4.0 in 2016. It think it is time to finally
remove it.
This deprecated feature prevents you from using non-extension
all-lowercase fieldnames like `name`, because these are converted to
uppercase and then cause an error. The deprecation warning is also shown
in cases where there is no actual uppercasing happening, for example
with numerical forms (aka oids) like `2.5.4.41` (oid of `name`).
Signed-off-by: Corubba Smith <corubba@gmx.de> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <cb8317eb-bfb6-47e8-9bc3-ae5cc603ff21@gmx.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30915.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Corubba Smith [Sat, 15 Feb 2025 19:01:44 +0000 (20:01 +0100)]
Document x509-username-fields oid usage
When built against OpenSSL, the parameters of the x509-username-fields
option are in extract_x509_field_ssl() fed through OBJ_txt2obj() [0]
which accepts "long names and short names [...] as well as numerical
forms." Because of this, you can for example use `x509-username-field
2.5.4.41` to make OpenVPN read the `name` field [1].
x509-username-fields is currently not implemented for mbed TLS, so that
can be ignored.
Lev Stipakov [Thu, 20 Feb 2025 08:09:07 +0000 (09:09 +0100)]
dco-win: kernel notifications
The driver supports notifications mechanism, which
is used to notify userspace about various events,
such as peer keepalive timeout, key expire and so on.
This uses existing framework of subscribing and
receiving dco notifications, used by FreeBSD and Linux
implementations. On Windows we use overlapped IO,
which state we keep in DCO context. We create an event,
which is associated with overlapped operation,
and inject it into openvpn event loop. When event is
signalled, we read overlapped result into DCO context,
which is later used by already existing code which
handles peer deletion.
Change-Id: Iedc10616225f6769c66d3c29d4a462b622ebbc6e Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250220080907.9298-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30950.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Wed, 19 Feb 2025 21:54:17 +0000 (22:54 +0100)]
dco-win: multipeer support
This is the main commit for dco-win multipeer
implementation.
This adds concept of "mode" to DCO implementation,
which is peer-to-peer or multipeer. Depending on mode,
some functions use MP-specific IOCTL commands, which
include peer-id as a part of input.
The driver initialization accomodates server mode,
in which tun device is created before transport.
Since on Windows the socket is visible to the kernel only,
control channel packets have to be prepended with remote
sockaddr of the peer - this allows userspace to distinguish
among peers. Sadly there is no reliable way to get peer local
address, such as on Linux/FreeBSD, so we have to do a bit of
guesswork to figure out IP address based on remote IP and local
routing table, which may backfire if there are multiple IPs
assigned to the same network adapter. However, as for now
peer-specific local IP is not used by the driver. We use
instead the result of bind() to the listening address.
Existing sockethandle_finalize() function has been refactored
to accomodate packets with possibly prepended sockaddr.
Change-Id: Ia267276d61fa1425ba205f54ba6eb89021f32dba Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250219215417.18260-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30935.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sat, 15 Feb 2025 15:24:56 +0000 (16:24 +0100)]
Reconnect when TCP is on use on network-change management command
On some newer Android handsets, changing to a different network
often does not trigger a TCP reset but continues using the old
connection (e.g. using mobile connection when WiFi becomes available)
Force a reconnect in these situation to have a more expected beheaviour.
Change-Id: Id4febcceecab33ee5189cd67b249a15d12b84799 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250215152456.5691-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30908.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Marco Baffo [Fri, 14 Feb 2025 15:34:34 +0000 (16:34 +0100)]
get_default_gateway(): Prevent passing IPV4_INVALID_ADDR as a destination
When using --redirect-gateway (IPv4) while connected to an IPv6 remote,
OpenVPN still attempts to determine the IPv4 default gateway,
so link_socket_current_remote() returns IPV4_INVALID_ADDR (0xffffffff)
as the destination, leading to unintended behavior:
- the IPv4 default gateway (rl->rgi.gateway.addr) gets wiped.
- this prevents proper restoration of the original route when needed.
To fix this, if link_socket_current_remote() returns IPV4_INVALID_ADDR,
we now pass INADDR_ANY (0x00000000) to get_default_gateway(),
ensuring the function behaves correctly.
Change-Id: I02afe6817433ca21aae76671c35151ec6a066933 Signed-off-by: Marco Baffo <marco@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250214153434.18539-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30895.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 14 Feb 2025 12:52:38 +0000 (13:52 +0100)]
Add (fake) Android cmake building
There is a mode to build with a real Android NDK that requires setting
up cmake to build with the NDK and so.
For quick&dirty compile tests that do not actually use the Android NDK
on Linux, -DFAKE_ANDROID on Linux can be used to compile a binary using
TARGET_ANDROID.
Change-Id: If6afa1108f9234f98afdbe0de7b7320403871772 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250214125238.17558-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30885.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Drop Ubuntu 20.04
GHA runners will go away in April 2025
- Change ubuntu-latest to ubuntu-24.04
to make sure we are not surprised by
future changes.
- Update vcpkg digest to latest 33e9c99
- Update github actions to latest
Change-Id: I29b68675143988c3304395d9d5ec62289cf519a7 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Yuriy Darnobyt <yura.uddr@gmail.com>
Message-Id: <20250212215151.619-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30852.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 12 Feb 2025 16:13:11 +0000 (17:13 +0100)]
Implement epoch key data format
With DCO and possible future hardware assisted OpenVPN acceleration we
are approaching the point where 32 bit IVs are not cutting it any more,
especially if we are limiting the IVs to the safe limits of AES-GCM where
the limit is more 2^29.
To illustrate the problem, some back of the envelope math here:
If we want to keep the current 3600s renegotiation interval and have
a safety margin of 25% (when we trigger renegotiation) we have about
3.2 million packets (2*32 * 0.7) to work with. That translates to
about 835k packets per second. Currently, implementation trigger the
renegotiation at 0xff00000000 or at 7/8 of the AEAD usage limit.
With 1300 Byte packets that translates into 8-9 Gbit/s. That is far
from unrealistic any more. Current DCO implementations are already in
spitting distance to that or might even reach (for a single client
connection) that if you have extremely fast
single core performance CPU.
With the AEAD usage limit, these limits are almost a factor of 8 lower
so with the limit becomes 1-2 GBit/s. This is already reached without
DCO on some platforms.
This introduces the epoch data format for AEAD data channel
ciphers in TLS mode ciphers. No effort has been made to support
larger packet counters in any other scenario since those are all legacy.
This uses the same approach of epoch keys as (D)TLS 1.3 does and switches
the data channel regularly for affected AEAD ciphers when reaching the
usage limit.
For Chacha20-Poly1305, which does not suffer the same problems as AES-GCM,
the full 48 bit of packet counter are used only after that the same logic
to switch to a new key as with AES-GCM is done.
Change-Id: I00751c42cb04e30205ba8e6584530831e0d143c5 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: MaxF <max@max-fillinger.net>
Message-Id: <20250212161311.16888-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30845.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Sat, 1 Feb 2025 12:11:02 +0000 (13:11 +0100)]
multi.c: add iroutes after dco peer is added
This doesn't matter for Linux and FreeBSD but matters
for dco-win, where iroute subnet is mapped to a peer
context, which means that peer has to be created before
iroute is added.
Change-Id: I1cac0f036504c87205a3c97589a94a662cf79b99 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250201121102.27395-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30780.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sat, 1 Feb 2025 12:20:06 +0000 (13:20 +0100)]
Improve error reporting from AF_UNIX tun/tap support
When having a non-existent lwipovpn binary or similar problems, the
error reporting would often only report read error that were harder to
identify the real problem. Add the openvpn_waitpid_check method
that checks for error conditions and reports a better message in cases
of problems.
Change-Id: I81cbecd19018290d85c6c77fba7769f040d66233 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250201122006.32098-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30782.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Tue, 21 Jan 2025 16:10:25 +0000 (17:10 +0100)]
mudp.c: keep offset value when resetting buffer
dco-win requires control packets to be prepended
with sockaddr. For that, an offset value in buffer
must be kept. Doing it always doesn't harm and makes
code cleaner compared to adding "if (dco_win_server)"
condition.
Change-Id: I145573555aaace5e94774b5f977d032d3747ed72 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250121161025.37545-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30519.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Fri, 31 Jan 2025 15:41:35 +0000 (16:41 +0100)]
route.c: improve get_default_gateway() logic on Windows
When adding host route for IPv4, we use the default gateway. There are
cases, however, when this does not work - for example when remote
is not accessible via default gateway but via dedicated route.
Factor out code to look for the best gateway to reach the host from
get_default_gateway_ipv6() and generalize is for IPv4/6.
Change-Id: I6c7e1cef637fe9fb3f3bc6ff4fb2c65599cd86fb Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250131154135.32169-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30769.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Fri, 31 Jan 2025 08:47:07 +0000 (09:47 +0100)]
get_default_gateway(): implement platform support for Linux/IPROUTE2
Remove the old "read /proc/net/route and try to parse it" implementation
and always use the sitnl/netlink implementation of net_route_v4_best_gw().
This was kept "because we had it and it was working" but does not really
provide any benefit - netlink for route queries is there for v6 anyway,
and the main argument for keeping --enable-iproute2 is "some users want
to run non-standard 'ip' binaries to do things" - which is not affected
by this change.
Change-Id: I6f17140109106b37e6b0e690df1d87720ccf6f91 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20250131084707.24905-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30748.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 29 Jan 2025 17:30:07 +0000 (18:30 +0100)]
options: add IPv4 support to '--show-gateway <arg>'
This is an old debug option, which used to print "the default routes found"
for IPv4 and IPv6, and optionally "a route to a particular IPv6 target"
if passed an argument.
With the work started in commit 0fcfc8381f60d we want this to handle
IPv4 as well, mostly to be able to easily test per-platform
get_default_gateway() implementations.
The implementation is simplistic - if <arg> can be parsed as an IPv4 or
IPv6 address, that particular protocol lookup will do "the host route"
and the other one will stick to "the default route".
NOTE: as of this commit, there is no backend functionality for IPv4, so
it will not actually print anything interesting. This will be added in
further platform dependent commits.
v2: amend --help output
v3: uncrustify (#ifdef block too long, comments at #endif required now)
Change-Id: Ic438c583a782035ecb9b5ea65702a768ae2585f5 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20250129173007.3280-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30728.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
mroute/management: repair mgmt client-kill for mroute with proto
Fix issue reported by Coverity:
CID 1641564: Uninitialized variables (UNINIT)
Using unitialized value "maddr.proto" when
calling "mroute_addr_equal()".
Due to changes at the mroute structure
which now includes the protocol, the mgmt
iface client-kill-by-addr feature has been
updated to include this new value along
with IP:port.
While at it, changed the
mroute_addr_print_ex() format to display
the protocol only in case of MR_WITH_PROTO
avoid doing it on virtual addresses when
MR_WITH_PORT is not specified.
Change-Id: I4be0ff4d308213d2ef8ba66bd3178eee1f60fff1 Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250129161609.19202-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30716.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Shubham Mittal [Tue, 28 Jan 2025 22:09:32 +0000 (14:09 -0800)]
Add compatibility to build OpenVPN with AWS-LC.
Additional context from PR on Github about changes in ssl_openssl.c
around line 1900:
This change addresses a subtle behavioral difference between AWS-LC
and OpenSSL regarding object ownership semantics in
SSL_CTX_set_client_CA_list(ctx->ctx, cert_names).
OpenSSL Behavior:
Stores a reference to the provided cert_names stack
cert_names remains valid after SSL_CTX_set_client_CA_list
AWS-LC Behavior:
Creates a copy of the parameter cert_names (which is a stack of type
X509_NAME) and converts it to a stack of CRYPTO_BUFFER (how we internally
represent X509_NAME, it's an opaque byte string). Then frees the original
passed in cert_names.
After SSL_CTX_set_client_CA_list, cert_names no longer points to valid
memory.
The proposed changes reorder operations to getting the size of the
stack before the set operation as opposed to after the set operation.
No operations between the setter and stack size check modify
cert_names. Therefore, the logical outcome should remain the same
- and this would also handle the subtle behavioral difference in
AWS-LC.
Github: closes OpenVPN/openvpn#672 Signed-off-by: Shubham Mittal <smittals@amazon.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20250128220932.2113-1-smittals@amazon.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30682.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Wed, 29 Jan 2025 09:50:38 +0000 (10:50 +0100)]
route.c: change the signature of get_default_gateway()
As a preparation of an upcoming refactoring of
get_default_gateway(), add `dest` parameter to
specify destination address to which we are looking
the best route.
Change-Id: I58735fb24bc4a94c803b7dfcd6de87af0f75522a Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250129095038.19056-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30685.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Haiku uses full paths for interface names, 16 characters
isn't enough.
Change-Id: I6de60ed5c03ea45e1d7a3f7777bfc8ed5075e84d Signed-off-by: Alexander von Gluck <alex@terarocket.io> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250128124026.108992-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30654.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Haiku: change del to delete in route command. del is undocumented
Change-Id: Ieca0f8aa07413682d39e73dd3ed21a0038d41f49 Signed-off-by: Alexander von Gluck <alex@terarocket.io> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250128124129.109647-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30655.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
dco_linux: extend netlink error cb with extra info
A netlink error may contain more specific attributes: i.e.
missing attributes or missing neted objects.
Parse and print this information too.
Note that we are re-defining some enum entries that exist
in netlink.h starting with linux-6.1.
Since we do support distros not shipping an up-to-date
netlink.h, we had to re-define the entries we need for
this patch.
Change-Id: I9e27ff335d892429334137d028f8503da4e4ca5b Signed-off-by: Antonio Quartulli <antonio@mandelbit.com> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250128134454.2888-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30658.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 27 Jan 2025 12:25:31 +0000 (13:25 +0100)]
Print warnings/errors when numerical parameters cannot be parsed
Using the atoi method is a best effort method that parses as much of the
input string as possible as integer and ignores the rest or return 0
if the string cannot be parsed. This is lead to unexpected results.
Change the behaviour by printing a warning in these cases instead. When
parsing a configuration, these warnings will error out since the msglevel
is M_USAGE in this case. Example:
openvpnserv: Fix some inconsistent usages of TEXT()
In general you can't use multiple strings as argument
to TEXT() since it just adds a L in front of the argument.
So if you specifiy multiple arguments the later argument
strings do not get the L.
This does not seem to directly cause problems with our
ASCII strings, but make the usage consistent with all
the other code. That will help in case we remove the
usage of TEXT().
Also include tapctl/basic.h in openvpnserv to make
the macro environment consistent with tapctl and
openvpnmsica.
Change-Id: Iea477ac96b0dbaee24ca8d097a2e1958f70c5dd3 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20250127091102.26983-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30603.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
mroute: adapt to new protocol handling and hashing improvements
Repurposing an unused field and renaming it to 'proto'
instead of introducing a new field. The hashing now
begins at the 'proto' field rather than the 'type'
field. Additionally, the changes ensure that the
correct protocol is consistently used with virtual
addresses ensuring alignment.
Change-Id: Ic66eccb5058fe9c0fae64d8e2ca88728068a92ab Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250124205135.18765-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30579.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Fix PASS_BY_VALUE issue in options_postprocess_mutate_le()
Fix issue reported by Coverity:
CID 1641424: Performance inefficiencies (PASS_BY_VALUE)
Passing parameter ce of type "struct connection_entry"
(size 208 bytes) by value, which exceeds the low
threshold of 128 bytes.
Commit 8466c2ca unintentionally introduced a performance
penalty due to passing struct connection_entry 'ce'
by value to options_postprocess_mutate_le().
fix this by passing 'ce' by address.
Change-Id: I0542df021ae0ba9c982335fed7bbd10ed326dd0f Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250124130000.20067-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30566.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Marco Baffo [Fri, 17 Jan 2025 11:04:22 +0000 (12:04 +0100)]
IPv6 MADDR LOG: Wrap IPv6 addresses in square brackets and print port when the port is specified
Updated the mroute_addr_print_ex() function to wrap IPv6 addresses in square
brackets and printing the port when the port is specified, e.g., [2001:db8::1]:8080 .
When the port is not specified the IPv6 address formatting remain the same, e.g., 2001:db8::1 .
Change-Id: Ia58cff107d14e29e51df0a988e8337cbb70ebfbb Signed-off-by: Marco Baffo <marco@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250117110422.921-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30480.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Ben Boeckel [Tue, 31 Dec 2024 20:46:29 +0000 (21:46 +0100)]
console_systemd: remove the timeout when using 'systemd-ask-password'
Without this, the password request will expire after 90 seconds leaving
no way to provide the password without OpenVPN asking for it again.
Given that interactive use will wait for input without a timeout, it
makes sense to have non-interactive usage also wait until the user is
ready instead of forcing users to race against the timeout.
Change-Id: I2791d09ab698d89dc7e0183151f77b84024ad6d1 Signed-off-by: Ben Boeckel <ben.boeckel@kitware.com> Acked-By: David Sommerseth <davids@openvpn.net>
Message-Id: <20241231204629.1210040-2-ben.boeckel@kitware.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30336.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 9 Jan 2025 21:28:03 +0000 (22:28 +0100)]
Rename aead-tag-at-end to aead-epoch
Since we introduce aead at the end and epoch data keys together
and only allow the aead tag at the end if epoch data keys are
used, we can use just one flag for both of them
Change-Id: I9e9433b56dcbaa538d9bed30e50cf74948c647cc Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: MaxF <max@max-fillinger.net>
Message-Id: <20250109212803.11505-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30395.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 27 Dec 2024 12:46:32 +0000 (13:46 +0100)]
Allow DEFAULT in data-ciphers and report both expanded and user set option
This adds support for parsing DEFAULT in data-ciphers, the idea is that people
can modify the default without repeating the default ciphers.
In the past we have seem that people will use data-ciphers BF-CBC or
data-ciphers AES-128-CBC when getting the warning that the cipher is not
supported by the server. This commit aims to provide a better way for
these situation as we still want people to rely on default cipher selection
from OpenVPN when possible.
Change-Id: Ia1c5209022d3ab4c0dac6438c41891c7d059f812 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20241227124632.110920-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30245.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Tue, 31 Dec 2024 14:54:17 +0000 (15:54 +0100)]
dco-win: simplify do_close_link_socket()
c->c2.link_socket_owned is true in client mode
and for the global context in the server mode -
those are exactly the cases when we want to
set sd to undefined when using dco-win.
Change-Id: I3232dd8d855ca3f198b4ca3b2ef4f67cec49f3d4 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241231145417.12128-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30328.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Adapt socket handling to support listening on multiple sockets
Introduce internal changes preparing the server to
handle multiple sockets concurrently for both
TCP and UDP protocols. While no user-visible
features are implemented yet, these modifications
are essential for enabling future functionality
such as listening on multiple ports.
Key changes are: converting link_socket from a
single pointer to an array in various contexts,
in order to be able to store multiple sockets
at once.
Change-Id: Ia0a889e800f0b36aed770ee36e31afeec5df6084 Signed-off-by: Antonio Quartulli <a@unstable.cc> Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241230162338.21401-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30309.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Shuji Furukawa [Mon, 18 Nov 2024 14:20:20 +0000 (23:20 +0900)]
Improve shuffling algorithm of connection list
This patch implements the Fisher-Yates shuffle algorithm to ensure that all
permutations of the connection target list are generated with equal
probability, eliminating biases present in the previous shuffling method. In
the Fisher-Yates algorithm, there's only one way to obtain each permutation
through a series of element swaps, so all permutations occur with equal
probability in theory.
Signed-off-by: Shuji Furukawa <shujifurukawa1213@gmail.com> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20241118142019.31045-1-shujifurukawa1213@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29837.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
override ai_family if 'local' numeric address was specified
This change ensures that when a numeric IP address is specified
as argument to a 'local' directive, its ai_family overrides
the one extracted from the 'proto' config option.
Change-Id: Ie2471e6b2d6974e70423b09918ad1c2136253754 Signed-off-by: Antonio Quartulli <a@unstable.cc> Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241227161755.4010-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30257.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
We write doxygen comments but we do not verify them. So
quite some errors have crept in. Trying to reduce them
by reviewing the warnings output of doxygen and addressing
most of them.
Did generally ignore "The following parameter is not documented"
warnings (except those caused by typos). Fixing those will
require more work.
Usual errors fixed:
- Wrong usage of @file
- Wrong spellings of @param
- Desync between function declaration and comment
(usually param names)
Change-Id: I7a852eb5fafae3a0e85dd89ea6d4c91fcf2fab4e Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20241227161648.3350-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30256.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 27 Dec 2024 11:11:33 +0000 (12:11 +0100)]
Change API of init_key_ctx to use struct key_parameters
This introduces a new structure key_parameters. The reason is that the
current struct serves both as an internal struct as well as an
on-wire/in-file format. Separate these two different usages to allow
extending the struct.
Change-Id: I4a981c5a70717e2276d89bf83a06c7fdbe6712d7 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20241227111133.5893-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30228.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Update dependency libressl/portable to v4
- Requires setting LIBRESSL_GIT_OPTIONS
since the default is --depth=8 which is
unusable for checking out tags.
- Update dependency Mbed-TLS/mbedtls to v3.6.2
- Update mingw ubuntu runner to v24
- Do NOT update the uncrustify runner since newer uncrustify
is not usable with the current config
- Update vcpkg digest to 80d54ff
- Update github actions
Additionally change the action reference pinning
to consistently refer to the tags instead of the branches.
Change-Id: I91f68317450c3c0d69be2c489276739211ccb422 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Yuriy Darnobyt <yura.uddr@gmail.com> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20241227143652.147284-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30251.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 27 Dec 2024 11:22:55 +0000 (12:22 +0100)]
Ensure that Python3 is available
Use the more standard cmake find_package to search for Python3 and make it required. This also provides
a better error message than "version.cmake" not found when python3 is missing.
Change-Id: I350fd615ed8474d34392a057a5f8bded78173949 Signed-off-by: Arne Schwabe <arne-openvpn@rfc2549.org> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20241227112255.11992-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30232.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 27 Dec 2024 11:22:07 +0000 (12:22 +0100)]
Add building/testing with msbuild and the clang compiler
The LLVM/clang compiler warning and error message are easier too read
than their MSVC cl counterparts. Also compiling/running tests on Windows
with a different compiler has the benefit of a better coverage.
This includes a few minor changes to allow clang-cl to compile the
project.
Change-Id: I43d84034f3e920a45731c4aab4f851a60921290d Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20241227112209.11572-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30231.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Corubba Smith [Sat, 14 Dec 2024 19:56:56 +0000 (20:56 +0100)]
Support IPv6 towards port-share proxy receiver
While port-share already supports IPv6 connections from clients, it only
supported IPv4 connections towards the proxy receiver. The used
common/shared OpenVPN machinery is already IPv6-ready, so all needed was
to use properly-sized `sockaddr` structs and removing hardcoded IPv4
restrictions.
Signed-off-by: Corubba Smith <corubba@gmx.de> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <dcc7e538-2035-4697-b306-10eb470632f3@gmx.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30115.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Tue, 24 Dec 2024 17:42:33 +0000 (18:42 +0100)]
repair DNS address option
Commit
6f2d222 ("dns: store IPv4 addresses in network byte order")
changed the internal representation of IPv4 address within DNS
settings to network byte order, however later this value is copied into
tuntap_options, where IPv4 addresses are assumed to be in host byte
order (see lots of occurences of "htonl(tt->" in tun.c). As a
consequence, DNS server address is set incorrectly, like 4.4.8.8 instead
of 8.8.4.4
Fix by converting address to host byte order when copying from DNS
options to tuntap_options.
Change-Id: I87e4593e6a548bacd40b840cd241950019fa457d Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241224174233.13005-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30195.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sun, 22 Dec 2024 21:45:41 +0000 (22:45 +0100)]
Move initialisation of implicit IVs to init_key_ctx_bi methods
This is really more a function of initialising the data cipher and key
context and putting it into the init_key_ctx_bi makes more sense.
It will allow calling init_key_ctx_bi to fully initialise a
data channel key without calling some extra functions after that
which will make the (upcoming) epoch key implementation cleaner.
Also ensure that free_ctx_bi actually also sets initialized to false.
Change-Id: Id223612c7bcab91d49c013fb775024bd64ab0836 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241222214541.11021-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30170.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sat, 21 Dec 2024 22:39:05 +0000 (23:39 +0100)]
Split init_key_ctx_bi into send/recv init
This allows for only initialising one of the keys. This is needed
for epoch keys where key rotation of send/recv key can happen at
different time points.
Change-Id: If9e029bdac264dcc05b2d256c4d323315904a92b Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241221223905.18820-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30151.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Sat, 21 Dec 2024 22:41:36 +0000 (23:41 +0100)]
service: add utf8to16 function that takes a size
utf8to16_size() takes the size of the to be converted string. This is
needed to convert MULTI_SZ strings, which contain inline NUL characters,
but can be useful in other cases as well.
Change-Id: I6b4aa3d63c0b684bf95841271c04bc5d9c37793b Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241221224136.20984-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30158.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sat, 21 Dec 2024 15:37:30 +0000 (16:37 +0100)]
Trigger renegotiation of data key if getting close to the AEAD usage limit
This implements the limitation of AEAD key usage[1] with a confidentiality
margin of 2^-57, the same as TLS 1.3. In this implementation, unlike
TLS 1.3 that counts the number of records, we count the actual number of
packets and plaintext blocks. TLS 1.3 can reasonable assume that for
large data transfers, full records are used and therefore the maximum
record size of 2**14 (2*10 blocks) is used to calculate the number of
records before a new key needs to be used.
For a VPN like OpenVPN, the same calculation would either require using a
pessimistic assumption of using a MTU size of 65k which limits us to
2^24 packets, which equals only 24 GB with more common MTU/MSS of 1400
or requiring a dynamic calculation which includes the actual MTU that
we allow to send. For 1500 the calculation yields 2*29.4 which is a
quite significant higher number of packets (923 GB at 1400 MSS/MTU).
To avoid this dynamic calculation and also avoid needing to know the
MSS/MTU size in the crypto layer, this implementation foregoes the
simplification of counting just packets but will count blocks and packets
instead and determines the limit from that.
This also has the side effect that connections with a lot of small packets
(like TCP ACKs) mixed with large packets will be able to keep using the same
key much longer until requiring a renegotiation.
This patch will set the limit where to trigger the renegotiation at 7/8
of the recommended maximum value.
The easiest way to test if this patch works as
intended is to manually change the return value of cipher_get_aead_limits
to some silly low value like 2048. After a bit of VPN traffic, a soft
reset should occur that indicates being over the
Heiko Hund [Fri, 13 Dec 2024 16:45:52 +0000 (17:45 +0100)]
dns: store IPv4 addresses in network byte order
This is done so that inet_ntop(3) can be used with IPv4 name server
addresses. It expects the binary address in network byte order. If they
are not that way the address octets are reversed.
Change-Id: I81d4bb0abdd421f5ba260c10c610918652334a4d Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20241213164552.265863-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30111.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 12 Dec 2024 14:38:45 +0000 (15:38 +0100)]
Use XOR instead of concatenation for calculation of IV from implicit IV
This change prepares the extended packet id data where also the packet id
part of the IV will be derived using xor. Using xor also in the AEAD
case where this degenerates to a concatenation allows using the same
IV generation code later.
Change-Id: I74216d776d3e0a8dc987ec7b1671c8e8dcccdbd6 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: MaxF <max@max-fillinger.net> Acked-by: Antonio Quartulli <antonio@mandelbit.com> Acked-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241212143845.4090-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30097.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
forward: Fix potential unaligned access in drop_if_recursive_routing
ASAN error:
forward.c:1433:13: runtime error: member access within misaligned
address 0x51e00002f52e for type 'const struct in6_addr', which
requires 4 byte alignment
replace IN6_ARE_ADDR_EQUAL() which uses 32bit compares on Linux - alignment
sensitive - with our own OPENVPN_IN6_ARE_ADDR_EQUAL() macro, which always
does memcpy() and does not care for alignment.
v2: Use memcmp instead of memcpy
Change-Id: I74a9eec4954f3f9d208792b6b34357571f76ae4c Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20241211171349.8892-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30074.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
corubba [Sat, 7 Dec 2024 23:17:05 +0000 (00:17 +0100)]
Fix IPv6 in port-share journal
getpeername() and getsockname() will truncate the result if it is
larger than the passed-in length. Because here always the size of the
`sa` IPv4 union member was passed in, all larger (aka IPv6) results
were truncated. Instead use the size of the `addr` union, which is the
maximum size of all union members.
Note: the full functionality of these changes depends on
https://review.haiku-os.org/c/haiku/+/8592
Signed-off-by: Alexander von Gluck <alex@terarocket.io> Acked-by: Gert Doering <gert@greenie.muc.de>
Change-Id: I1a22724f28c5cd47f6df178b49f44087d7c2b6fd
Message-Id: <20241205172459.4783-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30023.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
projects / thirdparty / openvpn.git / log
