Luca Boccassi [Mon, 30 Mar 2026 18:08:54 +0000 (20:08 +0200)]
management: add base64 multi-line input for passwords
Allow management clients to send long passwords via the
usual multi-line base64 encoded protocol.
A client declares MCV 5 support and sends a 'password <type>'
line, followed by as many lines (each up to 1024 bytes) as
needed, in base64 encoded format, terminated by 'END'.
This is useful when a password is a JIT-generated use-once
token.
test_packet_id: Add a check after malloc to ensure value is valid
cppcheck complains about a potential null pointer dereference
in reliable_get_num_output_sequenced_available. That is mostly
theoretical, but still add a check.
Change-Id: I64da2328591ef2b9ee7502e574c878651cdf356a
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1621
Message-Id: <20260406074729.29903-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36516.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
By default the first enum value is 0.
But we check whether we set the flag by doing
BOOL dnssec = (msg->flags & nrpt_dnssec) != 0;
This can't ever be true.
Found by cppcheck.
Change-Id: Iff5be978817bfc0cd4d78818e7be7b90bad71f3c
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1606
Message-Id: <20260405102209.31528-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36487.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
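The defect described in the commit above, shown side by side with the corrected enum, as an added example; this is not OpenVPN code, and the enum members (nrpt_dnssec, nrpt_other), the broken/fixed helper names and the flag validity check are assumptions made for illustration. A flag whose enum value is implicitly 0 can be OR-ed into a mask without effect, so a "(flags & flag) != 0" test for it can never succeed; the second enum gives every flag an explicit, distinct bit, and the last helper is the kind of startup or unit-test assertion that catches a zero-valued flag before it ships.

```c
#include <stdbool.h>

/* Constructed example: the first member of an enum defaults to 0, so using it
 * as a bitmask flag is a silent no-op. This mirrors the defect in the commit. */
enum broken_flags
{
    nrpt_dnssec_broken,      /* implicitly 0: (flags & 0) is always 0 */
    nrpt_other_broken        /* implicitly 1 */
};

/* Corrected form: every flag is an explicit, non-zero, distinct bit. */
enum fixed_flags
{
    nrpt_dnssec = 1u << 0,
    nrpt_other  = 1u << 1
};

/* Same shape as the check quoted in the commit message. */
static bool
broken_has_dnssec(unsigned int flags)
{
    return (flags & nrpt_dnssec_broken) != 0;   /* can never be true */
}

static bool
fixed_has_dnssec(unsigned int flags)
{
    return (flags & nrpt_dnssec) != 0;
}

/* Cheap sanity check for any bitmask enum: a flag must be non-zero and a
 * power of two, otherwise it either cannot be set or overlaps another flag. */
static bool
flag_is_valid_bit(unsigned int flag)
{
    return flag != 0 && (flag & (flag - 1)) == 0;
}
```

Calling broken_has_dnssec with the "set" flag still returns false, which is exactly what a static checker like cppcheck flags as an always-false condition; flag_is_valid_bit(nrpt_dnssec_broken) reports the root cause directly.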
Arne Schwabe [Sat, 4 Apr 2026 07:23:30 +0000 (09:23 +0200)]
Use ASN1_BIT_STRING_get_bit to check for netscape certificate usage
The ASN1_BIT_STRING object has become opaque in OpenSSL 4.0. So instead
of accessing the internals, we have to use a method now to check these
attributes.
The bit counting in ASN.1 and of this method is a bit strange and
it will count bits from the left instead of the right, so the previous
mask of 0x80 for clients is now 0 and 0x40 for server is now 1.
Change-Id: I77500d435f212a4bf42ee8cfca07d0285fe694f2
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1587
Message-Id: <20260404072336.30014-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36446.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
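The bit numbering the commit above calls "a bit strange", worked through as an added example that is not OpenVPN's or OpenSSL's code. In an ASN.1 BIT STRING, bit 0 is the most significant bit of the first content octet, so the legacy byte masks 0x80 and 0x40 correspond to bit indices 0 and 1, which is why the mask-to-index translation in the commit is "0x80 -> 0, 0x40 -> 1". The helper bitstring_get_bit re-implements that numbering on a raw octet array (the real OpenSSL accessor takes an opaque ASN1_BIT_STRING, not a byte pointer); the NS_SSL_*_BIT constants, the ns_cert_allows_* wrappers and mask_to_bit_index are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdbool.h>

/* Constructed example: ASN.1 BIT STRING bit numbering. Bit n lives in octet
 * n / 8, and within that octet bit 0 is the MSB (mask 0x80), bit 7 the LSB.
 * Bits past the encoded length read as 0 rather than as an out-of-bounds read. */
static bool
bitstring_get_bit(const unsigned char *data, size_t len, size_t n)
{
    size_t byte = n / 8;
    if (data == NULL || byte >= len)
    {
        return false;
    }
    unsigned char mask = (unsigned char)(0x80u >> (n % 8));
    return (data[byte] & mask) != 0;
}

/* Netscape certificate type bits, using the values from the commit message:
 * SSL client was mask 0x80 (now bit 0), SSL server was mask 0x40 (now bit 1). */
#define NS_SSL_CLIENT_BIT 0
#define NS_SSL_SERVER_BIT 1

static bool
ns_cert_allows_client(const unsigned char *data, size_t len)
{
    return bitstring_get_bit(data, len, NS_SSL_CLIENT_BIT);
}

static bool
ns_cert_allows_server(const unsigned char *data, size_t len)
{
    return bitstring_get_bit(data, len, NS_SSL_SERVER_BIT);
}

/* Translate a legacy single-bit mask on octet 0 into the bit index the
 * accessor-style API expects; returns -1 for anything that is not one bit. */
static int
mask_to_bit_index(unsigned char mask)
{
    for (int i = 0; i < 8; i++)
    {
        if (mask == (unsigned char)(0x80u >> i))
        {
            return i;
        }
    }
    return -1;
}
```

The point worth checking when porting such code is the direction of the shift: a naive "1u << n" numbering would silently swap client and server usage, and a certificate issued for one role would be accepted for the other.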
Greg Cox [Mon, 30 Mar 2026 23:13:56 +0000 (23:13 +0000)]
Update --learn-address man page with ipv6 information
The `--learn-address` option is very v4-specific in its man page.
This expands the docs based on things I tripped over when bringing
up a dual-stack server.
ssl_ncp: Fix type of "found" parameter of check_pull_client_ncp
In commit 91fd9614f980b02772e4dfbb09144c822ec97df0 type
of "found" was changed to uint64_t. But due to -Wconversion
not yet enabled in all of init.c one occurrence of the old
type was missed.
Change-Id: I1a6dfc175075636bc7a5761215547077a9dc397a
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1594
Message-Id: <20260331060112.5195-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36364.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
wfp_block: Avoid sign-compare warning with Fwpm* return types
FWP_E_ALREADY_EXISTS is explicitly cast to HRESULT which
is LONG. But Fwpm* return DWORD. So if you compare an expected
result with the actual result you get a sign-compare warning...
Change-Id: I2f6502da1832edcb273a0dfa9b3ef940bec2d711
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1506
Message-Id: <20260330113826.20057-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36337.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Tue, 3 Mar 2026 14:28:14 +0000 (15:28 +0100)]
Add an optional username-only flag for auth-user-pass
Specify "--auth-user-pass username-only" for openvpn to prompt
for only username, not password. Prompt via management interface
uses the usual ">PASSWORD 'Auth' " prompt with type "username"
instead of "username/password".
Internally, the password gets set as "[[BLANK]]" which is currently
used as tag for blank password.
Not compatible with --static-challenge or when username and
password are inlined or read from a file. In such cases, the user
hard-codes a dummy password in the file instead.
socket: restore per-connection lport override over global default
OpenVPN 2.7.x introduced a regression where --lport specified
inside a <connection> block did not override a globally defined
local port. As a result, the socket was bound to the global
default port instead of the per-connection value.
Adjust the socket local_port selection logic to honour
local_port_defined when set for the active connection profile.
This change restores the documented and previously working
behaviour from 2.6.x, where connection-level lport takes
precedence over global defaults.
Github: closes OpenVPN/openvpn#995
Change-Id: I7cf5d5ef7e2531f397ad97baf4663e3763072f6b
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1555
Message-Id: <20260316134841.28362-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36164.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Haixiao Yan [Thu, 26 Mar 2026 06:20:16 +0000 (14:20 +0800)]
tests: skip test execution when cross-compiling
The auth-pam unit test Makefile.am unconditionally assigns the TESTS variable,
causing test execution to fail during cross-compilation because the target
binaries are not executable on the build host.
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20260326062016.3856597-1-haixiao.yan.cn@windriver.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36288.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 25 Mar 2026 12:43:38 +0000 (13:43 +0100)]
Change type of option flag from unsigned int to uint64_t
We currently use all 32 bits of the unsigned int for option classes.
While we can probably retire 2-3 of the existing options, at some
point we will hit the limit again.
Instead of fully rewriting this logic to use a different approach or
structure, changing the type from unsigned int to uint64_t seems to be
a lot less intrusive approach.
Change-Id: I8ca07e2bbb5de229204191d61e90f084a58969af
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1583
Message-Id: <20260325124338.123477-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36266.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
auth_token: Clean up type handling in verify_auth_token and its UT
First of all remove the testing of renegotiation_seconds.
Commit 9a5161704173e31f2510d3f5c29361f76e275d0f made it
irrelevant for verify_auth_token but still left UTs for it.
But AFAICT these UTs only test that renegotiation_seconds
is bigger than auth_token_renewal, so it tests the UT
setup routine...
Also improve the code to require less casts under
-Wsign-compare.
Add a comment that this code is not y38 safe if time_t
is 32bit. Probably nothing we want to do from our side
since in that case everything that uses "now" is borked.
So we trust in the OS here...
Change-Id: I73dba29719ea685f0427a3c479e7f1f176f09eba
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1510
Message-Id: <20260312173144.15602-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36079.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 25 Mar 2026 12:45:26 +0000 (13:45 +0100)]
Increase default size of internal hash maps to 4 * --max-clients
The default of 256 seems quite low as with (at least) 1024 possible
entries (the --max-clients default setting) we have guaranteed
collisions. Using 4 times the number of possible entries for real
addresses should reduce collisions quite a bit while also leaving
some headroom for the virtual addresses hash where a client might
have more than one address.
A reason to keep the limit so low are the memory requirements. Each
bucket has the size of one linked-list pointer (4 bytes on 32 bit and
8 bytes on 64 bit). So 256 buckets use 1 or 2 kB while 4096 will use
16 kB or 32 kB.
When the current limit was set 20 years ago this might have been a
meaningful memory saving but today the collision probability is
more important.
Change-Id: Ia699b0dfa407ac377970bb130434298eaaec592b
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1563
Message-Id: <20260325124526.124049-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36268.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sun, 22 Mar 2026 11:12:01 +0000 (12:12 +0100)]
Do not support tls_ctx_set_cert_profile on AWS-LC
SSL_CTX_set_security_level does nothing on AWS-LC and gives a deprecated
warning on compile. It is better to give the user a warning than to
effectively silently ignore it as well.
Change-Id: I74841d3611c62d3c59fc839bc73a0c83ce025262
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1579
Message-Id: <20260322111207.8346-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36243.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Rudi Heitbaum [Mon, 23 Mar 2026 12:19:00 +0000 (13:19 +0100)]
ssl_verify_openssl: use official ASN1_STRING_ API
ASN1_STRING are now opaque types in OpenSSL 4.x — the internal data and
length fields are no longer directly accessible. Use the accessor API
instead. Accessors have been available since OpenSSL 1.1.0.
The ASN1_STRING_length accessor is already in use, but not consistently
applied. Standardise on using ASN1_STRING_length and ASN1_STRING_get0_data,
which allows for a successful build with OpenSSL 4.x.
Arne Schwabe [Mon, 16 Mar 2026 12:11:48 +0000 (13:11 +0100)]
Remove unnecessary OpenSSL init and cleanup commands in unit tests
After the removal of OpenSSL 1.0.2 support these instructions are
no longer needed and the main OpenVPN program also no longer calls
them in init_ssl_lib or free_ssl_lib.
Also remove them from the unit tests. This also solves a
deprecation warning on EVP_cleanup when compiling with aws-lc.
Change-Id: I228f6fd9ff18256f09d4348df1fc48853f8e7306
Signed-off-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1568
Message-Id: <20260316121148.25189-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36153.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
crypto: Change cipher_kt_*_size to return unsigned instead of int
OpenSSL uses int but never returns negative values.
mbedTLS < 4 uses size_t and mbedTLS >= 4 doesn't have
its own implementation, so we can choose.
We chose unsigned int since size_t seems a bit silly for
values that are never even close to UINT_MAX.
Making it unsigned makes it easier in most cases to write
code that doesn't have sign-compare issues.
Also change cipher_ctx_iv_length and cipher_ctx_block_size
to return an unsigned value for similar reasons.
v7:
- switch to unsigned int instead of size_t
Change-Id: I1bc576c4c7ffacbb9300608d98b06b22f2475fd9
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1508
Message-Id: <20260313175209.12024-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36114.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
systemd: Change LimitNPROC to TasksMax and increase limit
There were some complaints about valid setups
that ran into problems with LimitNPROC. This
is especially true since LimitNPROC limits
the total amounts of threads running for the
same uid, so if multiple openvpn services run
under the same user, they will compete for
resources. As suggested in the systemd
documentation change this to TasksMax which
really counts the threads running in one
specific service.
Also increase the limit. When using e.g.
resolvconf for DNS configuration the limit
can be exhausted just due to the amount of
nested shell scripts.
Github: Fixes OpenVPN/openvpn#929
Change-Id: Ic877f9a9c6459c6eb97cde1099f47f0b196b8084
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1539
Message-Id: <20260313223833.3813-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36123.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 13 Mar 2026 17:53:16 +0000 (18:53 +0100)]
Show version and double check we use the right TLS library in Github Actions
We recently discovered that the AWS-LC builds in Github Actions were
actually using OpenSSL. This will now cause an error if something like
this happens in the future again.
Change-Id: Ia929c949cceaabe21a2937ad3217052aec4b2b4c
Signed-off-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1566
Message-Id: <20260313175324.12121-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36115.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Fri, 13 Mar 2026 15:30:01 +0000 (16:30 +0100)]
GHA: Install aws-lc under /opt/aws-lc
The previous installation inside the OpenVPN workspace directory
caused the AWS-LC installation to be deleted. And that caused OpenSSL
to be used instead of AWS-LC during the build.
This also removes the --enable-werror flag from AWS-LC because it
is currently not even close to building without warnings.
Change-Id: I090f5b201d67f51d2e42df1914a8466bcfcb6bf8
Signed-off-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1565
Message-Id: <20260313153007.31810-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36106.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 12 Mar 2026 15:33:23 +0000 (16:33 +0100)]
Add siphash reference implementation
OpenSSL only supports SIPHASH with OpenSSL 3.1 and newer. The source code of
siphash is quite small and has very liberal CC0 license, so include it instead
of pulling an extra library for it.
Change-Id: I1292894fe7f537049a97bee97af4419e5e854a00
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: MaxF <max@max-fillinger.net>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/29
Message-Id: <20260312153329.4700-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36072.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Previously we had a weird mix of int and DWORD. But the
Win32 APIs seem to be consistent (they have different names,
but NET_IFINDEX is ULONG is DWORD). So use that.
Note that this fixes some smaller issues in surrounding
code that are not strictly related but were found while
scanning the code. Mostly about needlessly converting
all DWORD values to int for printf().
Change-Id: I38bb2d1fa66c543e8bcf47b7d77b6154d1895f81
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1519
Message-Id: <20260311163852.21387-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36021.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
ssl_verify_openssl: Clean up extract_x509_extension
* Avoid sign-compare warning when comparing string
lengths
* Use the nicer alias rfc822Name instead of the general ia5
from the GENERAL_NAME union.
* Use the official ASN1_STRING_length API instead of accessing
the struct directly.
* C11 changes
Change-Id: I23cc00aee47aef007ab2e7d50b52c6de299505db
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1507
Message-Id: <20260309133236.29732-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35980.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Fix various sign-compare warnings due to write return value
write takes size_t as count (unsigned int on
Windows) and returns ssize_t (int on Windows).
But we often want to compare the return value
to the count.
Generally we can just rely on the fact that
sizeof(ssize_t) == sizeof(size_t) and use that
for all values. (Until we want to introduce
-Wsign-conversion that is...)
Change-Id: I3eb4581980f532cb2960b37a6fa43a7baee4b603
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1513
Message-Id: <20260306163337.2756-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35963.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
cryptoapi: Change signature of parse_hexstring to match code
parse_hexdigest is a function that is used in
exactly one place (not counting tests). So
change the types in a way that they match what
the caller actually wants (DWORD) and so we
do not have any unnecessary conversions.
Change-Id: I525a5b1b9b6f173cdf12341aefc44d58f0d43aed
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1492
Message-Id: <20260304164502.15449-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35901.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
buffer: Add checked_snprintf function and use it in the code
This reintroduces a function that converts the result
of snprintf to a boolean since the check is always the
same but annoyingly verbose. And it gets worse when you add
-Wsign-compare.
So in preparation of introducing -Wsign-compare wrap this
check in the function.
This somewhat reverts the removal of openvpn_snprintf.
But note that that was originally introduced to work
around the broken snprintf of Windows. So this is not
exactly the same. For this reason I also classified this
as a buffer function and not a compat function.
Change-Id: Ia3477b8ee7a637c15aad7f285144280595cda5d5
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1489
Message-Id: <20260304110455.15859-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35872.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
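The "annoyingly verbose" check the commit above wraps, written out as an added example that is not OpenVPN's buffer.c: checked_snprintf_example, build_log_path and build_log_path_len are names chosen here for illustration. snprintf returns an int that is negative on an encoding error and, on truncation, the length the complete output would have had; comparing that int with a size_t buffer size is the -Wsign-compare case the commit refers to, and the negative case must be ruled out before the cast. The second function shows the reason the check matters in practice: a truncated path or command line must be treated as an error, not used as-is.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example of a checked snprintf wrapper: returns true only if the
 * whole formatted string (plus NUL) fit into 'size' bytes. The int result is
 * cast to size_t only after a negative value has been excluded. */
static bool
checked_snprintf_example(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0)
    {
        return false;          /* output or encoding error */
    }
    return (size_t)n < size;   /* false means the output was truncated */
}

/* Build "<dir>/<name>.log" and refuse to continue on truncation, clearing the
 * buffer so no caller can accidentally use a clipped path. */
static bool
build_log_path(char *out, size_t out_size, const char *dir, const char *name)
{
    if (!checked_snprintf_example(out, out_size, "%s/%s.log", dir, name))
    {
        if (out_size > 0)
        {
            out[0] = '\0';
        }
        return false;
    }
    return true;
}

/* Test helper: length of the path that was built for a given buffer size,
 * or 0 when the build was rejected. Buffer capped at 64 bytes for the demo. */
static size_t
build_log_path_len(size_t out_size, const char *dir, const char *name)
{
    char buf[64];
    if (out_size > sizeof(buf))
    {
        out_size = sizeof(buf);
    }
    return build_log_path(buf, out_size, dir, name) ? strlen(buf) : 0;
}
```

The boundary case is the one worth remembering: with a 20-character result, a 21-byte buffer succeeds and a 20-byte buffer is reported as truncated, because snprintf always reserves one byte for the terminator.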
buffer: Add BLENZ macro that returns size_t and use it where required
The big int-vs-size_t length confusion in buffer and its
users can't be solved easily or quickly. So as a first step
document which users of BLEN actually already want a size_t
return. This is better than adding manual size_t casts since
it should be easier to change the API later.
This will also help with the -Wsign-compare introduction.
This does not actually change any behavior. The compiler
already did all of these casts implicitly. We just make
them explicit.
Change-Id: I4e75ba1dbc6d9a0f75298bc900f713b67e60d096
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1132
Message-Id: <20260304105944.15386-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35870.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 16 Feb 2026 16:22:31 +0000 (17:22 +0100)]
Merge stream_buf_get_next and stream_buf_set_next
The stream_buf_set_next prepares a buffer in the stream_buf
structure that will be retrieved by stream_buf_get the next
time it is used.
This temporary copy of the buffer is unnecessary as the buffer
next can also be constructed on the fly.
This also fixes a rare crash when read buffers are not initialised and
read is still signalled, as the initialisation of next will now happen
whenever it is required.
This assertion happens when we do not expect a read event from the socket
and then in link_socket_read_tcp the function stream_buf_get_next can
trigger an assert on ASSERT(buf_defined(&sb->next));
To avoid this weird corner case, just always initialise the read buffer
whether or not we expect a read to occur.
This also adds documentation about the methods and field associated with
the stream_buf structure.
Reproducing this bug requires very special circumstances. To reproduce,
run a client with
openvpn --client --proto tcp --dev tap --ifconfig noexec ...
The client side must be on Linux. Other platforms do not reproduce this
bug.
Note that the client will not configure any IP or IPv6 on the interface
and will also not bring up the interface. The server must also send at least
one real data packet to the client (no keepalive ping). Just having the
interface up normally produces enough traffic.
Now forcefully reset the TCP connection. E.g. by executing on the client
sudo ss --kill dport <server port>
This will now trigger the assertion. This happens since OpenVPN waits
forever to get a write back from the poll from the tun/tap device but
this never happens since the device is not up.
As long as we do not get back the tun device for writing, we also do
not put the socket back into the EVENT_READ state. And this also means
that code to initialise the read buffer (stream_buf_set_next) is never
run.
But the reset on the TCP socket triggers the TCP socket to be available
for read, even if it is just for a read of 0 bytes to indicate the reset.
So the function link_socket_read_tcp will run into the assert.
Change-Id: Ifd3e953104a67c8bf2a225e179865e3dbd0dbfbc
Signed-off-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1477
Message-Id: <20260216162236.22304-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35673.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Max Fillinger [Mon, 2 Mar 2026 14:20:39 +0000 (15:20 +0100)]
Avoid unbounded allocations in pkcs11_mbedtls.c
The PKCS#11 provider can crash OpenVPN by making it try to allocate
2^64 bytes for a certificate. To avoid this, set a maximum size for
certificates. If the size is exceeded, don't try to allocate memory and
instead exit pkcs11_get_x509_cert with an error.
The chosen maximum size is 100.000 bytes which is twice the size of
a SLH-DSA (aka SPHINCS+) signature.
Switch libressl and mbedTLS 4 builds to Ubuntu 24.04.
Includes the following renovate changes:
- chore(deps): update dependency aws/aws-lc to v1.67.0
- chore(deps): update github actions
- chore(deps): update vcpkg digest to e5a1490
Change-Id: I4536e06b082ae17baba1490246244b5923063c93
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1540
Message-Id: <20260302152510.11918-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35813.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
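The bounded-allocation pattern from the pkcs11_mbedtls.c commit above, as an added example that is not OpenVPN's code: a length reported by an external component (here a PKCS#11 provider) is untrusted input, so it is compared against a cap in the wider type before any narrowing or malloc. The 100000-byte limit is the value the commit message gives; MAX_CERT_SIZE_EXAMPLE, alloc_cert_buffer and fetch_cert_simulated are names chosen for illustration, and the simulated fetch fills the buffer with a placeholder byte instead of real DER data.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: cap for a single certificate, value from the commit
 * message (twice the size of an SLH-DSA signature). */
#define MAX_CERT_SIZE_EXAMPLE 100000u

/* Allocate 'reported' bytes only if the size is sane. Zero and anything above
 * 'cap' are refused before malloc is ever called, so an attacker-controlled
 * 2^64 length cannot turn into an allocation attempt or an abort. */
static unsigned char *
alloc_cert_buffer(size_t reported, size_t cap)
{
    if (reported == 0 || reported > cap)
    {
        return NULL;
    }
    return malloc(reported);
}

/* Simulate fetching a certificate whose length the provider reports first.
 * 'provider_len' stands in for a CK_ULONG attribute length and is kept as a
 * uint64_t so the range check happens before any conversion to size_t, which
 * on 32-bit targets could otherwise silently drop the high bits.
 * Returns the number of certificate bytes obtained, or 0 on rejection. */
static size_t
fetch_cert_simulated(uint64_t provider_len)
{
    if (provider_len > MAX_CERT_SIZE_EXAMPLE)
    {
        return 0;                      /* reject before narrowing */
    }
    size_t len = (size_t)provider_len;
    unsigned char *buf = alloc_cert_buffer(len, MAX_CERT_SIZE_EXAMPLE);
    if (buf == NULL)
    {
        return 0;
    }
    memset(buf, 0x30, len);            /* placeholder for DER bytes (0x30 = SEQUENCE) */
    free(buf);
    return len;
}
```

The order of the two checks is the substance: the comparison in uint64_t catches the absurd value, and only then is the value narrowed and passed on to the allocator with the same cap as a second line of defence.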
options: drop useless init_gc param for init_options()
The init_option() function is always invoked with the second
param "init_gc" set to "true".
This makes the parameter useless and it can therefore be removed
while always taking the "true" branch in the related logic.
This way we can also drop the options->gc_owned member as it
would also be always set to true.
Change-Id: I633d8cbf75ab4da85e16df44684aef60523811c5
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1536
Message-Id: <20260217135605.154129-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35695.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Fri, 27 Feb 2026 22:47:39 +0000 (23:47 +0100)]
dco_freebsd: use AF_LOCAL sockets for ioctl() communication with DCO driver
DCO FreeBSD uses ioctl() calls for userland -> driver communication, on
a socket() file descriptor. The original code uses AF_INET sockets,
which fails if using a kernel compiled without IPv4 support.
The kernel side ioctl() handling does not differentiate between AF_INET,
AF_INET6 and AF_LOCAL sockets, and only the latter are guaranteed to be
present.
While at it, add a clear message if the socket() call in dco_available()
fails (it will lead to disabling of DCO).
FreeBSD PR: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=286263
Reported-by: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
Change-Id: I84fe7a11391eafde3660d25a3c99094a0c525f3d
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1551
Message-Id: <20260227224745.3175-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35795.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Tue, 24 Feb 2026 21:30:30 +0000 (22:30 +0100)]
Fixup version command on management interface
All commands to the management interface are supposed to be
responded with either a one-line "SUCCESS:/ERROR:" message
or a multi-line reply terminated by "END". But, currently we
silently accept the "version n" command with no response. This
causes clients like OpenVPN-GUI to lock up if the version command is
used, waiting forever for a reply.
Fix this by adding a SUCCESS response if client version
is set to a value >= 4. As the highest client version in use
until now is 3, this should not affect any work-arounds in
existing clients. ERROR response is generated if the version
parameter is null which never happens in practice.
Gert Doering [Fri, 20 Feb 2026 10:20:58 +0000 (11:20 +0100)]
configure.ac: adjust to native inotify support for FreeBSD 15+
FreeBSD 15 has native inotify support, and no "libinotify.pc" pkg config
file anymore, plus no extra includes are needed. This works fine if we
conditionalize the FreeBSD check to "freebsd-1[0-4]".
Due to m4 involvement double braces are needed for quoting.
See https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293176
Reported-by: Ivo Karabojkov <karabojkov@kit.bg>
Reported-by: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
Change-Id: Ie3f209a641c2f56494dfc7720b13f2a2ba3001a8
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1535
Message-Id: <20260220102106.32024-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35761.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Fix various loop index types to avoid sign-compare issues
Just uses the correct types i.e. the same as the limit.
Since the index is usually only used as a non-negative
array index the type change does not cause any behavioral
changes.
But it avoids -Wsign-compare complaints and is just
cleaner.
Change-Id: Ib6c3e154fbe14113ff990f13347f85a7c93dd3e0
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1491
Message-Id: <20260216212805.7808-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35682.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 19 Feb 2026 11:09:48 +0000 (12:09 +0100)]
DCO Linux: Fix setting DCO ifmode failing on big endian archs
The problem is that SITNL_ADDATTR is not forcing type safety and on
big endian architectures passing a smaller size than the underlying
integer type of data causes only the more significant byte(s) to be passed
instead.
A proper fix would be to add specific methods for common integer types like
SITNL_ADDATTR_u8, SITNL_ADDATTR_u16, SITNL_ADDATTR_u32 like netlink library
does with NLA_PUT_U32, NLA_PUT_U16, NLA_PUT_U8.
Change-Id: I560f45fb0011180be8ca2b0e7fbc63030fa10f35
Github: closes OpenVPN/ovpn-dco#96
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1547
Message-Id: <20260219110954.21471-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35752.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
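The big-endian truncation bug from the DCO Linux commit above and the typed-helper fix it proposes, as an added example that is not OpenVPN's sitnl code or libnl: generic_addattr, addattr_u8, struct attr_payload and the first_byte_* helpers are names chosen here for illustration, and only the attribute value bytes are modelled, not the nlattr header. A generic "copy len bytes from this pointer" helper fed a uint32_t with len = 1 copies whichever byte comes first in memory: the least significant byte on little-endian hosts, the most significant byte on big-endian ones. A helper typed by width narrows the value explicitly and produces the same payload on both. The test reproduces the big-endian outcome on any host by handing the generic helper an explicit big-endian byte image.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example: attribute payload, value bytes only. */
struct attr_payload
{
    unsigned char bytes[8];
    size_t len;
};

/* Untyped form: copies 'len' bytes from 'data' regardless of the real width
 * of the object behind the pointer. This is the SITNL_ADDATTR-style pitfall. */
static void
generic_addattr(struct attr_payload *out, const void *data, size_t len)
{
    if (len > sizeof(out->bytes))
    {
        len = sizeof(out->bytes);
    }
    memcpy(out->bytes, data, len);
    out->len = len;
}

/* Typed form, the fix the commit suggests (NLA_PUT_U8 style): the width is
 * fixed by the parameter type, so the caller must narrow explicitly and the
 * byte that reaches the kernel is the same on every host. u16/u32 variants
 * would follow the same pattern. */
static void
addattr_u8(struct attr_payload *out, uint8_t v)
{
    generic_addattr(out, &v, sizeof(v));
}

/* The buggy call applied to an explicit 4-byte memory image of a uint32_t,
 * so a test can feed a big-endian layout on a little-endian machine. */
static unsigned char
first_byte_generic_from_layout(const unsigned char host_bytes[4])
{
    struct attr_payload p;
    generic_addattr(&p, host_bytes, 1);   /* len 1, source is 4 bytes wide */
    return p.bytes[0];
}

/* The buggy call on a live uint32_t: result depends on host byte order. */
static unsigned char
first_byte_generic_live(uint32_t value)
{
    struct attr_payload p;
    generic_addattr(&p, &value, 1);
    return p.bytes[0];
}

/* The fixed call: explicit narrowing, endian-independent. */
static unsigned char
first_byte_typed(uint32_t value)
{
    struct attr_payload p;
    addattr_u8(&p, (uint8_t)value);
    return p.bytes[0];
}

static int
host_is_little_endian(void)
{
    uint16_t probe = 1;
    unsigned char b;
    memcpy(&b, &probe, 1);
    return b == 1;
}
```

With the value 2 (say, an interface mode selector), the big-endian image 00 00 00 02 yields a payload byte of 0x00 through the generic path, which is the "wrong ifmode" symptom the commit fixes; the typed path yields 0x02 on every host.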
Rudi Heitbaum [Wed, 18 Feb 2026 21:47:33 +0000 (22:47 +0100)]
dns: fix discards 'const' qualifier from pointer target type
Since glibc-2.43:
For ISO C23, the functions bsearch, memchr, strchr, strpbrk, strrchr,
strstr, wcschr, wcspbrk, wcsrchr, wcsstr and wmemchr that return pointers
into their input arrays now have definitions as macros that return a
pointer to a const-qualified type when the input argument is a pointer
to a const-qualified type.
fixes:
src/openvpn/dns.c: In function 'dns_server_addr_parse':
src/openvpn/dns.c:67:25: warning: initialization discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
67 | char *first_colon = strchr(addr, ':');
| ^~~~~~
src/openvpn/dns.c:68:24: warning: initialization discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
68 | char *last_colon = strrchr(addr, ':');
| ^~~~~~~
Change-Id: I262705189edfbd9aa9a32bcd712840fffa592435
Signed-off-by: Rudi Heitbaum <rudi@heitbaum.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1542
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20260218214738.27158-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35730.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 11 Feb 2026 15:06:48 +0000 (16:06 +0100)]
rework all occurrences of 'M_ERR | M_ERRNO'
M_ERR is defined as (M_FATAL | M_ERRNO), so 'msg(M_ERR | M_ERRNO, ...)'
is just the same as 'msg(M_ERR, ...)'.
The occurrences in tun.c and dco_freebsd.c are really "if this happens,
we can not go on" errors, so 'M_ERR' (= FATAL, plus log errno string)
is the correct thing to do.
The occurrences in dns.c do come with error handling and cleanup after
the msg() call, so the right thing is 'M_WARN | M_ERRNO' instead
(warning, plus log errno string).
Github: fixes OpenVPN/openvpn#939
Change-Id: I14395665f197349e374a81b56f28536ff88937a8
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1517
Message-Id: <20260211150648.113547-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35594.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 11 Feb 2026 11:33:10 +0000 (12:33 +0100)]
port-share: log incoming connections at verb 3 only
From "day 1" the message "Non-OpenVPN client protocol detected" was
logged at D_STREAM_ERRORS level (verb 1), while it is not anything
erroneous in this context (it's inside a "port share" only block).
Bump this to D_PS_PROXY (verb 3).
Github: closes OpenVPN/openvpn#976
Change-Id: Ie5c9a88050de959cfb02e5f804323a8081ddb667
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1516
Message-Id: <20260211113315.25776-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35589.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Fri, 13 Feb 2026 12:10:24 +0000 (13:10 +0100)]
start release/2.8 development cycle
this commit starts work on "master" after branching off "release/2.7"
-> version.m4 set to "2.8_git", ChangeLog emptied, Changes.rst prepared
for notable news in Release 2.8
Gert Doering [Wed, 28 Jan 2026 13:33:08 +0000 (14:33 +0100)]
OpenVPN Release 2.7_rc6
version.m4, ChangeLog, Changes.rst
Changes.rst has not received a "2.7_rc6" section - it has the
"highlevel" overview of what is new in 2.7, but for alpha/beta/rc*
releases it's better to look at git log to see what has been added/fixed.
Notable changes rc5 -> rc6 are:
- bugfix on restarting a p2mp server instance with SIGUSR1 (inadvertently
closing fd 0, causing a crash on the next restart - GH #966)
- prevent NULL pointer crash on suitable combination of --dns-updown
statements in openvpn config file (not pushable)
- prevent inappropriate management interface activity if a password is
set and --management-forget-disconnect or --management-signal are active
- more conversion warnings fixed
- Windows: interactive service - some initial unit tests added for the
most complex string conversion function (ConvertItfDnsDomains())
- remove #ifdefs around socket sendbuf/receive buf handling, assuming that
all platforms that have POSIX sockets have this.
- add mbedTLS 4 support
- fix check for failed fork() in port-share code
Gert Doering [Wed, 28 Jan 2026 11:04:19 +0000 (12:04 +0100)]
tunnel_server(): close correct inotify fd
On a full SIGUSR1 restart of a p2mp server compiled with
--enable-async-push, tunnel_server() will try to close and reopen
the "inotify" control file descriptor. For whatever reason, the
original code referenced the wrong context, always closing fd 0.
As a consequence of this, on the second SIGUSR1 restart, the server
will close() the first active socket file descriptor, and if there
are active DCO clients, the resulting event confusion will lead to
an ASSERT(!mi->halt).
Fix by closing the correct FD. Add logging.
Github: fixes OpenVPN/openvpn#966
Change-Id: Iabc117848ad7b67d240c392f1a6aa2d7531fd5bb
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1497
Message-Id: <20260128110425.24350-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35478.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Wed, 28 Jan 2026 11:04:37 +0000 (12:04 +0100)]
Prevent NULL pointer dereference with --dns-updown
If the dns-updown option appears in the config twice, there is a chance
of a NULL pointer dereference when comparing the script path to the
default script path. This happens when a custom script is set, after the
dns-updown script was disabled first. In that case the script path is
NULL, which leads to the deref during a strcmp(3).
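The failure described above is an ordering problem in option parsing: an earlier "dns-updown disable" leaves the script path NULL, and a later custom path makes the code compare that NULL with the default path via strcmp(3). The following is an added example, not OpenVPN's dns.c: a constructed dns_cfg model with a hypothetical dns_updown_set() that applies repeated option lines in order, and a dns_updown_is_default() that performs the NULL guard before strcmp(). The DEFAULT_DNS_UPDOWN path and the "disable"/"force" keywords are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed placeholder for the built-in script path; not OpenVPN's real default. */
#define DEFAULT_DNS_UPDOWN "/usr/libexec/openvpn/dns-updown"

struct dns_cfg
{
    char *updown_script;   /* NULL after "dns-updown disable" */
    int updown_user_set;   /* 1 when a custom path was configured */
};

/* Local copy helper so the example does not rely on strdup(3) being declared. */
static char *copy_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
    {
        memcpy(p, s, n);
    }
    return p;
}

/* Is the configured script the built-in default? A disabled (NULL) script
 * is never the default. Testing for NULL first is the guard the commit
 * above adds: strcmp(3) on a NULL pointer is undefined behaviour and
 * crashes in practice. */
int dns_updown_is_default(const struct dns_cfg *cfg)
{
    if (cfg->updown_script == NULL)
    {
        return 0;
    }
    return strcmp(cfg->updown_script, DEFAULT_DNS_UPDOWN) == 0;
}

/* Apply one 'dns-updown' option line; the option may appear several times
 * and the last occurrence wins. "disable" clears the script, "force"
 * selects the default, anything else is a custom script path.
 * Returns 1 when this call replaced the default script, else 0. */
int dns_updown_set(struct dns_cfg *cfg, const char *arg)
{
    /* The sequence from the commit: "disable" first (path becomes NULL),
     * then a custom path. Inspecting the previous value must tolerate NULL. */
    int replaced_default = dns_updown_is_default(cfg);

    free(cfg->updown_script);
    cfg->updown_script = NULL;
    cfg->updown_user_set = 0;

    if (strcmp(arg, "disable") == 0)
    {
        return replaced_default;
    }
    if (strcmp(arg, "force") == 0)
    {
        cfg->updown_script = copy_string(DEFAULT_DNS_UPDOWN);
        return replaced_default;
    }
    cfg->updown_script = copy_string(arg);
    cfg->updown_user_set = 1;
    return replaced_default;
}

void dns_cfg_free(struct dns_cfg *cfg)
{
    free(cfg->updown_script);
    cfg->updown_script = NULL;
    cfg->updown_user_set = 0;
}

int main(void)
{
    struct dns_cfg cfg = { NULL, 0 };
    /* Constructed config: the disable-then-custom order that triggered the bug. */
    const char *config_lines[] = { "disable", "/etc/openvpn/custom-dns.sh", "force", "/etc/openvpn/other.sh" };

    for (size_t i = 0; i < sizeof(config_lines) / sizeof(config_lines[0]); i++)
    {
        int replaced = dns_updown_set(&cfg, config_lines[i]);
        printf("dns-updown %-28s -> script=%s default=%d replaced_default=%d\n",
               config_lines[i],
               cfg.updown_script ? cfg.updown_script : "(none)",
               dns_updown_is_default(&cfg), replaced);
    }
    dns_cfg_free(&cfg);
    return 0;
}
```

Removing the NULL check in dns_updown_is_default() reproduces the crash on the second config line, which is the case worth covering in a unit test whenever an option is allowed to appear more than once.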
manage: Do not trigger actions on management disconnect if not authenticated
If the management interface requires authentication via password
and the remote did not specify it, do not trigger actions
requested by --management-forget-disconnect and --management-signal
on disconnect.
Reported-By: Joshua Rogers <contact@joshua.hu>
Found-By: ZeroPath (https://zeropath.com)
Github: openvpn-private-issues#5
Change-Id: I575d65912ce9065a0b0868e73998b4a9aece62af
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1484
Message-Id: <20260122125707.108048-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35390.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>