Inlined credentials: read missing password from management interface
When commit 39619b7fab added support for inlining username only,
fallback for password was from console. This is not ideal when
graphical UI is in use as there is no console. Instead, query the
management interface when possible.
This patch just extends a similar fix when username is read from
a file and password is missing. As before, any username read
from file or inlined is not preserved as we currently have no way
of locking the username in the management interface prompt.
Change-Id: Ieeb2f980330d485739dbf3d722f107c1dbf704fc
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1599
Message-Id: <20260414055900.17132-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36608.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 287acce1acaad25a92f2112e967b9686418ef72a)
David Benjamin [Thu, 16 Apr 2026 17:41:35 +0000 (19:41 +0200)]
ssl_openssl: Fix some CRL mixups
There are two ways to load CRLs in OpenSSL. They can be loaded at the
X509_STORE, shared across verifications, or loaded per verification at
the X509_STORE_CTX.
OpenVPN currently does the former. However, it also supports CRL
reloading, and tries to reload the CRL file before each connection.
OpenSSL does not really have a good way to unload objects from an
X509_STORE. OpenVPN currently does it by grabbing the
STACK_OF(X509_OBJECT) out of the X509_STORE and manually deleting all
the CRLs from it.
This mutates an OpenSSL internal object which bumps into problems if
OpenSSL ever switches to a more efficient representation. See
https://github.com/openssl/openssl/pull/28599
(It's also not thread-safe, though it doesn't look like that impacts
OpenVPN? Actually even reading that list doesn't work. See
CVE-2024-0397. This OpenSSL API was simply broken.)
Additionally, this seems to cause two OpenVPN features to not work
together. I gather backend_tls_ctx_reload_crl is trying to clear the
CRLs loaded from last time it ran. But tls_ctx_load_ca with a ca_file
can also load CRLs. tls_ctx_load_ca with ca_path will also pick up CRLs
and backend_tls_ctx_reload_crl actually ends up clobbering some state
X509_LOOKUP_hash_dir internally maintains on the X509_STORE. Likewise,
tls_verify_crl_missing can get confused between
backend_tls_ctx_reload_crl's crl_file-based CRLs and CRLs from
tls_ctx_load_ca.
Avoid all this by tracking the two CRLs separately. crl_file-based CRLs
now go onto a STACK_OF(X509_CRL) tracked on the tls_root_ctx. Now this
field can be freely reloaded by OpenVPN without reconfiguring OpenSSL.
Instead, pass the current value into OpenSSL at verification time. To
do so, we need to use the SSL_CTX_set_cert_verify_callback, which allows
swapping out the X509_verify_cert call, and also tweaking the
X509_STORE_CTX configuration before starting certificate verification.
Context: SSL_CTX_set_cert_verify_callback and the existing
verify_callback are not the same. SSL_CTX_set_cert_verify_callback wraps
the verification while verify_callback is called multiple times
throughout verification. It's too late to reconfigure X509_STORE_CTX in
verify_callback. verify_callback is usually not what you want.
Sometimes current_cert and error_depth don't quite line up, and
cert_hash_remember may end up called multiple times for a single
certificate.
I suspect some of the other verify_callback logic would also be better
done in the new callback, but I've left it alone to keep this change
minimal. verify_callback is really only usable for suppressing errors.
Application bookkeeping is better done elsewhere.
Add .clang-format section for STACK_OF since we otherwise format the
line as STACK_OF(X509_CRL) * crls
Github: see also openssl/openssl#28599
Signed-off-by: David Benjamin <davidben@google.com>
Change-Id: I31ac2a763209114267c35c4a9182a12d8d82f6fe
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Acked-by: MaxF <max@max-fillinger.net>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1289
Message-Id: <20260416174142.28918-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36641.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2befad4de1b4da3c06c5fb3537a767ac1d058eb3)
Luca Boccassi [Mon, 30 Mar 2026 18:08:54 +0000 (20:08 +0200)]
management: add base64 multi-line input for passwords
Allow management clients to send long passwords via the
usual multi-line base64 encoded protocol.
A client declares MCV 5 support and sends a 'password <type>'
line, followed by as many lines (each up to 1024 bytes) as
needed, in base64 encoded format, terminated by 'END'.
This is useful when a password is a JIT-generated use-once
token.
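An added receiver-side sketch of the multi-line password exchange described above (example code written for this page, not OpenVPN's management code): the "password <type>" and "END" framing and the 1024-byte line limit come from the commit text, while the exact tokenising, PASSWORD_MAX and the pw_* names are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MGMT_LINE_MAX 1024  /* per-line limit given in the commit message */
#define PASSWORD_MAX  4096  /* cap on the decoded password; chosen for this example */

enum pw_state { PW_EXPECT_CMD, PW_READING, PW_DONE, PW_ERROR };

/* Receiver-side state. Lines arrive one at a time, so the decoder keeps
 * partial bits between calls: a base64 quartet may straddle a line break. */
struct pw_reader {
    enum pw_state state;
    char type[32];          /* the <type> word from "password <type>" */
    uint32_t acc;           /* pending base64 bits, newest at the low end */
    int nbits;
    bool padded;            /* saw '='; no further data characters allowed */
    char password[PASSWORD_MAX + 1];
    size_t len;
};

static int b64_value(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode one line of base64 into r->password. Rejects characters outside
 * the alphabet, data after padding, and output beyond PASSWORD_MAX. */
static bool decode_line(struct pw_reader *r, const char *line, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (line[i] == '=') {
            r->padded = true;
            continue;
        }
        int v = b64_value(line[i]);
        if (v < 0 || r->padded) return false;
        r->acc = (r->acc << 6) | (uint32_t)v;
        r->nbits += 6;
        if (r->nbits >= 8) {
            r->nbits -= 8;
            if (r->len >= PASSWORD_MAX) return false;
            r->password[r->len++] = (char)((r->acc >> r->nbits) & 0xff);
        }
    }
    return true;
}

/* Feed one protocol line (newline already stripped); returns the new state. */
static enum pw_state pw_feed_line(struct pw_reader *r, const char *line)
{
    size_t n = strlen(line);
    if (r->state != PW_EXPECT_CMD && r->state != PW_READING) return r->state = PW_ERROR;
    if (n > MGMT_LINE_MAX) return r->state = PW_ERROR;  /* oversized line: reject, never buffer */
    if (r->state == PW_EXPECT_CMD) {
        /* "password <type>" opens the block (exact tokenising is an assumption). */
        if (strncmp(line, "password ", 9) != 0 || n == 9 || n - 9 >= sizeof(r->type)) {
            return r->state = PW_ERROR;
        }
        memcpy(r->type, line + 9, n - 9 + 1);
        return r->state = PW_READING;
    }
    if (strcmp(line, "END") == 0) {
        /* A single dangling base64 character can never complete a byte. */
        if (r->nbits >= 6) return r->state = PW_ERROR;
        r->password[r->len] = '\0';
        return r->state = PW_DONE;
    }
    return r->state = decode_line(r, line, n) ? PW_READING : PW_ERROR;
}

/* Drive a complete exchange from an array of lines; returns the final state. */
static enum pw_state pw_run(struct pw_reader *r, const char *const *lines, size_t count)
{
    memset(r, 0, sizeof(*r));
    for (size_t i = 0; i < count; i++) {
        if (pw_feed_line(r, lines[i]) != PW_READING) break;
    }
    return r->state;
}

int main(void)
{
    /* Constructed sample: "hello" is aGVsbG8= in base64, split mid-quartet. */
    static const char *const lines[] = { "password Auth", "aGV", "sbG8=", "END" };
    struct pw_reader r;
    if (pw_run(&r, lines, 4) == PW_DONE) {
        printf("type=%s password=%s\n", r.type, r.password);
    }
    return 0;
}
```

The decoded password is kept as bytes plus a length, so a token containing NUL or non-text bytes survives the round trip; only the line length, alphabet and total size are enforced.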
By default the first enum value is 0.
But we check whether we set the flag by doing
BOOL dnssec = (msg->flags & nrpt_dnssec) != 0;
This can't ever be true.
Found by cppcheck.
Change-Id: Iff5be978817bfc0cd4d78818e7be7b90bad71f3c
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1606
Message-Id: <20260405102209.31528-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36487.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 08a19843a184c6cb8850ac9e6bf7ce0cd4d15d37)
Arne Schwabe [Sat, 4 Apr 2026 07:23:30 +0000 (09:23 +0200)]
Use ASN1_BIT_STRING_get_bit to check for netscape certificate usage
The ASN1_BIT_STRING object has become opaque in OpenSSL 4.0. So instead
of accessing the internals, we have to use a method now to check these
attributes.
The bit counting in ASN.1 and of this method is a bit strange and
it will count bits from the left instead of the right, so the previous
mask of 0x80 for clients is now 0 and 0x40 for server is now 1.
Change-Id: I77500d435f212a4bf42ee8cfca07d0285fe694f2
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1587
Message-Id: <20260404072336.30014-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36446.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 8ce6f8d166acf02d6833b9f37fb5cd2ca903a4a5)
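An added illustration of the bit numbering the commit above refers to (example code written for this page, not OpenVPN's or OpenSSL's): bitstring_get_bit mirrors the semantics of ASN1_BIT_STRING_get_bit without depending on OpenSSL, and the NS_CERT_BIT_* names and sample nsCertType values are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Re-implementation (for this example, not OpenSSL's code) of the bit
 * numbering that ASN1_BIT_STRING_get_bit() uses: bit 0 is the most
 * significant bit of the first octet, bit 7 its least significant bit,
 * bit 8 the MSB of the second octet, and so on. A bit index beyond the
 * encoded data reads as 0. */
static bool bitstring_get_bit(const unsigned char *data, size_t len, size_t n)
{
    size_t octet = n / 8;
    if (data == NULL || octet >= len)
    {
        return false;
    }
    return (data[octet] & (0x80u >> (n % 8))) != 0;
}

/* nsCertType bit positions: the commit's old 0x80 "client" mask is bit 0
 * and the old 0x40 "server" mask is bit 1. */
#define NS_CERT_BIT_SSL_CLIENT 0
#define NS_CERT_BIT_SSL_SERVER 1

/* The pre-4.0 style check on the raw first octet, kept here only to show
 * that the two forms agree. */
static bool legacy_mask_check(const unsigned char *data, size_t len, unsigned char mask)
{
    return len > 0 && (data[0] & mask) != 0;
}

/* Returns true when the bit-index form gives the same verdict as the
 * legacy mask form for both client and server usage. */
static bool checks_agree(const unsigned char *data, size_t len)
{
    bool client_bit = bitstring_get_bit(data, len, NS_CERT_BIT_SSL_CLIENT);
    bool server_bit = bitstring_get_bit(data, len, NS_CERT_BIT_SSL_SERVER);
    return client_bit == legacy_mask_check(data, len, 0x80)
           && server_bit == legacy_mask_check(data, len, 0x40);
}

int main(void)
{
    /* Constructed nsCertType values: server-only, client-only, both. */
    const unsigned char samples[][1] = { { 0x40 }, { 0x80 }, { 0xC0 } };
    for (size_t i = 0; i < 3; i++)
    {
        printf("0x%02X: client=%d server=%d agree=%d\n", samples[i][0],
               bitstring_get_bit(samples[i], 1, NS_CERT_BIT_SSL_CLIENT),
               bitstring_get_bit(samples[i], 1, NS_CERT_BIT_SSL_SERVER),
               checks_agree(samples[i], 1));
    }
    return 0;
}
```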
Greg Cox [Mon, 30 Mar 2026 23:13:56 +0000 (23:13 +0000)]
Update --learn-address man page with ipv6 information
The `--learn-address` option is very v4-specific in its man page.
This expands the docs based on things I tripped over when bringing
up a dual-stack server.
Selva Nair [Tue, 3 Mar 2026 14:28:14 +0000 (15:28 +0100)]
Add an optional username-only flag for auth-user-pass
Specify "--auth-user-pass username-only" for openvpn to prompt
for only username, not password. Prompt via management interface
uses the usual ">PASSWORD 'Auth' " prompt with type "username"
instead of "username/password".
Internally, the password gets set as "[[BLANK]]" which is currently
used as tag for blank password.
Not compatible with --static-challenge or when username and
password are inlined or read from a file. In such cases, the user
can hard-code a dummy password in the file instead.
Change-Id: I788f76e6a70a9c20bca3367140d2741bd0551582
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1548
Message-Id: <20260303142819.6123-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35855.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit dfbf80b0a04a986fc5b5d5fef67d86ce68439b0b)
socket: restore per-connection lport override over global default
OpenVPN 2.7.x introduced a regression where --lport specified
inside a <connection> block did not override a globally defined
local port. As a result, the socket was bound to the global
default port instead of the per-connection value.
Adjust the socket local_port selection logic to honour
local_port_defined when set for the active connection profile.
This change restores the documented and previously working
behaviour from 2.6.x, where connection-level lport takes
precedence over global defaults.
Github: closes OpenVPN/openvpn#995
Change-Id: I7cf5d5ef7e2531f397ad97baf4663e3763072f6b
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1555
Message-Id: <20260316134841.28362-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36164.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7ac5f89023b2c2870a210016a862ec042f709bb7)
Haixiao Yan [Thu, 26 Mar 2026 06:20:16 +0000 (14:20 +0800)]
tests: skip test execution when cross-compiling
The auth-pam unit test Makefile.am unconditionally assigns the TESTS variable,
causing test execution to fail during cross-compilation because the target
binaries are not executable on the build host.
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Acked-By: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20260326062016.3856597-1-haixiao.yan.cn@windriver.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36288.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 690aace41a68292412da3f313389e79d4a12bfbc)
Arne Schwabe [Wed, 25 Mar 2026 12:45:26 +0000 (13:45 +0100)]
Increase default size of internal hash maps to 4 * --max-clients
The default of 256 seems quite low as with (at least) 1024 possible
entries (the --max-clients default setting) we have guaranteed
collisions. Using 4 times the number of possible entries for real
addresses should reduce collisions quite a bit while also leaving
some headroom for the virtual addresses hash where a client might
have more than one address.
A reason to keep the limit so low is the memory requirements. Each
bucket has the size of one linked-list pointer (4 bytes on 32 bit and
8 bytes on 64 bit). So 256 buckets use 1 or 2 kB while 4096 will use
16 kB or 32 kB.
When the current limit was set 20 years ago this might have been a
meaningful memory saving but today the collision probability is
more important.
Change-Id: Ia699b0dfa407ac377970bb130434298eaaec592b
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1563
Message-Id: <20260325124526.124049-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36268.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7b5ebf7c447db16953c9541fdd00c7aa56124fc5)
Arne Schwabe [Sun, 22 Mar 2026 11:12:01 +0000 (12:12 +0100)]
Do not support tls_ctx_set_cert_profile on AWS-LC
SSL_CTX_set_security_level does nothing on AWS-LC and gives a deprecated
warning on compile. It is better to give the user a warning than to
effectively silently ignore it as well.
Change-Id: I74841d3611c62d3c59fc839bc73a0c83ce025262
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1579
Message-Id: <20260322111207.8346-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36243.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 07954eea058996d753f7196859c25a0e076ef896)
Rudi Heitbaum [Mon, 23 Mar 2026 12:19:00 +0000 (13:19 +0100)]
ssl_verify_openssl: use official ASN1_STRING_ API
ASN1_STRING are now opaque types in OpenSSL 4.x — the internal data and
length fields are no longer directly accessible. Use the accessor API
instead. Accessors have been available since OpenSSL 1.1.0.
The ASN1_STRING_length accessor is already in use, but not consistently
applied. Standardise on using ASN1_STRING_length and ASN1_STRING_get0_data,
which allows for a successful build with OpenSSL 4.x.
Change-Id: I8adffc3152b5b502a820a8ae0f901717e4831f81
Signed-off-by: Rudi Heitbaum <rudi@heitbaum.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1584
Message-Id: <20260323121908.730-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36254.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit dc4a9255f12840eb96a3a150332ccd26c4c41d7f)
ssl_verify_openssl: Clean up extract_x509_extension
* Avoid sign-compare warning when comparing string lengths
* Use the nicer alias rfc822Name instead of the general ia5 from the GENERAL_NAME union.
* Use the official ASN1_STRING_length API instead of accessing the struct directly.
* C11 changes
Github: OpenVPN/openvpn#1003
Change-Id: I23cc00aee47aef007ab2e7d50b52c6de299505db
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1507
Message-Id: <20260309133236.29732-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35980.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 66060627a8cf05c8761d75985e76482d20df4f29)
Arne Schwabe [Mon, 16 Mar 2026 12:11:48 +0000 (13:11 +0100)]
Remove unnecessary OpenSSL init and cleanup commands in unit tests
After the removal of OpenSSL 1.0.2 support these instructions are
no longer needed and the main OpenVPN program also no longer calls
them in init_ssl_lib or free_ssl_lib.
Also remove them from the unit tests. This also solves a
deprecation warning on EVP_cleanup when compiling with aws-lc.
Change-Id: I228f6fd9ff18256f09d4348df1fc48853f8e7306
Signed-off-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1568
Message-Id: <20260316121148.25189-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36153.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 369c7510788d44747b75fceb61edbf30b87638f0)
systemd: Change LimitNPROC to TasksMax and increase limit
There were some complaints about valid setups
that ran into problems with LimitNPROC. This
is especially true since LimitNPROC limits
the total amount of threads running for the
same uid, so if multiple openvpn services run
under the same user, they will compete for
resources. As suggested in the systemd
documentation change this to TasksMax which
really counts the threads running in one
specific service.
Also increase the limit. When using e.g.
resolvconf for DNS configuration the limit
can be exhausted just due to the amount of
nested shell scripts.
Github: Fixes OpenVPN/openvpn#929
Change-Id: Ic877f9a9c6459c6eb97cde1099f47f0b196b8084
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1539
Message-Id: <20260313223833.3813-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36123.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c02964f0b20d860176545dbeaf54b11127e9f8a3)
Arne Schwabe [Fri, 13 Mar 2026 17:53:16 +0000 (18:53 +0100)]
Show version and double check we use the right TLS library in Github Actions
We recently discovered that the AWS-LC builds in Github Actions were
actually using OpenSSL. This will now cause an error if something like
this happens in the future again.
Change-Id: Ia929c949cceaabe21a2937ad3217052aec4b2b4c
Signed-off-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1566
Message-Id: <20260313175324.12121-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36115.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a659605d8c14be58d9b556bc82ea8660b4fe4192)
Arne Schwabe [Fri, 13 Mar 2026 15:30:01 +0000 (16:30 +0100)]
GHA: Install aws-lc under /opt/aws-lc
The previous installation inside the OpenVPN workspace directory
caused the AWS-LC installation to be deleted. And that caused OpenSSL
to be used instead of AWS-LC during the build.
This also removes the --enable-werror flag from AWS-LC because it is
currently not even close to building without warnings.
Change-Id: I090f5b201d67f51d2e42df1914a8466bcfcb6bf8
Signed-off-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1565
Message-Id: <20260313153007.31810-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36106.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 30c1c8cd61db9eb35f6c263a0ca3ec0714c88eb4)
buffer: Add checked_snprintf function and use it in the code
This reintroduces a function that converts the result
of snprintf to a boolean since the check is always the
same but annoyingly verbose. And it gets worse when you add
-Wsign-compare.
So in preparation of introducing -Wsign-compare wrap this
check in the function.
This somewhat reverts the removal of openvpn_snprintf.
But note that that was originally introduced to work
around the broken snprintf of Windows. So this is not
exactly the same. For this reason I also classified this
as a buffer function and not a compat function.
Change-Id: Ia3477b8ee7a637c15aad7f285144280595cda5d5
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1489
Message-Id: <20260304110455.15859-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35872.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 1ec71fe0c0cd3f593036197abdc9486ce3665c38)
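An added example of the kind of wrapper the commit above describes (written for this page, not OpenVPN's actual checked_snprintf): the function name is borrowed from the commit, while build_path and the sample paths are constructed for the illustration.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical counterpart of the checked_snprintf() the commit describes
 * (example code, not OpenVPN's). snprintf reports failure in two ways: a
 * negative return for an encoding error, and a return value >= size when
 * the output was truncated. Both become "false" here, so call sites get a
 * single boolean instead of repeating the two-part check. The cast to
 * size_t happens only after ret is known to be non-negative, which keeps
 * the comparison free of -Wsign-compare warnings. */
static bool checked_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int ret = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return ret >= 0 && (size_t)ret < size;
}

/* Typical use: compose a path into a fixed-size buffer. A silently truncated
 * path would name a different file than intended, so the caller must treat
 * "false" as a hard failure and not use buf. */
static bool build_path(char *buf, size_t size, const char *dir, const char *name)
{
    return checked_snprintf(buf, size, "%s/%s", dir, name);
}

int main(void)
{
    char path[16];
    /* Constructed inputs: one that fits, one that would be truncated. */
    if (build_path(path, sizeof(path), "/etc", "ovpn"))
    {
        printf("ok: %s\n", path);
    }
    if (!build_path(path, sizeof(path), "/etc/openvpn", "client.conf"))
    {
        printf("refused: path does not fit in %zu bytes\n", sizeof(path));
    }
    return 0;
}
```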
Arne Schwabe [Mon, 16 Feb 2026 16:22:31 +0000 (17:22 +0100)]
Merge stream_buf_get_next and stream_buf_set_next
The stream_buf_set_next prepares a buffer in the stream_buf
structure that will be retrieved by stream_buf_get the next
time it is used.
This temporary copy of the buffer is unnecessary as the buffer
next can also be constructed on the fly.
This also fixes a rare crash when read buffers are not initialised and
read is still signalled as the initialisation of next will now happen
whenever it is required.
This assertion happens when we do not expect a read event from the socket
and then in link_socket_read_tcp the function stream_buf_get_next can
trigger an assert on ASSERT(buf_defined(&sb->next));
To avoid this weird corner case, just always initialise the read buffer
whether or not we expect a read to occur.
This also adds documentation about the methods and field associated with
the stream_buf structure.
Reproducing this bug requires very special circumstances. To reproduce,
run a client with
openvpn --client --proto tcp --dev tap --ifconfig noexec ...
The client side must be on Linux. Other platforms do not reproduce this
bug.
Note that the client will not configure any IP or IPv6 on the interface
and will also not bring up the interface. The server must also send at least
one real data packet to the client (no keepalive ping). Just having the
interface up normally produces enough traffic.
Now forcefully reset the TCP connection. E.g. by executing on the client
sudo ss --kill dport <server port>
This will now trigger the assertion. This happens since OpenVPN waits
forever to get a write back from the poll from the tun/tap device but
this never happens since the device is not up.
As long as we do not get back the tun device for writing, we also do
not put the socket back into the EVENT_READ state. And this also means
that code to initialise the read buffer (stream_buf_set_next) is never
run.
But the reset on the TCP socket triggers the TCP socket to be available
for read, even if it is just for a read of 0 bytes to indicate the reset.
So the function link_socket_read_tcp will run into the assert.
Change-Id: Ifd3e953104a67c8bf2a225e179865e3dbd0dbfbc
Signed-off-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1477
Message-Id: <20260216162236.22304-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35673.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 5e85c3491fcf75f1a006d410d1a2a7720c2d3f09)
Max Fillinger [Mon, 2 Mar 2026 14:20:39 +0000 (15:20 +0100)]
Avoid unbounded allocations in pkcs11_mbedtls.c
The PKCS#11 provider can crash OpenVPN by making it try to allocate
2^64 bytes for a certificate. To avoid this, set a maximum size for
certificates. If the size is exceeded, don't try to allocate memory and
instead exit pkcs11_get_x509_cert with an error.
The chosen maximum size is 100.000 bytes which is twice the size of
a SLH-DSA (aka SPHINCS+) signature.
Switch libressl and mbedTLS 4 builds to Ubuntu 24.04.
Includes the following renovate changes:
- chore(deps): update dependency aws/aws-lc to v1.67.0
- chore(deps): update github actions
- chore(deps): update vcpkg digest to e5a1490
Change-Id: I4536e06b082ae17baba1490246244b5923063c93
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1540
Message-Id: <20260302152510.11918-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35813.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 44045a6041e8a907c538cda67bf716b525218e4e)
options: drop useless init_gc param for init_options()
The init_option() function is always invoked with the second
param "init_gc" set to "true".
This makes the parameter useless and it can therefore be removed
while always taking the "true" branch in the related logic.
This way we can also drop the options->gc_owned member as it
would also be always set to true.
Change-Id: I633d8cbf75ab4da85e16df44684aef60523811c5
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1536
Message-Id: <20260217135605.154129-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35695.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 92937c267b20e3e1ffd4e0e80d8048a57da7edb6)
Gert Doering [Fri, 27 Feb 2026 22:47:39 +0000 (23:47 +0100)]
dco_freebsd: use AF_LOCAL sockets for ioctl() communication with DCO driver
DCO FreeBSD uses ioctl() calls for userland -> driver communication, on
a socket() file descriptor. The original code uses AF_INET sockets,
which fails if using a kernel compiled without IPv4 support.
The kernel side ioctl() handling does not differentiate between AF_INET,
AF_INET6 and AF_LOCAL sockets, and only the latter are guaranteed to be
present.
While at it, add a clear message if the socket() call in dco_available()
fails (it will lead to disabling of DCO).
FreeBSD PR: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=286263
Reported-by: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
Change-Id: I84fe7a11391eafde3660d25a3c99094a0c525f3d
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1551
Message-Id: <20260227224745.3175-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35795.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 5f19355d15da17cbc70624f833171f162adc4ea4)
Selva Nair [Tue, 24 Feb 2026 21:30:30 +0000 (22:30 +0100)]
Fixup version command on management interface
All commands to the management interface are supposed to be
responded with either a one-line "SUCCESS:/ERROR:" message
or a multi-line reply terminated by "END". But, currently we
silently accept the "version n" command with no response. This
causes clients like OpenVPN-GUI to lock up if the version command is
used, waiting forever for a reply.
Fix this by adding a SUCCESS response if client version
is set to a value >= 4. As the highest client version in use
until now is 3, this should not affect any work-arounds in
existing clients. ERROR response is generated if the version
parameter is null which never happens in practice.
Change-Id: I76dc80a9d9b29e401b7bbd59e0c46baf751d2e4a
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1528
Message-Id: <20260224213036.31845-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35782.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit adc0febaeac0d83246dbd2cc77b2a5d80e41741e)
Gert Doering [Fri, 20 Feb 2026 10:20:58 +0000 (11:20 +0100)]
configure.ac: adjust to native inotify support for FreeBSD 15+
FreeBSD 15 has native inotify support, and no "libinotify.pc" pkg config
file anymore, plus no extra includes are needed. This works fine if we
conditionalize the FreeBSD check to "freebsd-1[0-4]".
Due to m4 involvement double braces are needed for quoting.
See https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293176
Reported-by: Ivo Karabojkov <karabojkov@kit.bg>
Reported-by: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
Change-Id: Ie3f209a641c2f56494dfc7720b13f2a2ba3001a8
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1535
Message-Id: <20260220102106.32024-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35761.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 38243844f225517fa1d288517db9a34a33c5ad13)
Arne Schwabe [Thu, 19 Feb 2026 11:09:48 +0000 (12:09 +0100)]
DCO Linux: Fix setting DCO ifmode failing on big endian archs
The problem is that SITNL_ADDATTR is not forcing type safety and on
big endian architectures passing a smaller size than the underlying
integer type of data causes only the more significant byte(s) to be passed
instead.
A proper fix would be to add specific methods for common integer types like
SITNL_ADDATTR_u8, SITNL_ADDATTR_u16, SITNL_ADDATTR_u32 like netlink library
does with NLA_PUT_U32, NLA_PUT_U16, NLA_PUT_U8.
Change-Id: I560f45fb0011180be8ca2b0e7fbc63030fa10f35
Github: closes OpenVPN/ovpn-dco#96
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1547
Message-Id: <20260219110954.21471-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35752.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b3e0e8696b162794beefc22aad7406b328471cf6)
Rudi Heitbaum [Wed, 18 Feb 2026 21:44:31 +0000 (22:44 +0100)]
ntlm: fix discards 'const' qualifier from pointer target type
Since glibc-2.43:
For ISO C23, the functions bsearch, memchr, strchr, strpbrk, strrchr,
strstr, wcschr, wcspbrk, wcsrchr, wcsstr and wmemchr that return pointers
into their input arrays now have definitions as macros that return a
pointer to a const-qualified type when the input argument is a pointer
to a const-qualified type.
fixes:
src/openvpn/ntlm.c: In function 'ntlm_phase_3':
src/openvpn/ntlm.c:241:15: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
241 | separator = strchr(p->up.username, '\\');
| ^
Change-Id: I2703f15144661f9cadfc8750884db270f3a5bfc6
Signed-off-by: Rudi Heitbaum <rudi@heitbaum.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1546
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20260218214437.26912-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35723.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b5087dcf3fe3d4aa226dd3e727991bfe8a3a5efb)
Rudi Heitbaum [Wed, 18 Feb 2026 21:47:33 +0000 (22:47 +0100)]
dns: fix discards 'const' qualifier from pointer target type
Since glibc-2.43:
For ISO C23, the functions bsearch, memchr, strchr, strpbrk, strrchr,
strstr, wcschr, wcspbrk, wcsrchr, wcsstr and wmemchr that return pointers
into their input arrays now have definitions as macros that return a
pointer to a const-qualified type when the input argument is a pointer
to a const-qualified type.
fixes:
src/openvpn/dns.c: In function 'dns_server_addr_parse':
src/openvpn/dns.c:67:25: warning: initialization discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
67 | char *first_colon = strchr(addr, ':');
| ^~~~~~
src/openvpn/dns.c:68:24: warning: initialization discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
68 | char *last_colon = strrchr(addr, ':');
| ^~~~~~~
Change-Id: I262705189edfbd9aa9a32bcd712840fffa592435
Signed-off-by: Rudi Heitbaum <rudi@heitbaum.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1542
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20260218214738.27158-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35730.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0157e7fb8ae29b637537a6b98ce85217c6daf5a3)
Gert Doering [Wed, 11 Feb 2026 15:06:48 +0000 (16:06 +0100)]
rework all occurrences of 'M_ERR | M_ERRNO'
M_ERR is defined as (M_FATAL | M_ERRNO), so 'msg(M_ERR | M_ERRNO, ...)'
is just the same as 'msg(M_ERR, ...)'.
The occurrences in tun.c and dco_freebsd.c are really "if this happens,
we can not go on" errors, so 'M_ERR' (= FATAL, plus log errno string)
is the correct thing to do.
The occurrences in dns.c do come with error handling and cleanup after
the msg() call, so the right thing is 'M_WARN | M_ERRNO' instead
(warning, plus log errno string).
Github: fixes OpenVPN/openvpn#939
Change-Id: I14395665f197349e374a81b56f28536ff88937a8
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1517
Message-Id: <20260211150648.113547-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35594.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f349b0a61499d3d36e69e2aa4dbbb7692b7d1df8)
Gert Doering [Wed, 11 Feb 2026 11:33:10 +0000 (12:33 +0100)]
port-share: log incoming connections at verb 3 only
From "day 1" the message "Non-OpenVPN client protocol detected" was
logged at D_STREAM_ERRORS level (verb 1), while it is not anything
erroneous in this context (it's inside a "port share" only block).
Bump this to D_PS_PROXY (verb 3).
Github: closes OpenVPN/openvpn#976
Change-Id: Ie5c9a88050de959cfb02e5f804323a8081ddb667
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1516
Message-Id: <20260211113315.25776-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35589.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6f9ab9647cf0a3bc53e42e609437f892ce009e7a)
Gert Doering [Wed, 28 Jan 2026 13:33:08 +0000 (14:33 +0100)]
OpenVPN Release 2.7_rc6
version.m4, ChangeLog, Changes.rst
Changes.rst has not received a "2.7_rc6" section - it has the
"highlevel" overview of what is new in 2.7, but for alpha/beta/rc*
releases it's better to look at git log to see what has been added/fixed.
Notable changes rc5 -> rc6 are:
- bugfix on restarting a p2mp server instance with SIGUSR1 (inadvertently
closing fd 0, causing a crash on the next restart - GH #966)
- prevent NULL pointer crash on suitable combination of --dns-updown
statements in openvpn config file (not pushable)
- prevent inappropriate management interface activity if a password is
set and --management-forget-disconnect or --management-signal are active
- more conversion warnings fixed
- Windows: interactive service - some initial unit tests added for the
most complex string conversion function (ConvertItfDnsDomains())
- remove #ifdefs around socket sendbuf/receive buf handling, assuming that
all platforms that have POSIX sockets have this.
- add mbedTLS 4 support
- fix check for failed fork() in port-share code
Gert Doering [Wed, 28 Jan 2026 11:04:19 +0000 (12:04 +0100)]
tunnel_server(): close correct inotify fd
On a full SIGUSR1 restart of a p2mp server compiled with
--enable-async-push, tunnel_server() will try to close and reopen
the "inotify" control file descriptor. For whatever reason, the
original code referenced the wrong context, always closing fd 0.
As a consequence of this, on the second SIGUSR1 restart, the server
will close() the first active socket file descriptor, and if there
are active DCO clients, the resulting event confusion will lead to
an ASSERT(!mi->halt).
Fix by closing the correct FD. Add logging.
Github: fixes OpenVPN/openvpn#966
Change-Id: Iabc117848ad7b67d240c392f1a6aa2d7531fd5bb Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1497
Message-Id: <20260128110425.24350-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35478.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
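The bug above is an instance of a general trap: 0 is a valid file descriptor, so a context whose fd field was never set (or was taken from the wrong struct) silently reads as "fd 0 is ours" and close() will happily close whatever currently lives there. The added example below is not OpenVPN code; `struct async_ctx`, `async_ctx_init()`, `async_ctx_close()` and `run_demo()` are hypothetical names chosen to illustrate the sentinel discipline (-1 means "no descriptor") and how to check, with fcntl(F_GETFD), that exactly the intended descriptor was closed.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical per-instance context, not OpenVPN's struct. The fd field
 * must be initialised to -1: a zero-filled struct would otherwise look
 * like "descriptor 0 belongs to this context". */
struct async_ctx {
    int inotify_fd;
};

static void
async_ctx_init(struct async_ctx *c)
{
    c->inotify_fd = -1;
}

/* fcntl(F_GETFD) fails with EBADF on a closed descriptor, which makes it a
 * cheap liveness probe that does not touch the descriptor's state. */
static int
fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Close the descriptor owned by *this* context, if any, and forget it.
 * Returns 1 if a descriptor was closed, 0 if there was none to close. */
static int
async_ctx_close(struct async_ctx *c)
{
    if (c->inotify_fd < 0) {
        return 0;
    }
    close(c->inotify_fd);
    c->inotify_fd = -1;
    return 1;
}

/* Walk through the scenario on a real pipe. Returns 0 on success, or the
 * number of the first step whose outcome was not the expected one. */
static int
run_demo(void)
{
    int p[2];
    if (pipe(p) != 0) {
        return 1;
    }
    struct async_ctx ctx;
    async_ctx_init(&ctx);
    ctx.inotify_fd = p[0];              /* this context owns the read end */

    struct async_ctx other = {0};       /* zero-filled look-alike of the "wrong context" */
    if (other.inotify_fd != 0) {        /* reads as fd 0: stdin, or whatever got fd 0 last */
        return 2;
    }
    if (async_ctx_close(&ctx) != 1) {
        return 3;
    }
    if (fd_is_open(p[0])) {             /* the read end really is gone ... */
        return 4;
    }
    if (!fd_is_open(p[1])) {            /* ... and the unrelated write end is untouched */
        return 5;
    }
    if (async_ctx_close(&ctx) != 0) {   /* second close is a no-op, not a double close */
        return 6;
    }
    async_ctx_init(&other);
    if (async_ctx_close(&other) != 0) { /* an initialised but unused context never closes fd 0 */
        return 7;
    }
    close(p[1]);
    return 0;
}

int
main(void)
{
    int rc = run_demo();
    printf("demo %s (step %d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc;
}
```

The same probe is handy when hunting a bug like GH #966 in a running process: if `fd_is_open(0)` flips to false across a restart, something closed a descriptor it never owned.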
Heiko Hund [Wed, 28 Jan 2026 11:04:37 +0000 (12:04 +0100)]
Prevent NULL pointer dereference with --dns-updown
If the dns-updown option appears in the config twice, there is a chance
of a NULL pointer dereference when comparing the script path to the
default script path. This happens when a custom script is set, after the
dns-updown script was disabled first. In that case the script path is
NULL, which leads to the deref during a strcmp(3).
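The crash above is a NULL dereference in a comparison that only ever expected a non-NULL path. The added example below models the option sequence the commit describes ("dns-updown disable" followed by a custom script) with a NULL-safe comparison; it is not OpenVPN's code. `DEFAULT_DNS_UPDOWN`, `struct dns_opts`, `script_is_default()` and `apply_dns_updown()` are hypothetical names, and the default path is an assumed value, not the real one.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed default script path for the example; the real default differs
 * per platform and build. */
#define DEFAULT_DNS_UPDOWN "/usr/libexec/openvpn/dns-updown"

struct dns_opts {
    const char *updown_script;   /* NULL = disabled, nothing to run */
    int replaced_default;        /* set when a custom script replaced the default */
};

/* NULL-safe: "no script configured" is never the default script. This is
 * the comparison that must not be a bare strcmp(3) on a possibly-NULL path. */
static int
script_is_default(const char *path)
{
    return path != NULL && strcmp(path, DEFAULT_DNS_UPDOWN) == 0;
}

/* Apply one "dns-updown [disable|<path>]" occurrence, in config order.
 * arg == NULL models a bare "dns-updown" (run the default script). */
static void
apply_dns_updown(struct dns_opts *o, const char *arg)
{
    if (arg != NULL && strcmp(arg, "disable") == 0) {
        o->updown_script = NULL;
        return;
    }
    /* The currently configured path is NULL if the previous occurrence
     * was "disable"; the comparison has to tolerate that. */
    o->replaced_default = script_is_default(o->updown_script);
    o->updown_script = (arg == NULL) ? DEFAULT_DNS_UPDOWN : arg;
}

int
main(void)
{
    struct dns_opts o = { DEFAULT_DNS_UPDOWN, 0 };
    apply_dns_updown(&o, "disable");                 /* path becomes NULL */
    apply_dns_updown(&o, "/etc/openvpn/my-dns.sh");  /* used to strcmp(NULL, ...) */
    printf("script=%s replaced_default=%d\n",
           o.updown_script ? o.updown_script : "(none)", o.replaced_default);
    return 0;
}
```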
manage: Do not trigger actions on management disconnect if not authenticated
If the management interface requires authentication via password
and the remote did not specify it, do not trigger actions
requested by --management-forget-disconnect and --management-signal
on disconnect.
Reported-By: Joshua Rogers <contact@joshua.hu> Found-By: ZeroPath (https://zeropath.com)
Github: openvpn-private-issues#5
Change-Id: I575d65912ce9065a0b0868e73998b4a9aece62af Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1484
Message-Id: <20260122125707.108048-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35390.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Max Fillinger [Fri, 23 Jan 2026 16:47:39 +0000 (17:47 +0100)]
Add support for Mbed TLS 4
This commit adds support for Mbed TLS 4. This version comes with some
drastic changes. The crypto library has been completely redesigned, so
the contents of crypto_mbedtls.c are moved to crypto_mbedtls_legacy.c
and crypto_mbedtls.c handles the crypto for version 4.
Mbed TLS 4 also removed the feature for looking up a crypto algorithm by
name, so we need to translate algorithm names to Mbed TLS numbers in
OpenVPN. The tables are not yet complete. For symmetric algorithms, I
have added AES and Chacha-Poly which should be enough for most use
cases.
Change-Id: Ib251d546d993b96ed3bd8cb9111bcc627cdb0fae Signed-off-by: Max Fillinger <maximilian.fillinger@sentyron.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1441
Message-Id: <20260123164746.7333-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35401.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 21 Jan 2026 12:18:30 +0000 (13:18 +0100)]
Silence compiler truncation warning by checking snprintf return value
On the more recent mingw compilers (homebrew mingw 13.0.0, GCC 15.2.0) the
compiler complains about a potential truncation in these two places.
src/openvpn/tun.c:3806:57:
error: '%s' directive output may be truncated writing up
to 255 bytes into a region of size 178
[-Werror=format-truncation=]
This is not very helpful but checking the snprintf return value
will make the compiler not warn about this.
Change-Id: I54b11a5540fb236580a3b80c6d1e8678b24bd852 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1272
Message-Id: <20260121121830.27244-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35367.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
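The compiler warning above is about snprintf(3) silently producing a cut-off string; the return value is the length the complete output would have needed, so a value of at least the buffer size means truncation. The added example below shows the unchecked pattern next to the checked one; it is not OpenVPN's code, and `format_checked()`, `build_dev_path()` and the device-path strings are hypothetical names and constructed input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

enum fmt_status { FMT_OK = 0, FMT_TRUNCATED = 1, FMT_ERROR = -1 };

/* Hypothetical helper: vsnprintf() with the return value turned into an
 * explicit status. vsnprintf() returns the number of characters the full
 * output needs (excluding the NUL), so n >= buflen means buf holds a
 * truncated string; a negative n is a formatting error. */
static enum fmt_status
format_checked(char *buf, size_t buflen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, buflen, fmt, ap);
    va_end(ap);
    if (n < 0) {
        return FMT_ERROR;
    }
    if ((size_t)n >= buflen) {
        return FMT_TRUNCATED;
    }
    return FMT_OK;
}

/* Before: the pattern -Wformat-truncation complains about. The caller never
 * learns that "name" did not fit and goes on with a half-built path. */
static void
build_dev_path_unchecked(char *out, size_t outlen, const char *dir, const char *name)
{
    snprintf(out, outlen, "%s/%s", dir, name);
}

/* After: same formatting, but truncation is reported, so the caller can
 * refuse to use the path instead of opening the wrong device. */
static enum fmt_status
build_dev_path(char *out, size_t outlen, const char *dir, const char *name)
{
    return format_checked(out, outlen, "%s/%s", dir, name);
}

int
main(void)
{
    char small[12];   /* "/dev/net/tun0" needs 13 characters plus NUL */
    build_dev_path_unchecked(small, sizeof(small), "/dev/net", "tun0");
    printf("unchecked: \"%s\"\n", small);           /* silently "/dev/net/tu" */
    if (build_dev_path(small, sizeof(small), "/dev/net", "tun0") == FMT_TRUNCATED) {
        printf("checked: truncated, path not used\n");
    }
    return 0;
}
```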
Due to the differences in the types of APIs
between xkey provider and Windows cryptoapi
we can't avoid the casts. And they should be
safe generally since the involved sizes should
be small compared to the maximum values. So
just add asserts and explicit cast to avoid
the warnings.
EVP_CIPHER_CTX_flags is documented to output
int in OpenSSL, but is actually unsigned long
in OpenSSL 3.
In libressl it is correctly documented to output
unsigned long.
Change-Id: I99bc4692526f9143a913e29b266a1816295dfd51 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1446
Message-Id: <20260116172010.25278-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35311.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 14 Jan 2026 18:21:19 +0000 (19:21 +0100)]
OpenVPN Release 2.7_rc5
version.m4, ChangeLog, Changes.rst
Changes.rst has not received a "2.7_rc5" section - it has the
"highlevel" overview of what is new in 2.7, but for alpha/beta/rc*
releases it's better to look at git log to see what has been added/fixed.
Notable changes rc4 -> rc5 are:
- CVE-2025-15497 in epoch key handling (an authenticated remote system
can send a valid OpenVPN data packet that triggers an edge case
where a too-strict check would trigger an ASSERT(), exiting OpenVPN)
- remove "resolve --remote on incoming TCP connects on --tcp-server"
code base, because that did not work in a long time (since 2.4) and
is seen as too obscure and too complicated to rescue.
- repair interaction between DCO and persist-tun after reconnection
(in this case the client side would fail to set up the DCO event
handler, and not notice further --ping timeouts - GH: #947)
- remove ENABLE_X509ALTUSERNAME conditional, always enabling
"configure --enable-x509-alt-username". Effectively no change in
code size, and one less build variant to maintain and test (GH: #917).
- require "script-security 2" when using --dev unix:<program>
- socks client: fix and improve various code parts
- configure etc: drop support for systemd 216 and older, adapt
other checks to reflect modern systemd setups
- fix unit test building with libcmocka 2.0+
- fix Android build warnings about unused variables/methods
- allow --test-crypto to run without --secret
(prepare for removal of --secret after 2.7)
- improve WolfSSL build compatibility
When the sender jumps forwards exactly epoch_data_keys_future_count in its
epoch key use, the housekeeping logic does not handle this correctly and
triggers an ASSERT.
Change the code to correctly implement the special case when the new epoch
key of the sender is the highest valid key epoch in the current window of
valid epoch keys for receiving data.
Change-Id: Ib581c02a29b974184256a9f4ad0ce15ba5f9db3b Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-By: Max Fillinger <maximilian.fillinger@sentyron.com> Reported-By: Pavel Kohout of Aisle Research <pavel.kohout@aisle.com>
Github: closes OpenVPN/openvpn-private-issues#103
CVE: 2025-15497
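The edge case is a window boundary: the receiver keeps keys for a fixed number of future epochs, and a sender landing exactly on the highest of them is still inside the window. The added example below is a toy model of such a window with an inclusive upper bound and 16-bit wraparound; it is not OpenVPN's epoch implementation, and `struct epoch_window`, `epoch_in_window()` and `epoch_housekeeping()` are hypothetical names. It also ignores the keys a real implementation keeps for late packets from earlier epochs.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy receive window (hypothetical): keys exist for epochs current ..
 * current + future_count, inclusive, so the sender may be up to
 * future_count epochs ahead without its packets being rejected. */
struct epoch_window {
    uint16_t current;       /* epoch of the newest packet accepted so far */
    uint16_t future_count;  /* how many epochs ahead keys are kept ready */
};

/* Inclusive upper bound: a jump of exactly future_count lands on the
 * highest key in the window, which is a valid key. The subtraction wraps
 * modulo 2^16, so an epoch behind "current" shows up as a huge distance
 * and is rejected (this toy keeps no keys for earlier epochs). */
static int
epoch_in_window(const struct epoch_window *w, uint16_t epoch)
{
    uint16_t ahead = (uint16_t)(epoch - w->current);
    return ahead <= w->future_count;
}

/* Housekeeping after an authenticated packet with the given epoch arrived.
 * Returns how many new future keys must be derived to stay future_count
 * ahead of the sender (0 if it did not move), or -1 if the epoch is outside
 * the window and the packet has to be dropped rather than asserted on. */
static int
epoch_housekeeping(struct epoch_window *w, uint16_t epoch)
{
    if (!epoch_in_window(w, epoch)) {
        return -1;
    }
    int advanced = (uint16_t)(epoch - w->current);
    w->current = epoch;
    return advanced;
}

int
main(void)
{
    struct epoch_window w = { 10, 4 };
    printf("jump to 14 (exactly future_count ahead): %d keys to derive\n",
           epoch_housekeeping(&w, 14));
    printf("jump to 19 (one past the window):        %d\n",
           epoch_housekeeping(&w, 19));
    return 0;
}
```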
socks: In establish_socks_proxy_udpassoc check result of recv_socks_reply
Not just check the return value but also that relay_addr
is valid. recv_socks_reply doesn't care whether the answer
is what we expected. This is probably a very unlikely edge
case but it doesn't hurt to check for it here.
Reported-By: Joshua Rogers <contact@joshua.hu> Found-By: ZeroPath (https://zeropath.com)
Github: openvpn-private-issues#13
Change-Id: Ic1c8f24de423541bdc85e70b5a688213800d86de Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1469
Message-Id: <20260114135807.20637-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35249.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
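The point of the fix above is that a successful read of the reply does not make the relay address usable. The added example below parses a SOCKS5 UDP ASSOCIATE reply (RFC 1928: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT) and rejects an unspecified relay address or a zero port; it is not OpenVPN's socks client, and `parse_udp_assoc_reply()`, `struct relay_addr` and the sample reply bytes are hypothetical names and constructed input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of validating a SOCKS5 UDP ASSOCIATE reply. */
enum socks_result {
    SOCKS_OK = 0,
    SOCKS_SHORT,        /* fewer bytes than header plus address need */
    SOCKS_BAD_VERSION,  /* VER != 5 */
    SOCKS_REFUSED,      /* REP != 0: the proxy reported an error */
    SOCKS_BAD_ATYP,     /* address type we cannot send UDP to */
    SOCKS_BAD_RELAY     /* well-formed, but BND.ADDR/BND.PORT unusable */
};

/* Relay endpoint taken from BND.ADDR / BND.PORT. */
struct relay_addr {
    uint8_t atyp;       /* 0x01 IPv4, 0x04 IPv6 */
    uint8_t addr[16];
    size_t addr_len;
    uint16_t port;      /* host byte order */
};

/* Parse VER REP RSV ATYP BND.ADDR BND.PORT and check that the relay is
 * something a UDP datagram can actually be sent to. */
static enum socks_result
parse_udp_assoc_reply(const uint8_t *buf, size_t len, struct relay_addr *out)
{
    if (len < 4) {
        return SOCKS_SHORT;
    }
    if (buf[0] != 0x05) {
        return SOCKS_BAD_VERSION;
    }
    if (buf[1] != 0x00) {
        return SOCKS_REFUSED;
    }
    size_t alen;
    switch (buf[3]) {
        case 0x01: alen = 4;  break;
        case 0x04: alen = 16; break;
        default:   return SOCKS_BAD_ATYP;   /* 0x03 (domain name) is not a literal relay address */
    }
    if (len < 4 + alen + 2) {
        return SOCKS_SHORT;
    }
    memset(out, 0, sizeof(*out));
    out->atyp = buf[3];
    memcpy(out->addr, buf + 4, alen);
    out->addr_len = alen;
    out->port = (uint16_t)(((uint16_t)buf[4 + alen] << 8) | buf[5 + alen]);

    /* 0.0.0.0 / :: or port 0 is not a destination; treat it as invalid
     * rather than letting the caller send datagrams nowhere. */
    int unspecified = 1;
    for (size_t i = 0; i < alen; i++) {
        if (out->addr[i] != 0) {
            unspecified = 0;
            break;
        }
    }
    if (unspecified || out->port == 0) {
        return SOCKS_BAD_RELAY;
    }
    return SOCKS_OK;
}

int
main(void)
{
    /* Constructed replies: relay 192.168.1.1:8080, and an unspecified relay. */
    const uint8_t good[] = { 0x05, 0x00, 0x00, 0x01, 0xC0, 0xA8, 0x01, 0x01, 0x1F, 0x90 };
    const uint8_t zero[] = { 0x05, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x1F, 0x90 };
    struct relay_addr r;
    printf("good: %d (port %u)\n", parse_udp_assoc_reply(good, sizeof(good), &r), r.port);
    printf("zero relay: %d\n", parse_udp_assoc_reply(zero, sizeof(zero), &r));
    return 0;
}
```

Caveat: some proxies answer a UDP ASSOCIATE with 0.0.0.0 and expect the client to substitute the proxy's own address; whether to accept that is a policy decision for the caller, so this example deliberately surfaces it as SOCKS_BAD_RELAY rather than guessing.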
So apparently when using --proto tcp-server --tls-server
--remote, AND the remote is not resolvable on startup
then we would preserve the remote name and resolve it
later on connect. Except that when the remote is not
resolvable I never managed to get it to create a
listening socket in the first place.
Originally I looked into this code because ZeroPath
claimed it was broken. I think that report was
correct but I think it is much easier to declare this
feature dead instead of trying to fix it. It is
undocumented and if it is usable then only in very
specific circumstances that are hard to figure out.
Github: openvpn-private-issues#13
Change-Id: I0141945469dd11340bfb42ec37a3c5f90ed0ff52 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1468
Message-Id: <20260113121512.12057-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35232.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 14 Jan 2026 11:23:49 +0000 (12:23 +0100)]
Repair interaction between DCO and persist-tun after reconnection
When --persist-tun is active, openvpn userland on Linux and FreeBSD fails
to re-enable "poll for DCO events" after a reconnect (e.g. triggered by
a ping timeout). The reconnect will still work fine, but the *next*
DCO event notification from the kernel will not be received by OpenVPN
userland, and so the system will get into an inconsistent state (Userland
assumes "all is well", kernel DCO has disconnected the peer, connection
is broken until the next tls-renegotiation and/or manual restart, *and* the
next DCO key setup might fail due to "peer id gone").
This only affects client side, --server tun is always "persistent", and
there is no "full restart" (and the code path in question is also
only used for client and p2p server).
The root cause is an incorrect check for "is this interface up?" when
calling dco_event_set() in forward.c::io_wait() - "c2.did_open_tun" is
only true if the tun interface was actually configured on this reconnect,
which it isn't if --persist-tun is active. Replace with a check for
"do we have a tuntap structure, and if yes, do we have active DCO?"
which reflects the original intent much better.
The original code also had a check for "out_socket & EVENT_READ" there,
which did to some extent avoid calling dco_event_set() for every single
UDP packet sent and received by userland - but this only worked on initial
connection, and is always true on reconnect, so this condition was removed
for simplicity. We should come back here...
v2:
- some language fixes on the commit message
- do not check ->dco.open in forward.c, as this is not available if
not on FreeBSD, or if compiled with --disable-dco.
FreeBSD DCO does the "if (!dco || !dco->open)" check in dco_event_set()
anyway, so it's not needed, and Linux DCO has "dco->nl_sock", which is
also reliably set/unset, and checked by dco_event_set() already.
Github: OpenVPN/openvpn#947
Change-Id: Idbd0a47ba4d297a833a350611a23f19fd9a797b5 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1473
Message-Id: <20260114112403.7046-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35239.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 14 Jan 2026 11:04:47 +0000 (12:04 +0100)]
remove ENABLE_X509ALTUSERNAME conditional
This is one of the #ifdef producing compile-time variants that make the
code harder to read and harder to test. The extra code size due to
turning it on is marginal.
The mbedTLS backend does not (yet) support it. To cope with that,
add a minimum function x509_username_field_ext_supported() that always
returns "false", and omit the --x509-username-field from the help
text if ENABLE_CRYPTO_MBEDTLS. Implement this on another day.
Github: closes OpenVPN/openvpn#917
Change-Id: I3f661cf305c52652e430b8d219df5186dd8ea4f7 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1442
Message-Id: <20260114110452.4976-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35237.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 13 Jan 2026 07:27:45 +0000 (08:27 +0100)]
Require script-security 2 when using unix: tun
Since this executes an executable from an arbitrary path, it should follow
the same rules as other scripts/executables.
Reported-By: Petr Simecek, Pavel Kohout and Stanislav Fort from Aisle Research
Change-Id: I89dcab24ba510094ce1672e382960bf15def310a Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1465
Message-Id: <20260113072750.16015-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35223.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Do not try to handle very old systemd that was released
over ten years ago (remove SYSTEMD_NEWER_THAN_216)
- Do not require systemd.pc. I can't find any indication
that we use any of the variables defined by it. (It
does not define any libraries, just variables)
- Remove check for sd-daemon.h. We did not use the
conditional and assumed it was there already.
- Allow libsystemd.pc to define cflags. Previously we
ignored those.
Change-Id: Ie59e03ce01575acaeaf690f582eb5cfa80eb37fc Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1463
Message-Id: <20260109163514.23051-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35203.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Includes the following renovate changes:
- chore(deps): update dependency aws/aws-lc to v1.66.2
- Update lukka/get-cmake action to v4.2.1
- chore(deps): update github actions
- chore(deps): update vcpkg digest to eeb00f1