4505 commits

This branch

This branch

All branches

Author	SHA1	Message	Date
Max Fillinger	cb7446c239	Unbreak Mbed TLS 4 build ... The previous Mbed TLS 4 change removed the mbedtls/version.h include from syshead.h. But this include in mbedtls_compat.h where it's needed. Also fix a warning by removing a size_t < 0 comparison. Change-Id: Ia5d330fe5c922aaa6948c1fb05c9a4947c833311 Signed-off-by: Max Fillinger <maximilian.fillinger@sentyron.com> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1538 Message-Id: <20260217171306.31229-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35701.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-02-17 19:26:34 +01:00
Arne Schwabe	6ac80e9909	Change stream_buf_read_setup_dowork parameter to struct steam_buf ... This methods only ever access sock->stream_buf so make the method simpler by just having a parameter sb. Change-Id: I3deb7cd75db3cb280fa8d9c637cd3bde3881d6e3 Signed-off-by: Arne Schwabe <arne-openvpn@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1483 Message-Id: <20260211150747.113906-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35595.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-02-16 17:23:56 +01:00
Frank Lichtenheld	74e88cf066	crypto_backend: Improve signature of md_full to avoid conversions ... Change-Id: I201abb9ef013c061fb568823098edcca32cb2df3 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1512 Message-Id: <20260216150711.16130-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35657.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-02-16 16:31:08 +01:00
Max Fillinger	880bd69254	Mbed TLS 3: Remove prediction resistance option ... The option --use-prediction-resistance causes the random number generator to be reseeded for every call. This is excessive. This commit removes that option. Github: closes OpenVPN/openvpn#964 Change-Id: I6298795f140c2c62252638f9e0cd6df19cb3d7ed Signed-off-by: Max Fillinger <maximilian.fillinger@sentyron.com> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1530 Message-Id: <20260216151033.16585-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35658.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-02-16 16:20:55 +01:00
Frank Lichtenheld	70ab9347f8	Remove NTLM support ... Since Microsoft has abandonded this I think it is time for us to do the same for OpenVPN 2.8. Leaves a stub ntlm_support in to make cross-branch t_client.rc easier to maintain. Change-Id: I1f5724476862935284f620c54afa510eea03e3f9 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1453 Message-Id: <20260216145205.14958-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35650.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-02-16 16:14:13 +01:00
Gert Doering	f349b0a614	rework all occurrences of 'M_ERR | M_ERRNO' ... M_ERR is defined as (M_FATAL | M_ERRNO), so 'msg(M_ERR | M_ERRNO, ...)' is just the same as 'msg(M_ERR, ...)'. The occurances in tun.c and dco_freebsd.c are really "if this happens, we can not go on" errors, so 'M_ERR' (= FATAL, plus log errno string) is the correct thing to do. The occurances in dns.c do come with error handling and cleanup after the msg() call, so the right thing is 'M_WARN | M_ERRNO' instead (warning, plus log errno string). Github: fixes OpenVPN/openvpn#939 Change-Id: I14395665f197349e374a81b56f28536ff88937a8 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1517 Message-Id: <20260211150648.113547-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35594.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-02-16 15:52:26 +01:00
Frank Lichtenheld	344f13fcdf	clang-format: Add missing InsertBraces: true ... This takes care to add missing braces in case of one-line if-statements or loops. Apparently we never tested this specific error and we had no existing cases in the code when we did the reformat. Noticed this during a code review. Change-Id: Idb1e96a4d0a618089db4290c5980d192985b5d29 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1529 Message-Id: <20260216123026.3310-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35635.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-02-16 15:29:54 +01:00
Gert Doering	6f9ab9647c	port-share: log incoming connections at verb 3 only ... From "day 1" the message "Non-OpenVPN client protocol detected" was logged at D_STREAM_ERRORS level (verb 1), while it is not anything erroneous in this context (it's inside an "port share" only block). Bump this to D_PS_PROXY (verb 3). Github: closes OpenVPN/openvpn#976 Change-Id: Ie5c9a88050de959cfb02e5f804323a8081ddb667 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1516 Message-Id: <20260211113315.25776-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35589.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-02-13 23:03:10 +01:00
Gert Doering	0f4e9de2ad	start release/2.8 development cycle ... this commit starts work on "master" after branching off "release/2.7" -> version.m4 set to "2.8_git", ChangeLog emptied, Changes.rst prepared for notable news in Release 2.8 Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-02-13 13:11:33 +01:00
Gert Doering	ee1577744f	OpenVPN Release 2.7.0 ... version.m4, ChangeLog, Changes.rst Only very minor differences to the last release candidate, 2.7_rc6. Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-02-11 11:48:21 +01:00
Frank Lichtenheld	5836ccdff4	Review Changes.rst for 2.7.0 release ... Fixes various issues, either errors or things that got outdated during development. Change-Id: Idd079f42fac1189c08c6cf42ea84fa8c0383e1a8 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1515 Message-Id: <20260210162038.7915-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35574.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-02-10 18:40:20 +01:00
Frank Lichtenheld	44a5b33021	Update the clang-format reference version to 21.1.8 ... Latest v21.x version. Changes a few file in Windows specific code due to bug fixes. Change-Id: Iaf0d8f528211f1971f163a8006b054efb4917e2a Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1514 Message-Id: <20260210151639.913-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35563.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-02-10 16:29:04 +01:00
Frank Lichtenheld	f6004dc45e	crypto: Do not claim we will remove support for BF-CBC in 2.7 ... Change-Id: Ie35099b114c510e55292090c34b9d950b1f03947 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1511 Message-Id: <20260210152035.1273-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35565.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-02-10 16:27:50 +01:00
Max Fillinger	2183eb5d54	Mbed TLS 4: Add more algorithms ... Expand the tables of hash functions and elliptic curve groups, and also check if they are compiled in. Change-Id: I740991f22b728fe2f5a48bc18d5ca4b62f56f399 Signed-off-by: Max Fillinger <maximilian.fillinger@sentyron.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1500 Message-Id: <20260130071137.14398-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35507.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-02-10 12:06:45 +01:00
Gert Doering	706fcc7d1a	OpenVPN Release 2.7_rc6 ... version.m4, ChangeLog, Changes.rst Changes.rst has not received an "2.7_rc6" section - it has the "highlevel" overview of what is new in 2.7, but for alpha/beta/rc* releases it's better to look at git log to see what has been added/fixed. Notable changes rc5 -> rc6 are: - bugfix on restarting a p2mp server instance with SIGUSR1 (inadvertedly closing fd 0, causing a crash on the next restart - GH #966) - prevent NULL pointer crash on suitable combination of --dns-updown statements in openvpn config file (not pushable) - prevent inappropriate management interface activity if a password is set and --management-forget-disconnect or --management-signal are active - more conversion warnings fixed - Windows: interactive service - some initial unit tests added for the most complex string conversion function (ConvertItfDnsDomains()) - remove #ifdefs around socket sendbuf/receive buf handling, assuming that all platforms that have POSIX sockets have this. - add mbedTLS 4 support - fix check for failed fork() in port-share code Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-28 15:04:31 +01:00
Gert Doering	5521872f80	tunnel_server(): close correct inotify fd ... On a full SIGUSR1 restart of a p2mp server compiled with --enable-async-push, tunnel_server() will try to close and reopen the "inotify" control file descriptor. For whatever reason, the original code referenced the wrong context, always closing fd 0. As a consequence of this, on the second SIGUSR1 restart, the server will close() the first active socket file descriptor, and if there are active DCO clients, the resulting event confusion will lead to an ASSERT(!mi->halt). Fix by closing the correct FD. Add logging. Github: fixes OpenVPN/openvpn#966 Change-Id: Iabc117848ad7b67d240c392f1a6aa2d7531fd5bb Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1497 Message-Id: <20260128110425.24350-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35478.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-28 14:19:40 +01:00
Heiko Hund	62a17417de	Prevent NULL pointer dereference with --dns-updown ... If the dns-updown option appears in the config twice, there is a chance of a NULL pointer dereference when comparing the script path to the default script path. This happens when a custom script is set, after the dns-updown script was disabled first. In that case the script path is NULL, which leads to the deref during a strcmp(3). Reported-by: <aarnav@srlabs.de> Change-Id: Id530d890ba01cffb74d3dc04ad10b153f7bea1d4 Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1498 Message-Id: <20260128110443.24410-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35479.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-28 14:16:42 +01:00
Frank Lichtenheld	4bf05d487c	manage: Do not trigger actions on management disconnect if not authenticated ... If the management interface requires authentication via password and the remote did not specify it, do not do trigger actions requested by --management-forget-disconnect and --management-signal on disconnect. Reported-By: Joshua Rogers <contact@joshua.hu> Found-By: ZeroPath (https://zeropath.com) Github: openvpn-private-issues#5 Change-Id: I575d65912ce9065a0b0868e73998b4a9aece62af Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1484 Message-Id: <20260122125707.108048-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35390.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-27 15:19:07 +01:00
Frank Lichtenheld	e1e3b9aed1	status: Avoid conversion warnings in status_read/status_printf ... Just use explicit casts. len is limited by BCAP and c is limited by being from buf_read_u8. So they are safe. In case of status_printf this is only for Windows. len is limited by sizeof(buf), so also a safe cast. Change-Id: Iff1343a2f8cc7e32b8f36b359a00248e4dc3e8c9 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1485 Message-Id: <20260122154751.155227-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35398.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-26 17:31:49 +01:00
Frank Lichtenheld	447d04fe50	GHA: Run openvpnserv UT for MinGW builds ... Should have been added in commit b10ee38ccd. Note that test_openvpnserv.exe lives in a separate directory, so we need to make the code a bit more flexible. Change-Id: If61a91b4580864fd22162c94467ba3dda2045b7b Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1487 Message-Id: <20260126151122.588-1-gert@greenie.muc.de> Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-26 16:37:10 +01:00
Frank Lichtenheld	83f9c55efb	test_openvpnserv: Make sure to include config.h ... Otherwise the check for cmocka version doesn't work. Includes the update to vcpkg in GHA since that exposed the problem. chore(deps): update vcpkg digest to 6d332a0 Change-Id: I3b246bcc36ba35c2ed9630dc18e97aff436eaa0b Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1488 Message-Id: <20260126145558.31460-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35437.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-26 16:32:26 +01:00
Frank Lichtenheld	57e701129e	socket: Remove ifdef for SO_{RCV, SND}BUF ... Seems all our platforms define it. Reported-by: Marc Heuse <marc@srlabs.de> Github: Fixes OpenVPN/openvpn#965 Change-Id: I87679949bdef6319d7490d561f0136633244c2b9 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1486 Message-Id: <20260126145432.31249-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35435.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-26 16:29:20 +01:00
Frank Lichtenheld	22a7010f5b	route: Fix conversion warnings on BSDs ... Mostly just use better types. And in some places remove overloading of variables with nicer C11 code. Change-Id: Idbb5c0fff759a2e645a8b4f62266509e32e3a44e Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1481 Message-Id: <20260122133050.117000-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35394.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-25 18:37:34 +01:00
Frank Lichtenheld	c7fbd8a302	GHA: Update mbedtls to v4 ... Also switch from Make to CMake for building it because the former is not supported anymore. Change-Id: I658b1b24da304938225a8f834d7484671a63360f Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Yuriy Darnobyt <yura.uddr@gmail.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1474 Message-Id: <20260124181814.30331-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35421.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-24 23:10:44 +01:00
Max Fillinger	494fb71804	Add support for Mbed TLS 4 ... This commit adds support for Mbed TLS 4. This version comes with some drastic changes. The crypto library has been completely redesigned, so the contents of crypto_mbedtls.c are moved to crypto_mbedtls_legacy.c and crypto_mbedtls.c handles the crypto for version 4. Mbed TLS 4 also removed the feature for looking up a crypto algorithm by name, so we need to translate algorithm names to Mbed TLS numbers in OpenVPN. The tables are not yet complete. For symmetric algorithms, I have added AES and Chacha-Poly which should be enough for most use cases. Change-Id: Ib251d546d993b96ed3bd8cb9111bcc627cdb0fae Signed-off-by: Max Fillinger <maximilian.fillinger@sentyron.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1441 Message-Id: <20260123164746.7333-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35401.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-24 18:49:44 +01:00
Frank Lichtenheld	b10ee38ccd	openvpnserv: Add a first unit test ... This adds the required build infrastructure and adds tests for two functions related to GetItfDnsDomains(). Change-Id: I33583e51e1143c53fbe0aef16546fa3f602b17c0 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1459 Message-Id: <20260119215058.27888-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35345.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-24 18:23:05 +01:00
Frank Lichtenheld	cd533c483a	openvpnserv: Factor out the string conversion from GetItfDnsDomains ... Mostly so that we can actually test it. Since that code does some in-place conversions a test would be good. Change-Id: Ib517457015b754d59aeb70827c4795aa6154728c Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Heiko Hund <heiko@openvpn.net> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1458 Message-Id: <20260119214927.27766-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35343.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-24 17:27:38 +01:00
Frank Lichtenheld	fdfe0abeef	openvpnserv: Fix conversion warnings in interactive.c ... Mostly DWORD vs. size_t conversions where we have no choice but to cast. Change-Id: I864cd4a718886f437b72e93d0286f90fcb73592b Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Heiko Hund <heiko@openvpn.net> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1457 Message-Id: <20260120155547.116088-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35356.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-24 16:54:01 +01:00
Arne Schwabe	1fe958183f	Silence compiler truncation warning by checking snprintf return value ... On the more recent mingw compilers (homebrew mingw 13.0.0, GCC 15.2.0) the compiler complains about a potential truncation in these two places. src/openvpn/tun.c:3806:57: error: '%s' directive output may be truncated writing up to 255 bytes into a region of size 178 [-Werror=format-truncation=] This not very helpful but checking the snprintf return value will make the compiler not warn about this. Change-Id: I54b11a5540fb236580a3b80c6d1e8678b24bd852 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1272 Message-Id: <20260121121830.27244-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35367.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-24 16:47:48 +01:00
Frank Lichtenheld	1a31efb495	port-share: Check return value of fork() ... While here, do some small C11 code cleanup. Reported-By: Joshua Rogers <contact@joshua.hu> Found-By: ZeroPath (https://zeropath.com) Github: openvpn-private-issues#12 Change-Id: I5eac1b31ae40eb957e2c12ca6c37b491fef32847 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1470 Message-Id: <20260119171216.6100-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35337.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-24 14:36:34 +01:00
Frank Lichtenheld	b28321edfe	ssl_ncp: Avoid conversion warning in replace_default_in_ncp_ciphers_option ... Change-Id: I380e842b7429060d13bc0264e55fa5c06ab427df Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1452 Message-Id: <20260122125829.108470-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35391.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-24 14:33:22 +01:00
Frank Lichtenheld	2cc00e80bc	socket: Avoid conversion warning in get_addr_generic ... We already check earlier that bits is smaller that max_bits, so the cast is safe. While reviewing the callers, remove some unused variables. Change-Id: I5ad13bc6674b3403251cc552d1f2c0f057431817 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1475 Message-Id: <20260119122556.15225-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35324.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-19 18:07:50 +01:00
Frank Lichtenheld	de3ef0dc65	ssl_verify_openssl: Avoid conversion warning in x509_verify_cert_ku ... Just use the correct types. v2: - Change type of expected_len argument to size_t Change-Id: Ia6c3f0395bd6cd67064fe77420d9df2b66763049 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1445 Message-Id: <20260119122058.14865-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35322.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-19 18:05:08 +01:00
Frank Lichtenheld	2ece9a5df5	cryptoapi: Avoid conversion warnings ... Due to the differences in the types of APIs between xkey provider and Windows cryptoapi we can't avoid the casts. And they should be safe generally since the involved sizes should be small compared to the maximum values. So just add asserts and explicit cast to avoid the warnings. Change-Id: I789022af7c4977c4dff4f7671f491fe5836828fa Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Selva Nair <selva.nair@gmail.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1464 Message-Id: <20260116135729.40545-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35304.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-19 12:38:50 +01:00
Frank Lichtenheld	07fc73025b	crypto_openssl: Fix various conversion warnings ... EVP_CIPHER_CTX_flags is documented to output int in OpenSSL, but is actually unsigned long in OpenSSL 3. In libressl it is correctly documented to output unsigned long. Change-Id: I99bc4692526f9143a913e29b266a1816295dfd51 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1446 Message-Id: <20260116172010.25278-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35311.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-17 17:24:21 +01:00
Gert Doering	957f0713ea	OpenVPN Release 2.7_rc5 ... version.m4, ChangeLog, Changes.rst Changes.rst has not received an "2.7_rc5" section - it has the "highlevel" overview of what is new in 2.7, but for alpha/beta/rc* releases it's better to look at git log to see what has been added/fixed. Notable changes rc4 -> rc5 are: - CVE 2025-15497 in epoch key handling (an authenticated remote system can send a valid OpenVPN data packet that triggers an edge case where a too-strict check would trigger an ASSERT(), exiting OpenVPN) - remove "resolve --remote on incoming TCP connects on --tcp-server" code base, because that did not work in a long time (since 2.4) and is seen as too obscure and too complicated to rescue. - repair interaction between DCO and persist-tun after reconnection (in this case the client side would fail to set up the DCO event handler, and not notice further --ping timeouts - GH: #947) - remove ENABLE_X509ALTUSERNAME conditional, always enabling "configure --enable-x509-alt-username". Effectively no change in code size, and one less build variant to maintain and test (GH: #917). - require "script-security 2" when using --dev unix:<program> - socks client: fix and improve various code parts - configure etc: drop support for systemd 216 and older, adapt other checks to reflect modern systemd setups - fix unit test building with libcmocka 2.0+ - fix Android build warnings about unused variables/methods - allow --test-crypto to run without --secret (prepare for removal of --secret after 2.7) - improve WolfSSL build compatibility Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-15 12:54:15 +01:00
Arne Schwabe	e0e0720ac3	Correctly handle sender jumping exactly epoch_data_keys_future_count ... When the sender jumps forwards exactly epoch_data_keys_future_count in its epoch key use the housekeeping logic does not handle this correctly and triggers an ASSERT. Change the code to correctly implement the special case when the new epoch key of the sender is the highest valid key epoch in the current window of valid epoch keys for receiving data. Change-Id: Ib581c02a29b974184256a9f4ad0ce15ba5f9db3b Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-By: Max Fillinger <maximilian.fillinger@sentyron.com> Reported-By: Pavel Kohout of Aisle Research <pavel.kohout@aisle.com> Github: closes OpenVPN/openvpn-private-issues#103 CVE: 2025-15497	2026-01-15 11:10:56 +01:00
Frank Lichtenheld	8c3671dbd5	forward: Avoid conversion warning in ipv6_send_icmp_unreachable ... Since all values are limited by MAX_ICMPV6LEN we can just cast to uint16_t. While here remove a unused gc arena in neighbouring code. Change-Id: I701f9e0a96a7b43f278f8e6089e9156feab772c8 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1472 Message-Id: <20260115091124.23360-1-gert@greenie.muc.de> URL: https://sourceforge.net/p/openvpn/mailman/message/59283657/ Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-15 11:08:19 +01:00
Frank Lichtenheld	6768ef1dab	error: Remove our implementation of static_assert ... It is C11, so it should be present in all our compilers. Change-Id: I9cb14b9f44409ec5c78044ddb216a2b4dced0f9b Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1471 Message-Id: <20260115092552.25011-1-gert@greenie.muc.de> URL: https://sourceforge.net/p/openvpn/mailman/message/59283672/ Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-15 11:04:50 +01:00
Frank Lichtenheld	b34dc9279d	ssl_verify: Fix parsing of timeout from auth pending file ... Make sure the value is not negative before casting it to unsigned. Change-Id: I8a5efb2ed009a702f10dc8f40c677f014547b4c8 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1451 Message-Id: <20260115093235.25635-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35275.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-15 10:36:11 +01:00
Frank Lichtenheld	b2cc5c2ec4	socks: In establish_socks_proxy_udpassoc check result of recv_socks_reply ... Not just check the return value but also that relay_addr is valid. recv_socks_reply doesn't care whether the answer is what we expected. This is probably a very unlikely edge case but it doesn't hurt to check for it here. Reported-By: Joshua Rogers <contact@joshua.hu> Found-By: ZeroPath (https://zeropath.com) Github: openvpn-private-issues#13 Change-Id: Ic1c8f24de423541bdc85e70b5a688213800d86de Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1469 Message-Id: <20260114135807.20637-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35249.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-14 19:38:28 +01:00
Frank Lichtenheld	d61d3c2a71	socket: Remove old 'dynamic remote' feature ... So apparently when using --proto tcp-server --tls-server --remote, AND the remote is not resolvable on startup then we would preserve the remote name and resolve it later on connect. Except that when the remote is not resolvable I never managed to get it to create a listening socket in the first place. Originally I looked into this code because ZeroPath claimed it was broken. I think that report was correct but I think it is much easier to declare this feature dead instead of trying to fix it. It is undocumented and if it is usable then only in very specific circumstances that are hard to figure out. Github: openvpn-private-issues#13 Change-Id: I0141945469dd11340bfb42ec37a3c5f90ed0ff52 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1468 Message-Id: <20260113121512.12057-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35232.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-14 14:30:40 +01:00
Gert Doering	52c3b435b1	Repair interaction between DCO and persist-tun after reconnection ... When --persist-tun is active, openvpn userland on Linux and FreeBSD fails to re-enable "poll for DCO events" after a reconnect (e.g. triggered by a ping timeout). The reconnect will still work fine, but the *next* DCO event notification from the kernel will not be received by OpenVPN userland, and so the system will get into an inconsistent state (Userland assumes "all is well", kernel DCO has disconnected the peer, connection is broken until the next tls-renegotion and/or manual restart, *and* the next DCO key setup might fail due to "peer id gone"). This only affects client side, --server tun is always "persistent", and there is no "full restart" (and the code path in question is also only used for client and p2p server). The root cause is an incorrect check for "is this interface up?" when calling dco_event_set() in forard.c::io_wait() - "c2.did_open_tun" is only true if the tun interface was actually configured on this reconnect, which it isn't if --persist-tun is active. Replace with a check for "do we have a tuntap structure, and if yes, do we have active DCO?" which reflects the original intent much better. The original code also had a check for "out_socket & EVENT_READ" there, which did to some extend avoid calling dco_event_set() for every single UDP packet sent and received by userland - but this only worked on initial connection, and is always true on reconnect, so this condition was removed for simplicity. We should come back here... v2: - some language fixes on the commit message - do not check ->dco.open in forward.c, as this is not available if not on FreeBSD, or if compiled with --disable-dco. FreeBSD DCO does the "if (!dco || !dco->open)" check in dco_event_set() anyway, so it's not needed, and Linux DCO has "dco->nl_sock", which is also reliably set/unset, and checked by dco_event_set() already. Github: OpenVPN/openvpn#947 Change-Id: Idbd0a47ba4d297a833a350611a23f19fd9a797b5 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@mandelbit.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1473 Message-Id: <20260114112403.7046-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35239.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-14 12:29:58 +01:00
Gert Doering	faac9681cc	remove ENABLE_X509ALTUSERNAME conditional ... This is one of the #ifdef producing compile-time variants that make the code harder to read and harder to test. The extra code size due to turning it on is marginal. The mbedTLS backend does not (yet) support it. To cope with that, add a minimum function x509_username_field_ext_supported() that always returns "false", and omit the --x509-username-field from the help text if ENABLE_CRYPTO_MBEDTLS. Implement this on another day. Github: closes OpenVPN/openvpn#917 Change-Id: I3f661cf305c52652e430b8d219df5186dd8ea4f7 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1442 Message-Id: <20260114110452.4976-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35237.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-14 12:13:47 +01:00
Arne Schwabe	4a15d4e51d	Require script-security 2 when using unix: tun ... Since this executes an executable from an arbitrary path, it should follow the same rules as other scripts/executable. Reported-By: Petr Simecek, Pavel Kohout and Stanislav Fort from Aisle Research Change-Id: I89dcab24ba510094ce1672e382960bf15def310a Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1465 Message-Id: <20260113072750.16015-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35223.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-13 09:19:48 +01:00
Frank Lichtenheld	d104917e34	socks: Fix wrong success check in socks_username_password_auth ... Due to wrong boolean operator the function did not correctly detect when the authentication failed. Reported-By: Joshua Rogers <contact@joshua.hu> Found-By: ZeroPath (https://zeropath.com) Github: openvpn-private-issues#4 Change-Id: I13b411fb3e8b913ae049c6ca8a1cf5a2edbab0fb Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1466 Message-Id: <20260112180304.8742-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35219.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-13 08:19:45 +01:00
Frank Lichtenheld	e2d0e85606	socks: Replace magic "10" for socks header with macro ... So that it is easier to check that we indeed have reserved this prior to assuming we have. Github: openvpn-private-issues#4 Change-Id: I0aca7e7d9aa190541f11745cf72193cb6b39540a Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1467 Message-Id: <20260112171122.3994-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35214.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-12 18:59:45 +01:00
Frank Lichtenheld	50a6b663e4	configure.ac: Clean up systemd support ... - Do not try to handle very old systemd that was released over ten years ago (remove SYSTEMD_NEWER_THAN_216) - Do not require systemd.pc. I can't find any indication that we use any of the variables defined by it. (It does not define any libraries, just variables) - Remove check for sd-daemon.h. We did not use the conditional and assumed it was there already. - Allow libsystemd.pc to define cflags. Previously we ignored those. Change-Id: Ie59e03ce01575acaeaf690f582eb5cfa80eb37fc Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1463 Message-Id: <20260109163514.23051-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35203.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-09 18:19:26 +01:00
Frank Lichtenheld	20f8127bcd	Fix building test_tls_crypt with cmocka 2.0 ... This was missed in commit 6db186e0b1 since we only built with cmocka 2.0 on macOS and that doesn't build test_tls_crypt. Now that we build with cmocka 2.0 also on Debian Sid we noticed the additional issues. Change-Id: Ibc964c13724316ca96276ba6b7d34dbbfcf52064 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1460 Message-Id: <20260108154248.21706-1-gert@greenie.muc.de> Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-08 16:50:36 +01:00
Frank Lichtenheld	f94a3ad2ba	Update Copyright statements to 2026 ... Change-Id: I1728fcb75284ba106e5c37ef53f6e568b64fb647 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1456 Message-Id: <20260108074915.9417-1-gert@greenie.muc.de> URL: https://sourceforge.net/p/openvpn/mailman/message/59280815/ Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-08 10:59:57 +01:00