4602 commits

This branch

This branch

All branches

Author	SHA1	Message	Date
Frank Lichtenheld	8485518dce	GHA: Factor out building SSL libs to a reusable workflow ... We amassed a lot of code duplication there. Make it easier to track the differences between the libraries. Change-Id: I3d89016ccae297cfa596897c11a518f1ffbe3dc8 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Yuriy Darnobyt <yura.uddr@gmail.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1630 Message-Id: <20260420160732.9492-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36686.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-20 19:04:44 +02:00
Frank Lichtenheld	7f870c0753	dns: Change arguments to setenv_dns_option to avoid sign-compare warning ... The change is a bit big to fix just one compare warning, but that is due to the highly interdependent code. Change-Id: Ibfcc350c772227cfc0f2244fa2b1625dcb7e6fb5 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1558 Message-Id: <20260407094643.28090-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36531.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-19 18:19:10 +02:00
Frank Lichtenheld	22062deb5d	Remove various redundant conditionals ... These are all already proven to be true by surrounding code. Identified by cppcheck. Change-Id: Iacf06c113e8db5b7c78270f361ee76938ef1db47 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1613 Message-Id: <20260419135116.22170-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36666.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-19 17:51:47 +02:00
Frank Lichtenheld	6d54d7ca5d	tapctl: Remove unused function dont_mute ... Identified by cppcheck. Change-Id: I87c40dc94035345add1162e5029e51288811cb09 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1615 Message-Id: <20260419133947.21215-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36662.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-19 17:45:49 +02:00
Selva Nair	287acce1ac	Inlined credentials: read missing password from management interface ... When commit 39619b7fab added support for inlining username only, fallback for password was from console. This is not ideal when graphical UI is in use as there is no console. Instead, query the management interface when possible. This patch just extends a similar fix when username is read from a file and password is missing. As before, any username read from file or inlined is not peserved as we currently have no way of locking the username in the management interface prompt. Change-Id: Ieeb2f980330d485739dbf3d722f107c1dbf704fc Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1599 Message-Id: <20260414055900.17132-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36608.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-19 16:00:59 +02:00
Selva Nair	c610746a2c	verify_x509_name: Improve the error message on failure ... Print the actual string that was used for the match instead of the whole subject. Github: closes OpenVPN/openvpn#992 Change-Id: I6e7947ab81cf229f0d27714dd563a07ace6bd38a Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1624 Message-Id: <20260414055830.17032-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36606.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-19 13:40:56 +02:00
Arne Schwabe	36174520e9	GHA: Add OpenSSL 4.0 build ... Change-Id: Ic9c993cb8dcfedfd6f99f416c286e0968eb45255 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1601 Message-Id: <20260417110942.16538-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36648.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-18 20:33:13 +02:00
Arne Schwabe	353ec724f9	OpenSSL 4.0: Use X509_check_certificate_times instead of X509_cmp_time ... The X509_cmp_time function is deprecated in OpenSSL 4.0. So we avoid it and use the new API. Change-Id: I6c2eda0e5bbb3a70b404f821e25ded81f0f5ddd5 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1595 Message-Id: <20260417164644.17897-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36651.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-18 20:05:25 +02:00
David Benjamin	2befad4de1	ssl_openssl: Fix some CRL mixups ... There are two ways to load CRLs in OpenSSL. They can be loaded at the X509_STORE, shared across verifications, or loaded per verification at the X509_STORE_CTX. OpenVPN currently does the former. However, it also supports CRL reloading, and tries to reload the CRL file before each connection. OpenSSL does not really have a good way to unload objects from an X509_STORE. OpenVPN currently does it by grabbing the STACK_OF(X509_OBJECT) out of the X509_STORE and manually deleting all the CRLs from it. This mutates an OpenSSL internal object which bumps into problems if OpenSSL ever switches to a more efficient representation. See https://github.com/openssl/openssl/pull/28599 (It's also not thread-safe, though it doesn't look like that impacts OpenVPN? Actually even reading that list doesn't work. See CVE-2024-0397. This OpenSSL API was simply broken.) Additionally, this seems to cause two OpenVPN features to not work together. I gather backend_tls_ctx_reload_crl is trying to clear the CRLs loaded from last time it ran. But tls_ctx_load_ca with a ca_file can also load CRLs. tls_ctx_load_ca with ca_path will also pick up CRLs and backend_tls_ctx_reload_crl actually ends up clobbering some state X509_LOOKUP_hash_dir internally maintains on the X509_STORE. Likewise, tls_verify_crl_missing can get confused between backend_tls_ctx_reload_crl's crl_file-based CRLs and CRLs from tls_ctx_load_ca. Avoid all this by tracking the two CRLs separately. crl_file-based CRLs now go onto a STACK_OF(X509_CRL) tracked on the tls_root_ctx. Now this field can be freely reloaded by OpenVPN without reconfiguring OpenSSL. Instead, pass the current value into OpenSSL at verification time. To do so, we need to use the SSL_CTX_set_cert_verify_callback, which allows swapping out the X509_verify_cert call, and also tweaking the X509_STORE_CTX configuration before starting certificate verification. Context: SSL_CTX_set_cert_verify_callback and the existing verify_callback are not the same. SSL_CTX_set_cert_verify_callback wraps the verification while verify_callback is called multiple times throughout verification. It's too late to reconfigure X509_STORE_CTX in verify_callback. verify_callback is usually not what you want. Sometimes current_cert and error_depth don't quite line up, and cert_hash_remember may end up called multiple times for a single certificate. I suspect some of the other verify_callback logic would also be better done in the new callback, but I've left it alone to keep this change minimal. verify_callback is really only usable for suppressing errors. Application bookkeeping is better down elsewhere. Add .clang-format section for STACK_OF since we otherwise format the line as STACK_OF(X509_CRL) * crls Github: see also openssl/openssl#28599 Signed-off-by: David Benjamin <davidben@google.com> Change-Id: I31ac2a763209114267c35c4a9182a12d8d82f6fe Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Acked-by: MaxF <max@max-fillinger.net> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1289 Message-Id: <20260416174142.28918-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36641.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-17 11:30:24 +02:00
Selva Nair	25c5c42ac2	Add unit tests for 'auth-user-pass username-only' ... Input from stdin is tested. Change-Id: I1c18b3cf4a454444a61941d88a702a140b0ac23d Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1602 Message-Id: <20260414055805.16974-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36605.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-15 11:46:15 +02:00
Dorian Harmans	0188c62ac4	Add ARIA ciphersuite IANA name translations ... Signed-off-by: Dorian Harmans <me@dorianharmans.nl> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <20260414142209.584424-1-me@dorianharmans.nl> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36613.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-15 11:20:25 +02:00
Frank Lichtenheld	9a6e364661	ssl_mbedtls: Fix format string in get_ssl_library_version ... These are unsigned values, so treat them as such. Identified by cppcheck. Change-Id: I232fba91cfcca6c35d37696bc86890a366f5967f Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1626 Message-Id: <20260414055927.17252-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36607.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-14 18:41:26 +02:00
Luis Cruz	fbaf4a3837	build: Use info fetched from version.m4 ... Change-Id: I3157e1a228ac7058fca6a88f94076052e33d2e01 Signed-off-by: Luis Cruz <luis.cruz@nordsec.com> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1605 Message-Id: <20260414125637.42082-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36612.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-14 18:31:31 +02:00
Selva Nair	fd1fd077ea	Log when writing username/password to TLS buffer fails ... Currently we get an unhelpful "Key Method #2 failed" error. Add a more specific warning message. Change-Id: I9468811fd434e17645957fc12770aa2b9ed98fb8 Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1600 Message-Id: <20260414055721.16857-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36604.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-14 18:23:04 +02:00
Frank Lichtenheld	0e1899971e	Change type of max_clients to uint32_t ... peer_id is mostly this already (except in DCO context for some reason), and max_peerid was defined as uint32_t as well. So changing max_clients to uint32_t avoids many -Wsign-compare warnings. While here fix limit for max_clients in options parsing. It is not allowed to be MAX_PEER_ID exactly. Change-Id: I8d6b7bc1b7744dc6d57aaed3231b8901275752f2 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1564 Message-Id: <20260407112434.5588-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36535.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-12 17:13:28 +02:00
Frank Lichtenheld	9760928e39	networking_sitnl: Make sitnl_parse_rtattr* return void ... It returned a constant value so it didn't actually do anything. Identified by cppcheck. Change-Id: Idfe2afd9616e17f0f80a914ff054ae18f0b6972b Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Antonio Quartulli <antonio@mandelbit.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1614 Message-Id: <20260408204213.9892-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36559.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-12 17:11:06 +02:00
Arne Schwabe	ab3ba0cab7	Optimise iterating over all clients by remembering highest peer id ... This keeps track of the highest peer id that is currently allocated to avoid iterating over the empty tail of the m->instances array. Change-Id: If797f3fe178fba3f43fb12898e5484bfb38f05c3 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1557 Message-Id: <20260412125356.32261-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36577.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-12 15:47:55 +02:00
Arne Schwabe	930968086d	Remove multi_context->iter ... The multi_context->iter is basically a hash with only one bucket. This makes m->iter a linear list. Instead of maintaining this extra list use m->instances instead. This is a fixed sized continuous array, so iterating over it should be very quick. When the number of connected clients approaches max_clients, iterating over a static array should be faster than a linked list, especially when considering cache locality. Of the several places where m->iter is used only one is potentially on a critical path: the usage of m->iter in multi_bcast. However this performance difference would be only visible with a lightly loaded server with very few clients. And even in this scenario I could not manage to measure a difference. Change-Id: Ibf8865e451866e1fffc8dbc8ad5ecf6bc5577ce4 Signed-off-by: Arne Schwabe <arne-openvpn@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1556 Message-Id: <20260313104955.16748-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36087.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-12 14:50:34 +02:00
Arne Schwabe	b4cb98b5bb	Try to emphasise the transition from old ovpn-dco to new ovpn module ... This tries to ensure that the difference between the old and new module is clearer. Also removed a duplicate section about --disable-dco from the manual page. This also changes one instance of ovpn-dco to ovpn that is probably a bug when reusing a tun device. Change-Id: Iff9f6811fdf553f59f2afee0072d7bf90133d328 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@mandelbit.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1550 Message-Id: <20260411090625.18343-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36573.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-11 16:38:41 +02:00
Frank Lichtenheld	1491fc8e05	Clarify operator precedence in a & b ? c : d ... As suggested by cppcheck. Change-Id: Ia153e0de888c0ee21199b192f3471ce4c08cb5c7 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1619 Message-Id: <20260407205235.31126-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36545.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-08 14:35:01 +02:00
Frank Lichtenheld	df430b03d5	openvpnserv: Remove redundant bit-wise operation ... Found by cppcheck. Change-Id: I7f983168c263e49da7665fc20bd1ecdd426c21d0 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1623 Message-Id: <20260407205344.31263-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36547.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-08 14:33:40 +02:00
Frank Lichtenheld	798884d6df	test_buffer: Add test for buf_null_terminate ... Change-Id: I01683153a68e1809a4d7ab455eb346f53780e219 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1580 Message-Id: <20260407095044.28528-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36532.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-07 12:53:42 +02:00
Luca Boccassi	49ff16dd54	management: add base64 multi-line input for passwords ... Allow management clients to send long passwords via the usual multi-line base64 encoded protocol. A client declares MCV 5 support and sends a 'password <type>' line, followed by as many lines (each up to 1024 bytes) as needed, in base64 encoded format, terminated by 'END'. This is useful when a password is a JIT-generated use-once token. Declare management version 6 for this feature. Change-Id: Ib99f171fb69d51f2260b44edf8ebe21ac958f233 Signed-off-by: Luca Boccassi <luca.boccassi@gmail.com> Acked-by: Selva Nair <selva.nair@gmail.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1593 Message-Id: <20260330180900.16608-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36360.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-06 12:38:55 +02:00
Frank Lichtenheld	5d7068fa18	push: Make prepare_push_reply return void ... It returned a constant value so it didn't actually mean anything. While here also make it static. Identified by cppcheck. Change-Id: Ied966413948cf3c935a8a1eb91172ef7a6948bdd Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1616 Message-Id: <20260406072617.27790-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36514.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-06 12:01:28 +02:00
Frank Lichtenheld	cdb0fbde26	test_packet_id: Add a check after malloc to ensure value is valid ... cppcheck complains about a potential null pointer dereference in reliable_get_num_output_sequenced_available. That is mostly theoretical, but still add a check. Change-Id: I64da2328591ef2b9ee7502e574c878651cdf356a Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1621 Message-Id: <20260406074729.29903-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36516.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-06 12:00:30 +02:00
Frank Lichtenheld	08a19843a1	win: Fix nrpt_dnssec flag handling ... By default the first enum value is 0. But we check whether we set the flag by doing BOOL dnssec = (msg->flags & nrpt_dnssec) != 0; This can't ever be true. Found by cppcheck. Change-Id: Iff5be978817bfc0cd4d78818e7be7b90bad71f3c Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1606 Message-Id: <20260405102209.31528-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36487.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-05 16:28:20 +02:00
Frank Lichtenheld	7b44e01b96	crypto_backend: Remove md_full ... There was only one user for mbedtls < 4.0, so remove all the unused implementations. Identified by cppcheck. Change-Id: Ie2285f5bf52f5c669fb01f9ae36d6aa1674f0929 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1612 Message-Id: <20260405103110.32401-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36495.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-05 16:25:18 +02:00
Frank Lichtenheld	d44ed886c2	mtcp: Remove noop statement in multi_tcp_process_outgoing_link_ready ... Assigning to a parameter here has no effect. I can see no obvious alternative statement that might have been intended. Found by cppcheck. Change-Id: I04a01cf536ee6d48d54ba623dda460c4a98859f9 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1609 Message-Id: <20260404203335.30650-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36478.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-05 12:26:48 +02:00
Frank Lichtenheld	b6cea99f4a	Remove various unused structs ... Change-Id: I46499ff1f40dbdb94b84d58d17457d0ccdd75288 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1607 Message-Id: <20260404203615.30863-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36468.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-05 12:19:12 +02:00
Frank Lichtenheld	4494a34396	openvpnmsica: Fix setting of iTicks in schedule_adapter_delete ... Increase the integer, not the pointer. Found by cppcheck. Change-Id: I4d6501ddfb321f57a76841f29ff92c5a412908bb Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1608 Message-Id: <20260404203525.30790-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36476.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-05 12:15:41 +02:00
Arne Schwabe	59934618e7	Do not access internals of ASN1_INTEGER to print hex of serial ... OpenSSL 4.0 does not allow internal access to to these data structures anymore. So use public methods to get the serial data and convert it to hex. Change-Id: I5158fbb0762443ea4954e5745f520e83e019ed30 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1589 Message-Id: <20260404155726.7696-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36459.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-04 22:12:46 +02:00
Frank Lichtenheld	ecda555404	doc: Remove some explanations for pre-2.3 configurations ... Just streamline the documentation a bit. Change-Id: Ieaaf3a79642c8f7914f9bfc6762ad601c4f5695b Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1603 Message-Id: <20260402120435.39983-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36434.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-04 17:51:44 +02:00
Arne Schwabe	9b663a0824	OpenSSL 4.0: Make X509 objects const ... In OpenSSL 4.0 a lot of the APIs have changed to return const objects. Adjust our source code to use const objects as well. Change-Id: Iea1d13c160599f134587c6f1c2f4a90e7f5e3991 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1596 Message-Id: <20260402121049.41102-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36437.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-04 17:24:04 +02:00
Arne Schwabe	27d1b9a0da	Add unit test for printing various details of certificates ... These unit tests will ensure that refactoring of these methods does not change the output. Change-Id: Iacbd8195cdedc7226bddc686ca8dccf9f25f8842 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1598 Message-Id: <20260331173403.3082-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36389.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-04 16:08:29 +02:00
Arne Schwabe	579046470f	Rename key* to privkey* in cert_data.h ... The name key2 conflicts with our struct key2 and prevents these test keys from being used in test_ssl.c Change-Id: Id8680e6555a66024417d6eb9322d4fde79922453 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1597 Message-Id: <20260401102247.21915-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36401.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-04 16:01:05 +02:00
Arne Schwabe	8ce6f8d166	Use ASN1_BIT_STRING_get_bit to check for netscape certificate usage ... The ASN_BIT_STRING object has become opaque in OpenSSL 4.0. So instead of accessing the internal, we have to use a method now to check these attributes. The bit counting in ASN.1 and of this method is a bit strange and it will count bits from the left instead of the right, so the previous mask of 0x80 for clients is now 0 and 0x40 for server is now 1. Change-Id: I77500d435f212a4bf42ee8cfca07d0285fe694f2 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1587 Message-Id: <20260404072336.30014-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36446.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-04 15:45:46 +02:00
Greg Cox	c39742d1a7	Update --learn-address man page with ipv6 information ... The `--learn-address` option is very v4-specific in its man page. This expands the docs based on things I tripped over when bringing up a dual-stack server. Signed-off-by: Greg Cox <gcox@mozilla.com> Github: closes OpenVPN/openvpn#1009 Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20260330231355.84547-2-gcox@mozilla.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36363.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-03-31 15:51:44 +02:00
Frank Lichtenheld	3ba7602243	ssl_ncp: Fix type of "found" parameter of check_pull_client_ncp ... In commit 91fd9614f9 type of "found" was changed to uint64_t. But due to -Wconversion not yet enabled in all of init.c one occurence of the old type was missed. Change-Id: I1a6dfc175075636bc7a5761215547077a9dc397a Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1594 Message-Id: <20260331060112.5195-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36364.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-03-31 09:59:22 +02:00
Frank Lichtenheld	bee158db0f	buffer: Avoid sign-compare warnings ... - Switch buffer_list size and max_size to size_t - Guard some unavoidable size_t -> int conversions Change-Id: Iecc3e3d5d13cb85c1f287ad4816e1e6a7b2bcdef Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1561 Message-Id: <20260330113648.19896-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36335.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-03-30 14:55:32 +02:00
Frank Lichtenheld	88325a9a75	wfp_block: Avoid sign-compare warning with Fwpm* return types ... FWP_E_ALREADY_EXISTS is explictly casted to HRESULT which is LONG. But Fwpm* return DWORD. So if you compare an expected result with the actual result you get an sign-compare warning... Change-Id: I2f6502da1832edcb273a0dfa9b3ef940bec2d711 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1506 Message-Id: <20260330113826.20057-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36337.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-03-30 14:53:04 +02:00
Selva Nair	dfbf80b0a0	Add an optional username-only flag for auth-user-pass ... Specify "--auth-user-pass username-only" for openvpn to prompt for only username, not password. Prompt via management interface uses the usual ">PASSWORD 'Auth' " prompt with type "username" instead of "username/password". Internally, the password gets set as "[[BLANK]]" which is currently used as tag for blank password. Not compatible with --static-challenge or when username and password are inlined or read from a file. In such cases, the user hard-code a dummy password in the file instead. Change-Id: I788f76e6a70a9c20bca3367140d2741bd0551582 Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1548 Message-Id: <20260303142819.6123-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35855.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-03-30 13:58:45 +02:00
Gianmarco De Gregori	7ac5f89023	socket: restore per-connection lport override over global default ... OpenVPN 2.7.x introduced a regression where --lport specified inside a <connection> block did not override a globally defined local port. As a result, the socket was bound to the global default port instead of the per-connection value. Adjust the socket local_port selection logic to honour local_port_defined when set for the active connection profile. This change restores the documented and previously working behaviour from 2.6.x, where connection-level lport takes precedence over global defaults. Github: closes OpenVPN/openvpn#995 Change-Id: I7cf5d5ef7e2531f397ad97baf4663e3763072f6b Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com> Acked-by: Antonio Quartulli <antonio@mandelbit.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1555 Message-Id: <20260316134841.28362-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36164.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-03-30 13:08:40 +02:00
Haixiao Yan	690aace41a	tests: skip test execution when cross-compiling ... The auth-pam unit test Makefile.am unconditionally assigns the TESTS variable, causing test execution to fail during cross-compilation because the target binaries are not executable on the build host. Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> Acked-By: Frank Lichtenheld <frank@lichtenheld.com> Message-Id: <20260326062016.3856597-1-haixiao.yan.cn@windriver.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36288.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-03-30 13:05:14 +02:00
Arne Schwabe	91fd9614f9	Change type of option flag from unsigned int to uint64_t ... We currently use all 32 bits of the unsigned int for option classes. While we can probably can retire 2-3 of the existing options, at some point we will hit the limit again. Instead of fully rewriting this logic to use a different approach or structure, changing the type from unsigned int to uint64_t seem to be a lot less intrusive approach. Change-Id: I8ca07e2bbb5de229204191d61e90f084a58969af Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1583 Message-Id: <20260325124338.123477-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36266.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-03-27 18:46:29 +01:00
Frank Lichtenheld	5933af1620	auth_token: Clean up type handling in verify_auth_token and its UT ... First of all remove the testing of renegotiation_seconds. Commit 9a51617041 made it irrelevant for verify_auth_token but still left UTs for it. But AFAICT these UTs only test that renegotiation_seconds is bigger than auth_token_renewal, so it tests the UT setup routine... Also improve the code to require less casts under -Wsign-compare. Add a comment that this code is not y38 safe if time_t is 32bit. Probably nothing we want to do from our side since in that case everything that uses "now" is borked. So we trust in the OS here... Change-Id: I73dba29719ea685f0427a3c479e7f1f176f09eba Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1510 Message-Id: <20260312173144.15602-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36079.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-03-26 17:46:10 +01:00
Arne Schwabe	7b5ebf7c44	Increase default size of internal hash maps to 4 * --max-clients ... The default of 256 seems quite low as with (at least) 1024 possible entries (the --max-clients default setting) we have a guaranteed collisions. Using 4 times the number of possible entries for real addresses should reduce collisions quite a bit while also leaving some headroom for the virtual addresses hash where a client might have more than one address. A reason to keep the limit so low are the memory requirements. Each bucket has the size of one linked-list pointer (4 byte or 32 bit and 8 byte for 64 bit). So 256 buckets use 1 or 2 kB while 4096 will use 16 kB or 32 kB. When the current limit was set 20 years ago this might have been a meaningful memory saving but today the collision probability is more important. Change-Id: Ia699b0dfa407ac377970bb130434298eaaec592b Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@mandelbit.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1563 Message-Id: <20260325124526.124049-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36268.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-03-26 15:45:49 +01:00
Arne Schwabe	3316a18ebe	Use const specifices in extract_x509_field_ssl ... The new OpenSSL 4.0 will return const objects from these objects, so make them const in our code as well. Change-Id: Ia43bb88d9ddf2e82c638011353a64c770f2c2c0a Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1588 Message-Id: <20260326110658.25741-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36291.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-03-26 15:16:40 +01:00
Arne Schwabe	07954eea05	Do not support tls_ctx_set_cert_profile on AWS-LC ... SSL_CTX_set_security_level does nothing on AWS-LC and gives a deprecated warning on compile. It is better to give the user a warning than to effectively silently ignore it as well. Change-Id: I74841d3611c62d3c59fc839bc73a0c83ce025262 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1579 Message-Id: <20260322111207.8346-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36243.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-03-26 15:08:10 +01:00
Rudi Heitbaum	dc4a9255f1	ssl_verify_openssl: use official ASN1_STRING_ API ... ASN1_STRING are now opaque types in OpenSSL 4.x — the internal data and length fields are no longer directly accessible. Use the accessor API instead. Accessors have been available since OpenSSL 1.1.0 The ASN1_STRING_length accessor is already in use, but not consistently applied. Standardise on using ASN1_STRING_length and ASN1_STRING_get0_data which allows for successful build of OpenSSL 4.x Change-Id: I8adffc3152b5b502a820a8ae0f901717e4831f81 Signed-off-by: Rudi Heitbaum <rudi@heitbaum.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1584 Message-Id: <20260323121908.730-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36254.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-03-26 15:01:25 +01:00
Arne Schwabe	ee2af6655d	Use openssl_err_t typedef to deal with difference between TLS libraries ... AWS-LC and OpenSSL disagree on the type of that errors are reported in. Instead of having a lot of glue code and casting back and forth, use a typedef to always use the right type. Change-Id: I4adbdf0c8b82fd7de309aa5f6f3b0c8157c5ffe7 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1578 Message-Id: <20260322111131.8251-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36242.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-03-22 12:59:19 +01:00