2687 commits

Author	SHA1	Message	Date
Selva Nair	96781b42f2	Add an optional username-only flag for auth-user-pass ... Specify "--auth-user-pass username-only" for openvpn to prompt for only username, not password. Prompt via management interface uses the usual ">PASSWORD 'Auth' " prompt with type "username" instead of "username/password". Internally, the password gets set as "[[BLANK]]" which is currently used as tag for blank password. Not compatible with --static-challenge or when username and password are inlined or read from a file. In such cases, the user hard-code a dummy password in the file instead. Change-Id: I788f76e6a70a9c20bca3367140d2741bd0551582 Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1548 Message-Id: <20260303142819.6123-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35855.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit dfbf80b0a0)	2026-03-30 14:35:49 +02:00
Gianmarco De Gregori	b5039975bf	socket: restore per-connection lport override over global default ... OpenVPN 2.7.x introduced a regression where --lport specified inside a <connection> block did not override a globally defined local port. As a result, the socket was bound to the global default port instead of the per-connection value. Adjust the socket local_port selection logic to honour local_port_defined when set for the active connection profile. This change restores the documented and previously working behaviour from 2.6.x, where connection-level lport takes precedence over global defaults. Github: closes OpenVPN/openvpn#995 Change-Id: I7cf5d5ef7e2531f397ad97baf4663e3763072f6b Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com> Acked-by: Antonio Quartulli <antonio@mandelbit.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1555 Message-Id: <20260316134841.28362-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36164.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 7ac5f89023)	2026-03-30 13:27:44 +02:00
Arne Schwabe	216c76324d	Increase default size of internal hash maps to 4 * --max-clients ... The default of 256 seems quite low as with (at least) 1024 possible entries (the --max-clients default setting) we have a guaranteed collisions. Using 4 times the number of possible entries for real addresses should reduce collisions quite a bit while also leaving some headroom for the virtual addresses hash where a client might have more than one address. A reason to keep the limit so low are the memory requirements. Each bucket has the size of one linked-list pointer (4 byte or 32 bit and 8 byte for 64 bit). So 256 buckets use 1 or 2 kB while 4096 will use 16 kB or 32 kB. When the current limit was set 20 years ago this might have been a meaningful memory saving but today the collision probability is more important. Change-Id: Ia699b0dfa407ac377970bb130434298eaaec592b Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@mandelbit.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1563 Message-Id: <20260325124526.124049-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36268.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 7b5ebf7c44)	2026-03-26 15:48:10 +01:00
Arne Schwabe	82f676574d	Use const specifices in extract_x509_field_ssl ... The new OpenSSL 4.0 will return const objects from these objects, so make them const in our code as well. Change-Id: Ia43bb88d9ddf2e82c638011353a64c770f2c2c0a Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1588 Message-Id: <20260326110658.25741-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36291.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 3316a18ebe)	2026-03-26 15:17:35 +01:00
Arne Schwabe	4577a0dc21	Do not support tls_ctx_set_cert_profile on AWS-LC ... SSL_CTX_set_security_level does nothing on AWS-LC and gives a deprecated warning on compile. It is better to give the user a warning than to effectively silently ignore it as well. Change-Id: I74841d3611c62d3c59fc839bc73a0c83ce025262 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1579 Message-Id: <20260322111207.8346-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36243.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 07954eea05)	2026-03-26 15:10:16 +01:00
Rudi Heitbaum	3888007826	ssl_verify_openssl: use official ASN1_STRING_ API ... ASN1_STRING are now opaque types in OpenSSL 4.x — the internal data and length fields are no longer directly accessible. Use the accessor API instead. Accessors have been available since OpenSSL 1.1.0 The ASN1_STRING_length accessor is already in use, but not consistently applied. Standardise on using ASN1_STRING_length and ASN1_STRING_get0_data which allows for successful build of OpenSSL 4.x Change-Id: I8adffc3152b5b502a820a8ae0f901717e4831f81 Signed-off-by: Rudi Heitbaum <rudi@heitbaum.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1584 Message-Id: <20260323121908.730-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36254.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit dc4a9255f1)	2026-03-26 15:02:04 +01:00
Frank Lichtenheld	5f0a168311	ssl_verify_openssl: Clean up extract_x509_extension ... * Avoid sign-compare warning when comparing string lengths * Use the nicer alias rfc822Name instead of the general ia5 from the GENERAL_NAME union. * Use the official ASN1_STRING_length API instead of accessing the struct directly. * C11 changes Github: OpenVPN/openvpn#1003 Change-Id: I23cc00aee47aef007ab2e7d50b52c6de299505db Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1507 Message-Id: <20260309133236.29732-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35980.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 66060627a8)	2026-03-23 13:42:13 +01:00
Arne Schwabe	ca6c9a8886	Use openssl_err_t typedef to deal with difference between TLS libraries ... AWS-LC and OpenSSL disagree on the type of that errors are reported in. Instead of having a lot of glue code and casting back and forth, use a typedef to always use the right type. Change-Id: I4adbdf0c8b82fd7de309aa5f6f3b0c8157c5ffe7 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1578 Message-Id: <20260322111131.8251-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36242.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit ee2af6655d)	2026-03-22 13:01:00 +01:00
Arne Schwabe	068598717a	AWS-LC: Add missing return and cast in ssl_tls1_PRF ... Change-Id: I7843ff1422cc3b46870749b2daab1698646d43eb Signed-off-by: Arne Schwabe <arne-openvpn@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1567 Message-Id: <20260313153034.31872-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36107.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 3541226a8b)	2026-03-13 18:40:32 +01:00
Selva Nair	6a1ae7f24d	Use USER_PASS_LEN for private key password buffer size ... GitHub: fixes OpenVPN/openvpn#993 Change-Id: I5e17e184f666317df21460108da4f70670358ece Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1553 Message-Id: <20260305065952.24348-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35914.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 5f7b1c548b)	2026-03-06 17:22:39 +01:00
Frank Lichtenheld	c0e792112a	buffer: Add checked_snprintf function and use it in the code ... This reintroduces a function that converts the result of snprintf to a boolean since the check is always the same but annoyingly verbose. And it gets worse when you add -Wsign-compare. So in preparation of introducing -Wsign-compare wrap this check in the function. This somewhat reverts the removal of openvpn_snprintf. But note that that was originally introduced to work around the broken snprintf of Windows. So this is not exactly the same. For this reason I also classified this as a buffer function and not a compat function. Change-Id: Ia3477b8ee7a637c15aad7f285144280595cda5d5 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1489 Message-Id: <20260304110455.15859-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35872.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 1ec71fe0c0)	2026-03-04 14:14:55 +01:00
Arne Schwabe	4d6cf3dcb8	Merge stream_buf_get_next and stream_buf_set_next ... The stream_buf_set_next prepares a buffer in the stream_buf structure that will be retrieved by stream_buf_get the next time it is used. This temporary copy of the buffer is unnecessary as the buffer next can also be constructed on the fly. This also fixes a rare crash when read buffer are not initialised and read is still signalled as the initialisation of next will now happen whenever it is required. This assertion happens when we do not expect a read event from the socket and then in link_socket_read_tcp the function stream_buf_get_next can trigger an assert on ASSERT(buf_defined(&sb->next)); To avoid this weird corner case, just always initialise the read buffer whether or not we expect a read to occur. This also adds documentation about the methods and field associated with the stream_buf structure. Reproducing this bug requires very special circumstances. To reproduce, run a client with openvpn --client --proto tcp --dev tap --ifconfig noexec ... The client side must be on Linux. Other platforms do not reproduce this bug. Note that the client will not configure any IP or IPv6 on the interface and will also not bring up the interface. The server must also send at least one real data packet to the client (no keepalive ping). Just having the interface up normally produces enough traffic. Now forcefully reset the TCP connection. E.g. by executing on the client sudo ss --kill dport <server port> This will now trigger the assertion. This happens since OpenVPN waits forever to get a write back from the poll from the tun/tap device but this never happens since the device is not up. As long as we do not get back the tun device for writing, we also do not put the socket back into the EVENT_READ state. And this also means that code to initialise the read buffer (stream_buf_set_next) is never run. But the reset on the TCP socket triggers the TCP socket to be available for read, even if it is just for a read of 0 bytes to indicate the reset. So the function link_socket_read_tcp will run into the assert. Change-Id: Ifd3e953104a67c8bf2a225e179865e3dbd0dbfbc Signed-off-by: Arne Schwabe <arne-openvpn@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1477 Message-Id: <20260216162236.22304-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35673.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 5e85c3491f)	2026-03-04 10:29:28 +01:00
Selva Nair	cb154f0363	Document management client versions ... Also add an enum to keep track of client version updates. Change-Id: I1c01fa1bc7d65ac060b334724feb56ef4d0b5d35 Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1552 Message-Id: <20260302141811.5697-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35805.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit d5814ecd23)	2026-03-02 22:54:40 +01:00
Max Fillinger	bf7f8548c7	Avoid unbounded allocations in pkcs11_mbedtls.c ... The PKCS#11 provider can crash OpenVPN by making it try to allocate 2^64 bytes for a certificate. To avoid this, set a maximum size for certificates. If the size is exceeded, don't try to allocate memory and instead exit pkcs11_get_x509_cert with an error. The chosen maximum size is 100.000 bytes which is twice the size of a SLH-DSA (aka SPHINCS+) signature. Found-by: ZeroPath (https://zeropath.com/) Reported-by: Joshua Rogers <contact@joshua.hu> Github: closes OpenVPN/openvpn-private-issues#42 Change-Id: I53d47e4a0d33c380ee95e0e33aecad3db3197940 Signed-off-by: Max Fillinger <maximilian.fillinger@sentyron.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1549 Message-Id: <20260302142045.5954-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35807.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 0a8e80aaf9)	2026-03-02 22:49:11 +01:00
Antonio Quartulli	acbe874c71	options: drop useless init_gc param for init_options() ... The init_option() function is always invoked with the second param "init_gc" set to "true". This makes the parameter useless and it can therefore be removed while always taking the "true" branch in the related logic. This way we can also drop the options->gc_owned member as it would also be always set to true. Change-Id: I633d8cbf75ab4da85e16df44684aef60523811c5 Signed-off-by: Antonio Quartulli <antonio@mandelbit.com> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1536 Message-Id: <20260217135605.154129-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35695.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 92937c267b)	2026-02-28 10:55:38 +01:00
Gert Doering	b215499c30	dco_freebsd: use AF_LOCAL sockets for ioctl() communication with DCO driver ... DCO FreeBSD uses ioctl() calls for userland -> driver communication, on a socket() file descriptor. The original code uses AF_INET sockets, which fails if using a kernel compiled without IPv4 support. The kernel side ioctl() handling does not differentiate between AF_INET, AF_INET6 and AF_LOCAL sockets, and only the latter are guaranteed to be present. While add it, add a clear message if the socket() call in dco_available() fails (it will lead to disabling of DCO). FreeBSD PR: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=286263 Reported-by: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl> Change-Id: I84fe7a11391eafde3660d25a3c99094a0c525f3d Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@mandelbit.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1551 Message-Id: <20260227224745.3175-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35795.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 5f19355d15)	2026-02-28 10:25:32 +01:00
Selva Nair	d88e902393	Fixup version command on management interface ... All commands to the management interface are supposed to be responded with either a one-line "SUCCESS:/ERROR:" message or a multi-line reply terminated by "END". But, curently we silently accept the "version n" command wih no response. This causes clients like OpenVPN-GUI lock-up if version command is used, waiting for ever for a reply. Fix this by adding a SUCCESS response if client version is set to a value >= 4. As the highest client version in use until now is 3, this should not affect any work-arounds in existing clients. ERROR response is generated if the version parameter is null which never happens in practice. Change-Id: I76dc80a9d9b29e401b7bbd59e0c46baf751d2e4a Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1528 Message-Id: <20260224213036.31845-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35782.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit adc0febaea)	2026-02-25 09:40:10 +01:00
Arne Schwabe	1c9f9bfa5c	DCO Linux: Fix setting DCO ifmode failing on big endian archs ... The problem is that SITNL_ADDATTR is not forcing type safety and on big endian architcutre passing a smaller size than the underlying integer type of data causes only the more significant byte(s) to be passed instead. A proper fix would be to add specific methods for common integer types like SITNL_ADDATTR_u8, SITNL_ADDATTR_u16, SITNL_ADDATTR_u32 like netlink library does with NLA_PUT_U32, NLA_PUT_U16, NLA_PUT_U8. Change-Id: I560f45fb0011180be8ca2b0e7fbc63030fa10f35 Github: closes OpenVPN/ovpn-dco#96 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@mandelbit.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1547 Message-Id: <20260219110954.21471-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35752.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit b3e0e8696b)	2026-02-19 16:48:02 +01:00
Rudi Heitbaum	18b38ffc69	ntlm: fix discards 'const' qualifier from pointer target type ... Since glibc-2.43: For ISO C23, the functions bsearch, memchr, strchr, strpbrk, strrchr, strstr, wcschr, wcspbrk, wcsrchr, wcsstr and wmemchr that return pointers into their input arrays now have definitions as macros that return a pointer to a const-qualified type when the input argument is a pointer to a const-qualified type. fixes: src/openvpn/ntlm.c: In function 'ntlm_phase_3': src/openvpn/ntlm.c:241:15: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers] 241 | separator = strchr(p->up.username, '\\'); | ^ Change-Id: I2703f15144661f9cadfc8750884db270f3a5bfc6 Signed-off-by: Rudi Heitbaum <rudi@heitbaum.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1546 Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Message-Id: <20260218214437.26912-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35723.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit b5087dcf3f)	2026-02-19 13:07:31 +01:00
Frank Lichtenheld	2fd42e6d1d	auth-pam: fix discards 'const' qualifier from pointer target type ... strstr now returns const char*. Change-Id: I632368451923116e0a169ddb5b6e86a8f8486afc Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1543 Message-Id: <20260218214712.27119-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35728.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit eeaedd1362)	2026-02-19 10:33:47 +01:00
Rudi Heitbaum	188d3d6885	dns: fix discards 'const' qualifier from pointer target type ... Since glibc-2.43: For ISO C23, the functions bsearch, memchr, strchr, strpbrk, strrchr, strstr, wcschr, wcspbrk, wcsrchr, wcsstr and wmemchr that return pointers into their input arrays now have definitions as macros that return a pointer to a const-qualified type when the input argument is a pointer to a const-qualified type. fixes: src/openvpn/dns.c: In function 'dns_server_addr_parse': src/openvpn/dns.c:67:25: warning: initialization discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers] 67 | char *first_colon = strchr(addr, ':'); | ^~~~~~ src/openvpn/dns.c:68:24: warning: initialization discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers] 68 | char *last_colon = strrchr(addr, ':'); | ^~~~~~~ Change-Id: I262705189edfbd9aa9a32bcd712840fffa592435 Signed-off-by: Rudi Heitbaum <rudi@heitbaum.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1542 Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Message-Id: <20260218214738.27158-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35730.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 0157e7fb8a)	2026-02-19 10:10:20 +01:00
Arne Schwabe	9c8d28c722	Change stream_buf_read_setup_dowork parameter to struct steam_buf ... This methods only ever access sock->stream_buf so make the method simpler by just having a parameter sb. Change-Id: I3deb7cd75db3cb280fa8d9c637cd3bde3881d6e3 Signed-off-by: Arne Schwabe <arne-openvpn@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1483 Message-Id: <20260211150747.113906-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35595.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 6ac80e9909)	2026-02-16 17:26:43 +01:00
Gert Doering	158f1fa1ef	rework all occurrences of 'M_ERR | M_ERRNO' ... M_ERR is defined as (M_FATAL | M_ERRNO), so 'msg(M_ERR | M_ERRNO, ...)' is just the same as 'msg(M_ERR, ...)'. The occurances in tun.c and dco_freebsd.c are really "if this happens, we can not go on" errors, so 'M_ERR' (= FATAL, plus log errno string) is the correct thing to do. The occurances in dns.c do come with error handling and cleanup after the msg() call, so the right thing is 'M_WARN | M_ERRNO' instead (warning, plus log errno string). Github: fixes OpenVPN/openvpn#939 Change-Id: I14395665f197349e374a81b56f28536ff88937a8 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1517 Message-Id: <20260211150648.113547-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35594.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit f349b0a614)	2026-02-16 15:53:59 +01:00
Gert Doering	27505a5f2c	port-share: log incoming connections at verb 3 only ... From "day 1" the message "Non-OpenVPN client protocol detected" was logged at D_STREAM_ERRORS level (verb 1), while it is not anything erroneous in this context (it's inside an "port share" only block). Bump this to D_PS_PROXY (verb 3). Github: closes OpenVPN/openvpn#976 Change-Id: Ie5c9a88050de959cfb02e5f804323a8081ddb667 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1516 Message-Id: <20260211113315.25776-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35589.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 6f9ab9647c)	2026-02-13 23:04:10 +01:00
Frank Lichtenheld	44a5b33021	Update the clang-format reference version to 21.1.8 ... Latest v21.x version. Changes a few file in Windows specific code due to bug fixes. Change-Id: Iaf0d8f528211f1971f163a8006b054efb4917e2a Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1514 Message-Id: <20260210151639.913-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35563.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-02-10 16:29:04 +01:00
Frank Lichtenheld	f6004dc45e	crypto: Do not claim we will remove support for BF-CBC in 2.7 ... Change-Id: Ie35099b114c510e55292090c34b9d950b1f03947 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1511 Message-Id: <20260210152035.1273-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35565.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-02-10 16:27:50 +01:00
Max Fillinger	2183eb5d54	Mbed TLS 4: Add more algorithms ... Expand the tables of hash functions and elliptic curve groups, and also check if they are compiled in. Change-Id: I740991f22b728fe2f5a48bc18d5ca4b62f56f399 Signed-off-by: Max Fillinger <maximilian.fillinger@sentyron.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1500 Message-Id: <20260130071137.14398-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35507.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-02-10 12:06:45 +01:00
Gert Doering	5521872f80	tunnel_server(): close correct inotify fd ... On a full SIGUSR1 restart of a p2mp server compiled with --enable-async-push, tunnel_server() will try to close and reopen the "inotify" control file descriptor. For whatever reason, the original code referenced the wrong context, always closing fd 0. As a consequence of this, on the second SIGUSR1 restart, the server will close() the first active socket file descriptor, and if there are active DCO clients, the resulting event confusion will lead to an ASSERT(!mi->halt). Fix by closing the correct FD. Add logging. Github: fixes OpenVPN/openvpn#966 Change-Id: Iabc117848ad7b67d240c392f1a6aa2d7531fd5bb Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1497 Message-Id: <20260128110425.24350-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35478.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-28 14:19:40 +01:00
Heiko Hund	62a17417de	Prevent NULL pointer dereference with --dns-updown ... If the dns-updown option appears in the config twice, there is a chance of a NULL pointer dereference when comparing the script path to the default script path. This happens when a custom script is set, after the dns-updown script was disabled first. In that case the script path is NULL, which leads to the deref during a strcmp(3). Reported-by: <aarnav@srlabs.de> Change-Id: Id530d890ba01cffb74d3dc04ad10b153f7bea1d4 Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1498 Message-Id: <20260128110443.24410-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35479.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-28 14:16:42 +01:00
Frank Lichtenheld	4bf05d487c	manage: Do not trigger actions on management disconnect if not authenticated ... If the management interface requires authentication via password and the remote did not specify it, do not do trigger actions requested by --management-forget-disconnect and --management-signal on disconnect. Reported-By: Joshua Rogers <contact@joshua.hu> Found-By: ZeroPath (https://zeropath.com) Github: openvpn-private-issues#5 Change-Id: I575d65912ce9065a0b0868e73998b4a9aece62af Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1484 Message-Id: <20260122125707.108048-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35390.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-27 15:19:07 +01:00
Frank Lichtenheld	e1e3b9aed1	status: Avoid conversion warnings in status_read/status_printf ... Just use explicit casts. len is limited by BCAP and c is limited by being from buf_read_u8. So they are safe. In case of status_printf this is only for Windows. len is limited by sizeof(buf), so also a safe cast. Change-Id: Iff1343a2f8cc7e32b8f36b359a00248e4dc3e8c9 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1485 Message-Id: <20260122154751.155227-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35398.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-26 17:31:49 +01:00
Frank Lichtenheld	57e701129e	socket: Remove ifdef for SO_{RCV, SND}BUF ... Seems all our platforms define it. Reported-by: Marc Heuse <marc@srlabs.de> Github: Fixes OpenVPN/openvpn#965 Change-Id: I87679949bdef6319d7490d561f0136633244c2b9 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1486 Message-Id: <20260126145432.31249-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35435.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-26 16:29:20 +01:00
Frank Lichtenheld	22a7010f5b	route: Fix conversion warnings on BSDs ... Mostly just use better types. And in some places remove overloading of variables with nicer C11 code. Change-Id: Idbb5c0fff759a2e645a8b4f62266509e32e3a44e Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1481 Message-Id: <20260122133050.117000-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35394.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-25 18:37:34 +01:00
Max Fillinger	494fb71804	Add support for Mbed TLS 4 ... This commit adds support for Mbed TLS 4. This version comes with some drastic changes. The crypto library has been completely redesigned, so the contents of crypto_mbedtls.c are moved to crypto_mbedtls_legacy.c and crypto_mbedtls.c handles the crypto for version 4. Mbed TLS 4 also removed the feature for looking up a crypto algorithm by name, so we need to translate algorithm names to Mbed TLS numbers in OpenVPN. The tables are not yet complete. For symmetric algorithms, I have added AES and Chacha-Poly which should be enough for most use cases. Change-Id: Ib251d546d993b96ed3bd8cb9111bcc627cdb0fae Signed-off-by: Max Fillinger <maximilian.fillinger@sentyron.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1441 Message-Id: <20260123164746.7333-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35401.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-24 18:49:44 +01:00
Frank Lichtenheld	b10ee38ccd	openvpnserv: Add a first unit test ... This adds the required build infrastructure and adds tests for two functions related to GetItfDnsDomains(). Change-Id: I33583e51e1143c53fbe0aef16546fa3f602b17c0 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1459 Message-Id: <20260119215058.27888-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35345.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-24 18:23:05 +01:00
Frank Lichtenheld	cd533c483a	openvpnserv: Factor out the string conversion from GetItfDnsDomains ... Mostly so that we can actually test it. Since that code does some in-place conversions a test would be good. Change-Id: Ib517457015b754d59aeb70827c4795aa6154728c Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Heiko Hund <heiko@openvpn.net> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1458 Message-Id: <20260119214927.27766-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35343.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-24 17:27:38 +01:00
Frank Lichtenheld	fdfe0abeef	openvpnserv: Fix conversion warnings in interactive.c ... Mostly DWORD vs. size_t conversions where we have no choice but to cast. Change-Id: I864cd4a718886f437b72e93d0286f90fcb73592b Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Heiko Hund <heiko@openvpn.net> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1457 Message-Id: <20260120155547.116088-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35356.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-24 16:54:01 +01:00
Arne Schwabe	1fe958183f	Silence compiler truncation warning by checking snprintf return value ... On the more recent mingw compilers (homebrew mingw 13.0.0, GCC 15.2.0) the compiler complains about a potential truncation in these two places. src/openvpn/tun.c:3806:57: error: '%s' directive output may be truncated writing up to 255 bytes into a region of size 178 [-Werror=format-truncation=] This not very helpful but checking the snprintf return value will make the compiler not warn about this. Change-Id: I54b11a5540fb236580a3b80c6d1e8678b24bd852 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1272 Message-Id: <20260121121830.27244-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35367.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-24 16:47:48 +01:00
Frank Lichtenheld	1a31efb495	port-share: Check return value of fork() ... While here, do some small C11 code cleanup. Reported-By: Joshua Rogers <contact@joshua.hu> Found-By: ZeroPath (https://zeropath.com) Github: openvpn-private-issues#12 Change-Id: I5eac1b31ae40eb957e2c12ca6c37b491fef32847 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1470 Message-Id: <20260119171216.6100-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35337.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-24 14:36:34 +01:00
Frank Lichtenheld	b28321edfe	ssl_ncp: Avoid conversion warning in replace_default_in_ncp_ciphers_option ... Change-Id: I380e842b7429060d13bc0264e55fa5c06ab427df Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1452 Message-Id: <20260122125829.108470-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35391.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-24 14:33:22 +01:00
Frank Lichtenheld	2cc00e80bc	socket: Avoid conversion warning in get_addr_generic ... We already check earlier that bits is smaller that max_bits, so the cast is safe. While reviewing the callers, remove some unused variables. Change-Id: I5ad13bc6674b3403251cc552d1f2c0f057431817 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1475 Message-Id: <20260119122556.15225-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35324.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-19 18:07:50 +01:00
Frank Lichtenheld	de3ef0dc65	ssl_verify_openssl: Avoid conversion warning in x509_verify_cert_ku ... Just use the correct types. v2: - Change type of expected_len argument to size_t Change-Id: Ia6c3f0395bd6cd67064fe77420d9df2b66763049 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1445 Message-Id: <20260119122058.14865-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35322.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-19 18:05:08 +01:00
Frank Lichtenheld	2ece9a5df5	cryptoapi: Avoid conversion warnings ... Due to the differences in the types of APIs between xkey provider and Windows cryptoapi we can't avoid the casts. And they should be safe generally since the involved sizes should be small compared to the maximum values. So just add asserts and explicit cast to avoid the warnings. Change-Id: I789022af7c4977c4dff4f7671f491fe5836828fa Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Selva Nair <selva.nair@gmail.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1464 Message-Id: <20260116135729.40545-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35304.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-19 12:38:50 +01:00
Frank Lichtenheld	07fc73025b	crypto_openssl: Fix various conversion warnings ... EVP_CIPHER_CTX_flags is documented to output int in OpenSSL, but is actually unsigned long in OpenSSL 3. In libressl it is correctly documented to output unsigned long. Change-Id: I99bc4692526f9143a913e29b266a1816295dfd51 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1446 Message-Id: <20260116172010.25278-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35311.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-17 17:24:21 +01:00
Arne Schwabe	e0e0720ac3	Correctly handle sender jumping exactly epoch_data_keys_future_count ... When the sender jumps forwards exactly epoch_data_keys_future_count in its epoch key use the housekeeping logic does not handle this correctly and triggers an ASSERT. Change the code to correctly implement the special case when the new epoch key of the sender is the highest valid key epoch in the current window of valid epoch keys for receiving data. Change-Id: Ib581c02a29b974184256a9f4ad0ce15ba5f9db3b Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-By: Max Fillinger <maximilian.fillinger@sentyron.com> Reported-By: Pavel Kohout of Aisle Research <pavel.kohout@aisle.com> Github: closes OpenVPN/openvpn-private-issues#103 CVE: 2025-15497	2026-01-15 11:10:56 +01:00
Frank Lichtenheld	8c3671dbd5	forward: Avoid conversion warning in ipv6_send_icmp_unreachable ... Since all values are limited by MAX_ICMPV6LEN we can just cast to uint16_t. While here remove a unused gc arena in neighbouring code. Change-Id: I701f9e0a96a7b43f278f8e6089e9156feab772c8 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1472 Message-Id: <20260115091124.23360-1-gert@greenie.muc.de> URL: https://sourceforge.net/p/openvpn/mailman/message/59283657/ Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-15 11:08:19 +01:00
Frank Lichtenheld	6768ef1dab	error: Remove our implementation of static_assert ... It is C11, so it should be present in all our compilers. Change-Id: I9cb14b9f44409ec5c78044ddb216a2b4dced0f9b Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1471 Message-Id: <20260115092552.25011-1-gert@greenie.muc.de> URL: https://sourceforge.net/p/openvpn/mailman/message/59283672/ Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-15 11:04:50 +01:00
Frank Lichtenheld	b34dc9279d	ssl_verify: Fix parsing of timeout from auth pending file ... Make sure the value is not negative before casting it to unsigned. Change-Id: I8a5efb2ed009a702f10dc8f40c677f014547b4c8 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1451 Message-Id: <20260115093235.25635-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35275.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-15 10:36:11 +01:00
Frank Lichtenheld	b2cc5c2ec4	socks: In establish_socks_proxy_udpassoc check result of recv_socks_reply ... Not just check the return value but also that relay_addr is valid. recv_socks_reply doesn't care whether the answer is what we expected. This is probably a very unlikely edge case but it doesn't hurt to check for it here. Reported-By: Joshua Rogers <contact@joshua.hu> Found-By: ZeroPath (https://zeropath.com) Github: openvpn-private-issues#13 Change-Id: Ic1c8f24de423541bdc85e70b5a688213800d86de Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1469 Message-Id: <20260114135807.20637-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35249.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-14 19:38:28 +01:00
Frank Lichtenheld	d61d3c2a71	socket: Remove old 'dynamic remote' feature ... So apparently when using --proto tcp-server --tls-server --remote, AND the remote is not resolvable on startup then we would preserve the remote name and resolve it later on connect. Except that when the remote is not resolvable I never managed to get it to create a listening socket in the first place. Originally I looked into this code because ZeroPath claimed it was broken. I think that report was correct but I think it is much easier to declare this feature dead instead of trying to fix it. It is undocumented and if it is usable then only in very specific circumstances that are hard to figure out. Github: openvpn-private-issues#13 Change-Id: I0141945469dd11340bfb42ec37a3c5f90ed0ff52 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1468 Message-Id: <20260113121512.12057-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35232.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-14 14:30:40 +01:00