openvpn

mirror of https://github.com/OpenVPN/openvpn.git synced 2026-05-28 04:03:29 -04:00

Author	SHA1	Message	Date
Gert Doering	8e9e91f4ca	OpenVPN Release 2.7.4 Some checks failed Build / mingw unittest argv - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest auth_token - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest buffer - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest crypto - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest cryptoapi - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest misc - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest ncp - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest openvpnserv - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest options_parse - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest packet_id - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest pkt - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest provider - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest ssl - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest tls_crypt - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest user_pass - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest argv - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest auth_token - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest buffer - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest crypto - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest cryptoapi - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest misc - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest ncp - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest openvpnserv - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest options_parse - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest packet_id - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest pkt - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest provider - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest ssl - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest tls_crypt - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest user_pass - x86 - Release - OSSL (push) Has been cancelled Details version.m4, ChangeLog, Changes.rst Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-30 15:45:57 +02:00
Frank Lichtenheld	6528ae0152	dns-scripts: Fix dnssec values in comments and Copyright statement format - Fix the example value of dnssec to an actual valid one - Fix the formatting of the Copyright statements to be consistent with all other files in the project Change-Id: Id6832e3f56420debc8b19d0144d53ca41abb678b Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1645 Message-Id: <20260430130354.25337-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36800.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `64fbcb69a3`)	2026-04-30 15:20:26 +02:00
Selva Nair	9683e1fe27	dns: minimalist fix for dnssec setting Github: fixes OpenVPN/openvpn#1024 Change-Id: I0cb093e0116e92d874162d51be777aa43674c115 Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1644 Message-Id: <20260430124020.23066-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36797.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `919f5ced7d`)	2026-04-30 15:11:58 +02:00
Frank Lichtenheld	064f912b4d	GHA: Add caching for vcpkg builds The nice automatic caching was removed last year, so go back to manual caching of the binary cache dir. While here, also update vcpkg to latest master. Change-Id: I933227aa4bc4f05b58d0e754b4330da807504d01 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Yuriy Darnobyt <yura.uddr@gmail.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1642 Message-Id: <20260429093938.23601-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36775.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `1570877364`)	2026-04-29 14:36:45 +02:00
Frank Lichtenheld	8c7bacc45f	GHA: Maintenance Update April 2026 - Updates GHA actions - Switch clang-format job to archive: false supported in new actions/upload-artifact version. This way the file is not encapsulated in a zip - Drop macos-14 builds. This runner is considered deprecated and will be removed later this year. Change-Id: I43851d96c28af0ebcf0c6beab21659e68919d0c6 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Yuriy Darnobyt <yura.uddr@gmail.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1641 Message-Id: <20260429093957.23705-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36776.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `cc2926fd5d`)	2026-04-29 13:23:21 +02:00
Luis Cruz	5a97413a9a	Fix pkgcs11 vcpkg port installing debug files on release builds Change-Id: Icfa559d9923d7dacb4b72e47b22688a4225c4708 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1640 Message-Id: <20260428124810.29709-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36762.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `01d5562ed7`)	2026-04-28 15:55:14 +02:00
Frank Lichtenheld	352d234bee	configure: Remove --enable-strict Both -Wsign-compare (via -Wextra) and -Wuninitalized (via -Wall) are enabled by default. So this does not do anything anymore. While here also remove rest of --enable-strict-options which was mostly removed in commit `2104ea6243` Change-Id: I53e7b984980cb1e2b3f68e80358b61c9e1045725 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1590 Message-Id: <20260427174757.4075-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36752.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `ac62337dd5`)	2026-04-28 15:00:59 +02:00
Max Fillinger	573ccf82e9	Mbed TLS: Error out if we have no valid tls-groups Previously, when no valid groups were specified with the tls-groups option, the Mbed TLS build of OpenVPN would start up and run, but fail to complete a handshake, while the OpenSSL build would exit with an error. This commit changes the behavior of the Mbed TLS build to match the OpenSSL version. Change-Id: Ica5f37e525c3812609021750ecd3986c1420e2a4 Signed-off-by: Max Fillinger <maximilian.fillinger@sentyron.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1633 Message-Id: <20260421055357.21708-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36699.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `b2e3e0f0cf`)	2026-04-27 17:54:01 +02:00
Gert Doering	6ad8be3f36	OpenVPN Release 2.7.3 version.m4, ChangeLog, Changes.rst	2026-04-25 22:34:09 +02:00
Selva Nair	8d512db3fc	Fixup: prompting password from management Some checks failed Build / mingw unittest argv - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest auth_token - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest buffer - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest crypto - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest cryptoapi - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest misc - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest ncp - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest openvpnserv - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest options_parse - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest packet_id - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest pkt - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest provider - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest ssl - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest tls_crypt - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest user_pass - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest argv - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest auth_token - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest buffer - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest crypto - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest cryptoapi - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest misc - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest ncp - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest openvpnserv - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest options_parse - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest packet_id - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest pkt - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest provider - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest ssl - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest tls_crypt - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest user_pass - x86 - Release - OSSL (push) Has been cancelled Details Commit `b450414` added logic for reading password from management when not in file or inline, but it was made conditional on `response_from_stdin` which is always true! Fix by explicitly checking for `password_from_stdin`. Github: fixes OpenVPN/openvpn#1021 Change-Id: I4d46c3672691b159cbd98a17020c4f30782bc202 Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1638 Message-Id: <20260424161840.5767-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36739.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `9ac9a41b82`)	2026-04-25 19:34:27 +02:00
Gert Doering	5974878949	OpenVPN Release 2.7.2 Some checks failed Build / mingw unittest argv - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest auth_token - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest buffer - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest crypto - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest cryptoapi - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest misc - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest ncp - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest openvpnserv - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest options_parse - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest packet_id - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest pkt - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest provider - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest ssl - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest tls_crypt - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest user_pass - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest argv - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest auth_token - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest buffer - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest crypto - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest cryptoapi - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest misc - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest ncp - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest openvpnserv - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest options_parse - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest packet_id - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest pkt - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest provider - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest ssl - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest tls_crypt - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest user_pass - x86 - Release - OSSL (push) Has been cancelled Details version.m4, ChangeLog, Changes.rst	2026-04-21 18:47:44 +02:00
Arne Schwabe	4a2c827c25	Ensure that buffer of freed session are not used In a race condition an old TLS session could still try to send a packet but also get replaced by a new session. In this case, the buffer of the new session is still referenced. Add the check_session_buf_not_used function to mitigate this problem. Also make the check if the to_link pointer is in one of the memory regions a bit better even though this not make a difference with the way we use these structs. But better safe than sorry. A better solution to remove the TM_INITIAL state and handle reconnecting session in their own complete tls_multi is a more involved fix that requires a lot more refactoring. CVE: 2026-40215 Reported-By: XlabAI Team of Tencent Xuanwu Lab (xlabai@tencent.com) Reported-By: Guannan Wang (wgnbuaa@gmail.com Reported-By: Zhanpeng Liu (pkugenuine@gmail.com) Reported-By: Guancheng Li (lgcpku@gmail.com) Signed-off-by: Arne Schwabe <arne@rfc2549.org> Change-Id: I7c5fa2a7a2563b7a8955d386411f3ceffe5b092f Private-URL: https://github.com/OpenVPN/openvpn-private-issues/issues/112 Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit b2a15fb84d85790eeae4a2e12b431cbfd0b0302f)	2026-04-21 08:19:42 +02:00
Steffan Karger	607e2fcb9c	tls-crypt-v2: Avoid interpreting opcode as part of WKc The buffer we pass to tls_crypt_v2_extract_client_key contains the entire received control channel packet. We should skip the opcode before trying to read WKC. This logic error is a second bug behind the XlabAI finding, next too the too-strict ASSERT in tls_crypt_unwrap. Also remove a too strict ASSERT in tls_crypt_unwrap. We already check a few lines later for a too short packet and return a proper error ("packet too short"). XlabAI found a way of triggering this ASSERT that requires a tls-crypt-v2 client key that has a specific property (a specific byte need to have a specific value, about 1/256 probability). If an attacker can get hold of such a tls-crypt-v2 client key or observe a handshake using such a key, the attacker can trigger the ASSERT, crashing the server. Setups that do not use tls-crypt-v2 are not affected. Independently, Cisco Talos reported a way to trigger this ASSERT with any tls-crypt-v2 key but this requires the attacker to be also in possession of the private key part of the tls-crypt-v2 client key or to inject packet into a live session of a client session. CVE: 2026-35058 Reported-By: XlabAI Team of Tencent Xuanwu Lab (xlabai@tencent.com) Reported-By: Guannan Wang (wgnbuaa@gmail.com Reported-By: Zhanpeng Liu (pkugenuine@gmail.com) Reported-By: Guancheng Li (lgcpku@gmail.com) Reported-By: Emma Reuter of Cisco ASIG (TALOS-2026-2381) Signed-off-by: Steffan Karger <steffan@karger.me> Signed-off-by: Arne Schwabe <arne@rfc2549.org> Change-Id: I623733c0476c98f436d19009ee8990693c1579b5 Private-URL: https://github.com/OpenVPN/openvpn-private-issues/issues/111 Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 18270324a5fd43122ca1b8c29b224c5dd5905429)	2026-04-21 08:19:42 +02:00
Gert Doering	bac8be0761	Fix copyright line in README Some checks failed Build / mingw unittest argv - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest auth_token - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest buffer - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest crypto - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest cryptoapi - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest misc - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest ncp - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest openvpnserv - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest options_parse - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest packet_id - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest pkt - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest provider - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest ssl - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest tls_crypt - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest user_pass - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest argv - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest auth_token - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest buffer - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest crypto - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest cryptoapi - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest misc - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest ncp - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest openvpnserv - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest options_parse - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest packet_id - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest pkt - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest provider - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest ssl - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest tls_crypt - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest user_pass - x86 - Release - OSSL (push) Has been cancelled Details 2022->2026 Github: OpenVPN/openvpn#1012 Change-Id: Ie838a5491089cc6b11970aee313a18ba52fc4856 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Yuriy Darnobyt <yura.uddr@gmail.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1629 Message-Id: <20260420174735.18824-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36696.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `25a3cec98d`)	2026-04-21 08:18:25 +02:00
Frank Lichtenheld	66be31fe49	GHA: Factor out building SSL libs to a reusable workflow Some checks are pending Build / mingw unittest pkt - x86 - Release - OSSL (push) Blocked by required conditions Details Build / mingw unittest provider - x86 - Release - OSSL (push) Blocked by required conditions Details Build / mingw unittest ssl - x86 - Release - OSSL (push) Blocked by required conditions Details Build / mingw unittest tls_crypt - x86 - Release - OSSL (push) Blocked by required conditions Details Build / mingw unittest user_pass - x86 - Release - OSSL (push) Blocked by required conditions Details Build / gcc - ubuntu-24.04 - OpenSSL 3.0.13 --enable-pkcs11 (push) Waiting to run Details Build / gcc - ubuntu-22.04 - OpenSSL 3.0.2 --enable-pkcs11 (push) Waiting to run Details Build / clang-asan - ubuntu-22.04 - openssl (push) Waiting to run Details Build / clang-asan - ubuntu-24.04 - openssl (push) Waiting to run Details Build / macos-14 - libressl - asan (push) Waiting to run Details Build / macos-14 - openssl@3 - asan (push) Waiting to run Details Build / macos-15 - libressl - asan (push) Waiting to run Details Build / macos-15 - openssl@3 - asan (push) Waiting to run Details Build / macos-26 - libressl - asan (push) Waiting to run Details Build / macos-26 - openssl@3 - asan (push) Waiting to run Details Build / macos-14 - libressl - normal (push) Waiting to run Details Build / macos-14 - openssl@3 - normal (push) Waiting to run Details Build / macos-15 - libressl - normal (push) Waiting to run Details Build / macos-15 - openssl@3 - normal (push) Waiting to run Details Build / macos-26 - libressl - normal (push) Waiting to run Details Build / macos-26 - openssl@3 - normal (push) Waiting to run Details Build / msbuild - amd64 - openssl (push) Waiting to run Details Build / msbuild - amd64-clang - openssl (push) Waiting to run Details Build / msbuild - arm64 - openssl (push) Waiting to run Details Build / msbuild - x86 - openssl (push) Waiting to run Details Build / msbuild - x86-clang - openssl (push) Waiting to run Details Build / libressl (push) Waiting to run Details Build / openssl4 (push) Waiting to run Details Build / mbedtls4 (push) Waiting to run Details Build / aws-lc (push) Waiting to run Details We amassed a lot of code duplication there. Make it easier to track the differences between the libraries. Change-Id: I3d89016ccae297cfa596897c11a518f1ffbe3dc8 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Yuriy Darnobyt <yura.uddr@gmail.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1630 Message-Id: <20260420160732.9492-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36686.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `8485518dce`)	2026-04-20 19:05:46 +02:00
Selva Nair	b450414d10	Inlined credentials: read missing password from management interface When commit `39619b7fab` added support for inlining username only, fallback for password was from console. This is not ideal when graphical UI is in use as there is no console. Instead, query the management interface when possible. This patch just extends a similar fix when username is read from a file and password is missing. As before, any username read from file or inlined is not peserved as we currently have no way of locking the username in the management interface prompt. Change-Id: Ieeb2f980330d485739dbf3d722f107c1dbf704fc Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1599 Message-Id: <20260414055900.17132-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36608.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `287acce1ac`)	2026-04-19 16:07:10 +02:00
Selva Nair	20b4ecd934	verify_x509_name: Improve the error message on failure Print the actual string that was used for the match instead of the whole subject. Github: closes OpenVPN/openvpn#992 Change-Id: I6e7947ab81cf229f0d27714dd563a07ace6bd38a Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1624 Message-Id: <20260414055830.17032-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36606.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `c610746a2c`)	2026-04-19 15:35:15 +02:00
Arne Schwabe	e57d16c820	GHA: Add OpenSSL 4.0 build Change-Id: Ic9c993cb8dcfedfd6f99f416c286e0968eb45255 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1601 Message-Id: <20260417110942.16538-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36648.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `36174520e9`)	2026-04-18 20:33:46 +02:00
Arne Schwabe	8747fcf641	OpenSSL 4.0: Use X509_check_certificate_times instead of X509_cmp_time The X509_cmp_time function is deprecated in OpenSSL 4.0. So we avoid it and use the new API. Change-Id: I6c2eda0e5bbb3a70b404f821e25ded81f0f5ddd5 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1595 Message-Id: <20260417164644.17897-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36651.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `353ec724f9`)	2026-04-18 20:09:42 +02:00
David Benjamin	0588668f4d	ssl_openssl: Fix some CRL mixups There are two ways to load CRLs in OpenSSL. They can be loaded at the X509_STORE, shared across verifications, or loaded per verification at the X509_STORE_CTX. OpenVPN currently does the former. However, it also supports CRL reloading, and tries to reload the CRL file before each connection. OpenSSL does not really have a good way to unload objects from an X509_STORE. OpenVPN currently does it by grabbing the STACK_OF(X509_OBJECT) out of the X509_STORE and manually deleting all the CRLs from it. This mutates an OpenSSL internal object which bumps into problems if OpenSSL ever switches to a more efficient representation. See https://github.com/openssl/openssl/pull/28599 (It's also not thread-safe, though it doesn't look like that impacts OpenVPN? Actually even reading that list doesn't work. See CVE-2024-0397. This OpenSSL API was simply broken.) Additionally, this seems to cause two OpenVPN features to not work together. I gather backend_tls_ctx_reload_crl is trying to clear the CRLs loaded from last time it ran. But tls_ctx_load_ca with a ca_file can also load CRLs. tls_ctx_load_ca with ca_path will also pick up CRLs and backend_tls_ctx_reload_crl actually ends up clobbering some state X509_LOOKUP_hash_dir internally maintains on the X509_STORE. Likewise, tls_verify_crl_missing can get confused between backend_tls_ctx_reload_crl's crl_file-based CRLs and CRLs from tls_ctx_load_ca. Avoid all this by tracking the two CRLs separately. crl_file-based CRLs now go onto a STACK_OF(X509_CRL) tracked on the tls_root_ctx. Now this field can be freely reloaded by OpenVPN without reconfiguring OpenSSL. Instead, pass the current value into OpenSSL at verification time. To do so, we need to use the SSL_CTX_set_cert_verify_callback, which allows swapping out the X509_verify_cert call, and also tweaking the X509_STORE_CTX configuration before starting certificate verification. Context: SSL_CTX_set_cert_verify_callback and the existing verify_callback are not the same. SSL_CTX_set_cert_verify_callback wraps the verification while verify_callback is called multiple times throughout verification. It's too late to reconfigure X509_STORE_CTX in verify_callback. verify_callback is usually not what you want. Sometimes current_cert and error_depth don't quite line up, and cert_hash_remember may end up called multiple times for a single certificate. I suspect some of the other verify_callback logic would also be better done in the new callback, but I've left it alone to keep this change minimal. verify_callback is really only usable for suppressing errors. Application bookkeeping is better down elsewhere. Add .clang-format section for STACK_OF since we otherwise format the line as STACK_OF(X509_CRL) * crls Github: see also openssl/openssl#28599 Signed-off-by: David Benjamin <davidben@google.com> Change-Id: I31ac2a763209114267c35c4a9182a12d8d82f6fe Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Acked-by: MaxF <max@max-fillinger.net> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1289 Message-Id: <20260416174142.28918-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36641.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `2befad4de1`)	2026-04-17 11:35:03 +02:00
Selva Nair	e722fde4aa	Add unit tests for 'auth-user-pass username-only' Some checks failed Build / mingw unittest argv - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest auth_token - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest buffer - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest crypto - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest cryptoapi - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest misc - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest ncp - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest openvpnserv - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest options_parse - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest packet_id - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest pkt - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest provider - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest ssl - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest tls_crypt - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest user_pass - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest argv - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest auth_token - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest buffer - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest crypto - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest cryptoapi - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest misc - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest ncp - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest openvpnserv - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest options_parse - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest packet_id - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest pkt - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest provider - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest ssl - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest tls_crypt - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest user_pass - x86 - Release - OSSL (push) Has been cancelled Details Input from stdin is tested. Change-Id: I1c18b3cf4a454444a61941d88a702a140b0ac23d Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1602 Message-Id: <20260414055805.16974-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36605.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `25c5c42ac2`)	2026-04-15 11:48:32 +02:00
Luis Cruz	de598fc931	build: Use info fetched from version.m4 Some checks are pending Build / mingw unittest ssl - x86 - Release - OSSL (push) Blocked by required conditions Details Build / mingw unittest tls_crypt - x86 - Release - OSSL (push) Blocked by required conditions Details Build / mingw unittest user_pass - x86 - Release - OSSL (push) Blocked by required conditions Details Build / gcc - ubuntu-24.04 - OpenSSL 3.0.13 --enable-pkcs11 (push) Waiting to run Details Build / gcc - ubuntu-22.04 - OpenSSL 3.0.2 --enable-pkcs11 (push) Waiting to run Details Build / clang-asan - ubuntu-22.04 - openssl (push) Waiting to run Details Build / clang-asan - ubuntu-24.04 - openssl (push) Waiting to run Details Build / macos-14 - libressl - asan (push) Waiting to run Details Build / macos-14 - openssl@3 - asan (push) Waiting to run Details Build / macos-15 - libressl - asan (push) Waiting to run Details Build / macos-15 - openssl@3 - asan (push) Waiting to run Details Build / macos-26 - libressl - asan (push) Waiting to run Details Build / macos-26 - openssl@3 - asan (push) Waiting to run Details Build / macos-14 - libressl - normal (push) Waiting to run Details Build / macos-14 - openssl@3 - normal (push) Waiting to run Details Build / macos-15 - libressl - normal (push) Waiting to run Details Build / macos-15 - openssl@3 - normal (push) Waiting to run Details Build / macos-26 - libressl - normal (push) Waiting to run Details Build / macos-26 - openssl@3 - normal (push) Waiting to run Details Build / msbuild - amd64 - openssl (push) Waiting to run Details Build / msbuild - amd64-clang - openssl (push) Waiting to run Details Build / msbuild - arm64 - openssl (push) Waiting to run Details Build / msbuild - x86 - openssl (push) Waiting to run Details Build / msbuild - x86-clang - openssl (push) Waiting to run Details Build / clang asan - ubuntu-24.04 - libressl (push) Waiting to run Details Build / gcc normal - ubuntu-24.04 - libressl (push) Waiting to run Details Build / clang asan - ubuntu-24.04 - mbedtls4 (push) Waiting to run Details Build / gcc normal - ubuntu-24.04 - mbedtls4 (push) Waiting to run Details Build / clang asan - ubuntu-24.04 - awslc (push) Waiting to run Details Build / gcc normal - ubuntu-24.04 - awslc (push) Waiting to run Details Change-Id: I3157e1a228ac7058fca6a88f94076052e33d2e01 Signed-off-by: Luis Cruz <luis.cruz@nordsec.com> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1605 Message-Id: <20260414125637.42082-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36612.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `fbaf4a3837`)	2026-04-14 18:32:37 +02:00
Selva Nair	784ba7a201	Log when writing username/password to TLS buffer fails Currently we get an unhelpful "Key Method #2 failed" error. Add a more specific warning message. Change-Id: I9468811fd434e17645957fc12770aa2b9ed98fb8 Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1600 Message-Id: <20260414055721.16857-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36604.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `fd1fd077ea`)	2026-04-14 18:25:20 +02:00
Arne Schwabe	a4936d3163	Try to emphasise the transition from old ovpn-dco to new ovpn module Some checks failed Build / mingw unittest argv - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest auth_token - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest buffer - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest crypto - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest cryptoapi - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest misc - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest ncp - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest openvpnserv - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest options_parse - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest packet_id - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest pkt - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest provider - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest ssl - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest tls_crypt - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest user_pass - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest argv - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest auth_token - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest buffer - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest crypto - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest cryptoapi - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest misc - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest ncp - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest openvpnserv - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest options_parse - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest packet_id - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest pkt - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest provider - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest ssl - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest tls_crypt - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest user_pass - x86 - Release - OSSL (push) Has been cancelled Details This tries to ensure that the difference between the old and new module is clearer. Also removed a duplicate section about --disable-dco from the manual page. This also changes one instance of ovpn-dco to ovpn that is probably a bug when reusing a tun device. Change-Id: Iff9f6811fdf553f59f2afee0072d7bf90133d328 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@mandelbit.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1550 Message-Id: <20260411090625.18343-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36573.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `b4cb98b5bb`)	2026-04-11 16:39:04 +02:00
Luca Boccassi	d9b48759fe	management: add base64 multi-line input for passwords Some checks failed Build / mingw unittest argv - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest auth_token - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest buffer - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest crypto - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest cryptoapi - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest misc - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest ncp - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest openvpnserv - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest options_parse - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest packet_id - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest pkt - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest provider - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest ssl - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest tls_crypt - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest user_pass - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest argv - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest auth_token - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest buffer - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest crypto - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest cryptoapi - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest misc - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest ncp - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest openvpnserv - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest options_parse - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest packet_id - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest pkt - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest provider - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest ssl - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest tls_crypt - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest user_pass - x86 - Release - OSSL (push) Has been cancelled Details Allow management clients to send long passwords via the usual multi-line base64 encoded protocol. A client declares MCV 5 support and sends a 'password <type>' line, followed by as many lines (each up to 1024 bytes) as needed, in base64 encoded format, terminated by 'END'. This is useful when a password is a JIT-generated use-once token. Declare management version 6 for this feature. Change-Id: Ib99f171fb69d51f2260b44edf8ebe21ac958f233 Signed-off-by: Luca Boccassi <luca.boccassi@gmail.com> Acked-by: Selva Nair <selva.nair@gmail.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1593 Message-Id: <20260330180900.16608-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36360.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `49ff16dd54`)	2026-04-06 12:41:43 +02:00
Frank Lichtenheld	2aaa5e4d7c	win: Fix nrpt_dnssec flag handling Some checks are pending Build / mingw unittest ssl - x86 - Release - OSSL (push) Blocked by required conditions Details Build / mingw unittest tls_crypt - x86 - Release - OSSL (push) Blocked by required conditions Details Build / mingw unittest user_pass - x86 - Release - OSSL (push) Blocked by required conditions Details Build / gcc - ubuntu-24.04 - OpenSSL 3.0.13 --enable-pkcs11 (push) Waiting to run Details Build / gcc - ubuntu-22.04 - OpenSSL 3.0.2 --enable-pkcs11 (push) Waiting to run Details Build / clang-asan - ubuntu-22.04 - openssl (push) Waiting to run Details Build / clang-asan - ubuntu-24.04 - openssl (push) Waiting to run Details Build / macos-14 - libressl - asan (push) Waiting to run Details Build / macos-14 - openssl@3 - asan (push) Waiting to run Details Build / macos-15 - libressl - asan (push) Waiting to run Details Build / macos-15 - openssl@3 - asan (push) Waiting to run Details Build / macos-26 - libressl - asan (push) Waiting to run Details Build / macos-26 - openssl@3 - asan (push) Waiting to run Details Build / macos-14 - libressl - normal (push) Waiting to run Details Build / macos-14 - openssl@3 - normal (push) Waiting to run Details Build / macos-15 - libressl - normal (push) Waiting to run Details Build / macos-15 - openssl@3 - normal (push) Waiting to run Details Build / macos-26 - libressl - normal (push) Waiting to run Details Build / macos-26 - openssl@3 - normal (push) Waiting to run Details Build / msbuild - amd64 - openssl (push) Waiting to run Details Build / msbuild - amd64-clang - openssl (push) Waiting to run Details Build / msbuild - arm64 - openssl (push) Waiting to run Details Build / msbuild - x86 - openssl (push) Waiting to run Details Build / msbuild - x86-clang - openssl (push) Waiting to run Details Build / clang asan - ubuntu-24.04 - libressl (push) Waiting to run Details Build / gcc normal - ubuntu-24.04 - libressl (push) Waiting to run Details Build / clang asan - ubuntu-24.04 - mbedtls4 (push) Waiting to run Details Build / gcc normal - ubuntu-24.04 - mbedtls4 (push) Waiting to run Details Build / clang asan - ubuntu-24.04 - awslc (push) Waiting to run Details Build / gcc normal - ubuntu-24.04 - awslc (push) Waiting to run Details By default the first enum value is 0. But we check whether we set the flag by doing BOOL dnssec = (msg->flags & nrpt_dnssec) != 0; This can't ever be true. Found by cppcheck. Change-Id: Iff5be978817bfc0cd4d78818e7be7b90bad71f3c Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1606 Message-Id: <20260405102209.31528-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36487.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `08a19843a1`)	2026-04-05 16:31:49 +02:00
Frank Lichtenheld	f466964258	openvpnmsica: Fix setting of iTicks in schedule_adapter_delete Some checks are pending Build / mingw unittest ssl - x86 - Release - OSSL (push) Blocked by required conditions Details Build / mingw unittest tls_crypt - x86 - Release - OSSL (push) Blocked by required conditions Details Build / mingw unittest user_pass - x86 - Release - OSSL (push) Blocked by required conditions Details Build / gcc - ubuntu-24.04 - OpenSSL 3.0.13 --enable-pkcs11 (push) Waiting to run Details Build / gcc - ubuntu-22.04 - OpenSSL 3.0.2 --enable-pkcs11 (push) Waiting to run Details Build / clang-asan - ubuntu-22.04 - openssl (push) Waiting to run Details Build / clang-asan - ubuntu-24.04 - openssl (push) Waiting to run Details Build / macos-14 - libressl - asan (push) Waiting to run Details Build / macos-14 - openssl@3 - asan (push) Waiting to run Details Build / macos-15 - libressl - asan (push) Waiting to run Details Build / macos-15 - openssl@3 - asan (push) Waiting to run Details Build / macos-26 - libressl - asan (push) Waiting to run Details Build / macos-26 - openssl@3 - asan (push) Waiting to run Details Build / macos-14 - libressl - normal (push) Waiting to run Details Build / macos-14 - openssl@3 - normal (push) Waiting to run Details Build / macos-15 - libressl - normal (push) Waiting to run Details Build / macos-15 - openssl@3 - normal (push) Waiting to run Details Build / macos-26 - libressl - normal (push) Waiting to run Details Build / macos-26 - openssl@3 - normal (push) Waiting to run Details Build / msbuild - amd64 - openssl (push) Waiting to run Details Build / msbuild - amd64-clang - openssl (push) Waiting to run Details Build / msbuild - arm64 - openssl (push) Waiting to run Details Build / msbuild - x86 - openssl (push) Waiting to run Details Build / msbuild - x86-clang - openssl (push) Waiting to run Details Build / clang asan - ubuntu-24.04 - libressl (push) Waiting to run Details Build / gcc normal - ubuntu-24.04 - libressl (push) Waiting to run Details Build / clang asan - ubuntu-24.04 - mbedtls4 (push) Waiting to run Details Build / gcc normal - ubuntu-24.04 - mbedtls4 (push) Waiting to run Details Build / clang asan - ubuntu-24.04 - awslc (push) Waiting to run Details Build / gcc normal - ubuntu-24.04 - awslc (push) Waiting to run Details Increase the integer, not the pointer. Found by cppcheck. Change-Id: I4d6501ddfb321f57a76841f29ff92c5a412908bb Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1608 Message-Id: <20260404203525.30790-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36476.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `4494a34396`)	2026-04-05 12:17:14 +02:00
Arne Schwabe	c3dd2ab23e	Do not access internals of ASN1_INTEGER to print hex of serial Some checks are pending Build / mingw unittest ssl - x86 - Release - OSSL (push) Blocked by required conditions Details Build / mingw unittest tls_crypt - x86 - Release - OSSL (push) Blocked by required conditions Details Build / mingw unittest user_pass - x86 - Release - OSSL (push) Blocked by required conditions Details Build / gcc - ubuntu-24.04 - OpenSSL 3.0.13 --enable-pkcs11 (push) Waiting to run Details Build / gcc - ubuntu-22.04 - OpenSSL 3.0.2 --enable-pkcs11 (push) Waiting to run Details Build / clang-asan - ubuntu-22.04 - openssl (push) Waiting to run Details Build / clang-asan - ubuntu-24.04 - openssl (push) Waiting to run Details Build / macos-14 - libressl - asan (push) Waiting to run Details Build / macos-14 - openssl@3 - asan (push) Waiting to run Details Build / macos-15 - libressl - asan (push) Waiting to run Details Build / macos-15 - openssl@3 - asan (push) Waiting to run Details Build / macos-26 - libressl - asan (push) Waiting to run Details Build / macos-26 - openssl@3 - asan (push) Waiting to run Details Build / macos-14 - libressl - normal (push) Waiting to run Details Build / macos-14 - openssl@3 - normal (push) Waiting to run Details Build / macos-15 - libressl - normal (push) Waiting to run Details Build / macos-15 - openssl@3 - normal (push) Waiting to run Details Build / macos-26 - libressl - normal (push) Waiting to run Details Build / macos-26 - openssl@3 - normal (push) Waiting to run Details Build / msbuild - amd64 - openssl (push) Waiting to run Details Build / msbuild - amd64-clang - openssl (push) Waiting to run Details Build / msbuild - arm64 - openssl (push) Waiting to run Details Build / msbuild - x86 - openssl (push) Waiting to run Details Build / msbuild - x86-clang - openssl (push) Waiting to run Details Build / clang asan - ubuntu-24.04 - libressl (push) Waiting to run Details Build / gcc normal - ubuntu-24.04 - libressl (push) Waiting to run Details Build / clang asan - ubuntu-24.04 - mbedtls4 (push) Waiting to run Details Build / gcc normal - ubuntu-24.04 - mbedtls4 (push) Waiting to run Details Build / clang asan - ubuntu-24.04 - awslc (push) Waiting to run Details Build / gcc normal - ubuntu-24.04 - awslc (push) Waiting to run Details OpenSSL 4.0 does not allow internal access to to these data structures anymore. So use public methods to get the serial data and convert it to hex. Change-Id: I5158fbb0762443ea4954e5745f520e83e019ed30 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1589 Message-Id: <20260404155726.7696-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36459.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `59934618e7`)	2026-04-04 22:16:40 +02:00
Frank Lichtenheld	06a0d8bcb1	doc: Remove some explanations for pre-2.3 configurations Just streamline the documentation a bit. Change-Id: Ieaaf3a79642c8f7914f9bfc6762ad601c4f5695b Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1603 Message-Id: <20260402120435.39983-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36434.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `ecda555404`)	2026-04-04 17:53:24 +02:00
Arne Schwabe	120bc506b0	OpenSSL 4.0: Make X509 objects const In OpenSSL 4.0 a lot of the APIs have changed to return const objects. Adjust our source code to use const objects as well. Change-Id: Iea1d13c160599f134587c6f1c2f4a90e7f5e3991 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1596 Message-Id: <20260402121049.41102-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36437.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `9b663a0824`)	2026-04-04 17:31:19 +02:00
Arne Schwabe	490364ce09	Add unit test for printing various details of certificates These unit tests will ensure that refactoring of these methods does not change the output. Change-Id: Iacbd8195cdedc7226bddc686ca8dccf9f25f8842 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1598 Message-Id: <20260331173403.3082-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36389.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `27d1b9a0da`)	2026-04-04 16:09:55 +02:00
Arne Schwabe	4d16f2a604	Rename key* to privkey* in cert_data.h The name key2 conflicts with our struct key2 and prevents these test keys from being used in test_ssl.c Change-Id: Id8680e6555a66024417d6eb9322d4fde79922453 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1597 Message-Id: <20260401102247.21915-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36401.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `579046470f`)	2026-04-04 16:02:30 +02:00
Arne Schwabe	86d272cd6d	Use ASN1_BIT_STRING_get_bit to check for netscape certificate usage The ASN_BIT_STRING object has become opaque in OpenSSL 4.0. So instead of accessing the internal, we have to use a method now to check these attributes. The bit counting in ASN.1 and of this method is a bit strange and it will count bits from the left instead of the right, so the previous mask of 0x80 for clients is now 0 and 0x40 for server is now 1. Change-Id: I77500d435f212a4bf42ee8cfca07d0285fe694f2 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1587 Message-Id: <20260404072336.30014-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36446.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `8ce6f8d166`)	2026-04-04 15:49:55 +02:00
Greg Cox	081eb6ec44	Update --learn-address man page with ipv6 information Some checks failed Build / mingw unittest argv - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest auth_token - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest buffer - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest crypto - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest cryptoapi - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest misc - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest ncp - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest openvpnserv - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest options_parse - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest packet_id - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest pkt - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest provider - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest ssl - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest tls_crypt - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest user_pass - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest argv - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest auth_token - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest buffer - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest crypto - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest cryptoapi - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest misc - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest ncp - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest openvpnserv - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest options_parse - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest packet_id - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest pkt - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest provider - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest ssl - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest tls_crypt - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest user_pass - x86 - Release - OSSL (push) Has been cancelled Details The `--learn-address` option is very v4-specific in its man page. This expands the docs based on things I tripped over when bringing up a dual-stack server. Signed-off-by: Greg Cox <gcox@mozilla.com> Github: closes OpenVPN/openvpn#1009 Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20260330231355.84547-2-gcox@mozilla.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36363.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `c39742d1a7`)	2026-03-31 15:52:08 +02:00
Gert Doering	5c4e4c0867	OpenVPN Release 2.7.1 version.m4, ChangeLog, Changes.rst Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-03-30 18:49:56 +02:00
Selva Nair	96781b42f2	Add an optional username-only flag for auth-user-pass Some checks are pending Build / mingw unittest ssl - x86 - Release - OSSL (push) Blocked by required conditions Details Build / mingw unittest tls_crypt - x86 - Release - OSSL (push) Blocked by required conditions Details Build / mingw unittest user_pass - x86 - Release - OSSL (push) Blocked by required conditions Details Build / gcc - ubuntu-24.04 - OpenSSL 3.0.13 --enable-pkcs11 (push) Waiting to run Details Build / gcc - ubuntu-22.04 - OpenSSL 3.0.2 --enable-pkcs11 (push) Waiting to run Details Build / clang-asan - ubuntu-22.04 - openssl (push) Waiting to run Details Build / clang-asan - ubuntu-24.04 - openssl (push) Waiting to run Details Build / macos-14 - libressl - asan (push) Waiting to run Details Build / macos-14 - openssl@3 - asan (push) Waiting to run Details Build / macos-15 - libressl - asan (push) Waiting to run Details Build / macos-15 - openssl@3 - asan (push) Waiting to run Details Build / macos-26 - libressl - asan (push) Waiting to run Details Build / macos-26 - openssl@3 - asan (push) Waiting to run Details Build / macos-14 - libressl - normal (push) Waiting to run Details Build / macos-14 - openssl@3 - normal (push) Waiting to run Details Build / macos-15 - libressl - normal (push) Waiting to run Details Build / macos-15 - openssl@3 - normal (push) Waiting to run Details Build / macos-26 - libressl - normal (push) Waiting to run Details Build / macos-26 - openssl@3 - normal (push) Waiting to run Details Build / msbuild - amd64 - openssl (push) Waiting to run Details Build / msbuild - amd64-clang - openssl (push) Waiting to run Details Build / msbuild - arm64 - openssl (push) Waiting to run Details Build / msbuild - x86 - openssl (push) Waiting to run Details Build / msbuild - x86-clang - openssl (push) Waiting to run Details Build / clang asan - ubuntu-24.04 - libressl (push) Waiting to run Details Build / gcc normal - ubuntu-24.04 - libressl (push) Waiting to run Details Build / clang asan - ubuntu-24.04 - mbedtls4 (push) Waiting to run Details Build / gcc normal - ubuntu-24.04 - mbedtls4 (push) Waiting to run Details Build / clang asan - ubuntu-24.04 - awslc (push) Waiting to run Details Build / gcc normal - ubuntu-24.04 - awslc (push) Waiting to run Details Specify "--auth-user-pass username-only" for openvpn to prompt for only username, not password. Prompt via management interface uses the usual ">PASSWORD 'Auth' " prompt with type "username" instead of "username/password". Internally, the password gets set as "[[BLANK]]" which is currently used as tag for blank password. Not compatible with --static-challenge or when username and password are inlined or read from a file. In such cases, the user hard-code a dummy password in the file instead. Change-Id: I788f76e6a70a9c20bca3367140d2741bd0551582 Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1548 Message-Id: <20260303142819.6123-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35855.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `dfbf80b0a0`)	2026-03-30 14:35:49 +02:00
Gianmarco De Gregori	b5039975bf	socket: restore per-connection lport override over global default OpenVPN 2.7.x introduced a regression where --lport specified inside a <connection> block did not override a globally defined local port. As a result, the socket was bound to the global default port instead of the per-connection value. Adjust the socket local_port selection logic to honour local_port_defined when set for the active connection profile. This change restores the documented and previously working behaviour from 2.6.x, where connection-level lport takes precedence over global defaults. Github: closes OpenVPN/openvpn#995 Change-Id: I7cf5d5ef7e2531f397ad97baf4663e3763072f6b Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com> Acked-by: Antonio Quartulli <antonio@mandelbit.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1555 Message-Id: <20260316134841.28362-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36164.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `7ac5f89023`)	2026-03-30 13:27:44 +02:00
Haixiao Yan	66989b384d	tests: skip test execution when cross-compiling The auth-pam unit test Makefile.am unconditionally assigns the TESTS variable, causing test execution to fail during cross-compilation because the target binaries are not executable on the build host. Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> Acked-By: Frank Lichtenheld <frank@lichtenheld.com> Message-Id: <20260326062016.3856597-1-haixiao.yan.cn@windriver.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36288.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `690aace41a`)	2026-03-30 13:05:38 +02:00
Arne Schwabe	216c76324d	Increase default size of internal hash maps to 4 * --max-clients Some checks failed Build / mingw unittest argv - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest auth_token - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest buffer - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest crypto - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest cryptoapi - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest misc - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest ncp - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest openvpnserv - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest options_parse - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest packet_id - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest pkt - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest provider - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest ssl - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest tls_crypt - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest user_pass - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest argv - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest auth_token - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest buffer - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest crypto - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest cryptoapi - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest misc - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest ncp - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest openvpnserv - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest options_parse - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest packet_id - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest pkt - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest provider - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest ssl - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest tls_crypt - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest user_pass - x86 - Release - OSSL (push) Has been cancelled Details The default of 256 seems quite low as with (at least) 1024 possible entries (the --max-clients default setting) we have a guaranteed collisions. Using 4 times the number of possible entries for real addresses should reduce collisions quite a bit while also leaving some headroom for the virtual addresses hash where a client might have more than one address. A reason to keep the limit so low are the memory requirements. Each bucket has the size of one linked-list pointer (4 byte or 32 bit and 8 byte for 64 bit). So 256 buckets use 1 or 2 kB while 4096 will use 16 kB or 32 kB. When the current limit was set 20 years ago this might have been a meaningful memory saving but today the collision probability is more important. Change-Id: Ia699b0dfa407ac377970bb130434298eaaec592b Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@mandelbit.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1563 Message-Id: <20260325124526.124049-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36268.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `7b5ebf7c44`)	2026-03-26 15:48:10 +01:00
Arne Schwabe	82f676574d	Use const specifices in extract_x509_field_ssl The new OpenSSL 4.0 will return const objects from these objects, so make them const in our code as well. Change-Id: Ia43bb88d9ddf2e82c638011353a64c770f2c2c0a Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1588 Message-Id: <20260326110658.25741-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36291.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `3316a18ebe`)	2026-03-26 15:17:35 +01:00
Arne Schwabe	4577a0dc21	Do not support tls_ctx_set_cert_profile on AWS-LC SSL_CTX_set_security_level does nothing on AWS-LC and gives a deprecated warning on compile. It is better to give the user a warning than to effectively silently ignore it as well. Change-Id: I74841d3611c62d3c59fc839bc73a0c83ce025262 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1579 Message-Id: <20260322111207.8346-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36243.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `07954eea05`)	2026-03-26 15:10:16 +01:00
Rudi Heitbaum	3888007826	ssl_verify_openssl: use official ASN1_STRING_ API ASN1_STRING are now opaque types in OpenSSL 4.x — the internal data and length fields are no longer directly accessible. Use the accessor API instead. Accessors have been available since OpenSSL 1.1.0 The ASN1_STRING_length accessor is already in use, but not consistently applied. Standardise on using ASN1_STRING_length and ASN1_STRING_get0_data which allows for successful build of OpenSSL 4.x Change-Id: I8adffc3152b5b502a820a8ae0f901717e4831f81 Signed-off-by: Rudi Heitbaum <rudi@heitbaum.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1584 Message-Id: <20260323121908.730-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36254.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `dc4a9255f1`)	2026-03-26 15:02:04 +01:00
Frank Lichtenheld	5f0a168311	ssl_verify_openssl: Clean up extract_x509_extension Some checks failed Build / mingw unittest argv - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest auth_token - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest buffer - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest crypto - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest cryptoapi - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest misc - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest ncp - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest openvpnserv - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest options_parse - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest packet_id - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest pkt - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest provider - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest ssl - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest tls_crypt - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest user_pass - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest argv - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest auth_token - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest buffer - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest crypto - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest cryptoapi - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest misc - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest ncp - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest openvpnserv - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest options_parse - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest packet_id - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest pkt - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest provider - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest ssl - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest tls_crypt - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest user_pass - x86 - Release - OSSL (push) Has been cancelled Details * Avoid sign-compare warning when comparing string lengths * Use the nicer alias rfc822Name instead of the general ia5 from the GENERAL_NAME union. * Use the official ASN1_STRING_length API instead of accessing the struct directly. * C11 changes Github: OpenVPN/openvpn#1003 Change-Id: I23cc00aee47aef007ab2e7d50b52c6de299505db Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1507 Message-Id: <20260309133236.29732-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35980.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `66060627a8`)	2026-03-23 13:42:13 +01:00
Arne Schwabe	ca6c9a8886	Use openssl_err_t typedef to deal with difference between TLS libraries Some checks are pending Build / mingw unittest ssl - x86 - Release - OSSL (push) Blocked by required conditions Details Build / mingw unittest tls_crypt - x86 - Release - OSSL (push) Blocked by required conditions Details Build / mingw unittest user_pass - x86 - Release - OSSL (push) Blocked by required conditions Details Build / gcc - ubuntu-24.04 - OpenSSL 3.0.13 --enable-pkcs11 (push) Waiting to run Details Build / gcc - ubuntu-22.04 - OpenSSL 3.0.2 --enable-pkcs11 (push) Waiting to run Details Build / clang-asan - ubuntu-22.04 - openssl (push) Waiting to run Details Build / clang-asan - ubuntu-24.04 - openssl (push) Waiting to run Details Build / macos-14 - libressl - asan (push) Waiting to run Details Build / macos-14 - openssl@3 - asan (push) Waiting to run Details Build / macos-15 - libressl - asan (push) Waiting to run Details Build / macos-15 - openssl@3 - asan (push) Waiting to run Details Build / macos-26 - libressl - asan (push) Waiting to run Details Build / macos-26 - openssl@3 - asan (push) Waiting to run Details Build / macos-14 - libressl - normal (push) Waiting to run Details Build / macos-14 - openssl@3 - normal (push) Waiting to run Details Build / macos-15 - libressl - normal (push) Waiting to run Details Build / macos-15 - openssl@3 - normal (push) Waiting to run Details Build / macos-26 - libressl - normal (push) Waiting to run Details Build / macos-26 - openssl@3 - normal (push) Waiting to run Details Build / msbuild - amd64 - openssl (push) Waiting to run Details Build / msbuild - amd64-clang - openssl (push) Waiting to run Details Build / msbuild - arm64 - openssl (push) Waiting to run Details Build / msbuild - x86 - openssl (push) Waiting to run Details Build / msbuild - x86-clang - openssl (push) Waiting to run Details Build / clang asan - ubuntu-24.04 - libressl (push) Waiting to run Details Build / gcc normal - ubuntu-24.04 - libressl (push) Waiting to run Details Build / clang asan - ubuntu-24.04 - mbedtls4 (push) Waiting to run Details Build / gcc normal - ubuntu-24.04 - mbedtls4 (push) Waiting to run Details Build / clang asan - ubuntu-24.04 - awslc (push) Waiting to run Details Build / gcc normal - ubuntu-24.04 - awslc (push) Waiting to run Details AWS-LC and OpenSSL disagree on the type of that errors are reported in. Instead of having a lot of glue code and casting back and forth, use a typedef to always use the right type. Change-Id: I4adbdf0c8b82fd7de309aa5f6f3b0c8157c5ffe7 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1578 Message-Id: <20260322111131.8251-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36242.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `ee2af6655d`)	2026-03-22 13:01:00 +01:00
Arne Schwabe	6dc947e21d	GHA: Cache built crypto libraries Semver code changes by Frank Change-Id: Ie21fdb01b843a7af09fcd469b08c775eee7e3745 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1577 Message-Id: <20260322103820.4717-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36238.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `a84f8cf60c`)	2026-03-22 11:42:22 +01:00
Arne Schwabe	0bb9a25021	Remove unnecessary OpenSSL init and cleanup commands in unit tests Some checks failed Build / mingw unittest argv - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest auth_token - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest buffer - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest crypto - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest cryptoapi - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest misc - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest ncp - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest openvpnserv - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest options_parse - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest packet_id - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest pkt - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest provider - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest ssl - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest tls_crypt - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest user_pass - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest argv - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest auth_token - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest buffer - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest crypto - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest cryptoapi - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest misc - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest ncp - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest openvpnserv - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest options_parse - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest packet_id - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest pkt - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest provider - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest ssl - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest tls_crypt - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest user_pass - x86 - Release - OSSL (push) Has been cancelled Details After the removal of OpenSSL 1.0.2 support these instructions are no longer needed and the main OpenVPN program also no longer calls them in init_ssl_lib or free_ssl_lib. Also remove them from the unit tests. This also solves a deprecation warning on EVP_cleanup when compiling with aws-lc Change-Id: I228f6fd9ff18256f09d4348df1fc48853f8e7306 Signed-off-by: Arne Schwabe <arne-openvpn@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1568 Message-Id: <20260316121148.25189-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36153.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `369c751078`)	2026-03-16 14:47:34 +01:00
Heiko Hund	40050f3786	doc: fix typo with --ingore-unknown-option Some checks failed Build / mingw unittest argv - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest auth_token - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest buffer - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest crypto - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest cryptoapi - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest misc - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest ncp - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest openvpnserv - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest options_parse - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest packet_id - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest pkt - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest provider - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest ssl - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest tls_crypt - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest user_pass - x86 - Debug - OSSL (push) Has been cancelled Details Build / mingw unittest argv - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest auth_token - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest buffer - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest crypto - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest cryptoapi - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest misc - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest ncp - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest openvpnserv - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest options_parse - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest packet_id - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest pkt - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest provider - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest ssl - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest tls_crypt - x86 - Release - OSSL (push) Has been cancelled Details Build / mingw unittest user_pass - x86 - Release - OSSL (push) Has been cancelled Details Change-Id: Ie502c982bda67d55ee74e4f2f66c26ea82698e60 Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1575 Message-Id: <20260313104615.15951-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36085.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `c26437c0d3`)	2026-03-14 17:55:12 +01:00
Heiko Hund	78314ce757	doc: improve Windows-specific options section Change-Id: I29a33ac23f3c1a7cf16196aecc46ec3597a22175 Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1574 Message-Id: <20260313103707.14534-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36084.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `3459f09f49`)	2026-03-14 17:53:21 +01:00
Frank Lichtenheld	8a156abb4b	systemd: Change LimitNPROC to TasksMax and increase limit There were some complaints about valid setups that ran into problems with LimitNPROC. This is especially true since LimitNPROC limits the total amounts of threads running for the same uid, so if multiple openvpn services run under the same user, they will compete for resources. As suggested in the systemd documentation change this to TasksMax which really counts the threads running in one specific service. Also increase the limit. When using e.g. resolvconf for DNS configuration the limit can be exhausted just due to the amount of nested shell scripts. Github: Fixes OpenVPN/openvpn#929 Change-Id: Ic877f9a9c6459c6eb97cde1099f47f0b196b8084 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1539 Message-Id: <20260313223833.3813-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36123.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `c02964f0b2`)	2026-03-14 11:48:48 +01:00
Arne Schwabe	1b2518e67c	Show version and double check we use the right TLS library in Github Actions Some checks are pending Build / mingw unittest ssl - x86 - Release - OSSL (push) Blocked by required conditions Details Build / mingw unittest tls_crypt - x86 - Release - OSSL (push) Blocked by required conditions Details Build / mingw unittest user_pass - x86 - Release - OSSL (push) Blocked by required conditions Details Build / gcc - ubuntu-24.04 - OpenSSL 3.0.13 --enable-pkcs11 (push) Waiting to run Details Build / gcc - ubuntu-22.04 - OpenSSL 3.0.2 --enable-pkcs11 (push) Waiting to run Details Build / clang-asan - ubuntu-22.04 - openssl (push) Waiting to run Details Build / clang-asan - ubuntu-24.04 - openssl (push) Waiting to run Details Build / macos-14 - libressl - asan (push) Waiting to run Details Build / macos-14 - openssl@3 - asan (push) Waiting to run Details Build / macos-15 - libressl - asan (push) Waiting to run Details Build / macos-15 - openssl@3 - asan (push) Waiting to run Details Build / macos-26 - libressl - asan (push) Waiting to run Details Build / macos-26 - openssl@3 - asan (push) Waiting to run Details Build / macos-14 - libressl - normal (push) Waiting to run Details Build / macos-14 - openssl@3 - normal (push) Waiting to run Details Build / macos-15 - libressl - normal (push) Waiting to run Details Build / macos-15 - openssl@3 - normal (push) Waiting to run Details Build / macos-26 - libressl - normal (push) Waiting to run Details Build / macos-26 - openssl@3 - normal (push) Waiting to run Details Build / msbuild - amd64 - openssl (push) Waiting to run Details Build / msbuild - amd64-clang - openssl (push) Waiting to run Details Build / msbuild - arm64 - openssl (push) Waiting to run Details Build / msbuild - x86 - openssl (push) Waiting to run Details Build / msbuild - x86-clang - openssl (push) Waiting to run Details Build / clang asan - ubuntu-24.04 - libressl (push) Waiting to run Details Build / gcc normal - ubuntu-24.04 - libressl (push) Waiting to run Details Build / clang asan - ubuntu-24.04 - mbedtls4 (push) Waiting to run Details Build / gcc normal - ubuntu-24.04 - mbedtls4 (push) Waiting to run Details Build / clang asan - ubuntu-24.04 - awslc (push) Waiting to run Details Build / gcc normal - ubuntu-24.04 - awslc (push) Waiting to run Details We recently discovered that the AWS-LC builds in Github Actions were actually using OpenSSL. This will now cause an error if something like this happens in the future again. Change-Id: Ia929c949cceaabe21a2937ad3217052aec4b2b4c Signed-off-by: Arne Schwabe <arne-openvpn@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1566 Message-Id: <20260313175324.12121-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36115.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit `a659605d8c`)	2026-03-13 23:26:50 +01:00

1 2 3 4 5 ...

4568 commits