Comparing changes
base repository: OpenVPN/openvpn, base: v2.6.15
head repository: OpenVPN/openvpn, compare: v2.6.16
16 commits, 40 files changed, 9 contributors
Commits on Oct 13, 2025
- a53b49e doc: Fix hyperlinks in openvpn(8)

  * http://www.cs.ucsd.edu/users/mihir/papers/hmac.html - 404, RFC104 basically
  * http://sites.inka.de/sites/bigred/devel/tcp-tcp.html - 404, unfortunately
  * http://www.ietf.org/rfc/rfc2246.txt - HTTPS upgrade to the HTML version

  Signed-off-by: Christian Kujau <github@nerdbynature.de>
  Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
  Message-Id: <20251006144249.23672-2-lists@nerdbynature.de>
  URL: https://sourceforge.net/p/openvpn/mailman/message/59242864/
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  (cherry picked from commit 3199fce)
- ca1e632 doc: HTTPS upgrades and URL fixes throughout the tree

  * HTTPS upgrades
  * 404 fixes, with hopefully better helpful links to the relevant documentation
  * some trailing white space fixes
  * resurrect utun-demo.c from a different source
  * Don't touch openvpn.doxyfile.in though, as it was autogenerated
  * Don't touch COPYING as it's an external license file
  * The openvpn.net URLs will be addressed some other time

  Signed-off-by: Christian Kujau <github@nerdbynature.de>
  Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
  Message-Id: <20251006144249.23672-3-lists@nerdbynature.de>
  URL: https://sourceforge.net/p/openvpn/mailman/message/59242866/
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  (cherry picked from commit 8c53b12)
Commits on Oct 17, 2025
- dca6b03 route: Fix an unused-but-set-variable warning on OpenBSD

  So we could enable -Werror for OpenBSD builds.

  Change-Id: Ic971604beb1320d7b9d6121cd8e8519ccc1a7eb9
  Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
  Acked-by: MaxF <max@max-fillinger.net>
  Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1214
  Message-Id: <20251004141935.17815-1-gert@greenie.muc.de>
  URL: https://sourceforge.net/p/openvpn/mailman/message/59242246/
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  (cherry picked from commit 9243ea8)
Commits on Oct 18, 2025
- cf6c12f route: Add #endif comment for uncrustify compliance

  Cherry-pick dca6b03 broke uncrustify compliance. Apparently this one added line pushed it over the limit to require the #endif comment.

  Change-Id: I46d0e4be82a5cc7e466d6e8f658e5b131b5401c4
  Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1284
  Message-Id: <20251017205730.8450-1-gert@greenie.muc.de>
  URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg33428.html
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commits on Oct 23, 2025
- 0848531 Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0

  These ciphers claim to be CBC but since they also include an HMAC they are more a mix of AEAD and CBC. Nevertheless, we do not support these and also have no (good) reason to support them.

  Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d
  Signed-off-by: Arne Schwabe <arne@rfc2549.org>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1295
  Message-Id: <20251023153514.18691-1-gert@greenie.muc.de>
  URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg33849.html
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commits on Oct 27, 2025
- e83c63f ssl_mbedtls: fix missing perf_pop() call

  This was triggered by a bug report submitted by Joshua Rogers, who used ZeroPath to discover we missed a perf_pop() call in one of the error paths of ssl_mbedtls.c. Move an existing perf_pop call a bit upwards to fix that.

  The perf code is always disabled by ENABLE_PERFORMANCE_METRICS being commented out in perf.h. There is no configure flag. None of the active developers remembers using it and the git log shows no actual code changes since at least the project structure overhaul of 2012. So this has no real-world impact.

  Change-Id: I5b6881dc73358c8d1249ee2ceb968ede295105b0
  Signed-off-by: Steffan Karger <steffan@karger.me>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1305
  Message-Id: <20251026143521.13291-1-gert@greenie.muc.de>
  URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg33870.html
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commits on Oct 28, 2025
- 12a2e88 sitnl: set FD_CLOEXEC on socket to prevent abuse

  Since OpenVPN spawns various child processes, it is important that sockets are closed after calling exec. The sitnl socket didn't have the right flag set, resulting in it surviving in, for example, connect/disconnect scripts and giving the latter a chance to abuse the socket.

  Ensure this doesn't happen by setting FD_CLOEXEC on this socket right after creation.

  Reported-by: Joshua Rogers <contact@joshua.hu>
  Found-by: ZeroPath (https://zeropath.com/)
  Change-Id: I54845bf4dd17d06cfc3b402f188795f74f4b1d3e
  Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1314
  Message-Id: <20251028162843.18189-1-gert@greenie.muc.de>
  URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg33952.html
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  (cherry picked from commit b9b5470)
- 2aa8550 tcp: apply CLOEXEC to accepted socket, not listener

  The accept path calls set_cloexec(sd) after accept(). That re-flags the listening socket, which is already CLOEXEC from create_socket_tcp(), and leaves new_sd inheritable. As a result, client-connect and auth scripts spawned after accept can inherit the connected socket and read or write the raw TCP stream. This defeats the stated intent to prevent scripts from accessing the client socket.

  This bug was found using ZeroPath.

  Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Message-Id: <-MNw5Hu8h0rHV18x36ISt7V0UHchIO4i-JoAeV_wlxS1AmDIAe7YVYNput3_r2hiu3HhwxkhGyUhv4-iH_E7mf7nGjvocmGXlDq7Tjly5cE=@joshua.hu>
  URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg33823.html
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  (cherry picked from commit c0d96fd)
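The descriptor hygiene that the two CLOEXEC commits above (sitnl socket, accepted TCP socket) depend on, as an added example that is not OpenVPN's code. set_cloexec(), accept_buggy() and accept_fixed() are names chosen here to mirror the described mistake (flagging the listener after accept() instead of the new descriptor); the AF_UNIX listener under /tmp and the `sh -c 'true <&N'` exec probe are test scaffolding invented for this file, and none of OpenVPN's own APIs are used.

```c
/* cloexec_demo.c: keep sockets from leaking into spawned scripts.
 * Added example, not OpenVPN code. Models the accept-path bug: calling
 * set_cloexec() on the listener after accept() instead of on new_sd. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark fd close-on-exec; 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) {
        return -1;
    }
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

int has_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags >= 0 && (flags & FD_CLOEXEC) != 0;
}

/* Buggy accept path: re-flags the (already CLOEXEC) listener, not new_sd. */
int accept_buggy(int listen_fd)
{
    int new_sd = accept(listen_fd, NULL, NULL);
    if (new_sd >= 0) {
        set_cloexec(listen_fd);   /* wrong descriptor: new_sd stays inheritable */
    }
    return new_sd;
}

/* Fixed accept path: mark the connected socket itself, fail closed on error. */
int accept_fixed(int listen_fd)
{
    int new_sd = accept(listen_fd, NULL, NULL);
    if (new_sd >= 0 && set_cloexec(new_sd) < 0) {
        close(new_sd);
        return -1;
    }
    return new_sd;
}

/* Test rig (constructed): AF_UNIX listener plus in-process clients. */
int make_listener(struct sockaddr_un *addr)
{
    int l = socket(AF_UNIX, SOCK_STREAM, 0);
    if (l < 0) {
        return -1;
    }
    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    snprintf(addr->sun_path, sizeof(addr->sun_path),
             "/tmp/cloexec-demo-%ld.sock", (long)getpid());
    unlink(addr->sun_path);
    if (bind(l, (struct sockaddr *)addr, sizeof(*addr)) < 0 || listen(l, 4) < 0) {
        close(l);
        return -1;
    }
    set_cloexec(l);   /* the listener itself is CLOEXEC, as in the fixed design */
    return l;
}

int connect_client(const struct sockaddr_un *addr)
{
    int c = socket(AF_UNIX, SOCK_STREAM, 0);
    if (c < 0 || connect(c, (const struct sockaddr *)addr, sizeof(*addr)) < 0) {
        if (c >= 0) {
            close(c);
        }
        return -1;
    }
    return c;
}

/* Ground truth: does fd still exist after exec()? `true <&N` in a child shell
 * exits 0 only if descriptor N is open there (a script would see it too). */
int fd_survives_exec(int fd)
{
    char cmd[64];
    int status = 0;
    snprintf(cmd, sizeof(cmd), "true <&%d", fd);
    pid_t pid = fork();
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    waitpid(pid, &status, 0);
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    struct sockaddr_un addr;
    int l = make_listener(&addr);
    int c1 = connect_client(&addr), s1 = accept_buggy(l);
    int c2 = connect_client(&addr), s2 = accept_fixed(l);
    printf("buggy accept: socket survives exec = %d\n", fd_survives_exec(s1)); /* 1 */
    printf("fixed accept: socket survives exec = %d\n", fd_survives_exec(s2)); /* 0 */
    close(c1); close(s1); close(c2); close(s2); close(l);
    unlink(addr.sun_path);
    return 0;
}
```

On Linux the same result is reached atomically with accept4(fd, NULL, NULL, SOCK_CLOEXEC) and socket(..., SOCK_STREAM | SOCK_CLOEXEC, ...), which also closes the window between creation and the fcntl() call in a multithreaded process; the fcntl() form above is the portable one.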
Commits on Oct 30, 2025
- da394db fix key_state_gen_auth_control_files properly checking file creation

  When the auth_failed_reason_file was added, it was forgotten to also add it to the conditions that determine if the file creation was successful.

  Reported-by: Joshua Rogers <contact@joshua.hu>
  Found-by: ZeroPath (https://zeropath.com/)
  Change-Id: I94d2bdd234a1c416b78924d044bf7e57f1bed8c4
  Signed-off-by: Arne Schwabe <arne@rfc2549.org>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1327
  Message-Id: <20251030193940.1295-1-gert@greenie.muc.de>
  URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34067.html
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  (cherry picked from commit 2f8cbf5)
- 5b5fdb0 iservice: check return value of MultiByteToWideChar

  If the first call to MultiByteToWideChar returns 0, something must have failed, because it returns the required buffer size including the terminating zero. When it does return 0, just return NULL and indicate that the call to utf8to16(_size) failed.

  Found by ZeroPath.

  Reported-By: Joshua Rogers <contact@joshua.hu>
  Change-Id: I92804da010bab36cd0326759c04f955f2bda74de
  Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1306
  Message-Id: <20251030194736.2151-1-gert@greenie.muc.de>
  URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34071.html
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  (cherry picked from commit fdd4072)
Commits on Nov 3, 2025
- e02fa39 iservice: use interface index with netsh

  We use the interface index with netsh everywhere else, so convert the remaining invocations of netsh to index use as well.

  Change-Id: I5cf45cfe0567da8fb5d47118a432a35b358f3809
  Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
  Acked-by: Lev Stipakov <lstipakov@gmail.com>
  Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1337
  Message-Id: <20251103091525.22108-1-gert@greenie.muc.de>
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
- a7f5f57 openvpnserv: Disallow stdin as config unless user is authorized

  Reported by: <stephan@srlabs.de>
  Change-Id: I356faeebfade1eed9b40d6700b13621c357ec5ac
  Signed-off-by: Selva Nair <selva.nair@gmail.com>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1343
  Message-Id: <20251103150002.23187-1-gert@greenie.muc.de>
  URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34156.html
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  (cherry picked from commit a3d8c40)
Commits on Nov 4, 2025
- 21d6b66 Use correct undo_list when clearing DNS addresses

  Reported by: <aarnav@srlabs.de>
  Change-Id: Iafac2b8f319457de8e36b427f26ebc27c040c6f7
  Signed-off-by: Selva Nair <selva.nair@gmail.com>
  Acked-by: Lev Stipakov <lstipakov@gmail.com>
  Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1344
  Message-Id: <20251103212523.31409-1-gert@greenie.muc.de>
  URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34171.html
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  (cherry picked from commit 59fed2a)
Commits on Nov 12, 2025
- 4e31670 Fix construction of invalid pointer in tls_pre_decrypt

  In tls_pre_decrypt we construct a pointer ks with an invalid i if i is TM_SIZE, doing an out-of-bounds read in multi->session. This is something that exists at least since 2.3.0 (I didn't go further back but it probably exists in earlier versions as well, as the commits date back to the SVN beta21 branch).

  So we construct the pointer but do not do anything with it if it is invalid, as we check i *after* we construct the pointer `ks`. I suspect that the compiler optimises the bug away at any higher optimisation level.

  Assuming there is no optimisation, let's check what is possible. Since we never use the value `ks` if it is invalid, we do not have to worry whether it ends up invalid or not. The only thing that we have to worry about is whether `session + offsetof(struct tls_session, key[KS_PRIMARY])` is pointing to memory that is valid to read to construct the `ks` pointer. This is outside the tls_multi struct, so this is not guaranteed to be allocated memory, but at the same time it is also only a few bytes (or a few tens/hundreds) after the struct, so the probability is very high that it will be in a memory region that will not cause a segfault on read.

  Every time this condition is hit and we construct the invalid pointer, the log message "TLS Error: Unroutable control packet received" is printed at `verb 1` or higher. And this is a quite common log message, which serves as an indication as well that a crash is not something that typically happens, but that either the optimisation fixes it or the memory region of the invalid access is valid to read from.

  Based on this, this was categorized as "bug, but no way to exploit this, thus no CVE".

  Change-Id: Ided1ac7c804487055b175d8766535bead257b7d5
  Reported-By: Jon Chiappetta <root@fossjon.com>
  Reported-By: Joshua Rogers <contact@joshua.hu>
  Found-by: ZeroPath (https://zeropath.com/)
  Signed-off-by: Arne Schwabe <arne@rfc2549.org>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1373
  Message-Id: <20251112141335.17417-1-gert@greenie.muc.de>
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  (cherry picked from commit 5cdf3f9)
Commits on Nov 17, 2025
- fa6a182 Fix memcmp check for the hmac verification in the 3way handshake being inverted

  This is a stupid mistake but causes all hmac cookies to be accepted, thus breaking source IP address validation. As a consequence, TLS sessions can be opened and state can be consumed in the server from IP addresses that did not initiate an initial connection.

  While at it, fix the check to only allow [t-2;t] timeslots, disallowing HMACs coming in from a future timeslot.

  Github: OpenVPN/openvpn-private-issues#56
  CVE: 2025-13086
  Reported-By: Joshua Rogers <contact@joshua.hu>
  Found-by: ZeroPath (https://zeropath.com/)
  Reported-By: stefan@srlabs.de
  Change-Id: I9cbe2bf535575b47ddd7f34e985c5c1c6953a6fc
  Signed-off-by: Arne Schwabe <arne@rfc2549.org>
  Acked-by: Max Fillinger <max@max-fillinger.net>
  (cherry picked from commit 68ec931e7fb4af11d5ba0d4283df0350083fd373)
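The failure mode of the CVE-2025-13086 commit above, as an added example that is not OpenVPN's code: a stateless cookie check in which a nonzero memcmp() is treated as success beside the corrected check that requires equality for one slot in [t-2; t]. Everything here is a model: toy_tag() is a non-cryptographic FNV-1a stand-in for OpenVPN's real HMAC (so the file builds with no dependencies), the loop over candidate timeslots and the cookie_input fields are assumed structure, and the slot width is not modelled. The future-slot part of the fix appears only as the loop bound in cookie_valid(); the older window is not reproduced.

```c
/* cookie_check.c: HMAC-cookie verification for a stateless 3-way handshake,
 * with the inverted-memcmp bug beside the corrected check.
 * Added example, not OpenVPN's code. toy_tag() is NOT a MAC; it stands in for
 * HMAC(key, slot || addr || session_id) so the accept logic can be exercised. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TAG_LEN     8
#define SLOT_WINDOW 2   /* fixed check accepts slots t-2 .. t (assumes t >= 2) */

struct cookie_input {
    uint8_t  addr[16];      /* client source address */
    uint64_t session_id;    /* client's session id from the initial packet */
};

/* Stand-in keyed tag (FNV-1a over key, slot, address, session id). */
void toy_tag(const uint8_t key[16], uint64_t slot,
             const struct cookie_input *in, uint8_t out[TAG_LEN])
{
    uint8_t buf[16 + 8 + 16 + 8];
    uint64_t h = 0xcbf29ce484222325ULL;
    memcpy(buf, key, 16);
    memcpy(buf + 16, &slot, 8);
    memcpy(buf + 24, in->addr, 16);
    memcpy(buf + 40, &in->session_id, 8);
    for (size_t i = 0; i < sizeof(buf); i++) {
        h ^= buf[i];
        h *= 0x100000001b3ULL;
    }
    memcpy(out, &h, TAG_LEN);
}

/* Constant-time equality, so the comparison leaks no tag bytes via timing. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) {
        diff |= a[i] ^ b[i];
    }
    return diff == 0;
}

/* Buggy form: a NONZERO memcmp() result is taken as a match. At most one
 * candidate slot yields the right tag, so some other slot always differs and
 * every cookie, forged or genuine, is accepted: source-address validation is
 * gone and the peer can open TLS state from any address. */
int cookie_valid_buggy(const uint8_t key[16], uint64_t now_slot,
                       const struct cookie_input *in, const uint8_t tag[TAG_LEN])
{
    for (uint64_t s = now_slot - SLOT_WINDOW; s <= now_slot; s++) {
        uint8_t expect[TAG_LEN];
        toy_tag(key, s, in, expect);
        if (memcmp(expect, tag, TAG_LEN)) {   /* inverted: != 0 means "valid" */
            return 1;
        }
    }
    return 0;
}

/* Fixed form: accept only if the tag matches for one slot in [t-2, t].
 * A tag minted for a future slot (t+1) matches no candidate and is rejected. */
int cookie_valid(const uint8_t key[16], uint64_t now_slot,
                 const struct cookie_input *in, const uint8_t tag[TAG_LEN])
{
    for (uint64_t s = now_slot - SLOT_WINDOW; s <= now_slot; s++) {
        uint8_t expect[TAG_LEN];
        toy_tag(key, s, in, expect);
        if (ct_equal(expect, tag, TAG_LEN)) {
            return 1;
        }
    }
    return 0;
}
```

The test for this kind of check is not "a valid cookie is accepted" but "a cookie with one flipped byte is rejected"; the inverted version passes the first and fails the second, which is why a negative test case belongs next to every MAC comparison.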
- 647b115 version.m4, ChangeLog, Changes.rst

  Signed-off-by: Gert Doering <gert@greenie.muc.de>
The full diff can be generated locally with:
git diff v2.6.15...v2.6.16