Comparing changes

base repository: OpenVPN/openvpn
base: v2.6.17
head repository: OpenVPN/openvpn
compare: v2.6.19
  • 16 commits
  • 32 files changed
  • 7 contributors

Commits on Dec 8, 2025

  1. Prevent crash on invalid server-ipv6 argument

    `get_addr_generic()` expects `openvpn_getaddrinfo()` to return a newly
    allocated struct, but getaddrinfo(3) failure leaves `*ai = NULL` as-is.
    
    On OpenBSD, unlike free(3), freeaddrinfo(3) requires a valid struct,
    thus callers must check the argument to avoid NULL-deref or double-free:
    
    ```
    $ openvpn --server-ipv6 ''
    2025-12-06 11:59:18 RESOLVE: Cannot resolve host address: :[AF_INET6] (no address associated with name)
    Segmentation fault (core dumped)
    ```
    
    Guard against empty `ai`, i.e. failure, like similar code already does:
    
    ```
    $ ./openvpn --server-ipv6 ''
    2025-12-06 12:05:11 RESOLVE: Cannot resolve host address: :[AF_INET6] (no address associated with name)
    Options error: error parsing --server-ipv6 parameter
    Use --help for more information.
    ```
    
    Spotted through a configuration typo "server-ipv6 fd00:/64" with 2.6.17,
    reproduced with and tested against 2.7rc3 on OpenBSD/amd64 7.8-current.
    
    NB: Standards are unclear wrt. freeaddrinfo(3)'s NULL handling;
        Linux, FreeBSD and illumos do check it and thus do not crash.
    
    Github: fixes #930
    
    Change-Id: I99a6604fdfc682f9609bfe7672aa78285084dcb9
    Signed-off-by: Klemens Nanni <kn@openbsd.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1418
    Message-Id: <20251207210529.9949-1-gert@greenie.muc.de>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34870.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    (cherry picked from commit 0ff66c0)
    klemensn authored and cron2 committed Dec 8, 2025
    09c35f8
  2. configure: Try to use pkg-config to detect mbedTLS

    mbedTLS does not seem to have pkg-config support on e.g.
    Debian/Ubuntu, so we definitely need to keep the
    fallback check as well.
    
    Change-Id: I5d0da76018e874cda5dbab9202a2b817ad5e4692
    Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
    Acked-by: Yuriy Darnobyt <yura.uddr@gmail.com>
    Message-Id: <20240906160510.76387-1-frank@lichtenheld.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29090.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1422
    (cherry picked from commit c829f57)
    Message-Id: <20251208194151.17419-1-gert@greenie.muc.de>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34911.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    flichtenheld authored and cron2 committed Dec 8, 2025
    40420d4
  3. configure.ac: Remove use of PKCS11_HELPER_LIBS in mbedTLS checks

    This code was copied over and over since many years,
    since commit 9a3f670
    ("Fixed autoconf script to properly detect missing pkcs11
    with polarssl"). It is unclear what exact purpose it
    served back then but probably it is obsolete. It is
    definitely wrong since it means that you get
    PKCS11_HELPER_LIBS even if you do not specify
    --enable-pkcs11.
    
    Change-Id: I317be5253d6563906dd3826421dc81f737beba76
    Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
    Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
    Message-Id: <20250716151857.385959-1-frank@lichtenheld.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32187.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1423
    (cherry picked from commit ed690d1)
    Message-Id: <20251208194242.17520-1-gert@greenie.muc.de>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34913.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    flichtenheld authored and cron2 committed Dec 8, 2025
    3118c42
  4. tests: Allow to override openvpn binary used

    This makes it easy to test an installed binary for
    example.
    
    Change-Id: Ida7a64a299cd5bf7ae4f0cc725756b5f5cc408f9
    Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20230511101253.369196-1-frank@lichtenheld.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26648.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1424
    (cherry picked from commit d623aa6)
    Message-Id: <20251208193950.16969-1-gert@greenie.muc.de>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34907.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    flichtenheld authored and cron2 committed Dec 8, 2025
    966cdeb
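
The guard described in "Prevent crash on invalid server-ipv6 argument" above, as an added C example that is not taken from the OpenVPN source. `resolve_v6()` and `parse_ipv6_literal()` are hypothetical names, the inputs are constructed, and `AI_NUMERICHOST` is used so the lookup never touches the network.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wrapper (not OpenVPN code): like getaddrinfo(3), it leaves
 * *ai untouched, i.e. NULL, when resolution fails. */
static int resolve_v6(const char *host, struct addrinfo **ai) {
    struct addrinfo hints;
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_INET6;
    hints.ai_socktype = SOCK_DGRAM;
    hints.ai_flags = AI_NUMERICHOST; /* literals only, no DNS */
    return getaddrinfo(host, NULL, &hints, ai);
}

/* Parse an IPv6 literal into *out. Returns 0 on success, -1 on failure.
 * The result pointer starts as NULL and is freed only if it was set. */
int parse_ipv6_literal(const char *host, struct in6_addr *out) {
    struct addrinfo *ai = NULL;
    int ret = -1;
    int status = resolve_v6(host, &ai);

    if (status != 0 || ai == NULL) {
        fprintf(stderr, "cannot resolve '%s': %s\n", host, gai_strerror(status));
    } else if (ai->ai_family == AF_INET6
               && ai->ai_addrlen >= sizeof(struct sockaddr_in6)) {
        struct sockaddr_in6 sin6;
        memcpy(&sin6, ai->ai_addr, sizeof(sin6)); /* copy, no aliasing cast */
        *out = sin6.sin6_addr;
        ret = 0;
    }
    if (ai != NULL) { /* freeaddrinfo(NULL) is not portable */
        freeaddrinfo(ai);
    }
    return ret;
}

int main(void) {
    /* Constructed inputs: empty string, truncated literal, valid literal. */
    const char *inputs[] = { "", "fd00:", "fd00::1" };
    struct in6_addr a;
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        int rc = parse_ipv6_literal(inputs[i], &a);
        printf("'%s' -> %s\n", inputs[i], rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```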

Commits on Dec 9, 2025

  1. pull-filter: improve documentation

    Pull-filter uses a simple string comparison and could be defeated by
    unusual formatting of pushed option strings. Document that this
    option is not meant to be used as a security measure.
    
    Reported by: <aarnav@srlabs.de>
    
    Change-Id: I2c8d40038e52fbdff1c56f93db1e6a2f9255c59a
    Signed-off-by: Selva Nair <selva.nair@gmail.com>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1415
    Message-Id: <20251209070218.4467-1-gert@greenie.muc.de>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34930.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    (cherry picked from commit d3e03b9)
    selvanair authored and cron2 committed Dec 9, 2025
    f8f1e1a

Commits on Dec 10, 2025

  1. tun.c: set IPv4 address temporary on Windows

    Use store=active to set IPv4 address temporary so that
    it will be removed on reboot. This makes the behavior
    consistent with deletion and IPv6, where we already use
    store=active.
    
    https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/netsh-interface
    
    GitHub: fixes #915
    
    Change-Id: I07311f397e6cd278b90c33f024e927c282cd03e4
    Signed-off-by: Lev Stipakov <lev@openvpn.net>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1430
    Message-Id: <20251210075906.27693-1-gert@greenie.muc.de>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34975.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    (cherry picked from commit 93c9b47)
    lstipakov authored and cron2 committed Dec 10, 2025
    3aacb62

Commits on Dec 29, 2025

  1. multi: Warn about failing read in multi_process_file_closed()

    Handle failure explicitly instead of the implicit
    handling by "while (buffer_i < r)".
    
    Backport of 18d1b1f and the relevant
    type fix of 5e5ead5
    
    Reported-by: Marc Heuse <marc@srlabs.de>
    Github: openvpn-private-issues#101
    Change-Id: I950863eeba67b8c006c794245a1a08752cd79fb0
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Antonio Quartulli <antonio@mandelbit.com>
    Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1444
    Message-Id: <20251216111544.27133-1-gert@greenie.muc.de>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35113.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    flichtenheld authored and cron2 committed Dec 29, 2025
    d8a30a5

Commits on Jan 14, 2026

  1. Repair interaction between DCO and persist-tun after reconnection

    When --persist-tun is active, openvpn userland on Linux and FreeBSD fails
    to re-enable "poll for DCO events" after a reconnect (e.g. triggered by
    a ping timeout).  The reconnect will still work fine, but the *next*
    DCO event notification from the kernel will not be received by OpenVPN
    userland, and so the system will get into an inconsistent state (Userland
    assumes "all is well", kernel DCO has disconnected the peer, connection
    is broken until the next tls-renegotiation and/or manual restart, *and* the
    next DCO key setup might fail due to "peer id gone").
    
    This only affects client side, --server tun is always "persistent", and
    there is no "full restart" (and the code path in question is also
    only used for client and p2p server).
    
    The root cause is an incorrect check for "is this interface up?" when
    calling dco_event_set() in forward.c::io_wait() - "c2.did_open_tun" is
    only true if the tun interface was actually configured on this reconnect,
    which it isn't if --persist-tun is active.  Replace with a check for
    "do we have a tuntap structure, and if yes, do we have active DCO?"
    which reflects the original intent much better.
    
    The original code also had a check for "out_socket & EVENT_READ" there,
    which did to some extent avoid calling dco_event_set() for every single
    UDP packet sent and received by userland - but this only worked on initial
    connection, and is always true on reconnect, so this condition was removed
    for simplicity.  We should come back here...
    
    v2:
      - some language fixes on the commit message
      - do not check ->dco.open in forward.c, as this is not available if
        not on FreeBSD, or if compiled with --disable-dco.
        FreeBSD DCO does the "if (!dco || !dco->open)" check in dco_event_set()
        anyway, so it's not needed, and Linux DCO has "dco->nl_sock", which is
        also reliably set/unset, and checked by dco_event_set() already.
    
    Github: #947
    
    Change-Id: Idbd0a47ba4d297a833a350611a23f19fd9a797b5
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Antonio Quartulli <antonio@mandelbit.com>
    Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1473
    Message-Id: <20260114112403.7046-1-gert@greenie.muc.de>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35239.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    (cherry picked from commit 52c3b43)
    cron2 committed Jan 14, 2026
    fae4a9e
  2. Add check for bind-dev in DCO options

    Github: #683
    
    Change-Id: I5d5fca3f5f7a724b4f9ec98832d3a785459f36a5
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Antonio Quartulli <antonio@mandelbit.com>
    Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1447
    Message-Id: <20260114160238.31321-1-gert@greenie.muc.de>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35260.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    BCurrell authored and cron2 committed Jan 14, 2026
    30041d6

Commits on Jan 15, 2026

  1. Ensure that all unit tests use unbuffered stdout and stderr

    stderr is normally always unbuffered but stdout can be buffered. Especially,
    when stdout is redirected it will become buffered while it is normally
    unbuffered when connected to a terminal. This means that if the unit exits
    prematurely, the output in the buffered output will be lost.
    
    As the unit test x_msg mock implementation prints even fatal on stdout
    we ensure with this setup method that stdout is also unbuffered.
    
    Change-Id: I5c06dc13e9d8ab73997f79b13c30ee8949e5e993
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28122.html
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1461
    (cherry picked from commit 7869617)
    Message-Id: <20260115082807.18596-1-gert@greenie.muc.de>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35272.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    schwabe authored and cron2 committed Jan 15, 2026
    be76565
  2. tests/unit_tests: Port to cmocka 2.0.0 API

    But add compat layer so that we can still build
    against older versions of cmocka. Mostly this is
    trivial but the custom check function changed its
    prototype, so that requires some more work.
    
    This backport commit additionally includes the fix
    for test_tls_crypt from commit
    6246f2113f6e1fda13bca8de863dd5cc396ab6ef since the
    other test fixes from the original commit are not
    relevant to release/2.6.
    
    Change-Id: Ifb6594700db71d219643a29c581099c778bcbbc6
    Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1462
    (cherry picked from commit 6db186e)
    Message-Id: <20260115082817.18618-1-gert@greenie.muc.de>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35273.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    flichtenheld authored and cron2 committed Jan 15, 2026
    78c3997

Commits on Jan 27, 2026

  1. manage: Do not trigger actions on management disconnect if not authenticated
    
    If the management interface requires authentication via password
    and the remote did not specify it, do not trigger actions
    requested by --management-forget-disconnect and --management-signal
    on disconnect.
    
    Reported-By: Joshua Rogers <contact@joshua.hu>
    Found-By: ZeroPath (https://zeropath.com)
    Github: openvpn-private-issues#5
    Change-Id: I575d65912ce9065a0b0868e73998b4a9aece62af
    Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
    Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
    Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1484
    Message-Id: <20260122125707.108048-1-frank@lichtenheld.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35390.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    (cherry picked from commit 4bf05d4)
    flichtenheld authored and cron2 committed Jan 27, 2026
    bb27e40

Commits on Jan 29, 2026

  1. tunnel_server_*(): close correct inotify fd

    On a full SIGUSR1 restart of a p2mp server compiled with
    --enable-async-push, tunnel_server_{udp,tcp}() will try to close and
    reopen the "inotify" control file descriptor.  For whatever reason,
    the original code referenced the wrong context, always closing fd 0.
    
    As a consequence of this, on the second SIGUSR1 restart, the server
    will close() the first active socket file descriptor, and if there
    are active DCO clients, the resulting event confusion will lead to
    an ASSERT(!mi->halt).
    
    Fix by closing the correct FD. Add logging.
    
    This is a backport of commit 5521872 to the "old p2mp code"
    with a separate mudp.c and mtcp.c for UDP and TCP servers, respectively.
    
    Github: fixes #966
    
    Change-Id: Idcb1421b9f7fcbee9620fd1d45cceab050751373
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
    Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1499
    Message-Id: <20260128150640.13867-1-gert@greenie.muc.de>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35493.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    cron2 committed Jan 29, 2026
    172fe07
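
Related to "tunnel_server_*(): close correct inotify fd" above, an added C example (not OpenVPN code) of a defensive habit that limits this class of bug: when "no descriptor" is stored as -1 instead of 0, a close issued through a context that never owned the descriptor becomes a logged no-op rather than a close() of fd 0. `struct ctx`, `ctx_init()`, `ctx_close_ctl()` and `restart_demo()` are hypothetical names, and a pipe stands in for the inotify descriptor.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical context owning one control descriptor (not OpenVPN's struct). */
struct ctx { int ctl_fd; };

/* "No descriptor" is -1; a zero-filled struct would hold 0, a valid fd number. */
void ctx_init(struct ctx *c) {
    memset(c, 0, sizeof(*c));
    c->ctl_fd = -1;
}

/* Close the descriptor owned by c at most once and log which one it was.
 * Returns 1 if one was closed, 0 if none was owned, -1 if close() failed. */
int ctx_close_ctl(struct ctx *c, const char *who) {
    if (c->ctl_fd < 0) {
        fprintf(stderr, "%s: no control fd to close\n", who);
        return 0;
    }
    fprintf(stderr, "%s: closing control fd %d\n", who, c->ctl_fd);
    int rc = close(c->ctl_fd);
    c->ctl_fd = -1;
    return rc == 0 ? 1 : -1;
}

int fd_is_open(int fd) { return fcntl(fd, F_GETFD) != -1; }

/* Restart path with an outer context that never owned the descriptor and an
 * inner one that does; a pipe stands in for the inotify descriptor.
 * Returns a bitmask of the checks that held (7 means all three). */
int restart_demo(void) {
    struct ctx outer, inner;
    int p[2], ok = 0;

    ctx_init(&outer);
    ctx_init(&inner);
    if (pipe(p) != 0) {
        return -1;
    }
    inner.ctl_fd = p[0];
    /* Wrong context: with the -1 sentinel this is a logged no-op. */
    if (ctx_close_ctl(&outer, "outer") == 0 && fd_is_open(p[0])) ok |= 1;
    /* Right context: closes exactly the owned descriptor. */
    if (ctx_close_ctl(&inner, "inner") == 1 && !fd_is_open(p[0])) ok |= 2;
    /* Second restart: nothing left to close, the other fd stays open. */
    if (ctx_close_ctl(&inner, "inner") == 0 && fd_is_open(p[1])) ok |= 4;
    close(p[1]);
    return ok;
}

int main(void) {
    printf("check mask: %d (7 = all held)\n", restart_demo());
    return 0;
}
```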

Commits on Feb 2, 2026

  1. preparing release 2.6.18

    version.m4, ChangeLog, Changes.rst
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    cron2 committed Feb 2, 2026
    abd5e17

Commits on Feb 4, 2026

  1. Add missing header in unit tests Makefile.am

    make distcheck fails since we are not listing all headers that are
    used by the unit tests.
    
    Change-Id: I674af04e1a6449544b7def0725337c3b353ea276
    Signed-off-by: Arne Schwabe <arne-openvpn@rfc2549.org>
    (cherry picked from commit c2776ee)
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
    Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1509
    https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35534.html
    Message-Id: <20260204161322.149284-1-frank@lichtenheld.com>
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    schwabe authored and cron2 committed Feb 4, 2026
    09ea8ce
  2. release 2.6.19

    version.m4, ChangeLog, Changes.rst
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    cron2 committed Feb 4, 2026
    5a7604d