Comparing changes

base repository: OpenVPN/openvpn, base: v2.6.16
head repository: OpenVPN/openvpn, compare: v2.6.17
  • 5 commits
  • 7 files changed
  • 3 contributors

Commits on Nov 19, 2025

  1. vcpkg-ports/pkcs11-helper: bump version to 1.31

    RFC7512 patch for pkcs11-uri is rebased to current master,
    fixing minor conflicts.
    
    Change-Id: I032a573df6deaa44b4afce3c2d2fd54f69df6e7a
    Signed-off-by: Selva Nair <[email protected]>
    Acked-by: Frank Lichtenheld <[email protected]>
    Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1368
    Message-Id: <[email protected]>
    URL: https://www.mail-archive.com/[email protected]/msg34527.html
    Signed-off-by: Gert Doering <[email protected]>
    (cherry picked from commit 3d0d4b1)
    selvanair authored and cron2 committed Nov 19, 2025
    Commit 031fdbc

Commits on Nov 25, 2025

  1. Harden interactive service pipe

    - Append a version 4 uuid to ovpn_pipe_name to make it less
      predictable
    - Do not allow remote access to the pipe
    
    This greatly reduces the possibility of a rogue process racing to
    open the pipe before CreateFile() is called in the worker thread.
    
    Reported-by: Marc Heuse <[email protected]>
    Change-Id: Ie66a142751354e421d48b273784fc79bcb9f7208
    Signed-off-by: Selva Nair <[email protected]>
    Acked-by: Gert Doering <[email protected]>
    Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1401
    Message-Id: <[email protected]>
    URL: https://www.mail-archive.com/[email protected]/msg34654.html
    Signed-off-by: Gert Doering <[email protected]>
    selvanair authored and cron2 committed Nov 25, 2025
    Commit a8fb9f6
  2. Restrict access to the service pipe to SYSTEM and owner

    Access is restricted to SYSTEM and pipe client user
    (the user starting openvpn.exe). The default is
    full access to Administrators, owner, and read access
    to everyone. This hardens the pipe further.
    
    Change-Id: I8aa1cf1585e2320fca9329bdd0227976606fe71e
    Signed-off-by: Selva Nair <[email protected]>
    Acked-by: Gert Doering <[email protected]>
    Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1402
    Message-Id: <[email protected]>
    URL: https://www.mail-archive.com/[email protected]/msg34656.html
    Signed-off-by: Gert Doering <[email protected]>
    selvanair authored and cron2 committed Nov 25, 2025
    Commit f410584
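The hardening described in the two commit messages above, written out as an added example that is not OpenVPN's code: a per-client pipe name with a random UUID suffix, a protected DACL that grants access only to SYSTEM and the client user's SID, and PIPE_REJECT_REMOTE_CLIENTS so the pipe cannot be reached from another host. The SDDL string, buffer sizes and helper names are assumptions; the Windows-only part is guarded by _WIN32 so the name and DACL builders compile anywhere.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <sddl.h>
#include <rpc.h>
#endif

/* SDDL for the pipe DACL (assumed form): protected (P, no inherited ACEs), full access
 * for SYSTEM (SY) and for the client user's SID only; Administrators and Everyone get nothing. */
int build_pipe_sddl(char *out, size_t outlen, const char *client_sid)
{
    if (!out || !client_sid || strncmp(client_sid, "S-1-", 4) != 0) return -1;
    int n = snprintf(out, outlen, "D:P(A;;GA;;;SY)(A;;GA;;;%s)", client_sid);
    return (n > 0 && (size_t)n < outlen) ? n : -1;
}

/* Pipe name = fixed base + a 36-character UUID string, so a local process cannot
 * guess or pre-create the instance name. The UUID text is supplied by the caller. */
int build_pipe_name(char *out, size_t outlen, const char *base, const char *uuid)
{
    if (!out || !base || !uuid || strlen(uuid) != 36) return -1;
    int n = snprintf(out, outlen, "\\\\.\\pipe\\%s\\%s", base, uuid);
    return (n > 0 && (size_t)n < outlen) ? n : -1;
}

#ifdef _WIN32
/* Create the listening end: random name, the DACL above, and PIPE_REJECT_REMOTE_CLIENTS.
 * Link with rpcrt4 and advapi32. */
HANDLE create_hardened_pipe(const char *base, const char *client_sid)
{
    UUID u; RPC_CSTR ustr = NULL; char name[256], sddl[256];
    HANDLE h = INVALID_HANDLE_VALUE;
    SECURITY_ATTRIBUTES sa = { sizeof(sa), NULL, FALSE };
    if (UuidCreate(&u) != RPC_S_OK || UuidToStringA(&u, &ustr) != RPC_S_OK) return h;
    if (build_pipe_name(name, sizeof(name), base, (const char *)ustr) < 0
        || build_pipe_sddl(sddl, sizeof(sddl), client_sid) < 0) goto done;
    if (!ConvertStringSecurityDescriptorToSecurityDescriptorA(sddl, SDDL_REVISION_1,
            &sa.lpSecurityDescriptor, NULL)) goto done;
    h = CreateNamedPipeA(name, PIPE_ACCESS_DUPLEX | FILE_FLAG_OVERLAPPED,
            PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT | PIPE_REJECT_REMOTE_CLIENTS,
            PIPE_UNLIMITED_INSTANCES, 4096, 4096, 0, &sa);
    LocalFree(sa.lpSecurityDescriptor);
done:
    RpcStringFreeA(&ustr);
    return h;
}
#endif
```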

Commits on Nov 27, 2025

  1. interactive.c: harden pipe handling against misbehaving clients

    - Handle ConnectNamedPipe ERROR_NO_DATA as a normal
      connect/drop race: log the drop, disconnect/reset
      that instance, and keep listening instead of letting
      a trivial local DoS stop the service.
    
    - Add a timed peek for startup data so a client that
      connects and sends nothing is timed out (IO_TIMEOUT)
      and rejected, instead of leaving a worker thread blocked
      forever and piling up handles.
    
    - Protect the accept loop from resource exhaustion: before
      spawning a worker, check the wait set and reject the client
      if adding another handle would exceed MAXIMUM_WAIT_OBJECTS;
      also skip FlushFileBuffers when no startup data was received
      to avoid hangs on silent clients.
    
    Without these fixes, a malicious local Windows user can make the OpenVPN
    Interactive Service exit-on-error, thus breaking all OpenVPN connections
    until the service is restarted (or the system rebooted).  Thus this has
    been classified as "local denial of service" and CVE-2025-13751 has been
    assigned.
    
    The patch in release/2.6 and release/2.5 is identical to the commit in
    2.7_rc3, except for context diffs (formatting change) and L"" to TEXT("")
    adjustments.
    
    CVE: 2025-13751
    Change-Id: Id6a13b0c8124117bcea2926b16607ef39344015a
    Signed-off-by: Lev Stipakov <[email protected]>
    Acked-by: Selva Nair <[email protected]>
    lstipakov authored and cron2 committed Nov 27, 2025
    Commit 29d8ecc
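An added example, not the patch itself, of the three behaviours the CVE-2025-13751 commit message describes: treating a failed ConnectNamedPipe (including ERROR_NO_DATA) as a connect/drop race, a timed peek for startup data that rejects silent clients, and a wait-set capacity check before a worker is spawned. IO_TIMEOUT_MS, the poll interval, the helper names and the constructed silent client are assumptions; the accept step is _WIN32-only so the portable logic can be exercised offline.

```c
#include <stddef.h>
#ifdef _WIN32
#include <windows.h>
#endif
#ifndef MAXIMUM_WAIT_OBJECTS
#define MAXIMUM_WAIT_OBJECTS 64           /* WaitForMultipleObjects limit on Windows */
#endif
#define IO_TIMEOUT_MS 2000                /* assumed deadline for the client's startup data */

typedef long (*peek_fn)(void *ctx);       /* bytes readable without blocking, -1 on error */
typedef void (*sleep_fn)(unsigned ms);

/* Reject a new client if adding its handle would push the wait set past the limit. */
int wait_set_has_room(size_t handles_in_use) { return handles_in_use + 1 <= MAXIMUM_WAIT_OBJECTS; }

/* Timed peek: >0 bytes available, 0 on timeout (silent client), -1 on peek error. */
long wait_for_startup_data(peek_fn peek, void *ctx, sleep_fn pause, unsigned timeout_ms, unsigned poll_ms)
{
    if (!peek || !pause || poll_ms == 0) return -1;
    for (unsigned waited = 0;; waited += poll_ms) {
        long avail = peek(ctx);
        if (avail != 0) return avail;
        if (waited + poll_ms > timeout_ms) return 0;
        pause(poll_ms);
    }
}

/* Constructed client for offline use: stays silent for *ctx polls, then offers 12 bytes. */
long sim_peek(void *ctx) { int *left = ctx; return (*left)-- > 0 ? 0 : 12; }
void sim_sleep(unsigned ms) { (void)ms; }
#ifdef _WIN32
static long win_peek(void *h) { DWORD n = 0; return PeekNamedPipe((HANDLE)h, NULL, 0, NULL, &n, NULL) ? (long)n : -1; }
static void win_sleep(unsigned ms) { Sleep(ms); }
/* One accept-loop step. A failed ConnectNamedPipe (ERROR_NO_DATA: the client connected
 * and dropped) is a normal race: reset this instance and keep listening, do not exit. */
int accept_one(HANDLE pipe, size_t handles_in_use)
{
    if (!ConnectNamedPipe(pipe, NULL) && GetLastError() != ERROR_PIPE_CONNECTED) {
        DisconnectNamedPipe(pipe);
        return 0;
    }
    if (!wait_set_has_room(handles_in_use)
        || wait_for_startup_data(win_peek, pipe, win_sleep, IO_TIMEOUT_MS, 100) <= 0) {
        DisconnectNamedPipe(pipe);        /* exhausted wait set, silent client, or error */
        return 0;
    }
    return 1;                             /* safe to hand the connection to a worker */
}
#endif
```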

Commits on Nov 28, 2025

  1. preparing release 2.6.17

    version.m4, ChangeLog, Changes.rst
    
    Signed-off-by: Gert Doering <[email protected]>
    cron2 committed Nov 28, 2025
    Commit fa20154