From 3b46b64d13f720ab941e244994971d51af64751b Mon Sep 17 00:00:00 2001
From: Arne Schwabe <arne@openvpn.net>
Date: Mon, 31 Jul 2023 17:28:32 +0200
Subject: [PATCH 01/13] Do not enforce DH parameters in TLS server mode

As also explained in OpenVPN 2.x commit bd9aa06feb4, Diffie Hellman
key exchanges can be optionally be disabled and OpenSSL will then use
only ECDH instead.

Signed-off-by: Arne Schwabe <arne@openvpn.net>
---
 openvpn/mbedtls/ssl/sslctx.hpp |  2 +-
 openvpn/openssl/ssl/sslctx.hpp | 15 ++++++++-------
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/openvpn/mbedtls/ssl/sslctx.hpp b/openvpn/mbedtls/ssl/sslctx.hpp
index d65ed2eb..275e484d 100644
--- a/openvpn/mbedtls/ssl/sslctx.hpp
+++ b/openvpn/mbedtls/ssl/sslctx.hpp
@@ -533,7 +533,7 @@ class MbedTLSContext : public SSLFactoryAPI
             }
 
             // DH
-            if (mode.is_server())
+            if (mode.is_server() && opt.exists("dh"))
             {
                 const std::string &dh_txt = opt.get("dh", 1, Option::MULTILINE);
                 load_dh(dh_txt);
diff --git a/openvpn/openssl/ssl/sslctx.hpp b/openvpn/openssl/ssl/sslctx.hpp
index f77f0147..804ed393 100644
--- a/openvpn/openssl/ssl/sslctx.hpp
+++ b/openvpn/openssl/ssl/sslctx.hpp
@@ -434,7 +434,7 @@ class OpenSSLContext : public SSLFactoryAPI
             }
 
             // DH
-            if (mode.is_server())
+            if (mode.is_server() && opt.exists("dh"))
             {
                 const std::string &dh_txt = opt.get("dh", 1, Option::MULTILINE);
                 load_dh(dh_txt);
@@ -1194,15 +1194,16 @@ class OpenSSLContext : public SSLFactoryAPI
                 throw OpenSSLException("OpenSSLContext: SSL_CTX_new_ex failed for server method");
 
             // Set DH object
-            if (!config->dh.defined())
-                OPENVPN_THROW(ssl_context_error, "OpenSSLContext: DH not defined");
+            if (config->dh.defined())
+            {
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
-            if (!SSL_CTX_set0_tmp_dh_pkey(ctx.get(), config->dh.obj_release()))
-                throw OpenSSLException("OpenSSLContext: SSL_CTX_set0_tmp_dh_pkey failed");
+                if (!SSL_CTX_set0_tmp_dh_pkey(ctx.get(), config->dh.obj_release()))
+                    throw OpenSSLException("OpenSSLContext: SSL_CTX_set0_tmp_dh_pkey failed");
 #else
-            if (!SSL_CTX_set_tmp_dh(ctx.get(), config->dh.obj()))
-                throw OpenSSLException("OpenSSLContext: SSL_CTX_set_tmp_dh failed");
+                if (!SSL_CTX_set_tmp_dh(ctx.get(), config->dh.obj()))
+                    throw OpenSSLException("OpenSSLContext: SSL_CTX_set_tmp_dh failed");
 #endif
+            }
             if (config->flags & SSLConst::SERVER_TO_SERVER)
                 SSL_CTX_set_purpose(ctx.get(), X509_PURPOSE_SSL_SERVER);
 

From 53614a0cce7775ba0ae4a43887ee03aa2fa098cc Mon Sep 17 00:00:00 2001
From: Arne Schwabe <arne@openvpn.net>
Date: Mon, 31 Jul 2023 12:43:44 +0200
Subject: [PATCH 02/13] Properly implement OpenVPN3 checking of --client mode

Earlier implementations just assumed that --client mode is always
present in the config, which lead to config behaving different in
OpenVPN 2.x and 3.x. This creates hard to debug corner cases.

Additionally OpenVPN 3.x was not parsing the tls-client and pull
options. This lead to OpenVPN 3.x erroring on a perfectly legal
config with --pull in it.

Note the original patch was by Merten Fermont <merten.fermont@gmail.com>
but his patch got mangled in the email and when I started to apply
it manually I instead wrote my own version of it since we need
unit tests anyway.
---
 openvpn/client/cliopt.hpp       |  6 ++--
 openvpn/client/cliopthelper.hpp |  2 +-
 test/unittests/test_cliopt.cpp  | 54 ++++++++++++++++++++++++++++-----
 3 files changed, 51 insertions(+), 11 deletions(-)

diff --git a/openvpn/client/cliopt.hpp b/openvpn/client/cliopt.hpp
index f7be44a8..ddddf82c 100644
--- a/openvpn/client/cliopt.hpp
+++ b/openvpn/client/cliopt.hpp
@@ -595,6 +595,9 @@ class ClientOptions : public RC<thread_unsafe_refcount>
         if (opt.exists("fragment"))
             throw option_error("sorry, 'fragment' directive is not supported, nor is connecting to a server that uses 'fragment' directive");
 
+        if (!opt.exists("client"))
+            throw option_error("Neither 'client' nor both 'tls-client' and 'pull' options declared. OpenVPN3 client only supports --client mode.");
+
         // Only p2p mode accept
         if (opt.exists("mode"))
         {
@@ -801,7 +804,6 @@ class ClientOptions : public RC<thread_unsafe_refcount>
         "replay-persist", /* Makes little sense in TLS mode */
         "script-security",
         "sndbuf",
-        "tls-client", /* Always enabled */
         "tmp-dir",
         "tun-ipv6",   /* ignored in v2 as well */
         "txqueuelen", /* so platforms evaluate that in tun, some do not, do not warn about that */
@@ -1180,8 +1182,6 @@ class ClientOptions : public RC<thread_unsafe_refcount>
         cc->set_tls_cert_profile_override(config.tls_cert_profile_override);
         cc->set_tls_cipher_list(config.tls_cipher_list);
         cc->set_tls_ciphersuite_list(config.tls_ciphersuite_list);
-        if (!cc->get_mode().is_client())
-            throw option_error("only client configuration supported");
 
         // client ProtoContext config
         Client::ProtoConfig::Ptr cp(new Client::ProtoConfig());
diff --git a/openvpn/client/cliopthelper.hpp b/openvpn/client/cliopthelper.hpp
index 95aa6664..20384a9e 100644
--- a/openvpn/client/cliopthelper.hpp
+++ b/openvpn/client/cliopthelper.hpp
@@ -367,7 +367,7 @@ class ParseClientConfig
             bool added = false;
 
             // client
-            if (!options.exists("client"))
+            if (options.exists("tls-client") && options.exists("pull"))
             {
                 Option opt;
                 opt.push_back("client");
diff --git a/test/unittests/test_cliopt.cpp b/test/unittests/test_cliopt.cpp
index 9ba72609..ab842067 100644
--- a/test/unittests/test_cliopt.cpp
+++ b/test/unittests/test_cliopt.cpp
@@ -27,13 +27,16 @@ std::string dummysecp256key = "-----BEGIN PRIVATE KEY-----\n"
                               "3oP+eSyQewIqu8XJECJhmt8NoXqNNYRUF0P+Jit8LC2a+2WZeyAwuIYT\n"
                               "-----END PRIVATE KEY-----\n";
 
-std::string minimalConfig = "remote wooden.box\n"
-                            "<ca>\n"
-                            + dummysecp256cert + "</ca>\n"
-                            + "<cert>\n"
-                            + dummysecp256cert + "</cert>\n"
-                            + "<key>\n" + dummysecp256key
-                            + "</key>\n";
+std::string certconfig = "<ca>\n"
+                         + dummysecp256cert + "</ca>\n"
+                         + "<cert>\n"
+                         + dummysecp256cert + "</cert>\n"
+                         + "<key>\n" + dummysecp256key
+                         + "</key>\n";
+
+std::string minimalConfig = certconfig + "\n"
+                            + "client\n"
+                              "remote wooden.box\n";
 
 void load_client_config(const std::string &config_content)
 {
@@ -178,3 +181,40 @@ TEST(config, dco_compatibility)
             "option_error: dco_compatibility: config/options are not compatible with dco");
     }
 }
+
+TEST(config, client_missing_in_config)
+{
+    std::string configNoClient = certconfig + "\nremote 1.2.3.4\n";
+    OVPN_EXPECT_THROW(
+        load_client_config(configNoClient),
+        option_error,
+        "option_error: Neither 'client' nor both 'tls-client' and 'pull' options declared. OpenVPN3 client only supports --client mode.");
+}
+
+TEST(config, pull_and_tlsclient_in_config)
+{
+    std::string configNoClient = certconfig + "\nremote 1.2.3.4\ntls-client\npull\n";
+    /* Should not trigger an error, even without --client in place */
+    load_client_config(configNoClient);
+}
+
+TEST(config, pull_and_client_and_tlsclient_in_config)
+{
+    std::string configNoClient = certconfig + "\nremote 1.2.3.4\ntls-client\npull\nclient\n";
+    /* Should not trigger an error. Redundant options are no problem */
+    load_client_config(configNoClient);
+}
+
+TEST(config, onlypullortlsclient)
+{
+    std::array<std::string, 2> options{"tls-client", "pull"};
+
+    for (const auto &opt : options)
+    {
+        std::string configNoClient = certconfig + "\nremote 1.2.3.4\n" + opt + "\n";
+        OVPN_EXPECT_THROW(
+            load_client_config(configNoClient),
+            option_error,
+            "option_error: Neither 'client' nor both 'tls-client' and 'pull' options declared. OpenVPN3 client only supports --client mode.");
+    }
+}
\ No newline at end of file

From 85b92afe96ee1ed3d8fd5c153c8dda07c00b79bd Mon Sep 17 00:00:00 2001
From: Lev Stipakov <lev@openvpn.net>
Date: Fri, 28 Jul 2023 14:09:26 +0300
Subject: [PATCH 03/13] win/client/tunsetup.hpp: fix IPv4 redirect-gw with IPv6
 remote

redirect-gw is implemented by changing default route to
a GW provided by VPN. For IPv4 before doing that we add
a bypass route to a remote. This is needed only when remote
is not on local network.

The check "is remote on local network" has a wrong assumtion
that remote is IPv4. This is obviously not always the case
since remote could be IPv6. In this case if we want to redirect
IPv4 traffic an exception is thrown inside BestGateway class
while trying to convert IPv6 address to IPv4.

Fix by specifying correct address family based on remote's "ipv6"
flag. Later we add bypass route only if remote is IPv4.

Fixes OVPN3-1004.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
---
 openvpn/tun/win/client/tunsetup.hpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/openvpn/tun/win/client/tunsetup.hpp b/openvpn/tun/win/client/tunsetup.hpp
index ef0f4848..e3543a02 100644
--- a/openvpn/tun/win/client/tunsetup.hpp
+++ b/openvpn/tun/win/client/tunsetup.hpp
@@ -549,7 +549,8 @@ class Setup : public SetupBase
         if (pull.reroute_gw.ipv4)
         {
             // get default gateway
-            const Util::BestGateway gw{AF_INET, pull.remote_address.address, tap.index};
+            ADDRESS_FAMILY af = pull.remote_address.ipv6 ? AF_INET6 : AF_INET;
+            const Util::BestGateway gw{af, pull.remote_address.address, tap.index};
 
             if (!gw.local_route())
             {

From df5f6d58102f5f5e03f5345ae0fbf3146fea3182 Mon Sep 17 00:00:00 2001
From: Frank Lichtenheld <frank@lichtenheld.com>
Date: Mon, 31 Jul 2023 17:03:16 +0200
Subject: [PATCH 04/13] mingw/build: Fix xxHash build

Adapt to vcpkg changes.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
---
 scripts/mingw/build | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/scripts/mingw/build b/scripts/mingw/build
index 248ce4a8..232ae99d 100755
--- a/scripts/mingw/build
+++ b/scripts/mingw/build
@@ -55,9 +55,9 @@ download_deps()
 
     rm -rf xxHash
     git clone https://github.com/Cyan4973/xxHash.git
-    portfile_url=https://raw.githubusercontent.com/microsoft/vcpkg/master/ports/xxhash/portfile.cmake
-    gitref=$(wget -q -O- "$portfile_url" | grep -oP '\bREF\s+\S+' | cut -d' ' -f2)
-    git -C xxHash checkout "${gitref}"
+    portfile_url=https://raw.githubusercontent.com/microsoft/vcpkg/master/ports/xxhash/vcpkg.json
+    gitref=$(wget -q -O- "$portfile_url" | grep -oP '\"version": \"\S+' | cut -d' ' -f2 | tr -d "\",")
+    git -C xxHash checkout "v${gitref}"
 
     popd
 }

From b755783a13257237f85d633fe2ae60e4118415a0 Mon Sep 17 00:00:00 2001
From: Arne Schwabe <arne@openvpn.net>
Date: Wed, 9 Aug 2023 18:07:32 +0200
Subject: [PATCH 05/13] Fix reading MAC address on macOS

The confusing overlapping structs and memory accesses with the
struct lead to use missing a few bytes from being copied. Fix
this by copying from the correct struct.

Signed-off-by: Arne Schwabe <arne@openvpn.net>
---
 openvpn/tun/mac/gwv4.hpp | 41 +++++++++++++++++++++++++++-------------
 1 file changed, 28 insertions(+), 13 deletions(-)

diff --git a/openvpn/tun/mac/gwv4.hpp b/openvpn/tun/mac/gwv4.hpp
index 6508f91f..5cd1ffe0 100644
--- a/openvpn/tun/mac/gwv4.hpp
+++ b/openvpn/tun/mac/gwv4.hpp
@@ -201,7 +201,7 @@ class MacGatewayInfoV4
             struct ifconf ifc;
             const int bufsize = 4096;
 
-            std::unique_ptr<char[]> buffer(new char[bufsize]);
+            const std::unique_ptr<char[]> buffer(new char[bufsize]);
             std::memset(buffer.get(), 0, bufsize);
             sockfd.reset(socket(AF_INET, SOCK_DGRAM, 0));
             if (!sockfd.defined())
@@ -218,26 +218,41 @@ class MacGatewayInfoV4
             {
                 ifreq ifr = {};
                 std::memcpy(&ifr, cp, sizeof(ifr));
-                const size_t len = sizeof(ifr.ifr_name) + std::max(sizeof(ifr.ifr_addr), size_t(ifr.ifr_addr.sa_len));
+                const size_t len = sizeof(ifr.ifr_name) + std::max(sizeof(ifr.ifr_addr), size_t{ifr.ifr_addr.sa_len});
+
                 if (!ifr.ifr_addr.sa_family)
                     break;
                 if (!::strncmp(ifr.ifr_name, iface_, IFNAMSIZ))
                 {
                     if (ifr.ifr_addr.sa_family == AF_LINK)
                     {
-                        /* This is a broken member access. struct sockaddr_dl has
-                         * 20 bytes while if_addr has only 16 bytes. But sockaddr_dl
-                         * has 12 bytes space for the hw address and Ethernet only uses
-                         * 6 bytes. So the last 4 that are truncated can be ignored here
+                        /* This is a confusing member access on multiple levels.
                          *
-                         * So we use a memcpy here to avoid the warnings with ASAN that we
-                         * are doing a very nasty cast here
+                         * struct sockaddr_dl is 20 bytes in size and has
+                         * 12 bytes space for the hw address (6 bytes)
+                         * and Ethernet interface name (max 16 bytes)
+                         *
+                         * So if the interface name is more than 6 byte, it
+                         * extends beyond the struct.
+                         *
+                         * This struct is embedded into ifreq that has
+                         * 16 bytes for a sockaddr and also expects this
+                         * struct to potentially extend beyond the bounds of
+                         * the struct.
+                         *
+                         * Since we only copied 32 bytes from cp to ifr but sdl
+                         * might extend after ifr's end, we  need to copy from
+                         * cp directly to avoid missing out on extra bytes
+                         * behind the struct
                          */
-                        static_assert(sizeof(ifr.ifr_addr) >= 12, "size of if_addr too small to contain MAC");
-                        static_assert(sizeof(sockaddr_dl) >= sizeof(ifr.ifr_addr), "dest struct needs to be larger than source struct");
-                        sockaddr_dl sdl{};
-                        std::memcpy(&sdl, &ifr.ifr_addr, sizeof(ifr.ifr_addr));
-                        hwaddr_.reset((const unsigned char *)LLADDR(&sdl));
+                        const size_t sock_dl_len = std::max(sizeof(sockaddr_dl), size_t{ifr.ifr_addr.sa_len});
+
+                        const std::unique_ptr<char[]> sock_dl_buf(new char[sock_dl_len]);
+                        std::memcpy(sock_dl_buf.get(), cp + offsetof(struct ifreq, ifr_addr), sock_dl_len);
+
+                        const struct sockaddr_dl *sockaddr_dl = reinterpret_cast<struct sockaddr_dl *>(sock_dl_buf.get());
+
+                        hwaddr_.reset(reinterpret_cast<unsigned char *>(LLADDR(sockaddr_dl)));
                         flags_ |= HWADDR_DEFINED;
                     }
                 }

From 1fa0e9589f367fb72629aa1bf7513310150c3eb1 Mon Sep 17 00:00:00 2001
From: Frank Lichtenheld <frank@lichtenheld.com>
Date: Wed, 23 Aug 2023 11:56:01 +0200
Subject: [PATCH 06/13] deps: update mbedTLS to 2.28.4

We're specifically interested in the fix for the unit tests.
("Update test data to avoid failures of unit tests after
2023-08-07")

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
---
 deps/lib-versions                             |  4 +--
 .../0001-relax-x509-date-format-check.patch   | 35 ++++++++-----------
 2 files changed, 17 insertions(+), 22 deletions(-)

diff --git a/deps/lib-versions b/deps/lib-versions
index 1b2f9b79..77aabcfa 100644
--- a/deps/lib-versions
+++ b/deps/lib-versions
@@ -4,8 +4,8 @@ export ASIO_CSUM=cbcaaba0f66722787b1a7c33afe1befb3a012b5af3ad7da7ff0f6b8c9b7a8a5
 export LZ4_VERSION=lz4-1.8.3
 export LZ4_CSUM=33af5936ac06536805f9745e0b6d61da606a1f8b4cc5c04dd3cbaca3b9b4fc43
 
-export MBEDTLS_VERSION=mbedtls-2.28.2
-export MBEDTLS_CSUM=bc55232bf71fd66045122ba9050a29ea7cb2e8f99b064a9e6334a82f715881a0
+export MBEDTLS_VERSION=mbedtls-2.28.4
+export MBEDTLS_CSUM=578c4dcd15bbff3f5cd56aa07cd4f850fc733634e3d5947be4f7157d5bfd81ac
 
 export JSONCPP_VERSION=1.8.4
 export JSONCPP_CSUM=c49deac9e0933bcb7044f08516861a2d560988540b23de2ac1ad443b219afdb6
diff --git a/deps/mbedtls/patches/0001-relax-x509-date-format-check.patch b/deps/mbedtls/patches/0001-relax-x509-date-format-check.patch
index d5406e90..c4ebde64 100644
--- a/deps/mbedtls/patches/0001-relax-x509-date-format-check.patch
+++ b/deps/mbedtls/patches/0001-relax-x509-date-format-check.patch
@@ -12,39 +12,34 @@ diff --git a/library/x509.c b/library/x509.c
 index 264c7fb0c..9372bcb92 100644
 --- a/library/x509.c
 +++ b/library/x509.c
-@@ -556,13 +556,20 @@ static int x509_parse_time( unsigned char **p, size_t len, size_t yearlen,
+@@ -624,11 +624,16 @@ static int x509_parse_time(unsigned char
      /*
       * Parse seconds if present
       */
--    if ( len >= 2 )
-+    if ( len >= 2 && **p >= '0' && **p <= '9' )
-     {
-         CHECK( x509_parse_int( p, 2, &tm->sec ) );
+-    if (len >= 2) {
++    if (len >= 2 && **p >= '0' && **p <= '9') {
+         CHECK(x509_parse_int(p, 2, &tm->sec));
          len -= 2;
-     }
-     else
-+    {
+     } else {
 +#if defined(MBEDTLS_RELAXED_X509_DATE)
-+	/* if relaxed mode, allow seconds to be absent */
-+	tm->sec = 0;
++        /* if relaxed mode, allow seconds to be absent */
++        tm->sec = 0;
 +#else
-         return ( MBEDTLS_ERR_X509_INVALID_DATE );
+         return MBEDTLS_ERR_X509_INVALID_DATE;
 +#endif
-+    }
+     }
  
      /*
-      * Parse trailing 'Z' if present
-@@ -572,6 +579,15 @@ static int x509_parse_time( unsigned char **p, size_t len, size_t yearlen,
+@@ -638,6 +643,14 @@ static int x509_parse_time(unsigned char
          (*p)++;
          len--;
      }
 +#if defined(MBEDTLS_RELAXED_X509_DATE)
-+    else if ( len == 5 && **p == '+' )
-+    {
-+	int tz; /* throwaway timezone */
-+	(*p)++;
-+	CHECK( x509_parse_int( p, 4, &tz ) );
-+	return 0;
++    else if ( len == 5 && **p == '+' ) {
++        int tz; /* throwaway timezone */
++        (*p)++;
++        CHECK( x509_parse_int( p, 4, &tz ) );
++        return 0;
 +    }
 +#endif
  

From 0a690f5dff6516cbc3a66c3b023b021e5fefe579 Mon Sep 17 00:00:00 2001
From: David Sommerseth <davids@openvpn.net>
Date: Wed, 23 Aug 2023 15:54:58 +0200
Subject: [PATCH 07/13] ssl/proto: Clarify sending peer-info debug details

Making it more explicit that the listed items is data being sent to the
server.

Signed-off-by: David Sommerseth <davids@openvpn.net>
---
 openvpn/ssl/proto.hpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/openvpn/ssl/proto.hpp b/openvpn/ssl/proto.hpp
index ae11583d..77b005a3 100644
--- a/openvpn/ssl/proto.hpp
+++ b/openvpn/ssl/proto.hpp
@@ -997,8 +997,8 @@ class ProtoContext
             if (relay_mode)
                 out << "IV_RELAY=1\n";
             const std::string ret = out.str();
-            OPENVPN_LOG_PROTO("Peer Info:" << std::endl
-                                           << ret);
+            OPENVPN_LOG_PROTO("Sending Peer Info:" << std::endl
+                                                   << ret);
             return ret;
         }
 

From 7fc0b701a119bbb4f9d963086faeed405ea5acde Mon Sep 17 00:00:00 2001
From: Lev Stipakov <lev@openvpn.net>
Date: Thu, 24 Aug 2023 15:48:59 +0300
Subject: [PATCH 08/13] Parse meta options from content_list

At the moment meta options are parsed only from
content. This doesn't work well with iOS where
config is imported via content_list. The config might
contain meta options, which currently won't be
recognized as meta and connection won't be established
due to "unknown option" error.

This adds meta options parsing to content_list.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
---
 openvpn/client/cliopthelper.hpp |  2 +-
 openvpn/common/options.hpp      | 21 +++++++++++++++++----
 test/unittests/test_cliopt.cpp  | 26 +++++++++++++++++++++++++-
 3 files changed, 43 insertions(+), 6 deletions(-)

diff --git a/openvpn/client/cliopthelper.hpp b/openvpn/client/cliopthelper.hpp
index 20384a9e..5bb3050b 100644
--- a/openvpn/client/cliopthelper.hpp
+++ b/openvpn/client/cliopthelper.hpp
@@ -358,7 +358,7 @@ class ParseClientConfig
             if (content_list)
             {
                 content_list->preprocess();
-                options.parse_from_key_value_list(*content_list, &limits);
+                options.parse_from_key_value_list(*content_list, "OVPN_ACCESS_SERVER", &limits);
             }
             process_setenv_opt(options);
             options.update_map();
diff --git a/openvpn/common/options.hpp b/openvpn/common/options.hpp
index d594c41a..0fea4483 100644
--- a/openvpn/common/options.hpp
+++ b/openvpn/common/options.hpp
@@ -710,12 +710,22 @@ class OptionList : public std::vector<Option>, public RCCopyable<thread_unsafe_r
             return key.length() + value.length();
         }
 
-        Option convert_to_option(Limits *lim) const
+        Option convert_to_option(Limits *lim, const std::string &meta_prefix) const
         {
             bool newline_present = false;
             Option opt;
             const std::string unesc_value = unescape(value, newline_present);
-            opt.push_back(key);
+
+            if (string::starts_with(key, meta_prefix))
+            {
+                opt.push_back(std::string(key, meta_prefix.length()));
+                opt.set_meta();
+            }
+            else
+            {
+                opt.push_back(key);
+            }
+
             if (newline_present || singular_arg(key))
                 opt.push_back(unesc_value);
             else if (unesc_value != "NOARGS")
@@ -966,14 +976,17 @@ class OptionList : public std::vector<Option>, public RCCopyable<thread_unsafe_r
 
     // caller may want to call list.preprocess() before this function
     // caller should call update_map() after this function
-    void parse_from_key_value_list(const KeyValueList &list, Limits *lim)
+    void parse_from_key_value_list(const KeyValueList &list, const std::string &meta_tag, Limits *lim)
     {
+        const std::string meta_prefix = meta_tag + "_";
+
         for (KeyValueList::const_iterator i = list.begin(); i != list.end(); ++i)
         {
             const KeyValue &kv = **i;
             if (lim)
                 lim->add_bytes(kv.combined_length());
-            const Option opt = kv.convert_to_option(lim);
+
+            Option opt = kv.convert_to_option(lim, meta_prefix);
             if (lim)
             {
                 lim->add_opt();
diff --git a/test/unittests/test_cliopt.cpp b/test/unittests/test_cliopt.cpp
index ab842067..25a4a840 100644
--- a/test/unittests/test_cliopt.cpp
+++ b/test/unittests/test_cliopt.cpp
@@ -217,4 +217,28 @@ TEST(config, onlypullortlsclient)
             option_error,
             "option_error: Neither 'client' nor both 'tls-client' and 'pull' options declared. OpenVPN3 client only supports --client mode.");
     }
-}
\ No newline at end of file
+}
+
+TEST(config, meta_option_in_content)
+{
+    OptionList options;
+    auto cfg = minimalConfig + "\n# OVPN_ACCESS_SERVER_AAA=BBB";
+
+    OptionList::KeyValueList kvl;
+    kvl.push_back(new OptionList::KeyValue("OVPN_ACCESS_SERVER_CCC", "DDD"));
+
+    auto parsed_config = ParseClientConfig::parse(cfg, &kvl, options);
+
+    ClientOptions::Config config;
+    config.dco_compatible = true;
+    config.proto_context_options.reset(new ProtoContextOptions());
+    ClientOptions cliopt(options, config);
+
+    auto opt = options.get("AAA");
+    ASSERT_TRUE(opt.meta());
+    ASSERT_EQ(opt.get(1, 256), "BBB");
+
+    opt = options.get("CCC");
+    ASSERT_TRUE(opt.meta());
+    ASSERT_EQ(opt.get(1, 256), "DDD");
+}

From a5914b80faf8675945e9019fce5906231657a0a3 Mon Sep 17 00:00:00 2001
From: Frank Lichtenheld <frank@lichtenheld.com>
Date: Fri, 25 Aug 2023 13:55:44 +0000
Subject: [PATCH 09/13] test_sitnl: Allow to pass on systems with iproute 6.1.0

On some systems, probably depending on the glibc version,
the ipv6 address will be truncated in the output.
Currently affects only Fedora 38.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
---
 test/unittests/test_sitnl.cpp | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/test/unittests/test_sitnl.cpp b/test/unittests/test_sitnl.cpp
index 3a222adf..8fa2254d 100644
--- a/test/unittests/test_sitnl.cpp
+++ b/test/unittests/test_sitnl.cpp
@@ -251,21 +251,27 @@ TEST_F(SitnlTest, TestAddRoute6)
     ASSERT_EQ(SITNL::net_route_add(IP::Route6(route6), IPv6::Addr::from_string(gw6), dev, 0, 0), 0);
 
     std::string dst{"fe80:20c3:cccc:dddd:cccc:dddd:eeee:ffff"};
+    /* Bug in iproute 6.1.0 with glibc 2.37+ that truncates
+       long ipv6 addresses due to strcpy on overlapping buffers.
+       See also https://bugzilla.redhat.com/show_bug.cgi?id=2209701 */
+    std::string dst_trunc{dst};
+    dst_trunc.resize(31);
 
-    ip_route_get(dst, [this, &dst](std::vector<std::string> &v1, const std::string &out, bool &called)
+    ip_route_get(dst, [this, &dst, &dst_trunc](std::vector<std::string> &v1, const std::string &out, bool &called)
                  {
-	  if (v1[0] == dst)
+	  if (v1[0] == dst || v1[0] == dst_trunc)
 	  {
+	    std::string dst_out = (v1[0] == dst) ? dst : dst_trunc;
 	    called = true;
 	    v1.resize(7);
-	    // iptools 4.15 (Ubuntu 18)
-	    auto expected1 = std::vector<std::string>{dst, "from", "::", "via", gw6, "dev", dev};
+	    // iproute 4.15 (Ubuntu 18)
+	    auto expected1 = std::vector<std::string>{dst_out, "from", "::", "via", gw6, "dev", dev};
 	    auto ok1 = (v1 == expected1);
 
 	    auto v2 = v1;
 	    v2.resize(5);
-	    // iptools 4.11 (CentOS 7)
-	    auto expected2 = std::vector<std::string>{dst, "via", gw6, "dev", dev};
+	    // iproute 4.11 (CentOS 7)
+	    auto expected2 = std::vector<std::string>{dst_out, "via", gw6, "dev", dev};
 	    auto ok2 = (v2 == expected2);
 
 	    if (!ok1 && !ok2)

From 6f538ca0fd84fd0454a3de06786d6c68968ab0cf Mon Sep 17 00:00:00 2001
From: Heiko Hund <heiko@openvpn.net>
Date: Thu, 31 Aug 2023 13:28:55 +0200
Subject: [PATCH 10/13] dns option: fix split DNS on Windows

Unlike OpenVPN v2, v3 support split DNS already, so we need to make sure
that --dns options are added in a way that results in NRPT rules to be set. At
this time that means the --dns resolve-domains are added as search
domains and --dns search-domains (only the first one really) as an
adapter specific domain suffix.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
---
 openvpn/tun/client/tunprop.hpp | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/openvpn/tun/client/tunprop.hpp b/openvpn/tun/client/tunprop.hpp
index 0eeb7c1b..e830d9cd 100644
--- a/openvpn/tun/client/tunprop.hpp
+++ b/openvpn/tun/client/tunprop.hpp
@@ -546,8 +546,9 @@ class TunProp
         DnsOptions dns_options(opt);
         for (const auto &domain : dns_options.search_domains)
         {
-            if (!tb->tun_builder_add_search_domain(domain))
-                throw tun_prop_dhcp_option_error("tun_builder_add_search_domain failed");
+            if (!tb->tun_builder_set_adapter_domain_suffix(domain))
+                throw tun_prop_dhcp_option_error("tun_builder_set_adapter_domain_suffix");
+            break; // use only the first domain for now
         }
         for (const auto &keyval : dns_options.servers)
         {
@@ -564,6 +565,11 @@ class TunProp
                     throw tun_prop_dhcp_option_error("tun_builder_add_dns_server failed");
                 flags |= F_ADD_DNS;
             }
+            for (const auto &domain : server.domains)
+            {
+                if (!tb->tun_builder_add_search_domain(domain))
+                    throw tun_prop_dhcp_option_error("tun_builder_add_search_domain failed");
+            }
         }
 
         OptionList::IndexMap::const_iterator dopt = opt.map().find("dhcp-option"); // DIRECTIVE
@@ -589,7 +595,7 @@ class TunProp
                             throw tun_prop_dhcp_option_error("tun_builder_add_dns_server failed");
                         flags |= F_ADD_DNS;
                     }
-                    else if ((type == "DOMAIN" || type == "DOMAIN-SEARCH") && dns_options.search_domains.empty())
+                    else if ((type == "DOMAIN" || type == "DOMAIN-SEARCH") && dns_options.servers.empty())
                     {
                         o.min_args(3);
                         for (size_t j = 2; j < o.size(); ++j)
@@ -603,7 +609,7 @@ class TunProp
                             }
                         }
                     }
-                    else if (type == "ADAPTER_DOMAIN_SUFFIX")
+                    else if (type == "ADAPTER_DOMAIN_SUFFIX" && dns_options.search_domains.empty())
                     {
                         o.exact_args(3);
                         const std::string &adapter_domain_suffix = o.get(2, 256);

From 358280f72f507a719867e2576cd96d333998402f Mon Sep 17 00:00:00 2001
From: Frank Lichtenheld <frank@lichtenheld.com>
Date: Fri, 8 Sep 2023 12:10:36 +0200
Subject: [PATCH 11/13] deps/mbedtls: drop old patch

mbedtls clearly don't want to apply this patch. So
affected users will need to find other solutions.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
---
 deps/mbedtls/build-mbedtls                    |  2 -
 .../0001-relax-x509-date-format-check.patch   | 50 -------------------
 deps/vcpkg-ports/mbedtls/portfile.cmake       |  2 -
 3 files changed, 54 deletions(-)
 delete mode 100644 deps/mbedtls/patches/0001-relax-x509-date-format-check.patch

diff --git a/deps/mbedtls/build-mbedtls b/deps/mbedtls/build-mbedtls
index 8cc26efb..d32fabc1 100755
--- a/deps/mbedtls/build-mbedtls
+++ b/deps/mbedtls/build-mbedtls
@@ -50,8 +50,6 @@ else
 
     # enable MD4 (needed for NTLM auth)
     perl -pi -e 's/^\/\/// if /#define MBEDTLS_MD4_C/' include/mbedtls/config.h
-
-    apply_patches "mbedtls"
 fi
 
 if [ "x$NO_BUILD" == x1 ]; then
diff --git a/deps/mbedtls/patches/0001-relax-x509-date-format-check.patch b/deps/mbedtls/patches/0001-relax-x509-date-format-check.patch
deleted file mode 100644
index c4ebde64..00000000
--- a/deps/mbedtls/patches/0001-relax-x509-date-format-check.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 0554efae4e27b6a764def80f600394519ef1addb Mon Sep 17 00:00:00 2001
-From: Antonio Quartulli <antonio@openvpn.net>
-Date: Tue, 20 Mar 2018 09:35:47 +0800
-Subject: [PATCH 1/2] relax x509 date format check
-
-Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
----
- library/x509.c | 18 +++++++++++++++++-
- 1 file changed, 17 insertions(+), 1 deletion(-)
-
-diff --git a/library/x509.c b/library/x509.c
-index 264c7fb0c..9372bcb92 100644
---- a/library/x509.c
-+++ b/library/x509.c
-@@ -624,11 +624,16 @@ static int x509_parse_time(unsigned char
-     /*
-      * Parse seconds if present
-      */
--    if (len >= 2) {
-+    if (len >= 2 && **p >= '0' && **p <= '9') {
-         CHECK(x509_parse_int(p, 2, &tm->sec));
-         len -= 2;
-     } else {
-+#if defined(MBEDTLS_RELAXED_X509_DATE)
-+        /* if relaxed mode, allow seconds to be absent */
-+        tm->sec = 0;
-+#else
-         return MBEDTLS_ERR_X509_INVALID_DATE;
-+#endif
-     }
- 
-     /*
-@@ -638,6 +643,14 @@ static int x509_parse_time(unsigned char
-         (*p)++;
-         len--;
-     }
-+#if defined(MBEDTLS_RELAXED_X509_DATE)
-+    else if ( len == 5 && **p == '+' ) {
-+        int tz; /* throwaway timezone */
-+        (*p)++;
-+        CHECK( x509_parse_int( p, 4, &tz ) );
-+        return 0;
-+    }
-+#endif
- 
-     /*
-      * We should have parsed all characters at this point
--- 
-2.18.0
-
diff --git a/deps/vcpkg-ports/mbedtls/portfile.cmake b/deps/vcpkg-ports/mbedtls/portfile.cmake
index b8d3a0fb..135b81d0 100644
--- a/deps/vcpkg-ports/mbedtls/portfile.cmake
+++ b/deps/vcpkg-ports/mbedtls/portfile.cmake
@@ -8,8 +8,6 @@ vcpkg_from_github(
     REF mbedtls-2.7.12
     SHA512 bfad5588804e52827ecba81ca030fe570c9772f633fbf470d71a781db4366541da69b85ee10941bf500a987c4da825caa049afc2c0e6ec0ecc55d50efd74e5a6
     HEAD_REF master
-    PATCHES
-        ..\\..\\mbedtls\\patches\\0001-relax-x509-date-format-check.patch
 )
 
 vcpkg_configure_cmake(

From 6c3aa11aaa7099cd42e74ec6b21de6ad2c54ae17 Mon Sep 17 00:00:00 2001
From: Frank Lichtenheld <frank@lichtenheld.com>
Date: Fri, 8 Sep 2023 12:11:58 +0200
Subject: [PATCH 12/13] vcpkg-ports/mbedtls: unused, removed

We haven't done any mbedtls builds for Windows in a long
time. Let's not pretend that is something we support by
having this cruft lying around.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
---
 deps/vcpkg-ports/mbedtls/CONTROL        |  4 ----
 deps/vcpkg-ports/mbedtls/portfile.cmake | 27 -------------------------
 2 files changed, 31 deletions(-)
 delete mode 100644 deps/vcpkg-ports/mbedtls/CONTROL
 delete mode 100644 deps/vcpkg-ports/mbedtls/portfile.cmake

diff --git a/deps/vcpkg-ports/mbedtls/CONTROL b/deps/vcpkg-ports/mbedtls/CONTROL
deleted file mode 100644
index 31e56c91..00000000
--- a/deps/vcpkg-ports/mbedtls/CONTROL
+++ /dev/null
@@ -1,4 +0,0 @@
-Source: mbedtls
-Version: 2.7.12-1
-Homepage: https://github.com/ARMmbed/mbedtls
-Description: An open source, portable, easy to use, readable and flexible SSL library
diff --git a/deps/vcpkg-ports/mbedtls/portfile.cmake b/deps/vcpkg-ports/mbedtls/portfile.cmake
deleted file mode 100644
index 135b81d0..00000000
--- a/deps/vcpkg-ports/mbedtls/portfile.cmake
+++ /dev/null
@@ -1,27 +0,0 @@
-include(vcpkg_common_functions)
-
-set(VCPKG_LIBRARY_LINKAGE static)
-
-vcpkg_from_github(
-    OUT_SOURCE_PATH SOURCE_PATH
-    REPO ARMmbed/mbedtls
-    REF mbedtls-2.7.12
-    SHA512 bfad5588804e52827ecba81ca030fe570c9772f633fbf470d71a781db4366541da69b85ee10941bf500a987c4da825caa049afc2c0e6ec0ecc55d50efd74e5a6
-    HEAD_REF master
-)
-
-vcpkg_configure_cmake(
-    SOURCE_PATH ${SOURCE_PATH}
-    PREFER_NINJA
-    OPTIONS
-        -DENABLE_TESTING=OFF
-        -DENABLE_PROGRAMS=OFF
-)
-
-vcpkg_install_cmake()
-
-file(REMOVE_RECURSE ${CURRENT_PACKAGES_DIR}/debug/include)
-
-file(INSTALL ${SOURCE_PATH}/LICENSE DESTINATION ${CURRENT_PACKAGES_DIR}/share/mbedtls RENAME copyright)
-
-vcpkg_copy_pdbs()

From ea747cba84756a09239e876da305b2c7af0c18df Mon Sep 17 00:00:00 2001
From: David Sommerseth <davids@openvpn.net>
Date: Wed, 13 Sep 2023 15:02:35 +0200
Subject: [PATCH 13/13] Release: OpenVPN 3 Core Library, version 3.8.2

Signed-off-by: David Sommerseth <davids@openvpn.net>
---
 openvpn/common/version.hpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/openvpn/common/version.hpp b/openvpn/common/version.hpp
index b99c5da1..8a06ceb2 100644
--- a/openvpn/common/version.hpp
+++ b/openvpn/common/version.hpp
@@ -24,5 +24,5 @@
 #pragma once
 
 #ifndef OPENVPN_VERSION
-#define OPENVPN_VERSION "3.8.1"
+#define OPENVPN_VERSION "3.8.2"
 #endif