Add certificate to EvalConfig

Clients need access to the server VPN ca for whitelisting reasons so it is now available inside the EvalConfig structure. Implemented the change and added a unit test for same. Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.net>
2024-09-19 19:52:15 +02:00 · 2024-05-28 11:05:57 +00:00 · 2024-05-28 11:05:57 +00:00 · 75d9d0fae5
commit 75d9d0fae5
parent 272d0ef07d
4 changed files with 42 additions and 5 deletions
--- a/client/ovpncli.cpp
+++ b/client/ovpncli.cpp
@ -4,7 +4,7 @@
 //               packet encryption, packet authentication, and
 //               packet compression.
 //
-//    Copyright (C) 2012-2022 OpenVPN Inc.
+//    Copyright (C) 2012 - 2024 OpenVPN Inc.
 //
 //    This program is free software: you can redistribute it and/or modify
 //    it under the terms of the GNU Affero General Public License Version 3
@ -650,6 +650,7 @@ OPENVPN_CLIENT_EXPORT void OpenVPNClientHelper::parse_config(const Config &confi
        eval.friendlyName = cc.friendlyName();
        eval.autologin = cc.autologin();
        eval.externalPki = cc.externalPki();
+        eval.vpnCa = cc.vpnCa();
        eval.staticChallenge = cc.staticChallenge();
        eval.staticChallengeEcho = cc.staticChallengeEcho();
        eval.privateKeyPasswordRequired = cc.privateKeyPasswordRequired();
--- a/client/ovpncli.hpp
+++ b/client/ovpncli.hpp
@ -4,7 +4,7 @@
 //               packet encryption, packet authentication, and
 //               packet compression.
 //
-//    Copyright (C) 2012-2022 OpenVPN Inc.
+//    Copyright (C) 2012 - 2024 OpenVPN Inc.
 //
 //    This program is free software: you can redistribute it and/or modify
 //    it under the terms of the GNU Affero General Public License Version 3
@ -53,8 +53,14 @@ struct ServerEntry
    std::string friendlyName;
 };

-// return properties of config
-// (client reads)
+/**
+    @brief Struct containing configuration details parsed from an OpenVPN configuration file.
+    @details
+    This struct holds various properties extracted from an OpenVPN configuration file, such as
+    error status, profile name, autologin flag, external PKI flag, VPN server CA, static
+    challenge, private key password requirement, remote host information, list of selectable VPN
+    servers, Windows driver, and DCO compatibility details.
+*/
 struct EvalConfig
 {
    // true if error
@ -78,6 +84,13 @@ struct EvalConfig
    // if true, this is an External PKI profile (no cert or key directives)
    bool externalPki = false;

+    // VPN server CA in PEM format as given in the configuration. This is the CA, the
+    // VPN server certificate is checked against. This is not a parsed version so it
+    // can have extra lines around the actual certificates that an X509 parser would
+    // ignore.
+    // Note that this can can be empty if the profile uses --peer-fingerprint instead of traditional PKI check.
+    std::string vpnCa;
+
    // static challenge, may be empty, ignored if autologin
    std::string staticChallenge;

--- a/openvpn/client/cliopthelper.hpp
+++ b/openvpn/client/cliopthelper.hpp
@ -4,7 +4,7 @@
 //               packet encryption, packet authentication, and
 //               packet compression.
 //
-//    Copyright (C) 2012-2022 OpenVPN Inc.
+//    Copyright (C) 2012 - 2024 OpenVPN Inc.
 //
 //    This program is free software: you can redistribute it and/or modify
 //    it under the terms of the GNU Affero General Public License Version 3
@ -224,6 +224,12 @@ class ParseClientConfig
                }
            }

+            {
+                const Option *o = options.get_ptr("ca");
+                if (o)
+                    vpnCa_ = o->get(1, Option::MULTILINE);
+            }
+
            // profile name
            {
                const Option *o = options.get_ptr("PROFILE");
@ -461,6 +467,11 @@ class ParseClientConfig
        return externalPki_;
    }

+    std::string vpnCa() const
+    {
+        return vpnCa_;
+    }
+
    // static challenge, may be empty, ignored if autologin
    const std::string &staticChallenge() const
    {
@ -786,6 +797,7 @@ class ParseClientConfig
    bool autologin_;
    bool clientCertEnabled_;
    bool externalPki_;
+    std::string vpnCa_;
    bool pushPeerInfo_;
    std::string staticChallenge_;
    bool staticChallengeEcho_;
--- a/test/unittests/test_cliopt.cpp
+++ b/test/unittests/test_cliopt.cpp
@ -195,6 +195,17 @@ TEST(config, dco_compatibility)
    }
 }

+TEST(config, server_cert_in_eval)
+{
+    ClientAPI::Config api_config;
+    api_config.content = minimalConfig;
+
+    ClientAPI::OpenVPNClientHelper client_helper;
+    auto eval = client_helper.eval_config(api_config);
+
+    EXPECT_FALSE(eval.vpnCa.empty());
+}
+

 TEST(config, server_options_present_in_error_msg)
 {