mirror of https://github.com/OpenVPN/openvpn3.git synced 2024-09-20 04:02:15 +02:00
Commit Graph

4093 Commits

Author SHA1 Message Date
Frank Lichtenheld
14136ee923 CMake: disable -Wmaybe-uninitialized for GCC builds
This is very noisy with lots of false positives, especially
in newer versions of GCC. So for now disable this.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit d7e8375fc5)
2024-03-07 00:29:36 +02:00
Frank Lichtenheld
ce054c562c CMake: make doxygen generation work better
- Use CURRENT source and binary dir to make this work even
  if used as a sub-directory in another project.
- Make USE_MDFILE_AS_MAINPAGE actually work. It is only
  used when part of the INPUT and does not automatically
  add it to INPUT.
- Make sure CMake uses the latest version of README.rst
  by using configure_file instead of file(COPY).
- Improve EXCLUDE_PATTERNS.
- Add NUM_PROC_THREADS.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 474de6c93f)
2024-03-07 00:29:36 +02:00
Frank Lichtenheld
c9939d271b CMake: Reorder includes to prefer asio
By adding the asio includes first we have a better
chance to force using "our" asio. This can be important
since some parts of the code require a patched version.

The actual "core" parts of the code work fine with
upstream asio however, so I also do not want to
force the patched asio by requiring a special header
name or directory structure.

So this is a compromise solution which hopefully works
for most use-cases.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit bc7f4be01b)
2024-03-07 00:29:36 +02:00
Frank Lichtenheld
38ef9f2786 mingw: disable VCPKG_APPLOCAL_DEPS in mingw presets
We do not want to force a dependency on powershell.
Copying the right dlls is rather trivial.

Same change as commit e9e49239ce
for build-vcpkg script.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 1f5aa58223)
2024-03-07 00:29:36 +02:00
Frank Lichtenheld
a830d1e09c lzo_asym_impl: fix unaligned access
Helpfully the comment above the code actually provided
a solution...

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit db7ea3d96a)
2024-03-07 00:29:36 +02:00
Frank Lichtenheld
8c007de79d client: Explicitly use int as socket type in SWIG
For some reason SWIG doesn't seem to pick this
up automatically from the typedefs.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
2024-03-06 13:00:04 +01:00
Frank Lichtenheld
37fb7c2efc CMake: clean up dependency handling
Always use find_package for all libraries.
Add missing Find*.cmake modules.
Always define an IMPORTED library in Find*

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit d7b3419f8e)
2024-03-04 12:58:23 +02:00
Frank Lichtenheld
25ca35d71d CMake: add CMakePresets.json and switch GHA to use it
For now define vcpkg builds for MSVC and MinGW

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 63499ba7ac)
2024-03-04 12:58:23 +02:00
Frank Lichtenheld
f845f7dd95 vcpkg-ports/asio: copy update asio-config.cmake from vcpkg
Fixes problems when calling find_package on asio multiple
times.

Originally fixed by commit cba75f1aa08374733dcc79abebeca262ae94118a
in vcpkg#28299.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 71cf5f48fe)
2024-03-04 12:58:23 +02:00
Frank Lichtenheld
ac01ae47e9 mingw: disable VCPKG_APPLOCAL_DEPS in build-vcpkg
We do not want to force a dependency on powershell.
Copying the right dlls is rather trivial.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit e9e49239ce)
2024-03-04 12:58:23 +02:00
Frank Lichtenheld
3614c1a004 CMake: move architecture detection closer to the actual executable
This makes it easier to see what is going on when looking at
individual CMakeLists.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 4c81069564)
2024-03-04 12:58:23 +02:00
Frank Lichtenheld
0dcae2690b CMake: support BUILD_TESTING option
This is important since it allows us to avoid
the JsonCPP dependency on non-Win/non-Apple
systems.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit a9570cb780)
2024-03-04 12:58:23 +02:00
Frank Lichtenheld
fa99c85cb9 CMake: Generalize add_json_library
Make sure we find vcpkg and system packages on all
platforms.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit e720bf3aba)
2024-03-04 12:58:23 +02:00
Frank Lichtenheld
4e0de88c03 CMake: Fix issues in FindmbedTLS
Use add_library to define a target so that we do not
need to apply all the setting manually.
Use find_package_message() to avoid printing the
message more than once.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 2fb5d08ea0)
2024-03-04 12:58:23 +02:00
Frank Lichtenheld
7c9eeca1ee vcpkg.json: Allow to use on Linux
- Fix PATCHES to work on Linux
- While here, fix version number

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit fb9bee5ad6)
2024-03-04 12:58:23 +02:00
Frank Lichtenheld
cdcf942c24 CMake: small improvements
- Increase required version to 3.10. That is the version in
  Ubuntu Bionic and currently the oldest one we still want
  to support.
- Enable CTest for test target

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 50271ee02a)
2024-03-04 12:58:23 +02:00
Arne Schwabe
10fe3b82d4 Change year 2018 in MD5 warning to "near future".
With the change to OpenSSL 3 and introducing insecure as profile we
actually allowed MD5 again. Update the warning to reflect this.

Signed-off-by: Arne Schwabe <arne@openvpn.net>
2024-02-29 15:31:37 +01:00
Arne Schwabe
282075fee9 Allow test_sslctx to work with mbed TLS
Signed-off-by: Arne Schwabe <arne@openvpn.net>
2024-02-23 15:32:58 +01:00
Arne Schwabe
c1bcf78d2e Add support for mbed TLS 3.0
This currently still depends on the mbed TLS compat API functionality.

Signed-off-by: Arne Schwabe <arne@openvpn.net>
2024-02-23 15:32:58 +01:00
Mark Deric
ade5f80f8a Add doxygen comments to simplified logging files
Signed-off-by: Mark Deric <jmark@openvpn.net>
2024-02-21 10:04:12 -08:00
Mark Deric
9ffa263bc8 Remove old and/or unneeded code from logging
Also, update copyright dates

Signed-off-by: Mark Deric <jmark@openvpn.net>
2024-02-21 08:58:43 -08:00
Mark Deric
e5c850cc82 Untangle log header macro/class globs
The purpose of this change is to allow headers that require the
logbase.hpp classes to compile in executables using logsimple.hpp.

By munging classes and macros into both headers, an avoidable conflict
of macro re-definition is created.  This commit separates the classes
from the macros into new headers. Then propagates the mistake into the
current headers so none of the existing code is broken. ;-)

Signed-off-by: Mark Deric <jmark@openvpn.net>
2024-02-21 07:27:38 -08:00
David Sommerseth
bae10062b3 Merging in changes from OpenVPN 3 Core version 3.8.4
Signed-off-by: David Sommerseth <davids@openvpn.net>
2024-02-19 22:46:53 +01:00
David Sommerseth
8f4cd953b2 Release: OpenVPN 3 Core Library, version 3.8.4
Signed-off-by: David Sommerseth <davids@openvpn.net>
2024-02-13 18:07:01 +01:00
Lev Stipakov
b4a400f6fe Improve handling of unknown options
Currently we error out on the first unsupported
option which belongs to the "fatal" category, such as
"removed deprecated option" or "Option allowed only to
be pushed by the server".

To improve user experience and allow application code
to display all problematic options and their categories,
collect options into a category->options map and then
serialize it into multiline string:

  cat1: opt1,opt2
  cat2: opt3

Introduce a new error code UNUSED_OPTIONS, which is
placed into ClientAPI::Status::status. The serialized
options map is placed into ClientAPI::Status::message.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2024-02-07 17:03:45 +02:00
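The category-to-options map and its multiline serialization described in the commit message above, as an added C++ example that is not openvpn3 code: the struct, function names and the category strings in the test input are this example's own assumptions, and the sample options are constructed.

```cpp
// Added example, not openvpn3 code: group rejected options by the category they
// were rejected under and serialize them into the multiline form described in
// the commit message ("cat1: opt1,opt2"). All names below are this example's own.
#include <cstddef>
#include <map>
#include <string>
#include <vector>

// One rejected option and the category it was rejected under.
struct UnusedOption
{
    std::string category;
    std::string name;
};

using UnusedOptionMap = std::map<std::string, std::vector<std::string>>;

// Group options by category. Options keep the order they were seen in within a
// category; std::map orders categories by name, so the report is deterministic.
UnusedOptionMap collect_unused_options(const std::vector<UnusedOption> &rejected)
{
    UnusedOptionMap by_category;
    for (const UnusedOption &opt : rejected)
        by_category[opt.category].push_back(opt.name);
    return by_category;
}

// One "category: opt1,opt2" line per category, joined with '\n' and no
// trailing newline, so an empty map serializes to the empty string.
std::string serialize_unused_options(const UnusedOptionMap &by_category)
{
    std::string out;
    for (const auto &entry : by_category)
    {
        if (!out.empty())
            out += '\n';
        out += entry.first + ": ";
        for (std::size_t i = 0; i < entry.second.size(); ++i)
        {
            if (i)
                out += ',';
            out += entry.second[i];
        }
    }
    return out;
}

// What an application would place in a status message: every problematic
// option at once instead of stopping at the first fatal one.
std::string report_unused_options(const std::vector<UnusedOption> &rejected)
{
    return serialize_unused_options(collect_unused_options(rejected));
}
```

Because categories are map keys, a caller that wants to treat one category (say, options that may only be pushed) differently from another can look it up directly instead of re-parsing the rendered string.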
Charlie Vigue
cb9ce3d71c Add notes to sslctx and add unit tests
- Add notes regarding some unexpected behaviors in sslctx
- Add unit tests specifically for sslctx, including simple in-memory
handshaking with both success and failure examples.

Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
2024-02-01 13:29:21 +01:00
Frank Lichtenheld
fe40d7288f Change some arguments to const refs
Triggered by move suggestions from Coverity.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
2024-01-31 17:02:47 +01:00
Frank Lichtenheld
fdf55e8776 ovpncli: simplify Client::open_url()
Remove unused argument "flags".

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
2024-01-31 17:02:46 +01:00
Frank Lichtenheld
eaf9147fcd Add various moves as suggested by Coverity
Out of all the suggestions by Coverity I picked
the ones that move non-Ptr objects into variables
or attributes.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
2024-01-31 17:02:45 +01:00
Frank Lichtenheld
853169a566 Fix various "auto causes copy" Coverity warnings
No reason not to fix those.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
2024-01-31 17:02:28 +01:00
Arne Schwabe
afdfe1bb3f Fix accessing a null pointer when PKCS7 is invalid
If we get a valid but almost empty PKCS7 structure we otherwise try
to access invalid fields.

CVE: CVE-2023-6247
Reported-by: Bahaa Naamneh <bahaa.cpl@gmail.com>
Signed-off-by: Arne Schwabe <arne@openvpn.net>
2024-01-25 12:02:12 +01:00
Charlie Vigue
f4f8caa400 Refactor RC - readability and doxygen
- Split big classes into declaration and definition
- Added doxygen

The goal here is to make the classes easier to reason about by
splitting them into declaration and definition and then adding
doxygen.

The notify parts are left intentionally undocumented for now.

Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
2024-01-24 19:17:12 +01:00
Charlie Vigue
9f3d32b2f4 Add virtual default DTOR to ClientEvent::Base
ClientEvent::Base is the base class for many other classes including
a few that add data members. If at some point one of these enhanced
derived classes is referenced and then deleted via a base class
pointer, some memory could leak.

I don't think we do that yet, but it seems worth preventing.

Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
2024-01-24 16:24:14 +01:00
Charlie Vigue
b06252bb5d Cleanup API for JSON, map() --> asObject() etc
- .map() --> .asObject()
- .array() --> .asArray()

Required by changes in JSON API

Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
2024-01-23 13:21:53 +00:00
Arne Schwabe
1824aaed1d Use OpenSSL 3.0 API for generating TLS 1.0 PRF
When compiling against OpenSSL 3.0, use the newer API for generating the
TLS 1.0 PRF.  Older OpenSSL versions will use the OpenSSL 1.x API.

Signed-off-by: Arne Schwabe <arne@openvpn.net>
2024-01-10 21:01:46 +01:00
Charlie Vigue
6bc9c0bd59 Check length of response before accessing it
The NTLM protocol implementation does not validate the length of
the proxy server’s response. If the response is shorter than
expected, the code will access the response buffer out of bounds,
which will raise an exception. This change checks and explicitly
raises an exception with an informative message if the response
is too short.

This was never a security issue as such but might result in a client
terminating early and without a nice diagnostic.

Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
2024-01-08 21:32:17 +01:00
Arne Schwabe
8ad83b5ae8 Add missing length check in parsing ACC messages, add more related tests
Signed-off-by: Arne Schwabe <arne@openvpn.net>
2024-01-04 17:51:23 +01:00
Arne Schwabe
8bfdc2809b Implement various fixes to avoid copying argument related to appcontrol
2024-01-04 17:51:23 +01:00
Frank Lichtenheld
44aa9acab2 ClientProto::Session: fix coverity issue "declaration hides parameter"
CID 11873: (#12 of 12): Parse warning (PW.PARAMETER_HIDDEN)
parameter_hidden: declaration hides parameter "e"

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
2023-12-20 23:18:33 +01:00
Frank Lichtenheld
185426c5e8 ServerProto::Session: fix coverity issue "declaration hides parameter"
CID 11809: (#2 of 3): Parse warning (PW.PARAMETER_HIDDEN)
parameter_hidden: declaration hides parameter "e"

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
2023-12-20 23:18:33 +01:00
Frank Lichtenheld
b4082c93cb WS::Client::HTTPCore: fix coverity issue "declaration hides parameter"
CID 11948: (#2 of 2): Parse warning (PW.PARAMETER_HIDDEN)
parameter_hidden: declaration hides parameter "error"

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
2023-12-20 23:18:33 +01:00
Frank Lichtenheld
9524e33727 ClientOptions: fix coverity error "Structurally dead code"
CID 11851: (#1 of 1): Structurally dead code (UNREACHABLE)
unreachable: This code cannot be reached

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
2023-12-20 23:18:32 +01:00
Mark Deric
5b3294202c Prefer special purpose accessor to public
Instead of exposing protected data to the global environment, provide
a special purpose accessor to satisfy AppControl needs.

Signed-off-by: Mark Deric <jmark@openvpn.net>
2023-12-20 08:29:55 -08:00
Arne Schwabe
c151efc908 Allow specifying different client and server reasons for disconnect
Currently PG only allows one to either send or withhold the reason to the
client but there are certain circumstances where you want to have more
detailed internal reason but still want to send some reason to the
client.

Signed-off-by: Arne Schwabe <arne@openvpn.net>
2023-12-13 16:51:22 +01:00
Arne Schwabe
2910164ebf Add helper method for reliable uniform int for unit tests
Signed-off-by: Arne Schwabe <arne@openvpn.net>
2023-12-13 16:51:22 +01:00
Arne Schwabe
95b821a2fd Allow to string methods of IP::Addr to display mapped IPv4 as plain IPv4
Some systems like to see the mapped IPv4 addresses as real IP addresses.
This commit adds the ability to show IP addresses as such.

Signed-off-by: Arne Schwabe <arne@openvpn.net>
2023-12-13 16:51:22 +01:00
Arne Schwabe
f97c00fc72 Make IV_PROTO defines public
This allows other code to use the values without having to repeat
the values.

Signed-off-by: Arne Schwabe <arne@openvpn.net>
2023-12-13 16:51:22 +01:00
Arne Schwabe
9afc0b2310 Allow ovpn::string::join to work also with other containers than std::vector
Signed-off-by: Arne Schwabe <arne@openvpn.net>
2023-12-13 16:51:22 +01:00
Arne Schwabe
f1ac7e500f Allow a client to announce custom control channel support
Signed-off-by: Arne Schwabe <arne@openvpn.net>
2023-12-13 16:51:22 +01:00
Arne Schwabe
e9ade86de7 Implement logic to send and receive custom control channel messages
This adds the capability to implement a custom app level protocol
that supports message passing over the OpenVPN control channel.
The protocol is agnostic to the data that is transported over it
and the message splitting/reassembly is handled transparently by the
OpenVPN library itself.

Signed-off-by: Arne Schwabe <arne@openvpn.net>
2023-12-13 16:51:22 +01:00
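The two commits above that touch custom control channel messages, the one adding the send/receive logic with transparent splitting and reassembly (e9ade86de7) and the earlier one adding a missing length check when parsing ACC messages (8ad83b5ae8), describe a pattern rather than show code. The following is an added C++ example and not openvpn3 code: the 5-byte fragment header, the function and class names, the message-size limit and the sample inputs are all this example's own assumptions, and it does not reproduce the project's actual ACC wire format. It shows the splitting, the order-independent reassembly, and the length checks a parser must make before touching any field.

```cpp
// Added example, not openvpn3 code: an illustrative fragment/reassembly layer for
// application messages over a control channel. The header layout is invented here.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

namespace acc_example {
// Header: msg_id(1) | frag_index(1) | frag_count(1) | payload_len(2, big-endian)
constexpr std::size_t HEADER_LEN = 5;
struct Fragment { std::uint8_t msg_id = 0, index = 0, count = 0; std::string payload; };

// Split one message into fragments of at most max_payload bytes; an empty
// message still yields one empty fragment so the peer sees it.
std::vector<std::string> split_message(std::uint8_t msg_id, const std::string &msg, std::size_t max_payload)
{
    if (max_payload == 0 || max_payload > 0xFFFF) throw std::invalid_argument("max_payload out of range");
    const std::size_t count = msg.empty() ? 1 : (msg.size() + max_payload - 1) / max_payload;
    if (count > 255) throw std::length_error("message needs more than 255 fragments");
    std::vector<std::string> out;
    for (std::size_t i = 0; i < count; ++i)
    {
        const std::string chunk = msg.substr(i * max_payload, max_payload);
        const char hdr[HEADER_LEN] = {char(msg_id), char(i), char(count), char(chunk.size() >> 8), char(chunk.size() & 0xFF)};
        out.push_back(std::string(hdr, HEADER_LEN) + chunk);
    }
    return out;
}

// Parse one fragment, checking every length before the bytes are read. Reading
// header fields or payload without such checks is the bug class the ACC
// length-check commit in this log addressed.
Fragment parse_fragment(const std::string &wire)
{
    if (wire.size() < HEADER_LEN) throw std::runtime_error("fragment shorter than header");
    const auto *p = reinterpret_cast<const std::uint8_t *>(wire.data());
    Fragment f;
    f.msg_id = p[0], f.index = p[1], f.count = p[2];
    const std::size_t payload_len = (std::size_t(p[3]) << 8) | p[4];
    if (f.count == 0 || f.index >= f.count) throw std::runtime_error("fragment index/count out of range");
    if (wire.size() - HEADER_LEN != payload_len) throw std::runtime_error("payload length does not match fragment size");
    f.payload = wire.substr(HEADER_LEN);
    return f;
}

// True if parse_fragment rejects the bytes (lets callers probe the checks).
bool fragment_is_rejected(const std::string &wire)
{
    try { parse_fragment(wire); return false; }
    catch (const std::exception &) { return true; }
}

// Collects fragments per message id in any order and bounds the total size, so a
// peer cannot make the receiver buffer an arbitrarily large message.
class Reassembler
{
    struct Slot { bool seen = false; std::string data; };
    struct Partial { std::vector<Slot> slots; std::size_t received = 0, bytes = 0; };
    std::size_t max_bytes_;
    std::map<std::uint8_t, Partial> partial_;

  public:
    explicit Reassembler(std::size_t max_message_bytes) : max_bytes_(max_message_bytes) {}

    // Returns true and fills `out` when a message completes; false while waiting.
    bool feed(const std::string &wire, std::string &out)
    {
        const Fragment f = parse_fragment(wire);
        Partial &part = partial_[f.msg_id];
        if (part.slots.empty()) part.slots.resize(f.count);
        if (part.slots.size() != f.count || part.slots[f.index].seen || part.bytes + f.payload.size() > max_bytes_)
        {
            partial_.erase(f.msg_id);
            throw std::runtime_error("inconsistent, duplicate or oversized fragment");
        }
        part.slots[f.index] = {true, f.payload};
        part.bytes += f.payload.size();
        if (++part.received < f.count) return false;
        out.clear();
        for (const Slot &s : part.slots) out += s.data;
        partial_.erase(f.msg_id);
        return true;
    }
};

// Split, reverse the arrival order if asked, reassemble; must equal the input.
std::string roundtrip(const std::string &msg, std::size_t max_payload, bool reverse_order)
{
    std::vector<std::string> frags = split_message(7, msg, max_payload);
    if (reverse_order) std::reverse(frags.begin(), frags.end());
    Reassembler r(1 << 16);
    std::string out;
    for (const std::string &f : frags)
        if (r.feed(f, out)) return out;
    throw std::runtime_error("message did not complete");
}
} // namespace acc_example
```

The parser rejects a fragment whose declared payload length disagrees with the bytes actually received, rather than trusting the header, and the reassembler discards partial state on any inconsistency so a malformed stream from the peer cannot leave it holding half a message forever. The per-message byte cap is the example's own choice; a real implementation would also want a timeout for messages that never complete.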