Data channel packet ids (in the formats that OpenVPN 3.x supports)
are plain 32 or 64 bit ids while control channel is a 32 bit time + 32
bit counter id. Seperate these more clearly and let CBC mode use the
same Packet ID implementation that AEAD mode uses.
Also add more unit tests related to data channel tests packets by
adapting the control channel test where applicable and add a few more
related to packet id wrapping
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This mode is only relevant for old OpenVPN 2.3.x clients in CBC mode
ciphers when using kovpn. Remove the mode from PID control and move
logic to kovpn key logic.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Commit
adacc16 ("push update: base implementation")
added apply_push_update() method to TunClient class
but didn't add doxygen comments. This adds missing
comments.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
This implements apply_push_update() method for
tunbuilder tun client.
For tunbuilder tun client, no specific actions are required
except calling stop() and tun_start(). This will undo
existing options and apply the merged ones.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Rename BufferAllocated --> BufferAllocatedRc
Buffer: split RC from BufferAllocated
Also make changes as needed where BufferAllocated is used
Buffer: Split allocation flags into own struct
Leaving flags in template causes each alias to have identical flags
by different names, which requires each type to pointlessly use
the nested name.
Make RC: Clean up headers buffer.hpp, make_rc.hpp
Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
Remove unused include directives.
Change internal member C-style array to std::arry for better safety.
Adjust methods to use std::array.
Default constructor.
Use std::copy_n algorithm to clearly express intention.
Signed-off-by: Leonard Ossa <leonard.ossa@openvpn.com>
When running the unit test with mbed TLS 3.0, the library does not support
BF-CBC anymore. So we need to exclude BF-CBC from the expected result in
this case.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
These unit tests are quite nosiy on a normal unit test run. Lower the
SSL verbosity for them to avoid a lot of debug output during unit tests.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
OpenVPN 2.7/master will no longer suppress TLS Alerts but send them
out to the client. Create event for the common events that occur and
notify them to the UI process.
Jira: OVPN-1215
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Split the implementation of the packet counter for normal packet ID
that includes the "weird" long format for long 64 bit packet ids used
in tls-auth and tls-crypt and a simplified implementation for AEAD that
only does 32 bit and 64 bit flat counters.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Instead of passing around a number of individual argument, use a data
holder class to describe all the settings. This will also allow adding
more data channel parameters in the future (tag location, 64 bit IV)
easier. This has a slight cost of something passing more parameters
than needed.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This is part of a series of patches instrumenting crash checks.
Classes that implement SendBase can optionally collect debug
information for various scenarios, and create a string here that
presents them in human-readable form when requested.
Signed-off-by: Razvan Cojocaru <razvan.cojocaru@openvpn.com>
This change is intended to safeguard against potential
post-stop() management activity that could result in
management agent getting into a bad state.
Signed-off-by: James Yonan <james@openvpn.net>
Without the change and in the absence of a clang-format command in the
user's PATH, the script will fail in line 79 of the hook due to set
-e. It will fail to produce the error message starting at line 83.
The change allows the error message to print.
Signed-off-by: Mark Deric <jmark@openvpn.net>
The Windows Service class did not specify its destructor as virtual, but
has other virtual function. Not specifying the d'tor virtual is an
anti-pattern in this case.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
In the code base three different syntaxes for overriding virtual member
functions could be found:
1) virtual ... override
2) virtual ...
3) ... override
This converts all of them to the third syntax, as recommended by the ISO
C++ core guidelines in C.128
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Add a single template function implementing the logging logic,
parametrized by log level, and have the log_{trace, info, ...}
functions call that.
While at it, const-ify a couple of member functions.
Signed-off-by: Razvan Cojocaru <razvan.cojocaru@openvpn.com>
Without this fix, the openvpn3-linux build is broken whenever a
dependency enables -Wnon-virtual-dtor (which protobuf 27.3
currently does on Arch Linux). The openvpn3-linux build treats
warnings as errors.
Jira: OVPN3-1242
Signed-off-by: Razvan Cojocaru <razvan.cojocaru@openvpn.com>
This adds support for parsing PUSH_UPDATE
control command, which enables to update
options "on the fly", without reconnect.
The options presented in the PUSH_UPDATE list
overwrite current options with the name. To unset
an option, it has to be prefixed with the "-".
For example:
PUSH_UPDATE,route 10.10.10.0 255.255.255.0,-dns
Replaces all existing routes with this new one
and removes all "dns" options.
If the client doesn't support updating certain option,
it reconnects. Except when option is prefixed with "?" -
in this case option is considered "optional".
For example, this message
PUSH_UPDATE,?unsupported_option_a
does nothing, but this one:
PUSH_UPDATE,dns 0,block-ipv6,unsupported_option_b
makes client reconnect, since it contains mandatory unsupported option.
OVPN3-1234
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Reduced the pasted implementations of the LOGGER_LOG_<VERBOSITY>
macros to a single macro with a verbosity parameter, in an attempt
to make the code easier to read by reducing the line count, and
hopefully reduce the probability of copy / paste bugs
(LOGGER_LOG_ERROR() was already checking against LOG_LEVEL_INFO).
Signed-off-by: Razvan Cojocaru <razvan.cojocaru@openvpn.com>
Returning OPENSSL_VERSION_TEXT will return the value of the library at
compile time. We rather want to know the version of the library that is
actually running, so use OpenSSL_version instead.
Jira: OVPN3-1227
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Use empty braces to initalise the structs to zero since they
use sub structs and clang wants us to otherwise use {{ 0 }}
Ensure that methods with a return value do not return without a
value or exception by throwing an exception.
Add missing override in the unit test
Signed-off-by: Arne Schwabe <arne@openvpn.net>
In numeric_cast when casting from signed to unsigned, the second part
of the conditional might be const in some cases. This is intended to
ensure the second runtime check is only present if possibly needed.
This is better and avoids a Coverity performance warning
Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
