Data channel packet ids (in the formats that OpenVPN 3.x supports)
are plain 32 or 64 bit ids while control channel is a 32 bit time + 32
bit counter id. Seperate these more clearly and let CBC mode use the
same Packet ID implementation that AEAD mode uses.
Also add more unit tests related to data channel tests packets by
adapting the control channel test where applicable and add a few more
related to packet id wrapping
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This mode is only relevant for old OpenVPN 2.3.x clients in CBC mode
ciphers when using kovpn. Remove the mode from PID control and move
logic to kovpn key logic.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Rename BufferAllocated --> BufferAllocatedRc
Buffer: split RC from BufferAllocated
Also make changes as needed where BufferAllocated is used
Buffer: Split allocation flags into own struct
Leaving flags in template causes each alias to have identical flags
by different names, which requires each type to pointlessly use
the nested name.
Make RC: Clean up headers buffer.hpp, make_rc.hpp
Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
When running the unit test with mbed TLS 3.0, the library does not support
BF-CBC anymore. So we need to exclude BF-CBC from the expected result in
this case.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
These unit tests are quite nosiy on a normal unit test run. Lower the
SSL verbosity for them to avoid a lot of debug output during unit tests.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
OpenVPN 2.7/master will no longer suppress TLS Alerts but send them
out to the client. Create event for the common events that occur and
notify them to the UI process.
Jira: OVPN-1215
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Split the implementation of the packet counter for normal packet ID
that includes the "weird" long format for long 64 bit packet ids used
in tls-auth and tls-crypt and a simplified implementation for AEAD that
only does 32 bit and 64 bit flat counters.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Instead of passing around a number of individual argument, use a data
holder class to describe all the settings. This will also allow adding
more data channel parameters in the future (tag location, 64 bit IV)
easier. This has a slight cost of something passing more parameters
than needed.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
In the code base three different syntaxes for overriding virtual member
functions could be found:
1) virtual ... override
2) virtual ...
3) ... override
This converts all of them to the third syntax, as recommended by the ISO
C++ core guidelines in C.128
Signed-off-by: Heiko Hund <heiko@openvpn.net>
This adds support for parsing PUSH_UPDATE
control command, which enables to update
options "on the fly", without reconnect.
The options presented in the PUSH_UPDATE list
overwrite current options with the name. To unset
an option, it has to be prefixed with the "-".
For example:
PUSH_UPDATE,route 10.10.10.0 255.255.255.0,-dns
Replaces all existing routes with this new one
and removes all "dns" options.
If the client doesn't support updating certain option,
it reconnects. Except when option is prefixed with "?" -
in this case option is considered "optional".
For example, this message
PUSH_UPDATE,?unsupported_option_a
does nothing, but this one:
PUSH_UPDATE,dns 0,block-ipv6,unsupported_option_b
makes client reconnect, since it contains mandatory unsupported option.
OVPN3-1234
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Use empty braces to initalise the structs to zero since they
use sub structs and clang wants us to otherwise use {{ 0 }}
Ensure that methods with a return value do not return without a
value or exception by throwing an exception.
Add missing override in the unit test
Signed-off-by: Arne Schwabe <arne@openvpn.net>
* origin/releaseprep/3.10:
Do not reject control message with trailing newlines
aws: account for RandomAPI change
Allow disabling TLS 1.3 in certcheck to more easily debug problems
Implement changes to allow test dpc certcheck to be tested
Allow setting a maximum TLS version
Change cxa1 protocol tag to dpc1
Fix spelling errors raised by Debian linter
mac agent: reinstall host route during restart
Preparing QA cycle for OpenVPN 3 Core library release v3.10
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
The previous fix to reject invalid control message was a bit too aggressive
as scripts often accidentally include an extra newline at the end of the
control message.
Jira: OVPN3-1225
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This is reusing the auth pending method as this is just another method where
the final authentication decision is pending on some results. In this case
custom messages going back and forth. This can be tested using
client-pending-auth 5 1 "ACC:1000 A:6 cck1:certcheck:cxa1:fortune" 60'
with OpenVPN 2.x servers easily.
Also correctly use ClientEvent::Base::Ptr with the Clientevents to avoid
problems with not correctly using RCPtr
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Clients need access to the server VPN ca for whitelisting reasons
so it is now available inside the EvalConfig structure. Implemented
the change and added a unit test for same.
Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.net>
This allow debugging the certificates the server sends. It did this as hack
two times before. I think it is now time to get this officially in.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This also moves some of the reasonsibility from ClientProto to
OpenVPNClient. This plays better with the EPKI implementation and also
does not break the idea of the current certcheck implementation as we now
just give the certcheck in client protocol a preconfigured SSL Config instead
of all the certificates individually.
Allow to set a program to get root (e.g. "sudo").
This allows to run the sitnl tests via ctest.
Only required on Linux, since those tests are
Linux-only.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Previously this logic was encoded in Jenkinsfile by
running the UTs manually. Much preferable to just
use ctest.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
The AppControl feature provides an internal communications channel that
is described in detail in the relevant commits that implement it. This
change adds two intrinsic app control 'protocols' to the list of
supported handlers in the client. The new protocols are:
- cxa1: This is a request for the client to begin a TLS handshake via
the app control channel.
- cck1: This is the protocol that allows the exchange of the requested
TLS handshake data.
The 'cxa1' handler parses the request and initiates the handshake from
the client. This handshake is exchanged via the 'cck1' protocol and
serves to prove to the server that the client has access to the required
private key.
Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
Previous to this --dns and DNS related --dhcp-options shared the same
code to apply the settings to Windows and macOS systems. So, both
options were pretty much just aliases, with --dns offering more and
finer grained settings that were mostly ignored.
Now --dhcp-options are applied the way they have always been and --dns
does it its own - the new - way. Reason for this behavioral change is
foremost that we want it to be the same between openvpn version 2 and
version 3. But there are also a few new features (e.g. DNSSEC), previously
not present with the --dhcp-options.
The name server and split-domain configuration is exclusively set via
NRPT on Windows, since it overrules any other resolver setting. If there
is no split DNS configured and all domains are resolved using the pushed
name server, we make sure that local domain names are still resolvable by
adding so called exclude NRPT rules, that make sure local domains get
resolved by their local DNS resolvers.
Since Windows does not know about alternative secure transports, the
'transport' and 'sni' settings are ignored.
For macOS the 'dnssec' setting is ignored in addition to that. Besides
that not much does change on that platform. In case of --dns options the
explicit values are used now. The API in use may be changed at a later time.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Functions from_utf8() and to_utf8() added one extra '\0' glyph to the
output string, i.e. if the input basic_string::size() was 8 the output
was 9. Normally this would not make a difference since for most string
usage, as the extra NUL at the end would mostly be ignored. However if
you used the output string to append to another string the extra NULs
were actually also appended, resulting in a string with embedded NUL
characters. Which is a problem with the next use case.
The pack_string_vector() function failed to produce a wide MULTI_SZ
string from a vector of strings, unlike advertised. The extra NUL
actually led to the MULTI_SZ string always being terminated after the
first string. Besides that, the function actually never terminated the
MULTI_SZ in the first place and also failed to handle empty vectors
gracefully.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
OpenVPN uses a idiosyncrasy that all ciphers are uppercase but none is
spelt lowercase and excepts this idiosyncrasy also in IV_CIPHERS
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The reauthentication logic differs from openvpn2
and the code is a bit hard to follow. Simplify
the code and make it behave like in openvpn2.
- password is cached by default
- password is purged when auth-nocache is presented in a local config or pushed
- when AUTH_FAILED is received and we have no session-id, throw a fatal error
- when AUTH_FAILED is received and user interaction is required for
authentication (MFA), throw a fatal error
- when AUTH_FAILED is received, user interaction is not required
for authentication and either we have a cached password OR password is not
needed, we reconnect.
Password is "needed" when non-empty password is provided.
User interaction is required for static/dynamic challenge and SAML.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
We currently accept cipher none as pushed cipher when legacy ciphers are
enabled but do not announce support for it in IV_CIPHERS. This means we
currently display inconsistent behaviour. Servers that ignore IV_CIPHERS
can use none but server that are correctly working cannot.
With compression logic now being able to be tuned at runtime the
different executable to allow a different define for the compression
log level is no longer needed.
Prefix the defines of test_proto.cpp with PROTO_ to avoid collision of
these very generic named defines
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The openvpn3-linux ships with a netcfg-cli client, which is essentially
the same code as test/ovpncli/cli.cpp but it uses the
net.openvpn.v3.netcfg D-Bus service to create the virtual network
adapter and the related network and DNS configuration. This is a useful
test client when only wanting to test the Network Configuration service
openvpn3-linux ships with.
As part of the refactoring of the D-Bus implementation in
openvpn3-linux, the supporting D-Bus setup needs to be adjusted to the
new D-Bus API.
It has been considered to support both types of APIs, but the legacy
D-Bus API is deprecated and will not be used any more after the release
of OpenVPN 3 Linux v22_dev. Prior releases will depend on an older
OpenVPN 3 Core library version, which contains the old API.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Currently the protocontext is used as kind of composition but not really
and makes following the code harder, since this inheritance not only serves
for composition but also as callbacks through virtual method inheritance.
Making ProtoContext a normal field and definining a callback interface makes
the class relationship easier to understand.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
When correcting conversion issues in RouteBase a to_string bug was
introduced which caused some characters to be escaped when inserted
to the string, for example a prefix_len of 0 would render as "\0"
rather than inserting '0'. The std::ios::binary flag does not seem
to prevent this for std::ostringstream so I have cast the data member
up to uint16_t which should be safe, and solves the issue.
Added a unit test to demonstrate the issue. Old code output was
"0.0.0.0/\0", now outputs "0.0.0.0/0" as expected.
Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
The sys/socket.h header is not available on Windows. This issue was
introduced in commit 1b4f736bb9, so the same fencing used in
that commit was also added around the #include statement.
Signed-off-by: David Sommerseth <davids@openvpn.net>
ERR_INVALID_OPTION_DNS -- invalid value for some of DNS\Domain options
ERR_INVALID_OPTION_CRYPTO -- invalid value for some of SSL\Crypto option
ERR_INVALID_CONFIG -- missing option or not supported option
ERR_INVALID_OPTION_PUSHED -- pushed to server option error
ERR_INVALID_OPTION_VAL -- invalid value for some general option
Signed-off-by: Illia Polishchuk <illia.polishchuk@openvpn.com>
This also move the building IV_HWADDR peer info variable to the point
that the server address is actually available.
This also avoids failing to connect when push-peer-info is enabled and
there is no IPv4 default gateway. The new code will always pick the device
that holds the route to the current remote.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Config
client
pull
was not correctly handled like client + tls-client
since the code short-circuited if tls-client wasn't set
and so didn't touch pull option.
Github: #277
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Always use find_package for all libraries.
Add missing Find*.cmake modules.
Always define an IMPORTED library in Find*
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit d7b3419f8e)
This makes it easier to see what is going on when looking at
individual CMakeLists.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 4c81069564)
- Increase required version to 3.10. That is the version in
Ubuntu Bionic and currently the oldest one we still want
to support.
- Enable CTest for test target
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 50271ee02a)
