Fixed one issue while at it, with parse() not clearing
the username and password arguments.
The general issue that overflow doesn't throw is reflected in
a disabled test. This will need to be fixed in SplitLines,
probably.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
The psid cookie defense is designed to thwart resource exhaustion and
amplification attacks wherein a malicious client sends the server a
flood of CONTROL_HARD_RESET_CLIENT_V2 packets with spoofed source
addresses. This patch allows the server to defer client tracking
state creation until the client responds to the server's
CONTROL_HARD_RESET_SERVER_V2 message.
Signed-off-by: Mark Deric <jmark@openvpn.net>
The undefined behavior is unary negation of T:min of a signed type
attempting to get a positive value of the same signed type.
This commit adds a unit test that exposes the original bug as well as
a fix for it.
Signed-off-by: Mark Deric <jmark@openvpn.net>
This fixes deprecation warnings with latest CMake.
("Compatibility with CMake < 3.5 will be removed
from a future version of CMake.")
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
When the test/ssl/proto was migrated to a unit test, all the
build time tuneables for changing the test scope got lost.
This change re-introduces these parameters in the appropriate
CMakeLists.txt. Further, it adds an improved README in .rst format
that describes the parameters; this is based on the original README
file in test/ssl.
In addition, it adds improved handling of the directory where the test
certificates and key files are located; now they can be adjusted more
easily.
Signed-off-by: Mark Deric <jmark@openvpn.net>
The new test file, test_proto.cpp, is moved from test/ssl/proto.cpp
and only minimally changed. The 2nd executable is based upon
core_tests.cpp, same as the 1st executable. But note that the CMake
file has differences between the executables.
Signed-off-by: Mark Deric <jmark@openvpn.net>
Always use find_package for all libraries.
Add missing Find*.cmake modules.
Always define an IMPORTED library in Find*.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
- Increase required version to 3.10. That is the version in
Ubuntu Bionic and currently the oldest one we still want
to support.
- Enable CTest for test target
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
This commit adds two useful numeric limiting functions in
two headers plus a third supporting header and unit tests.
The unit tests cover all code paths and many conditions
but may not be 100% complete from a viewpoint of
covering all edge cases.
Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.net>
Previously, ConstBuffer was simply a BufferType with a const
data type. However this model, and the fact that BufferType
has a vtable, makes it difficult to efficiently cast Buffer
to ConstBuffer via static_cast without introducing an unsafe
downcast.
This commit tries a different approach by factoring out const
BufferType operations into a new base class ConstBufferType.
In the new model, BufferType inherits from ConstBufferType.
Member functions that treat the underlying data buffer as
const have been moved to ConstBufferType while member
functions that treat it as mutable remain in BufferType.
This makes casting BufferType to ConstBufferType a trivial
upcast while also greatly simplifying const_buffer_ref().
Signed-off-by: James Yonan <james@openvpn.net>
Adds a library method C2os:cast() that converts an iterable container,
i.e., one that can be a range-expression in a range-based for loop,
into a type that can be inserted into an ostream. This only addresses
the container semantics in the ostream insertion. The underlying
contained type T (if the container were stl, the value_type) must work
with ostream<<.
The result of the operator<< insertion is a square bracket enclosed,
comma delimited string of the items in the container. Note that the
commit includes ideas on expanding choices of container rendering
details.
Attribution to James Yonan, who made significant contributions to
expanding the scope of collections and reduced code complexity.
Also to Charlie Vigue, who eliminated the "first" test inside the loop.
Signed-off-by: Mark Deric <jmark@openvpn.net>
This commit removes the ability to pass down the window sizes for ack
windows from the configuration. This capability was never used and
instead the receive and send window were both hardcoded at 4. Also
change the receive window to 12 and the send window to 6 like
OpenVPN 2.6 does.
Also to improve control channel reliability, resend previous ACKs in MRU
fashion if there is still room for them in a control channel packet.
This patch is based on a patch that was written
by Charlie Vigue <charlie.vigue@openvpn.net>.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The tests in common were based on running main(); the tests have been
converted to the gtest framework and are now part of the automated
unit test suite.
Signed-off-by: Mark Deric <jmark@openvpn.net>
Previously, we only supported int64 serial numbers.
This change renames get_sn() method to serial_number_as_int64()
for code that cares about 64-bit serial numbers.
Signed-off-by: James Yonan <james@openvpn.net>
This commit adds several improvements to dealing with unknown options
in client configuration files:
- implement ignore-unknown-option
- categorise the OpenVPN2 options in multiple categories and
warn/error out depending on the category
- error out when unsupported/unknown options are found. This avoids
problems like with --tls-crypt/--tls-crypt-v2 before, where the client
would ignore these options and not connect at all
Signed-off-by: Arne Schwabe <arne@openvpn.net>
As a first step towards DNS configuration in openvpn and a unified way
to push DNS related settings to clients in v2 and v3, this commit adds
support for parsing the new --dns option. Later commits will add support
for setting up DNS on different platforms.
For now, --dns and DNS related --dhcp-option can be used together for
smoother transition. Settings from --dns will override ones from --dhcp-option
where applicable.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
- Test for CAP_NET_ADMIN instead of root.
This correctly skips the test if you're root but have
dropped capabilities, e.g. inside docker.
- Fix TestSetMTU to correctly ignore any additional lines
in the output.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
The old API is deprecated in OpenSSL 3.0 and the new API does not yet
exist in OpenSSL 1.1. Emulating the new API or using one class with
ifdefs would be more complex than just having two implementations. So
this adds a new implementation for OpenSSL 3.0.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This might not be the final fix. Note the extensive code comment
inside the cmake file if(). The comment suggests a potentially better
fix, but it's unlikely.
Signed-off-by: Mark Deric <jmark@openvpn.net>
Removed declared_size_defined in favor of just setting
declared_size to a special value (SIZE_UNDEF) when it's
undefined.
Signed-off-by: James Yonan <james@openvpn.net>
This option lets you specify the SHA256 fingerprint of a peer's self-signed
certificate. The peer's certificate, presented during connection bring-up,
is compared to the fingerprint. The connection fails if it doesn't
match.
So, this serves as an easy, yet secure, alternative to setting up a PKI,
but can also be used in conjunction with one to add one more check during
leaf certificate validation.
The option can also be given as an inline block, for easier management of
multiple fingerprints:
<peer-fingerprint>
00:11:22:33:...:BB:CC:DD:FF
BB:CC:DD:FF:...:00:11:22:33
</peer-fingerprint>
Signed-off-by: Heiko Hund <heiko@openvpn.net>
The CMakeLists.txt settings from the project root directory are
inherited by the defined subdirectories automatically.
Also switch to a simpler way of setting the CMAKE_MODULE_PATH.
According to the CMake documentation, this variable is empty by
default [1] and should not need to pull in existing settings.
Finally remove the comment regarding CMake's use case, as we are
moving towards full CMake support for OpenVPN 3.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Add the option from openvpn2. If given, prepend hostnames
from remote options with six random hex bytes before
DNS resolution takes place, e.g.
host.domain -> e3b17bf7cd57.host.domain
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Use ::CreateIpForwardEntry2() to add route instead of
expensive netsh call. Make it the default choice.
Add unit test.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Commit 941104cf4 refactored the way test files are added, but
broke (disabled) execution of sitnl and cputime tests. Fix that.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
These functions are found in openvpn/mbedtls/pki/x509certinfo.hpp.
This change also adds support to build coreUnitTests against mbed TLS
instead of OpenSSL (default) by providing -DUSE_MBEDTLS=true to cmake.
Signed-off-by: David Sommerseth <davids@openvpn.net>
This adds some basic unit tests for the various functions retrieving
information from an X.509 certificate.
Signed-off-by: David Sommerseth <davids@openvpn.net>
This new VerifyX509Name class handles both extracting and parsing the
appropriate --verify-x509-name option and is able to verify if a given
subject or hostname matches the expectation.
Signed-off-by: David Sommerseth <davids@openvpn.net>
This test attempts to assure that the measurements we get from
openvpn::cpu_time() are within a reasonable range of what we should
normally expect.
This is achieved by using a simple worker thread which ensures the
process is not "idling" (like it would with sleep()) but in a real busy
loop which takes some time. Then we measure the time spent in the busy
loop, both using a simplistic time() and comparing that with what
cpu_time() returns.
This unit test also supports measuring multiple running threads
individually.
Signed-off-by: David Sommerseth <davids@openvpn.net>