With OpenSSL3, these algorithms are no longer allowed. With this change
we do the same regardless of the crypto library. Note that in contrast
to OpenSSL3, we include 3DES in the legacy algorithms here.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
We already load the certificates from the config and need the SSL
library context initialised there to allow loading of keys encrypted
with a legacy algorithm. Also ensure that enable legacy provider is
set before actually attempting to load the private keys.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
- Test for CAP_NET_ADMIN instead of root.
This correctly skips the test if you're root but have
dropped capabilities, e.g. inside docker.
- Fix TestSetMTU to correctly ignore any additional lines
in the output.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
This also makes most of them non-static to avoid the problem that these
functions depend on Initprocess::Init being instantiated before being
called.
Rename the local variables eval to eval_cfg to avoid shadowing the
class field of the same name.
cli -Z <file> is used by automated test scripts to write the
SSO URL to a file rather than launch a browser with the URL.
Recently this behavior changed on Linux where -Z now both
writes the URL to a file and also launches a browser with
the URL. This patch reverts behavior back to only writing
the file.
Signed-off-by: James Yonan <james@openvpn.net>
With OpenSSL 3.0 the name with MD5 no longer makes sense as it affects
not only MD5 but also SHA1 and a number of other settings. So replace the
define with a more fitting name.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This allows us to load non default providers while also not touching
the default library context. This is necessary to have profiles with and
without the legacy library, for example.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The old API is deprecated in OpenSSL 3.0 and the new API does not yet
exist in OpenSSL 1.1. Emulating the new API or using one class with
ifdefs would be more complex than just having two implementations. So
this adds a new implementation for OpenSSL 3.0.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Since IPv4/IPv6 should be treated equally, we should also have
the opportunity to block IPv4. With this change we follow the API
that Android also provides and explicitly tell tunbuilder what to
do with address families that are not used by the VPN. If an
address family is used by the VPN, nothing changes.
This also removes IV_IPV6 as it is not used.
Add cache lifetime related tests.
* define cache-lifetime
* override lifetime via push
* override decayed cache
* make sure unresolvable items are kept during re-run
* make sure indexed items can be updated, with addr index reset
* make sure valid cache entries stay untouched
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Returning a reference can be harmful, since Items can potentially disappear
during lookup of hostnames. Thus, return a refcounted Ptr instead, so
that external references to internal data don't restrict RemoteList in
its daily business.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Since we're now using it to also re-lookup stale RemoteList items the
new name makes more sense. Also changed the NotifyCallback method to
bulk_resolve_done().
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Test that all addresses added from the resolver results are tried,
when iterating through the RemoteList with next().
Signed-off-by: Heiko Hund <heiko@openvpn.net>
This uses the rather lowlevel EVP_* interfaces directly instead of
using OpenVPN's own PKI classes since this is very specific code
and reusability outside the testing scope is very limited.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This might not be the final fix. Note the extensive code comment
inside the cmake file if(). The comment suggests a potentially better
fix, but it's unlikely.
Signed-off-by: Mark Deric <jmark@openvpn.net>
Since in a config file we support both multiple --peer-fingerprint options
and multiple fingerprints within a <peer-fingerprint> section, a
maximum size doesn't make much sense. Other inline sections do not limit
the size either and the individual fingerprint size is checked when
parsing them individually.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
When a test steps on Log::global_log, save and restore previous
Log::global_log so as not to mess up other tests when running a
multiple-compilation-unit build.
Signed-off-by: James Yonan <james@openvpn.net>
Support CR_TEXT type challenge/response exchanges. The challenge flags are
ignored currently, but displayed with the challenge text for debug purposes.
Thus, input is always echoed and it is assumed that a response is
required.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Local DNS resolvers, such as Umbrella Roaming Client,
change DNS settings on adapters to 127.0.0.1.
This may not work with openvpn3 because:
- NRPT rule might be created for "." zone,
which redirects all DNS requests to the server
specified in rule. This takes precedence over adapters'
DNS settings.
- DNS requests might be blocked on all adapters
except TAP (tap-windows6/wintun/ovpn-dco-win) to prevent
DNS leaks.
To enable compatibility with local DNS resolvers, add
"allowLocalDnsResolvers" core config option, which,
when enabled, makes core to
- avoid creating NRPT rule for "." zone
- permit DNS requests to 127.0.0.1 / ::1
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Instead of throwing an exception with --remote-random-hostname, when
no RNG is present during construction, we treat an explicit null RNG
as a choice not to randomize the hosts. To make that choice explicit,
the default value for the RNG is removed, so that callers need to
decide which behavior they want.
Closes #53 in the openvpn3-linux issue tracker.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
In PacketStream, don't validate upper bound on message size
if BufferAllocated::GROW is set, allowing it to range up to
64kb.
Signed-off-by: James Yonan <james@openvpn.net>
Removed declared_size_defined in favor of just setting
declared_size to a special value (SIZE_UNDEF) when it's
undefined.
Signed-off-by: James Yonan <james@openvpn.net>
Useful in unit tests for which the input vector should be properly
sorted by the code under test. This function is very similar to
getSortedJoinedString(), but it avoids sorting. Because of the
similarity, the getSortedJoinedString() function is refactored to use
the new getJoinedString() function.
Signed-off-by: Mark Deric <jmark@openvpn.net>
keepalive_timeout_early defines the keepalive_timeout
parameter early in the connection before the KeyContext
reaches ACTIVE.
It is set via the optional third parameter to the
"keepalive" directive, for example:
keepalive 1 8 4
sets keepalive_timeout_early to 4 seconds. If unspecified,
keepalive_timeout_early defaults to keepalive_timeout.
keepalive_timeout_early is useful on the server side to
reduce the resource footprint of abandoned connections,
and can be tuned to mitigate DDoS and UDP amplification
attacks.
Signed-off-by: James Yonan <james@openvpn.net>
DCO only supports a limited set of ciphers, currently it is
discovered quite late if an unsupported algorithm is configured
(or pushed).
This introduces CryptoAlgs::allow_dc_algs() with which the
supported set of data channel algorithms can be specified.
The DCO code makes use of this, at the time a new_controller()
is created.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Windows agent has been moved from common to core,
so for consistency move mac agent too.
Since agent and agent-enabled client depend on jsoncpp,
also move jsoncpp build scripts.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
By default, the proto test uses a relatively small
handshake_window to intentionally trigger
KEV_NEGOTIATE_ERROR, so that we can test mid-session error
recovery. However if KEV_NEGOTIATE_ERROR is hit on the
first primary key (i.e. first KeyContext with key_id == 0),
it is fatal to the session and will trigger a disconnect.
This change introduces a retry to prevent this
low-probability, false-positive corner case from
blowing up the test.
Signed-off-by: James Yonan <james@openvpn.net>
If DCO support is compiled in, detect if it is available (i.e. Windows driver
or Linux kernel module is loaded) and then use it, if it is.
This changes the default configuration for DCO from off to on, so users of
the library need to set ClientAPI::Config::dco to false in case they do not
want to use dco for a connection.
The change is also reflected in the reference client "ovpncli". If DCO is
enabled in a build, it will detect and use it. The previously available
"ovpncliovpndco" and "ovpncliovpndcowin" clients have thus been removed.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
In case of an assertion throwing an exception decdata would never be
freed from the heap. Use a unique_ptr, so that stack unwinding does the
job in any case.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
The new element ClientAPI::Config::protoVersionOverride can be set
to 4 or 6 respectively, to override the transport protocol IP version
used by RemoteList::Item entries. Clients can force all --remotes
to use IPv4 or IPv6 using this entry, if they know that only one of
the two is available in the current network.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Make it possible to enforce the protocol family by appending 4/6 to
the protocol, e.g. tcp6 or udp4. While it is already possible to
have protocol options like these in the configuration, they are not
enforced so far. Thus you could still be connected to a v6 address
even though the config requested v4 only.
Since v2.3 the openvpn 2.x series behaves like this. So, this is also
to catch up with the behavior there.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
This option lets you specify the SHA256 fingerprint of a peer's self-signed
certificate. The peer's certificate, presented during connection bring-up,
is compared to the fingerprint. The connection fails if it doesn't
match.
So, this serves as an easy, yet secure, alternative to setting up a PKI,
but can also be used in conjunction with one to add one more check during
leaf certificate validation.
The option can also be given as inline block, for easier management for
multiple fingerprints:
<peer-fingerprint>
00:11:22:33:...:BB:CC:DD:FF
BB:CC:DD:FF:...:00:11:22:33
</peer-fingerprint>
Signed-off-by: Heiko Hund <heiko@openvpn.net>
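The two commit messages above describe how --peer-fingerprint entries are collected (multiple option lines plus an inline block, no cap on the count, each fingerprint size-checked individually) and how the peer certificate is checked against them. The following is an added illustration, not OpenVPN 3's own code: a small Python parser and matcher with a constructed config and a constructed stand-in for a DER certificate; all function names are assumptions.

```python
import hashlib
import re

# A SHA256 fingerprint is exactly 32 colon-separated hex bytes.
FINGERPRINT_RE = re.compile(r"^([0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2}$")


def is_valid_fingerprint(fp: str) -> bool:
    """Size/format check applied to every fingerprint individually."""
    return FINGERPRINT_RE.match(fp.strip()) is not None


def normalize_fingerprint(fp: str) -> str:
    """Canonical upper-case form; rejects anything that is not 32 bytes."""
    fp = fp.strip()
    if not is_valid_fingerprint(fp):
        raise ValueError(f"bad peer-fingerprint: {fp!r}")
    return fp.upper()


def parse_peer_fingerprints(config_text: str) -> list:
    """Collect fingerprints from 'peer-fingerprint <fp>' lines and from
    <peer-fingerprint> ... </peer-fingerprint> blocks. There is no limit on
    the number of entries, only on the format of each one."""
    fps, in_block = [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "<peer-fingerprint>":
            in_block = True
        elif line == "</peer-fingerprint>":
            in_block = False
        elif in_block:
            fps.append(normalize_fingerprint(line))
        else:
            parts = line.split()
            if parts[0].lstrip("-") == "peer-fingerprint" and len(parts) == 2:
                fps.append(normalize_fingerprint(parts[1]))
    if in_block:
        raise ValueError("unterminated <peer-fingerprint> block")
    return fps


def cert_fingerprint(der: bytes) -> str:
    """SHA256 over the DER encoding, rendered as AA:BB:...:FF."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def peer_allowed(der: bytes, allowed: list) -> bool:
    """The connection may proceed only if the presented cert matches."""
    return cert_fingerprint(der) in allowed


# Constructed sample input: a stand-in for a DER certificate and a config
# that pins it via an option line plus one more pin in an inline block.
PEER_CERT_DER = b"constructed stand-in for a DER-encoded peer certificate"
OTHER_FP = ":".join(["ab"] * 32)
SAMPLE_CONFIG = f"""remote vpn.example.invalid 1194
peer-fingerprint {cert_fingerprint(PEER_CERT_DER).lower()}
<peer-fingerprint>
{OTHER_FP}
</peer-fingerprint>
"""
```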
The README file had several deprecated ways of building various test
binaries. Clean up this and direct users towards using CMake
everywhere.
The change to test/ssl/CMakeLists.txt covers various build-time
parameters the deprecated build script supported.
Signed-off-by: David Sommerseth <davids@openvpn.net>
The CMakeLists.txt settings from the project root directory are
inherited by the defined subdirectories automatically.
Also switch to a simpler way of setting the CMAKE_MODULE_PATH.
According to the CMake documentation, this variable is empty by
default [1] and should not need to pull in existing settings.
Finally remove the comment regarding CMake's use case, as we are
moving towards full CMake support for OpenVPN 3.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Port script only copies uapi header, same way it is done for tap-windows6.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Extend struct ProvideCreds so that it can also hold HTTP proxy
credentials. This makes it possible to use proxy settings from
options, but provide credentials separately.
This is in contrast to the already existing struct Config::proxy*
which need to be given as a complete set to override eventual
HTTP proxy options.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Add the option from openvpn2. If given, prepend hostnames
from remote options with six random hex bytes before
DNS resolution is taking place, e.g.
host.domain -> e3b17bf7cd57.host.domain
Signed-off-by: Heiko Hund <heiko@openvpn.net>
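The --remote-random-hostname message above and the earlier one about treating an explicit null RNG as "do not randomize" describe the same behaviour from two sides. This added Python sketch is not the project's code: it models the prefix step with an RNG argument that has no default, so the caller must choose, and it assumes (not stated on the page) that IP literals are left untouched since a prefixed literal would not resolve.

```python
import ipaddress
from typing import Callable, Optional

# Callable returning n random bytes; None means "do not randomize".
RandomBytes = Optional[Callable[[int], bytes]]


def randomize_hostname(host: str, rng: RandomBytes) -> str:
    """Return the name to hand to DNS resolution.

    With rng=None the caller explicitly opted out, so the host is returned
    unchanged. Otherwise six random bytes (12 hex chars) are prepended as a
    new leftmost label, e.g. host.domain -> e3b17bf7cd57.host.domain.
    IP literals are returned as-is (assumption made in this example)."""
    if rng is None:
        return host
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    prefix = rng(6)
    if len(prefix) != 6:
        raise ValueError("rng must return exactly six bytes")
    return prefix.hex() + "." + host


def names_to_resolve(remotes: list, rng: RandomBytes) -> list:
    """Apply the option to every remote; rng has no default on purpose."""
    return [randomize_hostname(h, rng) for h in remotes]


# Constructed sample remotes: two hostnames and one IPv4 literal.
SAMPLE_REMOTES = ["host.domain", "vpn.example.invalid", "192.0.2.10"]
```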
Googletest has issues with ASSERT macros in class
constructors or functions/methods that return values,
so we need to create our own suite of ASSERT macros.
Signed-off-by: James Yonan <james@openvpn.net>
To enable logging in new threads, add this line to the
beginning of your thread function:
Log::Context log_context(testLog->log_wrapper());
Signed-off-by: James Yonan <james@openvpn.net>
This test also takes more than one minute to run on my mac with
a debug build and consumes 99% of the time of the test run.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Use ::CreateIpForwardEntry2() to add route instead of
expensive netsh call. Make it the default choice.
Add unit test.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Commit 941104cf4 refactored the way how test files are added, but
broke (disabled) execution of sitnl and cputime tests. Fix that.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Although the init calls were protected by a mutex, with more than one consumer of
the API the second one will fail if the uninit was called too early.
While at it, move from explicit init/uninit calls to RAII.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Add dependency to libnl-genl, which is a C library
for generic netlink communication.
Implement C++ wrapper for libnl-genl, inspired by
ovpn-cli - a test client for ovpn-dco kernel module.
Implement ovpn-dco netlink commands:
- OVPN_CMD_START_VPN - pass transport socket,
protocol (UDP) and mode (client).
- OVPN_CMD_NEW_PEER - pass local and remote
endpoint info.
- OVPN_CMD_PACKET - move (control channel) packets
between userspace and kernel.
- OVPN_CMD_DEL_PEER - sent by kernel when peer is deleted
due to keepalive timeout (causes reconnect) or any other
reason (considered as fatal).
This change allows performing the openvpn handshake and
establishing a connection, which doesn't work yet, since data channel
keys are not passed to the kernel yet.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Add tun/transport client skeleton for ovpn-dco,
which doesn't do any work except creating/removing
ovpn-dco device.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
In preparation of ovpn-dco support, split dco transport
client into two parts:
- generic dco support in dcocli.hpp
- kovpn-specific code in kovpncli.hpp
Add build directory (used by VS Code) to .gitignore
Use #pragma once instead of #ifndef/#define/#endif
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Macro OPENVPN_USE_SITNL should be defined before
inclusion of client/ovpncli.cpp.
Include tuncli.hpp for consistency with mac-specific code below.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
If the OPENVPN_USE_SITNL is defined as compiler arguments or set
earlier if cli.cpp was used in an #include statement, the compiler
would warn about OPENVPN_USE_SITNL being redefined.
We want OPENVPN_USE_SITNL by default, but the code does not need
to explicitly define it if it is already defined.
Signed-off-by: David Sommerseth <davids@openvpn.net>
OpenSSL 1.1+ by default only allows signatures and key exchange from the
default list of X25519:secp256r1:X448:secp521r1:secp384r1. Since in
TLS1.3 key exchange is independent from the signature/key of the
certificates, allowing all groups per default is not a sensible choice
anymore and the shorter list is reasonable.
However, when using certificates with exotic curves the signatures of
these certificates will no longer be accepted. This option allows
modifying the list for these corner cases.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This is needed for the tls-cipher/tls-ciphersuites to have an
initialised OpenSSL when using OpenSSL < 1.1.0
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This option has very likely been added to fix some incompatibilities
between some TLS libraries. But nobody really remembers what it fixes
and its usage today is questionable. So remove the option instead
of supporting an option we cannot even test anymore.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Added a unit test to confirm the fix.
Other changes:
* In Base64 decode(), avoid the use of std::strlen() in favor
of std::string length() method since a std::string could
conceivably contain embedded null chars.
* In Base64 unit test, renamed b64_test_bad() to
b64_test_bad_decode() for clarity.
Signed-off-by: James Yonan <james@openvpn.net>
This is useful for running a command from a worker thread
where signals have been blocked, but we want the child
process to run with the original pre-blocked signal configuration.
Signed-off-by: James Yonan <james@openvpn.net>
The added IV_CIPHER string that we send brought the Frame used in
the proto test client over the 256 byte limit. Change the proto test
to use a larger test frame of 378 bytes.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The Linux filesystem is case-sensitive and all
mingw includes are in lower case. Also use
Linux directory separator, since it works on both
Linux and Windows.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
These functions are found in openvpn/mbedtls/pki/x509certinfo.hpp.
This change also adds support to build coreUnitTests against mbed TLS
instead of OpenSSL (default) by providing -DUSE_MBEDTLS=true to cmake.
Signed-off-by: David Sommerseth <davids@openvpn.net>
This adds some basic unit tests for the various functions retrieving
information from an X.509 certificate.
Signed-off-by: David Sommerseth <davids@openvpn.net>
This new VerifyX509Name class handles both extracting and parsing the
appropriate --verify-x509-name option and is able to verify if a given
subject or hostname is matching the expectation.
Signed-off-by: David Sommerseth <davids@openvpn.net>
This avoids the mistake of using the insecure MTRand in anything but
a unit test and has the advantage that not all MTRand in a unit test
suite report being secure.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
To support the pre unittest tests that compare the output against an
expected output without fully rewriting them, this logger provides a
facility to integrate them in the unit test framework.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This avoids a linkage problem encountered when building core with two
compilation units and OPENVPN_EXTERN being used.
Also adjust core unit tests with regard to the now different extern usage.
This also removes unittest.vcxproj from solution, since
it is deprecated in favor of CMake-based unit tests.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
This test attempts to assure that the measurements we get from
openvpn::cpu_time() are within a reasonable range of what we should
normally expect.
This is achieved by using a simple worker thread which ensures the
process is not "idling" (like it would with sleep()) but in a real busy
loop which takes some time. Then we measure the time spent in the busy
loop, both using a simplistic time() and comparing that with what
cpu_time() returns.
This unit test also supports measuring multiple running threads
individually too.
Signed-off-by: David Sommerseth <davids@openvpn.net>
This introduces experimental support for Wintun
as an alternative for tap-windows6.
In order to use wintun, set "ClientAPI::Config::wintun"
flag to "true" or use "-w" option in test client.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
This takes into use the new TunSetup API which makes it possible to create bypass
routes before establishing a connection.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
There are two ways how Linux tun can be manipulated -
by using iproute2 or netlink. Both implementations have
defined an identical Setup class implementation.
This commit factors out the Setup class from the tun implementations
and templatizes it, which removes the need for duplicated code.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
This uses Windows-specific wchar_t override of std::ifstream
to make it work with UNICODE paths. It is assumed that caller
passes UTF8-encoded string.
To support passing non-ASCII chars via command line, we
read it as wstring and then convert to UTF-8 encoded string.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
This requires cli.cpp to be included in openvpn3-linux build environment
and the right defines set before the test.cpp is included.
This workaround is necessary since the dbus dependencies are not part
of the core and to avoid adding an extra copy of cli.cpp to openvpn3-linux.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The metadata that may be possibly be contained in the WKc has to be
verified by means of a user implemented behaviour.
Implement an abstract class that exports a verify() method to be
used for this purpose.
Users can extend this class and override the verify() method with
their own.
A basic implementation is also provided: it will just ignore the
metadata (if any) and report success to the core.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
On the linux client we need the information to which remote the client
is connecting to query the route information to ultimately discover the
device. On other platforms that do not need this extra information we
ignore the extra arguments.
The API uses std::string and bool instead of passing IPAddr as
the API needs to be understood by Swig/Java and similar methods also opt in
favour of call by value and simple types.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
If the PROF env variable is already set, respect that original value
instead of enforcing a value which might be wrong on the build host.
Signed-off-by: David Sommerseth <davids@openvpn.net>