Before the OpenSSL 1.1 conversion, we used HMAC_CTX as a field and the
variable initalised to signal if it is initialised. Since it
got converted to a pointer with OpenSSL 1.1 we can remove the
initialised variable just check if ctx != nullptr if it is initialised.
HMAC_CTX_free is (like free()) also allowed on a nullptr.
This also fixes a ctx might not be initialised warning on Fedora 31
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Since the memory layout of the IPAddr class has the field ver behind
the union of u.v4 and u.v6, the whole u is always guaranteed to be
valid and can be copied. This avoid the compiler warning that
u.v6[1] might be undefined.
Also initialise the union u by default.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
If HTTPCLI_RANDOMIZE_RESULTS_REQUIRED is defined, cause a compile-time
error if Asio is not compiled with results.randomize() method.
If HTTPCLI_RANDOMIZE_RESULTS_REQUIRED is NOT defined, opportunistically
compile results.randomize() usage only if available in Asio.
Signed-off-by: James Yonan <james@openvpn.net>
This is used to enable connectivity to a different remote
when force-tunneling is used and current VPN connection is broken.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
This method generates /sbin/route commands which
create and delete bypass route for given host.
It is needed to enable connectivity to a different remote
when force-tunneling is used and current VPN connection is broken.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Our OpenSSL init code depends on calling the OpenSSL init code
from ASIO. Fortunately that init code is no longer needed with
OpenSSL 1.1.0+, so remove the call and dependency when we are
using OpenSSL 1.1.0+
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Implemented as in openvpn2.
If --management option includes "stdin",
client immediately prompts for password.
When there is incoming OMI connection, client
prompts for password and, if it doesn't match
the one entered via stdin, closes OMI connection.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
* HTTP client and server now support unix domain sockets
via AsioPolySock abstraction.
* HTTP server now supports Basic auth credentials.
* HTTP server now supports peercred authentication
over unix domain sockets.
* HTTP server now supports file creation permission
bits on unix domain socket.
* Added udstest tool to test HTTP client over unix domain
sockets.
The original commit has some unintended side effects
that break server-side code.
This commit tries a different approach: do an early
return from http_in() when buffer size is zero.
Signed-off-by: James Yonan <james@openvpn.net>
I observed a case where http_in() (running as a client) called
parent().base_http_done_handler() twice for the same transaction!
Normally the 'ready' var blocks this sort of behavior, but with
a high-speed persistent session, the 'ready' var can transition
so quickly as to create a window for a double-done race.
The fix is to use a more robust filter against unsolicited input
after base_http_done_handler() is called by setting rr_status to
REQUEST_REPLY::Parser::undefined. This value is never matched
in httpcommon, so it effectively turns http_in() into a no-op when
set.
There is also the question of whether unsolicited input should
be considered a fatal error on a persistent session. It probably
should, but this fix focuses on a corner case where http_in()
is called with a zero-length buffer, presumably from the SSL/TLS
layer.
Signed-off-by: James Yonan <james@openvpn.net>
