Rename BufferAllocated --> BufferAllocatedRc
Buffer: split RC from BufferAllocated
Also make changes as needed where BufferAllocated is used
Buffer: Split allocation flags into own struct
Leaving the flags in the template causes each alias to have identical flags
under different names, which requires each type to pointlessly use
the nested name.
Make RC: Clean up headers buffer.hpp, make_rc.hpp
Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
Split the implementation of the packet counter into the one for normal packet IDs,
which includes the "weird" long format for the long 64-bit packet IDs used
in tls-auth and tls-crypt, and a simplified implementation for AEAD that
only does 32-bit and 64-bit flat counters.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This is part of a series of patches instrumenting crash checks.
Classes that implement SendBase can optionally collect debug
information for various scenarios, and create a string here that
presents them in human-readable form when requested.
Signed-off-by: Razvan Cojocaru <razvan.cojocaru@openvpn.com>
This change is intended to safeguard against potential
post-stop() management activity that could result in
the management agent getting into a bad state.
Signed-off-by: James Yonan <james@openvpn.net>
In the code base three different syntaxes for overriding virtual member
functions could be found:
1) virtual ... override
2) virtual ...
3) ... override
This converts all of them to the third syntax, as recommended by the ISO
C++ core guidelines in C.128
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Instead of silently ignoring errors in control channel messages and removing
invalid characters, we should be more strict and reject these messages.
A similar change has also been submitted to OpenVPN 2.x.
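As an added illustration of the policy change described in that message (this is example code written for this page, not the OpenVPN 3 control channel parser): a lenient sanitizer that strips disallowed bytes is compared with a strict parser that fails closed. The allowed character set (printable ASCII, 0x20..0x7E) and the `PUSH_REQUEST` dispatcher are assumptions made for the example; the project's actual character rules may differ.

```cpp
#include <iostream>
#include <optional>
#include <string>

// Assumption for this example: a control channel message is acceptable only
// if every byte is printable ASCII (0x20..0x7E). The real project may use a
// different set; the point is the policy (strip vs. reject), not the set.
static bool allowed(unsigned char c) { return c >= 0x20 && c <= 0x7E; }

// Lenient handling: strip what we do not like and carry on. The caller never
// learns the input was malformed, and the stripped result can be a different,
// valid-looking message than the one the peer actually sent.
std::string sanitize_lenient(const std::string& raw) {
    std::string out;
    for (unsigned char c : raw)
        if (allowed(c)) out.push_back(static_cast<char>(c));
    return out;
}

// Strict handling: fail closed. Any disallowed byte rejects the whole message
// (std::nullopt); nothing is silently rewritten.
std::optional<std::string> parse_strict(const std::string& raw) {
    for (unsigned char c : raw)
        if (!allowed(c)) return std::nullopt;
    return raw;
}

// Toy dispatcher showing what each policy would act on.
// Returns the recognised command, "unknown", or "rejected".
std::string dispatch(const std::string& raw, bool strict) {
    std::string msg;
    if (strict) {
        auto m = parse_strict(raw);
        if (!m) return "rejected";
        msg = *m;
    } else {
        msg = sanitize_lenient(raw);
    }
    if (msg == "PUSH_REQUEST") return "PUSH_REQUEST";
    return "unknown";
}

int main() {
    // Constructed sample: "PUSH_REQUEST" with a control byte spliced into it.
    const std::string tampered("PUSH_\x01REQUEST", 13);
    std::cout << "lenient: " << dispatch(tampered, false) << "\n"; // PUSH_REQUEST
    std::cout << "strict:  " << dispatch(tampered, true) << "\n";  // rejected
}
```

The lenient path turns a malformed message into a well-formed command and acts on it; the strict path drops it and leaves the decision of how to treat a misbehaving peer to the caller.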
Currently the ProtoContext is used as a kind of composition but not really,
and that makes following the code harder, since this inheritance serves not only
for composition but also as callbacks through virtual method inheritance.
Making ProtoContext a normal field and defining a callback interface makes
the class relationship easier to understand.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Currently PG only allows either sending or withholding the reason to the
client, but there are certain circumstances where you want to have a more
detailed internal reason but still want to send some reason to the
client.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Some systems like to see the mapped IPv4 addresses as real IP addresses.
This commit adds the ability to show IP addresses as such.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
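An added example of the rendering described above, written for this page and not taken from the OpenVPN 3 code base: an IPv4-mapped IPv6 address (`::ffff:a.b.c.d`, RFC 4291 section 2.5.5.2) is shown as the plain IPv4 it carries when `unmap` is set. The `render_addr` and `acl_allows` functions are assumptions for the example; the second one shows the practitioner's reason to care, namely that an IPv4 allow-list entry does not match a dual-stack peer until the mapped form is unmapped.

```cpp
#include <arpa/inet.h>
#include <netinet/in.h>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <optional>
#include <string>

// True if a is in ::ffff:0:0/96, the IPv4-mapped IPv6 range (RFC 4291, 2.5.5.2).
static bool is_v4_mapped(const in6_addr& a) {
    static const uint8_t prefix[12] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff};
    return std::memcmp(a.s6_addr, prefix, sizeof prefix) == 0;
}

// Parse text as IPv4 or IPv6 and return its display form. With unmap set, an
// IPv4-mapped address is shown as the plain IPv4 it carries; otherwise it is
// shown as inet_ntop renders it. Returns nullopt for unparseable input.
std::optional<std::string> render_addr(const std::string& text, bool unmap) {
    char buf[INET6_ADDRSTRLEN];
    in_addr v4{};
    if (inet_pton(AF_INET, text.c_str(), &v4) == 1) {
        if (!inet_ntop(AF_INET, &v4, buf, sizeof buf)) return std::nullopt;
        return std::string(buf);
    }
    in6_addr v6{};
    if (inet_pton(AF_INET6, text.c_str(), &v6) != 1) return std::nullopt;
    if (unmap && is_v4_mapped(v6)) {
        in_addr inner{};
        std::memcpy(&inner, v6.s6_addr + 12, 4);   // low 32 bits hold the IPv4
        if (!inet_ntop(AF_INET, &inner, buf, sizeof buf)) return std::nullopt;
        return std::string(buf);
    }
    if (!inet_ntop(AF_INET6, &v6, buf, sizeof buf)) return std::nullopt;
    return std::string(buf);
}

// Why the display form matters: an allow-list written in IPv4 notation only
// matches a peer seen through a dual-stack socket once both sides are
// canonicalised the same way (hypothetical helper for this example).
bool acl_allows(const std::string& acl_entry, const std::string& peer, bool unmap) {
    auto a = render_addr(acl_entry, unmap);
    auto p = render_addr(peer, unmap);
    return a && p && *a == *p;
}

int main() {
    std::cout << render_addr("::ffff:192.0.2.10", true).value_or("?") << "\n";   // 192.0.2.10
    std::cout << (acl_allows("192.0.2.10", "::ffff:192.0.2.10", false) ? "match" : "no match") << "\n";
    std::cout << (acl_allows("192.0.2.10", "::ffff:192.0.2.10", true) ? "match" : "no match") << "\n";
}
```

The hex spelling `::ffff:c000:20a` and the dotted spelling `::ffff:192.0.2.10` are the same address, which is one more reason to compare parsed addresses rather than strings.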
This adds the capability to implement a custom app-level protocol
that supports message passing over the OpenVPN control channel.
The protocol is agnostic to the data that is transported over it,
and the message splitting/reassembly is handled transparently by the
OpenVPN library itself.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This is an obscure and never-used feature to trigger sending
the SSO web auth URL from the client instead of the server.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
By default, the Netblock constructor already sets the server
gateway to the .1 address of the subnet, but the new method
override_server_gw() can now be used to override that
setting.
Signed-off-by: James Yonan <james@openvpn.net>
-- disambiguate new_obj(): new_man_obj(), new_tun_obj
-- remove obfuscatory typedef <class> Base; use <class>
-- in servproto.hpp typedef ProtoContext::ProtoConfig to ProtoConfig
since Arne's already disambiguated Config
-- disambiguate Link<>: TCPLink<>, UDPLink<>
Added TODO comment on unneeded version of control_net_recv()
Signed-off-by: Mark Deric <jmark@openvpn.net>
The psid cookie defense is designed to thwart resource exhaustion and
amplification attacks wherein a malicious client sends the server a
flood of CONTROL_HARD_RESET_CLIENT_V2 packets with spoofed source
addresses. This patch allows the server to defer client tracking
state creation until the client responds to the server's
CONTROL_HARD_RESET_SERVER_V2 message.
Signed-off-by: Mark Deric <jmark@openvpn.net>
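The deferral described in that message is the same idea as a TCP SYN cookie: answer the first packet with a value the server can later recompute, and allocate per-client state only when the peer echoes it back, which a source-spoofing flooder cannot do. The following is an added, generic sketch of that defense written for this page; it is not the OpenVPN 3 psid cookie implementation, whose cookie layout is not described here. Assumptions made for the example: the `Peer` stand-in for a socket address, the cookie input (address, port, client session id, coarse epoch), SipHash-2-4 as the keyed PRF, and acceptance of the current and previous epoch.

```cpp
#include <cstdint>
#include <cstring>
#include <iostream>
#include <unordered_map>

// SipHash-2-4 (Aumasson/Bernstein), used as the keyed PRF for the cookie.
static inline uint64_t rotl64(uint64_t x, int b) { return (x << b) | (x >> (64 - b)); }
static inline uint64_t load_le64(const uint8_t* p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; --i) v = (v << 8) | p[i];
    return v;
}
uint64_t siphash24(const uint8_t* in, size_t len, const uint8_t key[16]) {
    const uint64_t k0 = load_le64(key), k1 = load_le64(key + 8);
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0, v1 = 0x646f72616e646f6dULL ^ k1,
             v2 = 0x6c7967656e657261ULL ^ k0, v3 = 0x7465646279746573ULL ^ k1;
    auto round = [&] {
        v0 += v1; v1 = rotl64(v1, 13); v1 ^= v0; v0 = rotl64(v0, 32);
        v2 += v3; v3 = rotl64(v3, 16); v3 ^= v2;
        v0 += v3; v3 = rotl64(v3, 21); v3 ^= v0;
        v2 += v1; v1 = rotl64(v1, 17); v1 ^= v2; v2 = rotl64(v2, 32);
    };
    size_t i = 0;
    for (; i + 8 <= len; i += 8) {
        const uint64_t m = load_le64(in + i);
        v3 ^= m; round(); round(); v0 ^= m;
    }
    uint64_t b = static_cast<uint64_t>(len) << 56;   // final block: tail bytes plus length
    for (size_t j = 0; i + j < len; ++j) b |= static_cast<uint64_t>(in[i + j]) << (8 * j);
    v3 ^= b; round(); round(); v0 ^= b;
    v2 ^= 0xff;
    round(); round(); round(); round();
    return v0 ^ v1 ^ v2 ^ v3;
}

struct Peer { uint32_t ip; uint16_t port; };   // constructed stand-in for a socket address

// Server side of a stateless handshake cookie (assumed design, not OpenVPN's).
// The "server session id" returned in the reset reply is derived from the peer
// address, the client's session id, a secret key and a coarse epoch, so nothing
// is stored until the client proves it receives at that address by echoing it.
class CookieServer {
public:
    explicit CookieServer(const uint8_t k[16]) { std::memcpy(key_, k, 16); }

    // Step 1: a client hard-reset arrives. Allocate nothing; return the cookie
    // that goes out as our session id in the server hard-reset.
    uint64_t on_client_reset(const Peer& p, uint64_t client_sid) const {
        return cookie(p, client_sid, epoch_);
    }

    // Step 2: the client's next packet echoes our session id. Only a valid
    // cookie for this peer (current or previous epoch) creates session state.
    bool on_client_reply(const Peer& p, uint64_t client_sid, uint64_t server_sid) {
        const bool ok = server_sid == cookie(p, client_sid, epoch_) ||
                        (epoch_ > 0 && server_sid == cookie(p, client_sid, epoch_ - 1));
        if (!ok) return false;
        sessions_[server_sid] = p;
        return true;
    }

    void rotate_epoch() { ++epoch_; }                // bounds how long a cookie stays valid
    size_t session_count() const { return sessions_.size(); }

private:
    uint64_t cookie(const Peer& p, uint64_t client_sid, uint64_t ep) const {
        uint8_t buf[4 + 2 + 8 + 8];
        std::memcpy(buf, &p.ip, 4);
        std::memcpy(buf + 4, &p.port, 2);
        std::memcpy(buf + 6, &client_sid, 8);
        std::memcpy(buf + 14, &ep, 8);
        return siphash24(buf, sizeof buf, key_);
    }
    uint8_t key_[16];
    uint64_t epoch_ = 0;
    std::unordered_map<uint64_t, Peer> sessions_;
};

int main() {
    uint8_t key[16];
    for (int i = 0; i < 16; ++i) key[i] = static_cast<uint8_t>(0xa0 + i);   // constructed key
    CookieServer srv(key);
    // Spoofed flood: 10000 resets from addresses that will never answer.
    for (uint32_t i = 0; i < 10000; ++i) srv.on_client_reset(Peer{0x0a000000u + i, 1194}, i);
    std::cout << "sessions after flood: " << srv.session_count() << "\n";   // 0
    // A legitimate client completes the round trip and gets state allocated.
    Peer c{0xc0a80105u, 40000};
    uint64_t sid = srv.on_client_reset(c, 0x1234);
    std::cout << "legit accepted: " << srv.on_client_reply(c, 0x1234, sid) << "\n";   // 1
}
```

Two caveats a practitioner would check in any real version: the cookie must fit in whatever session-id field the protocol already carries (here 64 bits), and the server must rotate the epoch on a clock so that a captured cookie stops working; accepting the previous epoch keeps a legitimate client whose reply straddles a rotation from being bounced.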
This refactoring moves all generic methods into SendBase
that are independent of VPN protocol, while OpenVPN
protocol-specific methods will remain in Send.
Signed-off-by: James Yonan <james@openvpn.net>
The name Config is very generic and often leads to confusion which
class in particular is used in a given context. Rename Config to
ProtoConfig to give some more clue about the context.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This is the result after running 'clang-format -i' on all C++ files and
headers, with the defined formatting rules in .clang-format.
Only the openvpn/common/unicode-impl.hpp has been excluded, as that is
mostly a copy of an external project.
Signed-off-by: David Sommerseth <davids@openvpn.net>
VPN Binding Profiles (previously committed as VPN Connection
Profiles) contain information on an active VPN client session
such as local VPN IPs, gateway, and DNS resolver addresses
that can be directly used by higher-layer HTTP/REST-API
clients to (a) ensure that sessions are routed over the VPN,
and (b) privately use the VPN-server-pushed DNS resolvers
without publishing them in /etc/resolv.conf.
Signed-off-by: James Yonan <james@openvpn.net>
A VPN connection profile is basically a JSON representation
of the server-pushed parameters of a VPN session such as
VPN IPs, Gateway IPs, and DNS servers. It can be obtained
on the client via TunBuilderCapture::to_json().
This patch allows an HTTP client or server to bind to the
VPN connection profile, so that the VPN IP is used as the
local address, the Gateway IP is optionally used as the
destination address, and DNS lookups are performed using
the pushed DNS servers (without needing to overwrite
/etc/resolv.conf).
For example, suppose the VPN connection profile
is in /pg/uplink-connection-info
Then we can bind to the VPN IP addresses on the server side:
http-listen @/pg/uplink-connection-info 8443 tcp4 ssl
http-listen @/pg/uplink-connection-info 8443 tcp6 ssl
Or connect to a remote REST API using the VPN session
and VPN server-provided resolvers.
<aws-client>
host mybucket.s3.amazonaws.com
port 443
vpn-connection-info /pg/uplink-connection-info
...
</aws-client>
Signed-off-by: James Yonan <james@openvpn.net>
AllowVPNClientConnectionProfile tells us to support the
special address case for WS::ViaVPN, where the address
begins with '@' followed by a client connection
profile filename.
Signed-off-by: James Yonan <james@openvpn.net>
This removes the feature of allowing a directive to be a
prefix, but I didn't find any users of this method that
require it.
Signed-off-by: James Yonan <james@openvpn.net>
Change method signature from
void Protocol::mod_addr_version(const IP::Addr&)
to
void Protocol::mod_addr_version(const IP::Addr::Version)
This is done in preparation for allowing to override the protocol
version of a RemoteList::Item, where mod_addr_version() will be used.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Renamed expand_ports() to expand_ports_by_n_threads() and
added expand_ports_by_unit(). Both methods extend a set
of Listen::Item entries to span a port range.
Signed-off-by: James Yonan <james@openvpn.net>