* origin/releaseprep/3.10:
Do not reject control message with trailing newlines
aws: account for RandomAPI change
Allow disabling TLS 1.3 in certcheck to more easily debug problems
Implement changes to allow test dpc certcheck to be tested
Allow setting a maximum TLS version
Change cxa1 protocol tag to dpc1
Fix spelling errors raised by Debian linter
mac agent: reinstall host route during restart
Preparing QA cycle for OpenVPN 3 Core library release v3.10
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
We are now only initializing TLS-related objects if TLS auth mode
is enabled.
This fixes internal Jira issue PG-122.
Signed-off-by: Razvan Cojocaru <razvan.cojocaru@openvpn.com>
The previous fix to reject invalid control messages was a bit too aggressive
as scripts often accidentally include an extra newline at the end of the
control message.
Jira: OVPN3-1225
Signed-off-by: Arne Schwabe <arne@openvpn.net>
- Remove dependency build. For normal use cases on a
recent distro, installing all dependencies from distro
should be fine. Tested on Ubuntu 20.04 (mbedTLS too old,
otherwise okay) and Ubuntu 22.04.
- Document more dependencies. With the added dependencies a
clean build and ctest run is possible starting with the
default ubuntu:<version> containers.
- Use ninja. We use this for all of our non-VC builds, so
recommend it here as well.
Based on a smaller change proposed in Github#301
by Scruel Tao.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
This is something useful for debugging. We do not expose this feature
to avoid it being used for real connections.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Prior to this branch the various instances of the LoggerMixin were
coincidentally shared, depending on whether the default levels had
the same values in the template arguments or not. Since it's not clear
this sharing was intended or accidental I made it possible to tag if
desired to ensure the similarly tagged instances are unique.
The host route to the VPN server disappeared when a mac client, using
the agent, was reconnecting. That was causing --redirect-gateway tunnels
to break because no traffic could be sent anymore. The cause of this was
some internal state in the agent not being reset when the utun device
is temporarily removed during the restart.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
log_level() was returning a function (log_.log_level instead
of log_.log_level()). Now fixed.
Signed-off-by: Razvan Cojocaru <razvan.cojocaru@openvpn.com>
This is reusing the auth pending method as this is just another method where
the final authentication decision is pending on some results. In this case,
custom messages go back and forth. This can be tested using
client-pending-auth 5 1 "ACC:1000 A:6 cck1:certcheck:cxa1:fortune" 60'
with OpenVPN 2.x servers easily.
Also correctly use ClientEvent::Base::Ptr with the ClientEvents to avoid
problems with not correctly using RCPtr.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Commit 0c5e356 ("Simplify client options classes") has
indeed simplified options handling by consolidating
options into the base class. However, the "disable_client_cert"
option was copied, not moved, from its original location.
As a consequence, it became broken.
Fix by removing the unneeded copy of this option and using the
one from the correct location in the options base class.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Instead of silently ignoring errors in control channel messages and removing
invalid characters, we should be more strict and reject these messages.
A similar change has also been submitted to OpenVPN 2.x.
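The stricter check described above, combined with the trailing-newline tolerance from the earlier "Do not reject control message with trailing newlines" commit, as an added C++ illustration that is not OpenVPN's own code; the accepted character set (printable 7-bit ASCII) and the function and struct names are assumptions:

```cpp
#include <cstddef>
#include <string>

// Result of validating one control-channel message (constructed for this example).
struct ControlMessageCheck
{
    bool accepted;          // true if the message passed validation
    std::string cleaned;    // message with trailing newlines stripped (empty if rejected)
    std::size_t bad_offset; // offset of the first rejected byte, npos if accepted
};

// Reject any non-printable byte instead of silently dropping it, but tolerate
// newlines at the very end of the message, since scripts commonly append one.
inline ControlMessageCheck check_control_message(const std::string& msg)
{
    // Strip trailing newlines only; an embedded newline is still an error.
    std::size_t end = msg.size();
    while (end > 0 && msg[end - 1] == '\n')
        --end;

    for (std::size_t i = 0; i < end; ++i)
    {
        const unsigned char c = static_cast<unsigned char>(msg[i]);
        // Assumed rule: control characters, DEL and anything outside 7-bit ASCII are rejected.
        if (c < 0x20 || c >= 0x7f)
            return {false, std::string(), i};
    }
    return {true, msg.substr(0, end), std::string::npos};
}
```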
Clients need access to the server VPN CA for whitelisting reasons,
so it is now available inside the EvalConfig structure. Implemented
the change and added a unit test for same.
Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.net>
The syslog.h UNIX header already #defines LOG_{DEBUG, INFO} as
log-level constants, which means that we can't have code that
includes both openvpn/log/logger.hpp and syslog.h.
This patch renames all the LOG_<LEVEL>() macros to
OVPN_LOG_<LEVEL>(), to hopefully eliminate "macro already defined"
conflicts in the future.
Signed-off-by: Razvan Cojocaru <razvan.cojocaru@openvpn.com>
This allows debugging the certificates the server sends. I did this as a hack
two times before. I think it is now time to get this officially in.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Compilers will otherwise complain about unused function when this header
is included in a compilation unit that only uses a subset of the functions
(e.g. in a unit test).
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Before this commit traffic to loopback was limited when only DNS
(port 53) was blocked, due to the "not loopback" match condition being
replaced instead of the match condition being made more specific.
This broke the client option to override access to DNS servers listening
on loopback.
To fix this three things are done:
1) do not add DNS block rules if the override option is active.
2) explicitly block port 53 on loopback, except when the override
option is active.
3) remove the implicit block of port 53 on loopback and instead let
the firewall rule for non-loopback devices only.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
This also moves some of the responsibility from ClientProto to
OpenVPNClient. This plays better with the EPKI implementation and also
does not break the idea of the current certcheck implementation as we now
just give the certcheck in client protocol a preconfigured SSL Config instead
of all the certificates individually.
The implementation would previously return the alias the client library
requested to use but would not allow multiple different
external aliases to be correctly used. This adds support to have the
correct alias being used as part of the signature callback.
Instead of relying on passing an empty domain name into the NRPT class
for the '.' rule not to be created, skip calling the NRPT code
altogether. Since there's no rule generated in the case where local
resolvers should be used when no split DNS is to be configured, skipping
the NRPT call is more readable and less magic, when viewed from the
setup class. Also more effective during runtime.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
This is meant to help with the following scenario: main thread
creates secondary threads, each secondary thread asks the context
store for its own context, then goes into a "forever" scheduling
loop. Main thread waits for the secondary threads to finish, and
owns the context store. It would be nice to be able to have yet
another thread (say, a SIGINT handler) be able to call .stop()
on all the contexts managed by the context store, thus being able
to end the loops in the secondary threads and allow the main
thread to exit.
Signed-off-by: Razvan Cojocaru <razvan.cojocaru@openvpn.com>
Allow setting a program to get root (e.g. "sudo").
This allows running the sitnl tests via ctest.
Only required on Linux, since those tests are
Linux-only.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>