mirror of https://github.com/OpenVPN/openvpn3.git synced 2024-09-20 04:02:15 +02:00
Commit Graph

3997 Commits

Author SHA1 Message Date
RenovateBot
2ff8029eba chore(deps): update dependency chriskohlhoff/asio to asio-1-30-1 2024-04-10 12:00:45 +00:00
illia.polishchuk
458826d784 Make the inactive behavior similar to openvpn2
By resetting the timer on each incoming packet, we can capture more gaps.
Consider the following examples:

Old logic:
0 seconds: openvpn3 starts with an inactive timeout of 60 seconds.
30 seconds: An ICMP packet was received with 48 bytes.
60 seconds: 48 bytes received for the last 60 seconds, continue...
90 seconds: An ICMP packet was received with 48 bytes.
120 seconds: 48 bytes received...

New logic:
0 seconds: openvpn3 starts with an inactive timeout of 60 seconds.
30 seconds: An ICMP packet was received with 48 bytes.
Inactive timeout reset!
90 seconds: Inactive timeout triggered. Terminating session...

Signed-off-by: illia.polishchuk <illia.polishchuk@openvpn.com>
2024-04-08 12:11:28 +00:00
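The two inactivity policies described in the commit message, as an added example that is not OpenVPN 3 code: both are run over a constructed packet trace so the difference shows up as a termination time. `Packet`, `old_policy_terminates_at`, `new_policy_terminates_at` and `sample_trace` are this example's own names; the choice that a packet arriving exactly at the deadline counts as late is an assumption made here.

```cpp
#include <cstdio>
#include <vector>

// Added illustration, not OpenVPN 3 code: the two inactivity policies from the
// commit message, simulated over a constructed packet trace.
constexpr int kNoTimeout = -1;

struct Packet {
    int t;      // arrival time in seconds since session start
    int bytes;  // payload size
};

// Old policy: every `timeout` seconds, sum the bytes seen in the window that
// just ended and terminate only if that sum is zero. Returns the termination
// time, or kNoTimeout if the session survives until `horizon`.
int old_policy_terminates_at(const std::vector<Packet>& packets, int timeout, int horizon) {
    int window_start = 0;
    for (int check = timeout; check <= horizon; check += timeout) {
        int bytes = 0;
        for (const Packet& p : packets)
            if (p.t >= window_start && p.t < check)
                bytes += p.bytes;
        if (bytes == 0)
            return check;
        window_start = check;
    }
    return kNoTimeout;
}

// New policy: each packet moves the deadline to (arrival + timeout). The session
// is terminated at the first deadline that passes with no packet before it.
// A packet arriving exactly at the deadline counts as too late (assumption).
int new_policy_terminates_at(const std::vector<Packet>& packets, int timeout, int horizon) {
    int deadline = timeout;
    for (const Packet& p : packets) {   // packets must be in arrival order
        if (p.t >= deadline)
            return deadline;
        deadline = p.t + timeout;
    }
    return deadline <= horizon ? deadline : kNoTimeout;
}

// Constructed trace matching the commit message: one 48-byte ICMP packet every
// 60 seconds, each landing in the middle of a 60-second check window.
std::vector<Packet> sample_trace() {
    return {{30, 48}, {90, 48}, {150, 48}};
}

int main() {
    const int timeout = 60, horizon = 180;
    std::printf("old policy terminates at %d\n", old_policy_terminates_at(sample_trace(), timeout, horizon));
    std::printf("new policy terminates at %d\n", new_policy_terminates_at(sample_trace(), timeout, horizon));
}
```

With the sample trace the old policy never fires (every window contains one packet) while the new one fires at 90 seconds, which is the 60-second gap between the 30-second packet and the next one.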
Charlie Vigue
dd115d2e83 Fix RouteBase string formatting bug
When correcting conversion issues in RouteBase a to_string bug was
introduced which caused some characters to be escaped when inserted
to the string, for example a prefix_len of 0 would render as "\0"
rather than inserting '0'. The std::ios::binary flag does not seem
to prevent this for std::ostringstream so I have cast the data member
up to uint16_t which should be safe, and solves the issue.

Added a unit test to demonstrate the issue. Old code output was
"0.0.0.0/\0", now outputs "0.0.0.0/0" as expected.

Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
2024-03-29 03:13:00 +00:00
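The formatting pitfall the commit fixes, reduced to a stand-alone example that is not the RouteBase code itself: a `std::uint8_t` member streamed into an `ostringstream` is inserted as a character, and widening it first is the fix. `DemoRoute`, `to_string_buggy` and `to_string_fixed` are this example's own names.

```cpp
#include <cstdint>
#include <cstdio>
#include <sstream>
#include <string>

// Added illustration, not the RouteBase code itself.
struct DemoRoute {
    std::string addr;
    std::uint8_t prefix_len;   // narrow integer, as a prefix length typically is
};

// The bug: std::uint8_t is unsigned char, so operator<< picks the character
// inserter and writes the byte itself. prefix_len 0 becomes a NUL byte, 24
// becomes the control character 0x18, never the digits.
std::string to_string_buggy(const DemoRoute& r) {
    std::ostringstream os(std::ios::binary);   // the binary flag changes nothing here
    os << r.addr << '/' << r.prefix_len;
    return os.str();
}

// The fix from the commit message: widen to std::uint16_t first, so the
// arithmetic inserter formats the value in decimal.
std::string to_string_fixed(const DemoRoute& r) {
    std::ostringstream os;
    os << r.addr << '/' << static_cast<std::uint16_t>(r.prefix_len);
    return os.str();
}

int main() {
    DemoRoute def{"0.0.0.0", 0};
    std::string bad = to_string_buggy(def), good = to_string_fixed(def);
    std::printf("buggy: %zu bytes, last byte 0x%02x\nfixed: %s\n",
                bad.size(), unsigned(bad.back()) & 0xffu, good.c_str());
}
```

The same trap applies to `std::int8_t`; any narrow integer destined for text should be widened (or passed through `+r.prefix_len`) before insertion.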
RenovateBot
e150bb3985 chore(deps): update dependency google/googletest to v1.14.0 2024-03-28 11:27:25 +00:00
RenovateBot
70c0d9a534 chore(deps): update dependency chriskohlhoff/asio to asio-1-29-0 2024-03-28 11:27:24 +00:00
Mark Deric
8558312d92 Fix client logging problems
A refactoring of the logging code in commit 9ffa263b removed
conventional #ifndef header guards and replaced them with #pragma
once.  Some consumers of the code used the header #defines to guide
their behavior.  The missing guards caused the consumers to log
incorrectly.  The fix was to still rely on the #pragma once for
guarding, but to reinstate the #defines from the original headers.

Signed-off-by: Mark Deric <jmark@openvpn.net>
2024-03-28 11:27:23 +00:00
Mark Deric
5955f05eab Improve C2os unit tests with better templates
Signed-off-by: Mark Deric <jmark@openvpn.net>
2024-03-28 11:27:23 +00:00
Frank Lichtenheld
91a62654fe renovate: add global Core configuration
So that we override values from the global Ops
configuration we do not like.

While here change rebaseWhen. Since we do rebase
everything before merge anyway, let's renovate
do it for us.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
2024-03-28 11:27:22 +00:00
Mark Deric
18e92a823f Extend C2os to handle containers of pointers
Create a new cast to tell the ostreamer to dereference before
inserting.

Signed-off-by: Mark Deric <jmark@openvpn.net>
2024-03-22 15:15:10 +00:00
Illia Polishchuk
00bdf8ba8b Make profile errors clearer for users by reporting specific error codes.
ERR_INVALID_OPTION_DNS -- invalid value for some of DNS\Domain options
ERR_INVALID_OPTION_CRYPTO -- invalid value for some of SSL\Crypto option
ERR_INVALID_CONFIG -- missing option or not supported option
ERR_INVALID_OPTION_PUSHED -- pushed to server option error
ERR_INVALID_OPTION_VAL -- invalid value for some general option

Signed-off-by: Illia Polishchuk <illia.polishchuk@openvpn.com>
2024-03-22 15:15:09 +00:00
Illia Polishchuk
447c942395 Add codes support to option_error for clearer messages.
Signed-off-by: Illia Polishchuk <illia.polishchuk@openvpn.com>
2024-03-22 15:15:09 +00:00
Illia Polishchuk
c2b7a39a1b Simplify creation of exceptions with codes by a new macro
The OPENVPN_EXCEPTION_WITH_CODE(C, DEFAULT_CODE, ...)
macro creates enum C_code with __VA_ARGS__ codes
and constructor with the C_code as first argument which
adds label at the beginning of error message, other
constructors add DEFAULT_CODE label

Signed-off-by: Illia Polishchuk <illia.polishchuk@openvpn.com>
2024-03-22 15:15:09 +00:00
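An added illustration of the macro pattern described in this commit and the error codes listed in the "Make profile errors clearer" commit above. It is a re-creation for the page, not the project's `OPENVPN_EXCEPTION_WITH_CODE`: `DEMO_EXCEPTION_WITH_CODE`, `split_enum_names` and `check_domain_option` are this example's own names, and the domain check is a constructed rule. The macro stringises the enumerator list to recover code names, which assumes the enumerators carry no explicit values.

```cpp
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

// Split the stringised enumerator list "A, B, C" into {"A", "B", "C"}.
inline std::vector<std::string> split_enum_names(const std::string& csv) {
    std::vector<std::string> names;
    std::string cur;
    for (char c : csv) {
        if (c == ',') { names.push_back(cur); cur.clear(); }
        else if (c != ' ' && c != '\t') cur += c;
    }
    if (!cur.empty()) names.push_back(cur);
    return names;
}

// Illustrative re-creation (not the project's macro): enum C_code holds the
// codes, the (C_code, msg) constructor prefixes the message with the code's
// name, every other constructor uses DEFAULT_CODE. Assumes the enumerators are
// listed without explicit values, so code i maps to the i-th name.
#define DEMO_EXCEPTION_WITH_CODE(C, DEFAULT_CODE, ...)                                   \
    enum C##_code { __VA_ARGS__ };                                                       \
    class C : public std::runtime_error {                                                \
      public:                                                                            \
        explicit C(const std::string& msg) : C(DEFAULT_CODE, msg) {}                    \
        C(C##_code code, const std::string& msg)                                         \
            : std::runtime_error(code_name(code) + ": " + msg), code_(code) {}           \
        C##_code code() const { return code_; }                                          \
        static const std::string& code_name(C##_code code) {                             \
            static const std::vector<std::string> names = split_enum_names(#__VA_ARGS__); \
            return names.at(static_cast<std::size_t>(code));                             \
        }                                                                                \
      private:                                                                           \
        C##_code code_;                                                                  \
    };

DEMO_EXCEPTION_WITH_CODE(option_error, ERR_INVALID_CONFIG,
                         ERR_INVALID_OPTION_DNS, ERR_INVALID_OPTION_CRYPTO,
                         ERR_INVALID_CONFIG, ERR_INVALID_OPTION_PUSHED,
                         ERR_INVALID_OPTION_VAL)

// Constructed profile rule: a DNS domain value may not contain whitespace.
// Returns "ok" or the labelled message the exception carried.
std::string check_domain_option(const std::string& value) {
    try {
        if (value.find(' ') != std::string::npos)
            throw option_error(ERR_INVALID_OPTION_DNS,
                               "invalid value for dhcp-option DOMAIN: '" + value + "'");
        return "ok";
    } catch (const option_error& e) {
        return e.what();
    }
}

int main() {
    std::printf("%s\n%s\n", check_domain_option("corp example").c_str(),
                option_error("missing option 'remote'").what());
}
```

Application code can branch on `e.code()` while the user sees the label in `what()`, which is the split the commit is after.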
Frank Lichtenheld
9b63b1e3be Do not check for C++ <= 17
Code should now silently assume C++-17 semantics.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
2024-03-19 12:23:44 +01:00
Antonio Quartulli
1216f566e4 sitnl: allow user to configure custom metric for routes
Until now sitnl just defaulted to metric 0 when installing routes,
while ignoring any value that may have been passed by the user.

Extend logic to properly accept a user value.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2024-03-15 13:27:14 +00:00
Antonio Quartulli
1e23850291 tunnetlink.hpp: remove unused include
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2024-03-15 13:27:14 +00:00
Antonio Quartulli
56dbd2ceec TunBuilderCapture: use default route metric if none was specified
When the user specifies no metric (i.e. value is -1), the TunBuilder
should pass the default value down the stack.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2024-03-15 13:27:14 +00:00
Frank Lichtenheld
f8c7d0629f Manage more parts of GHA with renovate
- Add custom rule for vcpkg
- Add custom rule for repository checkouts

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
2024-03-13 16:43:53 +01:00
Frank Lichtenheld
4a51628afe Tweaking renovate config
- Group GHA updates and set them to monthly schedule to
  drastically reduce the numbers of PRs
- Notify about GoogleTest updates

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
2024-03-13 16:43:52 +01:00
RenovateBot
ad0e0f5e7a Add renovate.json 2024-03-13 16:43:27 +01:00
Antonio Quartulli
9eeeb38c45 unit-test: fix sitnl systematic failure
It was noted that the SITNL unit test is always failing for no clear
reason.

It turned out that commit 22ba196429
("SITNL: revert change of sitnl_send return type, return int"),
that was supposed to be a simple revert of
ae663c573a ("Using new numeric
conversion tools") is actually converting two "return ret" into
return -1 and return -EINVAL accordingly.

This accidental change results in two functions always returning
an error despite terminating successfully.

This behaviour was obviously fooling the unit test, which failed as a result.

Fix both functions by properly returning "ret" as it was originally.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2024-03-12 09:47:54 +01:00
Frank Lichtenheld
8c007de79d client: Explicitly use int as socket type in SWIG
For some reason SWIG doesn't seem to pick this
up automatically from the typedefs.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
2024-03-06 13:00:04 +01:00
Arne Schwabe
282075fee9 Allow test_sslctx to work with mbed TLS
Signed-off-by: Arne Schwabe <arne@openvpn.net>
2024-02-23 15:32:58 +01:00
Arne Schwabe
c1bcf78d2e Add support for mbed TLS 3.0
This currently still depends on the mbed TLS compat API functionality.

Signed-off-by: Arne Schwabe <arne@openvpn.net>
2024-02-23 15:32:58 +01:00
Mark Deric
ade5f80f8a Add doxygen comments to simplified logging files
Signed-off-by: Mark Deric <jmark@openvpn.net>
2024-02-21 10:04:12 -08:00
Mark Deric
9ffa263bc8 Remove old and/or unneeded code from logging
Also, update copyright dates

Signed-off-by: Mark Deric <jmark@openvpn.net>
2024-02-21 08:58:43 -08:00
Mark Deric
e5c850cc82 Untangle log header macro/class globs
The purpose of this change is to allow headers that require the
logbase.hpp classes to compile in executables using logsimple.hpp.

By munging classes and macros into both headers, an avoidable conflict
of macro re-definition is created.  This commit separates the classes
from the macros into new headers. Then propagates the mistake into the
current headers so none of the existing code is broken. ;-)

Signed-off-by: Mark Deric <jmark@openvpn.net>
2024-02-21 07:27:38 -08:00
David Sommerseth
bae10062b3 Merging in changes from OpenVPN 3 Core version 3.8.4
Signed-off-by: David Sommerseth <davids@openvpn.net>
2024-02-19 22:46:53 +01:00
David Sommerseth
8f4cd953b2 Release: OpenVPN 3 Core Library, version 3.8.4
Signed-off-by: David Sommerseth <davids@openvpn.net>
2024-02-13 18:07:01 +01:00
Lev Stipakov
b4a400f6fe Improve handling of unknown options
Currently we error out on the first unsupported
option which belongs to the "fatal" category, such as
"removed deprecated option" or "Option allowed only to
be pushed by the server".

To improve user experience and allow application code
to display all problematic options and their categories,
collect options into a category->options map and then
serialize it into multiline string:

  cat1: opt1,opt2
  cat2: opt3

Introduce a new error code UNUSED_OPTIONS, which is
placed into ClientAPI::Status::status. The serialized
options map is placed into ClientAPI::Status::message.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2024-02-07 17:03:45 +02:00
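The collect-then-report behaviour this commit describes, as an added example rather than the library's code: every offending option is bucketed by category and the map is serialised in the `cat: opt1,opt2` form given above. `DemoStatus` stands in for `ClientAPI::Status`; the category table is constructed for the example and does not reflect the library's real classification of those options.

```cpp
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// Added illustration, not OpenVPN 3 code. The table is constructed for the
// example; the option names are illustrative, not the library's classification.
const std::map<std::string, std::string>& fatal_option_categories() {
    static const std::map<std::string, std::string> table = {
        {"no-replay",     "removed deprecated option"},
        {"key-method",    "removed deprecated option"},
        {"ifconfig-push", "option allowed only to be pushed by the server"},
    };
    return table;
}

// Stand-in for ClientAPI::Status as the commit describes its use.
struct DemoStatus {
    bool error = false;
    std::string status;   // "UNUSED_OPTIONS" when error is set
    std::string message;  // serialised category -> options map
};

using OptionsByCategory = std::map<std::string, std::vector<std::string>>;

// Walk the whole profile and bucket every fatal option instead of throwing on
// the first one. Options not in the table are simply accepted here.
OptionsByCategory collect_unused_options(const std::vector<std::string>& profile) {
    OptionsByCategory by_category;
    const auto& table = fatal_option_categories();
    for (const std::string& opt : profile) {
        auto it = table.find(opt);
        if (it != table.end())
            by_category[it->second].push_back(opt);
    }
    return by_category;
}

// One "category: opt1,opt2" line per category, joined with '\n', in map order.
std::string serialize_unused_options(const OptionsByCategory& m) {
    std::string out;
    for (const auto& entry : m) {
        if (!out.empty()) out += '\n';
        out += entry.first + ": ";
        for (std::size_t i = 0; i < entry.second.size(); ++i)
            out += (i ? "," : "") + entry.second[i];
    }
    return out;
}

DemoStatus check_profile(const std::vector<std::string>& profile) {
    DemoStatus st;
    OptionsByCategory bad = collect_unused_options(profile);
    if (!bad.empty()) {
        st.error = true;
        st.status = "UNUSED_OPTIONS";
        st.message = serialize_unused_options(bad);
    }
    return st;
}

int main() {
    DemoStatus st = check_profile({"client", "no-replay", "ifconfig-push", "key-method", "remote"});
    std::printf("%s\n%s\n", st.status.c_str(), st.message.c_str());
}
```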
Charlie Vigue
cb9ce3d71c Add notes to sslctx and add unit tests
- Add notes regarding some unexpected behaviors in sslctx
- Add unit tests specifically for sslctx, including simple in-memory
handshaking with both success and failure examples.

Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
2024-02-01 13:29:21 +01:00
Frank Lichtenheld
fe40d7288f Change some arguments to const refs
Triggered by move suggestions from Coverity.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
2024-01-31 17:02:47 +01:00
Frank Lichtenheld
fdf55e8776 ovpncli: simplify Client::open_url()
Remove unused argument "flags".

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
2024-01-31 17:02:46 +01:00
Frank Lichtenheld
eaf9147fcd Add various moves as suggested by Coverity
Out of all the suggestions by Coverity I picked
the ones that move non-Ptr objects into variables
or attributes.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
2024-01-31 17:02:45 +01:00
Frank Lichtenheld
853169a566 Fix various "auto causes copy" Coverity warnings
No reason not to fix those.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
2024-01-31 17:02:28 +01:00
Arne Schwabe
afdfe1bb3f Fix accessing a null pointer when PKCS7 is invalid
If we get a valid but almost empty PKCS7 structure we otherwise try
to access invalid fields.

CVE: CVE-2023-6247
Reported-by: Bahaa Naamneh <bahaa.cpl@gmail.com>
Signed-off-by: Arne Schwabe <arne@openvpn.net>
2024-01-25 12:02:12 +01:00
Charlie Vigue
f4f8caa400 Refactor RC - readability and doxygen
- Split big classes into declaration and definition
- Added doxygen

The goal here is to make the classes easier to reason about by
splitting them into declaration and definition and then adding
doxygen.

The notify parts are left intentionally undocumented for now.

Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
2024-01-24 19:17:12 +01:00
Charlie Vigue
9f3d32b2f4 Add virtual default DTOR to ClientEvent::Base
ClientEvent::Base is the base class for many other classes including
a few that add data members. If at some point one of these enhanced
derived classes is referenced and then deleted via a base class
pointer, some memory could leak.

I don't think we do that yet, but it seems worth preventing.

Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
2024-01-24 16:24:14 +01:00
Charlie Vigue
b06252bb5d Cleanup API for JSON, map() --> asObject() etc
- .map() --> .asObject()
- .array() --> .asArray()

Required by changes in JSON API

Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
2024-01-23 13:21:53 +00:00
Arne Schwabe
1824aaed1d Use OpenSSL 3.0 API for generating TLS 1.0 PRF
When compiling against OpenSSL 3.0, use the newer API for generating the
TLS 1.0 PRF.  Older OpenSSL versions will use the OpenSSL 1.x API.

Signed-off-by: Arne Schwabe <arne@openvpn.net>
2024-01-10 21:01:46 +01:00
Charlie Vigue
6bc9c0bd59 Check length of response before accessing it
The NTLM protocol implementation does not validate the length of
the proxy server’s response. If the response is shorter than
expected, the code will access the response buffer out of bounds,
which will raise an exception. This change checks and explicitly
raises an exception with an informative message if the response
is too short.

This was never a security issue as such but might result in a client
terminating early and without a nice diagnostic.

Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
2024-01-08 21:32:17 +01:00
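A length-checked parse of the fixed part of an NTLM Type 2 (CHALLENGE) message, as an added example that is not the library's NTLM proxy code: a truncated reply produces a diagnostic naming the shortfall rather than an out-of-bounds read. The byte layout used is the standard NTLMSSP CHALLENGE header; `parse_type2`, `sample_type2`, `sample_type2_truncated` and `parse_result` are this example's own names, and the sample message (flags value included) is constructed.

```cpp
#include <algorithm>
#include <array>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <stdexcept>
#include <string>
#include <vector>

// Added illustration, not the library's NTLM code. Fixed header of an NTLMSSP
// CHALLENGE (Type 2) message as read here:
//   0..7   signature "NTLMSSP\0"
//   8..11  message type, little-endian, must be 2
//   12..19 TargetName security buffer (not used below)
//   20..23 NegotiateFlags, little-endian
//   24..31 ServerChallenge, 8 bytes
constexpr std::size_t kType2FixedLen = 32;

struct Type2 {
    std::uint32_t flags = 0;
    std::array<std::uint8_t, 8> challenge{};
};

static std::uint32_t rd32le(const std::vector<std::uint8_t>& b, std::size_t off) {
    return std::uint32_t(b[off]) | (std::uint32_t(b[off + 1]) << 8) |
           (std::uint32_t(b[off + 2]) << 16) | (std::uint32_t(b[off + 3]) << 24);
}

// Every read below is covered by the single up-front length check; the
// diagnostic says how many bytes arrived and how many were needed.
Type2 parse_type2(const std::vector<std::uint8_t>& msg) {
    if (msg.size() < kType2FixedLen)
        throw std::runtime_error("NTLM Type 2 response too short: " + std::to_string(msg.size()) +
                                 " bytes, need at least " + std::to_string(kType2FixedLen));
    if (std::memcmp(msg.data(), "NTLMSSP\0", 8) != 0)
        throw std::runtime_error("NTLM Type 2 response: bad signature");
    if (rd32le(msg, 8) != 2)
        throw std::runtime_error("NTLM response: expected message type 2, got " +
                                 std::to_string(rd32le(msg, 8)));
    Type2 t;
    t.flags = rd32le(msg, 20);
    std::copy(msg.begin() + 24, msg.begin() + 32, t.challenge.begin());
    return t;
}

// Constructed Type 2 message: empty TargetName, flags 0x00088205, challenge 01..08.
std::vector<std::uint8_t> sample_type2() {
    return {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0,
            2, 0, 0, 0,
            0, 0, 0, 0, 0, 0, 0, 0,
            0x05, 0x82, 0x08, 0x00,
            1, 2, 3, 4, 5, 6, 7, 8};
}

// The same message cut off after n bytes, as a proxy might deliver it.
std::vector<std::uint8_t> sample_type2_truncated(std::size_t n) {
    std::vector<std::uint8_t> full = sample_type2();
    full.resize(n < full.size() ? n : full.size());
    return full;
}

// Returns "ok" or the diagnostic the parser raised.
std::string parse_result(const std::vector<std::uint8_t>& msg) {
    try {
        parse_type2(msg);
        return "ok";
    } catch (const std::exception& e) {
        return e.what();
    }
}

int main() {
    std::printf("%s\n%s\n", parse_result(sample_type2()).c_str(),
                parse_result(sample_type2_truncated(20)).c_str());
}
```

Reading the variable-length TargetName and TargetInfo buffers would need the same treatment: validate `offset + length <= msg.size()` from the security buffer before touching the bytes.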
Arne Schwabe
8ad83b5ae8 Add missing length check in parsing ACC messages, add more related tests
Signed-off-by: Arne Schwabe <arne@openvpn.net>
2024-01-04 17:51:23 +01:00
Arne Schwabe
8bfdc2809b Implement various fixes to avoid copying argument related to appcontrol 2024-01-04 17:51:23 +01:00
Frank Lichtenheld
44aa9acab2 ClientProto::Session: fix coverity issue "declaration hides parameter"
CID 11873: (#12 of 12): Parse warning (PW.PARAMETER_HIDDEN)
parameter_hidden: declaration hides parameter "e"

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
2023-12-20 23:18:33 +01:00
Frank Lichtenheld
185426c5e8 ServerProto::Session: fix coverity issue "declaration hides parameter"
CID 11809: (#2 of 3): Parse warning (PW.PARAMETER_HIDDEN)
parameter_hidden: declaration hides parameter "e"

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
2023-12-20 23:18:33 +01:00
Frank Lichtenheld
b4082c93cb WS::Client::HTTPCore: fix coverity issue "declaration hides parameter"
CID 11948: (#2 of 2): Parse warning (PW.PARAMETER_HIDDEN)
parameter_hidden: declaration hides parameter "error"

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
2023-12-20 23:18:33 +01:00
Frank Lichtenheld
9524e33727 ClientOptions: fix coverity error "Structurally dead code"
CID 11851: (#1 of 1): Structurally dead code (UNREACHABLE)
unreachable: This code cannot be reached

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
2023-12-20 23:18:32 +01:00
Mark Deric
5b3294202c Prefer special purpose accessor to public
Instead of exposing protected data to the global environment, provide
a special purpose accessor to satisfy AppControl needs.

Signed-off-by: Mark Deric <jmark@openvpn.net>
2023-12-20 08:29:55 -08:00
Arne Schwabe
c151efc908 Allow specifying different client and server reasons for disconnect
Currently PG only allows either sending or withholding the reason to the
client but there are certain circumstances where you want to have more
detailed internal reason but still want to send some reason to the
client.

Signed-off-by: Arne Schwabe <arne@openvpn.net>
2023-12-13 16:51:22 +01:00
Arne Schwabe
2910164ebf Add helper method for reliable uniform int for unit tests
Signed-off-by: Arne Schwabe <arne@openvpn.net>
2023-12-13 16:51:22 +01:00
Arne Schwabe
95b821a2fd Allow to string methods of IP::Addr to display mapped IPv4 as plain IPv4
Some systems like to see the mapped IPv4 addresses as real IP addresses.
This commit adds the ability to show IP addresses as such.

Signed-off-by: Arne Schwabe <arne@openvpn.net>
2023-12-13 16:51:22 +01:00
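The mapped-IPv4 display choice from this commit, as an added example that is not `IP::Addr` itself: an RFC 4291 IPv4-mapped address (`::ffff:a.b.c.d`) is detected from its 16 bytes and rendered either as IPv6 or as the plain IPv4 it carries. `V6Bytes`, `is_v4_mapped`, `addr_to_string` and the two sample addresses are this example's own; `::` compression is left out of the IPv6 rendering to keep it short.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <string>

// Added illustration, not IP::Addr itself.
using V6Bytes = std::array<std::uint8_t, 16>;

// RFC 4291 IPv4-mapped IPv6 address: 80 zero bits, 16 one bits, 32-bit IPv4.
bool is_v4_mapped(const V6Bytes& a) {
    for (int i = 0; i < 10; ++i)
        if (a[i] != 0) return false;
    return a[10] == 0xff && a[11] == 0xff;
}

std::string v4_to_string(const std::uint8_t* p) {
    return std::to_string(p[0]) + "." + std::to_string(p[1]) + "." +
           std::to_string(p[2]) + "." + std::to_string(p[3]);
}

// Eight lowercase hex groups; "::" compression is deliberately omitted.
std::string v6_to_string(const V6Bytes& a) {
    std::string out;
    char buf[8];
    for (int g = 0; g < 8; ++g) {
        unsigned group = (unsigned(a[2 * g]) << 8) | a[2 * g + 1];
        std::snprintf(buf, sizeof buf, "%x", group);
        if (g) out += ':';
        out += buf;
    }
    return out;
}

// `unmap` plays the role of the new display option: when set, a mapped address
// is rendered as the IPv4 address it carries; otherwise as IPv6 in both cases.
std::string addr_to_string(const V6Bytes& a, bool unmap) {
    if (unmap && is_v4_mapped(a))
        return v4_to_string(&a[12]);
    return v6_to_string(a);
}

// Constructed inputs: ::ffff:192.168.1.10 and 2001:db8::1.
V6Bytes sample_mapped() { return {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 192, 168, 1, 10}; }
V6Bytes sample_global() { return {0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1}; }

int main() {
    std::printf("%s\n%s\n%s\n", addr_to_string(sample_mapped(), false).c_str(),
                addr_to_string(sample_mapped(), true).c_str(),
                addr_to_string(sample_global(), true).c_str());
}
```

The practical point for anyone matching addresses as text (log correlation, allow-lists): the same peer can appear as `::ffff:192.168.1.10` or `192.168.1.10` depending on this setting, so comparisons should be done on the canonical binary form or after unmapping consistently.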