OpenVPN 2.7/master will no longer suppress TLS Alerts but send them
out to the client. Create event for the common events that occur and
notify them to the UI process.
Jira: OVPN-1215
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Split the implementation of the packet counter for normal packet ID
that includes the "weird" long format for long 64 bit packet ids used
in tls-auth and tls-crypt and a simplified implementation for AEAD that
only does 32 bit and 64 bit flat counters.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Instead of passing around a number of individual arguments, use a data
holder class to describe all the settings. This will also allow adding
more data channel parameters in the future (tag location, 64 bit IV)
easier. This has a slight cost of sometimes passing more parameters
than needed.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This is part of a series of patches instrumenting crash checks.
Classes that implement SendBase can optionally collect debug
information for various scenarios, and create a string here that
presents them in human-readable form when requested.
Signed-off-by: Razvan Cojocaru <razvan.cojocaru@openvpn.com>
This change is intended to safeguard against potential
post-stop() management activity that could result in
management agent getting into a bad state.
Signed-off-by: James Yonan <james@openvpn.net>
Without the change and in the absence of a clang-format command in the
user's PATH, the script will fail in line 79 of the hook due to set
-e. It will fail to produce the error message starting at line 83.
The change allows the error message to print.
Signed-off-by: Mark Deric <jmark@openvpn.net>
The Windows Service class did not specify its destructor as virtual, but
has other virtual functions. Not specifying the d'tor virtual is an
anti-pattern in this case.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
In the code base three different syntaxes for overriding virtual member
functions could be found:
1) virtual ... override
2) virtual ...
3) ... override
This converts all of them to the third syntax, as recommended by the ISO
C++ core guidelines in C.128
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Add a single template function implementing the logging logic,
parametrized by log level, and have the log_{trace, info, ...}
functions call that.
While at it, const-ify a couple of member functions.
Signed-off-by: Razvan Cojocaru <razvan.cojocaru@openvpn.com>
Without this fix, the openvpn3-linux build is broken whenever a
dependency enables -Wnon-virtual-dtor (which protobuf 27.3
currently does on Arch Linux). The openvpn3-linux build treats
warnings as errors.
Jira: OVPN3-1242
Signed-off-by: Razvan Cojocaru <razvan.cojocaru@openvpn.com>
This adds support for parsing the PUSH_UPDATE
control command, which enables updating
options "on the fly", without reconnect.
The options presented in the PUSH_UPDATE list
overwrite current options with the name. To unset
an option, it has to be prefixed with the "-".
For example:
PUSH_UPDATE,route 10.10.10.0 255.255.255.0,-dns
Replaces all existing routes with this new one
and removes all "dns" options.
If the client doesn't support updating a certain option,
it reconnects. Except when the option is prefixed with "?" -
in this case the option is considered "optional".
For example, this message
PUSH_UPDATE,?unsupported_option_a
does nothing, but this one:
PUSH_UPDATE,dns 0,block-ipv6,unsupported_option_b
makes the client reconnect, since it contains a mandatory unsupported option.
OVPN3-1234
Signed-off-by: Lev Stipakov <lev@openvpn.net>
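Added example, not part of the commit above or of the OpenVPN 3 code base: a minimal C++ sketch of the PUSH_UPDATE semantics that commit message describes (replace by option name, "-" to unset, "?" for optional). The names apply_push_update, OptionMap, UpdateResult and kUpdatable are hypothetical, and the supported-option set, the all-or-nothing staging and the handling of an empty entry are assumptions of this sketch.

```cpp
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <utility>
#include <vector>

// Current options, grouped by option name (the first word of each option).
using OptionMap = std::map<std::string, std::vector<std::string>>;
enum class UpdateResult { Applied, Reconnect, NotPushUpdate };
// Assumption: the option names this hypothetical client can update live.
static const std::set<std::string> kUpdatable = {"route", "dns", "block-ipv6"};

UpdateResult apply_push_update(const std::string &msg, OptionMap &opts)
{
    static const std::string prefix = "PUSH_UPDATE,";
    if (msg.compare(0, prefix.size(), prefix) != 0)
        return UpdateResult::NotPushUpdate;
    OptionMap staged = opts;        // assumption: apply all entries or none
    std::set<std::string> replaced; // names already reset by this message
    std::istringstream in(msg.substr(prefix.size()));
    std::string item;
    while (std::getline(in, item, ','))
    {
        bool remove = false, optional = false;
        if (!item.empty() && item[0] == '-') { remove = true; item.erase(0, 1); }
        else if (!item.empty() && item[0] == '?') { optional = true; item.erase(0, 1); }
        const std::string name = item.substr(0, item.find(' '));
        if (name.empty())
            return UpdateResult::Reconnect; // assumption: malformed entry, do not guess
        if (!kUpdatable.count(name))
        {
            if (optional)
                continue;                   // "?" prefix: unsupported option is skipped
            return UpdateResult::Reconnect; // mandatory and unsupported
        }
        if (remove) { staged.erase(name); continue; } // "-" prefix: unset all of that name
        if (replaced.insert(name).second)
            staged[name].clear();           // first mention drops the old values
        staged[name].push_back(item);
    }
    opts = std::move(staged);
    return UpdateResult::Applied;
}

int main() {
    OptionMap o{{"dns", {"dns server 1 address 10.0.0.1"}}}; // constructed sample state
    return apply_push_update("PUSH_UPDATE,route 10.10.10.0 255.255.255.0,-dns", o) == UpdateResult::Applied ? 0 : 1;
}
```

Because the update is staged on a copy, a message that ends in Reconnect leaves the live option set untouched, so a rejected update cannot leave routes or DNS settings half-applied.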
Reduced the pasted implementations of the LOGGER_LOG_<VERBOSITY>
macros to a single macro with a verbosity parameter, in an attempt
to make the code easier to read by reducing the line count, and
hopefully reduce the probability of copy / paste bugs
(LOGGER_LOG_ERROR() was already checking against LOG_LEVEL_INFO).
Signed-off-by: Razvan Cojocaru <razvan.cojocaru@openvpn.com>
Returning OPENSSL_VERSION_TEXT will return the value of the library at
compile time. We rather want to know the version of the library that is
actually running, so use OpenSSL_version instead.
Jira: OVPN3-1227
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Use empty braces to initialise the structs to zero since they
use sub structs and clang wants us to otherwise use {{ 0 }}.
Ensure that methods with a return value do not return without a
value or exception by throwing an exception.
Add missing override in the unit test.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
In numeric_cast when casting from signed to unsigned, the second part
of the conditional might be const in some cases. This is intended to
ensure the second runtime check is only present if possibly needed.
This is better and avoids a Coverity performance warning
Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
* origin/releaseprep/3.10:
Do not reject control message with trailing newlines
aws: account for RandomAPI change
Allow disabling TLS 1.3 in certcheck to more easily debug problems
Implement changes to allow test dpc certcheck to be tested
Allow setting a maximum TLS version
Change cxa1 protocol tag to dpc1
Fix spelling errors raised by Debian linter
mac agent: reinstall host route during restart
Preparing QA cycle for OpenVPN 3 Core library release v3.10
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
We are now only initializing TLS-related objects if TLS auth mode
is enabled.
This fixes internal Jira issue PG-122.
Signed-off-by: Razvan Cojocaru <razvan.cojocaru@openvpn.com>