Config
client
pull
was not correctly handled like client + tls-client
since the code short-circuited if tls-client wasn't set
and so didn't touch pull option.
Github: #277
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
- Group GHA updates and set them to monthly schedule to
drastically reduce the numbers of PRs
- Notify about GoogleTest updates
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
It was noted that the SITNL unit test is always failing for no clear
reason.
It turned out that commit 22ba196429
("SITNL: revert change of sitnl_send return type, return int"),
that was supposed to be a simple revert of
ae663c573a ("Using new numeric
conversion tools") is actually converting two "return ret" into
return -1 and return -EINVAL accordingly.
This accidental change results in two functions always returning
an error despite terminating successfully.
This behaviour was obviously fooling the unit test which failed in result.
Fix both functions by properly returning "ret" as it was originally.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Makes it easier to test with -Wconversion, e.g. in Jenkins.
For now disable -Wsign-conversion. That is the default in g++,
but not clang++. Once we have fixed all -Wsign-conversion
warnings, we can enable it for both.
For now disable -Wenum-enum-conversion. Only present in clang++.
Not clear whether cleaning those up will be worth the effort.
Disable -ferror-limit in clang++. This ensures that it always
displays all errors.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 6e7a98b5f4)
- Set CXX_STANDARD_REQUIRED ON so that we error out early
if CMake thinks that the compiler does not support the
used standard.
- Set CXX_EXTENSIONS OFF so that we get less compiler
specific behavior.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 9b8797fe5e)
Using the <max> argument to cmake_minimum_required will
set all policies up to <max> to NEW. We might need to
fix some issues arising from that, but this means that
modern CMake can already behave like it wants even with
leaving <min> so that we can support old distros (currently
Debian 10).
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 268bf42b9e)
On modern CMake this gets us swig dependency management,
which should reduce problems for incremental builds.
Also it is just cleaner.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 72275db1d5)
The earlier were deprecated since CMake 3.12.
Since CMake 3.27 this causes deprecation warnings.
Should be safe nowadays to require CMake 3.12.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit bb61350ae5)
This is very noisy with lots of false positives, especially
in newer versions of GCC. So for now disable this.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit d7e8375fc5)
- Use CURRENT source and binary dir to make this work even
if used as a sub-directory in another project.
- Make USE_MDFILE_AS_MAINPAGE actually work. It is only
used when part of the INPUT and does not automatically
add it to INPUT.
- Make sure CMake uses the latest version of README.rst
by using configure_file instead of file(COPY).
- Improve EXCLUDE_PATTERNS.
- Add NUM_PROC_THREADS.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 474de6c93f)
By adding the asio includes first we have a better
chance to force using "our" asio. This can be important
since some parts of the code require a patched version.
The actual "core" parts of the code work fine with
upstream asio however, so I also do not want to
force the patched asio by requiring a special header
name or directory structure.
So this is a compromise solution which hopefully works
for most use-cases.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit bc7f4be01b)
We do not want to force a dependency on powershell.
Copying the right dlls is rather trivial.
Same change as commit e9e49239ce
for build-vcpkg script.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 1f5aa58223)
Helpfully the comment above the code actually provided
a solution...
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit db7ea3d96a)
Always use find_package for all libraries.
Add missing Find*.cmake modules.
Always define an IMPORTED library in Find*.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit d7b3419f8e)
Fixes problems when calling find_package on asio multiple
times.
Originally fixed by commit cba75f1aa08374733dcc79abebeca262ae94118a
in vcpkg#28299.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 71cf5f48fe)
We do not want to force a dependency on powershell.
Copying the right dlls is rather trivial.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit e9e49239ce)
This makes it easier to see what is going on when looking at
individual CMakeLists.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 4c81069564)
This is important since it allows us to avoid
the JsonCPP dependency on non-Win/non-Apple
systems.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit a9570cb780)
Make sure we find vcpkg and system packages on all
platforms.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit e720bf3aba)
Use add_library to define a target so that we do not
need to apply all the settings manually.
Use find_package_message() to avoid printing the
message more than once.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 2fb5d08ea0)
- Fix PATCHES to work on Linux
- While here, fix version number
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit fb9bee5ad6)
- Increase required version to 3.10. That is the version in
Ubuntu Bionic and currently the oldest one we still want
to support.
- Enable CTest for test target
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 50271ee02a)
With the change to OpenSSL 3 and introducing insecure as profile we
actually allowed MD5 again. Update the warning to reflect this.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The purpose of this change is to allow headers that require the
logbase.hpp classes to compile in executables using logsimple.hpp.
By munging classes and macros into both headers, an avoidable conflict
of macro re-definition is created. This commit separates the classes
from the macros into new headers, then propagates the mistake into the
current headers so none of the existing code is broken. ;-)
Signed-off-by: Mark Deric <jmark@openvpn.net>
Currently we error out on the first unsupported
option which belongs to the "fatal" category, such as
"removed deprecated option" or "Option allowed only to
be pushed by the server".
To improve user experience and allow application code
to display all problematic options and their categories,
collect options into a category->options map and then
serialize it into a multiline string:
cat1: opt1,opt2
cat2: opt3
Introduce a new error code UNUSED_OPTIONS, which is
placed into ClientAPI::Status::status. The serialized
options map is placed into ClientAPI::Status::message.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
- Add notes regarding some unexpected behaviors in sslctx
- Add unit tests specifically for sslctx, including simple in-memory
handshaking with both success and failure examples.
Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
Out of all the suggestions by Coverity I picked
the ones that move non-Ptr objects into variables
or attributes.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
If we get a valid but almost empty PKCS7 structure we otherwise try
to access invalid fields.
CVE: CVE-2023-6247
Reported-by: Bahaa Naamneh <bahaa.cpl@gmail.com>
Signed-off-by: Arne Schwabe <arne@openvpn.net>
- Split big classes into declaration and definition
- Added doxygen
The goal here is to make the classes easier to reason about by
splitting them into declaration and definition and then adding
doxygen.
The notify parts are left intentionally undocumented for now.
Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
ClientEvent::Base is the base class for many other classes including
a few that add data members. If at some point one of these enhanced
derived classes is referenced and then deleted via a base class
pointer, some memory could leak.
I don't think we do that yet, but it seems worth preventing.
Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
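An added illustration of the hazard this commit prevents, written for this page rather than taken from openvpn3: `Base` and `WithDetail` are constructed stand-ins for `ClientEvent::Base` and one of its data-carrying subclasses. It shows the fix (a virtual destructor) together with a compile-time guard a test suite can keep so the `virtual` is not silently dropped later.

```cpp
#include <memory>
#include <string>
#include <type_traits>

// Constructed stand-ins for the ClientEvent hierarchy described above;
// not openvpn3's own types.
namespace event_demo {

// Counts how many derived destructors have actually run.
static int derived_destroyed = 0;

// The fix: a base that is deleted through a Base* must declare its
// destructor virtual. Without it, deleting a derived object via Base*
// is undefined behaviour and the derived part (here `detail`) is
// typically never released.
struct Base {
    virtual std::string name() const { return "BASE"; }
    virtual ~Base() = default;
};

// A derived event that adds an owning data member, like the "enhanced"
// subclasses the commit message refers to.
struct WithDetail : Base {
    std::string detail;
    explicit WithDetail(std::string d) : detail(std::move(d)) {}
    std::string name() const override { return "WITH_DETAIL"; }
    ~WithDetail() override { ++derived_destroyed; }
};

// Compile-time guard worth keeping in a unit test: the build fails if
// someone later removes `virtual` from the base destructor.
static_assert(std::has_virtual_destructor<Base>::value,
              "Base must have a virtual destructor");

// Create a derived event, hold it only as Base, and destroy it through
// the base pointer. Returns how many derived destructors ran (expect 1).
int destroy_via_base_pointer() {
    derived_destroyed = 0;
    std::unique_ptr<Base> ev = std::make_unique<WithDetail>("reconnecting");
    ev.reset();  // runs ~WithDetail because ~Base is virtual
    return derived_destroyed;
}

}  // namespace event_demo
```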
When compiling against OpenSSL 3.0, use the newer API for generating the
TLS 1.0 PRF. Older OpenSSL versions will use the OpenSSL 1.x API.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The NTLM protocol implementation does not validate the length of
the proxy server’s response. If the response is shorter than
expected, the code will access the response buffer out of bounds,
which will raise an exception. This change checks and explicitly
raises an exception with an informative message if the response
is too short.
This was never a security issue as such but might result in a client
terminating early and without a nice diagnostic.
Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
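An added example of the kind of length validation this commit describes, written for this page and not taken from openvpn3's NTLM code. It parses an NTLM type 2 (challenge) message using the MS-NLMP field layout, assumes the proxy's base64 `Proxy-Authenticate` value has already been decoded into the byte vector, and raises an informative exception instead of indexing past the end of a short response; the sample message is constructed.

```cpp
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <string>
#include <vector>

// Added example, not openvpn3's code: bounds-checked parsing of an NTLM
// CHALLENGE_MESSAGE (type 2, MS-NLMP layout), assuming the proxy's base64
// Proxy-Authenticate value has already been decoded into `m`.
namespace ntlm_demo {
using Bytes = std::vector<std::uint8_t>;
static std::uint32_t rd32(const Bytes& m, std::size_t o) {  // little-endian u32
    return m[o] | m[o + 1] << 8 | m[o + 2] << 16 | std::uint32_t(m[o + 3]) << 24;
}
// Raise an informative error instead of indexing past the end of a short reply.
static void need(const Bytes& m, std::size_t n, const char* what) {
    if (m.size() < n) throw std::runtime_error(std::string("NTLM: proxy response too short for ")
        + what + ": " + std::to_string(m.size()) + " < " + std::to_string(n) + " bytes");
}
struct Challenge {
    std::string server_challenge;  // 8 raw bytes
    std::uint32_t flags = 0;
    std::string target_name;       // raw TargetName bytes (UTF-16LE on the wire)
};
// Fixed part: Signature(8) Type(4) TargetNameFields(8) Flags(4) ServerChallenge(8).
Challenge parse_challenge(const Bytes& m) {
    need(m, 12, "signature and message type");
    if (std::memcmp(m.data(), "NTLMSSP", 8) != 0 || rd32(m, 8) != 2)
        throw std::runtime_error("NTLM: not a type 2 challenge message");
    need(m, 32, "negotiate flags and server challenge");
    Challenge c;
    c.flags = rd32(m, 20);
    c.server_challenge.assign(reinterpret_cast<const char*>(m.data() + 24), 8);
    // TargetNameFields = (len u16, maxlen u16, offset u32); the range must fit the data received.
    std::size_t len = m[12] | m[13] << 8, off = rd32(m, 16);
    if (len && (off > m.size() || len > m.size() - off))
        throw std::runtime_error("NTLM: target name field points outside the response");
    c.target_name.assign(reinterpret_cast<const char*>(m.data() + off), len);
    return c;
}
// Constructed 52-byte sample: target name "AB" (UTF-16LE) placed at offset 48.
Bytes sample_challenge() {
    Bytes m(52, 0);
    std::memcpy(m.data(), "NTLMSSP", 8);  // copies the terminating NUL too
    m[8] = 2;                             // MessageType = 2
    m[12] = 4; m[14] = 4; m[16] = 48;     // TargetName len, maxlen, offset
    m[20] = 0x01; m[21] = 0x82;           // NegotiateFlags = 0x00008201
    for (int i = 0; i < 8; ++i) m[24 + i] = std::uint8_t(0x10 + i);  // challenge
    m[48] = 'A'; m[50] = 'B';
    return m;
}
}  // namespace ntlm_demo
```

Truncating the sample below 32 bytes, or pointing the TargetName offset past the end, now fails with a clear `runtime_error` rather than an out-of-range access.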