Always use find_package for all libraries.
Add missing Find*.cmake modules.
Always define an IMPORTED library in Find*
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit d7b3419f8e)
This makes it easier to see what is going on when looking at
individual CMakeLists.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 4c81069564)
- Increase required version to 3.10. That is the version in
Ubuntu Bionic and currently the oldest one we still want
to support.
- Enable CTest for test target
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 50271ee02a)
Currently we error out on the first unsupported
option which belongs to the "fatal" category, such as
"removed deprecated option" or "Option allowed only to
be pushed by the server".
To improve user experience and allow application code
to display all problematic options and their categories,
collect options into a category->options map and then
serialize it into multiline string:
cat1: opt1,opt2
cat2: opt3
Introduce a new error code UNUSED_OPTIONS, which is
placed into ClientAPI::Status::status. The serialized
options map is placed into ClientAPI::Status::message.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
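As an added illustration of the category->options map and its multiline serialization described in the commit message above (example code written for this page, not OpenVPN3's own implementation; the `UnusedOptions`, `Status` and `check_options` names are hypothetical and the option names are constructed placeholders):

```cpp
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <utility>
#include <vector>

// Hypothetical helper: collect every unsupported option under its category
// and serialize the result as one "category: opt1,opt2" line per category.
class UnusedOptions {
public:
    void add(const std::string& category, const std::string& option) {
        by_category_[category].push_back(option);
    }

    bool empty() const { return by_category_.empty(); }

    // Categories come out in std::map (sorted) order; options keep insertion order.
    std::string to_string() const {
        std::ostringstream os;
        bool first_line = true;
        for (const auto& entry : by_category_) {
            if (!first_line)
                os << '\n';
            first_line = false;
            os << entry.first << ": ";
            const std::vector<std::string>& opts = entry.second;
            for (std::size_t i = 0; i < opts.size(); ++i) {
                if (i)
                    os << ',';
                os << opts[i];
            }
        }
        return os.str();
    }

private:
    std::map<std::string, std::vector<std::string>> by_category_;
};

// Constructed stand-in for a status object: an error code plus a message.
struct Status {
    std::string status;
    std::string message;
};

// Instead of failing on the first fatal option, report all of them at once.
Status check_options(const std::vector<std::pair<std::string, std::string>>& unsupported) {
    UnusedOptions u;
    for (const auto& p : unsupported)
        u.add(p.first, p.second);
    if (u.empty())
        return Status{"", ""};
    return Status{"UNUSED_OPTIONS", u.to_string()};
}

// Constructed input: three unsupported options across two categories.
Status demo() {
    return check_options({{"cat2", "opt3"}, {"cat1", "opt1"}, {"cat1", "opt2"}});
}

int main() {
    const Status s = demo();
    std::cout << s.status << '\n' << s.message << '\n';
    return 0;
}
```

The serialized message for the constructed input is `cat1: opt1,opt2` on the first line and `cat2: opt3` on the second, so a caller can show the user every problematic option in one pass rather than fixing them one error at a time.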
If we get a valid but almost empty PKCS7 structure we otherwise try
to access invalid fields.
CVE: CVE-2023-6247
Reported-by: Bahaa Naamneh <bahaa.cpl@gmail.com>
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Also, this is a very rare option to be used today as it was for compatibility
with OpenVPN 1.x; we should still not error out when it is present.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
On some systems, probably depending on the glibc version,
the ipv6 address will be truncated in the output.
Currently affects only Fedora 38.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
At the moment meta options are parsed only from
content. This doesn't work well with iOS where
config is imported via content_list. The config might
contain meta options, which currently won't be
recognized as meta and connection won't be established
due to "unknown option" error.
This adds meta options parsing to content_list.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Earlier implementations just assumed that --client mode is always
present in the config, which led to config behaving differently in
OpenVPN 2.x and 3.x. This creates hard-to-debug corner cases.
Additionally OpenVPN 3.x was not parsing the tls-client and pull
options. This led to OpenVPN 3.x erroring on a perfectly legal
config with --pull in it.
Note the original patch was by Merten Fermont <merten.fermont@gmail.com>
but his patch got mangled in the email and when I started to apply
it manually I instead wrote my own version of it since we need
unit tests anyway.
When parsing config, check DCO compatibility. Following
options break DCO compatibility:
- http-proxy
- compress
- comp-lzo
Same for config settings:
- non-preferred-algorithms
- legacy-algorithms
- proxyHost
DCO compatibility could be checked with
- bool EvalConfig::dcoCompatible
- std::string dcoIncompatibilityReason
If client nevertheless tries to connect, an exception
will be thrown:
connect error: option_error: dco_compatibility: config/options are not
compatible with dco
Fixes OVPN3-960.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Password is not echoed and submitted when Enter is pressed.
This requires not removing ENABLE_PROCESSED_INPUT and ENABLE_LINE_INPUT
flags.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
We do not allow SHA1 in other instances using this profile and while
SHA1 is still fine as HMAC in these situation, people freak out when
seeing SHA1 and also the description and documentation will state
that SHA1 is not allowed in other context (certificate signature),
causing confusion. So better not allow it in this context as well.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Addresses coverity issue 11442 and corrects a comment that
misunderstands the compiler's generation of move operations.
Signed-off-by: Mark Deric <jmark@openvpn.net>
(cherry picked from commit 83289ae99b)
Newer mbed TLS version changed the API. This fixes our usage of the API and
also removed the micro optimisation of reusing the buffer for plain and cipher
text.
It also adds a unit test to ensure the data is correctly encrypted/decrypted.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
We often have configuration files where a directive is duplicated and
the later one wins. This is quite common and should not raise an error. We
still warn about these as this might be an error/oversight.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The current mixing of signed and unsigned is undefined behaviour. Avoid
it by explicitly only using unsigned integers.
Also fix the same issue in the test_prefixlen unit test.
Reported-By: Trail of Bits (TOB-OVPN3-5)
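An added example of the kind of prefix-length arithmetic the commit above refers to, written with unsigned integers only (example code for this page, not OpenVPN3's implementation; the function names are hypothetical). Besides avoiding signed/unsigned mixing, it special-cases prefix length 0 so that no shift by the full 32-bit width occurs, which is undefined behaviour in C++ regardless of signedness:

```cpp
#include <cstdint>
#include <iostream>
#include <stdexcept>

// Build an IPv4 netmask from a prefix length. Every operand is unsigned and
// the shift count is always in the range 0..31.
std::uint32_t netmask_from_prefix_len(unsigned int prefix_len) {
    if (prefix_len > 32u)
        throw std::out_of_range("prefix length exceeds 32");
    if (prefix_len == 0u)
        return 0u;                               // a shift by 32 would be UB, so handle it here
    const std::uint32_t all_ones = 0xFFFFFFFFu;
    return all_ones << (32u - prefix_len);       // prefix_len == 32 shifts by 0 and yields all ones
}

// A valid mask is a run of ones followed by a run of zeros. Inverting it gives
// 2^k - 1 (or 0), and x & (x + 1) == 0 holds exactly for numbers of that form.
// The addition may wrap, which is well-defined for unsigned types.
bool is_valid_netmask(std::uint32_t mask) {
    const std::uint32_t inv = ~mask;
    return (inv & (inv + 1u)) == 0u;
}

// Inverse operation: count the leading one-bits of a contiguous netmask.
unsigned int prefix_len_from_netmask(std::uint32_t mask) {
    if (!is_valid_netmask(mask))
        throw std::invalid_argument("non-contiguous netmask");
    unsigned int n = 0u;
    while (mask & 0x80000000u) {                 // shifting by 1 at a time never reaches the width
        ++n;
        mask <<= 1;
    }
    return n;
}

int main() {
    // Constructed inputs covering the normal case and both boundary values.
    for (unsigned int p : {0u, 1u, 24u, 32u}) {
        const std::uint32_t m = netmask_from_prefix_len(p);
        std::cout << "/" << p << " -> 0x" << std::hex << m << std::dec
                  << " -> /" << prefix_len_from_netmask(m) << '\n';
    }
    return 0;
}
```

A unit test for such code should pin down the boundary values explicitly (prefix 0, 1 and 32, the all-zero and all-one masks, and a non-contiguous mask), since those are exactly the inputs where a signed or full-width shift would have gone undetected by a compiler and produced platform-dependent results.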
Previously, ConstBuffer was simply a BufferType with a const
data type. However this model, and the fact that BufferType
has a vtable, makes it difficult to efficiently cast Buffer
to ConstBuffer via static_cast without introducing an unsafe
downcast.
This commit tries a different approach by factoring out const
BufferType operations into a new base class ConstBufferType.
In the new model, BufferType inherits from ConstBufferType.
Member functions that treat the underlying data buffer as
const have been moved to ConstBufferType while member
functions that treat it as mutable remain in BufferType.
This makes casting BufferType to ConstBufferType a trivial
upcast while also greatly simplifying const_buffer_ref().
Signed-off-by: James Yonan <james@openvpn.net>
This is the result after running 'clang-format -i' on all C++ files and
headers, with the defined formatting rules in .clang-format.
Only the openvpn/common/unicode-impl.hpp has been excluded, as that is
mostly a copy of an external project.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Adds a library method C2os:cast() that converts an iterable container,
i.e., one that can be a range-expression in a range-based for loop,
into a type that can be inserted into an ostream. This only addresses
the container semantics in the ostream insertion. The underlying
contained type T (if the container were stl, the value_type) must work
with ostream<<.
The result of the operator<< insertion is a square bracket enclosed,
comma delimited string of the items in the container. Note that the
commit includes ideas on expanding choices of container rendering
details.
Attribution to James Yonan. Made significant contribution to
expanding the scope of collections. And reduced code complexity.
Also to Charlie Vigue; eliminated the "first" test inside the loop.
Signed-off-by: Mark Deric <jmark@openvpn.net>
This commit removes the ability to pass down the window sizes for ack
windows from the configuration. This capability was never used and
instead the receive and send window were both hardcoded at 4. Also
change the receive window to 12 and the send window to 6 like
OpenVPN 2.6 does.
Also to improve control channel reliability, resend previous ACKs in MRU
fashion if there is still room for them in a control channel packet.
This patch is based on a patch that was written
by Charlie Vigue <charlie.vigue@openvpn.net>.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The tests in common were based on running main(); the tests have been
converted to the gtest framework and are now part of the automated
unit test suite.
Signed-off-by: Mark Deric <jmark@openvpn.net>
Previously, we only supported int64 serial numbers.
This change renames get_sn() method to serial_number_as_int64()
for code that cares about 64-bit serial numbers.
Signed-off-by: James Yonan <james@openvpn.net>
Found by clang:
ovpn3/core/test/ovpncli/cli.cpp:664:16: warning:
'remote_override' overrides a member function but is not marked 'override'
[-Winconsistent-missing-override]
virtual void remote_override(ClientAPI::RemoteOverride& ro)
^
ovpn3/core/cmake/../client/ovpncli.hpp:658:20: note:
overridden virtual function is here
virtual void remote_override(RemoteOverride&);
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Both OPENVPN_REMOTE_OVERRIDE and PRIVATE_TUNNEL_PROXY
only enable features and do not change the behavior unless
configuration is also changed. Since the kovpn variant
is internal anyway, this should be safe to enable.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
This commit adds several improvements to dealing with unknown options
in client configuration files:
- implement ignore-unknown-option
- categorise the OpenVPN2 options in multiple categories and
warn/error out depending on the category
- error out when unsupported/unknown options are found. This avoids
problems like with --tls-crypt/--tls-crypt-v2 before where client
would ignore these options and not connect at all
Signed-off-by: Arne Schwabe <arne@openvpn.net>
We already use IPAPI to add routes, so there is no reason
not to use it to add excluded routes. Example from server config:
push "redirect-gateway def1"
push "route 192.168.0.0 255.255.0.0 net_gateway"
This should redirect all traffic to VPN except one route. What
we should see in logs is:
IPHelper: add route 192.168.0.0/16 21 100.64.0.1 metric=-1
(where 100.64 is a default gw on my machine)
Reported-by: Arul Thileeban <arulthileeban@vt.edu>
Signed-off-by: Lev Stipakov <lev@openvpn.net>
clang 13 complains:
test/unittests/test_cpu_time.cpp:110:16:
error: variable 'd' set but not used [-Werror,-Wunused-but-set-variable]
double d=0;
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 9367513b4a)
Since we didn't have any regular builds against
OpenSSL 3.0 so far we didn't notice that it was
broken by commit 291e675748
(Move SSL context from OpenSSL Context to OpenSSL Config)
Since context is now part of config, we need to use
separate configs.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 6715afd4c7)
When the OpenVPN3 Core library was carved out,
the existing test cases in test/misc were not
analyzed whether they only test functionality
in the library.
Import all tests for which that is true now,
including their history. Note that many of
the commit messages from this history already
exist in the OpenVPN3 repository from the first
creation of the Core library repository. So we
prefix all commit messages in this import with
[test/misc] to make it easy to see where they
are coming from.
Required changes to CMakeLists.txt will be done
after this merge.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>