mirror of https://github.com/OpenVPN/openvpn3.git synced 2024-09-20 20:13:05 +02:00
Commit Graph

3271 Commits

Author SHA1 Message Date
James Yonan
5a9fd26be7
RunContext: added process_exception() helper method
Signed-off-by: James Yonan <james@openvpn.net>
2021-08-03 10:42:35 +02:00
James Yonan
5231fa35ad
PacketStream: change message size validation logic to support growable buffers for DNS-over-TCP
In PacketStream, don't validate upper bound on message size
if BufferAllocated::GROW is set, allowing it to range up to
64kb.

Signed-off-by: James Yonan <james@openvpn.net>
2021-08-03 10:42:35 +02:00
James Yonan
abd1c5b208
PacketStream: minor cleanup and added a unit test
Removed declared_size_defined in favor of just setting
declared_size to a special value (SIZE_UNDEF) when it's
undefined.

Signed-off-by: James Yonan <james@openvpn.net>
2021-08-03 10:42:35 +02:00
James Yonan
95852fd24a
unittests: added THROW_FMT(...) convenience macro to throw an exception with printf-style argument substitution
Example:

  if (expect_throw != actual_throw)
    THROW_FMT("validate_size: bad throw, expect=%s, actual=%s, FC=%s size=%s",
              expect_throw,
              actual_throw,
              fc.info(),
              size);

Signed-off-by: James Yonan <james@openvpn.net>
2021-08-03 10:42:31 +02:00
Mark Deric
3cd0652d1e
Add the getJoinedString() function
Useful in unit tests for which the input vector should be properly
sorted by the code under test.  This function is very similar to
getSortedJoinedString(), but it avoids sorting.  Because of the
similarity, the getSortedJoinedString() function is refactored to use
the new getJoinedString() function.

Signed-off-by: Mark Deric <jmark@openvpn.net>
2021-08-02 08:42:00 -07:00
Arne Schwabe
98f5b59a07
Document WEBAUTH and implement it as auth pending method in demo client
Signed-off-by: Arne Schwabe <arne@openvpn.net>
2021-07-28 14:50:06 +02:00
James Yonan
440b3a599d
IP::Addr: remove explicit copy constructor that Coverity warns could throw
By removing the explicit copy constructor, we fall back to
a default copy constructor which would do a bitwise copy
of the object, which should be okay for this object, and
would have no potential to throw an exception.

Signed-off-by: James Yonan <james@openvpn.net>
2021-07-06 11:47:07 -06:00
Heiko Hund
0f11551143
remove CryptoOvpnHMACContext legal_dc_digest call
The class CryptoOvpnHMACContext is used for handling the --tls-auth
option. Since tls-auth is a control channel feature, checking for
a valid data channel digest is wrong.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-07-03 13:16:48 -06:00
James Yonan
b36f963db5
Added compiler profiles for linux-clang
The main difference between these and linux-cpp is that
linux-clang defines a different default DEP_DIR
($HOME/linux-clang) so that gcc and clang profiles can be
run on the same machine.

Signed-off-by: James Yonan <james@openvpn.net>
2021-07-03 13:10:01 -06:00
James Yonan
88ca59e0f6
unittests: helper now defines REGEX_WORKS to 1 if <regex> implementation is usable, and 0 otherwise
Signed-off-by: James Yonan <james@openvpn.net>
2021-07-03 13:10:01 -06:00
James Yonan
39719d64eb
ProtoContext: added keepalive_timeout_early parameter
keepalive_timeout_early defines the keepalive_timeout
parameter early in the connection before the KeyContext
reaches ACTIVE.

It is set via the optional third parameter to the
"keepalive" directive, for example:

  keepalive 1 8 4

sets keepalive_timeout_early to 4 seconds.  If unspecified,
keepalive_timeout_early defaults to keepalive_timeout.

keepalive_timeout_early is useful on the server side to
reduce the resource footprint of abandoned connections,
and can be tuned to mitigate DDoS and UDP amplification
attacks.

Signed-off-by: James Yonan <james@openvpn.net>
2021-07-03 13:10:01 -06:00
Heiko Hund
f58ad6b739
remove CryptoAlgs::F_NO_CIPHER_DIGEST flag
Checking for AEAD cipher mode is sufficient.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-06-23 17:50:18 +02:00
Heiko Hund
17f7a7db1d
send only supported IV_CIPHERS in peer info
Instead of sending static AES-GCM plus a few others, iterate
over supported data channel ciphers and send all of them.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-06-23 17:50:18 +02:00
Heiko Hund
efd7e01289
add dc_cipher/digest functions to CryptoAlgs::Alg
Moving interpretation of the flags into the class in preparation
of submitting only supported data channel ciphers in IV_CIPHERS.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-06-23 17:49:59 +02:00
Heiko Hund
2975585761
add CryptoAlgs::for_each() to iterate algs
Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-06-18 15:10:03 +02:00
Heiko Hund
dd104e8392
make it possible to specify dc algorithms
DCO only supports a limited set of ciphers; currently it is
discovered quite late if an unsupported algorithm is configured
(or pushed).

This introduces CryptoAlgs::allow_dc_algs() with which the
supported set of data channel algorithms can be specified.

The DCO code makes use of this, at the time a new_controller()
is created.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-06-18 15:09:35 +02:00
Heiko Hund
84c8b4aca6
convert CryptoAlgs::algs array to std::array
Remove constexpr in preparation for making it possible to modify the
data channel ciphers. Use std::array so the SIZE can be specified.

Remove the unused CryptoAlgs::get_index_ptr() function.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-06-17 20:32:21 +02:00
Heiko Hund
d28b241380
combine the two CryptoAlgs::name functions
Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-06-17 20:16:51 +02:00
David Sommerseth
6530f876c8
OpenVPN 3 Core library version 3.6.3
Jira: VULREP-15
 URL: https://openvpn.atlassian.net/browse/VULREP-15

Merge tag 'release/3.6.3'

OpenVPN 3 Core library version 3.6.3

Signed-off-by: David Sommerseth <davids@openvpn.net>
2021-06-14 21:58:27 +02:00
David Sommerseth
d06e216e8c
Finalizing OpenVPN 3 Core library release v3.6.3
This release fixes an issue with the building of the OpenSSL
dependency on Windows, where the OpenSSL library could load an
OpenSSL configuration file, resulting in loading external third-party
libraries.

Signed-off-by: David Sommerseth <davids@openvpn.net>
2021-06-14 20:07:08 +02:00
Lev Stipakov
f746588d45
vcpkg: add openssl port with no-autoload-conf
In the default configuration OpenSSL loads its config from
a certain location on disk, which may pose a security risk.

There is a "no-autoload-config" config option for OpenSSL
which disables this functionality:

   https://github.com/openssl/openssl/pull/5959

however it is not "exported" to vcpkg.

This adds openssl port overlay which sets "no-autoload-config"
config option. Here is the diff:

diff --git a/ports/openssl/windows/portfile.cmake
b/ports/openssl/windows/portfile.cmake
index 7a3bf08ed..c873eb756 100644
--- a/ports/openssl/windows/portfile.cmake
+++ b/ports/openssl/windows/portfile.cmake
@@ -21,6 +21,7 @@ set(CONFIGURE_OPTIONS
     enable-capieng
     no-ssl2
     no-tests
+    no-autoload-config
     -utf-8
     ${OPENSSL_SHARED}
)
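Review bot: the new `no-autoload-config` line is added to CONFIGURE_OPTIONS without any comment recording why it is there or when it can be dropped; since the commit message says this overlay becomes redundant once the vcpkg PR 18389 is merged, put a one-line CMake comment above the option (e.g. `# disable OpenSSL's automatic config-file loading; drop this overlay once vcpkg PR 18389 lands`) so the next maintainer touching the overlay knows the rationale and the removal condition. Also, the commit title says "no-autoload-conf" while the option actually added in the hunk is "no-autoload-config"; align the title with the real option name.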

There is also a corresponding PR to vcpkg:

  https://github.com/microsoft/vcpkg/pull/18389

When the above PR is merged, this port overlay can be removed.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2021-06-11 13:01:09 +03:00
Lev Stipakov
7d33caef16
agent mac: Update license header
Signed-off-by: Lev Stipakov <lev@openvpn.net>
2021-06-10 23:27:27 +02:00
Lev Stipakov
d31620d0c6
agent mac: move from common
Windows agent has been moved from common to core,
so for consistency move mac agent too.

Since agent and agent-enabled client depend on jsoncpp,
also move jsoncpp build scripts.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2021-06-10 23:06:24 +02:00
Lev Stipakov
0ad1bfecc0
mac agent: customize agent name
We want the PT agent and the Connect agent to co-exist,
so make the agent name customizable at build time.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2021-06-10 23:06:23 +02:00
Lev Stipakov
f9bf96101d
mac agent: implement /add-bypass-route method
This method is called to enable connectivity to a different remote
when force-tunneling is used and the current VPN connection is broken.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2021-06-10 23:06:22 +02:00
Lev Stipakov
c6d1f9465f
agent mac: fail-safe tun close
This adds a watchdog thread, which wakes up when the client
process exits and closes the tun. The watchdog is removed
when the agent process exits.

To monitor process exit, we use kqueue's NOTE_EXIT event;
to interrupt waiting on graceful exit we use the self-pipe trick.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2021-06-10 23:06:21 +02:00
Lev Stipakov
76d6a966cd
Fix core build with agent support for macOS
Signed-off-by: Lev Stipakov <lev@openvpn.net>
2021-06-10 23:06:20 +02:00
James Yonan
adb0cfe792
copyright: updated to 2017
Signed-off-by: James Yonan <james@openvpn.net>
2021-06-10 23:06:19 +02:00
James Yonan
45ec790c25
license : this branch (common) is proprietary, so remove all GPL headers.
Signed-off-by: James Yonan <james@openvpn.net>
2021-06-10 23:06:19 +02:00
James Yonan
d141ed63bf
httpcliset : minor refactor of new_request_synchronous() which removes SyncPersistState as a parameter (replacing with sps boolean) and moves it to private area of TransactionSet.
2021-06-10 23:06:18 +02:00
James Yonan
969bb36241
copyright : updated to 2016
2021-06-10 23:06:17 +02:00
James Yonan
99026b1df8
Mac agent : fixed a regression caused by this commit:
httpcliset : when preserve_http_state is false, close out
  the HTTPStateContainer before calling completion callback,
  so as to improve reentrancy-safety if completion callback
  tries to queue a new request.

The problem with the above commit is that it breaks
the interprocess socket-passing technique in
UnixCommandAgent::establish(), requiring that we deploy a
WS::ClientSet::SyncPersistState object to extend the
lifetime of the HTTP connection state.
2021-06-10 23:06:16 +02:00
James Yonan
aef8cf368c
For jsoncpp usage, rename deprecated misspelled method name:
getFormatedErrorMessages -> getFormattedErrorMessages
2021-06-10 23:06:15 +02:00
James Yonan
128adb83ec
Added Mac OpenVPN Agent client and service for processing tun setup using split-privilege model.
Added build script in mac/buildcli to build both client and
agent.
2021-06-10 23:06:14 +02:00
Arne Schwabe
af93c1879b
Fix multiple instances of comparison of signed with unsigned
2021-06-10 23:06:13 +02:00
James Yonan
5f9c70c704
Use openvpn::strerror_str() instead of std::strerror().
std::strerror() doesn't claim to be thread-safe, so
add openvpn::strerror_str() which is thread-safe by
virtue of the fact that it backs to strerror_r().

Signed-off-by: James Yonan <james@openvpn.net>
2021-06-10 23:06:12 +02:00
James Yonan
eaa24e939e
copyright: updated to 2017
Signed-off-by: James Yonan <james@openvpn.net>
2021-06-10 23:06:11 +02:00
James Yonan
afb7c39dca
license : this branch (common) is proprietary, so remove all GPL headers.
Signed-off-by: James Yonan <james@openvpn.net>
2021-06-10 23:06:11 +02:00
James Yonan
6e157dd76e
copyright : updated to 2016
2021-06-10 23:06:10 +02:00
James Yonan
ba54b90b39
Added class XmitFD for transmitting/receiving file descriptors over a unix domain socket (because Asio doesn't directly support this).
Also added a client/server test in test/xmitfd.
2021-06-10 23:06:09 +02:00
Lev Stipakov
8cae2a770b
asio: support for version 1.18
ASIO 1.18 enabled UNIX domain sockets on Windows,
which breaks our code, since we use a Linux-specific
API to work with sockets.

Fix by disabling UNIX domain (local in ASIO terminology)
sockets on Windows.

Bump ASIO version to 1.18.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2021-06-10 22:43:26 +02:00
Heiko Hund
dee1b625c3
fix occ proto strings
There are two things addressed here.

 1) regression introduced by commit f1bdbe5088:
    Since TCP is not an alias for TCPv4 anymore the occ string
    contained TCP_CLIENT as proto, which is not understood by peers.
    Since only the "v4" version of the proto strings are understood
    the code was simplified.
 2) wrong occ proto string for TCP servers:
    Servers were also sending out the proto with client suffix. Fixed
    by passing in a boolean and returning the server version if true.

Also renamed the method to reflect better what it is used for.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-06-10 22:40:18 +02:00
Antonio Quartulli
cbbe9d1768
ovpndcocli.hpp: implement SessionStats::DCOTransportSource
The DCO component now implements the SessionStats::DCOTransportSource interface.
This interface is already used by ovpncli.cpp to retrieve the peer stats
from DCO.

With this patch, also the OvpnDcoCli object can be used to retrieve the
peer stats from kernel space.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2021-06-09 17:23:03 +02:00
Antonio Quartulli
73664bb85a
ovpndcocli.hpp: properly parse and store peer statistics
After invoking the get_peer() API, let the DCOClient component
extract the statistics and store them locally.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2021-06-09 17:23:03 +02:00
Antonio Quartulli
07b85394c8
genl.hpp: implement get_peer() API to retrieve peer data from DCO
The get_peer API allows userspace to retrieve the data about a specific
peer. Implement the userspace counterpart so that OpenVPN can retrieve
the peer data when it needs to update the client statistics.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2021-06-09 17:23:03 +02:00
Antonio Quartulli
3bd5b40d6d
TunBuilder: add tun_builder_dco_get_peer() method
Allow external implementations to be informed when to
retrieve the peer data via DCO.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2021-06-08 01:42:37 +02:00
Antonio Quartulli
4fa0d6763e
ovpncli.cpp: update stats with DCO data before querying them
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2021-06-08 01:42:37 +02:00
Antonio Quartulli
0f264b71e4
genl.hpp: avoid cast for return value of lambda expression
Explicitly specify the return type of lambda expressions
so that we can avoid casting the return value.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2021-06-08 01:42:37 +02:00
David Sommerseth
b4663454b2
openssl: Fix include file issues with OpenSSL compat.hpp
The compat.hpp header had issues when building on Debian 9, where it
complained about SSL_CTX_set1_curves() not being defined.  This was
due to openssl/ssl.h not being included inside the #if block where the
compat wrapper was defined.

Signed-off-by: David Sommerseth <davids@openvpn.net>
2021-06-03 19:09:17 +02:00
James Yonan
0670c1606b
proto test: retry up to 5 times to prevent errors from blowing up the test
By default, the proto test uses a relatively small
handshake_window to intentionally trigger
KEV_NEGOTIATE_ERROR, so that we can test mid-session error
recovery.  However, if KEV_NEGOTIATE_ERROR is hit on the
first primary key (i.e. first KeyContext with key_id == 0),
it is fatal to the session and will trigger a disconnect.

This change introduces a retry to prevent this
low-probability, false-positive corner case from
blowing up the test.

Signed-off-by: James Yonan <james@openvpn.net>
2021-05-31 23:21:30 -06:00