mirror of https://github.com/OpenVPN/openvpn3.git synced 2024-09-20 12:12:15 +02:00
Commit Graph

338 Commits

Author SHA1 Message Date
Arne Schwabe
708be87c72
[OSSL 3.0] Implement using a library context for OpenSSL 3.0
This allows us to load non-default providers while also not touching
the default library context. This is necessary to have profiles with and
without the legacy library, for example.

Signed-off-by: Arne Schwabe <arne@openvpn.net>
2021-11-12 20:58:30 +01:00
Arne Schwabe
de0d52b7ce [OSSL 3.0] Use new EVP_MAC API for HMAC implementation
The old API is deprecated in OpenSSL 3.0 and the new API does not yet
exist in OpenSSL 1.1. Emulating the new API or using one class with
ifdefs would be more complex than just having two implementations. So
this adds a new implementation for OpenSSL 3.0.

Signed-off-by: Arne Schwabe <arne@openvpn.net>
2021-11-12 14:27:12 +01:00
Arne Schwabe
88b2906a2c
Rework block-ipv6 to also allow blocking ipv4 and remove IV_IPV6
Since IPv4/IPv6 should be treated equally, we should also have
the opportunity to block IPv4. With this change we follow the API
that Android also provides and explicitly tell tunbuilder what to
do with address families that are not used by the VPN. If an
address family is used by the VPN, nothing changes.

This also removes IV_IPV6 as it is not used.
2021-10-27 20:15:26 +02:00
Heiko Hund
0d90ccbb19 RemoteList unittest: extend BulkResolve test
Add cache lifetime related tests.

  * define cache-lifetime
  * override lifetime via push
  * override decayed cache
  * make sure unresolvable items are kept during re-run
  * make sure indexed items can be updated, with addr index reset
  * make sure valid cache entries stay untouched

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-09-28 15:29:03 +02:00
Heiko Hund
fda6d1bf1b RemoteList unittest: silence sign-compare warning
Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-09-28 15:29:03 +02:00
Heiko Hund
54e2d77f89 make RemoteList::get_item() return a RCPtr
Returning a reference can be harmful, since Items can potentially disappear
during lookup of hostnames. Thus, return a refcounted Ptr instead, so
that external references to internal data don't restrict RemoteList in
its daily business.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-09-28 15:29:03 +02:00
Heiko Hund
c540642c87 rename RemoteList::PreResolve to BulkResolve
Since we're now using it to also re-lookup stale RemoteList items the
new name makes more sense. Also changed the NotifyCallback method to
bulk_resolve_done().

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-09-28 15:29:03 +02:00
Heiko Hund
f60a9f1826 add unit test for RemoteList traversal
Test that all addresses added from the resolver results are tried,
when iterating through the RemoteList with next().

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-09-28 15:29:03 +02:00
Arne Schwabe
73890429d2
Implement external PKI emulation with OpenSSL
This uses the rather low-level EVP_* interfaces directly instead of
using OpenVPN's own PKI classes since this is very specific code
and reusability outside the testing scope is very limited.

Signed-off-by: Arne Schwabe <arne@openvpn.net>
2021-09-22 14:06:34 +02:00
Mark Deric
989d2f590a
WIP Fix the rhel7 unit test target failure
This might not be the final fix.  Note the extensive code comment
inside the cmake file if().  The comment suggests a potentially better
fix, but it's unlikely.

Signed-off-by: Mark Deric <jmark@openvpn.net>
2021-09-22 14:04:48 +02:00
Lev Stipakov
fd0655969d
Merge release of OpenVPN Core library 3.6.4 to master
2021-09-22 13:56:37 +02:00
Heiko Hund
aca0b7bf03 don't limit peer-fingerprint option size
Since in a config file we support both multiple --peer-fingerprint options
and multiple fingerprints within a <peer-fingerprint> section, a
maximum size doesn't make much sense. Other inline sections do not limit
the size either, and the individual fingerprint size is checked when
parsing them individually.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-09-07 14:41:01 +02:00
James Yonan
ea08b935f0 unittests: added SaveCurrentLogObject
When a test steps on Log::global_log, save and restore previous
Log::global_log so as not to mess up other tests when running a
multiple-compilation-unit build.

Signed-off-by: James Yonan <james@openvpn.net>
2021-08-17 13:07:40 -06:00
James Yonan
905ee72fe3 ClientProto: added OPENVPN_DISABLE_AUTH_TOKEN for debugging to disable transmission of auth token to server
Signed-off-by: James Yonan <james@openvpn.net>
2021-08-17 13:07:40 -06:00
James Yonan
303a39ad6c SafeString: use timing-attack-resistant crypto::str_neq for comparisons
Also added unit test.

Signed-off-by: James Yonan <james@openvpn.net>
2021-08-17 13:07:40 -06:00
Heiko Hund
634e58e23b ovpncli: add open_url support for unixoid OSes
Open the user's default browser for OPEN_URL and WEB_AUTH dynamic
auth requests.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-08-11 22:37:24 +02:00
Heiko Hund
0c57e23aca ovpncli: support CR_TEXT type challenge/response
Support CR_TEXT type challenge/response exchanges. The challenge flags are
ignored currently, but displayed with the challenge text for debug purposes.
Thus, input is always echoed and it is assumed that a response is
required.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-08-10 14:17:30 +02:00
Lev Stipakov
613aa6bf7a
Win: support for local DNS resolvers
Local DNS resolvers, such as Umbrella Roaming Client,
change DNS settings on adapters to 127.0.0.1.

This may not work with openvpn3 because:

 - An NRPT rule might be created for the "." zone, which redirects
   all DNS requests to the server specified in the rule. This takes
   precedence over adapters' DNS settings.

 - DNS requests might be blocked on all adapters except TAP
   (tap-windows6/wintun/ovpn-dco-win) to prevent DNS leaks.

To enable compatibility with local DNS resolvers, add the
"allowLocalDnsResolvers" core config option, which,
when enabled, makes core

 - avoid creating an NRPT rule for the "." zone

 - permit DNS requests to 127.0.0.1 / ::1

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2021-08-10 15:00:58 +03:00
Heiko Hund
bff784ab25 remove class RemoteList c'tor RNG default value
Instead of throwing an exception with --remote-random-hostname, when
no RNG is present during construction, we treat an explicit null RNG
as a choice not to randomize the hosts. To make that choice explicit,
the default value for the RNG is removed, so that callers need to
decide which behavior they want.

Closes #53 in the openvpn3-linux issue tracker.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-08-03 15:35:51 +02:00
James Yonan
5231fa35ad
PacketStream: change message size validation logic to support growable buffers for DNS-over-TCP
In PacketStream, don't validate upper bound on message size
if BufferAllocated::GROW is set, allowing it to range up to
64kb.

Signed-off-by: James Yonan <james@openvpn.net>
2021-08-03 10:42:35 +02:00
James Yonan
abd1c5b208
PacketStream: minor cleanup and added a unit test
Removed declared_size_defined in favor of just setting
declared_size to a special value (SIZE_UNDEF) when it's
undefined.

Signed-off-by: James Yonan <james@openvpn.net>
2021-08-03 10:42:35 +02:00
James Yonan
95852fd24a
unittests: added THROW_FMT(...) convenience macro to throw an exception with printf-style argument substitution
Example:

  if (expect_throw != actual_throw)
    THROW_FMT("validate_size: bad throw, expect=%s, actual=%s, FC=%s size=%s",
	      expect_throw,
	      actual_throw,
	      fc.info(),
	      size);

Signed-off-by: James Yonan <james@openvpn.net>
2021-08-03 10:42:31 +02:00
Mark Deric
3cd0652d1e Add the getJoinedString() function
Useful in unit tests for which the input vector should be properly
sorted by the code under test.  This function is very similar to
getSortedJoinedString(), but it avoids sorting.  Because of the
similarity, the getSortedJoinedString() function is refactored to use
the new getJoinedString() function.

Signed-off-by: Mark Deric <jmark@openvpn.net>
2021-08-02 08:42:00 -07:00
Arne Schwabe
98f5b59a07 Document WEBAUTH and implement it as auth pending method in demo client
Signed-off-by: Arne Schwabe <arne@openvpn.net>
2021-07-28 14:50:06 +02:00
James Yonan
88ca59e0f6 unittests: helper now defines REGEX_WORKS to 1 if <regex> implementation is usable, and 0 otherwise
Signed-off-by: James Yonan <james@openvpn.net>
2021-07-03 13:10:01 -06:00
James Yonan
39719d64eb ProtoContext: added keepalive_timeout_early parameter
keepalive_timeout_early defines the keepalive_timeout
parameter early in the connection before the KeyContext
reaches ACTIVE.

It is set via the optional third parameter to the
"keepalive" directive, for example:

  keepalive 1 8 4

sets keepalive_timeout_early to 4 seconds.  If unspecified,
keepalive_timeout_early defaults to keepalive_timeout.

keepalive_timeout_early is useful on the server side to
reduce the resource footprint of abandoned connections,
and can be tuned to mitigate DDoS and UDP amplification
attacks.

Signed-off-by: James Yonan <james@openvpn.net>
2021-07-03 13:10:01 -06:00
Heiko Hund
dd104e8392 make it possible to specify dc algorithms
DCO only supports a limited set of ciphers; currently it is
discovered quite late if an unsupported algorithm is configured
(or pushed).

This introduces CryptoAlgs::allow_dc_algs() with which the
supported set of data channel algorithms can be specified.

The DCO code makes use of this, at the time a new_controller()
is created.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-06-18 15:09:35 +02:00
Lev Stipakov
d31620d0c6
agent mac: move from common
Windows agent has been moved from common to core,
so for consistency move mac agent too.

Since agent and agent-enabled client depend on jsoncpp,
also move jsoncpp build scripts.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2021-06-10 23:06:24 +02:00
James Yonan
0670c1606b proto test: retry up to 5 times to prevent errors from blowing up the test
By default, the proto test uses a relatively small
handshake_window to intentionally trigger
KEV_NEGOTIATE_ERROR, so that we can test mid-session error
recovery.  However if KEV_NEGOTIATE_ERROR is hit on the
first primary key (i.e. first KeyContext with key_id == 0),
it is fatal to the session and will trigger a disconnect.

This change introduces a retry to prevent this
low-probability, false-positive corner case from
blowing up the test.

Signed-off-by: James Yonan <james@openvpn.net>
2021-05-31 23:21:30 -06:00
James Yonan
e9fef02f52 unit tests: modified JY_ASSERT macros to use "do { ... } while (0)" syntax for better statement semantics
Signed-off-by: James Yonan <james@openvpn.net>
2021-05-31 13:34:44 -06:00
Heiko Hund
51bd6d4201 use DCO opportunistically
If DCO support is compiled in, detect if it is available (i.e. Windows driver
or Linux kernel module is loaded) and then use it, if it is.

This changes the default configuration for DCO from off to on, so users of
the library need to set ClientAPI::Config::dco to false in case they do not
want to use dco for a connection.

The change is also reflected in the reference client "ovpncli". If DCO is
enabled in a build, it will detect and use it. The previously available
"ovpncliovpndco" and "ovpncliovpndcowin" clients have thus been removed.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-05-27 17:20:24 +02:00
Heiko Hund
5f3f4e82ae fix potential division by zero in compression test
Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-05-18 06:13:31 +02:00
Heiko Hund
deccb722ec always free allocated memory in base64 test
In case of an assertion throwing an exception decdata would never be
freed from the heap. Use a unique_ptr, so that stack unwinding does the
job in any case.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-05-18 06:13:12 +02:00
Heiko Hund
e2d252ef4a
add API to override IP protocol version
The new element ClientAPI::Config::protoVersionOverride can be set
to 4 or 6 respectively, to override the transport protocol IP version
used by RemoteList::Item entries. Clients can force all --remotes
to use IPv4 or IPv6 using this entry, if they know that only one of
the two is available in the current network.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-05-05 19:46:58 +02:00
Heiko Hund
f1bdbe5088
fix handling of --proto option
Make it possible to enforce the protocol family by appending 4/6 to
the protocol, e.g. tcp6 or udp4. While it is already possible to
have protocol options like these in the configuration, they are not
enforced so far. Thus you could still be connected to a v6 address
even though the config requested v4 only.

Since v2.3 the openvpn 2.x series behaves like this. So, this is also
to catch up with the behavior there.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-05-05 19:46:57 +02:00
Heiko Hund
e9a903fd9f add support for the --peer-fingerprint option
This option lets you specify the SHA256 fingerprint of a peer's self-signed
certificate. The peer's certificate, presented during connection bring-up,
is compared to the fingerprint. The connection fails if it doesn't
match.

So, this serves as an easy, yet secure, alternative to setting up a PKI,
but can also be used in conjunction with one to add one more check during
leaf certificate validation.

The option can also be given as an inline block, for easier management
of multiple fingerprints:

  <peer-fingerprint>
  00:11:22:33:...:BB:CC:DD:FF
  BB:CC:DD:FF:...:00:11:22:33
  </peer-fingerprint>

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-04-28 23:56:22 +02:00
David Sommerseth
2a5f0ee76f
docs: Update README
The README file had several deprecated ways of building various test
binaries.  Clean up this and direct users towards using CMake
everywhere.

The change to test/ssl/CMakeLists.txt covers various build-time
parameters the deprecated build script supported.

Signed-off-by: David Sommerseth <davids@openvpn.net>
2021-04-22 12:54:34 +02:00
David Sommerseth
38f2a08d2b
cmake: Clean up duplications
The CMakeLists.txt settings from the project root directory are
inherited by the defined subdirectories automatically.

Also switch to a simpler way of setting the CMAKE_MODULE_PATH.
According to the CMake documentation, this variable is empty by
default [1] and should not need to pull in existing settings.

Finally remove the comment regarding CMake's use case, as we are
moving towards full CMake support for OpenVPN 3.

Signed-off-by: David Sommerseth <davids@openvpn.net>
2021-04-22 12:54:26 +02:00
Lev Stipakov
e9c62c1b08
Add vcpkg port for dco-win
The port script only copies the uapi header, the same way it is done for tap-windows6.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-04-14 22:44:52 +02:00
Heiko Hund
9b03cddea9
add support for ovpn-dco-win TAP driver
Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-04-14 22:44:49 +02:00
Heiko Hund
1e55fdadf1
make it possible to provide HTTP proxy creds
Extend struct ProvideCreds so that it can also hold HTTP proxy
credentials. This makes it possible to use proxy settings from
options, but provide credentials separately.

This is in contrast to the already existing struct Config::proxy*
which need to be given as a complete set to override eventual
HTTP proxy options.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-04-14 22:40:09 +02:00
Heiko Hund
f2508d9363
add unit test for HTTP proxy options
Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-04-14 22:40:07 +02:00
Heiko Hund
63d38ba278 add results_type to class AsyncResolvable
Makes code more readable and implicitly declares the
correct internet protocol.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-03-18 18:10:30 +01:00
Heiko Hund
bdc135c0d6 add unit tests for class RemoteList
Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-03-02 11:07:09 +01:00
Heiko Hund
08a02669c5 add support for remote-random-hostname option
Add the option from openvpn2. If given, prepend hostnames
from remote options with six random hex bytes before
DNS resolution takes place, e.g.

	host.domain -> e3b17bf7cd57.host.domain

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-03-02 11:07:09 +01:00
Heiko Hund
4e15a06468 Expand unit test for class PushedOptionsFilter
  * add tests for pull-filter option
  * adapt route-nopull test to refactored class

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-02-11 02:21:30 +01:00
Heiko Hund
ef2b3179b1 Fix some typos in unittest README files
Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-02-11 02:14:19 +01:00
Heiko Hund
cb7b37b1d7 Add unit test for class PushedOptionsFilter
Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-02-09 15:43:16 +01:00
James Yonan
68a5451c84 unittests/test_helper.hpp: added JY_ASSERT_LE and JY_ASSERT_GE
Googletest has issues with ASSERT macros in class
constructors or functions/methods that return values,
so we need to create our own suite of ASSERT macros.

Signed-off-by: James Yonan <james@openvpn.net>
2021-01-11 11:39:58 -07:00
James Yonan
f50bcab9e4 unit testing: LogOutputCollector: added log_wrapper() method for multi-threaded tests
To enable logging in new threads, add this line to the
beginning of your thread function:

  Log::Context log_context(testLog->log_wrapper());

Signed-off-by: James Yonan <james@openvpn.net>
2020-10-15 22:49:41 -06:00