We haven't done any mbedtls builds for Windows in a long
time. Let's not pretend that is something we support by
having this cruft lying around.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
mbedtls clearly doesn't want to apply this patch. So
affected users will need to find other solutions.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Unlike OpenVPN v2, v3 supports split DNS already, so we need to make sure
that --dns options are added in a way that results in NRPT rules being set. At
this time that means the --dns resolve-domains are added as search
domains and --dns search-domains (only the first one really) as an
adapter specific domain suffix.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
On some systems, probably depending on the glibc version,
the ipv6 address will be truncated in the output.
Currently affects only Fedora 38.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
At the moment meta options are parsed only from
content. This doesn't work well with iOS where
config is imported via content_list. The config might
contain meta options, which currently won't be
recognized as meta and connection won't be established
due to "unknown option" error.
This adds meta options parsing to content_list.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
The name Config is very generic and often leads to confusion which
class in particular is used in a given context. Rename Config to
ProtoConfig to give some more clue about the context.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This might have been used or intended to be used for more than compression
but currently it is only used for compression, so rename it accordingly.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
control_recv looks at the incoming messages and dispatches them to
different handlers depending on the message. Split off these handlers
into their own methods. Also rename/align process_halt_restart to
recv_halt_rest to make all handlers consistent.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
We're specifically interested in the fix for the unit tests.
("Update test data to avoid failures of unit tests after
2023-08-07")
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
- Used static_cast instead of direct type conversions in places where
it's safe
- Used numeric_cast where failure is possible
- Changed types of arguments and locals when practical
Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
The confusing overlapping structs and memory accesses with the
struct led to us missing a few bytes from being copied. Fix
this by copying from the correct struct.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The undefined behavior is unary negation of T::min of a signed type
attempting to get a positive value of the same signed type.
This commit adds a unit test that exposes the original bug as well as
a fix for it.
Signed-off-by: Mark Deric <jmark@openvpn.net>
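An added worked example of the undefined behaviour this commit describes; it is not code from the commit or from the openvpn3 code base, and the names naive_abs, safe_abs and abs_of_min_is_correct are assumptions made here for illustration. The unsafe form negates in the signed type; the fixed form converts to the unsigned counterpart first, where the result for T::min is representable and the arithmetic is defined.

```cpp
#include <cstdint>
#include <limits>
#include <type_traits>

// "Before" (assumed shape of the original bug): -v overflows when v is
// std::numeric_limits<T>::min(), because +|T::min| does not fit in T.
// Never call this with T::min; that is the undefined behaviour.
template <typename T>
T naive_abs(T v)
{
    return v < 0 ? -v : v;
}

// Fix: return the unsigned counterpart of T. The conversion to unsigned is
// modular and well defined, and 0 - u wraps to |v| for every v, including T::min.
template <typename T>
std::make_unsigned_t<T> safe_abs(T v)
{
    static_assert(std::is_integral_v<T> && std::is_signed_v<T>,
                  "safe_abs is for signed integral types");
    using U = std::make_unsigned_t<T>;
    const U u = static_cast<U>(v);
    return v < 0 ? static_cast<U>(U{0} - u) : u;
}

// Probe in the spirit of the commit's unit test: the edge value must come out
// exactly, for several widths.
bool abs_of_min_is_correct()
{
    return safe_abs(std::numeric_limits<std::int32_t>::min()) == 2147483648u
        && safe_abs(std::numeric_limits<std::int64_t>::min()) == 9223372036854775808ull
        && safe_abs(std::int16_t{-32768}) == 32768u;
}

int main()
{
    return abs_of_min_is_correct() ? 0 : 1;
}
```

The return type change is the whole point: an absolute value of a signed type cannot be a total function into the same type, so the safe version changes the codomain rather than trying to special-case the minimum.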
This commit mostly reverts a previous commit:
commit b7bc687396
Avoid compiler warning with gcc by not using move semantics
The previous commit changed the semantics of the client
callback to use copy instead of move semantics on the
filename string to placate a compiler warning which was
later determined to be a false positive.
We revert to calling the client-provided func()
with move semantics on the filename parameter.
We also retain the use of std::invoke to call the
client-provided callback.
Signed-off-by: James Yonan <james@openvpn.net>
Reduce default set from /W3 to /W2 and disable two
additional warnings that we do not care about.
With these settings successful builds with /WX are possible.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
This is very noisy with lots of false positives, especially
in newer versions of GCC. So for now disable this.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
The earlier were deprecated since CMake 3.12.
Since CMake 3.27 this causes deprecation warnings.
Should be safe nowadays to require CMake 3.12.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Since we use C++17 now, the attribute is guaranteed
to be available.
Should silence some Coverity warnings.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
This fixes deprecation warnings with latest CMake.
("Compatibility with CMake < 3.5 will be removed
from a future version of CMake.")
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
redirect-gw is implemented by changing default route to
a GW provided by VPN. For IPv4 before doing that we add
a bypass route to a remote. This is needed only when remote
is not on local network.
The check "is remote on local network" has a wrong assumption
that remote is IPv4. This is obviously not always the case
since remote could be IPv6. In this case if we want to redirect
IPv4 traffic an exception is thrown inside BestGateway class
while trying to convert IPv6 address to IPv4.
Fix by specifying correct address family based on remote's "ipv6"
flag. Later we add bypass route only if remote is IPv4.
Fixes OVPN3-1004.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
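An added illustration of the decision the fix describes; this is not code from the commit or from openvpn3, and RemoteAddr, parse_ipv4, prefix_mask, remote_on_local_net_before and bypass_route_for_redirect_gw are names assumed here. The "before" function treats every remote as IPv4 and throws on an IPv6 literal; the "after" function consults the remote's ipv6 flag first and only then does the IPv4 subnet test that decides whether a bypass route is needed. Addresses in the probes are constructed documentation-range values.

```cpp
#include <arpa/inet.h>
#include <cstdint>
#include <stdexcept>
#include <string>

// Constructed stand-in for the remote the client connects to.
struct RemoteAddr
{
    std::string address;
    bool ipv6; // address family the remote was resolved to
};

enum class BypassRoute { NotNeeded, AddIPv4 };

// Parse an IPv4 literal into host byte order. Anything else throws, which is
// what the unfixed code ran into when handed an IPv6 remote.
std::uint32_t parse_ipv4(const std::string &s)
{
    in_addr a{};
    if (inet_pton(AF_INET, s.c_str(), &a) != 1)
        throw std::invalid_argument("not an IPv4 address: " + s);
    return ntohl(a.s_addr);
}

std::uint32_t prefix_mask(int prefix_len)
{
    if (prefix_len < 0 || prefix_len > 32)
        throw std::invalid_argument("bad prefix length");
    // guard the shift: 0xFFFFFFFF << 32 would be undefined
    return prefix_len == 0 ? 0u : static_cast<std::uint32_t>(0xFFFFFFFFu << (32 - prefix_len));
}

// Before: assumes the remote is IPv4 regardless of its family.
bool remote_on_local_net_before(const RemoteAddr &r, const std::string &local_ip, int prefix_len)
{
    const std::uint32_t mask = prefix_mask(prefix_len);
    return (parse_ipv4(r.address) & mask) == (parse_ipv4(local_ip) & mask); // throws for IPv6
}

// After: choose the family from the remote's ipv6 flag first. An IPv6 remote
// gets no IPv4 bypass route, and the IPv4 parse only runs for an IPv4 remote.
BypassRoute bypass_route_for_redirect_gw(const RemoteAddr &r, const std::string &local_ip, int prefix_len)
{
    if (r.ipv6)
        return BypassRoute::NotNeeded;
    const std::uint32_t mask = prefix_mask(prefix_len);
    const bool on_local_net = (parse_ipv4(r.address) & mask) == (parse_ipv4(local_ip) & mask);
    return on_local_net ? BypassRoute::NotNeeded : BypassRoute::AddIPv4;
}

// Reproduces the failure mode of the old check with an IPv6 remote.
bool before_throws_on_ipv6_remote()
{
    try
    {
        remote_on_local_net_before({"2001:db8::1", true}, "192.0.2.10", 24);
        return false;
    }
    catch (const std::invalid_argument &)
    {
        return true;
    }
}

int main()
{
    const bool ok = before_throws_on_ipv6_remote()
        && bypass_route_for_redirect_gw({"2001:db8::1", true}, "192.0.2.10", 24) == BypassRoute::NotNeeded
        && bypass_route_for_redirect_gw({"198.51.100.7", false}, "192.0.2.10", 24) == BypassRoute::AddIPv4;
    return ok ? 0 : 1;
}
```

The check that matters is the first one in the fixed function: the address family is a property of the remote, so it must be decided before any IPv4-only parsing or subnet arithmetic is attempted.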
Earlier implementations just assumed that --client mode is always
present in the config, which led to the config behaving differently in
OpenVPN 2.x and 3.x. This creates hard to debug corner cases.
Additionally OpenVPN 3.x was not parsing the tls-client and pull
options. This led to OpenVPN 3.x erroring on a perfectly legal
config with --pull in it.
Note the original patch was by Merten Fermont <merten.fermont@gmail.com>
but his patch got mangled in the email and when I started to apply
it manually I instead wrote my own version of it since we need
unit tests anyway.
As also explained in OpenVPN 2.x commit bd9aa06feb4, Diffie Hellman
key exchanges can optionally be disabled and OpenSSL will then use
only ECDH instead.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This makes this option have the same style as the other options in
the client config to ensure consistency.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This is not required in ClientConfigParsed, and actually makes
the object significantly bigger, due to the contained certificates.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The current passing of client options is very confusing since it is
three classes that largely have the same attributes and the code is
copying them around between the classes.
Instead create a new base class that holds the settings that can be shared
between the classes and only parse/copy the settings that need special
handling. This might keep an extra copy of some settings around but in
contrast greatly reduces the code complexity of the options handling.
Also move the check_dco_compatibility function to client options to
be able to avoid carrying around the dco_compatibility flag.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
A main thread might attempt to stop the lifecycle thread by stopping the runloop
and waiting on joining the lifecycle thread. However if this happens
before the lifecycle thread has started the runloop, the main thread will hang on join
since the runloop won't be stopped.
Fix by introducing an atomic bool "halt" flag, which is set in the main
thread when it wants to stop the lifecycle thread. Before starting the runloop,
a one-shot timer task is scheduled to be executed, which checks halt
and stops the runloop if needed.
Fixes OVPN3-992.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
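An added model of the race and of the halt-flag fix; it is not code from the commit or from openvpn3. RunLoop is a minimal stand-in assumed here for the real run loop (modelled on an asio io_context that is restarted as run() begins, so a stop() that arrives before run() is lost), and LifecycleThread, request_stop and shutdown_before_runloop_started_completes are names chosen for this example. The gate future is a test device that parks the worker until the main thread has already asked it to stop, which reproduces the ordering deterministically.

```cpp
#include <atomic>
#include <condition_variable>
#include <deque>
#include <functional>
#include <future>
#include <mutex>
#include <thread>

// Minimal run loop (assumed model, not the project's): run() forgets any stop()
// that came before it, which is the lost-stop race described in the commit.
class RunLoop
{
  public:
    void post(std::function<void()> task)
    {
        std::lock_guard<std::mutex> lock(mutex_);
        tasks_.push_back(std::move(task));
        cv_.notify_one();
    }
    void stop()
    {
        std::lock_guard<std::mutex> lock(mutex_);
        stopped_ = true;
        cv_.notify_one();
    }
    void run()
    {
        {
            std::lock_guard<std::mutex> lock(mutex_);
            stopped_ = false; // an earlier stop() is lost here
        }
        for (;;)
        {
            std::function<void()> task;
            {
                std::unique_lock<std::mutex> lock(mutex_);
                cv_.wait(lock, [this] { return stopped_ || !tasks_.empty(); });
                if (stopped_)
                    return;
                task = std::move(tasks_.front());
                tasks_.pop_front();
            }
            task();
        }
    }

  private:
    std::mutex mutex_;
    std::condition_variable cv_;
    std::deque<std::function<void()>> tasks_;
    bool stopped_ = false;
};

class LifecycleThread
{
  public:
    // with_fix=false reproduces the bug: join() never returns. Only run it
    // with with_fix=true unattended.
    void start(std::shared_future<void> gate, bool with_fix)
    {
        thread_ = std::thread([this, gate, with_fix] {
            gate.wait(); // parked until the main thread has requested the stop
            if (with_fix)
            {
                // one-shot task queued before run(): it re-checks halt once the
                // loop is actually running, so the earlier stop() is not lost
                loop_.post([this] { if (halt_.load()) loop_.stop(); });
            }
            loop_.run();
            finished_.store(true);
        });
    }
    void request_stop()
    {
        halt_.store(true); // set before stop(), so the queued task observes it
        loop_.stop();
    }
    void join() { if (thread_.joinable()) thread_.join(); }
    bool finished() const { return finished_.load(); }

  private:
    RunLoop loop_;
    std::atomic<bool> halt_{false};
    std::atomic<bool> finished_{false};
    std::thread thread_;
};

// Main-thread side: the stop is requested before the worker has entered run().
bool shutdown_before_runloop_started_completes()
{
    std::promise<void> gate;
    LifecycleThread lc;
    lc.start(gate.get_future().share(), /*with_fix=*/true);
    lc.request_stop(); // worker is still parked on the gate
    gate.set_value();  // now let it start its run loop
    lc.join();         // returns because the queued task sees halt and stops the loop
    return lc.finished();
}

int main()
{
    return shutdown_before_runloop_started_completes() ? 0 : 1;
}
```

The ordering in request_stop matters: halt must be published before the loop's stop() so that the task the worker queues ahead of run() is guaranteed to see it, whichever side wins the race.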
We need to ensure that there is only one copy of these algorithms defined
as we modify them with the method allow_default_dc_algs to set the
F_DC_ALLOW flag on. Having more than one copy means that we have different
copies with different flags which we want to avoid.
The use of inline on a normal variable is a C++17 feature.
From https://en.cppreference.com/w/cpp/language/inline
An inline function or variable (since C++17) with external linkage
(e.g. not declared static) has the following additional properties:
There may be more than one definition of an inline function or variable
(since C++17) in the program as long as each definition appears in a
different translation unit and (for non-static inline functions and
variables (since C++17)) all definitions are identical. For example,
an inline function or an inline variable (since C++17) may be defined
in a header file that is included in multiple source files.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Commit 5b524b1f ("WS::ClientSet: added new TransactionSet flag
retry_on_http_4xx") sets E_BAD_REQUEST transport status in case of
HTTP 400. This breaks replace_create_route() behavior, which
doesn't expect transport error for ReplaceRoute and fails the
whole transaction set.
Fix by setting retry_on_http_4xx flag to false before executing
ReplaceRoute. We expect to get 400 if route doesn't exist, so no
need to retry.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
This is thought to be a bug in the GCC compiler.
Ignore these warnings on GCC 12/13 to avoid breaking
Werror.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
gcc 12+ warns about a temporary that is used after its lifetime when we use
move semantics here. Since the code here is not super performance
critical just remove the move semantics to be able to compile with
Werror.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
All of these cases are safe casts since the
value is checked before-hand. So convert them
to explicit casts.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
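An added example covering both the numeric_cast/static_cast split from the earlier "Used static_cast ... Used numeric_cast where failure is possible" commit and the checked-then-explicit casts in this last commit. It is not code from either commit or from openvpn3: the numeric_cast here is a range-checking stand-in written for this example, and encode_length_prefix, length_prefix_or_minus1 and numeric_cast_rejects are names assumed for illustration. Conversions whose range is checked by surrounding logic stay a plain static_cast; conversions that can fail go through the checked cast and throw instead of wrapping or truncating silently.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <stdexcept>
#include <string>
#include <type_traits>

// Range-checked integer conversion (assumed stand-in, not the project's).
// Throws std::range_error when the value does not fit in To.
template <typename To, typename From>
To numeric_cast(From value)
{
    static_assert(std::is_integral_v<To> && std::is_integral_v<From>,
                  "numeric_cast handles integral types only");
    [[maybe_unused]] constexpr To lo = std::numeric_limits<To>::min();
    constexpr To hi = std::numeric_limits<To>::max();
    bool ok;
    if constexpr (std::is_signed_v<From> == std::is_signed_v<To>)
    {
        // same signedness: the comparison is exact in the wider type
        ok = value >= lo && value <= hi;
    }
    else if constexpr (std::is_signed_v<From>)
    {
        // signed -> unsigned: reject negatives, then compare as unsigned
        using UFrom = std::make_unsigned_t<From>;
        ok = value >= 0 && static_cast<UFrom>(value) <= hi;
    }
    else
    {
        // unsigned -> signed: compare against the target's max as unsigned
        using UTo = std::make_unsigned_t<To>;
        ok = value <= static_cast<UTo>(hi);
    }
    if (!ok)
    {
        const std::string shown = std::is_signed_v<From>
            ? std::to_string(static_cast<long long>(value))
            : std::to_string(static_cast<unsigned long long>(value));
        throw std::range_error("numeric_cast: value " + shown + " out of range");
    }
    return static_cast<To>(value);
}

// Probe: true if numeric_cast<To> refuses the value.
template <typename To, typename From>
bool numeric_cast_rejects(From value)
{
    try
    {
        (void)numeric_cast<To>(value);
        return false;
    }
    catch (const std::range_error &)
    {
        return true;
    }
}

// The other pattern: the range is checked right here, so the narrowing
// conversion itself is a plain, explicit static_cast.
bool encode_length_prefix(std::size_t len, std::uint16_t &out)
{
    if (len > std::numeric_limits<std::uint16_t>::max())
        return false;
    out = static_cast<std::uint16_t>(len); // safe: checked above
    return true;
}

// Convenience wrapper returning -1 when the length does not fit.
std::int32_t length_prefix_or_minus1(std::size_t len)
{
    std::uint16_t out = 0;
    return encode_length_prefix(len, out) ? static_cast<std::int32_t>(out) : -1;
}

int main()
{
    const bool ok = numeric_cast<std::uint8_t>(255) == 255
        && numeric_cast_rejects<std::uint8_t>(256)
        && numeric_cast_rejects<std::uint32_t>(-1)
        && length_prefix_or_minus1(65535) == 65535
        && length_prefix_or_minus1(65536) == -1;
    return ok ? 0 : 1;
}
```

The rule of thumb the two commits apply: a static_cast documents that a conversion was already proven safe at the call site; a checked cast is for values that arrive from outside and may legitimately be out of range.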