Remove constexpr in preparation for making it possible to modify the
data channel ciphers. Use std::array so the SIZE can be specified.
Remove the unused CryptoAlgs:get_index_ptr() function.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
This is release fixes an issue with the building of the OpenSSL
dependency on Windows, where the OpenSSL library could load an
OpenSSL configuration file, resulting in loading external third-party
libraries.
Signed-off-by: David Sommerseth <davids@openvpn.net>
In default configuration OpenSSL loads config from
certain location on disk, which may pose a security risk.
There is "no-autoload-config" config option for OpenSSL
which disables this functionality:
https://github.com/openssl/openssl/pull/5959
however it is not "exported" to vcpkg.
This adds openssl port overlay which sets "no-autoload-config"
config option. Here is the diff:
diff --git a/ports/openssl/windows/portfile.cmake
b/ports/openssl/windows/portfile.cmake
index 7a3bf08ed..c873eb756 100644
--- a/ports/openssl/windows/portfile.cmake
+++ b/ports/openssl/windows/portfile.cmake
@@ -21,6 +21,7 @@ set(CONFIGURE_OPTIONS
enable-capieng
no-ssl2
no-tests
+ no-autoload-config
-utf-8
${OPENSSL_SHARED}
)
There is also corresponsing PR to vcpkg:
https://github.com/microsoft/vcpkg/pull/18389
When above PR is merged, this port overlay can be removed.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Windows agent has been moved from common to core,
so for consistency move mac agent too.
Since agent and agent-enabled client depend on jsoncpp,
also move jsoncpp build scripts.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
This method is called to enable connectivity to a different remote
when force-tunneling is used and current VPN connection is broken.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
This adds a watchdog thread, which wakes up when client
process exits and closes tun. Watchdog is removed
when agent process exits.
To monitor process exit, we use kqueue's NOTE_EXIT event,
to interrupt waiting on graceful exit we use self-pipe trick.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
httpcliset : when preserve_http_state is false, close out
the HTTPStateContainer before calling completion callback,
so as to improve reentrancy-safety if completion callback
tries to queue a new request.
The problem with the above commit is that it breaks
the interprocess socket-passing technique in
UnixCommandAgent::establish(), requiring that we deploy a
WS::ClientSet::SyncPersistState object to extend the
lifetime of the HTTP connection state.
std::strerror() doesn't claim to be thread-safe, so
add openvpn::strerror_str() which is thread-safe by
virtue of the fact that it backs to strerror_r().
Signed-off-by: James Yonan <james@openvpn.net>
ASIO 1.18 enabled UNIX domain sockets on Windows,
which breaks our code, since we use Linux-specific
API to work with sockets.
Fix by disabling UNIX domain (local in ASIO terminology)
sockets on Windows.
Bump ASIO version to 1.18.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
There are two things addressed here.
1) regression introduced by commit f1bdbe5088:
Since TCP is not an alias for TCPv4 anymore the occ string
contained TCP_CLIENT as proto, which is not understood by peers.
Since only the "v4" version of the proto strings are understood
the code was simplified.
2) wrong occ proto string for TCP servers:
Servers were also sending out the proto with client suffix. Fixed
by passing in a boolean and returning the server version if true.
Also renamed the method to reflect better what it is used for.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
The DCO component now implements the SessionStats::DCOTransportSource interface.
This interface is already used by ovpncli.cpp to retrieve the peer stats
from DCO.
With this patch, also the OvpnDcoCli object can be used to retrieve the
peer stats from kernel space.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
After invoking the get_peer() API, let the DCOClient component
extract the statistics and store them locally.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
The get_peer API allows userspace to retrieve the data about a specific
peer. Implement the userspace counterpart so that OpenVPN can retrieve
the peer data when it needs to updte the client statistics.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Explicitly specify the return type of lambda expressions
so that we can avoid casting the return value.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
The compat.hpp header had issues when building on Debian 9, where it
complained about SSL_CTX_set1_curves() not being defined. This was
due to openssl/ssl.h not being included inside the #if block where the
compat wrapper was defined.
Signed-off-by: David Sommerseth <davids@openvpn.net>
By default, the proto test uses a relatively small
handshake_window to intentionally trigger
KEV_NEGOTIATE_ERROR, so that we can test mid-session error
recovery. However if KEV_NEGOTIATE_ERROR is hit on the
first primary key (i.e. first KeyContext with key_id == 0),
it is fatal to the session and will trigger a disconnect.
This change introduces a retry to prevent this
low-probability, false-positive corner case from
blowing up the test.
Signed-off-by: James Yonan <james@openvpn.net>
When copying strings, it appears sufficient to reserve()
space in the destination string equal to the length() of
the source string.
Signed-off-by: James Yonan <james@openvpn.net>
If sigaction() fails the d'tor will throw a signal_error. However,
looking at the reasons sigaction() can fail (i.e. the sorce of the
exception), it is safe to assume things are wrong enough to terminate().
So, marking the d'tor potentially-throwing is the right thing to do here.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
If DCO support is compiled in, detect if it is available (i.e. Windows driver
or Linux kernel module is loaded) and then use it, if it is.
This changes the default configuration for DCO from off to on, so users of
the library need to set ClientAPI::Config::dco to false in case they do not
want to use dco for a connection.
The change is also reflected in the reference client "ovpncli". If DCO is
enabled in a build, it will detect and use it. The previously available
"ovpncliovpndco" and "ovpncliovpndcowin" clients have thus been removed.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
It is not recommended to allocate big blocks on the stack, however
the sitnl sending routine is stacking a 16KB large buffer.
Allocate it using heap memory and avoid using the stack.
Addresses-Coverity: ("Large stack use")
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
When cycling through matching routes, the most specific (i.e. having the
longest prefix) should be selected. To achieve that, we must store the
prefix len of any selected route, so that it can be compared with the
next (if more than one is found).
As result, we return the prefix len of the matching route in the
route_res_t object.
Addresses-Coverity: ("Self assignment")
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Add missing includes that allow the file to be included without having to
include them before including compat.hpp
Signed-off-by: Arne Schwabe <arne@openvpn.net>
AltRoutingShimFactory::connect_timeout() returns an int, not an unsigned.
With that the if condition below makes sense again.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
match_ptr is not used after this statement. It is then overridden by a new
value in both surrounding loops in case there's more iterations. Thus the
incremented value is not inspected in any case.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
