We currently accept cipher none as pushed cipher when legacy ciphers are
enabled but do not announce support for it in IV_CIPHERS. This means we
currently display inconsistent behaviour. Servers that ignore IV_CIPHERS
can use none but server that are correctly working cannot.
Setting ADAPTER_DOMAIN_SUFFIX for non-DHCP adapters requires
registry modification. For that, we need adapter GUID.
This passes adapter GUID from agent to client via /tun-open call
and then from client to agent via /tun-setup call, when adapter
domain suffix is set.
Github: #304
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Signed-off-by: Krasovskiy Saveliy Igorevich <skrasovskiy@ozon.ru>
With compression logic now being able to be tuned at runtime the
different executable to allow a different define for the compression
log level is no longer needed.
Prefix the defines of test_proto.cpp with PROTO_ to avoid collision of
these very generic named defines
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This allows the test_proto.cpp to supress all the logging of this
class. This is also the only place in our project that actually uses
a non-default loglevel for this class. A lot of files were defining the
OPENVPN_LOG_SSL(x) macro to be what the also remove ssllog.hpp would do
anyway if it were not defined.
The removed debug_level field only controlled the mssfix
logging and is now controlled by the general protocol logging instead.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This template base class allows specifying a maximum log level that
can be used to make the logging function empty above that level.
This allows us to make our logging more structured and move to a more
standard logging approach. The use of if constexpr ensures that logging of
very high level is not emitting code.
This also add a few macros (LOG_VERBOSE, LOG_INFO, LOG_TRACE) that are drop
in replacements for the old OPENVPN_xx_LOG and OPENVPN_xx_LOG_VERBOSE macros
and also ensure not to do string construction if logging at a certain level
is already disabled at compile time.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The openvpn3-linux ships with a netcfg-cli client, which is essentially
the same code as test/ovpncli/cli.cpp but it uses the
net.openvpn.v3.netcfg D-Bus service to create the virtual network
adapter and the related network and DNS configuration. This is a useful
test client when only wanting to test the Network Configuration service
openvpn3-linux ships with.
As part of the refactoring of the D-Bus implementation in
openvpn3-linux, the supporting D-Bus setup needs to be adjusted to the
new D-Bus API.
It has been considered to support both types of APIs, but the legacy
D-Bus API is deprecated and will not be used any more after the release
of OpenVPN 3 Linux v22_dev. Prior releases will depend on an older
OpenVPN 3 Core library version, which contains the old API.
Signed-off-by: David Sommerseth <davids@openvpn.net>
The code in dco/dcocli.hpp used #if ENABLE_KOVPN, which will
fail on newer compilers if the macro is defined in a source
file. Compilers may not complain if the macro is defined on
the command line, via -D.
This type of checks should use either #ifdef or #if defined(...).
The #if conditional expects a boolean expression.
Since these code blocks also depended on #elif (also expects
a boolean expression , the defined(...) approach was chosen
throughout this file.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Currently the protocontext is used as kind of composition but not really
and makes following the code harder, since this inheritance not only serves
for composition but also as callbacks through virtual method inheritance.
Making ProtoContext a normal field and definining a callback interface makes
the class relationship easier to understand.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
By resetting the timer on each incoming packet, we can capture more gaps.
Consider the following examples:
Old logic:
0 seconds: openvpn3 starts with an inactive timeout of 60 seconds.
30 seconds: An ICMP packet was received with 48 bytes.
60 seconds: 48 bytes received for the last 60 seconds, continue...
90 seconds: An ICMP packet was received with 48 bytes.
120 seconds: 48 bytes received...
New logic:
0 seconds: openvpn3 starts with an inactive timeout of 60 seconds.
30 seconds: An ICMP packet was received with 48 bytes.
Inactive timeout reset!.
90 seconds: Inactive timeout triggered. Terminating session..."
Signed-off-by: illia.polishchuk illia.polishchuk@openvpn.com
When correcting conversion issues in RouteBase a to_string bug was
introduced which caused some characters to be escaped when inserted
to the string, for example a prefix_len of 0 would render as "\0"
rather than inserting '0'. The std::ios::binary flag does not seem
to prevent this for std::ostringstream so I have cast the data member
up to uint16_t which should be safe, and solves the issue.
Added a unit test to demonstrate the issue. Old code output was
"0.0.0.0/\0", now outputs "0.0.0.0/0" as expected.
Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
A refactoring of the logging code in commit 9ffa263b removed
conventional #ifndef header guards and replaced them with #pragma
once. Some consumers of the code used the header #defines to guide
their behavior. The missing guards caused the consumers to log
incorrectly. The fix was to still rely on the #pragma once for
guarding, but to reinstate the #defines from the original headers.
Signed-off-by: Mark Deric <jmark@openvpn.net>
So that we override values from the global Ops
configuration we do not like.
While here change rebaseWhen. Since we do rebase
everything before merge anyway, let's renovate
do it for us.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
The previous commit restructured the way how peer info was built and
accidentally move those into its own method without calling the method.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The sys/socket.h header is not available on Windows. This issue was
introduced in commit 1b4f736bb9, so the same fencing used in
that commit was also added around the #include statement.
Signed-off-by: David Sommerseth <davids@openvpn.net>
In commit 1b4f736bb9, an additional parentheses was added to
the MacGatewayInfo constructor. This results in code which cannot be
compiled.
Signed-off-by: David Sommerseth <davids@openvpn.net>
A few minor changes:
- add ORGANIZATION meta option to ignore list
- remove excessive OVPN_ACCESS_SERVER_ prefix from NO_WEB meta option
- Increase status message length from 256 to 2048 to be able to show
the full list of unsupported options
Signed-off-by: Lev Stipakov <lev@openvpn.net>
ERR_INVALID_OPTION_DNS -- invalid value for some of DNS\Domain options
ERR_INVALID_OPTION_CRYPTO -- invalid value for some of SSL\Crypto option
ERR_INVALID_CONFIG -- missing option or not supported option
ERR_INVALID_OPTION_PUSHED -- pushed to server option error
ERR_INVALID_OPTION_VAL -- invalid value for some general option
Signed-off-by: Illia Polishchuk <illia.polishchuk@openvpn.com>
The OPENVPN_EXCEPTION_WITH_CODE(C, DEFAULT_CODE, ...)
macro creates enum C_code with __VA_ARGS__ codes
and constructor with the C_code as first argument which
adds label at the beginning of error message, other
constructors add DEFAULT_CODE label
Signed-off-by: Illia Polishchuk <illia.polishchuk@openvpn.com>
Until now sitnl was just default to metric 0 when installing routes,
while ignoring any value that may have been passed by the user.
Extend logic to properly accept a user value.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
When the user specifies no metric (i.e. value is -1), the TunBuilder
should pass the default value down the stack.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
This also move the building IV_HWADDR peer info variable to the point
that the server address is actually available.
This also avoids failing to connect when push-peer-info is enabled and
there is no IPv4 default gateway. The new code will always pick the device
that holds the route to the current remote.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Config
client
pull
was not correctly handled like client + tls-client
since the code short-circuited if tls-client wasn't set
and so didn't touch pull option.
Github: #277
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
- Group GHA updates and set them to monthly schedule to
drastically reduce the numbers of PRs
- Notify about GoogleTest updates
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
It was noted that the SITNL unit test is always failing for no clear
reason.
It turned out that commit 22ba196429
("SITNL: revert change of sitnl_send return type, return int"),
that was supposed to be a simple revert of
ae663c573a ("Using new numeric
conversion tools") is actually converting two "return ret" into
return -1 and return -EINVAL accordingly.
This accidental change results in two functions always returning
an error despite terminating succesfully.
This behaviour was obviously fooling the unitest which failed in result.
Fix both functions by properly returning "ret" as it was originally.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Makes it easier to test with -Wconversion, e.g. in Jenkins.
For now disable -Wsign-conversion. That is the default in g++,
but not clang++. Once we have fixed all -Wsign-conversion
warnings, we can enable it for both.
For now disable -Wenum-enum-conversion. Only present in clang++.
Not clear whether cleaning those up will be worth the effort.
Disable -ferror-limit in clang++. This ensures that it always
displays all errors.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 6e7a98b5f4)
- Set CXX_STANDARD_REQUIRED ON so that we error out early
if CMake thinks that the compiler does not support the
used standard.
- Set CXX_EXTENSIONS OFF so that we get less compiler
specific behavior.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 9b8797fe5e)
Using the <max> argument to cmake_minimum_required will
set all policies up to <max> to NEW. We might need to
fix some issues arising from that, but this means that
modern CMake can already behave like it wants even with
leaving <min> so that we can support old distros (currently
Debian 10).
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 268bf42b9e)
On modern CMake this gets us swig dependency management,
which should reduce problems for incremental builds.
Also it is just cleaner.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 72275db1d5)
The earlier were deprecated since CMake 3.12.
Since CMake 3.27 this causes deprecation warnings.
Should be safe nowadays to require CMake 3.12.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit bb61350ae5)
This is very noisy with lots of false positives, especially
in newer version of GCC. So for now disable this.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit d7e8375fc5)
- Use CURRENT source and binary dir to make this work even
if used as a sub-directory in another project.
- Make USE_MDFILE_AS_MAINPAGE actually work. It is only
used when part of the INPUT and does not automatically
add it to INPUT.
- Make sure CMake uses the latest version of README.rst
by using configure_file instead of file(COPY).
- Improve EXCLUDE_PATTERNS.
- Add NUM_PROC_THREADS.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 474de6c93f)
By adding the asio includes first we have a better
chance to force using "our" asio. This can be important
since some parts of the code require a patched version.
The actual "core" parts of the code work fine with
upstream asio however, so I also do not want to
force the patched asio by requiring a special header
name or directory structure.
So this is a compromise solution which hopefully works
for most use-cases.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit bc7f4be01b)