We do not want to force a dependency on powershell.
Copying the right dlls is rather trivial.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit e9e49239ce)
This makes it easier to see what is going on when looking at
individual CMakeLists.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 4c81069564)
This is important since it allows us to avoid
the JsonCPP dependency on non-Win/non-Apple
systems.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit a9570cb780)
Make sure we find vcpkg and system packages on all
platforms.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit e720bf3aba)
Use add_library to define a target so that we do not
need to apply all the settings manually.
Use find_package_message() to avoid printing the
message more than once.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 2fb5d08ea0)
- Fix PATCHES to work on Linux
- While here, fix version number
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit fb9bee5ad6)
- Increase required version to 3.10. That is the version in
Ubuntu Bionic and currently the oldest one we still want
to support.
- Enable CTest for test target
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 50271ee02a)
With the change to OpenSSL 3 and introducing insecure as profile we
actually allowed MD5 again. Update the warning to reflect this.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Currently we error out on the first unsupported
option which belongs to the "fatal" category, such as
"removed deprecated option" or "Option allowed only to
be pushed by the server".
To improve user experience and allow application code
to display all problematic options and their categories,
collect options into a category->options map and then
serialize it into multiline string:
cat1: opt1,opt2
cat2: opt3
Introduce a new error code UNUSED_OPTIONS, which is
placed into ClientAPI::Status::status. The serialized
options map is placed into ClientAPI::Status::message.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
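As an added illustration of the category->options map and its multiline serialization described in the commit message above (not code from the OpenVPN 3 tree), the following assumes constructed helper names and that every serialized line, including the last, ends with a newline:

```cpp
#include <cstddef>
#include <map>
#include <string>
#include <vector>

// Category -> list of unsupported options, collected during option parsing.
using UnusedOptionsMap = std::map<std::string, std::vector<std::string>>;

// Record one unsupported option under its category (constructed helper name).
inline void collect_unused_option(UnusedOptionsMap &map,
                                  const std::string &category,
                                  const std::string &option)
{
    map[category].push_back(option);
}

// Serialize the map into the multiline "cat: opt1,opt2" form from the commit
// message. Categories appear in std::map (sorted) order, options in the order
// they were collected; every line, including the last, ends with '\n'.
inline std::string serialize_unused_options(const UnusedOptionsMap &map)
{
    std::string out;
    for (const auto &entry : map)
    {
        out += entry.first + ": ";
        for (std::size_t i = 0; i < entry.second.size(); ++i)
        {
            if (i > 0)
                out += ",";
            out += entry.second[i];
        }
        out += "\n";
    }
    return out;
}

// Constructed sample mirroring the commit message: two categories, three options.
inline std::string sample_unused_report()
{
    UnusedOptionsMap map;
    collect_unused_option(map, "cat1", "opt1");
    collect_unused_option(map, "cat1", "opt2");
    collect_unused_option(map, "cat2", "opt3");
    return serialize_unused_options(map);
}
```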
If we get a valid but almost empty PKCS7 structure we otherwise try
to access invalid fields.
CVE: CVE-2023-6247
Reported-by: Bahaa Naamneh <bahaa.cpl@gmail.com>
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The option compress is extremely seldom used since there is virtually no sense
in using it as all clients that support the compress option also support
pushing compression, so adding a stub only compression method by default
in the configuration does not give any benefit, only downsides.
When compress is in the config *and* the server never pushes any compression
option (even "push compress" is fine), we initialise "comp-lzo no" instead.
And comp-lzo and compress are different compression stub methods (byte swap
vs no byte swap) that are incompatible.
compress without argument in config is extremely seldom used.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Some commits targeted for the Core v3.8.3 release did not end up
in the released branch and got lost. These were already approved
for the Core v3.8.3 release. This marks the starting point for
the Core v3.8.4 release.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Also, while this is a very rare option to be used today, as it was for compatibility
with OpenVPN 1.x, we should still not error out when it is present.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
When setting IP address with "gateway" option,
Windows for some reason creates 0.0.0.0/0 route
which we later remove. However for a few seconds
while this route exists it might interfere with routing.
To work around that, we initially set tun interface metric to
a very high value, which makes Windows create a rogue route with
high metric. After a few seconds we delete that route and
set metric to the lowest value.
Fixes https://github.com/OpenVPN/openvpn3/issues/281
Signed-off-by: Lev Stipakov <lev@openvpn.net>
We haven't done any mbedtls builds for Windows in a long
time. Let's not pretend that is something we support by
having this cruft lying around.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
mbedtls clearly doesn't want to apply this patch. So
affected users will need to find other solutions.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Unlike OpenVPN v2, v3 supports split DNS already, so we need to make sure
that --dns options are added in a way that results in NRPT rules to be set. At
this time that means the --dns resolve-domains are added as search
domains and --dns search-domains (only the first one really) as an
adapter specific domain suffix.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
On some systems, probably depending on the glibc version,
the ipv6 address will be truncated in the output.
Currently affects only Fedora 38.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
At the moment meta options are parsed only from
content. This doesn't work well with iOS where
config is imported via content_list. The config might
contain meta options, which currently won't be
recognized as meta and connection won't be established
due to "unknown option" error.
This adds meta options parsing to content_list.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
We're specifically interested in the fix for the unit tests.
("Update test data to avoid failures of unit tests after
2023-08-07")
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
The confusing overlapping structs and memory accesses with the
struct led to us missing a few bytes from being copied. Fix
this by copying from the correct struct.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
redirect-gw is implemented by changing default route to
a GW provided by VPN. For IPv4 before doing that we add
a bypass route to a remote. This is needed only when remote
is not on local network.
The check "is remote on local network" has a wrong assumption
that remote is IPv4. This is obviously not always the case
since remote could be IPv6. In this case if we want to redirect
IPv4 traffic an exception is thrown inside BestGateway class
while trying to convert IPv6 address to IPv4.
Fix by specifying correct address family based on remote's "ipv6"
flag. Later we add bypass route only if remote is IPv4.
Fixes OVPN3-1004.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Earlier implementations just assumed that --client mode is always
present in the config, which led to the config behaving differently in
OpenVPN 2.x and 3.x. This creates hard-to-debug corner cases.
Additionally OpenVPN 3.x was not parsing the tls-client and pull
options. This led to OpenVPN 3.x erroring on a perfectly legal
config with --pull in it.
Note the original patch was by Merten Fermont <merten.fermont@gmail.com>
but his patch got mangled in the email and when I started to apply
it manually I instead wrote my own version of it since we need
unit tests anyway.
As also explained in OpenVPN 2.x commit bd9aa06feb4, Diffie Hellman
key exchanges can optionally be disabled and OpenSSL will then use
only ECDH instead.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
A main thread might attempt to stop the lifecycle thread by stopping the runloop
and waiting on joining the lifecycle thread. However, if this happens
before the lifecycle thread has started the runloop, the main thread will hang on join
since the runloop won't be stopped.
Fix by introducing an atomic bool "halt" flag, which is set in the main
thread when it wants to stop the lifecycle thread. Before starting the runloop,
a one-shot timer task is scheduled to be executed, which checks halt
and stops the runloop if needed.
Fixes OVPN3-992.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
We need to ensure that there is only one copy of these algorithms defined
as we modify them with the method allow_default_dc_algs to set the
F_DC_ALLOW flag on. Having more than one copy means that we have different
copies with different flags which we want to avoid.
The use of inline on a normal variable is a C++17 feature.
From https://en.cppreference.com/w/cpp/language/inline
An inline function or variable (since C++17) with external linkage
(e.g. not declared static) has the following additional properties:
There may be more than one definition of an inline function or variable
(since C++17) in the program as long as each definition appears in a
different translation unit and (for non-static inline functions and
variables (since C++17)) all definitions are identical. For example,
an inline function or an inline variable (since C++17) may be defined
in a header file that is included in multiple source files.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Commit 5b524b1f ("WS::ClientSet: added new TransactionSet flag
retry_on_http_4xx") sets E_BAD_REQUEST transport status in case of
HTTP 400. This breaks replace_create_route() behavior, which
doesn't expect transport error for ReplaceRoute and fails the
whole transaction set.
Fix by setting retry_on_http_4xx flag to false before executing
ReplaceRoute. We expect to get 400 if route doesn't exist, so no
need to retry.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Use copy by reference, otherwise "touched" flag is
not preserved and option is marked as "not used" with
warning being printed.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
While there should be no problem of having these basically static
definition multiple times, avoiding multiple copies of it is a good
thing.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
In all other places we check only if USE_OPENSSL is defined but not
if it is 0/1. Use the same check in definitions.hpp
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This removes need of calling EVP_MD_CTX_free() manually.
Since init() and erase() are only called from constructor
and destructor, remove those. And since we moved to unique_ptr,
explicit destructor is not needed anymore.
OpenSSL 1.0.1 requires usage of EVP_MD_CTX_cleanup(). So we wrap
this call into #ifdef and add to compat's implementation
of EVP_MD_CTX_free().
Signed-off-by: Lev Stipakov <lev@openvpn.net>
The Digest API calculates MD4/MD5 digests etc., which
are deprecated. In order to use those one needs to
load OpenSSL legacy provider and EVP_MD_fetch() to
fetch digest implementation from all loaded providers.
EVP_MD_fetch() takes library context as an argument,
so we need to pass it there through the digest api stack.
Signed-off-by: Lev Stipakov <lev@openvpn.net>