* origin/releaseprep/3.10:
Do not reject control message with trailing newlines
aws: account for RandomAPI change
Allow disabling TLS 1.3 in certcheck to more easily debug problems
Implement changes to allow test dpc certcheck to be tested
Allow setting a maximum TLS version
Change cxa1 protocol tag to dpc1
Fix spelling errors raised by Debian linter
mac agent: reinstall host route during restart
Preparing QA cycle for OpenVPN 3 Core library release v3.10
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
The previous fix to reject invalid control messages was a bit too aggressive,
as scripts often accidentally include an extra newline at the end of the
control message.
Jira: OVPN3-1225
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This is reusing the auth pending method as this is just another method where
the final authentication decision is pending on some results. In this case
custom messages going back and forth. This can be tested using
client-pending-auth 5 1 "ACC:1000 A:6 cck1:certcheck:cxa1:fortune" 60
with OpenVPN 2.x servers easily.
Also correctly use ClientEvent::Base::Ptr with the ClientEvents to avoid
problems with not correctly using RCPtr.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Clients need access to the server VPN CA for whitelisting reasons,
so it is now available inside the EvalConfig structure. Implemented
the change and added a unit test for the same.
Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.net>
This allows debugging the certificates the server sends. I did this as a hack
two times before. I think it is now time to get this in officially.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This also moves some of the responsibility from ClientProto to
OpenVPNClient. This plays better with the EPKI implementation and also
does not break the idea of the current certcheck implementation, as we now
just give the certcheck in the client protocol a preconfigured SSL config instead
of all the certificates individually.
Allow setting a program to get root (e.g. "sudo").
This allows running the sitnl tests via ctest.
Only required on Linux, since those tests are
Linux-only.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Previously this logic was encoded in Jenkinsfile by
running the UTs manually. Much preferable to just
use ctest.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
The AppControl feature provides an internal communications channel that
is described in detail in the relevant commits that implement it. This
change adds two intrinsic app control 'protocols' to the list of
supported handlers in the client. The new protocols are:
- cxa1: This is a request for the client to begin a TLS handshake via
the app control channel.
- cck1: This is the protocol that allows the exchange of the requested
TLS handshake data.
The 'cxa1' handler parses the request and initiates the handshake from
the client. This handshake is exchanged via the 'cck1' protocol and
serves to prove to the server that the client has access to the required
private key.
Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
Prior to this, --dns and the DNS related --dhcp-options shared the same
code to apply the settings to Windows and macOS systems. So, both
options were pretty much just aliases, with --dns offering more and
finer grained settings that were mostly ignored.
Now --dhcp-options are applied the way they have always been and --dns
does it its own (the new) way. The reason for this behavioral change is
foremost that we want it to be the same between openvpn version 2 and
version 3. But there are also a few new features (e.g. DNSSEC), previously
not present with the --dhcp-options.
The name server and split-domain configuration is exclusively set via
NRPT on Windows, since it overrules any other resolver setting. If there
is no split DNS configured and all domains are resolved using the pushed
name server, we make sure that local domain names are still resolvable by
adding so-called exclude NRPT rules, which make sure local domains get
resolved by their local DNS resolvers.
Since Windows does not know about alternative secure transports, the
'transport' and 'sni' settings are ignored.
For macOS the 'dnssec' setting is ignored in addition to that. Besides
that, not much changes on that platform. In the case of --dns options the
explicit values are used now. The API in use may be changed at a later time.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Functions from_utf8() and to_utf8() added one extra '\0' glyph to the
output string, i.e. if the input basic_string::size() was 8 the output
was 9. Normally this would not make a difference for most string
usage, as the extra NUL at the end would mostly be ignored. However, if
you used the output string to append to another string, the extra NULs
were actually also appended, resulting in a string with embedded NUL
characters. This is a problem for the next use case.
The pack_string_vector() function failed to produce a wide MULTI_SZ
string from a vector of strings, unlike advertised. The extra NUL
actually led to the MULTI_SZ string always being terminated after the
first string. Besides that, the function actually never terminated the
MULTI_SZ in the first place and also failed to handle empty vectors
gracefully.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
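The two failure modes described in this message (a converter that leaves a trailing NUL inside the string body, and a MULTI_SZ packer that neither terminates the list nor copes with an empty vector) are easy to reproduce in isolation. The following is an added example, not code from the OpenVPN 3 tree: the names widen(), buggy_widen(), pack_multi_sz(), buggy_pack_multi_sz() and unpack_multi_sz() are hypothetical stand-ins for from_utf8() and pack_string_vector(), the widening is ASCII-only, and the reader mirrors Windows REG_MULTI_SZ semantics (each string NUL-terminated, the list terminated by an empty string).

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical helper names; not the names used in the OpenVPN 3 tree.

// ASCII-only widening, enough for this example (no real UTF-8 decoding).
static std::wstring widen(const std::string& s)
{
    return std::wstring(s.begin(), s.end());
}

// Reproduces the conversion bug described above: the trailing L'\0' becomes
// part of the string body, so size() is one larger than the text it holds.
static std::wstring buggy_widen(const std::string& s)
{
    std::wstring w = widen(s);
    w.push_back(L'\0');
    return w;
}

static std::string narrow(const std::wstring& w)
{
    std::string s;
    for (wchar_t c : w)
        s.push_back(static_cast<char>(c));
    return s;
}

// Buggy packer: each element already carries an embedded NUL and a second NUL
// is appended per element, so {"a","bc"} becomes "a\0\0bc\0\0". A MULTI_SZ
// reader sees the empty string after "a" and stops there. No list terminator
// is written either, so a single-element list is not terminated at all.
static std::wstring buggy_pack_multi_sz(const std::vector<std::string>& v)
{
    std::wstring out;
    for (const auto& s : v)
    {
        out += buggy_widen(s);
        out.push_back(L'\0');
    }
    return out;
}

// Correct REG_MULTI_SZ layout: "str1\0str2\0...\0" with one extra NUL at the
// end. An empty list is written as "\0\0" (empty string + list terminator),
// the conservative form that readers insisting on a double NUL also accept.
static std::wstring pack_multi_sz(const std::vector<std::string>& v)
{
    std::wstring out;
    for (const auto& s : v)
    {
        out += widen(s);
        out.push_back(L'\0');
    }
    if (v.empty())
        out.push_back(L'\0');
    out.push_back(L'\0'); // list terminator
    return out;
}

// Reader with Windows semantics: a string ends at NUL, the list at an empty
// string. Used here to show how the two packers are actually consumed.
static std::vector<std::string> unpack_multi_sz(const std::wstring& blob)
{
    std::vector<std::string> out;
    std::size_t pos = 0;
    while (pos < blob.size() && blob[pos] != L'\0')
    {
        std::size_t end = blob.find(L'\0', pos);
        if (end == std::wstring::npos)
            end = blob.size(); // tolerate a missing terminator on the last string
        out.push_back(narrow(blob.substr(pos, end - pos)));
        pos = end + 1;
    }
    return out;
}
```

Feeding the buggy packer's output through the reader yields only the first string, which is exactly the symptom the message describes; the corrected packer round-trips every element and produces a valid empty list.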
OpenVPN has the idiosyncrasy that all ciphers are uppercase and none is
spelt lowercase, and expects this idiosyncrasy also in IV_CIPHERS.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The reauthentication logic differs from openvpn2
and the code is a bit hard to follow. Simplify
the code and make it behave like in openvpn2.
- password is cached by default
- password is purged when auth-nocache is present in a local config or pushed
- when AUTH_FAILED is received and we have no session-id, throw a fatal error
- when AUTH_FAILED is received and user interaction is required for
authentication (MFA), throw a fatal error
- when AUTH_FAILED is received, user interaction is not required
for authentication and either we have a cached password OR password is not
needed, we reconnect.
Password is "needed" when non-empty password is provided.
User interaction is required for static/dynamic challenge and SAML.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
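The rules above form a small decision table, and the credential-lifetime part of it (cache by default, purge on auth-nocache whether local or pushed) is the security-relevant piece. The following is an added model of those rules, not the OpenVPN 3 client code: ReauthState, CredentialCache and on_auth_failed() are hypothetical names, and the model only covers the cases the list above spells out.

```cpp
#include <string>

// Hypothetical model of the reauthentication rules; not OpenVPN 3 code.
enum class AuthFailedAction { Fatal, Reconnect };

struct ReauthState
{
    bool have_session_id = false;
    bool user_interaction_required = false; // static/dynamic challenge or SAML
    bool password_cached = false;
    bool password_needed = false;           // a non-empty password was provided
};

// Credential cache: caches by default and purges the secret as soon as
// auth-nocache is seen, whether it comes from the local config or is pushed.
class CredentialCache
{
public:
    void store(const std::string& user, const std::string& pass)
    {
        username_ = user;
        password_needed_ = !pass.empty(); // "needed" means a non-empty password was given
        if (!nocache_)
            password_ = pass;
    }

    // Called for every option, local or pushed; only auth-nocache matters here.
    void apply_option(const std::string& option)
    {
        if (option == "auth-nocache")
        {
            nocache_ = true;
            password_.clear(); // purge immediately, do not wait for the next AUTH_FAILED
        }
    }

    bool password_cached() const { return !password_.empty(); }
    bool password_needed() const { return password_needed_; }

    ReauthState state(bool have_session_id, bool user_interaction_required) const
    {
        ReauthState s;
        s.have_session_id = have_session_id;
        s.user_interaction_required = user_interaction_required;
        s.password_cached = password_cached();
        s.password_needed = password_needed();
        return s;
    }

private:
    std::string username_;
    std::string password_;
    bool password_needed_ = false;
    bool nocache_ = false;
};

// Decision on AUTH_FAILED, in the order the rules are listed above.
static AuthFailedAction on_auth_failed(const ReauthState& s)
{
    if (!s.have_session_id)
        return AuthFailedAction::Fatal;
    if (s.user_interaction_required)
        return AuthFailedAction::Fatal; // MFA cannot be replayed silently
    if (s.password_cached || !s.password_needed)
        return AuthFailedAction::Reconnect;
    return AuthFailedAction::Fatal; // a password is needed but no longer held
}
```

The case worth noting is the last one: once auth-nocache has purged the password, a later AUTH_FAILED with a session-id still ends in a fatal error rather than a silent reconnect, because the client would have nothing to re-present.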
We currently accept cipher none as a pushed cipher when legacy ciphers are
enabled but do not announce support for it in IV_CIPHERS. This means we
currently display inconsistent behaviour. Servers that ignore IV_CIPHERS
can use none but servers that are correctly working cannot.
With the compression logic now able to be tuned at runtime, the
separate executable to allow a different define for the compression
log level is no longer needed.
Prefix the defines of test_proto.cpp with PROTO_ to avoid collision of
these very generically named defines.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The openvpn3-linux ships with a netcfg-cli client, which is essentially
the same code as test/ovpncli/cli.cpp but it uses the
net.openvpn.v3.netcfg D-Bus service to create the virtual network
adapter and the related network and DNS configuration. This is a useful
test client when only wanting to test the Network Configuration service
openvpn3-linux ships with.
As part of the refactoring of the D-Bus implementation in
openvpn3-linux, the supporting D-Bus setup needs to be adjusted to the
new D-Bus API.
It has been considered to support both types of APIs, but the legacy
D-Bus API is deprecated and will not be used any more after the release
of OpenVPN 3 Linux v22_dev. Prior releases will depend on an older
OpenVPN 3 Core library version, which contains the old API.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Currently the ProtoContext is used as a kind of composition but not really,
and makes following the code harder, since this inheritance not only serves
for composition but also as callbacks through virtual method inheritance.
Making ProtoContext a normal field and defining a callback interface makes
the class relationship easier to understand.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
When correcting conversion issues in RouteBase a to_string bug was
introduced which caused some characters to be escaped when inserted
to the string, for example a prefix_len of 0 would render as "\0"
rather than inserting '0'. The std::ios::binary flag does not seem
to prevent this for std::ostringstream so I have cast the data member
up to uint16_t which should be safe, and solves the issue.
Added a unit test to demonstrate the issue. Old code output was
"0.0.0.0/\0", now outputs "0.0.0.0/0" as expected.
Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
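The root cause here is a C++ streams quirk worth seeing in isolation: `std::uint8_t` is an alias for `unsigned char`, so `operator<<` writes it as a character, not a number, and `std::ios::binary` has no influence on that. The following is an added example, not the RouteBase code from the OpenVPN 3 tree; route_to_string_buggy(), route_to_string() and route_to_string_plus() are hypothetical stand-ins for to_string(), showing the broken form next to the uint16_t cast the commit uses and the unary-plus promotion idiom as an equivalent alternative.

```cpp
#include <cstdint>
#include <ios>
#include <sstream>
#include <string>

// Hypothetical stand-in for RouteBase::to_string(); not the OpenVPN 3 code.
// operator<< treats std::uint8_t (an unsigned char) as a character, so a
// prefix_len of 0 is written as the byte '\0' and 48 is written as '0'.
static std::string route_to_string_buggy(const std::string& addr, std::uint8_t prefix_len)
{
    std::ostringstream os(std::ios::out | std::ios::binary); // binary changes nothing here
    os << addr << '/' << prefix_len;
    return os.str();
}

// Fix as in the commit: widen to uint16_t before streaming, so the value is
// formatted as a number. Safe, since every uint8_t value fits.
static std::string route_to_string(const std::string& addr, std::uint8_t prefix_len)
{
    std::ostringstream os;
    os << addr << '/' << static_cast<std::uint16_t>(prefix_len);
    return os.str();
}

// Equivalent idiom: unary plus applies integer promotion (uint8_t -> int).
static std::string route_to_string_plus(const std::string& addr, std::uint8_t prefix_len)
{
    std::ostringstream os;
    os << addr << '/' << +prefix_len;
    return os.str();
}

// True when the rendered text contains an embedded NUL, the symptom the
// unit test described above was written to catch.
static bool has_embedded_nul(const std::string& s)
{
    return s.find('\0') != std::string::npos;
}
```

Note the second buggy case: a prefix length of 48 renders as "/0" because 48 is the ASCII code of '0', so the broken output is not always visibly wrong, which is why a test on a non-zero length alone would have missed it.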
The sys/socket.h header is not available on Windows. This issue was
introduced in commit 1b4f736bb9, so the same fencing used in
that commit was also added around the #include statement.
Signed-off-by: David Sommerseth <davids@openvpn.net>
ERR_INVALID_OPTION_DNS -- invalid value for some of the DNS/Domain options
ERR_INVALID_OPTION_CRYPTO -- invalid value for some of the SSL/Crypto options
ERR_INVALID_CONFIG -- missing option or not supported option
ERR_INVALID_OPTION_PUSHED -- pushed to server option error
ERR_INVALID_OPTION_VAL -- invalid value for some general option
Signed-off-by: Illia Polishchuk <illia.polishchuk@openvpn.com>
This also moves the building of the IV_HWADDR peer info variable to the point
where the server address is actually available.
This also avoids failing to connect when push-peer-info is enabled and
there is no IPv4 default gateway. The new code will always pick the device
that holds the route to the current remote.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Config
    client
    pull
was not correctly handled like client + tls-client,
since the code short-circuited if tls-client wasn't set
and so didn't touch the pull option.
Github: #277
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Always use find_package for all libraries.
Add missing Find*.cmake modules.
Always define an IMPORTED library in Find*
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit d7b3419f8e)
This makes it easier to see what is going on when looking at
individual CMakeLists.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 4c81069564)
- Increase required version to 3.10. That is the version in
Ubuntu Bionic and currently the oldest one we still want
to support.
- Enable CTest for test target
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
(cherry picked from commit 50271ee02a)
Currently we error out on the first unsupported
option which belongs to the "fatal" category, such as
"removed deprecated option" or "Option allowed only to
be pushed by the server".
To improve user experience and allow application code
to display all problematic options and their categories,
collect options into a category->options map and then
serialize it into multiline string:
cat1: opt1,opt2
cat2: opt3
Introduce a new error code UNUSED_OPTIONS, which is
placed into ClientAPI::Status::status. The serialized
options map is placed into ClientAPI::Status::message.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
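Application code that consumes the new UNUSED_OPTIONS status has to build and later read the "category: opt1,opt2" lines, so the exact format matters. The following is an added example, not the OpenVPN 3 ClientAPI code: the option names and categories in the sample are constructed for illustration, and collect_unused(), serialize_unused() and parse_unused() are hypothetical names. It puts the old stop-at-first behaviour next to the new collect-everything behaviour and adds a parser for the serialized form that an application would need on the receiving side.

```cpp
#include <cstddef>
#include <map>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Hypothetical names and categories for illustration; not ClientAPI types.
using UnusedOptions = std::map<std::string, std::vector<std::string>>;

// (option, category) pairs as a classifier would emit them; an empty category
// means the option was accepted. Sample data is constructed, not a real table.
using Classified = std::vector<std::pair<std::string, std::string>>;

// Old behaviour: report only the first problematic option and stop.
static std::string first_problem(const Classified& opts)
{
    for (const auto& oc : opts)
        if (!oc.second.empty())
            return oc.second + ": " + oc.first;
    return {};
}

// New behaviour: collect every problematic option, grouped by category.
// std::map sorts categories; order within a category is the option order.
static UnusedOptions collect_unused(const Classified& opts)
{
    UnusedOptions m;
    for (const auto& oc : opts)
        if (!oc.second.empty())
            m[oc.second].push_back(oc.first);
    return m;
}

// Serialize as "cat1: opt1,opt2\ncat2: opt3" (no trailing newline).
static std::string serialize_unused(const UnusedOptions& m)
{
    std::string out;
    for (const auto& kv : m)
    {
        if (!out.empty())
            out += '\n';
        out += kv.first + ": ";
        for (std::size_t i = 0; i < kv.second.size(); ++i)
        {
            if (i)
                out += ',';
            out += kv.second[i];
        }
    }
    return out;
}

// Parse the serialized form back; rejects lines without the "category: " prefix.
static UnusedOptions parse_unused(const std::string& msg)
{
    UnusedOptions m;
    std::size_t start = 0;
    while (start < msg.size())
    {
        std::size_t nl = msg.find('\n', start);
        if (nl == std::string::npos)
            nl = msg.size();
        const std::string line = msg.substr(start, nl - start);
        start = nl + 1;
        const std::size_t sep = line.find(": ");
        if (sep == std::string::npos)
            throw std::runtime_error("malformed UNUSED_OPTIONS line: " + line);
        auto& opts = m[line.substr(0, sep)];
        std::size_t p = sep + 2;
        while (p <= line.size())
        {
            std::size_t c = line.find(',', p);
            if (c == std::string::npos)
                c = line.size();
            opts.push_back(line.substr(p, c - p));
            p = c + 1;
        }
    }
    return m;
}
```

Because the message carries a list of option names, an application that echoes it to a user interface should treat it as untrusted text from the config being parsed, not as something to interpret further.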
- Add notes regarding some unexpected behaviors in sslctx
- Add unit tests specifically for sslctx, including simple in-memory
handshaking with both success and failure examples.
Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
Out of all the suggestions by Coverity I picked
the ones that move non-Ptr objects into variables
or attributes.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
If we get a valid but almost empty PKCS7 structure we otherwise try
to access invalid fields.
CVE: CVE-2023-6247
Reported-by: Bahaa Naamneh <bahaa.cpl@gmail.com>
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Some systems like to see the mapped IPv4 addresses as real IP addresses.
This commit adds the ability to show IP addresses as such.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This adds the capability to implement a custom app level protocol
that supports message passing over the OpenVPN control channel.
The protocol is agnostic to the data that is transported over it
and the message splitting/reassembly is handled transparently by the
OpenVPN library itself.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
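Transparent splitting and reassembly of application messages is where a control-channel extension usually picks up its first bug: a receiver that buffers fragments without a size cap can be made to hold an arbitrarily large message by its peer. The following is an added illustration, not the wire format or code OpenVPN 3 uses: the Fragment layout, split_message() and Reassembler are hypothetical, the protocol tag reuses the "cck1" name from the commits above purely as a label, and the channel is assumed reliable and ordered (as the control channel is), so fragments are concatenated in arrival order.

```cpp
#include <algorithm>
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

// Illustrative fragment format; not the format OpenVPN 3 puts on the wire.
struct Fragment
{
    std::string protocol; // handler tag, e.g. "cck1"
    bool last = false;    // true on the final fragment of a message
    std::string data;
};

// Split one application message into fragments of at most max_chunk bytes.
// An empty message still yields one (empty, last) fragment so it is delivered.
static std::vector<Fragment> split_message(const std::string& protocol,
                                           const std::string& msg,
                                           std::size_t max_chunk)
{
    if (max_chunk == 0)
        throw std::invalid_argument("max_chunk must be > 0");
    std::vector<Fragment> out;
    std::size_t pos = 0;
    do
    {
        const std::size_t n = std::min(max_chunk, msg.size() - pos);
        Fragment f;
        f.protocol = protocol;
        f.data = msg.substr(pos, n);
        pos += n;
        f.last = (pos >= msg.size());
        out.push_back(f);
    } while (pos < msg.size());
    return out;
}

// Receiver side. Fragments arrive in order; the cap on the buffered size is
// the check that keeps a peer from forcing unbounded memory use.
class Reassembler
{
public:
    explicit Reassembler(std::size_t max_message) : max_message_(max_message) {}

    // Returns true when a complete message has been moved into `out`.
    bool push(const Fragment& f, std::string& out)
    {
        if (in_progress_ && f.protocol != protocol_)
            throw std::runtime_error("fragment of a different protocol while a message is pending");
        if (buffer_.size() + f.data.size() > max_message_)
        {
            reset();
            throw std::length_error("app control message exceeds configured limit");
        }
        protocol_ = f.protocol;
        in_progress_ = true;
        buffer_ += f.data;
        if (!f.last)
            return false;
        out.swap(buffer_);
        reset();
        return true;
    }

private:
    void reset()
    {
        buffer_.clear();
        in_progress_ = false;
    }

    std::size_t max_message_;
    std::string protocol_;
    std::string buffer_;
    bool in_progress_ = false;
};

// Send msg through split_message() and Reassembler; returns the rebuilt message.
static std::string round_trip(const std::string& msg, std::size_t max_chunk, std::size_t limit)
{
    Reassembler r(limit);
    std::string out;
    bool done = false;
    for (const auto& f : split_message("cck1", msg, max_chunk))
        done = r.push(f, out);
    if (!done)
        throw std::runtime_error("message never completed");
    return out;
}
```

The limit is enforced per fragment rather than once at the end, so an over-sized message is rejected as soon as it crosses the threshold, before the memory is spent.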
It was only supported by mbedTLS and is very easily used wrong since it
is just a boolean value. Other TLS stacks were using the regular strength
PRNG no matter what. Also we should not weaken a crypto strength PRNG,
now that we have the StrongRandomAPI type in place. It might give the
wrong sense of strength, when in reality we might reseed a hundred times
less often.
In places where prng was passed as true before, use MTRand now instead.
Signed-off-by: Heiko Hund <heiko@openvpn.net>