The need to call the assert_crypto() member function to ensure
that a cryptographically strong RNG is used where needed was reported
as potentially insecure, since calling it manually can easily be missed.
In the commit the two new classes StrongRandomAPI and WeakRandomAPI are
introduced. They are to be used instead of just RandomAPI, unless it
doesn't matter what strength the RNG is.
All the places the assert_crypto() was called were converted to using
StrongRandomAPI instead. Also the RNGs for which assert_crypto() was not
throwing are now inheriting from StrongRandomAPI.
Variable names which have the StrongRandomAPI type but were called
prng are changed to rng instead to follow the source code convention.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
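The pattern described in the commit above, shown as an added example rather than openvpn3's own code: the question "is this RNG cryptographically strong?" is moved from a runtime assert_crypto() call that callers may forget into the parameter type, so that a function needing key material can only be handed a StrongRandomAPI. The class names follow the commit message; the implementations, the std::random_device stand-in for a real CSPRNG backend, and the helper functions are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <random>
#include <stdexcept>
#include <string>
#include <type_traits>
#include <vector>

// Added example, not openvpn3 code. Class names follow the commit message;
// everything else is assumed for illustration.
class RandomAPI {
public:
    virtual ~RandomAPI() = default;
    virtual std::string name() const = 0;
    virtual bool is_crypto() const = 0;
    virtual void rand_bytes(std::uint8_t* buf, std::size_t size) = 0;

    // The old approach: every caller had to remember to call this.
    void assert_crypto() const {
        if (!is_crypto())
            throw std::runtime_error(name() + " is not a cryptographically strong RNG");
    }
};

// Marker bases: a function taking StrongRandomAPI& cannot be handed a
// WeakRandomAPI, so the check happens at compile time instead of at runtime.
class StrongRandomAPI : public RandomAPI {
public:
    bool is_crypto() const override { return true; }
};

class WeakRandomAPI : public RandomAPI {
public:
    bool is_crypto() const override { return false; }
};

static_assert(!std::is_convertible<WeakRandomAPI*, StrongRandomAPI*>::value,
              "a weak RNG must never be usable where a strong one is required");

// Toy "strong" RNG. std::random_device stands in for a real CSPRNG backend
// (assumption of this example); the type only records the claim, the backend
// behind it still has to be a genuine CSPRNG.
class DeviceRandom : public StrongRandomAPI {
public:
    std::string name() const override { return "DeviceRandom"; }
    void rand_bytes(std::uint8_t* buf, std::size_t size) override {
        for (std::size_t i = 0; i < size; ++i)
            buf[i] = static_cast<std::uint8_t>(dev_());
    }
private:
    std::random_device dev_;
};

// Deterministic, non-cryptographic RNG: fine for jitter and backoff, never for keys.
class MTRandom : public WeakRandomAPI {
public:
    explicit MTRandom(std::uint32_t seed) : eng_(seed) {}
    std::string name() const override { return "MTRandom"; }
    void rand_bytes(std::uint8_t* buf, std::size_t size) override {
        for (std::size_t i = 0; i < size; ++i)
            buf[i] = static_cast<std::uint8_t>(eng_());
    }
private:
    std::mt19937 eng_;
};

// Key material must come from a strong RNG: the parameter type enforces it.
std::vector<std::uint8_t> generate_key(StrongRandomAPI& rng, std::size_t len) {
    std::vector<std::uint8_t> key(len);
    rng.rand_bytes(key.data(), key.size());
    return key;
}

// Retry jitter does not care about strength, so it accepts any RandomAPI.
unsigned jitter_ms(RandomAPI& rng, unsigned max_ms) {
    std::uint8_t b[4];
    rng.rand_bytes(b, sizeof b);
    std::uint32_t v = (std::uint32_t(b[0]) << 24) | (std::uint32_t(b[1]) << 16)
                    | (std::uint32_t(b[2]) << 8) | b[3];
    return max_ms ? v % max_ms : 0;
}

// Legacy pattern for comparison: the check only fires if someone remembered to call it.
bool legacy_assert_crypto_rejects(const RandomAPI& rng) {
    try { rng.assert_crypto(); return false; }
    catch (const std::runtime_error&) { return true; }
}

int main() {
    DeviceRandom strong;
    MTRandom weak(42);
    std::vector<std::uint8_t> key = generate_key(strong, 32);   // compiles
    // generate_key(weak, 32);   // rejected by the compiler: WeakRandomAPI is not a StrongRandomAPI
    unsigned j = jitter_ms(weak, 1000);                         // any RNG will do here
    return (key.size() == 32 && j < 1000) ? 0 : 1;
}
```

The commented-out generate_key(weak, 32) line is the whole point: with assert_crypto() the same mistake compiled cleanly and only failed at runtime on a code path that may never have been exercised in testing.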
This adds two routines:
AWS::Route::create_route_table
This creates a route table in the given VPC and
assigns a "Name" tag to it with the provided value.
AWS::Route::get_route_table_by_name
This searches for a route table with the given "Name"
tag and either returns the route table id or an empty string
if the route table doesn't exist.
These routines are used by the Linux client AWS addon.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Commit 5b524b1f ("WS::ClientSet: added new TransactionSet flag
retry_on_http_4xx") sets E_BAD_REQUEST transport status in case of
HTTP 400. This breaks replace_create_route() behavior, which
doesn't expect transport error for ReplaceRoute and fails the
whole transaction set.
Fix by setting retry_on_http_4xx flag to false before executing
ReplaceRoute. We expect to get 400 if route doesn't exist, so no
need to retry.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
We do not allow SHA1 in other instances using this profile and while
SHA1 is still fine as HMAC in these situations, people freak out when
seeing SHA1 and also the description and documentation will state
that SHA1 is not allowed in other context (certificate signature),
causing confusion. So better not allow it in this context as well.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This is the result after running 'clang-format -i' on all C++ files and
headers, with the defined formatting rules in .clang-format.
Only the openvpn/common/unicode-impl.hpp has been excluded, as that is
mostly a copy of an external project.
Signed-off-by: David Sommerseth <davids@openvpn.net>
When enabled, retry_on_http_4xx indicates that HTTP status
codes between 400 and 499 should be considered a
retryable error. AWS appears to need this.
Note that error codes between 500 and 599 are always
considered to be retryable.
Signed-off-by: James Yonan <james@openvpn.net>
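An added example (not openvpn3 code) that models the two commits above together: the retry_on_http_4xx semantics (4xx retryable only when the flag is set, 5xx always retryable) and the replace_create_route() interaction, where ReplaceRoute is expected to return 400 for a route that does not exist yet and must therefore run with the flag off so that the 400 is treated as "fall back to CreateRoute" rather than as a retryable transport error. The Transaction/Outcome types, the max_retries limit and the FakeAws responder are assumptions of this example; the real WS::ClientSet machinery is not reproduced here.

```cpp
#include <cstddef>
#include <functional>
#include <string>
#include <vector>

// Added example, not openvpn3 code. Types and the fake responder are assumed.
struct Transaction {
    std::string action;               // e.g. "ReplaceRoute", "CreateRoute"
    bool retry_on_http_4xx = true;    // the flag from the commit message
    unsigned max_retries = 3;         // assumed limit for this example
};

enum class Outcome { Success, Retry, BadRequest, Fatal };

// Decide what an HTTP status means for this transaction.
Outcome classify(const Transaction& t, int http_status) {
    if (http_status >= 200 && http_status < 300) return Outcome::Success;
    if (http_status >= 500 && http_status < 600) return Outcome::Retry;   // always retryable
    if (http_status >= 400 && http_status < 500) {
        if (t.retry_on_http_4xx) return Outcome::Retry;                  // AWS needs this in general
        return http_status == 400 ? Outcome::BadRequest : Outcome::Fatal;
    }
    return Outcome::Fatal;
}

struct Result { Outcome outcome; unsigned attempts; };

// Run the transaction, retrying on Retry outcomes up to max_retries times.
// `send` is whatever performs the HTTP call and returns the status code.
Result execute(const Transaction& t, const std::function<int(const std::string&)>& send) {
    unsigned attempts = 0;
    for (;;) {
        ++attempts;
        Outcome o = classify(t, send(t.action));
        if (o != Outcome::Retry) return {o, attempts};
        if (attempts > t.max_retries) return {Outcome::Fatal, attempts};
    }
}

// ReplaceRoute first; a 400 means the route does not exist yet, so create it.
// retry_on_http_4xx is turned off for ReplaceRoute: with it on, the expected
// 400 would be retried and then fail the whole set (the bug the commit fixes).
Result replace_create_route(const std::function<int(const std::string&)>& send) {
    Transaction replace{"ReplaceRoute", false};
    Result r = execute(replace, send);
    if (r.outcome != Outcome::BadRequest) return r;
    Transaction create{"CreateRoute", true};
    Result c = execute(create, send);
    return {c.outcome, r.attempts + c.attempts};
}

// Constructed stand-in for the AWS API: tracks whether the route exists and
// can inject transient statuses ahead of its real answer to show retries.
struct FakeAws {
    bool route_exists;
    std::vector<int> injected;     // statuses returned before the real answer
    std::size_t calls = 0;
    int operator()(const std::string& action) {
        ++calls;
        if (!injected.empty()) {
            int s = injected.front();
            injected.erase(injected.begin());
            return s;
        }
        if (action == "ReplaceRoute") return route_exists ? 200 : 400;
        if (action == "CreateRoute") { route_exists = true; return 200; }
        return 404;
    }
};

int main() {
    FakeAws aws{false, {503}};     // route missing, one transient 5xx first
    Result r = replace_create_route(std::ref(aws));
    // Expect: 503 (retried), 400 (route missing), CreateRoute 200 -> 3 calls.
    return (r.outcome == Outcome::Success && aws.route_exists && aws.calls == 3) ? 0 : 1;
}
```

Running the same ReplaceRoute against a missing route with retry_on_http_4xx left at true reproduces the failure mode: every 400 is classified as Retry, the retry budget is exhausted, and the result is Fatal instead of a fallback to CreateRoute.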
VPN Binding Profiles (previously committed as VPN Connection
Profiles) contain information on an active VPN client session
such as local VPN IPs, gateway, and DNS resolver addresses
that can be directly used by higher-layer HTTP/REST-API
clients to (a) ensure that sessions are routed over the VPN,
and (b) privately use the VPN-server-pushed DNS resolvers
without publishing them in /etc/resolv.conf.
Signed-off-by: James Yonan <james@openvpn.net>
A VPN connection profile is basically a JSON representation
of the server-pushed parameters of a VPN session such as
VPN IPs, Gateway IPs, and DNS servers. It can be obtained
on the client via TunBuilderCapture::to_json()
This patch allows an HTTP client or server to bind to the
VPN connection profile, so that the VPN IP is used as the
local address, the Gateway IP is optionally used as the
destination address, and DNS lookups are performed using
the pushed DNS servers (without needing to overwrite
/etc/resolv.conf).
For example, suppose the VPN connection profile
is in /pg/uplink-connection-info
Then we can bind to the VPN IP addresses on the server side:
http-listen @/pg/uplink-connection-info 8443 tcp4 ssl
http-listen @/pg/uplink-connection-info 8443 tcp6 ssl
Or connect to a remote REST API using the VPN session
and VPN server-provided resolvers.
<aws-client>
host mybucket.s3.amazonaws.com
port 443
vpn-connection-info /pg/uplink-connection-info
...
</aws-client>
Signed-off-by: James Yonan <james@openvpn.net>
Different distros store CA certs in different places.
Try the paths one by one until the CA is found and
throw an exception if not.
This is required to make the AWS Addon for the Linux client
work on non-Debian-based distros.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
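The probing described above, as an added example that is not the project's own code: walk a list of well-known CA bundle locations, return the first one that exists and actually contains a PEM certificate, and throw (listing everything that was tried) if none does. The candidate list, its distro annotations and the function names are assumptions of this example; the order matters, since the first hit wins, so put the distro-maintained trust store you would rather use ahead of any fallback.

```cpp
#include <fstream>
#include <stdexcept>
#include <string>
#include <vector>

// Added example, not openvpn3 code. Paths and names are assumed for illustration.
const std::vector<std::string>& default_ca_candidates() {
    static const std::vector<std::string> paths = {
        "/etc/ssl/certs/ca-certificates.crt",                 // Debian, Ubuntu
        "/etc/pki/tls/certs/ca-bundle.crt",                   // Fedora, RHEL
        "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",  // CentOS, RHEL 7+
        "/etc/ssl/ca-bundle.pem",                             // openSUSE
        "/etc/ssl/cert.pem",                                  // Alpine, OpenBSD
    };
    return paths;
}

// Returns the first candidate that can be opened and contains at least one
// PEM certificate block. A file that exists but is empty or is not PEM is
// skipped rather than accepted, so a stray placeholder file cannot win.
std::string find_ca_bundle(const std::vector<std::string>& candidates) {
    for (const std::string& p : candidates) {
        std::ifstream in(p);
        if (!in) continue;                       // missing or unreadable: try the next one
        std::string line;
        while (std::getline(in, line))
            if (line.rfind("-----BEGIN CERTIFICATE-----", 0) == 0) return p;
    }
    std::string tried;
    for (const std::string& p : candidates) tried += (tried.empty() ? "" : ", ") + p;
    throw std::runtime_error("no CA bundle found; tried: " + tried);
}

int main() {
    try {
        std::string ca = find_ca_bundle(default_ca_candidates());
        return ca.empty() ? 1 : 0;
    } catch (const std::runtime_error&) {
        return 1;   // no bundle on this host; the caller decides how to fail
    }
}
```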
Load AWS certificates from the provided directory and use them
for pkcs7 signature validation. If no directory is provided,
use the default hardcoded certificate.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
- add optional token parameter, which is required when
using temporary credentials
- add optional role parameter to fetch
temporary credentials
- make the route API param more fine-grained
Signed-off-by: Lev Stipakov <lev@openvpn.net>
* HostRetry, which is essentially a string vector, now
inherits directly from std::vector<std::string>
* WS::ClientSet doesn't need a crypto-grade RNG, so rename
rng to prng.
* WS::ClientSet almost always contains a single client
object, so use std::map instead of std::unordered_map
to contain it so as to reduce overhead.
Signed-off-by: James Yonan <james@openvpn.net>
Created a lightweight abstraction layer so that another i/o
reactor can be dropped in place of asio.
This commit includes:
* Added ASIO=1 to many "go" scripts that require asio
* Renamed "asio::" to "openvpn_io::".
Signed-off-by: James Yonan <james@openvpn.net>