When correcting conversion issues in RouteBase, a to_string bug was
introduced which caused some characters to be escaped when inserted
into the string; for example, a prefix_len of 0 would render as "\0"
rather than inserting '0'. The std::ios::binary flag does not seem
to prevent this for std::ostringstream so I have cast the data member
up to uint16_t which should be safe, and solves the issue.
Added a unit test to demonstrate the issue. Old code output was
"0.0.0.0/\0", now outputs "0.0.0.0/0" as expected.
Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
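The defect described in the commit message above, reproduced as an added example (this is illustration code, not the RouteBase code from the repository). A std::uint8_t is an alias of unsigned char, so operator<< on an ostringstream formats it as a character rather than a number; the first function shows that, the other two show the widening cast the commit uses and the unary-plus promotion idiom. The function and parameter names are assumptions for the example.

```cpp
#include <cstdint>
#include <sstream>
#include <string>

// Renders "addr/prefix_len" the way the buggy to_string did: prefix_len is a
// std::uint8_t, i.e. an unsigned char, so operator<< writes the byte itself
// (0 becomes NUL, 24 becomes 0x18) instead of its decimal representation.
std::string route_to_string_buggy(const std::string& addr, std::uint8_t prefix_len)
{
    std::ostringstream os;
    os << addr << '/' << prefix_len;
    return os.str();
}

// Fixed form: widen to a wider integer type first so the number is formatted
// in decimal. std::ios::binary has no effect here; it only matters for file streams.
std::string route_to_string_fixed(const std::string& addr, std::uint8_t prefix_len)
{
    std::ostringstream os;
    os << addr << '/' << static_cast<std::uint16_t>(prefix_len);
    return os.str();
}

// Unary plus is the other common idiom: integral promotion turns the
// unsigned char into an int before it reaches the stream.
std::string route_to_string_promoted(const std::string& addr, std::uint8_t prefix_len)
{
    std::ostringstream os;
    os << addr << '/' << +prefix_len;
    return os.str();
}

// True if the rendered route carries an embedded NUL, which any C-string
// consumer (logging, kernel route APIs) would silently truncate at.
bool contains_nul(const std::string& s)
{
    return s.find('\0') != std::string::npos;
}
```

The embedded-NUL check is the practical reason this matters: "0.0.0.0/\0" passed to anything that takes a C string becomes "0.0.0.0/", which is no longer a parsable route.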
ERR_INVALID_OPTION_DNS -- invalid value for some of the DNS\Domain options
ERR_INVALID_OPTION_CRYPTO -- invalid value for some of the SSL\Crypto options
ERR_INVALID_CONFIG -- missing option or not supported option
ERR_INVALID_OPTION_PUSHED -- pushed to server option error
ERR_INVALID_OPTION_VAL -- invalid value for some general option
Signed-off-by: Illia Polishchuk <illia.polishchuk@openvpn.com>
Currently we error out on the first unsupported
option which belongs to the "fatal" category, such as
"removed deprecated option" or "Option allowed only to
be pushed by the server".
To improve user experience and allow application code
to display all problematic options and their categories,
collect options into a category->options map and then
serialize it into a multiline string:
cat1: opt1,opt2
cat2: opt3
Introduce a new error code UNUSED_OPTIONS, which is
placed into ClientAPI::Status::status. The serialized
options map is placed into ClientAPI::Status::message.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
- Add notes regarding some unexpected behaviors in sslctx
- Add unit tests specifically for sslctx, including simple in-memory
handshaking with both success and failure examples.
Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
Out of all the suggestions by Coverity I picked
the ones that move non-Ptr objects into variables
or attributes.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
If we get a valid but almost empty PKCS7 structure we otherwise try
to access invalid fields.
CVE: CVE-2023-6247
Reported-by: Bahaa Naamneh <bahaa.cpl@gmail.com>
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Some systems like to see the mapped IPv4 addresses as real IP addresses.
This commit adds the ability to show IP addresses as such.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
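The mapped-address check behind the commit above, as an added example that is not the project's own code. An IPv4-mapped IPv6 address (RFC 4291, section 2.5.5.2) is ::ffff:a.b.c.d: 80 zero bits, 16 one bits, then the IPv4 address in the low 32 bits. The example works on the raw 16-byte form so it needs no IPv6 text parser; the type and function names are assumptions, and the two sample addresses are constructed for the test.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <optional>
#include <string>

using in6_bytes = std::array<std::uint8_t, 16>;

// ::ffff:0:0/96 prefix check: bytes 0..9 zero, bytes 10..11 0xff.
bool is_v4_mapped(const in6_bytes& a)
{
    for (std::size_t i = 0; i < 10; ++i)
        if (a[i] != 0) return false;
    return a[10] == 0xff && a[11] == 0xff;
}

// Renders the embedded IPv4 address in dotted-quad form, or nothing if the
// address is not mapped. The deprecated IPv4-compatible form (::a.b.c.d) is
// deliberately not treated as IPv4.
std::optional<std::string> mapped_ipv4_to_string(const in6_bytes& a)
{
    if (!is_v4_mapped(a)) return std::nullopt;
    return std::to_string(a[12]) + '.' + std::to_string(a[13]) + '.'
         + std::to_string(a[14]) + '.' + std::to_string(a[15]);
}

// Constructed sample: ::ffff:192.0.2.1 as raw bytes.
in6_bytes sample_mapped() { return {{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 192, 0, 2, 1}}; }

// Constructed sample: 2001:db8::1, a native IPv6 address.
in6_bytes sample_native() { return {{0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1}}; }
```

The security-relevant caveat: any access control that matches on the IPv4 form (for example allowing 127.0.0.1) must be applied to the unmapped address too, otherwise ::ffff:127.0.0.1 arriving on a dual-stack socket is not recognised as loopback.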
This adds the capability to implement a custom app level protocol
that supports message passing over the OpenVPN control channel.
The protocol is agnostic to the data that is transported over it
and the message splitting/reassembly is handled transparently by the
OpenVPN library itself.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
It was only supported by mbedTLS and is very easily used wrong since it
is just a boolean value. Other TLS stacks were using the regular strength
PRNG no matter what. Also we should not weaken a crypto strength PRNG,
now that we have the StrongRandomAPI type in place. It might give the
wrong sense of strength, when in reality we might reseed a hundred times
less often.
In places where prng was passed as true before, use MTRand now instead.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Since session ids should always be truly random require a
cryptographically strong random number generator.
Since all places in the code (besides tests) already pass a strong
random source, this is just a formality.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
The need to call the assert_crypto() member function, to ensure
that a cryptographically strong RNG is used where needed, was reported
as potentially insecure, since calling it manually can easily be missed.
In the commit the two new classes StrongRandomAPI and WeakRandomAPI are
introduced. They are to be used instead of just RandomAPI, unless it
doesn't matter what strength the RNG is.
All the places the assert_crypto() was called were converted to using
StrongRandomAPI instead. Also the RNGs for which assert_crypto() was not
throwing are now inheriting from StrongRandomAPI.
Variable names, which have the StrongRandomAPI type, but were called
prng, are changed to rng instead to follow the source code convention.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Fixed one issue while at it, with parse() not clearing
the username and password arguments.
The general issue that overflow doesn't throw is reflected in
a disabled test. This will need to be fixed in SplitLines,
probably.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Also, while this is a very rare option to be used today, as it was for compatibility
with OpenVPN 1.x, we should still not error out when it is present.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
-- Instantiate the PsidCookieImpl and spot check its correctness
-- Check for client replies within and outside of the allowable time
window
Signed-off-by: Mark Deric <jmark@openvpn.net>
Instead of magic constant say what we want to say.
So that randrange also produces the correct output
type.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
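An added example for the StrongRandomAPI/WeakRandomAPI split described in the three RNG commits above, and for the typed randrange mentioned in the commit just above it. This is illustration code, not the OpenVPN 3 classes: it shows how putting the strength in the type makes a weak generator unusable where a strong one is required, checked by the compiler instead of by a runtime assert_crypto() call. Assumptions: the class and function names are invented for the example, and std::random_device is treated as a CSPRNG (true with glibc/libstdc++ on Linux, not guaranteed by the C++ standard).

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <random>
#include <stdexcept>
#include <type_traits>
#include <vector>

// Base: any source of random bytes.
class RandomAPI {
public:
    virtual ~RandomAPI() = default;
    virtual void rand_bytes(std::uint8_t* buf, std::size_t len) = 0;
};

// Marker types. A function that needs unpredictability takes StrongRandomAPI&,
// so a WeakRandomAPI implementation can never be passed to it by accident.
class StrongRandomAPI : public RandomAPI {};
class WeakRandomAPI : public RandomAPI {};

// Strong generator backed by std::random_device (assumed to be a CSPRNG here).
class DevRandom : public StrongRandomAPI {
public:
    void rand_bytes(std::uint8_t* buf, std::size_t len) override {
        for (std::size_t i = 0; i < len; ++i) buf[i] = static_cast<std::uint8_t>(rd_());
    }
private:
    std::random_device rd_;
};

// Weak generator: Mersenne Twister, fine for jitter and backoff, never for keys or ids.
class MTRand : public WeakRandomAPI {
public:
    explicit MTRand(std::uint64_t seed) : mt_(seed) {}
    void rand_bytes(std::uint8_t* buf, std::size_t len) override {
        for (std::size_t i = 0; i < len; ++i) buf[i] = static_cast<std::uint8_t>(mt_());
    }
private:
    std::mt19937_64 mt_;
};

// Compile-time proof of the point: MTRand does not satisfy StrongRandomAPI.
static_assert(!std::is_convertible<MTRand*, StrongRandomAPI*>::value, "weak RNG must not be accepted as strong");
static_assert(std::is_convertible<DevRandom*, StrongRandomAPI*>::value, "strong RNG is accepted");

// Session ids must be unpredictable, so the parameter type is StrongRandomAPI&.
std::vector<std::uint8_t> make_session_id(StrongRandomAPI& rng)
{
    std::vector<std::uint8_t> id(8);
    rng.rand_bytes(id.data(), id.size());
    return id;
}

// Uniform value of the caller's type T in [0, end), using rejection sampling so the
// result is unbiased. Strength is the caller's choice, so any RandomAPI is accepted.
template <typename T>
T randrange(RandomAPI& rng, T end)
{
    static_assert(std::is_unsigned<T>::value, "randrange expects an unsigned type");
    if (end == 0) throw std::invalid_argument("randrange: end must be > 0");
    constexpr T maxv = std::numeric_limits<T>::max();
    // Number of values of T is maxv + 1; reject the top (maxv + 1) mod end values.
    const T reject = static_cast<T>((maxv % end + 1) % end);
    const T last_ok = static_cast<T>(maxv - reject);
    T r;
    do {
        rng.rand_bytes(reinterpret_cast<std::uint8_t*>(&r), sizeof(r));
    } while (r > last_ok);
    return static_cast<T>(r % end);
}
```

Returning T rather than a fixed width is what the randrange commit is after: the caller gets a std::uint8_t or std::uint32_t back without a narrowing conversion at the call site. The rejection step is what keeps the result uniform; a plain modulo biases small end values toward the low residues.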
The psid cookie defense is designed to thwart resource exhaustion and
amplification attacks wherein a malicious client sends the server a
flood of CONTROL_HARD_RESET_CLIENT_V2 packets with spoofed source
addresses. This patch allows the server to defer client tracking
state creation until the client responds to the server's
CONTROL_HARD_RESET_SERVER_V2 message.
Signed-off-by: Mark Deric <jmark@openvpn.net>
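A model of the stateless cookie exchange described above, added here as an example; it is not the PsidCookieImpl from the repository and simplifies the real handshake. The server derives the session id it sends in CONTROL_HARD_RESET_SERVER_V2 from a keyed hash over the client's source address and the current time slot, stores nothing, and only creates tracking state when the client echoes a cookie that verifies for the current or previous slot. SipHash-2-4 is used as the keyed function because it fits the 8-byte session id; the class and method names, the slot scheme and the sample addresses are assumptions of the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

namespace {
inline std::uint64_t rotl64(std::uint64_t x, int b) { return (x << b) | (x >> (64 - b)); }
inline void sipround(std::uint64_t& v0, std::uint64_t& v1, std::uint64_t& v2, std::uint64_t& v3)
{
    v0 += v1; v1 = rotl64(v1, 13); v1 ^= v0; v0 = rotl64(v0, 32);
    v2 += v3; v3 = rotl64(v3, 16); v3 ^= v2;
    v0 += v3; v3 = rotl64(v3, 21); v3 ^= v0;
    v2 += v1; v1 = rotl64(v1, 17); v1 ^= v2; v2 = rotl64(v2, 32);
}
inline std::uint64_t load_le64(const std::uint8_t* p)
{
    std::uint64_t v = 0;
    for (int i = 7; i >= 0; --i) v = (v << 8) | p[i];
    return v;
}
}

// SipHash-2-4 (Aumasson and Bernstein), compact reimplementation for this example.
std::uint64_t siphash24(const std::uint8_t* in, std::size_t len, std::uint64_t k0, std::uint64_t k1)
{
    std::uint64_t v0 = 0x736f6d6570736575ULL ^ k0;
    std::uint64_t v1 = 0x646f72616e646f6dULL ^ k1;
    std::uint64_t v2 = 0x6c7967656e657261ULL ^ k0;
    std::uint64_t v3 = 0x7465646279746573ULL ^ k1;
    const std::uint8_t* end = in + (len & ~std::size_t(7));
    for (; in != end; in += 8) {
        const std::uint64_t m = load_le64(in);
        v3 ^= m; sipround(v0, v1, v2, v3); sipround(v0, v1, v2, v3); v0 ^= m;
    }
    std::uint64_t b = static_cast<std::uint64_t>(len) << 56;
    for (std::size_t i = 0; i < (len & 7); ++i) b |= static_cast<std::uint64_t>(in[i]) << (8 * i);
    v3 ^= b; sipround(v0, v1, v2, v3); sipround(v0, v1, v2, v3); v0 ^= b;
    v2 ^= 0xff;
    for (int i = 0; i < 4; ++i) sipround(v0, v1, v2, v3);
    return v0 ^ v1 ^ v2 ^ v3;
}

// Stateless cookie server. Keys are per-server secrets that should be rotated;
// slot_secs is the width of the acceptance window.
class PsidCookie {
public:
    PsidCookie(std::uint64_t k0, std::uint64_t k1, std::uint64_t slot_secs)
        : k0_(k0), k1_(k1), slot_secs_(slot_secs) {}

    // On CONTROL_HARD_RESET_CLIENT_V2 from `src` (address:port): the session id to
    // send back. No per-client state is allocated here.
    std::uint64_t issue(const std::string& src, std::uint64_t now) const
    {
        return tag(src, now / slot_secs_);
    }

    // When `src` replies echoing `psid`: accept only for the current or the
    // immediately previous slot, which bounds replay of a captured cookie. A
    // spoofed source never sees the cookie, so it cannot produce a valid reply.
    bool verify(const std::string& src, std::uint64_t psid, std::uint64_t now) const
    {
        const std::uint64_t slot = now / slot_secs_;
        if (psid == tag(src, slot)) return true;
        return slot > 0 && psid == tag(src, slot - 1);
    }

private:
    std::uint64_t tag(const std::string& src, std::uint64_t slot) const
    {
        std::vector<std::uint8_t> msg(src.begin(), src.end());
        for (int i = 0; i < 8; ++i) msg.push_back(static_cast<std::uint8_t>(slot >> (8 * i)));
        return siphash24(msg.data(), msg.size(), k0_, k1_);
    }
    std::uint64_t k0_, k1_, slot_secs_;
};
```

The test below also checks siphash24 against the published SipHash-2-4 vector for the key 00..0f and an empty message, so the keyed function can be trusted before the cookie logic is. In production the cookie comparison should be constant-time and the key rotated on a schedule that matches the slot width.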
Usually caused by the only use being in macros that do not
necessarily expand to code depending on the preprocessor
flags.
While here, convert existing work-arounds to [[maybe_unused]]
as well.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
PacketStream was originally used in the OpenVPN protocol
to segment a TCP stream into packets. Then we realized
it could perform the same function for the DNS protocol.
Now there are other protocols of interest (such as the
Vici protocol in Strongswan) that also use stream
segmentation, but use a different word size for the
stream length as represented on the wire protocol.
OpenVPN and DNS use a 16 bit word size, while Vici uses
a 32 bit word size. Both use network-endian encoding
of the word size.
So this patch makes the stream length word size a
template parameter.
Signed-off-by: James Yonan <james@openvpn.net>
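The stream segmenter with the length word size as a template parameter, as an added example (illustration code, not the PacketStream class from the repository). It reads a big-endian length prefix of sizeof(SizeT) bytes, handles frames split across reads and several frames in one read, and rejects announced lengths above a caller-supplied limit, which matters most once the word is 32 bits wide. Class, function and parameter names are assumptions; the payloads are constructed for the test.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <stdexcept>
#include <string>
#include <vector>

// Length-prefixed stream segmenter. SizeT is the on-wire length word:
// std::uint16_t for OpenVPN-over-TCP and DNS-over-TCP, std::uint32_t for VICI.
// The prefix is in network (big-endian) byte order in all three protocols.
template <typename SizeT>
class PacketStream {
public:
    // max_len bounds a single frame so a hostile peer cannot make us buffer
    // gigabytes by announcing a huge length.
    explicit PacketStream(std::size_t max_len) : max_len_(max_len) {}

    void feed(const std::uint8_t* data, std::size_t len)
    {
        buf_.insert(buf_.end(), data, data + len);
    }

    // Moves the next complete frame into `out`; returns false if more bytes are needed.
    bool next(std::vector<std::uint8_t>& out)
    {
        constexpr std::size_t hdr = sizeof(SizeT);
        if (buf_.size() < hdr) return false;
        std::size_t n = 0;
        for (std::size_t i = 0; i < hdr; ++i) n = (n << 8) | buf_[i];
        if (n > max_len_) throw std::length_error("frame length exceeds limit");
        if (buf_.size() < hdr + n) return false;
        const auto take = static_cast<std::ptrdiff_t>(hdr + n);
        out.assign(buf_.begin() + static_cast<std::ptrdiff_t>(hdr), buf_.begin() + take);
        buf_.erase(buf_.begin(), buf_.begin() + take);
        return true;
    }

private:
    std::vector<std::uint8_t> buf_;
    std::size_t max_len_;
};

// Sender side: prepend the big-endian length word of the chosen width.
template <typename SizeT>
std::vector<std::uint8_t> frame(const std::string& payload)
{
    if (payload.size() > std::numeric_limits<SizeT>::max())
        throw std::length_error("payload too large for length word");
    std::vector<std::uint8_t> out;
    for (std::size_t i = sizeof(SizeT); i-- > 0;)
        out.push_back(static_cast<std::uint8_t>(payload.size() >> (8 * i)));
    out.insert(out.end(), payload.begin(), payload.end());
    return out;
}

std::string to_str(const std::vector<std::uint8_t>& v)
{
    return std::string(v.begin(), v.end());
}
```

Note that a 16-bit reader fed 32-bit frames does not fail loudly: the two leading zero bytes parse as an empty frame and the rest resyncs by accident, which is exactly why the word size belongs in the type rather than in a runtime flag.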
On some systems, probably depending on the glibc version,
the ipv6 address will be truncated in the output.
Currently affects only Fedora 38.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
At the moment meta options are parsed only from
content. This doesn't work well with iOS where
config is imported via content_list. The config might
contain meta options, which currently won't be
recognized as meta and connection won't be established
due to "unknown option" error.
This adds meta options parsing to content_list.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
The name Config is very generic and often leads to confusion which
class in particular is used in a given context. Rename Config to
ProtoConfig to give some more clue about the context.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This might have been used or intended to be used for more than compression
but currently it is only used for compression, so rename it accordingly.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
- Used static_cast instead of direct type conversions in places where
it's safe
- Used numeric_cast where failure is possible
- Changed types of arguments and locals when practical
Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
The undefined behavior is unary negation of T:min of a signed type
attempting to get a positive value of the same signed type.
This commit adds a unit test that exposes the original bug and well as
a fix for it.
Signed-off-by: Mark Deric <jmark@openvpn.net>
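An added example covering the two commits above: a checked numeric_cast that throws where a conversion would wrap or flip sign, and an absolute-value helper that avoids the undefined negation of the minimum signed value by negating in the unsigned domain. This is illustration code, not the helpers in the repository; the function names are assumptions.

```cpp
#include <cstdint>
#include <limits>
#include <stdexcept>
#include <type_traits>

// Checked integer conversion: throws instead of silently truncating or
// turning a negative into a huge unsigned value.
template <typename To, typename From>
To numeric_cast(From v)
{
    static_assert(std::is_integral<To>::value && std::is_integral<From>::value, "integral types only");
    using ToLim = std::numeric_limits<To>;
    if constexpr (std::is_signed<From>::value && !std::is_signed<To>::value) {
        // signed -> unsigned: reject negatives, then compare magnitudes as unsigned
        if (v < 0) throw std::range_error("negative value to unsigned type");
        if (static_cast<typename std::make_unsigned<From>::type>(v) > ToLim::max())
            throw std::range_error("value too large for target type");
    } else if constexpr (!std::is_signed<From>::value && std::is_signed<To>::value) {
        // unsigned -> signed: only the upper bound can be violated
        if (v > static_cast<typename std::make_unsigned<To>::type>(ToLim::max()))
            throw std::range_error("value too large for target type");
    } else {
        // same signedness: both bounds are directly comparable
        if (v < ToLim::min() || v > ToLim::max())
            throw std::range_error("value out of range for target type");
    }
    return static_cast<To>(v);
}

// Magnitude of a signed integer as the matching unsigned type. Writing -v for
// v == numeric_limits<T>::min() is undefined behaviour because the result does
// not fit in T; subtracting in the unsigned domain is defined and yields 2^(N-1).
template <typename T>
typename std::make_unsigned<T>::type unsigned_abs(T v)
{
    static_assert(std::is_signed<T>::value, "unsigned_abs expects a signed type");
    using U = typename std::make_unsigned<T>::type;
    const U u = static_cast<U>(v);   // value modulo 2^N, always well-defined
    return v < 0 ? static_cast<U>(U(0) - u) : u;
}
```

The unit test the commit mentions is the interesting one: feed numeric_limits<T>::min() in, expect exactly 2^(N-1) out, and run it under UBSan so the naive -v version fails loudly rather than "working" by accident on one compiler.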
This fixes deprecation warnings with latest CMake.
("Compatibility with CMake < 3.5 will be removed
from a future version of CMake.")
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Earlier implementations just assumed that --client mode is always
present in the config, which led to the config behaving differently in
OpenVPN 2.x and 3.x. This creates hard-to-debug corner cases.
Additionally, OpenVPN 3.x was not parsing the tls-client and pull
options. This led to OpenVPN 3.x erroring on a perfectly legal
config with --pull in it.
Note the original patch was by Merten Fermont <merten.fermont@gmail.com>
but his patch got mangled in the email and when I started to apply
it manually I instead wrote my own version of it since we need
unit tests anyway.
This makes this option have the same style as the other options in
the client config to ensure consistency
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The current passing of client options is very confusing since it is
three classes that largely have the same attributes and the code is
copying them around between the classes.
Instead create a new base class that holds the settings that can be shared
between the classes and only parse/copy the settings that need special
handling. This might keep an extra copy of some settings around but in
contrast greatly reduces the code complexity of the options handling.
Also move the check_dco_compatibility function to client options to
be able to avoid carrying around the dco_compatiblity flag.
Signed-off-by: Arne Schwabe <arne@openvpn.net>