With OpenSSL3, these algorithms are no longer allowed. With this change
we do the same regardless of the crypto library. Note that in contrast
to OpenSSL3, we include here 3DES into the legacy algorithms.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
We already load the certificates from the config and need the SSL
library context initialised there to allow loading of keys encrypted
with legacy algorithms. Also ensure that enable legacy provider is
set before actually attempting to load the private keys.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
- Test for CAP_NET_ADMIN instead of root.
This correctly skips the test if you're root but have
dropped capabilities, e.g. inside docker.
- Fix TestSetMTU to correctly ignore any additional lines
in the output.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
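The capability check in the commit message above can be done by reading the effective capability mask from /proc/self/status rather than comparing the uid to 0. The following is an added example, not the project's test code: it parses a CapEff line and tests bit 12 (CAP_NET_ADMIN in linux/capability.h). The sample status text in the comments is constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <fstream>
#include <sstream>
#include <string>

// Bit index of CAP_NET_ADMIN in the Linux capability bitmap
// (value from linux/capability.h).
constexpr int CAP_NET_ADMIN_BIT = 12;

// Extract the effective capability mask from the text of /proc/self/status.
// A constructed line looks like "CapEff:\t0000003fffffffff".
// Returns 0 when no CapEff line is present (e.g. on a non-Linux system).
uint64_t parse_cap_eff(const std::string& status_text)
{
    std::istringstream in(status_text);
    std::string line;
    while (std::getline(in, line)) {
        if (line.rfind("CapEff:", 0) == 0) {          // line starts with "CapEff:"
            std::string hex = line.substr(7);
            const size_t start = hex.find_first_not_of(" \t");
            if (start == std::string::npos)
                return 0;
            return std::stoull(hex.substr(start), nullptr, 16);
        }
    }
    return 0;
}

// True when CAP_NET_ADMIN is in the effective set. Root inside a container
// that dropped this capability correctly yields false here.
bool has_cap_net_admin(uint64_t cap_eff)
{
    return (cap_eff >> CAP_NET_ADMIN_BIT) & 1ULL;
}

// Read the real status file; returns an empty string when it is unavailable.
std::string read_self_status()
{
    std::ifstream f("/proc/self/status");
    std::stringstream ss;
    ss << f.rdbuf();
    return ss.str();
}

int main()
{
    const uint64_t caps = parse_cap_eff(read_self_status());
    if (!has_cap_net_admin(caps)) {
        std::printf("SKIP: CAP_NET_ADMIN not in effective set (CapEff=%llx)\n",
                    static_cast<unsigned long long>(caps));
        return 0;
    }
    std::printf("CAP_NET_ADMIN present, network-configuration tests can run\n");
    return 0;
}
```

The check reads the effective set (CapEff), not the permitted or bounding set, because that is what the kernel consults when the test actually configures an interface.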
This changes the static delete_ call that always gets called with
the same arguments to be just a normal member function.
GCC11 with address sanitizer otherwise complains that the destructor
might do a memset that writes to unallocated memory.
The Option class is lacking a way to take a std::vector of option values
and append those values to an option.
This is needed when importing an already pre-parsed configuration profile
into an OptionList object.
Signed-off-by: David Sommerseth <davids@openvpn.net>
This also makes most of them non-static to avoid the problem that these
functions depend on Initprocess::Init being instantiated before being
called.
Rename the local variables eval to eval_cfg to avoid shadowing the
class field of the same name.
Control packets are retransmitted if ACK hasn't been
received within a certain time. This often happens with PUSH_REQUEST,
since it might take a while for the client to set up tun device and routing.
In this case client doesn't send ACK fast enough and server retransmits.
When using tls-auth (like in case of CloudVPN), most control packets
contain "packet-id" field. On retransmit, openvpn3 doesn't increment
packet-id value, unlike openvpn2. This triggers high verbosity replay
protection warnings in openvpn2 clients. Openvpn3 client also generates
replay errors, but they're only dumped to log at the end of session.
Fix by storing unencapsulated packets in send reliability object and
do encapsulation on send and retransmit. This way packet-id will
be incremented on retransmit and no replay errors will occur on the
client side.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
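The failure mode described above (a retransmitted control packet reusing its packet-id and tripping the peer's replay protection) can be modelled in a few dozen lines. This is an added example and not OpenVPN 3's reliability or tls-auth code: the Encapsulator, ReplayFilter and the two Reliability classes are hypothetical, the replay filter is a simplified strictly-increasing check rather than a real sliding window, and the "PUSH_REQUEST" payload is a constructed sample.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Minimal model of a control-channel packet as sent on the wire:
// the per-packet sequence number ("packet-id") plus the payload.
struct WirePacket {
    uint32_t packet_id;
    std::string payload;
};

// Sender-side encapsulation: every call consumes a fresh packet-id.
class Encapsulator {
public:
    WirePacket encapsulate(const std::string& payload) { return WirePacket{ next_id_++, payload }; }
private:
    uint32_t next_id_ = 1;
};

// Receiver-side replay protection, simplified: a packet-id that is not
// strictly greater than the highest one seen so far is treated as a replay.
class ReplayFilter {
public:
    bool accept(const WirePacket& p) {
        if (p.packet_id <= highest_)
            return false;           // replay: same or older packet-id
        highest_ = p.packet_id;
        return true;
    }
private:
    uint32_t highest_ = 0;
};

// Reliability layer as described before the fix: it stores the already
// encapsulated packet, so a retransmit resends the identical packet-id.
class ReliabilityPreEncapsulated {
public:
    explicit ReliabilityPreEncapsulated(Encapsulator& e) : enc_(e) {}
    WirePacket send(const std::string& payload) { pending_ = enc_.encapsulate(payload); return pending_; }
    WirePacket retransmit() { return pending_; }
private:
    Encapsulator& enc_;
    WirePacket pending_{};
};

// Reliability layer as described after the fix: it stores the raw payload
// and encapsulates on every send, so each retransmit gets a new packet-id.
class ReliabilityFixed {
public:
    explicit ReliabilityFixed(Encapsulator& e) : enc_(e) {}
    WirePacket send(const std::string& payload) { pending_ = payload; return enc_.encapsulate(pending_); }
    WirePacket retransmit() { return enc_.encapsulate(pending_); }
private:
    Encapsulator& enc_;
    std::string pending_;
};

// Simulate a PUSH_REQUEST whose ACK arrives too late: the original is
// delivered, then retransmitted once. Returns how many packets the
// receiver flagged as replays.
template <class Reliability>
int count_replay_rejections()
{
    Encapsulator enc;
    Reliability rel(enc);
    ReplayFilter filter;
    int rejected = 0;
    if (!filter.accept(rel.send("PUSH_REQUEST")))
        ++rejected;
    if (!filter.accept(rel.retransmit()))   // ACK did not arrive in time
        ++rejected;
    return rejected;
}

int replays_with_pre_encapsulated() { return count_replay_rejections<ReliabilityPreEncapsulated>(); }
int replays_with_fix()              { return count_replay_rejections<ReliabilityFixed>(); }

int main()
{
    std::printf("pre-encapsulated store: %d replay rejection(s)\n", replays_with_pre_encapsulated());
    std::printf("encapsulate on send:    %d replay rejection(s)\n", replays_with_fix());
    return 0;
}
```

The point the model makes explicit is that the reliability layer's job is to redeliver a message, not a specific wire packet; any per-transmission state such as a packet-id has to be assigned at transmission time, otherwise a legitimate retransmit is indistinguishable from a replay to the peer.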
The compat function had a logic error (inverted condition) and
the size we gave to the function was only 8 (size of a size_t) instead
of the size of the array. Use a std::array for the buffer to also have
a better size function than sizeof.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This change replaces the boolean add_bypass_routes with a new
flags parameter -- set the TunConfigFlags::ADD_BYPASS_ROUTES
flag to achieve the same functionality.
We also add some new flags for finer-grained control over
actions taken by tun_config:
* TunConfigFlags::DISABLE_IFACE_UP -- disable bringing the interface up
* TunConfigFlags::DISABLE_REROUTE_GW -- disable redirect-gateway
Signed-off-by: James Yonan <james@openvpn.net>
Added SetUserGroupRetainCap, which inherits from SetUserGroup,
and allows a privilege downgrade to retain one or more
Linux Capabilities.
Signed-off-by: James Yonan <james@openvpn.net>
cli -Z <file> is used by automated test scripts to write the
SSO URL to a file rather than launch a browser with the URL.
Recently this behavior changed on Linux where -Z now both
writes the URL to a file and also launches a browser with
the URL. This patch reverts behavior back to only writing
the file.
Signed-off-by: James Yonan <james@openvpn.net>
TunIO only requires a Frame::Context, not an entire frame
object (which is an array of Frame::Context objects).
Signed-off-by: James Yonan <james@openvpn.net>
The return value of cipher_type() is an allocated object,
therefore it needs to be held by a CIPHER_unique_ptr so
that it is properly freed.
Suggested-by: Arne Schwabe <arne@openvpn.net>
Signed-off-by: James Yonan <james@openvpn.net>
In commit 0baa4f19eb the features.h file was added to the include
list. This breaks builds on non-Linux platforms. But it seems it is not
needed to see the __GLIBC__ macro.
Signed-off-by: David Sommerseth <davids@openvpn.net>
The OpenVPN 3 Linux project uses the OpenVPN 3 based OpenSSL API in one
of its unit tests. This revealed a couple of missing #include files in
the OpenSSL < 3.0 compat layer.
All testing was done on RHEL-8.5 with openssl-1.1.1k-4.el8.
Signed-off-by: David Sommerseth <davids@openvpn.net>
This commit will build with ASAN when the environment variable ASAN=1.
Building with ASAN:
- Add "-fsanitize=address" to enable ASAN checks
- Add "-ggdb3" for higher-fidelity stack traces
- Add "-fno-omit-frame-pointer" to maintain fp info on call stacks
If both ASAN=1 and VAL=1, ASAN takes precedence.
Signed-off-by: Jeff Lucovsky <jeff.lucovsky@openvpn.net>
The commit "tunbuilder: Fix inverted family block/allow logic"
(commit 5ba7fc1671) is incomplete without this additional
patch.
Signed-off-by: James Yonan <james@openvpn.net>
Otherwise ExternalProject_add defaults to "master"
which not only was a changing target but now it
doesn't even exist anymore since they renamed it to
"main".
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
When compiling this code using the musl libc instead of glibc, it fails
with this error:
./openvpn3-core/openvpn/common/endian64.hpp: In function 'uint64_t openvpn::Endian::rev64(uint64_t)':
./openvpn3-core/openvpn/common/endian64.hpp:53:14: error: '__bswap_constant_64' was not declared in this scope
53 | return __bswap_constant_64(value);
| ^~~~~~~~~~~~~~~~~~~
The __bswap_constant_64() is a function provided by the glibc library
and is not available in all other libc implementations. To avoid this,
we fallback to the same solution used for Clang, which builds fine. But
to avoid missing a match on the MINGW32 or MSC environments, the #if
condition checks are slightly reordered.
Signed-off-by: David Sommerseth <davids@openvpn.net>
The #if conditional needs to check macros using defined(), otherwise the
behaviour is not ending up with the expected code. In most compilers
these sections will never match.
Signed-off-by: David Sommerseth <davids@openvpn.net>
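The two commit messages above (the musl build failure of rev64() and the defined() checks) both come down to selecting a compiler intrinsic portably. The following is an added example, not the project's endian64.hpp: it names the compiler with defined() tests, uses only intrinsics that exist on each compiler (__builtin_bswap64 on gcc and clang, _byteswap_uint64 on MSVC), and keeps a pure shift-and-mask fallback that needs no libc helper at all. The function names rev64, rev64_portable and rev64_backend are this example's own.

```cpp
#include <cstdint>
#include <cstdlib>   // _byteswap_uint64 on MSVC; harmless elsewhere

// Byte swap that depends on nothing but the language: it works with any
// compiler and any libc, so it never needs glibc's __bswap_constant_64.
inline uint64_t rev64_portable(uint64_t v)
{
    return ((v & 0x00000000000000FFULL) << 56) |
           ((v & 0x000000000000FF00ULL) << 40) |
           ((v & 0x0000000000FF0000ULL) << 24) |
           ((v & 0x00000000FF000000ULL) << 8)  |
           ((v & 0x000000FF00000000ULL) >> 8)  |
           ((v & 0x0000FF0000000000ULL) >> 24) |
           ((v & 0x00FF000000000000ULL) >> 40) |
           ((v & 0xFF00000000000000ULL) >> 56);
}

// Compiler-selected fast path. Every branch is guarded with defined():
// '#if SOME_MACRO' silently evaluates to 0 when the macro is undefined and
// is a preprocessor error when the macro is defined but empty, so a branch
// written that way may never be taken on any compiler. The MSVC test comes
// first so that a MinGW or clang-cl environment that also defines _MSC_VER
// is not accidentally matched by the gcc/clang branch.
inline uint64_t rev64(uint64_t v)
{
#if defined(_MSC_VER)
    return _byteswap_uint64(v);
#elif defined(__clang__) || defined(__GNUC__)
    return __builtin_bswap64(v);
#else
    return rev64_portable(v);
#endif
}

// Reports which branch the preprocessor chose, so the selection can be
// verified at runtime on a new platform instead of being assumed.
inline const char* rev64_backend()
{
#if defined(_MSC_VER)
    return "msvc";
#elif defined(__clang__) || defined(__GNUC__)
    return "gcc-or-clang";
#else
    return "portable";
#endif
}
```

Whatever branch is compiled, rev64() and rev64_portable() must agree on every input; checking that equality in the project's unit tests is what catches a wrong or never-taken preprocessor branch before it reaches a platform such as musl.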
We have a ton of legacy configurations that have no --cipher directive
and still use. Without this patch, the connection will fail when
calculating the OCC string. By hardcoding the values for BF-CBC we
can skip initialising the BF-CBC at this point. Almost all modern
OpenVPN servers should push AES-256-GCM or another stronger cipher. If
the server does not push a cipher we will fail later with
Client exception in transport_recv: crypto_alg: BF-CBC: bad cipher for data channel use
Signed-off-by: Arne Schwabe <arne@openvpn.net>
With OpenSSL 3.0 the name with MD5 no longer makes sense as it affects
not only MD5 but also SHA1 and a number of other settings. So replace the
define with a more fitting name.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
When running with the old FIPS mode in OpenSSL 1.0.2 and the Red Hat
patched OpenSSL 1.1.1 RHEL8 we need to check if the ciphers are actually
usable. Otherwise we get nasty errors when trying to use them later.
Note that OpenSSL 1.0.2 will still fail when the server picks
the OpenVPN PRF as we do not have a FIPS compatible PRF function for
OpenSSL 1.0.2.
Signed-off-by: Arne Schwabe <arne@openvpn.net>