mirror of https://github.com/OpenVPN/openvpn3.git synced 2024-09-20 12:12:15 +02:00
Commit Graph

199 Commits

Author SHA1 Message Date
Mark Deric
22af472e8a
Improve names
-- disambiguate new_obj(): new_man_obj(), new_tun_obj
-- remove obfuscatory typedef <class> Base; use <class>
-- in servproto.hpp typedef ProtoContext::ProtoConfig to ProtoConfig
   since Arne's already disambiguated Config
-- disambiguate Link<>: TCPLink<>, UDPLink<>

Added TODO comment on unneeded version of control_net_recv()

Signed-off-by: Mark Deric <jmark@openvpn.net>
2023-10-11 18:49:23 +02:00
Mark Deric
989dd7ead5 Port the psid cookie defense from ovpn2
The psid cookie defense is designed to thwart resource exhaustion and
amplification attacks wherein a malicious client sends the server a
flood of CONTROL_HARD_RESET_CLIENT_V2 packets with spoofed source
addresses.  This patch allows the server to defer client tracking
state creation until the client responds to the server's
CONTROL_HARD_RESET_SERVER_V2 message.

Signed-off-by: Mark Deric <jmark@openvpn.net>
2023-10-03 12:42:29 -07:00
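The deferred-state idea in the commit above, as an added illustration that is not the project's code: the server answers a CONTROL_HARD_RESET_CLIENT_V2 with a server session id that is a keyed function of the client's source address, the client's session id and a coarse time slot, and creates tracking state only when that value comes back verified in the client's next packet. SipHash-2-4 stands in for the keyed function (the page does not say which MAC openvpn2 uses), and the names PsidCookieServer, Endpoint and the 30-second slot are assumptions of this example.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <map>
#include <string>
#include <vector>

using SessionId = std::array<uint8_t, 8>;

struct Endpoint {          // assumed representation of a UDP peer address
    std::string addr;
    uint16_t port;
};

static inline uint64_t rotl64(uint64_t x, int b) { return (x << b) | (x >> (64 - b)); }

// SipHash-2-4 (Aumasson/Bernstein): 128-bit key as k0/k1, 64-bit output.
static uint64_t siphash24(uint64_t k0, uint64_t k1, const uint8_t* in, size_t len) {
    uint64_t v0 = k0 ^ 0x736f6d6570736575ULL, v1 = k1 ^ 0x646f72616e646f6dULL;
    uint64_t v2 = k0 ^ 0x6c7967656e657261ULL, v3 = k1 ^ 0x7465646279746573ULL;
    auto round = [&] {
        v0 += v1; v1 = rotl64(v1, 13); v1 ^= v0; v0 = rotl64(v0, 32);
        v2 += v3; v3 = rotl64(v3, 16); v3 ^= v2;
        v0 += v3; v3 = rotl64(v3, 21); v3 ^= v0;
        v2 += v1; v1 = rotl64(v1, 17); v1 ^= v2; v2 = rotl64(v2, 32);
    };
    size_t i = 0;
    for (; i + 8 <= len; i += 8) {
        uint64_t m = 0;
        for (int j = 0; j < 8; ++j) m |= uint64_t(in[i + j]) << (8 * j);
        v3 ^= m; round(); round(); v0 ^= m;
    }
    uint64_t b = uint64_t(len & 0xff) << 56;            // final block carries the length
    for (int j = 0; i + j < len; ++j) b |= uint64_t(in[i + j]) << (8 * j);
    v3 ^= b; round(); round(); v0 ^= b;
    v2 ^= 0xff;
    round(); round(); round(); round();
    return v0 ^ v1 ^ v2 ^ v3;
}

// Constant-time compare: a byte-by-byte early exit would leak how much of a guess matched.
static bool ct_equal(const SessionId& a, const SessionId& b) {
    uint8_t d = 0;
    for (size_t i = 0; i < a.size(); ++i) d |= uint8_t(a[i] ^ b[i]);
    return d == 0;
}

class PsidCookieServer {
public:
    PsidCookieServer(uint64_t k0, uint64_t k1, uint64_t slot_seconds = 30)
        : k0_(k0), k1_(k1), slot_seconds_(slot_seconds) {}

    // Step 1: a HARD_RESET_CLIENT_V2 arrives. Return the server session id to send back in
    // HARD_RESET_SERVER_V2. Nothing is stored, so a spoofed flood costs CPU but no memory.
    SessionId on_hard_reset_client(const Endpoint& from, const SessionId& client_sid, uint64_t now) const {
        return make_cookie(from, client_sid, now / slot_seconds_);
    }

    // Step 2: the client's next control packet echoes our session id. Only a peer that really
    // received the reply at that address can know it. The current and previous slot are both
    // accepted so an honest client is not rejected at a slot boundary.
    bool on_client_response(const Endpoint& from, const SessionId& client_sid,
                            const SessionId& echoed_server_sid, uint64_t now) {
        const uint64_t slot = now / slot_seconds_;
        for (uint64_t s : {slot, slot - 1}) {
            if (ct_equal(make_cookie(from, client_sid, s), echoed_server_sid)) {
                sessions_[from.addr + ":" + std::to_string(from.port)] = client_sid;  // state created only now
                return true;
            }
        }
        return false;
    }

    size_t tracked() const { return sessions_.size(); }

private:
    SessionId make_cookie(const Endpoint& from, const SessionId& client_sid, uint64_t slot) const {
        std::vector<uint8_t> msg(from.addr.begin(), from.addr.end());
        msg.push_back(uint8_t(from.port >> 8));
        msg.push_back(uint8_t(from.port));
        msg.insert(msg.end(), client_sid.begin(), client_sid.end());
        for (int i = 0; i < 8; ++i) msg.push_back(uint8_t(slot >> (8 * i)));
        const uint64_t h = siphash24(k0_, k1_, msg.data(), msg.size());
        SessionId out{};
        for (int i = 0; i < 8; ++i) out[i] = uint8_t(h >> (8 * i));
        return out;
    }

    uint64_t k0_, k1_, slot_seconds_;
    std::map<std::string, SessionId> sessions_;
};
```

The cookie only proves that the responder can receive packets at the claimed address; it says nothing about who the client is, so the TLS handshake and its authentication still run unchanged after state is created. The secret key must be random per server start, and rotating it invalidates outstanding cookies, which is harmless because an honest client simply retransmits its reset.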
Frank Lichtenheld
8f7fdd10ff
Use openvpn_io::detail::socket_type instead of "int"
On Linux those might be identical, but not on Windows.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
2023-09-28 11:33:41 +02:00
Frank Lichtenheld
0ba4910509
Address warning C4101 (unreferenced local variable)
Usually caused by the only use being in macros that do not
necessarily expand to code depending on the preprocessor
flags.

While here, convert existing work-arounds to [[maybe_unused]]
as well.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
2023-09-28 11:33:35 +02:00
James Yonan
36f8122389 PacketStream: templatize stream segment length word
PacketStream was originally used in the OpenVPN protocol
to segment a TCP stream into packets.  Then we realized
it could perform the same function for the DNS protocol.
Now there are other protocols of interest (such as the
Vici protocol in Strongswan) that also use stream
segmentation, but use a different word size for the
stream length as represented on the wire protocol.
OpenVPN and DNS use a 16 bit word size, while Vici uses
a 32 bit word size.  Both use network-endian encoding
of the word size.

So this patch makes the stream length word size a
template parameter.

Signed-off-by: James Yonan <james@openvpn.net>
2023-09-17 10:08:36 -06:00
Charlie Vigue
ae663c573a
Using new numeric conversion tools
Using is_safe_conversion in places where it is a better fit than
numeric_cast.

Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
2023-08-23 18:44:29 +02:00
Charlie Vigue
b6b8282d33 Addressed 2nd set of -Wconversion warnings
- Used static_cast instead of direct type conversions in places where
it's safe
- Used numeric_cast where failure is possible
- Changed types of arguments and locals when practical

Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
2023-08-21 13:51:50 +00:00
Lev Stipakov
48863ace12
digestapi.hpp: pass libctx to digest api
Digest API calculates MD4/MD5 digests etc which
are deprecated. In order to use those one needs to
load OpenSSL legacy provider and EVP_MD_fetch() to
fetch digest implementation from all loaded providers.

EVP_MD_fetch() takes library context as an argument,
so we need to pass it there through the digest api stack.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2023-06-07 17:09:49 +02:00
Lev Stipakov
de01e278cc
Display configured family address for UDP and DCO
Instead of displaying resolved family address (v4/v6),
display the one which is configured - either in ovpn profile
or config override options.

This is already the case for TCP.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2023-05-10 18:22:59 +02:00
Lev Stipakov
f544e04df7
Bring back "allow local DNS resolvers" functionality
This was introduced in commit

  613aa6bf ("Win: support for local DNS resolvers")

but got removed by mistake in commit

  fd065596 ("Merge release of OpenVPN Core library 3.6.4 to master")

Besides, this never worked for DCO, so fix that too.

Fixes OVPN3-964.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2023-04-24 13:07:46 +02:00
David Sommerseth
dde1574596
Reformatting source code to new coding style
This is the result after running 'clang-format -i' on all C++ files and
headers, with the defined formatting rules in .clang-format.

Only the openvpn/common/unicode-impl.hpp has been excluded, as that is
mostly a copy of an external project.

Signed-off-by: David Sommerseth <davids@openvpn.net>
2023-01-18 19:24:15 +01:00
David Sommerseth
4996c38ed4
Merge latest changes from Core v3.7.2 2022-12-14 17:34:29 +01:00
Lev Stipakov
ae99307219
tun: add persist-tun support for dco-win
Add DcoTunPersist object to DCO::TunConfig.

DcoTunPersist stores:

 - device handle
 - tun settings
 - adapter index/name
 - pointer to TunSetup object, which itself
 stores commands to undo tun settings

When initializing client options, instantiate DcoTunPersist
object within the scope of ClientConfig, which serves as
transport and tun factory for dco. Indicate that "sock" object
(device handle) should be preserved - not replaced when persisting
tun settings.

When establishing dco-win connection in OvpnDcoWinClient,
either use tun_persist created above (if persistence is enabled)
or instantiate it in-place (no persistence).

If nothing is stored in tun_persist (means this is first
connection or reconnect without persistence), acquire device
handle from tun_setup, wrap it into ASIO's basic_stream_handle
and store it in OvpnDcoWinClient - no need to persist it yet.

When starting tun, check if persisted tun session matches
to-be-created session. If no - clear previous tun settings,
set up tun and persist tun state. If device handle is already
stored in tun_persist, it won't be replaced.

On tun stop, send DEL_PEER command, which deletes peer
from the driver but keeps adapter in connected state. Then
close locally stored ASIO handle and reset tun_persist.
In case of "short term persistence" this will undo tun settings
and close device handle. For long term persistence, tun_persist
is also stored in ClientConfig and handle won't be closed yet.

In case of disconnect, ClientConfig::finalize(disconnect=true)
is called, which resets tun_persist, which in turn
undoes tun settings and closes device handle.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2022-10-13 15:16:25 +02:00
David Sommerseth
8c94a8f774
copyright: Update to 2022
Signed-off-by: David Sommerseth <davids@openvpn.net>
2022-09-29 12:00:26 +02:00
Lev Stipakov
ac15879588 support for default mssfix
Add support for default mssfix, which is calculated
based on upper bound value 1492 minus payload and
encapsulation overhead.

Payload overhead includes:

 - compression byte (except for V2, which doesn't add overhead)
 - pktid (in CBC)
 - IPv4 and TCP headers

Encapsulation overhead:

 - crypto overhead (for AEAD 16 bytes auth tag, 4 bytes pktid, 4 bytes opcode/peer-id = 24)
 - 2 bytes packet size for TCP transport

Also for CBC we must take padding [1..blocksize] into account.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2022-05-04 18:15:07 +03:00
James Yonan
7baf7b5978 ManClientInstance, ServerProto::Session, TransportClientInstance::Recv: added ipma_notify() virtual method
Signed-off-by: James Yonan <james@openvpn.net>
2022-02-07 13:56:13 -07:00
Heiko Hund
98af6cc703 mark a couple of methods override instead of virtual
This is done to silence the inconsistent-missing-override warning, which
is new, since we introduced override into the files. I guess it is best
practice anyway, since C++11. So, no hard feelings.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-09-28 15:29:03 +02:00
Heiko Hund
0d32d45ab7 process pushed remote-cache-timeout option
Take option value if pushed for the next round of remote address
caching.

Since the push replies are processed in Session, we need to extend the
transport slightly to process pushed options. There was no need so far,
since transport options are used before the session starts. The remote
cache timeout is currently the only exception to this rule.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-09-28 15:29:03 +02:00
Lev Stipakov
fd0655969d
Merge release of OpenVPN Core library 3.6.4 to master 2021-09-22 13:56:37 +02:00
James Yonan
5231fa35ad
PacketStream: change message size validation logic to support growable buffers for DNS-over-TCP
In PacketStream, don't validate upper bound on message size
if BufferAllocated::GROW is set, allowing it to range up to
64kb.

Signed-off-by: James Yonan <james@openvpn.net>
2021-08-03 10:42:35 +02:00
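A stream segmenter in the spirit of the two PacketStream commits above (the templated length word in 36f8122389 and the GROW size handling in 5231fa35ad), written as an added example and not the project's own PacketStream. The length-word type is a template parameter: uint16_t gives the OpenVPN-over-TCP and DNS-over-TCP framing, uint32_t the Vici-style framing, and both read the word in network byte order. A declared size above max_message is rejected before any body bytes are accepted, unless grow is set, in which case the bound is lifted to kGrowCap; the 64 KiB cap, the class name and the grow flag are this example's assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <stdexcept>
#include <type_traits>
#include <vector>

template <typename SizeT>
class LengthPrefixedStream {
    static_assert(std::is_unsigned<SizeT>::value, "length word must be an unsigned integer");

public:
    static constexpr size_t kHeader = sizeof(SizeT);   // 2 for OpenVPN/DNS, 4 for Vici
    static constexpr size_t kGrowCap = 65536;          // assumed cap for growable buffers

    explicit LengthPrefixedStream(size_t max_message, bool grow = false)
        : limit_(grow ? kGrowCap : max_message) {}

    // Append raw bytes as they arrive from the socket; messages may be split across reads.
    void feed(const uint8_t* data, size_t len) { buf_.insert(buf_.end(), data, data + len); }

    // Extract the next complete message. Returns false when more bytes are needed.
    // Throws std::length_error when the declared length exceeds the bound, so the caller
    // can drop the connection instead of buffering an attacker-chosen amount of data.
    bool next(std::vector<uint8_t>& out) {
        if (buf_.size() < kHeader) return false;
        const size_t declared = read_be(buf_.data());
        if (declared > limit_) throw std::length_error("declared message size exceeds limit");
        if (buf_.size() < kHeader + declared) return false;
        out.assign(buf_.begin() + kHeader, buf_.begin() + kHeader + declared);
        buf_.erase(buf_.begin(), buf_.begin() + kHeader + declared);
        return true;
    }

    // Sender side: prepend the network-endian length word.
    static std::vector<uint8_t> frame(const std::vector<uint8_t>& payload) {
        if (payload.size() > size_t(std::numeric_limits<SizeT>::max()))
            throw std::length_error("payload too large for the length word");
        std::vector<uint8_t> out;
        for (size_t i = kHeader; i-- > 0;) out.push_back(uint8_t(SizeT(payload.size()) >> (8 * i)));
        out.insert(out.end(), payload.begin(), payload.end());
        return out;
    }

private:
    // Big-endian decode of one length word.
    static size_t read_be(const uint8_t* p) {
        SizeT v = 0;
        for (size_t i = 0; i < kHeader; ++i) v = SizeT((v << 8) | p[i]);
        return v;
    }

    size_t limit_;
    std::vector<uint8_t> buf_;
};
```

The check on the declared size happens as soon as the header is complete and before the body is buffered: with a 32-bit word an unchecked length would let a peer make the receiver reserve up to 4 GiB for one message, so the bound matters more for the Vici-style instantiation than for the 16-bit one.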
James Yonan
abd1c5b208
PacketStream: minor cleanup and added a unit test
Removed declared_size_defined in favor of just setting
declared_size to a special value (SIZE_UNDEF) when it's
undefined.

Signed-off-by: James Yonan <james@openvpn.net>
2021-08-03 10:42:35 +02:00
Heiko Hund
dee1b625c3
fix occ proto strings
There are two things addressed here.

 1) regression introduced by commit f1bdbe5088:
    Since TCP is not an alias for TCPv4 anymore the occ string
    contained TCP_CLIENT as proto, which is not understood by peers.
    Since only the "v4" version of the proto strings are understood
    the code was simplified.
 2) wrong occ proto string for TCP servers:
    Servers were also sending out the proto with client suffix. Fixed
    by passing in a boolean and returning the server version if true.

Also renamed the method to reflect better what it is used for.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-06-10 22:40:18 +02:00
James Yonan
95b277ca58 TCPTransport::LinkCommon: updated initialization of halt to use C++11 member initializer
Signed-off-by: James Yonan <james@openvpn.net>
2021-05-31 13:34:44 -06:00
James Yonan
38ed30d4ad TCPTransport::LinkCommon: updated comment to reflect the fact that non-raw mode can be used for DNS as well as OpenVPN protocol over TCP
Signed-off-by: James Yonan <james@openvpn.net>
2021-05-31 13:34:44 -06:00
Heiko Hund
f1bdbe5088
fix handling of --proto option
Make it possible to enforce the protocol family by appending 4/6 to
the protocol, e.g. tcp6 or udp4. While it is already possible to
have protocol options like these in the configuration, they are not
enforced so far. Thus you could still be connected to a v6 address
even though the config requested v4 only.

Since v2.3 the openvpn 2.x series behaves like this. So, this is also
to catch up with the behavior there.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-05-05 19:46:57 +02:00
Heiko Hund
69ed0a6f10
make Protocol::mod_addr_version() take a Version
Change method signature from

    void Protocol::mod_addr_version(const IP::Addr&)
to
    void Protocol::mod_addr_version(const IP::Addr::Version)

This is done in preparation for allowing to override the protocol
version of a RemoteList::Item, where mod_addr_version() will be used.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-05-05 19:46:56 +02:00
Heiko Hund
32a32cf04c
add support for dco-win to agent service
Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-04-14 22:44:50 +02:00
Heiko Hund
7f103450f9
respect --http-proxy auth-method
Do not try other auth methods, if a specific method was given
as a third parameter to the --http-proxy config option.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-04-14 22:40:08 +02:00
Heiko Hund
63d38ba278 add results_type to class AsyncResolvable
Makes code more readable and implicitly declares the
correct internet protocol.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-03-18 18:10:30 +01:00
Antonio Quartulli
2c2fdaa7c5
transport-client: allow retrieving server port and socket fd
To properly implement support for ovpn-dco, we need the TCP/UDP
transport clients to allow the parent to retrieve the server port and
the native handle (socket fd).

Both are used when informing ovpn-dco about the new peer.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2021-02-23 01:37:20 +01:00
Lev Stipakov
e419e07c7f dcocli.cpp: add missing socket_protect call
As other transport clients, call socket_protect()
before establishing connection.

This gives ability to create bypass route.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2020-08-26 10:53:27 +00:00
Arne Schwabe
35d01b8a71 Fix indentation and unused variables related warnings from Clang 10
Signed-off-by: Arne Schwabe <arne@openvpn.net>
2020-04-29 11:55:38 +02:00
David Sommerseth
3fbe0a2701
Update copyrights
Signed-off-by: David Sommerseth <davids@openvpn.net>
2020-03-18 19:37:32 +01:00
Arne Schwabe
d1fd4ef1f1 Minor code style clean up
- use explicit for non copy single argument constructor
- add override where applicable

Signed-off-by: Arne Schwabe <arne@openvpn.net>
Signed-off-by: David Sommerseth <davids@openvpn.net>
2019-11-27 17:11:50 +01:00
Arne Schwabe
1e2d7b1c81 Implement opening /dev/net/ovpn via tun builder interface
Signed-off-by: Arne Schwabe <arne@openvpn.net>
2019-11-27 17:11:50 +01:00
David Sommerseth
6201b316f5
Merge branch 'hotfix/3.4' into released 2019-11-14 18:39:55 +01:00
David Sommerseth
300e0218dc
Merge hotfix/3.3 into hotfix/3.4 2019-11-13 21:12:41 +01:00
Antonio Quartulli
7f3756336d
httpcli.cpp: perform lock before running async DNS resolution
d8d14e1991 implemented new logic which
allows the DNS resolution to happen in a detachable thread. Since then,
we must execute async_resolve_lock() before performing the resolution so
that the main event queue is kept alive, while the core is busy
resolving the hostname.

Failing to do so will result in the main event queue terminating due to
"no events in the queue" and thus closing the core process.

Add lock (and related cancel) around resolution operation to guarantee
the core process stays alive during resolution.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2019-11-08 17:19:48 +01:00
Antonio Quartulli
7f0abcb3c3
httpcli.cpp: remove unused resolver member
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2019-11-08 17:19:47 +01:00
Lev Stipakov
0d7143c4bf transport: enable socket_protect call for all platforms
This enables socket_protect call for all transports / platforms
with default implementation being no-op.

This is needed for better round-robin DNS
fix for Connect clients (OVPN3-427).

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2019-10-10 15:23:17 +03:00
James Yonan
1b3402aec3 tcplinkcommon.hpp: added missing include
Signed-off-by: James Yonan <james@openvpn.net>
2019-09-06 22:24:57 -06:00
Antonio Quartulli
1d6bae4b5b
tcplinkcommon: bubble up real exception error
In case of error along the TCP RX path it is better to grab the error
coming with the exception and report it back up.

For this reason, catch ExceptionCode objects rather than std::exception
as the former carries the error code together with the text message.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2019-06-25 11:47:35 +02:00
Antonio Quartulli
c18c8bd156
tcpcli: ensure SSL Factory survives as long as TLS link
The SSL factory holds the config used by the link implementation during
various SSL operations.

For this reason we have to make the sure the Factory is not destroyed
(and thus the config) while the TLS link is alive.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2019-06-25 11:47:34 +02:00
Antonio Quartulli
4192193087
tls: parse and load TLS specific CA
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2019-06-25 11:47:31 +02:00
James Yonan
bbae814864
OpenSSL: added SNI implementation
On the server side, we add the abstract base class
SNIHandlerBase to provide a hook (sni_hello) where
servers can inspect the SNI name given in the client
hello message and possibly return a different SSLFactoryAPI.

In other changes, we rename the ENABLE_SNI flag to
ENABLE_CLIENT_SNI to be clear that this flag only affects
the client-side SNI implementation.

We also add the NO_VERIFY_HOSTNAME flag on the client side
to allow the SNI name to be transmitted to the server
without requiring a match between the SNI name and the
common name or subject alternative name in the server
certificate.

Signed-off-by: James Yonan <james@openvpn.net>
2019-06-19 18:21:00 +02:00
Lev Stipakov
5771dfc0ee transport: remove ip_hole_punch API
That API was introduced in commit 5c00943
to implement persistence for macOS. That functionality
was refactored in 0609c76, but framework was left intact.

Since socket_protect() is called almost at the
same time as ip_hole_punch() and also receives
remote address, there is no need for this unused
API anymore.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2019-05-09 16:40:24 +03:00
Antonio Quartulli
a2713ce1f6
PureTLS: enable SNI by default when configuring client
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2019-04-30 09:03:31 +02:00
Arne Schwabe
84fcecd5e7 Fix missing override annotation in udp/tcp/httpcli
Clang warns about these on default warning level.
2019-03-15 15:08:20 +01:00
Antonio Quartulli
c3026c65a6
Merge remote-tracking branch 'origin/qa' 2019-02-07 10:55:27 +10:00
Antonio Quartulli
f33fe76658
[UCONNECT-1027] perform async DNS resolution in a detached thread
When ASIO performs an async DNS resolution, it relies on the
getaddrinfo() syscall in order to obtain a result.

This syscall is non-interruptible by design, which means that, in case
of sudden stop command received by the user, the core will not be able
to terminate all its threads until the getaddrinfo() has returned
(either by timeout or with a result).

If the external core user is synchronously waiting for it to
terminate (i.e. like a UI), this behaviour will lead to the entire
client hanging.

To avoid this issue, this commit converts each asynchronous DNS
resolution to a synchronous one performed in a detached thread.

This way, if the core wants to stop, it can do so without waiting for
the DNS thread to join. Otherwise, this change should not lead to any
functional difference.

Signed-off-by: Yuriy Barnovych <yuriy@openvpn.net>
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2019-02-07 09:07:00 +10:00