Merge OpenVPN 3 Core library version 3.10.2 to master

Signed-off-by: David Sommerseth <davids@openvpn.net>

CMakePresets.json

@@ -59,6 +59,20 @@
                 }
             }
         },
+        {
+            "name": "base-mac",
+            "hidden": true,
+            "binaryDir": "${sourceDir}/out/build/${presetName}",
+            "cacheVariables": {
+                "CMAKE_INSTALL_PREFIX": "${sourceDir}/out/install/${presetName}",
+                "CMAKE_C_COMPILER": "/usr/bin/clang",
+                "CMAKE_CXX_COMPILER": "/usr/bin/clang++",
+                "CLI_NULLTUN": {
+                    "value": "ON",
+                    "type": "BOOL"
+                }
+            }
+        },
         {
             "name": "base-mingw",
             "hidden": true,
@@ -285,6 +299,20 @@
                 "debug",
                 "tunbuilder"
             ]
+        },
+        {
+            "name": "mac-debug",
+            "inherits": [
+                "base-mac",
+                "debug"
+            ]
+        },
+        {
+            "name": "mac-release",
+            "inherits": [
+                "base-mac",
+                "release"
+            ]
         }
     ],
     "buildPresets": [
@@ -357,6 +385,16 @@
             "name": "linux-x64-debug-tunbuilder",
             "configurePreset": "linux-x64-debug-tunbuilder",
             "configuration": "Debug"
+        },
+        {
+            "name": "mac-debug",
+            "configurePreset": "mac-debug",
+            "configuration": "Debug"
+        },
+        {
+            "name": "mac-release",
+            "configurePreset": "mac-release",
+            "configuration": "Release"
         }
     ],
     "testPresets": [

openvpn/addr/ipv4.hpp

@@ -90,6 +90,10 @@ class Addr // NOTE: must be union-legal, so default constructor does not initial
         ret.sin_family = AF_INET;
         ret.sin_port = htons(port);
         ret.sin_addr.s_addr = htonl(u.addr);
+#if defined(__APPLE__) || defined(__FreeBSD__)
+        /* macOS and FreeBSD have the sin_len member */
+        ret.sin_len = sizeof(struct sockaddr_in);
+#endif
         return ret;
     }
 

openvpn/client/cliconnect.hpp

@@ -597,6 +597,14 @@ class ClientConnect : ClientProto::NotifyCallback,
                 case Error::TLS_ALERT_CERTIFICATE_REVOKED:
                     add_error_and_stop<ClientEvent::TLSAlertCertificateRevoked>(fatal_code);
                     break;
+                case Error::NEED_CREDS:
+                    {
+                        ClientEvent::Base::Ptr ev = new ClientEvent::NeedCreds();
+                        client_options->events().add_event(std::move(ev));
+                        client_options->stats().error(Error::NEED_CREDS);
+                        stop();
+                    }
+                    break;
                 default:
                     throw client_connect_unhandled_exception();
                 }

openvpn/client/clicreds.hpp

@@ -154,12 +154,14 @@ class ClientCreds : public RC<thread_unsafe_refcount>
 
     void purge_session_id()
     {
+        OPENVPN_LOG("Clearing session-id");
         session_id.clear();
         session_id_username.clear();
     }
 
     void purge_user_pass()
     {
+        OPENVPN_LOG("Clearing credentials");
         username.clear();
         password.clear();
     }
@@ -196,10 +198,14 @@ class ClientCreds : public RC<thread_unsafe_refcount>
         }
         else if (response.empty())
         {
-            if (!session_id_username.empty() || !username.empty())
+            if (!username.empty())
             {
                 ret += "Username";
             }
+            else if (!session_id_username.empty())
+            {
+                ret += "UsernameSessionId";
+            }
             else
             {
                 ret += "UsernameEmpty";

openvpn/client/clievent.hpp

@@ -89,6 +89,7 @@ enum Type
     COMPRESS_ERROR,
     NTLM_MISSING_CRYPTO,
     SESSION_EXPIRED,
+    NEED_CREDS,
 
     N_TYPES
 };
@@ -158,7 +159,8 @@ inline const char *event_name(const Type type)
         "RELAY_ERROR",
         "COMPRESS_ERROR",
         "NTLM_MISSING_CRYPTO",
-        "SESSION_EXPIRED"};
+        "SESSION_EXPIRED",
+        "NEED_CREDS"};
 
     static_assert(N_TYPES == array_size(names), "event names array inconsistency");
     if (type < N_TYPES)
@@ -484,6 +486,14 @@ struct Connected : public Base
     }
 };
 
+struct NeedCreds : public Base
+{
+    NeedCreds()
+        : Base(NEED_CREDS)
+    {
+    }
+};
+
 struct ReasonBase : public Base
 {
     ReasonBase(const Type id, const std::string &reason_arg)

openvpn/client/cliopt.hpp

@@ -164,7 +164,6 @@ class ClientOptions : public RC<thread_unsafe_refcount>
         bool alt_proxy = false;
         bool synchronous_dns_lookup = false;
         int default_key_direction = -1;
-        bool allow_local_lan_access = false;
 
         PeerInfo::Set::Ptr extra_peer_info;
 #ifdef OPENVPN_PLATFORM_ANDROID
@@ -392,7 +391,7 @@ class ClientOptions : public RC<thread_unsafe_refcount>
                 tunconf->builder = config.builder;
                 tunconf->tun_prop.session_name = session_name;
                 tunconf->tun_prop.google_dns_fallback = config.clientconf.googleDnsFallback;
-                tunconf->tun_prop.allow_local_lan_access = config.allow_local_lan_access;
+                tunconf->tun_prop.allow_local_lan_access = config.clientconf.allowLocalLanAccess;
                 if (tun_mtu)
                     tunconf->tun_prop.mtu = tun_mtu;
                 tunconf->tun_prop.mtu_max = tun_mtu_max;

openvpn/client/cliproto.hpp

@@ -433,12 +433,21 @@ class Session : ProtoContextCallbackInterface,
             if (buf.size())
             {
                 const ProtoContext::ProtoConfig &c = proto_context.conf();
+
+                bool df = true;
+
+                if (IPCommon::version(buf[0]) == IPCommon::IPv4 && buf.size() >= sizeof(struct IPv4Header))
+                {
+                    df = IPv4Header::is_df_set(buf.c_data());
+                }
+
                 // when calculating mss, we take IPv4 and TCP headers into account
                 // here we need to add it back since we check the whole IP packet size, not just TCP payload
                 constexpr size_t MinTcpHeader = 20;
                 constexpr size_t MinIpHeader = 20;
                 size_t mss_no_tcp_ip_encap = c.mss_fix + (MinTcpHeader + MinIpHeader);
-                if (c.mss_fix > 0 && buf.size() > mss_no_tcp_ip_encap)
+
+                if (df && c.mss_fix > 0 && buf.size() > mss_no_tcp_ip_encap)
                 {
                     Ptb::generate_icmp_ptb(buf, clamp_to_typerange<unsigned short>(mss_no_tcp_ip_encap));
                     tun->tun_send(buf);
@@ -1200,6 +1209,10 @@ class Session : ProtoContextCallbackInterface,
         if (creds && !proto_context.conf().relay_mode)
         {
             OPENVPN_LOG("Creds: " << creds->auth_info());
+            if (!creds->session_id_defined() && creds->password_needed() && !creds->password_defined())
+            {
+                throw ErrorCode(Error::NEED_CREDS, true, "missing password");
+            }
             proto_context.write_auth_string(creds->get_username(), buf);
 #ifdef OPENVPN_DISABLE_AUTH_TOKEN // debugging only
             if (creds->session_id_defined())

openvpn/error/error.hpp

@@ -90,7 +90,8 @@ enum Type
     EARLY_NEG_INVALID,                    // Early protoctol negotiation information invalid/parse error
     NTLM_MISSING_CRYPTO,                  // crypto primitives requires for NTLM are unavailable
     UNUSED_OPTIONS,                       // unused/unknown options found in configuration
-    SESSION_EXPIRED,                      // authentication error when using session-id and password is not cached
+    SESSION_EXPIRED,                      // authentication error when using session-id and password is not cache
+    NEED_CREDS,                           // credentials are required but are missing (likely due to auth-nocache)
 
     // key event errors
     KEV_NEGOTIATE_ERROR,
@@ -185,6 +186,7 @@ inline const char *name(const size_t type)
         "NTLM_MISSING_CRYPTO",
         "UNUSED_OPTIONS_ERROR",
         "SESSION_EXPIRED",
+        "NEED_CREDS",
         "KEV_NEGOTIATE_ERROR",
         "KEV_PENDING_ERROR",
         "N_KEV_EXPIRE",

openvpn/ip/ip4.hpp

@@ -33,6 +33,12 @@ struct IPv4Header
         return static_cast<uint8_t>(((len >> 2) & 0x0F) | (version & 0x0F) << 4);
     }
 
+    static bool is_df_set(const unsigned char *data)
+    {
+        auto *hdr = reinterpret_cast<const IPv4Header *>(data);
+        return ntohs(hdr->frag_off) & IPv4Header::DF;
+    }
+
     std::uint8_t version_len;
 
     std::uint8_t tos;
@@ -42,6 +48,7 @@ struct IPv4Header
     enum
     {
         OFFMASK = 0x1fff,
+        DF = 0x4000,
     };
     std::uint16_t frag_off;
 

openvpn/tun/mac/client/tunsetup.hpp

@@ -29,7 +29,7 @@
 #include <openvpn/tun/layer.hpp>
 #include <openvpn/tun/mac/tunutil.hpp>
 #include <openvpn/tun/mac/utun.hpp>
-#include <openvpn/tun/mac/macgw.hpp>
+#include <openvpn/tun/mac/gw.hpp>
 #include <openvpn/tun/mac/macdns_watchdog.hpp>
 #include <openvpn/tun/proxy.hpp>
 #include <openvpn/tun/mac/macproxy.hpp>
@@ -292,9 +292,6 @@ class Setup : public TunBuilderSetup::Base
                            ActionList &destroy,
                            std::ostream &os)
     {
-        // get default gateway
-        MacGWInfo gw;
-
         // set local4 and local6 to point to IPv4/6 route configurations
         const TunBuilderCapture::RouteAddress *local4 = nullptr;
         const TunBuilderCapture::RouteAddress *local6 = nullptr;
@@ -369,23 +366,27 @@ class Setup : public TunBuilderSetup::Base
         // Process exclude routes
         if (!pull.exclude_routes.empty())
         {
+            // get default gateways
+            MacGatewayInfo gw4{IP::Addr::from_ipv4(IPv4::Addr::from_zero())};
+            MacGatewayInfo gw6{IP::Addr::from_ipv6(IPv6::Addr::from_zero())};
+
             for (std::vector<TunBuilderCapture::Route>::const_iterator i = pull.exclude_routes.begin(); i != pull.exclude_routes.end(); ++i)
             {
                 const TunBuilderCapture::Route &route = *i;
                 if (route.ipv6)
                 {
                     if (!pull.block_ipv6)
                     {
-                        if (gw.v6.defined())
-                            add_del_route(route.address, route.prefix_length, gw.v6.router.to_string(), gw.v6.iface, R_IPv6 | R_IFACE_HINT, create, destroy);
+                        if (gw6.flags() & MacGatewayInfo::ADDR_DEFINED)
+                            add_del_route(route.address, route.prefix_length, gw6.gateway_addr_str(), gw6.iface(), R_IPv6 | R_IFACE_HINT, create, destroy);
                         else
                             os << "NOTE: cannot determine gateway for exclude IPv6 routes" << std::endl;
                     }
                 }
                 else
                 {
-                    if (gw.v4.defined())
-                        add_del_route(route.address, route.prefix_length, gw.v4.router.to_string(), gw.v4.iface, 0, create, destroy);
+                    if (gw4.flags() & MacGatewayInfo::ADDR_DEFINED)
+                        add_del_route(route.address, route.prefix_length, gw4.gateway_addr_str(), gw4.iface(), 0, create, destroy);
                     else
                         os << "NOTE: cannot determine gateway for exclude IPv4 routes" << std::endl;
                 }
@@ -395,13 +396,14 @@ class Setup : public TunBuilderSetup::Base
         // Process IPv4 redirect-gateway
         if (pull.reroute_gw.ipv4)
         {
+            MacGatewayInfo gw4{IP::Addr::from_ipv4(IPv4::Addr::from_string(pull.remote_address.address))};
             // add server bypass route
-            if (gw.v4.defined())
+            if (gw4.flags() & MacGatewayInfo::ADDR_DEFINED)
             {
                 if (!pull.remote_address.ipv6 && !(pull.reroute_gw.flags & RedirectGatewayFlags::RG_LOCAL))
                 {
                     Action::Ptr c, d;
-                    add_del_route(pull.remote_address.address, 32, gw.v4.router.to_string(), gw.v4.iface, 0, c, d);
+                    add_del_route(pull.remote_address.address, 32, gw4.gateway_addr_str(), gw4.iface(), 0, c, d);
                     create.add(c);
                     destroy.add(d);
                     // add_del_route(gw.v4.router.to_string(), 32, "", gw.v4.iface, R_ONLINK, create, destroy); // fixme -- needed for block-local
@@ -420,13 +422,14 @@ class Setup : public TunBuilderSetup::Base
         // Process IPv6 redirect-gateway
         if (pull.reroute_gw.ipv6 && !pull.block_ipv6)
         {
+            MacGatewayInfo gw6{IP::Addr::from_ipv6(IPv6::Addr::from_string(pull.remote_address.address))};
             // add server bypass route
-            if (gw.v6.defined())
+            if (gw6.flags() & MacGatewayInfo::ADDR_DEFINED)
             {
                 if (pull.remote_address.ipv6 && !(pull.reroute_gw.flags & RedirectGatewayFlags::RG_LOCAL))
                 {
                     Action::Ptr c, d;
-                    add_del_route(pull.remote_address.address, 128, gw.v6.router.to_string(), gw.v6.iface, R_IPv6 | R_IFACE_HINT, c, d);
+                    add_del_route(pull.remote_address.address, 128, gw6.gateway_addr_str(), gw6.iface(), R_IPv6 | R_IFACE_HINT, c, d);
                     create.add(c);
                     destroy.add(d);
                     // add_del_route(gw.v6.router.to_string(), 128, "", gw.v6.iface, R_IPv6|R_ONLINK, create, destroy); // fixme -- needed for block-local
@@ -479,17 +482,17 @@ class Setup : public TunBuilderSetup::Base
                                  ActionList &add_cmds,
                                  ActionList &remove_cmds_bypass_gw)
     {
-        MacGWInfo gw;
-
-        if (!ipv6)
-        {
-            if (gw.v4.defined())
-                add_del_route(route, 32, gw.v4.router.to_string(), gw.v4.iface, 0, add_cmds, remove_cmds_bypass_gw);
-        }
-        else
+        MacGatewayInfo gw{IP::Addr{route}};
+        if (gw.flags() & MacGatewayInfo::ADDR_DEFINED)
         {
-            if (gw.v6.defined())
-                add_del_route(route, 128, gw.v6.router.to_string(), gw.v6.iface, R_IPv6 | R_IFACE_HINT, add_cmds, remove_cmds_bypass_gw);
+            if (!ipv6)
+            {
+                add_del_route(route, 32, gw.gateway_addr_str(), gw.iface(), 0, add_cmds, remove_cmds_bypass_gw);
+            }
+            else
+            {
+                add_del_route(route, 128, gw.gateway_addr_str(), gw.iface(), R_IPv6 | R_IFACE_HINT, add_cmds, remove_cmds_bypass_gw);
+            }
         }
     }
 };