Merge OpenVPN 3 Core library version 3.8.5 to master
Signed-off-by: David Sommerseth <davids@openvpn.net>
dsommers committed May 3, 2024
2 parents 74ff4c9 + 03236ed commit 149ec03
Showing 14 changed files with 233 additions and 206 deletions.
2 changes: 1 addition & 1 deletion client/ovpncli.cpp
Expand Up @@ -1053,7 +1053,7 @@ OPENVPN_CLIENT_EXPORT Status OpenVPNClient::status_from_exception(const std::exc
{
Status ret;
ret.error = true;
ret.message = Unicode::utf8_printable<std::string>(e.what(), 256 | Unicode::UTF8_PASS_FMT);
ret.message = Unicode::utf8_printable<std::string>(e.what(), 2048 | Unicode::UTF8_PASS_FMT);

// if exception is an ExceptionCode, translate the code
// to return status string
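Review bot: The new 2048 on the `ret.message` line is an unexplained magic number replacing an equally unexplained 256; it bounds how many bytes of `e.what()` are copied into the status message that reaches the caller, so the intent deserves a name rather than a literal OR-ed with a flag. Hoist it into a constant typed to match utf8_printable's flags parameter, e.g. `constexpr auto kStatusMessageMaxLen = 2048;` and `ret.message = Unicode::utf8_printable<std::string>(e.what(), kStatusMessageMaxLen | Unicode::UTF8_PASS_FMT);`, so the next adjustment does not have to hunt for the literal. `status_from_exception` continues past the hunk.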
4 changes: 2 additions & 2 deletions openvpn/addr/ip.hpp
Expand Up @@ -335,9 +335,9 @@ class Addr
static Addr from_sockaddr(const struct sockaddr *sa)
{
if (sa->sa_family == AF_INET)
return from_ipv4(IPv4::Addr::from_sockaddr((struct sockaddr_in *)sa));
return from_ipv4(IPv4::Addr::from_sockaddr(reinterpret_cast<const struct sockaddr_in *>(sa)));
else if (sa->sa_family == AF_INET6)
return from_ipv6(IPv6::Addr::from_sockaddr((struct sockaddr_in6 *)sa));
return from_ipv6(IPv6::Addr::from_sockaddr(reinterpret_cast<const struct sockaddr_in6 *>(sa)));
else
return Addr();
}
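Review bot: `from_sockaddr` reads `sa->sa_family` and then reinterprets `sa` as a `sockaddr_in6` (28 bytes) when the family is AF_INET6, but nothing in the signature conveys how large the object behind `sa` really is; a caller handing in a bare 16-byte `struct sockaddr` carrying that family would be read past its end, and a null `sa` faults on the first line. Replacing the C-style casts with `reinterpret_cast` is an improvement but leaves that contract implicit, so at least state it on the function: `/// @pre sa is non-null and points at a complete sockaddr_in or sockaddr_in6 (e.g. a sockaddr_storage) whose sa_family matches; never a bare struct sockaddr.` An overload that also takes the `socklen_t` the socket API returned and compares it against `sizeof` of the target type would let callers that have the length be strict.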
4 changes: 4 additions & 0 deletions openvpn/addr/ipv6.hpp
Expand Up @@ -109,6 +109,10 @@ class Addr // NOTE: must be union-legal, so default constructor does not initial
ret.sin6_port = htons(port);
host_to_network_order((union ipv6addr *)&ret.sin6_addr.s6_addr, &u);
ret.sin6_scope_id = scope_id_;
#ifdef SIN6_LEN
/* This is defined on both macOS and FreeBSD that have the sin6_len member */
ret.sin6_len = sizeof(sockaddr_in6);
#endif
return ret;
}

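Review bot: The `#ifdef SIN6_LEN` block correctly fills `sin6_len` from `sizeof(sockaddr_in6)`, but only the IPv6 side is touched; BSD-derived systems carry the equivalent `sin_len` member on `sockaddr_in`, so unless the IPv4 conversion already sets it the two families now produce differently initialised structures on macOS/FreeBSD, which is worth confirming before this lands. The comment also reads awkwardly; `/* SIN6_LEN is defined on macOS and FreeBSD, where sockaddr_in6 carries the sin6_len member */` says the same thing more plainly. The enclosing function starts before the hunk.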
31 changes: 16 additions & 15 deletions openvpn/client/cliopt.hpp
Expand Up @@ -958,8 +958,8 @@ class ClientOptions : public RC<thread_unsafe_refcount>
"WSHOST",
"WEB_CA_BUNDLE",
"IS_OPENVPN_WEB_CA",
"OVPN_ACCESS_SERVER_NO_WEB",
};
"NO_WEB",
"ORGANIZATION"};

std::unordered_set<std::string> ignore_unknown_option_list;

Expand Down Expand Up @@ -1069,6 +1069,19 @@ class ClientOptions : public RC<thread_unsafe_refcount>

if (pcc.pushPeerInfo())
{
/* If we override the HWADDR, we add it at this time statically. If we need to
* dynamically discover it from the transport it will be added in
* \c build_connect_time_peer_info_string instead */
if (!config.clientconf.hwAddrOverride.empty())
{
pi->emplace_back("IV_HWADDR", config.clientconf.hwAddrOverride);
}

pi->emplace_back("IV_SSL", get_ssl_library_version());

if (!config.clientconf.platformVersion.empty())
pi->emplace_back("IV_PLAT_VER", config.clientconf.platformVersion);

/* ensure that we use only one variable with the same name */
std::unordered_map<std::string, std::string> extra_values;

Expand Down Expand Up @@ -1106,19 +1119,6 @@ class ClientOptions : public RC<thread_unsafe_refcount>
if (!config.clientconf.appCustomProtocols.empty())
pi->emplace_back("IV_ACC", "2048,6:A," + config.clientconf.appCustomProtocols);

// MAC address
if (pcc.pushPeerInfo())
{
std::string hwaddr = get_hwaddr();
if (!config.clientconf.hwAddrOverride.empty())
pi->emplace_back("IV_HWADDR", config.clientconf.hwAddrOverride);
else if (!hwaddr.empty())
pi->emplace_back("IV_HWADDR", hwaddr);
pi->emplace_back("IV_SSL", get_ssl_library_version());

if (!config.clientconf.platformVersion.empty())
pi->emplace_back("IV_PLAT_VER", config.clientconf.platformVersion);
}
return pi;
}

Expand Down Expand Up @@ -1326,6 +1326,7 @@ class ClientOptions : public RC<thread_unsafe_refcount>
cp->load(opt, *proto_context_options, config.default_key_direction, false);
cp->set_xmit_creds(!autologin || pcc.hasEmbeddedPassword() || autologin_sessions);
cp->extra_peer_info = build_peer_info(config, pcc, autologin_sessions);
cp->extra_peer_info_push_peerinfo = pcc.pushPeerInfo();
cp->frame = frame;
cp->now = &now_;
cp->rng = rng;
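Review bot: In the second hunk the static override is now the only `IV_HWADDR` entry that `build_peer_info` emits, and the dynamic lookup has moved to connect time, where (per the proto.hpp hunk in this commit) the decision is taken by probing `extra_peer_info` for the literal key `"IV_HWADDR"`; that coupling between two files through a bare string is easy to break silently, since a renamed key or a second source adding the same key would change which MAC address is sent to the server with no compiler help. Name the consumer at the emplace_back, e.g. `/* ProtoContext::build_connect_time_peer_info_string() probes for this exact key to decide whether to discover the MAC dynamically; keep the literal in sync */`, or better, hoist `"IV_HWADDR"` into one shared constant used by both sites. `build_peer_info` begins before the hunk.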
8 changes: 6 additions & 2 deletions openvpn/client/cliopthelper.hpp
Expand Up @@ -367,8 +367,12 @@ class ParseClientConfig
// add in missing options
bool added = false;

// client
if (options.exists("tls-client") && options.exists("pull"))
/* client
Ensure that we always look at both options, so they register as touched */
const bool tls_client_exists = options.exists("tls-client");
const bool pull_exists = options.exists("pull");

if (tls_client_exists && pull_exists)
{
Option opt;
opt.push_back("client");
3 changes: 2 additions & 1 deletion openvpn/client/cliproto.hpp
Expand Up @@ -508,6 +508,7 @@ class Session : ProtoContextCallbackInterface,
{
try
{
proto_context.conf().build_connect_time_peer_info_string(transport);
OPENVPN_LOG("Connecting to " << server_endpoint_render());
proto_context.set_protocol(transport->transport_protocol());
proto_context.start();
Expand Down Expand Up @@ -1131,7 +1132,7 @@ class Session : ProtoContextCallbackInterface,

if (tls_warnings & SSLAPI::TLS_WARN_SIG_MD5)
{
ClientEvent::Base::Ptr ev = new ClientEvent::Warn("TLS: received certificate signed with MD5. Please inform your admin to upgrade to a stronger algorithm. Support for MD5 will be dropped at end of Apr 2018");
ClientEvent::Base::Ptr ev = new ClientEvent::Warn("TLS: received certificate signed with MD5. Please inform your admin to upgrade to a stronger algorithm. Support for MD5 will be dropped in the near future");
cli_events->add_event(std::move(ev));
}

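Review bot: The new `build_connect_time_peer_info_string(transport)` call sits inside the `try` ahead of the "Connecting to" log line, and on macOS it ends in a gateway lookup (`MacGatewayInfo gw{server_addr}` in the hwaddr.hpp hunk); if that lookup can throw, the connection attempt now aborts before it is even logged, for the sake of an optional `IV_HWADDR` field. Unless the catch handler is known to treat that as a retryable failure, contain it at the source, for instance by having the MAC discovery return an empty string on failure, or at least move the call after the log line so a failure is attributable in the log. The enclosing function and its catch handler lie outside the hunk.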
16 changes: 8 additions & 8 deletions openvpn/dco/dcocli.hpp
Expand Up @@ -36,22 +36,22 @@
#include <openvpn/tun/builder/capture.hpp>
#include <openvpn/tun/client/tunbase.hpp>

#ifndef ENABLE_OVPNDCOWIN
#if !defined(ENABLE_OVPNDCOWIN)
#include <openvpn/tun/linux/client/tunmethods.hpp>
#endif

#ifdef ENABLE_KOVPN
#if defined(ENABLE_KOVPN)
#include <openvpn/kovpn/kodevtun.hpp>
#include <openvpn/kovpn/kostats.hpp>
#include <openvpn/kovpn/kovpn.hpp>
#include <openvpn/kovpn/rps_xps.hpp>
#elif ENABLE_OVPNDCO
#elif defined(ENABLE_OVPNDCO)
#include <openvpn/buffer/buffer.hpp>
#include <openvpn/common/uniqueptr.hpp>
#include <openvpn/dco/key.hpp>
#include <openvpn/tun/linux/client/genl.hpp>
#include <openvpn/tun/linux/client/sitnl.hpp>
#elif ENABLE_OVPNDCOWIN
#elif defined(ENABLE_OVPNDCOWIN)
#include <bcrypt.h>
#include <openvpn/dco/key.hpp>
#include <openvpn/dco/ovpn-dco.h>
Expand Down Expand Up @@ -92,7 +92,7 @@ class ClientConfig : public DCO,

virtual void finalize(const bool disconnected) override
{
#ifdef ENABLE_OVPNDCOWIN
#if defined(ENABLE_OVPNDCOWIN)
if (disconnected)
tun.tun_persist.reset();
#endif
Expand Down Expand Up @@ -286,7 +286,7 @@ class Client : public TransportClient,
uint32_t peer_id;
};

#ifdef ENABLE_KOVPN
#if defined(ENABLE_KOVPN)
#include <openvpn/kovpn/kovpncli.hpp>
inline DCO::Ptr new_controller(TunBuilderBase *)
{
Expand All @@ -298,7 +298,7 @@ ClientConfig::new_transport_client_obj(openvpn_io::io_context &io_context,
{
return TransportClient::Ptr(new KovpnClient(io_context, this, parent));
}
#elif ENABLE_OVPNDCO
#elif defined(ENABLE_OVPNDCO)
#include <openvpn/dco/ovpndcocli.hpp>
inline DCO::Ptr new_controller(TunBuilderBase *tb)
{
Expand All @@ -317,7 +317,7 @@ ClientConfig::new_transport_client_obj(openvpn_io::io_context &io_context,
{
return TransportClient::Ptr(new OvpnDcoClient(io_context, this, parent));
}
#elif ENABLE_OVPNDCOWIN
#elif defined(ENABLE_OVPNDCOWIN)
#include <openvpn/dco/ovpndcowincli.hpp>
inline DCO::Ptr new_controller(TunBuilderBase *tb)
{
6 changes: 3 additions & 3 deletions openvpn/netconf/hwaddr.hpp
Expand Up @@ -32,13 +32,13 @@
#if defined(OPENVPN_PLATFORM_WIN) && !defined(OPENVPN_PLATFORM_UWP)
#include <openvpn/tun/win/tunutil.hpp>
#elif defined(OPENVPN_PLATFORM_MAC)
#include <openvpn/tun/mac/gwv4.hpp>
#include <openvpn/tun/mac/gw.hpp>
#elif defined(TARGET_OS_IPHONE)
#include <UIKit/UIKit.h>
#endif

namespace openvpn {
inline std::string get_hwaddr()
inline std::string get_hwaddr([[maybe_unused]] IP::Addr server_addr)
{
#if defined(OPENVPN_PLATFORM_WIN) && !defined(OPENVPN_PLATFORM_UWP)
const TunWin::Util::BestGateway dg{AF_INET};
Expand All @@ -53,7 +53,7 @@ inline std::string get_hwaddr()
}
}
#elif defined(OPENVPN_PLATFORM_MAC)
const MacGatewayInfoV4 gw;
const MacGatewayInfo gw{server_addr};
if (gw.hwaddr_defined())
{
const MACAddr &mac = gw.hwaddr();
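Review bot: `get_hwaddr` now selects the macOS gateway from `server_addr` (`MacGatewayInfo gw{server_addr}`), but the Windows branch a few lines above still hard-codes `BestGateway dg{AF_INET}`, and the `[[maybe_unused]]` attribute on the new parameter silences exactly the warning that would have pointed at that gap; for a server reached over IPv6 the two platforms therefore choose their adapter differently. Either thread the family through on Windows too or state the asymmetry on the function, e.g. `/// Returns the MAC of the interface used to reach server_addr on macOS; the Windows path currently uses the AF_INET best gateway regardless of server_addr.` Taking `const IP::Addr &server_addr` would also avoid copying the address on every call. The function continues past the hunk.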
7 changes: 7 additions & 0 deletions openvpn/ssl/peerinfo.hpp
Expand Up @@ -90,6 +90,13 @@ struct Set : public std::vector<KeyValue>, public RCCopyable<thread_unsafe_refco
emplace_back(kv.key, kv.value);
}

[[nodiscard]] bool contains_key(const std::string &key)
{
return std::find_if(begin(), end(), [&](const PeerInfo::KeyValue &kv)
{ return kv.key == key; })
!= end();
}

Ptr copy() const
{
return new Set(*this);
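Review bot: `contains_key` is a pure query but is not declared `const`, so it cannot be called through a `const Set &` and breaks the const-correctness that the neighbouring `copy() const` observes; make it `[[nodiscard]] bool contains_key(const std::string &key) const`. `std::find_if` also needs `<algorithm>`, and if this header does not already include it (not visible here) the new code relies on a transitive include. A one-line Doxygen comment, `/// True if some entry in the set has exactly this key (no normalisation is applied)`, would complete it.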
33 changes: 32 additions & 1 deletion openvpn/ssl/proto.hpp
Expand Up @@ -77,13 +77,15 @@
#include <openvpn/ssl/mssparms.hpp>
#include <openvpn/transport/mssfix.hpp>
#include <openvpn/transport/protocol.hpp>
#include <openvpn/transport/client/transbase.hpp>
#include <openvpn/tun/layer.hpp>
#include <openvpn/tun/tunmtu.hpp>
#include <openvpn/compress/compress.hpp>
#include <openvpn/ssl/proto_context_options.hpp>
#include <openvpn/ssl/peerinfo.hpp>
#include <openvpn/crypto/crypto_aead.hpp>
#include <openvpn/ssl/customcontrolchannel.hpp>
#include <openvpn/netconf/hwaddr.hpp>

#ifndef OPENVPN_DEBUG_PROTO
#define OPENVPN_DEBUG_PROTO 1
Expand Down Expand Up @@ -409,12 +411,19 @@ class ProtoContext : public logging::LoggingMixin<OPENVPN_DEBUG_PROTO, logging::
Time::Duration keepalive_timeout; // timeout period after primary KeyContext reaches ACTIVE state
Time::Duration keepalive_timeout_early; // timeout period before primary KeyContext reaches ACTIVE state

// extra peer info key/value pairs generated by client app
//! extra peer info key/value pairs generated by client app
PeerInfo::Set::Ptr extra_peer_info;

// App control config
AppControlMessageConfig app_control_config;
AppControlMessageReceiver app_control_recv;
/** extra peer information that depends on the state of the underlying transport and needs to be initialised
* after the transport is initialised but before the IV variables are sent */
PeerInfo::Set::Ptr extra_peer_info_transport;

/** When the extra_peer_info_transport is being built, we need to remember if it should include the more
* sensitive information that push-peer-info includes */
bool extra_peer_info_push_peerinfo = false;

// op header
bool enable_op32 = false;
Expand Down Expand Up @@ -1027,6 +1036,26 @@ class ProtoContext : public logging::LoggingMixin<OPENVPN_DEBUG_PROTO, logging::
return initial_options;
}

/**
* This method adds the parts of the peer info string that depend on the state of the
* connection, especially the remote that we are connecting to.
*/
void build_connect_time_peer_info_string(TransportClient::Ptr transport)
{
extra_peer_info_transport.reset(new PeerInfo::Set{});
if (extra_peer_info_push_peerinfo)
{
/* check if the IV_HWADDR is already present in the extra_peer_info set as it has then been
* statically been overridden */
if (!extra_peer_info->contains_key("IV_HWADDR"))
{
std::string hwaddr = get_hwaddr(transport->server_endpoint_addr());
if (!hwaddr.empty())
extra_peer_info_transport->emplace_back("IV_HWADDR", hwaddr);
}
}
}

// generate a string summarizing information about the client
// including capabilities
std::string peer_info_string() const
Expand Down Expand Up @@ -1085,6 +1114,8 @@ class ProtoContext : public logging::LoggingMixin<OPENVPN_DEBUG_PROTO, logging::
out << compstr;
if (extra_peer_info)
out << extra_peer_info->to_string();
if (extra_peer_info_transport)
out << extra_peer_info_transport->to_string();
if (is_bs64_cipher(dc.cipher()))
out << "IV_BS64DL=1\n"; // indicate support for data limits when using 64-bit block-size ciphers, version 1 (CVE-2016-6329)
if (relay_mode)
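Review bot: `build_connect_time_peer_info_string` dereferences `extra_peer_info` unconditionally (`extra_peer_info->contains_key("IV_HWADDR")`), yet `peer_info_string` in the last hunk still guards that same pointer with `if (extra_peer_info)`, so if a Config ever reaches connect time with push-peer-info set and no extra peer info this is a null dereference. Either keep the guard consistent, `if (!extra_peer_info || !extra_peer_info->contains_key("IV_HWADDR"))`, or drop the check in `peer_info_string` with a comment stating the invariant that the pointer is always set. Two smaller points: `TransportClient::Ptr transport` is taken by value, bumping the refcount for a function that only reads `server_endpoint_addr()`, where `const TransportClient::Ptr &` or `TransportClient &` suffices; and including `<openvpn/netconf/hwaddr.hpp>` from proto.hpp pulls platform headers such as UIKit into every translation unit that includes the protocol core, which may be better isolated in the client layer that already owns the transport.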