The reauthentication logic differs from openvpn2
and the code is a bit hard to follow. Simplify
the code and make it behave like in openvpn2.
- password is cached by default
- password is purged when auth-nocache is presented in a local config or pushed
- when AUTH_FAILED is received and we have no session-id, throw a fatal error
- when AUTH_FAILED is received and user interaction is required for
authentication (MFA), throw a fatal error
- when AUTH_FAILED is received, user interaction is not required
for authentication and either we have a cached password OR password is not
needed, we reconnect.
Password is "needed" when non-empty password is provided.
User interaction is required for static/dynamic challenge and SAML.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
The openvpn3-linux ships with a netcfg-cli client, which is essentially
the same code as test/ovpncli/cli.cpp but it uses the
net.openvpn.v3.netcfg D-Bus service to create the virtual network
adapter and the related network and DNS configuration. This is a useful
test client when only wanting to test the Network Configuration service
openvpn3-linux ships with.
As part of the refactoring of the D-Bus implementation in
openvpn3-linux, the supporting D-Bus setup needs to be adjusted to the
new D-Bus API.
It has been considered to support both types of APIs, but the legacy
D-Bus API is deprecated and will not be used any more after the release
of OpenVPN 3 Linux v22_dev. Prior releases will depend on an older
OpenVPN 3 Core library version, which contains the old API.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Currently we error out on the first unsupported
option which belongs to the "fatal" category, such as
"removed deprecated option" or "Option allowed only to
be pushed by the server".
To improve user experice and allow application code
to display all problematic options and their categories,
collect options into a category->options map and then
serialize it into multiline string:
cat1: opt1,opt2
cat2: opt3
Introduce a new error code UNUSED_OPTIONS, which is
placed into ClientAPI::Status::status. The serialized
options map is placed into ClientAPI::Status::message.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
This adds the capability to implement a custom app level protocol
that support message passing over the OpenVPN control channel.
The protocol is agnostic to the data that is transported over it
and the message splitting/reassmbly is handled transparently by the
OpenVPN library itself.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
It was only supported by mbedTLS and is very easily used wrong since it
is just a boolean value. Other TLS stacks were using the regular strength
PRNG no matter what. Also we should not weaken a crypto strength PRNG,
now that we have the StrongRandomAPI type in place. It might give the
wrong sense of strength, when in reality we might reseed a hundred times
less often.
In places where prng was passed as true before, use MTRand now instead.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
The need of having to call the assert_crypto() member function to ensure
that a cryptographically strong RNG is used where needed, was reported
as potentially insecure, since calling it manually can easily be missed.
In the commit the two new classes StrongRandomAPI and WeakRandomAPI are
introduced. They are to be used instead of just RandomAPI, unless it
doesn't matter what strength the RNG is.
All the places the assert_crypto() was called were converted to using
StrongRandomAPI instead. Also the RNGs for which assert_crypto() was not
throwing are now inheriting from StrongRandomAPI.
Variable names, which have the StrongRandomAPI type, but were called
prng, are changed to rng instead to follow the source code convention.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Usually caused by the only use being in macros that do not
necessarily expand to code depending on the preprocessor
flags.
While here, convert existing work-arounds to [[maybe_unused]]
as well.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
This makes this option have the same style as the other options in
the client config to ensure consistencyv
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The code for browser opening on Unix platforms assumes some includes to
be always present but nulltun + FreeBSD actually do not have include them.
So include them explicitly. And since this break windows, ensure that
process.hpp does nothing on that platform.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
When parsing config, check DCO compatibility. Following
options break DCO compatibility:
- http-proxy
- compress
- comp-lzo
Same for config settings:
- non-preferred-algorithms
- legacy-algorithms
- proxyHost
DCO compatibility could be checked with
- bool EvalConfig::dcoCompatible
- std::string dcoIncompatibilityReason
If client nevertheless tries to connect, an exception
will be thrown:
connect error: option_error: dco_compatibility: config/options are not
compatible with dco
Fixes OVPN3-960.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Password is not echoed and submitted when Enter is pressed.
This requires not removing ENABLE_PROCESSED_INPUT and ENABLE_LINE_INPUT
flags.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
This is the result after running 'clang-format -i' on all C++ files and
headers, with the defined formatting rules in .clang-format.
Only the openvpn/common/unicode-impl.hpp has been excluded, as that is
mostly a copy of an external project.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Found by clang:
ovpn3/core/test/ovpncli/cli.cpp:664:16: warning:
'remote_override' overrides a member function but is not marked 'override'
[-Winconsistent-missing-override]
virtual void remote_override(ClientAPI::RemoteOverride& ro)
^
ovpn3/core/cmake/../client/ovpncli.hpp:658:20: note:
overridden virtual function is here
virtual void remote_override(RemoteOverride&);
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
The xkey provider has been originally implemented by Selva Nair for
OpenVPN 2.x and he has agreed to allow me to reuse the provider for
OpenSSL 3.0
This brings the xkey provider to OpenSSL to Openvpn3. The xkey_provider.c
file is kept as close as possible to the original OpenVPN 2 source.
From xkey_helper only the parts that were needed were picked up and used
in xkey.hpp.
This also changes the requests for clients wanting to implementing the
API, generally making them more work (adding PSS/PKCS1 padding and hashing)
but this is a good thing since especially external keys/HSM often do not
like doing raw signatures and often require to do padding/hashing themselves.
This commit also updates the test client's EPKI implementation to work
with the new requirements of the new API.
Since most of OpenVPN3's code base assumes having only one compilation unit
and the xkey_provider.c, this commit introduces the ENABLE_EXTERNAL_PKI
define. Only if this is set external key support is supported (and the
xkey_provider.c compilation unit needed).
This commit furthermore removes the pragma statements from extpki.hpp that
supressed warnings when being compiled with OpenSSL 3.0+ as this is header file
longer compiled with OpenSSL 3.0+. (Technically xkey is >= 3.0.1 but we have
no target that is OpenSSL 3.0.0).
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The event is of type INFO_JSON and is formatted:
TUN_BUILDER_CAPTURE:{...}
This info is useful to determine the properties of a
VPN client session such as VPN IPs, Gateway IPs,
and DNS resolvers, and can be directly used as
a VPN Connection Profile.
This patch also adds the
cli --tbc <file>
option to write the TunBuilderCapture JSON to a file.
Signed-off-by: James Yonan <james@openvpn.net>
Introduced in commit
1b5d913503
CID 11054 (#1 of 1): Missing break in switch (MISSING_BREAK)
unterminated_case: The case for value 71 is not terminated
by a break statement
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
We already load the certificates from the config and need the SSL
library context initialised there to allow loading of keys encrypted
with legacy algorithm. Also ensure that enable legacy provider is
set before actually attempting to load the private keys.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This also makes most of them non-static to avoid the problem that these
functions depend on Initprocess::Init being instantiated before being
called.
Rename the local variables eval to eval_cfg to avoid shadowing the
class field of the same name.
cli -Z <file> is used by automated test scripts to write the
SSO URL to a file rather than launch a browser with the URL.
Recently this behavior changed on Linux where -Z now both
writes the URL to a file and also launches a browser with
the URL. This patch reverts behavior back to only writing
the file.
Signed-off-by: James Yonan <james@openvpn.net>
With OpenSSL 3.0 the name with MD5 no longer makes sense as it affects
not only MD5 but also SHA1 and number of other settings. So replace the
define with a more fitting name.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Since IPv4/IPv6 should be treated equally, we should have also
the opportunity to block IPv4. With this change we follow the API
that also Android provides and expliticly tell tunbuilder what to
do with address families that are not used by the VPN. If a
address family is used by the VPN, nothing changes.
This also remove IV_IPV6 as it is not used.
This uses the rather lowlevel EVP_* interfaces directly instead of
using OpenVPN's own PKI classes since this a very specific code
and reusability outside the testing scope is very limited.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Support CR_TEXT type challenge/response exchanges. The challenge flags are
ignored currently, but displayed with the challenge text for debug purposes.
Thus, input is always echoed and it is assumed that a response is
required.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Local DNS resolvers, such as Umbrella Roaming Client,
change DNS settings on adapters to 127.0.0.1.
This may not work with openvpn3 because:
- NRPT rule might be created for "." zone,
which redirects all DNS requests to the server
specified in rule. This takes precendence over adapters'
DNS settings.
- DNS requests might be blocked on all adapters
except TAP (tap-windows6/wintun/ovpn-dco-win) to prevent
DNS leaks.
To enable compatibility with local DNS resolvers, add
"allowLocalDnsResolvers" core config option, which,
when enabled, makes core to
- avoid creating NRPT rule for "." zone
- permit DNS requests to 127.0.0.1 / ::1
Signed-off-by: Lev Stipakov <lev@openvpn.net>
If DCO support is compiled in, detect if it is available (i.e. Windows driver
or Linux kernel module is loaded) and then use it, if it is.
This changes the default configuration for DCO from off to on, so users of
the library need to set ClientAPI::Config::dco to false in case they do not
want to use dco for a connection.
The change is also reflected in the reference client "ovpncli". If DCO is
enabled in a build, it will detect and use it. The previously available
"ovpncliovpndco" and "ovpncliovpndcowin" clients have thus been removed.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Extend struct ProvideCreds so that it can also hold HTTP proxy
credentials. This makes it possible to use proxy settings from
options, but provide credentials separately.
This is in contrast to the already existing struct Config::proxy*
which need to be given as a complete set to override eventual
HTTP proxy options.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Although the init calls were protected by a mutex more than consumer of
the API will the second one if the uninit was called too early.
While at it, move from explicit init/uninit calls to RAII.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Macro OPENVPN_USE_SITNL should be defined before
inclusion of client/ovpncli.cpp.
Include tuncli.hpp for consistency with mac-specific code below.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
If the OPENVPN_USE_SITNL is defined as compiler arguments or set
earlier if cli.cpp was used in an #include statement, the compiler
would warn about OPENVPN_USE_SITNL being redefined.
We want OPENVPN_USE_SITNL by default, but the code does not need
to explicitly define it if it is already defined.
Signed-off-by: David Sommerseth <davids@openvpn.net>
