Squashed 'Sources/OpenVPN3/' changes from 1f92c424e1..407fc5fdb3

3e56f9a644 Finalizing OpenVPN 3 Core library release v3.5.6
a290b87d1a mssparms: do not fail on invalid mssfix values
59f201be90 Finalizing OpenVPN 3 Core library release v3.5.5
bbcf90171f Upgrade OpenSSL to 1.1.1g
a88f2379c3 win/tunutil.hpp: fix TAP adapter name query
abb7857452 Bump openssl version to 1.1.1f
89a3283944 Fix variable name typo in build-openssl
34435cbf65 Support optional HTTP Status Code reason
d5471e1846 Increase OpenSSL version to 1.1.1e
6daf928edb Merge branch 'hotfix/3.4' into released
40f1419b38 Merge branch 'hotfix/3.3' into hotfix/3.4
f225fcd058 Finalizing OpenVPN 3 release v3.3.4
44e8dd8c01 Fix build issues against OpenSSL 1.0.x
65a5e959bc Fix typo in OpenSSL error mapping
042502c932 Additional mappings for OpenSSL errors to OpenVPN error codes
c824c032b1 deps: Update to mbedtls-2.7.13
8b302a01c8 Finalizing OpenVPN 3 release v3.4.2
85bd50a577 Finalizing OpenVPN 3 release v3.3.3

git-subtree-dir: Sources/OpenVPN3
git-subtree-split: 407fc5fdb3bc73cf99dcd85a7fb3c1cbef833f0e

deps/lib-versions

@@ -4,8 +4,8 @@ export ASIO_CSUM=bdb01a649c24d73ca4a836662e7af442d935313ed6deef6b07f17f3bc5f78d7
 export LZ4_VERSION=lz4-1.8.3
 export LZ4_CSUM=33af5936ac06536805f9745e0b6d61da606a1f8b4cc5c04dd3cbaca3b9b4fc43
 
-export MBEDTLS_VERSION=mbedtls-2.7.12
-export MBEDTLS_CSUM=d3a36dbc9f607747daa6875c1ab2e41f49eff5fc99d3436b4f3ac90c89f3c143
+export MBEDTLS_VERSION=mbedtls-2.7.13
+export MBEDTLS_CSUM=6772fe21c7755dc513920e84adec629d39188b6451542ebaece428f0eba655c9
 
 export JSONCPP_VERSION=1.8.4
 export JSONCPP_CSUM=c49deac9e0933bcb7044f08516861a2d560988540b23de2ac1ad443b219afdb6
@@ -19,6 +19,7 @@ export CITYHASH_CSUM=f70368facd15735dffc77fe2b27ab505bfdd05be5e9166d94149a8744c2
 export LZO_VERSION=lzo-2.10
 export LZO_CSUM=c0f892943208266f9b6543b3ae308fab6284c5c90e627931446fb49b4221a072
 
-export OPENSSL_VERSION=openssl-1.1.1d
-export OPENSSL_CSUM=1e3a91bc1f9dfce01af26026f856e064eab4c8ee0a8f457b5ae30b40b8b711f2
+export OPENSSL_VERSION=openssl-1.1.1g
+export OPENSSL_CSUM=ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46
+
 

deps/openssl/build-openssl

@@ -38,7 +38,7 @@ fi
 # source helper functions
 . $O3/core/deps/functions.sh
 
-FNAME=openssl-${OPNESSL_VERSION}.tar.gz
+FNAME=openssl-${OPENSSL_VERSION}.tar.gz
 URL=https://www.openssl.org/source/${OPENSSL_VERSION}.tar.gz
 CSUM=${OPENSSL_CSUM}
 

openvpn/common/version.hpp

@@ -24,5 +24,5 @@
 #pragma once
 
 #ifndef OPENVPN_VERSION
-#define OPENVPN_VERSION "3.5.4"
+#define OPENVPN_VERSION "3.5.6"
 #endif

openvpn/error/error.hpp

@@ -61,6 +61,9 @@ namespace openvpn {
       UDP_CONNECT_ERROR,   // client error on UDP connect
       SSL_ERROR,           // errors resulting from read/write on SSL object
       SSL_PARTIAL_WRITE,   // SSL object did not process all written cleartext
+      SSL_CA_MD_TOO_WEAK,  // CA message digest is too weak
+      SSL_CA_KEY_TOO_SMALL, // CA key is too small
+      SSL_DH_KEY_TOO_SMALL, // DH key is too small
       ENCAPSULATION_ERROR, // exceptions thrown during packet encapsulation
       EPKI_CERT_ERROR,     // error obtaining certificate from External PKI provider
       EPKI_SIGN_ERROR,     // error obtaining RSA signature from External PKI provider
@@ -139,6 +142,9 @@ namespace openvpn {
 	"UDP_CONNECT_ERROR",
 	"SSL_ERROR",
 	"SSL_PARTIAL_WRITE",
+	"SSL_CA_MD_TOO_WEAK",
+	"SSL_CA_KEY_TOO_SMALL",
+	"SSL_DH_KEY_TOO_SMALL",
 	"ENCAPSULATION_ERROR",
 	"EPKI_CERT_ERROR",
 	"EPKI_SIGN_ERROR",

openvpn/http/reply.hpp

@@ -245,7 +245,12 @@ namespace openvpn {
 		return fail;
 	      }
 	  case status_text_start:
-	    if (!Util::is_char(input) || Util::is_ctl(input) || Util::is_tspecial(input))
+	    if (input == '\r')
+	      {
+		state_ = expecting_newline_1;
+		return pending;
+	      }
+	    else if (!Util::is_char(input) || Util::is_ctl(input) || Util::is_tspecial(input))
 	      {
 		return fail;
 	      }

openvpn/openssl/util/error.hpp

@@ -144,6 +144,18 @@ namespace openvpn {
 	    case SSL_R_UNSUPPORTED_PROTOCOL:
 	      set_code(Error::TLS_VERSION_MIN, true);
 	      break;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+            // These error codes are not available in older OpenSSL versions
+	    case SSL_R_CA_MD_TOO_WEAK:
+	      set_code(Error::SSL_CA_MD_TOO_WEAK, true);
+	      break;
+	    case SSL_R_CA_KEY_TOO_SMALL:
+	      set_code(Error::SSL_CA_KEY_TOO_SMALL, true);
+	      break;
+#endif // OpenSSL >= 1.1.0
+	    case SSL_R_DH_KEY_TOO_SMALL:
+	      set_code(Error::SSL_DH_KEY_TOO_SMALL, true);
+	      break;
 	    }
 	}
       errtxt = tmp.str();

openvpn/ssl/mssparms.hpp

@@ -33,18 +33,41 @@ namespace openvpn {
     {
     }
 
-    void parse(const OptionList& opt)
+    void parse(const OptionList& opt, bool nothrow=false)
     {
       const Option *o = opt.get_ptr("mssfix");
       if (o)
 	{
-	  const bool status = parse_number_validate<decltype(mssfix)>(o->get(1, 16),
+	  const std::string* val = o->get_ptr(1, 16);
+	  if (val == nullptr)
+	    {
+	      if (nothrow)
+		{
+		  OPENVPN_LOG("Missing mssfix value, mssfix functionality disabled");
+		  return;
+		}
+	      else
+		throw option_error("mssfix must have a value");
+	    }
+
+	  const bool status = parse_number_validate<decltype(mssfix)>(*val,
 								      16,
 								      576,
 								      65535,
 								      &mssfix);
 	  if (!status)
-	    throw option_error("mssfix: parse/range issue");
+	    {
+	      if (nothrow)
+		{
+		  // no need to warn if mssfix is actually 0
+		  if (*val != "0")
+		    {
+		      OPENVPN_LOG("Invalid mssfix value " << *val << ", mssfix functionality disabled");
+		    }
+		}
+	      else
+		throw option_error("mssfix: parse/range issue");
+	    }
 	  mtu = (o->get_optional(2, 16) == "mtu");
 	}
     }

openvpn/ssl/proto.hpp

@@ -561,7 +561,7 @@ namespace openvpn {
 	tun_mtu = parse_tun_mtu(opt, tun_mtu);
 
 	// mssfix
-	mss_parms.parse(opt);
+	mss_parms.parse(opt, true);
 
 	// load parameters that can be present in both config file or pushed options
 	load_common(opt, pco, server ? LOAD_COMMON_SERVER : LOAD_COMMON_CLIENT);

openvpn/tun/win/tunutil.hpp

@@ -288,15 +288,16 @@ namespace openvpn {
 		  continue;
 
 		wchar_t wbuf[256] = L"";
+		DWORD cbwbuf = sizeof(wbuf);
 		status = ::RegQueryValueExW(connection_key(),
 					    L"Name",
 					    nullptr,
 					    &data_type,
 					    (LPBYTE)wbuf,
-					    &len);
+					    &cbwbuf);
 		if (status != ERROR_SUCCESS || data_type != REG_SZ)
 		  continue;
-		wbuf[(sizeof(wbuf) / sizeof(wchar_t)) - 1] = L'\0';
+		wbuf[(cbwbuf / sizeof(wchar_t)) - 1] = L'\0';
 
 		// iterate through self and try to patch the name
 		{