From f81b84d64d895cc87ecb7e3b4d9b9b2ce73bef4b Mon Sep 17 00:00:00 2001
From: Sergey Abramchuk
Date: Tue, 18 Aug 2020 13:48:40 +0300
Subject: [PATCH] Squashed 'Sources/OpenVPN3/' changes from 1f92c424e1..407fc5fdb3

3e56f9a644 Finalizing OpenVPN 3 Core library release v3.5.6
a290b87d1a mssparms: do not fail on invalid mssfix values
59f201be90 Finalizing OpenVPN 3 Core library release v3.5.5
bbcf90171f Upgrade OpenSSL to 1.1.1g
a88f2379c3 win/tunutil.hpp: fix TAP adapter name query
abb7857452 Bump openssl version to 1.1.1f
89a3283944 Fix variable name typo in build-openssl
34435cbf65 Support optional HTTP Status Code reason
d5471e1846 Increase OpenSSL version to 1.1.1e
6daf928edb Merge branch 'hotfix/3.4' into released
40f1419b38 Merge branch 'hotfix/3.3' into hotfix/3.4
f225fcd058 Finalizing OpenVPN 3 release v3.3.4
44e8dd8c01 Fix build issues against OpenSSL 1.0.x
65a5e959bc Fix typo in OpenSSL error mapping
042502c932 Additional mappings for OpenSSL errors to OpenVPN error codes
c824c032b1 deps: Update to mbedtls-2.7.13
8b302a01c8 Finalizing OpenVPN 3 release v3.4.2
85bd50a577 Finalizing OpenVPN 3 release v3.3.3
git-subtree-dir: Sources/OpenVPN3
git-subtree-split: 407fc5fdb3bc73cf99dcd85a7fb3c1cbef833f0e
---
deps/lib-versions | 9 +++++----
deps/openssl/build-openssl | 2 +-
openvpn/common/version.hpp | 2 +-
openvpn/error/error.hpp | 6 ++++++
openvpn/http/reply.hpp | 7 ++++++-
openvpn/openssl/util/error.hpp | 12 ++++++++++++
openvpn/ssl/mssparms.hpp | 29 ++++++++++++++++++++++++++---
openvpn/ssl/proto.hpp | 2 +-
openvpn/tun/win/tunutil.hpp | 5 +++--
9 files changed, 61 insertions(+), 13 deletions(-)
diff --git a/deps/lib-versions b/deps/lib-versions
index 6e4efab..66af65f 100644
--- a/deps/lib-versions
+++ b/deps/lib-versions
@@ -4,8 +4,8 @@ export ASIO_CSUM=bdb01a649c24d73ca4a836662e7af442d935313ed6deef6b07f17f3bc5f78d7
 export LZ4_VERSION=lz4-1.8.3
 export LZ4_CSUM=33af5936ac06536805f9745e0b6d61da606a1f8b4cc5c04dd3cbaca3b9b4fc43
-export MBEDTLS_VERSION=mbedtls-2.7.12
-export MBEDTLS_CSUM=d3a36dbc9f607747daa6875c1ab2e41f49eff5fc99d3436b4f3ac90c89f3c143
+export MBEDTLS_VERSION=mbedtls-2.7.13
+export MBEDTLS_CSUM=6772fe21c7755dc513920e84adec629d39188b6451542ebaece428f0eba655c9
 export JSONCPP_VERSION=1.8.4
 export JSONCPP_CSUM=c49deac9e0933bcb7044f08516861a2d560988540b23de2ac1ad443b219afdb6
@@ -19,6 +19,7 @@ export CITYHASH_CSUM=f70368facd15735dffc77fe2b27ab505bfdd05be5e9166d94149a8744c2
 export LZO_VERSION=lzo-2.10
 export LZO_CSUM=c0f892943208266f9b6543b3ae308fab6284c5c90e627931446fb49b4221a072
-export OPENSSL_VERSION=openssl-1.1.1d
-export OPENSSL_CSUM=1e3a91bc1f9dfce01af26026f856e064eab4c8ee0a8f457b5ae30b40b8b711f2
+export OPENSSL_VERSION=openssl-1.1.1g
+export OPENSSL_CSUM=ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46
+
diff --git a/deps/openssl/build-openssl b/deps/openssl/build-openssl
index 200dc6e..ea15ffa 100755
--- a/deps/openssl/build-openssl
+++ b/deps/openssl/build-openssl
@@ -38,7 +38,7 @@ fi
 # source helper functions
 . $O3/core/deps/functions.sh
-FNAME=openssl-${OPNESSL_VERSION}.tar.gz
+FNAME=openssl-${OPENSSL_VERSION}.tar.gz
 URL=https://www.openssl.org/source/${OPENSSL_VERSION}.tar.gz
 CSUM=${OPENSSL_CSUM}
diff --git a/openvpn/common/version.hpp b/openvpn/common/version.hpp
index f740016..6c880a2 100644
--- a/openvpn/common/version.hpp
+++ b/openvpn/common/version.hpp
@@ -24,5 +24,5 @@
 #pragma once
 #ifndef OPENVPN_VERSION
-#define OPENVPN_VERSION "3.5.4"
+#define OPENVPN_VERSION "3.5.6"
 #endif
diff --git a/openvpn/error/error.hpp b/openvpn/error/error.hpp
index 59cc61e..75a1070 100644
--- a/openvpn/error/error.hpp
+++ b/openvpn/error/error.hpp
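Review bot: `FNAME` still carries a redundant prefix after the typo fix: lib-versions in this same patch sets `OPENSSL_VERSION=openssl-1.1.1g`, so `FNAME=openssl-${OPENSSL_VERSION}.tar.gz` expands to `openssl-openssl-1.1.1g.tar.gz` while `URL` resolves to `.../openssl-1.1.1g.tar.gz`. If `FNAME` is only the local cache name (how functions.sh consumes it is outside the hunk) this is cosmetic, but if it is ever matched against the URL basename or an extracted directory the two disagree; `FNAME=${OPENSSL_VERSION}.tar.gz` would make them consistent. The pinned `CSUM=${OPENSSL_CSUM}` is what actually anchors the download, so please confirm the helper fails hard on a checksum mismatch rather than warning, since before this fix the unset variable silently produced `openssl-.tar.gz` without the build noticing.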
@@ -61,6 +61,9 @@ namespace openvpn {
 UDP_CONNECT_ERROR, // client error on UDP connect
 SSL_ERROR, // errors resulting from read/write on SSL object
 SSL_PARTIAL_WRITE, // SSL object did not process all written cleartext
+ SSL_CA_MD_TOO_WEAK, // CA message digest is too weak
+ SSL_CA_KEY_TOO_SMALL, // CA key is too small
+ SSL_DH_KEY_TOO_SMALL, // DH key is too small
 ENCAPSULATION_ERROR, // exceptions thrown during packet encapsulation
 EPKI_CERT_ERROR, // error obtaining certificate from External PKI provider
 EPKI_SIGN_ERROR, // error obtaining RSA signature from External PKI provider
@@ -139,6 +142,9 @@ namespace openvpn {
 "UDP_CONNECT_ERROR",
 "SSL_ERROR",
 "SSL_PARTIAL_WRITE",
+ "SSL_CA_MD_TOO_WEAK",
+ "SSL_CA_KEY_TOO_SMALL",
+ "SSL_DH_KEY_TOO_SMALL",
 "ENCAPSULATION_ERROR",
 "EPKI_CERT_ERROR",
 "EPKI_SIGN_ERROR",
diff --git a/openvpn/http/reply.hpp b/openvpn/http/reply.hpp
index 9c303af..377141a 100644
--- a/openvpn/http/reply.hpp
+++ b/openvpn/http/reply.hpp
@@ -245,7 +245,12 @@ namespace openvpn {
 return fail;
 }
 case status_text_start:
- if (!Util::is_char(input) || Util::is_ctl(input) || Util::is_tspecial(input))
+ if (input == '\r')
+ {
+ state_ = expecting_newline_1;
+ return pending;
+ }
+ else if (!Util::is_char(input) || Util::is_ctl(input) || Util::is_tspecial(input))
 {
 return fail;
 }
diff --git a/openvpn/openssl/util/error.hpp b/openvpn/openssl/util/error.hpp
index 8f1695f..2c78680 100644
--- a/openvpn/openssl/util/error.hpp
+++ b/openvpn/openssl/util/error.hpp
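Review bot: Inserting the three new enumerators ahead of `ENCAPSULATION_ERROR` shifts the numeric value of every code after `SSL_PARTIAL_WRITE`; the enum's declaration starts outside the hunk, so I cannot see whether it has a fixed underlying type or is exported, but this subtree is consumed by a host application, and if any code ever crosses into logs, telemetry or a bridge layer as an integer, appending the new values before the terminating entry instead keeps existing codes stable. Please also confirm the companion string table in the next hunk stays index-aligned — a `static_assert` on its length against the enum count is cheap insurance if one does not already exist. A comment on the new entries would record why they are separate codes, e.g. `// credential-policy rejections from the TLS library (weak CA digest/key, small DH group), kept distinct from SSL_ERROR so the UI can point at the profile`; whether OpenSSL's security level is the source is an inference, so word it accordingly.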
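Review bot: The new `'\r'` branch makes an empty reason phrase legal but skips the `status_text` path entirely, so whatever field the parser fills with the reason phrase must already be default-initialised to empty or a caller will read a stale value on a `HTTP/1.1 200 \r\n` status line; the `status_text` and `expecting_newline_1` states are outside the hunk, so please verify `expecting_newline_1` still insists on a following `'\n'` — a lone CR must not terminate the status line on a parser that handles responses from the network. RFC 7230 §3.1.2 defines `reason-phrase = *( HTAB / SP / VCHAR / obs-text )`, so a phrase that starts with SP, HTAB or a tspecial such as `(` is still rejected by the `else if`; that strictness is pre-existing rather than introduced here, but it is worth noting next to the check. Suggested comment above the new branch: `// RFC 7230 §3.1.2: the reason-phrase may be empty, e.g. "HTTP/1.1 204 \r\n"`.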
@@ -144,6 +144,18 @@ namespace openvpn {
 case SSL_R_UNSUPPORTED_PROTOCOL:
 set_code(Error::TLS_VERSION_MIN, true);
 break;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ // These error codes are not available in older OpenSSL versions
+ case SSL_R_CA_MD_TOO_WEAK:
+ set_code(Error::SSL_CA_MD_TOO_WEAK, true);
+ break;
+ case SSL_R_CA_KEY_TOO_SMALL:
+ set_code(Error::SSL_CA_KEY_TOO_SMALL, true);
+ break;
+#endif // OpenSSL >= 1.1.0
+ case SSL_R_DH_KEY_TOO_SMALL:
+ set_code(Error::SSL_DH_KEY_TOO_SMALL, true);
+ break;
 }
 }
 errtxt = tmp.str();
diff --git a/openvpn/ssl/mssparms.hpp b/openvpn/ssl/mssparms.hpp
index af50b5a..6ad3754 100644
--- a/openvpn/ssl/mssparms.hpp
+++ b/openvpn/ssl/mssparms.hpp
@@ -33,18 +33,41 @@ namespace openvpn {
 {
 }
- void parse(const OptionList& opt)
+ void parse(const OptionList& opt, bool nothrow=false)
 {
 const Option *o = opt.get_ptr("mssfix");
 if (o)
 {
- const bool status = parse_number_validate(o->get(1, 16),
+ const std::string* val = o->get_ptr(1, 16);
+ if (val == nullptr)
+ {
+ if (nothrow)
+ {
+ OPENVPN_LOG("Missing mssfix value, mssfix functionality disabled");
+ return;
+ }
+ else
+ throw option_error("mssfix must have a value");
+ }
+
+ const bool status = parse_number_validate(*val,
 16, 576, 65535, &mssfix);
 if (!status)
- throw option_error("mssfix: parse/range issue");
+ {
+ if (nothrow)
+ {
+ // no need to warn if mssfix is actually 0
+ if (*val != "0")
+ {
+ OPENVPN_LOG("Invalid mssfix value " << *val << ", mssfix functionality disabled");
+ }
+ }
+ else
+ throw option_error("mssfix: parse/range issue");
+ }
 mtu = (o->get_optional(2, 16) == "mtu");
 }
 }
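Review bot: `SSL_R_DH_KEY_TOO_SMALL` sits outside the `#if OPENSSL_VERSION_NUMBER >= 0x10100000L` guard, which is fine for the 1.0.2 line (as far as I recall the reason code arrived with the Logjam fixes in 1.0.1n/1.0.2b) but would not compile against anything older, and the guard comment only says "older OpenSSL versions" without naming a floor. State the minimum explicitly so the next person touching this does not have to rediscover it: `// SSL_R_DH_KEY_TOO_SMALL exists since 1.0.1n/1.0.2b; the two CA_* reasons only since 1.1.0`. Mapping all three with the same second argument as the `TLS_VERSION_MIN` case above (presumably the fatal flag) looks right, since these are policy rejections of the peer's credentials rather than transient I/O errors and a retry would just repeat them. The switch being extended starts outside the hunk.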
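Review bot: In `nothrow` mode an invalid value logs "mssfix functionality disabled" but nothing is disabled: `mssfix` keeps whatever it held before (the earlier config value, if this is a re-parse against pushed options) and execution falls through to set `mtu` from the rejected option, so the message over-promises. If 0 is the off value, as the `*val != "0"` special case implies, and `parse_number_validate` does not store on failure (not visible here), the failure branch should end with `mssfix = 0; return;`, and the `val == nullptr` branch should likewise reset before its `return`. Keep in mind this path is reachable with server-supplied values once proto.hpp passes `true`, so a pushed `mssfix junk` must leave the client in a well-defined state rather than a stale one. A one-line doc on the new parameter would also help: `// nothrow: log and disable mssfix instead of throwing, so a bad value cannot abort the session`.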
@@ -561,7 +561,7 @@ namespace openvpn {
 tun_mtu = parse_tun_mtu(opt, tun_mtu);
 // mssfix
- mss_parms.parse(opt);
+ mss_parms.parse(opt, true);
 // load parameters that can be present in both config file or pushed options
 load_common(opt, pco, server ? LOAD_COMMON_SERVER : LOAD_COMMON_CLIENT);
diff --git a/openvpn/tun/win/tunutil.hpp b/openvpn/tun/win/tunutil.hpp
index 6e2752f..7bb7737 100644
--- a/openvpn/tun/win/tunutil.hpp
+++ b/openvpn/tun/win/tunutil.hpp
@@ -288,15 +288,16 @@ namespace openvpn {
 continue;
 wchar_t wbuf[256] = L"";
+ DWORD cbwbuf = sizeof(wbuf);
 status = ::RegQueryValueExW(connection_key(),
 L"Name",
 nullptr,
 &data_type,
 (LPBYTE)wbuf,
- &len);
+ &cbwbuf);
 if (status != ERROR_SUCCESS || data_type != REG_SZ)
 continue;
- wbuf[(sizeof(wbuf) / sizeof(wchar_t)) - 1] = L'\0';
+ wbuf[(cbwbuf / sizeof(wchar_t)) - 1] = L'\0';
 // iterate through self and try to patch the name
 {
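Review bot: `true` is passed unconditionally, so a mistyped `mssfix` in the user's own profile is now only logged rather than rejected, which removes the early feedback a local config error used to get. If this `load` also processes the initial profile and not just server-pushed options (its signature is outside the hunk, so I cannot tell), consider keying the argument on the option source rather than always suppressing the throw, e.g. passing `true` only when the options come from the push reply. The surrounding comment `// load parameters that can be present in both config file or pushed options` suggests both do flow through here.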
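Review bot: The new terminator index underflows when the registry value is shorter than one `wchar_t`: `RegQueryValueExW` can succeed with `cbwbuf` of 0 for an empty `REG_SZ`, and `(cbwbuf / sizeof(wchar_t)) - 1` is then an unsigned wrap-around that writes `L'\0'` far outside `wbuf`. It also clobbers the last real character when the value was stored without a terminating null (which the registry permits), since `cbwbuf` then counts only the characters. Because `wchar_t wbuf[256] = L""` already zero-fills the whole array, the original `wbuf[(sizeof(wbuf) / sizeof(wchar_t)) - 1] = L'\0';` was the safe form and only the `&len` → `&cbwbuf` argument fix was needed; either restore that line or guard it with `if (cbwbuf < sizeof(wchar_t)) continue;` before indexing. The loop containing this lookup starts and ends outside the hunk.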