Squashed 'OpenVPN Adapter/Vendors/openvpn/' changes from 098fd412a..e6d68831a

e6d68831a deps: update mbedTLS to 2.7.0 59de63fa6 cli.cpp: added OPENVPN_REMOTE_OVERRIDE caf9cf6c1 RedirectPipe: added additional flags for flexibility 68595de4d ClientAPI::RemoteOverride: added error status 37d848ca2 Log lines from C++ exceptions should contain the text "exception" f05802cf9 Increase server validation of password size to 16KB to support bundling SAML messages. 52e4d4a5f Increase client validation of password/response size to 16KB to support bundling SAML messages. a0416ed92 [OVPN3-209] win: add dependencies checksum verification f6eadbc4d [OVPN3-206] Refactor Windows build system 7b30c2f12 [OVPN3-220] proto.hpp: send initial options set on rekeying 33dd2f29e mbedtls: backport fixes for CVE-2018-0487 0912a9b62 [OVPN3-213] build system: mbedtls timing tests 98fa55576 deps: update asio to 1.12.0 620531101 [OVPN3-215] asio: apply external patches f4a73bde5 [OVPN3-215] asio: rebase external patches on top of our current commit ID a61cac928 mbedtls: Patches from 2.7 to fix timing test failures c892f41fb win: tune dependencies build 8a394a37d [OVPN3-213] build system: mbedtls timing tests 0a3dd67da [OVPN3-190] tun linux: add to/from_json methods 44c6cdfdc [OVPN3-206] readme: update Windows build instructions 0edec4a09 [OVPN3-206] win: update directories in VS projects 3d6fd62cb mac build: improve unittest stability 758ae98c6 [OVPN3-209] win: add dependencies checksum verification a7642ee82 [OVPN3-205] win: apply mbedTLS patches ac94b6eb7 [OVPN3-206] Refactor Windows build system c5bc3859e mbedTLS: don't set endpoint twice in conf object 3d5dd9ee3 [OVPN3-199] mac build: do not overwrite DEP_DIR b713762ba mbedtls: Patches from 2.7 to fix timing test failures 37ab79fa6 tun linux: apply changes from 362acf0 6a7aee2c9 [OVPN3-190] tun: implement persistence 1d2ebb07f [OVPN3-190] tun: move tun creation to separate class 53e33d634 [OVPN3-190] tun: move content of tun to tuncli 85d3377c2 [OVPN3-190] tun: move tun setup methods to separate file 735b985eb i/o layer: wrap raw pointers embedded in closures 322ae24b5 OptionList: support variadic template parameter pack in constructors 8a012b454 lz4: added namespace and improved error handling 34998e94a zlib: removed verbose parameter 846ed217d OpenSSL: set SSL_MODE_RELEASE_BUFFERS to conserve memory by releasing unneeded buffers 32e3ea117 OptionList: added show_unused_options() method fe38233a8 Buffer: added typedefs for thread-safe refcounts b34b6271e compression: added compress_lz4() and decompress_lz4() 755e1a181 linux/core.hpp: added exclude_from_core() function a7f6fe64f ManClientInstance::Send: added userprop_local_update() virtual method 94526ac19 BufferAllocated: fixed regression in buffer copy 33c16812e [OVPN3-144] mbedTLS: fix support for 4096bit encrypted keys f249ab4bd [OVPN3-144] build-mbedtls: run make check before compiling 5040aef4c [OVPN3-144] build-mbedtls: apply patches using git-apply instead of patch 8a5e838ab [OVPN3-144] mbedTLS: fix incompatibility with PKI created by OpenSSL 1.1 e7badefd7 proto.hpp/tls-crypt: fix access to ACK IDs during packet validation 73fa974db proto.hpp: print buffer exception in case of packet access error 79ad5eded Estblishing a stable branch 1c5f20ab0 Hide the @ sign in logs if username is empty 01ee1f5a4 Added ClientAPI::Config::retryOnAuthFailed parameter 05880b136 Added ProfileParseLimits::MAX_SERVER_LIST_SIZE and raise limit to 4096 eedee4fa6 cli.cpp: allow -s server override to reference a friendly name 6e350e9f9 Linux tun setup: use LinuxGW46 to obtain gateway info 3e044c6c7 top-level .gitignore was missing a trailing newline a27355ac7 Use C++11 push_back(std::move(...))) for pushing objects onto vectors 8c3af2704 HostPort::split_host_port: support unix socket filename as an alternative kind of host 14b588c86 asio: added asio_resolver_results_to_string() fd6e8e9bf AsioPolySock: minor changes to remote_endpoint_str() 06f5e4d71 AsioBoundSocket::Socket: added to_string() method 8fd968532 RemoteList: minor cleanup in set_endpoint_range() f9fc2f54e BufferAllocated: improve movability 8cb8d52cd string: added first_line() method a26b1646b AsioPolySock: extend AltRouting support ef3a40c27 Listen::Item: added AltRouting mode 02e786bc9 write_binary_atomic: support ConstBuffer 6745799c9 fileunix: added read_binary_unix_fast() 5689c2d9c write_binary_unix(): added ConstBuffer variant 2b0e76453 enum_dir: refactor to allow enumeration via lambda 116a5bd5e bufstr: added const_buf_from_string() method f8ec81413 Buffer: added const_buffer_ref() variant accepting a const argument ae98aa8b6 AsioPolySock: support AltRouting 8f81479f1 AsioBoundSocket::Socket: support inheritance 9598918e9 ServerProto: added schedule_disconnect() method. 4516cf67b ServerProto: reset CoarseTime object when AsioTimer is canceled 0ffc76a0b Route: implement operator< so Route objects can be used as map/set keys. c4af9f68b event_loop_wait_barrier: raise default timeout to 30 seconds d7fe87540 appversion.hpp: rename VERSION -> BUILD_VERSION git-subtree-dir: OpenVPN Adapter/Vendors/openvpn git-subtree-split: e6d68831a71131b7d92fbea93d3b9cbe10ba2068
2026-04-24 00:00:05 +08:00 · 2018-04-04 12:34:20 +03:00
parent 055bb04c14
commit 84ad2a289f
81 changed files with 5189 additions and 856 deletions
@@ -93,7 +93,7 @@ namespace openvpn {
      }
      catch (const std::exception& e)
 	{
-	  OPENVPN_LOG("ActionThread Exception: " << e.what());
+	  OPENVPN_LOG("ActionThread exception: " << e.what());
 	}
      openvpn_io::post(io_context, [self=Ptr(this), status]()
 		 {
@@ -22,12 +22,12 @@
 #ifndef OPENVPN_COMMON_APPVERSION_H
 #define OPENVPN_COMMON_APPVERSION_H

-// VERSION version can be passed on build command line
+// BUILD_VERSION version can be passed on build command line

 #include <openvpn/common/stringize.hpp>

-#ifdef VERSION
-#define MY_VERSION OPENVPN_STRINGIZE(VERSION)
+#ifdef BUILD_VERSION
+#define MY_VERSION OPENVPN_STRINGIZE(BUILD_VERSION)
 #else
 #define MY_VERSION "0.1.0"
 #endif
@@ -34,10 +34,28 @@
 #include <openvpn/common/size.hpp>
 #include <openvpn/common/exception.hpp>
 #include <openvpn/common/uniqueptr.hpp>
+#include <openvpn/common/function.hpp>

 namespace openvpn {
  OPENVPN_EXCEPTION(enum_dir_error);

+  inline bool enum_dir(const std::string& dirname,
+		       Function<void(std::string fn)> func)
+  {
+    unique_ptr_del<DIR> dir(::opendir(dirname.c_str()), [](DIR* d) { ::closedir(d); });
+    if (!dir)
+      return false;
+
+    struct dirent *e;
+    while ((e = ::readdir(dir.get())) != nullptr)
+      {
+	std::string fn(e->d_name);
+	if (fn != "." && fn != "..")
+	  func(std::move(fn));
+      }
+    return true;
+  }
+
  inline std::vector<std::string> enum_dir(const std::string& dirname,
 					   const size_t size_hint=0,
 					   const bool sort=false)
@@ -45,23 +63,18 @@ namespace openvpn {
    std::vector<std::string> ret;
    if (size_hint)
      ret.reserve(size_hint);
-    unique_ptr_del<DIR> dir(::opendir(dirname.c_str()), [](DIR* d) { ::closedir(d); });
-    if (!dir)
-      throw enum_dir_error(dirname + ": cannot open directory");

-    struct dirent *e;
-    while ((e = ::readdir(dir.get())) != nullptr)
-      {
-	std::string fn(e->d_name);
-	if (fn != "." && fn != "..")
+    if (!enum_dir(dirname, [&ret](std::string fn) {
 	  ret.push_back(std::move(fn));
-      }
+	}))
+      throw enum_dir_error(dirname + ": cannot open directory");

    if (sort)
      std::sort(ret.begin(), ret.end());

    return ret;
  }
+
 }

 #endif
@@ -47,7 +47,7 @@ namespace openvpn {
  inline void write_binary_atomic(const std::string& fn,
 				  const std::string& tmpdir,
 				  const mode_t mode,
-				  const Buffer& buf,
+				  const ConstBuffer& buf,
 				  RandomAPI& rng)
  {
    // generate temporary filename
@@ -65,6 +65,15 @@ namespace openvpn {
 	OPENVPN_THROW(file_unix_error, "error moving '" << tfn << "' -> '" << fn << "' : " << strerror_str(eno));
      }
  }
+
+  inline void write_binary_atomic(const std::string& fn,
+				  const std::string& tmpdir,
+				  const mode_t mode,
+				  const Buffer& buf,
+				  RandomAPI& rng)
+  {
+    return write_binary_atomic(fn, tmpdir, mode, const_buffer_ref(buf), rng);
+  }
 }

 #endif
@@ -82,6 +82,13 @@ namespace openvpn {
    write_binary_unix(fn, mode, buf.c_data(), buf.size());
  }

+  inline void write_binary_unix(const std::string& fn,
+				const mode_t mode,
+				const ConstBuffer& buf)
+  {
+    write_binary_unix(fn, mode, buf.c_data(), buf.size());
+  }
+
  inline void write_text_unix(const std::string& fn,
 			      const mode_t mode,
 			      const std::string& content)
@@ -140,6 +147,19 @@ namespace openvpn {
    return bp;
  }

+  inline bool read_binary_unix_fast(const std::string& fn,
+				    Buffer& out)
+  {
+    ScopedFD fd(::open(fn.c_str(), O_RDONLY|O_CLOEXEC));
+    if (!fd.defined())
+	return errno;
+    const ssize_t status = ::read(fd(), out.data_end(), out.remaining(0));
+    if (status < 0)
+      return errno;
+    out.inc_size(status);
+    return 0;
+  }
+
  inline std::string read_text_unix(const std::string& filename,
 				    const std::uint64_t max_size = 0,
 				    const unsigned int buffer_flags = 0)
@@ -85,6 +85,23 @@ namespace openvpn {
      return true;
    }

+    inline bool is_valid_unix_sock_char(const unsigned char c)
+    {
+      return c >= 0x21 && c <= 0x7E;
+    }
+
+    inline bool is_valid_unix_sock(const std::string& host)
+    {
+      if (!host.length() || host.length() > 256)
+	return false;
+      for (const auto &c : host)
+	{
+	  if (!is_valid_unix_sock_char(c))
+	    return false;
+	}
+      return true;
+    }
+
    inline void validate_host(const std::string& host, const std::string& title)
    {
      if (!is_valid_host(host))
@@ -95,8 +112,11 @@ namespace openvpn {
 				std::string& host,
 				std::string& port,
 				const std::string& default_port,
+				const bool allow_unix,
 				unsigned int *port_save = nullptr)
    {
+      if (port_save)
+	*port_save = 0;
      const size_t pos = str.find_last_of(':');
      const size_t cb = str.find_last_of(']');
      if (pos != std::string::npos && (cb == std::string::npos || pos > cb))
@@ -118,7 +138,10 @@ namespace openvpn {
      if (host.length() >= 2 && host[0] == '[' && host[host.length()-1] == ']')
 	host = host.substr(1, host.length()-2);

-      return is_valid_host(host) && is_valid_port(port, port_save);
+      if (allow_unix && port == "unix")
+	return is_valid_unix_sock(host);
+      else
+	return is_valid_host(host) && is_valid_port(port, port_save);
    }

  }
@@ -104,7 +104,7 @@ namespace openvpn {
    Option(T first, Args... args)
    {
      reserve(1 + sizeof...(args));
-      from_list(first, args...);
+      from_list(std::move(first), std::forward<Args>(args)...);
    }

    static validate_status validate(const std::string& str, const size_t max_len)
@@ -360,8 +360,8 @@ namespace openvpn {
    template<typename T, typename... Args>
    void from_list(T first, Args... args)
    {
-      from_list(first);
-      from_list(args...);
+      from_list(std::move(first));
+      from_list(std::forward<Args>(args)...);
    }

    volatile mutable bool touched_ = false;
@@ -661,6 +661,18 @@ namespace openvpn {
      }
    };

+    OptionList()
+    {
+    }
+
+    template<typename T, typename... Args>
+    OptionList(T first, Args... args)
+    {
+      reserve(1 + sizeof...(args));
+      from_list(std::move(first), std::forward<Args>(args)...);
+      update_map();
+    }
+
    static OptionList parse_from_csv_static(const std::string& str, Limits* lim)
    {
      OptionList ret;
@@ -1268,6 +1280,17 @@ namespace openvpn {
      return n;
    }

+    void show_unused_options(const char *title=nullptr) const
+    {
+      // show unused options
+      if (n_unused())
+	{
+	  if (!title)
+	    title = "NOTE: Unused Options";
+	  OPENVPN_LOG_NTNL(title << std::endl << render(Option::RENDER_TRUNC_64|Option::RENDER_NUMBER|Option::RENDER_BRACKET|Option::RENDER_UNUSED));
+	}
+    }
+
    // Add item to underlying option list while updating map as well.
    void add_item(const Option& opt) 
    {
@@ -1401,6 +1424,18 @@ namespace openvpn {
      OPENVPN_THROW(option_error, "line " << line_num << " is too long");
    }

+    void from_list(Option opt)
+    {
+      push_back(std::move(opt));
+    }
+
+    template<typename T, typename... Args>
+    void from_list(T first, Args... args)
+    {
+      from_list(std::move(first));
+      from_list(std::forward<Args>(args)...);
+    }
+
    IndexMap map_;
  };

@@ -118,11 +118,13 @@ namespace openvpn {
 			const Argv& argv,
 			const Environ* env,
 			RedirectPipe::InOut& inout,
-			const bool combine_out_err)
+			unsigned int redirect_pipe_flags)
  {
    SignalBlockerPipe sbpipe;
    RedirectPipe remote;
-    RedirectPipe local(remote, combine_out_err, !inout.in.empty());
+    if (!inout.in.empty())
+      redirect_pipe_flags |= RedirectPipe::ENABLE_IN;
+    RedirectPipe local(remote, redirect_pipe_flags);
    const pid_t pid = system_cmd_async(cmd, argv, env, &remote);
    if (pid < pid_t(0))
      return -1;
@@ -159,7 +161,7 @@ namespace openvpn {
 	    os << "Error: command failed to execute" << std::endl;
 #else
 	  RedirectPipe::InOut inout;
-	  const int status = system_cmd(argv[0], argv, nullptr, inout, true);
+	  const int status = system_cmd(argv[0], argv, nullptr, inout, RedirectPipe::COMBINE_OUT_ERR);
 	  if (status < 0)
 	    os << "Error: command failed to execute" << std::endl;
 	  os << inout.out;
@@ -202,6 +202,14 @@ namespace openvpn {
  class RedirectPipe : public RedirectStdFD
  {
  public:
+    enum {
+      COMBINE_OUT_ERR = (1<<0),  // capture combined stdout/stderr using a pipe
+      ENABLE_IN       = (1<<1),  // make a string -> stdin pipe, otherwise redirect stdin from /dev/null
+      IGNORE_IN       = (1<<2),  // don't touch stdin
+      IGNORE_OUT      = (1<<3),  // don't touch stdout
+      IGNORE_ERR      = (1<<4),  // don't touch stderr
+    };
+
    struct InOut
    {
      std::string in;
@@ -212,40 +220,50 @@ namespace openvpn {
    RedirectPipe() {}

    RedirectPipe(RedirectStdFD& remote,
-		 const bool combine_out_err_arg,
-		 const bool enable_in)
+		 const unsigned int flags_arg)
+      : flags(flags_arg)
    {
-      int fd[2];
-
      // stdout
-      Pipe::make_pipe(fd);
-      out.reset(cloexec(fd[0]));
-      remote.out.reset(fd[1]);
+      if (!(flags & IGNORE_OUT))
+	{
+	  int fd[2];
+	  Pipe::make_pipe(fd);
+	  out.reset(cloexec(fd[0]));
+	  remote.out.reset(fd[1]);
+	}

      // stderr
-      combine_out_err = remote.combine_out_err = combine_out_err_arg;
-      if (!combine_out_err)
+      if (!(flags & IGNORE_ERR))
 	{
-	  Pipe::make_pipe(fd);
-	  err.reset(cloexec(fd[0]));
-	  remote.err.reset(fd[1]);
+	  combine_out_err = remote.combine_out_err = ((flags & (COMBINE_OUT_ERR|IGNORE_OUT)) == COMBINE_OUT_ERR);
+	  if (!combine_out_err)
+	    {
+	      int fd[2];
+	      Pipe::make_pipe(fd);
+	      err.reset(cloexec(fd[0]));
+	      remote.err.reset(fd[1]);
+	    }
 	}

      // stdin
-      if (enable_in)
+      if (!(flags & IGNORE_IN))
 	{
-	  Pipe::make_pipe(fd);
-	  in.reset(cloexec(fd[1]));
-	  remote.in.reset(fd[0]);
-	}
-      else
-	{
-	  // open /dev/null for stdin
-	  remote.in.reset(::open("/dev/null", O_RDONLY, 0));
-	  if (!remote.in.defined())
+	  if (flags & ENABLE_IN)
 	    {
-	      const int eno = errno;
-	      OPENVPN_THROW(redirect_std_err, "error opening /dev/null : " << strerror_str(eno));
+	      int fd[2];
+	      Pipe::make_pipe(fd);
+	      in.reset(cloexec(fd[1]));
+	      remote.in.reset(fd[0]);
+	    }
+	  else
+	    {
+	      // open /dev/null for stdin
+	      remote.in.reset(::open("/dev/null", O_RDONLY, 0));
+	      if (!remote.in.defined())
+		{
+		  const int eno = errno;
+		  OPENVPN_THROW(redirect_std_err, "error opening /dev/null : " << strerror_str(eno));
+		}
 	    }
 	}
    }
@@ -253,12 +271,24 @@ namespace openvpn {
    void transact(InOut& inout)
    {
      openvpn_io::io_context io_context(1);
-      Pipe::SD_OUT send_in(io_context, inout.in, in);
-      Pipe::SD_IN recv_out(io_context, out);
-      Pipe::SD_IN recv_err(io_context, err);
+
+      std::unique_ptr<Pipe::SD_OUT> send_in;
+      std::unique_ptr<Pipe::SD_IN> recv_out;
+      std::unique_ptr<Pipe::SD_IN> recv_err;
+
+      if (!(flags & IGNORE_IN))
+	send_in.reset(new Pipe::SD_OUT(io_context, inout.in, in));
+      if (!(flags & IGNORE_OUT))
+	recv_out.reset(new Pipe::SD_IN(io_context, out));
+      if (!(flags & IGNORE_ERR))
+	recv_err.reset(new Pipe::SD_IN(io_context, err));
+
      io_context.run();
-      inout.out = recv_out.content();
-      inout.err = recv_err.content();
+
+      if (recv_out)
+	inout.out = recv_out->content();
+      if (recv_err)
+	inout.err = recv_err->content();
    }

  private:
@@ -273,6 +303,7 @@ namespace openvpn {
      return fd;
    }

+    const unsigned int flags = 0;
  };
 }

@@ -222,6 +222,16 @@ namespace openvpn {
      return str.find_first_of('\n') != std::string::npos;
    }

+    // return the first line (without newline) of a multi-line string
+    std::string first_line(const std::string& str)
+    {
+      const size_t pos = str.find_first_of('\n');
+      if (pos != std::string::npos)
+	return str.substr(0, pos);
+      else
+	return str;
+    }
+
    // Define a common interpretation of what constitutes a space character.
    // Return true if c is a space char.
    inline bool is_space(const char c)
@@ -24,6 +24,6 @@
 #ifndef OPENVPN_COMMON_VERSION_H
 #define OPENVPN_COMMON_VERSION_H

-#define OPENVPN_VERSION "3.1.2"
+#define OPENVPN_VERSION "3.git:master"

 #endif // OPENVPN_COMMON_VERSION_H
@@ -28,7 +28,7 @@
 namespace openvpn {
  template <typename THREAD_COMMON>
  inline void event_loop_wait_barrier(THREAD_COMMON& tc,
-				      const unsigned int seconds=10)
+				      const unsigned int seconds=30)
  {
    // barrier prior to event-loop entry
    switch (tc.event_loop_bar.wait(seconds))