Squashed 'Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/' changes from 275cf80efb..7db7a009b0

7db7a009b0 proto: Client complains about stub compressors
390154d0e4 Update Build instructions for OSX
1b92069834 deps: Update to mbedtls-2.7.12
8cab79540d compression: Extend compression alert to include server pushes
67b4641a99 CompressContext: Add is_any_stub() method
cdf9e7bece compression: Issue an Event if compression is activated
fa38064403 build script: added a new PROF type "auto" that tries to automatically determine the local platform
7ce7b52b7c MTRand: added OPENVPN_INSECURE_RANDOM compile flag that allows MTRand to masquerade as a secure RNG
85e7e49f72 MTRand: added constructor accepting an initialization seed
1fa3229a10 IPv4, IPv6: added #include <openvpn/common/hash.hpp>
48e9217d26 vcxproj: add missing header file
d2a2601b2f Wintun: unmap ring buffers
e320bc63ff openssl: Improve OpenSSLContext fencing against multiple declarations
2f8fe2d318 openssl: Missing inline keyword in a couple of compat functions
32b984c0ff enum_dir: use a function template
725ee04593 VPNServerNetblock::Netblock::to_string(): show prefix_len
409d1c52b8 ManClientInstance::Send::describe_user(): added bool show_userprop parameter
e05fc16b20 string::indent(): try to fix all the corner cases
4e1645ea80 RunContext: mark virtual Stop* async_stop() with override attribute
e8b31c5454 cli: advertise "openurl" as supported SSO method
80b45731eb ICMPv6: added DEST_UNREACH code
679003094d AsioTimerSafe: refactor to allow as drop-in replacement for AsioTimer
f7845578f1 RunContext: check for halt in timer closure
84483eda25 AsioPolySock: add support for socket shutdown
1b3402aec3 tcplinkcommon.hpp: added missing include
2e26c7565c time: added nanotime_t typedef
c3c8ab7f6b string: added additional detail to split() comment
95ce4f22c8 string: added to_delim() method then redefined first_line() method to use it
448218b1e1 string: added add_leading() method
e3b0bf4f5c MSF iterator: allow conversion from ordinary iterator and added exists() method
11412ac50a AsioPolySock: in remote_endpoint_str() method, test for alt_routing_enabled()
9fb4e705f9 Added TimeSkew to skew a time duration by a random flux
7496383002 write_binary_atomic: reduce the length of the temporary filename
b31d9c0191 auth-token-user: increase size limit to 340 chars
c82644c03a Added BufferLineIterator
115cb656b6 RandomAPI: added randbyte() and randbool() methods
4fa8348689 RunContext: ASIO SIGNAL message now shows signal name rather than number
ebfce58513 Added StaticBuffer, a constant-length Buffer for writing that cannot be extended
c8f9cb88a4 string::split(): call reserve() on return vector
f15e566065 read_binary_unix_fast: should return an int (i.e. errno), not a bool
60501b4513 random: factor out rand32_distribute() from RandomAPI::randrange32()
90123495a5 wintun: get device interfaces list only once
ec790df73b wintun: read packets in bulk
0f85d3f729 wintun: use correct io_context when performing initial read
a6151cdeab wintun: use auto-reset events
29acfd95f3 libs: update ASIO to 1.14.0
438a0ef287 Remove outdated and unused android build files
e9df57969f Merge remote-tracking branch 'origin/released'
44725ad094 ssl: Fix building with OpenSSL 1.0.2
efe3f1f635 version: Reset version reference for git master
8c79c06d94 Make tls-crypt/tls-cryptv2 compile with multiple compilation units
4d18aaeb88 Fix LLVM warnings reported during OS X build
8c9496bb4d Use const_cast for SSL_session_reused
33be562a39 Add missing override keywords to openssl/sslctx.hpp
2c5435a000 dcocli: use compile time define for Tun methods instead of hardcoded iproute
7c39088f00 Allow overriding reported HW_ADDR and support IV_PLAT_VER
7bb1ea19ee Move sending IV_UI_VER and IV_SSO to build_peer_info
23959fa705 Add reporting of IV_SSL_VER
63ab5b5e46 Only initialise static member in OpenSSLContext once
ecebb40304 Merge remote-tracking branch 'origin/qa'
52c9702502 wintun: replace volatiles with atomics
d720c7104c appveyor: install Strawberry perl
60a253a7ef appveyor: update to VS2019
48f2b5100b wintun: support for privilege separation
6f266be3d8 wintun: ring buffers support
baa1ce2ccf vcxproj: bump VS version to 2019
98bfd037e3 tun/win: factor out ClientConfig into separate header
aeb5ce0ad7 wintun: open device with SetupAPI
3998d303ce Finalizing the OpenVPN 3 Core library 3.3 release
728733aee7 deps/mbedtls: rebase "enable unsupported critical extensions" patch
43e36ca45a lib-version: update to mbedtls-2.7.11
4dbcd85e50 openssl/cipher.hpp: add missing include <compat.hpp>
69d72ed64f DCOTransport: Fix server side specific trunk handling
ff732e3b5d Fix OpenVPN Core build with OpenSSL 1.1.0
0da42f393f Do not use deprecated OpenSSL 1.1.0 methods
35062c0b60 travis.yml: update environment
47046cf6d2 Merge branch 'qa'
6933c395a4 [OVPN3-423] cliconnect.hpp: fix reconnect on Windows after sleep
462c36c813 random_subnet(): added comment
ac1d447156 IP::Addr::from_byte_string(): fixed bug for IPv6 case
d6eaea3468 string::split(): minor implementation tweaks
ca15b7cdf4 hexstr: added dump_hex() variant accepting void *
0e61a2afd7 SessionIDType::find_weak: added conflict parameter
089aec00b1 DCOTransport: new routing code for trunk links
5befbd430f build: added CAP=1 -- build with libcap
eb85ada21e signals: added trivial signal_name() function
f89013ef92 RunContext: don't try to catch SIGQUIT by default
e0ee540135 SessionIDType: added hash() method
f0e1f8aa42 logging: added basic components for logrotate
fbb0c81f29 UMask: added UMaskDaemon, a umask context object appropriate for daemons
1c7bac90d9 build script: when building with DEBUG=1 on Linux, use -ggdb instead of -g
73cce80e43 OpenSSL: added openssl_reseed_rng() function
25780cf798 OpenSSL: fixed some memory leaks in CipherContextGCM and TokenEncrypt
168dba95f5 OpenSSL: define OPENSSL_SERVER_SNI when OpenSSL version is at least 1.1
84e78d8fed SNI: added OpenVPN client support for SNI (currently OpenSSL only)
310766b270 build: added MTLS_DIST setting
4eaa46a879 MbedTLS: added MBEDTLS_DISABLE_NAME_CONSTRAINTS preprocessor flag
16226d1b05 OpenSSLSign: updated for OpenSSL 1.1
aed0678c96 SSL: added SNI::Metadata, an abstract base class for packaging app-specific SNI metadata in AuthCert
001b731fe2 SNI: create SNI namespace and rename SNIHandlerBase -> SNI::HandlerBase
4bd5869305 README.rst: Make Windows-specific build steps up to date.
ac365ee977 wintun: support for 0.4
9245056a2a wintun: support for 0.3
b73d484950 mbedtls: throw exception on unsupported SSL:Const::PEER_CERT_OPTIONAL option
1d6bae4b5b tcplinkcommon: bubble up real exception error
c18c8bd156 tcpcli: ensure SSL Factory survives as long as TLS link
4192193087 tls: parse and load TLS specific CA
2a19b7fcff win/tuncli.hpp: fix Wintun padding calculation
44cb9f44da appveyor: make ReleaseOpenSSL default configuration
5485de19a2 win/impersonate: refactor impersonate logic
29a655147b win/tunsetup.hpp: remove unneeded parameter
61794b0efd win: link OpenSSL dynamically
e569b84465 win/tuncli.hpp: fix indentation
374c57e708 frame_init.hpp: tweak wintun read buf size
c3c45c9b38 tun: added Error::TUN_HALT for tun_error() signaling
acd7af5e9a RandomAPI: added randrange32() method
c1a7f8cc68 std::clamp() is useful but only available in C++17 and up, so we add our own clamp()
f8c71ef1ce Minor change to Error::INACTIVE_TIMEOUT handler
3202ab5fce OpenSSLSign: renamed OpenSSLPKI::X509Base to OpenSSLPKI::X509 to conform to changes in OpenSSLPKI
8d767febb5 ReachabilityBase: added virtual destructor
6a4826965f MbedTLS: update json_override() prototype
bee0d8d187 SSL: added SSLConst::SEND_CLIENT_CA_LIST server-side flag and implemented for OpenSSL
5eb39c1dea AuthCert: save the SNI name
3b34449d0e SSLAPI: auth_cert() can now be const
a672e91631 SNI server-side: support additional JSON configuration settings
95e761f3cc OpenSSL PKI cleanup
d5eb77c53c AuthCert::Fail cleanup
6e98b9aadc SSLAPI: move PKType from SSLConfigAPI into standalone header to avoid dependency inversion
bbae814864 OpenSSL: added SNI implementation
5def1d23ab OpenSSLContext: in constructor, removed redundant if statement
1a0747e783 OpenSSLContext: in constructor, consolidate sslopt fixed flags
eef9868816 OpenSSLContext::SSL::ssl_handshake_details(): include leaf-cert CN in details
f9631cd90f AuthCert::Fail: use std::string for the reason string (instead of const char *)
a17b77641f OpenSSLPKI::X509: copy constructor doesn't need erase() and define X509::Ptr
78cae5bb52 OpenSSLPKI::DH: copy constructor doesn't need erase()
c0d43a4153 RCPtr: added static_pointer_cast() method
34a3f264f5 [OVPN-314] Add support for signalling SSO support via IV_SSO
7d112eb3e5 cli: enable utf8 console output
980ef1eff8 win/call.hpp: re-encode command output to utf8
fddb440e99 unicode.hpp: customize utf16 conversion routine
4d7c12ac4d [OVPN3-405] Support for non-ASCII profile path on Windows

git-subtree-dir: Sources/OpenVPNAdapter/Libraries/Vendors/openvpn
git-subtree-split: 7db7a009b0b4eca0fc3733c99c50aff7f7c2556f

openvpn/client/cliconnect.hpp

@@ -460,6 +460,14 @@ namespace openvpn {
 		    stop();
 		  }
 		  break;
+		case Error::TUN_REGISTER_RINGS_ERROR:
+		  {
+		    ClientEvent::Base::Ptr ev = new ClientEvent::TunSetupFailed(client->fatal_reason());
+		    client_options->events().add_event(std::move(ev));
+		    client_options->stats().error(Error::TUN_REGISTER_RINGS_ERROR);
+		    stop();
+		  }
+		  break;
 		case Error::TUN_IFACE_CREATE:
 		  {
 		    ClientEvent::Base::Ptr ev = new ClientEvent::TunIfaceCreate(client->fatal_reason());
@@ -473,7 +481,7 @@ namespace openvpn {
 		    ClientEvent::Base::Ptr ev = new ClientEvent::TunIfaceDisabled(client->fatal_reason());
 		    client_options->events().add_event(std::move(ev));
 		    client_options->stats().error(Error::TUN_IFACE_DISABLED);
-		    stop();
+		    queue_restart(5000);
 		  }
 		  break;
 		case Error::PROXY_ERROR:
@@ -529,7 +537,10 @@ namespace openvpn {
 		    ClientEvent::Base::Ptr ev = new ClientEvent::InactiveTimeout();
 		    client_options->events().add_event(std::move(ev));
 		    client_options->stats().error(Error::INACTIVE_TIMEOUT);
-		    graceful_stop();
+
+		    // explicit exit notify is sent earlier by
+		    // ClientProto::Session::inactive_callback()
+		    stop();
 		  }
 		  break;
 		case Error::TRANSPORT_ERROR:
@@ -548,6 +559,14 @@ namespace openvpn {
 		    queue_restart(5000);
 		  }
 		  break;
+		case Error::TUN_HALT:
+		  {
+		    ClientEvent::Base::Ptr ev = new ClientEvent::TunHalt(client->fatal_reason());
+		    client_options->events().add_event(std::move(ev));
+		    client_options->stats().error(Error::TUN_HALT);
+		    stop();
+		  }
+		  break;
 		case Error::RELAY:
 		  {
 		    ClientEvent::Base::Ptr ev = new ClientEvent::Relay();

openvpn/client/clievent.hpp

@@ -55,6 +55,7 @@ namespace openvpn {
       PAUSE,
       RESUME,
       RELAY,
+      COMPRESSION_ENABLED,
       UNSUPPORTED_FEATURE,
 
       // start of nonfatal errors, must be marked by NONFATAL_ERROR_START below
@@ -68,6 +69,7 @@ namespace openvpn {
       TLS_VERSION_MIN,
       CLIENT_HALT,
       CLIENT_SETUP,
+      TUN_HALT,
       CONNECTION_TIMEOUT,
       INACTIVE_TIMEOUT,
       DYNAMIC_CHALLENGE,
@@ -108,6 +110,7 @@ namespace openvpn {
 	"PAUSE",
 	"RESUME",
 	"RELAY",
+	"COMPRESSION_ENABLED",
 	"UNSUPPORTED_FEATURE",
 
 	// nonfatal errors
@@ -121,6 +124,7 @@ namespace openvpn {
 	"TLS_VERSION_MIN",
 	"CLIENT_HALT",
 	"CLIENT_SETUP",
+	"TUN_HALT",
 	"CONNECTION_TIMEOUT",
 	"INACTIVE_TIMEOUT",
 	"DYNAMIC_CHALLENGE",
@@ -361,6 +365,11 @@ namespace openvpn {
       ClientRestart(std::string reason) : ReasonBase(CLIENT_RESTART, std::move(reason)) {}
     };
 
+    struct TunHalt : public ReasonBase
+    {
+      TunHalt(std::string reason) : ReasonBase(TUN_HALT, std::move(reason)) {}
+    };
+
     struct RelayError : public ReasonBase
     {
       RelayError(std::string reason) : ReasonBase(RELAY_ERROR, std::move(reason)) {}
@@ -456,6 +465,14 @@ namespace openvpn {
       }
     };
 
+    struct CompressionEnabled : public ReasonBase
+    {
+       CompressionEnabled(std::string msg)
+         : ReasonBase(COMPRESSION_ENABLED, std::move(msg))
+       {
+       }
+    };
+
     class Queue : public RC<thread_unsafe_refcount>
     {
     public:

openvpn/client/cliopt.hpp

@@ -120,8 +120,11 @@ namespace openvpn {
     struct Config
     {
       std::string gui_version;
+      std::string sso_methods;
       std::string server_override;
       std::string port_override;
+      std::string hw_addr_override;
+      std::string platform_version;
       Protocol proto_override;
       IPv6Setting ipv6;
       int conn_timeout = 0;
@@ -308,6 +311,13 @@ namespace openvpn {
 
       synchronous_dns_lookup = config.synchronous_dns_lookup;
 
+#ifdef OPENVPN_TLS_LINK
+      if (opt.exists("tls-ca"))
+	{
+	  tls_ca = opt.cat("tls-ca");
+	}
+#endif
+
       // init transport config
       const std::string session_name = load_transport_config();
 
@@ -534,14 +544,27 @@ namespace openvpn {
       // setenv UV_ options
       pi->append_foreign_set_ptr(pcc.peerInfoUV());
 
+      // UI version
+      if (!config.gui_version.empty())
+	pi->emplace_back("IV_GUI_VER", config.gui_version);
+
+      // Supported SSO methods
+      if (!config.sso_methods.empty())
+	pi->emplace_back("IV_SSO", config.sso_methods);
+
       // MAC address
       if (pcc.pushPeerInfo())
 	{
 	  std::string hwaddr = get_hwaddr();
-	  if (!hwaddr.empty())
+	  if (!config.hw_addr_override.empty())
+	    pi->emplace_back("IV_HWADDR", config.hw_addr_override);
+	  else if (!hwaddr.empty())
 	    pi->emplace_back("IV_HWADDR", hwaddr);
-	}
+	  pi->emplace_back ("IV_SSL", get_ssl_library_version());
 
+	  if (!config.platform_version.empty())
+	    pi->emplace_back("IV_PLAT_VER", config.platform_version);
+	}
       return pi;
     }
 
@@ -716,7 +739,6 @@ namespace openvpn {
       cp->ssl_factory = cc->new_factory();
       cp->load(opt, *proto_context_options, config.default_key_direction, false);
       cp->set_xmit_creds(!autologin || pcc.hasEmbeddedPassword() || autologin_sessions);
-      cp->gui_version = config.gui_version;
       cp->force_aes_cbc_ciphersuites = config.force_aes_cbc_ciphersuites; // also used to disable proto V2
       cp->extra_peer_info = build_peer_info(config, pcc, autologin_sessions);
       cp->frame = frame;
@@ -825,6 +847,7 @@ namespace openvpn {
 #ifdef OPENVPN_TLS_LINK
 	      if (transport_protocol.is_tls())
 		tcpconf->use_tls = true;
+	      tcpconf->tls_ca = tls_ca;
 #endif
 #ifdef OPENVPN_GREMLIN
 	      tcpconf->gremlin_config = gremlin_config;
@@ -881,6 +904,9 @@ namespace openvpn {
     DCO::Ptr dco;
 #ifdef OPENVPN_EXTERNAL_TRANSPORT_FACTORY
     ExternalTransport::Factory* extern_transport_factory;
+#endif
+#ifdef OPENVPN_TLS_LINK
+    std::string tls_ca;
 #endif
   };
 }

openvpn/client/cliopthelper.hpp

@@ -558,8 +558,8 @@ namespace openvpn {
 
         // JSON config is aimed to users, therefore we do not export the raw private
         // key, but only some basic info
-        SSLConfigAPI::PKType priv_key_type = sslConfig->private_key_type();
-        if (priv_key_type != SSLConfigAPI::PK_NONE)
+        PKType::Type priv_key_type = sslConfig->private_key_type();
+        if (priv_key_type != PKType::PK_NONE)
         {
 	  root["key"] = Json::Value(Json::objectValue);
 	  root["key"]["type"] = Json::Value(sslConfig->private_key_type_string());

openvpn/client/cliproto.hpp

@@ -506,7 +506,7 @@ namespace openvpn {
 	{
 	  const Option* o = opt.get_ptr("auth-token-user");
 	  if (o)
-	    username = base64->decode(o->get(1, 256));
+	    username = base64->decode(o->get(1, 340)); // 255 chars after base64 decode
 	}
 
 	// auth-token
@@ -601,6 +601,20 @@ namespace openvpn {
 
 		// send the Connected event
 		cli_events->add_event(connected_);
+
+		// Issue an event if compression is enabled
+		CompressContext::Type comp_type = Base::conf().comp_ctx.type();
+		if (comp_type != CompressContext::NONE
+		    && !CompressContext::is_any_stub(comp_type))
+		{
+		  std::ostringstream msg;
+		  msg << (proto_context_options->is_comp_asym()
+			  ? "Asymmetric compression enabled.  Server may send compressed data."
+			  : "Compression enabled.");
+		  msg << "  This may be a potential security issue.";
+		  ClientEvent::Base::Ptr ev = new ClientEvent::CompressionEnabled(msg.str());
+		  cli_events->add_event(std::move(ev));
+		}
 	      }
 	    else
 	      OPENVPN_LOG("Options continuation...");
@@ -739,6 +753,8 @@ namespace openvpn {
 
       virtual void tun_error(const Error::Type fatal_err, const std::string& err_text)
       {
+	if (fatal_err == Error::TUN_HALT)
+	  send_explicit_exit_notify();
 	if (fatal_err != Error::UNDEF)
 	  {
 	    fatal_ = fatal_err;

openvpn/client/remotelist.hpp

@@ -759,7 +759,7 @@ namespace openvpn {
 
     // return the current primary index (into list) and raise an exception
     // if it is undefined
-    const size_t primary_index() const
+    size_t primary_index() const
     {
       const size_t pri = index.primary();
       if (pri < list.size())
@@ -890,7 +890,7 @@ namespace openvpn {
 		  }
 		else
 		  e->server_port = default_port;
-		if (o.size() >= 4+adj)
+		if (o.size() >= (size_t)(4+adj))
 		  e->transport_protocol = Protocol::parse(o.get(3+adj, 16), Protocol::CLIENT_SUFFIX);
 		else
 		  e->transport_protocol = default_proto;