Squashed 'OpenVPN Adapter/Vendors/openvpn/' changes from 098fd412a..e6d68831a

e6d68831a deps: update mbedTLS to 2.7.0 59de63fa6 cli.cpp: added OPENVPN_REMOTE_OVERRIDE caf9cf6c1 RedirectPipe: added additional flags for flexibility 68595de4d ClientAPI::RemoteOverride: added error status 37d848ca2 Log lines from C++ exceptions should contain the text "exception" f05802cf9 Increase server validation of password size to 16KB to support bundling SAML messages. 52e4d4a5f Increase client validation of password/response size to 16KB to support bundling SAML messages. a0416ed92 [OVPN3-209] win: add dependencies checksum verification f6eadbc4d [OVPN3-206] Refactor Windows build system 7b30c2f12 [OVPN3-220] proto.hpp: send initial options set on rekeying 33dd2f29e mbedtls: backport fixes for CVE-2018-0487 0912a9b62 [OVPN3-213] build system: mbedtls timing tests 98fa55576 deps: update asio to 1.12.0 620531101 [OVPN3-215] asio: apply external patches f4a73bde5 [OVPN3-215] asio: rebase external patches on top of our current commit ID a61cac928 mbedtls: Patches from 2.7 to fix timing test failures c892f41fb win: tune dependencies build 8a394a37d [OVPN3-213] build system: mbedtls timing tests 0a3dd67da [OVPN3-190] tun linux: add to/from_json methods 44c6cdfdc [OVPN3-206] readme: update Windows build instructions 0edec4a09 [OVPN3-206] win: update directories in VS projects 3d6fd62cb mac build: improve unittest stability 758ae98c6 [OVPN3-209] win: add dependencies checksum verification a7642ee82 [OVPN3-205] win: apply mbedTLS patches ac94b6eb7 [OVPN3-206] Refactor Windows build system c5bc3859e mbedTLS: don't set endpoint twice in conf object 3d5dd9ee3 [OVPN3-199] mac build: do not overwrite DEP_DIR b713762ba mbedtls: Patches from 2.7 to fix timing test failures 37ab79fa6 tun linux: apply changes from 362acf0 6a7aee2c9 [OVPN3-190] tun: implement persistence 1d2ebb07f [OVPN3-190] tun: move tun creation to separate class 53e33d634 [OVPN3-190] tun: move content of tun to tuncli 85d3377c2 [OVPN3-190] tun: move tun setup methods to separate file 735b985eb i/o layer: wrap raw pointers embedded in closures 322ae24b5 OptionList: support variadic template parameter pack in constructors 8a012b454 lz4: added namespace and improved error handling 34998e94a zlib: removed verbose parameter 846ed217d OpenSSL: set SSL_MODE_RELEASE_BUFFERS to conserve memory by releasing unneeded buffers 32e3ea117 OptionList: added show_unused_options() method fe38233a8 Buffer: added typedefs for thread-safe refcounts b34b6271e compression: added compress_lz4() and decompress_lz4() 755e1a181 linux/core.hpp: added exclude_from_core() function a7f6fe64f ManClientInstance::Send: added userprop_local_update() virtual method 94526ac19 BufferAllocated: fixed regression in buffer copy 33c16812e [OVPN3-144] mbedTLS: fix support for 4096bit encrypted keys f249ab4bd [OVPN3-144] build-mbedtls: run make check before compiling 5040aef4c [OVPN3-144] build-mbedtls: apply patches using git-apply instead of patch 8a5e838ab [OVPN3-144] mbedTLS: fix incompatibility with PKI created by OpenSSL 1.1 e7badefd7 proto.hpp/tls-crypt: fix access to ACK IDs during packet validation 73fa974db proto.hpp: print buffer exception in case of packet access error 79ad5eded Estblishing a stable branch 1c5f20ab0 Hide the @ sign in logs if username is empty 01ee1f5a4 Added ClientAPI::Config::retryOnAuthFailed parameter 05880b136 Added ProfileParseLimits::MAX_SERVER_LIST_SIZE and raise limit to 4096 eedee4fa6 cli.cpp: allow -s server override to reference a friendly name 6e350e9f9 Linux tun setup: use LinuxGW46 to obtain gateway info 3e044c6c7 top-level .gitignore was missing a trailing newline a27355ac7 Use C++11 push_back(std::move(...))) for pushing objects onto vectors 8c3af2704 HostPort::split_host_port: support unix socket filename as an alternative kind of host 14b588c86 asio: added asio_resolver_results_to_string() fd6e8e9bf AsioPolySock: minor changes to remote_endpoint_str() 06f5e4d71 AsioBoundSocket::Socket: added to_string() method 8fd968532 RemoteList: minor cleanup in set_endpoint_range() f9fc2f54e BufferAllocated: improve movability 8cb8d52cd string: added first_line() method a26b1646b AsioPolySock: extend AltRouting support ef3a40c27 Listen::Item: added AltRouting mode 02e786bc9 write_binary_atomic: support ConstBuffer 6745799c9 fileunix: added read_binary_unix_fast() 5689c2d9c write_binary_unix(): added ConstBuffer variant 2b0e76453 enum_dir: refactor to allow enumeration via lambda 116a5bd5e bufstr: added const_buf_from_string() method f8ec81413 Buffer: added const_buffer_ref() variant accepting a const argument ae98aa8b6 AsioPolySock: support AltRouting 8f81479f1 AsioBoundSocket::Socket: support inheritance 9598918e9 ServerProto: added schedule_disconnect() method. 4516cf67b ServerProto: reset CoarseTime object when AsioTimer is canceled 0ffc76a0b Route: implement operator< so Route objects can be used as map/set keys. c4af9f68b event_loop_wait_barrier: raise default timeout to 30 seconds d7fe87540 appversion.hpp: rename VERSION -> BUILD_VERSION git-subtree-dir: OpenVPN Adapter/Vendors/openvpn git-subtree-split: e6d68831a71131b7d92fbea93d3b9cbe10ba2068
2026-02-22 00:00:06 +08:00 · 2018-04-04 12:34:20 +03:00
parent 055bb04c14
commit 84ad2a289f
81 changed files with 5189 additions and 856 deletions
--- a/openvpn/buffer/buffer.hpp
+++ b/openvpn/buffer/buffer.hpp
@@ -53,7 +53,7 @@
 #include <string>
 #include <cstring>
 #include <algorithm>
-#include <type_traits> // for std::is_nothrow_move_constructible
+#include <type_traits> // for std::is_nothrow_move_constructible, std::remove_const

 #ifndef OPENVPN_NO_IO
 #include <openvpn/io/io.hpp>
@@ -136,11 +136,17 @@ namespace openvpn {
    Status status_;
  };

+  template <typename T, typename R>
+  class BufferAllocatedType;
+
  template <typename T>
  class BufferType {
+    template <typename, typename> friend class BufferAllocatedType;
+
  public:
    typedef T* type;
    typedef const T* const_type;
+    typedef typename std::remove_const<T>::type NCT; // non-const type

    BufferType()
    {
@@ -469,14 +475,14 @@ namespace openvpn {
      prepend((const T*)data, size);
    }

-    void read(T* data, const size_t size)
+    void read(NCT* data, const size_t size)
    {
      std::memcpy(data, read_alloc(size), size * sizeof(T));
    }

    void read(void* data, const size_t size)
    {
-      read((T*)data, size);
+      read((NCT*)data, size);
    }

    T* write_alloc(const size_t size)
@@ -575,7 +581,7 @@ namespace openvpn {
    size_t capacity_;  // maximum number of array objects of type T for which memory is allocated, starting at data_
  };

-  template <typename T, typename R = thread_unsafe_refcount>
+  template <typename T, typename R>
  class BufferAllocatedType : public BufferType<T>, public RC<R>
  {
    using BufferType<T>::data_;
@@ -583,6 +589,8 @@ namespace openvpn {
    using BufferType<T>::size_;
    using BufferType<T>::capacity_;

+    template <typename, typename> friend class BufferAllocatedType;
+
  public:
    enum {
      CONSTRUCT_ZERO = (1<<0),  // if enabled, constructors/init will zero allocated space
@@ -636,19 +644,19 @@ namespace openvpn {
        }
    }

-    template <typename OT>
-    BufferAllocatedType(const BufferType<OT>& other, const unsigned int flags)
+    template <typename T_>
+    BufferAllocatedType(const BufferType<T_>& other, const unsigned int flags)
    {
-      static_assert(sizeof(T) == sizeof(OT), "size inconsistency");
-      offset_ = other.offset();
-      size_ = other.size();
-      capacity_ = other.capacity();
+      static_assert(sizeof(T) == sizeof(T_), "size inconsistency");
+      offset_ = other.offset_;
+      size_ = other.size_;
+      capacity_ = other.capacity_;
      flags_ = flags;
      if (capacity_)
 	{
 	  data_ = new T[capacity_];
 	  if (size_)
-	    std::memcpy(data_ + offset_, other.c_data(), size_ * sizeof(T));
+	    std::memcpy(data_ + offset_, other.data_ + offset_, size_ * sizeof(T));
 	}
    }

@@ -724,16 +732,17 @@ namespace openvpn {
      BufferType<T>::init_headroom(headroom);
    }

-    void move(BufferAllocatedType& other)
+    template <typename T_, typename R_>
+    void move(BufferAllocatedType<T_, R_>& other)
    {
      if (data_)
 	delete_(data_, capacity_, flags_);
      move_(other);
    }

-    RCPtr<BufferAllocatedType<T>> move_to_ptr()
+    RCPtr<BufferAllocatedType<T, R>> move_to_ptr()
    {
-      RCPtr<BufferAllocatedType<T>> bp = new BufferAllocatedType<T>();
+      RCPtr<BufferAllocatedType<T, R>> bp = new BufferAllocatedType<T, R>();
      bp->move(*this);
      return bp;
    }
@@ -747,7 +756,8 @@ namespace openvpn {
      std::swap(flags_, other.flags_);
    }

-    BufferAllocatedType(BufferAllocatedType&& other) noexcept
+    template <typename T_, typename R_>
+    BufferAllocatedType(BufferAllocatedType<T_, R_>&& other) noexcept
    {
      move_(other);
    }
@@ -812,7 +822,8 @@ namespace openvpn {
      capacity_ = newcap;
    }

-    void move_(BufferAllocatedType& other)
+    template <typename T_, typename R_>
+    void move_(BufferAllocatedType<T_, R_>& other)
    {
      data_ = other.data_;
      offset_ = other.offset_;
@@ -844,17 +855,30 @@ namespace openvpn {
    unsigned int flags_;
  };

+  // specializations of BufferType for unsigned char
  typedef BufferType<unsigned char> Buffer;
  typedef BufferType<const unsigned char> ConstBuffer;
-  typedef BufferAllocatedType<unsigned char> BufferAllocated;
+  typedef BufferAllocatedType<unsigned char, thread_unsafe_refcount> BufferAllocated;
  typedef RCPtr<BufferAllocated> BufferPtr;

+  // BufferAllocated with thread-safe refcount
+  typedef BufferAllocatedType<unsigned char, thread_safe_refcount> BufferAllocatedTS;
+  typedef RCPtr<BufferAllocatedTS> BufferPtrTS;
+
+  // cast BufferType<T> to BufferType<const T>
+
  template <typename T>
  inline BufferType<const T>& const_buffer_ref(BufferType<T>& src)
  {
    return (BufferType<const T>&)src;
  }

+  template <typename T>
+  inline const BufferType<const T>& const_buffer_ref(const BufferType<T>& src)
+  {
+    return (const BufferType<const T>&)src;
+  }
+
 } // namespace openvpn

 #endif // OPENVPN_BUFFER_BUFFER_H
--- a/openvpn/buffer/bufstr.hpp
+++ b/openvpn/buffer/bufstr.hpp
@@ -98,6 +98,13 @@ namespace openvpn {
  {
    buf.write((unsigned char *)str, std::strlen(str));
  }
+
+  // Note: ConstBuffer deep links to str, so returned ConstBuffer
+  // is only defined while str is in scope.
+  inline ConstBuffer const_buf_from_string(const std::string& str)
+  {
+    return ConstBuffer((const unsigned char *)str.c_str(), str.size(), true);
+  }
 }

 #endif
--- a/openvpn/buffer/lz4.hpp
+++ b/openvpn/buffer/lz4.hpp
@@ -0,0 +1,96 @@
+//    OpenVPN -- An application to securely tunnel IP networks
+//               over a single port, with support for SSL/TLS-based
+//               session authentication and key exchange,
+//               packet encryption, packet authentication, and
+//               packet compression.
+//
+//    Copyright (C) 2012-2017 OpenVPN Inc.
+//
+//    This program is free software: you can redistribute it and/or modify
+//    it under the terms of the GNU Affero General Public License Version 3
+//    as published by the Free Software Foundation.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU Affero General Public License for more details.
+//
+//    You should have received a copy of the GNU Affero General Public License
+//    along with this program in the COPYING file.
+//    If not, see <http://www.gnu.org/licenses/>.
+
+#pragma once
+
+#include <cstdint> // for std::uint32_t, uint64_t, etc.
+
+#include <lz4.h>
+
+#include <openvpn/common/exception.hpp>
+#include <openvpn/common/socktypes.hpp> // for ntohl/htonl
+#include <openvpn/buffer/buffer.hpp>
+
+namespace openvpn {
+  namespace LZ4 {
+    OPENVPN_EXCEPTION(lz4_error);
+
+    inline BufferPtr compress(const ConstBuffer& src,
+			      const size_t headroom,
+			      const size_t tailroom)
+    {
+      // sanity check
+      if (src.size() > LZ4_MAX_INPUT_SIZE)
+	OPENVPN_THROW(lz4_error, "compress buffer size=" << src.size() << " exceeds LZ4_MAX_INPUT_SIZE=" << LZ4_MAX_INPUT_SIZE);
+
+      // allocate dest buffer
+      BufferPtr dest = new BufferAllocated(sizeof(std::uint32_t) + headroom + tailroom + LZ4_COMPRESSBOUND(src.size()), 0);
+      dest->init_headroom(headroom);
+
+      // as a hint to receiver, write the decompressed size
+      {
+	const std::uint32_t size = htonl(src.size());
+	dest->write(&size, sizeof(size));
+      }
+
+      // compress
+      const int comp_size = ::LZ4_compress_default((const char *)src.c_data(), (char *)dest->data_end(),
+						   (int)src.size(), (int)dest->remaining(tailroom));
+      if (comp_size <= 0)
+	OPENVPN_THROW(lz4_error, "LZ4_compress_default returned error status=" << comp_size);
+      dest->inc_size(comp_size);
+      return dest;
+    }
+
+    inline BufferPtr decompress(const ConstBuffer& source,
+				const size_t headroom,
+				const size_t tailroom,
+				size_t max_decompressed_size=LZ4_MAX_INPUT_SIZE)
+    {
+      // get the decompressed size
+      ConstBuffer src(source);
+      if (src.size() < sizeof(std::uint32_t))
+	OPENVPN_THROW(lz4_error, "decompress buffer size=" << src.size() << " is too small");
+      std::uint32_t size;
+      src.read(&size, sizeof(size));
+      size = ntohl(size);
+      if (max_decompressed_size > LZ4_MAX_INPUT_SIZE)
+	max_decompressed_size = LZ4_MAX_INPUT_SIZE;
+      if (max_decompressed_size && size > max_decompressed_size)
+	OPENVPN_THROW(lz4_error, "decompress expansion size=" << size << " is too large (must be <= " << max_decompressed_size << ')');
+
+      // allocate dest buffer
+      BufferPtr dest = new BufferAllocated(headroom + tailroom + size, 0);
+      dest->init_headroom(headroom);
+
+      // decompress
+      const int decomp_size = LZ4_decompress_safe((const char *)src.c_data(), (char *)dest->data(),
+						  (int)src.size(), size);
+      if (decomp_size <= 0)
+	OPENVPN_THROW(lz4_error, "LZ4_decompress_safe returned error status=" << decomp_size);
+      if (decomp_size != size)
+	OPENVPN_THROW(lz4_error, "decompress size inconsistency expected_size=" << size << " actual_size=" << decomp_size);
+      dest->inc_size(decomp_size);
+      return dest;
+    }
+
+  }
+}
--- a/openvpn/buffer/zlib.hpp
+++ b/openvpn/buffer/zlib.hpp
@@ -22,12 +22,6 @@
 #ifndef OPENVPN_BUFFER_ZLIB_H
 #define OPENVPN_BUFFER_ZLIB_H

-#ifdef OPENVPN_GZIP_DEBUG
-#define OPENVPN_GZIP_VERBOSE true
-#else
-#define OPENVPN_GZIP_VERBOSE false
-#endif
-
 #ifdef HAVE_ZLIB

 #include <cstring> // for std::memset
@@ -57,7 +51,6 @@ namespace openvpn {
 				   const size_t headroom,
 				   const size_t tailroom,
 				   const int level,
-				   const bool verbose=OPENVPN_GZIP_VERBOSE,
 				   const int window_bits=15,
 				   const int mem_level=8)
    {
@@ -90,8 +83,6 @@ namespace openvpn {
 	  if (status != Z_STREAM_END)
 	    OPENVPN_THROW(zlib_error, "zlib deflate failed, error=" << status);
 	  b->set_size(zs.s.total_out);
-	  if (verbose)
-	    OPENVPN_LOG("*** COMPRESS " << src->size() << " -> " << b->size());
 	  return b;
 	}
      else
@@ -102,7 +93,6 @@ namespace openvpn {
 				     const size_t headroom,
 				     const size_t tailroom,
 				     const size_t max_size,
-				     const bool verbose=OPENVPN_GZIP_VERBOSE,
 				     const size_t block_size=4096,
 				     const int window_bits=15)
    {
@@ -142,8 +132,6 @@ namespace openvpn {
 	      OPENVPN_THROW(zlib_error, "zlib inflate max_size " << max_size << " exceeded");
 	    hr = tr = 0;
 	  } while (status == Z_OK);
-	  if (verbose)
-	    OPENVPN_LOG("*** DECOMPRESS " << src->size() << " -> " << blist.join_size());
 	  return blist.join(headroom, tailroom, true);
 	}
      else