Merge OpenVPN 3 Core Library version 3.10 into released

Signed-off-by: David Sommerseth <[email protected]>

.github/workflows/coverity-scan.yml

@@ -10,7 +10,7 @@ jobs:
     steps:
       - name: Check submission cache
         id: check_submit
-        uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
+        uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         with:
           path: |
             cov-int
@@ -21,20 +21,20 @@ jobs:
         run: sudo apt update && sudo apt install -y libcap-dev libjsoncpp-dev liblzo2-dev liblz4-dev libssl-dev swig
       - name: Checkout OpenVPN 3
         if: steps.check_submit.outputs.cache-hit != 'true'
-        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4
+        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
         with:
           path: openvpn3
       - name: Checkout asio
         if: steps.check_submit.outputs.cache-hit != 'true'
-        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4
+        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
         with:
           # versioning=regex:^asio-(?<major>\d+)-(?<minor>\d+)-(?<patch>\d+)$
           repository: chriskohlhoff/asio
           ref: asio-1-30-2
           path: asio
       - name: Checkout xxHash
         if: steps.check_submit.outputs.cache-hit != 'true'
-        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4
+        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
         with:
           # versioning=semver-coerced
           repository: Cyan4973/xxHash
@@ -77,7 +77,7 @@ jobs:
 
       - name: Cache submission
         if: steps.check_submit.outputs.cache-hit != 'true'
-        uses: actions/cache/save@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
+        uses: actions/cache/save@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         with:
           path: |
             cov-int

.github/workflows/msbuild.yml

@@ -14,34 +14,34 @@ jobs:
 
     runs-on: windows-latest
     steps:
-    - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4
+    - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
     - uses: lukka/get-cmake@4931ab1fc1604964c055eb330edb3f6b26ba0cfa # v3.29.2
-    - uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1
+    - uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
       with:
         arch: ${{ matrix.arch }}
 
     - name: Restore from cache and install vcpkg
-      uses: lukka/run-vcpkg@v11
+      uses: lukka/run-vcpkg@5e0cab206a5ea620130caf672fce3e4a6b5666a1 # v11.5
       with:
         vcpkgGitCommitId: 8b04a7bd93bef991818fc372bb83ce00ec1c1c16
         vcpkgJsonGlob: '**/windows/vcpkg.json'
 
     - name: Run CMake with vcpkg.json manifest
-      uses: lukka/run-cmake@v10
+      uses: lukka/run-cmake@2ce8982be71b8e9a3c4d5e432135035afd1e76a7 # v10.7
       if: ${{ matrix.arch != 'amd64_arm64' }}
       with:
         configurePreset: win-${{ matrix.arch }}-release
         buildPreset: win-${{ matrix.arch }}-release
         testPreset: win-${{ matrix.arch }}-release
 
     - name: Run CMake with vcpkg.json manifest (NO TESTS)
-      uses: lukka/run-cmake@v10
+      uses: lukka/run-cmake@2ce8982be71b8e9a3c4d5e432135035afd1e76a7 # v10.7
       if: ${{ matrix.arch == 'amd64_arm64' }}
       with:
         configurePreset: win-${{ matrix.arch }}-release
         buildPreset: win-${{ matrix.arch }}-release
 
-    - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
+    - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
       with:
         name: openvpn3-msvc-${{ matrix.arch }}
         path: |
@@ -61,25 +61,25 @@ jobs:
 
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4
+    - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
     - uses: lukka/get-cmake@4931ab1fc1604964c055eb330edb3f6b26ba0cfa # v3.29.2
 
     - name: Install dependencies
       run: sudo apt update && sudo apt install -y mingw-w64 unzip cmake build-essential
 
     - name: Restore from cache and install vcpkg
-      uses: lukka/run-vcpkg@v11
+      uses: lukka/run-vcpkg@5e0cab206a5ea620130caf672fce3e4a6b5666a1 # v11.5
       with:
         vcpkgGitCommitId: 8b04a7bd93bef991818fc372bb83ce00ec1c1c16
         vcpkgJsonGlob: '**/mingw/vcpkg.json'
 
     - name: Run CMake with vcpkg.json manifest
-      uses: lukka/run-cmake@v10
+      uses: lukka/run-cmake@2ce8982be71b8e9a3c4d5e432135035afd1e76a7 # v10.7
       with:
         configurePreset: mingw-${{ matrix.arch }}-release
         buildPreset: mingw-${{ matrix.arch }}-release
 
-    - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
+    - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
       with:
         name: openvpn3-mingw-${{ matrix.arch }}
         path: |

client/ovpncli.cpp

@@ -4,7 +4,7 @@
 //               packet encryption, packet authentication, and
 //               packet compression.
 //
-//    Copyright (C) 2012-2022 OpenVPN Inc.
+//    Copyright (C) 2012 - 2024 OpenVPN Inc.
 //
 //    This program is free software: you can redistribute it and/or modify
 //    it under the terms of the GNU Affero General Public License Version 3
@@ -650,6 +650,7 @@ OPENVPN_CLIENT_EXPORT void OpenVPNClientHelper::parse_config(const Config &confi
         eval.friendlyName = cc.friendlyName();
         eval.autologin = cc.autologin();
         eval.externalPki = cc.externalPki();
+        eval.vpnCa = cc.vpnCa();
         eval.staticChallenge = cc.staticChallenge();
         eval.staticChallengeEcho = cc.staticChallengeEcho();
         eval.privateKeyPasswordRequired = cc.privateKeyPasswordRequired();
@@ -1128,15 +1129,16 @@ OPENVPN_CLIENT_EXPORT void OpenVPNClient::external_pki_error(const ExternalPKIRe
     }
 }
 
-OPENVPN_CLIENT_EXPORT bool OpenVPNClient::sign(const std::string &data,
+OPENVPN_CLIENT_EXPORT bool OpenVPNClient::sign(const std::string &alias,
+                                               const std::string &data,
                                                std::string &sig,
                                                const std::string &algorithm,
                                                const std::string &hashalg,
                                                const std::string &saltlen)
 {
     ExternalPKISignRequest req;
+    req.alias = alias;
     req.data = data;
-    req.alias = state->clientconf.external_pki_alias;
     req.algorithm = algorithm;
     req.hashalg = hashalg;
     req.saltlen = saltlen;
@@ -1335,6 +1337,85 @@ OPENVPN_CLIENT_EXPORT void OpenVPNClient::send_app_control_channel_msg(const std
     }
 }
 
+static SSLLib::SSLAPI::Config::Ptr setup_certcheck_ssl_config(const std::string &client_cert,
+                                                              const std::string &extra_certs,
+                                                              const std::optional<const std::string> &ca,
+                                                              bool disabletls13)
+{
+    SSLLib::SSLAPI::Config::Ptr config = new SSLLib::SSLAPI::Config;
+    config->set_frame(new Frame(Frame::Context(128, 4096, 4096 - 128, 0, 16, 0)));
+    config->set_mode(Mode(Mode::CLIENT));
+    config->load_cert(client_cert, extra_certs);
+    unsigned int flags = SSLConst::LOG_VERIFY_STATUS;
+
+    if (ca)
+        config->load_ca(*ca, false);
+    else
+        flags |= SSLConfigAPI::LF_ALLOW_CLIENT_CERT_NOT_REQUIRED;
+
+    if (disabletls13)
+        config->set_tls_version_max(TLSVersion::Type::V1_2);
+
+    config->set_flags(flags);
+
+    return config;
+}
+
+/**
+  @brief Start up the cert check handshake using the given certs and key
+  @param client_cert String containing the properly encoded client certificate
+  @param clientkey String containing the properly encoded private key for \p client_cert
+  @param ca String containing the properly encoded authority
+  @param disableTLS13 disable TLS 1.3 support
+
+      Creates, initializes,and installs an SSLLib::SSLAPI::Config object into the TLS
+      handshake object we use for the certcheck function. Then begins the handshake
+      with Client Hello via the ACC by calling start_acc_certcheck.
+*/
+OPENVPN_CLIENT_EXPORT void OpenVPNClient::start_cert_check(const std::string &client_cert,
+                                                           const std::string &clientkey,
+                                                           const std::optional<const std::string> &ca,
+                                                           bool disableTLS13)
+{
+    if (state->is_foreign_thread_access())
+    {
+        ClientConnect *session = state->session.get();
+        if (session)
+        {
+            SSLLib::SSLAPI::Config::Ptr config = setup_certcheck_ssl_config(client_cert, "", ca, disableTLS13);
+            config->load_private_key(clientkey);
+
+            session->start_acc_certcheck(config);
+        }
+    }
+}
+
+OPENVPN_CLIENT_EXPORT void OpenVPNClient::start_cert_check_epki(const std::string &alias, const std::optional<const std::string> &ca, bool disableTLS13)
+{
+    if (state->is_foreign_thread_access())
+    {
+        ClientConnect *session = state->session.get();
+        if (session)
+        {
+            ClientAPI::ExternalPKICertRequest req;
+            req.alias = alias;
+            external_pki_cert_request(req);
+
+            if (req.error)
+            {
+                external_pki_error(req, Error::EPKI_CERT_ERROR);
+                return;
+            }
+
+            SSLLib::SSLAPI::Config::Ptr config = setup_certcheck_ssl_config(req.cert, req.supportingChain, ca, disableTLS13);
+
+            config->set_external_pki_callback(this, alias);
+
+
+            session->start_acc_certcheck(config);
+        }
+    }
+}
 
 OPENVPN_CLIENT_EXPORT void OpenVPNClient::clock_tick()
 {

client/ovpncli.hpp

@@ -4,7 +4,7 @@
 //               packet encryption, packet authentication, and
 //               packet compression.
 //
-//    Copyright (C) 2012-2022 OpenVPN Inc.
+//    Copyright (C) 2012 - 2024 OpenVPN Inc.
 //
 //    This program is free software: you can redistribute it and/or modify
 //    it under the terms of the GNU Affero General Public License Version 3
@@ -28,6 +28,7 @@
 #include <unordered_set>
 #include <utility>
 #include <vector>
+#include <optional>
 
 #include <openvpn/tun/builder/base.hpp>
 #include <openvpn/tun/extern/fw.hpp>
@@ -52,8 +53,14 @@ struct ServerEntry
     std::string friendlyName;
 };
 
-// return properties of config
-// (client reads)
+/**
+    @brief Struct containing configuration details parsed from an OpenVPN configuration file.
+    @details
+    This struct holds various properties extracted from an OpenVPN configuration file, such as
+    error status, profile name, autologin flag, external PKI flag, VPN server CA, static
+    challenge, private key password requirement, remote host information, list of selectable VPN
+    servers, Windows driver, and DCO compatibility details.
+*/
 struct EvalConfig
 {
     // true if error
@@ -77,6 +84,13 @@ struct EvalConfig
     // if true, this is an External PKI profile (no cert or key directives)
     bool externalPki = false;
 
+    // VPN server CA in PEM format as given in the configuration. This is the CA, the
+    // VPN server certificate is checked against. This is not a parsed version so it
+    // can have extra lines around the actual certificates that an X509 parser would
+    // ignore.
+    // Note that this can can be empty if the profile uses --peer-fingerprint instead of traditional PKI check.
+    std::string vpnCa;
+
     // static challenge, may be empty, ignored if autologin
     std::string staticChallenge;
 
@@ -679,6 +693,31 @@ class OpenVPNClient : public TunBuilderBase,             // expose tun builder v
 
     // send custom app control channel message
     void send_app_control_channel_msg(const std::string &protocol, const std::string &msg);
+    /**
+      @brief Start up the cert check handshake using the given certs and key
+      @param client_cert String containing the properly encoded client certificate
+      @param clientkey String containing the properly encoded private key for \p client_cert
+      @param ca Optional string containing the properly encoded authority
+
+      This function forwards to ClientProto::Session::start_acc_certcheck, which sets up the
+      session ACC certcheck TLS handshake object. Every time this function is called the state of
+      the handshake object will be reset and the handshake will be restarted.
+    */
+    void start_cert_check(const std::string &client_cert,
+                          const std::string &clientkey,
+                          const std::optional<const std::string> &ca = std::nullopt,
+                          bool disableTLS13 = false);
+
+    /**
+      @brief Start up the cert check handshake using the given epki_alias string
+      @param alias     string containing the epki used for callbacks for certificate and signing operations
+      @param ca Optional string containing the properly encoded authority
+
+      This function forwards to ClientProto::Session::start_acc_certcheck, which sets up the
+      session ACC certcheck TLS handshake object. Every time this function is called the state of
+      the handshake object will be reset and the handshake will be restarted.
+    */
+    void start_cert_check_epki(const std::string &alias, const std::optional<const std::string> &ca, bool disableTLS13 = false);
 
     // Callback for delivering events during connect() call.
     // Will be called from the thread executing connect().
@@ -735,7 +774,8 @@ class OpenVPNClient : public TunBuilderBase,             // expose tun builder v
     void on_disconnect();
 
     // from ExternalPKIBase
-    bool sign(const std::string &data,
+    bool sign(const std::string &alias,
+              const std::string &data,
               std::string &sig,
               const std::string &algorithm,
               const std::string &hashalg,