Merge OpenVPN 3 Core library 3.10.4

Signed-off-by: David Sommerseth <[email protected]>
OpenVPN · Nov 14, 2024 · 84facdf · 84facdf
2 parents 7726283 + dc174ee
commit 84facdf
Show file tree

Hide file tree

Showing 3 changed files with 73 additions and 7 deletions.
diff --git a/openvpn/tun/mac/client/tunsetup.hpp b/openvpn/tun/mac/client/tunsetup.hpp
@@ -367,8 +367,8 @@ class Setup : public TunBuilderSetup::Base
         if (!pull.exclude_routes.empty())
         {
             // get default gateways
-            MacGatewayInfo gw4{IP::Addr::from_ipv4(IPv4::Addr::from_zero())};
-            MacGatewayInfo gw6{IP::Addr::from_ipv6(IPv6::Addr::from_zero())};
+            MacGatewayInfo gw4{IP::Addr::from_ipv4(IPv4::Addr::from_zero()), &os};
+            MacGatewayInfo gw6{IP::Addr::from_ipv6(IPv6::Addr::from_zero()), &os};
 
             for (std::vector<TunBuilderCapture::Route>::const_iterator i = pull.exclude_routes.begin(); i != pull.exclude_routes.end(); ++i)
             {
@@ -399,7 +399,7 @@ class Setup : public TunBuilderSetup::Base
             // add server bypass route if remote is also IPv4
             if (!pull.remote_address.ipv6)
             {
-                MacGatewayInfo gw4{IP::Addr::from_ipv4(IPv4::Addr::from_string(pull.remote_address.address))};
+                MacGatewayInfo gw4{IP::Addr::from_ipv4(IPv4::Addr::from_string(pull.remote_address.address)), &os};
                 if (gw4.flags() & MacGatewayInfo::ADDR_DEFINED)
                 {
                     if (!pull.remote_address.ipv6 && !(pull.reroute_gw.flags & RedirectGatewayFlags::RG_LOCAL))
@@ -433,7 +433,7 @@ class Setup : public TunBuilderSetup::Base
             // add server bypass route if remote is also ipv6
             if (pull.remote_address.ipv6)
             {
-                MacGatewayInfo gw6{IP::Addr::from_ipv6(IPv6::Addr::from_string(pull.remote_address.address))};
+                MacGatewayInfo gw6{IP::Addr::from_ipv6(IPv6::Addr::from_string(pull.remote_address.address)), &os};
                 if (gw6.flags() & MacGatewayInfo::ADDR_DEFINED)
                 {
                     if (pull.remote_address.ipv6 && !(pull.reroute_gw.flags & RedirectGatewayFlags::RG_LOCAL))

diff --git a/openvpn/tun/mac/gw.hpp b/openvpn/tun/mac/gw.hpp
@@ -66,7 +66,7 @@ class MacGatewayInfo
         IFACE_DEFINED = (1 << 3),   /* set if iface is defined */
     };
 
-    MacGatewayInfo(IP::Addr dest)
+    MacGatewayInfo(IP::Addr dest, std::ostream *os = nullptr)
     {
         /* setup data to send to routing socket */
         int seq = 0;
@@ -105,8 +105,15 @@ class MacGatewayInfo
 
         auto ret = ::write(sockfd(), &m_rtmsg, m_rtmsg.m_rtm.rtm_msglen);
         if (ret < 0)
-            throw route_gateway_error("GDG: problem writing to routing socket: " + std::to_string(ret)
-                                      + " errno: " + std::to_string(errno) + " msg: " + ::strerror(errno));
+        {
+            // likely no default gw or IPv6 connectivity
+            if (os)
+            {
+                *os << "GDG: problem writing to routing socket: " << std::to_string(ret) << " errno: " << std::to_string(errno) << " msg: " << ::strerror(errno) << std::endl;
+            }
+
+            return;
+        }
 
         int l = 0;
         int pid = ::getpid();

diff --git a/openvpn/tun/win/dns.hpp b/openvpn/tun/win/dns.hpp
@@ -571,6 +571,65 @@ class Dns
          * @return bool to indicate if the reload was initiated
          */
         bool apply_gpol_nrtp_rules()
+        {
+            SYSTEM_INFO si;
+            ::GetSystemInfo(&si);
+            const bool win_32bit = si.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_INTEL;
+
+            return win_32bit ? apply_gpol_nrtp_rules_32() : apply_gpol_nrtp_rules_64();
+        }
+
+        /**
+         * @brief Signal the DNS resolver (and others potentially) to reload the
+         *        NRTP rules group policy settings on 32 bit Windows systems
+         *
+         * @return bool to indicate if the reload was initiated
+         */
+        bool apply_gpol_nrtp_rules_32()
+        {
+            bool res = false;
+
+            using publish_fn_t = NTSTATUS(__stdcall *)(
+                DWORD StateNameLo,
+                DWORD StateNameHi,
+                DWORD TypeId,
+                DWORD Buffer,
+                DWORD Length,
+                DWORD ExplicitScope);
+            publish_fn_t RtlPublishWnfStateData;
+            constexpr DWORD WNF_GPOL_SYSTEM_CHANGES_HI = 0x0D891E2A;
+            constexpr DWORD WNF_GPOL_SYSTEM_CHANGES_LO = 0xA3BC0875;
+
+            HMODULE ntdll = ::LoadLibraryA("ntdll.dll");
+            if (ntdll == NULL)
+            {
+                goto out;
+            }
+
+            RtlPublishWnfStateData = reinterpret_cast<publish_fn_t>(::GetProcAddress(ntdll, "RtlPublishWnfStateData"));
+            if (RtlPublishWnfStateData == NULL)
+            {
+                goto out;
+            }
+
+            if (RtlPublishWnfStateData(WNF_GPOL_SYSTEM_CHANGES_LO, WNF_GPOL_SYSTEM_CHANGES_HI, 0, 0, 0, 0) != ERROR_SUCCESS)
+            {
+                goto out;
+            }
+
+            res = true;
+
+        out:
+            return res;
+        }
+
+        /**
+         * @brief Signal the DNS resolver (and others potentially) to reload the
+         *        NRTP rules group policy settings on 64 bit Windows systems
+         *
+         * @return bool to indicate if the reload was initiated
+         */
+        bool apply_gpol_nrtp_rules_64()
         {
             bool res = false;