mirror/openvpn3
0
0
Fork 0
mirror of https://github.com/OpenVPN/openvpn3.git synced 2024-09-20 12:12:15 +02:00
Code
ad7da751ea
openvpn3/openvpn/client/cliproto.hpp

1112 lines
31 KiB
C++
Raw Normal View History

Added AGPL copyright/licensing language.
2014-07-21 05:22:06 +02:00
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
Global edit to add copyright notice at head of each source file.
2012-08-24 23:13:42 +02:00
//
[OVPN3-140] Update company names in copyrights OpenVPN Technologies, Inc. change their name to OpenVPN Inc. during the autumn of 2017. Signed-off-by: David Sommerseth <davids@openvpn.net>
2017-12-21 22:15:36 +01:00
// Copyright (C) 2012-2017 OpenVPN Inc.
Global edit to add copyright notice at head of each source file.
2012-08-24 23:13:42 +02:00
//
Added AGPL copyright/licensing language.
2014-07-21 05:22:06 +02:00
// This program is free software: you can redistribute it and/or modify
[OVPN3-140] Relicense back to AGPLv3 This is essentially a revert of commit 04b2a3c9b7f92583 and commit ef42e59e051a0b4d. Signed-off-by: David Sommerseth <davids@openvpn.net>
2017-12-21 21:42:20 +01:00
// it under the terms of the GNU Affero General Public License Version 3
Added AGPL copyright/licensing language.
2014-07-21 05:22:06 +02:00
// as published by the Free Software Foundation.
Global edit to add copyright notice at head of each source file.
2012-08-24 23:13:42 +02:00
//
Added AGPL copyright/licensing language.
2014-07-21 05:22:06 +02:00
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
[OVPN3-140] Relicense back to AGPLv3 This is essentially a revert of commit 04b2a3c9b7f92583 and commit ef42e59e051a0b4d. Signed-off-by: David Sommerseth <davids@openvpn.net>
2017-12-21 21:42:20 +01:00
// GNU Affero General Public License for more details.
Added AGPL copyright/licensing language.
2014-07-21 05:22:06 +02:00
//
[OVPN3-140] Relicense back to AGPLv3 This is essentially a revert of commit 04b2a3c9b7f92583 and commit ef42e59e051a0b4d. Signed-off-by: David Sommerseth <davids@openvpn.net>
2017-12-21 21:42:20 +01:00
// You should have received a copy of the GNU Affero General Public License
Added AGPL copyright/licensing language.
2014-07-21 05:22:06 +02:00
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
Global edit to add copyright notice at head of each source file.
2012-08-24 23:13:42 +02:00
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
#ifndef OPENVPN_CLIENT_CLIPROTO_H
#define OPENVPN_CLIENT_CLIPROTO_H
Added head comments to all source files. Minor reorganization of unicode code.
2012-11-23 07:18:43 +01:00
// This is a middle-layer object in the OpenVPN client protocol stack.
// It is above the general OpenVPN protocol implementation in
ProtoContext<CRYPTO_API> is no longer a template, it is now just class ProtoContext.
2014-10-20 20:55:58 +02:00
// class ProtoContext but below the top
Added head comments to all source files. Minor reorganization of unicode code.
2012-11-23 07:18:43 +01:00
// level object in a client connect (ClientConnect). See ClientConnect for
// a fuller description of the full client stack.
//
// This layer deals with setting up an OpenVPN client connection:
//
// 1. handles creation of transport-layer handler via TransportClientFactory
// 2. handles creation of tun-layer handler via TunClientFactory
// 3. handles sending PUSH_REQUEST to server and processing reply of server-pushed options
ProtoContext<CRYPTO_API> is no longer a template, it is now just class ProtoContext.
2014-10-20 20:55:58 +02:00
// 4. manages the underlying OpenVPN protocol object (class ProtoContext)
Added head comments to all source files. Minor reorganization of unicode code.
2012-11-23 07:18:43 +01:00
// 5. handles timers on behalf of the underlying OpenVPN protocol object
// 6. acts as an exception dispatcher for errors occuring in any of the underlying layers
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
#include <string>
#include <vector>
INFO message : buffer INFO control-channel messages received near Connected event to fire one second after Connected event, to reduce the chance of race conditions in the client app, if the INFO event triggers the client app to perform an operation that requires the VPN tunnel to be ready.
2016-08-17 23:23:26 +02:00
#include <memory>
Core: speed up client-side PUSH_REQUEST transmission to server at 0, 1, 2, 3, 3, ... seconds. Previously, transmission occurred at 1, 3, 3, ... seconds.
2014-08-18 06:25:26 +02:00
#include <algorithm> // for std::min
C++11 update: mass replace of boost::uint/int to std::uint/int.
2015-04-24 01:55:07 +02:00
#include <cstdint> // for std::uint...
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
Added i/o abstraction layer. Created a lightweight abstraction layer so that another i/o reactor can be dropped in place of asio. The basic approach is to rename all references to asio::xxx types to openvpn_io::xxx and then make openvpn_io a preprocessor variable that points to the top-level namespace of the i/o reactor implementation. All of the source files that currently include <asio.hpp> now include <openvpn/io/io.hpp> instead: This gives us a lightweight abstraction layer that allows us to define openvpn_io to be something other than asio. Other changes: * Inclusion of asio by scripts/build is now optional, and is enabled by passing ASIO=1 or ASIO_DIR=<dir>. * Refactored openvpn/common/socktypes.hpp to no longer require asio. * Refactored openvpn/log/logthread.hpp to no longer require asio. * Added openvpn::get_hostname() method as alternative to calling asio directly. * openvpn/openssl/util/init.hpp will now #error if USE_ASIO is undefined. Signed-off-by: James Yonan <james@openvpn.net>
2017-03-30 23:10:56 +02:00
#include <openvpn/io/io.hpp>
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
#include <openvpn/common/rc.hpp>
Moved count_t to its own header file.
2015-05-17 21:17:24 +02:00
#include <openvpn/common/count.hpp>
Boost dependency elimination -- change boost::algorithm usage (for string algorithms) to use methods of our own implementation in openvpn/common/string.hpp.
2015-06-05 03:22:59 +02:00
#include <openvpn/common/string.hpp>
Support autologin sessions in client.
2016-01-27 09:32:48 +01:00
#include <openvpn/common/base64.hpp>
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
#include <openvpn/tun/client/tunbase.hpp>
#include <openvpn/transport/client/transbase.hpp>
Added Relay capability, a kind of proxy function similar to HTTP CONNECT but implemented over the OpenVPN protocol. 1. Client connects to relay server as if it were connecting to an ordinary OpenVPN server. 2. Client authenticates to relay server using its client certificate. 3. Client sends a PUSH_REQUEST method to relay server which then replies with a RELAY message instead of PUSH_REPLY. 4. On receiving the RELAY message, the client attempts to reconnect using the existing transport socket. The server will proxy this new connection (at the transport layer) to a second server (chosen by the relay server) that is the target of proxy. 5. The client must establish and authenticate a new session from scratch with the target server, only reusing the transport layer socket from the original connection to the relay server. 6. The relay acts as a man-in-the-middle only at the transport layer (like most proxies), i.e. it forwards the encrypted session between client and target server without decrypting or having the capability to decrypt the session. 7. The client is designed to protect against potentially untrusted or malicious relays: (a) The client never transmits the target server username/password credentials to the relay server. (b) The relay forwards the encrypted OpenVPN session between client and target server without having access to the session keys. (c) The client configuration has a special directive for relay server CA (<relay-extra-ca>) and relay server tls-auth key (<relay-tls-auth>) to allow for separation of TLS/crypto configuration between relay and target servers. (d) The client will reject any PUSH_REPLY messages from the relay itself to prevent the relay from trying to establish a tunnel directly with the client. Example configuring a client for relay: # remote addresses point to the relay server remote ... 1194 udp remote ... 443 tcp # include all other directives for connecting # to the target server # enable relay mode relay-mode # constrain the relay server's cert type relay-ns-cert-type server # include extra CAs that validate the relay # server cert (optional). <relay-extra-ca> -----BEGIN CERTIFICATE----- . . . -----END CERTIFICATE----- </relay-extra-ca> # specify the TLS auth key for the relay server relay-key-direction 1 <relay-tls-auth> -----BEGIN OpenVPN Static key V1----- . . . -----END OpenVPN Static key V1----- </relay-tls-auth>
2016-11-20 21:06:35 +01:00
#include <openvpn/transport/client/relay.hpp>
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
#include <openvpn/options/continuation.hpp>
Android 4 client: * Added OpenVPN log file page view in advanced preferences. * Added OpenSSL verify_callback. * Support ns-cert-type * Sanitize logged data to remove Session ID.
2012-03-08 11:30:43 +01:00
#include <openvpn/options/sanitize.hpp>
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
#include <openvpn/client/clievent.hpp>
Android 4 client fixes: Fixed session ID -> password replacement. Allow username to be specified as profile/username.
2012-02-28 00:00:29 +01:00
#include <openvpn/client/clicreds.hpp>
Added parser size validation constants in openvpn/client/cliconstants.hpp
2012-11-12 02:52:03 +01:00
#include <openvpn/client/cliconstants.hpp>
Misc client and pre-server cleanup.
2012-11-26 02:51:24 +01:00
#include <openvpn/client/clihalt.hpp>
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
#include <openvpn/time/asiotimer.hpp>
#include <openvpn/time/coarsetime.hpp>
Moved load_duration_parm and set_duration_parm out of proto.hpp and into a new file openvpn/time/durhelper.hpp. Added skew_duration() to durhelper.hpp to randomly skew duration values. Added Duration::operator+(const int delta) method to allow modification of raw duration value by an int.
2015-01-08 23:30:58 +01:00
#include <openvpn/time/durhelper.hpp>
Minor exception code cleanup.
2012-11-14 17:41:33 +01:00
#include <openvpn/error/excode.hpp>
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
#include <openvpn/ssl/proto.hpp>
#ifdef OPENVPN_DEBUG_CLIPROTO
#define OPENVPN_LOG_CLIPROTO(x) OPENVPN_LOG(x)
#else
#define OPENVPN_LOG_CLIPROTO(x)
#endif
namespace openvpn {
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
namespace ClientProto {
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Added ClientConnect class which implements an "always-try-to-reconnect" approach, with remote list rotation. Only gives up on auth failure.
2012-02-07 12:37:35 +01:00
struct NotifyCallback {
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
virtual void client_proto_terminate() = 0;
Added ClientConnect class which implements an "always-try-to-reconnect" approach, with remote list rotation. Only gives up on auth failure.
2012-02-07 12:37:35 +01:00
virtual void client_proto_connected() {}
Added "remote" option list handling. Added ClientProtoTerminateCallback abstraction to ClientProto. Added ClientProto::Config for configuration parameters, rather than passing parameters individually to ClientProto constructor.
2012-02-06 09:28:05 +01:00
};
ProtoContext<CRYPTO_API> is no longer a template, it is now just class ProtoContext.
2014-10-20 20:55:58 +02:00
class Session : ProtoContext,
Moved the inheritance of public RC<thread_unsafe_refcount> from ProtoContext to ClientProto::Session.
2014-08-14 19:18:53 +02:00
TransportClientParent,
TunClientParent,
public RC<thread_unsafe_refcount>
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
{
ProtoContext<CRYPTO_API> is no longer a template, it is now just class ProtoContext.
2014-10-20 20:55:58 +02:00
typedef ProtoContext Base;
Removed some typename qualifiers from proto.hpp and cliproto.hpp that are no longer necessary since ProtoContext is no longer a class template.
2014-10-20 21:01:40 +02:00
typedef Base::PacketType PacketType;
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
using Base::now;
"last packet received n seconds ago" stat is now provided by core.
2012-09-06 00:03:26 +02:00
using Base::stat;
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
public:
Renamed boost::intrusive_ptr<T> usage to RCPtr<T>.
2015-05-18 05:26:53 +02:00
typedef RCPtr<Session> Ptr;
Removed some typename qualifiers from proto.hpp and cliproto.hpp that are no longer necessary since ProtoContext is no longer a class template.
2014-10-20 21:01:40 +02:00
typedef Base::Config ProtoConfig;
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
OPENVPN_EXCEPTION(client_exception);
Fixed a race condition issue with "hot connect", i.e. sending a connect intent to service when already connected. One of the ramifications of the "hot connect" fix above is that OpenVPNClientBase.is_active() will now return a value that is instantaneously up-to-date, whereas events might lag because of the mechanics of inter-thread message posting. Keep this in mind when correlating received events to is_active() values. For C++ core threads, increased allowed thread-stop delay to 2.5 seconds before thread is marked as unresponsive and abandoned. Previous delay was 1 second. This delay can't be made too long, otherwise Android will tell the user that the app is unresponsive and invite them to kill it. When closing out an abandoned core thread, indicate this condition with a new event type called CORE_THREAD_ABANDONED. If the thread is abandoned due to lack of response to a disconnect request, then the CORE_THREAD_ABANDONED event will occur followed by CORE_THREAD_INACTIVE. For core threads that properly exit, the DISCONNECTED event will be followed by CORE_THREAD_INACTIVE. Added save_as_filename parameter to importProfileRemote method for controlling the filename that the imported profile is saved as. This parameter may be set to null to have the method choose an appropriate name. To have an imported profile replace an existing profile, the filenames much match. Added UI_OVERLOADED debugging constant to OpenVPNClient to allow the UI to connect to a profile when already connected to another profile in order to test "hot connect". Added new events CLIENT_HALT and CLIENT_RESTART for compatibility with an Access Server feature that allows the server to remotely kill or restart the client. When connecting a profile, the core will now automatically fill in the username if it is not specified for userlocked profiles. Version 0.902.
2012-03-31 18:08:20 +02:00
OPENVPN_EXCEPTION(client_halt_restart);
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
OPENVPN_EXCEPTION(tun_exception);
OPENVPN_EXCEPTION(transport_exception);
Android 4 client port is almost working (need to get an Android build that includes tun driver to test further).
2012-02-19 02:36:50 +01:00
OPENVPN_EXCEPTION(max_pushed_options_exceeded);
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
OPENVPN_SIMPLE_EXCEPTION(session_invalidated);
Added ClientConnect class which implements an "always-try-to-reconnect" approach, with remote list rotation. Only gives up on auth failure.
2012-02-07 12:37:35 +01:00
OPENVPN_SIMPLE_EXCEPTION(authentication_failed);
Implemented "inactive" directive.
2013-05-25 03:19:50 +02:00
OPENVPN_SIMPLE_EXCEPTION(inactive_timer_expired);
Added Relay capability, a kind of proxy function similar to HTTP CONNECT but implemented over the OpenVPN protocol. 1. Client connects to relay server as if it were connecting to an ordinary OpenVPN server. 2. Client authenticates to relay server using its client certificate. 3. Client sends a PUSH_REQUEST method to relay server which then replies with a RELAY message instead of PUSH_REPLY. 4. On receiving the RELAY message, the client attempts to reconnect using the existing transport socket. The server will proxy this new connection (at the transport layer) to a second server (chosen by the relay server) that is the target of proxy. 5. The client must establish and authenticate a new session from scratch with the target server, only reusing the transport layer socket from the original connection to the relay server. 6. The relay acts as a man-in-the-middle only at the transport layer (like most proxies), i.e. it forwards the encrypted session between client and target server without decrypting or having the capability to decrypt the session. 7. The client is designed to protect against potentially untrusted or malicious relays: (a) The client never transmits the target server username/password credentials to the relay server. (b) The relay forwards the encrypted OpenVPN session between client and target server without having access to the session keys. (c) The client configuration has a special directive for relay server CA (<relay-extra-ca>) and relay server tls-auth key (<relay-tls-auth>) to allow for separation of TLS/crypto configuration between relay and target servers. (d) The client will reject any PUSH_REPLY messages from the relay itself to prevent the relay from trying to establish a tunnel directly with the client. Example configuring a client for relay: # remote addresses point to the relay server remote ... 1194 udp remote ... 443 tcp # include all other directives for connecting # to the target server # enable relay mode relay-mode # constrain the relay server's cert type relay-ns-cert-type server # include extra CAs that validate the relay # server cert (optional). <relay-extra-ca> -----BEGIN CERTIFICATE----- . . . -----END CERTIFICATE----- </relay-extra-ca> # specify the TLS auth key for the relay server relay-key-direction 1 <relay-tls-auth> -----BEGIN OpenVPN Static key V1----- . . . -----END OpenVPN Static key V1----- </relay-tls-auth>
2016-11-20 21:06:35 +01:00
OPENVPN_SIMPLE_EXCEPTION(relay_event);
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
Initial HTTP proxy implementation in core, with support for non-authenticated proxies and Basic Auth. Includes new PROXY_ERROR and PROXY_NEED_CREDS events. Still to do: Digest and NTLM auth.
2012-10-24 08:38:20 +02:00
OPENVPN_EXCEPTION(proxy_exception);
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
struct Config : public RC<thread_unsafe_refcount>
{
Renamed boost::intrusive_ptr<T> usage to RCPtr<T>.
2015-05-18 05:26:53 +02:00
typedef RCPtr<Config> Ptr;
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
Android 4 client port is almost working (need to get an Android build that includes tun driver to test further).
2012-02-19 02:36:50 +01:00
Config()
Added parser size validation constants in openvpn/client/cliconstants.hpp
2012-11-12 02:52:03 +01:00
: pushed_options_limit("server-pushed options data too large",
ProfileParseLimits::MAX_PUSH_SIZE,
ProfileParseLimits::OPT_OVERHEAD,
ProfileParseLimits::TERM_OVERHEAD,
More profile validation.
2012-11-14 03:35:50 +01:00
0,
cliproto : in struct Config, added C++11 member initializers.
2016-03-28 08:24:01 +02:00
ProfileParseLimits::MAX_DIRECTIVE_SIZE)
Android 4 client port is almost working (need to get an Android build that includes tun driver to test further).
2012-02-19 02:36:50 +01:00
{}
Removed some typename qualifiers from proto.hpp and cliproto.hpp that are no longer necessary since ProtoContext is no longer a class template.
2014-10-20 21:01:40 +02:00
ProtoConfig::Ptr proto_context_config;
Compression selector in mobile clients is now 3-state: yes -- support compression on both uplink and downlink asym -- support compression on downlink only no (default) -- no compression (stubs only) Added our own internal LZO decompressor, which is enabled when HAVE_LZO is undefined and the standard LZO library is not linked. This allows clients to support LZO in downlink mode only if the library isn't available.
2012-09-08 03:36:54 +02:00
ProtoContextOptions::Ptr proto_context_options;
OpenVPN 1.0 Beta 21 (iOS) Implemented IPv6 in iOS client. Added new flags to redirect-gateway to control whether redirection occurs at IPv4 or IPv6 levels (or both): * ipv4 (default) * !ipv4 * ipv6 * !ipv6 Added new directive "redirect-dns yes|no". If yes, all DNS requests will be forwarded through pushed DNS servers. If no, only DNS requests that match domains enumerated in "dhcp-option DOMAIN" directives will be forwarded. If redirect-dns is omitted, it will default to yes if redirect-gateway is specified at the IPv4 level (this is the normal pre-existing behavior). Allow the following aggregated options that are normally pushed by the server to be defined in the config file as well. These options will be combined with server-pushed options: * route * route-ipv6 * redirect-gateway * redirect-private * dhcp-option Allow the following singleton options (i.e. options that don't aggregate), that are normally pushed, to be defined in the config file (note that server-pushed singleton options will override the config file setting): * redirect-dns The Connection Details section of the UI now displays VPN IP addresses for IPv4 and IPv6. Added new pushable option "client-ip IP_ADDR" that can be pushed by the server with the client's IP address as seen by the server. The client will then show the address in the Connection Details section of the UI.
2012-10-03 11:03:02 +02:00
PushOptionsBase::Ptr push_base;
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
TransportClientFactory::Ptr transport_factory;
TunClientFactory::Ptr tun_factory;
SessionStats::Ptr cli_stats;
ClientEvent::Queue::Ptr cli_events;
Android 4 client fixes: Fixed session ID -> password replacement. Allow username to be specified as profile/username.
2012-02-28 00:00:29 +01:00
ClientCreds::Ptr creds;
Added parser size validation constants in openvpn/client/cliconstants.hpp
2012-11-12 02:52:03 +01:00
OptionList::Limits pushed_options_limit;
Implemented route-nopull (second attempt).
2013-03-14 03:54:58 +01:00
OptionList::FilterBase::Ptr pushed_options_filter;
cliproto : in struct Config, added C++11 member initializers.
2016-03-28 08:24:01 +02:00
unsigned int tcp_queue_limit = 0;
bool echo = false;
Added INFO notification to OpenVPN control channel protocol: INFO,<payload> Payload can be any UTF-8 printable string under 64 KB (multiple lines are okay). INFO notifications can be sent from server to client in real-time, on any active client connection. The client will attach the payload to an INFO event and forward it to the controlling app via the event callback: virtual void event(const Event&) = 0;
2016-05-11 01:53:09 +02:00
bool info = false;
autologin sessions : automatically retry connection on expired session.
2016-06-29 08:57:24 +02:00
bool autologin_sessions = false;
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
};
Added i/o abstraction layer. Created a lightweight abstraction layer so that another i/o reactor can be dropped in place of asio. The basic approach is to rename all references to asio::xxx types to openvpn_io::xxx and then make openvpn_io a preprocessor variable that points to the top-level namespace of the i/o reactor implementation. All of the source files that currently include <asio.hpp> now include <openvpn/io/io.hpp> instead: This gives us a lightweight abstraction layer that allows us to define openvpn_io to be something other than asio. Other changes: * Inclusion of asio by scripts/build is now optional, and is enabled by passing ASIO=1 or ASIO_DIR=<dir>. * Refactored openvpn/common/socktypes.hpp to no longer require asio. * Refactored openvpn/log/logthread.hpp to no longer require asio. * Added openvpn::get_hostname() method as alternative to calling asio directly. * openvpn/openssl/util/init.hpp will now #error if USE_ASIO is undefined. Signed-off-by: James Yonan <james@openvpn.net>
2017-03-30 23:10:56 +02:00
Session(openvpn_io::io_context& io_context_arg,
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
const Config& config,
Added ClientConnect class which implements an "always-try-to-reconnect" approach, with remote list rotation. Only gives up on auth failure.
2012-02-07 12:37:35 +01:00
NotifyCallback* notify_callback_arg)
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
: Base(config.proto_context_config, config.cli_stats),
Don't use deprecated asio features.
2015-06-30 08:05:37 +02:00
io_context(io_context_arg),
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
transport_factory(config.transport_factory),
tun_factory(config.tun_factory),
Implemented tcp-queue-limit parameter for OpenVPN 3 client, with a default value of 64 (this is the same parameter name and default from OpenVPN 2 server). tcp-queue-limit sets a maximum size limit on the outgoing TCP packet queue and will drop packets and increment the TCP_OVERFLOW counter if the limit would be exceeded. Previously, the limit was hardcoded at 1024 packets and would result in a disconnect/reconnect if exceeded rather than merely dropping the packet.
2015-10-19 08:32:13 +02:00
tcp_queue_limit(config.tcp_queue_limit),
Added ClientConnect class which implements an "always-try-to-reconnect" approach, with remote list rotation. Only gives up on auth failure.
2012-02-07 12:37:35 +01:00
notify_callback(notify_callback_arg),
Don't use deprecated asio features.
2015-06-30 08:05:37 +02:00
housekeeping_timer(io_context_arg),
push_request_timer(io_context_arg),
OpenVPN 1.0 Beta 21 (iOS) Implemented IPv6 in iOS client. Added new flags to redirect-gateway to control whether redirection occurs at IPv4 or IPv6 levels (or both): * ipv4 (default) * !ipv4 * ipv6 * !ipv6 Added new directive "redirect-dns yes|no". If yes, all DNS requests will be forwarded through pushed DNS servers. If no, only DNS requests that match domains enumerated in "dhcp-option DOMAIN" directives will be forwarded. If redirect-dns is omitted, it will default to yes if redirect-gateway is specified at the IPv4 level (this is the normal pre-existing behavior). Allow the following aggregated options that are normally pushed by the server to be defined in the config file as well. These options will be combined with server-pushed options: * route * route-ipv6 * redirect-gateway * redirect-private * dhcp-option Allow the following singleton options (i.e. options that don't aggregate), that are normally pushed, to be defined in the config file (note that server-pushed singleton options will override the config file setting): * redirect-dns The Connection Details section of the UI now displays VPN IP addresses for IPv4 and IPv6. Added new pushable option "client-ip IP_ADDR" that can be pushed by the server with the client's IP address as seen by the server. The client will then show the address in the Connection Details section of the UI.
2012-10-03 11:03:02 +02:00
received_options(config.push_base),
Android 4 client fixes: Fixed session ID -> password replacement. Allow username to be specified as profile/username.
2012-02-28 00:00:29 +01:00
creds(config.creds),
Compression selector in mobile clients is now 3-state: yes -- support compression on both uplink and downlink asym -- support compression on downlink only no (default) -- no compression (stubs only) Added our own internal LZO decompressor, which is enabled when HAVE_LZO is undefined and the standard LZO library is not linked. This allows clients to support LZO in downlink mode only if the library isn't available.
2012-09-08 03:36:54 +02:00
proto_context_options(config.proto_context_options),
Added support to new core for remote-cert-tls, remote-cert-ku, and remote-cert-eku directives.
2012-10-31 15:46:40 +01:00
cli_stats(config.cli_stats),
Added ClientConnect class which implements an "always-try-to-reconnect" approach, with remote list rotation. Only gives up on auth failure.
2012-02-07 12:37:35 +01:00
cli_events(config.cli_events),
ovpn3 client : added support for pushed "echo" directives to be transmitted to app via event channel using new ECHO event.
2016-03-28 08:31:35 +02:00
echo(config.echo),
Added INFO notification to OpenVPN control channel protocol: INFO,<payload> Payload can be any UTF-8 printable string under 64 KB (multiple lines are okay). INFO notifications can be sent from server to client in real-time, on any active client connection. The client will attach the payload to an INFO event and forward it to the controlling app via the event callback: virtual void event(const Event&) = 0;
2016-05-11 01:53:09 +02:00
info(config.info),
autologin sessions : automatically retry connection on expired session.
2016-06-29 08:57:24 +02:00
autologin_sessions(config.autologin_sessions),
Implemented route-nopull (second attempt).
2013-03-14 03:54:58 +01:00
pushed_options_limit(config.pushed_options_limit),
Implemented "inactive" directive.
2013-05-25 03:19:50 +02:00
pushed_options_filter(config.pushed_options_filter),
INFO message : buffer INFO control-channel messages received near Connected event to fire one second after Connected event, to reduce the chance of race conditions in the client app, if the INFO event triggers the client app to perform an operation that requires the VPN tunnel to be ready.
2016-08-17 23:23:26 +02:00
inactive_timer(io_context_arg),
info_hold_timer(io_context_arg)
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
{
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
#ifdef OPENVPN_PACKET_LOG
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
packet_log.open(OPENVPN_PACKET_LOG, std::ios::binary);
if (!packet_log)
OPENVPN_THROW(open_file_error, "cannot open packet log for output: " << OPENVPN_PACKET_LOG);
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
#endif
Android client successfully tested with null tun/tap.
2012-02-16 21:46:38 +01:00
Base::update_now();
Base::reset();
Allow test/ssl/proto.cpp to be run on Mac OS X with PolarSSL used as both client and server implementation. Added DH support to PolarSSL. Added CLIENT_NO_RENEG and SERVER_NO_RENEG flags to test code in proto.cpp to allow scenarios to be tested where either the server, client, or both initiate renegotiation. Updated test/ovpncli/cli.cpp with new command line options and will now run on Mac OS X. Updated Android and iOS build systems to no longer include any LZO support, and to include Snappy support instead.
2012-09-15 08:56:18 +02:00
//Base::enable_strict_openvpn_2x();
INFO message : buffer INFO control-channel messages received near Connected event to fire one second after Connected event, to reduce the chance of race conditions in the client app, if the INFO event triggers the client app to perform an operation that requires the VPN tunnel to be ready.
2016-08-17 23:23:26 +02:00
info_hold.reset(new std::vector<ClientEvent::Base::Ptr>());
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
}
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
bool first_packet_received() const { return first_packet_received_; }
Added "remote" option list handling. Added ClientProtoTerminateCallback abstraction to ClientProto. Added ClientProto::Config for configuration parameters, rather than passing parameters individually to ClientProto constructor.
2012-02-06 09:28:05 +01:00
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
void start()
{
Added ClientConnect class which implements an "always-try-to-reconnect" approach, with remote list rotation. Only gives up on auth failure.
2012-02-07 12:37:35 +01:00
if (!halt)
{
Bug fixes: * raise default headroom/tailroom to 512 for worst-case compression expansion * for TCP connections use async_connect instead of connect * for Time and Time::Duration, handle subtraction reasonably with infinite values * handle possible infinite duration in to_posix_duration * fix overflow in Time::Duration::to_milliseconds * call Base::update_now() in ClientProto::start
2012-02-07 21:52:40 +01:00
Base::update_now();
Added ClientConnect class which implements an "always-try-to-reconnect" approach, with remote list rotation. Only gives up on auth failure.
2012-02-07 12:37:35 +01:00
// coarse wakeup range
housekeeping_schedule.init(Time::Duration::binary_ms(512), Time::Duration::binary_ms(1024));
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Added ClientConnect class which implements an "always-try-to-reconnect" approach, with remote list rotation. Only gives up on auth failure.
2012-02-07 12:37:35 +01:00
// initialize transport-layer packet handler
Added Relay capability, a kind of proxy function similar to HTTP CONNECT but implemented over the OpenVPN protocol. 1. Client connects to relay server as if it were connecting to an ordinary OpenVPN server. 2. Client authenticates to relay server using its client certificate. 3. Client sends a PUSH_REQUEST method to relay server which then replies with a RELAY message instead of PUSH_REPLY. 4. On receiving the RELAY message, the client attempts to reconnect using the existing transport socket. The server will proxy this new connection (at the transport layer) to a second server (chosen by the relay server) that is the target of proxy. 5. The client must establish and authenticate a new session from scratch with the target server, only reusing the transport layer socket from the original connection to the relay server. 6. The relay acts as a man-in-the-middle only at the transport layer (like most proxies), i.e. it forwards the encrypted session between client and target server without decrypting or having the capability to decrypt the session. 7. The client is designed to protect against potentially untrusted or malicious relays: (a) The client never transmits the target server username/password credentials to the relay server. (b) The relay forwards the encrypted OpenVPN session between client and target server without having access to the session keys. (c) The client configuration has a special directive for relay server CA (<relay-extra-ca>) and relay server tls-auth key (<relay-tls-auth>) to allow for separation of TLS/crypto configuration between relay and target servers. (d) The client will reject any PUSH_REPLY messages from the relay itself to prevent the relay from trying to establish a tunnel directly with the client. Example configuring a client for relay: # remote addresses point to the relay server remote ... 1194 udp remote ... 443 tcp # include all other directives for connecting # to the target server # enable relay mode relay-mode # constrain the relay server's cert type relay-ns-cert-type server # include extra CAs that validate the relay # server cert (optional). <relay-extra-ca> -----BEGIN CERTIFICATE----- . . . -----END CERTIFICATE----- </relay-extra-ca> # specify the TLS auth key for the relay server relay-key-direction 1 <relay-tls-auth> -----BEGIN OpenVPN Static key V1----- . . . -----END OpenVPN Static key V1----- </relay-tls-auth>
2016-11-20 21:06:35 +01:00
transport = transport_factory->new_transport_client_obj(io_context, this);
Implemented tcp-queue-limit parameter for OpenVPN 3 client, with a default value of 64 (this is the same parameter name and default from OpenVPN 2 server). tcp-queue-limit sets a maximum size limit on the outgoing TCP packet queue and will drop packets and increment the TCP_OVERFLOW counter if the limit would be exceeded. Previously, the limit was hardcoded at 1024 packets and would result in a disconnect/reconnect if exceeded rather than merely dropping the packet.
2015-10-19 08:32:13 +02:00
transport_has_send_queue = transport->transport_has_send_queue();
Added Relay capability, a kind of proxy function similar to HTTP CONNECT but implemented over the OpenVPN protocol. 1. Client connects to relay server as if it were connecting to an ordinary OpenVPN server. 2. Client authenticates to relay server using its client certificate. 3. Client sends a PUSH_REQUEST method to relay server which then replies with a RELAY message instead of PUSH_REPLY. 4. On receiving the RELAY message, the client attempts to reconnect using the existing transport socket. The server will proxy this new connection (at the transport layer) to a second server (chosen by the relay server) that is the target of proxy. 5. The client must establish and authenticate a new session from scratch with the target server, only reusing the transport layer socket from the original connection to the relay server. 6. The relay acts as a man-in-the-middle only at the transport layer (like most proxies), i.e. it forwards the encrypted session between client and target server without decrypting or having the capability to decrypt the session. 7. The client is designed to protect against potentially untrusted or malicious relays: (a) The client never transmits the target server username/password credentials to the relay server. (b) The relay forwards the encrypted OpenVPN session between client and target server without having access to the session keys. (c) The client configuration has a special directive for relay server CA (<relay-extra-ca>) and relay server tls-auth key (<relay-tls-auth>) to allow for separation of TLS/crypto configuration between relay and target servers. (d) The client will reject any PUSH_REPLY messages from the relay itself to prevent the relay from trying to establish a tunnel directly with the client. Example configuring a client for relay: # remote addresses point to the relay server remote ... 1194 udp remote ... 443 tcp # include all other directives for connecting # to the target server # enable relay mode relay-mode # constrain the relay server's cert type relay-ns-cert-type server # include extra CAs that validate the relay # server cert (optional). <relay-extra-ca> -----BEGIN CERTIFICATE----- . . . -----END CERTIFICATE----- </relay-extra-ca> # specify the TLS auth key for the relay server relay-key-direction 1 <relay-tls-auth> -----BEGIN OpenVPN Static key V1----- . . . -----END OpenVPN Static key V1----- </relay-tls-auth>
2016-11-20 21:06:35 +01:00
if (transport_factory->is_relay())
transport_connecting();
else
transport->transport_start();
Added ClientConnect class which implements an "always-try-to-reconnect" approach, with remote list rotation. Only gives up on auth failure.
2012-02-07 12:37:35 +01:00
}
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
}
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Added Relay capability, a kind of proxy function similar to HTTP CONNECT but implemented over the OpenVPN protocol. 1. Client connects to relay server as if it were connecting to an ordinary OpenVPN server. 2. Client authenticates to relay server using its client certificate. 3. Client sends a PUSH_REQUEST method to relay server which then replies with a RELAY message instead of PUSH_REPLY. 4. On receiving the RELAY message, the client attempts to reconnect using the existing transport socket. The server will proxy this new connection (at the transport layer) to a second server (chosen by the relay server) that is the target of proxy. 5. The client must establish and authenticate a new session from scratch with the target server, only reusing the transport layer socket from the original connection to the relay server. 6. The relay acts as a man-in-the-middle only at the transport layer (like most proxies), i.e. it forwards the encrypted session between client and target server without decrypting or having the capability to decrypt the session. 7. The client is designed to protect against potentially untrusted or malicious relays: (a) The client never transmits the target server username/password credentials to the relay server. (b) The relay forwards the encrypted OpenVPN session between client and target server without having access to the session keys. (c) The client configuration has a special directive for relay server CA (<relay-extra-ca>) and relay server tls-auth key (<relay-tls-auth>) to allow for separation of TLS/crypto configuration between relay and target servers. (d) The client will reject any PUSH_REPLY messages from the relay itself to prevent the relay from trying to establish a tunnel directly with the client. Example configuring a client for relay: # remote addresses point to the relay server remote ... 1194 udp remote ... 443 tcp # include all other directives for connecting # to the target server # enable relay mode relay-mode # constrain the relay server's cert type relay-ns-cert-type server # include extra CAs that validate the relay # server cert (optional). <relay-extra-ca> -----BEGIN CERTIFICATE----- . . . -----END CERTIFICATE----- </relay-extra-ca> # specify the TLS auth key for the relay server relay-key-direction 1 <relay-tls-auth> -----BEGIN OpenVPN Static key V1----- . . . -----END OpenVPN Static key V1----- </relay-tls-auth>
2016-11-20 21:06:35 +01:00
TransportClientFactory::Ptr transport_factory_relay()
{
TransportClient::Ptr tc(new TransportRelayFactory::TransportClientNull(transport.get()));
tc.swap(transport);
return new TransportRelayFactory(io_context, std::move(tc), this);
}
void transport_factory_override(TransportClientFactory::Ptr factory)
{
transport_factory = std::move(factory);
}
explicit-exit-notify fixes.
2012-02-27 09:16:27 +01:00
void send_explicit_exit_notify()
{
if (!halt)
Base::send_explicit_exit_notify();
}
Added disconnect bool to TunBuilderBase::tun_builder_teardown: + // Indicates that tunnel is being torn down. + // If disconnect == true, then the teardown is occurring + // prior to final disconnect. + virtual void tun_builder_teardown(bool disconnect) {}
2014-08-25 07:09:16 +02:00
void tun_set_disconnect()
{
if (tun)
tun->set_disconnect();
}
protocol : allow client UI to post client -> server control channel messages using the new ClientAPI::OpenVPNClient::post_cc_msg() method: // post control channel message void post_cc_msg(const std::string& msg);
2016-12-08 23:23:01 +01:00
void post_cc_msg(const std::string& msg)
{
Base::update_now();
Base::write_control_string(msg);
Base::flush(true);
set_housekeeping_timer();
}
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
void stop(const bool call_terminate_callback)
{
Added ClientConnect class which implements an "always-try-to-reconnect" approach, with remote list rotation. Only gives up on auth failure.
2012-02-07 12:37:35 +01:00
if (!halt)
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
{
Added ClientConnect class which implements an "always-try-to-reconnect" approach, with remote list rotation. Only gives up on auth failure.
2012-02-07 12:37:35 +01:00
halt = true;
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
housekeeping_timer.cancel();
push_request_timer.cancel();
Implemented "inactive" directive.
2013-05-25 03:19:50 +02:00
inactive_timer.cancel();
INFO message : buffer INFO control-channel messages received near Connected event to fire one second after Connected event, to reduce the chance of race conditions in the client app, if the INFO event triggers the client app to perform an operation that requires the VPN tunnel to be ready.
2016-08-17 23:23:26 +02:00
info_hold_timer.cancel();
Added disconnect bool to TunBuilderBase::tun_builder_teardown: + // Indicates that tunnel is being torn down. + // If disconnect == true, then the teardown is occurring + // prior to final disconnect. + virtual void tun_builder_teardown(bool disconnect) {}
2014-08-25 07:09:16 +02:00
if (notify_callback && call_terminate_callback)
notify_callback->client_proto_terminate();
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
if (tun)
Added disconnect bool to TunBuilderBase::tun_builder_teardown: + // Indicates that tunnel is being torn down. + // If disconnect == true, then the teardown is occurring + // prior to final disconnect. + virtual void tun_builder_teardown(bool disconnect) {}
2014-08-25 07:09:16 +02:00
tun->stop(); // call after client_proto_terminate() so it can call back to tun_set_disconnect
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
if (transport)
transport->stop();
}
}
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Added i/o abstraction layer. Created a lightweight abstraction layer so that another i/o reactor can be dropped in place of asio. The basic approach is to rename all references to asio::xxx types to openvpn_io::xxx and then make openvpn_io a preprocessor variable that points to the top-level namespace of the i/o reactor implementation. All of the source files that currently include <asio.hpp> now include <openvpn/io/io.hpp> instead: This gives us a lightweight abstraction layer that allows us to define openvpn_io to be something other than asio. Other changes: * Inclusion of asio by scripts/build is now optional, and is enabled by passing ASIO=1 or ASIO_DIR=<dir>. * Refactored openvpn/common/socktypes.hpp to no longer require asio. * Refactored openvpn/log/logthread.hpp to no longer require asio. * Added openvpn::get_hostname() method as alternative to calling asio directly. * openvpn/openssl/util/init.hpp will now #error if USE_ASIO is undefined. Signed-off-by: James Yonan <james@openvpn.net>
2017-03-30 23:10:56 +02:00
void stop_on_signal(const openvpn_io::error_code& error, int signal_number)
Added ClientConnect class which implements an "always-try-to-reconnect" approach, with remote list rotation. Only gives up on auth failure.
2012-02-07 12:37:35 +01:00
{
stop(true);
}
events : in client core, delay transmission of "Connected" event to the last possible moment to avoid premature trigger of post-connect events.
2016-09-02 20:52:21 +02:00
bool reached_connected_state() const { return bool(connected_); }
Added ClientConnect class which implements an "always-try-to-reconnect" approach, with remote list rotation. Only gives up on auth failure.
2012-02-07 12:37:35 +01:00
Added new explicit TRANSPORT_ERROR event that is triggered when the transport layer socket (UDP, TCP, or HTTP proxy) encounters a send error that indicates potential network reconfiguration at the system level. TRANSPORT_ERROR will trigger a core-level reconnect in 5 seconds (higher than the usual 2), and also notify the higher levels (above ClientAPI::OpenVPNClient), allowing them to schedule their own network reachability tests to preempt the default 5-second reconnect.
2014-08-22 23:32:35 +02:00
// If fatal() returns something other than Error::UNDEF, it
// is intended to flag the higher levels (cliconnect.hpp)
// that special handling is required. This handling might include
// considering the error to be fatal and stopping future connect
// retries, or emitting a special event. See cliconnect.hpp
// for actual implementation.
Android 4 client port is almost working (need to get an Android build that includes tun driver to test further).
2012-02-19 02:36:50 +01:00
Error::Type fatal() const { return fatal_; }
const std::string& fatal_reason() const { return fatal_reason_; }
Added AuthFailed as an event type.
2012-02-15 19:19:34 +01:00
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
virtual ~Session()
{
stop(false);
}
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
private:
Core changes to TransportClient and TransportClientParent: * Allow users to specify if OpenVPN protocol is to be used via transport_is_openvpn_protocol(). This allows the transport classes to be used for non-OpenVPN protocols such as HTTPS. * Added transport_send_queue_empty() and transport_needs_send() methods for flow control when using non-OpenVPN protocols.
2015-05-06 09:20:00 +02:00
virtual bool transport_is_openvpn_protocol()
{
return true;
}
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
// transport obj calls here with incoming packets
virtual void transport_recv(BufferAllocated& buf)
{
try {
Allow test/ssl/proto.cpp to be run on Mac OS X with PolarSSL used as both client and server implementation. Added DH support to PolarSSL. Added CLIENT_NO_RENEG and SERVER_NO_RENEG flags to test code in proto.cpp to allow scenarios to be tested where either the server, client, or both initiate renegotiation. Updated test/ovpncli/cli.cpp with new command line options and will now run on Mac OS X. Updated Android and iOS build systems to no longer include any LZO support, and to include Snappy support instead.
2012-09-15 08:56:18 +02:00
OPENVPN_LOG_CLIPROTO("Transport RECV " << server_endpoint_render() << ' ' << Base::dump_packet(buf));
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
// update current time
Base::update_now();
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
"last packet received n seconds ago" stat is now provided by core.
2012-09-06 00:03:26 +02:00
// update last packet received
stat().update_last_packet_received(now());
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
// log connecting event (only on first packet received)
if (!first_packet_received_)
{
ClientEvent::Base::Ptr ev = new ClientEvent::Connecting();
ClientEvent : Use C++11 rvalue/move semantics in client event handling.
2016-05-11 05:26:34 +02:00
cli_events->add_event(std::move(ev));
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
first_packet_received_ = true;
}
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
// get packet type
Removed some typename qualifiers from proto.hpp and cliproto.hpp that are no longer necessary since ProtoContext is no longer a class template.
2014-10-20 21:01:40 +02:00
Base::PacketType pt = Base::packet_type(buf);
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
// process packet
Fixed core bug that could cause reconnected TCP sessions to lock up with repeating replay errors if server sends data channel packets immediately after KeyContext goes ACTIVE but before tun object in ClientProto is initialized.
2013-05-22 06:56:48 +02:00
if (pt.is_data())
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
{
// data packet
Base::data_decrypt(pt, buf);
if (buf.size())
{
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
#ifdef OPENVPN_PACKET_LOG
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
log_packet(buf, false);
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
#endif
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
// make packet appear as incoming on tun interface
Fixed core bug that could cause reconnected TCP sessions to lock up with repeating replay errors if server sends data channel packets immediately after KeyContext goes ACTIVE but before tun object in ClientProto is initialized.
2013-05-22 06:56:48 +02:00
if (tun)
{
OPENVPN_LOG_CLIPROTO("TUN send, size=" << buf.size());
tun->tun_send(buf);
}
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
}
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
// do a lightweight flush
Base::flush(false);
}
else if (pt.is_control())
{
// control packet
OpenVPN protocol core : when passing objects to methods that may assert ownership over them, use C++11 rvalue/move semantics.
2016-05-10 21:02:11 +02:00
Base::control_net_recv(pt, std::move(buf));
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
// do a full flush
Base::flush(true);
}
ovpn3 core : Added automatic data limits for Blowfish, Triple DES, and other 64-bit block-size ciphers vulnerable to "Sweet32" birthday attack (CVE-2016-6329). Limit such cipher keys to no more than 64 MB of data encrypted/decrypted. While our overall goal is to limit data-limited keys to 64 MB, we trigger a renegotiation at 48 MB to compensate for possible delays in renegotiation and rollover to the new key. This client-side implementation extends data limit protection to the entire session, even when the server doesn't implement data limits. This capability is advertised to servers via the a peer info setting: IV_BS64DL=1 meaning "Block-Size 64-bit Data Limit". The "1" indicates the implementation version. The implementation currently has some limitations: * Keys are renegotiated at a maximum rate of once per 5 seconds to reduce the likelihood of loss of synchronization between peers. * The maximum renegotiation rate may be further extended if the peer delays rollover from the old to new key after renegotiation. Added N_KEY_LIMIT_RENEG stats counter to count the number of data-limit-triggered renegotiations. Added new stats counter KEY_STATE_ERROR which roughly corresponds to the OpenVPN 2.x error "TLS Error: local/remote TLS keys are out of sync". Prevously, the TLS ack/retransmit timeout was hardcoded to 2 seconds. Now we lower the default to 1 second and make it variable using the (pushable) "tls-timeout" directive. Additionally, the tls-timeout directive can be specified in milliseconds instead of seconds by using the "tls-timeout-ms" form of the directive. Made the "become primary" time duration configurable via the (pushable) "become-primary" directive which accepts a number-of-seconds parameter. become-primary indicates the time delay between renegotiation and rollover to the new key for encryption/transmission. become-primary defaults to the handshake-window which in turn defaults to 60 seconds. Incremented core version to 3.0.20.
2016-09-01 23:19:00 +02:00
else
cli_stats->error(Error::KEY_STATE_ERROR);
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
// schedule housekeeping wakeup
set_housekeeping_timer();
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
}
Added support to new core for remote-cert-tls, remote-cert-ku, and remote-cert-eku directives.
2012-10-31 15:46:40 +01:00
catch (const ExceptionCode& e)
{
Added parser size validation constants in openvpn/client/cliconstants.hpp
2012-11-12 02:52:03 +01:00
if (e.code_defined())
{
if (e.fatal())
transport_error((Error::Type)e.code(), e.what());
else
cli_stats->error((Error::Type)e.code());
}
Added support to new core for remote-cert-tls, remote-cert-ku, and remote-cert-eku directives.
2012-10-31 15:46:40 +01:00
else
Minor exception code cleanup.
2012-11-14 17:41:33 +01:00
process_exception(e, "transport_recv_excode");
}
catch (const std::exception& e)
{
process_exception(e, "transport_recv");
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
}
}
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Core changes to TransportClient and TransportClientParent: * Allow users to specify if OpenVPN protocol is to be used via transport_is_openvpn_protocol(). This allows the transport classes to be used for non-OpenVPN protocols such as HTTPS. * Added transport_send_queue_empty() and transport_needs_send() methods for flow control when using non-OpenVPN protocols.
2015-05-06 09:20:00 +02:00
virtual void transport_needs_send()
{
}
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
// tun i/o driver calls here with incoming packets
virtual void tun_recv(BufferAllocated& buf)
{
try {
OPENVPN_LOG_CLIPROTO("TUN recv, size=" << buf.size());
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
// update current time
Base::update_now();
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Implemented tcp-queue-limit parameter for OpenVPN 3 client, with a default value of 64 (this is the same parameter name and default from OpenVPN 2 server). tcp-queue-limit sets a maximum size limit on the outgoing TCP packet queue and will drop packets and increment the TCP_OVERFLOW counter if the limit would be exceeded. Previously, the limit was hardcoded at 1024 packets and would result in a disconnect/reconnect if exceeded rather than merely dropping the packet.
2015-10-19 08:32:13 +02:00
// log packet
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
#ifdef OPENVPN_PACKET_LOG
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
log_packet(buf, true);
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
#endif
Implemented tcp-queue-limit parameter for OpenVPN 3 client, with a default value of 64 (this is the same parameter name and default from OpenVPN 2 server). tcp-queue-limit sets a maximum size limit on the outgoing TCP packet queue and will drop packets and increment the TCP_OVERFLOW counter if the limit would be exceeded. Previously, the limit was hardcoded at 1024 packets and would result in a disconnect/reconnect if exceeded rather than merely dropping the packet.
2015-10-19 08:32:13 +02:00
// if transport layer has an output queue, check if it's full
if (transport_has_send_queue)
{
if (transport->transport_send_queue_size() > tcp_queue_limit)
{
buf.reset_size(); // queue full, drop packet
cli_stats->error(Error::TCP_OVERFLOW);
}
}
// encrypt packet
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
if (buf.size())
{
Implemented tcp-queue-limit parameter for OpenVPN 3 client, with a default value of 64 (this is the same parameter name and default from OpenVPN 2 server). tcp-queue-limit sets a maximum size limit on the outgoing TCP packet queue and will drop packets and increment the TCP_OVERFLOW counter if the limit would be exceeded. Previously, the limit was hardcoded at 1024 packets and would result in a disconnect/reconnect if exceeded rather than merely dropping the packet.
2015-10-19 08:32:13 +02:00
Base::data_encrypt(buf);
if (buf.size())
{
// send packet via transport to destination
OPENVPN_LOG_CLIPROTO("Transport SEND " << server_endpoint_render() << ' ' << Base::dump_packet(buf));
if (transport->transport_send(buf))
Base::update_last_sent();
else if (halt)
return;
}
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
}
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
// do a lightweight flush
Base::flush(false);
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
// schedule housekeeping wakeup
set_housekeeping_timer();
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
}
Search/replace of: std::exception& e to: const std::exception& e
2012-02-17 20:28:44 +01:00
catch (const std::exception& e)
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
{
First working iOS build.
2012-07-01 17:37:46 +02:00
process_exception(e, "tun_recv");
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
}
}
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
keepalive : added is_keepalive_enabled() method.
2016-07-13 07:15:35 +02:00
// Return true if keepalive parameter(s) are enabled.
virtual bool is_keepalive_enabled() const
{
return Base::is_keepalive_enabled();
}
Added client hooks for DCO (Data Channel offload). Updated tun implementation on Linux.
2015-06-17 09:48:33 +02:00
// Disable keepalive for rest of session, but fetch
// the keepalive parameters (in seconds).
virtual void disable_keepalive(unsigned int& keepalive_ping,
unsigned int& keepalive_timeout)
{
Base::disable_keepalive(keepalive_ping, keepalive_timeout);
}
New implementation of tunPersist for Mac OS X based on FailsafeBlock strategy, where the default route and DNS client are redirected to localhost during pause/reconnect.
2014-03-31 07:21:28 +02:00
virtual void ip_hole_punch(const IP::Addr& addr)
{
tun_factory->ip_hole_punch(addr);
}
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
virtual void transport_pre_resolve()
{
ClientEvent::Base::Ptr ev = new ClientEvent::Resolve();
ClientEvent : Use C++11 rvalue/move semantics in client event handling.
2016-05-11 05:26:34 +02:00
cli_events->add_event(std::move(ev));
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
}
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
std::string server_endpoint_render()
{
std::string server_host, server_port, server_proto, server_ip;
transport->server_endpoint_info(server_host, server_port, server_proto, server_ip);
std::ostringstream out;
In client, when logging IP:port pairs, bracket the IP to avoid confusion with IPv6.
2016-02-04 23:48:33 +01:00
out << '[' << server_host << "]:" << server_port << " (" << server_ip << ") via " << server_proto;
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
return out.str();
}
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Android 1.1.4 build 17 Better differentiation between "waiting for proxy" vs. "waiting for server" in UI event messaging.
2012-10-31 19:54:02 +01:00
virtual void transport_wait_proxy()
{
ClientEvent::Base::Ptr ev = new ClientEvent::WaitProxy();
ClientEvent : Use C++11 rvalue/move semantics in client event handling.
2016-05-11 05:26:34 +02:00
cli_events->add_event(std::move(ev));
Android 1.1.4 build 17 Better differentiation between "waiting for proxy" vs. "waiting for server" in UI event messaging.
2012-10-31 19:54:02 +01:00
}
virtual void transport_wait()
{
ClientEvent::Base::Ptr ev = new ClientEvent::Wait();
ClientEvent : Use C++11 rvalue/move semantics in client event handling.
2016-05-11 05:26:34 +02:00
cli_events->add_event(std::move(ev));
Android 1.1.4 build 17 Better differentiation between "waiting for proxy" vs. "waiting for server" in UI event messaging.
2012-10-31 19:54:02 +01:00
}
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
virtual void transport_connecting()
{
try {
OPENVPN_LOG("Connecting to " << server_endpoint_render());
Added Relay capability, a kind of proxy function similar to HTTP CONNECT but implemented over the OpenVPN protocol. 1. Client connects to relay server as if it were connecting to an ordinary OpenVPN server. 2. Client authenticates to relay server using its client certificate. 3. Client sends a PUSH_REQUEST method to relay server which then replies with a RELAY message instead of PUSH_REPLY. 4. On receiving the RELAY message, the client attempts to reconnect using the existing transport socket. The server will proxy this new connection (at the transport layer) to a second server (chosen by the relay server) that is the target of proxy. 5. The client must establish and authenticate a new session from scratch with the target server, only reusing the transport layer socket from the original connection to the relay server. 6. The relay acts as a man-in-the-middle only at the transport layer (like most proxies), i.e. it forwards the encrypted session between client and target server without decrypting or having the capability to decrypt the session. 7. The client is designed to protect against potentially untrusted or malicious relays: (a) The client never transmits the target server username/password credentials to the relay server. (b) The relay forwards the encrypted OpenVPN session between client and target server without having access to the session keys. (c) The client configuration has a special directive for relay server CA (<relay-extra-ca>) and relay server tls-auth key (<relay-tls-auth>) to allow for separation of TLS/crypto configuration between relay and target servers. (d) The client will reject any PUSH_REPLY messages from the relay itself to prevent the relay from trying to establish a tunnel directly with the client. Example configuring a client for relay: # remote addresses point to the relay server remote ... 1194 udp remote ... 443 tcp # include all other directives for connecting # to the target server # enable relay mode relay-mode # constrain the relay server's cert type relay-ns-cert-type server # include extra CAs that validate the relay # server cert (optional). <relay-extra-ca> -----BEGIN CERTIFICATE----- . . . -----END CERTIFICATE----- </relay-extra-ca> # specify the TLS auth key for the relay server relay-key-direction 1 <relay-tls-auth> -----BEGIN OpenVPN Static key V1----- . . . -----END OpenVPN Static key V1----- </relay-tls-auth>
2016-11-20 21:06:35 +01:00
Base::set_protocol(transport->transport_protocol());
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
Base::start();
Base::flush(true);
set_housekeeping_timer();
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
}
Search/replace of: std::exception& e to: const std::exception& e
2012-02-17 20:28:44 +01:00
catch (const std::exception& e)
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
{
First working iOS build.
2012-07-01 17:37:46 +02:00
process_exception(e, "transport_connecting");
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
}
}
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Did some refactoring to make it easier for tun and transport objects to communicate specific errors or warnings. Added TUN_IFACE_CREATE event, which indicates an error creating the tun interface. Added REROUTE_GW_NO_DNS error stat, which indicates that redirect-gateway (IPv4) was processed without an accompanying DNS directive.
2012-10-24 11:32:15 +02:00
virtual void transport_error(const Error::Type fatal_err, const std::string& err_text)
Initial HTTP proxy implementation in core, with support for non-authenticated proxies and Basic Auth. Includes new PROXY_ERROR and PROXY_NEED_CREDS events. Still to do: Digest and NTLM auth.
2012-10-24 08:38:20 +02:00
{
Did some refactoring to make it easier for tun and transport objects to communicate specific errors or warnings. Added TUN_IFACE_CREATE event, which indicates an error creating the tun interface. Added REROUTE_GW_NO_DNS error stat, which indicates that redirect-gateway (IPv4) was processed without an accompanying DNS directive.
2012-10-24 11:32:15 +02:00
if (fatal_err != Error::UNDEF)
{
fatal_ = fatal_err;
fatal_reason_ = err_text;
}
Initial HTTP proxy implementation in core, with support for non-authenticated proxies and Basic Auth. Includes new PROXY_ERROR and PROXY_NEED_CREDS events. Still to do: Digest and NTLM auth.
2012-10-24 08:38:20 +02:00
if (notify_callback)
{
Did some refactoring to make it easier for tun and transport objects to communicate specific errors or warnings. Added TUN_IFACE_CREATE event, which indicates an error creating the tun interface. Added REROUTE_GW_NO_DNS error stat, which indicates that redirect-gateway (IPv4) was processed without an accompanying DNS directive.
2012-10-24 11:32:15 +02:00
OPENVPN_LOG("Transport Error: " << err_text);
Initial HTTP proxy implementation in core, with support for non-authenticated proxies and Basic Auth. Includes new PROXY_ERROR and PROXY_NEED_CREDS events. Still to do: Digest and NTLM auth.
2012-10-24 08:38:20 +02:00
stop(true);
}
else
Did some refactoring to make it easier for tun and transport objects to communicate specific errors or warnings. Added TUN_IFACE_CREATE event, which indicates an error creating the tun interface. Added REROUTE_GW_NO_DNS error stat, which indicates that redirect-gateway (IPv4) was processed without an accompanying DNS directive.
2012-10-24 11:32:15 +02:00
throw transport_exception(err_text);
Initial HTTP proxy implementation in core, with support for non-authenticated proxies and Basic Auth. Includes new PROXY_ERROR and PROXY_NEED_CREDS events. Still to do: Digest and NTLM auth.
2012-10-24 08:38:20 +02:00
}
Did some refactoring to make it easier for tun and transport objects to communicate specific errors or warnings. Added TUN_IFACE_CREATE event, which indicates an error creating the tun interface. Added REROUTE_GW_NO_DNS error stat, which indicates that redirect-gateway (IPv4) was processed without an accompanying DNS directive.
2012-10-24 11:32:15 +02:00
virtual void proxy_error(const Error::Type fatal_err, const std::string& err_text)
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
{
Did some refactoring to make it easier for tun and transport objects to communicate specific errors or warnings. Added TUN_IFACE_CREATE event, which indicates an error creating the tun interface. Added REROUTE_GW_NO_DNS error stat, which indicates that redirect-gateway (IPv4) was processed without an accompanying DNS directive.
2012-10-24 11:32:15 +02:00
if (fatal_err != Error::UNDEF)
{
fatal_ = fatal_err;
fatal_reason_ = err_text;
}
Added ClientConnect class which implements an "always-try-to-reconnect" approach, with remote list rotation. Only gives up on auth failure.
2012-02-07 12:37:35 +01:00
if (notify_callback)
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
{
Did some refactoring to make it easier for tun and transport objects to communicate specific errors or warnings. Added TUN_IFACE_CREATE event, which indicates an error creating the tun interface. Added REROUTE_GW_NO_DNS error stat, which indicates that redirect-gateway (IPv4) was processed without an accompanying DNS directive.
2012-10-24 11:32:15 +02:00
OPENVPN_LOG("Proxy Error: " << err_text);
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
stop(true);
}
else
Did some refactoring to make it easier for tun and transport objects to communicate specific errors or warnings. Added TUN_IFACE_CREATE event, which indicates an error creating the tun interface. Added REROUTE_GW_NO_DNS error stat, which indicates that redirect-gateway (IPv4) was processed without an accompanying DNS directive.
2012-10-24 11:32:15 +02:00
throw proxy_exception(err_text);
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
}
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
void extract_auth_token(const OptionList& opt)
{
Autologin Session fix: client core will now set the password to "auth-token-request" to request the server to issue an Autologin Session. ClientCreds::set_session_id() now also accepts a username argument, since the combination of username/token-id defines the session.
2016-02-04 19:31:08 +01:00
std::string username;
Support autologin sessions in client.
2016-01-27 09:32:48 +01:00
// auth-token-user
{
const Option* o = opt.get_ptr("auth-token-user");
if (o)
Autologin Session fix: client core will now set the password to "auth-token-request" to request the server to issue an Autologin Session. ClientCreds::set_session_id() now also accepts a username argument, since the combination of username/token-id defines the session.
2016-02-04 19:31:08 +01:00
username = base64->decode(o->get(1, 256));
Support autologin sessions in client.
2016-01-27 09:32:48 +01:00
}
// auth-token
{
// if auth-token is present, use it as the password for future renegotiations
const Option* o = opt.get_ptr("auth-token");
if (o)
{
const std::string& sess_id = o->get(1, 256);
if (creds)
{
Autologin Session fix: client core will now set the password to "auth-token-request" to request the server to issue an Autologin Session. ClientCreds::set_session_id() now also accepts a username argument, since the combination of username/token-id defines the session.
2016-02-04 19:31:08 +01:00
if (!username.empty())
OPENVPN_LOG("Session user: " << username);
Android 4 client: * Added OpenVPN log file page view in advanced preferences. * Added OpenSSL verify_callback. * Support ns-cert-type * Sanitize logged data to remove Session ID.
2012-03-08 11:30:43 +01:00
#ifdef OPENVPN_SHOW_SESSION_TOKEN
Support autologin sessions in client.
2016-01-27 09:32:48 +01:00
OPENVPN_LOG("Session token: " << sess_id);
Android 4 client: * Added OpenVPN log file page view in advanced preferences. * Added OpenSSL verify_callback. * Support ns-cert-type * Sanitize logged data to remove Session ID.
2012-03-08 11:30:43 +01:00
#else
Support autologin sessions in client.
2016-01-27 09:32:48 +01:00
OPENVPN_LOG("Session token: [redacted]");
Android 4 client: * Added OpenVPN log file page view in advanced preferences. * Added OpenSSL verify_callback. * Support ns-cert-type * Sanitize logged data to remove Session ID.
2012-03-08 11:30:43 +01:00
#endif
Autologin Session fix: client core will now set the password to "auth-token-request" to request the server to issue an Autologin Session. ClientCreds::set_session_id() now also accepts a username argument, since the combination of username/token-id defines the session.
2016-02-04 19:31:08 +01:00
creds->set_session_id(username, sess_id);
Support autologin sessions in client.
2016-01-27 09:32:48 +01:00
}
}
}
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
}
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
// proto base class calls here for control channel network sends
virtual void control_net_send(const Buffer& net_buf)
{
Allow test/ssl/proto.cpp to be run on Mac OS X with PolarSSL used as both client and server implementation. Added DH support to PolarSSL. Added CLIENT_NO_RENEG and SERVER_NO_RENEG flags to test code in proto.cpp to allow scenarios to be tested where either the server, client, or both initiate renegotiation. Updated test/ovpncli/cli.cpp with new command line options and will now run on Mac OS X. Updated Android and iOS build systems to no longer include any LZO support, and to include Snappy support instead.
2012-09-15 08:56:18 +02:00
OPENVPN_LOG_CLIPROTO("Transport SEND " << server_endpoint_render() << ' ' << Base::dump_packet(net_buf));
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
if (transport->transport_send_const(net_buf))
Base::update_last_sent();
}
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
// proto base class calls here for app-level control-channel messages received
OpenVPN protocol core : when passing objects to methods that may assert ownership over them, use C++11 rvalue/move semantics.
2016-05-10 21:02:11 +02:00
virtual void control_recv(BufferPtr&& app_bp)
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
{
More profile validation.
2012-11-14 03:35:50 +01:00
const std::string msg = Unicode::utf8_printable(Base::template read_control_string<std::string>(*app_bp),
Added INFO notification to OpenVPN control channel protocol: INFO,<payload> Payload can be any UTF-8 printable string under 64 KB (multiple lines are okay). INFO notifications can be sent from server to client in real-time, on any active client connection. The client will attach the payload to an INFO event and forward it to the controlling app via the event callback: virtual void event(const Event&) = 0;
2016-05-11 01:53:09 +02:00
Unicode::UTF8_FILTER|Unicode::UTF8_PASS_FMT);
More profile validation.
2012-11-14 03:35:50 +01:00
OpenVPN 1.0 Beta 21 (iOS) Implemented IPv6 in iOS client. Added new flags to redirect-gateway to control whether redirection occurs at IPv4 or IPv6 levels (or both): * ipv4 (default) * !ipv4 * ipv6 * !ipv6 Added new directive "redirect-dns yes|no". If yes, all DNS requests will be forwarded through pushed DNS servers. If no, only DNS requests that match domains enumerated in "dhcp-option DOMAIN" directives will be forwarded. If redirect-dns is omitted, it will default to yes if redirect-gateway is specified at the IPv4 level (this is the normal pre-existing behavior). Allow the following aggregated options that are normally pushed by the server to be defined in the config file as well. These options will be combined with server-pushed options: * route * route-ipv6 * redirect-gateway * redirect-private * dhcp-option Allow the following singleton options (i.e. options that don't aggregate), that are normally pushed, to be defined in the config file (note that server-pushed singleton options will override the config file setting): * redirect-dns The Connection Details section of the UI now displays VPN IP addresses for IPv4 and IPv6. Added new pushable option "client-ip IP_ADDR" that can be pushed by the server with the client's IP address as seen by the server. The client will then show the address in the Connection Details section of the UI.
2012-10-03 11:03:02 +02:00
//OPENVPN_LOG("SERVER: " << sanitize_control_message(msg));
Added parser size validation constants in openvpn/client/cliconstants.hpp
2012-11-12 02:52:03 +01:00
Boost dependency elimination -- change boost::algorithm usage (for string algorithms) to use methods of our own implementation in openvpn/common/string.hpp.
2015-06-05 03:22:59 +02:00
if (!received_options.complete() && string::starts_with(msg, "PUSH_REPLY,"))
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
{
// parse the received options
Implemented route-nopull (second attempt).
2013-03-14 03:54:58 +01:00
received_options.add(OptionList::parse_from_csv_static(msg.substr(11), &pushed_options_limit),
pushed_options_filter.get());
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
if (received_options.complete())
{
// show options
Log unused options, i.e. options specified in config file that were unrecognized, ignored, or unused. This behavior is somewhat different (by design) to 2.x branch, which will raise a fatal exception if an unrecognized option is encountered.
2013-06-10 02:42:19 +02:00
OPENVPN_LOG("OPTIONS:" << std::endl << render_options_sanitized(received_options, Option::RENDER_PASS_FMT|Option::RENDER_NUMBER|Option::RENDER_BRACKET));
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Added Relay capability, a kind of proxy function similar to HTTP CONNECT but implemented over the OpenVPN protocol. 1. Client connects to relay server as if it were connecting to an ordinary OpenVPN server. 2. Client authenticates to relay server using its client certificate. 3. Client sends a PUSH_REQUEST method to relay server which then replies with a RELAY message instead of PUSH_REPLY. 4. On receiving the RELAY message, the client attempts to reconnect using the existing transport socket. The server will proxy this new connection (at the transport layer) to a second server (chosen by the relay server) that is the target of proxy. 5. The client must establish and authenticate a new session from scratch with the target server, only reusing the transport layer socket from the original connection to the relay server. 6. The relay acts as a man-in-the-middle only at the transport layer (like most proxies), i.e. it forwards the encrypted session between client and target server without decrypting or having the capability to decrypt the session. 7. The client is designed to protect against potentially untrusted or malicious relays: (a) The client never transmits the target server username/password credentials to the relay server. (b) The relay forwards the encrypted OpenVPN session between client and target server without having access to the session keys. (c) The client configuration has a special directive for relay server CA (<relay-extra-ca>) and relay server tls-auth key (<relay-tls-auth>) to allow for separation of TLS/crypto configuration between relay and target servers. (d) The client will reject any PUSH_REPLY messages from the relay itself to prevent the relay from trying to establish a tunnel directly with the client. Example configuring a client for relay: # remote addresses point to the relay server remote ... 1194 udp remote ... 443 tcp # include all other directives for connecting # to the target server # enable relay mode relay-mode # constrain the relay server's cert type relay-ns-cert-type server # include extra CAs that validate the relay # server cert (optional). <relay-extra-ca> -----BEGIN CERTIFICATE----- . . . -----END CERTIFICATE----- </relay-extra-ca> # specify the TLS auth key for the relay server relay-key-direction 1 <relay-tls-auth> -----BEGIN OpenVPN Static key V1----- . . . -----END OpenVPN Static key V1----- </relay-tls-auth>
2016-11-20 21:06:35 +01:00
// relay servers are not allowed to establish a tunnel with us
if (Base::conf().relay_mode)
{
tun_error(Error::RELAY_ERROR, "tunnel not permitted to relay server");
return;
}
ovpn3 client : added support for pushed "echo" directives to be transmitted to app via event channel using new ECHO event.
2016-03-28 08:31:35 +02:00
// process "echo" directives
if (echo)
process_echo(received_options);
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
// process auth-token
extract_auth_token(received_options);
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
// modify proto config (cipher, auth, and compression methods)
Compression selector in mobile clients is now 3-state: yes -- support compression on both uplink and downlink asym -- support compression on downlink only no (default) -- no compression (stubs only) Added our own internal LZO decompressor, which is enabled when HAVE_LZO is undefined and the standard LZO library is not linked. This allows clients to support LZO in downlink mode only if the library isn't available.
2012-09-08 03:36:54 +02:00
Base::process_push(received_options, *proto_context_options);
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Added client hooks for DCO (Data Channel offload). Updated tun implementation on Linux.
2015-06-17 09:48:33 +02:00
// initialize tun/routing
Don't use deprecated asio features.
2015-06-30 08:05:37 +02:00
tun = tun_factory->new_tun_client_obj(io_context, *this, transport.get());
Added client hooks for DCO (Data Channel offload). Updated tun implementation on Linux.
2015-06-17 09:48:33 +02:00
tun->tun_start(received_options, *transport, Base::dc_settings());
events : in client core, delay transmission of "Connected" event to the last possible moment to avoid premature trigger of post-connect events.
2016-09-02 20:52:21 +02:00
// we should be connected at this point
if (!connected_)
throw tun_exception("not connected");
Added client hooks for DCO (Data Channel offload). Updated tun implementation on Linux.
2015-06-17 09:48:33 +02:00
// initialize data channel after pushed options have been processed
Base::init_data_channel();
Major protocol upgrades: * peer_id/DATA_V2/op32 client -> server: IV_PROTO=2 server -> client : push "peer-id 1234" push "peer-id -1" * AEAD/GCM support client -> server: IV_NCP=2 server -> client: push "cipher AES-256-GCM" * Compression V2 client -> server: IV_LZ4v2=1 IV_COMP_STUBv2=1 server -> client: push "compress stub-v2" push "compress lz4-v2" * TCP non-linear packet ID client -> server: IV_TCPNL=1 server -> client: [always enabled]
2014-12-21 18:32:37 +01:00
// Allow ProtoContext to suggest an alignment adjustment
// hint for transport layer.
transport->reset_align_adjust(Base::align_adjust_hint());
Implemented "inactive" directive.
2013-05-25 03:19:50 +02:00
// process "inactive" directive
Added client hooks for DCO (Data Channel offload). Updated tun implementation on Linux.
2015-06-17 09:48:33 +02:00
process_inactive(received_options);
events : in client core, delay transmission of "Connected" event to the last possible moment to avoid premature trigger of post-connect events.
2016-09-02 20:52:21 +02:00
// tell parent that we are connected
if (notify_callback)
notify_callback->client_proto_connected();
// start info-hold timer
schedule_info_hold_callback();
// send the Connected event
cli_events->add_event(connected_);
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
}
else
OPENVPN_LOG("Options continuation...");
}
Boost dependency elimination -- change boost::algorithm usage (for string algorithms) to use methods of our own implementation in openvpn/common/string.hpp.
2015-06-05 03:22:59 +02:00
else if (string::starts_with(msg, "AUTH_FAILED"))
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
{
Added cachePassword boolean to ProvideCreds struct in core API. Separated the functionality of replacePasswordWithSessionID and cachePassword, and allow them to be used together, in which case the session ID will be used as the password until it expires or is invalidated, then the cached password will be used to reauth.
2013-01-25 03:34:20 +01:00
std::string reason;
std::string log_reason;
// get reason (if it exists) for authentication failure
Added AuthFailed as an event type.
2012-02-15 19:19:34 +01:00
if (msg.length() >= 13)
Boost dependency elimination -- change boost::algorithm usage (for string algorithms) to use methods of our own implementation in openvpn/common/string.hpp.
2015-06-05 03:22:59 +02:00
reason = string::trim_left_copy(std::string(msg, 12));
Added cachePassword boolean to ProvideCreds struct in core API. Separated the functionality of replacePasswordWithSessionID and cachePassword, and allow them to be used together, in which case the session ID will be used as the password until it expires or is invalidated, then the cached password will be used to reauth.
2013-01-25 03:34:20 +01:00
// If session token problem (such as expiration), and we have a cached
// password, retry with it. Otherwise, fail without retry.
Boost dependency elimination -- change boost::algorithm usage (for string algorithms) to use methods of our own implementation in openvpn/common/string.hpp.
2015-06-05 03:22:59 +02:00
if (string::starts_with(reason, "SESSION:")
autologin sessions : automatically retry connection on expired session.
2016-06-29 08:57:24 +02:00
&& (autologin_sessions
|| (creds && creds->can_retry_auth_with_cached_password())))
Added cachePassword boolean to ProvideCreds struct in core API. Separated the functionality of replacePasswordWithSessionID and cachePassword, and allow them to be used together, in which case the session ID will be used as the password until it expires or is invalidated, then the cached password will be used to reauth.
2013-01-25 03:34:20 +01:00
{
log_reason = "SESSION_AUTH_FAILED";
}
else
{
fatal_ = Error::AUTH_FAILED;
fatal_reason_ = reason;
log_reason = "AUTH_FAILED";
}
Added ClientConnect class which implements an "always-try-to-reconnect" approach, with remote list rotation. Only gives up on auth failure.
2012-02-07 12:37:35 +01:00
if (notify_callback)
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
{
Added cachePassword boolean to ProvideCreds struct in core API. Separated the functionality of replacePasswordWithSessionID and cachePassword, and allow them to be used together, in which case the session ID will be used as the password until it expires or is invalidated, then the cached password will be used to reauth.
2013-01-25 03:34:20 +01:00
OPENVPN_LOG(log_reason);
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
stop(true);
}
else
Added ClientConnect class which implements an "always-try-to-reconnect" approach, with remote list rotation. Only gives up on auth failure.
2012-02-07 12:37:35 +01:00
throw authentication_failed();
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
}
Fixed a race condition issue with "hot connect", i.e. sending a connect intent to service when already connected. One of the ramifications of the "hot connect" fix above is that OpenVPNClientBase.is_active() will now return a value that is instantaneously up-to-date, whereas events might lag because of the mechanics of inter-thread message posting. Keep this in mind when correlating received events to is_active() values. For C++ core threads, increased allowed thread-stop delay to 2.5 seconds before thread is marked as unresponsive and abandoned. Previous delay was 1 second. This delay can't be made too long, otherwise Android will tell the user that the app is unresponsive and invite them to kill it. When closing out an abandoned core thread, indicate this condition with a new event type called CORE_THREAD_ABANDONED. If the thread is abandoned due to lack of response to a disconnect request, then the CORE_THREAD_ABANDONED event will occur followed by CORE_THREAD_INACTIVE. For core threads that properly exit, the DISCONNECTED event will be followed by CORE_THREAD_INACTIVE. Added save_as_filename parameter to importProfileRemote method for controlling the filename that the imported profile is saved as. This parameter may be set to null to have the method choose an appropriate name. To have an imported profile replace an existing profile, the filenames much match. Added UI_OVERLOADED debugging constant to OpenVPNClient to allow the UI to connect to a profile when already connected to another profile in order to test "hot connect". Added new events CLIENT_HALT and CLIENT_RESTART for compatibility with an Access Server feature that allows the server to remotely kill or restart the client. When connecting a profile, the core will now automatically fill in the username if it is not specified for userlocked profiles. Version 0.902.
2012-03-31 18:08:20 +02:00
else if (ClientHalt::match(msg))
{
ClientHalt : added unicode_filter flag.
2016-05-05 08:22:09 +02:00
const ClientHalt ch(msg, true);
Fixed a race condition issue with "hot connect", i.e. sending a connect intent to service when already connected. One of the ramifications of the "hot connect" fix above is that OpenVPNClientBase.is_active() will now return a value that is instantaneously up-to-date, whereas events might lag because of the mechanics of inter-thread message posting. Keep this in mind when correlating received events to is_active() values. For C++ core threads, increased allowed thread-stop delay to 2.5 seconds before thread is marked as unresponsive and abandoned. Previous delay was 1 second. This delay can't be made too long, otherwise Android will tell the user that the app is unresponsive and invite them to kill it. When closing out an abandoned core thread, indicate this condition with a new event type called CORE_THREAD_ABANDONED. If the thread is abandoned due to lack of response to a disconnect request, then the CORE_THREAD_ABANDONED event will occur followed by CORE_THREAD_INACTIVE. For core threads that properly exit, the DISCONNECTED event will be followed by CORE_THREAD_INACTIVE. Added save_as_filename parameter to importProfileRemote method for controlling the filename that the imported profile is saved as. This parameter may be set to null to have the method choose an appropriate name. To have an imported profile replace an existing profile, the filenames much match. Added UI_OVERLOADED debugging constant to OpenVPNClient to allow the UI to connect to a profile when already connected to another profile in order to test "hot connect". Added new events CLIENT_HALT and CLIENT_RESTART for compatibility with an Access Server feature that allows the server to remotely kill or restart the client. When connecting a profile, the core will now automatically fill in the username if it is not specified for userlocked profiles. Version 0.902.
2012-03-31 18:08:20 +02:00
process_halt_restart(ch);
}
Added INFO notification to OpenVPN control channel protocol: INFO,<payload> Payload can be any UTF-8 printable string under 64 KB (multiple lines are okay). INFO notifications can be sent from server to client in real-time, on any active client connection. The client will attach the payload to an INFO event and forward it to the controlling app via the event callback: virtual void event(const Event&) = 0;
2016-05-11 01:53:09 +02:00
else if (info && string::starts_with(msg, "INFO,"))
{
INFO message : buffer INFO control-channel messages received near Connected event to fire one second after Connected event, to reduce the chance of race conditions in the client app, if the INFO event triggers the client app to perform an operation that requires the VPN tunnel to be ready.
2016-08-17 23:23:26 +02:00
// Buffer INFO messages received near Connected event to fire
// one second after Connected event, to reduce the chance of
// race conditions in the client app, if the INFO event
// triggers the client app to perform an operation that
// requires the VPN tunnel to be ready.
Added INFO notification to OpenVPN control channel protocol: INFO,<payload> Payload can be any UTF-8 printable string under 64 KB (multiple lines are okay). INFO notifications can be sent from server to client in real-time, on any active client connection. The client will attach the payload to an INFO event and forward it to the controlling app via the event callback: virtual void event(const Event&) = 0;
2016-05-11 01:53:09 +02:00
ClientEvent::Base::Ptr ev = new ClientEvent::Info(msg.substr(5));
INFO message : buffer INFO control-channel messages received near Connected event to fire one second after Connected event, to reduce the chance of race conditions in the client app, if the INFO event triggers the client app to perform an operation that requires the VPN tunnel to be ready.
2016-08-17 23:23:26 +02:00
if (info_hold)
info_hold->push_back(std::move(ev));
else
cli_events->add_event(std::move(ev));
Added INFO notification to OpenVPN control channel protocol: INFO,<payload> Payload can be any UTF-8 printable string under 64 KB (multiple lines are okay). INFO notifications can be sent from server to client in real-time, on any active client connection. The client will attach the payload to an INFO event and forward it to the controlling app via the event callback: virtual void event(const Event&) = 0;
2016-05-11 01:53:09 +02:00
}
Implemented client-side AUTH_PENDING protocol state AUTH_PENDING is a control channel message sent from server to client before PUSH_REPLY or AUTH_FAILED and is intended to signal the client that a browser-based out-of-band authentication challenge (such as SAML) needs to occur before the connection request can succeed or fail. When the core receives the AUTH_PENDING message, it will enter the AUTH_PENDING state and forward the message to the client UI as an event. The core will also dial back the PUSH_REQUEST transmit frequency to one message every 8 seconds, and the server is expected to reply with an AUTH_PENDING message after every PUSH_REQUEST. This is done as a sort of keepalive replacement since the normal OpenVPN protocol keepalive functionality isn't enabled until the crypto state is established, which doesn't happen until the PUSH_REPLY message is received from the server. During the AUTH_PENDING state, the server will likely want to push INFO messages to the client UI (such as INFO,OPEN_URL:) to facilitate the out-of-band authentication challenge. Normally, the client core buffers early INFO messages and doesn't release them to the UI until 1 second after the CONNECTED event. This is done because it was presumed that the server wouldn't want the client to act on the INFO messages until the tunnel is established. But the AUTH_PENDING state creates a need for an unbuffered INFO message, since the server may want to message the client UI during the AUTH_PENDING state and have that message be immediately processed. I've solved this problem by introducing a new control channel message called "INFO_PRE". INFO_PRE is handled exactly the same as INFO except it is never buffered. Also, note that INFO_PRE messages are delivered to the client UI as ordinary INFO events (I didn't actually create a new client event for INFO_PRE since I can't think of a reason why the client UI would need to distinguish between them). Signed-off-by: James Yonan <james@openvpn.net>
2018-04-12 22:32:14 +02:00
else if (info && string::starts_with(msg, "INFO_PRE,"))
{
// INFO_PRE is like INFO but it is never buffered
ClientEvent::Base::Ptr ev = new ClientEvent::Info(msg.substr(9));
cli_events->add_event(std::move(ev));
}
else if (msg == "AUTH_PENDING")
{
// AUTH_PENDING indicates an out-of-band authentication step must
// be performed before the server will send the PUSH_REPLY message.
if (!auth_pending)
{
auth_pending = true;
ClientEvent::Base::Ptr ev = new ClientEvent::AuthPending();
cli_events->add_event(std::move(ev));
}
}
Added Relay capability, a kind of proxy function similar to HTTP CONNECT but implemented over the OpenVPN protocol. 1. Client connects to relay server as if it were connecting to an ordinary OpenVPN server. 2. Client authenticates to relay server using its client certificate. 3. Client sends a PUSH_REQUEST method to relay server which then replies with a RELAY message instead of PUSH_REPLY. 4. On receiving the RELAY message, the client attempts to reconnect using the existing transport socket. The server will proxy this new connection (at the transport layer) to a second server (chosen by the relay server) that is the target of proxy. 5. The client must establish and authenticate a new session from scratch with the target server, only reusing the transport layer socket from the original connection to the relay server. 6. The relay acts as a man-in-the-middle only at the transport layer (like most proxies), i.e. it forwards the encrypted session between client and target server without decrypting or having the capability to decrypt the session. 7. The client is designed to protect against potentially untrusted or malicious relays: (a) The client never transmits the target server username/password credentials to the relay server. (b) The relay forwards the encrypted OpenVPN session between client and target server without having access to the session keys. (c) The client configuration has a special directive for relay server CA (<relay-extra-ca>) and relay server tls-auth key (<relay-tls-auth>) to allow for separation of TLS/crypto configuration between relay and target servers. (d) The client will reject any PUSH_REPLY messages from the relay itself to prevent the relay from trying to establish a tunnel directly with the client. Example configuring a client for relay: # remote addresses point to the relay server remote ... 1194 udp remote ... 443 tcp # include all other directives for connecting # to the target server # enable relay mode relay-mode # constrain the relay server's cert type relay-ns-cert-type server # include extra CAs that validate the relay # server cert (optional). <relay-extra-ca> -----BEGIN CERTIFICATE----- . . . -----END CERTIFICATE----- </relay-extra-ca> # specify the TLS auth key for the relay server relay-key-direction 1 <relay-tls-auth> -----BEGIN OpenVPN Static key V1----- . . . -----END OpenVPN Static key V1----- </relay-tls-auth>
2016-11-20 21:06:35 +01:00
else if (msg == "RELAY")
{
if (Base::conf().relay_mode)
{
fatal_ = Error::RELAY;
fatal_reason_ = "";
}
else
{
fatal_ = Error::RELAY_ERROR;
fatal_reason_ = "not in relay mode";
}
if (notify_callback)
{
OPENVPN_LOG(Error::name(fatal_) << ' ' << fatal_reason_);
stop(true);
}
else
throw relay_event();
}
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
}
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
virtual void tun_pre_tun_config()
{
ClientEvent::Base::Ptr ev = new ClientEvent::AssignIP();
ClientEvent : Use C++11 rvalue/move semantics in client event handling.
2016-05-11 05:26:34 +02:00
cli_events->add_event(std::move(ev));
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
}
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
virtual void tun_pre_route_config()
{
ClientEvent::Base::Ptr ev = new ClientEvent::AddRoutes();
ClientEvent : Use C++11 rvalue/move semantics in client event handling.
2016-05-11 05:26:34 +02:00
cli_events->add_event(std::move(ev));
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
}
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
virtual void tun_connected()
{
OPENVPN_LOG("Connected via " + tun->tun_name());
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
ClientEvent::Connected::Ptr ev = new ClientEvent::Connected();
Android 4 client fixes: Fixed session ID -> password replacement. Allow username to be specified as profile/username.
2012-02-28 00:00:29 +01:00
if (creds)
Android 4 UI work: * Multi-profile support. * UI now only shows required fields for each profile. * Added support for server field. * Added support for static challenge/response. * Persist profile/server settings to preferences store.
2012-03-01 09:11:00 +01:00
ev->user = creds->get_username();
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
transport->server_endpoint_info(ev->server_host, ev->server_port, ev->server_proto, ev->server_ip);
OpenVPN 1.0 Beta 21 (iOS) Implemented IPv6 in iOS client. Added new flags to redirect-gateway to control whether redirection occurs at IPv4 or IPv6 levels (or both): * ipv4 (default) * !ipv4 * ipv6 * !ipv6 Added new directive "redirect-dns yes|no". If yes, all DNS requests will be forwarded through pushed DNS servers. If no, only DNS requests that match domains enumerated in "dhcp-option DOMAIN" directives will be forwarded. If redirect-dns is omitted, it will default to yes if redirect-gateway is specified at the IPv4 level (this is the normal pre-existing behavior). Allow the following aggregated options that are normally pushed by the server to be defined in the config file as well. These options will be combined with server-pushed options: * route * route-ipv6 * redirect-gateway * redirect-private * dhcp-option Allow the following singleton options (i.e. options that don't aggregate), that are normally pushed, to be defined in the config file (note that server-pushed singleton options will override the config file setting): * redirect-dns The Connection Details section of the UI now displays VPN IP addresses for IPv4 and IPv6. Added new pushable option "client-ip IP_ADDR" that can be pushed by the server with the client's IP address as seen by the server. The client will then show the address in the Connection Details section of the UI.
2012-10-03 11:03:02 +02:00
ev->vpn_ip4 = tun->vpn_ip4();
ev->vpn_ip6 = tun->vpn_ip6();
ovpn3 client API : added VPN gateway (IPv4 and IPv6) to ClientAPI::ConnectionInfo object returned by ClientAPI::OpenVPNClient::connection_info()
2016-06-27 06:23:08 +02:00
ev->vpn_gw4 = tun->vpn_gw4();
ev->vpn_gw6 = tun->vpn_gw6();
OpenVPN 1.0 Beta 21 (iOS) Implemented IPv6 in iOS client. Added new flags to redirect-gateway to control whether redirection occurs at IPv4 or IPv6 levels (or both): * ipv4 (default) * !ipv4 * ipv6 * !ipv6 Added new directive "redirect-dns yes|no". If yes, all DNS requests will be forwarded through pushed DNS servers. If no, only DNS requests that match domains enumerated in "dhcp-option DOMAIN" directives will be forwarded. If redirect-dns is omitted, it will default to yes if redirect-gateway is specified at the IPv4 level (this is the normal pre-existing behavior). Allow the following aggregated options that are normally pushed by the server to be defined in the config file as well. These options will be combined with server-pushed options: * route * route-ipv6 * redirect-gateway * redirect-private * dhcp-option Allow the following singleton options (i.e. options that don't aggregate), that are normally pushed, to be defined in the config file (note that server-pushed singleton options will override the config file setting): * redirect-dns The Connection Details section of the UI now displays VPN IP addresses for IPv4 and IPv6. Added new pushable option "client-ip IP_ADDR" that can be pushed by the server with the client's IP address as seen by the server. The client will then show the address in the Connection Details section of the UI.
2012-10-03 11:03:02 +02:00
try {
More profile validation.
2012-11-14 03:35:50 +01:00
std::string client_ip = received_options.get_optional("client-ip", 1, 256);
Ignore pushed "client-ip" directive unless it is a valid IP address.
2012-10-07 10:57:41 +02:00
if (!client_ip.empty())
ev->client_ip = IP::Addr::validate(client_ip, "client-ip");
OpenVPN 1.0 Beta 21 (iOS) Implemented IPv6 in iOS client. Added new flags to redirect-gateway to control whether redirection occurs at IPv4 or IPv6 levels (or both): * ipv4 (default) * !ipv4 * ipv6 * !ipv6 Added new directive "redirect-dns yes|no". If yes, all DNS requests will be forwarded through pushed DNS servers. If no, only DNS requests that match domains enumerated in "dhcp-option DOMAIN" directives will be forwarded. If redirect-dns is omitted, it will default to yes if redirect-gateway is specified at the IPv4 level (this is the normal pre-existing behavior). Allow the following aggregated options that are normally pushed by the server to be defined in the config file as well. These options will be combined with server-pushed options: * route * route-ipv6 * redirect-gateway * redirect-private * dhcp-option Allow the following singleton options (i.e. options that don't aggregate), that are normally pushed, to be defined in the config file (note that server-pushed singleton options will override the config file setting): * redirect-dns The Connection Details section of the UI now displays VPN IP addresses for IPv4 and IPv6. Added new pushable option "client-ip IP_ADDR" that can be pushed by the server with the client's IP address as seen by the server. The client will then show the address in the Connection Details section of the UI.
2012-10-03 11:03:02 +02:00
}
catch (const std::exception& e)
{
Log lines from C++ exceptions should contain the text "exception" This makes it easier to scan log files for exceptions. Signed-off-by: James Yonan <james@openvpn.net>
2018-03-07 23:59:07 +01:00
OPENVPN_LOG("exception parsing client-ip: " << e.what());
OpenVPN 1.0 Beta 21 (iOS) Implemented IPv6 in iOS client. Added new flags to redirect-gateway to control whether redirection occurs at IPv4 or IPv6 levels (or both): * ipv4 (default) * !ipv4 * ipv6 * !ipv6 Added new directive "redirect-dns yes|no". If yes, all DNS requests will be forwarded through pushed DNS servers. If no, only DNS requests that match domains enumerated in "dhcp-option DOMAIN" directives will be forwarded. If redirect-dns is omitted, it will default to yes if redirect-gateway is specified at the IPv4 level (this is the normal pre-existing behavior). Allow the following aggregated options that are normally pushed by the server to be defined in the config file as well. These options will be combined with server-pushed options: * route * route-ipv6 * redirect-gateway * redirect-private * dhcp-option Allow the following singleton options (i.e. options that don't aggregate), that are normally pushed, to be defined in the config file (note that server-pushed singleton options will override the config file setting): * redirect-dns The Connection Details section of the UI now displays VPN IP addresses for IPv4 and IPv6. Added new pushable option "client-ip IP_ADDR" that can be pushed by the server with the client's IP address as seen by the server. The client will then show the address in the Connection Details section of the UI.
2012-10-03 11:03:02 +02:00
}
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
ev->tun_name = tun->tun_name();
events : in client core, delay transmission of "Connected" event to the last possible moment to avoid premature trigger of post-connect events.
2016-09-02 20:52:21 +02:00
connected_ = std::move(ev);
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
}
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Did some refactoring to make it easier for tun and transport objects to communicate specific errors or warnings. Added TUN_IFACE_CREATE event, which indicates an error creating the tun interface. Added REROUTE_GW_NO_DNS error stat, which indicates that redirect-gateway (IPv4) was processed without an accompanying DNS directive.
2012-10-24 11:32:15 +02:00
virtual void tun_error(const Error::Type fatal_err, const std::string& err_text)
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
{
Did some refactoring to make it easier for tun and transport objects to communicate specific errors or warnings. Added TUN_IFACE_CREATE event, which indicates an error creating the tun interface. Added REROUTE_GW_NO_DNS error stat, which indicates that redirect-gateway (IPv4) was processed without an accompanying DNS directive.
2012-10-24 11:32:15 +02:00
if (fatal_err != Error::UNDEF)
{
fatal_ = fatal_err;
fatal_reason_ = err_text;
}
Added ClientConnect class which implements an "always-try-to-reconnect" approach, with remote list rotation. Only gives up on auth failure.
2012-02-07 12:37:35 +01:00
if (notify_callback)
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
{
Did some refactoring to make it easier for tun and transport objects to communicate specific errors or warnings. Added TUN_IFACE_CREATE event, which indicates an error creating the tun interface. Added REROUTE_GW_NO_DNS error stat, which indicates that redirect-gateway (IPv4) was processed without an accompanying DNS directive.
2012-10-24 11:32:15 +02:00
OPENVPN_LOG("TUN Error: " << err_text);
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
stop(true);
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
}
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
else
Did some refactoring to make it easier for tun and transport objects to communicate specific errors or warnings. Added TUN_IFACE_CREATE event, which indicates an error creating the tun interface. Added REROUTE_GW_NO_DNS error stat, which indicates that redirect-gateway (IPv4) was processed without an accompanying DNS directive.
2012-10-24 11:32:15 +02:00
throw tun_exception(err_text);
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
}
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
// proto base class calls here to get auth credentials
virtual void client_auth(Buffer& buf)
{
Added Relay capability, a kind of proxy function similar to HTTP CONNECT but implemented over the OpenVPN protocol. 1. Client connects to relay server as if it were connecting to an ordinary OpenVPN server. 2. Client authenticates to relay server using its client certificate. 3. Client sends a PUSH_REQUEST method to relay server which then replies with a RELAY message instead of PUSH_REPLY. 4. On receiving the RELAY message, the client attempts to reconnect using the existing transport socket. The server will proxy this new connection (at the transport layer) to a second server (chosen by the relay server) that is the target of proxy. 5. The client must establish and authenticate a new session from scratch with the target server, only reusing the transport layer socket from the original connection to the relay server. 6. The relay acts as a man-in-the-middle only at the transport layer (like most proxies), i.e. it forwards the encrypted session between client and target server without decrypting or having the capability to decrypt the session. 7. The client is designed to protect against potentially untrusted or malicious relays: (a) The client never transmits the target server username/password credentials to the relay server. (b) The relay forwards the encrypted OpenVPN session between client and target server without having access to the session keys. (c) The client configuration has a special directive for relay server CA (<relay-extra-ca>) and relay server tls-auth key (<relay-tls-auth>) to allow for separation of TLS/crypto configuration between relay and target servers. (d) The client will reject any PUSH_REPLY messages from the relay itself to prevent the relay from trying to establish a tunnel directly with the client. Example configuring a client for relay: # remote addresses point to the relay server remote ... 1194 udp remote ... 443 tcp # include all other directives for connecting # to the target server # enable relay mode relay-mode # constrain the relay server's cert type relay-ns-cert-type server # include extra CAs that validate the relay # server cert (optional). <relay-extra-ca> -----BEGIN CERTIFICATE----- . . . -----END CERTIFICATE----- </relay-extra-ca> # specify the TLS auth key for the relay server relay-key-direction 1 <relay-tls-auth> -----BEGIN OpenVPN Static key V1----- . . . -----END OpenVPN Static key V1----- </relay-tls-auth>
2016-11-20 21:06:35 +01:00
// we never send creds to a relay server
if (creds && !Base::conf().relay_mode)
Android 4 client fixes: Fixed session ID -> password replacement. Allow username to be specified as profile/username.
2012-02-28 00:00:29 +01:00
{
Core creds changes: * Added better API documentation in ovpncli.hpp about the meaning of replacePasswordWithSessionID and cachePassword. * Log when creds are passed to server, including info about whether creds are blank and whether a Session ID was used in place of a password. Also indicate when creds are a response to a static or dynamic challenge. * Changed RESTART handling. When receiving a RESTART, always attempt a restart, never halt. When receiving a RESTART with psid==0, clear out any cached Session ID (if one exists) before doing the restart. * If can_retry_auth_with_cached_password() is called and modifies the password, make sure to clear the did_replace_password_with_session_id flag.
2014-01-08 05:32:37 +01:00
OPENVPN_LOG("Creds: " << creds->auth_info());
Android 4 UI work: * Multi-profile support. * UI now only shows required fields for each profile. * Added support for server field. * Added support for static challenge/response. * Persist profile/server settings to preferences store.
2012-03-01 09:11:00 +01:00
Base::write_auth_string(creds->get_username(), buf);
Base::write_auth_string(creds->get_password(), buf);
Android 4 client fixes: Fixed session ID -> password replacement. Allow username to be specified as profile/username.
2012-02-28 00:00:29 +01:00
}
else
{
Core creds changes: * Added better API documentation in ovpncli.hpp about the meaning of replacePasswordWithSessionID and cachePassword. * Log when creds are passed to server, including info about whether creds are blank and whether a Session ID was used in place of a password. Also indicate when creds are a response to a static or dynamic challenge. * Changed RESTART handling. When receiving a RESTART, always attempt a restart, never halt. When receiving a RESTART with psid==0, clear out any cached Session ID (if one exists) before doing the restart. * If can_retry_auth_with_cached_password() is called and modifies the password, make sure to clear the did_replace_password_with_session_id flag.
2014-01-08 05:32:37 +01:00
OPENVPN_LOG("Creds: None");
Android 4 client fixes: Fixed session ID -> password replacement. Allow username to be specified as profile/username.
2012-02-28 00:00:29 +01:00
Base::write_empty_string(buf); // username
Base::write_empty_string(buf); // password
}
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
}
Core: speed up client-side PUSH_REQUEST transmission to server at 0, 1, 2, 3, 3, ... seconds. Previously, transmission occurred at 1, 3, 3, ... seconds.
2014-08-18 06:25:26 +02:00
void send_push_request_callback(const Time::Duration& dur,
Added i/o abstraction layer. Created a lightweight abstraction layer so that another i/o reactor can be dropped in place of asio. The basic approach is to rename all references to asio::xxx types to openvpn_io::xxx and then make openvpn_io a preprocessor variable that points to the top-level namespace of the i/o reactor implementation. All of the source files that currently include <asio.hpp> now include <openvpn/io/io.hpp> instead: This gives us a lightweight abstraction layer that allows us to define openvpn_io to be something other than asio. Other changes: * Inclusion of asio by scripts/build is now optional, and is enabled by passing ASIO=1 or ASIO_DIR=<dir>. * Refactored openvpn/common/socktypes.hpp to no longer require asio. * Refactored openvpn/log/logthread.hpp to no longer require asio. * Added openvpn::get_hostname() method as alternative to calling asio directly. * openvpn/openssl/util/init.hpp will now #error if USE_ASIO is undefined. Signed-off-by: James Yonan <james@openvpn.net>
2017-03-30 23:10:56 +02:00
const openvpn_io::error_code& e)
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
{
try {
Bug fixes: * raise default headroom/tailroom to 512 for worst-case compression expansion * for TCP connections use async_connect instead of connect * for Time and Time::Duration, handle subtraction reasonably with infinite values * handle possible infinite duration in to_posix_duration * fix overflow in Time::Duration::to_milliseconds * call Base::update_now() in ClientProto::start
2012-02-07 21:52:40 +01:00
if (!e && !halt && !received_options.partial())
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
{
Base::update_now();
if (!sent_push_request)
{
ClientEvent::Base::Ptr ev = new ClientEvent::GetConfig();
ClientEvent : Use C++11 rvalue/move semantics in client event handling.
2016-05-11 05:26:34 +02:00
cli_events->add_event(std::move(ev));
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
sent_push_request = true;
}
OPENVPN_LOG("Sending PUSH_REQUEST to server...");
Base::write_control_string(std::string("PUSH_REQUEST"));
Base::flush(true);
set_housekeeping_timer();
Core: speed up client-side PUSH_REQUEST transmission to server at 0, 1, 2, 3, 3, ... seconds. Previously, transmission occurred at 1, 3, 3, ... seconds.
2014-08-18 06:25:26 +02:00
{
Implemented client-side AUTH_PENDING protocol state AUTH_PENDING is a control channel message sent from server to client before PUSH_REPLY or AUTH_FAILED and is intended to signal the client that a browser-based out-of-band authentication challenge (such as SAML) needs to occur before the connection request can succeed or fail. When the core receives the AUTH_PENDING message, it will enter the AUTH_PENDING state and forward the message to the client UI as an event. The core will also dial back the PUSH_REQUEST transmit frequency to one message every 8 seconds, and the server is expected to reply with an AUTH_PENDING message after every PUSH_REQUEST. This is done as a sort of keepalive replacement since the normal OpenVPN protocol keepalive functionality isn't enabled until the crypto state is established, which doesn't happen until the PUSH_REPLY message is received from the server. During the AUTH_PENDING state, the server will likely want to push INFO messages to the client UI (such as INFO,OPEN_URL:) to facilitate the out-of-band authentication challenge. Normally, the client core buffers early INFO messages and doesn't release them to the UI until 1 second after the CONNECTED event. This is done because it was presumed that the server wouldn't want the client to act on the INFO messages until the tunnel is established. But the AUTH_PENDING state creates a need for an unbuffered INFO message, since the server may want to message the client UI during the AUTH_PENDING state and have that message be immediately processed. I've solved this problem by introducing a new control channel message called "INFO_PRE". INFO_PRE is handled exactly the same as INFO except it is never buffered. Also, note that INFO_PRE messages are delivered to the client UI as ordinary INFO events (I didn't actually create a new client event for INFO_PRE since I can't think of a reason why the client UI would need to distinguish between them). Signed-off-by: James Yonan <james@openvpn.net>
2018-04-12 22:32:14 +02:00
if (auth_pending)
{
// With auth_pending, we can dial back the PUSH_REQUEST
// frequency, but we still need back-and-forth network
// activity to avoid an inactivity timeout, since the crypto
// layer (and hence keepalive ping) is not initialized until
// we receive the PUSH_REPLY from the server.
schedule_push_request_callback(Time::Duration::seconds(8));
}
else
{
// step function with ceiling: 1 sec, 2 secs, 3 secs, 3, 3, ...
const Time::Duration newdur = std::min(dur + Time::Duration::seconds(1),
Time::Duration::seconds(3));
schedule_push_request_callback(newdur);
}
Core: speed up client-side PUSH_REQUEST transmission to server at 0, 1, 2, 3, 3, ... seconds. Previously, transmission occurred at 1, 3, 3, ... seconds.
2014-08-18 06:25:26 +02:00
}
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
}
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
}
Search/replace of: std::exception& e to: const std::exception& e
2012-02-17 20:28:44 +01:00
catch (const std::exception& e)
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
{
First working iOS build.
2012-07-01 17:37:46 +02:00
process_exception(e, "send_push_request_callback");
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
}
}
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Core: speed up client-side PUSH_REQUEST transmission to server at 0, 1, 2, 3, 3, ... seconds. Previously, transmission occurred at 1, 3, 3, ... seconds.
2014-08-18 06:25:26 +02:00
void schedule_push_request_callback(const Time::Duration& dur)
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
{
if (!received_options.partial())
{
AsioTimer: use expires_after() method when possible. A common AsioTimer usage pattern is: expires_at(Time::now() + duration) This is more succinctly and efficiently stated as: expires_after(duration). Signed-off-by: James Yonan <james@openvpn.net>
2017-04-12 22:01:11 +02:00
push_request_timer.expires_after(dur);
Added i/o abstraction layer. Created a lightweight abstraction layer so that another i/o reactor can be dropped in place of asio. The basic approach is to rename all references to asio::xxx types to openvpn_io::xxx and then make openvpn_io a preprocessor variable that points to the top-level namespace of the i/o reactor implementation. All of the source files that currently include <asio.hpp> now include <openvpn/io/io.hpp> instead: This gives us a lightweight abstraction layer that allows us to define openvpn_io to be something other than asio. Other changes: * Inclusion of asio by scripts/build is now optional, and is enabled by passing ASIO=1 or ASIO_DIR=<dir>. * Refactored openvpn/common/socktypes.hpp to no longer require asio. * Refactored openvpn/log/logthread.hpp to no longer require asio. * Added openvpn::get_hostname() method as alternative to calling asio directly. * openvpn/openssl/util/init.hpp will now #error if USE_ASIO is undefined. Signed-off-by: James Yonan <james@openvpn.net>
2017-03-30 23:10:56 +02:00
push_request_timer.async_wait([self=Ptr(this), dur](const openvpn_io::error_code& error)
Obsoleted asiodispatch in favor of C++11 lambdas.
2015-06-25 21:59:12 +02:00
{
[OVPN3-211] bigmutex: introduce macro to ensure thread-safety Platforms like UWP and iOS may call core methods from another threads. Since core is not thread-safe, we provide OPENVPN_ASYNC_HANDLER macro which instantiates lock guard. It follows RAII principle and locks global mutex in constructor and unlocks in destructor. This guarantees that code in block protected with this macro won't be called simultaneously from different threads. Signed-off-by: Lev Stipakov <lev@openvpn.net>
2018-03-23 15:23:45 +01:00
OPENVPN_ASYNC_HANDLER;
Obsoleted asiodispatch in favor of C++11 lambdas.
2015-06-25 21:59:12 +02:00
self->send_push_request_callback(dur, error);
});
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
}
}
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
cliproto: react to tls_warnings Upon activation of the primary keycontext, check if any tls warning was set by the SSL session object. If so, trigger an event to the CLI/UI. Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2017-12-06 09:04:02 +01:00
// react to any tls warning triggered during the tls-handshake
virtual void check_tls_warnings()
{
uint32_t tls_warnings = get_tls_warnings();
if (tls_warnings & SSLAPI::TLS_WARN_SIG_MD5)
[OVPN3-184] mbedtls: handle Name Constraints Introduce profile flag "allow-name-constraints". mbedTLS doesn't support x509v3 'Name Constrains' extension. To allow client to connect, make mbedTLS not to fail on this extension and drop a warning to UI. This depends on "Enable allowing unsupported critical extensions in runtime" patch to mbedTLS. Signed-off-by: Lev Stipakov <lev@openvpn.net>
2018-02-28 10:07:43 +01:00
{
ClientEvent::Base::Ptr ev = new ClientEvent::Warn("TLS: received certificate signed with MD5. Please inform your admin to upgrade to a stronger algorithm. Support for MD5 will be dropped at end of Apr 2018");
cli_events->add_event(std::move(ev));
}
if (tls_warnings & SSLAPI::TLS_WARN_NAME_CONSTRAINTS)
{
ClientEvent::Base::Ptr ev = new ClientEvent::Warn("TLS: Your CA contains a 'x509v3 Name Constraints' extension, but its validation is not supported. This might be a security breach, please contact your administrator.");
cli_events->add_event(std::move(ev));
}
cliproto: react to tls_warnings Upon activation of the primary keycontext, check if any tls warning was set by the SSL session object. If so, trigger an event to the CLI/UI. Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2017-12-06 09:04:02 +01:00
}
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
// base class calls here when primary session transitions to ACTIVE state
virtual void active()
{
OPENVPN_LOG("Session is ACTIVE");
cliproto: react to tls_warnings Upon activation of the primary keycontext, check if any tls warning was set by the SSL session object. If so, trigger an event to the CLI/UI. Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2017-12-06 09:04:02 +01:00
check_tls_warnings();
Core: speed up client-side PUSH_REQUEST transmission to server at 0, 1, 2, 3, 3, ... seconds. Previously, transmission occurred at 1, 3, 3, ... seconds.
2014-08-18 06:25:26 +02:00
schedule_push_request_callback(Time::Duration::seconds(0));
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
}
Added i/o abstraction layer. Created a lightweight abstraction layer so that another i/o reactor can be dropped in place of asio. The basic approach is to rename all references to asio::xxx types to openvpn_io::xxx and then make openvpn_io a preprocessor variable that points to the top-level namespace of the i/o reactor implementation. All of the source files that currently include <asio.hpp> now include <openvpn/io/io.hpp> instead: This gives us a lightweight abstraction layer that allows us to define openvpn_io to be something other than asio. Other changes: * Inclusion of asio by scripts/build is now optional, and is enabled by passing ASIO=1 or ASIO_DIR=<dir>. * Refactored openvpn/common/socktypes.hpp to no longer require asio. * Refactored openvpn/log/logthread.hpp to no longer require asio. * Added openvpn::get_hostname() method as alternative to calling asio directly. * openvpn/openssl/util/init.hpp will now #error if USE_ASIO is undefined. Signed-off-by: James Yonan <james@openvpn.net>
2017-03-30 23:10:56 +02:00
void housekeeping_callback(const openvpn_io::error_code& e)
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
{
try {
Bug fixes: * raise default headroom/tailroom to 512 for worst-case compression expansion * for TCP connections use async_connect instead of connect * for Time and Time::Duration, handle subtraction reasonably with infinite values * handle possible infinite duration in to_posix_duration * fix overflow in Time::Duration::to_milliseconds * call Base::update_now() in ClientProto::start
2012-02-07 21:52:40 +01:00
if (!e && !halt)
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
{
// update current time
Base::update_now();
housekeeping_schedule.reset();
Base::housekeeping();
if (Base::invalidated())
{
Added ClientConnect class which implements an "always-try-to-reconnect" approach, with remote list rotation. Only gives up on auth failure.
2012-02-07 12:37:35 +01:00
if (notify_callback)
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
{
"Session invalidated" errors will now explicitly reference a reason code.
2013-05-22 09:46:52 +02:00
OPENVPN_LOG("Session invalidated: " << Error::name(Base::invalidation_reason()));
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
stop(true);
}
else
throw session_invalidated();
}
set_housekeeping_timer();
}
}
Search/replace of: std::exception& e to: const std::exception& e
2012-02-17 20:28:44 +01:00
catch (const std::exception& e)
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
{
First working iOS build.
2012-07-01 17:37:46 +02:00
process_exception(e, "housekeeping_callback");
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
}
}
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
void set_housekeeping_timer()
{
Core: in cliproto.hpp, don't set housekeeping timer if object is halted. This solves a disconnect delay seen on Mac command-line client.
2015-04-07 07:00:48 +02:00
if (halt)
return;
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
Time next = Base::next_housekeeping();
if (!housekeeping_schedule.similar(next))
{
if (!next.is_infinite())
{
next.max(now());
housekeeping_schedule.reset(next);
housekeeping_timer.expires_at(next);
Added i/o abstraction layer. Created a lightweight abstraction layer so that another i/o reactor can be dropped in place of asio. The basic approach is to rename all references to asio::xxx types to openvpn_io::xxx and then make openvpn_io a preprocessor variable that points to the top-level namespace of the i/o reactor implementation. All of the source files that currently include <asio.hpp> now include <openvpn/io/io.hpp> instead: This gives us a lightweight abstraction layer that allows us to define openvpn_io to be something other than asio. Other changes: * Inclusion of asio by scripts/build is now optional, and is enabled by passing ASIO=1 or ASIO_DIR=<dir>. * Refactored openvpn/common/socktypes.hpp to no longer require asio. * Refactored openvpn/log/logthread.hpp to no longer require asio. * Added openvpn::get_hostname() method as alternative to calling asio directly. * openvpn/openssl/util/init.hpp will now #error if USE_ASIO is undefined. Signed-off-by: James Yonan <james@openvpn.net>
2017-03-30 23:10:56 +02:00
housekeeping_timer.async_wait([self=Ptr(this)](const openvpn_io::error_code& error)
Obsoleted asiodispatch in favor of C++11 lambdas.
2015-06-25 21:59:12 +02:00
{
[OVPN3-211] bigmutex: introduce macro to ensure thread-safety Platforms like UWP and iOS may call core methods from another threads. Since core is not thread-safe, we provide OPENVPN_ASYNC_HANDLER macro which instantiates lock guard. It follows RAII principle and locks global mutex in constructor and unlocks in destructor. This guarantees that code in block protected with this macro won't be called simultaneously from different threads. Signed-off-by: Lev Stipakov <lev@openvpn.net>
2018-03-23 15:23:45 +01:00
OPENVPN_ASYNC_HANDLER;
Obsoleted asiodispatch in favor of C++11 lambdas.
2015-06-25 21:59:12 +02:00
self->housekeeping_callback(error);
});
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
}
else
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
{
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
housekeeping_timer.cancel();
ClientProto: reset CoarseTime object when AsioTimer is canceled CoarseTime objects that track an AsioTimer must always be reset when the AsioTimer is cancelled. Not doing so can cause a bug if the AsioTimer is reused after cancellation. Signed-off-by: James Yonan <james@openvpn.net>
2017-10-20 23:17:23 +02:00
housekeeping_schedule.reset();
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
}
}
}
Added client hooks for DCO (Data Channel offload). Updated tun implementation on Linux.
2015-06-17 09:48:33 +02:00
void process_inactive(const OptionList& opt)
Implemented "inactive" directive.
2013-05-25 03:19:50 +02:00
{
try {
ovpn3 core : Added automatic data limits for Blowfish, Triple DES, and other 64-bit block-size ciphers vulnerable to "Sweet32" birthday attack (CVE-2016-6329). Limit such cipher keys to no more than 64 MB of data encrypted/decrypted. While our overall goal is to limit data-limited keys to 64 MB, we trigger a renegotiation at 48 MB to compensate for possible delays in renegotiation and rollover to the new key. This client-side implementation extends data limit protection to the entire session, even when the server doesn't implement data limits. This capability is advertised to servers via the a peer info setting: IV_BS64DL=1 meaning "Block-Size 64-bit Data Limit". The "1" indicates the implementation version. The implementation currently has some limitations: * Keys are renegotiated at a maximum rate of once per 5 seconds to reduce the likelihood of loss of synchronization between peers. * The maximum renegotiation rate may be further extended if the peer delays rollover from the old to new key after renegotiation. Added N_KEY_LIMIT_RENEG stats counter to count the number of data-limit-triggered renegotiations. Added new stats counter KEY_STATE_ERROR which roughly corresponds to the OpenVPN 2.x error "TLS Error: local/remote TLS keys are out of sync". Prevously, the TLS ack/retransmit timeout was hardcoded to 2 seconds. Now we lower the default to 1 second and make it variable using the (pushable) "tls-timeout" directive. Additionally, the tls-timeout directive can be specified in milliseconds instead of seconds by using the "tls-timeout-ms" form of the directive. Made the "become primary" time duration configurable via the (pushable) "become-primary" directive which accepts a number-of-seconds parameter. become-primary indicates the time delay between renegotiation and rollover to the new key for encryption/transmission. become-primary defaults to the handshake-window which in turn defaults to 60 seconds. Incremented core version to 3.0.20.
2016-09-01 23:19:00 +02:00
const Option *o = load_duration_parm(inactive_duration, "inactive", opt, 1, false, false);
Implemented "inactive" directive.
2013-05-25 03:19:50 +02:00
if (o)
{
if (o->size() >= 3)
inactive_bytes = parse_number_throw<unsigned int>(o->get(2, 16), "inactive bytes");
schedule_inactive_timer();
}
}
catch (const std::exception& e)
{
Log lines from C++ exceptions should contain the text "exception" This makes it easier to scan log files for exceptions. Signed-off-by: James Yonan <james@openvpn.net>
2018-03-07 23:59:07 +01:00
OPENVPN_LOG("exception parsing inactive: " << e.what());
Implemented "inactive" directive.
2013-05-25 03:19:50 +02:00
}
}
void schedule_inactive_timer()
{
AsioTimer: use expires_after() method when possible. A common AsioTimer usage pattern is: expires_at(Time::now() + duration) This is more succinctly and efficiently stated as: expires_after(duration). Signed-off-by: James Yonan <james@openvpn.net>
2017-04-12 22:01:11 +02:00
inactive_timer.expires_after(inactive_duration);
Added i/o abstraction layer. Created a lightweight abstraction layer so that another i/o reactor can be dropped in place of asio. The basic approach is to rename all references to asio::xxx types to openvpn_io::xxx and then make openvpn_io a preprocessor variable that points to the top-level namespace of the i/o reactor implementation. All of the source files that currently include <asio.hpp> now include <openvpn/io/io.hpp> instead: This gives us a lightweight abstraction layer that allows us to define openvpn_io to be something other than asio. Other changes: * Inclusion of asio by scripts/build is now optional, and is enabled by passing ASIO=1 or ASIO_DIR=<dir>. * Refactored openvpn/common/socktypes.hpp to no longer require asio. * Refactored openvpn/log/logthread.hpp to no longer require asio. * Added openvpn::get_hostname() method as alternative to calling asio directly. * openvpn/openssl/util/init.hpp will now #error if USE_ASIO is undefined. Signed-off-by: James Yonan <james@openvpn.net>
2017-03-30 23:10:56 +02:00
inactive_timer.async_wait([self=Ptr(this)](const openvpn_io::error_code& error)
Obsoleted asiodispatch in favor of C++11 lambdas.
2015-06-25 21:59:12 +02:00
{
[OVPN3-211] bigmutex: introduce macro to ensure thread-safety Platforms like UWP and iOS may call core methods from another threads. Since core is not thread-safe, we provide OPENVPN_ASYNC_HANDLER macro which instantiates lock guard. It follows RAII principle and locks global mutex in constructor and unlocks in destructor. This guarantees that code in block protected with this macro won't be called simultaneously from different threads. Signed-off-by: Lev Stipakov <lev@openvpn.net>
2018-03-23 15:23:45 +01:00
OPENVPN_ASYNC_HANDLER;
Obsoleted asiodispatch in favor of C++11 lambdas.
2015-06-25 21:59:12 +02:00
self->inactive_callback(error);
});
Implemented "inactive" directive.
2013-05-25 03:19:50 +02:00
}
Added i/o abstraction layer. Created a lightweight abstraction layer so that another i/o reactor can be dropped in place of asio. The basic approach is to rename all references to asio::xxx types to openvpn_io::xxx and then make openvpn_io a preprocessor variable that points to the top-level namespace of the i/o reactor implementation. All of the source files that currently include <asio.hpp> now include <openvpn/io/io.hpp> instead: This gives us a lightweight abstraction layer that allows us to define openvpn_io to be something other than asio. Other changes: * Inclusion of asio by scripts/build is now optional, and is enabled by passing ASIO=1 or ASIO_DIR=<dir>. * Refactored openvpn/common/socktypes.hpp to no longer require asio. * Refactored openvpn/log/logthread.hpp to no longer require asio. * Added openvpn::get_hostname() method as alternative to calling asio directly. * openvpn/openssl/util/init.hpp will now #error if USE_ASIO is undefined. Signed-off-by: James Yonan <james@openvpn.net>
2017-03-30 23:10:56 +02:00
void inactive_callback(const openvpn_io::error_code& e) // fixme for DCO
Implemented "inactive" directive.
2013-05-25 03:19:50 +02:00
{
try {
if (!e && !halt)
{
// update current time
Base::update_now();
const count_t sample = cli_stats->get_stat(SessionStats::TUN_BYTES_IN) + cli_stats->get_stat(SessionStats::TUN_BYTES_OUT);
const count_t delta = sample - inactive_last_sample;
//OPENVPN_LOG("*** INACTIVE SAMPLE " << delta << ' ' << inactive_bytes);
if (delta <= count_t(inactive_bytes))
{
fatal_ = Error::INACTIVE_TIMEOUT;
send_explicit_exit_notify();
if (notify_callback)
{
OPENVPN_LOG("inactive timer expired");
stop(true);
}
else
throw inactive_timer_expired();
}
else
{
inactive_last_sample = sample;
schedule_inactive_timer();
}
}
}
catch (const std::exception& e)
{
process_exception(e, "inactive_callback");
}
}
ovpn3 client : added support for pushed "echo" directives to be transmitted to app via event channel using new ECHO event.
2016-03-28 08:31:35 +02:00
void process_echo(const OptionList& opt)
{
OptionList::IndexMap::const_iterator echo_opt = opt.map().find("echo");
if (echo_opt != opt.map().end())
{
for (OptionList::IndexList::const_iterator i = echo_opt->second.begin(); i != echo_opt->second.end(); ++i)
{
const Option& o = opt[*i];
o.touch();
const std::string& value = o.get(1, 512);
ClientEvent::Base::Ptr ev = new ClientEvent::Echo(value);
ClientEvent : Use C++11 rvalue/move semantics in client event handling.
2016-05-11 05:26:34 +02:00
cli_events->add_event(std::move(ev));
ovpn3 client : added support for pushed "echo" directives to be transmitted to app via event channel using new ECHO event.
2016-03-28 08:31:35 +02:00
}
}
}
First working iOS build.
2012-07-01 17:37:46 +02:00
void process_exception(const std::exception& e, const char *method_name)
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
{
Added ClientConnect class which implements an "always-try-to-reconnect" approach, with remote list rotation. Only gives up on auth failure.
2012-02-07 12:37:35 +01:00
if (notify_callback)
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
{
First working iOS build.
2012-07-01 17:37:46 +02:00
OPENVPN_LOG("Client exception in " << method_name << ": " << e.what());
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
stop(true);
}
else
throw client_exception(e.what());
}
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Fixed a race condition issue with "hot connect", i.e. sending a connect intent to service when already connected. One of the ramifications of the "hot connect" fix above is that OpenVPNClientBase.is_active() will now return a value that is instantaneously up-to-date, whereas events might lag because of the mechanics of inter-thread message posting. Keep this in mind when correlating received events to is_active() values. For C++ core threads, increased allowed thread-stop delay to 2.5 seconds before thread is marked as unresponsive and abandoned. Previous delay was 1 second. This delay can't be made too long, otherwise Android will tell the user that the app is unresponsive and invite them to kill it. When closing out an abandoned core thread, indicate this condition with a new event type called CORE_THREAD_ABANDONED. If the thread is abandoned due to lack of response to a disconnect request, then the CORE_THREAD_ABANDONED event will occur followed by CORE_THREAD_INACTIVE. For core threads that properly exit, the DISCONNECTED event will be followed by CORE_THREAD_INACTIVE. Added save_as_filename parameter to importProfileRemote method for controlling the filename that the imported profile is saved as. This parameter may be set to null to have the method choose an appropriate name. To have an imported profile replace an existing profile, the filenames much match. Added UI_OVERLOADED debugging constant to OpenVPNClient to allow the UI to connect to a profile when already connected to another profile in order to test "hot connect". Added new events CLIENT_HALT and CLIENT_RESTART for compatibility with an Access Server feature that allows the server to remotely kill or restart the client. When connecting a profile, the core will now automatically fill in the username if it is not specified for userlocked profiles. Version 0.902.
2012-03-31 18:08:20 +02:00
void process_halt_restart(const ClientHalt& ch)
{
Core creds changes: * Added better API documentation in ovpncli.hpp about the meaning of replacePasswordWithSessionID and cachePassword. * Log when creds are passed to server, including info about whether creds are blank and whether a Session ID was used in place of a password. Also indicate when creds are a response to a static or dynamic challenge. * Changed RESTART handling. When receiving a RESTART, always attempt a restart, never halt. When receiving a RESTART with psid==0, clear out any cached Session ID (if one exists) before doing the restart. * If can_retry_auth_with_cached_password() is called and modifies the password, make sure to clear the did_replace_password_with_session_id flag.
2014-01-08 05:32:37 +01:00
if (!ch.psid() && creds)
creds->can_retry_auth_with_cached_password(); // purge session ID
if (ch.restart())
Fixed a race condition issue with "hot connect", i.e. sending a connect intent to service when already connected. One of the ramifications of the "hot connect" fix above is that OpenVPNClientBase.is_active() will now return a value that is instantaneously up-to-date, whereas events might lag because of the mechanics of inter-thread message posting. Keep this in mind when correlating received events to is_active() values. For C++ core threads, increased allowed thread-stop delay to 2.5 seconds before thread is marked as unresponsive and abandoned. Previous delay was 1 second. This delay can't be made too long, otherwise Android will tell the user that the app is unresponsive and invite them to kill it. When closing out an abandoned core thread, indicate this condition with a new event type called CORE_THREAD_ABANDONED. If the thread is abandoned due to lack of response to a disconnect request, then the CORE_THREAD_ABANDONED event will occur followed by CORE_THREAD_INACTIVE. For core threads that properly exit, the DISCONNECTED event will be followed by CORE_THREAD_INACTIVE. Added save_as_filename parameter to importProfileRemote method for controlling the filename that the imported profile is saved as. This parameter may be set to null to have the method choose an appropriate name. To have an imported profile replace an existing profile, the filenames much match. Added UI_OVERLOADED debugging constant to OpenVPNClient to allow the UI to connect to a profile when already connected to another profile in order to test "hot connect". Added new events CLIENT_HALT and CLIENT_RESTART for compatibility with an Access Server feature that allows the server to remotely kill or restart the client. When connecting a profile, the core will now automatically fill in the username if it is not specified for userlocked profiles. Version 0.902.
2012-03-31 18:08:20 +02:00
fatal_ = Error::CLIENT_RESTART;
else
fatal_ = Error::CLIENT_HALT;
fatal_reason_ = ch.reason();
if (notify_callback)
{
OPENVPN_LOG("Client halt/restart: " << ch.render());
stop(true);
}
else
throw client_halt_restart(ch.render());
}
INFO message : buffer INFO control-channel messages received near Connected event to fire one second after Connected event, to reduce the chance of race conditions in the client app, if the INFO event triggers the client app to perform an operation that requires the VPN tunnel to be ready.
2016-08-17 23:23:26 +02:00
void schedule_info_hold_callback()
{
events : in client core, delay transmission of "Connected" event to the last possible moment to avoid premature trigger of post-connect events.
2016-09-02 20:52:21 +02:00
Base::update_now();
AsioTimer: use expires_after() method when possible. A common AsioTimer usage pattern is: expires_at(Time::now() + duration) This is more succinctly and efficiently stated as: expires_after(duration). Signed-off-by: James Yonan <james@openvpn.net>
2017-04-12 22:01:11 +02:00
info_hold_timer.expires_after(Time::Duration::seconds(1));
Added i/o abstraction layer. Created a lightweight abstraction layer so that another i/o reactor can be dropped in place of asio. The basic approach is to rename all references to asio::xxx types to openvpn_io::xxx and then make openvpn_io a preprocessor variable that points to the top-level namespace of the i/o reactor implementation. All of the source files that currently include <asio.hpp> now include <openvpn/io/io.hpp> instead: This gives us a lightweight abstraction layer that allows us to define openvpn_io to be something other than asio. Other changes: * Inclusion of asio by scripts/build is now optional, and is enabled by passing ASIO=1 or ASIO_DIR=<dir>. * Refactored openvpn/common/socktypes.hpp to no longer require asio. * Refactored openvpn/log/logthread.hpp to no longer require asio. * Added openvpn::get_hostname() method as alternative to calling asio directly. * openvpn/openssl/util/init.hpp will now #error if USE_ASIO is undefined. Signed-off-by: James Yonan <james@openvpn.net>
2017-03-30 23:10:56 +02:00
info_hold_timer.async_wait([self=Ptr(this)](const openvpn_io::error_code& error)
INFO message : buffer INFO control-channel messages received near Connected event to fire one second after Connected event, to reduce the chance of race conditions in the client app, if the INFO event triggers the client app to perform an operation that requires the VPN tunnel to be ready.
2016-08-17 23:23:26 +02:00
{
[OVPN3-211] bigmutex: introduce macro to ensure thread-safety Platforms like UWP and iOS may call core methods from another threads. Since core is not thread-safe, we provide OPENVPN_ASYNC_HANDLER macro which instantiates lock guard. It follows RAII principle and locks global mutex in constructor and unlocks in destructor. This guarantees that code in block protected with this macro won't be called simultaneously from different threads. Signed-off-by: Lev Stipakov <lev@openvpn.net>
2018-03-23 15:23:45 +01:00
OPENVPN_ASYNC_HANDLER;
INFO message : buffer INFO control-channel messages received near Connected event to fire one second after Connected event, to reduce the chance of race conditions in the client app, if the INFO event triggers the client app to perform an operation that requires the VPN tunnel to be ready.
2016-08-17 23:23:26 +02:00
self->info_hold_callback(error);
});
}
Added i/o abstraction layer. Created a lightweight abstraction layer so that another i/o reactor can be dropped in place of asio. The basic approach is to rename all references to asio::xxx types to openvpn_io::xxx and then make openvpn_io a preprocessor variable that points to the top-level namespace of the i/o reactor implementation. All of the source files that currently include <asio.hpp> now include <openvpn/io/io.hpp> instead: This gives us a lightweight abstraction layer that allows us to define openvpn_io to be something other than asio. Other changes: * Inclusion of asio by scripts/build is now optional, and is enabled by passing ASIO=1 or ASIO_DIR=<dir>. * Refactored openvpn/common/socktypes.hpp to no longer require asio. * Refactored openvpn/log/logthread.hpp to no longer require asio. * Added openvpn::get_hostname() method as alternative to calling asio directly. * openvpn/openssl/util/init.hpp will now #error if USE_ASIO is undefined. Signed-off-by: James Yonan <james@openvpn.net>
2017-03-30 23:10:56 +02:00
void info_hold_callback(const openvpn_io::error_code& e)
INFO message : buffer INFO control-channel messages received near Connected event to fire one second after Connected event, to reduce the chance of race conditions in the client app, if the INFO event triggers the client app to perform an operation that requires the VPN tunnel to be ready.
2016-08-17 23:23:26 +02:00
{
try {
if (!e && !halt)
{
Base::update_now();
if (info_hold)
{
for (auto &ev : *info_hold)
cli_events->add_event(std::move(ev));
info_hold.reset();
}
}
}
catch (const std::exception& e)
{
process_exception(e, "info_hold_callback");
}
}
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
#ifdef OPENVPN_PACKET_LOG
void log_packet(const Buffer& buf, const bool out)
{
if (buf.size())
{
C++11 update: mass replace of boost::uint/int to std::uint/int.
2015-04-24 01:55:07 +02:00
std::uint16_t len = buf.size() & 0x7FFF;
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
if (out)
len |= 0x8000;
packet_log.write((const char *)&len, sizeof(len));
packet_log.write((const char *)buf.c_data(), buf.size());
}
}
#endif
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Added i/o abstraction layer. Created a lightweight abstraction layer so that another i/o reactor can be dropped in place of asio. The basic approach is to rename all references to asio::xxx types to openvpn_io::xxx and then make openvpn_io a preprocessor variable that points to the top-level namespace of the i/o reactor implementation. All of the source files that currently include <asio.hpp> now include <openvpn/io/io.hpp> instead: This gives us a lightweight abstraction layer that allows us to define openvpn_io to be something other than asio. Other changes: * Inclusion of asio by scripts/build is now optional, and is enabled by passing ASIO=1 or ASIO_DIR=<dir>. * Refactored openvpn/common/socktypes.hpp to no longer require asio. * Refactored openvpn/log/logthread.hpp to no longer require asio. * Added openvpn::get_hostname() method as alternative to calling asio directly. * openvpn/openssl/util/init.hpp will now #error if USE_ASIO is undefined. Signed-off-by: James Yonan <james@openvpn.net>
2017-03-30 23:10:56 +02:00
openvpn_io::io_context& io_context;
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
TransportClientFactory::Ptr transport_factory;
TransportClient::Ptr transport;
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
TunClientFactory::Ptr tun_factory;
TunClient::Ptr tun;
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Implemented tcp-queue-limit parameter for OpenVPN 3 client, with a default value of 64 (this is the same parameter name and default from OpenVPN 2 server). tcp-queue-limit sets a maximum size limit on the outgoing TCP packet queue and will drop packets and increment the TCP_OVERFLOW counter if the limit would be exceeded. Previously, the limit was hardcoded at 1024 packets and would result in a disconnect/reconnect if exceeded rather than merely dropping the packet.
2015-10-19 08:32:13 +02:00
unsigned int tcp_queue_limit;
C++11 : use member initializers in cliproto.hpp
2016-08-17 22:30:22 +02:00
bool transport_has_send_queue = false;
Implemented tcp-queue-limit parameter for OpenVPN 3 client, with a default value of 64 (this is the same parameter name and default from OpenVPN 2 server). tcp-queue-limit sets a maximum size limit on the outgoing TCP packet queue and will drop packets and increment the TCP_OVERFLOW counter if the limit would be exceeded. Previously, the limit was hardcoded at 1024 packets and would result in a disconnect/reconnect if exceeded rather than merely dropping the packet.
2015-10-19 08:32:13 +02:00
Added ClientConnect class which implements an "always-try-to-reconnect" approach, with remote list rotation. Only gives up on auth failure.
2012-02-07 12:37:35 +01:00
NotifyCallback* notify_callback;
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
CoarseTime housekeeping_schedule;
AsioTimer housekeeping_timer;
AsioTimer push_request_timer;
C++11 : use member initializers in cliproto.hpp
2016-08-17 22:30:22 +02:00
bool halt = false;
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
OptionListContinuation received_options;
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Android 4 client fixes: Fixed session ID -> password replacement. Allow username to be specified as profile/username.
2012-02-28 00:00:29 +01:00
ClientCreds::Ptr creds;
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
Compression selector in mobile clients is now 3-state: yes -- support compression on both uplink and downlink asym -- support compression on downlink only no (default) -- no compression (stubs only) Added our own internal LZO decompressor, which is enabled when HAVE_LZO is undefined and the standard LZO library is not linked. This allows clients to support LZO in downlink mode only if the library isn't available.
2012-09-08 03:36:54 +02:00
ProtoContextOptions::Ptr proto_context_options;
iOS version: 1.0 Beta 17 Android version: 1.1 beta 1 More alignment of iOS and Android clients: * Normalized building of dependencies for Android and iOS: This build adds some new library dependencies: The library versions required are enumerated in ovpn3/lib-versions, currently: export BOOST_VERSION=boost_1_51_0 export OPENSSL_VERSION=openssl-1.0.1c export POLARSSL_VERSION=polarssl-1.1.4 export LZO_VERSION=lzo-2.06 To build, first mkdir ~/src/android and ~/src/mac if they don't already exist. Set the env var O3 to point to the ovpn3 dir, usually ~/src/ovpn3. Build on iOS: [set PATH to include NDK] cd ~/src/android $O3/scripts/android/build-boost $O3/scripts/android/build-minicrypto $O3/scripts/android/build-polarssl $O3/scripts/android/build-lzo Build on Android: [set PATH to include NDK] cd ~/src/android $O3/scripts/android/build-boost $O3/scripts/android/build-minicrypto $O3/scripts/android/build-polarssl $O3/scripts/android/build-lzo * Integrated Minicrypto library (an assembly language library of low-level crypto functions adapted from OpenSSL). * Added LZO compression with a preference/settings item to enable or disable. * Added special compression handling to support older servers that ignore compression handshake -- this will handle receiving compressed packets even if we didn't ask for them. * Normalized profile naming conventions. iOS changes: * Log tunnel performance stats immediately on disconnection of tunnel. Android changes: * Client now supports loading profiles as attachments opened from other apps. * Added Import Private Tunnel menu item, however current Private Tunnel download page needs to be adapted to fit requirements of Android download manager. * Enter key should advance to the next input field, or connect if entered from the last field. * Import from Access Server now provides the option to download autologin vs. userlogin profiles. * "About" page now shows copyright text for included libraries/content (except for LZO and PolarSSL which will presumably be commercially licensed).
2012-09-05 03:09:34 +02:00
C++11 : use member initializers in cliproto.hpp
2016-08-17 22:30:22 +02:00
bool first_packet_received_ = false;
bool sent_push_request = false;
Implemented client-side AUTH_PENDING protocol state AUTH_PENDING is a control channel message sent from server to client before PUSH_REPLY or AUTH_FAILED and is intended to signal the client that a browser-based out-of-band authentication challenge (such as SAML) needs to occur before the connection request can succeed or fail. When the core receives the AUTH_PENDING message, it will enter the AUTH_PENDING state and forward the message to the client UI as an event. The core will also dial back the PUSH_REQUEST transmit frequency to one message every 8 seconds, and the server is expected to reply with an AUTH_PENDING message after every PUSH_REQUEST. This is done as a sort of keepalive replacement since the normal OpenVPN protocol keepalive functionality isn't enabled until the crypto state is established, which doesn't happen until the PUSH_REPLY message is received from the server. During the AUTH_PENDING state, the server will likely want to push INFO messages to the client UI (such as INFO,OPEN_URL:) to facilitate the out-of-band authentication challenge. Normally, the client core buffers early INFO messages and doesn't release them to the UI until 1 second after the CONNECTED event. This is done because it was presumed that the server wouldn't want the client to act on the INFO messages until the tunnel is established. But the AUTH_PENDING state creates a need for an unbuffered INFO message, since the server may want to message the client UI during the AUTH_PENDING state and have that message be immediately processed. I've solved this problem by introducing a new control channel message called "INFO_PRE". INFO_PRE is handled exactly the same as INFO except it is never buffered. Also, note that INFO_PRE messages are delivered to the client UI as ordinary INFO events (I didn't actually create a new client event for INFO_PRE since I can't think of a reason why the client UI would need to distinguish between them). Signed-off-by: James Yonan <james@openvpn.net>
2018-04-12 22:32:14 +02:00
bool auth_pending = false;
Added support to new core for remote-cert-tls, remote-cert-ku, and remote-cert-eku directives.
2012-10-31 15:46:40 +01:00
SessionStats::Ptr cli_stats;
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
ClientEvent::Queue::Ptr cli_events;
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
events : in client core, delay transmission of "Connected" event to the last possible moment to avoid premature trigger of post-connect events.
2016-09-02 20:52:21 +02:00
ClientEvent::Connected::Ptr connected_;
Android 4 client port is almost working (need to get an Android build that includes tun driver to test further).
2012-02-19 02:36:50 +01:00
ovpn3 client : added support for pushed "echo" directives to be transmitted to app via event channel using new ECHO event.
2016-03-28 08:31:35 +02:00
bool echo;
Added INFO notification to OpenVPN control channel protocol: INFO,<payload> Payload can be any UTF-8 printable string under 64 KB (multiple lines are okay). INFO notifications can be sent from server to client in real-time, on any active client connection. The client will attach the payload to an INFO event and forward it to the controlling app via the event callback: virtual void event(const Event&) = 0;
2016-05-11 01:53:09 +02:00
bool info;
autologin sessions : automatically retry connection on expired session.
2016-06-29 08:57:24 +02:00
bool autologin_sessions;
ovpn3 client : added support for pushed "echo" directives to be transmitted to app via event channel using new ECHO event.
2016-03-28 08:31:35 +02:00
C++11 : use member initializers in cliproto.hpp
2016-08-17 22:30:22 +02:00
Error::Type fatal_ = Error::UNDEF;
Android 4 client port is almost working (need to get an Android build that includes tun driver to test further).
2012-02-19 02:36:50 +01:00
std::string fatal_reason_;
Added parser size validation constants in openvpn/client/cliconstants.hpp
2012-11-12 02:52:03 +01:00
OptionList::Limits pushed_options_limit;
Implemented route-nopull (second attempt).
2013-03-14 03:54:58 +01:00
OptionList::FilterBase::Ptr pushed_options_filter;
Added ClientConnect class which implements an "always-try-to-reconnect" approach, with remote list rotation. Only gives up on auth failure.
2012-02-07 12:37:35 +01:00
Implemented "inactive" directive.
2013-05-25 03:19:50 +02:00
AsioTimer inactive_timer;
Time::Duration inactive_duration;
C++11 : use member initializers in cliproto.hpp
2016-08-17 22:30:22 +02:00
unsigned int inactive_bytes = 0;
count_t inactive_last_sample = 0;
Implemented "inactive" directive.
2013-05-25 03:19:50 +02:00
INFO message : buffer INFO control-channel messages received near Connected event to fire one second after Connected event, to reduce the chance of race conditions in the client app, if the INFO event triggers the client app to perform an operation that requires the VPN tunnel to be ready.
2016-08-17 23:23:26 +02:00
std::unique_ptr<std::vector<ClientEvent::Base::Ptr>> info_hold;
AsioTimer info_hold_timer;
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
#ifdef OPENVPN_PACKET_LOG
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
std::ofstream packet_log;
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
#endif
Top-level client refactoring, to move configuration functionality from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 21:39:10 +01:00
};
}
Start process of moving client logic out of cli.cpp into general-purpose classes. Rename ProtoStats to SessionStats and make it more flexible by using an abstract base class model. Add a client event queue for the beginnings of a client-backend API. Added logic to ProtoContext to invalidate session on certain kinds of errors in TCP that would be normally be okay in UDP such as HMAC_ERROR, DECRYPT_ERROR, etc. Add some alignment adjustment logic for READ_LINK_TCP (3 bytes) and READ_LINK_UDP (1 byte).
2012-02-04 11:24:54 +01:00
}
#endif
Copy Permalink