2014-08-25 09:02:40 +02:00
|
|
|
// OpenVPN -- An application to securely tunnel IP networks
|
|
|
|
|
// over a single port, with support for SSL/TLS-based
|
|
|
|
|
// session authentication and key exchange,
|
|
|
|
|
// packet encryption, packet authentication, and
|
|
|
|
|
// packet compression.
|
2013-01-31 16:00:45 +01:00
|
|
|
//
|
2017-12-21 22:15:36 +01:00
|
|
|
// Copyright (C) 2012-2017 OpenVPN Inc.
|
2013-01-31 16:00:45 +01:00
|
|
|
//
|
2014-08-25 09:02:40 +02:00
|
|
|
// This program is free software: you can redistribute it and/or modify
|
2017-12-21 21:42:20 +01:00
|
|
|
// it under the terms of the GNU Affero General Public License Version 3
|
2014-08-25 09:02:40 +02:00
|
|
|
// as published by the Free Software Foundation.
|
2013-01-31 16:00:45 +01:00
|
|
|
//
|
2014-08-25 09:02:40 +02:00
|
|
|
// This program is distributed in the hope that it will be useful,
|
|
|
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
2017-12-21 21:42:20 +01:00
|
|
|
// GNU Affero General Public License for more details.
|
2014-08-25 09:02:40 +02:00
|
|
|
//
|
2017-12-21 21:42:20 +01:00
|
|
|
// You should have received a copy of the GNU Affero General Public License
|
2014-08-25 09:02:40 +02:00
|
|
|
// along with this program in the COPYING file.
|
|
|
|
|
// If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
|
|
|
|
|
// OpenVPN 3 test client
|
2013-01-31 16:00:45 +01:00
|
|
|
|
2012-09-15 08:56:18 +02:00
|
|
|
#include <stdlib.h> // for atoi
|
|
|
|
|
|
2012-09-10 01:10:20 +02:00
|
|
|
#include <string>
|
|
|
|
|
#include <iostream>
|
2015-05-11 04:04:22 +02:00
|
|
|
#include <thread>
|
2015-11-26 03:51:12 +01:00
|
|
|
#include <memory>
|
2016-04-09 08:57:21 +02:00
|
|
|
#include <mutex>
|
2015-04-11 07:48:24 +02:00
|
|
|
|
2016-08-11 22:05:33 +02:00
|
|
|
#include <openvpn/common/platform.hpp>
|
|
|
|
|
|
|
|
|
|
#ifdef OPENVPN_PLATFORM_MAC
|
|
|
|
|
#include <CoreFoundation/CFBundle.h>
|
|
|
|
|
#include <ApplicationServices/ApplicationServices.h>
|
|
|
|
|
#endif
|
|
|
|
|
|
2015-11-25 19:31:24 +01:00
|
|
|
// If enabled, don't direct ovpn3 core logging to
|
|
|
|
|
// ClientAPI::OpenVPNClient::log() virtual method.
|
|
|
|
|
// Instead, logging will go to LogBaseSimple::log().
|
|
|
|
|
// In this case, make sure to define:
|
|
|
|
|
// LogBaseSimple log;
|
|
|
|
|
// at the top of your main() function to receive
|
|
|
|
|
// log messages from all threads.
|
|
|
|
|
// Also, note that the OPENVPN_LOG_GLOBAL setting
|
|
|
|
|
// MUST be consistent across all compilation units.
|
2015-11-26 03:51:12 +01:00
|
|
|
#ifdef OPENVPN_USE_LOG_BASE_SIMPLE
|
2015-11-25 19:31:24 +01:00
|
|
|
#define OPENVPN_LOG_GLOBAL // use global rather than thread-local log object pointer
|
|
|
|
|
#include <openvpn/log/logbasesimple.hpp>
|
|
|
|
|
#endif
|
2012-09-10 01:10:20 +02:00
|
|
|
|
2015-11-25 19:31:24 +01:00
|
|
|
// don't export core symbols
|
|
|
|
|
#define OPENVPN_CORE_API_VISIBILITY_HIDDEN
|
2012-09-10 01:10:20 +02:00
|
|
|
|
2015-11-25 19:31:24 +01:00
|
|
|
// should be included before other openvpn includes,
|
|
|
|
|
// with the exception of openvpn/log includes
|
|
|
|
|
#include <client/ovpncli.cpp>
|
2012-09-10 01:10:20 +02:00
|
|
|
|
2012-09-12 01:51:37 +02:00
|
|
|
#include <openvpn/common/exception.hpp>
|
2015-11-26 03:51:12 +01:00
|
|
|
#include <openvpn/common/string.hpp>
|
2012-11-26 02:51:24 +01:00
|
|
|
#include <openvpn/common/signal.hpp>
|
2012-09-15 08:56:18 +02:00
|
|
|
#include <openvpn/common/file.hpp>
|
2014-02-08 05:49:32 +01:00
|
|
|
#include <openvpn/common/getopt.hpp>
|
2014-03-26 16:44:52 +01:00
|
|
|
#include <openvpn/common/getpw.hpp>
|
2015-11-26 03:51:12 +01:00
|
|
|
#include <openvpn/common/cleanup.hpp>
|
2012-09-15 08:56:18 +02:00
|
|
|
#include <openvpn/time/timestr.hpp>
|
2015-09-22 04:42:24 +02:00
|
|
|
#include <openvpn/ssl/peerinfo.hpp>
|
mbedTLS: Port from polarssl-1.3 to mbedtls-2.3 (functional)
This patch builds on work by David Sommerseth <davids@openvpn.net>
to move the PolarSSL API from polarssl-1.3 to mbedtls-2.3, which
has significant differences in some areas.
- Strings containing keys, certificates, CRLs, and DH parameters
need to be NULL-terminated and the length argument provided to
the corresponding mbedtls parse function must be able to read
the NULL-terminator. These places have been modified with a
'+1' to the length argument (x509cert.hpp, x509crl.hpp, dh.hpp,
pkctx.hpp).
- The SSL context object has been split up in mbedtls-2.3
Now many of the SSL configurations are done in a separate
SSL config object, which is added to the SSL context once
configured. In addition private/public keys are now stored
in a separate pk_context, which is later on attached to the
SSL context. Due to this, many of the calls setting either
SSL configuration parameters or working with pk_contexts have
been refactored. (sslctx.hpp)
- The older API loading the CA chain took a hostname argument.
The new API requires mbedtls_ssl_set_hostname() explicitly to
be called setting hostname. Some refactoring was needed here
too (sslctx.hpp).
- x509_oid_get_description() is now replaced by
mbedtls_oid_get_extended_key_usage().
- when mbedTLS renamed OID_CMP to MBEDTLS_OID_CMP, the return
value was changed so that a return value of 0 now means equal
rather than not-equal.
- mbedtls/platform.h must be loaded before any other mbedtls
include files (sslchoose.hpp).
- All functions and macros related to mbedTLS are now prefixed
with mbedtls_/MBEDTLS_
- Refactored External PKI and added some options to cli.cpp
to make it easier to test that the feature still works
correctly. This included removing the sig_type var and
standardizing on a PKCS#1 digest prefix per RFC 3447.
- Updated test keys to 2048 bits.
- Updated dependency build scripts to build mbedTLS.
- Enable MD4 in mbedTLS build script (needed for NTLM auth).
- Use an allow-all X509 cert profile to preserve compatibility
with older configs. Going forward, we will implement new
options to increase strictness on minimum RSA key size and
required cert signing algs.
- Added human-readable reason strings that explain why
a given cert in the chain wasn't accepted.
- This patch doesn't rename any files or rename internal
OpenVPN 3 symbols such as PolarSSLContext. This will
be done in a separate commit.
Signed-off-by: James Yonan <james@openvpn.net>
2017-02-23 23:20:31 +01:00
|
|
|
#include <openvpn/ssl/sslchoose.hpp>
|
|
|
|
|
|
2018-03-11 00:01:46 +01:00
|
|
|
#ifdef OPENVPN_REMOTE_OVERRIDE
|
|
|
|
|
#include <openvpn/common/process.hpp>
|
|
|
|
|
#endif
|
|
|
|
|
|
2017-02-24 00:59:51 +01:00
|
|
|
#if defined(USE_MBEDTLS)
|
|
|
|
|
#include <openvpn/mbedtls/util/pkcs1.hpp>
|
mbedTLS: Port from polarssl-1.3 to mbedtls-2.3 (functional)
This patch builds on work by David Sommerseth <davids@openvpn.net>
to move the PolarSSL API from polarssl-1.3 to mbedtls-2.3, which
has significant differences in some areas.
- Strings containing keys, certificates, CRLs, and DH parameters
need to be NULL-terminated and the length argument provided to
the corresponding mbedtls parse function must be able to read
the NULL-terminator. These places have been modified with a
'+1' to the length argument (x509cert.hpp, x509crl.hpp, dh.hpp,
pkctx.hpp).
- The SSL context object has been split up in mbedtls-2.3
Now many of the SSL configurations are done in a separate
SSL config object, which is added to the SSL context once
configured. In addition private/public keys are now stored
in a separate pk_context, which is later on attached to the
SSL context. Due to this, many of the calls setting either
SSL configuration parameters or working with pk_contexts have
been refactored. (sslctx.hpp)
- The older API loading the CA chain took a hostname argument.
The new API requires mbedtls_ssl_set_hostname() explicitly to
be called setting hostname. Some refactoring was needed here
too (sslctx.hpp).
- x509_oid_get_description() is now replaced by
mbedtls_oid_get_extended_key_usage().
- when mbedTLS renamed OID_CMP to MBEDTLS_OID_CMP, the return
value was changed so that a return value of 0 now means equal
rather than not-equal.
- mbedtls/platform.h must be loaded before any other mbedtls
include files (sslchoose.hpp).
- All functions and macros related to mbedTLS are now prefixed
with mbedtls_/MBEDTLS_
- Refactored External PKI and added some options to cli.cpp
to make it easier to test that the feature still works
correctly. This included removing the sig_type var and
standardizing on a PKCS#1 digest prefix per RFC 3447.
- Updated test keys to 2048 bits.
- Updated dependency build scripts to build mbedTLS.
- Enable MD4 in mbedTLS build script (needed for NTLM auth).
- Use an allow-all X509 cert profile to preserve compatibility
with older configs. Going forward, we will implement new
options to increase strictness on minimum RSA key size and
required cert signing algs.
- Added human-readable reason strings that explain why
a given cert in the chain wasn't accepted.
- This patch doesn't rename any files or rename internal
OpenVPN 3 symbols such as PolarSSLContext. This will
be done in a separate commit.
Signed-off-by: James Yonan <james@openvpn.net>
2017-02-23 23:20:31 +01:00
|
|
|
#endif
|
2012-09-12 01:51:37 +02:00
|
|
|
|
2014-02-16 09:13:26 +01:00
|
|
|
#if defined(OPENVPN_PLATFORM_WIN)
|
|
|
|
|
#include <openvpn/win/console.hpp>
|
2019-04-30 14:58:40 +02:00
|
|
|
#include <shellapi.h>
|
2014-02-16 09:13:26 +01:00
|
|
|
#endif
|
|
|
|
|
|
2018-11-10 16:31:58 +01:00
|
|
|
#ifdef USE_NETCFG
|
|
|
|
|
#include "client/core-client-netcfg.hpp"
|
|
|
|
|
#endif
|
|
|
|
|
|
2019-03-21 11:20:19 +01:00
|
|
|
#if defined(OPENVPN_PLATFORM_LINUX)
|
|
|
|
|
|
|
|
|
|
// use SITNL by default
|
|
|
|
|
#ifndef OPENVPN_USE_IPROUTE2
|
|
|
|
|
#define OPENVPN_USE_SITNL
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#include <openvpn/tun/linux/client/tuncli.hpp>
|
|
|
|
|
|
|
|
|
|
// we use a static polymorphism and define a
|
|
|
|
|
// platform-specific TunSetup class, responsible
|
|
|
|
|
// for setting up tun device
|
2019-03-25 12:35:53 +01:00
|
|
|
#define TUN_CLASS_SETUP TunLinuxSetup::Setup<TUN_LINUX>
|
2019-03-21 11:20:19 +01:00
|
|
|
#elif defined(OPENVPN_PLATFORM_MAC)
|
|
|
|
|
#include <openvpn/tun/mac/client/tuncli.hpp>
|
|
|
|
|
#define TUN_CLASS_SETUP TunMac::Setup
|
|
|
|
|
#endif
|
|
|
|
|
|
2012-09-15 08:56:18 +02:00
|
|
|
using namespace openvpn;
|
2012-09-10 01:10:20 +02:00
|
|
|
|
2015-11-26 03:51:12 +01:00
|
|
|
namespace {
|
|
|
|
|
OPENVPN_SIMPLE_EXCEPTION(usage);
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-21 11:20:19 +01:00
|
|
|
#ifdef USE_TUN_BUILDER
|
|
|
|
|
class ClientBase : public ClientAPI::OpenVPNClient
|
|
|
|
|
{
|
|
|
|
|
public:
|
|
|
|
|
bool tun_builder_new() override
|
|
|
|
|
{
|
|
|
|
|
tbc.tun_builder_set_mtu(1500);
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int tun_builder_establish() override
|
|
|
|
|
{
|
|
|
|
|
if (!tun)
|
|
|
|
|
{
|
|
|
|
|
tun.reset(new TUN_CLASS_SETUP());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
TUN_CLASS_SETUP::Config config;
|
|
|
|
|
config.layer = Layer(Layer::Type::OSI_LAYER_3);
|
2019-04-19 09:55:51 +02:00
|
|
|
// no need to add bypass routes on establish since we do it on socket_protect
|
|
|
|
|
config.add_bypass_routes_on_establish = false;
|
2019-03-21 11:20:19 +01:00
|
|
|
return tun->establish(tbc, &config, nullptr, std::cout);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool tun_builder_add_address(const std::string& address,
|
|
|
|
|
int prefix_length,
|
|
|
|
|
const std::string& gateway, // optional
|
|
|
|
|
bool ipv6,
|
|
|
|
|
bool net30) override
|
|
|
|
|
{
|
|
|
|
|
return tbc.tun_builder_add_address(address, prefix_length, gateway, ipv6, net30);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool tun_builder_add_route(const std::string& address,
|
|
|
|
|
int prefix_length,
|
|
|
|
|
int metric,
|
|
|
|
|
bool ipv6) override
|
|
|
|
|
{
|
|
|
|
|
return tbc.tun_builder_add_route(address, prefix_length, metric, ipv6);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool tun_builder_reroute_gw(bool ipv4,
|
|
|
|
|
bool ipv6,
|
|
|
|
|
unsigned int flags) override
|
|
|
|
|
{
|
|
|
|
|
return tbc.tun_builder_reroute_gw(ipv4, ipv6, flags);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool tun_builder_set_remote_address(const std::string& address,
|
|
|
|
|
bool ipv6) override
|
|
|
|
|
{
|
|
|
|
|
return tbc.tun_builder_set_remote_address(address, ipv6);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool tun_builder_set_session_name(const std::string& name) override
|
|
|
|
|
{
|
|
|
|
|
return tbc.tun_builder_set_session_name(name);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool tun_builder_add_dns_server(const std::string& address, bool ipv6) override
|
|
|
|
|
{
|
|
|
|
|
return tbc.tun_builder_add_dns_server(address, ipv6);
|
|
|
|
|
}
|
|
|
|
|
|
2019-04-19 09:55:51 +02:00
|
|
|
void tun_builder_teardown(bool disconnect) override
|
|
|
|
|
{
|
|
|
|
|
std::ostringstream os;
|
|
|
|
|
auto os_print = Cleanup([&os](){ OPENVPN_LOG_STRING(os.str()); });
|
|
|
|
|
tun->destroy(os);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool socket_protect(int socket, std::string remote, bool ipv6) override
|
|
|
|
|
{
|
|
|
|
|
(void)socket;
|
|
|
|
|
std::ostringstream os;
|
|
|
|
|
auto os_print = Cleanup([&os](){ OPENVPN_LOG_STRING(os.str()); });
|
|
|
|
|
return tun->add_bypass_route(remote, ipv6, os);
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-21 11:20:19 +01:00
|
|
|
private:
|
2019-04-19 09:55:51 +02:00
|
|
|
TUN_CLASS_SETUP::Ptr tun = new TUN_CLASS_SETUP();
|
2019-03-21 11:20:19 +01:00
|
|
|
TunBuilderCapture tbc;
|
|
|
|
|
};
|
|
|
|
|
#else // USE_TUN_BUILDER
|
2019-04-19 09:55:51 +02:00
|
|
|
class ClientBase : public ClientAPI::OpenVPNClient
|
|
|
|
|
{
|
|
|
|
|
public:
|
|
|
|
|
bool socket_protect(int socket, std::string remote, bool ipv6) override
|
|
|
|
|
{
|
|
|
|
|
std::cout << "NOT IMPLEMENTED: *** socket_protect " << socket << " " << remote << std::endl;
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
};
|
2019-03-21 11:20:19 +01:00
|
|
|
#endif
|
|
|
|
|
|
2019-04-19 09:55:51 +02:00
|
|
|
class Client : public ClientBase
|
2012-09-10 01:10:20 +02:00
|
|
|
{
|
2015-05-10 23:39:57 +02:00
|
|
|
public:
|
2017-04-12 20:37:41 +02:00
|
|
|
enum ClockTickAction {
|
|
|
|
|
CT_UNDEF,
|
|
|
|
|
CT_STOP,
|
|
|
|
|
CT_RECONNECT,
|
|
|
|
|
CT_PAUSE,
|
|
|
|
|
CT_RESUME,
|
|
|
|
|
CT_STATS,
|
|
|
|
|
};
|
|
|
|
|
|
2015-05-10 23:39:57 +02:00
|
|
|
bool is_dynamic_challenge() const
|
|
|
|
|
{
|
|
|
|
|
return !dc_cookie.empty();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
std::string dynamic_challenge_cookie()
|
|
|
|
|
{
|
|
|
|
|
return dc_cookie;
|
|
|
|
|
}
|
|
|
|
|
|
mbedTLS: Port from polarssl-1.3 to mbedtls-2.3 (functional)
This patch builds on work by David Sommerseth <davids@openvpn.net>
to move the PolarSSL API from polarssl-1.3 to mbedtls-2.3, which
has significant differences in some areas.
- Strings containing keys, certificates, CRLs, and DH parameters
need to be NULL-terminated and the length argument provided to
the corresponding mbedtls parse function must be able to read
the NULL-terminator. These places have been modified with a
'+1' to the length argument (x509cert.hpp, x509crl.hpp, dh.hpp,
pkctx.hpp).
- The SSL context object has been split up in mbedtls-2.3
Now many of the SSL configurations are done in a separate
SSL config object, which is added to the SSL context once
configured. In addition private/public keys are now stored
in a separate pk_context, which is later on attached to the
SSL context. Due to this, many of the calls setting either
SSL configuration parameters or working with pk_contexts have
been refactored. (sslctx.hpp)
- The older API loading the CA chain took a hostname argument.
The new API requires mbedtls_ssl_set_hostname() explicitly to
be called setting hostname. Some refactoring was needed here
too (sslctx.hpp).
- x509_oid_get_description() is now replaced by
mbedtls_oid_get_extended_key_usage().
- when mbedTLS renamed OID_CMP to MBEDTLS_OID_CMP, the return
value was changed so that a return value of 0 now means equal
rather than not-equal.
- mbedtls/platform.h must be loaded before any other mbedtls
include files (sslchoose.hpp).
- All functions and macros related to mbedTLS are now prefixed
with mbedtls_/MBEDTLS_
- Refactored External PKI and added some options to cli.cpp
to make it easier to test that the feature still works
correctly. This included removing the sig_type var and
standardizing on a PKCS#1 digest prefix per RFC 3447.
- Updated test keys to 2048 bits.
- Updated dependency build scripts to build mbedTLS.
- Enable MD4 in mbedTLS build script (needed for NTLM auth).
- Use an allow-all X509 cert profile to preserve compatibility
with older configs. Going forward, we will implement new
options to increase strictness on minimum RSA key size and
required cert signing algs.
- Added human-readable reason strings that explain why
a given cert in the chain wasn't accepted.
- This patch doesn't rename any files or rename internal
OpenVPN 3 symbols such as PolarSSLContext. This will
be done in a separate commit.
Signed-off-by: James Yonan <james@openvpn.net>
2017-02-23 23:20:31 +01:00
|
|
|
std::string epki_ca;
|
|
|
|
|
std::string epki_cert;
|
2017-02-24 00:59:51 +01:00
|
|
|
#if defined(USE_MBEDTLS)
|
|
|
|
|
MbedTLSPKI::PKContext epki_ctx; // external PKI context
|
mbedTLS: Port from polarssl-1.3 to mbedtls-2.3 (functional)
This patch builds on work by David Sommerseth <davids@openvpn.net>
to move the PolarSSL API from polarssl-1.3 to mbedtls-2.3, which
has significant differences in some areas.
- Strings containing keys, certificates, CRLs, and DH parameters
need to be NULL-terminated and the length argument provided to
the corresponding mbedtls parse function must be able to read
the NULL-terminator. These places have been modified with a
'+1' to the length argument (x509cert.hpp, x509crl.hpp, dh.hpp,
pkctx.hpp).
- The SSL context object has been split up in mbedtls-2.3
Now many of the SSL configurations are done in a separate
SSL config object, which is added to the SSL context once
configured. In addition private/public keys are now stored
in a separate pk_context, which is later on attached to the
SSL context. Due to this, many of the calls setting either
SSL configuration parameters or working with pk_contexts have
been refactored. (sslctx.hpp)
- The older API loading the CA chain took a hostname argument.
The new API requires mbedtls_ssl_set_hostname() explicitly to
be called setting hostname. Some refactoring was needed here
too (sslctx.hpp).
- x509_oid_get_description() is now replaced by
mbedtls_oid_get_extended_key_usage().
- when mbedTLS renamed OID_CMP to MBEDTLS_OID_CMP, the return
value was changed so that a return value of 0 now means equal
rather than not-equal.
- mbedtls/platform.h must be loaded before any other mbedtls
include files (sslchoose.hpp).
- All functions and macros related to mbedTLS are now prefixed
with mbedtls_/MBEDTLS_
- Refactored External PKI and added some options to cli.cpp
to make it easier to test that the feature still works
correctly. This included removing the sig_type var and
standardizing on a PKCS#1 digest prefix per RFC 3447.
- Updated test keys to 2048 bits.
- Updated dependency build scripts to build mbedTLS.
- Enable MD4 in mbedTLS build script (needed for NTLM auth).
- Use an allow-all X509 cert profile to preserve compatibility
with older configs. Going forward, we will implement new
options to increase strictness on minimum RSA key size and
required cert signing algs.
- Added human-readable reason strings that explain why
a given cert in the chain wasn't accepted.
- This patch doesn't rename any files or rename internal
OpenVPN 3 symbols such as PolarSSLContext. This will
be done in a separate commit.
Signed-off-by: James Yonan <james@openvpn.net>
2017-02-23 23:20:31 +01:00
|
|
|
#endif
|
|
|
|
|
|
2017-04-12 20:37:41 +02:00
|
|
|
void set_clock_tick_action(const ClockTickAction action)
|
|
|
|
|
{
|
|
|
|
|
clock_tick_action = action;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void print_stats()
|
|
|
|
|
{
|
|
|
|
|
const int n = stats_n();
|
|
|
|
|
std::vector<long long> stats = stats_bundle();
|
|
|
|
|
|
|
|
|
|
std::cout << "STATS:" << std::endl;
|
|
|
|
|
for (int i = 0; i < n; ++i)
|
|
|
|
|
{
|
|
|
|
|
const long long value = stats[i];
|
|
|
|
|
if (value)
|
|
|
|
|
std::cout << " " << stats_name(i) << " : " << value << std::endl;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-03-11 00:01:46 +01:00
|
|
|
#ifdef OPENVPN_REMOTE_OVERRIDE
|
|
|
|
|
void set_remote_override_cmd(const std::string& cmd)
|
|
|
|
|
{
|
|
|
|
|
remote_override_cmd = cmd;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2012-09-10 01:10:20 +02:00
|
|
|
private:
|
2017-04-12 20:37:41 +02:00
|
|
|
virtual void event(const ClientAPI::Event& ev) override
|
2012-09-10 01:10:20 +02:00
|
|
|
{
|
2012-09-15 08:56:18 +02:00
|
|
|
std::cout << date_time() << " EVENT: " << ev.name;
|
|
|
|
|
if (!ev.info.empty())
|
|
|
|
|
std::cout << ' ' << ev.info;
|
2016-04-01 04:24:28 +02:00
|
|
|
if (ev.fatal)
|
|
|
|
|
std::cout << " [FATAL-ERR]";
|
|
|
|
|
else if (ev.error)
|
2012-09-15 08:56:18 +02:00
|
|
|
std::cout << " [ERR]";
|
2015-05-10 23:39:57 +02:00
|
|
|
std::cout << std::endl;
|
|
|
|
|
if (ev.name == "DYNAMIC_CHALLENGE")
|
|
|
|
|
{
|
|
|
|
|
dc_cookie = ev.info;
|
|
|
|
|
|
|
|
|
|
ClientAPI::DynamicChallenge dc;
|
|
|
|
|
if (ClientAPI::OpenVPNClient::parse_dynamic_challenge(ev.info, dc)) {
|
|
|
|
|
std::cout << "DYNAMIC CHALLENGE" << std::endl;
|
|
|
|
|
std::cout << "challenge: " << dc.challenge << std::endl;
|
|
|
|
|
std::cout << "echo: " << dc.echo << std::endl;
|
|
|
|
|
std::cout << "responseRequired: " << dc.responseRequired << std::endl;
|
|
|
|
|
std::cout << "stateID: " << dc.stateID << std::endl;
|
|
|
|
|
}
|
|
|
|
|
}
|
2016-08-11 22:05:33 +02:00
|
|
|
else if (ev.name == "INFO" && (string::starts_with(ev.info, "OPEN_URL:http://")
|
|
|
|
|
|| string::starts_with(ev.info, "OPEN_URL:https://")))
|
|
|
|
|
{
|
2016-08-17 23:26:08 +02:00
|
|
|
// launch URL
|
2016-08-11 22:05:33 +02:00
|
|
|
const std::string url_str = ev.info.substr(9);
|
|
|
|
|
#ifdef OPENVPN_PLATFORM_MAC
|
|
|
|
|
std::thread thr([url_str]() {
|
|
|
|
|
CFURLRef url = CFURLCreateWithBytes(
|
|
|
|
|
NULL, // allocator
|
|
|
|
|
(UInt8*)url_str.c_str(), // URLBytes
|
|
|
|
|
url_str.length(), // length
|
|
|
|
|
kCFStringEncodingUTF8, // encoding
|
|
|
|
|
NULL // baseURL
|
|
|
|
|
);
|
|
|
|
|
LSOpenCFURLRef(url, 0);
|
|
|
|
|
CFRelease(url);
|
|
|
|
|
});
|
|
|
|
|
thr.detach();
|
|
|
|
|
#else
|
|
|
|
|
std::cout << "No implementation to launch " << url_str << std::endl;
|
|
|
|
|
#endif
|
|
|
|
|
}
|
2012-09-10 01:10:20 +02:00
|
|
|
}
|
|
|
|
|
|
2017-04-12 20:37:41 +02:00
|
|
|
virtual void log(const ClientAPI::LogInfo& log) override
|
2012-09-10 01:10:20 +02:00
|
|
|
{
|
2016-04-09 08:57:21 +02:00
|
|
|
std::lock_guard<std::mutex> lock(log_mutex);
|
2017-08-24 12:06:15 +02:00
|
|
|
std::cout << date_time() << ' ' << log.text << std::flush;
|
2012-09-10 01:10:20 +02:00
|
|
|
}
|
|
|
|
|
|
2017-04-12 20:37:41 +02:00
|
|
|
virtual void clock_tick() override
|
|
|
|
|
{
|
|
|
|
|
const ClockTickAction action = clock_tick_action;
|
|
|
|
|
clock_tick_action = CT_UNDEF;
|
|
|
|
|
|
|
|
|
|
switch (action)
|
|
|
|
|
{
|
|
|
|
|
case CT_STOP:
|
|
|
|
|
std::cout << "signal: CT_STOP" << std::endl;
|
|
|
|
|
stop();
|
|
|
|
|
break;
|
|
|
|
|
case CT_RECONNECT:
|
|
|
|
|
std::cout << "signal: CT_RECONNECT" << std::endl;
|
|
|
|
|
reconnect(0);
|
|
|
|
|
break;
|
|
|
|
|
case CT_PAUSE:
|
|
|
|
|
std::cout << "signal: CT_PAUSE" << std::endl;
|
|
|
|
|
pause("clock-tick pause");
|
|
|
|
|
break;
|
|
|
|
|
case CT_RESUME:
|
|
|
|
|
std::cout << "signal: CT_RESUME" << std::endl;
|
|
|
|
|
resume();
|
|
|
|
|
break;
|
|
|
|
|
case CT_STATS:
|
|
|
|
|
std::cout << "signal: CT_STATS" << std::endl;
|
|
|
|
|
print_stats();
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
virtual void external_pki_cert_request(ClientAPI::ExternalPKICertRequest& certreq) override
|
2012-09-10 01:10:20 +02:00
|
|
|
{
|
mbedTLS: Port from polarssl-1.3 to mbedtls-2.3 (functional)
This patch builds on work by David Sommerseth <davids@openvpn.net>
to move the PolarSSL API from polarssl-1.3 to mbedtls-2.3, which
has significant differences in some areas.
- Strings containing keys, certificates, CRLs, and DH parameters
need to be NULL-terminated and the length argument provided to
the corresponding mbedtls parse function must be able to read
the NULL-terminator. These places have been modified with a
'+1' to the length argument (x509cert.hpp, x509crl.hpp, dh.hpp,
pkctx.hpp).
- The SSL context object has been split up in mbedtls-2.3
Now many of the SSL configurations are done in a separate
SSL config object, which is added to the SSL context once
configured. In addition private/public keys are now stored
in a separate pk_context, which is later on attached to the
SSL context. Due to this, many of the calls setting either
SSL configuration parameters or working with pk_contexts have
been refactored. (sslctx.hpp)
- The older API loading the CA chain took a hostname argument.
The new API requires mbedtls_ssl_set_hostname() explicitly to
be called setting hostname. Some refactoring was needed here
too (sslctx.hpp).
- x509_oid_get_description() is now replaced by
mbedtls_oid_get_extended_key_usage().
- when mbedTLS renamed OID_CMP to MBEDTLS_OID_CMP, the return
value was changed so that a return value of 0 now means equal
rather than not-equal.
- mbedtls/platform.h must be loaded before any other mbedtls
include files (sslchoose.hpp).
- All functions and macros related to mbedTLS are now prefixed
with mbedtls_/MBEDTLS_
- Refactored External PKI and added some options to cli.cpp
to make it easier to test that the feature still works
correctly. This included removing the sig_type var and
standardizing on a PKCS#1 digest prefix per RFC 3447.
- Updated test keys to 2048 bits.
- Updated dependency build scripts to build mbedTLS.
- Enable MD4 in mbedTLS build script (needed for NTLM auth).
- Use an allow-all X509 cert profile to preserve compatibility
with older configs. Going forward, we will implement new
options to increase strictness on minimum RSA key size and
required cert signing algs.
- Added human-readable reason strings that explain why
a given cert in the chain wasn't accepted.
- This patch doesn't rename any files or rename internal
OpenVPN 3 symbols such as PolarSSLContext. This will
be done in a separate commit.
Signed-off-by: James Yonan <james@openvpn.net>
2017-02-23 23:20:31 +01:00
|
|
|
if (!epki_cert.empty())
|
|
|
|
|
{
|
|
|
|
|
certreq.cert = epki_cert;
|
|
|
|
|
certreq.supportingChain = epki_ca;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
certreq.error = true;
|
|
|
|
|
certreq.errorText = "external_pki_cert_request not implemented";
|
|
|
|
|
}
|
2012-09-10 01:10:20 +02:00
|
|
|
}
|
|
|
|
|
|
2017-04-12 20:37:41 +02:00
|
|
|
virtual void external_pki_sign_request(ClientAPI::ExternalPKISignRequest& signreq) override
|
2012-09-10 01:10:20 +02:00
|
|
|
{
|
2017-02-24 00:59:51 +01:00
|
|
|
#if defined(USE_MBEDTLS)
|
mbedTLS: Port from polarssl-1.3 to mbedtls-2.3 (functional)
This patch builds on work by David Sommerseth <davids@openvpn.net>
to move the PolarSSL API from polarssl-1.3 to mbedtls-2.3, which
has significant differences in some areas.
- Strings containing keys, certificates, CRLs, and DH parameters
need to be NULL-terminated and the length argument provided to
the corresponding mbedtls parse function must be able to read
the NULL-terminator. These places have been modified with a
'+1' to the length argument (x509cert.hpp, x509crl.hpp, dh.hpp,
pkctx.hpp).
- The SSL context object has been split up in mbedtls-2.3
Now many of the SSL configurations are done in a separate
SSL config object, which is added to the SSL context once
configured. In addition private/public keys are now stored
in a separate pk_context, which is later on attached to the
SSL context. Due to this, many of the calls setting either
SSL configuration parameters or working with pk_contexts have
been refactored. (sslctx.hpp)
- The older API loading the CA chain took a hostname argument.
The new API requires mbedtls_ssl_set_hostname() explicitly to
be called setting hostname. Some refactoring was needed here
too (sslctx.hpp).
- x509_oid_get_description() is now replaced by
mbedtls_oid_get_extended_key_usage().
- when mbedTLS renamed OID_CMP to MBEDTLS_OID_CMP, the return
value was changed so that a return value of 0 now means equal
rather than not-equal.
- mbedtls/platform.h must be loaded before any other mbedtls
include files (sslchoose.hpp).
- All functions and macros related to mbedTLS are now prefixed
with mbedtls_/MBEDTLS_
- Refactored External PKI and added some options to cli.cpp
to make it easier to test that the feature still works
correctly. This included removing the sig_type var and
standardizing on a PKCS#1 digest prefix per RFC 3447.
- Updated test keys to 2048 bits.
- Updated dependency build scripts to build mbedTLS.
- Enable MD4 in mbedTLS build script (needed for NTLM auth).
- Use an allow-all X509 cert profile to preserve compatibility
with older configs. Going forward, we will implement new
options to increase strictness on minimum RSA key size and
required cert signing algs.
- Added human-readable reason strings that explain why
a given cert in the chain wasn't accepted.
- This patch doesn't rename any files or rename internal
OpenVPN 3 symbols such as PolarSSLContext. This will
be done in a separate commit.
Signed-off-by: James Yonan <james@openvpn.net>
2017-02-23 23:20:31 +01:00
|
|
|
if (epki_ctx.defined())
|
|
|
|
|
{
|
|
|
|
|
try {
|
|
|
|
|
// decode base64 sign request
|
|
|
|
|
BufferAllocated signdata(256, BufferAllocated::GROW);
|
|
|
|
|
base64->decode(signdata, signreq.data);
|
|
|
|
|
|
|
|
|
|
// get MD alg
|
2017-02-24 00:59:51 +01:00
|
|
|
const mbedtls_md_type_t md_alg = PKCS1::DigestPrefix::MbedTLSParse().alg_from_prefix(signdata);
|
mbedTLS: Port from polarssl-1.3 to mbedtls-2.3 (functional)
This patch builds on work by David Sommerseth <davids@openvpn.net>
to move the PolarSSL API from polarssl-1.3 to mbedtls-2.3, which
has significant differences in some areas.
- Strings containing keys, certificates, CRLs, and DH parameters
need to be NULL-terminated and the length argument provided to
the corresponding mbedtls parse function must be able to read
the NULL-terminator. These places have been modified with a
'+1' to the length argument (x509cert.hpp, x509crl.hpp, dh.hpp,
pkctx.hpp).
- The SSL context object has been split up in mbedtls-2.3
Now many of the SSL configurations are done in a separate
SSL config object, which is added to the SSL context once
configured. In addition private/public keys are now stored
in a separate pk_context, which is later on attached to the
SSL context. Due to this, many of the calls setting either
SSL configuration parameters or working with pk_contexts have
been refactored. (sslctx.hpp)
- The older API loading the CA chain took a hostname argument.
The new API requires mbedtls_ssl_set_hostname() explicitly to
be called setting hostname. Some refactoring was needed here
too (sslctx.hpp).
- x509_oid_get_description() is now replaced by
mbedtls_oid_get_extended_key_usage().
- when mbedTLS renamed OID_CMP to MBEDTLS_OID_CMP, the return
value was changed so that a return value of 0 now means equal
rather than not-equal.
- mbedtls/platform.h must be loaded before any other mbedtls
include files (sslchoose.hpp).
- All functions and macros related to mbedTLS are now prefixed
with mbedtls_/MBEDTLS_
- Refactored External PKI and added some options to cli.cpp
to make it easier to test that the feature still works
correctly. This included removing the sig_type var and
standardizing on a PKCS#1 digest prefix per RFC 3447.
- Updated test keys to 2048 bits.
- Updated dependency build scripts to build mbedTLS.
- Enable MD4 in mbedTLS build script (needed for NTLM auth).
- Use an allow-all X509 cert profile to preserve compatibility
with older configs. Going forward, we will implement new
options to increase strictness on minimum RSA key size and
required cert signing algs.
- Added human-readable reason strings that explain why
a given cert in the chain wasn't accepted.
- This patch doesn't rename any files or rename internal
OpenVPN 3 symbols such as PolarSSLContext. This will
be done in a separate commit.
Signed-off-by: James Yonan <james@openvpn.net>
2017-02-23 23:20:31 +01:00
|
|
|
|
|
|
|
|
// log info
|
2017-02-24 00:59:51 +01:00
|
|
|
OPENVPN_LOG("SIGN[" << PKCS1::DigestPrefix::MbedTLSParse::to_string(md_alg) << ',' << signdata.size() << "]: " << render_hex_generic(signdata));
|
mbedTLS: Port from polarssl-1.3 to mbedtls-2.3 (functional)
This patch builds on work by David Sommerseth <davids@openvpn.net>
to move the PolarSSL API from polarssl-1.3 to mbedtls-2.3, which
has significant differences in some areas.
- Strings containing keys, certificates, CRLs, and DH parameters
need to be NULL-terminated and the length argument provided to
the corresponding mbedtls parse function must be able to read
the NULL-terminator. These places have been modified with a
'+1' to the length argument (x509cert.hpp, x509crl.hpp, dh.hpp,
pkctx.hpp).
- The SSL context object has been split up in mbedtls-2.3
Now many of the SSL configurations are done in a separate
SSL config object, which is added to the SSL context once
configured. In addition private/public keys are now stored
in a separate pk_context, which is later on attached to the
SSL context. Due to this, many of the calls setting either
SSL configuration parameters or working with pk_contexts have
been refactored. (sslctx.hpp)
- The older API loading the CA chain took a hostname argument.
The new API requires mbedtls_ssl_set_hostname() explicitly to
be called setting hostname. Some refactoring was needed here
too (sslctx.hpp).
- x509_oid_get_description() is now replaced by
mbedtls_oid_get_extended_key_usage().
- when mbedTLS renamed OID_CMP to MBEDTLS_OID_CMP, the return
value was changed so that a return value of 0 now means equal
rather than not-equal.
- mbedtls/platform.h must be loaded before any other mbedtls
include files (sslchoose.hpp).
- All functions and macros related to mbedTLS are now prefixed
with mbedtls_/MBEDTLS_
- Refactored External PKI and added some options to cli.cpp
to make it easier to test that the feature still works
correctly. This included removing the sig_type var and
standardizing on a PKCS#1 digest prefix per RFC 3447.
- Updated test keys to 2048 bits.
- Updated dependency build scripts to build mbedTLS.
- Enable MD4 in mbedTLS build script (needed for NTLM auth).
- Use an allow-all X509 cert profile to preserve compatibility
with older configs. Going forward, we will implement new
options to increase strictness on minimum RSA key size and
required cert signing algs.
- Added human-readable reason strings that explain why
a given cert in the chain wasn't accepted.
- This patch doesn't rename any files or rename internal
OpenVPN 3 symbols such as PolarSSLContext. This will
be done in a separate commit.
Signed-off-by: James Yonan <james@openvpn.net>
2017-02-23 23:20:31 +01:00
|
|
|
|
|
|
|
|
// allocate buffer for signature
|
|
|
|
|
BufferAllocated sig(mbedtls_pk_get_len(epki_ctx.get()), BufferAllocated::ARRAY);
|
|
|
|
|
|
|
|
|
|
// sign it
|
|
|
|
|
size_t sig_size = 0;
|
|
|
|
|
const int status = mbedtls_pk_sign(epki_ctx.get(),
|
|
|
|
|
md_alg,
|
|
|
|
|
signdata.c_data(),
|
|
|
|
|
signdata.size(),
|
|
|
|
|
sig.data(),
|
|
|
|
|
&sig_size,
|
|
|
|
|
rng_callback,
|
|
|
|
|
this);
|
|
|
|
|
if (status != 0)
|
|
|
|
|
throw Exception("mbedtls_pk_sign failed, err=" + openvpn::to_string(status));
|
|
|
|
|
if (sig.size() != sig_size)
|
|
|
|
|
throw Exception("unexpected signature size");
|
|
|
|
|
|
|
|
|
|
// encode base64 signature
|
|
|
|
|
signreq.sig = base64->encode(sig);
|
|
|
|
|
OPENVPN_LOG("SIGNATURE[" << sig_size << "]: " << signreq.sig);
|
|
|
|
|
}
|
|
|
|
|
catch (const std::exception& e)
|
|
|
|
|
{
|
|
|
|
|
signreq.error = true;
|
|
|
|
|
signreq.errorText = std::string("external_pki_sign_request: ") + e.what();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
#endif
|
|
|
|
|
{
|
|
|
|
|
signreq.error = true;
|
|
|
|
|
signreq.errorText = "external_pki_sign_request not implemented";
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// RNG callback
|
|
|
|
|
static int rng_callback(void *arg, unsigned char *data, size_t len)
|
|
|
|
|
{
|
|
|
|
|
Client *self = (Client *)arg;
|
|
|
|
|
if (!self->rng)
|
|
|
|
|
{
|
|
|
|
|
self->rng.reset(new SSLLib::RandomAPI(false));
|
|
|
|
|
self->rng->assert_crypto();
|
|
|
|
|
}
|
|
|
|
|
return self->rng->rand_bytes_noexcept(data, len) ? 0 : -1; // using -1 as a general-purpose mbed TLS error code
|
2012-09-10 01:10:20 +02:00
|
|
|
}
|
2012-10-24 08:38:20 +02:00
|
|
|
|
2017-04-12 20:37:41 +02:00
|
|
|
virtual bool pause_on_connection_timeout() override
|
2012-10-24 08:38:20 +02:00
|
|
|
{
|
|
|
|
|
return false;
|
|
|
|
|
}
|
2015-05-10 23:39:57 +02:00
|
|
|
|
2018-03-11 00:01:46 +01:00
|
|
|
#ifdef OPENVPN_REMOTE_OVERRIDE
|
|
|
|
|
virtual bool remote_override_enabled() override
|
|
|
|
|
{
|
|
|
|
|
return !remote_override_cmd.empty();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
virtual void remote_override(ClientAPI::RemoteOverride& ro)
|
|
|
|
|
{
|
|
|
|
|
RedirectPipe::InOut pio;
|
|
|
|
|
Argv argv;
|
|
|
|
|
argv.emplace_back(remote_override_cmd);
|
|
|
|
|
OPENVPN_LOG(argv.to_string());
|
|
|
|
|
const int status = system_cmd(remote_override_cmd,
|
|
|
|
|
argv,
|
|
|
|
|
nullptr,
|
|
|
|
|
pio,
|
|
|
|
|
RedirectPipe::IGNORE_ERR);
|
|
|
|
|
if (!status)
|
|
|
|
|
{
|
|
|
|
|
const std::string out = string::first_line(pio.out);
|
|
|
|
|
OPENVPN_LOG("REMOTE OVERRIDE: " << out);
|
|
|
|
|
auto svec = string::split(out, ',');
|
|
|
|
|
if (svec.size() == 4)
|
|
|
|
|
{
|
|
|
|
|
ro.host = svec[0];
|
|
|
|
|
ro.ip = svec[1];
|
|
|
|
|
ro.port = svec[2];
|
|
|
|
|
ro.proto = svec[3];
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
ro.error = "cannot parse remote-override, expecting host,ip,port,proto (at least one or both of host and ip must be defined)";
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
ro.error = "status=" + std::to_string(status);
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2016-04-09 08:57:21 +02:00
|
|
|
std::mutex log_mutex;
|
2015-05-10 23:39:57 +02:00
|
|
|
std::string dc_cookie;
|
mbedTLS: Port from polarssl-1.3 to mbedtls-2.3 (functional)
This patch builds on work by David Sommerseth <davids@openvpn.net>
to move the PolarSSL API from polarssl-1.3 to mbedtls-2.3, which
has significant differences in some areas.
- Strings containing keys, certificates, CRLs, and DH parameters
need to be NULL-terminated and the length argument provided to
the corresponding mbedtls parse function must be able to read
the NULL-terminator. These places have been modified with a
'+1' to the length argument (x509cert.hpp, x509crl.hpp, dh.hpp,
pkctx.hpp).
- The SSL context object has been split up in mbedtls-2.3
Now many of the SSL configurations are done in a separate
SSL config object, which is added to the SSL context once
configured. In addition private/public keys are now stored
in a separate pk_context, which is later on attached to the
SSL context. Due to this, many of the calls setting either
SSL configuration parameters or working with pk_contexts have
been refactored. (sslctx.hpp)
- The older API loading the CA chain took a hostname argument.
The new API requires mbedtls_ssl_set_hostname() explicitly to
be called setting hostname. Some refactoring was needed here
too (sslctx.hpp).
- x509_oid_get_description() is now replaced by
mbedtls_oid_get_extended_key_usage().
- when mbedTLS renamed OID_CMP to MBEDTLS_OID_CMP, the return
value was changed so that a return value of 0 now means equal
rather than not-equal.
- mbedtls/platform.h must be loaded before any other mbedtls
include files (sslchoose.hpp).
- All functions and macros related to mbedTLS are now prefixed
with mbedtls_/MBEDTLS_
- Refactored External PKI and added some options to cli.cpp
to make it easier to test that the feature still works
correctly. This included removing the sig_type var and
standardizing on a PKCS#1 digest prefix per RFC 3447.
- Updated test keys to 2048 bits.
- Updated dependency build scripts to build mbedTLS.
- Enable MD4 in mbedTLS build script (needed for NTLM auth).
- Use an allow-all X509 cert profile to preserve compatibility
with older configs. Going forward, we will implement new
options to increase strictness on minimum RSA key size and
required cert signing algs.
- Added human-readable reason strings that explain why
a given cert in the chain wasn't accepted.
- This patch doesn't rename any files or rename internal
OpenVPN 3 symbols such as PolarSSLContext. This will
be done in a separate commit.
Signed-off-by: James Yonan <james@openvpn.net>
2017-02-23 23:20:31 +01:00
|
|
|
RandomAPI::Ptr rng; // random data source for epki
|
2017-04-12 20:37:41 +02:00
|
|
|
volatile ClockTickAction clock_tick_action = CT_UNDEF;
|
2018-03-11 00:01:46 +01:00
|
|
|
|
|
|
|
|
#ifdef OPENVPN_REMOTE_OVERRIDE
|
|
|
|
|
std::string remote_override_cmd;
|
|
|
|
|
#endif
|
2012-09-10 01:10:20 +02:00
|
|
|
};
|
|
|
|
|
|
2015-11-26 03:51:12 +01:00
|
|
|
static Client *the_client = nullptr; // GLOBAL
|
2012-09-10 01:10:20 +02:00
|
|
|
|
2015-11-26 03:51:12 +01:00
|
|
|
static void worker_thread()
|
2012-09-10 01:10:20 +02:00
|
|
|
{
|
2017-04-12 20:37:41 +02:00
|
|
|
#if !defined(OPENVPN_OVPNCLI_SINGLE_THREAD)
|
2017-03-30 23:10:56 +02:00
|
|
|
openvpn_io::detail::signal_blocker signal_blocker; // signals should be handled by parent thread
|
2017-04-12 20:37:41 +02:00
|
|
|
#endif
|
2012-09-10 01:10:20 +02:00
|
|
|
try {
|
|
|
|
|
std::cout << "Thread starting..." << std::endl;
|
2012-09-15 08:56:18 +02:00
|
|
|
ClientAPI::Status connect_status = the_client->connect();
|
2012-09-10 01:10:20 +02:00
|
|
|
if (connect_status.error)
|
2012-11-16 05:13:48 +01:00
|
|
|
{
|
|
|
|
|
std::cout << "connect error: ";
|
|
|
|
|
if (!connect_status.status.empty())
|
|
|
|
|
std::cout << connect_status.status << ": ";
|
|
|
|
|
std::cout << connect_status.message << std::endl;
|
|
|
|
|
}
|
2012-09-10 01:10:20 +02:00
|
|
|
}
|
|
|
|
|
catch (const std::exception& e)
|
|
|
|
|
{
|
2012-09-15 08:56:18 +02:00
|
|
|
std::cout << "Connect thread exception: " << e.what() << std::endl;
|
2012-09-10 01:10:20 +02:00
|
|
|
}
|
|
|
|
|
std::cout << "Thread finished" << std::endl;
|
|
|
|
|
}
|
|
|
|
|
|
2017-04-12 20:37:41 +02:00
|
|
|
static std::string read_profile(const char *fn, const std::string* profile_content)
|
|
|
|
|
{
|
|
|
|
|
if (!string::strcasecmp(fn, "http") && profile_content && !profile_content->empty())
|
|
|
|
|
return *profile_content;
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
ProfileMerge pm(fn, "ovpn", "", ProfileMerge::FOLLOW_FULL,
|
|
|
|
|
ProfileParseLimits::MAX_LINE_SIZE, ProfileParseLimits::MAX_PROFILE_SIZE);
|
|
|
|
|
if (pm.status() != ProfileMerge::MERGE_SUCCESS)
|
|
|
|
|
OPENVPN_THROW_EXCEPTION("merge config error: " << pm.status_string() << " : " << pm.error());
|
|
|
|
|
return pm.profile_content();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#if defined(OPENVPN_PLATFORM_WIN)
|
|
|
|
|
|
|
|
|
|
static void start_thread(Client& client)
|
2014-03-24 23:53:19 +01:00
|
|
|
{
|
2017-04-12 20:37:41 +02:00
|
|
|
// Set Windows title bar
|
|
|
|
|
const std::string title_text = "F2:Stats F3:Reconnect F4:Stop F5:Pause";
|
|
|
|
|
Win::Console::Title title(ClientAPI::OpenVPNClient::platform() + " " + title_text);
|
|
|
|
|
Win::Console::Input console;
|
2014-03-24 23:53:19 +01:00
|
|
|
|
2017-04-12 20:37:41 +02:00
|
|
|
// start connect thread
|
|
|
|
|
std::unique_ptr<std::thread> thread;
|
|
|
|
|
volatile bool thread_exit = false;
|
|
|
|
|
the_client = &client;
|
|
|
|
|
thread.reset(new std::thread([&thread_exit]() {
|
|
|
|
|
worker_thread();
|
|
|
|
|
thread_exit = true;
|
|
|
|
|
}));
|
|
|
|
|
|
|
|
|
|
// wait for connect thread to exit, also check for keypresses
|
|
|
|
|
while (!thread_exit)
|
2014-03-24 23:53:19 +01:00
|
|
|
{
|
2017-04-12 20:37:41 +02:00
|
|
|
while (true)
|
|
|
|
|
{
|
|
|
|
|
const unsigned int c = console.get();
|
|
|
|
|
if (!c)
|
|
|
|
|
break;
|
|
|
|
|
else if (c == 0x3C) // F2
|
|
|
|
|
the_client->print_stats();
|
|
|
|
|
else if (c == 0x3D) // F3
|
|
|
|
|
the_client->reconnect(0);
|
|
|
|
|
else if (c == 0x3E) // F4
|
|
|
|
|
the_client->stop();
|
|
|
|
|
else if (c == 0x3F) // F5
|
|
|
|
|
the_client->pause("user-pause");
|
|
|
|
|
}
|
|
|
|
|
Sleep(1000);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// wait for connect thread to exit
|
|
|
|
|
thread->join();
|
|
|
|
|
|
|
|
|
|
the_client = nullptr;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#elif defined(OPENVPN_OVPNCLI_SINGLE_THREAD)
|
|
|
|
|
|
|
|
|
|
static void handler(int signum)
|
|
|
|
|
{
|
|
|
|
|
switch (signum)
|
|
|
|
|
{
|
|
|
|
|
case SIGTERM:
|
|
|
|
|
case SIGINT:
|
|
|
|
|
if (the_client)
|
|
|
|
|
the_client->set_clock_tick_action(Client::CT_STOP);
|
|
|
|
|
break;
|
|
|
|
|
case SIGHUP:
|
|
|
|
|
if (the_client)
|
|
|
|
|
the_client->set_clock_tick_action(Client::CT_RECONNECT);
|
|
|
|
|
break;
|
|
|
|
|
case SIGUSR1:
|
|
|
|
|
if (the_client)
|
|
|
|
|
the_client->set_clock_tick_action(Client::CT_STATS);
|
|
|
|
|
break;
|
|
|
|
|
case SIGUSR2:
|
|
|
|
|
{
|
|
|
|
|
// toggle pause/resume
|
|
|
|
|
static bool hup = false;
|
|
|
|
|
if (the_client)
|
|
|
|
|
{
|
|
|
|
|
if (hup)
|
|
|
|
|
the_client->set_clock_tick_action(Client::CT_RESUME);
|
|
|
|
|
else
|
|
|
|
|
the_client->set_clock_tick_action(Client::CT_PAUSE);
|
|
|
|
|
hup = !hup;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
break;
|
2014-03-24 23:53:19 +01:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-04-12 20:37:41 +02:00
|
|
|
static void start_thread(Client& client)
|
|
|
|
|
{
|
|
|
|
|
the_client = &client;
|
|
|
|
|
|
|
|
|
|
// capture signals that might occur while we're in worker_thread
|
|
|
|
|
Signal signal(handler, Signal::F_SIGINT|Signal::F_SIGTERM|Signal::F_SIGHUP|Signal::F_SIGUSR1|Signal::F_SIGUSR2);
|
|
|
|
|
|
|
|
|
|
// run the client
|
|
|
|
|
worker_thread();
|
|
|
|
|
|
|
|
|
|
the_client = nullptr;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#else
|
|
|
|
|
|
2015-11-26 03:51:12 +01:00
|
|
|
static void handler(int signum)
|
2012-09-10 01:10:20 +02:00
|
|
|
{
|
2012-09-12 01:51:37 +02:00
|
|
|
switch (signum)
|
|
|
|
|
{
|
|
|
|
|
case SIGTERM:
|
|
|
|
|
case SIGINT:
|
2012-09-15 08:56:18 +02:00
|
|
|
std::cout << "received stop signal " << signum << std::endl;
|
2012-09-12 01:51:37 +02:00
|
|
|
if (the_client)
|
|
|
|
|
the_client->stop();
|
|
|
|
|
break;
|
|
|
|
|
case SIGHUP:
|
2012-09-15 08:56:18 +02:00
|
|
|
std::cout << "received reconnect signal " << signum << std::endl;
|
2012-09-12 01:51:37 +02:00
|
|
|
if (the_client)
|
2014-02-16 09:13:26 +01:00
|
|
|
the_client->reconnect(0);
|
2012-09-12 01:51:37 +02:00
|
|
|
break;
|
2014-03-24 23:53:19 +01:00
|
|
|
case SIGUSR1:
|
|
|
|
|
if (the_client)
|
2017-04-12 20:37:41 +02:00
|
|
|
the_client->print_stats();
|
2014-03-24 23:53:19 +01:00
|
|
|
break;
|
|
|
|
|
case SIGUSR2:
|
|
|
|
|
{
|
|
|
|
|
// toggle pause/resume
|
|
|
|
|
static bool hup = false;
|
|
|
|
|
std::cout << "received pause/resume toggle signal " << signum << std::endl;
|
|
|
|
|
if (the_client)
|
|
|
|
|
{
|
|
|
|
|
if (hup)
|
|
|
|
|
the_client->resume();
|
|
|
|
|
else
|
|
|
|
|
the_client->pause("pause-resume-signal");
|
|
|
|
|
hup = !hup;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
break;
|
2012-09-12 01:51:37 +02:00
|
|
|
default:
|
2012-09-15 08:56:18 +02:00
|
|
|
std::cout << "received unknown signal " << signum << std::endl;
|
2012-09-12 01:51:37 +02:00
|
|
|
break;
|
|
|
|
|
}
|
2012-09-10 01:10:20 +02:00
|
|
|
}
|
|
|
|
|
|
2017-04-12 20:37:41 +02:00
|
|
|
static void start_thread(Client& client)
|
2015-11-26 03:51:12 +01:00
|
|
|
{
|
2017-04-12 20:37:41 +02:00
|
|
|
std::unique_ptr<std::thread> thread;
|
|
|
|
|
|
|
|
|
|
// start connect thread
|
|
|
|
|
the_client = &client;
|
|
|
|
|
thread.reset(new std::thread([]() {
|
|
|
|
|
worker_thread();
|
|
|
|
|
}));
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
// catch signals that might occur while we're in join()
|
|
|
|
|
Signal signal(handler, Signal::F_SIGINT|Signal::F_SIGTERM|Signal::F_SIGHUP|Signal::F_SIGUSR1|Signal::F_SIGUSR2);
|
|
|
|
|
|
|
|
|
|
// wait for connect thread to exit
|
|
|
|
|
thread->join();
|
|
|
|
|
}
|
|
|
|
|
the_client = nullptr;
|
2015-11-26 03:51:12 +01:00
|
|
|
}
|
|
|
|
|
|
2017-04-12 20:37:41 +02:00
|
|
|
#endif
|
|
|
|
|
|
2015-11-26 03:51:12 +01:00
|
|
|
int openvpn_client(int argc, char *argv[], const std::string* profile_content)
|
2012-09-10 01:10:20 +02:00
|
|
|
{
|
2012-09-15 08:56:18 +02:00
|
|
|
static const struct option longopts[] = {
|
2015-05-17 10:53:37 +02:00
|
|
|
{ "username", required_argument, nullptr, 'u' },
|
|
|
|
|
{ "password", required_argument, nullptr, 'p' },
|
|
|
|
|
{ "response", required_argument, nullptr, 'r' },
|
|
|
|
|
{ "dc", required_argument, nullptr, 'D' },
|
|
|
|
|
{ "proto", required_argument, nullptr, 'P' },
|
2016-02-05 20:16:20 +01:00
|
|
|
{ "ipv6", required_argument, nullptr, '6' },
|
2015-05-17 10:53:37 +02:00
|
|
|
{ "server", required_argument, nullptr, 's' },
|
2017-10-21 00:24:37 +02:00
|
|
|
{ "port", required_argument, nullptr, 'R' },
|
2015-05-17 10:53:37 +02:00
|
|
|
{ "timeout", required_argument, nullptr, 't' },
|
|
|
|
|
{ "compress", required_argument, nullptr, 'c' },
|
|
|
|
|
{ "pk-password", required_argument, nullptr, 'z' },
|
|
|
|
|
{ "tvm-override", required_argument, nullptr, 'M' },
|
|
|
|
|
{ "proxy-host", required_argument, nullptr, 'h' },
|
|
|
|
|
{ "proxy-port", required_argument, nullptr, 'q' },
|
|
|
|
|
{ "proxy-username", required_argument, nullptr, 'U' },
|
|
|
|
|
{ "proxy-password", required_argument, nullptr, 'W' },
|
2015-09-22 04:42:24 +02:00
|
|
|
{ "peer-info", required_argument, nullptr, 'I' },
|
Added gremlin option to client, controllable via
ClientAPI::Config::gremlinConfig string.
The gremlin option allows extra packet latency
or unreliability to be added to the tunnel.
The format of the option is a comma-separated list
of numerical parameters:
send_delay_ms, recv_delay_ms, send_drop_prob, recv_drop_prob
Parameter description:
send_delay_ms : delay packets by n milliseconds before
transmission (UDP/TCP).
recv_delay_ms : delay received packets by n milliseconds
before processing them (UDP/TCP).
send_drop_prob : drop sent packets with probability 1/n
(UDP only).
recv_drop_prob : drop received packets with probability
1/n (UDP only).
Set any parameter to 0 to disable.
Gremlin parameters currently work with UDP and TCP
transport as documented above, but not for proxy transport.
Client must be built with the OPENVPN_GREMLIN flag to compile
gremlin functionality.
Command-line client can set the gremlin config
string using --gremlin or -G, for example:
--gremlin=250,250,64,64
When using the above parameters, an extra 500 milliseconds
will be added to round-trip latency, and 1/64 sent or
received packets will be dropped.
2016-01-26 08:27:11 +01:00
|
|
|
{ "gremlin", required_argument, nullptr, 'G' },
|
2015-05-17 10:53:37 +02:00
|
|
|
{ "proxy-basic", no_argument, nullptr, 'B' },
|
|
|
|
|
{ "alt-proxy", no_argument, nullptr, 'A' },
|
2015-06-17 09:48:33 +02:00
|
|
|
{ "dco", no_argument, nullptr, 'd' },
|
2015-05-17 10:53:37 +02:00
|
|
|
{ "eval", no_argument, nullptr, 'e' },
|
|
|
|
|
{ "self-test", no_argument, nullptr, 'T' },
|
|
|
|
|
{ "cache-password", no_argument, nullptr, 'C' },
|
|
|
|
|
{ "no-cert", no_argument, nullptr, 'x' },
|
|
|
|
|
{ "force-aes-cbc", no_argument, nullptr, 'f' },
|
|
|
|
|
{ "google-dns", no_argument, nullptr, 'g' },
|
|
|
|
|
{ "persist-tun", no_argument, nullptr, 'j' },
|
2019-05-17 10:49:36 +02:00
|
|
|
{ "wintun", no_argument, nullptr, 'w' },
|
2015-05-17 10:53:37 +02:00
|
|
|
{ "def-keydir", required_argument, nullptr, 'k' },
|
|
|
|
|
{ "merge", no_argument, nullptr, 'm' },
|
|
|
|
|
{ "version", no_argument, nullptr, 'v' },
|
2016-02-04 19:39:44 +01:00
|
|
|
{ "auto-sess", no_argument, nullptr, 'a' },
|
2018-02-06 22:12:58 +01:00
|
|
|
{ "auth-retry", no_argument, nullptr, 'Y' },
|
2017-02-28 19:50:28 +01:00
|
|
|
{ "tcprof-override", required_argument, nullptr, 'X' },
|
2016-08-05 04:43:43 +02:00
|
|
|
{ "ssl-debug", required_argument, nullptr, 1 },
|
mbedTLS: Port from polarssl-1.3 to mbedtls-2.3 (functional)
This patch builds on work by David Sommerseth <davids@openvpn.net>
to move the PolarSSL API from polarssl-1.3 to mbedtls-2.3, which
has significant differences in some areas.
- Strings containing keys, certificates, CRLs, and DH parameters
need to be NULL-terminated and the length argument provided to
the corresponding mbedtls parse function must be able to read
the NULL-terminator. These places have been modified with a
'+1' to the length argument (x509cert.hpp, x509crl.hpp, dh.hpp,
pkctx.hpp).
- The SSL context object has been split up in mbedtls-2.3
Now many of the SSL configurations are done in a separate
SSL config object, which is added to the SSL context once
configured. In addition private/public keys are now stored
in a separate pk_context, which is later on attached to the
SSL context. Due to this, many of the calls setting either
SSL configuration parameters or working with pk_contexts have
been refactored. (sslctx.hpp)
- The older API loading the CA chain took a hostname argument.
The new API requires mbedtls_ssl_set_hostname() explicitly to
be called setting hostname. Some refactoring was needed here
too (sslctx.hpp).
- x509_oid_get_description() is now replaced by
mbedtls_oid_get_extended_key_usage().
- when mbedTLS renamed OID_CMP to MBEDTLS_OID_CMP, the return
value was changed so that a return value of 0 now means equal
rather than not-equal.
- mbedtls/platform.h must be loaded before any other mbedtls
include files (sslchoose.hpp).
- All functions and macros related to mbedTLS are now prefixed
with mbedtls_/MBEDTLS_
- Refactored External PKI and added some options to cli.cpp
to make it easier to test that the feature still works
correctly. This included removing the sig_type var and
standardizing on a PKCS#1 digest prefix per RFC 3447.
- Updated test keys to 2048 bits.
- Updated dependency build scripts to build mbedTLS.
- Enable MD4 in mbedTLS build script (needed for NTLM auth).
- Use an allow-all X509 cert profile to preserve compatibility
with older configs. Going forward, we will implement new
options to increase strictness on minimum RSA key size and
required cert signing algs.
- Added human-readable reason strings that explain why
a given cert in the chain wasn't accepted.
- This patch doesn't rename any files or rename internal
OpenVPN 3 symbols such as PolarSSLContext. This will
be done in a separate commit.
Signed-off-by: James Yonan <james@openvpn.net>
2017-02-23 23:20:31 +01:00
|
|
|
{ "epki-cert", required_argument, nullptr, 2 },
|
|
|
|
|
{ "epki-ca", required_argument, nullptr, 3 },
|
|
|
|
|
{ "epki-key", required_argument, nullptr, 4 },
|
2018-03-11 00:01:46 +01:00
|
|
|
#ifdef OPENVPN_REMOTE_OVERRIDE
|
|
|
|
|
{ "remote-override",required_argument, nullptr, 5 },
|
|
|
|
|
#endif
|
2015-05-17 10:53:37 +02:00
|
|
|
{ nullptr, 0, nullptr, 0 }
|
2012-09-15 08:56:18 +02:00
|
|
|
};
|
|
|
|
|
|
2014-08-11 00:44:09 +02:00
|
|
|
int ret = 0;
|
2015-11-26 03:51:12 +01:00
|
|
|
auto cleanup = Cleanup([]() {
|
|
|
|
|
the_client = nullptr;
|
|
|
|
|
});
|
2015-11-25 19:31:24 +01:00
|
|
|
|
2012-09-10 01:10:20 +02:00
|
|
|
try {
|
|
|
|
|
if (argc >= 2)
|
|
|
|
|
{
|
2012-09-15 08:56:18 +02:00
|
|
|
std::string username;
|
|
|
|
|
std::string password;
|
2012-11-18 19:53:10 +01:00
|
|
|
std::string response;
|
2015-05-10 23:39:57 +02:00
|
|
|
std::string dynamicChallengeCookie;
|
2012-09-15 08:56:18 +02:00
|
|
|
std::string proto;
|
2016-02-05 20:16:20 +01:00
|
|
|
std::string ipv6;
|
2012-09-15 08:56:18 +02:00
|
|
|
std::string server;
|
2017-10-21 00:24:37 +02:00
|
|
|
std::string port;
|
2012-09-15 08:56:18 +02:00
|
|
|
int timeout = 0;
|
|
|
|
|
std::string compress;
|
2012-11-15 23:48:13 +01:00
|
|
|
std::string privateKeyPassword;
|
2015-02-05 04:29:43 +01:00
|
|
|
std::string tlsVersionMinOverride;
|
2017-02-28 19:50:28 +01:00
|
|
|
std::string tlsCertProfileOverride;
|
2012-10-24 08:38:20 +02:00
|
|
|
std::string proxyHost;
|
|
|
|
|
std::string proxyPort;
|
|
|
|
|
std::string proxyUsername;
|
|
|
|
|
std::string proxyPassword;
|
2015-09-22 04:42:24 +02:00
|
|
|
std::string peer_info;
|
Added gremlin option to client, controllable via
ClientAPI::Config::gremlinConfig string.
The gremlin option allows extra packet latency
or unreliability to be added to the tunnel.
The format of the option is a comma-separated list
of numerical parameters:
send_delay_ms, recv_delay_ms, send_drop_prob, recv_drop_prob
Parameter description:
send_delay_ms : delay packets by n milliseconds before
transmission (UDP/TCP).
recv_delay_ms : delay received packets by n milliseconds
before processing them (UDP/TCP).
send_drop_prob : drop sent packets with probability 1/n
(UDP only).
recv_drop_prob : drop received packets with probability
1/n (UDP only).
Set any parameter to 0 to disable.
Gremlin parameters currently work with UDP and TCP
transport as documented above, but not for proxy transport.
Client must be built with the OPENVPN_GREMLIN flag to compile
gremlin functionality.
Command-line client can set the gremlin config
string using --gremlin or -G, for example:
--gremlin=250,250,64,64
When using the above parameters, an extra 500 milliseconds
will be added to round-trip latency, and 1/64 sent or
received packets will be dropped.
2016-01-26 08:27:11 +01:00
|
|
|
std::string gremlin;
|
2012-11-15 23:48:13 +01:00
|
|
|
bool eval = false;
|
2013-06-14 02:34:49 +02:00
|
|
|
bool self_test = false;
|
2012-11-18 19:53:10 +01:00
|
|
|
bool cachePassword = false;
|
2013-01-24 14:34:17 +01:00
|
|
|
bool disableClientCert = false;
|
2013-03-26 18:07:38 +01:00
|
|
|
bool proxyAllowCleartextAuth = false;
|
2013-01-28 02:11:28 +01:00
|
|
|
int defaultKeyDirection = -1;
|
2013-12-27 23:16:05 +01:00
|
|
|
bool forceAesCbcCiphersuites = false;
|
2016-08-05 04:43:43 +02:00
|
|
|
int sslDebugLevel = 0;
|
2014-03-03 22:41:25 +01:00
|
|
|
bool googleDnsFallback = false;
|
2016-02-04 19:39:44 +01:00
|
|
|
bool autologinSessions = false;
|
2018-02-06 22:12:58 +01:00
|
|
|
bool retryOnAuthFailed = false;
|
2014-02-16 09:04:19 +01:00
|
|
|
bool tunPersist = false;
|
2019-05-17 10:49:36 +02:00
|
|
|
bool wintun = false;
|
2013-12-29 04:12:21 +01:00
|
|
|
bool merge = false;
|
2014-01-15 00:34:03 +01:00
|
|
|
bool version = false;
|
2015-02-03 07:11:51 +01:00
|
|
|
bool altProxy = false;
|
2015-06-17 09:48:33 +02:00
|
|
|
bool dco = false;
|
mbedTLS: Port from polarssl-1.3 to mbedtls-2.3 (functional)
This patch builds on work by David Sommerseth <davids@openvpn.net>
to move the PolarSSL API from polarssl-1.3 to mbedtls-2.3, which
has significant differences in some areas.
- Strings containing keys, certificates, CRLs, and DH parameters
need to be NULL-terminated and the length argument provided to
the corresponding mbedtls parse function must be able to read
the NULL-terminator. These places have been modified with a
'+1' to the length argument (x509cert.hpp, x509crl.hpp, dh.hpp,
pkctx.hpp).
- The SSL context object has been split up in mbedtls-2.3
Now many of the SSL configurations are done in a separate
SSL config object, which is added to the SSL context once
configured. In addition private/public keys are now stored
in a separate pk_context, which is later on attached to the
SSL context. Due to this, many of the calls setting either
SSL configuration parameters or working with pk_contexts have
been refactored. (sslctx.hpp)
- The older API loading the CA chain took a hostname argument.
The new API requires mbedtls_ssl_set_hostname() explicitly to
be called setting hostname. Some refactoring was needed here
too (sslctx.hpp).
- x509_oid_get_description() is now replaced by
mbedtls_oid_get_extended_key_usage().
- when mbedTLS renamed OID_CMP to MBEDTLS_OID_CMP, the return
value was changed so that a return value of 0 now means equal
rather than not-equal.
- mbedtls/platform.h must be loaded before any other mbedtls
include files (sslchoose.hpp).
- All functions and macros related to mbedTLS are now prefixed
with mbedtls_/MBEDTLS_
- Refactored External PKI and added some options to cli.cpp
to make it easier to test that the feature still works
correctly. This included removing the sig_type var and
standardizing on a PKCS#1 digest prefix per RFC 3447.
- Updated test keys to 2048 bits.
- Updated dependency build scripts to build mbedTLS.
- Enable MD4 in mbedTLS build script (needed for NTLM auth).
- Use an allow-all X509 cert profile to preserve compatibility
with older configs. Going forward, we will implement new
options to increase strictness on minimum RSA key size and
required cert signing algs.
- Added human-readable reason strings that explain why
a given cert in the chain wasn't accepted.
- This patch doesn't rename any files or rename internal
OpenVPN 3 symbols such as PolarSSLContext. This will
be done in a separate commit.
Signed-off-by: James Yonan <james@openvpn.net>
2017-02-23 23:20:31 +01:00
|
|
|
std::string epki_cert_fn;
|
|
|
|
|
std::string epki_ca_fn;
|
|
|
|
|
std::string epki_key_fn;
|
2018-03-11 00:01:46 +01:00
|
|
|
#ifdef OPENVPN_REMOTE_OVERRIDE
|
|
|
|
|
std::string remote_override_cmd;
|
|
|
|
|
#endif
|
2012-10-24 08:38:20 +02:00
|
|
|
|
2012-09-15 08:56:18 +02:00
|
|
|
int ch;
|
2015-12-11 20:11:25 +01:00
|
|
|
optind = 1;
|
2019-05-17 10:49:36 +02:00
|
|
|
while ((ch = getopt_long(argc, argv, "BAdeTCxfgjwmvaYu:p:r:D:P:6:s:t:c:z:M:h:q:U:W:I:G:k:X:R:", longopts, nullptr)) != -1)
|
2012-09-15 08:56:18 +02:00
|
|
|
{
|
|
|
|
|
switch (ch)
|
|
|
|
|
{
|
mbedTLS: Port from polarssl-1.3 to mbedtls-2.3 (functional)
This patch builds on work by David Sommerseth <davids@openvpn.net>
to move the PolarSSL API from polarssl-1.3 to mbedtls-2.3, which
has significant differences in some areas.
- Strings containing keys, certificates, CRLs, and DH parameters
need to be NULL-terminated and the length argument provided to
the corresponding mbedtls parse function must be able to read
the NULL-terminator. These places have been modified with a
'+1' to the length argument (x509cert.hpp, x509crl.hpp, dh.hpp,
pkctx.hpp).
- The SSL context object has been split up in mbedtls-2.3
Now many of the SSL configurations are done in a separate
SSL config object, which is added to the SSL context once
configured. In addition private/public keys are now stored
in a separate pk_context, which is later on attached to the
SSL context. Due to this, many of the calls setting either
SSL configuration parameters or working with pk_contexts have
been refactored. (sslctx.hpp)
- The older API loading the CA chain took a hostname argument.
The new API requires mbedtls_ssl_set_hostname() explicitly to
be called setting hostname. Some refactoring was needed here
too (sslctx.hpp).
- x509_oid_get_description() is now replaced by
mbedtls_oid_get_extended_key_usage().
- when mbedTLS renamed OID_CMP to MBEDTLS_OID_CMP, the return
value was changed so that a return value of 0 now means equal
rather than not-equal.
- mbedtls/platform.h must be loaded before any other mbedtls
include files (sslchoose.hpp).
- All functions and macros related to mbedTLS are now prefixed
with mbedtls_/MBEDTLS_
- Refactored External PKI and added some options to cli.cpp
to make it easier to test that the feature still works
correctly. This included removing the sig_type var and
standardizing on a PKCS#1 digest prefix per RFC 3447.
- Updated test keys to 2048 bits.
- Updated dependency build scripts to build mbedTLS.
- Enable MD4 in mbedTLS build script (needed for NTLM auth).
- Use an allow-all X509 cert profile to preserve compatibility
with older configs. Going forward, we will implement new
options to increase strictness on minimum RSA key size and
required cert signing algs.
- Added human-readable reason strings that explain why
a given cert in the chain wasn't accepted.
- This patch doesn't rename any files or rename internal
OpenVPN 3 symbols such as PolarSSLContext. This will
be done in a separate commit.
Signed-off-by: James Yonan <james@openvpn.net>
2017-02-23 23:20:31 +01:00
|
|
|
case 1: // ssl-debug
|
2016-08-05 04:43:43 +02:00
|
|
|
sslDebugLevel = ::atoi(optarg);
|
|
|
|
|
break;
|
mbedTLS: Port from polarssl-1.3 to mbedtls-2.3 (functional)
This patch builds on work by David Sommerseth <davids@openvpn.net>
to move the PolarSSL API from polarssl-1.3 to mbedtls-2.3, which
has significant differences in some areas.
- Strings containing keys, certificates, CRLs, and DH parameters
need to be NULL-terminated and the length argument provided to
the corresponding mbedtls parse function must be able to read
the NULL-terminator. These places have been modified with a
'+1' to the length argument (x509cert.hpp, x509crl.hpp, dh.hpp,
pkctx.hpp).
- The SSL context object has been split up in mbedtls-2.3
Now many of the SSL configurations are done in a separate
SSL config object, which is added to the SSL context once
configured. In addition private/public keys are now stored
in a separate pk_context, which is later on attached to the
SSL context. Due to this, many of the calls setting either
SSL configuration parameters or working with pk_contexts have
been refactored. (sslctx.hpp)
- The older API loading the CA chain took a hostname argument.
The new API requires mbedtls_ssl_set_hostname() explicitly to
be called setting hostname. Some refactoring was needed here
too (sslctx.hpp).
- x509_oid_get_description() is now replaced by
mbedtls_oid_get_extended_key_usage().
- when mbedTLS renamed OID_CMP to MBEDTLS_OID_CMP, the return
value was changed so that a return value of 0 now means equal
rather than not-equal.
- mbedtls/platform.h must be loaded before any other mbedtls
include files (sslchoose.hpp).
- All functions and macros related to mbedTLS are now prefixed
with mbedtls_/MBEDTLS_
- Refactored External PKI and added some options to cli.cpp
to make it easier to test that the feature still works
correctly. This included removing the sig_type var and
standardizing on a PKCS#1 digest prefix per RFC 3447.
- Updated test keys to 2048 bits.
- Updated dependency build scripts to build mbedTLS.
- Enable MD4 in mbedTLS build script (needed for NTLM auth).
- Use an allow-all X509 cert profile to preserve compatibility
with older configs. Going forward, we will implement new
options to increase strictness on minimum RSA key size and
required cert signing algs.
- Added human-readable reason strings that explain why
a given cert in the chain wasn't accepted.
- This patch doesn't rename any files or rename internal
OpenVPN 3 symbols such as PolarSSLContext. This will
be done in a separate commit.
Signed-off-by: James Yonan <james@openvpn.net>
2017-02-23 23:20:31 +01:00
|
|
|
case 2: // --epki-cert
|
|
|
|
|
epki_cert_fn = optarg;
|
|
|
|
|
break;
|
|
|
|
|
case 3: // --epki-ca
|
|
|
|
|
epki_ca_fn = optarg;
|
|
|
|
|
break;
|
|
|
|
|
case 4: // --epki-key
|
|
|
|
|
epki_key_fn = optarg;
|
|
|
|
|
break;
|
2018-03-11 00:01:46 +01:00
|
|
|
#ifdef OPENVPN_REMOTE_OVERRIDE
|
|
|
|
|
case 5: // --remote-override
|
|
|
|
|
remote_override_cmd = optarg;
|
|
|
|
|
break;
|
|
|
|
|
#endif
|
2012-11-15 23:48:13 +01:00
|
|
|
case 'e':
|
|
|
|
|
eval = true;
|
|
|
|
|
break;
|
2013-06-14 02:34:49 +02:00
|
|
|
case 'T':
|
|
|
|
|
self_test = true;
|
|
|
|
|
break;
|
2012-11-18 19:53:10 +01:00
|
|
|
case 'C':
|
|
|
|
|
cachePassword = true;
|
|
|
|
|
break;
|
2013-01-24 14:34:17 +01:00
|
|
|
case 'x':
|
|
|
|
|
disableClientCert = true;
|
|
|
|
|
break;
|
2012-09-15 08:56:18 +02:00
|
|
|
case 'u':
|
|
|
|
|
username = optarg;
|
|
|
|
|
break;
|
|
|
|
|
case 'p':
|
|
|
|
|
password = optarg;
|
|
|
|
|
break;
|
2012-11-18 19:53:10 +01:00
|
|
|
case 'r':
|
|
|
|
|
response = optarg;
|
|
|
|
|
break;
|
2012-09-15 08:56:18 +02:00
|
|
|
case 'P':
|
|
|
|
|
proto = optarg;
|
|
|
|
|
break;
|
2016-02-05 20:16:20 +01:00
|
|
|
case '6':
|
|
|
|
|
ipv6 = optarg;
|
|
|
|
|
break;
|
2012-09-15 08:56:18 +02:00
|
|
|
case 's':
|
|
|
|
|
server = optarg;
|
|
|
|
|
break;
|
2017-10-21 00:24:37 +02:00
|
|
|
case 'R':
|
|
|
|
|
port = optarg;
|
|
|
|
|
break;
|
2012-09-15 08:56:18 +02:00
|
|
|
case 't':
|
2013-01-28 02:11:28 +01:00
|
|
|
timeout = ::atoi(optarg);
|
2012-09-15 08:56:18 +02:00
|
|
|
break;
|
|
|
|
|
case 'c':
|
|
|
|
|
compress = optarg;
|
|
|
|
|
break;
|
2012-11-15 23:48:13 +01:00
|
|
|
case 'z':
|
|
|
|
|
privateKeyPassword = optarg;
|
|
|
|
|
break;
|
2015-02-05 04:29:43 +01:00
|
|
|
case 'M':
|
|
|
|
|
tlsVersionMinOverride = optarg;
|
|
|
|
|
break;
|
2017-02-28 19:50:28 +01:00
|
|
|
case 'X':
|
|
|
|
|
tlsCertProfileOverride = optarg;
|
|
|
|
|
break;
|
2012-10-24 08:38:20 +02:00
|
|
|
case 'h':
|
|
|
|
|
proxyHost = optarg;
|
|
|
|
|
break;
|
|
|
|
|
case 'q':
|
|
|
|
|
proxyPort = optarg;
|
|
|
|
|
break;
|
|
|
|
|
case 'U':
|
|
|
|
|
proxyUsername = optarg;
|
|
|
|
|
break;
|
|
|
|
|
case 'W':
|
|
|
|
|
proxyPassword = optarg;
|
|
|
|
|
break;
|
2013-03-26 18:07:38 +01:00
|
|
|
case 'B':
|
|
|
|
|
proxyAllowCleartextAuth = true;
|
|
|
|
|
break;
|
2015-02-03 07:11:51 +01:00
|
|
|
case 'A':
|
|
|
|
|
altProxy = true;
|
|
|
|
|
break;
|
2015-06-17 09:48:33 +02:00
|
|
|
case 'd':
|
|
|
|
|
dco = true;
|
|
|
|
|
break;
|
2013-12-27 23:16:05 +01:00
|
|
|
case 'f':
|
|
|
|
|
forceAesCbcCiphersuites = true;
|
|
|
|
|
break;
|
2014-03-03 22:41:25 +01:00
|
|
|
case 'g':
|
|
|
|
|
googleDnsFallback = true;
|
|
|
|
|
break;
|
2016-02-04 19:39:44 +01:00
|
|
|
case 'a':
|
|
|
|
|
autologinSessions = true;
|
|
|
|
|
break;
|
2018-02-06 22:12:58 +01:00
|
|
|
case 'Y':
|
|
|
|
|
retryOnAuthFailed = true;
|
|
|
|
|
break;
|
2014-02-16 09:04:19 +01:00
|
|
|
case 'j':
|
|
|
|
|
tunPersist = true;
|
|
|
|
|
break;
|
2019-05-17 10:49:36 +02:00
|
|
|
case 'w':
|
|
|
|
|
wintun = true;
|
|
|
|
|
break;
|
2013-12-29 04:12:21 +01:00
|
|
|
case 'm':
|
|
|
|
|
merge = true;
|
|
|
|
|
break;
|
2014-01-15 00:34:03 +01:00
|
|
|
case 'v':
|
|
|
|
|
version = true;
|
|
|
|
|
break;
|
2013-01-28 02:11:28 +01:00
|
|
|
case 'k':
|
|
|
|
|
{
|
|
|
|
|
const std::string arg = optarg;
|
|
|
|
|
if (arg == "bi" || arg == "bidirectional")
|
|
|
|
|
defaultKeyDirection = -1;
|
|
|
|
|
else if (arg == "0")
|
|
|
|
|
defaultKeyDirection = 0;
|
|
|
|
|
else if (arg == "1")
|
|
|
|
|
defaultKeyDirection = 1;
|
|
|
|
|
else
|
|
|
|
|
OPENVPN_THROW_EXCEPTION("bad default key-direction: " << arg);
|
|
|
|
|
}
|
|
|
|
|
break;
|
2015-05-10 23:39:57 +02:00
|
|
|
case 'D':
|
|
|
|
|
dynamicChallengeCookie = optarg;
|
|
|
|
|
break;
|
2015-09-22 04:42:24 +02:00
|
|
|
case 'I':
|
|
|
|
|
peer_info = optarg;
|
|
|
|
|
break;
|
Added gremlin option to client, controllable via
ClientAPI::Config::gremlinConfig string.
The gremlin option allows extra packet latency
or unreliability to be added to the tunnel.
The format of the option is a comma-separated list
of numerical parameters:
send_delay_ms, recv_delay_ms, send_drop_prob, recv_drop_prob
Parameter description:
send_delay_ms : delay packets by n milliseconds before
transmission (UDP/TCP).
recv_delay_ms : delay received packets by n milliseconds
before processing them (UDP/TCP).
send_drop_prob : drop sent packets with probability 1/n
(UDP only).
recv_drop_prob : drop received packets with probability
1/n (UDP only).
Set any parameter to 0 to disable.
Gremlin parameters currently work with UDP and TCP
transport as documented above, but not for proxy transport.
Client must be built with the OPENVPN_GREMLIN flag to compile
gremlin functionality.
Command-line client can set the gremlin config
string using --gremlin or -G, for example:
--gremlin=250,250,64,64
When using the above parameters, an extra 500 milliseconds
will be added to round-trip latency, and 1/64 sent or
received packets will be dropped.
2016-01-26 08:27:11 +01:00
|
|
|
case 'G':
|
|
|
|
|
gremlin = optarg;
|
|
|
|
|
break;
|
2012-09-15 08:56:18 +02:00
|
|
|
default:
|
2015-11-26 03:51:12 +01:00
|
|
|
throw usage();
|
2012-09-15 08:56:18 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
argc -= optind;
|
|
|
|
|
argv += optind;
|
|
|
|
|
|
2014-01-15 00:34:03 +01:00
|
|
|
if (version)
|
|
|
|
|
{
|
|
|
|
|
std::cout << "OpenVPN cli 1.0" << std::endl;
|
|
|
|
|
std::cout << ClientAPI::OpenVPNClient::platform() << std::endl;
|
|
|
|
|
std::cout << ClientAPI::OpenVPNClient::copyright() << std::endl;
|
|
|
|
|
}
|
|
|
|
|
else if (self_test)
|
2012-09-10 01:10:20 +02:00
|
|
|
{
|
2013-06-14 02:34:49 +02:00
|
|
|
std::cout << ClientAPI::OpenVPNClient::crypto_self_test();
|
2012-09-10 01:10:20 +02:00
|
|
|
}
|
2013-12-29 04:12:21 +01:00
|
|
|
else if (merge)
|
|
|
|
|
{
|
|
|
|
|
if (argc != 1)
|
2015-11-26 03:51:12 +01:00
|
|
|
throw usage();
|
|
|
|
|
std::cout << read_profile(argv[0], profile_content);
|
2013-12-29 04:12:21 +01:00
|
|
|
}
|
2012-09-10 01:10:20 +02:00
|
|
|
else
|
|
|
|
|
{
|
2015-12-28 21:23:39 +01:00
|
|
|
if (argc < 1)
|
2015-11-26 03:51:12 +01:00
|
|
|
throw usage();
|
2013-06-14 02:34:49 +02:00
|
|
|
|
2015-05-10 23:39:57 +02:00
|
|
|
bool retry;
|
|
|
|
|
do {
|
|
|
|
|
retry = false;
|
|
|
|
|
|
|
|
|
|
ClientAPI::Config config;
|
|
|
|
|
config.guiVersion = "cli 1.0";
|
2019-04-30 14:58:40 +02:00
|
|
|
#if defined(OPENVPN_PLATFORM_WIN)
|
|
|
|
|
int nargs = 0;
|
|
|
|
|
auto argvw = CommandLineToArgvW(GetCommandLineW(), &nargs);
|
|
|
|
|
UTF8 utf8(Win::utf8(argvw[nargs - 1]));
|
|
|
|
|
config.content = read_profile(utf8.get(), profile_content);
|
|
|
|
|
#else
|
2015-11-26 03:51:12 +01:00
|
|
|
config.content = read_profile(argv[0], profile_content);
|
2019-04-30 14:58:40 +02:00
|
|
|
#endif
|
2015-12-28 21:23:39 +01:00
|
|
|
for (int i = 1; i < argc; ++i)
|
|
|
|
|
{
|
|
|
|
|
config.content += argv[i];
|
|
|
|
|
config.content += '\n';
|
|
|
|
|
}
|
2015-05-10 23:39:57 +02:00
|
|
|
config.serverOverride = server;
|
2017-10-21 00:24:37 +02:00
|
|
|
config.portOverride = port;
|
2015-05-10 23:39:57 +02:00
|
|
|
config.protoOverride = proto;
|
|
|
|
|
config.connTimeout = timeout;
|
|
|
|
|
config.compressionMode = compress;
|
2016-02-05 20:16:20 +01:00
|
|
|
config.ipv6 = ipv6;
|
2015-05-10 23:39:57 +02:00
|
|
|
config.privateKeyPassword = privateKeyPassword;
|
|
|
|
|
config.tlsVersionMinOverride = tlsVersionMinOverride;
|
2017-02-28 19:50:28 +01:00
|
|
|
config.tlsCertProfileOverride = tlsCertProfileOverride;
|
2015-05-10 23:39:57 +02:00
|
|
|
config.disableClientCert = disableClientCert;
|
|
|
|
|
config.proxyHost = proxyHost;
|
|
|
|
|
config.proxyPort = proxyPort;
|
|
|
|
|
config.proxyUsername = proxyUsername;
|
|
|
|
|
config.proxyPassword = proxyPassword;
|
|
|
|
|
config.proxyAllowCleartextAuth = proxyAllowCleartextAuth;
|
|
|
|
|
config.altProxy = altProxy;
|
2015-06-17 09:48:33 +02:00
|
|
|
config.dco = dco;
|
2015-05-10 23:39:57 +02:00
|
|
|
config.defaultKeyDirection = defaultKeyDirection;
|
|
|
|
|
config.forceAesCbcCiphersuites = forceAesCbcCiphersuites;
|
2016-08-05 04:43:43 +02:00
|
|
|
config.sslDebugLevel = sslDebugLevel;
|
2015-05-10 23:39:57 +02:00
|
|
|
config.googleDnsFallback = googleDnsFallback;
|
2016-02-04 19:39:44 +01:00
|
|
|
config.autologinSessions = autologinSessions;
|
2018-02-06 22:12:58 +01:00
|
|
|
config.retryOnAuthFailed = retryOnAuthFailed;
|
2015-05-10 23:39:57 +02:00
|
|
|
config.tunPersist = tunPersist;
|
Added gremlin option to client, controllable via
ClientAPI::Config::gremlinConfig string.
The gremlin option allows extra packet latency
or unreliability to be added to the tunnel.
The format of the option is a comma-separated list
of numerical parameters:
send_delay_ms, recv_delay_ms, send_drop_prob, recv_drop_prob
Parameter description:
send_delay_ms : delay packets by n milliseconds before
transmission (UDP/TCP).
recv_delay_ms : delay received packets by n milliseconds
before processing them (UDP/TCP).
send_drop_prob : drop sent packets with probability 1/n
(UDP only).
recv_drop_prob : drop received packets with probability
1/n (UDP only).
Set any parameter to 0 to disable.
Gremlin parameters currently work with UDP and TCP
transport as documented above, but not for proxy transport.
Client must be built with the OPENVPN_GREMLIN flag to compile
gremlin functionality.
Command-line client can set the gremlin config
string using --gremlin or -G, for example:
--gremlin=250,250,64,64
When using the above parameters, an extra 500 milliseconds
will be added to round-trip latency, and 1/64 sent or
received packets will be dropped.
2016-01-26 08:27:11 +01:00
|
|
|
config.gremlinConfig = gremlin;
|
2016-05-11 01:53:09 +02:00
|
|
|
config.info = true;
|
2019-05-17 10:49:36 +02:00
|
|
|
config.wintun = wintun;
|
2019-09-07 06:14:32 +02:00
|
|
|
config.ssoMethods = "openurl";
|
2017-04-12 20:37:41 +02:00
|
|
|
#if defined(OPENVPN_OVPNCLI_SINGLE_THREAD)
|
|
|
|
|
config.clockTickMS = 250;
|
|
|
|
|
#endif
|
mbedTLS: Port from polarssl-1.3 to mbedtls-2.3 (functional)
This patch builds on work by David Sommerseth <davids@openvpn.net>
to move the PolarSSL API from polarssl-1.3 to mbedtls-2.3, which
has significant differences in some areas.
- Strings containing keys, certificates, CRLs, and DH parameters
need to be NULL-terminated and the length argument provided to
the corresponding mbedtls parse function must be able to read
the NULL-terminator. These places have been modified with a
'+1' to the length argument (x509cert.hpp, x509crl.hpp, dh.hpp,
pkctx.hpp).
- The SSL context object has been split up in mbedtls-2.3
Now many of the SSL configurations are done in a separate
SSL config object, which is added to the SSL context once
configured. In addition private/public keys are now stored
in a separate pk_context, which is later on attached to the
SSL context. Due to this, many of the calls setting either
SSL configuration parameters or working with pk_contexts have
been refactored. (sslctx.hpp)
- The older API loading the CA chain took a hostname argument.
The new API requires mbedtls_ssl_set_hostname() explicitly to
be called setting hostname. Some refactoring was needed here
too (sslctx.hpp).
- x509_oid_get_description() is now replaced by
mbedtls_oid_get_extended_key_usage().
- when mbedTLS renamed OID_CMP to MBEDTLS_OID_CMP, the return
value was changed so that a return value of 0 now means equal
rather than not-equal.
- mbedtls/platform.h must be loaded before any other mbedtls
include files (sslchoose.hpp).
- All functions and macros related to mbedTLS are now prefixed
with mbedtls_/MBEDTLS_
- Refactored External PKI and added some options to cli.cpp
to make it easier to test that the feature still works
correctly. This included removing the sig_type var and
standardizing on a PKCS#1 digest prefix per RFC 3447.
- Updated test keys to 2048 bits.
- Updated dependency build scripts to build mbedTLS.
- Enable MD4 in mbedTLS build script (needed for NTLM auth).
- Use an allow-all X509 cert profile to preserve compatibility
with older configs. Going forward, we will implement new
options to increase strictness on minimum RSA key size and
required cert signing algs.
- Added human-readable reason strings that explain why
a given cert in the chain wasn't accepted.
- This patch doesn't rename any files or rename internal
OpenVPN 3 symbols such as PolarSSLContext. This will
be done in a separate commit.
Signed-off-by: James Yonan <james@openvpn.net>
2017-02-23 23:20:31 +01:00
|
|
|
|
|
|
|
|
if (!epki_cert_fn.empty())
|
|
|
|
|
config.externalPkiAlias = "epki"; // dummy string
|
|
|
|
|
|
2015-09-22 04:42:24 +02:00
|
|
|
PeerInfo::Set::parse_csv(peer_info, config.peerInfo);
|
2015-05-10 23:39:57 +02:00
|
|
|
|
2018-01-27 10:14:48 +01:00
|
|
|
// allow -s server override to reference a friendly name
|
|
|
|
|
// in the config.
|
|
|
|
|
// setenv SERVER <HOST>/<FRIENDLY_NAME>
|
|
|
|
|
if (!config.serverOverride.empty())
|
|
|
|
|
{
|
|
|
|
|
const ClientAPI::EvalConfig eval = ClientAPI::OpenVPNClient::eval_config_static(config);
|
|
|
|
|
for (auto &se : eval.serverList)
|
|
|
|
|
{
|
|
|
|
|
if (config.serverOverride == se.friendlyName)
|
|
|
|
|
{
|
|
|
|
|
config.serverOverride = se.server;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-10 23:39:57 +02:00
|
|
|
if (eval)
|
|
|
|
|
{
|
2018-01-27 10:14:48 +01:00
|
|
|
const ClientAPI::EvalConfig eval = ClientAPI::OpenVPNClient::eval_config_static(config);
|
2015-05-10 23:39:57 +02:00
|
|
|
std::cout << "EVAL PROFILE" << std::endl;
|
|
|
|
|
std::cout << "error=" << eval.error << std::endl;
|
|
|
|
|
std::cout << "message=" << eval.message << std::endl;
|
|
|
|
|
std::cout << "userlockedUsername=" << eval.userlockedUsername << std::endl;
|
|
|
|
|
std::cout << "profileName=" << eval.profileName << std::endl;
|
|
|
|
|
std::cout << "friendlyName=" << eval.friendlyName << std::endl;
|
|
|
|
|
std::cout << "autologin=" << eval.autologin << std::endl;
|
|
|
|
|
std::cout << "externalPki=" << eval.externalPki << std::endl;
|
|
|
|
|
std::cout << "staticChallenge=" << eval.staticChallenge << std::endl;
|
|
|
|
|
std::cout << "staticChallengeEcho=" << eval.staticChallengeEcho << std::endl;
|
|
|
|
|
std::cout << "privateKeyPasswordRequired=" << eval.privateKeyPasswordRequired << std::endl;
|
|
|
|
|
std::cout << "allowPasswordSave=" << eval.allowPasswordSave << std::endl;
|
|
|
|
|
|
2018-01-27 10:14:48 +01:00
|
|
|
if (!config.serverOverride.empty())
|
|
|
|
|
std::cout << "server=" << config.serverOverride << std::endl;
|
|
|
|
|
|
2015-05-10 23:39:57 +02:00
|
|
|
for (size_t i = 0; i < eval.serverList.size(); ++i)
|
|
|
|
|
{
|
|
|
|
|
const ClientAPI::ServerEntry& se = eval.serverList[i];
|
|
|
|
|
std::cout << '[' << i << "] " << se.server << '/' << se.friendlyName << std::endl;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
2018-11-10 16:31:58 +01:00
|
|
|
#if defined(USE_NETCFG)
|
|
|
|
|
DBus conn(G_BUS_TYPE_SYSTEM);
|
|
|
|
|
conn.Connect();
|
|
|
|
|
NetCfgTunBuilder<Client> client(conn.GetConnection());
|
|
|
|
|
#else
|
2015-05-10 23:39:57 +02:00
|
|
|
Client client;
|
2018-11-10 16:31:58 +01:00
|
|
|
#endif
|
2018-01-27 10:14:48 +01:00
|
|
|
const ClientAPI::EvalConfig eval = client.eval_config(config);
|
2015-05-10 23:39:57 +02:00
|
|
|
if (eval.error)
|
|
|
|
|
OPENVPN_THROW_EXCEPTION("eval config error: " << eval.message);
|
|
|
|
|
if (eval.autologin)
|
|
|
|
|
{
|
|
|
|
|
if (!username.empty() || !password.empty())
|
|
|
|
|
std::cout << "NOTE: creds were not needed" << std::endl;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
if (username.empty())
|
|
|
|
|
OPENVPN_THROW_EXCEPTION("need creds");
|
|
|
|
|
ClientAPI::ProvideCreds creds;
|
|
|
|
|
if (password.empty() && dynamicChallengeCookie.empty())
|
|
|
|
|
password = get_password("Password:");
|
|
|
|
|
creds.username = username;
|
|
|
|
|
creds.password = password;
|
|
|
|
|
creds.response = response;
|
|
|
|
|
creds.dynamicChallengeCookie = dynamicChallengeCookie;
|
|
|
|
|
creds.replacePasswordWithSessionID = true;
|
|
|
|
|
creds.cachePassword = cachePassword;
|
|
|
|
|
ClientAPI::Status creds_status = client.provide_creds(creds);
|
|
|
|
|
if (creds_status.error)
|
|
|
|
|
OPENVPN_THROW_EXCEPTION("creds error: " << creds_status.message);
|
|
|
|
|
}
|
|
|
|
|
|
mbedTLS: Port from polarssl-1.3 to mbedtls-2.3 (functional)
This patch builds on work by David Sommerseth <davids@openvpn.net>
to move the PolarSSL API from polarssl-1.3 to mbedtls-2.3, which
has significant differences in some areas.
- Strings containing keys, certificates, CRLs, and DH parameters
need to be NULL-terminated and the length argument provided to
the corresponding mbedtls parse function must be able to read
the NULL-terminator. These places have been modified with a
'+1' to the length argument (x509cert.hpp, x509crl.hpp, dh.hpp,
pkctx.hpp).
- The SSL context object has been split up in mbedtls-2.3
Now many of the SSL configurations are done in a separate
SSL config object, which is added to the SSL context once
configured. In addition private/public keys are now stored
in a separate pk_context, which is later on attached to the
SSL context. Due to this, many of the calls setting either
SSL configuration parameters or working with pk_contexts have
been refactored. (sslctx.hpp)
- The older API loading the CA chain took a hostname argument.
The new API requires mbedtls_ssl_set_hostname() explicitly to
be called setting hostname. Some refactoring was needed here
too (sslctx.hpp).
- x509_oid_get_description() is now replaced by
mbedtls_oid_get_extended_key_usage().
- when mbedTLS renamed OID_CMP to MBEDTLS_OID_CMP, the return
value was changed so that a return value of 0 now means equal
rather than not-equal.
- mbedtls/platform.h must be loaded before any other mbedtls
include files (sslchoose.hpp).
- All functions and macros related to mbedTLS are now prefixed
with mbedtls_/MBEDTLS_
- Refactored External PKI and added some options to cli.cpp
to make it easier to test that the feature still works
correctly. This included removing the sig_type var and
standardizing on a PKCS#1 digest prefix per RFC 3447.
- Updated test keys to 2048 bits.
- Updated dependency build scripts to build mbedTLS.
- Enable MD4 in mbedTLS build script (needed for NTLM auth).
- Use an allow-all X509 cert profile to preserve compatibility
with older configs. Going forward, we will implement new
options to increase strictness on minimum RSA key size and
required cert signing algs.
- Added human-readable reason strings that explain why
a given cert in the chain wasn't accepted.
- This patch doesn't rename any files or rename internal
OpenVPN 3 symbols such as PolarSSLContext. This will
be done in a separate commit.
Signed-off-by: James Yonan <james@openvpn.net>
2017-02-23 23:20:31 +01:00
|
|
|
// external PKI
|
|
|
|
|
if (!epki_cert_fn.empty())
|
|
|
|
|
{
|
|
|
|
|
client.epki_cert = read_text_utf8(epki_cert_fn);
|
|
|
|
|
if (!epki_ca_fn.empty())
|
|
|
|
|
client.epki_ca = read_text_utf8(epki_ca_fn);
|
2017-02-24 00:59:51 +01:00
|
|
|
#if defined(USE_MBEDTLS)
|
mbedTLS: Port from polarssl-1.3 to mbedtls-2.3 (functional)
This patch builds on work by David Sommerseth <davids@openvpn.net>
to move the PolarSSL API from polarssl-1.3 to mbedtls-2.3, which
has significant differences in some areas.
- Strings containing keys, certificates, CRLs, and DH parameters
need to be NULL-terminated and the length argument provided to
the corresponding mbedtls parse function must be able to read
the NULL-terminator. These places have been modified with a
'+1' to the length argument (x509cert.hpp, x509crl.hpp, dh.hpp,
pkctx.hpp).
- The SSL context object has been split up in mbedtls-2.3
Now many of the SSL configurations are done in a separate
SSL config object, which is added to the SSL context once
configured. In addition private/public keys are now stored
in a separate pk_context, which is later on attached to the
SSL context. Due to this, many of the calls setting either
SSL configuration parameters or working with pk_contexts have
been refactored. (sslctx.hpp)
- The older API loading the CA chain took a hostname argument.
The new API requires mbedtls_ssl_set_hostname() explicitly to
be called setting hostname. Some refactoring was needed here
too (sslctx.hpp).
- x509_oid_get_description() is now replaced by
mbedtls_oid_get_extended_key_usage().
- when mbedTLS renamed OID_CMP to MBEDTLS_OID_CMP, the return
value was changed so that a return value of 0 now means equal
rather than not-equal.
- mbedtls/platform.h must be loaded before any other mbedtls
include files (sslchoose.hpp).
- All functions and macros related to mbedTLS are now prefixed
with mbedtls_/MBEDTLS_
- Refactored External PKI and added some options to cli.cpp
to make it easier to test that the feature still works
correctly. This included removing the sig_type var and
standardizing on a PKCS#1 digest prefix per RFC 3447.
- Updated test keys to 2048 bits.
- Updated dependency build scripts to build mbedTLS.
- Enable MD4 in mbedTLS build script (needed for NTLM auth).
- Use an allow-all X509 cert profile to preserve compatibility
with older configs. Going forward, we will implement new
options to increase strictness on minimum RSA key size and
required cert signing algs.
- Added human-readable reason strings that explain why
a given cert in the chain wasn't accepted.
- This patch doesn't rename any files or rename internal
OpenVPN 3 symbols such as PolarSSLContext. This will
be done in a separate commit.
Signed-off-by: James Yonan <james@openvpn.net>
2017-02-23 23:20:31 +01:00
|
|
|
if (!epki_key_fn.empty())
|
|
|
|
|
{
|
|
|
|
|
const std::string epki_key_txt = read_text_utf8(epki_key_fn);
|
|
|
|
|
client.epki_ctx.parse(epki_key_txt, "EPKI", privateKeyPassword);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
OPENVPN_THROW_EXCEPTION("--epki-key must be specified");
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
2018-03-11 00:01:46 +01:00
|
|
|
#ifdef OPENVPN_REMOTE_OVERRIDE
|
|
|
|
|
client.set_remote_override_cmd(remote_override_cmd);
|
|
|
|
|
#endif
|
|
|
|
|
|
2015-05-10 23:39:57 +02:00
|
|
|
std::cout << "CONNECTING..." << std::endl;
|
2013-06-14 02:34:49 +02:00
|
|
|
|
2017-04-12 20:37:41 +02:00
|
|
|
// start the client thread
|
|
|
|
|
start_thread(client);
|
2013-06-14 02:34:49 +02:00
|
|
|
|
2015-05-10 23:39:57 +02:00
|
|
|
// Get dynamic challenge response
|
|
|
|
|
if (client.is_dynamic_challenge())
|
|
|
|
|
{
|
|
|
|
|
std::cout << "ENTER RESPONSE" << std::endl;
|
|
|
|
|
std::getline(std::cin, response);
|
|
|
|
|
if (!response.empty())
|
|
|
|
|
{
|
|
|
|
|
dynamicChallengeCookie = client.dynamic_challenge_cookie();
|
|
|
|
|
retry = true;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
// print closing stats
|
2017-04-12 20:37:41 +02:00
|
|
|
client.print_stats();
|
2015-05-10 23:39:57 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
} while (retry);
|
2012-11-15 23:48:13 +01:00
|
|
|
}
|
2012-09-10 01:10:20 +02:00
|
|
|
}
|
|
|
|
|
else
|
2015-11-26 03:51:12 +01:00
|
|
|
throw usage();
|
|
|
|
|
}
|
|
|
|
|
catch (const usage&)
|
|
|
|
|
{
|
|
|
|
|
std::cout << "OpenVPN Client (ovpncli)" << std::endl;
|
2015-12-28 21:23:39 +01:00
|
|
|
std::cout << "usage: cli [options] <config-file> [extra-config-directives...]" << std::endl;
|
2017-11-05 19:44:47 +01:00
|
|
|
std::cout << "--version, -v : show version info" << std::endl;
|
|
|
|
|
std::cout << "--eval, -e : evaluate profile only (standalone)" << std::endl;
|
|
|
|
|
std::cout << "--merge, -m : merge profile into unified format (standalone)" << std::endl;
|
|
|
|
|
std::cout << "--username, -u : username" << std::endl;
|
|
|
|
|
std::cout << "--password, -p : password" << std::endl;
|
|
|
|
|
std::cout << "--response, -r : static response" << std::endl;
|
|
|
|
|
std::cout << "--dc, -D : dynamic challenge/response cookie" << std::endl;
|
|
|
|
|
std::cout << "--proto, -P : protocol override (udp|tcp)" << std::endl;
|
|
|
|
|
std::cout << "--server, -s : server override" << std::endl;
|
|
|
|
|
std::cout << "--port, -R : port override" << std::endl;
|
2018-03-11 00:01:46 +01:00
|
|
|
#ifdef OPENVPN_REMOTE_OVERRIDE
|
|
|
|
|
std::cout << "--remote-override : command to run to generate next remote (returning host,ip,port,proto)" << std::endl;
|
|
|
|
|
#endif
|
2017-11-05 19:44:47 +01:00
|
|
|
std::cout << "--ipv6, -6 : IPv6 (yes|no|default)" << std::endl;
|
|
|
|
|
std::cout << "--timeout, -t : timeout" << std::endl;
|
|
|
|
|
std::cout << "--compress, -c : compression mode (yes|no|asym)" << std::endl;
|
|
|
|
|
std::cout << "--pk-password, -z : private key password" << std::endl;
|
|
|
|
|
std::cout << "--tvm-override, -M : tls-version-min override (disabled, default, tls_1_x)" << std::endl;
|
|
|
|
|
std::cout << "--tcprof-override, -X : tls-cert-profile override (" <<
|
2017-12-06 08:02:20 +01:00
|
|
|
#ifdef OPENVPN_USE_TLS_MD5
|
2017-11-05 19:44:47 +01:00
|
|
|
"insecure, " <<
|
|
|
|
|
#endif
|
|
|
|
|
"legacy, preferred, etc.)" << std::endl;
|
|
|
|
|
std::cout << "--proxy-host, -h : HTTP proxy hostname/IP" << std::endl;
|
|
|
|
|
std::cout << "--proxy-port, -q : HTTP proxy port" << std::endl;
|
|
|
|
|
std::cout << "--proxy-username, -U : HTTP proxy username" << std::endl;
|
|
|
|
|
std::cout << "--proxy-password, -W : HTTP proxy password" << std::endl;
|
|
|
|
|
std::cout << "--proxy-basic, -B : allow HTTP basic auth" << std::endl;
|
|
|
|
|
std::cout << "--alt-proxy, -A : enable alternative proxy module" << std::endl;
|
|
|
|
|
std::cout << "--dco, -d : enable data channel offload" << std::endl;
|
|
|
|
|
std::cout << "--cache-password, -C : cache password" << std::endl;
|
|
|
|
|
std::cout << "--no-cert, -x : disable client certificate" << std::endl;
|
|
|
|
|
std::cout << "--def-keydir, -k : default key direction ('bi', '0', or '1')" << std::endl;
|
|
|
|
|
std::cout << "--force-aes-cbc, -f : force AES-CBC ciphersuites" << std::endl;
|
|
|
|
|
std::cout << "--ssl-debug : SSL debug level" << std::endl;
|
|
|
|
|
std::cout << "--google-dns, -g : enable Google DNS fallback" << std::endl;
|
|
|
|
|
std::cout << "--auto-sess, -a : request autologin session" << std::endl;
|
2018-02-06 22:12:58 +01:00
|
|
|
std::cout << "--auth-retry, -Y : retry connection on auth failure" << std::endl;
|
2017-11-05 19:44:47 +01:00
|
|
|
std::cout << "--persist-tun, -j : keep TUN interface open across reconnects" << std::endl;
|
2019-05-17 10:49:36 +02:00
|
|
|
std::cout << "--wintun, -w : use WinTun instead of TAP-Windows6 on Windows" << std::endl;
|
2017-11-05 19:44:47 +01:00
|
|
|
std::cout << "--peer-info, -I : peer info key/value list in the form K1=V1,K2=V2,..." << std::endl;
|
|
|
|
|
std::cout << "--gremlin, -G : gremlin info (send_delay_ms, recv_delay_ms, send_drop_prob, recv_drop_prob)" << std::endl;
|
|
|
|
|
std::cout << "--epki-ca : simulate external PKI cert supporting intermediate/root certs" << std::endl;
|
|
|
|
|
std::cout << "--epki-cert : simulate external PKI cert" << std::endl;
|
|
|
|
|
std::cout << "--epki-key : simulate external PKI private key" << std::endl;
|
2015-11-26 03:51:12 +01:00
|
|
|
ret = 2;
|
|
|
|
|
}
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#ifndef OPENVPN_OVPNCLI_OMIT_MAIN
|
|
|
|
|
|
|
|
|
|
int main(int argc, char *argv[])
|
|
|
|
|
{
|
|
|
|
|
int ret = 0;
|
|
|
|
|
|
|
|
|
|
#ifdef OPENVPN_LOG_LOGBASE_H
|
|
|
|
|
LogBaseSimple log;
|
|
|
|
|
#endif
|
|
|
|
|
|
2019-05-06 16:09:23 +02:00
|
|
|
#if defined(OPENVPN_PLATFORM_WIN)
|
|
|
|
|
SetConsoleOutputCP(CP_UTF8);
|
|
|
|
|
#endif
|
|
|
|
|
|
2015-11-26 03:51:12 +01:00
|
|
|
try {
|
|
|
|
|
Client::init_process();
|
|
|
|
|
ret = openvpn_client(argc, argv, nullptr);
|
2012-09-10 01:10:20 +02:00
|
|
|
}
|
|
|
|
|
catch (const std::exception& e)
|
|
|
|
|
{
|
2012-09-15 08:56:18 +02:00
|
|
|
std::cout << "Main thread exception: " << e.what() << std::endl;
|
2014-08-11 00:44:09 +02:00
|
|
|
ret = 1;
|
2013-06-14 02:34:49 +02:00
|
|
|
}
|
2014-08-11 00:44:09 +02:00
|
|
|
Client::uninit_process();
|
|
|
|
|
return ret;
|
2012-09-10 01:10:20 +02:00
|
|
|
}
|
2015-11-26 03:51:12 +01:00
|
|
|
|
|
|
|
|
#endif
|