2014-07-21 05:22:06 +02:00
|
|
|
// OpenVPN -- An application to securely tunnel IP networks
|
|
|
|
|
// over a single port, with support for SSL/TLS-based
|
|
|
|
|
// session authentication and key exchange,
|
|
|
|
|
// packet encryption, packet authentication, and
|
|
|
|
|
// packet compression.
|
2012-08-24 23:13:42 +02:00
|
|
|
//
|
2017-03-18 20:11:09 +01:00
|
|
|
// Copyright (C) 2012-2017 OpenVPN Technologies, Inc.
|
2012-08-24 23:13:42 +02:00
|
|
|
//
|
2014-07-21 05:22:06 +02:00
|
|
|
// This program is free software: you can redistribute it and/or modify
|
2017-03-16 09:41:16 +01:00
|
|
|
// it under the terms of the GNU General Public License Version 3
|
2014-07-21 05:22:06 +02:00
|
|
|
// as published by the Free Software Foundation.
|
2012-08-24 23:13:42 +02:00
|
|
|
//
|
2014-07-21 05:22:06 +02:00
|
|
|
// This program is distributed in the hope that it will be useful,
|
|
|
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
2017-03-16 09:41:16 +01:00
|
|
|
// GNU General Public License for more details.
|
2014-07-21 05:22:06 +02:00
|
|
|
//
|
2017-03-16 09:41:16 +01:00
|
|
|
// You should have received a copy of the GNU General Public License
|
2014-07-21 05:22:06 +02:00
|
|
|
// along with this program in the COPYING file.
|
|
|
|
|
// If not, see <http://www.gnu.org/licenses/>.
|
2012-08-24 23:13:42 +02:00
|
|
|
|
2012-05-23 15:50:41 +02:00
|
|
|
// API for OpenVPN Client, may be used standalone or wrapped by swig.
|
|
|
|
|
// Use ovpncli.i to wrap the API for swig.
|
2012-03-01 09:11:00 +01:00
|
|
|
// The crux of the API is defined in OpenVPNClient (below)
|
|
|
|
|
// and TunBuilderBase.
|
2012-02-25 08:37:31 +01:00
|
|
|
|
2012-02-19 18:43:42 +01:00
|
|
|
#include <string>
|
2012-03-01 09:11:00 +01:00
|
|
|
#include <vector>
|
2016-11-20 18:57:57 +01:00
|
|
|
#include <utility>
|
2012-02-19 18:43:42 +01:00
|
|
|
|
|
|
|
|
#include <openvpn/tun/builder/base.hpp>
|
2017-04-13 21:28:34 +02:00
|
|
|
#include <openvpn/tun/extern/fw.hpp>
|
2012-03-06 07:06:54 +01:00
|
|
|
#include <openvpn/pki/epkibase.hpp>
|
2017-10-09 15:59:46 +02:00
|
|
|
#include <openvpn/transport/client/extern/fw.hpp>
|
2012-02-19 18:43:42 +01:00
|
|
|
|
2012-02-11 15:02:51 +01:00
|
|
|
namespace openvpn {
|
2012-02-15 15:45:55 +01:00
|
|
|
class OptionList;
|
2012-11-12 02:52:03 +01:00
|
|
|
class ProfileMerge;
|
2016-06-27 07:00:37 +02:00
|
|
|
class Stop;
|
2012-02-11 15:02:51 +01:00
|
|
|
|
2012-02-15 15:45:55 +01:00
|
|
|
namespace ClientAPI {
|
2012-03-01 09:11:00 +01:00
|
|
|
// Represents an OpenVPN server and its friendly name
|
2012-05-25 19:54:53 +02:00
|
|
|
// (client reads)
|
2012-10-18 14:24:14 +02:00
|
|
|
struct ServerEntry
|
|
|
|
|
{
|
2012-03-01 09:11:00 +01:00
|
|
|
std::string server;
|
|
|
|
|
std::string friendlyName;
|
|
|
|
|
};
|
|
|
|
|
|
2012-02-15 15:45:55 +01:00
|
|
|
// return properties of config
|
2012-05-25 19:54:53 +02:00
|
|
|
// (client reads)
|
2012-02-15 15:45:55 +01:00
|
|
|
struct EvalConfig
|
2012-02-11 15:02:51 +01:00
|
|
|
{
|
2012-02-25 08:37:31 +01:00
|
|
|
// true if error
|
2016-02-04 00:30:02 +01:00
|
|
|
bool error = false;
|
2012-02-25 08:37:31 +01:00
|
|
|
|
|
|
|
|
// if error, message given here
|
|
|
|
|
std::string message;
|
|
|
|
|
|
2012-03-01 09:11:00 +01:00
|
|
|
// this username must be used with profile
|
|
|
|
|
std::string userlockedUsername;
|
|
|
|
|
|
|
|
|
|
// profile name of config
|
|
|
|
|
std::string profileName;
|
|
|
|
|
|
|
|
|
|
// "friendly" name of config
|
|
|
|
|
std::string friendlyName;
|
|
|
|
|
|
2012-02-25 08:37:31 +01:00
|
|
|
// true: no creds required, false: username/password required
|
2016-02-04 00:30:02 +01:00
|
|
|
bool autologin = false;
|
2012-02-25 08:37:31 +01:00
|
|
|
|
2012-03-05 00:05:26 +01:00
|
|
|
// if true, this is an External PKI profile (no cert or key directives)
|
2016-02-04 00:30:02 +01:00
|
|
|
bool externalPki = false;
|
2012-03-05 00:05:26 +01:00
|
|
|
|
2012-02-25 08:37:31 +01:00
|
|
|
// static challenge, may be empty, ignored if autologin
|
|
|
|
|
std::string staticChallenge;
|
2012-02-15 15:45:55 +01:00
|
|
|
|
2012-02-25 08:37:31 +01:00
|
|
|
// true if static challenge response should be echoed to UI, ignored if autologin
|
2016-02-04 00:30:02 +01:00
|
|
|
bool staticChallengeEcho = false;
|
2012-03-01 09:11:00 +01:00
|
|
|
|
2012-11-15 23:48:13 +01:00
|
|
|
// true if this profile requires a private key password
|
2016-02-04 00:30:02 +01:00
|
|
|
bool privateKeyPasswordRequired = false;
|
2012-11-15 23:48:13 +01:00
|
|
|
|
2012-11-18 09:55:27 +01:00
|
|
|
// true if user is allowed to save authentication password in UI
|
2016-02-04 00:30:02 +01:00
|
|
|
bool allowPasswordSave = false;
|
2012-11-18 09:55:27 +01:00
|
|
|
|
2016-03-28 08:29:16 +02:00
|
|
|
// information about the first remote item in config
|
|
|
|
|
std::string remoteHost; // will be overridden by Config::serverOverride if defined
|
|
|
|
|
std::string remotePort;
|
|
|
|
|
std::string remoteProto;
|
|
|
|
|
|
2012-03-01 09:11:00 +01:00
|
|
|
// optional list of user-selectable VPN servers
|
|
|
|
|
std::vector<ServerEntry> serverList;
|
2012-02-11 15:02:51 +01:00
|
|
|
};
|
|
|
|
|
|
2012-08-21 23:32:51 +02:00
|
|
|
// used to pass credentials to VPN core
|
2012-05-25 19:54:53 +02:00
|
|
|
// (client writes)
|
2012-02-11 15:02:51 +01:00
|
|
|
struct ProvideCreds
|
|
|
|
|
{
|
|
|
|
|
std::string username;
|
|
|
|
|
std::string password;
|
2012-02-28 00:00:29 +01:00
|
|
|
|
2012-03-01 09:11:00 +01:00
|
|
|
// response to challenge
|
|
|
|
|
std::string response;
|
|
|
|
|
|
2012-07-01 17:37:46 +02:00
|
|
|
// Dynamic challenge/response cookie
|
2012-03-03 03:56:58 +01:00
|
|
|
std::string dynamicChallengeCookie;
|
2012-02-28 00:00:29 +01:00
|
|
|
|
|
|
|
|
// If true, on successful connect, we will replace the password
|
2014-01-08 05:32:37 +01:00
|
|
|
// with the session ID we receive from the server (if provided).
|
|
|
|
|
// If false, the password will be cached for future reconnects
|
|
|
|
|
// and will not be replaced with a session ID, even if the
|
|
|
|
|
// server provides one.
|
2016-02-04 00:30:02 +01:00
|
|
|
bool replacePasswordWithSessionID = false;
|
2013-01-25 03:34:20 +01:00
|
|
|
|
2014-01-08 05:32:37 +01:00
|
|
|
// If true, and if replacePasswordWithSessionID is true, and if
|
|
|
|
|
// we actually receive a session ID from the server, cache
|
|
|
|
|
// the user-provided password for future use before replacing
|
|
|
|
|
// the active password with the session ID.
|
2016-02-04 00:30:02 +01:00
|
|
|
bool cachePassword = false;
|
2012-02-11 15:02:51 +01:00
|
|
|
};
|
|
|
|
|
|
2012-08-21 23:32:51 +02:00
|
|
|
// used to get session token from VPN core
|
|
|
|
|
// (client reads)
|
|
|
|
|
struct SessionToken
|
|
|
|
|
{
|
|
|
|
|
std::string username;
|
|
|
|
|
std::string session_id; // an OpenVPN Session ID, used as a proxy for password
|
|
|
|
|
};
|
|
|
|
|
|
2012-05-25 19:54:53 +02:00
|
|
|
// used to query challenge/response from user
|
|
|
|
|
// (client reads)
|
2012-03-03 03:56:58 +01:00
|
|
|
struct DynamicChallenge
|
|
|
|
|
{
|
|
|
|
|
std::string challenge;
|
2016-02-04 00:30:02 +01:00
|
|
|
bool echo = false;
|
|
|
|
|
bool responseRequired = false;
|
2015-05-10 23:39:57 +02:00
|
|
|
|
|
|
|
|
std::string stateID;
|
2012-03-03 03:56:58 +01:00
|
|
|
};
|
|
|
|
|
|
Initial Apple VPN-On-Demand implementation:
* VoD profiles can be defined using the iPhone Configuration utility:
1. Connection Type should be set to Custom SSL
2. Identifier should be set to net.openvpn.OpenVPN-Connect.vpnplugin
3. Server can be set to a hostname, or "DEFAULT" to use the
hostname(s) from the OpenVPN configuration.
4. User Authentication should be set to Certificate, and the client
certificate+key should be attached as a PKCS#12 file.
5. VPN On Demand should be enabled and match entries should be
defined.
In addition, the OpenVPN client configuration file may be defined
via key/value pairs:
1. VoD requires an autologin profile.
2. Define each OpenVPN directive as a key, with arguments
specified as the value.
3. For Access server meta-directives such as
OVPN_ACCESS_SERVER_USERNAME, remove the "OVPN_ACCESS_SERVER_"
prefix, giving USERNAME as the directive.
4. If no arguments are present, use "NOARGS" as the value.
5. If multiple instances of the same directive are present,
number the directives in the order they should be processed by
appending .<n> to the directive, where n is an integer,
such as remote.1 or remote.2
6. For multi-line directives such as <ca> and <tls-auth>, you must
convert the multi-line argument to a single line by specifying
line breaks as \n -- also note that because of
this escaping model, you must use \\ to pass backslash itself.
* VoD profiles are recognized and listed by the app.
* The app can disconnect but not connect a VoD profile.
* Most app-level functionality such as logging and preferences
work correctly for VoD profiles.
Core changes:
* Added support for key-direction parameter in core.
2012-11-06 18:50:30 +01:00
|
|
|
// a basic key/value pair, used in Config below when OpenVPN profile is
|
|
|
|
|
// passed as a dictionary
|
|
|
|
|
struct KeyValue
|
|
|
|
|
{
|
2015-09-22 04:42:24 +02:00
|
|
|
KeyValue() {}
|
|
|
|
|
|
2016-11-20 18:57:57 +01:00
|
|
|
KeyValue(std::string key_arg, std::string value_arg)
|
|
|
|
|
: key(std::move(key_arg)),
|
|
|
|
|
value(std::move(value_arg)) {}
|
2015-09-22 04:42:24 +02:00
|
|
|
|
Initial Apple VPN-On-Demand implementation:
* VoD profiles can be defined using the iPhone Configuration utility:
1. Connection Type should be set to Custom SSL
2. Identifier should be set to net.openvpn.OpenVPN-Connect.vpnplugin
3. Server can be set to a hostname, or "DEFAULT" to use the
hostname(s) from the OpenVPN configuration.
4. User Authentication should be set to Certificate, and the client
certificate+key should be attached as a PKCS#12 file.
5. VPN On Demand should be enabled and match entries should be
defined.
In addition, the OpenVPN client configuration file may be defined
via key/value pairs:
1. VoD requires an autologin profile.
2. Define each OpenVPN directive as a key, with arguments
specified as the value.
3. For Access server meta-directives such as
OVPN_ACCESS_SERVER_USERNAME, remove the "OVPN_ACCESS_SERVER_"
prefix, giving USERNAME as the directive.
4. If no arguments are present, use "NOARGS" as the value.
5. If multiple instances of the same directive are present,
number the directives in the order they should be processed by
appending .<n> to the directive, where n is an integer,
such as remote.1 or remote.2
6. For multi-line directives such as <ca> and <tls-auth>, you must
convert the multi-line argument to a single line by specifying
line breaks as \n -- also note that because of
this escaping model, you must use \\ to pass backslash itself.
* VoD profiles are recognized and listed by the app.
* The app can disconnect but not connect a VoD profile.
* Most app-level functionality such as logging and preferences
work correctly for VoD profiles.
Core changes:
* Added support for key-direction parameter in core.
2012-11-06 18:50:30 +01:00
|
|
|
std::string key;
|
|
|
|
|
std::string value;
|
|
|
|
|
};
|
|
|
|
|
|
2012-02-11 15:02:51 +01:00
|
|
|
// OpenVPN config-file/profile
|
2012-05-25 19:54:53 +02:00
|
|
|
// (client writes)
|
2012-02-11 15:02:51 +01:00
|
|
|
struct Config
|
|
|
|
|
{
|
2012-10-18 14:24:14 +02:00
|
|
|
// OpenVPN profile as a string
|
2012-02-11 15:02:51 +01:00
|
|
|
std::string content;
|
2012-03-03 12:09:05 +01:00
|
|
|
|
Initial Apple VPN-On-Demand implementation:
* VoD profiles can be defined using the iPhone Configuration utility:
1. Connection Type should be set to Custom SSL
2. Identifier should be set to net.openvpn.OpenVPN-Connect.vpnplugin
3. Server can be set to a hostname, or "DEFAULT" to use the
hostname(s) from the OpenVPN configuration.
4. User Authentication should be set to Certificate, and the client
certificate+key should be attached as a PKCS#12 file.
5. VPN On Demand should be enabled and match entries should be
defined.
In addition, the OpenVPN client configuration file may be defined
via key/value pairs:
1. VoD requires an autologin profile.
2. Define each OpenVPN directive as a key, with arguments
specified as the value.
3. For Access server meta-directives such as
OVPN_ACCESS_SERVER_USERNAME, remove the "OVPN_ACCESS_SERVER_"
prefix, giving USERNAME as the directive.
4. If no arguments are present, use "NOARGS" as the value.
5. If multiple instances of the same directive are present,
number the directives in the order they should be processed by
appending .<n> to the directive, where n is an integer,
such as remote.1 or remote.2
6. For multi-line directives such as <ca> and <tls-auth>, you must
convert the multi-line argument to a single line by specifying
line breaks as \n -- also note that because of
this escaping model, you must use \\ to pass backslash itself.
* VoD profiles are recognized and listed by the app.
* The app can disconnect but not connect a VoD profile.
* Most app-level functionality such as logging and preferences
work correctly for VoD profiles.
Core changes:
* Added support for key-direction parameter in core.
2012-11-06 18:50:30 +01:00
|
|
|
// OpenVPN profile as series of key/value pairs (may be provided exclusively
|
|
|
|
|
// or in addition to content string above).
|
|
|
|
|
std::vector<KeyValue> contentList;
|
|
|
|
|
|
2014-01-07 19:49:48 +01:00
|
|
|
// Set to identity OpenVPN GUI version.
|
|
|
|
|
// Format should be "<gui_identifier><space><version>"
|
2014-01-09 22:30:12 +01:00
|
|
|
// Passed to server as IV_GUI_VER.
|
2014-01-07 19:49:48 +01:00
|
|
|
std::string guiVersion;
|
|
|
|
|
|
2012-10-24 08:38:20 +02:00
|
|
|
// Use a different server than that specified in "remote"
|
2012-10-18 14:24:14 +02:00
|
|
|
// option of profile
|
2012-03-03 12:09:05 +01:00
|
|
|
std::string serverOverride;
|
|
|
|
|
|
2017-10-21 00:24:37 +02:00
|
|
|
// Use a different port than that specified in "remote"
|
|
|
|
|
// option of profile
|
|
|
|
|
std::string portOverride;
|
|
|
|
|
|
2012-10-24 08:38:20 +02:00
|
|
|
// Force a given transport protocol
|
2012-11-07 23:03:10 +01:00
|
|
|
// Should be tcp, udp, or adaptive.
|
2012-03-03 12:09:05 +01:00
|
|
|
std::string protoOverride;
|
2012-03-05 00:05:26 +01:00
|
|
|
|
2016-02-05 20:16:20 +01:00
|
|
|
// IPv6 preference
|
|
|
|
|
// no -- disable IPv6, so tunnel will be IPv4-only
|
|
|
|
|
// yes -- request combined IPv4/IPv6 tunnel
|
|
|
|
|
// default (or empty string) -- leave decision to server
|
|
|
|
|
std::string ipv6;
|
|
|
|
|
|
2012-03-07 12:21:09 +01:00
|
|
|
// Connection timeout in seconds, or 0 to retry indefinitely
|
2016-02-04 00:30:02 +01:00
|
|
|
int connTimeout = 0;
|
2012-03-07 12:21:09 +01:00
|
|
|
|
2012-10-21 11:43:03 +02:00
|
|
|
// Keep tun interface active during pauses or reconnections
|
2016-02-04 00:30:02 +01:00
|
|
|
bool tunPersist = false;
|
2012-10-21 11:43:03 +02:00
|
|
|
|
2012-10-24 14:37:24 +02:00
|
|
|
// If true and a redirect-gateway profile doesn't also define
|
|
|
|
|
// DNS servers, use the standard Google DNS servers.
|
2016-02-04 00:30:02 +01:00
|
|
|
bool googleDnsFallback = false;
|
2012-10-24 14:37:24 +02:00
|
|
|
|
2017-10-09 14:03:55 +02:00
|
|
|
// if true, do synchronous DNS lookup.
|
|
|
|
|
bool synchronousDnsLookup = false;
|
|
|
|
|
|
2016-02-04 19:39:44 +01:00
|
|
|
// Enable autologin sessions
|
2016-04-14 20:29:04 +02:00
|
|
|
bool autologinSessions = true;
|
2016-02-04 19:39:44 +01:00
|
|
|
|
2012-03-06 07:06:54 +01:00
|
|
|
// An ID used for get-certificate and RSA signing callbacks
|
2012-03-05 00:05:26 +01:00
|
|
|
// for External PKI profiles.
|
|
|
|
|
std::string externalPkiAlias;
|
2012-09-05 03:09:34 +02:00
|
|
|
|
2013-01-24 14:34:17 +01:00
|
|
|
// If true, don't send client cert/key to peer.
|
2016-02-04 00:30:02 +01:00
|
|
|
bool disableClientCert = false;
|
2013-01-24 14:34:17 +01:00
|
|
|
|
2016-08-05 04:43:43 +02:00
|
|
|
// SSL library debug level
|
|
|
|
|
int sslDebugLevel = 0;
|
|
|
|
|
|
2012-09-08 03:36:54 +02:00
|
|
|
// Compression mode, one of:
|
2012-09-09 01:02:09 +02:00
|
|
|
// yes -- allow compression on both uplink and downlink
|
|
|
|
|
// asym -- allow compression on downlink only (i.e. server -> client)
|
2012-09-08 03:36:54 +02:00
|
|
|
// no (default if empty) -- support compression stubs only
|
|
|
|
|
std::string compressionMode;
|
2012-10-24 08:38:20 +02:00
|
|
|
|
2012-11-15 23:48:13 +01:00
|
|
|
// private key password (optional)
|
|
|
|
|
std::string privateKeyPassword;
|
|
|
|
|
|
2013-01-28 02:11:28 +01:00
|
|
|
// Default key direction parameter for tls-auth (0, 1, or
|
|
|
|
|
// -1 (bidirectional -- default)) if no key-direction parameter
|
|
|
|
|
// defined in profile. Generally should be -1 (bidirectional)
|
|
|
|
|
// for compatibility with 2.x branch
|
2016-02-04 00:30:02 +01:00
|
|
|
int defaultKeyDirection = -1;
|
2013-01-28 02:11:28 +01:00
|
|
|
|
2013-12-27 23:16:05 +01:00
|
|
|
// If true, force ciphersuite to be one of:
|
|
|
|
|
// 1. TLS_DHE_RSA_WITH_AES_256_CBC_SHA, or
|
|
|
|
|
// 2. TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|
|
|
|
|
// and disable setting TLS minimum version.
|
|
|
|
|
// This is intended for compatibility with legacy systems.
|
2016-02-04 00:30:02 +01:00
|
|
|
bool forceAesCbcCiphersuites = false;
|
2013-12-27 23:16:05 +01:00
|
|
|
|
2015-02-05 04:29:43 +01:00
|
|
|
// Override the minimum TLS version:
|
|
|
|
|
// disabled -- don't specify a minimum, and disable any minimum
|
|
|
|
|
// specified in profile
|
|
|
|
|
// default or "" -- use profile minimum
|
|
|
|
|
// tls_1_0 -- use TLS 1.0 minimum (overrides profile)
|
|
|
|
|
// tls_1_1 -- use TLS 1.1 minimum (overrides profile)
|
|
|
|
|
// tls_1_2 -- use TLS 1.2 minimum (overrides profile)
|
|
|
|
|
std::string tlsVersionMinOverride;
|
|
|
|
|
|
2017-02-28 19:50:28 +01:00
|
|
|
// Override or default the tls-cert-profile setting:
|
|
|
|
|
// default or "" -- use profile default
|
|
|
|
|
// legacy -- allow 1024-bit RSA certs signed with SHA1
|
|
|
|
|
// preferred -- require at least 2048-bit RSA certs signed
|
|
|
|
|
// with SHA256 or higher
|
|
|
|
|
// suiteb -- require NSA Suite-B
|
|
|
|
|
// legacy-default -- use legacy as the default if profile
|
|
|
|
|
// doesn't specify tls-cert-profile
|
|
|
|
|
// preferred-default -- use preferred as the default if profile
|
|
|
|
|
// doesn't specify tls-cert-profile
|
|
|
|
|
std::string tlsCertProfileOverride;
|
|
|
|
|
|
2015-09-22 04:42:24 +02:00
|
|
|
// Pass custom key/value pairs to OpenVPN server.
|
|
|
|
|
std::vector<KeyValue> peerInfo;
|
|
|
|
|
|
2012-10-24 08:38:20 +02:00
|
|
|
// HTTP Proxy parameters (optional)
|
2012-10-28 11:07:32 +01:00
|
|
|
std::string proxyHost; // hostname or IP address of proxy
|
|
|
|
|
std::string proxyPort; // port number of proxy
|
|
|
|
|
std::string proxyUsername; // proxy credentials (optional)
|
|
|
|
|
std::string proxyPassword; // proxy credentials (optional)
|
2016-02-04 00:30:02 +01:00
|
|
|
bool proxyAllowCleartextAuth = false; // enables HTTP Basic auth
|
2015-02-03 07:11:51 +01:00
|
|
|
|
|
|
|
|
// Custom proxy implementation
|
2016-02-04 00:30:02 +01:00
|
|
|
bool altProxy = false;
|
2015-06-17 09:48:33 +02:00
|
|
|
|
|
|
|
|
// Custom Data Channel Offload implementation
|
2016-02-04 00:30:02 +01:00
|
|
|
bool dco = false;
|
Added gremlin option to client, controllable via
ClientAPI::Config::gremlinConfig string.
The gremlin option allows extra packet latency
or unreliability to be added to the tunnel.
The format of the option is a comma-separated list
of numerical parameters:
send_delay_ms, recv_delay_ms, send_drop_prob, recv_drop_prob
Parameter description:
send_delay_ms : delay packets by n milliseconds before
transmission (UDP/TCP).
recv_delay_ms : delay received packets by n milliseconds
before processing them (UDP/TCP).
send_drop_prob : drop sent packets with probability 1/n
(UDP only).
recv_drop_prob : drop received packets with probability
1/n (UDP only).
Set any parameter to 0 to disable.
Gremlin parameters currently work with UDP and TCP
transport as documented above, but not for proxy transport.
Client must be built with the OPENVPN_GREMLIN flag to compile
gremlin functionality.
Command-line client can set the gremlin config
string using --gremlin or -G, for example:
--gremlin=250,250,64,64
When using the above parameters, an extra 500 milliseconds
will be added to round-trip latency, and 1/64 sent or
received packets will be dropped.
2016-01-26 08:27:11 +01:00
|
|
|
|
2016-03-28 08:31:35 +02:00
|
|
|
// pass through pushed "echo" directives via "ECHO" event
|
|
|
|
|
bool echo = false;
|
|
|
|
|
|
2016-05-11 01:53:09 +02:00
|
|
|
// pass through control channel INFO notifications via "INFO" event
|
|
|
|
|
bool info = false;
|
|
|
|
|
|
2017-04-12 20:37:41 +02:00
|
|
|
// Periodic convenience clock tick in milliseconds.
|
|
|
|
|
// Will call clock_tick() at a frequency defined by this parameter.
|
|
|
|
|
// Set to 0 to disable.
|
|
|
|
|
unsigned int clockTickMS = 0;
|
|
|
|
|
|
Added gremlin option to client, controllable via
ClientAPI::Config::gremlinConfig string.
The gremlin option allows extra packet latency
or unreliability to be added to the tunnel.
The format of the option is a comma-separated list
of numerical parameters:
send_delay_ms, recv_delay_ms, send_drop_prob, recv_drop_prob
Parameter description:
send_delay_ms : delay packets by n milliseconds before
transmission (UDP/TCP).
recv_delay_ms : delay received packets by n milliseconds
before processing them (UDP/TCP).
send_drop_prob : drop sent packets with probability 1/n
(UDP only).
recv_drop_prob : drop received packets with probability
1/n (UDP only).
Set any parameter to 0 to disable.
Gremlin parameters currently work with UDP and TCP
transport as documented above, but not for proxy transport.
Client must be built with the OPENVPN_GREMLIN flag to compile
gremlin functionality.
Command-line client can set the gremlin config
string using --gremlin or -G, for example:
--gremlin=250,250,64,64
When using the above parameters, an extra 500 milliseconds
will be added to round-trip latency, and 1/64 sent or
received packets will be dropped.
2016-01-26 08:27:11 +01:00
|
|
|
// Gremlin configuration (requires that the core is built with OPENVPN_GREMLIN)
|
|
|
|
|
std::string gremlinConfig;
|
2012-02-11 15:02:51 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// used to communicate VPN events such as connect, disconnect, etc.
|
2012-05-25 19:54:53 +02:00
|
|
|
// (client reads)
|
2012-02-11 15:02:51 +01:00
|
|
|
struct Event
|
|
|
|
|
{
|
2016-04-01 04:24:28 +02:00
|
|
|
bool error = false; // true if error (fatal or nonfatal)
|
|
|
|
|
bool fatal = false; // true if fatal error (will disconnect)
|
2012-02-11 15:02:51 +01:00
|
|
|
std::string name; // event name
|
|
|
|
|
std::string info; // additional event info
|
|
|
|
|
};
|
|
|
|
|
|
2012-07-02 22:52:58 +02:00
|
|
|
// used to communicate extra details about successful connection
|
|
|
|
|
// (client reads)
|
|
|
|
|
struct ConnectionInfo
|
|
|
|
|
{
|
2016-02-04 00:30:02 +01:00
|
|
|
bool defined = false;
|
2012-07-02 22:52:58 +02:00
|
|
|
std::string user;
|
|
|
|
|
std::string serverHost;
|
|
|
|
|
std::string serverPort;
|
|
|
|
|
std::string serverProto;
|
|
|
|
|
std::string serverIp;
|
2012-10-03 11:03:02 +02:00
|
|
|
std::string vpnIp4;
|
|
|
|
|
std::string vpnIp6;
|
2016-06-27 06:23:08 +02:00
|
|
|
std::string gw4;
|
|
|
|
|
std::string gw6;
|
2012-10-03 11:03:02 +02:00
|
|
|
std::string clientIp;
|
2012-07-02 22:52:58 +02:00
|
|
|
std::string tunName;
|
|
|
|
|
};
|
|
|
|
|
|
2012-02-11 15:02:51 +01:00
|
|
|
// returned by some methods as a status/error indication
|
2012-05-25 19:54:53 +02:00
|
|
|
// (client reads)
|
2012-02-11 15:02:51 +01:00
|
|
|
struct Status
|
|
|
|
|
{
|
2016-02-04 00:30:02 +01:00
|
|
|
bool error = false; // true if error
|
2012-11-16 05:13:48 +01:00
|
|
|
std::string status; // an optional short error label that identifies the error
|
2012-02-11 15:02:51 +01:00
|
|
|
std::string message; // if error, message given here
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// used to pass log lines
|
2012-05-25 19:54:53 +02:00
|
|
|
// (client reads)
|
2017-08-24 12:06:15 +02:00
|
|
|
struct LogInfo
|
2012-02-11 15:02:51 +01:00
|
|
|
{
|
2016-03-28 08:16:18 +02:00
|
|
|
LogInfo() {}
|
2017-08-24 23:11:21 +02:00
|
|
|
LogInfo(std::string str)
|
|
|
|
|
: text(std::move(str)) {}
|
2017-08-24 12:06:15 +02:00
|
|
|
std::string text; // log output (usually but not always one line)
|
2012-02-11 15:02:51 +01:00
|
|
|
};
|
|
|
|
|
|
2016-03-15 22:02:01 +01:00
|
|
|
// receives log messages
|
|
|
|
|
struct LogReceiver
|
|
|
|
|
{
|
|
|
|
|
virtual void log(const LogInfo&) = 0;
|
2016-05-07 23:16:05 +02:00
|
|
|
virtual ~LogReceiver() {}
|
2016-03-15 22:02:01 +01:00
|
|
|
};
|
|
|
|
|
|
2012-07-01 17:37:46 +02:00
|
|
|
// used to pass stats for an interface
|
|
|
|
|
struct InterfaceStats
|
|
|
|
|
{
|
2012-09-06 00:03:26 +02:00
|
|
|
long long bytesIn;
|
|
|
|
|
long long packetsIn;
|
|
|
|
|
long long errorsIn;
|
|
|
|
|
long long bytesOut;
|
|
|
|
|
long long packetsOut;
|
|
|
|
|
long long errorsOut;
|
2012-07-01 17:37:46 +02:00
|
|
|
};
|
|
|
|
|
|
2012-07-24 11:16:43 +02:00
|
|
|
// used to pass basic transport stats
|
|
|
|
|
struct TransportStats
|
|
|
|
|
{
|
2012-09-06 00:03:26 +02:00
|
|
|
long long bytesIn;
|
|
|
|
|
long long bytesOut;
|
|
|
|
|
long long packetsIn;
|
|
|
|
|
long long packetsOut;
|
|
|
|
|
|
|
|
|
|
// number of binary milliseconds (1/1024th of a second) since
|
|
|
|
|
// last packet was received, or -1 if undefined
|
|
|
|
|
int lastPacketReceived;
|
2012-07-24 11:16:43 +02:00
|
|
|
};
|
|
|
|
|
|
2012-11-12 02:52:03 +01:00
|
|
|
// return value of merge_config methods
|
2012-10-18 14:24:14 +02:00
|
|
|
struct MergeConfig
|
|
|
|
|
{
|
|
|
|
|
std::string status; // ProfileMerge::Status codes rendered as string
|
|
|
|
|
std::string errorText; // error string (augments status)
|
|
|
|
|
std::string basename; // profile basename
|
|
|
|
|
std::string profileContent; // unified profile
|
|
|
|
|
std::vector<std::string> refPathList; // list of all reference paths successfully read
|
|
|
|
|
};
|
|
|
|
|
|
2012-03-06 07:06:54 +01:00
|
|
|
// base class for External PKI queries
|
2012-10-18 14:24:14 +02:00
|
|
|
struct ExternalPKIRequestBase
|
|
|
|
|
{
|
2016-03-28 08:18:03 +02:00
|
|
|
bool error = false; // true if error occurred (client writes)
|
|
|
|
|
std::string errorText; // text describing error (client writes)
|
|
|
|
|
bool invalidAlias = false; // true if the error is caused by an invalid alias (client writes)
|
|
|
|
|
std::string alias; // the alias string, used to query cert/key (client reads)
|
2012-03-06 07:06:54 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// used to query for External PKI certificate
|
|
|
|
|
struct ExternalPKICertRequest : public ExternalPKIRequestBase
|
|
|
|
|
{
|
2012-10-19 12:29:12 +02:00
|
|
|
// leaf cert
|
2012-05-25 19:54:53 +02:00
|
|
|
std::string cert; // (client writes)
|
2012-10-19 12:29:12 +02:00
|
|
|
|
|
|
|
|
// chain of intermediates and root (optional)
|
|
|
|
|
std::string supportingChain; // (client writes)
|
2012-03-06 07:06:54 +01:00
|
|
|
};
|
|
|
|
|
|
mbedTLS: Port from polarssl-1.3 to mbedtls-2.3 (functional)
This patch builds on work by David Sommerseth <davids@openvpn.net>
to move the PolarSSL API from polarssl-1.3 to mbedtls-2.3, which
has significant differences in some areas.
- Strings containing keys, certificates, CRLs, and DH parameters
need to be NULL-terminated and the length argument provided to
the corresponding mbedtls parse function must be able to read
the NULL-terminator. These places have been modified with a
'+1' to the length argument (x509cert.hpp, x509crl.hpp, dh.hpp,
pkctx.hpp).
- The SSL context object has been split up in mbedtls-2.3
Now many of the SSL configurations are done in a separate
SSL config object, which is added to the SSL context once
configured. In addition private/public keys are now stored
in a separate pk_context, which is later on attached to the
SSL context. Due to this, many of the calls setting either
SSL configuration parameters or working with pk_contexts have
been refactored. (sslctx.hpp)
- The older API loading the CA chain took a hostname argument.
The new API requires mbedtls_ssl_set_hostname() explicitly to
be called setting hostname. Some refactoring was needed here
too (sslctx.hpp).
- x509_oid_get_description() is now replaced by
mbedtls_oid_get_extended_key_usage().
- when mbedTLS renamed OID_CMP to MBEDTLS_OID_CMP, the return
value was changed so that a return value of 0 now means equal
rather than not-equal.
- mbedtls/platform.h must be loaded before any other mbedtls
include files (sslchoose.hpp).
- All functions and macros related to mbedTLS are now prefixed
with mbedtls_/MBEDTLS_
- Refactored External PKI and added some options to cli.cpp
to make it easier to test that the feature still works
correctly. This included removing the sig_type var and
standardizing on a PKCS#1 digest prefix per RFC 3447.
- Updated test keys to 2048 bits.
- Updated dependency build scripts to build mbedTLS.
- Enable MD4 in mbedTLS build script (needed for NTLM auth).
- Use an allow-all X509 cert profile to preserve compatibility
with older configs. Going forward, we will implement new
options to increase strictness on minimum RSA key size and
required cert signing algs.
- Added human-readable reason strings that explain why
a given cert in the chain wasn't accepted.
- This patch doesn't rename any files or rename internal
OpenVPN 3 symbols such as PolarSSLContext. This will
be done in a separate commit.
Signed-off-by: James Yonan <james@openvpn.net>
2017-02-23 23:20:31 +01:00
|
|
|
// Used to request an RSA signature.
|
|
|
|
|
// Data will be prefixed by an optional PKCS#1 digest prefix
|
|
|
|
|
// per RFC 3447.
|
2012-03-06 07:06:54 +01:00
|
|
|
struct ExternalPKISignRequest : public ExternalPKIRequestBase
|
|
|
|
|
{
|
2012-05-25 19:54:53 +02:00
|
|
|
std::string data; // data rendered as base64 (client reads)
|
|
|
|
|
std::string sig; // RSA signature, rendered as base64 (client writes)
|
2012-03-06 07:06:54 +01:00
|
|
|
};
|
|
|
|
|
|
2016-07-02 09:00:09 +02:00
|
|
|
// used to override "remote" directives
|
|
|
|
|
struct RemoteOverride
|
|
|
|
|
{
|
|
|
|
|
// components of "remote" directive (client writes),
|
|
|
|
|
std::string host; // either one of host
|
|
|
|
|
std::string ip; // or ip must be defined (or both)
|
|
|
|
|
std::string port;
|
|
|
|
|
std::string proto;
|
|
|
|
|
};
|
|
|
|
|
|
2012-02-11 15:02:51 +01:00
|
|
|
namespace Private {
|
2016-06-27 07:00:37 +02:00
|
|
|
class ClientState;
|
2012-02-11 15:02:51 +01:00
|
|
|
};
|
|
|
|
|
|
2012-07-01 17:37:46 +02:00
|
|
|
// Top-level OpenVPN client class.
|
2017-04-13 21:28:34 +02:00
|
|
|
class OpenVPNClient : public TunBuilderBase, // expose tun builder virtual methods
|
|
|
|
|
public LogReceiver, // log message notification
|
|
|
|
|
public ExternalTun::Factory, // low-level tun override
|
2017-10-09 15:59:46 +02:00
|
|
|
public ExternalTransport::Factory,// low-level transport override
|
2017-04-13 21:28:34 +02:00
|
|
|
private ExternalPKIBase
|
|
|
|
|
{
|
2012-02-11 15:02:51 +01:00
|
|
|
public:
|
2012-03-01 09:11:00 +01:00
|
|
|
OpenVPNClient();
|
|
|
|
|
virtual ~OpenVPNClient();
|
2012-02-11 15:02:51 +01:00
|
|
|
|
2012-07-01 17:37:46 +02:00
|
|
|
// Call me first, before calling any other method (static or instance methods)
|
|
|
|
|
// in this class.
|
|
|
|
|
static void init_process();
|
|
|
|
|
|
2014-08-11 00:44:09 +02:00
|
|
|
// Release any resources allocated by init_process.
|
|
|
|
|
static void uninit_process();
|
|
|
|
|
|
2012-10-18 14:24:14 +02:00
|
|
|
// Read an OpenVPN profile that might contain external
|
|
|
|
|
// file references, returning a unified profile.
|
2012-11-12 02:52:03 +01:00
|
|
|
static MergeConfig merge_config_static(const std::string& path, bool follow_references);
|
|
|
|
|
|
|
|
|
|
// Read an OpenVPN profile that might contain external
|
|
|
|
|
// file references, returning a unified profile.
|
|
|
|
|
static MergeConfig merge_config_string_static(const std::string& config_content);
|
2012-10-18 14:24:14 +02:00
|
|
|
|
|
|
|
|
// Parse profile and determine needed credentials statically.
|
2012-11-14 03:35:50 +01:00
|
|
|
static EvalConfig eval_config_static(const Config& config);
|
2012-02-15 15:45:55 +01:00
|
|
|
|
2012-11-12 02:52:03 +01:00
|
|
|
// Maximum size of profile that should be allowed
|
|
|
|
|
static long max_profile_size();
|
|
|
|
|
|
2012-03-03 03:56:58 +01:00
|
|
|
// Parse a dynamic challenge cookie, placing the result in dc.
|
|
|
|
|
// Return true on success or false if parse error.
|
|
|
|
|
static bool parse_dynamic_challenge(const std::string& cookie, DynamicChallenge& dc);
|
|
|
|
|
|
2012-02-11 15:02:51 +01:00
|
|
|
// Parse OpenVPN configuration file.
|
2012-03-03 12:09:05 +01:00
|
|
|
EvalConfig eval_config(const Config&);
|
2012-02-11 15:02:51 +01:00
|
|
|
|
2012-03-03 03:56:58 +01:00
|
|
|
// Provide credentials and other options. Call before connect().
|
|
|
|
|
Status provide_creds(const ProvideCreds&);
|
2012-02-11 15:02:51 +01:00
|
|
|
|
2012-02-27 06:11:22 +01:00
|
|
|
// Callback to "protect" a socket from being routed through the tunnel.
|
|
|
|
|
// Will be called from the thread executing connect().
|
2012-02-19 18:43:42 +01:00
|
|
|
virtual bool socket_protect(int socket) = 0;
|
|
|
|
|
|
2012-02-11 15:02:51 +01:00
|
|
|
// Primary VPN client connect method, doesn't return until disconnect.
|
|
|
|
|
// Should be called by a worker thread. This method will make callbacks
|
2012-02-15 15:45:55 +01:00
|
|
|
// to event() and log() functions. Make sure to call eval_config()
|
|
|
|
|
// and possibly provide_creds() as well before this function.
|
|
|
|
|
Status connect();
|
2012-02-11 15:02:51 +01:00
|
|
|
|
2012-07-02 22:52:58 +02:00
|
|
|
// Return information about the most recent connection. Should be called
|
|
|
|
|
// after an event of type "CONNECTED".
|
|
|
|
|
ConnectionInfo connection_info();
|
|
|
|
|
|
2012-08-21 23:32:51 +02:00
|
|
|
// Writes current session token to tok and returns true.
|
|
|
|
|
// If session token is unavailable, false is returned and
|
|
|
|
|
// tok is unmodified.
|
|
|
|
|
bool session_token(SessionToken& tok);
|
|
|
|
|
|
2012-02-11 15:02:51 +01:00
|
|
|
// Stop the client. Only meaningful when connect() is running.
|
2012-02-15 15:45:55 +01:00
|
|
|
// May be called asynchronously from a different thread
|
2012-02-11 15:02:51 +01:00
|
|
|
// when connect() is running.
|
|
|
|
|
void stop();
|
|
|
|
|
|
2012-02-27 06:11:22 +01:00
|
|
|
// Pause the client -- useful to avoid continuous reconnection attempts
|
|
|
|
|
// when network is down. May be called from a different thread
|
|
|
|
|
// when connect() is running.
|
2014-03-25 00:28:46 +01:00
|
|
|
void pause(const std::string& reason);
|
2012-02-27 06:11:22 +01:00
|
|
|
|
|
|
|
|
// Resume the client after it has been paused. May be called from a
|
|
|
|
|
// different thread when connect() is running.
|
|
|
|
|
void resume();
|
|
|
|
|
|
|
|
|
|
// Do a disconnect/reconnect cycle n seconds from now. May be called
|
|
|
|
|
// from a different thread when connect() is running.
|
|
|
|
|
void reconnect(int seconds);
|
|
|
|
|
|
2012-10-23 15:10:39 +02:00
|
|
|
// When a connection is close to timeout, the core will call this
|
|
|
|
|
// method. If it returns false, the core will disconnect with a
|
|
|
|
|
// CONNECTION_TIMEOUT event. If true, the core will enter a PAUSE
|
|
|
|
|
// state.
|
|
|
|
|
virtual bool pause_on_connection_timeout() = 0;
|
|
|
|
|
|
2012-02-27 06:11:22 +01:00
|
|
|
// Get stats/error info. May be called from a different thread
|
|
|
|
|
// when connect() is running.
|
2012-02-25 08:37:31 +01:00
|
|
|
|
|
|
|
|
// number of stats
|
|
|
|
|
static int stats_n();
|
|
|
|
|
|
|
|
|
|
// return a stats name, index should be >= 0 and < stats_n()
|
|
|
|
|
static std::string stats_name(int index);
|
|
|
|
|
|
|
|
|
|
// return a stats value, index should be >= 0 and < stats_n()
|
|
|
|
|
long long stats_value(int index) const;
|
2012-02-11 15:02:51 +01:00
|
|
|
|
2012-03-07 12:21:09 +01:00
|
|
|
// return all stats in a bundle
|
|
|
|
|
std::vector<long long> stats_bundle() const;
|
|
|
|
|
|
2012-07-01 17:37:46 +02:00
|
|
|
// return tun stats only
|
|
|
|
|
InterfaceStats tun_stats() const;
|
|
|
|
|
|
2012-07-24 11:16:43 +02:00
|
|
|
// return transport stats only
|
|
|
|
|
TransportStats transport_stats() const;
|
|
|
|
|
|
2016-12-08 23:23:01 +01:00
|
|
|
// post control channel message
|
|
|
|
|
void post_cc_msg(const std::string& msg);
|
|
|
|
|
|
2012-02-11 15:02:51 +01:00
|
|
|
// Callback for delivering events during connect() call.
|
2012-02-27 06:11:22 +01:00
|
|
|
// Will be called from the thread executing connect().
|
2012-02-11 15:02:51 +01:00
|
|
|
virtual void event(const Event&) = 0;
|
|
|
|
|
|
|
|
|
|
// Callback for logging.
|
2012-02-27 06:11:22 +01:00
|
|
|
// Will be called from the thread executing connect().
|
2012-02-11 15:02:51 +01:00
|
|
|
virtual void log(const LogInfo&) = 0;
|
|
|
|
|
|
2012-03-06 07:06:54 +01:00
|
|
|
// External PKI callbacks
|
|
|
|
|
// Will be called from the thread executing connect().
|
|
|
|
|
virtual void external_pki_cert_request(ExternalPKICertRequest&) = 0;
|
|
|
|
|
virtual void external_pki_sign_request(ExternalPKISignRequest&) = 0;
|
|
|
|
|
|
2016-07-02 09:00:09 +02:00
|
|
|
// Remote override callback (disabled by default).
|
|
|
|
|
virtual bool remote_override_enabled();
|
|
|
|
|
virtual void remote_override(RemoteOverride&);
|
|
|
|
|
|
2017-04-12 20:37:41 +02:00
|
|
|
// Periodic convenience clock tick, controlled by Config::clock_tick_ms
|
|
|
|
|
virtual void clock_tick();
|
|
|
|
|
|
2013-06-14 02:34:49 +02:00
|
|
|
// Do a crypto library self test
|
|
|
|
|
static std::string crypto_self_test();
|
|
|
|
|
|
2012-03-10 05:55:32 +01:00
|
|
|
// Returns date/time of app expiration as a unix time value
|
|
|
|
|
static int app_expire();
|
|
|
|
|
|
2014-01-15 00:28:29 +01:00
|
|
|
// Returns platform description string
|
|
|
|
|
static std::string platform();
|
|
|
|
|
|
2012-04-18 00:12:27 +02:00
|
|
|
// Returns core copyright
|
|
|
|
|
static std::string copyright();
|
|
|
|
|
|
2016-06-27 06:57:36 +02:00
|
|
|
// Hide protected methods/data from SWIG
|
|
|
|
|
#ifdef SWIGJAVA
|
|
|
|
|
private:
|
|
|
|
|
#else
|
2015-04-12 19:27:58 +02:00
|
|
|
protected:
|
2016-06-27 06:57:36 +02:00
|
|
|
#endif
|
|
|
|
|
|
2015-04-12 19:27:58 +02:00
|
|
|
Status do_connect();
|
|
|
|
|
|
|
|
|
|
virtual void connect_attach();
|
|
|
|
|
virtual void connect_pre_run();
|
|
|
|
|
virtual void connect_run();
|
|
|
|
|
virtual void connect_session_stop();
|
|
|
|
|
|
2016-06-27 07:00:37 +02:00
|
|
|
virtual Stop* get_async_stop();
|
|
|
|
|
|
2015-04-12 19:27:58 +02:00
|
|
|
Private::ClientState* state;
|
|
|
|
|
|
2012-02-11 15:02:51 +01:00
|
|
|
private:
|
2017-04-18 07:28:36 +02:00
|
|
|
void connect_setup(Status&, bool&);
|
|
|
|
|
void do_connect_async();
|
|
|
|
|
static Status status_from_exception(const std::exception&);
|
2012-03-03 12:09:05 +01:00
|
|
|
static void parse_config(const Config&, EvalConfig&, OptionList&);
|
|
|
|
|
void parse_extras(const Config&, EvalConfig&);
|
2017-04-18 07:28:36 +02:00
|
|
|
void external_pki_error(const ExternalPKIRequestBase&, const size_t);
|
|
|
|
|
void process_epki_cert_chain(const ExternalPKICertRequest&);
|
2012-03-10 05:55:32 +01:00
|
|
|
void check_app_expired();
|
2012-11-12 02:52:03 +01:00
|
|
|
static MergeConfig build_merge_config(const ProfileMerge&);
|
2012-03-06 07:06:54 +01:00
|
|
|
|
2017-04-12 20:37:41 +02:00
|
|
|
friend class MyClientEvents;
|
|
|
|
|
void on_disconnect();
|
|
|
|
|
|
2012-03-06 07:06:54 +01:00
|
|
|
// from ExternalPKIBase
|
mbedTLS: Port from polarssl-1.3 to mbedtls-2.3 (functional)
This patch builds on work by David Sommerseth <davids@openvpn.net>
to move the PolarSSL API from polarssl-1.3 to mbedtls-2.3, which
has significant differences in some areas.
- Strings containing keys, certificates, CRLs, and DH parameters
need to be NULL-terminated and the length argument provided to
the corresponding mbedtls parse function must be able to read
the NULL-terminator. These places have been modified with a
'+1' to the length argument (x509cert.hpp, x509crl.hpp, dh.hpp,
pkctx.hpp).
- The SSL context object has been split up in mbedtls-2.3
Now many of the SSL configurations are done in a separate
SSL config object, which is added to the SSL context once
configured. In addition private/public keys are now stored
in a separate pk_context, which is later on attached to the
SSL context. Due to this, many of the calls setting either
SSL configuration parameters or working with pk_contexts have
been refactored. (sslctx.hpp)
- The older API loading the CA chain took a hostname argument.
The new API requires mbedtls_ssl_set_hostname() explicitly to
be called setting hostname. Some refactoring was needed here
too (sslctx.hpp).
- x509_oid_get_description() is now replaced by
mbedtls_oid_get_extended_key_usage().
- when mbedTLS renamed OID_CMP to MBEDTLS_OID_CMP, the return
value was changed so that a return value of 0 now means equal
rather than not-equal.
- mbedtls/platform.h must be loaded before any other mbedtls
include files (sslchoose.hpp).
- All functions and macros related to mbedTLS are now prefixed
with mbedtls_/MBEDTLS_
- Refactored External PKI and added some options to cli.cpp
to make it easier to test that the feature still works
correctly. This included removing the sig_type var and
standardizing on a PKCS#1 digest prefix per RFC 3447.
- Updated test keys to 2048 bits.
- Updated dependency build scripts to build mbedTLS.
- Enable MD4 in mbedTLS build script (needed for NTLM auth).
- Use an allow-all X509 cert profile to preserve compatibility
with older configs. Going forward, we will implement new
options to increase strictness on minimum RSA key size and
required cert signing algs.
- Added human-readable reason strings that explain why
a given cert in the chain wasn't accepted.
- This patch doesn't rename any files or rename internal
OpenVPN 3 symbols such as PolarSSLContext. This will
be done in a separate commit.
Signed-off-by: James Yonan <james@openvpn.net>
2017-02-23 23:20:31 +01:00
|
|
|
virtual bool sign(const std::string& data, std::string& sig);
|
2012-02-15 15:45:55 +01:00
|
|
|
|
2016-06-27 06:58:23 +02:00
|
|
|
// disable copy and assignment
|
|
|
|
|
OpenVPNClient(const OpenVPNClient&) = delete;
|
|
|
|
|
OpenVPNClient& operator=(const OpenVPNClient&) = delete;
|
2012-02-11 15:02:51 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
}
|