Use ::CreateIpForwardEntry2() to add route instead of
expensive netsh call. Make it as a default choce.
Add unit test.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Commit 941104cf4 refactored the way how test files are added, but
broke (disabled) execution of sitnl and cputime tests. Fix that.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Although the init calls were protected by a mutex more than consumer of
the API will the second one if the uninit was called too early.
While at it, move from explicit init/uninit calls to RAII.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Add dependency to libnl-genl, which is C library
for generic netlink communication.
Implement C++ wrapper for libnl-genl, inspired by
ovpn-cli - a test client for ovpn-dco kernel module.
Implement ovpn-dco netlink commands:
- OVPN_CMD_START_VPN - pass transport socket,
protocol (UDP) and mode (client).
- OVPN_CMD_NEW_PEER - pass local and remote
endpoint info.
- OVPN_CMD_PACKET - move (control channel) packets
between userspace and kernel.
- OVPN_CMD_DEL_PEER - sent by kernel when peer is deleted
due to keepalive timeout (causes reconnect) or any other
reason (considered as fatal).
This change allows to perform openvpn handshake and
establish connection which doesn't work, since data channel
keys are not passed to kernel yet.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Add tun/transport client skeleton for ovpn-dco,
which doesn't do any work except creating/removing
ovpn-dco device.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
In preparation of ovpn-dco support, split dco transport
client into two parts:
- generic dco support in dcocli.hpp
- kovpn-specific code in kovpncli.hpp
Add build directory (used by VS Code) to .gitignore
Use #pragma once instead of #ifndef/#define/#endif
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Macro OPENVPN_USE_SITNL should be defined before
inclusion of client/ovpncli.cpp.
Include tuncli.hpp for consistency with mac-specific code below.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
If the OPENVPN_USE_SITNL is defined as compiler arguments or set
earlier if cli.cpp was used in an #include statement, the compiler
would warn about OPENVPN_USE_SITNL being redefined.
We want OPENVPN_USE_SITNL by default, but the code does not need
to explicitly define it if it is already defined.
Signed-off-by: David Sommerseth <davids@openvpn.net>
OpenSSL 1.1+ by default only allows signatures and key exchange from the
default list of X25519:secp256r1:X448:secp521r1:secp384r1. Since in
TLS1.3 key exchange is independent from the signature/key of the
certificates, allowing all groups per default is not a sensible choice
anymore and the shorter lister is reasonable.
However, when using certificates with exotic curves the signatures of
this certificates will no longer be accepted. This option allows to
modify the list for these corner cases.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This is needed for the tls-cipehr/tls-ciphersuites to have an
initialised OpenSSL when using OpenSSL < 1.1.0
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This option has been very likely been to fix some incompatibilities
between some TLS libraries. But nobody really remember what it fixes
and its usage today is questionable. So remove the option instead
of supporting an option we cannot even test anymore.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Added a unit test to confirm the fix.
Other changes:
* In Base64 decode(), avoid the use of std::strlen() in favor
of std::string length() method since a std::string could
conceivably contain embedded null chars.
* In Base64 unit test, renamed b64_test_bad() to
b64_test_bad_decode() for clarity.
Signed-off-by: James Yonan <james@openvpn.net>
This is useful for running a command from a worker thread
where signals have been blocked, but we want the child
process to run with the original pre-blocked signal configuration.
Signed-off-by: James Yonan <james@openvpn.net>
The added IV_CIPHER string that we send, brought the Frame used in
the proto test client over the 256 byte limit. Change the proto test
to use a larger test frame of 378 byte.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Linux filesystem is case-sensitive and all
mingw includes are in lower case. Also use
Linux directory separator, since it works on both
Linux and Windows.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
These functions are found in openvpn/mbedtls/pki/x509certinfo.hpp.
This change also adds support to build coreUnitTests against mbed TLS
instead of OpenSSL (default) by providing -DUSE_MBEDTLS=true to cmake.
Signed-off-by: David Sommerseth <davids@openvpn.net>
This adds some basic unit tests for the various functions retrieving
information from a X.509 certificate.
Signed-off-by: David Sommerseth <davids@openvpn.net>
This new VerifyX509Name class handles both extracting and parsing the
appropriate --verify-x509-name option and is able to verify if a given
subject or hostname is matching the expectation.
Signed-off-by: David Sommerseth <davids@openvpn.net>
This avoids the mistake of using the insecure MTRand in anything but
a unit test and has the advantage that not all MTRand in a unit test
suite report being secure
Signed-off-by: Arne Schwabe <arne@openvpn.net>
To support the pre unittest tests that compare the output against an
expected output without fully rewriting them, this logger provides a
facility to integrate them in the unit test framework
Signed-off-by: Arne Schwabe <arne@openvpn.net>
