OVPN3-229 compression
Approved-by: Arne Schwabe <arne@openvpn.net>
Approved-by: Antonio Quartulli <antonio@openvpn.net>
Approved-by: James Yonan <james@openvpn.net>
Approved-by: Lev Stipakov <lev@openvpn.net>
Platforms like UWP and iOS may call core methods
from other threads. Since the core is not thread-safe,
we provide the OPENVPN_ASYNC_HANDLER macro, which instantiates
a lock guard. It follows the RAII principle and locks a global
mutex in the constructor and unlocks it in the destructor. This
guarantees that code in a block protected with this macro
won't be called simultaneously from different threads.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
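The lock-guard pattern this message describes, as an added example that is not OpenVPN 3's own code: a counting wrapper around std::mutex so the lock state can be observed, an RAII guard, and a hypothetical EXAMPLE_ASYNC_HANDLER macro standing in for OPENVPN_ASYNC_HANDLER (all names here are assumptions). The throwing method shows why RAII matters for this: the guard's destructor runs during stack unwinding, so a failing core call cannot leave the global lock held.

```cpp
#include <mutex>
#include <stdexcept>

// Hypothetical stand-in for OPENVPN_ASYNC_HANDLER: placed as the first
// statement of any core method a platform (UI) thread may call. It declares a
// guard whose lifetime is the enclosing block.
#define EXAMPLE_ASYNC_HANDLER() \
  example_async_handler::CoreLockGuard example_async_handler_guard_

namespace example_async_handler {

// std::mutex plus a depth counter, so a test can see whether it is held.
class CoreMutex {
public:
  void lock()   { impl_.lock(); ++depth_; }
  void unlock() { --depth_; impl_.unlock(); }
  int depth() const { return depth_; }   // 1 while held, 0 when free
private:
  std::mutex impl_;
  int depth_ = 0;
};

// The single global lock that serialises every entry into the core.
inline CoreMutex& core_mutex() {
  static CoreMutex m;
  return m;
}

// RAII guard: lock in the constructor, unlock in the destructor, so every
// exit path (return or exception) releases the mutex.
class CoreLockGuard {
public:
  CoreLockGuard() { core_mutex().lock(); }
  ~CoreLockGuard() { core_mutex().unlock(); }
  CoreLockGuard(const CoreLockGuard&) = delete;
  CoreLockGuard& operator=(const CoreLockGuard&) = delete;
};

// A guarded core method: observe the lock depth while the guard is alive.
inline int depth_inside_guarded_block() {
  EXAMPLE_ASYNC_HANDLER();
  return core_mutex().depth();          // 1: held by the guard
}

// A guarded core method that fails part-way through.
inline void guarded_method_that_throws() {
  EXAMPLE_ASYNC_HANDLER();
  throw std::runtime_error("core error while holding the lock");
}

// Lock depth after a normal guarded call has returned.
inline int depth_after_normal_call() {
  depth_inside_guarded_block();
  return core_mutex().depth();          // 0: released on return
}

// Lock depth after a guarded call that threw: the guard's destructor ran
// during unwinding, so the mutex is free despite the exception.
inline int depth_after_exception() {
  try {
    guarded_method_that_throws();
  } catch (const std::runtime_error&) {
    // expected; the guard already released the lock
  }
  return core_mutex().depth();          // 0
}

}  // namespace example_async_handler
```

One caveat of this example's design: std::mutex is not reentrant, so a guarded method that calls another guarded method on the same thread would deadlock on itself. Either keep the macro at the public entry points only, or back the guard with a recursive mutex if nested guarded calls are possible.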
Implement domain autocompletion by adding the ADAPTER_DOMAIN_SUFFIX value
to SearchDomains (see https://support.apple.com/en-ca/HT200303).
Note that autocompletion won't work in the case of split-DNS, when macOS
uses the network adapter's domain suffix instead of the one provided by the VPN.
Exclude split-DNS domains from the autocompletion list.
Do not add "dhcp-option DOMAIN" values to SearchDomains
when redirecting DNS, so that they are not used for autocompletion.
This fixes OC-70 and OC-72.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
do not add DOMAIN values to search domains when redirect DNS
The OMI model (OpenVPN management interface) can't deal
with control characters in credentials, so we add a strict
flag to ValidateCreds::is_valid() that, when true, will
validate according to OMI requirements.
Also increased the max length for credentials under strict=true
to 512 for OMI.
Signed-off-by: James Yonan <james@openvpn.net>
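What a strict credential check of this kind looks like, as an added example rather than OpenVPN 3's ValidateCreds. Strict mode rejects every ASCII control character (0x00-0x1F and 0x7F), since a line-oriented text management interface cannot carry them, and caps the length at 512 as the message states. The 256-byte non-strict limit and the fact that non-strict mode checks length only are assumptions made for illustration, as are all names. Spaces are ordinary printable bytes and pass.

```cpp
#include <cstddef>
#include <string>

namespace example_creds {

enum class Verdict { Ok, Empty, TooLong, ControlChar };

constexpr std::size_t kStrictMaxLen = 512;    // from the commit message
constexpr std::size_t kDefaultMaxLen = 256;   // assumption for illustration

// ASCII control characters: C0 range plus DEL.
inline bool is_control_char(unsigned char c) {
  return c < 0x20 || c == 0x7F;
}

// Validates one credential field (username or password).
// strict=true applies the management-interface rules.
inline Verdict validate(const std::string& cred, bool strict) {
  if (cred.empty())
    return Verdict::Empty;
  if (cred.size() > (strict ? kStrictMaxLen : kDefaultMaxLen))
    return Verdict::TooLong;
  if (strict) {
    for (unsigned char c : cred)
      if (is_control_char(c))
        return Verdict::ControlChar;   // would break a management command line
  }
  return Verdict::Ok;
}

// Same shape as the is_valid(strict) call in the commit message.
inline bool is_valid(const std::string& cred, bool strict) {
  return validate(cred, strict) == Verdict::Ok;
}

// Offset of the first offending byte, or std::string::npos. Useful for the
// error shown to the user, which should name the position, not echo the secret.
inline std::string::size_type first_control_char(const std::string& cred) {
  for (std::string::size_type i = 0; i < cred.size(); ++i)
    if (is_control_char(static_cast<unsigned char>(cred[i])))
      return i;
  return std::string::npos;
}

}  // namespace example_creds
```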
* Added schedule_auth_pending_timeout()
* Removed the throw_on_error parameter to set_acl_index()
* Forward all PUSH_REQUEST messages to the management layer,
not just the first message.
* Added enum DisconnectType for labeling the disconnect type,
since there are now several different disconnect types
including halt/restart, relay transition, and auth pending.
Signed-off-by: James Yonan <james@openvpn.net>
AUTH_PENDING is a control channel message sent from server
to client before PUSH_REPLY or AUTH_FAILED and is intended
to signal the client that a browser-based out-of-band
authentication challenge (such as SAML) needs to occur
before the connection request can succeed or fail.
When the core receives the AUTH_PENDING message, it will
enter the AUTH_PENDING state and forward the message
to the client UI as an event.
The core will also dial back the PUSH_REQUEST transmit
frequency to one message every 8 seconds, and the server is
expected to reply with an AUTH_PENDING message after every
PUSH_REQUEST. This is done as a sort of keepalive
replacement since the normal OpenVPN protocol keepalive
functionality isn't enabled until the crypto state is
established, which doesn't happen until the PUSH_REPLY
message is received from the server.
During the AUTH_PENDING state, the server will likely want to
push INFO messages to the client UI (such as INFO,OPEN_URL:)
to facilitate the out-of-band authentication challenge.
Normally, the client core buffers early INFO messages
and doesn't release them to the UI until 1 second after
the CONNECTED event. This is done because it was
presumed that the server wouldn't want the client to
act on the INFO messages until the tunnel is established.
But the AUTH_PENDING state creates a need for an unbuffered
INFO message, since the server may want to message the client
UI during the AUTH_PENDING state and have that message
be immediately processed.
I've solved this problem by introducing a new control channel
message called "INFO_PRE". INFO_PRE is handled exactly the
same as INFO except it is never buffered. Also, note that
INFO_PRE messages are delivered to the client UI as
ordinary INFO events (I didn't actually create a new client
event for INFO_PRE since I can't think of a reason why the
client UI would need to distinguish between them).
Signed-off-by: James Yonan <james@openvpn.net>
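The client-side behaviour this message describes, modelled as an added example that is not OpenVPN 3's ClientProto: control messages arrive as "TYPE" or "TYPE,payload" strings, UI events are collected in a vector so their order can be checked, and time is a caller-supplied number of seconds. The 8 s PUSH_REQUEST interval in AUTH_PENDING and the 1 s INFO release delay after CONNECTED are taken from the message; the 1 s default PUSH_REQUEST interval, the class and event names, and the scripted exchange (including the sso.example URL) are assumptions.

```cpp
#include <cstddef>
#include <string>
#include <vector>

namespace example_auth_pending {

enum class State { Connecting, AuthPending, Connected };

struct UiEvent {
  std::string name;      // "AUTH_PENDING", "INFO", "CONNECTED", "AUTH_FAILED"
  std::string payload;   // e.g. "OPEN_URL:https://..."
};

class Core {
public:
  // PUSH_REQUEST retransmit interval in seconds (1 s default is assumed).
  static constexpr double kPushRequestInterval = 1.0;
  static constexpr double kAuthPendingPushRequestInterval = 8.0;
  // Early INFO messages are released to the UI 1 s after CONNECTED.
  static constexpr double kInfoReleaseDelay = 1.0;

  void on_control_message(const std::string& msg, double now) {
    const std::string::size_type comma = msg.find(',');
    const std::string type = msg.substr(0, comma);
    const std::string payload =
        comma == std::string::npos ? std::string() : msg.substr(comma + 1);

    if (type == "AUTH_PENDING") {
      state_ = State::AuthPending;          // PUSH_REQUEST slows to 8 s
      emit("AUTH_PENDING", payload);        // UI starts the out-of-band challenge
    } else if (type == "INFO_PRE") {
      emit("INFO", payload);                // never buffered, surfaced as INFO
    } else if (type == "INFO") {
      if (info_release_due(now))
        emit("INFO", payload);
      else
        early_info_.push_back(payload);     // held until 1 s after CONNECTED
    } else if (type == "PUSH_REPLY") {
      state_ = State::Connected;
      connected_ = true;
      release_at_ = now + kInfoReleaseDelay;
      emit("CONNECTED", payload);
    } else if (type == "AUTH_FAILED") {
      state_ = State::Connecting;
      emit("AUTH_FAILED", payload);
    }
    tick(now);
  }

  // Called from the event-loop timer; flushes buffered INFO once it is due.
  void tick(double now) {
    if (!info_release_due(now))
      return;
    for (const std::string& p : early_info_)
      emit("INFO", p);
    early_info_.clear();
  }

  double push_request_interval() const {
    return state_ == State::AuthPending ? kAuthPendingPushRequestInterval
                                        : kPushRequestInterval;
  }
  State state() const { return state_; }
  const std::vector<UiEvent>& events() const { return events_; }
  std::size_t buffered_info_count() const { return early_info_.size(); }

private:
  bool info_release_due(double now) const { return connected_ && now >= release_at_; }
  void emit(const std::string& name, const std::string& payload) {
    events_.push_back(UiEvent{name, payload});
  }

  State state_ = State::Connecting;
  bool connected_ = false;
  double release_at_ = 0.0;
  std::vector<std::string> early_info_;
  std::vector<UiEvent> events_;
};

// Constructed SAML-style exchange: the server answers the first PUSH_REQUEST
// with AUTH_PENDING, tells the UI which URL to open via INFO_PRE right away,
// sends an ordinary INFO that has to wait, then completes with PUSH_REPLY.
inline Core run_auth_pending_scenario() {
  Core core;
  core.on_control_message("AUTH_PENDING", 0.0);
  core.on_control_message("INFO_PRE,OPEN_URL:https://sso.example/login", 0.5);
  core.on_control_message("INFO,welcome to the corporate VPN", 1.0);
  core.on_control_message("PUSH_REPLY,ifconfig 10.8.0.2 255.255.255.0", 40.0);
  core.tick(40.5);   // too early: CONNECTED + 1 s has not elapsed
  core.tick(41.0);   // buffered INFO is released now
  return core;
}

}  // namespace example_auth_pending
```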
Abort the connection if the server pushes unsupported compression.
Degrade compression to asym (server->client) if the server pushes compression
which is supported but disabled.
This fixes a problem with a non-working tunnel: the server pushes compression,
the client has compression disabled and instantiates a stub. As a result,
the server uses compression and the client uses a stub.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
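The negotiation outcome and the failure it fixes, as an added example that is not OpenVPN 3's compression code. A toy run-length coder behind a one-byte framing header stands in for LZ4/LZO, and the Algo, Mode and ClientConfig names are assumptions. resolve() is the post-fix decision; tunnel_works() shows why the pre-fix stub was a dead tunnel: the server compresses every packet and a stub can only pass through uncompressed frames, so nothing the server sends is ever delivered.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

namespace example_comp {

enum class Algo { None, Lzo, Lz4 };
// Stub: framing only, cannot decompress (the pre-fix client behaviour).
// Asym: decompress server->client, never compress client->server.
enum class Mode { None, Stub, Asym, Full, Abort };

struct ClientConfig {
  bool compression_enabled;      // profile/user setting
  std::vector<Algo> supported;   // algorithms compiled into the client
};

// Post-fix decision: what the client does with a pushed compression option.
inline Mode resolve(Algo pushed, const ClientConfig& cfg) {
  if (pushed == Algo::None)
    return Mode::None;
  bool supported = false;
  for (Algo a : cfg.supported)
    if (a == pushed) supported = true;
  if (!supported)
    return Mode::Abort;                                      // unsupported: abort
  return cfg.compression_enabled ? Mode::Full : Mode::Asym;  // disabled: receive-only
}

// Toy run-length coding: (count, byte) pairs, runs capped at 255.
inline std::string rle_encode(const std::string& in) {
  std::string out;
  for (std::size_t i = 0; i < in.size();) {
    std::size_t run = 1;
    while (i + run < in.size() && in[i + run] == in[i] && run < 255) ++run;
    out.push_back(static_cast<char>(run));
    out.push_back(in[i]);
    i += run;
  }
  return out;
}

inline std::string rle_decode(const std::string& in) {
  if (in.size() % 2 != 0)
    throw std::runtime_error("truncated RLE frame");
  std::string out;
  for (std::size_t i = 0; i < in.size(); i += 2)
    out.append(static_cast<unsigned char>(in[i]), in[i + 1]);
  return out;
}

// One-byte framing header, as a real compression layer would prepend.
constexpr char kNoCompress = 0x00;
constexpr char kCompressed = 0x01;

// Server send path once compression has been pushed: always compresses.
inline std::string server_frame(const std::string& payload) {
  return std::string(1, kCompressed) + rle_encode(payload);
}

// Client receive path under each mode. Throws when the frame cannot be
// handled, which on the wire means a dropped packet.
inline std::string client_receive(Mode mode, const std::string& frame) {
  if (frame.empty())
    throw std::runtime_error("empty frame");
  const std::string body = frame.substr(1);
  if (frame[0] == kNoCompress)
    return body;
  if (frame[0] != kCompressed)
    throw std::runtime_error("unknown compression op");
  switch (mode) {
    case Mode::Asym:
    case Mode::Full:
      return rle_decode(body);                              // decompressor available
    case Mode::Stub:
      throw std::runtime_error("stub cannot decompress");   // every packet lost
    default:
      throw std::runtime_error("compression not negotiated");
  }
}

// Client send path: only Full compresses; Asym and Stub send plain frames.
inline std::string client_frame(Mode mode, const std::string& payload) {
  if (mode == Mode::Full)
    return std::string(1, kCompressed) + rle_encode(payload);
  return std::string(1, kNoCompress) + payload;
}

// Does a server->client packet survive under this client mode?
inline bool tunnel_works(Mode mode, const std::string& payload) {
  try {
    return client_receive(mode, server_frame(payload)) == payload;
  } catch (const std::runtime_error&) {
    return false;
  }
}

}  // namespace example_comp
```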
When compiled with -DOPENVPN_TLS_LINK, the core will
ship support for the TLS Transport component.
However, note that its implementation must be provided
externally.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
This class is an "interface" for TCP Links. It can be used by Transport
layers instead of the actual concrete Link class.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
To allow other types of TCP Link to be implemented,
factor out code that can be re-used by other implementations
and move it to the LinkCommon class.
TCPTransport::Link now inherits from LinkCommon.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Introduce profile flag "allow-name-constraints".
mbedTLS doesn't support the x509v3 'Name Constraints'
extension. To allow the client to connect, make mbedTLS
not fail on this extension and issue a warning to the UI.
This depends on "Enable allowing unsupported critical extensions in runtime"
patch to mbedTLS.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Also, don't fail (client-side) a username containing spaces
since the server side will already accept this.
Signed-off-by: James Yonan <james@openvpn.net>
To maintain compatibility with openvpn2, we need to send initial options
on rekeying instead of possible NCP-caused modifications.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Preserve tun and routes across reconnects. Store the tun descriptor in a
TunPersist object, which is a member of TunClientFactory. Handle
add/remove commands inside the TunBuilderSetup::Base instance, which is
owned by TunPersist.
The tunnel is recreated if the new tunnel options are different from the previous
ones.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Found some cases where raw pointers embedded in closures and
passed via asio async methods could potentially leak if the
io_context is destroyed before the run() method is called.
With C++14 and higher supporting generalized lambda capture,
we can now wrap these pointers in a std::unique_ptr for
minimal cost.
Signed-off-by: James Yonan <james@openvpn.net>
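The ownership problem and the generalized-capture fix described above, as an added example that is not OpenVPN 3's or asio's code. MiniIoContext stands in for an io_context that queues handlers and only executes them in run(); Handler is a small move-only type-erased callable, needed because std::function cannot hold a closure that owns a std::unique_ptr (asio itself accepts move-only handlers). Session is an instrumented resource so the two variants can be compared by counting live objects. All names are assumptions.

```cpp
#include <memory>
#include <type_traits>
#include <utility>
#include <vector>

namespace example_capture {

// Instrumented resource: counts live instances.
struct Session {
  static int live;
  Session()  { ++live; }
  ~Session() { --live; }
  int bytes_handled = 0;
};
int Session::live = 0;

// Minimal move-only type-erased callable (std::function requires copyability).
class Handler {
public:
  template <class F,
            class = std::enable_if_t<!std::is_same<std::decay_t<F>, Handler>::value>>
  Handler(F f) : impl_(new Model<F>(std::move(f))) {}
  Handler(Handler&&) = default;
  Handler& operator=(Handler&&) = default;
  void operator()() { impl_->call(); }
private:
  struct Concept {
    virtual ~Concept() = default;
    virtual void call() = 0;
  };
  template <class F>
  struct Model : Concept {
    explicit Model(F f) : f_(std::move(f)) {}
    void call() override { f_(); }
    F f_;
  };
  std::unique_ptr<Concept> impl_;
};

// Stand-in for an io_context: post() queues, run() executes. If run() is never
// called, the queue dies with the context along with whatever the closures own.
class MiniIoContext {
public:
  void post(Handler h) { queue_.push_back(std::move(h)); }
  void run() {
    std::vector<Handler> batch;
    batch.swap(queue_);
    for (Handler& h : batch) h();
  }
private:
  std::vector<Handler> queue_;
};

// Pre-C++14 pattern: capture a raw pointer, delete it when the handler runs.
// If the context dies before run(), nobody deletes the Session. The pointer is
// returned only so this example can release the orphan after measuring.
inline Session* post_raw(MiniIoContext& io) {
  Session* s = new Session();
  io.post([s]() {
    ++s->bytes_handled;
    delete s;
  });
  return s;
}

// C++14 generalized lambda capture: ownership moves into the closure, so the
// Session dies when the handler runs or when the closure itself is destroyed.
inline void post_owned(MiniIoContext& io) {
  auto s = std::make_unique<Session>();
  io.post([s = std::move(s)]() {
    ++s->bytes_handled;
  });
}

// Context destroyed before run(): returns how many Sessions outlived it.
inline int sessions_leaked_without_run(bool use_unique_ptr) {
  const int before = Session::live;
  Session* orphan = nullptr;
  {
    MiniIoContext io;
    if (use_unique_ptr) post_owned(io); else orphan = post_raw(io);
  }   // queue and closures destroyed here; run() never called
  const int leaked = Session::live - before;
  if (leaked > 0) delete orphan;   // housekeeping for the example only
  return leaked;
}

// Normal path: run() executes the handler; both variants clean up.
inline int sessions_alive_after_run(bool use_unique_ptr) {
  const int before = Session::live;
  MiniIoContext io;
  if (use_unique_ptr) post_owned(io); else post_raw(io);
  io.run();
  return Session::live - before;
}

}  // namespace example_capture
```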
* Put all methods in the LZ4 namespace.
* Throw errors instead of returning null BufferPtr().
* For decompress(), make sure that max_decompressed_size
doesn't exceed LZ4_MAX_INPUT_SIZE.
This commit only affects the standalone LZ4 helper functions,
not the LZ4 module that is part of the OpenVPN protocol.
Signed-off-by: James Yonan <james@openvpn.net>