Modify build script of lz4/mbedtls to allow src only builds of dependencies
Approved-by: Lev Stipakov <lev@openvpn.net>
Approved-by: James Yonan <james@openvpn.net>
OVPN3-229 compression
Approved-by: Arne Schwabe <arne@openvpn.net>
Approved-by: Antonio Quartulli <antonio@openvpn.net>
Approved-by: James Yonan <james@openvpn.net>
Approved-by: Lev Stipakov <lev@openvpn.net>
Platforms like UWP and iOS may call core methods
from another threads. Since core is not thread-safe,
we provide OPENVPN_ASYNC_HANDLER macro which instantiates
lock guard. It follows RAII principle and locks global
mutex in constructor and unlocks in destructor. This
guarantees that code in block protected with this macro
won't be called simultaneously from different threads.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Implement domain autocompletion by adding ADAPTER_DOMAIN_SUFFIX value
to SearchDomains (see https://support.apple.com/en-ca/HT200303).
Note that autocompletion won't work in case of split-DNS, when macOS
uses network adapter's domain suffix instead of one provided by VPN.
Exclude split-DNS domains from autocompletion list.
Do not add "dhcp-option DOMAIN" values to SearchDomains
when redirecting DNS to not to use them for autocompletion.
This fixes OC-70 and OC-72.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
do not add DOMAIN values to search domains when redirect DNS
The OMI model (OpenVPN management interface) can't deal
with control characters in credentials, so we add a strict
flag to ValidateCreds::is_valid() that when true will
validate according to OMI requirements.
Also increased max length for credentials under strict=true
to 512 for OMI.
Signed-off-by: James Yonan <james@openvpn.net>
* Added schedule_auth_pending_timeout()
* Removed the throw_on_error parameter to set_acl_index()
* Forward all PUSH_REQUEST messages to the management layer,
not just the first message.
* Added enum DisconnectType for labeling the disconnect type,
since there are now several different disconnect types
including halt/restart, relay transition, and auth pending.
Signed-off-by: James Yonan <james@openvpn.net>
AUTH_PENDING is a control channel message sent from server
to client before PUSH_REPLY or AUTH_FAILED and is intended
to signal the client that a browser-based out-of-band
authentication challenge (such as SAML) needs to occur
before the connection request can succeed or fail.
When the core receives the AUTH_PENDING message, it will
enter the AUTH_PENDING state and forward the message
to the client UI as an event.
The core will also dial back the PUSH_REQUEST transmit
frequency to one message every 8 seconds, and the server is
expected to reply with an AUTH_PENDING message after every
PUSH_REQUEST. This is done as a sort of keepalive
replacement since the normal OpenVPN protocol keepalive
functionality isn't enabled until the crypto state is
established, which doesn't happen until the PUSH_REPLY
message is received from the server.
During the AUTH_PENDING state, the server will likely want to
push INFO messages to the client UI (such as INFO,OPEN_URL:)
to facilitate the out-of-band authentication challenge.
Normally, the client core buffers early INFO messages
and doesn't release them to the UI until 1 second after
the CONNECTED event. This is done because it was
presumed that the server wouldn't want the client to
act on the INFO messages until the tunnel is established.
But the AUTH_PENDING state creates a need for an unbuffered
INFO message, since the server may want to message the client
UI during the AUTH_PENDING state and have that message
be immediately processed.
I've solved this problem by introducing a new control channel
message called "INFO_PRE". INFO_PRE is handled exactly the
same as INFO except it is never buffered. Also, note that
INFO_PRE messages are delivered to the client UI as
ordinary INFO events (I didn't actually create a new client
event for INFO_PRE since I can't think of a reason why the
client UI would need to distinguish between them).
Signed-off-by: James Yonan <james@openvpn.net>
Abort connection if server pushes unsupported compression.
Degrade compression to asym (server->client) if server pushes compression
which is supported but disabled.
This fixes problem with non-working tunnel - server pushes compression,
client has compression disabled and instantiates stub. As a result,
server uses compression and client uses stub.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
When compiled with -DOPENVPN_TLS_LINK, the core will
ship support for the TLS Transport component.
However, note that its implementation must be provided
externally.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
This class is an "interface" for TCP Links. It can be used by Transport
layers instead of the actual concrete Link class.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
To allow other types of TCP Link to be implemented,
factor out code that can be re-used by other implementations
and move it to the LinkCommon class.
TCPTransport::Link now inherits from LinkCommon.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
When 'git apply' is run inside repository folder, it ignores files
missing in index. To make it work, run 'git apply' outside of repository.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Introduce profile flag "allow-name-constraints".
mbedTLS doesn't support x509v3 'Name Constrains'
extension. To allow client to connect, make mbedTLS
not to fail on this extension and drop a warning to UI.
This depends on "Enable allowing unsupported critical extensions in runtime"
patch to mbedTLS.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
