As a first step towards DNS configuration in openvpn and a unified way
to push DNS related settings to clients in v2 and v3, this commit adds
support for parsing the new --dns option. Later commits will add support
for setting up DNS on different platforms.
For now, --dns and DNS related --dhcp-option can be used together for a
smoother transition. Settings from --dns will override ones from --dhcp-option
where applicable.
Signed-off-by: Heiko Hund <heiko@openvpn.net>

- Test for CAP_NET_ADMIN instead of root.
This correctly skips the test if you're root but have
dropped capabilities, e.g. inside docker.
- Fix TestSetMTU to correctly ignore any additional lines
in the output.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>

The old API is deprecated in OpenSSL 3.0 and the new API does not yet
exist in OpenSSL 1.1. Emulating the new API or using one class with
ifdefs would be more complex than just having two implementations. So
this adds a new implementation for OpenSSL 3.0.
Signed-off-by: Arne Schwabe <arne@openvpn.net>

This might not be the final fix. Note the extensive code comment
inside the cmake file if(). The comment suggests a potentially better
fix, but it's unlikely.
Signed-off-by: Mark Deric <jmark@openvpn.net>

Removed declared_size_defined in favor of just setting
declared_size to a special value (SIZE_UNDEF) when it's
undefined.
Signed-off-by: James Yonan <james@openvpn.net>

This option lets you specify the SHA256 fingerprint of a peer's self-signed
certificate. The peer's certificate, presented during connection bring-up,
is compared to the fingerprint. The connection fails if it doesn't
match.
So, this serves as an easy, yet secure, alternative to setting up a PKI,
but can also be used in conjunction with one to add one more check during
leaf certificate validation.
The option can also be given as an inline block, for easier management of
multiple fingerprints:
<peer-fingerprint>
00:11:22:33:...:BB:CC:DD:FF
BB:CC:DD:FF:...:00:11:22:33
</peer-fingerprint>
Signed-off-by: Heiko Hund <heiko@openvpn.net>

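An added illustration of the check this option performs (example code written for this page, not OpenVPN's own implementation): fingerprints are read from an inline peer-fingerprint block, the SHA256 fingerprint of the presented certificate's DER encoding is computed, and the two are compared. The certificate bytes and the config fragment below are constructed placeholders, not a real certificate or configuration.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a peer certificate's DER bytes (not a real X.509
# certificate): the fingerprint is SHA256 over the DER encoding, so any byte
# string exercises the same logic.
SAMPLE_PEER_DER = b"\x30\x82\x01\x0a" + bytes(range(256))

# Constructed OpenVPN config fragment with an inline <peer-fingerprint> block
# (placeholder fingerprints that belong to no real certificate).
SAMPLE_CONFIG = """\
client
dev tun
<peer-fingerprint>
00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00
</peer-fingerprint>
"""

_HEX_RE = re.compile(r"^[0-9a-f]{64}$")

def normalize_fingerprint(text):
    """Strip colons and whitespace, lower-case, and reject anything that is not 32 bytes of hex."""
    digest = text.strip().replace(":", "").lower()
    if not _HEX_RE.match(digest):
        raise ValueError("malformed SHA256 fingerprint: %r" % text)
    return digest

def parse_peer_fingerprints(config_text):
    """Collect every fingerprint from all <peer-fingerprint> ... </peer-fingerprint> blocks."""
    fps = []
    for block in re.findall(r"<peer-fingerprint>(.*?)</peer-fingerprint>", config_text, re.S):
        for line in block.splitlines():
            if line.strip():
                fps.append(normalize_fingerprint(line))
    return fps

def cert_fingerprint_sha256(der_bytes):
    """SHA256 fingerprint of a certificate's DER encoding in the colon-separated display form."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def peer_fingerprint_matches(der_bytes, allowed):
    """True iff the presented certificate's fingerprint is in the configured list.
    Each entry is compared in constant time and the loop never exits early."""
    presented = normalize_fingerprint(cert_fingerprint_sha256(der_bytes))
    matched = False
    for fp in allowed:
        matched |= hmac.compare_digest(presented, fp)
    return matched
```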
The CMakeLists.txt settings from the project root directory are
inherited by the defined subdirectories automatically.
Also switch to a simpler way of setting the CMAKE_MODULE_PATH.
According to the CMake documentation, this variable is empty by
default [1] and should not need to pull in existing settings.
Finally remove the comment regarding CMake's use case, as we are
moving towards full CMake support for OpenVPN 3.
Signed-off-by: David Sommerseth <davids@openvpn.net>

Add the option from openvpn2. If given, prepend hostnames
from remote options with six random hex bytes before
DNS resolution takes place, e.g.
host.domain -> e3b17bf7cd57.host.domain
Signed-off-by: Heiko Hund <heiko@openvpn.net>

Use ::CreateIpForwardEntry2() to add a route instead of an
expensive netsh call. Make it the default choice.
Add a unit test.
Signed-off-by: Lev Stipakov <lev@openvpn.net>

Commit 941104cf4 refactored the way how test files are added, but
broke (disabled) execution of sitnl and cputime tests. Fix that.
Signed-off-by: Lev Stipakov <lev@openvpn.net>

These functions are found in openvpn/mbedtls/pki/x509certinfo.hpp.
This change also adds support to build coreUnitTests against mbed TLS
instead of OpenSSL (default) by providing -DUSE_MBEDTLS=true to cmake.
Signed-off-by: David Sommerseth <davids@openvpn.net>

This adds some basic unit tests for the various functions retrieving
information from an X.509 certificate.
Signed-off-by: David Sommerseth <davids@openvpn.net>

This new VerifyX509Name class handles both extracting and parsing the
appropriate --verify-x509-name option and is able to verify whether a given
subject or hostname matches the expectation.
Signed-off-by: David Sommerseth <davids@openvpn.net>

This test attempts to assure that the measurements we get from
openvpn::cpu_time() are within a reasonable range of what we should
normally expect.
This is achieved by using a simple worker thread which ensures the
process is not "idling" (like it would with sleep()) but in a real busy
loop which takes some time. Then we measure the time spent in the busy
loop, both using a simplistic time() and comparing that with what
cpu_time() returns.
This unit test also supports measuring multiple running threads
individually.
Signed-off-by: David Sommerseth <davids@openvpn.net>