When server responds with AUTH_FAILED/dynamic challenge,
openvpn stores dc cookie and prompts omi client for response. After receiving
response, openvpn sends it to server along with dc cookie.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
OpenSSL 1.1+ by default only allows signatures and key exchange from the
default list of X25519:secp256r1:X448:secp521r1:secp384r1. Since in
TLS1.3 key exchange is independent from the signature/key of the
certificates, allowing all groups per default is not a sensible choice
anymore and the shorter lister is reasonable.
However, when using certificates with exotic curves the signatures of
this certificates will no longer be accepted. This option allows to
modify the list for these corner cases.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The recent commit "IP address/route classes: cleanup title
usage with template approach" left in the old code and
allowed it to be re-enabled by defining
OPENVPN_LEGACY_TITLE_ABSTRACTION. This commit removes
OPENVPN_LEGACY_TITLE_ABSTRACTION and makes the new
code permanent.
Signed-off-by: James Yonan <james@openvpn.net>
The asio patch adds a virtual method to basic_socket. This triggers
compiler warnings about a non-virtual destructor. Fix this by also
making the destructor virtual.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The concept of "title" in IP address/route parsing is that
when parse errors occur, we want a human-readable string
that can be included in the error message that gives the
context for the error.
For example if a bad IP address is specified in JSON data,
we might want the name of the dictionary in the JSON to be
given as title, so it can be a part of the error message.
Previously we did this by implementing multiple
constructors that accepted title as a std::string, const
char *, or allowed the title to be omitted.
The new model is to templatize title, so that title can
be anything: a std::string, const char *, nullptr,
or a custom class (such as IndexedTitle) that supports
to_string() and empty() methods.
Having a custom class for title is useful for performance
because then you can use lazy evaluation techniques that
don't have to expensively pre-format a std::string for
every possible instance of title on the off-chance that
you might throw an error. The formatting only occurs when
the to_string() method is called, after an error has already
been confirmed.
Note: since this code has a lot of users, some of which
I haven't considered (such as Swig), I'm leaving an out
where you can revert back to the previous code by
defining OPENVPN_LEGACY_TITLE_ABSTRACTION.
Signed-off-by: James Yonan <james@openvpn.net>
Previously we would convert to a std::string, then call the
empty() method on the string object. Just calling the
empty() method by itself seems smarter since all of the
objects that currently match against this method signature
have an empty() method.
Signed-off-by: James Yonan <james@openvpn.net>
The new message will look like this:
SSL Handshake: peer certificate: CN=OpenVPN Server, 4096 bit RSA, cipher: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
compared to the old message
SSL Handshake: CN=OpenVPN Access Server, TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 3072 bit RSA
The new message uses the SSL_CIPHER_description method and its
formatting instead out homegrown format. It also moves the xxx bit RSA
part closer to the certificate to make it more obvious that those belong
together
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Previous attempt to fix the issue resulted in most TapNameGuidPair
structs in the list having no name. Last parameter passed to
RegQueryValueExW has to represent the amount of bytes available at wbuf.
Doing otherwise will either cause SEGFAULT or return ERROR_MORE_DATA.
Signed-off-by: Dmitriy Dudnik <dmytro.dudnik@openvpn.net>
In HTTP 1.1 specification reason phrase in HTTP Status becomes optional.
For example, Tomcat 9 doesn't provide it.
See details: https://bz.apache.org/bugzilla/show_bug.cgi?id=60183
We need to make changes in our HTTP response parser accordingly.
Signed-off-by: Yuriy Barnovych yuriy@openvpn.net
Adds a patch formed from ovpn-asio repository:
- branch 1-14-ovpn
- commit df7759c141a31159d0ca4267b63f64dfd2a385b1
The patch adds kovpn route_id support to endpoints for sendto/recvfrom.
Signed-off-by: Jani Väyrynen <jani.vayrynen@openvpn.net>
This is mostly used by Linux client, which supports
among other distros CentOS7, Ubuntu 16 and Ubuntu 18 -
all of them have different tinyxml2 versions.
Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
This is needed for the tls-cipehr/tls-ciphersuites to have an
initialised OpenSSL when using OpenSSL < 1.1.0
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This option has been very likely been to fix some incompatibilities
between some TLS libraries. But nobody really remember what it fixes
and its usage today is questionable. So remove the option instead
of supporting an option we cannot even test anymore.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
When OMI is stopped, we must cancel wait on
exit event, otherwise ASIO won't terminate event loop
and process won't exit.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
pkg_check_modules() sets PKG_CONFIG_PATH by
joining values of CMAKE_PREFIX_PATH list and then replacing
separator ";" with ":". However, replacing was broken for mingw and
was fixed very recently. As a workaroud, create CMAKE_PREFIX_PATH
with single value to avoid broken join.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
mingw produces incorrect result when converting
from utf8 to wchar_t using codecvt_utf8.
https://sourceforge.net/p/mingw-w64/bugs/538/
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Added a unit test to confirm the fix.
Other changes:
* In Base64 decode(), avoid the use of std::strlen() in favor
of std::string length() method since a std::string could
conceivably contain embedded null chars.
* In Base64 unit test, renamed b64_test_bad() to
b64_test_bad_decode() for clarity.
Signed-off-by: James Yonan <james@openvpn.net>
The Time code was originally designed to be efficient on 32-bit
processors. On 64-bit processors, define OPENVPN_TIME_NO_BASE
to optimize out the base_ variable. This also has the benefit
of allowing Time to represent any arbitrary time_t value.
Signed-off-by: James Yonan <james@openvpn.net>
The two prior changes broke OpenSSL 1.0.x support, due to the
SSL_R_CA_MD_TOO_WEAK and SSL_R_CA_KEY_TOO_SMALL error codes arrived
first in OpenSSL 1.1.0
Signed-off-by: David Sommerseth <davids@openvpn.net>
