Added LogSetup, an abstract base class with a virtual method
reopen() that accomplishes the log file reopen.
Added RunContext::set_log_reopen() method that accepts
a LogSetup object and calls its reopen() method on
SIGHUP.
daemonize() and log_setup() methods in daemon.hpp
now return a LogSetup object.
Signed-off-by: James Yonan <james@openvpn.net>
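As an added illustration of the mechanism this commit describes (not OpenVPN3 code, and the class and function names below are assumptions for the example), here is a minimal LogSetup-style object whose reopen() is driven by a SIGHUP flag, exercised against a logrotate-style rename:

```cpp
// Added example, not OpenVPN3 code: a LogSetup-like abstract base, a file
// logger implementing reopen(), and a SIGHUP handler that only sets a flag
// which the main loop later services (the reopen itself is not signal-safe).
#include <signal.h>
#include <csignal>
#include <cstdio>
#include <fstream>
#include <string>
#include <utility>

namespace logdemo {

// Role of LogSetup: something that knows how to reopen its log output.
class LogSetup {
public:
    virtual ~LogSetup() = default;
    virtual void reopen() = 0;
};

// Appends to `path`; reopen() closes and reopens the same path so that a
// file logrotate has renamed away stops receiving writes.
class FileLogSetup : public LogSetup {
public:
    explicit FileLogSetup(std::string path) : path_(std::move(path)) { open(); }
    void reopen() override { out_.close(); open(); }
    void write(const std::string& line) { out_ << line << '\n'; out_.flush(); }
private:
    void open() { out_.open(path_, std::ios::app); }
    std::string path_;
    std::ofstream out_;
};

// Async-signal-safe flag: the handler does nothing but set it.
static volatile std::sig_atomic_t g_reopen_requested = 0;
static void on_sighup(int) { g_reopen_requested = 1; }

// Install the SIGHUP handler; returns false if sigaction fails.
bool install_sighup_handler() {
    struct sigaction sa {};
    sa.sa_handler = on_sighup;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    return sigaction(SIGHUP, &sa, nullptr) == 0;
}

// Called from the event loop (the role of RunContext on SIGHUP): if a SIGHUP
// arrived, clear the flag and reopen.  Returns true when a reopen happened.
bool service_reopen(LogSetup& ls) {
    if (!g_reopen_requested) return false;
    g_reopen_requested = 0;
    ls.reopen();
    return true;
}

// Helper for checking the demonstration: number of lines in a file.
int count_lines(const std::string& path) {
    std::ifstream in(path);
    int n = 0;
    std::string s;
    while (std::getline(in, s)) ++n;
    return n;
}

// Simulated rotation: write, rename the file away (what logrotate does),
// write again (still lands in the renamed file, the fd is unchanged),
// SIGHUP, service the flag, write once more (lands in a fresh file).
// Returns {lines in the rotated file, lines in the new file}.
std::pair<int, int> rotate_demo(const std::string& base) {
    const std::string rotated = base + ".1";
    std::remove(base.c_str());
    std::remove(rotated.c_str());
    FileLogSetup log(base);
    log.write("before rotation");
    std::rename(base.c_str(), rotated.c_str());
    log.write("still written to the renamed file");
    install_sighup_handler();
    std::raise(SIGHUP);            // what "kill -HUP <pid>" would deliver
    service_reopen(log);
    log.write("after reopen");
    return {count_lines(rotated), count_lines(base)};
}

} // namespace logdemo
```

The point of the flag is that reopen() touches stdio/iostream state, which must not happen inside a signal handler; the handler records the request and the run loop performs the reopen at a safe point.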
For example, the following client directive will push the SNI name
"test@example.com" to the server:
sni "test@example.com"
Signed-off-by: James Yonan <james@openvpn.net>
Starting from 0.3, Wintun expects the client to pass
the same buffer for every read (and also write) call
with the same length, which at the first call is mapped
to kernel memory.
For read, we have to disable triggering reads in parallel, since
each read uses its own buffer.
For write, we perform "registration": do the first call
with a max-length buffer filled with zeroes. The kernel will map the buffer
and return an error while attempting to read packets; this is expected.
Due to core buffer manipulations, the buffer address passed to the write call
varies, so we have to have a dedicated write buffer and perform a copy
on every write.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
In case of error along the TCP RX path it is better to grab the error
coming with the exception and report it back up.
For this reason, catch ExceptionCode objects rather than std::exception
as the former carries the error code together with the text message.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
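An added example (not OpenVPN3 code; the exception class, the error code value and the RX step below are stand-ins assumed for the illustration) showing why the catch clause matters: catching only std::exception keeps the message but loses the code, while catching the coded exception first propagates both.

```cpp
// Added example, not OpenVPN3 code.  A coded exception type standing in for
// ExceptionCode, and two handlers that differ only in what they catch.
#include <exception>
#include <string>
#include <utility>

namespace rxdemo {

// Exception carrying an error code together with its text.
class ExceptionCode : public std::exception {
public:
    ExceptionCode(int code, std::string msg) : code_(code), msg_(std::move(msg)) {}
    int code() const noexcept { return code_; }
    const char* what() const noexcept override { return msg_.c_str(); }
private:
    int code_;
    std::string msg_;
};

constexpr int ERR_TCP_RX_FRAMING = 42;   // assumed numeric code for the demo

// Simulated step on the TCP RX path that fails with a coded exception.
void tcp_rx_step(bool fail) {
    if (fail) throw ExceptionCode(ERR_TCP_RX_FRAMING, "bad frame length");
}

struct Report { int code; std::string text; };

// Catches only std::exception: the text survives, the code is gone (-1).
Report handle_generic(bool fail) {
    try { tcp_rx_step(fail); return {0, "ok"}; }
    catch (const std::exception& e) { return {-1, e.what()}; }
}

// Catches ExceptionCode before std::exception, so the code propagates; the
// base-class handler stays as a fallback for anything else on the path.
// The derived clause must come first: a std::exception clause listed first
// would swallow every ExceptionCode as well.
Report handle_coded(bool fail) {
    try { tcp_rx_step(fail); return {0, "ok"}; }
    catch (const ExceptionCode& e) { return {e.code(), e.what()}; }
    catch (const std::exception& e) { return {-1, e.what()}; }
}

} // namespace rxdemo
```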
The SSL factory holds the config used by the link implementation during
various SSL operations.
For this reason we have to make sure the Factory is not destroyed
(and thus the config) while the TLS link is alive.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Error::TUN_HALT, when passed up via tun_error(), now
sends an Explicit Exit Notify message before disconnect.
Signed-off-by: James Yonan <james@openvpn.net>
Previously, the Error::INACTIVE_TIMEOUT handler in cliconnect.hpp
called graceful_stop() to ensure that the Explicit Exit Notify
message is sent to the server prior to disconnect.
But actually, the Explicit Exit Notify message is sent earlier
by the inactive_callback() method in cliproto.hpp, and the
graceful_stop() call in the Error::INACTIVE_TIMEOUT handler
is redundant and unnecessary.
So this patch changes the graceful_stop() call to stop().
Signed-off-by: James Yonan <james@openvpn.net>
If SEND_CLIENT_CA_LIST is enabled, we will call SSL_CTX_add_client_CA
for each CA specified in the config. This will direct OpenSSL to
transmit a list of client CA names to the client so it can choose
an appropriate client certificate.
Signed-off-by: James Yonan <james@openvpn.net>
auth_cert() can now be const because OpenSSL rebuild_authcert()
is never called unless authcert has already been allocated,
making
authcert.reset(new AuthCert());
redundant. Once the above statement is removed,
rebuild_authcert() becomes const.
Signed-off-by: James Yonan <james@openvpn.net>
Allow per-SNI JSON configurations to include more settings
such as:
* ca
* cert
* extra_certs
* key
* ns_cert_type
* remote_cert_tls
* tls_cert_profile
* tls_version_min
Signed-off-by: James Yonan <james@openvpn.net>
* Added C++11 features such as move constructor and move
assignment method.
* Since these classes are already object wrappers, it's
redundant to manage them via RC.
* Use the "::" prefix to denote OpenSSL symbols from the
top-level namespace.
Signed-off-by: James Yonan <james@openvpn.net>
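An added example (not OpenVPN3 code) of the move-only object-wrapper shape this commit describes: a handle type and free function stand in for an OpenSSL object such as ::X509 and ::X509_free, with instrumentation so the test can confirm that ownership transfers on move, nothing leaks, and nothing is freed twice.

```cpp
// Added example, not OpenVPN3 code.  Handle/handle_new/handle_free are
// stand-ins for an OpenSSL object and its *_new / *_free functions; the
// counters exist only so the behaviour can be checked.
#include <map>
#include <utility>

namespace wrapdemo {

struct Handle { int id; };
static int g_live_handles = 0;
static std::map<int, int> g_frees;   // id -> number of times freed

Handle* handle_new(int id) { ++g_live_handles; return new Handle{id}; }

// Like the OpenSSL free functions, freeing a null pointer is a no-op.
void handle_free(Handle* h) {
    if (!h) return;
    ++g_frees[h->id];
    --g_live_handles;
    delete h;
}

bool no_double_free() {
    for (const auto& kv : g_frees) if (kv.second > 1) return false;
    return true;
}

// Move-only RAII wrapper: copy is deleted, ownership transfers on move, and
// the moved-from object is left null so its destructor frees nothing.
class HandleWrap {
public:
    HandleWrap() = default;
    explicit HandleWrap(Handle* h) : h_(h) {}
    HandleWrap(const HandleWrap&) = delete;
    HandleWrap& operator=(const HandleWrap&) = delete;
    HandleWrap(HandleWrap&& o) noexcept : h_(o.h_) { o.h_ = nullptr; }
    HandleWrap& operator=(HandleWrap&& o) noexcept {
        if (this != &o) {
            handle_free(h_);      // release what we held before taking over
            h_ = o.h_;
            o.h_ = nullptr;
        }
        return *this;
    }
    ~HandleWrap() { handle_free(h_); }
    bool defined() const { return h_ != nullptr; }
    Handle* get() const { return h_; }
private:
    Handle* h_ = nullptr;
};

// Construct, move-construct, move-assign, then let everything go out of
// scope.  Returns true when no handle leaks and none is freed twice.
bool move_semantics_ok() {
    g_live_handles = 0;
    g_frees.clear();
    {
        HandleWrap a(handle_new(1));
        HandleWrap b(std::move(a));              // a is now empty
        if (a.defined() || !b.defined()) return false;
        HandleWrap c(handle_new(2));
        c = std::move(b);                        // frees handle 2, takes handle 1
        if (b.defined() || c.get()->id != 1) return false;
        if (g_live_handles != 1) return false;
    }
    return g_live_handles == 0 && no_double_free();
}

} // namespace wrapdemo
```

Because the wrapper already owns exactly one object and is moved rather than shared, wrapping it again in a reference-counted pointer would only add a second ownership layer with nothing to count, which is the redundancy the commit removes.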
* Make error code priority more rational, where the composite
error code of the whole object (i.e. the get_code() return
value) is the most severe error of any added failure.
* For clarity, rename OTHER to CERT_FAIL.
Signed-off-by: James Yonan <james@openvpn.net>
Attempting to build a standalone program that includes
openvpn/openssl/pki/pkey.hpp will fail because it depends
on the PKType enum in openvpn/ssl/sslapi.hpp which
is not explicitly included by pkey.hpp.
Rather than having pkey.hpp include sslapi.hpp (which
seems like a dependency inversion), put PKType into
its own header file.
Signed-off-by: James Yonan <james@openvpn.net>
On the server side, we add the abstract base class
SNIHandlerBase to provide a hook (sni_hello) where
servers can inspect the SNI name given in the client
hello message and possibly return a different SSLFactoryAPI.
In other changes, we rename the ENABLE_SNI flag to
ENABLE_CLIENT_SNI to be clear that this flag only affects
the client-side SNI implementation.
We also add the NO_VERIFY_HOSTNAME flag on the client side
to allow the SNI name to be transmitted to the server
without requiring a match between the SNI name and the
common name or subject alternative name in the server
certificate.
Signed-off-by: James Yonan <james@openvpn.net>
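An added example (not OpenVPN3 code) covering two of the commits above together: the server-side sni_hello hook returning a per-name factory, and the requirement that the factory (and its config) outlive the TLS link. std::shared_ptr stands in for the project's reference-counted pointer, and the class names, config fields and hostnames below are assumptions for the illustration.

```cpp
// Added example, not OpenVPN3 code.  A table-driven SNI handler selects a
// factory per ClientHello name; the link holds its own reference so the
// config survives even after the server drops every other reference.
#include <cctype>
#include <map>
#include <memory>
#include <string>
#include <utility>

namespace snidemo {

struct SSLConfig { std::string cert_name; std::string tls_version_min; };

// Stand-in for the SSL factory: owns the config the link reads while alive.
class SSLFactory {
public:
    explicit SSLFactory(SSLConfig c) : cfg_(std::move(c)) {}
    const SSLConfig& config() const { return cfg_; }
private:
    SSLConfig cfg_;
};
using FactoryPtr = std::shared_ptr<SSLFactory>;

// Hook in the spirit of SNIHandlerBase::sni_hello: given the SNI name from
// the ClientHello, return the factory to use, or nullptr to keep the default.
class SNIHandlerBase {
public:
    virtual ~SNIHandlerBase() = default;
    virtual FactoryPtr sni_hello(const std::string& sni_name) = 0;
};

// Lookup table keyed on the lower-cased name (hostnames compare
// case-insensitively; a design choice for this example).
class MapSNIHandler : public SNIHandlerBase {
public:
    void add(std::string name, FactoryPtr f) { table_[lower(std::move(name))] = std::move(f); }
    FactoryPtr sni_hello(const std::string& sni_name) override {
        auto it = table_.find(lower(sni_name));
        return it == table_.end() ? nullptr : it->second;
    }
private:
    static std::string lower(std::string s) {
        for (auto& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
        return s;
    }
    std::map<std::string, FactoryPtr> table_;
};

// The TLS link keeps its own reference to the factory for its whole
// lifetime, so the config cannot be destroyed underneath it.
class TLSLink {
public:
    explicit TLSLink(FactoryPtr f) : factory_(std::move(f)) {}
    std::string cert_in_use() const { return factory_->config().cert_name; }
    long factory_refs() const { return factory_.use_count(); }
private:
    FactoryPtr factory_;
};

// Server-side selection: the default factory unless the handler overrides.
TLSLink accept(SNIHandlerBase& handler, FactoryPtr default_factory, const std::string& sni) {
    FactoryPtr f = handler.sni_hello(sni);
    return TLSLink(f ? f : default_factory);
}

// Two virtual hosts; after the link is established the server forgets its
// own factory pointers.  Returns the cert name the link still sees.
std::string demo(const std::string& sni) {
    auto def = std::make_shared<SSLFactory>(SSLConfig{"default-cert", "1.2"});
    auto alt = std::make_shared<SSLFactory>(SSLConfig{"vpn.example.com-cert", "1.3"});
    MapSNIHandler h;
    h.add("vpn.example.com", alt);
    TLSLink link = accept(h, def, sni);
    def.reset();
    alt.reset();
    h = MapSNIHandler{};            // server-side references are all gone now
    return link.cert_in_use();      // only the link's reference keeps it alive
}

} // namespace snidemo
```

If the link held a raw pointer or reference to the factory instead, the three reset/reassign lines in demo() would leave it reading freed memory; holding the counted pointer is what makes the lifetime rule in the earlier commit hold automatically.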
Only the assignment constructor needs to erase the
current value.
Also, in keeping with convention, define X509::Ptr as
an alias for RCPtr<X509>.
Signed-off-by: James Yonan <james@openvpn.net>