The new message will look like this:
SSL Handshake: peer certificate: CN=OpenVPN Server, 4096 bit RSA, cipher: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
compared to the old message
SSL Handshake: CN=OpenVPN Access Server, TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 3072 bit RSA
The new message uses the SSL_CIPHER_description method and its
formatting instead out homegrown format. It also moves the xxx bit RSA
part closer to the certificate to make it more obvious that those belong
together
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This is mostly used by Linux client, which supports
among other distros CentOS7, Ubuntu 16 and Ubuntu 18 -
all of them have different tinyxml2 versions.
Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
This option has been very likely been to fix some incompatibilities
between some TLS libraries. But nobody really remember what it fixes
and its usage today is questionable. So remove the option instead
of supporting an option we cannot even test anymore.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
When OMI is stopped, we must cancel wait on
exit event, otherwise ASIO won't terminate event loop
and process won't exit.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
mingw produces incorrect result when converting
from utf8 to wchar_t using codecvt_utf8.
https://sourceforge.net/p/mingw-w64/bugs/538/
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Added a unit test to confirm the fix.
Other changes:
* In Base64 decode(), avoid the use of std::strlen() in favor
of std::string length() method since a std::string could
conceivably contain embedded null chars.
* In Base64 unit test, renamed b64_test_bad() to
b64_test_bad_decode() for clarity.
Signed-off-by: James Yonan <james@openvpn.net>
The Time code was originally designed to be efficient on 32-bit
processors. On 64-bit processors, define OPENVPN_TIME_NO_BASE
to optimize out the base_ variable. This also has the benefit
of allowing Time to represent any arbitrary time_t value.
Signed-off-by: James Yonan <james@openvpn.net>
The get_integer_optional select the type to get from the JSON
dependent on the default_value parameter, making it simple to ensure
that the returned value will fit the requested type and range.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This is useful for running a command from a worker thread
where signals have been blocked, but we want the child
process to run with the original pre-blocked signal configuration.
Signed-off-by: James Yonan <james@openvpn.net>
Before the OpenSSL 1.1 changes ctx was a struct and not a pointer, so
the extra variable was necessary
This also solves a defect reported by Coverity of ctx not always
initialised.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This also changes the mbed TLS implementation from using the AES GCM
specific API to the generic AEAD API in mbed TLS. As result we can
refactor the commonly used parts of AEAD and normal cipher into a
common class.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This code is MSVC specific (other compilers
don't support SEH) and is only useful during
debugging.
It is better to remove it and mute exception
in debugger, than add ifdefs for other compilers.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
c++17 provides overload, which accepts
std::filestream::path, which accepts wchar_t,
MSVS provides overload, which directly accepts wchar_t.
In other cases use char constructor. This likely breaks
support of non-ascii profile paths.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Having capture without initializer after nested struct
is broken in GCC 7.x and is fixed starting from GCC 8.1
(see https://stackoverflow.com/questions/60110629/).
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Linux filesystem is case-sensitive and all
mingw includes are in lower case. Also use
Linux directory separator, since it works on both
Linux and Windows.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Parse --windows-driver and set corresponding
value of config properties.
Could be used by clients to replicate openvpn2
behavior - use wintun driver if config contains
"--windows-driver wintun".
Signed-off-by: Lev Stipakov <lev@openvpn.net>
This is needed to make openvpn-gui client work with openpvn3.
openvpn-gui passes all information, required to start vpn session,
to agent via named pipe. Agent impersonates another end of pipe,
which is gui process, running under user privileges, and starts
openvpn process.
openvpn-gui generates a random password, which is written by agent
into openvpn process's stdin. That password is used by openvpn-gui to
connect to openvpn's management interface.
openvpn-gui creates an event with unique name, which it is passed
to openvpn via command line. When user disconnects VPN session, gui
sets event into signalled state. openvpn waits on event and, when it is signalled, quits.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
