On the linux client we need the information to which remote the client
is connecting to query the route information to ultimately discover the
device. On other platform that do not need these extra information we
ignore the extra arguments
The API uses std::string and bool instead of passing of passing IPAddr as
the API needs to be understand by Swig/Java and similar methods also opt in
favour of call by value and simply types.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
If the PROF env variable is already set, respect that original value
instead of enforcing a value which might be wrong on the build host.
Signed-off-by: David Sommerseth <davids@openvpn.net>
For testing, add the capability to get the next "remote"
directive from the output of an external script or binary.
Signed-off-by: James Yonan <james@openvpn.net>
// If true, consider AUTH_FAILED to be a non-fatal error,
// and retry the connection after a pause.
bool retryOnAuthFailed = false;
Signed-off-by: James Yonan <james@openvpn.net>
The OpenVPN 3 config file parser allows an embedded server list,
given as:
setenv SERVER <HOST1>/<FRIENDLY_NAME1>
setenv SERVER <HOST2>/<FRIENDLY_NAME2>
. . .
This patch allows the -s server override to specify
a friendly name and will substitute the host or IP
address given in the server list.
Signed-off-by: James Yonan <james@openvpn.net>
Following an high number of users complaints, it was suggested
to re-enable MD5 and to give our users a notice period of some
months before dropping its support entirely.
With this patch we add a new certificate profile called "insecure"
which is equal to "legacy" with the addition of MD5.
By default OpenVPN3 still use legacy and the insecure profile
must be enabled explicitly by the client app.
The new profile is also enveloped in an ifdef so that
such support is not introduced, unless who builds the core
knows about it.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Allow source files that require JSON library functionality
to include a single file (openvpn/common/jsonlib.hpp) which
will then draw in the appropriate JSON library header based
on configuration #defines.
Code can #ifdef on HAVE_JSON to test whether or not JSON
functionality is available (previously, HAVE_JSONCPP
was used).
Currently supports JsonCpp and an OpenVPN-internal JSON
implementation.
This model assumes that alternative JSON implementations
are API-compatible with JsonCpp.
Signed-off-by: James Yonan <james@openvpn.net>
By default tls-crypt is now enabled instead of tls-auth.
It can be easily changed by editing the define at the top
of test/ssl/proto.hpp
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Not really important, but worth fixing to avoid polluting
any memchecker output with unreleased (leaked) resources.
Release process resources before exiting the main function.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
* enabled by OPENVPN_OVPNCLI_SINGLE_THREAD compile flag.
* turns off the signal blocker.
* Adds overrideable clock_tick() virtual method with
configurable frequency that is used when processing
signals when the OpenVPN client is running in
single-thread mode.
Signed-off-by: James Yonan <james@openvpn.net>
Created a lightweight abstraction layer so that another i/o
reactor can be dropped in place of asio.
The basic approach is to rename all references to asio::xxx
types to openvpn_io::xxx and then make openvpn_io a
preprocessor variable that points to the top-level namespace
of the i/o reactor implementation.
All of the source files that currently include <asio.hpp> now
include <openvpn/io/io.hpp> instead:
This gives us a lightweight abstraction layer that allows us
to define openvpn_io to be something other than asio.
Other changes:
* Inclusion of asio by scripts/build is now optional, and is
enabled by passing ASIO=1 or ASIO_DIR=<dir>.
* Refactored openvpn/common/socktypes.hpp to no longer
require asio.
* Refactored openvpn/log/logthread.hpp to no longer require
asio.
* Added openvpn::get_hostname() method as alternative to
calling asio directly.
* openvpn/openssl/util/init.hpp will now #error
if USE_ASIO is undefined.
Signed-off-by: James Yonan <james@openvpn.net>
legacy -- allow 1024-bit RSA certs signed with SHA1
preferred -- require at least 2048-bit RSA certs signed
with SHA256 or higher
suiteb -- require NSA Suite-B
The current default is legacy.
The directive can be set in the profile or overridden/defaulted
in the client API via ClientAPI::Config::tlsCertProfileOverride
var.
TODO: implement for OpenSSL.
This patch builds on work by David Sommerseth <davids@openvpn.net>
to move the PolarSSL API from polarssl-1.3 to mbedtls-2.3, which
has significant differences in some areas.
- Strings containing keys, certificates, CRLs, and DH parameters
need to be NULL-terminated and the length argument provided to
the corresponding mbedtls parse function must be able to read
the NULL-terminator. These places have been modified with a
'+1' to the length argument (x509cert.hpp, x509crl.hpp, dh.hpp,
pkctx.hpp).
- The SSL context object has been split up in mbedtls-2.3
Now many of the SSL configurations are done in a separate
SSL config object, which is added to the SSL context once
configured. In addition private/public keys are now stored
in a separate pk_context, which is later on attached to the
SSL context. Due to this, many of the calls setting either
SSL configuration parameters or working with pk_contexts have
been refactored. (sslctx.hpp)
- The older API loading the CA chain took a hostname argument.
The new API requires mbedtls_ssl_set_hostname() explicitly to
be called setting hostname. Some refactoring was needed here
too (sslctx.hpp).
- x509_oid_get_description() is now replaced by
mbedtls_oid_get_extended_key_usage().
- when mbedTLS renamed OID_CMP to MBEDTLS_OID_CMP, the return
value was changed so that a return value of 0 now means equal
rather than not-equal.
- mbedtls/platform.h must be loaded before any other mbedtls
include files (sslchoose.hpp).
- All functions and macros related to mbedTLS are now prefixed
with mbedtls_/MBEDTLS_
- Refactored External PKI and added some options to cli.cpp
to make it easier to test that the feature still works
correctly. This included removing the sig_type var and
standardizing on a PKCS#1 digest prefix per RFC 3447.
- Updated test keys to 2048 bits.
- Updated dependency build scripts to build mbedTLS.
- Enable MD4 in mbedTLS build script (needed for NTLM auth).
- Use an allow-all X509 cert profile to preserve compatibility
with older configs. Going forward, we will implement new
options to increase strictness on minimum RSA key size and
required cert signing algs.
- Added human-readable reason strings that explain why
a given cert in the chain wasn't accepted.
- This patch doesn't rename any files or rename internal
OpenVPN 3 symbols such as PolarSSLContext. This will
be done in a separate commit.
Signed-off-by: James Yonan <james@openvpn.net>
Triple DES, and other 64-bit block-size ciphers vulnerable
to "Sweet32" birthday attack (CVE-2016-6329). Limit such
cipher keys to no more than 64 MB of data
encrypted/decrypted. While our overall goal is to limit
data-limited keys to 64 MB, we trigger a renegotiation
at 48 MB to compensate for possible delays in renegotiation
and rollover to the new key.
This client-side implementation extends data limit
protection to the entire session, even when the server
doesn't implement data limits.
This capability is advertised to servers via the a
peer info setting:
IV_BS64DL=1
meaning "Block-Size 64-bit Data Limit". The "1" indicates
the implementation version.
The implementation currently has some limitations:
* Keys are renegotiated at a maximum rate of once per
5 seconds to reduce the likelihood of loss of
synchronization between peers.
* The maximum renegotiation rate may be further extended
if the peer delays rollover from the old to new key
after renegotiation.
Added N_KEY_LIMIT_RENEG stats counter to count the number
of data-limit-triggered renegotiations.
Added new stats counter KEY_STATE_ERROR which roughly
corresponds to the OpenVPN 2.x error "TLS Error:
local/remote TLS keys are out of sync".
Prevously, the TLS ack/retransmit timeout was hardcoded to
2 seconds. Now we lower the default to 1 second and make
it variable using the (pushable) "tls-timeout" directive.
Additionally, the tls-timeout directive can be specified
in milliseconds instead of seconds by using the
"tls-timeout-ms" form of the directive.
Made the "become primary" time duration configurable via
the (pushable) "become-primary" directive which accepts
a number-of-seconds parameter. become-primary indicates
the time delay between renegotiation and rollover to the
new key for encryption/transmission. become-primary
defaults to the handshake-window which in turn defaults
to 60 seconds.
Incremented core version to 3.0.20.
INFO,<payload>
Payload can be any UTF-8 printable string under 64 KB
(multiple lines are okay).
INFO notifications can be sent from server to client
in real-time, on any active client connection.
The client will attach the payload to an INFO event and
forward it to the controlling app via the event callback:
virtual void event(const Event&) = 0;
receive path to reassemble messages fragmented by the
SSL layer up to a max message size of 64 KB.
Ramifications:
* Peer info data and pushed options can be significantly
larger (i.e. approaching 64 KB).
* Less need for the options continuation feature.
Limitations:
* While this patch doesn't change the underlying OpenVPN
protocol, it can result in messages being sent that are
fragmented by the receiving SSL implementation into
multiple buffers. Implementations that lack reassembly
capabilities (such as OpenVPN 2.x at this point in time)
would see each buffer fragment as a separate message.
* This patch running on the server will break negotiation
with pre-peer-info clients. Basically this means it will
interoperate with any OpenVPN 3 version or OpenVPN 2.x
version that includes the June 2010 commit "Implemented a
key/value auth channel from client to server.
Version 2.1.1i".
(instead of 2):
(a) ordinary events such as CONNECTING, CONNECTED,
(b) nonfatal errors such as TRANSPORT_ERROR that will
automatically trigger a reconnect, and
(c) fatal errors such as AUTH_FAILED, that will be followed
by a DISCONNECT
In ClientAPI::Event, added a new "fatal" boolean to indicate
when errors are fatal.
Added a new non-fatal event TUN_ERROR that triggers a
reconnect when errors are indicated in tunio.hpp.
ClientAPI::Config::ipv6 string:
IPv6 preference
no -- disable IPv6, so tunnel will be IPv4-only
yes -- request combined IPv4/IPv6 tunnel
default (or empty string) -- leave decision to server
bool ClientAPI::Config::autologinSessions and default
to false. Previously, the logic was hardcoded to true.
Autologin Sessions can be enabled in the cli.cpp wrapper
using the -a flag.
ClientAPI::Config::gremlinConfig string.
The gremlin option allows extra packet latency
or unreliability to be added to the tunnel.
The format of the option is a comma-separated list
of numerical parameters:
send_delay_ms, recv_delay_ms, send_drop_prob, recv_drop_prob
Parameter description:
send_delay_ms : delay packets by n milliseconds before
transmission (UDP/TCP).
recv_delay_ms : delay received packets by n milliseconds
before processing them (UDP/TCP).
send_drop_prob : drop sent packets with probability 1/n
(UDP only).
recv_drop_prob : drop received packets with probability
1/n (UDP only).
Set any parameter to 0 to disable.
Gremlin parameters currently work with UDP and TCP
transport as documented above, but not for proxy transport.
Client must be built with the OPENVPN_GREMLIN flag to compile
gremlin functionality.
Command-line client can set the gremlin config
string using --gremlin or -G, for example:
--gremlin=250,250,64,64
When using the above parameters, an extra 500 milliseconds
will be added to round-trip latency, and 1/64 sent or
received packets will be dropped.