The ClientAPI::EvalConfig::privateKeyPasswordRequired bool flag was not
set correctly when the private key was an encrypted EC key.
This flag is set in EvalConfig by OpenVPNClient::parse_config()
when it calls ParseClientConfig::privateKeyPasswordRequired().
Signed-off-by: David Sommerseth <davids@openvpn.net>
This is used to enable connectivity to a different remote
when force-tunneling is used and the current VPN connection is broken.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
This method generates /sbin/route commands which
create and delete bypass route for given host.
It is needed to enable connectivity to a different remote
when force-tunneling is used and the current VPN connection is broken.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
As the documentation says:
> If lpOverlapped is NULL, lpBytesReturned cannot be NULL
While on Windows 10 passing NULL works by accident,
on Windows 7 it crashes.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Before debug logging, HTTP headers should be passed through
HTTP::headers_redact() to prevent the creds from being logged.
Signed-off-by: James Yonan <james@openvpn.net>
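The pattern behind the commit above, as an added example that is not OpenVPN's own HTTP::headers_redact(): sensitive header values are blanked before the header block reaches a debug log. The header list, the `redact_header_line`/`redact_headers` names and the `[REDACTED]` marker are assumptions for this illustration, and the sample header block is constructed.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Header names whose values must never reach a debug log
// (constructed list for this example, not the project's).
static const std::vector<std::string> kSensitiveHeaders = {
    "authorization", "proxy-authorization", "cookie", "set-cookie",
};

static std::string to_lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Redact one "Name: value" line; lines without a colon (request line,
// blank line) are returned unchanged. Header names match case-insensitively.
std::string redact_header_line(const std::string& line) {
    const auto colon = line.find(':');
    if (colon == std::string::npos) return line;
    std::string name = line.substr(0, colon);
    while (!name.empty() && std::isspace(static_cast<unsigned char>(name.back())))
        name.pop_back();
    const std::string lname = to_lower(name);
    for (const auto& s : kSensitiveHeaders)
        if (lname == s) return name + ": [REDACTED]";
    return line;
}

// Redact a whole header block; CRLF and LF line endings are preserved.
std::string redact_headers(const std::string& headers) {
    std::string out;
    std::string::size_type pos = 0;
    for (;;) {
        const auto nl = headers.find('\n', pos);
        std::string line = headers.substr(
            pos, nl == std::string::npos ? std::string::npos : nl - pos);
        const bool cr = !line.empty() && line.back() == '\r';
        if (cr) line.pop_back();
        out += redact_header_line(line);
        if (cr) out += '\r';
        if (nl == std::string::npos) break;
        out += '\n';
        pos = nl + 1;
    }
    return out;
}

#include <iostream>
int main() {
    // Constructed proxy request carrying credentials in Proxy-Authorization.
    const std::string req =
        "CONNECT vpn.example:443 HTTP/1.1\r\n"
        "Host: vpn.example:443\r\n"
        "Proxy-Authorization: Basic dXNlcjpwYXNz\r\n"
        "\r\n";
    std::cout << redact_headers(req);   // safe to hand to a debug logger
    return 0;
}
```

Call `redact_headers()` on the raw block at the logging call site, never on a copy that is later sent, so the wire request is unaffected and only the log loses the secret.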
d8d14e1991 implemented new logic which
allows the DNS resolution to happen in a detachable thread. Since then,
we must execute async_resolve_lock() before performing the resolution so
that the main event queue is kept alive, while the core is busy
resolving the hostname.
Failing to do so will result in the main event queue terminating due to
"no events in the queue" and thus closing the core process.
Add lock (and related cancel) around resolution operation to guarantee
the core process stays alive during resolution.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
These functions are found in openvpn/mbedtls/pki/x509certinfo.hpp.
This change also adds support to build coreUnitTests against mbed TLS
instead of OpenSSL (default) by providing -DUSE_MBEDTLS=true to cmake.
Signed-off-by: David Sommerseth <davids@openvpn.net>
This is the mbed TLS counterpart to the OpenSSL change in
commit e0fd92f30756. These two methods are generic and not
tied to the MbedTLSContext in any particular way.
This is needed to be able to add a unit test for the x509_get_*()
functions.
Signed-off-by: David Sommerseth <davids@openvpn.net>
This adds some basic unit tests for the various functions retrieving
information from an X.509 certificate.
Signed-off-by: David Sommerseth <davids@openvpn.net>
This moves generic OpenSSL related functions used to extract X.509
certificate information to an independent file which can be used more
freely. This code does not contain anything specific to the
OpenSSLContext class group and works nicely as a separate unit.
This is needed to be able to add unit test code for the x509_get_*()
functions.
Signed-off-by: David Sommerseth <davids@openvpn.net>
This implements the --verify-x509-name support for builds with OpenSSL.
This change requires the x509_get_subject() to be extended to provide
the subject field in a newer format, which requires using a different
OpenSSL API. Since we have code which might require the old format as
well, x509_get_subject() will default to use the old format.
The --verify-x509-name supports matching both against the full subject
line and the X.509 Certificate Common Name, which means we need to check
which mode is configured and extract the proper value before calling the
VerifyX509Name::verify() method.
Signed-off-by: David Sommerseth <davids@openvpn.net>
This new VerifyX509Name class handles both extracting and parsing the
appropriate --verify-x509-name option and is able to verify if a given
subject or hostname is matching the expectation.
Signed-off-by: David Sommerseth <davids@openvpn.net>
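The two matching modes described in the preceding two commits (full subject line versus Common Name), as an added example that is not OpenVPN's VerifyX509Name class. The `X509NameCheck` type, its `parse`/`verify` methods, the `extract_cn` helper and the DN strings are assumptions constructed for this illustration; only the "subject" and "name" types are modelled, and the DN parser handles the RFC 2253 one-line form with backslash escapes and nothing more.

```cpp
#include <stdexcept>
#include <string>
#include <vector>

// Matching modes: compare the whole subject DN, or only the Common Name.
enum class X509NameMode { Subject, CommonName };

struct X509NameCheck {
    std::string expected;
    X509NameMode mode = X509NameMode::Subject;  // full-subject match is the strict default

    // Parse the option arguments, e.g. {"CN=vpn.example,O=Example", "subject"}.
    // Hypothetical subset: only "subject" and "name" are accepted here.
    static X509NameCheck parse(const std::vector<std::string>& args) {
        if (args.empty() || args.size() > 2)
            throw std::invalid_argument("verify-x509-name expects 1 or 2 arguments");
        X509NameCheck c;
        c.expected = args[0];
        if (args.size() == 2) {
            if (args[1] == "subject")   c.mode = X509NameMode::Subject;
            else if (args[1] == "name") c.mode = X509NameMode::CommonName;
            else throw std::invalid_argument("unknown verify-x509-name type: " + args[1]);
        }
        return c;
    }

    // Exact, case-sensitive comparison of the value selected by the mode.
    // The caller extracts the subject and CN from the peer certificate.
    bool verify(const std::string& subject, const std::string& common_name) const {
        const std::string& actual =
            (mode == X509NameMode::Subject) ? subject : common_name;
        return actual == expected;
    }
};

// Extract the first CN attribute from an RFC 2253-style one-line DN
// ("CN=vpn.example,O=Example,C=US"); backslash-escaped commas stay inside
// their attribute value. Returns "" when no CN is present.
std::string extract_cn(const std::string& dn) {
    std::vector<std::string> rdns;
    std::string cur;
    for (std::string::size_type i = 0; i < dn.size(); ++i) {
        if (dn[i] == '\\' && i + 1 < dn.size()) { cur += dn[++i]; continue; }
        if (dn[i] == ',') { rdns.push_back(cur); cur.clear(); continue; }
        cur += dn[i];
    }
    rdns.push_back(cur);
    for (const auto& r : rdns)
        if (r.compare(0, 3, "CN=") == 0) return r.substr(3);
    return "";
}

#include <iostream>
int main() {
    // Constructed peer subject; a "name" check only looks at the CN.
    const std::string subject = "CN=vpn.example,O=Example\\, Inc,C=US";
    const auto strict = X509NameCheck::parse({subject, "subject"});
    const auto loose  = X509NameCheck::parse({"vpn.example", "name"});
    std::cout << "subject match: " << strict.verify(subject, extract_cn(subject)) << "\n"
              << "name match:    " << loose.verify(subject, extract_cn(subject)) << "\n";
    return 0;
}
```

The full-subject mode is the safer default: a certificate issued by the same CA with the right CN but a different O or C still fails, whereas the "name" mode accepts any subject whose CN matches.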
In some situations, the local6 variable is nullptr but a default IPv6
route has been configured. This causes a segfault later in the call
chain when add_del_route() is being called.
We already avoid a similar situation with IPv4, so implement the
same kind of safeguard for IPv6: if no local IPv6 address has been
configured, don't attempt to add IPv6 routes.
Signed-off-by: David Sommerseth <davids@openvpn.net>
This avoids the mistake of using the insecure MTRand in anything but
a unit test and has the advantage that not all MTRand in a unit test
suite report being secure.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Also increase minimum OS version to 10.12 since the 10.8 target defaults
to libstdc++, which is not available on modern macOS versions.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
To support the pre-unittest tests that compare the output against an
expected output without fully rewriting them, this logger provides a
facility to integrate them in the unit test framework.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This adds port overlays for asio and mbedtls. Those
are required because we use patched versions of those libraries.
Signed-off-by: Lev Stipakov <lev@openvpn.net>