Commit Graph

121 Commits

Author SHA1 Message Date
Frank Lichtenheld
14295c94de Fix Windows build after merge of released
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
2022-03-11 18:51:10 +01:00
David Sommerseth
81441e8fa1 Merge OpenVPN 3 Core library version 3.6.6 changes 2022-03-11 00:16:55 +01:00
Frank Lichtenheld
94a197493a ovpncli: add missing break in option parsing (CID 11054)
Introduced in commit 1b5d913503

CID 11054 (#1 of 1): Missing break in switch (MISSING_BREAK)
unterminated_case: The case for value 71 is not terminated
by a break statement

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
2022-02-21 13:23:33 +01:00
James Yonan
a1c1a5b043 cli tool: fixed typos
Signed-off-by: James Yonan <james@openvpn.net>
2022-01-13 11:03:15 -06:00
Arne Schwabe
39443bff46 Rename enableNonPreferredDCOAlgorithms to config.enableNonPreferredDCAlgorithms
This should be DC for data channel instead DCO for data channel offload.

Signed-off-by: Arne Schwabe <arne@openvpn.net>
2022-01-12 18:30:06 +01:00
Arne Schwabe
8fe1b0870d Document -non-preffered-algorithms option in ovpncli
Signed-off-by: Arne Schwabe <arne@openvpn.net>
2022-01-12 18:30:05 +01:00
Arne Schwabe
291e675748 Move SSL context from OpenSSL Context to OpenSSL Config
We already load the certificates from the config and need the SSL
library context initialised there to allow loading of keys encrypted
with legacy algorithm. Also ensure that enable legacy provider is
set before actually attempting to load the private keys.

Signed-off-by: Arne Schwabe <arne@openvpn.net>
2022-01-12 18:29:50 +01:00
Arne Schwabe
d7b316bd11 Move helper function from OpenVPNClient into OpenVPNClientHelper
This also makes most of them non-static to avoid the problem that these
functions depend on Initprocess::Init being instantiated before being
called.

Rename the local variables eval to eval_cfg to avoid shadowing the
class field of the same name.
2021-12-15 13:03:41 +01:00
James Yonan
7a829ede11 cli: fixed expected behavior of --write-url, -Z
cli -Z <file> is used by automated test scripts to write the
SSO URL to a file rather than launch a browser with the URL.

Recently this behavior changed on Linux where -Z now both
writes the URL to a file and also launches a browser with
the URL.  This patch reverts behavior back to only writing
the file.

Signed-off-by: James Yonan <james@openvpn.net>
2021-11-24 13:18:35 -07:00
Arne Schwabe
3f90304154 Allow controlling usage of non preferred DC ciphers via option
Signed-off-by: Arne Schwabe <arne@openvpn.net>
2021-11-12 20:58:46 +01:00
Arne Schwabe
847f8da3ee Remove some leftover forceAesCbcCiphersuites code
This feature was removed a while ago and these settings do not do
anything any more.

Signed-off-by: Arne Schwabe <arne@openvpn.net>
2021-11-12 20:58:45 +01:00
Arne Schwabe
7897c3bd7e Rename OPENVPN_USE_TLS_MD5 to OPENVPN_ALLOW_INSECURE_CERTPROFILE
With OpenSSL 3.0 the name with MD5 no longer makes sense as it affects
not only MD5 but also SHA1 and number of other settings. So replace the
define with a more fitting name.

Signed-off-by: Arne Schwabe <arne@openvpn.net>
2021-11-12 20:58:44 +01:00
Arne Schwabe
1b5d913503 Implement setting legacy provider from ovpncli.cpp/test client
Signed-off-by: Arne Schwabe <arne@openvpn.net>
2021-11-12 20:58:38 +01:00
Arne Schwabe
88b2906a2c Rework block-ipv6 to also allow blocking ipv4 and remove IV_IPV6
Since IPv4/IPv6 should be treated equally, we should have also
the opportunity to block IPv4. With this change we follow the API
that also Android provides and explicitly tell tunbuilder what to
do with address families that are not used by the VPN. If an
address family is used by the VPN, nothing changes.

This also removes IV_IPV6 as it is not used.
2021-10-27 20:15:26 +02:00
Arne Schwabe
73890429d2 Implement external PKI emulation with OpenSSL
This uses the rather low-level EVP_* interfaces directly instead of
using OpenVPN's own PKI classes since this is very specific code
and reusability outside the testing scope is very limited.

Signed-off-by: Arne Schwabe <arne@openvpn.net>
2021-09-22 14:06:34 +02:00
Lev Stipakov
fd0655969d Merge release of OpenVPN Core library 3.6.4 to master 2021-09-22 13:56:37 +02:00
Heiko Hund
634e58e23b ovpncli: add open_url support for unixoid OSes
Open the user's default browser for OPEN_URL and WEB_AUTH dynamic
auth requests.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-08-11 22:37:24 +02:00
Heiko Hund
0c57e23aca ovpncli: support CR_TEXT type challenge/response
Support CR_TEXT type challenge/response exchanges. The challenge flags are
ignored currently, but displayed with the challenge text for debug purposes.
Thus, input is always echoed and it is assumed that a response is
required.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-08-10 14:17:30 +02:00
Lev Stipakov
613aa6bf7a Win: support for local DNS resolvers
Local DNS resolvers, such as Umbrella Roaming Client,
change DNS settings on adapters to 127.0.0.1.

This may not work with openvpn3 because:

 - NRPT rule might be created for "." zone,
which redirects all DNS requests to the server
specified in rule. This takes precedence over adapters'
DNS settings.

 - DNS requests might be blocked on all adapters
except TAP (tap-windows6/wintun/ovpn-dco-win) to prevent
DNS leaks.

To enable compatibility with local DNS resolvers, add
"allowLocalDnsResolvers" core config option, which,
when enabled, makes the core

 - avoid creating NRPT rule for "." zone

 - permit DNS requests to 127.0.0.1 / ::1

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2021-08-10 15:00:58 +03:00
Arne Schwabe
98f5b59a07 Document WEBAUTH and implement it as auth pending method in demo client
Signed-off-by: Arne Schwabe <arne@openvpn.net>
2021-07-28 14:50:06 +02:00
Heiko Hund
51bd6d4201 use DCO opportunistically
If DCO support is compiled in, detect if it is available (i.e. Windows driver
or Linux kernel module is loaded) and then use it, if it is.

This changes the default configuration for DCO from off to on, so users of
the library need to set ClientAPI::Config::dco to false in case they do not
want to use dco for a connection.

The change is also reflected in the reference client "ovpncli". If DCO is
enabled in a build, it will detect and use it. The previously available
"ovpncliovpndco" and "ovpncliovpndcowin" clients have thus been removed.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-05-27 17:20:24 +02:00
Heiko Hund
1e55fdadf1 make it possible to provide HTTP proxy creds
Extend struct ProvideCreds so that it can also hold HTTP proxy
credentials. This makes it possible to use proxy settings from
options, but provide credentials separately.

This is in contrast to the already existing struct Config::proxy*
which need to be given as a complete set to override eventual
HTTP proxy options.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-04-14 22:40:09 +02:00
Arne Schwabe
f964fb07b1 Allow auth pending methods be specified via commandline
Signed-off-by: Arne Schwabe <arne@openvpn.net>
2020-09-30 17:58:12 +02:00
Arne Schwabe
012e7e8226 Refactor InitProcess to use refcounting
Although the init calls were protected by a mutex more than consumer of
the API will the second one if the uninit was called too early.

While at it, move from explicit init/uninit calls to RAII.

Signed-off-by: Arne Schwabe <arne@openvpn.net>
2020-09-02 20:37:01 +02:00
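The pattern the commit above describes, refcounted init held by an RAII guard so that one consumer releasing early cannot tear the library down under another, as an added illustration. This is example code written for this page, not OpenVPN 3's InitProcess; the `LibState`, `InitGuard` and `NaiveInit` names and the counters are assumptions made for the demonstration.

```cpp
// Added example, not the OpenVPN 3 Core InitProcess implementation.
#include <mutex>

namespace demo {

// Hypothetical library-wide state standing in for global init/uninit.
struct LibState {
    static std::mutex mtx;
    static int refcount;      // consumers currently holding a guard
    static bool initialized;
    static int init_calls;    // how many times init actually ran
    static int uninit_calls;  // how many times uninit actually ran
};
std::mutex LibState::mtx;
int LibState::refcount = 0;
bool LibState::initialized = false;
int LibState::init_calls = 0;
int LibState::uninit_calls = 0;

// RAII guard: first guard runs init, last guard destroyed runs uninit.
class InitGuard {
public:
    InitGuard() {
        std::lock_guard<std::mutex> lock(LibState::mtx);
        if (LibState::refcount++ == 0) {
            LibState::initialized = true;
            ++LibState::init_calls;
        }
    }
    ~InitGuard() {
        std::lock_guard<std::mutex> lock(LibState::mtx);
        if (--LibState::refcount == 0) {
            LibState::initialized = false;
            ++LibState::uninit_calls;
        }
    }
    InitGuard(const InitGuard&) = delete;
    InitGuard& operator=(const InitGuard&) = delete;
};

// Scenario: consumer A finishes while consumer B is still running.
// Returns true if B still sees the library initialised after A is gone
// and init has run exactly once with no uninit yet.
bool early_release_is_safe() {
    InitGuard b;                       // consumer B, long-lived
    {
        InitGuard a;                   // consumer A, shorter-lived
        if (!LibState::initialized) return false;
    }                                  // A releases "too early"
    return LibState::initialized && LibState::init_calls == 1 && LibState::uninit_calls == 0;
}

// Pre-refactor shape: explicit init()/uninit() guarded by a mutex but not
// counted. The mutex does not help: A's uninit() breaks B.
struct NaiveInit {
    static std::mutex mtx;
    static bool initialized;
    static void init()   { std::lock_guard<std::mutex> l(mtx); initialized = true; }
    static void uninit() { std::lock_guard<std::mutex> l(mtx); initialized = false; }
};
std::mutex NaiveInit::mtx;
bool NaiveInit::initialized = false;

// Returns whether consumer B still finds the library initialised after
// consumer A's early uninit(). With the naive scheme it does not.
bool naive_scenario_survives() {
    NaiveInit::init();    // consumer B
    NaiveInit::init();    // consumer A
    NaiveInit::uninit();  // A done "too early"
    bool b_ok = NaiveInit::initialized;
    NaiveInit::uninit();  // B done
    return b_ok;
}

}  // namespace demo
```

Once `early_release_is_safe()` returns, guard `b` has also gone out of scope, so `uninit_calls` becomes 1 and `refcount` 0: the teardown happens exactly once, at the point the last consumer leaves.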
Lev Stipakov
0ba5e06882 cli.cpp: use SITNL on Linux by default
Macro OPENVPN_USE_SITNL should be defined before
inclusion of client/ovpncli.cpp.

Include tuncli.hpp for consistency with mac-specific code below.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2020-08-26 10:53:27 +00:00
David Sommerseth
f6ab0178a5 test: Fix OPENVPN_USE_SITNL redefine warning in ovpncli
If the OPENVPN_USE_SITNL is defined as compiler arguments or set
earlier if cli.cpp was used in an #include statement, the compiler
would warn about OPENVPN_USE_SITNL being redefined.

We want OPENVPN_USE_SITNL by default, but the code does not need
to explicitly define it if it is already defined.

Signed-off-by: David Sommerseth <davids@openvpn.net>
2020-08-18 10:49:54 +02:00
James Yonan
3b3ee130b9 cli: allow --peer-info option to accept a JSON file as input
Signed-off-by: James Yonan <james@openvpn.net>
2020-05-02 20:33:14 -06:00
David Sommerseth
3fbe0a2701 Update copyrights
Signed-off-by: David Sommerseth <davids@openvpn.net>
2020-03-18 19:37:32 +01:00
James Yonan
9f430b46ba cli: added --write-url option to write URLs received via INFO/OPEN_URL notifications to a file
Signed-off-by: James Yonan <james@openvpn.net>
2020-03-11 11:11:56 -06:00
James Yonan
93f6ed83c5 system_cmd_async: added optional sigset_t* parameter to configure signals in child
This is useful for running a command from a worker thread
where signals have been blocked, but we want the child
process to run with the original pre-blocked signal configuration.

Signed-off-by: James Yonan <james@openvpn.net>
2020-02-28 11:56:04 -07:00
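What the optional signal-set parameter buys you, shown with a stand-alone example rather than OpenVPN 3's own `system_cmd_async`: the caller blocks a signal (as a worker thread that delegates signal handling elsewhere would), saves the pre-block mask, and the child either inherits the blocked mask or has the saved mask reinstalled before it does anything else. The `child_sees_blocked`/`run_scenario` helpers are assumptions made for this page; a real implementation would install the mask and then exec(). The example uses `sigprocmask` because it runs single-threaded; in a worker thread the per-thread call is `pthread_sigmask`.

```cpp
// Added example (POSIX), not OpenVPN 3's system_cmd_async.
#include <csignal>
#include <sys/wait.h>
#include <unistd.h>

namespace demo {

// Fork a child that reports whether `sig` is blocked in its own mask.
// If child_mask is non-null it is installed in the child first (the option
// the commit adds); otherwise the child inherits the caller's mask, which is
// what fork() does by default. Returns 1 = blocked, 0 = not, -1 = error.
int child_sees_blocked(int sig, const sigset_t* child_mask) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(fds[0]);
        if (child_mask)
            sigprocmask(SIG_SETMASK, child_mask, nullptr);  // would precede exec() in a real spawn
        sigset_t cur;
        sigemptyset(&cur);
        sigprocmask(SIG_SETMASK, nullptr, &cur);            // read back the effective mask
        char r = sigismember(&cur, sig) ? '1' : '0';
        if (write(fds[1], &r, 1) != 1) _exit(1);
        _exit(0);
    }
    close(fds[1]);
    char r = '?';
    ssize_t n = read(fds[0], &r, 1);
    close(fds[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    if (n != 1) return -1;
    return r == '1' ? 1 : 0;
}

struct SpawnResult {
    int original_blocked;  // was SIGTERM blocked before we touched the mask
    int inherited;         // child spawned with no mask parameter
    int restored;          // child spawned with the saved pre-block mask
};

// Block SIGTERM as a worker would, then spawn twice: once inheriting the
// blocked mask, once with the saved original mask passed in.
SpawnResult run_scenario() {
    sigset_t original, blocked;
    sigemptyset(&blocked);
    sigaddset(&blocked, SIGTERM);
    sigprocmask(SIG_BLOCK, &blocked, &original);  // save the pre-block configuration

    SpawnResult r;
    r.original_blocked = sigismember(&original, SIGTERM) ? 1 : 0;
    r.inherited = child_sees_blocked(SIGTERM, nullptr);
    r.restored  = child_sees_blocked(SIGTERM, &original);

    sigprocmask(SIG_SETMASK, &original, nullptr);  // undo for the caller
    return r;
}

// The property the parameter provides: the inheriting child is stuck with
// the worker's blocked SIGTERM, the restored child runs with the original.
bool scenario_ok() {
    SpawnResult r = run_scenario();
    return r.inherited == 1 && r.restored == r.original_blocked;
}

}  // namespace demo
```

The practical consequence without the parameter: a helper launched from such a worker would ignore SIGTERM (and any other signal the worker blocked) until it reset its own mask, which most programs never do.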
James Yonan
e8b31c5454 cli: advertise "openurl" as supported SSO method
Signed-off-by: James Yonan <james@openvpn.net>
2019-09-06 22:24:57 -06:00
Antonio Quartulli
47046cf6d2 Merge branch 'qa' 2019-07-19 14:39:43 +02:00
Lev Stipakov
a2496a3616 Wintun: experimental support
This introduces experimental support for Wintun
as an alternative for tap-windows6.

In order to use wintun, set "ClientAPI::Config::wintun"
flag to "true" or use "-w" option in test client.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2019-05-29 20:21:28 +03:00
Lev Stipakov
dfcc4bc437 [OVPN3-354] cli.cpp: support for round-robin DNS and redirect gw
This takes into use the new TunSetup API which makes it possible to create
bypass routes before establishing the connection.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2019-05-10 10:48:53 +03:00
Lev Stipakov
7d112eb3e5 cli: enable utf8 console output
This allows cli to display non-ASCII strings,
assuming they're utf8 encoded.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2019-05-06 17:10:12 +03:00
Lev Stipakov
7150f72e09 tun: remove code duplications in Linux tun implementations
There are two ways how Linux tun can be manipulated -
by using iproute2 or netlink. Both implementations have
defined identical Setup class implementation.

This commit factors out Setup class from tun implementations
and templatizes it, which removes need in duplicated code.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2019-05-02 21:34:20 +03:00
Lev Stipakov
8112f0cd7c [OVPN3-378] cli: support for TunBuilder API
This makes it possible to use the TunBuilder API from the test client
on Linux and Mac platforms.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2019-05-02 21:34:20 +03:00
Lev Stipakov
4d7c12ac4d [OVPN3-405] Support for non-ASCII profile path on Windows
This uses Windows-specific wchar_t override of std::ifstream
to make it work with UNICODE paths. It is assumed that caller
passes UTF8-encoded string.

To support passing non-ASCII chars via command line, we
read it as wstring and then convert to UTF-8 encoded string.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2019-04-30 17:45:01 +03:00
Arne Schwabe
84dbc5b9b2 Allow test/cli.cpp to be used with NetCfg Tunbuilder client
This requires cli.cpp to be included in openvpn3-linux build environment
and the right defines set before the test.cpp is included.

This workaround is necessary since the dbus dependencies are not part
of the core and to adding an extra copy of cli.cpp to openvpn3-linux

Signed-off-by: Arne Schwabe <arne@openvpn.net>
2018-12-06 11:49:30 +01:00
Arne Schwabe
2ea88a93ba Add Remote endpoint information to protect_socket call
On the Linux client we need the information to which remote the client
is connecting to query the route information to ultimately discover the
device. On other platforms that do not need this extra information we
ignore the extra arguments.

The API uses std::string and bool instead of passing IPAddr, as
the API needs to be understood by Swig/Java, and similar methods also opt in
favour of call by value and simple types.

Signed-off-by: Arne Schwabe <arne@openvpn.net>
2018-12-04 13:33:18 +01:00
James Yonan
59de63fa65 cli.cpp: added OPENVPN_REMOTE_OVERRIDE
For testing, add the capability to get the next "remote"
directive from the output of an external script or binary.

Signed-off-by: James Yonan <james@openvpn.net>
2018-03-26 23:58:35 +08:00
James Yonan
01ee1f5a41 Added ClientAPI::Config::retryOnAuthFailed parameter
  // If true, consider AUTH_FAILED to be a non-fatal error,
  // and retry the connection after a pause.
  bool retryOnAuthFailed = false;

Signed-off-by: James Yonan <james@openvpn.net>
2018-03-10 02:28:33 +08:00
James Yonan
eedee4fa6d cli.cpp: allow -s server override to reference a friendly name
The OpenVPN 3 config file parser allows an embedded server list,
given as:

  setenv SERVER <HOST1>/<FRIENDLY_NAME1>
  setenv SERVER <HOST2>/<FRIENDLY_NAME2>
  . . .

This patch allows the -s server override to specify
a friendly name and will substitute the host or IP
address given in the server list.

Signed-off-by: James Yonan <james@openvpn.net>
2018-03-10 02:28:32 +08:00
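A small parser for the embedded server list described above and the friendly-name resolution the -s override gains, as an added example written for this page rather than the OpenVPN 3 config parser. The profile text is constructed for the example; `parse_server_list` and `resolve_override` are names assumed here. Friendly names are taken as a single whitespace-free token, as in the `<HOST>/<FRIENDLY_NAME>` form shown in the commit message.

```cpp
// Added example, not the OpenVPN 3 Core profile parser.
#include <sstream>
#include <string>
#include <vector>

namespace demo {

struct ServerEntry {
    std::string host;      // what we actually connect to
    std::string friendly;  // label shown to the user / accepted by -s
};

// Collect "setenv SERVER <HOST>/<FRIENDLY_NAME>" lines; other lines are
// ignored. Entries without a non-empty host and friendly name are skipped
// rather than guessed at.
std::vector<ServerEntry> parse_server_list(const std::string& profile) {
    std::vector<ServerEntry> out;
    std::istringstream in(profile);
    std::string line;
    while (std::getline(in, line)) {
        std::istringstream ls(line);
        std::string kw, var, val;
        if (!(ls >> kw >> var >> val) || kw != "setenv" || var != "SERVER")
            continue;
        const auto slash = val.find('/');
        if (slash == std::string::npos || slash == 0 || slash + 1 >= val.size())
            continue;  // malformed entry
        out.push_back({val.substr(0, slash), val.substr(slash + 1)});
    }
    return out;
}

// -s semantics after the patch: an exact friendly-name match substitutes
// that entry's host; anything else is treated as a host/IP as before.
std::string resolve_override(const std::vector<ServerEntry>& list,
                             const std::string& override_value) {
    for (const auto& e : list)
        if (e.friendly == override_value)
            return e.host;
    return override_value;
}

// Constructed sample profile (hostnames from reserved example ranges).
const char* kProfile =
    "client\n"
    "setenv SERVER vpn1.example.net/Frankfurt\n"
    "setenv SERVER 203.0.113.10/Backup\n"
    "setenv SERVER broken-entry-without-name\n"
    "remote vpn1.example.net 1194 udp\n";

}  // namespace demo
```

Matching is exact and case-sensitive on purpose: a fuzzy match on a friendly name could silently send the client to a different server than the one the operator named.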
David Sommerseth
16b10559f2 [OVPN3-140] Update company names in copyrights
OpenVPN Technologies, Inc. change their name to OpenVPN Inc. during the
autumn of 2017.

Signed-off-by: David Sommerseth <davids@openvpn.net>
2017-12-22 17:59:39 +08:00
David Sommerseth
6caca2c313 [OVPN3-140] Relicense back to AGPLv3
This is essentially a revert of commit 04b2a3c9b7 and commit
ef42e59e05.

Signed-off-by: David Sommerseth <davids@openvpn.net>
2017-12-22 17:59:39 +08:00
Antonio Quartulli
577b5ca7b4 cli.cpp: fix typ0 in define
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2017-12-22 17:59:39 +08:00
Antonio Quartulli
3928069caa [OVPN3-119] mbedTLS: create INSECURE profile including MD5
Following a high number of user complaints, it was suggested
to re-enable MD5 and to give our users a notice period of some
months before dropping its support entirely.

With this patch we add a new certificate profile called "insecure"
which is equal to "legacy" with the addition of MD5.

By default OpenVPN3 still uses legacy and the insecure profile
must be enabled explicitly by the client app.

The new profile is also enveloped in an ifdef so that
such support is not introduced, unless whoever builds the core
knows about it.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2017-12-22 17:59:39 +08:00
James Yonan
121e9752e7 client API: added portOverride
portOverride, like serverOverride, will override the port used
in the remote directive of the profile.

Signed-off-by: James Yonan <james@openvpn.net>
2017-12-22 17:59:38 +08:00
Lev Stipakov
96e0d89454 Revert "Merged in OVPN3-21-prepend-log-record-with-unique- (pull request #7)"
This reverts commit 62423c91cb, reversing
changes made to f26b08b6ef.
2017-09-27 16:16:18 +08:00
Lev Stipakov
cce245587b Prepend log string with unique reference.
OVPN3-21

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2017-08-08 11:35:37 +03:00