Merge branch 'release/0.4.0'

8d4c8c3ce4 asio version 1.14.0 released
30336a0873 Revision history.
2a1f68845a On Windows, ensure global object destructors are run.
6f55aeecd0 Fix move-based async_accept between sockets with different executor types.
c1c068c6ad The executor is copied, not moved, when the I/O object moves.
37c8d91d21 Add runtime detection of native I/O executors when using polymorphic wrapper.

git-subtree-dir: Sources/OpenVPNAdapter/Libraries/Vendors/asio
git-subtree-split: 8d4c8c3ce43c866f609d2eda9a43fe5b334620be

.gitignore

@@ -48,3 +48,33 @@ playground.xcworkspace
 # Carthage/Checkouts
 
 Carthage/Build
+
+## macOS generated
+
+# General
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk

Configuration/Info-Framework.plist

@@ -15,7 +15,7 @@
 	<key>CFBundlePackageType</key>
 	<string>FMWK</string>
 	<key>CFBundleShortVersionString</key>
-	<string>0.3.0</string>
+	<string>0.4.0</string>
 	<key>CFBundleVersion</key>
 	<string>$(CURRENT_PROJECT_VERSION)</string>
 	<key>NSPrincipalClass</key>

OpenVPNAdapter.podspec

@@ -3,7 +3,7 @@ Pod::Spec.new do |s|
   # ―――  Spec Metadata  ―――――――――――――――――――――――――――――――――――――――――――――――――――――――――― #
 
   s.name = "OpenVPNAdapter"
-  s.version = "0.3.0"
+  s.version = "0.4.0"
   s.summary   = "Objective-C wrapper for OpenVPN library. Compatible with iOS and macOS."
   s.description = <<-DESC
     OpenVPNAdapter is an Objective-C framework that allows to easily configure and establish VPN connection using OpenVPN protocol.

OpenVPNAdapter.xcodeproj/project.pbxproj

@@ -1137,6 +1137,7 @@
 				SDKROOT = iphoneos;
 				SKIP_INSTALL = YES;
 				SUPPORTED_PLATFORMS = "iphonesimulator iphoneos";
+				SUPPORTS_MACCATALYST = NO;
 				SWIFT_ACTIVE_COMPILATION_CONDITIONS = DEBUG;
 				SWIFT_OPTIMIZATION_LEVEL = "-Onone";
 				SWIFT_VERSION = 4.0;
@@ -1185,6 +1186,7 @@
 				SDKROOT = iphoneos;
 				SKIP_INSTALL = YES;
 				SUPPORTED_PLATFORMS = "iphonesimulator iphoneos";
+				SUPPORTS_MACCATALYST = NO;
 				SWIFT_OPTIMIZATION_LEVEL = "-Owholemodule";
 				SWIFT_VERSION = 4.0;
 				VERSIONING_SYSTEM = "apple-generic";

README.md

@@ -33,7 +33,7 @@ To install OpenVPNAdapter with Cocoapods, add the following lines to your `Podfi
 ```ruby
 target 'Your Target Name' do
   use_frameworks!
-  pod 'OpenVPNAdapter', :git => 'https://github.com/ss-abramchuk/OpenVPNAdapter.git', :tag => '0.3.0'
+  pod 'OpenVPNAdapter', :git => 'https://github.com/ss-abramchuk/OpenVPNAdapter.git', :tag => '0.4.0'
 end
 ```
 
@@ -177,6 +177,9 @@ class PacketTunnelProvider: NEPacketTunnelProvider {
             // Additional parameters as key:value pairs may be provided here
         ]
 
+        // Add this line if you want to keep TUN interface active during pauses or reconnections
+        configuration.tunPersist = true
+
         // Apply OpenVPN configuration
         let properties: OpenVPNProperties
         do {

Sources/OpenVPNAdapter/Libraries/Vendors/asio/asio/README

@@ -1,4 +1,4 @@
-asio version 1.13.0
+asio version 1.14.0
-Released Tuesday, 12 March 2019.
+Released Sunday, 14 April 2019.
 
 See doc/index.html for API documentation and a tutorial.

Sources/OpenVPNAdapter/Libraries/Vendors/asio/asio/configure.ac

@@ -1,4 +1,4 @@
-AC_INIT(asio, [1.13.0])
+AC_INIT(asio, [1.14.0])
 AC_CONFIG_SRCDIR(include/asio.hpp)
 AM_MAINTAINER_MODE
 AM_INIT_AUTOMAKE([tar-ustar])

Sources/OpenVPNAdapter/Libraries/Vendors/asio/asio/include/asio/detail/io_object_impl.hpp

@@ -24,8 +24,34 @@
 #include "asio/detail/push_options.hpp"
 
 namespace asio {
+
+class executor;
+
 namespace detail {
 
+inline bool is_native_io_executor(const io_context::executor_type&)
+{
+  return true;
+}
+
+template <typename Executor>
+inline bool is_native_io_executor(const Executor&,
+    typename enable_if<!is_same<Executor, executor>::value>::type* = 0)
+{
+  return false;
+}
+
+template <typename Executor>
+inline bool is_native_io_executor(const Executor& ex,
+    typename enable_if<is_same<Executor, executor>::value>::type* = 0)
+{
+#if !defined (ASIO_NO_TYPEID)
+  return ex.target_type() == typeid(io_context::executor_type);
+#else // !defined (ASIO_NO_TYPEID)
+  return false;
+#endif // !defined (ASIO_NO_TYPEID)
+}
+
 template <typename IoObjectService,
     typename Executor = io_context::executor_type>
 class io_object_impl
@@ -46,8 +72,7 @@ public:
   // Construct an I/O object using an executor.
   explicit io_object_impl(const executor_type& ex)
     : service_(&asio::use_service<IoObjectService>(ex.context())),
-      implementation_executor_(ex,
+      implementation_executor_(ex, (is_native_io_executor)(ex))
-        is_same<Executor, io_context::executor_type>::value)
   {
     service_->construct(implementation_);
   }
@@ -68,9 +93,7 @@ public:
   // Move-construct an I/O object.
   io_object_impl(io_object_impl&& other)
     : service_(&other.get_service()),
-      implementation_executor_(
+      implementation_executor_(other.get_implementation_executor())
-        ASIO_MOVE_CAST(implementation_executor_type)(
-          other.implementation_executor_))
   {
     service_->move_construct(implementation_, other.implementation_);
   }

Sources/OpenVPNAdapter/Libraries/Vendors/asio/asio/include/asio/detail/reactive_socket_accept_op.hpp

@@ -151,8 +151,10 @@ private:
 template <typename Protocol, typename PeerIoExecutor,
     typename Handler, typename IoExecutor>
 class reactive_socket_move_accept_op :
-  private Protocol::socket,
+  private Protocol::socket::template rebind_executor<PeerIoExecutor>::other,
-  public reactive_socket_accept_op_base<typename Protocol::socket, Protocol>
+  public reactive_socket_accept_op_base<
+    typename Protocol::socket::template rebind_executor<PeerIoExecutor>::other,
+    Protocol>
 {
 public:
   ASIO_DEFINE_HANDLER_PTR(reactive_socket_move_accept_op);
@@ -161,8 +163,8 @@ public:
       socket_type socket, socket_ops::state_type state,
       const Protocol& protocol, typename Protocol::endpoint* peer_endpoint,
       Handler& handler, const IoExecutor& io_ex)
-    : Protocol::socket(peer_io_ex),
+    : peer_socket_type(peer_io_ex),
-      reactive_socket_accept_op_base<typename Protocol::socket, Protocol>(
+      reactive_socket_accept_op_base<peer_socket_type, Protocol>(
         socket, state, *this, protocol, peer_endpoint,
         &reactive_socket_move_accept_op::do_complete),
       handler_(ASIO_MOVE_CAST(Handler)(handler)),
@@ -194,9 +196,9 @@ public:
     // to ensure that any owning sub-object remains valid until after we have
     // deallocated the memory here.
     detail::move_binder2<Handler,
-      asio::error_code, typename Protocol::socket>
+      asio::error_code, peer_socket_type>
         handler(0, ASIO_MOVE_CAST(Handler)(o->handler_), o->ec_,
-          ASIO_MOVE_CAST(typename Protocol::socket)(*o));
+          ASIO_MOVE_CAST(peer_socket_type)(*o));
     p.h = asio::detail::addressof(handler.handler_);
     p.reset();
 
@@ -211,6 +213,9 @@ public:
   }
 
 private:
+  typedef typename Protocol::socket::template
+    rebind_executor<PeerIoExecutor>::other peer_socket_type;
+
   Handler handler_;
   IoExecutor io_executor_;
 };

Sources/OpenVPNAdapter/Libraries/Vendors/asio/asio/include/asio/detail/win_global.hpp

@@ -35,7 +35,7 @@ struct win_global_impl
 
   static win_global_impl instance_;
   static static_mutex mutex_;
-  static T* ptr_;
+  T* ptr_;
   static tss_ptr<T> tss_ptr_;
 };
 
@@ -45,9 +45,6 @@ win_global_impl<T> win_global_impl<T>::instance_ = { 0 };
 template <typename T>
 static_mutex win_global_impl<T>::mutex_ = ASIO_STATIC_MUTEX_INIT;
 
-template <typename T>
-T* win_global_impl<T>::ptr_ = 0;
-
 template <typename T>
 tss_ptr<T> win_global_impl<T>::tss_ptr_;
 
@@ -58,9 +55,9 @@ T& win_global()
   {
     win_global_impl<T>::mutex_.init();
     static_mutex::scoped_lock lock(win_global_impl<T>::mutex_);
-    if (win_global_impl<T>::ptr_ == 0)
+    if (win_global_impl<T>::instance_.ptr_ == 0)
-      win_global_impl<T>::ptr_ = new T;
+      win_global_impl<T>::instance_.ptr_ = new T;
-    win_global_impl<T>::tss_ptr_ = win_global_impl<T>::ptr_;
+    win_global_impl<T>::tss_ptr_ = win_global_impl<T>::instance_.ptr_;
   }
 
   return *win_global_impl<T>::tss_ptr_;

Sources/OpenVPNAdapter/Libraries/Vendors/asio/asio/include/asio/detail/win_iocp_socket_accept_op.hpp

@@ -262,9 +262,9 @@ public:
     // to ensure that any owning sub-object remains valid until after we have
     // deallocated the memory here.
     detail::move_binder2<Handler,
-      asio::error_code, typename Protocol::socket>
+      asio::error_code, peer_socket_type>
         handler(0, ASIO_MOVE_CAST(Handler)(o->handler_), ec,
-          ASIO_MOVE_CAST(typename Protocol::socket)(o->peer_));
+          ASIO_MOVE_CAST(peer_socket_type)(o->peer_));
     p.h = asio::detail::addressof(handler.handler_);
     p.reset();
 
@@ -279,10 +279,13 @@ public:
   }
 
 private:
+  typedef typename Protocol::socket::template
+    rebind_executor<PeerIoExecutor>::other peer_socket_type;
+
   win_iocp_socket_service_base& socket_service_;
   socket_type socket_;
   socket_holder new_socket_;
-  typename Protocol::socket peer_;
+  peer_socket_type peer_;
   Protocol protocol_;
   typename Protocol::endpoint* peer_endpoint_;
   unsigned char output_buffer_[(sizeof(sockaddr_storage_type) + 16) * 2];

Sources/OpenVPNAdapter/Libraries/Vendors/asio/asio/include/asio/version.hpp

@@ -18,6 +18,6 @@
 // ASIO_VERSION % 100 is the sub-minor version
 // ASIO_VERSION / 100 % 1000 is the minor version
 // ASIO_VERSION / 100000 is the major version
-#define ASIO_VERSION 101300 // 1.13.0
+#define ASIO_VERSION 101400 // 1.14.0
 
 #endif // ASIO_VERSION_HPP

Sources/OpenVPNAdapter/Libraries/Vendors/asio/asio/src/doc/history.qbk

@@ -7,6 +7,21 @@
 
 [section:history Revision History]
 
+[heading Asio 1.14.0]
+
+* Improved I/O object performance by adding runtime detection of native I/O
+  executors when using the polymorphic executor wrapper.
+
+* Changed I/O object move constructors so that the executor is copied, not
+  moved. This ensures that the moved-from I/O object is left in the same state
+  as if constructed with a valid executor but without a resource.
+
+* On Windows, fixed an issue where global object destructors were not being
+  run.
+
+* Fixed move-based `async_accept` between sockets with different executor
+  types.
+
 [heading Asio 1.13.0]
 
 * Added custom I/O executor support to I/O objects.

Sources/OpenVPNAdapter/Libraries/Vendors/asio/asio/src/tests/unit/ip/tcp.cpp

@@ -729,6 +729,17 @@ struct move_accept_handler
 private:
   move_accept_handler(const move_accept_handler&) {}
 };
+
+struct move_accept_ioc_handler
+{
+  move_accept_ioc_handler() {}
+  void operator()(const asio::error_code&,
+      asio::basic_stream_socket<asio::ip::tcp,
+        asio::io_context::executor_type>) {}
+  move_accept_ioc_handler(move_accept_handler&&) {}
+private:
+  move_accept_ioc_handler(const move_accept_handler&) {}
+};
 #endif // defined(ASIO_HAS_MOVE)
 
 void test()
@@ -913,8 +924,12 @@ void test()
 #if defined(ASIO_HAS_MOVE)
     acceptor1.async_accept(move_accept_handler());
     acceptor1.async_accept(ioc, move_accept_handler());
+    acceptor1.async_accept(ioc_ex, move_accept_handler());
+    acceptor1.async_accept(ioc_ex, move_accept_ioc_handler());
     acceptor1.async_accept(peer_endpoint, move_accept_handler());
     acceptor1.async_accept(ioc, peer_endpoint, move_accept_handler());
+    acceptor1.async_accept(ioc_ex, peer_endpoint, move_accept_handler());
+    acceptor1.async_accept(ioc_ex, peer_endpoint, move_accept_ioc_handler());
 #endif // defined(ASIO_HAS_MOVE)
   }
   catch (std::exception&)

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/aesni.h

@@ -24,6 +24,12 @@
 #ifndef MBEDTLS_AESNI_H
 #define MBEDTLS_AESNI_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "aes.h"
 
 #define MBEDTLS_AESNI_AES      0x02000000u

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/asn1write.h

@@ -24,6 +24,12 @@
 #ifndef MBEDTLS_ASN1_WRITE_H
 #define MBEDTLS_ASN1_WRITE_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "asn1.h"
 
 #define MBEDTLS_ASN1_CHK_ADD(g, f) do { if( ( ret = f ) < 0 ) return( ret ); else   \
@@ -183,24 +189,27 @@ int mbedtls_asn1_write_ia5_string( unsigned char **p, unsigned char *start,
                            const char *text, size_t text_len );
 
 /**
- * \brief           Write a bitstring tag (MBEDTLS_ASN1_BIT_STRING) and
+ * \brief           Write a bitstring tag (#MBEDTLS_ASN1_BIT_STRING) and
- *                  value in ASN.1 format
+ *                  value in ASN.1 format.
- *                  Note: function works backwards in data buffer
  *
- * \param p         reference to current position pointer
+ * \note            This function works backwards in data buffer.
- * \param start     start of the buffer (for bounds-checking)
- * \param buf       the bitstring
- * \param bits      the total number of bits in the bitstring
  *
- * \return          the length written or a negative error code
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param buf       The bitstring to write.
+ * \param bits      The total number of bits in the bitstring.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative error code on failure.
  */
 int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start,
                           const unsigned char *buf, size_t bits );
 
 /**
- * \brief           Write an octet string tag (MBEDTLS_ASN1_OCTET_STRING) and
+ * \brief           Write an octet string tag (#MBEDTLS_ASN1_OCTET_STRING)
- *                  value in ASN.1 format
+ *                  and value in ASN.1 format.
- *                  Note: function works backwards in data buffer
+ *
+ * \note            This function works backwards in data buffer.
  *
  * \param p         reference to current position pointer
  * \param start     start of the buffer (for bounds-checking)

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/base64.h

@@ -24,6 +24,12 @@
 #ifndef MBEDTLS_BASE64_H
 #define MBEDTLS_BASE64_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include <stddef.h>
 
 #define MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL               -0x002A  /**< Output buffer too small. */

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/bn_mul.h

@@ -38,6 +38,12 @@
 #ifndef MBEDTLS_BN_MUL_H
 #define MBEDTLS_BN_MUL_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "bignum.h"
 
 #if defined(MBEDTLS_HAVE_ASM)
@@ -170,19 +176,19 @@
 
 #define MULADDC_INIT                        \
     asm(                                    \
-        "xorq   %%r8, %%r8          \n\t"
+        "xorq   %%r8, %%r8\n"
 
 #define MULADDC_CORE                        \
-        "movq   (%%rsi), %%rax      \n\t"   \
+        "movq   (%%rsi), %%rax\n"           \
-        "mulq   %%rbx               \n\t"   \
+        "mulq   %%rbx\n"                    \
-        "addq   $8,      %%rsi      \n\t"   \
+        "addq   $8, %%rsi\n"                \
-        "addq   %%rcx,   %%rax      \n\t"   \
+        "addq   %%rcx, %%rax\n"             \
-        "movq   %%r8,    %%rcx      \n\t"   \
+        "movq   %%r8, %%rcx\n"              \
-        "adcq   $0,      %%rdx      \n\t"   \
+        "adcq   $0, %%rdx\n"                \
-        "nop                        \n\t"   \
+        "nop    \n"                         \
-        "addq   %%rax,   (%%rdi)    \n\t"   \
+        "addq   %%rax, (%%rdi)\n"           \
-        "adcq   %%rdx,   %%rcx      \n\t"   \
+        "adcq   %%rdx, %%rcx\n"             \
-        "addq   $8,      %%rdi      \n\t"
+        "addq   $8, %%rdi\n"
 
 #define MULADDC_STOP                        \
         : "+c" (c), "+D" (d), "+S" (s)      \
@@ -734,7 +740,7 @@
         "sw     $10, %2         \n\t"   \
         : "=m" (c), "=m" (d), "=m" (s)                      \
         : "m" (s), "m" (d), "m" (c), "m" (b)                \
-        : "$9", "$10", "$11", "$12", "$13", "$14", "$15"    \
+        : "$9", "$10", "$11", "$12", "$13", "$14", "$15", "lo", "hi" \
     );
 
 #endif /* MIPS */

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/ccm.h

@@ -34,6 +34,12 @@
 #ifndef MBEDTLS_CCM_H
 #define MBEDTLS_CCM_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "cipher.h"
 
 #define MBEDTLS_ERR_CCM_BAD_INPUT       -0x000D /**< Bad input parameters to the function. */

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/certs.h

@@ -24,6 +24,12 @@
 #ifndef MBEDTLS_CERTS_H
 #define MBEDTLS_CERTS_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include <stddef.h>
 
 #ifdef __cplusplus

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/check_config.h

@@ -118,10 +118,15 @@
     !defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)   &&                  \
     !defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) &&                  \
     !defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) &&                  \
-    !defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) ) )
+    !defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) &&                  \
+    !defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) ) )
 #error "MBEDTLS_ECP_C defined, but not all prerequisites"
 #endif
 
+#if defined(MBEDTLS_PK_PARSE_C) && !defined(MBEDTLS_ASN1_PARSE_C)
+#error "MBEDTLS_PK_PARSE_C defined, but not all prerequesites"
+#endif
+
 #if defined(MBEDTLS_ENTROPY_C) && (!defined(MBEDTLS_SHA512_C) &&      \
                                     !defined(MBEDTLS_SHA256_C))
 #error "MBEDTLS_ENTROPY_C defined, but not all prerequisites"
@@ -667,7 +672,7 @@
 /*
  * Avoid warning from -pedantic. This is a convenient place for this
  * workaround since this is included by every single file before the
- * #if defined(MBEDTLS_xxx_C) that results in emtpy translation units.
+ * #if defined(MBEDTLS_xxx_C) that results in empty translation units.
  */
 typedef int mbedtls_iso_c_forbids_empty_translation_units;
 

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/cmac.h

@@ -26,6 +26,12 @@
 #ifndef MBEDTLS_CMAC_H
 #define MBEDTLS_CMAC_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "cipher.h"
 
 #ifdef __cplusplus

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/compat-1.3.h

@@ -25,6 +25,12 @@
  *  This file is part of mbed TLS (https://tls.mbed.org)
  */
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #if ! defined(MBEDTLS_DEPRECATED_REMOVED)
 
 #if defined(MBEDTLS_DEPRECATED_WARNING)

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/config.h

@@ -112,7 +112,7 @@
  * \def MBEDTLS_HAVE_TIME_DATE
  *
  * System has time.h and time(), gmtime() and the clock is correct.
- * The time needs to be correct (not necesarily very accurate, but at least
+ * The time needs to be correct (not necessarily very accurate, but at least
  * the date should be correct). This is used to verify the validity period of
  * X.509 certificates.
  *
@@ -318,7 +318,7 @@
  * \note Because of a signature change, the core AES encryption and decryption routines are
  *       currently named mbedtls_aes_internal_encrypt and mbedtls_aes_internal_decrypt,
  *       respectively. When setting up alternative implementations, these functions should
- *       be overriden, but the wrapper functions mbedtls_aes_decrypt and mbedtls_aes_encrypt
+ *       be overridden, but the wrapper functions mbedtls_aes_decrypt and mbedtls_aes_encrypt
  *       must stay untouched.
  *
  * \note If you use the AES_xxx_ALT macros, then is is recommended to also set
@@ -333,6 +333,16 @@
  *            dependencies on them, and considering stronger message digests
  *            and ciphers instead.
  *
+ * \warning   If both MBEDTLS_ECDSA_SIGN_ALT and MBEDTLS_ECDSA_DETERMINISTIC are
+ *            enabled, then the deterministic ECDH signature functions pass the
+ *            the static HMAC-DRBG as RNG to mbedtls_ecdsa_sign(). Therefore
+ *            alternative implementations should use the RNG only for generating
+ *            the ephemeral key and nothing else. If this is not possible, then
+ *            MBEDTLS_ECDSA_DETERMINISTIC should be disabled and an alternative
+ *            implementation should be provided for mbedtls_ecdsa_sign_det_ext()
+ *            (and for mbedtls_ecdsa_sign_det() too if backward compatibility is
+ *            desirable).
+ *
  */
 //#define MBEDTLS_MD2_PROCESS_ALT
 //#define MBEDTLS_MD4_PROCESS_ALT
@@ -556,6 +566,26 @@
  */
 #define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
 
+/**
+ * \def MBEDTLS_REMOVE_3DES_CIPHERSUITES
+ *
+ * Remove 3DES ciphersuites by default in SSL / TLS.
+ * This flag removes the ciphersuites based on 3DES from the default list as
+ * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible
+ * to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including
+ * them explicitly.
+ *
+ * A man-in-the-browser attacker can recover authentication tokens sent through
+ * a TLS connection using a 3DES based cipher suite (see "On the Practical
+ * (In-)Security of 64-bit Block Ciphers" by Karthikeyan Bhargavan and Gaëtan
+ * Leurent, see https://sweet32.info/SWEET32_CCS16.pdf). If this attack falls
+ * in your threat model or you are unsure, then you should keep this option
+ * enabled to remove 3DES based cipher suites.
+ *
+ * Comment this macro to keep 3DES in the default ciphersuite list.
+ */
+#define MBEDTLS_REMOVE_3DES_CIPHERSUITES
+
 /**
  * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
  *
@@ -1188,7 +1218,7 @@
 /**
  * \def MBEDTLS_SSL_RENEGOTIATION
  *
- * Disable support for TLS renegotiation.
+ * Enable support for TLS renegotiation.
  *
  * The two main uses of renegotiation are (1) refresh keys on long-lived
  * connections and (2) client authentication after the initial handshake.
@@ -1372,7 +1402,7 @@
  * \def MBEDTLS_SSL_SESSION_TICKETS
  *
  * Enable support for RFC 5077 session tickets in SSL.
- * Client-side, provides full support for session tickets (maintainance of a
+ * Client-side, provides full support for session tickets (maintenance of a
  * session store remains the responsibility of the application, though).
  * Server-side, you also need to provide callbacks for writing and parsing
  * tickets, including authenticated encryption and key management. Example
@@ -1538,7 +1568,7 @@
  *
  * \warning TLS-level compression MAY REDUCE SECURITY! See for example the
  * CRIME attack. Before enabling this option, you should examine with care if
- * CRIME or similar exploits may be a applicable to your use case.
+ * CRIME or similar exploits may be applicable to your use case.
  *
  * \note Currently compression can't be used with DTLS.
  *
@@ -2734,7 +2764,7 @@
 //#define MBEDTLS_PLATFORM_STD_TIME            time /**< Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
 //#define MBEDTLS_PLATFORM_STD_FPRINTF      fprintf /**< Default fprintf to use, can be undefined */
 //#define MBEDTLS_PLATFORM_STD_PRINTF        printf /**< Default printf to use, can be undefined */
-/* Note: your snprintf must correclty zero-terminate the buffer! */
+/* Note: your snprintf must correctly zero-terminate the buffer! */
 //#define MBEDTLS_PLATFORM_STD_SNPRINTF    snprintf /**< Default snprintf to use, can be undefined */
 //#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS       0 /**< Default exit value to use, can be undefined */
 //#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE       1 /**< Default exit value to use, can be undefined */
@@ -2751,7 +2781,7 @@
 //#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO       time_t /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
 //#define MBEDTLS_PLATFORM_FPRINTF_MACRO      fprintf /**< Default fprintf macro to use, can be undefined */
 //#define MBEDTLS_PLATFORM_PRINTF_MACRO        printf /**< Default printf macro to use, can be undefined */
-/* Note: your snprintf must correclty zero-terminate the buffer! */
+/* Note: your snprintf must correctly zero-terminate the buffer! */
 //#define MBEDTLS_PLATFORM_SNPRINTF_MACRO    snprintf /**< Default snprintf macro to use, can be undefined */
 //#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO   mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
 //#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO  mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/ctr_drbg.h

@@ -28,6 +28,12 @@
 #ifndef MBEDTLS_CTR_DRBG_H
 #define MBEDTLS_CTR_DRBG_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "aes.h"
 
 #if defined(MBEDTLS_THREADING_C)
@@ -227,14 +233,37 @@ int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
  *
  * \param ctx           The CTR_DRBG context.
  * \param additional    The data to update the state with.
- * \param add_len       Length of \p additional data.
+ * \param add_len       Length of \p additional in bytes. This must be at
+ *                      most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
  *
- * \note     If \p add_len is greater than #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT,
+ * \return              \c 0 on success.
- *           only the first #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT Bytes are used.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if
+ *                      \p add_len is more than
+ *                      #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
+ * \return              An error from the underlying AES cipher on failure.
+ */
+int mbedtls_ctr_drbg_update_ret( mbedtls_ctr_drbg_context *ctx,
+                                 const unsigned char *additional,
+                                 size_t add_len );
+
+/**
+ * \brief               This function updates the state of the CTR_DRBG context.
+ *
+ * \warning             This function cannot report errors. You should use
+ *                      mbedtls_ctr_drbg_update_ret() instead.
+ *
+ * \note                If \p add_len is greater than
+ *                      #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT, only the first
+ *                      #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT Bytes are used.
  *                      The remaining Bytes are silently discarded.
+ *
+ * \param ctx           The CTR_DRBG context.
+ * \param additional    The data to update the state with.
+ * \param add_len       Length of \p additional data.
  */
 void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx,
-                      const unsigned char *additional, size_t add_len );
+                              const unsigned char *additional,
+                              size_t add_len );
 
 /**
  * \brief   This function updates a CTR_DRBG instance with additional

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/ecdh.h

@@ -33,6 +33,12 @@
 #ifndef MBEDTLS_ECDH_H
 #define MBEDTLS_ECDH_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "ecp.h"
 
 #ifdef __cplusplus

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/ecdsa.h

@@ -31,6 +31,12 @@
 #ifndef MBEDTLS_ECDSA_H
 #define MBEDTLS_ECDSA_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "ecp.h"
 #include "md.h"
 
@@ -101,6 +107,20 @@ int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
  *                  Usage of the Digital Signature Algorithm (DSA) and Elliptic
  *                  Curve Digital Signature Algorithm (ECDSA)</em>.
  *
+ *
+ * \warning         Since the output of the internal RNG is always the same for
+ *                  the same key and message, this limits the efficiency of
+ *                  blinding and leaks information through side channels. For
+ *                  secure behavior use mbedtls_ecdsa_sign_det_ext() instead.
+ *
+ *                  (Optimally the blinding is a random value that is different
+ *                  on every execution. In this case the blinding is still
+ *                  random from the attackers perspective, but is the same on
+ *                  each execution. This means that this blinding does not
+ *                  prevent attackers from recovering secrets by combining
+ *                  several measurement traces, but may prevent some attacks
+ *                  that exploit relationships between secret data.)
+ *
  * \param grp       The ECP group.
  * \param r         The first output integer.
  * \param s         The second output integer.
@@ -121,9 +141,56 @@ int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
  *
  * \see             ecp.h
  */
-int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
+int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r,
-                    const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+                            mbedtls_mpi *s, const mbedtls_mpi *d,
+                            const unsigned char *buf, size_t blen,
                             mbedtls_md_type_t md_alg );
+/**
+ * \brief           This function computes the ECDSA signature of a
+ *                  previously-hashed message, deterministic version.
+ *
+ *                  For more information, see <em>RFC-6979: Deterministic
+ *                  Usage of the Digital Signature Algorithm (DSA) and Elliptic
+ *                  Curve Digital Signature Algorithm (ECDSA)</em>.
+ *
+ * \note            If the bitlength of the message hash is larger than the
+ *                  bitlength of the group order, then the hash is truncated as
+ *                  defined in <em>Standards for Efficient Cryptography Group
+ *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ *                  4.1.3, step 5.
+ *
+ * \see             ecp.h
+ *
+ * \param grp           The context for the elliptic curve to use.
+ *                      This must be initialized and have group parameters
+ *                      set, for example through mbedtls_ecp_group_load().
+ * \param r             The MPI context in which to store the first part
+ *                      the signature. This must be initialized.
+ * \param s             The MPI context in which to store the second part
+ *                      the signature. This must be initialized.
+ * \param d             The private signing key. This must be initialized
+ *                      and setup, for example through mbedtls_ecp_gen_privkey().
+ * \param buf           The hashed content to be signed. This must be a readable
+ *                      buffer of length \p blen Bytes. It may be \c NULL if
+ *                      \p blen is zero.
+ * \param blen          The length of \p buf in Bytes.
+ * \param md_alg        The hash algorithm used to hash the original data.
+ * \param f_rng_blind   The RNG function used for blinding. This must not be
+ *                      \c NULL.
+ * \param p_rng_blind   The RNG context to be passed to \p f_rng. This may be
+ *                      \c NULL if \p f_rng doesn't need a context parameter.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
+ *                  error code on failure.
+ */
+int mbedtls_ecdsa_sign_det_ext( mbedtls_ecp_group *grp, mbedtls_mpi *r,
+                                mbedtls_mpi *s, const mbedtls_mpi *d,
+                                const unsigned char *buf, size_t blen,
+                                mbedtls_md_type_t md_alg,
+                                int (*f_rng_blind)(void *, unsigned char *,
+                                                   size_t),
+                                void *p_rng_blind );
 #endif /* MBEDTLS_ECDSA_DETERMINISTIC */
 
 /**

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/ecjpake.h

@@ -40,6 +40,11 @@
  * The payloads are serialized in a way suitable for use in TLS, but could
  * also be use outside TLS.
  */
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
 
 #include "ecp.h"
 #include "md.h"

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/ecp.h

@@ -24,6 +24,12 @@
 #ifndef MBEDTLS_ECP_H
 #define MBEDTLS_ECP_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "bignum.h"
 
 /*
@@ -595,6 +601,22 @@ int mbedtls_ecp_check_pubkey( const mbedtls_ecp_group *grp, const mbedtls_ecp_po
  */
 int mbedtls_ecp_check_privkey( const mbedtls_ecp_group *grp, const mbedtls_mpi *d );
 
+/**
+ * \brief           Generate a private key
+ *
+ * \param grp       ECP group
+ * \param d         Destination MPI (secret part)
+ * \param f_rng     RNG function
+ * \param p_rng     RNG parameter
+ *
+ * \return          0 if successful,
+ *                  or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code
+ */
+int mbedtls_ecp_gen_privkey( const mbedtls_ecp_group *grp,
+                     mbedtls_mpi *d,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng );
+
 /**
  * \brief           Generate a keypair with configurable base point
  *

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/ecp_internal.h

@@ -61,6 +61,12 @@
 #ifndef MBEDTLS_ECP_INTERNAL_H
 #define MBEDTLS_ECP_INTERNAL_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #if defined(MBEDTLS_ECP_INTERNAL_ALT)
 
 /**

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/error.h

@@ -24,6 +24,12 @@
 #ifndef MBEDTLS_ERROR_H
 #define MBEDTLS_ERROR_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include <stddef.h>
 
 /**

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/gcm.h

@@ -31,6 +31,12 @@
 #ifndef MBEDTLS_GCM_H
 #define MBEDTLS_GCM_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "cipher.h"
 
 #include <stdint.h>

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/havege.h

@@ -24,6 +24,12 @@
 #ifndef MBEDTLS_HAVEGE_H
 #define MBEDTLS_HAVEGE_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include <stddef.h>
 
 #define MBEDTLS_HAVEGE_COLLECT_SIZE 1024

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/hmac_drbg.h

@@ -24,6 +24,12 @@
 #ifndef MBEDTLS_HMAC_DRBG_H
 #define MBEDTLS_HMAC_DRBG_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "md.h"
 
 #if defined(MBEDTLS_THREADING_C)
@@ -76,7 +82,7 @@ extern "C" {
  */
 typedef struct
 {
-    /* Working state: the key K is not stored explicitely,
+    /* Working state: the key K is not stored explicitly,
      * but is implied by the HMAC context */
     mbedtls_md_context_t md_ctx;                    /*!< HMAC context (inc. K)  */
     unsigned char V[MBEDTLS_MD_MAX_SIZE];  /*!< V in the spec          */
@@ -195,11 +201,31 @@ void mbedtls_hmac_drbg_set_reseed_interval( mbedtls_hmac_drbg_context *ctx,
  * \param additional    Additional data to update state with, or NULL
  * \param add_len       Length of additional data, or 0
  *
+ * \return              \c 0 on success, or an error from the underlying
+ *                      hash calculation.
+ *
+ * \note                Additional data is optional, pass NULL and 0 as second
+ *                      third argument if no additional data is being used.
+ */
+int mbedtls_hmac_drbg_update_ret( mbedtls_hmac_drbg_context *ctx,
+                       const unsigned char *additional, size_t add_len );
+
+/**
+ * \brief               HMAC_DRBG update state
+ *
+ * \warning             This function cannot report errors. You should use
+ *                      mbedtls_hmac_drbg_update_ret() instead.
+ *
+ * \param ctx           HMAC_DRBG context
+ * \param additional    Additional data to update state with, or NULL
+ * \param add_len       Length of additional data, or 0
+ *
  * \note                Additional data is optional, pass NULL and 0 as second
  *                      third argument if no additional data is being used.
  */
 void mbedtls_hmac_drbg_update( mbedtls_hmac_drbg_context *ctx,
-                       const unsigned char *additional, size_t add_len );
+                               const unsigned char *additional,
+                               size_t add_len );
 
 /**
  * \brief               HMAC_DRBG reseeding (extracts data from entropy source)

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/net.h

@@ -23,6 +23,11 @@
  *
  *  This file is part of mbed TLS (https://tls.mbed.org)
  */
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
 
 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
 #include "net_sockets.h"

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/padlock.h

@@ -25,6 +25,12 @@
 #ifndef MBEDTLS_PADLOCK_H
 #define MBEDTLS_PADLOCK_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "aes.h"
 
 #define MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED               -0x0030  /**< Input data should be aligned. */

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/pem.h

@@ -24,6 +24,12 @@
 #ifndef MBEDTLS_PEM_H
 #define MBEDTLS_PEM_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include <stddef.h>
 
 /**

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/pk.h

@@ -343,6 +343,10 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options,
  *
  * \note            For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0.
  *                  For ECDSA, md_alg may never be MBEDTLS_MD_NONE.
+ *
+ * \note            In order to ensure enough space for the signature, the
+ *                  \p sig buffer size must be of at least
+ *                  `max(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE)` bytes.
  */
 int mbedtls_pk_sign( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
              const unsigned char *hash, size_t hash_len,

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/pkcs12.h

@@ -24,6 +24,12 @@
 #ifndef MBEDTLS_PKCS12_H
 #define MBEDTLS_PKCS12_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "md.h"
 #include "cipher.h"
 #include "asn1.h"
@@ -46,6 +52,8 @@
 extern "C" {
 #endif
 
+#if defined(MBEDTLS_ASN1_PARSE_C)
+
 /**
  * \brief            PKCS12 Password Based function (encryption / decryption)
  *                   for pbeWithSHAAnd128BitRC4
@@ -87,6 +95,8 @@ int mbedtls_pkcs12_pbe( mbedtls_asn1_buf *pbe_params, int mode,
                 const unsigned char *input, size_t len,
                 unsigned char *output );
 
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
 /**
  * \brief            The PKCS#12 derivation function uses a password and a salt
  *                   to produce pseudo-random bits for a particular "purpose".

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/pkcs5.h

@@ -26,6 +26,12 @@
 #ifndef MBEDTLS_PKCS5_H
 #define MBEDTLS_PKCS5_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "asn1.h"
 #include "md.h"
 
@@ -44,6 +50,8 @@
 extern "C" {
 #endif
 
+#if defined(MBEDTLS_ASN1_PARSE_C)
+
 /**
  * \brief          PKCS#5 PBES2 function
  *
@@ -62,6 +70,8 @@ int mbedtls_pkcs5_pbes2( const mbedtls_asn1_buf *pbe_params, int mode,
                  const unsigned char *data, size_t datalen,
                  unsigned char *output );
 
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
 /**
  * \brief          PKCS#5 PBKDF2 using HMAC
  *

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/rsa.h

@@ -146,13 +146,13 @@ mbedtls_rsa_context;
  * \note           The choice of padding mode is strictly enforced for private key
  *                 operations, since there might be security concerns in
  *                 mixing padding modes. For public key operations it is
- *                 a default value, which can be overriden by calling specific
+ *                 a default value, which can be overridden by calling specific
  *                 \c rsa_rsaes_xxx or \c rsa_rsassa_xxx functions.
  *
  * \note           The hash selected in \p hash_id is always used for OEAP
  *                 encryption. For PSS signatures, it is always used for
- *                 making signatures, but can be overriden for verifying them.
+ *                 making signatures, but can be overridden for verifying them.
- *                 If set to #MBEDTLS_MD_NONE, it is always overriden.
+ *                 If set to #MBEDTLS_MD_NONE, it is always overridden.
  */
 void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
                        int padding,
@@ -819,6 +819,7 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
  *
  * \note           The \p sig buffer must be as large as the size
  *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ *                 A buffer length of #MBEDTLS_MPI_MAX_SIZE is always safe.
  *
  * \note           For PKCS#1 v2.1 encoding, see comments on
  *                 mbedtls_rsa_rsassa_pss_sign() for details on
@@ -862,6 +863,7 @@ int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
  *
  * \note           The \p sig buffer must be as large as the size
  *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ *                 A buffer length of #MBEDTLS_MPI_MAX_SIZE is always safe.
  */
 int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
                                int (*f_rng)(void *, unsigned char *, size_t),
@@ -902,6 +904,7 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
  *
  * \note           The \p sig buffer must be as large as the size
  *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ *                 A buffer length of #MBEDTLS_MPI_MAX_SIZE is always safe.
  *
  * \note           The \p hash_id in the RSA context is the one used for the
  *                 encoding. \p md_alg in the function call is the type of hash

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/ssl.h

@@ -1611,7 +1611,7 @@ void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
  *                 provision more than one cert/key pair (eg one ECDSA, one
  *                 RSA with SHA-256, one RSA with SHA-1). An adequate
  *                 certificate will be selected according to the client's
- *                 advertised capabilities. In case mutliple certificates are
+ *                 advertised capabilities. In case multiple certificates are
  *                 adequate, preference is given to the one set by the first
  *                 call to this function, then second, etc.
  *
@@ -1622,6 +1622,14 @@ void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
  *                 whether it matches those preferences - the server can then
  *                 decide what it wants to do with it.
  *
+ * \note           The provided \p pk_key needs to match the public key in the
+ *                 first certificate in \p own_cert, or all handshakes using
+ *                 that certificate will fail. It is your responsibility
+ *                 to ensure that; this function will not perform any check.
+ *                 You may use mbedtls_pk_check_pair() in order to perform
+ *                 this check yourself, but be aware that this function can
+ *                 be computationally expensive on some key types.
+ *
  * \param conf     SSL configuration
  * \param own_cert own public certificate chain
  * \param pk_key   own private key
@@ -2102,12 +2110,27 @@ void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
 
 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
 /**
- * \brief          Set the maximum fragment length to emit and/or negotiate
+ * \brief          Set the maximum fragment length to emit and/or negotiate.
- *                 (Default: MBEDTLS_SSL_MAX_CONTENT_LEN, usually 2^14 bytes)
+ *                 (Typical: #MBEDTLS_SSL_MAX_CONTENT_LEN, by default that is
+ *                 set to `2^14` bytes)
  *                 (Server: set maximum fragment length to emit,
- *                 usually negotiated by the client during handshake
+ *                 usually negotiated by the client during handshake)
  *                 (Client: set maximum fragment length to emit *and*
  *                 negotiate with the server during handshake)
+ *                 (Default: #MBEDTLS_SSL_MAX_FRAG_LEN_NONE)
+ *
+ * \note           With TLS, this currently only affects ApplicationData (sent
+ *                 with \c mbedtls_ssl_read()), not handshake messages.
+ *                 With DTLS, this affects both ApplicationData and handshake.
+ *
+ * \note           On the client side, the maximum fragment length extension
+ *                 *will not* be used, unless the maximum fragment length has
+ *                 been set via this function to a value different than
+ *                 #MBEDTLS_SSL_MAX_FRAG_LEN_NONE.
+ *
+ * \note           This sets the maximum length for a record's payload,
+ *                 excluding record overhead that will be added to it, see
+ *                 \c mbedtls_ssl_get_record_expansion().
  *
  * \param conf     SSL configuration
  * \param mfl_code Code for maximum fragment length (allowed values:
@@ -2309,13 +2332,14 @@ size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl );
 /**
  * \brief          Return the result of the certificate verification
  *
- * \param ssl      SSL context
+ * \param ssl      The SSL context to use.
  *
- * \return         0 if successful,
+ * \return         \c 0 if the certificate verification was successful.
- *                 -1 if result is not available (eg because the handshake was
+ * \return         \c -1u if the result is not available. This may happen
- *                 aborted too early), or
+ *                 e.g. if the handshake aborts early, or a verification
- *                 a combination of BADCERT_xxx and BADCRL_xxx flags, see
+ *                 callback returned a fatal error.
- *                 x509.h
+ * \return         A bitwise combination of \c MBEDTLS_X509_BADCERT_XXX
+ *                 and \c MBEDTLS_X509_BADCRL_XXX failure flags; see x509.h.
  */
 uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl );
 
@@ -2610,7 +2634,7 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl );
  *                 mbedtls_ssl_config_defaults() or mbedtls_ssl_config_free().
  *
  * \note           You need to call mbedtls_ssl_config_defaults() unless you
- *                 manually set all of the relevent fields yourself.
+ *                 manually set all of the relevant fields yourself.
  *
  * \param conf     SSL configuration context
  */

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/ssl_cache.h

@@ -24,6 +24,12 @@
 #ifndef MBEDTLS_SSL_CACHE_H
 #define MBEDTLS_SSL_CACHE_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "ssl.h"
 
 #if defined(MBEDTLS_THREADING_C)

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/ssl_ciphersuites.h

@@ -24,6 +24,12 @@
 #ifndef MBEDTLS_SSL_CIPHERSUITES_H
 #define MBEDTLS_SSL_CIPHERSUITES_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "pk.h"
 #include "cipher.h"
 #include "md.h"

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/ssl_cookie.h

@@ -24,6 +24,12 @@
 #ifndef MBEDTLS_SSL_COOKIE_H
 #define MBEDTLS_SSL_COOKIE_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "ssl.h"
 
 #if defined(MBEDTLS_THREADING_C)

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/ssl_internal.h

@@ -24,6 +24,12 @@
 #ifndef MBEDTLS_SSL_INTERNAL_H
 #define MBEDTLS_SSL_INTERNAL_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "ssl.h"
 #include "cipher.h"
 

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/ssl_ticket.h

@@ -24,6 +24,12 @@
 #ifndef MBEDTLS_SSL_TICKET_H
 #define MBEDTLS_SSL_TICKET_H
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 /*
  * This implementation of the session ticket callbacks includes key
  * management, rotating the keys periodically in order to preserve forward
@@ -111,14 +117,14 @@ int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
 /**
  * \brief           Implementation of the ticket write callback
  *
- * \note            See \c mbedlts_ssl_ticket_write_t for description
+ * \note            See \c mbedtls_ssl_ticket_write_t for description
  */
 mbedtls_ssl_ticket_write_t mbedtls_ssl_ticket_write;
 
 /**
  * \brief           Implementation of the ticket parse callback
  *
- * \note            See \c mbedlts_ssl_ticket_parse_t for description
+ * \note            See \c mbedtls_ssl_ticket_parse_t for description
  */
 mbedtls_ssl_ticket_parse_t mbedtls_ssl_ticket_parse;
 

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/version.h

@@ -40,16 +40,16 @@
  */
 #define MBEDTLS_VERSION_MAJOR  2
 #define MBEDTLS_VERSION_MINOR  7
-#define MBEDTLS_VERSION_PATCH  5
+#define MBEDTLS_VERSION_PATCH  12
 
 /**
  * The single version number has the following structure:
  *    MMNNPP00
  *    Major version | Minor version | Patch version
  */
-#define MBEDTLS_VERSION_NUMBER         0x02070500
+#define MBEDTLS_VERSION_NUMBER         0x02070C00
-#define MBEDTLS_VERSION_STRING         "2.7.5"
+#define MBEDTLS_VERSION_STRING         "2.7.12"
-#define MBEDTLS_VERSION_STRING_FULL    "mbed TLS 2.7.5"
+#define MBEDTLS_VERSION_STRING_FULL    "mbed TLS 2.7.12"
 
 #if defined(MBEDTLS_VERSION_C)
 

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/x509.h

@@ -77,7 +77,7 @@
 #define MBEDTLS_ERR_X509_ALLOC_FAILED                     -0x2880  /**< Allocation of memory failed. */
 #define MBEDTLS_ERR_X509_FILE_IO_ERROR                    -0x2900  /**< Read/write of file failed. */
 #define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL                 -0x2980  /**< Destination buffer is too small. */
-#define MBEDTLS_ERR_X509_FATAL_ERROR                      -0x3000  /**< A fatal error occured, eg the chain is too long or the vrfy callback failed. */
+#define MBEDTLS_ERR_X509_FATAL_ERROR                      -0x3000  /**< A fatal error occurred, eg the chain is too long or the vrfy callback failed. */
 /* \} name */
 
 /**
@@ -250,7 +250,7 @@ int mbedtls_x509_serial_gets( char *buf, size_t size, const mbedtls_x509_buf *se
  *
  * \param to       mbedtls_x509_time to check
  *
- * \return         1 if the given time is in the past or an error occured,
+ * \return         1 if the given time is in the past or an error occurred,
  *                 0 otherwise.
  */
 int mbedtls_x509_time_is_past( const mbedtls_x509_time *to );
@@ -264,7 +264,7 @@ int mbedtls_x509_time_is_past( const mbedtls_x509_time *to );
  *
  * \param from     mbedtls_x509_time to check
  *
- * \return         1 if the given time is in the future or an error occured,
+ * \return         1 if the given time is in the future or an error occurred,
  *                 0 otherwise.
  */
 int mbedtls_x509_time_is_future( const mbedtls_x509_time *from );

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/x509_crl.h

@@ -111,7 +111,7 @@ int mbedtls_x509_crl_parse_der( mbedtls_x509_crl *chain,
 /**
  * \brief          Parse one or more CRLs and append them to the chained list
  *
- * \note           Mutliple CRLs are accepted only if using PEM format
+ * \note           Multiple CRLs are accepted only if using PEM format
  *
  * \param chain    points to the start of the chain
  * \param buf      buffer holding the CRL data in PEM or DER format
@@ -126,7 +126,7 @@ int mbedtls_x509_crl_parse( mbedtls_x509_crl *chain, const unsigned char *buf, s
 /**
  * \brief          Load one or more CRLs and append them to the chained list
  *
- * \note           Mutliple CRLs are accepted only if using PEM format
+ * \note           Multiple CRLs are accepted only if using PEM format
  *
  * \param chain    points to the start of the chain
  * \param path     filename to read the CRLs from (in PEM or DER encoding)

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/x509_crt.h

@@ -100,7 +100,7 @@ mbedtls_x509_crt;
  * Build flag from an algorithm/curve identifier (pk, md, ecp)
  * Since 0 is always XXX_NONE, ignore it.
  */
-#define MBEDTLS_X509_ID_FLAG( id )   ( 1 << ( id - 1 ) )
+#define MBEDTLS_X509_ID_FLAG( id )   ( 1 << ( ( id ) - 1 ) )
 
 /**
  * Security profile for certificate verification.
@@ -177,19 +177,34 @@ int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain, const unsigned char *bu
                         size_t buflen );
 
 /**
- * \brief          Parse one or more certificates and add them
+ * \brief          Parse one DER-encoded or one or more concatenated PEM-encoded
- *                 to the chained list. Parses permissively. If some
+ *                 certificates and add them to the chained list.
- *                 certificates can be parsed, the result is the number
- *                 of failed certificates it encountered. If none complete
- *                 correctly, the first error is returned.
  *
- * \param chain    points to the start of the chain
+ *                 For CRTs in PEM encoding, the function parses permissively:
- * \param buf      buffer holding the certificate data in PEM or DER format
+ *                 if at least one certificate can be parsed, the function
- * \param buflen   size of the buffer
+ *                 returns the number of certificates for which parsing failed
- *                 (including the terminating null byte for PEM data)
+ *                 (hence \c 0 if all certificates were parsed successfully).
+ *                 If no certificate could be parsed, the function returns
+ *                 the first (negative) error encountered during parsing.
+ *
+ *                 PEM encoded certificates may be interleaved by other data
+ *                 such as human readable descriptions of their content, as
+ *                 long as the certificates are enclosed in the PEM specific
+ *                 '-----{BEGIN/END} CERTIFICATE-----' delimiters.
+ *
+ * \param chain    The chain to which to add the parsed certificates.
+ * \param buf      The buffer holding the certificate data in PEM or DER format.
+ *                 For certificates in PEM encoding, this may be a concatenation
+ *                 of multiple certificates; for DER encoding, the buffer must
+ *                 comprise exactly one certificate.
+ * \param buflen   The size of \p buf, including the terminating \c NULL byte
+ *                 in case of PEM encoded data.
+ *
+ * \return         \c 0 if all certificates were parsed successfully.
+ * \return         The (positive) number of certificates that couldn't
+ *                 be parsed if parsing was partly successful (see above).
+ * \return         A negative X509 or PEM error code otherwise.
  *
- * \return         0 if all certificates parsed successfully, a positive number
- *                 if partly successful or a specific X509 or PEM error code
  */
 int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen );
 

Sources/OpenVPNAdapter/Libraries/Vendors/mbedtls/include/mbedtls/x509_csr.h

@@ -205,6 +205,14 @@ void mbedtls_x509write_csr_set_md_alg( mbedtls_x509write_csr *ctx, mbedtls_md_ty
  * \param key_usage key usage flags to set
  *
  * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
+ *
+ * \note            The <code>decipherOnly</code> flag from the Key Usage
+ *                  extension is represented by bit 8 (i.e.
+ *                  <code>0x8000</code>), which cannot typically be represented
+ *                  in an unsigned char. Therefore, the flag
+ *                  <code>decipherOnly</code> (i.e.
+ *                  #MBEDTLS_X509_KU_DECIPHER_ONLY) cannot be set using this
+ *                  function.
  */
 int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned char key_usage );
 

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/.travis.yml

@@ -1,19 +1,17 @@
-dist: trusty
+dist: bionic
-
 os: linux
-
 language: cpp
 
 env:
   global:
     - secure: "dqiLqbzug/xs6F4Q9ei1pGpNf9Q6H3+iKN1W+P0TtODbCXPr/mLWdvHGVMIMqr7H7rBrIUPFPrfqd80nu3jQuQonjcHK/XyJJfmf5hUdhGAszSaixhWnGfVmn/VSV7/5+9DGAU3l9S6YZg4lvi12+cOrlblNgx8GeI5VdN/6HBSHkEqKNI56qn3Y+ugSdLeL1opmzlY58vRsCCmpBH8Ronn4tmSyi85/WZXfF43o9FGGJcygdh6QVWA1CDdNMeLTCt9ld+oToUIiFLiUrhfS1JpSvzysz2xsuEntxZaTMDYPyL4+O8Mj/scl6ejLLXzxTNa7AZOgySLBahf+F4b+yhL1deSVuu40MfxPW6XiM1jKy3KPH/GlYgM8CZQ3D1hQIq1CIUg8DgnTa06RUzevsR5DqDvz+EcPanFHE7dHGrPy9Rs/0y59dNHp3qWKjWMoSA06GerbF61XFOb4mcE29053kV8uxqIa5ZShZ/ndoLeVpQ4mZ+/XSkUybysVl0gWrKnnNNEPtqrdmKf+jlmKY0jyRPdwf425Ldn+wcbGw9ZEnkosYzqAhDBDX4OETAKLi8G0FEYECKKQcd1OX+HNvsOIyOAoLOj7H30F8UkPsjR3ysdIEmc6702ly06gDYjWmwQaCigL/1ktRKgf7ePB0HS+8fOa5SML7619kQrGrWA="
     - PREFIX="${HOME}/opt"
-    - ASIO_VERSION="862aed305dcf91387535519c9549c17630339a12"
+    - ASIO_VERSION="90f32660cd503494b3707840cfbd5434d8e9dabe"
     - LZ4_VERSION="1.8.3"
     - MBEDTLS_VERSION="2.7.5"
     - MBEDTLS_CFLAGS="-I${PREFIX}/include"
     - MBEDTLS_LIBS="-lmbedtls -lmbedx509 -lmbedcrypto"
-    - OPENSSL_VERSION="1.0.2l"
+    - OPENSSL_VERSION="1.0.2s"
     - OPENSSL_CFLAGS="-I${PREFIX}/include"
     - OPENSSL_LIBS="-lssl -lcrypto"
     - COVERITY_BRANCH="master"
@@ -22,9 +20,11 @@ matrix:
   include:
     - env: SSLLIB="openssl"
       os: osx
+      osx_image: xcode10.2
       compiler: clang
     - env: SSLLIB="mbedtls"
       os: osx
+      osx_image: xcode10.2
       compiler: clang
     - env: SSLLIB="openssl" RUN_COVERITY_SCAN="1"
       os: linux

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/.travis/build-check.sh

@@ -25,11 +25,11 @@ else
 fi
 
 LIBS="${SSL_LIBS} -llz4"
-CXXFLAGS="-O3 -std=c++11 -Wall -pthread \
+CXXFLAGS="-O3 -std=c++14 -Wall -pthread \
           -DOPENVPN_SHOW_SESSION_TOKEN -DHAVE_LZ4 \
           -DUSE_ASIO -DASIO_STANDALONE -DASIO_NO_DEPRECATED ${SSL_CFLAGS}"
 
-if [[ "${CC}" == "gcc"* ]]; then
+if [ "${CC}" = "gcc" ]; then
     CXXFLAGS="${CXXFLAGS} -fwhole-program -flto=4"
 fi
 

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/README.rst

@@ -117,6 +117,7 @@ not required for Mac builds.
 
 Build the dependencies::
 
+    $ DL=~/Downloads
     $ OSX_ONLY=1 $O3/core/scripts/mac/build-all
 
 Now build the OpenVPN 3 client executable::
@@ -125,7 +126,7 @@ Now build the OpenVPN 3 client executable::
     $ . vars/vars-osx64
     $ . vars/setpath
     $ cd test/ovpncli
-    $ MTLS=1 LZ4=1 build cli
+    $ MTLS=1 LZ4=1 ASIO=1 build cli
 
 This will build the OpenVPN 3 client library with a small client
 wrapper (``cli``).  It will also statically link in all external
@@ -151,8 +152,9 @@ Building the OpenVPN 3 client on Windows
 
 Prerequisites:
 
- - Visual Studio 2017
+* Visual Studio 2017
- - Python 2.7
+* Python 2.7
+* Perl (for building openssl)
 
 Clone the OpenVPN 3 source repo::
 
@@ -160,19 +162,19 @@ Clone the OpenVPN 3 source repo::
   > c:\Temp>cd O3
   > c:\Temp\O3>git clone https://github.com/OpenVPN/openvpn3.git core
 
+Add environment variable ``O3`` with value ``c:\Temp\O3`` and reopen commmand prompt.
+
 Download and build dependencies::
 
   > c:\Temp\O3>cd core\win
-  > c:\Temp\O3\core\win>set O3=C:\Temp\O3 && python buildep.py
+  > c:\Temp\O3\core\win>set STATIC=1&& set DEBUG=1&& python buildep.py
 
-Build test client::
+Now you can open project in Visual Studio. Project and solution files are
+located in ``O3\core\win`` directory.
 
-  > c:\Temp\O3\core\win>set O3=C:\Temp\O3 && python build.py
+You can also build the test client from command prompt::
-
-Visual Studio 2017 project and solution files are located in ``O3\core\win`` directory.
-Before opening project you need to build dependencies and define OVPN3_ROOT
-environmental variable (``C:\Temp\O3`` from example above).
 
+  > c:\Temp\O3\core\win>set STATIC=1&& set DEBUG=1&& python build.py
 
 Testing
 -------

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/appveyor.yml

@@ -1,24 +1,32 @@
 version: 1.0.{build}
 
-image: Visual Studio 2017
+image: Visual Studio 2019
 
 clone_folder: c:\ovpn3\core
 
 install:
 - pip install rfc6266 requests
+- if not exist "C:\strawberry" choco install strawberryperl -y
+- set PATH=C:\strawberry\c\bin;C:\strawberry\perl\site\bin;C:\strawberry\perl\bin;%PATH%
 
 environment:
-  MSVC_DIR: C:\Program Files (x86)\Microsoft Visual Studio\2017\Community
+  MSVC_DIR: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community
   O3: C:\ovpn3
   STATIC: 1
 
 before_build:
 - cmd: cd win && python buildep.py
 
+after_build:
+- cmd: copy c:\ovpn3\deps\amd64\openssl\out32dll\ssleay32.dll c:\ovpn3\core\win\x64\ReleaseOpenSSL\
+- cmd: copy c:\ovpn3\deps\amd64\openssl\out32dll\libeay32.dll c:\ovpn3\core\win\x64\ReleaseOpenSSL\
+
 platform: x64
 
-configuration: Release
+configuration: ReleaseOpenSSL
 
 artifacts:
-  - path: win\x64\Release\cli.exe
+  - path: win\x64\ReleaseOpenSSL\cli.exe
+  - path: win\x64\ReleaseOpenSSL\*.dll
+
 

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/client/ovpncli.cpp

@@ -262,7 +262,13 @@ namespace openvpn {
       bool socket_protect(int socket, IP::Addr endpoint) override
       {
 	if (parent)
+	  {
+#if defined(OPENVPN_COMMAND_AGENT) && defined(OPENVPN_PLATFORM_WIN)
+	    return WinCommandAgent::add_bypass_route(endpoint);
+#else
 	    return parent->socket_protect(socket, endpoint.to_string(), endpoint.is_ipv6());
+#endif
+	  }
 	else
 	  return true;
       }
@@ -436,7 +442,10 @@ namespace openvpn {
 	std::string tls_version_min_override;
 	std::string tls_cert_profile_override;
 	std::string gui_version;
+	std::string sso_methods;
 	bool allow_local_lan_access;
+	std::string hw_addr_override;
+	std::string platform_version;
 	ProtoContextOptions::Ptr proto_context_options;
 	PeerInfo::Set::Ptr extra_peer_info;
 	HTTPProxyTransport::Options::Ptr http_proxy_options;
@@ -656,7 +665,7 @@ namespace openvpn {
       catch (const std::exception& e)
 	{
 	  eval.error = true;
-	  eval.message = Unicode::utf8_printable<std::string>(e.what(), 256);
+	  eval.message = Unicode::utf8_printable<std::string>(std::string("ERR_PROFILE_GENERIC: ") + e.what(), 256);
 	}
     }
 
@@ -689,6 +698,9 @@ namespace openvpn {
 	state->tls_cert_profile_override = config.tlsCertProfileOverride;
 	state->allow_local_lan_access = config.allowLocalLanAccess;
 	state->gui_version = config.guiVersion;
+	state->sso_methods = config.ssoMethods;
+	state->platform_version = config.platformVersion;
+	state->hw_addr_override = config.hwAddrOverride;
 	state->alt_proxy = config.altProxy;
 	state->dco = config.dco;
 	state->echo = config.echo;
@@ -801,6 +813,11 @@ namespace openvpn {
       return ret;
     }
 
+    OPENVPN_CLIENT_EXPORT bool OpenVPNClient::socket_protect(int socket, std::string remote, bool ipv6)
+    {
+      return true;
+    }
+
     OPENVPN_CLIENT_EXPORT bool OpenVPNClient::parse_dynamic_challenge(const std::string& cookie, DynamicChallenge& dc)
     {
       try {
@@ -962,14 +979,17 @@ namespace openvpn {
       cc.tls_version_min_override = state->tls_version_min_override;
       cc.tls_cert_profile_override = state->tls_cert_profile_override;
       cc.gui_version = state->gui_version;
+      cc.sso_methods = state->sso_methods;
+      cc.hw_addr_override = state->hw_addr_override;
+      cc.platform_version = state->platform_version;
       cc.extra_peer_info = state->extra_peer_info;
       cc.stop = state->async_stop_local();
       cc.allow_local_lan_access = state->allow_local_lan_access;
 #ifdef OPENVPN_GREMLIN
       cc.gremlin_config = state->gremlin_config;
 #endif
-#if defined(USE_TUN_BUILDER)
       cc.socket_protect = &state->socket_protect;
+#if defined(USE_TUN_BUILDER)
       cc.builder = this;
 #endif
 #if defined(OPENVPN_EXTERNAL_TUN_FACTORY)

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/client/ovpncli.hpp

@@ -172,6 +172,20 @@ namespace openvpn {
       // Passed to server as IV_GUI_VER.
       std::string guiVersion;
 
+      // Set to a comma seperated list of supported SSO mechanisms that may
+      // be signalled via INFO_PRE to the client.
+      // "openurl" is to continue authentication by opening an url in a browser
+      // "crtext" gives a challenge response in text format that needs to
+      // responded via control channel. (
+      // Passed to the server as IV_SSO
+      std::string ssoMethods;
+
+      // Override the string that is passed as IV_HWADDR to the server
+      std::string hwAddrOverride;
+
+      // Set the string that is passed to the server as IV_PLAT_VER
+      std::string platformVersion;
+
       // Use a different server than that specified in "remote"
       // option of profile
       std::string serverOverride;
@@ -481,7 +495,7 @@ namespace openvpn {
       // Callback to "protect" a socket from being routed through the tunnel.
       // Will be called from the thread executing connect().
       // The remote and ipv6 are the remote host this socket will connect to
-      virtual bool socket_protect(int socket, std::string remote, bool ipv6) = 0;
+      virtual bool socket_protect(int socket, std::string remote, bool ipv6);
 
       // Primary VPN client connect method, doesn't return until disconnect.
       // Should be called by a worker thread.  This method will make callbacks

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/deps/lib-versions

@@ -1,11 +1,11 @@
-export ASIO_VERSION=asio-1-13-0
+export ASIO_VERSION=asio-1-14-0
-export ASIO_CSUM=54a1208d20f2104dbd6b7a04a9262f5ab649f4b7a9faf7eac4c2294e9e104c06
+export ASIO_CSUM=bdb01a649c24d73ca4a836662e7af442d935313ed6deef6b07f17f3bc5f78d7a
 
 export LZ4_VERSION=lz4-1.8.3
 export LZ4_CSUM=33af5936ac06536805f9745e0b6d61da606a1f8b4cc5c04dd3cbaca3b9b4fc43
 
-export MBEDTLS_VERSION=mbedtls-2.7.5
+export MBEDTLS_VERSION=mbedtls-2.7.12
-export MBEDTLS_CSUM=a1302ad9094aabb9880d2755927b466a6bac8e02b68e04dee77321f3859e9b40
+export MBEDTLS_CSUM=d3a36dbc9f607747daa6875c1ab2e41f49eff5fc99d3436b4f3ac90c89f3c143
 
 export JSONCPP_VERSION=1.8.4
 export JSONCPP_CSUM=c49deac9e0933bcb7044f08516861a2d560988540b23de2ac1ad443b219afdb6

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/deps/mbedtls/patches/0002-Enable-allowing-unsupported-critical-extensions-in-r.patch

@@ -1,8 +1,7 @@
-From c6963e33209e7fd40d65513e06c1bbb20319abe3 Mon Sep 17 00:00:00 2001
+From 076f1437fe82de0b1f0ecf9a7ca031cd94c0c579 Mon Sep 17 00:00:00 2001
 From: Lev Stipakov <lev@openvpn.net>
 Date: Fri, 23 Feb 2018 17:12:49 +0200
-Subject: [PATCH 2/2] Enable allowing unsupported critical extensions in
+Subject: [PATCH] Enable allowing unsupported critical extensions in runtime
- runtime
 
 When compile time flag MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
 is not set, certificate parsing fails if certificate contains unsupported critical extension.
@@ -55,7 +54,7 @@ index 408645ece..b116736f8 100644
  
  /**
 diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
-index c6e453274..72374e36b 100644
+index 5fd6969da..1087ea166 100644
 --- a/include/mbedtls/ssl.h
 +++ b/include/mbedtls/ssl.h
 @@ -696,6 +696,10 @@ struct mbedtls_ssl_config
@@ -69,7 +68,7 @@ index c6e453274..72374e36b 100644
  #if defined(MBEDTLS_SSL_RENEGOTIATION)
      int renego_max_records;         /*!< grace period for renegotiation     */
      unsigned char renego_period[8]; /*!< value of the record counters
-@@ -2275,6 +2279,24 @@ void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
+@@ -2298,6 +2302,24 @@ void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
                                     const unsigned char period[8] );
  #endif /* MBEDTLS_SSL_RENEGOTIATION */
  
@@ -95,7 +94,7 @@ index c6e453274..72374e36b 100644
   * \brief          Return the number of data bytes available to read
   *
 diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
-index ac23cffe8..2e489915f 100644
+index e72231ee8..9df19e52c 100644
 --- a/include/mbedtls/x509_crt.h
 +++ b/include/mbedtls/x509_crt.h
 @@ -90,6 +90,8 @@ typedef struct mbedtls_x509_crt
@@ -220,10 +219,10 @@ index edea950f8..a756d2801 100644
  static const mbedtls_oid_descriptor_t oid_ext_key_usage[] =
  {
 diff --git a/library/ssl_tls.c b/library/ssl_tls.c
-index ca9b8c432..dba0d5122 100644
+index 1270ee9b8..2ce3f9b7d 100644
 --- a/library/ssl_tls.c
 +++ b/library/ssl_tls.c
-@@ -4656,6 +4656,9 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
+@@ -4668,6 +4668,9 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
  
      mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert );
  
@@ -233,7 +232,7 @@ index ca9b8c432..dba0d5122 100644
      i += 3;
  
      while( i < ssl->in_hslen )
-@@ -6586,6 +6589,11 @@ void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
+@@ -6626,6 +6629,11 @@ void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
  }
  #endif /* MBEDTLS_SSL_RENEGOTIATION */
  
@@ -246,18 +245,18 @@ index ca9b8c432..dba0d5122 100644
  #if defined(MBEDTLS_SSL_CLI_C)
  void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets )
 diff --git a/library/x509_crt.c b/library/x509_crt.c
-index 6751da0d2..149149b96 100644
+index 3ad53a715..130b3ad1b 100644
 --- a/library/x509_crt.c
 +++ b/library/x509_crt.c
-@@ -530,6 +530,7 @@ static int x509_get_crt_ext( unsigned char **p,
+@@ -539,6 +539,7 @@ static int x509_get_crt_ext( unsigned char **p,
      int ret;
      size_t len;
      unsigned char *end_ext_data, *end_ext_octet;
 +    int is_supported;
  
-     if( ( ret = mbedtls_x509_get_ext( p, end, &crt->v3_ext, 3 ) ) != 0 )
+     if( *p == end )
-     {
+         return( 0 );
-@@ -589,9 +590,9 @@ static int x509_get_crt_ext( unsigned char **p,
+@@ -593,9 +594,9 @@ static int x509_get_crt_ext( unsigned char **p,
          /*
           * Detect supported extensions
           */
@@ -269,7 +268,7 @@ index 6751da0d2..149149b96 100644
          {
              /* No parser found, skip extension */
              *p = end_ext_octet;
-@@ -599,6 +600,10 @@ static int x509_get_crt_ext( unsigned char **p,
+@@ -603,6 +604,10 @@ static int x509_get_crt_ext( unsigned char **p,
  #if !defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
              if( is_critical )
              {
@@ -280,7 +279,7 @@ index 6751da0d2..149149b96 100644
                  /* Data is marked as critical: fail */
                  return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
                          MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
-@@ -952,6 +957,7 @@ int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain, const unsigned char *bu
+@@ -956,6 +961,7 @@ int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain, const unsigned char *bu
  
          prev = crt;
          mbedtls_x509_crt_init( crt->next );
@@ -315,10 +314,10 @@ index 000000000..7e0c56134
 +OwQ6w1HweApjB46bGyILpGUi9MZhvCnoLWg+cN3/wQ==
 +-----END CERTIFICATE-----
 diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
-index 406cf5931..212a2825a 100644
+index 0fe68cb06..e39f065e2 100644
 --- a/tests/suites/test_suite_x509parse.data
 +++ b/tests/suites/test_suite_x509parse.data
-@@ -1766,6 +1766,12 @@ X509 File parse (trailing spaces, OK)
+@@ -1798,6 +1798,12 @@ X509 File parse (trailing spaces, OK)
  depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
  x509parse_crt_file:"data_files/server7_trailing_space.crt":0
  
@@ -332,10 +331,10 @@ index 406cf5931..212a2825a 100644
  depends_on:MBEDTLS_X509_USE_C
  x509_get_time:MBEDTLS_ASN1_UTC_TIME:"500101000000Z":0:1950:1:1:0:0:0
 diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
-index 06f010828..75936010f 100644
+index 584ee822b..c12a0e0ef 100644
 --- a/tests/suites/test_suite_x509parse.function
 +++ b/tests/suites/test_suite_x509parse.function
-@@ -437,6 +437,21 @@ exit:
+@@ -448,6 +448,21 @@ exit:
  }
  /* END_CASE */
  
@@ -358,5 +357,5 @@ index 06f010828..75936010f 100644
  void x509parse_crt( char *crt_data, char *result_str, int result )
  {
 -- 
-2.18.0
+2.22.0.windows.1
 

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/addr/ip.hpp

@@ -268,7 +268,7 @@ namespace openvpn {
 	  }
 	else
 	  {
-	    a.ver = V4;
+	    a.ver = V6;
 	    a.u.v6 = IPv6::Addr::from_byte_string(bytestr);
 	  }
 	return a;

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/addr/ipv4.hpp

@@ -35,6 +35,7 @@
 #include <openvpn/common/socktypes.hpp>
 #include <openvpn/common/ffs.hpp>
 #include <openvpn/common/hexstr.hpp>
+#include <openvpn/common/hash.hpp>
 #include <openvpn/addr/iperr.hpp>
 
 namespace openvpn {

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/addr/ipv6.hpp

@@ -34,6 +34,7 @@
 #include <openvpn/common/socktypes.hpp>
 #include <openvpn/common/ffs.hpp>
 #include <openvpn/common/hexstr.hpp>
+#include <openvpn/common/hash.hpp>
 #include <openvpn/addr/ipv4.hpp>
 #include <openvpn/addr/iperr.hpp>
 

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/addr/randaddr.hpp

@@ -53,6 +53,7 @@ namespace openvpn {
 	}
     }
 
+    // bit positions between templ.prefix_len and prefix_len are randomized
     inline Route random_subnet(const Route& templ,
 			       const unsigned int prefix_len,
 			       RandomAPI& prng)

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/apple/reachable.hpp

@@ -202,6 +202,8 @@ namespace openvpn {
     virtual Type vtype() const = 0;
     virtual Status vstatus(const SCNetworkReachabilityFlags flags) const = 0;
 
+    virtual ~ReachabilityBase() {}
+
     CF::NetworkReachability reach;
   };
 

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/asio/asiopolysock.hpp

@@ -48,6 +48,12 @@
 
 namespace openvpn {
   namespace AsioPolySock {
+    // for shutdown()
+    enum ShutdownFlags {
+      SHUTDOWN_SEND = (1<<0),
+      SHUTDOWN_RECV = (1<<1),
+    };
+
     class Base : public RC<thread_unsafe_refcount>
     {
     public:
@@ -66,6 +72,8 @@ namespace openvpn {
 
       virtual void close() = 0;
 
+      virtual void shutdown(const unsigned int flags) {}
+
       virtual void tcp_nodelay() {}
       virtual void set_cloexec() {}
 
@@ -171,6 +179,14 @@ namespace openvpn {
       }
 #endif
 
+      virtual void shutdown(const unsigned int flags) override
+      {
+	if (flags & SHUTDOWN_SEND)
+	  socket.shutdown(openvpn_io::ip::tcp::socket::shutdown_send);
+	else if (flags & SHUTDOWN_RECV)
+	  socket.shutdown(openvpn_io::ip::tcp::socket::shutdown_receive);
+      }
+
       virtual void close() override
       {
 	socket.close();
@@ -194,7 +210,8 @@ namespace openvpn {
 #if defined(OPENVPN_POLYSOCK_SUPPORTS_ALT_ROUTING)
       virtual std::string remote_endpoint_str() const override
       {
-	return "TCP ALT " + socket.to_string();
+	const char *proto = (socket.alt_routing_enabled() ? "TCP ALT " : "TCP ");
+	return proto + socket.to_string();
       }
 
       virtual bool alt_routing_enabled() override
@@ -261,6 +278,14 @@ namespace openvpn {
 	  SockOpt::set_cloexec(fd);
       }
 
+      virtual void shutdown(const unsigned int flags) override
+      {
+	if (flags & SHUTDOWN_SEND)
+	  socket.shutdown(openvpn_io::ip::tcp::socket::shutdown_send);
+	else if (flags & SHUTDOWN_RECV)
+	  socket.shutdown(openvpn_io::ip::tcp::socket::shutdown_receive);
+      }
+
       virtual void close() override
       {
 	socket.close();

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/asio/asiosignal.hpp

@@ -78,7 +78,6 @@ namespace openvpn {
 		         S_SIGINT
 		       | S_SIGTERM
 #ifndef OPENVPN_PLATFORM_WIN
-		       | S_SIGQUIT
 		       | S_SIGHUP
 		       | S_SIGUSR1
 		       | S_SIGUSR2

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/auth/authcert.hpp

@@ -35,14 +35,16 @@
 #include <openvpn/common/binprefix.hpp>
 #include <openvpn/common/to_string.hpp>
 #include <openvpn/pki/x509track.hpp>
+#include <openvpn/ssl/sni_metadata.hpp>
 
 namespace openvpn {
 
     class OpenSSLContext;
     class MbedTLSContext;
 
-    struct AuthCert : public RC<thread_unsafe_refcount>
+    class AuthCert : public RC<thread_unsafe_refcount>
     {
+    public:
       // AuthCert needs to friend SSL implementation classes
       friend class OpenSSLContext;
       friend class MbedTLSContext;
@@ -52,16 +54,18 @@ namespace openvpn {
       class Fail
       {
       public:
-	// ordered by priority
+	// Ordered by severity.  If many errors are present, the
+	// most severe error will be returned by get_code().
 	enum Type {
 	  OK=0,                // OK MUST be 0
-	  OTHER,
+	  EXPIRED,             // less severe...
 	  BAD_CERT_TYPE,
-	  EXPIRED,
+	  CERT_FAIL,
+	  SNI_ERROR,           // more severe...
 	  N
 	};
 
-	void add_fail(const size_t depth, const Type new_code, const char *reason)
+	void add_fail(const size_t depth, const Type new_code, std::string reason)
 	{
 	  if (new_code > code)
 	    code = new_code;
@@ -69,7 +73,7 @@ namespace openvpn {
 	    errors.emplace_back();
 	  std::string& err = errors[depth];
 	  if (err.empty())
-	    err = reason;
+	    err = std::move(reason);
 	  else if (err.find(reason) == std::string::npos)
 	    {
 	      err += ", ";
@@ -111,19 +115,21 @@ namespace openvpn {
 	  return ret;
 	}
 
-	static const char *render_code(const Type code)
+	static std::string render_code(const Type code)
 	{
 	  switch (code)
 	    {
 	    case OK:
 	      return "OK";
-	    case OTHER:
+	    case CERT_FAIL:
 	    default:
 	      return "CERT_FAIL";
 	    case BAD_CERT_TYPE:
 	      return "BAD_CERT_TYPE";
 	    case EXPIRED:
 	      return "EXPIRED";
+	    case SNI_ERROR:
+	      return "SNI_ERROR";
 	    }
 	}
 
@@ -143,6 +149,11 @@ namespace openvpn {
 	return sn >= 0;
       }
 
+      bool sni_defined() const
+      {
+	return !sni.empty();
+      }
+
       bool cn_defined() const
       {
 	return !cn.empty();
@@ -161,7 +172,7 @@ namespace openvpn {
 
       bool operator==(const AuthCert& other) const
       {
-	return cn == other.cn && sn == other.sn && !std::memcmp(issuer_fp, other.issuer_fp, sizeof(issuer_fp));
+	return sni == other.sni && cn == other.cn && sn == other.sn && !std::memcmp(issuer_fp, other.issuer_fp, sizeof(issuer_fp));
       }
 
       bool operator!=(const AuthCert& other) const
@@ -172,6 +183,10 @@ namespace openvpn {
       std::string to_string() const
       {
 	std::ostringstream os;
+	if (!sni.empty())
+	  os << "SNI=" << sni << ' ';
+	if (sni_metadata)
+	  os << "SNI_CN=" << sni_metadata->sni_client_name(*this) << ' ';
 	os << "CN=" << cn
 	   << " SN=" << sn
 	   << " ISSUER_FP=" << issuer_fp_str(false);
@@ -194,6 +209,21 @@ namespace openvpn {
 	  return cn;
       }
 
+      // Allow sni_metadata object, if it exists, to generate the client name.
+      // Otherwise fall back to normalize_cn().
+      std::string sni_client_name() const
+      {
+	if (sni_metadata)
+	  return sni_metadata->sni_client_name(*this);
+	else
+	  return normalize_cn();
+      }
+
+      const std::string& get_sni() const
+      {
+	return sni;
+      }
+
       const std::string& get_cn() const
       {
 	return cn;
@@ -214,11 +244,11 @@ namespace openvpn {
 	return std::move(x509_track);
       }
 
-      void add_fail(const size_t depth, const Fail::Type new_code, const char *reason)
+      void add_fail(const size_t depth, const Fail::Type new_code, std::string reason)
       {
 	if (!fail)
 	  fail.reset(new Fail());
-	fail->add_fail(depth, new_code, reason);
+	fail->add_fail(depth, new_code, std::move(reason));
       }
 
       bool is_fail() const
@@ -231,13 +261,23 @@ namespace openvpn {
 	return fail.get();
       }
 
+      std::string fail_str() const
+      {
+	if (fail)
+	  return fail->to_string(true);
+	else
+	  return "OK";
+      }
+
     private:
+      std::string sni;               // SNI (server name indication)
       std::string cn;                // common name
       long sn;                       // serial number
       unsigned char issuer_fp[20];   // issuer cert fingerprint
 
       std::unique_ptr<Fail> fail;
       std::unique_ptr<X509Track::Set> x509_track;
+      SNI::Metadata::UPtr sni_metadata;
     };
 }
 

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/buffer/buflineiter.hpp

@@ -0,0 +1,58 @@
+//    OpenVPN -- An application to securely tunnel IP networks
+//               over a single port, with support for SSL/TLS-based
+//               session authentication and key exchange,
+//               packet encryption, packet authentication, and
+//               packet compression.
+//
+//    Copyright (C) 2012-2019 OpenVPN Inc.
+//
+//    This program is free software: you can redistribute it and/or modify
+//    it under the terms of the GNU Affero General Public License Version 3
+//    as published by the Free Software Foundation.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU Affero General Public License for more details.
+//
+//    You should have received a copy of the GNU Affero General Public License
+//    along with this program in the COPYING file.
+//    If not, see <http://www.gnu.org/licenses/>.
+
+#pragma once
+
+#include <openvpn/buffer/buffer.hpp>
+
+namespace openvpn {
+
+  // Iterate over the lines in a buffer by returning
+  // a sub-buffer for each line.  Zero-copy.
+  class BufferLineIterator
+  {
+  public:
+    BufferLineIterator(const ConstBuffer& buf)
+      : src(buf)
+    {
+    }
+
+    // Returns a zero-length buffer at end of iteration
+    ConstBuffer next()
+    {
+      return src.read_alloc_buf(line_len());
+    }
+
+  private:
+    size_t line_len() const
+    {
+      const unsigned char *const data = src.c_data();
+      size_t i = 0;
+      while (i < src.size())
+	if (data[i++] == '\n')
+	  break;
+      return i;
+    }
+
+    ConstBuffer src;
+  };
+
+}

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/buffer/bufstatic.hpp

@@ -0,0 +1,45 @@
+//    OpenVPN -- An application to securely tunnel IP networks
+//               over a single port, with support for SSL/TLS-based
+//               session authentication and key exchange,
+//               packet encryption, packet authentication, and
+//               packet compression.
+//
+//    Copyright (C) 2012-2019 OpenVPN Inc.
+//
+//    This program is free software: you can redistribute it and/or modify
+//    it under the terms of the GNU Affero General Public License Version 3
+//    as published by the Free Software Foundation.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU Affero General Public License for more details.
+//
+//    You should have received a copy of the GNU Affero General Public License
+//    along with this program in the COPYING file.
+//    If not, see <http://www.gnu.org/licenses/>.
+
+#pragma once
+
+#include <openvpn/buffer/buffer.hpp>
+
+namespace openvpn {
+
+  // constant-length Buffer for writing that cannot be extended
+  template <std::size_t N>
+  class StaticBuffer : public Buffer
+  {
+  public:
+    StaticBuffer()
+      : Buffer(data, N, false)
+    {
+    }
+
+    StaticBuffer(const StaticBuffer&) = delete;
+    StaticBuffer& operator=(const StaticBuffer&) = delete;
+
+  private:
+    unsigned char data[N];
+  };
+
+}

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/buffer/safestr.hpp

@@ -71,12 +71,12 @@ namespace openvpn {
       return buf_to_string(data);
     }
 
-    const size_t length() const
+    size_t length() const
     {
       return data.size();
     }
 
-    const bool empty() const
+    bool empty() const
     {
       return !length();
     }

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/client/cliconnect.hpp

@@ -460,6 +460,14 @@ namespace openvpn {
 		    stop();
 		  }
 		  break;
+		case Error::TUN_REGISTER_RINGS_ERROR:
+		  {
+		    ClientEvent::Base::Ptr ev = new ClientEvent::TunSetupFailed(client->fatal_reason());
+		    client_options->events().add_event(std::move(ev));
+		    client_options->stats().error(Error::TUN_REGISTER_RINGS_ERROR);
+		    stop();
+		  }
+		  break;
 		case Error::TUN_IFACE_CREATE:
 		  {
 		    ClientEvent::Base::Ptr ev = new ClientEvent::TunIfaceCreate(client->fatal_reason());
@@ -473,7 +481,7 @@ namespace openvpn {
 		    ClientEvent::Base::Ptr ev = new ClientEvent::TunIfaceDisabled(client->fatal_reason());
 		    client_options->events().add_event(std::move(ev));
 		    client_options->stats().error(Error::TUN_IFACE_DISABLED);
-		    stop();
+		    queue_restart(5000);
 		  }
 		  break;
 		case Error::PROXY_ERROR:
@@ -529,7 +537,10 @@ namespace openvpn {
 		    ClientEvent::Base::Ptr ev = new ClientEvent::InactiveTimeout();
 		    client_options->events().add_event(std::move(ev));
 		    client_options->stats().error(Error::INACTIVE_TIMEOUT);
-		    graceful_stop();
+
+		    // explicit exit notify is sent earlier by
+		    // ClientProto::Session::inactive_callback()
+		    stop();
 		  }
 		  break;
 		case Error::TRANSPORT_ERROR:
@@ -548,6 +559,14 @@ namespace openvpn {
 		    queue_restart(5000);
 		  }
 		  break;
+		case Error::TUN_HALT:
+		  {
+		    ClientEvent::Base::Ptr ev = new ClientEvent::TunHalt(client->fatal_reason());
+		    client_options->events().add_event(std::move(ev));
+		    client_options->stats().error(Error::TUN_HALT);
+		    stop();
+		  }
+		  break;
 		case Error::RELAY:
 		  {
 		    ClientEvent::Base::Ptr ev = new ClientEvent::Relay();

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/client/clievent.hpp

@@ -55,6 +55,7 @@ namespace openvpn {
       PAUSE,
       RESUME,
       RELAY,
+      COMPRESSION_ENABLED,
       UNSUPPORTED_FEATURE,
 
       // start of nonfatal errors, must be marked by NONFATAL_ERROR_START below
@@ -68,6 +69,7 @@ namespace openvpn {
       TLS_VERSION_MIN,
       CLIENT_HALT,
       CLIENT_SETUP,
+      TUN_HALT,
       CONNECTION_TIMEOUT,
       INACTIVE_TIMEOUT,
       DYNAMIC_CHALLENGE,
@@ -108,6 +110,7 @@ namespace openvpn {
 	"PAUSE",
 	"RESUME",
 	"RELAY",
+	"COMPRESSION_ENABLED",
 	"UNSUPPORTED_FEATURE",
 
 	// nonfatal errors
@@ -121,6 +124,7 @@ namespace openvpn {
 	"TLS_VERSION_MIN",
 	"CLIENT_HALT",
 	"CLIENT_SETUP",
+	"TUN_HALT",
 	"CONNECTION_TIMEOUT",
 	"INACTIVE_TIMEOUT",
 	"DYNAMIC_CHALLENGE",
@@ -361,6 +365,11 @@ namespace openvpn {
       ClientRestart(std::string reason) : ReasonBase(CLIENT_RESTART, std::move(reason)) {}
     };
 
+    struct TunHalt : public ReasonBase
+    {
+      TunHalt(std::string reason) : ReasonBase(TUN_HALT, std::move(reason)) {}
+    };
+
     struct RelayError : public ReasonBase
     {
       RelayError(std::string reason) : ReasonBase(RELAY_ERROR, std::move(reason)) {}
@@ -456,6 +465,14 @@ namespace openvpn {
       }
     };
 
+    struct CompressionEnabled : public ReasonBase
+    {
+       CompressionEnabled(std::string msg)
+         : ReasonBase(COMPRESSION_ENABLED, std::move(msg))
+       {
+       }
+    };
+
     class Queue : public RC<thread_unsafe_refcount>
     {
     public:

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/client/cliopt.hpp

@@ -120,8 +120,11 @@ namespace openvpn {
     struct Config
     {
       std::string gui_version;
+      std::string sso_methods;
       std::string server_override;
       std::string port_override;
+      std::string hw_addr_override;
+      std::string platform_version;
       Protocol proto_override;
       IPv6Setting ipv6;
       int conn_timeout = 0;
@@ -308,6 +311,13 @@ namespace openvpn {
 
       synchronous_dns_lookup = config.synchronous_dns_lookup;
 
+#ifdef OPENVPN_TLS_LINK
+      if (opt.exists("tls-ca"))
+	{
+	  tls_ca = opt.cat("tls-ca");
+	}
+#endif
+
       // init transport config
       const std::string session_name = load_transport_config();
 
@@ -428,9 +438,11 @@ namespace openvpn {
 	    if (config.tun_persist)
 	      {
 		tunconf->tun_persist.reset(new TunWin::TunPersist(true, false, nullptr));
-	      tunconf->tun_prop.remote_bypass = true;
+#ifndef OPENVPN_COMMAND_AGENT
 		/* remote_list is required by remote_bypass to work */
+		tunconf->tun_prop.remote_bypass = true;
 		tunconf->tun_prop.remote_list = remote_list;
+#endif
 	      }
 #ifdef OPENVPN_COMMAND_AGENT
 	    tunconf->tun_setup_factory = WinCommandAgent::new_agent(opt);
@@ -534,14 +546,27 @@ namespace openvpn {
       // setenv UV_ options
       pi->append_foreign_set_ptr(pcc.peerInfoUV());
 
+      // UI version
+      if (!config.gui_version.empty())
+	pi->emplace_back("IV_GUI_VER", config.gui_version);
+
+      // Supported SSO methods
+      if (!config.sso_methods.empty())
+	pi->emplace_back("IV_SSO", config.sso_methods);
+
       // MAC address
       if (pcc.pushPeerInfo())
 	{
 	  std::string hwaddr = get_hwaddr();
-	  if (!hwaddr.empty())
+	  if (!config.hw_addr_override.empty())
+	    pi->emplace_back("IV_HWADDR", config.hw_addr_override);
+	  else if (!hwaddr.empty())
 	    pi->emplace_back("IV_HWADDR", hwaddr);
-	}
+	  pi->emplace_back ("IV_SSL", get_ssl_library_version());
 
+	  if (!config.platform_version.empty())
+	    pi->emplace_back("IV_PLAT_VER", config.platform_version);
+	}
       return pi;
     }
 
@@ -716,7 +741,6 @@ namespace openvpn {
       cp->ssl_factory = cc->new_factory();
       cp->load(opt, *proto_context_options, config.default_key_direction, false);
       cp->set_xmit_creds(!autologin || pcc.hasEmbeddedPassword() || autologin_sessions);
-      cp->gui_version = config.gui_version;
       cp->force_aes_cbc_ciphersuites = config.force_aes_cbc_ciphersuites; // also used to disable proto V2
       cp->extra_peer_info = build_peer_info(config, pcc, autologin_sessions);
       cp->frame = frame;
@@ -825,6 +849,7 @@ namespace openvpn {
 #ifdef OPENVPN_TLS_LINK
 	      if (transport_protocol.is_tls())
 		tcpconf->use_tls = true;
+	      tcpconf->tls_ca = tls_ca;
 #endif
 #ifdef OPENVPN_GREMLIN
 	      tcpconf->gremlin_config = gremlin_config;
@@ -881,6 +906,9 @@ namespace openvpn {
     DCO::Ptr dco;
 #ifdef OPENVPN_EXTERNAL_TRANSPORT_FACTORY
     ExternalTransport::Factory* extern_transport_factory;
+#endif
+#ifdef OPENVPN_TLS_LINK
+    std::string tls_ca;
 #endif
   };
 }

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/client/cliopthelper.hpp

@@ -97,7 +97,7 @@ namespace openvpn {
 		  if (arg1 == "GENERIC_CONFIG")
 		    {
 		      error_ = true;
-		      message_ = "SERVER_LOCKED_UNSUPPORTED: server locked profiles are currently unsupported";
+		      message_ = "ERR_PROFILE_SERVER_LOCKED_UNSUPPORTED: server locked profiles are currently unsupported";
 		      return;
 		    }
 		  else if (arg1 == "ALLOW_PASSWORD_SAVE")
@@ -307,7 +307,7 @@ namespace openvpn {
       catch (const std::exception& e)
 	{
 	  error_ = true;
-	  message_ = Unicode::utf8_printable<std::string>(e.what(), 256);
+	  message_ = Unicode::utf8_printable<std::string>(std::string("ERR_PROFILE_GENERIC: ") + e.what(), 256);
 	}
     }
 
@@ -374,7 +374,7 @@ namespace openvpn {
 	{
 	  ParseClientConfig ret;
 	  ret.error_ = true;
-	  ret.message_ = Unicode::utf8_printable<std::string>(e.what(), 256);
+	  ret.message_ = Unicode::utf8_printable<std::string>(std::string("ERR_PROFILE_GENERIC: ") + e.what(), 256);
           return ret;
 	}
     }
@@ -558,8 +558,8 @@ namespace openvpn {
 
         // JSON config is aimed to users, therefore we do not export the raw private
         // key, but only some basic info
-        SSLConfigAPI::PKType priv_key_type = sslConfig->private_key_type();
+        PKType::Type priv_key_type = sslConfig->private_key_type();
-        if (priv_key_type != SSLConfigAPI::PK_NONE)
+        if (priv_key_type != PKType::PK_NONE)
         {
 	  root["key"] = Json::Value(Json::objectValue);
 	  root["key"]["type"] = Json::Value(sslConfig->private_key_type_string());

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/client/cliproto.hpp

@@ -506,7 +506,7 @@ namespace openvpn {
 	{
 	  const Option* o = opt.get_ptr("auth-token-user");
 	  if (o)
-	    username = base64->decode(o->get(1, 256));
+	    username = base64->decode(o->get(1, 340)); // 255 chars after base64 decode
 	}
 
 	// auth-token
@@ -601,6 +601,20 @@ namespace openvpn {
 
 		// send the Connected event
 		cli_events->add_event(connected_);
+
+		// Issue an event if compression is enabled
+		CompressContext::Type comp_type = Base::conf().comp_ctx.type();
+		if (comp_type != CompressContext::NONE
+		    && !CompressContext::is_any_stub(comp_type))
+		{
+		  std::ostringstream msg;
+		  msg << (proto_context_options->is_comp_asym()
+			  ? "Asymmetric compression enabled.  Server may send compressed data."
+			  : "Compression enabled.");
+		  msg << "  This may be a potential security issue.";
+		  ClientEvent::Base::Ptr ev = new ClientEvent::CompressionEnabled(msg.str());
+		  cli_events->add_event(std::move(ev));
+		}
 	      }
 	    else
 	      OPENVPN_LOG("Options continuation...");
@@ -739,6 +753,8 @@ namespace openvpn {
 
       virtual void tun_error(const Error::Type fatal_err, const std::string& err_text)
       {
+	if (fatal_err == Error::TUN_HALT)
+	  send_explicit_exit_notify();
 	if (fatal_err != Error::UNDEF)
 	  {
 	    fatal_ = fatal_err;

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/client/remotelist.hpp

@@ -759,7 +759,7 @@ namespace openvpn {
 
     // return the current primary index (into list) and raise an exception
     // if it is undefined
-    const size_t primary_index() const
+    size_t primary_index() const
     {
       const size_t pri = index.primary();
       if (pri < list.size())
@@ -890,7 +890,7 @@ namespace openvpn {
 		  }
 		else
 		  e->server_port = default_port;
-		if (o.size() >= 4+adj)
+		if (o.size() >= (size_t)(4+adj))
 		  e->transport_protocol = Protocol::parse(o.get(3+adj, 16), Protocol::CLIENT_SUFFIX);
 		else
 		  e->transport_protocol = default_proto;

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/common/clamp.hpp

@@ -0,0 +1,39 @@
+//    OpenVPN -- An application to securely tunnel IP networks
+//               over a single port, with support for SSL/TLS-based
+//               session authentication and key exchange,
+//               packet encryption, packet authentication, and
+//               packet compression.
+//
+//    Copyright (C) 2012-2019 OpenVPN Inc.
+//
+//    This program is free software: you can redistribute it and/or modify
+//    it under the terms of the GNU Affero General Public License Version 3
+//    as published by the Free Software Foundation.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU Affero General Public License for more details.
+//
+//    You should have received a copy of the GNU Affero General Public License
+//    along with this program in the COPYING file.
+//    If not, see <http://www.gnu.org/licenses/>.
+
+#pragma once
+
+// loose emulation of std::clamp for pre-C++17
+
+namespace openvpn {
+
+  template <typename T>
+  T clamp(T value, T low, T high)
+  {
+    if (value < low)
+      return low;
+    else if (value > high)
+      return high;
+    else
+      return value;
+  }
+
+}

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/common/daemon.hpp

@@ -34,12 +34,47 @@
 #include <openvpn/common/logrotate.hpp>
 #include <openvpn/common/redir.hpp>
 #include <openvpn/common/usergroup.hpp>
+#include <openvpn/common/logsetup.hpp>
 
 namespace openvpn {
 
   OPENVPN_EXCEPTION(daemon_err);
 
-  inline void log_setup(const std::string& log_fn,
+  class LogReopen : public LogSetup
+  {
+  public:
+    LogReopen(const std::string& log_fn,
+	      const bool combine_out_err)
+      : log_fn_(log_fn),
+	combine_out_err_(combine_out_err)
+    {
+    }
+
+    virtual void reopen() const override
+    {
+      try {
+	// open redirection log file, but don't redirect yet
+	RedirectStd redir(std::string(),
+			  log_fn_,
+			  RedirectStd::FLAGS_APPEND,
+			  RedirectStd::MODE_USER_GROUP,
+			  combine_out_err_);
+
+	// now do the redirect
+	redir.redirect();
+      }
+      catch (const std::exception& e)
+	{
+	  std::cerr << "LogReopen: " << e.what() << std::endl;
+	}
+    }
+
+  private:
+    const std::string log_fn_;
+    const bool combine_out_err_;
+  };
+
+  inline LogSetup::Ptr log_setup(const std::string& log_fn,
 				 const SetUserGroup* user_group,
 				 const bool log_append,
 				 const int log_versions,
@@ -62,6 +97,12 @@ namespace openvpn {
       {
       }
     redir.redirect();
+
+    // possibly return a LogReopen object
+    if (!log_versions)
+      return LogSetup::Ptr(new LogReopen(log_fn, combine_out_err));
+    else
+      return LogSetup::Ptr();
   }
 
   inline void daemonize()
@@ -70,13 +111,14 @@ namespace openvpn {
       throw daemon_err("daemon() failed");
   }
 
-  inline void daemonize(const std::string& log_fn,
+  inline LogSetup::Ptr daemonize(const std::string& log_fn,
 				 const SetUserGroup* user_group,
 				 const bool log_append,
 				 const int log_versions)
   {
-    log_setup(log_fn, user_group, log_append, log_versions, true, true);
+    LogSetup::Ptr ret = log_setup(log_fn, user_group, log_append, log_versions, true, true);
     daemonize();
+    return ret;
   }
 
   inline void write_pid(const std::string& fn)

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/common/enumdir.hpp

@@ -34,13 +34,13 @@
 #include <openvpn/common/size.hpp>
 #include <openvpn/common/exception.hpp>
 #include <openvpn/common/uniqueptr.hpp>
-#include <openvpn/common/function.hpp>
 
 namespace openvpn {
   OPENVPN_EXCEPTION(enum_dir_error);
 
+  template <typename F>
   inline bool enum_dir(const std::string& dirname,
-		       Function<void(std::string fn)> func)
+		       F func)
   {
     unique_ptr_del<DIR> dir(::opendir(dirname.c_str()), [](DIR* d) { ::closedir(d); });
     if (!dir)

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/common/extern.hpp

@@ -23,6 +23,10 @@
 #define OPENVPN_COMMON_EXTERN_H
 
 #ifndef OPENVPN_EXTERN
+// Remember that OPENVPN_EXTERN was not defined since something like
+// #if OPENVPN_EXTERN == extern or OPENVPN_EXTERN == "" is not allowed
+// in C/C++ preprocessor
+#define OPENVPN_NO_EXTERN
 #define OPENVPN_EXTERN
 #endif
 

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/common/file.hpp

@@ -35,6 +35,10 @@
 #include <openvpn/buffer/bufstr.hpp>
 #include <openvpn/buffer/buflist.hpp>
 
+#if defined(OPENVPN_PLATFORM_WIN)
+#include <openvpn/win/unicode.hpp>
+#endif
+
 namespace openvpn {
 
   OPENVPN_UNTAGGED_EXCEPTION(file_exception);
@@ -61,7 +65,12 @@ namespace openvpn {
 			       const std::uint64_t max_size = 0,
 			       const unsigned int buffer_flags = 0)
   {
+#if defined(OPENVPN_PLATFORM_WIN)
+    Win::UTF16 filenamew(Win::utf16(filename));
+    std::ifstream ifs(filenamew.get(), std::ios::binary);
+#else
     std::ifstream ifs(filename.c_str(), std::ios::binary);
+#endif
     if (!ifs)
       OPENVPN_THROW(open_file_error, "cannot open for read: " << filename);
 

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/common/fileatomic.hpp

@@ -55,7 +55,7 @@ namespace openvpn {
     // generate temporary filename
     unsigned char data[16];
     rng.rand_fill(data);
-    const std::string tfn = path::join(tmpdir, '.' + path::basename(fn) + '.' + render_hex(data, sizeof(data)));
+    const std::string tfn = path::join(tmpdir, '.' + path::basename(fn).substr(0, 64) + '.' + render_hex(data, sizeof(data)));
 
     // write to temporary file
     write_binary_unix(tfn, mode, mtime_ns, buf);

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/common/fileunix.hpp

@@ -158,7 +158,7 @@ namespace openvpn {
     return bp;
   }
 
-  inline bool read_binary_unix_fast(const std::string& fn,
+  inline int read_binary_unix_fast(const std::string& fn,
 				   Buffer& out)
   {
     ScopedFD fd(::open(fn.c_str(), O_RDONLY|O_CLOEXEC));

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/common/hexstr.hpp

@@ -279,6 +279,21 @@ namespace openvpn {
     return os.str();
   }
 
+  /**
+   *  Renders a combined hexadecimal and character dump of a buffer,
+   *  with the typical 16 bytes split between hexadecimal and character
+   *  separation per line.
+   *
+   *  @param  data  Void pointer to the buffer to dump.
+   *  @param  size  Size of the buffer to render.
+   *
+   *  @return Returns a string containing a preformatted output of the
+   *          hexadecimal dump.
+   */
+  inline std::string dump_hex(void* data, size_t size)
+  {
+    return dump_hex((const unsigned char *)data, size);
+  }
 
   /**
    *  Renders a combined hexadecimal and character dump of a std::string buffer,

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/common/logsetup.hpp

@@ -0,0 +1,36 @@
+//    OpenVPN -- An application to securely tunnel IP networks
+//               over a single port, with support for SSL/TLS-based
+//               session authentication and key exchange,
+//               packet encryption, packet authentication, and
+//               packet compression.
+//
+//    Copyright (C) 2012-2019 OpenVPN Inc.
+//
+//    This program is free software: you can redistribute it and/or modify
+//    it under the terms of the GNU Affero General Public License Version 3
+//    as published by the Free Software Foundation.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU Affero General Public License for more details.
+//
+//    You should have received a copy of the GNU Affero General Public License
+//    along with this program in the COPYING file.
+//    If not, see <http://www.gnu.org/licenses/>.
+
+#pragma once
+
+#include <openvpn/common/rc.hpp>
+
+namespace openvpn {
+
+  class LogSetup : public RC<thread_unsafe_refcount>
+  {
+  public:
+    typedef RCPtr<LogSetup> Ptr;
+
+    virtual void reopen() const = 0;
+  };
+
+}

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/common/msfind.hpp

@@ -29,16 +29,23 @@
 namespace openvpn {
   namespace MSF {
 
-    template <typename MAP_SET, typename ITERATOR>
+    template <typename ITERATOR>
     class Iter : public ITERATOR
     {
     public:
+      template <typename MAP_SET>
       Iter(const MAP_SET& ms, ITERATOR&& iter)
 	: ITERATOR(std::move(iter)),
 	  exists_(*this != ms.end())
       {
       }
 
+      Iter(ITERATOR&& iter)
+	: ITERATOR(std::move(iter)),
+	  exists_(true)
+      {
+      }
+
       explicit operator bool() const
       {
 	return exists_;
@@ -50,11 +57,34 @@ namespace openvpn {
 
     // Like ordinary map/set find, but returns an iterator
     // that defines an operator bool() method for testing if
-    // the iterator is defined, i.e. iter != map_or_set.end()
+    // the iterator is defined, so instead of:
+    //
+    //   if (iter != map.end())
+    //     do_stuff();
+    //
+    // you can say:
+    //
+    //   if (iter)
+    //     do_stuff();
+    //
     template <typename MAP_SET, typename KEY>
     inline auto find(MAP_SET& ms, const KEY& k)
     {
-      return Iter<MAP_SET, decltype(ms.find(k))>(ms, ms.find(k));
+      return Iter<decltype(ms.find(k))>(ms, ms.find(k));
+    }
+
+    // Does key exist in map/set?
+    template <typename MAP_SET, typename KEY>
+    inline bool exists(MAP_SET& ms, const KEY& k)
+    {
+      return ms.find(k) != ms.end();
+    }
+
+    // Convert an ordinary, dereferenceable iterator to an MSF::Iter
+    template <typename ITERATOR>
+    inline auto iter(ITERATOR i)
+    {
+      return Iter<ITERATOR>(std::move(i));
     }
   }
 }

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/common/rc.hpp

@@ -196,6 +196,12 @@ namespace openvpn {
       return px != rhs.px;
     }
 
+    template <typename U>
+    RCPtr<U> static_pointer_cast() const noexcept
+    {
+      return RCPtr<U>(static_cast<U*>(px));
+    }
+
     template <typename U>
     RCPtr<U> dynamic_pointer_cast() const noexcept
     {

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/common/runcontext.hpp

@@ -37,6 +37,7 @@
 #include <mutex>
 #include <memory>
 #include <type_traits> // for std::is_nothrow_move_constructible
+#include <utility>
 
 #include <openvpn/common/platform.hpp>
 #include <openvpn/common/exception.hpp>
@@ -45,10 +46,12 @@
 #include <openvpn/common/stop.hpp>
 #include <openvpn/common/environ.hpp>
 #include <openvpn/common/number.hpp>
+#include <openvpn/common/signal_name.hpp>
 #include <openvpn/asio/asiosignal.hpp>
 #include <openvpn/time/time.hpp>
 #include <openvpn/time/asiotimer.hpp>
 #include <openvpn/time/timestr.hpp>
+#include <openvpn/common/logsetup.hpp>
 
 #ifdef ASIO_HAS_LOCAL_SOCKETS
 #include <openvpn/common/scoped_fd.hpp>
@@ -131,6 +134,11 @@ namespace openvpn {
       async_stop_ = async_stop;
     }
 
+    void set_log_reopen(LogSetup::Ptr lr)
+    {
+      log_reopen = std::move(lr);
+    }
+
     void set_thread(const unsigned int unit, std::thread* thread)
     {
       while (threadlist.size() <= unit)
@@ -312,7 +320,7 @@ namespace openvpn {
       stats = stats_arg;
     }
 
-    virtual Stop* async_stop()
+    virtual Stop* async_stop() override
     {
       return async_stop_;
     }
@@ -342,14 +350,11 @@ namespace openvpn {
     {
       if (!error && !halt)
 	{
-	  OPENVPN_LOG("ASIO SIGNAL " << signum);
+	  OPENVPN_LOG("ASIO SIGNAL: " << signal_name(signum));
 	  switch (signum)
 	    {
 	    case SIGINT:
 	    case SIGTERM:
-#if !defined(OPENVPN_PLATFORM_WIN)
-	    case SIGQUIT:
-#endif
 	      cancel();
 	      break;
 #if !defined(OPENVPN_PLATFORM_WIN)
@@ -358,6 +363,11 @@ namespace openvpn {
 		OPENVPN_LOG(stats->dump());
 	      signal_rearm();
 	      break;
+	    case SIGHUP:
+	      if (log_reopen)
+		log_reopen->reopen();
+	      signal_rearm();
+	      break;
 #endif
 	    default:
 	      signal_rearm();
@@ -385,7 +395,7 @@ namespace openvpn {
       exit_timer.expires_after(Time::Duration::seconds(n_sec));
       exit_timer.async_wait([self=Ptr(this)](const openvpn_io::error_code& error)
                             {
-			      if (error)
+			      if (error || self->halt)
 				return;
 			      OPENVPN_LOG("DEBUG EXIT");
 			      self->cancel();
@@ -420,6 +430,7 @@ namespace openvpn {
     // logging
     Log::Context log_context;
     Log::Context::Wrapper log_wrap; // must be constructed after log_context
+    LogSetup::Ptr log_reopen;
 
   protected:
     volatile bool halt = false;

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/common/sess_id.hpp

@@ -115,6 +115,12 @@ namespace openvpn {
       return u.dataz[0];
     }
 
+    template <typename HASH>
+    void hash(HASH& h) const
+    {
+      h(u.dataz[0]);
+    }
+
     // Use a URL-safe base64 encoding.
     std::string to_string() const
     {
@@ -160,13 +166,15 @@ namespace openvpn {
     }
 
     // Find an element in an unordered map (keyed by Session ID)
-    // using weak equality.
+    // using weak equality.  If conflict is true, only return
+    // element that is present by weak equality, but which is
+    // not equal to *this by strong equality.
     template <typename UNORDERED_MAP>
-    const SessionIDType* find_weak(const UNORDERED_MAP& m) const
+    const SessionIDType* find_weak(const UNORDERED_MAP& m, const bool conflict) const
     {
       const size_t bi = m.bucket(*this);
       for (auto i = m.cbegin(bi); i != m.cend(bi); ++i)
-	if (shortform() == i->first.shortform())
+	if (shortform() == i->first.shortform() && (!conflict || *this != i->first))
 	  return &i->first;
       return nullptr;
     }

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/common/signal_name.hpp

@@ -0,0 +1,50 @@
+//    OpenVPN -- An application to securely tunnel IP networks
+//               over a single port, with support for SSL/TLS-based
+//               session authentication and key exchange,
+//               packet encryption, packet authentication, and
+//               packet compression.
+//
+//    Copyright (C) 2012-2019 OpenVPN Inc.
+//
+//    This program is free software: you can redistribute it and/or modify
+//    it under the terms of the GNU Affero General Public License Version 3
+//    as published by the Free Software Foundation.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU Affero General Public License for more details.
+//
+//    You should have received a copy of the GNU Affero General Public License
+//    along with this program in the COPYING file.
+//    If not, see <http://www.gnu.org/licenses/>.
+
+#pragma once
+
+#include <string>
+#include <signal.h>
+
+namespace openvpn {
+
+  inline std::string signal_name(const int signum)
+  {
+    switch (signum)
+      {
+      case SIGINT:
+	return "SIGINT";
+      case SIGTERM:
+	return "SIGTERM";
+      case SIGHUP:
+	return "SIGHUP";
+      case SIGUSR1:
+	return "SIGUSR1";
+      case SIGUSR2:
+	return "SIGUSR2";
+      case SIGPIPE:
+	return "SIGPIPE";
+      default:
+	return std::to_string(signum);
+      }
+  }
+
+}

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/common/string.hpp

@@ -150,6 +150,21 @@ namespace openvpn {
 	return false;
     }
 
+    // Prepend leading characters (c) to str to obtain a minimum string length (min_len).
+    // Useful for adding leading zeros to numeric values or formatting tables.
+    inline std::string add_leading(const std::string& str, const size_t min_len, const char c)
+    {
+      if (min_len <= str.length())
+	return str;
+      size_t len = min_len - str.length();
+      std::string ret;
+      ret.reserve(min_len);
+      while (len--)
+	ret += c;
+      ret += str;
+      return ret;
+    }
+
     // make sure that string ends with char c, if not append it
     inline std::string add_trailing_copy(const std::string& str, const char c)
     {
@@ -235,16 +250,23 @@ namespace openvpn {
       return str.find_first_of('\n') != std::string::npos;
     }
 
-    // return the first line (without newline) of a multi-line string
+    // Return string up to a delimiter (without the delimiter).
-    inline std::string first_line(const std::string& str)
+    // Returns the entire string if no delimiter is found.
+    inline std::string to_delim(const std::string& str, const char delim)
     {
-      const size_t pos = str.find_first_of('\n');
+      const size_t pos = str.find_first_of(delim);
       if (pos != std::string::npos)
 	return str.substr(0, pos);
       else
 	return str;
     }
 
+    // return the first line (without newline) of a multi-line string
+    inline std::string first_line(const std::string& str)
+    {
+      return to_delim(str, '\n');
+    }
+
     // Define a common interpretation of what constitutes a space character.
     // Return true if c is a space char.
     inline bool is_space(const char c)
@@ -385,12 +407,16 @@ namespace openvpn {
     // indent a multiline string
     inline std::string indent(const std::string& str, const int first, const int remaining)
     {
-      std::string ret = spaces(first);
+      std::string ret;
+      int n_spaces = first;
       for (auto &c : str)
 	{
+	  if (n_spaces)
+	    ret += spaces(n_spaces);
+	  n_spaces = 0;
 	  ret += c;
 	  if (c == '\n')
-	    ret += spaces(remaining);
+	    n_spaces = remaining;
 	}
       return ret;
     }
@@ -447,7 +473,8 @@ namespace openvpn {
     }
 
     // Split a string on sep delimiter.  The size of the
-    // returned string list will be at most maxsplit + 1.
+    // returned string vector will be at least 1 and at
+    // most maxsplit + 1 (unless maxsplit is passed as -1).
     inline std::vector<std::string> split(const std::string& str,
 					  const char sep,
 					  const int maxsplit = -1)
@@ -456,13 +483,16 @@ namespace openvpn {
       int nterms = 0;
       std::string term;
 
-      for (auto &c : str)
+      if (maxsplit >= 0)
+	ret.reserve(maxsplit + 1);
+
+      for (const auto c : str)
 	{
 	  if (c == sep && (maxsplit < 0 || nterms < maxsplit))
 	    {
 	      ret.push_back(std::move(term));
 	      ++nterms;
-	      term = "";
+	      term.clear();
 	    }
 	  else
 	    term += c;

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/common/umask.hpp

@@ -56,5 +56,13 @@ namespace openvpn {
     {
     }
   };
+
+  struct UMaskDaemon : public UMask
+  {
+    UMaskDaemon()
+      : UMask(S_IWOTH)
+    {
+    }
+  };
 }
 #endif

Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/openvpn/common/usergroup.hpp

@@ -76,6 +76,16 @@ namespace openvpn {
 	}
     }
 
+    const std::string& user() const
+    {
+      return user_name;
+    }
+
+    const std::string& group() const
+    {
+      return group_name;
+    }
+
     void activate() const
     {
       if (gr)