Minor changes to Android 4 client and core:

* clear_auth() now clears username field. * OpenSSL impl in core now logs TLS handshake details. * Added build-openssl-small to build a trimmed-down version of OpenSSL.
2024-09-20 04:02:15 +02:00 · 2012-03-11 04:59:51 +00:00 · 2012-03-11 04:59:51 +00:00 · eca10fa23d
commit eca10fa23d
parent e82d3986d9
8 changed files with 71 additions and 2 deletions
--- a/javacli/build-android
+++ b/javacli/build-android
@ -1,11 +1,12 @@
 #!/usr/bin/env bash
 # generate expire time in python: time.mktime((2012, 5, 1, 0, 0, 0, 0, 0, -1))
+# -flto=4 -Wl,--no-as-needed \
 set -e
 swig -c++ -java -package net.openvpn.openvpn -I$OVPN3_DIR ovpncli.i
 $GPP_CMD \
    --sysroot=$NDK/platforms/android-9/arch-arm \
    -DAPP_EXPIRE_TIME=1335852000 \
-    -g -O3 -fPIC \
+    -O3 -fPIC \
    -fno-strict-aliasing \
    -Wall -Wno-sign-compare -Wno-unused-parameter \
    -fwhole-program "-DSWIGEXPORT=__attribute__((externally_visible))" \
--- a/javacli/ovpncli.ipp
+++ b/javacli/ovpncli.ipp
@ -8,7 +8,7 @@
 // debug settings

 #define OPENVPN_DEBUG
-#define OPENVPN_SSL_DEBUG // fixme
+//#define OPENVPN_SSL_DEBUG
 //#define OPENVPN_DEBUG_CLIPROTO
 //#define OPENVPN_FORCE_TUN_NULL
 //#define OPENVPN_DEBUG_PROTO
--- a/openvpn/applecrypto/ssl/sslctx.hpp
+++ b/openvpn/applecrypto/ssl/sslctx.hpp
@ -209,6 +209,11 @@ namespace openvpn {
 	return ct_out.read_buf();
      }

+      std::string ssl_handshake_details() const // fixme -- code me
+      {
+	return "[not implemented]";
+      }
+
      ~SSL()
      {
 	ssl_erase();
--- a/openvpn/openssl/ssl/sslctx.hpp
+++ b/openvpn/openssl/ssl/sslctx.hpp
@ -2,6 +2,7 @@
 #define OPENVPN_OPENSSL_SSL_SSLCTX_H

 #include <cstring>
+#include <sstream>

 #include <openssl/ssl.h>

@ -279,12 +280,44 @@ namespace openvpn {
 	return bmq_stream::memq_from_bio(ct_out)->read_buf();
      }

+      std::string ssl_handshake_details() const
+      {
+	return ssl_handshake_details(ssl);
+      }
+
      ~SSL()
      {
 	ssl_erase();
      }

    private:
+      // Print a one line summary of SSL/TLS session handshake.
+      static std::string ssl_handshake_details (const ::SSL *c_ssl)
+      {
+	std::ostringstream os;
+
+	const SSL_CIPHER *ciph = SSL_get_current_cipher (c_ssl);
+	os << SSL_get_version (c_ssl) << ", cipher " << SSL_CIPHER_get_version (ciph) << ' ' << SSL_CIPHER_get_name (ciph);
+
+	::X509 *cert = SSL_get_peer_certificate (c_ssl);
+	if (cert != NULL)
+	  {
+	    EVP_PKEY *pkey = X509_get_pubkey (cert);
+	    if (pkey != NULL)
+	      {
+		if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL && pkey->pkey.rsa->n != NULL)
+		  os << ", " << BN_num_bits (pkey->pkey.rsa->n) << " bit RSA";
+#ifndef OPENSSL_NO_DSA
+		else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL && pkey->pkey.dsa->p != NULL)
+		  os << ", " << BN_num_bits (pkey->pkey.dsa->p) << " bit DSA";
+#endif
+		EVP_PKEY_free (pkey);
+	      }
+	    X509_free (cert);
+	  }
+	return os.str();
+      }
+
      void ssl_clear()
      {
 	ssl_bio_linkage = false;
--- a/openvpn/openssl/util/engine.hpp
+++ b/openvpn/openssl/util/engine.hpp
@ -3,7 +3,9 @@

 #include <string>

+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif

 #include <openvpn/common/exception.hpp>
 #include <openvpn/openssl/util/error.hpp>
@ -14,6 +16,7 @@ namespace openvpn {

  void openssl_setup_engine (const std::string& engine)
  {
+#ifndef OPENSSL_NO_ENGINE
    ENGINE_load_builtin_engines ();

    if (engine == "auto")
@ -27,6 +30,7 @@ namespace openvpn {
      throw openssl_engine_error();
    if (!ENGINE_set_default (e, ENGINE_METHOD_ALL))
      throw openssl_engine_error();
+#endif
  }

 } // namespace openvpn
--- a/openvpn/ssl/proto.hpp
+++ b/openvpn/ssl/proto.hpp
@ -1284,6 +1284,7 @@ namespace openvpn {

      void active()
      {
+	OPENVPN_LOG("SSL Handshake: " << Base::ssl_handshake_details());
 	generate_session_keys();
 	while (!app_pre_write_queue.empty())
 	  {
--- a/openvpn/ssl/protostack.hpp
+++ b/openvpn/ssl/protostack.hpp
@ -196,6 +196,11 @@ namespace openvpn {
 	}
    }

+    std::string ssl_handshake_details() const
+    {
+      return ssl_->ssl_handshake_details();
+    }
+
    virtual ~ProtoStackBase() {}

  private:
--- a/scripts/android/build-openssl-small
+++ b/scripts/android/build-openssl-small
@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+set -e
+export OPENSSL=openssl-1.0.0g
+export TPRE=arm-linux-androideabi
+export DIST=$(pwd)/openssl
+export BIN=$TC/bin
+rm -rf $OPENSSL $DIST
+tar xfz ~/Downloads/$OPENSSL.tar.gz
+cd $OPENSSL
+NO_FLAGS="no-engine no-hw no-ssl2 no-ssl3 no-zlib no-rc2 no-idea no-des no-cast no-md2 no-mdc2 no-ripemd no-rc5 no-camellia no-seed no-krb5 no-socks no-ecdsa no-ec no-ecdh no-md2 no-md4 no-whirlpool no-dsa no-cms no-jpake no-gost"
+./Configure linux-armv4 no-shared threads no-idea no-mdc2 no-rc5 $NO_FLAGS --prefix=$DIST
+#sed -i "" -e 's|-O3|-O3 -flto|' Makefile
+#sed -i "" -e 's|^all:.*$|all: Makefile build_all libssl.pc libcrypto.pc|' Makefile
+#sed -i "" -e 's|^build_all:.*$|build_all: build_libs|' Makefile
+make CC="$BIN/$TPRE-gcc" AR="$BIN/$TPRE-ar r" RANLIB="$BIN/$TPRE-ranlib" build_libs
+touch apps/openssl
+touch openssl.pc
+touch libcrypto.pc
+touch libssl.pc
+make install_sw