We haven't done any mbedtls builds for Windows in a long
time. Let's not pretend that is something we support by
having this cruft lying around.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
mbedtls clearly don't want to apply this patch. So
affected users will need to find other solutions.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
We're specifically interested in the fix for the unit tests.
("Update test data to avoid failures of unit tests after
2023-08-07")
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Newer mbed TLS version changed the API. This fixes our usage of the API and
also removed the micro optimisation of reusing the buffer for plain and cipher
text.
It also adds a unit test to ensure the data is correctly encrypted/decrypted.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Fixes problems when calling find_package on asio multiple
times.
Originally fixed by commit cba75f1aa08374733dcc79abebeca262ae94118a
in vcpkg#28299.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
- the OpenSSL build script for all platform, was only
used on macOS and better alternatives like homebrew exit there
- mac build scripts in general, cmake/homebrew is a better alternative
- vars for Android, Android uses CMake based build, see ics-openvpn for an example
- lzo build scripts. Core can do lzo decompress witout it and if used, system lzo can
be used
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Most of these haven't been used in years and are
probably useless now. If required they can always
be recovered from the git history.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
lz4 and mbedtls are currently the only deps
that are built for linux (asio and xxHash
are only copied, not built).
If LTO flag is specified (which is a variable
already supported by scrips/build) and target
is linux then enable -flto but allow to
speficy a random-seed to allow reproducibility.
We want to upgrade to OpenSSL 1.1.1l, but instead of upgrading
our local port we can now rely on the OpenSSL version shipped
with the vcpkg's upstream repo.
We can now do so because starting from vcpkg's commit
06f8fd63 ("[OpenSSL] support for "no-autoload-config" config option
(#18389)") support for the OpenSSL no-autoload-config build option
has been added upstream. This option is required by our builds.
Until now this option was hardcoded in our custom port, but now we
can turn it on by defining our custom triplets "<arch>-windows-ovpn3".
Given the above, we can now drop the custom port and directly rely
on the upstream repo shipping the most recent OpenSSL version.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
In default configuration OpenSSL loads config from
certain location on disk, which may pose a security risk.
There is "no-autoload-config" config option for OpenSSL
which disables this functionality:
https://github.com/openssl/openssl/pull/5959
however it is not "exported" to vcpkg.
This adds openssl port overlay which sets "no-autoload-config"
config option. Here is the diff:
diff --git a/ports/openssl/windows/portfile.cmake
b/ports/openssl/windows/portfile.cmake
index 7a3bf08ed..c873eb756 100644
--- a/ports/openssl/windows/portfile.cmake
+++ b/ports/openssl/windows/portfile.cmake
@@ -21,6 +21,7 @@ set(CONFIGURE_OPTIONS
enable-capieng
no-ssl2
no-tests
+ no-autoload-config
-utf-8
${OPENSSL_SHARED}
)
There is also corresponsing PR to vcpkg:
https://github.com/microsoft/vcpkg/pull/18389
When above PR is merged, this port overlay can be removed.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Windows agent has been moved from common to core,
so for consistency move mac agent too.
Since agent and agent-enabled client depend on jsoncpp,
also move jsoncpp build scripts.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
ASIO 1.18 enabled UNIX domain sockets on Windows,
which breaks our code, since we use Linux-specific
API to work with sockets.
Fix by disabling UNIX domain (local in ASIO terminology)
sockets on Windows.
Bump ASIO version to 1.18.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Port script only copies uapi header, same way it is done for tap-windows6.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Signed-off-by: Heiko Hund <heiko@openvpn.net>
The code that requires xxHash requires a fairly new xxHash version, so
add a local copy of 0.8.0 to build with this header only library.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This code was originally used in the Connect clients to allow PKIs that
use the (not commonly used) Name constraints feature. This is a
potential security risk but was done to allow PKIs that used that
feature. OpenSSL natively supports Name constraints and will check these.
Remove this hacky feature as feature as it also breaks compiling with
an unpatched mbed TLS and is not used by code anymore.
This seems like a more general solution for developing resolver results mutators
such as randomize and filter by IP version.
Signed-off-by: James Yonan <james@openvpn.net>
The asio patch adds a virtual method to basic_socket. This triggers
compiler warnings about a non-virtual destructor. Fix this by also
making the destructor virtual.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
