This patch builds on work by David Sommerseth <davids@openvpn.net>
to move the PolarSSL API from polarssl-1.3 to mbedtls-2.3, which
has significant differences in some areas.
- Strings containing keys, certificates, CRLs, and DH parameters
need to be NULL-terminated and the length argument provided to
the corresponding mbedtls parse function must be able to read
the NULL-terminator. These places have been modified with a
'+1' to the length argument (x509cert.hpp, x509crl.hpp, dh.hpp,
pkctx.hpp).
- The SSL context object has been split up in mbedtls-2.3
Now many of the SSL configurations are done in a separate
SSL config object, which is added to the SSL context once
configured. In addition private/public keys are now stored
in a separate pk_context, which is later on attached to the
SSL context. Due to this, many of the calls setting either
SSL configuration parameters or working with pk_contexts have
been refactored. (sslctx.hpp)
- The older API loading the CA chain took a hostname argument.
The new API requires mbedtls_ssl_set_hostname() explicitly to
be called setting hostname. Some refactoring was needed here
too (sslctx.hpp).
- x509_oid_get_description() is now replaced by
mbedtls_oid_get_extended_key_usage().
- when mbedTLS renamed OID_CMP to MBEDTLS_OID_CMP, the return
value was changed so that a return value of 0 now means equal
rather than not-equal.
- mbedtls/platform.h must be loaded before any other mbedtls
include files (sslchoose.hpp).
- All functions and macros related to mbedTLS are now prefixed
with mbedtls_/MBEDTLS_
- Refactored External PKI and added some options to cli.cpp
to make it easier to test that the feature still works
correctly. This included removing the sig_type var and
standardizing on a PKCS#1 digest prefix per RFC 3447.
- Updated test keys to 2048 bits.
- Updated dependency build scripts to build mbedTLS.
- Enable MD4 in mbedTLS build script (needed for NTLM auth).
- Use an allow-all X509 cert profile to preserve compatibility
with older configs. Going forward, we will implement new
options to increase strictness on minimum RSA key size and
required cert signing algs.
- Added human-readable reason strings that explain why
a given cert in the chain wasn't accepted.
- This patch doesn't rename any files or rename internal
OpenVPN 3 symbols such as PolarSSLContext. This will
be done in a separate commit.
Signed-off-by: James Yonan <james@openvpn.net>
1. Use os.path.join(parms['BUILD'], parms['ARCH']) as the build
directory, to allow concurrent build directories to exist for
multiple architectures.
2. Allow extra build parameters to be specified out-of-tree
in c:/src/ovpn3/common/deps/win/extra.py
* Added support for x86_xp target for Windows XP, but
note that this requires that vcvarsall.patch be
applied.
* Fixed issue where wipetree() was failing if target
directory didn't exist.
* build.py can now infer trailing .cpp on argument.
* Updated SDK and NDK to Android 5:
android-sdk_r24.0.2-macosx.zip
android-ndk-r10d-darwin-x86_64.bin
* Updated build-toolchain to build both ARM
and ARM64 toolchains.
* Added ARMv8-a architecture (64-bit) to all
core builds.
* Patched "Page Size" issue in boost_1_57_0.
* Disable minicrypto for now in both Android and Apple builds.
* In deps/polarssl/build-polarssl, don't apply the minicrypto
patch unless "$USE_MINICRYPTO" = "1".
