When porting this patch I accidentally got the conflict backwards and
the resulting patch is nonsense. I am not sure how this managed to
survive a full Jenkins run.
ASIO's code for returning error messages doesn't play well with
non-ASCII chars. This quick fix makes ASIO use English.
A proper fix, which is more invasive (use FormatMessageW and
WideCharToMultiByte with UTF-8) will be provided separately.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
The deprecated macro of LZ4 1.8.0 breaks in newer LLVM/Clang version:
include/lz4.h:446:12: error: an attribute list cannot appear here
LZ4LIB_API LZ4_DEPRECATED("use LZ4_decompress_safe() instead") int
LZ4_uncompress_unknownOutputSize (const char* source, char* dest,
int isize, int maxOutputSize);
Using -DLZ4_DISABLE_DEPRECATE_WARNINGS allows including these headers
with modern LLVM/Clang version
The new lz4 version (1.8.3) fixes this problem.
Mbedtls 2.7.5 included a bugfix (e08754762d) that ASM code in bn_mul.h
was only enabled with -O0 instead of not enabling it with -O0
unfortenately the old gcc version (4.9.x) we use for our Android
build does not handle this. Fall back to not using ASM code on the
gcc/Android combination.
Update dep on mbedTLS to latest maintenance release
of the 2.7 branch.
Mst of our private patches are now upstream and can
be removed.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
When 'git apply' is run inside repository folder, it ignores files
missing in index. To make it work, run 'git apply' outside of repository.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
At the same time rebase patches on top of ne wversion
and get rid of fixes that have been merged upstream.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Backport patches from mbedTLS-2.7.0 to address the CVE
in the subject:
28a0c727 RSA: Fix buffer overflow in PSS signature verification
6a54b024 RSA: Fix another buffer overflow in PSS signature verification
139108af RSA PSS: fix minimum length check for keys of size 8N+1
b00b0da4 RSA PSS: fix first byte check for keys of size 8N+1
91048a3a RSA PSS: remove redundant check; changelog
This bug can be exploited by sending a malicious certificate
chain signed using RSASSA-PSS.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
we currently have some external patches that should be abbplied
on asio before using it in our projects.
However, these patches have always been applied manually in the
past and therefore they are not part of our automatic build
system.
Modify the buil-asio script so that it auto-applies our
patches everytime it is invoked. This change will ensure
that the same "asio version" is used when building the core or
other apps.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
When we moved to asio-862aed305 we have not updated our external
patches acconrdingly.
This change takes care of rebasing our patches on top of 862aed305
so that they can cleanly apply again.
0001-Android-appears-to-not-support-pthread_condattr_setc.patch has
been dropped as this issue has been tackled upstream.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
mbedTLS commit 8873bcc4def433aa0edfbe260083f32f04aa097e
Timing self test: increased duration
Increase the duration of the self test, otherwise it tends to fail on
a busy machine even with the recently upped tolerance. But run the
loop only once, it's enough for a simple smoke test.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
This will ensure that mbedtls is still passing all its
unit test before building it.
It is important to run the checks because we backport patches
on our own and they may break during the process.
Checks are perfomed only when building for linux or for osx.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Please check the commit messages of the new patches for a better
description.
In a nutshell, this change allows mbedTLS to properly decrypt
keys created by OpenSSL using PKCS#5v2 with PRF different from
SHA1.
This change also add their related unit-tests.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Apparently sha256sum is not available on macOS.
To allow users to properly use our build system on this platform
we need to migrate to something available on macOS too.
Change the sha256sum invocation to shasum -a 256.
The output of both commands is the same.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
With this change a dep build script will now download
the related tarball automatically if not already present.
This way, we ensure that the core is built with the dep
package version specified in lib-versions.
After finding or downloading a tarball, its checksum is
computed and compared with the one in lib-versions to
ensure that the file is the expected one.
This logic has been applied to asio, mbedtls and lz4.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
some CA provides certificates that do not fully follow
the RFC in terms of date format.
This patch relaxes the constrains in mbedTLS so that also
not sully compliant certificates can be accepted.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
This patch builds on work by David Sommerseth <davids@openvpn.net>
to move the PolarSSL API from polarssl-1.3 to mbedtls-2.3, which
has significant differences in some areas.
- Strings containing keys, certificates, CRLs, and DH parameters
need to be NULL-terminated and the length argument provided to
the corresponding mbedtls parse function must be able to read
the NULL-terminator. These places have been modified with a
'+1' to the length argument (x509cert.hpp, x509crl.hpp, dh.hpp,
pkctx.hpp).
- The SSL context object has been split up in mbedtls-2.3
Now many of the SSL configurations are done in a separate
SSL config object, which is added to the SSL context once
configured. In addition private/public keys are now stored
in a separate pk_context, which is later on attached to the
SSL context. Due to this, many of the calls setting either
SSL configuration parameters or working with pk_contexts have
been refactored. (sslctx.hpp)
- The older API loading the CA chain took a hostname argument.
The new API requires mbedtls_ssl_set_hostname() explicitly to
be called setting hostname. Some refactoring was needed here
too (sslctx.hpp).
- x509_oid_get_description() is now replaced by
mbedtls_oid_get_extended_key_usage().
- when mbedTLS renamed OID_CMP to MBEDTLS_OID_CMP, the return
value was changed so that a return value of 0 now means equal
rather than not-equal.
- mbedtls/platform.h must be loaded before any other mbedtls
include files (sslchoose.hpp).
- All functions and macros related to mbedTLS are now prefixed
with mbedtls_/MBEDTLS_
- Refactored External PKI and added some options to cli.cpp
to make it easier to test that the feature still works
correctly. This included removing the sig_type var and
standardizing on a PKCS#1 digest prefix per RFC 3447.
- Updated test keys to 2048 bits.
- Updated dependency build scripts to build mbedTLS.
- Enable MD4 in mbedTLS build script (needed for NTLM auth).
- Use an allow-all X509 cert profile to preserve compatibility
with older configs. Going forward, we will implement new
options to increase strictness on minimum RSA key size and
required cert signing algs.
- Added human-readable reason strings that explain why
a given cert in the chain wasn't accepted.
- This patch doesn't rename any files or rename internal
OpenVPN 3 symbols such as PolarSSLContext. This will
be done in a separate commit.
Signed-off-by: James Yonan <james@openvpn.net>
