This option has been very likely been to fix some incompatibilities
between some TLS libraries. But nobody really remember what it fixes
and its usage today is questionable. So remove the option instead
of supporting an option we cannot even test anymore.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Add support for AES-256-CTR (used by tls-crypt) in the crypto
layer and make sure that each SSL library plugin is aware of it.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
In keeping with Apple terminology, do the following renames:
CF::BORROW -> CF::GET
CF::OWN -> CF::CREATE
This more clearly ties into Apple's "Get" and "Create" rules
for object allocation and wrapping.
Signed-off-by: James Yonan <james@openvpn.net>
simplify cf.hpp dependency profile so that it
can easily be included without drawing in too many other
dependencies. In particular, move code that depends
on buffer.hpp to cfhelper.hpp and remove dependency on
exception.hpp.
Signed-off-by: James Yonan <james@openvpn.net>
both cryptographic and non-cryptographic algorithms, as
a failsafe, add a new virtual method assert_crypto()
that will throw an exception if the algorithm is not
crypto strength. assert_crypto() should now be called
before any RNG is used for crypto purposes.
* rename BOOST_NOEXCEPT to noexcept
* verify that certain classes are noexcept move constructable
including Option, Buffer, BufferAllocated, RunContext::Thread
* Performance degradation from recent commit was occurring
in PRNG.
* Allow RNG to be used in place of PRNG. For PolarSSL
at least, this change completely reverses the
polymorphic ProtoContext performance degradation
and turns it into a net performance gain.
* Added bool prng to RNG constructors to allow
the implementation to optimize for PRNG
(only PolarSSL currently supports this).
Documented different use-cases for RNG vs. PRNG
in ProtoContext:
RNG -- Random number generator.
Use-cases demand highest cryptographic strength
such as key generation.
PRNG -- Pseudo-random number generator.
Use-cases demand cryptographic strength
combined with high performance. Used for
IV and ProtoSessionID generation.
considered to be reachable if both internet.status() and
wifi.status() both return ReachabilityBase::ReachableViaWiFi.
Previously for WiFi, we only checked internet.status().
* Renamed SSL method write_ciphertext_ready() to
read_cleartext_ready() for clarity.
* It's important that read_cleartext_ready() returns an accurate
status. To this end, add ssl_get_bytes_avail to the return
expression for PolarSSL:
return !ct_in.empty() || ssl_get_bytes_avail(ssl);
This will also consider buffering inside of PolarSSL,
and avoid potential deadlocks.
Other SSL modules (AppleCrypto and OpenSSL) have been
commented to warn of this issue.
* Factored out constants such as SHOULD_RETRY to namespace
SSLConst.
* Added flags var to SSL configs.
* Added new SSL flag LOG_VERIFY_STATUS. If disabled,
makes for a quiet SSL negotiation if no errors.
* Detect SSL partial writes and designate a new error status
code (SSL_PARTIAL_WRITE).
* In ProtoStackBase, detect unclassified errors from SSL layer
(throw unknown_status_from_ssl_layer).
* PolarSSL module now recognizes Close Notify status and returns
SSLConst::PEER_CLOSE_NOTIFY.
* In ProtoStackBase, factored out some error handling into
common method.
(MacLifeCycle).
Monitor connection lifecycle notifications, such as sleep, wakeup,
network-unavailable, and network-available.
Note that not all platforms define a lifecycle object. Some
platforms such as Android and iOS manage lifecycle notifications at
the service level, and they call pause(), resume(), reconnect(),
etc. as needed using the main ovpncli API.
Also, added a reason string to Pause event.
* More flexible type casting.
* Support C++11 move constructors.
* Added some additional dictionary and array methods.
* mutable_dict_copy now verifies that passed src dictionary
is defined.
Ported iOS client and OpenVPN 3 core to ARM-64.
Now building a "fat binary" with Xcode 5.0.1 that
targets arm7, arm7s, and arm64.
Outstanding issues:
* IPv6 doesn't route through tunnel on iOS7
* Client doesn't install on iOS 5.1.1.
will build the app as if it was running on the simulator, i.e. with
null tun device, but will build for an actual iOS device.
OPENVPN_SSL_DEBUG defined in ovpncli.cpp is now a debug level and
can be set to an integer value (or 0 to disable).
