Created a lightweight abstraction layer so that another i/o
reactor can be dropped in place of asio.
The basic approach is to rename all references to asio::xxx
types to openvpn_io::xxx and then make openvpn_io a
preprocessor variable that points to the top-level namespace
of the i/o reactor implementation.
All of the source files that currently include <asio.hpp> now
include <openvpn/io/io.hpp> instead:
This gives us a lightweight abstraction layer that allows us
to define openvpn_io to be something other than asio.
Other changes:
* Inclusion of asio by scripts/build is now optional, and is
enabled by passing ASIO=1 or ASIO_DIR=<dir>.
* Refactored openvpn/common/socktypes.hpp to no longer
require asio.
* Refactored openvpn/log/logthread.hpp to no longer require
asio.
* Added openvpn::get_hostname() method as alternative to
calling asio directly.
* openvpn/openssl/util/init.hpp will now #error
if USE_ASIO is undefined.
Signed-off-by: James Yonan <james@openvpn.net>
PROF=<platform> -- source vars/vars-<platform> before running
ASIO_DIR=<dir> -- specify ASIO tree
MTLS_SYS=1 -- use system mbedTLS
LZ4_SYS=1 -- build with system LZ4 compression library
This patch builds on work by David Sommerseth <davids@openvpn.net>
to move the PolarSSL API from polarssl-1.3 to mbedtls-2.3, which
has significant differences in some areas.
- Strings containing keys, certificates, CRLs, and DH parameters
need to be NULL-terminated and the length argument provided to
the corresponding mbedtls parse function must be able to read
the NULL-terminator. These places have been modified with a
'+1' to the length argument (x509cert.hpp, x509crl.hpp, dh.hpp,
pkctx.hpp).
- The SSL context object has been split up in mbedtls-2.3.
Now many of the SSL configurations are done in a separate
SSL config object, which is added to the SSL context once
configured. In addition private/public keys are now stored
in a separate pk_context, which is later on attached to the
SSL context. Due to this, many of the calls setting either
SSL configuration parameters or working with pk_contexts have
been refactored. (sslctx.hpp)
- The older API loading the CA chain took a hostname argument.
The new API requires mbedtls_ssl_set_hostname() explicitly to
be called setting hostname. Some refactoring was needed here
too (sslctx.hpp).
- x509_oid_get_description() is now replaced by
mbedtls_oid_get_extended_key_usage().
- When mbedTLS renamed OID_CMP to MBEDTLS_OID_CMP, the return
value was changed so that a return value of 0 now means equal
rather than not-equal.
- mbedtls/platform.h must be loaded before any other mbedtls
include files (sslchoose.hpp).
- All functions and macros related to mbedTLS are now prefixed
with mbedtls_/MBEDTLS_
- Refactored External PKI and added some options to cli.cpp
to make it easier to test that the feature still works
correctly. This included removing the sig_type var and
standardizing on a PKCS#1 digest prefix per RFC 3447.
- Updated test keys to 2048 bits.
- Updated dependency build scripts to build mbedTLS.
- Enable MD4 in mbedTLS build script (needed for NTLM auth).
- Use an allow-all X509 cert profile to preserve compatibility
with older configs. Going forward, we will implement new
options to increase strictness on minimum RSA key size and
required cert signing algs.
- Added human-readable reason strings that explain why
a given cert in the chain wasn't accepted.
- This patch doesn't rename any files or rename internal
OpenVPN 3 symbols such as PolarSSLContext. This will
be done in a separate commit.
Signed-off-by: James Yonan <james@openvpn.net>
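Two of the porting pitfalls listed in the commit above, the '+1' on PEM lengths and the inverted meaning of MBEDTLS_OID_CMP, worked through as an added example. This is not OpenVPN 3 or mbedTLS code: the two OID_CMP macro bodies are copied from mbedtls 2.x oid.h and PolarSSL 1.3 oid.h so the file builds without either library, `asn1_buf` is a cut-down stand-in for `mbedtls_asn1_buf`, `crt_parse_dispatch` reproduces only the PEM-or-DER decision at the top of `mbedtls_x509_crt_parse` (it parses nothing), the serverAuth/clientAuth values are the standard id-kp OIDs, and the PEM text is a constructed placeholder rather than a real certificate.

```cpp
// Added example, not project or library source.  Shows why the commit adds
// '+1' to every PEM length argument and why every OID_CMP test had to be
// inverted when moving from PolarSSL 1.3 to mbedTLS 2.x.
#include <cstddef>
#include <cstring>
#include <string>

// Macro bodies as they appear in mbedtls 2.x oid.h (MBEDTLS_OID_CMP) and
// PolarSSL 1.3 oid.h (OID_CMP), copied here so this compiles stand-alone.
#define MBEDTLS_OID_SIZE(x) (sizeof(x) - 1)
#define MBEDTLS_OID_CMP(oid_str, oid_buf)                             \
    ((MBEDTLS_OID_SIZE(oid_str) != (oid_buf)->len) ||                 \
     memcmp((oid_str), (oid_buf)->p, (oid_buf)->len) != 0)            /* 0 == equal */
#define OID_CMP(oid_str, oid_buf)                                     \
    ((MBEDTLS_OID_SIZE(oid_str) == (oid_buf)->len) &&                 \
     memcmp((oid_str), (oid_buf)->p, (oid_buf)->len) == 0)            /* 1 == equal */

// id-kp-serverAuth (1.3.6.1.5.5.7.3.1) and id-kp-clientAuth (...3.2).
#define MBEDTLS_OID_SERVER_AUTH "\x2B\x06\x01\x05\x05\x07\x03\x01"
#define MBEDTLS_OID_CLIENT_AUTH "\x2B\x06\x01\x05\x05\x07\x03\x02"

// Stand-in for mbedtls_asn1_buf: only the two fields the macros touch.
struct asn1_buf {
    size_t len;
    const unsigned char *p;
};

// Correct mbedTLS 2.x idiom: the extended-key-usage entry is serverAuth
// when the macro yields 0.
bool eku_is_server_auth(const asn1_buf &oid)
{
    return MBEDTLS_OID_CMP(MBEDTLS_OID_SERVER_AUTH, &oid) == 0;
}

// The PolarSSL 1.3 idiom left unconverted after a mechanical rename: the
// test is now inverted, so a clientAuth-only cert passes as a server cert.
bool eku_is_server_auth_unported(const asn1_buf &oid)
{
    return MBEDTLS_OID_CMP(MBEDTLS_OID_SERVER_AUTH, &oid);
}

// Length to pass to mbedtls_x509_crt_parse / mbedtls_pk_parse_key for a
// NUL-terminated PEM string: the terminator must lie inside buflen.
size_t pem_buflen(const std::string &pem)
{
    return pem.size() + 1;
}

// Mirrors the dispatch rule that opens mbedtls_x509_crt_parse in 2.x: the
// PEM path is taken only if buf[buflen-1] is NUL and a BEGIN marker is
// present; anything else goes to the DER parser and fails there.
// Constructed stand-in: returns "pem" or "der" and parses nothing.
const char *crt_parse_dispatch(const unsigned char *buf, size_t buflen)
{
    if (buflen != 0 && buf[buflen - 1] == '\0' &&
        strstr(reinterpret_cast<const char *>(buf),
               "-----BEGIN CERTIFICATE-----") != nullptr)
        return "pem";
    return "der";
}
```

Passing `strlen(pem)` instead of `strlen(pem) + 1` does not produce a parse error about the length; the bytes are silently handed to the DER parser, which is why the failures after the port looked like corrupt certificates rather than a length mistake.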
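The "PKCS#1 digest prefix per RFC 3447" that the External PKI refactor standardizes on, worked through as an added example that is not the project's External PKI code. It builds the DigestInfo (DER prefix plus hash) and the full EMSA-PKCS1-v1_5 encoded message that an external signer raw-RSA-signs, and strictly decodes it again. The prefix tables are the DigestInfo templates from RFC 3447 section 9.2 note 1; the function names, the `Bytes` typedef and the constant-filled hash values in the test are this example's own choices.

```cpp
// Added example, not project code.  EMSA-PKCS1-v1_5 (RFC 3447 section 9.2):
//   T  = DigestInfo DER prefix || hash
//   EM = 0x00 || 0x01 || PS (>= 8 bytes of 0xFF) || 0x00 || T
// em_len is the RSA modulus length in bytes.  An external signer receives EM
// and applies RSASP1 only; it must not pad again.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

typedef std::vector<uint8_t> Bytes;

// DER DigestInfo templates up to (not including) the hash value itself.
struct DigestPrefix {
    const char *name;
    size_t hash_len;
    Bytes der;
};

static const DigestPrefix kPrefixes[] = {
    {"SHA1",   20, {0x30,0x21,0x30,0x09,0x06,0x05,0x2b,0x0e,0x03,0x02,0x1a,0x05,0x00,0x04,0x14}},
    {"SHA256", 32, {0x30,0x31,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,0x04,0x20}},
    {"SHA384", 48, {0x30,0x41,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x02,0x05,0x00,0x04,0x30}},
    {"SHA512", 64, {0x30,0x51,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,0x05,0x00,0x04,0x40}},
};

static const DigestPrefix &prefix_for(const std::string &alg)
{
    for (const DigestPrefix &p : kPrefixes)
        if (alg == p.name)
            return p;
    throw std::invalid_argument("unsupported digest: " + alg);
}

// T = DigestInfo(alg, hash).  The hash length is checked against the
// algorithm so a truncated or wrong-algorithm digest cannot be wrapped.
Bytes digest_info(const std::string &alg, const Bytes &hash)
{
    const DigestPrefix &p = prefix_for(alg);
    if (hash.size() != p.hash_len)
        throw std::invalid_argument("hash length does not match " + alg);
    Bytes t(p.der);
    t.insert(t.end(), hash.begin(), hash.end());
    return t;
}

// EM = 0x00 || 0x01 || PS || 0x00 || T  (RFC 3447 section 9.2, steps 3-5).
Bytes emsa_pkcs1_v15_encode(const std::string &alg, const Bytes &hash, size_t em_len)
{
    Bytes t = digest_info(alg, hash);
    if (em_len < t.size() + 11)   // PS must be at least 8 bytes
        throw std::length_error("intended encoded message length too short");
    Bytes em;
    em.reserve(em_len);
    em.push_back(0x00);
    em.push_back(0x01);
    em.insert(em.end(), em_len - t.size() - 3, 0xFF);
    em.push_back(0x00);
    em.insert(em.end(), t.begin(), t.end());
    return em;
}

// Strict inverse, useful for checking what a signer callback was handed:
// every framing byte is verified and the prefix must match alg exactly.
// Returns the embedded hash or throws std::invalid_argument.
Bytes emsa_pkcs1_v15_decode(const std::string &alg, const Bytes &em)
{
    const DigestPrefix &p = prefix_for(alg);
    const size_t t_len = p.der.size() + p.hash_len;
    if (em.size() < t_len + 11 || em[0] != 0x00 || em[1] != 0x01)
        throw std::invalid_argument("bad EM header");
    const size_t ps_len = em.size() - t_len - 3;
    for (size_t i = 2; i < 2 + ps_len; ++i)
        if (em[i] != 0xFF)
            throw std::invalid_argument("bad padding string");
    if (em[2 + ps_len] != 0x00)
        throw std::invalid_argument("missing separator");
    const size_t t_off = 3 + ps_len;
    if (!std::equal(p.der.begin(), p.der.end(), em.begin() + t_off))
        throw std::invalid_argument("DigestInfo prefix does not match " + alg);
    return Bytes(em.begin() + t_off + p.der.size(), em.end());
}
```

For the 2048-bit test keys mentioned above, em_len is 256, so a SHA-256 DigestInfo (51 bytes) leaves a 202-byte padding string; the decoder rejects an EM whose prefix names a different hash, which is the check that replaces the removed sig_type variable.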
* Added EXTRA_CPP var for specifying additional .cpp files
to be built as separate compilation units.
* Don't emit -fwhole-program flag if compile-only flag
(CO) is enabled or EXTRA_CPP is defined.
* Clear out EXTRA_SRC_OBJ if compile-only flag (CO) is
enabled to avoid warnings.
minor edits:
* Don't build OpenSSL.
* Edited ovpncli/README.txt with updated build command.
* Enabled C++11 in compiler flags, and turned off
some spurious warnings.
* Added CXX_COMPILER_FLAGS build flag to allow
C++-only flags to be defined.
Changes to build script as well:
* Honor OTHER_COMPILER_FLAGS and CXX_COMPILER_FLAGS
settings.
* For debug builds, DEBUG_BUILD=1 setting should be placed
in vars-x. Existing build DEBUG=1 setting now only
sets -g.
* For clang builds, don't emit -fvisibility=hidden because
that should be placed in OTHER_COMPILER_FLAGS in vars-x.
(MacLifeCycle).
Monitor connection lifecycle notifications, such as sleep, wakeup,
network-unavailable, and network-available.
Note that not all platforms define a lifecycle object. Some
platforms such as Android and iOS manage lifecycle notifications at
the service level, and they call pause(), resume(), reconnect(),
etc. as needed using the main ovpncli API.
Also, added a reason string to Pause event.
These scripts
scripts/mac/build-minicrypto
scripts/mac/build-polarssl
will now build PolarSSL (on OSX) with libminicrypto linkage.
Currently, only SHA1/256/512 implementations from OpenSSL are
built in libminicrypto. We leave the current PolarSSL AES
implementation as-is since it now implements AES-NI.
Also added portable openssl/build-openssl script.
BOOST_ASIO_DISABLE_KQUEUE is left undefined. To enable
fallback to Mac TunTap driver, MAC_TUNTAP_FALLBACK
and BOOST_ASIO_DISABLE_KQUEUE must be defined.
Dusted off LZ4 implementation and enabled in iOS
and cli.cpp builds.
Tested LZ4 as well with OpenVPN 3 acting as the client,
with a hacked AS and OpenVPN 2.3 (JY) acting as the server
(see lz4hack patches).
Ported iOS client and OpenVPN 3 core to ARM-64.
Now building a "fat binary" with Xcode 5.0.1 that
targets arm7, arm7s, and arm64.
Outstanding issues:
* IPv6 doesn't route through tunnel on iOS7
* Client doesn't install on iOS 5.1.1.
organization.
Added scripts under scripts/linux for building dependent
libraries.
Added test/ovpncli/cli.cpp to provide a command line client that
exercises ovpncli.hpp API and can be built via build script.
Android version: 1.1 beta 1
More alignment of iOS and Android clients:
* Normalized building of dependencies for Android and iOS:
This build adds some new library dependencies:
The library versions required are enumerated in
ovpn3/lib-versions, currently:
export BOOST_VERSION=boost_1_51_0
export OPENSSL_VERSION=openssl-1.0.1c
export POLARSSL_VERSION=polarssl-1.1.4
export LZO_VERSION=lzo-2.06
To build, first mkdir ~/src/android and ~/src/mac if they don't
already exist. Set the env var O3 to point to the ovpn3 dir,
usually ~/src/ovpn3.
Build on iOS:
[set PATH to include NDK]
cd ~/src/android
$O3/scripts/android/build-boost
$O3/scripts/android/build-minicrypto
$O3/scripts/android/build-polarssl
$O3/scripts/android/build-lzo
Build on Android:
[set PATH to include NDK]
cd ~/src/android
$O3/scripts/android/build-boost
$O3/scripts/android/build-minicrypto
$O3/scripts/android/build-polarssl
$O3/scripts/android/build-lzo
* Integrated Minicrypto library (an assembly language library
of low-level crypto functions adapted from OpenSSL).
* Added LZO compression with a preference/settings item
to enable or disable.
* Added special compression handling to support older servers
that ignore compression handshake -- this will handle receiving
compressed packets even if we didn't ask for them.
* Normalized profile naming conventions.
iOS changes:
* Log tunnel performance stats immediately on disconnection
of tunnel.
Android changes:
* Client now supports loading profiles as attachments
opened from other apps.
* Added Import Private Tunnel menu item, however current
Private Tunnel download page needs to be adapted to fit
requirements of Android download manager.
* Enter key should advance to the next input field,
or connect if entered from the last field.
* Import from Access Server now provides the option to
download autologin vs. userlogin profiles.
* "About" page now shows copyright text for included
libraries/content (except for LZO and PolarSSL
which will presumably be commercially licensed).