- Remove dependency build. For normal use cases on a
recent distro, installing all dependencies from distro
should be fine. Tested on Ubuntu 20.04 (mbedTLS too old,
otherwise okay) and Ubuntu 22.04.
- Document more dependencies. With the added dependencies a
clean build and ctest run is possible starting with the
default ubuntu:<version> containers.
- Use ninja. We use this for all of our non-VC builds, so
recommend it here as well.
Based on a smaller change proposed in Github#301
by Scruel Tao.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
The need to call the assert_crypto() member function to ensure
that a cryptographically strong RNG is used where needed was reported
as potentially insecure, since calling it manually can easily be missed.
In the commit the two new classes StrongRandomAPI and WeakRandomAPI are
introduced. They are to be used instead of just RandomAPI, unless it
doesn't matter what strength the RNG is.
All the places the assert_crypto() was called were converted to using
StrongRandomAPI instead. Also the RNGs for which assert_crypto() was not
throwing are now inheriting from StrongRandomAPI.
Variable names, which have the StrongRandomAPI type, but were called
prng, are changed to rng instead to follow the source code convention.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
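The type-based approach the commit above describes, as an added illustration written here rather than OpenVPN 3's own RandomAPI code: a function that needs key-grade randomness takes a StrongRandomAPI reference, so passing a weak generator fails at compile time instead of relying on a runtime assert_crypto() call. The Demo* classes, generate_key, jitter_ms and demo_key are hypothetical names.

```cpp
#include <cstddef>
#include <cstdint>
#include <random>
#include <type_traits>
#include <vector>
// Common interface: any RNG can fill a buffer.
class RandomAPI {
public:
    virtual ~RandomAPI() = default;
    virtual void rand_bytes(unsigned char *buf, std::size_t size) = 0;
};
// Marker types: only cryptographically strong RNGs derive from StrongRandomAPI.
class StrongRandomAPI : public RandomAPI {};
class WeakRandomAPI : public RandomAPI {};
// Hypothetical strong RNG; std::random_device stands in for the OS CSPRNG here.
class DemoStrongRandom : public StrongRandomAPI {
    std::random_device dev;
public:
    void rand_bytes(unsigned char *buf, std::size_t size) override {
        for (std::size_t i = 0; i < size; ++i) buf[i] = static_cast<unsigned char>(dev());
    }
};
// Hypothetical weak RNG: seeded mt19937, acceptable for jitter, never for keys.
class DemoWeakRandom : public WeakRandomAPI {
    std::mt19937 gen{12345};
public:
    void rand_bytes(unsigned char *buf, std::size_t size) override {
        for (std::size_t i = 0; i < size; ++i) buf[i] = static_cast<unsigned char>(gen());
    }
};
// Key material may only come from a StrongRandomAPI: the parameter type enforces
// it at compile time, so there is no assert_crypto() call to forget.
std::vector<unsigned char> generate_key(StrongRandomAPI &rng, std::size_t len) {
    std::vector<unsigned char> key(len);
    rng.rand_bytes(key.data(), key.size());
    return key;
}
// Timing jitter does not care about RNG strength, so it accepts any RandomAPI.
unsigned jitter_ms(RandomAPI &rng, unsigned max_ms) {
    std::uint32_t v = 0;
    rng.rand_bytes(reinterpret_cast<unsigned char *>(&v), sizeof(v));
    return v % (max_ms + 1);
}
// Convenience wrapper: derive a key from the strong generator.
std::vector<unsigned char> demo_key(std::size_t len) { DemoStrongRandom r; return generate_key(r, len); }
// generate_key(weak_rng, n) is rejected by the compiler; this expresses the same check as a value.
constexpr bool weak_accepted_as_strong = std::is_convertible<DemoWeakRandom *, StrongRandomAPI *>::value;
```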
The name Config is very generic and often leads to confusion which
class in particular is used in a given context. Rename Config to
ProtoConfig to give some more clue about the context.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
- test_cpu_time: fix unused variable
- Allow GIT version to be reported as part of platform (version) string
- Update OpenSSL to 3.0.5, build fat lib for macos, drop 32 bit on iOS
- README.rst: some fixes for macOS instructions
- extpki.hpp: ignore deprecated EC_KEY_* functions
- mingw: fix OpenSSL on x86_64
- mingw: fix broken OpenSSL checkout
- test_ssl: fix ssl.enablelegacyProvider
- dco/GeNL: ignore message for unrelated interfaces
Signed-off-by: David Sommerseth <davids@openvpn.net>
- Fix rst syntax error
- Add pkg-config to list of brew packages to
install. While here, order them alphabetically.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Remove the vars-osx64 and vars-iossim files which are no longer used.
The iOS simulator does not support the VPN API and builds for the
iOS simulator have not been done in a very long time nor are they
particularly useful.
Also switch to pkg-config for jsoncpp by default.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
If DCO support is compiled in, detect if it is available (i.e. Windows driver
or Linux kernel module is loaded) and then use it, if it is.
This changes the default configuration for DCO from off to on, so users of
the library need to set ClientAPI::Config::dco to false in case they do not
want to use dco for a connection.
The change is also reflected in the reference client "ovpncli". If DCO is
enabled in a build, it will detect and use it. The previously available
"ovpncliovpndco" and "ovpncliovpndcowin" clients have thus been removed.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
The README file had several deprecated ways of building various test
binaries. Clean up this and direct users towards using CMake
everywhere.
The change to test/ssl/CMakeLists.txt covers various build-time
parameters the deprecated build script supported.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Add vcpkg manifest with list of dependencies, which is
consumed by the cmake configure phase and stored per-project.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
The GitHub rendering was not optimal and commit fa2919b27c added a few
more changes disabling HTML rendering completely. This moves the
formatting closer to the .rst format GitHub supports.
Also fix a few various typ0s and a slight sentence improvement in the
new ovpn-dco section.
Signed-off-by: David Sommerseth <davids@openvpn.net>
The existing instructions didn't work, and expected a couple of steps which I found and added.
Reviewed-by: David Sommerseth <davids@openvpn.net>
Reviewed-by: Lev Stipakov <lev@openvpn.net>
This introduces experimental support for Wintun
as an alternative for tap-windows6.
In order to use wintun, set the "ClientAPI::Config::wintun"
flag to "true" or use the "-w" option in the test client.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
This patch builds on work by David Sommerseth <davids@openvpn.net>
to move the PolarSSL API from polarssl-1.3 to mbedtls-2.3, which
has significant differences in some areas.
- Strings containing keys, certificates, CRLs, and DH parameters
need to be NULL-terminated and the length argument provided to
the corresponding mbedtls parse function must be able to read
the NULL-terminator. These places have been modified with a
'+1' to the length argument (x509cert.hpp, x509crl.hpp, dh.hpp,
pkctx.hpp).
- The SSL context object has been split up in mbedtls-2.3.
Now many of the SSL configurations are done in a separate
SSL config object, which is added to the SSL context once
configured. In addition private/public keys are now stored
in a separate pk_context, which is later on attached to the
SSL context. Due to this, many of the calls setting either
SSL configuration parameters or working with pk_contexts have
been refactored. (sslctx.hpp)
- The older API loading the CA chain took a hostname argument.
The new API requires mbedtls_ssl_set_hostname() explicitly to
be called setting hostname. Some refactoring was needed here
too (sslctx.hpp).
- x509_oid_get_description() is now replaced by
mbedtls_oid_get_extended_key_usage().
- When mbedTLS renamed OID_CMP to MBEDTLS_OID_CMP, the return
value was changed so that a return value of 0 now means equal
rather than not-equal.
- mbedtls/platform.h must be loaded before any other mbedtls
include files (sslchoose.hpp).
- All functions and macros related to mbedTLS are now prefixed
with mbedtls_/MBEDTLS_.
- Refactored External PKI and added some options to cli.cpp
to make it easier to test that the feature still works
correctly. This included removing the sig_type var and
standardizing on a PKCS#1 digest prefix per RFC 3447.
- Updated test keys to 2048 bits.
- Updated dependency build scripts to build mbedTLS.
- Enable MD4 in mbedTLS build script (needed for NTLM auth).
- Use an allow-all X509 cert profile to preserve compatibility
with older configs. Going forward, we will implement new
options to increase strictness on minimum RSA key size and
required cert signing algs.
- Added human-readable reason strings that explain why
a given cert in the chain wasn't accepted.
- This patch doesn't rename any files or rename internal
OpenVPN 3 symbols such as PolarSSLContext. This will
be done in a separate commit.
Signed-off-by: James Yonan <james@openvpn.net>