This is to prevent an attacker from using knowledge about the hash
table bucket hashing function to maliciously attempt to create
unbalanced hash buckets, which in turn could lead to DoS.
test/ovpncli/README.txt -- C++11 is the default mode, so
remove info about how to enable it.
test/ssl/README.txt -- include note about building proto
with Profile-Guided Optimization on Linux.
* Performance degradation from recent commit was occurring
in PRNG.
* Allow RNG to be used in place of PRNG. For PolarSSL
at least, this change completely reverses the
polymorphic ProtoContext performance degradation
and turns it into a net performance gain.
* Added bool prng to RNG constructors to allow
the implementation to optimize for PRNG
(only PolarSSL currently supports this).
Documented different use-cases for RNG vs. PRNG
in ProtoContext:
RNG -- Random number generator.
Use-cases demand highest cryptographic strength
such as key generation.
PRNG -- Pseudo-random number generator.
Use-cases demand cryptographic strength
combined with high performance. Used for
IV and ProtoSessionID generation.
three-level factory model:
CryptoDCFactory -- builds CryptoDCContext objects for a given
cipher/digest
CryptoDCContext -- builds CryptoDCBase objects for a given key ID
CryptoDCBase -- encrypt/decrypt data channel
minor edits:
* Don't build OpenSSL.
* Edited ovpncli/README.txt with updated build command.
* Enabled C++11 in compiler flags, and turned off
some spurious warnings.
* Added CXX_COMPILER_FLAGS build flag to allow
C++-only flags to be defined.
Changes to build script as well:
* Honor OTHER_COMPILER_FLAGS and CXX_COMPILER_FLAGS
settings.
* For debug builds, DEBUG_BUILD=1 setting should be placed
in vars-x. Existing build DEBUG=1 setting now only
sets -g.
* For clang builds, don't emit -fvisibility=hidden because
that should be placed in OTHER_COMPILER_FLAGS in vars-x.
These scripts
scripts/mac/build-minicrypto
scripts/mac/build-polarssl
will now build PolarSSL (on OSX) with libminicrypto linkage.
Currently, only SHA1/256/512 implementations from OpenSSL are
built in libminicrypto. We leave the current PolarSSL AES
implementation as-is since it now implements AES-NI.
Also added portable openssl/build-openssl script.
* Fixed compile issue due to need to replace cc.enable_debug()
with cc.ssl_debug_level = 1.
* Added RENEG var to control number of "virtual seconds" between
SSL renegotiations.
* Doc changes in README.txt.
on Mac OS X 10.6. Going forward on OS X, we will probably need to
move away from HYBRID model to pure PolarSSL. AES-NI support in
PolarSSL 1.3 helps us here.
Implemented full TunClient class for Windows with TAP driver
support. For now, we use netsh (rather than TAP driver DHCP)
to set all tunnel adapter properties, as this appears to work
great on Windows 7.
IPv6 is fully supported.
Known isues:
* netsh doesn't have a command for adding DNS search domains, so
we don't support them yet.
* While we always try to remove routes and added properties from
TAP adapter instance when we close out the session, for robustness,
when we bring up TAP adapter, we should try to delete any stale
routes on interface left over from previous session.
* Right now we call netsh with system(). For security and
compatibility with Windows apps (not only console apps),
we should use CreateProcess instead.
Dusted off LZ4 implementation and enabled in iOS
and cli.cpp builds.
Tested LZ4 as well with OpenVPN 3 acting as the client,
with a hacked AS and OpenVPN 2.3 (JY) acting as the server
(see lz4hack patches).
Core: Added forceAesCbcCiphersuites config flag. When enabled,
the TLS implementation will not set a minimum TLS version for
peer negotiation (even if tls-version-min is specified), but
will instead force one of these two ciphersuites:
1. TLS_DHE_RSA_WITH_AES_256_CBC_SHA, or
2. TLS_DHE_RSA_WITH_AES_128_CBC_SHA
When forceAesCbcCiphersuites is disabled, no explicit set of
ciphersuites will be forced, but the TLS minimum version will
be set to 1.0 or (or higher if tls-version-min is specified).
Also added iOS preference and cli.cpp option to control the
forceAesCbcCiphersuites flag.
Ported iOS client and OpenVPN 3 core to ARM-64.
Now building a "fat binary" with Xcode 5.0.1 that
targets arm7, arm7s, and arm64.
Outstanding issues:
* IPv6 doesn't route through tunnel on iOS7
* Client doesn't install on iOS 5.1.1.
like the rest of the core.
Added verbose() method to class SessionStats so that clients can
know whether to pass extra text data to error() virtual method.
OpenVPN 1.1.11 build 43 (Android)
Fixed issue with NTLM proxy authentication where connections
through Squid proxies would produce the error "NTLM phase-2
Content-Length is not zero".
Separated the functionality of replacePasswordWithSessionID
and cachePassword, and allow them to be used together,
in which case the session ID will be used as the password
until it expires or is invalidated, then the cached
password will be used to reauth.
Android: 1.1.9 build 31
* Reverted key-direction back to a default of 1.
* Raise fatal error if "fragment" option is used.
* Made TunBuilderCapture more useful as a base class for
tun construction on various platforms.
* Added disableClientCert flag at ovpncli.hpp API.
* Updated help FAQ with more details on how to
properly set key-direction, and notes about
possible network disconnect during voice calls.
* Updated to Xcode 4.5 and tested client build on iOS6.
* Note that it is no longer necessary to copy the private
SystemConfiguration header files for the VPN API into the
Xcode tree. The OpenVPN Xcode project file will now
reference them directly from the ovpn3 tree.
* Note that in Xcode 4.5, the iPhoneOSProductTypes.xcspec file that
must be edited to allow bundle signing is now a binary plist.
Use the Mac plutil tool to convert it to JSON so it can be edited
then convert back to binary:
$ cp iPhoneOSProductTypes.xcspec iPhoneOSProductTypes.xcspec.backup
$ plutil -convert json -r iPhoneOSProductTypes.xcspec
[ edit iPhoneOSProductTypes.xcspec according to instructions in
ovpn3/doc/Build_VPN_App_and_Plugin.pdf ]
$ plutil -convert binary1 iPhoneOSProductTypes.xcspec
* The ARM assembler provided in Xcode 4.5 is no longer able to
assemble the Minicrypto ASM algorithms. As a workaround, before
updating to Xcode 4.5, preserve the previous clang binary by
copying it to ~/clang3/clang -- the build-minicrypto script will
expect it to exist. This is the version of clang that must be used:
$ ~/clang3/clang --version
Apple clang version 3.0 (tags/Apple/clang-211.10.1) (based on LLVM 3.0svn)
Target: x86_64-apple-darwin11.4.2
Thread model: posix
* Make sure to update your PATH to include the new Xcode 4.5 clang and
rebuild all libraries. I found that updating to Xcode 4.5 left the
old clang in /usr/bin. The Xcode 4.5 clang should show this version
info:
$ clang --version
Apple clang version 4.1 (tags/Apple/clang-421.11.65) (based on LLVM 3.1svn)
Target: x86_64-apple-darwin11.4.2
Thread model: posix
* Added $O3/scripts/mac/build-all script to build all Mac/iOS
dependencies.
used as both client and server implementation.
Added DH support to PolarSSL.
Added CLIENT_NO_RENEG and SERVER_NO_RENEG flags to test code
in proto.cpp to allow scenarios to be tested where either
the server, client, or both initiate renegotiation.
Updated test/ovpncli/cli.cpp with new command line options
and will now run on Mac OS X.
Updated Android and iOS build systems to no longer include
any LZO support, and to include Snappy support instead.
array instead of concatenated string, and to resolve issue on OS X
where signals were being ignored after system() was called.
C++ iterators incremented in a for statement should usually use
a preincrement syntax.
functionality (including LZO-Asym) except for LZO stub:
NO_LZO -- disable all LZO functionality except for stub
HAVE_LZO -- use LZO library for compression/decompression
default -- use LZO-Asym decompressor (no compression)
Added init_process call to start of test/ovpncli/cli.cpp
organization.
Added scripts under scripts/linux for building dependent
libraries.
Added test/ovpncli/cli.cpp to provide a command line client that
exercises ovpncli.hpp API and can be built via build script.
general-purpose classes.
Rename ProtoStats to SessionStats and make it more flexible
by using an abstract base class model.
Add a client event queue for the beginnings of a client-backend
API.
Added logic to ProtoContext to invalidate session on certain
kinds of errors in TCP that would be normally be okay in UDP
such as HMAC_ERROR, DECRYPT_ERROR, etc.
Add some alignment adjustment logic for READ_LINK_TCP (3 bytes)
and READ_LINK_UDP (1 byte).
Fixed rare bug where client receives auth, goes ACTIVE, but the ACK
response back to the server is dropped causing the server to receive
post-ACTIVE app messages from the client while it's still stuck
in the S_WAIT_AUTH_ACK state.
