Adds a patch formed from ovpn-asio repository:
- branch 1-14-ovpn
- commit df7759c141a31159d0ca4267b63f64dfd2a385b1
The patch adds kovpn route_id support to endpoints for sendto/recvfrom.
Signed-off-by: Jani Väyrynen <jani.vayrynen@openvpn.net>
Also increase minimum OS version to 10.12 since the 10.8 target defaults
to libstdc++, which is not available on modern macOS versions
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This adds port overlays for asio and mbedtls. Those
are required because we use patched versions of those libraries.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
When porting this patch I accidentally got the conflict backwards and
the resulting patch is nonsense. I am not sure how this managed to
survive a full Jenkins run.
ASIO's code for returning error messages doesn't play well with
non-ASCII chars. This quick fix makes ASIO use English.
A proper fix, which is more invasive (use FormatMessageW and
WideCharToMultiByte with UTF-8) will be provided separately.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
The deprecated macro of LZ4 1.8.0 breaks in newer LLVM/Clang version:
include/lz4.h:446:12: error: an attribute list cannot appear here
LZ4LIB_API LZ4_DEPRECATED("use LZ4_decompress_safe() instead") int
LZ4_uncompress_unknownOutputSize (const char* source, char* dest,
int isize, int maxOutputSize);
Using -DLZ4_DISABLE_DEPRECATE_WARNINGS allows including these headers
with modern LLVM/Clang version
The new lz4 version (1.8.3) fixes this problem.
Mbedtls 2.7.5 included a bugfix (e08754762d) that ASM code in bn_mul.h
was only enabled with -O0 instead of not enabling it with -O0.
Unfortunately, the old gcc version (4.9.x) we use for our Android
build does not handle this. Fall back to not using ASM code on the
gcc/Android combination.
Update dep on mbedTLS to latest maintenance release
of the 2.7 branch.
Most of our private patches are now upstream and can
be removed.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
When 'git apply' is run inside repository folder, it ignores files
missing in index. To make it work, run 'git apply' outside of repository.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
At the same time rebase patches on top of new version
and get rid of fixes that have been merged upstream.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Backport patches from mbedTLS-2.7.0 to address the CVE
in the subject:
28a0c727 RSA: Fix buffer overflow in PSS signature verification
6a54b024 RSA: Fix another buffer overflow in PSS signature verification
139108af RSA PSS: fix minimum length check for keys of size 8N+1
b00b0da4 RSA PSS: fix first byte check for keys of size 8N+1
91048a3a RSA PSS: remove redundant check; changelog
This bug can be exploited by sending a malicious certificate
chain signed using RSASSA-PSS.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
We currently have some external patches that should be applied
on asio before using it in our projects.
However, these patches have always been applied manually in the
past and therefore they are not part of our automatic build
system.
Modify the build-asio script so that it auto-applies our
patches every time it is invoked. This change will ensure
that the same "asio version" is used when building the core or
other apps.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
When we moved to asio-862aed305 we have not updated our external
patches accordingly.
This change takes care of rebasing our patches on top of 862aed305
so that they can cleanly apply again.
0001-Android-appears-to-not-support-pthread_condattr_setc.patch has
been dropped as this issue has been tackled upstream.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
mbedTLS commit 8873bcc4def433aa0edfbe260083f32f04aa097e
Timing self test: increased duration
Increase the duration of the self test, otherwise it tends to fail on
a busy machine even with the recently upped tolerance. But run the
loop only once, it's enough for a simple smoke test.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
This will ensure that mbedtls is still passing all its
unit tests before building it.
It is important to run the checks because we backport patches
on our own and they may break during the process.
Checks are performed only when building for linux or for osx.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>