* Added native_handle() virtual method
* Use AltRouting abstract socket when
OPENVPN_POLYSOCK_SUPPORTS_ALT_ROUTING is defined
Signed-off-by: James Yonan <james@openvpn.net>
CoarseTime objects that track an AsioTimer must always be
reset when the AsioTimer is cancelled. Not doing so can
cause a bug if the AsioTimer is reused after cancellation.
Signed-off-by: James Yonan <james@openvpn.net>
Whitelist TLS ciphersuites that include the ECDSA algorithm.
This way EC certificates can be finally used.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Apparently sha256sum is not available on macOS.
To allow users to properly use our build system on this platform
we need to migrate to something available on macOS too.
Change the sha256sum invocation to shasum -a 256.
The output of both commands is the same.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Jenkins is not used for this repository, therefore
remove the Jenkinsfile for good and avoid misunderstandings.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Upon activation of the primary keycontext, check if any
tls warning was set by the SSL session object.
If so, trigger an event to the CLI/UI.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Ensure that the tls_warning attribute stored in an SSL session
object is properly bubbled up to the upper layers for proper
processing.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
The SSLAPI instance should use this new attribute to
report potential issues detected during the tls handshake.
Upper layers will process this attribute when needed.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
An instance of this object should be treated like an important
`Info`.
The App/UI should show its `reason` to the user in a striking manner.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
After setting up the IP address and specifying the gateway, Windows creates
an unneeded default route 0.0.0.0/0, which might cause routing issues.
Delete the route after a small delay (to ensure that Windows has created
a profile for a new network).
Signed-off-by: Lev Stipakov <lev@openvpn.net>
The core libraries together with all the SWIG output files
are now archived and saved in the O3 folder for later usage.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
The scripts/android/build-all script is now in charge of
performing all the steps required to build a full Android core.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
With this change a dep build script will now download
the related tarball automatically if not already present.
This way, we ensure that the core is built with the dep
package version specified in lib-versions.
After finding or downloading a tarball, its checksum is
computed and compared with the one in lib-versions to
ensure that the file is the expected one.
This logic has been applied to asio, mbedtls and lz4.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Android is missing std::to_string() support, therefore
we should make sure the compiler has a chance to use
the openvpn::to_string() implementation provided in the core.
Remove the 'std::' prefix in time.hpp to accommodate the
behaviour described above.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Following a high number of user complaints, it was suggested
to re-enable MD5 and to give our users a notice period of some
months before dropping its support entirely.
With this patch we add a new certificate profile called "insecure"
which is equal to "legacy" with the addition of MD5.
By default OpenVPN3 still uses legacy and the insecure profile
must be enabled explicitly by the client app.
The new profile is also enveloped in an ifdef so that
such support is not introduced unless whoever builds the core
knows about it.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Some CAs provide certificates that do not fully follow
the RFC in terms of date format.
This patch relaxes the constraints in mbedTLS so that
not fully compliant certificates can also be accepted.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
SSL_CBC_RECORD_SPLITTING is not enabled in OpenVPN-2.x,
therefore we have to disable it by default in OpenVPN-3 as well
to keep wire compatibility.
This feature can cause nasty behaviours when communicating over
TLS-1.0. Crashes of servers running openvpn < 2.3.7 have also
been witnessed due to an assert on the packet size (assert has been
removed in 2.3.7).
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>