Commit Graph

18 Commits

Author SHA1 Message Date
Davide De Rosa 5e0d044bd3
Fix warnings about const qualifier 2024-01-27 10:21:14 +01:00
Davide De Rosa 6ab1759e04
Update copyright 2024-01-14 14:33:14 +01:00
Davide De Rosa 3bafce9a8e
HMAC breaking due to dangling OSSL_PARAM (#405) 2024-01-05 23:13:04 +01:00
Davide De Rosa faa3c94391
Set SSL security level explicitly (#406)
Default value may have been raised in OpenSSL 3, disrupting
operation with less secure certificates.
2024-01-05 23:10:53 +01:00
Davide De Rosa f56dfa313c
Use OpenSSL 3 (#347)
- Replace deprecated peer cert calls
- Use atomic HMAC
- Upgrade HMAC to EVP_MAC
2023-12-13 21:17:38 +01:00
Davide De Rosa 8ca928a13b
Convert encryption tests to proper unit tests (#348) 2023-12-13 09:59:57 +01:00
Davide De Rosa d7fbeb0d90 Update copyright 2023-03-17 16:58:36 +01:00
Tejas Mehta 5ecd732cc2
Add Complete XOR Patch Functionality (#255)
Co-authored-by: Davide De Rosa <keeshux@gmail.com>
2022-11-06 17:46:10 +01:00
Davide De Rosa 6dc1140d5b Revert "Work around segfault in Xcode 13.3 "Release""
This reverts commit 02e702d97b.
2022-09-23 16:11:37 +02:00
Davide De Rosa 02e702d97b Work around segfault in Xcode 13.3 "Release"
Surely some Xcode bug. Doesn't like NSCAssert in inline function.
2022-04-12 21:18:03 +02:00
Davide De Rosa 2646762bb4 [ci skip] Update copyright 2022-02-04 12:57:40 +01:00
Davide De Rosa 9c63b856cb
Verify CA from on-disk file (#237)
* Verify CA from on-disk file

Revert part of #213 again, because `SSL_CTX_load_verify_locations`
is just more reliable at setting up the trust store.

It looks like it's able to reference the .pem multiple times in
those cases where the root issuer of the CA is also embedded in
the file (which is the case with e.g. Let's Encrypt).

This is better than the current implementation, and I couldn't
easily find a way to do the same in-memory. I'd rather use the
standard API here.

See 7a85d3cac7
2021-11-27 12:32:30 +01:00
Davide De Rosa 7a85d3cac7
Restore and fix former PEM caching PR (#235)
This reverts commit 995009121a.

* Improve error handling

* Trust intermediate CA

* Update CHANGELOG
2021-11-25 12:36:17 +01:00
Davide De Rosa b6d3cdc3b1
Revert to OpenSSL (#233)
* Use an OpenSSL binary without Bitcode
* Restore TLS security level override
* Disable Bitcode completely in Demo
2021-11-24 16:40:19 +01:00
Davide De Rosa 74f38d335b Move TunnelKit errors specific to OpenVPN
Use local error domain in LZO to not depend on anything.
2021-11-23 19:17:43 +01:00
Davide De Rosa 995009121a Revert "Avoid caching PEMs on disk (#213)"
This reverts commit 00d908cc89.
2021-11-18 12:05:06 +01:00
Davide De Rosa bc776eda85 Replace OpenSSL with BoringSSL from SwiftNIO SSL
- Raise iOS target to 13
- Drop support for TLS security level
- Address warnings about integer conversion (iOS)
2021-11-12 10:00:46 +01:00
Davide De Rosa 50064fc3d0 Increase components granularity
Minimize target dependency on OpenSSL (easier to drop later).

Outside of OpenVPN tunnel extension, OpenSSL is only used to
decrypt encrypted private keys in CryptoContainer (found in
TunnelKitOpenVPNCore, therefore "temporarily" dependent on
CTunnelKitOpenVPNAppExtension for TLSBox/CryptoBox).
2021-11-11 15:18:03 +01:00