Add X.509 certificate authentication to reflector
Support for X.509 certificate handling and TLS encryption has been added
to SvxLink/Async. That is used to authenticate as well as encrypt
connections to the SvxReflector server. The TCP connection is encrypted
using TLS and the UDP connection is encrypted using a custom shared key
scheme. The cipher used by default is AES128 GCM. The implementation is
based on OpenSSL.

Both the server and the client require authentication. The AUTH_KEY
authentication method that was previously used is deprecated. The
certificate generation process is mostly automated. The contents of the
certificate can be customized using the configuration variables with
name prefix CERT_. Default values are good in most cases. CERT_EMAIL may
be good to specify so that the SvxLink node owner can be contacted. Ask
the reflector sysop what the convention is.

The reflector server needs to be updated to use this version of SvxLink on a
reflector client. If the server is older and only supports the version 2
protocol, you must use TYPE=ReflectorV2 in the ReflectorLogic config.

All PKI (Public Key Infrastructure) files will be stored in the directory
given by the CERT_PKI_DIR configuration variable. The path defaults to
something like /var/lib/svxlink/pki but the exact default path depends on
build configuration. In any case, that path needs to be created and made
writable for SvxLink. That should be done automatically by "make install".

Signing client certificates is done on the reflector server via a PTY
command (e.g. echo CA SIGN SM0XYZ >/dev/shm/reflector_ctrl). There are
more subcommands for listing and removing certificates/CSRs but
those have not been fully implemented yet. However, those operations can
be performed using standard OS utilities like 'ls' and 'rm' within the
PKI subdirectory.

In short, this is how to implement the new authentication scheme in a
reflector network:

- Update the reflector server
- Ensure that COMMAND_PTY is set up in the reflector config
- Set up SERVER_CERT/COMMON_NAME to be the public hostname of the
  reflector server
- When the reflector server starts it will generate a CA root
  certificate, an issuing (signing) certificate and a signed server
  certificate for the reflector server. The root certificate will be
  used as the CA bundle by default.
- Update reflector clients
- When the client starts it will generate a private key and a CSR
  (certificate signing request)
- When the client connects to the server it will download the CA bundle
  and send the CSR to the reflector server
- The reflector sysop uses the "CA SIGN callsign" command to sign the
  CSR, creating a certificate
- The signed certificate will be sent to the client
- The client will reconnect using the signed client certificate
- The reflector sysop can now remove the specific user configuration for
  that client in the reflector.

Both older clients and updated clients will be able to connect to the
updated reflector. AUTH_KEY will still work for both old and updated
clients.

Building SvxLink requires a new dependency on OpenSSL so the development
package for that library needs to be installed (e.g. install package
libssl-dev if on a Debian based distro).

These are some features of the new implementation:

- TLS encryption implemented in the Async::TcpConnection class
- Subject Alternative Name support
- Client checks remote host name of reflector server
- New classes: Async::Digest, Async::SslKeypair, Async::SslCertSigningReq,
  Async::SslContext, Async::X509, Async::X509Extensions,
  Async::X509ExtSubjectAltName
- Send signed CA bundle to client if requested
- Add SSL to the AsyncHttpServer_demo
- Intermediate signing cert support
- OpenSSL 1.1.0l compatibility
- The reflector server uses CN in the cert as callsign
- The CSR CN is checked so that it really looks like a callsign
- Ensure that the public key is the same for an updated CSR
- Create the PKI subdirectory with "make install"
- UDP encryption
- Reflector server sends signed certificate to client
- The reflector client autogenerates key and CSR

And also some other fixes:

- Don't show unauthenticated nodes in HTTP /status
- Better info message for client side reflector protocol downgrade
- Implement more robust protocol version negotiation in reflector
- Bugfix in TcpConnection constructor
- Support connecting v3 client to v2 server through the new ReflectorV2
  logic plugin
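The certificate flow in the commit message (root CA, issuing CA, server cert with host name, client key and CSR with CN = callsign, the callsign and unchanged-key checks before "CA SIGN", and verification against the CA bundle) replayed with the openssl CLI. This is an added illustration, not SvxLink code: the host name, callsign, file names and the callsign pattern are all assumed for the demo.

```shell
#!/bin/sh
# Added example, not SvxLink code: the PKI flow the commit describes, replayed
# with the openssl CLI. Host name, callsign, paths and the callsign pattern are
# all assumed/constructed for the demo. Needs the openssl binary (1.1.0+).
set -e
PKI=$(mktemp -d)
HOST=reflector.example.net   # stands in for SERVER_CERT/COMMON_NAME

# Assumed callsign pattern; the project's real check is not shown on the page.
callsign_ok() { printf '%s\n' "$1" | grep -Eq '^[A-Z0-9]{1,3}[0-9][A-Z]{1,4}(-[A-Z0-9]{1,2})?$'; }
# Subject CN of a CSR, e.g. "SM0XYZ" (RFC2253 form lists CN last, hence the greedy match).
csr_cn() { openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=.*CN=\([^,]*\).*/\1/'; }
# SHA-256 of the DER public key, so a re-submitted CSR can be tied to the original key.
csr_pubkey_fpr() {
  openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
# Sign CSR $1 with CA $2 ($2.key/$2.crt), applying the extensions in $3, writing cert $4.
issue() { openssl x509 -req -in "$1" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial -days 365 \
                  -extfile "$3" -out "$4" 2>/dev/null; }

cd "$PKI"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" >srv.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' >cli.ext

# Reflector server start-up: root CA, intermediate issuing CA, server cert (CN = hostname, plus SAN).
openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Demo Reflector Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext -out root.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout issuing.key -out issuing.csr -subj "/CN=Demo Reflector Issuing CA" 2>/dev/null
issue issuing.csr root ca.ext issuing.crt
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr -subj "/CN=$HOST" 2>/dev/null
issue server.csr issuing srv.ext server.crt
cat root.crt issuing.crt >ca-bundle.crt   # bundle the client downloads (intermediate added so verify works offline)

# Client start-up: private key and a CSR with CN = callsign; a later, updated CSR reuses the same key.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out SM0XYZ.key 2>/dev/null
openssl req -new -key SM0XYZ.key -out SM0XYZ.csr -subj "/CN=SM0XYZ"
openssl req -new -key SM0XYZ.key -out SM0XYZ.v2.csr -subj "/CN=SM0XYZ/emailAddress=op@example.net"

# Sysop's "CA SIGN SM0XYZ": CN must look like a callsign and the key must match the earlier CSR.
cn=$(csr_cn SM0XYZ.v2.csr)
callsign_ok "$cn" || { echo "refusing CSR: CN '$cn' is not a callsign"; exit 1; }
[ "$(csr_pubkey_fpr SM0XYZ.csr)" = "$(csr_pubkey_fpr SM0XYZ.v2.csr)" ] || { echo "public key changed"; exit 1; }
issue SM0XYZ.v2.csr issuing cli.ext SM0XYZ.crt

# Both ends verify against the bundle; the client additionally checks the server's host name.
openssl verify -CAfile ca-bundle.crt SM0XYZ.crt server.crt
openssl verify -CAfile ca-bundle.crt -verify_hostname "$HOST" server.crt
```

The files are left in the temporary directory printed by mktemp so the generated certificates can be inspected with `openssl x509 -text`.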
sm0svx committed Jul 11, 2024
1 parent ece6514 commit 6d533b1
Showing 62 changed files with 11,703 additions and 638 deletions.
1 change: 1 addition & 0 deletions INSTALL.adoc
@@ -31,6 +31,7 @@ or "-devel".
* *librtlsdr*: Support for RTL2832U DVB-T/SDR USB dongles (Optional)
* *libgpiod*: More modern approach for GPIO support (Optional)
* *libqt*: Version 4. Framework for graphical applications (Optional)
* *libssl*: OpenSSL Cryptography and SSL/TLS Toolkit

There also are some runtime dependencies which normally is needed to run a
SvxLink system.
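Review bot: the new `* *libssl*` entry should say that it is mandatory and which version is needed, since every neighbouring entry carries an explicit `(Optional)` tag and the commit message says the build now requires OpenSSL and targets 1.1.0l compatibility; suggest `* *libssl*: OpenSSL Cryptography and SSL/TLS Toolkit, 1.1.0 or later (Required)`.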
7 changes: 3 additions & 4 deletions README.adoc
@@ -26,6 +26,7 @@ either C++ or TCL. Examples of modules are:
* *SelCall* -- Send selective calling sequences by entering DTMF codes
* *MetarInformation* -- Play airport weather information
* *Frn* -- Connect to Free Radio Network (FRN) servers
* *Trx* -- Remote control tranceivers using DTMF

== Qtel ==
Qtel, the Qt EchoLink client, is a graphical application used to access the
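Review bot: typo in the added `* *Trx*` line: `tranceivers` should be `transceivers`.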
@@ -39,16 +40,14 @@ These are some of the resources connected to SvxLink:
:gh_issues: https://github.com/sm0svx/svxlink/issues
:gh_releases: https://github.com/sm0svx/svxlink/releases
:gh_sndclips: https://github.com/sm0svx/svxlink-sounds-en_US-heather/releases
:sf_lists: http://sourceforge.net/p/svxlink/mailman
:gh_main: https://github.com/sm0svx/svxlink
:sf_summary: https://sourceforge.net/projects/svxlink
:gi_svxlink: https://groups.io/g/svxlink

* {gh_pages}[Project Home Page] -- The main project page
* {gh_wiki}[Wiki Pages] -- Main documentation
* {gh_issues}[Issue Tracker] -- Report bugs and feature requests
* {gh_releases}[Download Releases] -- Download source code releases here
* {gh_sndclips}[Download Sound Clips] -- Download English sound clip files for
SvxLink Server from here
* {sf_lists}[Mailing Lists] -- Communicate with other SvxLink users
* {gh_main}[GitHub Main Page] -- The project site on GitHub
* {sf_summary}[The SvxLink SourcForge Site] -- Old project site
* {gi_svxlink}[Groups.io SvxLink] -- Communicate with other SvxLink users
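Review bot: the `{sf_summary}` line is being rewritten anyway, so fix the long-standing typo `SourcForge` to `SourceForge` in the same change. Dropping the `:sf_lists:` attribute and the Mailing Lists entry leaves existing list subscribers without a pointer; a short note that discussion has moved to the Groups.io group would avoid that.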
5 changes: 5 additions & 0 deletions src/CMakeLists.txt
@@ -161,6 +161,11 @@ if(NOT DEFINED SVX_SPOOL_INSTALL_DIR)
set(SVX_SPOOL_INSTALL_DIR ${LOCAL_STATE_DIR}/spool/svxlink)
endif(NOT DEFINED SVX_SPOOL_INSTALL_DIR)

# Where to put SvxLink variable files
if(NOT DEFINED SVX_LOCAL_STATE_DIR)
set(SVX_LOCAL_STATE_DIR ${LOCAL_STATE_DIR}/lib/svxlink)
endif(NOT DEFINED SVX_LOCAL_STATE_DIR)

# Where to install SvxLink architecture independent files
if(NOT DEFINED SVX_SHARE_INSTALL_DIR)
set(SVX_SHARE_INSTALL_DIR ${SHARE_INSTALL_PREFIX}/svxlink)
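Review bot: `SVX_LOCAL_STATE_DIR` is only defined here; nothing in this hunk creates the directory or sets its ownership, while the commit message says the PKI directory below it must exist and be writable for SvxLink after `make install`. Point the comment at the install rule that creates it and make sure that rule installs it with the runtime user's ownership rather than root-only permissions. The name also breaks the pattern of the surrounding `SVX_SPOOL_INSTALL_DIR` and `SVX_SHARE_INSTALL_DIR` (no `_INSTALL` infix), which is worth aligning before the variable is used elsewhere.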
4 changes: 3 additions & 1 deletion src/async/ChangeLog
@@ -1,8 +1,10 @@
1.7.1 -- ?? ??? ????
1.8.0 -- ?? ??? ????
----------------------

* Code cleanup of Async::Pty, fixing a small memory leak.

* TLS connection support added. Build require OpenSSL development files.



1.7.0 -- 25 Feb 2024
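Review bot: grammar in the new entry: `Build require OpenSSL development files` should read `Build requires OpenSSL development files`. Since the version is being bumped to 1.8.0 for this feature, the entry could also name the new public classes (Async::SslContext, Async::X509 and friends) so library users can find them from the ChangeLog.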
134 changes: 134 additions & 0 deletions src/async/core/AsyncDigest.cpp
@@ -0,0 +1,134 @@
/**
@file MyNamespaceTemplate.cpp
@brief A_brief_description_for_this_file
@author Tobias Blomberg / SM0SVX
@date 2024-
A_detailed_description_for_this_file
\verbatim
<A brief description of the program or library this file belongs to>
Copyright (C) 2003-2024 Tobias Blomberg / SM0SVX
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
\endverbatim
*/

/****************************************************************************
*
* System Includes
*
****************************************************************************/



/****************************************************************************
*
* Project Includes
*
****************************************************************************/



/****************************************************************************
*
* Local Includes
*
****************************************************************************/

#include "MyNamespaceTemplate.h"


/****************************************************************************
*
* Namespaces to use
*
****************************************************************************/

using namespace MyNamespace;


/****************************************************************************
*
* Defines & typedefs
*
****************************************************************************/



/****************************************************************************
*
* Static class variables
*
****************************************************************************/



/****************************************************************************
*
* Local class definitions
*
****************************************************************************/

namespace {


/****************************************************************************
*
* Local functions
*
****************************************************************************/



}; /* End of anonymous namespace */

/****************************************************************************
*
* Public member functions
*
****************************************************************************/

Template::Template(void)
{

} /* Template::Template */


Template::~Template(void)
{

} /* Template::~Template */


/****************************************************************************
*
* Protected member functions
*
****************************************************************************/



/****************************************************************************
*
* Private member functions
*
****************************************************************************/



/*
* This file has not been truncated
*/
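Review bot: this new file is the untouched class template rather than an implementation: it is named AsyncDigest.cpp but carries `@file MyNamespaceTemplate.cpp`, includes `MyNamespaceTemplate.h`, declares `using namespace MyNamespace;` and defines `Template::Template`/`Template::~Template`, none of which belong to Async::Digest. Either fill it in with the Async::Digest implementation the commit message lists or drop it from the commit, because as committed it cannot build if it is ever added to the sources. Smaller points in the same file: the `};` closing the anonymous namespace has a stray semicolon, and the `@date 2024-` and `A_brief_description_for_this_file` placeholders need filling in.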
