Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

2017-02-20 Thread Christian Hesse
Christian Hesse  on Mon, 2017/02/20 16:02:
> Emmanuel Deloget  on Mon, 2017/02/20 15:52:
> > On Mon, Feb 20, 2017 at 2:53 PM, Emmanuel Deloget 
> > wrote:  
> > > Hi again,
> > >
> > > On Mon, Feb 20, 2017 at 2:33 PM, Emmanuel Deloget 
> > > wrote:
> > >> Hi Christian,
> > >>
> > >> On Mon, Feb 20, 2017 at 1:29 PM, Christian Hesse 
> > >> wrote:
> > >>> That matches my findings. Built against openssl 1.1.0e (Arch Linux
> > >>> package openssl 1.1.0.e-1 [0]) the build itself succeeds, but 'make
> > >>> check' reports lots of cipher failures.
> > >>>
> > >>> Are your patches available from a public git repository?
> > >>
> > >> I will make my patches available on github ASAP.
> > >
> > > I did as fast as I could, here they are:
> > >
> > > https://github.com/emmanuel-deloget/openvpn/commits/openvpn-1.1
> > 
> > BTW, sorry for the branch name. I believe my fingers got stuck to a
> > limited number of characters. This should have been openssl-1.1 but
> > it's not too late to change it :)  
> 
> Ah, I checked out the wrong branch. :-p
> 
> Redoing my test...

That one looks good! Built and tested against ArchLinux package
openssl 1.1.0e.
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

2017-02-20 Thread Christian Hesse
Emmanuel Deloget  on Mon, 2017/02/20 15:52:
> On Mon, Feb 20, 2017 at 2:53 PM, Emmanuel Deloget  wrote:
> > Hi again,
> >
> > On Mon, Feb 20, 2017 at 2:33 PM, Emmanuel Deloget 
> > wrote:  
> >> Hi Christian,
> >>
> >> On Mon, Feb 20, 2017 at 1:29 PM, Christian Hesse  wrote:  
> >>> That matches my findings. Built against openssl 1.1.0e (Arch Linux
> >>> package openssl 1.1.0.e-1 [0]) the build itself succeeds, but 'make
> >>> check' reports lots of cipher failures.
> >>>
> >>> Are your patches available from a public git repository?  
> >>
> >> I will make my patches available on github ASAP.  
> >
> > I did as fast as I could, here they are:
> >
> > https://github.com/emmanuel-deloget/openvpn/commits/openvpn-1.1  
> 
> BTW, sorry for the branch name. I believe my fingers got stuck to a
> limited number of characters. This should have been openssl-1.1 but
> it's not too late to change it :)

Ah, I checked out the wrong branch. :-p

Redoing my test...
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}




Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

2017-02-20 Thread Emmanuel Deloget
On Mon, Feb 20, 2017 at 2:53 PM, Emmanuel Deloget  wrote:
> Hi again,
>
> On Mon, Feb 20, 2017 at 2:33 PM, Emmanuel Deloget  wrote:
>> Hi Christian,
>>
>> On Mon, Feb 20, 2017 at 1:29 PM, Christian Hesse  wrote:
>>> That matches my findings. Built against openssl 1.1.0e (Arch Linux package
>>> openssl 1.1.0.e-1 [0]) the build itself succeeds, but 'make check' reports
>>> lots of cipher failures.
>>>
>>> Are your patches available from a public git repository?
>>
>> I will make my patches available on github ASAP.
>
> I did as fast as I could, here they are:
>
> https://github.com/emmanuel-deloget/openvpn/commits/openvpn-1.1

BTW, sorry for the branch name. I believe my fingers got stuck to a
limited number of characters. This should have been openssl-1.1 but
it's not too late to change it :)



Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

2017-02-20 Thread Emmanuel Deloget
Hi again,

On Mon, Feb 20, 2017 at 2:33 PM, Emmanuel Deloget  wrote:
> Hi Christian,
>
> On Mon, Feb 20, 2017 at 1:29 PM, Christian Hesse  wrote:
>> That matches my findings. Built against openssl 1.1.0e (Arch Linux package
>> openssl 1.1.0.e-1 [0]) the build itself succeeds, but 'make check' reports
>> lots of cipher failures.
>>
>> Are your patches available from a public git repository?
>
> I will make my patches available on github ASAP.

I did as fast as I could, here they are:

https://github.com/emmanuel-deloget/openvpn/commits/openvpn-1.1

I post the PATCH V2 in a few minutes

-- Emmanuel Deloget



Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

2017-02-20 Thread Emmanuel Deloget
Hi,

On Mon, Feb 20, 2017 at 1:37 PM, Gert Doering  wrote:
>
> Interesting.  Anything useful in openvpn's logs?
>

Mon Feb 20 11:57:56 2017 us=371715 OpenSSL: error:0607B083:digital
envelope routines:EVP_CipherInit_ex:no cipher set
Mon Feb 20 11:57:56 2017 us=371746 EVP cipher init #2

I found the culprit: OpenSSL's EVP_CipherInit() changed way too much
for a 3-line function. Prior to v1.1, the code did a check on the cipher
parameter and cleared the EVP context only if cipher was not null. In
1.1, it clears the context unconditionally. Having to cope with
changes in the interface is not that fun; having to cope with behavior
changes is even worse :)

I'm producing an additional commit to work around that change (the
proposed change does not depend on the OpenSSL version).

>> I don't have much time to test with other OpenSSL versions but I guess
>> you have the infrastructure that will help.
>
> Well, *I* do not have specific "test across various OpenSSL versions"
> infrastructure, but compiling across our buildbot zoo gives us quite a
> bit of coverage...  and I assume Steffan has more coverage on SSL library
> versions.
>
> thanks for your work!
>
> gert

Well, thanks to everyone involved -- all of you have been really kind
with me (for now :))

Best regards,

-- Emmanuel Deloget



Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

2017-02-20 Thread Emmanuel Deloget
Hi Christian,

On Mon, Feb 20, 2017 at 1:29 PM, Christian Hesse  wrote:
> That matches my findings. Built against openssl 1.1.0e (Arch Linux package
> openssl 1.1.0.e-1 [0]) the build itself succeeds, but 'make check' reports
> lots of cipher failures.
>
> Are your patches available from a public git repository?

I will make my patches available on github ASAP.

Best regards

-- Emmanuel Deloget

On Mon, Feb 20, 2017 at 1:29 PM, Christian Hesse  wrote:
> Emmanuel Deloget  on Mon, 2017/02/20 12:45:
>> Hello,
>>
>> On Sun, Feb 19, 2017 at 6:49 PM, Gert Doering  wrote:
>> > Hi,
>> >
>> > On Sun, Feb 19, 2017 at 01:03:45PM +0100, Steffan Karger wrote:
>> >> Thank you very much.  Your approach looks good to me, and quite closely
>> >> matches what I had in mind for when I would find the time to tackle
>> >> this.  (Which might have taken me a while, so really happy to see these
>> >> patches!)
>> > [..]
>> >> Also very good that this is split up into small and independently
>> >> reviewable patches.  I'll start review soon.
>> >
>> > While Steffan is our resident expert on nasty crypto libraries, I just
>> > want to echo the sentiment - having these "chunks" tackle one API function
>> > at a time, they are easily testable, and in case something explodes, it's
>> > much easier to bisect to find the problematic one.
>> >
>> > Now back to being a commit slave for Steffan's ACKs :-)  (I do not know
>> > the APIs well enough to properly comment on the changes, I can only run
>> > tests...)
>>
>> I resumed the work this morning. So far the results are:
>>
>> * 0.9.8zh --> EVP_PKEY_id() is not defined. I'm adding this to
>> openssl_compat.h and will provide a v2 patch with the change. Once
>> added, OpenVPN compiled successfully and was able to connect to my
>> /2.3 server.
>>
>> * 1.0.0t --> compile OK, connect OK
>>
>> * 1.0.1u --> compile OK, connect OK
>>
>> * 1.0.2.k --> compile OK, connect OK
>>
>> * 1.1.0-git --> compile OK, failure to connect. I'm currently
>> investigating this issue. I'll provide a patch as soon as I fix this
>> (this is a bit ironic; I may have forgotten something somewhere...).
>
> That matches my findings. Built against openssl 1.1.0e (Arch Linux package
> openssl 1.1.0.e-1 [0]) the build itself succeeds, but 'make check' reports
> lots of cipher failures.
>
> Are your patches available from a public git repository?
>
> [0] https://www.archlinux.org/packages/staging/x86_64/openssl/
> --
> main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
> "CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
> putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}



Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

2017-02-20 Thread Gert Doering
Hi,

On Mon, Feb 20, 2017 at 12:45:24PM +0100, Emmanuel Deloget wrote:
> * 0.9.8zh --> EVP_PKEY_id() is not defined. I'm adding this to
> openssl_compat.h and will provide a v2 patch with the change. Once
> added, OpenVPN compiled successfully and was able to connect to my
> /2.3 server.

If possible, please do only resend the commit that got changed, not all
of it (easier to keep track when Steffan starts sending reviews).

> * 1.0.0t --> compile OK, connect OK
> 
> * 1.0.1u --> compile OK, connect OK
> 
> * 1.0.2.k --> compile OK, connect OK

Great :-)

> * 1.1.0-git --> compile OK, failure to connect. I'm currently
> investigating this issue. I'll provide a patch as soon as I fix this
> (this is a bit ironic; I may have forgotten something somewhere...).

Interesting.  Anything useful in openvpn's logs?

> I don't have much time to test with other OpenSSL versions but I guess
> you have the infrastructure that will help.

Well, *I* do not have specific "test across various OpenSSL versions"
infrastructure, but compiling across our buildbot zoo gives us quite a
bit of coverage...  and I assume Steffan has more coverage on SSL library
versions.

thanks for your work!

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

2017-02-20 Thread Christian Hesse
Emmanuel Deloget  on Mon, 2017/02/20 12:45:
> Hello,
> 
> On Sun, Feb 19, 2017 at 6:49 PM, Gert Doering  wrote:
> > Hi,
> >
> > On Sun, Feb 19, 2017 at 01:03:45PM +0100, Steffan Karger wrote:  
> >> Thank you very much.  Your approach looks good to me, and quite closely
> >> matches what I had in mind for when I would find the time to tackle
> >> this.  (Which might have taken me a while, so really happy to see these
> >> patches!)  
> > [..]  
> >> Also very good that this is split up into small and independently
> >> reviewable patches.  I'll start review soon.  
> >
> > While Steffan is our resident expert on nasty crypto libraries, I just
> > want to echo the sentiment - having these "chunks" tackle one API function
> > at a time, they are easily testable, and in case something explodes, it's
> > much easier to bisect to find the problematic one.
> >
> > Now back to being a commit slave for Steffan's ACKs :-)  (I do not know
> > the APIs well enough to properly comment on the changes, I can only run
> > tests...)  
> 
> I resumed the work this morning. So far the results are:
> 
> * 0.9.8zh --> EVP_PKEY_id() is not defined. I'm adding this to
> openssl_compat.h and will provide a v2 patch with the change. Once
> added, OpenVPN compiled successfully and was able to connect to my
> /2.3 server.
> 
> * 1.0.0t --> compile OK, connect OK
> 
> * 1.0.1u --> compile OK, connect OK
> 
> * 1.0.2.k --> compile OK, connect OK
> 
> * 1.1.0-git --> compile OK, failure to connect. I'm currently
> investigating this issue. I'll provide a patch as soon as I fix this
> (this is a bit ironic; I may have forgotten something somewhere...).

That matches my findings. Built against openssl 1.1.0e (Arch Linux package
openssl 1.1.0.e-1 [0]) the build itself succeeds, but 'make check' reports
lots of cipher failures.

Are your patches available from a public git repository?

[0] https://www.archlinux.org/packages/staging/x86_64/openssl/
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}




Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

2017-02-20 Thread Emmanuel Deloget
Hello,

On Sun, Feb 19, 2017 at 6:49 PM, Gert Doering  wrote:
> Hi,
>
> On Sun, Feb 19, 2017 at 01:03:45PM +0100, Steffan Karger wrote:
>> Thank you very much.  Your approach looks good to me, and quite closely
>> matches what I had in mind for when I would find the time to tackle
>> this.  (Which might have taken me a while, so really happy to see these
>> patches!)
> [..]
>> Also very good that this is split up into small and independently
>> reviewable patches.  I'll start review soon.
>
> While Steffan is our resident expert on nasty crypto libraries, I just
> want to echo the sentiment - having these "chunks" tackle one API function
> at a time, they are easily testable, and in case something explodes, it's
> much easier to bisect to find the problematic one.
>
> Now back to being a commit slave for Steffan's ACKs :-)  (I do not know
> the APIs well enough to properly comment on the changes, I can only run
> tests...)

I resumed the work this morning. So far the results are:

* 0.9.8zh --> EVP_PKEY_id() is not defined. I'm adding this to
openssl_compat.h and will provide a v2 patch with the change. Once
added, OpenVPN compiled successfully and was able to connect to my
/2.3 server.

* 1.0.0t --> compile OK, connect OK

* 1.0.1u --> compile OK, connect OK

* 1.0.2.k --> compile OK, connect OK

* 1.1.0-git --> compile OK, failure to connect. I'm currently
investigating this issue. I'll provide a patch as soon as I fix this
(this is a bit ironic; I may have forgotten something somewhere...).

I don't have much time to test with other OpenSSL versions but I guess
you have the infrastructure that will help.

> gert

Best regards,

-- Emmanuel Deloget



Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

2017-02-19 Thread Gert Doering
Hi,

On Sun, Feb 19, 2017 at 01:03:45PM +0100, Steffan Karger wrote:
> Thank you very much.  Your approach looks good to me, and quite closely
> matches what I had in mind for when I would find the time to tackle
> this.  (Which might have taken me a while, so really happy to see these
> patches!)
[..]
> Also very good that this is split up into small and independently
> reviewable patches.  I'll start review soon.

While Steffan is our resident expert on nasty crypto libraries, I just
want to echo the sentiment - having these "chunks" tackle one API function
at a time, they are easily testable, and in case something explodes, it's
much easier to bisect to find the problematic one.

Now back to being a commit slave for Steffan's ACKs :-)  (I do not know
the APIs well enough to properly comment on the changes, I can only run
tests...)

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

2017-02-19 Thread Steffan Karger

On 19-02-17 15:58, David Sommerseth wrote:
> On 19/02/17 13:03, Steffan Karger wrote:
> 
>> As discussed in other threads, we do want to support building on RHEL6,
>> which is why we would prefer to be compatible with (patched) OpenSSL
>> 0.9.8.  I haven't tested anything yet, but looking at the patches this
>> might very well just work, or otherwise just needs some minor tweaking.
> 
> RHEL6 ships with OpenSSL 1.0.1e.  We don't need anything older for git
> master, and I would even argue release/2.4.
> 
> RHEL5 (which goes EOL by end of next month) ships with OpenSSL 0.9.8e.
> So I vote for ditching 0.9.8e now.

Oh, very good.  I messed up the versions again...

The other big long-term-support distro, SLES, does still ship and
support 0.9.8 in SLES11 until 2019 (2022 for extended support), but can
be updated to 1.0.1.

As far as I'm concerned, that is enough reason to only support OpenSSL
1.0.1+ for OpenVPN 2.4 (and newer).

-Steffan



Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

2017-02-19 Thread Emmanuel Deloget
Hello,

On Sun, Feb 19, 2017 at 1:03 PM, Steffan Karger  wrote:
>
> Hi Emmanuel,
>
> Thank you very much.  Your approach looks good to me, and quite closely
> matches what I had in mind for when I would find the time to tackle
> this.  (Which might have taken me a while, so really happy to see these
> patches!)
>

Thanks Steffan,

> As discussed in other threads, we do want to support building on RHEL6,
> which is why we would prefer to be compatible with (patched) OpenSSL
> 0.9.8.  I haven't tested anything yet, but looking at the patches this
> might very well just work, or otherwise just needs some minor tweaking.

I haven't tested compilation with 0.9.8 but unless some massive
changes in the interface occurred, this should not be a problem. I'd do
that at the beginning of next week.

> Also very good that this is split up into small and independently
> reviewable patches.  I'll start review soon.
>
> -Steffan

For the record, most of the patches deal with changing how the code
accesses one selected OpenSSL type. I hope it will ease review -- in
the sense that people who are accustomed to the code might be able to
see if something is missing.

BR,

-- Emmanuel Deloget



Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

2017-02-19 Thread David Sommerseth
On 19/02/17 13:03, Steffan Karger wrote:

> As discussed in other threads, we do want to support building on RHEL6,
> which is why we would prefer to be compatible with (patched) OpenSSL
> 0.9.8.  I haven't tested anything yet, but looking at the patches this
> might very well just work, or otherwise just needs some minor tweaking.

RHEL6 ships with OpenSSL 1.0.1e.  We don't need anything older for git
master, and I would even argue release/2.4.

RHEL5 (which goes EOL by end of next month) ships with OpenSSL 0.9.8e.
So I vote for ditching 0.9.8e now.


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc






Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

2017-02-19 Thread Steffan Karger
Hi Emmanuel,

On 17-02-17 23:00, log...@free.fr wrote:
> From: Emmanuel Deloget 
> 
> The purpose of this RFC series is to make the latest master of OpenVPN
> (2.5-git) linkable with OpenSSL v1.1.x. It may not be complete (I may
> have missed something due to my work environment, but any missing pieces
> will be added next week) so be a bit cautious with this. The 
> configuration I used (--without-systemd, --without-lzo) seems to work
> but I must confess I did not test much.
> 
> As you may know, the important information about the API of OpenSSL 1.1
> is that it no longer provides access to the content of its objects. The
> structure types are now opaque and various functions have been added to
> fetch information from these objects. 
> 
> Once these patches have been applied, it is possible to compile
> OpenSSL with the latest 1.0.1 and with the latest 1.1.0. I still have to
> check whether compilation with 1.0.0 and 0.9.8 works. I don't try to 
> get the OpenSSL version -- I instead decided to check for the presence
> of individual functions in the library and chose to reimplement the 
> missing ones. Then I changed caller code in order to use this new
> interface. The net result is that OpenVPN is now using the OpenSSL 1.1
> API -- regardless of the real version of OpenSSL. This might make future
> changes simpler at the cost of adding more functions in the 
> openssl_compat.h file. 
> 
> Last but not least, because of the way I worked I introduced some strange
> artefacts (I believe they are not really relevant but some of them are
> weird enough to need some explanation).
> 
> * I had to introduce a function of the 1.0 API in the 1.1 code. In the
>   1.0 API, HMAC_CTX is populated with HMAC_CTX_init() and cleaned with
>   HMAC_CTX_cleanup(). In 1.1 these two functions are gone and replaced
>   with HMAC_CTX_reset(). I decided to use _reset() to implement 
>   _cleanup() but since I then could not use it for _init() (that would
>   break an OpenVPN linked with 1.0) I created a small wrapper in 1.1
>   mode. So, in 1.1, HMAC_CTX_init() calls _reset() -- and everybody is
>   happy (well, maybe not everybody).  
>   
> * HMAC_CTX, EVP_MD_CTX and a few other objects cannot be allocated using
>   malloc() so I had to change the way these objects are used and
>   initialized. I introduced a few new functions in the crypto backend to
>   handle this.
> 
> * x509_verify_ns_cert_type() checks had to be changed. OpenSSL 1.1 does 
>   not provide any solution to access both X509::ex_flags and 
>   X509::ex_nscert so the check could not be implemented this way. The
>   only solution I found was to use X509_check_purpose() but I'm worried
>   that the implemented test is now far more strict. 
> 
> * weirdly enough, it's no longer possible to duplicate the n parameter
>   of an RSA public key into another RSA public key. If you do so, you
>   also need to duplicate the e parameter. The reason is that you cannot
>   have (n && !e) or (!n && e) (see RSA_set0_key[1]). I decided to go
>   the same route in my implementation and thus I needed to change the
>   code in tls_ctx_use_external_private_key(). 
> 
> Thanks for your comprehension, 
> 
> [1] https://github.com/openssl/openssl/blob/master/crypto/rsa/rsa_lib.c#L191
> 
> -- Emmanuel Deloget

Thank you very much.  Your approach looks good to me, and quite closely
matches what I had in mind for when I would find the time to tackle
this.  (Which might have taken me a while, so really happy to see these
patches!)

As discussed in other threads, we do want to support building on RHEL6,
which is why we would prefer to be compatible with (patched) OpenSSL
0.9.8.  I haven't tested anything yet, but looking at the patches this
might very well just work, or otherwise just needs some minor tweaking.

Also very good that this is split up into small and independently
reviewable patches.  I'll start review soon.

-Steffan
