rongly opposed. This was I
> > believe, in part, because it is fairly easy to block Google Analytics if
> > one so wishes.
> >
Wouldn't it be easier to use a server-side script to do the same
thing? There are many "analytics" scripts out there that don't rely on
google or any o
rc/openvpn/ssl_openssl.c| 32 +++-
> > src/openvpn/ssl_verify_openssl.c | 1 +
> > 3 files changed, 41 insertions(+), 1 deletion(-)
Can you give a better explanation of the issue ? (I'm sorry, I try to
follow the discussions on the ML, but I'm kind of slow (and busy,
wh
Hello,
and sorry for the delay (things like 'real life', you know).
On Sat, Jan 20, 2018 at 3:22 PM, Selva Nair <selva.n...@gmail.com> wrote:
> Hi,
>
> On Sat, Jan 20, 2018 at 6:30 AM, Steffan Karger <stef...@karger.me> wrote:
> > Hi,
> >
> > On
Of course, this one is not strictly needed. If you want to keep the
function around, feel free to ignore the patch.
Given the relative simplicity of the change, one can also consider that if
the function is needed again we could simply revert this patch.
Best regards,
-- Emmanuel Deloget
The function is no longer used so we don't need to keep it in the
OpenSSL 1.1 compatibility layer.
Signed-off-by: Emmanuel Deloget <log...@free.fr>
---
configure.ac | 1 -
src/openvpn/openssl_compat.h | 14 --
2 files changed, 15 deletions(-)
diff
Hello,
On Wed, Jan 17, 2018 at 1:16 PM, Steffan Karger <stef...@karger.me> wrote:
> Hi,
>
> On 15 January 2018 at 23:33, Emmanuel Deloget <log...@free.fr> wrote:
> > For the variables outside the ifs, the next C standard should allow us to
> > write some
Hello Selva,
On Tue, Jan 16, 2018 at 12:10 AM, Selva Nair <selva.n...@gmail.com> wrote:
>
>
> On Mon, Jan 15, 2018 at 5:33 PM, Emmanuel Deloget <log...@free.fr> wrote:
>
>> Hello Steffan,
>>
>> On Sun, Jan 14, 2018 at 11:26 AM, Steffan Karg
Hi James,
On Tue, Jan 16, 2018 at 12:18 AM, James Bottomley <
james.bottom...@hansenpartnership.com> wrote:
> On Tue, 2018-01-16 at 00:07 +0100, Emmanuel Deloget wrote:
> > While the number of required changes were quite small (and have no
> > impact on openvpn), this w
Hello Steffan,
Sorry for the delay - I was busy doing "things" :)
On Sat, Jan 6, 2018 at 12:11 AM, Steffan Karger <stef...@karger.me> wrote:
> Hi Emmanuel,
>
> On 03-01-18 18:13, Emmanuel Deloget wrote:
> > Hello Steffan,
> >
> > On Mon, J
Hello Steffan,
On Sun, Jan 14, 2018 at 11:26 AM, Steffan Karger <stef...@karger.me> wrote:
> Hi,
>
> On 12-01-18 22:37, Emmanuel Deloget wrote:
> > Calling EVP_KEY_id() before EVP_PKEY_get0_*() is unnecessary as
> > the same check is also performed in the latter.
>
gt; @@ -1144,7 +1144,7 @@ err:
> {
> if (rsa_meth)
> {
> -free(rsa_meth);
> +RSA_meth_free(rsa_meth);
> }
> }
> crypto_msg(M_FATAL, "Cannot enable SSL external private key
> capability");
>
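Review bot: in the `err:` cleanup, the `if (rsa_meth)` guard is kept around the new `RSA_meth_free(rsa_meth)` call, so the compatibility header should state whether the fallback RSA_meth_free() accepts NULL; if it does, the guard can be dropped and the OpenSSL 1.0 and 1.1 builds read the same. Assuming rsa_meth is obtained through the RSA_METHOD accessor API elsewhere in this function, replacing `free(rsa_meth)` is the right direction, because a bare free() cannot release anything the method owns internally.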
Hello,
The whole series is also viewable on github at
https://github.com/emmanuel-deloget/openvpn/commits/fix-evp-pkey
Best regards,
-- Emmanuel Deloget
--
Check out the vibrant tech community on one of the world's
in the code).
Signed-off-by: Emmanuel Deloget <log...@free.fr>
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 711bba11..7943fb2c 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -1699,22 +1699,13 @@ print_details(struct key_state_ssl *ks_ssl,
Hello Selva,
On Fri, Jan 12, 2018 at 6:09 PM, Selva Nair <selva.n...@gmail.com> wrote:
> Hi,
>
> I will defer to crypto experts for a proper review, but a quick remark
>
> On Fri, Jan 12, 2018 at 11:48 AM, Emmanuel Deloget <log...@free.fr> wrote:
> > Calling E
The internal EVP_PKEY::pkey member is a union, thus we need to check for
the real key type before we can return the corresponding RSA, DSA or EC
public key.
Reported-by: Selva Nair <selva.n...@gmail.com>
Signed-off-by: Emmanuel Deloget <log...@free.fr>
diff --git a/src/openvpn/openss
used (although I'd
understand if one wants to keep this function around).
Hopefully, this is the last time I have to correct a bug by the previous
committer (I will not name him. That would sound too weird). Next time,
he'll have to do it by himself :)
Best regards,
-- Emmanuel Deloget
Emmanuel
in the code).
Signed-off-by: Emmanuel Deloget <log...@free.fr>
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 711bba11..9f74acaa 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -1699,22 +1699,13 @@ print_details(struct key_state_ssl *ks_ssl,
The function is no longer used so we don't need to keep it in the
OpenSSL 1.1 compatibility layer.
Signed-off-by: Emmanuel Deloget <log...@free.fr>
diff --git a/configure.ac b/configure.ac
index b4fd1b3f..716b45dc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -925,7 +925,6 @@ i
Hello Steffan,
On Mon, Jan 1, 2018 at 4:36 PM, Steffan Karger <stef...@karger.me> wrote:
> Hi,
>
> On 01-01-18 14:57, Emmanuel Deloget wrote:
> > I'm trying to get openvpn read my certificates from a TPM2 using a
> > specially crafted PKCS#11 provider (the existing tpm
ey. I guess I wrongly assumed it was a struct
(BTW, the code it replaced seemed to also assume pkey->pkey was a struct;
that does not excuse my own failure).
So a better (as in: more complete) fix would be to also correct
EVP_PKEY_get0_DSA() and EVP_PKEY_get0_EC_KEY() and to remove unnecessary
calls to EVP
if there is some document (design or anything, really) that
could help me to understand what openvpn wants exactly in order for me to
provide the missing bits. I've read the documents at [1] but found nothing
here of interest (for me).
So, does someone have any pointer?
Best regards,
-- Emmanuel Deloget
I'm writing that from my phone.
>
> To add to the NAK, such a move would make integration to various embedded
> distributions more difficult, as maintainers may have to deal with 2 versions
> of the same lib (with possibly different behavior needed by different binaries).
>
nnoying noise :)
Best regards,
-- Emmanuel Deloget
removed.
Signed-off-by: Emmanuel Deloget <log...@free.fr>
---
configure.ac | 1 -
src/openvpn/openssl_compat.h | 13 -
2 files changed, 14 deletions(-)
diff --git a/configure.ac b/configure.ac
index cb121795..60bb4658 100644
--- a/configure.ac
+++ b/config
removed.
Signed-off-by: Emmanuel Deloget <log...@free.fr>
---
configure.ac | 1 -
src/openvpn/openssl_compat.h | 15 ---
2 files changed, 16 deletions(-)
diff --git a/configure.ac b/configure.ac
index 22f91cb6..cb121795 100644
--- a/configure.ac
+++ b/config
On Thu, Jun 22, 2017 at 6:08 PM, Antonio Quartulli <a...@unstable.cc> wrote:
>
> On Thu, Jun 22, 2017 at 05:33:44PM +0200, Emmanuel Deloget wrote:
> > Hi Antonio, Steffan,
> >
> > On Thu, Jun 22, 2017 at 3:31 PM, Antonio Quartulli <a...@unstable.cc> wrote:
>
> kind regards,
>
> David Sommerseth
> OpenVPN Technologies, Inc
>
>
BR,
-- Emmanuel Deloget
anks to you, Steffan, David, and all the others who helped me.
>
> commit aba98e9050eb54d72d921e70bcd422cb892b9c6c (master)
> commit 2bf4aee4b043151bd2abe7101421fd74763f1230 (release/2.4)
> Author: Emmanuel Deloget
> Date: Mon Jun 12 15:43:29 2017 +0200
>
> Ope
)/reset() thing before applying (if you agree that this
> is better), but if this is the only thing left to get 1.1 support into
> our next release that shouldn't block applying the patch.
>
> So, basically, ACK :)
>
> -Steffan
>
BR,
-- Emmanuel Delo
too different by now --
it's good to see that some of the API is still the same (for any definition
of good; I guess the folk at LibreSSL find this a bit discouraging...).
Best regards,
-- Emmanuel Deloget
Hi Gert,
On Fri, May 19, 2017 at 1:41 PM, Gert Doering <g...@greenie.muc.de> wrote:
> Hi,
>
> On Fri, May 19, 2017 at 12:37:17PM +0200, Emmanuel Deloget wrote:
> > > I'm wondering where this got stuck - are you waiting for us to move
> > > forward (like, missing
OpenSSL 1.1 does not allow us to directly access the internal of
any data type, including EVP_CIPHER_CTX. We have to use the defined
functions to do so.
Compatibility with OpenSSL 1.0 is kept by defining the corresponding
functions when they are not found in the library.
Signed-off-by: Emmanuel
OpenSSL 1.1 does not allow us to directly access the internal of
any data type, including RSA. We have to use the defined
functions to do so.
Compatibility with OpenSSL 1.0 is kept by defining the corresponding
functions when they are not found in the library.
Signed-off-by: Emmanuel Deloget
n the user if there is a discrepancy between the X509_check_purpose()
return value and our internal, less strict check.
Compatibility with OpenSSL 1.0 is kept by defining the corresponding
functions when they are not found in the library.
Signed-off-by: Emmanuel Deloget <log...@free.fr>
-
OpenSSL 1.1 does not allow us to directly access the internal of
any data type, including HMAC_CTX. We have to use the defined
functions to do so.
Compatibility with OpenSSL 1.0 is kept by defining the corresponding
functions when they are not found in the library.
Signed-off-by: Emmanuel
OpenSSL 1.1 does not allow us to directly access the internal of
any data type, including EVP_MD_CTX. We have to use the defined
functions to do so.
Compatibility with OpenSSL 1.0 is kept by defining the corresponding
functions when they are not found in the library.
Signed-off-by: Emmanuel
OpenSSL 1.1 does not allow us to directly access the internal of
any data type, including EVP_PKEY. We have to use the defined
functions to do so.
Compatibility with OpenSSL 1.0 is kept by defining the corresponding
functions when they are not found in the library.
Signed-off-by: Emmanuel
OpenSSL 1.1 does not allow us to directly access the internal of
any data type, including DSA. We have to use the defined
functions to do so.
Compatibility with OpenSSL 1.0 is kept by defining the corresponding
functions when they are not found in the library.
Signed-off-by: Emmanuel Deloget
Hi Gert,
On Thu, May 18, 2017 at 10:49 PM, Gert Doering <g...@greenie.muc.de> wrote:
>
> Hi Emmanuel,
>
> On Mon, Mar 27, 2017 at 05:49:48PM +0200, Emmanuel Deloget wrote:
> > I'll post my new patches as soon as I get over every issue
> > that have been talked o
Hi,
I'm not sure why but it seems this mail (that I sent yesterday) never found
its way to the ML. So I re-send it.
Sorry for the inconvenience.
BR,
-- Emmanuel Deloget
On Mon, Mar 27, 2017 at 5:49 PM, Emmanuel Deloget <log...@free.fr> wrote:
> Hi everyone,
>
> I got some tim
the end of this week).
I found a solution to overcome the big X509_check_purpose() issue, so now
I'm able to propose a solution that does not change the behavior of OpenVPN.
BR,
-- Emmanuel Deloget
t convoluted and I don't like it much).
Good news: the same code should work with nearly all the
previous versions of OpenSSL.
>
>
>
> --
> kind regards,
>
> David Sommerseth
> OpenVPN Technologies, Inc
>
I'll post my new p
ither but I cannot think of a
better solution.
> -Steffan
Best regards,
-- Emmanuel Deloget
t that might just create more
> confusion...
Unfortunately, I am overbooked right now and I'm not sure I'll be able
to do this fast (say, in less than 2 weeks). I'd be grateful if
someone else does it.
> -Steffan
Best regards,
-- Emmanuel Deloget
ebase from the master tree. Individual
commits can be viewed at
https://github.com/emmanuel-deloget/openvpn/commits/openssl-1.1-v3
(This time, the branch name is correct :))
Changes v2 --> v3:
* RSA_METHOD (04/15): rsa_meth->name is now a dup of the name parameter;
it's freed in RSA_meth
OpenSSL 1.1 does not allow us to directly access the internal of
any data type, including RSA_METHOD. We have to use the defined
functions to do so.
Compatibility with OpenSSL 1.0 is kept by defining the corresponding
functions when they are not found in the library.
Signed-off-by: Emmanuel
Hi Steffan,
On Wed, Feb 22, 2017 at 11:13 PM, Steffan Karger <stef...@karger.me> wrote:
> Hi,
>
> On 17-02-17 23:00, log...@free.fr wrote:
>> From: Emmanuel Deloget <log...@free.fr>
>>
>> OpenSSL 1.1 does not allow us to directly access the internal of
>
for tap-windows.h... no
>> checking whether TUNSETPERSIST is declared... yes
>> checking for setcon in -lselinux... yes
>> checking for pam_start in -lpam... yes
>> checking for PKCS11_HELPER... no
>> ./configure: line 21440: syntax error near unexpected token `fi'
>
On Mon, Feb 20, 2017 at 2:53 PM, Emmanuel Deloget <log...@free.fr> wrote:
> Hi again,
>
> On Mon, Feb 20, 2017 at 2:33 PM, Emmanuel Deloget <log...@free.fr> wrote:
>> Hi Christian,
>>
>> On Mon, Feb 20, 2017 at 1:29 PM, Christian Hesse <l...@eworm.de>
OpenSSL 1.1 does not allow us to directly access the internal of
any data type, including EVP_PKEY. We have to use the defined
functions to do so.
Compatibility with OpenSSL 1.0 is kept by defining the corresponding
functions when they are not found in the library.
Signed-off-by: Emmanuel
by EVP_CipherInit_ex() which has been part of the
OpenSSL interface since the dawn of time (0.9.8 already has it). Thus,
the change allows us to get the old behavior back instead of relying
on dirty tricks.
Signed-off-by: Emmanuel Deloget <log...@free.fr>
---
src/openvpn/crypto_openssl.c | 4 ++--
1 file chan
"OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit()"
This version has been compile-tested with the following versions:
* 0.9.8zh
* 1.0.0t
* 1.0.1u
* 1.0.2k
* 1.1.0-git
Each compilation test was followed by a connection test to an OpenVPN
server (v2.3). So far, everything seems to work
Hi again,
On Mon, Feb 20, 2017 at 2:33 PM, Emmanuel Deloget <log...@free.fr> wrote:
> Hi Christian,
>
> On Mon, Feb 20, 2017 at 1:29 PM, Christian Hesse <l...@eworm.de> wrote:
>> That matches my findings. Built against openssl 1.1.0e (Arch Linux package
>> openss
ry
> versions.
>
> thanks for your work!
>
> gert
Well, thanks to everyone involved -- all of you have been really kind
with me (for now :))
Best regards,
-- Emmanuel Deloget
our patches available from a public git repository?
I will make my patches available on github ASAP.
Best regards
-- Emmanuel Deloget
On Mon, Feb 20, 2017 at 1:29 PM, Christian Hesse <l...@eworm.de> wrote:
> Emmanuel Deloget <log...@free.fr> on Mon, 2017/02/20 12:45:
>> He
currently
investigating this issue. I'll provide a patch as soon as I fix this
(this is a bit ironic ; I may have forgotten something somewhere...).
I don't have much time to test with other OpenSSL versions but I guess
you have the infrastructure that will help.
> gert
Best regards,
code might be able to
see if something is missing.
BR,
-- Emmanuel Deloget
Hello,
On Fri, Feb 17, 2017 at 6:42 PM, Gert Doering <g...@greenie.muc.de> wrote:
> Hi,
>
> On Fri, Feb 17, 2017 at 06:37:04PM +0100, Emmanuel Deloget wrote:
>> I guess the answer to the riddle is: "how long will the 2.4 branch
>> live?". v2.3 shippe
Hello,
On Fri, Feb 17, 2017 at 5:41 PM, Gert Doering <g...@greenie.muc.de> wrote:
> Hi,
>
> On Fri, Feb 17, 2017 at 05:35:04PM +0100, Emmanuel Deloget wrote:
>> I understand that I'm the new guy in town, but can you allow me to
>> make the formal request to ditch Ope
l request to ditch OpenSSL 0.9.8, 1.0.0 and 1.0.1 and
require at least version 1.0.2?
Best regards,
-- Emmanuel Deloget