[Openvpn-devel] [PATCH] OpenSSL: remove pre-1.1 function from the OpenSSL compat interface

2017-06-19
From: Emmanuel Deloget HMAC_CTX_init() has been removed from OpenSSL 1.1. Both this function and the function HMAC_CTX_cleanup() have been replaced by HMAC_CTX_reset(). Commit aba98e9050eb54d72d921e70bcd422cb892b9c6c introduced support for HMAC_CTX_init() for OpenSSL 1.1+ while other

[Openvpn-devel] [PATCH 8/8] OpenSSL: force meth->name as non-const when we free() it

2017-06-12
From: Emmanuel Deloget We are in control of meth->name (we string_alloc() it in RSA_meth_new()) so we know that we can free() it when it's no longer needed. Yet we have to force the value to be non-const to avoid a compiler warning -- due to the fact that OpenSSL defines the

[Openvpn-devel] [PATCH 7/8] OpenSSL: don't use direct access to the internal of HMAC_CTX

2017-06-12
From: Emmanuel Deloget OpenSSL 1.1 does not allow us to directly access the internal of any data type, including HMAC_CTX. We have to use the defined functions to do so. Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found in the

[Openvpn-devel] [PATCH 6/8] OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX

2017-06-12
From: Emmanuel Deloget OpenSSL 1.1 does not allow us to directly access the internal of any data type, including EVP_CIPHER_CTX. We have to use the defined functions to do so. Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found

[Openvpn-devel] [PATCH 2/8] OpenSSL: don't use direct access to the internal of EVP_PKEY

2017-06-12
From: Emmanuel Deloget OpenSSL 1.1 does not allow us to directly access the internal of any data type, including EVP_PKEY. We have to use the defined functions to do so. Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found in the

[Openvpn-devel] [PATCH 5/8] OpenSSL: don't use direct access to the internal of EVP_MD_CTX

2017-06-12
From: Emmanuel Deloget OpenSSL 1.1 does not allow us to directly access the internal of any data type, including EVP_MD_CTX. We have to use the defined functions to do so. Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found in

[Openvpn-devel] [PATCH v7 0/8] OpenSSL: support for version 1.1

2017-06-12
This is version 7 of the OpenSSL 1.1 patch series. It has been rebased on top of the latest git revision. It builds upon the previous version and adds the following: * fix a memory leak when playing with internal ASN1 strings * introduce RSA_bits() and DSA_bits() * add a few comments to explain

[Openvpn-devel] [PATCH 3/8] OpenSSL: don't use direct access to the internal of RSA

2017-06-12
From: Emmanuel Deloget OpenSSL 1.1 does not allow us to directly access the internal of any data type, including RSA. We have to use the defined functions to do so. Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found in the

[Openvpn-devel] [PATCH 4/8] OpenSSL: don't use direct access to the internal of DSA

2017-06-12
From: Emmanuel Deloget OpenSSL 1.1 does not allow us to directly access the internal of any data type, including DSA. We have to use the defined functions to do so. Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found in the

[Openvpn-devel] [PATCH 1/8] OpenSSL: don't use direct access to the internal of X509

2017-06-12
From: Emmanuel Deloget OpenSSL 1.1 does not allow us to directly access the internal of any data type, including X509. We have to use the defined functions to do so. In x509_verify_ns_cert_type() in particular, this means that we cannot directly check for the extended flags to

[Openvpn-devel] [RFC PATCH v1 12/15] OpenSSL: don't use direct access to the internal of HMAC_CTX

2017-02-17
From: Emmanuel Deloget OpenSSL 1.1 does not allow us to directly access the internal of any data type, including HMAC_CTX. We have to use the defined functions to do so. Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found in the

[Openvpn-devel] [RFC PATCH v1 14/15] OpenSSL: check for the SSL reason, not the full error

2017-02-17
From: Emmanuel Deloget OpenSSL 1.1 changed the SSLv3 API and removed many SSL_L_SSL3_* constants. Moreover, new code might use different function code for the same error. Thus, we extract the error reason from the error code before we compare it instead of trying to rebuild an

[Openvpn-devel] [RFC PATCH v1 15/15] OpenSSL: constify getbio() parameters

2017-02-17
From: Emmanuel Deloget Although it is required by BIO_new() to have a non-const object, this is merely an OpenSSL interface accident. Newer versions of OpenSSL (i.e. OpenSSL 1.1) are a bit better w.r.t. constification and changed this. As a result, we can safely constify

[Openvpn-devel] [RFC PATCH v1 10/15] OpenSSL: don't use direct access to the internal of EVP_MD_CTX

2017-02-17
From: Emmanuel Deloget OpenSSL 1.1 does not allow us to directly access the internal of any data type, including EVP_MD_CTX. We have to use the defined functions to do so. Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found in

[Openvpn-devel] [RFC PATCH v1 09/15] OpenSSL: don't use direct access to the internal of X509_STORE_CTX

2017-02-17
From: Emmanuel Deloget OpenSSL 1.1 does not allow us to directly access the internal of any data type, including X509_STORE_CTX. We have to use the defined functions to do so. Fortunately, these functions have existed since the dawn of time so we don't have any compatibility

[Openvpn-devel] [RFC PATCH v1 01/15] OpenSSL: don't use direct access to the internal of SSL_CTX

2017-02-17
From: Emmanuel Deloget OpenSSL 1.1 does not allow us to directly access the internal of any data type, including SSL_CTX. We have to use the defined functions to do so. Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found in the

[Openvpn-devel] [RFC PATCH v1 13/15] OpenSSL: SSLeay symbols are no longer available in OpenSSL 1.1

2017-02-17
From: Emmanuel Deloget The old symbols do not exist anymore but the library gained new equivalent symbols (OSSL). Use them instead of the old ones. Signed-off-by: Emmanuel Deloget --- src/openvpn/openssl_compat.h | 5 + src/openvpn/ssl_openssl.c | 2 +- 2

[Openvpn-devel] [RFC PATCH v1 03/15] OpenSSL: don't use direct access to the internal of X509_OBJECT

2017-02-17
From: Emmanuel Deloget OpenSSL 1.1 does not allow us to directly access the internal of any data type, including X509_OBJECT. We have to use the defined functions to do so. Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found in

[Openvpn-devel] [RFC PATCH v1 11/15] OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX

2017-02-17
From: Emmanuel Deloget OpenSSL 1.1 does not allow us to directly access the internal of any data type, including EVP_CIPHER_CTX. We have to use the defined functions to do so. Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found

[Openvpn-devel] [RFC PATCH v1 05/15] OpenSSL: don't use direct access to the internal of X509

2017-02-17
From: Emmanuel Deloget OpenSSL 1.1 does not allow us to directly access the internal of any data type, including X509. We have to use the defined functions to do so. In x509_verify_ns_cert_type() in particular, this means that we cannot directly check for the extended flags to

[Openvpn-devel] [RFC PATCH v1 07/15] OpenSSL: don't use direct access to the internal of RSA

2017-02-17
From: Emmanuel Deloget OpenSSL 1.1 does not allow us to directly access the internal of any data type, including RSA. We have to use the defined functions to do so. Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found in the

[Openvpn-devel] [RFC PATCH v1 08/15] OpenSSL: don't use direct access to the internal of DSA

2017-02-17
From: Emmanuel Deloget OpenSSL 1.1 does not allow us to directly access the internal of any data type, including DSA. We have to use the defined functions to do so. Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found in the

[Openvpn-devel] [RFC PATCH v1 06/15] OpenSSL: don't use direct access to the internal of EVP_PKEY

2017-02-17
From: Emmanuel Deloget OpenSSL 1.1 does not allow us to directly access the internal of any data type, including EVP_PKEY. We have to use the defined functions to do so. Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found in the

[Openvpn-devel] [RFC PATCH v1 02/15] OpenSSL: don't use direct access to the internal of X509_STORE

2017-02-17
From: Emmanuel Deloget OpenSSL 1.1 does not allow us to directly access the internal of any data type, including X509_STORE. We have to use the defined functions to do so. Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found in

[Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

2017-02-17
From: Emmanuel Deloget The purpose of this RFC series is to make the latest master of OpenVPN (2.5-git) linkable with OpenSSL v1.1.x. It may not be complete (I may have missed something due to my work environment, but any missing pieces will be added next week) so be a bit