On Thu, 2011-07-07 at 09:35 +0200, David Sommerseth wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 07/07/11 01:08, chantra wrote: > > Samuli, > > > > You will need patch openvpn-plugin.h > > > > diff --git a/openvpn-plugin.h b/openvpn-plugin.h > > index 9cce9d8..529a1c6 100644 > > --- a/openvpn-plugin.h > > +++ b/openvpn-plugin.h > > @@ -25,12 +25,8 @@ > > #ifndef OPENVPN_PLUGIN_H_ > > #define OPENVPN_PLUGIN_H_ > > > > -#ifdef USE_OPENSSL > > -#include "ssl_verify_openssl.h" > > -#endif > > -#ifdef USE_POLARSSL > > -#include "ssl_verify_polarssl.h" > > -#endif > > +struct x509_cert; > > +typedef struct x509_cert x509_cert_t; > > > > That will get the plugin to compile, but will break when using openssl. > > This is the wrong approach, as this will break the SSL modularity begin > implemented.
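Review bot: The added `typedef struct x509_cert x509_cert_t;` is unconditional, so the header no longer follows the `USE_OPENSSL` / `USE_POLARSSL` selection that the removed lines made and fixes a single struct tag for every build, which is consistent with the poster's own caveat that it breaks when using openssl. Suggest keeping the forward declaration inside the same `#ifdef USE_OPENSSL` / `#ifdef USE_POLARSSL` guards, each one declaring that backend's certificate type, so that plugins which never touch certificates (auth-pam, for instance) still compile without the SSL headers while the typedef stays correct for both libraries. An incomplete type is also only usable where the header refers to `x509_cert_t` through a pointer, so the use the compiler reported at openvpn-plugin.h:283 should be checked before relying on a forward declaration.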
Don't get me wrong, I did not mean to say that it was the right approach, but the auth-pam plugin, like the plugins I wrote, just don't use SSL certs, hence there is no need to include SSL headers.

It was rather a quick fix for Samuli to be able to compile the plugin and test the PolarSSL backend, which I understood was the idea here.

The dependency to SSL got introduced in OPENVPN_PLUGIN_VERSION 3 [1]. While before it was using rather common openssl headers [2], with the introduction of Adriaan's changes, chances of getting the right headers might be lower.

[1] http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn-testing.git;a=blob;f=openvpn-plugin.h;h=24aa36cbf48d792920ac79f6855ef1074929bb2d;hb=HEAD
[2] http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn-testing.git;a=blob;f=openvpn-plugin.h;h=24aa36cbf48d792920ac79f6855ef1074929bb2d;hb=HEAD#l25

chantra

>
> > I believe the plugins should not need to know if openvpn uses polarssl or
> > openssl... that might mean that openvpn will need to provide a generic
> > x509 cert library to be used by openvpn plugins.
>
> For now, I say the plug-ins will need to be SSL implementation aware. This
> is especially important for the plugin-v3 API. This API provides a parsed
> X509 struct to the plug-ins with the certificate information. So this API
> needs to be adopted to support both PolarSSL and OpenSSL, and plug-ins need
> to use the appropriate SSL library which OpenVPN uses.
>
> To provide a generic X509 cert library sounds good, but I believe the
> efforts of providing such a layer will be far more costly (in time) than to
> have SSL implementation aware plug-ins. And it might give far more
> challenges in regards to supported features.
>
> So for now, I recommend plug-ins to support OpenSSL and/or PolarSSL
> natively. If someone can come up with a sensible X509 API layer which can
> be used instead, let's review that if someone provides it.
>
>
> kind regards,
>
> David Sommerseth
>
>
> > On Wed, 2011-07-06 at 12:20 -0700, Samuli Seppänen wrote:
> >> Hi Adriaan,
> >>
> >> I tried building your tree on Debian 5 (amd64) VM and got this error:
> >>
> >> #make plugins
> >> /usr/bin/make -C plugin/auth-pam/
> >> make[1]: Entering directory
> >> `/home/buildslave/andj-openvpn-ssl-refactoring-4970f14/plugin/auth-pam'
> >> gcc -O2 -Wall -DDLOPEN_PAM=0 -fPIC -c -I../.. auth-pam.c
> >> In file included from auth-pam.c:49:
> >> ../../openvpn-plugin.h:283: error: expected specifier-qualifier-list
> >> before ‘x509_cert_t’
> >> make[1]: *** [auth-pam.o] Error 1
> >> make[1]: Leaving directory
> >> `/home/buildslave/andj-openvpn-ssl-refactoring-4970f14/plugin/auth-pam'
> >> make: *** [build-stamp] Error 2
> >>
> >> The same VM has been used to successfully build the official release
> >> packages.
> >>
> >> Samuli
> >>
> >>
> [...snip...]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk4VYa0ACgkQDC186MBRfroUDACfXevwkwEQAlFxI/3jIffz2Hbo
> kJYAniv9+oLrqafN1zq/1oUG59rbIgPX
> =QthI
> -----END PGP SIGNATURE-----
>
--
http://www.debuntu.org