On 15.07.20 at 10:26, Juliusz Sosinowicz wrote:
> Hi Everyone,
>
> do you have an update on the latest patch I sent? There have been
> updates to wolfSSL to fix the remaining issues brought up last time.
>
Yes. I looked at this today in the expectation that I would just compile-test it, do a few quick tests and then ACK+merge it. However, during our preparation for the next OpenVPN release, we re-evaluated the minimum OpenSSL version and decided that OpenSSL 1.0.2 is our minimum target for the next release, and removed the OpenSSL 1.0.1 compatibility defines.

I was not aware that WolfSSL depended on the compatibility to 1.0.1, but was rather surprised, since we added all the compatibility tests in autoconf that made the OpenSSL 1.1.0+ API checks also work for WolfSSL. We also removed the option to compile OpenVPN without AEAD support, and since WolfSSL supports TLS 1.3, I also did not expect that this would be problematic for WolfSSL.

The missing functions that I can see quickly are:

- SSL_CTX_set1_curves/SSL_CTX_set1_groups
- SSL_CTX_get0_certificate
- X509_get0_notBefore
- X509_get0_notAfter
- SSL_CTX_set_ecdh_auto (would not be needed if WolfSSL declared a >= 1.1.0 version)
- CRYPTO_memcmp

Also EVP_CIPH_FLAG_AEAD_CIPHER was undefined. It looks like in the older version/patch the use of the define was ifdef'ed under the assumption that support of AEAD implies existence of the macro, which seems not to have been true in the case of WolfSSL.

None of the offending functions looks particularly bad. The get0 ones are just the more modern names of the older, identical OpenSSL ones. The set-groups one is probably already somehow supported but not exposed, and I would be surprised if a constant-time memcmp does not already exist in WolfSSL.

Reverting the patch that removed 1.0.1 feels like a bad option at this point and will also raise (rightfully) eyebrows and questions.

Arne
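The message above lists CRYPTO_memcmp among the functions missing from the WolfSSL compatibility layer, and mentions that OpenVPN's autoconf checks are what select between library-provided and fallback implementations. The following is an added illustration, not code from OpenVPN or wolfSSL, of what such a fallback has to look like: a compare with the same contract as OpenSSL's CRYPTO_memcmp (0 when equal, non-zero otherwise) whose running time depends only on the length, which is the property that matters when the buffers being compared are MAC or AEAD tags. The feature macro HAVE_CRYPTO_MEMCMP, the wrapper name compat_memcmp_ct, and the sample tag bytes are assumptions made up for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* HAVE_CRYPTO_MEMCMP is an assumed autoconf-style feature macro for this
 * example (not one OpenVPN or wolfSSL is known to define). When the TLS
 * library provides CRYPTO_memcmp, use it; otherwise fall back to a local
 * implementation with the same contract. */
#ifdef HAVE_CRYPTO_MEMCMP
#include <openssl/crypto.h>
#define compat_memcmp_ct CRYPTO_memcmp
#else
/* Same contract as OpenSSL's CRYPTO_memcmp: returns 0 if the two buffers are
 * equal and non-zero otherwise. Unlike memcmp() it never returns early, so
 * its running time depends only on n, not on where the first differing byte
 * sits. The volatile qualifiers discourage the compiler from turning the
 * accumulate loop back into an early-exit comparison. */
static int compat_memcmp_ct(const void *a, const void *b, size_t n)
{
    const volatile unsigned char *pa = (const volatile unsigned char *)a;
    const volatile unsigned char *pb = (const volatile unsigned char *)b;
    unsigned char diff = 0;
    size_t i;

    for (i = 0; i < n; i++) {
        diff |= (unsigned char)(pa[i] ^ pb[i]); /* accumulate, never branch on data */
    }
    return diff; /* 0 only if every byte matched */
}
#endif

#define TAG_LEN 16

/* Verify a received authentication tag against the one we computed locally.
 * Returns 1 when they match, 0 otherwise. Rejecting with memcmp() here would
 * leak, through timing, how many leading bytes of the tag were correct. */
int tag_verify(const unsigned char expected[TAG_LEN],
               const unsigned char received[TAG_LEN])
{
    return compat_memcmp_ct(expected, received, TAG_LEN) == 0;
}

/* Stand-alone demonstration on constructed sample tags (not real protocol
 * data). Returns 1 if the good tag is accepted and a one-bit-off tag is
 * rejected, 0 otherwise. */
int demo(void)
{
    unsigned char good[TAG_LEN] = {
        0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
        0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
    };
    unsigned char bad[TAG_LEN];

    memcpy(bad, good, TAG_LEN);
    bad[TAG_LEN - 1] ^= 0x01; /* flip one bit in the last byte */

    return tag_verify(good, good) && !tag_verify(good, bad);
}

int main(void)
{
    printf("constant-time tag check: %s\n", demo() ? "ok" : "FAILED");
    return demo() ? 0 : 1;
}
```

Note that the fallback only guarantees equal work for equal lengths; the caller is responsible for never comparing buffers of attacker-chosen length, which is why tag_verify fixes TAG_LEN.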
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel