Hi Arne,
thank you for your feedback. I tested the patch on the latest master
version at the time of writing and it looks like these requirements were
added in the last week, which is why I wasn't able to address them
before. I will look into the new issues and get back to you when they are
fixed.
I agree that most of these functions only require exposing existing
functionality on our side.
Sincerely
Juliusz
On 22/07/2020 15:37, Arne Schwabe wrote:
On 15.07.20 at 10:26, Juliusz Sosinowicz wrote:
Hi Everyone,
do you have an update on the latest patch I sent? There have been
updates to wolfSSL to fix the remaining issues brought up last time.
Yes. I looked at this today in the expectation that I would just compile test,
do a few quick tests and then ACK+merge it:
However, during our preparation for the next OpenVPN release, we
reevaluated the minimum OpenSSL version and decided that OpenSSL 1.0.2
is our minimum target for the next release, and removed the OpenSSL 1.0.1
compatibility defines. I was not aware that WolfSSL depended on the
compatibility with 1.0.1 and was rather surprised, since we added all the
compatibility tests in autoconf that made the OpenSSL 1.1.0+ API checks also
work for WolfSSL. We also removed the option to compile OpenVPN without
AEAD support and, since WolfSSL supports TLS 1.3, I also did not expect
that this would be problematic for WolfSSL.
The missing functions that I can see quickly are:
SSL_CTX_set1_curves/SSL_CTX_set1_groups
SSL_CTX_get0_certificate
X509_get0_notBefore
X509_get0_notAfter
SSL_CTX_set_ecdh_auto (Would not be needed if WolfSSL declared a >= 1.1.0
version)
CRYPTO_memcmp
Also EVP_CIPH_FLAG_AEAD_CIPHER was undefined. It looks like in the older
version/patch the use of the define was ifdef'ed under the assumption
that support of AEAD implies existence of the macro, which seems not
to have been true in the case of WolfSSL.
None of the offending functions looks particularly bad. The get0 functions are
just the more modern names of identical older OpenSSL functions. The set
groups is probably already somehow supported but not exposed, and I would
be surprised if a constant time memcmp does not already exist in WolfSSL.
Reverting the patch that removed 1.0.1 feels like a bad option at this
point and will also raise (rightfully) eyebrows and questions.
Arne
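The CRYPTO_memcmp point above is the security-relevant one: a tag check done with plain memcmp() stops at the first differing byte, so its running time leaks how many leading bytes of the tag matched. The following is an added illustration (not OpenVPN's or wolfSSL's code) of the fallback shape a compat layer would supply when a backend does not export CRYPTO_memcmp; the function name compat_CRYPTO_memcmp and the tag_matches consumer are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fallback with CRYPTO_memcmp semantics: returns 0 when the two buffers are
 * equal and non-zero otherwise. Every byte is visited and the result is
 * accumulated with OR, so there is no data-dependent early exit.
 * Hypothetical shim name; a real compat header would map CRYPTO_memcmp to it
 * only when the TLS backend lacks the function. */
int compat_CRYPTO_memcmp(const void *a, const void *b, size_t len)
{
    const volatile unsigned char *pa = (const volatile unsigned char *)a;
    const volatile unsigned char *pb = (const volatile unsigned char *)b;
    unsigned char acc = 0;
    size_t i;

    for (i = 0; i < len; i++) {
        acc |= (unsigned char)(pa[i] ^ pb[i]);
    }
    return acc != 0;
}

/* Example consumer: verifying a fixed-length authentication tag such as the
 * HMAC on a received packet. The comparison time does not depend on where the
 * first mismatch sits, which is the property memcmp() does not give. */
int tag_matches(const unsigned char *expected, const unsigned char *received,
                size_t taglen)
{
    return compat_CRYPTO_memcmp(expected, received, taglen) == 0;
}

int main(void)
{
    /* Constructed sample tags: 'bad' differs from 'good' only in the last byte,
     * the case where memcmp() would run longest before reporting a mismatch. */
    unsigned char good[16] = { 0x10, 0x32, 0x54, 0x76, 0x98, 0xba, 0xdc, 0xfe,
                               0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };
    unsigned char bad[16];

    memcpy(bad, good, sizeof(bad));
    bad[15] ^= 0x01;

    printf("identical tags: %s\n", tag_matches(good, good, 16) ? "match" : "mismatch");
    printf("last byte differs: %s\n", tag_matches(good, bad, 16) ? "match" : "mismatch");
    return 0;
}
```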
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel