Re: [Openvpn-devel] Adding Google Analytics code to Trac?

y was strongly opposed. This was I > > believe, in part, because it is fairly easy to block Google Analytics if > > one so wishes. > > Wouldn't it be easier to use a server-side script to do the same thing? There are many "analytics" scripts out there that don'

Re: [Openvpn-devel] [PATCH] OpenSSL: Fix compilation with deprecated APIs disabled on 1.1

rc/openvpn/ssl_openssl.c| 32 +++- > > src/openvpn/ssl_verify_openssl.c | 1 + > > 3 files changed, 41 insertions(+), 1 deletion(-) Can you give a better explanation of the issue ? (I'm sorry, I try to follow the discussions on the ML, but I'm kind of slow (an

Re: [Openvpn-devel] [PATCH v3 1/2] OpenSSL: remove some EVP_PKEY type checks

Hello, and sorry for the delay (things like 'real life', you know). On Sat, Jan 20, 2018 at 3:22 PM, Selva Nair wrote: > Hi, > > On Sat, Jan 20, 2018 at 6:30 AM, Steffan Karger wrote: > > Hi, > > > > On 17-01-18 14:10, Emmanuel Deloget wrote: > >&

Re: [Openvpn-devel] [PATCH v3 2/2] OpenSSL: remove EVP_PKEY_id()

​Of course, this one is not strictly needed. If you want to keep the function around, feel free to ignore the patch. Given the relative simplicity of the change, one can also consider that if the function is needed again we could simply revert this patch. Best regards, -- Emmanuel Deloget

[Openvpn-devel] [PATCH v3 1/2] OpenSSL: remove some EVP_PKEY type checks

the code). Signed-off-by: Emmanuel Deloget --- src/openvpn/ssl_openssl.c | 33 + 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 86318d4c..7061f536 100644 --- a/src/openvpn/ssl_openssl.c

[Openvpn-devel] [PATCH v3 2/2] OpenSSL: remove EVP_PKEY_id()

The function is no longer used so we don't need to keep it in the OpenSSL 1.1 compatibility layer. Signed-off-by: Emmanuel Deloget --- configure.ac | 1 - src/openvpn/openssl_compat.h | 14 -- 2 files changed, 15 deletions(-) diff --git a/configure

Re: [Openvpn-devel] [PATCH v2 2/3] OpenSSL: remove some EVP_PKEY type checks

Hello, On Wed, Jan 17, 2018 at 1:16 PM, Steffan Karger wrote: > Hi, > > On 15 January 2018 at 23:33, Emmanuel Deloget wrote: > > For the variables outside the ifs, the next C standard should allow us to > > write something like: > > > > if ((RSA *rsa =

Re: [Openvpn-devel] [PATCH v2 2/3] OpenSSL: remove some EVP_PKEY type checks

Hello Selva, On Tue, Jan 16, 2018 at 12:10 AM, Selva Nair wrote: > > > On Mon, Jan 15, 2018 at 5:33 PM, Emmanuel Deloget wrote: > >> Hello Steffan, >> >> On Sun, Jan 14, 2018 at 11:26 AM, Steffan Karger >> wrote: >> >>> Hi, >>>

Re: [Openvpn-devel] PKCS#11 - a little bit of help?

Hi James, On Tue, Jan 16, 2018 at 12:18 AM, James Bottomley < james.bottom...@hansenpartnership.com> wrote: > On Tue, 2018-01-16 at 00:07 +0100, Emmanuel Deloget wrote: > > While the number of required changes were quite small (and have no > > impact on openvpn), this w

Re: [Openvpn-devel] PKCS#11 - a little bit of help?

Hello Steffan, ​​Sorry fo​r the delay - I was busy doing "things​" :) On Sat, Jan 6, 2018 at 12:11 AM, Steffan Karger wrote: > Hi Emmanuel, > > On 03-01-18 18:13, Emmanuel Deloget wrote: > > Hello Steffan, > > > > On Mon, Jan 1, 2018 at 4:36 PM, Steffa

Re: [Openvpn-devel] [PATCH v2 2/3] OpenSSL: remove some EVP_PKEY type checks

Hello Steffan, On Sun, Jan 14, 2018 at 11:26 AM, Steffan Karger wrote: > Hi, > > On 12-01-18 22:37, Emmanuel Deloget wrote: > > Calling EVP_KEY_id() before EVP_PKEY_get0_*() is unnecessary as > > the same check is also performed in the later. > > > > We also

Re: [Openvpn-devel] [PATCH] Use RSA_meth_free instead of free

rsa_meth) > { > -free(rsa_meth); > +RSA_meth_free(rsa_meth); > } > } > crypto_msg(M_FATAL, "Cannot enable SSL external private key > capability"); > -- > 2.1.4 > &g

Re: [Openvpn-devel] [PATCH 0/3] Fix EVP_PKEY key types handling

Hello, The whole series is also viewable on github at https://github.com/emmanuel-deloget/openvpn/commits/fix-evp-pkey Best regards, ​-- Emmanuel Deloget​ -- Check out the vibrant tech community on one of the world&#

[Openvpn-devel] [PATCH v2 2/3] OpenSSL: remove some EVP_PKEY type checks

the code). Signed-off-by: Emmanuel Deloget diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 711bba11..7943fb2c 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -1699,22 +1699,13 @@ print_details(struct key_state_ssl *ks_ssl, const char *prefix

Re: [Openvpn-devel] [PATCH 2/3] OpenSSL: remove some EVP_PKEY type checks

Hello Selva, On Fri, Jan 12, 2018 at 6:09 PM, Selva Nair wrote: > Hi, > > I will defer to crypto experts for a proper review, but a quick remark > > On Fri, Jan 12, 2018 at 11:48 AM, Emmanuel Deloget wrote: > > Calling EVP_KEY_id() before EVP_PKEY_get0_*() is unnecessary

[Openvpn-devel] [PATCH 1/3] OpenSSL: check EVP_PKEY key types before returning the pkey

The internal EVP_PKEY::pkey member is an union thus we need to check for the real key type before we can return the corresponding RSA, DSA or EC public key. Reported-by: Selva Nair Signed-off-by: Emmanuel Deloget diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index

[Openvpn-devel] [PATCH 0/3] Fix EVP_PKEY key types handling

no longer used (although I'd understand if one wants to keep this function around). Hopefully, this is the last time I have to correct a bug by the previous commiter (I will not name him. That would sound too weird). Next time, he'll have to do it by himself :) Best regards, -- Emmanu

[Openvpn-devel] [PATCH 2/3] OpenSSL: remove some EVP_PKEY type checks

the code). Signed-off-by: Emmanuel Deloget diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 711bba11..9f74acaa 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -1699,22 +1699,13 @@ print_details(struct key_state_ssl *ks_ssl, const char *prefix

[Openvpn-devel] [PATCH 3/3] OpenSSL: remove EVP_PKEY_id()

The function is no longer used so we don't need to keep it in the OpenSSL 1.1 compatibility layer. Signed-off-by: Emmanuel Deloget diff --git a/configure.ac b/configure.ac index b4fd1b3f..716b45dc 100644 --- a/configure.ac +++ b/configure.ac @@ -925,7 +925,6 @@ if test "${with_cryp

Re: [Openvpn-devel] PKCS#11 - a little bit of help?

Hello Steffan, On Mon, Jan 1, 2018 at 4:36 PM, Steffan Karger wrote: > Hi, > > On 01-01-18 14:57, Emmanuel Deloget wrote: > > I'm trying to get openvpn read my certificates from a TPM2 using a > > specially crafted PKCS#11 provider (the existing tpm2-pk11 is quite

Re: [Openvpn-devel] openvpn segfaults on --management-external-key with ECC certificate

rongly assumed it was a struct (BTW, the code it replaced seemed to also assume pkey->pkey was a struct; that does not excuse my own failure). So a better (as in: more complete) fix would be to also correct EVP_PKEY_get0_DSA() and EVP_PKEY_get0_EC_KEY() and to remove unnecessary calls to EVP_PKEY_id

[Openvpn-devel] PKCS#11 - a little bit of help?

o know if there is some document (design or anything, really) that could help me to understand what openvpn wants exactly in order for me to provide the missing bits. I've read the documents at [1] but found nothing here of interest (for me). So, does someone have any pointer? Best regards,

Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

ng that from my phone. > > To add to the NAK, such a move would make integration to various embedded > distribution more difficult, as maintainers may have to deal with 2 versions > of the > same lib (with possibly different behavior needed by different binaries). > > Do I would adv

Re: [Openvpn-devel] [PATCH 1/2] OpenSSL: remove EVP_CIPHER_CTX_new() from the compat layer

me). So: sorry for the annoying noise :) Best regards, -- Emmanuel Deloget -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot __

[Openvpn-devel] [PATCH 2/2] OpenSSL: remove EVP_CIPHER_CTX_free() from the compat layer

removed. Signed-off-by: Emmanuel Deloget --- configure.ac | 1 - src/openvpn/openssl_compat.h | 13 - 2 files changed, 14 deletions(-) diff --git a/configure.ac b/configure.ac index cb121795..60bb4658 100644 --- a/configure.ac +++ b/configure.ac @@ -919,7 +919,6 @@ if

[Openvpn-devel] [PATCH 1/2] OpenSSL: remove EVP_CIPHER_CTX_new() from the compat layer

removed. Signed-off-by: Emmanuel Deloget --- configure.ac | 1 - src/openvpn/openssl_compat.h | 15 --- 2 files changed, 16 deletions(-) diff --git a/configure.ac b/configure.ac index 22f91cb6..cb121795 100644 --- a/configure.ac +++ b/configure.ac @@ -919,7 +919,6

Re: [Openvpn-devel] [PATCH v2] Move adjust_power_of_2() to integer.h

On Thu, Jun 22, 2017 at 6:08 PM, Antonio Quartulli wrote: > > On Thu, Jun 22, 2017 at 05:33:44PM +0200, Emmanuel Deloget wrote: > > Hi Antonio, Steffan, > > > > On Thu, Jun 22, 2017 at 3:31 PM, Antonio Quartulli wrote: > > > > > Thanks for sending v2 Steff

Re: [Openvpn-devel] [PATCH v2] Move adjust_power_of_2() to integer.h

alue will yield the desired result. Again, the function is not used extensively, so you can ignore this suggestion as it will not speed up openvpn at all :) > Cheers, > ​​ > ​BR, -- Emmanuel Deloget​ -- Check o

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

> kind regards, > > David Sommerseth > OpenVPN Technologies, Inc > > ​BR, -- Emmanuel Deloget​ -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm

Re: [Openvpn-devel] [PATCH applied] Re: OpenSSL: don't use direct access to the internal of HMAC_CTX

effan, David, and all the other who helped me. ​ > > commit aba98e9050eb54d72d921e70bcd422cb892b9c6c (master) > commit 2bf4aee4b043151bd2abe7101421fd74763f1230 (release/2.4) > Author: Emmanuel Deloget > Date: Mon Jun 12 15:43:29 2017 +0200 > > OpenSSL: don't use dir

Re: [Openvpn-devel] [PATCH 7/8] OpenSSL: don't use direct access to the internal of HMAC_CTX

thing before applying (if you agree that this > is better), but if this is the only thing left to get 1.1 support into > our next release that shouldn't block applying the patch. > > So, basically, ACK :) > > -Steffan > ​BR, --

Re: [Openvpn-devel] [PATCH v7 0/8] OpenSSL: support for version 1.1

by now -- it's good to see than some of the API is still the same (for any definition of good ; I guess the folk at LibreSSL find this a bit discouraging...). Best regards, -- Emmanuel Deloget -- Check out the vibrant

Re: [Openvpn-devel] OpenSSL 1.1 patch set - status?

Hi Gert, On Fri, May 19, 2017 at 1:41 PM, Gert Doering wrote: > Hi, > > On Fri, May 19, 2017 at 12:37:17PM +0200, Emmanuel Deloget wrote: > > > I'm wondering where this got stuck - are you waiting for us to move > > > forward (like, missing review of pa

[Openvpn-devel] [PATCH 6/7] OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX

OpenSSL 1.1 does not allow us to directly access the internal of any data type, including EVP_CIPHER_CTX. We have to use the defined functions to do so. Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found in the library. Signed-off-by: Emmanuel

[Openvpn-devel] [PATCH 3/7] OpenSSL: don't use direct access to the internal of RSA

OpenSSL 1.1 does not allow us to directly access the internal of any data type, including RSA. We have to use the defined functions to do so. Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found in the library. Signed-off-by: Emmanuel Deloget

[Openvpn-devel] [PATCH 1/7] OpenSSL: don't use direct access to the internal of X509

ser if there is a discrepancy between the X509_check_purpose() return value and our internal, less strict check. Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found in the library. Signed-off-by: Emmanuel Deloget --- configure.ac

[Openvpn-devel] [PATCH 7/7] OpenSSL: don't use direct access to the internal of HMAC_CTX

OpenSSL 1.1 does not allow us to directly access the internal of any data type, including HMAC_CTX. We have to use the defined functions to do so. Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found in the library. Signed-off-by: Emmanuel

[Openvpn-devel] [PATCH 5/7] OpenSSL: don't use direct access to the internal of EVP_MD_CTX

OpenSSL 1.1 does not allow us to directly access the internal of any data type, including EVP_MD_CTX. We have to use the defined functions to do so. Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found in the library. Signed-off-by: Emmanuel

[Openvpn-devel] [PATCH 2/7] OpenSSL: don't use direct access to the internal of EVP_PKEY

OpenSSL 1.1 does not allow us to directly access the internal of any data type, including EVP_PKEY. We have to use the defined functions to do so. Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found in the library. Signed-off-by: Emmanuel

[Openvpn-devel] [PATCH 4/7] OpenSSL: don't use direct access to the internal of DSA

OpenSSL 1.1 does not allow us to directly access the internal of any data type, including DSA. We have to use the defined functions to do so. Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found in the library. Signed-off-by: Emmanuel Deloget

Re: [Openvpn-devel] OpenSSL 1.1 patch set - status?

Hi Gert, On Thu, May 18, 2017 at 10:49 PM, Gert Doering wrote: > > Hi Emmanuel, > > On Mon, Mar 27, 2017 at 05:49:48PM +0200, Emmanuel Deloget wrote: > > I'll post my new patches as soon as I get over every issues > > that have been talked on the ML (is that even a

Re: [Openvpn-devel] [RFC PATCH v1 05/15] OpenSSL: don't use direct access to the internal of X509

Hi, I'm not sure why but it seems this mail (that I send yesterday) never found its way to the ML. So I re-send it. Sorry for the inconvenience. BR, -- Emmanuel Deloget On Mon, Mar 27, 2017 at 5:49 PM, Emmanuel Deloget wrote: > Hi everyone, > > I got some time to try to fix

Re: [Openvpn-devel] building HEAD + openssl 1.1 api fails @ "crypto.c:823:32: error: invalid application of ???sizeof??? to incomplete type ???cipher_ctx_t"

found a solution to overcome the big X509_check_purpose() issue, so now I'm able to propose a solution that does not change the behavior of OpenVPN. BR, -- Emmanuel Deloget -- Check out the vibrant tech co

Re: [Openvpn-devel] [RFC PATCH v1 05/15] OpenSSL: don't use direct access to the internal of X509

thing to do (but it's a bit convoluted and I don't like it much). ​Good news: the same code should work with nearly all the previous versions of OpenSSL. > ​ > > > -- > kind regards, > > David Sommerseth > OpenVPN Tec

Re: [Openvpn-devel] [PATCH applied] Re: OpenSSL: don't use direct access to the internal of RSA_METHOD

#x27;t like it much either but I cannot think of a better solution. > -Steffan Best regards, -- Emmanuel Deloget -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http:/

Re: [Openvpn-devel] [RFC PATCH v1 05/15] OpenSSL: don't use direct access to the internal of X509

hat might just create more > confusion... Unfortunately, I am overbooked right now and I'm not sure I'll be able to do this fast (say, in less than 2 weeks). I'd be grateful of someone else does it. > -Steffan Best regards, -- Emmanuel Deloget --

[Openvpn-devel] [PATCH v3 07/15] OpenSSL: don't use direct access to the internal of RSA

OpenSSL 1.1 does not allow us to directly access the internal of any data type, including RSA. We have to use the defined functions to do so. Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found in the library. Signed-off-by: Emmanuel Deloget

[Openvpn-devel] [PATCH v3 00/15] Add support for OpenSSL 1.1.x

rebase from the master tree. Individual commits can be viewed at https://github.com/emmanuel-deloget/openvpn/commits/openssl-1.1-v3 (This time, the branch name is correct :)) Changes v2 --> v3: * RSA_METHOD (04/15): rsa_meth->name is now a dup of the name parameter; it's freed i

[Openvpn-devel] [PATCH v3 04/15] OpenSSL: don't use direct access to the internal of RSA_METHOD

OpenSSL 1.1 does not allow us to directly access the internal of any data type, including RSA_METHOD. We have to use the defined functions to do so. Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found in the library. Signed-off-by: Emmanuel

Re: [Openvpn-devel] [RFC PATCH v1 04/15] OpenSSL: don't use direct access to the internal of RSA_METHOD

Hi Steffan, On Wed, Feb 22, 2017 at 11:13 PM, Steffan Karger wrote: > Hi, > > On 17-02-17 23:00, log...@free.fr wrote: >> From: Emmanuel Deloget >> >> OpenSSL 1.1 does not allow us to directly access the internal of >> any data type, including RSA_METHOD. We hav

Re: [Openvpn-devel] [RFC PATCH v1 01/15] OpenSSL: don't use direct access to the internal of SSL_CTX

o >> checking whether TUNSETPERSIST is declared... yes >> checking for setcon in -lselinux... yes >> checking for pam_start in -lpam... yes >> checking for PKCS11_HELPER... no >> ./configure: line 21440: syntax error near unexpected token `fi' >

Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

On Mon, Feb 20, 2017 at 2:53 PM, Emmanuel Deloget wrote: > Hi again, > > On Mon, Feb 20, 2017 at 2:33 PM, Emmanuel Deloget wrote: >> Hi Christian, >> >> On Mon, Feb 20, 2017 at 1:29 PM, Christian Hesse wrote: >>> That matches my findings. Built agains

[Openvpn-devel] [RFC PATCH v2 06/15] OpenSSL: don't use direct access to the internal of EVP_PKEY

OpenSSL 1.1 does not allow us to directly access the internal of any data type, including EVP_PKEY. We have to use the defined functions to do so. Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found in the library. Signed-off-by: Emmanuel

[Openvpn-devel] [RFC PATCH v2 15/15] OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit()

EVP_CipherInit_ex() which has been part of the OpenSSL interface since the dawn of time (0.9.8 already has it). Thus, the change allows us to get the old behavior back instead of relying on dirty tricks. Signed-off-by: Emmanuel Deloget --- src/openvpn/crypto_openssl.c | 4 ++-- 1 file changed, 2 insertions(+), 2

[Openvpn-devel] [RFC PATCH v2 00/15] Add support for OpenSSL 1.1.x

* "OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit()" This version has been compile-tested with the following versions: * 0.9.8zh * 1.0.0t * 1.0.1u * 1.0.2k * 1.1.0-git Each compilation test was followed by a connection test to an OpenVPN server (v2.3). So far, everything seems to

Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

Hi again, On Mon, Feb 20, 2017 at 2:33 PM, Emmanuel Deloget wrote: > Hi Christian, > > On Mon, Feb 20, 2017 at 1:29 PM, Christian Hesse wrote: >> That matches my findings. Built against openssl 1.1.0e (Arch Linux package >> openssl 1.1.0.e-1 [0]) the build itself succ

Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

ions. > > thanks for your work! > > gert Well, thanks to everyone involved -- all of you have been really kind with me (for now :)) Best regards, -- Emmanuel Deloget -- Check out the vibrant tech community

Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

s available from a public git repository? I will make my patches available on github ASAP. Best regards -- Emmanuel Deloget On Mon, Feb 20, 2017 at 1:29 PM, Christian Hesse wrote: > Emmanuel Deloget on Mon, 2017/02/20 12:45: >> Hello, >> >> On Sun, Feb 19, 2017 at 6:49 PM,

Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

currently investigating this issue. I'll provide a patch as soon as I fix this (this is a bit ironic ; I may have forgotten something somewhere...). I don't have much time to test with other OpenSSL versions but I guess you have the infrastructure that will help. > gert Best regards,

Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

ll and independently > reviewable patches. I'll start review soon. > > -Steffan For the record, most of the patches deal with changing how the code access to one selected OpenSSL type. I hope it will ease review -- in the sense that people who are accustomed to the code mig

Re: [Openvpn-devel] build against openssl 1.1.0

Hello, On Fri, Feb 17, 2017 at 6:42 PM, Gert Doering wrote: > Hi, > > On Fri, Feb 17, 2017 at 06:37:04PM +0100, Emmanuel Deloget wrote: >> I guess the answer to the riddle is: "how long will the 2.4 branch >> live?". v2.3 shipped in May 2013. If we assume that v2

Re: [Openvpn-devel] build against openssl 1.1.0

Hello, On Fri, Feb 17, 2017 at 5:41 PM, Gert Doering wrote: > Hi, > > On Fri, Feb 17, 2017 at 05:35:04PM +0100, Emmanuel Deloget wrote: >> I understand that I'm the new guy in town, but can you allow me to >> make the formal request to ditch OpenSSL 0.9.8, 1.0.0 and 1.0

Re: [Openvpn-devel] build against openssl 1.1.0

wn, but can you allow me to make the formal request to ditch OpenSSL 0.9.8, 1.0.0 and 1.0.1 and require at least version 1.0.2? Best regards, -- Emmanuel Deloget -- Check out the vibrant tech community on one of the world