Re: [Openvpn-devel] [PATCH 02/02] Remove calls to OpenSSL when building with --disable-ssl

2012-03-29 Thread David Sommerseth

On 28/02/12 12:16, Igor Novgorodov wrote:
>> On 28/02/12 06:54, Igor Novgorodov wrote:
>>> Then maybe we should move these calls to crypto_openssl.c into 
>>> crypto_init_lib() function to make crypto.c
>>> library-independent? And why OpenSSL_add_all_algorithms() and
>>> stuff is called only when USE_SSL is not defined?
>>> 
>>> And if these calls are for 0.9.8, maybe add a check for
>>> OpenSSL version?
>> Remember that OpenSSL covers two parts.  One part is the SSL
>> stuff, the other part is the crypto layer.  So even if the SSL
>> stuff isn't used, the crypto stuff most likely is.  In the crypto
>> stuff, also all the hashing algorithms are included.  However,
>> using SSL without crypto doesn't make sense.  If it's not needed
>> any more by OpenSSL 1.0.0, then make it version dependent.  Can
>> probably be done at compile time.
> Well, i'm no expert in OpenSSL programming, but looking through 
> internet, i haven't found an evidence that this stuff should not be
> called during initialization in OpenSSL 1.0.x
> 
> So, just to make OpenVPN possible to build with --ssl-type=polarssl
> and --disable-ssl, i propose the attached patch that moves calls to
> these functions into crypto_openssl.c
> 
>> Removing the ERR_load_crypto_strings() call will most likely
>> break the error logging too, which is used by the msg() function.
>> It will not make the crypto/SSL errors more understandable, how I
>> understand it.
>> 
>> May I suggest that both ERR_load_crypto_strings() and 
>> SSL_load_error_strings() (gotta love the consistency of function
>> naming) is loaded by default, unless ENABLE_SMALL is defined?
> I agree, added the check for ENABLE_SMALL in ssl_openssl.c and 
> crypto_openssl.c to the attached patch.
> 
>> Right now, this patch makes me really concerned and scared.  For
>> this to be accepted, a lot of testing must be done - and most
>> likely by people understanding the darker sides of crypto far
>> better than I.  We can't risk that we're regressing on a well
>> proved and tested encryption layer. There are people located in
>> not so democratic countries who use OpenVPN to access a
>> not-restricted/censored Internet - and their safety may rely on
>> the security OpenVPN provides.
> 
> I agree fully. So if we just move these calls into
> crypto_openssl.c, no regression would occur i think.

Your patch has now been applied to the master branches on the -stable
and -testing git trees.

commit 39b54baa36e8625fd29d0a1ed6482f83fa78d322
Author: Igor Novgorodov 
Date:   Tue Feb 28 15:16:01 2012 +0400

Remove calls to OpenSSL when building with --disable-ssl

Move OpenSSL calls out from the generic crypto layer and into the
OpenSSL specific layer.  Also don't load all algorithms if SSL
isn't enabled.

Error strings will also not be loaded into memory if ENABLE_SMALL
is configured.

Signed-off-by: Igor Novgorodov 
Acked-by: Adriaan de Jong 
Acked-by: David Sommerseth 
Signed-off-by: David Sommerseth 


Thank you very much for your contribution!


kind regards,

David Sommerseth



Re: [Openvpn-devel] [PATCH 02/02] Remove calls to OpenSSL when building with --disable-ssl

2012-02-28 Thread Adriaan de Jong
On 02/28/2012 12:48 PM, David Sommerseth wrote:
> On 28/02/12 12:40, Igor Novgorodov wrote:
>> On 28.02.2012 15:34, David Sommerseth wrote:


>> And when building with SSL support, it won't be called here, but
>> in ssl_openssl.c in tls_init_lib() instead.
> 
> Indeed.  This looks good.  So unless Adriaan see some other
> concerns.
> 
> Again, sorry about the noise!
> 

Ack! Thanks, that looks good.

Adriaan



Re: [Openvpn-devel] [PATCH 02/02] Remove calls to OpenSSL when building with --disable-ssl

2012-02-28 Thread David Sommerseth

On 28/02/12 12:40, Igor Novgorodov wrote:
> On 28.02.2012 15:34, David Sommerseth wrote:
>> On 28/02/12 12:16, Igor Novgorodov wrote:
>>> On 28.02.2012 14:39, David Sommerseth wrote:
>>>> On 28/02/12 06:54, Igor Novgorodov wrote:
[...snip...]
>>>> Right now, this patch makes me really concerned and scared.
>>>> For this to be accepted, a lot of testing must be done - and
>>>> most likely by people understanding the darker sides of crypto
>>>> far better than I.  We can't risk that we're regressing on a
>>>> well proved and tested encryption layer. There are people
>>>> located in not so democratic countries who use OpenVPN to access
>>>> a not-restricted/censored Internet - and their safety may rely
>>>> on the security OpenVPN provides.
>>> I agree fully. So if we just move these calls into
>>> crypto_openssl.c, no regression would occur i think.
>> Agreed, I think it makes sense to move all native OpenSSL calls
>> into *_openssl.[ch] files.
>> 
>> I'm still not convinced about this part though.
>> 
>> +#ifndef USE_SSL +#ifndef ENABLE_SMALL +  ERR_load_crypto_strings
>> (); +#endif +  OpenSSL_add_all_algorithms (); +#endif
>> 
>> OpenSSL_add_algorithms() is also needed for *non-SSL* stuff.  It
>> populates the internal OpenSSL lookup tables, so you can lookup
>> strings like "MD5", "SHA512", "AES256", etc,  etc via
>> EVP_get_digestbyname() and EVP_get_cipherbyname() which will return
>> the proper EVP_* objects back. And neither of these are strictly
>> SSL, they are all crypto related.  SSL depends on the crypto part,
>> but the crypto doesn't need SSL.
> Well, it's the #ifNdef directive used, so when building *without* SSL 
> support, the OpenSSL_add_all_algorithms() will be called here, in
> crypto_openssl.c

Duh!  Sorry!!!  I didn't see the 'n' in the #ifndef.  Thanks for
highlighting that.  It all makes sense now.

> And when building with SSL support, it won't be called here, but in 
> ssl_openssl.c in tls_init_lib() instead.

Indeed.  This looks good.  So unless Adriaan see some other concerns.

Again, sorry about the noise!


kind regards,

David Sommerseth
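
Added example (not part of the original message, the patch, or OpenVPN): a runtime model of the guard logic this exchange settles on, checked across the four USE_SSL x ENABLE_SMALL builds and against the "#ifdef" misreading of the outer guard. The *_model functions, the counters and the startup order (tls_init_lib() before crypto_init_lib() in an SSL build) are assumptions of the sketch.

```c
#include <stdbool.h>
#include <stdio.h>

/* Counters standing in for OpenSSL's global tables (model, not OpenSSL code). */
struct lib_state {
    int algorithms;  /* +1 OpenSSL_add_all_algorithms(), -1 EVP_cleanup() */
    int err_strings; /* +1 per error-string load call, -1 ERR_free_strings() */
};

enum {
    ALGORITHMS_NOT_ONCE  = 1, /* lookup tables missing or registered twice */
    ERR_STRINGS_MISMATCH = 2, /* strings loaded does not match ENABLE_SMALL */
    UNBALANCED_TEARDOWN  = 4  /* uninit does not undo what init did */
};

/* Outer guard of crypto_init_lib()/crypto_uninit_lib() in the patch.
 * guard_inverted models reading "#ifndef USE_SSL" as "#ifdef USE_SSL". */
static bool crypto_guard(bool use_ssl, bool guard_inverted)
{
    return guard_inverted ? use_ssl : !use_ssl;
}

static void crypto_init_model(struct lib_state *s, bool run, bool small)
{
    if (!run) return;
    if (!small) s->err_strings++;  /* ERR_load_crypto_strings () */
    s->algorithms++;               /* OpenSSL_add_all_algorithms () */
}

static void crypto_uninit_model(struct lib_state *s, bool run, bool small)
{
    if (!run) return;
    s->algorithms--;               /* EVP_cleanup () */
    if (!small) s->err_strings--;  /* ERR_free_strings () */
}

/* ssl_openssl.c as patched; only part of the build when USE_SSL is defined. */
static void tls_init_model(struct lib_state *s, bool small)
{
    if (!small) s->err_strings++;  /* SSL_load_error_strings() */
    s->algorithms++;               /* OpenSSL_add_all_algorithms () */
}

static void tls_free_model(struct lib_state *s, bool small)
{
    s->algorithms--;               /* EVP_cleanup() */
    if (!small) s->err_strings--;  /* ERR_free_strings() */
}

/* Returns a bitmask of problems for one build configuration. */
int check_build(bool use_ssl, bool small, bool guard_inverted)
{
    struct lib_state s = {0, 0};
    bool run = crypto_guard(use_ssl, guard_inverted);
    int problems = 0;

    /* Assumed startup order: TLS layer first (SSL builds only), then crypto. */
    if (use_ssl) tls_init_model(&s, small);
    crypto_init_model(&s, run, small);
    if (s.algorithms != 1) problems |= ALGORITHMS_NOT_ONCE;
    if (s.err_strings != (small ? 0 : 1)) problems |= ERR_STRINGS_MISMATCH;

    crypto_uninit_model(&s, run, small);
    if (use_ssl) tls_free_model(&s, small);
    if (s.algorithms != 0 || s.err_strings != 0) problems |= UNBALANCED_TEARDOWN;
    return problems;
}

/* Number of the four USE_SSL x ENABLE_SMALL builds with any problem. */
int failing_builds(bool guard_inverted)
{
    int n = 0;
    for (int ssl = 0; ssl <= 1; ssl++)
        for (int small = 0; small <= 1; small++)
            n += check_build(ssl, small, guard_inverted) != 0;
    return n;
}

int main(void)
{
    for (int inv = 0; inv <= 1; inv++)
        for (int ssl = 0; ssl <= 1; ssl++)
            for (int small = 0; small <= 1; small++)
                printf("%s USE_SSL=%d ENABLE_SMALL=%d problems=%d\n",
                       inv ? "#ifdef " : "#ifndef", ssl, small,
                       check_build(ssl, small, inv));
    return 0;
}
```

With the guard as written every build registers the algorithm tables exactly once; with the guard inverted a non-SSL build registers nothing and an SSL build registers twice.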



Re: [Openvpn-devel] [PATCH 02/02] Remove calls to OpenSSL when building with --disable-ssl

2012-02-28 Thread Igor Novgorodov

On 28.02.2012 15:34, David Sommerseth wrote:
> On 28/02/12 12:16, Igor Novgorodov wrote:
>> On 28.02.2012 14:39, David Sommerseth wrote:
>>> On 28/02/12 06:54, Igor Novgorodov wrote:
>>>> Then maybe we should move these calls to crypto_openssl.c into
>>>> crypto_init_lib() function to make crypto.c library-independent?
>>>> And why OpenSSL_add_all_algorithms() and stuff is called only
>>>> when USE_SSL is not defined?
>>>>
>>>> And if these calls are for 0.9.8, maybe add a check for OpenSSL
>>>> version?
>>> Remember that OpenSSL covers two parts.  One part is the SSL stuff,
>>> the other part is the crypto layer.  So even if the SSL stuff isn't
>>> used, the crypto stuff most likely is.  In the crypto stuff, also
>>> all the hashing algorithms are included.  However, using SSL without
>>> crypto doesn't make sense.  If it's not needed any more by OpenSSL
>>> 1.0.0, then make it version dependent.  Can probably be done at
>>> compile time.
>> Well, i'm no expert in OpenSSL programming, but looking through
>> internet, i haven't found an evidence that this stuff should not be
>> called during initialization in OpenSSL 1.0.x
>>
>> So, just to make OpenVPN possible to build with --ssl-type=polarssl
>> and --disable-ssl, i propose the attached patch that moves calls to
>> these functions into crypto_openssl.c
>>
>>> Removing the ERR_load_crypto_strings() call will most likely break
>>> the error logging too, which is used by the msg() function.  It will
>>> not make the crypto/SSL errors more understandable, how I understand
>>> it.
>>>
>>> May I suggest that both ERR_load_crypto_strings() and
>>> SSL_load_error_strings() (gotta love the consistency of function
>>> naming) is loaded by default, unless ENABLE_SMALL is defined?
>> I agree, added the check for ENABLE_SMALL in ssl_openssl.c and
>> crypto_openssl.c to the attached patch.
>>
>>> Right now, this patch makes me really concerned and scared.  For
>>> this to be accepted, a lot of testing must be done - and most likely
>>> by people understanding the darker sides of crypto far better than
>>> I.  We can't risk that we're regressing on a well proved and tested
>>> encryption layer. There are people located in not so democratic
>>> countries who use OpenVPN to access a not-restricted/censored
>>> Internet - and their safety may rely on the security OpenVPN
>>> provides.
>>
>> I agree fully. So if we just move these calls into crypto_openssl.c,
>> no regression would occur i think.
>
> Agreed, I think it makes sense to move all native OpenSSL calls into
> *_openssl.[ch] files.
>
> I'm still not convinced about this part though.

+#ifndef USE_SSL
+#ifndef ENABLE_SMALL
+  ERR_load_crypto_strings ();
+#endif
+  OpenSSL_add_all_algorithms ();
+#endif

> OpenSSL_add_algorithms() is also needed for *non-SSL* stuff.  It
> populates the internal OpenSSL lookup tables, so you can lookup strings
> like "MD5", "SHA512", "AES256", etc,  etc via EVP_get_digestbyname() and
> EVP_get_cipherbyname() which will return the proper EVP_* objects back.
> And neither of these are strictly SSL, they are all crypto related.  SSL
> depends on the crypto part, but the crypto doesn't need SSL.

Well, it's the #ifNdef directive used, so when building *without* SSL
support, the OpenSSL_add_all_algorithms() will be called here, in
crypto_openssl.c

And when building with SSL support, it won't be called here, but in
ssl_openssl.c in tls_init_lib() instead.


Looks fine to me.


> Adriaan, what do you think?
>
> kind regards,
>
> David Sommerseth





Re: [Openvpn-devel] [PATCH 02/02] Remove calls to OpenSSL when building with --disable-ssl

2012-02-28 Thread David Sommerseth

On 28/02/12 12:16, Igor Novgorodov wrote:
> On 28.02.2012 14:39, David Sommerseth wrote:
>> On 28/02/12 06:54, Igor Novgorodov wrote:
>>> Then maybe we should move these calls to crypto_openssl.c into 
>>> crypto_init_lib() function to make crypto.c library-independent?
>>> And why OpenSSL_add_all_algorithms() and stuff is called only
>>> when USE_SSL is not defined?
>>> 
>>> And if these calls are for 0.9.8, maybe add a check for OpenSSL 
>>> version?
>> Remember that OpenSSL covers two parts.  One part is the SSL stuff,
>> the other part is the crypto layer.  So even if the SSL stuff isn't
>> used, the crypto stuff most likely is.  In the crypto stuff, also
>> all the hashing algorithms are included.  However, using SSL without
>> crypto doesn't make sense.  If it's not needed any more by OpenSSL
>> 1.0.0, then make it version dependent.  Can probably be done at
>> compile time.
> Well, i'm no expert in OpenSSL programming, but looking through
> internet, i haven't found an evidence that this stuff should not be
> called during initialization in OpenSSL 1.0.x
> 
> So, just to make OpenVPN possible to build with --ssl-type=polarssl
> and --disable-ssl, i propose the attached patch that moves calls to
> these functions into crypto_openssl.c
> 
>> Removing the ERR_load_crypto_strings() call will most likely break
>> the error logging too, which is used by the msg() function.  It will
>> not make the crypto/SSL errors more understandable, how I understand
>> it.
>> 
>> May I suggest that both ERR_load_crypto_strings() and 
>> SSL_load_error_strings() (gotta love the consistency of function
>> naming) is loaded by default, unless ENABLE_SMALL is defined?
> I agree, added the check for ENABLE_SMALL in ssl_openssl.c and 
> crypto_openssl.c to the attached patch.
> 
>> Right now, this patch makes me really concerned and scared.  For
>> this to be accepted, a lot of testing must be done - and most likely
>> by people understanding the darker sides of crypto far better than
>> I.  We can't risk that we're regressing on a well proved and tested
>> encryption layer. There are people located in not so democratic
>> countries who use OpenVPN to access a not-restricted/censored
>> Internet - and their safety may rely on the security OpenVPN
>> provides.
> 
> I agree fully. So if we just move these calls into crypto_openssl.c,
> no regression would occur i think.

Agreed, I think it makes sense to move all native OpenSSL calls into
*_openssl.[ch] files.

I'm still not convinced about this part though.

+#ifndef USE_SSL
+#ifndef ENABLE_SMALL
+  ERR_load_crypto_strings ();
+#endif
+  OpenSSL_add_all_algorithms ();
+#endif

OpenSSL_add_algorithms() is also needed for *non-SSL* stuff.  It
populates the internal OpenSSL lookup tables, so you can lookup strings
like "MD5", "SHA512", "AES256", etc,  etc via EVP_get_digestbyname() and
EVP_get_cipherbyname() which will return the proper EVP_* objects back.
And neither of these are strictly SSL, they are all crypto related.  SSL
depends on the crypto part, but the crypto doesn't need SSL.

Adriaan, what do you think?


kind regards,

David Sommerseth



Re: [Openvpn-devel] [PATCH 02/02] Remove calls to OpenSSL when building with --disable-ssl

2012-02-28 Thread Igor Novgorodov

On 28.02.2012 14:39, David Sommerseth wrote:
> On 28/02/12 06:54, Igor Novgorodov wrote:
>> Then maybe we should move these calls to crypto_openssl.c into
>> crypto_init_lib() function to make crypto.c library-independent? And
>> why OpenSSL_add_all_algorithms() and stuff is called only when
>> USE_SSL is not defined?
>>
>> And if these calls are for 0.9.8, maybe add a check for OpenSSL
>> version?
>
> Remember that OpenSSL covers two parts.  One part is the SSL stuff, the
> other part is the crypto layer.  So even if the SSL stuff isn't used, the
> crypto stuff most likely is.  In the crypto stuff, also all the hashing
> algorithms are included.  However, using SSL without crypto doesn't make
> sense.  If it's not needed any more by OpenSSL 1.0.0, then make it
> version dependent.  Can probably be done at compile time.

Well, i'm no expert in OpenSSL programming, but looking through
internet, i haven't found an evidence that this stuff should not be
called during initialization in OpenSSL 1.0.x

So, just to make OpenVPN possible to build with --ssl-type=polarssl and
--disable-ssl, i propose the attached patch that moves calls to these
functions into crypto_openssl.c

> Removing the ERR_load_crypto_strings() call will most likely break the
> error logging too, which is used by the msg() function.  It will not make
> the crypto/SSL errors more understandable, how I understand it.
>
> May I suggest that both ERR_load_crypto_strings() and
> SSL_load_error_strings() (gotta love the consistency of function naming)
> is loaded by default, unless ENABLE_SMALL is defined?

I agree, added the check for ENABLE_SMALL in ssl_openssl.c and
crypto_openssl.c to the attached patch.

> Right now, this patch makes me really concerned and scared.  For this to
> be accepted, a lot of testing must be done - and most likely by people
> understanding the darker sides of crypto far better than I.  We can't
> risk that we're regressing on a well proved and tested encryption layer.
> There are people located in not so democratic countries who use OpenVPN
> to access a not-restricted/censored Internet - and their safety may rely
> on the security OpenVPN provides.

I agree fully. So if we just move these calls into crypto_openssl.c, no
regression would occur i think.

> kind regards,
>
> David Sommerseth


--- openvpn/crypto.c2012-02-27 23:10:53.613624010 +0400
+++ openvpn.mod/crypto.c2012-02-27 23:45:02.128929211 +0400
@@ -1378,8 +1378,6 @@
 void
 init_ssl_lib (void)
 {
-  ERR_load_crypto_strings ();
-  OpenSSL_add_all_algorithms ();
   crypto_init_lib ();
 }

@@ -1388,8 +1386,6 @@
 {
   crypto_uninit_lib ();
   prng_uninit();
-  EVP_cleanup ();
-  ERR_free_strings ();
 }

 #endif /* USE_SSL */
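
Review bot: teardown order changes in this hunk: EVP_cleanup () and ERR_free_strings () used to run after prng_uninit(), and once they move into crypto_uninit_lib () they run before it. Please confirm that prng_uninit() does not use any digest obtained from the OpenSSL lookup tables, and mention the reordering in the commit message.
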
--- openvpn/crypto_openssl.c2012-02-27 23:10:53.613624010 +0400
+++ openvpn.mod/crypto_openssl.c2012-02-28 15:10:54.924689605 +0400
@@ -249,11 +249,19 @@
 void
 crypto_init_lib (void)
 {
+#ifndef USE_SSL
+#ifndef ENABLE_SMALL
+  ERR_load_crypto_strings ();
+#endif
+  OpenSSL_add_all_algorithms ();
+#endif
+
   /*
* If you build the OpenSSL library and OpenVPN with
* CRYPTO_MDEBUG, you will get a listing of OpenSSL
* memory leaks on program termination.
*/
+
 #ifdef CRYPTO_MDEBUG
   CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
 #endif
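
Review bot: the nested guards added at the top of crypto_init_lib () need a comment saying why they exist: with USE_SSL defined nothing is registered here, so the build depends on tls_init_lib() in ssl_openssl.c calling OpenSSL_add_all_algorithms (). Labelling the closers ("#endif /* ENABLE_SMALL */", "#endif /* USE_SSL */") would also make the #ifndef nesting harder to misread. The blank line added after the CRYPTO_MDEBUG comment is an unrelated whitespace change and can be dropped.
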
@@ -262,6 +270,13 @@
 void
 crypto_uninit_lib (void)
 {
+#ifndef USE_SSL
+  EVP_cleanup ();
+#ifndef ENABLE_SMALL
+  ERR_free_strings ();
+#endif
+#endif
+
 #ifdef CRYPTO_MDEBUG
   FILE* fp = fopen ("sdlog", "w");
   ASSERT (fp);
--- openvpn/ssl_openssl.c   2012-02-27 23:10:53.623623694 +0400
+++ openvpn.mod/ssl_openssl.c   2012-02-28 15:11:44.243156781 +0400
@@ -63,7 +63,9 @@
 tls_init_lib()
 {
   SSL_library_init();
+#ifndef ENABLE_SMALL
   SSL_load_error_strings();
+#endif
   OpenSSL_add_all_algorithms ();

   mydata_index = SSL_get_ex_new_index(0, "struct session *", NULL, NULL, NULL);
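
Review bot: the new ENABLE_SMALL guard around SSL_load_error_strings() in tls_init_lib() is undocumented. A build with ENABLE_SMALL will log OpenSSL failures without the readable error text, so a short comment here, and a line wherever ENABLE_SMALL is described, should say that this is the intended size trade-off.
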
@@ -74,7 +76,9 @@
 tls_free_lib()
 {
   EVP_cleanup();
+#ifndef ENABLE_SMALL
   ERR_free_strings();
+#endif
 }

 void


Re: [Openvpn-devel] [PATCH 02/02] Remove calls to OpenSSL when building with --disable-ssl

2012-02-28 Thread David Sommerseth

On 28/02/12 06:54, Igor Novgorodov wrote:
> Then maybe we should move these calls to crypto_openssl.c into 
> crypto_init_lib() function to make crypto.c library-independent? And 
> why OpenSSL_add_all_algorithms() and stuff is called only when
> USE_SSL is not defined?
> 
> And if these calls are for 0.9.8, maybe add a check for OpenSSL 
> version?

Remember that OpenSSL covers two parts.  One part is the SSL stuff, the
other part is the crypto layer.  So even if the SSL stuff isn't used, the
crypto stuff most likely is.  In the crypto stuff, also all the hashing
algorithms are included.  However, using SSL without crypto doesn't make
sense.  If it's not needed any more by OpenSSL 1.0.0, then make it
version dependent.  Can probably be done at compile time.

Removing the ERR_load_crypto_strings() call will most likely break the
error logging too, which is used by the msg() function.  It will not make
the crypto/SSL errors more understandable, how I understand it.

May I suggest that both ERR_load_crypto_strings() and
SSL_load_error_strings() (gotta love the consistency of function naming)
is loaded by default, unless ENABLE_SMALL is defined?

Right now, this patch makes me really concerned and scared.  For this to
be accepted, a lot of testing must be done - and most likely by people
understanding the darker sides of crypto far better than I.  We can't
risk that we're regressing on a well proved and tested encryption layer.
 There are people located in not so democratic countries who use OpenVPN
to access a not-restricted/censored Internet - and their safety may rely
on the security OpenVPN provides.


kind regards,

David Sommerseth



Re: [Openvpn-devel] [PATCH 02/02] Remove calls to OpenSSL when building with --disable-ssl

2012-02-28 Thread Alon Bar-Lev
Hmmm
I really can't tell... maybe can be removed until someone reports an issue...
I just remember that there were cases it was needed and cases it wasn't.
It will not hurt to call these in any case.

On Tue, Feb 28, 2012 at 7:54 AM, Igor Novgorodov  wrote:
> Then maybe we should move these calls to crypto_openssl.c into
> crypto_init_lib() function to make crypto.c library-independent?
> And why OpenSSL_add_all_algorithms() and stuff is called only when USE_SSL
> is not defined?
>
> And if these calls are for 0.9.8, maybe add a check for OpenSSL version?
>
>
> On 28.02.2012 0:10, Alon Bar-Lev wrote:
>>
>> These are needed for 0.9.8 as far as I remember.
>> On Mon, Feb 27, 2012 at 10:06 PM, Igor Novgorodov  wrote:
>>>
>>> The attached patch removes deprecated(?) calls to OpenSSL functions from
>>> crypto.c,
>>> which are called when USE_SSL is not defined.
>>>
>>> I'm not so deep into OpenVPN, so maybe these functions are needed, but i
>>> thought that all crypto-lib
>>> dependent functions should be moved to the corresponding crypto_LIB.c
>>> files.
>>>
>>> If they are needed, we should #ifdef them, so that PolarSSL-based build
>>> won't break on it.
>>>
>>>
>>> ___
>>> Openvpn-devel mailing list
>>> Openvpn-devel@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
>>>
>



Re: [Openvpn-devel] [PATCH 02/02] Remove calls to OpenSSL when building with --disable-ssl

2012-02-28 Thread Igor Novgorodov
Then maybe we should move these calls to crypto_openssl.c into 
crypto_init_lib() function to make crypto.c library-independent?
And why OpenSSL_add_all_algorithms() and stuff is called only when 
USE_SSL is not defined?


And if these calls are for 0.9.8, maybe add a check for OpenSSL version?

On 28.02.2012 0:10, Alon Bar-Lev wrote:
> These are needed for 0.9.8 as far as I remember.
> On Mon, Feb 27, 2012 at 10:06 PM, Igor Novgorodov  wrote:
>> The attached patch removes deprecated(?) calls to OpenSSL functions from
>> crypto.c,
>> which are called when USE_SSL is not defined.
>>
>> I'm not so deep into OpenVPN, so maybe these functions are needed, but i
>> thought that all crypto-lib
>> dependent functions should be moved to the corresponding crypto_LIB.c files.
>>
>> If they are needed, we should #ifdef them, so that PolarSSL-based build
>> won't break on it.







Re: [Openvpn-devel] [PATCH 02/02] Remove calls to OpenSSL when building with --disable-ssl

2012-02-27 Thread Alon Bar-Lev
These are needed for 0.9.8 as far as I remember.

On Mon, Feb 27, 2012 at 10:06 PM, Igor Novgorodov  wrote:
> The attached patch removes deprecated(?) calls to OpenSSL functions from
> crypto.c,
> which are called when USE_SSL is not defined.
>
> I'm not so deep into OpenVPN, so maybe these functions are needed, but i
> thought that all crypto-lib
> dependent functions should be moved to the corresponding crypto_LIB.c files.
>
> If they are needed, we should #ifdef them, so that PolarSSL-based build
> won't break on it.



[Openvpn-devel] [PATCH 02/02] Remove calls to OpenSSL when building with --disable-ssl

2012-02-27 Thread Igor Novgorodov
The attached patch removes deprecated(?) calls to OpenSSL functions from
crypto.c, which are called when USE_SSL is not defined.

I'm not so deep into OpenVPN, so maybe these functions are needed, but i
thought that all crypto-lib dependent functions should be moved to the
corresponding crypto_LIB.c files.

If they are needed, we should #ifdef them, so that PolarSSL-based build
won't break on it.

--- openvpn/crypto.c2012-02-27 23:10:53.613624010 +0400
+++ openvpn.mod/crypto.c2012-02-27 23:45:02.128929211 +0400
@@ -1378,8 +1378,6 @@
 void
 init_ssl_lib (void)
 {
-  ERR_load_crypto_strings ();
-  OpenSSL_add_all_algorithms ();
   crypto_init_lib ();
 }

@@ -1388,8 +1386,6 @@
 {
   crypto_uninit_lib ();
   prng_uninit();
-  EVP_cleanup ();
-  ERR_free_strings ();
 }

 #endif /* USE_SSL */
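
Review bot: the EVP_cleanup () and ERR_free_strings () calls removed in this hunk, like the ERR_load_crypto_strings () and OpenSSL_add_all_algorithms () pair removed from init_ssl_lib () in the hunk above, are not re-added anywhere: the patch only touches crypto.c. An OpenSSL build that takes this code path would then never register its algorithm tables or error strings. Move the calls into crypto_init_lib () and crypto_uninit_lib () in the OpenSSL-specific file instead of dropping them.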