Re: [Openvpn-devel] [PATCH 02/02] Remove calls to OpenSSL when building with --disable-ssl
On 28/02/12 12:16, Igor Novgorodov wrote:
>> On 28/02/12 06:54, Igor Novgorodov wrote:
>>> Then maybe we should move these calls to crypto_openssl.c into
>>> crypto_init_lib() function to make crypto.c
>>> library-independent? And why OpenSSL_add_all_algorithms() and
>>> stuff is called only when USE_SSL is not defined?
>>>
>>> And if these calls are for 0.9.8, maybe add a check for
>>> OpenSSL version?
>> Remember that OpenSSL covers two parts. One part is the SSL
>> stuff, the other part is the crypto layer. So even if the SSL
>> stuff isn't used, the crypto stuff most likely is. In the crypto
>> stuff, also all the hashing algorithms are included. However,
>> using SSL without crypto doesn't make sense. If it's not needed
>> any more by OpenSSL 1.0.0, then make it version dependent. Can
>> probably be done at compile time.
> Well, i'm no expert in OpenSSL programming, but looking through
> internet, i haven't found an evidence that this stuff should not be
> called during initialization in OpenSSL 1.0.x
>
> So, just to make OpenVPN possible to build with --ssl-type=polarssl
> and --disable-ssl, i propose the attached patch that moves calls to
> these functions into crypto_openssl.c
>
>> Removing the ERR_load_crypto_strings() call will most likely
>> break the error logging too, which is used by the msg() function.
>> It will not make the crypto/SSL errors more understandable, how I
>> understand it.
>>
>> May I suggest that both ERR_load_crypto_strings() and
>> SSL_load_error_strings() (gotta love the consistency of function
>> naming) is loaded by default, unless ENABLE_SMALL is defined?
> I agree, added the check for ENABLE_SMALL in ssl_openssl.c and
> crypto_openssl.c to the attached patch.
>
>> Right now, this patch makes me really concerned and scared. For
>> this to be accepted, a lot of testing must be done - and most
>> likely by people understanding the darker sides of crypto far
>> better than I. We can't risk that we're regressing on a well
>> proved and tested encryption layer. There are people located in
>> not so democratic countries who use OpenVPN to access a
>> not-restricted/censored Internet - and their safety may rely on
>> the security OpenVPN provides.
>
> I agree fully. So if we just move these calls into
> crypto_openssl.c, no regression would occur i think.

Your patch has now been applied to the master branches on the -stable and -testing git trees.

commit 39b54baa36e8625fd29d0a1ed6482f83fa78d322
Author: Igor Novgorodov
Date: Tue Feb 28 15:16:01 2012 +0400

    Remove calls to OpenSSL when building with --disable-ssl

    Move OpenSSL calls out from the generic crypto layer and into the OpenSSL specific layer. Also don't load all algorithms if SSL isn't enabled. Error strings will also not be loaded into memory if ENABLE_SMALL is configured.

    Signed-off-by: Igor Novgorodov
    Acked-by: Adriaan de Jong
    Acked-by: David Sommerseth
    Signed-off-by: David Sommerseth

Thank you very much for your contribution!

kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH 02/02] Remove calls to OpenSSL when building with --disable-ssl
On 02/28/2012 12:48 PM, David Sommerseth wrote:
> On 28/02/12 12:40, Igor Novgorodov wrote:
>> On 28.02.2012 15:34, David Sommerseth wrote:
>> And when building with SSL support, it won't be called here, but
>> in ssl_openssl.c in tls_init_lib() instead.
>
> Indeed. This looks good. So unless Adriaan sees some other
> concerns.
>
> Again, sorry about the noise!
>

Ack! Thanks, that looks good.

Adriaan
Re: [Openvpn-devel] [PATCH 02/02] Remove calls to OpenSSL when building with --disable-ssl
On 28/02/12 12:40, Igor Novgorodov wrote:
> On 28.02.2012 15:34, David Sommerseth wrote:
>> On 28/02/12 12:16, Igor Novgorodov wrote:
>>> On 28.02.2012 14:39, David Sommerseth wrote:
>>>> On 28/02/12 06:54, Igor Novgorodov wrote:
>>>> [...snip...]
>>>> Right now, this patch makes me really concerned and scared. For
>>>> this to be accepted, a lot of testing must be done - and most
>>>> likely by people understanding the darker sides of crypto far
>>>> better than I. We can't risk that we're regressing on a well
>>>> proved and tested encryption layer. There are people located in
>>>> not so democratic countries who use OpenVPN to access a
>>>> not-restricted/censored Internet - and their safety may rely on
>>>> the security OpenVPN provides.
>>> I agree fully. So if we just move these calls into
>>> crypto_openssl.c, no regression would occur i think.
>> Agreed, I think it makes sense to move all native OpenSSL calls
>> into *_openssl.[ch] files.
>>
>> I'm still not convinced about this part though.
>>
>> +#ifndef USE_SSL +#ifndef ENABLE_SMALL + ERR_load_crypto_strings
>> (); +#endif + OpenSSL_add_all_algorithms (); +#endif
>>
>> OpenSSL_add_algorithms() is also needed for *non-SSL* stuff. It
>> populates the internal OpenSSL lookup tables, so you can lookup
>> strings like "MD5", "SHA512", "AES256", etc, etc via
>> EVP_get_digestbyname() and EVP_get_cipherbyname() which will return
>> the proper EVP_* objects back. And neither of these are strictly
>> SSL, they are all crypto related. SSL depends on the crypto part,
>> but the crypto doesn't need SSL.
> Well, it's the #ifNdef directive used, so when building *without* SSL
> support, the OpenSSL_add_all_algorithms() will be called here, in
> crypto_openssl.c

Duh! Sorry!!! I didn't see the 'n' in the #ifndef. Thanks for highlighting that. It all makes sense now.

> And when building with SSL support, it won't be called here, but in
> ssl_openssl.c in tls_init_lib() instead.

Indeed. This looks good. So unless Adriaan sees some other concerns.

Again, sorry about the noise!

kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH 02/02] Remove calls to OpenSSL when building with --disable-ssl
On 28.02.2012 15:34, David Sommerseth wrote:

On 28/02/12 12:16, Igor Novgorodov wrote:

On 28.02.2012 14:39, David Sommerseth wrote:

On 28/02/12 06:54, Igor Novgorodov wrote:

Then maybe we should move these calls to crypto_openssl.c into crypto_init_lib() function to make crypto.c library-independent? And why OpenSSL_add_all_algorithms() and stuff is called only when USE_SSL is not defined?

And if these calls are for 0.9.8, maybe add a check for OpenSSL version?

Remember that OpenSSL covers two parts. One part is the SSL stuff, the other part is the crypto layer. So even if the SSL stuff isn't used, the crypto stuff most likely is. In the crypto stuff, also all the hashing algorithms are included. However, using SSL without crypto doesn't make sense. If it's not needed any more by OpenSSL 1.0.0, then make it version dependent. Can probably be done at compile time.

Well, i'm no expert in OpenSSL programming, but looking through internet, i haven't found an evidence that this stuff should not be called during initialization in OpenSSL 1.0.x

So, just to make OpenVPN possible to build with --ssl-type=polarssl and --disable-ssl, i propose the attached patch that moves calls to these functions into crypto_openssl.c

Removing the ERR_load_crypto_strings() call will most likely break the error logging too, which is used by the msg() function. It will not make the crypto/SSL errors more understandable, how I understand it.

May I suggest that both ERR_load_crypto_strings() and SSL_load_error_strings() (gotta love the consistency of function naming) is loaded by default, unless ENABLE_SMALL is defined?

I agree, added the check for ENABLE_SMALL in ssl_openssl.c and crypto_openssl.c to the attached patch.

Right now, this patch makes me really concerned and scared. For this to be accepted, a lot of testing must be done - and most likely by people understanding the darker sides of crypto far better than I. We can't risk that we're regressing on a well proved and tested encryption layer. There are people located in not so democratic countries who use OpenVPN to access a not-restricted/censored Internet - and their safety may rely on the security OpenVPN provides.

I agree fully. So if we just move these calls into crypto_openssl.c, no regression would occur i think.

Agreed, I think it makes sense to move all native OpenSSL calls into *_openssl.[ch] files.

I'm still not convinced about this part though.

+#ifndef USE_SSL +#ifndef ENABLE_SMALL + ERR_load_crypto_strings (); +#endif + OpenSSL_add_all_algorithms (); +#endif

OpenSSL_add_algorithms() is also needed for *non-SSL* stuff. It populates the internal OpenSSL lookup tables, so you can lookup strings like "MD5", "SHA512", "AES256", etc, etc via EVP_get_digestbyname() and EVP_get_cipherbyname() which will return the proper EVP_* objects back. And neither of these are strictly SSL, they are all crypto related. SSL depends on the crypto part, but the crypto doesn't need SSL.

Well, it's the #ifNdef directive used, so when building *without* SSL support, the OpenSSL_add_all_algorithms() will be called here, in crypto_openssl.c

And when building with SSL support, it won't be called here, but in ssl_openssl.c in tls_init_lib() instead.

Looks fine to me.

Adriaan, what do you think?

kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH 02/02] Remove calls to OpenSSL when building with --disable-ssl
On 28/02/12 12:16, Igor Novgorodov wrote:
> On 28.02.2012 14:39, David Sommerseth wrote:
>> On 28/02/12 06:54, Igor Novgorodov wrote:
>>> Then maybe we should move these calls to crypto_openssl.c into
>>> crypto_init_lib() function to make crypto.c library-independent?
>>> And why OpenSSL_add_all_algorithms() and stuff is called only
>>> when USE_SSL is not defined?
>>>
>>> And if these calls are for 0.9.8, maybe add a check for OpenSSL
>>> version?
>> Remember that OpenSSL covers two parts. One part is the SSL stuff,
>> the other part is the crypto layer. So even if the SSL stuff isn't
>> used, the crypto stuff most likely is. In the crypto stuff, also
>> all the hashing algorithms are included. However, using SSL without
>> crypto doesn't make sense. If it's not needed any more by OpenSSL
>> 1.0.0, then make it version dependent. Can probably be done at
>> compile time.
> Well, i'm no expert in OpenSSL programming, but looking through
> internet, i haven't found an evidence that this stuff should not be
> called during initialization in OpenSSL 1.0.x
>
> So, just to make OpenVPN possible to build with --ssl-type=polarssl
> and --disable-ssl, i propose the attached patch that moves calls to
> these functions into crypto_openssl.c
>
>> Removing the ERR_load_crypto_strings() call will most likely break
>> the error logging too, which is used by the msg() function. It will
>> not make the crypto/SSL errors more understandable, how I understand
>> it.
>>
>> May I suggest that both ERR_load_crypto_strings() and
>> SSL_load_error_strings() (gotta love the consistency of function
>> naming) is loaded by default, unless ENABLE_SMALL is defined?
> I agree, added the check for ENABLE_SMALL in ssl_openssl.c and
> crypto_openssl.c to the attached patch.
>
>> Right now, this patch makes me really concerned and scared. For
>> this to be accepted, a lot of testing must be done - and most likely
>> by people understanding the darker sides of crypto far better than
>> I. We can't risk that we're regressing on a well proved and tested
>> encryption layer. There are people located in not so democratic
>> countries who use OpenVPN to access a not-restricted/censored
>> Internet - and their safety may rely on the security OpenVPN
>> provides.
>
> I agree fully. So if we just move these calls into crypto_openssl.c,
> no regression would occur i think.

Agreed, I think it makes sense to move all native OpenSSL calls into *_openssl.[ch] files.

I'm still not convinced about this part though.

+#ifndef USE_SSL +#ifndef ENABLE_SMALL + ERR_load_crypto_strings (); +#endif + OpenSSL_add_all_algorithms (); +#endif

OpenSSL_add_algorithms() is also needed for *non-SSL* stuff. It populates the internal OpenSSL lookup tables, so you can lookup strings like "MD5", "SHA512", "AES256", etc, etc via EVP_get_digestbyname() and EVP_get_cipherbyname() which will return the proper EVP_* objects back. And neither of these are strictly SSL, they are all crypto related. SSL depends on the crypto part, but the crypto doesn't need SSL.

Adriaan, what do you think?

kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH 02/02] Remove calls to OpenSSL when building with --disable-ssl
On 28.02.2012 14:39, David Sommerseth wrote:

On 28/02/12 06:54, Igor Novgorodov wrote:

Then maybe we should move these calls to crypto_openssl.c into crypto_init_lib() function to make crypto.c library-independent? And why OpenSSL_add_all_algorithms() and stuff is called only when USE_SSL is not defined?

And if these calls are for 0.9.8, maybe add a check for OpenSSL version?

Remember that OpenSSL covers two parts. One part is the SSL stuff, the other part is the crypto layer. So even if the SSL stuff isn't used, the crypto stuff most likely is. In the crypto stuff, also all the hashing algorithms are included. However, using SSL without crypto doesn't make sense. If it's not needed any more by OpenSSL 1.0.0, then make it version dependent. Can probably be done at compile time.

Well, i'm no expert in OpenSSL programming, but looking through internet, i haven't found an evidence that this stuff should not be called during initialization in OpenSSL 1.0.x

So, just to make OpenVPN possible to build with --ssl-type=polarssl and --disable-ssl, i propose the attached patch that moves calls to these functions into crypto_openssl.c

Removing the ERR_load_crypto_strings() call will most likely break the error logging too, which is used by the msg() function. It will not make the crypto/SSL errors more understandable, how I understand it.

May I suggest that both ERR_load_crypto_strings() and SSL_load_error_strings() (gotta love the consistency of function naming) is loaded by default, unless ENABLE_SMALL is defined?

I agree, added the check for ENABLE_SMALL in ssl_openssl.c and crypto_openssl.c to the attached patch.

Right now, this patch makes me really concerned and scared. For this to be accepted, a lot of testing must be done - and most likely by people understanding the darker sides of crypto far better than I. We can't risk that we're regressing on a well proved and tested encryption layer. There are people located in not so democratic countries who use OpenVPN to access a not-restricted/censored Internet - and their safety may rely on the security OpenVPN provides.

I agree fully. So if we just move these calls into crypto_openssl.c, no regression would occur i think.

kind regards,

David Sommerseth

--- openvpn/crypto.c2012-02-27 23:10:53.613624010 +0400 +++ openvpn.mod/crypto.c2012-02-27 23:45:02.128929211 +0400 @@ -1378,8 +1378,6 @@ void init_ssl_lib (void) { - ERR_load_crypto_strings (); - OpenSSL_add_all_algorithms (); crypto_init_lib (); } @@ -1388,8 +1386,6 @@ { crypto_uninit_lib (); prng_uninit(); - EVP_cleanup (); - ERR_free_strings (); } #endif /* USE_SSL */ --- openvpn/crypto_openssl.c2012-02-27 23:10:53.613624010 +0400 +++ openvpn.mod/crypto_openssl.c2012-02-28 15:10:54.924689605 +0400 @@ -249,11 +249,19 @@ void crypto_init_lib (void) { +#ifndef USE_SSL +#ifndef ENABLE_SMALL + ERR_load_crypto_strings (); +#endif + OpenSSL_add_all_algorithms (); +#endif + /* * If you build the OpenSSL library and OpenVPN with * CRYPTO_MDEBUG, you will get a listing of OpenSSL * memory leaks on program termination. */ + #ifdef CRYPTO_MDEBUG CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); #endif @@ -262,6 +270,13 @@ void crypto_uninit_lib (void) { +#ifndef USE_SSL + EVP_cleanup (); +#ifndef ENABLE_SMALL + ERR_free_strings (); +#endif +#endif + #ifdef CRYPTO_MDEBUG FILE* fp = fopen ("sdlog", "w"); ASSERT (fp); --- openvpn/ssl_openssl.c 2012-02-27 23:10:53.623623694 +0400 +++ openvpn.mod/ssl_openssl.c 2012-02-28 15:11:44.243156781 +0400 
@@ -63,7 +63,9 @@ tls_init_lib() { SSL_library_init(); +#ifndef ENABLE_SMALL SSL_load_error_strings(); +#endif OpenSSL_add_all_algorithms (); mydata_index = SSL_get_ex_new_index(0, "struct session *", NULL, NULL, NULL); @@ -74,7 +76,9 @@ tls_free_lib() { EVP_cleanup(); +#ifndef ENABLE_SMALL ERR_free_strings(); +#endif } void
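Review bot: In the crypto_uninit_lib() hunk of crypto_openssl.c, a build with CRYPTO_MDEBUG defined and USE_SSL undefined now places the EVP_cleanup () and ERR_free_strings () statements ahead of the declaration FILE* fp = fopen ("sdlog", "w");, which is a declaration after a statement and will warn or fail on C89-strict compilers. Declare fp at the top of the function or wrap the CRYPTO_MDEBUG body in its own block. The move also changes teardown order compared with the old uninit_ssl_lib(): EVP_cleanup () used to run after prng_uninit() and now runs inside crypto_uninit_lib(), before it, so please confirm prng_uninit() does not rely on anything EVP_cleanup () releases.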
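Review bot: The #ifndef USE_SSL guard added at the top of crypto_init_lib() in crypto_openssl.c carries no comment saying that SSL builds get the same OpenSSL_add_all_algorithms () call from tls_init_lib() in ssl_openssl.c, and a negated guard like this is easy to read as #ifdef. A one-line comment above it, for example /* with USE_SSL this is done in tls_init_lib() */, would make the split explicit, and the matching guard in crypto_uninit_lib() deserves the same. The hunk also adds a blank line between the CRYPTO_MDEBUG comment and the #ifdef CRYPTO_MDEBUG it documents; that line should be dropped.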
Re: [Openvpn-devel] [PATCH 02/02] Remove calls to OpenSSL when building with --disable-ssl
On 28/02/12 06:54, Igor Novgorodov wrote:
> Then maybe we should move these calls to crypto_openssl.c into
> crypto_init_lib() function to make crypto.c library-independent? And
> why OpenSSL_add_all_algorithms() and stuff is called only when
> USE_SSL is not defined?
>
> And if these calls are for 0.9.8, maybe add a check for OpenSSL
> version?

Remember that OpenSSL covers two parts. One part is the SSL stuff, the other part is the crypto layer. So even if the SSL stuff isn't used, the crypto stuff most likely is. In the crypto stuff, also all the hashing algorithms are included. However, using SSL without crypto doesn't make sense. If it's not needed any more by OpenSSL 1.0.0, then make it version dependent. Can probably be done at compile time.

Removing the ERR_load_crypto_strings() call will most likely break the error logging too, which is used by the msg() function. It will not make the crypto/SSL errors more understandable, how I understand it.

May I suggest that both ERR_load_crypto_strings() and SSL_load_error_strings() (gotta love the consistency of function naming) is loaded by default, unless ENABLE_SMALL is defined?

Right now, this patch makes me really concerned and scared. For this to be accepted, a lot of testing must be done - and most likely by people understanding the darker sides of crypto far better than I. We can't risk that we're regressing on a well proved and tested encryption layer. There are people located in not so democratic countries who use OpenVPN to access a not-restricted/censored Internet - and their safety may rely on the security OpenVPN provides.

kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH 02/02] Remove calls to OpenSSL when building with --disable-ssl
Hmmm I really can't tell... maybe can be removed until someone reports an issue...

I just remember that there were cases it was needed and cases it wasn't.

It will not hurt to call these in any case.

On Tue, Feb 28, 2012 at 7:54 AM, Igor Novgorodov wrote:
> Then maybe we should move these calls to crypto_openssl.c into
> crypto_init_lib() function to make crypto.c library-independent?
> And why OpenSSL_add_all_algorithms() and stuff is called only when USE_SSL
> is not defined?
>
> And if these calls are for 0.9.8, maybe add a check for OpenSSL version?
>
>
> On 28.02.2012 0:10, Alon Bar-Lev wrote:
>>
>> These are needed for 0.9.8 as far as I remember.
>> On Mon, Feb 27, 2012 at 10:06 PM, Igor Novgorodov wrote:
>>>
>>> The attached patch removes deprecated(?) calls to OpenSSL functions from
>>> crypto.c,
>>> which are called when USE_SSL is not defined.
>>>
>>> I'm not so deep into OpenVPN, so maybe these functions are needed, but i
>>> thought that all crypto-lib
>>> dependent functions should be moved to the corresponding crypto_LIB.c
>>> files.
>>>
>>> If they are needed, we should #ifdef them, so that PolarSSL-based build
>>> won't break on it.
>>>
>>> ___
>>> Openvpn-devel mailing list
>>> Openvpn-devel@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
>>>
>
Re: [Openvpn-devel] [PATCH 02/02] Remove calls to OpenSSL when building with --disable-ssl
Then maybe we should move these calls to crypto_openssl.c into crypto_init_lib() function to make crypto.c library-independent? And why OpenSSL_add_all_algorithms() and stuff is called only when USE_SSL is not defined?

And if these calls are for 0.9.8, maybe add a check for OpenSSL version?

On 28.02.2012 0:10, Alon Bar-Lev wrote:

These are needed for 0.9.8 as far as I remember.

On Mon, Feb 27, 2012 at 10:06 PM, Igor Novgorodov wrote:

The attached patch removes deprecated(?) calls to OpenSSL functions from crypto.c, which are called when USE_SSL is not defined.

I'm not so deep into OpenVPN, so maybe these functions are needed, but i thought that all crypto-lib dependent functions should be moved to the corresponding crypto_LIB.c files.

If they are needed, we should #ifdef them, so that PolarSSL-based build won't break on it.
Re: [Openvpn-devel] [PATCH 02/02] Remove calls to OpenSSL when building with --disable-ssl
These are needed for 0.9.8 as far as I remember.

On Mon, Feb 27, 2012 at 10:06 PM, Igor Novgorodov wrote:
> The attached patch removes deprecated(?) calls to OpenSSL functions from
> crypto.c,
> which are called when USE_SSL is not defined.
>
> I'm not so deep into OpenVPN, so maybe these functions are needed, but i
> thought that all crypto-lib
> dependent functions should be moved to the corresponding crypto_LIB.c files.
>
> If they are needed, we should #ifdef them, so that PolarSSL-based build
> won't break on it.
>
[Openvpn-devel] [PATCH 02/02] Remove calls to OpenSSL when building with --disable-ssl
The attached patch removes deprecated(?) calls to OpenSSL functions from crypto.c, which are called when USE_SSL is not defined.

I'm not so deep into OpenVPN, so maybe these functions are needed, but i thought that all crypto-lib dependent functions should be moved to the corresponding crypto_LIB.c files.

If they are needed, we should #ifdef them, so that PolarSSL-based build won't break on it.

--- openvpn/crypto.c2012-02-27 23:10:53.613624010 +0400 +++ openvpn.mod/crypto.c2012-02-27 23:45:02.128929211 +0400 @@ -1378,8 +1378,6 @@ void init_ssl_lib (void) { - ERR_load_crypto_strings (); - OpenSSL_add_all_algorithms (); crypto_init_lib (); } @@ -1388,8 +1386,6 @@ { crypto_uninit_lib (); prng_uninit(); - EVP_cleanup (); - ERR_free_strings (); } #endif /* USE_SSL */
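Review bot: Both hunks in crypto.c delete the OpenSSL setup and teardown calls (ERR_load_crypto_strings (), OpenSSL_add_all_algorithms (), EVP_cleanup (), ERR_free_strings ()) without adding them anywhere else, so an OpenSSL build without USE_SSL would lose the algorithm registration and error strings it gets today from init_ssl_lib(). Rather than dropping them, move the calls into crypto_init_lib() and crypto_uninit_lib() in the OpenSSL-specific source file, which keeps crypto.c library-independent for the PolarSSL build while leaving the non-SSL OpenSSL path initialised as before.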