[Openvpn-devel,for,2.5] Require EC key support in Windows builds

Message ID 20211019165053.26345-1-selva.nair@gmail.com
State Accepted

Commit Message

Selva Nair Oct. 19, 2021, 5:50 a.m. UTC
From: Selva Nair <selva.nair@gmail.com>

Do not support the use of OPENSSL_NO_EC on Windows.

We build Windows releases with EC key support enabled in
OpenSSL and there is no reason to disable it in OpenVPN.

ECDSA signature for cryptoapicert is handled only with OpenSSL
1.1.0 or later. That restriction is retained.

Same as commit ec9f698 in 2.6, except for context changes.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
---
 src/openvpn/crypto_openssl.c | 4 ++++
 src/openvpn/cryptoapi.c      | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)

Comments

Gert Doering Nov. 1, 2021, 8:52 a.m. UTC | #1
Acked-by: Gert Doering <gert@greenie.muc.de>

No idea what took me so long - the patch file was saved to the right
place for "next: ack, merge, push" but then something got in the way.

But now :-) - thanks.

Your patch has been applied to the release/2.5 branch.

commit 6bb4edf4f778128672f405c0e33c3c785afcc479
Author: Selva Nair
Date:   Tue Oct 19 12:50:53 2021 -0400

     Require EC key support in Windows builds

     Signed-off-by: Selva Nair <selva.nair@gmail.com>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20211019165053.26345-1-selva.nair@gmail.com>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22968.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 79fbab40..c9dc9d0a 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -51,6 +51,10 @@ 
 #include <openssl/rand.h>
 #include <openssl/ssl.h>
 
+#if defined(_WIN32) && defined(OPENSSL_NO_EC)
+#error Windows build with OPENSSL_NO_EC: disabling EC key is not supported.
+#endif
+
 /*
  * Check for key size creepage.
  */
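
Review bot: The `#error` guard added after the OpenSSL includes covers only crypto_openssl.c, while the same patch makes cryptoapi.c use EC types without testing OPENSSL_NO_EC. A build against a no-EC OpenSSL can therefore fail in cryptoapi.c on missing EC declarations rather than with this message, depending on which file is compiled first. Consider putting the check in a header both files include, or repeating it in cryptoapi.c.
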
diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c
index 6c4df9e3..4becef4d 100644
--- a/src/openvpn/cryptoapi.c
+++ b/src/openvpn/cryptoapi.c
@@ -537,7 +537,7 @@  finish(RSA *rsa)
     return 1;
 }
 
-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(OPENSSL_NO_EC)
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
 
 static EC_KEY_METHOD *ec_method = NULL;
 
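
Review bot: The condition at `#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)` no longer mentions EC, so the reason the `ec_method` block is gated is now implicit. A one-line comment saying that 0x10100000L is OpenSSL 1.1.0 and that ECDSA signing for cryptoapicert is only handled from that version on would document it in the code, not just in the commit message. The outer parentheses are also redundant now that the `&&` is gone.
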
@@ -1232,7 +1232,7 @@  SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop)
             goto err;
         }
     }
-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(OPENSSL_NO_EC)
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
     else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC)
     {
         if (!ssl_ctx_set_eckey(ssl_ctx, cd, pkey))
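
Review bot: The `#if` in front of the `else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC)` branch repeats the version test from the `ec_method` block by hand, and this patch had to edit both copies identically. Defining one local feature macro next to the first test and using it at both sites would keep them from drifting apart. It is also worth confirming that, when this branch is compiled out on older OpenSSL, an EC key reaches a clear error rather than a path meant for other key types; the lines after this hunk are not shown here.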