[Openvpn-devel] Disable external ec key support when building with libressl

Message ID 1519231562-5641-1-git-send-email-selva.nair@gmail.com
State Accepted
Series
  • [Openvpn-devel] Disable external ec key support when building with libressl

Commit Message

Selva Nair Feb. 21, 2018, 4:46 p.m.
From: Selva Nair <selva.nair@gmail.com>

- This codepath uses some openssl-1.1 specific API and is enabled only
  for openssl 1.1 and higher versions. But, due to incompatible
  version numbering in libressl, it gets wrongly enabled with libressl
  versions that do not support the required API. As an easy workaround
  disable the feature when LIBRESSL_VERSION_NUMBER is defined.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
---
Caution: Only partially compile tested on freebsd 11 + libressl 2.6.4
due to other conflicts with that version of libressl.

 src/openvpn/ssl_openssl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Arne Schwabe Feb. 21, 2018, 5 p.m. | #1
On 21.02.18 at 17:46, selva.nair@gmail.com wrote:
> From: Selva Nair <selva.nair@gmail.com>
> 
> - This codepath uses some openssl-1.1 specific API and is enabled only
>   for openssl 1.1 and higher versions. But, due to incompatible
>   version numbering in libressl, it gets wrongly enabled with libressl
>   versions that do not support the required API. As an easy workaround
>   disable the feature when LIBRESSL_VERSION_NUMBER is defined.
>

I will reluctantly ACK this because LibreSSL will not fix their stuff.

Acked-By: Arne Schwabe

I have not tested this to compile but the code looks good.

Arne

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Gert Doering Feb. 21, 2018, 6:04 p.m. | #2
Acked-by: Gert Doering <gert@greenie.muc.de>

Tested on the OpenBSD 6.0 buildslave that was failing previously, and
things are happy now (did not test "FreeBSD + LibreSSL", that's a 
different issue which we might want to fix, but since it's not the
default SSL library there, it's not as annoying as OpenBSD breakage.
FTR, OpenBSD 6.0 has LibreSSL 2.4.2, so that could explain the 
difference...).

Your patch has been applied to the master branch.

commit 028b501734b4a57dc53edb8b11a4b370f5b99e38
Author: Selva Nair
Date:   Wed Feb 21 11:46:02 2018 -0500

     Disable external ec key support when building with libressl

     Signed-off-by: Selva Nair <selva.nair@gmail.com>
     Acked-by: Arne Schwabe <arne@rfc2549.org>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <1519231562-5641-1-git-send-email-selva.nair@gmail.com>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16510.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering



Patch

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 56b12b7..d91458b 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -1159,7 +1159,7 @@  err:
     return 0;
 }
 
-#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC)
+#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) && !defined(LIBRESSL_VERSION_NUMBER)
 
 /* called when EC_KEY is destroyed */
 static void
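Review bot: the three-term condition on the new `#if` line is repeated verbatim at the second guard in this file (the `else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC)` branch), so the two can silently drift apart the next time either is edited; consider evaluating the test once near the top of ssl_openssl.c, e.g. `#define HAVE_EXTERNAL_EC_KEY 1` (name suggested here, not from the patch) under the same condition, and guarding both places with `#if HAVE_EXTERNAL_EC_KEY`. A one-line comment on the guard saying why LibreSSL is excluded would also help, since the commit message is currently the only record that LibreSSL passes the `OPENSSL_VERSION_NUMBER > 0x10100000L` check without providing the OpenSSL 1.1 API this block relies on, and a future cleanup could otherwise drop the extra term as redundant.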
@@ -1307,7 +1307,7 @@  tls_ctx_use_external_private_key(struct tls_root_ctx *ctx,
             goto err;
         }
     }
-#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC)
+#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) && !defined(LIBRESSL_VERSION_NUMBER)
     else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC)
     {
         if (!tls_ctx_use_external_ec_key(ctx, pkey))
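Review bot: with the `else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC)` branch now compiled out under LibreSSL, an EC key handed to tls_ctx_use_external_private_key() falls through to whatever follows this branch, which the hunk does not show; please confirm that the remaining path fails with a clear error (external EC keys unsupported with this SSL library) rather than returning as if the key had been installed, so that a misconfiguration is reported at startup instead of surfacing as a handshake failure. If there is no such fallback today, an `#else` that logs the unsupported key type and does `goto err;` (the label already used in this function) would be the minimal fix.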