Message ID | 1519231562-5641-1-git-send-email-selva.nair@gmail.com |
---|---|
State | Accepted |
Series | [Openvpn-devel] Disable external ec key support when building with libressl |
On 21.02.18 at 17:46, selva.nair@gmail.com wrote:
> From: Selva Nair <selva.nair@gmail.com>
>
> - This codepath uses some openssl-1.1 specific API and is enabled only
>   for openssl 1.1 and higher versions. But, due to incompatible
>   version numbering in libressl, it gets wrongly enabled with libressl
>   versions that do not support the required API. As an easy workaround
>   disable the feature when LIBRESSL_VERSION_NUMBER is defined.
>

I will reluctantly ACK this because LibreSSL will not fix their stuff.

Acked-By: Arne Schwabe

I have not tested this to compile but the code looks good.

Arne
Acked-by: Gert Doering <gert@greenie.muc.de>

Tested on the OpenBSD 6.0 buildslave that was failing previously, and things are happy now (did not test "FreeBSD + LibreSSL", that's a different issue which we might want to fix, but since it's not the default SSL library there, it's not as annoying as OpenBSD breakage. FTR, OpenBSD 6.0 has LibreSSL 2.4.2, so that could explain the difference...).

Your patch has been applied to the master branch.

commit 028b501734b4a57dc53edb8b11a4b370f5b99e38
Author: Selva Nair
Date:   Wed Feb 21 11:46:02 2018 -0500

    Disable external ec key support when building with libressl

    Signed-off-by: Selva Nair <selva.nair@gmail.com>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <1519231562-5641-1-git-send-email-selva.nair@gmail.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16510.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

--
kind regards,

Gert Doering
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 56b12b7..d91458b 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -1159,7 +1159,7 @@ err: return 0; } -#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) +#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) && !defined(LIBRESSL_VERSION_NUMBER) /* called when EC_KEY is destroyed */ static void @@ -1307,7 +1307,7 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, goto err; } } -#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) +#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) && !defined(LIBRESSL_VERSION_NUMBER) else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) { if (!tls_ctx_use_external_ec_key(ctx, pkey))
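Review bot: In the first hunk (@@ -1159), the `#if` ahead of the "called when EC_KEY is destroyed" callback gains `!defined(LIBRESSL_VERSION_NUMBER)` with no comment saying why LibreSSL is excluded. A one-line comment at the guard, stating that LibreSSL's version number passes the `0x10100000L` comparison without providing the openssl-1.1 API used below, would stop a later reader from dropping the term as redundant. The same three-term condition is repeated verbatim in the second hunk; defining it once as a single feature macro in ssl_openssl.c and testing that macro in both places would keep the two guards from drifting apart.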
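Review bot: In the second hunk (@@ -1307), the `else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC)` branch of tls_ctx_use_external_private_key() is now compiled out on LibreSSL, so an EC key falls through to code after the guarded block that this hunk does not show. Please confirm that path fails with an error that names external EC keys as unsupported in this build, rather than a generic failure. The exclusion also covers every LibreSSL version: if a later release provides the required API, `!defined(LIBRESSL_VERSION_NUMBER)` will still disable the feature, so a comparison against a specific LIBRESSL_VERSION_NUMBER or a configure-time check for the needed functions would age better.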