Message ID | 20210308114405.19066-1-gert@greenie.muc.de |
---|---|
State | Accepted |
Series | [Openvpn-devel] Fix EVP_PKEY_CTX_... compilation with LibreSSL |
On 08.03.21 at 12:44, Gert Doering wrote:
> Commit 06f6cf3ff850f29 introduced use of newer OpenSSL functions
> for the TLS 1.0-1.1 PRF, to make OpenVPN work with FIPS-enabled OpenSSL.
>
> LibreSSL masquerades as "very new OpenSSL" but does not have these
> functions (or at least not on the OpenBSD system tested), so compilation
> breaks.
>
> Add a "but not if LibreSSL" check to the OpenSSL version check, as we
> do in other places.
>

I have to say that I am not really surprised by this, but at least currently, while we still support OpenSSL 1.0.2, it is not very intrusive.

Acked-By: Arne Schwabe <arne@rfc2549.org>
Patch has been applied to the master branch.

commit 4cf01c8e4381403998341aa32f79f4bf24c7ccb1
Author: Gert Doering
Date: Mon Mar 8 12:44:05 2021 +0100

Fix EVP_PKEY_CTX_... compilation with LibreSSL

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210308114405.19066-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21628.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

--
kind regards,

Gert Doering
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 7aaa6624..49698e4b 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -51,7 +51,7 @@ #include <openssl/rand.h> #include <openssl/ssl.h> -#if OPENSSL_VERSION_NUMBER >= 0x10100000L +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) #include <openssl/kdf.h> #endif @@ -1128,7 +1128,7 @@ engine_load_key(const char *file, SSL_CTX *ctx) #endif /* if HAVE_OPENSSL_ENGINE */ } -#if OPENSSL_VERSION_NUMBER >= 0x10100000L +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, uint8_t *output, int output_len)
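Review bot: the guard around `#include <openssl/kdf.h>` in the first hunk (@@ -51,7 +51,7 @@) excludes every LibreSSL release by testing only `!defined(LIBRESSL_VERSION_NUMBER)`, while the commit message says the functions were missing "at least" on the one OpenBSD system tested. A short comment next to the condition saying why LibreSSL is excluded, or a configure-time check for the EVP_PKEY_CTX_... functions in place of the version test, would keep a LibreSSL release that does provide them from being excluded without anyone noticing.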
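Review bot: the condition guarding `ssl_tls1_PRF` in the second hunk (@@ -1128,7 +1128,7 @@) is a second hand-written copy of `(OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)` from the include guard in the first hunk, and the two have to stay identical so that this function is only built when kdf.h was included. Defining one feature macro next to the includes and testing it in both places would stop the two conditions from drifting apart on the next change.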
Commit 06f6cf3ff850f29 introduced use of newer OpenSSL functions for the TLS 1.0-1.1 PRF, to make OpenVPN work with FIPS-enabled OpenSSL.

LibreSSL masquerades as "very new OpenSSL" but does not have these functions (or at least not on the OpenBSD system tested), so compilation breaks.

Add a "but not if LibreSSL" check to the OpenSSL version check, as we do in other places.

Signed-off-by: Gert Doering <gert@greenie.muc.de>

---
 src/openvpn/crypto_openssl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)