[Openvpn-devel] Fix EVP_PKEY_CTX_... compilation with LibreSSL

Message ID 20210308114405.19066-1-gert@greenie.muc.de
State Accepted

Commit Message

Gert Doering March 8, 2021, 12:44 a.m. UTC
Commit 06f6cf3ff850f29 introduced use of newer OpenSSL functions
for the TLS 1.0-1.1 PRF, to make OpenVPN work with FIPS-enabled OpenSSL.

LibreSSL masquerades as "very new OpenSSL" but does not have these
functions (or at least not on the OpenBSD system tested), so compilation
breaks.

Add a "but not if LibreSSL" check to the OpenSSL version check, as we
do in other places.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
 src/openvpn/crypto_openssl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Arne Schwabe March 8, 2021, 12:49 a.m. UTC | #1
On 08.03.21 at 12:44, Gert Doering wrote:
> Commit 06f6cf3ff850f29 introduced use of newer OpenSSL functions
> for the TLS 1.0-1.1 PRF, to make OpenVPN work with FIPS-enabled OpenSSL.
> 
> LibreSSL masquerades as "very new OpenSSL" but does not have these
> functions (or at least not on the OpenBSD system tested), so compilation
> breaks.
> 
> Add a "but not if LibreSSL" check to the OpenSSL version check, as we
> do in other places.
>

I have to say that I am not really surprised by this, but at least
currently, while we still support OpenSSL 1.0.2, it is not very intrusive.

Acked-By: Arne Schwabe <arne@rfc2549.org>

Gert Doering March 8, 2021, 12:55 a.m. UTC | #2
Patch has been applied to the master branch.

commit 4cf01c8e4381403998341aa32f79f4bf24c7ccb1
Author: Gert Doering
Date:   Mon Mar 8 12:44:05 2021 +0100

     Fix EVP_PKEY_CTX_... compilation with LibreSSL

     Signed-off-by: Gert Doering <gert@greenie.muc.de>
     Acked-by: Arne Schwabe <arne@rfc2549.org>
     Message-Id: <20210308114405.19066-1-gert@greenie.muc.de>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21628.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 7aaa6624..49698e4b 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -51,7 +51,7 @@ 
 #include <openssl/rand.h>
 #include <openssl/ssl.h>
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
 #include <openssl/kdf.h>
 #endif
 
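Review bot: the guard on `#include <openssl/kdf.h>` still decides by version number and excludes LibreSSL wholesale, while the commit message only establishes that the functions were missing "on the OpenBSD system tested". A configure-time probe for the header and the functions it declares would track what the library actually provides, so a LibreSSL release that ships them would not be kept off this path, and another library reporting a high `OPENSSL_VERSION_NUMBER` would not break the build the same way. If the version test stays, a short comment above the `#if` stating why LibreSSL is excluded would help the next reader.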
@@ -1128,7 +1128,7 @@  engine_load_key(const char *file, SSL_CTX *ctx)
 #endif /* if HAVE_OPENSSL_ENGINE */
 }
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
 bool
 ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,
              int secret_len, uint8_t *output, int output_len)