@@ -387,7 +387,19 @@
#else
for (int nid = 0; nid < 10000; ++nid)
{
+#if defined(LIBRESSL_VERSION_NUMBER)
+ /* OpenBSD/LibreSSL reimplemented EVP_get_cipherbyname and broke
+ * calling EVP_get_cipherbynid with an invalid nid in the process
+ * so that it would segfault. */
+ const EVP_CIPHER *cipher = NULL;
+ const char *name = OBJ_nid2sn(nid);
+ if (name)
+ {
+ cipher = EVP_get_cipherbyname(name);
+ }
+#else /* if defined(LIBRESSL_VERSION_NUMBER) */
const EVP_CIPHER *cipher = EVP_get_cipherbynid(nid);
+#endif
/* We cast the const away so we can keep the function prototype
* compatible with EVP_CIPHER_do_all_provided */
collect_ciphers((EVP_CIPHER *) cipher, &cipher_list);
@@ -441,7 +453,19 @@
#else
for (int nid = 0; nid < 10000; ++nid)
{
+ /* OpenBSD/LibreSSL reimplemented EVP_get_digestbyname and broke
+ * calling EVP_get_digestbynid with an invalid nid in the process
+ * so that it would segfault. */
+#ifdef LIBRESSL_VERSION_NUMBER
+ const EVP_MD *digest = NULL;
+ const char *name = OBJ_nid2sn(nid);
+ if (name)
+ {
+ digest = EVP_get_digestbyname(name);
+ }
+#else /* ifdef LIBRESSL_VERSION_NUMBER */
const EVP_MD *digest = EVP_get_digestbynid(nid);
+#endif
if (digest)
{
/* We cast the const away so we can keep the function prototype
@@ -449,7 +473,7 @@
print_digest((EVP_MD *)digest, NULL);
}
}
-#endif
+#endif /* if OPENSSL_VERSION_NUMBER >= 0x30000000L */
printf("\n");
}
Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/586?usp=email to review the following change. Change subject: Workaround issue in LibreSSL crashing when enumerating digests/ciphers ...................................................................... Workaround issue in LibreSSL crashing when enumerating digests/ciphers OpenBSD/LibreSSL reimplemented EVP_get_cipherbyname/EVP_get_digestbyname and broke calling EVP_get_cipherbynid/EVP_get_digestbyname with an invalid nid in the process so that it would segfault. Workaround but doing that NULL check in OpenVPN instead of leaving it to the library. Change-Id: Ia08a9697d0ff41721fb0acf17ccb4cfa23cb3934 Signed-off-by: Arne Schwabe <arne@rfc2549.org> --- M src/openvpn/crypto_openssl.c 1 file changed, 25 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/86/586/1