2017-02-07 9:14 GMT+05:00 Antonio Quartulli <a...@unstable.cc>:
> On Mon, Feb 06, 2017 at 08:18:01PM +0100, Olivier W wrote:
> > Should be compatible with all versions of OpenSSL and LibreSSL.
> > Similar to what is done in curl:
> > https://github.com/curl/curl/blob/028391df5d84d9fae3433afdee9261d565900355/lib/vtls/openssl.c#L603-L619
> >
> > Error while compiling was:
> > "ssl_openssl.c:512:30: error: no member named 'cert' in 'struct ssl_ctx_st'
> > ssl.cert = ctx->ctx->cert;
> > ~ ^
> > 1 error generated.
> > *** Error code 1"
> > ---
> > diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
> > index 8266595..a889332 100644
> > --- a/src/openvpn/ssl_openssl.c
> > +++ b/src/openvpn/ssl_openssl.c
> > @@ -508,10 +508,13 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx
> > *ctx, const char *curve_name
> > const EC_GROUP *ecgrp = NULL;
> > EVP_PKEY *pkey = NULL;
> >
> > - /* Little hack to get private key ref from SSL_CTX, yay
> OpenSSL... */
> > - SSL ssl;
> > - ssl.cert = ctx->ctx->cert;
> > - pkey = SSL_get_privatekey(&ssl);
> > + SSL *ssl = SSL_new(ctx->ctx);
> > + if (!ssl)
> > + {
> > + crypto_msg(M_FATAL, "SSL_new failed");
> > + }
> > + pkey = SSL_get_privatekey(ssl);
> > + SSL_free(ssl);
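Review bot: pkey is kept after SSL_free(ssl), the line right after it is read with SSL_get_privatekey(ssl), so its validity depends on the key still being referenced by ctx->ctx rather than only by the temporary SSL object; SSL_get_privatekey() does not give the caller its own reference. Either move SSL_free(ssl) below the last use of pkey in this function or add a comment stating that assumption. The removed "Little hack" comment has no replacement, so a one-line comment saying why a temporary SSL is created from ctx->ctx would help the next reader. The !ssl branch protects the SSL_get_privatekey(ssl) call only if crypto_msg(M_FATAL, ...) never returns, which is worth confirming before relying on it.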
>
> I have a question (sorry if I couldn't check myself): did you check that
> SSL_get_privatekey() and SSL_free() won't crash when ssl is NULL?
>
What if we involve the clang static analyzer for such things? Can we count on
it?
It is capable of detecting "Argument with 'nonnull' attribute passed null"
and, as I can see, after applying the patch it didn't find new issues:
http://chipitsine.github.io/without-patch/
http://chipitsine.github.io/with-patch/
Also, it might even be automated: run the clang static analyzer before and
after applying the patch and compare the result.
>
> Cheers,
>
>
> --
> Antonio Quartulli
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
>
>