Hello, please find the new version of the patch. So, I added back the comment I had removed, and new versions of OpenSSL will use SSL_CTX_get0_privatekey() instead of SSL_new() + SSL_get_privatekey() + SSL_free().
It successfully compiles with LibreSSL 2.4.5, 2.5.1 and OpenSSL 1.0.2k. I've also pushed it to GitHub and Travis-CI is currently running: https://github.com/OpenVPN/openvpn/pull/82 Best Regards, Olivier --- diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 8266595..abf69c9 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -508,10 +508,18 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name const EC_GROUP *ecgrp = NULL; EVP_PKEY *pkey = NULL; +#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) + pkey = SSL_CTX_get0_privatekey(ctx->ctx); +#else /* Little hack to get private key ref from SSL_CTX, yay OpenSSL... */ - SSL ssl; - ssl.cert = ctx->ctx->cert; - pkey = SSL_get_privatekey(&ssl); + SSL *ssl = SSL_new(ctx->ctx); + if (!ssl) + { + crypto_msg(M_FATAL, "SSL_new failed"); + } + pkey = SSL_get_privatekey(ssl); + SSL_free(ssl); +#endif msg(D_TLS_DEBUG, "Extracting ECDH curve from private key"); 2017-02-08 23:39 GMT+01:00 Steffan Karger <stef...@karger.me>: > Hi, > > On 06-02-17 20:18, Olivier W wrote: >> Should be compatible with all versions of OpenSSL and LibreSSL. >> Similar to what is done in curl: >> https://github.com/curl/curl/blob/028391df5d84d9fae3433afdee9261d565900355/lib/vtls/openssl.c#L603-L619 >> >> Error while compiling was: >> "ssl_openssl.c:512:30: error: no member named 'cert' in 'struct ssl_ctx_st' >> ssl.cert = ctx->ctx->cert; >> ~ ^ >> 1 error generated. >> *** Error code 1" >> --- >> diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c >> index 8266595..a889332 100644 >> --- a/src/openvpn/ssl_openssl.c >> +++ b/src/openvpn/ssl_openssl.c 
>> @@ -508,10 +508,13 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx >> *ctx, const char *curve_name >> const EC_GROUP *ecgrp = NULL; >> EVP_PKEY *pkey = NULL; >> >> - /* Little hack to get private key ref from SSL_CTX, yay OpenSSL... >> */ >> - SSL ssl; >> - ssl.cert = ctx->ctx->cert; >> - pkey = SSL_get_privatekey(&ssl); >> + SSL *ssl = SSL_new(ctx->ctx); >> + if (!ssl) >> + { >> + crypto_msg(M_FATAL, "SSL_new failed"); >> + } >> + pkey = SSL_get_privatekey(ssl); >> + SSL_free(ssl); > > The code change looks good, and passes my (manual) tests. I'd like to > keep the comment though, because this still is a hack/workaround to get > the private key from the SSL_CTX object, it just does so a little nicer > at the cost of a number of malloc/free calls. > > It might be even worth noting that the workaround is only needed for > OpenSSL <= 1.0.1, because later versions do have a function to get the > private key from a struct SSL_CTX directly. By noting that explicitly, > we help ourselves remember to get rid of the hack as soon as we drop > support for these OpenSSL versions. > > -Steffan > > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, SlashDot.org! http://sdm.link/slashdot > _______________________________________________ > Openvpn-devel mailing list > Openvpn-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/openvpn-devel
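Review bot: in the new version of the patch (the hunk guarded by `#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)`), the restored comment `/* Little hack to get private key ref from SSL_CTX, yay OpenSSL... */` still does not record what Steffan asked for: that the `#else` branch exists only because OpenSSL before 1.0.2 has no `SSL_CTX_get0_privatekey()`, nor why LibreSSL is excluded from the first branch (LibreSSL reports a 2.x `OPENSSL_VERSION_NUMBER`, and the LibreSSL 2.4.5/2.5.1 builds mentioned above are presumably what showed the function to be missing there). A reader of the `#else` block alone sees a "hack" with no removal criterion. Suggest expanding the comment to something like `/* OpenSSL < 1.0.2 and LibreSSL have no SSL_CTX_get0_privatekey(); use a throwaway SSL to reach the key. Remove once those versions are no longer supported. */` so the workaround can be retired on purpose rather than by accident.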
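Review bot: in the quoted earlier hunk (`SSL *ssl = SSL_new(ctx->ctx); ... pkey = SSL_get_privatekey(ssl); SSL_free(ssl);`), `pkey` is a borrowed pointer that is used after the `SSL` object it was obtained from has been freed, which reads like a use-after-free on first inspection. It is not one: `SSL_new()` takes an additional reference on the `EVP_PKEY` already held by the `SSL_CTX`, and `SSL_free()` drops only that additional reference, so the context's own reference keeps `pkey` alive for as long as `ctx->ctx` lives. That reasoning belongs in a comment next to `SSL_free(ssl);` (it carries over unchanged into the `#else` branch of the new version), together with the implied rule that nothing may free or replace the `SSL_CTX` while `pkey` is still in use.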