Hi,

On 14-01-18 17:31, Selva Nair wrote:
> On Sun, Jan 14, 2018 at 6:28 AM, Steffan Karger <[email protected]> wrote:
>> On 08-01-18 03:21, [email protected] wrote:
>>> From: Selva Nair <[email protected]>
>>>
>>> - Replace direct access to internals of openssl structs
>>> by corresponding methods.
>>>
>>> Signed-off-by: Selva Nair <[email protected]>
>>> ---
>>> Tested on Windows 10 with openssl 1.0.1r and 1.1.0g
>>>
>>> configure.ac | 1 +
>>> src/openvpn/cryptoapi.c | 69
>>> +++++++++++++++++++++++++++-----------------
>>> src/openvpn/openssl_compat.h | 14 +++++++++
>>> 3 files changed, 57 insertions(+), 27 deletions(-)
>>>
>>>
> ..
>
>>> - rsa->n = BN_dup(pub_rsa->n);
>>> - rsa->flags |= RSA_FLAG_EXT_PKEY;
>>> + if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA)
>>> + {
>>> + msg(M_WARN, "cryptoapicert requires an RSA certificate");
>>> + goto err;
>>> + }
>>> + pub_rsa = EVP_PKEY_get0_RSA(pkey);
>>
>> This conflicts with the patch set from Emmanuel, where he removes
>> EVP_PKEY_id(). Can be easily resolved by changing the if to
>>
>> if (!(pub_rsa = EVP_PKEY_get0_RSA(pkey)))
>>
>> ... but only once the NULL-check patch for openssl_compat.h is applied.
>
> I'll send a v2 assuming that patch will get merged eventually.
>
> I would have preferred to have EVP_PKEY_id() retained in the compat layer
> as it's much more convenient to use it when multiple key types are to be
> differentiated.. (read as: I want to support EC certs here).

That should still be possible just fine, see e.g. how Emmanuel does that
in "OpenSSL: remove some EVP_PKEY type checks".

-Steffan
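
Review bot: In the cryptoapi.c hunk, the result of the added `pub_rsa = EVP_PKEY_get0_RSA(pkey);` is never checked for NULL; the only guard in the visible lines is the preceding `EVP_PKEY_id(pkey) != EVP_PKEY_RSA` test. If that test is dropped, as this thread discusses, the assignment needs its own NULL check that takes the same `msg(M_WARN, ...)` and `goto err` path, so a non-RSA key still fails cleanly rather than continuing with a NULL pub_rsa. The warning text could also name the key type that was found, which would make a rejected certificate easier to diagnose from the log.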
