Hi,

On 14-01-18 17:31, Selva Nair wrote:
> On Sun, Jan 14, 2018 at 6:28 AM, Steffan Karger <stef...@karger.me> wrote:
>> On 08-01-18 03:21, selva.n...@gmail.com wrote:
>>> From: Selva Nair <selva.n...@gmail.com>
>>>
>>> - Replace direct access to internals of openssl structs
>>>   by corresponding methods.
>>>
>>> Signed-off-by: Selva Nair <selva.n...@gmail.com>
>>> ---
>>> Tested on Windows 10 with openssl 1.0.1r and 1.1.0g
>>>
>>>  configure.ac                 |  1 +
>>>  src/openvpn/cryptoapi.c      | 69 +++++++++++++++++++++++++++-----------------
>>>  src/openvpn/openssl_compat.h | 14 +++++++++
>>>  3 files changed, 57 insertions(+), 27 deletions(-)
>>>
>>>
> ..
> 
>>> -    rsa->n = BN_dup(pub_rsa->n);
>>> -    rsa->flags |= RSA_FLAG_EXT_PKEY;
>>> +    if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA)
>>> +    {
>>> +        msg(M_WARN, "cryptoapicert requires an RSA certificate");
>>> +        goto err;
>>> +    }
>>> +    pub_rsa = EVP_PKEY_get0_RSA(pkey);
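Review bot: the `pub_rsa` returned by `EVP_PKEY_get0_RSA(pkey)` on the last `+` line is never checked for NULL in this hunk, and the removed `rsa->n = BN_dup(pub_rsa->n)` shows the value is dereferenced right after, so a NULL return would crash instead of failing cleanly. The accessor already returns NULL for a non-RSA key, so one condition covers both the type check and the NULL check and drops the dependency on EVP_PKEY_id(): `if (!(pub_rsa = EVP_PKEY_get0_RSA(pkey))) { msg(M_WARN, "cryptoapicert requires an RSA certificate"); goto err; }`. Separately, the removed `rsa->flags |= RSA_FLAG_EXT_PKEY` is not re-established anywhere in the visible lines; the commit message should say where that flag is now set.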
>>
>> This conflicts with the patch set from Emmanuel, where he removes
>> EVP_PKEY_id().  Can be easily resolved by changing the if to
>>
>>    if (!(pub_rsa = EVP_PKEY_get0_RSA))
>>
>> ... but only once the NULL-check patch for openssl_compat.h is applied.
> 
> I'll send a v2 assuming that patch will get merged eventually.
> 
> I would have preferred to have EVP_PKEY_id() retained in the compat layer
> as it's much more convenient to use it when multiple key types are to be
> differentiated (read as: I want to support EC certs here).

That should still be possible just fine, see e.g. how Emmanuel does that
in "OpenSSL: remove some EVP_PKEY type checks".

-Steffan

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
