Hi,

On Sat, Jan 20, 2018 at 6:30 AM, Steffan Karger <stef...@karger.me> wrote:
> Hi,
>
> On 17-01-18 14:10, Emmanuel Deloget wrote:
>> Calling EVP_PKEY_id() before EVP_PKEY_get0_*() is unnecessary as
>> the same check is also performed in the latter.
>>
>> We also make the code a bit better by not calling the various
>> EVP_PKEY_get0_*() functions twice (this needs a bit of reordering to
>> avoid introducing yet another #ifndef OPENSSL_NO_EC in the code).
>>
>> Signed-off-by: Emmanuel Deloget <log...@free.fr>
>> ---
..
> Unfortunately, OpenSSL 1.1.0 treats calling EVP_PKEY_get0_foo on a
> non-foo key as an error. Running 'make check' with this patch and
> openssl 1.1.0 fails:
>
> Sat Jan 20 12:23:41 2018 Control Channel: TLSv1.2, cipher TLSv1.2
> ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
> Sat Jan 20 12:23:41 2018 OpenSSL: error:06078081:digital envelope
> routines:EVP_PKEY_get0_DSA:expecting a dsa key
> Sat Jan 20 12:23:41 2018 OpenSSL: error:0608308E:digital envelope
> routines:EVP_PKEY_get0_EC_KEY:expecting a ec key
> Sat Jan 20 12:23:41 2018 TLS_ERROR: BIO read tls_read_plaintext error
>
> So, NAK. (And Selva gets to keep EVP_PKEY_id() ;-) )
>
> Sorry for not spotting this earlier, could have saved us quite a bit of
> work...

I'm surprised that my argument about

if (EVP_PKEY_id(foo) == ...EC..) { do EC stuff }
else if (EVP_PKEY_id(foo) == ..RSA..) { do RSA stuff }

or switch(EVP_PKEY_id(foo)) being stylistically better[tm] did not work!

Still pleased by the end result. Now I get to spit out some of the
"if (EVP_PKEY_get0_RSA(..))" that was pushed down my throat :).
For patches already on the ML will do so after review.

Selva