From: Antonio Quartulli
Date: Wed, 9 Aug 2017 07:42:37 +0000 (+0800)
Subject: OpenSSL: remove unreachable call to SSL_CTX_get0_privatekey()
X-Git-Tag: v2.4.4~36
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a0ee61b31ced8c49ed3926adaf8c42dca4702b49;p=thirdparty%2Fopenvpn.git

OpenSSL: remove unreachable call to SSL_CTX_get0_privatekey()

In tls_ctx_load_ecdh_params() the SSL_CTX_get0_privatekey() function is invoked only when "OPENSSL_VERSION_NUMBER >= 0x10002000L" and curve_name is NULL. However, under the very same conditions the code flow will lead to an earlier return, thus never reaching the invocation of SSL_CTX_get0_privatekey().

Restructure the surrounding code in order to make the if/else block a bit easier to read and get rid of the unreachable invocation.

Signed-off-by: Antonio Quartulli
Acked-by: Steffan Karger
Message-Id: <20170809074237.31291-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15186.html
Signed-off-by: David Sommerseth
(cherry picked from commit 5b004f99d069fe0238aacbb0b3288872a4d7ae17)
---
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 0ac60357c..c60983416 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -487,15 +487,7 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name /* Generate a new ECDH key for each SSL session (for non-ephemeral ECDH) */ SSL_CTX_set_options(ctx->ctx, SSL_OP_SINGLE_ECDH_USE); -#if OPENSSL_VERSION_NUMBER >= 0x10002000L - /* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter loading */ - if (NULL == curve_name) - { - SSL_CTX_set_ecdh_auto(ctx->ctx, 1); - return; - } -#endif - /* For older OpenSSL, we'll have to do the parameter loading on our own */ + if (curve_name != NULL) { /* Use user supplied curve if given */ 
@@ -504,14 +496,17 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name } else { - /* Extract curve from key */ +#if OPENSSL_VERSION_NUMBER >= 0x10002000L + /* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter + * loading */ + SSL_CTX_set_ecdh_auto(ctx->ctx, 1); + return; +#else + /* For older OpenSSL we have to extract the curve from key on our own */ EC_KEY *eckey = NULL; const EC_GROUP *ecgrp = NULL; EVP_PKEY *pkey = NULL; -#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) - pkey = SSL_CTX_get0_privatekey(ctx->ctx); -#else /* Little hack to get private key ref from SSL_CTX, yay OpenSSL... */ SSL *ssl = SSL_new(ctx->ctx); if (!ssl) @@ -520,7 +515,6 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name } pkey = SSL_get_privatekey(ssl); SSL_free(ssl); -#endif msg(D_TLS_DEBUG, "Extracting ECDH curve from private key"); @@ -529,6 +523,7 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name { nid = EC_GROUP_get_curve_name(ecgrp); } +#endif } /* Translate NID back to name , just for kicks */
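Review bot: in the second hunk (`@@ -504,14 +496,17 @@`), placing `SSL_CTX_set_ecdh_auto(ctx->ctx, 1); return;` under `#if OPENSSL_VERSION_NUMBER >= 0x10002000L` in the middle of the `else` body, with the `#else` branch then running for the rest of that body until the `#endif` added in the last hunk, makes the control flow depend on a preprocessor region that spans two hunks and is easy to misread. Consider moving the pre-1.0.2 key extraction (the `SSL_new`/`SSL_get_privatekey`/`SSL_free` dance and the `EC_GROUP_get_curve_name` lookup) into a small static helper returning the NID, so the `else` branch reduces to the `#if` choice between calling `SSL_CTX_set_ecdh_auto` and calling that helper. The unreachable `SSL_CTX_get0_privatekey()` path is correctly gone; note also that the dropped `!defined(LIBRESSL_VERSION_NUMBER)` guard only affected the now-removed call, and the LibreSSL behaviour for a NULL curve_name (auto ECDH and return) is the same before and after this change.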
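Review bot: the `#endif` added in the last hunk (`@@ -529,6 +523,7 @@`) closes a region that now contains the only declarations of `eckey`, `ecgrp` and `pkey`, so on OpenSSL 1.0.2 and newer those identifiers do not exist at all inside `tls_ctx_load_ecdh_params()`. Please confirm that nothing in the elided lines between the two hunks, and nothing after the `#endif` (for example a cleanup such as `EC_KEY_free(eckey)` or an `EVP_PKEY` release), references them, since any such use outside the `#else` region would fail to compile against a modern OpenSSL while still building fine against an old one.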