Fix EVP_PKEY_CTX_... compilation with LibreSSL

Commit 06f6cf3ff850f29 introduced use of newer OpenSSL functions
for the TLS 1.0-1.1 PRF, to make OpenVPN work with FIPS-enabled OpenSSL.

LibreSSL masquerades as "very new OpenSSL" but does not have these
functions (or at least not on the OpenBSD system tested), so compilationg
breaks.

Add a "but not if LibreSSL" check to the OpenSSL version check, as we
do in other places.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210308114405.19066-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21628.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 7aaa662461d890fe27365a3bf0f58e9d5dce2838..49698e4b3194d87cca6113517a22f18987608506 100644 (file)
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -51,7 +51,7 @@
 #include <openssl/rand.h>
 #include <openssl/ssl.h>
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
 #include <openssl/kdf.h>
 #endif
 
@@ -1128,7 +1128,7 @@ engine_load_key(const char *file, SSL_CTX *ctx)
 #endif /* if HAVE_OPENSSL_ENGINE */
 }
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
 bool
 ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,
              int secret_len, uint8_t *output, int output_len)