From 6bb4edf4f778128672f405c0e33c3c785afcc479 Mon Sep 17 00:00:00 2001
From: Selva Nair
Date: Tue, 19 Oct 2021 12:50:53 -0400
Subject: [PATCH] Require EC key support in Windows builds
Do not support the use of OPENSSL_NO_EC on Windows. We build Windows releases with EC key support enabled in OpenSSL and there is no reason to disable it in OpenVPN. ECDSA signature for cryptoapicert is handled only with OpenSSL 1.1.0 or later. That restriction is retained. Same as commit ec9f698 in 2.6, except for context changes.
Signed-off-by: Selva Nair
Acked-by: Gert Doering
Message-Id: <20211019165053.26345-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22968.html
Signed-off-by: Gert Doering
---
 src/openvpn/crypto_openssl.c | 4 ++++
 src/openvpn/cryptoapi.c | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 79fbab401..c9dc9d0ad 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -51,6 +51,10 @@
 #include
 #include
+#if defined(_WIN32) && defined(OPENSSL_NO_EC)
+#error Windows build with OPENSSL_NO_EC: disabling EC key is not supported.
+#endif
+
 /*
 * Check for key size creepage.
 */
diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c
index 6c4df9e3e..4becef4d1 100644
--- a/src/openvpn/cryptoapi.c
+++ b/src/openvpn/cryptoapi.c
@@ -537,7 +537,7 @@ finish(RSA *rsa)
 return 1;
 }
-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(OPENSSL_NO_EC)
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
 static EC_KEY_METHOD *ec_method = NULL;
@@ -1232,7 +1232,7 @@ SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop)
 goto err;
 }
 }
-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(OPENSSL_NO_EC)
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
 else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC)
 {
 if (!ssl_ctx_set_eckey(ssl_ctx, cd, pkey))
--
2.47.2
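Review bot: The new `#error` check in src/openvpn/crypto_openssl.c can only fire once an OpenSSL header has defined OPENSSL_NO_EC, so it depends on staying below the `#include` lines shown as context, and nothing in the hunk records that. I would add a comment above it, for example `/* OPENSSL_NO_EC comes from the OpenSSL configuration header; keep this check after the OpenSSL includes. */`, so that a later reordering of the include block does not turn the guard into a silent no-op. The include targets are not visible in this view, so it is worth confirming that one of the preceding includes actually pulls in the OpenSSL configuration.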
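Review bot: In src/openvpn/cryptoapi.c the `#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)` before `ec_method` (hunk at line 537) and the same condition in SSL_CTX_use_CryptoAPI_certificate (hunk at line 1232) now assume EC support, while the check that enforces it sits in a different translation unit, crypto_openssl.c. Someone reading this file alone cannot tell why OPENSSL_NO_EC is no longer tested; a comment at the first `#if` such as `/* EC key support is mandatory on Windows; enforced by the #error in crypto_openssl.c */` would record the dependency. Whether cryptoapi.c can be compiled in a configuration where that guard is not active cannot be determined from these hunks; if it can, repeating the `#error` here would make the failure explicit instead of leaving it to unresolved EC symbols. Both `#if` blocks close outside the hunks shown.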