Fix EVP_PKEY_CTX_... compilation with LibreSSL

Commit 06f6cf3 introduced use of newer OpenSSL functions for the TLS 1.0-1.1 PRF, to make OpenVPN work with FIPS-enabled OpenSSL. LibreSSL masquerades as "very new OpenSSL" but does not have these functions (or at least not on the OpenBSD system tested), so compilationg breaks. Add a "but not if LibreSSL" check to the OpenSSL version check, as we do in other places. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <20210308114405.19066-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21628.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
OpenVPN · Mar 8, 2021 · 4cf01c8 · 4cf01c8
1 parent 06f6cf3
commit 4cf01c8
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
@@ -51,7 +51,7 @@
 #include <openssl/rand.h>
 #include <openssl/ssl.h>
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
 #include <openssl/kdf.h>
 #endif
 
@@ -1128,7 +1128,7 @@ engine_load_key(const char *file, SSL_CTX *ctx)
 #endif /* if HAVE_OPENSSL_ENGINE */
 }
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
 bool
 ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,
              int secret_len, uint8_t *output, int output_len)