From: Steffan K. <st...@ka...> - 2017-02-19 12:37:02
Hi, On 17-02-17 23:00, lo...@fr... wrote: > From: Emmanuel Deloget <lo...@fr...> > > OpenSSL 1.1 changed the SSLv3 API and removed many SSL_L_SSL3_* > constants. Moreover, new code might use different function > code for the same error. > > Thus, we extract the error reason from the error code before > we compare it instead of trying to rebuild an error code > that might not be correct. > > The new version is compatible with OpenSSL 1.0.x as well as > with older versions (starting at 0.9.8). > > Signed-off-by: Emmanuel Deloget <lo...@fr...> > --- > src/openvpn/crypto_openssl.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c > index 2f77a9853ac484770dcd808efdf13671ade7e758..23de17542bf0f4a311825373ecf8d8261fd21c73 100644 > --- a/src/openvpn/crypto_openssl.c > +++ b/src/openvpn/crypto_openssl.c > @@ -194,8 +194,7 @@ crypto_print_openssl_errors(const unsigned int flags) > while ((err = ERR_get_error())) > { > /* Be more clear about frequently occurring "no shared cipher" error */ > - if (err == ERR_PACK(ERR_LIB_SSL,SSL_F_SSL3_GET_CLIENT_HELLO, > - SSL_R_NO_SHARED_CIPHER)) > + if (ERR_GET_REASON(err) == SSL_R_NO_SHARED_CIPHER) > { > msg(D_CRYPT_ERRORS, "TLS error: The server has no TLS ciphersuites " > "in common with the client. Your --tls-cipher setting might be " > This patch is correct even outside the context of the transition to 1.1, and can be applied immediately. ACK. -Steffan |
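Review bot: the new condition in crypto_print_openssl_errors() compares only the reason code, and OpenSSL reason codes are unique only within a single library. The `while ((err = ERR_get_error()))` loop drains every queued error, whichever library raised it, so an error from a non-SSL library that happens to share the numeric value of SSL_R_NO_SHARED_CIPHER would print the "no TLS ciphersuites in common" hint and send the operator to the wrong setting. Keeping the library check while still dropping the function code avoids that and stays independent of the removed SSL_F_SSL3_* constants: `if (ERR_GET_LIB(err) == ERR_LIB_SSL && ERR_GET_REASON(err) == SSL_R_NO_SHARED_CIPHER)`.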