[Openvpn-devel,v2,1/2] Update openssl_compat.h for newer LibreSSL

Message ID 20220811171120.59361-1-maximilian.fillinger@foxcrypto.com
State Changes Requested

Commit Message

Maximilian Fillinger Aug. 11, 2022, 7:11 a.m. UTC
LibreSSL has added some of the functions that are defined here. However,
we still need RSA_F_RSA_OSSL_PRIVATE_ENCRYPT.

v2: Change ifdef condition for RSA_F_RSA_OSSL_PRIVATE_ENCRYPT.

Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
---
 src/openvpn/openssl_compat.h | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

Comments

Arne Schwabe Aug. 18, 2022, 10:16 a.m. UTC | #1
On 11.08.22 at 19:11, Max Fillinger wrote:
> LibreSSL has added some of the functions that are defined here. However,
> we still need RSA_F_RSA_OSSL_PRIVATE_ENCRYPT.
> 
> v2: Change ifdef condition for RSA_F_RSA_OSSL_PRIVATE_ENCRYPT.
> 
> Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
> ---
>   src/openvpn/openssl_compat.h | 8 +++++---
>   1 file changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
> index b3ee94f1..c78d2229 100644
> --- a/src/openvpn/openssl_compat.h
> +++ b/src/openvpn/openssl_compat.h
> @@ -51,8 +51,8 @@
>   #define SSL_CTX_set1_groups SSL_CTX_set1_curves
>   #endif
>   
> -/* Functionality missing in LibreSSL and OpenSSL 1.0.2 */
> -#if (OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)) && !defined(ENABLE_CRYPTO_WOLFSSL)
> +/* Functionality missing in LibreSSL before 3.5 and OpenSSL 1.0.2 */
> +#if (OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050000fL)) && !defined(ENABLE_CRYPTO_WOLFSSL)
>   /**
>    * Destroy a X509 object
>    *
> @@ -68,11 +68,13 @@ X509_OBJECT_free(X509_OBJECT *obj)
>       }
>   }
>   
> -#define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT       RSA_F_RSA_EAY_PRIVATE_ENCRYPT
>   #define EVP_CTRL_AEAD_SET_TAG                EVP_CTRL_GCM_SET_TAG
>   #define EVP_CTRL_AEAD_GET_TAG                EVP_CTRL_GCM_GET_TAG
>   #endif
>   
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> +#define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT       RSA_F_RSA_EAY_PRIVATE_ENCRYPT
> +#endif
>   

The patch basically removes the !defined(ENABLE_CRYPTO_WOLFSSL) from 
this part of the ifdef and that breaks wolfSSL. While I don't think we 
should put much effort into wolfSSL, we should also not break it on purpose.

Arne

Maximilian Fillinger Aug. 19, 2022, 3:39 a.m. UTC | #2
> -----Original Message-----
> From: Arne Schwabe [mailto:arne@rfc2549.org]
> Sent: Thursday, 18 August 2022 22:16
> To: Maximilian Fillinger <maximilian.fillinger@foxcrypto.com>; openvpn-
> devel@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] [PATCH v2 1/2] Update openssl_compat.h for
> newer LibreSSL
> 
> On 11.08.22 at 19:11, Max Fillinger wrote:
> > LibreSSL has added some of the functions that are defined here.
> However,
> > we still need RSA_F_RSA_OSSL_PRIVATE_ENCRYPT.
> >
> > v2: Change ifdef condition for RSA_F_RSA_OSSL_PRIVATE_ENCRYPT.
> >
> > Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
> > ---
> >   src/openvpn/openssl_compat.h | 8 +++++---
> >   1 file changed, 5 insertions(+), 3 deletions(-)
> >
> > diff --git a/src/openvpn/openssl_compat.h
> b/src/openvpn/openssl_compat.h
> > index b3ee94f1..c78d2229 100644
> > --- a/src/openvpn/openssl_compat.h
> > +++ b/src/openvpn/openssl_compat.h
> > @@ -51,8 +51,8 @@
> >   #define SSL_CTX_set1_groups SSL_CTX_set1_curves
> >   #endif
> >
> > -/* Functionality missing in LibreSSL and OpenSSL 1.0.2 */
> > -#if (OPENSSL_VERSION_NUMBER < 0x10100000L ||
> defined(LIBRESSL_VERSION_NUMBER)) && !defined(ENABLE_CRYPTO_WOLFSSL)
> > +/* Functionality missing in LibreSSL before 3.5 and OpenSSL 1.0.2 */
> > +#if (OPENSSL_VERSION_NUMBER < 0x10100000L ||
> (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER <
> 0x3050000fL)) && !defined(ENABLE_CRYPTO_WOLFSSL)
> >   /**
> >    * Destroy a X509 object
> >    *
> > @@ -68,11 +68,13 @@ X509_OBJECT_free(X509_OBJECT *obj)
> >       }
> >   }
> >
> > -#define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT
> RSA_F_RSA_EAY_PRIVATE_ENCRYPT
> >   #define EVP_CTRL_AEAD_SET_TAG                EVP_CTRL_GCM_SET_TAG
> >   #define EVP_CTRL_AEAD_GET_TAG                EVP_CTRL_GCM_GET_TAG
> >   #endif
> >
> > +#if OPENSSL_VERSION_NUMBER < 0x10100000L ||
> defined(LIBRESSL_VERSION_NUMBER)
> > +#define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT
> RSA_F_RSA_EAY_PRIVATE_ENCRYPT
> > +#endif
> >
> 
> The patch basically removes the !defined(ENABLE_CRYPTO_WOLFSSL) from
> this part of the ifdef and that breaks wolfSSL. While I don't think we
> should put much effort into wolfSSL, we should also not break it on purpose.
> 
> Arne

You told me to ignore it in IRC. But sure, I can make a v3.

Arne Schwabe Aug. 19, 2022, 10:31 a.m. UTC | #3
>> The patch basically removes the !defined(ENABLE_CRYPTO_WOLFSSL) from
>> this part of the ifdef and that breaks wolfSSL. While I don't think we
>> should put much effort into wolfSSL, we should also not break it on purpose.
>>
>> Arne
> 
> You told me to ignore it in IRC. But sure, I can make a v3.

Ignore but not break on purpose :)

Arne

Patch

diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index b3ee94f1..c78d2229 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -51,8 +51,8 @@ 
 #define SSL_CTX_set1_groups SSL_CTX_set1_curves
 #endif
 
-/* Functionality missing in LibreSSL and OpenSSL 1.0.2 */
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)) && !defined(ENABLE_CRYPTO_WOLFSSL)
+/* Functionality missing in LibreSSL before 3.5 and OpenSSL 1.0.2 */
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050000fL)) && !defined(ENABLE_CRYPTO_WOLFSSL)
 /**
  * Destroy a X509 object
  *
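
Review bot: The new LibreSSL bound on the `#if` line (`LIBRESSL_VERSION_NUMBER < 0x3050000fL`) switches off the whole block for LibreSSL 3.5 and later, and neither the updated comment nor the commit message ("some of the functions") says which definitions are expected to come from the library from that version on. The next hunk leaves `EVP_CTRL_AEAD_SET_TAG` and `EVP_CTRL_AEAD_GET_TAG` inside this block, so please state that LibreSSL 3.5 provides those as well, or move them out alongside `RSA_F_RSA_OSSL_PRIVATE_ENCRYPT`. The condition is also long enough that wrapping it over two lines would make the nested LibreSSL test easier to read.
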
@@ -68,11 +68,13 @@  X509_OBJECT_free(X509_OBJECT *obj)
     }
 }
 
-#define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT       RSA_F_RSA_EAY_PRIVATE_ENCRYPT
 #define EVP_CTRL_AEAD_SET_TAG                EVP_CTRL_GCM_SET_TAG
 #define EVP_CTRL_AEAD_GET_TAG                EVP_CTRL_GCM_GET_TAG
 #endif
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT       RSA_F_RSA_EAY_PRIVATE_ENCRYPT
+#endif
 
 /* Functionality missing in 1.0.2 */
 #if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(ENABLE_CRYPTO_WOLFSSL)
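
Review bot: The new `#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)` around `RSA_F_RSA_OSSL_PRIVATE_ENCRYPT` no longer carries the `&& !defined(ENABLE_CRYPTO_WOLFSSL)` test that guarded this define in its old location, so a wolfSSL build that matches the version test would now get the alias to `RSA_F_RSA_EAY_PRIVATE_ENCRYPT`. Adding the same guard here, as the `/* Functionality missing in 1.0.2 */` block right below does, keeps the previous wolfSSL behaviour. A one-line comment above the new block saying why LibreSSL still needs this define regardless of version would also help, since the other blocks in this region each have one.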