Message ID | 20220822154037.44320-1-maximilian.fillinger@foxcrypto.com |
---|---|
State | Accepted |
Series | [Openvpn-devel,v2,1/2] Update openssl_compat.h for newer LibreSSL |
On 22.08.22 at 17:40, Max Fillinger wrote:
> LibreSSL has added some of the functions that are defined here. However,
> we still need RSA_F_RSA_OSSL_PRIVATE_ENCRYPT.

Thanks. Acked-By: Arne Schwabe <arne@rfc2549.org>
I have not tested this on a recent-enough OpenBSD or OpenSSL 1.0.x (no time to build or find such a system) but I have tested on FreeBSD with 1.1.1l - unsurprisingly (the #ifdefs say so) no difference.

I'm a bit unsure if we need this for 2.5 - it's "long term compat" and not very intrusive, but on the other hand, not too many people seem to care about LibreSSL.

Your patch has been applied to the master branch.

commit 6d9695de9fd125cced72b531559c2bdf0c4e0966
Author: Max Fillinger
Date:   Mon Aug 22 17:40:37 2022 +0200

    Update openssl_compat.h for newer LibreSSL

    Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <20220822154037.44320-1-maximilian.fillinger@foxcrypto.com>
    URL: https://www.mail-archive.com/search?l=mid&q=20220822154037.44320-1-maximilian.fillinger@foxcrypto.com
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

--
kind regards,

Gert Doering
> I'm a bit unsure if we need this for 2.5 - it's "long term compat"
> and not very intrusive, but on the other hand, not too many people
> seem to care about LibreSSL.

OpenBSD has packaged 2.5.7 for snapshots, so they must already have a workaround.
Hi,

On Tue, Aug 23, 2022 at 10:21:30AM +0000, Maximilian Fillinger wrote:
> > I'm a bit unsure if we need this for 2.5 - it's "long term compat"
> > and not very intrusive, but on the other hand, not too many people
> > seem to care about LibreSSL.
>
> OpenBSD has packaged 2.5.7 for snapshots, so they must already have a workaround.

Might be worth looking at their ports tree and see what patches they
apply... (putting that on my heap of things to do "really soon")

gert
On 23.08.22 at 20:55, Gert Doering wrote:
> Hi,
>
> On Tue, Aug 23, 2022 at 10:21:30AM +0000, Maximilian Fillinger wrote:
>>> I'm a bit unsure if we need this for 2.5 - it's "long term compat"
>>> and not very intrusive, but on the other hand, not too many people
>>> seem to care about LibreSSL.
>>
>> OpenBSD has packaged 2.5.7 for snapshots, so they must already have a workaround.
>
> Might be worth looking at their ports tree and see what patches they
> apply... (putting that on my heap of things to do "really soon")

So here is a git mirror of their CVS (sic!) tree:

https://github.com/openbsd/ports/tree/master/net/openvpn

- They patch sample config to use user _nobody and enable that.
- Something in route, removing RTA_IFP
- some stuff in tun.c

but they think the revamped OpenSSL 3.0 way of calculating the TLS1 PRF might actually not be in 2.5 yet, so they do not need a patch for that.

Arne
> but they think the revamped OpenSSL 3.0 way of calculating the TLS1 PRF
> might actually not be in 2.5 yet, so they do not need a patch for that.

In 2.5, openssl_compat.h also doesn't try to define X509_OBJECT_free(), so there's nothing to backport there.
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index b3ee94f1..9d89bd0a 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -51,8 +51,8 @@ #define SSL_CTX_set1_groups SSL_CTX_set1_curves #endif -/* Functionality missing in LibreSSL and OpenSSL 1.0.2 */ -#if (OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)) && !defined(ENABLE_CRYPTO_WOLFSSL) +/* Functionality missing in LibreSSL before 3.5 and OpenSSL 1.0.2 */ +#if (OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050000fL)) && !defined(ENABLE_CRYPTO_WOLFSSL) /** * Destroy a X509 object * @@ -68,11 +68,13 @@ X509_OBJECT_free(X509_OBJECT *obj) } } -#define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT #define EVP_CTRL_AEAD_SET_TAG EVP_CTRL_GCM_SET_TAG #define EVP_CTRL_AEAD_GET_TAG EVP_CTRL_GCM_GET_TAG #endif +#if (OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)) && !defined(ENABLE_CRYPTO_WOLFSSL) +#define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT +#endif /* Functionality missing in 1.0.2 */ #if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(ENABLE_CRYPTO_WOLFSSL)
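Review bot: the commit message should name which functions LibreSSL 3.5 added, because the new gate `LIBRESSL_VERSION_NUMBER < 0x3050000fL` in the first hunk now drops the whole block (the X509_OBJECT_free inline plus EVP_CTRL_AEAD_SET_TAG and EVP_CTRL_AEAD_GET_TAG) on LibreSSL >= 3.5.0, while the description only says "some of the functions". If any one of those three is not present in 3.5.0, that symbol needs its own gate, as was done for RSA_F_RSA_OSSL_PRIVATE_ENCRYPT further down. The comment "before 3.5" and the constant agree: 0x3050000fL is the 3.5.0 release in the 0xMNNFFPPS layout.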
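Review bot: the new `#if` block for RSA_F_RSA_OSSL_PRIVATE_ENCRYPT in the second hunk carries no comment, unlike the neighbouring blocks ("/* Functionality missing in ... */"); add a one-line comment stating that LibreSSL still lacks RSA_F_RSA_OSSL_PRIVATE_ENCRYPT on every version, so a later reader understands why this define is gated on `defined(LIBRESSL_VERSION_NUMBER)` alone while the block above gained a version bound. The `!defined(ENABLE_CRYPTO_WOLFSSL)` part matches the v3 note "Don't break WolfSSL".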
LibreSSL has added some of the functions that are defined here. However, we still need RSA_F_RSA_OSSL_PRIVATE_ENCRYPT.

v2: Change ifdef condition for RSA_F_RSA_OSSL_PRIVATE_ENCRYPT.
v3: Don't break WolfSSL.

Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
---
 src/openvpn/openssl_compat.h | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
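The two preprocessor gates from the patch, re-expressed as ordinary C functions and evaluated for a handful of sample builds, so the branch taken for each library can be checked at a glance. This is an added example, not code from OpenVPN or from the patch; the sample version numbers are constructed and follow OpenSSL's 0xMNNFFPPS layout.

```c
#include <stdbool.h>
#include <stdio.h>

/* Version constants use OpenSSL's 0xMNNFFPPS layout (major, minor, fix, patch
 * letter, status; 0xf = release). LibreSSL keeps the same layout in
 * LIBRESSL_VERSION_NUMBER but advertises OPENSSL_VERSION_NUMBER as 0x20000000L,
 * which is why the header tests defined(LIBRESSL_VERSION_NUMBER) instead. */
struct build {
    const char *name;
    unsigned long openssl_version;  /* OPENSSL_VERSION_NUMBER */
    bool is_libressl;               /* defined(LIBRESSL_VERSION_NUMBER) */
    unsigned long libressl_version; /* LIBRESSL_VERSION_NUMBER, else 0 */
    bool wolfssl;                   /* defined(ENABLE_CRYPTO_WOLFSSL) */
};

/* First hunk: the X509_OBJECT_free / EVP_CTRL_AEAD_* block is compiled only
 * for OpenSSL < 1.1.0 or LibreSSL < 3.5.0, and never for wolfSSL. */
bool needs_legacy_block(const struct build *b)
{
    bool old_libressl = b->is_libressl && b->libressl_version < 0x3050000fL;
    return (b->openssl_version < 0x10100000L || old_libressl) && !b->wolfssl;
}

/* Second hunk: RSA_F_RSA_OSSL_PRIVATE_ENCRYPT is still defined for every
 * LibreSSL version and for OpenSSL < 1.1.0. */
bool needs_rsa_err_code(const struct build *b)
{
    return (b->openssl_version < 0x10100000L || b->is_libressl) && !b->wolfssl;
}

/* Constructed sample builds; the wolfSSL version number is a placeholder since
 * its gate is decided by ENABLE_CRYPTO_WOLFSSL alone. */
const struct build samples[] = {
    { "OpenSSL 1.0.2",  0x1000200fL, false, 0,           false },
    { "OpenSSL 1.1.1l", 0x101010cfL, false, 0,           false },
    { "LibreSSL 3.4.3", 0x20000000L, true,  0x3040300fL, false },
    { "LibreSSL 3.5.0", 0x20000000L, true,  0x3050000fL, false },
    { "wolfSSL",        0x10100000L, false, 0,           true  },
};
const int nsamples = sizeof(samples) / sizeof(samples[0]);

int main(void)
{
    for (int i = 0; i < nsamples; i++)
        printf("%-15s legacy block: %-3s RSA error code: %s\n", samples[i].name,
               needs_legacy_block(&samples[i]) ? "yes" : "no",
               needs_rsa_err_code(&samples[i]) ? "yes" : "no");
    return 0;
}
```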