Opened 17 months ago

Last modified 3 months ago

#26034 assigned defect

LibreSSL 2.7.x supports some OpenSSL 1.1 APIs?

Reported by: nickm
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: 035-removed-20180711
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Toralf points me towards this Python patch:

https://github.com/gentoo/gentoo/blob/master/dev-lang/python/files/python-3.5.5-libressl-compatibility.patch

It implies that for Python's purposes at least, LibreSSL 2.7.x supports the newer openssl APIs. We should test that out, and if so, support it.

Change History (8)

comment:1 Changed 17 months ago by nickm

Milestone: Tor: 0.3.4.x-final → Tor: 0.3.5.x-final
Summary: LibreSSL 2.7.x may support OpenSSL 1.1 APIs? → LibreSSL 2.7.x supports some OpenSSL 1.1 APIs?

So I tried merging the obvious patch:

--- a/src/common/compat_openssl.h
+++ b/src/common/compat_openssl.h
@@ -28,6 +28,11 @@
 #define OPENSSL_1_1_API
 #endif /* OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) && ... */
 
+#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070000fL
+/* LibreSSL 2.7.x and later also have this API */
+#define OPENSSL_1_1_API
+#endif
+
 #ifndef OPENSSL_VERSION
 #define OPENSSL_VERSION SSLEAY_VERSION
 #endif
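
Review bot: The added `#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070000fL` block reuses the single OPENSSL_1_1_API macro, so every code path gated on that macro is switched on for LibreSSL 2.7.x at once, and the comment "also have this API" asserts full parity without listing which calls were checked. If any function behind those paths is missing in LibreSSL, the build fails far from this header; I would suggest a separate, narrower macro for the subset LibreSSL provides, or per-function configure checks, instead of the version comparison. The condition of the preceding check is truncated in the context (`&& ...`); if that clause deliberately excludes LibreSSL, this block reverses it and the comment should say why.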

And while it appears that libressl supports some of the new OpenSSL APIs, the port is nontrivial: there are other things that we're conditioning on the 1.1 API that libressl does not have.

So let's revisit this in a later series.

comment:2 Changed 15 months ago by nickm

Keywords: 035-removed-20180711 added
Milestone: Tor: 0.3.5.x-final → Tor: unspecified

These tickets are being triaged out of 0.3.5. The ones marked "035-roadmap-proposed" may return.

comment:3 Changed 14 months ago by toralf

With LibreSSL 2.6.5 on a hardened Gentoo I get this with the current git tree:

torproject@mr-fox ~/tor $ git describe
tor-0.3.5.0-alpha-dev-621-g5aaea38d8
torproject@mr-fox ~/tor $ 
torproject@mr-fox ~/tor $ make
make  all-am
make[1]: Entering directory '/home/torproject/tor'
  CC       src/lib/crypt_ops/crypto_hkdf.o
afl-cc 2.52b by <lcamtuf@google.com>
src/lib/crypt_ops/crypto_hkdf.c:24:10: fatal error: openssl/kdf.h: No such file or directory
 #include <openssl/kdf.h>
          ^~~~~~~~~~~~~~~
compilation terminated.
make[1]: *** [Makefile:8150: src/lib/crypt_ops/crypto_hkdf.o] Error 1
make[1]: Leaving directory '/home/torproject/tor'
make: *** [Makefile:4554: all] Error 2

comment:4 Changed 14 months ago by nickm

toralf -- that sounds like a separate issue, if it's happening on an unmodified version of git master?

comment:5 Changed 14 months ago by nickm

(In fact, that issue might be #26712?)

comment:6 in reply to:  4 Changed 14 months ago by toralf

Replying to nickm:

toralf -- that sounds like a separate issue, if it's happening on an unmodified version of git master?

yes - that's why I pasted "git describe" too here

comment:7 Changed 14 months ago by toralf

right - and this separate HKDF issue is fixed by commit 2b523604 - tested here with LibreSSL 2.6.5

Last edited 14 months ago by toralf

comment:8 Changed 3 months ago by nickm

Owner: nickm deleted

These tickets are not things I'm currently working on. They may be important, but they don't need to be done by me specifically. Un-assigning.
