Comments (12)
LibreSSL now has SSL{,_CTX}_set1_groups{,_list}() functions (and defines for SSL{,_CTX}_set1_curves{,_list}).
from openbsd.
LibreSSL is currently API compatible with OpenSSL 1.0.1 (which it was forked from) with some new extensions and backported features.
SSL_CTRL_SET_CURVES was added in 2012, but only first appeared in OpenSSL 1.0.2 in 2015. We can certainly look at porting in this API, but does this mean that QT 5.5.0-beta also intends to be incompatible with OpenSSL <= 1.0.1 ?
Their configure test claims >=0.9.7 is required. After looking at the code it appears they forgot to update that because some ifdefs for 0.9.7 and openssl 0.9.8f were removed with 5.5.0-beta. Nevertheless 1.0.1 should work, but LibreSSL reports 0x20000000L whereas the failing bit is behind
#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_EC)
After looking at the history of opensslv.h it appears to me that using the version isn't considered a sane way to detect the presence of a feature. If you could provide a hint how to detect this instead, I would be grateful and provide qt with a patch.
For just the code around SSL_CTRL_SET_CURVES, I might suggest replacing with #if defined(SSL_CTRL_SET_CURVES). However, there are more complications when I looked at the rest of the QT ssl code.
LibreSSL is also missing EC_curve_nist2nid, but QT dynamically loads this function itself at runtime using its own internal definition. Thus, it does not fail at compile time, even though it is not defined in the LibreSSL headers. However, code like the following would then fail at runtime:
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
if (nid == 0 && q_SSLeay() >= 0x10002000L)
nid = q_EC_curve_nist2nid(curveNameLatin1.data());
#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
If this were an autoconf project, I would recommend using AC_CHECK_FUNC/AC_SEARCH_LIBS to check for the function instead, but I'm not sure if you can do that with qmake's configure. It's possible something like this would work, where the function is only used if it actually loads at runtime:
if (q_EC_curve_nist2nid) {
    if (nid == 0) {
        nid = q_EC_curve_nist2nid(curveNameLatin1.data());
    }
}
EC_curve_nist2nid doesn't look like a lot of trouble to backport at any rate. I am concerned that if we pick and choose some APIs from OpenSSL 1.0.2, we may create silent issues in upstream software, where the presence of one feature but not another was never tested.
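The two detection strategies contrasted in this comment, as an added example that is not code from the thread, from Qt or from LibreSSL: the version-number test from the Qt snippet, the macro-presence test, and a curve-name resolver that calls the runtime-loaded lookup only when its pointer resolved. The `nist2nid_fn` type, `sn2nid_subset` table and `constructed_nist2nid` stand-in are constructed for the example.

```c
#include <string.h>

/* Hypothetical pointer type with the shape of EC_curve_nist2nid(): NIST name -> NID, 0 if unknown. */
typedef int (*nist2nid_fn)(const char *name);

/* Fallback lookup by OpenSSL short name; constructed subset, NIDs are the real OpenSSL values. */
static int sn2nid_subset(const char *sn)
{
    static const struct { const char *sn; int nid; } tbl[] = {
        { "prime256v1", 415 }, { "secp384r1", 715 }, { "secp521r1", 716 },
    };
    size_t i;
    for (i = 0; i < sizeof(tbl) / sizeof(tbl[0]); i++)
        if (strcmp(tbl[i].sn, sn) == 0)
            return tbl[i].nid;
    return 0;
}

/* The version test from the Qt snippet: LibreSSL reports 0x20000000L, so this answers 1 even
 * when the feature is absent. A version number is not a feature test. */
int version_claims_curves(unsigned long openssl_version_number)
{
    return openssl_version_number >= 0x10002000L;
}

/* Macro-presence test suggested in the thread. In a real build SSL_CTRL_SET_CURVES comes from
 * <openssl/ssl.h>; this stand-alone file does not include it, so the function reports 0 here. */
int curves_ctrl_compiled_in(void)
{
#if defined(SSL_CTRL_SET_CURVES)
    return 1;
#else
    return 0;
#endif
}

/* Resolve a curve name; call the runtime-loaded NIST lookup only if its symbol resolved. */
int curve_name_to_nid(const char *name, nist2nid_fn nist2nid)
{
    int nid = sn2nid_subset(name);
    if (nid == 0 && nist2nid != NULL)
        nid = nist2nid(name);
    return nid;
}

/* Constructed stand-in for a successfully loaded EC_curve_nist2nid (knows only P-256). */
int constructed_nist2nid(const char *name)
{
    return strcmp(name, "P-256") == 0 ? 415 : 0;
}
```

Passing NULL for the lookup models a LibreSSL build where the symbol did not resolve: the NIST name is simply not recognised instead of the call crashing.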
afaics EC_curve_nist2nid is part of libressl now according to https://marc.info/?l=openbsd-announce&m=143635991232240
so the only problem seems the if-conditional which can easily be fixed with #if defined(SSL_CTRL_SET_CURVES)
Should this be closed as behaving correctly?
I'm building Qt 5.5.1 on OpenBSD right now, with the "defined(SSL_CTRL_SET_CURVES)" tweak added. I'll report if something breaks at run-time once it's possible to test, so please don't close this issue for now.
@4a6f656c OpenSSL also defines SSL_CTRL_SET_CURVES_LIST
which is checked for by e.g. nginx: https://github.com/nginx/nginx/blob/master/src/event/ngx_event_openssl.c#L1075
That is needed as well.
@leonklingele it would be far better for things to check on the availability of the function/feature, or at least condition on the thing that the code calls rather than the CTRL define. That said, we've just added these, even though they are unused due to the implementation.
@4a6f656c agree, bbf43a1 broke qtnetwork-5.7.1 which invokes those macros when they are defined
@zavorka is right, I just hit this problem too. Removing the doesnt_exist defines fixes the build.
@zavorka @v4hn - thanks, the OpenBSD ports developers discovered the same issue with Qt. The problem here is that they do not use the macros; rather, they decided to call SSL_ctrl() directly. Removing the doesnt_exist does fix the compilation issue, but it still will not use the functionality.
I've just committed a change that replaces the defines with actual values that are wired into the control interface. We'd hoped to remove this entirely, however it seems like we're stuck supporting it for now.