OpenSSL 1.1 support status : what next?

Emmanuel Deloget logout at free.fr
Sun Jun 25 02:35:52 AEST 2017 

Hello Douglas,

On Fri, Jun 23, 2017 at 9:16 PM, Douglas E Engert <deengert at gmail.com>
wrote:
> OpenSC has taken a different approach to OpenSSL-1.1. Rather then writing
> a shim for OpenSSL-1.1, the OpenSC code has been converted to
> the OpenSSL-1.1 API and a sc-ossl-compat.h" file consisting of defines and
> macros was written to support older versions of OpenSSL and Libressl.
>
>
https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/sc-ossl-compat.h
>
> The nice part of this approach is when using OpenSSL-1.1 sc-ossl-compat.h
> does not do anything. It sole purpose to provide calls to the older APIs
> that are not going to change and eventually the sc-ossl-compat.h could be
> removed.
>
> Only the OpenSSL routines used by OpenSC have added to sc-ossl-compat.h
> but others defines and macro could be added.There are a few utilities that
> use still use a few #ifdef's during initialization.

This might be because I'm kind of a failure when I try to speak English but
this is what I assumed to be a shim :) Of course, I might be wrong again :)

This is very similar to the approach taken by Kurt in his patch and to the
work I did for OpenVPN
​ [1]​
. And I also think it's the way to go since it will allow to diss older
versions of openssl and/or libressl with minimal change in the Code That
Matters while not being terribly difficult to maintain. According to Kurt's
patch, such a compat file for openssh would clock at roughly 500 lines of
nearly trivial code (and I insist on this fact: code is quite trivial. The
most complicated function would be this one :

​----8<-----​
static int EVP_MD_CTX_reset(EVP_MD_CTX *ctx)
{
​ ​
if (ctx == NULL)
​ ​
return 1;
​ ​
/*
​ ​
* Don't assume ctx->md_data was cleaned in EVP_Digest_Final, because
​ ​
* sometimes only copies of the context are ever finalised.
​ ​
*/
​ ​
if (ctx->digest && ctx->digest->cleanup
​ ​
   && !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_CLEANED))
​ ​
ctx->digest->cleanup(ctx);
​ ​
if (ctx->digest && ctx->digest->ctx_size && ctx->md_data
​ ​
   && !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE)) {
​ ​
OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);
​ ​
}
​ ​
EVP_PKEY_CTX_free(ctx->pctx);
#ifndef OPENSSL_NO_ENGINE
​ ​
ENGINE_finish(ctx->engine);
#endif
​ ​
OPENSSL_cleanse(ctx, sizeof(*ctx));

​ ​
return 1;
}
​---->8-----


Other functions are getter and setters such as :

​----8<-----​
void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM
**priv_key)
{
if (pub_key != NULL)
*pub_key = dh->pub_key;
if (priv_key != NULL)
*priv_key = dh->priv_key;
}

int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)
{
/* If the field pub_key in dh is NULL, the corresponding input
* parameters MUST be non-NULL.  The priv_key field may
* be left NULL.
*/
if (dh->pub_key == NULL && pub_key == NULL)
return 0;

if (pub_key != NULL) {
BN_free(dh->pub_key);
dh->pub_key = pub_key;
}
if (priv_key != NULL) {
BN_free(dh->priv_key);
dh->priv_key = priv_key;
}

return 1;
}

​int RSA_bits(const RSA *r)
{
return (BN_num_bits(r->n));
}
​---->8-----


There are some simple security​-related functions such as OPENSSL_zalloc()
or OPENSSL_clean_free() but these functions are quite simple too (and the
reasoning behind them is, I assume, well known).


BR,

-- Emmanuel Deloget

​[1]
https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/openssl_compat.h

More information about the openssh-unix-dev mailing list