Status of OpenSSL 1.1 support

Sebastian Andrzej Siewior openssh at ml.breakpoint.cc
Mon Oct 16 06:04:17 AEDT 2017


On 2017-10-14 11:40:30 [+1100], Damien Miller wrote:
> The compatibility layer is unversioned, incomplete, barely documented
> and seems to be unmaintained. Because it isn't a library, they require
> it to be added to downstream projects directly. This isn't even close
> to a solution.

It can't be a library like lib-ossl-compat.so or so. All data struct
became opaque and all that "compat" layer is doing is providing the
accessor functions which have to be used in openssl 1.1 and were not
around in earler openssl versions. So you can use the accessor function
and don't have to care about the crypto library.
Providing a library like lib-ossl-compat.so would required to be
compiled against the same libssl.so _and_ would require a so bump each
time the now opaque struct has been modified (since it would export the
hidden opaque struct). This would defeat the purpose of making them
opaque in the first place.
What they did is simply collect the accessor which were needed in order
to be able to compile against both versions.

Are you saying, that you do not accept a wrapper like
	static inline int
	EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx) {
		return ctx->key_len;
	}

and prefer accessing
	ctx->key_len

directly instead? Except for the different function, the resulting code
should be identical when compiled against libressl. It also shouldn't be
problemantic from the security / maintainance point of view since the
wrapper does exactly what you would do while using libressl anyway.
The worst thing that could happen is that you perform some kind of
access which is not yet covered by a wrapper function. But this isn't
something you should care about, the openssl 1.1 users would notice it
and send I patch. I guess you might be annoyed but those patches. Other
than that, it should be fine.

> In the absence of any progress, I'm considering adding some build sugar
> to simplify the process of building (and possibly fetching) LibreSSL as
> port of the OpenSSH build process. AFAIK Apple's OpenSSH distribution is
> already linked against LibreSSL (and of course, OpenBSD does too), so
> IMO it's had enough road-testing for general use.

Please don't. This reads like you are thinking about embedding a library
into the openssh project. Distros don't like this. It has security
implications.

> -d

Sebastian


More information about the openssh-unix-dev mailing list