Working with recent LibreSSL versions as a replacement for OpenSSL, I found it impossible to patch the currently
available OpenSSL plugin reliably (e.g. so that it is ready for audit). So I ported OpenSSL into a new plugin, removing
the #ifdef/#endif hell.
This is a suggestion. Unit tests work with the provided patch. Regression tests have not been (fully) updated
yet (not covered by the patch).
#2 Updated by Tobias Brunner about 3 years ago
- Category changed from libcharon to libstrongswan
- Status changed from New to Feedback
Thanks for the effort, but this doesn't really do it. It's based on an old version (5.5.3, I guess; there were several changes to the openssl plugin since then), it only provides a subset of the functionality of the openssl plugin, and the code changes (besides lots of unnecessary code reformatting that makes spotting the differences more difficult) are quite minimal. I really don't like maintaining lots of duplicate code (not that the situation with these ifdefs is much better; I guess we could remove support for older OpenSSL versions to make that a bit better, though).
According to some reports (e.g. this FreeBSD bug), the following might be enough to get the openssl plugin working with LibreSSL:

    #ifdef LIBRESSL_VERSION_NUMBER
    #undef OPENSSL_VERSION_NUMBER
    #define OPENSSL_VERSION_NUMBER 0x1000107fL
    #endif
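What that one-line pin actually does to the version guards, as an added, self-contained C illustration (not code from strongSwan, the openssl plugin or the FreeBSD report): the two header macros are constructed stand-ins for what LibreSSL 2.6.3's opensslv.h defines (it reports OPENSSL_VERSION_NUMBER as 0x20000000L and adds LIBRESSL_VERSION_NUMBER), the REAL_OPENSSLV switch is this example's own knob, and the guard functions mirror the shape of the plugin's #if checks rather than any specific code in it.

```c
#include <stdio.h>

/*
 * Stand-in for <openssl/opensslv.h>. The two values below are constructed
 * for this example and mimic LibreSSL 2.6.3, which presents itself as
 * OpenSSL "2.0.0" and additionally defines LIBRESSL_VERSION_NUMBER.
 * Build with -DREAL_OPENSSLV to pull in the real header instead.
 */
#ifdef REAL_OPENSSLV
#include <openssl/opensslv.h>
#else
#define OPENSSL_VERSION_NUMBER  0x20000000L   /* constructed: LibreSSL's value */
#define LIBRESSL_VERSION_NUMBER 0x2060300fL   /* constructed: LibreSSL 2.6.3 */
#endif

/* The workaround quoted above: make LibreSSL claim to be OpenSSL 1.0.1g. */
#ifdef LIBRESSL_VERSION_NUMBER
#undef OPENSSL_VERSION_NUMBER
#define OPENSSL_VERSION_NUMBER 0x1000107fL
#endif

/*
 * Guards of this shape are what the openssl plugin's #ifdef blocks key on.
 * Returns 110, 102 or 101 for the API generation the preprocessor selected.
 */
int openssl_api_generation(void)
{
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
    return 110;   /* opaque contexts: EVP_MD_CTX_new(), HMAC_CTX_new(), ... */
#elif OPENSSL_VERSION_NUMBER >= 0x10002000L
    return 102;
#else
    return 101;   /* stack-allocated EVP_MD_CTX with EVP_MD_CTX_init(), ... */
#endif
}

/*
 * Anything gated on >= 1.0.2 is compiled out by the pin, even where the
 * library actually provides the function. That is the cost of the one-liner.
 */
int feature_gated_on_102_compiled_in(void)
{
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
    return 1;
#else
    return 0;
#endif
}

/* The pin only rewrites OPENSSL_VERSION_NUMBER; LibreSSL-specific guards
 * elsewhere still see the real library. */
int libressl_detected(void)
{
#ifdef LIBRESSL_VERSION_NUMBER
    return 1;
#else
    return 0;
#endif
}

/* The version the rest of the translation unit will believe it compiles against. */
long effective_openssl_version(void)
{
    return OPENSSL_VERSION_NUMBER;
}

int main(void)
{
    printf("effective OPENSSL_VERSION_NUMBER: 0x%08lx\n", effective_openssl_version());
    printf("API generation selected:         %d\n", openssl_api_generation());
    printf("1.0.2-gated feature compiled in: %d\n", feature_gated_on_102_compiled_in());
    printf("LibreSSL detected:               %d\n", libressl_detected());
    return 0;
}
```

Compiled as-is this selects the 1.0.1 code paths and drops every 1.0.2/1.1.0-gated block; compiled with -DREAL_OPENSSLV against an OpenSSL 1.1 header the pin is a no-op and the 1.1 paths are chosen. The point for review is that the pin lies to every guard in the file at once, so it is a build workaround to get the plugin linking, not a compatibility layer, and any #if that was added because LibreSSL lacks a 1.1 symbol still needs its own LIBRESSL_VERSION_NUMBER check.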
#3 Updated by Jordan Hrycaj about 3 years ago
The patch applies to 5.5.3 and 5.6.0.
I had problems with 5.6.0 using LibreSSL 2.6.2 and 2.6.3 with StrongSwan 5.6.0. Will go to 5.6.1 (or better) soon.
Do as you like and ditch that patch. Unfortunately the OpenSSL plugin is hard to audit/code review, although it seems OK in most cases (seen after refactoring).
On the other hand, any new module implies work to verify ...