Feature #2495
LibreSSL Plugin
Description
Working with recent LibreSSL versions to replace OpenSSL, I found it impossible to patch the currently available OpenSSL plugin reliably (e.g. ready for audit). So I ported OpenSSL into a new plugin, removing the #ifdef/#endif hell.
This is a suggestion. Unit tests work with the provided patch. Regression tests have not been (fully) updated yet (not covered by the patch).
History
#1 Updated by Jordan Hrycaj over 4 years ago
wrong category, sorry => libstrongswan
#2 Updated by Tobias Brunner over 4 years ago
- Category changed from libcharon to libstrongswan
- Status changed from New to Feedback
Thanks for the effort but this doesn't really do it. It's based on an old version (5.5.3 I guess, there were several changes to the openssl plugin since then), it only provides a subset of the functionality of the openssl plugin, and the code changes (besides lots of unnecessary code reformatting that makes spotting the differences more difficult) are quite minimal and I really don't like maintaining lots of duplicate code (not that the situation with these ifdefs is much better - I guess we could remove support for older OpenSSL versions to make that a bit better, though).
According to some reports (e.g. this FreeBSD bug) the following might be enough to get the openssl plugin working with LibreSSL:
#ifdef LIBRESSL_VERSION_NUMBER
#undef OPENSSL_VERSION_NUMBER
#define OPENSSL_VERSION_NUMBER 0x1000107fL
#endif
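As an added illustration of why that shim works (example code written for this page, not from the ticket or from strongSwan): OpenSSL encodes OPENSSL_VERSION_NUMBER as MNNFFPPS, and LibreSSL's opensslv.h sets it to 0x20000000L, so any `#if OPENSSL_VERSION_NUMBER >= 0x10100000L` ladder in the plugin would select the 1.1 API; pinning it to 0x1000107fL (1.0.1g) routes the build to the 1.0.x branch instead. The 1.1.0 threshold and the function names are illustrative, and the macros are constructed stand-ins for the real headers.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-ins for what opensslv.h defines: LibreSSL reports
 * OPENSSL_VERSION_NUMBER as 0x20000000L; the shim above pins 0x1000107fL. */
#define LIBRESSL_REPORTED_VERSION 0x20000000UL
#define SHIM_PINNED_VERSION       0x1000107fUL
#define OPENSSL_1_1_0             0x10100000UL  /* typical #if threshold */
/* The #ifdef shim as a runtime function: when building against LibreSSL,
 * ignore the reported number and use the pinned 1.0.1g value. */
unsigned long effective_version(unsigned long reported, int is_libressl)
{
    return is_libressl ? SHIM_PINNED_VERSION : reported;
}

/* A plugin's usual ladder: 1 = 1.1 API (opaque structs, no locking
 * callbacks), 0 = legacy 1.0.x API with CRYPTO locking callbacks. */
int api_generation(unsigned long version)
{
    return version >= OPENSSL_1_1_0 ? 1 : 0;
}

/* Decode OpenSSL's MNNFFPPS encoding: M major, NN minor, FF fix, PP patch
 * letter (0 = none, 1 = 'a', ...), S status (0 dev, 1..e beta, f release). */
int decode_version(unsigned long v, char *out, size_t len)
{
    unsigned major = (v >> 28) & 0xf, minor = (v >> 20) & 0xff;
    unsigned fix = (v >> 12) & 0xff, patch = (v >> 4) & 0xff, status = v & 0xf;
    char letter[2] = { 0, 0 };
    if (patch >= 1 && patch <= 26)
        letter[0] = (char)('a' + patch - 1);
    return snprintf(out, len, "%u.%u.%u%s%s", major, minor, fix, letter,
                    status == 0xf ? "" : status == 0 ? "-dev" : "-beta");
}
int version_reads_as(unsigned long v, const char *expected)
{
    char buf[32];
    decode_version(v, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char a[32], b[32];
    unsigned long shimmed = effective_version(LIBRESSL_REPORTED_VERSION, 1);
    decode_version(LIBRESSL_REPORTED_VERSION, a, sizeof a);
    decode_version(shimmed, b, sizeof b);
    printf("LibreSSL reports %s (generation %d); with shim %s (generation %d)\n",
           a, api_generation(LIBRESSL_REPORTED_VERSION), b, api_generation(shimmed));
    return 0;
}
```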
#3 Updated by Jordan Hrycaj over 4 years ago
The patch applies to 5.5.3 and 5.6.0.
I had problems with 5.6.0 using LibreSSL 2.6.2, 2.6.3 w/StrongSwan 5.6.0. Will go to 5.6.1 (or better) soon.
Do as you like and ditch that patch. Unfortunately the OpenSSL plugin is hard to audit/code review, although it seems ok in most cases (seen after re-factoring).
On the other hand, any new module implies work to verify ...
#4 Updated by Jordan Hrycaj over 4 years ago
Just an additional side note: This patch adds additional overhead for thread locking and probably other oddities to LibreSSL, but it may work nevertheless.