Feature #2495

LibreSSL Plugin

Added by Jordan Hrycaj about 3 years ago. Updated about 3 years ago.

Status: Feedback
Priority: Normal
Assignee: -
Category: libstrongswan
Target version: -
Start date: 12.12.2017
Due date:
Estimated time:
Resolution:

Description

Working with recent LibreSSL versions to replace OpenSSL I found it impossible to patch the currently
available OpenSSL plugin reliably (e.g. ready for audit). So I ported OpenSSL into a new plugin removing
the #ifdef/#endif hell.

This is a suggestion. Unit tests work with the provided patch. Regression tests have not been (fully) updated,
yet (not covered by patch).

0003-ADDED-LibreSSL-plugin-for-EC-RSA-x509-cert-handling.patch (123 KB) - libressl plugin - Jordan Hrycaj, 12.12.2017 11:06
strongswan-test.log (197 KB) - unit test logs - Jordan Hrycaj, 12.12.2017 11:06

History

#1 Updated by Jordan Hrycaj about 3 years ago

wrong category, sorry => libstrongswan

#2 Updated by Tobias Brunner about 3 years ago

  • Category changed from libcharon to libstrongswan
  • Status changed from New to Feedback

Thanks for the effort but this doesn't really do it. It's based on an old version (5.5.3 I guess, there were several changes to the openssl plugin since then), it only provides a subset of the functionality of the openssl plugin, and the code changes (besides lots of unnecessary code reformatting that makes spotting the differences more difficult) are quite minimal and I really don't like maintaining lots of duplicate code (not that the situation with these ifdefs is much better - I guess we could remove support for older OpenSSL versions to make that a bit better, though).

According to some reports (e.g. this FreeBSD bug) the following might be enough to get the openssl plugin working with LibreSSL:

#ifdef LIBRESSL_VERSION_NUMBER
#undef OPENSSL_VERSION_NUMBER
#define OPENSSL_VERSION_NUMBER 0x1000107fL
#endif
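
Added example (not from this ticket or from strongSwan) in C showing what the shim above does to the version gates of an OpenSSL-based plugin: OpenSSL encodes its version as 0xMNNFFPPS, LibreSSL's own headers report OPENSSL_VERSION_NUMBER as 0x20000000L, and the override pins every gate to 1.0.1g. The gate, the enum names and the sample values are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed: LibreSSL's opensslv.h reports OPENSSL_VERSION_NUMBER as
 * 0x20000000L ("2.0.0"); the shim above replaces it with 1.0.1g. */
#define LIBRESSL_REPORTED_VERSION 0x20000000L
#define SHIM_VERSION              0x1000107fL

enum api_path { API_OPENSSL_10X = 10, API_OPENSSL_11X = 11 };

/* Stands in for a plugin gate "#if OPENSSL_VERSION_NUMBER >= 0x10100000L"
 * that picks the opaque 1.1 API over direct 1.0.x struct access. */
enum api_path select_api_path(unsigned long ossl_version)
{
    return ossl_version >= 0x10100000L ? API_OPENSSL_11X : API_OPENSSL_10X;
}

/* The shim's effect: with LIBRESSL_VERSION_NUMBER defined, every gate
 * sees 1.0.1g instead of what the headers reported. */
unsigned long effective_version(unsigned long reported, int is_libressl)
{
    return is_libressl ? SHIM_VERSION : reported;
}

/* Decode OpenSSL's 0xMNNFFPPS layout (major, minor, fix, patch, status)
 * into "1.0.1g" form; a patch value of 0 carries no letter. */
int format_version(unsigned long v, char *buf, size_t len)
{
    unsigned major = (v >> 28) & 0xf, minor = (v >> 20) & 0xff;
    unsigned fix = (v >> 12) & 0xff, patch = (v >> 4) & 0xff;
    if (patch)
        return snprintf(buf, len, "%u.%u.%u%c", major, minor, fix,
                        (int)('a' + patch - 1));
    return snprintf(buf, len, "%u.%u.%u", major, minor, fix);
}

/* True if v decodes to the expected dotted version string. */
int version_is(unsigned long v, const char *expected)
{
    char buf[32];
    format_version(v, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    unsigned long raw = LIBRESSL_REPORTED_VERSION;
    printf("gate without shim: 1.%s API, with shim: 1.%s API\n",
           select_api_path(raw) == API_OPENSSL_11X ? "1" : "0.x",
           select_api_path(effective_version(raw, 1)) == API_OPENSSL_11X ? "1" : "0.x");
    return 0;
}
```

Without the override, LibreSSL's 2.0.0 value satisfies every "newer than" gate, including ones for the 1.1 opaque API it does not implement; with it, anything gated on a version above 1.0.1g is compiled out even where LibreSSL does provide it.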

#3 Updated by Jordan Hrycaj about 3 years ago

The patch applies to 5.5.3 and 5.6.0.
I had problems with 5.6.0 using LibreSSL 2.6.2, 2.6.3 w/StrongSwan 5.6.0. Will go to 5.6.1 (or better) soon.

Do as you like and ditch that patch. Unfortunately the OpenSSL plugin is hard to audit/code review, although it seems ok in most cases (seen after re-factoring).

On the other hand, any new module implies work to verify ...

#4 Updated by Jordan Hrycaj about 3 years ago

Just an additional side note: This patch adds additional overhead for thread locking and probably other oddities to LibreSSL but it may work nevertheless.
