Skip to content

Match functions to the respective OpenSSL and LibreSSL versions (including LibreSSL 2.7!)#4234

Closed
vishwin wants to merge 3 commits intopyca:masterfrom
vishwin:master
Closed

Match functions to the respective OpenSSL and LibreSSL versions (including LibreSSL 2.7!)#4234
vishwin wants to merge 3 commits intopyca:masterfrom
vishwin:master

Conversation

@vishwin
Copy link
Contributor

@vishwin vishwin commented May 13, 2018
edited
Loading

In the footsteps of #4210 and #4211, fix at least some of the remaining fallout. During this process, introduce some additional LibreSSL defines. Not only does LibreSSL 2.7 not implement every new function from OpenSSL 1.1.0, but certain functions from both OpenSSL 1.1.0 and 1.0.2 actually appeared in LibreSSL 2.1.4 and 2.5.1 instead of 2.7.0. In the future we may need some sort of separation between the OpenSSL and LibreSSL defines.

I tested this on FreeBSD 12-CURRENT under LibreSSL 2.7.3, OpenSSL 1.0.2o (from base system and ports) and OpenSSL 1.1.0h. Ran the Fernet example from the README and test imported the OpenSSL python library, both with no problems.

vishwin added 3 commits May 13, 2018 00:11
@vishwin
Match functions to the respective OpenSSL and LibreSSL versions
479064e 
Being that LibreSSL 2.7 introduced most of OpenSSL 1.1.0's APIs,
modify the preprocessor directives to match. In this process,
introduce some more CRYPTOGRAPHY_LIBRESSL defines, especially as
certain OpenSSL functions appeared in earlier LibreSSL versions
2.5.0 and 2.5.1.
@vishwin
Custom extensions don't exist in LibreSSL
cb61f20
@vishwin
ALPN actually first appeared in LibreSSL 2.1.4
c39a5b4
@reaperhulk
Copy link
Member

reaperhulk commented May 16, 2018
edited
Loading

Looks like some pep8 issues here, but I'm concerned about the direction these macros are taking at this point. The complexity is very high and we're doing things like returning true for CRYPTOGRAPHY_OPENSSL_110_OR_GREATER when it's LibreSSL >= 2.7.0, but then adding additional checks in some places to say "oh but if it's actually libre then ignore the previous".

I don't have a good suggestion on how to handle this but I'm not comfortable merging as is.

On the bright side we'll be moving the libre builder into travis shortly so we can test 2.7.x more easily to confirm that it works in CI. Previously we tested in Jenkins but the Jenkins builders won't trust changes coming from non-committers.

@vishwin
Copy link
Contributor Author

vishwin commented May 17, 2018

I'll probably just separate the logic in the macros given the creeping complexity we're all seeing, as in only having the CRYPTOGRAPHY_OPENSSL return true when actually OpenSSL and vice versa for LibreSSL. Places where any CRYPTOGRAPHY_OPENSSL macros are in use will then need to add the corresponding CRYPTOGRAPHY_LIBRESSL macro. I think this will allow for a cleaner distinction between features found between the two SSL implementations, as said previously, different OpenSSL features appeared in LibreSSL earlier than 2.7, some don't exist in libre at all, etc. This can even account for the possibility of LibreSSL having something that OpenSSL doesn't.

I am continuing to discuss with sp1l on how to best tackle this.

This was referenced May 28, 2018
Closed
Closed
@adarshaj adarshaj mentioned this pull request May 29, 2018
Closed
This was referenced May 29, 2018
Closed
Merged
@alex
Copy link
Member

alex commented May 31, 2018

Subsumed by #4270

@alex alex closed this May 31, 2018
@BKPepe BKPepe mentioned this pull request Oct 22, 2019
Closed
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 9, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@vishwin @reaperhulk @alex