Message ID | 20221105203247.3284-1-bage@debian.org |
---|---|
State | Accepted |
Series | Drop LibreSSL deviation from OpenSSL | expand |
Hi Bastian, On 05.11.22 21:32, Bastian Germann wrote: > Current LibreSSL versions do not need any exceptions from OpenSSL. > This was tested with v3.6.1 on Arch Linux. > > Signed-off-by: Bastian Germann <bage@debian.org> > --- > corelib/swupdate_decrypt.c | 4 ++-- > include/sslapi.h | 14 +++++--------- > 2 files changed, 7 insertions(+), 11 deletions(-) > > diff --git a/corelib/swupdate_decrypt.c b/corelib/swupdate_decrypt.c > index b3a4d0a..9fa8dcb 100644 > --- a/corelib/swupdate_decrypt.c > +++ b/corelib/swupdate_decrypt.c > @@ -46,7 +46,7 @@ struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *key, char keylen, u > return NULL; > } > > -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) > +#if OPENSSL_VERSION_NUMBER < 0x10100000L > EVP_CIPHER_CTX_init(&dgst->ctxdec); > #else > dgst->ctxdec = EVP_CIPHER_CTX_new(); > @@ -111,7 +111,7 @@ int swupdate_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf, > void swupdate_DECRYPT_cleanup(struct swupdate_digest *dgst) > { > if (dgst) { > -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) > +#if OPENSSL_VERSION_NUMBER < 0x10100000L > EVP_CIPHER_CTX_cleanup(SSL_GET_CTXDEC(dgst)); > #else > EVP_CIPHER_CTX_free(SSL_GET_CTXDEC(dgst)); > diff --git a/include/sslapi.h b/include/sslapi.h > index 1fa15b0..accf3c4 100644 > --- a/include/sslapi.h > +++ b/include/sslapi.h > @@ -55,14 +55,11 @@ > #if defined(CONFIG_SSL_IMPL_OPENSSL) || defined(CONFIG_SSL_IMPL_WOLFSSL) > > #ifdef CONFIG_SIGALG_CMS > -#if defined(LIBRESSL_VERSION_NUMBER) > -#error "LibreSSL does not support CMS, please select RSA PKCS" > -#else > #include <openssl/cms.h> > > static inline uint32_t SSL_X509_get_extension_flags(X509 *x) > { > -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) > +#if OPENSSL_VERSION_NUMBER < 0x10100000L > return x->ex_flags; > #else > return X509_get_extension_flags(x); 
> @@ -71,14 +68,13 @@ static inline uint32_t SSL_X509_get_extension_flags(X509 *x) > > static inline uint32_t SSL_X509_get_extended_key_usage(X509 *x) > { > -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) > +#if OPENSSL_VERSION_NUMBER < 0x10100000L > return x->ex_xkusage; > #else > return X509_get_extended_key_usage(x); > #endif > } > > -#endif > #endif /* CONFIG_SIGALG_CMS */ > > #ifdef CONFIG_SSL_IMPL_WOLFSSL > @@ -104,14 +100,14 @@ struct swupdate_digest { > Aes ctxdec; > Pkcs11Dev pkdev; > Pkcs11Token pktoken; > -#elif OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) > +#elif OPENSSL_VERSION_NUMBER < 0x10100000L > EVP_CIPHER_CTX ctxdec; > #else > EVP_CIPHER_CTX *ctxdec; > #endif > }; > > -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) > +#if OPENSSL_VERSION_NUMBER < 0x10100000L > #define SSL_GET_CTXDEC(dgst) &dgst->ctxdec > #else > #define SSL_GET_CTXDEC(dgst) dgst->ctxdec > @@ -122,7 +118,7 @@ struct swupdate_digest { > * library > * It must be called just once > */ > -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) > +#if OPENSSL_VERSION_NUMBER < 0x10100000L > #define swupdate_crypto_init() { \ > do { \ > CRYPTO_malloc_init(); \ Applied to -master, thanks ! Best regards, Stefano Babic
diff --git a/corelib/swupdate_decrypt.c b/corelib/swupdate_decrypt.c
index b3a4d0a..9fa8dcb 100644
--- a/corelib/swupdate_decrypt.c
+++ b/corelib/swupdate_decrypt.c
@@ -46,7 +46,7 @@ struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *key, char keylen, u
 return NULL;
 }
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 EVP_CIPHER_CTX_init(&dgst->ctxdec);
 #else
 dgst->ctxdec = EVP_CIPHER_CTX_new();
@@ -111,7 +111,7 @@ int swupdate_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf,
 void swupdate_DECRYPT_cleanup(struct swupdate_digest *dgst)
 {
 if (dgst) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 EVP_CIPHER_CTX_cleanup(SSL_GET_CTXDEC(dgst));
 #else
 EVP_CIPHER_CTX_free(SSL_GET_CTXDEC(dgst));
diff --git a/include/sslapi.h b/include/sslapi.h
index 1fa15b0..accf3c4 100644
--- a/include/sslapi.h
+++ b/include/sslapi.h
@@ -55,14 +55,11 @@
 #if defined(CONFIG_SSL_IMPL_OPENSSL) || defined(CONFIG_SSL_IMPL_WOLFSSL)
 
 #ifdef CONFIG_SIGALG_CMS
-#if defined(LIBRESSL_VERSION_NUMBER)
-#error "LibreSSL does not support CMS, please select RSA PKCS"
-#else
 #include <openssl/cms.h>
 
 static inline uint32_t SSL_X509_get_extension_flags(X509 *x)
 {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 return x->ex_flags;
 #else
 return X509_get_extension_flags(x);
@@ -71,14 +68,13 @@ static inline uint32_t SSL_X509_get_extension_flags(X509 *x)
 
 static inline uint32_t SSL_X509_get_extended_key_usage(X509 *x)
 {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 return x->ex_xkusage;
 #else
 return X509_get_extended_key_usage(x);
 #endif
 }
 
-#endif
 #endif /* CONFIG_SIGALG_CMS */
 
 #ifdef CONFIG_SSL_IMPL_WOLFSSL
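Review bot: The `#if OPENSSL_VERSION_NUMBER < 0x10100000L` test left in swupdate_DECRYPT_init() can never select the legacy branch on LibreSSL, because LibreSSL reports a fixed `OPENSSL_VERSION_NUMBER` of 0x20000000L whatever its real release is, so nothing in the new code states which LibreSSL is the minimum. The commit message reports a test with v3.6.1 only; an older LibreSSL that lacks `<openssl/cms.h>` or one of the 1.1-style accessors would presumably stop with an unrelated-looking compile error instead of the removed `#error`. The same condition is used in the hunks for swupdate_DECRYPT_cleanup(), SSL_X509_get_extension_flags(), SSL_X509_get_extended_key_usage(), struct swupdate_digest, SSL_GET_CTXDEC and swupdate_crypto_init(). I would add one explicit floor near the top of include/sslapi.h: `#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < MIN_LIBRESSL_VERSION`, `#error "LibreSSL is too old for SWUpdate"`, `#endif`, where MIN_LIBRESSL_VERSION is a placeholder for the oldest release actually verified. The function bodies start and end outside these hunks.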
@@ -104,14 +100,14 @@ struct swupdate_digest {
 Aes ctxdec;
 Pkcs11Dev pkdev;
 Pkcs11Token pktoken;
-#elif OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#elif OPENSSL_VERSION_NUMBER < 0x10100000L
 EVP_CIPHER_CTX ctxdec;
 #else
 EVP_CIPHER_CTX *ctxdec;
 #endif
 };
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 #define SSL_GET_CTXDEC(dgst) &dgst->ctxdec
 #else
 #define SSL_GET_CTXDEC(dgst) dgst->ctxdec
@@ -122,7 +118,7 @@ struct swupdate_digest {
 * library
 * It must be called just once
 */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 #define swupdate_crypto_init() { \
 do { \
 CRYPTO_malloc_init(); \
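Review bot: Both `SSL_GET_CTXDEC` definitions in this hunk expand their argument without parentheses, so an argument that is not a plain identifier would bind wrongly to `&` and `->`. Since LibreSSL builds now use the second definition as well, this is a good moment to write them as `#define SSL_GET_CTXDEC(dgst) (&(dgst)->ctxdec)` and `#define SSL_GET_CTXDEC(dgst) ((dgst)->ctxdec)`. The call site visible in swupdate_DECRYPT_cleanup() passes a plain variable, so this is hardening of the macro rather than a live bug.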
Current LibreSSL versions do not need any exceptions from OpenSSL. This was tested with v3.6.1 on Arch Linux. Signed-off-by: Bastian Germann <bage@debian.org> --- corelib/swupdate_decrypt.c | 4 ++-- include/sslapi.h | 14 +++++--------- 2 files changed, 7 insertions(+), 11 deletions(-)