[PATCH v1 1/1] add libressl support

Adam Duskett

Jul 14, 2017, 1:45:49 PM
to swup...@googlegroups.com, Adam Duskett
Because LibreSSL returns 2.x for the version numbers, the macros think
that OpenSSL 1.1 should be used. This patch checks to see if there is
an LIBRESSL_VERSION_NUMBER defined.

Also, add a check to see if CONFIG_SIGALG_CMS is enabled in sslapi.h
before including openssl/cms.h. LibreSSL does not support cms and
probably never will. As such, LibreSSL doesn't include it and will
fail during a build that would otherwise pass.

Signed-off-by: Adam Duskett <adus...@gmail.com>
---
corelib/swupdate_decrypt.c | 4 ++--
include/sslapi.h | 8 +++++---
2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/corelib/swupdate_decrypt.c b/corelib/swupdate_decrypt.c
index ea68fdd..8e092c8 100644
--- a/corelib/swupdate_decrypt.c
+++ b/corelib/swupdate_decrypt.c
@@ -43,7 +43,7 @@ struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *key, unsigned char
return NULL;
}

-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
EVP_CIPHER_CTX_init(&dgst->ctxdec);
#else
dgst->ctxdec = EVP_CIPHER_CTX_new();
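Review bot: The new term in swupdate_DECRYPT_init, "|| defined(LIBRESSL_VERSION_NUMBER)", routes every LibreSSL release to the EVP_CIPHER_CTX_init(&dgst->ctxdec) branch with no upper bound on the version. If a later LibreSSL release makes EVP_CIPHER_CTX opaque, this branch stops compiling; consider comparing LIBRESSL_VERSION_NUMBER against a tested bound, or at least record the tested release in a comment here.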
@@ -103,7 +103,7 @@ int swupdate_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf,
void swupdate_DECRYPT_cleanup(struct swupdate_digest *dgst)
{
if (dgst) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
EVP_CIPHER_CTX_cleanup(SSL_GET_CTXDEC(dgst));
#else
EVP_CIPHER_CTX_free(SSL_GET_CTXDEC(dgst));
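Review bot: The guard in swupdate_DECRYPT_cleanup is a hand-copied duplicate of the one in swupdate_DECRYPT_init and of those in include/sslapi.h, and picking EVP_CIPHER_CTX_cleanup over EVP_CIPHER_CTX_free is only correct while it matches how ctxdec is declared in struct swupdate_digest. Defining one feature macro in sslapi.h and testing it in every place would keep allocation, cleanup and struct layout from drifting apart the next time the condition changes.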
diff --git a/include/sslapi.h b/include/sslapi.h
index acc0813..40c52b3 100644
--- a/include/sslapi.h
+++ b/include/sslapi.h
@@ -35,21 +35,23 @@
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/aes.h>
+#ifdef CONFIG_SIGALG_CMS
#include <openssl/cms.h>
+#endif
#include <openssl/opensslv.h>

struct swupdate_digest {
EVP_PKEY *pkey; /* this is used for RSA key */
X509_STORE *certs; /* this is used if CMS is set */
EVP_MD_CTX *ctx;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
EVP_CIPHER_CTX ctxdec;
#else
EVP_CIPHER_CTX *ctxdec;
#endif
};

-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
#define SSL_GET_CTXDEC(dgst) &dgst->ctxdec
#else
#define SSL_GET_CTXDEC(dgst) dgst->ctxdec
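Review bot: The #ifdef CONFIG_SIGALG_CMS around openssl/cms.h only hides the header when CMS is off; with CONFIG_SIGALG_CMS enabled on LibreSSL the include is still reached and the build fails on a missing header with no hint at the cause. Add an #error under defined(LIBRESSL_VERSION_NUMBER) inside that block that tells the user which option to change.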
@@ -60,7 +62,7 @@ struct swupdate_digest {
* library
* It must be called just once
*/
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
#define swupdate_crypto_init() { \
do { \
CRYPTO_malloc_init(); \
--
2.13.0

Stefano Babic

Jul 15, 2017, 12:24:29 PM
to Adam Duskett, swup...@googlegroups.com
Hi Adam,

On 14/07/2017 19:45, Adam Duskett wrote:
> Because LibreSSL returns 2.x for the version numbers, the macros think
> that OpenSSL 1.1 should be used. This patch checks to see if there is
> an LIBRESSL_VERSION_NUMBER defined.
>

ok - the same fix is used in other projects as well.

Just for my curiosity: LibreSSL is part neither of distros nor of
Yocto / Buildroot. Do you use SWUpdate on FreeBSD?

> Also, add a check to see if CONFIG_SIGALG_CMS is enabled in sslapi.h
> before including openssl/cms.h. LibreSSL does not support cms and
> probably never will. As such, LibreSSL doesn't include it and will
> fail during a build that would otherwise pass.

Anyway, this is a different issue and it is preferable to split this
patch into two separate patches, one for each issue.
What about extending the test here to stop the compiler if
CONFIG_SIGALG_CMS is used with LibreSSL? We can write a very useful
hint why it cannot work. Something like:

#ifdef CONFIG_SIGALG_CMS
#if defined(LIBRESSL_VERSION_NUMBER)
#error "LibreSSL does not support CMS, turn off SIGALG_CMS"
#endif
#include <openssl/cms.h>
#endif

Best regards,
Stefano Babic

--
=====================================================================
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sba...@denx.de
=====================================================================

Adam Duskett

Jul 15, 2017, 12:26:49 PM
to Stefano Babic, swup...@googlegroups.com
Hi Stefano

On Sat, Jul 15, 2017 at 12:24 PM, Stefano Babic <sba...@denx.de> wrote:
> Hi Adam,
>
> On 14/07/2017 19:45, Adam Duskett wrote:
>> Because LibreSSL returns 2.x for the version numbers, the macros think
>> that OpenSSL 1.1 should be used. This patch checks to see if there is
>> an LIBRESSL_VERSION_NUMBER defined.
>>
>
> ok - the same fix is used in other projects as well.
>
> Just for my curiosity: LibreSSL is part neither of distros nor of
> Yocto / Buildroot. Do you use SWUpdate on FreeBSD?
>
I maintain the Buildroot package. It's in master and will be in the
next release. :)

>> Also, add a check to see if CONFIG_SIGALG_CMS is enabled in sslapi.h
>> before including openssl/cms.h. LibreSSL does not support cms and
>> probably never will. As such, LibreSSL doesn't include it and will
>> fail during a build that would otherwise pass.
>
> Anyway, this is a different issue and it is preferable to split this
> patch into two separate patches, one for each issue.
>
If you wish. I added it to the single patch because without this
change swupdate doesn't compile against LibreSSL, and thus swupdate
wouldn't support LibreSSL.

Thanks!

Adam

Stefano Babic

Jul 16, 2017, 6:34:29 AM
to Adam Duskett, Stefano Babic, swup...@googlegroups.com
Hi Adam,

On 15/07/2017 18:26, Adam Duskett wrote:
> Hi Stefano
>
> On Sat, Jul 15, 2017 at 12:24 PM, Stefano Babic <sba...@denx.de> wrote:
>> Hi Adam,
>>
>> On 14/07/2017 19:45, Adam Duskett wrote:
>>> Because LibreSSL returns 2.x for the version numbers, the macros think
>>> that OpenSSL 1.1 should be used. This patch checks to see if there is
>>> an LIBRESSL_VERSION_NUMBER defined.
>>>
>>
>> ok - the same fix is used in other projects as well.
>>
>> Just for my curiosity: LibreSSL is part neither of distros nor of
>> Yocto / Buildroot. Do you use SWUpdate on FreeBSD?
>>
> I maintain the Buildroot package. It's in master and will be in the
> next release. :)

:-)

>
>>> Also, add a check to see if CONFIG_SIGALG_CMS is enabled in sslapi.h
>>> before including openssl/cms.h. LibreSSL does not support cms and
>>> probably never will. As such, LibreSSL doesn't include it and will
>>> fail during a build that would otherwise pass.
>>
>> Anyway, this is a different issue and it is preferable to split this
>> patch into two separate patches, one for each issue.
>>
> If you wish. I added it to the single patch because without this
> change swupdate doesn't compile against LibreSSL, and thus swupdate
> wouldn't support LibreSSL.

Ok - nice if you still want to fix in a single patch. Just send a V2 to
raise an error when CONFIG_CMS with LibreSSL is set - thanks !

Best regards,
Stefano

Adam Duskett

Jul 16, 2017, 12:34:07 PM
to swup...@googlegroups.com, Adam Duskett
Because LibreSSL returns 2.x for the version numbers, the macros think
that OpenSSL 1.1 should be used. This patch checks to see if there is
an LIBRESSL_VERSION_NUMBER defined.

Also, add a check to see if CONFIG_SIGALG_CMS is enabled in sslapi.h
before including openssl/cms.h. LibreSSL does not support cms and
probably never will. As such, LibreSSL doesn't include it and will
fail during a build that would otherwise pass.

Signed-off-by: Adam Duskett <Adamd...@outlook.com>
---
Changes v1 -> v2:
- Include a check to see if LIBRESSL_VERSION_NUMBER is the host
ssl library and error out if CONFIG_SIGALG_CMS is selected with the
message: "LibreSSL does not support CMS, please select RSA PKCS" (Stefano)

corelib/swupdate_decrypt.c | 4 ++--
include/sslapi.h | 12 +++++++++---
2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/corelib/swupdate_decrypt.c b/corelib/swupdate_decrypt.c
index ea68fdd..8e092c8 100644
--- a/corelib/swupdate_decrypt.c
+++ b/corelib/swupdate_decrypt.c
@@ -43,7 +43,7 @@ struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *key, unsigned char
return NULL;
}

-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
EVP_CIPHER_CTX_init(&dgst->ctxdec);
#else
dgst->ctxdec = EVP_CIPHER_CTX_new();
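Review bot: Nothing at this #if in swupdate_DECRYPT_init says why LibreSSL is grouped with OpenSSL older than 1.1; the reason (LibreSSL reports a 2.x version number) lives only in the commit message. A one-line comment above the condition, or above its first occurrence in sslapi.h, would keep a later reader from treating the defined(LIBRESSL_VERSION_NUMBER) term as redundant and removing it.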
@@ -103,7 +103,7 @@ int swupdate_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf,
void swupdate_DECRYPT_cleanup(struct swupdate_digest *dgst)
{
if (dgst) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
EVP_CIPHER_CTX_cleanup(SSL_GET_CTXDEC(dgst));
#else
EVP_CIPHER_CTX_free(SSL_GET_CTXDEC(dgst));
diff --git a/include/sslapi.h b/include/sslapi.h
index acc0813..67aa424 100644
--- a/include/sslapi.h
+++ b/include/sslapi.h
@@ -35,21 +35,27 @@
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/aes.h>
+#ifdef CONFIG_SIGALG_CMS
+#if defined(LIBRESSL_VERSION_NUMBER)
+#error "LibreSSL does not support CMS, please select RSA PKCS"
+#else
#include <openssl/cms.h>
+#endif
+#endif
#include <openssl/opensslv.h>

struct swupdate_digest {
EVP_PKEY *pkey; /* this is used for RSA key */
X509_STORE *certs; /* this is used if CMS is set */
EVP_MD_CTX *ctx;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
EVP_CIPHER_CTX ctxdec;
#else
EVP_CIPHER_CTX *ctxdec;
#endif
};

-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
#define SSL_GET_CTXDEC(dgst) &dgst->ctxdec
#else
#define SSL_GET_CTXDEC(dgst) dgst->ctxdec
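Review bot: The defined(LIBRESSL_VERSION_NUMBER) test that drives the new #error sits above #include <openssl/opensslv.h>, the header that defines that macro, so the check relies on one of the headers above it pulling opensslv.h in first. Move the opensslv.h include to the top of the include list so the #error does not depend on transitive includes.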
@@ -60,7 +66,7 @@ struct swupdate_digest {
* library
* It must be called just once
*/
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
#define swupdate_crypto_init() { \
do { \
CRYPTO_malloc_init(); \
--
2.13.3

Adam Duskett

Jul 16, 2017, 12:35:20 PM
to Stefano Babic, swup...@googlegroups.com
Submitted.

Thanks!

Stefano Babic

Jul 17, 2017, 3:39:57 AM
to Adam Duskett, swup...@googlegroups.com, Adam Duskett
Applied to -master, thanks !

Best regards,
Stefano Babic

Adam Duskett

Jul 17, 2017, 6:51:14 AM
to Stefano Babic, swup...@googlegroups.com, Adam Duskett
And thank you as well!

I really appreciate it!

Adam