OK, then. To be honest, I had to research this subject myself because of your request :) I didn't before because the patch I had found and sent just worked.

The relevant commit which changed the API seems to be https://github.com/libressl-portable/openbsd/commit/122ecd906da74daffaeffc65c21100b967f5bb45

It was later partially reverted, because of many breakages: https://github.com/libressl-portable/openbsd/commit/0d7a7d5f5a441ac2a48a57dad03170f2f484402a

The 1st commit hides many of the internal variables in opaque structures, the 2nd one reverses some of it (enc_read_ctx was one of those reverted).

So it wasn't a bug, but bad API (inherited from OpenSSL). It will probably work until there are ways to work it around.

I'm not really sure what this patch does, as I'm not an SSL_* master. It seems to return the initialization vector of some EVP_CIPHER. I guess enc_write_ctx and enc_read_ctx are equal in this case, that's why it's fine to use enc_read_ctx.

On 17-04-26 14:38:36, David Woodhouse wrote:
> On Wed, 2017-04-26 at 15:22 +0200, Piotr Kubaj wrote:
> > Sure, it's attached.
> >
> > On 17-04-25 15:26:36, David Woodhouse wrote:
> > >
> > > On Tue, 2017-04-25 at 14:00 +0200, Piotr Kubaj wrote:
> > > >
> > > > So, OpenConnect 7.08 (I've verified this problem is also present in
> > > > OpenConnect's master branch) is once again broken with LibreSSL
> > > > (2.5.1 and higher). This patch fixes issues
> > > > https://github.com/gentoo/libressl/blob/master/net-vpn/openconnect/files/openconnect-7.08-libressl251.patch
> > > > while not breaking older releases. Could you merge it?
> > > Thanks. Can I have a commit message explaining the fix, and a
> > > signed-off-by please?
>
> Thanks... but that's still not really explaining the fix. What changed
> in LibreSSL? Why are we using enc_read_ctx instead of enc_write_ctx
> now; why is that OK? Was it a bug before? Is it guaranteed to keep
> working now or did the read context just not change *yet*? What commit
> in LibreSSL changed this... ?
>
> All of which I can work out for myself given enough time and
> motivation, but it's supposed to be there in the commit message so I
> don't have to... :)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openconnect.patch
Type: text/x-diff
Size: 720 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20170427/c11700b2/attachment.bin>