Hello Douglas,

On Fri, Jun 23, 2017 at 9:16 PM, Douglas E Engert <deengert@xxxxxxxxx> wrote:
> OpenSC has taken a different approach to OpenSSL-1.1. Rather than writing
> a shim for OpenSSL-1.1, the OpenSC code has been converted to
> the OpenSSL-1.1 API and a "sc-ossl-compat.h" file consisting of defines and
> macros was written to support older versions of OpenSSL and LibreSSL.
>
> https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/sc-ossl-compat.h
>
> The nice part of this approach is that when using OpenSSL-1.1, sc-ossl-compat.h
> does not do anything. Its sole purpose is to provide calls to the older APIs
> that are not going to change, and eventually sc-ossl-compat.h could be
> removed.
>
> Only the OpenSSL routines used by OpenSC have been added to sc-ossl-compat.h,
> but other defines and macros could be added. There are a few utilities that
> still use a few #ifdef's during initialization.

This might be because I'm kind of a failure when I try to speak English,
but this is what I assumed to be a shim :) Of course, I might be wrong
again :)

This is very similar to the approach taken by Kurt in his patch and to
the work I did for OpenVPN [1]. And I also think it's the way to go,
since it will allow us to ditch older versions of OpenSSL and/or LibreSSL
with minimal change in the Code That Matters while not being terribly
difficult to maintain.

According to Kurt's patch, such a compat file for OpenSSH would clock in
at roughly 500 lines of nearly trivial code (and I insist on this fact:
the code is quite trivial). The most complicated function would be this
one:

----8<-----
static int EVP_MD_CTX_reset(EVP_MD_CTX *ctx)
{
    if (ctx == NULL)
        return 1;

    /*
     * Don't assume ctx->md_data was cleaned in EVP_Digest_Final, because
     * sometimes only copies of the context are ever finalised.
     */
    if (ctx->digest && ctx->digest->cleanup
        && !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_CLEANED))
        ctx->digest->cleanup(ctx);
    if (ctx->digest && ctx->digest->ctx_size && ctx->md_data
        && !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE)) {
        OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);
    }
    EVP_PKEY_CTX_free(ctx->pctx);
#ifndef OPENSSL_NO_ENGINE
    ENGINE_finish(ctx->engine);
#endif
    OPENSSL_cleanse(ctx, sizeof(*ctx));
    return 1;
}
---->8-----

Other functions are getters and setters such as:

----8<-----
void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key)
{
    if (pub_key != NULL)
        *pub_key = dh->pub_key;
    if (priv_key != NULL)
        *priv_key = dh->priv_key;
}

int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)
{
    /* If the field pub_key in dh is NULL, the corresponding input
     * parameters MUST be non-NULL. The priv_key field may
     * be left NULL.
     */
    if (dh->pub_key == NULL && pub_key == NULL)
        return 0;

    if (pub_key != NULL) {
        BN_free(dh->pub_key);
        dh->pub_key = pub_key;
    }
    if (priv_key != NULL) {
        BN_free(dh->priv_key);
        dh->priv_key = priv_key;
    }

    return 1;
}

int RSA_bits(const RSA *r)
{
    return (BN_num_bits(r->n));
}
---->8-----

There are some simple security-related functions such as OPENSSL_zalloc()
or OPENSSL_clear_free(), but these functions are quite simple too (and
the reasoning behind them is, I assume, well known).

BR,

-- 
Emmanuel Deloget

[1] https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/openssl_compat.h

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
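The OPENSSL_zalloc() / OPENSSL_clear_free() shims the mail mentions, written out as an added example in the same guarded-compat style (this is not code from Kurt's patch, OpenSC or OpenVPN): the definitions exist only when the detected OpenSSL is older than 1.1.0, so on 1.1 the header compiles to nothing. The OPENSSL_VERSION_NUMBER value, the compat_* helper names and demo_compat_shims() are constructed for this stand-alone demo.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed for this demo: pretend we build against OpenSSL 1.0.2. A real
 * compat header takes this value from <openssl/opensslv.h>. */
#define OPENSSL_VERSION_NUMBER 0x10002000L
/* Wipe via a volatile pointer so the stores cannot be dropped as dead writes
 * before free(); a real shim would call OpenSSL's own OPENSSL_cleanse(). */
static void compat_cleanse(void *ptr, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)ptr;
    while (len--)
        *p++ = 0;
}
#if OPENSSL_VERSION_NUMBER < 0x10100000L
/* OPENSSL_zalloc(): malloc() that hands back zero-filled memory. */
static void *compat_zalloc(size_t num)
{
    void *ret = malloc(num);
    if (ret != NULL)
        memset(ret, 0, num);
    return ret;
}
/* OPENSSL_clear_free(): wipe, then free; NULL is accepted like free(). */
static void compat_clear_free(void *str, size_t num)
{
    if (str != NULL) {
        compat_cleanse(str, num);
        free(str);
    }
}
#define OPENSSL_zalloc(n)        compat_zalloc(n)
#define OPENSSL_clear_free(p, n) compat_clear_free((p), (n))
#endif /* the shims are compiled out entirely on OpenSSL >= 1.1.0 */
/* Caller code written to the 1.1 API only. Returns 1 when a fresh zalloc()
 * buffer is all zero and a 0xAA-filled buffer is all zero after the wipe. */
int demo_compat_shims(size_t n)
{
    unsigned char *buf = OPENSSL_zalloc(n);
    unsigned char secret[32];
    size_t i;
    int ok = buf != NULL;
    for (i = 0; ok && i < n; i++)
        ok = (buf[i] == 0);
    memset(secret, 0xAA, sizeof(secret));
    compat_cleanse(secret, sizeof(secret));
    for (i = 0; ok && i < sizeof(secret); i++)
        ok = (secret[i] == 0);
    OPENSSL_clear_free(buf, n);
    return ok;
}
```

Building the same caller against a real 1.1 tree just drops the `#if` block, which is exactly the "does not do anything" property Douglas describes for sc-ossl-compat.h.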