EGD
FreeBSD has not needed the Perl Entropy Gathering Daemon (EGD) since FreeBSD 4.2, and no operating system that is still supported by a vendor needs it any longer. EGD was only necessary on some commercial UNIX systems, and every version that needed it has reached end of life:
OS      | EGD needed until | Version released | End of support
IRIX    | 6.5.19           | Feb 2003         | Dec 2013
Solaris | 2.6              | Jul 1997         | Jul 2006
AIX     | 5.2              | Oct 2002         | Apr 2009
Tru64   | 5.1B             | Sep 2002         | Dec 2012
HP-UX   | 11i v2           | Sep 2003         | Dec 2015
As I recall, SunOS dlopen() is broken and is unsuitable for use in UnrealIRCd as well, due to failing to properly handle dependency resolution. So that removes SunOS from the list. So, basically:
- IRIX, AIX, Tru64: doesn't build with either the available GCC or the standard compiler; no dlopen()
- Solaris 2.x/SunOS: nothing resembling even gcc 2.95 is available; dlopen() is broken and unsuitable for use in the ircd
- HP-UX: no shl_load() support in UnrealIRCd; no build system support for HP's compiler
Observed as
Usually noticed as
undefined reference to 'RAND_egd'
in the build output (it is a linker error, so it shows up at the link step rather than while compiling).
Resolution
Remove the offending part
As of LibreSSL 2.2.0, LibreSSL defines OPENSSL_NO_EGD in <openssl/opensslfeatures.h> to make patching easier:
    #define OPENSSL_NO_EGD
"Guard" the code calling RAND_egd with it:
    #ifndef OPENSSL_NO_EGD
    	RAND_egd("/some/file");
    #endif
No replacement for the EGD call is needed: LibreSSL seeds itself from the kernel, so code that only used EGD to seed the RNG keeps working with the call compiled out.
Deprecated des_ methods
OpenSSL deprecated a large number of des_ functions and types on 24 October 2001 (commit) and shipped the change on 31 December 2002 in OpenSSL 0.9.7.
LibreSSL removed des_old completely, and OpenSSL has since removed these compatibility macros as well (in 1.1.0; when this page was written that release was still expected to be called 1.0.3).
Observed as
use of undeclared identifier 'des_cblock'; did you mean 'DES_cblock'?
Resolution
Rename the des_ function or type to DES_ (don't forget to change C_Block -> DES_cblock and Key_schedule -> DES_key_schedule).
Adapt the variables passed to the function: the DES_ types are arrays and structs that the new API takes by pointer, so prefix the variable with &.
The old compatibility macros can be found in OpenSSL's <openssl/des_old.h> (present up to 1.0.2); they show the exact DES_ equivalent and pointer adjustment for each des_ name.
Example
    des_key_schedule ks1;
    des_cblock iv1;
    des_ncbc_encrypt(src, dst, len, ks1, iv1, DES_DECRYPT);
Becomes
    DES_key_schedule ks1;
    DES_cblock iv1;
    DES_ncbc_encrypt(src, dst, len, &ks1, &iv1, DES_DECRYPT);
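A small rewriting helper, added here as an example (it is not part of this wiki page's material nor of OpenSSL or LibreSSL), that applies the two steps above to a C snippet: it renames the des_ identifiers it knows about and adds & in front of arguments that were declared with the types the DES_ API now takes by pointer. The RENAMES table is a partial transcription of des_old.h limited to the types and functions a port is likely to use; extend it from the header for anything else. It only understands simple declarations (`des_cblock iv;`) and calls without nested parentheses, so let the compiler confirm the result rather than trusting it.

```python
import re

# Old des_ names -> DES_ names.  Partial transcription of OpenSSL's des_old.h
# (the types plus the functions a port most commonly uses); extend as needed.
RENAMES = {
    "des_cblock": "DES_cblock",
    "const_des_cblock": "const_DES_cblock",
    "des_key_schedule": "DES_key_schedule",
    "C_Block": "DES_cblock",            # libdes-style aliases
    "Key_schedule": "DES_key_schedule",
    "des_ecb_encrypt": "DES_ecb_encrypt",
    "des_ncbc_encrypt": "DES_ncbc_encrypt",
    "des_cbc_encrypt": "DES_cbc_encrypt",
    "des_ede3_cbc_encrypt": "DES_ede3_cbc_encrypt",
    "des_set_key": "DES_set_key",
    "des_set_key_checked": "DES_set_key_checked",
    "des_set_key_unchecked": "DES_set_key_unchecked",
    "des_key_sched": "DES_key_sched",
    "des_string_to_key": "DES_string_to_key",
    "des_set_odd_parity": "DES_set_odd_parity",
    "des_is_weak_key": "DES_is_weak_key",
}

# Old types that were passed by array decay and that the DES_ API takes by pointer.
POINTER_TYPES = ("des_key_schedule", "des_cblock", "Key_schedule", "C_Block")

_IDENT = re.compile(r"\b(" + "|".join(sorted(RENAMES, key=len, reverse=True)) + r")\b")
_DECL = re.compile(
    r"\b(?:" + "|".join(POINTER_TYPES) + r")\s+"
    r"([A-Za-z_]\w*(?:\s*,\s*[A-Za-z_]\w*)*)\s*;"      # 'type a, b;' only
)
_CALL = re.compile(r"\b(DES_\w+)\s*\(([^()]*)\)")    # calls without nested parens


def pointer_vars(src):
    """Names declared with one of POINTER_TYPES in simple 'type a, b;' form."""
    names = set()
    for m in _DECL.finditer(src):
        names.update(n.strip() for n in m.group(1).split(","))
    return names


def port_des(src):
    """Rename des_ identifiers and pass pointer-type variables by address."""
    names = pointer_vars(src)        # collect before the type names are rewritten
    out = _IDENT.sub(lambda m: RENAMES[m.group(1)], src)

    def fix_call(m):
        args = [a.strip() for a in m.group(2).split(",")]
        # A bare variable of a pointer type gets '&'; '&x' or 'x[0]' is left alone.
        args = ["&" + a if a in names else a for a in args]
        return "%s(%s)" % (m.group(1), ", ".join(args))

    return _CALL.sub(fix_call, out)


if __name__ == "__main__":
    # Constructed input: the snippet from the example above.
    print(port_des("des_key_schedule ks1; des_cblock iv1; "
                   "des_ncbc_encrypt(src, dst, len, ks1, iv1, DES_DECRYPT);"))
```

Declarations are collected before renaming so that the old type names still match; calls are fixed after renaming so that a single regex (DES_*) finds both the functions this script renamed and any already-converted ones that still pass a key schedule by value.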
Uses removed compression
LibreSSL disabled compression by default because of the attacks that exploit compression of data mixed with secrets, notably CRIME against TLS compression (BREACH is the same idea against HTTP response compression, and BEAST, often listed alongside them, is a CBC attack unrelated to compression; disabling TLS compression does nothing for those two). LibreSSL does not include openssl/comp.h from openssl/ssl.h (or ssl3.h), leading to build failures in code that assumes the compression types are available.
TLS 1.3 no longer supports compression at all; applications that need it compress at the application layer, which carries the same risk of leaking secrets that BREACH demonstrated.
Observed as
unknown type name 'COMP_METHOD', or errors involving SSL_get_current_compression and related functions
Resolution
Missing comp.h
First of all, try adding
    #include <openssl/comp.h>
to the code or header. There is no risk of redefining types or functions: the header protects itself with #ifndef HEADER_COMP_H.
SSL_NO_COMP vs OPENSSL_NO_COMP
If an OpenSSL library has been compiled without compression support it defines OPENSSL_NO_COMP, yet LibreSSL defines SSL_NO_COMP in opensslfeatures.h, so a check for OPENSSL_NO_COMP alone does not cover LibreSSL.
Remove/disable offending code
Remove the offending code, preferably behind macros so the port still builds against OpenSSL libraries that do support compression.
Example 1: Take care of defines
If the software has been written with care, adding the following in the right location (before the first test of OPENSSL_NO_COMP) will likely make the port just work:
    #include <openssl/opensslfeatures.h>
    #include <openssl/comp.h>
    #ifdef SSL_NO_COMP
    #define OPENSSL_NO_COMP
    #endif
Note that opensslfeatures.h is LibreSSL-specific; if the same source must still build against OpenSSL, include <openssl/opensslconf.h> instead (LibreSSL's opensslconf.h pulls opensslfeatures.h in), or wrap the include in a LIBRESSL_VERSION_NUMBER check.
Example 2: Disable code
If the software unconditionally relies on the existence of SSL compression you will need to wrap the relevant code in blocks of
    #ifndef OPENSSL_NO_COMP
    	/* Offending code */
    #endif
Watch for variables that are only assigned inside the removed block but used outside it; declare and initialise them outside the guard so the #else path does not read uninitialised memory.
SSLv2/SSLv3 method failures
Check the results of the exp-run with SSLv2 disabled in the Bugs database; they contain useful examples of fixes as well.
Observed as
Usually noticed as
    ssl.c:73:30: warning: implicit declaration of function 'SSLv3_server_method' is invalid in C99 [-Wimplicit-function-declaration]
    	ctx = SSL_CTX_new (server ? SSLv3_server_method() : SSLv3_client_method ());
in the build output, followed by an undefined reference at link time. There are more than just these two SSLv3 methods: SSLv3_method() and the SSLv2_* counterparts fail the same way.
Resolution
Sometimes you will find existing OPENSSL_NO_SSL2 handling in the code; do the same for SSLv3 with OPENSSL_NO_SSL3. This tends to mean #ifdef/#ifndef guards around the SSLv2 or SSLv3 code.
Example SSLv3_server_method code
    ctx = SSL_CTX_new (server ? SSLv3_server_method() : SSLv3_client_method ());
Becomes
    #ifndef OPENSSL_NO_SSL3
    	ctx = SSL_CTX_new (server ? SSLv3_server_method() : SSLv3_client_method ());
    #else
    	ctx = SSL_CTX_new (server ? SSLv23_server_method() : SSLv23_client_method ());
    	SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv2);
    #endif
This retains compatibility with OpenSSL 0.9.8, 1.0.0 and 1.0.1, which still provide the SSLv3 methods.
You can use the SSLv23 methods: they have been retained in LibreSSL but negotiate TLSv1, TLSv1.1 or TLSv1.2. What gets negotiated is controlled with SSL_CTX_set_options(); the #else branch above disables SSLv2 and TLSv1, leaving TLSv1.1 and TLSv1.2, so drop SSL_OP_NO_TLSv1 if the port must still talk to TLSv1.0-only peers. SSL_CTX_new() can return NULL, so check it before calling SSL_CTX_set_options() if the surrounding code does not already. You will actually improve the ports that you modify.
GOST engine
LibreSSL removed the GOST engine completely because of its potentially problematic license. Later a partial reimplementation was added that does not
Observed as
Usually noticed as
undefined reference to 'ENGINE_load_gost()'
in the compile output
Resolution
Remove the offending part
Since OpenSSL defines OPENSSL_NO_GOST when built without GOST, ports tend to test that macro for the availability of the engine. LibreSSL can also be compiled with NO_GOST, but when it is not, OPENSSL_NO_GOST stays undefined even though ENGINE_load_gost() does not exist, so you need a different way of disabling the engine call.
LIBRESSL_VERSION_NUMBER should be available via <openssl/opensslv.h>:
    #if !defined(OPENSSL_NO_GOST) && OPENSSL_VERSION_NUMBER >= 0x1000001fL && !defined(LIBRESSL_VERSION_NUMBER)
    	ENGINE_load_gost();
    #endif
SHA-0
Some ports use SHA-0 via EVP_sha(), which LibreSSL has removed; like an OpenSSL built without SHA-0, it defines OPENSSL_NO_SHA0.
Observed as
    work/qca-2.1.0/plugins/qca-ossl/qca-ossl.cpp:7139:35: error: use of undeclared identifier 'EVP_sha'; did you mean 'EVP_sha1'?
    	return new opensslHashContext( EVP_sha(), this, type);
    	                               ^~~~~~~
    	                               EVP_sha1
    /usr/local/include/openssl/evp.h:658:15: note: 'EVP_sha1' declared here
    const EVP_MD *EVP_sha1(void);
Resolution
"Guard" the offending code with an #ifndef block:
    #ifndef OPENSSL_NO_SHA0
    	return new opensslHashContext( EVP_sha(), this, type);
    #endif
Make sure the enclosing function still does something sensible when the block is compiled out (here: fall through to whatever the code does for an unsupported hash type). Nothing is lost in practice: SHA-0 was withdrawn in 1995 and collisions for it have been published.
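The EGD, compression, SSLv2/SSLv3, GOST and SHA-0 sections above all come down to the same edit: find each use of a symbol LibreSSL dropped and make sure it sits behind the right #ifndef. The script below, added here as an example and not part of this wiki page's material or of the ports tree's tooling, performs that check over a C source file. It walks the #if/#ifdef/#ifndef/#elif/#else/#endif nesting (a heuristic, not a preprocessor: #if expressions are only scanned for defined() and !defined() tokens) and reports every use that no enclosing conditional guards with the macro this page recommends, accepting a LIBRESSL_VERSION_NUMBER test as a guard for the GOST engine. The sample source is constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Symbols LibreSSL removed, mapped to the macro(s) whose absence is the accepted
# guard for a use.  For GOST, LibreSSL may leave OPENSSL_NO_GOST undefined, so a
# LIBRESSL_VERSION_NUMBER test counts as a guard as well.
GUARDS = {
    "RAND_egd": ("OPENSSL_NO_EGD",),
    "COMP_METHOD": ("OPENSSL_NO_COMP",),
    "SSL_get_current_compression": ("OPENSSL_NO_COMP",),
    "SSLv2_method": ("OPENSSL_NO_SSL2",),
    "SSLv2_server_method": ("OPENSSL_NO_SSL2",),
    "SSLv2_client_method": ("OPENSSL_NO_SSL2",),
    "SSLv3_method": ("OPENSSL_NO_SSL3",),
    "SSLv3_server_method": ("OPENSSL_NO_SSL3",),
    "SSLv3_client_method": ("OPENSSL_NO_SSL3",),
    "ENGINE_load_gost": ("OPENSSL_NO_GOST", "LIBRESSL_VERSION_NUMBER"),
    "EVP_sha": ("OPENSSL_NO_SHA0",),
}

_SYMBOL = re.compile(r"\b(" + "|".join(sorted(GUARDS, key=len, reverse=True)) + r")\b")
_DIRECTIVE = re.compile(r"^\s*#\s*(\w+)\s*(.*)$")
_DEFINED = re.compile(r"(!?)\s*\bdefined\b\s*\(?\s*(\w+)")


@dataclass
class Finding:
    line: int
    symbol: str
    guard: str          # macro the use should be wrapped in with #ifndef


def _frame(directive, arg):
    """(macros undefined in the taken branch, macros undefined in the #else branch)."""
    name = (arg.split() or [""])[0]
    if directive == "ifndef":
        return {name}, set()
    if directive == "ifdef":
        return set(), {name}
    taken, other = set(), set()       # "if"/"elif": only defined() tokens are read
    for neg, macro in _DEFINED.findall(arg):
        (taken if neg else other).add(macro)
    return taken, other


def find_unguarded(src):
    """Return uses of removed symbols that no enclosing conditional guards."""
    stack = []                         # one _frame() pair per open conditional
    findings = []
    for lineno, text in enumerate(src.splitlines(), 1):
        m = _DIRECTIVE.match(text)
        if m:
            d, arg = m.group(1), m.group(2)
            if d in ("if", "ifdef", "ifndef"):
                stack.append(_frame(d, arg))
            elif d == "elif" and stack:
                _, other = stack[-1]
                taken, rest = _frame("if", arg)
                stack[-1] = (other | taken, other | rest)
            elif d == "else" and stack:
                taken, other = stack[-1]
                stack[-1] = (other, taken)
            elif d == "endif" and stack:
                stack.pop()
            continue                   # the directive line itself is not a use
        undefined = set().union(*(taken for taken, _ in stack))
        for sm in _SYMBOL.finditer(text):
            sym = sm.group(1)
            if not undefined.intersection(GUARDS[sym]):
                findings.append(Finding(lineno, sym, GUARDS[sym][0]))
    return findings


# Constructed sample: one correctly guarded use per section of this page, plus an
# unguarded SSLv3 call on line 14 that the scanner should report.
SAMPLE = """\
#include <openssl/ssl.h>
#include <openssl/rand.h>

static void seed(void)
{
#ifndef OPENSSL_NO_EGD
    RAND_egd("/var/run/egd-pool");
#endif
}

static SSL_CTX *make_ctx(int server)
{
    SSL_CTX *ctx;
    ctx = SSL_CTX_new(server ? SSLv3_server_method() : SSLv3_client_method());
#if !defined(OPENSSL_NO_COMP)
    const COMP_METHOD *c = SSL_get_current_compression(NULL);
    (void)c;
#endif
    return ctx;
}

static void load_engines(void)
{
#ifdef LIBRESSL_VERSION_NUMBER
    /* LibreSSL: no GOST engine */
#else
    ENGINE_load_gost();
#endif
}
"""

if __name__ == "__main__":
    for f in find_unguarded(SAMPLE):
        print("line %d: %s needs #ifndef %s" % (f.line, f.symbol, f.guard))
```

Run it over a port's sources before the first build attempt; each line it prints is a place where one of the #ifndef blocks from the sections above is still missing. A use inside the #else branch of #ifdef LIBRESSL_VERSION_NUMBER or behind #if !defined(...) is recognised as guarded, so already-patched files stay quiet.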
Linking
Some ports link against the base system's libcrypto instead of the one from ports (LibreSSL).
Observed as
    # readelf -d work/stage/usr/local/bin/ipmitool
     0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.7]
Resolution
Add the following to the port's Makefile (inside the option's conditional block when OpenSSL support is optional):
    CFLAGS+=	-I${OPENSSLINC}
    LDFLAGS+=	-L${OPENSSLLIB}
Check with readelf again that the binary now depends on the ports' library:
    # readelf -d work/stage/usr/local/bin/ipmitool
     0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.32]
Run the same check over every binary and shared object in the stage directory, not just the main one: a port with several executables or plugins can pick up the base libcrypto in only one of them, and loading both libcrypto versions into one process leads to hard-to-debug crashes.