Monday, July 31, 2023

Re: (maintainer update) gerbil-0.17

> - I'm not sure if the libressl patching is correct, someone could review those.
>
> blob - /dev/null
> file + lang/gerbil/patches/patch-src_std_crypto_libcrypto_ss (mode 644)
> --- /dev/null
> +++ lang/gerbil/patches/patch-src_std_crypto_libcrypto_ss
> @@ -0,0 +1,62 @@
> +Fix build with opaque HMAC_CTX and DH in LibreSSL 3.5.
> +
> +Index: src/std/crypto/libcrypto.ss
> +--- src/std/crypto/libcrypto.ss.orig
> ++++ src/std/crypto/libcrypto.ss
> +@@ -175,14 +175,14 @@ END-C
> + (define-c-lambda/const-pointer EVP_sha512 () EVP_MD*)
> + (define-c-lambda/const-pointer EVP_ripemd160 () EVP_MD* "!defined(OPENSSL_NO_RMD160)")
> + (define-c-lambda/const-pointer EVP_whirlpool () EVP_MD* "!defined(OPENSSL_NO_WHIRLPOOL)")
> +-(define-c-lambda/const-pointer EVP_blake2b512 () EVP_MD* "(OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(OPENSSL_NO_BLAKE2)")
> +-(define-c-lambda/const-pointer EVP_blake2s256 () EVP_MD* "(OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(OPENSSL_NO_BLAKE2)")
> ++(define-c-lambda/const-pointer EVP_blake2b512 () EVP_MD* "(OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined (LIBRESSL_VERSION_NUMBER)) && !defined(OPENSSL_NO_BLAKE2)")
> ++(define-c-lambda/const-pointer EVP_blake2s256 () EVP_MD* "(OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined (LIBRESSL_VERSION_NUMBER)) && !defined(OPENSSL_NO_BLAKE2)")
> ++(define-c-lambda/const-pointer EVP_blake2b512 () EVP_MD* "(OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined (LIBRESSL_VERSION_NUMBER)) && !defined(OPENSSL_NO_BLAKE2)")

We should probably define OPENSSL_NO_BLAKE2 in opensslfeatures.h, so
you don't need this hunk. I'll look into it. Does this work?

(define-c-lambda/const-pointer EVP_blake2s256 () EVP_MD* "(OPENSSL_VERSION_NUMBER >= 0x10100000L && defined (NID_blake2s256)) && !defined(OPENSSL_NO_BLAKE2)")
(define-c-lambda/const-pointer EVP_blake2b512 () EVP_MD* "(OPENSSL_VERSION_NUMBER >= 0x10100000L && defined (NID_blake2b512)) && !defined(OPENSSL_NO_BLAKE2)")

> + (define-c-lambda/const-pointer EVP_sha3_224 () EVP_MD* "OPENSSL_VERSION_NUMBER >= 0x10101000L")
> + (define-c-lambda/const-pointer EVP_sha3_256 () EVP_MD* "OPENSSL_VERSION_NUMBER >= 0x10101000L")
> + (define-c-lambda/const-pointer EVP_sha3_384 () EVP_MD* "OPENSSL_VERSION_NUMBER >= 0x10101000L")
> + (define-c-lambda/const-pointer EVP_sha3_512 () EVP_MD* "OPENSSL_VERSION_NUMBER >= 0x10101000L")
> +-(define-c-lambda/const-pointer EVP_shake128 () EVP_MD* "OPENSSL_VERSION_NUMBER >= 0x10101000L")
> +-(define-c-lambda/const-pointer EVP_shake256 () EVP_MD* "OPENSSL_VERSION_NUMBER >= 0x10101000L")
> ++(define-c-lambda/const-pointer EVP_shake128 () EVP_MD* "OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined (LIBRESSL_VERSION_NUMBER)")
> ++(define-c-lambda/const-pointer EVP_shake256 () EVP_MD* "OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined (LIBRESSL_VERSION_NUMBER)")

try using "&& defined(NID_shake128)" and "&& defined(NID_shake256)" instead
of "&& !defined (LIBRESSL_VERSION_NUMBER)"

> + (define-c-lambda/const-pointer EVP_keccak256 () EVP_MD* "0") ;; still not available as of 3.0.0-alpha6
> +
> + (define-c-lambda EVP_MD_type (EVP_MD*) int)
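Review bot: The third added line of this hunk repeats the `EVP_blake2b512` definition added two lines earlier, so the new side carries 15 lines while the header says `+175,14`; as quoted, the patch will either fail to apply or bind `EVP_blake2b512` twice, and the duplicate line should be dropped so that only one `EVP_blake2s256` and one `EVP_blake2b512` definition remain. It may be a mail-rendering artifact, so the copy in the port tree is worth checking rather than the quoted text.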
> +@@ -372,7 +372,7 @@ END-C
> + (c-declare #<<END-C
> + static HMAC_CTX *ffi_create_HMAC_CTX ()
> + {
> +-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
> ++#if OPENSSL_VERSION_NUMBER < 0x10100000L

ok

> + HMAC_CTX *ctx = (HMAC_CTX*)malloc (sizeof (HMAC_CTX));
> + if (ctx) {
> + HMAC_CTX_init (ctx);
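Review bot: Dropping `|| defined (LIBRESSL_VERSION_NUMBER)` from the `#if` sends every LibreSSL release, not only 3.5 and later, down the `#else` path written for an opaque `HMAC_CTX`; the same applies to the `ffi_release_HMAC_CTX` and `ffi_DH_pub_key` hunks below. For the port this is presumably fine since the base LibreSSL is the one the patch description targets, but if the patch is forwarded upstream a version-gated form such as `#if OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050000fL)` would keep older LibreSSL building, with the threshold set to whichever release actually made the struct opaque. A one-line comment above the `#if`, e.g. `/* LibreSSL >= 3.5 has opaque HMAC_CTX, use the 1.1 API */`, would tell the next person rebasing the patch why the LibreSSL clause went away. The body of `ffi_create_HMAC_CTX` continues outside the hunk.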
> +@@ -385,7 +385,7 @@ static HMAC_CTX *ffi_create_HMAC_CTX ()
> +
> + static ___SCMOBJ ffi_release_HMAC_CTX (void *ptr)
> + {
> +-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
> ++#if OPENSSL_VERSION_NUMBER < 0x10100000L

ok

> + HMAC_CTX_cleanup ((HMAC_CTX*) ptr);
> + free (ptr);
> + #else
> +@@ -465,7 +465,7 @@ static ___SCMOBJ ffi_DH_free (void *dh)
> +
> + static BIGNUM *ffi_DH_pub_key (DH *dh)
> + {
> +-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
> ++#if OPENSSL_VERSION_NUMBER < 0x10100000L

ok

> + return dh->pub_key;
> + #else
> + BIGNUM const *pub;
> +@@ -596,8 +596,8 @@ END-C
> + (define-macro (define-consts . cs) `(begin ,@(map (lambda (c) `(define-const ,c)) cs)))
> + (define-macro (define-consts* ccond . cs) `(begin ,@(map (lambda (c) `(define-const* ,c ,ccond)) cs)))
> + (define-consts EVP_PKEY_NONE EVP_PKEY_RSA EVP_PKEY_RSA2 EVP_PKEY_DSA EVP_PKEY_DSA1 EVP_PKEY_DSA2 EVP_PKEY_DSA3 EVP_PKEY_DSA4 EVP_PKEY_DH EVP_PKEY_EC EVP_PKEY_HMAC)
> +-(define-consts* "OPENSSL_VERSION_NUMBER >= 0x10100000L" EVP_PKEY_DHX EVP_PKEY_CMAC EVP_PKEY_TLS1_PRF EVP_PKEY_HKDF)

> +-(define-consts* "OPENSSL_VERSION_NUMBER >= 0x10101000L" EVP_PKEY_RSA_PSS EVP_PKEY_SM2 EVP_PKEY_SCRYPT EVP_PKEY_SIPHASH EVP_PKEY_POLY1305 EVP_PKEY_X25519 EVP_PKEY_ED25519 EVP_PKEY_X448 EVP_PKEY_ED448)
> ++(define-consts* "OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)" EVP_PKEY_DHX EVP_PKEY_CMAC EVP_PKEY_TLS1_PRF EVP_PKEY_HKDF)

Instead of throwing them all away, this could be improved a bit:

EVP_PKEY_DHX not supported
EVP_PKEY_CMAC supported
EVP_PKEY_TLS1_PRF not supported
EVP_PKEY_HKDF supported

Probably worth trying individual definitions with the added condition
&& defined(EVP_PKEY_foo) in place of && !defined(LIBRESSL_VERSION_NUMBER).

> ++(define-consts* "OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)" EVP_PKEY_RSA_PSS EVP_PKEY_SM2 EVP_PKEY_SCRYPT EVP_PKEY_SIPHASH EVP_PKEY_POLY1305 EVP_PKEY_X25519 EVP_PKEY_ED25519 EVP_PKEY_X448 EVP_PKEY_ED448)

same here:

EVP_PKEY_RSA_PSS supported
EVP_PKEY_SM2 not supported
EVP_PKEY_SCRYPT not supported
EVP_PKEY_SIPHASH not supported
EVP_PKEY_POLY1305 not supported
EVP_PKEY_X25519 supported
EVP_PKEY_ED25519 supported
EVP_PKEY_X448 not supported
EVP_PKEY_ED448 not supported
