OpenConnect 7.07 fails to build with LibreSSL

Piotr Kubaj pkubaj at anongoth.pl
Thu Apr 27 06:09:17 PDT 2017


OK, then.

To be honest, I had to research this subject myself because of your request :) I didn't before because the patch I had found and sent just worked.

The relevant commit which changed API seems to be https://github.com/libressl-portable/openbsd/commit/122ecd906da74daffaeffc65c21100b967f5bb45

It was later partially reverted, because of many breakages: https://github.com/libressl-portable/openbsd/commit/0d7a7d5f5a441ac2a48a57dad03170f2f484402a

The 1st commit hides many of the internal variables in opaque structures; the 2nd one reverses some of it (enc_read_ctx was one of those reverted). So it wasn't a bug, but a bad API (inherited from OpenSSL). It will probably work until there are ways to work around it.

I'm not really sure what this patch does, as I'm not an SSL_* master. It seems to return the initialization vector of some EVP_CIPHER. I guess enc_write_ctx and enc_read_ctx are equal in this case, which is why it's fine to use enc_read_ctx.

On 17-04-26 14:38:36, David Woodhouse wrote:
> On Wed, 2017-04-26 at 15:22 +0200, Piotr Kubaj wrote:
> > Sure, it's attached.
> > 
> > On 17-04-25 15:26:36, David Woodhouse wrote:
> > > 
> > > On Tue, 2017-04-25 at 14:00 +0200, Piotr Kubaj wrote:
> > > > 
> > > > 
> > > > 
> > > > So, OpenConnect 7.08 (I've verified this problem is also present in
> > > > OpenConnect's master branch) is once again broken with LibreSSL
> > > > (2.5.1 and higher). This patch fixes issues
> > > > https://github.com/gentoo/libressl/blob/master/net-vpn/openconnect/files/openconnect-7.08-libressl251.patch
> > > > while not breaking older releases. Could you merge it?
> > > Thanks. Can I have a commit message explaining the fix, and a signed-
> > > off-by please?
> 
> Thanks... but that's still not really explaining the fix. What changed
> in LibreSSL? Why are we using enc_read_ctx instead of enc_write_ctx
> now; why is that OK? Was it a bug before? Is it guaranteed to keep
> working now or did the read context just not change *yet*? What commit
> in LibreSSL changed this... ?
> 
> All of which I can work out for myself given enough time and
> motivation, but it's supposed to be there in the commit message so I
> don't have to... :)



-- 
 _________________________________________ 
/ Political history is far too criminal a \
| subject to be a fit thing to teach      |
| children.                               |
|                                         |
\ -- W. H. Auden                          /
 ----------------------------------------- 
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openconnect.patch
Type: text/x-diff
Size: 720 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20170427/c11700b2/attachment.bin>