LibreSSL 3.5 compatibility
LibreSSL is now closer to OpenSSL 1.1 than OpenSSL 1.0. According to https://undeadly.org/cgi?action=article;sid=20220116121253, this is the intention of OpenBSD developers.
According to #40630 (closed), many special cases are needed to compile Tor against LibreSSL 3.5 when using Tor's OpenSSL 1.0 compatibility mode, whereas only a small number of #defines are required when using OpenSSL 1.1 compatibility mode. One additional workaround is required for LibreSSL 3.4 compatibility.
Compiles and passes unit tests with LibreSSL 3.4.3 and 3.5.1.
requested review from @nickm
This looks plausible to me, but I'd like to know more about testing. At the least I'd like to confirm:
- Which versions of libressl does it build with, and not build with?
- Which versions of openssl does it build with, and not build with?
In particular we should probably check with each series in openssl 1.0.1 and later, since our code claims to work with those. (We could narrow it down to 1.0.2, 1.1.1, and 3.0, since those are the ones that are in theory supported or have legacy support available from openssl.)
I don't know which versions of libressl it makes sense to test with; probably every branch from the last year or two?
- Which versions of libressl does it build with, and not build with?
My understanding was that only the latest version is supported. However, I believe that is incorrect. https://www.libressl.org/releases.html says that "LibreSSL transitions to a new stable release branch every 6 months in coordination with the OpenBSD development schedule. LibreSSL stable branches are updated for 1 year after their corresponding OpenBSD branch is tagged for release. See below for the current stable release branches." Based on the list, I conclude that LibreSSL 3.3.6, 3.4.3, and 3.5.1 were supported as of March 2022. Therefore, I have now done the following tests:
| LibreSSL | Before patch | After patch |
| --- | --- | --- |
| 3.3.6 | Rejected by configure | Not tested |
| 3.4.3 | Compiles and passes tests | Fails to compile |
| 3.5.1 | Fails to compile | Compiles and passes tests |

I have a new version which compiles and passes tests on 3.4.3 which I will submit shortly.
- Which versions of openssl does it build with, and not build with?
I have not tested this patch against any versions of OpenSSL. Unless I have done something terribly wrong, there should be no effect on OpenSSL or any other implementation which does not define LIBRESSL_VERSION_NUMBER.
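The description above says the OpenSSL 1.1 compatibility mode needs only a few `#define`s for LibreSSL 3.5, and the reply just above notes that nothing changes unless `LIBRESSL_VERSION_NUMBER` is defined. The example below, added here and not part of Tor's code or this merge request, shows why that macro has to be consulted first: LibreSSL's `opensslv.h` defines `OPENSSL_VERSION_NUMBER` as the fixed value `0x20000000L` and keeps the real version in `LIBRESSL_VERSION_NUMBER` (`0x3050100fL` for 3.5.1), so a check written only against `OPENSSL_VERSION_NUMBER` treats every LibreSSL release as newer than OpenSSL 1.1. The decoding of both layouts follows the public headers; the choice of 3.5 as the point where the 1.1-style API is assumed is this example's assumption, taken from the description, and the version constants fed to `main()` are constructed.

```c
/*
 * Added example, not Tor's code: deciding which OpenSSL API generation a
 * header set really offers when the library may be LibreSSL.
 *
 * Encodings (from each project's public opensslv.h):
 *  - OpenSSL: OPENSSL_VERSION_NUMBER is 0xMNNFFPPS (major, minor, fix,
 *    patch letter, status nibble), e.g. 0x1010107fL for 1.1.1g.
 *  - LibreSSL: OPENSSL_VERSION_NUMBER is the fixed value 0x20000000L; the
 *    real version lives in LIBRESSL_VERSION_NUMBER as 0xMNNPP00fL, e.g.
 *    0x3050100fL for 3.5.1.
 * The "3.5 and later behave like OpenSSL 1.1" threshold is this example's
 * assumption taken from the merge request description, not a project rule.
 */
#include <stdio.h>

/* Which API shape the calling code should be compiled against. */
enum api_level {
    API_OPENSSL_10 = 10,   /* OpenSSL 1.0.x style */
    API_OPENSSL_11 = 11    /* OpenSSL 1.1.x style, retained by 3.0 */
};

struct ver { unsigned major, minor, patch; };

/* Decode LibreSSL's 0xMNNPP00f layout. */
struct ver decode_libressl(unsigned long v) {
    struct ver r;
    r.major = (unsigned)((v >> 28) & 0xf);
    r.minor = (unsigned)((v >> 20) & 0xff);
    r.patch = (unsigned)((v >> 12) & 0xff);
    return r;
}

/* Decode OpenSSL's 0xMNNFFPPS layout; the patch letter and status are dropped,
 * so "patch" here is the FF field (the third number, 1.1.x -> x). */
struct ver decode_openssl(unsigned long v) {
    struct ver r;
    r.major = (unsigned)((v >> 28) & 0xf);
    r.minor = (unsigned)((v >> 20) & 0xff);
    r.patch = (unsigned)((v >> 12) & 0xff);
    return r;
}

/* The check that goes wrong on LibreSSL: it looks only at OPENSSL_VERSION_NUMBER,
 * and LibreSSL's fixed 0x20000000L makes every release look newer than 1.1. */
int naive_is_new_api(unsigned long openssl_version) {
    return openssl_version >= 0x10100000L;
}

/* Consult LIBRESSL_VERSION_NUMBER first; 0 means the macro is not defined,
 * i.e. the library is OpenSSL or some other implementation. */
enum api_level select_api(unsigned long openssl_version, unsigned long libressl_version) {
    if (libressl_version != 0) {
        struct ver l = decode_libressl(libressl_version);
        if (l.major > 3 || (l.major == 3 && l.minor >= 5))
            return API_OPENSSL_11;   /* assumption: 3.5+ tracks the 1.1 API */
        return API_OPENSSL_10;
    }
    struct ver o = decode_openssl(openssl_version);
    if (o.major >= 3 || (o.major == 1 && o.minor >= 1))
        return API_OPENSSL_11;
    return API_OPENSSL_10;
}

int main(void) {
    /* Constructed inputs: the three LibreSSL releases named in the thread,
     * plus an OpenSSL 1.0.2 and 1.1.1 value for comparison. */
    struct { const char *name; unsigned long ossl, lssl; } cases[] = {
        { "LibreSSL 3.3.6", 0x20000000L, 0x3030600fL },
        { "LibreSSL 3.4.3", 0x20000000L, 0x3040300fL },
        { "LibreSSL 3.5.1", 0x20000000L, 0x3050100fL },
        { "OpenSSL 1.0.2",  0x1000214fL, 0 },
        { "OpenSSL 1.1.1",  0x1010107fL, 0 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        enum api_level a = select_api(cases[i].ossl, cases[i].lssl);
        printf("%-15s naive check says %s API, version-aware check says %d.%d API\n",
               cases[i].name,
               naive_is_new_api(cases[i].ossl) ? "1.1" : "1.0",
               a / 10, a % 10);
    }
    return 0;
}
```

Running it shows the naive check reporting a 1.1-style API for all three LibreSSL releases, including 3.3.6 and 3.4.3 whose API is 1.0-style, while the version-aware check only does so for 3.5.1; that mismatch is the kind of thing that turns into the "fails to compile" cells in the table above.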
I assumed that it was rejected for a good reason. I didn't investigate to see if the issue was fixed with newer LibreSSL 3.3.
According to https://github.com/libressl-portable/portable/issues/629, the issue was fixed in https://github.com/libressl-portable/openbsd/commit/6e2ae6018f8ad5bba7cd973e4360c215dee79bcc, and https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.3.3-relnotes.txt says " * Implement key exporter for TLSv1.3.", so perhaps the rejected versions could be limited to 3.3.0 through 3.3.2.
On the other hand, according to https://www.libressl.org/releases.html, "LibreSSL stable branches are updated for 1 year after their corresponding OpenBSD branch is tagged for release.", and https://en.wikipedia.org/wiki/OpenBSD says that OpenBSD 6.9 is now EOL, so it seems like it should be fine to leave it as it is.
added 1 commit
- b1545b6d - Changes file for #40630 (closed) (LibreSSL 3.5 compatibility)