OPENSSL_API_COMPAT is not defined by OpenSSL 3.0 #977

Open
ydroneaud opened this issue Mar 2, 2022 · 3 comments · May be fixed by #980

@ydroneaud

With OpenSSL 3.0, it's really up to the application to define OPENSSL_API_COMPAT, and when compiling tcpdump, OPENSSL_API_COMPAT is not defined, thus the check in esp_init() is incorrect:

#if !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < 0x10100000L
        OpenSSL_add_all_algorithms();
#endif

When compiled against OpenSSL 3.0.1 built with --api=1.1.1 and no-deprecated configuration options, OpenSSL_add_all_algorithms() is not defined, and the build fails:

./print-esp.c: In function 'esp_init':
./print-esp.c:682:2: warning: implicit declaration of function 'OpenSSL_add_all_algorithms' [-Wimplicit-function-declaration]
  OpenSSL_add_all_algorithms();
  ^
libnetdissect.a(print-esp.o): In function `esp_init':
.../print-esp.c:682: undefined reference to `OpenSSL_add_all_algorithms'
collect2: error: ld returned 1 exit status
ydroneaud added a commit to opteya/tcpdump that referenced this issue Mar 3, 2022
…t accordingly

OPENSSL_API_COMPAT is to be set by the module
including OpenSSL header to request a certain
API level compatibility, and starting with
OpenSSL 3, it's no more defined by OpenSSL
header to the default API level.

OPENSSL_VERSION_NUMBER must be used instead.

Fixes the-tcpdump-group#977

Signed-off-by: Yann Droneaud <[email protected]>
@DimitriPapadopoulos

DimitriPapadopoulos commented Aug 13, 2023

The whole code looks like this:

tcpdump/print-esp.c

Lines 674 to 687 in 9ff9f78

DIAG_OFF_DEPRECATION
static void esp_init(netdissect_options *ndo _U_)
{
        /*
         * 0.9.6 doesn't appear to define OPENSSL_API_COMPAT, so
         * we check whether it's undefined or it's less than the
         * value for 1.1.0.
         */
#if !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < 0x10100000L
        OpenSSL_add_all_algorithms();
#endif
        EVP_add_cipher_alias(SN_des_ede3_cbc, "3des");
}
DIAG_ON_DEPRECATION

Given that OpenSSL 1.0.2 is no longer supported except with paid support contracts (Release Strategy), is it worth still maintaining this #if?

Also, the OpenSSL_add_all_algorithms man page, versions 1.1 and newer, reads:

HISTORY

The OpenSSL_add_all_algorithms(), OpenSSL_add_all_ciphers(), OpenSSL_add_all_digests(), and EVP_cleanup(), functions were deprecated in OpenSSL 1.1.0 by OPENSSL_init_crypto() and should not be used.

@infrastation
Member

Solaris CBE: OpenSSL 1.0.2za 24 Aug 2021

@DimitriPapadopoulos

Indeed. Then isn't #980 the proper solution?
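
An added example, not code from tcpdump or from #980: one way to gate the libcrypto start-up call on OPENSSL_VERSION_NUMBER, as the commit message in this thread proposes, with OPENSSL_init_crypto() on 1.1.0 and later as the quoted man page recommends. The names example_esp_init, needs_legacy_init and NEEDS_LEGACY_INIT are hypothetical, and HAVE_LIBCRYPTO is assumed to be defined by a build that links with -lcrypto.

```c
/*
 * Added example (not tcpdump's code): choose the libcrypto start-up call
 * from OPENSSL_VERSION_NUMBER, which the OpenSSL headers define themselves,
 * instead of OPENSSL_API_COMPAT, which OpenSSL 3 leaves to the application.
 * Assumption: the build defines HAVE_LIBCRYPTO and links with -lcrypto.
 */
#include <stdio.h>

#ifdef HAVE_LIBCRYPTO
#include <openssl/opensslv.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
#endif

/* True for libraries older than 1.1.0, the only ones that still need the
 * explicit OpenSSL_add_all_algorithms() call. Usable in #if and in C. */
#define NEEDS_LEGACY_INIT(ver) ((ver) < 0x10100000L)

/* Run-time view of the same predicate, so it can be checked in a test. */
int needs_legacy_init(long ver)
{
        return NEEDS_LEGACY_INIT(ver) ? 1 : 0;
}

#ifdef HAVE_LIBCRYPTO
/* Hypothetical stand-in for esp_init(); returns 0 on success, -1 on error. */
int example_esp_init(void)
{
#if NEEDS_LEGACY_INIT(OPENSSL_VERSION_NUMBER)
        OpenSSL_add_all_algorithms();           /* OpenSSL < 1.1.0 */
#else
        /* 1.1.0 and later, including 3.x built with no-deprecated */
        if (!OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
                                 OPENSSL_INIT_ADD_ALL_DIGESTS, NULL))
                return -1;
#endif
        return EVP_add_cipher_alias(SN_des_ede3_cbc, "3des") ? 0 : -1;
}

int main(void)
{
        printf("OPENSSL_VERSION_NUMBER=0x%lx legacy=%d init=%d\n",
               (unsigned long)OPENSSL_VERSION_NUMBER,
               needs_legacy_init(OPENSSL_VERSION_NUMBER), example_esp_init());
        return 0;
}
#endif
```

Because the guard no longer mentions OPENSSL_API_COMPAT, the result is the same whether or not the application or the OpenSSL headers define that macro.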
