Hi! I have no issues compiling with the visual studio compiler, but when i build the project using this:

"C:\Program Files\CMake\bin\cmake.exe" -G"Visual Studio 14 2015" -T"Intel C++ Compiler 16.0" ..

Then i get hundreds of errors like this one:

C:\Program Files (x86)\Windows Kits\10\Include\10.0.10240.0\ucrt\corecrt_malloc.h(54): error : expected an identifier _ACRTIMP _CRTALLOCATOR _CRTRESTRICT ^

All errors relate to that corecrt_malloc.h file. I saw that error in one of my projects when i included a header when i shouldn't have, maybe there is a missing ifdef somewhere?

I'm using the latest Visual Studio 2015 Update 2, using Intel C++ Compiler 2016 Update 3

After fixing "issue" https://github.com/libressl-portable/portable/issues/122, LibreSSL again has SSL2 compat.

Removing strings added in https://github.com/libressl-portable/openbsd/commit/59785c860c90ffae3a6bea20e2d52a0ce89e4ca3 didn't help. Also, compiling nginx 1.9.9 with LibreSSL 2.2.2 didn't help, while nginx 1.9.3 is fine. Strange.

I am asking LibreSSL team for two things:

1. If it's necessary to accept "no extensions" case, please remove SSL2 compat in the next public releases through other means. Privacy concerns explained here: https://twitter.com/selecadm/status/674979088558399489
2. Please also provide instructions on how to reject "no extensions" regardless.

When LibreSSL will support Curve25519 for Key Exchange and Ed25519 Key Authentication to be possible to implement a full ECC public key infrastructure without using NIST curves and others with performance not so good? We can see that by now many libraries support it : http://ianix.com/pub/curve25519-deployment.html

LibreSSL 2.1 compiled on OpenBSD 5.7 does not show this curve.

Ed25519 : http://ed25519.cr.yp.to/

This algorithms is really more fast on low end hardware like embedded systems and mobile phones than RSA-4096 and AES-256 especially when mostly of low end hardware doesn't have any kind of hardware acceleration and yet they are even more secure. I hope to see those algorithms in the next release.

Possible relevant discussion : https://www.ietf.org/mail-archive/web/tls/current/msg10179.html

/tmp/ccLdfLLF.s:356: Error: selected processor does not support ARM mode `rev r9,r9'
/tmp/ccLdfLLF.s:392: Error: selected processor does not support ARM mode `rev r3,ip'
/tmp/ccLdfLLF.s:452: Error: selected processor does not support ARM mode `rev r3,r9'
make[1]: *** [modes/libcrypto_la-ctr128.lo] Error 1

it's caused by this command:

gcc -std=gnu99 "-DPACKAGE_NAME=\"libressl\"" "-DPACKAGE_TARNAME=\"libressl\"" "-DPACKAGE_VERSION=\"2.1.1\"" "-DPACKAGE_STRING=\"libressl 2.1.1\"" "-DPACKAGE_BUGREPORT=\"\"" "-DPACKAGE_URL=\"\"" "-DPACKAGE=\"libressl\"" "-DVERSION=\"2.1.1\"" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_DLFCN_H=1 "-DLT_OBJDIR=\".libs/\"" -DNO_REALLOCARRAY=1 -DNO_TIMINGSAFE_BCMP=1 -DNO_TIMINGSAFE_MEMCMP=1 -DNO_ARC4RANDOM_BUF=1 -DNO_GETENTROPY=1 -DNO_STRTONUM=1 -DNO_EXPLICIT_BZERO=1 -DHAVE_VA_COPY=1 -DHAVE_GETAUXVAL=1 -DHAVE_ERR_H=1 -I. -I../include -DHAVE_CRYPTODEV -DLIBRESSL_INTERNAL -I../crypto/asn1 -I../crypto/evp -I../crypto/modes -D_GNU_SOURCE -std=gnu99 -g -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE -Wno-pointer-sign  -DOPENSSL_NO_HW_PADLOCK -fdata-sections -ffunction-sections -Os -g0 -fno-unwind-tables -fno-asynchronous-unwind-tables -Wa,--noexecstack -ftree-dce -Wall -std=gnu99 -g -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE -Wno-pointer-sign -MT modes/libcrypto_la-ctr128.lo -MD -MP -MF modes/.deps/libcrypto_la-ctr128.Tpo -c modes/ctr128.c  -fPIC -DPIC -o modes/.libs/libcrypto_la-ctr128.o

the code in question is

@ 210 "modes/ctr128.c" 1
        ctr32 = GETU32(ivec+12);

which expands to

 ctr32 = ({ u32 ret; asm ("rev %0,%1" : "=r"(ret) : "r"((u32)(*(const u32 *)(ivec+12)))); ret; });
   ctr32 = 0;

via crypto/modes/modes_lcl.h BSWAP8 and BSWAP4 macros

# elif (defined(__arm__) || defined(__arm)) && !defined(__STRICT_ALIGNMENT)
#  define BSWAP8(x) ({  u32 lo=(u64)(x)>>32,hi=(x);     \
                        asm ("rev %0,%0; rev %1,%1"     \
                        : "+r"(hi),"+r"(lo));           \
                        (u64)hi<<32|lo;                 })
#  define BSWAP4(x) ({  u32 ret;                        \
                        asm ("rev %0,%1"                \
                        : "=r"(ret) : "r"((u32)(x)));   \
                        ret;                            })

i was told that the rev instructions is only supported by some new arm cpus, thus the error trying to use it on not-latest-arm-cpu

when upgrade macOs to macOs High Sierra 10.13.2 git clone like git clone github.com/xxx.git failed It print LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to github.com:443

openssl version

LibreSSL 2.2.7

curl https://github.com -v

Rebuilt URL to: https://github.com/
*   Trying 192.30.255.112...
* TCP_NODELAY set
* Connected to github.com (192.30.255.112) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to github.com:443
* stopped the pause stream!
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to github.com:443

libressl 2.2.2 fails to build on OS X 10.6.8.

$ ./configure --prefix=/tmp/building/libressl/2.2.2
$ make

Output:

Making all in crypto
/bin/sh ../libtool    --mode=compile gcc -std=gnu99  -g -O2 -Wall -std=gnu99 -fno-strict-aliasing  -fno-strict-overflow -D_FORTIFY_SOURCE=2 -fstack-protector-all  -c -o bn/mont5-macosx-x86_64.lo bn/mont5-macosx-x86_64.s
libtool: compile:  gcc -std=gnu99 -g -O2 -Wall -std=gnu99 -fno-strict-aliasing -fno-strict-overflow -D_FORTIFY_SOURCE=2 -fstack-protector-all -c bn/mont5-macosx-x86_64.s  -fno-common -DPIC -o bn/.libs/mont5-macosx-x86_64.o
bn/mont5-macosx-x86_64.s:57:suffix or operands invalid for `movq'
bn/mont5-macosx-x86_64.s:120:suffix or operands invalid for `movq'
bn/mont5-macosx-x86_64.s:203:suffix or operands invalid for `movq'
bn/mont5-macosx-x86_64.s:315:suffix or operands invalid for `movq'
bn/mont5-macosx-x86_64.s:462:suffix or operands invalid for `movq'
bn/mont5-macosx-x86_64.s:630:suffix or operands invalid for `movq'
make[1]: *** [bn/mont5-macosx-x86_64.lo] Error 1
make: *** [all-recursive] Error 1

Building 2.2.1 works fine.

Dear people,

I have a problem with the LibreSSL package on my Macbook. This problem occurs when I put my Macbook Pro into sleep mode and continue where I left off. get it with a bunch of hosts, github, brew but also whatsapp desktop app can't connect anymore. The errors are as following:

:$ openssl version
LibreSSL 2.8.3
:$ /usr/local/opt/libressl/bin/openssl s_client -connect github.com:443 -msg
CONNECTED(00000006)
>>> TLS 1.2 Handshake [length 00bf], ClientHello
    01 00 00 bb 03 03 f6 4e 6b 42 67 c6 5f b5 88 87
    72 b0 9c a5 a2 28 31 ea a5 fe 55 21 77 aa 18 4f
    30 bb 30 4a 5c ca 00 00 5c c0 30 c0 2c c0 28 c0
    24 c0 14 c0 0a 00 9f 00 6b 00 39 cc a9 cc a8 cc
    aa ff 85 00 c4 00 88 00 81 00 9d 00 3d 00 35 00
    c0 00 84 c0 2f c0 2b c0 27 c0 23 c0 13 c0 09 00
    9e 00 67 00 33 00 be 00 45 00 9c 00 3c 00 2f 00
    ba 00 41 c0 11 c0 07 00 05 00 04 c0 12 c0 08 00
    16 00 0a 00 ff 01 00 00 36 00 0b 00 02 01 00 00
    0a 00 08 00 06 00 1d 00 17 00 18 00 23 00 00 00
    0d 00 1c 00 1a 06 01 06 03 ef ef 05 01 05 03 04
    01 04 03 ee ee ed ed 03 01 03 03 02 01 02 03
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Start Time: 1554305653
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

I tried turning of IPv6, but it was already off. I tried switching networks, also didn't work. I tried updating the LibreSSL package after turning of system protection and even that didn't work... This makes me think it is a problem deeper into my computer but I just wanted to be sure and ask this community for help.

This is disabled for now on Windows for now due to pipe2/socketpair support, but I think it can be emulated without too much issue. Based on @kinichiro 's work on ssltest

When I sign a certificate with -startdate and -enddate, the x509 tool parses it just fine, but the s_client tool gives an error with either

format error in certificate's notBefore field

or

format error in certificate's notAfter field

This also prevents applications that depend on this library to connect to the servers using them. At the moment, this is preventing us from using Alpine as a base, since that uses LibreSSL.

I'm a little lost in this code base, but I might be able to provide a patch with some pointers.

Just did a clean download. Using Msys with Git, whatever version was available as of two days ago.

$ ./autogen.sh
pulling upstream openbsd source
Already on 'master'
Your branch is up-to-date with 'origin/master'.
Current branch master is up to date.
libcrypto version 35:0:0
libssl version 36:0:0
libtls version 7:0:0
Added OID dsa
objects.txt:41:Undefined identifier X9_62_id_fieldType

I tried just doing the CMake stuff but alas it failed since none of the ssl/tls source trees were available.

Not sure how to build this otherwise.

Hi,

I'd like to add support for Cygwin to libressl portable, slowly and carefully. For a start I'd like to propose the below patch. It allows to build with the default hardening without having to specify --enable-windows-ssp. Other than that change, libressl-portable builds out of the box on Cygwin 1.7.35, the upcoming release later this week. The reason it needs 1.7.35 is the existence of the issetugid function. The functionality existed for a long time, it was just never exported so far.

Unfortunately the testsuite doesn't build on Cygwin, because the testsuite requires SA_ONSTACK and sigaltstack to work, functionality not available yet on Cygwin. But that's another issue.

Thanks, Corinna

Signed-off-by: Corinna Vinschen [email protected]

This removes some build complexity by linking bundled apps statically unconditionally. It also fixes a build error on some systems when there is trailing whitespace in the object list.

Using TDM mingw (gcc 5.1.0), which worked with the 3.5 builds. Now I am getting (with 3.6.1):

"libtool: link: object name conflicts in archive: .libs/libcrypto.lax/libcompat.a//c/Users/ron/src/libressl-3.6.1/crypto/./.libs/libcompat.a"

Compiling in an MSYS2 shell, with the TDM gcc binaries at the front of the PATH. Configured like:

./configure --host=i686-w64-ming32 --enable-shared=no --enable-libtls-only

export CPPFLAGS="-D__MINGW_USE_VC2005_COMPAT"

Hello,

I got this error while running an executable statically linked with libressl 3.5.3, on an Oracle GNU/Linux 9.

$ ~/mnt/builds/aaa/bin/AAA
Auto configuration failed
139745154068864:error:25FFF06C:DSO support routines:CRYPTO_internal:functionality not supported:/root/.conan/data/libressl/3.5.3_2/cvs/stable/build/2e1e716172e678bcba79f77e72e24c9607780d51/libressl-3.5.3/crypto/dso/dso_lib.c:226:
139745154068864:error:0EFFF06E:configuration file routines:CRYPTO_internal:error loading dso:/root/.conan/data/libressl/3.5.3_2/cvs/stable/build/2e1e716172e678bcba79f77e72e24c9607780d51/libressl-3.5.3/crypto/conf/conf_mod.c:273:module=providers, path=providers
139745154068864:error:0EFFF071:configuration file routines:CRYPTO_internal:unknown module name:/root/.conan/data/libressl/3.5.3_2/cvs/stable/build/2e1e716172e678bcba79f77e72e24c9607780d51/libressl-3.5.3/crypto/conf/conf_mod.c:214:module=providers

This error doesn't appear on Oracle GNU/Linux 8. The difference being the openssl packages which were upgraded in the distribution from 1.1.1k to 3.0.1. To be more accurate, the file /etc/ssl/openssl.cnf didn't exist before, and was introduced in Oracle GNU/Linux 9 :

[[email protected] /]# cat /etc/ssl/openssl.cnf       
...
[openssl_init]
providers = provider_sect
# Load default TLS policy configuration
ssl_conf = ssl_module

# Uncomment the sections that start with ## below to enable the legacy provider.
# Loading the legacy provider enables support for the following algorithms:
# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED
# Key Derivation Function (KDF): PBKDF1
# In general it is not recommended to use the above mentioned algorithms for
# security critical operations, as they are cryptographically weak or vulnerable
# to side-channel attacks and as such have been deprecated.

[provider_sect]
default = default_sect
##legacy = legacy_sect
##
[default_sect]
activate = 1

##[legacy_sect]
##activate = 1

[ ssl_module ]
...



[email protected]:~$ podman run -it --rm docker.io/library/oraclelinux:9 dnf list installed | grep ssl
openssl.x86_64                                                                                          1:3.0.1-41.0.1.el9_0                                                                                @System
openssl-libs.x86_64                                                                                     1:3.0.1-41.0.1.el9_0                                                                                @System
[email protected]:~$ podman run -it --rm docker.io/library/oraclelinux:8 dnf list installed | grep ssl
openssl-libs.x86_64                                                                                     1:1.1.1k-7.el8_6                                                                                    @System

Related links :

1. https://github.com/nodejs/node/issues/43132
2. https://github.com/openssl/openssl/issues/16249
3. https://docs.oracle.com/en/operating-systems/oracle-linux/9/relnotes9.0/ol9.0-NewFeaturesandChanges.html#ol9-features-security
4. https://jtuto.com/phantomjs-wont-install-autoconfiguration-error/

I've read about the OPENSSL_CONF=/dev/null workaround, but it's not really a fix - am I the only one running into this issue?

Thank you!

Hey there,

In some of my code I was, up until version 3.5, able to modify the functions of the EVP_CIPHER by modifying the function pointers in the struct. E.g,

static EVP_CIPHER aes;
aes.init = my_aes_init;
aes.do_cipher = my_aes_do;

This now fails. I'm assuming that's because struct has been made opaque. When OpenSSL did the same thing they still allowed the struct's functions pointers to be modified by using EVP_CIPHER_meth_new() and, for example, EVP_CIPHER_meth_set_init(); I've not yet been able to find equivalent functionality in the LibreSSL 3.5 code base as of yet. I see you have _meth_new for EVP_MD, BIO, etc but not EVP_CIPHER. Am I missing something, is this something that is in development, on your radar, or won't be implemented?

49. freed_arg: int_engine_init frees e. [[show details](https://scan8.scan.coverity.com/eventId=12302459-73&modelId=12302459-0&fileInstanceId=61260862&filePath=%2Fhome%2Frunner%2Fwork%2Fportable%2Fportable%2Fcrypto%2Fengine%2Feng_cnf.c&fileStart=84&fileEnd=95)]
   	50. Condition !int_engine_init(e), taking true branch.
189        if (e && (do_init == -1) && !int_engine_init(e)) {
190                ecmd = NULL;
   	51. Jumping to label err.
191                goto err;
192        }
193        ret = 1;
194
195err:
   	52. Condition ret != 1, taking true branch.
196        if (ret != 1) {
197                ENGINEerror(ENGINE_R_ENGINE_CONFIGURATION_ERROR);
   	53. Condition ecmd, taking false branch.
198                if (ecmd)
199                        ERR_asprintf_error_data(
200                            "section=%s, name=%s, value=%s",
201                            ecmd->section, ecmd->name, ecmd->value);
202        }
   	
CID 278489 (#1-3 of 3): Double free (USE_AFTER_FREE)
54. double_free: Calling ENGINE_free frees pointer e which has already been freed. [[show details](https://scan8.scan.coverity.com/eventId=12302459-104&modelId=12302459-4&fileInstanceId=61260868&filePath=%2Fhome%2Frunner%2Fwork%2Fportable%2Fportable%2Fcrypto%2Fengine%2Feng_lib.c&fileStart=141&fileEnd=144)]
203        ENGINE_free(e);
204        return ret;
205}