
Draft: OpenSSL 3

Open Michael-Panic opened this issue 1 year ago • 3 comments

A few days ago, I volunteered to contribute an OpenSSL 3 implementation that doesn't use any functions or types deprecated by OpenSSL 3 in #243. I realized as I was finishing this that I don't actually have a good way of testing this, so it probably shouldn't be merged as-is.

I tried running ./tests/test-all.sh, but many of the tests failed, even without my changes. I suspect my computer isn't set up to properly run the tests, plus there were some comments in there about the tests really only working on OpenBSD.

But I'm willing to help however I can to figure out how to get this all tested and merged.

Michael-Panic avatar Nov 27 '24 22:11 Michael-Panic

No worries. I'll give it a proper review! Thanks for starting with this anyway!

wtoorop avatar Nov 29 '24 13:11 wtoorop

I would propose reusing the existing solution from the unbound code. It seems to use OSSL_PARAM_BLD_push_BN and BN_bin2bn, and to have dropped the sldns_key_buf2dsa_raw function for newer OpenSSL.

Has anyone else found any time to review this proposal?

pemensik avatar Oct 03 '25 19:10 pemensik

Okay, I've started the review and pushed some fixes (to make the tests work) on the review/Michael-Panic-openssl-3 branch. Compiling with -fsanitize=address,undefined -fno-sanitize-recover shows quite a few memory leaks. Also, the tests do not cover all the algorithms, so I guess it would be wise to add the missing ones, as some of the fixes were for specific algorithms. All in all this will be a bigger effort, and I'd like to postpone it until after the 1.8.5 release.

@Michael-Panic I have created PR #1 on your branch for you to review and merge the updates and fixes.

wtoorop avatar Nov 21 '25 15:11 wtoorop