LibreSSL Portable itself. This includes the build scaffold and compatibility layer that builds portable LibreSSL from the OpenBSD source code.

LibreSSL image

Official portable version of LibreSSL

Linux Build Status macOS Build Status Android_Build Status Cross_Build Status Fuzzing Status

LibreSSL is a fork of OpenSSL 1.0.1g developed by the OpenBSD project. Our goal is to modernize the codebase, improve security, and apply best practice development processes from OpenBSD.

Compatibility with OpenSSL:

LibreSSL is API compatible with OpenSSL 1.0.1, but does not yet include all new APIs from OpenSSL 1.0.2 and later. LibreSSL also includes APIs not yet present in OpenSSL. The current common API subset is OpenSSL 1.0.1.

LibreSSL is not ABI compatible with any release of OpenSSL, or necessarily earlier releases of LibreSSL. You will need to relink your programs to LibreSSL in order to use it, just as in moving between major versions of OpenSSL. LibreSSL's installed library version numbers are incremented to account for ABI and API changes.

Compatibility with other operating systems:

While primarily developed on and taking advantage of APIs available on OpenBSD, the LibreSSL portable project attempts to provide working alternatives for other operating systems, and assists with improving OS-native implementations where possible.

At the time of this writing, LibreSSL is known to build and work on:

  • Linux (kernel 3.17 or later recommended)
  • FreeBSD (tested with 9.2 and later)
  • NetBSD (7.0 or later recommended)
  • HP-UX (11i)
  • Solaris (11 and later preferred)
  • Mac OS X (tested with 10.8 and later)
  • AIX (5.3 and later)

LibreSSL also supports the following Windows environments:

  • Microsoft Windows (Windows 7 / Windows Server 2008r2 or later, x86 and x64)
  • Wine (32-bit and 64-bit)
  • Mingw-w64, Cygwin, and Visual Studio

Official release tarballs are available at your friendly neighborhood OpenBSD mirror in directory LibreSSL, although we suggest that you use a mirror.

The LibreSSL portable build framework is also mirrored in Github.

Please report bugs either to the public [email protected] mailing list, or to the github issue tracker

Severe vulnerabilities or bugs requiring coordination with OpenSSL can be sent to the core team at [email protected].

Building LibreSSL

Prerequisites when building from a Git checkout

If you have checked this source using Git, or have downloaded a source tarball from Github, follow these initial steps to prepare the source tree for building. Note: Your build will fail if you do not follow these instructions! If you cannot follow these instructions (e.g. Windows system using CMake) or cannot meet these prerequistes, please download an official release distribution from https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/ instead. Using official releases is strongly advised if you are not a developer.

  1. Ensure you have the following packages installed: automake, autoconf, git, libtool, perl
  2. Run ./autogen.sh to prepare the source tree for building or run ./dist.sh to prepare a tarball.

Steps that apply to all builds

Once you have a source tree, either by downloaded using git and having run the autogen.sh script above, or by downloading a release distribution from an OpenBSD mirror, run these commands to build and install the package on most systems:

./configure   # see ./configure --help for configuration options
make check    # runs builtin unit tests
make install  # set DESTDIR= to install to an alternate location

If you wish to use the CMake build system, use these commands:

mkdir build
cd build
cmake ..
make
make test

For faster builds, you can use Ninja as well:

mkdir build-ninja
cd build-ninja
cmake -G"Ninja" ..
ninja
ninja test

OS specific build information:

HP-UX (11i)

Set the UNIX_STD environment variable to 2003 before running configure in order to build with the HP C/aC++ compiler. See the "standards(5)" man page for more details.

export UNIX_STD=2003
./configure
make

Windows - Mingw-w64

LibreSSL builds against relatively recent versions of Mingw-w64, not to be confused with the original mingw.org project. Mingw-w64 3.2 or later should work. See README.windows for more information

Windows - Visual Studio

LibreSSL builds using the CMake target "Visual Studio 12 2013" and newer. To generate a Visual Studio project, install CMake, enter the LibreSSL source directory and run:

 mkdir build-vs2013
 cd build-vs2013
 cmake -G"Visual Studio 12 2013" ..

Replace "Visual Studio 12 2013" with whatever version of Visual Studio you have installed. This will generate a LibreSSL.sln file that you can incorporate into other projects or build by itself.

Cmake - Additional Options

Option Name Default Description
LIBRESSL_SKIP_INSTALL OFF allows skipping install() rules. Can be specified from command line using
-DLIBRESSL_SKIP_INSTALL=ON
LIBRESSL_APPS ON allows skipping application builds. Apps are required to run tests
LIBRESSL_TESTS ON allows skipping of tests. Tests are only available in static builds
BUILD_SHARED_LIBS OFF CMake option for building shared libraries.
ENABLE_ASM ON builds assembly optimized rules.
ENABLE_EXTRATESTS OFF Enable extra tests that may be unreliable on some platforms
ENABLE_NC OFF Enable installing TLS-enabled nc(1)
OPENSSLDIR Blank Set the default openssl directory. Can be specified from command line using
-DOPENSSLDIR=

Using LibreSSL

CMake

Make a new folder in your project root (where your main CMakeLists.txt file is located) called CMake. Copy the FindLibreSSL.cmake file to that folder, and add the following line to your main CMakeLists.txt:

set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/CMake;${CMAKE_MODULE_PATH}")

After your add_executable or add_library line in your CMakeLists.txt file add the following:

find_package(LibreSSL REQUIRED)

It will tell CMake to find LibreSSL and if found will let you use the following 3 interfaces in your CMakeLists.txt file:

  • LibreSSL::Crypto
  • LibreSSL::SSL
  • LibreSSL::TLS

If you for example want to use the LibreSSL TLS library in your test program, include it like so (SSL and Cryto are required by TLS and included automatically too):

target_link_libraries(test LibreSSL::TLS)

Full example:

cmake_minimum_required(VERSION 3.10.0)

set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/CMake;${CMAKE_MODULE_PATH}")

project(test)

add_executable(test Main.cpp)

find_package(LibreSSL REQUIRED)

target_link_libraries(test LibreSSL::TLS)

Linux

Following the guide in the sections above to compile LibreSSL using make and running "sudo make install" will install LibreSSL to the /usr/local/ folder, and will found automatically by find_package. If your system installs it to another location or you have placed them yourself in a different location, you can set the CMake variable LIBRESSL_ROOT_DIR to the correct path, to help CMake find the library.

Windows

Placing the library files in C:/Program Files/LibreSSL/lib and the include files in C:/Program Files/LibreSSL/include should let CMake find them automatically, but it is recommended that you use CMake-GUI to set the paths. It is more convenient as you can have the files in any folder you choose.

Owner
OpenBSD LibreSSL Portable
Github clone of official LibreSSL portable repositories for informational purposes.
OpenBSD LibreSSL Portable
Comments
  • Compilation problem with VS2015 using Intel Compiler

    Compilation problem with VS2015 using Intel Compiler

    Hi! I have no issues compiling with the visual studio compiler, but when i build the project using this:

    "C:\Program Files\CMake\bin\cmake.exe" -G"Visual Studio 14 2015" -T"Intel C++ Compiler 16.0" ..

    Then i get hundreds of errors like this one:

    C:\Program Files (x86)\Windows Kits\10\Include\10.0.10240.0\ucrt\corecrt_malloc.h(54): error : expected an identifier _ACRTIMP _CRTALLOCATOR _CRTRESTRICT ^

    All errors relate to that corecrt_malloc.h file. I saw that error in one of my projects when i included a header when i shouldn't have, maybe there is a missing ifdef somewhere?

    I'm using the latest Visual Studio 2015 Update 2, using Intel C++ Compiler 2016 Update 3

  • Provide functionality for disabling SSLv2 handshakes

    Provide functionality for disabling SSLv2 handshakes

    After fixing "issue" https://github.com/libressl-portable/portable/issues/122, LibreSSL again has SSL2 compat.

    Removing strings added in https://github.com/libressl-portable/openbsd/commit/59785c860c90ffae3a6bea20e2d52a0ce89e4ca3 didn't help. Also, compiling nginx 1.9.9 with LibreSSL 2.2.2 didn't help, while nginx 1.9.3 is fine. Strange.

    I am asking LibreSSL team for two things:

    1. If it's necessary to accept "no extensions" case, please remove SSL2 compat in the next public releases through other means. Privacy concerns explained here: https://twitter.com/selecadm/status/674979088558399489
    2. Please also provide instructions on how to reject "no extensions" regardless.
  • Support for Curve25519 Key Exchange and Ed25519 Authentication

    Support for Curve25519 Key Exchange and Ed25519 Authentication

    When LibreSSL will support Curve25519 for Key Exchange and Ed25519 Key Authentication to be possible to implement a full ECC public key infrastructure without using NIST curves and others with performance not so good? We can see that by now many libraries support it : http://ianix.com/pub/curve25519-deployment.html

    LibreSSL 2.1 compiled on OpenBSD 5.7 does not show this curve.

    Ed25519 : http://ed25519.cr.yp.to/

    This algorithms is really more fast on low end hardware like embedded systems and mobile phones than RSA-4096 and AES-256 especially when mostly of low end hardware doesn't have any kind of hardware acceleration and yet they are even more secure. I hope to see those algorithms in the next release.

    Possible relevant discussion : https://www.ietf.org/mail-archive/web/tls/current/msg10179.html

  • build fails on arm when gcc is targeted for older CPUs

    build fails on arm when gcc is targeted for older CPUs

    /tmp/ccLdfLLF.s:356: Error: selected processor does not support ARM mode `rev r9,r9'
    /tmp/ccLdfLLF.s:392: Error: selected processor does not support ARM mode `rev r3,ip'
    /tmp/ccLdfLLF.s:452: Error: selected processor does not support ARM mode `rev r3,r9'
    make[1]: *** [modes/libcrypto_la-ctr128.lo] Error 1
    

    it's caused by this command:

    gcc -std=gnu99 "-DPACKAGE_NAME=\"libressl\"" "-DPACKAGE_TARNAME=\"libressl\"" "-DPACKAGE_VERSION=\"2.1.1\"" "-DPACKAGE_STRING=\"libressl 2.1.1\"" "-DPACKAGE_BUGREPORT=\"\"" "-DPACKAGE_URL=\"\"" "-DPACKAGE=\"libressl\"" "-DVERSION=\"2.1.1\"" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_DLFCN_H=1 "-DLT_OBJDIR=\".libs/\"" -DNO_REALLOCARRAY=1 -DNO_TIMINGSAFE_BCMP=1 -DNO_TIMINGSAFE_MEMCMP=1 -DNO_ARC4RANDOM_BUF=1 -DNO_GETENTROPY=1 -DNO_STRTONUM=1 -DNO_EXPLICIT_BZERO=1 -DHAVE_VA_COPY=1 -DHAVE_GETAUXVAL=1 -DHAVE_ERR_H=1 -I. -I../include -DHAVE_CRYPTODEV -DLIBRESSL_INTERNAL -I../crypto/asn1 -I../crypto/evp -I../crypto/modes -D_GNU_SOURCE -std=gnu99 -g -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE -Wno-pointer-sign  -DOPENSSL_NO_HW_PADLOCK -fdata-sections -ffunction-sections -Os -g0 -fno-unwind-tables -fno-asynchronous-unwind-tables -Wa,--noexecstack -ftree-dce -Wall -std=gnu99 -g -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -D_GNU_SOURCE -Wno-pointer-sign -MT modes/libcrypto_la-ctr128.lo -MD -MP -MF modes/.deps/libcrypto_la-ctr128.Tpo -c modes/ctr128.c  -fPIC -DPIC -o modes/.libs/libcrypto_la-ctr128.o
    

    the code in question is

    @ 210 "modes/ctr128.c" 1
            ctr32 = GETU32(ivec+12);
    

    which expands to

     ctr32 = ({ u32 ret; asm ("rev %0,%1" : "=r"(ret) : "r"((u32)(*(const u32 *)(ivec+12)))); ret; });
       ctr32 = 0;
    

    via crypto/modes/modes_lcl.h BSWAP8 and BSWAP4 macros

    # elif (defined(__arm__) || defined(__arm)) && !defined(__STRICT_ALIGNMENT)
    #  define BSWAP8(x) ({  u32 lo=(u64)(x)>>32,hi=(x);     \
                            asm ("rev %0,%0; rev %1,%1"     \
                            : "+r"(hi),"+r"(lo));           \
                            (u64)hi<<32|lo;                 })
    #  define BSWAP4(x) ({  u32 ret;                        \
                            asm ("rev %0,%1"                \
                            : "=r"(ret) : "r"((u32)(x)));   \
                            ret;                            })
    

    i was told that the rev instructions is only supported by some new arm cpus, thus the error trying to use it on not-latest-arm-cpu

  • LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to github.com:443

    LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to github.com:443

    when upgrade macOs to macOs High Sierra 10.13.2 git clone like git clone github.com/xxx.git failed It print LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to github.com:443

    openssl version

    LibreSSL 2.2.7

    curl https://github.com -v

    Rebuilt URL to: https://github.com/
    *   Trying 192.30.255.112...
    * TCP_NODELAY set
    * Connected to github.com (192.30.255.112) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/cert.pem
      CApath: none
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to github.com:443
    * stopped the pause stream!
    * Closing connection 0
    curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to github.com:443
    
  • 2.2.2 fails to build on OS X 10.6.8

    2.2.2 fails to build on OS X 10.6.8

    libressl 2.2.2 fails to build on OS X 10.6.8.

    $ ./configure --prefix=/tmp/building/libressl/2.2.2
    $ make
    

    Output:

    Making all in crypto
    /bin/sh ../libtool    --mode=compile gcc -std=gnu99  -g -O2 -Wall -std=gnu99 -fno-strict-aliasing  -fno-strict-overflow -D_FORTIFY_SOURCE=2 -fstack-protector-all  -c -o bn/mont5-macosx-x86_64.lo bn/mont5-macosx-x86_64.s
    libtool: compile:  gcc -std=gnu99 -g -O2 -Wall -std=gnu99 -fno-strict-aliasing -fno-strict-overflow -D_FORTIFY_SOURCE=2 -fstack-protector-all -c bn/mont5-macosx-x86_64.s  -fno-common -DPIC -o bn/.libs/mont5-macosx-x86_64.o
    bn/mont5-macosx-x86_64.s:57:suffix or operands invalid for `movq'
    bn/mont5-macosx-x86_64.s:120:suffix or operands invalid for `movq'
    bn/mont5-macosx-x86_64.s:203:suffix or operands invalid for `movq'
    bn/mont5-macosx-x86_64.s:315:suffix or operands invalid for `movq'
    bn/mont5-macosx-x86_64.s:462:suffix or operands invalid for `movq'
    bn/mont5-macosx-x86_64.s:630:suffix or operands invalid for `movq'
    make[1]: *** [bn/mont5-macosx-x86_64.lo] Error 1
    make: *** [all-recursive] Error 1
    

    Building 2.2.1 works fine.

  • LibreSSL SSL_connect: SSL_ERROR_SYSCALL to any host

    LibreSSL SSL_connect: SSL_ERROR_SYSCALL to any host

    Dear people,

    I have a problem with the LibreSSL package on my Macbook. This problem occurs when I put my Macbook Pro into sleep mode and continue where I left off. get it with a bunch of hosts, github, brew but also whatsapp desktop app can't connect anymore. The errors are as following:

    :$ openssl version
    LibreSSL 2.8.3
    :$ /usr/local/opt/libressl/bin/openssl s_client -connect github.com:443 -msg
    CONNECTED(00000006)
    >>> TLS 1.2 Handshake [length 00bf], ClientHello
        01 00 00 bb 03 03 f6 4e 6b 42 67 c6 5f b5 88 87
        72 b0 9c a5 a2 28 31 ea a5 fe 55 21 77 aa 18 4f
        30 bb 30 4a 5c ca 00 00 5c c0 30 c0 2c c0 28 c0
        24 c0 14 c0 0a 00 9f 00 6b 00 39 cc a9 cc a8 cc
        aa ff 85 00 c4 00 88 00 81 00 9d 00 3d 00 35 00
        c0 00 84 c0 2f c0 2b c0 27 c0 23 c0 13 c0 09 00
        9e 00 67 00 33 00 be 00 45 00 9c 00 3c 00 2f 00
        ba 00 41 c0 11 c0 07 00 05 00 04 c0 12 c0 08 00
        16 00 0a 00 ff 01 00 00 36 00 0b 00 02 01 00 00
        0a 00 08 00 06 00 1d 00 17 00 18 00 23 00 00 00
        0d 00 1c 00 1a 06 01 06 03 ef ef 05 01 05 03 04
        01 04 03 ee ee ed ed 03 01 03 03 02 01 02 03
    write:errno=54
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 0 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID: 
        Session-ID-ctx: 
        Master-Key: 
        Start Time: 1554305653
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
    ---
    

    I tried turning of IPv6, but it was already off. I tried switching networks, also didn't work. I tried updating the LibreSSL package after turning of system protection and even that didn't work... This makes me think it is a problem deeper into my computer but I just wanted to be sure and ask this community for help.

  • enable tlstest

    enable tlstest

    This is disabled for now on Windows for now due to pipe2/socketpair support, but I think it can be emulated without too much issue. Based on @kinichiro 's work on ssltest

  • format error in certificate's notBefore/notAfter field

    format error in certificate's notBefore/notAfter field

    When I sign a certificate with -startdate and -enddate, the x509 tool parses it just fine, but the s_client tool gives an error with either

    format error in certificate's notBefore field
    

    or

    format error in certificate's notAfter field
    

    This also prevents applications that depend on this library to connect to the servers using them. At the moment, this is preventing us from using Alpine as a base, since that uses LibreSSL.

    I'm a little lost in this code base, but I might be able to provide a patch with some pointers.

  • Windows: Undefined identifier X9_62_id_fieldType

    Windows: Undefined identifier X9_62_id_fieldType

    Just did a clean download. Using Msys with Git, whatever version was available as of two days ago.

    $ ./autogen.sh
    pulling upstream openbsd source
    Already on 'master'
    Your branch is up-to-date with 'origin/master'.
    Current branch master is up to date.
    libcrypto version 35:0:0
    libssl version 36:0:0
    libtls version 7:0:0
    Added OID dsa
    objects.txt:41:Undefined identifier X9_62_id_fieldType
    

    I tried just doing the CMake stuff but alas it failed since none of the ssl/tls source trees were available.

    Not sure how to build this otherwise.

  • Add preliminary Cygwin support

    Add preliminary Cygwin support

    Hi,

    I'd like to add support for Cygwin to libressl portable, slowly and carefully. For a start I'd like to propose the below patch. It allows to build with the default hardening without having to specify --enable-windows-ssp. Other than that change, libressl-portable builds out of the box on Cygwin 1.7.35, the upcoming release later this week. The reason it needs 1.7.35 is the existence of the issetugid function. The functionality existed for a long time, it was just never exported so far.

    Unfortunately the testsuite doesn't build on Cygwin, because the testsuite requires SA_ONSTACK and sigaltstack to work, functionality not available yet on Cygwin. But that's another issue.

    Thanks, Corinna

    Signed-off-by: Corinna Vinschen [email protected]

  • CI: add CIFuzz action

    CI: add CIFuzz action

    Add CIFuzz workflow action to have fuzzers build and run on each PR.

    This is a service offered by OSS-Fuzz where libressl already runs. CIFuzz can help detect catch regressions and fuzzing build issues early, and has a variety of features (see the URL above). In the current PR the fuzzers gets build on a pull request and will run for 300 seconds.

    Signed-off-by: David Korczynski [email protected]

  • Clarify relation of v3.6.1 with recent OpenSSL CVE-2022-3786

    Clarify relation of v3.6.1 with recent OpenSSL CVE-2022-3786

    You coincidently released v3.6.1 with fixes to X.509 validation and ASN.1 "indefinite length encoding" at the same time as OpenSSL had an security announcement regarding buffer overflow in X.509 email address validation which sounds vaguely similar. It would be a nice if you could add a note that explicitly say that this is unrelated and not security relevant (assuming it indeed isn't :-)).

  • Building on mingw fails with

    Building on mingw fails with "object name conflicts"

    Using TDM mingw (gcc 5.1.0), which worked with the 3.5 builds. Now I am getting (with 3.6.1):

    "libtool: link: object name conflicts in archive: .libs/libcrypto.lax/libcompat.a//c/Users/ron/src/libressl-3.6.1/crypto/./.libs/libcompat.a"

    Compiling in an MSYS2 shell, with the TDM gcc binaries at the front of the PATH. Configured like:

    ./configure --host=i686-w64-ming32 --enable-shared=no --enable-libtls-only

    export CPPFLAGS="-D__MINGW_USE_VC2005_COMPAT"

  • libressl 3.5.3 not compatible with

    libressl 3.5.3 not compatible with "providers" introduced by openssl 3.0.1 ?

    Hello,

    I got this error while running an executable statically linked with libressl 3.5.3, on an Oracle GNU/Linux 9.

    $ ~/mnt/builds/aaa/bin/AAA
    Auto configuration failed
    139745154068864:error:25FFF06C:DSO support routines:CRYPTO_internal:functionality not supported:/root/.conan/data/libressl/3.5.3_2/cvs/stable/build/2e1e716172e678bcba79f77e72e24c9607780d51/libressl-3.5.3/crypto/dso/dso_lib.c:226:
    139745154068864:error:0EFFF06E:configuration file routines:CRYPTO_internal:error loading dso:/root/.conan/data/libressl/3.5.3_2/cvs/stable/build/2e1e716172e678bcba79f77e72e24c9607780d51/libressl-3.5.3/crypto/conf/conf_mod.c:273:module=providers, path=providers
    139745154068864:error:0EFFF071:configuration file routines:CRYPTO_internal:unknown module name:/root/.conan/data/libressl/3.5.3_2/cvs/stable/build/2e1e716172e678bcba79f77e72e24c9607780d51/libressl-3.5.3/crypto/conf/conf_mod.c:214:module=providers
    

    This error doesn't appear on Oracle GNU/Linux 8. The difference being the openssl packages which were upgraded in the distribution from 1.1.1k to 3.0.1. To be more accurate, the file /etc/ssl/openssl.cnf didn't exist before, and was introduced in Oracle GNU/Linux 9 :

    [[email protected] /]# cat /etc/ssl/openssl.cnf       
    ...
    [openssl_init]
    providers = provider_sect
    # Load default TLS policy configuration
    ssl_conf = ssl_module
    
    # Uncomment the sections that start with ## below to enable the legacy provider.
    # Loading the legacy provider enables support for the following algorithms:
    # Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
    # Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED
    # Key Derivation Function (KDF): PBKDF1
    # In general it is not recommended to use the above mentioned algorithms for
    # security critical operations, as they are cryptographically weak or vulnerable
    # to side-channel attacks and as such have been deprecated.
    
    [provider_sect]
    default = default_sect
    ##legacy = legacy_sect
    ##
    [default_sect]
    activate = 1
    
    ##[legacy_sect]
    ##activate = 1
    
    [ ssl_module ]
    ...
    
    
    
    [email protected]:~$ podman run -it --rm docker.io/library/oraclelinux:9 dnf list installed | grep ssl
    openssl.x86_64                                                                                          1:3.0.1-41.0.1.el9_0                                                                                @System
    openssl-libs.x86_64                                                                                     1:3.0.1-41.0.1.el9_0                                                                                @System
    [email protected]:~$ podman run -it --rm docker.io/library/oraclelinux:8 dnf list installed | grep ssl
    openssl-libs.x86_64                                                                                     1:1.1.1k-7.el8_6                                                                                    @System
    

    Related links :

    1. https://github.com/nodejs/node/issues/43132
    2. https://github.com/openssl/openssl/issues/16249
    3. https://docs.oracle.com/en/operating-systems/oracle-linux/9/relnotes9.0/ol9.0-NewFeaturesandChanges.html#ol9-features-security
    4. https://jtuto.com/phantomjs-wont-install-autoconfiguration-error/

    I've read about the OPENSSL_CONF=/dev/null workaround, but it's not really a fix - am I the only one running into this issue?

    Thank you!

  • EVP_CIPHER Opacity

    EVP_CIPHER Opacity

    Hey there,

    In some of my code I was, up until version 3.5, able to modify the functions of the EVP_CIPHER by modifying the function pointers in the struct. E.g,

    static EVP_CIPHER aes;
    aes.init = my_aes_init;
    aes.do_cipher = my_aes_do;
    

    This now fails. I'm assuming that's because struct has been made opaque. When OpenSSL did the same thing they still allowed the struct's functions pointers to be modified by using EVP_CIPHER_meth_new() and, for example, EVP_CIPHER_meth_set_init(); I've not yet been able to find equivalent functionality in the LibreSSL 3.5 code base as of yet. I see you have _meth_new for EVP_MD, BIO, etc but not EVP_CIPHER. Am I missing something, is this something that is in development, on your radar, or won't be implemented?

Parses existing Chia plotter log files and builds a .csv file containing all the important details

Chia Log Analysis Parses through Chia plotter log files and plops all the juicy details into a CSV file! Build See below for instructions if you prefe

May 10, 2022
A basic C++ cryptocurrency/block-chain. Includes a basic wallet system. See README.md for all the inclusions and future additions.

Cryptocurrency Project C++ cryptocurrency/block-chain. Mostly basic blockchain for now. New Additions are in the works(see below). This file details w

Dec 23, 2021
An open source, portable, easy to use, readable and flexible SSL library

README for Mbed TLS Mbed TLS is a C library that implements cryptographic primitives, X.509 certificate manipulation and the SSL/TLS and DTLS protocol

Nov 25, 2022
High-level build system for distributed, multi-platform C/C++ projects.

fips fips is a highlevel build system wrapper written in Python for C/C++ projects. (this project has nothing to do with the Federal Information Proce

Nov 13, 2022
Mbedcrypto - a portable, small, easy to use and fast c++14 library for cryptography.

mbedcrypto mbedcrypto is a portable, small, easy to use, feature rich and fast c++14 library for cryptography based on fantastic and clean mbedtlsnote

Jun 16, 2022
A modern, portable, easy to use crypto library.
A modern, portable, easy to use crypto library.

Sodium is a new, easy-to-use software library for encryption, decryption, signatures, password hashing and more. It is a portable, cross-compilable, i

Nov 24, 2022
Small portable AES128/192/256 in C

Tiny AES in C This is a small and portable implementation of the AES ECB, CTR and CBC encryption algorithms written in C. You can override the default

Nov 24, 2022
Tink is a multi-language, cross-platform, open source library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.

Tink A multi-language, cross-platform library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse. Ubuntu

Nov 18, 2022
MIRACL Cryptographic SDK: Multiprecision Integer and Rational Arithmetic Cryptographic Library is a C software library that is widely regarded by developers as the gold standard open source SDK for elliptic curve cryptography (ECC).

MIRACL What is MIRACL? Multiprecision Integer and Rational Arithmetic Cryptographic Library – the MIRACL Crypto SDK – is a C software library that is

Nov 22, 2022
XMRig is a high performance, open source, cross platform RandomX, KawPow, CryptoNight and AstroBWT unified CPU/GPU miner

XMRig is a high performance, open source, cross platform RandomX, KawPow, CryptoNight and AstroBWT unified CPU/GPU miner and RandomX benchmark. Official binaries are available for Windows, Linux, macOS and FreeBSD.

Nov 17, 2022
vulnerability in zam64.sys, zam32.sys allowing ring 0 code execution. CVE-2021-31727 and CVE-2021-31728 public reference.
vulnerability in zam64.sys, zam32.sys allowing ring 0 code execution. CVE-2021-31727 and CVE-2021-31728 public reference.

CVE-2021-31727 and CVE-2021-31728 Public Reference for CVE-2021-31727 Exposes unrestricted disk read/write capabilities. Public Reference for CVE-2021

Nov 9, 2022
wtf is a distributed, code-coverage guided, customizable, cross-platform snapshot-based fuzzer designed for attacking user and / or kernel-mode targets running on Microsoft Windows.
wtf is a distributed, code-coverage guided, customizable, cross-platform snapshot-based fuzzer designed for attacking user and / or kernel-mode targets running on Microsoft Windows.

wtf is a distributed, code-coverage guided, customizable, cross-platform snapshot-based fuzzer designed for attacking user and / or kernel-mode targets running on Microsoft Windows.

Nov 17, 2022
This repository contains commercially licensed wolfSSL products and example code for use on specified Renesas platforms.

wolfSSL Product for Renesas This repository contains commercially licensed wolfSSL product code for use on specified Renesas platforms. This code is o

Sep 9, 2022
OSS-Sydr-Fuzz - OSS-Fuzz fork for hybrid fuzzing (fuzzer+DSE) open source software.

OSS-Sydr-Fuzz: Hybrid Fuzzing for Open Source Software This repository is a fork of OSS-Fuzz project. OSS-Sydr-Fuzz contains open source software targ

Nov 17, 2022
Passbolt - Open source password manager for teams

Passbolt - Open source password manager for teams

Oct 29, 2022
Open-source, airgapped bitcoin hardware signer for the M5StickV.
Open-source, airgapped bitcoin hardware signer for the M5StickV.

Krux ✝ Krux is an open-source DIY hardware signer for Bitcoin that can sign for multisignature and single-key wallets. It is a low-cost airgapped devi

Oct 17, 2022
Jazzer is a coverage-guided, in-process fuzzer for the JVM platform developed by Code Intelligence.
Jazzer is a coverage-guided, in-process fuzzer for the JVM platform developed by Code Intelligence.

Jazzer is a coverage-guided, in-process fuzzer for the JVM platform developed by Code Intelligence. It is based on libFuzzer and brings many of its instrumentation-powered mutation features to the JVM.

Nov 25, 2022
x509cert is a tool and library for generating X.509 certificates and certificate requests.

x509cert is a tool and library for generating X.509 certificates and certificate requests. It is written in C99 and uses BearSSL to decode keys and compute signatures.

Sep 5, 2022