Re: git: 537cd766435c - main - factor: support OpenSSL 3

Reply: Enji Cooper : "Re: git: 537cd766435c - main - factor: support OpenSSL 3"
In reply to: Enji Cooper : "git: 537cd766435c - main - factor: support OpenSSL 3"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: John Baldwin <jhb_at_FreeBSD.org>
Date: Sat, 27 May 2023 19:21:58 UTC

On 5/27/23 11:11 AM, Enji Cooper wrote:
> The branch main has been updated by ngie:
> 
> URL: https://cgit.FreeBSD.org/src/commit/?id=537cd766435c80e61e72bb9369f77aa9630a1537
> 
> commit 537cd766435c80e61e72bb9369f77aa9630a1537
> Author:     Enji Cooper <ngie@FreeBSD.org>
> AuthorDate: 2023-05-27 04:55:12 +0000
> Commit:     Enji Cooper <ngie@FreeBSD.org>
> CommitDate: 2023-05-27 18:11:44 +0000
> 
>      factor: support OpenSSL 3
>      
>      This change ports the BN APIs to an OpenSSL 3 compatible set of APIs.
>      
>      This removes the need for requesting OpenSSL 1.1 compatible APIs.
>      
>      MFC after:      1 week
>      Reviewed by:    emaste
>      Differential Revision:  https://reviews.freebsd.org/D40298
> ---
>   usr.bin/factor/Makefile |  1 -
>   usr.bin/factor/factor.c | 17 +++++++++++++++--
>   2 files changed, 15 insertions(+), 3 deletions(-)
> 
> diff --git a/usr.bin/factor/Makefile b/usr.bin/factor/Makefile
> index 255160ef6e00..ffa9ec7de1f8 100644
> --- a/usr.bin/factor/Makefile
> +++ b/usr.bin/factor/Makefile
> @@ -9,7 +9,6 @@ CFLAGS+=-I${SRCTOP}/usr.bin/primes
>   
>   .if ${MK_OPENSSL} != "no"
>   CFLAGS+=-DHAVE_OPENSSL
> -CFLAGS+=-DOPENSSL_API_COMPAT=0x10100000L
>   LIBADD+=crypto
>   .endif
>   
> diff --git a/usr.bin/factor/factor.c b/usr.bin/factor/factor.c
> index 4edc2ed2a72c..a3b0a65b5eca 100644
> --- a/usr.bin/factor/factor.c
> +++ b/usr.bin/factor/factor.c
> @@ -209,7 +209,11 @@ pr_fact(BIGNUM *val)
>   			if (!BN_sqr(bnfact, bnfact, ctx))
>   				errx(1, "error in BN_sqr()");
>   			if (BN_cmp(bnfact, val) > 0 ||
> +#if OPENSSL_VERSION_NUMBER >= 0x30000000L
> +			    BN_check_prime(val, NULL, NULL) == 1)
> +#else
>   			    BN_is_prime_ex(val, PRIME_CHECKS, NULL, NULL) == 1)
> +#endif
>   				pr_print(val);
>   			else
>   				pollard_pminus1(val);
> @@ -282,7 +286,11 @@ newbase:
>   			errx(1, "error in BN_gcd()");
>   
>   		if (!BN_is_one(x)) {
> +#if OPENSSL_VERSION_NUMBER >= 0x30000000L
> +			if (BN_check_prime(x, NULL, NULL) == 1)
> +#else
>   			if (BN_is_prime_ex(x, PRIME_CHECKS, NULL, NULL) == 1)
> +#endif
>   				pr_print(x);
>   			else
>   				pollard_pminus1(x);
> @@ -291,8 +299,13 @@ newbase:
>   			BN_div(num, NULL, val, x, ctx);
>   			if (BN_is_one(num))
>   				return;
> -			if (BN_is_prime_ex(num, PRIME_CHECKS, NULL,
> -			    NULL) == 1) {
> +#if OPENSSL_VERSION_NUMBER >= 0x30000000L
> +			if (BN_check_prime(num, NULL, NULL) == 1)
> +#else
> +			if (BN_is_prime_ex(num, PRIME_CHECKS, NULL, NULL)
> +			    == 1)
> +#endif
> +			{
>   				pr_print(num);
>   				fflush(stdout);
>   				return;

I would suggest restructing this by having a compat shim for the 3.0 API at
the top of the file (something like this):

#if OPENSSL_VERSION_NUMBER < 0x30000000L
#define PRIME_CHECKS     5

static int
BN_check_prime(const BIGNUM *p, BN_CTX *ctx, BN_GENCB *cb)
{
     return (BN_is_prime_ex(p, PRIME_CHECKS, ctx, cb));
}
#endif

And then just using BN_check_prime in the rest of the file without #ifdef's.

This is the approach we used for OpenSSL 1.1.x and will result in fewer #ifdef's
and cleaner code overall.  One thing we didn't do for OpenSSL 1.1.x but could
choose to do in this case is to define a header with these shims that could be
shared to reduce the work needed to update programs to move away from APIs
deprecated in 3.0.

-- 
John Baldwin