J08nY
commented
4 years ago The integration of both LibreSSL and OpenSSL/BoringSSL could be done in a similar way of how BoringSSL support was added while keeping OpenSSL. I would suggest adding the libressl-portable as a git submodule into ext/ like how BoringSSL is. Then the makefile target for LibreSSL in standalone/libs/jni will do the same stuff as the BoringSSL target (copy over and rename the .so from the built LibreSSL in the submodule and link to it, instead of just -lcrypto). The LibreSSLLib would also specify this library name instead of just crypto.
This should work to be able to use all of the three libs at the same time. It might also require some messing with RPATH or something like that, but maybe not, so it is worth a try.
mgrabovsky
I've reused the BoringSSL provider to add support for LibreSSL. Some small changes had to be done, since LibreSSL doesn't provide two functions in its API (
EC_GROUP_get0_orderandBN_bn2bin_padded). Created and tested on Fedora 30, using LibreSSL 2.9.2 from the LibreLAMP project.Currently, the implementation doesn't play well with OpenSSL, because LibreSSL uses the same library names (
libcrypto.so, etc.). In practice, it is therefore conventionally not even possible to have them both installed at the same time (short of static linking,LD_LIBRARY_PATH, using chroot, Docker or something else).I have therefore disabled loading in the OpenSSL provider in
ECTesterStandalonefor now.I've taken the provider for a test drive by generating a couple of keys, performing ECDH operations and generating ECDSA signatures (each of them 100,000 times). All seems to have gone quite well. Here's a sneak peek at one of the diagnostic plots: