the-tcpdump-group / tcpdump

the TCPdump network dissector
https://www.tcpdump.org/

OPENSSL_API_COMPAT is not defined by OpenSSL 3.0 #977

Open ydroneaud opened 2 years ago

ydroneaud commented 2 years ago

With OpenSSL 3.0, it's really up to the application to define OPENSSL_API_COMPAT, and when compiling tcpdump, OPENSSL_API_COMPAT is not defined, thus the check in esp_init() is incorrect:

#if !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < 0x10100000L
        OpenSSL_add_all_algorithms();
#endif

https://github.com/the-tcpdump-group/tcpdump/blob/9ff9f78db3cd17d3761fdc441ad58f1ab4917507/print-esp.c#L683

When compiled against OpenSSL 3.0.1 built with the --api=1.1.1 and no-deprecated configuration options, OpenSSL_add_all_algorithms() is not defined, and the build fails:

./print-esp.c: In function 'esp_init':
./print-esp.c:682:2: warning: implicit declaration of function 'OpenSSL_add_all_algorithms' [-Wimplicit-function-declaration]
  OpenSSL_add_all_algorithms();
  ^
libnetdissect.a(print-esp.o): In function `esp_init':
.../print-esp.c:682: undefined reference to `OpenSSL_add_all_algorithms'
collect2: error: ld returned 1 exit status

DimitriPapadopoulos commented 1 year ago

The whole code looks like this: https://github.com/the-tcpdump-group/tcpdump/blob/9ff9f78db3cd17d3761fdc441ad58f1ab4917507/print-esp.c#L674-L687

Given that OpenSSL 1.0.2 is no longer supported except with paid support contracts (Release Strategy), is it worth still maintaining this #if?

Also, the OpenSSL_add_all_algorithms man page, versions 1.1 and newer, reads:

HISTORY

The OpenSSL_add_all_algorithms(), OpenSSL_add_all_ciphers(), OpenSSL_add_all_digests(), and EVP_cleanup(), functions were deprecated in OpenSSL 1.1.0 by OPENSSL_init_crypto() and should not be used.
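
The guard behaviour discussed in this thread, as an added example that is not tcpdump or OpenSSL code: a constructed model showing that the quoted `#if` selects the legacy call whenever `OPENSSL_API_COMPAT` is unset. All `MODEL_*` and `model_*` names are hypothetical stand-ins, and keying the choice on the library version is an assumption, not a fix taken from the project.

```c
#include <stdio.h>

/* Constructed stand-ins for the reported build: OpenSSL 3.0.1 configured
 * with no-deprecated, and an application that never sets OPENSSL_API_COMPAT. */
#define MODEL_VERSION_NUMBER 0x30000010L /* 3.0.1 in 0xMNN00PP0L form */
#define MODEL_NO_DEPRECATED  1
#undef  OPENSSL_API_COMPAT

static int legacy_calls, init_calls;

/* Model header: the legacy entry point exists only if deprecated APIs are kept. */
#if !MODEL_NO_DEPRECATED
static void model_add_all_algorithms(void) { legacy_calls++; }
#endif
static int model_init_crypto(void) { init_calls++; return 1; }

/* The guard quoted in the report, captured as a compile-time constant. */
#if !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < 0x10100000L
#define REPORTED_GUARD_TAKES_LEGACY 1
#else
#define REPORTED_GUARD_TAKES_LEGACY 0
#endif

/* 1 when the reported guard would compile a call the header does not declare. */
int reported_guard_breaks_build(void)
{
    return REPORTED_GUARD_TAKES_LEGACY && MODEL_NO_DEPRECATED;
}

/* Alternative (assumption): choose the call from the library version, which
 * does not depend on the application having defined anything. */
int model_esp_init(void)
{
#if MODEL_VERSION_NUMBER < 0x10100000L
    model_add_all_algorithms();
    return 1;
#else
    return model_init_crypto();
#endif
}

int main(void)
{
    int ok = model_esp_init();
    printf("reported guard breaks build: %d\n", reported_guard_breaks_build());
    printf("version-keyed init ok: %d (legacy=%d, init=%d)\n",
           ok, legacy_calls, init_calls);
    return 0;
}
```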