On Tue, May 18, 2021 at 11:45:33AM +0200, Giovanni Bechis wrote:
> Hi,
> upcoming Apache httpd doesn't build with LibreSSL because it uses
> EVP_PKEY_X25519 constants that are not defined on LibreSSL.
> The following diff works, is it better to add EVP_PKEY_X constants
> to evp.h instead ?
There is more code that would need to be added to libcrypto to make this
work. We will likely have to add EVP_PKEY_X25519 at some point, but
libcrypto is not ready. There are currently no plans for X448 support.
With your patch the call to EVP_PKEY_CTX_new_id() will fail. I would
suggest disabling X25519 and X448 support as follows:
Index: patches/patch-modules_md_md_crypt_c
===================================================================
RCS file: patches/patch-modules_md_md_crypt_c
diff -N patches/patch-modules_md_md_crypt_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-modules_md_md_crypt_c 18 May 2021 11:14:02 -0000
@@ -0,0 +1,34 @@
+$OpenBSD$
+
+LibreSSL does not expose X25519 via EVP and has no X448 support.
+
+Index: modules/md/md_crypt.c
+--- modules/md/md_crypt.c.orig
++++ modules/md/md_crypt.c
+@@ -797,7 +797,7 @@ static apr_status_t gen_ec(md_pkey_t **ppkey, apr_pool
+ curve_nid = NID_X9_62_prime192v1;
+ }
+ #endif
+-#ifdef NID_X25519
++#if defined(NID_X25519) && !defined(LIBRESSL_VERSION_NUMBER)
+ if (NID_undef == curve_nid && !apr_strnatcasecmp("X25519", curve)) {
+ curve_nid = NID_X25519;
+ }
+@@ -814,7 +814,7 @@ static apr_status_t gen_ec(md_pkey_t **ppkey, apr_pool
+ *ppkey = make_pkey(p);
+ switch (curve_nid) {
+
+-#ifdef NID_X25519
++#if defined(NID_X25519) && !defined(LIBRESSL_VERSION_NUMBER)
+ case NID_X25519:
+ /* no parameters */
+ if (NULL == (ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_X25519, NULL))
+@@ -828,7 +828,7 @@ static apr_status_t gen_ec(md_pkey_t **ppkey, apr_pool
+ break;
+ #endif
+
+-#ifdef NID_X448
++#if defined(NID_X448) && !defined(LIBRESSL_VERSION_NUMBER)
+ case NID_X448:
+ /* no parameters */
+ if (NULL == (ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_X448, NULL))
