Hi Nenad,

On Sat, Mar 23, 2019 at 10:48:35AM +0100, Nenad Merdanovic wrote:
> >    CC      src/ssl_sock.o
> > src/ssl_sock.c: In function 'sample_conv_aes_gcm_dec':
> > src/ssl_sock.c:9166:27: error: 'EVP_CTRL_AEAD_SET_IVLEN' undeclared (first 
> > use in this function)
> > src/ssl_sock.c:9166:27: note: each undeclared identifier is reported only 
> > once for each function it appears in
> > src/ssl_sock.c:9191:27: error: 'EVP_CTRL_AEAD_SET_TAG' undeclared (first 
> > use in this function)
> > distcc[22896] ERROR: compile src/ssl_sock.c on localhost failed
> > make: *** [src/ssl_sock.o] Error 1
> > 
> > It's on openssl 1.1.1a.
> 
> Are you sure that's 1.1.1a? I can actually see a problem with 1.0.2 and
> lower, where these are differently named, but work the same, so I am going
> to send a fix for that. I have double-checked that it builds fine with 1.1.1
> (and should with 1.1.0):
> Built with OpenSSL version : OpenSSL 1.1.1a  20 Nov 2018
> Running on OpenSSL version : OpenSSL 1.1.1a  20 Nov 2018

Bah obviously you're right. I was building with distcc and my cross-compiler
whose sysroot has 1.0.2 but typed "openssl version" on the command line...
When built against 1.1.1a it builds fine.

> I will, for now, also disable this for BoringSSL and LibreSSL until I manage
> to test it.

OK thanks!

> > Do you think it would be easy enough to have the equivalent encrypt
> > version ? :-)  I suspect it's mostly a matter of using the Encrypt
> > variant of the EVP functions, but I could really be wrong. This
> > could even allow to encrypt cookies in response and decrypt them
> > back for example.
> 
> Yes, that's the plan. It's a tiny bit more complex as I still need to think
> about how best to "return" two values. Current idea is to have the converter
> output the ciphertext and then as a last argument I will pass the variable
> name in which the AEAD tag will be stored by the converter.

I'm not sure why this is needed, because my first impression was that if
this part can be an argument in the decode it ought to be one as well for
the encoder, but that's where my ignorance of crypto shines, as I understand
from your explanation that it's something the encryption returns instead. I
thought that we'd simply have aes_gcm_encrypt(args),aes_gcm_decrypt(args)
be an identity in fact, but don't worry, I'm not asking you to do magics!

Cheers,
Willy

Reply via email to