Skip to content

Check consistency of OpenSSL data headers #132745

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
picnixz opened this issue Apr 20, 2025 · 0 comments
Open

Check consistency of OpenSSL data headers #132745

picnixz opened this issue Apr 20, 2025 · 0 comments
Assignees
@picnixz
Labels
build The build process and cross-build extension-modules C modules in the Modules dir topic-SSL type-feature A feature request or enhancement

Comments

@picnixz
Copy link
Member

picnixz commented Apr 20, 2025
edited by github-actions bot
Loading

Feature or enhancement

Proposal:

OpenSSL mnemonics may change in minor releases and/or they may have clashes. Clashes are annoying because we cannot build 1-to-1 hash tables out of it while inconsistencies mean that error messages would be incorrectly rendered. Note that only error reporting is affected but not error handling as code paths are using the macros defined by OpenSSL (so it doesn't matter which version we're using, as soon as they are available)

I want to create a tool that checks the OpenSSL mnemonics themselves to see if there are duplicates for instance, as well as a tool that bisects whether the latest OpenSSL version has changed its mnemonics. Currently, _ssl.c contains this:

/* Include generated data (error codes) */
/* See make_ssl_data.h for notes on adding a new version. */
#if (OPENSSL_VERSION_NUMBER >= 0x30100000L)
#include "_ssl_data_34.h"
#elif (OPENSSL_VERSION_NUMBER >= 0x30000000L)
#include "_ssl_data_300.h"
#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L)
#include "_ssl_data_111.h"
#else
#error Unsupported OpenSSL version
#endif

In other words, we make the assumption that error codes from OpenSSL 3.1.x up to now have not been changed, but this is not necessarily correct (if new codes are added, it's fine, but if mnemonics are renumbered, it's not: this happened in 3.4.0 -> 3.4.1).

In addition, the reason why 3.4.1 mnemonics changed is because there were mismatched values (see openssl/openssl#26388). The tool would then be doing the following:

  • check whether OpenSSL mnemonics are valid after pulling them; namely check that we don't have mismatched values or clashing values.
  • compute the diff between the latest known mnemonics and the pulled mnemonics. If there are more entries, we can use the same file; otherwise a new file must be created.

To ease development, I also suggest a separate _ssl_data.h file, also automatically generated, and that would be responsible to hold the above code snippet. It's easier than adding more and more lines to _ssl.c in the future. I also suggest moving the _ssl_data_* files into a dedicated folder as we may have more and more files in the future.

Has this already been discussed elsewhere?

This is a minor feature, which does not need previous discussion elsewhere

Links to previous discussion of this feature:

No response
@picnixz picnixz added build The build process and cross-build extension-modules C modules in the Modules dir topic-SSL type-feature A feature request or enhancement labels Apr 20, 2025
@picnixz picnixz self-assigned this Apr 20, 2025
@picnixz picnixz mentioned this issue Apr 20, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@picnixz picnixz

Labels
build The build process and cross-build extension-modules C modules in the Modules dir topic-SSL type-feature A feature request or enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@picnixz