Skip to content

Check consistency of OpenSSL data headers #132745

New issue
New issue
Open
Open
Check consistency of OpenSSL data headers#132745
Assignees
picnixz
Labels
buildThe build process and cross-buildextension-modulesC modules in the Modules dirtopic-SSLtype-featureA feature request or enhancement
@picnixz

Description

@picnixz
picnixz
opened on Apr 20, 2025

Feature or enhancement

Proposal:

OpenSSL mnemonics may change in minor releases and/or they may have clashes. Clashes are annoying because we cannot build 1-to-1 hash tables out of it while inconsistencies mean that error messages would be incorrectly rendered. Note that only error reporting is affected but not error handling as code paths are using the macros defined by OpenSSL (so it doesn't matter which version we're using, as soon as they are available)

I want to create a tool that checks the OpenSSL mnemonics themselves to see if there are duplicates for instance, as well as a tool that bisects whether the latest OpenSSL version has changed its mnemonics. Currently, _ssl.c contains this:

/* Include generated data (error codes) */
/* See make_ssl_data.h for notes on adding a new version. */
#if (OPENSSL_VERSION_NUMBER >= 0x30100000L)
#include "_ssl_data_34.h"
#elif (OPENSSL_VERSION_NUMBER >= 0x30000000L)
#include "_ssl_data_300.h"
#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L)
#include "_ssl_data_111.h"
#else
#error Unsupported OpenSSL version
#endif

In other words, we make the assumption that error codes from OpenSSL 3.1.x up to now have not been changed, but this is not necessarily correct (if new codes are added, it's fine, but if mnemonics are renumbered, it's not: this happened in 3.4.0 -> 3.4.1).

In addition, the reason why 3.4.1 mnemonics changed is because there were mismatched values (see openssl/openssl#26388). The tool would then be doing the following:

  • check whether OpenSSL mnemonics are valid after pulling them; namely check that we don't have mismatched values or clashing values.
  • compute the diff between the latest known mnemonics and the pulled mnemonics. If there are more entries, we can use the same file; otherwise a new file must be created.

To ease development, I also suggest a separate _ssl_data.h file, also automatically generated, and that would be responsible to hold the above code snippet. It's easier than adding more and more lines to _ssl.c in the future. I also suggest moving the _ssl_data_* files into a dedicated folder as we may have more and more files in the future.

Has this already been discussed elsewhere?

This is a minor feature, which does not need previous discussion elsewhere

Links to previous discussion of this feature:

No response

Metadata

Metadata

Assignees

Labels

buildThe build process and cross-buildextension-modulesC modules in the Modules dirtopic-SSLtype-featureA feature request or enhancement

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions