From: Theo Buehler Subject: Re: rpki-client: openssl 4 compat To: Job Snijders Cc: tech@openbsd.org Date: Mon, 27 Apr 2026 21:56:59 +0200 On Mon, Apr 27, 2026 at 07:44:19PM +0000, Job Snijders wrote: > On Mon, Apr 13, 2026 at 12:11:38PM +0200, Theo Buehler wrote: > > This adds two compat implementations for the OpenSSL 4 API that is > > required to deal with opaque strings. This API will eventually land in > > libcrypto but I did not manage to do that in this cycle for various > > reasons. > > OK job@ > > one question below > > > Once LibreSSL provides this, the file will move to portable, but for > > now this way is simplest to ensure that rpki-client as expected with all > > libcrypto versions we care about. > > > > I did not guard the prototypes in extern.h because there's no need. > > > > The openssl bit in regress isn't for commit. I did it this way to keep > > the diff small if anyone wants to test that. You'll need to build and > > install the security/openssl/4.0 and security/openssl/libretls4 ports. > > with the regress piece in my tree, i didn't seem to need libretls4 to > run make in /usr/src/regress/usr.sbin/rpki-client/openssl/ - are you and > I testing something else? :) There are '&& exists(/usr/local/lib/${EOPENSSL}/libtls.a)' where EOPENSSL expands to eopenssl40, and without libretls4, this check will be false. Without libretls4 it will still compile and run the basic regress tests like test-roa.c, etc. But it won't compile rpki-client against libretls4 and build/obj/rpki-client won't exist (or be old).