OpenSSL v1.1 fixes for v3.0.x #1850
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
spbnick
force-pushed
the
v3.0.x_openssl_1.1_fix
branch
from
3b97563
to
34f496c
Compare
|
Alright, I see some failures in CI and will try to fix them next week. |
|
Not directly related to this change, but it looks like both 3.0 and 3.1 compile fine on my Debian Sid system (OpenSSL 1.1.0c-1) now. I'm actually not really sure what caused this |
spbnick
force-pushed
the
v3.0.x_openssl_1.1_fix
branch
from
34f496c
to
7bf250b
Compare
spbnick
force-pushed
the
v3.0.x_openssl_1.1_fix
branch
from
7bf250b
to
bbbde85
Compare
spbnick
force-pushed
the
v3.0.x_openssl_1.1_fix
branch
2 times, most recently
from
44db3d0
to
6979958
Compare
|
The mentioned warnings are still there (except ones seen on RHEL6), but otherwise it builds fine in CI now. |
spbnick
force-pushed
the
v3.0.x_openssl_1.1_fix
branch
from
6979958
to
ae84424
Compare
|
Alright, now all OpenSSL-related warnings are gone. @alandekok, @arr2036, could you please review? Thank you. |
alandekok
reviewed
Nov 23, 2016
| p += SSL3_RANDOM_SIZE; | ||
| #ifdef HAVE_SSL_GET_CLIENT_RANDOM |
There was a problem hiding this comment.
I'd prefer to just use the local version of SSL_get_server_random() instead of ifdefs. We took a pass through the code to do this, but haven't finished it yet.
There was a problem hiding this comment.
Ah, OK, makes sense.
|
It looks pretty good. I'll take another pass through it later today. |
Needed for conditionally avoiding accessing private OpenSSL structures in a following patch. Backported from v3.1.x.
Switch to checking for EVP_CIPHER_CTX_new instead of EVP_cleanup to detect presence of libcrypto, because EVP_cleanup was removed as symbol from OpenSSL 1.1, and the check would always fail.
Apart from dealing with a FIXME, this is needed for implementing compatibility fallbacks for some functions introduced in OpenSSL 1.1, in following commits.
Check for presence of openssl/asn1.h to support definition of fallback functions in later patches.
Check for presence of openssl/conf.h to support definition of fallback functions in later patches.
Add four fallback function implementations to use in place of functions removed/deprecated in OpenSSL 1.1. Those are to be used in the following patches to make the build work and not produce deprecation warnings.
Some more OpenSSL structures were made private in v1.1 and accessor functions were added instead. Switch to using accessor functions to fix the build.
Add the missing mandatory HMAC context initialization to rlm_otp's otp_gen_state. Otherwise the outcome of the following HMAC operations is undefined.
Switch to using HMAC_CTX_new in place of HMAC_CTX_init, which was removed in OpenSSL 1.1, resulting in broken build.
Replace remaining use of HMAC_Init with HMAC_Init_ex to silence deprecation warnings with OpenSSL 1.1.
Switch to using ASN1_STRING_get0_data instead of ASN1_STRING_data, which was deprecated in OpenSSL 1.1 and would produce build warnings.
Switch to using CONF_modules_load_file instead of OPENSSL_config, which was deprecated in OpenSSL 1.1 and would produce build warnings.
Update some declarations to use const to match respective changes in OpenSSL 1.1 and not produce build warnings.
Use appropriate OpenSSL thread cleanup function or don't use any, depending on their deprecation status in various OpenSSL versions.
Check if CRYPTO_set_id_callback and CRYPTO_set_locking_callback are defined as functions (as opposed to stub macros), and if they aren't, don't call them and don't define the corresponding callbacks. This avoids the "unused function" warnings with OpenSSL v1.1.
spbnick
force-pushed
the
v3.0.x_openssl_1.1_fix
branch
from
ae84424
to
d768705
Compare
|
Alright, I moved |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This makes v3.0.x build on Fedora Rawhide and concerns #1817.
I tested the build on Fedora Rawhide, Debian Testing, and RHEL6.8.
I didn't run any tests.
There are still a couple OpenSSL-related warnings on Rawhide, which I'm not yet sure how to deal with:
RHEL6.8 also complained a bit:
The above can be fixed by checking that we're below OpenSSL_0_9_8y, and
removing const from
ext_listincbtls_verifyinsrc/main/tls.c, but I'm notsure if it's worth it, or maybe I just had enough for today.
Some of the fallback functions I defined in
missing-hmight not be necessary.Please tell me what you think and if anything needs changing.
Thank you.