Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Curl fails to compile without DSA in OpenSSL. #1361

Closed
neheb opened this issue Mar 27, 2017 · 5 comments
Closed

Curl fails to compile without DSA in OpenSSL. #1361

neheb opened this issue Mar 27, 2017 · 5 comments
Labels
build TLS

Comments

@neheb
Copy link
Contributor

neheb commented Mar 27, 2017

I did this

Compiled

I expected the following

Successfull compile

curl/libcurl version

Latest
[curl -V output]
root@LEDE:~# curl -V
curl 7.53.1 (mips-openwrt-linux-gnu) libcurl/7.53.1 OpenSSL/1.0.2k
Protocols: file http https
Features: IPv6 Largefile SSL HTTPS-proxy

operating system

LEDE master

Basically I am trying to reduce the size of OpenSSL on an embedded platform by removing several features from OpenSSL. One of those attempts was to remove DSA. Curl fails to compile though. Is there any way to make DSA support optional? Maybe some ifdef magic?
@jay
Copy link
Member

jay commented Mar 27, 2017

Basically I am trying to reduce the size of OpenSSL on an embedded platform by removing several features from OpenSSL. One of those attempts was to remove DSA. Curl fails to compile though.

What error do you see? I think this is because we include OpenSSL's dsa.h unconditionally but that include will #error when DSA is not built in. Try this:

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index c64e19e..98324be 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -59,7 +59,9 @@
 #include <openssl/ssl.h>
 #include <openssl/rand.h>
 #include <openssl/x509v3.h>
+#ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
+#endif
 #include <openssl/dh.h>
 #include <openssl/err.h>
 #include <openssl/md5.h>

@bagder
Copy link
Member

bagder commented Mar 27, 2017

@jay: we also use DSA * etc in the get_cert_chain() function.

@jay
Copy link
Member

jay commented Mar 27, 2017

Ok. 2nd draft:

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index c64e19e..f87838f 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -59,7 +59,9 @@
 #include <openssl/ssl.h>
 #include <openssl/rand.h>
 #include <openssl/x509v3.h>
+#ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
+#endif
 #include <openssl/dh.h>
 #include <openssl/err.h>
 #include <openssl/md5.h>
@@ -2799,6 +2801,7 @@ static CURLcode get_cert_chain(struct connectdata *conn,
       }
       case EVP_PKEY_DSA:
       {
+#ifndef OPENSSL_NO_DSA
         DSA *dsa;
 #ifdef HAVE_OPAQUE_EVP_PKEY
         dsa = EVP_PKEY_get0_DSA(pubkey);
@@ -2829,6 +2832,7 @@ static CURLcode get_cert_chain(struct connectdata *conn,
         print_pubkey_BN(dsa, priv_key, i);
         print_pubkey_BN(dsa, pub_key, i);
 #endif
+#endif /* !OPENSSL_NO_DSA */
         break;
       }
       case EVP_PKEY_DH:

@neheb
Copy link
Contributor Author

neheb commented Mar 27, 2017

Looks like it compiled just fine. Only left to runtime test it.

jay added a commit that referenced this issue Mar 28, 2017
@jay
openssl: exclude DSA code when OPENSSL_NO_DSA is defined
b04e4eb 
- Fix compile errors that occur in openssl.c when OpenSSL lib was
  built without DSA support.

Bug: #1361
Reported-by: neheb@users.noreply.github.com
@jay
Copy link
Member

jay commented Mar 28, 2017

Thanks, landed in b04e4eb.

@jay jay closed this as completed Mar 28, 2017
@lock lock bot locked as resolved and limited conversation to collaborators May 6, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
build TLS
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@bagder @jay @neheb