/curl

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Curl fails to compile without DSA in OpenSSL. #1361

Closed
neheb opened this Issue Mar 27, 2017 · 5 comments

Comments

Assignees
No one assigned
Labels
Projects
None yet
Milestone
No milestone
3 participants
@neheb @jay @bagder
@neheb

neheb commented Mar 27, 2017

I did this

Compiled

I expected the following

Successfull compile

curl/libcurl version

Latest
[curl -V output]
root@LEDE:~# curl -V
curl 7.53.1 (mips-openwrt-linux-gnu) libcurl/7.53.1 OpenSSL/1.0.2k
Protocols: file http https
Features: IPv6 Largefile SSL HTTPS-proxy

operating system

LEDE master

Basically I am trying to reduce the size of OpenSSL on an embedded platform by removing several features from OpenSSL. One of those attempts was to remove DSA. Curl fails to compile though. Is there any way to make DSA support optional? Maybe some ifdef magic?

@bagder bagder added build SSL/TLS labels Mar 27, 2017

@jay

This comment has been minimized.

Sign in to view
Member

jay commented Mar 27, 2017

Basically I am trying to reduce the size of OpenSSL on an embedded platform by removing several features from OpenSSL. One of those attempts was to remove DSA. Curl fails to compile though.

What error do you see? I think this is because we include OpenSSL's dsa.h unconditionally but that include will #error when DSA is not built in. Try this:

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index c64e19e..98324be 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -59,7 +59,9 @@
 #include <openssl/ssl.h>
 #include <openssl/rand.h>
 #include <openssl/x509v3.h>
+#ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
+#endif
 #include <openssl/dh.h>
 #include <openssl/err.h>
 #include <openssl/md5.h>
@bagder

This comment has been minimized.

Sign in to view
Member

bagder commented Mar 27, 2017

@jay: we also use DSA * etc in the get_cert_chain() function.
@jay

This comment has been minimized.

Sign in to view
Member

jay commented Mar 27, 2017

Ok. 2nd draft:

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index c64e19e..f87838f 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -59,7 +59,9 @@
 #include <openssl/ssl.h>
 #include <openssl/rand.h>
 #include <openssl/x509v3.h>
+#ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
+#endif
 #include <openssl/dh.h>
 #include <openssl/err.h>
 #include <openssl/md5.h>
@@ -2799,6 +2801,7 @@ static CURLcode get_cert_chain(struct connectdata *conn,
       }
       case EVP_PKEY_DSA:
       {
+#ifndef OPENSSL_NO_DSA
         DSA *dsa;
 #ifdef HAVE_OPAQUE_EVP_PKEY
         dsa = EVP_PKEY_get0_DSA(pubkey);
@@ -2829,6 +2832,7 @@ static CURLcode get_cert_chain(struct connectdata *conn,
         print_pubkey_BN(dsa, priv_key, i);
         print_pubkey_BN(dsa, pub_key, i);
 #endif
+#endif /* !OPENSSL_NO_DSA */
         break;
       }
       case EVP_PKEY_DH:
@neheb

This comment has been minimized.

Sign in to view

neheb commented Mar 27, 2017

Looks like it compiled just fine. Only left to runtime test it.

jay added a commit that referenced this issue Mar 28, 2017

@jay
openssl: exclude DSA code when OPENSSL_NO_DSA is defined 
- Fix compile errors that occur in openssl.c when OpenSSL lib was
  built without DSA support.

Bug: #1361
Reported-by: neheb@users.noreply.github.com
Loading status checks…
b04e4eb
@jay

This comment has been minimized.

Sign in to view
Member

jay commented Mar 28, 2017

Thanks, landed in b04e4eb.

@jay jay closed this Mar 28, 2017

@lock lock bot locked as resolved and limited conversation to collaborators May 6, 2018

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.