Curl fails to compile without DSA in OpenSSL. #1361

neheb · 2017-03-27T22:12:10Z

I did this

Compiled

I expected the following

Successfull compile

curl/libcurl version

Latest
[curl -V output]
root@LEDE:~# curl -V
curl 7.53.1 (mips-openwrt-linux-gnu) libcurl/7.53.1 OpenSSL/1.0.2k
Protocols: file http https
Features: IPv6 Largefile SSL HTTPS-proxy

operating system

LEDE master

Basically I am trying to reduce the size of OpenSSL on an embedded platform by removing several features from OpenSSL. One of those attempts was to remove DSA. Curl fails to compile though. Is there any way to make DSA support optional? Maybe some ifdef magic?

jay · 2017-03-27T22:27:53Z

Basically I am trying to reduce the size of OpenSSL on an embedded platform by removing several features from OpenSSL. One of those attempts was to remove DSA. Curl fails to compile though.

What error do you see? I think this is because we include OpenSSL's dsa.h unconditionally but that include will #error when DSA is not built in. Try this:

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index c64e19e..98324be 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -59,7 +59,9 @@
 #include <openssl/ssl.h>
 #include <openssl/rand.h>
 #include <openssl/x509v3.h>
+#ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
+#endif
 #include <openssl/dh.h>
 #include <openssl/err.h>
 #include <openssl/md5.h>

bagder · 2017-03-27T22:31:30Z

@jay: we also use DSA * etc in the get_cert_chain() function.

jay · 2017-03-27T22:49:08Z

Ok. 2nd draft:

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index c64e19e..f87838f 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -59,7 +59,9 @@
 #include <openssl/ssl.h>
 #include <openssl/rand.h>
 #include <openssl/x509v3.h>
+#ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
+#endif
 #include <openssl/dh.h>
 #include <openssl/err.h>
 #include <openssl/md5.h>
@@ -2799,6 +2801,7 @@ static CURLcode get_cert_chain(struct connectdata *conn,
       }
       case EVP_PKEY_DSA:
       {
+#ifndef OPENSSL_NO_DSA
         DSA *dsa;
 #ifdef HAVE_OPAQUE_EVP_PKEY
         dsa = EVP_PKEY_get0_DSA(pubkey);
@@ -2829,6 +2832,7 @@ static CURLcode get_cert_chain(struct connectdata *conn,
         print_pubkey_BN(dsa, priv_key, i);
         print_pubkey_BN(dsa, pub_key, i);
 #endif
+#endif /* !OPENSSL_NO_DSA */
         break;
       }
       case EVP_PKEY_DH:

neheb · 2017-03-27T23:13:48Z

Looks like it compiled just fine. Only left to runtime test it.


        openssl: exclude DSA code when OPENSSL_NO_DSA is defined

- Fix compile errors that occur in openssl.c when OpenSSL lib was built without DSA support. Bug: #1361 Reported-by: neheb@users.noreply.github.com

jay · 2017-03-28T07:57:24Z

Thanks, landed in b04e4eb.

bagder added build SSL/TLS labels Mar 27, 2017

jay closed this Mar 28, 2017

lock bot locked as resolved and limited conversation to collaborators May 6, 2018

curl / curl

Curl fails to compile without DSA in OpenSSL. #1361

Curl fails to compile without DSA in OpenSSL. #1361

neheb commented Mar 27, 2017

This comment has been minimized.

jay commented Mar 27, 2017

This comment has been minimized.

bagder commented Mar 27, 2017

This comment has been minimized.

jay commented Mar 27, 2017

This comment has been minimized.

neheb commented Mar 27, 2017

This comment has been minimized.

jay commented Mar 28, 2017

curl / curl

Sponsor curl/curl

Join GitHub today

Curl fails to compile without DSA in OpenSSL. #1361

Curl fails to compile without DSA in OpenSSL. #1361

Comments

neheb commented Mar 27, 2017

I did this

I expected the following

curl/libcurl version

operating system

This comment has been minimized.

jay commented Mar 27, 2017

This comment has been minimized.

bagder commented Mar 27, 2017

This comment has been minimized.

jay commented Mar 27, 2017

This comment has been minimized.

neheb commented Mar 27, 2017

This comment has been minimized.

jay commented Mar 28, 2017