Curl fails to compile without DSA in OpenSSL. #1361

Closed
neheb opened this Issue Mar 27, 2017 · 5 comments

neheb commented Mar 27, 2017

I did this

Compiled

I expected the following

Successful compile

curl/libcurl version

Latest
[curl -V output]
root@LEDE:~# curl -V
curl 7.53.1 (mips-openwrt-linux-gnu) libcurl/7.53.1 OpenSSL/1.0.2k
Protocols: file http https
Features: IPv6 Largefile SSL HTTPS-proxy

operating system

LEDE master

Basically I am trying to reduce the size of OpenSSL on an embedded platform by removing several features from OpenSSL. One of those attempts was to remove DSA. Curl fails to compile though. Is there any way to make DSA support optional? Maybe some ifdef magic?

Owner
jay commented Mar 27, 2017

> Basically I am trying to reduce the size of OpenSSL on an embedded platform by removing several features from OpenSSL. One of those attempts was to remove DSA. Curl fails to compile though.

What error do you see? I think this is because we include OpenSSL's dsa.h unconditionally but that include will #error when DSA is not built in. Try this:

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index c64e19e..98324be 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -59,7 +59,9 @@
 #include <openssl/ssl.h>
 #include <openssl/rand.h>
 #include <openssl/x509v3.h>
+#ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
+#endif
 #include <openssl/dh.h>
 #include <openssl/err.h>
 #include <openssl/md5.h>
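
Review bot: guarding only the `#include <openssl/dsa.h>` line is not enough if anything further down openssl.c still names DSA types or accessors, because with the header skipped those uses fail to compile for the same reason. Suggest wrapping every DSA-specific code path in the same `#ifndef OPENSSL_NO_DSA` test, or confirming that none exist, before this lands.
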
Owner
bagder commented Mar 27, 2017

@jay: we also use DSA * etc in the get_cert_chain() function.

Owner
jay commented Mar 27, 2017

Ok. 2nd draft:

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index c64e19e..f87838f 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -59,7 +59,9 @@
 #include <openssl/ssl.h>
 #include <openssl/rand.h>
 #include <openssl/x509v3.h>
+#ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
+#endif
 #include <openssl/dh.h>
 #include <openssl/err.h>
 #include <openssl/md5.h>
@@ -2799,6 +2801,7 @@ static CURLcode get_cert_chain(struct connectdata *conn,
       }
       case EVP_PKEY_DSA:
       {
+#ifndef OPENSSL_NO_DSA
         DSA *dsa;
 #ifdef HAVE_OPAQUE_EVP_PKEY
         dsa = EVP_PKEY_get0_DSA(pubkey);
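
Review bot: the new `#ifndef OPENSSL_NO_DSA` opens inside the `case EVP_PKEY_DSA:` block, so the case label itself stays outside the guard and the build still depends on `EVP_PKEY_DSA` being defined when DSA is compiled out. That should be confirmed against a no-DSA OpenSSL build. The opening directive also sits right above the existing `#ifdef HAVE_OPAQUE_EVP_PKEY`, so a short comment on it would make the nesting easier to follow.
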
@@ -2829,6 +2832,7 @@ static CURLcode get_cert_chain(struct connectdata *conn,
         print_pubkey_BN(dsa, priv_key, i);
         print_pubkey_BN(dsa, pub_key, i);
 #endif
+#endif /* !OPENSSL_NO_DSA */
         break;
       }
       case EVP_PKEY_DH:
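
Review bot: at the end of the DSA case the new `#endif /* !OPENSSL_NO_DSA */` sits directly under an unlabelled `#endif`, which makes it easy to misread which conditional each one closes; suggest labelling the inner one as well. With the guard active the case body reduces to `break;`, so a certificate carrying a DSA key gets no public key details and nothing says why; a comment stating that this is intended would help.
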
neheb commented Mar 27, 2017

Looks like it compiled just fine. Only left to runtime test it.

jay added a commit that referenced this issue Mar 28, 2017

openssl: exclude DSA code when OPENSSL_NO_DSA is defined

- Fix compile errors that occur in openssl.c when OpenSSL lib was
  built without DSA support.

Bug: #1361
Reported-by: neheb@users.noreply.github.com
b04e4eb
Owner
jay commented Mar 28, 2017

Thanks, landed in b04e4eb.

jay closed this Mar 28, 2017