PolarSSL: version 1.3.8 now required #1401

Closed
MarcelRaad opened this Issue Apr 10, 2017 · 5 comments


MarcelRaad commented Apr 10, 2017

I did this

Tried to build curl with PolarSSL on Ubuntu 14.04 Trusty Tahr. It compiled, but linking failed because of an undefined reference to ssl_session_init which was introduced in 9f498de and is only available in PolarSSL versions 1.3.8 and 1.3.9. Ubuntu Trusty comes with PolarSSL 1.3.4.

I expected the following

Either the minimum version documented in INTERNALS.md bumped to 1.3.8 and the minimum POLARSSL_VERSION_NUMBER in polarssl.c bumped to 0x01030800 or a successful build.

curl/libcurl version

git master f9d1e9a

operating system

Ubuntu Trusty

@bagder bagder added the SSL/TLS label Apr 10, 2017


bagder commented Apr 10, 2017

I'm inclined to say that we simply raise the bar to 1.3.8 unless someone steps forward and does the work to make sure older versions get supported again.

Reading up on recent security details, it seems PolarSSL users shouldn't use anything other than 1.3.19 anyway...


bagder commented Apr 10, 2017

I believe commit 04b4ee5 (June 2016) is what broke support for older versions, and that change doesn't look like a quick and easy fix to get working for older PolarSSL versions. The fact that it took 10 months for someone to report it could also work as a sign...


jay commented Apr 11, 2017

We could fix it I think. That call in the final two versions of PolarSSL is just this

void ssl_session_init( ssl_session *session )
{
    memset( session, 0, sizeof(ssl_session) );
}

Regarding security for PolarSSL in Trusty I assume it gets security fixes for their LTS?


MarcelRaad commented Apr 11, 2017

> We could fix it I think. That call in the final two versions of PolarSSL is just this

Right, as there won't be new versions of PolarSSL, we don't need to consider future changes to ssl_session_init. If @bagder agrees and nobody's faster than me, I'll change that to just use the memset.


bagder commented Apr 11, 2017

I'm totally fine with that!

MarcelRaad added a commit to MarcelRaad/curl that referenced this issue Apr 11, 2017

polarssl: unbreak build with versions < 1.3.8
ssl_session_init was only introduced in version 1.3.8, the penultimate
version. The function only contains a memset, so replace it with that.

Suggested-by: Jay Satiro
Fixes curl#1401
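The approach the thread settles on, sketched as an added example (not curl's or PolarSSL's own code): gate on `POLARSSL_VERSION_NUMBER` and fall back to the `memset` where `ssl_session_init` does not exist. The `ssl_session` struct here is a stand-in, the default version value is constructed to match Trusty's 1.3.4, and `compat_ssl_session_init`, `has_ssl_session_init`, `session_is_zeroed` and the `ver_*` helpers are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for <polarssl/version.h>: 0x01030400 is 1.3.4 (constructed value). */
#ifndef POLARSSL_VERSION_NUMBER
#define POLARSSL_VERSION_NUMBER 0x01030400
#endif

/* Hypothetical stand-in for PolarSSL's ssl_session so this builds offline. */
typedef struct {
    size_t length;
    unsigned char id[32];
    unsigned char master[48];
} ssl_session;

/* The version macro is laid out as 0xMMNNPP00: major, minor, patch. */
static int ver_major(unsigned long v) { return (int)((v >> 24) & 0xff); }
static int ver_minor(unsigned long v) { return (int)((v >> 16) & 0xff); }
static int ver_patch(unsigned long v) { return (int)((v >> 8) & 0xff); }

/* Per the issue, ssl_session_init exists only from 1.3.8 (0x01030800) on. */
static int has_ssl_session_init(unsigned long v) { return v >= 0x01030800UL; }

#if POLARSSL_VERSION_NUMBER >= 0x01030800
/* New enough: use the library's own initializer. */
#define compat_ssl_session_init(s) ssl_session_init(s)
#else
/* Older library: do what the 1.3.8/1.3.9 function does, a plain memset. */
static void compat_ssl_session_init(ssl_session *s)
{
    memset(s, 0, sizeof(ssl_session));
}
#endif

/* Returns 1 when every byte of the session is zero, so no stale data remains. */
static int session_is_zeroed(const ssl_session *s)
{
    const unsigned char *p = (const unsigned char *)s;
    for (size_t i = 0; i < sizeof(*s); i++)
        if (p[i] != 0) return 0;
    return 1;
}

int main(void)
{
    unsigned long v = POLARSSL_VERSION_NUMBER;
    ssl_session s;
    memset(&s, 0xAA, sizeof(s));          /* simulate uninitialized contents */
    compat_ssl_session_init(&s);
    printf("PolarSSL %d.%d.%d: native init=%d, zeroed=%d\n", ver_major(v),
           ver_minor(v), ver_patch(v), has_ssl_session_init(v), session_is_zeroed(&s));
    return 0;
}
```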

@lock lock bot locked as resolved and limited conversation to collaborators May 6, 2018
