curl build fails with OpenSSL (master) using opaque X509 struct

[DevByStarlight]

Greetings,

Building curl against the latest OpenSSL master branch fails due to recent change to make x509 an opaque structure.

• Cross compiling curl for iOS (iPhone arm7 and other archs)
• curl - master branch @3ad83bc3a623758a53496dbb88be48fd5e190aca
• openssl - master branch @6f73d28c20459034bfd4090494be9fb1a479c8af

I realize I'm using the "bleeding edge" codelines. Perhaps consider this more of a heads up of openssl changes affecting curl (likely BoringSSL too).

The 'internals' lists 'OpenSSL 0.9.7' as a dependency (http://curl.haxx.se/dev/internals.html). However, I'm not sure where it might be mentioned the "most recently tested compatible' versions of underlying libraries such as OpenSSL.

[Edit: I have reverted to an earlier OpenSSL commit for the time being.]
~~

Compile error in vtls

    mv -f vtls/.deps/libcurl_la-nss.Tpo vtls/.deps/libcurl_la-nss.Plo
    mv -f vtls/.deps/libcurlu_la-vtls.Tpo vtls/.deps/libcurlu_la-vtls.Plo
    mv -f vtls/.deps/libcurl_la-polarssl.Tpo vtls/.deps/libcurl_la-polarssl.Plo
    mv -f vtls/.deps/libcurl_la-polarssl_threadlock.Tpo vtls/.deps/libcurl_la-polarssl_threadlock.Plo
    vtls/openssl.c:2350:13: error: incomplete definition of type 'struct x509_st'
        cinf = x->cert_info;

~~

Appears to be a side-effect of this commit in OpenSSL master codeline

    Commit: 2c81e476fab0e3e0b6140652b4577bf6f3b827be [2c81e47]
    Parents: 7e4188326b
    Author: Dr. Stephen Henson <steve@openssl.org>
    Date: September 22, 2015 at 6:00:13 AM PDT
    Commit Date: September 22, 2015 at 1:15:55 PM PDT

    Make X509 opaque

    Reviewed-by: Rich Salz <rsalz@openssl.org>

[bagder]

We test and aim to work with all released versions of OpenSSL. While I think it is useful to also work with OpenSSL's development branch it is a high maintenance burden to keep that polished. We'll appreciate patches that fix this, and I occasionally go through and fix this myself but I cannot consider it to be a high prioritized activity.

[bagder]

I just looked and its not clear to me which alternative API they suggest we use to get the same information. I will consider this an OpenSSL bug for now.

[DevByStarlight]

On Oct 17, 2015 14:23, "Daniel Stenberg" notifications@github.com wrote:

I just looked and its not clear to me which alternative API they suggest
we use to get the same information. I will consider this an OpenSSL bug for
now.

—
Reply to this email directly or view it on GitHub.

Agreed.
Thanks for taking a look at it. :)

Fwiw : I added an SSL context callback (and some naughty header copy/paste
hackery) to poke at some of the inner structures in my app's curl calls at
runtime. It gets around some issues I needed to address but isn't a viable,
not ideal, long-term solution.

[gvanem]

I can verify this on MSVC/Windows too:

vtls/openssl.c(2343): error C2037: left of 'cert_info' specifies undefined struct/union 'x509_st'
vtls/openssl.c(2345): error C2037: left of 'signature' specifies undefined struct/union 'x509_cinf_st'
vtls/openssl.c(2345): error C2198: 'i2a_ASN1_OBJECT': too few arguments for call
vtls/openssl.c(2354): error C2037: left of 'key' specifies undefined struct/union 'x509_cinf_st'
vtls/openssl.c(2354): error C2198: 'i2a_ASN1_OBJECT': too few arguments for call
vtls/openssl.c(2397): error C2037: left of 'extensions' specifies undefined struct/union 'x509_cinf_st'
vtls/openssl.c(2397): error C2198: 'X509V3_ext': too few arguments for call
vtls/openssl.c(2399): error C2037: left of 'signature' specifies undefined struct/union 'x509_st'
vtls/openssl.c(2400): error C2037: left of 'signature' specifies undefined struct/union 'x509_st'

And these:

vtls/openssl.c(2951): warning C4013: 'SSLeay' undefined; assuming extern returning int
vtls/openssl.c(2953): error C2065: 'SSLEAY_VERSION_NUMBER': undeclared identifier

@bagder I will consider this an OpenSSL bug for now.

Probably. I'll stick to SChannel anyway.

[bagder]

This also fails the same way with "version 1.1.0 pre release 1 (alpha)" that was released today.

[bagder]

(in addition to several other warnings/errors)

[richsalz]

If you consider it an OpenSSL bug, please mail details to rt at openssl.org

[bagder]

Thanks, filed here: https://rt.openssl.org/Ticket/Display.html?id=4177

(some other minor tweaks were just pushed)

[bagder]

With the use of some fun #ifdef trickery I solved it and OpenSSL >= 1.1.0 now works and builds fine.

[richsalz]

Great. Is there an easy way to see what you did? Maybe others would benefit and we could post it on the wiki.

[bagder]

First, I had to add some #defines for names that no longer exist:
fa9332d

Then I adjusted to using new X509* calls to access the data that isn't exposed in structs anymore:
7f683b0

[richsalz]

Thanks, I'll copy these links into our wiki!