curl build fails with OpenSSL (master) using opaque X509 struct #491

Closed
DevByStarlight opened this Issue Oct 14, 2015 · 12 comments

DevByStarlight commented Oct 14, 2015

Greetings,

Building curl against the latest OpenSSL master branch fails due to a recent change to make X509 an opaque structure.

  • Cross compiling curl for iOS (iPhone arm7 and other archs)
  • curl - master branch @3ad83bc3a623758a53496dbb88be48fd5e190aca
  • openssl - master branch @6f73d28c20459034bfd4090494be9fb1a479c8af

I realize I'm using the "bleeding edge" codelines. Perhaps consider this more of a heads up of openssl changes affecting curl (likely BoringSSL too).

The 'internals' page lists 'OpenSSL 0.9.7' as a dependency (http://curl.haxx.se/dev/internals.html). However, I'm not sure where the 'most recently tested compatible' versions of underlying libraries such as OpenSSL might be mentioned.

[Edit: I have reverted to an earlier OpenSSL commit for the time being.]
~~

Compile error in vtls

    mv -f vtls/.deps/libcurl_la-nss.Tpo vtls/.deps/libcurl_la-nss.Plo
    mv -f vtls/.deps/libcurlu_la-vtls.Tpo vtls/.deps/libcurlu_la-vtls.Plo
    mv -f vtls/.deps/libcurl_la-polarssl.Tpo vtls/.deps/libcurl_la-polarssl.Plo
    mv -f vtls/.deps/libcurl_la-polarssl_threadlock.Tpo vtls/.deps/libcurl_la-polarssl_threadlock.Plo
    vtls/openssl.c:2350:13: error: incomplete definition of type 'struct x509_st'
        cinf = x->cert_info;

~~

Appears to be a side-effect of this commit in OpenSSL master codeline

    Commit: 2c81e476fab0e3e0b6140652b4577bf6f3b827be [2c81e47]
    Parents: 7e4188326b
    Author: Dr. Stephen Henson <steve@openssl.org>
    Date: September 22, 2015 at 6:00:13 AM PDT
    Commit Date: September 22, 2015 at 1:15:55 PM PDT

    Make X509 opaque

    Reviewed-by: Rich Salz <rsalz@openssl.org>

@bagder bagder added the SSL/TLS label Oct 15, 2015

Member

bagder commented Oct 15, 2015

We test and aim to work with all released versions of OpenSSL. While I think it is useful to also work with OpenSSL's development branch it is a high maintenance burden to keep that polished. We'll appreciate patches that fix this, and I occasionally go through and fix this myself but I cannot consider it to be a high prioritized activity.

@bagder bagder changed the title from Curl build fails with latest OpenSSL to curl build fails with OpenSSL (master) using opaque X509 struct Oct 17, 2015

Member

bagder commented Oct 17, 2015

I just looked and it's not clear to me which alternative API they suggest we use to get the same information. I will consider this an OpenSSL bug for now.

DevByStarlight commented Nov 3, 2015

On Oct 17, 2015 14:23, "Daniel Stenberg" notifications@github.com wrote:

> I just looked and it's not clear to me which alternative API they suggest
> we use to get the same information. I will consider this an OpenSSL bug for
> now.

Agreed.
Thanks for taking a look at it. :)

Fwiw : I added an SSL context callback (and some naughty header copy/paste
hackery) to poke at some of the inner structures in my app's curl calls at
runtime. It gets around some issues I needed to address but isn't a viable,
not ideal, long-term solution.

Member

gvanem commented Dec 2, 2015

I can verify this on MSVC/Windows too:

    vtls/openssl.c(2343): error C2037: left of 'cert_info' specifies undefined struct/union 'x509_st'
    vtls/openssl.c(2345): error C2037: left of 'signature' specifies undefined struct/union 'x509_cinf_st'
    vtls/openssl.c(2345): error C2198: 'i2a_ASN1_OBJECT': too few arguments for call
    vtls/openssl.c(2354): error C2037: left of 'key' specifies undefined struct/union 'x509_cinf_st'
    vtls/openssl.c(2354): error C2198: 'i2a_ASN1_OBJECT': too few arguments for call
    vtls/openssl.c(2397): error C2037: left of 'extensions' specifies undefined struct/union 'x509_cinf_st'
    vtls/openssl.c(2397): error C2198: 'X509V3_ext': too few arguments for call
    vtls/openssl.c(2399): error C2037: left of 'signature' specifies undefined struct/union 'x509_st'
    vtls/openssl.c(2400): error C2037: left of 'signature' specifies undefined struct/union 'x509_st'

And these:

    vtls/openssl.c(2951): warning C4013: 'SSLeay' undefined; assuming extern returning int
    vtls/openssl.c(2953): error C2065: 'SSLEAY_VERSION_NUMBER': undeclared identifier

@bagder I will consider this an OpenSSL bug for now.

Probably. I'll stick to SChannel anyway.

Member

bagder commented Dec 10, 2015

This also fails the same way with "version 1.1.0 pre release 1 (alpha)" that was released today.

Member

bagder commented Dec 10, 2015

(in addition to several other warnings/errors)

richsalz commented Dec 10, 2015

If you consider it an OpenSSL bug, please mail details to rt at openssl.org

Member

bagder commented Dec 10, 2015

Thanks, filed here: https://rt.openssl.org/Ticket/Display.html?id=4177

(some other minor tweaks were just pushed)

@bagder bagder closed this in 7f683b0 Dec 10, 2015

Member

bagder commented Dec 10, 2015

With the use of some fun #ifdef trickery I solved it and OpenSSL >= 1.1.0 now works and builds fine.

richsalz commented Dec 11, 2015

Great. Is there an easy way to see what you did? Maybe others would benefit and we could post it on the wiki.

Member

bagder commented Dec 12, 2015

First, I had to add some #defines for names that no longer exist:
fa9332d

Then I adjusted to using new X509* calls to access the data that isn't exposed in structs anymore:
7f683b0
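
An added illustration of the general pattern behind this kind of fix (not part of the thread, and not the content of the linked curl commits): the application calls accessor functions only, and a version-gated shim supplies those names on releases where the struct is still public. `DEMO_CERT`, its accessors and `DEMOLIB_VERSION` are hypothetical stand-ins for `X509`, OpenSSL's accessor functions and `OPENSSL_VERSION_NUMBER`, so the file compiles without OpenSSL installed.

```c
#include <stdio.h>
#include <string.h>

/* --- stand-in "library header" (hypothetical names, not OpenSSL's) --- */
#ifndef DEMOLIB_VERSION
#define DEMOLIB_VERSION 0x10100000L  /* plays the role of OPENSSL_VERSION_NUMBER */
#endif
typedef struct demo_cert_st DEMO_CERT;  /* plays the role of X509 / struct x509_st */
#if DEMOLIB_VERSION < 0x10100000L
struct demo_cert_st { const char *sig_alg; int key_bits; };  /* old: layout is public */
#else
const char *DEMO_CERT_get0_sigalg(const DEMO_CERT *c);       /* new: accessors only */
int DEMO_CERT_get_key_bits(const DEMO_CERT *c);
#endif
const DEMO_CERT *DEMO_CERT_sample(void);  /* constructed sample certificate */

/* --- application compat shim: give old releases the new names --- */
#if DEMOLIB_VERSION < 0x10100000L
#define DEMO_CERT_get0_sigalg(c) ((c)->sig_alg)
#define DEMO_CERT_get_key_bits(c) ((c)->key_bits)
#endif

/* --- application code: written once, against the accessor names only --- */
int describe_cert(const DEMO_CERT *c, char *out, size_t len)
{
  /* c->sig_alg here fails on the opaque version: "incomplete definition of type" */
  return snprintf(out, len, "%s/%d",
                  DEMO_CERT_get0_sigalg(c), DEMO_CERT_get_key_bits(c));
}

/* --- stand-in "library implementation", hidden from the application --- */
#if DEMOLIB_VERSION >= 0x10100000L
struct demo_cert_st { const char *sig_alg; int key_bits; };
const char *DEMO_CERT_get0_sigalg(const DEMO_CERT *c) { return c->sig_alg; }
int DEMO_CERT_get_key_bits(const DEMO_CERT *c) { return c->key_bits; }
#endif
const DEMO_CERT *DEMO_CERT_sample(void)
{
  static const DEMO_CERT sample = { "sha256WithRSAEncryption", 2048 };
  return &sample;
}

int main(void)
{
  char buf[64];
  describe_cert(DEMO_CERT_sample(), buf, sizeof buf);
  puts(buf);
  return 0;
}
```

Building with `-DDEMOLIB_VERSION=0x10002000L` exercises the old, public-struct branch with the same `describe_cert()` body.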

richsalz commented Dec 12, 2015

Thanks, I'll copy these links into our wiki!

@lock lock bot locked as resolved and limited conversation to collaborators May 7, 2018
