Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

openssl: fix building with v3 no-deprecated + add CI test #12384

Closed
wants to merge 7 commits into from

Conversation

vszakats
Copy link
Member

@vszakats vszakats commented Nov 22, 2023

  • build quictls with no-deprecated in CI to have test coverage for
    this OpenSSL 3 configuration.

  • don't call OpenSSL_add_all_algorithms(), OpenSSL_add_all_digests().
    The caller code is meant for OpenSSL 3, while these two functions were
    only necessary before OpenSSL 1.1.0. They are missing from OpenSSL 3
    if built with option no-deprecated, causing build errors:

    vtls/openssl.c:4097:3: error: call to undeclared function 'OpenSSL_add_all_algorithms'; ISO C99 and later do not   support implicit function declarations [-Wimplicit-function-declaration]
    vtls/openssl.c:4098:3: error: call to undeclared function 'OpenSSL_add_all_digests'; ISO C99 and later do not   support implicit function declarations [-Wimplicit-function-declaration]
    

    Ref: https://ci.appveyor.com/project/curlorg/curl-for-win/builds/48587418?fullLog=true#L7667

    Regression from b6e6d4f OpenSSL: Include SIG and KEM algorithms in verbose #12030
    Bug: curl 8.3 build failing with OPENSSL 3 due to absence of DES functions #12380 (comment)

  • vquic/curl_ngtcp2: fix using SSL_get_peer_certificate with
    no-deprecated quictls 3 builds.
    Do it by moving an existing solution for this from vtls/openssl.c
    to vtls/openssl.h and adjusting caller code.

    vquic/curl_ngtcp2.c:1950:19: error: implicit declaration of function 'SSL_get_peer_certificate'; did you mean   'SSL_get1_peer_certificate'? [-Wimplicit-function-declaration]
    

    Ref: https://github.com/curl/curl/actions/runs/6960723097/job/18940818625#step:24:1178

  • curl_ntlm_core: fix -Wunused-parameter, -Wunused-variable and
    -Wunused-function when trying to build curl with NTLM enabled but
    without the necessary TLS backend (with DES) support.

Closes #12384


  • curl_ntlm_core: allow NTLM with no-deprecated OpenSSL 3 builds.
    Though OpenSSL 3 deprecated the DES functions needed for the NTLM
    feature, its no-deprecated build option doesn't actually disable
    these DES functions. It means we can use them for NTLM even if
    OPENSSL_NO_DEPRECATED_3_0 is set. Adjust our logic to allow it.
    This failed tests due to some types missing. Dropping this.
    https://github.com/curl/curl/actions/runs/6961417865/job/18942957524?pr=12384#step:24:132

@vszakats
Copy link
Member Author

/cc @ajbozarth

@ajbozarth
Copy link
Contributor

Thanks for the catch, I missed that those were deprecated when we added the version checks

@github-actions github-actions bot added the CI Continuous Integration label Nov 22, 2023
@vszakats
Copy link
Member Author

@ajbozarth: These calls seem redundant, but can you confirm their removal didn't break this feature?

Copy link
Contributor

@ajbozarth ajbozarth left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've checkout and run the code and it's still fully functional

LGTM (can't make this an approve cause of perms)

@vszakats
Copy link
Member Author

Thank you @ajbozarth!

@vszakats vszakats added authentication HTTP/3 h3 or quic related labels Nov 22, 2023
Don't call `OpenSSL_add_all_algorithms(), `OpenSSL_add_all_digests()`.
The caller code is meant for OpenSSL 3, while these two functions were
only necessary before OpenSSL 1.1.0. They are missing from OpenSSL 3
if built with option `no-deprecated`, causing a build error.

Regression from b6e6d4f curl#12030

Bug: curl#12380 (comment)
Closes #xxxxx
With OpenSSL 3 `no-deprecated`.

```
curl_ntlm_core.c: In function ‘Curl_ntlm_core_lm_resp’:
curl_ntlm_core.c:309:50: error: unused parameter ‘keys’ [-Werror=unused-parameter]
  309 | void Curl_ntlm_core_lm_resp(const unsigned char *keys,
      |                             ~~~~~~~~~~~~~~~~~~~~~^~~~
curl_ntlm_core.c:310:50: error: unused parameter ‘plaintext’ [-Werror=unused-parameter]
  310 |                             const unsigned char *plaintext,
      |                             ~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~
curl_ntlm_core.c:311:44: error: unused parameter ‘results’ [-Werror=unused-parameter]
  311 |                             unsigned char *results)
      |                             ~~~~~~~~~~~~~~~^~~~~~~
```
Ref: https://github.com/curl/curl/actions/runs/6960319321/job/18939543529?pr=12384#step:24:134
With OpenSSL 3 `no-deprecated`.

These happen after our intentional `#error` directive when building
without necessary TLS-backend with DES support but let's fix them
anyway for good measure.

```
curl_ntlm_core.c: In function ‘Curl_ntlm_core_mk_lm_hash’:
curl_ntlm_core.c:350:30: error: unused variable ‘magic’ [-Werror=unused-variable]
  350 |   static const unsigned char magic[] = {
      |                              ^~~~~
At top level:
curl_ntlm_core.c:350:30: error: ‘magic’ defined but not used [-Werror=unused-const-variable=]
curl_ntlm_core.c:136:13: error: ‘extend_key_56_to_64’ defined but not used [-Werror=unused-function]
  136 | static void extend_key_56_to_64(const unsigned char *key_56, char *key)
      |             ^~~~~~~~~~~~~~~~~~~
```
Ref: https://github.com/curl/curl/actions/runs/6960319321/job/18939543529?pr=12384#step:24:144
We build quictls with `no-deprecated` which implies `no-des` and
NTLM support needs DES.
This function is not present in OpenSSL 3 `no-deprecated` builds.

Fix it by moving an existing solution for this from `vtls/openssl.c`
to `vtls/openssl.h` and adjusting the caller code.

```
vquic/curl_ngtcp2.c: In function ‘qng_verify_peer’:
vquic/curl_ngtcp2.c:1950:19: error: implicit declaration of function ‘SSL_get_peer_certificate’; did you mean ‘SSL_get1_peer_certificate’? [-Wimplicit-function-declaration]
 1950 |     server_cert = SSL_get_peer_certificate(ctx->ssl);
      |                   ^~~~~~~~~~~~~~~~~~~~~~~~
      |                   SSL_get1_peer_certificate
```
Ref: https://github.com/curl/curl/actions/runs/6960723097/job/18940818625#step:24:1178
@vszakats vszakats changed the title openssl: fix building with no-deprecated openssl: fix building with no-deprecated OpenSSL 3 Nov 22, 2023
@vszakats vszakats changed the title openssl: fix building with no-deprecated OpenSSL 3 openssl: fix building with v3 no-deprecated + add CI test Nov 23, 2023
@vszakats vszakats closed this in 0069778 Nov 23, 2023
@vszakats vszakats deleted the openssl-fix-no-deprecated branch November 23, 2023 02:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
authentication build CI Continuous Integration HTTP/3 h3 or quic related regression TLS
Development

Successfully merging this pull request may close these issues.

2 participants