add OpenSSL 1.1.0-pre3 compatibility #650

Closed

@vszakats
Contributor

by using API instead of accessing an internal structure.

@vszakats
Contributor

Here's a successful log building openssl-master, libssh2-master, curl-master:
https://ci.appveyor.com/project/vsz/harbour-deps/build/1.0.561

Binaries:
https://bintray.com/vszakats/generic/curl-test/7.47.2-dev/view#files

curl 7.47.2-DEV (i386-pc-win32) libcurl/7.47.2-DEV OpenSSL/1.1.0 zlib/1.2.8 libssh2/1.7.0_DEV nghttp2/1.7.1
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL libz TLS-SRP HTTP2
curl 7.47.2-DEV (x86_64-pc-win32) libcurl/7.47.2-DEV OpenSSL/1.1.0 zlib/1.2.8 WinIDN libssh2/1.7.0_DEV nghttp2/1.7.1
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL libz TLS-SRP HTTP2
@gvanem
Contributor
gvanem commented Feb 13, 2016

Just wondering; have you tried building OpenSSL 1.1.0-pre3-dev using MSVC-2015? I am (+ other people too) getting an "Internal Compiler Error" when I try.
Ref: http://openssl.6102.n7.nabble.com/MSVC-2015-internal-compiler-error-td62339.html

@vszakats
Contributor

I haven't made tests with MSVC, sorry.

If said MSVC is patched up with the latest update, it could only be coded around, which is not always trivial and almost always a maintenance liability — unless the code is unnecessarily twisted. Either way, it'd be worth reporting this to the compiler devs.

@gvanem
Contributor
gvanem commented Feb 13, 2016

... unless the code is unnecessarily twisted.

OpenSSL code "twisted"? No way 😄 .
I've heard a fix is to go back to MSVC 2013.

@jay
Member
jay commented Feb 13, 2016

I understand your desire to build with OpenSSL master but I hesitate to do this because anything we mark TODO seems to end up there for a long while without a fix. Also, although it's not policy here, personally I'd appreciate it if your builds available for public dl kept using the latest stable release version of OpenSSL. That pre-alpha beta has all sorts of bugs; only recently did they fix a very serious one.

@vszakats
Contributor

These are test builds. They are clearly (I hope) marked as such. They are not advertised anywhere. Without any place to download those from, I couldn't verify the builds, so they need to exist somewhere.

As for the TODOs, at the current state of things there is no documented way (at least my search didn't reveal anything) to extract these internals from OpenSSL, so they might as well just be converted to no-ops. Not sure how these affect curl functionality. Either way, if curl wants to support 1.1.0, these issues will have to be dealt with in some ways.

If this is not wanted here, I'll keep it local till official support comes in curl.

@bagder
Member
bagder commented Feb 13, 2016

I'm not sharing @jay's concern. The 1.1.0-pre (or openssl git master) compile errors we get are just early warnings of what will come anyway, so fixing them now is better as it allows us to try out curl earlier and in fact also help out to test openssl. I'm in favor of merging.

@bagder
Member
bagder commented Feb 13, 2016

That said, I don't think removing features like this is the correct way to adapt. I'm pretty sure we can find the right way to maintain functionality. And if not, we discuss with the openssl team.

@bagder
Member
bagder commented Feb 13, 2016

For example, my own personal attempt (that is far from completed) to do this started out like this:

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index b4f62e6..9443971 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2354,13 +2354,13 @@ static CURLcode get_cert_chain(struct connectdata *conn,

     pubkey = X509_get_pubkey(x);
     if(!pubkey)
       infof(data, "   Unable to load public key\n");
     else {
-      switch(pubkey->type) {
+      switch(EVP_PKEY_id(pubkey)) {
       case EVP_PKEY_RSA:
-        BIO_printf(mem, "%d", BN_num_bits(pubkey->pkey.rsa->n));
+        BN_print(mem, EVP_PKEY_get0_RSA(pubkey)->n);
         push_certinfo("RSA Public Key", i);

         print_pubkey_BN(rsa, n, i);
         print_pubkey_BN(rsa, e, i);
         print_pubkey_BN(rsa, d, i);
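Review bot: the `+ BN_print(mem, EVP_PKEY_get0_RSA(pubkey)->n);` line does not reproduce what the removed `- BIO_printf(mem, "%d", BN_num_bits(pubkey->pkey.rsa->n));` emitted: the old code wrote the modulus size as a decimal bit count, whereas BN_print writes the modulus itself in hex, and the modulus is already emitted by `print_pubkey_BN(rsa, n, i);` a few lines below, so the "RSA Public Key" field would change meaning and duplicate rsa(n). Keep the bit count, e.g. `BIO_printf(mem, "%d", BN_num_bits(EVP_PKEY_get0_RSA(pubkey)->n));` (or `RSA_bits()` on the fetched RSA). The `switch(EVP_PKEY_id(pubkey))` replacement for `pubkey->type` is the right accessor.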

@vszakats
Contributor

I admit I haven't even checked if the RSA (and friends) structure was kept open, just assumed it was made opaque like the rest of them. If it remained so, like your patch suggests, there is no issue, and most of my patch can be dialed back and TODOs resolved. I'll verify this tomorrow and get back with the results.

@bagder
Member
bagder commented Feb 13, 2016

Commit 3aeb93486588 in openssl's git tree is what made EVP_PKEY opaque, and looking at their own changes for that was quite educational in finding fixes.

@vszakats
Contributor

Didn't want to suggest that losing features is fine. Let's regard this as a work in progress.

@bagder
Member
bagder commented Feb 13, 2016

No harm done, that's why we review and discuss. I value your work and efforts put into this!

@vszakats
Contributor

Thanks @bagder! A quick check shows that the RSA structure is opaque (which would be in line with ongoing efforts and general good practice). Anyhow, I'll revisit this on a bigger screen.

@jay
Member
jay commented Feb 13, 2016

personally I'd appreciate it if your builds available for public dl kept using the latest stable release version of OpenSSL.

@vszakats I apologize that was unclear. What I meant was: for your builds that are linked to on the curl download page, I have a personal opinion that they should be built from the stable release of OpenSSL. I think this will be better for users that are downloading what they believe to be stable. I recall in the past there was an issue where the release was rebuilt with the latest dependencies, which is why I thought that could become an issue if you have switched that build link to OpenSSL master. What else you do with your builds I have no opinion on!

@vszakats
Contributor

The linked/published versions are strictly built against the latest available stable versions. Test builds are uploaded into separate buckets, plus development sources always have -dev suffixes or some other distinction in their version numbers. With these, there's little chance unstable builds end up under the published stable URLs.

Having said that, the practice to update the packages under their published URLs continues, but only in case there is a stable update of any dependency (or maybe if there is something crucial to fix in the build process).

I hope these clear out any concern. Suggestions to improve the process are welcome of course.

@vszakats
Contributor

One more thought on that: starting yesterday, LibreSSL-dependent builds of curl are published. I chose to use 2.3.2 of LibreSSL, which is called a "snapshot" release, not stable. It seemed like the right thing to do (e.g. Homebrew regards it as stable too), but 2.2.x can be built as well, if this was a wrong decision.

You can find them here:
https://bintray.com/vszakats/generic/curl/view#

@bagder bagder self-assigned this Feb 14, 2016
@bagder bagder added the SSL/TLS label Feb 14, 2016
@vszakats
Contributor

Okay, so it turns out I mistook pubkey accesses hidden inside a macro for a sign that the RSA/DSA/DH structures were made opaque. Luckily these are still transparent, so there is nothing lost here by OpenSSL 1.1.0. I've reworked the patch to deal with EVP_PKEY opacity only and it now builds fine against latest OpenSSL master/HEAD.

Also included @bagder's BN_print() update.

@jay jay and 3 others commented on an outdated diff Feb 15, 2016
lib/vtls/openssl.c
case EVP_PKEY_RSA:
- BIO_printf(mem, "%d", BN_num_bits(pubkey->pkey.rsa->n));
+ {
+ RSA *rsa;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
+ !defined(LIBRESSL_VERSION_NUMBER)
+ rsa = EVP_PKEY_get0_RSA(pubkey);
+ BN_print(mem, rsa->n);
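Review bot: in the `OPENSSL_VERSION_NUMBER >= 0x10100000L` branch, `BN_print(mem, rsa->n);` puts the hex modulus under the "RSA Public Key" label, while the removed `BIO_printf(mem, "%d", BN_num_bits(pubkey->pkey.rsa->n));` put the bit count there, so a 1.1.0 build and a 1.0.x build would print different certinfo for the same certificate, and the hex modulus is emitted again by `print_pubkey_BN(rsa, n, i)`. Once `rsa` has been fetched with `EVP_PKEY_get0_RSA(pubkey)`, `BIO_printf(mem, "%d", BN_num_bits(rsa->n));` (or `RSA_bits(rsa)`) serves both branches and keeps the output identical.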
@jay
jay Feb 15, 2016 Member

@bagder But why are we calling BN_print directly to print n now instead of BN_num_bits like the old way below? Does that do the same thing because it doesn't look like it. Isn't n printed a few lines down print_pubkey_BN(rsa, n, i);? I don't have a working OpenSSL 1.1.0 setup but that looks inconsistent, at that point shouldn't we be retrieving the number of bits so when it's output it looks like for example:
RSA Public Key:2048
2048 being the number of bits in this case

@bagder
bagder Feb 15, 2016 Member

I did that because I thought it would do the comparable thing, if not we should fix it. Remember that my fix was not complete! (and I didn't compare old/new output)

@jay
jay Feb 15, 2016 Member

@vszakats Can you please give it a run on OpenSSL 1.1.0 using the certinfo.c example and see what shows for 'RSA Public Key:' when you connect to a website like ssllabs.com or something. It should show the number of bits, like

RSA Public Key:2048
rsa(n):a whole lot of hex digits should be here, but not on the line above.
@vszakats
vszakats Feb 15, 2016 Contributor

@jay Here's the output:

2 certs!
Subject:C = US, ST = California, L = Los Angeles, O = Internet Corporation for Assigned Names and Numbers, OU = Technology, CN = www.example.org
Issuer:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
Version:2
Serial Number:0e64c5fbc236ade14b172aeb41c78cb0
Public Key Algorithm:    Signature Algorithm: sha256WithRSAEncryption
sha256WithRSAEncryption
X509v3 Authority Key Identifier:keyid:51:68:FF:90:AF:02:07:75:3C:CC:D9:65:64:62:A2:12:B8:59:72:3B
X509v3 Subject Key Identifier:A6:4F:60:1E:1F:2D:D1:E7:F1:23:A0:2A:95:16:E4:E8:9A:EA:6E:48
X509v3 Subject Alternative Name:DNS:www.example.org,DNS:example.com,DNS:example.edu,DNS:example.net,DNS:example.org,DNS:www.example.com,DNS:www.example.edu,DNS:www.example.net
X509v3 Key Usage:DigitalSignature,KeyEncipherment
X509v3 Extended Key Usage:TLSWebServerAuthentication,TLSWebClientAuthentication
X509v3 CRL Distribution Points:, FullName:, URI:http://crl3.digicert.com/sha2-ha-server-g4.crl, 
FullName:, URI:http://crl4.digicert.com/sha2-ha-server-g4.crl
X509v3 Certificate Policies:Policy:2.16.840.1.114412.1.1, CPS:https://www.digicert.com/CPS, Policy:2.23.140.1.2.2
Authority Information Access:OCSP-URI:http://ocsp.digicert.com, CAIssuers-URI:http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt
X509v3 Basic Constraints:CA:FALSE
Start date:Nov  3 00:00:00 2015 GMT
Expire date:Nov 28 12:00:00 2018 GMT
RSA Public Key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
rsa(n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
rsa(e):10001
Signature:84:a8:9a:11:a7:d8:bd:0b:26:7e:52:24:7b:b2:55:9d:ea:30:89:51:08:87:6f:a9:ed:10:ea:5b:3e:0b:c7:2d:47:04:4e:dd:45:37:c7:ca:bc:38:7f:b6:6a:1c:65:42:6a:73:74:2e:5a:97:85:d0:cc:92:e2:2e:38:89:d9:0d:69:fa:1b:9b:f0:c1:62:32:65:4f:3d:98:db:da:d6:66:da:2a:56:56:e3:11:33:ec:e0:a5:15:4c:ea:75:49:f4:5d:ef:15:f5:12:1c:e6:f8:fc:9b:04:21:4b:cf:63:e7:7c:fc:aa:dc:fa:43:d0:c0:bb:f2:89:ea:91:6d:cb:85:8e:6a:9f:c8:f9:94:bf:55:3d:42:82:38:4d:08:a4:a7:0e:d3:65:4d:33:61:90:0d:3f:80:bf:82:3e:11:cb:8f:3f:ce:79:94:69:1b:f2:da:4b:c8:97:b8:11:43:6d:6a:25:32:b9:b2:ea:22:62:86:0d:a3:72:7d:4f:ea:57:3c:65:3b:2f:27:73:fc:7c:16:fb:0d:03:a4:0a:ed:01:ab:a4:23:c6:8d:5f:8a:21:15:42:92:c0:34:a2:20:85:88:58:98:89:19:b1:1e:20:ed:13:20:5c:04:55:64:ce:9d:b3:65:fd:f6:8f:5e:99:39:21:15:e2:71:aa:6a:88:82:
Cert:-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Subject:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
Issuer:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
Version:2
Serial Number:04e1e7a4dc5cf2f36dc02b42b85d159f
Public Key Algorithm:    Signature Algorithm: sha256WithRSAEncryption
sha256WithRSAEncryption
X509v3 Basic Constraints:CA:TRUE,pathlen:0
X509v3 Key Usage:DigitalSignature,CertificateSign,CRLSign
X509v3 Extended Key Usage:TLSWebServerAuthentication,TLSWebClientAuthentication
Authority Information Access:OCSP-URI:http://ocsp.digicert.com
X509v3 CRL Distribution Points:, FullName:, URI:http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl
X509v3 Certificate Policies:Policy:X509v3AnyPolicy, CPS:https://www.digicert.com/CPS
X509v3 Subject Key Identifier:51:68:FF:90:AF:02:07:75:3C:CC:D9:65:64:62:A2:12:B8:59:72:3B
X509v3 Authority Key Identifier:keyid:B1:3E:C3:69:03:F8:BF:47:01:D4:98:26:1A:08:02:EF:63:64:2B:C3
Start date:Oct 22 12:00:00 2013 GMT
Expire date:Oct 22 12:00:00 2028 GMT
RSA Public Key
rsa(n
rsa(e):10001
Signature:18:8a:95:89:03:e6:6d:df:5c:fc:1d:68:ea:4a:8f:83:d6:51:2f:8d:6b:44:16:9e:ac:63:f5:d2:6e:6c:84:99:8b:aa:81:71:84:5b:ed:34:4e:b0:b7:79:92:29:cc:2d:80:6a:f0:8e:20:e1:79:a4:fe:03:47:13:ea:f5:86:ca:59:71:7d:f4:04:96:6b:d3:59:58:3d:fe:d3:31:25:5c:18:38:84:a3:e6:9f:82:fd:8c:5b:98:31:4e:cd:78:9e:1a:fd:85:cb:49:aa:f2:27:8b:99:72:fc:3e:aa:d5:41:0b:da:d5:36:a1:bf:1c:6e:47:49:7f:5e:d9:48:7c:03:d9:fd:8b:49:a0:98:26:42:40:eb:d6:92:11:a4:64:0a:57:54:c4:f5:1d:d6:02:5e:6b:ac:ee:c4:80:9a:12:72:fa:56:93:d7:ff:bf:30:85:06:30:bf:0b:7f:4e:ff:57:05:9d:24:ed:85:c3:2b:fb:a6:75:a8:ac:2d:16:ef:7d:79:27:b2:eb:c2:9d:0b:07:ea:aa:85:d3:01:a3:20:28:41:59:43:28:d2:81:e3:aa:f6:ec:7b:3b:77:b6:40:62:80:05:41:45:01:ef:17:06:3e:de:c0:33:9b:67:d3:61:2e:72:87:e4:69:fc:12:00:57:40:1e:70:f5:1e:c9:b4:
Cert:-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
@gvanem
gvanem Feb 15, 2016 Contributor

Aren't macros supposed to be in upper case? So IMHO:

print_pubkey_BN -> PRINT_PUBKEY_BN

Also remember OpenSSL could have a #define OPENSSL_NO_RSA in its opensslconf.h. Hence num-bits should be 0, or?

@vszakats
vszakats Feb 15, 2016 Contributor

(It means a revert is needed for that line.)

@vszakats
Contributor

After reverting that line:

2 certs!
Subject:C = US, ST = California, L = Los Angeles, O = Internet Corporation for Assigned Names and Numbers, OU = Technology, CN = www.example.org
Issuer:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
Version:2
Serial Number:0e64c5fbc236ade14b172aeb41c78cb0
Public Key Algorithm:    Signature Algorithm: sha256WithRSAEncryption
sha256WithRSAEncryption
X509v3 Authority Key Identifier:keyid:51:68:FF:90:AF:02:07:75:3C:CC:D9:65:64:62:A2:12:B8:59:72:3B
X509v3 Subject Key Identifier:A6:4F:60:1E:1F:2D:D1:E7:F1:23:A0:2A:95:16:E4:E8:9A:EA:6E:48
X509v3 Subject Alternative Name:DNS:www.example.org,DNS:example.com,DNS:example.edu,DNS:example.net,DNS:example.org,DNS:www.example.com,DNS:www.example.edu,DNS:www.example.net
X509v3 Key Usage:DigitalSignature,KeyEncipherment
X509v3 Extended Key Usage:TLSWebServerAuthentication,TLSWebClientAuthentication
X509v3 CRL Distribution Points:, FullName:, URI:http://crl3.digicert.com/sha2-ha-server-g4.crl, 
FullName:, URI:http://crl4.digicert.com/sha2-ha-server-g4.crl
X509v3 Certificate Policies:Policy:2.16.840.1.114412.1.1, CPS:https://www.digicert.com/CPS, Policy:2.23.140.1.2.2
Authority Information Access:OCSP-URI:http://ocsp.digicert.com, CAIssuers-URI:http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt
X509v3 Basic Constraints:CA:FALSE
Start date:Nov  3 00:00:00 2015 GMT
Expire date:Nov 28 12:00:00 2018 GMT
RSA Public Key:2048
rsa(n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
rsa(e):10001
Signature:84:a8:9a:11:a7:d8:bd:0b:26:7e:52:24:7b:b2:55:9d:ea:30:89:51:08:87:6f:a9:ed:10:ea:5b:3e:0b:c7:2d:47:04:4e:dd:45:37:c7:ca:bc:38:7f:b6:6a:1c:65:42:6a:73:74:2e:5a:97:85:d0:cc:92:e2:2e:38:89:d9:0d:69:fa:1b:9b:f0:c1:62:32:65:4f:3d:98:db:da:d6:66:da:2a:56:56:e3:11:33:ec:e0:a5:15:4c:ea:75:49:f4:5d:ef:15:f5:12:1c:e6:f8:fc:9b:04:21:4b:cf:63:e7:7c:fc:aa:dc:fa:43:d0:c0:bb:f2:89:ea:91:6d:cb:85:8e:6a:9f:c8:f9:94:bf:55:3d:42:82:38:4d:08:a4:a7:0e:d3:65:4d:33:61:90:0d:3f:80:bf:82:3e:11:cb:8f:3f:ce:79:94:69:1b:f2:da:4b:c8:97:b8:11:43:6d:6a:25:32:b9:b2:ea:22:62:86:0d:a3:72:7d:4f:ea:57:3c:65:3b:2f:27:73:fc:7c:16:fb:0d:03:a4:0a:ed:01:ab:a4:23:c6:8d:5f:8a:21:15:42:92:c0:34:a2:20:85:88:58:98:89:19:b1:1e:20:ed:13:20:5c:04:55:64:ce:9d:b3:65:fd:f6:8f:5e:99:39:21:15:e2:71:aa:6a:88:82:
Cert:-----BEGIN CERTIFICATE-----
MIIF8jCCBNqgAwIBAgIQDmTF+8I2reFLFyrrQceMsDANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xNTExMDMwMDAwMDBaFw0xODExMjgxMjAwMDBa
MIGlMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxML
TG9zIEFuZ2VsZXMxPDA6BgNVBAoTM0ludGVybmV0IENvcnBvcmF0aW9uIGZvciBB
c3NpZ25lZCBOYW1lcyBhbmQgTnVtYmVyczETMBEGA1UECxMKVGVjaG5vbG9neTEY
MBYGA1UEAxMPd3d3LmV4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAs0CWL2FjPiXBl61lRfvvE0KzLJmG9LWAC3bcBjgsH6NiVVo2dt6u
Xfzi5bTm7F3K7srfUBYkLO78mraM9qizrHoIeyofrV/n+pZZJauQsPjCPxMEJnRo
D8Z4KpWKX0LyDu1SputoI4nlQ/htEhtiQnuoBfNZxF7WxcxGwEsZuS1KcXIkHl5V
RJOreKFHTaXcB1qcZ/QRaBIv0yhxvK1yBTwWddT4cli6GfHcCe3xGMaSL328Fgs3
jYrvG29PueB6VJi/tbbPu6qTfwp/H1brqdjh29U52Bhb0fJkM9DWxCP/Cattcc7a
z8EXnCO+LK8vkhw/kAiJWPKx4RBvgy73nwIDAQABo4ICUDCCAkwwHwYDVR0jBBgw
FoAUUWj/kK8CB3U8zNllZGKiErhZcjswHQYDVR0OBBYEFKZPYB4fLdHn8SOgKpUW
5Oia6m5IMIGBBgNVHREEejB4gg93d3cuZXhhbXBsZS5vcmeCC2V4YW1wbGUuY29t
ggtleGFtcGxlLmVkdYILZXhhbXBsZS5uZXSCC2V4YW1wbGUub3Jngg93d3cuZXhh
bXBsZS5jb22CD3d3dy5leGFtcGxlLmVkdYIPd3d3LmV4YW1wbGUubmV0MA4GA1Ud
DwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdQYDVR0f
BG4wbDA0oDKgMIYuaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NoYTItaGEtc2Vy
dmVyLWc0LmNybDA0oDKgMIYuaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NoYTIt
aGEtc2VydmVyLWc0LmNybDBMBgNVHSAERTBDMDcGCWCGSAGG/WwBATAqMCgGCCsG
AQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAgGBmeBDAECAjCB
gwYIKwYBBQUHAQEEdzB1MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy
dC5jb20wTQYIKwYBBQUHMAKGQWh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9E
aWdpQ2VydFNIQTJIaWdoQXNzdXJhbmNlU2VydmVyQ0EuY3J0MAwGA1UdEwEB/wQC
MAAwDQYJKoZIhvcNAQELBQADggEBAISomhGn2L0LJn5SJHuyVZ3qMIlRCIdvqe0Q
6ls+C8ctRwRO3UU3x8q8OH+2ahxlQmpzdC5al4XQzJLiLjiJ2Q1p+hub8MFiMmVP
PZjb2tZm2ipWVuMRM+zgpRVM6nVJ9F3vFfUSHOb4/JsEIUvPY+d8/Krc+kPQwLvy
ieqRbcuFjmqfyPmUv1U9QoI4TQikpw7TZU0zYZANP4C/gj4Ry48/znmUaRvy2kvI
l7gRQ21qJTK5suoiYoYNo3J9T+pXPGU7Lydz/HwW+w0DpArtAaukI8aNX4ohFUKS
wDSiIIWIWJiJGbEeIO0TIFwEVWTOnbNl/faPXpk5IRXicapqiII=
-----END CERTIFICATE-----

Subject:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
Issuer:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
Version:2
Serial Number:04e1e7a4dc5cf2f36dc02b42b85d159f
Public Key Algorithm:    Signature Algorithm: sha256WithRSAEncryption
sha256WithRSAEncryption
X509v3 Basic Constraints:CA:TRUE,pathlen:0
X509v3 Key Usage:DigitalSignature,CertificateSign,CRLSign
X509v3 Extended Key Usage:TLSWebServerAuthentication,TLSWebClientAuthentication
Authority Information Access:OCSP-URI:http://ocsp.digicert.com
X509v3 CRL Distribution Points:, FullName:, URI:http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl
X509v3 Certificate Policies:Policy:X509v3AnyPolicy, CPS:https://www.digicert.com/CPS
X509v3 Subject Key Identifier:51:68:FF:90:AF:02:07:75:3C:CC:D9:65:64:62:A2:12:B8:59:72:3B
X509v3 Authority Key Identifier:keyid:B1:3E:C3:69:03:F8:BF:47:01:D4:98:26:1A:08:02:EF:63:64:2B:C3
Start date:Oct 22 12:00:00 2013 GMT
Expire date:Oct 22 12:00:00 2028 GMT
RSA Public Key:2048
rsa(n
rsa(e):10001
Signature:18:8a:95:89:03:e6:6d:df:5c:fc:1d:68:ea:4a:8f:83:d6:51:2f:8d:6b:44:16:9e:ac:63:f5:d2:6e:6c:84:99:8b:aa:81:71:84:5b:ed:34:4e:b0:b7:79:92:29:cc:2d:80:6a:f0:8e:20:e1:79:a4:fe:03:47:13:ea:f5:86:ca:59:71:7d:f4:04:96:6b:d3:59:58:3d:fe:d3:31:25:5c:18:38:84:a3:e6:9f:82:fd:8c:5b:98:31:4e:cd:78:9e:1a:fd:85:cb:49:aa:f2:27:8b:99:72:fc:3e:aa:d5:41:0b:da:d5:36:a1:bf:1c:6e:47:49:7f:5e:d9:48:7c:03:d9:fd:8b:49:a0:98:26:42:40:eb:d6:92:11:a4:64:0a:57:54:c4:f5:1d:d6:02:5e:6b:ac:ee:c4:80:9a:12:72:fa:56:93:d7:ff:bf:30:85:06:30:bf:0b:7f:4e:ff:57:05:9d:24:ed:85:c3:2b:fb:a6:75:a8:ac:2d:16:ef:7d:79:27:b2:eb:c2:9d:0b:07:ea:aa:85:d3:01:a3:20:28:41:59:43:28:d2:81:e3:aa:f6:ec:7b:3b:77:b6:40:62:80:05:41:45:01:ef:17:06:3e:de:c0:33:9b:67:d3:61:2e:72:87:e4:69:fc:12:00:57:40:1e:70:f5:1e:c9:b4:
Cert:-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
@vszakats
Contributor

Patch reverted to the original version:

BIO_printf(mem, "%d", RSA_bits(rsa));

With result as seen above.

@vszakats vszakats changed the title from add OpenSSL 1.1.0-pre3-dev compatibility to add OpenSSL 1.1.0-pre3 compatibility Feb 15, 2016
@vszakats vszakats avoid direct PKEY access with OpenSSL 1.1.0
by using API instead of accessing an internal structure.
This is required starting OpenSSL 1.1.0-pre3.
6de1afb
@vszakats
Contributor

Updates done. Removed -dev too, now that -pre3 is officially out.

@bagder
Member
bagder commented Feb 15, 2016

Thanks! Can I ask that you make that into a

#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
    !defined(LIBRESSL_VERSION_NUMBER)
#define SSL_OPAQUE_EVP 1
#endif

... or similar at the top of the file and then just use #ifdef SSL_OPAQUE_EVP (or whatever name you think is suitable) on the 4 places in the code, to make the code easier on the eyes?
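As an added illustration of the version gate proposed here (example code, not curl's or the pull request's own): OpenSSL packs its version into OPENSSL_VERSION_NUMBER as 0xMNNFFPPS (major, minor, fix, patch letter, status nibble), and the `#if` above compares that packed value directly. The program below decodes the packed number into a human-readable release name and applies the same `>= 0x10100000L`, not-LibreSSL test as a runtime function, so you can see which builds the guard selects. The function names (ossl_decode, ossl_format, ossl_version_is, ossl_needs_opaque_evp_pkey) and the sample version values are the example's own; the LibreSSL value 0x20000000L is what LibreSSL's opensslv.h reports and is the reason the `!defined(LIBRESSL_VERSION_NUMBER)` clause is needed.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not curl's code. OPENSSL_VERSION_NUMBER is 0xMNNFFPPS:
 * M = major, NN = minor, FF = fix, PP = patch letter (0 = none, 1 = 'a', ...),
 * S = status (0 = dev snapshot, 1..0xe = pre-release n, 0xf = final release). */

struct ossl_version {
    unsigned major, minor, fix, patch, status;
};

/* Split the packed number into its fields. */
struct ossl_version ossl_decode(unsigned long n)
{
    struct ossl_version v;
    v.major  = (unsigned)((n >> 28) & 0xf);
    v.minor  = (unsigned)((n >> 20) & 0xff);
    v.fix    = (unsigned)((n >> 12) & 0xff);
    v.patch  = (unsigned)((n >> 4)  & 0xff);
    v.status = (unsigned)(n & 0xf);
    return v;
}

/* Render the packed number the way OpenSSL names releases:
 * 0x1000206fL -> "1.0.2f", 0x10100003L -> "1.1.0-pre3", 0x10100000L -> "1.1.0-dev". */
void ossl_format(unsigned long n, char *out, size_t outlen)
{
    struct ossl_version v = ossl_decode(n);
    char letter[2] = { 0, 0 };

    if (v.patch)
        letter[0] = (char)('a' + v.patch - 1);   /* patch 1 -> 'a', 6 -> 'f' */

    if (v.status == 0xf)
        snprintf(out, outlen, "%u.%u.%u%s", v.major, v.minor, v.fix, letter);
    else if (v.status == 0)
        snprintf(out, outlen, "%u.%u.%u%s-dev", v.major, v.minor, v.fix, letter);
    else
        snprintf(out, outlen, "%u.%u.%u%s-pre%u", v.major, v.minor, v.fix, letter, v.status);
}

/* Does the packed value 'n' render as the release name 'expected'? */
int ossl_version_is(unsigned long n, const char *expected)
{
    char buf[32];
    ossl_format(n, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* The thread's guard as a runtime decision: EVP_PKEY is opaque from the 1.1.0
 * series onward (dev snapshots included, since the status nibble is ignored by
 * the >= test), but LibreSSL reports OPENSSL_VERSION_NUMBER as 0x20000000L while
 * keeping the 1.0.x-style structs, so it must be excluded exactly as the
 * compile-time !defined(LIBRESSL_VERSION_NUMBER) clause does. */
int ossl_needs_opaque_evp_pkey(unsigned long n, int is_libressl)
{
    if (is_libressl)
        return 0;
    return n >= 0x10100000UL;
}

int main(void)
{
    /* Constructed sample values: an old 1.0.2 release, the pre-release from the
     * PR title, the 1.1.0 final, and the value LibreSSL reports. */
    const struct { unsigned long n; int libressl; } samples[] = {
        { 0x1000206fUL, 0 }, { 0x10100003UL, 0 }, { 0x1010000fUL, 0 }, { 0x20000000UL, 1 },
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char buf[32];
        ossl_format(samples[i].n, buf, sizeof buf);
        printf("0x%08lx  %-12s %s opaque EVP_PKEY accessors\n", samples[i].n, buf,
               ossl_needs_opaque_evp_pkey(samples[i].n, samples[i].libressl)
                   ? "needs" : "does not need");
    }
    return 0;
}
```

In the pull request the macro ended up being named HAVE_OPAQUE_EVP_PKEY and was folded into the condition that already existed at the top of lib/vtls/openssl.c; the runtime function above is only a readable stand-in for that preprocessor test.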

@vszakats vszakats use macro to guard the opaque EVP_PKEY branch
59fe6e7
@vszakats
Contributor

Done that. Settled on HAVE_OPAQUE_EVP_PKEY, added to the condition that already existed.

@bagder bagder added a commit that closed this pull request Feb 15, 2016
@vszakats @bagder vszakats + bagder openssl: avoid direct PKEY access with OpenSSL 1.1.0
by using API instead of accessing an internal structure.
This is required starting OpenSSL 1.1.0-pre3.

Closes #650
ae01698
@bagder bagder closed this in ae01698 Feb 15, 2016
@bagder
Member
bagder commented Feb 15, 2016

Thanks!

@vszakats vszakats deleted the vszakats:ossl110p3 branch Feb 15, 2016