openssl: fix BoringSSL symbol conflicts with LDAP and Schannel #9110
diff --git a/lib/ldap.c b/lib/ldap.c
index 51a32dc96..13b684104 100644
--- a/lib/ldap.c
+++ b/lib/ldap.c
@@ -37,6 +37,8 @@
* OpenLDAP library versions, USE_OPENLDAP shall not be defined.
*/
+#include "urldata.h"
+
#ifdef USE_WIN32_LDAP /* Use Windows LDAP implementation. */
# include <winldap.h>
# ifndef LDAP_VENDOR_NAME
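Review bot: The new `#include "urldata.h"` above the `USE_WIN32_LDAP` block has no comment saying it must stay ahead of `<winldap.h>`, so the fix rests on an include order that a later header tidy-up could silently undo. Add a short comment at the include that names the BoringSSL symbol conflict and the required order.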
@@ -56,7 +58,6 @@
# endif /* HAVE_LDAP_SSL && HAVE_LDAP_SSL_H */
#endif
-#include "urldata.h"
#include <curl/curl.h>
#include "sendf.h"
#include "escape.h"
diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h
index 0b4c4d934..45ecb029b 100644
--- a/lib/vtls/schannel.h
+++ b/lib/vtls/schannel.h
@@ -28,12 +28,12 @@
#ifdef USE_SCHANNEL
+#include "urldata.h"
+
#include <schnlsp.h>
#include <schannel.h>
#include "curl_sspi.h"
-#include "urldata.h"
-
/* <wincrypt.h> has been included via the above <schnlsp.h>.
* Or in case of ldap.c, it was included via <winldap.h>.
* And since <wincrypt.h> has this: |
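Review bot: Moving `#include "urldata.h"` above `<schnlsp.h>` takes effect only when nothing earlier in the translation unit has already included `<wincrypt.h>`, and because schannel.h is a header, that order is decided by each file that includes it. The context comment kept below already notes that ldap.c gets `<wincrypt.h>` through `<winldap.h>` instead. State the ordering requirement in a comment at the new include so includers know not to pull in the Windows crypto headers first.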
Same issue as here [1], but this time when building curl with BoringSSL for Windows with LDAP(S) or Schannel support enabled. Apply the same fix [2] for these source files as well.
This can also be fixed by moving `#include "urldata.h"` _before_ including `winldap.h` and `schnlsp.h` respectively. This seems like a cleaner fix, though I'm not sure why it works and if it has any downside.
[1] curl#5669
[2] curl@fbe07c6
Interesting. Could boringssl have fixed it to undefine the symbols? For all versions we have the way that works, I would just copy that, note it must come after curl_setup.h which always comes first.
Lines 36 to 46 in 45ac4d0
Probably could be fixed in BoringSSL, but I see little chance getting it fixed there. Likely Google don't mix it with
Its downside is that this isn't supposed to be used as a dependency, has no versioning or formal releases. TLS-SRP also isn't supported, but its advantages outweigh it. A smaller downside is that it uses pthread even on Windows, which has an issue with static linking, possibly in combination with UCRT builds with the cross-toolchain I tested it with. With this fixed, it's the most promising alternative TLS backend. Binary size is also 2MB lower for both curl EXE and DLL.
curl needs two patches, one merged [1], one fixing new iterations of a known issue [2] pending.
[1] curl/curl#9109
[2] curl/curl#9110
curl would probably use a third patch from a CMake expert: ngtcp2 detection is broken, so we need to use a local workaround. curl autotools doesn't support BoringSSL because I've found no way to tell libtool to link pthread DLL instead of the static version.
Found this in
This was a similar bug where apparently the exact reverse action (i.e. moving
I would explicitly include wincrypt, followed by the undefines, as early as possible so that something that includes something that includes BoringSSL can't come before it.
@jay: Do you have an alternative patch suggestion?
I mean this, it's not really an alternative I just added the include
diff --git a/lib/ldap.c b/lib/ldap.c
index 51a32dc..292684b 100644
--- a/lib/ldap.c
+++ b/lib/ldap.c
@@ -26,6 +26,18 @@
#if !defined(CURL_DISABLE_LDAP) && !defined(USE_OPENLDAP)
+/* Wincrypt must be included before anything that could include OpenSSL. */
+#if defined(USE_WIN32_CRYPTO)
+#include <wincrypt.h>
+/* Undefine wincrypt conflicting symbols for BoringSSL. */
+#undef X509_NAME
+#undef X509_EXTENSIONS
+#undef PKCS7_ISSUER_AND_SERIAL
+#undef PKCS7_SIGNER_INFO
+#undef OCSP_REQUEST
+#undef OCSP_RESPONSE
+#endif
+
/*
* Notice that USE_OPENLDAP is only a source code selection switch. When
* libcurl is built with USE_OPENLDAP defined the libcurl source code that
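Review bot: The `#if defined(USE_WIN32_CRYPTO)` guard decides whether the `#undef` lines run at all, yet in ldap.c `<wincrypt.h>` arrives through `<winldap.h>` under `USE_WIN32_LDAP`, as the comment in schannel.h says. A build that uses Windows LDAP without `USE_WIN32_CRYPTO` defined at this point would skip the block and still see the conflicting macros. Guard the block on the same condition that brings in `<winldap.h>`, or confirm that the two macros are always defined together before this line.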
diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h
index 0b4c4d9..05323c7 100644
--- a/lib/vtls/schannel.h
+++ b/lib/vtls/schannel.h
@@ -28,6 +28,18 @@
#ifdef USE_SCHANNEL
+/* Wincrypt must be included before anything that could include OpenSSL. */
+#if defined(USE_WIN32_CRYPTO)
+#include <wincrypt.h>
+/* Undefine wincrypt conflicting symbols for BoringSSL. */
+#undef X509_NAME
+#undef X509_EXTENSIONS
+#undef PKCS7_ISSUER_AND_SERIAL
+#undef PKCS7_SIGNER_INFO
+#undef OCSP_REQUEST
+#undef OCSP_RESPONSE
+#endif
+
#include <schnlsp.h>
#include <schannel.h>
#include "curl_sspi.h"
either that or maybe it could just be included once in whatever curl header is actually causing this problem by including boringssl, rather than putting it in each unit
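Review bot: The block added at the top of schannel.h is a verbatim copy of the one added to ldap.c, including all six `#undef` lines, so the two lists can drift apart the next time a conflicting symbol shows up. Move the `<wincrypt.h>` include and the undefines into one shared internal header and include that from both places.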
@jay: Thanks, got it. But, speaking of MinGW, both
That works in openssl.c but maybe WIN32 is the right check in ldap. |
Tried with But, it resolves the problem, so for me this version is also fine.
I re-set it to use
Ref: curl/curl@4c46c82 Ref: curl/curl#9110 Follow-up of: 8a3a331
Same issue as here [1], but this time when building curl with BoringSSL
for Windows with LDAP(S) or Schannel support enabled.
Apply the same fix [2] for these source files as well.
This can also be fixed by moving `#include "urldata.h"` before including `winldap.h` and `schnlsp.h` respectively. This seems like a cleaner fix, though I'm not sure why it works and if it has any downside. (see below)
[1] #5669
[2] fbe07c6