OpenSSL 1.1 API deprecations #597

Closed
Polynomial-C opened this Issue Jan 4, 2017 · 10 comments


Polynomial-C commented Jan 4, 2017

Error message when trying to compile current git HEAD:

libtool: link: i686-pc-linux-gnu-gcc -march=native -O2 -pipe -Wall -Wl,-O1 -Wl,--hash-style=gnu -Wl,--sort-common -o irssi gui-entry.o gui-expandos.o gui-printtext.o gui-readline.o gui-windows.o lastlog.o mainwindows.o mainwindow-activity.o mainwindows-layout.o statusbar.o statusbar-config.o statusbar-items.o term.o term-terminfo.o terminfo-core.o textbuffer.o textbuffer-commands.o textbuffer-view.o irssi.o module-formats.o -Wl,--export-dynamic -pthread -Wl,--export-dynamic  -Wl,--as-needed ../fe-common/irc/libfe_common_irc.a ../fe-common/irc/dcc/libfe_irc_dcc.a ../fe-common/irc/notifylist/libfe_irc_notifylist.a ../fe-common/core/libfe_common_core.a ../irc/libirc.a ../irc/core/libirc_core.a ../irc/dcc/libirc_dcc.a ../irc/flood/libirc_flood.a ../irc/notifylist/libirc_notifylist.a ../core/libcore.a ../lib-config/libirssi_config.a -lgmodule-2.0 -lglib-2.0 -lssl -lcrypto -lncursesw -pthread
../core/libcore.a(network-openssl.o): In function `net_connect_ip_ssl':
network-openssl.c:(.text+0x691): undefined reference to `SSL_library_init'
network-openssl.c:(.text+0x696): undefined reference to `SSL_load_error_strings'
network-openssl.c:(.text+0x69b): undefined reference to `OpenSSL_add_all_algorithms'
../core/libcore.a(network-openssl.o): In function `irssi_ssl_handshake':
network-openssl.c:(.text+0xb79): undefined reference to `X509_get_notBefore'
network-openssl.c:(.text+0xbcd): undefined reference to `X509_get_notAfter'
network-openssl.c:(.text+0xce7): undefined reference to `ASN1_STRING_data'
network-openssl.c:(.text+0xd87): undefined reference to `ASN1_STRING_data'
network-openssl.c:(.text+0x1082): undefined reference to `ASN1_STRING_data'
collect2: error: ld returned 1 exit status
make[3]: *** [Makefile:519: irssi] Error 1

See also openssl-1.1 API changes

Please note that openssl-1.1 can be compiled with three different compatibility levels:

--api=0.9.8, --api=1.0.0 and --api=1.1.0.

The important information here is that with --api=1.1.0 (which is what openssl on this test machine was compiled with) all interfaces seen as deprecated by openssl developers won't be available anymore. So please carefully check your code for usage of deprecated interfaces.

Contributor

ailin-nemui commented Jan 4, 2017

why is this not a compile time error? sounds like you're linking to the wrong library or header/library mismatch?

Polynomial-C commented Jan 4, 2017

I don't know why it does not fail before the linking stage. But on that test machine there's no other openssl header/library installed than the 1.1.0c version with --api=1.1.0 being set during compilation.
I reported a very similar error to nsd upstream where it also didn't fail before the linking stage (admittedly, no libtool was involved there but that should not make any difference):
https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=827

Contributor

ailin-nemui commented Jan 4, 2017

say what you want if there is no compile time error then the openssl headers are sh*t. may be a bug in upstream openssl as well. anyway thanks for the report

Member

dequis commented Jan 4, 2017

make distclean or git clean -fdx then try again

Contributor

ailin-nemui commented Jan 6, 2017

make CFLAGS=-Werror please

Member

dequis commented Jan 6, 2017

Got myself an openssl 1.1.0c, no --api params.

./Configure --prefix=/usr --openssldir=/etc/ssl --libdir=lib \
	shared zlib enable-ec_nistp_64_gcc_128 linux-x86_64  \
	"-Wa,--noexecstack ${CPPFLAGS} ${CFLAGS} ${LDFLAGS}"
$ openssl version -a
OpenSSL 1.1.0c  10 Nov 2016
built on: reproducible build, date unspecified
platform: linux-x86_64
compiler: gcc -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/etc/ssl\"" -DENGINESDIR="\"/usr/lib/engines-1.1\""  -Wa,--noexecstack  -march=x86-64 -mtune=generic -O1 -pipe -fstack-protector-strong -g3  -O2 -g3  -O2 -Wl,-O1,--sort-common,--as-needed,-z,relro
OPENSSLDIR: "/etc/ssl"
ENGINESDIR: "/usr/lib/engines-1.1"

Irssi build warnings:

network-openssl.c: In function ‘tls_dns_name’:
network-openssl.c:80:2: warning: ‘ASN1_STRING_data’ is deprecated [-Wdeprecated-declarations]
  dnsname = (char *) ASN1_STRING_data(gn->d.ia5);
  ^~~~~~~
In file included from /usr/include/openssl/bn.h:31:0,
                 from /usr/include/openssl/asn1.h:24,
                 from /usr/include/openssl/objects.h:916,
                 from /usr/include/openssl/evp.h:27,
                 from /usr/include/openssl/x509.h:23,
                 from /usr/include/openssl/ssl.h:50,
                 from tls.h:22,
                 from network-openssl.c:26:
/usr/include/openssl/asn1.h:553:1: note: declared here
 DEPRECATEDIN_1_1_0(unsigned char *ASN1_STRING_data(ASN1_STRING *x))
 ^
  CC       session.o
  CC       settings.o
network-openssl.c: In function ‘set_peer_cert_chain_info’:
network-openssl.c:612:4: warning: ‘ASN1_STRING_data’ is deprecated [-Wdeprecated-declarations]
    value = (char *)ASN1_STRING_data(data);
    ^~~~~
In file included from /usr/include/openssl/bn.h:31:0,
                 from /usr/include/openssl/asn1.h:24,
                 from /usr/include/openssl/objects.h:916,
                 from /usr/include/openssl/evp.h:27,
                 from /usr/include/openssl/x509.h:23,
                 from /usr/include/openssl/ssl.h:50,
                 from tls.h:22,
                 from network-openssl.c:26:
/usr/include/openssl/asn1.h:553:1: note: declared here
 DEPRECATEDIN_1_1_0(unsigned char *ASN1_STRING_data(ASN1_STRING *x))
 ^
network-openssl.c:631:4: warning: ‘ASN1_STRING_data’ is deprecated [-Wdeprecated-declarations]
    value = (char *)ASN1_STRING_data(data);
    ^~~~~
In file included from /usr/include/openssl/bn.h:31:0,
                 from /usr/include/openssl/asn1.h:24,
                 from /usr/include/openssl/objects.h:916,
                 from /usr/include/openssl/evp.h:27,
                 from /usr/include/openssl/x509.h:23,
                 from /usr/include/openssl/ssl.h:50,
                 from tls.h:22,
                 from network-openssl.c:26:
/usr/include/openssl/asn1.h:553:1: note: declared here
 DEPRECATEDIN_1_1_0(unsigned char *ASN1_STRING_data(ASN1_STRING *x))
 ^

Build succeeds.

Contributor

ailin-nemui commented Jan 9, 2017

@ahf are you up for this challenge

Polynomial-C commented Jan 10, 2017

Alright, here comes the make CFLAGS=-Werror run. Sorry it took so long...

i686-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -I../..  -I../../src -I../../src/core -pthread -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -DSYSCONFDIR=\""/etc"\" -DMODULEDIR=\""/usr/lib/irssi/modules"\"   -Werror -c -o network-openssl.o network-openssl.c
network-openssl.c: In function ‘tls_dns_name’:
network-openssl.c:80:21: error: implicit declaration of function ‘ASN1_STRING_data’ [-Werror=implicit-function-declaration]
  dnsname = (char *) ASN1_STRING_data(gn->d.ia5);
                     ^
network-openssl.c: In function ‘irssi_ssl_init’:
network-openssl.c:355:2: error: implicit declaration of function ‘SSL_library_init’ [-Werror=implicit-function-declaration]
  SSL_library_init();
  ^
network-openssl.c:356:2: error: implicit declaration of function ‘SSL_load_error_strings’ [-Werror=implicit-function-declaration]
  SSL_load_error_strings();
  ^
network-openssl.c:357:2: error: implicit declaration of function ‘OpenSSL_add_all_algorithms’ [-Werror=implicit-function-declaration]
  OpenSSL_add_all_algorithms();
  ^
network-openssl.c: In function ‘set_pubkey_info’:
network-openssl.c:555:23: error: implicit declaration of function ‘X509_get_notBefore’ [-Werror=implicit-function-declaration]
  ASN1_TIME_print(bio, X509_get_notBefore(cert));
                       ^
network-openssl.c:555:23: error: passing argument 2 of ‘ASN1_TIME_print’ makes pointer from integer without a cast [-Werror=int-conversion]
In file included from /usr/include/openssl/objects.h:916:0,
                 from /usr/include/openssl/evp.h:27,
                 from /usr/include/openssl/pem.h:16,
                 from /usr/include/openssl/ssl.h:55,
                 from tls.h:22,
                 from network-openssl.c:26:
/usr/include/openssl/asn1.h:753:5: note: expected ‘const ASN1_TIME * {aka const struct asn1_string_st *}’ but argument is of type ‘int’
 int ASN1_TIME_print(BIO *fp, const ASN1_TIME *a);
     ^
network-openssl.c:563:23: error: implicit declaration of function ‘X509_get_notAfter’ [-Werror=implicit-function-declaration]
  ASN1_TIME_print(bio, X509_get_notAfter(cert));
                       ^
network-openssl.c:563:23: error: passing argument 2 of ‘ASN1_TIME_print’ makes pointer from integer without a cast [-Werror=int-conversion]
In file included from /usr/include/openssl/objects.h:916:0,
                 from /usr/include/openssl/evp.h:27,
                 from /usr/include/openssl/pem.h:16,
                 from /usr/include/openssl/ssl.h:55,
                 from tls.h:22,
                 from network-openssl.c:26:
/usr/include/openssl/asn1.h:753:5: note: expected ‘const ASN1_TIME * {aka const struct asn1_string_st *}’ but argument is of type ‘int’
 int ASN1_TIME_print(BIO *fp, const ASN1_TIME *a);
     ^
cc1: all warnings being treated as errors
make[3]: *** [Makefile:570: network-openssl.o] Error 1

And yes, without adding --api=1.1.0 to openssl's configure you still get the deprecated interfaces. But that doesn't change the fact that these interfaces are deprecated and openssl will remove them entirely with openssl-1.2.

@dequis dequis changed the title from irssi fails to build with openssl-1.1 (new API) to OpenSSL 1.1 API deprecations Jan 10, 2017

Member

dequis commented Jan 10, 2017

Changed the title to something less misleading.

LemonBoy added a commit to LemonBoy/irssi that referenced this issue Jan 23, 2017

Support OpenSSL 1.1.0.
- X509_get_notBefore becomes X509_get0_notBefore
- X509_get_notAfter becomes X509_get0_notAfter
- ASN1_STRING_data becomes ASN1_STRING_get0_data (and drops the const)
- The whole library is now initialized by OPENSSL_init_ssl

Closes irssi#597

Contributor

ailin-nemui commented Jan 31, 2017

@Polynomial-C are you interested in testing this

LemonBoy added a commit to LemonBoy/irssi that referenced this issue Feb 3, 2017

Support OpenSSL 1.1.0.
- X509_get_notBefore becomes X509_get0_notBefore
- X509_get_notAfter becomes X509_get0_notAfter
- ASN1_STRING_data becomes ASN1_STRING_get0_data (and drops the const)
- The whole library is now initialized by OPENSSL_init_ssl

Closes irssi#597
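
One way to run the check the reporter asks for, as an added example that is not part of the issue thread or irssi's code: a shell function that scans a source tree for the six interfaces named in the linker errors and reports the replacement given in the commit message. The function names, the `DEPRECATED_MAP` variable and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not irssi's code. Old -> new pairs are taken from the
# commit message and linker errors quoted in this issue.
DEPRECATED_MAP='SSL_library_init:OPENSSL_init_ssl
SSL_load_error_strings:OPENSSL_init_ssl
OpenSSL_add_all_algorithms:OPENSSL_init_ssl
X509_get_notBefore:X509_get0_notBefore
X509_get_notAfter:X509_get0_notAfter
ASN1_STRING_data:ASN1_STRING_get0_data'

# audit_openssl_deprecations DIR
# Prints "file:line: old -> new" for each whole-word use in *.c / *.h files.
# Returns 1 if any deprecated interface is used, 0 if the tree is clean.
audit_openssl_deprecations() {
    report=$(
        printf '%s\n' "$DEPRECATED_MAP" | while IFS=: read -r old new; do
            # -w: whole identifier only; -F: fixed string, not a regex
            grep -rnwF --include='*.c' --include='*.h' -- "$old" "$1" |
                cut -d: -f1,2 |
                sed "s/\$/: $old -> $new/"
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# make_sample_tree: writes a constructed C fragment (not irssi source)
# into a fresh temporary directory and prints the directory name.
make_sample_tree() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/sample.c" <<'EOF'
/* constructed sample input */
SSL_library_init();
dnsname = (char *) ASN1_STRING_data(gn->d.ia5);
ASN1_TIME_print(bio, X509_get_notBefore(cert));
p = ASN1_STRING_get0_data(s);      /* already migrated */
my_SSL_library_init_done = 1;      /* longer identifier, not a hit */
EOF
    printf '%s\n' "$dir"
}

sample=$(make_sample_tree)
audit_openssl_deprecations "$sample" || echo "deprecated OpenSSL interfaces in use"
rm -rf "$sample"
```

The non-zero return value lets the function gate a CI job, so a build against an OpenSSL without the deprecated interfaces is not the first place the problem shows up.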
