ipsec-tools: compile with openssl 1.1, compile fix#6141
Conversation
|
I've just submitted this patch upstream. |
|
Thanks for sending this in. It'll take some time to review. Can you tell me where you sent it upstream? I don't see anything on the ipsec-tools-devel sourceforge mailing list, which is what upstream uses for communication. |
|
It's here: https://sourceforge.net/p/ipsec-tools/mailman/ipsec-tools-devel/thread/20180528120513.560-1-cote2004-github%40yahoo.com/#msg36327963. And I did CC you when I sent it. However, with DMARC active, list e-mails may be getting bounces. Should I resend it to Reinoud, who replied to your question about openssl 1.1 support. I though about doing it when I submitted the patch, but decided against it. |
nmeyerhans
left a comment
nmeyerhans
left a comment
There was a problem hiding this comment.
I've successfully compile-tested this on Debian, but not yet on OpenWRT.
I'd love to see upstream comment on this before we merge it, so let's give them some time to do so. I also want to get some more meaningful testing of it.
| if ((dh = DH_new()) == NULL) | ||
| goto end; | ||
| - if (eay_v2bn(&dh->p, prime) < 0) | ||
| + BIGNUM *p = BN_new(); |
There was a problem hiding this comment.
gcc on Debian reports errors related to -Werror=maybe-uninitialized on the 4 BIGNUM declarations starting here. The issue is that there's a possibility for the goto end statements on preceding lines to be executed before these declarations, and end can call BN_free() on them. The full errors are:
./crypto_openssl.c: In function 'eay_dh_compute':
./crypto_openssl.c:2390:3: error: 'priv_key' may be used uninitialized in this function [-Werror=maybe-uninitialized]
BN_free(priv_key);
^~~~~~~~~~~~~~~~~
./crypto_openssl.c:2388:3: error: 'pub_key' may be used uninitialized in this function [-Werror=maybe-uninitialized]
BN_free(pub_key);
^~~~~~~~~~~~~~~~
./crypto_openssl.c:2383:5: error: 'p' may be used uninitialized in this function [-Werror=maybe-uninitialized]
if (p != NULL)
^
./crypto_openssl.c:2385:5: error: 'BNg' may be used uninitialized in this function [-Werror=maybe-uninitialized]
if (BNg != NULL)
^
This can be fixed by moving these 4 declaration such that they occur before the first goto end.
There was a problem hiding this comment.
You're right. I will update.
Added compatibility with openssl 1.1, and also fixed a compiler warning about implicit declaration. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
cotequeiroz
force-pushed
the
ipsec-tools_openssl-1.1
branch
from
b1f27d9 to
d0908fa
Compare
|
I sent the corrected patch upstream right away, but I had forgotten to update this until now. |
|
Just wanted to follow up so you know this isn't languishing. I've done some testing on Debian and am entirely happy with the results so far, both with OpenSSL 1.1 and 1.0. I don't have any major concerns at this time, but still want to do more testing before I merge. Also, it doesn't look like upstream has responded at all yet. 😞 It may be worth bugging them again... |
|
Merged, finally. Still no response from upstream. Remind me to bring up the idea of a fork again someday... For the record, I uploaded a package including this fix to Debian on June 30, so ipsec-tools will once again be included in the next stable release. It was previously slated to be excluded since openssl 1.0 will not be included in the next version. |
Incorporate the openssl 1.1 patch from openwrt/packages#6141 Incorporate the fix from Adrian Bunk <bunk@debian.org> for flex 2.6.4-6 support (Closes: Bug#892831)
Incorporate the openssl 1.1 patch from openwrt/packages#6141 Origin: upstream, https://salsa.debian.org/debian/ipsec-tools/-/raw/master/debian/patches/openssl1.1?inline=false Last-Update: 2023-09-29 =================================================================== Signed-off-by: Thomas Reim <reimth@gmail.com>
2 participants
Added compatibility with openssl 1.1, and also fixed a compiler
warning about implicit declaration.
Signed-off-by: Eneas U de Queiroz cote2004-github@yahoo.com
Maintainer: @nmeyerhans, @aTanW
Compile tested: bcm47xx/ramips/x86_64, openwrt master
Run tested: x86_64