Bug #2727

closed

Won't compile with OpenSSL 1.1.0

Added by falemagn almost 8 years ago. Updated almost 8 years ago.

Status:
Fixed
Priority:
Normal
Category:
core
Target version:

Description

Lighttpd 1.4.39 won't compile with OpenSSL 1.1.0, mainly due to the fact that the internals of many structures have been hidden from the user, making the use of accessor functions mandatory.

Attached there's a patch that fixes the issue.


Files

patch (1.45 KB): Apply with -p1 from within the lighttpd root directory. (falemagn, 2016-04-15 19:27)
Actions #1

Updated by gstrauss almost 8 years ago

Thanks for the patch. I'll test it out next week (against older openssl releases, too) unless someone else beats me to it.

(FYI for others reading this ticket: openssl 1.1.0 is in beta right now, and has not yet been officially released)

Actions #2

Updated by gstrauss almost 8 years ago

I looked up the function calls added by your patch.
According to https://www.openssl.org/docs/manpages.html

these are available in openssl 1.0.1 (and possibly earlier, but people should be using 1.0.1 or later)
  • X509_NAME_ENTRY_get_data()
  • BN_bin2bn()
these are new in openssl 1.1.0
  • DH_get0_pqg()
  • DH_set_length()

so it looks like we'll have to wrap the new calls with #if OPENSSL_VERSION_NUMBER >= 0x010100000L
https://www.openssl.org/docs/man1.0.1/crypto/OPENSSL_VERSION_NUMBER.html

Actions #3

Updated by gstrauss almost 8 years ago

  • Status changed from New to Patch Pending

The deprecated ERR_remove_state() in server.c should be replaced with ERR_remove_thread_state()

I also had trouble compiling connections.c with openssl 1.1.0pre5

connections.c:287:10: error: ‘SSL_R_TLSV1_ALERT_UNKNOWN_CA’ undeclared (first use in this function)
     case SSL_R_TLSV1_ALERT_UNKNOWN_CA:
          ^
connections.c:287:10: note: each undeclared identifier is reported only once for each function it appears in
connections.c:288:10: error: ‘SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN’ undeclared (first use in this function)
     case SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN:
          ^
connections.c:289:10: error: ‘SSL_R_SSLV3_ALERT_BAD_CERTIFICATE’ undeclared (first use in this function)
     case SSL_R_SSLV3_ALERT_BAD_CERTIFICATE:
          ^

I have patched and tested compiling and linking against openssl 1.1.0pre5. The modified patch will probably go to master next Monday.

Actions #4

Updated by falemagn almost 8 years ago

gstrauss wrote:

I looked up the function calls added by your patch.
According to https://www.openssl.org/docs/manpages.html

these are available in openssl 1.0.1 (and possibly earlier, but people should be using 1.0.1 or later)
  • X509_NAME_ENTRY_get_data()
  • BN_bin2bn()

Of these 2, BN_bin2bn was already there before my patch.

these are new in openssl 1.1.0
  • DH_get0_pqg()
  • DH_set_length()

so it looks like we'll have to wrap the new calls with #if OPENSSL_VERSION_NUMBER >= 0x010100000L
https://www.openssl.org/docs/man1.0.1/crypto/OPENSSL_VERSION_NUMBER.html

I'd suggest that #if OPENSSL_VERSION_NUMBER < 0x010100000 then those two functions could be defined, so the code stays clean and compatible.
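
The shim approach suggested in the comment above, sketched as an added example (it is not part of this ticket, the attached patch, or lighttpd's source). `USE_SYSTEM_OPENSSL`, the stand-in `BIGNUM`/`DH` types and `dh_params_present()` are assumptions made so the block builds without OpenSSL installed; the two shim functions use the OpenSSL 1.1.0 signatures.

```c
#include <stddef.h>

#ifdef USE_SYSTEM_OPENSSL              /* hypothetical switch: real build */
#include <openssl/opensslv.h>
#include <openssl/bn.h>
#include <openssl/dh.h>
#else                                  /* constructed stand-ins for an offline build */
#define OPENSSL_VERSION_NUMBER 0x1000200fL           /* pretend to be 1.0.2 */
typedef struct bignum_st { int unused; } BIGNUM;
/* Before 1.1.0 the DH fields were public; only the ones used here are modelled. */
typedef struct dh_st { BIGNUM *p, *q, *g; long length; } DH;
#endif

/* 0x10100000L is the same value as the 0x010100000L written in the thread. */
#if OPENSSL_VERSION_NUMBER < 0x10100000L
/* Pre-1.1.0: supply the accessors so callers never touch dh->p directly. */
static void DH_get0_pqg(const DH *dh, const BIGNUM **p,
                        const BIGNUM **q, const BIGNUM **g)
{
    /* Any output pointer may be NULL when the caller does not need it. */
    if (p != NULL) *p = dh->p;
    if (q != NULL) *q = dh->q;
    if (g != NULL) *g = dh->g;
}

static int DH_set_length(DH *dh, long length)
{
    dh->length = length;
    return 1;                          /* 1 means success, as in 1.1.0 */
}
#endif

/* Hypothetical caller: compiles unchanged against old and new OpenSSL,
 * because it only ever goes through the accessor. */
static int dh_params_present(const DH *dh)
{
    const BIGNUM *p = NULL, *g = NULL;
    DH_get0_pqg(dh, &p, NULL, &g);
    return p != NULL && g != NULL;
}
```

With the shim in one header, the call sites need no per-call `#if`, which is the "clean and compatible" result the comment asks for.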

Actions #5

Updated by falemagn almost 8 years ago

gstrauss wrote:

I also had trouble compiling connections.c with openssl 1.1.0pre5

[...]

Did you have that problem with the patch I submitted? That would be strange, since the patch contains an #ifdef around those cases to avoid the compilation issue: it appears those defines just don't exist anymore.

Actions #6

Updated by gstrauss almost 8 years ago

  • Target version changed from 1.4.x to 1.4.40
Actions #7

Updated by gstrauss almost 8 years ago

Did you have that problem with the patch I submitted? That would be strange, since the patch contains an #ifdef around those cases to avoid the compilation issue: it appears those defines just don't exist anymore.

Ah, I had overlooked that #ifdef in your patch for connections.c. Sorry.

Anyway, you can see the patch in my working branch personal/gstrauss/master (to which I force-push and rewrite as I please) if you

$ git clone https://git.lighttpd.net/lighttpd/lighttpd1.4.git

Actions #8

Updated by falemagn almost 8 years ago

gstrauss wrote:

Anyway, you can see the patch in my working branch personal/gstrauss/master (to which I force-push and rewrite as I please) if you
[...]

Looks nice to me. Thanks for your time! :)

Actions #9

Updated by gstrauss almost 8 years ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100