Bug #2727

Won't compile with OpenSSL 1.1.0

Added by falemagn 12 months ago. Updated 11 months ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: core
Target version:
Start date: 2016-04-15
Due date:
% Done: 100%
Missing in 1.5.x:

Description

Lighttpd 1.4.39 won't compile with OpenSSL 1.1.0, mainly due to the fact that the internals of many structures have been hidden from the user, making the use of accessor functions mandatory.

Attached there's a patch that fixes the issue.

patch - Apply with -p1 from within the lighttpd root directory. (1.45 KB) falemagn, 2016-04-15 19:27

Associated revisions

Revision 49c74fff (diff)
Added by gstrauss 11 months ago

[core] compile with upcoming openssl 1.1.0 release (fixes #2727)

(thx falemagn)

x-ref:
"Won't compile with OpenSSL 1.1.0"
https://redmine.lighttpd.net/issues/2727

History

#1 Updated by gstrauss 12 months ago

Thanks for the patch. I'll test it out next week (against older openssl releases, too) unless someone else beats me to it.

(FYI for others reading this ticket: openssl 1.1.0 is in beta right now, and has not yet been officially released)

#2 Updated by gstrauss 11 months ago

I looked up the function calls added by your patch.
According to https://www.openssl.org/docs/manpages.html

these are available in openssl 1.0.1 (and possibly earlier, but people should be using 1.0.1 or later)
  • X509_NAME_ENTRY_get_data()
  • BN_bin2bn()
these are new in openssl 1.1.0
  • DH_get0_pqg()
  • DH_set_length()

so it looks like we'll have to wrap the new calls with #if OPENSSL_VERSION_NUMBER >= 0x010100000L
https://www.openssl.org/docs/man1.0.1/crypto/OPENSSL_VERSION_NUMBER.html

#3 Updated by gstrauss 11 months ago

  • Status changed from New to Patch Pending

The deprecated ERR_remove_state() in server.c should be replaced with ERR_remove_thread_state()

I also had trouble compiling connections.c with openssl 1.1.0pre5

connections.c:287:10: error: ‘SSL_R_TLSV1_ALERT_UNKNOWN_CA’ undeclared (first use in this function)
     case SSL_R_TLSV1_ALERT_UNKNOWN_CA:
          ^
connections.c:287:10: note: each undeclared identifier is reported only once for each function it appears in
connections.c:288:10: error: ‘SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN’ undeclared (first use in this function)
     case SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN:
          ^
connections.c:289:10: error: ‘SSL_R_SSLV3_ALERT_BAD_CERTIFICATE’ undeclared (first use in this function)
     case SSL_R_SSLV3_ALERT_BAD_CERTIFICATE:
          ^

I have patched and tested compiling and linking against openssl 1.1.0pre5. The modified patch will probably go to master next Monday.

#4 Updated by falemagn 11 months ago

gstrauss wrote:

I looked up the function calls added by your patch.
According to https://www.openssl.org/docs/manpages.html

these are available in openssl 1.0.1 (and possibly earlier, but people should be using 1.0.1 or later)
  • X509_NAME_ENTRY_get_data()
  • BN_bin2bn()

Of these 2, BN_bin2bn was already there before my patch.

these are new in openssl 1.1.0
  • DH_get0_pqg()
  • DH_set_length()

so it looks like we'll have to wrap the new calls with #if OPENSSL_VERSION_NUMBER >= 0x010100000L
https://www.openssl.org/docs/man1.0.1/crypto/OPENSSL_VERSION_NUMBER.html

I'd suggest that #if OPENSSL_VERSION_NUMBER < 0x010100000 then those two functions could be defined, so the code stays clean and compatible.
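
Added example, not part of the ticket and not lighttpd code: it decodes the pre-3.0 OPENSSL_VERSION_NUMBER layout (0xMNNFFPPS) and applies the 1.1.0 gate discussed in comments #2 and #4. The helper names and the sample version values are constructed for illustration; the 9-digit constant written in the thread equals 0x10100000L, since the leading zero is insignificant.

```c
#include <stdio.h>
#include <string.h>

/* Gate from the ticket: DH_get0_pqg()/DH_set_length() are new in 1.1.0. */
#define OSSL_110_GATE 0x10100000UL

struct ossl_ver { unsigned major, minor, fix, patch, status; };

/* Split a pre-3.0 OPENSSL_VERSION_NUMBER, laid out as 0xMNNFFPPS. */
static struct ossl_ver ossl_decode(unsigned long v) {
    struct ossl_ver r;
    r.major  = (unsigned)((v >> 28) & 0xf);
    r.minor  = (unsigned)((v >> 20) & 0xff);
    r.fix    = (unsigned)((v >> 12) & 0xff);
    r.patch  = (unsigned)((v >> 4) & 0xff);   /* 1 = 'a', 2 = 'b', ... */
    r.status = (unsigned)(v & 0xf);           /* 0 dev, 1..e beta, f release */
    return r;
}

/* 1 if the 1.1.0 accessors exist; 0 means pre-1.1.0 headers. */
static int has_dh_accessors(unsigned long v) { return v >= OSSL_110_GATE; }

/* Render as "1.0.2g" or "1.1.0-pre5"; buf should hold at least 24 bytes. */
static const char *ossl_name(unsigned long v, char *buf, size_t n) {
    struct ossl_ver r = ossl_decode(v);
    char letter[2] = "", tag[8] = "";
    if (r.patch >= 1 && r.patch <= 26) letter[0] = (char)('a' + r.patch - 1);
    if (r.status == 0) strcpy(tag, "-dev");
    else if (r.status != 0xf) snprintf(tag, sizeof tag, "-pre%u", r.status);
    snprintf(buf, n, "%u.%u.%u%s%s", r.major, r.minor, r.fix, letter, tag);
    return buf;
}

int main(void) {
    /* Constructed sample values following the documented layout. */
    unsigned long samples[] = { 0x1000100fUL, 0x1000207fUL, 0x10100005UL, 0x1010000fUL };
    char buf[24];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%08lx  %-11s accessors=%d\n", samples[i],
               ossl_name(samples[i], buf, sizeof buf), has_dh_accessors(samples[i]));
    return 0;
}
```

A beta build such as 1.1.0-pre5 already passes the gate, while every 1.0.x value falls below it.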

#5 Updated by falemagn 11 months ago

gstrauss wrote:

I also had trouble compiling connections.c with openssl 1.1.0pre5

[...]

Did you have that problem with the patch I submitted? That would be strange, since the patch contains an #ifdef around those cases to avoid the compilation issue: it appears those defines just don't exist anymore.

#6 Updated by gstrauss 11 months ago

  • Target version changed from 1.4.x to 1.4.40

#7 Updated by gstrauss 11 months ago

Did you have that problem with the patch I submitted? That would be strange, since the patch contains an #ifdef around those cases to avoid the compilation issue: it appears those defines just don't exist anymore.

Ah, I had overlooked that #ifdef in your patch for connections.c. Sorry.

Anyway, you can see the patch in my working branch personal/gstrauss/master (to which I force-push and rewrite as I please) if you

$ git clone https://git.lighttpd.net/lighttpd/lighttpd1.4.git

#8 Updated by falemagn 11 months ago

gstrauss wrote:

Anyway, you can see the patch in my working branch personal/gstrauss/master (to which I force-push and rewrite as I please) if you
[...]

Looks nice to me. Thanks for your time! :)

#9 Updated by gstrauss 11 months ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
