Re: mod_md in 2.4.61 fails to compile with openssl < 1.1.1

Fri, 05 Jul 2024 06:39:22 -0700 


On 7/5/24 3:16 PM, Yann Ylavic wrote:
> On Fri, Jul 5, 2024 at 3:05 PM Ruediger Pluem <rpl...@apache.org> wrote:
>>
>>
>>
>> On 7/5/24 2:14 PM, Ruediger Pluem wrote:
>>>
>>>
>>> On 7/5/24 2:11 PM, Ruediger Pluem wrote:
>>>>
>>>>
>>>> On 7/5/24 2:04 PM, Stefan Eissing via dev wrote:
>>>>>
>>>>>
>>>>>> Am 05.07.2024 um 13:51 schrieb Ruediger Pluem <rpl...@apache.org>:
>>>>>>
>>>>>> I just noticed that mod_md in 2.4.61 fails to compile with openssl < 
>>>>>> 1.1.1. Below is the output against openssl 1.0.2 on RedHat 7:
>>>>>>
>>>>>> md_crypt.c: In function 'md_pkey_get_rsa_e64':
>>>>>> md_crypt.c:982:5: warning: implicit declaration of function 
>>>>>> 'EVP_PKEY_get0_RSA' [-Wimplicit-function-declaration]
>>>>>>     const RSA *rsa = EVP_PKEY_get0_RSA(pkey->pkey);
>>>>>>     ^
>>>>>> md_crypt.c:982:22: warning: initialization makes pointer from integer 
>>>>>> without a cast [enabled by default]
>>>>>>     const RSA *rsa = EVP_PKEY_get0_RSA(pkey->pkey);
>>>>>>                      ^
>>>>>> md_crypt.c: In function 'md_pkey_get_rsa_n64':
>>>>>> md_crypt.c:1002:22: warning: initialization makes pointer from integer 
>>>>>> without a cast [enabled by default]
>>>>>>     const RSA *rsa = EVP_PKEY_get0_RSA(pkey->pkey);
>>>>>>                      ^
>>
>> This was already the case with 2.4.59 and openssl 1.0.2. Hence we did not 
>> fail to compile but loading of mod_md likely would fail
>> as the symbol EVP_PKEY_get0_RSA is not available with openssl 1.0.2.
> 
> This probably comes from r1913912 (2.4.x) which backported r1913616
> (trunk) which changed EVP_PKEY_get1_RSA() => EVP_PKEY_get0_RSA(), the
> former being probably available in < 1.1.1.
> So the check for using EVP_PKEY_get{0,1}_RSA() or the new openssl >= 3
> API should probably be something like:
> 
> #if OPENSSL_VERSION_NUMBER < 0x10101000L
>     RSA *rsa = EVP_PKEY_get1_RSA(pkey->pkey);
>     if (rsa) {
>         const char *ret;
>         const BIGNUM *e;
>         RSA_get0_key(rsa, NULL, &e, NULL);
>         ret = bn64(e, p);
>         RSA_free(rsa);
>         return ret;
>     }
> #elif OPENSSL_VERSION_NUMBER < 0x30000000L
>     ...
> #else
>     ...
> #endif
> 
> ?

I guess the core thing is the SCT stuff. Would it make sense to define 
OPENSSL_NO_CT with OPENSSL_VERSION_NUMBER < 0x10100000L
again. This would make it compile again. Of course we need to fix 
EVP_PKEY_get{0,1}_RSA() stuff as you propose then as well.


Regards

Rüdiger























					Reply via email to