OpenSSL 4.0.0 was released[1] a few months ago and one of the changes
that affects Serf is making ASN1_STRING an opaque type.
[1]: https://github.com/openssl/openssl/releases/tag/openssl-4.0.0
This results in the below build failure:
| cc -o buckets/ssl_buckets.o -c -g -O2 -Werror=implicit-function-declaration
-ffile-prefix-map=/build/reproducible-path/serf-1.3.10=.
-fstack-protector-strong -fstack-clash-protection -Wformat
-Werror=format-security -fcf-protection -std=c89 -Wdeclaration-after-statement
-Wmissing-prototypes -Wall -O2 -isystem /usr/include/mit-krb5 -Wdate-time
-D_FORTIFY_SOURCE=2 -DNDEBUG -DOPENSSL_NO_STDIO -DLINUX -D_REENTRANT
-D_GNU_SOURCE -DSERF_HAVE_GSSAPI -I. -I/usr/include/apr-1.0 -I/usr/include
-I/usr/include buckets/ssl_buckets.c
| buckets/ssl_buckets.c: In function 'get_subject_alt_names':
| buckets/ssl_buckets.c:570:41: error: invalid use of incomplete typedef
'ASN1_IA5STRING' {aka 'struct asn1_string_st'}
| 570 | strlen(nm->d.ia5->data) != nm->d.ia5->length)
| | ^~
| buckets/ssl_buckets.c:570:61: error: invalid use of incomplete typedef
'ASN1_IA5STRING' {aka 'struct asn1_string_st'}
| 570 | strlen(nm->d.ia5->data) != nm->d.ia5->length)
| | ^~
| buckets/ssl_buckets.c:573:77: error: invalid use of incomplete typedef
'ASN1_IA5STRING' {aka 'struct asn1_string_st'}
| 573 | p = pstrdup_escape_nul_bytes((const char
*)nm->d.ia5->data,
| |
^~
| buckets/ssl_buckets.c:574:63: error: invalid use of incomplete typedef
'ASN1_IA5STRING' {aka 'struct asn1_string_st'}
| 574 |
nm->d.ia5->length,
| | ^~
The attached patch fixes the build failure for 1.3.10, but should
probably be properly guarded with the relevant ASN1_STRING checks like
what already exists in trunk.
Although trunk uses ASN1_STRING_get0_data/length in some places, this
particular code path is still accessing the internals directly.
Even after fixing the build, I see a test failure in 1.3.10 that doesn't
happen with OpenSSL 3.6.2.
| 0088F7FDB37F0000:error:0A000126:SSL routines::unexpected eof while
reading:../ssl/record/rec_layer_s3.c:703:
| ..........................F...........................................
|
| There was 1 failure:
| 1) test_ssltunnel_basic_auth_server_has_keepalive_off: test/test_context.c:2210: expected
<0> but was <120199>
Cheers,
--
James (he/him)
GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7 2D23 DFE6 91AE 331B A3DB
diff --git i/buckets/ssl_buckets.c w/buckets/ssl_buckets.c
index 9d68bf8..54f28d9 100644
--- i/buckets/ssl_buckets.c
+++ w/buckets/ssl_buckets.c
@@ -567,11 +567,11 @@ get_subject_alt_names(apr_array_header_t **san_arr, X509
*ssl_cert,
switch (nm->type) {
case GEN_DNS:
if (copy_action == ErrorOnNul &&
- strlen(nm->d.ia5->data) != nm->d.ia5->length)
+ strlen(ASN1_STRING_get0_data(nm->d.ia5)) !=
ASN1_STRING_length(nm->d.ia5))
return SERF_ERROR_SSL_CERT_FAILED;
if (san_arr && *san_arr)
- p = pstrdup_escape_nul_bytes((const char
*)nm->d.ia5->data,
- nm->d.ia5->length,
+ p = pstrdup_escape_nul_bytes((const char
*)ASN1_STRING_get0_data(nm->d.ia5),
+
ASN1_STRING_length(nm->d.ia5),
pool);
break;
default:
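Review bot: in the first added line, the return value of ASN1_STRING_get0_data(nm->d.ia5) goes to strlen() without the (const char *) cast that the pstrdup_escape_nul_bytes() call a few lines below applies. The accessor returns const unsigned char *, so under the -Wall shown in the build log this draws a pointer-signedness warning; add the same cast there. The comparison also mixes the size_t from strlen() with the int from ASN1_STRING_length(), so cast one side explicitly. This check is what rejects a dNSName with an embedded NUL under ErrorOnNul, so it should stay exact. Consider reading the data pointer and length once into locals and using them in both the check and the pstrdup_escape_nul_bytes() call. With -std=c89 and -Wdeclaration-after-statement those declarations have to sit at the top of the enclosing block. As the message itself notes, the accessor calls still need the version guard that trunk uses elsewhere before this can build against older OpenSSL releases.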