On Fri, Feb 04, 2022 at 11:18:50AM +0100, William Lallemand wrote:
> On Fri, Feb 04, 2022 at 09:57:25AM +0100, Remi Tricot-Le Breton wrote:
> >
> > 
> > On 02/02/2022 17:49, William Lallemand wrote:
> > >
> > >> Subject: [PATCH 2/7] BUILD: SSL: define X509_OBJECT for BoringSSL
> > >>
> > >> X509_OBJECT is opaque in BoringSSL, since we still use it, let us move
> > >> it to openssl-compat.h
> > >>
> > >> from 
> > >> https://boringssl.googlesource.com/boringssl/+/refs/heads/2924/include/openssl/x509_vfy.h#120
> > > I'm not really fond of this kind of declaration, most of the time we
> > > added helpers that were available in recent version of OpenSSL in this
> > > file. But in this case, adding a whole structure that was removed...
> > > with no guarantee that this will continue to work it's not a good idea.
> > >
> > >  From what I get they aligned the opaque structures with the OpenSSL API,
> > > so we probably will have the same problem with OpenSSL v3 without the
> > > obsolete API. And we are currently in the process of porting it to
> > > HAProxy. We probably need to change the code that uses X509_OBJECT.
> > > So I suppose it will start to work during this port.
> > >
> > X509_OBJECT and the APIs working on this structure were not marked as 
> > deprecated in OpenSSLv3, we are facing yet another place where BoringSSL 
> > seems a bit excessive in what they want to keep hidden.
> > Managing BoringSSL would still be much more expensive than managing 
> > OpenSSLv3 if this kind of problem happens on many structures.
> > 
> 
> Thanks for the clarification Rémi, I now remember having this
> conversation :-)
> 
> But when checking the commits they didn't make anything deprecated in
> fact, they just made it opaque.
> 
> https://boringssl.googlesource.com/boringssl/+/dddb60eb9700110835ff6e2b429de40a17006429
> 
> In this commit they claim to be aligning with OpenSSL, which might be the
> case, but if you take a look at openssl/x509.h, they still define:
> 
> - DEFINE_STACK_OF(X509_OBJECT)
> - OPENSSL_EXPORT STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *st);
> 
> So either there is an export problem with X509_OBJECT, or we are
> missing an include, or something else is wrongly done.
> 
> I'll make some tests to check what's going on.
> 

I just tried to build with the latest BoringSSL version; the problem is
on our side:

We are defining X509_OBJECT_get0_X509_CRL() because it does not exist in
BoringSSL, and inside it we are accessing the members of the X509_OBJECT,
which can't work since the structure is opaque.

We need to use the accessors instead, or find an alternative API.

-- 
William Lallemand
