> [k...@sibbald.com - Mon Mar 01 13:38:48 2010]:
>
> Hello,
>
> This is something between a request for information and a bug report.
>
> Background:
> We have been using OpenSSL for many years in Bacula, which has created a
> number of license problems because we are GPL.
>
> Problem:
> Our users are reporting that Bacula no longer compiles under Fedora 12 because
> of our use of OpenSSL.
>
> Compiling guid_to_name.c
> crypto.c: In function 'ASN1_OCTET_STRING* openssl_cert_keyid(X509*)':
> crypto.c:333: error: invalid conversion from 'const X509V3_EXT_METHOD*' to 'X509V3_EXT_METHOD*'
> crypto.c: In function 'CRYPTO_SESSION* crypto_session_new(crypto_cipher_t, alist*)':
> crypto.c:1102: error: cannot convert 'unsigned char*' to 'EVP_PKEY_CTX*' for argument '1' to 'int EVP_PKEY_encrypt(EVP_PKEY_CTX*, unsigned char*, size_t*, const unsigned char*, size_t)'
> crypto.c: In function 'crypto_error_t crypto_session_decode(const u_int8_t*, u_int32_t, alist*, CRYPTO_SESSION**)':
> crypto.c:1226: error: cannot convert 'unsigned char*' to 'EVP_PKEY_CTX*' for argument '1' to 'int EVP_PKEY_decrypt(EVP_PKEY_CTX*, unsigned char*, size_t*, const unsigned char*, size_t)'
> make[1]: *** [crypto.lo] Error 1
>
> In looking at your change log, it looks like you have renamed
> some "undocumented" functions, which causes the above errors.
> I am not sure why these functions were used since it was Landon Fuller who
> wrote the original code.
>
> However, I am wondering why it was really necessary to make this change.
> Wouldn't it have been simpler for your users to simply change the name of the
> new function?
>
> Now I am faced with the prospect of having to add special code to detect the
> OpenSSL version, or possibly switch to another encryption library :-(
I've had a look at the code in question. What I think happened is that a number of "cookbooks" and even published books presented some highly non-portable code (extracted from library internals) as an example of correct usage of OpenSSL. In general, if you have to poke around in lots of internal functions there is probably a better way of doing things.

The openssl_cert_keyid() function is one such example. The way ASN1 is used was changed and this ended up biting people using the "published" example, so you've got some version dependence in there and direct access to internals. The portable way to handle that entire function is with the single call:

keyid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);

which works unmodified on all versions of OpenSSL.

Now the use of EVP_PKEY_encrypt() and EVP_PKEY_decrypt(). The portable way of handling things in all versions of OpenSSL is to use RSA_public_encrypt() and RSA_private_decrypt(). This isn't a drop-in replacement because those functions take an RSA structure instead of an EVP_PKEY. You can do this:

ret = RSA_public_encrypt(key_len, key, encrypted_key, key->pkey.rsa, RSA_PKCS1_PADDING);

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org