> From: "Ben Pfaff" <[email protected]>
> To: "Lance Richardson" <[email protected]>
> Cc: [email protected], [email protected], "mickeys dev"
> <[email protected]>
> Sent: Thursday, 6 April, 2017 11:39:52 AM
> Subject: Re: [RFC 1/5] stream: store stream peer id with stream state
>
> On Thu, Apr 06, 2017 at 08:37:34AM -0700, Ben Pfaff wrote:
> > On Mon, Mar 27, 2017 at 02:56:09PM -0400, Lance Richardson wrote:
> > > Keep track of authenticated ID for stream peer. For SSL connections,
> > > the authenticated ID is the CN (Common Name) field from the peer's
> > > SSL certificate.
> > >
> > > Signed-off-by: Lance Richardson <[email protected]>
> >
> > Not all the new functions here follow the OVS convention that the
> > function name should be at the beginning of a line.
> >
> > It looks like the convention here is that the peer id is the common
> > name, except that if the common name contains "id:..." then that and
> > everything after it is not part of the peer id. Probably, this
> > convention should be documented somewhere, although that might only come
> > with a later patch that actually makes this feature user-visible (I
> > haven't read ahead yet).
>
> Oh, and I get build failures because:
>
> ../lib/stream-ssl.c:452:24: error: 'ASN1_STRING_data' is deprecated
> [-Werror,-Wdeprecated-declarations]
> /usr/include/openssl/asn1.h:553:35: note: 'ASN1_STRING_data' has been
> explicitly marked deprecated here
> /usr/include/i386-linux-gnu/openssl/opensslconf.h:130:53: note: expanded
> from macro 'DEPRECATEDIN_1_1_0'
> /usr/include/i386-linux-gnu/openssl/opensslconf.h:105:35: note: expanded
> from macro 'DECLARE_DEPRECATED'
>
What distro are you using? ASN1_STRING_data() was deprecated in openssl 1.1,
with the recommended alternative being ASN1_STRING_get0_data(). However, all of
the machines I have at arm's reach (Fedora 25, Ubuntu Zesty Zapus, RHEL 7.3)
use some flavor of openssl 1.0, which doesn't implement ASN1_STRING_get0_data().
(And wow, OS X 10.11.6 uses openssl 0.9.8.)

How about this:

#if OPENSSL_VERSION_NUMBER < 0x10100000L
    /* ASN1_STRING_data() is deprecated as of OpenSSL version 1.1 */
    cn = (const char *)ASN1_STRING_data(cn_data);
#else
    cn = (const char *)ASN1_STRING_get0_data(cn_data);
#endif

Lance
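
The peer-id convention described in the quoted review, as an added example that is not part of the original message or the OVS patch. It works on the raw CN bytes plus their length (what ASN1_STRING_data()/ASN1_STRING_get0_data() and ASN1_STRING_length() return), so it needs no OpenSSL headers. The name peer_id_from_cn, the NUL rejection, the trailing-space trim and the sample CN are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not OVS code): derive the peer id from the CN bytes.
 * Returns 0 on success, -1 if the CN must be rejected. */
int
peer_id_from_cn(const unsigned char *cn, size_t cn_len,
                char *out, size_t out_size)
{
    size_t id_len = cn_len;
    size_t i;

    if (!cn || !out || !out_size) {
        return -1;
    }
    /* An embedded NUL would make C string functions see a shorter name
     * than the one the CA actually certified, so reject it outright. */
    if (memchr(cn, '\0', cn_len)) {
        return -1;
    }
    /* Convention from the review: "id:" and everything after it is not
     * part of the peer id. */
    for (i = 0; i + 3 <= cn_len; i++) {
        if (!memcmp(cn + i, "id:", 3)) {
            id_len = i;
            break;
        }
    }
    /* Assumption: drop spaces left in front of "id:". */
    while (id_len > 0 && cn[id_len - 1] == ' ') {
        id_len--;
    }
    /* Refuse empty or oversized ids instead of truncating them. */
    if (id_len == 0 || id_len >= out_size) {
        return -1;
    }
    memcpy(out, cn, id_len);
    out[id_len] = '\0';
    return 0;
}

int
main(void)
{
    /* Constructed sample CN, not taken from a real certificate. */
    static const unsigned char cn[] = "chassis-1 id:abc";
    char id[64];

    if (!peer_id_from_cn(cn, sizeof cn - 1, id, sizeof id)) {
        printf("peer id: %s\n", id);
    }
    return 0;
}
```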