+cc Bernard Spil
On 2015/09/28 02:27, David Coppa wrote:
>
> Hi!
>
> I was trying to update security/wpa_supplicant to the latest release (2.5).
> No cookie for me this time :(
>
> First error:
>
> cc -c -o ../src/eap_peer/eap_tls_common.o -O2 -pipe
> -I/home/cvs/obj/wpa_supplicant-2.5/wpa_supplicant-2.5/src
> -I/home/cvs/obj/wpa_supplicant-2.5/wpa_supplicant-2.5/src/utils
> -I/usr/local/include/PCSC -DCONFIG_BACKEND_FILE -DCONFIG_PEERKEY
> -DCONFIG_DRIVER_WIRED -DCONFIG_DRIVER_OPENBSD -DEAP_TLS -DEAP_PEAP -DEAP_TTLS
> -DEAP_MD5 -DEAP_MSCHAPv2 -DEAP_GTC -DEAP_OTP -DEAP_SIM -DEAP_LEAP -DEAP_PSK
> -DEAP_AKA -DEAP_FAST -DEAP_PAX -DEAP_SAKE -DEAP_GPSK -DEAP_IKEV2
> -DIEEE8021X_EAPOL -DPCSC_FUNCS -I/usr/include/PCSC -DPKCS12_FUNCS
> -DCONFIG_SMARTCARD -DEAP_TLS_OPENSSL -DCONFIG_SHA256 -DALL_DH_GROUPS
> -DCONFIG_CTRL_IFACE -DCONFIG_CTRL_IFACE_UNIX ../src/eap_peer/eap_tls_common.c
> cc -c -o ../src/crypto/tls_openssl.o -O2 -pipe
> -I/home/cvs/obj/wpa_supplicant-2.5/wpa_supplicant-2.5/src
> -I/home/cvs/obj/wpa_supplicant-2.5/wpa_supplicant-2.5/src/utils
> -I/usr/local/include/PCSC -DCONFIG_BACKEND_FILE -DCONFIG_PEERKEY
> -DCONFIG_DRIVER_WIRED -DCONFIG_DRIVER_OPENBSD -DEAP_TLS -DEAP_PEAP -DEAP_TTLS
> -DEAP_MD5 -DEAP_MSCHAPv2 -DEAP_GTC -DEAP_OTP -DEAP_SIM -DEAP_LEAP -DEAP_PSK
> -DEAP_AKA -DEAP_FAST -DEAP_PAX -DEAP_SAKE -DEAP_GPSK -DEAP_IKEV2
> -DIEEE8021X_EAPOL -DPCSC_FUNCS -I/usr/include/PCSC -DPKCS12_FUNCS
> -DCONFIG_SMARTCARD -DEAP_TLS_OPENSSL -DCONFIG_SHA256 -DALL_DH_GROUPS
> -DCONFIG_CTRL_IFACE -DCONFIG_CTRL_IFACE_UNIX ../src/crypto/tls_openssl.c
> ../src/crypto/tls_openssl.c: In function 'tls_parse_pkcs12':
> ../src/crypto/tls_openssl.c:2252: error: 'SSL_BUILD_CHAIN_FLAG_CHECK'
> undeclared (first use in this function)
> ../src/crypto/tls_openssl.c:2252: error: (Each undeclared identifier is
> reported only once
> ../src/crypto/tls_openssl.c:2252: error: for each function it appears in.)
> ../src/crypto/tls_openssl.c:2253: error: 'SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR'
> undeclared (first use in this function)
> Makefile:1748: recipe for target '../src/crypto/tls_openssl.o' failed
> gmake: *** [../src/crypto/tls_openssl.o] Error 1
>
> Then if I cut that chunk out:
>
> ---8<---
>
> $ cat patches/patch-src_crypto_tls_openssl_c
> $OpenBSD$
> --- src/crypto/tls_openssl.c.orig Mon Sep 28 09:44:11 2015
> +++ src/crypto/tls_openssl.c Mon Sep 28 09:44:30 2015
> @@ -2247,18 +2247,6 @@ static int tls_parse_pkcs12(struct tls_data *data, SSL
> /* Try to continue anyway */
> }
> sk_X509_free(certs);
> -#ifndef OPENSSL_IS_BORINGSSL
This ifndef is for Android :)
Checking for SSL_BUILD_CHAIN_FLAG_CHECK (or at a push LIBRESSL_VERSION)
being defined should be more widely applicable here.
> - res = SSL_build_cert_chain(ssl,
> - SSL_BUILD_CHAIN_FLAG_CHECK |
> - SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR);
> - if (!res) {
> - tls_show_errors(MSG_DEBUG, __func__,
> - "Failed to build certificate chain");
> - } else if (res == 2) {
> - wpa_printf(MSG_DEBUG,
> - "TLS: Ignore certificate chain verification
> error when building chain with PKCS#12 extra certificates");
> - }
> -#endif /* OPENSSL_IS_BORINGSSL */
> /*
> * Try to continue regardless of result since it is possible for
> * the extra certificates not to be required.
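Review bot: Deleting the whole SSL_build_cert_chain() block, together with its #ifndef OPENSSL_IS_BORINGSSL / #endif pair, removes chain building for the PKCS#12 extra certificates on every library this file is built against, not only on the one that lacks the flags. It also drops the "Failed to build certificate chain" debug message, so a chain that cannot be completed no longer shows up in the log. Keeping the block and narrowing the guard, for example to #if !defined(OPENSSL_IS_BORINGSSL) && defined(SSL_BUILD_CHAIN_FLAG_CHECK), would still compile here and keeps the call wherever the headers provide it.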
>
> ---8<---
>
> Another bunch of errors while linking:
>
> cc -o wpa_supplicant config.o notify.o bss.o eap_register.o
> ../src/utils/common.o ../src/utils/wpa_debug.o ../src/utils/wpabuf.o wmm_ac.o
> ../src/utils/os_unix.o ../src/utils/eloop.o config_file.o
> ../src/rsn_supp/wpa.o ../src/rsn_supp/preauth.o ../src/rsn_supp/pmksa_cache.o
> ../src/rsn_supp/peerkey.o ../src/rsn_supp/wpa_ie.o ../src/common/wpa_common.o
> ../src/eap_peer/eap_tls.o ../src/eap_peer/eap_peap.o
> ../src/eap_common/eap_peap_common.o ../src/eap_peer/eap_ttls.o
> ../src/eap_peer/eap_md5.o ../src/eap_peer/eap_mschapv2.o
> ../src/eap_peer/mschapv2.o ../src/eap_peer/eap_gtc.o
> ../src/eap_peer/eap_otp.o ../src/eap_peer/eap_sim.o
> ../src/eap_peer/eap_leap.o ../src/eap_peer/eap_psk.o
> ../src/eap_common/eap_psk_common.o ../src/eap_peer/eap_aka.o
> ../src/eap_common/eap_sim_common.o ../src/eap_peer/eap_fast.o
> ../src/eap_peer/eap_fast_pac.o ../src/eap_common/eap_fast_common.o
> ../src/eap_peer/eap_pax.o ../src/eap_common/eap_pax_common.o
> ../src/eap_peer/eap_sake.o ../src/eap_common/eap_sake_common.o
> ../src/eap_peer/eap_gpsk.o ../src/eap_common/eap_gpsk_common.o
> ../src/eap_peer/eap_ikev2.o ../src/eap_peer/ikev2.o
> ../src/eap_common/eap_ikev2_common.o ../src/eap_common/ikev2_common.o
> ../src/eapol_supp/eapol_supp_sm.o ../src/eap_peer/eap.o
> ../src/eap_peer/eap_methods.o ../src/utils/pcsc_funcs.o
> ../src/crypto/ms_funcs.o ../src/eap_common/chap.o
> ../src/eap_peer/eap_tls_common.o ../src/crypto/tls_openssl.o
> ../src/crypto/crypto_openssl.o ../src/crypto/fips_prf_openssl.o
> ../src/crypto/aes-eax.o ../src/crypto/aes-ctr.o ../src/crypto/aes-encblock.o
> ../src/crypto/aes-omac1.o ../src/crypto/sha256-prf.o
> ../src/crypto/sha256-tlsprf.o ../src/crypto/dh_groups.o ../src/crypto/random.o
> ctrl_iface.o ctrl_iface_unix.o ../src/utils/base64.o
> ../src/common/ieee802_11_common.o ../src/common/hw_features_common.o
> ../src/eap_common/eap_common.o ../src/crypto/sha1-prf.o
> ../src/crypto/sha1-tprf.o ../src/crypto/sha1-tlsprf.o
> ../src/drivers/driver_common.o wpa_supplicant.o events.o blacklist.o
> wpas_glue.o scan.o main.o ../src/drivers/driver_wired.o
> ../src/drivers/driver_openbsd.o ../src/drivers/drivers.o
> ../src/l2_packet/l2_packet_freebsd.o -L/usr/local/lib -lpcap -lpcsclite
> -lpthread -lssl -lcrypto
> ../src/utils/os_unix.o: In function `os_random':
> os_unix.c:(.text+0x4f1): warning: warning: random() may return deterministic
> values, is that what you want?
> /usr/local/lib/libpcsclite.so.1.0: warning: warning: strcpy() is almost
> always misused, please use strlcpy()
> /usr/local/lib/libpcsclite.so.1.0: warning: warning: rand() may return
> deterministic values, is that what you want?
> ../src/crypto/tls_openssl.o: In function `tls_sess_sec_cb':
> tls_openssl.c:(.text+0x4a1): undefined reference to `SSL_get_client_random'
> tls_openssl.c:(.text+0x4b3): undefined reference to `SSL_get_server_random'
> ../src/crypto/tls_openssl.o: In function `tls_parse_pkcs12':
> tls_openssl.c:(.text+0x75b): undefined reference to `SSL_clear_chain_certs'
> tls_openssl.c:(.text+0x7ad): undefined reference to `SSL_add1_chain_cert'
> ../src/crypto/tls_openssl.o: In function `tls_connection_get_random':
> tls_openssl.c:(.text+0x1569): undefined reference to `SSL_get_client_random'
> tls_openssl.c:(.text+0x1589): undefined reference to `SSL_get_server_random'
> ../src/crypto/tls_openssl.o: In function `tls_connection_set_cipher_list':
> tls_openssl.c:(.text+0x32d4): undefined reference to `SSL_set_security_level'
> tls_openssl.c:(.text+0x332a): undefined reference to `SSL_get_security_level'
> tls_openssl.c:(.text+0x333c): undefined reference to `SSL_set_security_level'
> ../src/crypto/tls_openssl.o: In function `openssl_tls_prf':
> tls_openssl.c:(.text+0x3961): undefined reference to `SSL_get_client_random'
> tls_openssl.c:(.text+0x397d): undefined reference to `SSL_get_server_random'
> tls_openssl.c:(.text+0x3991): undefined reference to
> `SSL_SESSION_get_master_key'
> tls_openssl.c:(.text+0x3b6c): undefined reference to
> `SSL_CIPHER_get_cipher_nid'
> tls_openssl.c:(.text+0x3b7a): undefined reference to
> `SSL_CIPHER_get_digest_nid'
> collect2: ld returned 1 exit status
> Makefile:1663: recipe for target 'wpa_supplicant' failed
> gmake: *** [wpa_supplicant] Error 1

OpenSSL 1.1 API.

These are guarded by OPENSSL_VERSION_NUMBER >= 0x10100000L checks.
wpa-supplicant doesn't use an autoconf-like mechanism, so you can't
reasonably add checks that the specific functions exist; the only
sensible option is to change these to something like

#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION)

Similar for < 0x10100000L || defined(LIBRESSL_VERSION).
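
One way to apply the guard change suggested above to every version test in a file, as an added example that is not part of the thread or of wpa_supplicant. It assumes LIBRESSL_VERSION_NUMBER (the macro LibreSSL's opensslv.h defines) as the detection macro, overridable through the hypothetical LIBRE_MACRO variable, and it runs on a constructed sample rather than on tls_openssl.c.

```shell
#!/bin/sh
# Added example. LibreSSL's opensslv.h sets OPENSSL_VERSION_NUMBER to
# 0x20000000L, so a bare ">= 0x10100000L" test selects the OpenSSL 1.1 API.
# Assumption: LibreSSL is detected through LIBRESSL_VERSION_NUMBER.
LIBRE_MACRO=${LIBRE_MACRO:-LIBRESSL_VERSION_NUMBER}

# write_sample FILE: constructed input, not taken from tls_openssl.c.
write_sample() {
    cat > "$1" <<'EOF'
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
	/* 1.1 API, e.g. SSL_get_client_random() */
#else
	/* pre-1.1 code path */
#endif
#if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(OPENSSL_IS_BORINGSSL)
	/* pre-1.1 code path inside a compound condition */
#endif
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
	/* already qualified, must stay untouched */
#endif
EOF
}

# count_unguarded FILE: #if/#elif lines that test the 1.1 boundary without
# mentioning LibreSSL at all.
count_unguarded() {
    awk '/^[ \t]*#[ \t]*(if|elif)/ &&
         /OPENSSL_VERSION_NUMBER[ \t]*(>=|<)[ \t]*0x10100000L/ &&
         !/LIBRESSL/ { n++ } END { print n + 0 }' "$1"
}

# fix_guards FILE: print FILE with each unqualified test rewritten. The result
# is parenthesised so it stays correct when other conditions follow it.
fix_guards() {
    sed -E "/^[[:space:]]*#[[:space:]]*(if|elif)/{
/LIBRESSL/!{
s/OPENSSL_VERSION_NUMBER[[:space:]]*>=[[:space:]]*0x10100000L/(& \&\& !defined($LIBRE_MACRO))/g
s/OPENSSL_VERSION_NUMBER[[:space:]]*<[[:space:]]*0x10100000L/(& || defined($LIBRE_MACRO))/g
}
}" "$1"
}

# Demo on the constructed sample.
tmp=$(mktemp) && write_sample "$tmp"
echo "unqualified guards before: $(count_unguarded "$tmp")"
fix_guards "$tmp"
rm -f "$tmp"
```

Running count_unguarded over the patched tree after each upstream update shows whether a new release has added version tests that need the same treatment.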