Bug#828594: virtuoso-opensource: FTBFS with openssl 1.1.0

2016-09-20 Thread Sebastian Andrzej Siewior
control: tags -1 patch
control: forwarded -1 https://github.com/openlink/virtuoso-opensource/pull/583

On 2016-09-10 17:39:04 [+0200], Kurt Roeckx wrote:
> You already had to include that file to get it working, and that seems to be
> a message form 2001.  So you really can't say they haven't been warned.

okay.

> > That part where I replaced d2i_ASN1_BOOLEAN() looks like
> > they copied it from old openssl code.
> 
> I'm not sure that that code you replaced it with is correct or not.

this makes two people then.

> > @@ -854,16 +857,18 @@ bif_smime_sign (caddr_t * qst, caddr_t * err_ret, 
> > state_slot_t ** args)
> >  }
> >  
> >certs = sk_X509_new_null ();
> > +#if HALP
> >if (store && store->objs)
> >  {
> >for (inx = 0; inx < sk_X509_OBJECT_num (store->objs); inx++)
> > {
> >   X509_OBJECT *obj = sk_X509_OBJECT_value (store->objs, inx);
> > - if (obj->type == X509_LU_X509)
> > + if (X509_OBJECT_get_type(obj) == X509_LU_X509)
> > sk_X509_push (certs, X509_dup (obj->data.x509));
> > }
> >  
> >  }
> > +#endif
> 
> Are you looking for X509_STORE_get0_objects(store) instead of
> store->objs?

correct.

> > @@ -1488,6 +1496,7 @@ bif_get_certificate_info (caddr_t * qst, caddr_t * 
> > err_ret, state_slot_t ** args
> > int n, i, len;
> > char *s, *data_ptr;
> > BIO *mem = BIO_new (BIO_s_mem ());
> > +#if HALP
> > for (i = 0; NULL != subj && i < sk_X509_NAME_ENTRY_num(subj->entries); 
> > i++)
> >   {
> > ne = sk_X509_NAME_ENTRY_value(subj->entries,i);
> 
> I think you're looking for:
> for (i = 0; NULL != subj && i < X509_NAME_entry_count(subj); i++)
> {
> X509_NAME_ENTRY *ne = X509_NAME_get_entry(subj, i);
> 
exactly. Thank you.

The attached patch should contain these changes. I also forward-ported it to
their latest develop branch and created a pull request.

> 
> Kurt

Sebastian
>From 823092cccbd8e2ab9bfad6c3d3df791a7ffa76fc Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior 
Date: Mon, 5 Sep 2016 10:49:54 +
Subject: [PATCH] virtuoso-opensource: build against openssl 1.1.0

Signed-off-by: Sebastian Andrzej Siewior 
---
 libsrc/Dk/Dkernel.c  |   6 +-
 libsrc/Wi/bif_crypto.c   | 120 ++
 libsrc/Wi/http.c |   2 +-
 libsrc/Wi/xmlenc.c   | 319 +++
 libsrc/Wi/xmlenc.h   | 193 ++--
 libsrc/Wi/xmlenc_algos.c | 132 +++-
 libsrc/util/sslengine.c  |   6 +-
 7 files changed, 524 insertions(+), 254 deletions(-)

diff --git a/libsrc/Dk/Dkernel.c b/libsrc/Dk/Dkernel.c
index c8dfbf7..82c77cb 100644
--- a/libsrc/Dk/Dkernel.c
+++ b/libsrc/Dk/Dkernel.c
@@ -4930,7 +4930,11 @@ ssl_server_init ()
 # if (OPENSSL_VERSION_NUMBER >= 0x00908000L)
   SSL_library_init ();
 # endif
-  SSLeay_add_all_algorithms ();
+#if OPENSSL_VERSION_NUMBER < 0x1010
+  SSLeay_add_all_algorithms();
+#else
+  OpenSSL_add_all_algorithms();
+#endif
   PKCS12_PBE_add ();		/* stub */
 
 #ifdef NO_THREAD
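Review bot: The guard `#if OPENSSL_VERSION_NUMBER < 0x1010` in ssl_server_init() can never be true, because OPENSSL_VERSION_NUMBER is a full-width value (the neighbouring check in this hunk compares against `0x00908000L`), so the `SSLeay_add_all_algorithms()` branch is dead code. Write the constant in full, `#if OPENSSL_VERSION_NUMBER < 0x10100000L`, or drop the conditional and call `OpenSSL_add_all_algorithms()` unconditionally, which older releases also provide as far as I know. The same guard is in the Dkernel.c hunk of the earlier revision of this patch further down the page. ssl_server_init's body starts and ends outside the hunk.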
diff --git a/libsrc/Wi/bif_crypto.c b/libsrc/Wi/bif_crypto.c
index c759d11..3bfc588 100644
--- a/libsrc/Wi/bif_crypto.c
+++ b/libsrc/Wi/bif_crypto.c
@@ -181,21 +181,26 @@ box_hmac (caddr_t box, caddr_t key, int alg)
   unsigned char temp[EVP_MAX_MD_SIZE];
   unsigned int size = 0;
   caddr_t res = NULL;
-  HMAC_CTX ctx;
+  HMAC_CTX *ctx;
   const EVP_MD *md = EVP_sha1 ();
 
   if (alg == 1)
 md = EVP_ripemd160 ();
 
-  HMAC_Init (, key, box_length (key) - DV_STRINGP (key) ? 1 : 0, md);
-  box_hmac_1 (box, );
-  HMAC_Final (, temp, );
+  ctx = HMAC_CTX_new();
+  if (!ctx)
+	  return res;
+
+  HMAC_Init_ex (ctx, key, box_length (key) - DV_STRINGP (key) ? 1 : 0, md, NULL);
+  box_hmac_1 (box, ctx);
+  HMAC_Final (ctx, temp, );
   if (size)
 {
   res = dk_alloc_box (size + 1, DV_SHORT_STRING);
   memcpy (res, temp, size);
   res[size] = 0;
 }
+  HMAC_CTX_free(ctx);
   return res;
 }
 
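Review bot: The key-length argument on the new `HMAC_Init_ex` line, `box_length (key) - DV_STRINGP (key) ? 1 : 0`, parses as `(box_length (key) - DV_STRINGP (key)) ? 1 : 0`, so the HMAC is keyed with at most one byte of `key`; the expression is carried over unchanged from the removed `HMAC_Init` call. Parenthesise the conditional, `box_length (key) - (DV_STRINGP (key) ? 1 : 0)`, and check the `HMAC_Init_ex` return value, freeing `ctx` on failure, before calling `box_hmac_1`. Correcting the length changes every digest box_hmac() returns, so any value persisted or compared elsewhere would need to be recomputed; that deserves a comment at this call. The box_hmac hunk in the earlier revision of the patch further down the page carries the same line.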
@@ -347,14 +352,12 @@ asn1_parse_to_xml (BIO * bp, unsigned char **pp, long length, int offset, int de
 	{
 	  int ii;
 
-	  opp = op;
-	  ii = d2i_ASN1_BOOLEAN (NULL, , len + hl);
-	  if (ii < 0)
+	  if (len + hl < 1)
 		{
 		  if (BIO_write (bp, "Bad boolean\n", 12))
 		goto end;
 		}
-	  BIO_printf (bp, "%d", ii);
+	  BIO_printf (bp, "%d", p[0]);
 	}
 	  else if (tag == V_ASN1_BMPSTRING)
 	{
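Review bot: The replacement BOOLEAN branch in asn1_parse_to_xml() prints `p[0]` without establishing that a content octet exists: `len + hl < 1` adds the header length and so presumably never fires, and when the "Bad boolean" `BIO_write` returns 0 control still falls through to the `BIO_printf`. For untrusted DER with a zero-length BOOLEAN this looks like a one-byte read past the element; test the content length instead, `if (len != 1)`, and print only on the good path, `else BIO_printf (bp, "%d", p[0]);`. The local `ii` is left declared but unused. How `p`, `len` and `hl` are set lies outside the hunk, so confirm that `p` points at the content octets here; the same change appears in the earlier revision of the patch further down the page.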
@@ -415,7 +418,7 @@ asn1_parse_to_xml (BIO * bp, unsigned char **pp, long length, int offset, int de
 		}
 	  if (os != NULL)
 		{
-		  M_ASN1_OCTET_STRING_free (os);
+		  ASN1_STRING_free (os);
 		  os = NULL;
 		}
 	}
@@ -448,7 +451,7 @@ asn1_parse_to_xml (BIO * bp, unsigned char **pp, long length, int offset, int de
 		  if (BIO_write (bp, "BAD INTEGER", 11) <= 0)
 		goto end;
 		}
-	  M_ASN1_INTEGER_free (bs);
+	  ASN1_STRING_free (bs);
 	}
 	  else if (tag == V_ASN1_ENUMERATED)
 	{
@@ -479,7 +482,7 

Processed: Re: Bug#828594: virtuoso-opensource: FTBFS with openssl 1.1.0

2016-09-20 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 patch
Bug #828594 [src:virtuoso-opensource] virtuoso-opensource: FTBFS with openssl 
1.1.0
Added tag(s) patch.
> forwarded -1 https://github.com/openlink/virtuoso-opensource/pull/583
Bug #828594 [src:virtuoso-opensource] virtuoso-opensource: FTBFS with openssl 
1.1.0
Set Bug forwarded-to-address to 
'https://github.com/openlink/virtuoso-opensource/pull/583'.

-- 
828594: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828594
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#828594: virtuoso-opensource: FTBFS with openssl 1.1.0

2016-09-10 Thread Kurt Roeckx
On Mon, Sep 05, 2016 at 10:02:43PM +0200, Sebastian Andrzej Siewior wrote:
> On 2016-06-26 12:24:41 [+0200], Kurt Roeckx wrote:
> > If you have problems making things work, feel free to contact us.
> 
> The patch attached fixes most of it.
> There are a few des ⇾ DES conversations like des_cblock ⇾ DES_cblock or
> des_key_schedule ⇾ DES_key_schedule or des_ede3_cbc_encrypt ⇾
> DESede3_cbc_encrypt which I hope are okay.

des_old.h has been removed.  Replacing des_ by DES_ will probably
work in most case.  It used to contain:

* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
*
* The function names in here are deprecated and are only present to
* provide an interface compatible with openssl 0.9.6 and older as
* well as libdes.  OpenSSL now provides functions where "des_" has
* been replaced with "DES_" in the names, to make it possible to
* make incompatible changes that are needed for C type security and
* other stuff.
*
* This include files has two compatibility modes:
*
*   - If OPENSSL_DES_LIBDES_COMPATIBILITY is defined, you get an API
* that is compatible with libdes and SSLeay.
*   - If OPENSSL_DES_LIBDES_COMPATIBILITY isn't defined, you get an
* API that is compatible with OpenSSL 0.9.5x to 0.9.6x.
*
* Note that these modes break earlier snapshots of OpenSSL, where
* libdes compatibility was the only available mode or (later on) the
* prefered compatibility mode.  However, after much consideration
* (and more or less violent discussions with external parties), it
* was concluded that OpenSSL should be compatible with earlier versions
* of itself before anything else.  Also, in all honesty, libdes is
* an old beast that shouldn't really be used any more.
*
* Please consider starting to use the DES_ functions rather than the
* des_ ones.  The des_ functions will disappear completely before
* OpenSSL 1.0!
*
* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
[...]
#  define des_ede3_cbc_encrypt(i,o,l,k1,k2,k3,iv,e)\
DES_ede3_cbc_encrypt((i),(o),(l),&(k1),&(k2),&(k3),(iv),(e))

You already had to include that file to get it working, and that seems to be
a message from 2001.  So you really can't say they haven't been warned.

> There are M_ASN1_INTEGER_free ??? ASN1_STRING_free which I also hope that
> those are okay.

# define M_ASN1_INTEGER_free(a)  ASN1_STRING_free((ASN1_STRING *)a)

So that looks fine.

> That part where I replaced d2i_ASN1_BOOLEAN() looks like
> they copied it from old openssl code.

I'm not sure that that code you replaced it with is correct or not.


> @@ -854,16 +857,18 @@ bif_smime_sign (caddr_t * qst, caddr_t * err_ret, 
> state_slot_t ** args)
>  }
>  
>certs = sk_X509_new_null ();
> +#if HALP
>if (store && store->objs)
>  {
>for (inx = 0; inx < sk_X509_OBJECT_num (store->objs); inx++)
>   {
> X509_OBJECT *obj = sk_X509_OBJECT_value (store->objs, inx);
> -   if (obj->type == X509_LU_X509)
> +   if (X509_OBJECT_get_type(obj) == X509_LU_X509)
>   sk_X509_push (certs, X509_dup (obj->data.x509));
>   }
>  
>  }
> +#endif

Are you looking for X509_STORE_get0_objects(store) instead of
store->objs?

> @@ -1488,6 +1496,7 @@ bif_get_certificate_info (caddr_t * qst, caddr_t * 
> err_ret, state_slot_t ** args
>   int n, i, len;
>   char *s, *data_ptr;
>   BIO *mem = BIO_new (BIO_s_mem ());
> +#if HALP
>   for (i = 0; NULL != subj && i < sk_X509_NAME_ENTRY_num(subj->entries); 
> i++)
> {
>   ne = sk_X509_NAME_ENTRY_value(subj->entries,i);

I think you're looking for:
for (i = 0; NULL != subj && i < X509_NAME_entry_count(subj); i++)
{
X509_NAME_ENTRY *ne = X509_NAME_get_entry(subj, i);



Kurt



Bug#828594: virtuoso-opensource: FTBFS with openssl 1.1.0

2016-09-05 Thread Kurt Roeckx
On Mon, Sep 05, 2016 at 10:02:43PM +0200, Sebastian Andrzej Siewior wrote:
> On 2016-06-26 12:24:41 [+0200], Kurt Roeckx wrote:
> > If you have problems making things work, feel free to contact us.
> 
> The patch attached fixes most of it.
> There are a few des ⇾ DES conversations like des_cblock ⇾ DES_cblock or
> des_key_schedule ⇾ DES_key_schedule or des_ede3_cbc_encrypt ⇾
> DESede3_cbc_encrypt which I hope are okay.
> There are M_ASN1_INTEGER_free ⇾ ASN1_STRING_free which I also hope that
> those are okay. That part where I replaced d2i_ASN1_BOOLEAN() looks like
> they copied it from old openssl code.
> There are a few #if HALP blocks which I simply don't know what should
> happen in there. If HALP is turned into 0 then it compiles.

I'll try to take a look at it soon.


Kurt



Bug#828594: virtuoso-opensource: FTBFS with openssl 1.1.0

2016-09-05 Thread Sebastian Andrzej Siewior
On 2016-06-26 12:24:41 [+0200], Kurt Roeckx wrote:
> If you have problems making things work, feel free to contact us.

The patch attached fixes most of it.
There are a few des ⇾ DES conversions like des_cblock ⇾ DES_cblock or
des_key_schedule ⇾ DES_key_schedule or des_ede3_cbc_encrypt ⇾
DES_ede3_cbc_encrypt which I hope are okay.
There are M_ASN1_INTEGER_free ⇾ ASN1_STRING_free which I also hope that
those are okay. That part where I replaced d2i_ASN1_BOOLEAN() looks like
they copied it from old openssl code.
There are a few #if HALP blocks which I simply don't know what should
happen in there. If HALP is turned into 0 then it compiles.

> Kurt
Sebastian
>From 58fa4e5de620b90fca7c2366a130ec73d0aee0f0 Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior 
Date: Mon, 5 Sep 2016 10:49:54 +
Subject: [PATCH] virtuoso-opensource: build against openssl 1.1.0

Signed-off-by: Sebastian Andrzej Siewior 
---
 libsrc/Dk/Dkernel.c  |   6 +-
 libsrc/Wi/bif_crypto.c   |  80 +++-
 libsrc/Wi/http.c |   2 +-
 libsrc/Wi/xmlenc.c   | 319 +++
 libsrc/Wi/xmlenc.h   | 176 --
 libsrc/Wi/xmlenc_algos.c | 132 +++-
 libsrc/util/sslengine.c  |   6 +-
 7 files changed, 485 insertions(+), 236 deletions(-)

diff --git a/libsrc/Dk/Dkernel.c b/libsrc/Dk/Dkernel.c
index c8dfbf7..82c77cb 100644
--- a/libsrc/Dk/Dkernel.c
+++ b/libsrc/Dk/Dkernel.c
@@ -4930,7 +4930,11 @@ ssl_server_init ()
 # if (OPENSSL_VERSION_NUMBER >= 0x00908000L)
   SSL_library_init ();
 # endif
-  SSLeay_add_all_algorithms ();
+#if OPENSSL_VERSION_NUMBER < 0x1010
+  SSLeay_add_all_algorithms();
+#else
+  OpenSSL_add_all_algorithms();
+#endif
   PKCS12_PBE_add ();		/* stub */
 
 #ifdef NO_THREAD
diff --git a/libsrc/Wi/bif_crypto.c b/libsrc/Wi/bif_crypto.c
index c759d11..23c676b 100644
--- a/libsrc/Wi/bif_crypto.c
+++ b/libsrc/Wi/bif_crypto.c
@@ -181,21 +181,26 @@ box_hmac (caddr_t box, caddr_t key, int alg)
   unsigned char temp[EVP_MAX_MD_SIZE];
   unsigned int size = 0;
   caddr_t res = NULL;
-  HMAC_CTX ctx;
+  HMAC_CTX *ctx;
   const EVP_MD *md = EVP_sha1 ();
 
   if (alg == 1)
 md = EVP_ripemd160 ();
 
-  HMAC_Init (, key, box_length (key) - DV_STRINGP (key) ? 1 : 0, md);
-  box_hmac_1 (box, );
-  HMAC_Final (, temp, );
+  ctx = HMAC_CTX_new();
+  if (!ctx)
+	  return res;
+
+  HMAC_Init_ex (ctx, key, box_length (key) - DV_STRINGP (key) ? 1 : 0, md, NULL);
+  box_hmac_1 (box, ctx);
+  HMAC_Final (ctx, temp, );
   if (size)
 {
   res = dk_alloc_box (size + 1, DV_SHORT_STRING);
   memcpy (res, temp, size);
   res[size] = 0;
 }
+  HMAC_CTX_free(ctx);
   return res;
 }
 
@@ -347,14 +352,12 @@ asn1_parse_to_xml (BIO * bp, unsigned char **pp, long length, int offset, int de
 	{
 	  int ii;
 
-	  opp = op;
-	  ii = d2i_ASN1_BOOLEAN (NULL, , len + hl);
-	  if (ii < 0)
+	  if (len + hl < 1)
 		{
 		  if (BIO_write (bp, "Bad boolean\n", 12))
 		goto end;
 		}
-	  BIO_printf (bp, "%d", ii);
+	  BIO_printf (bp, "%d", p[0]);
 	}
 	  else if (tag == V_ASN1_BMPSTRING)
 	{
@@ -415,7 +418,7 @@ asn1_parse_to_xml (BIO * bp, unsigned char **pp, long length, int offset, int de
 		}
 	  if (os != NULL)
 		{
-		  M_ASN1_OCTET_STRING_free (os);
+		  ASN1_STRING_free (os);
 		  os = NULL;
 		}
 	}
@@ -448,7 +451,7 @@ asn1_parse_to_xml (BIO * bp, unsigned char **pp, long length, int offset, int de
 		  if (BIO_write (bp, "BAD INTEGER", 11) <= 0)
 		goto end;
 		}
-	  M_ASN1_INTEGER_free (bs);
+	  ASN1_STRING_free (bs);
 	}
 	  else if (tag == V_ASN1_ENUMERATED)
 	{
@@ -479,7 +482,7 @@ asn1_parse_to_xml (BIO * bp, unsigned char **pp, long length, int offset, int de
 		  if (BIO_write (bp, "BAD ENUMERATED", 11) <= 0)
 		goto end;
 		}
-	  M_ASN1_ENUMERATED_free (bs);
+	  ASN1_STRING_free (bs);
 	}
 	  else if (len > 0 && dump)
 	{
@@ -515,7 +518,7 @@ end:
   if (o != NULL)
 ASN1_OBJECT_free (o);
   if (os != NULL)
-M_ASN1_OCTET_STRING_free (os);
+ASN1_STRING_free (os);
   *pp = p;
   return (ret);
 }
@@ -854,16 +857,18 @@ bif_smime_sign (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args)
 }
 
   certs = sk_X509_new_null ();
+#if HALP
   if (store && store->objs)
 {
   for (inx = 0; inx < sk_X509_OBJECT_num (store->objs); inx++)
 	{
 	  X509_OBJECT *obj = sk_X509_OBJECT_value (store->objs, inx);
-	  if (obj->type == X509_LU_X509)
+	  if (X509_OBJECT_get_type(obj) == X509_LU_X509)
 	sk_X509_push (certs, X509_dup (obj->data.x509));
 	}
 
 }
+#endif
   if (store)
 X509_STORE_free (store);
   in_bio = BIO_new_mem_buf (msg, box_length (msg) - 1);
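Review bot: With `HALP` undefined, `#if HALP` evaluates to 0 and the loop that copies the store's certificates into `certs` is compiled out, so bif_smime_sign() would presumably hand an empty extra-certificate stack to the signing call and verifiers may be unable to build the chain; the port should not ship with this block disabled. Inside the block, `obj->data.x509` still reaches into the now-opaque X509_OBJECT; use the accessor, `X509 *x = X509_OBJECT_get0_X509 (obj);`, and check the `X509_dup` result before `sk_X509_push` so a failed copy does not put NULL on the stack. The bif_smime_encrypt hunk that follows opens the same `#if HALP` block but is cut off on this page. bif_smime_sign's body starts and ends outside the hunk.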
@@ -935,6 +940,7 @@ bif_smime_encrypt (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args)
 sqlr_new_error ("42000", "CR006", "No recipient certificates");
 
   certs = sk_X509_new_null ();
+#if HALP
   if (store && 

Bug#828594: virtuoso-opensource: FTBFS with openssl 1.1.0

2016-06-26 Thread Kurt Roeckx
Source: virtuoso-opensource
Version: 6.1.6+dfsg2-3
Severity: important
Control: block 827061 by -1

Hi,

OpenSSL 1.1.0 is about to be released.  During a rebuild of all packages using
OpenSSL this package fails to build.  A log of that build can be found at:
https://breakpoint.cc/openssl-1.1-rebuild-2016-05-29/Attempted/virtuoso-opensource_6.1.6+dfsg2-3_amd64-20160529-1549

On https://wiki.openssl.org/index.php/1.1_API_Changes you can see various of the
reasons why it might fail.  There are also updated man pages at
https://www.openssl.org/docs/manmaster/ that should contain useful information.

There is a libssl-dev package available in experimental that contains a recent
snapshot, I suggest you try building against that to see if everything works.

If you have problems making things work, feel free to contact us.


Kurt