Bug#828594: virtuoso-opensource: FTBFS with openssl 1.1.0
control: tags -1 patch control: forwarded -1 https://github.com/openlink/virtuoso-opensource/pull/583 On 2016-09-10 17:39:04 [+0200], Kurt Roeckx wrote: > You already had to include that file to get it working, and that seems to be > a message from 2001. So you really can't say they haven't been warned. okay. > > That part where I replaced d2i_ASN1_BOOLEAN() looks like > > they copied it from old openssl code. > > I'm not sure that that code you replaced it with is correct or not. this makes two people then. > > @@ -854,16 +857,18 @@ bif_smime_sign (caddr_t * qst, caddr_t * err_ret, > > state_slot_t ** args) > > } > > > >certs = sk_X509_new_null (); > > +#if HALP > >if (store && store->objs) > > { > >for (inx = 0; inx < sk_X509_OBJECT_num (store->objs); inx++) > > { > > X509_OBJECT *obj = sk_X509_OBJECT_value (store->objs, inx); > > - if (obj->type == X509_LU_X509) > > + if (X509_OBJECT_get_type(obj) == X509_LU_X509) > > sk_X509_push (certs, X509_dup (obj->data.x509)); > > } > > > > } > > +#endif > > Are you looking for X509_STORE_get0_objects(store) instead of > store->objs? correct. > > @@ -1488,6 +1496,7 @@ bif_get_certificate_info (caddr_t * qst, caddr_t * > > err_ret, state_slot_t ** args > > int n, i, len; > > char *s, *data_ptr; > > BIO *mem = BIO_new (BIO_s_mem ()); > > +#if HALP > > for (i = 0; NULL != subj && i < sk_X509_NAME_ENTRY_num(subj->entries); > > i++) > > { > > ne = sk_X509_NAME_ENTRY_value(subj->entries,i); > > I think you're looking for: > for (i = 0; NULL != subj && i < X509_NAME_entry_count(subj); i++) > { > X509_NAME_ENTRY *ne = X509_NAME_get_entry(subj, i); > exactly. Thank you. The patch attached should contain the changes. And I forward-ported it to their latest develop branch and created a pull request. > > Kurt Sebastian From 823092cccbd8e2ab9bfad6c3d3df791a7ffa76fc Mon Sep 17 00:00:00 2001 From: Sebastian Andrzej Siewior Date: Mon, 5 Sep 2016 10:49:54 + Subject: [PATCH] virtuoso-opensource: build against openssl 1.1.0 
Signed-off-by: Sebastian Andrzej Siewior --- libsrc/Dk/Dkernel.c | 6 +- libsrc/Wi/bif_crypto.c | 120 ++ libsrc/Wi/http.c | 2 +- libsrc/Wi/xmlenc.c | 319 +++ libsrc/Wi/xmlenc.h | 193 ++-- libsrc/Wi/xmlenc_algos.c | 132 +++- libsrc/util/sslengine.c | 6 +- 7 files changed, 524 insertions(+), 254 deletions(-) diff --git a/libsrc/Dk/Dkernel.c b/libsrc/Dk/Dkernel.c index c8dfbf7..82c77cb 100644 --- a/libsrc/Dk/Dkernel.c +++ b/libsrc/Dk/Dkernel.c @@ -4930,7 +4930,11 @@ ssl_server_init () # if (OPENSSL_VERSION_NUMBER >= 0x00908000L) SSL_library_init (); # endif - SSLeay_add_all_algorithms (); +#if OPENSSL_VERSION_NUMBER < 0x1010 + SSLeay_add_all_algorithms(); +#else + OpenSSL_add_all_algorithms(); +#endif PKCS12_PBE_add (); /* stub */ #ifdef NO_THREAD diff --git a/libsrc/Wi/bif_crypto.c b/libsrc/Wi/bif_crypto.c index c759d11..3bfc588 100644 --- a/libsrc/Wi/bif_crypto.c +++ b/libsrc/Wi/bif_crypto.c @@ -181,21 +181,26 @@ box_hmac (caddr_t box, caddr_t key, int alg) unsigned char temp[EVP_MAX_MD_SIZE]; unsigned int size = 0; caddr_t res = NULL; - HMAC_CTX ctx; + HMAC_CTX *ctx; const EVP_MD *md = EVP_sha1 (); if (alg == 1) md = EVP_ripemd160 (); - HMAC_Init (, key, box_length (key) - DV_STRINGP (key) ? 1 : 0, md); - box_hmac_1 (box, ); - HMAC_Final (, temp, ); + ctx = HMAC_CTX_new(); + if (!ctx) + return res; + + HMAC_Init_ex (ctx, key, box_length (key) - DV_STRINGP (key) ? 1 : 0, md, NULL); + box_hmac_1 (box, ctx); + HMAC_Final (ctx, temp, ); if (size) { res = dk_alloc_box (size + 1, DV_SHORT_STRING); memcpy (res, temp, size); res[size] = 0; } + HMAC_CTX_free(ctx); return res; } @@ -347,14 +352,12 @@ asn1_parse_to_xml (BIO * bp, unsigned char **pp, long length, int offset, int de { int ii; - opp = op; - ii = d2i_ASN1_BOOLEAN (NULL, , len + hl); - if (ii < 0) + if (len + hl < 1) { if (BIO_write (bp, "Bad boolean\n", 12)) goto end; } - BIO_printf (bp, "%d", ii); + BIO_printf (bp, "%d", p[0]); } else if (tag == V_ASN1_BMPSTRING) { 
@@ -415,7 +418,7 @@ asn1_parse_to_xml (BIO * bp, unsigned char **pp, long length, int offset, int de } if (os != NULL) { - M_ASN1_OCTET_STRING_free (os); + ASN1_STRING_free (os); os = NULL; } } @@ -448,7 +451,7 @@ asn1_parse_to_xml (BIO * bp, unsigned char **pp, long length, int offset, int de if (BIO_write (bp, "BAD INTEGER", 11) <= 0) goto end; } - M_ASN1_INTEGER_free (bs); + ASN1_STRING_free (bs); } else if (tag == V_ASN1_ENUMERATED) { @@ -479,7 +482,7
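Review bot: the guard "#if OPENSSL_VERSION_NUMBER < 0x1010" in the ssl_server_init hunk (libsrc/Dk/Dkernel.c) can never be true, because the version macro uses the eight-digit form seen a few lines above it (0x00908000L), so every release compares greater than 0x1010 and the SSLeay_add_all_algorithms() branch is dead. Either write the threshold as 0x10100000L or drop the conditional and call OpenSSL_add_all_algorithms() unconditionally, which is what every build ends up doing with this guard anyway.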
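Review bot: the key-length argument of HMAC_Init_ex() in the box_hmac hunk (libsrc/Wi/bif_crypto.c), "box_length (key) - DV_STRINGP (key) ? 1 : 0", is carried over unchanged from the removed HMAC_Init() line and parses as (box_length (key) - DV_STRINGP (key)) ? 1 : 0, so the HMAC is keyed with a length of 0 or 1 instead of the length of the key. Parenthesise the conditional, "box_length (key) - (DV_STRINGP (key) ? 1 : 0)", and since HMAC_Init_ex() returns a status, check it and call HMAC_CTX_free(ctx) on failure instead of continuing to HMAC_Final().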
Processed: Re: Bug#828594: virtuoso-opensource: FTBFS with openssl 1.1.0
Processing control commands:

> tags -1 patch
Bug #828594 [src:virtuoso-opensource] virtuoso-opensource: FTBFS with openssl 1.1.0
Added tag(s) patch.
> forwarded -1 https://github.com/openlink/virtuoso-opensource/pull/583
Bug #828594 [src:virtuoso-opensource] virtuoso-opensource: FTBFS with openssl 1.1.0
Set Bug forwarded-to-address to 'https://github.com/openlink/virtuoso-opensource/pull/583'.

--
828594: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828594
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#828594: virtuoso-opensource: FTBFS with openssl 1.1.0
On Mon, Sep 05, 2016 at 10:02:43PM +0200, Sebastian Andrzej Siewior wrote:
> On 2016-06-26 12:24:41 [+0200], Kurt Roeckx wrote:
> > If you have problems making things work, feel free to contact us.
>
> The patch attached fixes most of it.
> There are a few des ⇾ DES conversations like des_cblock ⇾ DES_cblock or
> des_key_schedule ⇾ DES_key_schedule or des_ede3_cbc_encrypt ⇾
> DESede3_cbc_encrypt which I hope are okay.

des_old.h has been removed. Replacing des_ by DES_ will probably work in most cases. It used to contain:

 * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
 *
 * The function names in here are deprecated and are only present to
 * provide an interface compatible with openssl 0.9.6 and older as
 * well as libdes. OpenSSL now provides functions where "des_" has
 * been replaced with "DES_" in the names, to make it possible to
 * make incompatible changes that are needed for C type security and
 * other stuff.
 *
 * This include files has two compatibility modes:
 *
 * - If OPENSSL_DES_LIBDES_COMPATIBILITY is defined, you get an API
 * that is compatible with libdes and SSLeay.
 * - If OPENSSL_DES_LIBDES_COMPATIBILITY isn't defined, you get an
 * API that is compatible with OpenSSL 0.9.5x to 0.9.6x.
 *
 * Note that these modes break earlier snapshots of OpenSSL, where
 * libdes compatibility was the only available mode or (later on) the
 * prefered compatibility mode. However, after much consideration
 * (and more or less violent discussions with external parties), it
 * was concluded that OpenSSL should be compatible with earlier versions
 * of itself before anything else. Also, in all honesty, libdes is
 * an old beast that shouldn't really be used any more.
 *
 * Please consider starting to use the DES_ functions rather than the
 * des_ ones. The des_ functions will disappear completely before
 * OpenSSL 1.0!
 *
 * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
[...]
# define des_ede3_cbc_encrypt(i,o,l,k1,k2,k3,iv,e)\ DES_ede3_cbc_encrypt((i),(o),(l),&(k1),&(k2),&(k3),(iv),(e)) You already had to include that file to get it working, and that seems to be a message from 2001. So you really can't say they haven't been warned. > There are M_ASN1_INTEGER_free ⇾ ASN1_STRING_free which I also hope that > those are okay. # define M_ASN1_INTEGER_free(a) ASN1_STRING_free((ASN1_STRING *)a) So that looks fine. > That part where I replaced d2i_ASN1_BOOLEAN() looks like > they copied it from old openssl code. I'm not sure that that code you replaced it with is correct or not. > @@ -854,16 +857,18 @@ bif_smime_sign (caddr_t * qst, caddr_t * err_ret, > state_slot_t ** args) > } > >certs = sk_X509_new_null (); > +#if HALP >if (store && store->objs) > { >for (inx = 0; inx < sk_X509_OBJECT_num (store->objs); inx++) > { > X509_OBJECT *obj = sk_X509_OBJECT_value (store->objs, inx); > - if (obj->type == X509_LU_X509) > + if (X509_OBJECT_get_type(obj) == X509_LU_X509) > sk_X509_push (certs, X509_dup (obj->data.x509)); > } > > } > +#endif Are you looking for X509_STORE_get0_objects(store) instead of store->objs? > @@ -1488,6 +1496,7 @@ bif_get_certificate_info (caddr_t * qst, caddr_t * > err_ret, state_slot_t ** args > int n, i, len; > char *s, *data_ptr; > BIO *mem = BIO_new (BIO_s_mem ()); > +#if HALP > for (i = 0; NULL != subj && i < sk_X509_NAME_ENTRY_num(subj->entries); > i++) > { > ne = sk_X509_NAME_ENTRY_value(subj->entries,i); I think you're looking for: for (i = 0; NULL != subj && i < X509_NAME_entry_count(subj); i++) { X509_NAME_ENTRY *ne = X509_NAME_get_entry(subj, i); Kurt
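The checks the removed d2i_ASN1_BOOLEAN() call made before returning a value (BOOLEAN tag, content length of exactly one), set beside the "len + hl < 1" test from the quoted patch, as an added example that is not code from the thread, virtuoso or OpenSSL. boolean_decode, sum_check_accepts and the sample bytes are constructed for illustration, and only short-form lengths are handled.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample encodings (not taken from the thread). */
static const unsigned char BOOL_TRUE[]  = { 0x01, 0x01, 0xff }; /* well-formed  */
static const unsigned char BOOL_EMPTY[] = { 0x01, 0x00 };       /* no content   */
static const unsigned char BOOL_CUT[]   = { 0x01, 0x01 };       /* byte missing */
static const unsigned char NOT_BOOL[]   = { 0x02, 0x01, 0x05 }; /* INTEGER tag  */

/* Hypothetical helper: decode one BOOLEAN element (tag 0x01, short-form
 * length 0x01, one content byte) from buf[0..buflen).
 * Returns the content byte (0..255), or -1 for anything malformed, so the
 * content byte is only read once it is known to lie inside the buffer. */
int boolean_decode(const unsigned char *buf, size_t buflen)
{
    if (buf == NULL || buflen < 2)
        return -1;                 /* tag and length octets not both present */
    if (buf[0] != 0x01)
        return -1;                 /* not a universal, primitive BOOLEAN */
    if (buf[1] != 0x01)
        return -1;                 /* content length must be exactly 1 */
    if (buflen < 3)
        return -1;                 /* header promises a byte the buffer lacks */
    return buf[2];
}

/* The test from the hunk, for comparison: hl is the header length and len
 * the content length. Returns 1 when the element is accepted. */
int sum_check_accepts(long len, long hl)
{
    return !(len + hl < 1);
}

int main(void)
{
    printf("true:      %d\n", boolean_decode(BOOL_TRUE, sizeof BOOL_TRUE));
    printf("empty:     %d\n", boolean_decode(BOOL_EMPTY, sizeof BOOL_EMPTY));
    printf("truncated: %d\n", boolean_decode(BOOL_CUT, sizeof BOOL_CUT));
    printf("integer:   %d\n", boolean_decode(NOT_BOOL, sizeof NOT_BOOL));
    /* len = 0, hl = 2 is the BOOL_EMPTY case: the sum check lets it through. */
    printf("sum check on empty: %d\n", sum_check_accepts(0, 2));
    return 0;
}
```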
Bug#828594: virtuoso-opensource: FTBFS with openssl 1.1.0
On Mon, Sep 05, 2016 at 10:02:43PM +0200, Sebastian Andrzej Siewior wrote:
> On 2016-06-26 12:24:41 [+0200], Kurt Roeckx wrote:
> > If you have problems making things work, feel free to contact us.
>
> The patch attached fixes most of it.
> There are a few des ⇾ DES conversations like des_cblock ⇾ DES_cblock or
> des_key_schedule ⇾ DES_key_schedule or des_ede3_cbc_encrypt ⇾
> DESede3_cbc_encrypt which I hope are okay.
> There are M_ASN1_INTEGER_free ⇾ ASN1_STRING_free which I also hope that
> those are okay. That part where I replaced d2i_ASN1_BOOLEAN() looks like
> they copied it from old openssl code.
> There are a few #if HALP blocks which I simply don't know what should
> happen in there. If HALP is turned into 0 then it compiles.

I'll try to take a look at it soon.

Kurt
Bug#828594: virtuoso-opensource: FTBFS with openssl 1.1.0
On 2016-06-26 12:24:41 [+0200], Kurt Roeckx wrote: > If you have problems making things work, feel free to contact us. The patch attached fixes most of it. There are a few des ⇾ DES conversations like des_cblock ⇾ DES_cblock or des_key_schedule ⇾ DES_key_schedule or des_ede3_cbc_encrypt ⇾ DESede3_cbc_encrypt which I hope are okay. There are M_ASN1_INTEGER_free ⇾ ASN1_STRING_free which I also hope that those are okay. That part where I replaced d2i_ASN1_BOOLEAN() looks like they copied it from old openssl code. There are a few #if HALP blocks which I simply don't know what should happen in there. If HALP is turned into 0 then it compiles. > Kurt Sebastian From 58fa4e5de620b90fca7c2366a130ec73d0aee0f0 Mon Sep 17 00:00:00 2001 From: Sebastian Andrzej Siewior Date: Mon, 5 Sep 2016 10:49:54 + Subject: [PATCH] virtuoso-opensource: build against openssl 1.1.0 Signed-off-by: Sebastian Andrzej Siewior --- libsrc/Dk/Dkernel.c | 6 +- libsrc/Wi/bif_crypto.c | 80 +++- libsrc/Wi/http.c | 2 +- libsrc/Wi/xmlenc.c | 319 +++ libsrc/Wi/xmlenc.h | 176 -- libsrc/Wi/xmlenc_algos.c | 132 +++- libsrc/util/sslengine.c | 6 +- 7 files changed, 485 insertions(+), 236 deletions(-) diff --git a/libsrc/Dk/Dkernel.c b/libsrc/Dk/Dkernel.c index c8dfbf7..82c77cb 100644 --- a/libsrc/Dk/Dkernel.c +++ b/libsrc/Dk/Dkernel.c @@ -4930,7 +4930,11 @@ ssl_server_init () # if (OPENSSL_VERSION_NUMBER >= 0x00908000L) SSL_library_init (); # endif - SSLeay_add_all_algorithms (); +#if OPENSSL_VERSION_NUMBER < 0x1010 + SSLeay_add_all_algorithms(); +#else + OpenSSL_add_all_algorithms(); +#endif PKCS12_PBE_add (); /* stub */ #ifdef NO_THREAD diff --git a/libsrc/Wi/bif_crypto.c b/libsrc/Wi/bif_crypto.c index c759d11..23c676b 100644 --- a/libsrc/Wi/bif_crypto.c +++ b/libsrc/Wi/bif_crypto.c 
@@ -181,21 +181,26 @@ box_hmac (caddr_t box, caddr_t key, int alg) unsigned char temp[EVP_MAX_MD_SIZE]; unsigned int size = 0; caddr_t res = NULL; - HMAC_CTX ctx; + HMAC_CTX *ctx; const EVP_MD *md = EVP_sha1 (); if (alg == 1) md = EVP_ripemd160 (); - HMAC_Init (, key, box_length (key) - DV_STRINGP (key) ? 1 : 0, md); - box_hmac_1 (box, ); - HMAC_Final (, temp, ); + ctx = HMAC_CTX_new(); + if (!ctx) + return res; + + HMAC_Init_ex (ctx, key, box_length (key) - DV_STRINGP (key) ? 1 : 0, md, NULL); + box_hmac_1 (box, ctx); + HMAC_Final (ctx, temp, ); if (size) { res = dk_alloc_box (size + 1, DV_SHORT_STRING); memcpy (res, temp, size); res[size] = 0; } + HMAC_CTX_free(ctx); return res; } @@ -347,14 +352,12 @@ asn1_parse_to_xml (BIO * bp, unsigned char **pp, long length, int offset, int de { int ii; - opp = op; - ii = d2i_ASN1_BOOLEAN (NULL, , len + hl); - if (ii < 0) + if (len + hl < 1) { if (BIO_write (bp, "Bad boolean\n", 12)) goto end; } - BIO_printf (bp, "%d", ii); + BIO_printf (bp, "%d", p[0]); } else if (tag == V_ASN1_BMPSTRING) { @@ -415,7 +418,7 @@ asn1_parse_to_xml (BIO * bp, unsigned char **pp, long length, int offset, int de } if (os != NULL) { - M_ASN1_OCTET_STRING_free (os); + ASN1_STRING_free (os); os = NULL; } } @@ -448,7 +451,7 @@ asn1_parse_to_xml (BIO * bp, unsigned char **pp, long length, int offset, int de if (BIO_write (bp, "BAD INTEGER", 11) <= 0) goto end; } - M_ASN1_INTEGER_free (bs); + ASN1_STRING_free (bs); } else if (tag == V_ASN1_ENUMERATED) { @@ -479,7 +482,7 @@ asn1_parse_to_xml (BIO * bp, unsigned char **pp, long length, int offset, int de if (BIO_write (bp, "BAD ENUMERATED", 11) <= 0) goto end; } - M_ASN1_ENUMERATED_free (bs); + ASN1_STRING_free (bs); } else if (len > 0 && dump) { @@ -515,7 +518,7 @@ end: if (o != NULL) ASN1_OBJECT_free (o); if (os != NULL) -M_ASN1_OCTET_STRING_free (os); +ASN1_STRING_free (os); *pp = p; return (ret); } 
@@ -854,16 +857,18 @@ bif_smime_sign (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args) } certs = sk_X509_new_null (); +#if HALP if (store && store->objs) { for (inx = 0; inx < sk_X509_OBJECT_num (store->objs); inx++) { X509_OBJECT *obj = sk_X509_OBJECT_value (store->objs, inx); - if (obj->type == X509_LU_X509) + if (X509_OBJECT_get_type(obj) == X509_LU_X509) sk_X509_push (certs, X509_dup (obj->data.x509)); } } +#endif if (store) X509_STORE_free (store); in_bio = BIO_new_mem_buf (msg, box_length (msg) - 1); @@ -935,6 +940,7 @@ bif_smime_encrypt (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args) sqlr_new_error ("42000", "CR006", "No recipient certificates"); certs = sk_X509_new_null (); +#if HALP if (store &&
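Review bot: the replacement for d2i_ASN1_BOOLEAN() in the asn1_parse_to_xml hunk at -347 (libsrc/Wi/bif_crypto.c) tests "len + hl < 1" and then prints p[0], but that sum is the total length the removed call handed to the decoder (header plus content), so with any header present it is never below 1 and a BOOLEAN whose content length is 0 still reaches the p[0] read. Test the content length on its own (exactly 1 for a BOOLEAN) before dereferencing, and confirm that p points at the content rather than the header at this point, which the hunk does not show.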
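Review bot: the "#if HALP" wrapper added in the bif_smime_sign hunk (and opened again in bif_smime_encrypt) compiles the whole loop out when HALP is undefined, so certs stays the empty stack from sk_X509_new_null() and the certificates held in store are no longer copied into it; that is a behaviour change, not only a build fix. The wrapped loop also still reads store->objs and obj->data.x509 directly next to the new X509_OBJECT_get_type() call; switching those to X509_STORE_get0_objects(store) and X509_OBJECT_get0_X509(obj) would let the block build against 1.1.0 without the guard.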
Bug#828594: virtuoso-opensource: FTBFS with openssl 1.1.0
Source: virtuoso-opensource
Version: 6.1.6+dfsg2-3
Severity: important
Control: block 827061 by -1

Hi,

OpenSSL 1.1.0 is about to be released. During a rebuild of all packages using OpenSSL this package fails to build. A log of that build can be found at:
https://breakpoint.cc/openssl-1.1-rebuild-2016-05-29/Attempted/virtuoso-opensource_6.1.6+dfsg2-3_amd64-20160529-1549

On https://wiki.openssl.org/index.php/1.1_API_Changes you can see various of the reasons why it might fail. There are also updated man pages at https://www.openssl.org/docs/manmaster/ that should contain useful information.

There is a libssl-dev package available in experimental that contains a recent snapshot, I suggest you try building against that to see if everything works.

If you have problems making things work, feel free to contact us.

Kurt