Re: (ITS#8809) tls_o failure when linking to OpenSSL 1.0.2 with "no-deprecated" compile flag

2018-02-23 Thread quanah 
--On Friday, February 23, 2018 5:07 PM + Howard Chu  
wrote:

> qua...@openldap.org wrote:
>> Full_Name: Quanah Gibson-Mount
>> Version: HEAD
>> OS: N/A
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (47.208.148.239)
>>
>>
>> When attempting to link OpenLDAP to OpenSSL 1.0.2 series, where OpenSSL
>> has been built with deprecated API's disabled, the build will fail.
>> This is because RSA_F4 is deprecated in 1.0.2.  In master, this is
>> around line 1367:
>>
>> # if OPENSSL_VERSION_NUMBER < 0x1010
>> static RSA *
>> tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
>
>> This function needs to check < 1.0.2 rather than < 1.1
>
> That would only be true if the RSA callback is not needed at all in
> 1.0.2. Is that true?

Not sure.  Exact error is in RE24 is:

tls_o.c:1184:25: error: 'RSA_F4' undeclared (first use in this function)
   if ( BN_set_word( bn, RSA_F4 )) {


so it dies before we get to the RSA_generate_key_ex function itself.

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:

Re: (ITS#8809) tls_o failure when linking to OpenSSL 1.0.2 with "no-deprecated" compile flag

2018-02-23 Thread hyc 
qua...@openldap.org wrote:
> Full_Name: Quanah Gibson-Mount
> Version: HEAD
> OS: N/A
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (47.208.148.239)
> 
> 
> When attempting to link OpenLDAP to OpenSSL 1.0.2 series, where OpenSSL has 
> been
> built with deprecated API's disabled, the build will fail.  This is because
> RSA_F4 is deprecated in 1.0.2.  In master, this is around line 1367:
> 
> #if OPENSSL_VERSION_NUMBER < 0x1010
> static RSA *
> tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )

> This function needs to check < 1.0.2 rather than < 1.1

That would only be true if the RSA callback is not needed at all in 1.0.2. Is 
that true?

-- 
   -- Howard Chu
   CTO, Symas Corp.   http://www.symas.com
   Director, Highland Sun http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

(ITS#8809) tls_o failure when linking to OpenSSL 1.0.2 with "no-deprecated" compile flag

2018-02-23 Thread quanah 
Full_Name: Quanah Gibson-Mount
Version: HEAD
OS: N/A
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (47.208.148.239)


When attempting to link OpenLDAP to OpenSSL 1.0.2 series, where OpenSSL has been
built with deprecated API's disabled, the build will fail.  This is because
RSA_F4 is deprecated in 1.0.2.  In master, this is around line 1367:

#if OPENSSL_VERSION_NUMBER < 0x1010
static RSA *
tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
{
RSA *tmp_rsa;
/* FIXME:  Pregenerate the key on startup */
/* FIXME:  Who frees the key? */
#if OPENSSL_VERSION_NUMBER >= 0x00908000
BIGNUM *bn = BN_new();
tmp_rsa = NULL;
if ( bn ) {
if ( BN_set_word( bn, RSA_F4 )) {
tmp_rsa = RSA_new();
if ( tmp_rsa && !RSA_generate_key_ex( tmp_rsa, key_length, bn, NULL
)) {
RSA_free( tmp_rsa );
tmp_rsa = NULL;
}
}
BN_free( bn );
}
#else
tmp_rsa = RSA_generate_key( key_length, RSA_F4, NULL, NULL );
#endif

if ( !tmp_rsa ) {
Debug( LDAP_DEBUG_ANY,
"TLS: Failed to generate temporary %d-bit %s RSA key\n",
key_length, is_export ? "export" : "domestic", 0 );
}
return tmp_rsa;
}
#endif /* OPENSSL_VERSION_NUMBER < 1.1 */


This function needs to check < 1.0.2 rather than < 1.1