Full_Name: Quanah Gibson-Mount
Version: HEAD
OS: N/A
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (47.208.148.239)


When attempting to link OpenLDAP to OpenSSL 1.0.2 series, where OpenSSL has been
built with deprecated APIs disabled, the build will fail. This is because
RSA_F4 is deprecated in 1.0.2. In master, this is around line 1367:

#if OPENSSL_VERSION_NUMBER < 0x10100000
static RSA *
tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
{
	RSA *tmp_rsa;
	/* FIXME: Pregenerate the key on startup */
	/* FIXME: Who frees the key? */
#if OPENSSL_VERSION_NUMBER >= 0x00908000
	BIGNUM *bn = BN_new();
	tmp_rsa = NULL;
	if ( bn ) {
		if ( BN_set_word( bn, RSA_F4 )) {
			tmp_rsa = RSA_new();
			if ( tmp_rsa && !RSA_generate_key_ex( tmp_rsa, key_length, bn, NULL )) {
				RSA_free( tmp_rsa );
				tmp_rsa = NULL;
			}
		}
		BN_free( bn );
	}
#else
	tmp_rsa = RSA_generate_key( key_length, RSA_F4, NULL, NULL );
#endif

	if ( !tmp_rsa ) {
		Debug( LDAP_DEBUG_ANY,
			"TLS: Failed to generate temporary %d-bit %s RSA key\n",
			key_length, is_export ? "export" : "domestic", 0 );
	}
	return tmp_rsa;
}
#endif /* OPENSSL_VERSION_NUMBER < 1.1 */

This function needs to check < 1.0.2 rather than < 1.1

quanah@openldap.org wrote:
> Full_Name: Quanah Gibson-Mount
> Version: HEAD
> OS: N/A
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (47.208.148.239)
>
>
> When attempting to link OpenLDAP to OpenSSL 1.0.2 series, where OpenSSL has been
> built with deprecated APIs disabled, the build will fail. This is because
> RSA_F4 is deprecated in 1.0.2. In master, this is around line 1367:
>
> #if OPENSSL_VERSION_NUMBER < 0x10100000
> static RSA *
> tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )

> This function needs to check < 1.0.2 rather than < 1.1

That would only be true if the RSA callback is not needed at all in 1.0.2. Is
that true?

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

--On Friday, February 23, 2018 5:07 PM +0000 Howard Chu <hyc@symas.com> wrote:

> quanah@openldap.org wrote:
>> Full_Name: Quanah Gibson-Mount
>> Version: HEAD
>> OS: N/A
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (47.208.148.239)
>>
>>
>> When attempting to link OpenLDAP to OpenSSL 1.0.2 series, where OpenSSL
>> has been built with deprecated APIs disabled, the build will fail.
>> This is because RSA_F4 is deprecated in 1.0.2. In master, this is
>> around line 1367:
>>
>> # if OPENSSL_VERSION_NUMBER < 0x10100000
>> static RSA *
>> tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
>
>> This function needs to check < 1.0.2 rather than < 1.1
>
> That would only be true if the RSA callback is not needed at all in
> 1.0.2. Is that true?

Not sure. Exact error in RE24 is:

tls_o.c:1184:25: error: 'RSA_F4' undeclared (first use in this function)
    if ( BN_set_word( bn, RSA_F4 )) {

so it dies before we get to the RSA_generate_key_ex function itself.

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

changed notes
changed state Open to Test
moved from Incoming to Build

changed notes
changed state Test to Release

fixed in master
fixed in RE24 (2.4.47)

changed notes
changed state Release to Closed