OpenLDAP
Viewing Incoming/8809
From: quanah@openldap.org
Subject: tls_o failure when linking to OpenSSL 1.0.2 with "no-deprecated" compile flag
Date: Fri, 23 Feb 2018 16:47:27 +0000
From: quanah@openldap.org
To: openldap-its@OpenLDAP.org
Subject: tls_o failure when linking to OpenSSL 1.0.2 with "no-deprecated" compile flag
Full_Name: Quanah Gibson-Mount
Version: HEAD
OS: N/A
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (47.208.148.239)


When attempting to link OpenLDAP to the OpenSSL 1.0.2 series, where OpenSSL has been
built with deprecated APIs disabled, the build will fail.  This is because
RSA_F4 is deprecated in 1.0.2.  In master, this is around line 1367:

#if OPENSSL_VERSION_NUMBER < 0x10100000
static RSA *
tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
{
    RSA *tmp_rsa;
    /* FIXME:  Pregenerate the key on startup */
    /* FIXME:  Who frees the key? */
#if OPENSSL_VERSION_NUMBER >= 0x00908000
    BIGNUM *bn = BN_new();
    tmp_rsa = NULL;
    if ( bn ) {
        if ( BN_set_word( bn, RSA_F4 )) {
            tmp_rsa = RSA_new();
            if ( tmp_rsa && !RSA_generate_key_ex( tmp_rsa, key_length, bn, NULL )) {
                RSA_free( tmp_rsa );
                tmp_rsa = NULL;
            }
        }
        BN_free( bn );
    }
#else
    tmp_rsa = RSA_generate_key( key_length, RSA_F4, NULL, NULL );
#endif

    if ( !tmp_rsa ) {
        Debug( LDAP_DEBUG_ANY,
            "TLS: Failed to generate temporary %d-bit %s RSA key\n",
            key_length, is_export ? "export" : "domestic", 0 );
    }
    return tmp_rsa;
}
#endif /* OPENSSL_VERSION_NUMBER < 1.1 */


This function needs to check < 1.0.2 rather than < 1.1

Followup 1

Subject: Re: (ITS#8809) tls_o failure when linking to OpenSSL 1.0.2 with
 "no-deprecated" compile flag
To: quanah@openldap.org, openldap-its@OpenLDAP.org
From: Howard Chu <hyc@symas.com>
Date: Fri, 23 Feb 2018 17:07:43 +0000
quanah@openldap.org wrote:
> Full_Name: Quanah Gibson-Mount
> Version: HEAD
> OS: N/A
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (47.208.148.239)
> 
> 
> When attempting to link OpenLDAP to the OpenSSL 1.0.2 series, where OpenSSL has been
> built with deprecated APIs disabled, the build will fail.  This is because
> RSA_F4 is deprecated in 1.0.2.  In master, this is around line 1367:
> 
> #if OPENSSL_VERSION_NUMBER < 0x10100000
> static RSA *
> tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )

> This function needs to check < 1.0.2 rather than < 1.1

That would only be true if the RSA callback is not needed at all in 1.0.2. Is 
that true?

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



Followup 2

Date: Fri, 23 Feb 2018 09:48:32 -0800
From: Quanah Gibson-Mount <quanah@symas.com>
To: Howard Chu <hyc@symas.com>, openldap-its@OpenLDAP.org
Subject: Re: (ITS#8809) tls_o failure when linking to OpenSSL 1.0.2 with
 "no-deprecated" compile flag
--On Friday, February 23, 2018 5:07 PM +0000 Howard Chu <hyc@symas.com> wrote:

> quanah@openldap.org wrote:
>> Full_Name: Quanah Gibson-Mount
>> Version: HEAD
>> OS: N/A
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (47.208.148.239)
>>
>>
>> When attempting to link OpenLDAP to the OpenSSL 1.0.2 series, where OpenSSL
>> has been built with deprecated APIs disabled, the build will fail.
>> This is because RSA_F4 is deprecated in 1.0.2.  In master, this is
>> around line 1367:
>>
>> # if OPENSSL_VERSION_NUMBER < 0x10100000
>> static RSA *
>> tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
>
>> This function needs to check < 1.0.2 rather than < 1.1
>
> That would only be true if the RSA callback is not needed at all in
> 1.0.2. Is that true?

Not sure.  The exact error in RE24 is:

tls_o.c:1184:25: error: 'RSA_F4' undeclared (first use in this function)
   if ( BN_set_word( bn, RSA_F4 )) {


so it dies before we get to the RSA_generate_key_ex function itself.

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
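As an added build preflight (not part of this ITS thread or of OpenLDAP's own code), the script below reads OpenSSL's generated headers and applies the same version guard tls_o.c uses, reporting whether a build would hit the RSA_F4 error before the compiler does. The header excerpts are constructed, and it assumes that a "no-deprecated" OpenSSL build defines OPENSSL_NO_DEPRECATED in opensslconf.h.

```python
import re

# Constructed excerpts of OpenSSL's generated headers (not copied from a real
# install): opensslv.h carries the version macro, opensslconf.h the
# OPENSSL_NO_DEPRECATED marker that a "no-deprecated" build is assumed to emit.
OPENSSLV_1_0_2 = "# define OPENSSL_VERSION_NUMBER  0x1000208fL\n"
OPENSSLV_1_1_0 = "# define OPENSSL_VERSION_NUMBER  0x1010001fL\n"
CONF_NO_DEPRECATED = "#ifndef OPENSSL_NO_DEPRECATED\n# define OPENSSL_NO_DEPRECATED\n#endif\n"
CONF_DEFAULT = "#ifndef OPENSSL_THREADS\n# define OPENSSL_THREADS\n#endif\n"

_VERSION_RE = re.compile(r"^\s*#\s*define\s+OPENSSL_VERSION_NUMBER\s+(0x[0-9A-Fa-f]+)L?", re.M)
_NO_DEPRECATED_RE = re.compile(r"^\s*#\s*define\s+OPENSSL_NO_DEPRECATED\b", re.M)


def openssl_version_number(opensslv_h: str) -> int:
    """Extract OPENSSL_VERSION_NUMBER (packed MNNFFPPS layout) from opensslv.h text."""
    m = _VERSION_RE.search(opensslv_h)
    if m is None:
        raise ValueError("OPENSSL_VERSION_NUMBER not found in opensslv.h")
    return int(m.group(1), 16)


def version_string(number: int) -> str:
    """Render the packed number the way 'openssl version' prints it, e.g. 1.0.2h."""
    major, minor, fix = number >> 28, (number >> 20) & 0xFF, (number >> 12) & 0xFF
    patch = (number >> 4) & 0xFF
    letter = chr(ord("a") + patch - 1) if patch else ""
    return f"{major}.{minor}.{fix}{letter}"


def deprecated_apis_disabled(opensslconf_h: str) -> bool:
    """True when opensslconf.h defines OPENSSL_NO_DEPRECATED (assumed marker)."""
    return _NO_DEPRECATED_RE.search(opensslconf_h) is not None


def tmp_rsa_cb_compiled(number: int) -> bool:
    """Same guard as tls_o.c: tlso_tmp_rsa_cb is only compiled below 1.1.0."""
    return number < 0x10100000


def predict_rsa_f4_failure(opensslv_h: str, opensslconf_h: str) -> dict:
    """Both conditions from the thread must hold for 'RSA_F4 undeclared':
    the callback is compiled (version < 1.1.0) and deprecated APIs are off."""
    number = openssl_version_number(opensslv_h)
    compiled = tmp_rsa_cb_compiled(number)
    no_dep = deprecated_apis_disabled(opensslconf_h)
    return {"version": version_string(number), "tmp_rsa_cb_compiled": compiled,
            "deprecated_disabled": no_dep, "rsa_f4_undeclared": compiled and no_dep}
```

Running it against a real tree means passing the contents of include/openssl/opensslv.h and opensslconf.h instead of the constructed strings.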



The OpenLDAP Issue Tracking System uses a hacked version of JitterBug
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org