Fix build with LibreSSL

Message ID 20190109101831.7957-1-stefan.strogin@gmail.com
State Changes Requested

Commit Message

Stefan Strogin Jan. 9, 2019, 10:18 a.m. UTC
When using LibreSSL build fails with:

../src/crypto/tls_openssl.o: in function `tls_connection_client_cert':
../src/crypto/tls_openssl.c:2817: undefined reference to `SSL_use_certificate_chain_file'
collect2: error: ld returned 1 exit status
make: *** [Makefile:1901: wpa_supplicant] Error 1

There is now such function in LibreSSL.
Also SSL_OP_NO_TLSv1_3 was not defined till 2.9.0.

Signed-off-by: Stefan Strogin <stefan.strogin@gmail.com>
---
 src/crypto/tls_openssl.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

Comments

Jouni Malinen Jan. 9, 2019, 11 a.m. UTC | #1
On Wed, Jan 09, 2019 at 12:18:31PM +0200, Stefan Strogin wrote:
> When using LibreSSL build fails with:
> 
> ../src/crypto/tls_openssl.o: in function `tls_connection_client_cert':
> ../src/crypto/tls_openssl.c:2817: undefined reference to `SSL_use_certificate_chain_file'
> collect2: error: ld returned 1 exit status
> make: *** [Makefile:1901: wpa_supplicant] Error 1
> 
> There is now such function in LibreSSL.

Do you mean "there is no such function" instead of there now being such
a function? I did not see this in LibreSSL 2.9.0 either.

> Also SSL_OP_NO_TLSv1_3 was not defined till 2.9.0.

Sure, but why would that need a change in tls_openssl.c?

> diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
> @@ -2804,7 +2804,7 @@ static int tls_connection_client_cert(struct tls_connection *conn,
>  		return 0;
>  	}
>  
> -#if OPENSSL_VERSION_NUMBER >= 0x10100000L
> +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
>  	if (SSL_use_certificate_chain_file(conn->ssl, client_cert) == 1) {
>  		ERR_clear_error();
>  		wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_chain_file"

So this makes sense if the "now" in the commit message was a typo.

> @@ -4486,7 +4486,10 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
>  		}
>  	}
>  #endif
> -#if OPENSSL_VERSION_NUMBER >= 0x10101000L
> +#if (!defined(LIBRESSL_VERSION_NUMBER) && \
> +	OPENSSL_VERSION_NUMBER >= 0x10100000L) || \
> +	(defined(LIBRESSL_VERSION_NUMBER) && \
> +	 LIBRESSL_VERSION_NUMBER >= 0x20900000L)
>  #ifdef SSL_OP_NO_TLSv1_3
>  	if (params->flags & TLS_CONN_EAP_FAST) {
>  		/* Need to disable TLS v1.3 at least for now since OpenSSL 1.1.1

But I don't see why this would be needed. That #ifdef SSL_OP_NO_TLSv1_3
takes care of this without having to make the version check any more
complex. At least this builds fine for me against LibreSSL 2.8.3.

Stefan Strogin Jan. 9, 2019, 11:15 a.m. UTC | #2
On 09/01/2019 13:00, Jouni Malinen wrote:
> On Wed, Jan 09, 2019 at 12:18:31PM +0200, Stefan Strogin wrote:
>> When using LibreSSL build fails with:
>>
>> ../src/crypto/tls_openssl.o: in function `tls_connection_client_cert':
>> ../src/crypto/tls_openssl.c:2817: undefined reference to `SSL_use_certificate_chain_file'
>> collect2: error: ld returned 1 exit status
>> make: *** [Makefile:1901: wpa_supplicant] Error 1
>>
>> There is now such function in LibreSSL.
> 
> Do you mean "there is no such function" instead of there now being such
> a function? I did not see this in LibreSSL 2.9.0 either.

Oops, sorry, it was a typo. I'll resend the patch. "no such function", of course.

>> @@ -4486,7 +4486,10 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
>>  		}
>>  	}
>>  #endif
>> -#if OPENSSL_VERSION_NUMBER >= 0x10101000L
>> +#if (!defined(LIBRESSL_VERSION_NUMBER) && \
>> +	OPENSSL_VERSION_NUMBER >= 0x10100000L) || \
>> +	(defined(LIBRESSL_VERSION_NUMBER) && \
>> +	 LIBRESSL_VERSION_NUMBER >= 0x20900000L)
>>  #ifdef SSL_OP_NO_TLSv1_3
>>  	if (params->flags & TLS_CONN_EAP_FAST) {
>>  		/* Need to disable TLS v1.3 at least for now since OpenSSL 1.1.1
> 
> But I don't see why this would be needed. That #ifdef SSL_OP_NO_TLSv1_3
> takes care of this without having to make the version check any more
> complex. At least this builds fine for me against LibreSSL 2.8.3.
>  

Yes, I see. I'll send v2 without changing this part.

--
Stefan

Patch

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index cb70e2c47..72e655b85 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2804,7 +2804,7 @@  static int tls_connection_client_cert(struct tls_connection *conn,
 		return 0;
 	}
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
 	if (SSL_use_certificate_chain_file(conn->ssl, client_cert) == 1) {
 		ERR_clear_error();
 		wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_chain_file"
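Review bot: the added `!defined(LIBRESSL_VERSION_NUMBER)` on the guard around SSL_use_certificate_chain_file() carries no version bound, so every LibreSSL release skips this call, including any later release that provides the function. A one-line comment above the #if stating that LibreSSL lacks SSL_use_certificate_chain_file() would record why the exclusion exists and when it can be dropped, and the commit message should read "no such function" so the log matches the guard.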
@@ -4486,7 +4486,10 @@  int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 		}
 	}
 #endif
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+#if (!defined(LIBRESSL_VERSION_NUMBER) && \
+	OPENSSL_VERSION_NUMBER >= 0x10100000L) || \
+	(defined(LIBRESSL_VERSION_NUMBER) && \
+	 LIBRESSL_VERSION_NUMBER >= 0x20900000L)
 #ifdef SSL_OP_NO_TLSv1_3
 	if (params->flags & TLS_CONN_EAP_FAST) {
 		/* Need to disable TLS v1.3 at least for now since OpenSSL 1.1.1
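Review bot: the OpenSSL branch of the new condition compares against 0x10100000L, while the removed line used 0x10101000L, so the block is now also compiled for versions below the old threshold, and the commit message does not mention that change. If it is unintended, keep 0x10101000L. The next line is already `#ifdef SSL_OP_NO_TLSv1_3`, which guards every use of the macro in this block, so the extra LIBRESSL_VERSION_NUMBER >= 0x20900000L clause adds nothing and the original single-line `#if OPENSSL_VERSION_NUMBER >= 0x10101000L` can stay unchanged.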