All,
I don't think my commit broke the build. Rewinding to
fe07505146b7573f36a0d01ba0d2b847af7c9914 shows that the 1.1.x build does
not work on my machine at that commit either.
$ sh buildconf --with-apr=apr-1.7.4
(This path is correct)
$ cat config.nice
#! /bin/sh
#
# Created by configure
"./configure" \
"--with-apr=/usr/local/Cellar/apr/1.7.4/bin/apr-1-config" \
"--with-ssl=/usr/local/Cellar/openssl@1.1/1.1.1w/" \
"$@"
$ ./config.nice
[... no errors...]
$ make clean
$ make
/bin/sh /usr/local/Cellar/apr/1.7.4/build-1/libtool --silent
--mode=compile --tag=CC clang -g -O2 -Wall -DHAVE_CONFIG_H -DDARWIN
-DSIGPROCMASK_SETS_THREAD_MASK -g -O2 -DHAVE_OPENSSL
-DHAVE_POOL_PRE_CLEANUP
-I/Users/christopherschultz/git/tomcat-native/native/include
-I/Library/Java/JavaVirtualMachines/temurin-21.jdk/Contents/Home/include
-I/Library/Java/JavaVirtualMachines/temurin-21.jdk/Contents/Home/include/darwin
-I/usr/local/Cellar/openssl@1.1/1.1.1w//include
-I/usr/local/opt/apr/include/apr-1 -o src/ssl.lo -c src/ssl.c && touch
src/ssl.lo
src/ssl.c:201:7: error: incomplete definition of type 'struct dh_st'
dh->p = prime(NULL);
~~^
/usr/local/Cellar/openssl@1.1/1.1.1w//include/openssl/ossl_typ.h:104:16:
note: forward declaration of 'struct dh_st'
typedef struct dh_st DH;
^
src/ssl.c:202:18: error: incomplete definition of type 'struct dh_st'
BN_dec2bn(&dh->g, gen);
~~^
/usr/local/Cellar/openssl@1.1/1.1.1w//include/openssl/ossl_typ.h:104:16:
note: forward declaration of 'struct dh_st'
typedef struct dh_st DH;
^
src/ssl.c:203:12: error: incomplete definition of type 'struct dh_st'
if (!dh->p || !dh->g) {
~~^
/usr/local/Cellar/openssl@1.1/1.1.1w//include/openssl/ossl_typ.h:104:16:
note: forward declaration of 'struct dh_st'
typedef struct dh_st DH;
^
src/ssl.c:203:22: error: incomplete definition of type 'struct dh_st'
if (!dh->p || !dh->g) {
~~^
/usr/local/Cellar/openssl@1.1/1.1.1w//include/openssl/ossl_typ.h:104:16:
note: forward declaration of 'struct dh_st'
typedef struct dh_st DH;
^
src/ssl.c:324:5: warning: 'ERR_remove_thread_state' is deprecated
[-Wdeprecated-declarations]
ERR_remove_thread_state(NULL);
^
/usr/local/Cellar/openssl@1.1/1.1.1w//include/openssl/err.h:260:1: note:
'ERR_remove_thread_state' has been explicitly marked deprecated here
DEPRECATEDIN_1_1_0(void ERR_remove_thread_state(void *))
^
/usr/local/Cellar/openssl@1.1/1.1.1w//include/openssl/opensslconf.h:160:34:
note: expanded from macro 'DEPRECATEDIN_1_1_0'
# define DEPRECATEDIN_1_1_0(f) DECLARE_DEPRECATED(f)
^
/usr/local/Cellar/openssl@1.1/1.1.1w//include/openssl/opensslconf.h:118:55:
note: expanded from macro 'DECLARE_DEPRECATED'
# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated));
^
src/ssl.c:547:22: error: implicit declaration of function 'RAND_egd' is
invalid in C99 [-Werror,-Wimplicit-function-declaration]
if ((n = RAND_egd(file + 4)) > 0)
^
src/ssl.c:570:19: error: implicit declaration of function 'RAND_egd' is
invalid in C99 [-Werror,-Wimplicit-function-declaration]
else if ((n = RAND_egd(file)) > 0) {
^
src/ssl.c:848:11: error: incomplete definition of type 'struct bio_st'
if (bi->ptr != NULL && (bi->flags & SSL_BIO_FLAG_CALLBACK)) {
~~^
/usr/local/Cellar/openssl@1.1/1.1.1w//include/openssl/ossl_typ.h:79:16:
note: forward declaration of 'struct bio_st'
typedef struct bio_st BIO;
^
src/ssl.c:848:31: error: incomplete definition of type 'struct bio_st'
if (bi->ptr != NULL && (bi->flags & SSL_BIO_FLAG_CALLBACK)) {
~~^
/usr/local/Cellar/openssl@1.1/1.1.1w//include/openssl/ossl_typ.h:79:16:
note: forward declaration of 'struct bio_st'
typedef struct bio_st BIO;
^
src/ssl.c:849:37: error: incomplete definition of type 'struct bio_st'
BIO_JAVA *j = (BIO_JAVA *)bi->ptr;
~~^
/usr/local/Cellar/openssl@1.1/1.1.1w//include/openssl/ossl_typ.h:79:16:
note: forward declaration of 'struct bio_st'
typedef struct bio_st BIO;
^
src/ssl.c:866:11: error: incomplete definition of type 'struct bio_st'
if (bi->ptr != NULL && (bi->flags & SSL_BIO_FLAG_CALLBACK)) {
~~^
/usr/local/Cellar/openssl@1.1/1.1.1w//include/openssl/ossl_typ.h:79:16:
note: forward declaration of 'struct bio_st'
typedef struct bio_st BIO;
^
src/ssl.c:866:31: error: incomplete definition of type 'struct bio_st'
if (bi->ptr != NULL && (bi->flags & SSL_BIO_FLAG_CALLBACK)) {
~~^
/usr/local/Cellar/openssl@1.1/1.1.1w//include/openssl/ossl_typ.h:79:16:
note: forward declaration of 'struct bio_st'
typedef struct bio_st BIO;
^
src/ssl.c:867:37: error: incomplete definition of type 'struct bio_st'
BIO_JAVA *j = (BIO_JAVA *)bi->ptr;
~~^
/usr/local/Cellar/openssl@1.1/1.1.1w//include/openssl/ossl_typ.h:79:16:
note: forward declaration of 'struct bio_st'
typedef struct bio_st BIO;
^
src/ssl.c:881:7: error: incomplete definition of type 'struct bio_st'
bi->shutdown = 1;
~~^
/usr/local/Cellar/openssl@1.1/1.1.1w//include/openssl/ossl_typ.h:79:16:
note: forward declaration of 'struct bio_st'
typedef struct bio_st BIO;
^
src/ssl.c:882:7: error: incomplete definition of type 'struct bio_st'
bi->init = 0;
~~^
/usr/local/Cellar/openssl@1.1/1.1.1w//include/openssl/ossl_typ.h:79:16:
note: forward declaration of 'struct bio_st'
typedef struct bio_st BIO;
^
src/ssl.c:883:7: error: incomplete definition of type 'struct bio_st'
bi->num = -1;
~~^
/usr/local/Cellar/openssl@1.1/1.1.1w//include/openssl/ossl_typ.h:79:16:
note: forward declaration of 'struct bio_st'
typedef struct bio_st BIO;
^
src/ssl.c:884:7: error: incomplete definition of type 'struct bio_st'
bi->ptr = (char *)j;
~~^
/usr/local/Cellar/openssl@1.1/1.1.1w//include/openssl/ossl_typ.h:79:16:
note: forward declaration of 'struct bio_st'
typedef struct bio_st BIO;
^
src/ssl.c:893:11: error: incomplete definition of type 'struct bio_st'
if (bi->ptr != NULL) {
~~^
/usr/local/Cellar/openssl@1.1/1.1.1w//include/openssl/ossl_typ.h:79:16:
note: forward declaration of 'struct bio_st'
typedef struct bio_st BIO;
^
src/ssl.c:894:37: error: incomplete definition of type 'struct bio_st'
BIO_JAVA *j = (BIO_JAVA *)bi->ptr;
~~^
/usr/local/Cellar/openssl@1.1/1.1.1w//include/openssl/ossl_typ.h:79:16:
note: forward declaration of 'struct bio_st'
typedef struct bio_st BIO;
^
src/ssl.c:895:15: error: incomplete definition of type 'struct bio_st'
if (bi->init) {
~~^
/usr/local/Cellar/openssl@1.1/1.1.1w//include/openssl/ossl_typ.h:79:16:
note: forward declaration of 'struct bio_st'
typedef struct bio_st BIO;
^
fatal error: too many errors emitted, stopping now [-ferror-limit=]
1 warning and 20 errors generated.
make[1]: *** [src/ssl.lo] Error 1
make: *** [all-recursive] Error 1
I get roughly the same behavior when compiling against OpenSSL 3.0 as
well. The first error in ssl.c doesn't look like an error to me:
src/ssl.c:201:7: error: incomplete definition of type 'struct dh_st'
dh->p = prime(NULL);
~~^
The full code in that area is:
/*
 * Build a DH parameter object from a prime-producing callback and a
 * generator given as a decimal string.
 *
 * prime: called as prime(NULL); its result is stored as the DH prime p.
 * gen:   decimal string parsed by BN_dec2bn() into the DH generator g.
 *
 * Returns the new DH on success. Returns NULL if DH_new() fails, or if
 * either p or g is NULL after being set (the DH is freed first).
 *
 * NOTE(review): the body assigns dh->p and dh->g directly, which needs the
 * complete definition of struct dh_st. The OpenSSL 1.1.1w headers in the
 * quoted build only forward-declare that type in ossl_typ.h, which is what
 * the "incomplete definition of type 'struct dh_st'" errors report.
 * OpenSSL 1.1.0 and later provide DH_set0_pqg() for setting these values.
 */
static DH *make_dh_params(BIGNUM *(*prime)(BIGNUM *), const char *gen)
{
DH *dh = DH_new();
if (!dh) {
return NULL;
}
/* Direct member write: only compiles where struct dh_st is public. */
dh->p = prime(NULL); // Line 201
/*
 * The return value is not checked here; a failed parse is caught by the
 * NULL test on dh->g below (presumably BN_dec2bn leaves dh->g NULL on
 * error when it starts out NULL; confirm against the OpenSSL in use).
 */
BN_dec2bn(&dh->g, gen);
if (!dh->p || !dh->g) {
/* Either parameter missing: release the DH and report failure. */
DH_free(dh);
return NULL;
}
return dh;
}
Is this just a bad setup on my end?
Building the main branch in this environment (but with OpenSSL 3.0)
works with some warnings but no errors.
Can anyone confirm they can build 1.1.x HEAD?
Thanks,
-chris
On 5/31/24 13:11, schu...@apache.org wrote:
This is an automated email from the ASF dual-hosted git repository.
schultz pushed a commit to branch 1.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
The following commit(s) were added to refs/heads/1.1.x by this push:
new 0ab6bdd39 Use ERR_error_string_n instead of ERR_error_string.
0ab6bdd39 is described below
commit 0ab6bdd3973c702a46a9564266d1f4848bd05b01
Author: Christopher Schultz <ch...@christopherschultz.net>
AuthorDate: Fri May 31 13:10:27 2024 -0400
Use ERR_error_string_n instead of ERR_error_string.
Use header-defined constant for error message buffer sizes.
---
native/include/ssl_private.h | 5 +++++
native/src/ssl.c | 8 ++++----
native/src/sslcontext.c | 32 ++++++++++++++++----------------
native/src/sslnetwork.c | 4 ++--
4 files changed, 27 insertions(+), 22 deletions(-)
diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h
index 68fc8a877..ede9ae94f 100644
--- a/native/include/ssl_private.h
+++ b/native/include/ssl_private.h
@@ -63,6 +63,11 @@
#define SSL_AIDX_ECC (3)
#define SSL_AIDX_MAX (4)
+/*
+ * The length of error message strings. MUST BE AT LEAST 256.
+ */
+#define TCN_OPENSSL_ERROR_STRING_LENGTH 256
+
/*
* Define the SSL options
*/
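Review bot: The comment on `TCN_OPENSSL_ERROR_STRING_LENGTH` says the value must be at least 256 but not why, so a later reader cannot tell whether lowering it would be a memory-safety problem or only a truncation problem. The 256-byte minimum comes from `ERR_error_string()`, which takes no length argument, whereas `ERR_error_string_n()` truncates to the length it is given. I would extend the comment to something like `/* ERR_error_string() assumes a buffer of at least 256 bytes; pass this length to ERR_error_string_n(). */`.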
diff --git a/native/src/ssl.c b/native/src/ssl.c
index d6fdaee55..782de1139 100644
--- a/native/src/ssl.c
+++ b/native/src/ssl.c
@@ -806,11 +806,11 @@ TCN_IMPLEMENT_CALL(jint, SSL, fipsModeSet)(TCN_STDARGS,
jint mode)
if(1 != (r = (jint)FIPS_mode_set((int)mode))) {
/* arrange to get a human-readable error message */
unsigned long err = ERR_get_error();
- char msg[256];
+ char msg[TCN_OPENSSL_ERROR_STRING_LENGTH];
/* ERR_load_crypto_strings() already called in initialize() */
- ERR_error_string_n(err, msg, 256);
+ ERR_error_string_n(err, msg, TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_ThrowException(e, msg);
}
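Review bot: The length passed to `ERR_error_string_n()` repeats the macro from the declaration instead of being derived from the buffer, so the two can drift apart if one site is edited later. Since `msg` is a local array here, `ERR_error_string_n(err, msg, sizeof(msg));` ties the bound to the buffer itself. The same applies to `buf` in getLastError and to the `err` arrays in the sslcontext.c and sslnetwork.c hunks, all of which are declared as local arrays in the visible lines. The body of fipsModeSet starts outside this hunk.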
@@ -1105,9 +1105,9 @@ TCN_IMPLEMENT_CALL(jboolean, SSL,
loadDSATempKey)(TCN_STDARGS, jint idx,
TCN_IMPLEMENT_CALL(jstring, SSL, getLastError)(TCN_STDARGS)
{
- char buf[256];
+ char buf[TCN_OPENSSL_ERROR_STRING_LENGTH];
UNREFERENCED(o);
- ERR_error_string(ERR_get_error(), buf);
+ ERR_error_string_n(ERR_get_error(), buf, TCN_OPENSSL_ERROR_STRING_LENGTH);
return tcn_new_string(e, buf);
}
diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c
index c632fc7cf..e2d341c30 100644
--- a/native/src/sslcontext.c
+++ b/native/src/sslcontext.c
@@ -136,8 +136,8 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS,
jlong pool,
}
if (!ctx) {
- char err[256];
- ERR_error_string(ERR_get_error(), err);
+ char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
+ ERR_error_string_n(ERR_get_error(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Invalid Server SSL Protocol (%s)", err);
goto init_failed;
}
@@ -327,8 +327,8 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCipherSuite)(TCN_STDARGS, jlong ctx,
#else
if (!SSL_CTX_set_cipher_list(c->ctx, J2S(ciphers))) {
#endif
- char err[256];
- ERR_error_string(ERR_get_error(), err);
+ char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
+ ERR_error_string_n(ERR_get_error(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", err);
rv = JNI_FALSE;
}
@@ -348,7 +348,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCARevocation)(TCN_STDARGS, jlong ctx
TCN_ALLOC_CSTRING(path);
jboolean rv = JNI_FALSE;
X509_LOOKUP *lookup;
- char err[256];
+ char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
UNREFERENCED(o);
TCN_ASSERT(ctx != 0);
@@ -362,7 +362,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCARevocation)(TCN_STDARGS, jlong ctx
if (J2S(file)) {
lookup = X509_STORE_add_lookup(c->crl, X509_LOOKUP_file());
if (lookup == NULL) {
- ERR_error_string(ERR_get_error(), err);
+ ERR_error_string_n(ERR_get_error(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
X509_STORE_free(c->crl);
c->crl = NULL;
tcn_Throw(e, "Lookup failed for file %s (%s)", J2S(file), err);
@@ -373,7 +373,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCARevocation)(TCN_STDARGS, jlong ctx
if (J2S(path)) {
lookup = X509_STORE_add_lookup(c->crl, X509_LOOKUP_hash_dir());
if (lookup == NULL) {
- ERR_error_string(ERR_get_error(), err);
+ ERR_error_string_n(ERR_get_error(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
X509_STORE_free(c->crl);
c->crl = NULL;
tcn_Throw(e, "Lookup failed for path %s (%s)", J2S(file), err);
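Review bot: In the `if (J2S(path))` branch the failure message is built from `J2S(file)` rather than `J2S(path)`, on the unchanged `tcn_Throw` line that closes this hunk. The exception therefore names the wrong input, and when only a path was supplied `J2S(file)` may be NULL and is handed to a `%s` conversion (how tcn_Throw formats its arguments is not visible here). The line should read `tcn_Throw(e, "Lookup failed for path %s (%s)", J2S(path), err);`. setCARevocation begins and continues outside this hunk.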
@@ -426,8 +426,8 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCACertificate)(TCN_STDARGS,
*/
if (!SSL_CTX_load_verify_locations(c->ctx,
J2S(file), J2S(path))) {
- char err[256];
- ERR_error_string(ERR_get_error(), err);
+ char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
+ ERR_error_string_n(ERR_get_error(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Unable to configure locations "
"for client authentication (%s)", err);
rv = JNI_FALSE;
@@ -637,7 +637,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCertificate)(TCN_STDARGS, jlong ctx,
TCN_ALLOC_CSTRING(password);
const char *key_file, *cert_file;
const char *p;
- char err[256];
+ char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
#ifdef HAVE_ECC
EC_GROUP *ecparams;
int nid;
@@ -670,7 +670,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCertificate)(TCN_STDARGS, jlong ctx,
}
if ((p = strrchr(cert_file, '.')) != NULL && strcmp(p, ".pkcs12") == 0) {
if (!ssl_load_pkcs12(c, cert_file, &c->keys[idx], &c->certs[idx], 0))
{
- ERR_error_string(ERR_get_error(), err);
+ ERR_error_string_n(ERR_get_error(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Unable to load certificate %s (%s)",
cert_file, err);
rv = JNI_FALSE;
@@ -679,14 +679,14 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCertificate)(TCN_STDARGS, jlong ctx,
}
else {
if ((c->keys[idx] = load_pem_key(c, key_file)) == NULL) {
- ERR_error_string(ERR_get_error(), err);
+ ERR_error_string_n(ERR_get_error(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Unable to load certificate key %s (%s)",
key_file, err);
rv = JNI_FALSE;
goto cleanup;
}
if ((c->certs[idx] = load_pem_cert(c, cert_file)) == NULL) {
- ERR_error_string(ERR_get_error(), err);
+ ERR_error_string_n(ERR_get_error(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Unable to load certificate %s (%s)",
cert_file, err);
rv = JNI_FALSE;
@@ -694,19 +694,19 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCertificate)(TCN_STDARGS, jlong ctx,
}
}
if (SSL_CTX_use_certificate(c->ctx, c->certs[idx]) <= 0) {
- ERR_error_string(ERR_get_error(), err);
+ ERR_error_string_n(ERR_get_error(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Error setting certificate (%s)", err);
rv = JNI_FALSE;
goto cleanup;
}
if (SSL_CTX_use_PrivateKey(c->ctx, c->keys[idx]) <= 0) {
- ERR_error_string(ERR_get_error(), err);
+ ERR_error_string_n(ERR_get_error(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Error setting private key (%s)", err);
rv = JNI_FALSE;
goto cleanup;
}
if (SSL_CTX_check_private_key(c->ctx) <= 0) {
- ERR_error_string(ERR_get_error(), err);
+ ERR_error_string_n(ERR_get_error(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Private key does not match the certificate public key
(%s)",
err);
rv = JNI_FALSE;
diff --git a/native/src/sslnetwork.c b/native/src/sslnetwork.c
index 4557b514e..094453c76 100644
--- a/native/src/sslnetwork.c
+++ b/native/src/sslnetwork.c
@@ -126,8 +126,8 @@ static tcn_ssl_conn_t *ssl_create(JNIEnv *env,
tcn_ssl_ctxt_t *ctx, apr_pool_t *
return NULL;
}
if ((ssl = SSL_new(ctx->ctx)) == NULL) {
- char err[256];
- ERR_error_string(ERR_get_error(), err);
+ char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
+ ERR_error_string_n(ERR_get_error(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(env, "SSL_new failed (%s)", err);
con = NULL;
return NULL;