Re: [squid-users] errors when building with ssl-crtd for CentOS 6

From: Dan Charlesworth <dan_at_getbusi.com>
Date: Fri, 10 Aug 2012 21:02:44 +1000

Thanks again. Turns out what you pasted is the same ABI as my CentOS 6.3 environment.

I made a patch (attached) based on your suggestions but the build is failing on the following errors:
certificate_db.cc: In member function 'bool Ssl::CertificateDb::deleteInvalidCertificate()':
certificate_db.cc:439: error: invalid conversion from 'void*' to 'const _STACK*'
certificate_db.cc:439: error: initializing argument 1 of 'void* sk_value(const _STACK*, int)'
certificate_db.cc: In member function 'bool Ssl::CertificateDb::deleteOldestCertificate()':
certificate_db.cc:478: error: expected ')' before ';' token
certificate_db.cc: In member function 'bool Ssl::CertificateDb::deleteByHostname(const std::string&)':
certificate_db.cc:504: error: invalid conversion from 'void*' to 'const _STACK*'
certificate_db.cc:504: error: initializing argument 1 of 'void* sk_value(const _STACK*, int)'

Anything else I can try?

Thanks

--- src/ssl/certificate_db.cc 2012-06-08 21:20:21.000000000 +1000
+++ src/ssl/certificate_db.cc 2012-08-10 20:43:37.000000000 +1000
@@ -394,7 +394,7 @@
         corrupt = true;
 
     // Create indexes in db.
-#if OPENSSL_VERSION_NUMBER >= 0x1000004fL
+#if OPENSSL_VERSION_NUMBER >= 0x10000003L
     if (!corrupt && !TXT_DB_create_index(temp_db.get(), cnlSerial, NULL, LHASH_HASH_FN(index_serial), LHASH_COMP_FN(index_serial)))
         corrupt = true;
 
@@ -434,7 +434,7 @@
         return false;
 
     bool removed_one = false;
-#if OPENSSL_VERSION_NUMBER >= 0x1000004fL
+#if OPENSSL_VERSION_NUMBER >= 0x10000003L
     for (int i = 0; i < sk_OPENSSL_PSTRING_num(db.get()->data); i++) {
         const char ** current_row = ((const char **)sk_OPENSSL_PSTRING_value(db.get()->data, i));
 #else
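Review bot: The `current_row` line in this loop still calls `sk_OPENSSL_PSTRING_value(db.get()->data, i)`, and by the hunk header that is new line 439, exactly where the build reports "invalid conversion from 'void*' to 'const _STACK*'". Only the version guard changes here, so the branch that is now compiled for this OpenSSL still goes through the macro that fails. Apply the substitution suggested in the thread to this call too: `(const char **)sk_value((const _STACK *)(db.get()->data), i)`, with the parenthesis closed after `db.get()->data` so that `i` remains the second argument.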
@@ -445,7 +445,7 @@
         if (!sslDateIsInTheFuture(current_row[cnlExp_date])) {
             std::string filename(cert_full + "/" + current_row[cnlSerial] + ".pem");
             FileLocker cert_locker(filename);
-#if OPENSSL_VERSION_NUMBER >= 0x1000004fL
+#if OPENSSL_VERSION_NUMBER >= 0x10000003L
             sk_OPENSSL_PSTRING_delete(db.get()->data, i);
 #else
             sk_delete(db.get()->data, i);
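Review bot: The guard above `sk_OPENSSL_PSTRING_delete` hard-codes `0x10000003L` with no comment saying where the value comes from, and the same literal is repeated at each guard this patch touches. Add a short comment that it is the `OPENSSL_VERSION_NUMBER` found in this system's opensslv.h, or define the threshold once as a named macro near the top of the file and test that in every `#if`, so the guards cannot drift apart on a later edit.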
@@ -467,22 +467,22 @@
     if (!db)
         return false;
 
-#if OPENSSL_VERSION_NUMBER >= 0x1000004fL
+#if OPENSSL_VERSION_NUMBER >= 0x10000003L
     if (sk_OPENSSL_PSTRING_num(db.get()->data) == 0)
 #else
     if (sk_num(db.get()->data) == 0)
 #endif
         return false;
 
-#if OPENSSL_VERSION_NUMBER >= 0x1000004fL
- const char **row = (const char **)sk_OPENSSL_PSTRING_value(db.get()->data, 0);
+#if OPENSSL_VERSION_NUMBER >= 0x10000003L
+ const char **row = (const char **)sk_value((const _STACK *)(db.get()->data, 0);
 #else
     const char **row = (const char **)sk_value(db.get()->data, 0);
 #endif
     std::string filename(cert_full + "/" + row[cnlSerial] + ".pem");
     FileLocker cert_locker(filename);
 
-#if OPENSSL_VERSION_NUMBER >= 0x1000004fL
+#if OPENSSL_VERSION_NUMBER >= 0x10000003L
     sk_OPENSSL_PSTRING_delete(db.get()->data, 0);
 #else
     sk_delete(db.get()->data, 0);
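Review bot: The added `row` line is one `)` short: `sk_value((const _STACK *)(db.get()->data, 0);` never closes the parenthesis opened before `db.get()`, which matches the reported "expected ')' before ';' token" at line 478. As written the `, 0` also sits inside the cast operand instead of being the second argument of `sk_value`. It should read `(const char **)sk_value((const _STACK *)(db.get()->data), 0);`. Note that `sk_OPENSSL_PSTRING_num` and `sk_OPENSSL_PSTRING_delete` in the same hunk keep the typed macros, so this function mixes both call styles under one guard; check that those two still compile once the parenthesis is fixed.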
@@ -499,7 +499,7 @@
     if (!db)
         return false;
 
-#if OPENSSL_VERSION_NUMBER >= 0x1000004fL
+#if OPENSSL_VERSION_NUMBER >= 0x10000003L
     for (int i = 0; i < sk_OPENSSL_PSTRING_num(db.get()->data); i++) {
         const char ** current_row = ((const char **)sk_OPENSSL_PSTRING_value(db.get()->data, i));
 #else
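Review bot: The `current_row` line here is new line 504 by the hunk header, the second place the build reports the 'void*' to 'const _STACK*' conversion error, and it still uses `sk_OPENSSL_PSTRING_value(db.get()->data, i)` unchanged. Changing the guard alone does not touch the failing call; it needs the explicit form `(const char **)sk_value((const _STACK *)(db.get()->data), i)` as well.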
@@ -509,7 +509,7 @@
         if (host == current_row[cnlName]) {
             std::string filename(cert_full + "/" + current_row[cnlSerial] + ".pem");
             FileLocker cert_locker(filename);
-#if OPENSSL_VERSION_NUMBER >= 0x1000004fL
+#if OPENSSL_VERSION_NUMBER >= 0x10000003L
             sk_OPENSSL_PSTRING_delete(db.get()->data, i);
 #else
             sk_delete(db.get()->data, i);

On 10/08/2012, at 8:32 PM, nipun_mlist Assam <nipunmlist_at_gmail.com> wrote:

> ABI version is defined in opensslv.h. Something like "#define
> OPENSSL_VERSION_NUMBER 0x10000003L"
> Generally openssl header files install in /usr/include/openssl/
>
> Regards,
> Nipun
>
>
>
>
> On Fri, Aug 10, 2012 at 3:44 PM, Dan Charlesworth <dan_at_getbusi.com> wrote:
>> Thanks Nipun. A patch is going to be a much better option for me given the difficulty of dealing with building RPMs and mock environments etc.
>>
>> I understand part 2 of your suggestions but I'm unsure how to find out what my "abi version is". If I run openssl version I get the following output: "OpenSSL 1.0.0-fips 29 Mar 2010"
>>
>> Should I be replacing all instances of '0x1000004fL' with '1.0.0-fips' in certificate_db.cc?
>>
>> Sorry - I'm pretty new to this.
>>
>> Thanks
>>
>> On 10/08/2012, at 7:30 PM, nipun_mlist Assam <nipunmlist_at_gmail.com> wrote:
>>
>>>>> certificate_db.cc: In member function 'bool
>>>>> Ssl::CertificateDb::deleteInvalidCertificate()':
>>>>> certificate_db.cc:441: error: cannot convert 'stack_st_OPENSSL_PSTRING*'
>>>>> to 'const _STACK*' for argument '1' to 'int sk_num(const _STACK*)'
>>>>> certificate_db.cc:442: error: cannot convert 'stack_st_OPENSSL_PSTRING*'
>>>>> to 'const _STACK*' for argument '1' to 'void* sk_value(const _STACK*, int)
>>>>>
>>>>> I don't quite understand what Michael did to work-around it. I would just
>>>>> like to know if this can be worked around given my environment and if so,
>>>>> how exactly?
>>>>
>>>>
>>>> He installed a different version of OpenSSL and used the --with-openssl=
>>>> configure option to tell Squid exactly which library to build against.
>>>>
>>>> The early 1.0.0 had symbol issues and all signs are pointing at those -fips
>>>> libraries being patched with ABI breaking stuff.
>>>>
>>>
>>> One more way to fix this is, .....
>>> replace all "#if OPENSSL_VERSION_NUMBER >= 0x1000004fL"
>>> with
>>> "#if OPENSSL_VERSION_NUMBER >= your-openssl-abi-version"
>>>
>>> and replace all
>>> "const char **row = (const char **)sk_OPENSSL_PSTRING_value(..."
>>> with
>>> "const char **row = (const char **)sk_value((const _STACK *)(..."
>>>
>>> --
>>> Regards,
>>> Nipun
>>
>
>
>
> --
> Regards,
> Nipun Talukdar
> Bangalore
Received on Fri Aug 10 2012 - 11:02:55 MDT
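
Added example (not part of the thread and not Squid code): a small C decoder for the pre-3.0 `OPENSSL_VERSION_NUMBER` layout `0xMNNFFPPSL` described in opensslv.h, showing why the two constants discussed above fall on different sides of the `#if` and why the `openssl version` string cannot be used in the guard. The function and struct names are made up for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Fields of a pre-3.0 OPENSSL_VERSION_NUMBER, laid out as 0xMNNFFPPSL. */
struct ossl_ver { unsigned maj, min, fix, patch, status; };

static struct ossl_ver decode_openssl_version(unsigned long v)
{
    struct ossl_ver d;
    d.maj    = (v >> 28) & 0xf;   /* M  */
    d.min    = (v >> 20) & 0xff;  /* NN */
    d.fix    = (v >> 12) & 0xff;  /* FF */
    d.patch  = (v >> 4)  & 0xff;  /* PP: 0 = none, 1 = 'a', 2 = 'b', ... */
    d.status = v & 0xf;           /* S: 0 = dev, 1..0xe = beta N, 0xf = release */
    return d;
}

/* Render e.g. "1.0.0d release" or "1.0.0 beta 3" into buf; returns buf. */
static const char *format_openssl_version(unsigned long v, char *buf, size_t len)
{
    struct ossl_ver d = decode_openssl_version(v);
    char letter[2] = { 0, 0 };
    char status[16];

    if (d.patch >= 1 && d.patch <= 26)
        letter[0] = (char)('a' + d.patch - 1);
    if (d.status == 0xf)
        snprintf(status, sizeof status, "release");
    else if (d.status == 0)
        snprintf(status, sizeof status, "dev");
    else
        snprintf(status, sizeof status, "beta %u", d.status);
    snprintf(buf, len, "%u.%u.%u%s %s", d.maj, d.min, d.fix, letter, status);
    return buf;
}

/* Nonzero when a header value `have` takes the `#if ... >= guard` branch. */
static int guard_selected(unsigned long have, unsigned long guard) { return have >= guard; }

int main(void)
{
    char a[32], b[32];
    printf("0x1000004f -> %s\n", format_openssl_version(0x1000004fUL, a, sizeof a));
    printf("0x10000003 -> %s\n", format_openssl_version(0x10000003UL, b, sizeof b));
    printf("original guard selected: %d\n", guard_selected(0x10000003UL, 0x1000004fUL));
    return 0;
}
```

The preprocessor compares the packed integer only, so a vendor suffix such as "-fips" never enters the comparison.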
