[CONC-272] Build failure with OpenSSL 0.9.8
Created: 2017-07-26  Updated: 2023-10-18  Resolved: 2017-07-27

Status: Closed
Project: MariaDB Connector/C
Component/s: None
Affects Version/s: 3.0.2
Fix Version/s: N/A

Type: Bug
Priority: Major
Reporter: Evan Miller
Assignee: Georg Richter
Resolution: Not a Bug
Votes: 0
Labels: None
Environment:

macOS 10.12.6



 Description   

Building against OpenSSL 0.9.8zh, I get the following error:

Scanning dependencies of target mariadb_obj
[  1%] Building C object libmariadb/CMakeFiles/mariadb_obj.dir/secure/openssl.c.o
/tmp/mariadb-connector-c-3.0.2-src/libmariadb/secure/openssl.c:247:5: warning: 
      implicit declaration of function 'CRYPTO_THREADID_set_callback' is invalid in C99
      [-Wimplicit-function-declaration]
    CRYPTO_THREADID_set_callback(my_cb_threadid);
    ^
1 warning generated.
[ 42%] Built target mariadb_obj
[ 43%] Linking C static library libmariadbclient.a
[ 43%] Built target mariadbclient
[ 44%] Linking C shared library libmariadb.dylib
Undefined symbols for architecture x86_64:
  "_CRYPTO_THREADID_set_callback", referenced from:
      _ma_tls_start in openssl.c.o
ld: symbol(s) not found for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make[2]: *** [libmariadb/libmariadb.3.dylib] Error 1
make[1]: *** [libmariadb/CMakeFiles/libmariadb.dir/all] Error 2
make: *** [all] Error 2

From the man page:

CRYPTO_THREADID and associated functions were introduced in OpenSSL 1.0.0 to replace (actually, deprecate) the previous CRYPTO_set_id_callback(), CRYPTO_get_id_callback(), and CRYPTO_thread_id() functions which assumed thread IDs to always be represented by 'unsigned long'.

The following patch fixes things:

--- openssl.c    2017-07-26 15:27:59.000000000 -0400
+++ openssl.c.fixed     2017-07-26 15:27:27.000000000 -0400
@@ -244,7 +244,11 @@
         pthread_mutex_init(&LOCK_crypto[i], NULL);
     }
     CRYPTO_set_locking_callback(my_cb_locking);
+#if OPENSSL_VERSION_NUMBER < 0x10000000L
+    CRYPTO_set_id_callback(my_cb_threadid);
+#else
     CRYPTO_THREADID_set_callback(my_cb_threadid);
+#endif
   }
   return 0;
 }
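
Review bot: The new pre-1.0.0 branch, CRYPTO_set_id_callback(my_cb_threadid), is only correct if my_cb_threadid is declared with the legacy unsigned long (void) signature under the same condition, and this hunk does not show that declaration. Make sure the guard here is the identical OPENSSL_VERSION_NUMBER < 0x10000000L test used where my_cb_threadid is defined, so the callback signature and the registration function cannot drift apart. A short comment on the #if stating that the branch exists only for OpenSSL releases older than 1.0.0, and that it uses the API the quoted man page describes as deprecated, would also help later readers.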



 Comments   
Comment by Georg Richter [ 2017-07-27 ]

Connector/C requires OpenSSL 1.0.1 or later.

Please read

Comment by Evan Miller [ 2017-07-27 ]

Hi, I realize old versions of OpenSSL are not supported; however, Mac OS X still ships with 0.9.8, and so I have to manually apply this patch on new releases of Connector/C. In addition, the Connector/C code has "#if OPENSSL_VERSION_NUMBER < 0x10000000L" in other places, so the provided patch isn't breaking new ground in terms of supporting 0.9.x. I humbly ask you to reconsider. Thanks.

Comment by Sergei Golubchik [ 2017-07-27 ]

The last release of OpenSSL 0.9.8 was on December 3, 2015. There were 45 CVE IDs for OpenSSL in 2016/2017, and while some of them don't apply to 0.9.8, many do. And they aren't and won't ever be fixed in 0.9.8.

This is, basically, why we don't want to encourage using MariaDB with OpenSSL 0.9.8.

If I had just one Mac to run MariaDB on, I'd either install a newer OpenSSL (with all these vulnerabilities fixed) or I'd simply edit the system openssl.h, adding something like

#define CRYPTO_THREADID_set_callback(X) CRYPTO_set_id_callback(X)

or I'd patch my copy of MariaDB with your patch.

If I had a fleet of Macs, I'd probably value security higher and install a newer OpenSSL.

Comment by Evan Miller [ 2017-07-27 ]

Thanks for the reply. This is for shipping software; I'd prefer to link against the Mac OS X system OpenSSL, and let Apple worry about keeping OpenSSL up-to-date via system updates, rather than provide OpenSSL separately, in which case I have to keep abreast of OpenSSL security issues myself.

If the issue remains closed, I will continue to apply the patch. If it makes any difference, the patch can be reduced to one line based on your suggestion:

--- openssl.c    2017-07-27 16:55:06.000000000 -0400
+++ openssl.c.fixed     2017-07-27 16:51:59.000000000 -0400
@@ -101,6 +101,7 @@
    set during ssl_initialization
  */
 #if OPENSSL_VERSION_NUMBER < 0x10000000L
+#define CRYPTO_THREADID_set_callback(X) CRYPTO_set_id_callback(X)
 static unsigned long my_cb_threadid(void)
 {
   /* cast pthread_t to unsigned long */
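
Review bot: The #define added inside the OPENSSL_VERSION_NUMBER < 0x10000000L block reuses an OpenSSL API name, so the call site still reads CRYPTO_THREADID_set_callback(my_cb_threadid) while actually registering the legacy unsigned long callback. CRYPTO_set_id_callback returns void whereas CRYPTO_THREADID_set_callback returns int, so a caller that later checks the result would fail to compile only on old OpenSSL. Consider a project-local wrapper name instead of redefining the library symbol, or at least a comment above the #define saying that it maps to the deprecated pre-1.0.0 function.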

I know you want to discourage use of OpenSSL 0.9.8, but the reality is that it's installed on every Mac and Apple is forced to keep fixing its security issues. In light of this situation, it would be great if Connector/C would compile against 0.9.8, even if the support is only unofficial.
