[pulseaudio-discuss] [PATCH] raop: add compatibility with openssl 1.1.0

Felipe Sateler fsateler at debian.org
Wed Nov 2 20:03:40 UTC 2016


On 10 September 2016 at 10:39, Tanu Kaskinen <tanuk at iki.fi> wrote:
> Openssl 1.1.0 made all structs opaque, which caused a build failure in
> raop_client.c. The struct member assignments are now replaced with a
> call to RSA_set0_key(). The function does not exist in older versions,
> so a compatibility macro was added.
>
> BugLink: https://bugs.freedesktop.org/show_bug.cgi?id=96726
> ---
>
> I have tested that this builds with old and new openssl, but I have not
> tested that the code works. I don't have any RAOP hardware.

I cannot test either. AFAICT, the compat looks good:

1. The macro does roughly the same as the real function[1], except for
freeing the previous values and some checks that don't apply here.
2. RSA_new appears to initialize n, e and d to zero, thus the freeing
is not necessary.

Therefore I conclude the part for compat with 1.1.0 is good.

I do have some comments below though.

[1] https://github.com/openssl/openssl/blob/OpenSSL_1_1_0/crypto/rsa/rsa_lib.c#L188-L212
Don't look for copying code here, as the license is not GPL-compatible AFAIK.

>
>
>  src/modules/raop/raop_client.c | 15 +++++++++++++--
>  1 file changed, 13 insertions(+), 2 deletions(-)
>
> diff --git a/src/modules/raop/raop_client.c b/src/modules/raop/raop_client.c
> index 3b6c36e..88de62c 100644
> --- a/src/modules/raop/raop_client.c
> +++ b/src/modules/raop/raop_client.c
> @@ -68,6 +68,14 @@
>
>  #define RAOP_PORT 5000
>
> +/* Openssl 1.1.0 broke compatibility. We could depend on openssl 1.1.0, but
> + * it may take some time before distributions are able to upgrade to the new
> + * openssl version. To insulate ourselves from such transition problems, let's
> + * add a compatibility macro. */
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +#define RSA_set0_key(r, n_, e_, d) (r->n = n_, r->e = e_, 1)

While as noted this appears to do the right thing, why not make it a
real function instead? This should make it nicer for debuggers too.

> +#endif
> +
>  struct pa_raop_client {
>      pa_core *core;
>      char *host;
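
Review bot: the compatibility macro `RSA_set0_key(r, n_, e_, d)` uses `r` unparenthesised (`r->n`), silently drops its `d` argument, and always evaluates to 1, so on pre-1.1.0 builds the return value that the caller checks carries no information. A `static inline int` function under the same `#if` would give type checking on the arguments, could store `d`, and could return 0 when `n_` or `e_` is NULL.
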
> @@ -161,12 +169,15 @@ static int rsa_encrypt(uint8_t *text, int len, uint8_t *res) {
>      uint8_t exponent[8];
>      int size;
>      RSA *rsa;
> +    BIGNUM *n_bn;
> +    BIGNUM *e_bn;
>
>      rsa = RSA_new();
>      size = pa_base64_decode(n, modules);
> -    rsa->n = BN_bin2bn(modules, size, NULL);
> +    n_bn = BN_bin2bn(modules, size, NULL);
>      size = pa_base64_decode(e, exponent);
> -    rsa->e = BN_bin2bn(exponent, size, NULL);
> +    e_bn = BN_bin2bn(exponent, size, NULL);
> +    pa_assert(RSA_set0_key(rsa, n_bn, e_bn, NULL) == 1);

Shouldn't this be pa_assert_se?

>
>      size = RSA_public_encrypt(len, text, res, rsa, RSA_PKCS1_OAEP_PADDING);
>      RSA_free(rsa);
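
Review bot: in rsa_encrypt() the results of `RSA_new()` and of both `BN_bin2bn()` calls (`n_bn`, `e_bn`) are used without a NULL check, and the only check added is `pa_assert(RSA_set0_key(rsa, n_bn, e_bn, NULL) == 1)`, which puts the call that installs the key inside the assertion expression. Suggest checking the allocations explicitly and returning an error on failure, and calling `RSA_set0_key()` outside the assertion so the key is set regardless of how assertions are compiled.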

-- 

Saludos,
Felipe Sateler

