On Fri, Feb 04, 2022 at 09:57:25AM +0100, Remi Tricot-Le Breton wrote:
>
>
> On 02/02/2022 17:49, William Lallemand wrote:
> >
> >> Subject: [PATCH 2/7] BUILD: SSL: define X509_OBJECT for BoringSSL
> >>
> >> X509_OBJECT is opaque in BoringSSL, since we still use it, let us move it
> >> to openssl-compat.h
> >>
> >> from
> >> https://boringssl.googlesource.com/boringssl/+/refs/heads/2924/include/openssl/x509_vfy.h#120
> > I'm not really fond of this kind of declaration, most of the time we
> > added helpers that were available in recent version of OpenSSL in this
> > file. But in this case, adding a whole structure that was removed...
> > with no guarantee that this will continue to work it's not a good idea.
> >
> > From what I get they aligned the opaque structures with the OpenSSL API,
> > so we probably will have the same problem with OpenSSL v3 without the
> > obsolete API. And we are currently in the process of porting it to
> > HAProxy. We probably need to change the code that uses X509_OBJECT.
> > So I suppose it will start to work during this portage.
> >
>
> X509_OBJECT and the APIs working on this structure were not marked as
> deprecated in OpenSSLv3, we are facing yet another place where BoringSSL
> seems a bit excessive in what they want to keep hidden.
> Managing BoringSSL would still be much more expensive than managing
> OpenSSLv3 if this kind of problem happens on many structures.
>

Thanks for the clarification Rémi, I now remember having this
conversation :-)

But when checking the commits they didn't make anything deprecated in
fact, they just made it opaque.

https://boringssl.googlesource.com/boringssl/+/dddb60eb9700110835ff6e2b429de40a17006429

In this commit they pretend aligning with OpenSSL, which might be the
case, if you take a look at openssl/x509.h, they still define:

- DEFINE_STACK_OF(X509_OBJECT)
- OPENSSL_EXPORT STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *st);

So either there is an export problem of the X509_OBJECT or we are
missing an include or something else is wrongly done.

I'll make some tests to check what's going on.

--
William Lallemand