Jason Fehr created IMPALA-14217:
-----------------------------------

             Summary: X509_get0_notBefore and X509_get0_notAfter Compile Error with OpenSSL 1.0
                 Key: IMPALA-14217
                 URL: https://issues.apache.org/jira/browse/IMPALA-14217
             Project: IMPALA
          Issue Type: Bug
    Affects Versions: Impala 4.5.0
            Reporter: Jason Fehr
            Assignee: Jason Fehr


IMPALA-13237 introduced code 
[here|https://gerrit.cloudera.org/c/23097/19/be/src/util/openssl-util.cc#182] 
and 
[here|https://gerrit.cloudera.org/c/23097/19/be/src/util/openssl-util.cc#186] 
that uses the X509_get0_notBefore and X509_get0_notAfter OpenSSL functions 
available in OpenSSL 1.1.1 and later versions.  Thus, when compiling against 
OpenSSL 1.0.x, the compilation fails.

The [OpenSSL 
doc|https://docs.openssl.org/3.0/man3/X509_get0_notBefore/#history] states the 
`X509_get_notBefore` and `X509_get_notAfter` functions were first deprecated in 
OpenSSL 1.1.0.  Digging into the OpenSSL code, the 1.0.x function definitions 
are 
[here|https://github.com/openssl/openssl/blob/d9e048ceac64d3f2cfa8b153271acd309e6a5edb/crypto/x509/x509.h#L612-L613].
In OpenSSL 1.1.0 and later, a macro is used to map the deprecated functions 
to the non-deprecated functions `X509_getm_notBefore` and `X509_getm_notAfter` 
[here|https://github.com/openssl/openssl/blob/8253b58d60eec11fdb5e5dbf9cc61f78a9b7095d/include/openssl/x509.h.in#L678-L679].

The only difference between the `X509_get0_` and `X509_getm_` functions is that 
the former returns a `const ASN1_TIME*` while the latter returns a mutable 
`ASN1_TIME*`.  Thus, it is safe to switch to the deprecated `X509_get_` 
functions.
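
An alternative to switching unconditionally is a version-gated wrapper that keeps the const accessors where they exist and falls back to `X509_get_` elsewhere. The sketch below is an added example, not Impala's code and not the reporter's fix. Assumptions: the names `cert_not_before`, `cert_not_after` and `USE_REAL_OPENSSL` are hypothetical, the gate uses the 1.1.1 threshold named in the issue, and the stand-in types are a constructed approximation of the 1.0.x header so the block compiles without libcrypto.

```c
#include <stdio.h>

#ifdef USE_REAL_OPENSSL /* hypothetical build flag: compile against libcrypto */
#include <openssl/opensslv.h>
#include <openssl/x509.h>
#else
/* Constructed stand-in shaped like the OpenSSL 1.0.x header: X509 is a public
 * struct and X509_get_notBefore/notAfter are macros that reach into it. */
#define OPENSSL_VERSION_NUMBER 0x1000200fL /* 1.0.2 */
typedef struct { const char *data; } ASN1_TIME;
typedef struct { ASN1_TIME *notBefore, *notAfter; } X509_VAL;
typedef struct { X509_VAL *validity; } X509_CINF;
typedef struct { X509_CINF *cert_info; } X509;
#define X509_get_notBefore(x) ((x)->cert_info->validity->notBefore)
#define X509_get_notAfter(x) ((x)->cert_info->validity->notAfter)
#endif

/* 0x10101000L encodes OpenSSL 1.1.1, the version the issue names for get0_*. */
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
static const ASN1_TIME *cert_not_before(const X509 *c) { return X509_get0_notBefore(c); }
static const ASN1_TIME *cert_not_after(const X509 *c) { return X509_get0_notAfter(c); }
#else
/* Older builds: X509_get_* yields a mutable ASN1_TIME*; the const return
 * type keeps callers read-only, matching the get0_* contract. */
static const ASN1_TIME *cert_not_before(const X509 *c) { return X509_get_notBefore(c); }
static const ASN1_TIME *cert_not_after(const X509 *c) { return X509_get_notAfter(c); }
#endif

#ifndef USE_REAL_OPENSSL
/* Constructed certificate validity (UTCTime strings) for the stand-in build. */
static ASN1_TIME nb = {"250101000000Z"}, na = {"260101000000Z"};
static X509_VAL val = {&nb, &na};
static X509_CINF cinf = {&val};
static X509 sample_cert = {&cinf};

int main(void) {
  printf("notBefore=%s notAfter=%s\n", cert_not_before(&sample_cert)->data,
         cert_not_after(&sample_cert)->data);
  return 0;
}
#endif
```

Callers that only ever see `const ASN1_TIME *` cannot modify the certificate's validity fields by accident, even on builds where the underlying accessor is the mutable one.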


