Fix build warnings with OpenSSL 4.0#4016
Conversation
📝 WalkthroughWalkthroughTwo functions in ChangesOpenSSL 4.0 TLS Compatibility
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/tls.c`:
- Around line 1322-1325: The buffer copy logic in the null-termination code path
has an unsigned integer underflow vulnerability when outlen is 0, causing
SIZE_MAX to be used as copy_len. Add a guard check at the beginning of this code
block to return early or handle the case where outlen equals 0, before the
subtraction operation in the copy_len calculation occurs. This prevents the
expression outlen - 1 from underflowing and writing past the buffer bounds.
- Around line 469-477: The error variable is declared but not initialized before
being passed to X509_check_certificate_times(). Since this function only writes
to the error parameter when it returns 0 (indicating failure or invalidity), but
the code only reads the error variable when the function returns 1 (success),
the variable is accessed uninitialized. Initialize the error variable to 0
before the X509_check_certificate_times() function call to ensure it has a
defined value when read.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
1f62de1 to
b3e7ab1
Compare
zuiderkwast
left a comment
There was a problem hiding this comment.
LGTM, thanks!
Do we run with OpenSSL 4 in any of the CI jobs or daily jobs? If not, is there an easy way to update one of them to use a distro that does, or just update OpenSSL in one of them?
fedora rawhide ( |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## unstable #4016 +/- ##
============================================
+ Coverage 76.75% 76.78% +0.03%
============================================
Files 162 162
Lines 81017 81021 +4
============================================
+ Hits 62187 62216 +29
+ Misses 18830 18805 -25
🚀 New features to boost your workflow:
|
Some functions are newly deprecated in OpenSSL 4.0, this commits works around those. More specifically: - X509_cmp_current_time() in isCertValid() is no longer necessary as X509_check_certificate_times() compares the notBefore and notAfter on its own. Had to add a version check since this function is new in OpenSSL 4.0. - Replace deprecated X509_NAME_get_text_by_NID. Not a perfect fix, because the new implementation still assumes that the name does not contain embedded null characters which may not be true, e.g., if the name is of type UniversalString or BMPString. - Also fix constness of X509_get_subject_name return value for modern OpenSSL versions The latter two fixes are taken from this Fedora patch: https://src.fedoraproject.org/rpms/valkey/c/1a9c8847172ef3fb116a1e2fdb3871692378adae?branch=rawhide Signed-off-by: Petr Khartskhaev <pkhartsk@redhat.com>
b3e7ab1 to
ee48897
Compare
|
Yup, the fedora test passes, where openssl 4 is installed here |
|
Changed the title "Fix build failures" -> "warnings". It's just deprecated functions - so unless compiled with |
|
Let's backport to all versions. Old versions can run on new OS versions with new OpenSSL versions too, so backporting prevents future CI problems for these branches. (Assuming it applies cleanly - if not we could skip it.) |
Yes, should I rename the commit too?
I think the first hunk will fail as that function doesn't exist in any released version as of now, the second one seems to only be present in =>9.0 |
| return false; | ||
| } | ||
| if (error > 0) { | ||
| serverLog(LL_WARNING, "X509_check_certificate_times() returned error %d", error); |
There was a problem hiding this comment.
I don't think we need this warning in logs. I could be wrong but seems like a specific error for a function.
There was a problem hiding this comment.
The integer pointed to by error will be set to X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD or X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD if the certificate has an invalid notBefore or notAfter field, respectively.
The integer pointed to by error will be set to X509_V_ERR_CERT_NOT_YET_VALID or X509_V_ERR_CERT_HAS_EXPIRED if the verification time is outside of the certificate's correctly encoded validity window as per RFC5280.
I'd say this is actually pretty useful to have, though I agree that just outputting a random integer is hardly helpful. Also this is stupid since this if statement will never be reached. Could be solved by either switch casing it or outputting a better-worded general error BEFORE returning false, or just removing this statement completely.
There was a problem hiding this comment.
Yeah, this is not logged when the certificate is simply expired. It's only on other errors, which are likely configuration/admin errors. I agree it can be good to have.
There was a problem hiding this comment.
I see you've already merged (thanks!), so I put the code fixing this into #4064. This unreachable if statement does no harm, but still.. :D
|
|
||
| if (nid == -1) return 0; | ||
|
|
||
| #if OPENSSL_VERSION_NUMBER >= 0x30000000L |
There was a problem hiding this comment.
Any harm in directly using const? without the version check?
There was a problem hiding this comment.
Apparently, in 1.1.1 it's not const. Not sure if we have 1.1.1 in any of our CI jobs though - it would show a compile warning I guess. See #4016 (comment) above.
There was a problem hiding this comment.
Threw a warning for me on RHEL8 w/ 1.1.1.
See this almalinux8 build before I pushed this version check https://github.com/valkey-io/valkey/actions/runs/28020409485/job/82935479930
No, it's not necessary. We squash-merge and use the PR title and description as commit message.
Ok, so we should backport to 9.0 and 9.1 only then. Thanks for checking! |
Some functions are newly deprecated in OpenSSL 4.0. This commit works around those. More specifically: - X509_cmp_current_time() in isCertValid() is no longer necessary as X509_check_certificate_times() compares the notBefore and notAfter on its own. Had to add a version check since this function is new in OpenSSL 4.0. - Replace deprecated X509_NAME_get_text_by_NID. Not a perfect fix, because the new implementation still assumes that the name does not contain embedded null characters which may not be true, e.g., if the name is of type UniversalString or BMPString. - Also fix constness of X509_get_subject_name return value. The latter two fixes are taken from this Fedora patch: https://src.fedoraproject.org/rpms/valkey/c/1a9c8847172ef3fb116a1e2fdb3871692378adae?branch=rawhide Closes #4012 Signed-off-by: Petr Khartskhaev <pkhartsk@redhat.com>
Some functions are newly deprecated in OpenSSL 4.0. This commit works around those. More specifically: - X509_cmp_current_time() in isCertValid() is no longer necessary as X509_check_certificate_times() compares the notBefore and notAfter on its own. Had to add a version check since this function is new in OpenSSL 4.0. - Replace deprecated X509_NAME_get_text_by_NID. Not a perfect fix, because the new implementation still assumes that the name does not contain embedded null characters which may not be true, e.g., if the name is of type UniversalString or BMPString. - Also fix constness of X509_get_subject_name return value. The latter two fixes are taken from this Fedora patch: https://src.fedoraproject.org/rpms/valkey/c/1a9c8847172ef3fb116a1e2fdb3871692378adae?branch=rawhide Closes #4012 Signed-off-by: Petr Khartskhaev <pkhartsk@redhat.com>
Some functions are newly deprecated in OpenSSL 4.0, this commits works around those. More specifically:
X509_cmp_current_time() in isCertValid() is no longer necessary as X509_check_certificate_times() compares the notBefore and notAfter on its own. Had to add a version check since this function is new in OpenSSL 4.0.
Replace deprecated X509_NAME_get_text_by_NID. Not a perfect fix, because the new implementation still assumes that the name does not contain embedded null characters which may not be true, e.g., if the name is of type UniversalString or BMPString.
Also fix constness of X509_get_subject_name return value.
The latter two fixes are taken from this Fedora patch: https://src.fedoraproject.org/rpms/valkey/c/1a9c8847172ef3fb116a1e2fdb3871692378adae?branch=rawhide
Closes #4012