"Dereferencing Pointer To Incomplete Type" on ARM

I swear I had built the hg default version on my AMD64 just fine, but now I’m doing it on my ARM device running Ubuntu 15.04 with kernel 4.2.
I used the default system openssl, but also tried with the master git version all with the same result.

Attempts with:

  1. ./auto/configure --with-http_ssl_module --with-ipv6
  2. ./auto/configure --with-http_ssl_module --with-ipv6 --with-cc-opt="-I /usr/local/ssl/include -I /usr/local/include" --with-ld-opt="-L /usr/local/ssl/lib -L /usr/local/lib"
  3. ./auto/configure --with-ipv6 --with-http_ssl_module --with-openssl=/src/openssl/

and of course “make”.

src/event/ngx_event_openssl.c: In function ‘ngx_ssl_handshake’:
src/event/ngx_event_openssl.c:1164:31: error: dereferencing pointer to incomplete type
if (c->ssl->connection->s3) {
^
src/event/ngx_event_openssl.c:1165:31: error: dereferencing pointer to incomplete type
c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
^


“./auto/configure --with-ipv6” built with no problems.

Posted at Nginx Forum:

Looks like it isn’t just nginx (or even more likely IS an openssl issue)
because I just encountered it again with pjproject:


…/src/pj/ssl_sock_ossl.c:1001:5: warning: implicit declaration of function ‘M_ASN1_STRING_length’ [-Wimplicit-function-declaration]
len = M_ASN1_STRING_length(X509_get_serialNumber(x));
^
…/src/pj/ssl_sock_ossl.c: In function ‘pj_ssl_sock_get_info’:
…/src/pj/ssl_sock_ossl.c:2285:24: error: dereferencing pointer to incomplete type
info->cipher = (cipher->id & 0x00FFFFFF);
^


Posted at Nginx Forum:

Hello!

On Wed, Aug 19, 2015 at 09:15:07AM -0400, vindicator wrote:

  1. ./auto/configure --with-ipv6 --with-http_ssl_module
    c->ssl->connection->s3->flags |=
    SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
    ^

“./auto/configure --with-ipv6” built with no problems.

Looks like you have OPENSSL_NO_SSL_INTERN defined by default in your system.
Try this patch:

— a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -1159,6 +1159,7 @@ ngx_ssl_handshake(ngx_connection_t *c)
c->send_chain = ngx_ssl_send_chain;

#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
+#ifndef OPENSSL_NO_SSL_INTERN

     /* initial handshake done, disable renegotiation 

(CVE-2009-3555) */
if (c->ssl->connection->s3) {
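Review bot: with the new "#ifndef OPENSSL_NO_SSL_INTERN" placed directly under "#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS", a build that defines OPENSSL_NO_SSL_INTERN compiles out the whole "disable renegotiation (CVE-2009-3555)" block without any diagnostic. Consider an "#else" branch that at least documents what protects such builds from renegotiation, or that emits a build-time warning, so the mitigation does not disappear silently.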
@@ -1166,6 +1167,7 @@ ngx_ssl_handshake(ngx_connection_t *c)
}

#endif
+#endif

     return NGX_OK;
 }
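Review bot: the added "#endif" sits directly under the existing "#endif" with nothing to tell the two apart. A trailing comment naming the condition each one closes (OPENSSL_NO_SSL_INTERN for the new one, SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS for the existing one) would keep the nesting readable.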


Maxim D.
http://nginx.org/

Hello!

On Mon, Aug 24, 2015 at 10:40:05PM -0400, vindicator wrote:

                           ^
     ^

cc1: all warnings being treated as errors


[…]

Oh, it looks like you are trying to build nginx against OpenSSL
master branch. As OpenSSL guys are changing things rapidly
nowadays, it’s not really going to work. Try any released version
instead.

Quick and dirty fix below, but I wouldn’t bet it will be enough to
build with OpenSSL master even in a week from now.

— a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -1159,6 +1159,7 @@ ngx_ssl_handshake(ngx_connection_t *c)
c->send_chain = ngx_ssl_send_chain;

#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
+#if 0

     /* initial handshake done, disable renegotiation 

(CVE-2009-3555) */
if (c->ssl->connection->s3) {
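Review bot: "#if 0" under "#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS" removes the renegotiation-disable block (CVE-2009-3555) unconditionally, including for builds where c->ssl->connection->s3 is still accessible. If this is to live beyond a local workaround, replace the constant 0 with a test for the library configuration that hides the struct, so builds against released versions keep the mitigation.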
@@ -1166,6 +1167,7 @@ ngx_ssl_handshake(ngx_connection_t *c)
}

#endif
+#endif

     return NGX_OK;
 }

@@ -2861,7 +2863,7 @@ ngx_ssl_session_ticket_key_callback(ngx_
ngx_hex_dump(buf, key[0].name, 16) - buf, buf,
SSL_session_reused(ssl_conn) ? “reused” :
“new”);

  •    RAND_pseudo_bytes(iv, 16);
    
  •    RAND_bytes(iv, 16);
       EVP_EncryptInit_ex(ectx, EVP_aes_128_cbc(), NULL, 
    

key[0].aes_key, iv);
HMAC_Init_ex(hctx, key[0].hmac_key, 16,
ngx_ssl_session_ticket_md(), NULL);
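Review bot: the replacement call RAND_bytes(iv, 16) discards its return value. RAND_bytes returns 1 only on success, so on failure iv keeps whatever it held before and is passed straight into EVP_EncryptInit_ex on the next line. Check the result and fail the callback when it is not 1.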


Maxim D.
http://nginx.org/

Thanks, but no. I’m still getting that error:


cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -I src/core -I src/event -I src/event/modules -I src/os/unix -I objs -o objs/src/event/ngx_event_openssl.o src/event/ngx_event_openssl.c
src/event/ngx_event_openssl.c: In function ‘ngx_ssl_handshake’:
src/event/ngx_event_openssl.c:1165:31: error: dereferencing pointer to incomplete type
if (c->ssl->connection->s3) {
^
src/event/ngx_event_openssl.c:1166:31: error: dereferencing pointer to incomplete type
c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
^
src/event/ngx_event_openssl.c: In function ‘ngx_ssl_session_ticket_key_callback’:
src/event/ngx_event_openssl.c:2866:9: error: implicit declaration of function ‘RAND_pseudo_bytes’ [-Werror=implicit-function-declaration]
RAND_pseudo_bytes(iv, 16);
^
cc1: all warnings being treated as errors


Changed code section:


    c->recv_chain = ngx_ssl_recv_chain;
    c->send_chain = ngx_ssl_send_chain;

#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
#ifndef OPENSSL_NO_SSL_INTERN

    /* initial handshake done, disable renegotiation (CVE-2009-3555) */
    if (c->ssl->connection->s3) {
        c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
    }

#endif
#endif

    return NGX_OK;
}

sslerr = SSL_get_error(c->ssl->connection, n);

Just adding that I clean the source before each build attempt via:


hg --config "extensions.purge=" purge --all
hg revert --all


I also don’t know where I’d find if “OPENSSL_NO_SSL_INTERN” was already defined. printenv doesn’t show it, nor does a recursive grep in /etc or ~.
Let me know if there are any other tests you’d like me to try or any other information you need from me that may help.

Posted at Nginx Forum:
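The compiler error discussed in this thread, and a guard that keeps the hardening step in both build configurations, shown as an added example that is not code from the thread, nginx or OpenSSL. The `demo_*` names and `DEMO_EXPOSE_INTERNALS` are hypothetical stand-ins for an opaque library handle, and the accessor fallback is an assumption about what a library could offer, not a statement about OpenSSL's API.

```c
/* Added illustration: every demo_* / DEMO_* name is hypothetical. */
#include <stdio.h>

#define DEMO_FLAG_NO_RENEG 0x0001UL

/* "Public header": the handle is only declared, so its type is incomplete
 * for application code, like the SSL connection in the thread's build. */
typedef struct demo_ssl_st demo_ssl;
demo_ssl     *demo_ssl_new(void);
void          demo_ssl_set_flags(demo_ssl *s, unsigned long flags);
unsigned long demo_ssl_get_flags(const demo_ssl *s);

#ifdef DEMO_EXPOSE_INTERNALS
/* Older-style header that also publishes the layout. */
struct demo_ssl_st { unsigned long flags; };
#endif

/* Application code, shaped like the guarded block in ngx_ssl_handshake().
 * Returns 1 when the no-renegotiation flag is set afterwards. */
int app_disable_renegotiation(demo_ssl *s)
{
#ifdef DEMO_EXPOSE_INTERNALS
    s->flags |= DEMO_FLAG_NO_RENEG;      /* needs the complete type */
#else
    /* Writing s->flags here fails with
     * "dereferencing pointer to incomplete type".
     * The #else keeps the hardening instead of compiling it out. */
    demo_ssl_set_flags(s, DEMO_FLAG_NO_RENEG);
#endif
    return (demo_ssl_get_flags(s) & DEMO_FLAG_NO_RENEG) != 0;
}

/* "Library translation unit": the only place that knows the layout. */
#ifndef DEMO_EXPOSE_INTERNALS
struct demo_ssl_st { unsigned long flags; };
#endif
static demo_ssl demo_instance;

demo_ssl *demo_ssl_new(void) { demo_instance.flags = 0; return &demo_instance; }
void demo_ssl_set_flags(demo_ssl *s, unsigned long f) { s->flags |= f; }
unsigned long demo_ssl_get_flags(const demo_ssl *s) { return s->flags; }

int main(void)
{
    demo_ssl *s = demo_ssl_new();
    printf("renegotiation disabled: %d\n", app_disable_renegotiation(s));
    return 0;
}
```

Building once as is and once with `-DDEMO_EXPOSE_INTERNALS` exercises both branches; the function returns 1 in either build.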