Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#1038 closed Bug / Defect (fixed-external)

OpenVPN-2.4.5 fails to build against libressl-2.6.4 due to bad ifdef check

Reported by: faminebadger Owned by: Steffan Karger
Priority: minor Milestone:
Component: Crypto Version: OpenVPN 2.4.5 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc:

Description

Updating my gentoo system today, I got a build failure from openvpn, as follows:

  In file included from crypto_openssl.c:44:0:
  openssl_compat.h:717:1: error: conflicting types for ‘SSL_CTX_set_min_proto_version’
   SSL_CTX_set_min_proto_version(SSL_CTX *ctx, long tls_ver_min)
   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  In file included from openssl_compat.h:45:0,
                   from crypto_openssl.c:44:
  /usr/include/openssl/ssl.h:1175:5: note: previous declaration of ‘SSL_CTX_set_min_proto_version’ was here
   int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version);
       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  In file included from crypto_openssl.c:44:0:
  openssl_compat.h:746:1: error: conflicting types for ‘SSL_CTX_set_max_proto_version’
   SSL_CTX_set_max_proto_version(SSL_CTX *ctx, long tls_ver_max)
   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  In file included from openssl_compat.h:45:0,
                   from crypto_openssl.c:44:
  /usr/include/openssl/ssl.h:1176:5: note: previous declaration of ‘SSL_CTX_set_max_proto_version’ was here
   int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version);
       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  make[3]: *** [Makefile:718: crypto_openssl.o] Error 1

It appears the file openssl_compat.h is making assumptions that openssl functions are implemented as defines to other functions. This is no longer true for libressl >= 2.6.4, as can be seen comparing the ssl.h files:

Libressl:

  int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version);
  int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version);

Openssl:

  #define SSL_CTX_set_min_proto_version(ctx, version) \
          SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
  #define SSL_CTX_set_max_proto_version(ctx, version) \
          SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)

I've made a patch that works for me (attached), but I'm not sure the best general purpose solution - certainly relying on functions like these always being defines seems a bit spurious.

Attachments (1)

libressl.patch (812 bytes) - added by faminebadger 3 years ago.
Patch to remove spurious local function in presence of libressl

Download all attachments as: .zip

Change History (5)

Changed 3 years ago by faminebadger

Attachment: libressl.patch added

Patch to remove spurious local function in presence of libressl

comment:1 Changed 3 years ago by faminebadger

Sorry, I left the "component" field at its default by mistake - it should be "Building/Compiling?" I guess, but I can't seem to change it now.

Last edited 3 years ago by faminebadger (previous) (diff)

comment:2 Changed 3 years ago by Gert Döring

Component: Access ServerCrypto
Owner: changed from jamesyonan to Steffan Karger
Priority: criticalminor
Resolution: fixed-external
Status: newclosed

For the time being, build against OpenSSL or mbedTLS.

LibreSSL in 2.4.5 is not a supported crypto backend, so if it breaks, that's how it is.

This said, we've made contacts with the OpenBSD and LibreSSL community (or, to be more precise, we got friendly offers for help with this) and will make this a supported backend - thus, from 2.4.6 onwards, please feel free to open a bug if it still fails :-)

(I am closing this ticket not due to "we are not going to fix it" but because discussions on how to make this really proper are ongoing on th openvpn-devel list already)

comment:3 Changed 3 years ago by Gert Döring

Version: OpenVPN 2.4.5 (Community Ed)

comment:4 Changed 3 years ago by j.ca

A nice patch that doesn't hardcode any implementation-specific version number was proposed by Selva Nair on the mailing-list:

https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16614.html

Maybe use this diff instead?

Also, LibreSSL-2.7.x should restore compatibility with openvpn-2.4.5, #defines were added in HEAD:

https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/ssl.h.diff?r1=1.145&r2=1.146

Note: See TracTickets for help on using tickets.