#1038 closed Bug / Defect (fixed-external)
OpenVPN-2.4.5 fails to build against libressl-2.6.4 due to bad ifdef check
Reported by: | faminebadger | Owned by: | Steffan Karger |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | Crypto | Version: | OpenVPN 2.4.5 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: |
Description
Updating my gentoo system today, I got a build failure from openvpn, as follows:
```
In file included from crypto_openssl.c:44:0:
openssl_compat.h:717:1: error: conflicting types for ‘SSL_CTX_set_min_proto_version’
 SSL_CTX_set_min_proto_version(SSL_CTX *ctx, long tls_ver_min)
 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from openssl_compat.h:45:0,
                 from crypto_openssl.c:44:
/usr/include/openssl/ssl.h:1175:5: note: previous declaration of ‘SSL_CTX_set_min_proto_version’ was here
 int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version);
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from crypto_openssl.c:44:0:
openssl_compat.h:746:1: error: conflicting types for ‘SSL_CTX_set_max_proto_version’
 SSL_CTX_set_max_proto_version(SSL_CTX *ctx, long tls_ver_max)
 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from openssl_compat.h:45:0,
                 from crypto_openssl.c:44:
/usr/include/openssl/ssl.h:1176:5: note: previous declaration of ‘SSL_CTX_set_max_proto_version’ was here
 int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version);
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
make[3]: *** [Makefile:718: crypto_openssl.o] Error 1
```
It appears the file openssl_compat.h is making assumptions that openssl functions are implemented as defines to other functions. This is no longer true for libressl >= 2.6.4, as can be seen comparing the ssl.h files:
Libressl:
```c
int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version);
int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version);
```
Openssl:
```c
#define SSL_CTX_set_min_proto_version(ctx, version) \
        SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
#define SSL_CTX_set_max_proto_version(ctx, version) \
        SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
```
I've made a patch that works for me (attached), but I'm not sure of the best general-purpose solution - certainly relying on functions like these always being defines seems a bit spurious.
Attachments (1)
Change History (5)
Changed 7 years ago by
Attachment: | libressl.patch added |
---|
comment:1 Changed 7 years ago by
Sorry, I left the "component" field at its default by mistake - it should be "Building/Compiling?" I guess, but I can't seem to change it now.
comment:2 Changed 7 years ago by
Component: | Access Server → Crypto |
---|---|
Owner: | changed from jamesyonan to Steffan Karger |
Priority: | critical → minor |
Resolution: | → fixed-external |
Status: | new → closed |
For the time being, build against OpenSSL or mbedTLS.
LibreSSL in 2.4.5 is not a supported crypto backend, so if it breaks, that's how it is.
This said, we've made contacts with the OpenBSD and LibreSSL community (or, to be more precise, we got friendly offers for help with this) and will make this a supported backend - thus, from 2.4.6 onwards, please feel free to open a bug if it still fails :-)
(I am closing this ticket not due to "we are not going to fix it" but because discussions on how to make this really proper are ongoing on the openvpn-devel list already)
comment:3 Changed 7 years ago by
Version: | → OpenVPN 2.4.5 (Community Ed) |
---|
comment:4 Changed 7 years ago by
A nice patch that doesn't hardcode any implementation-specific version number was proposed by Selva Nair on the mailing-list:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16614.html
Maybe use this diff instead?
Also, LibreSSL-2.7.x should restore compatibility with openvpn-2.4.5, #defines were added in HEAD:
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/ssl.h.diff?r1=1.145&r2=1.146
Patch to remove spurious local function in presence of libressl
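The failure mode reported in this ticket, as an added example that is not part of the ticket, the attached patch or the mailing-list patch: a compat shim collides with a library that exports the same name as a real function, and a guard based on a build-time probe avoids that. All `demo_*` names and `HAVE_DEMO_SET_MIN_PROTO_VERSION` are hypothetical stand-ins, and the probe flag is assumed to come from a generated `config.h`.

```c
/* Added illustration: every demo_* name is a hypothetical stand-in, not
 * OpenSSL, LibreSSL or OpenVPN code. DEMO_API picks how the "library" exports
 * the setter: 0 = absent (old library), 1 = macro, 2 = real function. */
#include <stdint.h>
#ifndef DEMO_API
#define DEMO_API 2
#endif
typedef struct { uint16_t min_ver; } demo_ctx;  /* stand-in for SSL_CTX */
#define DEMO_CTRL_SET_MIN 123                   /* constructed value */

static long demo_ctx_ctrl(demo_ctx *ctx, int cmd, long arg)
{
    if (cmd != DEMO_CTRL_SET_MIN || arg < 0 || arg > UINT16_MAX)
        return 0;
    ctx->min_ver = (uint16_t)arg;
    return 1;
}
/* ---- "library header" ---- */
#if DEMO_API == 1
#define demo_set_min_proto_version(ctx, v) \
    demo_ctx_ctrl((ctx), DEMO_CTRL_SET_MIN, (v))
#elif DEMO_API == 2
static int demo_set_min_proto_version(demo_ctx *ctx, uint16_t version)
{
    return (int)demo_ctx_ctrl(ctx, DEMO_CTRL_SET_MIN, version);
}
#endif

/* ---- "compat header" ----
 * A guard of "#ifndef demo_set_min_proto_version" only sees macros: with
 * DEMO_API == 2 it would still emit the shim, which then collides with the
 * prototype above (long vs uint16_t, "conflicting types").
 * Guard used here: a probe flag that is set for the macro and function forms. */
#if DEMO_API != 0
#define HAVE_DEMO_SET_MIN_PROTO_VERSION 1       /* stands in for config.h */
#endif
#ifndef HAVE_DEMO_SET_MIN_PROTO_VERSION
static int demo_set_min_proto_version(demo_ctx *ctx, long tls_ver_min)
{
    return (int)demo_ctx_ctrl(ctx, DEMO_CTRL_SET_MIN, tls_ver_min);
}
#endif

/* Caller code is the same for all three library flavours. */
int demo_pin_min(demo_ctx *ctx, uint16_t ver)
{
    return demo_set_min_proto_version(ctx, ver) == 1;
}
int main(void) { demo_ctx c = {0}; return demo_pin_min(&c, 0x0303) ? 0 : 1; }
```

Compiling with `-DDEMO_API=0` or `-DDEMO_API=1` builds the other two flavours against the same caller.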