Bug 61184 - [PATCH] Fix build with LibreSSL in 2.4.26-dev
Summary: [PATCH] Fix build with LibreSSL in 2.4.26-dev
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.4-HEAD
Hardware: PC FreeBSD
Importance: P2 normal with 3 votes
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: FixedInTrunk, PatchAvailable
Depends on:
Blocks:
 
Reported: 2017-06-13 20:07 UTC by Bernard Spil
Modified: 2017-10-03 12:02 UTC
CC: 2 users

Attachments
unified diff for httpd 2.4.26-dev (3.38 KB, patch) - 2017-06-13 20:07 UTC, Bernard Spil
Build log FreeBSD 11.0-p9 (355.11 KB, text/plain) - 2017-06-13 20:38 UTC, Bernard Spil
unified diff for httpd 2.4.26-dev (6.90 KB, patch) - 2017-06-13 21:08 UTC, Bernard Spil
Build log FreeBSD 11.0-p9 (349.61 KB, text/plain) - 2017-06-13 21:12 UTC, Bernard Spil
unified diff for Apache 2.4.26 (8.86 KB, patch) - 2017-06-20 20:13 UTC, Bernard Spil
Build log FreeBSD 11.0-p9 (349.61 KB, text/plain) - 2017-06-20 20:16 UTC, Bernard Spil
unified diff for Apache 2.4.26 (9.10 KB, patch) - 2017-06-23 08:28 UTC, Bernard Spil

Description Bernard Spil 2017-06-13 20:07:13 UTC
Created attachment 35052
unified diff for httpd 2.4.26-dev

Hi,

Just tried building httpd 2.4.26-dev with LibreSSL and ran into some compile failures. These failures are related to the added OpenSSL 1.1 support in 2.4.26.

LibreSSL defines OPENSSL_VERSION_NUMBER as 0x20000000L whereas it does not implement all post-1.0.1f (point of forking) features. LibreSSL added LIBRESSL_VERSION_NUMBER allowing checks.

Attached patches touch mod_ssl and ab. Adding checks for defined(LIBRESSL_VERSION_NUMBER).

Hope you can still include these in the release.

Thanks,

Bernard Spil
Maintainer of OpenSSL and LibreSSL ports in FreeBSD.
Comment 1 Bernard Spil 2017-06-13 20:38:28 UTC
Created attachment 35053
Build log FreeBSD 11.0-p9

Poudriere logs on FreeBSD 11.0-p9 with LibreSSL replacing OpenSSL in base.
Comment 2 Bernard Spil 2017-06-13 21:08:10 UTC
Created attachment 35054
unified diff for httpd 2.4.26-dev

Replaced patches; they were incomplete. Built OK but still had warnings.
This patch-set stopped all compile warnings.
Comment 3 Bernard Spil 2017-06-13 21:12:59 UTC
Created attachment 35055
Build log FreeBSD 11.0-p9

Built with new patch-set
Comment 4 Stefan Eissing 2017-06-15 11:08:34 UTC
Hmm. This looks ugly. Would it make more sense to re#define Libressl's sense of superiority? Something like

#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x20000000L
#undef OPENSSL_VERSION_NUMBER
#define OPENSSL_VERSION_NUMBER 0x1000200eL
#endif

Or whatever version it currently is closest to? You know better than me.

Regarding the release: what would the impact be if you need to patch that yourself for Debian? I am not sure if we want to restart the already late release only for this. If something else comes up, we can take it in, of course.
Comment 5 Stefan Eissing 2017-06-15 11:09:53 UTC
What I meant was

#if defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x20000000L
...
Comment 6 Bernard Spil 2017-06-20 20:13:02 UTC
Created attachment 35062
unified diff for Apache 2.4.26
Comment 7 Bernard Spil 2017-06-20 20:16:29 UTC
Created attachment 35063
Build log FreeBSD 11.0-p9

I went through the code more rigorously checking diff between 2.4.25 and 2.4.26 for changes that I needed to tend to. Further to that I verified method availability in LibreSSL 2.5.4.

Please do review this thoroughly!

Thanks,

Bernard.
Comment 8 Bernard Spil 2017-06-23 08:28:37 UTC
Created attachment 35070
unified diff for Apache 2.4.26

Updated patch for support/ab.c
"next release of LibreSSL (2.6.x) will contain SSL_CTX_set_{min,max}_proto_version() and it is already available in -current." see https://github.com/libressl-portable/openbsd/commit/56f107201baefb5533486d665a58d8f57fd3aeda
Comment 9 Yann Ylavic 2017-06-24 11:36:24 UTC
(In reply to Bernard Spil from comment #8)
> 
> "next release of LibreSSL (2.6.x) will contain
> SSL_CTX_set_{min,max}_proto_version() and it is already available in
> -current."

So wouldn't something like:
    #if defined(LIBRESSL_VERSION_NUMBER) \
        && !defined(SSL_CTRL_SET_MIN/MAX_PROTO_VERSION)
or:     && !defined(SSL_CTX_set_min/max_proto_version)
be relevant right now?

Also, instead of:
    #if OPENSSL_VERSION_NUMBER < 0x10100000L \
        || defined(LIBRESSL_VERSION_NUMBER)
all over the place, couldn't we:
    #if OPENSSL_VERSION_NUMBER >= 0x10100000L \
        && !defined(LIBRESSL_VERSION_NUMBER)
    #define MODSSL_HAVE_SSL_1_1_API 1
    #endif
and test this instead (maybe with a better name)?


Thanks for the patch anyway! I plan to commit it but wanted your/the team's feedback on this change before.
Comment 10 Christian Schmidt 2017-06-29 06:31:59 UTC
I think you also need to change ssl_engine_vars.c lines 117-121.

#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
        md = EVP_get_digestbynid(OBJ_obj2nid(x->sig_alg->algorithm));
#else
        md = EVP_get_digestbynid(X509_get_signature_nid(x));
#endif


Otherwise, I get the following error when starting the server:

httpd: Syntax error on line 139 of /usr/local/apache2/conf/httpd.conf: Cannot load modules/mod_ssl.so into server: Error relocating /usr/local/apache2/modules/mod_ssl.so: X509_get_signature_nid: symbol not found
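To make the guards discussed in comments 9 and 10 concrete, here is an added example (not code from the httpd patch or from mod_ssl) that models how each check resolves for OpenSSL 1.0.2, OpenSSL 1.1.0 and LibreSSL 2.5.x/2.6.x. It does not include OpenSSL headers; the values a build would see from opensslv.h are stored in a constructed table so all four builds can be compared in one run, and the version numbers are the ones quoted in this thread.

```c
#include <string.h>

/* Constructed model of what a build sees from <openssl/opensslv.h> and
 * <openssl/ssl.h>: OPENSSL_VERSION_NUMBER, whether LIBRESSL_VERSION_NUMBER
 * is defined, and whether SSL_CTRL_SET_MIN_PROTO_VERSION is defined. */
struct ssl_build {
    const char   *name;
    unsigned long openssl_version;   /* OPENSSL_VERSION_NUMBER */
    int           libressl_defined;  /* defined(LIBRESSL_VERSION_NUMBER) */
    int           min_proto_ctrl;    /* defined(SSL_CTRL_SET_MIN_PROTO_VERSION) */
};

/* Guard as shipped in 2.4.26: version number only.  LibreSSL reports
 * 0x20000000L, so this selects the 1.1 API it does not implement. */
int version_only_says_1_1(const struct ssl_build *b)
{
    return b->openssl_version >= 0x10100000L;
}

/* Single feature macro proposed in comment 9 (MODSSL_HAVE_SSL_1_1_API):
 * OpenSSL >= 1.1.0 and not LibreSSL, whatever LibreSSL's number says. */
int modssl_have_ssl_1_1_api(const struct ssl_build *b)
{
    return b->openssl_version >= 0x10100000L && !b->libressl_defined;
}

/* Feature test from comment 9 for SSL_CTX_set_{min,max}_proto_version():
 * OpenSSL >= 1.1.0 has them; LibreSSL only once the ctrl macro exists. */
int have_set_proto_version(const struct ssl_build *b)
{
    if (b->libressl_defined)
        return b->min_proto_ctrl;
    return b->openssl_version >= 0x10100000L;
}

/* Which signature-digest lookup from comment 10 a build would compile.
 * Picking the first one on LibreSSL is what produced the relocation error. */
const char *sig_nid_call(const struct ssl_build *b)
{
    return modssl_have_ssl_1_1_api(b) ? "X509_get_signature_nid"
                                      : "OBJ_obj2nid(x->sig_alg->algorithm)";
}

/* Constructed sample builds (hypothetical table, not real header output). */
const struct ssl_build openssl_102 = { "OpenSSL 1.0.2",  0x1000200eL, 0, 0 };
const struct ssl_build openssl_110 = { "OpenSSL 1.1.0",  0x10100000L, 0, 1 };
const struct ssl_build libressl_25 = { "LibreSSL 2.5.x", 0x20000000L, 1, 0 };
const struct ssl_build libressl_26 = { "LibreSSL 2.6.x", 0x20000000L, 1, 1 };
```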
Comment 11 Yann Ylavic 2017-07-29 23:34:16 UTC
Committed to trunk in r1803396 and proposed for backport to 2.4.x.
Comment 12 Yann Ylavic 2017-10-03 12:02:41 UTC
Backported to 2.4.28 in r1807734.