Bug 62346 - LibreSSL 2.7.2+ blocks load of mod_ssl, Undefined symbol "OPENSSL_malloc_init"
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.4.33
Hardware: PC FreeBSD
Importance: P2 blocker
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2018-05-02 10:34 UTC by gessel
Modified: 2018-05-02 19:33 UTC

Attachments
Backport r1828222 + r1830522 (3.72 KB, patch)
2018-05-02 16:11 UTC, Yann Ylavic

Description gessel 2018-05-02 10:34:32 UTC
LibreSSL 2.7.2's inclusion into the ports tree has created a bit of a rash of issues.  Most are documented at https://wiki.freebsd.org/LibreSSL/2.7.  Apache24 is listed as patched and does, in fact, build without glaring errors.  

And, after patching a few ports that don't have their patches integrated yet, I can rebuild all ports without fails https://forums.freebsd.org/threads/python27-problem-at-packaging-stage.51189/page-2#post-386195

However, in my environment (at least) it will not start - this is on every jail I have - Apache24 will not start:
httpd: Syntax error on line 130 of /usr/local/etc/apache24/httpd.conf: Cannot load libexec/apache24/mod_ssl.so into server: /usr/local/libexec/apache24/mod_ssl.so: Undefined symbol "OPENSSL_malloc_init"

The following innocuous-seeming error seems relevant:

--- mod_ssl.slo ---
mod_ssl.c:404:5: warning: implicit declaration of function 'OPENSSL_malloc_init' is invalid in C99 [-Wimplicit-function-declaration]
    OPENSSL_malloc_init();
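
A pre-flight check for the failure reported above, where the build passes with only an implicit-declaration warning and the module then cannot be loaded. This is an added example, not part of the original report or of httpd; the symbol-prefix list and the sample `nm -D` listings are constructed assumptions.

```shell
#!/bin/sh
# Input is saved `nm -D` output, e.g.:
#   nm -D /usr/local/libexec/apache24/mod_ssl.so > mod_ssl.nm
#   nm -D <installed libcrypto/libssl> > libcrypto.nm   (path: placeholder)
LC_ALL=C; export LC_ALL

# Assumption: these prefixes mark libssl/libcrypto symbols; ap_*, apr_* and
# libc symbols resolve elsewhere and are ignored.
TLS_PREFIXES='^(OPENSSL|CRYPTO|SSL|ERR|ENGINE|EVP|DH)_'

# missing_tls_syms MODULE.nm LIB.nm [LIB.nm ...]
# Prints each undefined TLS symbol of the module that no library defines.
missing_tls_syms() {
    mod=$1; shift
    [ -s "$mod" ] || { echo "empty listing: $mod" >&2; return 2; }
    awk -v pat="$TLS_PREFIXES" '
        FNR == 1 { file++ }
        { sub(/@.*/, "", $NF) }             # drop @VERSION suffixes
        file == 1 && $1 == "U" && $2 ~ pat { want[$2] = 1; next }
        file > 1 && NF == 3 && $2 != "U"   { have[$3] = 1 }
        END { for (s in want) if (!(s in have)) print s }
    ' "$mod" "$@" | sort
}

# preflight: exit status 0 when every TLS symbol resolves, 1 otherwise.
preflight() {
    missing=$(missing_tls_syms "$@") || return 2
    [ -z "$missing" ] && return 0
    echo "would fail at load, unresolved: $missing" >&2
    return 1
}

# Constructed sample listings (not captured from a real system).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/mod_ssl.nm" <<'EOF'
                 U ERR_load_crypto_strings
                 U OPENSSL_malloc_init
                 U SSL_library_init
                 U ap_hook_pre_config
EOF
cat > "$SAMPLES/libcrypto.nm" <<'EOF'
00000000000a1b20 T CRYPTO_malloc
00000000000b2c30 T ERR_load_crypto_strings
EOF
cat > "$SAMPLES/libssl.nm" <<'EOF'
0000000000031d40 T SSL_library_init
EOF

missing_tls_syms "$SAMPLES/mod_ssl.nm" "$SAMPLES/libcrypto.nm" "$SAMPLES/libssl.nm"
```

Run as a post-build step, `preflight` turns the load-time failure into a build-time one, before the server is restarted against the new module.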
Comment 1 gessel 2018-05-02 12:20:49 UTC
   /* We must register the library in full, to ensure our configuration
     * code can successfully test the SSL environment.
     */
#if MODSSL_USE_OPENSSL_PRE_1_1_API
    (void)CRYPTO_malloc_init();
#else
    OPENSSL_malloc_init();
#endif
    ERR_load_crypto_strings();
    SSL_load_error_strings();
    SSL_library_init();
#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
    ENGINE_load_builtin_engines();
#endif
    OpenSSL_add_all_algorithms();
    OPENSSL_load_builtin_modules();
Comment 2 Yann Ylavic 2018-05-02 12:45:01 UTC
(In reply to gessel from comment #1)
>    /* We must register the library in full, to ensure our configuration
>      * code can successfully test the SSL environment.
>      */
> #if MODSSL_USE_OPENSSL_PRE_1_1_API
>     (void)CRYPTO_malloc_init();

Here, trunk uses:
#if MODSSL_USE_OPENSSL_PRE_1_1_API || defined(LIBRESSL_VERSION_NUMBER)

This change was part of TLSv1.3 integration (bug 62236), so the full bits may be r1828222 + r1830522.
Comment 3 gessel 2018-05-02 13:44:29 UTC
It appears these changes are not fully integrated in the FreeBSD port Apache v2.4.33

As on my machine
httpd/httpd/trunk/modules/ssl/ssl_engine_init.c:546-551
    char *cp;
    int protocol = mctx->protocol;
    SSLSrvConfigRec *sc = mySrvConfig(s);
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
    int prot;
#endif

Revision 1830522 shows
@@ -582,7 +582,8 @@
     char *cp;
     int protocol = mctx->protocol;
     SSLSrvConfigRec *sc = mySrvConfig(s);
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L  && \
+	(!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x20800000L)
     int prot;
 #endif
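
Review bot: The widened guard around `int prot;` has to be matched exactly at every later use of `prot`, which this hunk does not show; if a use site still tests only `OPENSSL_VERSION_NUMBER >= 0x10100000L`, LibreSSL builds below 0x20800000L will hit an undeclared identifier. Defining the compound condition once as a named macro (ssl_private.h is the natural place) and testing that macro at both the declaration and the use would keep them in sync. The continuation line is also indented with a tab and has a double space before `&&`, unlike the space-indented context lines.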


and in httpd/httpd/trunk/modules/ssl/mod_ssl.c:398-404

    /* We must register the library in full, to ensure our configuration
     * code can successfully test the SSL environment.
     */
#if MODSSL_USE_OPENSSL_PRE_1_1_API
    (void)CRYPTO_malloc_init();
#else
    OPENSSL_malloc_init();

Revision 1828222 shows

@@ -407,7 +407,7 @@
     /* We must register the library in full, to ensure our configuration
      * code can successfully test the SSL environment.
      */
-#if MODSSL_USE_OPENSSL_PRE_1_1_API
+#if MODSSL_USE_OPENSSL_PRE_1_1_API || defined(LIBRESSL_VERSION_NUMBER)
     (void)CRYPTO_malloc_init();
 #else
     OPENSSL_malloc_init();
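
Review bot: `defined(LIBRESSL_VERSION_NUMBER)` on the changed `#if` sends every LibreSSL release to `CRYPTO_malloc_init()` with no version bound, whereas the r1830522 hunk gates its LibreSSL case on `LIBRESSL_VERSION_NUMBER >= 0x20800000L`. If the intent is that LibreSSL never takes the `OPENSSL_malloc_init()` path, a one-line comment saying so would help; otherwise fold the LibreSSL test into the definition of `MODSSL_USE_OPENSSL_PRE_1_1_API` so that every `#if` on that macro agrees, rather than appending `|| defined(...)` at this one site.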
Comment 4 gessel 2018-05-02 15:37:17 UTC
Failed attempt below:

make clean && make distclean && make
cd /var/ports/usr/ports/www/apache24/work/httpd-2.4.33/modules/ssl/
mv ssl_engine_init.c ssl_engine_init.c.orig
mv mod_ssl.c mod_ssl.c.orig
mv ssl_private.h ssl_private.h.orig
wget -O ssl_engine_init.c 'https://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?revision=1830522&view=co&pathrev=1830522'
wget -O mod_ssl.c 'https://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?revision=1828222&view=co&pathrev=1828222'
wget -O ssl_private.h 'https://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?revision=1828222&view=co&pathrev=1828222'
cd ../md/
mv md_crypt.c.orig md_crypt.c.pre-182822
mv md_crypt.c md_crypt.c.orig 
wget -O md_crypt.c 'https://svn.apache.org/viewvc/httpd/httpd/trunk/modules/md/md_crypt.c?revision=1828222&view=co&pathrev=1828222'
cd /usr/ports/www/apache24
make makepatch
make clean && make distclean
portmaster

yields 
--- ssl_engine_init.slo ---
ssl_engine_init.c:54:12: error: static declaration of 'DH_set0_pqg' follows non-static declaration
static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
           ^
/usr/local/include/openssl/dh.h:195:5: note: previous declaration is here
int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
    ^
1 error generated.
*** [ssl_engine_init.slo] Error code 1


:(
Comment 5 Yann Ylavic 2018-05-02 16:11:40 UTC
Created attachment 35905
Backport r1828222 + r1830522

How about this patch instead?

Your method was quite rough to patch 2.4.33 :)
Comment 6 gessel 2018-05-02 16:34:32 UTC
Thanks Yann,

Yeah, crude and bumbling, but thanks for the new patch.  modules/md/md_crypt.c already has the patch.  The ones for modules/ssl/...  succeeded.

However, building with the patches yields:

(I reverted the system and successfully test built - of course while the shipping version builds, it won't start due to the OPENSSL_malloc_init).

--- ssl_engine_init.slo ---
ssl_engine_init.c:54:12: error: static declaration of 'DH_set0_pqg' follows non-static declaration
static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
           ^
/usr/local/include/openssl/dh.h:195:5: note: previous declaration is here
int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
    ^
1 error generated.
*** [ssl_engine_init.slo] Error code 1


According to some helpful people on the libressl list, it may be sufficient to simply comment out the OPENSSL_malloc_init(); line.  I'm going to revert and try that next.
Comment 8 Bernard Spil 2018-05-02 19:33:49 UTC
Meanwhile, I've committed fixes to the FreeBSD port.

The LibreSSL 2.7 patch I created has been imported in trunk. How do you deal with backporting to 2.4?