H2o: Can't build with LibreSSL 2.7.0

Created on 23 Mar 2018  ·  4 Comments  ·  Source: h2o/h2o

I tried to build H2O with LibreSSL 2.7.0, which was released on March 21st.
The build process then fails with the error messages below
(both the master branch (commit 0376131) and H2O v2.2.4).

```
In file included from //rpmbuild/BUILD/repo/include/h2o/socket.h:34:0,
                 from //rpmbuild/BUILD/repo/include/h2o/multithread.h:27,
                 from //rpmbuild/BUILD/repo/include/h2o/hostinfo.h:32,
                 from //rpmbuild/BUILD/repo/lib/common/hostinfo.c:22:
//rpmbuild/BUILD/repo/include/h2o/openssl_backport.h:37:27: error: static declaration of 'BIO_meth_new' follows non-static declaration
 static inline BIO_METHOD *BIO_meth_new(int type, const char *name)
                           ^~~~~~~~~~~~
In file included from /var/tmp/h2o-nightly-2.3.0-0.nightly20180323t195237.git0376131.el7.jp3cki-libressl-2.7.0-root/include/openssl/evp.h:67:0,
                 from /var/tmp/h2o-nightly-2.3.0-0.nightly20180323t195237.git0376131.el7.jp3cki-libressl-2.7.0-root/include/openssl/hmac.h:67,
                 from /var/tmp/h2o-nightly-2.3.0-0.nightly20180323t195237.git0376131.el7.jp3cki-libressl-2.7.0-root/include/openssl/ssl.h:149,
                 from //rpmbuild/BUILD/repo/include/h2o/socket.h:31,
                 from //rpmbuild/BUILD/repo/include/h2o/multithread.h:27,
                 from //rpmbuild/BUILD/repo/include/h2o/hostinfo.h:32,
                 from //rpmbuild/BUILD/repo/lib/common/hostinfo.c:22:
/var/tmp/h2o-nightly-2.3.0-0.nightly20180323t195237.git0376131.el7.jp3cki-libressl-2.7.0-root/include/openssl/bio.h:338:13: note: previous declaration of 'BIO_meth_new' was here
 BIO_METHOD *BIO_meth_new(int type, const char *name);
             ^~~~~~~~~~~~
make[2]: *** [CMakeFiles/libh2o-evloop.dir/lib/common/hostinfo.c.o] Error 1
make[2]: *** Waiting for unfinished jobs....
```

The release notes of LibreSSL say "Added support for many OpenSSL 1.0.2 and 1.1 APIs", and it looks like the backport code of H2O isn't compatible with that.

I don't think that this problem is environment-dependent, but I'll describe my environment.

  • CentOS 7 on Docker on CentOS 7 (Kernel 4.15.11, from ELRepo) on VPS (SAKURA internet)
  • Building RPM

    • Static link to LibreSSL

    • cmake -DWITH_MRUBY=on -DCMAKE_INSTALL_PREFIX=%{_prefix} -DCMAKE_INCLUDE_PATH=%{libressl_root}/include -DCMAKE_LIBRARY_PATH=%{libressl_root}/lib

    • Repository is here

It builds with the same build script with LibreSSL 2.6.4.
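
The gating problem reported above, modelled as an added example (this is not code from H2O or from the thread). The struct, the function names and the `has_bio_meth_new` column are hypothetical; the version constants are the values each library's `opensslv.h` defines, and the column is an assumption drawn from the build results reported on this page.

```c
#include <stdio.h>

/* Constructed model of the version macros each library exports. LibreSSL pins
 * OPENSSL_VERSION_NUMBER at 0x20000000L; libressl == 0 stands for
 * "LIBRESSL_VERSION_NUMBER is not defined". */
struct tls_lib {
    const char *name;
    unsigned long openssl, libressl;
    int has_bio_meth_new; /* assumption: library declares BIO_meth_new() itself */
};

static const struct tls_lib build_matrix[] = {
    {"OpenSSL 1.0.1u", 0x1000115fUL, 0, 0},
    {"OpenSSL 1.0.2k", 0x100020bfUL, 0, 0},
    {"OpenSSL 1.1.0g", 0x1010007fUL, 0, 1},
    {"LibreSSL 2.6.4", 0x20000000UL, 0x2060400fUL, 0},
    {"LibreSSL 2.7.0", 0x20000000UL, 0x2070000fUL, 1},
    {"LibreSSL 2.7.1", 0x20000000UL, 0x2070100fUL, 1},
};
#define MATRIX_LEN (sizeof(build_matrix) / sizeof(build_matrix[0]))

/* Gate before the patch: every LibreSSL version gets the backport. */
int backport_enabled_old(const struct tls_lib *l)
{
    return l->openssl < 0x10100000UL || l->libressl != 0;
}

/* Gate after the patch: only LibreSSL older than 2.7.0 gets it. */
int backport_enabled_new(const struct tls_lib *l)
{
    return l->openssl < 0x10100000UL ||
           (l->libressl != 0 && l->libressl < 0x2070000fUL);
}

/* Count rows where the gate is wrong: backport compiled in on top of a real
 * declaration (the error in this issue) or left out where none exists. */
int count_broken(int (*gate)(const struct tls_lib *))
{
    int broken = 0;
    for (size_t i = 0; i < MATRIX_LEN; i++)
        broken += gate(&build_matrix[i]) == build_matrix[i].has_bio_meth_new;
    return broken;
}

int main(void)
{
    printf("broken builds: old gate %d, new gate %d\n", count_broken(backport_enabled_old), count_broken(backport_enabled_new));
    return 0;
}
```

Because LibreSSL's `OPENSSL_VERSION_NUMBER` never drops below `0x10100000L`, only the LibreSSL clause decides the outcome for it, which is why the fix has to compare `LIBRESSL_VERSION_NUMBER` rather than the OpenSSL number.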

All 4 comments

Maybe it works if you apply the 3 patches below:

diff --git a/include/h2o/openssl_backport.h b/include/h2o/openssl_backport.h
index b24440e..b59a519 100644
--- a/include/h2o/openssl_backport.h
+++ b/include/h2o/openssl_backport.h
@@ -25,7 +25,7 @@
 #include <stdlib.h>

 /* backports for OpenSSL 1.0.2 */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)

 #define BIO_get_data(bio) ((bio)->ptr)
 #define BIO_set_data(bio, p) ((bio)->ptr = (p))
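
Review bot: The new LibreSSL clause switches this whole block off by version number, yet the only symbol the build log shows LibreSSL 2.7.0 declaring is BIO_meth_new (bio.h:338). BIO_get_data and BIO_set_data, just below the #if, are dropped by the same gate, so the change relies on 2.7.0 exporting every backported name in the block. A per-symbol configure check (CMake's check_symbol_exists, for example) would state that dependency explicitly instead of tying it to 0x2070000fL.
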
@@ -57,7 +58,7 @@ static inline BIO_METHOD *BIO_meth_new(int type, const char *name)
 #endif

 /* backports for OpenSSL 1.0.1 and LibreSSL */
-#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER < 0x10002000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)

 #define SSL_is_server(ssl) ((ssl)->server)
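
Review bot: The hunk header `@@ -57,7 +58,7 @@` moves the new-side start down by one line although the preceding hunk adds and removes exactly one line each, so this diff looks hand-trimmed from a larger change and should be regenerated from the tree before it is applied. The comment `/* backports for OpenSSL 1.0.1 and LibreSSL */` is also stale after this change and should say LibreSSL older than 2.7.0, and the constant 0x2070000fL, now repeated in both conditions of this header, would read better as one named macro.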

diff --git a/deps/neverbleed/neverbleed.c b/deps/neverbleed/neverbleed.c
index 29b35a9..42356a6 100644
--- a/deps/neverbleed/neverbleed.c
+++ b/deps/neverbleed/neverbleed.c
@@ -547,7 +547,7 @@ static int sign_stub(struct expbuf_t *buf)
return 0;
}

-#if !OPENSSL_1_1_API
+#if !OPENSSL_1_1_API && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL)

static void RSA_get0_key(const RSA rsa, const BIGNUM *n, const BIGNUM *e, const BIGNUM *d)
{
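
Review bot: The LibreSSL test is attached to this single use site (`#if !OPENSSL_1_1_API && ...`) instead of being folded into the definition of OPENSSL_1_1_API, which this hunk does not show. The picotls patch in the same comment does fold it into the definition, so the two files end up giving the same macro name different meanings; defining OPENSSL_1_1_API once with the LibreSSL >= 0x2070000fL case included would keep any other `#if` on that macro in neverbleed.c consistent. As pasted, the context lines have also lost their leading space and indentation, so the hunk should be re-exported rather than copied from here.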

diff --git a/deps/picotls/lib/openssl.c b/deps/picotls/lib/openssl.c
index a19a29a..c4dfccb 100644
--- a/deps/picotls/lib/openssl.c
+++ b/deps/picotls/lib/openssl.c
@@ -41,13 +41,15 @@
 #include "picotls.h"
 #include "picotls/openssl.h"

-#if (OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER))
-#define OPENSSL_1_0_API 1
+#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L
+#define OPENSSL_1_1_API 1
+#elif defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070000fL
+#define OPENSSL_1_1_API 1
 #else
-#define OPENSSL_1_0_API 0
+#define OPENSSL_1_1_API 0
 #endif

-#if OPENSSL_1_0_API
+#if !OPENSSL_1_1_API

 #define EVP_PKEY_up_ref(p) CRYPTO_add(&(p)->references, 1, CRYPTO_LOCK_EVP_PKEY)
 #define X509_STORE_up_ref(p) CRYPTO_add(&(p)->references, 1, CRYPTO_LOCK_X509_STORE)
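
Review bot: Renaming OPENSSL_1_0_API to OPENSSL_1_1_API inverts the macro's sense, and only one use site (`#if OPENSSL_1_0_API` becoming `#if !OPENSSL_1_1_API`) is visible in this hunk. Any reference to the old name left elsewhere in openssl.c would still compile, because an undefined identifier in `#if` evaluates to 0, and would silently select the 1.1 code path on older libraries; grep for the old name or build with -Wundef to catch that. The `#if` and `#elif` branches both define the macro to 1 and could be merged into a single condition.
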
  • Patches can be applied to
    • H2O-HEAD (0376131)
    • H2O 2.2.4

  • Build with OpenSSL/LibreSSL
    • with OpenSSL
      • Built successfully H2O 2.2.4+ with OpenSSL 1.0.2k (CentOS 7 package)
      • Built successfully H2O 2.2.4+ with OpenSSL 1.1.0g
      • Built successfully H2O 2.2.4+ with OpenSSL 1.1.1-pre3 (β1)
      • Built successfully H2O 2.2.4+ with OpenSSL 1.0.1u
    • with LibreSSL
      • Built successfully H2O 2.2.4+ & HEAD with LibreSSL 2.7.0 & 2.7.1.
      • Built successfully H2O 2.2.4+ with LibreSSL 2.6.4
      • Built successfully H2O 2.2.4+ & HEAD with LibreSSL 2.6.3 (@omasanori reported in comment below)
      • Built successfully H2O 2.2.4+ with LibreSSL 2.4.5 (H2O Bundled)

(Note: "H2O 2.2.4+" means "H2O 2.2.4 + patches")

Good catch!

Not tested with LibreSSL < 2.7.0

I've confirmed that H2O 2.2.4 and master with your patches can be built successfully with LibreSSL 2.6.3 on OpenBSD 6.2.

Confirm that this works on FreeBSD with LibreSSL 2.7.1
Patch here

I've built H2O-HEAD vanilla + LibreSSL 2.7.2 and it works.
I'm closing this issue now.

It's not released yet.
It still needs the patch above if you guys build the released version (v2.2.4) + LibreSSL 2.7.x.

Thank you @kazuho for your work.
