Latest OpenSSL 1.1.0e incorrectly detected as LibreSSL during build

[aaronm-cloudtek]

Describe the issue

After updating to OpenSSL 1.1.0e I can no longer build. configure fails with:

configure: error: Detected LibreSSL: This is NOT supported, and may break consensus compatibility!

I don't have LibreSSL anywhere on my system though. I tried configure --with-libressl which runs successfully but then make fails:

Making all in src
make[1]: Entering directory '/mnt/tank/projects/PIVX/src'
make[2]: Entering directory '/mnt/tank/projects/PIVX/src'
  CXX      libbitcoinconsensus_la-allocators.lo
  CXX      primitives/libbitcoinconsensus_la-transaction.lo
  CXX      crypto/libbitcoinconsensus_la-hmac_sha512.lo
  CXX      crypto/libbitcoinconsensus_la-scrypt.lo
  CXX      crypto/libbitcoinconsensus_la-sha1.lo
  CXX      crypto/libbitcoinconsensus_la-sha256.lo
  CXX      crypto/libbitcoinconsensus_la-sha512.lo
  CXX      crypto/libbitcoinconsensus_la-ripemd160.lo
  CXX      libbitcoinconsensus_la-eccryptoverify.lo
  CXX      libbitcoinconsensus_la-ecwrapper.lo
ecwrapper.cpp: In function ‘int {anonymous}::ECDSA_SIG_recover_key_GFp(EC_KEY*, ECDSA_SIG*, const unsigned char*, int, int, int)’:
ecwrapper.cpp:62:28: error: invalid use of incomplete type ‘ECDSA_SIG {aka struct ECDSA_SIG_st}’
     if (!BN_add(x, x, ecsig->r)) {
                            ^~
In file included from ecwrapper.h:11:0,
                 from ecwrapper.cpp:5:
/usr/include/openssl/ec.h:1044:16: note: forward declaration of ‘ECDSA_SIG {aka struct ECDSA_SIG_st}’
 typedef struct ECDSA_SIG_st ECDSA_SIG;
                ^~~~~~~~~~~~
ecwrapper.cpp:118:34: error: invalid use of incomplete type ‘ECDSA_SIG {aka struct ECDSA_SIG_st}’
     if (!BN_mod_inverse(rr, ecsig->r, order, ctx)) {
                                  ^~
In file included from ecwrapper.h:11:0,
                 from ecwrapper.cpp:5:
/usr/include/openssl/ec.h:1044:16: note: forward declaration of ‘ECDSA_SIG {aka struct ECDSA_SIG_st}’
 typedef struct ECDSA_SIG_st ECDSA_SIG;
                ^~~~~~~~~~~~
ecwrapper.cpp:123:31: error: invalid use of incomplete type ‘ECDSA_SIG {aka struct ECDSA_SIG_st}’
     if (!BN_mod_mul(sor, ecsig->s, rr, order, ctx)) {
                               ^~
In file included from ecwrapper.h:11:0,
                 from ecwrapper.cpp:5:
/usr/include/openssl/ec.h:1044:16: note: forward declaration of ‘ECDSA_SIG {aka struct ECDSA_SIG_st}’
 typedef struct ECDSA_SIG_st ECDSA_SIG;
                ^~~~~~~~~~~~
ecwrapper.cpp: In member function ‘bool CECKey::Recover(const uint256&, const unsigned char*, int)’:
ecwrapper.cpp:221:31: error: invalid use of incomplete type ‘ECDSA_SIG {aka struct ECDSA_SIG_st}’
     BN_bin2bn(&p64[0], 32, sig->r);
                               ^~
In file included from ecwrapper.h:11:0,
                 from ecwrapper.cpp:5:
/usr/include/openssl/ec.h:1044:16: note: forward declaration of ‘ECDSA_SIG {aka struct ECDSA_SIG_st}’
 typedef struct ECDSA_SIG_st ECDSA_SIG;
                ^~~~~~~~~~~~
ecwrapper.cpp:222:32: error: invalid use of incomplete type ‘ECDSA_SIG {aka struct ECDSA_SIG_st}’
     BN_bin2bn(&p64[32], 32, sig->s);
                                ^~
In file included from ecwrapper.h:11:0,
                 from ecwrapper.cpp:5:
/usr/include/openssl/ec.h:1044:16: note: forward declaration of ‘ECDSA_SIG {aka struct ECDSA_SIG_st}’
 typedef struct ECDSA_SIG_st ECDSA_SIG;
                ^~~~~~~~~~~~
make[2]: *** [Makefile:6085: libbitcoinconsensus_la-ecwrapper.lo] Error 1
make[2]: Leaving directory '/mnt/tank/projects/PIVX/src'
make[1]: *** [Makefile:6949: all-recursive] Error 1
make[1]: Leaving directory '/mnt/tank/projects/PIVX/src'
make: *** [Makefile:592: all-recursive] Error 1

What version of PIVX Core are you using?

Latest master, commit id 6b5cf7f

Machine specs:

• OS: Arch Linux

Any extra information that might be useful in the debugging process.

config.log here

[Fuzzbawls]

Until this is resolved, you can use the depends system to self-compile. see https://github.com/PIVX-Project/PIVX/blob/master/depends/README.md for more info.

[ITwrx]

same here with arch and openssl 1.1.0.e-1
also, didn't build with depends system.
fcmatch.c:284:63: error: 'PRI_CHAR_WIDTH_STRONG' undeclared here (not in a function) #define FC_OBJECT(NAME, Type, Cmp) { FC_##NAME##_OBJECT, Cmp, PRI_##NAME##_STRONG, PRI_##NAME##_WEAK }, ^ fcobjs.h:54:1: note: in expansion of macro 'FC_OBJECT' FC_OBJECT (CHAR_WIDTH, FcTypeInteger, NULL) ^~~~~~~~~ fcmatch.c:284:84: error: 'PRI_CHAR_WIDTH_WEAK' undeclared here (not in a function) #define FC_OBJECT(NAME, Type, Cmp) { FC_##NAME##_OBJECT, Cmp, PRI_##NAME##_STRONG, PRI_##NAME##_WEAK }, ^ fcobjs.h:54:1: note: in expansion of macro 'FC_OBJECT' FC_OBJECT (CHAR_WIDTH, FcTypeInteger, NULL) ^~~~~~~~~ make[4]: *** [Makefile:613: fcmatch.lo] Error 1 make[4]: Leaving directory '/home/user/Downloads/PIVX-2.2.0/depends/work/build/x86_64-pc-linux-gnu/fontconfig/2.11.1-89fa7d4fc91/src' make[3]: *** [Makefile:474: all] Error 2 make[3]: Leaving directory '/home/user/Downloads/PIVX-2.2.0/depends/work/build/x86_64-pc-linux-gnu/fontconfig/2.11.1-89fa7d4fc91/src' make[2]: *** [Makefile:561: all-recursive] Error 1 make[2]: Leaving directory '/home/user/Downloads/PIVX-2.2.0/depends/work/build/x86_64-pc-linux-gnu/fontconfig/2.11.1-89fa7d4fc91' make[1]: *** [Makefile:444: all] Error 2 make[1]: Leaving directory '/home/user/Downloads/PIVX-2.2.0/depends/work/build/x86_64-pc-linux-gnu/fontconfig/2.11.1-89fa7d4fc91' make: *** [funcs.mk:244: /home/user/Downloads/PIVX-2.2.0/depends/work/build/x86_64-pc-linux-gnu/fontconfig/2.11.1-89fa7d4fc91/./.stamp_built] Error 2

[aaronm-cloudtek]

@ITwrx to get it to compile you can change the depends fontconfig requirement to 2.12.1 and apply this patch

[ITwrx]

@aaronm-cloudtek i'll try the new 2.2.1 binary out and see if that works for me. If not, i'll be back to attempting to build. thanks for the info either way.

[dddaniel]

Confirmed. The same build issue happens on debian stretch/testing.

For those who want to compile pivx on a debian, just make sure you have an older libss-dev pkg installed:
apt-get install libssl1.0-dev

[Trollwut]

Even compiling it on my own won't work.

make in the /depend/ folder works, but when using the ./configure [...], there's this line, where it ends:

configure: error: Detected LibreSSL: This is NOT supported, and may break consensus compatibility!

OS: arch 64

Any information about when OpenSSL won't break it?

[ITwrx]

@Trollwut I couldn't get make in depends to work. If you got that to work, then configure should be using that v1.0 openssl that was made in depends folder, but i think you have to "point" configure at the depends stuff. maybe you can make better sense of that part in the readme linked above than i could. i don't think you can just run configure without additional params or it will try to use your default system openssl.

according to @Fuzzbawls, pivx is not currently planning to move to openssl v1.1 anytime soon (maybe never), so you can either use the depends system, the binary which includes openssl v1.0.1k or you can possibly install the openssl-1.0 from arch official repos and manually specify SSL_CFLAGS SSL_LIBS CRYPTO_CFLAGS CRYPTO_LIBS to pivx configure. i'm trying to do the last one but i don't know what my configure variables need to be or how to get that info.

[Trollwut]

@ITwrx yes, I followed the instruction of the depends-README. Took me some fiddling, but got the Qt to run.

Maybe it helps that there are openssl-1.0 packages in the repository, so maybe there's a way to use them instead?

[ITwrx]

what was your configure command/other procedure for using the depends system?

regarding openssl v1.0, from above: "or you can possibly install the openssl-1.0 from arch official repos and manually specify SSL_CFLAGS SSL_LIBS CRYPTO_CFLAGS CRYPTO_LIBS to pivx configure. i'm trying to do the last one but i don't know what my configure variables need to be or how to get that info."

[Trollwut]

Fuck, did see that I wrote some bullshit. I fiddlet a bit, but DID NOT get it to run. Nonetheless I share you my approach:

I'm using Arch on a 64 bit system, so this was my approach:

I cloned the whole repository to my disk and went into it:

git clone https://github.com/PIVX-Project/PIVX && cd PIVX/depends/

there I just made it, as I didn't needed any other archs:

make

This making creates a new subfolder with the name of your arch. This you need to make it in the "root" of the github repository, so:

cd .. && autogen.sh

Now you can configure it:

./configure --prefix=pwd/depends/x86_64-pc-linux-gnu

But here the mentioned error occures and stops the configuring:

configure: error: Detected LibreSSL: This is NOT supported, and may break consensus compatibility!

As a "solution", I downloaded the precompiled binaries from the PIVX website and just start it from there.

[ITwrx]

oh, i was under the impression that you were supposed to cd into the depends dir and run make there. then cd back into main dir and run configure, but point it to depends dir. then configure would use the openssl made in depends folder. i'm not sure though. that was just my reading of the readme.

i'll post back if i ever get the repo opensslv1 working.

[Trollwut]

Sorry, I suck. Yes, the first make should be done in the /depends/ directory. After that, you should be able to ./configure it in the "root" directory and make it there. (edited my post above for future readers)

But as I said, configuring won't finish.

[aaronm-cloudtek]

@Trollwut Did the make depends script actually finish successfully? I had to bump the fontconfig requirement to 2.12.1 and apply this patch to get it to compile. Or maybe a newer version would work without the patch.

[Trollwut]

Yes, the make in the /depends/ folder finished without errors and God said it was good.

Didn't have to do anything with fontconfig and can't remember that I have done something similar with it in the past.

[ITwrx]

@aaronm-cloudtek fontconfig is what crapped out on mine as well.

[Fuzzbawls]

suggested that anyone above experiencing this issue look at #447

[ewtoombs]

Looks like the relevant lines are in configure.ac:898:

AC_CHECK_LIB([crypto],[RAND_egd],[],[
  AC_ARG_WITH([libressl],
    [AS_HELP_STRING([--with-libressl],[Build with system LibreSSL (default is no; DANGEROUS; NOT SUPPORTED)])],
    [AC_MSG_WARN([Detected LibreSSL: This is NOT supported, and may break consensus compatibility!])],
    [AC_MSG_ERROR([Detected LibreSSL: This is NOT supported, and may break consensus compatibility!])]
  )
])

Why are these checks even there? Looks like RAND_egd isn't in new versions of openssl, and was being used to tell the difference between openssl and libressl. Looks like a more reliable check is needed.

[ewtoombs]

In a bizarre and frustrating twist, it looks like RAND_egd is actually still in openssl.

/usr/include/openssl/rand.h:59:int RAND_egd(const char *path);
/usr/include/openssl/rand.h:60:int RAND_egd_bytes(const char *path, int bytes);
/usr/include/openssl-1.0/openssl/rand.h:110:int RAND_egd(const char *path);
/usr/include/openssl-1.0/openssl/rand.h:111:int RAND_egd_bytes(const char *path, int bytes);

[ewtoombs]

I looked into it further. RAND_egd only gets included into openssl if openssl is compiled with EGD support, which is now off by default. The declarations in the previous post are actually wrapped in an #ifdef that did not appear in the grep output. It is no longer an accurate way to check for libressl. A new way must be devised. For now, commenting out that entire test in configure.ac should serve fine as a workaround, as PIVX does not appear to require RAND_egd. Just don't use libressl.

[Warrows]

@ewtoombs Actually LibreSSL as well as OpenSSL over version 1.0 are do not require REND_egd. As it turns out both of them implement different cryptography from the old one, which we use in zPIV, amongst other places. The fastest way to "solve" this problem (after fixing compilation) is to change the message to specify "unsupported SSL" instead of "libressl" detected.
That is what I am going for, you can see PR #447 for additional details. In the long run the ideal would of course be to get rid of any openssl use in cryptography used for consensus.

[steveast]

How to compile use old openssl?

[tools4]

environment variable

[Warrows]

The reported bug (OpenSSL 1.1 seen as libreSSL) is now fixed since #447 is merged.

[minblock]

Try using openssl1.0-dev solved my problem