libressl: static declaration of 'OpenSSL_version_num'

[jungle-boogie]

Hello,

Curl is failing to build on openBSD -current:

/home/jungle/bin/curl/lib/vtls/openssl.c:121:22: error: static declaration of 'OpenSSL_version_num' follows non-static declaration                                                     
static unsigned long OpenSSL_version_num(void)                                                                                                                                       
                     ^                                                                                                                                                               
/usr/include/openssl/crypto.h:340:15: note: previous declaration is here                                                                                                             
unsigned long OpenSSL_version_num(void);                                                                                                                                             
              ^                                                                                                                                                                      
1 error generated.                                                                                                                                                                   
*** Error 1 in . (lib/CMakeFiles/libcurl.dir/build.make:2943 'lib/CMakeFiles/libcurl.dir/vtls/openssl.c.o': cd /home/jungle/bin/curl/build/lib...)                                     
*** Error 1 in . (CMakeFiles/Makefile2:1014 'lib/CMakeFiles/libcurl.dir/all')                                                                                                        
*** Error 1 in /home/jungle/bin/curl/build (Makefile:141 'all')           

See this openBSD commit to lib/libcrypto/crypto.h:
openbsd/src@3a94b19#diff-f5754718dcf4bb001cacd3a8e689bb01

Simply editing this file:
https://github.com/curl/curl/blob/master/lib/vtls/openssl.c#L121

and removing Static at the beginning of the line causes the build to successfully build.

[jay]

Do you know the first version of libressl where this is fixed? I think it would be better to change it to #if (LIBRESSL_VERSION_NUMBER < fixedver)

[jungle-boogie]

Hi @jay,

I don't know the first version. If you take a look at the openBSD commit I linked, it was only modified 5 days ago. My openBSD -current machine has libressl 2.7.0, if that helps.

[jay]

i see, it's the dev branch not release. It looks like they're transitioning from libressl 2.6.x to 3.0.x but it's unclear to me whether they'll continue with a 2.6.5 in parallel and whether it will have the api.

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 2a6b3cf..f8b3fa8 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -117,7 +117,8 @@
 #define X509_get0_notBefore(x) X509_get_notBefore(x)
 #define X509_get0_notAfter(x) X509_get_notAfter(x)
 #define CONST_EXTS /* nope */
-#ifdef LIBRESSL_VERSION_NUMBER
+#if defined(LIBRESSL_VERSION_NUMBER) && \
+  (LIBRESSL_VERSION_NUMBER <= 0x2060400fL)
 static unsigned long OpenSSL_version_num(void)
 {
   return LIBRESSL_VERSION_NUMBER;

[bagder]

I think we should either get some confirmation of this from the libressl team, or wait for an actual release to see how this will end up. Otherwise I think the fix looks correct.

[jay]

I think we should either get some confirmation of this from the libressl team

@4a6f656c

[sthen]

0x2070000fL would be appropriate if checking for a version, however the only place cURL uses this is to print LibreSSL/$version, so decoding based on LIBRESSL_VERSION_NUMBER is more appropriate here. This is what we're currently doing in ports:

Index: lib/vtls/openssl.c
--- lib/vtls/openssl.c.orig
+++ lib/vtls/openssl.c
@@ -117,12 +117,7 @@
 #define X509_get0_notBefore(x) X509_get_notBefore(x)
 #define X509_get0_notAfter(x) X509_get_notAfter(x)
 #define CONST_EXTS /* nope */
-#ifdef LIBRESSL_VERSION_NUMBER
-static unsigned long OpenSSL_version_num(void)
-{
-  return LIBRESSL_VERSION_NUMBER;
-}
-#else
+#ifndef LIBRESSL_VERSION_NUMBER
 #define OpenSSL_version_num() SSLeay()
 #endif
 #endif
@@ -3527,7 +3522,11 @@ static size_t Curl_ossl_version(char *buffer, size_t s
   unsigned long ssleay_value;
   sub[2]='\0';
   sub[1]='\0';
+#ifdef LIBRESSL_VERSION_NUMBER
+  ssleay_value = LIBRESSL_VERSION_NUMBER;
+#else
   ssleay_value = OpenSSL_version_num();
+#endif
   if(ssleay_value < 0x906000) {
     ssleay_value = SSLEAY_VERSION_NUMBER;
     sub[0]='\0';

Results with this on OpenBSD -current:

$ curl -V
curl 7.58.0 (x86_64-unknown-openbsd6.2) libcurl/7.58.0 LibreSSL/2.7.0 zlib/1.2.3 nghttp2/1.30.0
Release-Date: 2018-01-24
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IPv6 Largefile NTLM NTLM_WB SSL libz HTTP2 UnixSockets HTTPS-proxy 

[4a6f656c]

@jay - the additional API will appear in the 2.7.x release. There will only be a 2.6.5 release if there are security or bug fixes and such a release would not contain the API changes. As sthen notes, conditioning on 0x2070000fL is the correct version to use, if you want to take that route. For now, I'd recommend holding off until we finish the API churn, as there may be other fixes/changes.

[bagder]

thanks @4a6f656c, waiting a bit to see how this settles for real in a coming release seems like the sensible thing to do.

[bagder]

libressl 2.7.0 has been released so it makes sense to revisit this issue now...

[donny-dont]

@sthen 's fix is probably the most correct. Internally LibreSSL will print out its OPENSSL_VERSION_NUMBER which will always be 0x20000000L so doing a patch like the following would not get the desired behavior.

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 2a6b3cfac..78a98b0ca 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -118,10 +118,13 @@
 #define X509_get0_notAfter(x) X509_get_notAfter(x)
 #define CONST_EXTS /* nope */
 #ifdef LIBRESSL_VERSION_NUMBER
+/* For LibreSSL before 2.7.0 */
+#if (LIBRESSL_VERSION_NUMBER < 0x2070000fL)
 static unsigned long OpenSSL_version_num(void)
 {
   return LIBRESSL_VERSION_NUMBER;
 }
+#endif
 #else
 #define OpenSSL_version_num() SSLeay()
 #endif