Build fails when compiled against LibreSSL 2.5.1 #3247

Closed
qbit opened this issue Nov 16, 2016 · 10 comments

@qbit

qbit commented Nov 16, 2016

On OpenBSD-current LibreSSL 2.5.1 is shipping, portable LibreSSL is still at 2.5.0, so I am not including a PR as testing will likely be difficult.

Here is a link to the LibreSSL change: x509_vfy.h

```
cc -pthread -fno-strict-aliasing -O2 -pipe -DNDEBUG -O2 -pipe -fPIC -fPIC -I/usr/local/include/python2.7 -c build/temp.openbsd-6.0-amd64-2.7/_openssl.c -o build/temp.openbsd-6.0-amd64-2.7/build/temp.openbsd-6.0-amd64-2.7/_openssl.o
build/temp.openbsd-6.0-amd64-2.7/_openssl.c:2720: error: expected identifier or '(' before numeric constant
build/temp.openbsd-6.0-amd64-2.7/_openssl.c:2721: error: expected identifier or '(' before numeric constant
build/temp.openbsd-6.0-amd64-2.7/_openssl.c:2722: error: expected identifier or '(' before numeric constant
build/temp.openbsd-6.0-amd64-2.7/_openssl.c:2738: error: 'X509_VERIFY_PARAM_set1_email' redeclared as different kind of symbol
/usr/include/openssl/x509_vfy.h:545: error: previous declaration of 'X509_VERIFY_PARAM_set1_email' was here
build/temp.openbsd-6.0-amd64-2.7/_openssl.c:2740: error: 'X509_VERIFY_PARAM_set1_ip' redeclared as different kind of symbol
/usr/include/openssl/x509_vfy.h:547: error: previous declaration of 'X509_VERIFY_PARAM_set1_ip' was here
build/temp.openbsd-6.0-amd64-2.7/_openssl.c: In function '_setup_ssl_threads':
build/temp.openbsd-6.0-amd64-2.7/_openssl.c:2809: warning: comparison is always false due to limited range of data type
error: command 'cc' failed with exit status 1
```

@tiran
Contributor

tiran commented Nov 16, 2016

2.5.1 hasn't been released yet.

https://www.libressl.org/

The latest development release is 2.5.0

@qbit
Author

qbit commented Nov 16, 2016

Right, hence my "portable LibreSSL is still at 2.5.0, so I am not including a PR as testing will likely be difficult." bit.

@tiran
Contributor

tiran commented Nov 16, 2016

I know what is going on here. 2.5.0 doesn't have X509_VERIFY_PARAM_set1_email etc. The functions were introduced in 2.5.1. The code at https://github.com/pyca/cryptography/blob/master/src/_cffi_src/openssl/x509_vfy.py#L216 needs to check for LIBRESSL_VERSION_NUMBER >= 2.5.1.

@tiran
Contributor

tiran commented Nov 16, 2016

Oh, it's going to be fun. I don't see X509_VERIFY_PARAM_set1_host in LibreSSL 2.5.1

@reaperhulk
Member

Yeah, I'm inclined to say OpenBSD needs to add X509_VERIFY_PARAM_set1_host. They made the choice to be "compatible" (sort of) with OpenSSL, so they don't get to just add a subset. Hopefully this was just an oversight.

Alternately it doesn't appear we're using X509_VERIFY_PARAM_set1_host (in either cryptography or pyopenssl) so we could potentially remove the binding, but I'd want to have a good reason why it's unneeded first.

@tiran
Contributor

tiran commented Nov 17, 2016

I'm with you, Paul. For Python 3.7 OpenBSD has to provide X509_VERIFY_PARAM_set1_host anyway. I have plans to replace Python's hostname verification code with OpenSSL's. Over the years our own implementation had at least 6 bugs [1].

[1] https://speakerdeck.com/tiran/pyconpl-2016-keynote-tales-from-python-security?slide=63

@reaperhulk
Member

Looks like it merged 2 weeks ago, so presumably the next libressl release will have it: libressl/openbsd@5a0ee82#diff-981ccc999a3dc0b6f3bf66cfb971f58fR498

@sthen

sthen commented Nov 19, 2016

The functions and some prototypes were added (which is what caused the build failure in Cryptography), but not all of them have prototypes yet (e.g. X509_VERIFY_PARAM_set1_host only has the function so far). I've pinged libressl devs about that.

@ryandesign

"The latest stable release is 2.5.3" and is affected by this issue. See https://trac.macports.org/ticket/53964.

@alex
Member

alex commented May 20, 2017

Fixed in #3530

@alex alex closed this as completed May 20, 2017
robertknight added a commit to robertknight/h that referenced this issue Mar 1, 2018
This is an attempt to resolve a Docker image build issue, similar to
that mentioned in pyca/cryptography#3247
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 9, 2020