aws-lc-sys build failure on Linux when OpenSSL 3.4.1 headers are found

[RJVB]

Verification

• I searched for recent similar issues at https://github.com/rust-lang/rustup/issues?q=is%3Aissue+is%3Aopen%2Cclosed and found no duplicates.
• I am on the latest version of Rustup according to https://github.com/rust-lang/rustup/tags and am still able to reproduce my issue.

Problem

I'm trying to build rustup (1.28.1) itself locally on an older Linux distro and run into a build failure in aws-lc-sys when the OpenSSL3 headers are available. Errors range from the DEFINE_STACK_OF macro being called with the wrong number of arguments to an obsolete header file being included in rust_wrapper.h (asn1_mac.h).

After seeing that aws-lc-sys seems to contain its own OpenSSL copy I removed the explicit -I arguments to expose my (self-built) OpenSSL3 install, and the build succeeded.

However, I notice that the resulting rustup binary still links to libssl and libcrypto - from my OpenSSL3 install.

I have tried to find information about the dependency requirements for building rustup locally but came up empty.
What OpenSSL version(s) is/are supported, in particular?

Steps

1. start the build using a compiler wrapper script that has the -I flags to find the intended dependencies, in particular OpenSSL3 headers (-I/opt/local/libexec/openssl3/include).
2. observe build failures
3. start the build without the OpenSSL3 related compiler arguments
4. build succeeds but the resulting binary still links to OpenSSL3.

Possible Solution(s)

It would be of great help to know what OpenSSL versions are supported, and possibly what support there is for non-standard install layouts.

Notes

No response

Rustup version

1.28.1

Installed toolchains

stable-x86_64-unknown-linux-gnu

OS version

KUbuntu 14.04LTS with self-built upgrades to just about anything that matters except for libc. Hence the self-building of rustup...
(I'm pretty certain that the issue here is not the fact I use an old distro but that I use a non-standard install layout!)

[rami3l]

@RJVB Thanks for filing this issue!

I understand your frustrations, however it seems unlikely that we can do anything about it in this repo. Would you mind transferring this issue to https://github.com/aws/aws-lc-rs so that they can have a better look? The full cargo log will be greatly appreciated!

[RJVB]

I can do that of course, but wouldn't this rather be an issue of how aws-lc-sys is built via the build system for rustup?

I know next to nothing about rust or cargo (I just encounter them as build dependencies) but this feels like what can happen if you build a "vendored" dependency through, say, the CMake build system of some more complex project, and the 2 projects have conflicting dependencies.

And I suppose you (rather than they) can answer the question if rustup itself pulls in OpenSSL and what version(s) it can work with. Linking to OpenSSL3 all while using an embedded older version is not a good idea, btw, as surely you know.

[rami3l]

And I suppose you (rather than they) can answer the question if rustup itself pulls in OpenSSL and what version(s) it can work with. Linking to OpenSSL3 all while using an embedded older version is not a good idea, btw, as surely you know.

We do use openssl-sys that vendors 3.4.1:

rustup/Cargo.lock

Lines 1688 to 1695 in 3b60eb2

	[[package]]
	name = "openssl-src"
	version = "300.4.2+3.4.1"
	source = "registry+https://github.com/rust-lang/crates.io-index"
	checksum = "168ce4e058f975fe43e89d9ccf78ca668601887ae736090aacc23ae353c298e2"
	dependencies = [
	"cc",
	]

... but vendoring is not on by default:

rustup/Cargo.toml

Line 17 in 3b60eb2

vendored-openssl = ['openssl/vendored']

The C part of our build process is entirely handled by the dependencies that rely on C, and we don't handle that directly. Are you sure you are having problems when building aws-lc-rs?

[rami3l]

@RJVB BTW if you just want to get rustup up and running, you can try compiling with the reqwest/rustls/aws-lc backend only:

> cargo build --no-default-features --features=reqwest-rustls-tls

... or alternatively, you can disable the aws-lc-rs part altogether by using the curl/openssl backend only:

> cargo build --no-default-features --features=curl-backend

... or if you want to vendor OpenSSL:

> cargo build --no-default-features --features=curl-backend,vendored-openssl

[rami3l]

@RJVB I think I know what you are confused about now.

By default we have all these three backends on, and on Linux they all rely on OpenSSL in different ways (unfortunately none is handled directly by us), so it might be good to try what works for you by isolating them.

rustup/Cargo.toml

Line 15 in 3b60eb2

default = ["curl-backend", "reqwest-native-tls", "reqwest-rustls-tls"]

We understand that the status quo is not satisfying, and the simplification is in the works (#3790), but we currently need to keep them for compatibility purposes.

[RJVB]

We do use openssl-sys that vendors 3.4.1:
... but vendoring is not on by default:

rustup/Cargo.toml

Line 17 in 3b60eb2
vendored-openssl = ['openssl/vendored']

I clearly don't know how to read that but do I at least understand correctly that "vendoring is not on" means that the build will use whatever OpenSSL version it finds in the system?

Are you sure you are having problems when building aws-lc-rs?

No: aws-lc-sys ! I'm rebuilding with the "offending" compiler flags as we speak :

:info:build [aws-lc-sys 0.26.0] cargo:warning=In file included from /opt/local/var/lnxports/build/_opt_local_site-ports_devel_rustup/rustup/work/.rustup/Cargo/registry/src/index.crates.io-1949cf8c6b5b557f/aws-lc-sys-0.26.0/include/rust_wrapper.h:12,
:info:build [aws-lc-sys 0.26.0] cargo:warning=                 from rust_wrapper.c:6:
:info:build [aws-lc-sys 0.26.0] cargo:warning=/opt/local/libexec/openssl3/include/openssl/asn1_mac.h:10:2: error: #error "This file is obsolete; please update your software."
:info:build [aws-lc-sys 0.26.0] cargo:warning=   10 | #error "This file is obsolete; please update your software."
:info:build [aws-lc-sys 0.26.0] cargo:warning=      |  ^~~~~
:info:build [aws-lc-sys 0.26.0] cargo:warning=In file included from /opt/local/var/lnxports/build/_opt_local_site-ports_devel_rustup/rustup/work/.rustup/Cargo/registry/src/index.crates.io-1949cf8c6b5b557f/aws-lc-sys-0.26.0/aws-lc/include/openssl/base.h:80,
:info:build [aws-lc-sys 0.26.0] cargo:warning=                 from /opt/local/var/lnxports/build/_opt_local_site-ports_devel_rustup/rustup/work/.rustup/Cargo/registry/src/index.crates.io-1949cf8c6b5b557f/aws-lc-sys-0.26.0/include/rust_wrapper.h:14:
:info:build [aws-lc-sys 0.26.0] cargo:warning=/opt/local/var/lnxports/build/_opt_local_site-ports_devel_rustup/rustup/work/.rustup/Cargo/registry/src/index.crates.io-1949cf8c6b5b557f/aws-lc-sys-0.26.0/generated-include/openssl/boringssl_prefix_symbols.h:237: warning: "BIO_append_filename" redefined
:info:build [aws-lc-sys 0.26.0] cargo:warning=  237 | #define BIO_append_filename BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_append_filename)
:info:build [aws-lc-sys 0.26.0] cargo:warning=      | 
:info:build [aws-lc-sys 0.26.0] cargo:warning=In file included from /opt/local/libexec/openssl3/include/openssl/asn1.h:30,
:info:build [aws-lc-sys 0.26.0] cargo:warning=                 from /opt/local/var/lnxports/build/_opt_local_site-ports_devel_rustup/rustup/work/.rustup/Cargo/registry/src/index.crates.io-1949cf8c6b5b557f/aws-lc-sys-0.26.0/include/rust_wrapper.h:11:
:info:build [aws-lc-sys 0.26.0] cargo:warning=/opt/local/libexec/openssl3/include/openssl/bio.h:587: note: this is the location of the previous definition
[...]
87:50: error: macro "EVP_MD_CTX_create" passed 1 arguments, but takes just 0
:info:build [aws-lc-sys 0.26.0] cargo:warning=  287 | OPENSSL_EXPORT EVP_MD_CTX *EVP_MD_CTX_create(void);
:info:build [aws-lc-sys 0.26.0] cargo:warning=      |                                                  ^
:info:build [aws-lc-sys 0.26.0] cargo:warning=/opt/local/libexec/openssl3/include/openssl/evp.h:708: note: macro "EVP_MD_CTX_create" defined here
[...]
:info:build [aws-lc-sys 0.26.0] cargo:warning=/opt/local/var/lnxports/build/_opt_local_site-ports_devel_rustup/rustup/work/.rustup/Cargo/registry/src/index.crates.io-1949cf8c6b5b557f/aws-lc-sys-0.26.0/aws-lc/include/openssl/obj.h:253:37: error: macro "OBJ_cleanup" passed 1 arguments, but takes just 0
:info:build [aws-lc-sys 0.26.0] cargo:warning=  253 | OPENSSL_EXPORT void OBJ_cleanup(void);
:info:build [aws-lc-sys 0.26.0] cargo:warning=      |                                     ^            
:info:build [aws-lc-sys 0.26.0] cargo:warning=/opt/local/libexec/openssl3/include/openssl/objects.h:167: note: macro "OBJ_cleanup" defined here

And so forth.

Given the other info above this looks to me like a build system that knows to avoid including the wrong OpenSSL headers from the default/system search path but gets tripped up because the user injected flags that force the compiler to look in the wrong place first. That would indeed be something to report "upstream", but what about the fact they're apparently building in an obsolete OpenSSL version?

[djc]

@RJVB I highly recommend filing an issue against the aws-lc-rs repo. In my experience they have been very responsive in fixing build issues. Meanwhile, I don't think there is much we can do about your issues on the rustup side.

(Are you rebuilding because your distro's libc is too old for the binaries we release?)

[RJVB]

(Are you rebuilding because your distro's libc is too old for the binaries we release?)

That's one reason I have the packaging (MacPorts "port") in which this issue came up, but on Mac. The other is having a binary that's built against to (and has RPATH set for) the more up-to-date in /opt/local .

I like my ports to build on Linux too and there I can (for now) use the downloadable binaries to bootstrap the rustup build with an up-to-date cargo etc. My libc doesn't yet have copy_file_range(2) but Rust seems to know how to use the corresponding syscall when required. There used to be a time where I had to use a wrapper to handle the EAGAIN or EXDEV errors related to how I set up my ZFS datasets but it appears Rust now handles that too.

[RJVB]

aws/aws-lc-rs#743