Bug 218637 - net/haproxy: build fails with latest LibreSSL
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Dmitry Sivachenko
Reported: 2017-04-13 17:38 UTC by Mark.Martinec
Modified: 2017-07-26 03:05 UTC
bugzilla: maintainer-feedback? (demon)


Attachments
haproxy-1.7.5.log.xz poudriere build log (4.82 KB, application/x-xz)
2017-04-13 17:38 UTC, Mark.Martinec
haproxy patch to build using libressl (1.70 KB, patch)
2017-04-24 22:40 UTC, dewayne
dewayne: maintainer-approval?

Description Mark.Martinec 2017-04-13 17:38:41 UTC
Created attachment 181762
haproxy-1.7.5.log.xz poudriere build log

Using: haproxy-1.7.5, libressl 2.5.3, FreeBSD 11.0-RELEASE-p8

Building haproxy now fails with the current version of libressl from ports.
Full poudriere build log is attached, here are the essentials:



src/shctx.c:660:31: warning: incompatible pointer types passing 'SSL_SESSION *(SSL *, const unsigned char *, int, int *)' (aka 'struct ssl_session_st *(struct ssl_st *, const unsigned char *, int, int *)') to parameter of type 'SSL_SESSION *(*)(struct ssl_st *, unsigned char *, int, int *)' (aka 'struct ssl_session_st *(*)(struct ssl_st *, unsigned char *, int, int *)') [-Wincompatible-pointer-types]
        SSL_CTX_sess_set_get_cb(ctx, shctx_get_cb);
                                     ^~~~~~~~~~~~
/usr/local/include/openssl/ssl.h:742:20: note: passing argument to parameter 'get_session_cb' here
    SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, unsigned char *data,
                   ^
1 warning generated.
src/ssl_sock.c:800:2: error: no member named 'tlsext_status_cb' in 'struct ssl_ctx_st'
        SSL_CTX_get_tlsext_status_cb(ctx, &callback);
        ^                            ~~~
src/ssl_sock.c:798:30: note: expanded from macro 'SSL_CTX_get_tlsext_status_cb'
        *cb = (void (*) (void))ctx->tlsext_status_cb;
                               ~~~  ^
src/ssl_sock.c:829:17: error: no member named 'tlsext_status_arg' in 'struct ssl_ctx_st'
                cb_arg = ctx->tlsext_status_arg;
                         ~~~  ^
src/ssl_sock.c:3542:50: error: no member named 'packet_length' in 'struct ssl_st'
                                        empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
                                                           ~~~~~~~~~~~~~~~~~~~~~~~  ^
src/ssl_sock.c:3620:48: error: no member named 'packet_length' in 'struct ssl_st'
                        empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
                                           ~~~~~~~~~~~~~~~~~~~~~~~  ^
src/ssl_sock.c:4700:18: warning: passing 'const ASN1_OBJECT **' (aka 'const struct asn1_object_st **') to parameter of type 'ASN1_OBJECT **' (aka 'struct asn1_object_st **') discards qualifiers in nested pointer types [-Wincompatible-pointer-types-discards-qualifiers]
        X509_ALGOR_get0(&algorithm, NULL, NULL, X509_get0_tbs_sigalg(crt));
                        ^~~~~~~~~~
/usr/local/include/openssl/x509.h:760:36: note: passing argument to parameter 'paobj' here
void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval,
                                   ^
1 warning and 4 errors generated.
gmake[1]: *** [Makefile:817: src/ssl_sock.o] Error 1
Comment 1 Dmitry Sivachenko freebsd_committer freebsd_triage 2017-04-13 18:38:53 UTC
Please report all non-FreeBSD-specific problems to the haproxy mailing list.
Build breakage should be fixed upstream.

(1.8-dev1 should build fine, but merging changes to the 1.7 branch requires a manual merge since the code differs)
Comment 2 Mike Walker 2017-04-14 18:19:54 UTC
This seems to be a problem with the latest version of LibreSSL (2.5.3) and is also affecting builds of www/nginx with the lua module enabled.

Going by the following mention in the LibreSSL 2.5.3 release notes [1]:

 * Moved many leaked implementation details in public structs behind opaque
   pointers.

I'm assuming there's going to have to be some upstream refactoring/cleanup of projects tickling/reading now-private internal SSL data structures.


1: https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.5.3-relnotes.txt
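
Added example, not part of this bug report and not code from haproxy or the ports tree: a small Python triage pass over clang output that groups the "no member named" errors by struct and member and records the macro each one was expanded from, which gives the list of accessors a port needs once a library hides those fields. The sample log is abridged from the build log quoted in this report; the function and variable names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Sample input: diagnostics abridged from the build log quoted in this report.
SAMPLE_LOG = """\
src/shctx.c:660:31: warning: incompatible pointer types passing 'SSL_SESSION *(SSL *, const unsigned char *, int, int *)' to parameter of type 'SSL_SESSION *(*)(struct ssl_st *, unsigned char *, int, int *)' [-Wincompatible-pointer-types]
src/ssl_sock.c:800:2: error: no member named 'tlsext_status_cb' in 'struct ssl_ctx_st'
src/ssl_sock.c:798:30: note: expanded from macro 'SSL_CTX_get_tlsext_status_cb'
src/ssl_sock.c:829:17: error: no member named 'tlsext_status_arg' in 'struct ssl_ctx_st'
src/ssl_sock.c:3542:50: error: no member named 'packet_length' in 'struct ssl_st'
src/ssl_sock.c:3620:48: error: no member named 'packet_length' in 'struct ssl_st'
"""

DIAG = re.compile(r"^(?P<file>[^:\s]+):(?P<line>\d+):\d+: (?P<kind>error|warning|note): (?P<msg>.*)$")
NO_MEMBER = re.compile(r"no member named '(\w+)' in 'struct (\w+)'")
FROM_MACRO = re.compile(r"expanded from macro '(\w+)'")

def triage(log):
    """Return {struct: {member: {"sites": [(file, line)], "macros": [names]}}}."""
    report = defaultdict(dict)
    last = None  # entry of the most recent no-member error, so notes can attach to it
    for raw in log.splitlines():
        m = DIAG.match(raw.strip())
        if not m:
            continue  # source excerpts and caret lines carry no file:line:col prefix
        kind, msg = m["kind"], m["msg"]
        if kind == "note":
            macro = FROM_MACRO.search(msg)
            if macro and last is not None and macro[1] not in last["macros"]:
                last["macros"].append(macro[1])
            continue
        last = None  # a new error or warning ends the previous diagnostic's notes
        hit = NO_MEMBER.search(msg) if kind == "error" else None
        if hit:
            member, struct = hit.groups()
            last = report[struct].setdefault(member, {"sites": [], "macros": []})
            last["sites"].append((m["file"], int(m["line"])))
    return dict(report)

if __name__ == "__main__":
    for struct, members in triage(SAMPLE_LOG).items():
        for member, info in members.items():
            via = f" via macro {', '.join(info['macros'])}" if info["macros"] else ""
            print(f"struct {struct}: .{member} read at {info['sites']}{via}")
```
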
Comment 3 Mike Walker 2017-04-14 18:26:16 UTC
And see also bug #218590 - mail/qmail-tls: Fix build with LibreSSL 2.5.3
Comment 4 dewayne 2017-04-16 21:15:04 UTC
(In reply to Mike Walker from comment #3)
Thanks for logging this PR Mike.  It's always helpful to log issues so other FreeBSD'ers don't flap around hunting upstream or down valleys as to why a build, doesn't. At least we understand what "the problem" is.

I also tried haproxy-devel using standard options defaults on FreeBSD 11.0Stable, 

src/ssl_sock.c:848:2: error: no member named 'tlsext_status_cb' in 'struct ssl_ctx_st'
        SSL_CTX_get_tlsext_status_cb(ctx, &callback);
        ^                            ~~~
src/ssl_sock.c:846:30: note: expanded from macro 'SSL_CTX_get_tlsext_status_cb'
        *cb = (void (*) (void))ctx->tlsext_status_cb;
                               ~~~  ^
src/ssl_sock.c:877:17: error: no member named 'tlsext_status_arg' in 'struct ssl_ctx_st'
                cb_arg = ctx->tlsext_status_arg;
Comment 5 dewayne 2017-04-24 22:40:21 UTC
Created attachment 182063
haproxy patch to build using libressl

Mark,
I've obtained this patch 
https://github.com/HardenedBSD/hardenedbsd-ports/commit/e1b1d4779a822852906d730641cba102d51252e9
provided via Bernard Spil <bernard.spil@hardenedbsd.org>

haproxy builds cleanly as a result.

Thanks to Bernard for sharing this patch originally from OpenBSD. For convenience I've attached the patch for further testing.  Don't forget to close/fixed this PR if it works for you.
Comment 6 Mark.Martinec 2017-04-25 00:33:54 UTC
Great! With this patch applied the net/haproxy builds fine.
Looks good, although I haven't tested the haproxy ssl support.

The haproxy-devel needs similar love.
Comment 7 commit-hook freebsd_committer freebsd_triage 2017-05-14 09:40:36 UTC
A commit references this bug:

Author: brnrd
Date: Sun May 14 09:40:25 UTC 2017
New revision: 440870
URL: https://svnweb.freebsd.org/changeset/ports/440870

Log:
  net/haproxy: Fix build with LibreSSL

   - Add patch from OpenBSD

  PR:		218637
  Reported by:	Mark Martinec <Mark.Martinec@ijs.si>
  Approved by:	maintainer timeout
  Obtained from:	OpenBSD

Changes:
  head/net/haproxy/files/patch-src_ssl__sock.c
Comment 8 Bernard Spil freebsd_committer freebsd_triage 2017-05-14 13:16:29 UTC
No response from upstream unfortunately

https://www.mail-archive.com/haproxy@formilux.org/msg25819.html