Linking against libressl fails for missing symbol UI_null

[elseifthen]

I'm trying to build a static version of the xmlsec library (version 1.2.37, currently under Linux). To this end, I built the dependency libraries libxml2 (2.9.10), libxslt (1.1.32) and libressl (3.6.1) locally and configuring seems to find them all, but when I build, I get an error upon linking:
../src/openssl/.libs/libxmlsec1-openssl.so: undefined reference to UI_null'`

From what I found, this symbol is only present in the openssl library but not in libressl, yet the defines in app.c seem to suggest it is actually intended work with libressl:
#if !defined(OPENSSL_NO_ENGINE) && (!defined(XMLSEC_OPENSSL_API_300) || defined(XMLSEC_OPENSSL3_ENGINES))

Did you manage to build 1.2.37 against libressl 3.6.1? (I had initially tried to build against libressl 3.0.0 but there was another symbol missing, namely ASN1_TIME_to_tm)

[petrovr]

elseifthen wrote:

I'm trying to build a static version of the xmlsec library (version 1.2.37, currently under Linux). To this end, I built the dependency libraries libxml2 (2.9.10), libxslt (1.1.32) and libressl (3.6.1) locally and configuring seems to find them all, but when I build, I get an error upon linking: `../src/openssl/.libs/libxmlsec1-openssl.so: undefined reference to `UI_null'` From what I found, this symbol is only present in the openssl library but not in libressl, yet the defines in app.c seem to suggest it is actually intended work with libressl: `#if !defined(OPENSSL_NO_ENGINE) && (!defined(XMLSEC_OPENSSL_API_300) || defined(XMLSEC_OPENSSL3_ENGINES))`

libressl with engines? No! This functionality is cut off. Try to build with defined OPENSSL_NO_ENGINE.

Did you manage to build 1.2.37 against libressl 3.6.1? (I had initially tried to build against libressl 3.0.0 but there was another symbol missing, namely ASN1_TIME_to_tm)

Yes build with "compatible" libraries is like gambling. Regards, Roumen Petrov

[lsh123]

Something is fishy here -- if you can compile the code with UI_null() then compiler found definition of UI_null somewhere. If UI_null is not present in libressl I would expect it to fail at compile time, not at the link time.

I don't test against all OpenSSL forks but I gladly accept PRs / patches to make it work :)

Aleksey

[elseifthen]

@lsh123 : Apparently the compiler (gcc 8.3.1) takes UI_null as an implicit function declaration:

app.c: In function ‘xmlSecOpenSSLAppEngineKeyLoad’:
app.c:490:65: warning: implicit declaration of function ‘UI_null’; did you mean ‘UI_ctrl’? [-Wimplicit-function-declaration]
     if(ENGINE_ctrl_cmd(engine, "SET_USER_INTERFACE", 0, (void *)UI_null(), 0, 1) < 0) {
                                                                 ^~~~~~~
                                                                 UI_ctrl
app.c:490:57: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
     if(ENGINE_ctrl_cmd(engine, "SET_USER_INTERFACE", 0, (void *)UI_null(), 0, 1) < 0) {
                                                         ^
app.c:506:36: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
                                    (UI_METHOD *)UI_null(),
                                    ^

@petrovr : I did export -fPIC -DOPENSSL_NO_ENGINE now but I got
`
In file included from app.c:27:
/work/usr/include/openssl/engine.h:70:2: error: #error ENGINE is disabled.
#error ENGINE is disabled.
^~~~~
``
I was able to compile with "--disable-apps" though, but I couldn't find in the documentation what it actually is that I disabled with that option (I'm new to xmlsec).

[lsh123]

Ah that makes sense. You didn't mention any compilation errors so I was surprised. PR #456 should fix this issue. However quite a few xmlsec tests fail with recent libressl because tests use old (small) keys and libressl has very strong opinion about it. I am going to fix the test keys but it might take a little while.

[elseifthen]

@lsh123 With this simple modification (of PR #456), building against libressl 3.6.1 works now. Thank you!

[lsh123]

great, thanks for letting me know. as I said, bunch of tests are failing because of key size --> you can ignore those for now

[petrovr]

Hi, elseifthen wrote: ...

@petrovr : I tried to ` export OPENSSL_NO_ENGINE=1` and reconfigure/rebuild ..

CPPFLAGS=-DOPENSSL_NO_ENGINE .../configure .... Regards, Roumen Petrov

[lsh123]

PR #458 and #459 should fix all the tests for libressl

[elseifthen]

Hi, elseifthen wrote: ...
@petrovr : I tried to export OPENSSL_NO_ENGINE=1 and reconfigure/rebuild ..
CPPFLAGS=-DOPENSSL_NO_ENGINE .../configure .... Regards, Roumen Petrov

I've tried it with CFLAGS but I also had to safeguard the inclusion of the engine.h header because I got the error I mentioned in my edited comment ("error ENGINE is disabled."; see #455 (comment)).