| Field | Value |
|---|---|
| Summary | mail/qmail-tls: Fix build with LibreSSL 2.5.3 |
| Product | Ports & Packages |
| Reporter | Bernard Spil <brnrd> |
| Component | Individual Port(s) |
| Assignee | Bernard Spil <brnrd> |
| Status | Closed FIXED |
| Severity | Affects Some People |
| CC | brnrd, dewayne, erdgeist, mike.walker |
| Priority | --- |
| Keywords | needs-qa, patch |
| Version | Latest |
| Flags | bugzilla: maintainer-feedback? (erdgeist); koobs: merge-quarterly? |
| Hardware | Any |
| OS | Any |
| See Also | https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218586 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218637 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218595 |
| Attachments | |
Bernard - helpful as always, thank you. :) Perhaps it's time to change your username to MrLibre(ssl) ;)

(In reply to Bernard Spil from comment #0)

I believe Bernard's right. This seems to be a problem with the latest version of LibreSSL (2.5.3) and is also affecting other ports:

* haproxy - bug #218586, bug #218637
* nginx with lua - bug #218595

The following is mentioned in the LibreSSL 2.5.3 release notes [1]:

* Moved many leaked implementation details in public structs behind opaque pointers.

I'm assuming there's going to have to be some upstream refactoring/cleanup of projects tickling/reading now-private internal SSL data structures.

1: https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.5.3-relnotes.txt

A friend already reported the issue and a patch to Frederik Vermeulen, maintainer of the upstream netqmail tls patch at http://inoa.net/qmail-tls/. I hope they will incorporate this fix soonish, and I don't like keeping those patches downstream, as I clearly think this has been a booboo by the LibreSSL authors, breaking their promise to not break existing code that relies on the OpenSSL API and removing the very reason for LibreSSL's existence in the first place. I think I will now make a patch that supports mbedtls2, as this looks like the API I would very much love to see in a TLS lib.

(In reply to erdgeist from comment #3)

To be fair, these same types of changes (making structs opaque) are also going into OpenSSL 1.1, so it looks like everybody has some work to do.

Created attachment 182592
svn diff for mail/qmail
Proper svn diff for net/qmail
```
mail/qmail: Fix build with LibreSSL
- Add patch for qmail-tls
PR: 218590
```
Hi Erdgeist, OK to commit this? Cheers, Bernard.

Note these changes come under blanket approval (build fixes)

(In reply to Bernard Spil from comment #6)

Sure. Thanks a lot.

A commit references this bug:

Author: brnrd
Date: Thu Jul 27 11:20:13 UTC 2017
New revision: 446735
URL: https://svnweb.freebsd.org/changeset/ports/446735

Log:

```
mail/qmail-tls: Fix build with LibreSSL
- Replace direct struct access with get/setters
PR: 218590
Approved by: erdgeist (maintainer)
MFH: 2017Q3
```

Changes: head/mail/qmail/files/patch-LibreSSL

Built on local LibreSSL system and on vanilla 10.3/11.0 i386/amd64 in poudriere.

(In reply to Kubilay Kocak from comment #7)

Once again, broken changes are not covered by portmgr blanket.

A commit references this bug:

Author: brnrd
Date: Thu Jul 27 11:56:01 UTC 2017
New revision: 446737
URL: https://svnweb.freebsd.org/changeset/ports/446737

Log:

```
mail/qmail-tls: Fix patch
- Fix egregious accept=>connect mistake
PR: 218590
Reported by: antoine
```

Changes: head/mail/qmail/files/patch-LibreSSL

A commit references this bug:

Author: antoine
Date: Fri Jul 28 08:22:16 UTC 2017
New revision: 446810
URL: https://svnweb.freebsd.org/changeset/ports/446810

Log:

```
Revert r446735 and unbreak, the patch fails to apply and is probably wrong
PR: 218590
Reported by: pkg-fallout
```

Changes: head/mail/qmail/files/patch-LibreSSL

Created attachment 184829
svn diff for mail/qmail
Refactored the patch.
Missed the way this master/slave port works.
Assuming the breakage was with the master port due to unconditional patching of the WRKSRC.
```
mail/qmail: Add extra-patch for LibreSSL
- Add LibreSSL patch for qmail-tls slave port
- Add EXTRA_PATCHES for SLAVE_TLS in master port
PR: 218590
```
As for the ssl->type to SSL_get_state change: This seems weird but is actually how it is implemented. ssl->type would return either accept (server) or connect (client) mode, ssl->state added additional states not available through ssl->type. The SSL_ST_ACCEPT and SSL_ST_CONNECT are only available through the SSL_get_state method in most recent versions of OpenSSL/LibreSSL.
Feedback appreciated!
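To make the ssl->type versus SSL_get_state() point from the comment above concrete, here is an added example (not from the port's patch-LibreSSL or from qmail-tls) that models the OpenSSL 1.0-style handshake state word with the constants copied from ssl.h and ssl3.h, which LibreSSL 2.5 shares; struct conn is a hypothetical stand-in for the real SSL object. It shows that the SSL_ST_ACCEPT/SSL_ST_CONNECT bits are only present while the handshake is in progress, so the masking test agrees with the old type field during the handshake but not after it reaches SSL_ST_OK.

```c
#include <stdio.h>

/* Values as defined in OpenSSL 1.0.x / LibreSSL 2.5 <openssl/ssl.h> and
 * <openssl/ssl3.h>; copied here so the example builds without libssl. */
#define SSL_ST_CONNECT 0x1000
#define SSL_ST_ACCEPT  0x2000
#define SSL_ST_INIT    (SSL_ST_CONNECT | SSL_ST_ACCEPT)
#define SSL_ST_BEFORE  0x4000
#define SSL_ST_OK      0x03
#define SSL3_ST_SR_CLNT_HELLO_A (0x110 | SSL_ST_ACCEPT)  /* server, mid-handshake */
#define SSL3_ST_CW_CLNT_HELLO_A (0x110 | SSL_ST_CONNECT) /* client, mid-handshake */

enum tls_role { ROLE_UNKNOWN = 0, ROLE_SERVER = 1, ROLE_CLIENT = 2 };

/* Hypothetical stand-in for the pre-2.5.3 SSL struct: 'type' is fixed by
 * SSL_set_accept_state()/SSL_set_connect_state(), 'state' advances. */
struct conn { int type; int state; };

/* What the old ssl->type comparison encoded: the role, independent of
 * how far the handshake has progressed. */
enum tls_role role_from_type(const struct conn *c)
{
    if (c->type == SSL_ST_ACCEPT)  return ROLE_SERVER;
    if (c->type == SSL_ST_CONNECT) return ROLE_CLIENT;
    return ROLE_UNKNOWN;
}

/* What SSL_get_state(ssl) & SSL_ST_{ACCEPT,CONNECT} sees: the role bits are
 * part of the state word only while SSL_in_init() is true. */
enum tls_role role_from_state(int state)
{
    if (state & SSL_ST_ACCEPT)  return ROLE_SERVER;
    if (state & SSL_ST_CONNECT) return ROLE_CLIENT;
    return ROLE_UNKNOWN;   /* e.g. SSL_ST_OK once the handshake is done */
}

/* 1 if both checks give the same answer for a server-side connection
 * whose handshake state word is 'state', 0 otherwise. */
int checks_agree(int state)
{
    struct conn c = { SSL_ST_ACCEPT, state };
    return role_from_type(&c) == role_from_state(c.state);
}

int main(void)
{
    /* Constructed walk: after SSL_set_accept_state(), mid-handshake, finished. */
    int walk[] = { SSL_ST_BEFORE | SSL_ST_ACCEPT, SSL3_ST_SR_CLNT_HELLO_A, SSL_ST_OK };
    for (int i = 0; i < 3; i++)
        printf("state 0x%04x: checks agree = %d\n", walk[i], checks_agree(walk[i]));
    return 0;
}
```

OpenSSL 1.1.0 changed SSL_get_state() to return an OSSL_HANDSHAKE_STATE enum that no longer carries these bits, so the masking test is specific to the 1.0-style state word; SSL_in_accept_init()/SSL_in_connect_init() or, on 1.1.0 and later, SSL_is_server() are the portable spellings of the same question.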
Created attachment 181717
patch for qmail-tls

OpenBSD's been more aggressive making structures opaque than OpenSSL has. This makes programs trying to access these structs fail. The direct access should be replaced with the appropriate methods; from the SSL_get_state(3) manual: "These functions are available in all versions of OpenSSL."