Bug 218590

Summary: mail/qmail-tls: Fix build with LibreSSL 2.5.3
Product: Ports & Packages
Reporter: Bernard Spil <brnrd>
Component: Individual Port(s)
Assignee: Bernard Spil <brnrd>
Status: Closed FIXED
Severity: Affects Some People
CC: brnrd, dewayne, erdgeist, mike.walker
Priority: ---
Keywords: needs-qa, patch
Version: Latest
Flags: bugzilla: maintainer-feedback? (erdgeist); koobs: merge-quarterly?
Hardware: Any
OS: Any
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218586
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218637
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218595
Attachments:
  patch for qmail-tls (flags: none)
  svn diff for mail/qmail (flags: none)
  svn diff for mail/qmail (flags: brnrd: maintainer-approval?)

Description Bernard Spil freebsd_committer freebsd_triage 2017-04-12 14:01:41 UTC
Created attachment 181717 [details]
patch for qmail-tls

OpenBSD has been more aggressive in making structures opaque than OpenSSL has. This makes programs that try to access these structs fail.

The direct access should be replaced with the appropriate methods, from the SSL_get_state(3) manual:
"These functions are available in all versions of OpenSSL."
Comment 1 dewayne 2017-04-16 21:09:07 UTC
Bernard - helpful as always, thank you. :)
Perhaps it's time to change your username to MrLibre(ssl) ;)
Comment 2 Mike Walker 2017-04-18 14:50:59 UTC
(In reply to Bernard Spil from comment #0)

I believe Bernard's right.

This seems to be a problem with the latest version of LibreSSL (2.5.3) and is also affecting other ports:

 * haproxy - bug #218586, bug #218637
 * nginx with lua - bug #218595

The following is mentioned in the LibreSSL 2.5.3 release notes [1]:

 * Moved many leaked implementation details in public structs behind opaque
   pointers.

I'm assuming there's going to have to be some upstream refactoring/cleanup of projects tickling/reading now-private internal SSL data structures.

1: https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.5.3-relnotes.txt
Comment 3 erdgeist 2017-04-18 15:15:05 UTC
A friend already reported the issue and a patch to Frederik Vermeulen, maintainer of the upstream netqmail TLS patch at http://inoa.net/qmail-tls/

I hope they will incorporate this fix soonish, and I don't like keeping those patches downstream, as I clearly think this has been a booboo by the LibreSSL authors: breaking their promise to not break existing code that relies on the OpenSSL API removes the very reason for LibreSSL's existence in the first place.

I think I will now make a patch that supports mbedtls2, as this looks like the API I would very much love to see in a TLS lib.
Comment 4 Mike Walker 2017-04-18 18:01:45 UTC
(In reply to erdgeist from comment #3)

To be fair, these same types of changes (making structs opaque) are also going into OpenSSL 1.1 so it looks like everybody has some work to do.
Comment 5 Bernard Spil freebsd_committer freebsd_triage 2017-05-14 13:59:58 UTC
Created attachment 182592 [details]
svn diff for mail/qmail

Proper svn diff for net/qmail

```
mail/qmail: Fix build with LibreSSL

 - Add patch for qmail-tls

PR: 218590
```
Comment 6 Bernard Spil freebsd_committer freebsd_triage 2017-07-25 12:21:33 UTC
Hi Erdgeist,

OK to commit this?

Cheers, Bernard.
Comment 7 Kubilay Kocak freebsd_committer freebsd_triage 2017-07-26 03:05:10 UTC
Note these changes come under blanket approval (build fixes)
Comment 8 erdgeist 2017-07-26 12:43:32 UTC
(In reply to Bernard Spil from comment #6)
Sure. Thanks a lot.
Comment 9 commit-hook freebsd_committer freebsd_triage 2017-07-27 11:20:45 UTC
A commit references this bug:

Author: brnrd
Date: Thu Jul 27 11:20:13 UTC 2017
New revision: 446735
URL: https://svnweb.freebsd.org/changeset/ports/446735

Log:
  mail/qmail-tls: Fix build with LibreSSL

   - Replace direct struct access with get/setters

  PR:		218590
  Approved by:	erdgeist (maintainer)
  MFH:		2017Q3

Changes:
  head/mail/qmail/files/patch-LibreSSL
Comment 10 Bernard Spil freebsd_committer freebsd_triage 2017-07-27 11:22:27 UTC
Built on local LibreSSL system and on vanilla 10.3/11.0 i386/amd64 in poudriere.
Comment 11 Antoine Brodin freebsd_committer freebsd_triage 2017-07-27 11:42:42 UTC
(In reply to Kubilay Kocak from comment #7)
Once again, broken changes are not covered by portmgr blanket.
Comment 12 commit-hook freebsd_committer freebsd_triage 2017-07-27 11:56:17 UTC
A commit references this bug:

Author: brnrd
Date: Thu Jul 27 11:56:01 UTC 2017
New revision: 446737
URL: https://svnweb.freebsd.org/changeset/ports/446737

Log:
  mail/qmail-tls: Fix patch

   - Fix egregious accept=>connect mistake

  PR:		218590
  Reported by:	antoine

Changes:
  head/mail/qmail/files/patch-LibreSSL
Comment 13 commit-hook freebsd_committer freebsd_triage 2017-07-28 08:23:01 UTC
A commit references this bug:

Author: antoine
Date: Fri Jul 28 08:22:16 UTC 2017
New revision: 446810
URL: https://svnweb.freebsd.org/changeset/ports/446810

Log:
  Revert r446735 and unbreak, the patch fails to apply and is probably wrong

  PR:		218590
  Reported by:	pkg-fallout

Changes:
  head/mail/qmail/files/patch-LibreSSL
Comment 14 Bernard Spil freebsd_committer freebsd_triage 2017-07-29 11:56:03 UTC
Created attachment 184829 [details]
svn diff for mail/qmail

Refactored the patch.
Missed the way this master/slave port works.
Assuming the breakage was with the master port, due to unconditional patching of the WRKSRC.

```
mail/qmail: Add extra-patch for LibreSSL

 - Add LibreSSL patch for qmail-tls slave port
 - Add EXTRA_PATCHES for SLAVE_TLS in master port

PR: 218590
```
As for the ssl->type to SSL_get_state change: this seems weird but is actually how it is implemented. ssl->type would return either accept (server) or connect (client) mode; ssl->state added additional states not available through ssl->type. SSL_ST_ACCEPT and SSL_ST_CONNECT are only available through the SSL_get_state method in the most recent versions of OpenSSL/LibreSSL.

Feedback appreciated!
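The description (comment 0) and comment 14 both come down to the same porting task: find every place a program reaches into the SSL struct directly (ssl->state, ssl->type) and move it to the SSL_get_state(3) accessor. The script below is an added example, not part of this bug, the ports tree or the qmail-tls patch; it audits a source tree for such accesses and mechanically rewrites the one case the bug describes. It assumes POSIX sh with grep -E and sed -E, and the member list, sample file and function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of this PR or the ports tree: audit source files
# for direct access to SSL struct members that LibreSSL 2.5.3 moved behind
# opaque pointers, and rewrite the one case the bug describes
# (x->state -> SSL_get_state(x)). Assumes POSIX sh, grep -E and sed -E.

# Members this bug names; override with e.g. MEMBERS="state type version".
: "${MEMBERS:=state type}"

# Print every "ident->member" hit as [file:]line:text for the given files.
find_direct_ssl_access() {
    alt=$(printf '%s' "$MEMBERS" | tr ' ' '|')
    grep -nE -- "->[[:space:]]*($alt)([^[:alnum:]_]|$)" "$@" || true
}

# Number of hits across the given files (0 means nothing left to port).
count_direct_ssl_access() {
    find_direct_ssl_access "$@" | wc -l | tr -d ' '
}

# Rewrite "x->state" to "SSL_get_state(x)", the accessor the bug points to.
# "x->type" is only reported, not rewritten: the SSL_ST_ACCEPT/SSL_ST_CONNECT
# bits returned by SSL_get_state() describe the handshake state machine, so
# that substitution needs a human to confirm it fits the call site.
rewrite_state_access() {
    sed -E 's/([A-Za-z_][A-Za-z0-9_]*)[[:space:]]*->[[:space:]]*state([^A-Za-z0-9_]|$)/SSL_get_state(\1)\2/g'
}

# Constructed sample resembling the qmail-tls code paths this bug fixes.
make_sample() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
if (ssl->type == SSL_ST_ACCEPT)       /* direct struct access: flagged */
    mode = 1;
if (ssl->state & SSL_ST_CONNECT)      /* direct struct access: flagged */
    mode = 2;
if (SSL_get_state(ssl) & SSL_ST_OK)   /* accessor: not flagged */
    done = 1;
EOF
    printf '%s\n' "$f"
}

# Demo on the constructed sample: report the hits, then show the rewrite.
sample=$(make_sample)
find_direct_ssl_access "$sample"
rewrite_state_access <"$sample"
rm -f "$sample"
```

Point find_direct_ssl_access at the real files (e.g. the patched WRKSRC) to get a list to review before building against LibreSSL 2.5.3.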