Bug 223994

Summary: sysutils/bacula9-server appears to be broken when built with libressl after the 9.0.6 update
Product: Ports & Packages
Reporter: Dean E. Weimer <dweimer>
Component: Individual Port(s)
Assignee: Walter Schwarzenfeld <w.schwarzenfeld>
Status: Closed Overcome By Events
Severity: Affects Some People
CC: brnrd, martin, w.schwarzenfeld
Priority: ---
Flags: bugzilla: maintainer-feedback? (dvl)
Version: Latest   
Hardware: Any   
OS: Any   
Bug Depends on: 228402    
Bug Blocks:    
Attachments (description, flags):
Full output of /usr/ports/sysutils/bacula9-client make (flags: none)
src/lib/openssl-compat.h patch for LibreSSL (flags: none)
src/lib/crypto.c patch for LibreSSL (flags: none)
src/lib/openssl.c patch for LibreSSL (flags: none)

Description Dean E. Weimer 2017-11-30 14:30:42 UTC
Created attachment 188429 [details]
Full output of /usr/ports/sysutils/bacula9-client make

Appears to be broken when built with libressl after the 9.0.6 update; here is where the breakdown begins. I am attaching full build output from the bacula9-client build. The error is consistent and easy to duplicate by using DEFAULT_VERSIONS= ssl=libressl in make.conf.

--- openssl.lo ---
Compiling openssl.c
--- crypto.lo ---
crypto.c:199:1: error: unknown type name 'DEFINE_STACK_OF'
DEFINE_STACK_OF(SignerInfo);
^
crypto.c:200:1: error: unknown type name 'DEFINE_STACK_OF'
DEFINE_STACK_OF(RecipientInfo);
^
crypto.c:334:21: error: use of undeclared identifier 'ASN1_STRING_get0_data'; did you mean 'ASN1_STRING_data'?
   ext_value_data = ASN1_STRING_get0_data(asn1_ext_val);
                    ^~~~~~~~~~~~~~~~~~~~~
                    ASN1_STRING_data
/usr/local/include/openssl/asn1.h:787:17: note: 'ASN1_STRING_data' declared here
unsigned char * ASN1_STRING_data(ASN1_STRING *x);
                ^
crypto.c:334:43: error: cannot initialize a parameter of type 'ASN1_STRING *' (aka 'asn1_string_st *') with an lvalue of type 'const ASN1_STRING *' (aka 'const asn1_string_st *')
   ext_value_data = ASN1_STRING_get0_data(asn1_ext_val);
Comment 1 Dan Langille freebsd_committer 2017-12-04 01:44:30 UTC
I posted to the bacula-users mailing list.

One idea came out of that: https://marc.info/?l=bacula-users&m=151206017708430&w=2

Do you have time to play with a patch?  I'm overloaded just now.
Comment 2 Dean E. Weimer 2018-02-02 21:42:39 UTC
Created attachment 190277 [details]
src/lib/openssl-compat.h patch for LibreSSL
Comment 3 Dean E. Weimer 2018-02-02 21:43:16 UTC
Created attachment 190278 [details]
src/lib/crypto.c patch for LibreSSL
Comment 4 Dan Langille freebsd_committer 2018-02-02 21:45:29 UTC
(In reply to Dean E. Weimer from comment #3)
These work for you?
Comment 5 Dean E. Weimer 2018-02-02 21:45:54 UTC
I have a couple of patches that at least get the client to build. I admit that this is really a shoot-from-the-hip type of work, based on some internet searches and trial and error. They may work for the server as well; I ran out of free time to try that, and will update later if I get time to try it.
Comment 6 Dean E. Weimer 2018-02-02 22:03:08 UTC
(In reply to Dean E. Weimer from comment #5)
Server built and installed as well, have to run though, so I won't know until tonight if all the backups run OK or not.
Comment 7 Dean E. Weimer 2018-02-05 14:22:42 UTC
(In reply to Dean E. Weimer from comment #6)

Forgot to update Saturday morning. All of my backups ran fine after the build with these patches was installed.
Comment 8 Dan Langille freebsd_committer 2018-02-15 23:20:08 UTC
Feedback from the Bacula mailing list: the patches are incomplete.

https://marc.info/?l=bacula-users&m=151820132712504&w=2
Comment 9 Dean E. Weimer 2018-02-16 14:56:46 UTC
(In reply to Dan Langille from comment #8)

There are, it's possible with different options defined that the others may need changed as well.

root@bacula:/var/ports/usr/ports/sysutils/bacula9-server # grep -R "OPENSSL_VERSION_NUMBER" *
work/bacula-9.0.6/src/lib/openssl-compat.h:#if ( (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) )
work/bacula-9.0.6/src/lib/openssl.c:#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
work/bacula-9.0.6/src/lib/openssl.c:#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
work/bacula-9.0.6/src/lib/openssl.c:#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
work/bacula-9.0.6/src/lib/crypto.c:#if ( (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) )

I created one for the openssl.c file and will upload after posting this.

This one I wouldn't think should change.
work/bacula-9.0.6/src/lib/tls.c:#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)

Looks like it's deciding whether or not to build with support for older SSL protocols.
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
   /* Allows SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols */
   ctx->openssl = SSL_CTX_new(TLS_method());

#else
   /* Allows most all protocols */
   ctx->openssl = SSL_CTX_new(SSLv23_method());

#endif
Comment 10 Dean E. Weimer 2018-02-16 14:57:35 UTC
Created attachment 190694 [details]
src/lib/openssl.c patch for LibreSSL
Comment 11 Dan Langille freebsd_committer 2018-03-09 17:37:06 UTC
Let's see what the Bacula community says about this.
Comment 12 martin 2018-03-09 18:02:32 UTC
(In reply to Dean E. Weimer from comment #10)

Looks OK to me, but I would patch work/bacula-9.0.6/src/lib/tls.c to explicitly select TLS_method on LibreSSL rather than relying on the goofy value of OPENSSL_VERSION_NUMBER.
Comment 13 Dan Langille freebsd_committer 2018-04-07 20:24:26 UTC
Martin: I don't know how to implement what you said.

Do you mean just one patch, on work/bacula-9.0.6/src/lib/tls.c ?

In there, I now find:

   /* Allocate our OpenSSL TLS Context */
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
   /* Allows SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols */
   ctx->openssl = SSL_CTX_new(TLS_method());

#else
   /* Allows most all protocols */
   ctx->openssl = SSL_CTX_new(SSLv23_method());

#endif


Is this what you are talking about?  I have no OpenSSL/LibreSSL experience.
Comment 14 martin 2018-04-09 12:10:28 UTC
(In reply to Dan Langille from comment #13)

Yes, I meant changing that #if to something like this (untested):

#if (OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(LIBRESSL_VERSION_NUMBER))

I'm assuming you are using LibreSSL >= 2.2.2.
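
The grep from comment 9, taken one step further as an added example (not part of the thread, the Bacula source, or the port): it lists the #if/#elif lines that test OPENSSL_VERSION_NUMBER without naming LIBRESSL_VERSION_NUMBER, which is the implicit reliance discussed in comments 12 to 14. LibreSSL defines OPENSSL_VERSION_NUMBER as 0x20000000L, so such a guard silently takes whichever branch that value selects. The function names and the sample tree are constructed for illustration; the guard lines in the sample are the ones quoted in comment 9.

```shell
#!/bin/sh
# Added example: not part of Bacula, the FreeBSD port, or the thread.

# Print file:line:text for every #if/#elif that tests OPENSSL_VERSION_NUMBER
# without naming LIBRESSL_VERSION_NUMBER on the same line. #ifdef/#ifndef are
# skipped. Limitation: a guard continued with "\" is judged by its first line.
list_implicit_guards() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' \) -exec grep -nE \
        '^[[:space:]]*#[[:space:]]*(if|elif)[^_[:alnum:]].*OPENSSL_VERSION_NUMBER' \
        /dev/null {} + | grep -v 'LIBRESSL_VERSION_NUMBER' | sort
}

# Constructed sample tree: only the guard lines quoted in comment 9,
# each closed with #endif. Prints the directory it created.
make_sample_tree() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/guards.XXXXXX") || return 1
    lib="$dir/src/lib"
    mkdir -p "$lib"
    old='#if (OPENSSL_VERSION_NUMBER < 0x10100000L)'
    printf '%s\n#endif\n' \
        '#if ( (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) )' \
        > "$lib/openssl-compat.h"
    printf '%s\n#endif\n' "$old" "$old" "$old" > "$lib/openssl.c"
    printf '%s\n#endif\n' \
        '#if ( (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) )' \
        > "$lib/crypto.c"
    printf '%s\n#endif\n' '#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)' > "$lib/tls.c"
    printf '%s\n' "$dir"
}

# With a directory argument, audit that tree; otherwise audit the sample.
if [ $# -gt 0 ]; then
    list_implicit_guards "$1"
else
    sample=$(make_sample_tree) && list_implicit_guards "$sample"
    rm -rf "$sample"
fi
```

On the sample it reports the three openssl.c guards and the tls.c guard; openssl-compat.h and crypto.c are not listed because their guards already name LibreSSL.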
Comment 15 Dan Langille freebsd_committer 2018-05-23 16:00:06 UTC
see also #228402
Comment 16 Bernard Spil freebsd_committer 2018-06-09 09:14:09 UTC
Hi Dean, Martin,

Can you please check if the patch in bug #228402 works for you?

This PR is to fix issues with the 2.6 branch of LibreSSL, but LibreSSL meanwhile was upgraded to the 2.7 branch, which brought in the OpenSSL 1.1 API. Thus the patch is a lot smaller now.

If the patch in bug #228402 works, I think we can close this bug.

Thanks! Bernard.
Comment 17 Dean E. Weimer 2018-06-27 20:55:25 UTC
(In reply to Bernard Spil from comment #16)
The patch for #228402 worked with the latest port.
Comment 18 Walter Schwarzenfeld freebsd_triage 2019-08-09 10:16:16 UTC
We have libressl 2.9.2 and bacula9 version 9.4.3. Is this still relevant?
Comment 19 martin 2019-08-09 11:34:38 UTC
I think this PR can be closed.  I've not tested the port, but bacula 9.4.4 needs no patches to build with libressl 2.9.2.