Bug 224148

Summary: security/stunnel: fix build with LibreSSL
Product: Ports & Packages
Component: Individual Port(s)
Reporter: Piotr Kubaj <pkubaj>
Assignee: Ryan Steinmetz <zi>
Status: New ---
Severity: Affects Only Me
Priority: ---
CC: 000.fbsd, brnrd, daz, grembo, pkubaj, w.schwarzenfeld
Flags: bugzilla: maintainer-feedback? (zi)
Version: Latest
Hardware: Any
OS: Any
Bug Depends on:
Bug Blocks: 226843

Attachments (description, flags):
patch (flags: none)
svn diff for security/stunnel (flags: none)
Patch to build stunnel 5.47 and 5.48 with LibreSSL 2.7 (flags: grembo: maintainer-approval?)
svn-diff-stunnel_new (flags: none)

Description Piotr Kubaj freebsd_committer 2017-12-06 18:44:39 UTC
Created attachment 188593
patch

This patch fixes the build with LibreSSL. Tested with Poudriere on 11.1-RELEASE.
Comment 1 Piotr Kubaj freebsd_committer 2017-12-06 18:45:51 UTC
@brnrd
If @zi does not accept this patch, could you commit it to the HBSD repo? Redefining OPENSSL_VERSION_NUMBER is not a proper fix :)
Comment 2 Ryan Steinmetz freebsd_committer freebsd_triage 2017-12-06 19:02:20 UTC
Please push this patch upstream into the stunnel project.
Comment 3 Bernard Spil freebsd_committer 2017-12-06 20:30:56 UTC
Hi Ryan,

I've tried this but the upstream maintainer has some grudge against LibreSSL and makes a point of not supporting it.
Comment 4 Ryan Steinmetz freebsd_committer freebsd_triage 2017-12-06 20:34:34 UTC
I would propose sending them a patch that added autoconf detection for the items in question.  That way it isn't directly related to libressl and should be accepted.

Then the patch can be updated to be #ifdef HAVE_WHATEVER.

As previously discussed, I don't want to have to maintain patches in the ports that are not supported upstream.
Comment 5 Bernard Spil freebsd_committer 2017-12-06 20:37:20 UTC
Hi Ryan,

Agreed. Piotr: Can you see if you can factor a patch? I do think Michal would remember my name, it would be beneficial if it arrives from someone else :D
Comment 6 Miroslav Lachman 2018-01-10 02:02:35 UTC
(In reply to Ryan Steinmetz from comment #4)
I think it is better to have some patch in ports tree to get stunnel working with LibreSSL than broken stunnel for people using LibreSSL.

PC-BSD / TrueOS have had this patch for a long time:
https://github.com/trueos/freebsd-ports/blob/trueos-master/security/stunnel/files/patch-src_common.h (because TrueOS uses LibreSSL as the global default SSL for everything)

Can we have patched stunnel in the ports tree, please?
Comment 7 Ryan Steinmetz freebsd_committer freebsd_triage 2018-01-10 14:12:19 UTC
(In reply to Miroslav Lachman from comment #6)

Miroslav,

Please create a patch that adds autoconf detection for the function(s) in question and I will be happy to submit it upstream to the stunnel developers and commit it to the port after they've blessed it.

Thanks!
Comment 8 Miroslav Lachman 2018-01-10 16:12:31 UTC
Unfortunately, I cannot code C; I am not able to write any autoconf patch. I am dependent on the work of others. That's why I use the TrueOS patch locally.
Comment 9 Bernard Spil freebsd_committer 2018-06-09 09:20:52 UTC
Created attachment 194092
svn diff for security/stunnel

Patch update for LibreSSL 2.7
Comment 10 Bernard Spil freebsd_committer 2018-06-09 09:21:29 UTC
*** Bug 227264 has been marked as a duplicate of this bug. ***
Comment 11 Michael Gmelin freebsd_committer 2018-07-08 12:30:24 UTC
Created attachment 194951
Patch to build stunnel 5.47 and 5.48 with LibreSSL 2.7

Fixes the build for stunnel 5.47 and 5.48 with LibreSSL 2.7
Comment 12 Ryan Steinmetz freebsd_committer freebsd_triage 2018-07-08 12:50:07 UTC
Please push this patch (or some variation that they approve of) upstream into the stunnel project.
Comment 13 Michael Gmelin freebsd_committer 2018-07-08 13:10:04 UTC
(In reply to Ryan Steinmetz from comment #12)

Not sure if I have the time to argue with the author about three lines of code. Maybe after the next quarterly, when we won't support LibreSSL 2.6 any more (reduces the patch).

Still felt like leaving this here would be useful for others who run their own builders.
Comment 14 Miroslav Lachman 2019-02-21 16:09:29 UTC
Any update on this issue?
I am still not able to build stunnel on FreeBSD without patches from TrueOS.
Comment 15 Ryan Steinmetz freebsd_committer freebsd_triage 2019-02-21 16:54:54 UTC
I think if someone is willing to write the autoconf magic for upstream to detect the specific SSL calls and conditionally use/not use them, you will have a good chance of it being accepted. This ends up solving the issue without specifically being a LibreSSL patch.
Comment 16 Walter Schwarzenfeld freebsd_triage 2019-08-08 17:45:14 UTC
(In reply to Michael Gmelin from comment #11)
The patch applies with 5.55.1 and libressl 2.9.2 but it fails.

--- stunnel-tls.o ---
In file included from tls.c:39:
./prototypes.h:756:8: error: unknown type name 'CRYPTO_RWLOCK'
extern CRYPTO_RWLOCK *stunnel_locks[STUNNEL_LOCKS];
       ^
tls.c:56:30: warning: incompatible pointer types passing 'void *(size_t, const char *, int)' (aka 'void *(unsigned long, const char *, int)') to parameter of type 'void *(*)(size_t)' (aka 'void *(*)(unsigned long)') [-Wincompatible-pointer-types]
    CRYPTO_set_mem_functions(str_alloc_detached_debug,
                             ^~~~~~~~~~~~~~~~~~~~~~~~
/usr/local/include/openssl/crypto.h:417:38: note: passing argument to parameter 'm' here
int CRYPTO_set_mem_functions(void *(*m)(size_t), void *(*r)(void *, size_t), void (*f)(void *));
                                     ^
tls.c:57:9: warning: incompatible pointer types passing 'void *(void *, size_t, const char *, int)' (aka 'void *(void *, unsigned long, const char *, int)') to parameter of type 'void *(*)(void *, size_t)' (aka 'void *(*)(void *, unsigned long)') [-Wincompatible-pointer-types]
        str_realloc_detached_debug, str_free_debug);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/local/include/openssl/crypto.h:417:58: note: passing argument to parameter 'r' here
int CRYPTO_set_mem_functions(void *(*m)(size_t), void *(*r)(void *, size_t), void (*f)(void *));
                                                         ^
tls.c:57:37: warning: incompatible pointer types passing 'void (void *, const char *, int)' to parameter of type 'void (*)(void *)' [-Wincompatible-pointer-types]
        str_realloc_detached_debug, str_free_debug);
                                    ^~~~~~~~~~~~~~
/usr/local/include/openssl/crypto.h:417:85: note: passing argument to parameter 'f' here
int CRYPTO_set_mem_functions(void *(*m)(size_t), void *(*r)(void *, size_t), void (*f)(void *));
                                                                                    ^
3 warnings and 1 error generated.
--- stunnel-file.o ---
In file included from file.c:39:
./prototypes.h:756:8: error: unknown type name 'CRYPTO_RWLOCK'
extern CRYPTO_RWLOCK *stunnel_locks[STUNNEL_LOCKS];
       ^
1 error generated.
--- stunnel-tls.o ---
*** [stunnel-tls.o] Error code 1

make[4]: stopped in /ram/usr/ports/security/stunnel/work/stunnel-5.55/src
--- stunnel-file.o ---
*** [stunnel-file.o] Error code 1

make[4]: stopped in /ram/usr/ports/security/stunnel/work/stunnel-5.55/src
--- stunnel-str.o ---
In file included from str.c:39:
./prototypes.h:756:8: error: unknown type name 'CRYPTO_RWLOCK'
extern CRYPTO_RWLOCK *stunnel_locks[STUNNEL_LOCKS];
       ^
str.c:461:9: warning: implicit declaration of function 'CRYPTO_THREAD_write_lock' is invalid in C99 [-Wimplicit-function-declaration]
        CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_LEAK_HASH]);
        ^
str.c:465:17: warning: implicit declaration of function 'CRYPTO_THREAD_unlock' is invalid in C99 [-Wimplicit-function-declaration]
                CRYPTO_THREAD_unlock(stunnel_locks[LOCK_LEAK_HASH]);
                ^
str.c:472:9: warning: implicit declaration of function 'CRYPTO_THREAD_unlock' is invalid in C99 [-Wimplicit-function-declaration]
        CRYPTO_THREAD_unlock(stunnel_locks[LOCK_LEAK_HASH]);
        ^
str.c:481:9: warning: implicit declaration of function 'CRYPTO_atomic_add' is invalid in C99 [-Wimplicit-function-declaration]
        CRYPTO_atomic_add(&entry->num, change, &allocations,
        ^
str.c:503:5: warning: implicit declaration of function 'CRYPTO_THREAD_write_lock' is invalid in C99 [-Wimplicit-function-declaration]
    CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_LEAK_RESULTS]);
    ^
str.c:511:5: warning: implicit declaration of function 'CRYPTO_THREAD_unlock' is invalid in C99 [-Wimplicit-function-declaration]
    CRYPTO_THREAD_unlock(stunnel_locks[LOCK_LEAK_RESULTS]);
    ^
6 warnings and 1 error generated.
*** [stunnel-str.o] Error code 1

make[4]: stopped in /ram/usr/ports/security/stunnel/work/stunnel-5.55/src
--- stunnel-client.o ---
In file included from client.c:39:
./prototypes.h:756:8: error: unknown type name 'CRYPTO_RWLOCK'
extern CRYPTO_RWLOCK *stunnel_locks[STUNNEL_LOCKS];
       ^
client.c:104:5: warning: implicit declaration of function 'CRYPTO_THREAD_read_lock' is invalid in C99 [-Wimplicit-function-declaration]
    CRYPTO_THREAD_read_lock(stunnel_locks[LOCK_THREAD_LIST]);
    ^
client.c:105:5: warning: implicit declaration of function 'CRYPTO_THREAD_unlock' is invalid in C99 [-Wimplicit-function-declaration]
    CRYPTO_THREAD_unlock(stunnel_locks[LOCK_THREAD_LIST]);
    ^
client.c:119:5: warning: implicit declaration of function 'CRYPTO_THREAD_write_lock' is invalid in C99 [-Wimplicit-function-declaration]
    CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_THREAD_LIST]);
    ^
client.c:257:5: warning: implicit declaration of function 'CRYPTO_atomic_add' is invalid in C99 [-Wimplicit-function-declaration]
    CRYPTO_atomic_add(&num_clients, 1, &num, stunnel_locks[LOCK_CLIENTS]);
    ^
client.c:614:5: warning: implicit declaration of function 'CRYPTO_THREAD_read_lock' is invalid in C99 [-Wimplicit-function-declaration]
    CRYPTO_THREAD_read_lock(stunnel_locks[LOCK_SESSION]);
    ^
client.c:627:5: warning: implicit declaration of function 'CRYPTO_THREAD_unlock' is invalid in C99 [-Wimplicit-function-declaration]
    CRYPTO_THREAD_unlock(stunnel_locks[LOCK_SESSION]);
    ^
client.c:714:21: warning: implicit declaration of function 'SSL_has_pending' is invalid in C99 [-Wimplicit-function-declaration]
        has_pending=SSL_has_pending(c->ssl);
                    ^
client.c:1505:5: warning: implicit declaration of function 'CRYPTO_THREAD_write_lock' is invalid in C99 [-Wimplicit-function-declaration]
    CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_ADDR]);
    ^
client.c:1508:5: warning: implicit declaration of function 'CRYPTO_THREAD_unlock' is invalid in C99 [-Wimplicit-function-declaration]
    CRYPTO_THREAD_unlock(stunnel_locks[LOCK_ADDR]);
    ^
client.c:1524:9: warning: implicit declaration of function 'CRYPTO_THREAD_read_lock' is invalid in C99 [-Wimplicit-function-declaration]
        CRYPTO_THREAD_read_lock(stunnel_locks[LOCK_ADDR]);
        ^
client.c:1530:13: warning: implicit declaration of function 'CRYPTO_THREAD_unlock' is invalid in C99 [-Wimplicit-function-declaration]
            CRYPTO_THREAD_unlock(stunnel_locks[LOCK_ADDR]);
            ^
client.c:1546:13: warning: implicit declaration of function 'CRYPTO_THREAD_unlock' is invalid in C99 [-Wimplicit-function-declaration]
            CRYPTO_THREAD_unlock(stunnel_locks[LOCK_ADDR]);
            ^
12 warnings and 1 error generated.
*** [stunnel-client.o] Error code 1

make[4]: stopped in /ram/usr/ports/security/stunnel/work/stunnel-5.55/src
4 errors

make[4]: stopped in /ram/usr/ports/security/stunnel/work/stunnel-5.55/src
*** [all] Error code 2

make[3]: stopped in /ram/usr/ports/security/stunnel/work/stunnel-5.55/src
1 error
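
Added example, not part of the thread and not code from the port or from stunnel: a small triage script that turns clang diagnostics like those in comment 16 into the autoconf checks proposed in comments 4 and 15, together with the `HAVE_*` macro names the `#ifdef` guards would use. The sample log is constructed from a few lines of the log above, and the header used for the type probe (`openssl/crypto.h`) is an assumption.

```python
import re

# Constructed sample: a handful of diagnostics in the shape of the build log above.
SAMPLE_LOG = """\
./prototypes.h:756:8: error: unknown type name 'CRYPTO_RWLOCK'
str.c:461:9: warning: implicit declaration of function 'CRYPTO_THREAD_write_lock' is invalid in C99 [-Wimplicit-function-declaration]
str.c:465:17: warning: implicit declaration of function 'CRYPTO_THREAD_unlock' is invalid in C99 [-Wimplicit-function-declaration]
str.c:481:9: warning: implicit declaration of function 'CRYPTO_atomic_add' is invalid in C99 [-Wimplicit-function-declaration]
client.c:104:5: warning: implicit declaration of function 'CRYPTO_THREAD_read_lock' is invalid in C99 [-Wimplicit-function-declaration]
client.c:714:21: warning: implicit declaration of function 'SSL_has_pending' is invalid in C99 [-Wimplicit-function-declaration]
./prototypes.h:756:8: error: unknown type name 'CRYPTO_RWLOCK'
"""

TYPE_RE = re.compile(r"error: unknown type name '(\w+)'")
FUNC_RE = re.compile(r"implicit declaration of function '(\w+)'")


def missing_symbols(log):
    """Return (types, functions) named in the diagnostics, de-duplicated, first-seen order."""
    types, funcs = [], []
    for line in log.splitlines():
        for regex, bucket in ((TYPE_RE, types), (FUNC_RE, funcs)):
            match = regex.search(line)
            if match and match.group(1) not in bucket:
                bucket.append(match.group(1))
    return types, funcs


def have_macro(symbol):
    """Name autoconf defines when a check succeeds: HAVE_ plus the upper-cased symbol."""
    return "HAVE_" + re.sub(r"\W", "_", symbol).upper()


def configure_fragment(types, funcs, header="openssl/crypto.h"):
    """Build configure.ac checks; the header for the type probe is an assumption."""
    lines = [f"AC_CHECK_TYPES([{t}], [], [], [[#include <{header}>]])" for t in types]
    if funcs:
        lines.append("AC_CHECK_FUNCS([" + " ".join(funcs) + "])")
    return "\n".join(lines)


if __name__ == "__main__":
    found_types, found_funcs = missing_symbols(SAMPLE_LOG)
    print(configure_fragment(found_types, found_funcs))
    for sym in found_types + found_funcs:
        print(f"#ifdef {have_macro(sym)}  /* guard uses of {sym} */")
```

`AC_CHECK_FUNCS` links a test program, so the SSL libraries must already be in `LIBS` when the generated checks run.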
Comment 17 Walter Schwarzenfeld freebsd_triage 2019-08-27 14:34:43 UTC
Created attachment 206956
svn-diff-stunnel_new

I got it from here:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d65515da00c16636e1d6f10f0482b29afe4cf9b