Bug 215197 - security/p5-Crypt-SMIME cannot be built with LibreSSL because CMS support is disabled
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: freebsd-perl (Nobody)
Reported: 2016-12-10 14:19 UTC by Peter Putzer
Modified: 2019-01-27 07:07 UTC
tobik: maintainer-feedback-


Attachments
[patch] mark broken with fb9 + base ssl (4.40 KB, patch)
2016-12-10 16:55 UTC, John Hein
[patch] mark broken with fb9 + base ssl [take 2] (579 bytes, patch)
2016-12-10 17:08 UTC, John Hein
jcfyecrayz: maintainer-approval? (perl)

Description Peter Putzer 2016-12-10 14:19:57 UTC
security/p5-Crypt-SMIME 0.19 fails when building against LibreSSL from ports because support for CMS (Cryptographic Message Syntax) is disabled:

In file included from SMIME.xs:12:
/usr/local/include/openssl/cms.h:62:2: error: CMS is disabled.
#error CMS is disabled.
 ^
1 error generated.
*** [SMIME.o] Error code 1
Comment 1 John Hein 2016-12-10 16:55:28 UTC
Created attachment 177854
[patch] mark broken with fb9 + base ssl

security/p5-Crypt-SMIME 0.19 requires cms.h which is not available with the base openssl in FreeBSD 9.

The patch marks that condition.

Workaround on 9: use openssl from ports.
Comment 2 John Hein 2016-12-10 16:57:39 UTC
(In reply to John Hein from comment #1)

noticed by pkg-fallout
Comment 3 Peter Putzer 2016-12-10 16:58:37 UTC
Sorry if I wasn't clear enough in the original PR. The problem also exists on FreeBSD 11 if using the libressl port. I tried building with base openssl via make.conf, but that's not possible when the libressl port is installed.
Comment 4 John Hein 2016-12-10 17:00:42 UTC
(In reply to John Hein from comment #1)

FYI - This is not the same as the problem described by the submitter (who appears to be using openssl from ports).
Comment 5 John Hein 2016-12-10 17:02:32 UTC
(In reply to freebsd from comment #3)

Thanks for the important distinction. I don't have a workaround for the issue with the disabled CMS in libressl at the moment.
Comment 6 John Hein 2016-12-10 17:08:18 UTC
Created attachment 177855
[patch] mark broken with fb9 + base ssl [take 2]

Ignore completely unrelated previous patch.

This one is the right one to address the broken build with FB9 + base ssl.
Comment 7 John Hein 2016-12-10 18:18:56 UTC
Peter, sorry for not reading your original post closely enough and piggybacking the FreeBSD 9 issue here.  Perhaps I should open a new bug for that, but hopefully someone will pick up that patch and apply it.  If not, I'll move to a new bug.

The least I can do is dig into your issue more closely.  It looks like libressl has had CMS disabled upstream since "day one".  I haven't really been following libressl much, but it seems they just have not implemented CMS.  And in September they removed it from libressl-portable (commit df207699777fe7a671df25998808dac473903678).

So it seems like libressl is avoiding CMS at the least.  In any case, I don't see an easy fix.

The crypt-smime change in 0.91 says:

+0.19    Fri Dec  2 13:22:27 JST 2016
+        - Use RFC-5652 CMS functions instead of PKCS#7 ones for better
+          interoperability,  Suggested by Hib Engler <h [...]
+          killercool.net>.  CMS has a backwards compatibility with
+          PKCS#7 so the change should introduce no compat issues.

I did see another project where there was a workaround to fall back to pkcs#7 :

https://patchwork.kernel.org/patch/8463141/


In any case, I still don't know what the fix is for your issue (which seems to perhaps be more of a problem with libressl?).  If CMS is disabled by libressl for good reasons, perhaps Crypt-SMIME is going in the wrong direction.  But it could be that libressl is just sweeping it under the rug since they don't want to deal with CMS right now.  I can't read the tea leaves well enough to discern.  Maybe a libressl expert could help more.

Again, sorry for my too-hasty initial read of your bug report and the ensuing confusion.
Comment 8 Peter Putzer 2016-12-10 18:32:06 UTC
(In reply to John Hein from comment #7)

On this machine we've been using LibreSSL since basically forever. Versions of p5-Crypt-SMIME up to and including 0.18 worked fine with this setup. From what I gather from reading the changelogs, what's changed for 0.19 is that it honors the SSL settings in make.conf now (I assume it fell back to OpenSSL from base before that). If my reading is correct, it should be relatively easy to add a config switch to the port to continue building it with the base OpenSSL.
Comment 9 John Hein 2016-12-10 18:41:06 UTC
More background on CMS in libressl and the recent cleanup/removal of CMS references:

https://marc.info/?l=openbsd-ports&m=147502230332492&w=2

Maybe an upstream bug report to Crypt-SMIME is your next best option if you really want it to work with libressl.

But if you don't care about its compatibility with libressl, you may be right about adding a way to have security/p5-Crypt-SMIME build with openssl.  Maybe one thing to do is to add an option.  Relying on base for ports is kind of the opposite direction the project is taking, however.  I think the tendency is to move away from relying on base versions of contrib software for dependencies in ports.

It would be easier if libressl & openssl ports could co-exist, but they conflict right now.
Comment 10 John Hein 2016-12-10 18:52:28 UTC
A possible workaround for you is to use DEFAULT_VERSIONS=ssl=base when building security/p5-Crypt-SMIME (you can just put it in your environment).

Normally people put DEFAULT_VERSIONS=ssl=XXX in /etc/make.conf to express a preference for using a particular version of ssl (base, openssl, libressl) for _all_ ports builds.  But there's nothing to say you can't define DEFAULT_VERSIONS more "surgically" to be different for different ports.  There may be complications from doing that, but for a single deviation like this port, you should be okay.

There has been some talk of altering what exactly is included in base for ssl (e.g., removing it entirely or using a stripped down version of openssl for just the things that the base OS needs - which would probably _not_ include CMS).  So if that talk becomes some form of reality, depending on base for a full-fledged openssl implementation for this port would not be a good long term fix.

It seems to me the most fruitful direction would be to work on allowing libressl & openssl to co-exist as ports.  I don't think libressl's goals are to be 100% compatible with openssl, so these kinds of problems will always crop up.
Comment 11 Peter Putzer 2016-12-10 19:30:51 UTC
(In reply to John Hein from comment #10)

Unfortunately, that does not work (I had already tried this before posting the PR):

===>  Cleaning for p5-Crypt-SMIME-0.19
Dependency error: This port wants the OpenSSL library from the FreeBSD
base system. You can't build against it, while a newer
version is installed by a port.
Please deinstall the port, remove DEFAULT_VERSIONS=ssl=base or undefine WITH_OPENSSL_BASE.
*** Error code 1
Comment 12 Peter Putzer 2016-12-11 10:34:42 UTC
(In reply to John Hein from comment #10)

After some further experiment, the port seems to be broken (e.g. incompatible) with libressl from 0.19 onward due to upstream changes. I reverted the changes to the Makefile, but the message about disabled CMS support stayed. According to the upstream changelog, the PKCS#7 functions were replaced with CMS functions, so that might be the reason.
Comment 13 John Hein 2016-12-12 06:36:01 UTC
(In reply to Peter Putzer from comment #12)

Yeah, the two upstream projects in question (Crypt-SMIME & libressl) are going in opposite directions with respect to CMS - the former is embracing it, and the latter is removing any vestiges of it from the libressl code base.

It would be nice to allow the openssl & libressl ports to be installed together.  I suspect Crypt-SMIME won't be the only port that needs features of one that aren't in the other (openssl rather than libressl in this case).

But someone has to do that work, so that doesn't help you now.  Right now, the state of affairs is that Crypt-SMIME + libressl should be marked BROKEN.
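
The two failure modes in this thread (no cms.h at all with the FreeBSD 9 base OpenSSL, and a cms.h that stops with "#error CMS is disabled." under LibreSSL) can be told apart before a build by inspecting the SSL include directory. The script below is an added example, not part of the bug report or of the port; it assumes the library marks the compiled-out feature with "#define OPENSSL_NO_CMS" in openssl/opensslconf.h, and the header trees it builds are constructed fixtures.

```shell
#!/bin/sh
# Added example: classify CMS support in an SSL include directory.
# Assumption: a library built without CMS has "#define OPENSSL_NO_CMS"
# in openssl/opensslconf.h, and cms.h guards on that macro.

# cms_status INCLUDE_DIR -> prints "available", "disabled" or "missing"
cms_status() {
    inc=$1
    # Header not shipped at all (the FreeBSD 9 base OpenSSL case, comment 1).
    if [ ! -f "$inc/openssl/cms.h" ]; then
        echo missing
        return 0
    fi
    # Header present but the feature is compiled out: including it stops
    # the build with "#error CMS is disabled." (the LibreSSL case).
    if [ -f "$inc/openssl/opensslconf.h" ] &&
       grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+OPENSSL_NO_CMS([[:space:]]|$)' \
            "$inc/openssl/opensslconf.h"; then
        echo disabled
        return 0
    fi
    echo available
}

# make_fixture DIR KIND: build a constructed include tree (not real headers).
make_fixture() {
    mkdir -p "$1/openssl"
    guard='#ifdef OPENSSL_NO_CMS\n#error CMS is disabled.\n#endif\n'
    case $2 in
        libressl)   # feature macro defined, guarded header present
            printf '#define OPENSSL_NO_CMS\n' > "$1/openssl/opensslconf.h"
            printf "$guard" > "$1/openssl/cms.h" ;;
        openssl)    # macro only mentioned inside a comment, so not active
            printf '/* #define OPENSSL_NO_CMS */\n' > "$1/openssl/opensslconf.h"
            printf "$guard" > "$1/openssl/cms.h" ;;
        fb9base)    # no cms.h in the tree at all
            printf '/* constructed: no CMS header */\n' > "$1/openssl/opensslconf.h" ;;
    esac
}

demo() {
    tmp=$(mktemp -d) || return 1
    for kind in libressl openssl fb9base; do
        make_fixture "$tmp/$kind" "$kind"
        printf '%s: %s\n' "$kind" "$(cms_status "$tmp/$kind")"
    done
    rm -rf "$tmp"
}
demo
```

On a real system the argument would be the include directory the port compiles against, such as the /usr/local/include seen in the error output above.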
Comment 14 John Hein 2016-12-13 18:01:11 UTC
The 'mark broken' (via IGNORE) approach was applied in r428413 and r428458 (although this bug was not referenced in the commit messages).

This bug should probably be closed.  Getting Crypt-SMIME to work with libressl is an upstream issue.
Comment 15 Peter Putzer 2016-12-15 13:07:01 UTC
(In reply to John Hein from comment #14)

Unfortunately, upstream is not interested (https://rt.cpan.org/Public/Bug/Display.html?id=119227). Gentoo has noted the same problem (https://bugs.gentoo.org/show_bug.cgi?id=601774), maybe whatever fix/workaround/solution they devise could be shared?
Comment 16 Tobias Kortkamp freebsd_committer freebsd_triage 2019-01-27 07:07:55 UTC
Closing per comment #14.