Bug 216836 - security/openvpn Can't compile with LibreSSL 2.5.1
Summary: security/openvpn Can't compile with LibreSSL 2.5.1
Status: Closed Not Accepted
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Matthias Andree
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-02-05 21:40 UTC by OlivierW
Modified: 2017-02-16 13:58 UTC

See Also:
mandree: maintainer-feedback+


Attachments
Fix building problem. Does it run correctly? (795 bytes, patch)
2017-02-05 21:40 UTC, OlivierW

Description OlivierW 2017-02-05 21:40:48 UTC
Created attachment 179658
Fix building problem. Does it run correctly?

Hello,

OpenVPN doesn't build with LibreSSL 2.5.1, getting this error:
"ssl_openssl.c:512:30: error: no member named 'cert' in 'struct ssl_ctx_st'
        ssl.cert = ctx->ctx->cert;
                   ~~~~~~~~  ^
1 error generated.
*** Error code 1"

I've attached a patch, inspired by curl's source code: https://github.com/curl/curl/blob/master/lib/vtls/openssl.c#L603-L619

Unfortunately, I don't have a usable running OpenVPN server, can someone please test if everything works properly?

Best Regards.
Comment 1 OlivierW 2017-02-05 21:52:10 UTC
Talking about LibreSSL, not related to the build problem: a few lines above my modification, at line 488 of file src/openvpn/ssl_openssl.c there is this test:
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
Shouldn't it be completed by:
 || defined(LIBRESSL_VERSION_NUMBER)
?

SSL_CTX_set_ecdh_auto seems to be present in LibreSSL 2.2.2, which also defines LIBRESSL_VERSION_NUMBER for the first time.
Comment 2 OlivierW 2017-02-05 22:05:01 UTC
(In reply to OlivierW from comment #1)
My mistake, LIBRESSL_VERSION_NUMBER and SSL_CTX_set_ecdh_auto() are also in earlier versions of LibreSSL...

SSL_CTX_set_ecdh_auto() appears in LibreSSL 2.1.0, but versions are all equal to "0x20000000L" in 2.1.0, 2.2.1 and earlier versions like 2.0.6.
Maybe we should target LibreSSL 2.2.2 which has "0x20020002L".

If so, the test mentioned in comment #1 should be changed to:
#if OPENSSL_VERSION_NUMBER >= 0x10002000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x20020002L )
Comment 3 Matthias Andree 2017-02-05 22:28:25 UTC
If it hurts, don't do it, and build against OpenSSL or mbedTLS.

I will not currently accept local patches for OpenVPN that affect crypto code.
Any such patches need to be directed upstream for review and scrutiny.  The upstream maintainers are normally open to such contributions, but I lack personal interest in spending my time on a product that claims OpenSSL compatibility and breaks everywhere and everything.
Comment 4 OlivierW 2017-02-05 22:33:08 UTC
Ok I understand, I'll send it upstream.
Comment 5 Matthias Andree 2017-02-05 23:12:12 UTC
Best channels are https://community.openvpn.net/openvpn and the openvpn-devel mailing list for discussion and questions.
Comment 6 OlivierW 2017-02-06 11:19:18 UTC
Thanks mandree@!
Sadly I read your comment too late and didn't follow the right way to contribute to OpenVPN :-(
I'll fix that problem tonight or in the next few days.

Since my first post here, I've been able to set up and run OpenVPN. I just don't know how to test that the code works.

If you or anyone is interested in following the correction of this build error, here's the GitHub pull request: https://github.com/OpenVPN/openvpn/pull/82
Comment 7 OlivierW 2017-02-16 13:58:15 UTC
Hello,

For people interested in the follow-up of the patch, it has been upstreamed: https://github.com/OpenVPN/openvpn/commit/dcfd3b6173d8cdb4658de23db1dd0bd932b390d2 :-)

Best Regards,
Olivier