Bug 218590 - mail/qmail-tls: Fix build with LibreSSL 2.5.3
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Bernard Spil
Keywords: needs-qa, patch
Depends on:
Reported: 2017-04-12 14:01 UTC by Bernard Spil
Modified: 2017-07-29 11:56 UTC (History)
bugzilla: maintainer-feedback? (erdgeist)
koobs: merge-quarterly?

patch for qmail-tls (1.00 KB, text/plain)
2017-04-12 14:01 UTC, Bernard Spil
no flags
svn diff for mail/qmail (1.47 KB, patch)
2017-05-14 13:59 UTC, Bernard Spil
no flags
svn diff for mail/qmail (1.96 KB, patch)
2017-07-29 11:56 UTC, Bernard Spil
brnrd: maintainer-approval?

Description Bernard Spil freebsd_committer freebsd_triage 2017-04-12 14:01:41 UTC
Created attachment 181717
patch for qmail-tls

OpenBSD's been more aggressive making structures opaque than OpenSSL has. This makes programs trying to access these structs fail.

The direct access should be replaced with the appropriate methods, from the SSL_get_state(3) manual:
"These functions are available in all versions of OpenSSL."
Comment 1 dewayne 2017-04-16 21:09:07 UTC
Bernard - helpful as always, thank you. :)
Perhaps it's time to change your username to MrLibre(ssl) ;)
Comment 2 Mike Walker 2017-04-18 14:50:59 UTC
(In reply to Bernard Spil from comment #0)

I believe Bernard's right.

This seems to be a problem with the latest version of LibreSSL (2.5.3) and is also affecting other ports:

 * haproxy - bug #218586, bug #218637
 * nginx with lua - bug #218595

The following is mentioned in the LibreSSL 2.5.3 release notes [1]:

 * Moved many leaked implementation details in public structs behind opaque

I'm assuming there's going to have to be some upstream refactoring/cleanup of projects tickling/reading now-private internal SSL data structures.

1: https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.5.3-relnotes.txt
Comment 3 erdgeist 2017-04-18 15:15:05 UTC
A friend already reported the issue and a patch to Frederik Vermeulen, maintainer of upstream netqmail tls patch at http://inoa.net/qmail-tls/

I hope they will incorporate this fix soonish and I don't like keeping those patches downstream as I clearly think this has been a booboo by libressl authors breaking their promise to not break existing code that relies on OpenSSL API, removing the very reason for libressl's existence in the first place.

I think I will now make a patch that supports mbedtls2, as this looks like the API I would very much love to see in a TLS lib.
Comment 4 Mike Walker 2017-04-18 18:01:45 UTC
(In reply to erdgeist from comment #3)

To be fair, these same types of changes (making structs opaque) are also going into OpenSSL 1.1 so it looks like everybody has some work to do.
Comment 5 Bernard Spil freebsd_committer freebsd_triage 2017-05-14 13:59:58 UTC
Created attachment 182592
svn diff for mail/qmail

Proper svn diff for net/qmail

mail/qmail: Fix build with LibreSSL

 - Add patch for qmail-tls

PR: 218590
Comment 6 Bernard Spil freebsd_committer freebsd_triage 2017-07-25 12:21:33 UTC
Hi Erdgeist,

OK to commit this?

Cheers, Bernard.
Comment 7 Kubilay Kocak freebsd_committer freebsd_triage 2017-07-26 03:05:10 UTC
Note these changes come under blanket approval (build fixes)
Comment 8 erdgeist 2017-07-26 12:43:32 UTC
(In reply to Bernard Spil from comment #6)
Sure. Thanks a lot.
Comment 9 commit-hook freebsd_committer freebsd_triage 2017-07-27 11:20:45 UTC
A commit references this bug:

Author: brnrd
Date: Thu Jul 27 11:20:13 UTC 2017
New revision: 446735
URL: https://svnweb.freebsd.org/changeset/ports/446735

  mail/qmail-tls: Fix build with LibreSSL

   - Replace direct struct access with get/setters

  PR:		218590
  Approved by:	erdgeist (maintainer)
  MFH:		2017Q3

Comment 10 Bernard Spil freebsd_committer freebsd_triage 2017-07-27 11:22:27 UTC
Built on local LibreSSL system and on vanilla 10.3/11.0 i386/amd64 in poudriere.
Comment 11 Antoine Brodin freebsd_committer freebsd_triage 2017-07-27 11:42:42 UTC
(In reply to Kubilay Kocak from comment #7)
Once again, broken changes are not covered by portmgr blanket.
Comment 12 commit-hook freebsd_committer freebsd_triage 2017-07-27 11:56:17 UTC
A commit references this bug:

Author: brnrd
Date: Thu Jul 27 11:56:01 UTC 2017
New revision: 446737
URL: https://svnweb.freebsd.org/changeset/ports/446737

  mail/qmail-tls: Fix patch

   - Fix egregious accept=>connect mistake

  PR:		218590
  Reported by:	antoine

Comment 13 commit-hook freebsd_committer freebsd_triage 2017-07-28 08:23:01 UTC
A commit references this bug:

Author: antoine
Date: Fri Jul 28 08:22:16 UTC 2017
New revision: 446810
URL: https://svnweb.freebsd.org/changeset/ports/446810

  Revert r446735 and unbreak, the patch fails to apply and is probably wrong

  PR:		218590
  Reported by:	pkg-fallout

Comment 14 Bernard Spil freebsd_committer freebsd_triage 2017-07-29 11:56:03 UTC
Created attachment 184829
svn diff for mail/qmail

Refactored the patch.
Missed the way this master/slave port works.
Assuming the breakage was with master port due to unconditional patching of the WRKSRC.

mail/qmail: Add extra-patch for LibreSSL

 - Add LibreSSL patch for qmail-tls slave port
 - Add EXTRA_PATCHES for SLAVE_TLS in master port

PR: 218590

As for the ssl->type to SSL_get_state change: This seems weird but is actually how it is implemented. ssl->type would return either accept (server) or connect (client) mode, ssl->state added additional states not available through ssl->type. The SSL_ST_ACCEPT and SSL_ST_CONNECT are only available through the SSL_get_state method in most recent versions of OpenSSL/LibreSSL.

Feedback appreciated!