Bug 219763 - net/freeradius3: 3.0.4.14 fails to build on FreeBSD 11.1-Prerelease with libressl due to missing psk_identity
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Ryan Steinmetz
Keywords: needs-qa
Reported: 2017-06-04 06:21 UTC by dewayne
Modified: 2017-07-26 03:35 UTC

koobs: maintainer-feedback? (zi)
koobs: merge-quarterly?


Attachments
patch against head (2.31 KB, patch)
2017-07-06 10:00 UTC, Franco Fichtner
franco: maintainer-approval?

Description dewayne 2017-06-04 06:21:56 UTC
On FreeBSD b2.hs 11.1-PRERELEASE FreeBSD 11.1-PRERELEASE #0 r318992M: Sun May 28 06:32:28 AEST 2017

make package returns
                   ^
src/main/tls.c:3169:12: error: no member named 'psk_identity' in 'struct fr_tls_server_conf_t'
        if (conf->psk_identity) {
            ~~~~  ^
4 warnings and 1 error generated.
gmake[1]: *** [scripts/boiler.mk:635: build/objs/src/main/tls.lo] Error 1
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2017-06-04 14:47:03 UTC
@Dewayne, 

Did this port build using libressl in a previous version (i.e., is this a regression), or using a different version of libressl? If so, please detail the last version combination(s) that built successfully.
Comment 2 dewayne 2017-07-03 05:47:29 UTC
(In reply to Kubilay Kocak from comment #1)
I doubt that this is going to help, I need to spend more time on it.

Interim update.
Freeradius3 3.0.13 successfully builds with libressl 2.5.4 on FreeBSD11.1Beta3 amd64.  

We only use certs, no PSKs. Both FreeRadius3 and libressl have been upgraded to 3.0.14 and 2.5.4.  The error
src/main/tls.c:3169:10: error: 'fr_tls_server_conf_t {aka struct fr_tls_server_conf_t}' has no member named 'psk_identity'
  if (conf->psk_identity) {

seems to arise because 
PSK_MAX_IDENTITY_LEN
is defined in openssl's /usr/local/include/openssl/ssl.h but not in libressl's instance.  (Aside: libressl is used on amd64, while the i386s use openssl (for padlock).)

openssl's ssl.h is 
-rw-r--r--  1 root  wheel  149267 Jul  1 18:45 /usr/local/include/openssl/ssl.h
while libressl has
-rw-r--r--  1 root  wheel  84869 Jul  1 15:33 /usr/local/include/openssl/ssl.h

obviously a significant difference.  But if that mattered, why would 3.0.13 build on libressl but 3.0.14 doesn't :(

So I compared the tls.c's "include" files for a clue (compared 3.0.13 with those in 3.0.14)

# sh -c 'for i in process.h rad_assert.h radiusd.h; do diff freeradius-server-3.0.13/src/include/$i /var/ports/usr/ports/net/freeradius3/work/freeradius-server-3.0.14/src/include/$i; done'
#
No differences.

diff'ing tls.c revealed a lot of changes.  Apart from 

< #if OPENSSL_VERSION_NUMBER >= 0x10100000L
---
> #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)

There wasn't anything obviously related.


FYI: Config for all tests options:
b2# make -C /usr/ports/net/freeradius3 -DUSE_K8 showconfig|grep =on
     DOCS=on: Build and/or install documentation
     HEIMDAL=on: With Heimdal Kerberos support
     HEIMDAL_PORT=on: With Heimdal Kerberos from ports
     KERBEROS=on: Kerberos support
     LDAP=on: LDAP protocol support
     PERL=on: Perl scripting language support
     USER=on: Run as user freeradius, group freeradius
b2#

And significant flags on amd64:

# make -C /usr/ports/net/freeradius3 -DUSE_K8 -DUSE_GCC5 showconfig -VCFLAGS -Vspacer -VLDFLAGS
-O2 -pipe -DOPENSSL_NO_SSL2 -DOPENSSL_NO_SSL3 -g0 -ggdb0 -DSTRIP_FBSDID -UDEBUGGING -UEBUGGING -UDEBUG -march=core-avx-i -mtune=core-avx-i  -I/usr/local/include -fstack-protector -Wl,-rpath=/usr/local/lib/gcc5 -DLDAP_DEPRECATED -fno-strict-aliasing

 -L/usr/local/lib -L/usr/local/lib/heimdal -Wl,-rpath,/usr/local/lib -fstack-protector -Wl,-rpath=/usr/local/lib/gcc5 -L/usr/local/lib/gcc5

In trying to get this to build, I used gcc5 whereas we normally build with clang.  The behaviour is the same regardless of compiler.

Please note that I have some local changes to my libressl.  If anyone can build freeradius3 3.0.14 with libressl 2.5.4 on 11.1beta3 or later then I may have the problem, as the other 1170 ports build fine.

Unfortunately on this build cycle, I've run out of time and reverted freeradius3, back to 3.0.13 :/
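
The header comparison described in comment 2, written as a repeatable check (an added example, not part of the bug thread or of the port): it reports which TLS library the headers under an include directory belong to and whether `ssl.h` defines `PSK_MAX_IDENTITY_LEN`. The function names, the output format and the sample headers are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; not code from the bug thread, the port, or FreeRADIUS.
# The macro names are the ones quoted in the thread; everything else is assumed.

# tls_header_profile INCLUDE_DIR -> prints "<openssl|libressl> psk=<yes|no>"
# Note: grep does not evaluate #ifdef blocks, so psk=yes means "the header can
# define the macro", not "it is defined for this build configuration".
tls_header_profile() {
    inc="$1/openssl"
    if [ ! -r "$inc/ssl.h" ] || [ ! -r "$inc/opensslv.h" ]; then
        echo "missing-headers"
        return 1
    fi
    def='^[[:space:]]*#[[:space:]]*define[[:space:]]+'
    # LibreSSL identifies itself with LIBRESSL_VERSION_NUMBER in opensslv.h.
    if grep -Eq "${def}LIBRESSL_VERSION_NUMBER" "$inc/opensslv.h"; then
        lib=libressl
    else
        lib=openssl
    fi
    # PSK support is signalled by PSK_MAX_IDENTITY_LEN in ssl.h.
    if grep -Eq "${def}PSK_MAX_IDENTITY_LEN" "$inc/ssl.h"; then
        psk=yes
    else
        psk=no
    fi
    echo "$lib psk=$psk"
}

# Constructed sample headers (not real library files) so the check runs offline.
make_sample_headers() {  # $1 = target dir, $2 = openssl|libressl
    mkdir -p "$1/openssl"
    if [ "$2" = libressl ]; then
        printf '#define LIBRESSL_VERSION_NUMBER 0x2050400fL\n' > "$1/openssl/opensslv.h"
        printf '/* constructed: no PSK macros */\n' > "$1/openssl/ssl.h"
    else
        printf '#define OPENSSL_VERSION_NUMBER 0x100020bfL\n' > "$1/openssl/opensslv.h"
        printf '# define PSK_MAX_IDENTITY_LEN 128\n' > "$1/openssl/ssl.h"
    fi
}

tmp=$(mktemp -d)
make_sample_headers "$tmp/a" openssl
make_sample_headers "$tmp/b" libressl
tls_header_profile "$tmp/a"   # openssl psk=yes
tls_header_profile "$tmp/b"   # libressl psk=no
rm -rf "$tmp"
```

On a build host, `tls_header_profile /usr/local/include` inspects the headers the port actually compiles against.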
Comment 3 Franco Fichtner 2017-07-06 10:00:56 UTC
Created attachment 184116
patch against head

This is a fix via HardenedBSD originally written by OpenBSD.
Comment 4 Franco Fichtner 2017-07-16 16:33:16 UTC
Friendly ping to get this merged :)
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2017-07-17 04:04:04 UTC
Bernard (CC'd) is probably best placed to address this.

Also still not sure whether this is/was a regression, though the summary implies it, and if so on what port change(s) (freeradius or libressl) the regression was introduced. Can someone comment/confirm?

@Franco The HardenedBSD commit mentions FreeBSD fiddling with a patch and removing another. Can you provide references to the commits/issues that made those changes so we can CC/assign the committer if necessary?

Attachment 184116 also needs QA confirmation.
Comment 6 Franco Fichtner 2017-07-17 04:53:10 UTC
FreeRADIUS 3.0.14 added a feature which broke LibreSSL compatibility (PSK).

The commit history in FreeBSD:

https://svnweb.freebsd.org/ports?view=revision&revision=442287 Original update (zi)
https://svnweb.freebsd.org/ports?view=revision&revision=443120 Incomplete/faulty LibreSSL fix (brnrd)
https://svnweb.freebsd.org/ports?view=revision&revision=443386 Resolve of broken port by removing LibreSSL compat patch completely (zi)

At the very least, zi should have been assigned last month, it probably failed because the subject missed a colon after the port origin?


Cheers,
Franco
Comment 7 Kubilay Kocak freebsd_committer freebsd_triage 2017-07-17 05:56:41 UTC
Thank you for clarifying and providing references Franco.
Comment 8 Ryan Steinmetz freebsd_committer freebsd_triage 2017-07-17 12:43:54 UTC
Please make sure you are reaching out to the FreeRADIUS developers for this issue.
Comment 9 Franco Fichtner 2017-07-17 13:31:07 UTC
This is already on the v3.0.x branch: https://github.com/FreeRADIUS/freeradius-server/commit/2093dc4a46d1bfbd3ef3a78cea1b8ded916441de
Comment 10 Ryan Steinmetz freebsd_committer freebsd_triage 2017-07-17 17:31:15 UTC
Port updated to 3.0.15, which should include the required commits from upstream.  Please confirm this has been resolved.
Comment 11 Franco Fichtner 2017-07-18 04:39:12 UTC
3.0.15 looks good on LibreSSL 2.4.5 now.


Cheers,
Franco
Comment 12 Kubilay Kocak freebsd_committer freebsd_triage 2017-07-26 03:35:35 UTC
Assign to maintainer and committer that resolved (the same)