Bug 223994 - sysutils/bacula9-server appears to be broken when built with libressl after the 9.0.6 update
Status: In Progress
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Dan Langille
URL:
Keywords:
Depends on: 228402
Blocks:
Reported: 2017-11-30 14:30 UTC by Dean E. Weimer
Modified: 2018-06-27 20:55 UTC (History)

See Also:
bugzilla: maintainer-feedback? (dvl)


Attachments
Full output of /usr/ports/sysutils/bacula9-client make (32.92 KB, text/plain)
2017-11-30 14:30 UTC, Dean E. Weimer
src/lib/openssl-compat.h patch for LibreSSL (469 bytes, patch)
2018-02-02 21:42 UTC, Dean E. Weimer
src/lib/crypto.c patch for LibreSSL (429 bytes, patch)
2018-02-02 21:43 UTC, Dean E. Weimer
src/lib/openssl.c patch for LibreSSL (949 bytes, patch)
2018-02-16 14:57 UTC, Dean E. Weimer

Description Dean E. Weimer 2017-11-30 14:30:42 UTC
Created attachment 188429 [details]
Full output of /usr/ports/sysutils/bacula9-client make

Appears to be broken when built with libressl after the 9.0.6 update; here is where the breakdown begins. I am attaching full build output from the bacula9-client build. The error is consistent and easy to duplicate by using DEFAULT_VERSIONS= ssl=libressl in make.conf.

--- openssl.lo ---
Compiling openssl.c
--- crypto.lo ---
crypto.c:199:1: error: unknown type name 'DEFINE_STACK_OF'
DEFINE_STACK_OF(SignerInfo);
^
crypto.c:200:1: error: unknown type name 'DEFINE_STACK_OF'
DEFINE_STACK_OF(RecipientInfo);
^
crypto.c:334:21: error: use of undeclared identifier 'ASN1_STRING_get0_data'; did you mean 'ASN1_STRING_data'?
   ext_value_data = ASN1_STRING_get0_data(asn1_ext_val);
                    ^~~~~~~~~~~~~~~~~~~~~
                    ASN1_STRING_data
/usr/local/include/openssl/asn1.h:787:17: note: 'ASN1_STRING_data' declared here
unsigned char * ASN1_STRING_data(ASN1_STRING *x);
                ^
crypto.c:334:43: error: cannot initialize a parameter of type 'ASN1_STRING *' (aka 'asn1_string_st *') with an lvalue of type 'const ASN1_STRING *' (aka 'const asn1_string_st *')
   ext_value_data = ASN1_STRING_get0_data(asn1_ext_val);
Comment 1 Dan Langille freebsd_committer 2017-12-04 01:44:30 UTC
I posted to the bacula-users mailing list.

One idea came out of that: https://marc.info/?l=bacula-users&m=151206017708430&w=2

Do you have time to play with a patch?  I'm overloaded just now.
Comment 2 Dean E. Weimer 2018-02-02 21:42:39 UTC
Created attachment 190277 [details]
src/lib/openssl-compat.h patch for LibreSSL
Comment 3 Dean E. Weimer 2018-02-02 21:43:16 UTC
Created attachment 190278 [details]
src/lib/crypto.c patch for LibreSSL
Comment 4 Dan Langille freebsd_committer 2018-02-02 21:45:29 UTC
(In reply to Dean E. Weimer from comment #3)
These work for you?
Comment 5 Dean E. Weimer 2018-02-02 21:45:54 UTC
I have a couple of patches that at least get the client to build. I admit that this is really a shoot-from-the-hip type of work, based on some internet searches and trial and error. They may work for the server as well; I ran out of free time to try that, and will update later if I get time to try it.
Comment 6 Dean E. Weimer 2018-02-02 22:03:08 UTC
(In reply to Dean E. Weimer from comment #5)
Server built and installed as well, have to run though, so I won't know until tonight if all the backups run OK or not.
Comment 7 Dean E. Weimer 2018-02-05 14:22:42 UTC
(In reply to Dean E. Weimer from comment #6)

Forgot to update Saturday morning. All of my backups ran fine after the build with these patches was installed.
Comment 8 Dan Langille freebsd_committer 2018-02-15 23:20:08 UTC
Feedback from the Bacula mailing list: the patches are incomplete.

https://marc.info/?l=bacula-users&m=151820132712504&w=2
Comment 9 Dean E. Weimer 2018-02-16 14:56:46 UTC
(In reply to Dan Langille from comment #8)

There are, it's possible with different options defined that the others may need changed as well.

root@bacula:/var/ports/usr/ports/sysutils/bacula9-server # grep -R "OPENSSL_VERSION_NUMBER" *
work/bacula-9.0.6/src/lib/openssl-compat.h:#if ( (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) )
work/bacula-9.0.6/src/lib/openssl.c:#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
work/bacula-9.0.6/src/lib/openssl.c:#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
work/bacula-9.0.6/src/lib/openssl.c:#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
work/bacula-9.0.6/src/lib/crypto.c:#if ( (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) )

I created one for the openssl.c file and will upload after posting this.

This one I wouldn't think should change.
work/bacula-9.0.6/src/lib/tls.c:#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)

Looks like it's deciding whether or not to build with support for older SSL protocols.
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
   /* Allows SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols */
   ctx->openssl = SSL_CTX_new(TLS_method());

#else
   /* Allows most all protocols */
   ctx->openssl = SSL_CTX_new(SSLv23_method());

#endif
Comment 10 Dean E. Weimer 2018-02-16 14:57:35 UTC
Created attachment 190694 [details]
src/lib/openssl.c patch for LibreSSL
Comment 11 Dan Langille freebsd_committer 2018-03-09 17:37:06 UTC
Let's see what the Bacula community says about this.
Comment 12 martin 2018-03-09 18:02:32 UTC
(In reply to Dean E. Weimer from comment #10)

Looks OK to me, but I would patch work/bacula-9.0.6/src/lib/tls.c to explicitly select TLS_method on LibreSSL rather than relying on the goofy value of OPENSSL_VERSION_NUMBER.
Comment 13 Dan Langille freebsd_committer 2018-04-07 20:24:26 UTC
Martin: I don't know how to implement what you said.

Do you mean just one patch, on work/bacula-9.0.6/src/lib/tls.c?

In there, I now find:

   /* Allocate our OpenSSL TLS Context */
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
   /* Allows SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols */
   ctx->openssl = SSL_CTX_new(TLS_method());

#else
   /* Allows most all protocols */
   ctx->openssl = SSL_CTX_new(SSLv23_method());

#endif


Is this what you are talking about?  I have no OpenSSL/LibreSSL experience.
Comment 14 martin 2018-04-09 12:10:28 UTC
(In reply to Dan Langille from comment #13)

Yes, I meant changing that #if to something like this (untested):

#if (OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(LIBRESSL_VERSION_NUMBER))

I'm assuming you are using LibreSSL >= 2.2.2.
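
Why the version checks in this thread behave differently on LibreSSL, as an added example that is not part of the bug thread or of Bacula: LibreSSL's headers set OPENSSL_VERSION_NUMBER to 0x20000000L, so a bare `>= 0x10100000L` test passes even on the 2.6 branch, where the build above fails on ASN1_STRING_get0_data. The macro and function names and the 2.6.4 sample value are constructed; the 2.7 and 2.2.2 thresholds are assumptions taken from comments 16 and 14.

```c
#include <stdio.h>

/* Added illustration, not Bacula source. Constructed fallback values that
 * mimic LibreSSL 2.6.4 headers, so this builds without <openssl/opensslv.h>. */
#ifndef OPENSSL_VERSION_NUMBER
#define OPENSSL_VERSION_NUMBER  0x20000000L /* fixed value LibreSSL reports */
#define LIBRESSL_VERSION_NUMBER 0x2060400fL /* constructed sample: 2.6.4 */
#endif

/* The guard as written in tls.c: only the OpenSSL number is consulted. */
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
#define NAIVE_SAYS_11_API 1
#else
#define NAIVE_SAYS_11_API 0
#endif

/* Hypothetical feature macros: decide on LibreSSL first, then on OpenSSL. */
#if defined(LIBRESSL_VERSION_NUMBER)
/* 1.1 accessors: LibreSSL >= 2.7.0 (threshold assumed from comment 16). */
#  if (LIBRESSL_VERSION_NUMBER >= 0x2070000fL)
#    define HAVE_OPENSSL_11_API 1
#  else
#    define HAVE_OPENSSL_11_API 0
#  endif
/* TLS_method(): LibreSSL >= 2.2.2 (assumption stated in comment 14). */
#  if (LIBRESSL_VERSION_NUMBER >= 0x2020200fL)
#    define HAVE_TLS_METHOD 1
#  else
#    define HAVE_TLS_METHOD 0
#  endif
#elif (OPENSSL_VERSION_NUMBER >= 0x10100000L)
#  define HAVE_OPENSSL_11_API 1
#  define HAVE_TLS_METHOD 1
#else
#  define HAVE_OPENSSL_11_API 0
#  define HAVE_TLS_METHOD 0
#endif

int naive_says_11_api(void)   { return NAIVE_SAYS_11_API; }
int have_openssl_11_api(void) { return HAVE_OPENSSL_11_API; }
int have_tls_method(void)     { return HAVE_TLS_METHOD; }

int main(void)
{
    printf("naive guard claims 1.1 API: %d\n", naive_says_11_api());
    printf("1.1 accessors available:    %d\n", have_openssl_11_api());
    printf("TLS_method() available:     %d\n", have_tls_method());
    return 0;
}
```

With the simulated 2.6.4 values the naive guard and the accessor check disagree, while the TLS_method() check agrees with what tls.c already selects through the OPENSSL_VERSION_NUMBER comparison alone.
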
Comment 15 Dan Langille freebsd_committer 2018-05-23 16:00:06 UTC
see also #228402
Comment 16 Bernard Spil freebsd_committer 2018-06-09 09:14:09 UTC
Hi Dean, Martin,

Can you please check if the patch in bug #228402 works for you?

This PR is to fix issues with the 2.6 branch of LibreSSL, but LibreSSL meanwhile was upgraded to the 2.7 branch, which brought in the OpenSSL 1.1 API. Thus the patch is a lot smaller now.

If the patch in bug #228402 works, I think we can close this bug.

Thanks! Bernard.
Comment 17 Dean E. Weimer 2018-06-27 20:55:25 UTC
(In reply to Bernard Spil from comment #16)
The patch for #228402 worked with the latest port.