Bug 232169 - security/ipsec-tools: Fails to build with OpenSSL 1.1.1
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Olivier Cochard
Reported: 2018-10-11 04:41 UTC by Olivier Cochard
Modified: 2020-01-02 21:42 UTC

Attachments
svn-diff-ipsec-tools (32.79 KB, patch)
2018-10-29 01:07 UTC, Walter Schwarzenfeld
ipsec-tools patch (1.12 KB, patch)
2019-02-03 18:34 UTC, Michael Grimm
Patch to deal with openssl defaults to 1.1.1, now (1.04 KB, patch)
2020-01-02 21:06 UTC, Michael Grimm
Patch if a check on ${SSL_DEFAULT} may be needed (1.21 KB, patch)
2020-01-02 21:12 UTC, Michael Grimm

Description Olivier Cochard freebsd_committer 2018-10-11 04:41:21 UTC
Since OpenSSL was upgraded to 1.1.1 in head, compilation of this port fails.

Some extracts from the build log:

--- eaytest.o ---
eaytest.c:106:41: error: incomplete definition of type 'struct evp_pkey_st'
        error = eay_check_rsasign(src, sig, evp->pkey.rsa);
                                            ~~~^
/usr/include/openssl/ossl_typ.h:93:16: note: forward declaration of 'struct evp_pkey_st'


--- crypto_openssl.o ---
crypto_openssl.c:319:10: error: incomplete definition of type 'struct X509_name_entry_st'
                if ((ea->value->length == 1 && ea->value->data[0] == '*') ||
                     ~~^
/usr/include/openssl/x509.h:73:16: note: forward declaration of 'struct X509_name_entry_st'
Comment 1 Walter Schwarzenfeld freebsd_triage 2018-10-29 01:07:48 UTC
Created attachment 198726 [details]
svn-diff-ipsec-tools

I got it from there
https://bugs.archlinux.org/task/59734

Builds fine with openssl111 on poudriere 11.2-amd64. Didn't test functionality.
Comment 2 Michael Grimm 2018-11-25 19:31:42 UTC
I did apply the above mentioned svn-diff-ipsec-tools patch, and ipsec-tools did compile again successfully (poudriere, openssl-1.1.1, stable-12). 

My ipsec/racoon tunnel is working as before. Thanks.
Comment 3 Olivier Cochard freebsd_committer 2018-11-25 19:52:43 UTC
Thanks for your test, Michael. I will commit a fixed version (this patch, but with a conditional, because once this patch is applied this port doesn't build on previous FreeBSD versions).
Comment 4 commit-hook freebsd_committer 2018-11-25 20:36:14 UTC
A commit references this bug:

Author: olivier
Date: Sun Nov 25 20:35:23 UTC 2018
New revision: 485900
URL: https://svnweb.freebsd.org/changeset/ports/485900

Log:
  Fix openssl 1.1.1 breakage

  PR:		232169
  Submitted by:	Walter Schwarzenfeld <w.schwarzenfeld@utanet.at>
  Obtained from:	https://bugs.archlinux.org/task/59734

Changes:
  head/security/ipsec-tools/Makefile
  head/security/ipsec-tools/files/extra-patch-aclocal.m4
  head/security/ipsec-tools/files/extra-patch-ipsec-tools
Comment 5 Olivier Cochard freebsd_committer 2018-11-25 20:40:03 UTC
Thanks all for your patch and tests.
Comment 6 Michael Grimm 2018-11-25 22:08:49 UTC
Sorry to report, but your patch doesn't work for me:

/usr/include/openssl/ossl_typ.h:120:16: note: forward declaration of 'struct x509_st'
typedef struct x509_st X509;
               ^
fatal error: too many errors emitted, stopping now [-ferror-limit=]
20 errors generated.
*** [crypto_openssl.o] Error code 1

make[6]: stopped in /usr/home/poudriere/ports/default/security/ipsec-tools/work/ipsec-tools-0.8.2/src/racoon
--- sockmisc.o ---
mv -f .deps/sockmisc.Tpo .deps/sockmisc.Po
--- libracoon_la-vmbuf.lo ---
mv -f .deps/libracoon_la-vmbuf.Tpo .deps/libracoon_la-vmbuf.Plo
--- libracoon_la-kmpstat.lo ---
mv -f .deps/libracoon_la-kmpstat.Tpo .deps/libracoon_la-kmpstat.Plo
1 error

make[6]: stopped in /usr/home/poudriere/ports/default/security/ipsec-tools/work/ipsec-tools-0.8.2/src/racoon
*** [all] Error code 2

make[5]: stopped in /usr/home/poudriere/ports/default/security/ipsec-tools/work/ipsec-tools-0.8.2/src/racoon
1 error

make[5]: stopped in /usr/home/poudriere/ports/default/security/ipsec-tools/work/ipsec-tools-0.8.2/src/racoon
*** [all-recursive] Error code 1

make[4]: stopped in /usr/home/poudriere/ports/default/security/ipsec-tools/work/ipsec-tools-0.8.2/src
1 error

make[4]: stopped in /usr/home/poudriere/ports/default/security/ipsec-tools/work/ipsec-tools-0.8.2/src
*** [all-recursive] Error code 1

make[3]: stopped in /usr/home/poudriere/ports/default/security/ipsec-tools/work/ipsec-tools-0.8.2
1 error

make[3]: stopped in /usr/home/poudriere/ports/default/security/ipsec-tools/work/ipsec-tools-0.8.2
*** [all] Error code 2

make[2]: stopped in /usr/home/poudriere/ports/default/security/ipsec-tools/work/ipsec-tools-0.8.2
1 error

make[2]: stopped in /usr/home/poudriere/ports/default/security/ipsec-tools/work/ipsec-tools-0.8.2
===> Compilation failed unexpectedly.
Try to set MAKE_JOBS_UNSAFE=yes and rebuild before reporting the failure to
the maintainer.
*** Error code 1

Stop.
make[1]: stopped in /usr/home/poudriere/ports/default/security/ipsec-tools
*** Error code 1

Stop.
make: stopped in /usr/home/poudriere/ports/default/security/ipsec-tools


The sum of all files in /usr/ports/security/ipsec-tools are as follows:

root> sum Makefile files/*
35953 5 Makefile
40954 2 files/extra-patch-aclocal.m4
51216 29 files/extra-patch-ipsec-tools
23962 6 files/natt.diff
33823 1 files/patch-handler.c
10199 5 files/patch-isakmp_frag.c
37122 1 files/patch-isakmp_inf.c
57042 1 files/patch-isakmp.c
10021 3 files/patch-isakmpinit
56352 6 files/patch-reqid.diff
3397 1 files/patch-src_racoon_gssapi.c
7773 1 files/patch-src-racoon-isakmp_cfg.c
37462 2 files/racoon.in
18508 1 files/wildcard-psk.diff
Comment 7 Walter Schwarzenfeld freebsd_triage 2018-11-25 23:00:06 UTC
Reopen, see comment 6.
Comment 8 Walter Schwarzenfeld freebsd_triage 2018-11-26 00:24:39 UTC
Cannot repeat some things. It builds on 11.2 with or without condition.
Comment 9 Walter Schwarzenfeld freebsd_triage 2018-11-26 00:36:07 UTC
No, I tested wrong. Everything's OK. It builds with the condition and does not build without it.
Comment 10 Olivier Cochard freebsd_committer 2018-11-26 06:44:24 UTC
(In reply to Michael Grimm from comment #6)

Hi Michael,
I didn't manage to reproduce your problem: I've tested on -current 10.4 and 11.2.
Can you check that there are no 'old' files from the previous patches (I've renamed some files) in your port tree?

Thanks
Comment 11 Michael Grimm 2018-11-26 06:52:54 UTC
Hi Olivier,

these are the files in security/ipsec-tools:

-rw-r--r--  1 root  wheel  uarch  144 Feb  6  2015 distinfo
drwxr-xr-x  2 root  wheel  uarch   15 Nov 25 22:39 files
-rw-r--r--  1 root  wheel  uarch 4175 Nov 25 21:35 Makefile
-rw-r--r--  1 root  wheel  uarch  873 Jan 22  2014 pkg-descr
-rw-r--r--  1 root  wheel  uarch  826 Feb  6  2015 pkg-plist


and these are the files in ../files:

-rw-r--r--  1 root  wheel  uarch  1049 Nov 25 21:35 files/extra-patch-aclocal.m4
-rw-r--r--  1 root  wheel  uarch 29418 Nov 25 21:35 files/extra-patch-ipsec-tools
-rw-r--r--  1 root  wheel  uarch  5196 Apr 18  2017 files/natt.diff
-rw-r--r--  1 root  wheel  uarch   779 Apr 14  2018 files/patch-handler.c
-rw-r--r--  1 root  wheel  uarch  4106 Apr 14  2018 files/patch-isakmp_frag.c
-rw-r--r--  1 root  wheel  uarch   763 Apr 14  2018 files/patch-isakmp_inf.c
-rw-r--r--  1 root  wheel  uarch   958 Apr 14  2018 files/patch-isakmp.c
-rw-r--r--  1 root  wheel  uarch  2279 Apr 29  2018 files/patch-isakmpinit
-rw-r--r--  1 root  wheel  uarch  5888 Aug 10 12:03 files/patch-reqid.diff
-rw-r--r--  1 root  wheel  uarch   452 May 19  2015 files/patch-src_racoon_gssapi.c
-rw-r--r--  1 root  wheel  uarch   521 Feb  6  2015 files/patch-src-racoon-isakmp_cfg.c
-rw-r--r--  1 root  wheel  uarch  1031 Jan 24  2014 files/racoon.in
-rw-r--r--  1 root  wheel  uarch   431 Feb  6  2015 files/wildcard-psk.diff

The checksums you will find in comment #6

This is the relevant entry in my poudriere make.conf on FreeBSD 12.0-PRERELEASE r340917:

DEFAULT_VERSIONS+= bdb=5 ssl=openssl111 php=72 mysql=10.2m

Please let me know what else I can check.
Comment 12 Michael Grimm 2018-11-26 06:58:19 UTC
Add on:

I do find the following in Makefile:

.  if ${OSVERSION} >= 1200085 && ${SSL_DEFAULT} == base

I am not that familiar with this syntax, but doesn't that mean that this will not switch to openssl111 in my case because my SSL_DEFAULT is equal to openssl111 instead of base?

Regards,
Michael
Comment 13 Michael Grimm 2018-11-26 07:01:59 UTC
Yes, modifying my DEFAULT_VERSIONS from ...

DEFAULT_VERSIONS+= bdb=5 ssl=openssl111 php=72 mysql=10.2m

... to ...

DEFAULT_VERSIONS+= bdb=5 ssl=base php=72 mysql=10.2m

... did the trick. Now, ipsec-tools compiles successfully.
Comment 14 Michael Grimm 2018-11-26 08:10:24 UTC
The attached patch to Makefile works for me:

-------------------------------------------------------
--- Makefile	2018-11-26 08:37:05.378112000 +0100
+++ Makefile.old	2018-11-26 08:20:53.165248000 +0100
@@ -8,7 +8,7 @@
 
 PORTNAME=	ipsec-tools
 PORTVERSION=	0.8.2
-PORTREVISION=	7_3
+PORTREVISION=	7
 CATEGORIES=	security
 MASTER_SITES=	SF
 
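Review bot: the file headers read "--- Makefile" and "+++ Makefile.old", so this diff runs from the modified file back to the original and applying it as posted would undo the change; regenerate it as "diff -u Makefile.old Makefile". On the modified side, "PORTREVISION= 7_3" is not a plain integer; bump it to the next whole number instead.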
@@ -84,10 +84,8 @@
 .include <bsd.port.pre.mk>
 
 # Need to be patched for openssl-1.1.1 (default after 1200080)
-# Possible values: base, openssl, openssl111, libressl, libressl-devel
 .if ${OPSYS} == FreeBSD
-#.  if ${OSVERSION} >= 1200085 && ( ${SSL_DEFAULT} == base || ${SSL_DEFAULT} == openssl111 )
-.  if ${OSVERSION} >= 1200085 && ${SSL_DEFAULT} != openssl
+.  if ${OSVERSION} >= 1200085 && ${SSL_DEFAULT} == base
 BUILD_DEPENDS=	automake>=0:devel/automake
 .  endif
 .endif
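Review bot: the proposed test "${SSL_DEFAULT} != openssl" also matches libressl and libressl-devel, which the new "Possible values" comment lists, so the OpenSSL 1.1.1 handling would be switched on for LibreSSL builds as well. If only base and openssl111 are meant, use the explicit form from the commented-out line, and delete the commented-out alternative rather than shipping both.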
@@ -97,8 +95,7 @@
 
 # Need to be patched for openssl-1.1.1 (default after 1200080)
 .if ${OPSYS} == FreeBSD
-#.  if ${OSVERSION} >= 1200085 && ( ${SSL_DEFAULT} == base || ${SSL_DEFAULT} == openssl111 )
-.  if ${OSVERSION} >= 1200085 && ${SSL_DEFAULT} != openssl
+.  if ${OSVERSION} >= 1200085 && ${SSL_DEFAULT} == base
 post-configure:
 	@${REINPLACE_CMD} -e "s/automake-1.14/automake-1.16/g" ${WRKSRC}/Makefile ${WRKSRC}/*/Makefile \
 				${WRKSRC}/*/*/Makefile
@@ -124,8 +121,7 @@
 	${INSTALL_DATA} ${WRKSRC}/src/racoon/doc/* ${STAGEDIR}/${DOCSDIR}
 
 .if ${OPSYS} == FreeBSD
-#.  if ${OSVERSION} >= 1200085 && ( ${SSL_DEFAULT} == base || ${SSL_DEFAULT} == openssl111 )
-.  if ${OSVERSION} >= 1200085 && ${SSL_DEFAULT} != openssl
+.  if ${OSVERSION} >= 1200085 && ${SSL_DEFAULT} == base
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-aclocal.m4
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-ipsec-tools
 PLIST_FILES+=	include/racoon/openssl_compat.h
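Review bot: this is the third copy of the same OSVERSION/SSL_DEFAULT test in the Makefile (BUILD_DEPENDS, post-configure, and here for EXTRA_PATCHES and PLIST_FILES), and all three have to change together for the build and the plist to agree. Evaluate the condition once into a helper variable after bsd.port.pre.mk and test that variable in each block.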
----------------------------------------------------

Both possible fixes (either != openssl or == base || == openssl111) do work at my site but I cannot test it on OS < 12

Regards,
Michael
Comment 15 Michael Grimm 2018-12-22 16:58:07 UTC
I wonder if all Makefile occurrences of "${SSL_DEFAULT} == base" have been modified to either ...

"${SSL_DEFAULT} != openssl"
or
"${SSL_DEFAULT} == openssl111"

... in the meantime?

Regards,
Michael
Comment 16 Michael Grimm 2019-02-03 18:25:16 UTC
Please, you need to modify your patch in the following regards:

#) I do have STABLE-12 running
#) I do *not* use OPENSSL from base
#) I *do* use OPENSSL from ports (OpenSSL 1.1.1a)

Your recent modifications do constantly break compilation of ipsec-tools!

I do always need to apply the following patch:

mike> sudo cat /root/ipsec-tools.patch 
---------------------
--- Makefile.orig	2018-11-26 18:59:50.000000000 +0100
+++ Makefile	2019-02-02 09:31:57.897089000 +0100
@@ -85,7 +85,7 @@
 
 # Need to be patched for openssl-1.1.1 (default after 1200080)
 .if ${OPSYS} == FreeBSD
-.  if ${OSVERSION} >= 1200085 && ${SSL_DEFAULT} == base
+.  if ${OSVERSION} >= 1200085 && ${SSL_DEFAULT} != openssl
 BUILD_DEPENDS+=	automake>=0:devel/automake
 .  endif
 .endif
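Review bot: the context comment above the changed line says the OpenSSL 1.1.1 default starts "after 1200080" while the condition tests "${OSVERSION} >= 1200085"; since this block is being touched anyway, correct the comment or the number so they agree, and extend the comment to say that SSL_DEFAULT values other than "openssl" are now covered too.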
@@ -95,7 +95,7 @@
 
 # Need to be patched for openssl-1.1.1 (default after 1200080)
 .if ${OPSYS} == FreeBSD
-.  if ${OSVERSION} >= 1200085 && ${SSL_DEFAULT} == base
+.  if ${OSVERSION} >= 1200085 && ${SSL_DEFAULT} != openssl
 post-configure:
 	@${REINPLACE_CMD} -e "s/automake-1.14/automake-1.16/g" ${WRKSRC}/Makefile ${WRKSRC}/*/Makefile \
 				${WRKSRC}/*/*/Makefile
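Review bot: in post-configure the sed rewrites "automake-1.14" to the fixed string "automake-1.16", but the BUILD_DEPENDS line in the first hunk accepts any version ("automake>=0"). With the condition widened to more SSL_DEFAULT values this path runs for more users, so either pin the dependency to the version the sed assumes or derive the replacement from the installed automake.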
@@ -121,7 +121,7 @@
 	${INSTALL_DATA} ${WRKSRC}/src/racoon/doc/* ${STAGEDIR}/${DOCSDIR}
 
 .if ${OPSYS} == FreeBSD
-.  if ${OSVERSION} >= 1200085 && ${SSL_DEFAULT} == base
+.  if ${OSVERSION} >= 1200085 && ${SSL_DEFAULT} != openssl
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-aclocal.m4
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-ipsec-tools
 PLIST_FILES+=	include/racoon/openssl_compat.h
---------------------


One could also use:
if ${OSVERSION} >= 1200085 && ( ${SSL_DEFAULT} == base || ${SSL_DEFAULT} == openssl111 )

I did report this a couple of times since last November.

Thank you in advance and with kind regards,
Michael
Comment 17 Michael Grimm 2019-02-03 18:34:44 UTC
Created attachment 201690 [details]
ipsec-tools patch
Comment 18 commit-hook freebsd_committer 2019-02-03 21:05:20 UTC
A commit references this bug:

Author: olivier
Date: Sun Feb  3 21:04:25 UTC 2019
New revision: 492078
URL: https://svnweb.freebsd.org/changeset/ports/492078

Log:
  Fix build on 12-stable when using OpenSSL from port.

  PR:		232169
  Submitted by:	Michael Grimm <trashcan@ellael.org>

Changes:
  head/security/ipsec-tools/Makefile
Comment 19 Olivier Cochard freebsd_committer 2019-02-03 21:07:14 UTC
(In reply to Michael Grimm from comment #17)

Hi,
Thanks for your patch. Can you confirm that revision 485900 fixed it?
I've tested against 11.2 and 12.0 but not on a 12-stable.
Comment 20 Michael Grimm 2019-02-03 22:13:29 UTC
(In reply to Olivier Cochard from comment #19)

I can confirm that it is working on STABLE-12.

Thanks for fixing this issue.

Regards,
Michael
Comment 21 Michael Grimm 2020-01-02 21:06:40 UTC
Created attachment 210400 [details]
Patch to deal with openssl defaults to 1.1.1, now
Comment 22 Michael Grimm 2020-01-02 21:11:09 UTC
Sorry, my comment has been lost from attachment.

The recent renaming of the openssl111 port to openssl breaks my last year's patch, because, now, a probe on ${SSL_DEFAULT} is no longer needed, at least on STABLE-12.1.

Just in case older OS versions still need a test on ${SSL_DEFAULT}, then the patch in my second attachment will work for me as well.
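
Comments 12 and 22 both trace the breakage to keying the patch set on the flavor name in ${SSL_DEFAULT}. As an added illustration (not part of this bug report or of the port), the shell functions below classify an opensslv.h by its version number instead; the function names and the sample header lines are constructed for this example.

```shell
#!/bin/sh
# Added example: choose the OpenSSL 1.1 patch set from the header's version
# number rather than from the flavor name in SSL_DEFAULT.
# Function names and sample header lines are constructed for illustration.

# Prints one of: legacy (< 1.1.0), opaque (>= 1.1.0), libressl, unknown.
classify_openssl_header() {
    hdr=$1
    [ -r "$hdr" ] || { echo unknown; return 0; }
    # LibreSSL also defines OPENSSL_VERSION_NUMBER, so test for it first.
    if grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+LIBRESSL_VERSION_NUMBER' "$hdr"; then
        echo libressl
        return 0
    fi
    hex=$(sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}OPENSSL_VERSION_NUMBER[[:space:]]\{1,\}0[xX]\([0-9A-Fa-f]\{1,\}\).*$/\1/p' "$hdr" | head -n 1)
    [ -n "$hex" ] || { echo unknown; return 0; }
    # 269484032 is 0x10100000, the first release with opaque EVP_PKEY/X509 structs.
    if [ "$(printf '%d' "0x$hex")" -ge 269484032 ]; then
        echo opaque
    else
        echo legacy
    fi
}

# Exit status 0 when the accessor-based (1.1 API) patches are required.
needs_extra_patches() {
    [ "$(classify_openssl_header "$1")" = opaque ]
}

# Demo on constructed header snippets (not copied from any real install).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '# define OPENSSL_VERSION_NUMBER  0x1010101fL\n' > "$tmp/openssl111.h"
    printf '#define OPENSSL_VERSION_NUMBER 0x1000210fL\n' > "$tmp/openssl102.h"
    printf '#define LIBRESSL_VERSION_NUMBER 0x2080000fL\n#define OPENSSL_VERSION_NUMBER 0x20000000L\n' > "$tmp/libressl.h"
    for h in openssl111 openssl102 libressl; do
        printf '%s: %s\n' "$h" "$(classify_openssl_header "$tmp/$h.h")"
    done
    rm -rf "$tmp"
}
demo
```

A header that computes OPENSSL_VERSION_NUMBER from other macros instead of a hex literal is reported as unknown, so the caller has to decide what to do in that case.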
Comment 23 Michael Grimm 2020-01-02 21:12:07 UTC
Created attachment 210401 [details]
Patch if a check on ${SSL_DEFAULT} may be needed
Comment 24 Kurt Jaeger freebsd_committer 2020-01-02 21:34:14 UTC
Well, the newest patch from 2020 testbuilds fine.

Not sure how to proceed...
Comment 25 Michael Grimm 2020-01-02 21:41:29 UTC
(In reply to Kurt Jaeger from comment #24)

I might have screwed up my bug report completely :-) Sorry.

But which of my two possible solutions did you test?
That with ${SSL_DEFAULT} from 21:12 or that without any ${SSL_DEFAULT} check from 21:06?
Comment 26 Kurt Jaeger freebsd_committer 2020-01-02 21:42:40 UTC
(In reply to Michael Grimm from comment #25)
The second patch only.