Bug 256744 - security/openvpn: fix missing include for PATH_MAX
Summary: security/openvpn: fix missing include for PATH_MAX
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Matthias Andree
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-06-21 10:41 UTC by Franco Fichtner
Modified: 2021-06-22 19:29 UTC

See Also:
Flags: mandree: maintainer-feedback+


Attachments
fix missing PATH_MAX (994 bytes, patch)
2021-06-21 10:41 UTC, Franco Fichtner

Description Franco Fichtner 2021-06-21 10:41:15 UTC
Created attachment 225961
fix missing PATH_MAX

Hi,

This "unbreaks" LibreSSL as it appears OpenSSL silently pulls in the required header.


Cheers,
Franco
Comment 1 Matthias Andree freebsd_committer 2021-06-21 21:32:13 UTC
Franco,

thanks for the contribution. It seems to fix the compilation, but down the road we'd need to validate that pkcs11-helper uses the same SSL library (else we get OpenSSL and LibreSSL mixed in some cases).

Beyond that, I wonder if this is any good.  I am loathe to accept it:

* libressl still does not appear to have full OpenSSL-compatible TLS v1.3 support, as of 3.3.3.

* I think we ought to get openvpn-devel fixed first, too (it has self-test failures beyond PATH_MAX). Else we might find out we were wasting time on a temporary solution and would have to withdraw libressl support later.  It seems clearer and easier to tell people "use OpenVPN with OpenSSL but not LibreSSL" to avoid confusing people - and we don't have OpenVPN upstream commitments to LibreSSL either.  

=> I propose that if you can convince the upstream OpenVPN community that you have someone (possibly yourself) who commits to maintaining the LibreSSL compatibility in OpenVPN upstream, this all might stand a better chance of integration.

So, what do you propose now?
Comment 2 Gert Doering 2021-06-22 06:49:01 UTC
Hi,

OpenVPN upstream representative here :-)

LibreSSL is not a primary supported SSL library.  As in "we do not intentionally break it, but if something breaks due to unrelated patches, this might go unnoticed due to lack of systematic testing on all supported platforms".

We do test on OpenBSD (currently 6.8) with the system LibreSSL, and that works just fine (including plugin-auth-pam).  So most "big" incompatibilities are spotted quickly...

$ src/openvpn/openvpn --version
OpenVPN 2.5.3 [git:r25/ecaf88f8a4e75856] x86_64-unknown-openbsd6.8 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 22 2021
library versions: LibreSSL 3.2.2, LZO 2.10


This all said, your patch to auth-pam.c makes sense - having something crypto-unrelated which just happens to build due to indirect header chains should be fixed.

Due to the way our process works: can you send the patch to openvpn-devel@lists.sourceforge.net, please?  We require everything to be reviewed on the public list, even if somewhat straightforward.


I'm not sure about all implications of the Makefile-patch for the FreeBSD-port - as Matthias said, this might cause problems with pkcs11-helper.  So I'm not voicing support or refusal here.
Comment 3 Franco Fichtner 2021-06-22 09:16:27 UTC
Hi,

Thanks for the responses. Patch sent to mailing list but it was rejected by the list software. Not sure if I need to subscribe first and/or the attachment was the issue?

I enabled PKCS11 and TEST option for OPNsense and it compiles fine and passes tests under LibreSSL.  Checking with ldd neither openvpn binary nor libpkcs11-helper.so link to base OpenSSL so at least from this point of view I cannot see any obvious issues with it.

https://github.com/OpenSC/pkcs11-helper/blob/master/ChangeLog

The maintainers for pkcs11-helper only mention LibreSSL build support back in 2018 and there are no open or closed issues regarding LibreSSL:

https://github.com/OpenSC/pkcs11-helper/issues?q=is%3Aissue+libressl

It seems to me rather straightforward and if you both agree we will be more vigilant in the future to chase LibreSSL interoperability issues in OPNsense and try to work on them with upstream directly?

That being said there were only 1-2 cases over the last 5 years or so.


Cheers,
Franco
Comment 4 commit-hook freebsd_committer 2021-06-22 19:27:31 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=159c6c7314095a10121155f501c093ad6f18c3c4

commit 159c6c7314095a10121155f501c093ad6f18c3c4
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2021-06-22 19:25:44 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2021-06-22 19:25:44 +0000

    security/openvpn: fix missing include for PATH_MAX

    While here, add a warning banner about libressl support status,
    and clean up a leftover INSTALL_DATA workaround no longer needed.

    Patch suggested and
    Reported by:    Franco Fichtner <franco@opnsense.org>
    PR:             256744

 security/openvpn/Makefile                                      | 10 +++++++---
 .../openvpn/files/patch-src_plugins_auth-pam_auth-pam.c (new)  | 10 ++++++++++
 2 files changed, 17 insertions(+), 3 deletions(-)
Comment 5 Matthias Andree freebsd_committer 2021-06-22 19:29:29 UTC
So, I've added the patch on the assumption that upstream might consider the patch going forward. Regarding pkcs11-helper, since we link to the lib, its build needs to be linked against the exact same OpenSSL library that OpenVPN would use. We have a post-build target to sanity-check this, and break the build on mismatch (detected by checking if we have multiple libcrypto or libssl libraries in the executable).
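The mixed-library check that Comment 3 does by hand with ldd and that Comment 5 says the port now enforces after the build, written out as an added example. This is not the port's own Makefile target: it counts how many distinct libcrypto and libssl objects a binary resolves and fails when there is more than one of either, which is what happens when OpenVPN is built against LibreSSL from ports while pkcs11-helper still pulls in base OpenSSL. The ldd output embedded below is constructed, not captured from a real build, and the library version numbers and paths in it are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not the FreeBSD port's own post-build target: refuse a
# binary that resolves more than one libcrypto or more than one libssl,
# i.e. OpenSSL and LibreSSL mixed into the same process image.

# check_single_ssl LDD_OUTPUT
# Takes the text printed by `ldd` for one binary. Prints "ok" and returns 0
# when at most one libcrypto and one libssl are resolved; otherwise prints
# the duplicated libraries on stderr and returns 1.
check_single_ssl() {
    _ldd=$1
    _bad=0
    for _lib in libcrypto libssl; do
        # ldd lines look like "libcrypto.so.47 => /usr/local/lib/libcrypto.so.47 (0x...)";
        # keep only the resolved path (third field), deduplicated.
        _paths=$(printf '%s\n' "$_ldd" |
            awk -v lib="$_lib" 'index($1, lib ".so") == 1 { print $3 }' |
            sort -u)
        # count non-empty lines without letting an empty result fail under set -e
        _n=$(printf '%s\n' "$_paths" | awk 'NF { n++ } END { print n + 0 }')
        if [ "$_n" -gt 1 ]; then
            printf '%s resolved from %s different copies:\n%s\n' "$_lib" "$_n" "$_paths" >&2
            _bad=1
        fi
    done
    [ "$_bad" -eq 0 ] && echo ok
    return "$_bad"
}

# check_binary FILE: run ldd on a real executable or shared object and
# feed its output to check_single_ssl.
check_binary() {
    check_single_ssl "$(ldd "$1")"
}

# Constructed ldd output (not captured from a real build); version numbers
# and paths are illustrative only. A clean LibreSSL-only link:
SAMPLE_CLEAN=$(cat <<'EOF'
/usr/local/sbin/openvpn:
        libssl.so.50 => /usr/local/lib/libssl.so.50 (0x800a00000)
        libcrypto.so.47 => /usr/local/lib/libcrypto.so.47 (0x800c00000)
        libpkcs11-helper.so.1 => /usr/local/lib/libpkcs11-helper.so.1 (0x801000000)
        libc.so.7 => /lib/libc.so.7 (0x801200000)
EOF
)

# The failure mode: a second libcrypto from the base system is pulled in
# (here via a pkcs11-helper built against base OpenSSL).
SAMPLE_MIXED=$(cat <<'EOF'
/usr/local/sbin/openvpn:
        libssl.so.50 => /usr/local/lib/libssl.so.50 (0x800a00000)
        libcrypto.so.47 => /usr/local/lib/libcrypto.so.47 (0x800c00000)
        libpkcs11-helper.so.1 => /usr/local/lib/libpkcs11-helper.so.1 (0x801000000)
        libcrypto.so.111 => /usr/lib/libcrypto.so.111 (0x801400000)
        libc.so.7 => /lib/libc.so.7 (0x801200000)
EOF
)

# Usage: sh check-ssl-libs.sh /usr/local/sbin/openvpn /usr/local/lib/libpkcs11-helper.so
# With no arguments nothing is run, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    _rc=0
    for _f; do
        printf '%s: ' "$_f"
        check_binary "$_f" || _rc=1
    done
    exit "$_rc"
fi
```

Pointing it at both the openvpn executable and libpkcs11-helper.so covers the case Comment 3 describes: the plugin library is checked on its own, and the executable is checked with everything its direct dependencies drag in.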