
Build failure with >= postfix-3.5.20

Open orbea opened this issue 2 years ago • 6 comments

As I am sure is well known, modern Postfix releases are broken with LibreSSL; OpenBSD outright uses OpenSSL.

https://github.com/openbsd/ports/blob/dce94975560b18e52943920a42ff29ca6a191611/mail/postfix/stable/Makefile#L7

And the Postfix 3.5 releases are the oldest that work with LibreSSL, but starting with >= 3.5.20 one of the build failures with modern Postfix has been introduced.

tls_misc.c: In function 'tls_library_init':
tls_misc.c:660:5: error: unknown type name 'OPENSSL_INIT_SETTINGS'; did you mean 'OPENSSL_INIT_ATFORK'?
  660 |     OPENSSL_INIT_SETTINGS *init_settings;
      |     ^~~~~~~~~~~~~~~~~~~~~
      |     OPENSSL_INIT_ATFORK
tls_misc.c:684:26: error: implicit declaration of function 'OPENSSL_INIT_new'; did you mean 'OPENSSL_init_ssl'? [-Werror=implicit-function-declaration]
  684 |     if ((init_settings = OPENSSL_INIT_new()) == 0) {
      |                          ^~~~~~~~~~~~~~~~
      |                          OPENSSL_init_ssl
tls_misc.c:684:24: warning: assignment to 'int *' from 'int' makes pointer from integer without a cast [-Wint-conversion]
  684 |     if ((init_settings = OPENSSL_INIT_new()) == 0) {
      |                        ^
tls_misc.c:690:10: error: implicit declaration of function 'OPENSSL_INIT_free'; did you mean 'OPENSSL_INIT_ASYNC'? [-Werror=implicit-function-declaration]
  690 |     do { OPENSSL_INIT_free(init_settings); return (init_res = (x)); } while(0)
      |          ^~~~~~~~~~~~~~~~~
tls_misc.c:741:13: note: in expansion of macro 'TLS_LIB_INIT_RETURN'
  741 |             TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR);
      |             ^~~~~~~~~~~~~~~~~~~
tls_misc.c:744:9: error: implicit declaration of function 'OPENSSL_INIT_set_config_file_flags' [-Werror=implicit-function-declaration]
  744 |         OPENSSL_INIT_set_config_file_flags(init_settings, file_flags);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tls_misc.c:749:9: error: implicit declaration of function 'OPENSSL_INIT_set_config_filename' [-Werror=implicit-function-declaration]
  749 |         OPENSSL_INIT_set_config_filename(init_settings, conf_file);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tls_misc.c:751:9: error: implicit declaration of function 'OPENSSL_INIT_set_config_appname' [-Werror=implicit-function-declaration]
  751 |         OPENSSL_INIT_set_config_appname(init_settings, conf_name);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
make: *** [Makefile:92: tls_misc.o] Error 1


OpenBSD currently provides 3.5.17 where the current patches also allow 3.5.19 to build.

https://github.com/openbsd/ports/blob/dce94975560b18e52943920a42ff29ca6a191611/mail/postfix/stable35/Makefile#L1
https://github.com/openbsd/ports/blob/dce94975560b18e52943920a42ff29ca6a191611/mail/postfix/stable35/patches/patch-src_tls_tls_certkey_c
https://github.com/openbsd/ports/blob/dce94975560b18e52943920a42ff29ca6a191611/mail/postfix/stable35/patches/patch-src_tls_tls_server_c

Is there any hope that LibreSSL can at least support newer Postfix 3.5 patch releases?

orbea, Sep 17 '23 17:09

AFAIK the biggest issue with Postfix and LibreSSL is the lack of DANE support.

brad0, Nov 02 '23 23:11

Current events made this a bit of a problem.

This issue came too close to the 3.8 release for us to do anything about it. We don't really want to add OPENSSL_INIT_new(). My understanding of the Postfix release cycle is that Postfix 3.5 will be end of life some time next year, so we would add another single-digit consumer API for no compelling reason. The reason here is that Postfix added two config knobs to add support for OpenSSL config files.

It is straightforward to patch out the OPENSSL_INIT_new()-related code:

https://marc.info/?l=openbsd-ports&m=170300480407134&w=2

As long as you don't set the tls_config_{file,name} configuration, this should work just fine.

Brad is right, DANE support became mandatory in Postfix at some point, presumably at around the time when support for the OpenSSL 1.0 branch was removed, and that is the major blocker. While supporting DANE in LibreSSL is not entirely out of the question, doing it the OpenSSL way pretty much is.

botovq, Dec 19 '23 18:12
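A packager-side probe for the failure discussed in this thread, added here as an example and not code from the LibreSSL or Postfix projects: it asks the compiler whether the installed libcrypto declares OPENSSL_INIT_new() and the related OPENSSL_INIT_SETTINGS calls from the build log, and decides from a Postfix version string whether the patch linked above (which drops the OPENSSL_INIT_new() code path) applies. The C compiler is assumed to be named by $CC, defaulting to cc.

```shell
#!/bin/sh
# Added example, not LibreSSL or Postfix project code: a packager-side probe
# for the build failure above. have_openssl_init_settings asks the compiler
# whether libcrypto declares the OPENSSL_INIT_SETTINGS API that tls_misc.c in
# Postfix >= 3.5.20 uses (0 = present, 1 = absent: LibreSSL, OpenSSL < 1.1.0,
# or no headers). needs_init_settings_patch says whether the OpenBSD-style
# patch removing the OPENSSL_INIT_new() path applies to a Postfix version
# (3.5.20 and later on the 3.5 branch; 3.6+ also needs OpenSSL's DANE API).
# Assumption: $CC names a C compiler, defaulting to cc.

have_openssl_init_settings() {
    tmpdir=$(mktemp -d) || return 1
    cat > "$tmpdir/probe.c" <<'EOF'
#include <openssl/crypto.h>
int main(void) {
    OPENSSL_INIT_SETTINGS *s = OPENSSL_INIT_new();
    OPENSSL_INIT_set_config_filename(s, "/dev/null");
    OPENSSL_INIT_free(s);
    return 0;
}
EOF
    # Compile only; the -Werror flag makes the implicit-declaration
    # diagnostics seen in the build log fail the probe instead of warning.
    ${CC:-cc} -Werror=implicit-function-declaration -c \
        -o "$tmpdir/probe.o" "$tmpdir/probe.c" >/dev/null 2>&1
    rc=$?
    rm -rf "$tmpdir"
    return $rc
}

# Prints yes or no for an x.y.z version string (anything else prints no).
needs_init_settings_patch() {
    v=$1
    case "$v" in ''|*[!0-9.]*) echo no; return ;; esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case "$rest" in *.*) patch=${rest#*.}; patch=${patch%%.*} ;; *) patch=0 ;; esac
    if [ "${major:-0}" -eq 3 ] && [ "${minor:-0}" -eq 5 ] \
       && [ "${patch:-0}" -ge 20 ]; then
        echo yes   # patch applies; tls_config_file/tls_config_name must stay unset
    else
        echo no
    fi
}
```

The probe only reports whether the patch applies; as botovq notes, a patched build has no tls_config_file/tls_config_name support, so those settings must stay unset in main.cf.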

With the release of Postfix 3.6:

20200705

	Cleanup: OpenSSL-1.1.1 is the minimum supported version.
	This is an LTS (long-term support) version that will reach
	the end of life by 2023-09-11. This removes support for
	export ciphers.

	This also changes the Postfix default fingerprint digest
	from MD5 to SHA256, but only when the compatibility_level
	is set to '3' or higher.

	Code by Viktor Dukhovni. Files: global/mail_params.c,
	global/mail_params.h, posttls-finger/posttls-finger.c,
	proto/COMPATIBILITY_README.html, proto/TLS_README.html,
	proto/postconf.proto, smtp/smtp.c, smtp/smtp_tls_policy.c,
	smtpd/smtpd.c, smtpd/smtpd_check.c, tls/Makefile.in,
	tls/tls.h, tls/tls_certkey.c, tls/tls_client.c, tls/tls_dane.c,
	tls/tls_dh.c, tls/tls_misc.c, tls/tls_rsa.c, tls/tls_server.c,
	tls/tls_verify.c.

20200710

	Security: added a section to the sendmail(1) manpage for
	security researchers and application developers, with an
	example of using '--' to disable command option processing
	for user-specified data. File sendmail/sendmail.c.

	Error reporting: added '--' to a postalias command line to
	make an obscure error message less confusing. File
	sendmail/sendmail.c.

	Conversion from Postfix built-in DANE support to OpenSSL
	DANE support. Code by Viktor Dukhovni. Files:
	posttls-finger/posttls-finger.c, proto/postconf.proto,
	smtp/smtp.c, smtp/smtp_proto.c, smtp/smtp_tls_policy.c,
	tls/Makefile.in, tlsproxy/tlsproxy.c, tls/tls_client.c,
	tls/tls_dane.c, tls/tls_fprint.c, tls/tls.h, tls/tls_misc.c,
	tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c,
	tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c,
	tls/tls_proxy.h, tls/tls_verify.c, util/hex_code.c.

	Bugfix (introduced: Postfix 3.0): minor memory leaks in the
	Postfix TLS library, found during tests. File: tls/tls_misc.c.

brad0, Dec 20 '23 00:12

@botovq Thanks for the detailed information. Would you mind elaborating on why OPENSSL_INIT_new() is undesirable?

I can confirm your patch also builds on my side, and it's understandable if fixing newer Postfix is difficult, but if at all possible it would be greatly appreciated. It's one of the few blockers I have found in Gentoo so far.

orbea, Dec 20 '23 14:12

It is not desirable simply because there are almost no consumers. It is not particularly offensive as far as new OpenSSL APIs go, but it adds quite a bit of complexity. If it was the only thing in the way of having newer postfix work out of the box it would be an easier sell. But as things are, it's most likely easier to adjust the few consumers than to add this kind of complexity to our libraries.

botovq, Dec 20 '23 18:12

That makes sense, thanks for helping me understand.

orbea, Dec 21 '23 13:12