pkgsrc-Users archive


Adding OpenSSL support requiring patches for 1.1



Another question that came up on sysutils/ups-nut:

NUT can be configured to use OpenSSL, NSS or no SSL.
I added pkgsrc options for that and wiz@ realized that the openssl option 
doesn't work for 1.1.x. There's an upstream issue, pull request and commit 
to resolve that. I turned it into pkgsrc patches (small, see attachments), 
but wiz@ rightfully argued it was awkward to add pkgsrc patches to support 
newer OpenSSL and committed with NSS support only.

What do people think the better approach is? In an ideal world, that fix 
would go into an upstream release, but in the real world, the last NUT 
release (2.7.4) is from 2016. I'm afraid there are more projects like this.
$ NetBSD $
Add compatibility with OpenSSL 1.1

Upstream issue #504
Upstream pull request #558
Upstream commit fcbf18c92918ce5e81d0aab62a7aed5c2245ea4d

--- m4/nut_check_libopenssl.m4.orig
+++ m4/nut_check_libopenssl.m4
@@ -58,7 +58,7 @@ if test -z "${nut_have_libopenssl_seen}"; then
 
 	dnl check if openssl is usable
 	AC_CHECK_HEADERS(openssl/ssl.h, [nut_have_openssl=yes], [nut_have_openssl=no], [AC_INCLUDES_DEFAULT])
-	AC_CHECK_FUNCS(SSL_library_init, [], [nut_have_openssl=no])
+	AC_CHECK_FUNCS(SSL_CTX_new, [], [nut_have_openssl=no])
 
 	if test "${nut_have_openssl}" = "yes"; then
 		nut_with_ssl="yes"
$ NetBSD $
Add compatibility with OpenSSL 1.1

Upstream issue #504
Upstream pull request #558
Upstream commit fcbf18c92918ce5e81d0aab62a7aed5c2245ea4d

--- server/netssl.c.orig
+++ server/netssl.c
@@ -387,12 +387,15 @@ void ssl_init(void)
 
 #ifdef WITH_OPENSSL
 
+# if OPENSSL_VERSION_NUMBER < 0x10100000L
 	SSL_load_error_strings();
 	SSL_library_init();
+#  define TLS_server_method TLSv1_server_method
+# endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
 
-	if ((ssl_method = TLSv1_server_method()) == NULL) {
+	if ((ssl_method = TLS_server_method()) == NULL) {
 		ssl_debug();
-		fatalx(EXIT_FAILURE, "TLSv1_server_method failed");
+		fatalx(EXIT_FAILURE, "TLS_server_method failed");
 	}
 
 	if ((ssl_ctx = SSL_CTX_new(ssl_method)) == NULL) {
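Review bot: Nothing visible in this hunk sets a protocol floor once `TLS_server_method()` replaces the fixed-version method. With OpenSSL 1.1 the server negotiates whatever versions the library build allows, while on older OpenSSL the `#define` maps back to `TLSv1_server_method`, which speaks TLS 1.0 only. ssl_init continues outside the hunk, so this may already be handled there; if it is not, add `SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_2_VERSION);` after the `SSL_CTX_new` check on the 1.1 path and check its return value. On the pre-1.1 path, `SSLv23_server_method` with `SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3)` would avoid pinning to TLS 1.0. The same applies to `TLS_client_method()` in the clients/upsclient.c hunk.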
$ NetBSD $
Add compatibility with OpenSSL 1.1

Upstream issue #504
Upstream pull request #558
Upstream commit fcbf18c92918ce5e81d0aab62a7aed5c2245ea4d

--- clients/upsclient.c.orig
+++ clients/upsclient.c
@@ -316,10 +316,13 @@ int upscli_init(int certverify, const char *certpath,
 	
 #ifdef WITH_OPENSSL
 	
+# if OPENSSL_VERSION_NUMBER < 0x10100000L
 	SSL_library_init();
 	SSL_load_error_strings();
+#  define TLS_client_method TLSv1_client_method
+# endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
 
-	ssl_method = TLSv1_client_method();
+	ssl_method = TLS_client_method();
 
 	if (!ssl_method) {
 		return 0;
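Review bot: The guard `# if OPENSSL_VERSION_NUMBER < 0x10100000L` also decides the LibreSSL case, because LibreSSL reports `OPENSSL_VERSION_NUMBER` as 0x20000000L. On a LibreSSL build the explicit `SSL_library_init()` and `SSL_load_error_strings()` calls are therefore skipped whether or not that release initialises itself. If LibreSSL is a supported backend for this package, the two init calls probably need their own condition that accounts for `LIBRESSL_VERSION_NUMBER`, kept separate from the method alias; this should be confirmed against the LibreSSL versions in use. As a style point, the `#define TLS_client_method` sits inside upscli_init's body (which starts and ends outside the hunk) and stays defined for the rest of the file, so a file-scope compat block next to the includes would make it easier to find. Both remarks apply equally to the server/netssl.c hunk.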
$ NetBSD $
Add compatibility with OpenSSL 1.1

Upstream issue #504
Upstream pull request #558
Upstream commit fcbf18c92918ce5e81d0aab62a7aed5c2245ea4d
autoreconf

--- include/config.h.in.orig	2016-03-08 16:12:38.000000000 +0100
+++ include/config.h.in 2021-02-10 19:15:20.000000000 +0100
@@ -204,12 +206,12 @@
 /* Define to 1 if you have the `snprintf' function. */
 #undef HAVE_SNPRINTF
 
+/* Define to 1 if you have the `SSL_CTX_new' function. */
+#undef HAVE_SSL_CTX_NEW
+
 /* Define to 1 if you have the <ssl.h> header file. */
 #undef HAVE_SSL_H
 
-/* Define to 1 if you have the `SSL_library_init' function. */
-#undef HAVE_SSL_LIBRARY_INIT
-
 /* Define to 1 if you have the <stdarg.h> header file. */
 #undef HAVE_STDARG_H
 
$ NetBSD $
Add compatibility with OpenSSL 1.1

Upstream issue #504
Upstream pull request #558
Upstream commit fcbf18c92918ce5e81d0aab62a7aed5c2245ea4d
autoreconf

--- configure.orig	2016-03-09 09:51:12.000000000 +0100
+++ configure 2021-02-10 19:15:20.000000000 +0100
@@ -10399,12 +10399,12 @@
 
 done
 
-	for ac_func in SSL_library_init
+	for ac_func in SSL_CTX_new
 do :
-  ac_fn_c_check_func "$LINENO" "SSL_library_init" "ac_cv_func_SSL_library_init"
-if test "x$ac_cv_func_SSL_library_init" = xyes; then :
+  ac_fn_c_check_func "$LINENO" "SSL_CTX_new" "ac_cv_func_SSL_CTX_new"
+if test "x$ac_cv_func_SSL_CTX_new" = xyes; then :
   cat >>confdefs.h <<_ACEOF
-#define HAVE_SSL_LIBRARY_INIT 1
+#define HAVE_SSL_CTX_NEW 1
 _ACEOF
 
 else
@@ -10510,12 +10510,12 @@
 
 done
 
-	for ac_func in SSL_library_init
+	for ac_func in SSL_CTX_new
 do :
-  ac_fn_c_check_func "$LINENO" "SSL_library_init" "ac_cv_func_SSL_library_init"
-if test "x$ac_cv_func_SSL_library_init" = xyes; then :
+  ac_fn_c_check_func "$LINENO" "SSL_CTX_new" "ac_cv_func_SSL_CTX_new"
+if test "x$ac_cv_func_SSL_CTX_new" = xyes; then :
   cat >>confdefs.h <<_ACEOF
-#define HAVE_SSL_LIBRARY_INIT 1
+#define HAVE_SSL_CTX_NEW 1
 _ACEOF
 
 else

