On Wed, 01 Jun 2022 20:17:52 +0300 Nicholas Guriev <nicho...@guriev.su> wrote:
To fix the FTBFS of the squid package, I propose applying my changes with the -Wno-error=deprecated-declarations flag and an original patch. This will allow us to proceed with the OpenSSL transition. See also my MR on Salsa: https://salsa.debian.org/squid-team/squid/-/merge_requests/20
I am sponsoring this. Please find a debdiff attached.
diff -Nru squid-5.5/debian/changelog squid-5.5/debian/changelog --- squid-5.5/debian/changelog 2022-04-15 14:39:54.000000000 +0200 +++ squid-5.5/debian/changelog 2022-05-31 22:13:38.000000000 +0200 @@ -1,3 +1,23 @@ +squid (5.5-1.1) unstable; urgency=medium + + * Non-maintainer upload. + + [ Nicholas Guriev ] + * Fixing build against OpenSSL 3.0 (Closes: #1005650, LP: #1946205) + + * debian/rules + - Do not fail on errors about deprecated declarations from OpenSSL. + - Remove -Wall in CFLAGS from the debian/rules file since upstream build + scripts already pass this flag. + + * debian/patches/ + - New 0006-Fix-build-against-OpenSSL-3-0.patch + + [ Simon Deziel ] + * apparmor: allow reading /etc/ssl/openssl.cnf + + -- Nicholas Guriev <guriev...@ya.ru> Tue, 31 May 2022 23:13:38 +0300 + squid (5.5-1) unstable; urgency=medium [ Amos Jeffries <amosjeffr...@squid-cache.org> ] diff -Nru squid-5.5/debian/patches/0006-Fix-build-against-OpenSSL-3-0.patch squid-5.5/debian/patches/0006-Fix-build-against-OpenSSL-3-0.patch --- squid-5.5/debian/patches/0006-Fix-build-against-OpenSSL-3-0.patch 1970-01-01 01:00:00.000000000 +0100 +++ squid-5.5/debian/patches/0006-Fix-build-against-OpenSSL-3-0.patch 2022-05-31 21:31:08.000000000 +0200 
@@ -0,0 +1,210 @@
+From: Nicholas Guriev <guriev...@ya.ru>
+Date: Tue, 31 May 2022 22:31:08 +0300
+Subject: Make build against OpenSSL-3.0 possible
+ In OpenSSL, the SSL_get_ex_new_index macro (substituted to
+ CRYPTO_get_ex_new_index) requires CRYPTO_EX_dup as the second callback. This
+ typedef, for some reason, has got an extra asterisk near void* within
+ arguments into the third version. Freely conversions from void* to void** is
+ okay in C but prohibited in C++. So I've updated the callback prototype to
+ match the last OpenSSL version.
+ .
+ OpenSSL pre-3.0 defined all of the SSL_OP_* macros with numeric hexadecimal
+ literals. However, the third version uses there casting expressions with
+ shifts which preprocessor is unable to compute. So I check only macros
+ existence, this lets Squid accept obsolete options. But it's nothing,
+ OpenSSL should ignore them anyway.
+
+---
+ acinclude/lib-checks.m4 | 2 -
+ src/security/PeerOptions.cc | 50 ++++++++++++++++++++++----------------------
+ src/ssl/support.cc | 2 -
+ 3 files changed, 27 insertions(+), 27 deletions(-)
+
+--- a/acinclude/lib-checks.m4
++++ b/acinclude/lib-checks.m4
+@@ -236,7 +236,7 @@ AC_DEFUN([SQUID_CHECK_OPENSSL_CONST_CRYP
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([
+ #include <openssl/ssl.h>
+
+-int const_dup_func(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *, int, long, void *) {
++int const_dup_func(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void **, int, long, void *) {
+ return 0;
+ }
+ ],[
+--- a/src/security/PeerOptions.cc
++++ b/src/security/PeerOptions.cc
+@@ -297,130 +297,130 @@ static struct ssl_option {
+
+ } ssl_options[] = {
+
+-#if SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
++#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
+ {
+ "NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
+ },
+ #endif
+-#if SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
++#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
+ {
+ "SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
+ },
+ #endif
+-#if SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
++#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
+ {
+ "MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
+ },
+ #endif
+-#if SSL_OP_SSLEAY_080_CLIENT_DH_BUG
++#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
+ {
+ "SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG
+ },
+ #endif
+-#if SSL_OP_TLS_D5_BUG
++#ifdef SSL_OP_TLS_D5_BUG
+ {
+ "TLS_D5_BUG", SSL_OP_TLS_D5_BUG
+ },
+ #endif
+-#if SSL_OP_TLS_BLOCK_PADDING_BUG
++#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
+ {
+ "TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG
+ },
+ #endif
+-#if SSL_OP_TLS_ROLLBACK_BUG
++#ifdef SSL_OP_TLS_ROLLBACK_BUG
+ {
+ "TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG
+ },
+ #endif
+-#if SSL_OP_ALL
++#ifdef SSL_OP_ALL
+ {
+ "ALL", (long)SSL_OP_ALL
+ },
+ #endif
+-#if SSL_OP_SINGLE_DH_USE
++#ifdef SSL_OP_SINGLE_DH_USE
+ {
+ "SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE
+ },
+ #endif
+-#if SSL_OP_EPHEMERAL_RSA
++#ifdef SSL_OP_EPHEMERAL_RSA
+ {
+ "EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA
+ },
+ #endif
+-#if SSL_OP_PKCS1_CHECK_1
++#ifdef SSL_OP_PKCS1_CHECK_1
+ {
+ "PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1
+ },
+ #endif
+-#if SSL_OP_PKCS1_CHECK_2
++#ifdef SSL_OP_PKCS1_CHECK_2
+ {
+ "PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2
+ },
+ #endif
+-#if SSL_OP_NETSCAPE_CA_DN_BUG
++#ifdef SSL_OP_NETSCAPE_CA_DN_BUG
+ {
+ "NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG
+ },
+ #endif
+-#if SSL_OP_NON_EXPORT_FIRST
++#ifdef SSL_OP_NON_EXPORT_FIRST
+ {
+ "NON_EXPORT_FIRST", SSL_OP_NON_EXPORT_FIRST
+ },
+ #endif
+-#if SSL_OP_CIPHER_SERVER_PREFERENCE
++#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+ {
+ "CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE
+ },
+ #endif
+-#if SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
++#ifdef SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
+ {
+ "NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
+ },
+ #endif
+-#if SSL_OP_NO_SSLv3
++#ifdef SSL_OP_NO_SSLv3
+ {
+ "NO_SSLv3", SSL_OP_NO_SSLv3
+ },
+ #endif
+-#if SSL_OP_NO_TLSv1
++#ifdef SSL_OP_NO_TLSv1
+ {
+ "NO_TLSv1", SSL_OP_NO_TLSv1
+ },
+ #else
+ { "NO_TLSv1", 0 },
+ #endif
+-#if SSL_OP_NO_TLSv1_1
++#ifdef SSL_OP_NO_TLSv1_1
+ {
+ "NO_TLSv1_1", SSL_OP_NO_TLSv1_1
+ },
+ #else
+ { "NO_TLSv1_1", 0 },
+ #endif
+-#if SSL_OP_NO_TLSv1_2
++#ifdef SSL_OP_NO_TLSv1_2
+ {
+ "NO_TLSv1_2", SSL_OP_NO_TLSv1_2
+ },
+ #else
+ { "NO_TLSv1_2", 0 },
+ #endif
+-#if SSL_OP_NO_TLSv1_3
++#ifdef SSL_OP_NO_TLSv1_3
+ {
+ "NO_TLSv1_3", SSL_OP_NO_TLSv1_3
+ },
+ #else
+ { "NO_TLSv1_3", 0 },
+ #endif
+-#if SSL_OP_NO_COMPRESSION
++#ifdef SSL_OP_NO_COMPRESSION
+ {
+ "No_Compression", SSL_OP_NO_COMPRESSION
+ },
+ #endif
+-#if SSL_OP_NO_TICKET
++#ifdef SSL_OP_NO_TICKET
+ {
+ "NO_TICKET", SSL_OP_NO_TICKET
+ },
+ #endif
+-#if SSL_OP_SINGLE_ECDH_USE
++#ifdef SSL_OP_SINGLE_ECDH_USE
+ {
+ "SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE
+ },
+@@ -512,7 +512,7 @@ Security::PeerOptions::parseOptions()
+
+ }
+
+-#if SSL_OP_NO_SSLv2
++#ifdef SSL_OP_NO_SSLv2
+ // compliance with RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0
+ op = op | SSL_OP_NO_SSLv2;
+ #endif
+--- a/src/ssl/support.cc
++++ b/src/ssl/support.cc
+@@ -559,7 +559,7 @@ Ssl::VerifyCallbackParameters::At(Securi
+ // "dup" function for SSL_get_ex_new_index("cert_err_check")
+ #if SQUID_USE_CONST_CRYPTO_EX_DATA_DUP
+ static int
+-ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *,
++ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void **,
+ int, long, void *)
+ #else
+ static int
diff -Nru squid-5.5/debian/patches/series squid-5.5/debian/patches/series
--- squid-5.5/debian/patches/series 2022-04-15 14:39:54.000000000 +0200
+++ squid-5.5/debian/patches/series 2022-05-31 21:31:08.000000000 +0200
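Review bot: Switching every `#if SSL_OP_*` guard in `ssl_options[]` to `#ifdef` means that any name the OpenSSL headers still define with the value 0 now gets a table entry, so that option is accepted in the configuration and silently does nothing. The patch description acknowledges this ("this lets Squid accept obsolete options"), but an operator who sets such a name as a hardening measure gets no signal that it has no effect. I would record the reason above the table, e.g. `// #ifdef, not #if: OpenSSL 3.0 defines SSL_OP_* as cast/shift expressions; 0-valued legacy names are accepted as no-ops`. I would also have `Security::PeerOptions::parseOptions()` log a warning when a matched entry's value is 0. The body of `parseOptions()` is outside this hunk, so whether the old `#if` form rejected these names as unknown is inferred rather than visible here.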
@@ -2,3 +2,4 @@ 0002-Change-default-file-locations-for-debian.patch 0003-installed-binary-for-debian-ci.patch 0005-Use-RuntimeDirectory-to-create-run-squid.patch +0006-Fix-build-against-OpenSSL-3-0.patch diff -Nru squid-5.5/debian/rules squid-5.5/debian/rules --- squid-5.5/debian/rules 2022-04-15 14:39:54.000000000 +0200 +++ squid-5.5/debian/rules 2022-05-30 23:20:06.000000000 +0200 @@ -1,7 +1,8 @@ #! /usr/bin/make -f export DEB_BUILD_MAINT_OPTIONS = hardening=+all -export DEB_CFLAGS_MAINT_APPEND = -Wall +export DEB_CFLAGS_MAINT_APPEND = -Wno-error=deprecated-declarations +export DEB_CXXFLAGS_MAINT_APPEND = -Wno-error=deprecated-declarations ifneq (,$(filter $(DEB_HOST_ARCH), armel m68k mips mipsel powerpc powerpcspe sh4)) DEB_LDFLAGS_MAINT_APPEND += -latomic diff -Nru squid-5.5/debian/usr.sbin.squid squid-5.5/debian/usr.sbin.squid --- squid-5.5/debian/usr.sbin.squid 2022-04-15 14:39:54.000000000 +0200 +++ squid-5.5/debian/usr.sbin.squid 2022-05-19 12:50:39.000000000 +0200 @@ -7,6 +7,7 @@ #include <abstractions/base> #include <abstractions/kerberosclient> #include <abstractions/nameservice> + #include <abstractions/openssl> #include <abstractions/ssl_certs> # If you are using squid with the default snakeoil certificates, you will
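Review bot: In debian/rules, `-Wno-error=deprecated-declarations` is appended to both `DEB_CFLAGS_MAINT_APPEND` and `DEB_CXXFLAGS_MAINT_APPEND` without a comment, and it relaxes every deprecated declaration in the build, not only those from OpenSSL. Deprecation diagnostics are often the first sign that a retired TLS or crypto API is still in use, so the relaxation should be traceable and easy to remove later. I would add above the two exports: `# OpenSSL 3.0 deprecations must not fail the build (#1005650); drop once upstream no longer uses the deprecated APIs`.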
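Review bot: The changelog describes the debian/usr.sbin.squid change as "allow reading /etc/ssl/openssl.cnf", but the added line includes the whole `abstractions/openssl`, whose rules are not visible here and presumably grant more than that one file. If only the config read is needed, a single rule such as `/etc/ssl/openssl.cnf r,` keeps the profile narrower. Otherwise, a short comment beside the include, or changelog wording that names the abstraction, would tell anyone auditing the profile what scope was intended.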