On Fri, Jul 19, 2024 at 05:09:15PM +0200, Remi Locherer wrote: > On Mon, Jul 15, 2024 at 01:45:32PM +0100, Stuart Henderson wrote: > > On 2024/07/14 21:08, Remi Locherer wrote: > > > -V = 8.2208.0 > > > +V = 8.2404.0 > > > DISTNAME = rsyslog-$V > > > PKGNAME-main = rsyslog-$V > > > PKGNAME-mysql = rsyslog-mysql-$V > > > @@ -22,8 +22,6 @@ REVISION-pgsql = 0 > > > > There are some REVISION-* to remove too. > > > > > --- /dev/null 1 Jan 1970 00:00:00 -0000 > > > +++ patches/patch-runtime_net_ossl_c 20 May 2024 19:52:41 -0000 > > > @@ -0,0 +1,24 @@ > > > +LibreSSL does not support SSL_CONF_CTX. > > > +This patch is already present in rsyslog master and will most likely > > > +ship with a future version. > > > > I'm not sure if this is quite enough. It removes the > > net_ossl_apply_tlscgfcmd function but not the prototype, and it's still > > referenced later in the BEGINobjQueryInterface(net_ossl) bits below in > > that file, > > > > ... > > 1196 pIf->osslGetpeercert = net_ossl_getpeercert; > > 1197 pIf->osslChkpeercertvalidity = net_ossl_chkpeercertvalidity; > > 1198 pIf->osslApplyTlscgfcmd = net_ossl_apply_tlscgfcmd; > > 1199 pIf->osslSetBioCallback = net_ossl_set_bio_callback; > > ... > > > > I think rsyslog will probably crash if any functions using that are > > called. > > > > Is there anyone reading who uses the rsyslog port with TLS who could > > check runtime? > > > > Indeed! Rsyslogd does not crash but it fails to load the lmnsd_ossl module: > > 0985.329403000:main thread : modules.c: loading module > '/usr/local/lib/rsyslog/lmnsd_ossl.so' > rsyslogd:/usr/local/lib/rsyslog/lmnsd_ossl.so: undefined symbol > 'net_ossl_apply_tlscgfcmd' >
With the below I could transmit a log message using the ossl module. I also removed the revision lines from the makefile. OK? Remi
--- sysutils/rsyslog/Makefile
+++ sysutils/rsyslog/Makefile
@@ -6,7 +6,7 @@ COMMENT-elasticsearch = Elasticsearch plugin for rsysl
 MULTI_PACKAGES = -main -mysql -normalize -pgsql -elasticsearch
-V = 8.2208.0
+V = 8.2404.0
 DISTNAME = rsyslog-$V
 PKGNAME-main = rsyslog-$V
 PKGNAME-mysql = rsyslog-mysql-$V
@@ -14,16 +14,9 @@ PKGNAME-normalize = rsyslog-normalize-$V
 PKGNAME-pgsql = rsyslog-pgsql-$V
 PKGNAME-elasticsearch = rsyslog-elasticsearch-$V
 CATEGORIES = sysutils
-REVISION-elasticsearch =0
-REVISION-main = 0
-REVISION-mysql = 0
-REVISION-normalize = 0
-REVISION-pgsql = 0
 HOMEPAGE = https://www.rsyslog.com/
-MAINTAINER = Remi Locherer <r...@openbsd.org>
-
 # GPLv3+
 PERMIT_PACKAGE = Yes
@@ -32,7 +25,7 @@ COMPILER = base-clang ports-gcc base-gcc
 WANTLIB-main += c crypto curl estr fastjson gcrypt gmp gnutls
 WANTLIB-main += gpg-error hogweed iconv idn2 intl m nettle nghttp2
 WANTLIB-main += p11-kit pthread relp ssl tasn1 unistring uuid z
-WANTLIB-main += brotlidec brotlienc execinfo zstd
+WANTLIB-main += execinfo nghttp3 ngtcp2 ngtcp2_crypto_quictls
 WANTLIB-mysql += crypto m mariadb pthread ssl z
@@ -41,6 +34,7 @@ WANTLIB-normalize += estr fastjson lognorm pthread
 WANTLIB-pgsql += crypto m pq pthread ssl
 WANTLIB-elasticsearch += crypto curl m nghttp2 pthread ssl z
+WANTLIB-elasticsearch += nghttp3 ngtcp2 ngtcp2_crypto_quictls
 LIB_DEPENDS-main = devel/libfastjson \
 devel/libestr \
--- sysutils/rsyslog/distinfo
+++ sysutils/rsyslog/distinfo
@@ -1,2 +1,2 @@
-SHA256 (rsyslog-8.2208.0.tar.gz) = FN5o57jlqwxdc0+C4tyf/yLNf0cQrWkHJ+sQp7mz314=
-SIZE (rsyslog-8.2208.0.tar.gz) = 3262298
+SHA256 (rsyslog-8.2404.0.tar.gz) = MFKNFA7BsfB5IkCB+jffbgZYf/QrAuPmHy2qBSbFTTM=
+SIZE (rsyslog-8.2404.0.tar.gz) = 3408657
--- /dev/null
+++ sysutils/rsyslog/patches/patch-runtime_net_ossl_c
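Review bot: The second Makefile hunk also drops the `MAINTAINER = Remi Locherer <r...@openbsd.org>` line, which the cover text only describes as removing the REVISION lines; if giving up maintainership is intended it should be stated so the commit log records it, otherwise the line should stay. Removing the five REVISION-* lines on a version bump is correct. The WANTLIB changes in the next two hunks (brotlidec/brotlienc/zstd replaced by nghttp3/ngtcp2/ngtcp2_crypto_quictls for -main, and the same three added for -elasticsearch) look like transitive libcurl dependencies of the current build environment rather than anything rsyslog itself changed; worth confirming they come from `make port-lib-depends-check` so the lists match what the packages are actually linked against.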
@@ -0,0 +1,46 @@
+LibreSSL does not support SSL_CONF_cmd.
+This is already present in rsyslog master and will most likely ship
+with a future version.
+https://github.com/rsyslog/rsyslog/commit/b79fd513271bdd02d8a37fa4197d2f293aaf6d11
+
+Index: runtime/net_ossl.c
+--- runtime/net_ossl.c.orig
++++ runtime/net_ossl.c
+@@ -59,7 +59,9 @@ void net_ossl_set_ssl_verify_callback(SSL *pSsl, int f
+ void net_ossl_set_ctx_verify_callback(SSL_CTX *pCtx, int flags);
+ void net_ossl_set_bio_callback(BIO *conn);
+ int net_ossl_verify_callback(int status, X509_STORE_CTX *store);
++#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
+ rsRetVal net_ossl_apply_tlscgfcmd(net_ossl_t *pThis, uchar *tlscfgcmd);
++#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
+ rsRetVal net_ossl_chkpeercertvalidity(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP);
+ X509* net_ossl_getpeercert(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP);
+ rsRetVal net_ossl_peerfingerprint(net_ossl_t *pThis, X509* certpeer, uchar *fromHostIP);
+@@ -472,6 +474,7 @@ void net_ossl_lastOpenSSLErrorMsg
+ }
+ }
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
+ /* initialize tls config commands in openssl context
+ */
+ rsRetVal net_ossl_apply_tlscgfcmd(net_ossl_t *pThis, uchar *tlscfgcmd)
+@@ -557,8 +560,8 @@ rsRetVal net_ossl_apply_tlscgfcmd(net_ossl_t *pThis, u
+ finalize_it:
+ RETiRet;
+ }
++#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
+ 
+-
+ /* Convert a fingerprint to printable data. The conversion is carried out
+ * according IETF I-D syslog-transport-tls-12. The fingerprint string is
+ * returned in a new cstr object. It is the caller's responsibility to
+@@ -1195,7 +1198,9 @@ CODESTARTobjQueryInterface(net_ossl)
+ pIf->osslPeerfingerprint = net_ossl_peerfingerprint;
+ pIf->osslGetpeercert = net_ossl_getpeercert;
+ pIf->osslChkpeercertvalidity = net_ossl_chkpeercertvalidity;
++#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
+ pIf->osslApplyTlscgfcmd = net_ossl_apply_tlscgfcmd;
++#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
+ pIf->osslSetBioCallback = net_ossl_set_bio_callback;
+ pIf->osslSetCtxVerifyCallback = net_ossl_set_ctx_verify_callback;
+ pIf->osslSetSslVerifyCallback = net_ossl_set_ssl_verify_callback;
--- /dev/null
+++ sysutils/rsyslog/patches/patch-runtime_net_ossl_h
@@ -0,0 +1,18 @@
+LibreSSL does not support SSL_CONF_cmd.
+This is already present in rsyslog master and will most likely ship
+with a future version.
+https://github.com/rsyslog/rsyslog/commit/b79fd513271bdd02d8a37fa4197d2f293aaf6d11
+
+Index: runtime/net_ossl.h
+--- runtime/net_ossl.h.orig
++++ runtime/net_ossl.h
+@@ -88,7 +88,9 @@ BEGINinterface(net_ossl) /* name must also be changed
+ rsRetVal (*osslPeerfingerprint)(net_ossl_t *pThis, X509* certpeer, uchar *fromHostIP);
+ X509* (*osslGetpeercert)(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP);
+ rsRetVal (*osslChkpeercertvalidity)(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP);
++#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
+ rsRetVal (*osslApplyTlscgfcmd)(net_ossl_t *pThis, uchar *tlscfgcmd);
++#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
+ void (*osslSetBioCallback)(BIO *conn);
+ void (*osslSetCtxVerifyCallback)(SSL_CTX *pCtx, int flags);
+ void (*osslSetSslVerifyCallback)(SSL *pSsl, int flags);
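Review bot: With the three new guards a LibreSSL build compiles out net_ossl_apply_tlscgfcmd and no longer assigns pIf->osslApplyTlscgfcmd in CODESTARTobjQueryInterface, so whatever configuration feeds the tlscfgcmd argument (the cipher and protocol restrictions normally handed to SSL_CONF_cmd) cannot be applied on OpenBSD; the patch header should say so, and it is worth checking that the driver consuming this interface (not in this diff) reports or rejects such a setting instead of silently ignoring it, since an operator would otherwise believe the hardening is in effect. The `#endif` comments repeat only half of the condition; `#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)` would match the three `#if` lines. Keeping the upstream commit link in the header is good, as it lets the patch be dropped at the next update once that commit is in a release.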
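Review bot: The guard in net_ossl.h changes the layout of the net_ossl interface struct, so every translation unit that includes this header must see `OPENSSL_VERSION_NUMBER` and `LIBRESSL_VERSION_NUMBER` exactly as net_ossl.c does; if an includer pulls in net_ossl.h before the OpenSSL headers, an undefined OPENSSL_VERSION_NUMBER evaluates to 0, the member is omitted, and the function pointers after it (osslSetBioCallback and following) are read at the wrong offsets with no compiler diagnostic. The context lines (SSL_CTX, X509, BIO) suggest the OpenSSL headers are already included above this point, so this is presumably fine, but it is the one silent failure mode of this approach. A comment on the `#if`, such as `/* LibreSSL lacks SSL_CONF_cmd; must match the guard in net_ossl.c */`, would help whoever rebases the patch next.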