boost has a number of LIBRESSL_VERSION_NUMBER code paths that should be removed upstream. In fact, all of these paths can be dropped or weakened once we turn on the OpenSSL TLSv1.3 API (I will start looking into this again after the next bump). I will take this upstream at that point.
For the moment, I'd like us to switch to using the OpenSSL 1.1.1 path for SSL_CTX_get_default_passwd_cb and SSL_CTX_get_default_passwd_cb_userdata. These functions have been available since LibreSSL 2.7.2. Without this patch, the builds of the following ports will break once we make SSL_CTX opaque in libssl. math/rstudio net/i2pd net/icinga/core2 net/libtorrent-rasterbar The same patch is also needed for telephony/resiprocate which uses its bundled version of boost::asio::ssl. The third patch is for databases/mongodb which backports the OpenSSL 1.1.1 code path to its very old bundled version of asio. This went through several bulks with boost 1.72 and 1.73. Index: devel/boost/Makefile =================================================================== RCS file: /cvs/ports/devel/boost/Makefile,v retrieving revision 1.112 diff -u -p -r1.112 Makefile --- devel/boost/Makefile 6 May 2021 11:36:14 -0000 1.112 +++ devel/boost/Makefile 7 May 2021 01:51:49 -0000 @@ -6,6 +6,7 @@ COMMENT-main= free peer-reviewed portabl COMMENT-md= machine-dependent libraries for boost VERSION= 1.73.0 +REVISION= 0 DISTNAME= boost_${VERSION:S/./_/g} PKGNAME-main= boost-${VERSION} PKGNAME-md= boost-md-${VERSION} Index: devel/boost/patches/patch-boost_asio_ssl_impl_context_ipp =================================================================== RCS file: devel/boost/patches/patch-boost_asio_ssl_impl_context_ipp diff -N devel/boost/patches/patch-boost_asio_ssl_impl_context_ipp --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ devel/boost/patches/patch-boost_asio_ssl_impl_context_ipp 7 May 2021 03:44:07 -0000 
@@ -0,0 +1,86 @@
+$OpenBSD$
+
+Use accessors instead of reaching into SSL_CTX. The requisite
+accessors have been available since LibreSSL 2.7.2 and are thus
+present in all supported versions.
+
+Index: boost/asio/ssl/impl/context.ipp
+--- boost/asio/ssl/impl/context.ipp.orig
++++ boost/asio/ssl/impl/context.ipp
+@@ -387,9 +387,7 @@ context::~context()
+ {
+ if (handle_)
+ {
+-#if ((OPENSSL_VERSION_NUMBER >= 0x10100000L) \
+- && !defined(LIBRESSL_VERSION_NUMBER)) \
+- || defined(BOOST_ASIO_USE_WOLFSSL)
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) || defined(BOOST_ASIO_USE_WOLFSSL)
+ void* cb_userdata = ::SSL_CTX_get_default_passwd_cb_userdata(handle_);
+ #else // (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+ void* cb_userdata = handle_->default_passwd_callback_userdata;
+@@ -400,9 +398,7 @@ context::~context()
+ static_cast<detail::password_callback_base*>(
+ cb_userdata);
+ delete callback;
+-#if ((OPENSSL_VERSION_NUMBER >= 0x10100000L) \
+- && !defined(LIBRESSL_VERSION_NUMBER)) \
+- || defined(BOOST_ASIO_USE_WOLFSSL)
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) || defined(BOOST_ASIO_USE_WOLFSSL)
+ ::SSL_CTX_set_default_passwd_cb_userdata(handle_, 0);
+ #else // (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+ handle_->default_passwd_callback_userdata = 0;
+@@ -739,9 +735,7 @@ BOOST_ASIO_SYNC_OP_VOID context::use_certificate_chain
+ bio_cleanup bio = { make_buffer_bio(chain) };
+ if (bio.p)
+ {
+-#if ((OPENSSL_VERSION_NUMBER >= 0x10100000L) \
+- && !defined(LIBRESSL_VERSION_NUMBER)) \
+- || defined(BOOST_ASIO_USE_WOLFSSL)
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) || defined(BOOST_ASIO_USE_WOLFSSL)
+ pem_password_cb* callback = ::SSL_CTX_get_default_passwd_cb(handle_);
+ void* cb_userdata = ::SSL_CTX_get_default_passwd_cb_userdata(handle_);
+ #else // (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+@@ -768,9 +762,7 @@ BOOST_ASIO_SYNC_OP_VOID context::use_certificate_chain
+ BOOST_ASIO_SYNC_OP_VOID_RETURN(ec);
+ }
+
+-#if ((OPENSSL_VERSION_NUMBER >= 0x10002000L) \
+- && !defined(LIBRESSL_VERSION_NUMBER)) \
+- || defined(BOOST_ASIO_USE_WOLFSSL)
++#if (OPENSSL_VERSION_NUMBER >= 0x10002000L) || defined(BOOST_ASIO_USE_WOLFSSL)
+ ::SSL_CTX_clear_chain_certs(handle_);
+ #else
+ if (handle_->extra_certs)
+@@ -847,9 +839,7 @@ BOOST_ASIO_SYNC_OP_VOID context::use_private_key(
+ {
+ ::ERR_clear_error();
+
+-#if ((OPENSSL_VERSION_NUMBER >= 0x10100000L) \
+- && !defined(LIBRESSL_VERSION_NUMBER)) \
+- || defined(BOOST_ASIO_USE_WOLFSSL)
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) || defined(BOOST_ASIO_USE_WOLFSSL)
+ pem_password_cb* callback = ::SSL_CTX_get_default_passwd_cb(handle_);
+ void* cb_userdata = ::SSL_CTX_get_default_passwd_cb_userdata(handle_);
+ #else // (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+@@ -916,9 +906,7 @@ BOOST_ASIO_SYNC_OP_VOID context::use_rsa_private_key(
+ {
+ ::ERR_clear_error();
+
+-#if ((OPENSSL_VERSION_NUMBER >= 0x10100000L) \
+- && !defined(LIBRESSL_VERSION_NUMBER)) \
+- || defined(BOOST_ASIO_USE_WOLFSSL)
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) || defined(BOOST_ASIO_USE_WOLFSSL)
+ pem_password_cb* callback = ::SSL_CTX_get_default_passwd_cb(handle_);
+ void* cb_userdata = ::SSL_CTX_get_default_passwd_cb_userdata(handle_);
+ #else // (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+@@ -1157,9 +1145,7 @@ int context::verify_callback_function(int preverified,
+ BOOST_ASIO_SYNC_OP_VOID context::do_set_password_callback(
+ detail::password_callback_base* callback, boost::system::error_code& ec)
+ {
+-#if ((OPENSSL_VERSION_NUMBER >= 0x10100000L) \
+- && !defined(LIBRESSL_VERSION_NUMBER)) \
+- || defined(BOOST_ASIO_USE_WOLFSSL)
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) || defined(BOOST_ASIO_USE_WOLFSSL)
+ void* old_callback = ::SSL_CTX_get_default_passwd_cb_userdata(handle_);
+ ::SSL_CTX_set_default_passwd_cb_userdata(handle_, callback);
+ #else // (OPENSSL_VERSION_NUMBER >= 0x10100000L)
Index: telephony/resiprocate/Makefile
===================================================================
RCS file: 
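Review bot: In the `@@ -768,9 +762,7 @@` hunk of use_certificate_chain, LibreSSL builds stop freeing `handle_->extra_certs` and call `::SSL_CTX_clear_chain_certs(handle_)` instead, which may not clear the same list. As far as I know, in OpenSSL 1.0.2 and later that macro resets the chain attached to the current certificate, while `SSL_CTX_add_extra_chain_cert` (visible in the mongodb copy of this function further down the page) appends to `extra_certs`; if libssl keeps the same split, a second use_certificate_chain call on one context would keep the earlier intermediates and the peer would be sent a stale chain. The call that matches the removed code is `::SSL_CTX_clear_extra_chain_certs(handle_);`, so please confirm against libssl which list is meant; the same substitution appears in the resiprocate and mongodb patches. The patch header only vouches for the passwd_cb accessors since LibreSSL 2.7.2, so a sentence covering this call would help as well. The function body continues outside the hunk.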
/cvs/ports/telephony/resiprocate/Makefile,v retrieving revision 1.2 diff -u -p -r1.2 Makefile --- telephony/resiprocate/Makefile 4 Jun 2020 20:50:39 -0000 1.2 +++ telephony/resiprocate/Makefile 21 Apr 2021 19:01:53 -0000 @@ -6,7 +6,7 @@ COMMENT-return = reSIProcate STUN/TURN c V = 1.12.0 DISTNAME = resiprocate-${V} -REVISION = 0 +REVISION = 1 PKGNAME-main = resiprocate-${V} PKGNAME-repro = resiprocate-repro-${V} PKGNAME-return = resiprocate-return-${V} Index: telephony/resiprocate/patches/patch-contrib_asio_include_asio_ssl_impl_context_ipp =================================================================== RCS file: telephony/resiprocate/patches/patch-contrib_asio_include_asio_ssl_impl_context_ipp diff -N telephony/resiprocate/patches/patch-contrib_asio_include_asio_ssl_impl_context_ipp --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ telephony/resiprocate/patches/patch-contrib_asio_include_asio_ssl_impl_context_ipp 7 May 2021 03:41:32 -0000 
@@ -0,0 +1,71 @@
+$OpenBSD$
+
+Use accessors instead of reaching into structs. LibreSSL 3.4.x will
+make SSL_CTX and other structs opaque.
+
+Index: contrib/asio/include/asio/ssl/impl/context.ipp
+--- contrib/asio/include/asio/ssl/impl/context.ipp.orig
++++ contrib/asio/include/asio/ssl/impl/context.ipp
+@@ -386,7 +386,7 @@ context::~context()
+ {
+ if (handle_)
+ {
+-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+ void* cb_userdata = ::SSL_CTX_get_default_passwd_cb_userdata(handle_);
+ #else // (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+ void* cb_userdata = handle_->default_passwd_callback_userdata;
+@@ -397,7 +397,7 @@ context::~context()
+ static_cast<detail::password_callback_base*>(
+ cb_userdata);
+ delete callback;
+-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+ ::SSL_CTX_set_default_passwd_cb_userdata(handle_, 0);
+ #else // (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+ handle_->default_passwd_callback_userdata = 0;
+@@ -734,7 +734,7 @@ ASIO_SYNC_OP_VOID context::use_certificate_chain(
+ bio_cleanup bio = { make_buffer_bio(chain) };
+ if (bio.p)
+ {
+-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+ pem_password_cb* callback = ::SSL_CTX_get_default_passwd_cb(handle_);
+ void* cb_userdata = ::SSL_CTX_get_default_passwd_cb_userdata(handle_);
+ #else // (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+@@ -761,7 +761,7 @@ ASIO_SYNC_OP_VOID context::use_certificate_chain(
+ ASIO_SYNC_OP_VOID_RETURN(ec);
+ }
+
+-#if (OPENSSL_VERSION_NUMBER >= 0x10002000L) && !defined(LIBRESSL_VERSION_NUMBER)
++#if (OPENSSL_VERSION_NUMBER >= 0x10002000L)
+ ::SSL_CTX_clear_chain_certs(handle_);
+ #else
+ if (handle_->extra_certs)
+@@ -838,7 +838,7 @@ ASIO_SYNC_OP_VOID context::use_private_key(
+ {
+ ::ERR_clear_error();
+
+-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+ pem_password_cb* callback = ::SSL_CTX_get_default_passwd_cb(handle_);
+ void* cb_userdata = ::SSL_CTX_get_default_passwd_cb_userdata(handle_);
+ #else // (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+@@ -905,7 +905,7 @@ ASIO_SYNC_OP_VOID context::use_rsa_private_key(
+ {
+ ::ERR_clear_error();
+
+-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+ pem_password_cb* callback = ::SSL_CTX_get_default_passwd_cb(handle_);
+ void* cb_userdata = ::SSL_CTX_get_default_passwd_cb_userdata(handle_);
+ #else // (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+@@ -1144,7 +1144,7 @@ int context::verify_callback_function(int preverified,
+ ASIO_SYNC_OP_VOID context::do_set_password_callback(
+ detail::password_callback_base* callback, asio::error_code& ec)
+ {
+-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+ void* old_callback = ::SSL_CTX_get_default_passwd_cb_userdata(handle_);
+ ::SSL_CTX_set_default_passwd_cb_userdata(handle_, callback);
+ #else // (OPENSSL_VERSION_NUMBER >= 0x10100000L)
Index: databases/mongodb/Makefile
===================================================================
RCS file: /cvs/ports/databases/mongodb/Makefile,v
retrieving revision 1.40
diff -u -p -r1.40 Makefile
--- databases/mongodb/Makefile 23 Feb 2021 19:39:11 -0000 1.40
+++ databases/mongodb/Makefile 22 Apr 2021 13:51:25 -0000 
@@ -12,7 +12,7 @@ COMMENT = scalable, high-performance doc DISTNAME = mongodb-src-r3.2.22 PKGNAME = ${DISTNAME:S/src-r//} CATEGORIES = databases -REVISION = 1 +REVISION = 2 HOMEPAGE = https://www.mongodb.com/ Index: databases/mongodb/patches/patch-src_third_party_asio-asio-1-11-0_asio_include_asio_ssl_impl_context_ipp =================================================================== RCS file: databases/mongodb/patches/patch-src_third_party_asio-asio-1-11-0_asio_include_asio_ssl_impl_context_ipp diff -N databases/mongodb/patches/patch-src_third_party_asio-asio-1-11-0_asio_include_asio_ssl_impl_context_ipp --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ databases/mongodb/patches/patch-src_third_party_asio-asio-1-11-0_asio_include_asio_ssl_impl_context_ipp 22 Apr 2021 13:51:09 -0000 
@@ -0,0 +1,116 @@
+$OpenBSD$
+
+Index: src/third_party/asio-asio-1-11-0/asio/include/asio/ssl/impl/context.ipp
+--- src/third_party/asio-asio-1-11-0/asio/include/asio/ssl/impl/context.ipp.orig
++++ src/third_party/asio-asio-1-11-0/asio/include/asio/ssl/impl/context.ipp
+@@ -192,13 +192,14 @@ context::~context()
+ {
+ if (handle_)
+ {
+- if (handle_->default_passwd_callback_userdata)
++ void* cb_userdata = ::SSL_CTX_get_default_passwd_cb_userdata(handle_);
++ if (cb_userdata)
+ {
+ detail::password_callback_base* callback =
+ static_cast<detail::password_callback_base*>(
+- handle_->default_passwd_callback_userdata);
++ cb_userdata);
+ delete callback;
+- handle_->default_passwd_callback_userdata = 0;
++ ::SSL_CTX_set_default_passwd_cb_userdata(handle_, 0);
+ }
+
+ if (SSL_CTX_get_app_data(handle_))
+@@ -528,10 +529,12 @@ asio::error_code context::use_certificate_chain(
+ bio_cleanup bio = { make_buffer_bio(chain) };
+ if (bio.p)
+ {
++ pem_password_cb* callback = ::SSL_CTX_get_default_passwd_cb(handle_);
++ void* cb_userdata = ::SSL_CTX_get_default_passwd_cb_userdata(handle_);
+ x509_cleanup cert = {
+ ::PEM_read_bio_X509_AUX(bio.p, 0,
+- handle_->default_passwd_callback,
+- handle_->default_passwd_callback_userdata) };
++ callback,
++ cb_userdata) };
+ if (!cert.p)
+ {
+ ec = asio::error_code(ERR_R_PEM_LIB,
+@@ -548,15 +551,11 @@ asio::error_code context::use_certificate_chain(
+ return ec;
+ }
+
+- if (handle_->extra_certs)
+- {
+- ::sk_X509_pop_free(handle_->extra_certs, X509_free);
+- handle_->extra_certs = 0;
+- }
++ ::SSL_CTX_clear_chain_certs(handle_);
+
+ while (X509* cacert = ::PEM_read_bio_X509(bio.p, 0,
+- handle_->default_passwd_callback,
+- handle_->default_passwd_callback_userdata))
++ callback,
++ cb_userdata))
+ {
+ if (!::SSL_CTX_add_extra_chain_cert(handle_, cacert))
+ {
+@@ -621,6 +620,9 @@ asio::error_code context::use_private_key(
+ {
+ ::ERR_clear_error();
+
++ pem_password_cb* callback = ::SSL_CTX_get_default_passwd_cb(handle_);
++ void* cb_userdata = ::SSL_CTX_get_default_passwd_cb_userdata(handle_);
++
+ bio_cleanup bio = { make_buffer_bio(private_key) };
+ if (bio.p)
+ {
+@@ -632,8 +634,8 @@ asio::error_code context::use_private_key(
+ break;
+ case context_base::pem:
+ evp_private_key.p = ::PEM_read_bio_PrivateKey(
+- bio.p, 0, handle_->default_passwd_callback,
+- handle_->default_passwd_callback_userdata);
++ bio.p, 0, callback,
++ cb_userdata);
+ break;
+ default:
+ {
+@@ -680,6 +682,9 @@ asio::error_code context::use_rsa_private_key(
+ {
+ ::ERR_clear_error();
+
++ pem_password_cb* callback = ::SSL_CTX_get_default_passwd_cb(handle_);
++ void* cb_userdata = ::SSL_CTX_get_default_passwd_cb_userdata(handle_);
++
+ bio_cleanup bio = { make_buffer_bio(private_key) };
+ if (bio.p)
+ {
+@@ -691,8 +696,8 @@ asio::error_code context::use_rsa_private_key(
+ break;
+ case context_base::pem:
+ rsa_private_key.p = ::PEM_read_bio_RSAPrivateKey(
+- bio.p, 0, handle_->default_passwd_callback,
+- handle_->default_passwd_callback_userdata);
++ bio.p, 0, callback,
++ cb_userdata);
+ break;
+ default:
+ {
+@@ -911,11 +916,12 @@ int context::verify_callback_function(int preverified,
+ asio::error_code context::do_set_password_callback(
+ detail::password_callback_base* callback, asio::error_code& ec)
+ {
+- if (handle_->default_passwd_callback_userdata)
+- delete static_cast<detail::password_callback_base*>(
+- handle_->default_passwd_callback_userdata);
++ void* old_callback = ::SSL_CTX_get_default_passwd_cb_userdata(handle_);
++ ::SSL_CTX_set_default_passwd_cb_userdata(handle_, callback);
+
+- handle_->default_passwd_callback_userdata = callback;
++ if (old_callback)
++ delete static_cast<detail::password_callback_base*>(
++ old_callback);
+
+ SSL_CTX_set_default_passwd_cb(handle_, &context::password_callback_function);
+
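Review bot: The new patch file has no description under `$OpenBSD$`, unlike the boost and resiprocate patches on this page, so nothing in the port records why the bundled asio 1.11.0 is modified. I would add a header comment such as `Use accessors instead of reaching into SSL_CTX; backport of the OpenSSL 1.1.1 code path from newer asio.` The accessor calls are added here without any `#if`, so this copy now requires a libssl that provides them; saying so in the same comment keeps that assumption visible to whoever next updates the port.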