The attached port is based on prior work by Pete Vickers on Pound-1.10, now updated to the current Pound-2.4.2. It was motivated by our requirement for filtering HTTP requests. Unfortunately, we could not figure out yet how to do this with relayd.
Note that building a package from this port requires that thread support is enabled in OpenSSL. Thus you need to apply the three patches below to the kernel source tree BEFORE attempting to build the pound package. We do not know whether thread support was left disabled on OpenBSD simply because it was not needed so far, or if there were other reasons such as concerns about reliability or security of the resulting OpenSSL library. We tested our port and the OpenSSL library with thread support on i386 and sparc64.

Please test and commit this port and the source tree patches, if there are no objections to activate thread support in OpenSSL by default. Further work on filter support in relayd might eventually make this port and enabling thread support in OpenSSL redundant later.

Thanks in advance for any feedback,
Rolf

So far, to make Pound ports on OpenBSD, the recommendation was to build OpenSSL with thread support and install it in parallel to the OpenBSD default installed (non-threaded) OpenSSL library. However, making a Pound port on sparc64 following that recipe fails. Some subtle bug in the assembler specific to non-UltraSPARC CPUs (found in SUN Blade 100, for example) surfaces while making OpenSSL with threads support. Although ./config no-hw threads no-asm --openssldir=/usr/ports/net/pound-2.4.2/w-pound-2.4.2/openssl-tmp resolves this issue at first sight, 'make test' later fails.

To resolve, and also as a presumably cleaner long-term solution that avoids an installation of another OpenSSL library in parallel, we propose to modify and remake OpenBSD's OpenSSL native library with threads support. Thereafter, our Pound port builds cleanly, and "it just works" without having to recompile OpenSSL and install a second OpenSSL library.

According to CVS, http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/Makefile , OpenBSD does not use Configure of OpenSSL, but uses pre-compiled opensslconf.h files that contain options.
Therefore, we modify them for i386 and sparc64 respectively: diff -u /usr/src/lib/libssl/crypto/arch/i386/opensslconf.h.orig /usr/src/lib/libssl/crypto/arch/i386/opensslconf.h --- /usr/src/lib/libssl/crypto/arch/i386/opensslconf.h.orig Tue Sep 3 20:59:55 2002 +++ /usr/src/lib/libssl/crypto/arch/i386/opensslconf.h Thu Apr 17 19:28:50 2008 @@ -10,6 +10,10 @@ #endif /* OPENSSL_DOING_MAKEDEPEND */ +#ifndef OPENSSL_THREADS +# define OPENSSL_THREADS +#endif + /* The OPENSSL_NO_* macros are also defined as NO_* if the application asks for it. This is a transient feature that is provided for those who haven't had the time to do the appropriate changes in their Note: Apply the above patch to the other archs as well, e.g. .../arch/sparc64/opensslconf.h, etc. diff -u /usr/src/lib/libssl/crypto/Makefile.orig /usr/src/lib/libssl/crypto/Makefile --- /usr/src/lib/libssl/crypto/Makefile.orig Sat Feb 24 20:45:52 2007 +++ /usr/src/lib/libssl/crypto/Makefile Thu Apr 17 19:29:58 2008 @@ -28,6 +28,7 @@ CFLAGS+= -DOPENSSL_NO_HW_CSWIFT -DOPENSSL_NO_HW_NCIPHER -DOPENSSL_NO_HW_ATALLA CFLAGS+= -DOPENSSL_NO_HW_NURON -DOPENSSL_NO_HW_UBSEC -DOPENSSL_NO_HW_AEP CFLAGS+= -DOPENSSL_NO_HW_SUREWARE -DOPENSSL_NO_HW_4758_CCA +CFLAGS+= -DOPENSSL_THREADS CFLAGS+= -I${.CURDIR}/../${SSLEAYDIST} CFLAGS+= -I${LCRYPTO_SRC} SRCS+= o_time.c diff -u /usr/src/lib/libssl/ssl/Makefile.orig /usr/src/lib/libssl/ssl/Makefile --- /usr/src/lib/libssl/ssl/Makefile.orig Thu Nov 24 21:49:23 2005 +++ /usr/src/lib/libssl/ssl/Makefile Thu Apr 17 19:30:40 2008 
@@ -24,6 +24,7 @@ CFLAGS+= -DOPENSSL_NO_IDEA -DTERMIOS -DANSI_SOURCE -DNO_ERR CFLAGS+= -DOPENSSL_NO_MDC2 CFLAGS+= -DOPENSSL_NO_RC5 -DOPENSSL_NO_KRB5 -DHAVE_DLFCN_H +CFLAGS+= -DOPENSSL_THREADS CFLAGS+= -I${.CURDIR}/../${SSLEAYDIST} SRCS= bio_ssl.c s2_clnt.c s3_both.c s3_srvr.c ssl_err2.c ssl_txt.c \ Then rebuild kernel as well as userland. Finally, verify that the header file is up-to-date as shown below (why is this not automagically done by make install, but only done if entire kernel and/or userland is built?). Our port will only build if the header file now has these three additional lines which indicate that OpenSSL now includes thread support: diff -u /usr/include/openssl/opensslconf.h.orig /usr/include/openssl/opensslconf.h --- /usr/include/openssl/opensslconf.h.orig Fri May 23 19:44:54 2008 +++ /usr/include/openssl/opensslconf.h Fri May 23 19:45:08 2008 @@ -10,6 +10,10 @@ #endif /* OPENSSL_DOING_MAKEDEPEND */ +#ifndef OPENSSL_THREADS +# define OPENSSL_THREADS +#endif + /* The OPENSSL_NO_* macros are also defined as NO_* if the application asks for it. This is a transient feature that is provided for those who haven't had the time to do the appropriate changes in their
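Review bot: In the arch/i386/opensslconf.h hunk, the OPENSSL_THREADS define is added for one architecture only, and every other arch header is left to a prose note ("Apply the above patch to the other archs as well"). Please carry a hunk for each arch/*/opensslconf.h in the patch itself, sparc64 at least since that is one of the two platforms tested, so that a committer cannot end up with some architectures built without the define while the Makefile hunks enable it for all of them.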
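Review bot: In the crypto/Makefile and ssl/Makefile hunks, the added "CFLAGS+= -DOPENSSL_THREADS" duplicates the define that the opensslconf.h hunk already introduces under "#ifndef OPENSSL_THREADS". Defining the macro in one place only, preferably the header because that is the file applications such as Pound are compiled against, would keep the library build and the installed header from disagreeing when only part of the patch set is applied; if the Makefile flag is needed for sources that do not include opensslconf.h, a comment in the Makefile saying so would help.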
pound-2.4.2.tgz
Description: Binary data
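The verification step described in the message (every arch header patched, installed header refreshed after the rebuild) can be scripted. The following is an added example, not part of the original post or the port; the function names are hypothetical, and the paths in the usage comment are the ones quoted in the message.

```shell
#!/bin/sh
# Added example: check that OPENSSL_THREADS is defined in every
# arch/*/opensslconf.h of a source tree and in the installed header.
# Function names are illustrative, not part of the port.

# has_threads_define FILE
# Succeeds if FILE has a "#define OPENSSL_THREADS" directive at the start
# of a line (any spacing after '#'). Text inside a one-line comment does
# not match. Limitation: a later "#undef" is not detected.
has_threads_define() {
    grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+OPENSSL_THREADS([[:space:]]|$)' "$1"
}

# unpatched_arch_headers SRCDIR
# Prints each SRCDIR/arch/*/opensslconf.h that still lacks the define.
unpatched_arch_headers() {
    for h in "$1"/arch/*/opensslconf.h; do
        [ -f "$h" ] || continue
        has_threads_define "$h" || printf '%s\n' "$h"
    done
}

# check_threads_setup SRCDIR INSTALLED_HEADER
# Returns 0 only when all arch headers and the installed header agree.
check_threads_setup() {
    missing=$(unpatched_arch_headers "$1")
    status=0
    if [ -n "$missing" ]; then
        printf 'arch headers not patched:\n%s\n' "$missing" >&2
        status=1
    fi
    if ! has_threads_define "$2"; then
        printf 'installed header is stale: %s\n' "$2" >&2
        status=1
    fi
    return $status
}

# Usage, with the paths from the message:
#   check_threads_setup /usr/src/lib/libssl/crypto \
#       /usr/include/openssl/opensslconf.h
```

A non-zero return before building the port means either an architecture was skipped when patching or the installed header was not refreshed by the rebuild.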