Build failure with >= postfix-3.5.20

[orbea]

As I am sure is well known modern Postfix releases are broken with LibreSSL, OpenBSD outright uses OpenSSL.

https://github.com/openbsd/ports/blob/dce94975560b18e52943920a42ff29ca6a191611/mail/postfix/stable/Makefile#L7

And the Postfix 3.5 releases are the oldest that work with LibreSSL, but starting with >= 3.5.20 one of the build failures with modern Postfix has been introduced.

tls_misc.c: In function 'tls_library_init':
tls_misc.c:660:5: error: unknown type name 'OPENSSL_INIT_SETTINGS'; did you mean 'OPENSSL_INIT_ATFORK'?
  660 |     OPENSSL_INIT_SETTINGS *init_settings;
      |     ^~~~~~~~~~~~~~~~~~~~~
      |     OPENSSL_INIT_ATFORK
tls_misc.c:684:26: error: implicit declaration of function 'OPENSSL_INIT_new'; did you mean 'OPENSSL_init_ssl'? [-Werror=implicit-function-declaration]
  684 |     if ((init_settings = OPENSSL_INIT_new()) == 0) {
      |                          ^~~~~~~~~~~~~~~~
      |                          OPENSSL_init_ssl
tls_misc.c:684:24: warning: assignment to 'int *' from 'int' makes pointer from integer without a cast [-Wint-conversion]
  684 |     if ((init_settings = OPENSSL_INIT_new()) == 0) {
      |                        ^
tls_misc.c:690:10: error: implicit declaration of function 'OPENSSL_INIT_free'; did you mean 'OPENSSL_INIT_ASYNC'? [-Werror=implicit-function-declaration]
  690 |     do { OPENSSL_INIT_free(init_settings); return (init_res = (x)); } while(0)
      |          ^~~~~~~~~~~~~~~~~
tls_misc.c:741:13: note: in expansion of macro 'TLS_LIB_INIT_RETURN'
  741 |             TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR);
      |             ^~~~~~~~~~~~~~~~~~~
tls_misc.c:744:9: error: implicit declaration of function 'OPENSSL_INIT_set_config_file_flags' [-Werror=implicit-function-declaration]
  744 |         OPENSSL_INIT_set_config_file_flags(init_settings, file_flags);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tls_misc.c:749:9: error: implicit declaration of function 'OPENSSL_INIT_set_config_filename' [-Werror=implicit-function-declaration]
  749 |         OPENSSL_INIT_set_config_filename(init_settings, conf_file);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tls_misc.c:751:9: error: implicit declaration of function 'OPENSSL_INIT_set_config_appname' [-Werror=implicit-function-declaration]
  751 |         OPENSSL_INIT_set_config_appname(init_settings, conf_name);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
make: *** [Makefile:92: tls_misc.o] Error 1

build.log

OpenBSD currently provides 3.5.17 where the current patches also allow 3.5.19 to build.

https://github.com/openbsd/ports/blob/dce94975560b18e52943920a42ff29ca6a191611/mail/postfix/stable35/Makefile#L1 https://github.com/openbsd/ports/blob/dce94975560b18e52943920a42ff29ca6a191611/mail/postfix/stable35/patches/patch-src_tls_tls_certkey_c https://github.com/openbsd/ports/blob/dce94975560b18e52943920a42ff29ca6a191611/mail/postfix/stable35/patches/patch-src_tls_tls_server_c

Is there any hope that LibreSSL can at least support newer Postfix 3.5 patch releases?

[brad0]

AFAIK the biggest issue with Postfix and LibreSSL is the lack of DANE support.

[botovq]

Current events made this a bit of a problem.

This issue came too close to the 3.8 release for us to do anything about it. We don't really want to add OPENSSL_INIT_new(). My understanding of the Postfix release cycle is that Postfix 3.5 will be end of life some time next year, so we would add another single-digit consumer API for no compelling reason. The reason here is that Postfix added two config knobs to add support for OpenSSL config files.

It is straightforward to patch out the OPENSSL_INIT_new()-related code:

https://marc.info/?l=openbsd-ports&m=170300480407134&w=2

As long as you don't set the tls_config_{file,name} configuration, this should work just fine.

Brad is right, DANE support became mandatory in Postfix at some point, presumably at around the time when support for the OpenSSL 1.0 branch was removed, and that is the major blocker. While supporting DANE in LibreSSL is not entirely out of the question, doing it the OpenSSL way pretty much is.

[brad0]

With the release of Postfix 3.6.

20200705

    Cleanup: OpenSSL-1.1.1 is the minimum supported version.
    This is an LTS (long-term support) version that will reach
    the end of life by 2023-09-11. This removes support for
    export ciphers.

    This also changes the Postfix default fingerprint digest
    from MD5 to SHA256, but only when the compatibility_level
    is set to '3' or higher.

    Code by Viktor Dukhovni. Files: global/mail_params.c,
    global/mail_params.h, posttls-finger/posttls-finger.c,
    proto/COMPATIBILITY_README.html, proto/TLS_README.html,
    proto/postconf.proto, smtp/smtp.c, smtp/smtp_tls_policy.c,
    smtpd/smtpd.c, smtpd/smtpd_check.c, tls/Makefile.in,
    tls/tls.h, tls/tls_certkey.c, tls/tls_client.c, tls/tls_dane.c,
    tls/tls_dh.c, tls/tls_misc.c, tls/tls_rsa.c, tls/tls_server.c,
    tls/tls_verify.c.

20200710

    Security: added a section to the sendmail(1) manpage for
    security researchers and application developers, with an
    example of using '--' to disable command option processing
    for user-specified data. File sendmail/sendmail.c.

    Error reporting: added '--' to a postalias command line to
    make an obsecure error message less confusing. File
    sendmail/sendmail.c.

    Conversion from Postfix built-in DANE support to OpenSSL
    DANE support. Code by Viktor Dukhovni. Files:
    posttls-finger/posttls-finger.c, proto/postconf.proto,
    smtp/smtp.c, smtp/smtp_proto.c, smtp/smtp_tls_policy.c,
    tls/Makefile.in, tlsproxy/tlsproxy.c, tls/tls_client.c,
    tls/tls_dane.c, tls/tls_fprint.c, tls/tls.h, tls/tls_misc.c,
    tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c,
    tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c,
    tls/tls_proxy.h, tls/tls_verify.c, util/hex_code.c.

    Bugfix (introduced: Postfix 3.0): minor memory leaks in the
    Postfix TLS library, found during tests. File: tls/tls_misc.c.

[orbea]

@botovq Thanks for the detailed information, would you mind elaborating on why OPENSSL_INIT_new() is undesirable?

I can confirm your patch also builds on my side and its understandable if fixing newer postfix is difficult, but if at all possible it would be greatly appreciated. Its one of the few blockers I have found in Gentoo so far.

[botovq]

It is not desirable simply because there are almost no consumers. It is not particularly offensive as far as new OpenSSL APIs go, but it adds quite a bit of complexity. If it was the only thing in the way of having newer postfix work out of the box it would be an easier sell. But as things are, it's most likely easier to adjust the few consumers than to add this kind of complexity to our libraries.

[orbea]

That makes sense, thanks for helping me understand.