sonertari / SSLproxy

Transparent SSL/TLS proxy for decrypting and diverting network traffic to other programs, such as UTM services, for deep SSL inspection
BSD 2-Clause "Simplified" License

Can not compile on OpenBSD 7.5 amd64 #70

Closed tangentnet closed 3 months ago

tangentnet commented 3 months ago

System: OpenBSD tangent.localdomain 7.5 GENERIC.MP#82 amd64

Version for sslproxy : sslproxy-0.9.5

Output of make:

```
[Fri Jul 05 19:37:43 tangent tangent /usr/ports/security/sslproxy]
make
===> Building from scratch sslproxy-0.9.5
===> sslproxy-0.9.5 depends on: libnet->=1.1v0,<1.2v0 -> libnet-1.1.6v0
===> sslproxy-0.9.5 depends on: sqlite3- -> sqlite3-3.44.2
===> sslproxy-0.9.5 depends on: gmake- -> gmake-4.4.1
===> sslproxy-0.9.5 depends on: libevent-* -> libevent-2.1.12p0
===> Verifying specs: c crypto event_core event_extra event_openssl event_pthreads pthread ssl
===> found c.99.0 crypto.53.0 event_core.2.1 event_extra.1.0 event_openssl.1.0 event_pthreads.0.0 pthread.27.1 ssl.56.0
===> Checking files for sslproxy-0.9.5
`/usr/ports/distfiles/sslproxy-0.9.5.tar.gz' is up to date.
(SHA256) sslproxy-0.9.5.tar.gz: OK
===> Extracting for sslproxy-0.9.5
===> Patching for sslproxy-0.9.5
===> Compiler link: clang -> /usr/bin/clang
===> Compiler link: clang++ -> /usr/bin/clang++
===> Compiler link: cc -> /usr/bin/cc
===> Compiler link: c++ -> /usr/bin/c++
===> Generating configure for sslproxy-0.9.5
===> Configuring for sslproxy-0.9.5
===> Building for sslproxy-0.9.5
gmake: GNUmakefile: No such file or directory
gmake: No rule to make target 'GNUmakefile'. Stop.
Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:3061 '/usr/ports/pobj/sslproxy-0.9.5/.build_done': @cd /usr/ports/pobj/sslproxy-0...)
*** Error 2 in /usr/ports/security/sslproxy (/usr/ports/infrastructure/mk/bsd.port.mk:2704 'all': @lock=sslproxy-0.9.5; export _LOCKS_HELD=...)
```

OpenSSL (not sure whether it is relevant for this case or not): LibreSSL 3.9.0

Version of libevent (not sure whether it is relevant for this case or not): libevent-2.1.12p0

I can compile outside of the ports system, but it fails inside OpenBSD ports system.

sonertari commented 3 months ago

Do you use the sslproxy port at UTMFW? And it seems like GNUmakefile is missing in your tarball. How did you generate the sslproxy tarball?

tangentnet commented 3 months ago

> Do you use the sslproxy port at UTMFW? And it seems like GNUmakefile is missing in your tarball. How did you generate the sslproxy tarball?

I'm building it on OpenBSD 7.5, not UTMFW. I was able to build it after creating a suitable directory structure and producing an archive. I somehow neglected to do that before, as I typically do with sources from GitHub.

I created a port for net/testproxy, built and installed it for running sslproxy tests, but the TESTHARNESS is failing. Here is my modified Makefile:

```make
COMMENT=        transparent SSL/TLS proxy to divert decrypted traffic

DISTNAME=       sslproxy-0.9.5
EXTRACT_SUFX=   .tar.gz

CATEGORIES=     security

HOMEPAGE=       https://github.com/sonertari/SSLproxy

MAINTAINER=     Soner Tari <sonertari@gmail.com>

PERMIT_PACKAGE= Yes

WANTLIB += c crypto event_core event_extra event_openssl event_pthreads
WANTLIB += pthread ssl

MASTER_SITES=   https://github.com/sonertari/SSLproxy/

LIB_DEPENDS=    devel/libevent2
BUILD_DEPENDS=  net/libnet/1.1 \
                databases/sqlite3
RUN_DEPENDS=    devel/libevent2 \
                net/libnet/1.1 \
                databases/sqlite3
TEST_DEPENDS=   devel/check \
                net/testproxy \
                security/sudo

MAKE_FLAGS=     MANDIR=man PREFIX=${TRUEPREFIX}

USE_GMAKE=      Yes

MAKE_FILE=      GNUmakefile

.include <bsd.port.mk>
```

Tests return this error:

```
Host: example.com
Content-Type: application/ocsp-request

, {})
[08:30:42] [DEBUG] SRV.h1.s2.c1.t2.1: TCP stream read error: Resource temporarily unavailable (os error 35)
[08:30:42] [DEBUG] SRV.h1.s3.c2.t1.1: TCP stream connected
gmake[2]: [GNUmakefile:38: test] Segmentation fault (core dumped)
gmake[2]: Leaving directory '/usr/ports/pobj/sslproxy-0.9.5/sslproxy-0.9.5/tests/testproxy'
gmake[1]: [GNUmakefile:20: e2etest] Error 2
gmake[1]: Leaving directory '/usr/ports/pobj/sslproxy-0.9.5/sslproxy-0.9.5'
gmake: [GNUmakefile:14: test] Error 2
Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:3096 '/usr/ports/pobj/sslproxy-0.9.5/.test_done': @cd /usr/ports/pobj/sslproxy-0....)
*** Error 2 in /usr/ports/security/sslproxy (/usr/ports/infrastructure/mk/bsd.port.mk:2704 'test': @lock=sslproxy-0.9.5; export _LOCKS_HELD...)
```

Let me know if this is relevant.

sonertari commented 3 months ago

Use the sslproxy port at UTMFW. Create the tarball using git clone (remove the .git folder only). SSLproxy e2e tests are supported on Linux only. I've never used testproxy on OpenBSD.
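The check below is an added example, not part of the thread or of SSLproxy: a POSIX shell function that confirms a distfile unpacks to a single `sslproxy-0.9.5/` directory containing `GNUmakefile` with no `.git` left inside, which is the layout the port build in this issue expects. The function names and the small sample tarballs it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify a distfile has the layout the port build expects.
# check_distfile TARBALL DISTNAME -> 0 if OK, 1 on layout problems, 2 if unreadable
check_distfile() {
    tarball=$1 distname=$2 rc=0
    listing=$(tar -tzf "$tarball" 2>/dev/null) || { echo "cannot read $tarball"; return 2; }
    listing=$(printf '%s\n' "$listing" | sed 's|^\./||')   # drop a leading "./"
    # All members must sit under one top-level directory named DISTNAME.
    tops=$(printf '%s\n' "$listing" | cut -d/ -f1 | sort -u)
    if [ "$tops" != "$distname" ]; then
        echo "top-level entries are not exactly $distname"
        rc=1
    fi
    # gmake is run with MAKE_FILE=GNUmakefile inside that directory.
    if ! printf '%s\n' "$listing" | grep -Fqx "$distname/GNUmakefile"; then
        echo "missing $distname/GNUmakefile"
        rc=1
    fi
    # Repository metadata should not ship in the distfile.
    if printf '%s\n' "$listing" | grep -Fq "$distname/.git/"; then
        echo ".git directory still present"
        rc=1
    fi
    return $rc
}

# Build constructed sample tarballs (tiny stand-ins, not the real release).
make_samples() {
    dir=$1
    mkdir -p "$dir/src/sslproxy-0.9.5/.git" "$dir/flat"
    echo 'all:' > "$dir/src/sslproxy-0.9.5/GNUmakefile"
    echo 'ref: refs/heads/master' > "$dir/src/sslproxy-0.9.5/.git/HEAD"
    echo 'all:' > "$dir/flat/GNUmakefile"
    tar -czf "$dir/withgit.tar.gz" -C "$dir/src" sslproxy-0.9.5
    rm -rf "$dir/src/sslproxy-0.9.5/.git"
    tar -czf "$dir/good.tar.gz" -C "$dir/src" sslproxy-0.9.5
    tar -czf "$dir/flat.tar.gz" -C "$dir/flat" GNUmakefile   # no top-level directory
}

demo=$(mktemp -d) && make_samples "$demo"
for f in good flat withgit; do
    check_distfile "$demo/$f.tar.gz" sslproxy-0.9.5 && echo "$f.tar.gz: layout OK" || echo "$f.tar.gz: rejected"
done
rm -rf "$demo"
```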

tangentnet commented 3 months ago

Thank you; I did it already. Because the test software requires testproxy via Rust and expects it at $HOME/.cargo/bin/testproxy, I created a port for system-wide use and updated sslproxy-0.9.5/tests/testproxy/GNUmakefile for skipping e2e tests on OpenBSD. I am not sure if this approach is correct; please have a look and evaluate.

sslproxy-0.9.5/tests/testproxy/GNUmakefile:

```make
TESTPROXY:= /usr/local/bin/testproxy

TESTPROXY_VERSION=$(shell $(TESTPROXY) -V)
ifneq ($(TESTPROXY_VERSION),testproxy 0.0.5)
$(error Use Testproxy v0.0.5 with this version of SSLproxy, found $(TESTPROXY_VERSION))
endif

ifeq ($(findstring -DWITHOUT_USERAUTH,$(shell $(PROJECT_ROOT)/src/sslproxy -V 2>&1 | grep "Features: ")),-DWITHOUT_USERAUTH)
$(error End-to-end tests need UserAuth enabled, disable WITHOUT_USERAUTH feature in main makefile and try again)
endif

all: test

buildsslproxy:
	$(MAKE) -C $(PROJECT_ROOT)

buildlp:
	$(MAKE) -C lp

# Detect the OS
OS := $(shell uname -s)

# XXX: How to build sslproxy before setting the vars? Otherwise, we depend on the main makefile to have already built it.
test: SSL_PROTOS=$(shell $(PROJECT_ROOT)/src/sslproxy -V 2>&1 | grep "SSL/TLS protocol availability")
test: TLS11=$(findstring tls11,$(SSL_PROTOS))
test: TLS13=$(findstring tls13,$(SSL_PROTOS))
test: OPENSSL=$(shell $(PROJECT_ROOT)/src/sslproxy -V 2>&1 | grep "compiled against OpenSSL")
test: OPENSSL3=$(findstring "OpenSSL 3.",$(OPENSSL))
test: SSLPROXY_CONF=$(if $(TLS13),sslproxy.conf,sslproxy_no_tls13.conf)
test: SSLPROXY_CONF:=$(if $(TLS11),$(SSLPROXY_CONF),sslproxy_no_tls11.conf)
test: SSLPROXY_CONF:=$(if $(OPENSSL3),$(SSLPROXY_CONF),sslproxy_openssl3.conf)
test: SSLPROXY_COMMAND=$(PROJECT_ROOT)/src/sslproxy -f $(SSLPROXY_CONF) -o Debug=no -o Daemon=yes -o User=nobody
test: TESTHARNESS=$(if $(TLS13),testharness.json,testharness_no_tls13.json)
test: TESTHARNESS:=$(if $(TLS11),$(TESTHARNESS),testharness_no_tls11.json)
test: TESTHARNESS:=$(if $(OPENSSL3),$(TESTHARNESS),testharness_openssl3.json)
test: SKIP_TESTHARNESS=2
test: buildsslproxy buildlp
ifeq ($(OS),OpenBSD)
	@echo "Skipping e2e tests on OpenBSD"
else
	sudo LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) ./lp/lp -f ./lp/lp.conf -o Debug=no -o Daemon=yes -o User=nobody
	sudo LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) $(SSLPROXY_COMMAND)
	$(TESTPROXY) -f $(TESTHARNESS) -l 4 --skip-test-harness $(SKIP_TESTHARNESS)
	sudo pkill sslproxy
	sudo pkill lp
endif

test_split: SSL_PROTOS=$(shell $(PROJECT_ROOT)/src/sslproxy -V 2>&1 | grep "SSL/TLS protocol availability")
test_split: TLS11=$(findstring tls11,$(SSL_PROTOS))
test_split: TLS13=$(findstring tls13,$(SSL_PROTOS))
test_split: OPENSSL=$(shell $(PROJECT_ROOT)/src/sslproxy -V 2>&1 | grep "compiled against OpenSSL")
test_split: OPENSSL3=$(findstring "OpenSSL 3.",$(OPENSSL))
test_split: SSLPROXY_CONF=$(if $(TLS13),sslproxy.conf,sslproxy_no_tls13.conf)
test_split: SSLPROXY_CONF:=$(if $(TLS11),$(SSLPROXY_CONF),sslproxy_no_tls11.conf)
test_split: SSLPROXY_CONF:=$(if $(OPENSSL3),$(SSLPROXY_CONF),sslproxy_openssl3.conf)
test_split: SSLPROXY_COMMAND=$(PROJECT_ROOT)/src/sslproxy -n -f $(SSLPROXY_CONF) -o Debug=no -o Daemon=yes -o User=nobody
test_split: TESTHARNESS=$(if $(TLS13),testharness_split.json,testharness_split_no_tls13.json)
test_split: TESTHARNESS:=$(if $(TLS11),testharness_split_no_tls11.json)
test_split: TESTHARNESS:=$(if $(OPENSSL3),testharness_split_openssl3.json)
test_split: buildsslproxy buildlp
ifeq ($(OS),OpenBSD)
	@echo "Skipping e2e split tests on OpenBSD"
else
	sudo LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) ./lp/lp -f ./lp/lp.conf -o Debug=no -o Daemon=yes -o User=nobody
	sudo LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) $(SSLPROXY_COMMAND)
	$(TESTPROXY) -f $(TESTHARNESS) -l 4
	sudo pkill sslproxy
	sudo pkill lp
endif

travis: test

clean:
	$(MAKE) -C $(PROJECT_ROOT) clean
	$(MAKE) -C lp clean

FORCE:

.PHONY: all clean buildsslproxy buildlp test test_split travis
```

Makefile:

```make
DISTNAME=       sslproxy-0.9.5
EXTRACT_SUFX=   .tar.gz

CATEGORIES=     security

HOMEPAGE=       https://github.com/sonertari/SSLproxy

MAINTAINER=     Soner Tari <sonertari@gmail.com>

# SSLproxy: BSD, khash.h (header-based library): MIT
PERMIT_PACKAGE= Yes

WANTLIB += c crypto event_core event_extra event_openssl event_pthreads
WANTLIB += pthread ssl

MASTER_SITES=   https://github.com/sonertari/SSLproxy/

LIB_DEPENDS=    devel/libevent2
BUILD_DEPENDS=  net/libnet/1.1 \
                databases/sqlite3
RUN_DEPENDS=    devel/libevent2 \
                net/libnet/1.1 \
                databases/sqlite3
# following is expected with MALLOC_FLAGS J:
# "cert.t.c:66:F:cert_refcount_inc:cert_refcount_inc_01:0: refcount mismatch"
# the test deliberately does a use-after-free
TEST_DEPENDS=   devel/check \
                net/testproxy

MAKE_FLAGS=     MANDIR=man PREFIX=${TRUEPREFIX}

USE_GMAKE=      Yes

MAKE_FILE=      GNUmakefile

.include        <bsd.port.mk>
```