
Support building on OpenBSD #224

Open: wants to merge 6 commits into base branch main

Conversation

@catap catap commented Sep 25, 2024

Here is some micro polish which allows building the main branch on OpenBSD 7.6 beta.

I haven't tested it a lot, but it definitely compiled :)

LibreSSL hasn't got SSL_CTX_select_current_cert and it was broken as a side effect at 88da15b
LibreSSL doesn't implement any 448-bit curves, so some ifdef magic is required to be able to build it on OpenBSD.
OpenBSD 7.6 won't have EVP_PKEY_check anymore, see: openbsd/src@a8d73a0

#ifdef HAVE_X25519
if (IS_XD_CURVE(nid)) {
unsigned char buf[128];
size_t len = sizeof(buf);
EVP_PKEY_get_raw_public_key(pub, buf, &len);
pub_pt_hex = OPENSSL_buf2hexstr(buf, len);
pub_pt_hex = binary_to_hex_ucase(buf, len);
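Review bot: the return value of EVP_PKEY_get_raw_public_key(pub, buf, &len) is still unchecked in this hunk, so if the call fails (for example on a key type the library build does not support, which is exactly the LibreSSL situation this PR targets) buf is uninitialized and len is whatever the call left it, and the new binary_to_hex_ucase(buf, len) would happily encode garbage; suggest guarding the conversion with `if (EVP_PKEY_get_raw_public_key(pub, buf, &len) != 1)` and bailing out. The switch from OPENSSL_buf2hexstr() to binary_to_hex_ucase() also changes ownership of pub_pt_hex: the old result had to be released with OPENSSL_free(), the new one must not be, so any OPENSSL_free(pub_pt_hex) left on this path needs to go, as the review comment below already notes.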
Contributor comment:

It's now invalid to call OPENSSL_free() in this code path. The binary_to_hex_ucase() result doesn't have to be freed.

Author comment:

Oops, it's definitely the kind of thing that someone usually misses at 1am :) Thanks for catching it!


#ifdef HAVE_X25519
if (IS_XD_CURVE(nid)) {
unsigned char buf[128];
size_t len = sizeof(buf);
EVP_PKEY_get_raw_public_key(priv, buf, &len);
pub_pt_hex = OPENSSL_buf2hexstr(buf, len);
pub_pt_hex = binary_to_hex_ucase(buf, len);
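Review bot: same unchecked return on EVP_PKEY_get_raw_public_key(priv, buf, &len) as in the pub hunk above, and the same ownership change for pub_pt_hex; since both #ifdef HAVE_X25519 paths now do the identical fetch-and-hex sequence, worth factoring them into one small helper that checks the return value and converts, so the two copies cannot drift apart (and so the OPENSSL_free() mistake cannot survive in only one of them).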
Contributor comment:

Here too.

SSL_CTX_select_current_cert(ctx, x);
#endif
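Review bot: with SSL_CTX_select_current_cert(ctx, x) now inside the conditional, a LibreSSL build silently skips selecting the certificate it just added to ctx; a comment at this #endif should state why that is safe on LibreSSL (or what the library falls back to), and the PR should carry the local_name SNI check the reviewers ask for below, so the behavioural difference between the two builds is covered by a test rather than assumed.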
Contributor comment:

I wonder if something breaks now because these aren't called, @cmouse?

Contributor comment:

I'm not sure, would have to test this. @catap, it would be nice if you could test that:

local_name cert {
}

blocks still work correctly with SNI, and that e.g. drwetter's SSL checker gives a clean bill of health.

LibreSSL hasn't got it, and here binary_to_hex_ucase is used, which is the same and is used for OpenSSL 3.
grep is used for simple patterns and basic regular expressions (BREs); egrep can handle extended regular expressions (EREs). A pattern in the form 'a|b|c' requires ERE, and BRE isn't enough for non-GNU grep.
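The BRE/ERE difference behind that commit, shown as an added example (this script is not part of the PR or of Dovecot); the sample input is constructed, and the counts come from real grep behaviour on any POSIX grep:

```shell
#!/bin/sh
# Added example, not from the PR: why an alternation such as 'a|b|c' needs
# grep -E (ERE) rather than plain grep (BRE) on non-GNU systems.
# Constructed sample input: a few backend names plus one line that contains
# the pattern text literally.
sample_input() {
    printf 'kqueue\nepoll\nnone\ninotify\nkqueue|epoll|none\n'
}

# BRE: on every POSIX grep (OpenBSD's included) '|' is an ordinary character,
# so this matches only the line that literally contains "kqueue|epoll|none".
# GNU grep accepts '\|' as a BRE extension, but that is not portable either.
bre_matches() {
    sample_input | grep -c 'kqueue|epoll|none'
}

# ERE: '|' is alternation everywhere, so kqueue, epoll, none and the literal
# line all match. grep -E is the POSIX spelling of egrep.
ere_matches() {
    sample_input | grep -c -E 'kqueue|epoll|none'
}

# Portable alternative when the alternatives are fixed strings: one -e per
# string with -F (fixed) and -x (whole line), no regex dialect involved.
fixed_matches() {
    sample_input | grep -c -F -x -e kqueue -e epoll -e none
}
```

Run it with `sh grep_dialects.sh` after adding calls to the three functions; on the constructed input the BRE form counts 1 line, the ERE form 4 and the fixed-string form 3.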
@catap catap commented Sep 26, 2024

Well, I've tried to run it and discovered that dovecot can't start on OpenBSD and probably on non-Linux. It doesn't build and install imap-hibernate because of the condition:

AM_CONDITIONAL([BUILD_IMAP_HIBERNATE], [test "$notify" != kqueue -a "$notify" != none])

but it is included in src/config/all-settings.c.

So, when I try to run dovecot, it fails as:

Fatal: service(imap-hibernate) access(/home/catap/src/dovecot/local/libexec/dovecot/imap-hibernate) failed: No such file or directory

Thus, I have pushed some small polish, but I haven't tested that SNI works because I can't start it :(

@cmouse cmouse commented Sep 26, 2024

you could just disable imap-hibernate? not sure why it even tries to start up though. do you have service imap-hibernate block in your config?

@catap catap commented Sep 26, 2024

> you could just disable imap-hibernate? not sure why it even tries to start up though. do you have service imap-hibernate block in your config?

I don’t but it is added via default settings :)

I’m making a way to exclude it, but it is a bit messy and I’m cleaning it right now.

@catap catap commented Sep 26, 2024

I just pushed an updated version. It was tested with keys generated by these commands:

openssl req -x509 -newkey rsa:4096 -keyout generic.key -out generic.pem -sha256 -days 3650 -nodes -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=generic"
openssl req -x509 -newkey rsa:4096 -keyout hosta.key -out hosta.pem -sha256 -days 3650 -nodes -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=hosta"
openssl req -x509 -newkey rsa:4096 -keyout hostb.key -out hostb.pem -sha256 -days 3650 -nodes -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=hostb"

A test was:

openssl s_client -crlf -showcerts -connect 127.0.0.1:10993
openssl s_client -crlf -showcerts -connect 127.0.0.1:10993 -servername hosta
openssl s_client -crlf -showcerts -connect 127.0.0.1:10993 -servername hostb

and confirmation that the right certificate is used.

The used config:

# 0.0.0-33328+17fb6744c9-dirty (c228f3c277): /home/catap/src/dovecot/local/etc/dovecot/dovecot.conf
# OS: OpenBSD 7.6 amd64
# Hostname: localhost
dovecot_config_version = 2.4.0
default_internal_group = catap
default_internal_user = catap
default_login_user = catap
dovecot_storage_version = 2.4.0
ssl_cert = </home/catap/src/dovecot/local/etc/dovecot/generic.pem
ssl_key = # hidden, use -P to show it
service auth {
  name = auth
  unix_listener auth-userdb {
    path = auth-userdb
  }
}
service auth-worker {
  name = auth-worker
}
service dict {
  name = dict
  unix_listener dict {
    path = dict
  }
}
service imap {
  name = imap
}
service imap-login {
  name = imap-login
  inet_listener imap {
    name = imap
    port = 10143
  }
  inet_listener imaps {
    name = imaps
    port = 10993
    ssl = yes
  }
}
service lmtp {
  name = lmtp
  unix_listener lmtp {
    path = lmtp
  }
}
service pop3 {
  name = pop3
}
service pop3-login {
  name = pop3-login
  inet_listener pop3 {
    name = pop3
    port = 10110
  }
  inet_listener pop3s {
    name = pop3s
    port = 10995
    ssl = yes
  }
}
service submission {
  name = submission
}
service submission-login {
  name = submission-login
  inet_listener submission {
    name = submission
  }
  inet_listener submissions {
    name = submissions
  }
}
passdb system {
  driver = passwd
  name = system
}
userdb system {
  driver = passwd
  name = system
}
namespace inbox {
  inbox = yes
  name = inbox
  mailbox Drafts {
    name = Drafts
    special_use = \Drafts
  }
  mailbox Junk {
    name = Junk
    special_use = \Junk
  }
  mailbox Trash {
    name = Trash
    special_use = \Trash
  }
  mailbox Sent {
    name = Sent
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    name = Sent Messages
    special_use = \Sent
  }
}
local_name hosta {
  ssl_cert = </home/catap/src/dovecot/local/etc/dovecot/hosta.pem
  ssl_key = # hidden, use -P to show it
}
local_name hostb {
  ssl_cert = </home/catap/src/dovecot/local/etc/dovecot/hostb.pem
  ssl_key = # hidden, use -P to show it
}
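The manual s_client test above, turned into a repeatable check; this is an added example, not code from the PR or from Dovecot. It assumes openssl(1) in PATH and an imaps listener at HOST:PORT (defaults mirror the test config above: 127.0.0.1:10993), and the expected CNs follow that config: generic.pem as the default, local_name blocks for hosta and hostb, and a hypothetical hostc with no block, which must fall back to the default certificate. The sample s_client output used to check the parser is constructed.

```shell
#!/bin/sh
# Added example, not code from the Dovecot PR: automates the manual
# "openssl s_client ... -servername" check by extracting the CN of the
# certificate the server presented for each SNI name and comparing it with
# what the local_name blocks in the config should select.
# Assumptions: openssl(1) in PATH and an imaps listener at HOST:PORT
# (defaults mirror the PR's test config: 127.0.0.1:10993).
HOST=${HOST:-127.0.0.1}
PORT=${PORT:-10993}

# Read `openssl s_client -showcerts` output on stdin and print the leaf
# certificate's CN. Handles the OpenSSL 3 subject format
# ("subject=C = XX, ..., CN = hosta") and the LibreSSL/OpenSSL 1.0 format
# ("subject=/C=XX/.../CN=hosta"); prints nothing if no subject line is seen.
# Chain entries (" 0 s:...") are indented, so only the leaf line matches.
served_cn() {
    sed -n '/^subject=/{s/.*CN *= *//;s|[,/].*$||;p;q;}'
}

# Connect with the given SNI name (empty string = no SNI extension at all,
# which must fall back to the default ssl_cert) and print the served CN.
cn_for_servername() {
    if [ -n "$1" ]; then
        printf 'a LOGOUT\n' | openssl s_client -crlf -showcerts \
            -connect "$HOST:$PORT" -servername "$1" 2>/dev/null | served_cn
    else
        printf 'a LOGOUT\n' | openssl s_client -crlf -showcerts \
            -connect "$HOST:$PORT" 2>/dev/null | served_cn
    fi
}

# Compare the served CN with the expectation; one PASS/FAIL line, exit 0/1.
check() {
    got=$(cn_for_servername "$1")
    if [ "$got" = "$2" ]; then
        echo "PASS servername='$1' -> CN=$got"
    else
        echo "FAIL servername='$1' -> CN='$got' (expected $2)"
        return 1
    fi
}

# Expectations follow the test config: generic.pem is the default,
# hosta/hostb have local_name blocks, hostc (hypothetical) has none.
main() {
    rc=0
    check ''    generic || rc=1
    check hosta hosta   || rc=1
    check hostb hostb   || rc=1
    check hostc generic || rc=1
    return $rc
}

# Only talk to the network when invoked as: sh sni_check.sh run
case "${1:-}" in run) main ;; esac
```

Invoke it as `sh sni_check.sh run` against the running Dovecot; the no-SNI and hostc cases are the ones worth watching on a LibreSSL build, since they exercise the default-certificate path that SSL_CTX_select_current_cert() is no longer called on.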
