Support building on OpenBSD #224

Open: wants to merge 7 commits into main
Conversation

@catap catap commented Sep 25, 2024

Here is some micro polish which allows building the main branch on OpenBSD 7.6 beta.

I haven't tested it a lot, but it definitely compiled :)


catap commented Sep 26, 2024

Well, I've tried to run it and discovered that dovecot can't start on OpenBSD and probably on non-Linux. It doesn't build and install imap-hibernate because of the condition:

AM_CONDITIONAL([BUILD_IMAP_HIBERNATE], [test "$notify" != kqueue -a "$notify" != none])

but it is included in src/config/all-settings.c.

So, when I try to run dovecot, it fails as:

Fatal: service(imap-hibernate) access(/home/catap/src/dovecot/local/libexec/dovecot/imap-hibernate) failed: No such file or directory

Thus, I have pushed some small polish, but I haven't tested that SNI works because I can't start it :(


cmouse commented Sep 26, 2024

you could just disable imap-hibernate? not sure why it even tries to start up though. do you have a service imap-hibernate block in your config?


catap commented Sep 26, 2024

you could just disable imap-hibernate? not sure why it even tries to start up though. do you have a service imap-hibernate block in your config?

I don't, but it is added via default settings :)

I’m making a way to exclude it, but it is a bit messy and I’m cleaning it right now.


catap commented Sep 26, 2024

I just pushed an updated version. It was tested with keys which were generated by the commands:

openssl req -x509 -newkey rsa:4096 -keyout generic.key -out generic.pem -sha256 -days 3650 -nodes -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=generic"
openssl req -x509 -newkey rsa:4096 -keyout hosta.key -out hosta.pem -sha256 -days 3650 -nodes -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=hosta"
openssl req -x509 -newkey rsa:4096 -keyout hostb.key -out hostb.pem -sha256 -days 3650 -nodes -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=hostb"

A test was:

openssl s_client -crlf -showcerts -connect 127.0.0.1:10993
openssl s_client -crlf -showcerts -connect 127.0.0.1:10993 -servername hosta
openssl s_client -crlf -showcerts -connect 127.0.0.1:10993 -servername hostb 

and confirmation that the right certificate is used.

The used config:

# 0.0.0-33328+17fb6744c9-dirty (c228f3c277): /home/catap/src/dovecot/local/etc/dovecot/dovecot.conf
# OS: OpenBSD 7.6 amd64  
# Hostname: localhost
dovecot_config_version = 2.4.0
default_internal_group = catap
default_internal_user = catap
default_login_user = catap
dovecot_storage_version = 2.4.0
ssl_cert = </home/catap/src/dovecot/local/etc/dovecot/generic.pem
ssl_key = # hidden, use -P to show it
service auth {
  name = auth
  unix_listener auth-userdb {
    path = auth-userdb
  }
}
service auth-worker {
  name = auth-worker
}
service dict {
  name = dict
  unix_listener dict {
    path = dict
  }
}
service imap {
  name = imap
}
service imap-login {
  name = imap-login
  inet_listener imap {
    name = imap
    port = 10143
  }
  inet_listener imaps {
    name = imaps
    port = 10993
    ssl = yes
  }
}
service lmtp {
  name = lmtp
  unix_listener lmtp {
    path = lmtp
  }
}
service pop3 {
  name = pop3
}
service pop3-login {
  name = pop3-login
  inet_listener pop3 {
    name = pop3
    port = 10110
  }
  inet_listener pop3s {
    name = pop3s
    port = 10995
    ssl = yes
  }
}
service submission {
  name = submission
}
service submission-login {
  name = submission-login
  inet_listener submission {
    name = submission
  }
  inet_listener submissions {
    name = submissions
  }
}
passdb system {
  driver = passwd
  name = system
}
userdb system {
  driver = passwd
  name = system
}
namespace inbox {
  inbox = yes
  name = inbox
  mailbox Drafts {
    name = Drafts
    special_use = \Drafts
  }
  mailbox Junk {
    name = Junk
    special_use = \Junk
  }
  mailbox Trash {
    name = Trash
    special_use = \Trash
  }
  mailbox Sent {
    name = Sent
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    name = Sent Messages
    special_use = \Sent
  }
}
local_name hosta {
  ssl_cert = </home/catap/src/dovecot/local/etc/dovecot/hosta.pem
  ssl_key = # hidden, use -P to show it
}
local_name hostb {
  ssl_cert = </home/catap/src/dovecot/local/etc/dovecot/hostb.pem
  ssl_key = # hidden, use -P to show it
}
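The three-certificate test described in the comment above, as an added shell script that is not part of the PR or of Dovecot: it regenerates the self-signed test certificates with the same openssl req parameters, then, when pointed at a listener via DOVECOT_ADDR, fetches the server's certificate with and without -servername and compares the leaf CN against the expected one instead of reading -showcerts output by hand. The CERTDIR, DOVECOT_ADDR and KEYBITS variables, the 2048-bit default key size and the helper names are this example's own choices; the listener is assumed to be configured like the dovecot.conf above (generic.pem as ssl_cert, hosta and hostb via local_name).

```shell
#!/bin/sh
# Added example for this thread, not code from the PR: regenerate the three
# self-signed test certificates and check which leaf certificate a TLS
# listener presents for a given SNI name. Hypothetical knobs: CERTDIR,
# DOVECOT_ADDR and KEYBITS.
set -eu

command -v openssl >/dev/null 2>&1 || { echo 'openssl not found' >&2; exit 1; }

SUBJ_PREFIX='/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName'
KEYBITS=${KEYBITS:-2048}   # the PR used rsa:4096; 2048 keeps regeneration quick

# gen_cert NAME DIR: self-signed certificate and key with CN=NAME, the same
# openssl req invocation as in the comment above apart from the key size.
gen_cert() {
    openssl req -x509 -newkey "rsa:$KEYBITS" -keyout "$2/$1.key" -out "$2/$1.pem" \
        -sha256 -days 3650 -nodes -subj "$SUBJ_PREFIX/CN=$1" 2>/dev/null
}

# leaf_cn: read the first PEM certificate on stdin and print its subject CN.
# RFC2253 ordering puts the CN first, so no guessing at field positions.
leaf_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

# served_cn HOST:PORT [SERVERNAME]: connect like the PR's s_client test lines
# and print the CN of the certificate the server chose. Without SERVERNAME
# no -servername is passed, which is the PR's first (generic) test case.
served_cn() {
    if [ $# -ge 2 ]; then
        openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$1" </dev/null 2>/dev/null
    fi | leaf_cn
}

# expect_cn HOST:PORT SERVERNAME EXPECTED_CN: one check; an empty SERVERNAME
# means "no SNI". Returns 1 on mismatch so the caller can fail the run.
expect_cn() {
    if [ -n "$2" ]; then got=$(served_cn "$1" "$2"); else got=$(served_cn "$1"); fi
    if [ "$got" = "$3" ]; then
        printf 'ok   sni=%-8s cn=%s\n' "${2:-(none)}" "$got"
    else
        printf 'FAIL sni=%-8s cn=%s expected=%s\n' "${2:-(none)}" "${got:-?}" "$3" >&2
        return 1
    fi
}

# Certificates go to CERTDIR if set (and are kept), otherwise to a scratch
# directory that is removed on exit.
certdir=${CERTDIR:-$(mktemp -d)}
[ -n "${CERTDIR:-}" ] || trap 'rm -rf "$certdir"' EXIT
mkdir -p "$certdir"
for name in generic hosta hostb; do
    gen_cert "$name" "$certdir"
done
printf 'generated %s\n' "$certdir"/*.pem

# Live checks run only when pointed at a listener configured like the
# dovecot.conf above: ssl_cert=generic.pem, local_name hosta/hostb.
if [ -n "${DOVECOT_ADDR:-}" ]; then
    status=0
    expect_cn "$DOVECOT_ADDR" ""    generic || status=1
    expect_cn "$DOVECOT_ADDR" hosta hosta   || status=1
    expect_cn "$DOVECOT_ADDR" hostb hostb   || status=1
    exit "$status"
fi
```

Run it once as CERTDIR=/path/to/dovecot/etc sh sni-check.sh to write the certificates where ssl_cert and the local_name blocks point, then, with Dovecot running, DOVECOT_ADDR=127.0.0.1:10993 sh sni-check.sh prints one ok/FAIL line per case and exits non-zero if any certificate is wrong. Comparing the CN rather than the whole PEM keeps the check valid after the certificates are regenerated.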


catap commented Oct 13, 2024

I have discovered one more edge case for OpenBSD which is already handled well for FreeBSD. I have added one more commit.

configure.ac Outdated
@@ -729,7 +729,7 @@ libdovecot_headers=
libdovecot_c_files=
non_libdovecot_headers=
non_libdovecot_c_files=
all_files=`find $srcdir/src -name '*.[[ch]]' | grep -v '/src/config/all-settings.c' | grep -v '/src/lib-settings/' | grep -v '/test-' | xargs grep '\\(struct setting_parser_info [[a-z]]\\)\\|\\(struct service_settings [[a-z]]\\)\\|\\(<settings checks>\\)' | sed 's/:.*//' | sort | uniq`
all_files=`find $srcdir/src -name '*.[[ch]]' | grep -v '/src/config/all-settings.c' | grep -v '/src/lib-settings/' | grep -v '/test-' | xargs egrep '(struct setting_parser_info [[a-z]])|(struct service_settings [[a-z]])|(<settings checks>)' | sed 's/:.*//' | sort | uniq`
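Review bot: the new all_files line still spells the ERE search as `egrep`, which GNU grep 3.8 and later flag as obsolescent with a warning on every run; `grep -E` is the portable form, and since this is configure.ac the cleaner fix is AC_PROG_GREP/AC_PROG_EGREP/AC_PROG_SED with `$GREP -E` (or `$EGREP`) and `$SED`, so configure picks a working implementation per platform. The old line fails on OpenBSD because `\|` alternation inside a basic regular expression is a GNU extension, which is why a switch to ERE is needed at all. Two smaller points on the same pipeline: `xargs grep PATTERN | sed 's/:.*//'` depends on grep prefixing every match with the file name, which it does not do when xargs hands it a single file, so `grep -l -E PATTERN` (names only, each once) is more robust and makes the sed unnecessary; and `sort | uniq` can simply be `sort -u`.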
Contributor


I remember reading somewhere egrep is going to be deprecated. Should use grep -E instead.

Author

After some thinking, the cleaner way is using $GREP, $EGREP and $SED and allowing configure to decide which should be used on this platform.

#ifdef HAVE_X25519
if (!IS_XD_CURVE(nid))
#endif
OPENSSL_free(pub_pt_hex);
@sirainen sirainen Oct 14, 2024


Isn't this going to complain because pub_pt_hex is a const pointer, or does OPENSSL_free() just cast it away? Anyway, perhaps nicer:

	const char *pub_pt_hex = NULL;
	char *pub_pt_hex_free = NULL;
...
		pub_pt_hex = pub_pt_hex_free =
			ec_key_get_pub_point_hex(EVP_PKEY_get0_EC_KEY(pub));
...
OPENSSL_free(pub_pt_hex_free);

Would also avoid the secondary ifdef/if checks.

Author

Indeed, it makes code cleaner.

@sirainen
Contributor

The commit titles also could use a bit of clarifying / making them more consistent with how we usually write them, but I could change them also at the end.

LibreSSL hasn't got SSL_CTX_select_current_cert and it was broken as a
side effect at 88da15b

LibreSSL doesn't implement any 448-bit curves, so some ifdef magic is
required to be able to build it on OpenBSD.

OpenBSD 7.6 won't have EVP_PKEY_check anymore, see:
openbsd/src@a8d73a0

LibreSSL hasn't got it, so binary_to_hex_ucase, which is the same
and is used for OpenSSL 3, is used here.

Also, grep is used for simple patterns and basic regular
expressions (BREs); egrep can handle extended regular
expressions (EREs). A pattern in the form 'a|b|c' requires ERE, and BRE
isn't enough for non-GNU grep.
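To make the BRE-versus-ERE point from the configure.ac review comments and from the last commit message above concrete, the following is an added shell script, not Dovecot's configure.ac: it rebuilds the settings-file discovery pipeline from that hunk with `grep -E` over a constructed miniature source tree (file names and contents made up for this example) and probes whether the local grep accepts GNU's `\|` alternation in a basic regular expression, which is what the pre-patch line silently relied on. `${GREP:-grep}` stands in for configure's substituted $GREP; `grep -l` and `sort -u` are this example's simplifications of the original `sed 's/:.*//' | sort | uniq` tail.

```shell
#!/bin/sh
# Added example, not Dovecot's configure.ac: the settings-file discovery
# pipeline from the hunk above, run with grep -E over a constructed miniature
# source tree, plus a probe for the GNU-only '\|' BRE alternation the old
# line relied on. ${GREP:-grep} stands in for configure's substituted $GREP.
set -eu

# The three alternatives configure.ac searches for; m4's doubled brackets
# [[a-z]] are plain [a-z] once the line reaches the shell.
SETTINGS_RE='(struct setting_parser_info [a-z])|(struct service_settings [a-z])|(<settings checks>)'

# settings_files SRCDIR: every *.c/*.h under SRCDIR that defines settings,
# minus the generated all-settings.c, lib-settings itself and test programs.
# grep -l prints each matching file name once, so no sed 's/:.*//' is needed
# and a batch of one file (where grep omits the name) cannot corrupt the list.
settings_files() {
    find "$1" -name '*.[ch]' |
        ${GREP:-grep} -v '/src/config/all-settings.c' |
        ${GREP:-grep} -v '/src/lib-settings/' |
        ${GREP:-grep} -v '/test-' |
        xargs ${GREP:-grep} -l -E "$SETTINGS_RE" |
        sort -u
}

# bre_alternation_works: succeeds when this grep treats '\|' in a basic
# regular expression as alternation (GNU grep) rather than as a literal.
bre_alternation_works() {
    printf 'b\n' | ${GREP:-grep} 'a\|b' >/dev/null 2>&1
}

# make_tree ROOT: constructed sample tree (made-up file names and contents).
make_tree() {
    mkdir -p "$1/src/config" "$1/src/lib-settings" "$1/src/lib-imap" "$1/src/imap-hibernate"
    # should be found
    printf 'struct setting_parser_info imap_setting_parser_info = {\n};\n' \
        > "$1/src/lib-imap/imap-settings.c"
    printf '/* <settings checks> */\n' > "$1/src/lib-imap/imap-settings.h"
    printf 'struct service_settings imap_hibernate_service_settings = {\n};\n' \
        > "$1/src/imap-hibernate/imap-hibernate-settings.c"
    # match the pattern but are excluded by path
    printf 'struct setting_parser_info all_settings = {\n};\n' > "$1/src/config/all-settings.c"
    printf 'struct setting_parser_info base = {\n};\n' > "$1/src/lib-settings/settings.c"
    printf 'struct service_settings t = {\n};\n' > "$1/src/lib-imap/test-imap-settings.c"
    # ordinary source file with no settings definition
    printf 'int imap_client_init(void);\n' > "$1/src/lib-imap/imap-client.c"
}

tree=$(mktemp -d)
trap 'rm -rf "$tree"' EXIT
make_tree "$tree"

echo "settings files under $tree/src:"
settings_files "$tree/src"
if bre_alternation_works; then
    printf '%s\n' "this grep accepts '\|' in a BRE (GNU); the old line would have worked here"
else
    printf '%s\n' "this grep does not do BRE alternation; grep -E is required"
fi
```

Running it on a Linux box and on OpenBSD shows the same three files from settings_files but opposite results from the BRE probe, which is the whole reason the commit switches the pattern to ERE.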

catap commented Oct 14, 2024

@sirainen the branch is rebased onto the latest main and I have reworked the affected commits as suggested in the review.

@catap catap requested a review from sirainen October 14, 2024 12:24

catap commented Oct 14, 2024

BTW I think that f8ac266 is worth backporting to 2.3 as well.
