On 2018/10/23 03:13, Joel Sing wrote:
> x11/freerdp currently reaches deep into libssl internals, in order to send
> TLS alerts. AFAIK OpenSSL 1.1 does not provide any way for TLS alerts to be
> triggered outside the library and freerdp's approach is to simply disable
> this code. Do the same thing for current LibreSSL, so that we can make
> these internals internal.
>
> ok?
OK. Alternatively I would also be happy to just remove the "|| defined(LIBRESSL_VERSION_NUMBER)". In that code block it says "Manually sending a TLS alert is necessary in certain cases, like when server-side NLA results in an authentication failure" - I don't think we have anything using the server-side functionality of freerdp's library so this is unlikely to affect us. There's a newer version upstream (ports update blocked as they now want timer_create()) - but they haven't changed this area.

> Index: Makefile > =================================================================== > RCS file: /cvs/ports/x11/freerdp/Makefile,v > retrieving revision 1.33 > diff -u -p -u -p -r1.33 Makefile > --- Makefile 14 Aug 2018 08:36:49 -0000 1.33 > +++ Makefile 22 Oct 2018 16:08:45 -0000 > @@ -6,7 +6,7 @@ BROKEN-hppa = undefined reference to __ > COMMENT = open source client for Windows Terminal Server > DISTNAME = freerdp-2.0.0-rc1 > PKGNAME = freerdp-2.0.0rc1 > -REVISION = 0 > +REVISION = 1 > CATEGORIES = x11 net > > SHARED_LIBS += freerdp-client2 0.0 # 2.0 > Index: patches/patch-libfreerdp_crypto_tls_c > =================================================================== > RCS file: patches/patch-libfreerdp_crypto_tls_c > diff -N patches/patch-libfreerdp_crypto_tls_c > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ patches/patch-libfreerdp_crypto_tls_c 22 Oct 2018 16:08:45 -0000
> @@ -0,0 +1,17 @@ > +$OpenBSD$ > + > +Stop reaching into libssl internals to send TLS alerts. > + > +Index: libfreerdp/crypto/tls.c > +--- libfreerdp/crypto/tls.c.orig > ++++ libfreerdp/crypto/tls.c > +@@ -1020,7 +1020,8 @@ BOOL tls_send_alert(rdpTls* tls) > + * FIXME: The following code does not work on OpenSSL > 1.1.0 because > the > + * SSL struct is opaqe now > + */ > +-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) > ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || \ > ++ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < > 0x2080000fL) > + > + if (tls->alertDescription != TLS_ALERT_DESCRIPTION_CLOSE_NOTIFY) > + { >
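Review bot: the new `#if` condition in the tls.c hunk leaves the FIXME comment directly above it stale, since that comment still says the code only fails on OpenSSL > 1.1.0 while LibreSSL 2.8.0 and later (LIBRESSL_VERSION_NUMBER >= 0x2080000fL) now skip the block as well; extend the comment to mention LibreSSL, and consider stating in the patch header after "Stop reaching into libssl internals to send TLS alerts." that tls_send_alert() no longer emits an alert on current LibreSSL, the same as on OpenSSL 1.1, so the behaviour change in the server-side NLA authentication-failure case quoted in the thread is documented in the port rather than silent.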