On Fri, May 03 2019, Remi Locherer <[email protected]> wrote: > Hi porters > > This updates librelp to version 1.4.0. It now supports OpenSSL and GNUtls. > > I verified that rsyslog from ports still works with this (imrelp and omrelp). > > Please have a look at my patch for tcp.c. Is this a good way to deal with > LibreSSL not supporting @SECLEVEL?
I think it's fine. No need to spread the "!defined(LIBRESSL_VERSION_NUMBER)" disease. > Comments/OKs? As noted by Antoine the python version shouldn't be hardcoded. Here's a proposal which: - removes gnutls from TEST_DEPENDS (LIB_DEPENDS is enough) - adds coreutils to TEST_DEPENDS for gtimeout, so that the *abort* tests aren't skipped - uses MODPY_RUN_DEPENDS and MODPY_BIN from the python module instead of hardcoding the python path and version. We could have used MODPY_ADJ_FILES=tests/*.py but tests/test-framework.sh would have needed patching anyway. - use python2, needed by tests/dummyserver.py (previously SKIPPED because of the lack of "timeout" command) - moves the /bin/bash handling to post-extract so that update-patches doesn't create bogus patches Note that you could also add a TEST_DEPENDS on sysutils/ggrep instead of patching tests/tls-wrong-signedcert.sh. The major bump is warranted (symbols have been removed) and the update looks good ports-wise.
Index: Makefile
===================================================================
RCS file: /cvs/ports/sysutils/librelp/Makefile,v
retrieving revision 1.13
diff -u -p -r1.13 Makefile
--- Makefile 13 Aug 2018 22:07:13 -0000 1.13
+++ Makefile 3 May 2019 18:54:10 -0000
@@ -2,9 +2,9 @@
 COMMENT = reliable event logging protocol library
-DISTNAME = librelp-1.2.16
+DISTNAME = librelp-1.4.0
-SHARED_LIBS += relp 2.0 # 4.0
+SHARED_LIBS += relp 3.0 # 5.0
 CATEGORIES = sysutils
@@ -16,20 +16,30 @@ MAINTAINER = Remi Locherer <remi@openbsd
 PERMIT_PACKAGE_CDROM = Yes
 WANTLIB = ffi gmp gnutls hogweed iconv idn2 intl nettle p11-kit pthread
-WANTLIB += tasn1 unistring z
+WANTLIB += tasn1 unistring crypto ssl
 MASTER_SITES = http://download.rsyslog.com/librelp/
-LIB_DEPENDS = security/gnutls
+MODULES = lang/python
+MODPY_BUILDDEP = No
+MODPY_RUNDEP = No
+MODPY_VERSION = ${MODPY_DEFAULT_VERSION_2}
+LIB_DEPENDS = security/gnutls
 TEST_DEPENDS = shells/bash \
- ${LIB_DEPENDS}
+ sysutils/coreutils \
+ ${MODPY_RUN_DEPENDS}
 SEPARATE_BUILD = Yes
 CONFIGURE_STYLE = gnu
+CONFIGURE_ARGS = --disable-valgrind
-pre-test:
+post-extract:
 sed -i s,#!/bin/bash,#!${LOCALBASE}/bin/bash, ${WRKSRC}/tests/*.sh
+
+pre-test:
+ ln -sf ${MODPY_BIN} ${WRKDIR}/bin/python
+ ln -sf ${LOCALBASE}/bin/gtimeout ${WRKDIR}/bin/timeout
 .include <bsd.port.mk>
Index: distinfo
===================================================================
RCS file: /cvs/ports/sysutils/librelp/distinfo,v
retrieving revision 1.6
diff -u -p -r1.6 distinfo
--- distinfo 13 Aug 2018 22:07:13 -0000 1.6
+++ distinfo 3 May 2019 18:54:10 -0000
@@ -1,2 +1,2 @@
-SHA256 (librelp-1.2.16.tar.gz) = DCNd0qAQYK1eZEOIebMa5k52QNDiYqoaKHot2bxg/VM=
-SIZE (librelp-1.2.16.tar.gz) = 474456
+SHA256 (librelp-1.4.0.tar.gz) = XNAs5+3i/qA35lzFOJ5B3embabHfmEtCwUAp5gu53QU=
+SIZE (librelp-1.4.0.tar.gz) = 519235
Index: patches/patch-src_tcp_c
===================================================================
RCS file: patches/patch-src_tcp_c
diff -N patches/patch-src_tcp_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_tcp_c 3 May 2019 18:54:10 -0000
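Review bot: Nothing in the second Makefile hunk records that the python module and coreutils are pulled in for the regression tests only, which is why `MODPY_BUILDDEP` and `MODPY_RUNDEP` are both set to `No`. A comment above `MODULES = lang/python` such as `# python2 and gtimeout are only used by the test suite` would keep a later cleanup from dropping those two settings or moving the dependency. The new `pre-test` target would also benefit from `# tests call plain "python" and "timeout"; provide them via ${WRKDIR}/bin`, since the symlinks only help if that directory is on PATH while the tests run, which the hunk does not show.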
@@ -0,0 +1,22 @@
+$OpenBSD$
+
+LibreSSL has no support for @SECLEVEL
+
+Index: src/tcp.c
+--- src/tcp.c.orig
++++ src/tcp.c
+@@ -1183,14 +1183,8 @@ relpTcpTLSSetPrio_ossl(relpTcp_t *const pThis)
+ /* Compute priority string (in simple cases where the user does not care...) */
+ if(pThis->pristring == NULL) {
+ if (pThis->authmode == eRelpAuthMode_None) {
+- #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+- /* NOTE: do never use: +eNULL, it DISABLES encryption! */
+- strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL@SECLEVEL=0",
+- sizeof(pristringBuf));
+- #else
+ strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL",
+ sizeof(pristringBuf));
+- #endif
+ } else {
+ strncpy(pristringBuf, "DEFAULT", sizeof(pristringBuf));
+ }
Index: patches/patch-tests_tls-wrong-signedcert_sh
===================================================================
RCS file: patches/patch-tests_tls-wrong-signedcert_sh
diff -N patches/patch-tests_tls-wrong-signedcert_sh
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-tests_tls-wrong-signedcert_sh 3 May 2019 18:54:10 -0000
@@ -0,0 +1,15 @@
+$OpenBSD$
+
+Index: tests/tls-wrong-signedcert.sh
+--- tests/tls-wrong-signedcert.sh.orig
++++ tests/tls-wrong-signedcert.sh
+@@ -7,6 +7,7 @@ echo 'Send Message...'
+ ./send $TLSLIB -t 127.0.0.1 -p $TESTPORT -m "testmessage" -T -a "name" -x ${srcdir}/tls-certs/ca.pem -y ${srcdir}/tls-certs/cert.pem -z ${srcdir}/tls-certs/key.pem -P 'server.testbench.rsyslog.com' --errorfile $TESTDIR/error.out.log $OPT_VERBOSE
+
+ stop_receiver
+-# Perform multiline GREP with -z
+-check_output "authentication error.*signed certificate in certificate chain" $TESTDIR/error.out.log -z
++tr -d '\n' < $TESTDIR/error.out.log > $TESTDIR/error.out.log.x
++mv -f $TESTDIR/error.out.log.x $TESTDIR/error.out.log
++check_output "authentication error.*signed certificate in certificate chain" $TESTDIR/error.out.log
+ terminate
-- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
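Review bot: The patch header `LibreSSL has no support for @SECLEVEL` gives neither the reason the upstream `#if OPENSSL_VERSION_NUMBER >= 0x10100000L` guard picks the wrong branch nor what the surviving cipher string means for security. LibreSSL reports `OPENSSL_VERSION_NUMBER` as 0x20000000L, so the header could read `LibreSSL defines OPENSSL_VERSION_NUMBER as 0x20000000L but has no @SECLEVEL; always use the pre-1.1.0 cipher string`. The kept `ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL` list is reached only when `authmode == eRelpAuthMode_None` and enables anonymous key exchange, so that mode encrypts without authenticating the peer. The upstream warning `/* NOTE: do never use: +eNULL, it DISABLES encryption! */` is deleted with the branch and is worth keeping above the remaining `strncpy`. The declaration of `pristringBuf` and the rest of relpTcpTLSSetPrio_ossl lie outside the hunk, so whether `strncpy(..., sizeof(pristringBuf))` always leaves the buffer NUL-terminated cannot be confirmed from here.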
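Review bot: The added `tr`/`mv` pair replaces `$TESTDIR/error.out.log` with a newline-stripped copy, so the original multi-line error log is lost when this TLS authentication test fails and someone has to read it. If `check_output` (defined outside the hunk) only searches the named file, dropping the `mv -f` line and checking the copy keeps the log intact: `check_output "authentication error.*signed certificate in certificate chain" $TESTDIR/error.out.log.x`. Unlike patch-src_tcp_c, this patch file has no explanatory line after `$OpenBSD$`; something like `Avoid grep -z; flatten the log so the multi-line match works` would record the intent, which is inferred here from the removed `-z` argument.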
