
Bug 750413

Summary: switching to libressl
Product: Gentoo Linux
Reporter: Alexandros C. Couloumbis <alex>
Component: Current packages
Assignee: Gentoo Linux bug wranglers <bug-wranglers>
Status: RESOLVED INVALID
Severity: normal
CC: alex, sam
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://wiki.gentoo.org/wiki/Project:LibreSSL
Whiteboard:
Package list:
Runtime testing required: ---
Attachments:
  emerge --info
  required package ebuild modifications

Description Alexandros C. Couloumbis 2020-10-20 11:15:27 UTC
switching to libressl still bumps into various issues, some reported here

Reproducible: Always

Steps to Reproduce:
1. on make.conf USE="libressl -openssl ssl"
2. on package.mask --> dev-libs/openssl
3. emerge -uDNp world
Actual Results:  
the following packages complain either or both for missing +openssl USE flag and/or dev-libs/openssl being masked (while dev-libs/libressl is installed)

dev-libs/apr-util/apr-util-1.6.1-r6
dev-libs/hiredis/hiredis-1.0.0
www-apache/mod_security/mod_security-2.9.1-r1
www-apache/mod_security/mod_security-2.9.3



the following changes fix the reported issues:

diff --git a/dev-libs/apr-util/apr-util-1.6.1-r6.ebuild b/dev-libs/apr-util/apr-util-1.6.1-r6.ebuild
index a30d4b805b28..882336dd90d7 100644
--- a/dev-libs/apr-util/apr-util-1.6.1-r6.ebuild
+++ b/dev-libs/apr-util/apr-util-1.6.1-r6.ebuild
@@ -16,7 +16,7 @@ SRC_URI="mirror://apache/apr/${P}.tar.bz2"
 LICENSE="Apache-2.0"
 SLOT="1"
 KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~mips ppc ppc64 ~s390 sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-IUSE="berkdb doc gdbm ldap libressl mysql nss odbc openssl postgres sqlite static-libs"
+IUSE="berkdb doc gdbm ldap libressl mysql nss odbc ssl postgres sqlite static-libs"
 #RESTRICT="test"
 
 RDEPEND="
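Review bot: Renaming `openssl` to `ssl` in IUSE is done in place on apr-util-1.6.1-r6.ebuild, which carries stable keywords (amd64, x86 and others), so any package that still depends on `dev-libs/apr-util[openssl]` stops resolving once this lands. Put the rename in a new revision and update every reverse dependency that names the old flag in the same change.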
@@ -31,7 +31,7 @@ RDEPEND="
 	) )
 	nss? ( dev-libs/nss )
 	odbc? ( dev-db/unixODBC )
-	openssl? (
+	ssl? (
 		!libressl? ( dev-libs/openssl:0= )
 		libressl? ( dev-libs/libressl )
 	)
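Review bot: Inside the renamed `ssl? ( ... )` group the `libressl? ( dev-libs/libressl )` branch has no slot operator while the OpenSSL branch uses `dev-libs/openssl:0=`, so a LibreSSL subslot change would not trigger a rebuild of apr-util. Since the group is being touched anyway, use `dev-libs/libressl:0=`, as the hiredis change in this same patch does.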
@@ -78,7 +78,7 @@ src_configure() {
 		$(use_with mysql)
 		$(use_with nss)
 		$(use_with odbc)
-		$(use_with openssl)
+		$(use_with ssl)
 		$(use_with postgres pgsql)
 		$(use_with sqlite sqlite3)
 	)
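Review bot: `$(use_with ssl)` expands to `--with-ssl` or `--without-ssl`, whereas the line it replaces passed `--with-openssl` or `--without-openssl`, so after the rename configure no longer receives the option it was given before. Keep the configure switch name by using the two-argument form that the next line already uses for postgres: `$(use_with ssl openssl)`.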
@@ -101,7 +101,7 @@ src_configure() {
 		myconf+=( --without-berkeley-db )
 	fi
 
-	if use nss || use openssl ; then
+	if use nss || use ssl ; then
 		myconf+=( --with-crypto ) # 518708
 	fi
 
diff --git a/dev-libs/hiredis/hiredis-1.0.0.ebuild b/dev-libs/hiredis/hiredis-1.0.0.ebuild
index d11dddc289cd..ec81c43b9ec8 100644
--- a/dev-libs/hiredis/hiredis-1.0.0.ebuild
+++ b/dev-libs/hiredis/hiredis-1.0.0.ebuild
@@ -16,7 +16,10 @@ IUSE="examples ssl static-libs test"
 RESTRICT="!test? ( test )"
 
 DEPEND="
-	ssl? ( dev-libs/openssl )
+	ssl? ( 
+			!libressl? ( dev-libs/openssl:0= )
+			libressl? ( dev-libs/libressl:0= )
+		)
 	test? ( dev-db/redis )"
 
 src_prepare() {
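Review bot: The added `!libressl?` and `libressl?` conditionals use a flag that is not declared, since the hunk header still shows `IUSE="examples ssl static-libs test"`; add `libressl` to IUSE in the same change. The added lines also leave a trailing space after `ssl? (` and use deeper indentation than the surrounding entries, and a dependency change like this belongs in a new revision rather than an in-place edit of hiredis-1.0.0.ebuild.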
diff --git a/www-apache/mod_security/mod_security-2.9.1-r1.ebuild b/www-apache/mod_security/mod_security-2.9.1-r1.ebuild
index eb214cbee1c6..6c1d28b64682 100644
--- a/www-apache/mod_security/mod_security-2.9.1-r1.ebuild
+++ b/www-apache/mod_security/mod_security-2.9.1-r1.ebuild
@@ -18,7 +18,8 @@ KEYWORDS="amd64 x86"
 IUSE="doc fuzzyhash geoip jit json lua mlogc"
 
 COMMON_DEPEND="dev-libs/apr
-	dev-libs/apr-util[openssl]
+	!libressl? ( dev-libs/openssl:0= )
+	libressl? ( dev-libs/libressl:0= )
 	dev-libs/libxml2
 	dev-libs/libpcre[jit?]
 	fuzzyhash? ( app-crypt/ssdeep )
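Review bot: Replacing `dev-libs/apr-util[openssl]` with a direct dependency on openssl or libressl drops the requirement that apr-util is built with its crypto support, which is a different constraint from having an SSL library installed. If the apr-util flag is renamed as in the first file of this patch, this line should follow it as `dev-libs/apr-util[ssl]`; if mod_security also links the SSL library directly, add the conditional lines in addition to the apr-util line, not instead of it.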
diff --git a/www-apache/mod_security/mod_security-2.9.3.ebuild b/www-apache/mod_security/mod_security-2.9.3.ebuild
index c7a7974d2d08..ae896dabb492 100644
--- a/www-apache/mod_security/mod_security-2.9.3.ebuild
+++ b/www-apache/mod_security/mod_security-2.9.3.ebuild
@@ -18,7 +18,8 @@ KEYWORDS="amd64 x86"
 IUSE="doc fuzzyhash geoip jit json lua mlogc"
 
 COMMON_DEPEND="dev-libs/apr
-	dev-libs/apr-util[openssl]
+	!libressl? ( dev-libs/openssl:0= )
+	libressl? ( dev-libs/libressl:0= )
 	dev-libs/libxml2
 	dev-libs/libpcre[jit?]
 	fuzzyhash? ( app-crypt/ssdeep )
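Review bot: `libressl` is used in the two added `COMMON_DEPEND` lines, but the `IUSE` line above them (`doc fuzzyhash geoip jit json lua mlogc`) does not declare it, so the conditionals reference an undeclared flag. Add `libressl` to IUSE, and keep a USE dependency on `dev-libs/apr-util` rather than deleting the line, since it was the only thing requiring apr-util's crypto support.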
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-20 11:17:48 UTC
Please file individual bugs for each, so we can assign to the right maintainers.
Comment 2 Alexandros C. Couloumbis 2020-10-20 11:18:59 UTC
Created attachment 667532 [details]
emerge --info
Comment 3 Alexandros C. Couloumbis 2020-10-20 11:19:58 UTC
Created attachment 667535 [details, diff]
required package ebuild modifications
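The dependency patterns behind the failures in the description can be checked mechanically. The following is an added example, not Portage code and not part of the bug report; `lint_openssl_deps` and its finding names are hypothetical, and the sample IUSE and dependency strings are abridged from the diff in the description.

```python
import re

def lint_openssl_deps(pkg, iuse, depend):
    """Flag dependency patterns that break on a libressl-only system.

    Simplified lint for illustration; it is not Portage's dependency parser.
    """
    findings, stack, pending, uses_libressl = [], [], "", False
    for tok in depend.split():            # parentheses are whitespace-separated
        if tok == "(":
            stack.append(pending)         # "" when the group is not USE-conditional
            pending = ""
        elif tok == ")":
            stack.pop()
        elif tok.endswith("?"):           # USE conditional: ssl? or !libressl?
            pending = tok
            uses_libressl |= tok.lstrip("!") == "libressl?"
        elif tok == "||" or tok.startswith("!"):
            continue                      # any-of marker or blocker atom
        else:
            name = re.split(r"[:\[]", tok.lstrip("<>=~"))[0]
            if re.fullmatch(r"dev-libs/openssl(-\d.*)?", name) and "!libressl?" not in stack:
                findings.append((pkg, "hard-openssl-dep", tok))
            usedep = re.search(r"\[([^\]]*)\]", tok)
            if usedep and "openssl" in usedep.group(1).split(","):
                findings.append((pkg, "forces-openssl-use-flag", tok))
    declared = {flag.lstrip("+-") for flag in iuse.split()}
    if uses_libressl and "libressl" not in declared:
        findings.append((pkg, "libressl-missing-from-iuse", "IUSE"))
    return findings

# Sample inputs: IUSE and dependency strings abridged from the diff in this bug.
SAMPLES = [
    ("apr-util (original)", "ldap libressl nss openssl",
     "openssl? ( !libressl? ( dev-libs/openssl:0= ) libressl? ( dev-libs/libressl ) )"),
    ("hiredis (original)", "examples ssl static-libs test",
     "ssl? ( dev-libs/openssl ) test? ( dev-db/redis )"),
    ("hiredis (patched)", "examples ssl static-libs test",
     "ssl? ( !libressl? ( dev-libs/openssl:0= ) libressl? ( dev-libs/libressl:0= ) ) "
     "test? ( dev-db/redis )"),
    ("mod_security (original)", "doc fuzzyhash geoip jit json lua mlogc",
     "dev-libs/apr dev-libs/apr-util[openssl] dev-libs/libxml2 dev-libs/libpcre[jit?]"),
]

def run_samples():
    return [f for sample in SAMPLES for f in lint_openssl_deps(*sample)]

if __name__ == "__main__":
    for pkg, kind, where in run_samples():
        print(f"{pkg}: {kind} ({where})")
```

The apr-util entry yields no finding because its original dependency already selects LibreSSL when `libressl` is set; the conflict there comes from mod_security requiring `apr-util[openssl]` while the `openssl` flag is disabled globally.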
Comment 4 Alexandros C. Couloumbis 2020-10-20 11:31:58 UTC
(In reply to Sam James from comment #1)
> Please file individual bugs for each, so we can assign to the right
> maintainers.

I am afraid (IMHO), this is NOT the optimal way to approach the openssl --> libressl migration chronic problems, since, depending on various different system setups, such issues may well bump every now & then

so, this BUG report, is an attempt to have a centralized BUG report on the openssl --> libressl migration process (https://wiki.gentoo.org/wiki/Project:LibreSSL)


please kindly reconsider the validity of this BUG report


with kind regards
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-20 11:35:04 UTC
(In reply to Alexandros C. Couloumbis from comment #4)
> (In reply to Sam James from comment #1)
> > Please file individual bugs for each, so we can assign to the right
> > maintainers.
> 
> I am afraid (IMHO), this is NOT the optimal way to approach the openssl -->
> libressl migration chronic problems, since, depending on various different
> system setups, such issues may well bump every now & then
> 

We still need individual bugs per package to put the patches in and figure out any issues.

> so, this BUG report, is an attempt to have a centralized BUG report on the
> openssl --> libressl migration process
> (https://wiki.gentoo.org/wiki/Project:LibreSSL)

We already have this: bug 561854.
Comment 6 Alexandros C. Couloumbis 2020-11-27 08:42:47 UTC
another one bites the dust

Failed to emerge dev-lang/php-7.4.13

/extra/tmp/portage/dev-lang/php-7.4.13/work/sapis-build/embed/ext/openssl/openssl.c: In function ‘php_openssl_load_cipher_mode’:
/extra/tmp/portage/dev-lang/php-7.4.13/work/sapis-build/embed/ext/openssl/openssl.c:6501:8: error: ‘EVP_CIPH_OCB_MODE’ undeclared (first use in this function); did you mean ‘EVP_CIPH_OFB_MODE’?
 6501 |   case EVP_CIPH_OCB_MODE:
      |        ^~~~~~~~~~~~~~~~~
      |        EVP_CIPH_OFB_MODE
/extra/tmp/portage/dev-lang/php-7.4.13/work/sapis-build/embed/ext/openssl/openssl.c:6501:8: note: each undeclared identifier is reported only once for each function it appears in
/extra/tmp/portage/dev-lang/php-7.4.13/work/sapis-build/embed/ext/openssl/openssl.c:6509:30: error: ‘EVP_CTRL_AEAD_GET_TAG’ undeclared (first use in this function); did you mean ‘EVP_CTRL_CCM_GET_TAG’?
 6509 |    mode->aead_get_tag_flag = EVP_CTRL_AEAD_GET_TAG;
      |                              ^~~~~~~~~~~~~~~~~~~~~
      |                              EVP_CTRL_CCM_GET_TAG
/extra/tmp/portage/dev-lang/php-7.4.13/work/sapis-build/embed/ext/openssl/openssl.c:6510:30: error: ‘EVP_CTRL_AEAD_SET_TAG’ undeclared (first use in this function); did you mean ‘EVP_CTRL_GCM_SET_TAG’?
 6510 |    mode->aead_set_tag_flag = EVP_CTRL_AEAD_SET_TAG;
      |                              ^~~~~~~~~~~~~~~~~~~~~
      |                              EVP_CTRL_GCM_SET_TAG
/extra/tmp/portage/dev-lang/php-7.4.13/work/sapis-build/embed/ext/openssl/openssl.c:6511:28: error: ‘EVP_CTRL_AEAD_SET_IVLEN’ undeclared (first use in this function); did you mean ‘EVP_CTRL_GCM_SET_IVLEN’?
 6511 |    mode->aead_ivlen_flag = EVP_CTRL_AEAD_SET_IVLEN;
      |                            ^~~~~~~~~~~~~~~~~~~~~~~
      |                            EVP_CTRL_GCM_SET_IVLEN

searching the net, looks like this is an upstream (php) issue against libressl support (is this politics?)

still the whole issue of migrating from openssl to libressl is getting quite aggravating

I will open a specific php ticket, but I insist that we do need a libressl centralized BUG space (I would like to avoid reverting my libressl migration back to openssl, but this is crazy)