openssl 1.1.1 minor patches to build on SCO OpenServer 5.0.7

Matt Caswell matt at openssl.org
Mon May 16 08:57:56 UTC 2022 

Hi Kevin,

The patch in s_socket.c is likely to be acceptable. It looks reasonable 
to me, it may well be useful on other systems and can probably be 
described as a bug fix.

The other changes require the new OPENSSL_SYS_SCO5 define and are 
essentially adding support for a new platform into the codebase.

We have a couple of policies which describe acceptable changes in this area.

Our platform policy says:

"Support for a new platform should only be added if it is being adopted 
as a primary, secondary or community platform."

https://www.openssl.org/policies/platformpolicy.html

Essentially this means that someone has to volunteer to be a community 
maintainer of the platform moving forwards, i.e. they are the contact 
point for any bug fixes/problems that may arise on that platform. You 
don't need to be a committer on the project to be a platform maintainer.

You are proposing updates to an existing stable branch (1.1.1) - as 
opposed to the latest dev branch (master). 1.1.1 also happens to be a 
Long Term Support (LTS) release. In that case our Stable Release Updates 
Policy applies which says this about new platforms:

"The addition of new platforms to LTS branches is acceptable so long as 
the required changes consist solely of additions to configuration."

https://www.openssl.org/policies/technical/stable-release-updates.html

In this case the changes are more than just configuration changes - they 
actually require code changes. Therefore they will not be acceptable on 
the 1.1.1 branch.

If the changes were only on the master branch (and therefore the stable 
release updates policy does not apply) then the changes are likely to be 
acceptable assuming that there is a volunteer to be the community 
maintainer. That's all subject to the standard PR review process of course.


Matt


On 13/05/2022 17:54, Kevin R. Bulgrien wrote:
> It was necessary to apply 5 minor patches to openssl 1.1.1n to build it for
> SCO OpenServer 5.0.7.  One patch fixing a missing #ifdef AF_INET6 is
> already applied to current development for this base version.
> 
> The reason for the build is to get TLS1.3 capability on an ancient system.
> As it is well-known that TLS1.3 is not going to fix the security issues
> on SCO OpenServer 5.0.7, so there's likly no real value to opening a
> discussion on that matter.
> 
> Is the project interested in receiving the patches?  The curl project has
> accepted various patches against SCO OpenServer 5.0.7 for similar issues.
> 
> To pull this off, it was necessary to build perl 5.10.1.  At the moment,
> all tests are broken (probably requiring some perl modules needed to
> support them).  That should be doable, as builds of latest revisions of
> of many CPAN perl modules related to build and test have successfully
> built for perl 5.8.8 on this system.
> 
> The main challenge left to resolve is to build an entropy source for the
> system (probably EGD), but, informal tests seem to show that TLS1.3 is
> functional after using a Configure command like:
> 
>           ./Configure \
>             --prefix="${PKG_PRFX}" \
>             --openssldir="${PKG_PRFX}/openssl" \
>             sco5-gcc \
>             no-threads \
>             no-asm \
>             no-comp \
>             shared \
>             -D_REENTRANT \
>             PERL=/usr/local/bin/perl \
>             HASHBANGPERL=/usr/local/bin/perl
> 
> The test involved creating a random number source file from another
> system's /dev/urandom, and then using it in lieu of a local entropy
> source.
> 
> $ scp $APP:rnd1 .
> 
> Proof-of-concept, as this is unfamiliar territory, was to test with
> the SCO-provided openssl:
> 
> $ openssl s_client -crlf -rand rnd1 -connect tls13.cloudflare.com:443
> ...
> 5120 semi-random bytes loaded
> CONNECTED(00000003)
> ...
> SSL-Session:
>      Protocol  : TLSv1
>      Cipher    : AES128-SHA
> ...
> 
> Apparently some DNS issues are left to resolve in the new build also,
> but using an IP address:
> 
> $ uname -mrsv
> SCO_SV 3.2 5.0.7 i386
> 
> $ ./apps/openssl version -b -f -o -p -r -v
> OpenSSL 1.1.1n  15 Mar 2022
> built on: Fri May 13 04:28:57 2022 UTC
> platform: sco5-gcc
> options:  bn(64,32) rc4(int) des(long) idea(int) blowfish(ptr)
> compiler: gcc -fPIC -O3 -fomit-frame-pointer  -DOPENSSL_PIC -DNDEBUG -D_REENTRANT
> Seeding source: os-specific
> 
> $ ./apps/openssl s_client -crlf -rand rnd1 -connect 104.16.132.229:443
> CONNECTED(00000003)
> ...
> SSL-Session:
>      Protocol  : TLSv1.3
>      Cipher    : TLS_AES_256_GCM_SHA384
> ...
> 
> All patches are trivial and all but the define OPENSSL_SYS_SCO5 and SHUT_*
> patches piggy back onto other #ifdefs, so it seems somewhat reasonable to
> think they might be acceptable for a merge.
> 
> A synopsis of the patches:
> 
> ---------------------------------------------------------------------------
> openssl-1.1.1n-i686-pc-sco3.2v5.0.7-1.patch
>    #ifdef AF_INET6
> ---------------------------------------------------------------------------
> 
> --- openssl-1.1.1n/apps/s_socket.c.orig 2022-03-15 09:37:47.000000000 -0500
> +++ openssl-1.1.1n/apps/s_socket.c      2022-04-26 22:05:51.000000000 -0500
> @@ -160,7 +160,9 @@
>       if (*sock == INVALID_SOCKET) {
>           if (bindaddr != NULL && !found) {
>               BIO_printf(bio_err, "Can't bind %saddress for %s%s%s\n",
> +#ifdef AF_INET6
>                          BIO_ADDRINFO_family(res) == AF_INET6 ? "IPv6 " :
> +#endif
>                          BIO_ADDRINFO_family(res) == AF_INET ? "IPv4 " :
>                          BIO_ADDRINFO_family(res) == AF_UNIX ? "unix " : "",
>                          bindhost != NULL ? bindhost : "",
> @@ -239,6 +241,7 @@
>       sock_protocol = BIO_ADDRINFO_protocol(res);
>       sock_address = BIO_ADDRINFO_address(res);
>       next = BIO_ADDRINFO_next(res);
> +#ifdef AF_INET6
>       if (sock_family == AF_INET6)
>           sock_options |= BIO_SOCK_V6_ONLY;
>       if (next != NULL
> @@ -257,6 +260,7 @@
>               sock_options &= ~BIO_SOCK_V6_ONLY;
>           }
>       }
> +#endif
> 
>       asock = BIO_socket(sock_family, sock_type, sock_protocol, 0);
>       if (asock == INVALID_SOCKET && sock_family_fallback != AF_UNSPEC) {
> 
> ---------------------------------------------------------------------------
> openssl-1.1.1n-i686-pc-sco3.2v5.0.7-2.patch
>    define OPENSSL_SYS_SCO5
> ---------------------------------------------------------------------------
> 
> --- openssl-1.1.1n/include/openssl/e_os2.h.orig 2022-03-15 09:37:47.000000000 -0500
> +++ openssl-1.1.1n/include/openssl/e_os2.h      2022-04-27 06:39:40.000000000 -0500
> @@ -119,6 +119,9 @@
>   #  if defined(_AIX) && !defined(OPENSSL_SYS_AIX)
>   #   define OPENSSL_SYS_AIX
>   #  endif
> +#  if defined(_SCO_DS) && !defined(OPENSSL_SYS_SCO5)
> +#   define OPENSSL_SYS_SCO5
> +#  endif
>   # endif
> 
>   /* -------------------------------- VOS ----------------------------------- */
> 
> ---------------------------------------------------------------------------
> openssl-1.1.1n-i686-pc-sco3.2v5.0.7-3.patch
>   typedef unsigned int socklen_t;
> ---------------------------------------------------------------------------
> 
> --- openssl-1.1.1n/crypto/bio/bio_local.h.orig  2022-03-15 09:37:47.000000000 -0500
> +++ openssl-1.1.1n/crypto/bio/bio_local.h       2022-04-26 22:20:18.000000000 -0500
> @@ -134,7 +134,7 @@
>   };
> 
>   #ifndef OPENSSL_NO_SOCK
> -# ifdef OPENSSL_SYS_VMS
> +# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_SCO5)
>   typedef unsigned int socklen_t;
>   # endif
> 
> openssl-1.1.1n-i686-pc-sco3.2v5.0.7-4.patch
>    he_fallback_address, *he_fallback_addresses[]
> 
> --- openssl-1.1.1n/crypto/bio/b_addr.c.orig     2022-03-15 09:37:47.000000000 -0500
> +++ openssl-1.1.1n/crypto/bio/b_addr.c  2022-04-26 22:25:32.000000000 -0500
> @@ -744,7 +744,7 @@
>   # pragma pointer_size 32
>   #endif
>           /* Windows doesn't seem to have in_addr_t */
> -#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
> +#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_SCO5)
>           static uint32_t he_fallback_address;
>           static const char *he_fallback_addresses[] =
>               { (char *)&he_fallback_address, NULL };
> 
> ---------------------------------------------------------------------------
> openssl-1.1.1n-i686-pc-sco3.2v5.0.7-5.patch
>    SHUT_RD, SHUT_WR, SHUT_RDWR
> ---------------------------------------------------------------------------
> 
> --- openssl-1.1.1n/apps/ocsp.c.orig     2022-03-15 09:37:47.000000000 -0500
> +++ openssl-1.1.1n/apps/ocsp.c  2022-04-26 22:35:40.000000000 -0500
> @@ -64,6 +64,22 @@
>   # define LOG_ERR       2
>   #endif
> 
> +/*
> + * shutdown() flags for systems that don't define them
> + */
> +
> +#ifndef SHUT_RD
> +#define SHUT_RD 0x00
> +#endif
> +
> +#ifndef SHUT_WR
> +#define SHUT_WR 0x01
> +#endif
> +
> +#ifndef SHUT_RDWR
> +#define SHUT_RDWR 0x02
> +#endif
> +
>   #if defined(OPENSSL_SYS_VXWORKS)
>   /* not supported */
>   int setpgid(pid_t pid, pid_t pgid)
> 
> ---------------------------------------------------------------------------
> 
> I have made a branch on github, so that's how I know the first patch is not
> needed.  Feedback?
> 
> --
> 
> Kevin R. Bulgrien
>

More information about the openssl-users mailing list