From 2ff929235d586c3e9cb56dd4982a84b570987a26 Mon Sep 17 00:00:00 2001 From: Jim Klimov Date: Sun, 15 Nov 2020 00:30:41 +0100 Subject: [PATCH 1/6] m4/nut_check_libnetsnmp.m4: pick correct bitness net-snmp-config-{32,64} script if available --- m4/nut_check_libnetsnmp.m4 | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/m4/nut_check_libnetsnmp.m4 b/m4/nut_check_libnetsnmp.m4 index 83b26330b7..be6e51e6da 100644 --- a/m4/nut_check_libnetsnmp.m4 +++ b/m4/nut_check_libnetsnmp.m4 @@ -13,8 +13,15 @@ if test -z "${nut_have_libnetsnmp_seen}"; then CFLAGS_ORIG="${CFLAGS}" LIBS_ORIG="${LIBS}" - dnl By default seek in PATH - NET_SNMP_CONFIG=net-snmp-config + dnl By default seek in PATH, but which variant (if several are provided)? + AC_CHECK_SIZEOF([void *]) + AS_CASE(["${ac_cv_sizeof_void_p}"], + [4],[NET_SNMP_CONFIG=net-snmp-config-32], + [8],[NET_SNMP_CONFIG=net-snmp-config-64] + ) + AS_IF([test -n "${NET_SNMP_CONFIG}" && test -n "`command -v "${NET_SNMP_CONFIG}"`"], + [], [NET_SNMP_CONFIG=net-snmp-config]) + AC_ARG_WITH(net-snmp-config, AS_HELP_STRING([@<:@--with-net-snmp-config=/path/to/net-snmp-config@:>@], [path to program that reports Net-SNMP configuration]), From fff0650bba511eeffea3239be9747cc2301bc605 Mon Sep 17 00:00:00 2001 From: Jim Klimov Date: Sun, 15 Nov 2020 00:54:08 +0100 Subject: [PATCH 2/6] ci_build.sh : enable SSL build variants of "default-all-errors" with both OpenSS and Mozilla NSS --- ci_build.sh | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/ci_build.sh b/ci_build.sh index 181d071298..40bc9c138a 100755 --- a/ci_build.sh +++ b/ci_build.sh @@ -282,7 +282,9 @@ default|default-alldrv|default-all-errors|default-spellcheck|default-shellcheck| sudo dpkg -r --force all pkg-config fi - configure_nut + if [ "$BUILD_TYPE" != "default-all-errors" ] ; then + configure_nut + fi case "$BUILD_TYPE" in "default-tgt:"*) # Hook for matrix of custom distchecks primarily 
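Review bot: In m4/nut_check_libnetsnmp.m4, the new `AS_IF` probe nests double quotes inside a backquoted command inside double quotes (`"`command -v "${NET_SNMP_CONFIG}"`"`), a form the Autoconf shell-portability notes warn that some shells parse incorrectly. Testing the exit status avoids both the nesting and the captured output: `AS_IF([test -n "${NET_SNMP_CONFIG}" && command -v "${NET_SNMP_CONFIG}" >/dev/null 2>&1],`. `AS_CASE` also has no default arm, so when the pointer size is neither 4 nor 8 a `NET_SNMP_CONFIG` inherited from the environment would be tested and kept; a final `[NET_SNMP_CONFIG=""]` argument makes the fallback to `net-snmp-config` deterministic. The enclosing `if test -z "${nut_have_libnetsnmp_seen}"` block continues outside the hunk.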
@@ -326,7 +328,26 @@ default|default-alldrv|default-all-errors|default-spellcheck|default-shellcheck| ;; "default-all-errors") RES=0 - build_to_only_catch_errors || RES=$? + if pkg-config --exists nss && pkg-config --exists openssl ; then + # Try builds for both cases as they are ifdef-ed + + echo "=== Building with SSL=openssl..." + ( CONFIG_OPTS+=("--with-openssl") + configure_nut + build_to_only_catch_errors ) || RES=$? + + echo "=== Clean the sandbox..." + make distclean -k || true + + echo "=== Building with SSL=nss..." + ( CONFIG_OPTS+=("--with-nss") + configure_nut + build_to_only_catch_errors ) || RES=$? + else + # Build what we can configure + configure_nut + build_to_only_catch_errors || RES=$? + fi exit $RES ;; esac From ba4b3eb0045770f0475f617da3078a5a9e25fa00 Mon Sep 17 00:00:00 2001 From: Jim Klimov Date: Sun, 15 Nov 2020 01:02:28 +0100 Subject: [PATCH 3/6] nut_check_libnss.m4 : warn that nss.pc is more sensitive to matching PKG_CONFIG_PATH and build bitness than others --- m4/nut_check_libnss.m4 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/m4/nut_check_libnss.m4 b/m4/nut_check_libnss.m4 index 7fed727d3f..52f438fb75 100644 --- a/m4/nut_check_libnss.m4 +++ b/m4/nut_check_libnss.m4 @@ -59,6 +59,10 @@ if test -z "${nut_have_libnss_seen}"; then AC_MSG_RESULT([${LIBS}]) dnl check if NSS is usable: we need both the runtime and headers + dnl NOTE that caller may have to specify PKG_CONFIG_PATH including + dnl their bitness variant if it is not prioritized in their default + dnl setting built in by OS distribution; the .../pkgconfig/nss.pc + dnl tends to specify the libdir which is CPU Arch dependent. AC_CHECK_FUNCS(NSS_Init, [nut_have_libnss=yes], [nut_have_libnss=no]) dnl libc6 also provides an nss.h file, so also check for ssl.h AC_CHECK_HEADERS([nss.h ssl.h], [], [nut_have_libnss=no], [AC_INCLUDES_DEFAULT]) From fd2a0d122448a23c503a125ef3936eea650e7a3f Mon Sep 17 00:00:00 2001 
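Review bot: In the `default-all-errors` branch of ci_build.sh, each subshell runs `configure_nut` and then `build_to_only_catch_errors` as the left operand of `||`, so errexit (if the script enables it; not visible here) is suppressed inside the subshell. Unless `configure_nut` exits on its own, a failed configure is followed by a build, and only the build's status reaches `RES`. Chaining the two steps makes a configure failure count: `configure_nut && build_to_only_catch_errors ) || RES=$?`. It would also help to `echo` a line when the dual-backend path is skipped because `pkg-config --exists` failed for nss or openssl, so a CI image missing one library does not silently lose coverage of one TLS backend.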
From: Jim Klimov Date: Sun, 15 Nov 2020 01:05:38 +0100 Subject: [PATCH 4/6] clients/upsclient.c: mark up NUT_UNUSED_VARIABLEs for build with Mozilla NSS --- clients/upsclient.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/clients/upsclient.c b/clients/upsclient.c index 456f202730..6779d32c75 100644 --- a/clients/upsclient.c +++ b/clients/upsclient.c @@ -199,6 +199,9 @@ static int ssl_error(SSL *ssl, int ret) static char *nss_password_callback(PK11SlotInfo *slot, PRBool retry, void *arg) { + NUT_UNUSED_VARIABLE(retry); + NUT_UNUSED_VARIABLE(arg); + upslogx(LOG_INFO, "Intend to retrieve password for %s / %s: password %sconfigured", PK11_GetSlotName(slot), PK11_GetTokenName(slot), nsscertpasswd?"":"not "); return nsscertpasswd ? PL_strdup(nsscertpasswd) : NULL; @@ -233,6 +236,10 @@ static SECStatus AuthCertificateDontVerify(CERTCertDBHandle *arg, PRFileDesc *fd PRBool checksig, PRBool isServer) { UPSCONN_t *ups = (UPSCONN_t *)SSL_RevealPinArg(fd); + NUT_UNUSED_VARIABLE(arg); + NUT_UNUSED_VARIABLE(checksig); + NUT_UNUSED_VARIABLE(isServer); + upslogx(LOG_INFO, "Do not intend to authenticate server %s", ups?ups->host:""); return SECSuccess; @@ -241,6 +248,8 @@ static SECStatus AuthCertificateDontVerify(CERTCertDBHandle *arg, PRFileDesc *fd static SECStatus BadCertHandler(UPSCONN_t *arg, PRFileDesc *fd) { HOST_CERT_t* cert; + NUT_UNUSED_VARIABLE(fd); + upslogx(LOG_WARNING, "Certificate validation failed for %s", (arg&&arg->host)?arg->host:""); /* BadCertHandler is called when the NSS certificate validation is failed. @@ -288,6 +297,8 @@ static SECStatus GetClientAuthData(UPSCONN_t *arg, PRFileDesc *fd, static void HandshakeCallback(PRFileDesc *fd, UPSCONN_t *client_data) { + NUT_UNUSED_VARIABLE(fd); + upslogx(LOG_INFO, "SSL handshake done successfully with server %s", client_data->host); } From 30e6d4d0c817c0b55000a548c4b1f43582cda47c Mon Sep 17 00:00:00 2001 
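Review bot: In the client's `nss_password_callback` (clients/upsclient.c), `retry` is marked unused and the configured `nsscertpasswd` is returned on every call, while the server-side twin in server/netssl.c (patch 5/6 of this series) returns NULL when `retry` is set. If NSS calls back after a rejected password, the client would offer the same wrong value again, which may loop or count against a token's failed-attempt limit (inferred from the callback contract, not shown in the hunk). Replacing `NUT_UNUSED_VARIABLE(retry);` with `if (retry) return NULL;` would align the two callbacks and leave only `arg` to mark unused.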
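Review bot: `AuthCertificateDontVerify` in clients/upsclient.c now explicitly discards `arg`, `checksig` and `isServer` and still returns `SECSuccess`, so the unused-parameter warnings that hinted at a verification bypass are silenced without the code stating the intent. A comment above the markers would keep that visible, for example `/* Deliberately accepts any server certificate: no chain or hostname check is done here; only to be installed when verification is disabled by configuration. */`. The `LOG_INFO` level on the "Do not intend to authenticate server" message could be raised to `LOG_WARNING`, as `BadCertHandler` in the next hunk uses, so an unauthenticated TLS session stands out in logs. Where this hook gets installed is outside the hunk.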
From: Jim Klimov Date: Sun, 15 Nov 2020 01:07:30 +0100 Subject: [PATCH 5/6] server/netssl.c: mark up NUT_UNUSED_VARIABLEs for build with Mozilla NSS --- server/netssl.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/server/netssl.c b/server/netssl.c index 4c9dce0f2d..f53198cd3f 100644 --- a/server/netssl.c +++ b/server/netssl.c @@ -145,6 +145,8 @@ static SECKEYPrivateKey *privKey; static char *nss_password_callback(PK11SlotInfo *slot, PRBool retry, void *arg) { + NUT_UNUSED_VARIABLE(arg); + if (retry) { /* Force not inted to retrieve password many times. */ return NULL; @@ -170,6 +172,8 @@ static int ssl_error(PRFileDesc *ssl, int ret) char buffer[256]; PRInt32 length; PRErrorCode e; + NUT_UNUSED_VARIABLE(ssl); + NUT_UNUSED_VARIABLE(ret); e = PR_GetError(); length = PR_GetErrorText(buffer); @@ -195,6 +199,8 @@ static SECStatus AuthCertificate(CERTCertDBHandle *arg, PRFileDesc *fd, static SECStatus BadCertHandler(nut_ctype_t *arg, PRFileDesc *fd) { + NUT_UNUSED_VARIABLE(fd); + upslogx(LOG_WARNING, "Certificate validation failed for %s", (arg&&arg->addr)?arg->addr:""); #ifdef WITH_CLIENT_CERTIFICATE_VALIDATION @@ -211,6 +217,8 @@ static SECStatus BadCertHandler(nut_ctype_t *arg, PRFileDesc *fd) static void HandshakeCallback(PRFileDesc *fd, nut_ctype_t *client_data) { + NUT_UNUSED_VARIABLE(fd); + upslogx(LOG_INFO, "SSL handshake done successfully with client %s", client_data->addr); } From 7fc2db6cab40313d82d92b48f6b4ee137a887535 Mon Sep 17 00:00:00 2001 From: Jim Klimov Date: Sun, 15 Nov 2020 01:13:09 +0100 Subject: [PATCH 6/6] server/netssl.c: comment about non-fatal build warnings from NSS include names we use --- server/netssl.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/server/netssl.c b/server/netssl.c index f53198cd3f..4fa42f7de6 100644 --- a/server/netssl.c +++ b/server/netssl.c 
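Review bot: In the NSS variant of `ssl_error` (server/netssl.c), `PR_GetErrorText(buffer)` writes into the fixed `char buffer[256]` with no size argument, and nothing visible in the hunk checks `PR_GetErrorTextLength()` first; NSPR requires the buffer to hold at least that length plus one. Marking `ssl` and `ret` unused is fine, but this is the place to add the guard, e.g. `if (PR_GetErrorTextLength() < (PRInt32)sizeof(buffer)) length = PR_GetErrorText(buffer); else length = 0;`. The rest of the function is outside the hunk, so confirm there that a zero `length` is handled.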
@@ -35,6 +35,13 @@ #include #include #include +/* Note: on systems with NSS 3.x the following two lines complain non-fatally: + * /usr/include/mps/key.h:9:9: note: '#pragma message: key.h is deprecated. Please include keyhi.h instead.' + * /usr/include/mps/keyt.h:9:9: note: '#pragma message: keyt.h is deprecated. Please include keythi.h instead.' + * If this becomes a warning or error in the future, it can be addressed + * with a trick like done elsewhere for best pick of (sys/)types.h support + * for the specific build target platform. + */ #include #include #include