Accepting request 547147 from home:adkorte:branches:hardware

- Add support for OpenSSL 1.1.0 library, allow TLSv1 and higher (not just TLSv1) and report TLS version used in debug mode level 3 and higher (boo#1069988, openssl-1_1.patch) - Fix missing pointer dereference in upssched (nut-upssched.patch) - Support for allowfrom parameter was removed in version 2.4.0 (nut-preconfig.patch) OBS-URL: https://build.opensuse.org/request/show/547147 OBS-URL: https://build.opensuse.org/package/show/hardware/nut?expand=0&rev=74
2017-12-01 15:34:51 +00:00
parent 2a51005c79
commit 39ef41b7d0
5 changed files with 175 additions and 3 deletions
--- a/nut-preconfig.patch
+++ b/nut-preconfig.patch
@@ -19,19 +19,17 @@
 +	desc = "Local UPS"
 --- conf/upsd.users.sample
 +++ conf/upsd.users.sample
-@@ -62,3 +62,13 @@
+@@ -62,3 +62,11 @@
 # The matching MONITOR line in your upsmon.conf would look like this:
 #
 # MONITOR myups@localhost 1 upsmon pass master	(or slave)
 +
 +[upsmaster]
 +	password = @UPSD_INITIAL_MASTER_PASSWORD@
-+	allowfrom = localhost
 +	upsmon master
 +
 +[upsslave]
 +	password = @UPSD_INITIAL_SLAVE_PASSWORD@
-+	allowfrom = localhost
 +	upsmon slave
 --- conf/upsmon.conf.sample.in
 +++ conf/upsmon.conf.sample.in
--- a/nut-upssched.patch
+++ b/nut-upssched.patch
@@ -0,0 +1,13 @@
+diff --git a/clients/upssched.c b/clients/upssched.c
+index 97b3ed42..3fdf118e 100644
+--- a/clients/upssched.c
+++ b/clients/upssched.c
+@@ -794,7 +794,7 @@ static void parse_at(const char *ntype, const char *un, const char *cmd,
+ 	}
+ 
+ 	if (!strcmp(cmd, "EXECUTE")) {
+-		if (ca1 == '\0') {
+		if (*ca1 == '\0') {
+ 			upslogx(LOG_ERR, "Empty EXECUTE command argument");
+ 			return;
+ 		}
--- a/nut.changes
+++ b/nut.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Fri Dec  1 14:59:25 UTC 2017 - suse+build@de-korte.org
+
+- Add support for OpenSSL 1.1.0 library, allow TLSv1 and higher
+  (not just TLSv1) and report TLS version used in debug mode level
+  3 and higher (boo#1069988, openssl-1_1.patch)
+- Fix missing pointer dereference in upssched (nut-upssched.patch)
+- Support for allowfrom parameter was removed in version 2.4.0
+  (nut-preconfig.patch)
+
 -------------------------------------------------------------------
 Thu Nov 30 18:01:31 CET 2017 - sbrabec@suse.com

--- a/nut.spec
+++ b/nut.spec
@@ -57,6 +57,8 @@ Patch8:         nut-doc-fixed-date.patch
 Patch9:         nut-doc-cables.patch
 # PATCH-FIX-UPSTREAM use-pkg-config-gdlib.diff alarrosa@suse.com -- Use pkg-config to obtain CFLAGS and LDFLAGS to use when building with gd
 Patch10:        use-pkg-config-gdlib.diff
+Patch11:        openssl-1_1.patch
+Patch12:        nut-upssched.patch
 BuildRequires:  apache2-devel
 BuildRequires:  asciidoc
 BuildRequires:  avahi-devel
@@ -250,6 +252,8 @@ cp -a %{SOURCE2} %{SOURCE5} %{SOURCE6} %{SOURCE7} .
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1
+%patch12 -p1
 sed -i s/@now@/`date -r ChangeLog +%%Y-%%m-%%d`/g docs/docinfo.xml.in

 sed -i s:%{_prefix}/local/ups/bin:/bin: conf/upssched.conf.sample.in
--- a/openssl-1_1.patch
+++ b/openssl-1_1.patch
@@ -0,0 +1,147 @@
+diff --git a/clients/upsclient.c b/clients/upsclient.c
+index b90587b0..b7dd8f42 100644
+--- a/clients/upsclient.c
+++ b/clients/upsclient.c
+@@ -299,11 +299,6 @@ int upscli_init(int certverify, const char *certpath,
+ {
+ #ifdef WITH_OPENSSL
+ 	int ret, ssl_mode = SSL_VERIFY_NONE;
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+-	const SSL_METHOD	*ssl_method;
+-#else
+-	SSL_METHOD	*ssl_method;
+-#endif
+ #elif defined(WITH_NSS) /* WITH_OPENSSL */
+ 	SECStatus	status;
+ #endif /* WITH_OPENSSL | WITH_NSS */
+@@ -315,22 +310,35 @@ int upscli_init(int certverify, const char *certpath,
+ 	}
+ 	
+ #ifdef WITH_OPENSSL
+
+	SSL_load_error_strings();
+ 	
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	SSL_library_init();
+-	SSL_load_error_strings();
+ 
+-	ssl_method = TLSv1_client_method();
+	ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+#else
+	OPENSSL_init_ssl(0, NULL);
+ 
+-	if (!ssl_method) {
+-		return 0;
+-	}
+	ssl_ctx = SSL_CTX_new(TLS_client_method());
+#endif
+ 
+-	ssl_ctx = SSL_CTX_new(ssl_method);
+ 	if (!ssl_ctx) {
+ 		upslogx(LOG_ERR, "Can not initialize SSL context");
+ 		return -1;
+ 	}
+ 	
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	/* set minimum protocol TLSv1 */
+	SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+#else
+	ret = SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION);
+	if (ret != 1) {
+		upslogx(LOG_ERR, "Can not set minimum protocol to TLSv1");
+		return -1;
+	}
+#endif
+
+ 	if (!certpath) {
+ 		if (certverify == 1) {
+ 			upslogx(LOG_ERR, "Can not verify certificate if any is specified");
+@@ -737,7 +745,7 @@ static int upscli_sslinit(UPSCONN_t *ups, int verifycert)
+ 	switch(res)
+ 	{
+ 	case 1:
+-		upsdebugx(3, "SSL connected");
+		upsdebugx(3, "SSL connected (%s)", SSL_get_version(ups->ssl));
+ 		break;
+ 	case 0:
+ 		upslog_with_errno(1, "SSL_connect do not accept handshake.");
+diff --git a/m4/nut_check_libopenssl.m4 b/m4/nut_check_libopenssl.m4
+index 1b875077..5f29f4a3 100644
+--- a/m4/nut_check_libopenssl.m4
+++ b/m4/nut_check_libopenssl.m4
+@@ -57,8 +57,9 @@ if test -z "${nut_have_libopenssl_seen}"; then
+ 	AC_MSG_RESULT([${LIBS}])
+ 
+ 	dnl check if openssl is usable
+-	AC_CHECK_HEADERS(openssl/ssl.h, [nut_have_openssl=yes], [nut_have_openssl=no], [AC_INCLUDES_DEFAULT])
+-	AC_CHECK_FUNCS(SSL_library_init, [], [nut_have_openssl=no])
+	AC_CHECK_FUNCS(OPENSSL_init_ssl, [nut_have_openssl=yes], [nut_have_openssl=no])
+	AC_CHECK_FUNCS(SSL_library_init, [nut_have_openssl=yes], [])
+	AC_CHECK_HEADERS(openssl/ssl.h, [], [nut_have_openssl=no], [AC_INCLUDES_DEFAULT])
+ 
+ 	if test "${nut_have_openssl}" = "yes"; then
+ 		nut_with_ssl="yes"
+diff --git a/server/netssl.c b/server/netssl.c
+index c2f40989..6ae13e8d 100644
+--- a/server/netssl.c
+++ b/server/netssl.c
+@@ -275,7 +275,7 @@ void net_starttls(nut_ctype_t *client, int numarg, const char **arg)
+ 	{
+ 	case 1:
+ 		client->ssl_connected = 1;
+-		upsdebugx(3, "SSL connected");
+		upsdebugx(3, "SSL connected (%s)", SSL_get_version(client->ssl));
+ 		break;
+ 		
+ 	case 0:
+@@ -371,13 +371,7 @@ void ssl_init(void)
+ {
+ #ifdef WITH_NSS
+ 	SECStatus status;
+-#elif defined(WITH_OPENSSL)
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+-	const SSL_METHOD	*ssl_method;
+-#else
+-	SSL_METHOD	*ssl_method;
+-#endif
+-#endif /* WITH_NSS|WITH_OPENSSL */
+#endif /* WITH_NSS */
+ 
+ 	if (!certfile) {
+ 		return;
+@@ -388,17 +382,31 @@ void ssl_init(void)
+ #ifdef WITH_OPENSSL
+ 
+ 	SSL_load_error_strings();
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	SSL_library_init();
+ 
+-	if ((ssl_method = TLSv1_server_method()) == NULL) {
+	ssl_ctx = SSL_CTX_new(SSLv23_server_method());
+#else
+	OPENSSL_init_ssl(0, NULL);
+
+	ssl_ctx = SSL_CTX_new(TLS_server_method());
+#endif
+
+	if (!ssl_ctx) {
+ 		ssl_debug();
+-		fatalx(EXIT_FAILURE, "TLSv1_server_method failed");
+		fatalx(EXIT_FAILURE, "SSL_CTX_new failed");
+ 	}
+ 
+-	if ((ssl_ctx = SSL_CTX_new(ssl_method)) == NULL) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	/* set minimum protocol TLSv1 */
+	SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+#else
+	if (SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION) != 1) {
+ 		ssl_debug();
+-		fatalx(EXIT_FAILURE, "SSL_CTX_new failed");
+		fatalx(EXIT_FAILURE, "SSL_CTX_set_min_proto_version(TLS1_VERSION)");
+ 	}
+#endif
+ 
+ 	if (SSL_CTX_use_certificate_chain_file(ssl_ctx, certfile) != 1) {
+ 		ssl_debug();