From 08f2061422b637ac1612ffc0efca4771a6a08dc3 Mon Sep 17 00:00:00 2001 From: Tim Waugh Date: Wed, 15 Sep 2010 15:45:35 +0100 Subject: [PATCH 1/4] Build with --enable-threads again (bug #607159). --- cups.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/cups.spec b/cups.spec index f97f5c1..39ad9dd 100644 --- a/cups.spec +++ b/cups.spec @@ -309,7 +309,7 @@ export CFLAGS="$RPM_OPT_FLAGS -fstack-protector-all -DLDAP_DEPRECATED=1" --with-pdftops=pdftops \ --with-dbusdir=%{_sysconfdir}/dbus-1 \ --with-php=/usr/bin/php-cgi --enable-avahi \ - --disable-threads --enable-gnutls \ + --enable-threads --enable-gnutls \ localedir=%{_datadir}/locale # If we got this far, all prerequisite libraries must be here. @@ -578,6 +578,9 @@ rm -rf $RPM_BUILD_ROOT %{php_extdir}/phpcups.so %changelog +* Wed Sep 15 2010 Tim Waugh +- Build with --enable-threads again (bug #607159). + * Wed Sep 15 2010 Tim Waugh - Fixed serverbin-compat patch to avoid misleading "filter not available" messages (bug #633779). From b2a234f5b23e437d98df439555f95d1dc2e63ada Mon Sep 17 00:00:00 2001 From: Tim Waugh Date: Wed, 15 Sep 2010 15:57:45 +0100 Subject: [PATCH 2/4] Force the use of gnutls despite thread-safety concerns (bug #607159). --- cups-force-gnutls.patch | 89 +++++++++++++++++++++++++++++++++++++++++ cups.spec | 4 ++ 2 files changed, 93 insertions(+) create mode 100644 cups-force-gnutls.patch diff --git a/cups-force-gnutls.patch b/cups-force-gnutls.patch new file mode 100644 index 0000000..85adaa8 --- /dev/null +++ b/cups-force-gnutls.patch 
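Review bot: Nothing in the `%build` section checks that TLS support survived the switch to `--enable-threads --enable-gnutls`, and the comment after the configure call ("all prerequisite libraries must be here") does not cover it. The cups-ssl.m4 logic quoted in PATCH 2/4 shows that, before that patch, configure only prints a warning and does not set `have_ssl` when `have_pthread` is yes. A package built from this commit alone would therefore appear to ship without encryption support, and the build would not fail. I would add a step after configure that fails the build unless `HAVE_SSL` ends up defined in the generated configuration header, so this option pair cannot silently degrade again.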
@@ -0,0 +1,89 @@ +diff -up cups-1.4.4/config-scripts/cups-ssl.m4.force-gnutls cups-1.4.4/config-scripts/cups-ssl.m4 +--- cups-1.4.4/config-scripts/cups-ssl.m4.force-gnutls 2010-09-15 16:49:22.343502552 +0100 ++++ cups-1.4.4/config-scripts/cups-ssl.m4 2010-09-15 16:49:42.347502595 +0100 +@@ -65,23 +65,21 @@ if test x$enable_ssl != xno; then + if $PKGCONFIG --exists gnutls; then + if test "x$have_pthread" = xyes; then + AC_MSG_WARN([The current version of GNU TLS cannot be made thread-safe.]) +- else +- have_ssl=1 +- SSLLIBS=`$PKGCONFIG --libs gnutls` +- SSLFLAGS=`$PKGCONFIG --cflags gnutls` +- AC_DEFINE(HAVE_SSL) +- AC_DEFINE(HAVE_GNUTLS) + fi ++ have_ssl=1 ++ SSLLIBS=`$PKGCONFIG --libs gnutls` ++ SSLFLAGS=`$PKGCONFIG --cflags gnutls` ++ AC_DEFINE(HAVE_SSL) ++ AC_DEFINE(HAVE_GNUTLS) + elif test "x$LIBGNUTLSCONFIG" != x; then + if test "x$have_pthread" = xyes; then + AC_MSG_WARN([The current version of GNU TLS cannot be made thread-safe.]) +- else +- have_ssl=1 +- SSLLIBS=`$LIBGNUTLSCONFIG --libs` +- SSLFLAGS=`$LIBGNUTLSCONFIG --cflags` +- AC_DEFINE(HAVE_SSL) +- AC_DEFINE(HAVE_GNUTLS) + fi ++ have_ssl=1 ++ SSLLIBS=`$LIBGNUTLSCONFIG --libs` ++ SSLFLAGS=`$LIBGNUTLSCONFIG --cflags` ++ AC_DEFINE(HAVE_SSL) ++ AC_DEFINE(HAVE_GNUTLS) + fi + + if test $have_ssl = 1; then +diff -up cups-1.4.4/configure.force-gnutls cups-1.4.4/configure +--- cups-1.4.4/configure.force-gnutls 2010-06-17 19:25:47.000000000 +0100 ++++ cups-1.4.4/configure 2010-09-15 16:50:01.689503165 +0100 +@@ -17542,36 +17542,34 @@ fi + if test "x$have_pthread" = xyes; then + { echo "$as_me:$LINENO: WARNING: The current version of GNU TLS cannot be made thread-safe." >&5 + echo "$as_me: WARNING: The current version of GNU TLS cannot be made thread-safe." 
>&2;} +- else +- have_ssl=1 +- SSLLIBS=`$PKGCONFIG --libs gnutls` +- SSLFLAGS=`$PKGCONFIG --cflags gnutls` +- cat >>confdefs.h <<\_ACEOF ++ fi ++ have_ssl=1 ++ SSLLIBS=`$PKGCONFIG --libs gnutls` ++ SSLFLAGS=`$PKGCONFIG --cflags gnutls` ++ cat >>confdefs.h <<\_ACEOF + #define HAVE_SSL 1 + _ACEOF + +- cat >>confdefs.h <<\_ACEOF ++ cat >>confdefs.h <<\_ACEOF + #define HAVE_GNUTLS 1 + _ACEOF + +- fi + elif test "x$LIBGNUTLSCONFIG" != x; then + if test "x$have_pthread" = xyes; then + { echo "$as_me:$LINENO: WARNING: The current version of GNU TLS cannot be made thread-safe." >&5 + echo "$as_me: WARNING: The current version of GNU TLS cannot be made thread-safe." >&2;} +- else +- have_ssl=1 +- SSLLIBS=`$LIBGNUTLSCONFIG --libs` +- SSLFLAGS=`$LIBGNUTLSCONFIG --cflags` +- cat >>confdefs.h <<\_ACEOF ++ fi ++ have_ssl=1 ++ SSLLIBS=`$LIBGNUTLSCONFIG --libs` ++ SSLFLAGS=`$LIBGNUTLSCONFIG --cflags` ++ cat >>confdefs.h <<\_ACEOF + #define HAVE_SSL 1 + _ACEOF + +- cat >>confdefs.h <<\_ACEOF ++ cat >>confdefs.h <<\_ACEOF + #define HAVE_GNUTLS 1 + _ACEOF + +- fi + fi + + if test $have_ssl = 1; then diff --git a/cups.spec b/cups.spec index 39ad9dd..304ee31 100644 --- a/cups.spec +++ b/cups.spec @@ -59,6 +59,7 @@ Patch22: cups-uri-compat.patch Patch23: cups-cups-get-classes.patch Patch24: cups-avahi.patch Patch25: cups-str3382.patch +Patch26: cups-force-gnutls.patch Patch29: cups-0755.patch Patch30: cups-EAI_AGAIN.patch Patch31: cups-hostnamelookups.patch @@ -253,6 +254,8 @@ module. %patch24 -p1 -b .avahi # Fix temporary filename creation. %patch25 -p1 -b .str3382 +# Force the use of gnutls despite thread-safety concerns (bug #607159). +%patch26 -p1 -b .force-gnutls # Use mode 0755 for binaries and libraries where appropriate. %patch29 -p1 -b .0755 # Re-initialise the resolver on failure in httpAddrLookup(). 
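Review bot: With the `else` removed, `AC_MSG_WARN([The current version of GNU TLS cannot be made thread-safe.])` still fires when `have_pthread` is yes, but the script now goes on to define `HAVE_SSL` and `HAVE_GNUTLS`, so the build log reports a hazard that nothing in this patch mitigates. Within this series the serialisation only arrives with cups-serialize-gnutls.patch in PATCH 4/4, which means release 1.4.4-8 appears to use GnuTLS from threaded code with only the libgcrypt callbacks that the later commit calls broken. I would reword the warning to state what is now relied on, for example `AC_MSG_WARN([GNU TLS is not thread-safe here; all TLS calls must be serialized by the caller.])`. The spec comment for `%patch26` should also say that this patch is only safe together with the locking patch. The same edit is made by hand in the generated `configure`, which has to be kept in step with cups-ssl.m4 on every rebase.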
@@ -580,6 +583,7 @@ rm -rf $RPM_BUILD_ROOT %changelog * Wed Sep 15 2010 Tim Waugh - Build with --enable-threads again (bug #607159). +- Force the use of gnutls despite thread-safety concerns (bug #607159). * Wed Sep 15 2010 Tim Waugh - Fixed serverbin-compat patch to avoid misleading "filter not From 55737f88236d386815a7ddea953bc575ae22e4db Mon Sep 17 00:00:00 2001 From: Tim Waugh Date: Wed, 15 Sep 2010 16:56:44 +0100 Subject: [PATCH 3/4] 1.4.4-8 --- cups.spec | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/cups.spec b/cups.spec index 304ee31..0c0a258 100644 --- a/cups.spec +++ b/cups.spec @@ -8,7 +8,7 @@ Summary: Common Unix Printing System Name: cups Version: 1.4.4 -Release: 7%{?dist} +Release: 8%{?dist} License: GPLv2 Group: System Environment/Daemons Source: http://ftp.easysw.com/pub/cups/%{version}/cups-%{version}-source.tar.bz2 @@ -581,11 +581,9 @@ rm -rf $RPM_BUILD_ROOT %{php_extdir}/phpcups.so %changelog -* Wed Sep 15 2010 Tim Waugh +* Wed Sep 15 2010 Tim Waugh 1:1.4.4-8 - Build with --enable-threads again (bug #607159). - Force the use of gnutls despite thread-safety concerns (bug #607159). - -* Wed Sep 15 2010 Tim Waugh - Fixed serverbin-compat patch to avoid misleading "filter not available" messages (bug #633779). From 91b2885d0a0da6e95bc6c1a45b0cc0b4ede56143 Mon Sep 17 00:00:00 2001 From: Tim Waugh Date: Fri, 17 Sep 2010 14:41:37 +0100 Subject: [PATCH 4/4] Perform locking for gnutls and avoid libgcrypt's broken locking (bug #607159). --- cups-serialize-gnutls.patch | 109 ++++++++++++++++++++++++++++++++++++ cups.spec | 10 +++- 2 files changed, 118 insertions(+), 1 deletion(-) create mode 100644 cups-serialize-gnutls.patch diff --git a/cups-serialize-gnutls.patch b/cups-serialize-gnutls.patch new file mode 100644 index 0000000..cdd82cb --- /dev/null +++ b/cups-serialize-gnutls.patch 
@@ -0,0 +1,109 @@
+diff -up cups-1.4.4/cups/http.c.serialize-gnutls cups-1.4.4/cups/http.c
+--- cups-1.4.4/cups/http.c.serialize-gnutls 2010-09-17 13:37:01.858871762 +0100
++++ cups-1.4.4/cups/http.c 2010-09-17 13:55:22.579871934 +0100
+@@ -149,7 +149,7 @@ static int http_write_ssl(http_t *http,
+
+ # ifdef HAVE_GNUTLS
+ # ifdef HAVE_PTHREAD_H
+-GCRY_THREAD_OPTION_PTHREAD_IMPL;
++static pthread_mutex_t gnutls_lock;
+ # endif /* HAVE_PTHREAD_H */
+
+ # elif defined(HAVE_LIBSSL) && defined(HAVE_PTHREAD_H)
+@@ -1231,7 +1231,7 @@ httpInitialize(void)
+ */
+
+ # ifdef HAVE_PTHREAD_H
+- gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
++ pthread_mutex_init(&gnutls_lock, NULL);
+ # endif /* HAVE_PTHREAD_H */
+
+ /*
+@@ -2228,6 +2228,7 @@ _httpWait(http_t *http, /* I - Connect
+ if (SSL_pending((SSL *)(http->tls)))
+ return (1);
+# elif defined(HAVE_GNUTLS)
++ /* lock already held here... */
+ if (gnutls_record_check_pending(((http_tls_t *)(http->tls))->session))
+ return (1);
+# elif defined(HAVE_CDSASSL)
+@@ -2294,6 +2295,8 @@ int /* O - 1 if data is available, 0
+ httpWait(http_t *http, /* I - Connection to server */
+ int msec) /* I - Milliseconds to wait */
+ {
++ int ret;
++
+ /*
+ * First see if there is data in the buffer...
+ */
+@@ -2318,7 +2321,17 @@ httpWait(http_t *http, /* I - Connecti
+ * If not, check the SSL/TLS buffers and do a select() on the connection...
+ */
+
+- return (_httpWait(http, msec, 1));
++#if defined(HAVE_SSL) && defined(HAVE_GNUTLS) && defined(HAVE_PTHREAD_H)
++ pthread_mutex_lock(&gnutls_lock);
++#endif
++
++ ret = _httpWait(http, msec, 1);
++
++#if defined(HAVE_SSL) && defined(HAVE_GNUTLS) && defined(HAVE_PTHREAD_H)
++ pthread_mutex_unlock(&gnutls_lock);
++#endif
++
++ return (ret);
+ }
+
+
+@@ -2769,7 +2782,9 @@ http_read_ssl(http_t *http, /* I - Conn
+ ssize_t result; /* Return value */
+
+
++ pthread_mutex_lock(&gnutls_lock);
+ result = gnutls_record_recv(((http_tls_t *)(http->tls))->session, buf, len);
++ pthread_mutex_unlock(&gnutls_lock);
+
+ if (result < 0 && !errno)
+ {
+@@ -3085,6 +3100,7 @@ http_setup_ssl(http_t *http) /* I - Con
+ return (-1);
+ }
+
++ pthread_mutex_lock(&gnutls_lock);
+ gnutls_certificate_allocate_credentials(credentials);
+
+ gnutls_init(&(conn->session), GNUTLS_CLIENT);
+@@ -3104,9 +3120,11 @@ http_setup_ssl(http_t *http) /* I - Con
+ free(credentials);
+ free(conn);
+
++ pthread_mutex_unlock(&gnutls_lock);
+ return (-1);
+ }
+
++ pthread_mutex_unlock(&gnutls_lock);
+ conn->credentials = credentials;
+
+ # elif defined(HAVE_CDSASSL)
+@@ -3196,9 +3214,11 @@ http_shutdown_ssl(http_t *http) /* I -
+ conn = (http_tls_t *)(http->tls);
+ credentials = (gnutls_certificate_client_credentials *)(conn->credentials);
+
++ pthread_mutex_lock(&gnutls_lock);
+ gnutls_bye(conn->session, GNUTLS_SHUT_RDWR);
+ gnutls_deinit(conn->session);
+ gnutls_certificate_free_credentials(*credentials);
++ pthread_mutex_unlock(&gnutls_lock);
+ free(credentials);
+ free(conn);
+
+@@ -3445,7 +3465,9 @@ http_write_ssl(http_t *http, /* I -
+ # elif defined(HAVE_GNUTLS)
+ ssize_t result; /* Return value */
+
++ pthread_mutex_lock(&gnutls_lock);
+ result = gnutls_record_send(((http_tls_t *)(http->tls))->session, buf, len);
++ pthread_mutex_unlock(&gnutls_lock);
+
+ if (result < 0 && !errno)
+ {
diff --git a/cups.spec b/cups.spec
index 0c0a258..4d4c917 100644
--- a/cups.spec
+++ b/cups.spec
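Review bot: The lock calls added in http_read_ssl(), http_write_ssl(), http_setup_ssl() and http_shutdown_ssl() are not wrapped in `HAVE_PTHREAD_H` as far as the context lines show, while `gnutls_lock` is declared and initialised only under that guard, so a GnuTLS build without pthreads would fail to compile; only the httpWait() change carries the full guard. I would route every call through a pair of macros that expand to nothing without pthreads and initialise the mutex statically, which also drops the reliance on httpInitialize() having run before the first lock (its run-once logic is outside these hunks) and lets the `pthread_mutex_init()` line go. Separately, this one process-wide mutex is held across `gnutls_record_recv()`, `gnutls_record_send()`, `gnutls_bye()` and the `msec` wait in httpWait(), so on a blocking connection a single stalled peer can hold up TLS traffic on every other connection in the process; that cost should be stated in a comment at the declaration. The `/* lock already held here... */` comment in _httpWait() is shown to hold only for the httpWait() caller, and any other callers of _httpWait() lie outside the patch and should be checked.

```c
# ifdef HAVE_GNUTLS
#  ifdef HAVE_PTHREAD_H
/*
 * One process-wide lock around every GnuTLS call.  It is held across
 * blocking record I/O, so a stalled peer delays all other TLS connections.
 */
static pthread_mutex_t gnutls_lock = PTHREAD_MUTEX_INITIALIZER;
#   define http_gnutls_lock()	pthread_mutex_lock(&gnutls_lock)
#   define http_gnutls_unlock()	pthread_mutex_unlock(&gnutls_lock)
#  else
#   define http_gnutls_lock()
#   define http_gnutls_unlock()
#  endif /* HAVE_PTHREAD_H */
/* … unchanged: HAVE_LIBSSL branch, httpInitialize() without pthread_mutex_init() … */

/* … in http_read_ssl(); the write, setup, shutdown and httpWait() paths follow the same shape … */
  http_gnutls_lock();
  result = gnutls_record_recv(((http_tls_t *)(http->tls))->session, buf, len);
  http_gnutls_unlock();
```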
@@ -8,7 +8,7 @@ Summary: Common Unix Printing System Name: cups Version: 1.4.4 -Release: 8%{?dist} +Release: 9%{?dist} License: GPLv2 Group: System Environment/Daemons Source: http://ftp.easysw.com/pub/cups/%{version}/cups-%{version}-source.tar.bz2 @@ -60,6 +60,7 @@ Patch23: cups-cups-get-classes.patch Patch24: cups-avahi.patch Patch25: cups-str3382.patch Patch26: cups-force-gnutls.patch +Patch27: cups-serialize-gnutls.patch Patch29: cups-0755.patch Patch30: cups-EAI_AGAIN.patch Patch31: cups-hostnamelookups.patch @@ -256,6 +257,9 @@ module. %patch25 -p1 -b .str3382 # Force the use of gnutls despite thread-safety concerns (bug #607159). %patch26 -p1 -b .force-gnutls +# Perform locking for gnutls and avoid libgcrypt's broken +# locking (bug #607159). +%patch27 -p1 -b .serialize-gnutls # Use mode 0755 for binaries and libraries where appropriate. %patch29 -p1 -b .0755 # Re-initialise the resolver on failure in httpAddrLookup(). @@ -581,6 +585,10 @@ rm -rf $RPM_BUILD_ROOT %{php_extdir}/phpcups.so %changelog +* Fri Sep 17 2010 Tim Waugh 1:1.4.4-9 +- Perform locking for gnutls and avoid libgcrypt's broken + locking (bug #607159). + * Wed Sep 15 2010 Tim Waugh 1:1.4.4-8 - Build with --enable-threads again (bug #607159). - Force the use of gnutls despite thread-safety concerns (bug #607159).