keepalived/SOURCES/bz1688892-fix-openssl-init-failure.patch

From aeec0e2cda5c440fdd3c5bea20ed7567bea540e1 Mon Sep 17 00:00:00 2001
From: Quentin Armitage <quentin@armitage.org.uk>
Date: Tue, 12 Mar 2019 14:58:38 +0000
Subject: [PATCH 1/3] Fix OpenSSL init failure with OpenSSL v1.1.1

OpenSSL v1.1.1, but not v1.1.0h or v1.1.1b failed in SSL_CTX_new()
if OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG) had previously
been called.

This commit doesn't call OPENSSL_init_crypto() if doing so causes
SSL_CTX_new() to fail.

Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
---
 configure.ac                 | 30 ++++++++++++++++++++++++++++++
 keepalived/check/check_ssl.c |  6 ++++++
 2 files changed, 36 insertions(+)

diff --git a/configure.ac b/configure.ac
index 89399ca3..504b9b92 100644
--- a/configure.ac
+++ b/configure.ac
@@ -819,6 +819,36 @@ AC_CHECK_FUNCS([SSL_set0_rbio OPENSSL_init_crypto])
 # TLS_method() introduced OpenSSL v1.1.0
 AC_CHECK_FUNCS([TLS_method])
 
+# In OpenSSL v1.1.1 the call to SSL_CTX_new() fails if OPENSSL_init_crypto() has been called with
+# OPENSSL_INIT_NO_LOAD_CONFIG. It does not fail in v1.1.0h and v1.1.1b.
+AS_IF([test .$ac_cv_func_OPENSSL_init_crypto = .yes -a .$ac_cv_func_TLS_method = .yes],
+      [
+	AC_RUN_IFELSE(
+	  [AC_LANG_PROGRAM(
+	    [[#include <openssl/ssl.h>]],
+	    [[
+	      const SSL_METHOD *meth;
+	      SSL_CTX *ctx;
+
+	      if (!OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL))
+		return 1;
+
+	      /* Initialize SSL context */
+	      meth = TLS_method();
+	      if (!(ctx = SSL_CTX_new(meth)))
+		return 1;
+	      return 0;
+	    ]])],
+	  [openssl_init_no_load_bug=0],
+	  [openssl_init_no_load_bug=1],
+	  [
+	    AC_MSG_WARN([Cannot determine if need to OPENSSL_init_crypto() problem. Assuming yes for safety.])
+	    openssl_init_no_load_bug=1
+	  ]
+	)
+	AS_IF([test $openssl_init_no_load_bug -eq 1],
+	      [AC_DEFINE([HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG], [ 1 ], [Define to 1 if OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG) bug)])])
+      ])
 unset LIBS
 
 if test $BUILD_GENHASH = No; then
diff --git a/keepalived/check/check_ssl.c b/keepalived/check/check_ssl.c
index 6bf6a005..2743ea87 100644
--- a/keepalived/check/check_ssl.c
+++ b/keepalived/check/check_ssl.c
@@ -69,8 +69,14 @@ build_ssl_ctx(void)
 
 	/* Library initialization */
 #if HAVE_OPENSSL_INIT_CRYPTO
+#ifndef HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG
+	/* In OpenSSL v1.1.1 if the following is called, SSL_CTX_new() below fails.
+	 * It works in v1.1.0h and v1.1.1b.
+	 * It transpires that it works without setting NO_LOAD_CONFIG, but it is
+	 * presumably more efficient not to load it. */
 	if (!OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL))
 		log_message(LOG_INFO, "OPENSSL_init_crypto failed");
+#endif
 #else
 	SSL_library_init();
 	SSL_load_error_strings();
-- 
2.20.1
import keepalived-2.0.10-10.el8 2020-04-23 22:23:50 +00:00			`From aeec0e2cda5c440fdd3c5bea20ed7567bea540e1 Mon Sep 17 00:00:00 2001`
			`From: Quentin Armitage <quentin@armitage.org.uk>`
			`Date: Tue, 12 Mar 2019 14:58:38 +0000`
			`Subject: [PATCH 1/3] Fix OpenSSL init failure with OpenSSL v1.1.1`

			`OpenSSL v1.1.1, but not v1.1.0h or v1.1.1b failed in SSL_CTX_new()`
			`if OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG) had previously`
			`been called.`

			`This commit doesn't call OPENSSL_init_crypto() if doing so causes`
			`SSL_CTX_new() to fail.`

			`Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>`
			`---`
			`configure.ac \| 30 ++++++++++++++++++++++++++++++`
			`keepalived/check/check_ssl.c \| 6 ++++++`
			`2 files changed, 36 insertions(+)`

			`diff --git a/configure.ac b/configure.ac`
			`index 89399ca3..504b9b92 100644`
			`--- a/configure.ac`
			`+++ b/configure.ac`
			`@@ -819,6 +819,36 @@ AC_CHECK_FUNCS([SSL_set0_rbio OPENSSL_init_crypto])`
			`# TLS_method() introduced OpenSSL v1.1.0`
			`AC_CHECK_FUNCS([TLS_method])`

			`+# In OpenSSL v1.1.1 the call to SSL_CTX_new() fails if OPENSSL_init_crypto() has been called with`
			`+# OPENSSL_INIT_NO_LOAD_CONFIG. It does not fail in v1.1.0h and v1.1.1b.`
			`+AS_IF([test .$ac_cv_func_OPENSSL_init_crypto = .yes -a .$ac_cv_func_TLS_method = .yes],`
			`+ [`
			`+ AC_RUN_IFELSE(`
			`+ [AC_LANG_PROGRAM(`
			`+ [[#include <openssl/ssl.h>]],`
			`+ [[`
			`+ const SSL_METHOD *meth;`
			`+ SSL_CTX *ctx;`
			`+`
			`+ if (!OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL))`
			`+ return 1;`
			`+`
			`+ /* Initialize SSL context */`
			`+ meth = TLS_method();`
			`+ if (!(ctx = SSL_CTX_new(meth)))`
			`+ return 1;`
			`+ return 0;`
			`+ ]])],`
			`+ [openssl_init_no_load_bug=0],`
			`+ [openssl_init_no_load_bug=1],`
			`+ [`
			`+ AC_MSG_WARN([Cannot determine if need to OPENSSL_init_crypto() problem. Assuming yes for safety.])`
			`+ openssl_init_no_load_bug=1`
			`+ ]`
			`+ )`
			`+ AS_IF([test $openssl_init_no_load_bug -eq 1],`
			`+ [AC_DEFINE([HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG], [ 1 ], [Define to 1 if OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG) bug)])])`
			`+ ])`
			`unset LIBS`

			`if test $BUILD_GENHASH = No; then`
			`diff --git a/keepalived/check/check_ssl.c b/keepalived/check/check_ssl.c`
			`index 6bf6a005..2743ea87 100644`
			`--- a/keepalived/check/check_ssl.c`
			`+++ b/keepalived/check/check_ssl.c`
			`@@ -69,8 +69,14 @@ build_ssl_ctx(void)`

			`/* Library initialization */`
			`#if HAVE_OPENSSL_INIT_CRYPTO`
			`+#ifndef HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG`
			`+ /* In OpenSSL v1.1.1 if the following is called, SSL_CTX_new() below fails.`
			`+ * It works in v1.1.0h and v1.1.1b.`
			`+ * It transpires that it works without setting NO_LOAD_CONFIG, but it is`
			`+ * presumably more efficient not to load it. */`
			`if (!OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL))`
			`log_message(LOG_INFO, "OPENSSL_init_crypto failed");`
			`+#endif`
			`#else`
			`SSL_library_init();`
			`SSL_load_error_strings();`
			`--`
			`2.20.1`