rpms/keepalived
5
0
Fork 0
Code Issues Pull Requests Releases Activity

re-import sources as agreed with the maintainer

Browse Source
This commit is contained in:
Adam Samalik 2023-07-10 09:22:03 +02:00
parent 027423ee43
commit 597e85760d
13 changed files with 1045 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
.gitignore vendored
View File

@ -1,2 +1,29 @@
SOURCES/keepalived-2.1.5.tar.gz /keepalived-1.2.9.tar.gz
/keepalived-1.2.10.tar.gz
/keepalived-1.2.11.tar.gz
/keepalived-1.2.12.tar.gz
/keepalived-1.2.13.tar.gz
/keepalived-1.2.14.tar.gz
/keepalived-1.2.15.tar.gz
/keepalived-1.2.16.tar.gz
/keepalived-1.2.17.tar.gz
/keepalived-1.2.18.tar.gz
/keepalived-1.2.19.tar.gz
/keepalived-1.2.20.tar.gz
/keepalived-1.2.21.tar.gz
/keepalived-1.2.22.tar.gz
/keepalived-1.2.23.tar.gz
/keepalived-1.2.24.tar.gz
/keepalived-1.3.2.tar.gz
/keepalived-1.3.5.tar.gz
/keepalived-1.3.6.tar.gz
/keepalived-1.3.9.tar.gz
/keepalived-1.4.0.tar.gz
/keepalived-1.4.1.tar.gz
/keepalived-1.4.2.tar.gz
/keepalived-1.4.3.tar.gz
/keepalived-2.0.5.tar.gz
/keepalived-2.0.6.tar.gz
/keepalived-2.0.7.tar.gz
/keepalived-2.0.10.tar.gz
/keepalived-2.1.5.tar.gz /keepalived-2.1.5.tar.gz

51
bz1683438-fix-vrrp_script-execution.patch Normal file
View File

@ -0,0 +1,51 @@
From 4e60fead497c9e99953dd6106c6a5869182533cc Mon Sep 17 00:00:00 2001
From: Quentin Armitage <quentin@armitage.org.uk>
Date: Thu, 9 May 2019 19:23:46 +0100
Subject: [PATCH] Don't enclose /dev/tcp/127.0.0.1/22 in ' chars when running
as script
RedHat identified a problem with scripts like:
vrrp_script {
script "</dev/tcp/127.0.0.1/22"
}
where returning an exit code of 127 (script not found).
This was identified to be due to the "script" being enclosed in '
characters, so the resulting system call was
system("'</dev/tcp/127.0.0.1/22'"), which failed. Not adding the leading
and trailing ' characters when the first character of the script is '<'
or '>' resolves the problem.
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
---
lib/notify.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/lib/notify.c b/lib/notify.c
index 2f60e24c..1984bde3 100644
--- a/lib/notify.c
+++ b/lib/notify.c
@@ -130,10 +130,18 @@ cmd_str_r(const notify_script_t *script, char *buf, size_t len)
if (i)
*str_p++ = ' ';
- *str_p++ = '\'';
+
+ /* Allow special case of bash script which is redirection only to
+ * test for file existence. */
+ if (i || (script->args[i][0] != '<' && script->args[i][0] != '>'))
+ *str_p++ = '\'';
+
strcpy(str_p, script->args[i]);
str_p += str_len;
- *str_p++ = '\'';
+
+ /* Close opening ' if we added one */
+ if (i || (script->args[i][0] != '<' && script->args[i][0] != '>'))
+ *str_p++ = '\'';
}
*str_p = '\0';
--
2.24.1

76
bz1688892-fix-openssl-init-config-check.patch Normal file
View File

@ -0,0 +1,76 @@
From 1f2b558da9f631a635e9b099b455696b1903bee4 Mon Sep 17 00:00:00 2001
From: Quentin Armitage <quentin@armitage.org.uk>
Date: Fri, 15 Mar 2019 00:12:19 +0000
Subject: [PATCH 3/3] Fix some configure tested checks for OPENSSL_init_crypto
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
---
genhash/ssl.c | 6 +++---
keepalived/check/check_ssl.c | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/genhash/ssl.c b/genhash/ssl.c
index 96f51201..0574675a 100644
--- a/genhash/ssl.c
+++ b/genhash/ssl.c
@@ -44,7 +44,7 @@ void
init_ssl(void)
{
/* Library initialization */
-#if HAVE_OPENSSL_INIT_CRYPTO
+#ifdef HAVE_OPENSSL_INIT_CRYPTO
#ifndef HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG
/* In OpenSSL v1.1.1 if the following is called, SSL_CTX_new() below fails.
* It works in v1.1.0h and v1.1.1b.
@@ -59,7 +59,7 @@ init_ssl(void)
#endif
/* Initialize SSL context */
-#if HAVE_TLS_METHOD
+#ifdef HAVE_TLS_METHOD
req->meth = TLS_method();
#else
req->meth = SSLv23_method();
@@ -123,7 +123,7 @@ ssl_connect(thread_t * thread)
}
BIO_set_nbio(sock_obj->bio, 1); /* Set the Non-Blocking flag */
-#if HAVE_SSL_SET0_RBIO
+#ifdef HAVE_SSL_SET0_RBIO
BIO_up_ref(sock_obj->bio);
SSL_set0_rbio(sock_obj->ssl, sock_obj->bio);
SSL_set0_wbio(sock_obj->ssl, sock_obj->bio);
diff --git a/keepalived/check/check_ssl.c b/keepalived/check/check_ssl.c
index 2743ea87..58061b91 100644
--- a/keepalived/check/check_ssl.c
+++ b/keepalived/check/check_ssl.c
@@ -68,7 +68,7 @@ build_ssl_ctx(void)
ssl_data_t *ssl;
/* Library initialization */
-#if HAVE_OPENSSL_INIT_CRYPTO
+#ifdef HAVE_OPENSSL_INIT_CRYPTO
#ifndef HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG
/* In OpenSSL v1.1.1 if the following is called, SSL_CTX_new() below fails.
* It works in v1.1.0h and v1.1.1b.
@@ -88,7 +88,7 @@ build_ssl_ctx(void)
ssl = check_data->ssl;
/* Initialize SSL context */
-#if HAVE_TLS_METHOD
+#ifdef HAVE_TLS_METHOD
ssl->meth = TLS_method();
#else
ssl->meth = SSLv23_method();
@@ -226,7 +226,7 @@ ssl_connect(thread_t * thread, int new_req)
BIO_get_fd(req->bio, &bio_fd);
fcntl(bio_fd, F_SETFD, fcntl(bio_fd, F_GETFD) | FD_CLOEXEC);
-#if HAVE_SSL_SET0_RBIO
+#ifdef HAVE_SSL_SET0_RBIO
BIO_up_ref(req->bio);
SSL_set0_rbio(req->ssl, req->bio);
SSL_set0_wbio(req->ssl, req->bio);
--
2.20.1

409
bz1688892-fix-openssl-init-configure.patch Normal file
View File

@ -0,0 +1,409 @@
--- a/configure 2018-11-12 13:40:33.000000000 -0600
+++ b/configure 2019-03-18 11:29:03.305427768 -0500
@@ -730,7 +730,6 @@
AMDEPBACKSLASH
AMDEP_FALSE
AMDEP_TRUE
-am__quote
am__include
DEPDIR
OBJEXT
@@ -790,7 +789,6 @@
docdir
oldincludedir
includedir
-runstatedir
localstatedir
sharedstatedir
sysconfdir
@@ -809,7 +807,8 @@
PACKAGE_TARNAME
PACKAGE_NAME
PATH_SEPARATOR
-SHELL'
+SHELL
+am__quote'
ac_subst_files=''
ac_user_opts='
enable_option_checking
@@ -925,7 +924,6 @@
sysconfdir='${prefix}/etc'
sharedstatedir='${prefix}/com'
localstatedir='${prefix}/var'
-runstatedir='${localstatedir}/run'
includedir='${prefix}/include'
oldincludedir='/usr/include'
docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@@ -1178,15 +1176,6 @@
| -silent | --silent | --silen | --sile | --sil)
silent=yes ;;
- -runstatedir | --runstatedir | --runstatedi | --runstated \
- | --runstate | --runstat | --runsta | --runst | --runs \
- | --run | --ru | --r)
- ac_prev=runstatedir ;;
- -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
- | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
- | --run=* | --ru=* | --r=*)
- runstatedir=$ac_optarg ;;
-
-sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
ac_prev=sbindir ;;
-sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@@ -1324,7 +1313,7 @@
for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
datadir sysconfdir sharedstatedir localstatedir includedir \
oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
- libdir localedir mandir runstatedir
+ libdir localedir mandir
do
eval ac_val=\$$ac_var
# Remove trailing slashes.
@@ -1477,7 +1466,6 @@
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
- --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
@@ -2689,7 +2677,7 @@
ac_compiler_gnu=$ac_cv_c_compiler_gnu
-am__api_version='1.15'
+am__api_version='1.16'
ac_aux_dir=
for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do
@@ -3234,8 +3222,8 @@
# For better backward compatibility. To be removed once Automake 1.9.x
# dies out for good. For more background, see:
-# <http://lists.gnu.org/archive/html/automake/2012-07/msg00001.html>
-# <http://lists.gnu.org/archive/html/automake/2012-07/msg00014.html>
+# <https://lists.gnu.org/archive/html/automake/2012-07/msg00001.html>
+# <https://lists.gnu.org/archive/html/automake/2012-07/msg00014.html>
mkdir_p='$(MKDIR_P)'
# We need awk for the "check" target (and possibly the TAP driver). The
@@ -3286,7 +3274,7 @@
Aborting the configuration process, to ensure you take notice of the issue.
You can download and install GNU coreutils to get an 'rm' implementation
-that behaves properly: <http://www.gnu.org/software/coreutils/>.
+that behaves properly: <https://www.gnu.org/software/coreutils/>.
If you want to complete the configuration process using your problematic
'rm' anyway, export the environment variable ACCEPT_INFERIOR_RM_PROGRAM
@@ -4650,45 +4638,45 @@
ac_config_commands="$ac_config_commands depfiles"
-
-am_make=${MAKE-make}
-cat > confinc << 'END'
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ${MAKE-make} supports the include directive" >&5
+$as_echo_n "checking whether ${MAKE-make} supports the include directive... " >&6; }
+cat > confinc.mk << 'END'
am__doit:
- @echo this is the am__doit target
+ @echo this is the am__doit target >confinc.out
.PHONY: am__doit
END
-# If we don't find an include directive, just comment out the code.
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for style of include used by $am_make" >&5
-$as_echo_n "checking for style of include used by $am_make... " >&6; }
am__include="#"
am__quote=
-_am_result=none
-# First try GNU make style include.
-echo "include confinc" > confmf
-# Ignore all kinds of additional output from 'make'.
-case `$am_make -s -f confmf 2> /dev/null` in #(
-*the\ am__doit\ target*)
- am__include=include
- am__quote=
- _am_result=GNU
- ;;
-esac
-# Now try BSD make style include.
-if test "$am__include" = "#"; then
- echo '.include "confinc"' > confmf
- case `$am_make -s -f confmf 2> /dev/null` in #(
- *the\ am__doit\ target*)
- am__include=.include
- am__quote="\""
- _am_result=BSD
+# BSD make does it like this.
+echo '.include "confinc.mk" # ignored' > confmf.BSD
+# Other make implementations (GNU, Solaris 10, AIX) do it like this.
+echo 'include confinc.mk # ignored' > confmf.GNU
+_am_result=no
+for s in GNU BSD; do
+ { echo "$as_me:$LINENO: ${MAKE-make} -f confmf.$s && cat confinc.out" >&5
+ (${MAKE-make} -f confmf.$s && cat confinc.out) >&5 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+ case $?:`cat confinc.out 2>/dev/null` in #(
+ '0:this is the am__doit target') :
+ case $s in #(
+ BSD) :
+ am__include='.include' am__quote='"' ;; #(
+ *) :
+ am__include='include' am__quote='' ;;
+esac ;; #(
+ *) :
;;
- esac
-fi
-
-
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $_am_result" >&5
-$as_echo "$_am_result" >&6; }
-rm -f confinc confmf
+esac
+ if test "$am__include" != "#"; then
+ _am_result="yes ($s style)"
+ break
+ fi
+done
+rm -f confinc.* confmf.*
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: ${_am_result}" >&5
+$as_echo "${_am_result}" >&6; }
# Check whether --enable-dependency-tracking was given.
if test "${enable_dependency_tracking+set}" = set; then :
@@ -7506,8 +7494,8 @@
done
-# SSL_set0_rbio(), SSL_set0_wbio() and OPENSSL_init_crypto() introduced OpenSSL v1.1.0
-for ac_func in SSL_set0_rbio OPENSSL_init_crypto
+# SSL_set0_rbio(), SSL_set0_wbio() OPENSSL_init_crypto() and TLS_method() introduced OpenSSL v1.1.0
+for ac_func in SSL_set0_rbio OPENSSL_init_crypto TLS_method
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -7520,19 +7508,62 @@
done
-# TLS_method() introduced OpenSSL v1.1.0
-for ac_func in TLS_method
-do :
- ac_fn_c_check_func "$LINENO" "TLS_method" "ac_cv_func_TLS_method"
-if test "x$ac_cv_func_TLS_method" = xyes; then :
- cat >>confdefs.h <<_ACEOF
-#define HAVE_TLS_METHOD 1
-_ACEOF
+# In OpenSSL v1.1.1 the call to SSL_CTX_new() fails if OPENSSL_init_crypto() has been called with
+# OPENSSL_INIT_NO_LOAD_CONFIG. It does not fail in v1.1.0h and v1.1.1b.
+if test .$ac_cv_func_OPENSSL_init_crypto = .yes; then :
+ if test .$ac_cv_func_TLS_method = .yes; then :
+ method_func=TLS_method
+else
+ method_func=SSLv23_method
fi
-done
+ if test "$cross_compiling" = yes; then :
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Cannot determine if need to OPENSSL_init_crypto() problem. Assuming yes for safety." >&5
+$as_echo "$as_me: WARNING: Cannot determine if need to OPENSSL_init_crypto() problem. Assuming yes for safety." >&2;}
+ openssl_init_no_load_bug=1
+
+
+else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#include <openssl/ssl.h>
+int
+main ()
+{
+
+ const SSL_METHOD *meth;
+ SSL_CTX *ctx;
+
+ if (!OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL))
+ return 1;
+ /* Initialize SSL context */
+ meth = $method_func();
+ if (!(ctx = SSL_CTX_new(meth)))
+ return 1;
+ return 0;
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_run "$LINENO"; then :
+ openssl_init_no_load_bug=0
+else
+ openssl_init_no_load_bug=1
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+ conftest.$ac_objext conftest.beam conftest.$ac_ext
+fi
+
+ if test $openssl_init_no_load_bug -eq 1; then :
+
+$as_echo "#define HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG 1 " >>confdefs.h
+
+fi
+
+fi
unset LIBS
if test $BUILD_GENHASH = No; then
@@ -12695,7 +12726,7 @@
#
# INIT-COMMANDS
#
-AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir"
+AMDEP_TRUE="$AMDEP_TRUE" MAKE="${MAKE-make}"
_ACEOF
@@ -13322,29 +13353,35 @@
# Older Autoconf quotes --file arguments for eval, but not when files
# are listed without --file. Let's play safe and only enable the eval
# if we detect the quoting.
- case $CONFIG_FILES in
- *\'*) eval set x "$CONFIG_FILES" ;;
- *) set x $CONFIG_FILES ;;
- esac
+ # TODO: see whether this extra hack can be removed once we start
+ # requiring Autoconf 2.70 or later.
+ case $CONFIG_FILES in #(
+ *\'*) :
+ eval set x "$CONFIG_FILES" ;; #(
+ *) :
+ set x $CONFIG_FILES ;; #(
+ *) :
+ ;;
+esac
shift
- for mf
+ # Used to flag and report bootstrapping failures.
+ am_rc=0
+ for am_mf
do
# Strip MF so we end up with the name of the file.
- mf=`echo "$mf" | sed -e 's/:.*$//'`
- # Check whether this is an Automake generated Makefile or not.
- # We used to match only the files named 'Makefile.in', but
- # some people rename them; so instead we look at the file content.
- # Grep'ing the first line is not enough: some people post-process
- # each Makefile.in and add a new line on top of each file to say so.
- # Grep'ing the whole file is not good either: AIX grep has a line
+ am_mf=`$as_echo "$am_mf" | sed -e 's/:.*$//'`
+ # Check whether this is an Automake generated Makefile which includes
+ # dependency-tracking related rules and includes.
+ # Grep'ing the whole file directly is not great: AIX grep has a line
# limit of 2048, but all sed's we know have understand at least 4000.
- if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then
- dirpart=`$as_dirname -- "$mf" ||
-$as_expr X"$mf" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
- X"$mf" : 'X\(//\)[^/]' \| \
- X"$mf" : 'X\(//\)$' \| \
- X"$mf" : 'X\(/\)' \| . 2>/dev/null ||
-$as_echo X"$mf" |
+ sed -n 's,^am--depfiles:.*,X,p' "$am_mf" | grep X >/dev/null 2>&1 \
+ || continue
+ am_dirpart=`$as_dirname -- "$am_mf" ||
+$as_expr X"$am_mf" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+ X"$am_mf" : 'X\(//\)[^/]' \| \
+ X"$am_mf" : 'X\(//\)$' \| \
+ X"$am_mf" : 'X\(/\)' \| . 2>/dev/null ||
+$as_echo X"$am_mf" |
sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
s//\1/
q
@@ -13362,53 +13399,48 @@
q
}
s/.*/./; q'`
- else
- continue
- fi
- # Extract the definition of DEPDIR, am__include, and am__quote
- # from the Makefile without running 'make'.
- DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"`
- test -z "$DEPDIR" && continue
- am__include=`sed -n 's/^am__include = //p' < "$mf"`
- test -z "$am__include" && continue
- am__quote=`sed -n 's/^am__quote = //p' < "$mf"`
- # Find all dependency output files, they are included files with
- # $(DEPDIR) in their names. We invoke sed twice because it is the
- # simplest approach to changing $(DEPDIR) to its actual value in the
- # expansion.
- for file in `sed -n "
- s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \
- sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g'`; do
- # Make sure the directory exists.
- test -f "$dirpart/$file" && continue
- fdir=`$as_dirname -- "$file" ||
-$as_expr X"$file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
- X"$file" : 'X\(//\)[^/]' \| \
- X"$file" : 'X\(//\)$' \| \
- X"$file" : 'X\(/\)' \| . 2>/dev/null ||
-$as_echo X"$file" |
- sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
- s//\1/
- q
- }
- /^X\(\/\/\)[^/].*/{
+ am_filepart=`$as_basename -- "$am_mf" ||
+$as_expr X/"$am_mf" : '.*/\([^/][^/]*\)/*$' \| \
+ X"$am_mf" : 'X\(//\)$' \| \
+ X"$am_mf" : 'X\(/\)' \| . 2>/dev/null ||
+$as_echo X/"$am_mf" |
+ sed '/^.*\/\([^/][^/]*\)\/*$/{
s//\1/
q
}
- /^X\(\/\/\)$/{
+ /^X\/\(\/\/\)$/{
s//\1/
q
}
- /^X\(\/\).*/{
+ /^X\/\(\/\).*/{
s//\1/
q
}
s/.*/./; q'`
- as_dir=$dirpart/$fdir; as_fn_mkdir_p
- # echo "creating $dirpart/$file"
- echo '# dummy' > "$dirpart/$file"
- done
+ { echo "$as_me:$LINENO: cd "$am_dirpart" \
+ && sed -e '/# am--include-marker/d' "$am_filepart" \
+ | $MAKE -f - am--depfiles" >&5
+ (cd "$am_dirpart" \
+ && sed -e '/# am--include-marker/d' "$am_filepart" \
+ | $MAKE -f - am--depfiles) >&5 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } || am_rc=$?
done
+ if test $am_rc -ne 0; then
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "Something went wrong bootstrapping makefile fragments
+ for automatic dependency tracking. Try re-running configure with the
+ '--disable-dependency-tracking' option to at least be able to build
+ the package (albeit without support for automatic dependency tracking).
+See \`config.log' for more details" "$LINENO" 5; }
+ fi
+ { am_dirpart=; unset am_dirpart;}
+ { am_filepart=; unset am_filepart;}
+ { am_mf=; unset am_mf;}
+ { am_rc=; unset am_rc;}
+ rm -f conftest-deps.mk
}
;;

81
bz1688892-fix-openssl-init-failure.patch Normal file
View File

@ -0,0 +1,81 @@
From aeec0e2cda5c440fdd3c5bea20ed7567bea540e1 Mon Sep 17 00:00:00 2001
From: Quentin Armitage <quentin@armitage.org.uk>
Date: Tue, 12 Mar 2019 14:58:38 +0000
Subject: [PATCH 1/3] Fix OpenSSL init failure with OpenSSL v1.1.1
OpenSSL v1.1.1, but not v1.1.0h or v1.1.1b failed in SSL_CTX_new()
if OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG) had previously
been called.
This commit doesn't call OPENSSL_init_crypto() if doing so causes
SSL_CTX_new() to fail.
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
---
configure.ac | 30 ++++++++++++++++++++++++++++++
keepalived/check/check_ssl.c | 6 ++++++
2 files changed, 36 insertions(+)
diff --git a/configure.ac b/configure.ac
index 89399ca3..504b9b92 100644
--- a/configure.ac
+++ b/configure.ac
@@ -819,6 +819,36 @@ AC_CHECK_FUNCS([SSL_set0_rbio OPENSSL_init_crypto])
# TLS_method() introduced OpenSSL v1.1.0
AC_CHECK_FUNCS([TLS_method])
+# In OpenSSL v1.1.1 the call to SSL_CTX_new() fails if OPENSSL_init_crypto() has been called with
+# OPENSSL_INIT_NO_LOAD_CONFIG. It does not fail in v1.1.0h and v1.1.1b.
+AS_IF([test .$ac_cv_func_OPENSSL_init_crypto = .yes -a .$ac_cv_func_TLS_method = .yes],
+ [
+ AC_RUN_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[#include <openssl/ssl.h>]],
+ [[
+ const SSL_METHOD *meth;
+ SSL_CTX *ctx;
+
+ if (!OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL))
+ return 1;
+
+ /* Initialize SSL context */
+ meth = TLS_method();
+ if (!(ctx = SSL_CTX_new(meth)))
+ return 1;
+ return 0;
+ ]])],
+ [openssl_init_no_load_bug=0],
+ [openssl_init_no_load_bug=1],
+ [
+ AC_MSG_WARN([Cannot determine if need to OPENSSL_init_crypto() problem. Assuming yes for safety.])
+ openssl_init_no_load_bug=1
+ ]
+ )
+ AS_IF([test $openssl_init_no_load_bug -eq 1],
+ [AC_DEFINE([HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG], [ 1 ], [Define to 1 if OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG) bug)])])
+ ])
unset LIBS
if test $BUILD_GENHASH = No; then
diff --git a/keepalived/check/check_ssl.c b/keepalived/check/check_ssl.c
index 6bf6a005..2743ea87 100644
--- a/keepalived/check/check_ssl.c
+++ b/keepalived/check/check_ssl.c
@@ -69,8 +69,14 @@ build_ssl_ctx(void)
/* Library initialization */
#if HAVE_OPENSSL_INIT_CRYPTO
+#ifndef HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG
+ /* In OpenSSL v1.1.1 if the following is called, SSL_CTX_new() below fails.
+ * It works in v1.1.0h and v1.1.1b.
+ * It transpires that it works without setting NO_LOAD_CONFIG, but it is
+ * presumably more efficient not to load it. */
if (!OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL))
log_message(LOG_INFO, "OPENSSL_init_crypto failed");
+#endif
#else
SSL_library_init();
SSL_load_error_strings();
--
2.20.1

72
bz1688892-fix-openssl-init-genhash.patch Normal file
View File

@ -0,0 +1,72 @@
From 5e1a2130340ea4fabc4095b412c8b3836d112828 Mon Sep 17 00:00:00 2001
From: Quentin Armitage <quentin@armitage.org.uk>
Date: Wed, 13 Mar 2019 09:46:27 +0000
Subject: [PATCH 2/3] Fix genhash re OPENSSL_init_crypto bug and improve
configure.ac
Commit fe6d6ac (Fix OpenSSL init failure with OpenSSL v1.1.1) didn't
update the identical code in genhash/ssl.c. Also, an improvement for
the test in configure.ac was suggested.
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
---
configure.ac | 12 +++++-------
genhash/ssl.c | 6 ++++++
2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/configure.ac b/configure.ac
index 504b9b92..c964a11e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -813,16 +813,14 @@ AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
# SSL_CTX_set_verify_depth() introduced OpenSSL v0.9.5a
AC_CHECK_FUNCS([SSL_CTX_set_verify_depth])
-# SSL_set0_rbio(), SSL_set0_wbio() and OPENSSL_init_crypto() introduced OpenSSL v1.1.0
-AC_CHECK_FUNCS([SSL_set0_rbio OPENSSL_init_crypto])
-
-# TLS_method() introduced OpenSSL v1.1.0
-AC_CHECK_FUNCS([TLS_method])
+# SSL_set0_rbio(), SSL_set0_wbio() OPENSSL_init_crypto() and TLS_method() introduced OpenSSL v1.1.0
+AC_CHECK_FUNCS([SSL_set0_rbio OPENSSL_init_crypto TLS_method])
# In OpenSSL v1.1.1 the call to SSL_CTX_new() fails if OPENSSL_init_crypto() has been called with
# OPENSSL_INIT_NO_LOAD_CONFIG. It does not fail in v1.1.0h and v1.1.1b.
-AS_IF([test .$ac_cv_func_OPENSSL_init_crypto = .yes -a .$ac_cv_func_TLS_method = .yes],
+AS_IF([test .$ac_cv_func_OPENSSL_init_crypto = .yes],
[
+ AS_IF([test .$ac_cv_func_TLS_method = .yes], [method_func=TLS_method], [method_func=SSLv23_method])
AC_RUN_IFELSE(
[AC_LANG_PROGRAM(
[[#include <openssl/ssl.h>]],
@@ -834,7 +832,7 @@ AS_IF([test .$ac_cv_func_OPENSSL_init_crypto = .yes -a .$ac_cv_func_TLS_method =
return 1;
/* Initialize SSL context */
- meth = TLS_method();
+ meth = $method_func();
if (!(ctx = SSL_CTX_new(meth)))
return 1;
return 0;
diff --git a/genhash/ssl.c b/genhash/ssl.c
index 8e9162c8..96f51201 100644
--- a/genhash/ssl.c
+++ b/genhash/ssl.c
@@ -45,8 +45,14 @@ init_ssl(void)
{
/* Library initialization */
#if HAVE_OPENSSL_INIT_CRYPTO
+#ifndef HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG
+ /* In OpenSSL v1.1.1 if the following is called, SSL_CTX_new() below fails.
+ * It works in v1.1.0h and v1.1.1b.
+ * It transpires that it works without setting NO_LOAD_CONFIG, but it is
+ * presumably more efficient not to load it. */
if (!OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL))
fprintf(stderr, "OPENSSL_init_crypto failed\n");
+#endif
#else
SSL_library_init();
SSL_load_error_strings();
--
2.20.1

26
bz1693706-fix-smtp-alerts-segfault.patch Normal file
View File

@ -0,0 +1,26 @@
From fdb1739356f723a4e9e4f8b52c37d193a3a5c6e3 Mon Sep 17 00:00:00 2001
From: Quentin Armitage <quentin@armitage.org.uk>
Date: Tue, 27 Nov 2018 10:57:37 +0000
Subject: [PATCH] Fix segfault when smtp alerts configured
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
---
keepalived/core/global_data.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/keepalived/core/global_data.c b/keepalived/core/global_data.c
index 6e872dcf..cd381d9b 100644
--- a/keepalived/core/global_data.c
+++ b/keepalived/core/global_data.c
@@ -253,7 +253,7 @@ init_global_data(data_t * data, data_t *old_global_data)
if (!data->smtp_connection_to)
set_default_smtp_connection_timeout(data);
- if (strcmp(data->local_name, unknown_name)) {
+ if (data->local_name && strcmp(data->local_name, unknown_name)) {
if (!data->email_from)
set_default_email_from(data, data->local_name);
--
2.20.1

39
bz1693706-fix-smtp_helo_name-double-free.patch Normal file
View File

@ -0,0 +1,39 @@
From e91583fb20b584621dd48031bef68279945f7aa6 Mon Sep 17 00:00:00 2001
From: Quentin Armitage <quentin@armitage.org.uk>
Date: Tue, 20 Nov 2018 13:03:55 +0000
Subject: [PATCH] Fix double free when global data smtp_helo_name copied from
local_name
Issue #1071 identified a double free fault. It occurred when smtp_helo_name
was not set, in which case it was set to point to the same malloc'd memory
as local_name. At termination keepalived freed both local_name and
smtp_helo_name.
If keepalived needs to use local_name for smtp_helo_name it now malloc's
aadditional memory to copy the string into.
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
---
keepalived/core/global_data.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/keepalived/core/global_data.c b/keepalived/core/global_data.c
index cd381d9b..be9fecbd 100644
--- a/keepalived/core/global_data.c
+++ b/keepalived/core/global_data.c
@@ -257,8 +257,10 @@ init_global_data(data_t * data, data_t *old_global_data)
if (!data->email_from)
set_default_email_from(data, data->local_name);
- if (!data->smtp_helo_name)
- data->smtp_helo_name = data->local_name;
+ if (!data->smtp_helo_name) {
+ data->smtp_helo_name = MALLOC(strlen(data->local_name) + 1);
+ strcpy(data->smtp_helo_name, data->local_name);
+ }
}
}
--
2.20.1

34
bz1792160-fix-fault-rename-interface.patch Normal file
View File

@ -0,0 +1,34 @@
From 30eeb48b1a0737dc7443fd421fd6613e0d55fd17 Mon Sep 17 00:00:00 2001
From: "Z. Liu" <liuzx@knownsec.com>
Date: Tue, 18 Dec 2018 16:38:24 +0800
Subject: [PATCH] Also skip route not configured with down interface
Otherwise, if keepalived has virtual_routes configured, we create
a virtual interface and bring it up and down, current code will bring
VRRP state to FAULT and never return.
# ip tun add test mode ipip remote 10.0.0.1 local 10.0.0.2
# ip link set test up
# ip link set test down
---
keepalived/vrrp/vrrp_if.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/keepalived/vrrp/vrrp_if.c b/keepalived/vrrp/vrrp_if.c
index a2087ceb..6ae2666a 100644
--- a/keepalived/vrrp/vrrp_if.c
+++ b/keepalived/vrrp/vrrp_if.c
@@ -1051,7 +1051,9 @@ interface_down(interface_t *ifp)
/* Any route that has an oif will be tracking the interface,
* so we only need to check for routes that dont specify an
* oif */
- if (!route->oif && route->configured_ifindex != ifp->ifindex)
+ /* Don't track route if it's not configured with this down
+ * interface. */
+ if (!route->oif || route->configured_ifindex != ifp->ifindex)
continue;
route->set = false;
--
2.24.1

110
keepalived.init Normal file
View File

@ -0,0 +1,110 @@
#!/bin/sh
#
# keepalived High Availability monitor built upon LVS and VRRP
#
# chkconfig: - 86 14
# description: Robust keepalive facility to the Linux Virtual Server project \
# with multilayer TCP/IP stack checks.
### BEGIN INIT INFO
# Provides: keepalived
# Required-Start: $local_fs $network $named $syslog
# Required-Stop: $local_fs $network $named $syslog
# Should-Start: smtpdaemon httpd
# Should-Stop: smtpdaemon httpd
# Default-Start:
# Default-Stop: 0 1 2 3 4 5 6
# Short-Description: High Availability monitor built upon LVS and VRRP
# Description: Robust keepalive facility to the Linux Virtual Server
# project with multilayer TCP/IP stack checks.
### END INIT INFO
# Source function library.
. /etc/rc.d/init.d/functions
exec="/usr/sbin/keepalived"
prog="keepalived"
config="/etc/keepalived/keepalived.conf"
[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
lockfile=/var/lock/subsys/$prog
start() {
[ -x $exec ] || exit 5
[ -e $config ] || exit 6
echo -n $"Starting $prog: "
daemon $exec $KEEPALIVED_OPTIONS
retval=$?
echo
[ $retval -eq 0 ] && touch $lockfile
return $retval
}
stop() {
echo -n $"Stopping $prog: "
killproc $prog
retval=$?
echo
[ $retval -eq 0 ] && rm -f $lockfile
return $retval
}
restart() {
stop
start
}
reload() {
echo -n $"Reloading $prog: "
killproc $prog -1
retval=$?
echo
return $retval
}
force_reload() {
restart
}
rh_status() {
status $prog
}
rh_status_q() {
rh_status &>/dev/null
}
case "$1" in
start)
rh_status_q && exit 0
$1
;;
stop)
rh_status_q || exit 0
$1
;;
restart)
$1
;;
reload)
rh_status_q || exit 7
$1
;;
force-reload)
force_reload
;;
status)
rh_status
;;
condrestart|try-restart)
rh_status_q || exit 0
restart
;;
*)
echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
exit 2
esac
exit $?

17
tests/keepalived.conf.in Normal file
View File

@ -0,0 +1,17 @@
global_defs {
router_id TEST
}
vrrp_instance VRRP {
state MASTER
priority 100
advert_int 1
interface eth0
virtual_router_id 100
virtual_ipaddress {
$VIP_INCLUDE
}
virtual_ipaddress_excluded {
$VIP_EXCLUDE
}
}

91
tests/run_tests.sh Executable file
View File

@ -0,0 +1,91 @@
#!/bin/sh
export VIP_INCLUDE="192.168.1.101"
export VIP_EXCLUDE="192.168.1.102"
echo -ne "[debug]: setting up config file ... "
envsubst '${VIP_INCLUDE},${VIP_EXCLUDE}' < ./keepalived.conf.in > /etc/keepalived/keepalived.conf
if [ $? -ne 0 ] ; then
echo "FAIL"
exit 1
else
echo "OK"
fi
echo -ne "[debug]: starting service ... "
systemctl start keepalived
if [ $? -ne 0 ] ; then
echo "FAIL"
exit 1
else
echo "OK"
fi
echo -ne "[debug]: checking service active ... "
systemctl -q is-active keepalived
if [ $? -ne 0 ] ; then
echo "FAIL"
exit 1
else
echo "OK"
fi
sleep 5
echo -ne "[debug]: checking included VIP ... "
ip addr show eth0 | grep -q ${VIP_INCLUDE}
if [ $? -ne 0 ] ; then
echo "FAIL"
exit 1
else
echo "OK"
fi
echo -ne "[debug]: checking excluded VIP ... "
ip addr show eth0 | grep -q ${VIP_EXCLUDE}
if [ $? -ne 0 ] ; then
echo "FAIL"
exit 1
else
echo "OK"
fi
echo -ne "[debug]: stopping service ... "
systemctl stop keepalived
if [ $? -ne 0 ] ; then
echo "FAIL"
exit 1
else
echo "OK"
fi
echo -ne "[debug]: checking service inactive ... "
systemctl -q is-active keepalived
if [ $? -ne 3 ] ; then
echo "FAIL"
exit 1
else
echo "OK"
fi
sleep 5
echo -ne "[debug]: checking include VIP ... "
ip addr show eth0 | grep -q ${VIP_INCLUDE}
if [ $? -ne 1 ] ; then
echo "FAIL"
exit 1
else
echo "OK"
fi
echo -ne "[debug]: checking exclude VIP ... "
ip addr show eth0 | grep -q ${VIP_EXCLUDE}
if [ $? -ne 1 ] ; then
echo "FAIL"
exit 1
else
echo "OK"
fi
exit 0

11
tests/tests.yml Normal file
View File

@ -0,0 +1,11 @@
- hosts: localhost
roles:
- role: standard-test-basic
tags:
- classic
tests:
- simple:
dir: .
run: ./run_tests.sh
required_packages:
- gettext