Conditionally enable SSL engine APIs

Than Ngo 2024-03-13 10:23:42 +01:00
parent e213f27760
commit 2e7ff4d683
2 changed files with 158 additions and 1 deletions


@ -19,7 +19,7 @@
Name: %{libname}
Summary: Client library for AMQP
Version: 0.13.0
Release: 5%{?dist}
Release: 6%{?dist}
License: MIT
URL: https://github.com/alanxz/rabbitmq-c
@ -27,6 +27,7 @@ Source0: https://github.com/%{gh_owner}/%{gh_project}/archive/%{gh_commit}/%{g
# CVE-2023-35789, https://github.com/alanxz/rabbitmq-c/pull/781
Patch0: rabbitmq-c-CVE-2023-35789.patch
Patch1: rabbitmq-c-conditionally_enable_ssl_engine_apis.patch
BuildRequires: gcc
BuildRequires: cmake > 3.12
@ -70,6 +71,7 @@ amqp-publish Publish a message on an AMQP server
%prep
%setup -q -n %{gh_project}-%{gh_commit}
%patch -P0 -p1
%patch -P1 -p1
# Copy sources to be included in -devel docs.
cp -pr examples Examples
@ -148,6 +150,9 @@ make test
%changelog
* Wed Mar 13 2024 Than Ngo <than@redhat.com> - 0.13.0-6
- Conditionally enable SSL engine APIs
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.13.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
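Review bot: The new `Patch1:` line carries no provenance comment, whereas `Patch0:` directly above it records the CVE and the upstream pull request it was taken from; a line such as `# Conditionally enable SSL engine APIs (OpenSSL ENGINE is deprecated); upstream: <PR-or-issue-URL>` placed above `Patch1:` would let the next maintainer check whether the change has landed upstream before rebasing to a new release. The changelog entry could also say what changes for users, e.g. `- Conditionally enable SSL engine APIs; engine calls return AMQP_STATUS_SSL_UNIMPLEMENTED when OpenSSL lacks ENGINE`, since the patch alters the library's observable behavior and not only its build.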


@ -0,0 +1,152 @@
diff -up rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/cmake/config.h.in.orig rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/cmake/config.h.in
--- rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/cmake/config.h.in.orig 2023-02-06 01:31:11.000000000 +0100
+++ rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/cmake/config.h.in 2024-03-05 15:42:21.611143615 +0100
@@ -7,4 +7,6 @@
#define AMQ_PLATFORM "@CMAKE_SYSTEM_NAME@"
+#cmakedefine ENABLE_SSL_ENGINE_API
+
#endif /* CONFIG_H */
diff -up rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/CMakeLists.txt.orig rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/CMakeLists.txt
--- rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/CMakeLists.txt.orig 2023-02-06 01:31:11.000000000 +0100
+++ rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/CMakeLists.txt 2024-03-05 15:42:21.610143596 +0100
@@ -42,6 +42,7 @@ endif()
include(CheckSymbolExists)
include(CheckLibraryExists)
+include(CMakeDependentOption)
include(CMakePushCheckState)
include(GNUInstallDirs)
@@ -119,14 +120,19 @@ if (ENABLE_SSL_SUPPORT)
set(THREADS_PREFER_PTHREAD_FLAG ON)
find_package(Threads REQUIRED)
cmake_pop_check_state()
+
+ cmake_push_check_state()
+ set(CMAKE_REQUIRED_LIBRARIES OpenSSL::SSL)
+ check_symbol_exists(ENGINE_new openssl/engine.h HAS_OPENSSL_ENGINE)
+ cmake_pop_check_state()
+
+ cmake_dependent_option(ENABLE_SSL_ENGINE_API "Enable support for deprecated OpenSSL ENGINE feature" ON "HAS_OPENSSL_ENGINE" OFF)
endif()
if(CMAKE_PROJECT_NAME STREQUAL PROJECT_NAME)
include(CTest)
endif()
-include(CMakeDependentOption)
-
option(BUILD_SHARED_LIBS "Build rabbitmq-c as a shared library" ON)
option(BUILD_STATIC_LIBS "Build rabbitmq-c as a static library" ON)
option(INSTALL_STATIC_LIBS "Install rabbitmq-c static library" ON)
diff -up rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/include/rabbitmq-c/amqp.h.orig rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/include/rabbitmq-c/amqp.h
--- rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/include/rabbitmq-c/amqp.h.orig 2023-02-06 01:31:11.000000000 +0100
+++ rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/include/rabbitmq-c/amqp.h 2024-03-05 15:42:21.612143634 +0100
@@ -670,7 +670,8 @@ typedef enum amqp_status_enum_ {
certificate failed. */
AMQP_STATUS_SSL_CONNECTION_FAILED = -0x0203, /**< SSL handshake failed. */
AMQP_STATUS_SSL_SET_ENGINE_FAILED = -0x0204, /**< SSL setting engine failed */
- _AMQP_STATUS_SSL_NEXT_VALUE = -0x0205 /**< Internal value */
+ AMQP_STATUS_SSL_UNIMPLEMENTED = -0x0205, /**< SSL API is not implemented. */
+ _AMQP_STATUS_SSL_NEXT_VALUE = -0x0206 /**< Internal value */
} amqp_status_enum;
/**
diff -up rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/include/rabbitmq-c/ssl_socket.h.orig rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/include/rabbitmq-c/ssl_socket.h
--- rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/include/rabbitmq-c/ssl_socket.h.orig 2023-02-06 01:31:11.000000000 +0100
+++ rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/include/rabbitmq-c/ssl_socket.h 2024-03-05 15:42:21.612143634 +0100
@@ -102,7 +102,8 @@ int AMQP_CALL amqp_ssl_socket_set_key(am
* \param [in] the key ID.
*
* \return \ref AMQP_STATUS_OK on success an \ref amqp_status_enum value on
- * failure.
+ * failure. May return \ref AMQP_STATUS_SSL_UNIMPLEMENTED if OpenSSL does
+ * not support the ENGINE API.
*
* \since v0.11.0
*/
@@ -262,7 +263,8 @@ int AMQP_CALL amqp_initialize_ssl_librar
* has been called.
*
* \param [in] engine the engine ID
- * \return AMQP_STATUS_OK on success.
+ * \return AMQP_STATUS_OK on success. May return \ref AMQP_STATUS_SSL_UNIMPLEMENTED
+ * if OpenSSL does not support the ENGINE API.
*
* \since v0.11.0
*/
diff -up rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/librabbitmq/amqp_api.c.orig rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/librabbitmq/amqp_api.c
--- rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/librabbitmq/amqp_api.c.orig 2023-02-06 01:31:11.000000000 +0100
+++ rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/librabbitmq/amqp_api.c 2024-03-05 15:42:21.612143634 +0100
@@ -85,7 +85,9 @@ static const char *ssl_error_strings[] =
/* AMQP_STATUS_SSL_CONNECTION_FAILED -0x0203 */
"SSL handshake failed",
/* AMQP_STATUS_SSL_SET_ENGINE_FAILED -0x0204 */
- "SSL setting engine failed"};
+ "SSL setting engine failed",
+ /* AMQP_STATUS_SSL_UNIMPLEMENTED -0x0204 */
+ "SSL API is not implemented"};
static const char *unknown_error_string = "(unknown error)";
diff -up rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/librabbitmq/amqp_openssl.c.orig rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/librabbitmq/amqp_openssl.c
--- rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/librabbitmq/amqp_openssl.c.orig 2023-02-06 01:31:11.000000000 +0100
+++ rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/librabbitmq/amqp_openssl.c 2024-03-05 15:42:21.613143653 +0100
@@ -23,7 +23,9 @@
#include <limits.h>
#include <openssl/bio.h>
#include <openssl/conf.h>
+#ifdef ENABLE_SSL_ENGINE_API
#include <openssl/engine.h>
+#endif
#include <openssl/err.h>
#include <openssl/ssl.h>
#include <openssl/x509v3.h>
@@ -36,7 +38,9 @@ static int decrement_ssl_connections(voi
static pthread_mutex_t openssl_init_mutex = PTHREAD_MUTEX_INITIALIZER;
static amqp_boolean_t openssl_bio_initialized = 0;
static int openssl_connections = 0;
+#ifdef ENABLE_SSL_ENGINE_API
static ENGINE *openssl_engine = NULL;
+#endif
#define CHECK_SUCCESS(condition) \
do { \
@@ -391,6 +395,7 @@ int amqp_ssl_socket_set_key(amqp_socket_
int amqp_ssl_socket_set_key_engine(amqp_socket_t *base, const char *cert,
const char *key) {
+#ifdef ENABLE_SSL_ENGINE_API
int status;
struct amqp_ssl_socket_t *self;
EVP_PKEY *pkey = NULL;
@@ -415,6 +420,9 @@ int amqp_ssl_socket_set_key_engine(amqp_
return AMQP_STATUS_SSL_ERROR;
}
return AMQP_STATUS_OK;
+#else
+ return AMQP_STATUS_SSL_UNIMPLEMENTED;
+#endif
}
static int password_cb(AMQP_UNUSED char *buffer, AMQP_UNUSED int length,
@@ -580,6 +588,7 @@ void amqp_set_initialize_ssl_library(amq
int amqp_initialize_ssl_library(void) { return AMQP_STATUS_OK; }
int amqp_set_ssl_engine(const char *engine) {
+#ifdef ENABLE_SSL_ENGINE_API
int status = AMQP_STATUS_OK;
CHECK_SUCCESS(pthread_mutex_lock(&openssl_init_mutex));
@@ -609,6 +618,9 @@ int amqp_set_ssl_engine(const char *engi
out:
CHECK_SUCCESS(pthread_mutex_unlock(&openssl_init_mutex));
return status;
+#else
+ return AMQP_STATUS_SSL_UNIMPLEMENTED;
+#endif
}
static int initialize_ssl_and_increment_connections() {
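Review bot: The comment added to the ssl_error_strings table in amqp_api.c reads `/* AMQP_STATUS_SSL_UNIMPLEMENTED -0x0204 */`, but the enum change in amqp.h assigns AMQP_STATUS_SSL_UNIMPLEMENTED the value -0x0205 (-0x0204 is AMQP_STATUS_SSL_SET_ENGINE_FAILED); it should be `/* AMQP_STATUS_SSL_UNIMPLEMENTED -0x0205 */` so the position-to-status mapping of the table stays auditable. In amqp_openssl.c the new `#else` branches of amqp_ssl_socket_set_key_engine and amqp_set_ssl_engine leave `base`, `cert`, `key` and `engine` unreferenced, which will trip -Wunused-parameter on builds without the ENGINE API; adding `(void)base; (void)cert; (void)key;` and `(void)engine;` before the respective `return AMQP_STATUS_SSL_UNIMPLEMENTED;` keeps such builds warning-clean. Both of those functions begin or end outside the hunks shown. The `#ifdef ENABLE_SSL_ENGINE_API` guards only work if amqp_openssl.c includes the generated config.h ahead of these lines, which this patch does not show; if it does not, ENGINE support is silently compiled out even when the cmake check succeeded, and callers relying on engine-backed keys would only discover it at runtime, so that include is worth confirming.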