rpms
/
librabbitmq
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- update to 0.14.0 

- fix rpminspect rpmdeps
- fix gating-yaml-checks

Related: RHEL-31259
This commit is contained in:
Than Ngo 2024-04-03 16:05:07 +02:00
parent cb4cdbd1c3
commit 519467800d
6 changed files with 22 additions and 290 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -17,3 +17,4 @@ clog
/rabbitmq-c-0.11.0-a64c08c.tar.gz
/rabbitmq-c-0.12.0-675afc2.tar.gz
/rabbitmq-c-0.13.0-974d71a.tar.gz
/rabbitmq-c-0.14.0-124722b.tar.gz

7
gating.yaml Normal file
View File

@ -0,0 +1,7 @@
#gating rhel
--- !Policy
product_versions:
- rhel-*
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

25
librabbitmq.spec
View File

@ -9,7 +9,7 @@
%bcond_without tests
%global gh_commit 974d71adceae6d742ae20a4c880d99c131f1460a
%global gh_commit 124722b5045baa41a24ce2e2d7c52a47467e7ac0
%global gh_short %(c=%{gh_commit}; echo ${c:0:7})
%global gh_owner alanxz
%global gh_project rabbitmq-c
@ -18,22 +18,18 @@
Name: %{libname}
Summary: Client library for AMQP
Version: 0.13.0
Release: 6%{?dist}
Version: 0.14.0
Release: 1%{?dist}
License: MIT
URL: https://github.com/alanxz/rabbitmq-c
Source0: https://github.com/%{gh_owner}/%{gh_project}/archive/%{gh_commit}/%{gh_project}-%{version}-%{gh_short}.tar.gz
# CVE-2023-35789, https://github.com/alanxz/rabbitmq-c/pull/781
Patch0: rabbitmq-c-CVE-2023-35789.patch
Patch1: rabbitmq-c-conditionally_enable_ssl_engine_apis.patch
BuildRequires: gcc
BuildRequires: cmake > 3.12
BuildRequires: cmake >= 3.12
BuildRequires: openssl-devel >= 1.1.1
# For tools
BuildRequires: popt-devel > 1.14
BuildRequires: popt-devel >= 1.14
# For man page
BuildRequires: xmlto
BuildRequires: make
@ -55,7 +51,7 @@ for %{name}.
%package tools
Summary: Example tools built using the librabbitmq package
Requires: %{name}%{?_isa} = %{version}
Requires: %{name}%{?_isa} = %{version}-%{release}
%description tools
This package contains example tools built using %{name}.
@ -70,8 +66,6 @@ amqp-publish Publish a message on an AMQP server
%prep
%setup -q -n %{gh_project}-%{gh_commit}
%patch -P0 -p1
%patch -P1 -p1
# Copy sources to be included in -devel docs.
cp -pr examples Examples
@ -151,6 +145,13 @@ make test
%changelog
* Wed Apr 03 2024 Than Ngo <than@redhat.com> - 0.14.0-1
- update to 0.14.0
- fix rpminspect rpmdeps
- fix gating-yaml-checks
Related: RHEL-31259
* Tue Apr 02 2024 Than Ngo <than@redhat.com> - 0.13.0-6
- Resolves: RHEL-31259, Conditionally enable SSL engine APIs

125
rabbitmq-c-CVE-2023-35789.patch
View File

@ -1,125 +0,0 @@
commit 463054383fbeef889b409a7f843df5365288e2a0
Author: Christian Kastner <ckk@kvr.at>
Date: Tue Jun 13 14:21:52 2023 +0200
Add option to read username/password from file (#781)
* Add option to read username/password from file
diff --git a/tools/common.c b/tools/common.c
index 73b47e2..7efe557 100644
--- a/tools/common.c
+++ b/tools/common.c
@@ -18,6 +18,11 @@
#include "compat.h"
#endif
+/* For when reading auth data from a file */
+#define MAXAUTHTOKENLEN 128
+#define USERNAMEPREFIX "username:"
+#define PASSWORDPREFIX "password:"
+
void die(const char *fmt, ...) {
va_list ap;
va_start(ap, fmt);
@@ -125,6 +130,7 @@ static char *amqp_vhost;
static char *amqp_username;
static char *amqp_password;
static int amqp_heartbeat = 0;
+static char *amqp_authfile;
#ifdef WITH_SSL
static int amqp_ssl = 0;
static char *amqp_cacert = "/etc/ssl/certs/cacert.pem";
@@ -147,6 +153,8 @@ struct poptOption connect_options[] = {
"the password to login with", "password"},
{"heartbeat", 0, POPT_ARG_INT, &amqp_heartbeat, 0,
"heartbeat interval, set to 0 to disable", "heartbeat"},
+ {"authfile", 0, POPT_ARG_STRING, &amqp_authfile, 0,
+ "path to file containing username/password for authentication", "file"},
#ifdef WITH_SSL
{"ssl", 0, POPT_ARG_NONE, &amqp_ssl, 0, "connect over SSL/TLS", NULL},
{"cacert", 0, POPT_ARG_STRING, &amqp_cacert, 0,
@@ -158,6 +166,50 @@ struct poptOption connect_options[] = {
#endif /* WITH_SSL */
{NULL, '\0', 0, NULL, 0, NULL, NULL}};
+void read_authfile(const char *path) {
+ size_t n;
+ FILE *fp = NULL;
+ char token[MAXAUTHTOKENLEN];
+
+ if ((amqp_username = malloc(MAXAUTHTOKENLEN)) == NULL ||
+ (amqp_password = malloc(MAXAUTHTOKENLEN)) == NULL) {
+ die("Out of memory");
+ } else if ((fp = fopen(path, "r")) == NULL) {
+ die("Could not read auth data file %s", path);
+ }
+
+ if (fgets(token, MAXAUTHTOKENLEN, fp) == NULL ||
+ strncmp(token, USERNAMEPREFIX, strlen(USERNAMEPREFIX))) {
+ die("Malformed auth file (missing username)");
+ }
+ strncpy(amqp_username, &token[strlen(USERNAMEPREFIX)], MAXAUTHTOKENLEN);
+ /* Missing newline means token was cut off */
+ n = strlen(amqp_username);
+ if (amqp_username[n - 1] != '\n') {
+ die("Username too long");
+ } else {
+ amqp_username[n - 1] = '\0';
+ }
+
+ if (fgets(token, MAXAUTHTOKENLEN, fp) == NULL ||
+ strncmp(token, PASSWORDPREFIX, strlen(PASSWORDPREFIX))) {
+ die("Malformed auth file (missing password)");
+ }
+ strncpy(amqp_password, &token[strlen(PASSWORDPREFIX)], MAXAUTHTOKENLEN);
+ /* Missing newline means token was cut off */
+ n = strlen(amqp_password);
+ if (amqp_password[n - 1] != '\n') {
+ die("Password too long");
+ } else {
+ amqp_password[n - 1] = '\0';
+ }
+
+ (void)fgetc(fp);
+ if (!feof(fp)) {
+ die("Malformed auth file (trailing data)");
+ }
+}
+
static void init_connection_info(struct amqp_connection_info *ci) {
ci->user = NULL;
ci->password = NULL;
@@ -237,6 +289,8 @@ static void init_connection_info(struct amqp_connection_info *ci) {
if (amqp_username) {
if (amqp_url) {
die("--username and --url options cannot be used at the same time");
+ } else if (amqp_authfile) {
+ die("--username and --authfile options cannot be used at the same time");
}
ci->user = amqp_username;
@@ -245,11 +299,23 @@ static void init_connection_info(struct amqp_connection_info *ci) {
if (amqp_password) {
if (amqp_url) {
die("--password and --url options cannot be used at the same time");
+ } else if (amqp_authfile) {
+ die("--password and --authfile options cannot be used at the same time");
}
ci->password = amqp_password;
}
+ if (amqp_authfile) {
+ if (amqp_url) {
+ die("--authfile and --url options cannot be used at the same time");
+ }
+
+ read_authfile(amqp_authfile);
+ ci->user = amqp_username;
+ ci->password = amqp_password;
+ }
+
if (amqp_vhost) {
if (amqp_url) {
die("--vhost and --url options cannot be used at the same time");

152
rabbitmq-c-conditionally_enable_ssl_engine_apis.patch
View File

@ -1,152 +0,0 @@
diff -up rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/cmake/config.h.in.orig rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/cmake/config.h.in
--- rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/cmake/config.h.in.orig 2023-02-06 01:31:11.000000000 +0100
+++ rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/cmake/config.h.in 2024-03-05 15:42:21.611143615 +0100
@@ -7,4 +7,6 @@
#define AMQ_PLATFORM "@CMAKE_SYSTEM_NAME@"
+#cmakedefine ENABLE_SSL_ENGINE_API
+
#endif /* CONFIG_H */
diff -up rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/CMakeLists.txt.orig rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/CMakeLists.txt
--- rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/CMakeLists.txt.orig 2023-02-06 01:31:11.000000000 +0100
+++ rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/CMakeLists.txt 2024-03-05 15:42:21.610143596 +0100
@@ -42,6 +42,7 @@ endif()
include(CheckSymbolExists)
include(CheckLibraryExists)
+include(CMakeDependentOption)
include(CMakePushCheckState)
include(GNUInstallDirs)
@@ -119,14 +120,19 @@ if (ENABLE_SSL_SUPPORT)
set(THREADS_PREFER_PTHREAD_FLAG ON)
find_package(Threads REQUIRED)
cmake_pop_check_state()
+
+ cmake_push_check_state()
+ set(CMAKE_REQUIRED_LIBRARIES OpenSSL::SSL)
+ check_symbol_exists(ENGINE_new openssl/engine.h HAS_OPENSSL_ENGINE)
+ cmake_pop_check_state()
+
+ cmake_dependent_option(ENABLE_SSL_ENGINE_API "Enable support for deprecated OpenSSL ENGINE feature" ON "HAS_OPENSSL_ENGINE" OFF)
endif()
if(CMAKE_PROJECT_NAME STREQUAL PROJECT_NAME)
include(CTest)
endif()
-include(CMakeDependentOption)
-
option(BUILD_SHARED_LIBS "Build rabbitmq-c as a shared library" ON)
option(BUILD_STATIC_LIBS "Build rabbitmq-c as a static library" ON)
option(INSTALL_STATIC_LIBS "Install rabbitmq-c static library" ON)
diff -up rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/include/rabbitmq-c/amqp.h.orig rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/include/rabbitmq-c/amqp.h
--- rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/include/rabbitmq-c/amqp.h.orig 2023-02-06 01:31:11.000000000 +0100
+++ rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/include/rabbitmq-c/amqp.h 2024-03-05 15:42:21.612143634 +0100
@@ -670,7 +670,8 @@ typedef enum amqp_status_enum_ {
certificate failed. */
AMQP_STATUS_SSL_CONNECTION_FAILED = -0x0203, /**< SSL handshake failed. */
AMQP_STATUS_SSL_SET_ENGINE_FAILED = -0x0204, /**< SSL setting engine failed */
- _AMQP_STATUS_SSL_NEXT_VALUE = -0x0205 /**< Internal value */
+ AMQP_STATUS_SSL_UNIMPLEMENTED = -0x0205, /**< SSL API is not implemented. */
+ _AMQP_STATUS_SSL_NEXT_VALUE = -0x0206 /**< Internal value */
} amqp_status_enum;
/**
diff -up rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/include/rabbitmq-c/ssl_socket.h.orig rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/include/rabbitmq-c/ssl_socket.h
--- rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/include/rabbitmq-c/ssl_socket.h.orig 2023-02-06 01:31:11.000000000 +0100
+++ rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/include/rabbitmq-c/ssl_socket.h 2024-03-05 15:42:21.612143634 +0100
@@ -102,7 +102,8 @@ int AMQP_CALL amqp_ssl_socket_set_key(am
* \param [in] the key ID.
*
* \return \ref AMQP_STATUS_OK on success an \ref amqp_status_enum value on
- * failure.
+ * failure. May return \ref AMQP_STATUS_SSL_UNIMPLEMENTED if OpenSSL does
+ * not support the ENGINE API.
*
* \since v0.11.0
*/
@@ -262,7 +263,8 @@ int AMQP_CALL amqp_initialize_ssl_librar
* has been called.
*
* \param [in] engine the engine ID
- * \return AMQP_STATUS_OK on success.
+ * \return AMQP_STATUS_OK on success. May return \ref AMQP_STATUS_SSL_UNIMPLEMENTED
+ * if OpenSSL does not support the ENGINE API.
*
* \since v0.11.0
*/
diff -up rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/librabbitmq/amqp_api.c.orig rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/librabbitmq/amqp_api.c
--- rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/librabbitmq/amqp_api.c.orig 2023-02-06 01:31:11.000000000 +0100
+++ rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/librabbitmq/amqp_api.c 2024-03-05 15:42:21.612143634 +0100
@@ -85,7 +85,9 @@ static const char *ssl_error_strings[] =
/* AMQP_STATUS_SSL_CONNECTION_FAILED -0x0203 */
"SSL handshake failed",
/* AMQP_STATUS_SSL_SET_ENGINE_FAILED -0x0204 */
- "SSL setting engine failed"};
+ "SSL setting engine failed",
+ /* AMQP_STATUS_SSL_UNIMPLEMENTED -0x0204 */
+ "SSL API is not implemented"};
static const char *unknown_error_string = "(unknown error)";
diff -up rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/librabbitmq/amqp_openssl.c.orig rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/librabbitmq/amqp_openssl.c
--- rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/librabbitmq/amqp_openssl.c.orig 2023-02-06 01:31:11.000000000 +0100
+++ rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/librabbitmq/amqp_openssl.c 2024-03-05 15:42:21.613143653 +0100
@@ -23,7 +23,9 @@
#include <limits.h>
#include <openssl/bio.h>
#include <openssl/conf.h>
+#ifdef ENABLE_SSL_ENGINE_API
#include <openssl/engine.h>
+#endif
#include <openssl/err.h>
#include <openssl/ssl.h>
#include <openssl/x509v3.h>
@@ -36,7 +38,9 @@ static int decrement_ssl_connections(voi
static pthread_mutex_t openssl_init_mutex = PTHREAD_MUTEX_INITIALIZER;
static amqp_boolean_t openssl_bio_initialized = 0;
static int openssl_connections = 0;
+#ifdef ENABLE_SSL_ENGINE_API
static ENGINE *openssl_engine = NULL;
+#endif
#define CHECK_SUCCESS(condition) \
do { \
@@ -391,6 +395,7 @@ int amqp_ssl_socket_set_key(amqp_socket_
int amqp_ssl_socket_set_key_engine(amqp_socket_t *base, const char *cert,
const char *key) {
+#ifdef ENABLE_SSL_ENGINE_API
int status;
struct amqp_ssl_socket_t *self;
EVP_PKEY *pkey = NULL;
@@ -415,6 +420,9 @@ int amqp_ssl_socket_set_key_engine(amqp_
return AMQP_STATUS_SSL_ERROR;
}
return AMQP_STATUS_OK;
+#else
+ return AMQP_STATUS_SSL_UNIMPLEMENTED;
+#endif
}
static int password_cb(AMQP_UNUSED char *buffer, AMQP_UNUSED int length,
@@ -580,6 +588,7 @@ void amqp_set_initialize_ssl_library(amq
int amqp_initialize_ssl_library(void) { return AMQP_STATUS_OK; }
int amqp_set_ssl_engine(const char *engine) {
+#ifdef ENABLE_SSL_ENGINE_API
int status = AMQP_STATUS_OK;
CHECK_SUCCESS(pthread_mutex_lock(&openssl_init_mutex));
@@ -609,6 +618,9 @@ int amqp_set_ssl_engine(const char *engi
out:
CHECK_SUCCESS(pthread_mutex_unlock(&openssl_init_mutex));
return status;
+#else
+ return AMQP_STATUS_SSL_UNIMPLEMENTED;
+#endif
}
static int initialize_ssl_and_increment_connections() {

2
sources
View File

@ -1 +1 @@
SHA512 (rabbitmq-c-0.13.0-974d71a.tar.gz) = 58b3ca777a971ac451edb75afb2446d4bf7611134387db6dadcc95ff1f44257eb1812ff665f658544e03e14622ccc6aacc26d03d1b30a16470ccb1977275bf34
SHA512 (rabbitmq-c-0.14.0-124722b.tar.gz) = 167f340002d96769e19b5ea7e567d397f6702b0c212cbcf771f2e8ea16531221046747f9d70315869f696587a9e0922d922362efcc45bb1401420e9558b63acc