From 3b12aabe3c72038b65c61e07e5d7e37a1670b8aa Mon Sep 17 00:00:00 2001
From: alakatos
Date: Tue, 17 Aug 2021 09:06:32 +0200
Subject: [PATCH] Enable openssl

Replace GNUTLS_SHUT_RDWR by GNUTLS_SHUT_WR when ending TLS connections
resolves: rhbz#1990735
Comply with rhel crypto policies
Forward return code from relpEngineSetTLSLib to relpEngineSetTLSLibByName
resolves: rhbz#1972067
---
librelp-1.10.0-crypto-compliance.patch | 88 +++++++++++++++++++
...hbz1972067-relpEngineSetTLSLibByName.patch | 15 ++++
librelp.spec | 19 +++-
3 files changed, 120 insertions(+), 2 deletions(-)
create mode 100644 librelp-1.10.0-crypto-compliance.patch
create mode 100644 librelp-1.10.0-rhbz1972067-relpEngineSetTLSLibByName.patch

diff --git a/librelp-1.10.0-crypto-compliance.patch b/librelp-1.10.0-crypto-compliance.patch
new file mode 100644
index 0000000..56a120a
--- /dev/null
+++ b/librelp-1.10.0-crypto-compliance.patch
@@ -0,0 +1,88 @@
+diff -up librelp-1.10.0/src/tcp.c.crypto-compliance librelp-1.10.0/src/tcp.c
+--- librelp-1.10.0/src/tcp.c.crypto-compliance 2021-02-16 09:07:24.000000000 +0100
++++ librelp-1.10.0/src/tcp.c 2021-08-17 10:13:53.368936612 +0200
+@@ -1155,32 +1155,8 @@ static relpRetVal LIBRELP_ATTR_NONNULL()
+ relpTcpTLSSetPrio_gtls(relpTcp_t *const pThis)
+ {
+ int r;
+- char pristringBuf[4096];
+- char *pristring;
+ ENTER_RELPFUNC;
+- /* Set default priority string (in simple cases where the user does not care...) */
+- if(pThis->pristring == NULL) {
+- if (pThis->authmode == eRelpAuthMode_None) {
+- if(pThis->bEnableTLSZip) {
+- strncpy(pristringBuf, "NORMAL:+ANON-DH:+COMP-ALL", sizeof(pristringBuf));
+- } else {
+- strncpy(pristringBuf, "NORMAL:+ANON-DH:+COMP-NULL", sizeof(pristringBuf));
+- }
+- pristringBuf[sizeof(pristringBuf)-1] = '\0';
+- pristring = pristringBuf;
+- r = gnutls_priority_set_direct(pThis->session, pristring, NULL);
+- } else {
+- r = gnutls_set_default_priority(pThis->session);
+- strncpy(pristringBuf, "to recommended system default", sizeof(pristringBuf));
+- pristringBuf[sizeof(pristringBuf)-1] = '\0';
+- pristring = pristringBuf;
+- }
+-
+- } else {
+- pristring = pThis->pristring;
+- r = gnutls_priority_set_direct(pThis->session, pristring, NULL);
+- }
+-
++ r = gnutls_set_default_priority(pThis->session);
+ if(r == GNUTLS_E_INVALID_REQUEST) {
+ ABORT_FINALIZE(RELP_RET_INVLD_TLS_PRIO);
+ } else if(r != GNUTLS_E_SUCCESS) {
+@@ -1188,7 +1164,7 @@ relpTcpTLSSetPrio_gtls(relpTcp_t *const
+ }
+
+ finalize_it:
+- pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_gtls: Setting ciphers '%s' iRet=%d\n", pristring, iRet);
++ pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_gtls: Setting ciphers to system default iRet=%d\n", iRet);
+
+ if(iRet != RELP_RET_OK) {
+ chkGnutlsCode(pThis, "Failed to set GnuTLS priority", iRet, r);
+@@ -1207,38 +1183,15 @@ relpTcpTLSSetPrio_gtls(LIBRELP_ATTR_UNUS
+ static relpRetVal LIBRELP_ATTR_NONNULL()
+ relpTcpTLSSetPrio_ossl(relpTcp_t *const pThis)
+ {
+- char pristringBuf[4096];
+- char *pristring;
+ ENTER_RELPFUNC;
+- /* Compute priority string (in simple cases where the user does not care...) */
+- if(pThis->pristring == NULL) {
+- if (pThis->authmode == eRelpAuthMode_None) {
+- #if OPENSSL_VERSION_NUMBER >= 0x10100000L \
+- && !defined(LIBRESSL_VERSION_NUMBER)
+- /* NOTE: do never use: +eNULL, it DISABLES encryption! */
+- strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL@SECLEVEL=0",
+- sizeof(pristringBuf));
+- #else
+- strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL",
+- sizeof(pristringBuf));
+- #endif
+- } else {
+- strncpy(pristringBuf, "DEFAULT", sizeof(pristringBuf));
+- }
+- pristringBuf[sizeof(pristringBuf)-1] = '\0';
+- pristring = pristringBuf;
+- } else {
+- /* We use custom CipherString if used sets it by SslConfCmd */
+- pristring = pThis->pristring;
+- }
+
+- if ( SSL_set_cipher_list(pThis->ssl, pristring) == 0 ){
+- pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_ossl: Error setting ciphers '%s'\n", pristring);
++ if (SSL_set_cipher_list(pThis->ssl, "PROFILE=SYSTEM") == 0){
++ pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_ossl: Error setting ciphers to system default\n");
+ ABORT_FINALIZE(RELP_RET_ERR_TLS_SETUP);
+ }
+
+ finalize_it:
+- pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_ossl: Setting ciphers '%s' iRet=%d\n", pristring, iRet);
++ pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_ossl: Setting ciphers to system default iRet=%d\n", iRet);
+ LEAVE_RELPFUNC;
+ }
+ #else
diff --git a/librelp-1.10.0-rhbz1972067-relpEngineSetTLSLibByName.patch b/librelp-1.10.0-rhbz1972067-relpEngineSetTLSLibByName.patch
new file mode 100644
index 0000000..89493d3
--- /dev/null
+++ b/librelp-1.10.0-rhbz1972067-relpEngineSetTLSLibByName.patch
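Review bot: The caller-supplied priority string is now silently discarded in both relpTcpTLSSetPrio_gtls and relpTcpTLSSetPrio_ossl: `pThis->pristring` is no longer read anywhere on the new side, so an application that configures its own GnuTLS priority or OpenSSL CipherString gets the system policy instead with nothing in the log to say so. Since the field presumably still exists and is still settable elsewhere in the library, I would at least surface the override through the existing debug channel, e.g. before the `gnutls_set_default_priority` call: `if(pThis->pristring != NULL) pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_gtls: configured priority string ignored, using system crypto policy\n");` with the matching line in the _ossl variant. The removed `+ANON-DH` / `+aNULL` defaults were what let `eRelpAuthMode_None` sessions negotiate at all; under a system policy that excludes anonymous suites those sessions will presumably now fail at handshake rather than at setup, which deserves a sentence in the patch header or changelog. On the OpenSSL side note that `SSL_set_cipher_list` governs only the TLS 1.2-and-below cipher list, TLS 1.3 suites are configured via `SSL_set_ciphersuites`, so "system default" for 1.3 here relies on the library-level crypto-policy configuration rather than on this call.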
@@ -0,0 +1,15 @@
+diff -up librelp-1.10.0/src/relp.c.orig librelp-1.10.0/src/relp.c
+--- librelp-1.10.0/src/relp.c.orig 2021-08-17 08:33:12.416786299 +0200
++++ librelp-1.10.0/src/relp.c 2021-08-17 08:33:45.070119507 +0200
+@@ -385,9 +385,9 @@ relpEngineSetTLSLibByName(relpEngine_t *
+ }
+
+ if(!strcasecmp(name, "gnutls")) {
+- relpEngineSetTLSLib(pThis, RELP_USE_GNUTLS);
++ CHKRet(relpEngineSetTLSLib(pThis, RELP_USE_GNUTLS));
+ }else if(!strcasecmp(name, "openssl")) {
+- relpEngineSetTLSLib(pThis, RELP_USE_OPENSSL);
++ CHKRet(relpEngineSetTLSLib(pThis, RELP_USE_OPENSSL));
+ } else {
+ relpEngineCallOnGenericErr(pThis, "librelp", RELP_RET_PARAM_ERROR,
+ "invalid tls lib '%s' requested; this version of "
diff --git a/librelp.spec b/librelp.spec
index b7d70cf..a37e25e 100644
--- a/librelp.spec
+++ b/librelp.spec
@@ -1,12 +1,15 @@
 Summary: The Reliable Event Logging Protocol library
 Name: librelp
 Version: 1.10.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv3+
 URL: http://www.rsyslog.com/
 Source0: http://download.rsyslog.com/%{name}/%{name}-%{version}.tar.gz
 BuildRequires: gnutls-devel >= 1.4.0
+Patch0: librelp-1.10.0-rhbz1972067-relpEngineSetTLSLibByName.patch
+Patch1: librelp-1.10.0-crypto-compliance.patch
+
 
 %description
 Librelp is an easy to use library for the RELP protocol. RELP (stands for
 Reliable Event Logging Protocol) is a general-purpose, extensible
@@ -16,10 +19,12 @@ logging protocol.
 Summary: Development files for the %{name} package
 Requires: %{name} = %{version}-%{release}
 Requires: pkgconfig
+Requires: openssl-libs
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: libtool
 BuildRequires: make
+BuildRequires: openssl-devel
 
 %description devel
 Librelp is an easy to use library for the RELP protocol. The
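Review bot: `Requires: openssl-libs` in the second spec hunk sits inside the `%package devel` section, so it binds the -devel subpackage rather than the library that actually links libssl; rpm's automatic dependency generator already derives the runtime dependency of the main package from the libssl/libcrypto sonames, so the line is both misplaced and redundant and can be dropped (or moved above `%description` if an explicit dependency is wanted). `BuildRequires: openssl-devel` works where it is because BuildRequires are global, but it reads more naturally next to `BuildRequires: gnutls-devel` in the first hunk. The first hunk also appears to add a blank line directly before an existing blank line after `Patch1:`, leaving two consecutive empty lines ahead of `%description`.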
@@ -28,10 +33,12 @@ to develop applications using librelp.
 
 %prep
 %setup -q
+%patch0 -p1 -b .tls-by-name
+%patch1 -p1 -b .crypto-compliance
 
 %build
 autoreconf -ivf
-%configure --disable-static --disable-tls-openssl
+%configure --disable-static
 make %{?_smp_mflags}
 
 %install
@@ -52,6 +59,14 @@ rm $RPM_BUILD_ROOT/%{_libdir}/*.la
 %{_libdir}/pkgconfig/relp.pc
 
 %changelog
+* Fri Aug 06 2021 Attila Lakatos - 1.10.0-4
+- Replace GNUTLS_SHUT_RDWR by GNUTLS_SHUT_WR when ending TLS connections
+ resolves: rhbz#1990735
+- Add patch to comply with crypto policies
+- Forward return code from relpEngineSetTLSLib to relpEngineSetTLSLibByName
+- Enable openssl
+ resolves: rhbz#1972067
+
 * Mon Aug 09 2021 Mohan Boddu - 1.10.0-3
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
 Related: rhbz#1991688
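Review bot: Dropping `--disable-tls-openssl` in the `%build` hunk leaves the OpenSSL backend to configure's default rather than asking for it; since the stated intent is "Enable openssl", `%configure --disable-static --enable-tls-openssl` makes that explicit and fails the build loudly if the upstream default ever changes, instead of silently producing a GnuTLS-only library. The backup suffix `.tls-by-name` given to `%patch0` also does not correspond to the patch file's own name, which makes the `.orig`-style backups harder to trace back; reusing the file's `rhbz1972067` tag would keep the two in step.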