Enable openssl

Replace GNUTLS_SHUT_RDWR with GNUTLS_SHUT_WR when ending TLS connections
  resolves: rhbz#1990735
Comply with rhel crypto policies
Forward return code from relpEngineSetTLSLib to relpEngineSetTLSLibByName
  resolves: rhbz#1972067
alakatos 2021-08-17 09:06:32 +02:00
parent f593723fce
commit 3b12aabe3c
3 changed files with 120 additions and 2 deletions


@ -0,0 +1,88 @@
diff -up librelp-1.10.0/src/tcp.c.crypto-compliance librelp-1.10.0/src/tcp.c
--- librelp-1.10.0/src/tcp.c.crypto-compliance 2021-02-16 09:07:24.000000000 +0100
+++ librelp-1.10.0/src/tcp.c 2021-08-17 10:13:53.368936612 +0200
@@ -1155,32 +1155,8 @@ static relpRetVal LIBRELP_ATTR_NONNULL()
relpTcpTLSSetPrio_gtls(relpTcp_t *const pThis)
{
int r;
- char pristringBuf[4096];
- char *pristring;
ENTER_RELPFUNC;
- /* Set default priority string (in simple cases where the user does not care...) */
- if(pThis->pristring == NULL) {
- if (pThis->authmode == eRelpAuthMode_None) {
- if(pThis->bEnableTLSZip) {
- strncpy(pristringBuf, "NORMAL:+ANON-DH:+COMP-ALL", sizeof(pristringBuf));
- } else {
- strncpy(pristringBuf, "NORMAL:+ANON-DH:+COMP-NULL", sizeof(pristringBuf));
- }
- pristringBuf[sizeof(pristringBuf)-1] = '\0';
- pristring = pristringBuf;
- r = gnutls_priority_set_direct(pThis->session, pristring, NULL);
- } else {
- r = gnutls_set_default_priority(pThis->session);
- strncpy(pristringBuf, "to recommended system default", sizeof(pristringBuf));
- pristringBuf[sizeof(pristringBuf)-1] = '\0';
- pristring = pristringBuf;
- }
-
- } else {
- pristring = pThis->pristring;
- r = gnutls_priority_set_direct(pThis->session, pristring, NULL);
- }
-
+ r = gnutls_set_default_priority(pThis->session);
if(r == GNUTLS_E_INVALID_REQUEST) {
ABORT_FINALIZE(RELP_RET_INVLD_TLS_PRIO);
} else if(r != GNUTLS_E_SUCCESS) {
@@ -1188,7 +1164,7 @@ relpTcpTLSSetPrio_gtls(relpTcp_t *const
}
finalize_it:
- pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_gtls: Setting ciphers '%s' iRet=%d\n", pristring, iRet);
+ pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_gtls: Setting ciphers to system default iRet=%d\n", iRet);
if(iRet != RELP_RET_OK) {
chkGnutlsCode(pThis, "Failed to set GnuTLS priority", iRet, r);
@@ -1207,38 +1183,15 @@ relpTcpTLSSetPrio_gtls(LIBRELP_ATTR_UNUS
static relpRetVal LIBRELP_ATTR_NONNULL()
relpTcpTLSSetPrio_ossl(relpTcp_t *const pThis)
{
- char pristringBuf[4096];
- char *pristring;
ENTER_RELPFUNC;
- /* Compute priority string (in simple cases where the user does not care...) */
- if(pThis->pristring == NULL) {
- if (pThis->authmode == eRelpAuthMode_None) {
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L \
- && !defined(LIBRESSL_VERSION_NUMBER)
- /* NOTE: do never use: +eNULL, it DISABLES encryption! */
- strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL@SECLEVEL=0",
- sizeof(pristringBuf));
- #else
- strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL",
- sizeof(pristringBuf));
- #endif
- } else {
- strncpy(pristringBuf, "DEFAULT", sizeof(pristringBuf));
- }
- pristringBuf[sizeof(pristringBuf)-1] = '\0';
- pristring = pristringBuf;
- } else {
- /* We use custom CipherString if used sets it by SslConfCmd */
- pristring = pThis->pristring;
- }
- if ( SSL_set_cipher_list(pThis->ssl, pristring) == 0 ){
- pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_ossl: Error setting ciphers '%s'\n", pristring);
+ if (SSL_set_cipher_list(pThis->ssl, "PROFILE=SYSTEM") == 0){
+ pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_ossl: Error setting ciphers to system default\n");
ABORT_FINALIZE(RELP_RET_ERR_TLS_SETUP);
}
finalize_it:
- pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_ossl: Setting ciphers '%s' iRet=%d\n", pristring, iRet);
+ pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_ossl: Setting ciphers to system default iRet=%d\n", iRet);
LEAVE_RELPFUNC;
}
#else
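Review bot: Both rewritten functions drop the `pThis->pristring` override (the removed `pristring = pThis->pristring;` in relpTcpTLSSetPrio_gtls and the removed SslConfCmd branch in relpTcpTLSSetPrio_ossl), so a priority or cipher string the application set explicitly is now silently ignored while the setter that fills `pThis->pristring` presumably still exists and reports success. On the GnuTLS side the change also removes the `+ANON-DH` priority that the `eRelpAuthMode_None` path depended on; unless the system policy enables anonymous key exchange, which it does not by default as far as I know, anonymous sessions will now fail at handshake time with only the generic diagnostics this function already emits. I would keep the system default as the fallback but still honor an explicit string, e.g. `r = (pThis->pristring != NULL) ? gnutls_priority_set_direct(pThis->session, pThis->pristring, NULL) : gnutls_set_default_priority(pThis->session);` in the gtls path and `SSL_set_cipher_list(pThis->ssl, pThis->pristring != NULL ? pThis->pristring : "PROFILE=SYSTEM")` in the ossl path, with the two `dbgprint` messages reflecting which one was used instead of hard-coding "system default". `PROFILE=SYSTEM` is a distribution-specific cipher-string keyword rather than upstream OpenSSL syntax, so a one-line comment above that call saying so would save the next rebase some confusion. The body of relpTcpTLSSetPrio_gtls continues outside the first hunk.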


@ -0,0 +1,15 @@
diff -up librelp-1.10.0/src/relp.c.orig librelp-1.10.0/src/relp.c
--- librelp-1.10.0/src/relp.c.orig 2021-08-17 08:33:12.416786299 +0200
+++ librelp-1.10.0/src/relp.c 2021-08-17 08:33:45.070119507 +0200
@@ -385,9 +385,9 @@ relpEngineSetTLSLibByName(relpEngine_t *
}
if(!strcasecmp(name, "gnutls")) {
- relpEngineSetTLSLib(pThis, RELP_USE_GNUTLS);
+ CHKRet(relpEngineSetTLSLib(pThis, RELP_USE_GNUTLS));
}else if(!strcasecmp(name, "openssl")) {
- relpEngineSetTLSLib(pThis, RELP_USE_OPENSSL);
+ CHKRet(relpEngineSetTLSLib(pThis, RELP_USE_OPENSSL));
} else {
relpEngineCallOnGenericErr(pThis, "librelp", RELP_RET_PARAM_ERROR,
"invalid tls lib '%s' requested; this version of "
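Review bot: The two new `CHKRet(relpEngineSetTLSLib(...))` lines propagate a failure straight to the caller, but unlike the unknown-name branch right below them (`relpEngineCallOnGenericErr(pThis, "librelp", RELP_RET_PARAM_ERROR, ...)`) nothing is reported through the generic error callback, so asking for a TLS library that this build cannot select fails without any diagnostic. I would report before propagating, as sketched below for the gnutls branch and mirrored for openssl; `iRet` and the `finalize_it:` label are the ones CHKRet already relies on, both of which lie outside the hunk, as does the rest of relpEngineSetTLSLibByName. The function's header comment, also outside the hunk, should now state that the return value of relpEngineSetTLSLib is forwarded to the caller.
```c
    if(!strcasecmp(name, "gnutls")) {
        iRet = relpEngineSetTLSLib(pThis, RELP_USE_GNUTLS);
        if(iRet != RELP_RET_OK) {
            relpEngineCallOnGenericErr(pThis, "librelp", iRet,
                "tls lib 'gnutls' could not be selected in this build");
            goto finalize_it;
        }
    /* … unchanged: the "openssl" branch, mirrored the same way … */
```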


@ -1,12 +1,15 @@
Summary: The Reliable Event Logging Protocol library Summary: The Reliable Event Logging Protocol library
Name: librelp Name: librelp
Version: 1.10.0 Version: 1.10.0
Release: 3%{?dist} Release: 4%{?dist}
License: GPLv3+ License: GPLv3+
URL: http://www.rsyslog.com/ URL: http://www.rsyslog.com/
Source0: http://download.rsyslog.com/%{name}/%{name}-%{version}.tar.gz Source0: http://download.rsyslog.com/%{name}/%{name}-%{version}.tar.gz
BuildRequires: gnutls-devel >= 1.4.0 BuildRequires: gnutls-devel >= 1.4.0
Patch0: librelp-1.10.0-rhbz1972067-relpEngineSetTLSLibByName.patch
Patch1: librelp-1.10.0-crypto-compliance.patch
%description %description
Librelp is an easy to use library for the RELP protocol. RELP (stands Librelp is an easy to use library for the RELP protocol. RELP (stands
for Reliable Event Logging Protocol) is a general-purpose, extensible for Reliable Event Logging Protocol) is a general-purpose, extensible
@ -16,10 +19,12 @@ logging protocol.
Summary: Development files for the %{name} package Summary: Development files for the %{name} package
Requires: %{name} = %{version}-%{release} Requires: %{name} = %{version}-%{release}
Requires: pkgconfig Requires: pkgconfig
Requires: openssl-libs
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
BuildRequires: libtool BuildRequires: libtool
BuildRequires: make BuildRequires: make
BuildRequires: openssl-devel
%description devel %description devel
Librelp is an easy to use library for the RELP protocol. The Librelp is an easy to use library for the RELP protocol. The
@ -28,10 +33,12 @@ to develop applications using librelp.
%prep %prep
%setup -q %setup -q
%patch0 -p1 -b .tls-by-name
%patch1 -p1 -b .crypto-compliance
%build %build
autoreconf -ivf autoreconf -ivf
%configure --disable-static --disable-tls-openssl %configure --disable-static
make %{?_smp_mflags} make %{?_smp_mflags}
%install %install
@ -52,6 +59,14 @@ rm $RPM_BUILD_ROOT/%{_libdir}/*.la
%{_libdir}/pkgconfig/relp.pc %{_libdir}/pkgconfig/relp.pc
%changelog %changelog
* Fri Aug 06 2021 Attila Lakatos <alakatos@redhat.com> - 1.10.0-4
- Replace GNUTLS_SHUT_RDWR by GNUTLS_SHUT_WR when ending TLS connections
resolves: rhbz#1990735
- Add patch to comply with crypto policies
- Forward return code from relpEngineSetTLSLib to relpEngineSetTLSLibByName
- Enable openssl
resolves: rhbz#1972067
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.10.0-3 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.10.0-3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688 Related: rhbz#1991688
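Review bot: The new %changelog entry for 1.10.0-4 is dated `* Fri Aug 06 2021`, earlier than the 1.10.0-3 entry below it (Mon Aug 09 2021), so the changelog is no longer in chronological order, which rpmbuild and rpmlint warn about; the commit itself is from Aug 17, so `* Tue Aug 17 2021 Attila Lakatos <alakatos@redhat.com> - 1.10.0-4` looks like the intended line. The same entry says the crypto-compliance patch replaces GNUTLS_SHUT_RDWR with GNUTLS_SHUT_WR, but as far as the two patch files rendered in this commit show, neither contains a GNUTLS_SHUT_WR change, so either that hunk is missing from Patch1 or the changelog line should be dropped. `Requires: openssl-libs` is added under the -devel subpackage's header; the shared library's runtime dependency on libssl/libcrypto is generated automatically from the SONAMEs at build time, so this explicit Requires is redundant and, sitting in the devel block, would not apply to the library package in any case.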