Enable openssl
Replace GNUTLS_SHUT_RDWR by GNUTLS_SHUT_WR when ending TLS connections
resolves: rhbz#1990735
Comply with RHEL crypto policies
Forward return code from relpEngineSetTLSLib to relpEngineSetTLSLibByName
resolves: rhbz#1972067
This commit is contained in:
parent
f593723fce
commit
3b12aabe3c
88
librelp-1.10.0-crypto-compliance.patch
Normal file
88
librelp-1.10.0-crypto-compliance.patch
Normal file
@ -0,0 +1,88 @@
|
||||
diff -up librelp-1.10.0/src/tcp.c.crypto-compliance librelp-1.10.0/src/tcp.c
|
||||
--- librelp-1.10.0/src/tcp.c.crypto-compliance 2021-02-16 09:07:24.000000000 +0100
|
||||
+++ librelp-1.10.0/src/tcp.c 2021-08-17 10:13:53.368936612 +0200
|
||||
@@ -1155,32 +1155,8 @@ static relpRetVal LIBRELP_ATTR_NONNULL()
|
||||
relpTcpTLSSetPrio_gtls(relpTcp_t *const pThis)
|
||||
{
|
||||
int r;
|
||||
- char pristringBuf[4096];
|
||||
- char *pristring;
|
||||
ENTER_RELPFUNC;
|
||||
- /* Set default priority string (in simple cases where the user does not care...) */
|
||||
- if(pThis->pristring == NULL) {
|
||||
- if (pThis->authmode == eRelpAuthMode_None) {
|
||||
- if(pThis->bEnableTLSZip) {
|
||||
- strncpy(pristringBuf, "NORMAL:+ANON-DH:+COMP-ALL", sizeof(pristringBuf));
|
||||
- } else {
|
||||
- strncpy(pristringBuf, "NORMAL:+ANON-DH:+COMP-NULL", sizeof(pristringBuf));
|
||||
- }
|
||||
- pristringBuf[sizeof(pristringBuf)-1] = '\0';
|
||||
- pristring = pristringBuf;
|
||||
- r = gnutls_priority_set_direct(pThis->session, pristring, NULL);
|
||||
- } else {
|
||||
- r = gnutls_set_default_priority(pThis->session);
|
||||
- strncpy(pristringBuf, "to recommended system default", sizeof(pristringBuf));
|
||||
- pristringBuf[sizeof(pristringBuf)-1] = '\0';
|
||||
- pristring = pristringBuf;
|
||||
- }
|
||||
-
|
||||
- } else {
|
||||
- pristring = pThis->pristring;
|
||||
- r = gnutls_priority_set_direct(pThis->session, pristring, NULL);
|
||||
- }
|
||||
-
|
||||
+ r = gnutls_set_default_priority(pThis->session);
|
||||
if(r == GNUTLS_E_INVALID_REQUEST) {
|
||||
ABORT_FINALIZE(RELP_RET_INVLD_TLS_PRIO);
|
||||
} else if(r != GNUTLS_E_SUCCESS) {
|
||||
@@ -1188,7 +1164,7 @@ relpTcpTLSSetPrio_gtls(relpTcp_t *const
|
||||
}
|
||||
|
||||
finalize_it:
|
||||
- pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_gtls: Setting ciphers '%s' iRet=%d\n", pristring, iRet);
|
||||
+ pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_gtls: Setting ciphers to system default iRet=%d\n", iRet);
|
||||
|
||||
if(iRet != RELP_RET_OK) {
|
||||
chkGnutlsCode(pThis, "Failed to set GnuTLS priority", iRet, r);
|
||||
@@ -1207,38 +1183,15 @@ relpTcpTLSSetPrio_gtls(LIBRELP_ATTR_UNUS
|
||||
static relpRetVal LIBRELP_ATTR_NONNULL()
|
||||
relpTcpTLSSetPrio_ossl(relpTcp_t *const pThis)
|
||||
{
|
||||
- char pristringBuf[4096];
|
||||
- char *pristring;
|
||||
ENTER_RELPFUNC;
|
||||
- /* Compute priority string (in simple cases where the user does not care...) */
|
||||
- if(pThis->pristring == NULL) {
|
||||
- if (pThis->authmode == eRelpAuthMode_None) {
|
||||
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L \
|
||||
- && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
- /* NOTE: do never use: +eNULL, it DISABLES encryption! */
|
||||
- strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL@SECLEVEL=0",
|
||||
- sizeof(pristringBuf));
|
||||
- #else
|
||||
- strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL",
|
||||
- sizeof(pristringBuf));
|
||||
- #endif
|
||||
- } else {
|
||||
- strncpy(pristringBuf, "DEFAULT", sizeof(pristringBuf));
|
||||
- }
|
||||
- pristringBuf[sizeof(pristringBuf)-1] = '\0';
|
||||
- pristring = pristringBuf;
|
||||
- } else {
|
||||
- /* We use custom CipherString if used sets it by SslConfCmd */
|
||||
- pristring = pThis->pristring;
|
||||
- }
|
||||
|
||||
- if ( SSL_set_cipher_list(pThis->ssl, pristring) == 0 ){
|
||||
- pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_ossl: Error setting ciphers '%s'\n", pristring);
|
||||
+ if (SSL_set_cipher_list(pThis->ssl, "PROFILE=SYSTEM") == 0){
|
||||
+ pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_ossl: Error setting ciphers to system default\n");
|
||||
ABORT_FINALIZE(RELP_RET_ERR_TLS_SETUP);
|
||||
}
|
||||
|
||||
finalize_it:
|
||||
- pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_ossl: Setting ciphers '%s' iRet=%d\n", pristring, iRet);
|
||||
+ pThis->pEngine->dbgprint((char*)"relpTcpTLSSetPrio_ossl: Setting ciphers to system default iRet=%d\n", iRet);
|
||||
LEAVE_RELPFUNC;
|
||||
}
|
||||
#else
|
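Review bot: The new `r = gnutls_set_default_priority(pThis->session);` removes the whole `pThis->pristring == NULL` branch, so a priority string the caller configured is now silently ignored instead of applied; the same happens in relpTcpTLSSetPrio_ossl further down, where `SSL_set_cipher_list(pThis->ssl, "PROFILE=SYSTEM")` replaces the former `pristring` set through SslConfCmd. Falling back to the system default only when no explicit string was set keeps the policy-compliance goal while not breaking existing configurations, and the dbgprint at finalize_it then needs to say which path was taken rather than always "system default". With the system default the eRelpAuthMode_None path presumably no longer gets the ANON-DH/aNULL ciphers the removed code enabled, so anonymous peers will likely fail at handshake; that behaviour change deserves a comment here or a line in the package changelog. Both relpTcpTLSSetPrio_gtls and relpTcpTLSSetPrio_ossl start and end outside the shown hunks.
```c
	if(pThis->pristring == NULL) {
		/* no explicit priority configured: follow the system crypto policy */
		r = gnutls_set_default_priority(pThis->session);
	} else {
		/* operator supplied an explicit priority string; keep honouring it */
		r = gnutls_priority_set_direct(pThis->session, pThis->pristring, NULL);
	}
	/* … unchanged: GNUTLS_E_INVALID_REQUEST / error handling … */
```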
15
librelp-1.10.0-rhbz1972067-relpEngineSetTLSLibByName.patch
Normal file
15
librelp-1.10.0-rhbz1972067-relpEngineSetTLSLibByName.patch
Normal file
@ -0,0 +1,15 @@
|
||||
diff -up librelp-1.10.0/src/relp.c.orig librelp-1.10.0/src/relp.c
|
||||
--- librelp-1.10.0/src/relp.c.orig 2021-08-17 08:33:12.416786299 +0200
|
||||
+++ librelp-1.10.0/src/relp.c 2021-08-17 08:33:45.070119507 +0200
|
||||
@@ -385,9 +385,9 @@ relpEngineSetTLSLibByName(relpEngine_t *
|
||||
}
|
||||
|
||||
if(!strcasecmp(name, "gnutls")) {
|
||||
- relpEngineSetTLSLib(pThis, RELP_USE_GNUTLS);
|
||||
+ CHKRet(relpEngineSetTLSLib(pThis, RELP_USE_GNUTLS));
|
||||
}else if(!strcasecmp(name, "openssl")) {
|
||||
- relpEngineSetTLSLib(pThis, RELP_USE_OPENSSL);
|
||||
+ CHKRet(relpEngineSetTLSLib(pThis, RELP_USE_OPENSSL));
|
||||
} else {
|
||||
relpEngineCallOnGenericErr(pThis, "librelp", RELP_RET_PARAM_ERROR,
|
||||
"invalid tls lib '%s' requested; this version of "
|
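Review bot: The patch file carries no descriptive header before `diff -up`, so the only record of what it fixes is the bug number in its filename; downstream patches conventionally open with a short preamble such as `Propagate the relpEngineSetTLSLib return value from relpEngineSetTLSLibByName (rhbz#1972067)` so the intent survives rebases and renames. The wrapped `CHKRet(relpEngineSetTLSLib(pThis, RELP_USE_GNUTLS));` and its OpenSSL twin now rely on CHKRet to leave the function with the error code, which looks right, but the function's return path is outside the hunk, so confirm that `iRet` is what relpEngineSetTLSLibByName actually returns. The same missing preamble applies to librelp-1.10.0-crypto-compliance.patch.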
19
librelp.spec
19
librelp.spec
@ -1,12 +1,15 @@
|
||||
Summary: The Reliable Event Logging Protocol library
|
||||
Name: librelp
|
||||
Version: 1.10.0
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
License: GPLv3+
|
||||
URL: http://www.rsyslog.com/
|
||||
Source0: http://download.rsyslog.com/%{name}/%{name}-%{version}.tar.gz
|
||||
BuildRequires: gnutls-devel >= 1.4.0
|
||||
|
||||
Patch0: librelp-1.10.0-rhbz1972067-relpEngineSetTLSLibByName.patch
|
||||
Patch1: librelp-1.10.0-crypto-compliance.patch
|
||||
|
||||
%description
|
||||
Librelp is an easy to use library for the RELP protocol. RELP (stands
|
||||
for Reliable Event Logging Protocol) is a general-purpose, extensible
|
||||
@ -16,10 +19,12 @@ logging protocol.
|
||||
Summary: Development files for the %{name} package
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
Requires: pkgconfig
|
||||
Requires: openssl-libs
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: automake
|
||||
BuildRequires: libtool
|
||||
BuildRequires: make
|
||||
BuildRequires: openssl-devel
|
||||
|
||||
%description devel
|
||||
Librelp is an easy to use library for the RELP protocol. The
|
||||
@ -28,10 +33,12 @@ to develop applications using librelp.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch0 -p1 -b .tls-by-name
|
||||
%patch1 -p1 -b .crypto-compliance
|
||||
|
||||
%build
|
||||
autoreconf -ivf
|
||||
%configure --disable-static --disable-tls-openssl
|
||||
%configure --disable-static
|
||||
make %{?_smp_mflags}
|
||||
|
||||
%install
|
||||
@ -52,6 +59,14 @@ rm $RPM_BUILD_ROOT/%{_libdir}/*.la
|
||||
%{_libdir}/pkgconfig/relp.pc
|
||||
|
||||
%changelog
|
||||
* Fri Aug 06 2021 Attila Lakatos <alakatos@redhat.com> - 1.10.0-4
|
||||
- Replace GNUTLS_SHUT_RDWR by GNUTLS_SHUT_WR when ending TLS connections
|
||||
resolves: rhbz#1990735
|
||||
- Add patch to comply with crypto policies
|
||||
- Forward return code from relpEngineSetTLSLib to relpEngineSetTLSLibByName
|
||||
- Enable openssl
|
||||
resolves: rhbz#1972067
|
||||
|
||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.10.0-3
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
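Review bot: The new changelog entry is dated `Fri Aug 06 2021` for 1.10.0-4 but sits above the `Mon Aug 09 2021` entry for 1.10.0-3, so the changelog is no longer in descending date order and rpmbuild will warn about it; the patch files in this commit carry 2021-08-17 timestamps, so a date on or after that day would fit. The same entry also claims `Replace GNUTLS_SHUT_RDWR by GNUTLS_SHUT_WR when ending TLS connections`, but neither Patch0 nor Patch1 in this commit touches the connection shutdown path, so either that line belongs to a patch that is missing here or it should be dropped from this entry. `Requires: openssl-libs` on the -devel subpackage is also unusual: the library's soname dependency is generated automatically, and if relp.h pulls in OpenSSL headers the devel-side dependency would be openssl-devel instead — worth confirming which was intended.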