Port to openssl 1.1.0
This commit is contained in:
Vitezslav Crhonek
parent
0314364ecc
commit
c4e0090cf8
217
openwsman-2.6.2-openssl-1.1-fix.patch
Normal file
217
openwsman-2.6.2-openssl-1.1-fix.patch
Normal file
@ -0,0 +1,217 @@
|
||||
diff -up openwsman-2.6.2/src/lib/wsman-curl-client-transport.c.orig openwsman-2.6.2/src/lib/wsman-curl-client-transport.c
|
||||
--- openwsman-2.6.2/src/lib/wsman-curl-client-transport.c.orig 2015-10-19 15:27:46.000000000 +0200
|
||||
+++ openwsman-2.6.2/src/lib/wsman-curl-client-transport.c 2017-01-02 15:18:43.444990500 +0100
|
||||
@@ -239,12 +239,16 @@ write_handler( void *ptr, size_t size, s
|
||||
static int ssl_certificate_thumbprint_verify_callback(X509_STORE_CTX *ctx, void *arg)
|
||||
{
|
||||
unsigned char *thumbprint = (unsigned char *)arg;
|
||||
- X509 *cert = ctx->cert;
|
||||
EVP_MD *tempDigest;
|
||||
|
||||
unsigned char tempFingerprint[EVP_MAX_MD_SIZE];
|
||||
unsigned int tempFingerprintLen;
|
||||
tempDigest = (EVP_MD*)EVP_sha1( );
|
||||
+
|
||||
+ X509 *cert = X509_STORE_CTX_get_current_cert(ctx);
|
||||
+ if(!cert)
|
||||
+ return 0;
|
||||
+
|
||||
if ( X509_digest(cert, tempDigest, tempFingerprint, &tempFingerprintLen ) <= 0)
|
||||
return 0;
|
||||
if(!memcmp(tempFingerprint, thumbprint, tempFingerprintLen))
|
||||
diff -up openwsman-2.6.2/src/server/shttpd/config.c.orig openwsman-2.6.2/src/server/shttpd/config.c
|
||||
--- openwsman-2.6.2/src/server/shttpd/config.c.orig 2015-10-19 15:27:46.000000000 +0200
|
||||
+++ openwsman-2.6.2/src/server/shttpd/config.c 2017-01-03 14:21:57.925415734 +0100
|
||||
@@ -85,32 +85,24 @@ static void
|
||||
set_ssl(struct shttpd_ctx *ctx, void *arg, const char *pem)
|
||||
{
|
||||
SSL_CTX *CTX;
|
||||
+ SSL_CONF_CTX *CCTX;
|
||||
void *lib;
|
||||
struct ssl_func *fp;
|
||||
char *ssl_disabled_protocols = wsmand_options_get_ssl_disabled_protocols();
|
||||
+ int ret;
|
||||
|
||||
arg = NULL; /* Unused */
|
||||
|
||||
- /* Load SSL library dynamically */
|
||||
- if ((lib = dlopen(SSL_LIB, RTLD_LAZY)) == NULL) {
|
||||
- elog(E_FATAL, NULL, "set_ssl: cannot load %s", SSL_LIB);
|
||||
- ctx->ssl_ctx = NULL;
|
||||
- return;
|
||||
- }
|
||||
-
|
||||
- for (fp = ssl_sw; fp->name != NULL; fp++) {
|
||||
- if ((fp->ptr.v_void = dlsym(lib, fp->name)) == NULL) {
|
||||
- elog(E_FATAL, NULL,"set_ssl: cannot find %s", fp->name);
|
||||
- ctx->ssl_ctx = NULL;
|
||||
- return;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
/* Initialize SSL crap */
|
||||
static int ssl_library_initialized = 0;
|
||||
if(!ssl_library_initialized) {
|
||||
debug("Initialize SSL");
|
||||
+ SSL_load_error_strings();
|
||||
+ #if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
SSL_library_init();
|
||||
+ #else
|
||||
+ OPENSSL_init_ssl(0, NULL);
|
||||
+ #endif
|
||||
ssl_library_initialized = 1;
|
||||
}
|
||||
if ((CTX = SSL_CTX_new(SSLv23_server_method())) == NULL) {
|
||||
@@ -126,17 +118,26 @@ set_ssl(struct shttpd_ctx *ctx, void *ar
|
||||
SSL_CTX_free(CTX);
|
||||
CTX = NULL;
|
||||
}
|
||||
+ if ((CCTX = SSL_CONF_CTX_new()) == NULL) {
|
||||
+ elog(E_FATAL, NULL, "SSL_CONF_CTX_new error");
|
||||
+ debug("SSL_CONF_CTX_new error");
|
||||
+ }
|
||||
+ else {
|
||||
+ SSL_CONF_CTX_set_ssl_ctx(CCTX, CTX);
|
||||
+ }
|
||||
+
|
||||
+/*
|
||||
while (ssl_disabled_protocols) {
|
||||
struct ctx_opts_t {
|
||||
char *name;
|
||||
- long opt;
|
||||
+ char *opt;
|
||||
} protocols[] = {
|
||||
- { "SSLv2", SSL_OP_NO_SSLv2 },
|
||||
- { "SSLv3", SSL_OP_NO_SSLv3 },
|
||||
- { "TLSv1", SSL_OP_NO_TLSv1 },
|
||||
+ { "SSLv2", "SSLv2" },
|
||||
+ { "SSLv3", "SSLv3" },
|
||||
+ { "TLSv1", "TLSv1" },
|
||||
# if OPENSSL_VERSION_NUMBER >= 0x10001000L
|
||||
- { "TLSv1_1", SSL_OP_NO_TLSv1_1 },
|
||||
- { "TLSv1_2", SSL_OP_NO_TLSv1_2 },
|
||||
+ { "TLSv1_1", "TLSv1.1" },
|
||||
+ { "TLSv1_2", "TLSv1.2" },
|
||||
# endif
|
||||
{ NULL, 0 }
|
||||
};
|
||||
@@ -150,7 +151,17 @@ set_ssl(struct shttpd_ctx *ctx, void *ar
|
||||
for (idx = 0; protocols[idx].name ; ++idx) {
|
||||
if (strncasecmp(protocols[idx].name, ssl_disabled_protocols, blank_ptr-ssl_disabled_protocols) == 0) {
|
||||
debug("SSL: disable %s protocol", protocols[idx].name);
|
||||
- SSL_CTX_ctrl(CTX, SSL_CTRL_OPTIONS, protocols[idx].opt, NULL);
|
||||
+ debug("SSL: set '%s' as minimum protocol version - opt value", protocols[idx].opt);
|
||||
+ ret = SSL_CONF_cmd(CTX, "MinProtocol", protocols[idx].opt);
|
||||
+ if (ret > 2) {
|
||||
+ debug("SSL: SSL_CONF_cmd OK");
|
||||
+ }
|
||||
+ if (ret == -2) {
|
||||
+ debug("SSL: SSL_CONF_cmd ret == -2");
|
||||
+ }
|
||||
+ if (ret != -2) {
|
||||
+ debug("Error processing SSL_CONF_cmd()");
|
||||
+ }
|
||||
break;
|
||||
}
|
||||
}
|
||||
@@ -158,6 +169,10 @@ set_ssl(struct shttpd_ctx *ctx, void *ar
|
||||
break;
|
||||
ssl_disabled_protocols = blank_ptr + 1;
|
||||
}
|
||||
+*/
|
||||
+ if (!SSL_CONF_CTX_finish(CCTX)) {
|
||||
+ elog(E_FATAL, NULL, "SSL_CONF_CTX_finish error");
|
||||
+ }
|
||||
|
||||
ctx->ssl_ctx = CTX;
|
||||
}
|
||||
diff -up openwsman-2.6.2/src/server/shttpd/io_ssl.c.orig openwsman-2.6.2/src/server/shttpd/io_ssl.c
|
||||
--- openwsman-2.6.2/src/server/shttpd/io_ssl.c.orig 2015-10-19 15:27:46.000000000 +0200
|
||||
+++ openwsman-2.6.2/src/server/shttpd/io_ssl.c 2017-01-03 13:43:13.926524433 +0100
|
||||
@@ -11,26 +11,6 @@
|
||||
#include "shttpd_defs.h"
|
||||
|
||||
#if !defined(NO_SSL)
|
||||
-struct ssl_func ssl_sw[] = {
|
||||
- {"SSL_free", {0}},
|
||||
- {"SSL_accept", {0}},
|
||||
- {"SSL_connect", {0}},
|
||||
- {"SSL_read", {0}},
|
||||
- {"SSL_write", {0}},
|
||||
- {"SSL_get_error", {0}},
|
||||
- {"SSL_set_fd", {0}},
|
||||
- {"SSL_new", {0}},
|
||||
- {"SSL_CTX_new", {0}},
|
||||
- {"SSLv23_server_method", {0}},
|
||||
- {"SSL_library_init", {0}},
|
||||
- {"SSL_CTX_use_PrivateKey_file", {0}},
|
||||
- {"SSL_CTX_use_certificate_file",{0}},
|
||||
- {"SSL_CTX_free", {0}},
|
||||
- {"SSL_pending", {0}},
|
||||
- {"SSL_CTX_use_certificate_chain_file",{0}},
|
||||
- {"SSL_CTX_ctrl", {0}},
|
||||
- {NULL, {0}}
|
||||
-};
|
||||
|
||||
void
|
||||
ssl_handshake(struct stream *stream)
|
||||
diff -up openwsman-2.6.2/src/server/shttpd/ssl.h.orig openwsman-2.6.2/src/server/shttpd/ssl.h
|
||||
--- openwsman-2.6.2/src/server/shttpd/ssl.h.orig 2015-10-19 15:27:46.000000000 +0200
|
||||
+++ openwsman-2.6.2/src/server/shttpd/ssl.h 2017-01-02 15:18:43.445990500 +0100
|
||||
@@ -12,56 +12,4 @@
|
||||
|
||||
# include <openssl/ssl.h>
|
||||
|
||||
-#else
|
||||
-
|
||||
-/*
|
||||
- * Snatched from OpenSSL includes. I put the prototypes here to be independent
|
||||
- * from the OpenSSL source installation. Having this, shttpd + SSL can be
|
||||
- * built on any system with binary SSL libraries installed.
|
||||
- */
|
||||
-
|
||||
-typedef struct ssl_st SSL;
|
||||
-typedef struct ssl_method_st SSL_METHOD;
|
||||
-typedef struct ssl_ctx_st SSL_CTX;
|
||||
-
|
||||
-#define SSL_ERROR_WANT_READ 2
|
||||
-#define SSL_ERROR_WANT_WRITE 3
|
||||
-#define SSL_ERROR_SYSCALL 5
|
||||
-#define SSL_FILETYPE_PEM 1
|
||||
-
|
||||
#endif
|
||||
-
|
||||
-/*
|
||||
- * Dynamically loaded SSL functionality
|
||||
- */
|
||||
-struct ssl_func {
|
||||
- const char *name; /* SSL function name */
|
||||
- union variant ptr; /* Function pointer */
|
||||
-};
|
||||
-
|
||||
-extern struct ssl_func ssl_sw[];
|
||||
-
|
||||
-#define FUNC(x) ssl_sw[x].ptr.v_func
|
||||
-
|
||||
-#define SSL_free(x) (* (void (*)(SSL *)) FUNC(0))(x)
|
||||
-#define SSL_accept(x) (* (int (*)(SSL *)) FUNC(1))(x)
|
||||
-#define SSL_connect(x) (* (int (*)(SSL *)) FUNC(2))(x)
|
||||
-#define SSL_read(x,y,z) (* (int (*)(SSL *, void *, int)) FUNC(3))((x),(y),(z))
|
||||
-#define SSL_write(x,y,z) \
|
||||
- (* (int (*)(SSL *, const void *,int)) FUNC(4))((x), (y), (z))
|
||||
-#define SSL_get_error(x,y)(* (int (*)(SSL *, int)) FUNC(5))((x), (y))
|
||||
-#define SSL_set_fd(x,y) (* (int (*)(SSL *, int)) FUNC(6))((x), (y))
|
||||
-#define SSL_new(x) (* (SSL * (*)(SSL_CTX *)) FUNC(7))(x)
|
||||
-#define SSL_CTX_new(x) (* (SSL_CTX * (*)(SSL_METHOD *)) FUNC(8))(x)
|
||||
-#define SSLv23_server_method() (* (SSL_METHOD * (*)(void)) FUNC(9))()
|
||||
-#define SSL_library_init() (* (int (*)(void)) FUNC(10))()
|
||||
-#define SSL_CTX_use_PrivateKey_file(x,y,z) (* (int (*)(SSL_CTX *, \
|
||||
- const char *, int)) FUNC(11))((x), (y), (z))
|
||||
-#define SSL_CTX_use_certificate_file(x,y,z) (* (int (*)(SSL_CTX *, \
|
||||
- const char *, int)) FUNC(12))((x), (y), (z))
|
||||
-#define SSL_CTX_use_certificate_chain_file(x,y) (* (int (*)(SSL_CTX *, \
|
||||
- const char *)) FUNC(15))((x), (y))
|
||||
-#define SSL_CTX_free(x) (*(void (*)(SSL_CTX *)) FUNC(13))(x)
|
||||
-#define SSL_pending(x) (*(int (*)(SSL *)) FUNC(14))(x)
|
||||
-#define SSL_CTX_ctrl(w,x,y,z) (*(long (*)(SSL_CTX *,int,long,void *)) FUNC(16))((w),(x),(y),(z))
|
||||
-
|
||||
@ -9,7 +9,7 @@ BuildRequires: perl-devel perl-generators pkgconfig openssl-devel
|
||||
BuildRequires: cmake
|
||||
BuildRequires: systemd-units
|
||||
Version: 2.6.2
|
||||
Release: 8%{?dist}
|
||||
Release: 9%{?dist}
|
||||
Url: http://www.openwsman.org/
|
||||
License: BSD
|
||||
Group: Applications/System
|
||||
@ -27,6 +27,7 @@ Patch1: openwsman-2.2.7-libssl.patch
|
||||
Patch2: openwsman-2.4.0-pamsetup.patch
|
||||
Patch3: openwsman-2.4.12-ruby-binding-build.patch
|
||||
Patch4: openwsman-2.6.2-python3.patch
|
||||
Patch5: openwsman-2.6.2-openssl-1.1-fix.patch
|
||||
|
||||
%description
|
||||
Openwsman is a project intended to provide an open-source
|
||||
@ -183,6 +184,7 @@ popd
|
||||
%patch2 -p1 -b .pamsetup
|
||||
%patch3 -p1 -b .ruby-binding-build
|
||||
%patch4 -p1 -b .python3
|
||||
%patch5 -p1 -b .openssl-1.1-fix
|
||||
|
||||
# support ruby 2.2
|
||||
pushd bindings/ruby
|
||||
@ -357,6 +359,10 @@ rm -f /var/log/wsmand.log
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Jan 03 2017 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.6.2-9
|
||||
- Port to openssl 1.1.0
|
||||
Resolves: #1383992
|
||||
|
||||
* Mon Dec 19 2016 Miro Hrončok <mhroncok@redhat.com> - 2.6.2-8
|
||||
- Rebuild for Python 3.6
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user