From bfa589ac16669502133b661988afbf4d148c6aad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20Hor=C3=A1k?=
Date: Wed, 7 Jul 2021 13:46:16 +0200
Subject: [PATCH] - update genprotimg for OpenSSL3 (#1964818) - Related: #1964818
---
s390-tools-2.16.0-genprotimg-openssl3.patch | 149 ++++++++++++++++++++
s390-tools-2.16.0-no-genprotimg.patch | 12 --
s390utils.spec | 24 ++--
3 files changed, 157 insertions(+), 28 deletions(-)
create mode 100644 s390-tools-2.16.0-genprotimg-openssl3.patch
delete mode 100644 s390-tools-2.16.0-no-genprotimg.patch
diff --git a/s390-tools-2.16.0-genprotimg-openssl3.patch b/s390-tools-2.16.0-genprotimg-openssl3.patch
new file mode 100644
index 0000000..bc9ee45
--- /dev/null
+++ b/s390-tools-2.16.0-genprotimg-openssl3.patch
@@ -0,0 +1,149 @@
+From 8723dbce048add87ce10fe8c72eea75c4f828ef8 Mon Sep 17 00:00:00 2001
+From: Marc Hartmayer
+Date: Wed, 23 Jun 2021 13:16:25 +0000
+Subject: [PATCH] genprotimg: add OpenSSL 3.0 support
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add OpenSSL 3.0 support while still supporting OpenSSL 1.1.0 and newer. For this
+set the OPENSSL_API_COMPAT user defined macro to OpenSSL 1.1.0 (see
+https://www.openssl.org/docs/manmaster/man7/OPENSSL_API_COMPAT.html) so we don't
+see any deprecation warnings when using OpenSSL 3.0. In addition, add an
+compatibility layer for OpenSSL since some OpenSSL API functions were constified
+with OpenSSL 3.0.
+
+Fixes: https://github.com/ibm-s390-linux/s390-tools/issues/112
+Reviewed-by: Patrick Steuer
+Signed-off-by: Marc Hartmayer
+Signed-off-by: Jan Höppner
+---
+ CHANGELOG.md | 1 +
+ genprotimg/src/Makefile | 1 +
+ genprotimg/src/utils/crypto.c | 15 ++++++------
+ genprotimg/src/utils/openssl_compat.h | 33 +++++++++++++++++++++++++++
+ 4 files changed, 43 insertions(+), 7 deletions(-)
+ create mode 100644 genprotimg/src/utils/openssl_compat.h
+
+diff --git a/genprotimg/src/Makefile b/genprotimg/src/Makefile
+index a71bb1e3..0e811d66 100644
+--- a/genprotimg/src/Makefile
++++ b/genprotimg/src/Makefile
+@@ -29,6 +29,7 @@ $(bin_PROGRAM)_OBJS := $($(bin_PROGRAM)_SRCS:.c=.o)
+
+ ALL_CFLAGS += -std=gnu11 -DPKGDATADIR=$(PKGDATADIR) \
+ $(GLIB2_CFLAGS) $(LIBCRYPTO_CFLAGS) $(LIBCURL_CFLAGS) \
++ -DOPENSSL_API_COMPAT=0x10100000L \
+ $(WARNINGS) \
+ $(NULL)
+ ALL_CPPFLAGS += $(INCLUDE_PARMS)
+diff --git a/genprotimg/src/utils/crypto.c b/genprotimg/src/utils/crypto.c
+index 2e4750b8..087de375 100644
+--- a/genprotimg/src/utils/crypto.c
++++ b/genprotimg/src/utils/crypto.c
+@@ -31,6 +31,7 @@
+
+ #include "buffer.h"
+ #include "curl.h"
++#include "openssl_compat.h"
+ #include "crypto.h"
+
+ #define DEFINE_GSLIST_MAP(t2, t1) \
+@@ -1438,7 +1439,7 @@ static const char
*get_first_dp_url(DIST_POINT *dp)
+ return NULL;
+ }
+
+-static gboolean insert_crl(X509_NAME *name, X509_CRL *crl)
++static gboolean insert_crl(const X509_NAME *name, X509_CRL *crl)
+ {
+ g_autofree gchar *key = NULL;
+
+@@ -1453,7 +1454,7 @@ static gboolean insert_crl(X509_NAME *name, X509_CRL *crl)
+ }
+
+ /* Caller is responsible for free'ing */
+-static X509_CRL *lookup_crl(X509_NAME *name)
++static X509_CRL *lookup_crl(const X509_NAME *name)
+ {
+ g_autoptr(X509_CRL) crl = NULL;
+ g_autofree gchar *key = NULL;
+@@ -1473,7 +1474,7 @@ static X509_CRL *lookup_crl(X509_NAME *name)
+ }
+
+ /* Returns empty stack if no CRL downloaded. */
+-static STACK_OF_X509_CRL *crls_download_cb(X509_STORE_CTX *ctx, X509_NAME *nm)
++static STACK_OF_X509_CRL *crls_download_cb(const X509_STORE_CTX *ctx, const X509_NAME *nm)
+ {
+ g_autoptr(STACK_OF_X509_CRL) crls = NULL;
+ g_autoptr(X509_CRL) crl = NULL;
+@@ -1483,7 +1484,7 @@ static STACK_OF_X509_CRL *crls_download_cb(X509_STORE_CTX *ctx, X509_NAME *nm)
+ crls = sk_X509_CRL_new_null();
+ if (!crls)
+ g_abort();
+- cert = X509_STORE_CTX_get_current_cert(ctx);
++ cert = Pv_X509_STORE_CTX_get_current_cert(ctx);
+ if (!cert)
+ return g_steal_pointer(&crls);
+ g_assert(X509_NAME_cmp(X509_get_issuer_name(cert), nm) == 0);
+@@ -1527,19 +1528,19 @@ void STACK_OF_X509_CRL_free(STACK_OF_X509_CRL *stack)
+ /* Downloaded CRLs have a higher precedence than the CRLs specified on the
+ * command line.
+ */
+-static STACK_OF_X509_CRL *crls_cb(X509_STORE_CTX *ctx, X509_NAME *nm)
++static STACK_OF_X509_CRL *crls_cb(const X509_STORE_CTX *ctx, const X509_NAME *nm)
+ {
+ g_autoptr(STACK_OF_X509_CRL) crls = crls_download_cb(ctx, nm);
+
+ if (sk_X509_CRL_num(crls) > 0)
+ return g_steal_pointer(&crls);
+- return X509_STORE_CTX_get1_crls(ctx, nm);
++ return Pv_X509_STORE_CTX_get1_crls(ctx, nm);
+ }
+
+ /* Set up CRL lookup with download support */
+ void store_setup_crl_download(X509_STORE *st)
+ {
+- X509_STORE_set_lookup_crls(st, crls_cb);
++ Pv_X509_STORE_set_lookup_crls(st, crls_cb);
+ }
+
+ /* Download a CRL using the URI specified in the distribution @crldp */
+diff --git a/genprotimg/src/utils/openssl_compat.h b/genprotimg/src/utils/openssl_compat.h
+new file mode 100644
+index 00000000..791c31fc
+--- /dev/null
++++ b/genprotimg/src/utils/openssl_compat.h
+@@ -0,0 +1,33 @@
++/*
++ * OpenSSL compatibility utils
++ *
++ * Copyright IBM Corp. 2021
++ *
++ * s390-tools is free software; you can redistribute it and/or modify
++ * it under the terms of the MIT license. See LICENSE for details.
++ */
++
++#ifndef PV_UTILS_OPENSSL_COMPAT_H
++#define PV_UTILS_OPENSSL_COMPAT_H
++
++#include
++#include
++#include
++
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#define Pv_X509_STORE_CTX_get_current_cert(ctx) \
++ X509_STORE_CTX_get_current_cert((X509_STORE_CTX *)(ctx))
++#define Pv_X509_STORE_CTX_get1_crls(ctx, nm) \
++ X509_STORE_CTX_get1_crls((X509_STORE_CTX *)(ctx), (X509_NAME *)(nm))
++#define Pv_X509_STORE_set_lookup_crls(st, cb) \
++ X509_STORE_set_lookup_crls(st, (X509_STORE_CTX_lookup_crls_fn)(cb))
++#else
++#define Pv_X509_STORE_CTX_get_current_cert(ctx) \
++ X509_STORE_CTX_get_current_cert(ctx)
++#define Pv_X509_STORE_CTX_get1_crls(ctx, nm) \
++ X509_STORE_CTX_get1_crls(ctx, nm)
++#define Pv_X509_STORE_set_lookup_crls(st, cb) \
++ X509_STORE_set_lookup_crls(st, cb)
++#endif
++
++#endif
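Review bot: In the new openssl_compat.h, the pre-3.0 branch of `Pv_X509_STORE_set_lookup_crls` registers the callback through `(X509_STORE_CTX_lookup_crls_fn)(cb)`, and that cast accepts any function, so a later change to the signature of `crls_cb` would still build against OpenSSL 1.1.x and only misbehave at run time inside CRL lookup, which is part of the revocation check. On those builds OpenSSL presumably calls the const-qualified `crls_cb` through a pointer type with non-const parameters; that works on common ABIs but is an incompatible-type indirect call in ISO C and is the pattern indirect-call CFI instrumentation rejects. A small static wrapper with the legacy `(X509_STORE_CTX *, X509_NAME *)` signature that forwards to `crls_cb`, compiled only under `#if OPENSSL_VERSION_NUMBER < 0x30000000L`, would keep the registration type-checked on both branches without a cast. Because this file is a copy of the upstream commit named in the spec, the change would belong upstream rather than in this packaging patch.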
diff --git a/s390-tools-2.16.0-no-genprotimg.patch b/s390-tools-2.16.0-no-genprotimg.patch
deleted file mode 100644
index 58f4468..0000000
--- a/s390-tools-2.16.0-no-genprotimg.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up s390-tools-2.16.0/Makefile.orig s390-tools-2.16.0/Makefile
---- s390-tools-2.16.0/Makefile.orig 2021-06-02 13:19:47.774533339 +0200
-+++ s390-tools-2.16.0/Makefile 2021-06-02 13:19:54.563698060 +0200
-@@ -9,7 +9,7 @@ TOOL_DIRS = zipl zdump fdasd dasdfmt das
- vmconvert vmcp man mon_tools dasdinfo vmur cpuplugd ipl_tools \
- ziomon iucvterm hyptop cmsfs-fuse qethqoat zfcpdump zdsfs cpumf \
- systemd hmcdrvfs cpacfstats zdev dump2tar zkey netboot etc zpcictl \
-- genprotimg lsstp hsci
-+ lsstp hsci
-
- SUB_DIRS = $(LIB_DIRS) $(TOOL_DIRS)
-
diff --git a/s390utils.spec b/s390utils.spec
index 6d5c861..32a4f52 100644
--- a/s390utils.spec
+++ b/s390utils.spec
@@ -3,12 +3,10 @@ %global signzipl 1 %endif -%global with_openssl3 1 - Name: s390utils Summary: Utilities and daemons for IBM z Systems Version: 2.16.0 -Release: 5%{?dist} +Release: 6%{?dist} Epoch: 2 License: MIT ExclusiveArch: s390 s390x
@@ -42,9 +40,8 @@ Patch1: s390-tools-zipl-blscfg-rpm-nvr-sort.patch Patch100: s390-tools-2.16.0-zkey.patch # https://github.com/ibm-s390-linux/s390-tools/commit/b6bdd7744aba06d82f30b0c84012f0b06ccb01de Patch101: s390-tools-2.16.0-genprotimg.patch - -# OpenSSL 3.0 workaround until there is an upstream fix -Patch200: s390-tools-2.16.0-no-genprotimg.patch +# https://github.com/ibm-s390-linux/s390-tools/commit/8723dbce048add87ce10fe8c72eea75c4f828ef8 +Patch102: s390-tools-2.16.0-genprotimg-openssl3.patch Requires: s390utils-core = %{epoch}:%{version}-%{release} Requires: s390utils-base = %{epoch}:%{version}-%{release}
@@ -75,10 +72,7 @@ be used together with the zSeries (s390) Linux kernel and device drivers. # upstream fixes %patch100 -p1 %patch101 -p1 - -%if 0%{?with_openssl3} -%patch200 -p1 -%endif +%patch102 -p1 # remove --strip from install find . -name Makefile | xargs sed -i 's/$(INSTALL) -s/$(INSTALL)/g'
@@ -462,9 +456,7 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm %{_sbindir}/znetconf %{_sbindir}/zpcictl %{_bindir}/dump2tar -%if ! 0%{?with_openssl3} %{_bindir}/genprotimg -%endif %{_bindir}/mk-s390image %{_bindir}/vmconvert %{_bindir}/zkey
@@ -497,9 +489,7 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm %{_mandir}/man8/dasdstat.8* %{_mandir}/man8/dasdview.8* %{_mandir}/man8/dumpconf.8* -%if ! 0%{?with_openssl3} %{_mandir}/man8/genprotimg.8.* -%endif %{_mandir}/man8/hsci.8* %{_mandir}/man8/hyptop.8* %{_mandir}/man8/lschp.8*
@@ -529,9 +519,7 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm %{_mandir}/man8/znetconf.8* %{_mandir}/man8/zpcictl.8* %dir %{_datadir}/s390-tools/ -%if ! 0%{?with_openssl3} %{_datadir}/s390-tools/genprotimg/ -%endif %{_datadir}/s390-tools/netboot/ %dir %attr(0770,root,zkeyadm) %{_sysconfdir}/zkey %dir %attr(0770,root,zkeyadm) %{_sysconfdir}/zkey/repository
@@ -831,6 +819,10 @@ User-space development files for the s390/s390x architecture. %changelog +* Wed Jul 07 2021 Dan Horák - 2:2.16.0-6 +- update genprotimg for OpenSSL3 (#1964818) +- Related: #1964818 + * Thu Jun 17 2021 Dan Horák - 2:2.16.0-5 - drop obsolete setting from device_cio_free.service (#1972449) - Resolves: #1972449