- update genprotimg for OpenSSL3 (#1964818)

- Related: #1964818
2021-07-07 13:46:16 +02:00 · 2021-07-07 13:46:16 +02:00 · bfa589ac16
commit bfa589ac16
parent 2ade7f47aa
3 changed files with 157 additions and 28 deletions
--- a/s390-tools-2.16.0-genprotimg-openssl3.patch
+++ b/s390-tools-2.16.0-genprotimg-openssl3.patch
@ -0,0 +1,149 @@
+From 8723dbce048add87ce10fe8c72eea75c4f828ef8 Mon Sep 17 00:00:00 2001
+From: Marc Hartmayer <mhartmay@linux.ibm.com>
+Date: Wed, 23 Jun 2021 13:16:25 +0000
+Subject: [PATCH] genprotimg: add OpenSSL 3.0 support
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add OpenSSL 3.0 support while still supporting OpenSSL 1.1.0 and newer. For this
+set the OPENSSL_API_COMPAT user defined macro to OpenSSL 1.1.0 (see
+https://www.openssl.org/docs/manmaster/man7/OPENSSL_API_COMPAT.html) so we don't
+see any deprecation warnings when using OpenSSL 3.0. In addition, add an
+compatibility layer for OpenSSL since some OpenSSL API functions were constified
+with OpenSSL 3.0.
+
+Fixes: https://github.com/ibm-s390-linux/s390-tools/issues/112
+Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
+Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
+Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+---
+ CHANGELOG.md                          |  1 +
+ genprotimg/src/Makefile               |  1 +
+ genprotimg/src/utils/crypto.c         | 15 ++++++------
+ genprotimg/src/utils/openssl_compat.h | 33 +++++++++++++++++++++++++++
+ 4 files changed, 43 insertions(+), 7 deletions(-)
+ create mode 100644 genprotimg/src/utils/openssl_compat.h
+
+diff --git a/genprotimg/src/Makefile b/genprotimg/src/Makefile
+index a71bb1e3..0e811d66 100644
+--- a/genprotimg/src/Makefile
+++ b/genprotimg/src/Makefile
+@@ -29,6 +29,7 @@ $(bin_PROGRAM)_OBJS := $($(bin_PROGRAM)_SRCS:.c=.o)
+ 
+ ALL_CFLAGS += -std=gnu11 -DPKGDATADIR=$(PKGDATADIR) \
+ 	$(GLIB2_CFLAGS) $(LIBCRYPTO_CFLAGS) $(LIBCURL_CFLAGS) \
+	-DOPENSSL_API_COMPAT=0x10100000L \
+ 	$(WARNINGS) \
+ 	$(NULL)
+ ALL_CPPFLAGS += $(INCLUDE_PARMS)
+diff --git a/genprotimg/src/utils/crypto.c b/genprotimg/src/utils/crypto.c
+index 2e4750b8..087de375 100644
+--- a/genprotimg/src/utils/crypto.c
+++ b/genprotimg/src/utils/crypto.c
+@@ -31,6 +31,7 @@
+ 
+ #include "buffer.h"
+ #include "curl.h"
+#include "openssl_compat.h"
+ #include "crypto.h"
+ 
+ #define DEFINE_GSLIST_MAP(t2, t1)					\
+@@ -1438,7 +1439,7 @@ static const char *get_first_dp_url(DIST_POINT *dp)
+ 	return NULL;
+ }
+ 
+-static gboolean insert_crl(X509_NAME *name, X509_CRL *crl)
+static gboolean insert_crl(const X509_NAME *name, X509_CRL *crl)
+ {
+ 	g_autofree gchar *key = NULL;
+ 
+@@ -1453,7 +1454,7 @@ static gboolean insert_crl(X509_NAME *name, X509_CRL *crl)
+ }
+ 
+ /* Caller is responsible for free'ing */
+-static X509_CRL *lookup_crl(X509_NAME *name)
+static X509_CRL *lookup_crl(const X509_NAME *name)
+ {
+ 	g_autoptr(X509_CRL) crl = NULL;
+ 	g_autofree gchar *key = NULL;
+@@ -1473,7 +1474,7 @@ static X509_CRL *lookup_crl(X509_NAME *name)
+ }
+ 
+ /* Returns empty stack if no CRL downloaded. */
+-static STACK_OF_X509_CRL *crls_download_cb(X509_STORE_CTX *ctx, X509_NAME *nm)
+static STACK_OF_X509_CRL *crls_download_cb(const X509_STORE_CTX *ctx, const X509_NAME *nm)
+ {
+ 	g_autoptr(STACK_OF_X509_CRL) crls = NULL;
+ 	g_autoptr(X509_CRL) crl = NULL;
+@@ -1483,7 +1484,7 @@ static STACK_OF_X509_CRL *crls_download_cb(X509_STORE_CTX *ctx, X509_NAME *nm)
+ 	crls = sk_X509_CRL_new_null();
+ 	if (!crls)
+ 		g_abort();
+-	cert = X509_STORE_CTX_get_current_cert(ctx);
+	cert = Pv_X509_STORE_CTX_get_current_cert(ctx);
+ 	if (!cert)
+ 		return g_steal_pointer(&crls);
+ 	g_assert(X509_NAME_cmp(X509_get_issuer_name(cert), nm) == 0);
+@@ -1527,19 +1528,19 @@ void STACK_OF_X509_CRL_free(STACK_OF_X509_CRL *stack)
+ /* Downloaded CRLs have a higher precedence than the CRLs specified on the
+  * command line.
+  */
+-static STACK_OF_X509_CRL *crls_cb(X509_STORE_CTX *ctx, X509_NAME *nm)
+static STACK_OF_X509_CRL *crls_cb(const X509_STORE_CTX *ctx, const X509_NAME *nm)
+ {
+ 	g_autoptr(STACK_OF_X509_CRL) crls = crls_download_cb(ctx, nm);
+ 
+ 	if (sk_X509_CRL_num(crls) > 0)
+ 		return g_steal_pointer(&crls);
+-	return X509_STORE_CTX_get1_crls(ctx, nm);
+	return Pv_X509_STORE_CTX_get1_crls(ctx, nm);
+ }
+ 
+ /* Set up CRL lookup with download support */
+ void store_setup_crl_download(X509_STORE *st)
+ {
+-	X509_STORE_set_lookup_crls(st, crls_cb);
+	Pv_X509_STORE_set_lookup_crls(st, crls_cb);
+ }
+ 
+ /* Download a CRL using the URI specified in the distribution @crldp */
+diff --git a/genprotimg/src/utils/openssl_compat.h b/genprotimg/src/utils/openssl_compat.h
+new file mode 100644
+index 00000000..791c31fc
+--- /dev/null
+++ b/genprotimg/src/utils/openssl_compat.h
+@@ -0,0 +1,33 @@
+/*
+ * OpenSSL compatibility utils
+ *
+ * Copyright IBM Corp. 2021
+ *
+ * s390-tools is free software; you can redistribute it and/or modify
+ * it under the terms of the MIT license. See LICENSE for details.
+ */
+
+#ifndef PV_UTILS_OPENSSL_COMPAT_H
+#define PV_UTILS_OPENSSL_COMPAT_H
+
+#include <openssl/opensslv.h>
+#include <openssl/x509.h>
+#include <openssl/x509_vfy.h>
+
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#define Pv_X509_STORE_CTX_get_current_cert(ctx)                                \
+	X509_STORE_CTX_get_current_cert((X509_STORE_CTX *)(ctx))
+#define Pv_X509_STORE_CTX_get1_crls(ctx, nm)                                   \
+	X509_STORE_CTX_get1_crls((X509_STORE_CTX *)(ctx), (X509_NAME *)(nm))
+#define Pv_X509_STORE_set_lookup_crls(st, cb)                                  \
+	X509_STORE_set_lookup_crls(st, (X509_STORE_CTX_lookup_crls_fn)(cb))
+#else
+#define Pv_X509_STORE_CTX_get_current_cert(ctx)                                \
+	X509_STORE_CTX_get_current_cert(ctx)
+#define Pv_X509_STORE_CTX_get1_crls(ctx, nm)                                   \
+	X509_STORE_CTX_get1_crls(ctx, nm)
+#define Pv_X509_STORE_set_lookup_crls(st, cb)                                  \
+	X509_STORE_set_lookup_crls(st, cb)
+#endif
+
+#endif
--- a/s390-tools-2.16.0-no-genprotimg.patch
+++ b/s390-tools-2.16.0-no-genprotimg.patch
@ -1,12 +0,0 @@
-diff -up s390-tools-2.16.0/Makefile.orig s390-tools-2.16.0/Makefile
--- s390-tools-2.16.0/Makefile.orig	2021-06-02 13:19:47.774533339 +0200
-+++ s390-tools-2.16.0/Makefile	2021-06-02 13:19:54.563698060 +0200
-@@ -9,7 +9,7 @@ TOOL_DIRS = zipl zdump fdasd dasdfmt das
- 	   vmconvert vmcp man mon_tools dasdinfo vmur cpuplugd ipl_tools \
- 	   ziomon iucvterm hyptop cmsfs-fuse qethqoat zfcpdump zdsfs cpumf \
- 	   systemd hmcdrvfs cpacfstats zdev dump2tar zkey netboot etc zpcictl \
-	   genprotimg lsstp hsci
-+	   lsstp hsci
- 
- SUB_DIRS = $(LIB_DIRS) $(TOOL_DIRS)
- 
--- a/s390utils.spec
+++ b/s390utils.spec
@ -3,12 +3,10 @@
 %global signzipl 1
 %endif

-%global with_openssl3 1
-
 Name:           s390utils
 Summary:        Utilities and daemons for IBM z Systems
 Version:        2.16.0
-Release:        5%{?dist}
+Release:        6%{?dist}
 Epoch:          2
 License:        MIT
 ExclusiveArch:  s390 s390x
@ -42,9 +40,8 @@ Patch1:         s390-tools-zipl-blscfg-rpm-nvr-sort.patch
 Patch100:       s390-tools-2.16.0-zkey.patch
 # https://github.com/ibm-s390-linux/s390-tools/commit/b6bdd7744aba06d82f30b0c84012f0b06ccb01de
 Patch101:       s390-tools-2.16.0-genprotimg.patch
-
-# OpenSSL 3.0 workaround until there is an upstream fix
-Patch200:       s390-tools-2.16.0-no-genprotimg.patch
+# https://github.com/ibm-s390-linux/s390-tools/commit/8723dbce048add87ce10fe8c72eea75c4f828ef8
+Patch102:       s390-tools-2.16.0-genprotimg-openssl3.patch

 Requires:       s390utils-core = %{epoch}:%{version}-%{release}
 Requires:       s390utils-base = %{epoch}:%{version}-%{release}
@ -75,10 +72,7 @@ be used together with the zSeries (s390) Linux kernel and device drivers.
 # upstream fixes
 %patch100 -p1
 %patch101 -p1
-
-%if 0%{?with_openssl3}
-%patch200 -p1
-%endif
+%patch102 -p1

 # remove --strip from install
 find . -name Makefile | xargs sed -i 's/$(INSTALL) -s/$(INSTALL)/g'
@ -462,9 +456,7 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm
 %{_sbindir}/znetconf
 %{_sbindir}/zpcictl
 %{_bindir}/dump2tar
-%if ! 0%{?with_openssl3}
 %{_bindir}/genprotimg
-%endif
 %{_bindir}/mk-s390image
 %{_bindir}/vmconvert
 %{_bindir}/zkey
@ -497,9 +489,7 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm
 %{_mandir}/man8/dasdstat.8*
 %{_mandir}/man8/dasdview.8*
 %{_mandir}/man8/dumpconf.8*
-%if ! 0%{?with_openssl3}
 %{_mandir}/man8/genprotimg.8.*
-%endif
 %{_mandir}/man8/hsci.8*
 %{_mandir}/man8/hyptop.8*
 %{_mandir}/man8/lschp.8*
@ -529,9 +519,7 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm
 %{_mandir}/man8/znetconf.8*
 %{_mandir}/man8/zpcictl.8*
 %dir %{_datadir}/s390-tools/
-%if ! 0%{?with_openssl3}
 %{_datadir}/s390-tools/genprotimg/
-%endif
 %{_datadir}/s390-tools/netboot/
 %dir %attr(0770,root,zkeyadm) %{_sysconfdir}/zkey
 %dir %attr(0770,root,zkeyadm) %{_sysconfdir}/zkey/repository
@ -831,6 +819,10 @@ User-space development files for the s390/s390x architecture.


 %changelog
+* Wed Jul 07 2021 Dan Horák <dan[at]danny.cz> - 2:2.16.0-6
+- update genprotimg for OpenSSL3 (#1964818)
+- Related: #1964818
+
 * Thu Jun 17 2021 Dan Horák <dan[at]danny.cz> - 2:2.16.0-5
 - drop obsolete setting from device_cio_free.service (#1972449)
 - Resolves: #1972449