From 8a949fe33c999b0bbe2d496e4adbc768e210d3ed Mon Sep 17 00:00:00 2001
From: Tomas Hozza
Date: Mar 01 2017 12:42:05 +0000
Subject: Include fix for runtime issues with OpenSSL 1.1.0 (#1427561)
---
diff --git a/dnssec-trigger-0.13-openssl-1.1.0-fixup.patch b/dnssec-trigger-0.13-openssl-1.1.0-fixup.patch
new file mode 100644
index 0000000..d84ad7e
--- /dev/null
+++ b/dnssec-trigger-0.13-openssl-1.1.0-fixup.patch
@@ -0,0 +1,69 @@
+From 2fcc4bce2043149074bcf09fcb8ee3a0c7bc2348 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior
+Date: Mon, 7 Nov 2016 20:59:11 +0000
+Subject: [PATCH 1/8] dnssec-trigger: openssl 1.1.0 fixup
+
+- SSL_OP_NO_SSLv2 / SSLv2 has been removed from openssl 1.1.0 and as
+ such it can't be tested (the way it is) if disabling it worked.
+
+Signed-off-by: Sebastian Andrzej Siewior
+---
+ riggerd/cfg.c | 2 ++
+ riggerd/net_help.c | 2 ++
+ riggerd/svr.c | 2 ++
+ 3 files changed, 6 insertions(+)
+
+diff --git a/riggerd/cfg.c b/riggerd/cfg.c
+index 03f4f73..08b2028 100644
+--- a/riggerd/cfg.c
++++ b/riggerd/cfg.c
+@@ -540,9 +540,11 @@ cfg_setup_ctx_client(struct cfg* cfg, char* err, size_t errlen)
+ if(!ctx)
+ return ctx_err_ret(ctx, err, errlen,
+ "could not allocate SSL_CTX pointer");
++#if OPENSSL_VERSION_NUMBER < 0x10100000
+ if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2))
+ return ctx_err_ret(ctx, err, errlen,
+ "could not set SSL_OP_NO_SSLv2");
++#endif
+ if(!SSL_CTX_use_certificate_file(ctx,c_cert,SSL_FILETYPE_PEM) ||
+ !SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)
+ || !SSL_CTX_check_private_key(ctx))
+diff --git a/riggerd/net_help.c b/riggerd/net_help.c
+index 0f0d1d0..c469894 100644
+--- a/riggerd/net_help.c
++++ b/riggerd/net_help.c
+@@ -447,11 +447,13 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
+ return NULL;
+ }
+ /* no SSLv2 because has defects */
++#if OPENSSL_VERSION_NUMBER < 0x10100000
+ if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
+ log_crypto_err("could not set SSL_OP_NO_SSLv2");
+ SSL_CTX_free(ctx);
+ return NULL;
+ }
++#endif
+ if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
+ log_err("error for cert file: %s", pem);
+ log_crypto_err("error in SSL_CTX use_certificate_file");
+diff --git a/riggerd/svr.c b/riggerd/svr.c
+index 272dc2e..e7e618f 100644
+--- a/riggerd/svr.c
++++ b/riggerd/svr.c
+@@ -162,10 +162,12 @@ static int
setup_ssl_ctx(struct svr* s)
+ return 0;
+ }
+ /* no SSLv2 because has defects */
++#if OPENSSL_VERSION_NUMBER < 0x10100000
+ if(!(SSL_CTX_set_options(s->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
+ log_crypto_err("could not set SSL_OP_NO_SSLv2");
+ return 0;
+ }
++#endif
+ s_cert = s->cfg->server_cert_file;
+ s_key = s->cfg->server_key_file;
+ verbose(VERB_ALGO, "setup SSL certificates");
+--
+2.7.4
+
diff --git a/dnssec-trigger.spec b/dnssec-trigger.spec
index ef1c05b..fa2cb30 100644
--- a/dnssec-trigger.spec
+++ b/dnssec-trigger.spec
@@ -5,7 +5,7 @@ Summary: Tool for dynamic reconfiguration of validating resolver Unbound
 Name: dnssec-trigger
 Version: 0.13
-Release: 1%{?svn_snapshot:.%{svn_snapshot}svn}%{?dist}
+Release: 2%{?svn_snapshot:.%{svn_snapshot}svn}%{?dist}
 License: BSD
 Url: http://www.nlnetlabs.nl/downloads/dnssec-trigger/
@@ -20,6 +20,8 @@ Source2: dnssec-trigger-default.conf
 Source3: dnssec-trigger-workstation.conf
 # Patches
+# https://github.com/oerdnj/dnssec-trigger/commit/2fcc4bce2043149074bcf09fcb8ee3a0c7bc2348
+Patch0: dnssec-trigger-0.13-openssl-1.1.0-fixup.patch
 # to obsolete the version in which the panel was in main package
 Obsoletes: %{name} < 0.12-22
@@ -76,6 +78,7 @@ some user input is needed, the panel creates a dialog window.
 # don't use DNSSEC for forward zones for now
 sed -i "s/validate_connection_provided_zones=yes/validate_connection_provided_zones=no/" dnssec.conf
+%patch0 -p1 -b .openssl-110-fixup
 %build
 %configure \
@@ -180,6 +183,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %changelog
+* Wed Mar 01 2017 Tomas Hozza - 0.13-2
+- Include fix for runtime issues with OpenSSL 1.1.0 (#1427561)
+
 * Fri Feb 17 2017 Tomas Hozza - 0.13-1
 - Update to stable 0.13 upstream release
 - Dropped merged patches
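Review bot: The new `#if OPENSSL_VERSION_NUMBER < 0x10100000` guards in cfg.c, net_help.c and svr.c compile out the only protocol-version restriction these three SSL_CTX setups apply, so when built against OpenSSL 1.1.0 or later the client and server contexts are left at library defaults and nothing in this patch excludes SSLv3 (whether SSLv3 is actually usable then depends on how the library was built, which the hunk cannot show). The original check broke on 1.1.0 because `SSL_OP_NO_SSLv2` is retained there only for compatibility with a zero value, so `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2` can never be non-zero; rather than dropping the block, an `#else` branch could set an explicit floor with `SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION)`, and the pre-1.1.0 branch could add `SSL_OP_NO_SSLv3` to the options mask, with the same treatment for `s->ctx` in svr.c. Since this file is a verbatim import of upstream commit 2fcc4bce (linked from the spec), such hardening would belong upstream as well rather than only in this downstream patch. The enclosing functions in all three inner hunks begin and end outside the quoted context.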