control: tags -1 patch fixed-upstream On 2016-06-27 15:56:40 [+0200], Julien ÉLIE wrote: > I suggest to release a 2.6.0-3 Debian package containing upstream commits > 9988 and 10024. (And, while we're at it, also upstream commit 9986 that > removes TCP_NODELAY for nnrpd.) > It will normally permits INN to build against OpenSSL 1.1.0.
This is also what Redhat did except for the TCP_NODELAY thing. https://bugzilla.redhat.com/show_bug.cgi?id=1387660 Please find attached a patch against the package which includes the three patches mentioned here and was sbuild tested. Should I NMU it? Sebastian
From: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Date: Tue, 29 Nov 2016 21:10:31 +0100
Subject: [PATCH] cherry-pick patches for OpenSSL 1.1.0 support and TCP_NODELAY

Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
---
 debian/changelog | 9 +++
 debian/patches/changeset_branches_2.6_10024 | 45 ++++++++++++++
 debian/patches/changeset_branches_2.6_9986 | 82 +++++++++++++++++++++++++
 debian/patches/changeset_branches_2.6_9988 | 95 +++++++++++++++++++++++++++++
 debian/patches/series | 3 +
 debian/rules | 1 +
 6 files changed, 235 insertions(+)
 create mode 100644 debian/patches/changeset_branches_2.6_10024
 create mode 100644 debian/patches/changeset_branches_2.6_9986
 create mode 100644 debian/patches/changeset_branches_2.6_9988
diff --git a/debian/changelog b/debian/changelog
index 7985664277f2..73931da6d2af 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+inn2 (2.6.0-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Backport upstream fixes to get it built against openssl 1.1.0 and run
+ ./autogen to get configure script updated (Closes: #828351).
+ * Backport a patch to drop to drop TCP_NODELAY.
+
+ -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc> Tue, 29 Nov 2016 21:09:07 +0100
+
 inn2 (2.6.0-2) unstable; urgency=medium
 * Stop rnews from segfaulting while starting. (Closes: #809774)
diff --git a/debian/patches/changeset_branches_2.6_10024 b/debian/patches/changeset_branches_2.6_10024
new file mode 100644
index 000000000000..c0130929576e
--- /dev/null
+++ b/debian/patches/changeset_branches_2.6_10024
@@ -0,0 +1,45 @@
+Description: Fix build with OpenSSL 1.1.0 - a few X509_xxx types are now opaque
+Author: iulius
+Origin: upstream
+
+Check that the current certificate returned by
+X509_STORE_CTX_get_current_cert() is not NULL. In the switch part,
+err_cert is not NULL though because otherwise the error would have been
+different than X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT.
+
+---
+ nnrpd/tls.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/nnrpd/tls.c
++++ b/nnrpd/tls.c
+@@ -244,9 +244,13 @@ verify_callback(int ok, X509_STORE_CTX *
+ err = X509_STORE_CTX_get_error(ctx);
+ depth = X509_STORE_CTX_get_error_depth(ctx);
+
+- X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
+- if ((tls_serveractive) && (tls_loglevel >= 1))
+- Printf("Peer cert verify depth=%d %s", depth, buf);
++ if (err_cert != NULL) {
++ X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
++ if ((tls_serveractive) && (tls_loglevel >= 1)) {
++ Printf("Peer cert verify depth=%d %s", depth, buf);
++ }
++ }
++
+ if (ok==0)
+ {
+ syslog(L_NOTICE, "verify error:num=%d:%s", err,
+@@ -260,9 +264,10 @@ verify_callback(int ok, X509_STORE_CTX *
+ verify_error = X509_V_ERR_CERT_CHAIN_TOO_LONG;
+ }
+ }
+- switch (ctx->error) {
++
++ switch (err) {
+ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+- X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, sizeof(buf));
++ X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, sizeof(buf));
+ syslog(L_NOTICE, "issuer= %s", buf);
+ break;
+ case X509_V_ERR_CERT_NOT_YET_VALID:
diff --git a/debian/patches/changeset_branches_2.6_9986 b/debian/patches/changeset_branches_2.6_9986
new file mode 100644
index 000000000000..bbabbebd2220
--- /dev/null
+++ b/debian/patches/changeset_branches_2.6_9986
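Review bot: The new `if (err_cert != NULL)` guard protects only the logging block; the `X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT` arm of `switch (err)` still passes `err_cert` to `X509_get_issuer_name()` unguarded, relying on the patch description's claim that the current certificate cannot be NULL for that error code. That invariant is a property of the OpenSSL verifier rather than of this file, and if it ever does not hold the `syslog(L_NOTICE, "issuer= %s", buf)` line would also print stale `buf` contents, so the cheap option is to wrap both lines: `if (err_cert != NULL) { X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, sizeof(buf)); syslog(L_NOTICE, "issuer= %s", buf); }`. Otherwise a one-line comment stating the invariant, `/* err_cert is non-NULL here: this error code implies a current cert. */`, keeps the next maintainer from re-asking. The `verify_callback` body begins and ends outside this hunk, so the assignment of `err_cert` is not visible here.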
@@ -0,0 +1,82 @@
+Description: nnrpd: keep TCP_NODELAY only for BSD/OS systems
+Author: iulius
+Origin: upstream
+
+Fixed slow nnrpd responses for a few NNTP commands. The TCP_NODELAY
+option was unconditionally set whereas only BSD/OS systems needed it.
+Modern networking stacks do not need such tweaks.
+
+Thanks to Christian Mock for having discovered that.
+
+---
+ configure.ac | 6 ++++++
+ doc/pod/news.pod | 6 ++++++
+ nnrpd/nnrpd.c | 11 ++++++++---
+ 3 files changed, 20 insertions(+), 3 deletions(-)
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -203,6 +203,12 @@ dnl (like asprintf) that we use.
+ [Define if compiling on Linux to get prototypes for some functions.])
+ ;;
+
++dnl Detect BSD/OS for later use in nnrpd code.
++*-bsdi*)
++ AC_DEFINE([INN_BSDI_HOST], [1],
++ [Define if compiling on BSD/OS systems.])
++ ;;
++
+ dnl HP-UX's native compiler needs a special flag to turn on ANSI, and needs
+ dnl -g on link as well as compile for debugging to work.
+ *hpux*)
+--- a/doc/pod/news.pod
++++ b/doc/pod/news.pod
+@@ -4,6 +4,12 @@
+
+ =item *
+
++Fixed slow B<nnrpd> responses for a few NNTP commands. The TCP_NODELAY
++option was unconditionally set whereas only BSD/OS systems needed it.
++Thanks to Christian Mock for having discovered that.
++
++=item *
++
+ When an encryption layer is negotiated after a successful use of the
+ STARTTLS command, or after a successful authentication using a SASL
+ mechanism which negotiates an encrypted layer, B<nnrpd> now updates
+--- a/nnrpd/nnrpd.c
++++ b/nnrpd/nnrpd.c
+@@ -13,7 +13,9 @@
+ #include "portable/socket.h"
+ #include <netdb.h>
+ #include <signal.h>
+-#include <netinet/tcp.h>
++#if defined(INN_BSDI_HOST)
++# include <netinet/tcp.h>
++#endif
+
+ #if HAVE_GETSPNAM
+ # include <shadow.h>
+@@ -543,7 +545,6 @@ StartConnection(unsigned short port)
+ struct sockaddr *sas = (struct sockaddr *) &sss;
+ socklen_t length;
+ size_t size;
+- int nodelay = 1;
+
+ memset(&Client, 0, sizeof(Client));
+ strlcpy(Client.host, "?", sizeof(Client.host));
+@@ -612,9 +613,13 @@ StartConnection(unsigned short port)
+ Client.serverport = network_sockaddr_port(sas);
+ }
+
++#if defined(INN_BSDI_HOST)
+ /* Setting TCP_NODELAY to nnrpd fixes a problem of slow downloading
+- * of overviews and slow answers on some architectures (like BSD/OS). */
++ * of overviews and slow answers on some architectures (like BSD/OS
++ where TCP delayed acknowledgements are enabled). */
++ int nodelay = 1;
+ setsockopt(STDIN_FILENO, IPPROTO_TCP, TCP_NODELAY, &nodelay, sizeof(nodelay));
++#endif
+
+ notice("%s (%s) connect - port %u", Client.host, Client.ip, port);
+
diff --git a/debian/patches/changeset_branches_2.6_9988 b/debian/patches/changeset_branches_2.6_9988
new file mode 100644
index 000000000000..058688d6f8a9
--- /dev/null
+++ b/debian/patches/changeset_branches_2.6_9988
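Review bot: `int nodelay = 1;` is now declared after executable statements inside the `#if defined(INN_BSDI_HOST)` block in `StartConnection`, which is a C99 mixed declaration; the only platform that compiles this path is BSD/OS, and whether its toolchain accepts that cannot be seen from here, so keeping the declaration at the top of the block under the same `#if` is the safer shape. The `setsockopt()` result is still discarded, so a failed TCP_NODELAY remains silent; `if (setsockopt(STDIN_FILENO, IPPROTO_TCP, TCP_NODELAY, &nodelay, sizeof(nodelay)) < 0) syswarn("cannot set TCP_NODELAY");` (using the messages API, if `syswarn` is what this file already uses alongside `notice`) would record it. Making `<netinet/tcp.h>` conditional is consistent with the guarded use, so nothing else in the file should need it. `StartConnection` begins and ends outside this hunk.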
@@ -0,0 +1,95 @@
+Description: Add support for OpenSSL 1.1.0
+Author: iulius
+Origin: upstream
+
+---
+ doc/pod/news.pod | 4 ++++
+ m4/openssl.m4 | 5 +++--
+ nnrpd/tls.c | 14 ++++++++++++--
+ nnrpd/tls.h | 4 ++++
+ 4 files changed, 23 insertions(+), 4 deletions(-)
+
+--- a/doc/pod/news.pod
++++ b/doc/pod/news.pod
+@@ -10,6 +10,10 @@ Thanks to Christian Mock for having disc
+
+ =item *
+
++S<OpenSSL 1.1.0> support has been added to INN.
++
++=item *
++
+ When an encryption layer is negotiated after a successful use of the
+ STARTTLS command, or after a successful authentication using a SASL
+ mechanism which negotiates an encrypted layer, B<nnrpd> now updates
+--- a/m4/openssl.m4
++++ b/m4/openssl.m4
+@@ -28,6 +28,7 @@ dnl The canonical version of this file i
+ dnl package, available at <http://www.eyrie.org/~eagle/software/rra-c-util/>.
+ dnl
+ dnl Written by Russ Allbery <ea...@eyrie.org>
++dnl Copyright 2016 Russ Allbery <ea...@eyrie.org>
+ dnl Copyright 2010, 2013
+ dnl The Board of Trustees of the Leland Stanford Junior University
+ dnl
+@@ -71,10 +72,10 @@ AC_DEFUN([_INN_LIB_OPENSSL_INTERNAL],
+ [AC_MSG_ERROR([cannot find usable OpenSSL crypto library])])],
+ [$inn_openssl_extra])
+ AS_IF([test x"$inn_reduced_depends" = xtrue],
+- [AC_CHECK_LIB([ssl], [SSL_library_init], [OPENSSL_LIBS=-lssl],
++ [AC_CHECK_LIB([ssl], [SSL_accept], [OPENSSL_LIBS=-lssl],
+ [AS_IF([test x"$1" = xtrue],
+ [AC_MSG_ERROR([cannot find usable OpenSSL library])])])],
+- [AC_CHECK_LIB([ssl], [SSL_library_init],
++ [AC_CHECK_LIB([ssl], [SSL_accept],
+ [OPENSSL_LIBS="-lssl $CRYPTO_LIBS"],
+ [AS_IF([test x"$1" = xtrue],
+ [AC_MSG_ERROR([cannot find usable OpenSSL library])])],
+--- a/nnrpd/tls.c
++++ b/nnrpd/tls.c
+@@ -216,7 +216,10 @@ tmp_dh_cb(SSL *s UNUSED, int export UNUS
+ default:
+ /* We should check current keylength vs. requested keylength
+ * also, this is an extremely expensive operation! */
+- dh = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
++ dh = DH_new();
++ if (dh != NULL) {
++ DH_generate_parameters_ex(dh, keylength, DH_GENERATOR_2, NULL);
++ }
+ r = dh;
+ }
+
+@@ -492,10 +495,17 @@ tls_init_serverengine(int verifydepth, i
+ if (tls_loglevel >= 2)
+ Printf("starting TLS engine");
+
++/* New functions have been introduced in OpenSSL 1.1.0. */
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ SSL_load_error_strings();
+ SSLeay_add_ssl_algorithms();
+-
+ CTX = SSL_CTX_new(SSLv23_server_method());
++#else
++ OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS
++ | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
++ CTX = SSL_CTX_new(TLS_server_method());
++#endif
++
+ if (CTX == NULL) {
+ return (-1);
+ };
+--- a/nnrpd/tls.h
++++ b/nnrpd/tls.h
+@@ -22,8 +22,12 @@
+ #ifndef TLS_H
+ #define TLS_H
+
++/* Comment out to avoid the use of deprecated interfaces. */
++/* #define OPENSSL_API_COMPAT 0x10100000L */
++
+ #include <openssl/lhash.h>
+ #include <openssl/bn.h>
++#include <openssl/dh.h>
+ #include <openssl/err.h>
+ #include <openssl/pem.h>
+ #include <openssl/rand.h>
diff --git a/debian/patches/series b/debian/patches/series
index d083a3f82309..b54f237d5cb7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,6 +4,9 @@ changeset_branches_2.6_9968
 changeset_branches_2.6_9969
 changeset_branches_2.6_9970
 changeset_branches_2.6_9976
+changeset_branches_2.6_9986
+changeset_branches_2.6_9988
+changeset_branches_2.6_10024
 # waiting to be merged upstream
diff --git a/debian/rules b/debian/rules
index ec95cb1f6fb3..e7465f4a22ec 100755
--- a/debian/rules
+++ b/debian/rules
@@ -71,6 +71,7 @@ endif
 configure: $(addprefix .stamp-configure-, $(FLAVORS))
 .stamp-configure-%:
 dh_testdir
+ ./autogen
 mkdir -p $B
 for dir in $(src_files); do cp -ldpR $$dir $B; done
 cd $B && \
-- 2.10.2
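Review bot: The return value of `DH_generate_parameters_ex()` in the `tmp_dh_cb` hunk is ignored, so when parameter generation fails a `DH` object with no parameters is still handed back through `r = dh`, whereas the replaced `DH_generate_parameters()` call returned NULL on failure and the callback's caller presumably treats NULL as "no temporary DH". Checking the result and freeing the object restores that behaviour; the rewritten lines are below. A second point in the `tls_init_serverengine` hunk: `TLS_server_method()` accepts every protocol version the library was built with, just as `SSLv23_server_method()` did, and the new `#else` branch sets no floor; `SSL_CTX_set_min_proto_version(CTX, TLS1_VERSION)` right after `SSL_CTX_new()` would make the minimum explicit, unless an options/ciphers call later in the function already does this. Both `tmp_dh_cb` and `tls_init_serverengine` begin and end outside this hunk.
```c
            dh = DH_new();
            if (dh != NULL
                && !DH_generate_parameters_ex(dh, keylength, DH_GENERATOR_2, NULL)) {
                /* Generation failed: do not return a DH with no parameters. */
                DH_free(dh);
                dh = NULL;
            }
            r = dh;
```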
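Review bot: `./autogen` is added to the `.stamp-configure-%` recipe to regenerate `configure` for the backported `m4/openssl.m4` change, but the diffstat lists no `debian/control`, so the autoconf tooling that `autogen` invokes must already be in Build-Depends for this to work in a clean chroot; the cover mail says the package was sbuild-tested, which suggests it is, but the dependency is not verifiable from this diff. The recipe is also pattern-matched per flavor, so `autogen` runs once for every entry in `$(FLAVORS)` from the same source tree; that is fine if it is idempotent, and a short comment such as `# regenerate configure: m4/openssl.m4 changed in the backported patches` above the new line would record why the extra step exists.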