control: tags -1 patch fixed-upstream

On 2016-06-27 15:56:40 [+0200], Julien ÉLIE wrote:
> I suggest to release a 2.6.0-3 Debian package containing upstream commits
> 9988 and 10024.  (And, while we're at it, also upstream commit 9986 that
> removes TCP_NODELAY for nnrpd.)
> It will normally permit INN to build against OpenSSL 1.1.0.

This is also what Redhat did except for the TCP_NODELAY thing.
  https://bugzilla.redhat.com/show_bug.cgi?id=1387660

Please find attached a patch against the package which includes the
three patches mentioned here and was sbuild tested.
Should I NMU it?

Sebastian
From: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Date: Tue, 29 Nov 2016 21:10:31 +0100
Subject: [PATCH] cherry-pick patches for OpenSSL 1.1.0 support and TCP_NODELAY

Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
---
 debian/changelog                            |  9 +++
 debian/patches/changeset_branches_2.6_10024 | 45 ++++++++++++++
 debian/patches/changeset_branches_2.6_9986  | 82 +++++++++++++++++++++++++
 debian/patches/changeset_branches_2.6_9988  | 95 +++++++++++++++++++++++++++++
 debian/patches/series                       |  3 +
 debian/rules                                |  1 +
 6 files changed, 235 insertions(+)
 create mode 100644 debian/patches/changeset_branches_2.6_10024
 create mode 100644 debian/patches/changeset_branches_2.6_9986
 create mode 100644 debian/patches/changeset_branches_2.6_9988

diff --git a/debian/changelog b/debian/changelog
index 7985664277f2..73931da6d2af 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+inn2 (2.6.0-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Backport upstream fixes to get it built against openssl 1.1.0 and run
+    ./autogen to get configure script updated (Closes: #828351).
+  * Backport a patch to drop to drop TCP_NODELAY.
+
+ -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc>  Tue, 29 Nov 2016 21:09:07 +0100
+
 inn2 (2.6.0-2) unstable; urgency=medium
 
   * Stop rnews from segfaulting while starting. (Closes: #809774)
diff --git a/debian/patches/changeset_branches_2.6_10024 b/debian/patches/changeset_branches_2.6_10024
new file mode 100644
index 000000000000..c0130929576e
--- /dev/null
+++ b/debian/patches/changeset_branches_2.6_10024
@@ -0,0 +1,45 @@
+Description: Fix build with OpenSSL 1.1.0 - a few X509_xxx types are now opaque
+Author: iulius
+Origin: upstream
+
+Check that the current certificate returned by
+X509_STORE_CTX_get_current_cert() is not NULL.  In the switch part,
+err_cert is not NULL though because otherwise the error would have been
+different than X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT.
+
+---
+ nnrpd/tls.c |   15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/nnrpd/tls.c
++++ b/nnrpd/tls.c
+@@ -244,9 +244,13 @@ verify_callback(int ok, X509_STORE_CTX *
+     err = X509_STORE_CTX_get_error(ctx);
+     depth = X509_STORE_CTX_get_error_depth(ctx);
+ 
+-    X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
+-    if ((tls_serveractive) && (tls_loglevel >= 1))
+-      Printf("Peer cert verify depth=%d %s", depth, buf);
++    if (err_cert != NULL) {
++        X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
++        if ((tls_serveractive) && (tls_loglevel >= 1)) {
++            Printf("Peer cert verify depth=%d %s", depth, buf);
++        }
++    }
++    
+     if (ok==0)
+     {
+       syslog(L_NOTICE, "verify error:num=%d:%s", err,
+@@ -260,9 +264,10 @@ verify_callback(int ok, X509_STORE_CTX *
+ 	    verify_error = X509_V_ERR_CERT_CHAIN_TOO_LONG;
+ 	}
+     }
+-    switch (ctx->error) {
++
++    switch (err) {
+     case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+-	X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, sizeof(buf));
++	X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, sizeof(buf));
+ 	syslog(L_NOTICE, "issuer= %s", buf);
+ 	break;
+     case X509_V_ERR_CERT_NOT_YET_VALID:
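Review bot: The `X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT` case at `X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, sizeof(buf));` dereferences err_cert without the NULL guard the same patch adds a few lines earlier, relying only on the patch header's claim that OpenSSL never reports this error with a NULL current certificate. Since verify_callback runs for every certificate a peer presents during the handshake, a cheap guard avoids depending on that library invariant: `if (err_cert == NULL) break;` as the first statement of the case, or wrapping the two lines in `if (err_cert != NULL) { ... }`. The blank line added after the new `if` block carries trailing whitespace (`++    `). verify_callback starts and ends outside this hunk.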
diff --git a/debian/patches/changeset_branches_2.6_9986 b/debian/patches/changeset_branches_2.6_9986
new file mode 100644
index 000000000000..bbabbebd2220
--- /dev/null
+++ b/debian/patches/changeset_branches_2.6_9986
@@ -0,0 +1,82 @@
+Description: nnrpd:  keep TCP_NODELAY only for BSD/OS systems
+Author: iulius
+Origin: upstream
+
+Fixed slow nnrpd responses for a few NNTP commands.  The TCP_NODELAY
+option was unconditionally set whereas only BSD/OS systems needed it.
+Modern networking stacks do not need such tweaks.
+
+Thanks to Christian Mock for having discovered that.
+
+---
+ configure.ac     |    6 ++++++
+ doc/pod/news.pod |    6 ++++++
+ nnrpd/nnrpd.c    |   11 ++++++++---
+ 3 files changed, 20 insertions(+), 3 deletions(-)
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -203,6 +203,12 @@ dnl (like asprintf) that we use.
+         [Define if compiling on Linux to get prototypes for some functions.])
+     ;;
+ 
++dnl Detect BSD/OS for later use in nnrpd code.
++*-bsdi*)
++    AC_DEFINE([INN_BSDI_HOST], [1],
++        [Define if compiling on BSD/OS systems.])
++    ;;
++
+ dnl HP-UX's native compiler needs a special flag to turn on ANSI, and needs
+ dnl -g on link as well as compile for debugging to work.
+ *hpux*)
+--- a/doc/pod/news.pod
++++ b/doc/pod/news.pod
+@@ -4,6 +4,12 @@
+ 
+ =item *
+ 
++Fixed slow B<nnrpd> responses for a few NNTP commands.  The TCP_NODELAY
++option was unconditionally set whereas only BSD/OS systems needed it.
++Thanks to Christian Mock for having discovered that.
++
++=item *
++
+ When an encryption layer is negotiated after a successful use of the
+ STARTTLS command, or after a successful authentication using a SASL
+ mechanism which negotiates an encrypted layer, B<nnrpd> now updates
+--- a/nnrpd/nnrpd.c
++++ b/nnrpd/nnrpd.c
+@@ -13,7 +13,9 @@
+ #include "portable/socket.h"
+ #include <netdb.h>
+ #include <signal.h>
+-#include <netinet/tcp.h>
++#if defined(INN_BSDI_HOST)
++# include <netinet/tcp.h>
++#endif
+ 
+ #if HAVE_GETSPNAM
+ # include <shadow.h>
+@@ -543,7 +545,6 @@ StartConnection(unsigned short port)
+     struct sockaddr *sas = (struct sockaddr *) &sss;
+     socklen_t length;
+     size_t size;
+-    int nodelay = 1;
+ 
+     memset(&Client, 0, sizeof(Client));
+     strlcpy(Client.host, "?", sizeof(Client.host));
+@@ -612,9 +613,13 @@ StartConnection(unsigned short port)
+         Client.serverport = network_sockaddr_port(sas);
+     }
+ 
++#if defined(INN_BSDI_HOST)
+     /* Setting TCP_NODELAY to nnrpd fixes a problem of slow downloading
+-     * of overviews and slow answers on some architectures (like BSD/OS). */
++     * of overviews and slow answers on some architectures (like BSD/OS
++     * where TCP delayed acknowledgements are enabled). */
++    int nodelay = 1;
+     setsockopt(STDIN_FILENO, IPPROTO_TCP, TCP_NODELAY, &nodelay, sizeof(nodelay));
++#endif
+ 
+     notice("%s (%s) connect - port %u", Client.host, Client.ip, port);
+ 
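Review bot: The new `int nodelay = 1;` is a declaration placed after statements in StartConnection, so the file now depends on C99 mixed declarations where the removed top-of-function declaration did not; the configure.ac hunk in the same patch mentions HP-UX's native compiler needing a flag for ANSI, so it is worth confirming the build flags permit this on all targets. Keeping the original declaration at the top of the function and wrapping it in the same guard would stay C89-clean: `#if defined(INN_BSDI_HOST)` / `    int nodelay = 1;` / `#endif`. The setsockopt return value remains unchecked, which predates this patch. StartConnection starts and ends outside these hunks.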
diff --git a/debian/patches/changeset_branches_2.6_9988 b/debian/patches/changeset_branches_2.6_9988
new file mode 100644
index 000000000000..058688d6f8a9
--- /dev/null
+++ b/debian/patches/changeset_branches_2.6_9988
@@ -0,0 +1,95 @@
+Description: Add support for OpenSSL 1.1.0
+Author: iulius
+Origin: upstream
+
+---
+ doc/pod/news.pod |    4 ++++
+ m4/openssl.m4    |    5 +++--
+ nnrpd/tls.c      |   14 ++++++++++++--
+ nnrpd/tls.h      |    4 ++++
+ 4 files changed, 23 insertions(+), 4 deletions(-)
+
+--- a/doc/pod/news.pod
++++ b/doc/pod/news.pod
+@@ -10,6 +10,10 @@ Thanks to Christian Mock for having disc
+ 
+ =item *
+ 
++S<OpenSSL 1.1.0> support has been added to INN.
++
++=item *
++
+ When an encryption layer is negotiated after a successful use of the
+ STARTTLS command, or after a successful authentication using a SASL
+ mechanism which negotiates an encrypted layer, B<nnrpd> now updates
+--- a/m4/openssl.m4
++++ b/m4/openssl.m4
+@@ -28,6 +28,7 @@ dnl The canonical version of this file i
+ dnl package, available at <http://www.eyrie.org/~eagle/software/rra-c-util/>.
+ dnl
+ dnl Written by Russ Allbery <ea...@eyrie.org>
++dnl Copyright 2016 Russ Allbery <ea...@eyrie.org>
+ dnl Copyright 2010, 2013
+ dnl     The Board of Trustees of the Leland Stanford Junior University
+ dnl
+@@ -71,10 +72,10 @@ AC_DEFUN([_INN_LIB_OPENSSL_INTERNAL],
+         [AC_MSG_ERROR([cannot find usable OpenSSL crypto library])])],
+     [$inn_openssl_extra])
+  AS_IF([test x"$inn_reduced_depends" = xtrue],
+-    [AC_CHECK_LIB([ssl], [SSL_library_init], [OPENSSL_LIBS=-lssl],
++    [AC_CHECK_LIB([ssl], [SSL_accept], [OPENSSL_LIBS=-lssl],
+         [AS_IF([test x"$1" = xtrue],
+             [AC_MSG_ERROR([cannot find usable OpenSSL library])])])],
+-    [AC_CHECK_LIB([ssl], [SSL_library_init],
++    [AC_CHECK_LIB([ssl], [SSL_accept],
+         [OPENSSL_LIBS="-lssl $CRYPTO_LIBS"],
+         [AS_IF([test x"$1" = xtrue],
+             [AC_MSG_ERROR([cannot find usable OpenSSL library])])],
+--- a/nnrpd/tls.c
++++ b/nnrpd/tls.c
+@@ -216,7 +216,10 @@ tmp_dh_cb(SSL *s UNUSED, int export UNUS
+ 	default:
+ 		/* We should check current keylength vs. requested keylength
+ 		 * also, this is an extremely expensive operation! */
+-		dh = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
++                dh = DH_new();
++                if (dh != NULL) {
++                    DH_generate_parameters_ex(dh, keylength, DH_GENERATOR_2, NULL);
++                }
+ 		r = dh;
+ 	}
+ 
+@@ -492,10 +495,17 @@ tls_init_serverengine(int verifydepth, i
+     if (tls_loglevel >= 2)
+       Printf("starting TLS engine");
+ 
++/* New functions have been introduced in OpenSSL 1.1.0. */
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+     SSL_load_error_strings();
+     SSLeay_add_ssl_algorithms();
+-
+     CTX = SSL_CTX_new(SSLv23_server_method());
++#else
++    OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS
++                     | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
++    CTX = SSL_CTX_new(TLS_server_method());
++#endif
++
+     if (CTX == NULL) {
+       return (-1);
+     };
+--- a/nnrpd/tls.h
++++ b/nnrpd/tls.h
+@@ -22,8 +22,12 @@
+ #ifndef TLS_H
+ #define TLS_H
+ 
++/* Comment out to avoid the use of deprecated interfaces. */
++/* #define OPENSSL_API_COMPAT 0x10100000L */
++
+ #include <openssl/lhash.h>
+ #include <openssl/bn.h>
++#include <openssl/dh.h>
+ #include <openssl/err.h>
+ #include <openssl/pem.h>
+ #include <openssl/rand.h>
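Review bot: `DH_generate_parameters_ex(dh, keylength, DH_GENERATOR_2, NULL);` in tmp_dh_cb ignores its return value, so when parameter generation fails the callback now hands OpenSSL a DH object with no parameters through `r = dh;`, whereas the replaced `DH_generate_parameters()` call returned NULL on failure. Checking the result and releasing the object restores the original failure behaviour. The new lines are also space-indented where the surrounding code uses tabs. tmp_dh_cb starts and ends outside the hunk.
```c
		/* … unchanged: keylength switch cases above … */
		dh = DH_new();
		if (dh != NULL
		    && DH_generate_parameters_ex(dh, keylength, DH_GENERATOR_2, NULL) != 1) {
			DH_free(dh);
			dh = NULL;
		}
		r = dh;
```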
diff --git a/debian/patches/series b/debian/patches/series
index d083a3f82309..b54f237d5cb7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,6 +4,9 @@ changeset_branches_2.6_9968
 changeset_branches_2.6_9969
 changeset_branches_2.6_9970
 changeset_branches_2.6_9976
+changeset_branches_2.6_9986
+changeset_branches_2.6_9988
+changeset_branches_2.6_10024
 
 # waiting to be merged upstream
 
diff --git a/debian/rules b/debian/rules
index ec95cb1f6fb3..e7465f4a22ec 100755
--- a/debian/rules
+++ b/debian/rules
@@ -71,6 +71,7 @@ endif
 configure: $(addprefix .stamp-configure-, $(FLAVORS))
 .stamp-configure-%:
 	dh_testdir
+	./autogen
 	mkdir -p $B
 	for dir in $(src_files); do cp -ldpR $$dir $B; done
 	cd $B && \
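Review bot: `./autogen` now runs unconditionally in the `.stamp-configure-%` recipe, but the diffstat lists no change to debian/control, so the autoconf tooling it requires must already be in Build-Depends for the sbuild result to be reproducible rather than dependent on what happened to be installed in the chroot. The regenerated configure script will differ from the one in the upstream tarball, so the clean target should remove it (or the source format should ignore it) to keep the generated file out of the source package. A short comment above the call, `# regenerate configure so the m4/openssl.m4 and configure.ac changes take effect`, would record why the step is needed.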
-- 
2.10.2
