Control: tags 851085 + patch Control: tags 851085 + pending Dear maintainer,
I've prepared an NMU for conserver (versioned as 8.2.1-1.1) and I am about to upload (RC bug with no feedback, RM bug filed). Regards. Sebastian
diff -u conserver-8.2.1/configure conserver-8.2.1/configure --- conserver-8.2.1/configure +++ conserver-8.2.1/configure @@ -5249,7 +5249,7 @@ int main () { -SSL_library_init() +SSL_CTX_new(NULL) ; return 0; } diff -u conserver-8.2.1/debian/changelog conserver-8.2.1/debian/changelog --- conserver-8.2.1/debian/changelog +++ conserver-8.2.1/debian/changelog @@ -1,3 +1,11 @@ +conserver (8.2.1-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * cherry-pick a handfull patches from upstream for OpenSSL 1.1 compatibility + (Closes: #851085). + + -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc> Tue, 19 Feb 2019 23:50:54 +0100 + conserver (8.2.1-1) unstable; urgency=medium * new upstream version diff -u conserver-8.2.1/debian/control conserver-8.2.1/debian/control --- conserver-8.2.1/debian/control +++ conserver-8.2.1/debian/control @@ -2,7 +2,7 @@ Section: non-free/comm Priority: optional Maintainer: Jörgen Hägg <j...@debian.org> -Build-Depends: debhelper (>= 7.0.50), po-debconf, libpam0g-dev, libwrap0-dev, libssl1.0-dev +Build-Depends: debhelper (>= 7.0.50), po-debconf, libpam0g-dev, libwrap0-dev, libssl-dev Standards-Version: 3.9.8 XS-Autobuild: yes Homepage: http://www.conserver.com/ only in patch2: unchanged: --- conserver-8.2.1.orig/configure.in +++ conserver-8.2.1/configure.in @@ -535,7 +535,7 @@ [LIBS="$LIBS -lssl -lcrypto" AC_MSG_CHECKING(for openssl libraries -lssl and -lcrypto) AC_TRY_LINK([#include <openssl/ssl.h> - ],[SSL_library_init()], + ],[SSL_CTX_new(NULL)], [AC_MSG_RESULT(yes) cons_with_openssl="YES" AC_DEFINE(HAVE_OPENSSL) only in patch2: unchanged: --- conserver-8.2.1.orig/conserver/cutil.c +++ conserver-8.2.1/conserver/cutil.c @@ -59,7 +59,9 @@ { DestroyDataStructures(); #if HAVE_OPENSSL +# if OPENSSL_VERSION_NUMBER < 0x10100000L ERR_free_strings(); +# endif #endif exit(status); } only in patch2: unchanged: --- conserver-8.2.1.orig/conserver/cutil.h +++ conserver-8.2.1/conserver/cutil.h 
@@ -9,7 +9,15 @@ #include <stdarg.h> #if HAVE_OPENSSL # include <openssl/ssl.h> +# include <openssl/bn.h> +# include <openssl/dh.h> # include <openssl/err.h> +# if OPENSSL_VERSION_NUMBER < 0x10100000L +# define TLS_method SSLv23_method +# define CIPHER_SEC0 +# else +# define CIPHER_SEC0 ":@SECLEVEL=0" +# endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ #endif #if HAVE_GSSAPI # include <gssapi/gssapi.h> only in patch2: unchanged: --- conserver-8.2.1.orig/conserver/main.c +++ conserver-8.2.1/conserver/main.c @@ -86,12 +86,74 @@ #endif #if HAVE_OPENSSL +#if OPENSSL_VERSION_NUMBER < 0x10100000L +int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) +{ + /* If the fields p and g in d are NULL, the corresponding input + * parameters MUST be non-NULL. q may remain NULL. + */ + if ((dh->p == NULL && p == NULL) + || (dh->g == NULL && g == NULL)) + return 0; + + if (p != NULL) { + BN_free(dh->p); + dh->p = p; + } + if (q != NULL) { + BN_free(dh->q); + dh->q = q; + } + if (g != NULL) { + BN_free(dh->g); + dh->g = g; + } + + if (q != NULL) { + dh->length = BN_num_bits(q); + } + + return 1; +} +#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ + SSL_CTX *ctx = (SSL_CTX *)0; DH *dh512 = (DH *)0; DH *dh1024 = (DH *)0; DH *dh2048 = (DH *)0; DH *dh4096 = (DH *)0; +DH * +DHFromArray(unsigned char *dh_p, size_t dh_p_size, unsigned char *dh_g, size_t dh_g_size) { + DH *dh; + BIGNUM *p, *g; + + p = BN_bin2bn(dh_p, dh_p_size, NULL); + if (p == NULL) { + return (NULL); + } + + g = BN_bin2bn(dh_g, dh_g_size, NULL); + if (g == NULL) { + BN_free(g); + return (NULL); + } + + if ((dh = DH_new()) == NULL) { + BN_free(p); + BN_free(g); + return (NULL); + } + + if (!DH_set0_pqg(dh, p, NULL, g)) { + BN_free(p); + BN_free(g); + DH_free(dh); + return (NULL); + } + + return (dh); +} DH * GetDH512(void) 
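Review bot: In the added `DHFromArray` (main.c hunk `@@ -86,12 +86,74 @@`), the `g == NULL` branch calls `BN_free(g)` on a pointer that is already NULL and returns without releasing `p`, so the BIGNUM holding the prime leaks whenever the second `BN_bin2bn` fails. That branch should call `BN_free(p);` before `return (NULL);`. This is what 0002-don-t-leak-in-the-error-case.patch had arrived at; the `DHFromArray` hunk of 0003-openssl-1.1-1.0-support.patch in this same upload turns the line back into `BN_free(g)`, which looks unintended. The `DH_set0_pqg` failure path further down is fine as written, because the compat shim returns 0 before it stores either pointer.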
@@ -108,17 +170,8 @@ static unsigned char dh512_g[] = { 0x02, }; - DH *dh; - if ((dh = DH_new()) == NULL) - return (NULL); - dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL); - dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL); - if ((dh->p == NULL) || (dh->g == NULL)) { - DH_free(dh); - return (NULL); - } - return (dh); + return DHFromArray(dh512_p, sizeof(dh512_p), dh512_g, sizeof(dh512_g)); } DH * @@ -142,17 +195,8 @@ static unsigned char dh1024_g[] = { 0x02, }; - DH *dh; - if ((dh = DH_new()) == NULL) - return (NULL); - dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL); - dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL); - if ((dh->p == NULL) || (dh->g == NULL)) { - DH_free(dh); - return (NULL); - } - return (dh); + return DHFromArray(dh1024_p, sizeof(dh1024_p), dh1024_g, sizeof(dh1024_g)); } DH * @@ -189,17 +233,8 @@ static unsigned char dh2048_g[] = { 0x02, }; - DH *dh; - if ((dh = DH_new()) == NULL) - return (NULL); - dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL); - dh->g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL); - if ((dh->p == NULL) || (dh->g == NULL)) { - DH_free(dh); - return (NULL); - } - return (dh); + return DHFromArray(dh2048_p, sizeof(dh2048_p), dh2048_g, sizeof(dh2048_g)); } DH * @@ -262,17 +297,8 @@ static unsigned char dh4096_g[] = { 0x02, }; - DH *dh; - if ((dh = DH_new()) == NULL) - return (NULL); - dh->p = BN_bin2bn(dh4096_p, sizeof(dh4096_p), NULL); - dh->g = BN_bin2bn(dh4096_g, sizeof(dh4096_g), NULL); - if ((dh->p == NULL) || (dh->g == NULL)) { - DH_free(dh); - return (NULL); - } - return (dh); + return DHFromArray(dh4096_p, sizeof(dh4096_p), dh4096_g, sizeof(dh4096_g)); } DH * 
@@ -306,12 +332,14 @@ if (ctx == (SSL_CTX *)0) { char *ciphers; int verifymode; +#if OPENSSL_VERSION_NUMBER < 0x10100000L SSL_load_error_strings(); if (!SSL_library_init()) { Error("SetupSSL(): SSL_library_init() failed"); Bye(EX_SOFTWARE); } - if ((ctx = SSL_CTX_new(SSLv23_method())) == (SSL_CTX *)0) { +#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ + if ((ctx = SSL_CTX_new(TLS_method())) == (SSL_CTX *)0) { Error("SetupSSL(): SSL_CTX_new() failed"); Bye(EX_SOFTWARE); } @@ -337,7 +365,7 @@ } ciphers = "ALL:!LOW:!EXP:!MD5:!aNULL:@STRENGTH"; } else { - ciphers = "ALL:!LOW:!EXP:!MD5:@STRENGTH"; + ciphers = "ALL:aNULL:!LOW:!EXP:!MD5:@STRENGTH" CIPHER_SEC0; } if (config->sslcacertificatefile != (char *)0) { STACK_OF(X509_NAME) * cert_names; only in patch2: unchanged: --- conserver-8.2.1.orig/console/console.c +++ conserver-8.2.1/console/console.c @@ -36,8 +36,6 @@ #include <readconf.h> #include <version.h> #if HAVE_OPENSSL -# include <openssl/ssl.h> -# include <openssl/err.h> # include <openssl/opensslv.h> #endif #if HAVE_GSSAPI @@ -78,12 +76,14 @@ { if (ctx == (SSL_CTX *)0) { char *ciphers; +#if OPENSSL_VERSION_NUMBER < 0x10100000L SSL_load_error_strings(); if (!SSL_library_init()) { Error("SSL library initialization failed"); Bye(EX_UNAVAILABLE); } - if ((ctx = SSL_CTX_new(SSLv23_method())) == (SSL_CTX *)0) { +#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ + if ((ctx = SSL_CTX_new(TLS_method())) == (SSL_CTX *)0) { Error("Creating SSL context failed"); Bye(EX_UNAVAILABLE); } 
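Review bot: The no-certificate branch of the server's `SetupSSL` (main.c hunk `@@ -337,7 +365,7 @@`) now requests `ALL:aNULL:...` followed by `CIPHER_SEC0`, which the cutil.h hunk defines as `:@SECLEVEL=0` on OpenSSL 1.1; this permits unauthenticated key exchange and turns off the library's minimum-strength checks for the whole context, yet nothing in the code says so or tells the operator. The 0003 commit message itself calls this "dangerously insecure", so at minimum the line deserves a comment such as `/* no certificate configured: anonymous suites at security level 0, encrypted but unauthenticated, exposed to an active man-in-the-middle */` and a one-time warning, for instance through the `Error()` helper this function already uses. Making the fallback an explicit opt-in in the configuration, rather than the default whenever no certificate is set, would be the safer design. The same cipher string is added in the console.c hunk `@@ -123,7 +123,7 @@`. SetupSSL starts and ends outside these hunks.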
@@ -123,7 +123,7 @@ # if defined(REQ_SERVER_CERT) ciphers = "ALL:!LOW:!EXP:!MD5:!aNULL:@STRENGTH"; # else - ciphers = "ALL:!LOW:!EXP:!MD5:@STRENGTH"; + ciphers = "ALL:aNULL:!LOW:!EXP:!MD5:@STRENGTH" CIPHER_SEC0; # endif } SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback); only in patch2: unchanged: --- conserver-8.2.1.orig/debian/patches/0001-fix-build-with-openssl-1.1-but-all-the-tests-fail.patch +++ conserver-8.2.1/debian/patches/0001-fix-build-with-openssl-1.1-but-all-the-tests-fail.patch 
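Review bot: The context line `SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback);` directly after the changed cipher string gives a misleading impression of safety in the client: in a build without `REQ_SERVER_CERT`, if an anonymous suite is negotiated the server presents no certificate, and OpenSSL's documented client behaviour is to ignore `SSL_VERIFY_PEER` in that case. I would add a comment on the `# else` branch, e.g. `/* anonymous suites allowed here: the peer-verify setting below does not apply to them */`. Whether `SSLVerifyCallback` or later code rejects a certificate-less session cannot be seen from this hunk, so that is worth confirming; the function continues outside the hunk.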
@@ -0,0 +1,134 @@ +From 166633395d93f3900483b763350610ad4ce41073 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz <cote2004-git...@yahoo.com> +Date: Fri, 25 May 2018 16:05:57 -0300 +Subject: [PATCH 1/4] fix build with openssl 1.1, but all the tests fail + +Applying patch from @FauxFaux + +Signed-off-by: Eneas U de Queiroz <cote2004-git...@yahoo.com> +--- + conserver/main.c | 76 +++++++++++++++++++++++------------------------- + 1 file changed, 36 insertions(+), 40 deletions(-) + +diff --git a/conserver/main.c b/conserver/main.c +index cb9af46cd2ceb..c5d9ca77eb911 100644 +--- a/conserver/main.c ++++ b/conserver/main.c +@@ -92,6 +92,38 @@ DH *dh1024 = (DH *)0; + DH *dh2048 = (DH *)0; + DH *dh4096 = (DH *)0; + ++DH * ++DHFromArray(char *dh_p, size_t dh_p_size, char *dh_g, size_t dh_g_size) { ++ DH *dh; ++ BIGNUM *p, *g; ++ ++ p = BN_bin2bn(dh_p, dh_p_size, NULL); ++ if (p == NULL) { ++ BN_free(p); ++ return (NULL); ++ } ++ ++ g = BN_bin2bn(dh_g, dh_g_size, NULL); ++ if (g == NULL) { ++ BN_free(g); ++ return (NULL); ++ } ++ ++ if ((dh = DH_new()) == NULL) { ++ BN_free(p); ++ BN_free(g); ++ return (NULL); ++ } ++ ++ if (!DH_set0_pqg(dh, p, NULL, g)) { ++ BN_free(p); ++ BN_free(g); ++ DH_free(dh); ++ return (NULL); ++ } ++ ++ return (dh); ++} + + DH * + GetDH512(void) +@@ -108,17 +140,8 @@ GetDH512(void) + static unsigned char dh512_g[] = { + 0x02, + }; +- DH *dh; + +- if ((dh = DH_new()) == NULL) +- return (NULL); +- dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL); +- dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL); +- if ((dh->p == NULL) || (dh->g == NULL)) { +- DH_free(dh); +- return (NULL); +- } +- return (dh); ++ return DHFromArray(dh512_p, sizeof(dh512_p), dh512_g, sizeof(dh512_g)); + } + + DH * +@@ -142,17 +165,8 @@ GetDH1024(void) + static unsigned char dh1024_g[] = { + 0x02, + }; +- DH *dh; + +- if ((dh = DH_new()) == NULL) +- return (NULL); +- dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL); +- dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL); +- 
if ((dh->p == NULL) || (dh->g == NULL)) { +- DH_free(dh); +- return (NULL); +- } +- return (dh); ++ return DHFromArray(dh1024_p, sizeof(dh1024_p), dh1024_g, sizeof(dh1024_g)); + } + + DH * +@@ -189,17 +203,8 @@ GetDH2048(void) + static unsigned char dh2048_g[] = { + 0x02, + }; +- DH *dh; + +- if ((dh = DH_new()) == NULL) +- return (NULL); +- dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL); +- dh->g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL); +- if ((dh->p == NULL) || (dh->g == NULL)) { +- DH_free(dh); +- return (NULL); +- } +- return (dh); ++ return DHFromArray(dh2048_p, sizeof(dh2048_p), dh2048_g, sizeof(dh2048_g)); + } + + DH * +@@ -262,17 +267,8 @@ GetDH4096(void) + static unsigned char dh4096_g[] = { + 0x02, + }; +- DH *dh; + +- if ((dh = DH_new()) == NULL) +- return (NULL); +- dh->p = BN_bin2bn(dh4096_p, sizeof(dh4096_p), NULL); +- dh->g = BN_bin2bn(dh4096_g, sizeof(dh4096_g), NULL); +- if ((dh->p == NULL) || (dh->g == NULL)) { +- DH_free(dh); +- return (NULL); +- } +- return (dh); ++ return DHFromArray(dh4096_p, sizeof(dh4096_p), dh4096_g, sizeof(dh4096_g)); + } + + DH * +-- +2.20.1 + only in patch2: unchanged: --- conserver-8.2.1.orig/debian/patches/0002-don-t-leak-in-the-error-case.patch +++ conserver-8.2.1/debian/patches/0002-don-t-leak-in-the-error-case.patch 
@@ -0,0 +1,34 @@ +From 4e3c2e134e96677994eeabecf51ad1226d08ac04 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz <cote2004-git...@yahoo.com> +Date: Fri, 25 May 2018 16:07:53 -0300 +Subject: [PATCH 2/4] don't leak in the error case + +Applying patch from @FauxFaux + +Signed-off-by: Eneas U de Queiroz <cote2004-git...@yahoo.com> +--- + conserver/main.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/conserver/main.c b/conserver/main.c +index c5d9ca77eb911..883597fba1227 100644 +--- a/conserver/main.c ++++ b/conserver/main.c +@@ -99,13 +99,12 @@ DHFromArray(char *dh_p, size_t dh_p_size, char *dh_g, size_t dh_g_size) { + + p = BN_bin2bn(dh_p, dh_p_size, NULL); + if (p == NULL) { +- BN_free(p); + return (NULL); + } + + g = BN_bin2bn(dh_g, dh_g_size, NULL); + if (g == NULL) { +- BN_free(g); ++ BN_free(p); + return (NULL); + } + +-- +2.20.1 + only in patch2: unchanged: --- conserver-8.2.1.orig/debian/patches/0003-openssl-1.1-1.0-support.patch +++ conserver-8.2.1/debian/patches/0003-openssl-1.1-1.0-support.patch 
@@ -0,0 +1,153 @@ +From 16598183c667d20314b180dcd352673ef6f882ad Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz <cote2004-git...@yahoo.com> +Date: Fri, 25 May 2018 16:10:00 -0300 +Subject: [PATCH 3/4] openssl 1.1/1.0 support + +Added support for building with earlier openssl versions, and enabled +anonymous ciphers in openssl 1.1, so it maintains the same functionality +as earlier openssl (even though this is dangerously insecure), so it +passes all tests. + +Signed-off-by: Eneas U de Queiroz <cote2004-git...@yahoo.com> +--- + conserver/main.c | 45 +++++++++++++++++++++++++++++++++++++++++---- + console/console.c | 15 +++++++++++++-- + 2 files changed, 54 insertions(+), 6 deletions(-) + +diff --git a/conserver/main.c b/conserver/main.c +index 883597fba1227..71b59c4b3846d 100644 +--- a/conserver/main.c ++++ b/conserver/main.c +@@ -86,6 +86,41 @@ unsigned long dmallocMarkMain = 0; + #endif + + #if HAVE_OPENSSL ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) ++{ ++ /* If the fields p and g in d are NULL, the corresponding input ++ * parameters MUST be non-NULL. q may remain NULL. 
++ */ ++ if ((dh->p == NULL && p == NULL) ++ || (dh->g == NULL && g == NULL)) ++ return 0; ++ ++ if (p != NULL) { ++ BN_free(dh->p); ++ dh->p = p; ++ } ++ if (q != NULL) { ++ BN_free(dh->q); ++ dh->q = q; ++ } ++ if (g != NULL) { ++ BN_free(dh->g); ++ dh->g = g; ++ } ++ ++ if (q != NULL) { ++ dh->length = BN_num_bits(q); ++ } ++ ++ return 1; ++} ++#define TLS_method SSLv23_method ++#define CIPHER_SEC0 ++#else ++#define CIPHER_SEC0 ":@SECLEVEL=0" ++#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ ++ + SSL_CTX *ctx = (SSL_CTX *)0; + DH *dh512 = (DH *)0; + DH *dh1024 = (DH *)0; +@@ -93,7 +128,7 @@ DH *dh2048 = (DH *)0; + DH *dh4096 = (DH *)0; + + DH * +-DHFromArray(char *dh_p, size_t dh_p_size, char *dh_g, size_t dh_g_size) { ++DHFromArray(unsigned char *dh_p, size_t dh_p_size, unsigned char *dh_g, size_t dh_g_size) { + DH *dh; + BIGNUM *p, *g; + +@@ -104,7 +139,7 @@ DHFromArray(char *dh_p, size_t dh_p_size, char *dh_g, size_t dh_g_size) { + + g = BN_bin2bn(dh_g, dh_g_size, NULL); + if (g == NULL) { +- BN_free(p); ++ BN_free(g); + return (NULL); + } + +@@ -301,12 +336,14 @@ SetupSSL(void) + if (ctx == (SSL_CTX *)0) { + char *ciphers; + int verifymode; ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + SSL_load_error_strings(); + if (!SSL_library_init()) { + Error("SetupSSL(): SSL_library_init() failed"); + Bye(EX_SOFTWARE); + } +- if ((ctx = SSL_CTX_new(SSLv23_method())) == (SSL_CTX *)0) { ++#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ ++ if ((ctx = SSL_CTX_new(TLS_method())) == (SSL_CTX *)0) { + Error("SetupSSL(): SSL_CTX_new() failed"); + Bye(EX_SOFTWARE); + } +@@ -332,7 +369,7 @@ SetupSSL(void) + } + ciphers = "ALL:!LOW:!EXP:!MD5:!aNULL:@STRENGTH"; + } else { +- ciphers = "ALL:!LOW:!EXP:!MD5:@STRENGTH"; ++ ciphers = "ALL:aNULL:!LOW:!EXP:!MD5:@STRENGTH" CIPHER_SEC0; + } + if (config->sslcacertificatefile != (char *)0) { + STACK_OF(X509_NAME) * cert_names; +diff --git a/console/console.c b/console/console.c +index 1b05f43eea654..418f2ed7f8c4d 100644 +--- 
a/console/console.c ++++ b/console/console.c +@@ -71,6 +71,15 @@ struct winsize ws; + #endif + + #if HAVE_OPENSSL ++ ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#define TLS_method SSLv23_method ++#define CIPHER_SEC0 ++#else ++#define CIPHER_SEC0 ":@SECLEVEL=0" ++#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ ++ ++ + SSL_CTX *ctx = (SSL_CTX *)0; + + void +@@ -78,12 +87,14 @@ SetupSSL(void) + { + if (ctx == (SSL_CTX *)0) { + char *ciphers; ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + SSL_load_error_strings(); + if (!SSL_library_init()) { + Error("SSL library initialization failed"); + Bye(EX_UNAVAILABLE); + } +- if ((ctx = SSL_CTX_new(SSLv23_method())) == (SSL_CTX *)0) { ++#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ ++ if ((ctx = SSL_CTX_new(TLS_method())) == (SSL_CTX *)0) { + Error("Creating SSL context failed"); + Bye(EX_UNAVAILABLE); + } +@@ -123,7 +134,7 @@ SetupSSL(void) + # if defined(REQ_SERVER_CERT) + ciphers = "ALL:!LOW:!EXP:!MD5:!aNULL:@STRENGTH"; + # else +- ciphers = "ALL:!LOW:!EXP:!MD5:@STRENGTH"; ++ ciphers = "ALL:aNULL:!LOW:!EXP:!MD5:@STRENGTH" CIPHER_SEC0; + # endif + } + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback); +-- +2.20.1 + only in patch2: unchanged: --- conserver-8.2.1.orig/debian/patches/0004-condensed-some-TLS-overrides-and-removed-extra-inclu.patch +++ conserver-8.2.1/debian/patches/0004-condensed-some-TLS-overrides-and-removed-extra-inclu.patch 
@@ -0,0 +1,75 @@ +From d6af8728d7a8b2622f2a9e97f50e35c1365946c3 Mon Sep 17 00:00:00 2001 +From: Bryan Stansell <br...@conserver.com> +Date: Sun, 27 May 2018 18:56:25 -0700 +Subject: [PATCH 4/4] condensed some TLS overrides and removed extra includes + +--- + conserver/cutil.h | 6 ++++++ + conserver/main.c | 4 ---- + console/console.c | 11 ----------- + 3 files changed, 6 insertions(+), 15 deletions(-) + +diff --git a/conserver/cutil.h b/conserver/cutil.h +index e21010f15bda8..c12c012cf0388 100644 +--- a/conserver/cutil.h ++++ b/conserver/cutil.h +@@ -10,6 +10,12 @@ + #if HAVE_OPENSSL + # include <openssl/ssl.h> + # include <openssl/err.h> ++# if OPENSSL_VERSION_NUMBER < 0x10100000L ++# define TLS_method SSLv23_method ++# define CIPHER_SEC0 ++# else ++# define CIPHER_SEC0 ":@SECLEVEL=0" ++# endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ + #endif + #if HAVE_GSSAPI + # include <gssapi/gssapi.h> +diff --git a/conserver/main.c b/conserver/main.c +index 71b59c4b3846d..b24f953d4597f 100644 +--- a/conserver/main.c ++++ b/conserver/main.c +@@ -115,10 +115,6 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) + + return 1; + } +-#define TLS_method SSLv23_method +-#define CIPHER_SEC0 +-#else +-#define CIPHER_SEC0 ":@SECLEVEL=0" + #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ + + SSL_CTX *ctx = (SSL_CTX *)0; +diff --git a/console/console.c b/console/console.c +index 418f2ed7f8c4d..a312cf1dbc61e 100644 +--- a/console/console.c ++++ b/console/console.c +@@ -36,8 +36,6 @@ + #include <readconf.h> + #include <version.h> + #if HAVE_OPENSSL +-# include <openssl/ssl.h> +-# include <openssl/err.h> + # include <openssl/opensslv.h> + #endif + #if HAVE_GSSAPI +@@ -71,15 +69,6 @@ struct winsize ws; + #endif + + #if HAVE_OPENSSL +- +-#if OPENSSL_VERSION_NUMBER < 0x10100000L +-#define TLS_method SSLv23_method +-#define CIPHER_SEC0 +-#else +-#define CIPHER_SEC0 ":@SECLEVEL=0" +-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ +- +- + SSL_CTX *ctx = (SSL_CTX *)0; + + void +-- 
+2.20.1 + only in patch2: unchanged: --- conserver-8.2.1.orig/debian/patches/0005-Fix-compilation-without-deprecated-OpenSSL-APIs.patch +++ conserver-8.2.1/debian/patches/0005-Fix-compilation-without-deprecated-OpenSSL-APIs.patch @@ -0,0 +1,27 @@ +From b1a0fa3c501cc233a952f91ad38044b4db1e8c46 Mon Sep 17 00:00:00 2001 +From: Rosen Penev <ros...@gmail.com> +Date: Wed, 2 Jan 2019 09:05:02 -0800 +Subject: [PATCH] Fix compilation without deprecated OpenSSL APIs + +There headers get implicitly included by ssl.h normally. With deprecated APIs disabled +they do not. +--- + conserver/cutil.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/conserver/cutil.h b/conserver/cutil.h +index 899da7a8f89ff..63aef653bdb6f 100644 +--- a/conserver/cutil.h ++++ b/conserver/cutil.h +@@ -7,6 +7,8 @@ + #include <stdarg.h> + #if HAVE_OPENSSL + # include <openssl/ssl.h> ++# include <openssl/bn.h> ++# include <openssl/dh.h> + # include <openssl/err.h> + # if OPENSSL_VERSION_NUMBER < 0x10100000L + # define TLS_method SSLv23_method +-- +2.20.1 + only in patch2: unchanged: --- conserver-8.2.1.orig/debian/patches/0006-Fix-compilation-without-deprecated-OpenSSL-1.1-APIs.patch +++ conserver-8.2.1/debian/patches/0006-Fix-compilation-without-deprecated-OpenSSL-1.1-APIs.patch 
@@ -0,0 +1,40 @@ +From 12671246aeedfa17a9b1f0bf3e772969f79bc4bf Mon Sep 17 00:00:00 2001 +From: Rosen Penev <ros...@gmail.com> +Date: Sun, 6 Jan 2019 19:54:31 -0800 +Subject: [PATCH] Fix compilation without deprecated OpenSSL 1.1 APIs + +--- + configure.in | 2 +- + conserver/cutil.c | 2 ++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/configure.in b/configure.in +index a06081182bd2b..00b7f8bb8aac0 100644 +--- a/configure.in ++++ b/configure.in +@@ -535,7 +535,7 @@ AC_ARG_WITH(openssl, + [LIBS="$LIBS -lssl -lcrypto" + AC_MSG_CHECKING(for openssl libraries -lssl and -lcrypto) + AC_TRY_LINK([#include <openssl/ssl.h> +- ],[SSL_library_init()], ++ ],[SSL_CTX_new(NULL)], + [AC_MSG_RESULT(yes) + cons_with_openssl="YES" + AC_DEFINE(HAVE_OPENSSL) +diff --git a/conserver/cutil.c b/conserver/cutil.c +index af8196c5a782e..dcfe33324e9ab 100644 +--- a/conserver/cutil.c ++++ b/conserver/cutil.c +@@ -57,7 +57,9 @@ Bye(int status) + { + DestroyDataStructures(); + #if HAVE_OPENSSL ++# if OPENSSL_VERSION_NUMBER < 0x10100000L + ERR_free_strings(); ++# endif + #endif + exit(status); + } +-- +2.20.1 + only in patch2: unchanged: --- conserver-8.2.1.orig/debian/patches/series +++ conserver-8.2.1/debian/patches/series @@ -0,0 +1,8 @@ +# This series and patches file is just for convenience and contains +# only the OpenSSL 1.1 related changes in order to address #851085 +0001-fix-build-with-openssl-1.1-but-all-the-tests-fail.patch +0002-don-t-leak-in-the-error-case.patch +0003-openssl-1.1-1.0-support.patch +0004-condensed-some-TLS-overrides-and-removed-extra-inclu.patch +0005-Fix-compilation-without-deprecated-OpenSSL-APIs.patch +0006-Fix-compilation-without-deprecated-OpenSSL-1.1-APIs.patch