Hello community, here is the log from the commit of package nut for openSUSE:Factory checked in at 2017-12-02 13:12:31 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/nut (Old) and /work/SRC/openSUSE:Factory/.nut.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nut" Sat Dec 2 13:12:31 2017 rev:61 rq:547154 version:2.7.4 Changes: -------- --- /work/SRC/openSUSE:Factory/nut/nut.changes 2017-10-19 19:32:57.430573289 +0200 +++ /work/SRC/openSUSE:Factory/.nut.new/nut.changes 2017-12-02 13:12:41.669949590 +0100 @@ -1,0 +2,16 @@ +Fri Dec 1 14:59:25 UTC 2017 - suse+bu...@de-korte.org + +- Add support for OpenSSL 1.1.0 library, allow TLSv1 and higher + (not just TLSv1) and report TLS version used in debug mode level + 3 and higher (boo#1069988, openssl-1_1.patch) +- Fix missing pointer dereference in upssched (nut-upssched.patch) +- Support for allowfrom parameter was removed in version 2.4.0 + (nut-preconfig.patch) + +------------------------------------------------------------------- +Thu Nov 30 18:01:31 CET 2017 - sbra...@suse.com + +- No more conflict with apcupsd (boo#1070373). +- Remove smartups references. It is dropped since 2001. + +------------------------------------------------------------------- New: ---- nut-upssched.patch openssl-1_1.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nut.spec ++++++ --- /var/tmp/diff_new_pack.N2fJ9f/_old 2017-12-02 13:12:42.693912296 +0100 +++ /var/tmp/diff_new_pack.N2fJ9f/_new 2017-12-02 13:12:42.693912296 +0100 @@ -57,6 +57,8 @@ Patch9: nut-doc-cables.patch # PATCH-FIX-UPSTREAM use-pkg-config-gdlib.diff alarr...@suse.com -- Use pkg-config to obtain CFLAGS and LDFLAGS to use when building with gd Patch10: use-pkg-config-gdlib.diff +Patch11: openssl-1_1.patch +Patch12: nut-upssched.patch BuildRequires: apache2-devel BuildRequires: asciidoc BuildRequires: avahi-devel @@ -74,7 +76,6 @@ BuildRequires: pkgconfig BuildRequires: source-highlight BuildRequires: tcpd-devel -BuildRequires: tex(upquote.sty) BuildRequires: pkgconfig(dbus-glib-1) BuildRequires: pkgconfig(gdlib) BuildRequires: pkgconfig(libpowerman) 
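Review bot: `Patch11` and `Patch12` in the first nut.spec hunk are added without the tag comment that the neighbouring `Patch10` carries (`# PATCH-FIX-UPSTREAM use-pkg-config-gdlib.diff ... -- ...`). A line such as `# PATCH-FIX-UPSTREAM openssl-1_1.patch boo#1069988 -- Add support for OpenSSL 1.1.0, allow TLSv1 and higher` above `Patch11`, and a matching one above `Patch12`, would keep the origin and purpose of a TLS-affecting patch traceable from the spec file itself. Whether PATCH-FIX-UPSTREAM or another tag is the right one for these two patches is not visible here.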
@@ -82,6 +83,7 @@ BuildRequires: pkgconfig(neon) BuildRequires: pkgconfig(openssl) BuildRequires: pkgconfig(udev) +BuildRequires: tex(upquote.sty) Requires: logrotate Requires: usbutils Requires(post): udev @@ -89,9 +91,6 @@ Enhances: %{USBHIDDRIVERS} # Package provides the only avalailable driver for other USB UPSes: Supplements: %{USBNONHIDDRIVERS} -Conflicts: apcupsd -Provides: smartups = %{version} -Obsoletes: smartups < %{version} # for update from openSUSE <= 11.3, SLE <= 11 Provides: nut-classic = %{version} Obsoletes: nut-classic < %{version} @@ -253,6 +252,8 @@ %patch8 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 +%patch12 -p1 sed -i s/@now@/`date -r ChangeLog +%%Y-%%m-%%d`/g docs/docinfo.xml.in sed -i s:%{_prefix}/local/ups/bin:/bin: conf/upssched.conf.sample.in ++++++ nut-preconfig.patch ++++++ --- /var/tmp/diff_new_pack.N2fJ9f/_old 2017-12-02 13:12:42.749910256 +0100 +++ /var/tmp/diff_new_pack.N2fJ9f/_new 2017-12-02 13:12:42.753910110 +0100 @@ -19,19 +19,17 @@ + desc = "Local UPS" --- conf/upsd.users.sample +++ conf/upsd.users.sample -@@ -62,3 +62,13 @@ +@@ -62,3 +62,11 @@ # The matching MONITOR line in your upsmon.conf would look like this: # # MONITOR myups@localhost 1 upsmon pass master (or slave) + +[upsmaster] + password = @UPSD_INITIAL_MASTER_PASSWORD@ -+ allowfrom = localhost + upsmon master + +[upsslave] + password = @UPSD_INITIAL_SLAVE_PASSWORD@ -+ allowfrom = localhost + upsmon slave --- conf/upsmon.conf.sample.in +++ conf/upsmon.conf.sample.in ++++++ nut-upssched.patch ++++++ diff --git a/clients/upssched.c b/clients/upssched.c index 97b3ed42..3fdf118e 100644 --- a/clients/upssched.c +++ b/clients/upssched.c @@ -794,7 +794,7 @@ static void parse_at(const char *ntype, const char *un, const char *cmd, } if (!strcmp(cmd, "EXECUTE")) { - if (ca1 == '\0') { + if (*ca1 == '\0') { upslogx(LOG_ERR, "Empty EXECUTE command argument"); return; } ++++++ openssl-1_1.patch ++++++ 
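Review bot: With both `allowfrom = localhost` lines gone from the `[upsmaster]` and `[upsslave]` samples in conf/upsd.users.sample, nothing in these sections tells an administrator where network access is restricted. Dropping the option is right if upsd has ignored it since 2.4.0, as the changelog says, because a setting with no effect suggests a restriction that does not exist. I would add a comment above the two sections, for example `# Access is not limited per user here; restrict who can reach upsd with LISTEN in upsd.conf and with host firewall rules.`, and confirm that the packaged upsd.conf listens on localhost only by default, which this diff does not show.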
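Review bot: The corrected test `if (*ca1 == '\0')` in parse_at now reads through `ca1` without checking that it is non-NULL. The old comparison `ca1 == '\0'` was in effect a NULL-pointer test, so a NULL argument used to reach the "Empty EXECUTE command argument" error and would now be dereferenced instead. Whether `ca1` can be NULL is not visible, since parse_at's full parameter list and its callers are outside the hunk; unless that is ruled out, use `if (ca1 == NULL || *ca1 == '\0') {`.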
diff --git a/clients/upsclient.c b/clients/upsclient.c index b90587b0..b7dd8f42 100644 --- a/clients/upsclient.c +++ b/clients/upsclient.c @@ -299,11 +299,6 @@ int upscli_init(int certverify, const char *certpath, { #ifdef WITH_OPENSSL int ret, ssl_mode = SSL_VERIFY_NONE; -#if OPENSSL_VERSION_NUMBER >= 0x10000000L - const SSL_METHOD *ssl_method; -#else - SSL_METHOD *ssl_method; -#endif #elif defined(WITH_NSS) /* WITH_OPENSSL */ SECStatus status; #endif /* WITH_OPENSSL | WITH_NSS */ @@ -315,22 +310,35 @@ int upscli_init(int certverify, const char *certpath, } #ifdef WITH_OPENSSL + + SSL_load_error_strings(); +#if OPENSSL_VERSION_NUMBER < 0x10100000L SSL_library_init(); - SSL_load_error_strings(); - ssl_method = TLSv1_client_method(); + ssl_ctx = SSL_CTX_new(SSLv23_client_method()); +#else + OPENSSL_init_ssl(0, NULL); - if (!ssl_method) { - return 0; - } + ssl_ctx = SSL_CTX_new(TLS_client_method()); +#endif - ssl_ctx = SSL_CTX_new(ssl_method); if (!ssl_ctx) { upslogx(LOG_ERR, "Can not initialize SSL context"); return -1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L + /* set minimum protocol TLSv1 */ + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); +#else + ret = SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION); + if (ret != 1) { + upslogx(LOG_ERR, "Can not set minimum protocol to TLSv1"); + return -1; + } +#endif + if (!certpath) { if (certverify == 1) { upslogx(LOG_ERR, "Can not verify certificate if any is specified"); @@ -737,7 +745,7 @@ static int upscli_sslinit(UPSCONN_t *ups, int verifycert) switch(res) { case 1: - upsdebugx(3, "SSL connected"); + upsdebugx(3, "SSL connected (%s)", SSL_get_version(ups->ssl)); break; case 0: upslog_with_errno(1, "SSL_connect do not accept handshake."); diff --git a/m4/nut_check_libopenssl.m4 b/m4/nut_check_libopenssl.m4 index 1b875077..5f29f4a3 100644 --- a/m4/nut_check_libopenssl.m4 +++ b/m4/nut_check_libopenssl.m4 
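Review bot: The protocol floor set in upscli_init (clients/upsclient.c, second hunk) is still TLS 1.0 on both branches, `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` before OpenSSL 1.1.0 and `SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION)` from 1.1.0 on, and ssl_init in server/netssl.c sets the same floor. A session can therefore still be negotiated at TLS 1.0 or 1.1; I would make the minimum a configuration setting that defaults to TLS 1.2 (`TLS1_2_VERSION`, or adding `SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1` on the old branch), with TLS 1.0 left selectable because peers built from the pre-patch code offer only TLSv1. Separately, the new `return -1` after a failed SSL_CTX_set_min_proto_version leaves `ssl_ctx` allocated; `SSL_CTX_free(ssl_ctx); ssl_ctx = NULL;` before the return would keep a later call from finding a half-configured context, assuming `ssl_ctx` is file-scope as its absence from the visible declarations suggests. upscli_init starts and ends outside the hunk.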
@@ -57,8 +57,9 @@ if test -z "${nut_have_libopenssl_seen}"; then AC_MSG_RESULT([${LIBS}]) dnl check if openssl is usable - AC_CHECK_HEADERS(openssl/ssl.h, [nut_have_openssl=yes], [nut_have_openssl=no], [AC_INCLUDES_DEFAULT]) - AC_CHECK_FUNCS(SSL_library_init, [], [nut_have_openssl=no]) + AC_CHECK_FUNCS(OPENSSL_init_ssl, [nut_have_openssl=yes], [nut_have_openssl=no]) + AC_CHECK_FUNCS(SSL_library_init, [nut_have_openssl=yes], []) + AC_CHECK_HEADERS(openssl/ssl.h, [], [nut_have_openssl=no], [AC_INCLUDES_DEFAULT]) if test "${nut_have_openssl}" = "yes"; then nut_with_ssl="yes" diff --git a/server/netssl.c b/server/netssl.c index c2f40989..6ae13e8d 100644 --- a/server/netssl.c +++ b/server/netssl.c @@ -275,7 +275,7 @@ void net_starttls(nut_ctype_t *client, int numarg, const char **arg) { case 1: client->ssl_connected = 1; - upsdebugx(3, "SSL connected"); + upsdebugx(3, "SSL connected (%s)", SSL_get_version(client->ssl)); break; case 0: @@ -371,13 +371,7 @@ void ssl_init(void) { #ifdef WITH_NSS SECStatus status; -#elif defined(WITH_OPENSSL) -#if OPENSSL_VERSION_NUMBER >= 0x10000000L - const SSL_METHOD *ssl_method; -#else - SSL_METHOD *ssl_method; -#endif -#endif /* WITH_NSS|WITH_OPENSSL */ +#endif /* WITH_NSS */ if (!certfile) { return; 
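Review bot: The checks in m4/nut_check_libopenssl.m4 accept either `OPENSSL_init_ssl` or `SSL_library_init`, but the C code in this patch does not use that result: upsclient.c and netssl.c choose their branch with `#if OPENSSL_VERSION_NUMBER < 0x10100000L`. A library that reports a high version number without providing the 1.1.0 API (LibreSSL defines OPENSSL_VERSION_NUMBER as 0x20000000L) could pass configure through `SSL_library_init` and then fail to build on the `#else` branch. Since AC_CHECK_FUNCS already defines `HAVE_OPENSSL_INIT_SSL`, I would key the C branches on `#ifdef HAVE_OPENSSL_INIT_SSL`, or at least add a `dnl` comment here stating that the version test in the sources has to stay in step with these checks. The enclosing `if test -z "${nut_have_libopenssl_seen}"` block starts and ends outside the hunk.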
@@ -388,17 +382,31 @@ void ssl_init(void) #ifdef WITH_OPENSSL SSL_load_error_strings(); + +#if OPENSSL_VERSION_NUMBER < 0x10100000L SSL_library_init(); - if ((ssl_method = TLSv1_server_method()) == NULL) { + ssl_ctx = SSL_CTX_new(SSLv23_server_method()); +#else + OPENSSL_init_ssl(0, NULL); + + ssl_ctx = SSL_CTX_new(TLS_server_method()); +#endif + + if (!ssl_ctx) { ssl_debug(); - fatalx(EXIT_FAILURE, "TLSv1_server_method failed"); + fatalx(EXIT_FAILURE, "SSL_CTX_new failed"); } - if ((ssl_ctx = SSL_CTX_new(ssl_method)) == NULL) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L + /* set minimum protocol TLSv1 */ + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); +#else + if (SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION) != 1) { ssl_debug(); - fatalx(EXIT_FAILURE, "SSL_CTX_new failed"); + fatalx(EXIT_FAILURE, "SSL_CTX_set_min_proto_version(TLS1_VERSION)"); } +#endif if (SSL_CTX_use_certificate_chain_file(ssl_ctx, certfile) != 1) { ssl_debug();
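Review bot: The new fatalx text `"SSL_CTX_set_min_proto_version(TLS1_VERSION)"` in ssl_init names the call but not the outcome, unlike the neighbouring `"SSL_CTX_new failed"`; `fatalx(EXIT_FAILURE, "SSL_CTX_set_min_proto_version(TLS1_VERSION) failed");` reads unambiguously in a log. `OPENSSL_init_ssl(0, NULL)` returns 0 on failure and is not checked, so an initialisation error would most likely surface one step later and be reported as an SSL_CTX_new failure. The `/* set minimum protocol TLSv1 */` comment sits only on the pre-1.1.0 branch; a comment above the `#if` saying that both branches enforce the same floor, and that SSLv23_server_method negotiates the highest version both sides support rather than SSLv2/3, would help readers who take the name literally. ssl_init continues past the end of the hunk.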