[pkg-nagios-changes] [Git][nagios-team/pkg-nsca-ng][master] 2 commits: Add upstream patch to fix FTBFS with OpenSSL 1.1.1. (closes: #900152)
Bas Couwenberg
gitlab at salsa.debian.org
Tue Mar 19 17:36:11 GMT 2019
Bas Couwenberg pushed to branch master at Debian Nagios Maintainer Group / pkg-nsca-ng
Commits:
3b0eae31 by Bas Couwenberg at 2019-03-19T17:32:54Z
Add upstream patch to fix FTBFS with OpenSSL 1.1.1. (closes: #900152)
- - - - -
19898cde by Bas Couwenberg at 2019-03-19T17:33:13Z
Set distribution to unstable.
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/0001-Work-around-TLSv1.3-PSK-bug-in-OpenSSL-1.1.1.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,10 +1,13 @@
-nsca-ng (1.5-4) UNRELEASED; urgency=medium
+nsca-ng (1.5-4) unstable; urgency=medium
+ * Team upload.
* Drop autopkgtest to test installability.
* Add lintian override for testsuite-autopkgtest-missing.
* Bump Standards-Version to 4.3.0, no changes.
+ * Add upstream patch to fix FTBFS with OpenSSL 1.1.1.
+ (closes: #900152)
- -- Bas Couwenberg <sebastic at debian.org> Wed, 01 Aug 2018 21:07:15 +0200
+ -- Bas Couwenberg <sebastic at debian.org> Tue, 19 Mar 2019 18:32:59 +0100
nsca-ng (1.5-3) unstable; urgency=medium
=====================================
debian/patches/0001-Work-around-TLSv1.3-PSK-bug-in-OpenSSL-1.1.1.patch
=====================================
@@ -0,0 +1,77 @@
+Description: Work around TLSv1.3 PSK bug in OpenSSL 1.1.1
+ When TLSv1.3 is used with (at least) OpenSSL 1.1.1b, the
+ SSL_get_psk_identity(3) unexpectedly returns NULL. Work around this
+ issue be storing a copy of the PSK identity into the SSL object.
+From: Holger Weiß <holger at weiss.in-berlin.de>
+Origin :https://github.com/weiss/nsca-ng/commit/7d9ca3413e661c0ac8a020bf674d16c3af4ebccb
+Bug: https://github.com/weiss/nsca-ng/issues/4
+Bug-Debian: https://bugs.debian.org/900152
+
+--- a/src/common/tls.c
++++ b/src/common/tls.c
+@@ -530,6 +530,8 @@ tls_free(tls_state *tls)
+ free(tls->output);
+ if (tls->addr != NULL)
+ free(tls->addr);
++ if (tls->id != NULL)
++ free(tls->id);
+ if (tls->peer != NULL)
+ free(tls->peer);
+ if (tls->ssl != NULL)
+@@ -632,7 +634,7 @@ accept_ssl_cb(EV_P_ ev_io *w, int revent
+ debug("TLS handshake with %s not (yet) successful", tls->addr);
+ check_tls_error(EV_A_ w, result);
+ } else { /* The TLS connection is established. */
+- if ((tls->id = SSL_get_psk_identity(tls->ssl)) == NULL) {
++ if ((tls->id = SSL_get_app_data(tls->ssl)) == NULL) {
+ error("Cannot retrieve client identity");
+ tls_free(tls);
+ } else {
+--- a/src/common/tls.h
++++ b/src/common/tls.h
+@@ -61,7 +61,7 @@
+ typedef struct tls_state_s {
+ /* public: */
+ void *data; /* Can freely be used by the caller. */
+- const char *id; /* Client ID (e.g., "foo"). */
++ char *id; /* Client ID (e.g., "foo"). */
+ char *addr; /* Client IP address (e.g., "192.0.2.2"). */
+ char *peer; /* Client ID and IP address (e.g., "foo at 192.0.2.2"). */
+
+--- a/src/server/auth.c
++++ b/src/server/auth.c
+@@ -41,6 +41,7 @@
+ #include "log.h"
+ #include "system.h"
+ #include "util.h"
++#include "wrappers.h"
+
+ static bool match(regex_t * restrict, const char * restrict);
+
+@@ -49,8 +50,8 @@ static bool match(regex_t * restrict, co
+ */
+
+ unsigned int
+-check_psk(SSL *ssl __attribute__((__unused__)), const char *identity,
+- unsigned char *password, unsigned int max_password_len)
++check_psk(SSL *ssl, const char *identity, unsigned char *password,
++ unsigned int max_password_len)
+ {
+ cfg_t *auth;
+ const char *configured_pw;
+@@ -63,6 +64,15 @@ check_psk(SSL *ssl __attribute__((__unus
+ }
+ debug("Verifying key provided by %s", identity);
+
++ /*
++ * With (at least) OpenSSL 1.1.1b, SSL_get_psk_identity(3) returns NULL
++ * when TLSv1.3 is used. As a workaround, we store the ID ourselves:
++ */
++ if (SSL_set_app_data(ssl, xstrdup(identity)) != 1) {
++ error("Cannot store client-supplied ID (`%s')", identity);
++ return 0;
++ }
++
+ configured_pw = cfg_getstr(auth, "password");
+ password_len = MIN(strlen(configured_pw), max_password_len);
+ (void)memcpy(password, configured_pw, password_len);
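Review bot: The copy made by `xstrdup(identity)` in the block added to check_psk() has no owner until accept_ssl_cb() moves it into `tls->id`, so it appears to leak on every path that never reaches that assignment: when `SSL_set_app_data()` fails, when the handshake fails after the callback has run (a known identity with a wrong key, for instance), and when the callback is invoked more than once for one connection. As far as these hunks show, tls_free() releases only `tls->id`, and OpenSSL does not free application data in SSL_free(), so each failed connection attempt would leave one identity string allocated in the server. I would hold the copy in a local and release it on the error path, `char *id = xstrdup(identity);` then `if (SSL_set_app_data(ssl, id) != 1) { error(...); free(id); return 0; }`, and have tls_free() fall back to `free(SSL_get_app_data(tls->ssl))` when `tls->id` is still NULL. The bodies of check_psk(), accept_ssl_cb() and tls_free() continue outside the hunks, so the ownership on the failure paths should be confirmed against the full files.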
=====================================
debian/patches/series
=====================================
@@ -1 +1,2 @@
nsca-ng.cfg_debian_config
+0001-Work-around-TLSv1.3-PSK-bug-in-OpenSSL-1.1.1.patch
View it on GitLab: https://salsa.debian.org/nagios-team/pkg-nsca-ng/compare/bd20a9104bd458bd36b822bb9452bc76ff08a217...19898cde3dfbac672b9804796e0eeaa66304e68f