[Pkg-nagios-devel] Bug#925083: unblock: nsca-ng/1.5-4

Bas Couwenberg sebastic at xs4all.nl
Tue Mar 19 18:35:53 GMT 2019


Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock

Please unblock package nsca-ng 1.5-4.

It cherry-picks the OpenSSL 1.1.1 change from the 1.6 release available
in experimental.

unblock nsca-ng/1.5-4

Kind Regards,

Bas
-------------- next part --------------
diff -Nru nsca-ng-1.5/debian/changelog nsca-ng-1.5/debian/changelog
--- nsca-ng-1.5/debian/changelog	2018-07-29 12:38:31.000000000 +0200
+++ nsca-ng-1.5/debian/changelog	2019-03-19 18:32:59.000000000 +0100
@@ -1,3 +1,14 @@
+nsca-ng (1.5-4) unstable; urgency=medium
+
+  * Team upload.
+  * Drop autopkgtest to test installability.
+  * Add lintian override for testsuite-autopkgtest-missing.
+  * Bump Standards-Version to 4.3.0, no changes.
+  * Add upstream patch to fix FTBFS with OpenSSL 1.1.1.
+    (closes: #900152)
+
+ -- Bas Couwenberg <sebastic at debian.org>  Tue, 19 Mar 2019 18:32:59 +0100
+
 nsca-ng (1.5-3) unstable; urgency=medium
 
   * Team upload.
diff -Nru nsca-ng-1.5/debian/control nsca-ng-1.5/debian/control
--- nsca-ng-1.5/debian/control	2018-07-29 12:38:31.000000000 +0200
+++ nsca-ng-1.5/debian/control	2019-03-19 18:29:13.000000000 +0100
@@ -10,7 +10,7 @@
                libbsd-dev,
                libssl-dev,
                libsystemd-dev
-Standards-Version: 4.1.5
+Standards-Version: 4.3.0
 Vcs-Browser: https://salsa.debian.org/nagios-team/pkg-nsca-ng
 Vcs-Git: https://salsa.debian.org/nagios-team/pkg-nsca-ng.git
 Homepage: http://www.nsca-ng.org/
diff -Nru nsca-ng-1.5/debian/patches/0001-Work-around-TLSv1.3-PSK-bug-in-OpenSSL-1.1.1.patch nsca-ng-1.5/debian/patches/0001-Work-around-TLSv1.3-PSK-bug-in-OpenSSL-1.1.1.patch
--- nsca-ng-1.5/debian/patches/0001-Work-around-TLSv1.3-PSK-bug-in-OpenSSL-1.1.1.patch	1970-01-01 01:00:00.000000000 +0100
+++ nsca-ng-1.5/debian/patches/0001-Work-around-TLSv1.3-PSK-bug-in-OpenSSL-1.1.1.patch	2019-03-19 18:31:41.000000000 +0100
@@ -0,0 +1,77 @@
+Description: Work around TLSv1.3 PSK bug in OpenSSL 1.1.1
+ When TLSv1.3 is used with (at least) OpenSSL 1.1.1b, the
+ SSL_get_psk_identity(3) unexpectedly returns NULL.  Work around this
+ issue be storing a copy of the PSK identity into the SSL object.
+From: Holger WeiƟ <holger at weiss.in-berlin.de>
+Origin :https://github.com/weiss/nsca-ng/commit/7d9ca3413e661c0ac8a020bf674d16c3af4ebccb
+Bug: https://github.com/weiss/nsca-ng/issues/4
+Bug-Debian: https://bugs.debian.org/900152
+
+--- a/src/common/tls.c
++++ b/src/common/tls.c
+@@ -530,6 +530,8 @@ tls_free(tls_state *tls)
+ 		free(tls->output);
+ 	if (tls->addr != NULL)
+ 		free(tls->addr);
++	if (tls->id != NULL)
++		free(tls->id);
+ 	if (tls->peer != NULL)
+ 		free(tls->peer);
+ 	if (tls->ssl != NULL)
+@@ -632,7 +634,7 @@ accept_ssl_cb(EV_P_ ev_io *w, int revent
+ 		debug("TLS handshake with %s not (yet) successful", tls->addr);
+ 		check_tls_error(EV_A_ w, result);
+ 	} else { /* The TLS connection is established. */
+-		if ((tls->id = SSL_get_psk_identity(tls->ssl)) == NULL) {
++		if ((tls->id = SSL_get_app_data(tls->ssl)) == NULL) {
+ 			error("Cannot retrieve client identity");
+ 			tls_free(tls);
+ 		} else {
+--- a/src/common/tls.h
++++ b/src/common/tls.h
+@@ -61,7 +61,7 @@
+ typedef struct tls_state_s {
+ /* public: */
+ 	void *data;     /* Can freely be used by the caller. */
+-	const char *id; /* Client ID (e.g., "foo"). */
++	char *id;       /* Client ID (e.g., "foo"). */
+ 	char *addr;     /* Client IP address (e.g., "192.0.2.2"). */
+ 	char *peer;     /* Client ID and IP address (e.g., "foo at 192.0.2.2"). */
+ 
+--- a/src/server/auth.c
++++ b/src/server/auth.c
+@@ -41,6 +41,7 @@
+ #include "log.h"
+ #include "system.h"
+ #include "util.h"
++#include "wrappers.h"
+ 
+ static bool match(regex_t * restrict, const char * restrict);
+ 
+@@ -49,8 +50,8 @@ static bool match(regex_t * restrict, co
+  */
+ 
+ unsigned int
+-check_psk(SSL *ssl __attribute__((__unused__)), const char *identity,
+-          unsigned char *password, unsigned int max_password_len)
++check_psk(SSL *ssl, const char *identity, unsigned char *password,
++          unsigned int max_password_len)
+ {
+ 	cfg_t *auth;
+ 	const char *configured_pw;
+@@ -63,6 +64,15 @@ check_psk(SSL *ssl __attribute__((__unus
+ 	}
+ 	debug("Verifying key provided by %s", identity);
+ 
++	/*
++	 * With (at least) OpenSSL 1.1.1b, SSL_get_psk_identity(3) returns NULL
++	 * when TLSv1.3 is used.  As a workaround, we store the ID ourselves:
++	 */
++	if (SSL_set_app_data(ssl, xstrdup(identity)) != 1) {
++		error("Cannot store client-supplied ID (`%s')", identity);
++		return 0;
++	}
++
+ 	configured_pw = cfg_getstr(auth, "password");
+ 	password_len = MIN(strlen(configured_pw), max_password_len);
+ 	(void)memcpy(password, configured_pw, password_len);
diff -Nru nsca-ng-1.5/debian/patches/series nsca-ng-1.5/debian/patches/series
--- nsca-ng-1.5/debian/patches/series	2016-12-03 22:51:15.000000000 +0100
+++ nsca-ng-1.5/debian/patches/series	2019-03-19 18:31:35.000000000 +0100
@@ -1 +1,2 @@
 nsca-ng.cfg_debian_config
+0001-Work-around-TLSv1.3-PSK-bug-in-OpenSSL-1.1.1.patch
diff -Nru nsca-ng-1.5/debian/source/lintian-overrides nsca-ng-1.5/debian/source/lintian-overrides
--- nsca-ng-1.5/debian/source/lintian-overrides	2018-07-29 12:38:31.000000000 +0200
+++ nsca-ng-1.5/debian/source/lintian-overrides	2019-03-19 18:29:13.000000000 +0100
@@ -1,3 +1,6 @@
 # Not available via HTTPS.
 debian-watch-uses-insecure-uri *
 
+# Not worth the effort
+testsuite-autopkgtest-missing
+
diff -Nru nsca-ng-1.5/debian/tests/control nsca-ng-1.5/debian/tests/control
--- nsca-ng-1.5/debian/tests/control	2018-07-29 12:38:31.000000000 +0200
+++ nsca-ng-1.5/debian/tests/control	1970-01-01 01:00:00.000000000 +0100
@@ -1,3 +0,0 @@
-# Test installability
-Depends: @
-Test-Command: /bin/true


More information about the Pkg-nagios-devel mailing list