archrelease: copy trunk to community-any
1 From da1f5aa699f54e0f6977ab64a3bc2f90a51c3104 Mon Sep 17 00:00:00 2001
2 From: Arjen de Korte <build+lede@de-korte.org>
3 Date: Mon, 27 Nov 2017 21:10:13 +0100
4 Subject: [PATCH] Add support for openssl-1.1.0
6 --- a/clients/upsclient.c
7 +++ b/clients/upsclient.c
8 @@ -299,11 +299,6 @@
10 #ifdef WITH_OPENSSL
11 int ret, ssl_mode = SSL_VERIFY_NONE;
12 -#if OPENSSL_VERSION_NUMBER >= 0x10000000L
13 - const SSL_METHOD *ssl_method;
14 -#else
15 - SSL_METHOD *ssl_method;
16 -#endif
17 #elif defined(WITH_NSS) /* WITH_OPENSSL */
18 SECStatus status;
19 #endif /* WITH_OPENSSL | WITH_NSS */
20 @@ -315,22 +310,32 @@
23 #ifdef WITH_OPENSSL
25 - SSL_library_init();
26 - SSL_load_error_strings();
28 - ssl_method = TLSv1_client_method();
29 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
30 + SSL_load_error_strings();
31 + SSL_library_init();
33 - if (!ssl_method) {
34 - return 0;
35 - }
36 + ssl_ctx = SSL_CTX_new(SSLv23_client_method());
37 +#else
38 + ssl_ctx = SSL_CTX_new(TLS_client_method());
39 +#endif
41 - ssl_ctx = SSL_CTX_new(ssl_method);
42 if (!ssl_ctx) {
43 upslogx(LOG_ERR, "Can not initialize SSL context");
44 return -1;
47 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
48 + /* set minimum protocol TLSv1 */
49 + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
50 +#else
51 + ret = SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION);
52 + if (ret != 1) {
53 + upslogx(LOG_ERR, "Can not set minimum protocol to TLSv1");
54 + return -1;
55 + }
56 +#endif
58 if (!certpath) {
59 if (certverify == 1) {
60 upslogx(LOG_ERR, "Can not verify certificate if any is specified");
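Review bot: The protocol floor set by this hunk is TLS 1.0 on both branches, so TLS 1.0 and 1.1 (both deprecated by RFC 8996) can still be negotiated. `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` only excludes the SSL versions, and `SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION)` sets the same floor explicitly. If compatibility with deployed peers allows it, use `TLS1_2_VERSION` on the 1.1.0 branch and add `SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1` on the older branch where the headers define them, or make the floor a configuration setting. The comment `/* set minimum protocol TLSv1 */` should then state why that floor was chosen. The server-side init hunk in server/netssl.c sets the same floor, and the enclosing function starts and ends outside this hunk.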
61 @@ -737,7 +742,7 @@
62 switch(res)
64 case 1:
65 - upsdebugx(3, "SSL connected");
66 + upsdebugx(3, "SSL connected (%s)", SSL_get_version(ups->ssl));
67 break;
68 case 0:
69 upslog_with_errno(1, "SSL_connect do not accept handshake.");
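Review bot: The negotiated protocol is reported only through `upsdebugx(3, ...)`, which looks like a debug-verbosity message, so a session that settles on an old protocol version may not appear in ordinary logs. Since the message is being touched anyway, it could also carry the cipher, e.g. `upsdebugx(3, "SSL connected (%s, %s)", SSL_get_version(ups->ssl), SSL_get_cipher(ups->ssl));`. The matching line in server/netssl.c (`client->ssl`) would take the same change. The switch statement continues outside this hunk.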
70 --- a/clients/upssched.c
71 +++ b/clients/upssched.c
72 @@ -794,7 +794,7 @@
75 if (!strcmp(cmd, "EXECUTE")) {
76 - if (ca1 == '\0') {
77 + if (ca1[0] == '\0') {
78 upslogx(LOG_ERR, "Empty EXECUTE command argument");
79 return;
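Review bot: The corrected test `ca1[0] == '\0'` dereferences `ca1`, whereas the old comparison `ca1 == '\0'` was in effect a NULL-pointer test. If `ca1` can be NULL when EXECUTE arrives without an argument (not visible in this hunk, so this needs checking against the caller), the new line would crash instead of logging the error. Covering both cases is cheap: `if (ca1 == NULL || ca1[0] == '\0') {`. The enclosing function starts and ends outside the hunk.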
81 --- a/m4/nut_check_libopenssl.m4
82 +++ b/m4/nut_check_libopenssl.m4
83 @@ -58,7 +58,7 @@
85 dnl check if openssl is usable
86 AC_CHECK_HEADERS(openssl/ssl.h, [nut_have_openssl=yes], [nut_have_openssl=no], [AC_INCLUDES_DEFAULT])
87 - AC_CHECK_FUNCS(SSL_library_init, [], [nut_have_openssl=no])
88 + AC_CHECK_FUNCS(SSL_CTX_new, [], [nut_have_openssl=no])
90 if test "${nut_have_openssl}" = "yes"; then
91 nut_with_ssl="yes"
92 --- a/server/netssl.c
93 +++ b/server/netssl.c
94 @@ -274,7 +274,7 @@
96 case 1:
97 client->ssl_connected = 1;
98 - upsdebugx(3, "SSL connected");
99 + upsdebugx(3, "SSL connected (%s)", SSL_get_version(client->ssl));
100 break;
102 case 0:
103 @@ -370,13 +370,7 @@
105 #ifdef WITH_NSS
106 SECStatus status;
107 -#elif defined(WITH_OPENSSL)
108 -#if OPENSSL_VERSION_NUMBER >= 0x10000000L
109 - const SSL_METHOD *ssl_method;
110 -#else
111 - SSL_METHOD *ssl_method;
112 -#endif
113 -#endif /* WITH_NSS|WITH_OPENSSL */
114 +#endif /* WITH_NSS */
116 if (!certfile) {
117 return;
118 @@ -386,18 +380,29 @@
120 #ifdef WITH_OPENSSL
122 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
123 SSL_load_error_strings();
124 SSL_library_init();
126 - if ((ssl_method = TLSv1_server_method()) == NULL) {
127 + ssl_ctx = SSL_CTX_new(SSLv23_server_method());
128 +#else
129 + ssl_ctx = SSL_CTX_new(TLS_server_method());
130 +#endif
132 + if (!ssl_ctx) {
133 ssl_debug();
134 - fatalx(EXIT_FAILURE, "TLSv1_server_method failed");
135 + fatalx(EXIT_FAILURE, "SSL_CTX_new failed");
138 - if ((ssl_ctx = SSL_CTX_new(ssl_method)) == NULL) {
139 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
140 + /* set minimum protocol TLSv1 */
141 + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
142 +#else
143 + if (SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION) != 1) {
144 ssl_debug();
145 - fatalx(EXIT_FAILURE, "SSL_CTX_new failed");
146 + fatalx(EXIT_FAILURE, "SSL_CTX_set_min_proto_version(TLS1_VERSION)");
148 +#endif
150 if (SSL_CTX_use_certificate_chain_file(ssl_ctx, certfile) != 1) {
151 ssl_debug();