Control: tags 828619 + patch
Control: tags 828619 + pending

Dear maintainer,
I've prepared an NMU for znc (versioned as 1.6.3-3.1) and uploaded it to DELAYED/5. Please feel free to tell me if I should delay it longer. Regards. -- WBR, wRAR
diff -Nru znc-1.6.3/debian/changelog znc-1.6.3/debian/changelog
--- znc-1.6.3/debian/changelog 2016-10-27 14:10:30.000000000 +0500
+++ znc-1.6.3/debian/changelog 2016-12-18 21:17:47.000000000 +0500
@@ -1,3 +1,17 @@
+znc (1.6.3-3.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Really fix FTBFS with openssl 1.1.0 (Closes: #828619):
+ + Fix 01-openssl-1.1 to include more upstream commits.
+ + Add 02-openssl-1.1-csocket.diff, cherry-picked from the Csocket
+ submodule.
+ + Add -DOPENSSL_NO_COMP=1 to CPPFLAGS (mimicking yet another upstream
+ commit).
+ * Add zlib1g-dev to Build-Depends, it was pulled in by libssl-dev
+ previously.
+
+ -- Andrey Rahmatullin <[email protected]> Sun, 18 Dec 2016 21:17:47 +0500
+
 znc (1.6.3-3) unstable; urgency=high
 
 * Add patch 01-openssl-1.1 to fix a FTBFS with openssl 1.1.0.
diff -Nru znc-1.6.3/debian/control znc-1.6.3/debian/control
--- znc-1.6.3/debian/control 2016-10-27 14:10:30.000000000 +0500
+++ znc-1.6.3/debian/control 2016-12-14 22:41:12.000000000 +0500
@@ -9,7 +9,8 @@
 tcl8.5-dev,
 libsasl2-dev,
 swig3.0,
- python3-dev
+ python3-dev,
+ zlib1g-dev
 Maintainer: Patrick Matthäi <[email protected]>
 Standards-Version: 3.9.8
 Homepage: http://www.znc.in/
diff -Nru znc-1.6.3/debian/patches/01-openssl-1.1.diff znc-1.6.3/debian/patches/01-openssl-1.1.diff
--- znc-1.6.3/debian/patches/01-openssl-1.1.diff 2016-10-27 14:10:30.000000000 +0500
+++ znc-1.6.3/debian/patches/01-openssl-1.1.diff 2016-12-18 21:17:47.000000000 +0500
@@ -1,9 +1,51 @@ -# Cherry pick 03775fcdc5a118eb336d80d012a140f060053ab7..b7dcac5e5f37be93c572bc581c288a5000ebc05a +# Cherry pick debfdf6c02cc922a4e5a7b42eb5b608267c34fb5..b7dcac5e5f37be93c572bc581c288a5000ebc05a # Closes: #828619 -diff -Naur znc-1.6.3.orig/src/SSLVerifyHost.cpp znc-1.6.3/src/SSLVerifyHost.cpp ---- znc-1.6.3.orig/src/SSLVerifyHost.cpp 2016-02-23 22:25:45.000000000 +0100 -+++ znc-1.6.3/src/SSLVerifyHost.cpp 2016-10-27 11:07:13.229157272 +0200 +Index: znc-1.6.3/modules/schat.cpp +=================================================================== +--- znc-1.6.3.orig/modules/schat.cpp ++++ znc-1.6.3/modules/schat.cpp +@@ -25,6 +25,12 @@ + #include <znc/User.h> + #include <znc/IRCNetwork.h> + ++#if !defined(OPENSSL_VERSION_NUMBER) || defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100007 ++/* SSL_SESSION was made opaque in OpenSSL 1.1.0, cipher accessor was added 2 weeks before the public release. ++See openssl/openssl@e92813234318635639dba0168c7ef5568757449b. */ ++# define SSL_SESSION_get0_cipher(pSession) ((pSession)->cipher) ++#endif ++ + using std::pair; + using std::stringstream; + using std::map; +@@ -226,9 +232,7 @@ public: + Table.SetCell("Host", pSock->GetRemoteIP()); + Table.SetCell("Port", CString(pSock->GetRemotePort())); + SSL_SESSION *pSession = pSock->GetSSLSession(); +- if (pSession && pSession->cipher && pSession->cipher->name) +- Table.SetCell("Cipher", pSession->cipher->name); +- ++ Table.SetCell("Cipher", SSL_CIPHER_get_name(pSession ? 
SSL_SESSION_get0_cipher(pSession) : NULL)); + } else { + Table.SetCell("Status", "Waiting"); + Table.SetCell("Port", CString(pSock->GetLocalPort())); +@@ -286,11 +290,7 @@ public: + Table.SetCell("RemoteIP:Port", pSock->GetRemoteIP() + ":" + + CString(pSock->GetRemotePort())); + SSL_SESSION *pSession = pSock->GetSSLSession(); +- if (pSession && pSession->cipher && pSession->cipher->name) +- Table.SetCell("Cipher", pSession->cipher->name); +- else +- Table.SetCell("Cipher", "None"); +- ++ Table.SetCell("Cipher", SSL_CIPHER_get_name(pSession ? SSL_SESSION_get0_cipher(pSession) : NULL)); + } else { + Table.SetCell("Type", "Listener"); + Table.SetCell("LocalIP:Port", pSock->GetLocalIP() + +Index: znc-1.6.3/src/SSLVerifyHost.cpp +=================================================================== +--- znc-1.6.3.orig/src/SSLVerifyHost.cpp ++++ znc-1.6.3/src/SSLVerifyHost.cpp @@ -17,6 +17,12 @@ #include <znc/SSLVerifyHost.h> @@ -17,7 +59,7 @@ #include <openssl/x509v3.h> -@@ -305,7 +311,7 @@ +@@ -305,7 +311,7 @@ static HostnameValidationResult matches_ int common_name_loc = -1; X509_NAME_ENTRY *common_name_entry = NULL; ASN1_STRING *common_name_asn1 = NULL; @@ -26,7 +68,7 @@ // Find the position of the CN field in the Subject field of the certificate common_name_loc = X509_NAME_get_index_by_NID(X509_get_subject_name((X509 *) server_cert), NID_commonName, -1); -@@ -324,7 +330,7 @@ +@@ -324,7 +330,7 @@ static HostnameValidationResult matches_ if (common_name_asn1 == NULL) { return Error; } @@ -35,7 +77,7 @@ // Make sure there isn't an embedded NUL character in the CN if (ASN1_STRING_length(common_name_asn1) != static_cast<int>(strlen(common_name_str))) { -@@ -369,7 +375,7 @@ +@@ -369,7 +375,7 @@ static HostnameValidationResult matches_ if (current_name->type == GEN_DNS) { // Current name is a DNS name, let's check it 
@@ -44,9 +86,10 @@ // Make sure there isn't an embedded NUL character in the DNS name if (ASN1_STRING_length(current_name->d.dNSName) != static_cast<int>(strlen(dns_name))) { -diff -Naur znc-1.6.3.orig/src/Utils.cpp znc-1.6.3/src/Utils.cpp ---- znc-1.6.3.orig/src/Utils.cpp 2016-02-23 22:25:45.000000000 +0100 -+++ znc-1.6.3/src/Utils.cpp 2016-10-27 11:07:13.233157247 +0200 +Index: znc-1.6.3/src/Utils.cpp +=================================================================== +--- znc-1.6.3.orig/src/Utils.cpp ++++ znc-1.6.3/src/Utils.cpp @@ -19,6 +19,7 @@ #include <znc/FileUtils.h> #ifdef HAVE_LIBSSL @@ -55,7 +98,7 @@ #endif /* HAVE_LIBSSL */ #include <unistd.h> -@@ -51,79 +52,68 @@ +@@ -51,79 +52,68 @@ constexpr const char* szDefaultDH2048 = "-----END DH PARAMETERS-----\n"; void CUtils::GenerateCert(FILE *pOut, const CString& sHost) { 
@@ -190,3 +233,24 @@ } #endif /* HAVE_LIBSSL */ +Index: znc-1.6.3/src/main.cpp +=================================================================== +--- znc-1.6.3.orig/src/main.cpp ++++ znc-1.6.3/src/main.cpp +@@ -17,7 +17,15 @@ + #include <znc/znc.h> + #include <signal.h> + +-#if defined(HAVE_LIBSSL) && defined(HAVE_PTHREAD) ++#if defined(HAVE_LIBSSL) && defined(HAVE_PTHREAD) && ( !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100004 ) ++/* Starting with version 1.1.0-pre4, OpenSSL has a new threading implementation that doesn't need locking callbacks. ++ "OpenSSL now uses a new threading API. It is no longer necessary to ++ set locking callbacks to use OpenSSL in a multi-threaded environment. There ++ are two supported threading models: pthreads and windows threads. It is ++ also possible to configure OpenSSL at compile time for "no-threads". The ++ old threading API should no longer be used. The functions have been ++ replaced with "no-op" compatibility macros." ++See openssl/openssl@2e52e7df518d80188c865ea3f7bb3526d14b0c08. */ + #include <znc/Threads.h> + #include <openssl/crypto.h> + #include <memory> diff -Nru znc-1.6.3/debian/patches/02-openssl-1.1-csocket.diff znc-1.6.3/debian/patches/02-openssl-1.1-csocket.diff --- znc-1.6.3/debian/patches/02-openssl-1.1-csocket.diff 1970-01-01 05:00:00.000000000 +0500 +++ znc-1.6.3/debian/patches/02-openssl-1.1-csocket.diff 2016-12-18 21:17:47.000000000 +0500 
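Review bot: The new preprocessor guard in main.cpp, `OPENSSL_VERSION_NUMBER < 0x10100004`, does not account for LibreSSL, although the sibling hunks in this upload do: the schat.cpp hunk checks `defined(LIBRESSL_VERSION_NUMBER)` before using the version number, and 02-openssl-1.1-csocket.diff notes that LibreSSL reports a deliberately high version number. If LibreSSL still relies on the locking callbacks that this block sets up (I cannot confirm that from the page), a LibreSSL build would silently skip the multi-threaded locking setup while the rest of the tree treats it as pre-1.1.0. For consistency with the schat.cpp check, use `#if defined(HAVE_LIBSSL) && defined(HAVE_PTHREAD) && ( !defined(OPENSSL_VERSION_NUMBER) || defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100004 )`. Debian links against OpenSSL, so the practical effect here is limited, but the three checks should agree. The conditional block this line opens continues outside the hunk.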
@@ -0,0 +1,480 @@ +#cherry-pick 8b6636f04272e10dd52acb9081564dfc13b56b4b..448e18a29ed383451db3cb648a72da4fcbb3f8e5 from third_party/Csocket + +diff --git a/Csocket.cpp b/Csocket.cpp +index 63cef83..276e31f 100644 +--- a/src/Csocket.cpp ++++ b/src/Csocket.cpp +@@ -45,9 +45,38 @@ + + #ifdef HAVE_LIBSSL + #include <stdio.h> ++#include <openssl/ssl.h> + #include <openssl/conf.h> + #include <openssl/engine.h> ++#ifndef OPENSSL_NO_COMP + #include <openssl/comp.h> ++#endif ++#define HAVE_ERR_REMOVE_STATE ++#define CONST_SSL_METHOD ++#ifdef OPENSSL_VERSION_NUMBER ++# if OPENSSL_VERSION_NUMBER >= 0x10000000 ++# undef HAVE_ERR_REMOVE_STATE ++# define HAVE_ERR_REMOVE_THREAD_STATE ++# undef CONST_SSL_METHOD ++# define CONST_SSL_METHOD const /* 1.0.0-pre~: openssl/openssl@4ebb342fcd90562bce999dcc0915b16f816fbbf2 */ ++# endif ++# if OPENSSL_VERSION_NUMBER < 0x10001000 ++# define OPENSSL_NO_TLS1_1 /* 1.0.1-pre~: openssl/openssl@637f374ad49d5f6d4f81d87d7cdd226428aa470c */ ++# define OPENSSL_NO_TLS1_2 /* 1.0.1-pre~: openssl/openssl@7409d7ad517650db332ae528915a570e4e0ab88b */ ++# endif ++# ifndef LIBRESSL_VERSION_NUMBER /* forked from OpenSSL 1.0.1g, sets high version "with the idea of discouraging software from relying on magic numbers for detecting features"(!) 
*/ ++# if OPENSSL_VERSION_NUMBER >= 0x10100000 ++# undef HAVE_ERR_REMOVE_THREAD_STATE /* 1.1.0-pre4: openssl/openssl@8509dcc9f319190c565ab6baad7c88d37a951d1c */ ++# undef OPENSSL_NO_SSL2 /* 1.1.0-pre4: openssl/openssl@e80381e1a3309f5d4a783bcaa508a90187a48882 */ ++# define OPENSSL_NO_SSL2 /* 1.1.0-pre1: openssl/openssl@45f55f6a5bdcec411ef08a6f8aae41d5d3d234ad */ ++# define HAVE_FLEXIBLE_TLS_METHOD /* 1.1.0-pre1: openssl/openssl@32ec41539b5b23bc42503589fcc5be65d648d1f5 */ ++# define HAVE_OPAQUE_X509 /* 1.1.0-pre1: openssl/openssl@2c81e476fab0e3e0b6140652b4577bf6f3b827be */ ++# define HAVE_OPAQUE_EVP_PKEY /* 1.1.0-pre3: openssl/openssl@3aeb93486588e7dd01379c50b8fd496d55cf8858 */ ++# define HAVE_OPAQUE_RSA /* 1.1.0-pre5: openssl/openssl@9862e9aa98ee1e38fbcef8d1dd5db0e750eb5e8d */ ++# define HAVE_OPAQUE_DSA /* 1.1.0-pre5: openssl/openssl@1258396d73cf937e4daaf2c35377011b9366f956 */ ++# endif ++# endif /* LIBRESSL_VERSION_NUMBER */ ++#endif /* OPENSSL_VERSION_NUMBER */ + #endif /* HAVE_LIBSSL */ + + #ifdef HAVE_ICU +@@ -530,9 +559,17 @@ bool InitCsocket() + void ShutdownCsocket() + { + #ifdef HAVE_LIBSSL ++#if defined( HAVE_ERR_REMOVE_THREAD_STATE ) ++ ERR_remove_thread_state( NULL ); ++#elif defined( HAVE_ERR_REMOVE_STATE ) + ERR_remove_state( 0 ); ++#endif ++#ifndef OPENSSL_NO_ENGINE + ENGINE_cleanup(); ++#endif ++#ifndef OPENSSL_IS_BORINGSSL + CONF_modules_unload( 1 ); ++#endif + ERR_free_strings(); + EVP_cleanup(); + CRYPTO_cleanup_all_ex_data(); +@@ -573,6 +610,7 @@ bool InitSSL( ECompType eCompressionType ) + } + #endif /* _WIN32 */ + ++#ifndef OPENSSL_NO_COMP + COMP_METHOD *cm = NULL; + + if( CT_ZLIB & eCompressionType ) +@@ -588,6 +626,7 @@ bool InitSSL( ECompType eCompressionType ) + if( cm ) + SSL_COMP_add_compression_method( CT_RLE, cm ); + } ++#endif + + // setting this up once in the begining + s_iCsockSSLIdx = SSL_get_ex_new_index( 0, NULL, NULL, NULL, NULL ); +@@ -1463,73 +1502,88 @@ bool Csock::SSLClientSetup() + } + #endif /* _WIN64 */ + ++ 
CONST_SSL_METHOD SSL_METHOD * (*pMethod)() = NULL; ++ const char * pMethodName = NULL; ++ ++#ifdef HAVE_FLEXIBLE_TLS_METHOD ++ int iProtoVersion = 0; ++ pMethod = TLS_client_method; ++ pMethodName = "TLS_client_method"; ++#else ++ pMethod = SSLv23_client_method; ++ pMethodName = "SSLv23_client_method"; ++#endif /* HAVE_FLEXIBLE_TLS_METHOD */ ++ + switch( m_iMethod ) + { +-#ifndef OPENSSL_NO_SSL3 +- case SSL3: +- m_ssl_ctx = SSL_CTX_new( SSLv3_client_method() ); +- if( !m_ssl_ctx ) +- { +- CS_DEBUG( "WARNING: MakeConnection .... SSLv3_client_method failed!" ); +- return( false ); +- } +- break; +-#endif /* OPENSSL_NO_SSL3 */ +- /* Fall through if SSL3 is disabled */ ++ case SSL23: ++ break; // defaults already set above, anything else can either match a case or fall through and use defaults anyway ++#ifndef OPENSSL_NO_TLS1_2 + case TLS12: +-#if defined( TLS1_2_VERSION ) && defined( OPENSSL_VERSION_NUMBER ) && OPENSSL_VERSION_NUMBER >= 0x1000100f +- m_ssl_ctx = SSL_CTX_new( TLSv1_2_client_method() ); +- if( !m_ssl_ctx ) +- { +- CS_DEBUG( "WARNING: MakeConnection .... TLSv1_2_client_method failed!" ); +- return( false ); +- } ++# ifdef HAVE_FLEXIBLE_TLS_METHOD ++ iProtoVersion = TLS1_2_VERSION; ++# else ++ pMethod = TLSv1_2_client_method; ++ pMethodName = "TLSv1_2_client_method"; ++# endif /* HAVE_FLEXIBLE_TLS_METHOD */ + break; +-#endif /* TLS1_2_VERSION */ ++#endif /* OPENSSL_NO_TLS1_2 */ ++#ifndef OPENSSL_NO_TLS1_1 + case TLS11: +-#if defined( TLS1_1_VERSION ) && defined( OPENSSL_VERSION_NUMBER ) && OPENSSL_VERSION_NUMBER >= 0x1000100f +- m_ssl_ctx = SSL_CTX_new( TLSv1_1_client_method() ); +- if( !m_ssl_ctx ) +- { +- CS_DEBUG( "WARNING: MakeConnection .... TLSv1_1_client_method failed!" 
); +- return( false ); +- } ++# ifdef HAVE_FLEXIBLE_TLS_METHOD ++ iProtoVersion = TLS1_1_VERSION; ++# else ++ pMethod = TLSv1_1_client_method; ++ pMethodName = "TLSv1_1_client_method"; ++# endif /* HAVE_FLEXIBLE_TLS_METHOD */ + break; +-#endif /* TLS1_1_VERSION */ ++#endif /* OPENSSL_NO_TLS1_1 */ ++#ifndef OPENSSL_NO_TLS1 + case TLS1: +- m_ssl_ctx = SSL_CTX_new( TLSv1_client_method() ); +- if( !m_ssl_ctx ) +- { +- CS_DEBUG( "WARNING: MakeConnection .... TLSv1_client_method failed!" ); +- return( false ); +- } ++# ifdef HAVE_FLEXIBLE_TLS_METHOD ++ iProtoVersion = TLS1_VERSION; ++# else ++ pMethod = TLSv1_client_method; ++ pMethodName = "TLSv1_client_method"; ++# endif /* HAVE_FLEXIBLE_TLS_METHOD */ + break; +- case SSL2: ++#endif /* OPENSSL_NO_TLS1 */ ++#ifndef OPENSSL_NO_SSL3 ++ case SSL3: ++# ifdef HAVE_FLEXIBLE_TLS_METHOD ++ iProtoVersion = SSL3_VERSION; ++# else ++ pMethod = SSLv3_client_method; ++ pMethodName = "SSLv3_client_method"; ++# endif /* HAVE_FLEXIBLE_TLS_METHOD */ ++ break; ++#endif /* OPENSSL_NO_SSL3 */ + #ifndef OPENSSL_NO_SSL2 +- m_ssl_ctx = SSL_CTX_new( SSLv2_client_method() ); +- if( !m_ssl_ctx ) +- { +- CS_DEBUG( "WARNING: MakeConnection .... SSLv2_client_method failed!" ); +- return( false ); +- } ++ case SSL2: ++ pMethod = SSLv2_client_method; ++ pMethodName = "SSLv2_client_method"; + break; + #endif /* OPENSSL_NO_SSL2 */ +- /* Fall through if SSL2 is disabled */ +- case SSL23: + default: +- if( m_iMethod != SSL23 ) +- { +- CS_DEBUG( "WARNING: SSL Client Method other than SSLv23 specified, but has passed through" ); +- } +- m_ssl_ctx = SSL_CTX_new( SSLv23_client_method() ); +- if( !m_ssl_ctx ) +- { +- CS_DEBUG( "WARNING: MakeConnection .... SSLv23_client_method failed!" ); +- return( false ); +- } ++ CS_DEBUG( "WARNING: SSL Client Method other than SSLv23 specified, but has passed through" ); + break; + } + ++ m_ssl_ctx = SSL_CTX_new( pMethod() ); ++ if( !m_ssl_ctx ) ++ { ++ CS_DEBUG( "WARNING: MakeConnection .... 
" << pMethodName << " failed!" ); ++ return( false ); ++ } ++ ++#ifdef HAVE_FLEXIBLE_TLS_METHOD ++ if( iProtoVersion ) ++ { ++ SSL_CTX_set_min_proto_version( m_ssl_ctx, iProtoVersion ); ++ SSL_CTX_set_max_proto_version( m_ssl_ctx, iProtoVersion ); ++ } ++#endif /* HAVE_FLEXIBLE_TLS_METHOD */ ++ + SSL_CTX_set_default_verify_paths( m_ssl_ctx ); + + if( !m_sPemFile.empty() ) +@@ -1588,78 +1642,88 @@ bool Csock::SSLClientSetup() + SSL_CTX * Csock::SetupServerCTX() + { + SSL_CTX * pCTX = NULL; ++ CONST_SSL_METHOD SSL_METHOD * (*pMethod)() = NULL; ++ const char * pMethodName = NULL; ++ ++#ifdef HAVE_FLEXIBLE_TLS_METHOD ++ int iProtoVersion = 0; ++ pMethod = TLS_server_method; ++ pMethodName = "TLS_server_method"; ++#else ++ pMethod = SSLv23_server_method; ++ pMethodName = "SSLv23_server_method"; ++#endif /* HAVE_FLEXIBLE_TLS_METHOD */ ++ + switch( m_iMethod ) + { +-#ifndef OPENSSL_NO_SSL3 +- case SSL3: +- pCTX = SSL_CTX_new( SSLv3_server_method() ); +- if( !pCTX ) +- { +- CS_DEBUG( "WARNING: MakeConnection .... SSLv3_server_method failed!" ); +- return( NULL ); +- } +- break; +-#endif /* OPENSSL_NO_SSL3 */ +- /* Fall through if SSL3 is disabled */ ++ case SSL23: ++ break; // defaults already set above, anything else can either match a case or fall through and use defaults anyway ++#ifndef OPENSSL_NO_TLS1_2 + case TLS12: +-#if defined( TLS1_2_VERSION ) && defined( OPENSSL_VERSION_NUMBER ) && OPENSSL_VERSION_NUMBER >= 0x1000100f +- pCTX = SSL_CTX_new( TLSv1_2_server_method() ); +- if( !pCTX ) +- { +- CS_DEBUG( "WARNING: MakeConnection .... TLSv1_2_server_method failed!" 
); +- return( NULL ); +- } ++# ifdef HAVE_FLEXIBLE_TLS_METHOD ++ iProtoVersion = TLS1_2_VERSION; ++# else ++ pMethod = TLSv1_2_server_method; ++ pMethodName = "TLSv1_2_server_method"; ++# endif /* HAVE_FLEXIBLE_TLS_METHOD */ + break; +-#endif /* TLS1_2_VERSION */ ++#endif /* OPENSSL_NO_TLS1_2 */ ++#ifndef OPENSSL_NO_TLS1_1 + case TLS11: +-#if defined( TLS1_1_VERSION ) && defined( OPENSSL_VERSION_NUMBER ) && OPENSSL_VERSION_NUMBER >= 0x1000100f +- pCTX = SSL_CTX_new( TLSv1_1_server_method() ); +- if( !pCTX ) +- { +- CS_DEBUG( "WARNING: MakeConnection .... TLSv1_1_server_method failed!" ); +- return( NULL ); +- } ++# ifdef HAVE_FLEXIBLE_TLS_METHOD ++ iProtoVersion = TLS1_1_VERSION; ++# else ++ pMethod = TLSv1_1_server_method; ++ pMethodName = "TLSv1_1_server_method"; ++# endif /* HAVE_FLEXIBLE_TLS_METHOD */ + break; ++#endif /* OPENSSL_NO_TLS1_1 */ ++#ifndef OPENSSL_NO_TLS1 + case TLS1: +-#endif /* TLS1_1_VERSION */ +- pCTX = SSL_CTX_new( TLSv1_server_method() ); +- if( !pCTX ) +- { +- CS_DEBUG( "WARNING: MakeConnection .... TLSv1_server_method failed!" ); +- return( NULL ); +- } ++# ifdef HAVE_FLEXIBLE_TLS_METHOD ++ iProtoVersion = TLS1_VERSION; ++# else ++ pMethod = TLSv1_server_method; ++ pMethodName = "TLSv1_server_method"; ++# endif /* HAVE_FLEXIBLE_TLS_METHOD */ + break; +- case SSL2: ++#endif /* OPENSSL_NO_TLS1 */ ++#ifndef OPENSSL_NO_SSL3 ++ case SSL3: ++# ifdef HAVE_FLEXIBLE_TLS_METHOD ++ iProtoVersion = SSL3_VERSION; ++# else ++ pMethod = SSLv3_server_method; ++ pMethodName = "SSLv3_server_method"; ++# endif /* HAVE_FLEXIBLE_TLS_METHOD */ ++ break; ++#endif /* OPENSSL_NO_SSL3 */ + #ifndef OPENSSL_NO_SSL2 +- pCTX = SSL_CTX_new( SSLv2_server_method() ); +- if( !pCTX ) +- { +- CS_DEBUG( "WARNING: MakeConnection .... SSLv2_server_method failed!" 
); +- return( NULL ); +- } ++ case SSL2: ++ pMethod = SSLv2_server_method; ++ pMethodName = "SSLv2_server_method"; + break; + #endif /* OPENSSL_NO_SSL2 */ +- /* Fall through if SSL2 is disabled */ +- case SSL23: + default: +- if( m_iMethod != SSL23 ) +- { +- CS_DEBUG( "WARNING: SSL Server Method other than SSLv23 specified, but has passed through" ); +- } +- pCTX = SSL_CTX_new( SSLv23_server_method() ); +- if( !pCTX ) +- { +- CS_DEBUG( "WARNING: MakeConnection .... SSLv23_server_method failed!" ); +- return( NULL ); +- } ++ CS_DEBUG( "WARNING: SSL Server Method other than SSLv23 specified, but has passed through" ); + break; + } ++ ++ pCTX = SSL_CTX_new( pMethod() ); + if( !pCTX ) + { +- CS_DEBUG( "ERROR: NULL Ptr where there shouldn't be" ); ++ CS_DEBUG( "WARNING: MakeConnection .... " << pMethodName << " failed!" ); + return( NULL ); + } + ++#ifdef HAVE_FLEXIBLE_TLS_METHOD ++ if( iProtoVersion ) ++ { ++ SSL_CTX_set_min_proto_version( pCTX, iProtoVersion ); ++ SSL_CTX_set_max_proto_version( pCTX, iProtoVersion ); ++ } ++#endif /* HAVE_FLEXIBLE_TLS_METHOD */ ++ + SSL_CTX_set_default_verify_paths( pCTX ); + + // set the pemfile password +@@ -1724,6 +1788,8 @@ SSL_CTX * Csock::SetupServerCTX() + #ifndef OPENSSL_NO_ECDH + // Errors for the following block are non-fatal (ECDHE is nice to have + // but not a requirement) ++#ifndef OPENSSL_IS_BORINGSSL ++ // BoringSSL does this thing automatically + #if defined( SSL_CTX_set_ecdh_auto ) + // Auto-select sensible curve + if( !SSL_CTX_set_ecdh_auto( pCTX , 1 ) ) +@@ -1742,6 +1808,7 @@ SSL_CTX * Csock::SetupServerCTX() + ERR_clear_error(); + } + #endif /* SSL_CTX_set_tmp_ecdh */ ++#endif /* !OPENSSL_IS_BORINGSSL */ + #endif /* OPENSSL_NO_ECDH */ + + if( !ConfigureCTXOptions( pCTX ) ) +@@ -2611,39 +2678,56 @@ CS_STRING Csock::GetPeerPubKey() const + { + CS_STRING sKey; + +- SSL_SESSION * pSession = GetSSLSession(); ++ X509 * pCert = GetX509(); + +- if( pSession && pSession->peer ) ++ if( pCert ) + { +- EVP_PKEY * pKey = 
X509_get_pubkey( pSession->peer ); ++ EVP_PKEY * pKey = X509_get_pubkey( pCert ); + if( pKey ) + { +- char *hxKey = NULL; +- switch( pKey->type ) ++ const BIGNUM * pPubKey = NULL; ++#ifdef HAVE_OPAQUE_EVP_PKEY ++ int iType = EVP_PKEY_base_id( pKey ); ++#else ++ int iType = pKey->type; ++#endif /* HAVE_OPAQUE_EVP_PKEY */ ++ switch( iType ) + { ++#ifndef OPENSSL_NO_RSA + case EVP_PKEY_RSA: +- { +- hxKey = BN_bn2hex( pKey->pkey.rsa->n ); ++# ifdef HAVE_OPAQUE_RSA ++ RSA_get0_key( EVP_PKEY_get0_RSA( pKey ), &pPubKey, NULL, NULL ); ++# elif defined( HAVE_OPAQUE_EVP_PKEY ) ++ pPubKey = EVP_PKEY_get0_RSA( pKey )->n; ++# else ++ pPubKey = pKey->pkey.rsa->n; ++# endif /* HAVE_OPAQUE_RSA */ + break; +- } ++#endif /* OPENSSL_NO_RSA */ ++#ifndef OPENSSL_NO_DSA + case EVP_PKEY_DSA: +- { +- hxKey = BN_bn2hex( pKey->pkey.dsa->pub_key ); ++# ifdef HAVE_OPAQUE_DSA ++ DSA_get0_key( EVP_PKEY_get0_DSA( pKey ), &pPubKey, NULL ); ++# elif defined( HAVE_OPAQUE_EVP_PKEY ) ++ pPubKey = EVP_PKEY_get0_DSA( pKey )->pub_key; ++# else ++ pPubKey = pKey->pkey.dsa->pub_key; ++# endif /* HAVE_OPAQUE_DSA */ + break; +- } ++#endif /* OPENSSL_NO_DSA */ + default: +- { +- CS_DEBUG( "Not Prepared for Public Key Type [" << pKey->type << "]" ); ++ CS_DEBUG( "Not Prepared for Public Key Type [" << iType << "]" ); + break; + } +- } +- if( hxKey ) ++ if( pPubKey ) + { ++ char *hxKey = BN_bn2hex( pPubKey ); + sKey = hxKey; + OPENSSL_free( hxKey ); + } + EVP_PKEY_free( pKey ); + } ++ X509_free( pCert ); + } + return( sKey ); + } +@@ -2657,17 +2741,25 @@ long Csock::GetPeerFingerprint( CS_STRING & sFP ) const + + X509 * pCert = GetX509(); + ++#ifdef HAVE_OPAQUE_X509 ++ unsigned char sha1_hash[SHA_DIGEST_LENGTH]; ++ ++ if( pCert && X509_digest( pCert, EVP_sha1(), sha1_hash, NULL ) ) ++#else ++ unsigned char * sha1_hash = NULL; ++ + // Inspired by charybdis +- if( pCert ) ++ if( pCert && (sha1_hash = pCert->sha1_hash) ) ++#endif /* HAVE_OPAQUE_X509 */ + { + for( int i = 0; i < SHA_DIGEST_LENGTH; i++ ) + { + char 
buf[3];
+- snprintf( buf, 3, "%02x", pCert->sha1_hash[i] );
++ snprintf( buf, 3, "%02x", sha1_hash[i] );
+ sFP += buf;
+ }
+- X509_free( pCert );
+ }
++ X509_free( pCert );
+ 
+ return( SSL_get_verify_result( m_ssl ) );
+ }
diff -Nru znc-1.6.3/debian/patches/series znc-1.6.3/debian/patches/series
--- znc-1.6.3/debian/patches/series 2016-10-27 14:10:30.000000000 +0500
+++ znc-1.6.3/debian/patches/series 2016-12-18 21:17:47.000000000 +0500
@@ -1 +1,2 @@
 01-openssl-1.1.diff
+02-openssl-1.1-csocket.diff
diff -Nru znc-1.6.3/debian/rules znc-1.6.3/debian/rules
--- znc-1.6.3/debian/rules 2016-10-27 14:10:30.000000000 +0500
+++ znc-1.6.3/debian/rules 2016-12-18 21:17:47.000000000 +0500
@@ -3,6 +3,9 @@
 export DEB_BUILD_MAINT_OPTIONS = hardening=+all,-pie
 export DEB_BUILD_OPTIONS+=nocheck
 
+# the same as the upstream commit 1a897403350b5fd51b415a02b15b2f92d0afd65a
+export DEB_CPPFLAGS_MAINT_APPEND=-DOPENSSL_NO_COMP=1
+
 DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
 DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
 DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
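Review bot: In the new `if( iProtoVersion )` blocks of SSLClientSetup and SetupServerCTX the return values of `SSL_CTX_set_min_proto_version` and `SSL_CTX_set_max_proto_version` are discarded, so when a caller asked for one specific version (TLS12, TLS11, TLS1 or SSL3) and either call fails, the context silently keeps the TLS_client_method/TLS_server_method defaults and the handshake may negotiate a version the caller meant to exclude. Both functions return 0 on failure; that case should be handled like the `SSL_CTX_new` failure a few lines above, freeing the context and returning false (client) or NULL (server). The client-side rewrite is below; SetupServerCTX needs the same with `pCTX` and `return( NULL )`. Both functions begin and end outside the quoted inner hunks.
```cpp
#ifdef HAVE_FLEXIBLE_TLS_METHOD
	if( iProtoVersion )
	{
		if( !SSL_CTX_set_min_proto_version( m_ssl_ctx, iProtoVersion )
			|| !SSL_CTX_set_max_proto_version( m_ssl_ctx, iProtoVersion ) )
		{
			CS_DEBUG( "WARNING: MakeConnection .... failed to restrict protocol version!" );
			SSL_CTX_free( m_ssl_ctx );
			m_ssl_ctx = NULL;
			return( false );
		}
	}
#endif /* HAVE_FLEXIBLE_TLS_METHOD */
	// … unchanged: SSL_CTX_set_default_verify_paths and the rest of SSLClientSetup …
```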
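Review bot: The comment above the new `DEB_CPPFLAGS_MAINT_APPEND` line only names an upstream commit and does not say what `-DOPENSSL_NO_COMP=1` does in this package. From the Csocket patch above, the define compiles out the `#include <openssl/comp.h>` and the `SSL_COMP_add_compression_method` block in InitSSL, i.e. znc stops registering zlib/rle TLS compression methods; it says nothing about what the linked libssl itself supports, which is worth being explicit about so nobody reads it as "compression disabled in OpenSSL". Suggest `# -DOPENSSL_NO_COMP=1: compile out Csocket's TLS compression setup (comp.h, SSL_COMP_add_compression_method); same as upstream commit 1a897403350b5fd51b415a02b15b2f92d0afd65a`.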

