Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package nsca-ng 1.5-4. It cherry-picks the OpenSSL 1.1.1 change from the 1.6 release available in experimental. unblock nsca-ng/1.5-4 Kind Regards, Bas
diff -Nru nsca-ng-1.5/debian/changelog nsca-ng-1.5/debian/changelog
--- nsca-ng-1.5/debian/changelog 2018-07-29 12:38:31.000000000 +0200
+++ nsca-ng-1.5/debian/changelog 2019-03-19 18:32:59.000000000 +0100
@@ -1,3 +1,14 @@
+nsca-ng (1.5-4) unstable; urgency=medium
+
+ * Team upload.
+ * Drop autopkgtest to test installability.
+ * Add lintian override for testsuite-autopkgtest-missing.
+ * Bump Standards-Version to 4.3.0, no changes.
+ * Add upstream patch to fix FTBFS with OpenSSL 1.1.1.
+ (closes: #900152)
+
+ -- Bas Couwenberg <sebas...@debian.org> Tue, 19 Mar 2019 18:32:59 +0100
+
 nsca-ng (1.5-3) unstable; urgency=medium
 
 * Team upload.
diff -Nru nsca-ng-1.5/debian/control nsca-ng-1.5/debian/control
--- nsca-ng-1.5/debian/control 2018-07-29 12:38:31.000000000 +0200
+++ nsca-ng-1.5/debian/control 2019-03-19 18:29:13.000000000 +0100
@@ -10,7 +10,7 @@
 libbsd-dev,
 libssl-dev,
 libsystemd-dev
-Standards-Version: 4.1.5
+Standards-Version: 4.3.0
 Vcs-Browser: https://salsa.debian.org/nagios-team/pkg-nsca-ng
 Vcs-Git: https://salsa.debian.org/nagios-team/pkg-nsca-ng.git
 Homepage: http://www.nsca-ng.org/
diff -Nru nsca-ng-1.5/debian/patches/0001-Work-around-TLSv1.3-PSK-bug-in-OpenSSL-1.1.1.patch nsca-ng-1.5/debian/patches/0001-Work-around-TLSv1.3-PSK-bug-in-OpenSSL-1.1.1.patch
--- nsca-ng-1.5/debian/patches/0001-Work-around-TLSv1.3-PSK-bug-in-OpenSSL-1.1.1.patch 1970-01-01 01:00:00.000000000 +0100
+++ nsca-ng-1.5/debian/patches/0001-Work-around-TLSv1.3-PSK-bug-in-OpenSSL-1.1.1.patch 2019-03-19 18:31:41.000000000 +0100
@@ -0,0 +1,77 @@
+Description: Work around TLSv1.3 PSK bug in OpenSSL 1.1.1
+ When TLSv1.3 is used with (at least) OpenSSL 1.1.1b, the
+ SSL_get_psk_identity(3) unexpectedly returns NULL. Work around this
+ issue be storing a copy of the PSK identity into the SSL object.
+From: Holger Weiß <hol...@weiss.in-berlin.de>
+Origin :https://github.com/weiss/nsca-ng/commit/7d9ca3413e661c0ac8a020bf674d16c3af4ebccb
+Bug: https://github.com/weiss/nsca-ng/issues/4
+Bug-Debian: https://bugs.debian.org/900152
+
+--- a/src/common/tls.c
++++ b/src/common/tls.c
+@@ -530,6 +530,8 @@ tls_free(tls_state *tls)
+ free(tls->output);
+ if (tls->addr != NULL)
+ free(tls->addr);
++ if (tls->id != NULL)
++ free(tls->id);
+ if (tls->peer != NULL)
+ free(tls->peer);
+ if (tls->ssl != NULL)
+@@ -632,7 +634,7 @@ accept_ssl_cb(EV_P_ ev_io *w, int revent
+ debug("TLS handshake with %s not (yet) successful", tls->addr);
+ check_tls_error(EV_A_ w, result);
+ } else { /* The TLS connection is established. */
+- if ((tls->id = SSL_get_psk_identity(tls->ssl)) == NULL) {
++ if ((tls->id = SSL_get_app_data(tls->ssl)) == NULL) {
+ error("Cannot retrieve client identity");
+ tls_free(tls);
+ } else {
+--- a/src/common/tls.h
++++ b/src/common/tls.h
+@@ -61,7 +61,7 @@
+ typedef struct tls_state_s {
+ /* public: */
+ void *data; /* Can freely be used by the caller. */
+- const char *id; /* Client ID (e.g., "foo"). */
++ char *id; /* Client ID (e.g., "foo"). */
+ char *addr; /* Client IP address (e.g., "192.0.2.2"). */
+ char *peer; /* Client ID and IP address (e.g., "foo@192.0.2.2"). */
+
+--- a/src/server/auth.c
++++ b/src/server/auth.c
+@@ -41,6 +41,7 @@
+ #include "log.h"
+ #include "system.h"
+ #include "util.h"
++#include "wrappers.h"
+
+ static bool match(regex_t * restrict, const char * restrict);
+
+@@ -49,8 +50,8 @@ static bool match(regex_t * restrict, co
+ */
+
+ unsigned int
+-check_psk(SSL *ssl __attribute__((__unused__)), const char *identity,
+- unsigned char *password, unsigned int max_password_len)
++check_psk(SSL *ssl, const char *identity, unsigned char *password,
++ unsigned int max_password_len)
+ {
+ cfg_t *auth;
+ const char *configured_pw;
+@@ -63,6 +64,15 @@ check_psk(SSL *ssl __attribute__((__unus
+ }
+ debug("Verifying key provided by %s", identity);
+
++ /*
++ * With (at least) OpenSSL 1.1.1b, SSL_get_psk_identity(3) returns NULL
++ * when TLSv1.3 is used. As a workaround, we store the ID ourselves:
++ */
++ if (SSL_set_app_data(ssl, xstrdup(identity)) != 1) {
++ error("Cannot store client-supplied ID (`%s')", identity);
++ return 0;
++ }
++
+ configured_pw = cfg_getstr(auth, "password");
+ password_len = MIN(strlen(configured_pw), max_password_len);
+ (void)memcpy(password, configured_pw, password_len);
diff -Nru nsca-ng-1.5/debian/patches/series nsca-ng-1.5/debian/patches/series
--- nsca-ng-1.5/debian/patches/series 2016-12-03 22:51:15.000000000 +0100
+++ nsca-ng-1.5/debian/patches/series 2019-03-19 18:31:35.000000000 +0100
@@ -1 +1,2 @@
 nsca-ng.cfg_debian_config
+0001-Work-around-TLSv1.3-PSK-bug-in-OpenSSL-1.1.1.patch
diff -Nru nsca-ng-1.5/debian/source/lintian-overrides nsca-ng-1.5/debian/source/lintian-overrides
--- nsca-ng-1.5/debian/source/lintian-overrides 2018-07-29 12:38:31.000000000 +0200
+++ nsca-ng-1.5/debian/source/lintian-overrides 2019-03-19 18:29:13.000000000 +0100
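Review bot: The heap copy made by `xstrdup(identity)` in check_psk has no owner until accept_ssl_cb moves it into `tls->id`, so a handshake that fails after the PSK callback (wrong key, dropped connection) appears to leak it, because tls_free only releases `tls->id`. The callback runs before the peer has proven knowledge of the key, so repeated failed handshakes could slowly grow the daemon's memory. Consider releasing the stored pointer in tls_free while the SSL object still exists, e.g. `if (tls->id == NULL && tls->ssl != NULL) free(SSL_get_app_data(tls->ssl));`. The `!= 1` error branch in check_psk also drops the copy; holding it in a local and freeing it there would close that path. The bodies of tls_free, accept_ssl_cb and check_psk continue outside the hunks, so confirm that no other path already frees the app data.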
@@ -1,3 +1,6 @@
 # Not available via HTTPS.
 debian-watch-uses-insecure-uri *
+# Not worth the effort
+testsuite-autopkgtest-missing
+
diff -Nru nsca-ng-1.5/debian/tests/control nsca-ng-1.5/debian/tests/control
--- nsca-ng-1.5/debian/tests/control 2018-07-29 12:38:31.000000000 +0200
+++ nsca-ng-1.5/debian/tests/control 1970-01-01 01:00:00.000000000 +0100
@@ -1,3 +0,0 @@
-# Test installability
-Depends: @
-Test-Command: /bin/true