Hello community, here is the log from the commit of package qpid-proton for openSUSE:Factory checked in at 2017-09-25 13:49:33 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/qpid-proton (Old) and /work/SRC/openSUSE:Factory/.qpid-proton.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "qpid-proton" Mon Sep 25 13:49:33 2017 rev:10 rq:528227 version:0.17.0 Changes: -------- --- /work/SRC/openSUSE:Factory/qpid-proton/qpid-proton.changes 2017-08-24 18:05:42.311987387 +0200 +++ /work/SRC/openSUSE:Factory/.qpid-proton.new/qpid-proton.changes 2017-09-25 13:49:37.805449093 +0200 @@ -1,0 +2,9 @@ +Thu Aug 24 11:14:18 UTC 2017 - [email protected] + +- Modify openssl DH code to work with openssl 1.1.0 + * Added patch qpid-proton-fix-dh-openssl-1.1.0.patch + +- Rework Openssl session resume code to work with openssl 1.1.0 + * Added patch qpid-proton-fix-session-resume-openssl-1.1.0.patch + +------------------------------------------------------------------- New: ---- qpid-proton-fix-dh-openssl-1.1.0.patch qpid-proton-fix-session-resume-openssl-1.1.0.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ qpid-proton.spec ++++++ --- /var/tmp/diff_new_pack.4VctPh/_old 2017-09-25 13:49:38.553343874 +0200 +++ /var/tmp/diff_new_pack.4VctPh/_new 2017-09-25 13:49:38.557343312 +0200 @@ -28,6 +28,10 @@ Patch101: qpid-proton-cmake-fixes.patch Patch102: qpid-proton-0.9-pthread.patch Patch103: qpid-proton-0.16.0-gcc7.patch +# PATCH-FIX-UPSTREAM - qpid-proton-fix-dh-openssl-1.1.0.patch - Modify openssl DH code to work with openssl 1.1 +Patch104: qpid-proton-fix-dh-openssl-1.1.0.patch +# PATCH-FIX-UPSTREAM - qpid-proton-fix-session-resume-openssl-1.1.0.patch - Rework Openssl session resume code to work with openssl 1.1 +Patch105: qpid-proton-fix-session-resume-openssl-1.1.0.patch BuildRequires: cmake BuildRequires: doxygen BuildRequires: epydoc @@ -44,7 +48,6 @@ BuildRequires: perl(ExtUtils::MakeMaker) BuildRequires: perl(Test::Exception) BuildRequires: perl(Test::More) -BuildRoot: %{_tmppath}/%{name}-%{version}-build %description Proton is a high performance, lightweight messaging library. It can be used in 
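Review bot: Patch104 and Patch105 are declared in this hunk, but no hunk of the spec diff touches %prep, so the two OpenSSL 1.1 patches are only applied if the spec already uses `%autosetup` or `%autopatch`, which is not visible here. If %prep lists patches one by one, it needs `%patch104 -p1` and `%patch105 -p1`; otherwise the package would still build the unpatched openssl.c.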
@@ -91,11 +94,11 @@ %package devel-doc Summary: Documentation for the C development libraries for Qpid Proton Group: Documentation/Other +Provides: %{name} = %{version} +Obsoletes: %{name} < %{version} %if 0%{?suse_version} >= 1120 BuildArch: noarch %endif -Provides: %{name} = %{version} -Obsoletes: %{name} < %{version} %description devel-doc Proton is a high performance, lightweight messaging library. It can be used in @@ -108,13 +111,13 @@ Summary: Python language bindings for the Qpid Proton messaging framework Group: Development/Libraries/Python Requires: libqpid-proton%{qpid_proton_soversion} = %{version}-%{release} -Requires: python = %python2_version +Requires: python = %{python2_version} # NOTE: the name on pypi for the package is python-qpid-proton so the name # for the RPM package should be python-python-qpid-proton (python-$pypi_name) -Provides: python-qpid-proton = %version -Obsoletes: python-qpid-proton < %version +Provides: python-qpid-proton = %{version} +Obsoletes: python-qpid-proton < %{version} # as long as python2 is the default, provide also the non-versioned python pkg -Provides: python-python-qpid-proton = %version +Provides: python-python-qpid-proton = %{version} %description -n python2-python-qpid-proton Proton is a high performance, lightweight messaging library. It can be used in @@ -130,8 +133,8 @@ Requires: python = %{python3_version} # NOTE: the name on pypi for the package is python-qpid-proton so the name # for the RPM package should be python-python-qpid-proton (python-$pypi_name) -Provides: python3-qpid-proton = %version -Obsoletes: python3-qpid-proton < %version +Provides: python3-qpid-proton = %{version} +Obsoletes: python3-qpid-proton < %{version} %description -n python3-python-qpid-proton Proton is a high performance, lightweight messaging library. It can be used in 
@@ -142,16 +145,16 @@ %package -n python-python-qpid-proton-doc Summary: Documentation for the Python language bindings for Qpid Proton -Group: Documentation/Other -%if 0%{?suse_version} >= 1120 -BuildArch: noarch -%endif # NOTE: the name on pypi for the package is python-qpid-proton so the name # for the RPM package should be python-python-qpid-proton (python-$pypi_name) -Provides: python-qpid-proton-doc = %version -Obsoletes: python-qpid-proton-doc < %version +Group: Documentation/Other +Provides: python-qpid-proton-doc = %{version} +Obsoletes: python-qpid-proton-doc < %{version} # provide documentation for python2 and python3 Provides: %{python_module python-python-qpid-proton-doc} +%if 0%{?suse_version} >= 1120 +BuildArch: noarch +%endif %description -n python-python-qpid-proton-doc Proton is a high performance, lightweight messaging library. It can be used in @@ -210,16 +213,13 @@ %postun -n libqpid-proton-cpp%{qpid_proton_soversion} -p /sbin/ldconfig %files -n libqpid-proton%{qpid_proton_soversion} -%defattr(-,root,root) %{_libdir}/libqpid-proton.so.* %{_libdir}/libqpid-proton-core.so.* %files -n libqpid-proton-cpp%{qpid_proton_soversion} -%defattr(-,root,root) %{_libdir}/libqpid-proton-cpp.so.* %files devel -%defattr(-,root,root) %{_includedir}/proton %{_libdir}/libqpid-proton.so %{_libdir}/libqpid-proton-core.so @@ -233,7 +233,6 @@ %{_libdir}/cmake/ProtonCpp/*.cmake %files devel-doc -%defattr(-,root,root) %dir %{_datadir}/proton-%{version} %doc %{_datadir}/proton-%{version}/LICENSE %doc %{_datadir}/proton-%{version}/README.md 
@@ -243,26 +242,22 @@ %{_docdir}/%{name}/api-cpp %files -n python2-python-qpid-proton -%defattr(-,root,root) %{python2_sitearch}/*_cproton.so %{python2_sitearch}/cproton.* %{python2_sitearch}/proton %{python2_sitearch}/python_qpid_proton-%{version}-py*.egg-info %files -n python3-python-qpid-proton -%defattr(-,root,root) %{python3_sitearch}/*_cproton*.so %{python3_sitearch}/cproton.* %{python3_sitearch}/proton %{python3_sitearch}/python_qpid_proton-%{version}-py*.egg-info %files -n python-python-qpid-proton-doc -%defattr(-,root,root) %dir %{_docdir}/%{name} %{_docdir}/%{name}/api-py %files -n perl-qpid-proton -%defattr(-,root,root) %{perl_vendorarch}/* %changelog ++++++ qpid-proton-fix-dh-openssl-1.1.0.patch ++++++ >From bc872440428073e86ce2631276dc8b7f62da4c33 Mon Sep 17 00:00:00 2001 From: Andrew Stitcher <[email protected]> Date: Tue, 17 Jan 2017 02:10:48 -0500 Subject: [PATCH] PROTON-1381, PROTON-1326: Modify openssl DH code to work with openssl 1.1 Modified patch from Volker Diels-Grabsch --- proton-c/src/ssl/openssl.c | 37 +++++++++++++++++++++++++++---------- 1 file changed, 27 insertions(+), 10 deletions(-) diff --git a/proton-c/src/ssl/openssl.c b/proton-c/src/ssl/openssl.c index 0b7d157ea..0c51c0363 100644 --- a/proton-c/src/ssl/openssl.c +++ b/proton-c/src/ssl/openssl.c @@ -356,12 +356,22 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) return preverify_ok; } +// This was introduced in v1.1 +#if OPENSSL_VERSION_NUMBER < 0x10100000 +int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) +{ + dh->p = p; + dh->q = q; + dh->g = g; + return 1; +} +#endif // this code was generated using the command: // "openssl dhparam -C -2 2048" static DH *get_dh2048(void) { - static const unsigned char dh2048_p[]={ + static const unsigned char dhp_2048[]={ 0xAE,0xF7,0xE9,0x66,0x26,0x7A,0xAC,0x0A,0x6F,0x1E,0xCD,0x81, 0xBD,0x0A,0x10,0x7E,0xFA,0x2C,0xF5,0x2D,0x98,0xD4,0xE7,0xD9, 0xE4,0x04,0x8B,0x06,0x85,0xF2,0x0B,0xA3,0x90,0x15,0x56,0x0C, 
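Review bot: The compatibility `DH_set0_pqg` added under `#if OPENSSL_VERSION_NUMBER < 0x10100000` has external linkage, so a library built against 1.0 headers exports a symbol with the same name as the OpenSSL 1.1 function; declaring it `static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)` keeps it private to openssl.c. The shim also overwrites `dh->p`, `dh->q` and `dh->g` without freeing earlier values and always returns 1, which differs from the 1.1 function. That is harmless for the freshly created DH in get_dh2048, but a comment such as `// Minimal shim: only valid on a newly allocated DH; takes ownership of p, q and g` would stop it being reused elsewhere. get_dh2048's body continues outside this hunk.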
@@ -385,17 +395,24 @@ static DH *get_dh2048(void) 0xA4,0xED,0xFD,0x49,0x0B,0xE3,0x4A,0xF6,0x28,0xB3,0x98,0xB0, 0x23,0x1C,0x09,0x33, }; - static const unsigned char dh2048_g[]={ + static const unsigned char dhg_2048[]={ 0x02, }; - DH *dh; - - if ((dh=DH_new()) == NULL) return(NULL); - dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); - dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); - if ((dh->p == NULL) || (dh->g == NULL)) - { DH_free(dh); return(NULL); } - return(dh); + DH *dh = DH_new(); + BIGNUM *dhp_bn, *dhg_bn; + + if (dh == NULL) + return NULL; + dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL); + dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL); + if (dhp_bn == NULL || dhg_bn == NULL + || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { + DH_free(dh); + BN_free(dhp_bn); + BN_free(dhg_bn); + return NULL; + } + return dh; } typedef struct { ++++++ qpid-proton-fix-session-resume-openssl-1.1.0.patch ++++++ >From 5c885661aabfe6e554422bb5f342b8113cf6bbbf Mon Sep 17 00:00:00 2001 From: Andrew Stitcher <[email protected]> Date: Fri, 21 Jul 2017 19:15:45 -0400 Subject: [PATCH] PROTON-1326: Rework Openssl session resume code to work with openssl 1.1 --- proton-c/src/ssl/openssl.c | 96 ++++++++++++++++++++++------------------------ 1 file changed, 45 insertions(+), 51 deletions(-) diff --git a/proton-c/src/ssl/openssl.c b/proton-c/src/ssl/openssl.c index 0c51c0363..8cb4e7bef 100644 --- a/proton-c/src/ssl/openssl.c +++ b/proton-c/src/ssl/openssl.c @@ -51,7 +51,6 @@ #include <fcntl.h> #include <assert.h> - /** @file * SSL/TLS support API. * @@ -60,7 +59,6 @@ static int ssl_initialized; static int ssl_ex_data_index; -static int ssl_session_ex_data_index; typedef struct pn_ssl_session_t pn_ssl_session_t; 
@@ -416,40 +414,55 @@ static DH *get_dh2048(void) } typedef struct { - const char *id; + char *id; SSL_SESSION *session; -} ssl_cache_visit_data; - -static void SSL_SESSION_cache_visitor(SSL_SESSION *session, ssl_cache_visit_data *data) -{ - const char *cached_id = (const char*)SSL_SESSION_get_ex_data(session, ssl_session_ex_data_index); - if (!cached_id) return; - - if ( strcmp(cached_id, data->id)==0 ) { - data->session = session; - } -} - -static void SSL_SESSION_visit_caster(void *s, void * d) { - SSL_SESSION_cache_visitor((SSL_SESSION*) s, (ssl_cache_visit_data*) d); -} +} ssl_cache_data; -static SSL_SESSION *ssn_cache_find( pn_ssl_domain_t *domain, const char *id ) -{ - if (!id) return NULL; +#define SSL_CACHE_SIZE 4 +static int ssl_cache_ptr = 0; +static ssl_cache_data ssl_cache[SSL_CACHE_SIZE]; - ssl_cache_visit_data visitor = {id, NULL}; - lh_SSL_SESSION_doall_arg(SSL_CTX_sessions(domain->ctx), &SSL_SESSION_visit_caster, ssl_cache_visit_data, &visitor); - return visitor.session; +static void ssn_init(void) { + ssl_cache_data s = {NULL, NULL}; + for (int i=0; i<SSL_CACHE_SIZE; i++) { + ssl_cache[i] = s; + } } -// Set up/tear down ssl session ex data -int ssl_session_ex_data_init(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx, long argl, void *argp) { - return CRYPTO_set_ex_data(ad, idx, NULL); +static void ssn_restore(pn_transport_t *transport, pni_ssl_t *ssl) { + if (!ssl->session_id) return; + for (int i = ssl_cache_ptr;;) { + i = (i==0) ? 
SSL_CACHE_SIZE-1 : i-1; + if (ssl_cache[i].id == NULL) return; + if (strcmp(ssl_cache[i].id, ssl->session_id) == 0) { + ssl_log( transport, "Restoring previous session id=%s", ssl->session_id ); + int rc = SSL_set_session( ssl->ssl, ssl_cache[i].session ); + if (rc != 1) { + ssl_log( transport, "Session restore failed, id=%s", ssl->session_id ); + } + return; + } + if (i == ssl_cache_ptr) return; + } } -void ssl_session_ex_data_fini(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx, long argl, void *argp) { - free(CRYPTO_get_ex_data(ad, idx)); +static void ssn_save(pn_transport_t *transport, pni_ssl_t *ssl) { + if (ssl->session_id) { + // Attach the session id to the session before we close the connection + // So that if we find it in the cache later we can figure out the session id + SSL_SESSION *session = SSL_get1_session( ssl->ssl ); + if (session) { + ssl_log(transport, "Saving SSL session as %s", ssl->session_id ); + // If we're overwriting a value, need to free it + free(ssl_cache[ssl_cache_ptr].id); + if (ssl_cache[ssl_cache_ptr].session) SSL_SESSION_free(ssl_cache[ssl_cache_ptr].session); + + char *id = pn_strdup( ssl->session_id ); + ssl_cache_data s = {id, session}; + ssl_cache[ssl_cache_ptr++] = s; + if (ssl_cache_ptr==SSL_CACHE_SIZE) ssl_cache_ptr = 0; + } + } } /** Public API - visible to application code */ @@ -468,8 +481,7 @@ pn_ssl_domain_t *pn_ssl_domain( pn_ssl_mode_t mode ) OpenSSL_add_all_algorithms(); ssl_ex_data_index = SSL_get_ex_new_index( 0, (void *) "org.apache.qpid.proton.ssl", NULL, NULL, NULL); - ssl_session_ex_data_index = SSL_SESSION_get_ex_new_index(0, (void *)"ssl session data", - &ssl_session_ex_data_init, NULL, &ssl_session_ex_data_fini); + ssn_init(); } pn_ssl_domain_t *domain = (pn_ssl_domain_t *) calloc(1, sizeof(pn_ssl_domain_t)); 
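Review bot: `ssl_cache` is a single process-wide array keyed only by `session_id`, whereas the removed `ssn_cache_find` searched `SSL_CTX_sessions(domain->ctx)`, so `ssn_restore` can now hand a session saved under one `pn_ssl_domain_t` to a connection from another domain that uses the same id string. If those domains differ in trust store or peer-verification mode, resumption may reuse a session that was never verified under the second domain's policy; how the verify result is checked after a resume is not visible in this hunk and should be confirmed. Recording the owning domain in `ssl_cache_data` and requiring `ssl_cache[i].domain == ssl->domain` before `SSL_set_session`, or moving the array into the domain struct, would restore the old scoping. `ssl_cache` and `ssl_cache_ptr` are also read and written with no lock, and the `pn_strdup` result in `ssn_save` is stored unchecked, so a NULL id would make `ssn_restore` stop at that slot and hide the older entries.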
@@ -857,16 +869,7 @@ static int start_ssl_shutdown(pn_transport_t *transport) pni_ssl_t *ssl = transport->ssl; if (!ssl->ssl_shutdown) { ssl_log(transport, "Shutting down SSL connection..."); - if (ssl->session_id) { - // Attach the session id to the session before we close the connection - // So that if we find it in the cache later we can figure out the session id - char *id = pn_strdup( ssl->session_id ); - SSL_SESSION *session = SSL_get_session( ssl->ssl ); - if (session) { - ssl_log(transport, "Saving SSL session as %s", ssl->session_id ); - SSL_SESSION_set_ex_data(session, ssl_session_ex_data_index, id); - } - } + ssn_save(transport, ssl); ssl->ssl_shutdown = true; BIO_ssl_shutdown( ssl->bio_ssl ); } @@ -1167,16 +1170,7 @@ static int init_ssl_socket(pn_transport_t* transport, pni_ssl_t *ssl) #endif // restore session, if available - if (ssl->session_id) { - SSL_SESSION *ssn = ssn_cache_find( ssl->domain, ssl->session_id ); - if (ssn) { - ssl_log( transport, "Restoring previous session id=%s", ssl->session_id ); - int rc = SSL_set_session( ssl->ssl, ssn ); - if (rc != 1) { - ssl_log( transport, "Session restore failed, id=%s", ssl->session_id ); - } - } - } + ssn_restore(transport, ssl); // now layer a BIO over the SSL socket ssl->bio_ssl = BIO_new(BIO_f_ssl());
