Date: Thursday, March 16, 2017 @ 13:02:58
  Author: jgc
Revision: 290931

upgpkg: pgbouncer 1.7.2-2

OpenSSL 1.1

Added:
  pgbouncer/trunk/usual-openssl.patch
Modified:
  pgbouncer/trunk/PKGBUILD

---------------------+
 PKGBUILD            |   15 ++-
 usual-openssl.patch |  242 ++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 253 insertions(+), 4 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD    2017-03-16 12:45:44 UTC (rev 290930)
+++ PKGBUILD    2017-03-16 13:02:58 UTC (rev 290931)
@@ -2,12 +2,12 @@
 
 pkgname=pgbouncer
 pkgver=1.7.2
-pkgrel=1
+pkgrel=2
 pkgdesc="A lightweight connection pooler for PostgreSQL"
 arch=('i686' 'x86_64')
 url="https://wiki.postgresql.org/wiki/PgBouncer";
 license=('BSD')
-depends=('libevent>=2.0' 'c-ares')
+depends=('libevent>=2.0' 'c-ares' 'systemd')
 makedepends=('asciidoc' 'xmlto')
 backup=('etc/pgbouncer/pgbouncer.ini' 'etc/logrotate.d/pgbouncer')
 install=$pkgname.install
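Review bot: The new `'systemd'` entry in depends is not explained by the commit message, which mentions only OpenSSL 1.1; pgbouncer.service and pgbouncer.tmpfiles.conf appear as unchanged context in the source array of the next hunk, so this looks like a separate correction of a previously missing runtime dependency rather than part of the OpenSSL work. A one-line comment above depends, e.g. `# systemd: unit file and tmpfiles.d fragment are shipped`, would keep the reason visible to the next packager; if that is not the intent, the change belongs in its own revision.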
@@ -15,13 +15,20 @@
         pgbouncer.ini
         pgbouncer.logrotate
         pgbouncer.service
-        pgbouncer.tmpfiles.conf)
+        pgbouncer.tmpfiles.conf
+        usual-openssl.patch)
 sha256sums=('de36b318fe4a2f20a5f60d1c5ea62c1ca331f6813d2c484866ecb59265a160ba'
             '4f30e4a3eb76acdd233ebc7dd099dff6976299ba958e40a8429b74112e804b05'
             '8da38746d9c9dfc2433a8cfe22fdaf517e14492672d09e3c48cd4745fc03e9bd'
             '274a3d447c151323f2d297aae881ec69be1477f16e30b0bba469afe68c2d122a'
-            '476ea0400ba063e932a58f1f49ae401d65b22add521894872c09ec6985e0960d')
+            '476ea0400ba063e932a58f1f49ae401d65b22add521894872c09ec6985e0960d'
+            '46d2d1c421ccd9893af4f6fde28d796b7910d2385efd3e27cca118d8e484ca7b')
 
+prepare() {
+  cd "$srcdir/$pkgname-$pkgver/lib"
+  patch -Np1 -i ../../usual-openssl.patch
+}
+
 build() {
   cd "$srcdir/$pkgname-$pkgver"
   ./configure --prefix=/usr --disable-debug
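Review bot: Nothing in prepare() records where usual-openssl.patch comes from or when it can be dropped; the header inside the patch names upstream commit 0e56f729d74e4af6c19fe60f6e2b47f5e717dcac ("tls: additional openssl 1.1 compat") against the bundled `usual` library, so a comment such as `# OpenSSL 1.1 compat from upstream usual commit 0e56f729; drop once a pgbouncer release includes it` above prepare() would tell the next bump whether the patch is still needed. The relative `../../usual-openssl.patch` only works because of the exact depth of the preceding cd; `patch -Np1 -i "$srcdir/usual-openssl.patch"` is the usual PKGBUILD form and survives a change of directory. The build() body continues past the end of this hunk.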

Added: usual-openssl.patch
===================================================================
--- usual-openssl.patch                         (rev 0)
+++ usual-openssl.patch 2017-03-16 13:02:58 UTC (rev 290931)
@@ -0,0 +1,242 @@
+From 0e56f729d74e4af6c19fe60f6e2b47f5e717dcac Mon Sep 17 00:00:00 2001
+From: Marko Kreen <mark...@gmail.com>
+Date: Tue, 6 Dec 2016 20:05:17 +0200
+Subject: [PATCH] tls: additional openssl 1.1 compat
+
+Fixes: #15
+---
+ test/connect-tls.c     |  2 +-
+ usual/tls/tls.c        |  2 ++
+ usual/tls/tls_cert.c   | 12 ++++++------
+ usual/tls/tls_compat.h | 45 +++++++++++++++++++++++++++++++++++++++++++++
+ usual/tls/tls_ocsp.c   | 28 +++++++++++++++++-----------
+ usual/tls/tls_util.c   |  2 +-
+ usual/tls/tls_verify.c |  8 ++++----
+ 7 files changed, 76 insertions(+), 23 deletions(-)
+
+diff --git a/usual/tls/tls.c b/usual/tls/tls.c
+index 3377cb4..1843e44 100644
+--- a/usual/tls/tls.c
++++ b/usual/tls/tls.c
+@@ -67,7 +67,9 @@ tls_deinit(void)
+               CRYPTO_cleanup_all_ex_data();
+               BIO_sock_cleanup();
+               ERR_clear_error();
++#ifdef USE_LIBSSL_INTERNALS
+               ERR_remove_thread_state(NULL);
++#endif
+               ERR_free_strings();
+ 
+               tls_initialised = 0;
+diff --git a/usual/tls/tls_cert.c b/usual/tls/tls_cert.c
+index ca6668a..9a81e2f 100644
+--- a/usual/tls/tls_cert.c
++++ b/usual/tls/tls_cert.c
+@@ -86,7 +86,7 @@ tls_parse_bigint(struct tls *ctx, const ASN1_INTEGER 
*asn1int, const char **dst_
+  */
+ 
+ static int
+-check_invalid_bytes(struct tls *ctx, unsigned char *data, unsigned int len,
++check_invalid_bytes(struct tls *ctx, const unsigned char *data, unsigned int 
len,
+                   int ascii_only, const char *desc)
+ {
+       unsigned int i, c;
+@@ -125,7 +125,7 @@ static int
+ tls_parse_asn1string(struct tls *ctx, ASN1_STRING *a1str, const char **dst_p, 
int minchars, int maxchars, const char *desc)
+ {
+       int format, len, ret = -1;
+-      unsigned char *data;
++      const unsigned char *data;
+       ASN1_STRING *a1utf = NULL;
+       int ascii_only = 0;
+       char *cstr = NULL;
+@@ -134,7 +134,7 @@ tls_parse_asn1string(struct tls *ctx, ASN1_STRING *a1str, 
const char **dst_p, in
+       *dst_p = NULL;
+ 
+       format = ASN1_STRING_type(a1str);
+-      data = ASN1_STRING_data(a1str);
++      data = ASN1_STRING_get0_data(a1str);
+       len = ASN1_STRING_length(a1str);
+       if (len < minchars) {
+               tls_set_errorx(ctx, "invalid %s: string too short", desc);
+@@ -188,7 +188,7 @@ tls_parse_asn1string(struct tls *ctx, ASN1_STRING *a1str, 
const char **dst_p, in
+                       tls_set_errorx(ctx, "multibyte conversion failed: 
expected UTF8 result");
+                       goto failed;
+               }
+-              data = ASN1_STRING_data(a1utf);
++              data = ASN1_STRING_get0_data(a1utf);
+               len = ASN1_STRING_length(a1utf);
+       }
+ 
+@@ -275,12 +275,12 @@ static int
+ tls_load_alt_ipaddr(struct tls *ctx, ASN1_OCTET_STRING *bin, struct tls_cert 
*cert)
+ {
+       struct tls_cert_general_name *slot;
+-      void *data;
++      const void *data;
+       int len;
+ 
+       slot = &cert->subject_alt_names[cert->subject_alt_name_count];
+       len = ASN1_STRING_length(bin);
+-      data = ASN1_STRING_data(bin);
++      data = ASN1_STRING_get0_data(bin);
+       if (len < 0) {
+               tls_set_errorx(ctx, "negative length for ipaddress");
+               return -1;
+diff --git a/usual/tls/tls_compat.h b/usual/tls/tls_compat.h
+index 40ca5cf..8305958 100644
+--- a/usual/tls/tls_compat.h
++++ b/usual/tls/tls_compat.h
+@@ -12,6 +12,7 @@
+ #include <usual/time.h>
+ 
+ #include <openssl/ssl.h>
++#include <openssl/err.h>
+ 
+ /* OpenSSL 1.1+ has hidden struct fields */
+ #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+@@ -21,6 +22,50 @@
+ #define X509_get_key_usage(x509) ((x509)->ex_kusage)
+ #define X509_get_extended_key_usage(x509) ((x509)->ex_xkusage)
+ #define SSL_CTX_get0_param(ssl_ctx) ((ssl_ctx)->param)
++#define ASN1_STRING_get0_data(x) ((const unsigned char*)ASN1_STRING_data(x))
++#define X509_OBJECT_get0_X509(x) ((x)->data.x509)
++
++#ifndef OPENSSL_VERSION
++#define OPENSSL_VERSION SSLEAY_VERSION
++#define OpenSSL_version(x) SSLeay_version(x)
++#endif
++
++static inline X509_OBJECT *X509_OBJECT_new(void)
++{
++      X509_OBJECT *obj = OPENSSL_malloc(sizeof(*obj));
++      if (obj) {
++              memset(obj, 0, sizeof(*obj));
++      } else {
++              X509err(X509_F_GET_CERT_BY_SUBJECT, ERR_R_MALLOC_FAILURE);
++      }
++      return obj;
++}
++
++static inline void X509_OBJECT_free(X509_OBJECT *obj)
++{
++      if (obj) {
++              if (obj->type == X509_LU_X509) {
++                      X509_free(obj->data.x509);
++              } else if (obj->type == X509_LU_CRL) {
++                      X509_CRL_free(obj->data.crl);
++              }
++              OPENSSL_free(obj);
++      }
++}
++
++static inline X509_OBJECT *X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX 
*ctx, int lookup, X509_NAME *name)
++{
++      X509_OBJECT *obj = X509_OBJECT_new();
++      if (obj) {
++              if (X509_STORE_get_by_subject(ctx, lookup, name, obj)) {
++                      return obj;
++              }
++              X509_OBJECT_free(obj);
++      }
++      return NULL;
++}
++
++
+ #endif
+ 
+ /* ecdh_auto is broken - ignores main EC key */
+diff --git a/usual/tls/tls_ocsp.c b/usual/tls/tls_ocsp.c
+index 1e41d48..0b21e32 100644
+--- a/usual/tls/tls_ocsp.c
++++ b/usual/tls/tls_ocsp.c
+@@ -164,8 +164,8 @@ tls_ocsp_get_certid(X509 *main_cert, STACK_OF(X509) 
*extra_certs, SSL_CTX *ssl_c
+ {
+       X509_NAME *issuer_name;
+       X509 *issuer;
+-      X509_STORE_CTX storectx;
+-      X509_OBJECT tmpobj;
++      X509_STORE_CTX *storectx = NULL;
++      X509_OBJECT *tmpobj;
+       OCSP_CERTID *cid = NULL;
+       X509_STORE *store;
+       int ok;
+@@ -182,17 +182,23 @@ tls_ocsp_get_certid(X509 *main_cert, STACK_OF(X509) 
*extra_certs, SSL_CTX *ssl_c
+ 
+       store = SSL_CTX_get_cert_store(ssl_ctx);
+       if (!store)
+-              return NULL;
+-      ok = X509_STORE_CTX_init(&storectx, store, main_cert, extra_certs);
++              goto error;
++      ok = X509_STORE_CTX_init(storectx, store, main_cert, extra_certs);
+       if (ok != 1)
+-              return NULL;
+-      ok = X509_STORE_get_by_subject(&storectx, X509_LU_X509, issuer_name, 
&tmpobj);
+-      if (ok == 1) {
+-              cid = OCSP_cert_to_id(NULL, main_cert, tmpobj.data.x509);
+-              X509_free(tmpobj.data.x509);
+-      }
+-      X509_STORE_CTX_cleanup(&storectx);
++              goto error;
++
++      tmpobj = X509_STORE_CTX_get_obj_by_subject(storectx, X509_LU_X509, 
issuer_name);
++      if (!tmpobj)
++              goto error;
++        cid = OCSP_cert_to_id(NULL, main_cert, X509_OBJECT_get0_X509(tmpobj));
++      X509_OBJECT_free(tmpobj);
++      X509_STORE_CTX_free(storectx);
+       return cid;
++error:
++      if (storectx) {
++              X509_STORE_CTX_free(storectx);
++      }
++      return NULL;
+ }
+ 
+ static int
+diff --git a/usual/tls/tls_util.c b/usual/tls/tls_util.c
+index 2b91c64..823ccd1 100644
+--- a/usual/tls/tls_util.c
++++ b/usual/tls/tls_util.c
+@@ -30,7 +30,7 @@
+ const char *
+ tls_backend_version(void)
+ {
+-      return SSLeay_version(SSLEAY_VERSION);
++      return OpenSSL_version(OPENSSL_VERSION);
+ }
+ 
+ /*
+diff --git a/usual/tls/tls_verify.c b/usual/tls/tls_verify.c
+index 1c94b7c..9e5cce6 100644
+--- a/usual/tls/tls_verify.c
++++ b/usual/tls/tls_verify.c
+@@ -116,12 +116,12 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, 
const char *name)
+                       continue;
+ 
+               if (type == GEN_DNS) {
+-                      void            *data;
++                      const void      *data;
+                       int              format, len;
+ 
+                       format = ASN1_STRING_type(altname->d.dNSName);
+                       if (format == V_ASN1_IA5STRING) {
+-                              data = ASN1_STRING_data(altname->d.dNSName);
++                              data = 
ASN1_STRING_get0_data(altname->d.dNSName);
+                               len = ASN1_STRING_length(altname->d.dNSName);
+ 
+                               if (len < 0 || len != (int)strlen(data)) {
+@@ -161,11 +161,11 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, 
const char *name)
+                       }
+ 
+               } else if (type == GEN_IPADD) {
+-                      unsigned char   *data;
++                      const unsigned char *data;
+                       int              datalen;
+ 
+                       datalen = ASN1_STRING_length(altname->d.iPAddress);
+-                      data = ASN1_STRING_data(altname->d.iPAddress);
++                      data = ASN1_STRING_get0_data(altname->d.iPAddress);
+ 
+                       if (datalen < 0) {
+                               tls_set_errorx(ctx,
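Review bot: In the tls_ocsp.c part of the added patch, `storectx` is declared as `X509_STORE_CTX *storectx = NULL;` in the first hunk and is still NULL when `X509_STORE_CTX_init(storectx, store, main_cert, extra_certs)` is reached in the second, because the conversion from a stack object to a pointer never allocates it; OpenSSL will dereference that NULL on the first call into tls_ocsp_get_certid. Insert `storectx = X509_STORE_CTX_new();` and `if (!storectx) goto error;` before the X509_STORE_CTX_init call; the error label already frees a non-NULL storectx, so the cleanup path needs no change. The `cid = OCSP_cert_to_id(...)` line in the same hunk is indented with spaces while the neighbouring lines use tabs. Separately, the patch's own diffstat lists test/connect-tls.c, but no hunk for that file is present in the 242 added lines, so this is a trimmed copy of the upstream commit and is worth saying so in the PKGBUILD. tls_ocsp_get_certid's declarations live in the preceding hunk of this embedded patch.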
