Date: Thursday, March 16, 2017 @ 13:02:58 Author: jgc Revision: 290931
upgpkg: pgbouncer 1.7.2-2 OpenSSL 1.1 Added: pgbouncer/trunk/usual-openssl.patch Modified: pgbouncer/trunk/PKGBUILD ---------------------+ PKGBUILD | 15 ++- usual-openssl.patch | 242 ++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 253 insertions(+), 4 deletions(-) Modified: PKGBUILD =================================================================== --- PKGBUILD 2017-03-16 12:45:44 UTC (rev 290930) +++ PKGBUILD 2017-03-16 13:02:58 UTC (rev 290931) @@ -2,12 +2,12 @@ pkgname=pgbouncer pkgver=1.7.2 -pkgrel=1 +pkgrel=2 pkgdesc="A lightweight connection pooler for PostgreSQL" arch=('i686' 'x86_64') url="https://wiki.postgresql.org/wiki/PgBouncer" license=('BSD') -depends=('libevent>=2.0' 'c-ares') +depends=('libevent>=2.0' 'c-ares' 'systemd') makedepends=('asciidoc' 'xmlto') backup=('etc/pgbouncer/pgbouncer.ini' 'etc/logrotate.d/pgbouncer') install=$pkgname.install @@ -15,13 +15,20 @@ pgbouncer.ini pgbouncer.logrotate pgbouncer.service - pgbouncer.tmpfiles.conf) + pgbouncer.tmpfiles.conf + usual-openssl.patch) sha256sums=('de36b318fe4a2f20a5f60d1c5ea62c1ca331f6813d2c484866ecb59265a160ba' '4f30e4a3eb76acdd233ebc7dd099dff6976299ba958e40a8429b74112e804b05' '8da38746d9c9dfc2433a8cfe22fdaf517e14492672d09e3c48cd4745fc03e9bd' '274a3d447c151323f2d297aae881ec69be1477f16e30b0bba469afe68c2d122a' - '476ea0400ba063e932a58f1f49ae401d65b22add521894872c09ec6985e0960d') + '476ea0400ba063e932a58f1f49ae401d65b22add521894872c09ec6985e0960d' + '46d2d1c421ccd9893af4f6fde28d796b7910d2385efd3e27cca118d8e484ca7b') +prepare() { + cd "$srcdir/$pkgname-$pkgver/lib" + patch -Np1 -i ../../usual-openssl.patch +} + build() { cd "$srcdir/$pkgname-$pkgver" ./configure --prefix=/usr --disable-debug Added: usual-openssl.patch =================================================================== --- usual-openssl.patch (rev 0) +++ usual-openssl.patch 2017-03-16 13:02:58 UTC (rev 290931) @@ -0,0 +1,242 @@ +From 0e56f729d74e4af6c19fe60f6e2b47f5e717dcac Mon Sep 17 00:00:00 2001 +From: Marko Kreen <mark...@gmail.com> +Date: Tue, 6 Dec 2016 20:05:17 +0200 +Subject: [PATCH] tls: additional openssl 1.1 compat + +Fixes: #15 +--- + test/connect-tls.c | 2 +- + usual/tls/tls.c | 2 ++ + usual/tls/tls_cert.c | 12 ++++++------ + usual/tls/tls_compat.h | 45 +++++++++++++++++++++++++++++++++++++++++++++ + usual/tls/tls_ocsp.c | 28 +++++++++++++++++----------- + usual/tls/tls_util.c | 2 +- + usual/tls/tls_verify.c | 8 ++++---- + 7 files changed, 76 insertions(+), 23 deletions(-) + +diff --git a/usual/tls/tls.c b/usual/tls/tls.c +index 3377cb4..1843e44 100644 +--- a/usual/tls/tls.c ++++ b/usual/tls/tls.c +@@ -67,7 +67,9 @@ tls_deinit(void) + CRYPTO_cleanup_all_ex_data(); + BIO_sock_cleanup(); + ERR_clear_error(); ++#ifdef USE_LIBSSL_INTERNALS + ERR_remove_thread_state(NULL); ++#endif + ERR_free_strings(); + + tls_initialised = 0; +diff --git a/usual/tls/tls_cert.c b/usual/tls/tls_cert.c +index ca6668a..9a81e2f 100644 +--- a/usual/tls/tls_cert.c ++++ b/usual/tls/tls_cert.c +@@ -86,7 +86,7 @@ tls_parse_bigint(struct tls *ctx, const ASN1_INTEGER *asn1int, const char **dst_ + */ + + static int +-check_invalid_bytes(struct tls *ctx, unsigned char *data, unsigned int len, ++check_invalid_bytes(struct tls *ctx, const unsigned char *data, unsigned int len, + int ascii_only, const char *desc) + { + unsigned int i, c; +@@ -125,7 +125,7 @@ static int + tls_parse_asn1string(struct tls *ctx, ASN1_STRING *a1str, const char **dst_p, int minchars, int maxchars, const char *desc) + { + int format, len, ret = -1; +- unsigned char *data; ++ const unsigned char *data; + ASN1_STRING *a1utf = NULL; + int ascii_only = 0; + char *cstr = NULL; +@@ -134,7 +134,7 @@ tls_parse_asn1string(struct tls *ctx, ASN1_STRING *a1str, const char **dst_p, in + *dst_p = NULL; + + format = ASN1_STRING_type(a1str); +- data = ASN1_STRING_data(a1str); ++ data = ASN1_STRING_get0_data(a1str); + len = ASN1_STRING_length(a1str); + if (len < minchars) { + tls_set_errorx(ctx, "invalid %s: string too short", desc); +@@ -188,7 +188,7 @@ tls_parse_asn1string(struct tls *ctx, ASN1_STRING *a1str, const char **dst_p, in + tls_set_errorx(ctx, "multibyte conversion failed: expected UTF8 result"); + goto failed; + } +- data = ASN1_STRING_data(a1utf); ++ data = ASN1_STRING_get0_data(a1utf); + len = ASN1_STRING_length(a1utf); + } + +@@ -275,12 +275,12 @@ static int + tls_load_alt_ipaddr(struct tls *ctx, ASN1_OCTET_STRING *bin, struct tls_cert *cert) + { + struct tls_cert_general_name *slot; +- void *data; ++ const void *data; + int len; + + slot = &cert->subject_alt_names[cert->subject_alt_name_count]; + len = ASN1_STRING_length(bin); +- data = ASN1_STRING_data(bin); ++ data = ASN1_STRING_get0_data(bin); + if (len < 0) { + tls_set_errorx(ctx, "negative length for ipaddress"); + return -1; +diff --git a/usual/tls/tls_compat.h b/usual/tls/tls_compat.h +index 40ca5cf..8305958 100644 +--- a/usual/tls/tls_compat.h ++++ b/usual/tls/tls_compat.h +@@ -12,6 +12,7 @@ + #include <usual/time.h> + + #include <openssl/ssl.h> ++#include <openssl/err.h> + + /* OpenSSL 1.1+ has hidden struct fields */ + #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) +@@ -21,6 +22,50 @@ + #define X509_get_key_usage(x509) ((x509)->ex_kusage) + #define X509_get_extended_key_usage(x509) ((x509)->ex_xkusage) + #define SSL_CTX_get0_param(ssl_ctx) ((ssl_ctx)->param) ++#define ASN1_STRING_get0_data(x) ((const unsigned char*)ASN1_STRING_data(x)) ++#define X509_OBJECT_get0_X509(x) ((x)->data.x509) ++ ++#ifndef OPENSSL_VERSION ++#define OPENSSL_VERSION SSLEAY_VERSION ++#define OpenSSL_version(x) SSLeay_version(x) ++#endif ++ ++static inline X509_OBJECT *X509_OBJECT_new(void) ++{ ++ X509_OBJECT *obj = OPENSSL_malloc(sizeof(*obj)); ++ if (obj) { ++ memset(obj, 0, sizeof(*obj)); ++ } else { ++ X509err(X509_F_GET_CERT_BY_SUBJECT, ERR_R_MALLOC_FAILURE); ++ } ++ return obj; ++} ++ ++static inline void X509_OBJECT_free(X509_OBJECT *obj) ++{ ++ if (obj) { ++ if (obj->type == X509_LU_X509) { ++ X509_free(obj->data.x509); ++ } else if (obj->type == X509_LU_CRL) { ++ X509_CRL_free(obj->data.crl); ++ } ++ OPENSSL_free(obj); ++ } ++} ++ ++static inline X509_OBJECT *X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX *ctx, int lookup, X509_NAME *name) ++{ ++ X509_OBJECT *obj = X509_OBJECT_new(); ++ if (obj) { ++ if (X509_STORE_get_by_subject(ctx, lookup, name, obj)) { ++ return obj; ++ } ++ X509_OBJECT_free(obj); ++ } ++ return NULL; ++} ++ ++ + #endif + + /* ecdh_auto is broken - ignores main EC key */ +diff --git a/usual/tls/tls_ocsp.c b/usual/tls/tls_ocsp.c +index 1e41d48..0b21e32 100644 +--- a/usual/tls/tls_ocsp.c ++++ b/usual/tls/tls_ocsp.c +@@ -164,8 +164,8 @@ tls_ocsp_get_certid(X509 *main_cert, STACK_OF(X509) *extra_certs, SSL_CTX *ssl_c + { + X509_NAME *issuer_name; + X509 *issuer; +- X509_STORE_CTX storectx; +- X509_OBJECT tmpobj; ++ X509_STORE_CTX *storectx = NULL; ++ X509_OBJECT *tmpobj; + OCSP_CERTID *cid = NULL; + X509_STORE *store; + int ok; +@@ -182,17 +182,23 @@ tls_ocsp_get_certid(X509 *main_cert, STACK_OF(X509) *extra_certs, SSL_CTX *ssl_c + + store = SSL_CTX_get_cert_store(ssl_ctx); + if (!store) +- return NULL; +- ok = X509_STORE_CTX_init(&storectx, store, main_cert, extra_certs); ++ goto error; ++ ok = X509_STORE_CTX_init(storectx, store, main_cert, extra_certs); + if (ok != 1) +- return NULL; +- ok = X509_STORE_get_by_subject(&storectx, X509_LU_X509, issuer_name, &tmpobj); +- if (ok == 1) { +- cid = OCSP_cert_to_id(NULL, main_cert, tmpobj.data.x509); +- X509_free(tmpobj.data.x509); +- } +- X509_STORE_CTX_cleanup(&storectx); ++ goto error; ++ ++ tmpobj = X509_STORE_CTX_get_obj_by_subject(storectx, X509_LU_X509, issuer_name); ++ if (!tmpobj) ++ goto error; ++ cid = OCSP_cert_to_id(NULL, main_cert, X509_OBJECT_get0_X509(tmpobj)); ++ X509_OBJECT_free(tmpobj); ++ X509_STORE_CTX_free(storectx); + return cid; ++error: ++ if (storectx) { ++ X509_STORE_CTX_free(storectx); ++ } ++ return NULL; + } + + static int +diff --git a/usual/tls/tls_util.c b/usual/tls/tls_util.c +index 2b91c64..823ccd1 100644 +--- a/usual/tls/tls_util.c ++++ b/usual/tls/tls_util.c +@@ -30,7 +30,7 @@ + const char * + tls_backend_version(void) + { +- return SSLeay_version(SSLEAY_VERSION); ++ return OpenSSL_version(OPENSSL_VERSION); + } + + /* +diff --git a/usual/tls/tls_verify.c b/usual/tls/tls_verify.c +index 1c94b7c..9e5cce6 100644 +--- a/usual/tls/tls_verify.c ++++ b/usual/tls/tls_verify.c +@@ -116,12 +116,12 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name) + continue; + + if (type == GEN_DNS) { +- void *data; ++ const void *data; + int format, len; + + format = ASN1_STRING_type(altname->d.dNSName); + if (format == V_ASN1_IA5STRING) { +- data = ASN1_STRING_data(altname->d.dNSName); ++ data = ASN1_STRING_get0_data(altname->d.dNSName); + len = ASN1_STRING_length(altname->d.dNSName); + + if (len < 0 || len != (int)strlen(data)) { +@@ -161,11 +161,11 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name) + } + + } else if (type == GEN_IPADD) { +- unsigned char *data; ++ const unsigned char *data; + int datalen; + + datalen = ASN1_STRING_length(altname->d.iPAddress); +- data = ASN1_STRING_data(altname->d.iPAddress); ++ data = ASN1_STRING_get0_data(altname->d.iPAddress); + + if (datalen < 0) { + tls_set_errorx(ctx,