Dear maintainer, I've prepared an NMU for bip (versioned as 0.8.9-1.2) and uploaded it to DELAYED/4. Please feel free to tell me if I should delay it longer.
Regards. Sebastian
diff -Nru bip-0.8.9/debian/changelog bip-0.8.9/debian/changelog
--- bip-0.8.9/debian/changelog 2016-11-11 19:08:24.000000000 +0100
+++ bip-0.8.9/debian/changelog 2018-01-22 23:28:55.000000000 +0100
@@ -1,3 +1,13 @@
+bip (0.8.9-1.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Cherry-pick a few patches from upstream in order to get it built against
+ OpenSSL 1.1 (Closes: #851093).
+ * Remove Arnaud Cornet <acor...@debian.org> from Uploaders. Thank you for
+ all your work (Closes: #876953).
+
+ -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc> Mon, 22 Jan 2018 23:28:55 +0100
+
bip (0.8.9-1.1) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru bip-0.8.9/debian/control bip-0.8.9/debian/control
--- bip-0.8.9/debian/control 2016-11-11 19:08:24.000000000 +0100
+++ bip-0.8.9/debian/control 2018-01-22 23:28:55.000000000 +0100
@@ -2,9 +2,9 @@
Section: net
Priority: optional
Maintainer: Pierre-Louis Bonicoli <pierre-louis.bonic...@gmx.fr>
-Uploaders: Arnaud Cornet <acor...@debian.org>, Marc Dequènes (Duck) <d...@duckcorp.org>
+Uploaders: Marc Dequènes (Duck) <d...@duckcorp.org>
Standards-Version: 3.9.4
-Build-Depends: debhelper (>= 9), bison, flex, libssl1.0-dev,
+Build-Depends: debhelper (>= 9), bison, flex, libssl-dev,
autoconf-archive, dh-autoreconf, autotools-dev
Vcs-Git: git://anonscm.debian.org/collab-maint/bip.git
Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/bip.git/
diff -Nru bip-0.8.9/debian/patches/0001-Handle-OpenSSL-version-1.1.patch bip-0.8.9/debian/patches/0001-Handle-OpenSSL-version-1.1.patch
--- bip-0.8.9/debian/patches/0001-Handle-OpenSSL-version-1.1.patch 1970-01-01 01:00:00.000000000 +0100
+++ bip-0.8.9/debian/patches/0001-Handle-OpenSSL-version-1.1.patch 2018-01-22 23:21:09.000000000 +0100
@@ -0,0 +1,165 @@
+From 39414f8ff9df63c8bc2e4eee34f09f829a5bf8f5 Mon Sep 17 00:00:00 2001
+From: Pierre-Louis Bonicoli <pierre-louis.bonic...@gmx.fr>
+Date: Wed, 29 Jun 2016 19:40:32 +0200
+Subject: [PATCH] Handle OpenSSL version 1.1
+
+adding forward-compatible code to older versions
+---
+ src/connection.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 69 insertions(+), 13 deletions(-)
+
+diff --git a/src/connection.c b/src/connection.c
+index 23ecb1eb889e..37cda12932bc 100644
+--- a/src/connection.c
++++ b/src/connection.c
+@@ -238,6 +238,49 @@ static int _write_socket_SSL(connection_t *cn, char* message)
+ mylog(LOG_DEBUGVERB, "%d/%d bytes sent", count, size);
+ return WRITE_OK;
+ }
++
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#define X509_OBJECT_get0_X509(o) ((o)->data.x509)
++#define X509_STORE_CTX_get_by_subject(vs, type, name, ret) X509_STORE_get_by_subject(vs, type, name, ret)
++
++int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
++{
++ // bip doesn't use q parameter
++ assert(q == NULL);
++ dh->p = p;
++ dh->g = g;
++
++ return 1;
++}
++
++X509_OBJECT *X509_OBJECT_new()
++{
++ X509_OBJECT *ret = OPENSSL_malloc(sizeof(*ret));
++
++ if (ret != NULL) {
++ memset(ret, 0, sizeof(*ret));
++ ret->type = X509_LU_FAIL;
++ }
++ return ret;
++}
++
++void X509_OBJECT_free(X509_OBJECT *a)
++{
++ if (a == NULL)
++ return;
++ switch (a->type) {
++ default:
++ break;
++ case X509_LU_X509:
++ X509_free(a->data.x509);
++ break;
++ case X509_LU_CRL:
++ X509_CRL_free(a->data.crl);
++ break;
++ }
++ OPENSSL_free(a);
++}
++#endif
+ #endif
+
+ static int _write_socket(connection_t *cn, char *message)
+@@ -1089,6 +1132,8 @@ static connection_t *connection_init(int anti_flood, int ssl, int timeout,
+ static DH *dh_512(void)
+ {
+ DH *dh;
++ BIGNUM *p;
++ BIGNUM *g;
+ static DH *dh_512;
+
+ if (dh_512 == NULL) {
+@@ -1096,15 +1141,19 @@ static DH *dh_512(void)
+ mylog(LOG_WARN, "SSL: cannot create DH parameter set");
+ return (0);
+ }
+-
dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), (BIGNUM *) 0);
+- dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), (BIGNUM *) 0);
+- if ((dh->p == NULL) || (dh->g == NULL)) {
++
++ p = BN_bin2bn(dh512_p, sizeof(dh512_p), (BIGNUM *) 0);
++ g = BN_bin2bn(dh512_g, sizeof(dh512_g), (BIGNUM *) 0);
++
++ if ((p == NULL) || (g == NULL)) {
+ mylog(LOG_WARN, "SSL: cannot load compiled-in DH "
+ "parameters");
+ DH_free(dh);
+ return (0);
+- } else
++ } else {
++ DH_set0_pqg(dh, p, NULL, g);
+ dh_512 = dh;
++ }
+ }
+ return dh_512;
+ }
+@@ -1113,6 +1162,8 @@ static DH *dh_512(void)
+ static DH *dh_1024(void)
+ {
+ DH *dh;
++ BIGNUM *p;
++ BIGNUM *g;
+ static DH *dh_1024;
+
+ if (dh_1024 == NULL) {
+@@ -1120,15 +1171,19 @@ static DH *dh_1024(void)
+ mylog(LOG_WARN, "SSL: cannot create DH parameter set");
+ return (0);
+ }
+- dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), (BIGNUM *) 0);
+- dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), (BIGNUM *) 0);
+- if ((dh->p == NULL) || (dh->g == NULL)) {
++
++ p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), (BIGNUM *) 0);
++ g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), (BIGNUM *) 0);
++
++ if ((p == NULL) || (g == NULL)) {
+ mylog(LOG_WARN, "SSL: cannot load compiled-in DH "
+ "parameters");
+ DH_free(dh);
+ return (0);
+- } else
++ } else {
++ DH_set0_pqg(dh, p, NULL, g);
+ dh_1024 = dh;
++ }
+ }
+ return (dh_1024);
+ }
+@@ -1315,7 +1370,7 @@ static int bip_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
+ int err, depth;
+ SSL *ssl;
+ connection_t *c;
+- X509_OBJECT xobj;
++ X509_OBJECT *xobj;
+ int result;
+
+ err_cert = X509_STORE_CTX_get_current_cert(ctx);
+@@ -1345,10 +1400,10 @@ static int bip_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
+ err == X509_V_ERR_CERT_HAS_EXPIRED ||
+ err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)) {
+
+- if (X509_STORE_get_by_subject(ctx, X509_LU_X509,
+- X509_get_subject_name(err_cert), &xobj) > 0 &&
+- !X509_cmp(xobj.data.x509, err_cert)) {
+-
++ xobj = X509_OBJECT_new();
++ if
(X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509,
++ X509_get_subject_name(err_cert), xobj) > 0 &&
++ !X509_cmp(X509_OBJECT_get0_X509(xobj), err_cert)) {
+ if (err == X509_V_ERR_CERT_HAS_EXPIRED)
+ mylog(LOG_INFO, "Basic mode; Accepting "
+ "*expired* peer certificate "
+ "found in store.");
+@@ -1368,6 +1423,7 @@ static int bip_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
+
+ link_add_untrusted(c->user_data, X509_dup(err_cert));
+ }
++ X509_OBJECT_free(xobj);
+ }
+
+ if (!result) {
+--
+2.15.1
+
diff -Nru bip-0.8.9/debian/patches/0002-check-value-returned-by-SSL_CTX_new.patch bip-0.8.9/debian/patches/0002-check-value-returned-by-SSL_CTX_new.patch
--- bip-0.8.9/debian/patches/0002-check-value-returned-by-SSL_CTX_new.patch 1970-01-01 01:00:00.000000000 +0100
+++ bip-0.8.9/debian/patches/0002-check-value-returned-by-SSL_CTX_new.patch 2018-01-22 23:21:31.000000000 +0100
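Review bot: The `DH_set0_pqg` shim in the `@@ -238,6 +238,49 @@` hunk only assigns `dh->p` and `dh->g`, whereas the OpenSSL 1.1 function it stands in for also releases whatever p, q and g were set before; that is harmless for the freshly created `dh` in `dh_512()`/`dh_1024()` but would leak for any caller that reuses a DH object, so I would say so above the definition: `/* compat shim: assigns without freeing existing p/g; only safe on a fresh DH */`. The `assert(q == NULL)` that guards the ignored q parameter vanishes under NDEBUG; returning 0 when q is non-NULL keeps the contract in release builds as well. As a point of style, `X509_OBJECT_new()` should be declared `X509_OBJECT_new(void)` to match the OpenSSL prototype, since an empty parameter list is an unprototyped declaration in C. Separately, the compiled-in 512-bit group in `dh_512()` is kept as-is; as far as I recall, OpenSSL 1.1 clients refuse DH groups shorter than 1024 bits, so that code path is probably dead against the peers this upload targets and might deserve a changelog remark.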
@@ -0,0 +1,28 @@
+From 406ebacfe5ab8fbd5747d08a6eab3d43d45709e2 Mon Sep 17 00:00:00 2001
+From: Pierre-Louis Bonicoli <pierre-louis.bonic...@gmx.fr>
+Date: Wed, 13 Apr 2016 01:14:36 +0200
+Subject: [PATCH] check value returned by SSL_CTX_new
+
+---
+ src/connection.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/connection.c b/src/connection.c
+index 431dd07e5e39..1c445e6b0c81 100644
+--- a/src/connection.c
++++ b/src/connection.c
+@@ -1355,7 +1355,10 @@ static SSL_CTX *SSL_init_context(char *ciphers)
+ }
+
+ /* allocated by function */
+- ctx = SSL_CTX_new(SSLv23_method());
++ if (!(ctx = SSL_CTX_new(SSLv23_method()))) {
++ ERR_print_errors(errbio);
++ return NULL;
++ }
+ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_BOTH);
+ SSL_CTX_set_timeout(ctx, (long)60);
+ SSL_CTX_set_options(ctx, SSL_OP_ALL);
+--
+2.15.1
+
diff -Nru bip-0.8.9/debian/patches/0003-Add-missing-call-to-SSL_CTX_free.patch bip-0.8.9/debian/patches/0003-Add-missing-call-to-SSL_CTX_free.patch
--- bip-0.8.9/debian/patches/0003-Add-missing-call-to-SSL_CTX_free.patch 1970-01-01 01:00:00.000000000 +0100
+++ bip-0.8.9/debian/patches/0003-Add-missing-call-to-SSL_CTX_free.patch 2018-01-22 23:21:49.000000000 +0100
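Review bot: The new early return in `SSL_init_context` depends on `errbio` already being a usable BIO at this point and on every caller of `SSL_init_context` tolerating a NULL result; neither is visible in the hunk, so a line on the function such as `/* returns NULL on failure; callers must check */` would record the contract the fix introduces. Note also that `SSLv23_method()` is a deprecated alias of `TLS_method()` in OpenSSL 1.1, the very version this upload targets, so the build may warn under -Wdeprecated-declarations; that is a one-line upstream change rather than NMU material. `SSL_init_context` begins and ends outside the hunk.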
@@ -0,0 +1,24 @@
+From e8b5d02f132627bb8b6a985d9d908fe31f9d7f71 Mon Sep 17 00:00:00 2001
+From: Pierre-Louis Bonicoli <pierre-louis.bonic...@gmx.fr>
+Date: Wed, 13 Apr 2016 01:15:43 +0200
+Subject: [PATCH] Add missing call to SSL_CTX_free
+
+---
+ src/connection.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/connection.c b/src/connection.c
+index 1c445e6b0c81..a5fbb3d20f81 100644
+--- a/src/connection.c
++++ b/src/connection.c
+@@ -1264,6 +1264,7 @@ connection_t *accept_new(connection_t *cn)
+ conn->ssl_h = SSL_new(sslctx);
+ if (!conn->ssl_h) {
+ connection_free(conn);
++ SSL_CTX_free(sslctx);
+ return NULL;
+ }
+ SSL_set_accept_state(conn->ssl_h);
+--
+2.15.1
+
diff -Nru bip-0.8.9/debian/patches/0004-X509_OBJECT_new-call-X509err.patch bip-0.8.9/debian/patches/0004-X509_OBJECT_new-call-X509err.patch
--- bip-0.8.9/debian/patches/0004-X509_OBJECT_new-call-X509err.patch 1970-01-01 01:00:00.000000000 +0100
+++ bip-0.8.9/debian/patches/0004-X509_OBJECT_new-call-X509err.patch 2018-01-22 23:22:20.000000000 +0100
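Review bot: The added `SSL_CTX_free(sslctx)` runs after `connection_free(conn)`, which is only safe because `conn->ssl_h` is NULL on this path and `connection_free` presumably does not reach the context otherwise; whether `sslctx` is a per-accept context or a reference shared with the listener is not visible in the hunk, and the fix is correct in either case only if `accept_new` holds its own reference here. A comment next to the call, `/* our reference to sslctx is dropped on failure; SSL_new() takes it on success */`, would pin the ownership invariant this leak fix relies on. `accept_new` begins and ends outside the hunk.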
@@ -0,0 +1,26 @@
+From e452c023ad83b4e88c5b09fef501ab82e7058bf7 Mon Sep 17 00:00:00 2001
+From: Pierre-Louis Bonicoli <pierre-louis.bonic...@gmx.fr>
+Date: Sat, 12 Nov 2016 00:58:18 +0100
+Subject: [PATCH] X509_OBJECT_new: call X509err
+
+mimic behavior of X509_OBJECT_new provided by OpenSSL >= 1.1
+---
+ src/connection.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/connection.c b/src/connection.c
+index 65f06e4cb7ef..a10a6860d610 100644
+--- a/src/connection.c
++++ b/src/connection.c
+@@ -262,6 +262,8 @@ X509_OBJECT *X509_OBJECT_new()
+ if (ret != NULL) {
+ memset(ret, 0, sizeof(*ret));
+ ret->type = X509_LU_FAIL;
++ } else {
++ X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
+ }
+ return ret;
+ }
+--
+2.15.1
+
diff -Nru bip-0.8.9/debian/patches/0005-Check-value-returned-by-X509_OBJECT_new.patch bip-0.8.9/debian/patches/0005-Check-value-returned-by-X509_OBJECT_new.patch
--- bip-0.8.9/debian/patches/0005-Check-value-returned-by-X509_OBJECT_new.patch 1970-01-01 01:00:00.000000000 +0100
+++ bip-0.8.9/debian/patches/0005-Check-value-returned-by-X509_OBJECT_new.patch 2018-01-22 23:22:37.000000000 +0100
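Review bot: The `X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE)` call in the new `else` branch attributes the allocation failure to `X509_verify_cert` rather than to `X509_OBJECT_new`; that is presumably deliberate, since this shim is only compiled for OpenSSL < 1.1 where no function code exists for `X509_OBJECT_new`, but a reader will take it for a copy-paste slip. A comment on that line would settle it: `/* no function code for X509_OBJECT_new before 1.1; report under the verifying caller */`. The shim `X509_OBJECT_new` begins before the hunk.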
@@ -0,0 +1,72 @@
+From 2e81cca480ed74abf8559d7e1bbe52f6be273786 Mon Sep 17 00:00:00 2001
+From: Pierre-Louis Bonicoli <pierre-louis.bonic...@gmx.fr>
+Date: Sat, 12 Nov 2016 00:52:50 +0100
+Subject: [PATCH] Check value returned by X509_OBJECT_new()
+
+Reported by Alexander Couzens, thanks to him !
+---
+ src/connection.c | 45 ++++++++++++++++++++++++---------------------
+ 1 file changed, 24 insertions(+), 21 deletions(-)
+
+diff --git a/src/connection.c b/src/connection.c
+index a10a6860d610..86377a9109bf 100644
+--- a/src/connection.c
++++ b/src/connection.c
+@@ -1374,30 +1374,33 @@ static int bip_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
+ err == X509_V_ERR_CERT_HAS_EXPIRED ||
+ err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)) {
+
+- xobj = X509_OBJECT_new();
+- if (X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509,
+- X509_get_subject_name(err_cert), xobj) > 0 &&
+- !X509_cmp(X509_OBJECT_get0_X509(xobj), err_cert)) {
+- if (err == X509_V_ERR_CERT_HAS_EXPIRED)
+- mylog(LOG_INFO, "Basic mode; Accepting "
+- "*expired* peer certificate "
+- "found in store.");
+- else
+- mylog(LOG_INFO, "Basic mode; Accepting peer "
+- "certificate found in store.");
+-
+- result = 1;
+- err = X509_V_OK;
+- X509_STORE_CTX_set_error(ctx, err);
++ if (!(xobj = X509_OBJECT_new())) {
++ result = 0;
+ } else {
+- mylog(LOG_INFO, "Basic mode; peer certificate NOT "
+- "in store, rejecting it!");
+- err = X509_V_ERR_CERT_REJECTED;
+- X509_STORE_CTX_set_error(ctx, err);
++ if (X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509,
++ X509_get_subject_name(err_cert), xobj) > 0 &&
++ !X509_cmp(X509_OBJECT_get0_X509(xobj), err_cert)) {
++ if (err == X509_V_ERR_CERT_HAS_EXPIRED)
++ mylog(LOG_INFO, "Basic mode; Accepting "
++ "*expired* peer certificate "
++ "found in store.");
++ else
++ mylog(LOG_INFO, "Basic mode; Accepting peer "
++ "certificate found in store.");
+
+- link_add_untrusted(c->user_data, X509_dup(err_cert));
++ result = 1;
++ err = X509_V_OK;
++
X509_STORE_CTX_set_error(ctx, err);
++ } else {
++ mylog(LOG_INFO, "Basic mode; peer certificate NOT "
++ "in store, rejecting it!");
++ err = X509_V_ERR_CERT_REJECTED;
++ X509_STORE_CTX_set_error(ctx, err);
++
++ link_add_untrusted(c->user_data, X509_dup(err_cert));
++ }
++ X509_OBJECT_free(xobj);
+ }
+- X509_OBJECT_free(xobj);
+ }
+
+ if (!result) {
+--
+2.15.1
+
diff -Nru bip-0.8.9/debian/patches/series bip-0.8.9/debian/patches/series
--- bip-0.8.9/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ bip-0.8.9/debian/patches/series 2018-01-22 23:24:00.000000000 +0100
@@ -0,0 +1,5 @@
+0001-Handle-OpenSSL-version-1.1.patch
+0002-check-value-returned-by-SSL_CTX_new.patch
+0003-Add-missing-call-to-SSL_CTX_free.patch
+0004-X509_OBJECT_new-call-X509err.patch
+0005-Check-value-returned-by-X509_OBJECT_new.patch
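Review bot: On the new `X509_OBJECT_new()` failure path (`result = 0;`) nothing is logged and the store error is left at the original `err`, so an allocation failure during verification looks exactly like an ordinary rejection in bip's log; the `X509err` the shim queues is only seen if something later drains the OpenSSL error queue. A single line before `result = 0;`, e.g. `mylog(LOG_WARN, "SSL: cannot allocate X509_OBJECT, rejecting peer certificate");`, would make that case diagnosable. Pre-existing but worth noting since the line moved: `X509_dup(err_cert)` can return NULL and `link_add_untrusted` receives it unchecked. `bip_ssl_verify_callback` begins and ends outside the hunk.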