Dear maintainer,

I've prepared an NMU for bip (versioned as 0.8.9-1.2) and
uploaded it to DELAYED/4. Please feel free to tell me if I
should delay it longer.

Regards.
Sebastian
diff -Nru bip-0.8.9/debian/changelog bip-0.8.9/debian/changelog
--- bip-0.8.9/debian/changelog	2016-11-11 19:08:24.000000000 +0100
+++ bip-0.8.9/debian/changelog	2018-01-22 23:28:55.000000000 +0100
@@ -1,3 +1,13 @@
+bip (0.8.9-1.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Cherry-pick a few patches from upstream in order to get it built against
+    OpenSSL 1.1 (Closes: #851093).
+  * Remove Arnaud Cornet <acor...@debian.org> from Uploaders. Thank you for
+    all your work (Closes: #876953).
+
+ -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc>  Mon, 22 Jan 2018 23:28:55 +0100
+
 bip (0.8.9-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru bip-0.8.9/debian/control bip-0.8.9/debian/control
--- bip-0.8.9/debian/control	2016-11-11 19:08:24.000000000 +0100
+++ bip-0.8.9/debian/control	2018-01-22 23:28:55.000000000 +0100
@@ -2,9 +2,9 @@
 Section: net
 Priority: optional
 Maintainer: Pierre-Louis Bonicoli <pierre-louis.bonic...@gmx.fr>
-Uploaders: Arnaud Cornet <acor...@debian.org>, Marc Dequènes (Duck) <d...@duckcorp.org>
+Uploaders: Marc Dequènes (Duck) <d...@duckcorp.org>
 Standards-Version: 3.9.4
-Build-Depends: debhelper (>= 9), bison, flex, libssl1.0-dev,
+Build-Depends: debhelper (>= 9), bison, flex, libssl-dev,
  autoconf-archive, dh-autoreconf, autotools-dev
 Vcs-Git: git://anonscm.debian.org/collab-maint/bip.git
 Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/bip.git/
diff -Nru bip-0.8.9/debian/patches/0001-Handle-OpenSSL-version-1.1.patch bip-0.8.9/debian/patches/0001-Handle-OpenSSL-version-1.1.patch
--- bip-0.8.9/debian/patches/0001-Handle-OpenSSL-version-1.1.patch	1970-01-01 01:00:00.000000000 +0100
+++ bip-0.8.9/debian/patches/0001-Handle-OpenSSL-version-1.1.patch	2018-01-22 23:21:09.000000000 +0100
@@ -0,0 +1,165 @@
+From 39414f8ff9df63c8bc2e4eee34f09f829a5bf8f5 Mon Sep 17 00:00:00 2001
+From: Pierre-Louis Bonicoli <pierre-louis.bonic...@gmx.fr>
+Date: Wed, 29 Jun 2016 19:40:32 +0200
+Subject: [PATCH] Handle OpenSSL version 1.1
+
+adding forward-compatible code to older versions
+---
+ src/connection.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 69 insertions(+), 13 deletions(-)
+
+diff --git a/src/connection.c b/src/connection.c
+index 23ecb1eb889e..37cda12932bc 100644
+--- a/src/connection.c
++++ b/src/connection.c
+@@ -238,6 +238,49 @@ static int _write_socket_SSL(connection_t *cn, char* message)
+ 	mylog(LOG_DEBUGVERB, "%d/%d bytes sent", count, size);
+ 	return WRITE_OK;
+ }
++
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#define X509_OBJECT_get0_X509(o) ((o)->data.x509)
++#define X509_STORE_CTX_get_by_subject(vs, type, name, ret) X509_STORE_get_by_subject(vs, type, name, ret)
++
++int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
++{
++	// bip doesn't use q parameter
++	assert(q == NULL);
++	dh->p = p;
++	dh->g = g;
++
++	return 1;
++}
++
++X509_OBJECT *X509_OBJECT_new()
++{
++	X509_OBJECT *ret = OPENSSL_malloc(sizeof(*ret));
++
++	if (ret != NULL) {
++		memset(ret, 0, sizeof(*ret));
++		ret->type = X509_LU_FAIL;
++	}
++	return ret;
++}
++
++void X509_OBJECT_free(X509_OBJECT *a)
++{
++	if (a == NULL)
++		return;
++	switch (a->type) {
++	default:
++		break;
++	case X509_LU_X509:
++		X509_free(a->data.x509);
++		break;
++	case X509_LU_CRL:
++		X509_CRL_free(a->data.crl);
++		break;
++	}
++	OPENSSL_free(a);
++}
++#endif
+ #endif
+ 
+ static int _write_socket(connection_t *cn, char *message)
+@@ -1089,6 +1132,8 @@ static connection_t *connection_init(int anti_flood, int ssl, int timeout,
+ static DH *dh_512(void)
+ {
+ 	DH *dh;
++	BIGNUM *p;
++	BIGNUM *g;
+ 	static DH *dh_512;
+ 
+ 	if (dh_512 == NULL) {
+@@ -1096,15 +1141,19 @@ static DH *dh_512(void)
+ 			mylog(LOG_WARN, "SSL: cannot create DH parameter set");
+ 			return (0);
+ 		}
+-		dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), (BIGNUM *) 0);
+-		dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), (BIGNUM *) 0);
+-		if ((dh->p == NULL) || (dh->g == NULL)) {
++
++		p = BN_bin2bn(dh512_p, sizeof(dh512_p), (BIGNUM *) 0);
++		g = BN_bin2bn(dh512_g, sizeof(dh512_g), (BIGNUM *) 0);
++
++		if ((p == NULL) || (g == NULL)) {
+ 			mylog(LOG_WARN, "SSL: cannot load compiled-in DH "
+ 					"parameters");
+ 			DH_free(dh);
+ 			return (0);
+-		} else
++		} else {
++			DH_set0_pqg(dh, p, NULL, g);
+ 			dh_512 = dh;
++		}
+ 	}
+ 	return dh_512;
+ }
+@@ -1113,6 +1162,8 @@ static DH *dh_512(void)
+ static DH *dh_1024(void)
+ {
+ 	DH *dh;
++	BIGNUM *p;
++	BIGNUM *g;
+ 	static DH *dh_1024;
+ 
+ 	if (dh_1024 == NULL) {
+@@ -1120,15 +1171,19 @@ static DH *dh_1024(void)
+ 			mylog(LOG_WARN, "SSL: cannot create DH parameter set");
+ 			return (0);
+ 		}
+-		dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), (BIGNUM *) 0);
+-		dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), (BIGNUM *) 0);
+-		if ((dh->p == NULL) || (dh->g == NULL)) {
++
++		p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), (BIGNUM *) 0);
++		g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), (BIGNUM *) 0);
++
++		if ((p == NULL) || (g == NULL)) {
+ 			mylog(LOG_WARN, "SSL: cannot load compiled-in DH "
+ 					"parameters");
+ 			DH_free(dh);
+ 			return (0);
+-		} else
++		} else {
++			DH_set0_pqg(dh, p, NULL, g);
+ 			dh_1024 = dh;
++		}
+ 	}
+ 	return (dh_1024);
+ }
+@@ -1315,7 +1370,7 @@ static int bip_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
+ 	int err, depth;
+ 	SSL *ssl;
+ 	connection_t *c;
+-	X509_OBJECT xobj;
++	X509_OBJECT *xobj;
+ 	int result;
+ 
+ 	err_cert = X509_STORE_CTX_get_current_cert(ctx);
+@@ -1345,10 +1400,10 @@ static int bip_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
+ 			 err == X509_V_ERR_CERT_HAS_EXPIRED ||
+ 			 err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)) {
+ 
+-		if (X509_STORE_get_by_subject(ctx, X509_LU_X509,
+-				X509_get_subject_name(err_cert), &xobj) > 0 &&
+-				!X509_cmp(xobj.data.x509, err_cert)) {
+-
++		xobj = X509_OBJECT_new();
++		if (X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509,
++				X509_get_subject_name(err_cert), xobj) > 0 &&
++				!X509_cmp(X509_OBJECT_get0_X509(xobj), err_cert)) {
+ 			if (err == X509_V_ERR_CERT_HAS_EXPIRED)
+ 				mylog(LOG_INFO, "Basic mode; Accepting "
+ 						"*expired* peer certificate "
+@@ -1368,6 +1423,7 @@ static int bip_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
+ 
+ 			link_add_untrusted(c->user_data, X509_dup(err_cert));
+ 		}
++		X509_OBJECT_free(xobj);
+ 	}
+ 
+ 	if (!result) {
+-- 
+2.15.1
+
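Review bot: The pre-1.1 compatibility shims in the `#if OPENSSL_VERSION_NUMBER < 0x10100000L` block (`DH_set0_pqg`, `X509_OBJECT_new`, `X509_OBJECT_free`) are defined with external linkage under OpenSSL's own names; they should be `static` so they cannot collide with a libcrypto that exports them, and `X509_OBJECT_new()` should be declared `X509_OBJECT_new(void)` since the empty-parenthesis form is an unprototyped declaration in C11. `DH_set0_pqg` guards its unsupported parameter only with `assert(q == NULL)`, so an NDEBUG build would silently drop a non-NULL q; returning failure is safer, e.g. `if (q != NULL) return 0;`. Unlike OpenSSL's real `DH_set0_pqg`, the shim never frees an existing `dh->p`/`dh->g`, which is harmless for the two callers here that pass a freshly created DH, but deserves a comment such as `/* compat shim: only valid on a DH whose p/g are still unset */` so it is not reused on an initialised object.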
diff -Nru bip-0.8.9/debian/patches/0002-check-value-returned-by-SSL_CTX_new.patch bip-0.8.9/debian/patches/0002-check-value-returned-by-SSL_CTX_new.patch
--- bip-0.8.9/debian/patches/0002-check-value-returned-by-SSL_CTX_new.patch	1970-01-01 01:00:00.000000000 +0100
+++ bip-0.8.9/debian/patches/0002-check-value-returned-by-SSL_CTX_new.patch	2018-01-22 23:21:31.000000000 +0100
@@ -0,0 +1,28 @@
+From 406ebacfe5ab8fbd5747d08a6eab3d43d45709e2 Mon Sep 17 00:00:00 2001
+From: Pierre-Louis Bonicoli <pierre-louis.bonic...@gmx.fr>
+Date: Wed, 13 Apr 2016 01:14:36 +0200
+Subject: [PATCH] check value returned by SSL_CTX_new
+
+---
+ src/connection.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/connection.c b/src/connection.c
+index 431dd07e5e39..1c445e6b0c81 100644
+--- a/src/connection.c
++++ b/src/connection.c
+@@ -1355,7 +1355,10 @@ static SSL_CTX *SSL_init_context(char *ciphers)
+ 	}
+ 
+ 	/* allocated by function */
+-	ctx = SSL_CTX_new(SSLv23_method());
++	if (!(ctx = SSL_CTX_new(SSLv23_method()))) {
++		ERR_print_errors(errbio);
++		return NULL;
++	}
+ 	SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_BOTH);
+ 	SSL_CTX_set_timeout(ctx, (long)60);
+ 	SSL_CTX_set_options(ctx, SSL_OP_ALL);
+-- 
+2.15.1
+
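Review bot: The new failure branch returns NULL right after `ERR_print_errors(errbio)`, but SSL_init_context's body starts outside the hunk, so confirm that nothing acquired earlier in the function (errbio itself, if it is created there) is leaked on that early return. Separately, now that the package builds against OpenSSL 1.1 via libssl-dev, `SSLv23_method()` is a deprecated alias of `TLS_method()`; the `OPENSSL_VERSION_NUMBER` guard introduced by the first patch could select `ctx = SSL_CTX_new(TLS_method());` on 1.1 and keep the old call on 1.0.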
diff -Nru bip-0.8.9/debian/patches/0003-Add-missing-call-to-SSL_CTX_free.patch bip-0.8.9/debian/patches/0003-Add-missing-call-to-SSL_CTX_free.patch
--- bip-0.8.9/debian/patches/0003-Add-missing-call-to-SSL_CTX_free.patch	1970-01-01 01:00:00.000000000 +0100
+++ bip-0.8.9/debian/patches/0003-Add-missing-call-to-SSL_CTX_free.patch	2018-01-22 23:21:49.000000000 +0100
@@ -0,0 +1,24 @@
+From e8b5d02f132627bb8b6a985d9d908fe31f9d7f71 Mon Sep 17 00:00:00 2001
+From: Pierre-Louis Bonicoli <pierre-louis.bonic...@gmx.fr>
+Date: Wed, 13 Apr 2016 01:15:43 +0200
+Subject: [PATCH] Add missing call to SSL_CTX_free
+
+---
+ src/connection.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/connection.c b/src/connection.c
+index 1c445e6b0c81..a5fbb3d20f81 100644
+--- a/src/connection.c
++++ b/src/connection.c
+@@ -1264,6 +1264,7 @@ connection_t *accept_new(connection_t *cn)
+ 		conn->ssl_h = SSL_new(sslctx);
+ 		if (!conn->ssl_h) {
+ 			connection_free(conn);
++			SSL_CTX_free(sslctx);
+ 			return NULL;
+ 		}
+ 		SSL_set_accept_state(conn->ssl_h);
+-- 
+2.15.1
+
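Review bot: `SSL_new()` takes its own reference on sslctx, so if accept_new creates sslctx for this one connection (the function's start is outside the hunk), the success path also needs an `SSL_CTX_free(sslctx);` after the `SSL_new()` call, otherwise one SSL_CTX leaks per accepted connection and the added free only covers the failure path. If sslctx is instead a long-lived context shared across connections, the added free drops a reference its owner still relies on. Either way a one-line comment stating who owns sslctx at this point would make the correct cleanup obvious.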
diff -Nru bip-0.8.9/debian/patches/0004-X509_OBJECT_new-call-X509err.patch bip-0.8.9/debian/patches/0004-X509_OBJECT_new-call-X509err.patch
--- bip-0.8.9/debian/patches/0004-X509_OBJECT_new-call-X509err.patch	1970-01-01 01:00:00.000000000 +0100
+++ bip-0.8.9/debian/patches/0004-X509_OBJECT_new-call-X509err.patch	2018-01-22 23:22:20.000000000 +0100
@@ -0,0 +1,26 @@
+From e452c023ad83b4e88c5b09fef501ab82e7058bf7 Mon Sep 17 00:00:00 2001
+From: Pierre-Louis Bonicoli <pierre-louis.bonic...@gmx.fr>
+Date: Sat, 12 Nov 2016 00:58:18 +0100
+Subject: [PATCH] X509_OBJECT_new: call X509err
+
+mimic behavior of X509_OBJECT_new provided by OpenSSL >= 1.1
+---
+ src/connection.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/connection.c b/src/connection.c
+index 65f06e4cb7ef..a10a6860d610 100644
+--- a/src/connection.c
++++ b/src/connection.c
+@@ -262,6 +262,8 @@ X509_OBJECT *X509_OBJECT_new()
+ 	if (ret != NULL) {
+ 		memset(ret, 0, sizeof(*ret));
+ 		ret->type = X509_LU_FAIL;
++	} else {
++		X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
+ 	}
+ 	return ret;
+ }
+-- 
+2.15.1
+
diff -Nru bip-0.8.9/debian/patches/0005-Check-value-returned-by-X509_OBJECT_new.patch bip-0.8.9/debian/patches/0005-Check-value-returned-by-X509_OBJECT_new.patch
--- bip-0.8.9/debian/patches/0005-Check-value-returned-by-X509_OBJECT_new.patch	1970-01-01 01:00:00.000000000 +0100
+++ bip-0.8.9/debian/patches/0005-Check-value-returned-by-X509_OBJECT_new.patch	2018-01-22 23:22:37.000000000 +0100
@@ -0,0 +1,72 @@
+From 2e81cca480ed74abf8559d7e1bbe52f6be273786 Mon Sep 17 00:00:00 2001
+From: Pierre-Louis Bonicoli <pierre-louis.bonic...@gmx.fr>
+Date: Sat, 12 Nov 2016 00:52:50 +0100
+Subject: [PATCH] Check value returned by X509_OBJECT_new()
+
+Reported by Alexander Couzens, thanks to him !
+---
+ src/connection.c | 45 ++++++++++++++++++++++++---------------------
+ 1 file changed, 24 insertions(+), 21 deletions(-)
+
+diff --git a/src/connection.c b/src/connection.c
+index a10a6860d610..86377a9109bf 100644
+--- a/src/connection.c
++++ b/src/connection.c
+@@ -1374,30 +1374,33 @@ static int bip_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
+ 			 err == X509_V_ERR_CERT_HAS_EXPIRED ||
+ 			 err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)) {
+ 
+-		xobj = X509_OBJECT_new();
+-		if (X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509,
+-				X509_get_subject_name(err_cert), xobj) > 0 &&
+-				!X509_cmp(X509_OBJECT_get0_X509(xobj), err_cert)) {
+-			if (err == X509_V_ERR_CERT_HAS_EXPIRED)
+-				mylog(LOG_INFO, "Basic mode; Accepting "
+-						"*expired* peer certificate "
+-						"found in store.");
+-			else
+-				mylog(LOG_INFO, "Basic mode; Accepting peer "
+-					"certificate found in store.");
+-
+-			result = 1;
+-			err = X509_V_OK;
+-			X509_STORE_CTX_set_error(ctx, err);
++		if (!(xobj = X509_OBJECT_new())) {
++			result = 0;
+ 		} else {
+-			mylog(LOG_INFO, "Basic mode; peer certificate NOT "
+-					"in store, rejecting it!");
+-			err = X509_V_ERR_CERT_REJECTED;
+-			X509_STORE_CTX_set_error(ctx, err);
++			if (X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509,
++					X509_get_subject_name(err_cert), xobj) > 0 &&
++					!X509_cmp(X509_OBJECT_get0_X509(xobj), err_cert)) {
++				if (err == X509_V_ERR_CERT_HAS_EXPIRED)
++					mylog(LOG_INFO, "Basic mode; Accepting "
++							"*expired* peer certificate "
++							"found in store.");
++				else
++					mylog(LOG_INFO, "Basic mode; Accepting peer "
++						"certificate found in store.");
+ 
+-			link_add_untrusted(c->user_data, X509_dup(err_cert));
++				result = 1;
++				err = X509_V_OK;
++				X509_STORE_CTX_set_error(ctx, err);
++			} else {
++				mylog(LOG_INFO, "Basic mode; peer certificate NOT "
++						"in store, rejecting it!");
++				err = X509_V_ERR_CERT_REJECTED;
++				X509_STORE_CTX_set_error(ctx, err);
++
++				link_add_untrusted(c->user_data, X509_dup(err_cert));
++			}
++			X509_OBJECT_free(xobj);
+ 		}
+-		X509_OBJECT_free(xobj);
+ 	}
+ 
+ 	if (!result) {
+-- 
+2.15.1
+
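Review bot: The new allocation-failure branch `if (!(xobj = X509_OBJECT_new()))` correctly fails closed with `result = 0`, but unlike the rejected-certificate branch it logs nothing and leaves the store-context error at whatever value triggered the basic-mode check, so an operator sees a generic verification failure with no hint that the cause was an allocation failure. Add `mylog(LOG_WARN, "SSL: cannot allocate X509_OBJECT, rejecting peer certificate");` in that branch, matching the logging style of the sibling branches. The enclosing bip_ssl_verify_callback starts and ends outside the hunk.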
diff -Nru bip-0.8.9/debian/patches/series bip-0.8.9/debian/patches/series
--- bip-0.8.9/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ bip-0.8.9/debian/patches/series	2018-01-22 23:24:00.000000000 +0100
@@ -0,0 +1,5 @@
+0001-Handle-OpenSSL-version-1.1.patch
+0002-check-value-returned-by-SSL_CTX_new.patch
+0003-Add-missing-call-to-SSL_CTX_free.patch
+0004-X509_OBJECT_new-call-X509err.patch
+0005-Check-value-returned-by-X509_OBJECT_new.patch
