diff --git a/SOURCES/bz1688892-fix-openssl-init-config-check.patch b/SOURCES/bz1688892-fix-openssl-init-config-check.patch new file mode 100644 index 0000000..b77f498 --- /dev/null +++ b/SOURCES/bz1688892-fix-openssl-init-config-check.patch @@ -0,0 +1,76 @@ +From 1f2b558da9f631a635e9b099b455696b1903bee4 Mon Sep 17 00:00:00 2001 +From: Quentin Armitage +Date: Fri, 15 Mar 2019 00:12:19 +0000 +Subject: [PATCH 3/3] Fix some configure tested checks for OPENSSL_init_crypto + +Signed-off-by: Quentin Armitage +--- + genhash/ssl.c | 6 +++--- + keepalived/check/check_ssl.c | 6 +++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/genhash/ssl.c b/genhash/ssl.c +index 96f51201..0574675a 100644 +--- a/genhash/ssl.c ++++ b/genhash/ssl.c +@@ -44,7 +44,7 @@ void + init_ssl(void) + { + /* Library initialization */ +-#if HAVE_OPENSSL_INIT_CRYPTO ++#ifdef HAVE_OPENSSL_INIT_CRYPTO + #ifndef HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG + /* In OpenSSL v1.1.1 if the following is called, SSL_CTX_new() below fails. + * It works in v1.1.0h and v1.1.1b. +@@ -59,7 +59,7 @@ init_ssl(void) + #endif + + /* Initialize SSL context */ +-#if HAVE_TLS_METHOD ++#ifdef HAVE_TLS_METHOD + req->meth = TLS_method(); + #else + req->meth = SSLv23_method(); +@@ -123,7 +123,7 @@ ssl_connect(thread_t * thread) + } + + BIO_set_nbio(sock_obj->bio, 1); /* Set the Non-Blocking flag */ +-#if HAVE_SSL_SET0_RBIO ++#ifdef HAVE_SSL_SET0_RBIO + BIO_up_ref(sock_obj->bio); + SSL_set0_rbio(sock_obj->ssl, sock_obj->bio); + SSL_set0_wbio(sock_obj->ssl, sock_obj->bio); +diff --git a/keepalived/check/check_ssl.c b/keepalived/check/check_ssl.c +index 2743ea87..58061b91 100644 +--- a/keepalived/check/check_ssl.c ++++ b/keepalived/check/check_ssl.c +@@ -68,7 +68,7 @@ build_ssl_ctx(void) + ssl_data_t *ssl; + + /* Library initialization */ +-#if HAVE_OPENSSL_INIT_CRYPTO ++#ifdef HAVE_OPENSSL_INIT_CRYPTO + #ifndef HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG + /* In OpenSSL v1.1.1 if the following is called, SSL_CTX_new() below fails. + * It works in v1.1.0h and v1.1.1b. +@@ -88,7 +88,7 @@ build_ssl_ctx(void) + ssl = check_data->ssl; + + /* Initialize SSL context */ +-#if HAVE_TLS_METHOD ++#ifdef HAVE_TLS_METHOD + ssl->meth = TLS_method(); + #else + ssl->meth = SSLv23_method(); +@@ -226,7 +226,7 @@ ssl_connect(thread_t * thread, int new_req) + + BIO_get_fd(req->bio, &bio_fd); + fcntl(bio_fd, F_SETFD, fcntl(bio_fd, F_GETFD) | FD_CLOEXEC); +-#if HAVE_SSL_SET0_RBIO ++#ifdef HAVE_SSL_SET0_RBIO + BIO_up_ref(req->bio); + SSL_set0_rbio(req->ssl, req->bio); + SSL_set0_wbio(req->ssl, req->bio); +-- +2.20.1 + diff --git a/SOURCES/bz1688892-fix-openssl-init-configure.patch b/SOURCES/bz1688892-fix-openssl-init-configure.patch new file mode 100644 index 0000000..43ec64b --- /dev/null +++ b/SOURCES/bz1688892-fix-openssl-init-configure.patch @@ -0,0 +1,409 @@ +--- a/configure 2018-11-12 13:40:33.000000000 -0600 ++++ b/configure 2019-03-18 11:29:03.305427768 -0500 +@@ -730,7 +730,6 @@ + AMDEPBACKSLASH + AMDEP_FALSE + AMDEP_TRUE +-am__quote + am__include + DEPDIR + OBJEXT +@@ -790,7 +789,6 @@ + docdir + oldincludedir + includedir +-runstatedir + localstatedir + sharedstatedir + sysconfdir +@@ -809,7 +807,8 @@ + PACKAGE_TARNAME + PACKAGE_NAME + PATH_SEPARATOR +-SHELL' ++SHELL ++am__quote' + ac_subst_files='' + ac_user_opts=' + enable_option_checking +@@ -925,7 +924,6 @@ + sysconfdir='${prefix}/etc' + sharedstatedir='${prefix}/com' + localstatedir='${prefix}/var' +-runstatedir='${localstatedir}/run' + includedir='${prefix}/include' + oldincludedir='/usr/include' + docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' +@@ -1178,15 +1176,6 @@ + | -silent | --silent | --silen | --sile | --sil) + silent=yes ;; + +- -runstatedir | --runstatedir | --runstatedi | --runstated \ +- | --runstate | --runstat | --runsta | --runst | --runs \ +- | --run | --ru | --r) +- ac_prev=runstatedir ;; +- -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ +- | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ +- | --run=* | --ru=* | --r=*) +- runstatedir=$ac_optarg ;; +- + -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) + ac_prev=sbindir ;; + -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ +@@ -1324,7 +1313,7 @@ + for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ + datadir sysconfdir sharedstatedir localstatedir includedir \ + oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ +- libdir localedir mandir runstatedir ++ libdir localedir mandir + do + eval ac_val=\$$ac_var + # Remove trailing slashes. +@@ -1477,7 +1466,6 @@ + --sysconfdir=DIR read-only single-machine data [PREFIX/etc] + --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] + --localstatedir=DIR modifiable single-machine data [PREFIX/var] +- --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] + --libdir=DIR object code libraries [EPREFIX/lib] + --includedir=DIR C header files [PREFIX/include] + --oldincludedir=DIR C header files for non-gcc [/usr/include] +@@ -2689,7 +2677,7 @@ + ac_compiler_gnu=$ac_cv_c_compiler_gnu + + +-am__api_version='1.15' ++am__api_version='1.16' + + ac_aux_dir= + for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do +@@ -3234,8 +3222,8 @@ + + # For better backward compatibility. To be removed once Automake 1.9.x + # dies out for good. For more background, see: +-# +-# ++# ++# + mkdir_p='$(MKDIR_P)' + + # We need awk for the "check" target (and possibly the TAP driver). The +@@ -3286,7 +3274,7 @@ + Aborting the configuration process, to ensure you take notice of the issue. + + You can download and install GNU coreutils to get an 'rm' implementation +-that behaves properly: . ++that behaves properly: . + + If you want to complete the configuration process using your problematic + 'rm' anyway, export the environment variable ACCEPT_INFERIOR_RM_PROGRAM +@@ -4650,45 +4638,45 @@ + + ac_config_commands="$ac_config_commands depfiles" + +- +-am_make=${MAKE-make} +-cat > confinc << 'END' ++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ${MAKE-make} supports the include directive" >&5 ++$as_echo_n "checking whether ${MAKE-make} supports the include directive... " >&6; } ++cat > confinc.mk << 'END' + am__doit: +- @echo this is the am__doit target ++ @echo this is the am__doit target >confinc.out + .PHONY: am__doit + END +-# If we don't find an include directive, just comment out the code. +-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for style of include used by $am_make" >&5 +-$as_echo_n "checking for style of include used by $am_make... " >&6; } + am__include="#" + am__quote= +-_am_result=none +-# First try GNU make style include. +-echo "include confinc" > confmf +-# Ignore all kinds of additional output from 'make'. +-case `$am_make -s -f confmf 2> /dev/null` in #( +-*the\ am__doit\ target*) +- am__include=include +- am__quote= +- _am_result=GNU +- ;; +-esac +-# Now try BSD make style include. +-if test "$am__include" = "#"; then +- echo '.include "confinc"' > confmf +- case `$am_make -s -f confmf 2> /dev/null` in #( +- *the\ am__doit\ target*) +- am__include=.include +- am__quote="\"" +- _am_result=BSD ++# BSD make does it like this. ++echo '.include "confinc.mk" # ignored' > confmf.BSD ++# Other make implementations (GNU, Solaris 10, AIX) do it like this. ++echo 'include confinc.mk # ignored' > confmf.GNU ++_am_result=no ++for s in GNU BSD; do ++ { echo "$as_me:$LINENO: ${MAKE-make} -f confmf.$s && cat confinc.out" >&5 ++ (${MAKE-make} -f confmf.$s && cat confinc.out) >&5 2>&5 ++ ac_status=$? ++ echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); } ++ case $?:`cat confinc.out 2>/dev/null` in #( ++ '0:this is the am__doit target') : ++ case $s in #( ++ BSD) : ++ am__include='.include' am__quote='"' ;; #( ++ *) : ++ am__include='include' am__quote='' ;; ++esac ;; #( ++ *) : + ;; +- esac +-fi +- +- +-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $_am_result" >&5 +-$as_echo "$_am_result" >&6; } +-rm -f confinc confmf ++esac ++ if test "$am__include" != "#"; then ++ _am_result="yes ($s style)" ++ break ++ fi ++done ++rm -f confinc.* confmf.* ++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: ${_am_result}" >&5 ++$as_echo "${_am_result}" >&6; } + + # Check whether --enable-dependency-tracking was given. + if test "${enable_dependency_tracking+set}" = set; then : +@@ -7506,8 +7494,8 @@ + done + + +-# SSL_set0_rbio(), SSL_set0_wbio() and OPENSSL_init_crypto() introduced OpenSSL v1.1.0 +-for ac_func in SSL_set0_rbio OPENSSL_init_crypto ++# SSL_set0_rbio(), SSL_set0_wbio() OPENSSL_init_crypto() and TLS_method() introduced OpenSSL v1.1.0 ++for ac_func in SSL_set0_rbio OPENSSL_init_crypto TLS_method + do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` + ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +@@ -7520,19 +7508,62 @@ + done + + +-# TLS_method() introduced OpenSSL v1.1.0 +-for ac_func in TLS_method +-do : +- ac_fn_c_check_func "$LINENO" "TLS_method" "ac_cv_func_TLS_method" +-if test "x$ac_cv_func_TLS_method" = xyes; then : +- cat >>confdefs.h <<_ACEOF +-#define HAVE_TLS_METHOD 1 +-_ACEOF ++# In OpenSSL v1.1.1 the call to SSL_CTX_new() fails if OPENSSL_init_crypto() has been called with ++# OPENSSL_INIT_NO_LOAD_CONFIG. It does not fail in v1.1.0h and v1.1.1b. ++if test .$ac_cv_func_OPENSSL_init_crypto = .yes; then : + ++ if test .$ac_cv_func_TLS_method = .yes; then : ++ method_func=TLS_method ++else ++ method_func=SSLv23_method + fi +-done ++ if test "$cross_compiling" = yes; then : ++ ++ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Cannot determine if need to OPENSSL_init_crypto() problem. Assuming yes for safety." >&5 ++$as_echo "$as_me: WARNING: Cannot determine if need to OPENSSL_init_crypto() problem. Assuming yes for safety." >&2;} ++ openssl_init_no_load_bug=1 ++ ++ ++else ++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext ++/* end confdefs.h. */ ++#include ++int ++main () ++{ ++ ++ const SSL_METHOD *meth; ++ SSL_CTX *ctx; ++ ++ if (!OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL)) ++ return 1; + ++ /* Initialize SSL context */ ++ meth = $method_func(); ++ if (!(ctx = SSL_CTX_new(meth))) ++ return 1; ++ return 0; + ++ ; ++ return 0; ++} ++_ACEOF ++if ac_fn_c_try_run "$LINENO"; then : ++ openssl_init_no_load_bug=0 ++else ++ openssl_init_no_load_bug=1 ++fi ++rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ ++ conftest.$ac_objext conftest.beam conftest.$ac_ext ++fi ++ ++ if test $openssl_init_no_load_bug -eq 1; then : ++ ++$as_echo "#define HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG 1 " >>confdefs.h ++ ++fi ++ ++fi + unset LIBS + + if test $BUILD_GENHASH = No; then +@@ -12695,7 +12726,7 @@ + # + # INIT-COMMANDS + # +-AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir" ++AMDEP_TRUE="$AMDEP_TRUE" MAKE="${MAKE-make}" + + _ACEOF + +@@ -13322,29 +13353,35 @@ + # Older Autoconf quotes --file arguments for eval, but not when files + # are listed without --file. Let's play safe and only enable the eval + # if we detect the quoting. +- case $CONFIG_FILES in +- *\'*) eval set x "$CONFIG_FILES" ;; +- *) set x $CONFIG_FILES ;; +- esac ++ # TODO: see whether this extra hack can be removed once we start ++ # requiring Autoconf 2.70 or later. ++ case $CONFIG_FILES in #( ++ *\'*) : ++ eval set x "$CONFIG_FILES" ;; #( ++ *) : ++ set x $CONFIG_FILES ;; #( ++ *) : ++ ;; ++esac + shift +- for mf ++ # Used to flag and report bootstrapping failures. ++ am_rc=0 ++ for am_mf + do + # Strip MF so we end up with the name of the file. +- mf=`echo "$mf" | sed -e 's/:.*$//'` +- # Check whether this is an Automake generated Makefile or not. +- # We used to match only the files named 'Makefile.in', but +- # some people rename them; so instead we look at the file content. +- # Grep'ing the first line is not enough: some people post-process +- # each Makefile.in and add a new line on top of each file to say so. +- # Grep'ing the whole file is not good either: AIX grep has a line ++ am_mf=`$as_echo "$am_mf" | sed -e 's/:.*$//'` ++ # Check whether this is an Automake generated Makefile which includes ++ # dependency-tracking related rules and includes. ++ # Grep'ing the whole file directly is not great: AIX grep has a line + # limit of 2048, but all sed's we know have understand at least 4000. +- if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then +- dirpart=`$as_dirname -- "$mf" || +-$as_expr X"$mf" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ +- X"$mf" : 'X\(//\)[^/]' \| \ +- X"$mf" : 'X\(//\)$' \| \ +- X"$mf" : 'X\(/\)' \| . 2>/dev/null || +-$as_echo X"$mf" | ++ sed -n 's,^am--depfiles:.*,X,p' "$am_mf" | grep X >/dev/null 2>&1 \ ++ || continue ++ am_dirpart=`$as_dirname -- "$am_mf" || ++$as_expr X"$am_mf" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ ++ X"$am_mf" : 'X\(//\)[^/]' \| \ ++ X"$am_mf" : 'X\(//\)$' \| \ ++ X"$am_mf" : 'X\(/\)' \| . 2>/dev/null || ++$as_echo X"$am_mf" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q +@@ -13362,53 +13399,48 @@ + q + } + s/.*/./; q'` +- else +- continue +- fi +- # Extract the definition of DEPDIR, am__include, and am__quote +- # from the Makefile without running 'make'. +- DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"` +- test -z "$DEPDIR" && continue +- am__include=`sed -n 's/^am__include = //p' < "$mf"` +- test -z "$am__include" && continue +- am__quote=`sed -n 's/^am__quote = //p' < "$mf"` +- # Find all dependency output files, they are included files with +- # $(DEPDIR) in their names. We invoke sed twice because it is the +- # simplest approach to changing $(DEPDIR) to its actual value in the +- # expansion. +- for file in `sed -n " +- s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \ +- sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g'`; do +- # Make sure the directory exists. +- test -f "$dirpart/$file" && continue +- fdir=`$as_dirname -- "$file" || +-$as_expr X"$file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ +- X"$file" : 'X\(//\)[^/]' \| \ +- X"$file" : 'X\(//\)$' \| \ +- X"$file" : 'X\(/\)' \| . 2>/dev/null || +-$as_echo X"$file" | +- sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ +- s//\1/ +- q +- } +- /^X\(\/\/\)[^/].*/{ ++ am_filepart=`$as_basename -- "$am_mf" || ++$as_expr X/"$am_mf" : '.*/\([^/][^/]*\)/*$' \| \ ++ X"$am_mf" : 'X\(//\)$' \| \ ++ X"$am_mf" : 'X\(/\)' \| . 2>/dev/null || ++$as_echo X/"$am_mf" | ++ sed '/^.*\/\([^/][^/]*\)\/*$/{ + s//\1/ + q + } +- /^X\(\/\/\)$/{ ++ /^X\/\(\/\/\)$/{ + s//\1/ + q + } +- /^X\(\/\).*/{ ++ /^X\/\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` +- as_dir=$dirpart/$fdir; as_fn_mkdir_p +- # echo "creating $dirpart/$file" +- echo '# dummy' > "$dirpart/$file" +- done ++ { echo "$as_me:$LINENO: cd "$am_dirpart" \ ++ && sed -e '/# am--include-marker/d' "$am_filepart" \ ++ | $MAKE -f - am--depfiles" >&5 ++ (cd "$am_dirpart" \ ++ && sed -e '/# am--include-marker/d' "$am_filepart" \ ++ | $MAKE -f - am--depfiles) >&5 2>&5 ++ ac_status=$? ++ echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); } || am_rc=$? + done ++ if test $am_rc -ne 0; then ++ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 ++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} ++as_fn_error $? "Something went wrong bootstrapping makefile fragments ++ for automatic dependency tracking. Try re-running configure with the ++ '--disable-dependency-tracking' option to at least be able to build ++ the package (albeit without support for automatic dependency tracking). ++See \`config.log' for more details" "$LINENO" 5; } ++ fi ++ { am_dirpart=; unset am_dirpart;} ++ { am_filepart=; unset am_filepart;} ++ { am_mf=; unset am_mf;} ++ { am_rc=; unset am_rc;} ++ rm -f conftest-deps.mk + } + ;; + diff --git a/SOURCES/bz1688892-fix-openssl-init-failure.patch b/SOURCES/bz1688892-fix-openssl-init-failure.patch new file mode 100644 index 0000000..4a8f64a --- /dev/null +++ b/SOURCES/bz1688892-fix-openssl-init-failure.patch @@ -0,0 +1,81 @@ +From aeec0e2cda5c440fdd3c5bea20ed7567bea540e1 Mon Sep 17 00:00:00 2001 +From: Quentin Armitage +Date: Tue, 12 Mar 2019 14:58:38 +0000 +Subject: [PATCH 1/3] Fix OpenSSL init failure with OpenSSL v1.1.1 + +OpenSSL v1.1.1, but not v1.1.0h or v1.1.1b failed in SSL_CTX_new() +if OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG) had previously +been called. + +This commit doesn't call OPENSSL_init_crypto() if doing so causes +SSL_CTX_new() to fail. + +Signed-off-by: Quentin Armitage +--- + configure.ac | 30 ++++++++++++++++++++++++++++++ + keepalived/check/check_ssl.c | 6 ++++++ + 2 files changed, 36 insertions(+) + +diff --git a/configure.ac b/configure.ac +index 89399ca3..504b9b92 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -819,6 +819,36 @@ AC_CHECK_FUNCS([SSL_set0_rbio OPENSSL_init_crypto]) + # TLS_method() introduced OpenSSL v1.1.0 + AC_CHECK_FUNCS([TLS_method]) + ++# In OpenSSL v1.1.1 the call to SSL_CTX_new() fails if OPENSSL_init_crypto() has been called with ++# OPENSSL_INIT_NO_LOAD_CONFIG. It does not fail in v1.1.0h and v1.1.1b. ++AS_IF([test .$ac_cv_func_OPENSSL_init_crypto = .yes -a .$ac_cv_func_TLS_method = .yes], ++ [ ++ AC_RUN_IFELSE( ++ [AC_LANG_PROGRAM( ++ [[#include ]], ++ [[ ++ const SSL_METHOD *meth; ++ SSL_CTX *ctx; ++ ++ if (!OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL)) ++ return 1; ++ ++ /* Initialize SSL context */ ++ meth = TLS_method(); ++ if (!(ctx = SSL_CTX_new(meth))) ++ return 1; ++ return 0; ++ ]])], ++ [openssl_init_no_load_bug=0], ++ [openssl_init_no_load_bug=1], ++ [ ++ AC_MSG_WARN([Cannot determine if need to OPENSSL_init_crypto() problem. Assuming yes for safety.]) ++ openssl_init_no_load_bug=1 ++ ] ++ ) ++ AS_IF([test $openssl_init_no_load_bug -eq 1], ++ [AC_DEFINE([HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG], [ 1 ], [Define to 1 if OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG) bug)])]) ++ ]) + unset LIBS + + if test $BUILD_GENHASH = No; then +diff --git a/keepalived/check/check_ssl.c b/keepalived/check/check_ssl.c +index 6bf6a005..2743ea87 100644 +--- a/keepalived/check/check_ssl.c ++++ b/keepalived/check/check_ssl.c +@@ -69,8 +69,14 @@ build_ssl_ctx(void) + + /* Library initialization */ + #if HAVE_OPENSSL_INIT_CRYPTO ++#ifndef HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG ++ /* In OpenSSL v1.1.1 if the following is called, SSL_CTX_new() below fails. ++ * It works in v1.1.0h and v1.1.1b. ++ * It transpires that it works without setting NO_LOAD_CONFIG, but it is ++ * presumably more efficient not to load it. */ + if (!OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL)) + log_message(LOG_INFO, "OPENSSL_init_crypto failed"); ++#endif + #else + SSL_library_init(); + SSL_load_error_strings(); +-- +2.20.1 + diff --git a/SOURCES/bz1688892-fix-openssl-init-genhash.patch b/SOURCES/bz1688892-fix-openssl-init-genhash.patch new file mode 100644 index 0000000..a9251f3 --- /dev/null +++ b/SOURCES/bz1688892-fix-openssl-init-genhash.patch @@ -0,0 +1,72 @@ +From 5e1a2130340ea4fabc4095b412c8b3836d112828 Mon Sep 17 00:00:00 2001 +From: Quentin Armitage +Date: Wed, 13 Mar 2019 09:46:27 +0000 +Subject: [PATCH 2/3] Fix genhash re OPENSSL_init_crypto bug and improve + configure.ac + +Commit fe6d6ac (Fix OpenSSL init failure with OpenSSL v1.1.1) didn't +update the identical code in genhash/ssl.c. Also, an improvement for +the test in configure.ac was suggested. + +Signed-off-by: Quentin Armitage +--- + configure.ac | 12 +++++------- + genhash/ssl.c | 6 ++++++ + 2 files changed, 11 insertions(+), 7 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 504b9b92..c964a11e 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -813,16 +813,14 @@ AC_COMPILE_IFELSE([AC_LANG_SOURCE([[ + # SSL_CTX_set_verify_depth() introduced OpenSSL v0.9.5a + AC_CHECK_FUNCS([SSL_CTX_set_verify_depth]) + +-# SSL_set0_rbio(), SSL_set0_wbio() and OPENSSL_init_crypto() introduced OpenSSL v1.1.0 +-AC_CHECK_FUNCS([SSL_set0_rbio OPENSSL_init_crypto]) +- +-# TLS_method() introduced OpenSSL v1.1.0 +-AC_CHECK_FUNCS([TLS_method]) ++# SSL_set0_rbio(), SSL_set0_wbio() OPENSSL_init_crypto() and TLS_method() introduced OpenSSL v1.1.0 ++AC_CHECK_FUNCS([SSL_set0_rbio OPENSSL_init_crypto TLS_method]) + + # In OpenSSL v1.1.1 the call to SSL_CTX_new() fails if OPENSSL_init_crypto() has been called with + # OPENSSL_INIT_NO_LOAD_CONFIG. It does not fail in v1.1.0h and v1.1.1b. +-AS_IF([test .$ac_cv_func_OPENSSL_init_crypto = .yes -a .$ac_cv_func_TLS_method = .yes], ++AS_IF([test .$ac_cv_func_OPENSSL_init_crypto = .yes], + [ ++ AS_IF([test .$ac_cv_func_TLS_method = .yes], [method_func=TLS_method], [method_func=SSLv23_method]) + AC_RUN_IFELSE( + [AC_LANG_PROGRAM( + [[#include ]], +@@ -834,7 +832,7 @@ AS_IF([test .$ac_cv_func_OPENSSL_init_crypto = .yes -a .$ac_cv_func_TLS_method = + return 1; + + /* Initialize SSL context */ +- meth = TLS_method(); ++ meth = $method_func(); + if (!(ctx = SSL_CTX_new(meth))) + return 1; + return 0; +diff --git a/genhash/ssl.c b/genhash/ssl.c +index 8e9162c8..96f51201 100644 +--- a/genhash/ssl.c ++++ b/genhash/ssl.c +@@ -45,8 +45,14 @@ init_ssl(void) + { + /* Library initialization */ + #if HAVE_OPENSSL_INIT_CRYPTO ++#ifndef HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG ++ /* In OpenSSL v1.1.1 if the following is called, SSL_CTX_new() below fails. ++ * It works in v1.1.0h and v1.1.1b. ++ * It transpires that it works without setting NO_LOAD_CONFIG, but it is ++ * presumably more efficient not to load it. */ + if (!OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL)) + fprintf(stderr, "OPENSSL_init_crypto failed\n"); ++#endif + #else + SSL_library_init(); + SSL_load_error_strings(); +-- +2.20.1 + diff --git a/SPECS/keepalived.spec b/SPECS/keepalived.spec index 7e608f0..997e502 100644 --- a/SPECS/keepalived.spec +++ b/SPECS/keepalived.spec @@ -9,7 +9,7 @@ Name: keepalived Summary: High Availability monitor built upon LVS, VRRP and service pollers Version: 2.0.10 -Release: 1%{?dist} +Release: 4%{?dist}.1 License: GPLv2+ URL: http://www.keepalived.org/ Group: System Environment/Daemons @@ -17,6 +17,11 @@ Group: System Environment/Daemons Source0: http://www.keepalived.org/software/keepalived-%{version}.tar.gz Source1: keepalived.service +Patch1: bz1688892-fix-openssl-init-failure.patch +Patch2: bz1688892-fix-openssl-init-genhash.patch +Patch3: bz1688892-fix-openssl-init-config-check.patch +Patch4: bz1688892-fix-openssl-init-configure.patch + Requires(post): systemd Requires(preun): systemd Requires(postun): systemd @@ -25,9 +30,11 @@ Requires(postun): systemd BuildRequires: net-snmp-devel %endif BuildRequires: gcc +BuildRequires: automake BuildRequires: systemd-units BuildRequires: openssl-devel BuildRequires: libnl3-devel +BuildRequires: ipset-devel BuildRequires: iptables-devel BuildRequires: libnfnetlink-devel @@ -47,6 +54,10 @@ infrastructures. %prep %setup -q +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 %build %configure \ @@ -96,10 +107,22 @@ mkdir -p %{buildroot}%{_libexecdir}/keepalived %{_mandir}/man8/keepalived.8* %changelog +* Thu Apr 04 2019 Ryan O'Hara - 2.0.10-4.1 +- Rebuild for z-stream (#1690306) + +* Wed Mar 27 2019 Ryan O'Hara - 2.0.10-4 +- Bump release number (#1688892) + +* Mon Mar 18 2019 Ryan O'Hara - 2.0.10-3 +- Rework fix for OpenSSL initialization segfault (#1688892) + +* Fri Mar 15 2019 Ryan O'Hara - 2.0.10-2 +- Fix OpenSSL initialization segfault (#1688892) + * Mon Nov 26 2018 Ryan O'Hara - 2.0.10-1 - Update to 2.0.10 (#1631816) -* Mon Oct 06 2018 Ryan O'Hara - 2.0.7-2 +* Mon Oct 08 2018 Ryan O'Hara - 2.0.7-2 - Remove BuildRequires for ipset-devel * Tue Oct 02 2018 Ryan O'Hara - 2.0.7-1