diff --git a/SOURCES/openvswitch-2.17.0.patch b/SOURCES/openvswitch-2.17.0.patch
index ac1ba8d..5da4f59 100644
--- a/SOURCES/openvswitch-2.17.0.patch
+++ b/SOURCES/openvswitch-2.17.0.patch
@@ -283,6 +283,108 @@ index 0c360fd1ef..c981f90bc7 100644
 [], [enable_sparse=no])
 AM_CONDITIONAL([ENABLE_SPARSE_BY_DEFAULT], [test $enable_sparse = yes])])
+diff --git a/build-aux/generate-dhparams-c b/build-aux/generate-dhparams-c
+index 1884c99e1f..aca1dbca91 100755
+--- a/build-aux/generate-dhparams-c
++++ b/build-aux/generate-dhparams-c
+@@ -1,5 +1,74 @@
+ #! /bin/sh -e
++dhparam_to_c() {
++ local bits
++ local get_p=0
++ local line
++ local nl="
++"
++ local p
++ local i=0
++ while read -r line; do
++ case "$line" in
++ *"DH Parameters: "*)
++ bits=${line#*DH Parameters: (}
++ bits=${bits% bit)}
++ continue
++ ;;
++ "P:"|"prime:")
++ get_p=1
++ continue
++ ;;
++ "G: "*|"generator: "*)
++ g=${line#*(}
++ g=${g%)}
++ g=$(printf "0x%.2X" "$g")
++ continue
++ ;;
++ esac
++ if [ "$get_p" = 1 ]; then
++ IFS=":"
++ for x in $line; do
++ [ -z "$p" ] && [ "$x" = "00" ] && continue
++ [ $i -ge 10 ] && i=0
++ [ $i -eq 0 ] && p="$p$nl "
++ x=0x$x
++ p=$(printf "%s 0x%.2X," "$p" "$x")
++ i=$((i + 1))
++ done
++ unset IFS
++ fi
++ done <<EOF
++$(openssl dhparam -in "$1" -text -noout)
++EOF
++ p=${p%,}
++ cat <<EOF
++DH *get_dh${bits}(void)
++{
++ static unsigned char dhp_${bits}[] = {$p
++ };
++ static unsigned char dhg_${bits}[] = {
++ $g
++ };
++ DH *dh = DH_new();
++ BIGNUM *p, *g;
++
++ if (dh == NULL)
++ return NULL;
++ p = BN_bin2bn(dhp_${bits}, sizeof(dhp_${bits}), NULL);
++ g = BN_bin2bn(dhg_${bits}, sizeof(dhg_${bits}), NULL);
++ if (p == NULL || g == NULL
++ || !my_DH_set0_pqg(dh, p, NULL, g)) {
++ DH_free(dh);
++ BN_free(p);
++ BN_free(g);
++ return NULL;
++ }
++ return dh;
++}
++EOF
++}
++
+ cat <<'EOF'
+ /* Generated automatically; do not modify! 
-*- buffer-read-only: t -*-
+ *
+@@ -9,6 +78,7 @@ cat <<'EOF'
+ #include "lib/dhparams.h"
+ #include "openvswitch/util.h"
+
++#if OPENSSL_VERSION_NUMBER < 0x3000000fL
+ static int
+ my_DH_set0_pqg(DH *dh, BIGNUM *p, const BIGNUM **q OVS_UNUSED, BIGNUM *g)
+ {
+@@ -22,11 +92,6 @@ my_DH_set0_pqg(DH *dh, BIGNUM *p, const BIGNUM **q OVS_UNUSED, BIGNUM *g)
+ #endif
+ }
+ EOF
+-(openssl dhparam -C -in lib/dh2048.pem -noout &&
+-openssl dhparam -C -in lib/dh4096.pem -noout) | sed '
+- s/^static DH/DH/
+- s/\(get_dh[0-9]*\)()/\1(void)/
+- s/\(DH_set0_pqg\)/my_\1/
+- s/[ ]*$//
+- s/ / /g
+-'
++dhparam_to_c lib/dh2048.pem
++dhparam_to_c lib/dh4096.pem
++echo "#endif"
 diff --git a/configure.ac b/configure.ac
 index 4e9bcce272..5cc3f4801e 100644
 --- a/configure.ac
@@ -50814,6 +50916,23 @@ index 34d45b82a1..31db2d2c7c 100644
 /* Throttle restarts to no more than once every 10 seconds. */
 if (time(NULL) < last_restart + 10) {
+diff --git a/lib/dhparams.c b/lib/dhparams.c
+index 85123863fc..50209d5d81 100644
+--- a/lib/dhparams.c
++++ b/lib/dhparams.c
+@@ -6,6 +6,7 @@
+ #include "lib/dhparams.h"
+ #include "openvswitch/util.h"
+
++#if OPENSSL_VERSION_NUMBER < 0x3000000fL
+ static int
+ my_DH_set0_pqg(DH *dh, BIGNUM *p, const BIGNUM **q OVS_UNUSED, BIGNUM *g)
+ {
+@@ -142,3 +143,4 @@ DH *get_dh4096(void)
+ }
+ return dh;
+ }
++#endif
 diff --git a/lib/dns-resolve.c b/lib/dns-resolve.c
 index d344514343..1afcc65adb 100644
 --- a/lib/dns-resolve.c
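Review bot: `$(openssl dhparam -in "$1" -text -noout)` inside the here-document that feeds the `while read` loop in dhparam_to_c (first hunk of build-aux/generate-dhparams-c) is not covered by the `-e` in the shebang: a command substitution that fails while a redirection is expanded does not abort the script, so a missing or unreadable PEM leaves `bits`, `p` and `g` empty and the function prints an unusable `get_dh(void)` instead of stopping the build, much as the `(openssl ... && openssl ...) | sed` pipeline it replaces only ever reported sed's status. Capture the output first and check it, `dh_text=$(openssl dhparam -in "$1" -text -noout) || exit 1`, then feed the loop from `$dh_text` in the here-document. `g` is also the only parsed value not declared `local`, so it survives across the two invocations at the bottom of the script; `local g` next to `local p` keeps the function self-contained. The function is complete within the hunk.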
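Review bot: `#if OPENSSL_VERSION_NUMBER < 0x3000000fL` at the top of lib/dhparams.c is true whenever `OPENSSL_VERSION_NUMBER` happens to be undefined at that point, because the preprocessor evaluates an unknown identifier in `#if` as 0, and this hunk does not show whether `lib/dhparams.h` or `openvswitch/util.h` brings in `<openssl/opensslv.h>` first. If neither does, a build against OpenSSL 3 would still compile the deprecated `DH_*` compatibility code the guard is meant to exclude, and the failure would surface only as deprecation or link errors elsewhere. An explicit `#include <openssl/opensslv.h>` before the guard, or `#ifndef OPENSSL_VERSION_NUMBER` / `#error "OPENSSL_VERSION_NUMBER is not defined"` / `#endif`, makes the dependency visible. The same guard is emitted into the generated file by build-aux/generate-dhparams-c in the previous hunk and used five times in lib/stream-ssl.c in the next one, so the same question applies there. The guarded `my_DH_set0_pqg` body continues outside the hunk.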
@@ -55187,6 +55306,60 @@ index 1c71df1a12..ec567603b1 100644
 struct stopwatch *sw = node->data;
 shash_delete(&stopwatches, node);
 free(sw);
+diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
+index f4fe3432e7..62da9febb6 100644
+--- a/lib/stream-ssl.c
++++ b/lib/stream-ssl.c
+@@ -193,7 +193,9 @@ static void ssl_clear_txbuf(struct ssl_stream *);
+ static void interpret_queued_ssl_error(const char *function);
+ static int interpret_ssl_error(const char *function, int ret, int error,
+ int *want);
++#if OPENSSL_VERSION_NUMBER < 0x3000000fL
+ static DH *tmp_dh_callback(SSL *ssl, int is_export OVS_UNUSED, int keylength);
++#endif
+ static void log_ca_cert(const char *file_name, X509 *cert);
+ static void stream_ssl_set_ca_cert_file__(const char *file_name,
+ bool bootstrap, bool force);
+@@ -471,7 +473,11 @@ static char *
+ get_peer_common_name(const struct ssl_stream *sslv)
+ {
+ char *peer_name = NULL;
++#if OPENSSL_VERSION_NUMBER < 0x3000000fL
+ X509 *peer_cert = SSL_get_peer_certificate(sslv->ssl);
++#else
+ X509 *peer_cert = SSL_get1_peer_certificate(sslv->ssl);
++#endif
+ if (!peer_cert) {
+ return NULL;
+ }
+@@ -1070,7 +1076,11 @@ do_ssl_init(void)
+ return ENOPROTOOPT;
+ }
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
++#if OPENSSL_VERSION_NUMBER < 0x3000000fL
+ SSL_CTX_set_tmp_dh_callback(ctx, tmp_dh_callback);
++#else
+ SSL_CTX_set_dh_auto(ctx, 1);
++#endif
+ SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
+ SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+@@ -1081,6 +1091,7 @@ do_ssl_init(void)
+ return 0;
+ }
+
++#if OPENSSL_VERSION_NUMBER < 0x3000000fL
+ static DH *
+ tmp_dh_callback(SSL *ssl OVS_UNUSED, int is_export OVS_UNUSED, int keylength)
+ {
+@@ -1112,6 +1123,7 @@ tmp_dh_callback(SSL *ssl OVS_UNUSED, int is_export OVS_UNUSED, int keylength)
+ keylength);
+ return NULL;
+ }
++#endif
+
+ /* Returns true if SSL is at least partially 
configured. */
+ bool
 diff --git a/lib/stream.c b/lib/stream.c
 index fcaddf10ad..71039e24f1 100644
 --- a/lib/stream.c
diff --git a/SPECS/openvswitch2.17.spec b/SPECS/openvswitch2.17.spec
index 73fbb35..566ff69 100644
--- a/SPECS/openvswitch2.17.spec
+++ b/SPECS/openvswitch2.17.spec
@@ -57,7 +57,7 @@ Summary: Open vSwitch
 Group: System Environment/Daemons daemon/database/utilities
 URL: http://www.openvswitch.org/
 Version: 2.17.0
-Release: 56%{?dist}
+Release: 57%{?dist}
 # Nearly all of openvswitch is ASL 2.0. The bugtool is LGPLv2+, and the
 # lib/sflow*.[ch] files are SISSL
@@ -743,6 +743,13 @@ exit 0
 %endif
 %changelog
+* Fri Oct 07 2022 Open vSwitch CI <ovs-ci@redhat.com> - 2.17.0-57
+- Merging upstream branch-2.17 [RH git: d374ce43dc]
+ Commit list:
+ fbc3b10e9f Add support for OpenSSL 3.0 functions.
+ 5a77d53b8e dhparams: Fix .c file generation with OpenSSL >= 3.0.
+
+
 * Fri Oct 07 2022 Open vSwitch CI <ovs-ci@redhat.com> - 2.17.0-56
 - Merging upstream branch-2.17 [RH git: c5c912ba61]
 Commit list:
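Review bot: `SSL_CTX_set_dh_auto(ctx, 1)` in do_ssl_init changes which Diffie-Hellman parameters a server built against OpenSSL 3 offers: instead of the fixed 2048/4096-bit groups that `tmp_dh_callback` picks by key length on older OpenSSL, the library now selects a well-known group itself, and nothing in the hunk records that this difference is intended. A comment above the `#else` branch such as `/* OpenSSL 3 deprecates the DH_* API and the tmp-DH callback; let the library choose a standard group instead of the ones in lib/dhparams.c. */` would keep the next reader from treating the two branches as equivalent. In get_peer_common_name, `SSL_get1_peer_certificate` returns a reference the caller owns, exactly like the `SSL_get_peer_certificate` call it replaces, so the existing `X509_free` has to be reached on every path from both branches; that code is outside the hunk and could not be checked here. Both get_peer_common_name and do_ssl_init start and end outside the hunk.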