diff options
3 files changed, 154 insertions, 3 deletions
diff --git a/meta-oe/recipes-extended/rsyslog/rsyslog/replace_deprecated_GnuTLS_functions.patch b/meta-oe/recipes-extended/rsyslog/rsyslog/replace_deprecated_GnuTLS_functions.patch new file mode 100644 index 0000000000..be05eee822 --- /dev/null +++ b/meta-oe/recipes-extended/rsyslog/rsyslog/replace_deprecated_GnuTLS_functions.patch | |||
| @@ -0,0 +1,73 @@ | |||
| 1 | replace deprecated GnuTLS functions with newer ones if available | ||
| 2 | |||
| 3 | closes https://github.com/rsyslog/rsyslog/issues/302 | ||
| 4 | |||
| 5 | Upstream fix https://github.com/rsyslog/rsyslog/commit/b34c35e38f258935c0e92ca754da097d7f3f0f58 | ||
| 6 | |||
| 7 | Upstream-Status: Backport | ||
| 8 | Signed-off-by: Tudor Florea <tudor.florea@enea.com> | ||
| 9 | |||
| 10 | --- | ||
| 11 | configure.ac | 2 ++ | ||
| 12 | runtime/nsd_gtls.c | 21 ++++++++++++++++++--- | ||
| 13 | 2 files changed, 20 insertions(+), 3 deletions(-) | ||
| 14 | |||
| 15 | diff --git a/configure.ac b/configure.ac | ||
| 16 | index 643fc94..56835fb 100644 | ||
| 17 | --- a/configure.ac | ||
| 18 | +++ b/configure.ac | ||
| 19 | @@ -763,6 +763,8 @@ AC_ARG_ENABLE(gnutls, | ||
| 20 | if test "x$enable_gnutls" = "xyes"; then | ||
| 21 | PKG_CHECK_MODULES(GNUTLS, gnutls >= 1.4.0) | ||
| 22 | AC_DEFINE([ENABLE_GNUTLS], [1], [Indicator that GnuTLS is present]) | ||
| 23 | + AC_CHECK_LIB(gnutls, gnutls_global_init) | ||
| 24 | + AC_CHECK_FUNCS(gnutls_certificate_set_retrieve_function,,) | ||
| 25 | fi | ||
| 26 | AM_CONDITIONAL(ENABLE_GNUTLS, test x$enable_gnutls = xyes) | ||
| 27 | |||
| 28 | diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c | ||
| 29 | index a763e4b..e127834 100644 | ||
| 30 | --- a/runtime/nsd_gtls.c | ||
| 31 | +++ b/runtime/nsd_gtls.c | ||
| 32 | @@ -232,15 +232,26 @@ gtlsLoadOurCertKey(nsd_gtls_t *pThis) | ||
| 33 | */ | ||
| 34 | static int | ||
| 35 | gtlsClientCertCallback(gnutls_session session, | ||
| 36 | - __attribute__((unused)) const gnutls_datum* req_ca_rdn, int __attribute__((unused)) nreqs, | ||
| 37 | - __attribute__((unused)) const gnutls_pk_algorithm* sign_algos, int __attribute__((unused)) sign_algos_length, | ||
| 38 | - gnutls_retr_st *st) | ||
| 39 | + __attribute__((unused)) const gnutls_datum* req_ca_rdn, | ||
| 40 | + int __attribute__((unused)) nreqs, | ||
| 41 | + __attribute__((unused)) const gnutls_pk_algorithm* sign_algos, | ||
| 42 | + int __attribute__((unused)) sign_algos_length, | ||
| 43 | +#if HAVE_GNUTLS_CERTIFICATE_SET_RETRIEVE_FUNCTION | ||
| 44 | + gnutls_retr2_st* st | ||
| 45 | +#else | ||
| 46 | + gnutls_retr_st *st | ||
| 47 | +#endif | ||
| 48 | + ) | ||
| 49 | { | ||
| 50 | nsd_gtls_t *pThis; | ||
| 51 | |||
| 52 | pThis = (nsd_gtls_t*) gnutls_session_get_ptr(session); | ||
| 53 | |||
| 54 | +#if HAVE_GNUTLS_CERTIFICATE_SET_RETRIEVE_FUNCTION | ||
| 55 | + st->cert_type = GNUTLS_CRT_X509; | ||
| 56 | +#else | ||
| 57 | st->type = GNUTLS_CRT_X509; | ||
| 58 | +#endif | ||
| 59 | st->ncerts = 1; | ||
| 60 | st->cert.x509 = &pThis->ourCert; | ||
| 61 | st->key.x509 = pThis->ourKey; | ||
| 62 | @@ -1625,7 +1625,11 @@ Connect(nsd_t *pNsd, int family, uchar *port, uchar *host) | ||
| 63 | gnutls_session_set_ptr(pThis->sess, (void*)pThis); | ||
| 64 | iRet = gtlsLoadOurCertKey(pThis); /* first load .pem files */ | ||
| 65 | if(iRet == RS_RET_OK) { | ||
| 66 | +# if HAVE_GNUTLS_CERTIFICATE_SET_RETRIEVE_FUNCTION | ||
| 67 | + gnutls_certificate_set_retrieve_function(xcred, gtlsClientCertCallback); | ||
| 68 | +# else | ||
| 69 | gnutls_certificate_client_set_retrieve_function(xcred, gtlsClientCertCallback); | ||
| 70 | +# endif | ||
| 71 | } else if(iRet != RS_RET_CERTLESS) { | ||
| 72 | FINALIZE; /* we have an error case! */ | ||
| 73 | } | ||
diff --git a/meta-oe/recipes-extended/rsyslog/rsyslog/use_gnutls_certificate_type_set_priority_only_if_available.patch b/meta-oe/recipes-extended/rsyslog/rsyslog/use_gnutls_certificate_type_set_priority_only_if_available.patch new file mode 100644 index 0000000000..e1dab759ab --- /dev/null +++ b/meta-oe/recipes-extended/rsyslog/rsyslog/use_gnutls_certificate_type_set_priority_only_if_available.patch | |||
| @@ -0,0 +1,79 @@ | |||
| 1 | From 21674039db99d1067e9df4df04d965297d62c6af Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Rainer Gerhards <rgerhards@adiscon.com> | ||
| 3 | Date: Mon, 18 May 2015 09:36:02 +0200 | ||
| 4 | Subject: [PATCH] use gnutls_certificate_type_set_priority() only if available | ||
| 5 | |||
| 6 | The gnutls_certificate_type_set_priority function is deprecated | ||
| 7 | and not available in recent GnuTLS versions. However, there is no | ||
| 8 | doc how to properly replace it with gnutls_priority_set_direct. | ||
| 9 | A lot of folks have simply removed it, when they also called | ||
| 10 | gnutls_set_default_priority. This is what we now also do. If | ||
| 11 | this causes problems or someone has an idea of how to replace | ||
| 12 | the deprecated function in a better way, please let us know! | ||
| 13 | In any case, we use it as long as it is available and let | ||
| 14 | not insult us by the deprecation warnings. | ||
| 15 | |||
| 16 | Upstream-Status: Backport | ||
| 17 | Signed-off-by: Tudor Florea <tudor.florea@enea.com> | ||
| 18 | |||
| 19 | --- | ||
| 20 | configure.ac | 1 + | ||
| 21 | runtime/nsd_gtls.c | 18 ++++++++++++++++-- | ||
| 22 | 2 files changed, 17 insertions(+), 2 deletions(-) | ||
| 23 | |||
| 24 | diff --git a/configure.ac b/configure.ac | ||
| 25 | index 56835fb..1c2be01 100644 | ||
| 26 | --- a/configure.ac | ||
| 27 | +++ b/configure.ac | ||
| 28 | @@ -765,6 +765,7 @@ if test "x$enable_gnutls" = "xyes"; then | ||
| 29 | AC_DEFINE([ENABLE_GNUTLS], [1], [Indicator that GnuTLS is present]) | ||
| 30 | AC_CHECK_LIB(gnutls, gnutls_global_init) | ||
| 31 | AC_CHECK_FUNCS(gnutls_certificate_set_retrieve_function,,) | ||
| 32 | + AC_CHECK_FUNCS(gnutls_certificate_type_set_priority,,) | ||
| 33 | fi | ||
| 34 | AM_CONDITIONAL(ENABLE_GNUTLS, test x$enable_gnutls = xyes) | ||
| 35 | |||
| 36 | diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c | ||
| 37 | index e127834..4b6aab1 100644 | ||
| 38 | --- a/runtime/nsd_gtls.c | ||
| 39 | +++ b/runtime/nsd_gtls.c | ||
| 40 | @@ -1658,8 +1658,9 @@ Connect(nsd_t *pNsd, int family, uchar *port, uchar *host) | ||
| 41 | nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd; | ||
| 42 | int sock; | ||
| 43 | int gnuRet; | ||
| 44 | - /* TODO: later? static const int cert_type_priority[3] = { GNUTLS_CRT_X509, GNUTLS_CRT_OPENPGP, 0 };*/ | ||
| 45 | +# if HAVE_GNUTLS_CERTIFICATE_TYPE_SET_PRIORITY | ||
| 46 | static const int cert_type_priority[2] = { GNUTLS_CRT_X509, 0 }; | ||
| 47 | +# endif | ||
| 48 | DEFiRet; | ||
| 49 | |||
| 50 | ISOBJ_TYPE_assert(pThis, nsd_gtls); | ||
| 51 | @@ -1688,14 +1689,27 @@ Connect(nsd_t *pNsd, int family, uchar *port, uchar *host) | ||
| 52 | gnutls_certificate_set_retrieve_function(xcred, gtlsClientCertCallback); | ||
| 53 | # else | ||
| 54 | gnutls_certificate_client_set_retrieve_function(xcred, gtlsClientCertCallback); | ||
| 55 | -# endif | ||
| 56 | +# endif | ||
| 57 | } else if(iRet != RS_RET_CERTLESS) { | ||
| 58 | FINALIZE; /* we have an error case! */ | ||
| 59 | } | ||
| 60 | |||
| 61 | /* Use default priorities */ | ||
| 62 | CHKgnutls(gnutls_set_default_priority(pThis->sess)); | ||
| 63 | +# if HAVE_GNUTLS_CERTIFICATE_TYPE_SET_PRIORITY | ||
| 64 | + /* The gnutls_certificate_type_set_priority function is deprecated | ||
| 65 | + * and not available in recent GnuTLS versions. However, there is no | ||
| 66 | + * doc how to properly replace it with gnutls_priority_set_direct. | ||
| 67 | + * A lot of folks have simply removed it, when they also called | ||
| 68 | + * gnutls_set_default_priority. This is what we now also do. If | ||
| 69 | + * this causes problems or someone has an idea of how to replace | ||
| 70 | + * the deprecated function in a better way, please let us know! | ||
| 71 | + * In any case, we use it as long as it is available and let | ||
| 72 | + * not insult us by the deprecation warnings. | ||
| 73 | + * 2015-05-18 rgerhards | ||
| 74 | + */ | ||
| 75 | CHKgnutls(gnutls_certificate_type_set_priority(pThis->sess, cert_type_priority)); | ||
| 76 | +# endif | ||
| 77 | |||
| 78 | /* put the x509 credentials to the current session */ | ||
| 79 | CHKgnutls(gnutls_credentials_set(pThis->sess, GNUTLS_CRD_CERTIFICATE, xcred)); | ||
diff --git a/meta-oe/recipes-extended/rsyslog/rsyslog_7.6.1.bb b/meta-oe/recipes-extended/rsyslog/rsyslog_7.6.1.bb index ddc6eb3176..928434eb74 100644 --- a/meta-oe/recipes-extended/rsyslog/rsyslog_7.6.1.bb +++ b/meta-oe/recipes-extended/rsyslog/rsyslog_7.6.1.bb | |||
| @@ -17,9 +17,6 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=51d9635e646fb75e1b74c074f788e973 \ | |||
| 17 | file://COPYING.ASL20;md5=052f8a09206615ab07326ff8ce2d9d32\ | 17 | file://COPYING.ASL20;md5=052f8a09206615ab07326ff8ce2d9d32\ |
| 18 | " | 18 | " |
| 19 | 19 | ||
| 20 | # http://errors.yoctoproject.org/Errors/Details/25829/ | ||
| 21 | PNBLACKLIST[rsyslog] ?= "Not compatible with gnutls version 3.4 currently in oe-core" | ||
| 22 | |||
| 23 | SRC_URI = "http://www.rsyslog.com/download/files/download/rsyslog/${BPN}-${PV}.tar.gz \ | 20 | SRC_URI = "http://www.rsyslog.com/download/files/download/rsyslog/${BPN}-${PV}.tar.gz \ |
| 24 | file://initscript \ | 21 | file://initscript \ |
| 25 | file://rsyslog.conf \ | 22 | file://rsyslog.conf \ |
| @@ -28,6 +25,8 @@ SRC_URI = "http://www.rsyslog.com/download/files/download/rsyslog/${BPN}-${PV}.t | |||
| 28 | file://run-ptest \ | 25 | file://run-ptest \ |
| 29 | file://rsyslog-fix-ptest-not-finish.patch \ | 26 | file://rsyslog-fix-ptest-not-finish.patch \ |
| 30 | file://json-0.12-fix.patch \ | 27 | file://json-0.12-fix.patch \ |
| 28 | file://replace_deprecated_GnuTLS_functions.patch \ | ||
| 29 | file://use_gnutls_certificate_type_set_priority_only_if_available.patch \ | ||
| 31 | " | 30 | " |
| 32 | 31 | ||
| 33 | SRC_URI[md5sum] = "093c462a5245012bd9e7b82dd8aedffb" | 32 | SRC_URI[md5sum] = "093c462a5245012bd9e7b82dd8aedffb" |
