Hello community, here is the log from the commit of package librelp for openSUSE:Factory checked in at 2018-03-30 11:55:51 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/librelp (Old) and /work/SRC/openSUSE:Factory/.librelp.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "librelp" Fri Mar 30 11:55:51 2018 rev:31 rq:590808 version:1.2.15 Changes: -------- --- /work/SRC/openSUSE:Factory/librelp/librelp.changes 2017-06-07 09:50:33.435943710 +0200 +++ /work/SRC/openSUSE:Factory/.librelp.new/librelp.changes 2018-03-30 11:55:55.214690509 +0200 @@ -1,0 +2,12 @@ +Sat Mar 24 08:48:48 UTC 2018 - astieger@suse.com + +- librelp 1.2.15: + * CVE-2018-1000140: A remote attackher could have used specially + crafted x509 certificates when connecting to rsyslog to trigger + a stack buffer overflow and run arbitrary code (bsc#1086730) + * bugfix: invalid handling of snprintf() return code + * bugfix: invalid assert predicate + * some code cleanup + * bugfix: error message on open error was truncated + +------------------------------------------------------------------- Old: ---- librelp-1.2.14.tar.gz New: ---- librelp-1.2.15.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ librelp.spec ++++++ --- /var/tmp/diff_new_pack.6P9UtR/_old 2018-03-30 11:55:56.830632068 +0200 +++ /var/tmp/diff_new_pack.6P9UtR/_new 2018-03-30 11:55:56.830632068 +0200 @@ -1,7 +1,7 @@ # # spec file for package librelp # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -18,7 +18,7 @@ %define library_name librelp0 Name: librelp -Version: 1.2.14 +Version: 1.2.15 Release: 0 Summary: A reliable logging library License: GPL-3.0+ @@ -26,7 +26,6 @@ Url: http://www.librelp.com/ Source: http://download.rsyslog.com/librelp/%{name}-%{version}.tar.gz BuildRequires: pkgconfig -BuildRoot: %{_tmppath}/%{name}-%{version}-build %if 0%{?suse_version} > 1110 BuildRequires: pkgconfig(gnutls) >= 2.0.0 %else @@ -120,11 +119,9 @@ %postun -n %{library_name} -p /sbin/ldconfig %files -n librelp0 -%defattr(-,root,root,-) %{_libdir}/librelp.so.* %files devel -%defattr(-,root,root,-) %doc AUTHORS ChangeLog COPYING NEWS README doc/*.html %{_includedir}/librelp.h %{_libdir}/librelp.so ++++++ librelp-1.2.14.tar.gz -> librelp-1.2.15.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.2.14/ChangeLog new/librelp-1.2.15/ChangeLog --- old/librelp-1.2.14/ChangeLog 2017-05-29 08:36:37.000000000 +0200 +++ new/librelp-1.2.15/ChangeLog 2018-03-21 09:43:07.000000000 +0100 @@ -1,4 +1,21 @@ ---------------------------------------------------------------------- +Version 1.2.15 - 2018-03-21 +- made build on Solaris again +- made build on AIX + Thanks to Philippe Duveau for providing the patches +- bugfix: invalid handling of snprintf() return code +- bugfix: invalid assert predicate + an assert could change status variable due to typo, so in debug + mode processing could fail. + thanks to github user KatMisato for alerting us + fixes https://github.com/rsyslog/librelp/issues/66 +- some code cleanup +- bugfix: error message on open error was truncated + The "connection already open" error message when trying to open + an already open connection was truncated due to too-small size + specified. + Thanks to rsyslog forum user AlanR for the problem report. +---------------------------------------------------------------------- Version 1.2.14 - 2017-05-29 - API extension: add relpSrvSetMaxDataSize() Thanks to Nathan Brown for the patch. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.2.14/Makefile.in new/librelp-1.2.15/Makefile.in --- old/librelp-1.2.14/Makefile.in 2017-05-29 08:37:25.000000000 +0200 +++ new/librelp-1.2.15/Makefile.in 2018-03-21 09:43:29.000000000 +0100 @@ -192,8 +192,8 @@ DIST_SUBDIRS = $(SUBDIRS) am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/config.h.in \ $(srcdir)/relp.pc.in AUTHORS COPYING ChangeLog INSTALL NEWS \ - README compile config.guess config.sub install-sh ltmain.sh \ - missing + README compile config.guess config.sub depcomp install-sh \ + ltmain.sh missing DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) distdir = $(PACKAGE)-$(VERSION) top_distdir = $(distdir) @@ -302,6 +302,7 @@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOL_LIBS = @SOL_LIBS@ STRIP = @STRIP@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.2.14/config.h.in new/librelp-1.2.15/config.h.in --- old/librelp-1.2.14/config.h.in 2017-05-29 08:37:24.000000000 +0200 +++ new/librelp-1.2.15/config.h.in 2018-03-21 09:43:33.000000000 +0100 @@ -70,6 +70,21 @@ /* Defined if debug mode is disabled. */ #undef NDEBUG +/* Indicator for a AIX OS */ +#undef OS_AIX + +/* Indicator for APPLE OS */ +#undef OS_APPLE + +/* Indicator for a BSD OS */ +#undef OS_BSD + +/* Indicator for a Linux OS */ +#undef OS_LINUX + +/* Indicator for a Solaris OS */ +#undef OS_SOLARIS + /* Name of package */ #undef PACKAGE @@ -112,6 +127,12 @@ /* Version number of package */ #undef VERSION +/* Use POSIX pthread semantics */ +#undef _POSIX_PTHREAD_SEMANTICS + +/* Use X/Open CAE Specification */ +#undef _XOPEN_SOURCE + /* Define to empty if `const' does not conform to ANSI C. */ #undef const diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.2.14/configure new/librelp-1.2.15/configure --- old/librelp-1.2.14/configure 2017-05-29 08:37:24.000000000 +0200 +++ new/librelp-1.2.15/configure 2018-03-21 09:43:29.000000000 +0100 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for librelp 1.2.14. +# Generated by GNU Autoconf 2.69 for librelp 1.2.15. # # Report bugs to <rgerhards@adiscon.com>. # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='librelp' PACKAGE_TARNAME='librelp' -PACKAGE_VERSION='1.2.14' -PACKAGE_STRING='librelp 1.2.14' +PACKAGE_VERSION='1.2.15' +PACKAGE_STRING='librelp 1.2.15' PACKAGE_BUGREPORT='rgerhards@adiscon.com' PACKAGE_URL='' @@ -690,6 +690,17 @@ LDFLAGS CFLAGS CC +OS_AIX_FALSE +OS_AIX_TRUE +OS_SOLARIS_FALSE +OS_SOLARIS_TRUE +OS_LINUX_FALSE +OS_LINUX_TRUE +xOS_LINUX_FALSE +xOS_LINUX_TRUE +OS_APPLE_FALSE +OS_APPLE_TRUE +SOL_LIBS AM_BACKSLASH AM_DEFAULT_VERBOSITY AM_DEFAULT_V @@ -1337,7 +1348,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures librelp 1.2.14 to adapt to many kinds of systems. +\`configure' configures librelp 1.2.15 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1408,7 +1419,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of librelp 1.2.14:";; + short | recursive ) echo "Configuration of librelp 1.2.15:";; esac cat <<\_ACEOF @@ -1528,7 +1539,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -librelp configure 1.2.14 +librelp configure 1.2.15 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2054,7 +2065,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by librelp $as_me 1.2.14, which was +It was created by librelp $as_me 1.2.15, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2917,7 +2928,7 @@ # Define the identity of the package. PACKAGE='librelp' - VERSION='1.2.14' + VERSION='1.2.15' cat >>confdefs.h <<_ACEOF @@ -3032,7 +3043,7 @@ # Define the identity of the package. PACKAGE='librelp' - VERSION='1.2.14' + VERSION='1.2.15' cat >>confdefs.h <<_ACEOF @@ -3169,6 +3180,101 @@ +echo HOST: ${host} +case "${host}" in + *-*-linux*) + +$as_echo "#define OS_LINUX 1" >>confdefs.h + + os_type="linux" + ;; + *-*-*darwin*|*-*-dragonfly*|*-*-freebsd*|*-*-netbsd*|*-*-openbsd*) + +$as_echo "#define OS_BSD 1" >>confdefs.h + + os_type="bsd" + ;; + *-apple-*) + +$as_echo "#define OS_APPLE 1" >>confdefs.h + + os_type="apple" + ;; + *-*-kfreebsd*) + # kernel is FreeBSD, but userspace is glibc - i.e. like linux + # do not DEFINE OS_BSD + os_type="bsd" + ;; + *-*-solaris*) + os_type="solaris" + +$as_echo "#define OS_SOLARIS 1" >>confdefs.h + + +$as_echo "#define _POSIX_PTHREAD_SEMANTICS 1" >>confdefs.h + + +$as_echo "#define _XOPEN_SOURCE 600" >>confdefs.h + + CPPFLAGS="-std=c99 $CPPFLAGS" + CFLAGS="-std=c99 $CFLAGS" + SOL_LIBS="-lsocket -lnsl" + # Solaris libuuid does not ship with a pkgconfig file so override the appropriate + # variables (but only if they have not been set by the user). + LIBUUID_CFLAGS=${LIBUUID_CFLAGS:= } + LIBUUID_LIBS=${LIBUUID_LIBS:=-luuid} + + ;; + *-*-aix*) + os_type="aix" + +$as_echo "#define OS_AIX 1" >>confdefs.h + + CFLAGS="$CFLAGS -D_LINUX_SOURCE_COMPAT" + LDFLAGS="$LDFLAGS -brtl" + ;; +esac + if test x$os_type == xapple; then + OS_APPLE_TRUE= + OS_APPLE_FALSE='#' +else + OS_APPLE_TRUE='#' + OS_APPLE_FALSE= +fi + + if test x$os_type == xlinux; then + xOS_LINUX_TRUE= + xOS_LINUX_FALSE='#' +else + xOS_LINUX_TRUE='#' + xOS_LINUX_FALSE= +fi + + if test x$os_type == xlinux; then + OS_LINUX_TRUE= + OS_LINUX_FALSE='#' +else + OS_LINUX_TRUE='#' + OS_LINUX_FALSE= +fi + + if test x$os_type == xsolaris; then + OS_SOLARIS_TRUE= + OS_SOLARIS_FALSE='#' +else + OS_SOLARIS_TRUE='#' + OS_SOLARIS_FALSE= +fi + + if test "x$os_type" = "xaix"; then + OS_AIX_TRUE= + OS_AIX_FALSE='#' +else + OS_AIX_TRUE='#' + OS_AIX_FALSE= +fi + + # Checks for programs. ac_ext=c ac_cpp='$CPP $CPPFLAGS' @@ -13376,6 +13482,26 @@ am__EXEEXT_FALSE= fi +if test -z "${OS_APPLE_TRUE}" && test -z "${OS_APPLE_FALSE}"; then + as_fn_error $? "conditional \"OS_APPLE\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${xOS_LINUX_TRUE}" && test -z "${xOS_LINUX_FALSE}"; then + as_fn_error $? "conditional \"xOS_LINUX\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${OS_LINUX_TRUE}" && test -z "${OS_LINUX_FALSE}"; then + as_fn_error $? "conditional \"OS_LINUX\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${OS_SOLARIS_TRUE}" && test -z "${OS_SOLARIS_FALSE}"; then + as_fn_error $? "conditional \"OS_SOLARIS\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${OS_AIX_TRUE}" && test -z "${OS_AIX_FALSE}"; then + as_fn_error $? "conditional \"OS_AIX\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${AMDEP_TRUE}" && test -z "${AMDEP_FALSE}"; then as_fn_error $? "conditional \"AMDEP\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -13785,7 +13911,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by librelp $as_me 1.2.14, which was +This file was extended by librelp $as_me 1.2.15, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -13851,7 +13977,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -librelp config.status 1.2.14 +librelp config.status 1.2.15 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.2.14/configure.ac new/librelp-1.2.15/configure.ac --- old/librelp-1.2.14/configure.ac 2017-05-29 08:36:58.000000000 +0200 +++ new/librelp-1.2.15/configure.ac 2018-03-21 09:43:20.000000000 +0100 @@ -2,7 +2,7 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ(2.61) -AC_INIT([librelp], [1.2.14], [rgerhards@adiscon.com]) +AC_INIT([librelp], [1.2.15], [rgerhards@adiscon.com]) AM_INIT_AUTOMAKE AM_INIT_AUTOMAKE m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])]) @@ -10,6 +10,52 @@ AC_CONFIG_HEADER([config.h]) AC_CONFIG_MACRO_DIR([m4]) +echo HOST: ${host} +case "${host}" in + *-*-linux*) + AC_DEFINE([OS_LINUX], [1], [Indicator for a Linux OS]) + os_type="linux" + ;; + *-*-*darwin*|*-*-dragonfly*|*-*-freebsd*|*-*-netbsd*|*-*-openbsd*) + AC_DEFINE([OS_BSD], [1], [Indicator for a BSD OS]) + os_type="bsd" + ;; + *-apple-*) + AC_DEFINE([OS_APPLE], [1], [Indicator for APPLE OS]) + os_type="apple" + ;; + *-*-kfreebsd*) + # kernel is FreeBSD, but userspace is glibc - i.e. like linux + # do not DEFINE OS_BSD + os_type="bsd" + ;; + *-*-solaris*) + os_type="solaris" + AC_DEFINE([OS_SOLARIS], [1], [Indicator for a Solaris OS]) + AC_DEFINE([_POSIX_PTHREAD_SEMANTICS], [1], [Use POSIX pthread semantics]) + AC_DEFINE([_XOPEN_SOURCE], [600], [Use X/Open CAE Specification]) + CPPFLAGS="-std=c99 $CPPFLAGS" + CFLAGS="-std=c99 $CFLAGS" + SOL_LIBS="-lsocket -lnsl" + # Solaris libuuid does not ship with a pkgconfig file so override the appropriate + # variables (but only if they have not been set by the user). + LIBUUID_CFLAGS=${LIBUUID_CFLAGS:= } + LIBUUID_LIBS=${LIBUUID_LIBS:=-luuid} + AC_SUBST(SOL_LIBS) + ;; + *-*-aix*) + os_type="aix" + AC_DEFINE([OS_AIX], [1], [Indicator for a AIX OS]) + CFLAGS="$CFLAGS -D_LINUX_SOURCE_COMPAT" + LDFLAGS="$LDFLAGS -brtl" + ;; +esac +AM_CONDITIONAL(OS_APPLE, test x$os_type == xapple) +AM_CONDITIONAL(xOS_LINUX, test x$os_type == xlinux) +AM_CONDITIONAL(OS_LINUX, test x$os_type == xlinux) +AM_CONDITIONAL(OS_SOLARIS, test x$os_type == xsolaris) +AM_CONDITIONAL(OS_AIX, test "x$os_type" = "xaix") + # Checks for programs. AC_PROG_CC AM_PROG_CC_C_O diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.2.14/doc/Makefile.in new/librelp-1.2.15/doc/Makefile.in --- old/librelp-1.2.14/doc/Makefile.in 2017-05-29 08:37:25.000000000 +0200 +++ new/librelp-1.2.15/doc/Makefile.in 2018-03-21 09:43:29.000000000 +0100 @@ -188,6 +188,7 @@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOL_LIBS = @SOL_LIBS@ STRIP = @STRIP@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.2.14/src/Makefile.am new/librelp-1.2.15/src/Makefile.am --- old/librelp-1.2.14/src/Makefile.am 2017-05-29 08:35:54.000000000 +0200 +++ new/librelp-1.2.15/src/Makefile.am 2018-03-20 18:27:30.000000000 +0100 @@ -1,7 +1,16 @@ -# Uncomment for debugging -DEBUG = -g -PTHREADS_CFLAGS = -pthread +if OS_SOLARIS +then + PTHREADS_CFLAGS = -pthread +else +if OS_AIX + PTHREADS_CFLAGS = -qthreaded +else + PTHREADS_CFLAGS = -mt +endif +endif +DEBUG = -g +# Uncomment for debugging #CFLAGS += $(DEBUG) lib_LTLIBRARIES = librelp.la diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.2.14/src/Makefile.in new/librelp-1.2.15/src/Makefile.in --- old/librelp-1.2.14/src/Makefile.in 2017-05-29 08:37:25.000000000 +0200 +++ new/librelp-1.2.15/src/Makefile.in 2018-03-21 09:43:29.000000000 +0100 @@ -277,6 +277,7 @@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOL_LIBS = @SOL_LIBS@ STRIP = @STRIP@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ @@ -333,11 +334,8 @@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ - -# Uncomment for debugging DEBUG = -g -PTHREADS_CFLAGS = -pthread - +# Uncomment for debugging #CFLAGS += $(DEBUG) lib_LTLIBRARIES = librelp.la librelp_la_SOURCES = \ @@ -823,6 +821,10 @@ .PRECIOUS: Makefile +@OS_SOLARIS_TRUE@then +@OS_SOLARIS_TRUE@ PTHREADS_CFLAGS = -pthread +@OS_AIX_TRUE@@OS_SOLARIS_FALSE@ PTHREADS_CFLAGS = -qthreaded +@OS_AIX_FALSE@@OS_SOLARIS_FALSE@ PTHREADS_CFLAGS = -mt # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.2.14/src/copen.c new/librelp-1.2.15/src/copen.c --- old/librelp-1.2.14/src/copen.c 2016-06-22 11:23:27.000000000 +0200 +++ new/librelp-1.2.15/src/copen.c 2017-10-16 11:50:12.000000000 +0200 @@ -134,7 +134,9 @@ pSess->pEngine->dbgprint("in open command handler\n"); if(pSess->bServerConnOpen) { - relpSessSendResponse(pSess, pFrame->txnr, (unsigned char*) "500 connection already open", 20); + relpSessSendResponse(pSess, pFrame->txnr, + (unsigned char*) "500 connection already open", + sizeof("500 connection already open") - 1); ABORT_FINALIZE(RELP_RET_SESSION_OPEN); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.2.14/src/librelp.h new/librelp-1.2.15/src/librelp.h --- old/librelp-1.2.14/src/librelp.h 2017-04-20 11:54:58.000000000 +0200 +++ new/librelp-1.2.15/src/librelp.h 2018-03-20 18:27:56.000000000 +0100 @@ -133,7 +133,7 @@ #define RELP_RET_CMD_DISABLED RELPERR_BASE + 23 /**< tried to use a cmd that is disabled in this session */ #define RELP_RET_INVALID_HDL RELPERR_BASE + 24 /**< invalid object handle (pointer) provided by caller */ #define RELP_RET_INCOMPAT_OFFERS RELPERR_BASE + 25 /**< client and server offers are incompatible */ -#define RELP_RET_RQD_FEAT_MISSING RELPERR_BASE + 26 /**< the remote peer does not support a feature required by us */ +#define RELP_RET_RQD_FEAT_MISSING RELPERR_BASE + 26 /**< the remote peer does not support a required feature */ #define RELP_RET_MALICIOUS_HNAME RELPERR_BASE + 27 /**< remote peer is trying malicious things with its hostname */ #define RELP_RET_INVALID_HNAME RELPERR_BASE + 28 /**< remote peer's hostname invalid or unobtainable */ #define RELP_RET_ADDR_UNKNOWN RELPERR_BASE + 29 /**< remote peer's IP address could not be obtained */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.2.14/src/relp.c new/librelp-1.2.15/src/relp.c --- old/librelp-1.2.14/src/relp.c 2016-11-23 13:52:21.000000000 +0100 +++ new/librelp-1.2.15/src/relp.c 2018-03-21 09:40:38.000000000 +0100 @@ -897,13 +897,14 @@ # ifdef ENABLE_TLS localRet = relpTcpRtryHandshake(pSessEtry->pSess->pTcp); if(localRet != RELP_RET_OK) { - pThis->dbgprint("relp session %d handshake iRet %d, tearing it down\n", + pThis->dbgprint("relp session %d handshake " + "iRet %d, tearing it down\n", sock, localRet); relpEngineDelSess(pThis, pSessEtry); } # else - pThis->dbgprint("librelp error: handshake retry requested in " - "non-TLS mode"); + pThis->dbgprint("librelp error: handshake retry " + "requested in non-TLS mode"); # endif /* #ifdef ENABLE_TLS */ } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.2.14/src/relpsess.c new/librelp-1.2.15/src/relpsess.c --- old/librelp-1.2.14/src/relpsess.c 2017-04-20 11:54:58.000000000 +0200 +++ new/librelp-1.2.15/src/relpsess.c 2018-03-21 09:40:38.000000000 +0100 @@ -400,7 +400,8 @@ pThis->pEngine->dbgprint("Warning: exceeding window size, max %d, curr %d\n", pThis->lenUnackedLst, pThis->sizeWindow); } - pThis->pEngine->dbgprint("ADD sess %p unacked %d, sessState %d\n", pThis, pThis->lenUnackedLst, pThis->sessState); + pThis->pEngine->dbgprint("ADD sess %p unacked %d, sessState %d\n", + pThis, pThis->lenUnackedLst, pThis->sessState); finalize_it: LEAVE_RELPFUNC; @@ -433,7 +434,8 @@ free(pUnackedLstEntry); - pThis->pEngine->dbgprint("DEL sess %p unacked %d, sessState %d\n", pThis, pThis->lenUnackedLst, pThis->sessState); + pThis->pEngine->dbgprint("DEL sess %p unacked %d, sessState %d\n", + pThis, pThis->lenUnackedLst, pThis->sessState); LEAVE_RELPFUNC; } @@ -646,7 +648,7 @@ ENTER_RELPFUNC; RELPOBJ_assert(pThis, Sess); - assert(pThis->sessState = eRelpSessState_BROKEN); + assert(pThis->sessState == eRelpSessState_BROKEN); CHKRet(relpTcpAbortDestruct(&pThis->pTcp)); CHKRet(relpSessConnect(pThis, pThis->protFamily, pThis->srvPort, pThis->srvAddr)); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.2.14/src/tcp.c new/librelp-1.2.15/src/tcp.c --- old/librelp-1.2.14/src/tcp.c 2016-11-22 18:18:02.000000000 +0100 +++ new/librelp-1.2.15/src/tcp.c 2018-03-21 09:40:38.000000000 +0100 @@ -1,6 +1,6 @@ /* This implements the relp mapping onto TCP. * - * Copyright 2008-2016 by Rainer Gerhards and Adiscon GmbH. + * Copyright 2008-2018 by Rainer Gerhards and Adiscon GmbH. * * This file is part of librelp. * @@ -68,6 +68,12 @@ # define SOL_TCP (getprotobyname("tcp")->p_proto) #endif +/* AIXPORT : MSG_DONTWAIT not supported */ +#if defined(_AIX) && !defined(MSG_DONTWAIT) +#define MSG_DONTWAIT MSG_NONBLOCK +#endif + + #ifdef ENABLE_TLS /* forward definitions */ #ifdef HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION @@ -77,7 +83,7 @@ /* helper to free permittedPeer structure */ static inline void -relpTcpFreePermittedPeers(relpTcp_t *pThis) +relpTcpFreePermittedPeers(relpTcp_t *const pThis) { int i; for(i = 0 ; i < pThis->permittedPeers.nmemb ; ++i) @@ -93,7 +99,9 @@ * to the "parent" client or server object, depending on connType. */ relpRetVal -relpTcpConstruct(relpTcp_t **ppThis, relpEngine_t *pEngine, int connType, void *pParent) +relpTcpConstruct(relpTcp_t **ppThis, relpEngine_t *const pEngine, + const int connType, + void *const pParent) { relpTcp_t *pThis; @@ -219,7 +227,7 @@ * shortcut for error handling (safes doing it twice). */ static int -chkGnutlsCode(relpTcp_t *pThis, char *emsg, relpRetVal ecode, int gnuRet) +chkGnutlsCode(relpTcp_t *const pThis, char *emsg, relpRetVal ecode, const int gnuRet) { char msgbuf[4096]; int r; @@ -238,7 +246,7 @@ /* helper to call onAuthErr if set */ static inline void -callOnAuthErr(relpTcp_t *pThis, char *authdata, char *emsg, relpRetVal ecode) +callOnAuthErr(relpTcp_t *const pThis, char *authdata, char *emsg, relpRetVal ecode) { pThis->pEngine->dbgprint("librelp: auth error: authdata:'%s', ecode %d, " "emsg '%s'\n", authdata, ecode, emsg); @@ -291,7 +299,7 @@ * into a function. */ static inline int8_t -isAnonAuth(relpTcp_t *pThis) +isAnonAuth(relpTcp_t *const pThis) { return pThis->ownCertFile == NULL; } @@ -306,7 +314,7 @@ * rgerhards, 2008-03-31 */ static relpRetVal -relpTcpSetRemHost(relpTcp_t *pThis, struct sockaddr *pAddr) +relpTcpSetRemHost(relpTcp_t *const pThis, struct sockaddr *pAddr) { relpEngine_t *pEngine; int error; @@ -407,7 +415,7 @@ } relpRetVal -relpTcpSetUsrPtr(relpTcp_t *pThis, void *pUsr) +relpTcpSetUsrPtr(relpTcp_t *const pThis, void *pUsr) { ENTER_RELPFUNC; RELPOBJ_assert(pThis, Tcp); @@ -416,7 +424,7 @@ } relpRetVal -relpTcpSetAuthMode(relpTcp_t *pThis, relpAuthMode_t authmode) +relpTcpSetAuthMode(relpTcp_t *const pThis, relpAuthMode_t authmode) { ENTER_RELPFUNC; RELPOBJ_assert(pThis, Tcp); @@ -425,7 +433,7 @@ } relpRetVal -relpTcpSetConnTimeout(relpTcp_t *pThis, int connTimeout) +relpTcpSetConnTimeout(relpTcp_t *const pThis, const int connTimeout) { ENTER_RELPFUNC; RELPOBJ_assert(pThis, Tcp); @@ -434,7 +442,7 @@ } relpRetVal -relpTcpSetGnuTLSPriString(relpTcp_t *pThis, char *pristr) +relpTcpSetGnuTLSPriString(relpTcp_t *const pThis, char *pristr) { ENTER_RELPFUNC; RELPOBJ_assert(pThis, Tcp); @@ -451,7 +459,7 @@ } relpRetVal -relpTcpSetCACert(relpTcp_t *pThis, char *cert) +relpTcpSetCACert(relpTcp_t *const pThis, char *cert) { ENTER_RELPFUNC; RELPOBJ_assert(pThis, Tcp); @@ -468,7 +476,7 @@ } relpRetVal -relpTcpSetOwnCert(relpTcp_t *pThis, char *cert) +relpTcpSetOwnCert(relpTcp_t *const pThis, char *cert) { ENTER_RELPFUNC; RELPOBJ_assert(pThis, Tcp); @@ -485,7 +493,7 @@ } relpRetVal -relpTcpSetPrivKey(relpTcp_t *pThis, char *cert) +relpTcpSetPrivKey(relpTcp_t *const pThis, char *cert) { ENTER_RELPFUNC; RELPOBJ_assert(pThis, Tcp); @@ -534,7 +542,7 @@ } relpRetVal -relpTcpSetDHBits(relpTcp_t *pThis, int bits) +relpTcpSetDHBits(relpTcp_t *const pThis, const int bits) { ENTER_RELPFUNC; RELPOBJ_assert(pThis, Tcp); @@ -545,7 +553,7 @@ #ifdef ENABLE_TLS /* set TLS priority string, common code both for client and server */ static relpRetVal -relpTcpTLSSetPrio(relpTcp_t *pThis) +relpTcpTLSSetPrio(relpTcp_t *const pThis) { int r; char pristringBuf[4096]; @@ -576,11 +584,13 @@ LEAVE_RELPFUNC; } +#ifndef _AIX #pragma GCC diagnostic push /* per https://lists.gnupg.org/pipermail/gnutls-help/2004-August/000154.html This is expected */ #pragma GCC diagnostic ignored "-Wint-to-pointer-cast" +#endif static relpRetVal -relpTcpAcceptConnReqInitTLS(relpTcp_t *pThis, relpSrv_t *pSrv) +relpTcpAcceptConnReqInitTLS(relpTcp_t *const pThis, relpSrv_t *const pSrv) { int r; ENTER_RELPFUNC; @@ -630,7 +640,9 @@ finalize_it: LEAVE_RELPFUNC; } +#ifndef _AIX #pragma GCC diagnostic pop +#endif #endif /* #ifdef ENABLE_TLS */ /* Enable KEEPALIVE handling on the socket. */ @@ -711,7 +723,7 @@ * to be put asleep on some platforms. */ static void -doSleep(int iSeconds, int iuSeconds) +doSleep(int iSeconds, const int iuSeconds) { struct timeval tvSelectTimeout; tvSelectTimeout.tv_sec = iSeconds; @@ -724,7 +736,7 @@ * rgerhards, 2008-03-17 */ relpRetVal -relpTcpAcceptConnReq(relpTcp_t **ppThis, int sock, relpSrv_t *pSrv) +relpTcpAcceptConnReq(relpTcp_t **ppThis, const int sock, relpSrv_t *const pSrv) { relpTcp_t *pThis = NULL; int sockflags; @@ -799,7 +811,7 @@ * sufficiently large buffer. 512 bytes shall always do. */ static void -GenFingerprintStr(char *pFingerprint, int sizeFingerprint, char *fpBuf) +GenFingerprintStr(char *pFingerprint, const int sizeFingerprint, char *fpBuf) { int iSrc, iDst; @@ -812,7 +824,7 @@ /* Check the peer's ID in fingerprint auth mode. */ static int -relpTcpChkPeerFingerprint(relpTcp_t *pThis, gnutls_x509_crt_t cert) +relpTcpChkPeerFingerprint(relpTcp_t *const pThis, gnutls_x509_crt_t cert) { int r = 0; int i; @@ -858,7 +870,7 @@ * rgerhards, 2008-05-27 */ static relpRetVal -AddPermittedPeerWildcard(tcpPermittedPeerEntry_t *pEtry, char* pszStr, int lenStr) +AddPermittedPeerWildcard(tcpPermittedPeerEntry_t *pEtry, char* pszStr, const int lenStr) { tcpPermittedPeerWildcardComp_t *pNew = NULL; int iSrc; @@ -1027,7 +1039,8 @@ break; case tcpPEER_WILDCARD_AT_END: if( pWildcard->lenDomainPart > pC - pStart - || strncmp((char*)pStart, (char*)pWildcard->pszDomainPart, pWildcard->lenDomainPart)) { + || strncmp((char*)pStart, (char*)pWildcard->pszDomainPart, + pWildcard->lenDomainPart)) { goto done; } break; @@ -1072,7 +1085,7 @@ * called multiple times). */ static void -relpTcpChkOnePeerName(relpTcp_t *pThis, char *peername, int *pbFoundPositiveMatch) +relpTcpChkOnePeerName(relpTcp_t *const pThis, char *peername, int *pbFoundPositiveMatch) { int i; @@ -1104,7 +1117,7 @@ * Note that non-0 is also returned if no CN is found. */ static int -relpTcpGetCN(relpTcp_t *pThis, gnutls_x509_crt_t cert, char *namebuf, int lenNamebuf) +relpTcpGetCN(relpTcp_t *const pThis, gnutls_x509_crt_t cert, char *namebuf, const int lenNamebuf) { int r; int gnuRet; @@ -1161,9 +1174,35 @@ return r; } + +/* helper to consistently add names to error message buffer */ +static int +relpTcpAddToCertNamesBuffer(relpTcp_t *const pThis, + char *const buf, + const size_t buflen, + int *p_currIdx, + const char *const certName) +{ + int r = 0; + assert(buf != NULL); + assert(p_currIdx != NULL); + const int currIdx = *p_currIdx; + const int n = snprintf(buf + currIdx, buflen - currIdx, + "DNSname: %s; ", certName); + if(n < 0 || n >= (int) (buflen - currIdx)) { + callOnAuthErr(pThis, "", "certificate validation failed, names " + "inside certifcate are way to long (> 32KiB)", + RELP_RET_AUTH_CERT_INVL); + r = GNUTLS_E_CERTIFICATE_ERROR; + } else { + *p_currIdx += n; + } + return r; +} + /* Check the peer's ID in name auth mode. */ static int -relpTcpChkPeerName(relpTcp_t *pThis, gnutls_x509_crt_t cert) +relpTcpChkPeerName(relpTcp_t *const pThis, gnutls_x509_crt_t cert) { int r = 0; int ret; @@ -1202,8 +1241,9 @@ break; else if(gnuRet == GNUTLS_SAN_DNSNAME) { pThis->pEngine->dbgprint("librelp: subject alt dnsName: '%s'\n", szAltName); - iAllNames += snprintf(allNames+iAllNames, sizeof(allNames)-iAllNames, - "DNSname: %s; ", szAltName); + r = relpTcpAddToCertNamesBuffer(pThis, allNames, sizeof(allNames), + &iAllNames, szAltName); + if(r != 0) goto done; relpTcpChkOnePeerName(pThis, szAltName, &bFoundPositiveMatch); /* do NOT break, because there may be multiple dNSName's! */ } @@ -1214,8 +1254,9 @@ /* if we did not succeed so far, we try the CN part of the DN... */ if(relpTcpGetCN(pThis, cert, cnBuf, sizeof(cnBuf)) == 0) { pThis->pEngine->dbgprint("librelp: relpTcp now checking auth for CN '%s'\n", cnBuf); - iAllNames += snprintf(allNames+iAllNames, sizeof(allNames)-iAllNames, - "CN: %s; ", cnBuf); + r = relpTcpAddToCertNamesBuffer(pThis, allNames, sizeof(allNames), + &iAllNames, cnBuf); + if(r != 0) goto done; relpTcpChkOnePeerName(pThis, cnBuf, &bFoundPositiveMatch); } } @@ -1236,13 +1277,12 @@ relpTcpVerifyCertificateCallback(gnutls_session_t session) { int r = 0; - relpTcp_t *pThis; const gnutls_datum_t *cert_list; unsigned int list_size = 0; gnutls_x509_crt_t cert; int bMustDeinitCert = 0; - pThis = (relpTcp_t*) gnutls_session_get_ptr(session); + relpTcp_t *const pThis = (relpTcp_t*) gnutls_session_get_ptr(session); /* This function only works for X.509 certificates. */ if(gnutls_certificate_type_get(session) != GNUTLS_CRT_X509) { @@ -1293,7 +1333,7 @@ /* initialize the listener for TLS use */ static relpRetVal -relpTcpLstnInitTLS(relpTcp_t *pThis) +relpTcpLstnInitTLS(relpTcp_t *const pThis) { int r; ENTER_RELPFUNC; @@ -1333,7 +1373,8 @@ r = gnutls_certificate_set_x509_trust_file(pThis->xcred, pThis->caCertFile, GNUTLS_X509_FMT_PEM); if(r < 0) { - chkGnutlsCode(pThis, "Failed to set certificate trust files", RELP_RET_ERR_TLS_SETUP, r); + chkGnutlsCode(pThis, "Failed to set certificate trust files", + RELP_RET_ERR_TLS_SETUP, r); ABORT_FINALIZE(RELP_RET_ERR_TLS_SETUP); } pThis->pEngine->dbgprint("librelp: obtained %d certificates from %s\n", r, pThis->caCertFile); @@ -1361,7 +1402,7 @@ * gerhards, 2008-03-17 */ relpRetVal -relpTcpLstnInit(relpTcp_t *pThis, unsigned char *pLstnPort, int ai_family) +relpTcpLstnInit(relpTcp_t *const pThis, unsigned char *pLstnPort, const int ai_family) { struct addrinfo hints, *res, *r; int error, maxs, *s, on = 1; @@ -1512,7 +1553,7 @@ * rgerhards, 2008-03-17 */ relpRetVal -relpTcpRcv(relpTcp_t *pThis, relpOctet_t *pRcvBuf, ssize_t *pLenBuf) +relpTcpRcv(relpTcp_t *const pThis, relpOctet_t *pRcvBuf, ssize_t *pLenBuf) { ENTER_RELPFUNC; RELPOBJ_assert(pThis, Tcp); @@ -1548,7 +1589,7 @@ * such option is available on the platform in question. */ static inline void -setCORKopt(int sock, int onOff) +setCORKopt(int sock, const int onOff) { #if defined(TCP_CORK) setsockopt(sock, SOL_TCP, TCP_CORK, &onOff, sizeof (onOff)); @@ -1564,13 +1605,13 @@ * does not interfere with normal operations. */ void -relpTcpHintBurstBegin(relpTcp_t *pThis) +relpTcpHintBurstBegin(relpTcp_t *const pThis) { setCORKopt(pThis->sock, 1); } /* this is the counterpart to relpTcpHintBurstBegin -- see there for doc */ void -relpTcpHintBurstEnd(relpTcp_t *pThis) +relpTcpHintBurstEnd(relpTcp_t *const pThis) { setCORKopt(pThis->sock, 0); } @@ -1583,7 +1624,7 @@ * rgerhards, 2008-03-19 */ relpRetVal -relpTcpSend(relpTcp_t *pThis, relpOctet_t *pBuf, ssize_t *pLenBuf) +relpTcpSend(relpTcp_t *const pThis, relpOctet_t *pBuf, ssize_t *pLenBuf) { ssize_t written; ENTER_RELPFUNC; @@ -1631,12 +1672,14 @@ } #ifdef ENABLE_TLS +#ifndef _AIX #pragma GCC diagnostic push /* we need to disable a warning below */ /* per https://lists.gnupg.org/pipermail/gnutls-help/2004-August/000154.html This is expected */ #pragma GCC diagnostic ignored "-Wint-to-pointer-cast" +#endif /* this is only called for client-initiated sessions */ static relpRetVal -relpTcpConnectTLSInit(relpTcp_t *pThis) +relpTcpConnectTLSInit(relpTcp_t *const pThis) { int r; int sockflags; @@ -1747,7 +1790,9 @@ finalize_it: LEAVE_RELPFUNC; } +#ifndef _AIX #pragma GCC diagnostic pop +#endif #endif /* #ifdef ENABLE_TLS */ /* open a connection to a remote host (server). @@ -1755,7 +1800,11 @@ * rgerhards, 2008-03-19 */ relpRetVal -relpTcpConnect(relpTcp_t *pThis, int family, unsigned char *port, unsigned char *host, unsigned char *clientIP) +relpTcpConnect(relpTcp_t *const pThis, + const int family, + unsigned char *port, + unsigned char *host, + unsigned char *clientIP) { struct addrinfo *res = NULL; struct addrinfo hints; @@ -1840,13 +1889,13 @@ * "0 if trying to read data, 1 if trying to write data." */ int -relpTcpGetRtryDirection(relpTcp_t *pThis) +relpTcpGetRtryDirection(relpTcp_t *const pThis) { return gnutls_record_get_direction(pThis->session); } relpRetVal -relpTcpRtryHandshake(relpTcp_t *pThis) +relpTcpRtryHandshake(relpTcp_t *const pThis) { int r; ENTER_RELPFUNC;