Bas Couwenberg · Bas Couwenberg · 19898cde · 19898cde · 19898cde
--- a/debian/changelog
+++ b/debian/changelog
-nsca-ng (1.5-4) UNRELEASED; urgency=medium
+nsca-ng (1.5-4) unstable; urgency=medium

+  * Team upload.
  * Drop autopkgtest to test installability.
  * Add lintian override for testsuite-autopkgtest-missing.
  * Bump Standards-Version to 4.3.0, no changes.
+  * Add upstream patch to fix FTBFS with OpenSSL 1.1.1.
+    (closes: #900152)

- -- Bas Couwenberg <sebastic@debian.org>  Wed, 01 Aug 2018 21:07:15 +0200
+ -- Bas Couwenberg <sebastic@debian.org>  Tue, 19 Mar 2019 18:32:59 +0100

 nsca-ng (1.5-3) unstable; urgency=medium


--- a/debian/patches/0001-Work-around-TLSv1.3-PSK-bug-in-OpenSSL-1.1.1.patch
+++ b/debian/patches/0001-Work-around-TLSv1.3-PSK-bug-in-OpenSSL-1.1.1.patch
+Description: Work around TLSv1.3 PSK bug in OpenSSL 1.1.1
+ When TLSv1.3 is used with (at least) OpenSSL 1.1.1b, the
+ SSL_get_psk_identity(3) unexpectedly returns NULL.  Work around this
+ issue be storing a copy of the PSK identity into the SSL object.
+From: Holger Weiß <holger@weiss.in-berlin.de>
+Origin :https://github.com/weiss/nsca-ng/commit/7d9ca3413e661c0ac8a020bf674d16c3af4ebccb
+Bug: https://github.com/weiss/nsca-ng/issues/4
+Bug-Debian: https://bugs.debian.org/900152
+
+--- a/src/common/tls.c
+++ b/src/common/tls.c
+@@ -530,6 +530,8 @@ tls_free(tls_state *tls)
+ 		free(tls->output);
+ 	if (tls->addr != NULL)
+ 		free(tls->addr);
+	if (tls->id != NULL)
+		free(tls->id);
+ 	if (tls->peer != NULL)
+ 		free(tls->peer);
+ 	if (tls->ssl != NULL)
+@@ -632,7 +634,7 @@ accept_ssl_cb(EV_P_ ev_io *w, int revent
+ 		debug("TLS handshake with %s not (yet) successful", tls->addr);
+ 		check_tls_error(EV_A_ w, result);
+ 	} else { /* The TLS connection is established. */
+-		if ((tls->id = SSL_get_psk_identity(tls->ssl)) == NULL) {
+		if ((tls->id = SSL_get_app_data(tls->ssl)) == NULL) {
+ 			error("Cannot retrieve client identity");
+ 			tls_free(tls);
+ 		} else {
+--- a/src/common/tls.h
+++ b/src/common/tls.h
+@@ -61,7 +61,7 @@
+ typedef struct tls_state_s {
+ /* public: */
+ 	void *data;     /* Can freely be used by the caller. */
+-	const char *id; /* Client ID (e.g., "foo"). */
+	char *id;       /* Client ID (e.g., "foo"). */
+ 	char *addr;     /* Client IP address (e.g., "192.0.2.2"). */
+ 	char *peer;     /* Client ID and IP address (e.g., "foo@192.0.2.2"). */
+ 
+--- a/src/server/auth.c
+++ b/src/server/auth.c
+@@ -41,6 +41,7 @@
+ #include "log.h"
+ #include "system.h"
+ #include "util.h"
+#include "wrappers.h"
+ 
+ static bool match(regex_t * restrict, const char * restrict);
+ 
+@@ -49,8 +50,8 @@ static bool match(regex_t * restrict, co
+  */
+ 
+ unsigned int
+-check_psk(SSL *ssl __attribute__((__unused__)), const char *identity,
+-          unsigned char *password, unsigned int max_password_len)
+check_psk(SSL *ssl, const char *identity, unsigned char *password,
+          unsigned int max_password_len)
+ {
+ 	cfg_t *auth;
+ 	const char *configured_pw;
+@@ -63,6 +64,15 @@ check_psk(SSL *ssl __attribute__((__unus
+ 	}
+ 	debug("Verifying key provided by %s", identity);
+ 
+	/*
+	 * With (at least) OpenSSL 1.1.1b, SSL_get_psk_identity(3) returns NULL
+	 * when TLSv1.3 is used.  As a workaround, we store the ID ourselves:
+	 */
+	if (SSL_set_app_data(ssl, xstrdup(identity)) != 1) {
+		error("Cannot store client-supplied ID (`%s')", identity);
+		return 0;
+	}
+
+ 	configured_pw = cfg_getstr(auth, "password");
+ 	password_len = MIN(strlen(configured_pw), max_password_len);
+ 	(void)memcpy(password, configured_pw, password_len);
--- a/debian/patches/series
+++ b/debian/patches/series
 nsca-ng.cfg_debian_config
+0001-Work-around-TLSv1.3-PSK-bug-in-OpenSSL-1.1.1.patch