diff --git a/tn5250-0.17.4-openssl-1.1.patch b/tn5250-0.17.4-openssl-1.1.patch
new file mode 100644
index 0000000..0bfc1fc
--- /dev/null
+++ b/tn5250-0.17.4-openssl-1.1.patch
@@ -0,0 +1,286 @@
+From 65c0559d8a91c8153e72dbb2524386ce37cc325a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20Hor=C3=A1k?=
+Date: Mon, 20 Feb 2017 14:47:03 +0100
+Subject: [PATCH 1/4] fix build with -Werror=format-security
+
+---
+ curses/cursesterm.c | 4 ++--
+ lib5250/sslstream.c | 2 +-
+ lib5250/telnetstr.c | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/curses/cursesterm.c b/curses/cursesterm.c
+index bf20f05..2aa65b8 100644
+--- a/curses/cursesterm.c
++++ b/curses/cursesterm.c
+@@ -640,9 +640,9 @@ static void curses_terminal_update(Tn5250Terminal * This, Tn5250Display *display
+ if(This->data->is_xterm) {
+ if (This->data->font_132!=NULL) {
+ if (tn5250_display_width (display)>100)
+- printf(This->data->font_132);
++ printf("%s",This->data->font_132);
+ else
+- printf(This->data->font_80);
++ printf("%s",This->data->font_80);
+ }
+ printf ("\x1b[8;%d;%dt", tn5250_display_height (display)+1,
+ tn5250_display_width (display));
+diff --git a/lib5250/sslstream.c b/lib5250/sslstream.c
+index e0b720a..77aab64 100644
+--- a/lib5250/sslstream.c
++++ b/lib5250/sslstream.c
+@@ -317,7 +317,7 @@ static void ssl_log_SB_buf(unsigned char *buf, int len)
+
+ if (!tn5250_logfile)
+ return;
+- fprintf(tn5250_logfile,ssl_getTelOpt(type=*buf++));
++ fprintf(tn5250_logfile,"%s",ssl_getTelOpt(type=*buf++));
+ switch (c=*buf++) {
+ case IS:
+ fputs("",tn5250_logfile);
+diff --git a/lib5250/telnetstr.c b/lib5250/telnetstr.c
+index 763c519..f95a737 100644
+--- a/lib5250/telnetstr.c
++++ b/lib5250/telnetstr.c
+@@ -292,7 +292,7 @@ static void log_SB_buf(unsigned char *buf, int len)
+
+ if (!tn5250_logfile)
+ return;
+- fprintf(tn5250_logfile,getTelOpt(type=*buf++));
++ fprintf(tn5250_logfile,"%s",getTelOpt(type=*buf++));
+ switch (c=*buf++) {
+ case IS:
+ fputs("",tn5250_logfile);
+--
+2.7.4
+
+
+From 0b6bd9bb964a04b5dd8a0278af1c16d8b71e09f4 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky
+Date: Tue, 23 Aug 2016 18:13:47 -0400
+Subject: [PATCH 2/4]
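Review bot: In patch 1/4's curses/cursesterm.c hunk, only `This->data->font_132` is tested against NULL, yet the else branch prints `This->data->font_80` through `%s`. If the two fields can be set independently, a NULL `font_80` is undefined behaviour in `printf`; the branch could be guarded as `else if (This->data->font_80!=NULL)`. curses_terminal_update begins and ends outside the hunk, so an earlier check may already exist.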
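Review bot: In patch 1/4's lib5250/sslstream.c hunk, `ssl_log_SB_buf` receives `len` but the visible lines read two bytes (`type=*buf++`, then `c=*buf++`) without consulting it. The buffer looks like telnet subnegotiation data supplied by the peer (to be confirmed against the caller), so a short option would be read past its end while logging; a guard such as `if (!tn5250_logfile || len < 2) return;` would cover both reads. The same pattern is in `log_SB_buf` in the lib5250/telnetstr.c hunk. Both functions start and continue outside their hunks, so a length check may already exist above.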
sslstream.c: ignore the user's choice of ssl_method.
+
+The SSLv2 and SSLv3 protocols are insecure, and people have begun to
+operate without them. LibreSSL, for example, does not have them
+enabled, and it is possible to build OpenSSL in the same manner.
+
+If SSLv[23] are disabled, the user would not be able to choose "ssl2"
+or "ssl3" as his "ssl_method", an option that was undocumented
+anywhere. Therefore there is not much lost, and some security to gain,
+by removing the option completely. This commit does that, and uses the
+automatic protocol choice that is capable of negotiating TLSv1,
+TLSv1.1 and TLSv1.2.
+
+Gentoo-Bug: 591940
+---
+ lib5250/sslstream.c | 26 ++++++++++----------------
+ 1 file changed, 10 insertions(+), 16 deletions(-)
+
+diff --git a/lib5250/sslstream.c b/lib5250/sslstream.c
+index 77aab64..f4353a9 100644
+--- a/lib5250/sslstream.c
++++ b/lib5250/sslstream.c
+@@ -372,22 +372,16 @@ int tn5250_ssl_stream_init (Tn5250Stream *This)
+
+ /* which SSL method do we use? */
+
+- strcpy(methstr,"auto");
+- if (This->config!=NULL && tn5250_config_get (This->config, "ssl_method")) {
+- strncpy(methstr, tn5250_config_get (This->config, "ssl_method"), 4);
+- methstr[4] = '\0';
+- }
+-
+- if (!strcmp(methstr, "ssl2")) {
+- meth = SSLv2_client_method();
+- TN5250_LOG(("SSL Method = SSLv2_client_method()\n"));
+- } else if (!strcmp(methstr, "ssl3")) {
+- meth = SSLv3_client_method();
+- TN5250_LOG(("SSL Method = SSLv3_client_method()\n"));
+- } else {
+- meth = SSLv23_client_method();
+- TN5250_LOG(("SSL Method = SSLv23_client_method()\n"));
+- }
++ /* Ignore the user's choice of ssl_method (which isn't documented
++ * anyway...) if it was either "ssl2" or "ssl3". Both are insecure,
++ * and this is only safe supported method left.
++ *
++ * This is a Gentoo-specific modification that lets us build
++ * against LibreSSL and newer OpenSSL with its insecure protocols
++ * disabled.
++ */
++ meth = SSLv23_client_method();
++ TN5250_LOG(("SSL Method = SSLv23_client_method()\n"));
+
+ /* create a new SSL context */
+
+--
+2.7.4
+
+
+From 66e1a2f80091e9ee9b99156ae23e5faaf9f24fe0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20Hor=C3=A1k?=
+Date: Mon, 20 Feb 2017 15:06:36 +0100
+Subject: [PATCH 3/4] remove duplicate definition for tn3270_ssl_stream_init()
+
+---
+ lib5250/sslstream.c | 93 -----------------------------------------------------
+ 1 file changed, 93 deletions(-)
+
+diff --git a/lib5250/sslstream.c b/lib5250/sslstream.c
+index f4353a9..86d38cf 100644
+--- a/lib5250/sslstream.c
++++ b/lib5250/sslstream.c
+@@ -477,99 +477,6 @@ int tn5250_ssl_stream_init (Tn5250Stream *This)
+ return 0; /* Ok */
+ }
+
+-/****f* lib5250/tn3270_ssl_stream_init
+- * NAME
+- * tn3270_ssl_stream_init
+- * SYNOPSIS
+- * ret = tn3270_ssl_stream_init (This);
+- * INPUTS
+- * Tn5250Stream * This -
+- * DESCRIPTION
+- * DOCUMENT ME!!!
+- *****/
+-int tn3270_ssl_stream_init (Tn5250Stream *This)
+-{
+- int len;
+-
+-/* initialize SSL library */
+-
+- SSL_load_error_strings();
+- SSL_library_init();
+-
+-/* create a new SSL context */
+-
+- This->ssl_context = SSL_CTX_new(SSLv23_client_method());
+- if (This->ssl_context==NULL) {
+- DUMP_ERR_STACK ();
+- return -1;
+- }
+-
+-/* if a certificate authority file is defined, load it into this context */
+-
+- if (This->config!=NULL && tn5250_config_get (This->config, "ssl_ca_file")) {
+- if (SSL_CTX_load_verify_locations(This->ssl_context,
+- tn5250_config_get (This->config, "ssl_ca_file"), NULL)<1) {
+- DUMP_ERR_STACK ();
+- return -1;
+- }
+- }
+-
+-/* if a certificate authority file is defined, load it into this context */
+-
+- if (This->config!=NULL && tn5250_config_get (This->config, "ssl_ca_file")) {
+- if (SSL_CTX_load_verify_locations(This->ssl_context,
+- tn5250_config_get (This->config, "ssl_ca_file"), NULL)<1) {
+- DUMP_ERR_STACK ();
+- return -1;
+- }
+- }
+-
+- This->userdata = NULL;
+-
+-/* if a PEM
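Review bot: In patch 2/4, the new comment calls `SSLv23_client_method()` the only safe method left, but that method only selects version negotiation; whether SSLv3 can still be negotiated depends on how the linked library was built and on the context options. To make the floor independent of the library build, set it on the context once it has been created (the context is created below this hunk), e.g. `SSL_CTX_set_options(This->ssl_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);`. The comment also says the setting is ignored only for "ssl2" or "ssl3" while the code now ignores `ssl_method` for every value, and "this is only safe supported method left" should read "this is the only safe supported method left". If `methstr` is still declared above the hunk, it is now unused.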
passphrase is defined, set things up so that it can be used */
+-
+- if (This->config!=NULL && tn5250_config_get (This->config,"ssl_pem_pass")){
+- TN5250_LOG(("SSL: Setting password callback\n"));
+- len = strlen(tn5250_config_get (This->config, "ssl_pem_pass"));
+- This->userdata = malloc(len+1);
+- strncpy(This->userdata,
+- tn5250_config_get (This->config, "ssl_pem_pass"), len);
+- SSL_CTX_set_default_passwd_cb(This->ssl_context,
+- (pem_password_cb *)ssl_stream_passwd_cb);
+- SSL_CTX_set_default_passwd_cb_userdata(This->ssl_context, (void *)This);
+-
+- }
+-
+-/* If a certificate file has been defined, load it into this context as well */
+-
+- if (This->config!=NULL && tn5250_config_get (This->config, "ssl_cert_file")){
+- TN5250_LOG(("SSL: Loading certificates from certificate file\n"));
+- if (SSL_CTX_use_certificate_file(This->ssl_context,
+- tn5250_config_get (This->config, "ssl_cert_file"),
+- SSL_FILETYPE_PEM) <= 0) {
+- DUMP_ERR_STACK ();
+- return -1;
+- }
+- TN5250_LOG(("SSL: Loading private keys from certificate file\n"));
+- if (SSL_CTX_use_PrivateKey_file(This->ssl_context,
+- tn5250_config_get (This->config, "ssl_cert_file"),
+- SSL_FILETYPE_PEM) <= 0) {
+- DUMP_ERR_STACK ();
+- return -1;
+- }
+- }
+-
+- This->ssl_handle = NULL;
+- This->connect = ssl_stream_connect;
+- This->accept = ssl_stream_accept;
+- This->disconnect = ssl_stream_disconnect;
+- This->handle_receive = ssl_stream_handle_receive;
+- This->send_packet = tn3270_ssl_stream_send_packet;
+- This->destroy = ssl_stream_destroy;
+- This->streamtype = TN3270E_STREAM;
+- return 0; /* Ok */
+-}
+-
+ /****i* lib5250/ssl_stream_connect
+ * NAME
+ * ssl_stream_connect
+--
+2.7.4
+
+
+From 5922e57bb5ea78ff35f82a60f1721d533cc0584a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20Hor=C3=A1k?=
+Date: Mon, 20 Feb 2017 15:37:51 +0100
+Subject: [PATCH 4/4] port to OpenSSL 1.1
+
+- check for better functions in configure
+- update SSL initialization call
+---
+ configure.ac | 8 ++++----
+
lib5250/sslstream.c | 2 +-
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 4ba0007..8a16cff 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -152,13 +152,13 @@ dnl ** happily, we don't have to hunt for them thanks to ldconfig!
+ dnl **
+ if test -n $sslincludedir; then
+ CPPFLAGS="$CPPFLAGS $sslincludedir"
+- AC_CHECK_LIB(crypto,CRYPTO_num_locks)
+- if test "$ac_cv_lib_crypto_CRYPTO_num_locks" != "yes"
++ AC_CHECK_LIB(crypto,OPENSSL_init)
++ if test "$ac_cv_lib_crypto_OPENSSL_init" != "yes"
+ then
+ AC_MSG_ERROR([** Unable to find OpenSSL libraries!])
+ fi
+- AC_CHECK_LIB(ssl,SSL_library_init)
+- if test "$ac_cv_lib_ssl_SSL_library_init" != "yes"
++ AC_CHECK_LIB(ssl,OPENSSL_init_ssl)
++ if test "$ac_cv_lib_ssl_OPENSSL_init_ssl" != "yes"
+ then
+ AC_MSG_ERROR([** Unable to find OpenSSL libraries!])
+ fi
+diff --git a/lib5250/sslstream.c b/lib5250/sslstream.c
+index 86d38cf..3c0f390 100644
+--- a/lib5250/sslstream.c
++++ b/lib5250/sslstream.c
+@@ -368,7 +368,7 @@ int tn5250_ssl_stream_init (Tn5250Stream *This)
+ /* initialize SSL library */
+
+ SSL_load_error_strings();
+- SSL_library_init();
++ OPENSSL_init_ssl(0, NULL);
+
+ /* which SSL method do we use? */
+
+--
+2.7.4
+
diff --git a/tn5250.spec b/tn5250.spec
index 72e30f3..2797cf4 100644
--- a/tn5250.spec
+++ b/tn5250.spec
@@ -1,13 +1,14 @@
 Name: tn5250
 Version: 0.17.4
-Release: 2mamba
+Release: 3mamba
 Summary: A telnet client for the IBM AS/400 that emulates 5250 terminals and printers
 Group: Applications/Networking
 Vendor: openmamba
 Distribution: openmamba
-Packager: Silvan Calarco
+Packager: Silvan Calarco
 URL: http://tn5250.sourceforge.net/
 Source: http://downloads.sourceforge.net/sourceforge/tn5250/%{name}-%{version}.tar.gz
+Patch0: tn5250-0.17.4-openssl-1.1.patch
 License: LGPL
 ## AUTOBUILDREQ-BEGIN
 BuildRequires: glibc-devel
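Review bot: In patch 4/4's lib5250/sslstream.c hunk, the result of `OPENSSL_init_ssl(0, NULL)` is discarded, although the function returns 0 when library initialisation fails. Failing early keeps a later context-creation error from being the first symptom, following the pattern the file uses elsewhere: `if (OPENSSL_init_ssl(0, NULL) != 1) { DUMP_ERR_STACK (); return -1; }`. The call is also unconditional, so together with the configure.ac check for `OPENSSL_init_ssl` the package no longer builds against libraries that only provide `SSL_library_init()`; if those still matter, keep the old call behind a version check such as `#if OPENSSL_VERSION_NUMBER < 0x10100000L`. tn5250_ssl_stream_init starts and continues outside the hunk.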
@@ -15,8 +16,6 @@ BuildRequires: libncurses-devel BuildRequires: libopenssl-devel ## AUTOBUILDREQ-END -BuildRoot: %{_tmppath}/%{name}-%{version}-root - %description tn5250 is a telnet client for the IBM AS/400 that emulates 5250 terminals and printers. This function is the same as that provided by the 5250 emulator in IBM Client Access. @@ -29,11 +28,15 @@ Requires: %{name} = %{version} %description devel tn5250 is a telnet client for the IBM AS/400 that emulates 5250 terminals and printers. This function is the same as that provided by the 5250 emulator in IBM Client Access. +This package contains static libraries and header files needed for development. -This package contains static libraries and header files need for development. +%debug_package %prep %setup -q +%patch0 -p1 + +autoreconf -f -i %build %configure @@ -54,7 +57,6 @@ This package contains static libraries and header files need for development. %{_bindir}/xt5250 %{_bindir}/5250keys %{_libdir}/*.so.* - %{_mandir}/man1/lp5250d.* %{_mandir}/man1/scs2ascii.* %{_mandir}/man1/scs2pdf.* @@ -62,7 +64,8 @@ This package contains static libraries and header files need for development. %{_mandir}/man1/tn5250.* %{_mandir}/man5/tn5250rc.* %{_datadir}/tn5250/* -%doc AUTHORS COPYING ChangeLog NEWS README README.ssl TODO +%doc AUTHORS COPYING +#ChangeLog NEWS README README.ssl TODO %files devel %defattr(-,root,root) @@ -76,6 +79,9 @@ This package contains static libraries and header files need for development. #%{_libdir}/pkgconfig/tn5250.pc %changelog +* Fri May 21 2021 Silvan Calarco 0.17.4-3mamba +- rebuilt with debug package and specfile fixes + * Wed Jul 10 2013 Automatic Build System 0.17.4-2mamba - automatic version update by autodist