From 6f99654c4963128d154326397d6db8d7e7b9ef97 Mon Sep 17 00:00:00 2001
From: Jan Wagner
Date: Mon, 14 Nov 2016 00:03:59 +0100
Subject: [PATCH] Adding OpenSSL support by d/p/21_openssl11 (Closes: #844031), still build against openssl 1.0
---
 debian/patches/21_openssl11 | 204 ++++++++++++++++++++++++++++++++++++
 debian/patches/series | 1 +
 2 files changed, 205 insertions(+)
 create mode 100644 debian/patches/21_openssl11
diff --git a/debian/patches/21_openssl11 b/debian/patches/21_openssl11
new file mode 100644
index 0000000..6f6609e
--- /dev/null
+++ b/debian/patches/21_openssl11
@@ -0,0 +1,204 @@
+From fe1c4bb0e5ea3632d608a6b8b7e51d580856d833 Mon Sep 17 00:00:00 2001
+From: vagrant
+Date: Sun, 13 Nov 2016 19:39:46 +0000
+Subject: [PATCH] add openssl 1.1 support
+
+changes:
+ - CRYPTO_lock detection replaced in configure.ac. We don't use that
+ function anywhere, so just replace it with the suggested one from
+ https://wiki.openssl.org/index.php/Library_Initialization#Autoconf
+ - OPENSSL_NO_SSL2 is no longer defined while ssl2 is not included.
+ Set it ourself using the suggested openssl 1.1 version check from
+ https://wiki.openssl.org/index.php/1.1_API_Changes#Backward_compatibility
+ - openssl 1.1 sends a sigpipe if the connection is still open when
+ calling SSL_shutdown(), so move the close before the shutdown.
+
+Signed-off-by: Sven Nierlein
+---
+ configure.ac | 6 +++---
+ plugins/check_http.c | 4 ++--
+ plugins/check_smtp.c | 8 +++++---
+ plugins/check_tcp.c | 4 ++--
+ plugins/common.h | 7 +++++++
+ 5 files changed, 19 insertions(+), 10 deletions(-)
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -493,15 +493,15 @@
+ dnl Check for crypto lib
+ _SAVEDLIBS="$LIBS"
+ LIBS="-L${with_openssl}/lib"
+- AC_CHECK_LIB(crypto,CRYPTO_lock)
+- if test "$ac_cv_lib_crypto_CRYPTO_lock" = "yes"; then
++ AC_CHECK_LIB(crypto,CRYPTO_new_ex_data)
++ if test "$ac_cv_lib_crypto_CRYPTO_new_ex_data" = "yes"; then
+ dnl Check for SSL lib
+ AC_CHECK_LIB(ssl,main, SSLLIBS="-lssl -lcrypto",,-lcrypto)
+ fi
+ LIBS="$_SAVEDLIBS"
+
+ dnl test headers and libs to decide whether check_http should use SSL
+- if test "$ac_cv_lib_crypto_CRYPTO_lock" = "yes"; then
++ if test "$ac_cv_lib_crypto_CRYPTO_new_ex_data" = "yes"; then
+ if test "$ac_cv_lib_ssl_main" = "yes"; then
+ if test "$FOUNDINCLUDE" = "yes"; then
+ FOUNDOPENSSL="yes"
+--- a/plugins/check_http.c
++++ b/plugins/check_http.c
+@@ -886,8 +886,8 @@
+ elapsed_time_ssl = (double)microsec_ssl / 1.0e6;
+ if (check_cert == TRUE) {
+ result = np_net_ssl_check_cert(days_till_exp_warn, days_till_exp_crit);
+- np_net_ssl_cleanup();
+ if (sd) close(sd);
++ np_net_ssl_cleanup();
+ return result;
+ }
+ }
+@@ -1005,10 +1005,10 @@
+ die (STATE_CRITICAL, _("HTTP CRITICAL - No data received from host\n"));
+
+ /* close the connection */
++ if (sd) close(sd);
+ #ifdef HAVE_SSL
+ np_net_ssl_cleanup();
+ #endif
+- if (sd) close(sd);
+
+ /* Save check time */
+ microsec = deltime (tv);
+--- a/plugins/check_smtp.c
++++ b/plugins/check_smtp.c
+@@ -239,8 +239,8 @@
+ result = np_net_ssl_init(sd);
+ if(result != STATE_OK) {
+ printf (_("CRITICAL - Cannot create SSL context.\n"));
+- np_net_ssl_cleanup();
+ close(sd);
++ np_net_ssl_cleanup();
+ return STATE_CRITICAL;
+ } else {
+ ssl_established = 1;
+@@ -764,10 +764,12 @@
+ int
+ my_close (void)
+ {
++ int result;
++ result = close(sd);
+ #ifdef HAVE_SSL
+- np_net_ssl_cleanup();
++ np_net_ssl_cleanup();
+ #endif
+- return close(sd);
++ return result;
+ }
+
+
+--- a/plugins/check_tcp.c
++++ b/plugins/check_tcp.c
+@@ -247,8 +247,8 @@
+ }
+ }
+ if(result != STATE_OK){
+- np_net_ssl_cleanup();
+ if(sd) close(sd);
++ np_net_ssl_cleanup();
+ return result;
+ }
+ #endif /* HAVE_SSL */
+@@ -321,10 +321,10 @@
+ if (server_quit != NULL) {
+ my_send(server_quit, strlen(server_quit));
+ }
++ if (sd) close (sd);
+ #ifdef HAVE_SSL
+ np_net_ssl_cleanup();
+ #endif
+- if (sd) close (sd);
+
+ microsec = deltime (tv);
+ elapsed_time = (double)microsec / 1.0e6;
+--- a/plugins/common.h
++++ b/plugins/common.h
+@@ -161,6 +161,13 @@
+ # endif
+ #endif
+
++/* openssl 1.1 does not set OPENSSL_NO_SSL2 by default but ships without ssl2 */
++#ifdef OPENSSL_VERSION_NUMBER
++# if OPENSSL_VERSION_NUMBER >= 0x10100000
++# define OPENSSL_NO_SSL2
++# endif
++#endif
++
+ /*
+ *
+ * Standard Values
+--- a/configure
++++ b/configure
+@@ -15775,9 +15775,9 @@
+
+ _SAVEDLIBS="$LIBS"
+ LIBS="-L${with_openssl}/lib"
+- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for CRYPTO_lock in -lcrypto" >&5
+-$as_echo_n "checking for CRYPTO_lock in -lcrypto... " >&6; }
+-if ${ac_cv_lib_crypto_CRYPTO_lock+:} false; then :
++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for CRYPTO_new_ex_data in -lcrypto" >&5
++$as_echo_n "checking for CRYPTO_new_ex_data in -lcrypto... " >&6; }
++if ${ac_cv_lib_crypto_CRYPTO_new_ex_data+:} false; then :
+ $as_echo_n "(cached) " >&6
+ else
+ ac_check_lib_save_LIBS=$LIBS
+@@ -15791,27 +15791,27 @@
+ #ifdef __cplusplus
+ extern "C"
+ #endif
+-char CRYPTO_lock ();
++char CRYPTO_new_ex_data ();
+ int
+ main ()
+ {
+-return CRYPTO_lock ();
++return CRYPTO_new_ex_data ();
+ ;
+ return 0;
+ }
+ _ACEOF
+ if ac_fn_c_try_link "$LINENO"; then :
+- ac_cv_lib_crypto_CRYPTO_lock=yes
++ ac_cv_lib_crypto_CRYPTO_new_ex_data=yes
+ else
+- ac_cv_lib_crypto_CRYPTO_lock=no
++ ac_cv_lib_crypto_CRYPTO_new_ex_data=no
+ fi
+ rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+ LIBS=$ac_check_lib_save_LIBS
+ fi
+-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_CRYPTO_lock" >&5
+-$as_echo "$ac_cv_lib_crypto_CRYPTO_lock" >&6; }
+-if test "x$ac_cv_lib_crypto_CRYPTO_lock" = xyes; then :
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_CRYPTO_new_ex_data" >&5
++$as_echo "$ac_cv_lib_crypto_CRYPTO_new_ex_data" >&6; }
++if test "x$ac_cv_lib_crypto_CRYPTO_new_ex_data" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+ #define HAVE_LIBCRYPTO 1
+ _ACEOF
+@@ -15820,7 +15820,7 @@
+
+ fi
+
+- if test "$ac_cv_lib_crypto_CRYPTO_lock" = "yes"; then
++ if test "$ac_cv_lib_crypto_CRYPTO_new_ex_data" = "yes"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lssl" >&5
+ $as_echo_n "checking for main in -lssl... " >&6; }
+ if ${ac_cv_lib_ssl_main+:} false; then :
+@@ -15858,7 +15858,7 @@
+ fi
+ LIBS="$_SAVEDLIBS"
+
+- if test "$ac_cv_lib_crypto_CRYPTO_lock" = "yes"; then
++ if test "$ac_cv_lib_crypto_CRYPTO_new_ex_data" = "yes"; then
+ if test "$ac_cv_lib_ssl_main" = "yes"; then
+ if test "$FOUNDINCLUDE" = "yes"; then
+ FOUNDOPENSSL="yes"
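Review bot: In my_close() in check_smtp.c, and in the matching reorderings in check_http.c and check_tcp.c, `close(sd)` now runs before `np_net_ssl_cleanup()`, so any shutdown the cleanup performs acts on an already-closed descriptor. The commit message says the cleanup reaches SSL_shutdown(), though its body is not part of this patch; if so, the close_notify alert can no longer be sent and the peer sees an abrupt TCP close instead of a clean TLS termination. Keeping the original order and suppressing the signal instead, for example `signal(SIGPIPE, SIG_IGN);` ahead of the cleanup, would avoid the SIGPIPE without skipping the TLS shutdown. If the new order stays, my_close() should record why, e.g. `/* close first: openssl 1.1 raises SIGPIPE when SSL_shutdown() runs on a still-open connection */`.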
diff --git a/debian/patches/series b/debian/patches/series
index 1538bc9..9533258 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@
 16_check_smtp_quit
 17_check_smtp_forcetls_on_cert
 20_check_radius_radcli
+21_openssl11