From a08cc5b5330d213519bffaf0bb27476cd156b6b0 Mon Sep 17 00:00:00 2001 From: Sebastian Kemper Date: Tue, 26 Nov 2019 21:16:44 +0100 Subject: [PATCH 1/3] nut: revert 81e6bb7 gdlib pc file doesn't set a version, so "pkg-config --modversion gdlib" returns nothing. Also, the test if test "$?" != "0" -a -n "${GD_VERSION}"; then is wrong as pkg-config wouldn't return != 0 on success. Signed-off-by: Sebastian Kemper --- net/nut/patches/010-libgd-pkgconfig.patch | 79 ----------------------- 1 file changed, 79 deletions(-) delete mode 100644 net/nut/patches/010-libgd-pkgconfig.patch diff --git a/net/nut/patches/010-libgd-pkgconfig.patch b/net/nut/patches/010-libgd-pkgconfig.patch deleted file mode 100644 index bb8709092..000000000 --- a/net/nut/patches/010-libgd-pkgconfig.patch +++ /dev/null 
@@ -1,79 +0,0 @@ ---- a/m4/nut_check_libgd.m4 -+++ b/m4/nut_check_libgd.m4 -@@ -9,37 +9,27 @@ if test -z "${nut_have_libgd_seen}"; then - nut_have_libgd_seen=yes - - CFLAGS_ORIG="${CFLAGS}" -- LDFLAGS_ORIG="${LDFLAGS}" - LIBS_ORIG="${LIBS}" - -- dnl Initial defaults. These are only used if gdlib-config is -- dnl unusable and the user fails to pass better values in --with -- dnl arguments -- CFLAGS="" -- LDFLAGS="-L/usr/X11R6/lib" -- LIBS="-lgd -lpng -lz -ljpeg -lfreetype -lm -lXpm -lX11" -- -- AC_MSG_CHECKING(for gd version via gdlib-config) -- GD_VERSION=`gdlib-config --version 2>/dev/null` -- if test "$?" != "0" -o -z "${GD_VERSION}"; then -- GD_VERSION="none" -+ AC_MSG_CHECKING(for gd version via pkg-config) -+ GD_VERSION=`pkg-config --silence-errors --modversion gdlib 2>/dev/null` -+ if test "$?" != "0" -a -n "${GD_VERSION}"; then -+ CFLAGS"`pkg-config --silence-errors --cflags gdllib 2>/dev/null`" -+ LIBS="`pkg-config --silence-errors --libs gdlib 2>/dev/null`" -+ else -+ AC_MSG_CHECKING(via gdlib-config) -+ GD_VERSION="`gdlib-config --version 2>/dev/null`" -+ if test "$?" 
= "0" -a -n "${GD_VERSION}"; then -+ CFLAGS="`gdlib-config --cflags 2>/dev/null`" -+ LIBS="`gdlib-config --libs 2>/dev/null`" -+ else -+ GD_VERSION="none" -+ CFLAGS="" -+ LIBS="-lgd" -+ fi - fi - AC_MSG_RESULT(${GD_VERSION} found) - -- case "${GD_VERSION}" in -- none) -- ;; -- 2.0.5 | 2.0.6 | 2.0.7) -- AC_MSG_WARN([[gd ${GD_VERSION} detected, unable to use gdlib-config script]]) -- AC_MSG_WARN([[If gd detection fails, upgrade gd or use --with-gd-includes and --with-gd-libs]]) -- ;; -- *) -- CFLAGS="`gdlib-config --includes 2>/dev/null`" -- LDFLAGS="`gdlib-config --ldflags 2>/dev/null`" -- LIBS="`gdlib-config --libs 2>/dev/null`" -- ;; -- esac -- - dnl Now allow overriding gd settings if the user knows best - AC_MSG_CHECKING(for gd include flags) - AC_ARG_WITH(gd-includes, -@@ -70,7 +60,7 @@ if test -z "${nut_have_libgd_seen}"; then - ;; - esac - ], []) -- AC_MSG_RESULT([${LDFLAGS} ${LIBS}]) -+ AC_MSG_RESULT([${LIBS}]) - - dnl check if gd is usable - AC_CHECK_HEADERS(gd.h gdfontmb.h, [nut_have_libgd=yes], [nut_have_libgd=no], [AC_INCLUDES_DEFAULT]) -@@ -79,12 +69,11 @@ if test -z "${nut_have_libgd_seen}"; then - if test "${nut_have_libgd}" = "yes"; then - AC_DEFINE(HAVE_LIBGD, 1, [Define if you have Boutell's libgd installed]) - LIBGD_CFLAGS="${CFLAGS}" -- LIBGD_LDFLAGS="${LDFLAGS} ${LIBS}" -+ LIBGD_LDFLAGS="${LIBS}" - fi - - dnl put back the original versions - CFLAGS="${CFLAGS_ORIG}" -- LDFLAGS="${LDFLAGS_ORIG}" - LIBS="${LIBS_ORIG}" - fi - ]) From cdd660a41dbfb87c9a253a7ebf856d7b733b752f Mon Sep 17 00:00:00 2001 From: Sebastian Kemper Date: Wed, 27 Nov 2019 19:41:40 +0100 Subject: [PATCH 2/3] nut: fix CGI setup This commit makes - the libgd dependency (as well as specifying libs and includes) - the configure argument "--with-cgi" dependant on whether the package nut-web-cgi is selected. nut-web-cgi is also added to PKG_CONFIG_DEPENDS. Resolves: #10641 
Signed-off-by: Sebastian Kemper --- net/nut/Makefile | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/net/nut/Makefile b/net/nut/Makefile index 38605cc46..d1229ada6 100644 --- a/net/nut/Makefile +++ b/net/nut/Makefile @@ -25,7 +25,8 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_NUT_DRIVER_SNMP \ CONFIG_NUT_DRIVER_USB \ CONFIG_NUT_DRIVER_SERIAL \ - CONFIG_NUT_SSL + CONFIG_NUT_SSL \ + CONFIG_PACKAGE_nut-web-cgi include $(INCLUDE_DIR)/package.mk @@ -301,7 +302,7 @@ endef define Package/nut-web-cgi $(call Package/nut/Default) TITLE+= Web CGI interface - DEPENDS:=nut +nut-common +libgd + DEPENDS:=nut +nut-common +PACKAGE_nut-web-cgi:libgd endef define Package/nut-web-cgi/description @@ -530,7 +531,7 @@ CONFIGURE_ARGS += \ --without-powerman \ --without-wrap \ --with-hotplug-dir=/etc/hotplug \ - --with-cgi \ + --with$(if $(CONFIG_PACKAGE_nut-web-cgi),,out)-cgi \ --without-ipmi \ --without-freeipmi \ --$(if $(CONFIG_NUT_SSL),with,without)-ssl $(if $(CONFIG_NUT_SSL),--with-openssl) \ @@ -538,7 +539,9 @@ CONFIGURE_ARGS += \ --with-statepath=/var/run/nut \ --with-drvpath=/lib/nut \ --with-user=root \ - --with-group=root + --with-group=root \ + $(if $(CONFIG_PACKAGE_nut-web-cgi),--with-gd-includes="`pkg-config --cflags gdlib`") \ + $(if $(CONFIG_PACKAGE_nut-web-cgi),--with-gd-libs="`pkg-config --libs gdlib`") define Build/InstallDev $(INSTALL_DIR) $(1)/usr/include $(1)/usr/lib/pkgconfig From 7d4f1b8589bc425acfd4d71a6e6be08a66d8f3dc Mon Sep 17 00:00:00 2001 From: Sebastian Kemper Date: Wed, 27 Nov 2019 19:52:27 +0100 Subject: [PATCH 3/3] nut: update OpenSSL 1.1.0 patch Replaces OpenWrt patch with upstream patch. Also removes 0002-Fix-check-for-empty-string.patch as this is included in upstream OpenSSL 1.1.0 patch. 
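Review bot: The new `--with$(if $(CONFIG_PACKAGE_nut-web-cgi),,out)-cgi` in the `@@ -530,7 +531,7 @@` hunk spells its toggle differently from the `--$(if $(CONFIG_NUT_SSL),with,without)-ssl` line a few lines below it in the same hunk. That makes the conditional configure switches harder to grep and compare. Writing it as `--$(if $(CONFIG_PACKAGE_nut-web-cgi),with,without)-cgi \` keeps one idiom for all of them. The CONFIGURE_ARGS assignment starts and ends outside this hunk.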
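Review bot: Nothing in the `@@ -538,7 +539,9 @@` hunk notices when `pkg-config --cflags gdlib` or `pkg-config --libs gdlib` fails. The backticks are expanded by the shell that runs configure, so a missing gdlib.pc yields an empty `--with-gd-includes=""` / `--with-gd-libs=""` and the build carries on. If the pkg-config found on PATH is not the one bound to the staging directory, host paths could also leak into the cross build; whether the build environment already prevents that is not visible here. A comment above the CONFIGURE_ARGS block would record the assumption, for example `# gd flags come from gdlib.pc in the staging dir; an empty value means pkg-config did not find it`. The two identical `$(if $(CONFIG_PACKAGE_nut-web-cgi),...)` guards could also be folded into one.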
Signed-off-by: Sebastian Kemper --- net/nut/Makefile | 2 +- ...Add-compatibility-with-openssl-1.1.0.patch | 175 ++++++++++++++---- .../0002-Fix-check-for-empty-string.patch | 25 --- 3 files changed, 135 insertions(+), 67 deletions(-) delete mode 100644 net/nut/patches/0002-Fix-check-for-empty-string.patch diff --git a/net/nut/Makefile b/net/nut/Makefile index d1229ada6..bb3c79e17 100644 --- a/net/nut/Makefile +++ b/net/nut/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=nut PKG_VERSION:=2.7.4 -PKG_RELEASE:=18 +PKG_RELEASE:=19 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=http://www.networkupstools.org/source/2.7/ diff --git a/net/nut/patches/0001-Add-compatibility-with-openssl-1.1.0.patch b/net/nut/patches/0001-Add-compatibility-with-openssl-1.1.0.patch index f75f1322a..23d10fb38 100644 --- a/net/nut/patches/0001-Add-compatibility-with-openssl-1.1.0.patch +++ b/net/nut/patches/0001-Add-compatibility-with-openssl-1.1.0.patch @@ -1,43 +1,101 @@ -From fcbf18c92918ce5e81d0aab62a7aed5c2245ea4d Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz -Date: Fri, 1 Jun 2018 11:17:28 -0300 -Subject: [PATCH 1/2] Add compatibility with openssl 1.1.0 +commit 612c05efb3c3b243da603a3a050993281888b6e3 +Author: Arjen de Korte +Date: Fri Mar 15 10:17:32 2019 +0100 -Minor adjustments were needed: -* Openssl 1.1 libs do not need to be initialized. -* TLSv*_method became TLS_*_method. + Add support for openssl-1.1.0 (#504) + + * Add support for openssl-1.1.0 + + * Allow TLSv1 and higher (not just TLSv1) + + * Fix check for empty string + + * Report TLS handshake in debug mode + + * Update nut_check_libopenssl.m4 + + * Update upsclient.c + + * Update netssl.c -Signed-off-by: Eneas U de Queiroz ---- - clients/upsclient.c | 5 ++++- - m4/nut_check_libopenssl.m4 | 2 +- - server/netssl.c | 7 +++++-- - 3 files changed, 10 insertions(+), 4 deletions(-) - -diff --git a/clients/upsclient.c b/clients/upsclient.c -index b90587b0..053d60fb 100644 --- a/clients/upsclient.c 
+++ b/clients/upsclient.c -@@ -316,10 +316,13 @@ int upscli_init(int certverify, const char *certpath, +@@ -299,11 +299,6 @@ int upscli_init(int certverify, const ch + { + #ifdef WITH_OPENSSL + int ret, ssl_mode = SSL_VERIFY_NONE; +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L +- const SSL_METHOD *ssl_method; +-#else +- SSL_METHOD *ssl_method; +-#endif + #elif defined(WITH_NSS) /* WITH_OPENSSL */ + SECStatus status; + #endif /* WITH_OPENSSL | WITH_NSS */ +@@ -315,22 +310,32 @@ int upscli_init(int certverify, const ch + } #ifdef WITH_OPENSSL - -+# if OPENSSL_VERSION_NUMBER < 0x10100000L - SSL_library_init(); - SSL_load_error_strings(); -+# define TLS_client_method TLSv1_client_method -+# endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ +- +- SSL_library_init(); +- SSL_load_error_strings(); - ssl_method = TLSv1_client_method(); -+ ssl_method = TLS_client_method(); ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ SSL_load_error_strings(); ++ SSL_library_init(); - if (!ssl_method) { - return 0; -diff --git a/m4/nut_check_libopenssl.m4 b/m4/nut_check_libopenssl.m4 -index 1b875077..7eb401cd 100644 +- if (!ssl_method) { +- return 0; +- } ++ ssl_ctx = SSL_CTX_new(SSLv23_client_method()); ++#else ++ ssl_ctx = SSL_CTX_new(TLS_client_method()); ++#endif + +- ssl_ctx = SSL_CTX_new(ssl_method); + if (!ssl_ctx) { + upslogx(LOG_ERR, "Can not initialize SSL context"); + return -1; + } + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ /* set minimum protocol TLSv1 */ ++ SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); ++#else ++ ret = SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION); ++ if (ret != 1) { ++ upslogx(LOG_ERR, "Can not set minimum protocol to TLSv1"); ++ return -1; ++ } ++#endif ++ + if (!certpath) { + if (certverify == 1) { + upslogx(LOG_ERR, "Can not verify certificate if any is specified"); +@@ -737,7 +742,7 @@ static int upscli_sslinit(UPSCONN_t *ups + switch(res) + { + case 1: +- upsdebugx(3, "SSL connected"); ++ upsdebugx(3, "SSL connected (%s)", 
SSL_get_version(ups->ssl)); + break; + case 0: + upslog_with_errno(1, "SSL_connect do not accept handshake."); +--- a/clients/upssched.c ++++ b/clients/upssched.c +@@ -794,7 +794,7 @@ static void parse_at(const char *ntype, + } + + if (!strcmp(cmd, "EXECUTE")) { +- if (ca1 == '\0') { ++ if (ca1[0] == '\0') { + upslogx(LOG_ERR, "Empty EXECUTE command argument"); + return; + } --- a/m4/nut_check_libopenssl.m4 +++ b/m4/nut_check_libopenssl.m4 -@@ -58,7 +58,7 @@ if test -z "${nut_have_libopenssl_seen}"; then +@@ -58,7 +58,7 @@ if test -z "${nut_have_libopenssl_seen}" dnl check if openssl is usable AC_CHECK_HEADERS(openssl/ssl.h, [nut_have_openssl=yes], [nut_have_openssl=no], [AC_INCLUDES_DEFAULT]) @@ -46,28 +104,63 @@ index 1b875077..7eb401cd 100644 if test "${nut_have_openssl}" = "yes"; then nut_with_ssl="yes" -diff --git a/server/netssl.c b/server/netssl.c -index c2f40989..0289e296 100644 --- a/server/netssl.c 
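Review bot: The protocol floor that the new upscli_init code sets is TLS 1.0 on both branches, so TLS 1.0 and 1.1 stay negotiable. It is `SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION)` for OpenSSL 1.1.0 and later, and `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` before that; ssl_init in the server/netssl.c hunk that follows sets the same floor. Unless older peers must be supported, raise it to `TLS1_2_VERSION` on the new branch and add `SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1` on the old one (where the headers define them), and adjust the "Can not set minimum protocol to TLSv1" message to match. Because this file carries an upstream commit, that would be a separate local patch or an upstream request rather than an edit to this one. upscli_init continues outside the hunk.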
+++ b/server/netssl.c -@@ -387,12 +387,15 @@ void ssl_init(void) +@@ -274,7 +274,7 @@ void net_starttls(nut_ctype_t *client, i + { + case 1: + client->ssl_connected = 1; +- upsdebugx(3, "SSL connected"); ++ upsdebugx(3, "SSL connected (%s)", SSL_get_version(client->ssl)); + break; + + case 0: +@@ -370,13 +370,7 @@ void ssl_init(void) + { + #ifdef WITH_NSS + SECStatus status; +-#elif defined(WITH_OPENSSL) +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L +- const SSL_METHOD *ssl_method; +-#else +- SSL_METHOD *ssl_method; +-#endif +-#endif /* WITH_NSS|WITH_OPENSSL */ ++#endif /* WITH_NSS */ + + if (!certfile) { + return; +@@ -386,18 +380,29 @@ void ssl_init(void) #ifdef WITH_OPENSSL -+# if OPENSSL_VERSION_NUMBER < 0x10100000L ++#if OPENSSL_VERSION_NUMBER < 0x10100000L SSL_load_error_strings(); SSL_library_init(); -+# define TLS_server_method TLSv1_server_method -+# endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ - if ((ssl_method = TLSv1_server_method()) == NULL) { -+ if ((ssl_method = TLS_server_method()) == NULL) { ++ ssl_ctx = SSL_CTX_new(SSLv23_server_method()); ++#else ++ ssl_ctx = SSL_CTX_new(TLS_server_method()); ++#endif ++ ++ if (!ssl_ctx) { ssl_debug(); - fatalx(EXIT_FAILURE, "TLSv1_server_method failed"); -+ fatalx(EXIT_FAILURE, "TLS_server_method failed"); ++ fatalx(EXIT_FAILURE, "SSL_CTX_new failed"); } - if ((ssl_ctx = SSL_CTX_new(ssl_method)) == NULL) { --- -2.16.1 - +- if ((ssl_ctx = SSL_CTX_new(ssl_method)) == NULL) { ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ /* set minimum protocol TLSv1 */ ++ SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); ++#else ++ if (SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION) != 1) { + ssl_debug(); +- fatalx(EXIT_FAILURE, "SSL_CTX_new failed"); ++ fatalx(EXIT_FAILURE, "SSL_CTX_set_min_proto_version(TLS1_VERSION)"); + } ++#endif + + if (SSL_CTX_use_certificate_chain_file(ssl_ctx, certfile) != 1) { + ssl_debug(); 
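Review bot: The fatalx text for the new minimum-version call in ssl_init, `"SSL_CTX_set_min_proto_version(TLS1_VERSION)"`, names the call but does not say that it failed. That differs from `"SSL_CTX_new failed"` a few lines above it in the same hunk. `fatalx(EXIT_FAILURE, "SSL_CTX_set_min_proto_version(TLS1_VERSION) failed");` keeps the wording uniform for anyone filtering startup errors in the log. ssl_init's body runs past the end of the hunk.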
diff --git a/net/nut/patches/0002-Fix-check-for-empty-string.patch b/net/nut/patches/0002-Fix-check-for-empty-string.patch deleted file mode 100644 index 2f4c72409..000000000 --- a/net/nut/patches/0002-Fix-check-for-empty-string.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 2ef929da38232af63ba53074ca97e95ae4faf912 Mon Sep 17 00:00:00 2001 -From: Arjen de Korte -Date: Tue, 28 Nov 2017 22:01:41 +0100 -Subject: [PATCH 2/2] Fix check for empty string - ---- - clients/upssched.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/clients/upssched.c b/clients/upssched.c -index 97b3ed42..3fdf118e 100644 ---- a/clients/upssched.c -+++ b/clients/upssched.c -@@ -794,7 +794,7 @@ static void parse_at(const char *ntype, const char *un, const char *cmd, - } - - if (!strcmp(cmd, "EXECUTE")) { -- if (ca1 == '\0') { -+ if (ca1[0] == '\0') { - upslogx(LOG_ERR, "Empty EXECUTE command argument"); - return; - } --- -2.16.1 -