From 37167a9a70105414f6555eb918821f51d88b888c Mon Sep 17 00:00:00 2001 From: =?utf8?q?Arkadiusz=20Mi=C5=9Bkiewicz?= Date: Sat, 22 Sep 2018 16:13:33 +0200 Subject: [PATCH] - rel 3; fix openssl build (from debian) --- openssl-1.1.0.patch | 253 ++++++++++++++++++++++++++++++++++++++++++++ sendmail.spec | 4 +- 2 files changed, 256 insertions(+), 1 deletion(-) create mode 100644 openssl-1.1.0.patch diff --git a/openssl-1.1.0.patch b/openssl-1.1.0.patch new file mode 100644 index 0000000..4507621 --- /dev/null +++ b/openssl-1.1.0.patch @@ -0,0 +1,253 @@ +From: Sebastian Andrzej Siewior +Date: Sat, 10 Sep 2016 19:27:17 +0000 +Subject: [PATCH] sendmail: compile against openssl 1.1.0 + +Signed-off-by: Sebastian Andrzej Siewior +--- + +--- a/sendmail/tls.c ++++ b/sendmail/tls.c +@@ -60,18 +60,58 @@ static unsigned char dh512_g[] = + 0x02 + }; + ++#if OPENSSL_VERSION_NUMBER < 0x10100000 ++ ++static inline int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) ++{ ++ /* If the fields p and g in d are NULL, the corresponding input ++ * parameters MUST be non-NULL. q may remain NULL. ++ */ ++ if ((dh->p == NULL && p == NULL) ++ || (dh->g == NULL && g == NULL)) ++ return 0; ++ ++ if (p != NULL) { ++ BN_free(dh->p); ++ dh->p = p; ++ } ++ if (q != NULL) { ++ BN_free(dh->q); ++ dh->q = q; ++ } ++ if (g != NULL) { ++ BN_free(dh->g); ++ dh->g = g; ++ } ++ ++ if (q != NULL) { ++ dh->length = BN_num_bits(q); ++ } ++ ++ return 1; ++} ++#endif ++ + static DH * + get_dh512() + { + DH *dh = NULL; ++ BIGNUM *p; ++ BIGNUM *g; + +- if ((dh = DH_new()) == NULL) +- return NULL; +- dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL); +- dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL); +- if ((dh->p == NULL) || (dh->g == NULL)) +- return NULL; ++ dh = DH_new(); ++ p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL); ++ g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL); ++ if (!dh || !p || !g) ++ goto err; ++ if (!DH_set0_pqg(dh, p, NULL, g)) ++ goto err; + return dh; ++err: ++ DH_free(dh); ++ BN_free(p); ++ BN_free(g); ++ return NULL; + } + + # if 0 +@@ -117,17 +157,22 @@ get_dh2048() + }; + static unsigned char dh2048_g[]={ 0x02, }; + DH *dh; ++ BIGNUM *p; ++ BIGNUM *g; + +- if ((dh=DH_new()) == NULL) +- return(NULL); +- dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); +- dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); +- if ((dh->p == NULL) || (dh->g == NULL)) +- { +- DH_free(dh); +- return(NULL); +- } ++ dh = DH_new(); ++ p = BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); ++ g = BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); ++ if (!dh || !p || !g) ++ goto err; ++ if (!DH_set0_pqg(dh, p, NULL, g)) ++ goto err; + return(dh); ++err: ++ DH_free(dh); ++ BN_free(p); ++ BN_free(g); ++ return NULL; + } + # endif /* !NO_DH */ + +@@ -926,7 +971,7 @@ inittls(ctx, req, options, srv, certfile + { + /* get a pointer to the current certificate validation store */ + store = SSL_CTX_get_cert_store(*ctx); /* does not fail */ +- crl_file = BIO_new(BIO_s_file_internal()); ++ crl_file = BIO_new(BIO_s_file()); + if (crl_file != NULL) + { + if (BIO_read_filename(crl_file, CRLFile) >= 0) +@@ -1000,26 +1045,43 @@ inittls(ctx, req, options, srv, certfile + ** maybe we should do it only on demand... + */ + +- if (bitset(TLS_I_RSA_TMP, req) + # if SM_CONF_SHM +- && ShmId != SM_SHM_NO_ID && +- (rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL, +- NULL)) == NULL +-# else /* SM_CONF_SHM */ +- && 0 /* no shared memory: no need to generate key now */ +-# endif /* SM_CONF_SHM */ +- ) ++ if (bitset(TLS_I_RSA_TMP, req) ++ && ShmId != SM_SHM_NO_ID) + { +- if (LogLevel > 7) ++ BIGNUM *bn; ++ ++ bn = BN_new(); ++ rsa_tmp = RSA_new(); ++ if (!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4)) { ++ RSA_free(rsa_tmp); ++ rsa_tmp = NULL; ++ } ++ if (rsa_tmp) + { +- sm_syslog(LOG_WARNING, NOQID, +- "STARTTLS=%s, error: RSA_generate_key failed", +- who); +- if (LogLevel > 9) +- tlslogerr(LOG_WARNING, who); ++ if (!RSA_generate_key_ex(rsa_tmp, RSA_KEYLENGTH, bn, NULL)) ++ { ++ RSA_free(rsa_tmp); ++ rsa_tmp = NULL; ++ } ++ } ++ BN_free(bn); ++ if (!rsa_tmp) ++ { ++ if (LogLevel > 7) ++ { ++ sm_syslog(LOG_WARNING, NOQID, ++ "STARTTLS=%s, error: RSA_generate_key failed", ++ who); ++ if (LogLevel > 9) ++ tlslogerr(LOG_WARNING, who); ++ } ++ return false; + } +- return false; + } ++# else /* SM_CONF_SHM */ ++ /* no shared memory: no need to generate key now */ ++# endif /* SM_CONF_SHM */ + # endif /* !TLS_NO_RSA */ + + /* +@@ -1210,9 +1272,15 @@ inittls(ctx, req, options, srv, certfile + sm_dprintf("inittls: Generating %d bit DH parameters\n", bits); + + /* this takes a while! */ +- dsa = DSA_generate_parameters(bits, NULL, 0, NULL, +- NULL, 0, NULL); +- dh = DSA_dup_DH(dsa); ++ dsa = DSA_new(); ++ if (dsa) { ++ int r; ++ ++ r = DSA_generate_parameters_ex(dsa, bits, NULL, 0, ++ NULL, NULL, NULL); ++ if (r != 0) ++ dh = DSA_dup_DH(dsa); ++ } + DSA_free(dsa); + } + else if (dh == NULL && bitset(TLS_I_DHFIXED, req)) +@@ -1733,6 +1801,9 @@ tmp_rsa_key(s, export, keylength) + int export; + int keylength; + { ++ BIGNUM *bn; ++ int ret; ++ + # if SM_CONF_SHM + extern int ShmId; + extern int *PRSATmpCnt; +@@ -1742,10 +1813,22 @@ tmp_rsa_key(s, export, keylength) + return rsa_tmp; + # endif /* SM_CONF_SHM */ + +- if (rsa_tmp != NULL) +- RSA_free(rsa_tmp); +- rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL, NULL); +- if (rsa_tmp == NULL) ++ if (rsa_tmp == NULL) { ++ rsa_tmp = RSA_new(); ++ if (!rsa_tmp) ++ return NULL; ++ } ++ ++ bn = BN_new(); ++ if (!bn) ++ return NULL; ++ if (!BN_set_word(bn, RSA_F4)) { ++ BN_free(bn); ++ return NULL; ++ } ++ ret = RSA_generate_key_ex(rsa_tmp, RSA_KEYLENGTH, bn, NULL); ++ BN_free(bn); ++ if (!ret) + { + if (LogLevel > 0) + sm_syslog(LOG_ERR, NOQID, +@@ -1971,9 +2054,9 @@ x509_verify_cb(ok, ctx) + { + if (LogLevel > 13) + tls_verify_log(ok, ctx, "x509"); +- if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL) ++ if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL) + { +- ctx->error = 0; ++ X509_STORE_CTX_set_error(ctx, 0); + return 1; /* override it */ + } + } +--- a/doc/op/op.me ++++ b/doc/op/op.me +@@ -10898,7 +10898,7 @@ C=FileName_of_CA_Certificate + ln -s $C `openssl x509 -noout -hash < $C`.0 + .)b + A better way to do this is to use the +-.b c_rehash ++.b "openssl rehash" + command that is part of the OpenSSL distribution + because it handles subject hash collisions + by incrementing the number in the suffix of the filename of the symbolic link, diff --git a/sendmail.spec b/sendmail.spec index 7d95e98..ae3dfe3 100644 --- a/sendmail.spec +++ b/sendmail.spec @@ -23,7 +23,7 @@ Summary(tr.UTF-8): Elektronik posta hizmetleri sunucusu Summary(uk.UTF-8): Поштовий транспортний агент sendmail Name: sendmail Version: 8.15.2 -Release: 2 +Release: 3 License: BSD Group: Networking/Daemons/SMTP Source0: ftp://ftp.sendmail.org/pub/sendmail/%{name}.%{version}.tar.gz @@ -53,6 +53,7 @@ Patch6: %{name}-hprescan-dos.patch Patch7: %{name}-format_string.patch # originally from http://blue-labs.org/clue/bluelabs.patch-8.12.3 Patch8: bluelabs.patch-8.12.3 +Patch9: openssl-1.1.0.patch URL: http://www.sendmail.org/ BuildRequires: cyrus-sasl-devel BuildRequires: db-devel >= 4.1.25 @@ -184,6 +185,7 @@ Pliki nagłówkowe i statyczna biblioteka libmilter. %patch6 -p1 %patch7 -p1 %{?with_pgsql:%patch8 -p1} +%patch9 -p1 sed -e 's|@@PATH@@|\.\.|' < %{SOURCE6} > cf/cf/pld.mc -- 2.44.0