[packages/sendmail.git] / openssl-1.1.0.patch

From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Sat, 10 Sep 2016 19:27:17 +0000
Subject: [PATCH] sendmail: compile against openssl 1.1.0

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
---

--- a/sendmail/tls.c
+++ b/sendmail/tls.c
@@ -60,18 +60,58 @@ static unsigned char dh512_g[] =
 	0x02
 };
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+
+static inline int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+{
+	/* If the fields p and g in d are NULL, the corresponding input
+	 * parameters MUST be non-NULL.  q may remain NULL.
+	 */
+	if ((dh->p == NULL && p == NULL)
+	    || (dh->g == NULL && g == NULL))
+		return 0;
+
+	if (p != NULL) {
+		BN_free(dh->p);
+		dh->p = p;
+	}
+	if (q != NULL) {
+		BN_free(dh->q);
+		dh->q = q;
+	}
+	if (g != NULL) {
+		BN_free(dh->g);
+		dh->g = g;
+	}
+
+	if (q != NULL) {
+		dh->length = BN_num_bits(q);
+	}
+
+	return 1;
+}
+#endif
+
 static DH *
 get_dh512()
 {
 	DH *dh = NULL;
+	BIGNUM *p;
+	BIGNUM *g;
 
-	if ((dh = DH_new()) == NULL)
-		return NULL;
-	dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
-	dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
-	if ((dh->p == NULL) || (dh->g == NULL))
-		return NULL;
+	dh = DH_new();
+	p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
+	g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
+	if (!dh || !p || !g)
+		goto err;
+	if (!DH_set0_pqg(dh, p, NULL, g))
+		goto err;
 	return dh;
+err:
+	DH_free(dh);
+	BN_free(p);
+	BN_free(g);
+	return NULL;
 }
 
 #  if 0
@@ -117,17 +157,22 @@ get_dh2048()
 		};
 	static unsigned char dh2048_g[]={ 0x02, };
 	DH *dh;
+	BIGNUM *p;
+	BIGNUM *g;
 
-	if ((dh=DH_new()) == NULL)
-		return(NULL);
-	dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
-	dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
-	if ((dh->p == NULL) || (dh->g == NULL))
-	{
-		DH_free(dh);
-		return(NULL);
-	}
+	dh = DH_new();
+	p = BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
+	g = BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
+	if (!dh || !p || !g)
+		goto err;
+	if (!DH_set0_pqg(dh, p, NULL, g))
+		goto err;
 	return(dh);
+err:
+	DH_free(dh);
+	BN_free(p);
+	BN_free(g);
+	return NULL;
 }
 # endif /* !NO_DH */
 
@@ -926,7 +971,7 @@ inittls(ctx, req, options, srv, certfile
 	{
 		/* get a pointer to the current certificate validation store */
 		store = SSL_CTX_get_cert_store(*ctx);	/* does not fail */
-		crl_file = BIO_new(BIO_s_file_internal());
+		crl_file = BIO_new(BIO_s_file());
 		if (crl_file != NULL)
 		{
 			if (BIO_read_filename(crl_file, CRLFile) >= 0)
@@ -1000,26 +1045,43 @@ inittls(ctx, req, options, srv, certfile
 	**  maybe we should do it only on demand...
 	*/
 
-	if (bitset(TLS_I_RSA_TMP, req)
 #  if SM_CONF_SHM
-	    && ShmId != SM_SHM_NO_ID &&
-	    (rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL,
-					NULL)) == NULL
-#  else /* SM_CONF_SHM */
-	    && 0	/* no shared memory: no need to generate key now */
-#  endif /* SM_CONF_SHM */
-	   )
+	if (bitset(TLS_I_RSA_TMP, req)
+	    && ShmId != SM_SHM_NO_ID)
 	{
-		if (LogLevel > 7)
+		BIGNUM *bn;
+
+		bn = BN_new();
+		rsa_tmp = RSA_new();
+		if (!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4)) {
+			RSA_free(rsa_tmp);
+			rsa_tmp = NULL;
+		}
+		if (rsa_tmp)
 		{
-			sm_syslog(LOG_WARNING, NOQID,
-				  "STARTTLS=%s, error: RSA_generate_key failed",
-				  who);
-			if (LogLevel > 9)
-				tlslogerr(LOG_WARNING, who);
+			if (!RSA_generate_key_ex(rsa_tmp, RSA_KEYLENGTH, bn, NULL))
+			{
+				RSA_free(rsa_tmp);
+				rsa_tmp = NULL;
+			}
+		}
+		BN_free(bn);
+		if (!rsa_tmp)
+		{
+			if (LogLevel > 7)
+			{
+				sm_syslog(LOG_WARNING, NOQID,
+					  "STARTTLS=%s, error: RSA_generate_key failed",
+					  who);
+				if (LogLevel > 9)
+					tlslogerr(LOG_WARNING, who);
+			}
+			return false;
 		}
-		return false;
 	}
+#  else /* SM_CONF_SHM */
+	/* no shared memory: no need to generate key now */
+#  endif /* SM_CONF_SHM */
 # endif /* !TLS_NO_RSA */
 
 	/*
@@ -1210,9 +1272,15 @@ inittls(ctx, req, options, srv, certfile
 				sm_dprintf("inittls: Generating %d bit DH parameters\n", bits);
 
 			/* this takes a while! */
-			dsa = DSA_generate_parameters(bits, NULL, 0, NULL,
-						      NULL, 0, NULL);
-			dh = DSA_dup_DH(dsa);
+			dsa = DSA_new();
+			if (dsa) {
+				int r;
+
+				r = DSA_generate_parameters_ex(dsa, bits, NULL, 0,
+							    NULL, NULL, NULL);
+				if (r != 0)
+					dh = DSA_dup_DH(dsa);
+			}
 			DSA_free(dsa);
 		}
 		else if (dh == NULL && bitset(TLS_I_DHFIXED, req))
@@ -1733,6 +1801,9 @@ tmp_rsa_key(s, export, keylength)
 	int export;
 	int keylength;
 {
+	BIGNUM *bn;
+	int ret;
+
 #   if SM_CONF_SHM
 	extern int ShmId;
 	extern int *PRSATmpCnt;
@@ -1742,10 +1813,22 @@ tmp_rsa_key(s, export, keylength)
 		return rsa_tmp;
 #   endif /* SM_CONF_SHM */
 
-	if (rsa_tmp != NULL)
-		RSA_free(rsa_tmp);
-	rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL, NULL);
-	if (rsa_tmp == NULL)
+	if (rsa_tmp == NULL) {
+		rsa_tmp = RSA_new();
+		if (!rsa_tmp)
+			return NULL;
+	}
+
+	bn = BN_new();
+	if (!bn)
+		return NULL;
+	if (!BN_set_word(bn, RSA_F4)) {
+		BN_free(bn);
+		return NULL;
+	}
+	ret = RSA_generate_key_ex(rsa_tmp, RSA_KEYLENGTH, bn, NULL);
+	BN_free(bn);
+	if (!ret)
 	{
 		if (LogLevel > 0)
 			sm_syslog(LOG_ERR, NOQID,
@@ -1971,9 +2054,9 @@ x509_verify_cb(ok, ctx)
 	{
 		if (LogLevel > 13)
 			tls_verify_log(ok, ctx, "x509");
-		if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL)
+		if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL)
 		{
-			ctx->error = 0;
+			X509_STORE_CTX_set_error(ctx, 0);
 			return 1;	/* override it */
 		}
 	}
--- a/doc/op/op.me
+++ b/doc/op/op.me
@@ -10898,7 +10898,7 @@ C=FileName_of_CA_Certificate
 ln -s $C `openssl x509 -noout -hash < $C`.0
 .)b
 A better way to do this is to use the
-.b c_rehash
+.b "openssl rehash"
 command that is part of the OpenSSL distribution
 because it handles subject hash collisions
 by incrementing the number in the suffix of the filename of the symbolic link,
Commit	Line	Data
37167a9a AM	1	From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
	2	Date: Sat, 10 Sep 2016 19:27:17 +0000
	3	Subject: [PATCH] sendmail: compile against openssl 1.1.0
	4
	5	Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
	6	---
	7
	8	--- a/sendmail/tls.c
	9	+++ b/sendmail/tls.c
	10	@@ -60,18 +60,58 @@ static unsigned char dh512_g[] =
	11	0x02
	12	};
	13
	14	+#if OPENSSL_VERSION_NUMBER < 0x10100000
	15	+
	16	+static inline int DH_set0_pqg(DH dh, BIGNUM p, BIGNUM q, BIGNUM g)
	17	+{
	18	+ /* If the fields p and g in d are NULL, the corresponding input
	19	+ * parameters MUST be non-NULL. q may remain NULL.
	20	+ */
	21	+ if ((dh->p == NULL && p == NULL)
	22	+ \|\| (dh->g == NULL && g == NULL))
	23	+ return 0;
	24	+
	25	+ if (p != NULL) {
	26	+ BN_free(dh->p);
	27	+ dh->p = p;
	28	+ }
	29	+ if (q != NULL) {
	30	+ BN_free(dh->q);
	31	+ dh->q = q;
	32	+ }
	33	+ if (g != NULL) {
	34	+ BN_free(dh->g);
	35	+ dh->g = g;
	36	+ }
	37	+
	38	+ if (q != NULL) {
	39	+ dh->length = BN_num_bits(q);
	40	+ }
	41	+
	42	+ return 1;
	43	+}
	44	+#endif
	45	+
	46	static DH *
	47	get_dh512()
	48	{
	49	DH *dh = NULL;
	50	+ BIGNUM *p;
	51	+ BIGNUM *g;
	52
	53	- if ((dh = DH_new()) == NULL)
	54	- return NULL;
	55	- dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
	56	- dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
	57	- if ((dh->p == NULL) \|\| (dh->g == NULL))
	58	- return NULL;
	59	+ dh = DH_new();
	60	+ p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
	61	+ g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
	62	+ if (!dh \|\| !p \|\| !g)
	63	+ goto err;
	64	+ if (!DH_set0_pqg(dh, p, NULL, g))
65	+ goto err;
66	return dh;
67	+err:
68	+ DH_free(dh);
69	+ BN_free(p);
70	+ BN_free(g);
71	+ return NULL;
72	}
73
74	# if 0
75	@@ -117,17 +157,22 @@ get_dh2048()
76	};
77	static unsigned char dh2048_g[]={ 0x02, };
78	DH *dh;
79	+ BIGNUM *p;
80	+ BIGNUM *g;
81
82	- if ((dh=DH_new()) == NULL)
83	- return(NULL);
84	- dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
85	- dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
86	- if ((dh->p == NULL) \|\| (dh->g == NULL))
87	- {
88	- DH_free(dh);
89	- return(NULL);
90	- }
91	+ dh = DH_new();
92	+ p = BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
93	+ g = BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
94	+ if (!dh \|\| !p \|\| !g)
95	+ goto err;
96	+ if (!DH_set0_pqg(dh, p, NULL, g))
97	+ goto err;
98	return(dh);
99	+err:
100	+ DH_free(dh);
101	+ BN_free(p);
102	+ BN_free(g);
103	+ return NULL;
104	}
105	# endif /* !NO_DH */
106
107	@@ -926,7 +971,7 @@ inittls(ctx, req, options, srv, certfile
108	{
109	/* get a pointer to the current certificate validation store */
110	store = SSL_CTX_get_cert_store(ctx); / does not fail */
111	- crl_file = BIO_new(BIO_s_file_internal());
112	+ crl_file = BIO_new(BIO_s_file());
113	if (crl_file != NULL)
114	{
115	if (BIO_read_filename(crl_file, CRLFile) >= 0)
116	@@ -1000,26 +1045,43 @@ inittls(ctx, req, options, srv, certfile
117	** maybe we should do it only on demand...
118	*/
119
120	- if (bitset(TLS_I_RSA_TMP, req)
121	# if SM_CONF_SHM
122	- && ShmId != SM_SHM_NO_ID &&
123	- (rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL,
124	- NULL)) == NULL
125	-# else /* SM_CONF_SHM */
126	- && 0 /* no shared memory: no need to generate key now */
127	-# endif /* SM_CONF_SHM */
128	- )
129	+ if (bitset(TLS_I_RSA_TMP, req)
130	+ && ShmId != SM_SHM_NO_ID)
131	{
132	- if (LogLevel > 7)
133	+ BIGNUM *bn;
134	+
135	+ bn = BN_new();
136	+ rsa_tmp = RSA_new();
137	+ if (!bn \|\| !rsa_tmp \|\| !BN_set_word(bn, RSA_F4)) {
138	+ RSA_free(rsa_tmp);
139	+ rsa_tmp = NULL;
140	+ }
141	+ if (rsa_tmp)
142	{
143	- sm_syslog(LOG_WARNING, NOQID,
144	- "STARTTLS=%s, error: RSA_generate_key failed",
145	- who);
146	- if (LogLevel > 9)
147	- tlslogerr(LOG_WARNING, who);
148	+ if (!RSA_generate_key_ex(rsa_tmp, RSA_KEYLENGTH, bn, NULL))
149	+ {
150	+ RSA_free(rsa_tmp);
151	+ rsa_tmp = NULL;
152	+ }
153	+ }
154	+ BN_free(bn);
155	+ if (!rsa_tmp)
156	+ {
157	+ if (LogLevel > 7)
158	+ {
159	+ sm_syslog(LOG_WARNING, NOQID,
160	+ "STARTTLS=%s, error: RSA_generate_key failed",
161	+ who);
162	+ if (LogLevel > 9)
163	+ tlslogerr(LOG_WARNING, who);
164	+ }
165	+ return false;
166	}
167	- return false;
168	}
169	+# else /* SM_CONF_SHM */
170	+ /* no shared memory: no need to generate key now */
171	+# endif /* SM_CONF_SHM */
172	# endif /* !TLS_NO_RSA */
173
174	/*
175	@@ -1210,9 +1272,15 @@ inittls(ctx, req, options, srv, certfile
176	sm_dprintf("inittls: Generating %d bit DH parameters\n", bits);
177
178	/* this takes a while! */
179	- dsa = DSA_generate_parameters(bits, NULL, 0, NULL,
180	- NULL, 0, NULL);
181	- dh = DSA_dup_DH(dsa);
182	+ dsa = DSA_new();
183	+ if (dsa) {
184	+ int r;
185	+
186	+ r = DSA_generate_parameters_ex(dsa, bits, NULL, 0,
187	+ NULL, NULL, NULL);
188	+ if (r != 0)
189	+ dh = DSA_dup_DH(dsa);
190	+ }
191	DSA_free(dsa);
192	}
193	else if (dh == NULL && bitset(TLS_I_DHFIXED, req))
194	@@ -1733,6 +1801,9 @@ tmp_rsa_key(s, export, keylength)
195	int export;
196	int keylength;
197	{
198	+ BIGNUM *bn;
199	+ int ret;
200	+
201	# if SM_CONF_SHM
202	extern int ShmId;
203	extern int *PRSATmpCnt;
204	@@ -1742,10 +1813,22 @@ tmp_rsa_key(s, export, keylength)
205	return rsa_tmp;
206	# endif /* SM_CONF_SHM */
207
208	- if (rsa_tmp != NULL)
209	- RSA_free(rsa_tmp);
210	- rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL, NULL);
211	- if (rsa_tmp == NULL)
212	+ if (rsa_tmp == NULL) {
213	+ rsa_tmp = RSA_new();
214	+ if (!rsa_tmp)
215	+ return NULL;
216	+ }
217	+
218	+ bn = BN_new();
219	+ if (!bn)
220	+ return NULL;
221	+ if (!BN_set_word(bn, RSA_F4)) {
222	+ BN_free(bn);
223	+ return NULL;
224	+ }
225	+ ret = RSA_generate_key_ex(rsa_tmp, RSA_KEYLENGTH, bn, NULL);
226	+ BN_free(bn);
227	+ if (!ret)
228	{
229	if (LogLevel > 0)
230	sm_syslog(LOG_ERR, NOQID,
231	@@ -1971,9 +2054,9 @@ x509_verify_cb(ok, ctx)
232	{
233	if (LogLevel > 13)
234	tls_verify_log(ok, ctx, "x509");
235	- if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL)
236	+ if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL)
237	{
238	- ctx->error = 0;
239	+ X509_STORE_CTX_set_error(ctx, 0);
240	return 1; /* override it */
241	}
242	}
243	--- a/doc/op/op.me
244	+++ b/doc/op/op.me
245	@@ -10898,7 +10898,7 @@ C=FileName_of_CA_Certificate
246	ln -s $C `openssl x509 -noout -hash < $C`.0
247	.)b
248	A better way to do this is to use the
249	-.b c_rehash
250	+.b "openssl rehash"
251	command that is part of the OpenSSL distribution
252	because it handles subject hash collisions
253	by incrementing the number in the suffix of the filename of the symbolic link,