- package missing file
1From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
2Date: Sat, 10 Sep 2016 19:27:17 +0000
3Subject: [PATCH] sendmail: compile against openssl 1.1.0
4
5Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
6---
7
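--- a/sendmail/tls.c
+++ b/sendmail/tls.c
@@ -60,18 +60,58 @@ static unsigned char dh512_g[] =
 0x02
 };
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+
+static inline int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+{
+ /* If the fields p and g in d are NULL, the corresponding input
+ * parameters MUST be non-NULL. q may remain NULL.
+ */
+ if ((dh->p == NULL && p == NULL)
+ || (dh->g == NULL && g == NULL))
+ return 0;
+
+ if (p != NULL) {
+ BN_free(dh->p);
+ dh->p = p;
+ }
+ if (q != NULL) {
+ BN_free(dh->q);
+ dh->q = q;
+ }
+ if (g != NULL) {
+ BN_free(dh->g);
+ dh->g = g;
+ }
+
+ if (q != NULL) {
+ dh->length = BN_num_bits(q);
+ }
+
+ return 1;
+}
+#endif
+
 static DH *
 get_dh512()
 {
 DH *dh = NULL;
+ BIGNUM *p;
+ BIGNUM *g;
 
- if ((dh = DH_new()) == NULL)
- return NULL;
- dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
- dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
- if ((dh->p == NULL) || (dh->g == NULL))
- return NULL;
+ dh = DH_new();
+ p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
+ g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
+ if (!dh || !p || !g)
+ goto err;
+ if (!DH_set0_pqg(dh, p, NULL, g))
+ goto err;
 return dh;
+err:
+ DH_free(dh);
+ BN_free(p);
+ BN_free(g);
+ return NULL;
 }
 
 # if 0
@@ -117,17 +157,22 @@ get_dh2048()
 };
 static unsigned char dh2048_g[]={ 0x02, };
 DH *dh;
+ BIGNUM *p;
+ BIGNUM *g;
 
- if ((dh=DH_new()) == NULL)
- return(NULL);
- dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
- dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
- if ((dh->p == NULL) || (dh->g == NULL))
- {
- DH_free(dh);
- return(NULL);
- }
+ dh = DH_new();
+ p = BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
+ g = BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
+ if (!dh || !p || !g)
+ goto err;
+ if (!DH_set0_pqg(dh, p, NULL, g))
+ goto err;
 return(dh);
+err:
+ DH_free(dh);
+ BN_free(p);
+ BN_free(g);
+ return NULL;
 }
 # endif /* !NO_DH */
 
@@ -926,7 +971,7 @@ inittls(ctx, req, options, srv, certfile
 {
 /* get a pointer to the current certificate validation store */
 store = SSL_CTX_get_cert_store(*ctx); /* does not fail */
- crl_file = BIO_new(BIO_s_file_internal());
+ crl_file = BIO_new(BIO_s_file());
 if (crl_file != NULL)
 {
 if (BIO_read_filename(crl_file, CRLFile) >= 0)
@@ -1000,26 +1045,43 @@ inittls(ctx, req, options, srv, certfile
 ** maybe we should do it only on demand...
 */
 
- if (bitset(TLS_I_RSA_TMP, req)
 # if SM_CONF_SHM
- && ShmId != SM_SHM_NO_ID &&
- (rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL,
- NULL)) == NULL
-# else /* SM_CONF_SHM */
- && 0 /* no shared memory: no need to generate key now */
-# endif /* SM_CONF_SHM */
- )
+ if (bitset(TLS_I_RSA_TMP, req)
+ && ShmId != SM_SHM_NO_ID)
 {
- if (LogLevel > 7)
+ BIGNUM *bn;
+
+ bn = BN_new();
+ rsa_tmp = RSA_new();
+ if (!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4)) {
+ RSA_free(rsa_tmp);
+ rsa_tmp = NULL;
+ }
+ if (rsa_tmp)
 {
- sm_syslog(LOG_WARNING, NOQID,
- "STARTTLS=%s, error: RSA_generate_key failed",
- who);
- if (LogLevel > 9)
- tlslogerr(LOG_WARNING, who);
+ if (!RSA_generate_key_ex(rsa_tmp, RSA_KEYLENGTH, bn, NULL))
+ {
+ RSA_free(rsa_tmp);
+ rsa_tmp = NULL;
+ }
+ }
+ BN_free(bn);
+ if (!rsa_tmp)
+ {
+ if (LogLevel > 7)
+ {
+ sm_syslog(LOG_WARNING, NOQID,
+ "STARTTLS=%s, error: RSA_generate_key failed",
+ who);
+ if (LogLevel > 9)
+ tlslogerr(LOG_WARNING, who);
+ }
+ return false;
 }
- return false;
 }
+# else /* SM_CONF_SHM */
+ /* no shared memory: no need to generate key now */
+# endif /* SM_CONF_SHM */
 # endif /* !TLS_NO_RSA */
 
 /*
@@ -1210,9 +1272,15 @@ inittls(ctx, req, options, srv, certfile
 sm_dprintf("inittls: Generating %d bit DH parameters\n", bits);
 
 /* this takes a while! */
- dsa = DSA_generate_parameters(bits, NULL, 0, NULL,
- NULL, 0, NULL);
- dh = DSA_dup_DH(dsa);
+ dsa = DSA_new();
+ if (dsa) {
+ int r;
+
+ r = DSA_generate_parameters_ex(dsa, bits, NULL, 0,
+ NULL, NULL, NULL);
+ if (r != 0)
+ dh = DSA_dup_DH(dsa);
+ }
 DSA_free(dsa);
 }
 else if (dh == NULL && bitset(TLS_I_DHFIXED, req))
@@ -1733,6 +1801,9 @@ tmp_rsa_key(s, export, keylength)
 int export;
 int keylength;
 {
+ BIGNUM *bn;
+ int ret;
+
 # if SM_CONF_SHM
 extern int ShmId;
 extern int *PRSATmpCnt;
@@ -1742,10 +1813,22 @@ tmp_rsa_key(s, export, keylength)
 return rsa_tmp;
 # endif /* SM_CONF_SHM */
 
- if (rsa_tmp != NULL)
- RSA_free(rsa_tmp);
- rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL, NULL);
- if (rsa_tmp == NULL)
+ if (rsa_tmp == NULL) {
+ rsa_tmp = RSA_new();
+ if (!rsa_tmp)
+ return NULL;
+ }
+
+ bn = BN_new();
+ if (!bn)
+ return NULL;
+ if (!BN_set_word(bn, RSA_F4)) {
+ BN_free(bn);
+ return NULL;
+ }
+ ret = RSA_generate_key_ex(rsa_tmp, RSA_KEYLENGTH, bn, NULL);
+ BN_free(bn);
+ if (!ret)
 {
 if (LogLevel > 0)
 sm_syslog(LOG_ERR, NOQID,
@@ -1971,9 +2054,9 @@ x509_verify_cb(ok, ctx)
 {
 if (LogLevel > 13)
 tls_verify_log(ok, ctx, "x509");
- if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL)
+ if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL)
 {
- ctx->error = 0;
+ X509_STORE_CTX_set_error(ctx, 0);
 return 1; /* override it */
 }
 }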
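Review bot: In the tmp_rsa_key hunk (the last two hunks of this file), a failed RSA_generate_key_ex() no longer clears rsa_tmp: the removed code left rsa_tmp NULL on failure, while the new code generates into the existing object in place and, after `if (!ret)`, only logs, so what appears to be a file-scope rsa_tmp stays non-NULL and its key material may have been partially overwritten by the aborted generation. If the remainder of the function, which lies outside the hunk, still returns rsa_tmp to the TLS temporary-key callback, an unusable or stale RSA key is handed out instead of an error. Adding `RSA_free(rsa_tmp); rsa_tmp = NULL;` at the top of the `if (!ret)` branch restores the previous contract; the inittls hunk already does exactly that on its own RSA_generate_key_ex() failure path. The two early `return NULL` exits after `bn = BN_new()` likewise leave a freshly created but keyless rsa_tmp behind for the next call, which is harmless here but deserves a comment such as `/* rsa_tmp stays allocated; key is generated on the next call */`.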
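--- a/doc/op/op.me
+++ b/doc/op/op.me
@@ -10898,7 +10898,7 @@ C=FileName_of_CA_Certificate
 ln -s $C `openssl x509 -noout -hash < $C`.0
 .)b
 A better way to do this is to use the
-.b c_rehash
+.b "openssl rehash"
 command that is part of the OpenSSL distribution
 because it handles subject hash collisions
 by incrementing the number in the suffix of the filename of the symbolic link,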