37167a9a AM |
1 | From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> |
2 | Date: Sat, 10 Sep 2016 19:27:17 +0000 | |
3 | Subject: [PATCH] sendmail: compile against openssl 1.1.0 | |
4 | ||
5 | Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> | |
6 | --- | |
7 | ||
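--- a/sendmail/tls.c
+++ b/sendmail/tls.c
@@ -60,18 +60,58 @@ static unsigned char dh512_g[] =
 0x02
 };
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+
+static inline int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+{
+ /* If the fields p and g in d are NULL, the corresponding input
+ * parameters MUST be non-NULL. q may remain NULL.
+ */
+ if ((dh->p == NULL && p == NULL)
+ || (dh->g == NULL && g == NULL))
+ return 0;
+
+ if (p != NULL) {
+ BN_free(dh->p);
+ dh->p = p;
+ }
+ if (q != NULL) {
+ BN_free(dh->q);
+ dh->q = q;
+ }
+ if (g != NULL) {
+ BN_free(dh->g);
+ dh->g = g;
+ }
+
+ if (q != NULL) {
+ dh->length = BN_num_bits(q);
+ }
+
+ return 1;
+}
+#endif
+
 static DH *
 get_dh512()
 {
 DH *dh = NULL;
+ BIGNUM *p;
+ BIGNUM *g;
 
- if ((dh = DH_new()) == NULL)
- return NULL;
- dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
- dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
- if ((dh->p == NULL) || (dh->g == NULL))
- return NULL;
+ dh = DH_new();
+ p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
+ g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
+ if (!dh || !p || !g)
+ goto err;
+ if (!DH_set0_pqg(dh, p, NULL, g))
+ goto err;
 return dh;
+err:
+ DH_free(dh);
+ BN_free(p);
+ BN_free(g);
+ return NULL;
 }
 
 # if 0
@@ -117,17 +157,22 @@ get_dh2048()
 };
 static unsigned char dh2048_g[]={ 0x02, };
 DH *dh;
+ BIGNUM *p;
+ BIGNUM *g;
 
- if ((dh=DH_new()) == NULL)
- return(NULL);
- dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
- dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
- if ((dh->p == NULL) || (dh->g == NULL))
- {
- DH_free(dh);
- return(NULL);
- }
+ dh = DH_new();
+ p = BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
+ g = BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
+ if (!dh || !p || !g)
+ goto err;
+ if (!DH_set0_pqg(dh, p, NULL, g))
+ goto err;
 return(dh);
+err:
+ DH_free(dh);
+ BN_free(p);
+ BN_free(g);
+ return NULL;
 }
 # endif /* !NO_DH */
 
@@ -926,7 +971,7 @@ inittls(ctx, req, options, srv, certfile
 {
 /* get a pointer to the current certificate validation store */
 store = SSL_CTX_get_cert_store(*ctx); /* does not fail */
- crl_file = BIO_new(BIO_s_file_internal());
+ crl_file = BIO_new(BIO_s_file());
 if (crl_file != NULL)
 {
 if (BIO_read_filename(crl_file, CRLFile) >= 0)
@@ -1000,26 +1045,43 @@ inittls(ctx, req, options, srv, certfile
 ** maybe we should do it only on demand...
 */
 
- if (bitset(TLS_I_RSA_TMP, req)
 # if SM_CONF_SHM
- && ShmId != SM_SHM_NO_ID &&
- (rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL,
- NULL)) == NULL
-# else /* SM_CONF_SHM */
- && 0 /* no shared memory: no need to generate key now */
-# endif /* SM_CONF_SHM */
- )
+ if (bitset(TLS_I_RSA_TMP, req)
+ && ShmId != SM_SHM_NO_ID)
 {
- if (LogLevel > 7)
+ BIGNUM *bn;
+
+ bn = BN_new();
+ rsa_tmp = RSA_new();
+ if (!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4)) {
+ RSA_free(rsa_tmp);
+ rsa_tmp = NULL;
+ }
+ if (rsa_tmp)
 {
- sm_syslog(LOG_WARNING, NOQID,
- "STARTTLS=%s, error: RSA_generate_key failed",
- who);
- if (LogLevel > 9)
- tlslogerr(LOG_WARNING, who);
+ if (!RSA_generate_key_ex(rsa_tmp, RSA_KEYLENGTH, bn, NULL))
+ {
+ RSA_free(rsa_tmp);
+ rsa_tmp = NULL;
+ }
+ }
+ BN_free(bn);
+ if (!rsa_tmp)
+ {
+ if (LogLevel > 7)
+ {
+ sm_syslog(LOG_WARNING, NOQID,
+ "STARTTLS=%s, error: RSA_generate_key failed",
+ who);
+ if (LogLevel > 9)
+ tlslogerr(LOG_WARNING, who);
+ }
+ return false;
 }
- return false;
 }
+# else /* SM_CONF_SHM */
+ /* no shared memory: no need to generate key now */
+# endif /* SM_CONF_SHM */
 # endif /* !TLS_NO_RSA */
 
 /*
@@ -1210,9 +1272,15 @@ inittls(ctx, req, options, srv, certfile
 sm_dprintf("inittls: Generating %d bit DH parameters\n", bits);
 
 /* this takes a while! */
- dsa = DSA_generate_parameters(bits, NULL, 0, NULL,
- NULL, 0, NULL);
- dh = DSA_dup_DH(dsa);
+ dsa = DSA_new();
+ if (dsa) {
+ int r;
+
+ r = DSA_generate_parameters_ex(dsa, bits, NULL, 0,
+ NULL, NULL, NULL);
+ if (r != 0)
+ dh = DSA_dup_DH(dsa);
+ }
 DSA_free(dsa);
 }
 else if (dh == NULL && bitset(TLS_I_DHFIXED, req))
@@ -1733,6 +1801,9 @@ tmp_rsa_key(s, export, keylength)
 int export;
 int keylength;
 {
+ BIGNUM *bn;
+ int ret;
+
 # if SM_CONF_SHM
 extern int ShmId;
 extern int *PRSATmpCnt;
@@ -1742,10 +1813,22 @@ tmp_rsa_key(s, export, keylength)
 return rsa_tmp;
 # endif /* SM_CONF_SHM */
 
- if (rsa_tmp != NULL)
- RSA_free(rsa_tmp);
- rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL, NULL);
- if (rsa_tmp == NULL)
+ if (rsa_tmp == NULL) {
+ rsa_tmp = RSA_new();
+ if (!rsa_tmp)
+ return NULL;
+ }
+
+ bn = BN_new();
+ if (!bn)
+ return NULL;
+ if (!BN_set_word(bn, RSA_F4)) {
+ BN_free(bn);
+ return NULL;
+ }
+ ret = RSA_generate_key_ex(rsa_tmp, RSA_KEYLENGTH, bn, NULL);
+ BN_free(bn);
+ if (!ret)
 {
 if (LogLevel > 0)
 sm_syslog(LOG_ERR, NOQID,
@@ -1971,9 +2054,9 @@ x509_verify_cb(ok, ctx)
 {
 if (LogLevel > 13)
 tls_verify_log(ok, ctx, "x509");
- if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL)
+ if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL)
 {
- ctx->error = 0;
+ X509_STORE_CTX_set_error(ctx, 0);
 return 1; /* override it */
 }
 }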
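Review bot: The `tmp_rsa_key` hunk (`@@ -1742,10 +1813,22 @@`) silently changes the key-rotation semantics: the removed lines freed `rsa_tmp` and built a fresh RSA object on every call, while the new `if (rsa_tmp == NULL)` wrapper keeps the existing object and runs `RSA_generate_key_ex` into it in place, so an object that libssl may still reference from a previous callback result is mutated under it, and as far as I can tell keygen does not reset per-key cached Montgomery state, so a second generation could leave stale data behind — confirm against the OpenSSL version in use. Restoring the original allocate-fresh behaviour is a two-line change: replace the wrapper with `RSA_free(rsa_tmp);` followed by `rsa_tmp = RSA_new();`, keeping the `if (!rsa_tmp) return NULL;` check. A second point in the same hunk: when `RSA_generate_key_ex` fails, `rsa_tmp` is now left non-NULL but holds no usable key, whereas the old code left it NULL; the logging branch and the function's tail are outside the hunk, so check that the failure path does not hand that keyless object back to the caller. The enclosing function starts in the preceding hunk and ends outside this one.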
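--- a/doc/op/op.me
+++ b/doc/op/op.me
@@ -10898,7 +10898,7 @@ C=FileName_of_CA_Certificate
 ln -s $C `openssl x509 -noout -hash < $C`.0
 .)b
 A better way to do this is to use the
-.b c_rehash
+.b "openssl rehash"
 command that is part of the OpenSSL distribution
 because it handles subject hash collisions
 by incrementing the number in the suffix of the filename of the symbolic link,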