1 From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
2 Date: Sat, 10 Sep 2016 19:27:17 +0000
3 Subject: [PATCH] sendmail: compile against openssl 1.1.0
4
5 Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
6 ---
7
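--- a/sendmail/tls.c
+++ b/sendmail/tls.c
@@ -60,18 +60,58 @@ static unsigned char dh512_g[] =
 	0x02
 };
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+
+static inline int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+{
+	/* If the fields p and g in d are NULL, the corresponding input
+	 * parameters MUST be non-NULL.  q may remain NULL.
+	 */
+	if ((dh->p == NULL && p == NULL)
+	    || (dh->g == NULL && g == NULL))
+		return 0;
+
+	if (p != NULL) {
+		BN_free(dh->p);
+		dh->p = p;
+	}
+	if (q != NULL) {
+		BN_free(dh->q);
+		dh->q = q;
+	}
+	if (g != NULL) {
+		BN_free(dh->g);
+		dh->g = g;
+	}
+
+	if (q != NULL) {
+		dh->length = BN_num_bits(q);
+	}
+
+	return 1;
+}
+#endif
+
 static DH *
 get_dh512()
 {
 	DH *dh = NULL;
+	BIGNUM *p;
+	BIGNUM *g;
 
-	if ((dh = DH_new()) == NULL)
-		return NULL;
-	dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
-	dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
-	if ((dh->p == NULL) || (dh->g == NULL))
-		return NULL;
+	dh = DH_new();
+	p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
+	g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
+	if (!dh || !p || !g)
+		goto err;
+	if (!DH_set0_pqg(dh, p, NULL, g))
+		goto err;
 	return dh;
+err:
+	DH_free(dh);
+	BN_free(p);
+	BN_free(g);
+	return NULL;
 }
 
 #  if 0
@@ -117,17 +157,22 @@ get_dh2048()
 		};
 	static unsigned char dh2048_g[]={ 0x02, };
 	DH *dh;
+	BIGNUM *p;
+	BIGNUM *g;
 
-	if ((dh=DH_new()) == NULL)
-		return(NULL);
-	dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
-	dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
-	if ((dh->p == NULL) || (dh->g == NULL))
-	{
-		DH_free(dh);
-		return(NULL);
-	}
+	dh = DH_new();
+	p = BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
+	g = BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
+	if (!dh || !p || !g)
+		goto err;
+	if (!DH_set0_pqg(dh, p, NULL, g))
+		goto err;
 	return(dh);
+err:
+	DH_free(dh);
+	BN_free(p);
+	BN_free(g);
+	return NULL;
 }
 # endif /* !NO_DH */
 
@@ -926,7 +971,7 @@ inittls(ctx, req, options, srv, certfile
 	{
 		/* get a pointer to the current certificate validation store */
 		store = SSL_CTX_get_cert_store(*ctx);   /* does not fail */
-		crl_file = BIO_new(BIO_s_file_internal());
+		crl_file = BIO_new(BIO_s_file());
 		if (crl_file != NULL)
 		{
 			if (BIO_read_filename(crl_file, CRLFile) >= 0)
@@ -1000,26 +1045,43 @@ inittls(ctx, req, options, srv, certfile
 	**  maybe we should do it only on demand...
 	*/
 
-	if (bitset(TLS_I_RSA_TMP, req)
 #  if SM_CONF_SHM
-	    && ShmId != SM_SHM_NO_ID &&
-	    (rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL,
-					NULL)) == NULL
-#  else /* SM_CONF_SHM */
-	    && 0        /* no shared memory: no need to generate key now */
-#  endif /* SM_CONF_SHM */
-	   )
+	if (bitset(TLS_I_RSA_TMP, req)
+	    && ShmId != SM_SHM_NO_ID)
 	{
-		if (LogLevel > 7)
+		BIGNUM *bn;
+
+		bn = BN_new();
+		rsa_tmp = RSA_new();
+		if (!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4)) {
+			RSA_free(rsa_tmp);
+			rsa_tmp = NULL;
+		}
+		if (rsa_tmp)
 		{
-			sm_syslog(LOG_WARNING, NOQID,
-				  "STARTTLS=%s, error: RSA_generate_key failed",
-				  who);
-			if (LogLevel > 9)
-				tlslogerr(LOG_WARNING, who);
+			if (!RSA_generate_key_ex(rsa_tmp, RSA_KEYLENGTH, bn, NULL))
+			{
+				RSA_free(rsa_tmp);
+				rsa_tmp = NULL;
+			}
+		}
+		BN_free(bn);
+		if (!rsa_tmp)
+		{
+			if (LogLevel > 7)
+			{
+				sm_syslog(LOG_WARNING, NOQID,
+					  "STARTTLS=%s, error: RSA_generate_key failed",
+					  who);
+				if (LogLevel > 9)
+					tlslogerr(LOG_WARNING, who);
+			}
+			return false;
 		}
-		return false;
 	}
+#  else /* SM_CONF_SHM */
+	/* no shared memory: no need to generate key now */
+#  endif /* SM_CONF_SHM */
 # endif /* !TLS_NO_RSA */
 
 	/*
@@ -1210,9 +1272,15 @@ inittls(ctx, req, options, srv, certfile
 				sm_dprintf("inittls: Generating %d bit DH parameters\n", bits);
 
 			/* this takes a while! */
-			dsa = DSA_generate_parameters(bits, NULL, 0, NULL,
-						      NULL, 0, NULL);
-			dh = DSA_dup_DH(dsa);
+			dsa = DSA_new();
+			if (dsa) {
+				int r;
+
+				r = DSA_generate_parameters_ex(dsa, bits, NULL, 0,
+							    NULL, NULL, NULL);
+				if (r != 0)
+					dh = DSA_dup_DH(dsa);
+			}
 			DSA_free(dsa);
 		}
 		else if (dh == NULL && bitset(TLS_I_DHFIXED, req))
@@ -1733,6 +1801,9 @@ tmp_rsa_key(s, export, keylength)
 	int export;
 	int keylength;
 {
+	BIGNUM *bn;
+	int ret;
+
 #   if SM_CONF_SHM
 	extern int ShmId;
 	extern int *PRSATmpCnt;
@@ -1742,10 +1813,22 @@ tmp_rsa_key(s, export, keylength)
 		return rsa_tmp;
 #   endif /* SM_CONF_SHM */
 
-	if (rsa_tmp != NULL)
-		RSA_free(rsa_tmp);
-	rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL, NULL);
-	if (rsa_tmp == NULL)
+	if (rsa_tmp == NULL) {
+		rsa_tmp = RSA_new();
+		if (!rsa_tmp)
+			return NULL;
+	}
+
+	bn = BN_new();
+	if (!bn)
+		return NULL;
+	if (!BN_set_word(bn, RSA_F4)) {
+		BN_free(bn);
+		return NULL;
+	}
+	ret = RSA_generate_key_ex(rsa_tmp, RSA_KEYLENGTH, bn, NULL);
+	BN_free(bn);
+	if (!ret)
 	{
 		if (LogLevel > 0)
 			sm_syslog(LOG_ERR, NOQID,
@@ -1971,9 +2054,9 @@ x509_verify_cb(ok, ctx)
 	{
 		if (LogLevel > 13)
 			tls_verify_log(ok, ctx, "x509");
-		if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL)
+		if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL)
 		{
-			ctx->error = 0;
+			X509_STORE_CTX_set_error(ctx, 0);
 			return 1;       /* override it */
 		}
 	}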
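Review bot: In the tmp_rsa_key hunk (`@@ -1742,10 +1813,22 @@`), a failed `RSA_generate_key_ex` leaves the static `rsa_tmp` non-NULL and pointing at an RSA object whose key components may have been partially written, whereas the replaced `rsa_tmp = RSA_generate_key(...)` left it NULL on failure. The tail of the function that decides what is returned lies outside the hunk, as does the SHM early `return rsa_tmp;` at its top, so if either still hands back `rsa_tmp` an unusable or half-generated key could reach the TLS layer on a later call. Inside `if (!ret)`, before the logging, add `RSA_free(rsa_tmp); rsa_tmp = NULL;` so the previous NULL-on-failure contract is kept; the same reset is worth applying on the `BN_new()`/`BN_set_word()` early returns, which currently keep an empty `RSA_new()` object in the static. Separately, the new code in both `inittls` and `tmp_rsa_key` puts `{` on the `if` line (`if (!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4)) {`) while the surrounding sendmail code places braces on their own line.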
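--- a/doc/op/op.me
+++ b/doc/op/op.me
@@ -10898,7 +10898,7 @@ C=FileName_of_CA_Certificate
 ln -s $C `openssl x509 -noout -hash < $C`.0
 .)b
 A better way to do this is to use the
-.b c_rehash
+.b "openssl rehash"
 command that is part of the OpenSSL distribution
 because it handles subject hash collisions
 by incrementing the number in the suffix of the filename of the symbolic link,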