openssl-1.1.0.patch

   1 From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
   2 Date: Sat, 10 Sep 2016 19:27:17 +0000
   3 Subject: [PATCH] sendmail: compile against openssl 1.1.0
   4
   5 Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
   6 ---
   7
   8 --- a/sendmail/tls.c
   9 +++ b/sendmail/tls.c
  10 @@ -60,18 +60,58 @@ static unsigned char dh512_g[] =
  11         0x02
  12  };
  13
  14 +#if OPENSSL_VERSION_NUMBER < 0x10100000
  15 +
  16 +static inline int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
  17 +{
  18 +       /* If the fields p and g in d are NULL, the corresponding input
  19 +        * parameters MUST be non-NULL.  q may remain NULL.
  20 +        */
  21 +       if ((dh->p == NULL && p == NULL)
  22 +           || (dh->g == NULL && g == NULL))
  23 +               return 0;
  24 +
  25 +       if (p != NULL) {
  26 +               BN_free(dh->p);
  27 +               dh->p = p;
  28 +       }
  29 +       if (q != NULL) {
  30 +               BN_free(dh->q);
  31 +               dh->q = q;
  32 +       }
  33 +       if (g != NULL) {
  34 +               BN_free(dh->g);
  35 +               dh->g = g;
  36 +       }
  37 +
  38 +       if (q != NULL) {
  39 +               dh->length = BN_num_bits(q);
  40 +       }
  41 +
  42 +       return 1;
  43 +}
  44 +#endif
  45 +
  46  static DH *
  47  get_dh512()
  48  {
  49         DH *dh = NULL;
  50 +       BIGNUM *p;
  51 +       BIGNUM *g;
  52
  53 -       if ((dh = DH_new()) == NULL)
  54 -               return NULL;
  55 -       dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
  56 -       dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
  57 -       if ((dh->p == NULL) || (dh->g == NULL))
  58 -               return NULL;
  59 +       dh = DH_new();
  60 +       p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
  61 +       g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
  62 +       if (!dh || !p || !g)
  63 +               goto err;
  64 +       if (!DH_set0_pqg(dh, p, NULL, g))
  65 +               goto err;
  66         return dh;
  67 +err:
  68 +       DH_free(dh);
  69 +       BN_free(p);
  70 +       BN_free(g);
  71 +       return NULL;
  72  }
  73
  74  #  if 0
  75 @@ -117,17 +157,22 @@ get_dh2048()
  76                 };
  77         static unsigned char dh2048_g[]={ 0x02, };
  78         DH *dh;
  79 +       BIGNUM *p;
  80 +       BIGNUM *g;
  81
  82 -       if ((dh=DH_new()) == NULL)
  83 -               return(NULL);
  84 -       dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
  85 -       dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
  86 -       if ((dh->p == NULL) || (dh->g == NULL))
  87 -       {
  88 -               DH_free(dh);
  89 -               return(NULL);
  90 -       }
  91 +       dh = DH_new();
  92 +       p = BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
  93 +       g = BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
  94 +       if (!dh || !p || !g)
  95 +               goto err;
  96 +       if (!DH_set0_pqg(dh, p, NULL, g))
  97 +               goto err;
  98         return(dh);
  99 +err:
 100 +       DH_free(dh);
 101 +       BN_free(p);
 102 +       BN_free(g);
 103 +       return NULL;
 104  }
 105  # endif /* !NO_DH */
 106
 107 @@ -926,7 +971,7 @@ inittls(ctx, req, options, srv, certfile
 108         {
 109                 /* get a pointer to the current certificate validation store */
 110                 store = SSL_CTX_get_cert_store(*ctx);   /* does not fail */
 111 -               crl_file = BIO_new(BIO_s_file_internal());
 112 +               crl_file = BIO_new(BIO_s_file());
 113                 if (crl_file != NULL)
 114                 {
 115                         if (BIO_read_filename(crl_file, CRLFile) >= 0)
 116 @@ -1000,26 +1045,43 @@ inittls(ctx, req, options, srv, certfile
 117         **  maybe we should do it only on demand...
 118         */
 119
 120 -       if (bitset(TLS_I_RSA_TMP, req)
 121  #  if SM_CONF_SHM
 122 -           && ShmId != SM_SHM_NO_ID &&
 123 -           (rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL,
 124 -                                       NULL)) == NULL
 125 -#  else /* SM_CONF_SHM */
 126 -           && 0        /* no shared memory: no need to generate key now */
 127 -#  endif /* SM_CONF_SHM */
 128 -          )
 129 +       if (bitset(TLS_I_RSA_TMP, req)
 130 +           && ShmId != SM_SHM_NO_ID)
 131         {
 132 -               if (LogLevel > 7)
 133 +               BIGNUM *bn;
 134 +
 135 +               bn = BN_new();
 136 +               rsa_tmp = RSA_new();
 137 +               if (!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4)) {
 138 +                       RSA_free(rsa_tmp);
 139 +                       rsa_tmp = NULL;
 140 +               }
 141 +               if (rsa_tmp)
 142                 {
 143 -                       sm_syslog(LOG_WARNING, NOQID,
 144 -                                 "STARTTLS=%s, error: RSA_generate_key failed",
 145 -                                 who);
 146 -                       if (LogLevel > 9)
 147 -                               tlslogerr(LOG_WARNING, who);
 148 +                       if (!RSA_generate_key_ex(rsa_tmp, RSA_KEYLENGTH, bn, NULL))
 149 +                       {
 150 +                               RSA_free(rsa_tmp);
 151 +                               rsa_tmp = NULL;
 152 +                       }
 153 +               }
 154 +               BN_free(bn);
 155 +               if (!rsa_tmp)
 156 +               {
 157 +                       if (LogLevel > 7)
 158 +                       {
 159 +                               sm_syslog(LOG_WARNING, NOQID,
 160 +                                         "STARTTLS=%s, error: RSA_generate_key failed",
 161 +                                         who);
 162 +                               if (LogLevel > 9)
 163 +                                       tlslogerr(LOG_WARNING, who);
 164 +                       }
 165 +                       return false;
 166                 }
 167 -               return false;
 168         }
 169 +#  else /* SM_CONF_SHM */
 170 +       /* no shared memory: no need to generate key now */
 171 +#  endif /* SM_CONF_SHM */
 172  # endif /* !TLS_NO_RSA */
 173
 174         /*
 175 @@ -1210,9 +1272,15 @@ inittls(ctx, req, options, srv, certfile
 176                                 sm_dprintf("inittls: Generating %d bit DH parameters\n", bits);
 177
 178                         /* this takes a while! */
 179 -                       dsa = DSA_generate_parameters(bits, NULL, 0, NULL,
 180 -                                                     NULL, 0, NULL);
 181 -                       dh = DSA_dup_DH(dsa);
 182 +                       dsa = DSA_new();
 183 +                       if (dsa) {
 184 +                               int r;
 185 +
 186 +                               r = DSA_generate_parameters_ex(dsa, bits, NULL, 0,
 187 +                                                           NULL, NULL, NULL);
 188 +                               if (r != 0)
 189 +                                       dh = DSA_dup_DH(dsa);
 190 +                       }
 191                         DSA_free(dsa);
 192                 }
 193                 else if (dh == NULL && bitset(TLS_I_DHFIXED, req))
 194 @@ -1733,6 +1801,9 @@ tmp_rsa_key(s, export, keylength)
 195         int export;
 196         int keylength;
 197  {
 198 +       BIGNUM *bn;
 199 +       int ret;
 200 +
 201  #   if SM_CONF_SHM
 202         extern int ShmId;
 203         extern int *PRSATmpCnt;
 204 @@ -1742,10 +1813,22 @@ tmp_rsa_key(s, export, keylength)
 205                 return rsa_tmp;
 206  #   endif /* SM_CONF_SHM */
 207
 208 -       if (rsa_tmp != NULL)
 209 -               RSA_free(rsa_tmp);
 210 -       rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL, NULL);
 211 -       if (rsa_tmp == NULL)
 212 +       if (rsa_tmp == NULL) {
 213 +               rsa_tmp = RSA_new();
 214 +               if (!rsa_tmp)
 215 +                       return NULL;
 216 +       }
 217 +
 218 +       bn = BN_new();
 219 +       if (!bn)
 220 +               return NULL;
 221 +       if (!BN_set_word(bn, RSA_F4)) {
 222 +               BN_free(bn);
 223 +               return NULL;
 224 +       }
 225 +       ret = RSA_generate_key_ex(rsa_tmp, RSA_KEYLENGTH, bn, NULL);
 226 +       BN_free(bn);
 227 +       if (!ret)
 228         {
 229                 if (LogLevel > 0)
 230                         sm_syslog(LOG_ERR, NOQID,
 231 @@ -1971,9 +2054,9 @@ x509_verify_cb(ok, ctx)
 232         {
 233                 if (LogLevel > 13)
 234                         tls_verify_log(ok, ctx, "x509");
 235 -               if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL)
 236 +               if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL)
 237                 {
 238 -                       ctx->error = 0;
 239 +                       X509_STORE_CTX_set_error(ctx, 0);
 240                         return 1;       /* override it */
 241                 }
 242         }
 243 --- a/doc/op/op.me
 244 +++ b/doc/op/op.me
 245 @@ -10898,7 +10898,7 @@ C=FileName_of_CA_Certificate
 246  ln -s $C `openssl x509 -noout -hash < $C`.0
 247  .)b
 248  A better way to do this is to use the
 249 -.b c_rehash
 250 +.b "openssl rehash"
 251  command that is part of the OpenSSL distribution
 252  because it handles subject hash collisions
 253  by incrementing the number in the suffix of the filename of the symbolic link,