1 From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
2 Date: Sat, 10 Sep 2016 19:27:17 +0000
3 Subject: [PATCH] sendmail: compile against openssl 1.1.0
5 Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
10 @@ -60,18 +60,58 @@ static unsigned char dh512_g[] =
14 +#if OPENSSL_VERSION_NUMBER < 0x10100000
16 +static inline int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
18 + /* If the fields p and g in d are NULL, the corresponding input
19 + * parameters MUST be non-NULL. q may remain NULL.
21 + if ((dh->p == NULL && p == NULL)
22 + || (dh->g == NULL && g == NULL))
39 + dh->length = BN_num_bits(q);
53 - if ((dh = DH_new()) == NULL)
55 - dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
56 - dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
57 - if ((dh->p == NULL) || (dh->g == NULL))
60 + p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
61 + g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
62 + if (!dh || !p || !g)
64 + if (!DH_set0_pqg(dh, p, NULL, g))
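Review bot: On the two failure paths added to get_dh512 — the `if (!dh || !p || !g)` test and the `if (!DH_set0_pqg(dh, p, NULL, g))` test — the BIGNUMs p and g are still owned by the caller and need `BN_free(p); BN_free(g);` (plus `DH_free(dh)` on the second), because ownership passes to dh only when DH_set0_pqg succeeds; the error branches are not visible in this chunk, so this may already be handled. The same applies to get_dh2048 in the next hunk, which uses the identical pattern. The compatibility shim's `dh->length = BN_num_bits(q);` is only meaningful when q is non-NULL, so a short comment such as `/* mirrors OpenSSL 1.1.0 DH_set0_pqg: q is optional, p and g must end up set */` would help whoever removes the shim later. Note that the 512-bit group in get_dh512 is carried over unchanged by this patch; whether it is still reachable for a handshake is not visible here.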
75 @@ -117,17 +157,22 @@ get_dh2048()
77 static unsigned char dh2048_g[]={ 0x02, };
82 - if ((dh=DH_new()) == NULL)
84 - dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
85 - dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
86 - if ((dh->p == NULL) || (dh->g == NULL))
92 + p = BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
93 + g = BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
94 + if (!dh || !p || !g)
96 + if (!DH_set0_pqg(dh, p, NULL, g))
107 @@ -926,7 +971,7 @@ inittls(ctx, req, options, srv, certfile
109 /* get a pointer to the current certificate validation store */
110 store = SSL_CTX_get_cert_store(*ctx); /* does not fail */
111 - crl_file = BIO_new(BIO_s_file_internal());
112 + crl_file = BIO_new(BIO_s_file());
113 if (crl_file != NULL)
115 if (BIO_read_filename(crl_file, CRLFile) >= 0)
116 @@ -1000,26 +1045,43 @@ inittls(ctx, req, options, srv, certfile
117 ** maybe we should do it only on demand...
120 - if (bitset(TLS_I_RSA_TMP, req)
122 - && ShmId != SM_SHM_NO_ID &&
123 - (rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL,
125 -# else /* SM_CONF_SHM */
126 - && 0 /* no shared memory: no need to generate key now */
127 -# endif /* SM_CONF_SHM */
129 + if (bitset(TLS_I_RSA_TMP, req)
130 + && ShmId != SM_SHM_NO_ID)
136 + rsa_tmp = RSA_new();
137 + if (!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4)) {
143 - sm_syslog(LOG_WARNING, NOQID,
144 - "STARTTLS=%s, error: RSA_generate_key failed",
147 - tlslogerr(LOG_WARNING, who);
148 + if (!RSA_generate_key_ex(rsa_tmp, RSA_KEYLENGTH, bn, NULL))
159 + sm_syslog(LOG_WARNING, NOQID,
160 + "STARTTLS=%s, error: RSA_generate_key failed",
163 + tlslogerr(LOG_WARNING, who);
169 +# else /* SM_CONF_SHM */
170 + /* no shared memory: no need to generate key now */
171 +# endif /* SM_CONF_SHM */
172 # endif /* !TLS_NO_RSA */
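Review bot: With `rsa_tmp = RSA_new();` now assigned before generation, a failed `RSA_generate_key_ex` leaves rsa_tmp non-NULL but keyless, whereas the removed `RSA_generate_key` returned NULL on failure; unless the error branch (not visible between the sm_syslog warning and `tlslogerr`) does `RSA_free(rsa_tmp); rsa_tmp = NULL;`, later `rsa_tmp == NULL` checks such as the one in tmp_rsa_key two hunks below would treat the empty key as usable. The exponent `bn` also needs `BN_free(bn);` on every path once `RSA_generate_key_ex` returns, since the exponent is copied rather than adopted. The same pattern appears in the tmp_rsa_key hunk at `ret = RSA_generate_key_ex(rsa_tmp, RSA_KEYLENGTH, bn, NULL);`. Style: the same-line brace in `if (!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4)) {` appears to differ from the brace placement of the surrounding code.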
175 @@ -1210,9 +1272,15 @@ inittls(ctx, req, options, srv, certfile
176 sm_dprintf("inittls: Generating %d bit DH parameters\n", bits);
178 /* this takes a while! */
179 - dsa = DSA_generate_parameters(bits, NULL, 0, NULL,
181 - dh = DSA_dup_DH(dsa);
186 + r = DSA_generate_parameters_ex(dsa, bits, NULL, 0,
189 + dh = DSA_dup_DH(dsa);
193 else if (dh == NULL && bitset(TLS_I_DHFIXED, req))
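Review bot: The return value stored in `r = DSA_generate_parameters_ex(dsa, bits, NULL, 0, ...)` must be checked before `dh = DSA_dup_DH(dsa);` — on a zero return dsa holds no parameters and the DH derived from it is unusable; the lines between the two calls are not in this chunk, so the check may already exist. dsa now has to be obtained from `DSA_new()` beforehand and released with `DSA_free(dsa);` after the dup, since DSA_dup_DH makes its own copies; neither is visible here. inittls begins and ends outside this hunk.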
194 @@ -1733,6 +1801,9 @@ tmp_rsa_key(s, export, keylength)
203 extern int *PRSATmpCnt;
204 @@ -1742,10 +1813,22 @@ tmp_rsa_key(s, export, keylength)
206 # endif /* SM_CONF_SHM */
208 - if (rsa_tmp != NULL)
210 - rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL, NULL);
211 - if (rsa_tmp == NULL)
212 + if (rsa_tmp == NULL) {
213 + rsa_tmp = RSA_new();
221 + if (!BN_set_word(bn, RSA_F4)) {
225 + ret = RSA_generate_key_ex(rsa_tmp, RSA_KEYLENGTH, bn, NULL);
230 sm_syslog(LOG_ERR, NOQID,
231 @@ -1971,9 +2054,9 @@ x509_verify_cb(ok, ctx)
234 tls_verify_log(ok, ctx, "x509");
235 - if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL)
236 + if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL)
239 + X509_STORE_CTX_set_error(ctx, 0);
240 return 1; /* override it */
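Review bot: `X509_STORE_CTX_set_error(ctx, 0);` would read better as `X509_STORE_CTX_set_error(ctx, X509_V_OK);` — that constant is the documented name for a cleared verification error and avoids a bare magic number. Because this branch turns an unavailable CRL into a successful verification, a one-line comment stating the policy explicitly, e.g. `/* CRL unavailable: accept the chain; tls_verify_log above records it */`, makes the revocation behaviour obvious to anyone auditing it. x509_verify_cb begins outside this hunk.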
245 @@ -10898,7 +10898,7 @@ C=FileName_of_CA_Certificate
246 ln -s $C `openssl x509 -noout -hash < $C`.0
248 A better way to do this is to use the
251 command that is part of the OpenSSL distribution
252 because it handles subject hash collisions
253 by incrementing the number in the suffix of the filename of the symbolic link,