From b2a7f05dd3a0156d7f35c1d82686d2d276c13306 Mon Sep 17 00:00:00 2001
From: Bartek Szady
Date: Fri, 26 Nov 2021 16:00:11 +0100
Subject: [PATCH] - added bug fixing (2, 3) and enhancement patches from fedora, rel 9
---
 defaultvalues.patch | 11 ++
 ssmtp-authpass.patch | 13 +++
 ssmtp-garbage_writes.patch | 18 ++++
 ssmtp-validate-TLS-server-cert.patch | 153 +++++++++++++++++++++++++++
 ssmtp.spec | 10 +-
 5 files changed, 204 insertions(+), 1 deletion(-)
 create mode 100644 defaultvalues.patch
 create mode 100644 ssmtp-authpass.patch
 create mode 100644 ssmtp-garbage_writes.patch
 create mode 100644 ssmtp-validate-TLS-server-cert.patch
diff --git a/defaultvalues.patch b/defaultvalues.patch
new file mode 100644
index 0000000..e417cd0
--- /dev/null
+++ b/defaultvalues.patch
@@ -0,0 +1,11 @@
+--- ssmtp-2.64/ssmtp.conf.orig 2008-02-29 03:50:15.000000000 +0100
++++ ssmtp-2.64/ssmtp.conf 2021-11-26 15:50:46.285946096 +0100
+@@ -30,6 +30,8 @@
+ 
+ # Use SSL/TLS to send secure messages to server.
+ #UseTLS=YES
++#IMPORTANT: The following line is mandatory for TLS authentication
++TLS_CA_File=/etc/ssl/certs/ca-certificates.crt
+ 
+ # Use SSL/TLS certificate to authenticate against smtp host.
+ #UseTLSCert=YES
diff --git a/ssmtp-authpass.patch b/ssmtp-authpass.patch
new file mode 100644
index 0000000..8937df8
--- /dev/null
+++ b/ssmtp-authpass.patch
@@ -0,0 +1,13 @@
+diff -up ssmtp-2.61/ssmtp.c.orig ssmtp-2.61/ssmtp.c
+--- ssmtp-2.61/ssmtp.c.orig 2008-11-26 17:27:29.000000000 +0200
++++ ssmtp-2.61/ssmtp.c 2008-11-26 17:25:36.000000000 +0200
+@@ -1051,7 +1051,8 @@ bool_t read_config()
+ }
+ }
+ else if(strcasecmp(p, "AuthPass") == 0 && !auth_pass) {
+- if((auth_pass = strdup(q)) == (char *)NULL) {
++ auth_pass = firsttok(&rightside, " \n\t");
++ if(auth_pass == (char *)NULL) {
+ die("parse_config() -- strdup() failed");
+ }
+ 
diff --git a/ssmtp-garbage_writes.patch b/ssmtp-garbage_writes.patch
new file mode 100644
index 0000000..754e654
--- /dev/null
+++ b/ssmtp-garbage_writes.patch
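Review bot: The uncommented `TLS_CA_File=/etc/ssl/certs/ca-certificates.crt` line is only "mandatory" because of how the companion validate patch is written: it enables `SSL_VERIFY_PEER` unconditionally but loads verify locations only when TLS_CA_File or TLS_CA_Dir is set, so an unset TLS_CA_File leaves an empty trust store and every TLS handshake fails rather than falling back to the system bundle. The cleaner fix is in the validate patch — `else SSL_CTX_set_default_verify_paths(ctx);` — after which this conf line becomes an optional override instead of a hard-coded distro path that sits oddly next to the `/etc/pki/tls/private/` defaults introduced in the same series; whether that bundle path exists on the target distribution cannot be confirmed from here. The comment wording is also off: the line enables validation of the server's certificate, not "TLS authentication" (which the next stanza, UseTLSCert, covers), so `#IMPORTANT: required for server-certificate validation when UseTLS=YES` says what it does.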
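Review bot: The `die("parse_config() -- strdup() failed")` kept as context no longer matches the code above it: `auth_pass` now comes from `firsttok(&rightside, " \n\t")`, not strdup, so a NULL here most plausibly means the `AuthPass=` line carries no value, and the operator is sent hunting for an allocation failure. Suggest `die("parse_config() -- AuthPass has no value");`. `firsttok` and `rightside` are defined outside the hunk, so whether the returned pointer is heap-owned and freed consistently with the strdup'd strings elsewhere in read_config() cannot be confirmed from here; a one-line comment on the new line stating what firsttok returns (and why the password is re-tokenised instead of using `q`) would help the next maintainer. The inner patch is also cut against ssmtp-2.61 while the spec builds 2.64, so it presumably applies with offset; rebasing it would be tidier. read_config() starts and ends outside the hunk.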
@@ -0,0 +1,18 @@
+--- ssmtp-2.64/ssmtp.c.orig 2012-06-30 23:56:31.000000000 +0300
++++ ssmtp-2.64/ssmtp.c 2012-06-30 23:59:02.764119487 +0300
+@@ -1655,12 +1655,12 @@ int ssmtp(char *argv[])
+ outbytes += smtp_write(sock, "%s", leadingdot ? b : buf);
+ } else {
+ if (log_level > 0) {
+- log_event(LOG_INFO, "Sent a very long line in chunks");
++ log_event(LOG_INFO, "Sending a partial line");
+ }
+ if (leadingdot) {
+- outbytes += fd_puts(sock, b, sizeof(b));
++ outbytes += fd_puts(sock, b, strlen(b));
+ } else {
+- outbytes += fd_puts(sock, buf, bufsize);
++ outbytes += fd_puts(sock, buf, strlen(buf));
+ }
+ }
+ (void)alarm((unsigned) MEDWAIT);
diff --git a/ssmtp-validate-TLS-server-cert.patch b/ssmtp-validate-TLS-server-cert.patch
new file mode 100644
index 0000000..96cb331
--- /dev/null
+++ b/ssmtp-validate-TLS-server-cert.patch
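Review bot: `strlen(b)` and `strlen(buf)` on the new fd_puts lines are correct only if the code that fills `buf` (and builds `b`) NUL-terminates after a partial line; that code is outside the hunk, so the invariant deserves a comment on the line rather than leaving the reader to rediscover why `sizeof(b)`/`bufsize` was wrong, e.g. `/* send only what was read: sizeof()/bufsize pushed the stale buffer tail onto the wire */`. If the input can contain an embedded NUL the chunk is silently truncated at it, which is at least consistent with the `smtp_write(sock, "%s", ...)` path just above. ssmtp() starts and ends outside the hunk.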
@@ -0,0 +1,153 @@
+diff -up ssmtp-2.64/ssmtp.conf.5.orig ssmtp-2.64/ssmtp.conf.5
+--- ssmtp-2.64/ssmtp.conf.5.orig 2013-08-20 10:09:28.912253115 +0300
++++ ssmtp-2.64/ssmtp.conf.5 2013-08-20 10:10:05.666212495 +0300
+@@ -53,6 +53,13 @@ See RFC 2487.
+ .Pp
+ .It Cm TLSCert
+ The file name of an RSA certificate to use for TLS, if required.
++.It Cm TLSKey
++The file name of an RSA key to use for TLS, if required.
++.It Cm TLS_CA_File
++A file of trusted certificates for validating the server, if required.
++.Pp
++.It Cm TLS_CA_Dir
++A directory of trusted certificates for validating the server, if required.
+ .Pp
+ .It Cm AuthUser
+ The user name to use for SMTP AUTH.
+diff -up ssmtp-2.64/ssmtp.c.orig ssmtp-2.64/ssmtp.c
+--- ssmtp-2.64/ssmtp.c.orig 2013-08-20 10:09:03.510255402 +0300
++++ ssmtp-2.64/ssmtp.c 2013-08-20 10:10:05.666212495 +0300
+@@ -69,7 +69,10 @@ char *minus_F = (char)NULL;
+ char *gecos;
+ char *prog = (char)NULL;
+ char *root = NULL;
+-char *tls_cert = "/etc/ssl/certs/ssmtp.pem"; /* Default Certificate */
++char *tls_cert = "/etc/pki/tls/private/ssmtp.pem"; /* Default Certificate */
++char *tls_key = "/etc/pki/tls/private/ssmtp.pem"; /* Default private key */
++char *tls_ca_file = NULL; /* Trusted Certificate file */
++char *tls_ca_dir = NULL; /* Trusted Certificate directory */
+ char *uad = (char)NULL;
+ char *config_file = (char)NULL; /* alternate configuration file */
+ 
+@@ -1084,6 +1087,33 @@ bool_t read_config()
+ log_event(LOG_INFO, "Set TLSCert=\"%s\"\n", tls_cert);
+ }
+ }
++ else if(strcasecmp(p, "TLSKey") == 0) {
++ if((tls_key = strdup(q)) == (char *)NULL) {
++ die("parse_config() -- strdup() failed");
++ }
++
++ if(log_level > 0) {
++ log_event(LOG_INFO, "Set TLSKey=\"%s\"\n", tls_key);
++ }
++ }
++ else if(strcasecmp(p, "TLS_CA_File") == 0) {
++ if((tls_ca_file = strdup(q)) == (char *)NULL) {
++ die("parse_config() -- strdup() failed");
++ }
++
++ if(log_level > 0) {
++ log_event(LOG_INFO, "Set TLS_CA_File=\"%s\"\n", tls_ca_file);
++ }
++ else if(strcasecmp(p, "TLS_CA_Dir") == 0) {
++ if((tls_ca_dir = strdup(q)) == (char *)NULL) {
++ die("parse_config() -- strdup() failed");
++ }
++
++ if(log_level > 0) {
++ log_event(LOG_INFO, "Set TLS_CA_Dir=\"%s\"\n", tls_ca_dir);
++ }
++ }
+ #endif
+ /* Command-line overrides these */
+ else if(strcasecmp(p, "AuthUser") == 0 && !auth_user) {
+@@ -1168,6 +1198,8 @@ int smtp_open(char *host, int port)
+ 
+ #ifdef HAVE_SSL
+ int err;
++ long lerr;
++ unsigned long ulerr;
+ char buf[(BUF_SZ + 1)];
+ 
+ /* Init SSL stuff */
+@@ -1190,7 +1222,7 @@ int smtp_open(char *host, int port)
+ return(-1);
+ }
+ 
+- if(SSL_CTX_use_PrivateKey_file(ctx, tls_cert, SSL_FILETYPE_PEM) <= 0) {
++ if(SSL_CTX_use_PrivateKey_file(ctx, tls_key, SSL_FILETYPE_PEM) <= 0) {
+ perror("Use PrivateKey");
+ return(-1);
+ }
+@@ -1200,6 +1232,16 @@ int smtp_open(char *host, int port)
+ return(-1);
+ }
+ }
++ if (tls_ca_file || tls_ca_dir) {
++ if(!SSL_CTX_load_verify_locations(ctx, tls_ca_file, tls_ca_dir)) {
++ ulerr = ERR_get_error();
++ log_event(LOG_ERR, "Error setting verify location: %s",
++ ERR_reason_error_string(ulerr));
++ return(-1);
++ }
++ }
++
++ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
+ #endif
+ 
+ #ifdef INET6
+@@ -1303,14 +1345,20 @@ int smtp_open(char *host, int port)
+ 
+ ssl = SSL_new(ctx);
+ if(!ssl) {
+- log_event(LOG_ERR, "SSL not working");
++ ulerr = ERR_get_error();
++ log_event(LOG_ERR, "SSL not working: %s",
++ ERR_reason_error_string(ulerr));
+ return(-1);
+ }
+ SSL_set_fd(ssl, s);
+ 
+ err = SSL_connect(ssl);
+ if(err < 0) {
+- perror("SSL_connect");
++ ulerr = ERR_get_error();
++ lerr = SSL_get_verify_result(ssl);
++ log_event(LOG_ERR, "SSL not working: %s (%ld)",
++ ERR_reason_error_string(ulerr), lerr);
++
+ return(-1);
+ }
+ 
+@@ -1324,8 +1372,6 @@ int smtp_open(char *host, int port)
+ return(-1);
+ }
+ X509_free(server_cert);
+-
+- /* TODO: Check server cert if changed!
*/
+ }
+ #endif
+ 
+diff -up ssmtp-2.64/TLS.orig ssmtp-2.64/TLS
+--- ssmtp-2.64/TLS.orig 2013-08-20 10:09:52.524212818 +0300
++++ ssmtp-2.64/TLS 2013-08-20 10:10:05.667213425 +0300
+@@ -26,9 +26,13 @@ Set this to yes to make ssmtp identify i
+ TLSCert=
+ Specify which certificate file should be used.
+ 
++TLSKey=
++Specify which key file should be used (can be the same as the certificate file).
+ 
+-TODO:
+-* Check server certificate for changes and notify about it.
+-* Diffrent Certificate and Key file?
++TLS_CA_File=
++Optional file of trusted certificates for validating the server.
++
++TLS_CA_Dir=
++Optional directory of trusted certificates for validating the server.
+ 
+ 
diff --git a/ssmtp.spec b/ssmtp.spec
index aad8586..36f54f1 100644
--- a/ssmtp.spec
+++ b/ssmtp.spec
@@ -2,13 +2,17 @@ Summary: Extremely simple MTA to get mail off the system to a mail hub
 Summary(pl.UTF-8): Skrajnie prosty MTA do przekazywania poczty z systemu do huba
 Name: ssmtp
 Version: 2.64
-Release: 8
+Release: 9
 License: GPL
 Group: Networking/Daemons/SMTP
 Source0: http://http.us.debian.org/debian/pool/main/s/ssmtp/%{name}_%{version}.orig.tar.bz2
 # Source0-md5: 65b4e0df4934a6cd08c506cabcbe584f
 Patch0: %{name}-nonsl.patch
 Patch1: %{name}-ssl.patch
+Patch2: %{name}-garbage_writes.patch
+Patch3: %{name}-authpass.patch
+Patch4: %{name}-validate-TLS-server-cert.patch
+Patch5: defaultvalues.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: openssl-devel
@@ -64,6 +68,10 @@ należy do huba pocztowego z własnym administratorem.
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
 
 %build
 rm -f missing
-- 
2.44.0
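Review bot: `SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL)` in the `@@ -1200,6 +1232,16 @@` hunk validates the chain but nothing binds the presented certificate to `host`, so any certificate from a trusted CA, issued for any name, is accepted and a network attacker holding one can still read the AUTH credentials this client sends. Before `SSL_connect(ssl)` the new code should pin the expected name, e.g. `SSL_set_tlsext_host_name(ssl, host);` followed by `if(!SSL_set1_host(ssl, host)) { log_event(LOG_ERR, "SSL_set1_host failed"); return(-1); }` (OpenSSL 1.1.0+; on 1.0.2 `X509_VERIFY_PARAM_set1_host` on `SSL_get0_param(ssl)` does the same), and if `host` may be an IP literal that case needs `X509_VERIFY_PARAM_set1_ip_asc` instead. Two smaller points: when neither TLS_CA_File nor TLS_CA_Dir is set the context keeps an empty trust store while SSL_VERIFY_PEER stays enabled, so every handshake fails rather than falling back to the system store — an `else SSL_CTX_set_default_verify_paths(ctx);` would make the conf setting optional; and `ERR_reason_error_string()` returns NULL when the error queue is empty, which the new `%s` log calls pass unguarded. The `if(err < 0)` kept as context also lets a 0 return from SSL_connect (handshake refused without a fatal error) fall through to the peer-certificate code; `<= 0` is the documented check. smtp_open() starts and ends outside the hunk.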
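Review bot: `Patch5: defaultvalues.patch` breaks the `%{name}-…` naming every other Patch line uses, and the file name says nothing about ssmtp or TLS, so the spec stops being greppable for it; renaming it to `%{name}-default-tls-ca.patch` (file and Patch5 line in the same commit) fixes that. The Release bump and the `%patchN -p1` lines look consistent with the inner patches' `ssmtp-2.64/` prefixes as far as can be seen here.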