[packages/opensmtpd] - updated to 6.4.2p1 - added openssl1.1 patch (git fix to allow openssl again, not just libressl) -
qboosh
qboosh at pld-linux.org
Sat Sep 28 18:15:00 CEST 2019
commit e31b6fdb5e58ac75cbdc79f8cbbfad06a1e46f4c
Author: Jakub Bogusz <qboosh at pld-linux.org>
Date: Sat Sep 28 18:18:09 2019 +0200
- updated to 6.4.2p1
- added openssl1.1 patch (git fix to allow openssl again, not just libressl)
- added ac patch (fix wrong test arguments)
- fixed configure options
- /usr/sbin/sendmail is specified as required by FHS 3.0 footnote
opensmtpd-ac.patch | 11 ++
opensmtpd-openssl1.1.patch | 280 +++++++++++++++++++++++++++++++++++++++++++++
opensmtpd.spec | 47 +++++---
3 files changed, 323 insertions(+), 15 deletions(-)
---
diff --git a/opensmtpd.spec b/opensmtpd.spec
index a627007..052edaf 100644
--- a/opensmtpd.spec
+++ b/opensmtpd.spec
@@ -1,30 +1,35 @@
# TODO
# - should mailq and newaliases be in bindir?
-
+#
# Conditional build:
%bcond_without pam # build without PAM support
%bcond_without table_db # build table-db backend
Summary: Free implementation of the server-side SMTP protocol as defined by RFC 5321
+Summary(pl.UTF-8): Wolnodostępna implementacja strony serwerowej protokołu SMTP wg RFC 5321
Name: opensmtpd
-Version: 6.0.3p1
+Version: 6.4.2p1
Release: 1
License: ISC
Group: Daemons
Source0: https://www.opensmtpd.org/archives/%{name}-%{version}.tar.gz
-# Source0-md5: 66e496bb0f3303d660744f4fa2178765
+# Source0-md5: fecf68278db728e7112fdbb8ec551e33
Source1: %{name}.service
Source2: %{name}.init
Source3: %{name}.pam
Source4: aliases
Patch0: 11_ssl_1.1.diff
-URL: http://www.opensmtpd.org/
-BuildRequires: autoconf
+# based on https://github.com/OpenSMTPD/OpenSMTPD/commit/227ca8aa76c6656ce04ebc51faebd927a561350e
+Patch1: %{name}-openssl1.1.patch
+Patch2: %{name}-ac.patch
+URL: https://www.opensmtpd.org/
+BuildRequires: autoconf >= 2.69
BuildRequires: automake
BuildRequires: bison
-BuildRequires: db-devel
+%{?with_table_db:BuildRequires: db-devel}
BuildRequires: libasr-devel
BuildRequires: libevent-devel
+BuildRequires: libtool >= 2:2
BuildRequires: openssl-devel
%{?with_pam:BuildRequires: pam-devel}
BuildRequires: rpmbuild(macros) >= 1.228
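Review bot: Patch0 (`11_ssl_1.1.diff`) is still applied ahead of the new Patch1, which the comment above it identifies as the upstream OpenSSL 1.1 fix, so the two presumably touch the same SSL code and nothing states whether Patch0 is still needed or merely survives because of apply order. A one-line comment above Patch0 saying what it still covers, or dropping it if Patch1 supersedes it, would settle that for the next updater. Patch2 also lacks the provenance comment Patch1 has; something like `# fixes malformed test(1) expression in the PAM header check of configure.ac (upstream status: TODO)` would do.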
@@ -67,27 +72,30 @@ re-usable by everyone under an ISC license.
%prep
%setup -q
%patch0 -p1
+%patch1 -p1
+%patch2 -p1
%build
-%{__aclocal}
+%{__libtoolize}
+%{__aclocal} -I m4
%{__autoconf}
%{__autoheader}
%{__automake}
%configure \
--sysconfdir=%{_sysconfdir}/mail \
- --with-ca-file=%{certsdir}/ca-certificates.crt \
+ %{?with_pam:--with-auth-pam=smtp} \
+ --with-group-queue=smtpq \
--with-mantype=man \
- %{?with_pam:--with-pam} \
- %{?with_pam:--enable-table-db} \
- --with-privsep-user=smtpd \
- --with-queue-user=smtpq \
- --with-privsep-path=%{privsepdir} \
- --with-sock-dir=%{_localstatedir}/run
+ --with-path-CAfile=%{certsdir}/ca-certificates.crt \
+ %{?with_table_db:--with-table-db} \
+ --with-user-queue=smtpq \
+ --with-user-smtpd=smtpd
%{__make}
%install
rm -rf $RPM_BUILD_ROOT
+
%{__make} install \
DESTDIR=$RPM_BUILD_ROOT
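Review bot: `--with-privsep-path=%{privsepdir}` and `--with-sock-dir=%{_localstatedir}/run` are removed without any replacement, so the privsep chroot directory and the control-socket location now come from configure's defaults while the spec still defines `%{privsepdir}` for packaging. If the packaged directory differs from the compiled-in path, smtpd will refuse to start, since the privsep chroot must exist with the expected ownership and permissions. If configure in 6.4.2p1 still offers the renamed equivalents (`--with-path-empty=%{privsepdir}` and `--with-path-socket=%{_localstatedir}/run`, to be verified against its configure.ac), they should be passed here so the binary and the %files list agree.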
@@ -100,14 +108,16 @@ cp -p %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/smtp
%endif
touch $RPM_BUILD_ROOT%{_sysconfdir}/mail/aliases.db
-# /usr/sbin/sendmail compatibility is not required /usr/lib/sendmail is
install -d $RPM_BUILD_ROOT%{_prefix}/lib
ln -s %{_sbindir}/smtpctl $RPM_BUILD_ROOT%{_prefix}/lib/sendmail
# other utils
ln -s %{_sbindir}/smtpctl $RPM_BUILD_ROOT%{_sbindir}/mailq
+ln -s %{_sbindir}/smtpctl $RPM_BUILD_ROOT%{_sbindir}/sendmail
+%if %{with table_db}
ln -s %{_sbindir}/smtpctl $RPM_BUILD_ROOT%{_sbindir}/makemap
ln -s %{_sbindir}/smtpctl $RPM_BUILD_ROOT%{_sbindir}/newaliases
+%endif
# queue dirs
install -d $RPM_BUILD_ROOT%{spooldir}/{queue,corrupt,incoming,offline,purge,temporary}
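Review bot: `touch $RPM_BUILD_ROOT%{_sysconfdir}/mail/aliases.db` stays unconditional while the `%ghost` entry for that file in the `%files` hunk below is now wrapped in `%if %{with table_db}`, so a `--without table_db` build leaves an installed but unpackaged file that rpmbuild rejects by default. Wrap the touch in the same conditional: `%if %{with table_db}` / `touch $RPM_BUILD_ROOT%{_sysconfdir}/mail/aliases.db` / `%endif`. The new `%{_sbindir}/sendmail` symlink also collides with every other MTA package shipping that path; unless the spec already carries a `Conflicts:`/`Provides:` covering it (not visible in this hunk), one should accompany the change.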
@@ -148,13 +158,16 @@ fi
%dir %{_sysconfdir}/mail
%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/mail/smtpd.conf
%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/mail/aliases
+%if %{with table_db}
%ghost %{_sysconfdir}/mail/aliases.db
+%endif
%if %{with pam}
%config(noreplace) %verify(not md5 mtime size) /etc/pam.d/smtp
%endif
%attr(754,root,root) /etc/rc.d/init.d/opensmtpd
%{systemdunitdir}/%{name}.service
%attr(755,root,root) %{_sbindir}/mailq
+%attr(755,root,root) %{_sbindir}/sendmail
%attr(755,root,root) %{_sbindir}/smtpctl
%attr(755,root,root) %{_sbindir}/smtpd
%attr(755,root,root) %{_prefix}/lib/sendmail
@@ -175,7 +188,11 @@ fi
%dir %{_libexecdir}/%{name}
%attr(755,root,root) %{_libexecdir}/%{name}/encrypt
+%attr(755,root,root) %{_libexecdir}/%{name}/mail.lmtp
%attr(755,root,root) %{_libexecdir}/%{name}/mail.local
+%attr(755,root,root) %{_libexecdir}/%{name}/mail.maildir
+%attr(755,root,root) %{_libexecdir}/%{name}/mail.mboxfile
+%attr(755,root,root) %{_libexecdir}/%{name}/mail.mda
%dir %attr(711,root,root) %{spooldir}
%dir %attr(1777,root,root) %{spooldir}/offline
diff --git a/opensmtpd-ac.patch b/opensmtpd-ac.patch
new file mode 100644
index 0000000..90d9486
--- /dev/null
+++ b/opensmtpd-ac.patch
@@ -0,0 +1,11 @@
+--- opensmtpd-6.4.2p1/configure.ac.orig 2019-09-28 17:12:18.247895541 +0200
++++ opensmtpd-6.4.2p1/configure.ac 2019-09-28 18:08:49.759522146 +0200
+@@ -1073,7 +1073,7 @@
+ fi
+
+ if test "x$ac_cv_header_security_pam_appl_h" != "xyes" -a \
+- test "x$ac_cv_header_pam_pam_appl_h" != "xyes"; then
++ "x$ac_cv_header_pam_pam_appl_h" != "xyes"; then
+ AC_MSG_ERROR([PAM headers not found])
+ fi
+
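Review bot: The corrected condition still joins the two checks with `test ... -a ...`, which autoconf's portability guidance discourages because `-a`/`-o` are parsed inconsistently by some `test` implementations. Since this is the distribution's own patch, it could instead read `if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && test "x$ac_cv_header_pam_pam_appl_h" != "xyes"; then`. The fix itself is right: the stray second `test` word left the old expression with too many operands, so the PAM header check could never be evaluated as intended.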
diff --git a/opensmtpd-openssl1.1.patch b/opensmtpd-openssl1.1.patch
new file mode 100644
index 0000000..842e45a
--- /dev/null
+++ b/opensmtpd-openssl1.1.patch
@@ -0,0 +1,280 @@
+From 227ca8aa76c6656ce04ebc51faebd927a561350e Mon Sep 17 00:00:00 2001
+From: Gilles Chehade <gilles at poolp.org>
+Date: Tue, 9 Jul 2019 21:58:47 +0200
+Subject: [PATCH] unbreak on OpenSSL 1.1
+
+---
+ configure.ac | 13 ++
+ openbsd-compat/Makefile.am | 5 +-
+ .../SSL_CTX_use_certificate_chain_mem.c | 176 ++++++++++++++++++
+ openbsd-compat/openbsd-compat.h | 12 ++
+ smtpd/ca.c | 17 +-
+ smtpd/ssl.c | 4 +
+ 6 files changed, 222 insertions(+), 5 deletions(-)
+ create mode 100644 openbsd-compat/SSL_CTX_use_certificate_chain_mem.c
+
+diff --git a/configure.ac b/configure.ac
+index 7856318d..5d18c707 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -601,6 +601,7 @@ AC_CHECK_FUNCS([ \
+ b64_pton \
+ __b64_pton \
+ bcopy \
++ calloc_conceal \
+ chflags \
+ crypt_checkpass \
+ dirfd \
+@@ -621,6 +622,7 @@ AC_CHECK_FUNCS([ \
+ inet_ntoa \
+ inet_ntop \
+ isblank \
++ malloc_conceal \
+ memmove \
+ nsleep \
+ pidfile \
+@@ -1893,6 +1895,17 @@ AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL], [1],
+ )
+
+
++LIBS="-lcrypto -lssl $LIBS"
++AC_MSG_CHECKING([whether SSL_CTX_use_certificate_chain_mem is available])
++AC_TRY_LINK_FUNC([SSL_CTX_use_certificate_chain_mem],
++ [
++ AC_DEFINE([HAVE_SSL_CTX_USE_CERTIFICATE_CHAIN_MEM], [1],
++ [Define if SSL_CTX_use_certificate_chain_mem exists in libssl])
++ AC_MSG_RESULT([yes])
++ ],
++ [ AC_MSG_RESULT([no])]
++)
++
+ # Sanity check OpenSSL headers
+ AC_MSG_CHECKING([whether LibreSSL's headers match the library])
+ AC_RUN_IFELSE(
+diff --git a/openbsd-compat/Makefile.am b/openbsd-compat/Makefile.am
+index 7252d91d..6fb72d29 100644
+--- a/openbsd-compat/Makefile.am
++++ b/openbsd-compat/Makefile.am
+@@ -1,7 +1,8 @@
+ noinst_LIBRARIES = libopenbsd-compat.a
+
+-#libopenbsd_compat_a_SOURCES = arc4random.c
+-libopenbsd_compat_a_SOURCES = base64.c
++libopenbsd_compat_a_SOURCES = arc4random.c
++libopenbsd_compat_a_SOURCES += SSL_CTX_use_certificate_chain_mem.c
++libopenbsd_compat_a_SOURCES += base64.c
+ libopenbsd_compat_a_SOURCES += bsd-getpeereid.c
+ libopenbsd_compat_a_SOURCES += bsd-misc.c
+ libopenbsd_compat_a_SOURCES += bsd-waitpid.c
+diff --git a/openbsd-compat/SSL_CTX_use_certificate_chain_mem.c b/openbsd-compat/SSL_CTX_use_certificate_chain_mem.c
+new file mode 100644
+index 00000000..1df167b8
+--- /dev/null
++++ b/openbsd-compat/SSL_CTX_use_certificate_chain_mem.c
+@@ -0,0 +1,176 @@
++/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
++ * All rights reserved.
++ *
++ * This package is an SSL implementation written
++ * by Eric Young (eay at cryptsoft.com).
++ * The implementation was written so as to conform with Netscapes SSL.
++ *
++ * This library is free for commercial and non-commercial use as long as
++ * the following conditions are aheared to. The following conditions
++ * apply to all code found in this distribution, be it the RC4, RSA,
++ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
++ * included with this distribution is covered by the same copyright terms
++ * except that the holder is Tim Hudson (tjh at cryptsoft.com).
++ *
++ * Copyright remains Eric Young's, and as such any Copyright notices in
++ * the code are not to be removed.
++ * If this package is used in a product, Eric Young should be given attribution
++ * as the author of the parts of the library used.
++ * This can be in the form of a textual message at program startup or
++ * in documentation (online or textual) provided with the package.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. All advertising materials mentioning features or use of this software
++ * must display the following acknowledgement:
++ * "This product includes cryptographic software written by
++ * Eric Young (eay at cryptsoft.com)"
++ * The word 'cryptographic' can be left out if the rouines from the library
++ * being used are not cryptographic related :-).
++ * 4. If you include any Windows specific code (or a derivative thereof) from
++ * the apps directory (application code) you must include an acknowledgement:
++ * "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ *
++ * The licence and distribution terms for any publically available version or
++ * derivative of this code cannot be changed. i.e. this code cannot simply be
++ * copied and put under another distribution licence
++ * [including the GNU Public Licence.]
++ */
++
++/*
++ * SSL operations needed when running in a privilege separated environment.
++ * Adapted from openssl's ssl_rsa.c by Pierre-Yves Ritschard .
++ */
++
++#include "includes.h"
++
++#include <sys/types.h>
++
++#include <limits.h>
++#include <unistd.h>
++#include <stdio.h>
++
++#include <openssl/err.h>
++#include <openssl/bio.h>
++#include <openssl/objects.h>
++#include <openssl/evp.h>
++#include <openssl/x509.h>
++#include <openssl/pem.h>
++#include <openssl/ssl.h>
++
++#include "log.h"
++#include "ssl.h"
++
++#define SSL_ECDH_CURVE "prime256v1"
++
++/*
++ * Read a bio that contains our certificate in "PEM" format,
++ * possibly followed by a sequence of CA certificates that should be
++ * sent to the peer in the Certificate message.
++ */
++static int
++ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in)
++{
++ int ret = 0;
++ X509 *x = NULL;
++
++ ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
++
++ x = PEM_read_bio_X509_AUX(in, NULL, SSL_CTX_get_default_passwd_cb(ctx),
++ SSL_CTX_get_default_passwd_cb_userdata(ctx));
++ if (x == NULL) {
++ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PEM_LIB);
++ goto end;
++ }
++
++ ret = SSL_CTX_use_certificate(ctx, x);
++
++ if (ERR_peek_error() != 0)
++ ret = 0;
++ /* Key/certificate mismatch doesn't imply ret==0 ... */
++ if (ret) {
++ /*
++ * If we could set up our certificate, now proceed to
++ * the CA certificates.
++ */
++ X509 *ca;
++ STACK_OF(X509) *chain;
++ int r;
++ unsigned long err;
++
++ SSL_CTX_get_extra_chain_certs_only(ctx, &chain);
++ if (chain != NULL) {
++ sk_X509_pop_free(chain, X509_free);
++ SSL_CTX_clear_extra_chain_certs(ctx);
++ }
++
++ while ((ca = PEM_read_bio_X509(in, NULL,
++ SSL_CTX_get_default_passwd_cb(ctx),
++ SSL_CTX_get_default_passwd_cb_userdata(ctx))) != NULL) {
++ r = SSL_CTX_add_extra_chain_cert(ctx, ca);
++ if (!r) {
++ X509_free(ca);
++ ret = 0;
++ goto end;
++ }
++ /*
++ * Note that we must not free r if it was successfully
++ * added to the chain (while we must free the main
++ * certificate, since its reference count is increased
++ * by SSL_CTX_use_certificate).
++ */
++ }
++
++ /* When the while loop ends, it's usually just EOF. */
++ err = ERR_peek_last_error();
++ if (ERR_GET_LIB(err) == ERR_LIB_PEM &&
++ ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
++ ERR_clear_error();
++ else
++ ret = 0; /* some real error */
++ }
++
++end:
++ if (x != NULL)
++ X509_free(x);
++ return (ret);
++}
++
++#ifndef HAVE_SSL_CTX_USE_CERTIFICATE_CHAIN_MEM
++int
++SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, void *buf, int len)
++{
++ BIO *in;
++ int ret = 0;
++
++ in = BIO_new_mem_buf(buf, len);
++ if (in == NULL) {
++ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
++ goto end;
++ }
++
++ ret = ssl_ctx_use_certificate_chain_bio(ctx, in);
++
++end:
++ BIO_free(in);
++ return (ret);
++}
++#endif
+diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
+index 7dde2fe1..4a296519 100644
+--- a/openbsd-compat/openbsd-compat.h
++++ b/openbsd-compat/openbsd-compat.h
+@@ -141,6 +141,10 @@ void arc4random_buf(void *, size_t);
+ uint32_t arc4random_uniform(uint32_t);
+ #endif
+
++#if !defined(SSL_OP_NO_CLIENT_RENEGOTIATION)
++#define SSL_OP_NO_CLIENT_RENEGOTIATION 0
++#endif
++
+ #ifndef HAVE_ASPRINTF
+ int asprintf(char **, const char *, ...);
+ #endif
+@@ -229,6 +233,14 @@ int inet_net_pton(int, const char *, void *, size_t);
+ #define pledge(promises, paths) 0
+ #endif
+
++#ifndef HAVE_MALLOC_CONCEAL
++#define malloc_conceal malloc
++#endif
++
++#ifndef HAVE_CALLOC_CONCEAL
++#define calloc_conceal calloc
++#endif
++
+ #ifndef HAVE_RES_HNOK
+ int res_hnok(const char *);
+ #endif
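Review bot: The patch file looks truncated: its own diffstat lists `smtpd/ca.c | 17 +-` and `smtpd/ssl.c | 4 +` for 222 insertions across six files, but the 280 lines added here end after the `openbsd-compat.h` hunk and the four files visible account for only 204 insertions, so the ca.c/ssl.c changes that actually switch smtpd to the new compat function are missing and an OpenSSL 1.1 build will presumably still fail or keep the old code path; regenerate the file from the referenced upstream commit and compare with `git apply --stat`. Separately, `#define SSL_OP_NO_CLIENT_RENEGOTIATION 0` turns the option into a no-op on OpenSSL, silently dropping the refusal of client-initiated renegotiation that the LibreSSL build keeps; OpenSSL 1.1.0h and later provide `SSL_OP_NO_RENEGOTIATION` (broader, it blocks renegotiation in both directions), so mapping to it when available preserves the hardening instead of discarding it. Likewise the `malloc_conceal`/`calloc_conceal` fallbacks to plain `malloc`/`calloc` lose the OpenBSD guarantee that the memory is kept out of core dumps; a comment such as `/* no conceal semantics on this platform: key material may appear in core dumps */` would tell the next reader what was given up.

```c
#if !defined(SSL_OP_NO_CLIENT_RENEGOTIATION)
# if defined(SSL_OP_NO_RENEGOTIATION)
   /* OpenSSL >= 1.1.0h: closest equivalent, refuses all renegotiation */
#  define SSL_OP_NO_CLIENT_RENEGOTIATION SSL_OP_NO_RENEGOTIATION
# else
#  define SSL_OP_NO_CLIENT_RENEGOTIATION 0
# endif
#endif
/* … unchanged: remaining openbsd-compat.h additions … */
```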