[packages/opensmtpd] - up to 6.6.2p1; fixes local and remote root hole - CVE-2020-7247
arekm
arekm at pld-linux.org
Wed Jan 29 19:16:28 CET 2020
commit b45fa1183b4a8f3c982a1e040cb3bdec5a5ad671
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date: Wed Jan 29 19:16:21 2020 +0100
- up to 6.6.2p1; fixes local and remote root hole - CVE-2020-7247
11_ssl_1.1.diff | 722 ---------------------------------------------
opensmtpd-openssl1.1.patch | 280 ------------------
opensmtpd.spec | 17 +-
3 files changed, 7 insertions(+), 1012 deletions(-)
---
diff --git a/opensmtpd.spec b/opensmtpd.spec
index c4bce2e..971d846 100644
--- a/opensmtpd.spec
+++ b/opensmtpd.spec
@@ -8,20 +8,17 @@
Summary: Free implementation of the server-side SMTP protocol as defined by RFC 5321
Summary(pl.UTF-8): Wolnodostępna implementacja strony serwerowej protokołu SMTP wg RFC 5321
Name: opensmtpd
-Version: 6.4.2p1
-Release: 3
+Version: 6.6.2p1
+Release: 1
License: ISC
Group: Daemons
Source0: https://www.opensmtpd.org/archives/%{name}-%{version}.tar.gz
-# Source0-md5: fecf68278db728e7112fdbb8ec551e33
+# Source0-md5: bd29619f56c009a4eb4879304771822b
Source1: %{name}.service
Source2: %{name}.init
Source3: %{name}.pam
Source4: aliases
-Patch0: 11_ssl_1.1.diff
-# based on https://github.com/OpenSMTPD/OpenSMTPD/commit/227ca8aa76c6656ce04ebc51faebd927a561350e
-Patch1: %{name}-openssl1.1.patch
-Patch2: %{name}-ac.patch
+Patch0: %{name}-ac.patch
URL: https://www.opensmtpd.org/
BuildRequires: autoconf >= 2.69
BuildRequires: automake
@@ -72,8 +69,6 @@ re-usable by everyone under an ISC license.
%prep
%setup -q
%patch0 -p1
-%patch1 -p1
-%patch2 -p1
%build
%{__libtoolize}
@@ -155,7 +150,7 @@ fi
%files
%defattr(644,root,root,755)
-%doc LICENSE README.md THANKS
+%doc LICENSE README.md
%dir %{_sysconfdir}/mail
%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/mail/smtpd.conf
%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/mail/aliases
@@ -167,11 +162,13 @@ fi
%endif
%attr(754,root,root) /etc/rc.d/init.d/opensmtpd
%{systemdunitdir}/%{name}.service
+%attr(755,root,root) %{_bindir}/smtp
%attr(755,root,root) %{_sbindir}/mailq
%attr(755,root,root) %{_sbindir}/sendmail
%attr(755,root,root) %{_sbindir}/smtpctl
%attr(755,root,root) %{_sbindir}/smtpd
%attr(755,root,root) %{_prefix}/lib/sendmail
+%{_mandir}/man1/smtp.1*
%{_mandir}/man5/aliases.5*
%{_mandir}/man5/forward.5*
%{_mandir}/man5/smtpd.conf.5*
diff --git a/11_ssl_1.1.diff b/11_ssl_1.1.diff
deleted file mode 100644
index 40a62ae..0000000
--- a/11_ssl_1.1.diff
+++ /dev/null
@@ -1,722 +0,0 @@
-Description: Enable support for OpenSSL 1.1
-Author: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
- Ryan Kavanagh <rak at debian.org>
-Origin: Debian
-Bug: https://github.com/OpenSMTPD/OpenSMTPD/issues/738
-Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859544
-Forwarded: https://github.com/OpenSMTPD/OpenSMTPD/pull/825
-Last-Update: 2018-03-18
----
-This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
-diff --git a/openbsd-compat/libressl.c b/openbsd-compat/libressl.c
-index f4f2b52e..d06e006f 100644
---- a/openbsd-compat/libressl.c
-+++ b/openbsd-compat/libressl.c
-@@ -81,14 +81,14 @@ SSL_CTX_use_certificate_chain(SSL_CTX *ctx, char *buf, off_t len)
- x = ca = NULL;
-
- if ((in = BIO_new_mem_buf(buf, len)) == NULL) {
-- SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
-+ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
- goto end;
- }
-
- if ((x = PEM_read_bio_X509(in, NULL,
-- ctx->default_passwd_callback,
-- ctx->default_passwd_callback_userdata)) == NULL) {
-- SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
-+ SSL_CTX_get_default_passwd_cb(ctx),
-+ SSL_CTX_get_default_passwd_cb_userdata(ctx))) == NULL) {
-+ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PEM_LIB);
- goto end;
- }
-
-@@ -99,14 +99,11 @@ SSL_CTX_use_certificate_chain(SSL_CTX *ctx, char *buf, off_t len)
- * the CA certificates.
- */
-
-- if (ctx->extra_certs != NULL) {
-- sk_X509_pop_free(ctx->extra_certs, X509_free);
-- ctx->extra_certs = NULL;
-- }
-+ SSL_CTX_clear_extra_chain_certs(ctx);
-
- while ((ca = PEM_read_bio_X509(in, NULL,
-- ctx->default_passwd_callback,
-- ctx->default_passwd_callback_userdata)) != NULL) {
-+ SSL_CTX_get_default_passwd_cb(ctx),
-+ SSL_CTX_get_default_passwd_cb_userdata(ctx))) != NULL) {
-
- if (!SSL_CTX_add_extra_chain_cert(ctx, ca))
- goto end;
-diff --git a/smtpd/ca.c b/smtpd/ca.c
-index e383c6a1..29a44b9b 100644
---- a/smtpd/ca.c
-+++ b/smtpd/ca.c
-@@ -170,6 +170,190 @@ ca_verify_cb(int ok, X509_STORE_CTX *ctx)
- return ok;
- }
-
-+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
-+
-+static int RSA_meth_get_flags(RSA_METHOD *meth)
-+{
-+ return meth->flags;
-+}
-+
-+static int RSA_meth_set_flags(RSA_METHOD *meth, int flags)
-+{
-+ meth->flags = flags;
-+ return 1;
-+}
-+
-+static void *RSA_meth_get0_app_data(const RSA_METHOD *meth)
-+{
-+ return meth->app_data;
-+}
-+
-+static int RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data)
-+{
-+ meth->app_data = app_data;
-+ return 1;
-+}
-+
-+static int (*RSA_meth_get_pub_enc(const RSA_METHOD *meth))
-+(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
-+{
-+ return meth->rsa_pub_enc;
-+}
-+
-+static int RSA_meth_set_pub_enc(RSA_METHOD *meth,
-+ int (*pub_enc) (int flen, const unsigned char *from,
-+ unsigned char *to, RSA *rsa,
-+ int padding))
-+{
-+ meth->rsa_pub_enc = pub_enc;
-+ return 1;
-+}
-+
-+static int (*RSA_meth_get_pub_dec(const RSA_METHOD *meth))
-+(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
-+{
-+ return meth->rsa_pub_dec;
-+}
-+
-+static int (*RSA_meth_get_priv_enc(const RSA_METHOD *meth))
-+(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
-+{
-+ return meth->rsa_priv_enc;
-+}
-+
-+int RSA_meth_set_priv_enc(RSA_METHOD *meth,
-+ int (*priv_enc) (int flen, const unsigned char *from,
-+ unsigned char *to, RSA *rsa, int padding))
-+{
-+ meth->rsa_priv_enc = priv_enc;
-+ return 1;
-+}
-+
-+static int (*RSA_meth_get_priv_dec(const RSA_METHOD *meth))
-+(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
-+{
-+ return meth->rsa_priv_dec;
-+}
-+
-+static int RSA_meth_set_priv_dec(RSA_METHOD *meth,
-+ int (*priv_dec) (int flen, const unsigned char *from,
-+ unsigned char *to, RSA *rsa, int padding))
-+{
-+ meth->rsa_priv_dec = priv_dec;
-+ return 1;
-+}
-+
-+static int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth))
-+ (BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
-+{
-+ return meth->rsa_mod_exp;
-+}
-+
-+static int RSA_meth_set_mod_exp(RSA_METHOD *meth,
-+ int (*mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx))
-+{
-+ meth->rsa_mod_exp = mod_exp;
-+ return 1;
-+}
-+
-+static int (*RSA_meth_get_bn_mod_exp(const RSA_METHOD *meth))
-+(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
-+{
-+ return meth->bn_mod_exp;
-+}
-+
-+static int RSA_meth_set_bn_mod_exp(RSA_METHOD *meth, int (*bn_mod_exp)
-+ (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
-+ BN_CTX *ctx, BN_MONT_CTX *m_ctx))
-+{
-+ meth->bn_mod_exp = bn_mod_exp;
-+ return 1;
-+}
-+
-+static int (*RSA_meth_get_init(const RSA_METHOD *meth)) (RSA *rsa)
-+{
-+ return meth->init;
-+}
-+
-+static int RSA_meth_set_init(RSA_METHOD *meth, int (*init) (RSA *rsa))
-+{
-+ meth->init = init;
-+ return 1;
-+}
-+
-+static int (*RSA_meth_get_finish(const RSA_METHOD *meth)) (RSA *rsa)
-+{
-+ return meth->finish;
-+}
-+
-+static int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish) (RSA *rsa))
-+{
-+ meth->finish = finish;
-+ return 1;
-+}
-+
-+static int (*RSA_meth_get_keygen(const RSA_METHOD *meth))
-+ (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb)
-+{
-+ return meth->rsa_keygen;
-+}
-+
-+static int RSA_meth_set_keygen(RSA_METHOD *meth, int (*keygen)
-+ (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb))
-+{
-+ meth->rsa_keygen = keygen;
-+ return 1;
-+}
-+
-+static int (*RSA_meth_get_verify(const RSA_METHOD *meth))
-+ (int dtype, const unsigned char *m,
-+ unsigned int m_length, const unsigned char *sigbuf,
-+ unsigned int siglen, const RSA *rsa)
-+{
-+ if (meth->flags & RSA_FLAG_SIGN_VER)
-+ return meth->rsa_verify;
-+ return NULL;
-+}
-+
-+static int (*RSA_meth_get_sign(const RSA_METHOD *meth))
-+ (int type,
-+ const unsigned char *m, unsigned int m_length,
-+ unsigned char *sigret, unsigned int *siglen,
-+ const RSA *rsa)
-+{
-+ if (meth->flags & RSA_FLAG_SIGN_VER)
-+ return meth->rsa_sign;
-+ return NULL;
-+}
-+
-+static int RSA_meth_set_pub_dec(RSA_METHOD *meth,
-+ int (*pub_dec) (int flen, const unsigned char *from,
-+ unsigned char *to, RSA *rsa, int padding))
-+{
-+ meth->rsa_pub_dec = pub_dec;
-+ return 1;
-+}
-+
-+static RSA_METHOD *RSA_meth_new(const char *name, int flags)
-+{
-+ RSA_METHOD *meth = malloc(sizeof(*meth));
-+
-+ if (meth != NULL) {
-+ memset(meth, 0, sizeof(*meth));
-+ meth->flags = flags;
-+
-+ meth->name = strdup(name);
-+ if (meth->name != NULL)
-+ return meth;
-+
-+ free(meth);
-+ }
-+
-+ return NULL;
-+}
-+
-+#endif
-+
- int
- ca_X509_verify(void *certificate, void *chain, const char *CAfile,
- const char *CRLfile, const char **errstr)
-@@ -201,7 +385,7 @@ end:
- *errstr = NULL;
- if (ret != 1) {
- if (xsc)
-- *errstr = X509_verify_cert_error_string(xsc->error);
-+ *errstr = X509_verify_cert_error_string(X509_STORE_CTX_get_error(xsc));
- else if (ERR_peek_last_error())
- *errstr = ERR_error_string(ERR_peek_last_error(), NULL);
- }
-@@ -302,24 +486,9 @@ ca_imsg(struct mproc *p, struct imsg *imsg)
- * RSA privsep engine (called from unprivileged processes)
- */
-
--const RSA_METHOD *rsa_default = NULL;
--
--static RSA_METHOD rsae_method = {
-- "RSA privsep engine",
-- rsae_pub_enc,
-- rsae_pub_dec,
-- rsae_priv_enc,
-- rsae_priv_dec,
-- rsae_mod_exp,
-- rsae_bn_mod_exp,
-- rsae_init,
-- rsae_finish,
-- 0,
-- NULL,
-- NULL,
-- NULL,
-- rsae_keygen
--};
-+static const RSA_METHOD *rsa_default = NULL;
-+
-+static const char *rsae_method_name = "RSA privsep engine";
-
- static int
- rsae_send_imsg(int flen, const unsigned char *from, unsigned char *to,
-@@ -404,7 +573,7 @@ rsae_pub_enc(int flen,const unsigned char *from, unsigned char *to, RSA *rsa,
- int padding)
- {
- log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
-- return (rsa_default->rsa_pub_enc(flen, from, to, rsa, padding));
-+ return (RSA_meth_get_pub_enc(rsa_default)(flen, from, to, rsa, padding));
- }
-
- static int
-@@ -412,7 +581,7 @@ rsae_pub_dec(int flen,const unsigned char *from, unsigned char *to, RSA *rsa,
- int padding)
- {
- log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
-- return (rsa_default->rsa_pub_dec(flen, from, to, rsa, padding));
-+ return (RSA_meth_get_pub_dec(rsa_default)(flen, from, to, rsa, padding));
- }
-
- static int
-@@ -424,7 +593,7 @@ rsae_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa,
- return (rsae_send_imsg(flen, from, to, rsa, padding,
- IMSG_CA_PRIVENC));
- }
-- return (rsa_default->rsa_priv_enc(flen, from, to, rsa, padding));
-+ return (RSA_meth_get_priv_enc(rsa_default)(flen, from, to, rsa, padding));
- }
-
- static int
-@@ -436,14 +605,14 @@ rsae_priv_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa,
- return (rsae_send_imsg(flen, from, to, rsa, padding,
- IMSG_CA_PRIVDEC));
- }
-- return (rsa_default->rsa_priv_dec(flen, from, to, rsa, padding));
-+ return (RSA_meth_get_priv_dec(rsa_default)(flen, from, to, rsa, padding));
- }
-
- static int
- rsae_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
- {
- log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
-- return (rsa_default->rsa_mod_exp(r0, I, rsa, ctx));
-+ return (RSA_meth_get_mod_exp(rsa_default)(r0, I, rsa, ctx));
- }
-
- static int
-@@ -451,34 +620,36 @@ rsae_bn_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
- {
- log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
-- return (rsa_default->bn_mod_exp(r, a, p, m, ctx, m_ctx));
-+ return (RSA_meth_get_bn_mod_exp(rsa_default)(r, a, p, m, ctx, m_ctx));
- }
-
- static int
- rsae_init(RSA *rsa)
- {
- log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
-- if (rsa_default->init == NULL)
-+ if (RSA_meth_get_init(rsa_default) == NULL)
- return (1);
-- return (rsa_default->init(rsa));
-+ return (RSA_meth_get_init(rsa_default)(rsa));
- }
-
- static int
- rsae_finish(RSA *rsa)
- {
- log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
-- if (rsa_default->finish == NULL)
-+ if (RSA_meth_get_finish(rsa_default) == NULL)
- return (1);
-- return (rsa_default->finish(rsa));
-+ return (RSA_meth_get_finish(rsa_default)(rsa));
- }
-
- static int
- rsae_keygen(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb)
- {
- log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
-- return (rsa_default->rsa_keygen(rsa, bits, e, cb));
-+ return (RSA_meth_get_keygen(rsa_default)(rsa, bits, e, cb));
- }
-
-+static RSA_METHOD *rsae_method;
-+
- void
- ca_engine_init(void)
- {
-@@ -490,7 +661,7 @@ ca_engine_init(void)
- errstr = "ENGINE_new";
- goto fail;
- }
-- if (!ENGINE_set_name(e, rsae_method.name)) {
-+ if (!ENGINE_set_name(e, rsae_method_name)) {
- errstr = "ENGINE_set_name";
- goto fail;
- }
-@@ -503,25 +674,58 @@ ca_engine_init(void)
- goto fail;
- }
-
-+ rsae_method = RSA_meth_new(rsae_method_name, 0);
-+ if (!rsae_method) {
-+ errstr = "RSA_meth_new";
-+ goto fail;
-+ }
-+
- if ((name = ENGINE_get_name(e)) == NULL)
- name = "unknown RSA engine";
-
- log_debug("debug: %s: using %s", __func__, name);
-
-- if (rsa_default->flags & RSA_FLAG_SIGN_VER)
-+ if (RSA_meth_get_sign(rsa_default) ||
-+ RSA_meth_get_verify(rsa_default))
- fatalx("unsupported RSA engine");
-
-- if (rsa_default->rsa_mod_exp == NULL)
-- rsae_method.rsa_mod_exp = NULL;
-- if (rsa_default->bn_mod_exp == NULL)
-- rsae_method.bn_mod_exp = NULL;
-- if (rsa_default->rsa_keygen == NULL)
-- rsae_method.rsa_keygen = NULL;
-- rsae_method.flags = rsa_default->flags |
-- RSA_METHOD_FLAG_NO_CHECK;
-- rsae_method.app_data = rsa_default->app_data;
--
-- if (!ENGINE_set_RSA(e, &rsae_method)) {
-+ errstr = "Setting callback";
-+ if (!RSA_meth_set_pub_enc(rsae_method, rsae_pub_enc))
-+ goto fail;
-+ if (!RSA_meth_set_pub_dec(rsae_method, rsae_pub_dec))
-+ goto fail;
-+ if (!RSA_meth_set_priv_enc(rsae_method, rsae_priv_enc))
-+ goto fail;
-+ if (!RSA_meth_set_priv_dec(rsae_method, rsae_priv_dec))
-+ goto fail;
-+
-+ if (RSA_meth_get_mod_exp(rsa_default)) {
-+ if (!RSA_meth_set_mod_exp(rsae_method, rsae_mod_exp))
-+ goto fail;
-+ }
-+
-+ if (RSA_meth_get_bn_mod_exp(rsa_default))
-+ if (!RSA_meth_set_bn_mod_exp(rsae_method, rsae_bn_mod_exp))
-+ goto fail;
-+ if (!RSA_meth_set_init(rsae_method, rsae_init))
-+ goto fail;
-+ if (!RSA_meth_set_finish(rsae_method, rsae_finish))
-+ goto fail;
-+
-+ if (RSA_meth_get_keygen(rsa_default)) {
-+ if (!RSA_meth_set_keygen(rsae_method, rsae_keygen))
-+ goto fail;
-+ }
-+
-+ if (!RSA_meth_set_flags(rsae_method,
-+ RSA_meth_get_flags(rsa_default) |
-+ RSA_METHOD_FLAG_NO_CHECK))
-+ goto fail;
-+
-+ if (!RSA_meth_set0_app_data(rsae_method, RSA_meth_get0_app_data(rsa_default)))
-+ goto fail;
-+
-+ if (!ENGINE_set_RSA(e, rsae_method)) {
- errstr = "ENGINE_set_RSA";
- goto fail;
- }
-diff --git a/smtpd/crypto.c b/smtpd/crypto.c
-index 76f98807..01452851 100644
---- a/smtpd/crypto.c
-+++ b/smtpd/crypto.c
-@@ -64,7 +64,7 @@ crypto_setup(const char *key, size_t len)
- int
- crypto_encrypt_file(FILE * in, FILE * out)
- {
-- EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX *ctx;
- uint8_t ibuf[CRYPTO_BUFFER_SIZE];
- uint8_t obuf[CRYPTO_BUFFER_SIZE];
- uint8_t iv[IV_SIZE];
-@@ -91,12 +91,14 @@ crypto_encrypt_file(FILE * in, FILE * out)
- if ((w = fwrite(iv, 1, sizeof iv, out)) != sizeof iv)
- return 0;
-
-- EVP_CIPHER_CTX_init(&ctx);
-- EVP_EncryptInit_ex(&ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
-+ ctx = EVP_CIPHER_CTX_new();
-+ if (!ctx)
-+ return 0;
-+ EVP_EncryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
-
- /* encrypt until end of file */
- while ((r = fread(ibuf, 1, CRYPTO_BUFFER_SIZE, in)) != 0) {
-- if (!EVP_EncryptUpdate(&ctx, obuf, &len, ibuf, r))
-+ if (!EVP_EncryptUpdate(ctx, obuf, &len, ibuf, r))
- goto end;
- if (len && (w = fwrite(obuf, len, 1, out)) != 1)
- goto end;
-@@ -105,13 +107,13 @@ crypto_encrypt_file(FILE * in, FILE * out)
- goto end;
-
- /* finalize and write last chunk if any */
-- if (!EVP_EncryptFinal_ex(&ctx, obuf, &len))
-+ if (!EVP_EncryptFinal_ex(ctx, obuf, &len))
- goto end;
- if (len && (w = fwrite(obuf, len, 1, out)) != 1)
- goto end;
-
- /* get and append tag */
-- EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, sizeof tag, tag);
-+ EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, sizeof tag, tag);
- if ((w = fwrite(tag, sizeof tag, 1, out)) != 1)
- goto end;
-
-@@ -119,14 +121,14 @@ crypto_encrypt_file(FILE * in, FILE * out)
- ret = 1;
-
- end:
-- EVP_CIPHER_CTX_cleanup(&ctx);
-+ EVP_CIPHER_CTX_free(ctx);
- return ret;
- }
-
- int
- crypto_decrypt_file(FILE * in, FILE * out)
- {
-- EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX *ctx;
- uint8_t ibuf[CRYPTO_BUFFER_SIZE];
- uint8_t obuf[CRYPTO_BUFFER_SIZE];
- uint8_t iv[IV_SIZE];
-@@ -171,11 +173,13 @@ crypto_decrypt_file(FILE * in, FILE * out)
- sz -= sizeof tag;
-
-
-- EVP_CIPHER_CTX_init(&ctx);
-- EVP_DecryptInit_ex(&ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
-+ ctx = EVP_CIPHER_CTX_new();
-+ if (!ctx)
-+ return 0;
-+ EVP_DecryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
-
- /* set expected tag */
-- EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, sizeof tag, tag);
-+ EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, sizeof tag, tag);
-
- /* decrypt until end of ciphertext */
- while (sz) {
-@@ -185,7 +189,7 @@ crypto_decrypt_file(FILE * in, FILE * out)
- r = fread(ibuf, 1, sz, in);
- if (!r)
- break;
-- if (!EVP_DecryptUpdate(&ctx, obuf, &len, ibuf, r))
-+ if (!EVP_DecryptUpdate(ctx, obuf, &len, ibuf, r))
- goto end;
- if (len && (w = fwrite(obuf, len, 1, out)) != 1)
- goto end;
-@@ -195,7 +199,7 @@ crypto_decrypt_file(FILE * in, FILE * out)
- goto end;
-
- /* finalize, write last chunk if any and perform authentication check */
-- if (!EVP_DecryptFinal_ex(&ctx, obuf, &len))
-+ if (!EVP_DecryptFinal_ex(ctx, obuf, &len))
- goto end;
- if (len && (w = fwrite(obuf, len, 1, out)) != 1)
- goto end;
-@@ -204,14 +208,14 @@ crypto_decrypt_file(FILE * in, FILE * out)
- ret = 1;
-
- end:
-- EVP_CIPHER_CTX_cleanup(&ctx);
-+ EVP_CIPHER_CTX_free(ctx);
- return ret;
- }
-
- size_t
- crypto_encrypt_buffer(const char *in, size_t inlen, char *out, size_t outlen)
- {
-- EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX *ctx;
- uint8_t iv[IV_SIZE];
- uint8_t tag[GCM_TAG_SIZE];
- uint8_t version = API_VERSION;
-@@ -239,33 +243,35 @@ crypto_encrypt_buffer(const char *in, size_t inlen, char *out, size_t outlen)
- memcpy(out + len, iv, sizeof iv);
- len += sizeof iv;
-
-- EVP_CIPHER_CTX_init(&ctx);
-- EVP_EncryptInit_ex(&ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
-+ ctx = EVP_CIPHER_CTX_new();
-+ if (!ctx)
-+ return 0;
-+ EVP_EncryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
-
- /* encrypt buffer */
-- if (!EVP_EncryptUpdate(&ctx, out + len, &olen, in, inlen))
-+ if (!EVP_EncryptUpdate(ctx, out + len, &olen, in, inlen))
- goto end;
- len += olen;
-
- /* finalize and write last chunk if any */
-- if (!EVP_EncryptFinal_ex(&ctx, out + len, &olen))
-+ if (!EVP_EncryptFinal_ex(ctx, out + len, &olen))
- goto end;
- len += olen;
-
- /* get and append tag */
-- EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, sizeof tag, tag);
-+ EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, sizeof tag, tag);
- memcpy(out + len, tag, sizeof tag);
- ret = len + sizeof tag;
-
- end:
-- EVP_CIPHER_CTX_cleanup(&ctx);
-+ EVP_CIPHER_CTX_cleanup(ctx);
- return ret;
- }
-
- size_t
- crypto_decrypt_buffer(const char *in, size_t inlen, char *out, size_t outlen)
- {
-- EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX *ctx;
- uint8_t iv[IV_SIZE];
- uint8_t tag[GCM_TAG_SIZE];
- int olen;
-@@ -292,24 +298,26 @@ crypto_decrypt_buffer(const char *in, size_t inlen, char *out, size_t outlen)
- inlen -= sizeof iv;
- in += sizeof iv;
-
-- EVP_CIPHER_CTX_init(&ctx);
-- EVP_DecryptInit_ex(&ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
-+ ctx = EVP_CIPHER_CTX_new();
-+ if (!ctx)
-+ return 0;
-+ EVP_DecryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
-
- /* set expected tag */
-- EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, sizeof tag, tag);
-+ EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, sizeof tag, tag);
-
- /* decrypt buffer */
-- if (!EVP_DecryptUpdate(&ctx, out, &olen, in, inlen))
-+ if (!EVP_DecryptUpdate(ctx, out, &olen, in, inlen))
- goto end;
- len += olen;
-
- /* finalize, write last chunk if any and perform authentication check */
-- if (!EVP_DecryptFinal_ex(&ctx, out + len, &olen))
-+ if (!EVP_DecryptFinal_ex(ctx, out + len, &olen))
- goto end;
- ret = len + olen;
-
- end:
-- EVP_CIPHER_CTX_cleanup(&ctx);
-+ EVP_CIPHER_CTX_cleanup(ctx);
- return ret;
- }
-
-diff --git a/smtpd/libressl.c b/smtpd/libressl.c
-index 57d74389..db78d943 100644
---- a/smtpd/libressl.c
-+++ b/smtpd/libressl.c
-@@ -94,10 +94,10 @@ ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in)
-
- ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
-
-- x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback,
-- ctx->default_passwd_callback_userdata);
-+ x = PEM_read_bio_X509_AUX(in, NULL, SSL_CTX_get_default_passwd_cb(ctx),
-+ SSL_CTX_get_default_passwd_cb_userdata(ctx));
- if (x == NULL) {
-- SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
-+ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PEM_LIB);
- goto end;
- }
-
-@@ -115,14 +115,11 @@ ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in)
- int r;
- unsigned long err;
-
-- if (ctx->extra_certs != NULL) {
-- sk_X509_pop_free(ctx->extra_certs, X509_free);
-- ctx->extra_certs = NULL;
-- }
-+ SSL_CTX_clear_extra_chain_certs(ctx);
-
- while ((ca = PEM_read_bio_X509(in, NULL,
-- ctx->default_passwd_callback,
-- ctx->default_passwd_callback_userdata)) != NULL) {
-+ SSL_CTX_get_default_passwd_cb(ctx),
-+ SSL_CTX_get_default_passwd_cb_userdata(ctx))) != NULL) {
- r = SSL_CTX_add_extra_chain_cert(ctx, ca);
- if (!r) {
- X509_free(ca);
-@@ -160,7 +157,7 @@ SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, void *buf, int len)
-
- in = BIO_new_mem_buf(buf, len);
- if (in == NULL) {
-- SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
-+ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
- goto end;
- }
-
-diff --git a/smtpd/ssl.c b/smtpd/ssl.c
-index b88360eb..0c93d87e 100644
---- a/smtpd/ssl.c
-+++ b/smtpd/ssl.c
-@@ -425,7 +425,7 @@ ssl_ctx_fake_private_key(SSL_CTX *ctx, const void *data, size_t datalen,
- */
- ret = SSL_CTX_use_PrivateKey(ctx, pkey);
- if (!ret)
-- SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_SSL_LIB);
-+ SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_SYS_LIB);
-
- if (pkeyptr != NULL)
- *pkeyptr = pkey;
-diff --git a/smtpd/ssl.h b/smtpd/ssl.h
-index 90f018d0..553120d4 100644
---- a/smtpd/ssl.h
-+++ b/smtpd/ssl.h
-@@ -73,3 +73,17 @@ void SSL_CTX_set_ecdh_auto(SSL_CTX *, int);
- void SSL_CTX_set_dh_auto(SSL_CTX *, int);
- #endif
- int SSL_CTX_use_certificate_chain_mem(SSL_CTX *, void *, int);
-+
-+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
-+
-+static inline pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
-+{
-+ return ctx->default_passwd_callback;
-+}
-+
-+static inline void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx)
-+{
-+ return ctx->default_passwd_callback_userdata;
-+}
-+
-+#endif
diff --git a/opensmtpd-openssl1.1.patch b/opensmtpd-openssl1.1.patch
deleted file mode 100644
index 842e45a..0000000
--- a/opensmtpd-openssl1.1.patch
+++ /dev/null
@@ -1,280 +0,0 @@
-From 227ca8aa76c6656ce04ebc51faebd927a561350e Mon Sep 17 00:00:00 2001
-From: Gilles Chehade <gilles at poolp.org>
-Date: Tue, 9 Jul 2019 21:58:47 +0200
-Subject: [PATCH] unbreak on OpenSSL 1.1
-
----
- configure.ac | 13 ++
- openbsd-compat/Makefile.am | 5 +-
- .../SSL_CTX_use_certificate_chain_mem.c | 176 ++++++++++++++++++
- openbsd-compat/openbsd-compat.h | 12 ++
- smtpd/ca.c | 17 +-
- smtpd/ssl.c | 4 +
- 6 files changed, 222 insertions(+), 5 deletions(-)
- create mode 100644 openbsd-compat/SSL_CTX_use_certificate_chain_mem.c
-
-diff --git a/configure.ac b/configure.ac
-index 7856318d..5d18c707 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -601,6 +601,7 @@ AC_CHECK_FUNCS([ \
- b64_pton \
- __b64_pton \
- bcopy \
-+ calloc_conceal \
- chflags \
- crypt_checkpass \
- dirfd \
-@@ -621,6 +622,7 @@ AC_CHECK_FUNCS([ \
- inet_ntoa \
- inet_ntop \
- isblank \
-+ malloc_conceal \
- memmove \
- nsleep \
- pidfile \
-@@ -1893,6 +1895,17 @@ AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL], [1],
- )
-
-
-+LIBS="-lcrypto -lssl $LIBS"
-+AC_MSG_CHECKING([whether SSL_CTX_use_certificate_chain_mem is available])
-+AC_TRY_LINK_FUNC([SSL_CTX_use_certificate_chain_mem],
-+ [
-+ AC_DEFINE([HAVE_SSL_CTX_USE_CERTIFICATE_CHAIN_MEM], [1],
-+ [Define if SSL_CTX_use_certificate_chain_mem exists in libssl])
-+ AC_MSG_RESULT([yes])
-+ ],
-+ [ AC_MSG_RESULT([no])]
-+)
-+
- # Sanity check OpenSSL headers
- AC_MSG_CHECKING([whether LibreSSL's headers match the library])
- AC_RUN_IFELSE(
-diff --git a/openbsd-compat/Makefile.am b/openbsd-compat/Makefile.am
-index 7252d91d..6fb72d29 100644
---- a/openbsd-compat/Makefile.am
-+++ b/openbsd-compat/Makefile.am
-@@ -1,7 +1,8 @@
- noinst_LIBRARIES = libopenbsd-compat.a
-
--#libopenbsd_compat_a_SOURCES = arc4random.c
--libopenbsd_compat_a_SOURCES = base64.c
-+libopenbsd_compat_a_SOURCES = arc4random.c
-+libopenbsd_compat_a_SOURCES += SSL_CTX_use_certificate_chain_mem.c
-+libopenbsd_compat_a_SOURCES += base64.c
- libopenbsd_compat_a_SOURCES += bsd-getpeereid.c
- libopenbsd_compat_a_SOURCES += bsd-misc.c
- libopenbsd_compat_a_SOURCES += bsd-waitpid.c
-diff --git a/openbsd-compat/SSL_CTX_use_certificate_chain_mem.c b/openbsd-compat/SSL_CTX_use_certificate_chain_mem.c
-new file mode 100644
-index 00000000..1df167b8
---- /dev/null
-+++ b/openbsd-compat/SSL_CTX_use_certificate_chain_mem.c
-@@ -0,0 +1,176 @@
-+/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
-+ * All rights reserved.
-+ *
-+ * This package is an SSL implementation written
-+ * by Eric Young (eay at cryptsoft.com).
-+ * The implementation was written so as to conform with Netscapes SSL.
-+ *
-+ * This library is free for commercial and non-commercial use as long as
-+ * the following conditions are aheared to. The following conditions
-+ * apply to all code found in this distribution, be it the RC4, RSA,
-+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
-+ * included with this distribution is covered by the same copyright terms
-+ * except that the holder is Tim Hudson (tjh at cryptsoft.com).
-+ *
-+ * Copyright remains Eric Young's, and as such any Copyright notices in
-+ * the code are not to be removed.
-+ * If this package is used in a product, Eric Young should be given attribution
-+ * as the author of the parts of the library used.
-+ * This can be in the form of a textual message at program startup or
-+ * in documentation (online or textual) provided with the package.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. All advertising materials mentioning features or use of this software
-+ * must display the following acknowledgement:
-+ * "This product includes cryptographic software written by
-+ * Eric Young (eay at cryptsoft.com)"
-+ * The word 'cryptographic' can be left out if the rouines from the library
-+ * being used are not cryptographic related :-).
-+ * 4. If you include any Windows specific code (or a derivative thereof) from
-+ * the apps directory (application code) you must include an acknowledgement:
-+ * "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ *
-+ * The licence and distribution terms for any publically available version or
-+ * derivative of this code cannot be changed. i.e. this code cannot simply be
-+ * copied and put under another distribution licence
-+ * [including the GNU Public Licence.]
-+ */
-+
-+/*
-+ * SSL operations needed when running in a privilege separated environment.
-+ * Adapted from openssl's ssl_rsa.c by Pierre-Yves Ritschard .
-+ */
-+
-+#include "includes.h"
-+
-+#include <sys/types.h>
-+
-+#include <limits.h>
-+#include <unistd.h>
-+#include <stdio.h>
-+
-+#include <openssl/err.h>
-+#include <openssl/bio.h>
-+#include <openssl/objects.h>
-+#include <openssl/evp.h>
-+#include <openssl/x509.h>
-+#include <openssl/pem.h>
-+#include <openssl/ssl.h>
-+
-+#include "log.h"
-+#include "ssl.h"
-+
-+#define SSL_ECDH_CURVE "prime256v1"
-+
-+/*
-+ * Read a bio that contains our certificate in "PEM" format,
-+ * possibly followed by a sequence of CA certificates that should be
-+ * sent to the peer in the Certificate message.
-+ */
-+static int
-+ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in)
-+{
-+ int ret = 0;
-+ X509 *x = NULL;
-+
-+ ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
-+
-+ x = PEM_read_bio_X509_AUX(in, NULL, SSL_CTX_get_default_passwd_cb(ctx),
-+ SSL_CTX_get_default_passwd_cb_userdata(ctx));
-+ if (x == NULL) {
-+ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PEM_LIB);
-+ goto end;
-+ }
-+
-+ ret = SSL_CTX_use_certificate(ctx, x);
-+
-+ if (ERR_peek_error() != 0)
-+ ret = 0;
-+ /* Key/certificate mismatch doesn't imply ret==0 ... */
-+ if (ret) {
-+ /*
-+ * If we could set up our certificate, now proceed to
-+ * the CA certificates.
-+ */
-+ X509 *ca;
-+ STACK_OF(X509) *chain;
-+ int r;
-+ unsigned long err;
-+
-+ SSL_CTX_get_extra_chain_certs_only(ctx, &chain);
-+ if (chain != NULL) {
-+ sk_X509_pop_free(chain, X509_free);
-+ SSL_CTX_clear_extra_chain_certs(ctx);
-+ }
-+
-+ while ((ca = PEM_read_bio_X509(in, NULL,
-+ SSL_CTX_get_default_passwd_cb(ctx),
-+ SSL_CTX_get_default_passwd_cb_userdata(ctx))) != NULL) {
-+ r = SSL_CTX_add_extra_chain_cert(ctx, ca);
-+ if (!r) {
-+ X509_free(ca);
-+ ret = 0;
-+ goto end;
-+ }
-+ /*
-+ * Note that we must not free r if it was successfully
-+ * added to the chain (while we must free the main
-+ * certificate, since its reference count is increased
-+ * by SSL_CTX_use_certificate).
-+ */
-+ }
-+
-+ /* When the while loop ends, it's usually just EOF. */
-+ err = ERR_peek_last_error();
-+ if (ERR_GET_LIB(err) == ERR_LIB_PEM &&
-+ ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
-+ ERR_clear_error();
-+ else
-+ ret = 0; /* some real error */
-+ }
-+
-+end:
-+ if (x != NULL)
-+ X509_free(x);
-+ return (ret);
-+}
-+
-+#ifndef HAVE_SSL_CTX_USE_CERTIFICATE_CHAIN_MEM
-+int
-+SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, void *buf, int len)
-+{
-+ BIO *in;
-+ int ret = 0;
-+
-+ in = BIO_new_mem_buf(buf, len);
-+ if (in == NULL) {
-+ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
-+ goto end;
-+ }
-+
-+ ret = ssl_ctx_use_certificate_chain_bio(ctx, in);
-+
-+end:
-+ BIO_free(in);
-+ return (ret);
-+}
-+#endif
-diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
-index 7dde2fe1..4a296519 100644
---- a/openbsd-compat/openbsd-compat.h
-+++ b/openbsd-compat/openbsd-compat.h
-@@ -141,6 +141,10 @@ void arc4random_buf(void *, size_t);
- uint32_t arc4random_uniform(uint32_t);
- #endif
-
-+#if !defined(SSL_OP_NO_CLIENT_RENEGOTIATION)
-+#define SSL_OP_NO_CLIENT_RENEGOTIATION 0
-+#endif
-+
- #ifndef HAVE_ASPRINTF
- int asprintf(char **, const char *, ...);
- #endif
-@@ -229,6 +233,14 @@ int inet_net_pton(int, const char *, void *, size_t);
- #define pledge(promises, paths) 0
- #endif
-
-+#ifndef HAVE_MALLOC_CONCEAL
-+#define malloc_conceal malloc
-+#endif
-+
-+#ifndef HAVE_CALLOC_CONCEAL
-+#define calloc_conceal calloc
-+#endif
-+
- #ifndef HAVE_RES_HNOK
- int res_hnok(const char *);
- #endif
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/opensmtpd.git/commitdiff/b45fa1183b4a8f3c982a1e040cb3bdec5a5ad671
More information about the pld-cvs-commit
mailing list