commit: d4637e8d3a6d78bfb956570ddf9b03236f3620c0
Author: Fabian Groffen <grobian <AT> gentoo <DOT> org>
AuthorDate: Tue Jan 3 10:22:20 2023 +0000
Commit: Fabian Groffen <grobian <AT> gentoo <DOT> org>
CommitDate: Tue Jan 3 10:22:20 2023 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d4637e8d
mail-mta/exim-4.94.2-r12: update openssl-3 patches
Signed-off-by: Fabian Groffen <grobian <AT> gentoo.org>
...im-4.94.2-r11.ebuild => exim-4.94.2-r12.ebuild} | 2 +-
mail-mta/exim/files/exim-4.94.2-openssl3.patch | 306 ++++++++++++++++++++-
2 files changed, 303 insertions(+), 5 deletions(-)
diff --git a/mail-mta/exim/exim-4.94.2-r11.ebuild
b/mail-mta/exim/exim-4.94.2-r12.ebuild
similarity index 99%
rename from mail-mta/exim/exim-4.94.2-r11.ebuild
rename to mail-mta/exim/exim-4.94.2-r12.ebuild
index 352ae0cdcd7e..a347cf1581f6 100644
--- a/mail-mta/exim/exim-4.94.2-r11.ebuild
+++ b/mail-mta/exim/exim-4.94.2-r12.ebuild
@@ -122,7 +122,7 @@ src_prepare() {
eapply "${FILESDIR}"/exim-4.94-localscan_dlopen.patch
eapply "${FILESDIR}"/exim-4.94.2-fix-crash-resolve.patch # 799368
upstr
eapply "${FILESDIR}"/exim-4.94-CVE-2022-3559.patch # 877607 upstr
- eapply "${FILESDIR}"/exim-4.94.2-openssl3.patch # 888619 backport
+ eapply "${FILESDIR}"/exim-4.94.2-openssl3.patch # 888619 backports
# for this reason we have a := dep on opendmarc, they changed their
# API in a minor release
diff --git a/mail-mta/exim/files/exim-4.94.2-openssl3.patch
b/mail-mta/exim/files/exim-4.94.2-openssl3.patch
index d1102aac8bfa..f9758515bef1 100644
--- a/mail-mta/exim/files/exim-4.94.2-openssl3.patch
+++ b/mail-mta/exim/files/exim-4.94.2-openssl3.patch
@@ -1,13 +1,34 @@
-Based on original commit, but applied to 4.94.2 tarball.
+Original commits from upstream applied to 4.94.2 release tarball
+
+From a5d79c99f4948d9fd288a1bfaca3a44cf2caaa32 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146...@wizmail.org>
+Date: Wed, 1 Dec 2021 17:36:18 +0000
+Subject: [PATCH] OpenSSL: use nondeprecated D-H functions under 3.0.0.
+
+From c6a290f4d8df3734b3cdc2232b4334ff8386c1da Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146...@wizmail.org>
+Date: Wed, 1 Dec 2021 18:52:21 +0000
+Subject: [PATCH] OpenSSL: tidy DH and ECDH param setup Testsuite: expand DH
+ testcase
From ff7829398d74e67f1c1f40339a772fd76708e5ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?= <jskar...@redhat.com>
Date: Sat, 27 Nov 2021 21:07:15 +0000
Subject: [PATCH] Fix build for OpenSSL 3.0.0 . Bug 2810
----
- src/src/tls-openssl.c | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
+From ca4014de81e6aa367aa0a54c49b4c3d4b137814c Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146...@wizmail.org>
+Date: Sun, 1 Jan 2023 12:18:38 +0000
+Subject: [PATCH] OpenSSL: fix tls_eccurve setting explicit curve/group. Bug
+ 2954
+
+From 7fa5764c203f2f4a900898a79ed02d674075313f Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146...@wizmail.org>
+Date: Mon, 2 Jan 2023 15:04:14 +0000
+Subject: [PATCH] OpenSSL: Fix tls_eccurve on earlier versions than 3.0.0. Bug
+ 2954
+
+Broken-by: ca4014de81e6
--- a/src/tls-openssl.c
+++ b/src/tls-openssl.c
@@ -32,3 +53,280 @@ Subject: [PATCH] Fix build for OpenSSL 3.0.0 . Bug 2810
#endif
#ifdef SSL_OP_NO_TLSv1_2
{ US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
+@@ -1017,23 +1021,27 @@
+ *************************************************/
+
+ /* If dhparam is set, expand it, and load up the parameters for DH encryption.
++Server only.
+
+ Arguments:
+ sctx The current SSL CTX (inbound or outbound)
+ dhparam DH parameter file or fixed parameter identity string
+- host connected host, if client; NULL if server
+ errstr error string pointer
+
+ Returns: TRUE if OK (nothing to set up, or setup worked)
+ */
+
+ static BOOL
+-init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar **
errstr)
++init_dh(SSL_CTX * sctx, uschar * dhparam, uschar ** errstr)
+ {
+-BIO *bio;
+-DH *dh;
+-uschar *dhexpanded;
+-const char *pem;
++BIO * bio;
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
++DH * dh;
++#else
++EVP_PKEY * pkey;
++#endif
++uschar * dhexpanded;
++const char * pem;
+ int dh_bitsize;
+
+ if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
+@@ -1046,7 +1054,7 @@
+ if (!(bio = BIO_new_file(CS dhexpanded, "r")))
+ {
+ tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
+- host, US strerror(errno), errstr);
++ NULL, US strerror(errno), errstr);
+ return FALSE;
+ }
+ }
+@@ -1061,17 +1069,23 @@
+ if (!(pem = std_dh_prime_named(dhexpanded)))
+ {
+ tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
+- host, US strerror(errno), errstr);
++ NULL, US strerror(errno), errstr);
+ return FALSE;
+ }
+ bio = BIO_new_mem_buf(CS pem, -1);
+ }
+
+-if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
++if (!(
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
++ dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)
++#else
++ pkey = PEM_read_bio_Parameters_ex(bio, NULL, NULL, NULL)
++#endif
++ ) )
+ {
+ BIO_free(bio);
+ tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
+- host, NULL, errstr);
++ NULL, NULL, errstr);
+ return FALSE;
+ }
+
+@@ -1081,33 +1095,54 @@
+ * If someone wants to dance at the edge, then they can raise the limit or use
+ * current libraries. */
+-#ifdef EXIM_HAVE_OPENSSL_DH_BITS
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
++# ifdef EXIM_HAVE_OPENSSL_DH_BITS
+ /* Added in commit 26c79d5641d; `git describe --contains` says
OpenSSL_1_1_0-pre1~1022
+ * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
+ dh_bitsize = DH_bits(dh);
+-#else
++# else
+ dh_bitsize = 8 * DH_size(dh);
++# endif
++#else /* 3.0.0 + */
++dh_bitsize = EVP_PKEY_get_bits(pkey);
+ #endif
+
+-/* Even if it is larger, we silently return success rather than cause things
+- * to fail out, so that a too-large DH will not knock out all TLS; it's a
+- * debatable choice. */
+-if (dh_bitsize > tls_dh_max_bits)
++/* Even if it is larger, we silently return success rather than cause things
to
++fail out, so that a too-large DH will not knock out all TLS; it's a debatable
++choice. Likewise for a failing attempt to set one. */
++
++if (dh_bitsize <= tls_dh_max_bits)
+ {
+- DEBUG(D_tls)
+- debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
+- dh_bitsize, tls_dh_max_bits);
++ if (
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
++ SSL_CTX_set_tmp_dh(sctx, dh)
++#else
++ SSL_CTX_set0_tmp_dh_pkey(sctx, pkey)
++#endif
++ == 0)
++ {
++ ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
++ log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (D-H param setting '%s'): %s",
++ dhexpanded ? dhexpanded : US"default", ssl_errstring);
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ /* EVP_PKEY_free(pkey); crashes */
++#endif
++ }
++ else
++ DEBUG(D_tls)
++ debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
++ dhexpanded ? dhexpanded : US"default", dh_bitsize);
+ }
+ else
+- {
+- SSL_CTX_set_tmp_dh(sctx, dh);
+ DEBUG(D_tls)
+- debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
+- dhexpanded ? dhexpanded : US"default", dh_bitsize);
+- }
++ debug_printf("dhparams '%s' %d bits, is > tls_dh_max_bits limit of %d\n",
++ dhexpanded ? dhexpanded : US"default", dh_bitsize, tls_dh_max_bits);
+
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ DH_free(dh);
+-BIO_free(bio);
++#endif
++/* The EVP_PKEY ownership stays with the ctx; do not free it */
+
++BIO_free(bio);
+ return TRUE;
+ }
+
+@@ -1118,7 +1154,7 @@
+ * Initialize for ECDH *
+ *************************************************/
+
+-/* Load parameters for ECDH encryption.
++/* Load parameters for ECDH encryption. Server only.
+
+ For now, we stick to NIST P-256 because: it's simple and easy to configure;
+ it avoids any patent issues that might bite redistributors; despite events in
+@@ -1136,37 +1172,40 @@
+
+ Arguments:
+ sctx The current SSL CTX (inbound or outbound)
+- host connected host, if client; NULL if server
+ errstr error string pointer
+
+ Returns: TRUE if OK (nothing to set up, or setup worked)
+ */
+
+ static BOOL
+-init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
++init_ecdh(SSL_CTX * sctx, uschar ** errstr)
+ {
+ #ifdef OPENSSL_NO_ECDH
+ return TRUE;
+ #else
+
+-EC_KEY * ecdh;
+ uschar * exp_curve;
+-int nid;
+-BOOL rv;
+-
+-if (host) /* No ECDH setup for clients, only for servers */
+- return TRUE;
++int nid, rc;
+
+ # ifndef EXIM_HAVE_ECDH
+ DEBUG(D_tls)
+- debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
++ debug_printf(" No OpenSSL API to define ECDH parameters, skipping\n");
+ return TRUE;
+ # else
+
+ if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
+ return FALSE;
++
++/* Is the option deliberately empty? */
++
+ if (!exp_curve || !*exp_curve)
++ {
++#if OPENSSL_VERSION_NUMBER >= 0x10002000L
++ DEBUG(D_tls) debug_printf( " ECDH OpenSSL 1.0.2+: clearing curves list\n");
++ (void) SSL_CTX_set1_curves(sctx, &nid, 0);
++#endif
+ return TRUE;
++ }
+
+ /* "auto" needs to be handled carefully.
+ * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
+@@ -1202,27 +1241,41 @@
+ # endif
+ )
+ {
+- tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
+- host, NULL, errstr);
++ uschar * s = string_sprintf("Unknown curve name tls_eccurve '%s'",
exp_curve);
++ DEBUG(D_tls) debug_printf("TLS error '%s'\n", s);
++ if (errstr) *errstr = s;
+ return FALSE;
+ }
+
+-if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
+- {
+- tls_error(US"Unable to create ec curve", host, NULL, errstr);
+- return FALSE;
+- }
++# if OPENSSL_VERSION_NUMBER < 0x30000000L
++ {
++ EC_KEY * ecdh;
++ if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
++ {
++ tls_error(US"Unable to create ec curve", NULL, NULL, errstr);
++ return FALSE;
++ }
+
+-/* The "tmp" in the name here refers to setting a temporary key
+-not to the stability of the interface. */
++ /* The "tmp" in the name here refers to setting a temporary key
++ not to the stability of the interface. */
+
+-if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
+- tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host,
NULL, errstr);
++ if ((rc = SSL_CTX_set_tmp_ecdh(sctx, ecdh)) == 0)
++ tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), NULL,
NULL, errstr);
++ else
++ DEBUG(D_tls) debug_printf(" ECDH: enabled '%s' curve\n", exp_curve);
++ EC_KEY_free(ecdh);
++ }
++
++#else /* v 3.0.0 + */
++
++if ((rc = SSL_CTX_set1_groups(sctx, &nid, 1)) == 0)
++ tls_error(string_sprintf("Error enabling '%s' group", exp_curve), NULL,
NULL, errstr);
+ else
+- DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
++ DEBUG(D_tls) debug_printf(" ECDH: enabled '%s' group\n", exp_curve);
++
++#endif
+
+-EC_KEY_free(ecdh);
+-return !rv;
++return !!rc;
+
+ # endif /*EXIM_HAVE_ECDH*/
+ #endif /*OPENSSL_NO_ECDH*/
+@@ -1727,8 +1780,8 @@
+ SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
+ SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
+
+-if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
+- || !init_ecdh(server_sni, NULL, &dummy_errstr)
++if ( !init_dh(server_sni, cbinfo->dhparam, &dummy_errstr)
++ || !init_ecdh(server_sni, &dummy_errstr)
+ )
+ goto bad;
+
+@@ -2213,8 +2266,8 @@
+ /* Initialize with DH parameters if supplied */
+ /* Initialize ECDH temp key parameter selection */
+
+-if ( !init_dh(ctx, dhparam, host, errstr)
+- || !init_ecdh(ctx, host, errstr)
++if ( !init_dh(ctx, dhparam, errstr)
++ || !init_ecdh(ctx, errstr)
+ )
+ return DEFER;
+
