Hello community, here is the log from the commit of package sendmail for openSUSE:Factory checked in at 2017-11-10 14:57:33 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sendmail (Old) and /work/SRC/openSUSE:Factory/.sendmail.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sendmail" Fri Nov 10 14:57:33 2017 rev:81 rq:540178 version:8.15.2 Changes: -------- --- /work/SRC/openSUSE:Factory/sendmail/sendmail.changes 2017-08-18 15:05:14.523072570 +0200 +++ /work/SRC/openSUSE:Factory/.sendmail.new/sendmail.changes 2017-11-10 14:57:47.547220821 +0100 @@ -1,0 +2,13 @@ +Thu Nov 9 10:21:44 UTC 2017 - wer...@suse.de + +- Apply former patches only if openssl 1.1.0+ are installed + +------------------------------------------------------------------- +Wed Nov 8 15:42:28 UTC 2017 - vci...@suse.com + +- support build with openssl 1.1 (bsc#1067222) + * add patches from Fedora: + sendmail-8.15.2-openssl-1.1.0-fix.patch + sendmail-8.15.2-openssl-1.1.0-ecdhe-fix.patch (rh#1473971) + +------------------------------------------------------------------- New: ---- sendmail-8.15.2-openssl-1.1.0-ecdhe-fix.patch sendmail-8.15.2-openssl-1.1.0-fix.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sendmail.spec ++++++ --- /var/tmp/diff_new_pack.zFeoqN/_old 2017-11-10 14:57:52.227051547 +0100 +++ /var/tmp/diff_new_pack.zFeoqN/_new 2017-11-10 14:57:52.231051403 +0100 @@ -103,6 +103,8 @@ Patch4: sendmail-8.14.8-m4header.patch # PATCH-FIX-DEBIAN: systemd socket activation support for libmilter Patch5: sendmail-fd-passing-libmilter.patch +Patch6: sendmail-8.15.2-openssl-1.1.0-fix.patch +Patch7: sendmail-8.15.2-openssl-1.1.0-ecdhe-fix.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %global _sysconfdir %{_sysconfdir} %global _mailcnfdir %{_sysconfdir}/mail @@ -197,6 +199,10 @@ %patch1 -p0 -b .select %patch4 -p0 -b .m4head %patch5 -p1 -b .fdmilt +if pkg-config --atleast-version=1.1.0 openssl; then +%patch6 -p1 -b .openssl11 +%patch7 -p1 -b .ecdhe +fi %patch0 -p0 -b .p0 tar --strip-components=1 -xf %{S:1} set -f ++++++ sendmail-8.15.2-openssl-1.1.0-ecdhe-fix.patch ++++++ diff --git a/sendmail/tls.c b/sendmail/tls.c index 16cb93f..9338380 100644 --- a/sendmail/tls.c +++ b/sendmail/tls.c @@ -1329,13 +1329,8 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar } #if _FFR_TLS_EC - ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); - if (ecdh != NULL) - { - SSL_CTX_set_options(*ctx, SSL_OP_SINGLE_ECDH_USE); - SSL_CTX_set_tmp_ecdh(*ctx, ecdh); - EC_KEY_free(ecdh); - } + SSL_CTX_set_options(*ctx, SSL_OP_SINGLE_ECDH_USE); + SSL_CTX_set_ecdh_auto(*ctx, 1); #endif /* _FFR_TLS_EC */ } ++++++ sendmail-8.15.2-openssl-1.1.0-fix.patch ++++++ --- sendmail-8.15.2.orig/sendmail/tls.c 2016-12-01 15:20:59.953546417 +0100 +++ sendmail-8.15.2.orig/sendmail/tls.c 2016-12-01 17:26:43.868521378 +0100 @@ -63,14 +63,28 @@ static unsigned char dh512_g[] = static DH * get_dh512() { - DH *dh = NULL; + DH *dh; + BIGNUM *p, *g; if ((dh = DH_new()) == NULL) return NULL; - dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL); - dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL); - if ((dh->p == NULL) || (dh->g == NULL)) + p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL); + g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL); + if (p == NULL || g == NULL) + { + BN_free(p); + BN_free(g); + DH_free(dh); return NULL; + } + +#if OPENSSL_VERSION_NUMBER >= 0x10100005L + DH_set0_pqg(dh, p, NULL, g); +#else + dh->p = p; + dh->g = g; +#endif + return dh; } @@ -117,16 +131,27 @@ get_dh2048() }; static unsigned char dh2048_g[]={ 0x02, }; DH *dh; + BIGNUM *p, *g; if ((dh=DH_new()) == NULL) return(NULL); - dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); - dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); - if ((dh->p == NULL) || (dh->g == NULL)) + p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL); + g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL); + if (p == NULL || g == NULL) { + BN_free(p); + BN_free(g); DH_free(dh); - return(NULL); + return NULL; } + +#if OPENSSL_VERSION_NUMBER >= 0x10100005L + DH_set0_pqg(dh, p, NULL, g); +#else + dh->p = p; + dh->g = g; +#endif + return(dh); } # endif /* !NO_DH */ @@ -715,6 +740,54 @@ static char server_session_id_context[] # define SM_SSL_OP_TLS_BLOCK_PADDING_BUG 0 #endif +static RSA * +generate_rsa_key(bits, e) + int bits; + unsigned long e; +{ +#if OPENSSL_VERSION_NUMBER < 0x00908000L + return RSA_generate_key(bits, e, NULL, NULL); +#else + BIGNUM *bne; + RSA *rsa = NULL; + + bne = BN_new(); + if (bne && BN_set_word(bne, e) != 1) + rsa = RSA_new(); + if (rsa && RSA_generate_key_ex(rsa, bits, bne, NULL) != 1) + { + RSA_free(rsa); + rsa = NULL; + } + BN_free(bne); + return rsa; +#endif +} + +static DSA * +generate_dsa_parameters(bits, seed, seed_len, counter_ret, h_ret) + int bits; + unsigned char *seed; + int seed_len; + int *counter_ret; + unsigned long *h_ret; +{ +#if OPENSSL_VERSION_NUMBER < 0x00908000L + return DSA_generate_parameters(bits, seed, seed_len, counter_ret, + h_ret, NULL, NULL); +#else + DSA *dsa = DSA_new(); + + if (dsa && DSA_generate_parameters_ex(dsa, bits, seed, seed_len, + counter_ret, h_ret, NULL) != 1) + { + DSA_free(dsa); + dsa = NULL; + } + return dsa; +#endif +} + bool inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhparam) SSL_CTX **ctx; @@ -926,7 +999,7 @@ inittls(ctx, req, options, srv, certfile { /* get a pointer to the current certificate validation store */ store = SSL_CTX_get_cert_store(*ctx); /* does not fail */ - crl_file = BIO_new(BIO_s_file_internal()); + crl_file = BIO_new(BIO_s_file()); if (crl_file != NULL) { if (BIO_read_filename(crl_file, CRLFile) >= 0) @@ -1003,8 +1076,7 @@ inittls(ctx, req, options, srv, certfile if (bitset(TLS_I_RSA_TMP, req) # if SM_CONF_SHM && ShmId != SM_SHM_NO_ID && - (rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL, - NULL)) == NULL + (rsa_tmp = generate_rsa_key(RSA_KEYLENGTH, RSA_F4)) == NULL # else /* SM_CONF_SHM */ && 0 /* no shared memory: no need to generate key now */ # endif /* SM_CONF_SHM */ @@ -1210,8 +1282,8 @@ inittls(ctx, req, options, srv, certfile sm_dprintf("inittls: Generating %d bit DH parameters\n", bits); /* this takes a while! */ - dsa = DSA_generate_parameters(bits, NULL, 0, NULL, - NULL, 0, NULL); + dsa = generate_dsa_parameters(bits, NULL, 0, NULL, + NULL); dh = DSA_dup_DH(dsa); DSA_free(dsa); } @@ -1747,7 +1819,7 @@ tmp_rsa_key(s, export, keylength) if (rsa_tmp != NULL) RSA_free(rsa_tmp); - rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL, NULL); + rsa_tmp = generate_rsa_key(RSA_KEYLENGTH, RSA_F4); if (rsa_tmp == NULL) { if (LogLevel > 0) @@ -1974,11 +2046,20 @@ x509_verify_cb(ok, ctx) { if (LogLevel > 13) tls_verify_log(ok, ctx, "x509"); +#if OPENSSL_VERSION_NUMBER >= 0x10100005L + if (X509_STORE_CTX_get_error(ctx) == + X509_V_ERR_UNABLE_TO_GET_CRL) + { + X509_STORE_CTX_set_error(ctx, 0); + return 1; /* override it */ + } +#else if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL) { ctx->error = 0; return 1; /* override it */ } +#endif } return ok; }