Bug#859544: opensmtpd: Please migrate to openssl1.1 in buster

2018-01-19 Thread Ryan Kavanagh
Hi Sebastian,

On Fri, Jan 19, 2018 at 09:01:08PM +0100, Sebastian Andrzej Siewior wrote:
> Could you please test this? It seems to compile now.

Thanks for updating the patch. I rebased/updated it for the latest upstream
release (6.0.3p1) and it seems to compile / run. I've forwarded it upstream[0]
to take a look at, and will upload to Debian as soon as they take a look at it.

Best wishes,
Ryan

[0] https://github.com/OpenSMTPD/OpenSMTPD/pull/825

-- 
|)|/  Ryan Kavanagh  | GPG: 4E46 9519 ED67 7734 268F
|\|\  https://ryanak.ca/ |  BD95 8F7B F8FC 4A11 C97A


signature.asc
Description: PGP signature


Bug#859544: opensmtpd: Please migrate to openssl1.1 in buster

2018-01-19 Thread Sebastian Andrzej Siewior
On 2018-01-11 21:45:35 [+0100], To Ryan Kavanagh wrote:
> I will try give it a try once I have some time…

Could you please test this? It seems to compile now.
 
> > Best wishes,
> > Ryan

Sebastian
>From 0edb13aac685566cc0db2806e0e19dfab3421e52 Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior 
Date: Fri, 19 Jan 2018 20:22:08 +0100
Subject: [PATCH] opensmtpd: openssl 1.1 bits

Try to add OpenSSL 1.1 bits while it still should compile against 1.0.2.
Compile tested.

Signed-off-by: Sebastian Andrzej Siewior 
---
 openbsd-compat/libressl.c |  17 ++-
 smtpd/ca.c| 286 +++---
 smtpd/crypto.c|  64 ++-
 smtpd/libressl.c  |  17 ++-
 smtpd/ssl.c   |   2 +-
 smtpd/ssl.h   |  14 +++
 6 files changed, 310 insertions(+), 90 deletions(-)

diff --git a/openbsd-compat/libressl.c b/openbsd-compat/libressl.c
index f4f2b52e51bc..d06e006f6298 100644
--- a/openbsd-compat/libressl.c
+++ b/openbsd-compat/libressl.c
@@ -81,14 +81,14 @@ SSL_CTX_use_certificate_chain(SSL_CTX *ctx, char *buf, off_t len)
 	x = ca = NULL;
 
 	if ((in = BIO_new_mem_buf(buf, len)) == NULL) {
-		SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
+		SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
 		goto end;
 	}
 
 	if ((x = PEM_read_bio_X509(in, NULL,
-		ctx->default_passwd_callback,
-		ctx->default_passwd_callback_userdata)) == NULL) {
-		SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
+		SSL_CTX_get_default_passwd_cb(ctx),
+		SSL_CTX_get_default_passwd_cb_userdata(ctx))) == NULL) {
+		SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PEM_LIB);
 		goto end;
 	}
 
@@ -99,14 +99,11 @@ SSL_CTX_use_certificate_chain(SSL_CTX *ctx, char *buf, off_t len)
 	 * the CA certificates.
 	 */
 
-	if (ctx->extra_certs != NULL) {
-		sk_X509_pop_free(ctx->extra_certs, X509_free);
-		ctx->extra_certs = NULL;
-	}
+	SSL_CTX_clear_extra_chain_certs(ctx);
 
 	while ((ca = PEM_read_bio_X509(in, NULL,
-		ctx->default_passwd_callback,
-		ctx->default_passwd_callback_userdata)) != NULL) {
+		SSL_CTX_get_default_passwd_cb(ctx),
+		SSL_CTX_get_default_passwd_cb_userdata(ctx))) != NULL) {
 
 		if (!SSL_CTX_add_extra_chain_cert(ctx, ca))
 			goto end;
diff --git a/smtpd/ca.c b/smtpd/ca.c
index 717f18b2346a..b5ba70508fb2 100644
--- a/smtpd/ca.c
+++ b/smtpd/ca.c
@@ -190,6 +190,190 @@ ca_verify_cb(int ok, X509_STORE_CTX *ctx)
 	return ok;
 }
 
+#if (OPENSSL_VERSION_NUMBER < 0x1010L) || defined(LIBRESSL_VERSION_NUMBER)
+
+static int RSA_meth_get_flags(RSA_METHOD *meth)
+{
+	return meth->flags;
+}
+
+static int RSA_meth_set_flags(RSA_METHOD *meth, int flags)
+{
+	meth->flags = flags;
+	return 1;
+}
+
+static void *RSA_meth_get0_app_data(const RSA_METHOD *meth)
+{
+	return meth->app_data;
+}
+
+static int RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data)
+{
+	meth->app_data = app_data;
+	return 1;
+}
+
+static int (*RSA_meth_get_pub_enc(const RSA_METHOD *meth))
+(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
+{
+	return meth->rsa_pub_enc;
+}
+
+static int RSA_meth_set_pub_enc(RSA_METHOD *meth,
+	int (*pub_enc) (int flen, const unsigned char *from,
+			unsigned char *to, RSA *rsa,
+			int padding))
+{
+	meth->rsa_pub_enc = pub_enc;
+	return 1;
+}
+
+static int (*RSA_meth_get_pub_dec(const RSA_METHOD *meth))
+(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
+{
+	return meth->rsa_pub_dec;
+}
+
+static int (*RSA_meth_get_priv_enc(const RSA_METHOD *meth))
+(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
+{
+	return meth->rsa_priv_enc;
+}
+
+int RSA_meth_set_priv_enc(RSA_METHOD *meth,
+  int (*priv_enc) (int flen, const unsigned char *from,
+  unsigned char *to, RSA *rsa, int padding))
+{
+	meth->rsa_priv_enc = priv_enc;
+	return 1;
+}
+
+static int (*RSA_meth_get_priv_dec(const RSA_METHOD *meth))
+(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
+{
+	return meth->rsa_priv_dec;
+}
+
+static int RSA_meth_set_priv_dec(RSA_METHOD *meth,
+  int (*priv_dec) (int flen, const unsigned char *from,
+  unsigned char *to, RSA *rsa, int padding))
+{
+	meth->rsa_priv_dec = priv_dec;
+	return 1;
+}
+
+static int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth))
+  (BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
+{
+	return meth->rsa_mod_exp;
+}
+
+static int RSA_meth_set_mod_exp(RSA_METHOD *meth,
+  int (*mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx))
+{
+	meth->rsa_mod_exp = mod_exp;
+	return 1;
+}
+
+static int (*RSA_meth_get_bn_mod_exp(const RSA_METHOD *meth))
+(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+{
+	return meth->bn_mod_exp;
+}
+
+static int RSA_meth_set_bn_mod_exp(RSA_METHOD *meth, int (*bn_mod_exp)
+  (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const 

Bug#859544: opensmtpd: Please migrate to openssl1.1 in buster

2018-01-11 Thread Sebastian Andrzej Siewior
On 2018-01-04 11:11:42 [-0500], Ryan Kavanagh wrote:
> Control: tag -1 + help
> 
> Hi Sebastian,
Hi,

> Sorry for dropping the ball on this.
> 
> On Fri, Oct 13, 2017 at 10:07:54PM +0200, Sebastian Andrzej Siewior wrote:
> > Could you retry with the following patch?
> 
> I've applied the patch, and it successfully builds with libssl 1.0.2n, but 
> FTBFS
> with 1.1.0g (logs attached). Unfortunately, libssl is outside my realm of
> expertise and AFAICT upstream hasn't made any progress towards a port to 1.1.
> Any suggestions on how to fix the SSL-related build issue?

Interresting. So I double checked and indeed, it does not compile
against 1.1. I do have some memory of testing this so I am confused that
it does not work. Even more that I don't have the patch in my folder
where I keep/have the other patches around.
I will try give it a try once I have some time…

> Best wishes,
> Ryan

Sebastian



Bug#859544: opensmtpd: Please migrate to openssl1.1 in buster

2018-01-04 Thread Ryan Kavanagh
Control: tag -1 + help

Hi Sebastian,

Sorry for dropping the ball on this.

On Fri, Oct 13, 2017 at 10:07:54PM +0200, Sebastian Andrzej Siewior wrote:
> Could you retry with the following patch?

I've applied the patch, and it successfully builds with libssl 1.0.2n, but FTBFS
with 1.1.0g (logs attached). Unfortunately, libssl is outside my realm of
expertise and AFAICT upstream hasn't made any progress towards a port to 1.1.
Any suggestions on how to fix the SSL-related build issue?

Best wishes,
Ryan

-- 
|_)|_/  Ryan Kavanagh  | GPG: 4E46 9519 ED67 7734 268F
| \| \  https://ryanak.ca/ |  BD95 8F7B F8FC 4A11 C97A
sbuild (Debian sbuild) 0.73.0 (23 Dec 2016) on zeta.ryanak.ca

+==+
| opensmtpd 6.0.2p1-2 (amd64)  Wed, 03 Jan 2018 16:39:07 + |
+==+

Package: opensmtpd
Version: 6.0.2p1-2
Source Version: 6.0.2p1-2
Distribution: experimenal
Machine Architecture: amd64
Host Architecture: amd64
Build Architecture: amd64
Build Type: full

E: 60append-apt-sources: Checking for auxiliary apt sources in 
/etc/schroot/sources.list.d/sid-snap.sources.list
E: 60append-apt-sources: Checking for apt preferences in 
/etc/schroot/sources.list.d/sid-snap.preferences
E: 80append-apt-sources: Get:1 http://localhost:3142/debian sid InRelease [240 
kB]
E: 80append-apt-sources: Get:2 http://localhost:3142/debian sid/main 
Sources.diff/Index [27.9 kB]
E: 80append-apt-sources: Get:3 http://localhost:3142/debian sid/main amd64 
Packages.diff/Index [27.9 kB]
E: 80append-apt-sources: Get:4 http://localhost:3142/debian sid/main Sources 
2018-01-02-2020.59.pdiff [16.4 kB]
E: 80append-apt-sources: Get:5 http://localhost:3142/debian sid/main Sources 
2018-01-03-0225.05.pdiff [10.1 kB]
E: 80append-apt-sources: Get:6 http://localhost:3142/debian sid/main Sources 
2018-01-03-0826.10.pdiff [2218 B]
E: 80append-apt-sources: Get:7 http://localhost:3142/debian sid/main Sources 
2018-01-03-1421.25.pdiff [14.1 kB]
E: 80append-apt-sources: Get:8 http://localhost:3142/debian sid/main amd64 
Packages 2018-01-02-2020.59.pdiff [10.9 kB]
E: 80append-apt-sources: Get:9 http://localhost:3142/debian sid/main amd64 
Packages 2018-01-03-0225.05.pdiff [11.6 kB]
E: 80append-apt-sources: Get:10 http://localhost:3142/debian sid/main amd64 
Packages 2018-01-03-0826.10.pdiff [1432 B]
E: 80append-apt-sources: Get:11 http://localhost:3142/debian sid/main amd64 
Packages 2018-01-03-1421.25.pdiff [16.4 kB]
E: 80append-apt-sources: Get:7 http://localhost:3142/debian sid/main Sources 
2018-01-03-1421.25.pdiff [14.1 kB]
E: 80append-apt-sources: Get:11 http://localhost:3142/debian sid/main amd64 
Packages 2018-01-03-1421.25.pdiff [16.4 kB]
E: 80append-apt-sources: Get:12 http://localhost:3142/debian sid/main 
Translation-en [5931 kB]
E: 80append-apt-sources: Fetched 6310 kB in 5s (1153 kB/s)
I: NOTICE: Log filtering will replace 
'var/run/schroot/mount/sid-snap-d120cfe2-d0ea-4691-ba5b-c7ab00433bc9' with 
'<>'

+--+
| Update chroot|
+--+

Hit:1 http://localhost:3142/debian sid InRelease
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

+--+
| Fetch source files   |
+--+


Local sources
-

/tmp/opensmtpd_6.0.2p1-2.dsc exists in /tmp; copying to chroot
I: NOTICE: Log filtering will replace 
'build/opensmtpd-3pEn6P/opensmtpd-6.0.2p1' with '<>'
I: NOTICE: Log filtering will replace 'build/opensmtpd-3pEn6P' with 
'<>'

+--+
| Install build-essential  |
+--+


Setup apt archive
-

Merged Build-Depends: build-essential, fakeroot
Filtered Build-Depends: build-essential, fakeroot
dpkg-deb: building package 'sbuild-build-depends-core-dummy' in 
'/<>/resolver-EpZHeW/apt_archive/sbuild-build-depends-core-dummy.deb'.
dpkg-scanpackages: warning: Packages in archive but missing from override file:
dpkg-scanpackages: warning:   sbuild-build-depends-core-dummy
dpkg-scanpackages: info: Wrote 1 entries to output Packages file.
Ign:1 copy:/<>/resolver-EpZHeW/apt_archive ./ InRelease
Get:2 copy:/<>/resolver-EpZHeW/apt_archive ./ Release [957 B]
Ign:3 copy:/<>/resolver-EpZHeW/apt_archive ./ Release.gpg
Get:4 

Bug#859544: opensmtpd: Please migrate to openssl1.1 in buster

2017-10-14 Thread Ryan Kavanagh
Hi Sebastian,

On Fri, Oct 13, 2017 at 10:07:54PM +0200, Sebastian Andrzej Siewior wrote:
> Could you retry with the following patch?
> SSL_F_SSL_CTX_USE_CERTIFICATE_FILE and SSL_CTX_clear_extra_chain_certs
> was around in openssl since before they forked it. So with this patch
> it should work with their libressl, libssl 1.0.2 and 1.1.

Great, thanks! I'll try compiling with it, and if it works, I'll
forward it to upstream for review and apply it to the Debian package if
they approve of it.

Best wishes,
Ryan

-- 
|_)|_/  Ryan Kavanagh  | GPG: 4E46 9519 ED67 7734 268F
| \| \  https://ryanak.ca/ |  BD95 8F7B F8FC 4A11 C97A


signature.asc
Description: PGP signature


Bug#859544: opensmtpd: Please migrate to openssl1.1 in buster

2017-10-13 Thread Sebastian Andrzej Siewior
On 2017-10-13 11:21:03 [-0400], Ryan Kavanagh wrote:
> Hi Sebastian,
Hi Ryan,

> To clarify: I wrote a patch that I believe ports opensmtpd to OpenSSL
> 1.1, but with no backwards compatibility for 1.0. It has not been
> applied (nor reviewed) by upstream, because upstream needs to cope with
> multiple SSL libraries and they are waiting to see how other OpenBSD
> portable daemons deal with this. See this comment[0] for details on
> their situation.
 
Could you retry with the following patch?
SSL_F_SSL_CTX_USE_CERTIFICATE_FILE and SSL_CTX_clear_extra_chain_certs
was around in openssl since before they forked it. So with this patch it
should work with their libressl, libssl 1.0.2 and 1.1.

From: Ryan Kavanagh 
Date: Sun, 6 Nov 2016 11:40:32 -0500
Subject: [PATCH] OpenSSL 1.1 compat: update SSL ctx usages

[ bigeasy @ breakpoint
---
 openbsd-compat/libressl.c |   17 +++--
 smtpd/libressl.c  |   13 +
 smtpd/ssl.h   |   14 ++
 3 files changed, 26 insertions(+), 18 deletions(-)

--- a/openbsd-compat/libressl.c
+++ b/openbsd-compat/libressl.c
@@ -81,14 +81,14 @@ SSL_CTX_use_certificate_chain(SSL_CTX *c
x = ca = NULL;
 
if ((in = BIO_new_mem_buf(buf, len)) == NULL) {
-   SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
+   SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
goto end;
}
 
if ((x = PEM_read_bio_X509(in, NULL,
-   ctx->default_passwd_callback,
-   ctx->default_passwd_callback_userdata)) == NULL) {
-   SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
+   SSL_CTX_get_default_passwd_cb(ctx),
+   SSL_CTX_get_default_passwd_cb_userdata(ctx))) == NULL) {
+   SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PEM_LIB);
goto end;
}
 
@@ -99,14 +99,11 @@ SSL_CTX_use_certificate_chain(SSL_CTX *c
 * the CA certificates.
 */
 
-   if (ctx->extra_certs != NULL) {
-   sk_X509_pop_free(ctx->extra_certs, X509_free);
-   ctx->extra_certs = NULL;
-   }
+   SSL_CTX_clear_extra_chain_certs(ctx);
 
while ((ca = PEM_read_bio_X509(in, NULL,
-   ctx->default_passwd_callback,
-   ctx->default_passwd_callback_userdata)) != NULL) {
+   SSL_CTX_get_default_passwd_cb(ctx),
+   SSL_CTX_get_default_passwd_cb_userdata(ctx))) != NULL) {
 
if (!SSL_CTX_add_extra_chain_cert(ctx, ca))
goto end;
--- a/smtpd/libressl.c
+++ b/smtpd/libressl.c
@@ -94,8 +94,8 @@ ssl_ctx_use_certificate_chain_bio(SSL_CT
 
ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
 
-   x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback,
-   ctx->default_passwd_callback_userdata);
+   x = PEM_read_bio_X509_AUX(in, NULL, SSL_CTX_get_default_passwd_cb(ctx),
+   SSL_CTX_get_default_passwd_cb_userdata(ctx));
if (x == NULL) {
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
goto end;
@@ -115,14 +115,11 @@ ssl_ctx_use_certificate_chain_bio(SSL_CT
int r;
unsigned long err;
 
-   if (ctx->extra_certs != NULL) {
-   sk_X509_pop_free(ctx->extra_certs, X509_free);
-   ctx->extra_certs = NULL;
-   }
+   SSL_CTX_clear_extra_chain_certs(ctx);
 
while ((ca = PEM_read_bio_X509(in, NULL,
-   ctx->default_passwd_callback,
-   ctx->default_passwd_callback_userdata)) != NULL) {
+   SSL_CTX_get_default_passwd_cb(ctx),
+   SSL_CTX_get_default_passwd_cb_userdata(ctx))) != NULL) {
r = SSL_CTX_add_extra_chain_cert(ctx, ca);
if (!r) {
X509_free(ca);
--- a/smtpd/ssl.h
+++ b/smtpd/ssl.h
@@ -73,3 +73,17 @@ void SSL_CTX_set_ecdh_auto(SSL_CTX *, in
 void   SSL_CTX_set_dh_auto(SSL_CTX *, int);
 #endif
 int SSL_CTX_use_certificate_chain_mem(SSL_CTX *, void *, int);
+
+#if (OPENSSL_VERSION_NUMBER < 0x1010L) || defined(LIBRESSL_VERSION_NUMBER)
+
+static inline pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
+{
+   return ctx->default_passwd_callback;
+}
+
+static inline void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx)
+{
+   return ctx->default_passwd_callback_userdata;
+}
+
+#endif

> Best,
> Ryan
> 

Sebastian



Bug#859544: opensmtpd: Please migrate to openssl1.1 in buster

2017-10-13 Thread Ryan Kavanagh
Hi Sebastian,

On Fri, Oct 13, 2017 at 01:24:19PM +0200, Sebastian Andrzej Siewior
wrote:
> On 2017-10-12 18:33:40 [-0400], Ryan Kavanagh wrote: [trimmed]
> > I made initial efforts to port it to OpenSSL 1.1 and sent them
> > upstream, but things are complicated by opensmtpd needing to be able
> > to cope with multiple SSL libraries.
> 
> So you made a new version to cope with multiple ssl libs, good. Thanks
> for the update.

To clarify: I wrote a patch that I believe ports opensmtpd to OpenSSL
1.1, but with no backwards compatibility for 1.0. It has not been
applied (nor reviewed) by upstream, because upstream needs to cope with
multiple SSL libraries and they are waiting to see how other OpenBSD
portable daemons deal with this. See this comment[0] for details on
their situation.

Best,
Ryan

[0] https://github.com/OpenSMTPD/OpenSMTPD/issues/738#issuecomment-258774846

-- 
|_)|_/  Ryan Kavanagh  | GPG: 4E46 9519 ED67 7734 268F
| \| \  https://ryanak.ca/ |  BD95 8F7B F8FC 4A11 C97A


signature.asc
Description: PGP signature


Bug#859544: opensmtpd: Please migrate to openssl1.1 in buster

2017-10-13 Thread Sebastian Andrzej Siewior
On 2017-10-12 18:33:40 [-0400], Ryan Kavanagh wrote:
> Hi Sebastian,
Hi Ryan,

> This is being tracked upstream. I made initial efforts to port it to
> OpenSSL 1.1 and sent them upstream (see second comment in the upstream
> bug), but things are complicated by opensmtpd needing to be able to cope
> with multiple SSL libraries. I've followed up, let's see what happens.

So you made a new version to cope with multiple ssl libs, good. Thanks
for the update.

> Best wishes,
> Ryan

Sebastian



Bug#859544: opensmtpd: Please migrate to openssl1.1 in buster

2017-10-12 Thread Ryan Kavanagh
Hi Sebastian,

On Thu, Oct 12, 2017 at 11:44:58PM +0200, Sebastian Andrzej Siewior wrote:
> Please react before that happens.

This is being tracked upstream. I made initial efforts to port it to
OpenSSL 1.1 and sent them upstream (see second comment in the upstream
bug), but things are complicated by opensmtpd needing to be able to cope
with multiple SSL libraries. I've followed up, let's see what happens.

Best wishes,
Ryan

-- 
|_)|_/  Ryan Kavanagh  | GPG: 4E46 9519 ED67 7734 268F
| \| \  https://ryanak.ca/ |  BD95 8F7B F8FC 4A11 C97A


signature.asc
Description: PGP signature


Bug#859544: opensmtpd: Please migrate to openssl1.1 in buster

2017-10-12 Thread Sebastian Andrzej Siewior
Hi,

this is a remainder about the openssl transition [0]. We really want to
remove libssl1.0-dev from unstable for Buster. I will raise the severity
of this bug to serious in a month. Please react before that happens.

[0] https://bugs.debian.org/871056#55

Sebastian