Bug#859544: opensmtpd: Please migrate to openssl1.1 in buster
Hi Sebastian, On Fri, Jan 19, 2018 at 09:01:08PM +0100, Sebastian Andrzej Siewior wrote: > Could you please test this? It seems to compile now. Thanks for updating the patch. I rebased/updated it for the latest upstream release (6.0.3p1) and it seems to compile / run. I've forwarded it upstream[0] to take a look at, and will upload to Debian as soon as they take a look at it. Best wishes, Ryan [0] https://github.com/OpenSMTPD/OpenSMTPD/pull/825 -- |)|/ Ryan Kavanagh | GPG: 4E46 9519 ED67 7734 268F |\|\ https://ryanak.ca/ | BD95 8F7B F8FC 4A11 C97A signature.asc Description: PGP signature
Bug#859544: opensmtpd: Please migrate to openssl1.1 in buster
On 2018-01-11 21:45:35 [+0100], To Ryan Kavanagh wrote:
> I will try give it a try once I have some time…
Could you please test this? It seems to compile now.
> > Best wishes,
> > Ryan
Sebastian
>From 0edb13aac685566cc0db2806e0e19dfab3421e52 Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior
Date: Fri, 19 Jan 2018 20:22:08 +0100
Subject: [PATCH] opensmtpd: openssl 1.1 bits
Try to add OpenSSL 1.1 bits while it still should compile against 1.0.2.
Compile tested.
Signed-off-by: Sebastian Andrzej Siewior
---
openbsd-compat/libressl.c | 17 ++-
smtpd/ca.c| 286 +++---
smtpd/crypto.c| 64 ++-
smtpd/libressl.c | 17 ++-
smtpd/ssl.c | 2 +-
smtpd/ssl.h | 14 +++
6 files changed, 310 insertions(+), 90 deletions(-)
diff --git a/openbsd-compat/libressl.c b/openbsd-compat/libressl.c
index f4f2b52e51bc..d06e006f6298 100644
--- a/openbsd-compat/libressl.c
+++ b/openbsd-compat/libressl.c
@@ -81,14 +81,14 @@ SSL_CTX_use_certificate_chain(SSL_CTX *ctx, char *buf, off_t len)
x = ca = NULL;
if ((in = BIO_new_mem_buf(buf, len)) == NULL) {
- SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
+ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
goto end;
}
if ((x = PEM_read_bio_X509(in, NULL,
- ctx->default_passwd_callback,
- ctx->default_passwd_callback_userdata)) == NULL) {
- SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
+ SSL_CTX_get_default_passwd_cb(ctx),
+ SSL_CTX_get_default_passwd_cb_userdata(ctx))) == NULL) {
+ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PEM_LIB);
goto end;
}
@@ -99,14 +99,11 @@ SSL_CTX_use_certificate_chain(SSL_CTX *ctx, char *buf, off_t len)
* the CA certificates.
*/
- if (ctx->extra_certs != NULL) {
- sk_X509_pop_free(ctx->extra_certs, X509_free);
- ctx->extra_certs = NULL;
- }
+ SSL_CTX_clear_extra_chain_certs(ctx);
while ((ca = PEM_read_bio_X509(in, NULL,
- ctx->default_passwd_callback,
- ctx->default_passwd_callback_userdata)) != NULL) {
+ SSL_CTX_get_default_passwd_cb(ctx),
+ SSL_CTX_get_default_passwd_cb_userdata(ctx))) != NULL) {
if (!SSL_CTX_add_extra_chain_cert(ctx, ca))
goto end;
diff --git a/smtpd/ca.c b/smtpd/ca.c
index 717f18b2346a..b5ba70508fb2 100644
--- a/smtpd/ca.c
+++ b/smtpd/ca.c
@@ -190,6 +190,190 @@ ca_verify_cb(int ok, X509_STORE_CTX *ctx)
return ok;
}
+#if (OPENSSL_VERSION_NUMBER < 0x1010L) || defined(LIBRESSL_VERSION_NUMBER)
+
+static int RSA_meth_get_flags(RSA_METHOD *meth)
+{
+ return meth->flags;
+}
+
+static int RSA_meth_set_flags(RSA_METHOD *meth, int flags)
+{
+ meth->flags = flags;
+ return 1;
+}
+
+static void *RSA_meth_get0_app_data(const RSA_METHOD *meth)
+{
+ return meth->app_data;
+}
+
+static int RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data)
+{
+ meth->app_data = app_data;
+ return 1;
+}
+
+static int (*RSA_meth_get_pub_enc(const RSA_METHOD *meth))
+(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
+{
+ return meth->rsa_pub_enc;
+}
+
+static int RSA_meth_set_pub_enc(RSA_METHOD *meth,
+ int (*pub_enc) (int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa,
+ int padding))
+{
+ meth->rsa_pub_enc = pub_enc;
+ return 1;
+}
+
+static int (*RSA_meth_get_pub_dec(const RSA_METHOD *meth))
+(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
+{
+ return meth->rsa_pub_dec;
+}
+
+static int (*RSA_meth_get_priv_enc(const RSA_METHOD *meth))
+(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
+{
+ return meth->rsa_priv_enc;
+}
+
+int RSA_meth_set_priv_enc(RSA_METHOD *meth,
+ int (*priv_enc) (int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa, int padding))
+{
+ meth->rsa_priv_enc = priv_enc;
+ return 1;
+}
+
+static int (*RSA_meth_get_priv_dec(const RSA_METHOD *meth))
+(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
+{
+ return meth->rsa_priv_dec;
+}
+
+static int RSA_meth_set_priv_dec(RSA_METHOD *meth,
+ int (*priv_dec) (int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa, int padding))
+{
+ meth->rsa_priv_dec = priv_dec;
+ return 1;
+}
+
+static int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth))
+ (BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
+{
+ return meth->rsa_mod_exp;
+}
+
+static int RSA_meth_set_mod_exp(RSA_METHOD *meth,
+ int (*mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx))
+{
+ meth->rsa_mod_exp = mod_exp;
+ return 1;
+}
+
+static int (*RSA_meth_get_bn_mod_exp(const RSA_METHOD *meth))
+(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+{
+ return meth->bn_mod_exp;
+}
+
+static int RSA_meth_set_bn_mod_exp(RSA_METHOD *meth, int (*bn_mod_exp)
+ (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
+ BN_CTX *ctx, BN_MONT_CTX *m_ctx))
+{
Bug#859544: opensmtpd: Please migrate to openssl1.1 in buster
On 2018-01-04 11:11:42 [-0500], Ryan Kavanagh wrote: > Control: tag -1 + help > > Hi Sebastian, Hi, > Sorry for dropping the ball on this. > > On Fri, Oct 13, 2017 at 10:07:54PM +0200, Sebastian Andrzej Siewior wrote: > > Could you retry with the following patch? > > I've applied the patch, and it successfully builds with libssl 1.0.2n, but > FTBFS > with 1.1.0g (logs attached). Unfortunately, libssl is outside my realm of > expertise and AFAICT upstream hasn't made any progress towards a port to 1.1. > Any suggestions on how to fix the SSL-related build issue? Interresting. So I double checked and indeed, it does not compile against 1.1. I do have some memory of testing this so I am confused that it does not work. Even more that I don't have the patch in my folder where I keep/have the other patches around. I will try give it a try once I have some time… > Best wishes, > Ryan Sebastian
Bug#859544: opensmtpd: Please migrate to openssl1.1 in buster
Control: tag -1 + help Hi Sebastian, Sorry for dropping the ball on this. On Fri, Oct 13, 2017 at 10:07:54PM +0200, Sebastian Andrzej Siewior wrote: > Could you retry with the following patch? I've applied the patch, and it successfully builds with libssl 1.0.2n, but FTBFS with 1.1.0g (logs attached). Unfortunately, libssl is outside my realm of expertise and AFAICT upstream hasn't made any progress towards a port to 1.1. Any suggestions on how to fix the SSL-related build issue? Best wishes, Ryan -- |_)|_/ Ryan Kavanagh | GPG: 4E46 9519 ED67 7734 268F | \| \ https://ryanak.ca/ | BD95 8F7B F8FC 4A11 C97A sbuild (Debian sbuild) 0.73.0 (23 Dec 2016) on zeta.ryanak.ca +==+ | opensmtpd 6.0.2p1-2 (amd64) Wed, 03 Jan 2018 16:39:07 + | +==+ Package: opensmtpd Version: 6.0.2p1-2 Source Version: 6.0.2p1-2 Distribution: experimenal Machine Architecture: amd64 Host Architecture: amd64 Build Architecture: amd64 Build Type: full E: 60append-apt-sources: Checking for auxiliary apt sources in /etc/schroot/sources.list.d/sid-snap.sources.list E: 60append-apt-sources: Checking for apt preferences in /etc/schroot/sources.list.d/sid-snap.preferences E: 80append-apt-sources: Get:1 http://localhost:3142/debian sid InRelease [240 kB] E: 80append-apt-sources: Get:2 http://localhost:3142/debian sid/main Sources.diff/Index [27.9 kB] E: 80append-apt-sources: Get:3 http://localhost:3142/debian sid/main amd64 Packages.diff/Index [27.9 kB] E: 80append-apt-sources: Get:4 http://localhost:3142/debian sid/main Sources 2018-01-02-2020.59.pdiff [16.4 kB] E: 80append-apt-sources: Get:5 http://localhost:3142/debian sid/main Sources 2018-01-03-0225.05.pdiff [10.1 kB] E: 80append-apt-sources: Get:6 http://localhost:3142/debian sid/main Sources 2018-01-03-0826.10.pdiff [2218 B] E: 80append-apt-sources: Get:7 http://localhost:3142/debian sid/main Sources 2018-01-03-1421.25.pdiff [14.1 kB] E: 80append-apt-sources: Get:8 http://localhost:3142/debian sid/main amd64 Packages 2018-01-02-2020.59.pdiff [10.9 kB] E: 80append-apt-sources: Get:9 http://localhost:3142/debian sid/main amd64 Packages 2018-01-03-0225.05.pdiff [11.6 kB] E: 80append-apt-sources: Get:10 http://localhost:3142/debian sid/main amd64 Packages 2018-01-03-0826.10.pdiff [1432 B] E: 80append-apt-sources: Get:11 http://localhost:3142/debian sid/main amd64 Packages 2018-01-03-1421.25.pdiff [16.4 kB] E: 80append-apt-sources: Get:7 http://localhost:3142/debian sid/main Sources 2018-01-03-1421.25.pdiff [14.1 kB] E: 80append-apt-sources: Get:11 http://localhost:3142/debian sid/main amd64 Packages 2018-01-03-1421.25.pdiff [16.4 kB] E: 80append-apt-sources: Get:12 http://localhost:3142/debian sid/main Translation-en [5931 kB] E: 80append-apt-sources: Fetched 6310 kB in 5s (1153 kB/s) I: NOTICE: Log filtering will replace 'var/run/schroot/mount/sid-snap-d120cfe2-d0ea-4691-ba5b-c7ab00433bc9' with '<>' +--+ | Update chroot| +--+ Hit:1 http://localhost:3142/debian sid InRelease Reading package lists... Reading package lists... Building dependency tree... Reading state information... Calculating upgrade... 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. +--+ | Fetch source files | +--+ Local sources - /tmp/opensmtpd_6.0.2p1-2.dsc exists in /tmp; copying to chroot I: NOTICE: Log filtering will replace 'build/opensmtpd-3pEn6P/opensmtpd-6.0.2p1' with '<>' I: NOTICE: Log filtering will replace 'build/opensmtpd-3pEn6P' with '<>' +--+ | Install build-essential | +--+ Setup apt archive - Merged Build-Depends: build-essential, fakeroot Filtered Build-Depends: build-essential, fakeroot dpkg-deb: building package 'sbuild-build-depends-core-dummy' in '/<>/resolver-EpZHeW/apt_archive/sbuild-build-depends-core-dummy.deb'. dpkg-scanpackages: warning: Packages in archive but missing from override file: dpkg-scanpackages: warning: sbuild-build-depends-core-dummy dpkg-scanpackages: info: Wrote 1 entries to output Packages file. Ign:1 copy:/<>/resolver-EpZHeW/apt_archive ./ InRelease Get:2 copy:/<>/resolver-EpZHeW/apt_archive ./ Release [957 B] Ign:3 copy:/<>/resolver-EpZHeW/apt_archive ./ Release.gpg Get:4 copy:/<>/resolver-EpZHeW/
Bug#859544: opensmtpd: Please migrate to openssl1.1 in buster
Hi Sebastian, On Fri, Oct 13, 2017 at 10:07:54PM +0200, Sebastian Andrzej Siewior wrote: > Could you retry with the following patch? > SSL_F_SSL_CTX_USE_CERTIFICATE_FILE and SSL_CTX_clear_extra_chain_certs > was around in openssl since before they forked it. So with this patch > it should work with their libressl, libssl 1.0.2 and 1.1. Great, thanks! I'll try compiling with it, and if it works, I'll forward it to upstream for review and apply it to the Debian package if they approve of it. Best wishes, Ryan -- |_)|_/ Ryan Kavanagh | GPG: 4E46 9519 ED67 7734 268F | \| \ https://ryanak.ca/ | BD95 8F7B F8FC 4A11 C97A signature.asc Description: PGP signature
Bug#859544: opensmtpd: Please migrate to openssl1.1 in buster
On 2017-10-13 11:21:03 [-0400], Ryan Kavanagh wrote:
> Hi Sebastian,
Hi Ryan,
> To clarify: I wrote a patch that I believe ports opensmtpd to OpenSSL
> 1.1, but with no backwards compatibility for 1.0. It has not been
> applied (nor reviewed) by upstream, because upstream needs to cope with
> multiple SSL libraries and they are waiting to see how other OpenBSD
> portable daemons deal with this. See this comment[0] for details on
> their situation.
Could you retry with the following patch?
SSL_F_SSL_CTX_USE_CERTIFICATE_FILE and SSL_CTX_clear_extra_chain_certs
was around in openssl since before they forked it. So with this patch it
should work with their libressl, libssl 1.0.2 and 1.1.
From: Ryan Kavanagh
Date: Sun, 6 Nov 2016 11:40:32 -0500
Subject: [PATCH] OpenSSL 1.1 compat: update SSL ctx usages
[ bigeasy @ breakpoint
---
openbsd-compat/libressl.c | 17 +++--
smtpd/libressl.c | 13 +
smtpd/ssl.h | 14 ++
3 files changed, 26 insertions(+), 18 deletions(-)
--- a/openbsd-compat/libressl.c
+++ b/openbsd-compat/libressl.c
@@ -81,14 +81,14 @@ SSL_CTX_use_certificate_chain(SSL_CTX *c
x = ca = NULL;
if ((in = BIO_new_mem_buf(buf, len)) == NULL) {
- SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
+ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
goto end;
}
if ((x = PEM_read_bio_X509(in, NULL,
- ctx->default_passwd_callback,
- ctx->default_passwd_callback_userdata)) == NULL) {
- SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
+ SSL_CTX_get_default_passwd_cb(ctx),
+ SSL_CTX_get_default_passwd_cb_userdata(ctx))) == NULL) {
+ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PEM_LIB);
goto end;
}
@@ -99,14 +99,11 @@ SSL_CTX_use_certificate_chain(SSL_CTX *c
* the CA certificates.
*/
- if (ctx->extra_certs != NULL) {
- sk_X509_pop_free(ctx->extra_certs, X509_free);
- ctx->extra_certs = NULL;
- }
+ SSL_CTX_clear_extra_chain_certs(ctx);
while ((ca = PEM_read_bio_X509(in, NULL,
- ctx->default_passwd_callback,
- ctx->default_passwd_callback_userdata)) != NULL) {
+ SSL_CTX_get_default_passwd_cb(ctx),
+ SSL_CTX_get_default_passwd_cb_userdata(ctx))) != NULL) {
if (!SSL_CTX_add_extra_chain_cert(ctx, ca))
goto end;
--- a/smtpd/libressl.c
+++ b/smtpd/libressl.c
@@ -94,8 +94,8 @@ ssl_ctx_use_certificate_chain_bio(SSL_CT
ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
- x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback,
- ctx->default_passwd_callback_userdata);
+ x = PEM_read_bio_X509_AUX(in, NULL, SSL_CTX_get_default_passwd_cb(ctx),
+ SSL_CTX_get_default_passwd_cb_userdata(ctx));
if (x == NULL) {
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
goto end;
@@ -115,14 +115,11 @@ ssl_ctx_use_certificate_chain_bio(SSL_CT
int r;
unsigned long err;
- if (ctx->extra_certs != NULL) {
- sk_X509_pop_free(ctx->extra_certs, X509_free);
- ctx->extra_certs = NULL;
- }
+ SSL_CTX_clear_extra_chain_certs(ctx);
while ((ca = PEM_read_bio_X509(in, NULL,
- ctx->default_passwd_callback,
- ctx->default_passwd_callback_userdata)) != NULL) {
+ SSL_CTX_get_default_passwd_cb(ctx),
+ SSL_CTX_get_default_passwd_cb_userdata(ctx))) != NULL) {
r = SSL_CTX_add_extra_chain_cert(ctx, ca);
if (!r) {
X509_free(ca);
--- a/smtpd/ssl.h
+++ b/smtpd/ssl.h
@@ -73,3 +73,17 @@ void SSL_CTX_set_ecdh_auto(SSL_CTX *, in
void SSL_CTX_set_dh_auto(SSL_CTX *, int);
#endif
int SSL_CTX_use_certificate_chain_mem(SSL_CTX *, void *, int);
+
+#if (OPENSSL_VERSION_NUMBER < 0x1010L) || defined(LIBRESSL_VERSION_NUMBER)
+
+static inline pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
+{
+ return ctx->default_passwd_callback;
+}
+
+static inline void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx)
+{
+ return ctx->default_passwd_callback_userdata;
+}
+
+#endif
> Best,
> Ryan
>
Sebastian
Bug#859544: opensmtpd: Please migrate to openssl1.1 in buster
Hi Sebastian, On Fri, Oct 13, 2017 at 01:24:19PM +0200, Sebastian Andrzej Siewior wrote: > On 2017-10-12 18:33:40 [-0400], Ryan Kavanagh wrote: [trimmed] > > I made initial efforts to port it to OpenSSL 1.1 and sent them > > upstream, but things are complicated by opensmtpd needing to be able > > to cope with multiple SSL libraries. > > So you made a new version to cope with multiple ssl libs, good. Thanks > for the update. To clarify: I wrote a patch that I believe ports opensmtpd to OpenSSL 1.1, but with no backwards compatibility for 1.0. It has not been applied (nor reviewed) by upstream, because upstream needs to cope with multiple SSL libraries and they are waiting to see how other OpenBSD portable daemons deal with this. See this comment[0] for details on their situation. Best, Ryan [0] https://github.com/OpenSMTPD/OpenSMTPD/issues/738#issuecomment-258774846 -- |_)|_/ Ryan Kavanagh | GPG: 4E46 9519 ED67 7734 268F | \| \ https://ryanak.ca/ | BD95 8F7B F8FC 4A11 C97A signature.asc Description: PGP signature
Bug#859544: opensmtpd: Please migrate to openssl1.1 in buster
On 2017-10-12 18:33:40 [-0400], Ryan Kavanagh wrote: > Hi Sebastian, Hi Ryan, > This is being tracked upstream. I made initial efforts to port it to > OpenSSL 1.1 and sent them upstream (see second comment in the upstream > bug), but things are complicated by opensmtpd needing to be able to cope > with multiple SSL libraries. I've followed up, let's see what happens. So you made a new version to cope with multiple ssl libs, good. Thanks for the update. > Best wishes, > Ryan Sebastian
Bug#859544: opensmtpd: Please migrate to openssl1.1 in buster
Hi Sebastian, On Thu, Oct 12, 2017 at 11:44:58PM +0200, Sebastian Andrzej Siewior wrote: > Please react before that happens. This is being tracked upstream. I made initial efforts to port it to OpenSSL 1.1 and sent them upstream (see second comment in the upstream bug), but things are complicated by opensmtpd needing to be able to cope with multiple SSL libraries. I've followed up, let's see what happens. Best wishes, Ryan -- |_)|_/ Ryan Kavanagh | GPG: 4E46 9519 ED67 7734 268F | \| \ https://ryanak.ca/ | BD95 8F7B F8FC 4A11 C97A signature.asc Description: PGP signature
Bug#859544: opensmtpd: Please migrate to openssl1.1 in buster
Hi, this is a remainder about the openssl transition [0]. We really want to remove libssl1.0-dev from unstable for Buster. I will raise the severity of this bug to serious in a month. Please react before that happens. [0] https://bugs.debian.org/871056#55 Sebastian
