* [gentoo-commits] repo/gentoo:master commit in: profiles/, mail-mta/opensmtpd/, mail-mta/opensmtpd/files/
@ 2020-03-07 0:32 Jason A. Donenfeld
0 siblings, 0 replies; only message in thread
From: Jason A. Donenfeld @ 2020-03-07 0:32 UTC (permalink / raw
To: gentoo-commits
commit: ea5bd9d4206b4e0c2c75a03337509e0d6d72ef51
Author: Jason A. Donenfeld <zx2c4 <AT> gentoo <DOT> org>
AuthorDate: Sat Mar 7 00:30:24 2020 +0000
Commit: Jason A. Donenfeld <zx2c4 <AT> gentoo <DOT> org>
CommitDate: Sat Mar 7 00:32:31 2020 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ea5bd9d4
mail-mta/opensmtpd: remove ancient ~6.0.3_p1 version
Closes: https://bugs.gentoo.org/710754
Package-Manager: Portage-2.3.88, Repoman-2.3.20
Signed-off-by: Jason A. Donenfeld <zx2c4 <AT> gentoo.org>
mail-mta/opensmtpd/Manifest | 1 -
.../opensmtpd-6.0.3_p1-fix-crash-on-auth.patch | 43 --
.../files/opensmtpd-6.0.3_p1-openssl_1.1.patch | 722 ---------------------
.../files/opensmtpd-6.0.3_p1-security-fixes.patch | 123 ----
mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r3.ebuild | 78 ---
profiles/package.mask | 8 -
6 files changed, 975 deletions(-)
diff --git a/mail-mta/opensmtpd/Manifest b/mail-mta/opensmtpd/Manifest
index 0c001fb94e6..ef56b7e6d94 100644
--- a/mail-mta/opensmtpd/Manifest
+++ b/mail-mta/opensmtpd/Manifest
@@ -1,2 +1 @@
-DIST opensmtpd-6.0.3p1.tar.gz 699702 BLAKE2B 49f08e8329adc049a562b6ef7efa4c0a39cbcfe8a158cb905cfc726a7302ffe9833ccfb52041340767d55d0f2ae2087e8eac92b7359016c6c76b4d963a334558 SHA512 e579818a0ddbe637deb5a4e40f43eaf797783903ceac18fd89a57581b135b9e407d424e1a70ff7b4b06a0ee50bafb6e8ab2451371917887904b06ff1b55d320f
DIST opensmtpd-6.6.4p1.tar.gz 790754 BLAKE2B 18cc19569ae764eff3d672cbfb87df7bd00afcce93705ad128e935c0a47a246c3a6166fca7b6f844c0dd5e728492d8aeb7e0f8a8c1f5a756bf356ae9afb80852 SHA512 267307c91f4fcf21624b0897dfb1f5638b77da7b8d9a02211d734ed2cc5bd39ea7542ae7f200255e2945518fbe7609a0e5aa4e5c6dcb8146014f08b3845c108b
diff --git a/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-fix-crash-on-auth.patch b/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-fix-crash-on-auth.patch
deleted file mode 100644
index c20b5e0a0ef..00000000000
--- a/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-fix-crash-on-auth.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 9b5f70b93e038df5446bd37a4adac5a0380748e7 Mon Sep 17 00:00:00 2001
-From: johannes <johannes.brechtmann@gmail.com>
-Date: Wed, 21 Feb 2018 23:57:11 +0100
-Subject: [PATCH] crypt_checkpass: include HAVE_CRYPT_H definition, add NULL
- check
-
----
- openbsd-compat/crypt_checkpass.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/openbsd-compat/crypt_checkpass.c b/openbsd-compat/crypt_checkpass.c
-index dafd2dae..d10b3a57 100644
---- a/openbsd-compat/crypt_checkpass.c
-+++ b/openbsd-compat/crypt_checkpass.c
-@@ -1,5 +1,6 @@
- /* OPENBSD ORIGINAL: lib/libc/crypt/cryptutil.c */
-
-+#include "includes.h"
- #include <errno.h>
- #ifdef HAVE_CRYPT_H
- #include <crypt.h>
-@@ -10,6 +11,8 @@
- int
- crypt_checkpass(const char *pass, const char *goodhash)
- {
-+ char *c;
-+
- if (goodhash == NULL)
- goto fail;
-
-@@ -17,7 +20,11 @@ crypt_checkpass(const char *pass, const char *goodhash)
- if (strlen(goodhash) == 0 && strlen(pass) == 0)
- return 0;
-
-- if (strcmp(crypt(pass, goodhash), goodhash) == 0)
-+ c = crypt(pass, goodhash);
-+ if (c == NULL)
-+ goto fail;
-+
-+ if (strcmp(c, goodhash) == 0)
- return 0;
-
- fail:
diff --git a/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-openssl_1.1.patch b/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-openssl_1.1.patch
deleted file mode 100644
index 40a62ae9251..00000000000
--- a/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-openssl_1.1.patch
+++ /dev/null
@@ -1,722 +0,0 @@
-Description: Enable support for OpenSSL 1.1
-Author: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
- Ryan Kavanagh <rak@debian.org>
-Origin: Debian
-Bug: https://github.com/OpenSMTPD/OpenSMTPD/issues/738
-Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859544
-Forwarded: https://github.com/OpenSMTPD/OpenSMTPD/pull/825
-Last-Update: 2018-03-18
----
-This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
-diff --git a/openbsd-compat/libressl.c b/openbsd-compat/libressl.c
-index f4f2b52e..d06e006f 100644
---- a/openbsd-compat/libressl.c
-+++ b/openbsd-compat/libressl.c
-@@ -81,14 +81,14 @@ SSL_CTX_use_certificate_chain(SSL_CTX *ctx, char *buf, off_t len)
- x = ca = NULL;
-
- if ((in = BIO_new_mem_buf(buf, len)) == NULL) {
-- SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
-+ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
- goto end;
- }
-
- if ((x = PEM_read_bio_X509(in, NULL,
-- ctx->default_passwd_callback,
-- ctx->default_passwd_callback_userdata)) == NULL) {
-- SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
-+ SSL_CTX_get_default_passwd_cb(ctx),
-+ SSL_CTX_get_default_passwd_cb_userdata(ctx))) == NULL) {
-+ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PEM_LIB);
- goto end;
- }
-
-@@ -99,14 +99,11 @@ SSL_CTX_use_certificate_chain(SSL_CTX *ctx, char *buf, off_t len)
- * the CA certificates.
- */
-
-- if (ctx->extra_certs != NULL) {
-- sk_X509_pop_free(ctx->extra_certs, X509_free);
-- ctx->extra_certs = NULL;
-- }
-+ SSL_CTX_clear_extra_chain_certs(ctx);
-
- while ((ca = PEM_read_bio_X509(in, NULL,
-- ctx->default_passwd_callback,
-- ctx->default_passwd_callback_userdata)) != NULL) {
-+ SSL_CTX_get_default_passwd_cb(ctx),
-+ SSL_CTX_get_default_passwd_cb_userdata(ctx))) != NULL) {
-
- if (!SSL_CTX_add_extra_chain_cert(ctx, ca))
- goto end;
-diff --git a/smtpd/ca.c b/smtpd/ca.c
-index e383c6a1..29a44b9b 100644
---- a/smtpd/ca.c
-+++ b/smtpd/ca.c
-@@ -170,6 +170,190 @@ ca_verify_cb(int ok, X509_STORE_CTX *ctx)
- return ok;
- }
-
-+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
-+
-+static int RSA_meth_get_flags(RSA_METHOD *meth)
-+{
-+ return meth->flags;
-+}
-+
-+static int RSA_meth_set_flags(RSA_METHOD *meth, int flags)
-+{
-+ meth->flags = flags;
-+ return 1;
-+}
-+
-+static void *RSA_meth_get0_app_data(const RSA_METHOD *meth)
-+{
-+ return meth->app_data;
-+}
-+
-+static int RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data)
-+{
-+ meth->app_data = app_data;
-+ return 1;
-+}
-+
-+static int (*RSA_meth_get_pub_enc(const RSA_METHOD *meth))
-+(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
-+{
-+ return meth->rsa_pub_enc;
-+}
-+
-+static int RSA_meth_set_pub_enc(RSA_METHOD *meth,
-+ int (*pub_enc) (int flen, const unsigned char *from,
-+ unsigned char *to, RSA *rsa,
-+ int padding))
-+{
-+ meth->rsa_pub_enc = pub_enc;
-+ return 1;
-+}
-+
-+static int (*RSA_meth_get_pub_dec(const RSA_METHOD *meth))
-+(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
-+{
-+ return meth->rsa_pub_dec;
-+}
-+
-+static int (*RSA_meth_get_priv_enc(const RSA_METHOD *meth))
-+(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
-+{
-+ return meth->rsa_priv_enc;
-+}
-+
-+int RSA_meth_set_priv_enc(RSA_METHOD *meth,
-+ int (*priv_enc) (int flen, const unsigned char *from,
-+ unsigned char *to, RSA *rsa, int padding))
-+{
-+ meth->rsa_priv_enc = priv_enc;
-+ return 1;
-+}
-+
-+static int (*RSA_meth_get_priv_dec(const RSA_METHOD *meth))
-+(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
-+{
-+ return meth->rsa_priv_dec;
-+}
-+
-+static int RSA_meth_set_priv_dec(RSA_METHOD *meth,
-+ int (*priv_dec) (int flen, const unsigned char *from,
-+ unsigned char *to, RSA *rsa, int padding))
-+{
-+ meth->rsa_priv_dec = priv_dec;
-+ return 1;
-+}
-+
-+static int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth))
-+ (BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
-+{
-+ return meth->rsa_mod_exp;
-+}
-+
-+static int RSA_meth_set_mod_exp(RSA_METHOD *meth,
-+ int (*mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx))
-+{
-+ meth->rsa_mod_exp = mod_exp;
-+ return 1;
-+}
-+
-+static int (*RSA_meth_get_bn_mod_exp(const RSA_METHOD *meth))
-+(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
-+{
-+ return meth->bn_mod_exp;
-+}
-+
-+static int RSA_meth_set_bn_mod_exp(RSA_METHOD *meth, int (*bn_mod_exp)
-+ (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
-+ BN_CTX *ctx, BN_MONT_CTX *m_ctx))
-+{
-+ meth->bn_mod_exp = bn_mod_exp;
-+ return 1;
-+}
-+
-+static int (*RSA_meth_get_init(const RSA_METHOD *meth)) (RSA *rsa)
-+{
-+ return meth->init;
-+}
-+
-+static int RSA_meth_set_init(RSA_METHOD *meth, int (*init) (RSA *rsa))
-+{
-+ meth->init = init;
-+ return 1;
-+}
-+
-+static int (*RSA_meth_get_finish(const RSA_METHOD *meth)) (RSA *rsa)
-+{
-+ return meth->finish;
-+}
-+
-+static int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish) (RSA *rsa))
-+{
-+ meth->finish = finish;
-+ return 1;
-+}
-+
-+static int (*RSA_meth_get_keygen(const RSA_METHOD *meth))
-+ (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb)
-+{
-+ return meth->rsa_keygen;
-+}
-+
-+static int RSA_meth_set_keygen(RSA_METHOD *meth, int (*keygen)
-+ (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb))
-+{
-+ meth->rsa_keygen = keygen;
-+ return 1;
-+}
-+
-+static int (*RSA_meth_get_verify(const RSA_METHOD *meth))
-+ (int dtype, const unsigned char *m,
-+ unsigned int m_length, const unsigned char *sigbuf,
-+ unsigned int siglen, const RSA *rsa)
-+{
-+ if (meth->flags & RSA_FLAG_SIGN_VER)
-+ return meth->rsa_verify;
-+ return NULL;
-+}
-+
-+static int (*RSA_meth_get_sign(const RSA_METHOD *meth))
-+ (int type,
-+ const unsigned char *m, unsigned int m_length,
-+ unsigned char *sigret, unsigned int *siglen,
-+ const RSA *rsa)
-+{
-+ if (meth->flags & RSA_FLAG_SIGN_VER)
-+ return meth->rsa_sign;
-+ return NULL;
-+}
-+
-+static int RSA_meth_set_pub_dec(RSA_METHOD *meth,
-+ int (*pub_dec) (int flen, const unsigned char *from,
-+ unsigned char *to, RSA *rsa, int padding))
-+{
-+ meth->rsa_pub_dec = pub_dec;
-+ return 1;
-+}
-+
-+static RSA_METHOD *RSA_meth_new(const char *name, int flags)
-+{
-+ RSA_METHOD *meth = malloc(sizeof(*meth));
-+
-+ if (meth != NULL) {
-+ memset(meth, 0, sizeof(*meth));
-+ meth->flags = flags;
-+
-+ meth->name = strdup(name);
-+ if (meth->name != NULL)
-+ return meth;
-+
-+ free(meth);
-+ }
-+
-+ return NULL;
-+}
-+
-+#endif
-+
- int
- ca_X509_verify(void *certificate, void *chain, const char *CAfile,
- const char *CRLfile, const char **errstr)
-@@ -201,7 +385,7 @@ end:
- *errstr = NULL;
- if (ret != 1) {
- if (xsc)
-- *errstr = X509_verify_cert_error_string(xsc->error);
-+ *errstr = X509_verify_cert_error_string(X509_STORE_CTX_get_error(xsc));
- else if (ERR_peek_last_error())
- *errstr = ERR_error_string(ERR_peek_last_error(), NULL);
- }
-@@ -302,24 +486,9 @@ ca_imsg(struct mproc *p, struct imsg *imsg)
- * RSA privsep engine (called from unprivileged processes)
- */
-
--const RSA_METHOD *rsa_default = NULL;
--
--static RSA_METHOD rsae_method = {
-- "RSA privsep engine",
-- rsae_pub_enc,
-- rsae_pub_dec,
-- rsae_priv_enc,
-- rsae_priv_dec,
-- rsae_mod_exp,
-- rsae_bn_mod_exp,
-- rsae_init,
-- rsae_finish,
-- 0,
-- NULL,
-- NULL,
-- NULL,
-- rsae_keygen
--};
-+static const RSA_METHOD *rsa_default = NULL;
-+
-+static const char *rsae_method_name = "RSA privsep engine";
-
- static int
- rsae_send_imsg(int flen, const unsigned char *from, unsigned char *to,
-@@ -404,7 +573,7 @@ rsae_pub_enc(int flen,const unsigned char *from, unsigned char *to, RSA *rsa,
- int padding)
- {
- log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
-- return (rsa_default->rsa_pub_enc(flen, from, to, rsa, padding));
-+ return (RSA_meth_get_pub_enc(rsa_default)(flen, from, to, rsa, padding));
- }
-
- static int
-@@ -412,7 +581,7 @@ rsae_pub_dec(int flen,const unsigned char *from, unsigned char *to, RSA *rsa,
- int padding)
- {
- log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
-- return (rsa_default->rsa_pub_dec(flen, from, to, rsa, padding));
-+ return (RSA_meth_get_pub_dec(rsa_default)(flen, from, to, rsa, padding));
- }
-
- static int
-@@ -424,7 +593,7 @@ rsae_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa,
- return (rsae_send_imsg(flen, from, to, rsa, padding,
- IMSG_CA_PRIVENC));
- }
-- return (rsa_default->rsa_priv_enc(flen, from, to, rsa, padding));
-+ return (RSA_meth_get_priv_enc(rsa_default)(flen, from, to, rsa, padding));
- }
-
- static int
-@@ -436,14 +605,14 @@ rsae_priv_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa,
- return (rsae_send_imsg(flen, from, to, rsa, padding,
- IMSG_CA_PRIVDEC));
- }
-- return (rsa_default->rsa_priv_dec(flen, from, to, rsa, padding));
-+ return (RSA_meth_get_priv_dec(rsa_default)(flen, from, to, rsa, padding));
- }
-
- static int
- rsae_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
- {
- log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
-- return (rsa_default->rsa_mod_exp(r0, I, rsa, ctx));
-+ return (RSA_meth_get_mod_exp(rsa_default)(r0, I, rsa, ctx));
- }
-
- static int
-@@ -451,34 +620,36 @@ rsae_bn_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
- {
- log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
-- return (rsa_default->bn_mod_exp(r, a, p, m, ctx, m_ctx));
-+ return (RSA_meth_get_bn_mod_exp(rsa_default)(r, a, p, m, ctx, m_ctx));
- }
-
- static int
- rsae_init(RSA *rsa)
- {
- log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
-- if (rsa_default->init == NULL)
-+ if (RSA_meth_get_init(rsa_default) == NULL)
- return (1);
-- return (rsa_default->init(rsa));
-+ return (RSA_meth_get_init(rsa_default)(rsa));
- }
-
- static int
- rsae_finish(RSA *rsa)
- {
- log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
-- if (rsa_default->finish == NULL)
-+ if (RSA_meth_get_finish(rsa_default) == NULL)
- return (1);
-- return (rsa_default->finish(rsa));
-+ return (RSA_meth_get_finish(rsa_default)(rsa));
- }
-
- static int
- rsae_keygen(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb)
- {
- log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
-- return (rsa_default->rsa_keygen(rsa, bits, e, cb));
-+ return (RSA_meth_get_keygen(rsa_default)(rsa, bits, e, cb));
- }
-
-+static RSA_METHOD *rsae_method;
-+
- void
- ca_engine_init(void)
- {
-@@ -490,7 +661,7 @@ ca_engine_init(void)
- errstr = "ENGINE_new";
- goto fail;
- }
-- if (!ENGINE_set_name(e, rsae_method.name)) {
-+ if (!ENGINE_set_name(e, rsae_method_name)) {
- errstr = "ENGINE_set_name";
- goto fail;
- }
-@@ -503,25 +674,58 @@ ca_engine_init(void)
- goto fail;
- }
-
-+ rsae_method = RSA_meth_new(rsae_method_name, 0);
-+ if (!rsae_method) {
-+ errstr = "RSA_meth_new";
-+ goto fail;
-+ }
-+
- if ((name = ENGINE_get_name(e)) == NULL)
- name = "unknown RSA engine";
-
- log_debug("debug: %s: using %s", __func__, name);
-
-- if (rsa_default->flags & RSA_FLAG_SIGN_VER)
-+ if (RSA_meth_get_sign(rsa_default) ||
-+ RSA_meth_get_verify(rsa_default))
- fatalx("unsupported RSA engine");
-
-- if (rsa_default->rsa_mod_exp == NULL)
-- rsae_method.rsa_mod_exp = NULL;
-- if (rsa_default->bn_mod_exp == NULL)
-- rsae_method.bn_mod_exp = NULL;
-- if (rsa_default->rsa_keygen == NULL)
-- rsae_method.rsa_keygen = NULL;
-- rsae_method.flags = rsa_default->flags |
-- RSA_METHOD_FLAG_NO_CHECK;
-- rsae_method.app_data = rsa_default->app_data;
--
-- if (!ENGINE_set_RSA(e, &rsae_method)) {
-+ errstr = "Setting callback";
-+ if (!RSA_meth_set_pub_enc(rsae_method, rsae_pub_enc))
-+ goto fail;
-+ if (!RSA_meth_set_pub_dec(rsae_method, rsae_pub_dec))
-+ goto fail;
-+ if (!RSA_meth_set_priv_enc(rsae_method, rsae_priv_enc))
-+ goto fail;
-+ if (!RSA_meth_set_priv_dec(rsae_method, rsae_priv_dec))
-+ goto fail;
-+
-+ if (RSA_meth_get_mod_exp(rsa_default)) {
-+ if (!RSA_meth_set_mod_exp(rsae_method, rsae_mod_exp))
-+ goto fail;
-+ }
-+
-+ if (RSA_meth_get_bn_mod_exp(rsa_default))
-+ if (!RSA_meth_set_bn_mod_exp(rsae_method, rsae_bn_mod_exp))
-+ goto fail;
-+ if (!RSA_meth_set_init(rsae_method, rsae_init))
-+ goto fail;
-+ if (!RSA_meth_set_finish(rsae_method, rsae_finish))
-+ goto fail;
-+
-+ if (RSA_meth_get_keygen(rsa_default)) {
-+ if (!RSA_meth_set_keygen(rsae_method, rsae_keygen))
-+ goto fail;
-+ }
-+
-+ if (!RSA_meth_set_flags(rsae_method,
-+ RSA_meth_get_flags(rsa_default) |
-+ RSA_METHOD_FLAG_NO_CHECK))
-+ goto fail;
-+
-+ if (!RSA_meth_set0_app_data(rsae_method, RSA_meth_get0_app_data(rsa_default)))
-+ goto fail;
-+
-+ if (!ENGINE_set_RSA(e, rsae_method)) {
- errstr = "ENGINE_set_RSA";
- goto fail;
- }
-diff --git a/smtpd/crypto.c b/smtpd/crypto.c
-index 76f98807..01452851 100644
---- a/smtpd/crypto.c
-+++ b/smtpd/crypto.c
-@@ -64,7 +64,7 @@ crypto_setup(const char *key, size_t len)
- int
- crypto_encrypt_file(FILE * in, FILE * out)
- {
-- EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX *ctx;
- uint8_t ibuf[CRYPTO_BUFFER_SIZE];
- uint8_t obuf[CRYPTO_BUFFER_SIZE];
- uint8_t iv[IV_SIZE];
-@@ -91,12 +91,14 @@ crypto_encrypt_file(FILE * in, FILE * out)
- if ((w = fwrite(iv, 1, sizeof iv, out)) != sizeof iv)
- return 0;
-
-- EVP_CIPHER_CTX_init(&ctx);
-- EVP_EncryptInit_ex(&ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
-+ ctx = EVP_CIPHER_CTX_new();
-+ if (!ctx)
-+ return 0;
-+ EVP_EncryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
-
- /* encrypt until end of file */
- while ((r = fread(ibuf, 1, CRYPTO_BUFFER_SIZE, in)) != 0) {
-- if (!EVP_EncryptUpdate(&ctx, obuf, &len, ibuf, r))
-+ if (!EVP_EncryptUpdate(ctx, obuf, &len, ibuf, r))
- goto end;
- if (len && (w = fwrite(obuf, len, 1, out)) != 1)
- goto end;
-@@ -105,13 +107,13 @@ crypto_encrypt_file(FILE * in, FILE * out)
- goto end;
-
- /* finalize and write last chunk if any */
-- if (!EVP_EncryptFinal_ex(&ctx, obuf, &len))
-+ if (!EVP_EncryptFinal_ex(ctx, obuf, &len))
- goto end;
- if (len && (w = fwrite(obuf, len, 1, out)) != 1)
- goto end;
-
- /* get and append tag */
-- EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, sizeof tag, tag);
-+ EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, sizeof tag, tag);
- if ((w = fwrite(tag, sizeof tag, 1, out)) != 1)
- goto end;
-
-@@ -119,14 +121,14 @@ crypto_encrypt_file(FILE * in, FILE * out)
- ret = 1;
-
- end:
-- EVP_CIPHER_CTX_cleanup(&ctx);
-+ EVP_CIPHER_CTX_free(ctx);
- return ret;
- }
-
- int
- crypto_decrypt_file(FILE * in, FILE * out)
- {
-- EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX *ctx;
- uint8_t ibuf[CRYPTO_BUFFER_SIZE];
- uint8_t obuf[CRYPTO_BUFFER_SIZE];
- uint8_t iv[IV_SIZE];
-@@ -171,11 +173,13 @@ crypto_decrypt_file(FILE * in, FILE * out)
- sz -= sizeof tag;
-
-
-- EVP_CIPHER_CTX_init(&ctx);
-- EVP_DecryptInit_ex(&ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
-+ ctx = EVP_CIPHER_CTX_new();
-+ if (!ctx)
-+ return 0;
-+ EVP_DecryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
-
- /* set expected tag */
-- EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, sizeof tag, tag);
-+ EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, sizeof tag, tag);
-
- /* decrypt until end of ciphertext */
- while (sz) {
-@@ -185,7 +189,7 @@ crypto_decrypt_file(FILE * in, FILE * out)
- r = fread(ibuf, 1, sz, in);
- if (!r)
- break;
-- if (!EVP_DecryptUpdate(&ctx, obuf, &len, ibuf, r))
-+ if (!EVP_DecryptUpdate(ctx, obuf, &len, ibuf, r))
- goto end;
- if (len && (w = fwrite(obuf, len, 1, out)) != 1)
- goto end;
-@@ -195,7 +199,7 @@ crypto_decrypt_file(FILE * in, FILE * out)
- goto end;
-
- /* finalize, write last chunk if any and perform authentication check */
-- if (!EVP_DecryptFinal_ex(&ctx, obuf, &len))
-+ if (!EVP_DecryptFinal_ex(ctx, obuf, &len))
- goto end;
- if (len && (w = fwrite(obuf, len, 1, out)) != 1)
- goto end;
-@@ -204,14 +208,14 @@ crypto_decrypt_file(FILE * in, FILE * out)
- ret = 1;
-
- end:
-- EVP_CIPHER_CTX_cleanup(&ctx);
-+ EVP_CIPHER_CTX_free(ctx);
- return ret;
- }
-
- size_t
- crypto_encrypt_buffer(const char *in, size_t inlen, char *out, size_t outlen)
- {
-- EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX *ctx;
- uint8_t iv[IV_SIZE];
- uint8_t tag[GCM_TAG_SIZE];
- uint8_t version = API_VERSION;
-@@ -239,33 +243,35 @@ crypto_encrypt_buffer(const char *in, size_t inlen, char *out, size_t outlen)
- memcpy(out + len, iv, sizeof iv);
- len += sizeof iv;
-
-- EVP_CIPHER_CTX_init(&ctx);
-- EVP_EncryptInit_ex(&ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
-+ ctx = EVP_CIPHER_CTX_new();
-+ if (!ctx)
-+ return 0;
-+ EVP_EncryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
-
- /* encrypt buffer */
-- if (!EVP_EncryptUpdate(&ctx, out + len, &olen, in, inlen))
-+ if (!EVP_EncryptUpdate(ctx, out + len, &olen, in, inlen))
- goto end;
- len += olen;
-
- /* finalize and write last chunk if any */
-- if (!EVP_EncryptFinal_ex(&ctx, out + len, &olen))
-+ if (!EVP_EncryptFinal_ex(ctx, out + len, &olen))
- goto end;
- len += olen;
-
- /* get and append tag */
-- EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, sizeof tag, tag);
-+ EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, sizeof tag, tag);
- memcpy(out + len, tag, sizeof tag);
- ret = len + sizeof tag;
-
- end:
-- EVP_CIPHER_CTX_cleanup(&ctx);
-+ EVP_CIPHER_CTX_cleanup(ctx);
- return ret;
- }
-
- size_t
- crypto_decrypt_buffer(const char *in, size_t inlen, char *out, size_t outlen)
- {
-- EVP_CIPHER_CTX ctx;
-+ EVP_CIPHER_CTX *ctx;
- uint8_t iv[IV_SIZE];
- uint8_t tag[GCM_TAG_SIZE];
- int olen;
-@@ -292,24 +298,26 @@ crypto_decrypt_buffer(const char *in, size_t inlen, char *out, size_t outlen)
- inlen -= sizeof iv;
- in += sizeof iv;
-
-- EVP_CIPHER_CTX_init(&ctx);
-- EVP_DecryptInit_ex(&ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
-+ ctx = EVP_CIPHER_CTX_new();
-+ if (!ctx)
-+ return 0;
-+ EVP_DecryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
-
- /* set expected tag */
-- EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, sizeof tag, tag);
-+ EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, sizeof tag, tag);
-
- /* decrypt buffer */
-- if (!EVP_DecryptUpdate(&ctx, out, &olen, in, inlen))
-+ if (!EVP_DecryptUpdate(ctx, out, &olen, in, inlen))
- goto end;
- len += olen;
-
- /* finalize, write last chunk if any and perform authentication check */
-- if (!EVP_DecryptFinal_ex(&ctx, out + len, &olen))
-+ if (!EVP_DecryptFinal_ex(ctx, out + len, &olen))
- goto end;
- ret = len + olen;
-
- end:
-- EVP_CIPHER_CTX_cleanup(&ctx);
-+ EVP_CIPHER_CTX_cleanup(ctx);
- return ret;
- }
-
-diff --git a/smtpd/libressl.c b/smtpd/libressl.c
-index 57d74389..db78d943 100644
---- a/smtpd/libressl.c
-+++ b/smtpd/libressl.c
-@@ -94,10 +94,10 @@ ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in)
-
- ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
-
-- x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback,
-- ctx->default_passwd_callback_userdata);
-+ x = PEM_read_bio_X509_AUX(in, NULL, SSL_CTX_get_default_passwd_cb(ctx),
-+ SSL_CTX_get_default_passwd_cb_userdata(ctx));
- if (x == NULL) {
-- SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
-+ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PEM_LIB);
- goto end;
- }
-
-@@ -115,14 +115,11 @@ ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in)
- int r;
- unsigned long err;
-
-- if (ctx->extra_certs != NULL) {
-- sk_X509_pop_free(ctx->extra_certs, X509_free);
-- ctx->extra_certs = NULL;
-- }
-+ SSL_CTX_clear_extra_chain_certs(ctx);
-
- while ((ca = PEM_read_bio_X509(in, NULL,
-- ctx->default_passwd_callback,
-- ctx->default_passwd_callback_userdata)) != NULL) {
-+ SSL_CTX_get_default_passwd_cb(ctx),
-+ SSL_CTX_get_default_passwd_cb_userdata(ctx))) != NULL) {
- r = SSL_CTX_add_extra_chain_cert(ctx, ca);
- if (!r) {
- X509_free(ca);
-@@ -160,7 +157,7 @@ SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, void *buf, int len)
-
- in = BIO_new_mem_buf(buf, len);
- if (in == NULL) {
-- SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
-+ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
- goto end;
- }
-
-diff --git a/smtpd/ssl.c b/smtpd/ssl.c
-index b88360eb..0c93d87e 100644
---- a/smtpd/ssl.c
-+++ b/smtpd/ssl.c
-@@ -425,7 +425,7 @@ ssl_ctx_fake_private_key(SSL_CTX *ctx, const void *data, size_t datalen,
- */
- ret = SSL_CTX_use_PrivateKey(ctx, pkey);
- if (!ret)
-- SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_SSL_LIB);
-+ SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_SYS_LIB);
-
- if (pkeyptr != NULL)
- *pkeyptr = pkey;
-diff --git a/smtpd/ssl.h b/smtpd/ssl.h
-index 90f018d0..553120d4 100644
---- a/smtpd/ssl.h
-+++ b/smtpd/ssl.h
-@@ -73,3 +73,17 @@ void SSL_CTX_set_ecdh_auto(SSL_CTX *, int);
- void SSL_CTX_set_dh_auto(SSL_CTX *, int);
- #endif
- int SSL_CTX_use_certificate_chain_mem(SSL_CTX *, void *, int);
-+
-+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
-+
-+static inline pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
-+{
-+ return ctx->default_passwd_callback;
-+}
-+
-+static inline void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx)
-+{
-+ return ctx->default_passwd_callback_userdata;
-+}
-+
-+#endif
diff --git a/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-security-fixes.patch b/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-security-fixes.patch
deleted file mode 100644
index b22f3af1fbe..00000000000
--- a/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-security-fixes.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-diff -ru OpenSMTPD-opensmtpd-6.0.3/smtpd/mta_session.c OpenSMTPD-opensmtpd-6.0.3-fixed/smtpd/mta_session.c
---- OpenSMTPD-opensmtpd-6.0.3/smtpd/mta_session.c 2018-01-04 23:24:01.000000000 +0100
-+++ OpenSMTPD-opensmtpd-6.0.3-fixed/smtpd/mta_session.c 2020-01-29 09:47:24.607457717 +0100
-@@ -1290,40 +1290,20 @@
- break;
-
- case IO_ERROR:
-+ case IO_TLSERROR:
- log_debug("debug: mta: %p: IO error: %s", s, io_error(io));
-- if (!s->ready) {
-- mta_error(s, "IO Error: %s", io_error(io));
-- mta_connect(s);
-- break;
-- }
-- else if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_SMTPS|MTA_FORCE_ANYSSL))) {
-- /* error in non-strict SSL negotiation, downgrade to plain */
-- if (s->flags & MTA_TLS) {
-- log_info("smtp-out: Error on session %016"PRIx64
-- ": opportunistic TLS failed, "
-- "downgrading to plain", s->id);
-- s->flags &= ~MTA_TLS;
-- s->flags |= MTA_DOWNGRADE_PLAIN;
-- mta_connect(s);
-- break;
-- }
-- }
-- mta_error(s, "IO Error: %s", io_error(io));
-- mta_free(s);
-- break;
-
-- case IO_TLSERROR:
-- log_debug("debug: mta: %p: TLS IO error: %s", s, io_error(io));
-- if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_SMTPS|MTA_FORCE_ANYSSL))) {
-+ if (s->state == MTA_STARTTLS && s->use_smtp_tls) {
- /* error in non-strict SSL negotiation, downgrade to plain */
-- log_info("smtp-out: TLS Error on session %016"PRIx64
-- ": TLS failed, "
-+ log_info("smtp-out: Error on session %016"PRIx64
-+ ": opportunistic TLS failed, "
- "downgrading to plain", s->id);
- s->flags &= ~MTA_TLS;
- s->flags |= MTA_DOWNGRADE_PLAIN;
- mta_connect(s);
- break;
- }
-+
- mta_error(s, "IO Error: %s", io_error(io));
- mta_free(s);
- break;
-diff -ru OpenSMTPD-opensmtpd-6.0.3/smtpd/smtp_session.c OpenSMTPD-opensmtpd-6.0.3-fixed/smtpd/smtp_session.c
---- OpenSMTPD-opensmtpd-6.0.3/smtpd/smtp_session.c 2018-01-04 23:24:01.000000000 +0100
-+++ OpenSMTPD-opensmtpd-6.0.3-fixed/smtpd/smtp_session.c 2020-01-29 09:47:24.610791335 +0100
-@@ -2004,25 +2004,23 @@
- memmove(maddr->user, p, strlen(p) + 1);
- }
-
-- if (!valid_localpart(maddr->user) ||
-- !valid_domainpart(maddr->domain)) {
-- /* accept empty return-path in MAIL FROM, required for bounces */
-- if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
-- return (1);
-+ /* accept empty return-path in MAIL FROM, required for bounces */
-+ if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
-+ return (1);
-
-- /* no user-part, reject */
-- if (maddr->user[0] == '\0')
-- return (0);
--
-- /* no domain, local user */
-- if (maddr->domain[0] == '\0') {
-- (void)strlcpy(maddr->domain, domain,
-- sizeof(maddr->domain));
-- return (1);
-- }
-+ /* no or invalid user-part, reject */
-+ if (maddr->user[0] == '\0' || !valid_localpart(maddr->user))
- return (0);
-+
-+ /* no domain part, local user */
-+ if (maddr->domain[0] == '\0') {
-+ (void)strlcpy(maddr->domain, domain,
-+ sizeof(maddr->domain));
- }
-
-+ if (!valid_domainpart(maddr->domain))
-+ return (0);
-+
- return (1);
- }
-
-diff -ru opensmtpd-6.0.3p1/smtpd/mta_session.c opensmtpd-6.0.3p1-modified/smtpd/mta_session.c
---- opensmtpd-6.0.3p1/smtpd/mta_session.c 2018-01-10 21:06:40.000000000 +0800
-+++ opensmtpd-6.0.3p1-modified/smtpd/mta_session.c 2020-02-25 09:57:04.624147227 +0800
-@@ -1214,7 +1214,7 @@
- if (cont) {
- if (s->replybuf[0] == '\0')
- (void)strlcat(s->replybuf, line, sizeof s->replybuf);
-- else {
-+ else if (len > 4) {
- line = line + 4;
- if (isdigit((int)*line) && *(line + 1) == '.' &&
- isdigit((int)*line+2) && *(line + 3) == '.' &&
-@@ -1229,7 +1229,9 @@
- /* last line of a reply, check if we're on a continuation to parse out status and ESC.
- * if we overflow reply buffer or are not on continuation, log entire last line.
- */
-- if (s->replybuf[0] != '\0') {
-+ if (s->replybuf[0] == '\0')
-+ (void)strlcat(s->replybuf, line, sizeof s->replybuf);
-+ else if (len > 4) {
- p = line + 4;
- if (isdigit((int)*p) && *(p + 1) == '.' &&
- isdigit((int)*p+2) && *(p + 3) == '.' &&
-@@ -1238,8 +1240,6 @@
- if (strlcat(s->replybuf, p, sizeof s->replybuf) >= sizeof s->replybuf)
- (void)strlcpy(s->replybuf, line, sizeof s->replybuf);
- }
-- else
-- (void)strlcpy(s->replybuf, line, sizeof s->replybuf);
-
- if (s->state == MTA_QUIT) {
- log_info("%016"PRIx64" mta event=closed reason=quit messages=%zu",
diff --git a/mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r3.ebuild b/mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r3.ebuild
deleted file mode 100644
index 14d9fa69ea4..00000000000
--- a/mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r3.ebuild
+++ /dev/null
@@ -1,78 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit pam toolchain-funcs systemd
-
-DESCRIPTION="Lightweight but featured SMTP daemon from OpenBSD"
-HOMEPAGE="https://www.opensmtpd.org"
-SRC_URI="https://www.opensmtpd.org/archives/${P/_}.tar.gz"
-
-LICENSE="ISC BSD BSD-1 BSD-2 BSD-4"
-SLOT="0"
-KEYWORDS="~amd64 ~arm ~arm64 ~x86"
-IUSE="libressl pam +mta"
-
-DEPEND="
- acct-user/smtpd
- acct-user/smtpq
- !libressl? ( dev-libs/openssl:0= )
- libressl? ( dev-libs/libressl:0= )
- elibc_musl? ( sys-libs/fts-standalone )
- sys-libs/zlib
- pam? ( sys-libs/pam )
- sys-libs/db:=
- dev-libs/libevent
- app-misc/ca-certificates
- net-mail/mailbase
- net-libs/libasr
- !mail-mta/courier
- !mail-mta/esmtp
- !mail-mta/exim
- !mail-mta/mini-qmail
- !mail-mta/msmtp[mta]
- !mail-mta/netqmail
- !mail-mta/nullmailer
- !mail-mta/postfix
- !mail-mta/qmail-ldap
- !mail-mta/sendmail
- !mail-mta/ssmtp[mta]
-"
-RDEPEND="${DEPEND}"
-
-S=${WORKDIR}/${P/_}
-PATCHES=(
- "${FILESDIR}/${P}-fix-crash-on-auth.patch"
- "${FILESDIR}/${P}-openssl_1.1.patch"
- "${FILESDIR}/${P}-security-fixes.patch"
-)
-
-src_configure() {
- tc-export AR
- AR="$(which "$AR")" econf \
- --with-table-db \
- --with-user-smtpd=smtpd \
- --with-user-queue=smtpq \
- --with-group-queue=smtpq \
- --with-path-socket=/run \
- --with-path-CAfile=/etc/ssl/certs/ca-certificates.crt \
- --sysconfdir=/etc/opensmtpd \
- $(use_with pam auth-pam)
-}
-
-src_install() {
- default
- newinitd "${FILESDIR}"/smtpd.initd smtpd
- systemd_dounit "${FILESDIR}"/smtpd.{service,socket}
- use pam && newpamd "${FILESDIR}"/smtpd.pam smtpd
- dosym smtpctl /usr/sbin/makemap
- dosym smtpctl /usr/sbin/newaliases
- if use mta ; then
- dodir /usr/sbin
- dosym smtpctl /usr/sbin/sendmail
- dosym ../sbin/smtpctl /usr/bin/sendmail
- mkdir -p "${ED}"/usr/$(get_libdir) || die
- ln -s --relative "${ED}"/usr/sbin/smtpctl "${ED}"/usr/$(get_libdir)/sendmail || die
- fi
-}
diff --git a/profiles/package.mask b/profiles/package.mask
index d5a4bc79b9e..5ef30fbb59c 100644
--- a/profiles/package.mask
+++ b/profiles/package.mask
@@ -109,14 +109,6 @@ sci-misc/pythoncad
# Last release in 2013, bug #710164, masked for removal in 30 days.
sci-electronics/gresistor
-# Jason A. Donenfeld <zx2c4@gentoo.org> (2020-02-24)
-# Unsupported upstream version, likely has security bugs. Not removed
-# immediately because of backwards incompatible configuration changes
-# with the newer version in the tree.
-#
-# Removal in 14 days. Bug #710754.
-~mail-mta/opensmtpd-6.0.3_p1
-
# Marek Szuba <marecki@gentoo.org> (2020-02-24)
# Deprecated upstream in Q1'2018 in favour of dev-libs/intel-neo and
# while it officially remains the recommended solution for "legacy HW
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2020-03-07 0:32 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-03-07 0:32 [gentoo-commits] repo/gentoo:master commit in: profiles/, mail-mta/opensmtpd/, mail-mta/opensmtpd/files/ Jason A. Donenfeld
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox