From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 839D615800F for ; Tue, 3 Jan 2023 10:22:51 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id C3952E08F7; Tue, 3 Jan 2023 10:22:50 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id AB1E5E08F7 for ; Tue, 3 Jan 2023 10:22:50 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 834FA340CCE for ; Tue, 3 Jan 2023 10:22:49 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id C9BA562F for ; Tue, 3 Jan 2023 10:22:47 +0000 (UTC) From: "Fabian Groffen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Fabian Groffen" Message-ID: <1672741340.d4637e8d3a6d78bfb956570ddf9b03236f3620c0.grobian@gentoo> Subject: [gentoo-commits] repo/gentoo:master commit in: mail-mta/exim/, mail-mta/exim/files/ X-VCS-Repository: repo/gentoo X-VCS-Files: mail-mta/exim/exim-4.94.2-r11.ebuild mail-mta/exim/exim-4.94.2-r12.ebuild mail-mta/exim/files/exim-4.94.2-openssl3.patch X-VCS-Directories: mail-mta/exim/ mail-mta/exim/files/ X-VCS-Committer: grobian X-VCS-Committer-Name: Fabian Groffen X-VCS-Revision: d4637e8d3a6d78bfb956570ddf9b03236f3620c0 X-VCS-Branch: master Date: Tue, 3 Jan 2023 10:22:47 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: 88631ad7-25e1-4b00-8c26-a04f22055be4 X-Archives-Hash: 0ebc8ea936b956289d07402cae9c7430 commit: d4637e8d3a6d78bfb956570ddf9b03236f3620c0 Author: Fabian Groffen gentoo org> AuthorDate: Tue Jan 3 10:22:20 2023 +0000 Commit: Fabian Groffen gentoo org> CommitDate: Tue Jan 3 10:22:20 2023 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d4637e8d mail-mta/exim-4.94.2-r12: update openssl-3 patches Signed-off-by: Fabian Groffen gentoo.org> ...im-4.94.2-r11.ebuild => exim-4.94.2-r12.ebuild} | 2 +- mail-mta/exim/files/exim-4.94.2-openssl3.patch | 306 ++++++++++++++++++++- 2 files changed, 303 insertions(+), 5 deletions(-) diff --git a/mail-mta/exim/exim-4.94.2-r11.ebuild b/mail-mta/exim/exim-4.94.2-r12.ebuild similarity index 99% rename from mail-mta/exim/exim-4.94.2-r11.ebuild rename to mail-mta/exim/exim-4.94.2-r12.ebuild index 352ae0cdcd7e..a347cf1581f6 100644 --- a/mail-mta/exim/exim-4.94.2-r11.ebuild +++ b/mail-mta/exim/exim-4.94.2-r12.ebuild @@ -122,7 +122,7 @@ src_prepare() { eapply "${FILESDIR}"/exim-4.94-localscan_dlopen.patch eapply "${FILESDIR}"/exim-4.94.2-fix-crash-resolve.patch # 799368 upstr eapply "${FILESDIR}"/exim-4.94-CVE-2022-3559.patch # 877607 upstr - eapply "${FILESDIR}"/exim-4.94.2-openssl3.patch # 888619 backport + eapply "${FILESDIR}"/exim-4.94.2-openssl3.patch # 888619 backports # for this reason we have a := dep on opendmarc, they changed their # API in a minor release diff --git a/mail-mta/exim/files/exim-4.94.2-openssl3.patch b/mail-mta/exim/files/exim-4.94.2-openssl3.patch index d1102aac8bfa..f9758515bef1 100644 --- a/mail-mta/exim/files/exim-4.94.2-openssl3.patch +++ b/mail-mta/exim/files/exim-4.94.2-openssl3.patch @@ -1,13 +1,34 @@ -Based on original commit, but applied to 4.94.2 tarball. +Original commits from upstream applied to 4.94.2 release tarball + +From a5d79c99f4948d9fd288a1bfaca3a44cf2caaa32 Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Wed, 1 Dec 2021 17:36:18 +0000 +Subject: [PATCH] OpenSSL: use nondeprecated D-H functions under 3.0.0. + +From c6a290f4d8df3734b3cdc2232b4334ff8386c1da Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Wed, 1 Dec 2021 18:52:21 +0000 +Subject: [PATCH] OpenSSL: tidy DH and ECDH param setup Testsuite: expand DH + testcase From ff7829398d74e67f1c1f40339a772fd76708e5ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?= Date: Sat, 27 Nov 2021 21:07:15 +0000 Subject: [PATCH] Fix build for OpenSSL 3.0.0 . Bug 2810 ---- - src/src/tls-openssl.c | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) +From ca4014de81e6aa367aa0a54c49b4c3d4b137814c Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Sun, 1 Jan 2023 12:18:38 +0000 +Subject: [PATCH] OpenSSL: fix tls_eccurve setting explicit curve/group. Bug + 2954 + +From 7fa5764c203f2f4a900898a79ed02d674075313f Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Mon, 2 Jan 2023 15:04:14 +0000 +Subject: [PATCH] OpenSSL: Fix tls_eccurve on earlier versions than 3.0.0. Bug + 2954 + +Broken-by: ca4014de81e6 --- a/src/tls-openssl.c +++ b/src/tls-openssl.c @@ -32,3 +53,280 @@ Subject: [PATCH] Fix build for OpenSSL 3.0.0 . Bug 2810 #endif #ifdef SSL_OP_NO_TLSv1_2 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 }, +@@ -1017,23 +1021,27 @@ + *************************************************/ + + /* If dhparam is set, expand it, and load up the parameters for DH encryption. ++Server only. + + Arguments: + sctx The current SSL CTX (inbound or outbound) + dhparam DH parameter file or fixed parameter identity string +- host connected host, if client; NULL if server + errstr error string pointer + + Returns: TRUE if OK (nothing to set up, or setup worked) + */ + + static BOOL +-init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr) ++init_dh(SSL_CTX * sctx, uschar * dhparam, uschar ** errstr) + { +-BIO *bio; +-DH *dh; +-uschar *dhexpanded; +-const char *pem; ++BIO * bio; ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++DH * dh; ++#else ++EVP_PKEY * pkey; ++#endif ++uschar * dhexpanded; ++const char * pem; + int dh_bitsize; + + if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr)) +@@ -1046,7 +1054,7 @@ + if (!(bio = BIO_new_file(CS dhexpanded, "r"))) + { + tls_error(string_sprintf("could not read dhparams file %s", dhexpanded), +- host, US strerror(errno), errstr); ++ NULL, US strerror(errno), errstr); + return FALSE; + } + } +@@ -1061,17 +1069,23 @@ + if (!(pem = std_dh_prime_named(dhexpanded))) + { + tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded), +- host, US strerror(errno), errstr); ++ NULL, US strerror(errno), errstr); + return FALSE; + } + bio = BIO_new_mem_buf(CS pem, -1); + } + +-if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL))) ++if (!( ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL) ++#else ++ pkey = PEM_read_bio_Parameters_ex(bio, NULL, NULL, NULL) ++#endif ++ ) ) + { + BIO_free(bio); + tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded), +- host, NULL, errstr); ++ NULL, NULL, errstr); + return FALSE; + } + +@@ -1081,33 +1095,54 @@ + * If someone wants to dance at the edge, then they can raise the limit or use + * current libraries. */ +-#ifdef EXIM_HAVE_OPENSSL_DH_BITS ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++# ifdef EXIM_HAVE_OPENSSL_DH_BITS + /* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022 + * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */ + dh_bitsize = DH_bits(dh); +-#else ++# else + dh_bitsize = 8 * DH_size(dh); ++# endif ++#else /* 3.0.0 + */ ++dh_bitsize = EVP_PKEY_get_bits(pkey); + #endif + +-/* Even if it is larger, we silently return success rather than cause things +- * to fail out, so that a too-large DH will not knock out all TLS; it's a +- * debatable choice. */ +-if (dh_bitsize > tls_dh_max_bits) ++/* Even if it is larger, we silently return success rather than cause things to ++fail out, so that a too-large DH will not knock out all TLS; it's a debatable ++choice. Likewise for a failing attempt to set one. */ ++ ++if (dh_bitsize <= tls_dh_max_bits) + { +- DEBUG(D_tls) +- debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n", +- dh_bitsize, tls_dh_max_bits); ++ if ( ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ SSL_CTX_set_tmp_dh(sctx, dh) ++#else ++ SSL_CTX_set0_tmp_dh_pkey(sctx, pkey) ++#endif ++ == 0) ++ { ++ ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring)); ++ log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (D-H param setting '%s'): %s", ++ dhexpanded ? dhexpanded : US"default", ssl_errstring); ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++ /* EVP_PKEY_free(pkey); crashes */ ++#endif ++ } ++ else ++ DEBUG(D_tls) ++ debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n", ++ dhexpanded ? dhexpanded : US"default", dh_bitsize); + } + else +- { +- SSL_CTX_set_tmp_dh(sctx, dh); + DEBUG(D_tls) +- debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n", +- dhexpanded ? dhexpanded : US"default", dh_bitsize); +- } ++ debug_printf("dhparams '%s' %d bits, is > tls_dh_max_bits limit of %d\n", ++ dhexpanded ? dhexpanded : US"default", dh_bitsize, tls_dh_max_bits); + ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + DH_free(dh); +-BIO_free(bio); ++#endif ++/* The EVP_PKEY ownership stays with the ctx; do not free it */ + ++BIO_free(bio); + return TRUE; + } + +@@ -1118,7 +1154,7 @@ + * Initialize for ECDH * + *************************************************/ + +-/* Load parameters for ECDH encryption. ++/* Load parameters for ECDH encryption. Server only. + + For now, we stick to NIST P-256 because: it's simple and easy to configure; + it avoids any patent issues that might bite redistributors; despite events in +@@ -1136,37 +1172,40 @@ + + Arguments: + sctx The current SSL CTX (inbound or outbound) +- host connected host, if client; NULL if server + errstr error string pointer + + Returns: TRUE if OK (nothing to set up, or setup worked) + */ + + static BOOL +-init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr) ++init_ecdh(SSL_CTX * sctx, uschar ** errstr) + { + #ifdef OPENSSL_NO_ECDH + return TRUE; + #else + +-EC_KEY * ecdh; + uschar * exp_curve; +-int nid; +-BOOL rv; +- +-if (host) /* No ECDH setup for clients, only for servers */ +- return TRUE; ++int nid, rc; + + # ifndef EXIM_HAVE_ECDH + DEBUG(D_tls) +- debug_printf("No OpenSSL API to define ECDH parameters, skipping\n"); ++ debug_printf(" No OpenSSL API to define ECDH parameters, skipping\n"); + return TRUE; + # else + + if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr)) + return FALSE; ++ ++/* Is the option deliberately empty? */ ++ + if (!exp_curve || !*exp_curve) ++ { ++#if OPENSSL_VERSION_NUMBER >= 0x10002000L ++ DEBUG(D_tls) debug_printf( " ECDH OpenSSL 1.0.2+: clearing curves list\n"); ++ (void) SSL_CTX_set1_curves(sctx, &nid, 0); ++#endif + return TRUE; ++ } + + /* "auto" needs to be handled carefully. + * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1 +@@ -1202,27 +1241,41 @@ + # endif + ) + { +- tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve), +- host, NULL, errstr); ++ uschar * s = string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve); ++ DEBUG(D_tls) debug_printf("TLS error '%s'\n", s); ++ if (errstr) *errstr = s; + return FALSE; + } + +-if (!(ecdh = EC_KEY_new_by_curve_name(nid))) +- { +- tls_error(US"Unable to create ec curve", host, NULL, errstr); +- return FALSE; +- } ++# if OPENSSL_VERSION_NUMBER < 0x30000000L ++ { ++ EC_KEY * ecdh; ++ if (!(ecdh = EC_KEY_new_by_curve_name(nid))) ++ { ++ tls_error(US"Unable to create ec curve", NULL, NULL, errstr); ++ return FALSE; ++ } + +-/* The "tmp" in the name here refers to setting a temporary key +-not to the stability of the interface. */ ++ /* The "tmp" in the name here refers to setting a temporary key ++ not to the stability of the interface. */ + +-if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0)) +- tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr); ++ if ((rc = SSL_CTX_set_tmp_ecdh(sctx, ecdh)) == 0) ++ tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), NULL, NULL, errstr); ++ else ++ DEBUG(D_tls) debug_printf(" ECDH: enabled '%s' curve\n", exp_curve); ++ EC_KEY_free(ecdh); ++ } ++ ++#else /* v 3.0.0 + */ ++ ++if ((rc = SSL_CTX_set1_groups(sctx, &nid, 1)) == 0) ++ tls_error(string_sprintf("Error enabling '%s' group", exp_curve), NULL, NULL, errstr); + else +- DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve); ++ DEBUG(D_tls) debug_printf(" ECDH: enabled '%s' group\n", exp_curve); ++ ++#endif + +-EC_KEY_free(ecdh); +-return !rv; ++return !!rc; + + # endif /*EXIM_HAVE_ECDH*/ + #endif /*OPENSSL_NO_ECDH*/ +@@ -1727,8 +1780,8 @@ + SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb); + SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo); + +-if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr) +- || !init_ecdh(server_sni, NULL, &dummy_errstr) ++if ( !init_dh(server_sni, cbinfo->dhparam, &dummy_errstr) ++ || !init_ecdh(server_sni, &dummy_errstr) + ) + goto bad; + +@@ -2213,8 +2266,8 @@ + /* Initialize with DH parameters if supplied */ + /* Initialize ECDH temp key parameter selection */ + +-if ( !init_dh(ctx, dhparam, host, errstr) +- || !init_ecdh(ctx, host, errstr) ++if ( !init_dh(ctx, dhparam, errstr) ++ || !init_ecdh(ctx, errstr) + ) + return DEFER; +