pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/trunk]: pkgsrc/mail/prayer prayer: Fix building with OpenSSL 1.1. Dis...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/f5480caffa92
branches:  trunk
changeset: 413380:f5480caffa92
user:      nia <nia%pkgsrc.org@localhost>
date:      Thu Mar 19 11:30:26 2020 +0000

description:
prayer: Fix building with OpenSSL 1.1. Disable SSLv3. From Debian.

diffstat:

 mail/prayer/distinfo                      |    4 +-
 mail/prayer/patches/patch-lib_ssl.c       |  156 ++++++++++++++++++++++++++++++
 mail/prayer/patches/patch-shared_config.c |   20 +++
 3 files changed, 179 insertions(+), 1 deletions(-)

diffs (203 lines):

diff -r 19b9e8212259 -r f5480caffa92 mail/prayer/distinfo
--- a/mail/prayer/distinfo      Thu Mar 19 11:24:04 2020 +0000
+++ b/mail/prayer/distinfo      Thu Mar 19 11:30:26 2020 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.18 2017/08/19 00:24:50 jlam Exp $
+$NetBSD: distinfo,v 1.19 2020/03/19 11:30:26 nia Exp $
 
 SHA1 (prayer-1.3.5.tar.gz) = cce72edba8859b2c4e71799a7f93a420326f87b6
 RMD160 (prayer-1.3.5.tar.gz) = 8c2c9a4ddb723c8defd7f8742d529de0b6dbaa89
@@ -9,7 +9,9 @@
 SHA1 (patch-files_install.sh) = 8590e20625cda6b37e517e24df18ce27eedbbe5d
 SHA1 (patch-lib_os.c) = 7e9646b4aaa2518152f3c338ea22700e71f5c8be
 SHA1 (patch-lib_os__bsd.h) = b64c720e1ddbcf1756c05fed505aca00a7c61b8f
+SHA1 (patch-lib_ssl.c) = d32c2d1fb0771ba0192c5ed8e1a3e509b090a5b0
 SHA1 (patch-man_Makefile) = 642e082aa5a2813932c057ef4088256a80831636
 SHA1 (patch-servers_Makefile) = db4f3051d7f22b1bb269b8dcc9977b7aa52dde47
 SHA1 (patch-session_html__secure__tidy.c) = e6a0c0252c09655dbf894cc94107d6cf92839c8b
+SHA1 (patch-shared_config.c) = 9aefcc6e97d5dc14320a2afab7495f867ca3288b
 SHA1 (patch-utils_Makefile) = 12e95f0603fcb8b83fb20ab737fe2943ecba26b3
diff -r 19b9e8212259 -r f5480caffa92 mail/prayer/patches/patch-lib_ssl.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/mail/prayer/patches/patch-lib_ssl.c       Thu Mar 19 11:30:26 2020 +0000
@@ -0,0 +1,156 @@
+$NetBSD: patch-lib_ssl.c,v 1.1 2020/03/19 11:30:26 nia Exp $
+
+Bug-Debian: https://bugs.debian.org/828512
+Description: Support OpenSSL 1.1 API changes
+ SSL_CTX_set_tmp_rsa_callback() (used for export-weakened keys) no longer does anything.
+
+Description: Disable SSL 3.0 on client as well as server side
+Author: Magnus Holmgren <holmgren%debian.org@localhost>
+
+--- lib/ssl.c.orig     2020-03-19 11:24:27.753715164 +0000
++++ lib/ssl.c
+@@ -78,17 +78,6 @@ static void os_initialize_prng(struct ss
+     int totbytes = 0;
+     int bytes;
+ 
+-    if (ssl_config->egd_socket) {
+-        if ((bytes = RAND_egd(ssl_config->egd_socket)) == -1) {
+-            log_fatal("EGD Socket %s failed", ssl_config->egd_socket);
+-        } else {
+-            totbytes += bytes;
+-            log_debug("Snagged %d random bytes from EGD Socket %s",
+-                      bytes, ssl_config->egd_socket);
+-            goto SEEDED;        /* ditto */
+-        }
+-    }
+-
+     /* Try the good-old default /dev/urandom, if available  */
+     totbytes += add_rand_file("/dev/urandom");
+     if (prng_seeded(totbytes)) {
+@@ -212,6 +201,8 @@ static int new_session_cb(SSL * ssl, SSL
+     unsigned char *data = NULL, *asn;
+     time_t expire;
+     int ret = -1;
++    unsigned int session_id_length;
++    unsigned char *session_id = SSL_SESSION_get_id(sess, &session_id_length);
+ 
+     if (!sess_dbopen)
+         return 0;
+@@ -241,8 +232,7 @@ static int new_session_cb(SSL * ssl, SSL
+     if (data && len) {
+         /* store the session in our database */
+         do {
+-            ret = DB->store(sessdb, (void *) sess->session_id,
+-                            sess->session_id_length,
++            ret = DB->store(sessdb, (void *) session_id, session_id_length,
+                             (void *) data, len + sizeof(time_t), NULL);
+         }
+         while (ret == MYDB_AGAIN);
+@@ -255,8 +245,8 @@ static int new_session_cb(SSL * ssl, SSL
+     if (ssl_verbose_logging) {
+         int i;
+         char idstr[SSL_MAX_SSL_SESSION_ID_LENGTH * 2 + 1];
+-        for (i = 0; i < sess->session_id_length; i++)
+-            sprintf(idstr + i * 2, "%02X", sess->session_id[i]);
++        for (i = 0; i < session_id_length; i++)
++            sprintf(idstr + i * 2, "%02X", session_id[i]);
+ 
+         log_debug("new SSL session: id=%s, expire=%s, status=%s",
+                   idstr, ctime(&expire), ret ? "failed" : "ok");
+@@ -298,7 +288,10 @@ static void remove_session(unsigned char
+  */
+ static void remove_session_cb(SSL_CTX * ctx, SSL_SESSION * sess)
+ {
+-    remove_session(sess->session_id, sess->session_id_length);
++    unsigned int session_id_length;
++    unsigned char *session_id = SSL_SESSION_get_id(sess, &session_id_length);
++
++    remove_session(session_id, session_id_length);
+ }
+ 
+ /*
+@@ -387,15 +380,16 @@ void ssl_context_init(struct ssl_config 
+     SSL_load_error_strings();
+ 
+     /* Set up client context: only used by accountd */
+-    client_ctx = SSL_CTX_new(SSLv3_client_method());
++    client_ctx = SSL_CTX_new(SSLv23_client_method());
+     SSL_CTX_set_session_cache_mode(client_ctx, SSL_SESS_CACHE_BOTH);
+     SSL_CTX_set_info_callback(client_ctx, info_callback);
+ #ifdef SSL_MODE_AUTO_RETRY
+     SSL_CTX_set_mode(client_ctx, SSL_MODE_AUTO_RETRY);
+ #endif
+-
+-    if (SSL_CTX_need_tmp_RSA(client_ctx))
+-        SSL_CTX_set_tmp_rsa_callback(client_ctx, rsa_callback);
++    /* SSLv2 now obsolete */
++    SSL_CTX_set_options(client_ctx, SSL_OP_NO_SSLv2);
++    /* SSLv3 now also obsolete */
++    SSL_CTX_set_options(client_ctx, SSL_OP_NO_SSLv3);
+ 
+     /* Don't bother with session cache for client side: not enough
+      * connections to worry about caching */
+@@ -420,6 +414,8 @@ void ssl_context_init(struct ssl_config 
+ 
+     /* SSLv2 now obsolete */
+     SSL_CTX_set_options(server_ctx, SSL_OP_NO_SSLv2);
++    /* SSLv3 now also obsolete */
++    SSL_CTX_set_options(server_ctx, SSL_OP_NO_SSLv3);
+ 
+     /* Start off with the session cache disabled */
+     SSL_CTX_set_session_cache_mode(server_ctx, SSL_SESS_CACHE_OFF);
+@@ -503,10 +499,6 @@ void ssl_context_init(struct ssl_config 
+         log_fatal("SSL_CTX_set_options(SSL_OP_CIPHER_SERVER_PREFERENCE)"
+                   "failed");
+ 
+-    /* Set up RSA temporary key callback routine */
+-    if (SSL_CTX_need_tmp_RSA(server_ctx))
+-        SSL_CTX_set_tmp_rsa_callback(server_ctx, rsa_callback);
+-
+     /* Initialise RSA temporary key (will take a couple of secs to complete) */
+     ssl_init_rsakey(ssl_config);
+ }
+@@ -615,7 +607,7 @@ void *ssl_start_server(int fd, unsigned 
+     else
+         log_debug("SSL: No client certificate");
+ 
+-    switch (ssl->session->ssl_version) {
++    switch (SSL_version(ssl)) {
+     case SSL2_VERSION:
+         ver = "SSLv2";
+         break;
+@@ -625,6 +617,12 @@ void *ssl_start_server(int fd, unsigned 
+     case TLS1_VERSION:
+         ver = "TLSv1";
+         break;
++    case TLS1_1_VERSION:
++        ver = "TLSv1.1";
++        break;
++    case TLS1_2_VERSION:
++        ver = "TLSv1.2";
++        break;
+     default:
+         ver = "UNKNOWN";
+     }
+@@ -668,7 +666,7 @@ void *ssl_start_client(int fd, unsigned 
+ 
+     /* Verify certificate here? Need local context to play with? */
+ 
+-    switch (((SSL *) ssl)->session->ssl_version) {
++    switch (SSL_version(ssl)) {
+     case SSL2_VERSION:
+         ver = "SSLv2";
+         break;
+@@ -678,6 +676,12 @@ void *ssl_start_client(int fd, unsigned 
+     case TLS1_VERSION:
+         ver = "TLSv1";
+         break;
++    case TLS1_1_VERSION:
++        ver = "TLSv1.1";
++        break;
++    case TLS1_2_VERSION:
++        ver = "TLSv1.2";
++        break;
+     default:
+         ver = "UNKNOWN";
+     }
diff -r 19b9e8212259 -r f5480caffa92 mail/prayer/patches/patch-shared_config.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/mail/prayer/patches/patch-shared_config.c Thu Mar 19 11:30:26 2020 +0000
@@ -0,0 +1,20 @@
+$NetBSD: patch-shared_config.c,v 1.1 2020/03/19 11:30:26 nia Exp $
+
+Bug-Debian: https://bugs.debian.org/828512
+Description: Support OpenSSL 1.1 API changes
+ SSL_CTX_set_tmp_rsa_callback() (used for export-weakened keys) no longer does anything.
+
+--- shared/config.c.orig       2012-06-30 14:30:08.000000000 +0000
++++ shared/config.c
+@@ -455,9 +455,9 @@ static struct {
+     "draft_att_total_max", config_number, OFFSET(draft_att_total_max)}
+     , {
+     "dualuse", config_bool, OFFSET(dualuse)}
+-    , {
++    , /*{
+     "egd_socket", config_path, OFFSET(egd_socket)}
+-    , {
++    , */{
+     "expunge_on_exit", config_bool, OFFSET(expunge_on_exit)}
+     , {
+     "fatal_dump_core", config_bool, OFFSET(fatal_dump_core)}



Home | Main Index | Thread Index | Old Index