NetBSD Problem Report #53401
From www@NetBSD.org Wed Jun 27 02:03:28 2018
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 363987A0D9
for <gnats-bugs@gnats.NetBSD.org>; Wed, 27 Jun 2018 02:03:28 +0000 (UTC)
Message-Id: <20180627020326.5D9C17A1B1@mollari.NetBSD.org>
Date: Wed, 27 Jun 2018 02:03:26 +0000 (UTC)
From: jdbaker@mylinuxisp.com
Reply-To: jdbaker@consolidated.net
To: gnats-bugs@NetBSD.org
Subject: mail/sendmail build fails with OpenSSL 1.1 in -current
X-Send-Pr-Version: www-1.0
>Number: 53401
>Notify-List: jdbaker@consolidated.net, jnemeth@NetBSD.org
>Category: pkg
>Synopsis: mail/sendmail build fails with OpenSSL 1.1 in -current
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: jnemeth
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Jun 27 02:05:00 +0000 2018
>Closed-Date: Sun Feb 03 07:22:29 +0000 2019
>Last-Modified: Sun Feb 03 07:22:29 +0000 2019
>Originator: John D. Baker
>Release: NetBSD/sparc-8.99.21, pkgsrc-HEAD (pre-pkgsrc-2018Q2)
>Organization:
>Environment:
NetBSD david.technoskunk.fur 8.99.21 NetBSD 8.99.21 (DAVID) #25: Tue Jun 26 13:37:45 CDT 2018 sysop@plex760.technoskunk.fur:/r0/build/current/obj/sparc/sys/arch/sparc/compile/DAVID sparc
>Description:
I last built "mail/sendmail" on this system exactly one year ago and
would have been none the wiser if my ISP had not started requiring
authentication for relay.
Setting about building with the "sasl" option enabled, the build
eventually failed in the stage-install phase with:
[...]
=> Checking file-check results for sendmail-8.15.2nb2
ERROR: ************************************************************
ERROR: The following files are in the PLIST but not in /var/tmp/pkgsrc/mail/sendmail/work/.destdir/usr/pkg:
ERROR: /var/tmp/pkgsrc/mail/sendmail/work/.destdir/usr/pkg/bin/hoststat
ERROR: /var/tmp/pkgsrc/mail/sendmail/work/.destdir/usr/pkg/bin/mailq
ERROR: /var/tmp/pkgsrc/mail/sendmail/work/.destdir/usr/pkg/bin/newaliases
ERROR: /var/tmp/pkgsrc/mail/sendmail/work/.destdir/usr/pkg/bin/purgestat
ERROR: /var/tmp/pkgsrc/mail/sendmail/work/.destdir/usr/pkg/libexec/sendmail/sendmail
ERROR: /var/tmp/pkgsrc/mail/sendmail/work/.destdir/usr/pkg/man/man1/mailq.1
ERROR: /var/tmp/pkgsrc/mail/sendmail/work/.destdir/usr/pkg/man/man1/newaliases.1
ERROR: /var/tmp/pkgsrc/mail/sendmail/work/.destdir/usr/pkg/man/man5/aliases.5
ERROR: /var/tmp/pkgsrc/mail/sendmail/work/.destdir/usr/pkg/man/man8/sendmail.8
*** Error code 1
Stop.
make[1]: stopped in /x/pkgsrc/mail/sendmail
*** Error code 1
Stop.
make: stopped in /x/pkgsrc/mail/sendmail
This is also seen in the bulk-build reports:
http://mail-index.netbsd.org/pkgsrc-bulk/2018/06/05/msg016020.html
http://mail-index.netbsd.org/pkgsrc-bulk/2018/06/23/msg016088.html
The actual error occurs much earlier, but the build continues
anyway:
[...]
cc -O -I. -I../../include -DNEWDB -DNIS -DMAP_REGEX -DSOCKETMAP -DLDAPMAP -D_FFR_LDAP_NETWORK_TIMEOUT -I/usr/pkg/include -DSMRSH_CMDDIR=\"/usr/pkg/libexec/sm.bin\" -DNETINET6 -DNEEDSGETIPNODE -DTCPWRAPPERS -DSASL=2 -DNAMED_RESN=0 -D_FFR_USE_GETPWNAM_ERRNO=1 -DMILTER -DSTARTTLS -DLDAP_DEPRECATED -I/usr/include -I/usr/pkg/include -c tls.c
tls.c: In function 'get_dh512':
tls.c:70:4: error: dereferencing pointer to incomplete type 'DH {aka struct dh_st}'
dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
^~
tls.c: In function 'inittls':
tls.c:929:22: warning: implicit declaration of function 'BIO_s_file_internal' [-Wimplicit-function-declaration]
crl_file = BIO_new(BIO_s_file_internal());
^~~~~~~~~~~~~~~~~~~
tls.c:929:22: warning: passing argument 1 of 'BIO_new' makes pointer from integer without a cast [-Wint-conversion]
In file included from /usr/include/openssl/ssl.h:48:0,
from ./sendmail.h:125,
from tls.c:11:
/usr/include/openssl/bio.h:535:6: note: expected 'const BIO_METHOD * {aka const struct bio_method_st *}' but argument is of type 'int'
BIO *BIO_new(const BIO_METHOD *type);
^~~~~~~
tls.c:1006:6: warning: 'RSA_generate_key' is deprecated [-Wdeprecated-declarations]
(rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL,
^
In file included from /usr/include/openssl/rsa.h:13:0,
from /usr/include/openssl/x509.h:31,
from /usr/include/openssl/ssl.h:50,
from ./sendmail.h:125,
from tls.c:11:
/usr/include/openssl/rsa.h:193:1: note: declared here
DEPRECATEDIN_0_9_8(RSA *RSA_generate_key(int bits, unsigned long e, void
^
tls.c:1213:4: warning: 'DSA_generate_parameters' is deprecated [-Wdeprecated-declarations]
dsa = DSA_generate_parameters(bits, NULL, 0, NULL,
^~~
In file included from /usr/include/openssl/dh.h:13:0,
from /usr/include/openssl/dsa.h:31,
from /usr/include/openssl/x509.h:32,
from /usr/include/openssl/ssl.h:50,
from ./sendmail.h:125,
from tls.c:11:
/usr/include/openssl/dsa.h:122:1: note: declared here
DEPRECATEDIN_0_9_8(DSA *DSA_generate_parameters(int bits,
^
tls.c: In function 'tmp_rsa_key':
tls.c:1747:2: warning: 'RSA_generate_key' is deprecated [-Wdeprecated-declarations]
rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL, NULL);
^~~~~~~
In file included from /usr/include/openssl/rsa.h:13:0,
from /usr/include/openssl/x509.h:31,
from /usr/include/openssl/ssl.h:50,
from ./sendmail.h:125,
from tls.c:11:
/usr/include/openssl/rsa.h:193:1: note: declared here
DEPRECATEDIN_0_9_8(RSA *RSA_generate_key(int bits, unsigned long e, void
^
tls.c: In function 'x509_verify_cb':
tls.c:1974:10: error: dereferencing pointer to incomplete type 'X509_STORE_CTX {aka struct x509_store_ctx_st}'
if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL)
^~
*** Error code 1
Stop.
make[1]: stopped in /var/tmp/pkgsrc/mail/sendmail/work/sendmail-8.15.2/obj.NetBSD.8.99.21.sparc/sendmail
[...]
>How-To-Repeat:
Build "mail/sendmail" on any -current system after the import of
OpenSSL v1.1.
>Fix:
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: pkg-manager->jnemeth
Responsible-Changed-By: bsiegert@NetBSD.org
Responsible-Changed-When: Sun, 08 Jul 2018 10:22:44 +0000
Responsible-Changed-Why:
Over to Sendmail maintainer.
From: Brett Lymn <blymn@internode.on.net>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: pkg/53401
Date: Fri, 16 Nov 2018 18:00:52 +1030
--ctP54qlpMx3WjD+/
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
The following lightly edited patch comes from the Debian people and
fixes the issue with compiling sendmail against openssl 1.1.
Tested working on my machine.
--
Brett Lymn
Let go, or be dragged - Zen proverb.
--ctP54qlpMx3WjD+/
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=patch-bk
From 02edb8d94682fcf13a7e98618294e06f728e66e6 Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Sat, 10 Sep 2016 19:27:17 +0000
Subject: [PATCH] sendmail: compile against openssl 1.1.0
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
---
debian/configure.ac | 13 +++--
sendmail/tls.c | 165 +++++++++++++++++++++++++++++++++++++++-------------
2 files changed, 132 insertions(+), 46 deletions(-)
diff --git a/sendmail/tls.c b/sendmail/tls.c
index 6b0ea25..6a10890 100644
--- sendmail/tls.c
+++ sendmail/tls.c
@@ -60,18 +60,58 @@ static unsigned char dh512_g[] =
0x02
};
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+
+static inline int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+{
+ /* If the fields p and g in d are NULL, the corresponding input
+ * parameters MUST be non-NULL. q may remain NULL.
+ */
+ if ((dh->p == NULL && p == NULL)
+ || (dh->g == NULL && g == NULL))
+ return 0;
+
+ if (p != NULL) {
+ BN_free(dh->p);
+ dh->p = p;
+ }
+ if (q != NULL) {
+ BN_free(dh->q);
+ dh->q = q;
+ }
+ if (g != NULL) {
+ BN_free(dh->g);
+ dh->g = g;
+ }
+
+ if (q != NULL) {
+ dh->length = BN_num_bits(q);
+ }
+
+ return 1;
+}
+#endif
+
static DH *
get_dh512()
{
DH *dh = NULL;
-
- if ((dh = DH_new()) == NULL)
- return NULL;
- dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
- dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
- if ((dh->p == NULL) || (dh->g == NULL))
- return NULL;
+ BIGNUM *p;
+ BIGNUM *g;
+
+ dh = DH_new();
+ p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
+ g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
+ if (!dh || !p || !g)
+ goto err;
+ if (!DH_set0_pqg(dh, p, NULL, g))
+ goto err;
return dh;
+err:
+ DH_free(dh);
+ BN_free(p);
+ BN_free(g);
+ return NULL;
}
# if 0
@@ -117,17 +157,22 @@ get_dh2048()
};
static unsigned char dh2048_g[]={ 0x02, };
DH *dh;
-
- if ((dh=DH_new()) == NULL)
- return(NULL);
- dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
- dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
- if ((dh->p == NULL) || (dh->g == NULL))
- {
- DH_free(dh);
- return(NULL);
- }
+ BIGNUM *p;
+ BIGNUM *g;
+
+ dh = DH_new();
+ p = BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
+ g = BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
+ if (!dh || !p || !g)
+ goto err;
+ if (!DH_set0_pqg(dh, p, NULL, g))
+ goto err;
return(dh);
+err:
+ DH_free(dh);
+ BN_free(p);
+ BN_free(g);
+ return NULL;
}
# endif /* !NO_DH */
@@ -926,7 +971,7 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
{
/* get a pointer to the current certificate validation store */
store = SSL_CTX_get_cert_store(*ctx); /* does not fail */
- crl_file = BIO_new(BIO_s_file_internal());
+ crl_file = BIO_new(BIO_s_file());
if (crl_file != NULL)
{
if (BIO_read_filename(crl_file, CRLFile) >= 0)
@@ -1000,26 +1045,41 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
** maybe we should do it only on demand...
*/
- if (bitset(TLS_I_RSA_TMP, req)
# if SM_CONF_SHM
- && ShmId != SM_SHM_NO_ID &&
- (rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL,
- NULL)) == NULL
-# else /* SM_CONF_SHM */
- && 0 /* no shared memory: no need to generate key now */
-# endif /* SM_CONF_SHM */
- )
+ if (bitset(TLS_I_RSA_TMP, req)
+ && ShmId != SM_SHM_NO_ID)
{
- if (LogLevel > 7)
+ BIGNUM *bn;
+
+ bn = BN_new();
+ rsa_tmp = RSA_new();
+ if (!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4)) {
+ RSA_free(rsa_tmp);
+ rsa_tmp = NULL;
+ }
+ if (rsa_tmp)
{
- sm_syslog(LOG_WARNING, NOQID,
- "STARTTLS=%s, error: RSA_generate_key failed",
- who);
- if (LogLevel > 9)
- tlslogerr(LOG_WARNING, who);
+ if (!RSA_generate_key_ex(rsa_tmp, RSA_KEYLENGTH, bn, NULL))
+ {
+ RSA_free(rsa_tmp);
+ rsa_tmp = NULL;
+ }
+ }
+ BN_free(bn);
+ if (!rsa_tmp)
+ {
+ if (LogLevel > 7)
+ {
+ sm_syslog(LOG_WARNING, NOQID,
+ "STARTTLS=%s, error: RSA_generate_key failed",
+ who);
+ if (LogLevel > 9)
+ tlslogerr(LOG_WARNING, who);
+ }
+ return false;
}
- return false;
}
+# endif /* SM_CONF_SHM */
# endif /* !TLS_NO_RSA */
/*
@@ -1210,9 +1270,15 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
sm_dprintf("inittls: Generating %d bit DH parameters\n", bits);
/* this takes a while! */
- dsa = DSA_generate_parameters(bits, NULL, 0, NULL,
- NULL, 0, NULL);
- dh = DSA_dup_DH(dsa);
+ dsa = DSA_new();
+ if (dsa) {
+ int r;
+
+ r = DSA_generate_parameters_ex(dsa, bits, NULL, 0,
+ NULL, NULL, NULL);
+ if (r != 0)
+ dh = DSA_dup_DH(dsa);
+ }
DSA_free(dsa);
}
else if (dh == NULL && bitset(TLS_I_DHFIXED, req))
@@ -1733,6 +1799,9 @@ tmp_rsa_key(s, export, keylength)
int export;
int keylength;
{
+ BIGNUM *bn;
+ int ret;
+
# if SM_CONF_SHM
extern int ShmId;
extern int *PRSATmpCnt;
@@ -1742,10 +1811,22 @@ tmp_rsa_key(s, export, keylength)
return rsa_tmp;
# endif /* SM_CONF_SHM */
- if (rsa_tmp != NULL)
- RSA_free(rsa_tmp);
- rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL, NULL);
- if (rsa_tmp == NULL)
+ if (rsa_tmp == NULL) {
+ rsa_tmp = RSA_new();
+ if (!rsa_tmp)
+ return NULL;
+ }
+
+ bn = BN_new();
+ if (!bn)
+ return NULL;
+ if (!BN_set_word(bn, RSA_F4)) {
+ BN_free(bn);
+ return NULL;
+ }
+ ret = RSA_generate_key_ex(rsa_tmp, RSA_KEYLENGTH, bn, NULL);
+ BN_free(bn);
+ if (!ret)
{
if (LogLevel > 0)
sm_syslog(LOG_ERR, NOQID,
@@ -1971,9 +2052,9 @@ x509_verify_cb(ok, ctx)
{
if (LogLevel > 13)
tls_verify_log(ok, ctx, "x509");
- if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL)
+ if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL)
{
- ctx->error = 0;
+ X509_STORE_CTX_set_error(ctx, 0);
return 1; /* override it */
}
}
--
2.9.3
--ctP54qlpMx3WjD+/--
From: "John D. Baker" <jdbaker@consolidated.net>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: pkg/53401: mail/sendmail build fails with OpenSSL 1.1 in -current
Date: Sun, 2 Dec 2018 11:38:34 -0600 (CST)
On Fri, 16 Nov 2018, Brett Lymn wrote:
> The following lightly edited patch comes from the Debian people and
> fixes the issue with compiling sendmail against openssl 1.1.
>
> Tested working on my machine.
I've put this in my LOCALPATCHES tree and it does indeed allow sendmail
to build on -current (sparc-8.99.26 for me). I have not yet performed
a functional test, but expect to do so soon-ish.
Any possibility of adding to pkgsrc patches or upstreaming?
Thanks.
--
|/"\ John D. Baker, KN5UKS NetBSD Darwin/MacOS X
|\ / jdbaker[snail]consolidated[flyspeck]net OpenBSD FreeBSD
| X No HTML/proprietary data in email. BSD just sits there and works!
|/ \ GPGkeyID: D703 4A7E 479F 63F8 D3F4 BD99 9572 8F23 E4AD 1645
From: "John D. Baker" <jdbaker@consolidated.net>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: pkg/53401: mail/sendmail build fails with OpenSSL 1.1 in -current
Date: Tue, 4 Dec 2018 08:24:22 -0600 (CST)
On Sun, 2 Dec 2018, John D. Baker wrote:
> On Fri, 16 Nov 2018, Brett Lymn wrote:
>
> > The following lightly edited patch comes from the Debian people and
> > fixes the issue with compiling sendmail against openssl 1.1.
> >
> > Tested working on my machine.
>
> I've put this in my LOCALPATCHES tree and it does indeed allow sendmail
> to build on -current (sparc-8.99.26 for me). I have not yet performed
> a functional test, but expect to do so soon-ish.
My sendmail built with this patch appears to function properly (my ISP
recently implemented SMTP_AUTH w/STARTTLS, so I need working SSL/TLS
support in sendmail, etc.)
Please note that my email address has changed, so addenda to this and
any other PRs originated by me will start bouncing after 31 December.
Please change the email address associated with these PRs to:
jdbaker@consolidated.net
Thanks.
--
|/"\ John D. Baker, KN5UKS NetBSD Darwin/MacOS X
|\ / jdbaker[snail]consolidated[flyspeck]net OpenBSD FreeBSD
| X No HTML/proprietary data in email. BSD just sits there and works!
|/ \ GPGkeyID: D703 4A7E 479F 63F8 D3F4 BD99 9572 8F23 E4AD 1645
From: "Benny Siegert" <bsiegert@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/53401 CVS commit: pkgsrc/mail/sendmail
Date: Wed, 5 Dec 2018 12:10:21 +0000
Module Name: pkgsrc
Committed By: bsiegert
Date: Wed Dec 5 12:10:21 UTC 2018
Modified Files:
pkgsrc/mail/sendmail: Makefile distinfo
Added Files:
pkgsrc/mail/sendmail/patches: patch-bk
Log Message:
Fix sendmail with OpenSSL 1.1.
"Lightly edited" patch from Debian via PR pkg/53401.
Bump revision.
To generate a diff of this commit:
cvs rdiff -u -r1.129 -r1.130 pkgsrc/mail/sendmail/Makefile
cvs rdiff -u -r1.57 -r1.58 pkgsrc/mail/sendmail/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/mail/sendmail/patches/patch-bk
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->feedback
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Tue, 29 Jan 2019 06:58:11 +0000
State-Changed-Why:
committed; ok to close?
From: "John D. Baker" <jdbaker@consolidated.net>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: pkg/53401 (mail/sendmail build fails with OpenSSL 1.1 in -current)
Date: Tue, 29 Jan 2019 08:54:24 -0600 (CST)
On Tue, 29 Jan 2019, dholland@NetBSD.org wrote:
> State-Changed-From-To: open->feedback
> State-Changed-By: dholland@NetBSD.org
> State-Changed-When: Tue, 29 Jan 2019 06:58:11 +0000
> State-Changed-Why:
> committed; ok to close?
It built without problems on 8.99.30/sparc (and still on netbsd-[78]/sparc)
and seems to work. So, yes, this PR can be closed.
Thanks.
--
|/"\ John D. Baker, KN5UKS NetBSD Darwin/MacOS X
|\ / jdbaker[snail]consolidated[flyspeck]net OpenBSD FreeBSD
| X No HTML/proprietary data in email. BSD just sits there and works!
|/ \ GPGkeyID: D703 4A7E 479F 63F8 D3F4 BD99 9572 8F23 E4AD 1645
State-Changed-From-To: feedback->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Sun, 03 Feb 2019 07:22:29 +0000
State-Changed-Why:
Confirmed fixed, thanks.
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.43 2018/01/16 07:36:43 maya Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2017
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.
Home