mail-mta/opensmtpd: remove ancient ~6.0.3_p1 version

Closes: https://bugs.gentoo.org/710754
Package-Manager: Portage-2.3.88, Repoman-2.3.20
Signed-off-by: Jason A. Donenfeld <zx2c4@gentoo.org>

diff --git a/mail-mta/opensmtpd/Manifest b/mail-mta/opensmtpd/Manifest
index 0c001fb94e6ed2ec6c7b7a5935b9c237a8848254..ef56b7e6d94a6b19f8e22f54034e24b68af14fb2 100644 (file)
--- a/mail-mta/opensmtpd/Manifest
+++ b/mail-mta/opensmtpd/Manifest
@@ -1,2 +1 @@
-DIST opensmtpd-6.0.3p1.tar.gz 699702 BLAKE2B 49f08e8329adc049a562b6ef7efa4c0a39cbcfe8a158cb905cfc726a7302ffe9833ccfb52041340767d55d0f2ae2087e8eac92b7359016c6c76b4d963a334558 SHA512 e579818a0ddbe637deb5a4e40f43eaf797783903ceac18fd89a57581b135b9e407d424e1a70ff7b4b06a0ee50bafb6e8ab2451371917887904b06ff1b55d320f
 DIST opensmtpd-6.6.4p1.tar.gz 790754 BLAKE2B 18cc19569ae764eff3d672cbfb87df7bd00afcce93705ad128e935c0a47a246c3a6166fca7b6f844c0dd5e728492d8aeb7e0f8a8c1f5a756bf356ae9afb80852 SHA512 267307c91f4fcf21624b0897dfb1f5638b77da7b8d9a02211d734ed2cc5bd39ea7542ae7f200255e2945518fbe7609a0e5aa4e5c6dcb8146014f08b3845c108b

diff --git a/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-fix-crash-on-auth.patch b/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-fix-crash-on-auth.patch
deleted file mode 100644 (file)
index c20b5e0..0000000
--- a/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-fix-crash-on-auth.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 9b5f70b93e038df5446bd37a4adac5a0380748e7 Mon Sep 17 00:00:00 2001
-From: johannes <johannes.brechtmann@gmail.com>
-Date: Wed, 21 Feb 2018 23:57:11 +0100
-Subject: [PATCH] crypt_checkpass: include HAVE_CRYPT_H definition, add NULL
- check
-
----
- openbsd-compat/crypt_checkpass.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/openbsd-compat/crypt_checkpass.c b/openbsd-compat/crypt_checkpass.c
-index dafd2dae..d10b3a57 100644
---- a/openbsd-compat/crypt_checkpass.c
-+++ b/openbsd-compat/crypt_checkpass.c
-@@ -1,5 +1,6 @@
- /* OPENBSD ORIGINAL: lib/libc/crypt/cryptutil.c */
- 
-+#include "includes.h"
- #include <errno.h>
- #ifdef HAVE_CRYPT_H
- #include <crypt.h>
-@@ -10,6 +11,8 @@
- int
- crypt_checkpass(const char *pass, const char *goodhash)
- {
-+      char *c;
-+
-       if (goodhash == NULL)
-               goto fail;
- 
-@@ -17,7 +20,11 @@ crypt_checkpass(const char *pass, const char *goodhash)
-       if (strlen(goodhash) == 0 && strlen(pass) == 0)
-               return 0;
- 
--      if (strcmp(crypt(pass, goodhash), goodhash) == 0)
-+      c = crypt(pass, goodhash);
-+      if (c == NULL)
-+              goto fail;
-+
-+      if (strcmp(c, goodhash) == 0)
-               return 0;
- 
- fail:

diff --git a/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-openssl_1.1.patch b/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-openssl_1.1.patch
deleted file mode 100644 (file)
index 40a62ae..0000000
--- a/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-openssl_1.1.patch
+++ /dev/null
@@ -1,722 +0,0 @@
-Description: Enable support for OpenSSL 1.1
-Author: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
-        Ryan Kavanagh <rak@debian.org>
-Origin: Debian
-Bug: https://github.com/OpenSMTPD/OpenSMTPD/issues/738
-Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859544
-Forwarded: https://github.com/OpenSMTPD/OpenSMTPD/pull/825
-Last-Update: 2018-03-18
----
-This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
-diff --git a/openbsd-compat/libressl.c b/openbsd-compat/libressl.c
-index f4f2b52e..d06e006f 100644
---- a/openbsd-compat/libressl.c
-+++ b/openbsd-compat/libressl.c
-@@ -81,14 +81,14 @@ SSL_CTX_use_certificate_chain(SSL_CTX *ctx, char *buf, off_t len)
-       x = ca = NULL;
- 
-       if ((in = BIO_new_mem_buf(buf, len)) == NULL) {
--              SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
-+              SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
-               goto end;
-       }
- 
-       if ((x = PEM_read_bio_X509(in, NULL,
--                  ctx->default_passwd_callback,
--                  ctx->default_passwd_callback_userdata)) == NULL) {
--              SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
-+                  SSL_CTX_get_default_passwd_cb(ctx),
-+                  SSL_CTX_get_default_passwd_cb_userdata(ctx))) == NULL) {
-+              SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PEM_LIB);
-               goto end;
-       }
- 
-@@ -99,14 +99,11 @@ SSL_CTX_use_certificate_chain(SSL_CTX *ctx, char *buf, off_t len)
-        * the CA certificates.
-        */
- 
--      if (ctx->extra_certs != NULL) {
--              sk_X509_pop_free(ctx->extra_certs, X509_free);
--              ctx->extra_certs = NULL;
--      }
-+      SSL_CTX_clear_extra_chain_certs(ctx);
- 
-       while ((ca = PEM_read_bio_X509(in, NULL,
--                  ctx->default_passwd_callback,
--                  ctx->default_passwd_callback_userdata)) != NULL) {
-+                  SSL_CTX_get_default_passwd_cb(ctx),
-+                  SSL_CTX_get_default_passwd_cb_userdata(ctx))) != NULL) {
- 
-               if (!SSL_CTX_add_extra_chain_cert(ctx, ca))
-                       goto end;
-diff --git a/smtpd/ca.c b/smtpd/ca.c
-index e383c6a1..29a44b9b 100644
---- a/smtpd/ca.c
-+++ b/smtpd/ca.c
-@@ -170,6 +170,190 @@ ca_verify_cb(int ok, X509_STORE_CTX *ctx)
-       return ok;
- }
- 
-+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
-+
-+static int RSA_meth_get_flags(RSA_METHOD *meth)
-+{
-+      return meth->flags;
-+}
-+
-+static int RSA_meth_set_flags(RSA_METHOD *meth, int flags)
-+{
-+      meth->flags = flags;
-+      return 1;
-+}
-+
-+static void *RSA_meth_get0_app_data(const RSA_METHOD *meth)
-+{
-+      return meth->app_data;
-+}
-+
-+static int RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data)
-+{
-+      meth->app_data = app_data;
-+      return 1;
-+}
-+
-+static int (*RSA_meth_get_pub_enc(const RSA_METHOD *meth))
-+(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
-+{
-+      return meth->rsa_pub_enc;
-+}
-+
-+static int RSA_meth_set_pub_enc(RSA_METHOD *meth,
-+      int (*pub_enc) (int flen, const unsigned char *from,
-+                      unsigned char *to, RSA *rsa,
-+                      int padding))
-+{
-+      meth->rsa_pub_enc = pub_enc;
-+      return 1;
-+}
-+
-+static int (*RSA_meth_get_pub_dec(const RSA_METHOD *meth))
-+(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
-+{
-+      return meth->rsa_pub_dec;
-+}
-+
-+static int (*RSA_meth_get_priv_enc(const RSA_METHOD *meth))
-+(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
-+{
-+      return meth->rsa_priv_enc;
-+}
-+
-+int RSA_meth_set_priv_enc(RSA_METHOD *meth,
-+  int (*priv_enc) (int flen, const unsigned char *from,
-+  unsigned char *to, RSA *rsa, int padding))
-+{
-+      meth->rsa_priv_enc = priv_enc;
-+      return 1;
-+}
-+
-+static int (*RSA_meth_get_priv_dec(const RSA_METHOD *meth))
-+(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
-+{
-+      return meth->rsa_priv_dec;
-+}
-+
-+static int RSA_meth_set_priv_dec(RSA_METHOD *meth,
-+  int (*priv_dec) (int flen, const unsigned char *from,
-+  unsigned char *to, RSA *rsa, int padding))
-+{
-+      meth->rsa_priv_dec = priv_dec;
-+      return 1;
-+}
-+
-+static int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth))
-+  (BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
-+{
-+      return meth->rsa_mod_exp;
-+}
-+
-+static int RSA_meth_set_mod_exp(RSA_METHOD *meth,
-+  int (*mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx))
-+{
-+      meth->rsa_mod_exp = mod_exp;
-+      return 1;
-+}
-+
-+static int (*RSA_meth_get_bn_mod_exp(const RSA_METHOD *meth))
-+(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
-+{
-+      return meth->bn_mod_exp;
-+}
-+
-+static int RSA_meth_set_bn_mod_exp(RSA_METHOD *meth, int (*bn_mod_exp)
-+  (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
-+   BN_CTX *ctx, BN_MONT_CTX *m_ctx))
-+{
-+      meth->bn_mod_exp = bn_mod_exp;
-+      return 1;
-+}
-+
-+static int (*RSA_meth_get_init(const RSA_METHOD *meth)) (RSA *rsa)
-+{
-+      return meth->init;
-+}
-+
-+static int RSA_meth_set_init(RSA_METHOD *meth, int (*init) (RSA *rsa))
-+{
-+      meth->init = init;
-+      return 1;
-+}
-+
-+static int (*RSA_meth_get_finish(const RSA_METHOD *meth)) (RSA *rsa)
-+{
-+      return meth->finish;
-+}
-+
-+static int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish) (RSA *rsa))
-+{
-+      meth->finish = finish;
-+      return 1;
-+}
-+
-+static int (*RSA_meth_get_keygen(const RSA_METHOD *meth))
-+  (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb)
-+{
-+      return meth->rsa_keygen;
-+}
-+
-+static int RSA_meth_set_keygen(RSA_METHOD *meth, int (*keygen)
-+  (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb))
-+{
-+      meth->rsa_keygen = keygen;
-+      return 1;
-+}
-+
-+static int (*RSA_meth_get_verify(const RSA_METHOD *meth))
-+  (int dtype, const unsigned char *m,
-+   unsigned int m_length, const unsigned char *sigbuf,
-+   unsigned int siglen, const RSA *rsa)
-+{
-+      if (meth->flags & RSA_FLAG_SIGN_VER)
-+              return meth->rsa_verify;
-+      return NULL;
-+}
-+
-+static int (*RSA_meth_get_sign(const RSA_METHOD *meth))
-+  (int type,
-+   const unsigned char *m, unsigned int m_length,
-+   unsigned char *sigret, unsigned int *siglen,
-+   const RSA *rsa)
-+{
-+      if (meth->flags & RSA_FLAG_SIGN_VER)
-+              return meth->rsa_sign;
-+      return NULL;
-+}
-+
-+static int RSA_meth_set_pub_dec(RSA_METHOD *meth,
-+ int (*pub_dec) (int flen, const unsigned char *from,
-+   unsigned char *to, RSA *rsa, int padding))
-+{
-+      meth->rsa_pub_dec = pub_dec;
-+      return 1;
-+}
-+
-+static RSA_METHOD *RSA_meth_new(const char *name, int flags)
-+{
-+      RSA_METHOD *meth = malloc(sizeof(*meth));
-+
-+      if (meth != NULL) {
-+              memset(meth, 0, sizeof(*meth));
-+              meth->flags = flags;
-+
-+              meth->name = strdup(name);
-+              if (meth->name != NULL)
-+                      return meth;
-+
-+              free(meth);
-+      }
-+
-+      return NULL;
-+}
-+
-+#endif
-+
- int
- ca_X509_verify(void *certificate, void *chain, const char *CAfile,
-     const char *CRLfile, const char **errstr)
-@@ -201,7 +385,7 @@ end:
-       *errstr = NULL;
-       if (ret != 1) {
-               if (xsc)
--                      *errstr = X509_verify_cert_error_string(xsc->error);
-+                      *errstr = X509_verify_cert_error_string(X509_STORE_CTX_get_error(xsc));
-               else if (ERR_peek_last_error())
-                       *errstr = ERR_error_string(ERR_peek_last_error(), NULL);
-       }
-@@ -302,24 +486,9 @@ ca_imsg(struct mproc *p, struct imsg *imsg)
-  * RSA privsep engine (called from unprivileged processes)
-  */
- 
--const RSA_METHOD *rsa_default = NULL;
--
--static RSA_METHOD rsae_method = {
--      "RSA privsep engine",
--      rsae_pub_enc,
--      rsae_pub_dec,
--      rsae_priv_enc,
--      rsae_priv_dec,
--      rsae_mod_exp,
--      rsae_bn_mod_exp,
--      rsae_init,
--      rsae_finish,
--      0,
--      NULL,
--      NULL,
--      NULL,
--      rsae_keygen
--};
-+static const RSA_METHOD *rsa_default = NULL;
-+
-+static const char *rsae_method_name = "RSA privsep engine";
- 
- static int
- rsae_send_imsg(int flen, const unsigned char *from, unsigned char *to,
-@@ -404,7 +573,7 @@ rsae_pub_enc(int flen,const unsigned char *from, unsigned char *to, RSA *rsa,
-     int padding)
- {
-       log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
--      return (rsa_default->rsa_pub_enc(flen, from, to, rsa, padding));
-+      return (RSA_meth_get_pub_enc(rsa_default)(flen, from, to, rsa, padding));
- }
- 
- static int
-@@ -412,7 +581,7 @@ rsae_pub_dec(int flen,const unsigned char *from, unsigned char *to, RSA *rsa,
-     int padding)
- {
-       log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
--      return (rsa_default->rsa_pub_dec(flen, from, to, rsa, padding));
-+      return (RSA_meth_get_pub_dec(rsa_default)(flen, from, to, rsa, padding));
- }
- 
- static int
-@@ -424,7 +593,7 @@ rsae_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa,
-               return (rsae_send_imsg(flen, from, to, rsa, padding,
-                   IMSG_CA_PRIVENC));
-       }
--      return (rsa_default->rsa_priv_enc(flen, from, to, rsa, padding));
-+      return (RSA_meth_get_priv_enc(rsa_default)(flen, from, to, rsa, padding));
- }
- 
- static int
-@@ -436,14 +605,14 @@ rsae_priv_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa,
-               return (rsae_send_imsg(flen, from, to, rsa, padding,
-                   IMSG_CA_PRIVDEC));
-       }
--      return (rsa_default->rsa_priv_dec(flen, from, to, rsa, padding));
-+      return (RSA_meth_get_priv_dec(rsa_default)(flen, from, to, rsa, padding));
- }
- 
- static int
- rsae_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
- {
-       log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
--      return (rsa_default->rsa_mod_exp(r0, I, rsa, ctx));
-+      return (RSA_meth_get_mod_exp(rsa_default)(r0, I, rsa, ctx));
- }
- 
- static int
-@@ -451,34 +620,36 @@ rsae_bn_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
-     const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
- {
-       log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
--      return (rsa_default->bn_mod_exp(r, a, p, m, ctx, m_ctx));
-+      return (RSA_meth_get_bn_mod_exp(rsa_default)(r, a, p, m, ctx, m_ctx));
- }
- 
- static int
- rsae_init(RSA *rsa)
- {
-       log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
--      if (rsa_default->init == NULL)
-+      if (RSA_meth_get_init(rsa_default) == NULL)
-               return (1);
--      return (rsa_default->init(rsa));
-+      return (RSA_meth_get_init(rsa_default)(rsa));
- }
- 
- static int
- rsae_finish(RSA *rsa)
- {
-       log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
--      if (rsa_default->finish == NULL)
-+      if (RSA_meth_get_finish(rsa_default) == NULL)
-               return (1);
--      return (rsa_default->finish(rsa));
-+      return (RSA_meth_get_finish(rsa_default)(rsa));
- }
- 
- static int
- rsae_keygen(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb)
- {
-       log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
--      return (rsa_default->rsa_keygen(rsa, bits, e, cb));
-+      return (RSA_meth_get_keygen(rsa_default)(rsa, bits, e, cb));
- }
- 
-+static RSA_METHOD *rsae_method;
-+
- void
- ca_engine_init(void)
- {
-@@ -490,7 +661,7 @@ ca_engine_init(void)
-                       errstr = "ENGINE_new";
-                       goto fail;
-               }
--              if (!ENGINE_set_name(e, rsae_method.name)) {
-+              if (!ENGINE_set_name(e, rsae_method_name)) {
-                       errstr = "ENGINE_set_name";
-                       goto fail;
-               }
-@@ -503,25 +674,58 @@ ca_engine_init(void)
-               goto fail;
-       }
- 
-+      rsae_method = RSA_meth_new(rsae_method_name, 0);
-+      if (!rsae_method) {
-+              errstr = "RSA_meth_new";
-+              goto fail;
-+      }
-+
-       if ((name = ENGINE_get_name(e)) == NULL)
-               name = "unknown RSA engine";
- 
-       log_debug("debug: %s: using %s", __func__, name);
- 
--      if (rsa_default->flags & RSA_FLAG_SIGN_VER)
-+      if (RSA_meth_get_sign(rsa_default) ||
-+          RSA_meth_get_verify(rsa_default))
-               fatalx("unsupported RSA engine");
- 
--      if (rsa_default->rsa_mod_exp == NULL)
--              rsae_method.rsa_mod_exp = NULL;
--      if (rsa_default->bn_mod_exp == NULL)
--              rsae_method.bn_mod_exp = NULL;
--      if (rsa_default->rsa_keygen == NULL)
--              rsae_method.rsa_keygen = NULL;
--      rsae_method.flags = rsa_default->flags |
--          RSA_METHOD_FLAG_NO_CHECK;
--      rsae_method.app_data = rsa_default->app_data;
--
--      if (!ENGINE_set_RSA(e, &rsae_method)) {
-+      errstr = "Setting callback";
-+      if (!RSA_meth_set_pub_enc(rsae_method, rsae_pub_enc))
-+              goto fail;
-+        if (!RSA_meth_set_pub_dec(rsae_method, rsae_pub_dec))
-+              goto fail;
-+        if (!RSA_meth_set_priv_enc(rsae_method, rsae_priv_enc))
-+              goto fail;
-+        if (!RSA_meth_set_priv_dec(rsae_method, rsae_priv_dec))
-+              goto fail;
-+
-+      if (RSA_meth_get_mod_exp(rsa_default)) {
-+              if (!RSA_meth_set_mod_exp(rsae_method, rsae_mod_exp))
-+                      goto fail;
-+      }
-+
-+      if (RSA_meth_get_bn_mod_exp(rsa_default))
-+              if (!RSA_meth_set_bn_mod_exp(rsae_method, rsae_bn_mod_exp))
-+                      goto fail;
-+        if (!RSA_meth_set_init(rsae_method, rsae_init))
-+              goto fail;
-+        if (!RSA_meth_set_finish(rsae_method, rsae_finish))
-+              goto fail;
-+
-+      if (RSA_meth_get_keygen(rsa_default)) {
-+              if (!RSA_meth_set_keygen(rsae_method, rsae_keygen))
-+                      goto fail;
-+      }
-+
-+      if (!RSA_meth_set_flags(rsae_method,
-+                         RSA_meth_get_flags(rsa_default) |
-+                         RSA_METHOD_FLAG_NO_CHECK))
-+              goto fail;
-+
-+      if (!RSA_meth_set0_app_data(rsae_method, RSA_meth_get0_app_data(rsa_default)))
-+              goto fail;
-+
-+      if (!ENGINE_set_RSA(e, rsae_method)) {
-               errstr = "ENGINE_set_RSA";
-               goto fail;
-       }
-diff --git a/smtpd/crypto.c b/smtpd/crypto.c
-index 76f98807..01452851 100644
---- a/smtpd/crypto.c
-+++ b/smtpd/crypto.c
-@@ -64,7 +64,7 @@ crypto_setup(const char *key, size_t len)
- int
- crypto_encrypt_file(FILE * in, FILE * out)
- {
--      EVP_CIPHER_CTX  ctx;
-+      EVP_CIPHER_CTX  *ctx;
-       uint8_t         ibuf[CRYPTO_BUFFER_SIZE];
-       uint8_t         obuf[CRYPTO_BUFFER_SIZE];
-       uint8_t         iv[IV_SIZE];
-@@ -91,12 +91,14 @@ crypto_encrypt_file(FILE * in, FILE * out)
-       if ((w = fwrite(iv, 1, sizeof iv, out)) != sizeof iv)
-               return 0;
- 
--      EVP_CIPHER_CTX_init(&ctx);
--      EVP_EncryptInit_ex(&ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
-+        ctx = EVP_CIPHER_CTX_new();
-+        if (!ctx)
-+                return 0;
-+      EVP_EncryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
- 
-       /* encrypt until end of file */
-       while ((r = fread(ibuf, 1, CRYPTO_BUFFER_SIZE, in)) != 0) {
--              if (!EVP_EncryptUpdate(&ctx, obuf, &len, ibuf, r))
-+              if (!EVP_EncryptUpdate(ctx, obuf, &len, ibuf, r))
-                       goto end;
-               if (len && (w = fwrite(obuf, len, 1, out)) != 1)
-                       goto end;
-@@ -105,13 +107,13 @@ crypto_encrypt_file(FILE * in, FILE * out)
-               goto end;
- 
-       /* finalize and write last chunk if any */
--      if (!EVP_EncryptFinal_ex(&ctx, obuf, &len))
-+      if (!EVP_EncryptFinal_ex(ctx, obuf, &len))
-               goto end;
-       if (len && (w = fwrite(obuf, len, 1, out)) != 1)
-               goto end;
- 
-       /* get and append tag */
--      EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, sizeof tag, tag);
-+      EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, sizeof tag, tag);
-       if ((w = fwrite(tag, sizeof tag, 1, out)) != 1)
-               goto end;
- 
-@@ -119,14 +121,14 @@ crypto_encrypt_file(FILE * in, FILE * out)
-       ret = 1;
- 
- end:
--      EVP_CIPHER_CTX_cleanup(&ctx);
-+      EVP_CIPHER_CTX_free(ctx);
-       return ret;
- }
- 
- int
- crypto_decrypt_file(FILE * in, FILE * out)
- {
--      EVP_CIPHER_CTX  ctx;
-+      EVP_CIPHER_CTX  *ctx;
-       uint8_t         ibuf[CRYPTO_BUFFER_SIZE];
-       uint8_t         obuf[CRYPTO_BUFFER_SIZE];
-       uint8_t         iv[IV_SIZE];
-@@ -171,11 +173,13 @@ crypto_decrypt_file(FILE * in, FILE * out)
-       sz -= sizeof tag;
- 
- 
--      EVP_CIPHER_CTX_init(&ctx);
--      EVP_DecryptInit_ex(&ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
-+        ctx = EVP_CIPHER_CTX_new();
-+        if (!ctx)
-+                return 0;
-+      EVP_DecryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
- 
-       /* set expected tag */
--      EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, sizeof tag, tag);
-+      EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, sizeof tag, tag);
- 
-       /* decrypt until end of ciphertext */
-       while (sz) {
-@@ -185,7 +189,7 @@ crypto_decrypt_file(FILE * in, FILE * out)
-                       r = fread(ibuf, 1, sz, in);
-               if (!r)
-                       break;
--              if (!EVP_DecryptUpdate(&ctx, obuf, &len, ibuf, r))
-+              if (!EVP_DecryptUpdate(ctx, obuf, &len, ibuf, r))
-                       goto end;
-               if (len && (w = fwrite(obuf, len, 1, out)) != 1)
-                       goto end;
-@@ -195,7 +199,7 @@ crypto_decrypt_file(FILE * in, FILE * out)
-               goto end;
- 
-       /* finalize, write last chunk if any and perform authentication check */
--      if (!EVP_DecryptFinal_ex(&ctx, obuf, &len))
-+      if (!EVP_DecryptFinal_ex(ctx, obuf, &len))
-               goto end;
-       if (len && (w = fwrite(obuf, len, 1, out)) != 1)
-               goto end;
-@@ -204,14 +208,14 @@ crypto_decrypt_file(FILE * in, FILE * out)
-       ret = 1;
- 
- end:
--      EVP_CIPHER_CTX_cleanup(&ctx);
-+      EVP_CIPHER_CTX_free(ctx);
-       return ret;
- }
- 
- size_t
- crypto_encrypt_buffer(const char *in, size_t inlen, char *out, size_t outlen)
- {
--      EVP_CIPHER_CTX  ctx;
-+      EVP_CIPHER_CTX  *ctx;
-       uint8_t         iv[IV_SIZE];
-       uint8_t         tag[GCM_TAG_SIZE];
-       uint8_t         version = API_VERSION;
-@@ -239,33 +243,35 @@ crypto_encrypt_buffer(const char *in, size_t inlen, char *out, size_t outlen)
-       memcpy(out + len, iv, sizeof iv);
-       len += sizeof iv;
- 
--      EVP_CIPHER_CTX_init(&ctx);
--      EVP_EncryptInit_ex(&ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
-+        ctx = EVP_CIPHER_CTX_new();
-+        if (!ctx)
-+                return 0;
-+      EVP_EncryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
- 
-       /* encrypt buffer */
--      if (!EVP_EncryptUpdate(&ctx, out + len, &olen, in, inlen))
-+      if (!EVP_EncryptUpdate(ctx, out + len, &olen, in, inlen))
-               goto end;
-       len += olen;
- 
-       /* finalize and write last chunk if any */
--      if (!EVP_EncryptFinal_ex(&ctx, out + len, &olen))
-+      if (!EVP_EncryptFinal_ex(ctx, out + len, &olen))
-               goto end;
-       len += olen;
- 
-       /* get and append tag */
--      EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, sizeof tag, tag);
-+      EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, sizeof tag, tag);
-       memcpy(out + len, tag, sizeof tag);
-       ret = len + sizeof tag;
- 
- end:
--      EVP_CIPHER_CTX_cleanup(&ctx);
-+      EVP_CIPHER_CTX_cleanup(ctx);
-       return ret;
- }
- 
- size_t
- crypto_decrypt_buffer(const char *in, size_t inlen, char *out, size_t outlen)
- {
--      EVP_CIPHER_CTX  ctx;
-+      EVP_CIPHER_CTX  *ctx;
-       uint8_t         iv[IV_SIZE];
-       uint8_t         tag[GCM_TAG_SIZE];
-       int             olen;
-@@ -292,24 +298,26 @@ crypto_decrypt_buffer(const char *in, size_t inlen, char *out, size_t outlen)
-       inlen -= sizeof iv;
-       in += sizeof iv;
- 
--      EVP_CIPHER_CTX_init(&ctx);
--      EVP_DecryptInit_ex(&ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
-+        ctx = EVP_CIPHER_CTX_new();
-+        if (!ctx)
-+                return 0;
-+      EVP_DecryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
- 
-       /* set expected tag */
--      EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, sizeof tag, tag);
-+      EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, sizeof tag, tag);
- 
-       /* decrypt buffer */
--      if (!EVP_DecryptUpdate(&ctx, out, &olen, in, inlen))
-+      if (!EVP_DecryptUpdate(ctx, out, &olen, in, inlen))
-               goto end;
-       len += olen;
- 
-       /* finalize, write last chunk if any and perform authentication check */
--      if (!EVP_DecryptFinal_ex(&ctx, out + len, &olen))
-+      if (!EVP_DecryptFinal_ex(ctx, out + len, &olen))
-               goto end;
-       ret = len + olen;
- 
- end:
--      EVP_CIPHER_CTX_cleanup(&ctx);
-+      EVP_CIPHER_CTX_cleanup(ctx);
-       return ret;
- }
- 
-diff --git a/smtpd/libressl.c b/smtpd/libressl.c
-index 57d74389..db78d943 100644
---- a/smtpd/libressl.c
-+++ b/smtpd/libressl.c
-@@ -94,10 +94,10 @@ ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in)
- 
-       ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
- 
--      x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback,
--          ctx->default_passwd_callback_userdata);
-+      x = PEM_read_bio_X509_AUX(in, NULL, SSL_CTX_get_default_passwd_cb(ctx),
-+          SSL_CTX_get_default_passwd_cb_userdata(ctx));
-       if (x == NULL) {
--              SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
-+              SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PEM_LIB);
-               goto end;
-       }
- 
-@@ -115,14 +115,11 @@ ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in)
-               int r;
-               unsigned long err;
- 
--              if (ctx->extra_certs != NULL) {
--                      sk_X509_pop_free(ctx->extra_certs, X509_free);
--                      ctx->extra_certs = NULL;
--              }
-+              SSL_CTX_clear_extra_chain_certs(ctx);
- 
-               while ((ca = PEM_read_bio_X509(in, NULL,
--                  ctx->default_passwd_callback,
--                  ctx->default_passwd_callback_userdata)) != NULL) {
-+                  SSL_CTX_get_default_passwd_cb(ctx),
-+                  SSL_CTX_get_default_passwd_cb_userdata(ctx))) != NULL) {
-                       r = SSL_CTX_add_extra_chain_cert(ctx, ca);
-                       if (!r) {
-                               X509_free(ca);
-@@ -160,7 +157,7 @@ SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, void *buf, int len)
- 
-       in = BIO_new_mem_buf(buf, len);
-       if (in == NULL) {
--              SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
-+              SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
-               goto end;
-       }
- 
-diff --git a/smtpd/ssl.c b/smtpd/ssl.c
-index b88360eb..0c93d87e 100644
---- a/smtpd/ssl.c
-+++ b/smtpd/ssl.c
-@@ -425,7 +425,7 @@ ssl_ctx_fake_private_key(SSL_CTX *ctx, const void *data, size_t datalen,
-        */
-       ret = SSL_CTX_use_PrivateKey(ctx, pkey);
-       if (!ret)
--              SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_SSL_LIB);
-+              SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_SYS_LIB);
- 
-       if (pkeyptr != NULL)
-               *pkeyptr = pkey;
-diff --git a/smtpd/ssl.h b/smtpd/ssl.h
-index 90f018d0..553120d4 100644
---- a/smtpd/ssl.h
-+++ b/smtpd/ssl.h
-@@ -73,3 +73,17 @@ void        SSL_CTX_set_ecdh_auto(SSL_CTX *, int);
- void  SSL_CTX_set_dh_auto(SSL_CTX *, int);
- #endif
- int SSL_CTX_use_certificate_chain_mem(SSL_CTX *, void *, int);
-+
-+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
-+
-+static inline pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
-+{
-+      return ctx->default_passwd_callback;
-+}
-+
-+static inline void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx)
-+{
-+      return ctx->default_passwd_callback_userdata;
-+}
-+
-+#endif

diff --git a/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-security-fixes.patch b/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-security-fixes.patch
deleted file mode 100644 (file)
index b22f3af..0000000
--- a/mail-mta/opensmtpd/files/opensmtpd-6.0.3_p1-security-fixes.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-diff -ru OpenSMTPD-opensmtpd-6.0.3/smtpd/mta_session.c OpenSMTPD-opensmtpd-6.0.3-fixed/smtpd/mta_session.c
---- OpenSMTPD-opensmtpd-6.0.3/smtpd/mta_session.c      2018-01-04 23:24:01.000000000 +0100
-+++ OpenSMTPD-opensmtpd-6.0.3-fixed/smtpd/mta_session.c        2020-01-29 09:47:24.607457717 +0100
-@@ -1290,40 +1290,20 @@
-               break;
- 
-       case IO_ERROR:
-+      case IO_TLSERROR:
-               log_debug("debug: mta: %p: IO error: %s", s, io_error(io));
--              if (!s->ready) {
--                      mta_error(s, "IO Error: %s", io_error(io));
--                      mta_connect(s);
--                      break;
--              }
--              else if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_SMTPS|MTA_FORCE_ANYSSL))) {
--                      /* error in non-strict SSL negotiation, downgrade to plain */
--                      if (s->flags & MTA_TLS) {
--                              log_info("smtp-out: Error on session %016"PRIx64
--                                  ": opportunistic TLS failed, "
--                                  "downgrading to plain", s->id);
--                              s->flags &= ~MTA_TLS;
--                              s->flags |= MTA_DOWNGRADE_PLAIN;
--                              mta_connect(s);
--                              break;
--                      }
--              }
--              mta_error(s, "IO Error: %s", io_error(io));
--              mta_free(s);
--              break;
- 
--      case IO_TLSERROR:
--              log_debug("debug: mta: %p: TLS IO error: %s", s, io_error(io));
--              if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_SMTPS|MTA_FORCE_ANYSSL))) {
-+              if (s->state == MTA_STARTTLS && s->use_smtp_tls) {
-                       /* error in non-strict SSL negotiation, downgrade to plain */
--                      log_info("smtp-out: TLS Error on session %016"PRIx64
--                          ": TLS failed, "
-+                      log_info("smtp-out: Error on session %016"PRIx64
-+                          ": opportunistic TLS failed, "
-                           "downgrading to plain", s->id);
-                       s->flags &= ~MTA_TLS;
-                       s->flags |= MTA_DOWNGRADE_PLAIN;
-                       mta_connect(s);
-                       break;
-               }
-+
-               mta_error(s, "IO Error: %s", io_error(io));
-               mta_free(s);
-               break;
-diff -ru OpenSMTPD-opensmtpd-6.0.3/smtpd/smtp_session.c OpenSMTPD-opensmtpd-6.0.3-fixed/smtpd/smtp_session.c
---- OpenSMTPD-opensmtpd-6.0.3/smtpd/smtp_session.c     2018-01-04 23:24:01.000000000 +0100
-+++ OpenSMTPD-opensmtpd-6.0.3-fixed/smtpd/smtp_session.c       2020-01-29 09:47:24.610791335 +0100
-@@ -2004,25 +2004,23 @@
-               memmove(maddr->user, p, strlen(p) + 1);
-       }
- 
--      if (!valid_localpart(maddr->user) ||
--          !valid_domainpart(maddr->domain)) {
--              /* accept empty return-path in MAIL FROM, required for bounces */
--              if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
--                      return (1);
-+      /* accept empty return-path in MAIL FROM, required for bounces */
-+      if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
-+              return (1);
- 
--              /* no user-part, reject */
--              if (maddr->user[0] == '\0')
--                      return (0);
--
--              /* no domain, local user */
--              if (maddr->domain[0] == '\0') {
--                      (void)strlcpy(maddr->domain, domain,
--                          sizeof(maddr->domain));
--                      return (1);
--              }
-+      /* no or invalid user-part, reject */
-+      if (maddr->user[0] == '\0' || !valid_localpart(maddr->user))
-               return (0);
-+
-+      /* no domain part, local user */
-+      if (maddr->domain[0] == '\0') {
-+              (void)strlcpy(maddr->domain, domain,
-+                      sizeof(maddr->domain));
-       }
- 
-+      if (!valid_domainpart(maddr->domain))
-+              return (0);
-+
-       return (1);
- }
- 
-diff -ru opensmtpd-6.0.3p1/smtpd/mta_session.c opensmtpd-6.0.3p1-modified/smtpd/mta_session.c
---- opensmtpd-6.0.3p1/smtpd/mta_session.c      2018-01-10 21:06:40.000000000 +0800
-+++ opensmtpd-6.0.3p1-modified/smtpd/mta_session.c     2020-02-25 09:57:04.624147227 +0800
-@@ -1214,7 +1214,7 @@
-               if (cont) {
-                       if (s->replybuf[0] == '\0')
-                               (void)strlcat(s->replybuf, line, sizeof s->replybuf);
--                      else {
-+                      else if (len > 4) {
-                               line = line + 4;
-                               if (isdigit((int)*line) && *(line + 1) == '.' &&
-                                   isdigit((int)*line+2) && *(line + 3) == '.' &&
-@@ -1229,7 +1229,9 @@
-               /* last line of a reply, check if we're on a continuation to parse out status and ESC.
-                * if we overflow reply buffer or are not on continuation, log entire last line.
-                */
--              if (s->replybuf[0] != '\0') {
-+              if (s->replybuf[0] == '\0')
-+                      (void)strlcat(s->replybuf, line, sizeof s->replybuf);
-+              else if (len > 4) {
-                       p = line + 4;
-                       if (isdigit((int)*p) && *(p + 1) == '.' &&
-                           isdigit((int)*p+2) && *(p + 3) == '.' &&
-@@ -1238,8 +1240,6 @@
-                       if (strlcat(s->replybuf, p, sizeof s->replybuf) >= sizeof s->replybuf)
-                               (void)strlcpy(s->replybuf, line, sizeof s->replybuf);
-               }
--              else
--                      (void)strlcpy(s->replybuf, line, sizeof s->replybuf);
- 
-               if (s->state == MTA_QUIT) {
-                       log_info("%016"PRIx64" mta event=closed reason=quit messages=%zu",

diff --git a/mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r3.ebuild b/mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r3.ebuild
deleted file mode 100644 (file)
index 14d9fa6..0000000
--- a/mail-mta/opensmtpd/opensmtpd-6.0.3_p1-r3.ebuild
+++ /dev/null
@@ -1,78 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit pam toolchain-funcs systemd
-
-DESCRIPTION="Lightweight but featured SMTP daemon from OpenBSD"
-HOMEPAGE="https://www.opensmtpd.org"
-SRC_URI="https://www.opensmtpd.org/archives/${P/_}.tar.gz"
-
-LICENSE="ISC BSD BSD-1 BSD-2 BSD-4"
-SLOT="0"
-KEYWORDS="~amd64 ~arm ~arm64 ~x86"
-IUSE="libressl pam +mta"
-
-DEPEND="
-       acct-user/smtpd
-       acct-user/smtpq
-       !libressl? ( dev-libs/openssl:0= )
-       libressl? ( dev-libs/libressl:0= )
-       elibc_musl? ( sys-libs/fts-standalone )
-       sys-libs/zlib
-       pam? ( sys-libs/pam )
-       sys-libs/db:=
-       dev-libs/libevent
-       app-misc/ca-certificates
-       net-mail/mailbase
-       net-libs/libasr
-       !mail-mta/courier
-       !mail-mta/esmtp
-       !mail-mta/exim
-       !mail-mta/mini-qmail
-       !mail-mta/msmtp[mta]
-       !mail-mta/netqmail
-       !mail-mta/nullmailer
-       !mail-mta/postfix
-       !mail-mta/qmail-ldap
-       !mail-mta/sendmail
-       !mail-mta/ssmtp[mta]
-"
-RDEPEND="${DEPEND}"
-
-S=${WORKDIR}/${P/_}
-PATCHES=(
-       "${FILESDIR}/${P}-fix-crash-on-auth.patch"
-       "${FILESDIR}/${P}-openssl_1.1.patch"
-       "${FILESDIR}/${P}-security-fixes.patch"
-)
-
-src_configure() {
-       tc-export AR
-       AR="$(which "$AR")" econf \
-               --with-table-db \
-               --with-user-smtpd=smtpd \
-               --with-user-queue=smtpq \
-               --with-group-queue=smtpq \
-               --with-path-socket=/run \
-               --with-path-CAfile=/etc/ssl/certs/ca-certificates.crt \
-               --sysconfdir=/etc/opensmtpd \
-               $(use_with pam auth-pam)
-}
-
-src_install() {
-       default
-       newinitd "${FILESDIR}"/smtpd.initd smtpd
-       systemd_dounit "${FILESDIR}"/smtpd.{service,socket}
-       use pam && newpamd "${FILESDIR}"/smtpd.pam smtpd
-       dosym smtpctl /usr/sbin/makemap
-       dosym smtpctl /usr/sbin/newaliases
-       if use mta ; then
-               dodir /usr/sbin
-               dosym smtpctl /usr/sbin/sendmail
-               dosym ../sbin/smtpctl /usr/bin/sendmail
-               mkdir -p "${ED}"/usr/$(get_libdir) || die
-               ln -s --relative "${ED}"/usr/sbin/smtpctl "${ED}"/usr/$(get_libdir)/sendmail || die
-       fi
-}

diff --git a/profiles/package.mask b/profiles/package.mask
index d5a4bc79b9e1bb4296e343fdcd5c1cf2ecaec429..5ef30fbb59cef594575caf12f01ddfe446a3bf6a 100644 (file)
--- a/profiles/package.mask
+++ b/profiles/package.mask
@@ -109,14 +109,6 @@ sci-misc/pythoncad
 # Last release in 2013, bug #710164, masked for removal in 30 days.
 sci-electronics/gresistor
 
-# Jason A. Donenfeld <zx2c4@gentoo.org> (2020-02-24)
-# Unsupported upstream version, likely has security bugs. Not removed
-# immediately because of backwards incompatible configuration changes
-# with the newer version in the tree.
-#
-# Removal in 14 days. Bug #710754.
-~mail-mta/opensmtpd-6.0.3_p1
-
 # Marek Szuba <marecki@gentoo.org> (2020-02-24)
 # Deprecated upstream in Q1'2018 in favour of dev-libs/intel-neo and
 # while it officially remains the recommended solution for "legacy HW