do not use deprecated openssl v3 engine api (#RHEL-33733)
Resolves: #RHEL-33733
This commit is contained in:
parent
79a5cb2d9f
commit
3a1bfe8d5d
189
dovecot-2.3.21-noengine.patch
Normal file
189
dovecot-2.3.21-noengine.patch
Normal file
@ -0,0 +1,189 @@
|
|||||||
|
diff -up dovecot-2.3.21/m4/ssl.m4.noengine dovecot-2.3.21/m4/ssl.m4
|
||||||
|
--- dovecot-2.3.21/m4/ssl.m4.noengine 2024-05-06 17:39:59.362886891 +0200
|
||||||
|
+++ dovecot-2.3.21/m4/ssl.m4 2024-05-06 17:42:17.945312656 +0200
|
||||||
|
@@ -233,6 +233,27 @@ AC_DEFUN([DOVECOT_SSL], [
|
||||||
|
AC_CHECK_LIB(ssl, ECDSA_SIG_set0, [
|
||||||
|
AC_DEFINE(HAVE_ECDSA_SIG_SET0,, [Build with ECDSA_SIG_set0 support])
|
||||||
|
],, $SSL_LIBS)
|
||||||
|
+ AC_CHECK_LIB(ssl, OSSL_PROVIDER_try_load, [
|
||||||
|
+ AC_DEFINE(HAVE_OSSL_PROVIDER_try_load,, [Build with OSSL_PROVIDER_try_load support])
|
||||||
|
+ ],, $SSL_LIBS)
|
||||||
|
+ AC_CHECK_LIB(ssl, OPENSSL_init_ssl, [
|
||||||
|
+ AC_DEFINE(HAVE_OPENSSL_init_ssl,, [Build with OPENSSL_init_ssl support])
|
||||||
|
+ ],, $SSL_LIBS)
|
||||||
|
+ AC_CHECK_LIB(ssl, OPENSSL_cleanup, [
|
||||||
|
+ AC_DEFINE(HAVE_OPENSSL_cleanup,, [OpenSSL supports OPENSSL_cleanup()])
|
||||||
|
+ ],, $SSL_LIBS)
|
||||||
|
+ AC_CHECK_LIB(ssl, OPENSSL_thread_stop, [
|
||||||
|
+ AC_DEFINE(HAVE_OPENSSL_thread_stop,, [OpenSSL supports OPENSSL_thread_stop()])
|
||||||
|
+ ],, $SSL_LIBS)
|
||||||
|
+ AC_CHECK_LIB(ssl, ERR_remove_thread_state, [
|
||||||
|
+ AC_DEFINE(HAVE_ERR_remove_thread_state,, [OpenSSL supports ERR_remove_thread_state()])
|
||||||
|
+ ],, $SSL_LIBS)
|
||||||
|
+ AC_CHECK_LIB(ssl, ERR_remove_state, [
|
||||||
|
+ AC_DEFINE(HAVE_ERR_remove_state,, [OpenSSL supports ERR_remove_state()])
|
||||||
|
+ ],, $SSL_LIBS)
|
||||||
|
+ AC_CHECK_LIB(ssl, ENGINE_by_id_DISABLED, [
|
||||||
|
+ AC_DEFINE(HAVE_ENGINE_by_id,, [OpenSSL supports ENGINE_by_id() - !!!EXPLICITELY DISABLED!!! ])
|
||||||
|
+ ],, $SSL_LIBS)
|
||||||
|
AC_CHECK_LIB(ssl, EC_GROUP_order_bits, [
|
||||||
|
AC_DEFINE(HAVE_EC_GROUP_order_bits,, [Build with EC_GROUP_order_bits support])
|
||||||
|
],, $SSL_LIBS)
|
||||||
|
diff -up dovecot-2.3.21/src/lib-ssl-iostream/dovecot-openssl-common.c.noengine dovecot-2.3.21/src/lib-ssl-iostream/dovecot-openssl-common.c
|
||||||
|
--- dovecot-2.3.21/src/lib-ssl-iostream/dovecot-openssl-common.c.noengine 2023-09-14 15:17:46.000000000 +0200
|
||||||
|
+++ dovecot-2.3.21/src/lib-ssl-iostream/dovecot-openssl-common.c 2024-05-06 17:39:59.363886901 +0200
|
||||||
|
@@ -3,13 +3,23 @@
|
||||||
|
#include "lib.h"
|
||||||
|
#include "randgen.h"
|
||||||
|
#include "dovecot-openssl-common.h"
|
||||||
|
+#include "iostream-openssl.h"
|
||||||
|
|
||||||
|
#include <openssl/ssl.h>
|
||||||
|
-#include <openssl/engine.h>
|
||||||
|
+#include <openssl/err.h>
|
||||||
|
+#ifdef HAVE_OSSL_PROVIDER_try_load
|
||||||
|
+# include <openssl/provider.h>
|
||||||
|
+#else
|
||||||
|
+# include <openssl/engine.h>
|
||||||
|
+#endif
|
||||||
|
#include <openssl/rand.h>
|
||||||
|
|
||||||
|
static int openssl_init_refcount = 0;
|
||||||
|
-static ENGINE *dovecot_openssl_engine;
|
||||||
|
+#ifdef HAVE_OSSL_PROVIDER_try_load
|
||||||
|
+static OSSL_PROVIDER *dovecot_openssl_engine = NULL;
|
||||||
|
+#else
|
||||||
|
+static ENGINE *dovecot_openssl_engine = NULL;
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
#ifdef HAVE_SSL_NEW_MEM_FUNCS
|
||||||
|
static void *dovecot_openssl_malloc(size_t size, const char *u0 ATTR_UNUSED, int u1 ATTR_UNUSED)
|
||||||
|
@@ -17,12 +27,14 @@ static void *dovecot_openssl_malloc(size
|
||||||
|
static void *dovecot_openssl_malloc(size_t size)
|
||||||
|
#endif
|
||||||
|
{
|
||||||
|
+ if (size == 0)
|
||||||
|
+ return NULL;
|
||||||
|
/* this may be performance critical, so don't use
|
||||||
|
i_malloc() or calloc() */
|
||||||
|
void *mem = malloc(size);
|
||||||
|
- if (mem == NULL) {
|
||||||
|
+ if (unlikely(mem == NULL)) {
|
||||||
|
i_fatal_status(FATAL_OUTOFMEM,
|
||||||
|
- "OpenSSL: malloc(%zu): Out of memory", size);
|
||||||
|
+ "OpenSSL: malloc(%zu): Out of memory", size);
|
||||||
|
}
|
||||||
|
return mem;
|
||||||
|
}
|
||||||
|
@@ -33,10 +45,14 @@ static void *dovecot_openssl_realloc(voi
|
||||||
|
static void *dovecot_openssl_realloc(void *ptr, size_t size)
|
||||||
|
#endif
|
||||||
|
{
|
||||||
|
+ if (size == 0) {
|
||||||
|
+ free(ptr);
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
void *mem = realloc(ptr, size);
|
||||||
|
- if (mem == NULL) {
|
||||||
|
+ if (unlikely(mem == NULL)) {
|
||||||
|
i_fatal_status(FATAL_OUTOFMEM,
|
||||||
|
- "OpenSSL: realloc(%zu): Out of memory", size);
|
||||||
|
+ "OpenSSL: realloc(%zu): Out of memory", size);
|
||||||
|
}
|
||||||
|
return mem;
|
||||||
|
}
|
||||||
|
@@ -63,9 +79,13 @@ void dovecot_openssl_common_global_ref(v
|
||||||
|
/*i_warning("CRYPTO_set_mem_functions() was called too late");*/
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifdef HAVE_OPENSSL_init_ssl
|
||||||
|
+ OPENSSL_init_ssl(0, NULL);
|
||||||
|
+#else
|
||||||
|
SSL_library_init();
|
||||||
|
SSL_load_error_strings();
|
||||||
|
OpenSSL_add_all_algorithms();
|
||||||
|
+#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
bool dovecot_openssl_common_global_unref(void)
|
||||||
|
@@ -76,30 +96,35 @@ bool dovecot_openssl_common_global_unref
|
||||||
|
return TRUE;
|
||||||
|
|
||||||
|
if (dovecot_openssl_engine != NULL) {
|
||||||
|
+#ifdef HAVE_OSSL_PROVIDER_try_load
|
||||||
|
+ OSSL_PROVIDER_unload(dovecot_openssl_engine);
|
||||||
|
+#else
|
||||||
|
ENGINE_finish(dovecot_openssl_engine);
|
||||||
|
+#endif
|
||||||
|
dovecot_openssl_engine = NULL;
|
||||||
|
}
|
||||||
|
+#ifdef HAVE_OPENSSL_cleanup
|
||||||
|
+ OPENSSL_cleanup();
|
||||||
|
+#else
|
||||||
|
/* OBJ_cleanup() is called automatically by EVP_cleanup() in
|
||||||
|
newer versions. Doesn't hurt to call it anyway. */
|
||||||
|
OBJ_cleanup();
|
||||||
|
-#ifdef HAVE_SSL_COMP_FREE_COMPRESSION_METHODS
|
||||||
|
+# if !defined(OPENSSL_NO_COMP)
|
||||||
|
SSL_COMP_free_compression_methods();
|
||||||
|
-#endif
|
||||||
|
+# endif
|
||||||
|
ENGINE_cleanup();
|
||||||
|
EVP_cleanup();
|
||||||
|
CRYPTO_cleanup_all_ex_data();
|
||||||
|
-#ifdef HAVE_OPENSSL_AUTO_THREAD_DEINIT
|
||||||
|
+# ifdef HAVE_OPENSSL_thread_stop
|
||||||
|
/* no cleanup needed */
|
||||||
|
-#elif defined(HAVE_OPENSSL_ERR_REMOVE_THREAD_STATE)
|
||||||
|
+# elif defined(HAVE_ERR_remove_thread_state)
|
||||||
|
/* This was marked as deprecated in v1.1. */
|
||||||
|
ERR_remove_thread_state(NULL);
|
||||||
|
-#else
|
||||||
|
+# elif defined(HAVE_ERR_remove_state)
|
||||||
|
/* This was deprecated by ERR_remove_thread_state(NULL) in v1.0.0. */
|
||||||
|
ERR_remove_state(0);
|
||||||
|
-#endif
|
||||||
|
+# endif
|
||||||
|
ERR_free_strings();
|
||||||
|
-#ifdef HAVE_OPENSSL_CLEANUP
|
||||||
|
- OPENSSL_cleanup();
|
||||||
|
#endif
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
@@ -110,6 +135,7 @@ int dovecot_openssl_common_global_set_en
|
||||||
|
if (dovecot_openssl_engine != NULL)
|
||||||
|
return 1;
|
||||||
|
|
||||||
|
+#ifdef HAVE_ENGINE_by_id
|
||||||
|
ENGINE_load_builtin_engines();
|
||||||
|
dovecot_openssl_engine = ENGINE_by_id(engine);
|
||||||
|
if (dovecot_openssl_engine == NULL) {
|
||||||
|
@@ -128,5 +154,15 @@ int dovecot_openssl_common_global_set_en
|
||||||
|
dovecot_openssl_engine = NULL;
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
+#elif defined(HAVE_OSSL_PROVIDER_try_load)
|
||||||
|
+ if ((dovecot_openssl_engine = OSSL_PROVIDER_try_load(NULL, engine, 1)) == NULL) {
|
||||||
|
+ *error_r = t_strdup_printf("Cannot load '%s': %s", engine,
|
||||||
|
+ openssl_iostream_error());
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ return 1;
|
||||||
|
+#else
|
||||||
|
+ *error_r = t_strdup_printf("Cannot load '%s': No engine/provider support available", engine);
|
||||||
|
+#endif
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
diff -up dovecot-2.3.21/src/lib-ssl-iostream/Makefile.am.noengine dovecot-2.3.21/src/lib-ssl-iostream/Makefile.am
|
||||||
|
--- dovecot-2.3.21/src/lib-ssl-iostream/Makefile.am.noengine 2023-09-14 15:17:46.000000000 +0200
|
||||||
|
+++ dovecot-2.3.21/src/lib-ssl-iostream/Makefile.am 2024-05-06 17:39:59.363886901 +0200
|
||||||
|
@@ -5,7 +5,8 @@ NOPLUGIN_LDFLAGS =
|
||||||
|
AM_CPPFLAGS = \
|
||||||
|
-I$(top_srcdir)/src/lib \
|
||||||
|
-I$(top_srcdir)/src/lib-test \
|
||||||
|
- -DMODULE_DIR=\""$(moduledir)"\"
|
||||||
|
+ -DMODULE_DIR=\""$(moduledir)"\" \
|
||||||
|
+ $(SSL_CFLAGS)
|
||||||
|
|
||||||
|
if BUILD_OPENSSL
|
||||||
|
module_LTLIBRARIES = libssl_iostream_openssl.la
|
@ -6,7 +6,7 @@ Name: dovecot
|
|||||||
Epoch: 1
|
Epoch: 1
|
||||||
Version: 2.3.21
|
Version: 2.3.21
|
||||||
%global prever %{nil}
|
%global prever %{nil}
|
||||||
Release: 6%{?dist}
|
Release: 7%{?dist}
|
||||||
#dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
|
#dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
|
||||||
License: MIT AND LGPL-2.1-only
|
License: MIT AND LGPL-2.1-only
|
||||||
|
|
||||||
@ -50,6 +50,9 @@ Patch22: dovecot-configure-c99.patch
|
|||||||
# Fedora/RHEL specific, drop OTP which uses SHA1 so we dont use SHA1 for crypto purposes
|
# Fedora/RHEL specific, drop OTP which uses SHA1 so we dont use SHA1 for crypto purposes
|
||||||
Patch23: dovecot-2.3.20-nolibotp.patch
|
Patch23: dovecot-2.3.20-nolibotp.patch
|
||||||
|
|
||||||
|
# adapted from 2.4 dovecot, issue #RHEL-33733
|
||||||
|
Patch24: dovecot-2.3.21-noengine.patch
|
||||||
|
|
||||||
Source15: prestartscript
|
Source15: prestartscript
|
||||||
|
|
||||||
BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel
|
BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel
|
||||||
@ -153,6 +156,7 @@ mv dovecot-2.3-pigeonhole-%{pigeonholever} dovecot-pigeonhole
|
|||||||
%patch -P21 -p1 -b .7bad6a24
|
%patch -P21 -p1 -b .7bad6a24
|
||||||
%patch -P22 -p1 -b .c99
|
%patch -P22 -p1 -b .c99
|
||||||
%patch -P23 -p1 -b .nolibotp
|
%patch -P23 -p1 -b .nolibotp
|
||||||
|
%patch -P 24 -p1 -b .noengine
|
||||||
cp run-test-valgrind.supp dovecot-pigeonhole/
|
cp run-test-valgrind.supp dovecot-pigeonhole/
|
||||||
# valgrind would fail with shell wrapper
|
# valgrind would fail with shell wrapper
|
||||||
echo "testsuite" >dovecot-pigeonhole/run-test-valgrind.exclude
|
echo "testsuite" >dovecot-pigeonhole/run-test-valgrind.exclude
|
||||||
@ -500,6 +504,9 @@ make check
|
|||||||
%{_libdir}/%{name}/dict/libdriver_pgsql.so
|
%{_libdir}/%{name}/dict/libdriver_pgsql.so
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon May 13 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.21-7
|
||||||
|
- do not use deprecated openssl v3 engine api (#RHEL-33733)
|
||||||
|
|
||||||
* Wed Jan 31 2024 Pete Walter <pwalter@fedoraproject.org> - 1:2.3.21-6
|
* Wed Jan 31 2024 Pete Walter <pwalter@fedoraproject.org> - 1:2.3.21-6
|
||||||
- Rebuild for ICU 74
|
- Rebuild for ICU 74
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user