diff --git a/mail/exim/Makefile b/mail/exim/Makefile index f3045963d649..6f6cdcdcb702 100644 --- a/mail/exim/Makefile +++ b/mail/exim/Makefile @@ -1,670 +1,650 @@ PORTNAME= exim PORTVERSION?= ${EXIM_VERSION} PORTREVISION?= 0 CATEGORIES= mail MASTER_SITES= EXIM:exim MASTER_SITE_SUBDIR= /exim4/:exim \ /exim4/fixes/:exim \ /exim4/old/:exim DISTNAME= ${PORTNAME}-${EXIM_VERSION} DISTFILES= ${DISTNAME}${EXTRACT_SUFX}:exim DIST_SUBDIR= exim EXTRACT_ONLY= ${DISTNAME}${EXTRACT_SUFX} MAINTAINER= fluffy@FreeBSD.org COMMENT?= High performance MTA for Unix systems on the Internet WWW= https://www.exim.org/ LICENSE= GPLv2 USES= compiler cpe tar:bzip2 perl5 USE_CSTD= c99 USE_PERL5= run # Exim build system is job unsafe atm MAKE_JOBS_UNSAFE= yes # One can tune the following "hidden" knobs: # - EXIM_USER: user exim is running as; # - EXIM_GROUP: ditto for the group; # - LOGDIR: where Exim logs will be put; # - LOG_FILE_PATH: path where '%s' will be substituted with # the target name (main, reject, etc); # - CONFIG_FILE_PATH: path to the default configuration file; # - ALT_CONFIG_PREFIX: path to the default prefix for all # configuration files, excluding the main one; # will be effective only when WITH_ALT_CONFIG_PREFIX # will be set via OPTIONS. .if make(makesum) && !defined(FETCH_ALL) .error "You forgot to define FETCH_ALL to create the sane distinfo" .endif .include "options" OPTIONS_SUB= yes AUTH_SASL_LIB_DEPENDS= libsasl2.so:security/cyrus-sasl2 BDB_USES= bdb DMARC_LIB_DEPENDS= libopendmarc.so:mail/opendmarc EMBEDDED_PERL_USE= perl5=run,build +EMBEDDED_PERL_BUILD_DEPENDS= p5-File-FcntlLock>0:devel/p5-File-FcntlLock +EMBEDDED_PERL_RUN_DEPENDS= p5-File-FcntlLock>0:devel/p5-File-FcntlLock EXIMON_USES= xorg EXIMON_USE= xorg=x11,xaw,xext,xmu,xt GNUTLS_LIB_DEPENDS= libgnutls.so:security/gnutls ICONV_USES= iconv:lib,build INTERNATIONAL_LIB_DEPENDS= libidn.so:dns/libidn LMDB_LIB_DEPENDS= liblmdb.so:databases/lmdb MYSQL_USES= mysql OPENLDAP_USES= ldap PGSQL_LIB_DEPENDS= libicudata.so:devel/icu PGSQL_USES= pgsql pkgconfig REDIS_LIB_DEPENDS= libhiredis.so:databases/hiredis SASLAUTHD_RUN_DEPENDS= ${LOCALBASE}/sbin/saslauthd:security/cyrus-sasl2-saslauthd SA_EXIM_RUN_DEPENDS= ${LOCALBASE}/bin/spamc:mail/spamassassin SPF_LIB_DEPENDS= libspf2.so:mail/libspf2 SQLITE_LIB_DEPENDS= libicudata.so:devel/icu SQLITE_USES= pkgconfig sqlite -DEBIAN_PATCHES_PREFIX= ${FILESDIR}/debian/75 -EXTRA_PATCHES= \ - ${DEBIAN_PATCHES_PREFIX}_01-Fix-exit-on-attempt-to-rewrite-a-malformed-address.-.patch:-p1 \ - ${DEBIAN_PATCHES_PREFIX}_05-SPF-fix-memory-accounting-for-error-case.patch:-p1 \ - ${DEBIAN_PATCHES_PREFIX}_08-Fix-regex-n-use-after-free.-Bug-2915.patch:-p1 \ - ${DEBIAN_PATCHES_PREFIX}_09-Fix-non-WITH_CONTENT_SCAN-build.patch:-p1 \ - ${DEBIAN_PATCHES_PREFIX}_10-Fix-non-WITH_CONTENT_SCAN-build-2.patch:-p1 \ - ${DEBIAN_PATCHES_PREFIX}_11-Fix-non-WITH_CONTENT_SCAN-build-3.patch:-p1 \ - ${DEBIAN_PATCHES_PREFIX}_16-GnuTLS-fix-for-clients-offering-no-TLS-extensions.patch:-p1 \ - ${DEBIAN_PATCHES_PREFIX}_18-Fix-Build-with-libopendmarc-1.4.x-fixes-2728.patch:-p1 \ - ${DEBIAN_PATCHES_PREFIX}_19-DMARC-fix-use-after-free-in-dmarc_dns_lookup.patch:-p1 \ - ${DEBIAN_PATCHES_PREFIX}_22-Fix-daemon-startup.-Bug-2930.patch:-p1 \ - ${DEBIAN_PATCHES_PREFIX}_23-Fix-reccipients-after-run.-.-Bug-2929.patch:-p1 \ - ${DEBIAN_PATCHES_PREFIX}_31-Fix-regext-substring-capture-variables-for-null-matc.patch:-p1 \ - ${DEBIAN_PATCHES_PREFIX}_32-Fix-regex-substring-capture-variables-for-null-match.patch:-p1 \ - ${DEBIAN_PATCHES_PREFIX}_34-Fix-regex-substring-capture-commentary.-Bug-2933.patch:-p1 \ - ${DEBIAN_PATCHES_PREFIX}_37-OpenSSL-when-preloading-creds-do-the-server-certs-be.patch:-p1 \ - ${DEBIAN_PATCHES_PREFIX}_38-OpenSSL-fix-double-expansion-of-tls_verify_certifica.patch:-p1 \ - ${DEBIAN_PATCHES_PREFIX}_50-Fix-logging-of-max-size-log-line.patch:-p1 \ - ${DEBIAN_PATCHES_PREFIX}_55-Fix-recursion-on-dns_again_means_nonexist.-Bug-2911.patch:-p1 \ - ${DEBIAN_PATCHES_PREFIX}_58-Close-server-smtp-socket-explicitly-on-connect-ACL-d.patch:-p1 \ - ${DEBIAN_PATCHES_PREFIX}_60-OpenSSL-fix-tls_eccurve-setting-explicit-curve-group.patch:-p1 \ - ${DEBIAN_PATCHES_PREFIX}_62-OpenSSL-Fix-tls_eccurve-on-earlier-versions-than-3.0.patch:-p1 \ - ${DEBIAN_PATCHES_PREFIX}_63-OpenSSL-log-conns-rejected-for-bad-ALPN-with-the-off.patch:-p1 \ - ${DEBIAN_PATCHES_PREFIX}_64-DANE-do-not-check-dns_again_means_nonexist-for-TLSA-.patch:-p1 \ - ${DEBIAN_PATCHES_PREFIX}_66-Fix-crash-in-expansions.patch:-p1 +#DEBIAN_PATCHES_PREFIX= ${FILESDIR}/debian/75 +#EXTRA_PATCHES= \ +# ${DEBIAN_PATCHES_PREFIX}_01-Fix-exit-on-attempt-to-rewrite-a-malformed-address.-.patch:-p1 \ +# ${DEBIAN_PATCHES_PREFIX}_05-SPF-fix-memory-accounting-for-error-case.patch:-p1 .include # OCSP is supported for openssl only .if ${PORT_OPTIONS:MOCSP} .if ! ${PORT_OPTIONS:MTLS} IGNORE= you cannot enable OCSP stapling without TLS support .elif ${PORT_OPTIONS:MGNUTLS} IGNORE= you cannot enable OCSP stapling with gnutls .endif .endif # DMARC implies SPF and DKIM .if ${PORT_OPTIONS:MDMARC} .if ! ${PORT_OPTIONS:MSPF} || ! ${PORT_OPTIONS:MDKIM} IGNORE= you cannot enable DMARC without SPF and DKIM support .endif .endif # ARC implies SPF and DKIM .if ${PORT_OPTIONS:MARC} .if ! ${PORT_OPTIONS:MSPF} || ! ${PORT_OPTIONS:MDKIM} IGNORE= you cannot enable ARC without SPF and DKIM support .endif .endif # DANE implies DNSSEC .if ${PORT_OPTIONS:MDANE} .if ! ${PORT_OPTIONS:MDNSSEC} || ! ${PORT_OPTIONS:MTLS} IGNORE= you cannot enable DANE without DNSSEC support or without TLS support .endif .endif .if ${PORT_OPTIONS:MSA_EXIM} || defined(FETCH_ALL) MASTER_SITES+= http://marc.merlins.org/linux/exim/files/:sa_exim \ SF/sa-exim/sa-exim/${SA_EXIM_VERSION}:sa_exim DISTFILES+= sa-exim-${SA_EXIM_VERSION}.tar.gz:sa_exim EXTRA_PATCHES+= ${FILESDIR}/extra-patch-Local-sa-exim.c EXTRA_PATCHES+= ${FILESDIR}/extra-patch-Local-sa-exim.conf .endif -EXIM_VERSION= 4.96.2 +EXIM_VERSION= 4.97 SA_EXIM_VERSION=4.2.1 EXIM_INSTALL_ARG+= "-no_chown" "-no_symlink" EXTRA_PATCHES+= `${FIND} ${PATCHDIR} -name '74_*.patch'|${SORT} -h` .if !defined(EXIMON_ONLY) PLIST_SUB+= EXIM="" .if defined(PKGNAMESUFFIX) CONFLICTS+= ${PKGNAMEPREFIX}${PORTNAME}-4.* .endif .for suffix in -ldap2 -mysql -postgresql -sa-exim -sqlite .if !defined(PKGNAMESUFFIX) || ${PKGNAMESUFFIX} != ${suffix} CONFLICTS+= ${PKGNAMEPREFIX}${PORTNAME}${suffix}-4.* .endif .endfor .if ${PORT_OPTIONS:MEXIMON} CONFLICTS+= ${PKGNAMEPREFIX}${PORTNAME}-monitor-4.* .endif PKGMESSAGE= ${WRKDIR}/POST-INSTALL-NOTES .else # !EXIMON_ONLY PLIST_SUB+= EXIM="@comment " PORT_OPTIONS+= EXIMON PKGMESSAGE= ${WRKDIR}/pkg-message EXIM_INSTALL_ARG+= "eximon" "eximon.bin" .endif # !EXIMON_ONLY PORTDOC_BASE= ACKNOWLEDGMENTS NOTICE README.UPDATING PORTDOC_FILES= ChangeLog Exim3.upgrade Exim4.upgrade NewStuff \ OptionLists.txt README README.SIEVE dbm.discuss.txt \ experimental-spec.txt filter.txt spec.txt PORT_EXAMPLES= convert4r3 convert4r4 transport-filter.pl DAILY_SCRIPTS= 150.exim-tidydb 460.exim-mail-rejects MAKE_ENV+= OSTYPE="${OPSYS}" ARCHTYPE="${ARCH}" DUMMY_LDFLAGS="${DUMMY_LDFLAGS}" STRIP_COMMAND="${STRIP_CMD}" EXIM_USER?= mailnull EXIM_GROUP?= mail # Default user/group are system ones, so we don't want to check them .if ${EXIM_USER} != "mailnull" USERS= ${EXIM_USER} .endif .if ${EXIM_GROUP} != "mail" GROUPS= ${EXIM_GROUP} .endif LOGDIR?= /var/log/exim LOG_FILE_PATH?= ${LOGDIR}/%slog CONFIG_FILE_PATH?= ${PREFIX}/etc/exim/configure ALT_CONFIG_PREFIX?= ${PREFIX}/etc/exim/ EXIM_DYNAMIC_LDFLAGS= -fPIC -rdynamic -Wl,--export-dynamic SED_SCRIPT= -e 's,%%PREFIX%%,${PREFIX},g' \ -e 's,%%DOCSDIR%%,${DOCSDIR},g' \ -e 's,%%EXAMPLESDIR%%,${EXAMPLESDIR},g' \ -e 's,%%EXIM_USER%%,${EXIM_USER},g' \ -e 's,%%EXIM_GROUP%%,${EXIM_GROUP},g' \ -e 's,%%LOGDIR%%,${LOGDIR},g' SEDLIST+= -e 's,XX_CFLAGS_XX,${CFLAGS:S/,/\\,/g},' \ -e 's,XX_PREFIX_XX,${PREFIX:S/,/\\,/g},' \ -e 's,XX_LOCALBASE_XX,${LOCALBASE:S/,/\\,/g},' \ -e 's,XX_LOG_FILE_PATH_XX,${LOG_FILE_PATH:S/,/\\,/g},' \ -e 's,XX_CONFIG_FILE_PATH_XX,${CONFIG_FILE_PATH:S/,/\\,/g},' \ -e 's,XX_ALT_CONFIG_PREFIX_XX,${ALT_CONFIG_PREFIX:S/,/\\,/g},' \ -e 's,XX_EXIM_USER_XX,${EXIM_USER:S/,/\\,/g},' \ -e 's,XX_EXIM_GROUP_XX,${EXIM_GROUP:S/,/\\,/g},' \ -e 's,XX_DEFAULT_CHARSET_XX,${WITH_DEFAULT_CHARSET:S/,/\\,/g},' \ -e 's,XX_DYNAMIC_LDFLAGS_XX,${EXIM_DYNAMIC_LDFLAGS:S/,/\\,/g},' PLIST_SUB+= EXIM_VERSION="${EXIM_VERSION}-${PORTREVISION}" \ EXIM_USER=${EXIM_USER} \ EXIM_GROUP=${EXIM_GROUP} \ LOGDIR="${LOGDIR:S/^\///}" # Exim refuses to run local deliveries as root by default. You can # add other users to this colon-separated list that cannot be # overridden at runtime below, but are advised not to remove "root". #WITH_FIXED_NEVER_USERS= root:daemon:bin # When Exim is decoding MIME "words" in header lines it converts any foreign # character sets to the one that is set in the headers_charset option. # The default setting is defined by this setting: WITH_DEFAULT_CHARSET?= ISO-8859-1 # You should not need to fiddle with anything below this point. LIB_DEPENDS+= libpcre2-posix.so:devel/pcre2 .if ! ${PORT_OPTIONS:MDKIM} SEDLIST+= -e 's,^\# (DISABLE_DKIM=),\1,' .endif .if ${PORT_OPTIONS:MLISTMATCH_RHS} SEDLIST+= -e 's,^\# (EXPAND_LISTMATCH_RHS=),\1,' .endif .if ${PORT_OPTIONS:MDCC} SEDLIST+= -e 's,^\# (EXPERIMENTAL_DCC=),\1,' .endif .if ${PORT_OPTIONS:MPROXY} SEDLIST+= -e 's,^\# (SUPPORT_PROXY=),\1,' .endif .if ${PORT_OPTIONS:MCERTNAMES} SEDLIST+= -e 's,^\# (EXPERIMENTAL_CERTNAMES=),\1,' .endif .if ${PORT_OPTIONS:MDSN} SEDLIST+= -e 's,^\# (EXPERIMENTAL_DSN=),\1,' .endif .if !${PORT_OPTIONS:MDANE} SEDLIST+= -e 's,^(SUPPORT_DANE=),\#\1,' .endif .if ${PORT_OPTIONS:MARC} SEDLIST+= -e 's,^\# (EXPERIMENTAL_ARC=),\1,' .endif .if !${PORT_OPTIONS:MEVENT} SEDLIST+= -e 's,^\# (DISABLE_EVENT=),\1,' .endif .if ${PORT_OPTIONS:MINTERNATIONAL} SEDLIST+= -e 's,^\# (SUPPORT_I18N=),\1,' \ -e 's,XX_IDN_LIBS_XX,-L${LOCALBASE}/lib -lidn,' .else SEDLIST+= -e 's,XX_IDN_LIBS_XX,,' .endif .if ${PORT_OPTIONS:MSOCKS} SEDLIST+= -e 's,^\# (SUPPORT_SOCKS=),\1,' .endif .if !${PORT_OPTIONS:MPRDR} SEDLIST+= -e 's,^\# (DISABLE_PRDR=),\1,' .endif .if !${PORT_OPTIONS:MOCSP} SEDLIST+= -e 's,^\# (DISABLE_OCSP=),\1,' .endif .if !${PORT_OPTIONS:MDNSSEC} SEDLIST+= -e 's,^\# (DISABLE_DNSSEC=),\1,' .endif .if ${PORT_OPTIONS:MDMARC} SEDLIST+= -e 's,XX_DMARC_LIBS_XX,-L${LOCALBASE}/lib -lopendmarc,' \ -e 's,^\# (SUPPORT_DMARC=),\1,' .else SEDLIST+= -e 's,XX_DMARC_LIBS_XX,,' .endif .if ${PORT_OPTIONS:MWISHLIST} EXTRA_PATCHES+= `${FIND} ${PATCHDIR} -name 'wishlist-*.patch'` .endif .if ${PORT_OPTIONS:MFIXED_NEVER_USERS} SEDLIST+= -e 's,^(FIXED_NEVER_USERS=).*,\1${WITH_FIXED_NEVER_USERS:S/,/\\,/g},' .endif .if ${PORT_OPTIONS:MEXIMON} SEDLIST+= -e 's,^\# (EXIM_MONITOR=),\1,' .endif .if ${PORT_OPTIONS:MTLS} .if ! ${PORT_OPTIONS:MGNUTLS} USES+= ssl SEDLIST+= -e 's,^\# (USE_OPENSSL=),\1,' SEDLIST+= -e 's,^\# (TLS_LIBS=.*-lssl[[:space:]]),\1,' BROKEN_SSL= openssl31 BROKEN_SSL_REASON= error: token is not a valid binary operator in a preprocessor subexpression .else SEDLIST+= -e 's,^\# (USE_GNUTLS=),\1,' SEDLIST+= -e 's,^\# (TLS_LIBS=.*-lgnutls[[:space:]]),\1,' .endif .else # TLS support SEDLIST+= -e 's,^\# (DISABLE_TLS=),\1,' .endif .if ${PORT_OPTIONS:MEMBEDDED_PERL} SEDLIST+= -e 's,^\# (EXIM_PERL=),\1,' .endif .if ${PORT_OPTIONS:MTCP_WRAPPERS} SEDLIST+= -e 's,XX_TCP_WRAPPERS_LIBS_XX,-lwrap,' \ -e 's,^\# (USE_TCP_WRAPPERS=),\1,' .else SEDLIST+= -e 's,XX_TCP_WRAPPERS_LIBS_XX,,' .endif .if ${PORT_OPTIONS:MICONV} SEDLIST+= -e 's,XX_ICONV_LIBS_XX,-L${LOCALBASE:S/,/\\,/g}/lib ${ICONV_LIB},' \ -e 's,^\# (HAVE_ICONV=),\1,' .else SEDLIST+= -e 's,XX_ICONV_LIBS_XX,,' .endif .if ${PORT_OPTIONS:MOPENLDAP} LDAP_LIB_TYPE= OPENLDAP2 SEDLIST+= -e 's,XX_LDAP_LIBS_XX,-L${LOCALBASE:S/,/\\,/g}/lib -llber -lldap,' \ -e 's,XX_LDAP_INCLUDE_XX,-I${LOCALBASE:S/,/\\,/g}/include,' \ -e 's,XX_LDAP_TYPE_XX,${LDAP_LIB_TYPE:S/,/\\,/g},' \ -e 's,^\# (LOOKUP_LDAP=),\1,' .else SEDLIST+= -e 's,XX_LDAP_[^ ]*_XX,,' \ -e 's,^(LDAP_LIB_TYPE=),\# \1,' .endif .if ${PORT_OPTIONS:MBDB} INVALID_BDB_VER= 2 3 6 18 DB_LIBS= -L${BDB_LIB_DIR} -l${BDB_LIB_NAME} DB_INCLUDES= -I${BDB_INCLUDE_DIR} .else DB_LIBS= DB_INCLUDES= SEDLIST+= -e 's,^(DBMLIB=),\# \1,' .endif SEDLIST+= -e 's,XX_DB_LIBS_XX,${DB_LIBS:S/,/\\,/g},' \ -e 's,XX_DB_INCLUDES_XX,${DB_INCLUDES:S/,/\\,/g},' .if ${PORT_OPTIONS:MLMDB} _LMDB_LIBS= -L${LOCALBASE}/lib -llmdb _LMDB_INCLUDES= -I${LOCALBASE}/include SEDLIST+= -e 's,^\# (EXPERIMENTAL_LMDB=),\1,' .else _LMDB_LIBS= _LMDB_INCLUDES= .endif SEDLIST+= -e 's,XX_LMDB_LIBS_XX,${_LMDB_LIBS:S/,/\\,/g},' \ -e 's,XX_LMDB_INCLUDES_XX,${_LMDB_INCLUDES:S/,/\\,/g},' .if ${PORT_OPTIONS:MMYSQL} SEDLIST+= -e 's,XX_MYSQL_LIBS_XX,-L${LOCALBASE:S/,/\\,/g}/lib/mysql -l${_MYSQL_SHLIB:S/lib//},' \ -e 's,XX_MYSQL_INCLUDE_XX,-I${LOCALBASE:S/,/\\,/g}/include/mysql,' \ -e 's,^\# (LOOKUP_MYSQL=),\1,' .else SEDLIST+= -e 's,XX_MYSQL_[^ ]*_XX,,' .endif .if ${PORT_OPTIONS:MSASLAUTHD} SASLAUTHD_SOCKET?= /var/run/saslauthd/mux SEDLIST+= -e 's,^\# (CYRUS_SASLAUTHD_SOCKET=).*,\1${SASLAUTHD_SOCKET:S/,/\\,/g},' .endif .if ${PORT_OPTIONS:MPAM} SEDLIST+= -e 's,XX_PAM_LIBS_XX,-lpam,' \ -e 's,^\# (SUPPORT_PAM=),\1,' .else SEDLIST+= -e 's,XX_PAM_LIBS_XX,,' .endif .if ${PORT_OPTIONS:MAUTH_CRAM_MD5} SEDLIST+= -e 's,^\# (AUTH_CRAM_MD5=),\1,' .endif .if ${PORT_OPTIONS:MAUTH_PLAINTEXT} SEDLIST+= -e 's,^\# (AUTH_PLAINTEXT=),\1,' .endif .if ${PORT_OPTIONS:MAUTH_DOVECOT} SEDLIST+= -e 's,^\# (AUTH_DOVECOT=),\1,' .endif .if ${PORT_OPTIONS:MAUTH_SPA} SEDLIST+= -e 's,^\# (AUTH_SPA=),\1,' .endif .if ${PORT_OPTIONS:MAUTH_SASL} SEDLIST+= -e 's,^\# (AUTH_CYRUS_SASL=),\1,' \ -e 's,^\# (AUTH_LIBS=.*-lsasl2),\1,' .endif .if ${PORT_OPTIONS:MAUTH_TLS} SEDLIST+= -e 's,^\# (AUTH_TLS=),\1,' .endif .if ${PORT_OPTIONS:MAUTH_RADIUS} WITH_RADIUS_TYPE?= RADLIB .if ${WITH_RADIUS_TYPE:tl} == radlib SEDLIST+= -e 's,XX_RADIUS_LIBS_XX,-lradius,' \ -e 's,^\# (RADIUS_CONFIG_FILE=).*,\1/etc/radius.conf,' \ -e 's,^\# (RADIUS_LIB_TYPE=).*,\1RADLIB,' .elif ${WITH_RADIUS_TYPE:tl} == radiusclient LIB_DEPENDS+= libfreeradius-client.so:net/freeradius-client SEDLIST+= -e 's,XX_RADIUS_LIBS_XX,-L${LOCALBASE:S/,/\\,/g}/lib -lfreeradius-client,' \ -e 's,^\# (RADIUS_CONFIG_FILE=).*,\1${LOCALBASE:S/,/\\,/g}/etc/radiusclient/radiusclient.conf,' \ -e 's,^\# (RADIUS_LIB_TYPE=).*,\1RADIUSCLIENTNEW,' .else IGNORE= the variable WITH_RADIUS_TYPE must be either RADLIB or RADIUSCLIENT .endif .else SEDLIST+= -e 's,XX_RADIUS_LIBS_XX,,' .endif .if ${PORT_OPTIONS:MPGSQL} SEDLIST+= -e 's,XX_PGSQL_LIBS_XX,-L${LOCALBASE:S/,/\\,/g}/lib -lpq,' \ -e 's,XX_PGSQL_INCLUDE_XX,-I${LOCALBASE:S/,/\\,/g}/include/pgsql,' \ -e 's,^\# (LOOKUP_PGSQL=),\1,' .else SEDLIST+= -e 's,XX_PGSQL_[^ ]*_XX,,' .endif .if ! ${PORT_OPTIONS:MPGSQL} && ! ${PORT_OPTIONS:MMYSQL} && !defined(LDAP_LIB_TYPE) && \ ! ${PORT_OPTIONS:MBDB} && ! ${PORT_OPTIONS:MLMDB} SEDLIST+= -e 's,^(LOOKUP_LIBS=),\# \1,' \ -e 's,^(LOOKUP_INCLUDE=),\# \1,' .endif .if ! ${PORT_OPTIONS:MDNSDB} SEDLIST+= -e 's,^(LOOKUP_DNSDB=),\# \1,' .endif .if ${PORT_OPTIONS:MMAILDIR} SEDLIST+= -e 's,^\# (SUPPORT_MAILDIR=),\1,' .endif .if ${PORT_OPTIONS:MMAILSTORE} SEDLIST+= -e 's,^\# (SUPPORT_MAILSTORE=),\1,' .endif .if ${PORT_OPTIONS:MMBX} SEDLIST+= -e 's,^\# (SUPPORT_MBX=),\1,' .endif .if ${PORT_OPTIONS:MCDB} SEDLIST+= -e 's,^\# (LOOKUP_CDB=),\1,' .endif .if ${PORT_OPTIONS:MDSEARCH} SEDLIST+= -e 's,^\# (LOOKUP_DSEARCH=),\1,' .endif .if ! ${PORT_OPTIONS:MLSEARCH} SEDLIST+= -e 's,^(LOOKUP_LSEARCH=),\# \1,' .endif .if ${PORT_OPTIONS:MNIS} SEDLIST+= -e 's,^\# (LOOKUP_NIS=),\1,' .endif .if ${PORT_OPTIONS:MPASSWD} SEDLIST+= -e 's,^\# (LOOKUP_PASSWD=),\1,' .endif .if ${PORT_OPTIONS:MSQLITE} SEDLIST+= -e 's,XX_SQLITE_LIBS_XX,`pkg-config --static --libs sqlite3`,' \ -e 's,XX_SQLITE_FLAGS_XX,`pkg-config --cflags sqlite3`,' \ -e 's,^\# (LOOKUP_SQLITE=),\1,' .else SEDLIST+= -e 's,XX_SQLITE_LIBS_XX,,' \ -e 's,XX_SQLITE_FLAGS_XX,,' .endif .if ${PORT_OPTIONS:MREDIS} SEDLIST+= -e 's,XX_REDIS_LIBS_XX,-L${LOCALBASE}/lib -lhiredis,' \ -e 's,^\# (LOOKUP_REDIS=),\1,' \ -e 's,^\# (REDIS=),\1,' .else SEDLIST+= -e 's,XX_REDIS_LIBS_XX,,' .endif .if ${PORT_OPTIONS:MLMTP} SEDLIST+= -e 's,^\# (TRANSPORT_LMTP=),\1,' .endif .if ! ${PORT_OPTIONS:MALT_CONFIG_PREFIX} SEDLIST+= -e 's,^(ALT_CONFIG_PREFIX=),\# \1,' .endif .if ${PORT_OPTIONS:MSPF} SEDLIST+= -e 's,XX_SPF_FLAGS_XX,-DSPF,' \ -e 's,XX_SPF_LIBS_XX,-L${LOCALBASE}/lib -lspf2 -lpthread,' \ -e 's,^\# (SUPPORT_SPF=),\1,' .else SEDLIST+= -e 's,XX_SPF_FLAGS_XX,,' \ -e 's,XX_SPF_LIBS_XX,,' .endif .if ${PORT_OPTIONS:MSRS} SEDLIST+= -e 's,XX_SRS_FLAGS_XX,-DSUPPORT_SRS,' \ -e 's,XX_SRS_LIBS_XX,,' .else SEDLIST+= -e 's,XX_SRS_FLAGS_XX,,' \ -e 's,XX_SRS_LIBS_XX,,' .endif .if ${PORT_OPTIONS:MREADLINE} SEDLIST+= -e 's,^\# (USE_READLINE=),\1,' .endif .if ${PORT_OPTIONS:MCONTENT_SCAN} SEDLIST+= -e 's,^\# (WITH_CONTENT_SCAN=),\1,' .endif .if !defined(EXIMON_ONLY) && ${PORT_OPTIONS:MDAEMON} USE_RC_SUBR= exim PLIST_SUB+= EXIMDAEMON="" SUB_LIST+= LOGDIR="${LOGDIR}" .else PLIST_SUB+= EXIMDAEMON="@comment " .endif .if ${PORT_OPTIONS:MIPV6} SEDLIST+= -e 's,^\# (HAVE_IPV6=),\1,' .endif .if ${PORT_OPTIONS:MDISABLE_D_OPT} SEDLIST+= -e 's,^\# (DISABLE_D_OPTION=),\1,' .else .if defined(WHITELIST_D_MACROS) SEDLIST+= -e 's,^\# (WHITELIST_D_MACROS=).*$$,\1${WHITELIST_D_MACROS:S/,/\\,/g},' .endif .endif .if defined(TRUSTED_CONFIG_LIST) SEDLIST+= -e 's,^\# (TRUSTED_CONFIG_LIST=).*$$,\1${TRUSTED_CONFIG_LIST:S/,/\\,/g},' .endif .if ${PORT_OPTIONS:MQUEUEFILE} SEDLIST+= -e 's,^\# (EXPERIMENTAL_QUEUEFILE=),\1,' .endif MAKE_ENV+= INSTALL_ARG="${EXIM_INSTALL_ARG}" DUMMY_LDFLAGS!= ${ECHO_CMD} ${LDFLAGS} | ${SED} -e 's|-Wl,-rpath|-Wl,-DUMMYrpath|g; s|-rpath|-Wl,-rpath|g; s|-DUMMYrpath|-rpath|g' pre-everything:: @${ECHO} 'Exim now drops privileges when alternate configuration' @${ECHO} 'files are used. You can set make variable TRUSTED_CONFIG_LIST' @${ECHO} 'to specify the list of configuration files for which' @${ECHO} 'root privileges will be retained.' @${ECHO} '' @${ECHO} 'You can whitelist some macros using the make variable' @${ECHO} 'WHITELIST_D_MACROS. This is useful if you are running' @${ECHO} 'with DISABLE_D_OPT set, but macros whitelisting will be' @${ECHO} 'removed in some future Exim release, so it is better' @${ECHO} 'to use TRUSTED_CONFIG_LIST to set the list of trusted' @${ECHO} 'configuration files.' .if empty(.MAKEFLAGS:M-s) && ${PORT_OPTIONS:MWISHLIST} @${ECHO} '' @${ECHO} 'Included extra patches:' @${FIND} ${PATCHDIR} -name 'wishlist-*.patch' \ -exec ${SED} -ne 's,^# , ,p' {} \; @${ECHO} '' .endif post-extract: .if ${PORT_OPTIONS:MSA_EXIM} @cd ${WRKDIR} && ${TAR} ${EXTRACT_BEFORE_ARGS} ${_DISTDIR}/sa-exim-${SA_EXIM_VERSION}.tar.gz ${EXTRACT_AFTER_ARGS} @@${CP} ${WRKDIR}/sa-exim-${SA_EXIM_VERSION}/sa-exim.c ${WRKSRC}/Local @@${CP} ${WRKDIR}/sa-exim-${SA_EXIM_VERSION}/sa-exim.conf ${WRKSRC}/Local .endif do-configure: @${MKDIR} ${WRKSRC}/Local @${SED} -E ${SEDLIST} ${WRKSRC}/src/EDITME > ${WRKSRC}/Local/Makefile .if ${PORT_OPTIONS:MEXIMON} @${CP} ${WRKSRC}/exim_monitor/EDITME ${WRKSRC}/Local/eximon.conf .endif @${REINPLACE_CMD} -E ${SEDLIST} ${WRKSRC}/src/configure.default @${REINPLACE_CMD} -e 's!$$(LDFLAGS)!$$(DUMMY_LDFLAGS) -L$${LOCALBASE}/lib!' ${WRKSRC}/OS/Makefile-Base @${REINPLACE_CMD} -e 's/"(Exim $$version_number)\\n\\t"/"(Exim $$version_number (${OPSYS}))\\n\\t"/' \ ${WRKSRC}/src/globals.c @${REINPLACE_CMD} -e 's/Exim version %s \(#%s \)\{0,1\}/&(${OPSYS} ${OSREL}) /' ${WRKSRC}/src/exim.c @${REINPLACE_CMD} -e 's/^#include "cnumber\.h"$$/${PORTREVISION}/' ${WRKSRC}/src/version.c @${REINPLACE_CMD} -E -e 's/^(PERL_COMMAND=).*/\1${PERL:S,/,\/,g}/' \ -e 's/^(CC=).*/\1${CC:S,/,\/,g}/' ${WRKSRC}/OS/Makefile-Default .if ${PORT_OPTIONS:MSA_EXIM} @${REINPLACE_CMD} -E -e 's/^\# (HAVE_LOCAL_SCAN=).*/\1yes/' \ ${WRKSRC}/OS/Makefile-Default @${REINPLACE_CMD} -E -e 's/^(LOCAL_SCAN_SOURCE=).*/\1Local\/sa-exim.c/' \ ${WRKSRC}/OS/Makefile-Default @{ \ ${ECHO_CMD} "char *version=\"${SA_EXIM_VERSION}\";"; \ ${ECHO_CMD} "#define SPAMC_LOCATION \"${LOCALBASE}/bin/spamc\""; \ ${ECHO_CMD} "#define SPAMASSASSIN_CONF \"${PREFIX}/etc/exim/sa-exim.conf\""; \ } > ${WRKSRC}/Local/sa-exim.h @${REINPLACE_CMD} -e 's,/usr/bin/spamc,${LOCALBASE}/bin/spamc,' \ ${WRKSRC}/Local/sa-exim.conf .endif @(cd ${WRKSRC}; ${SETENV} ${MAKE_ENV} ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} configure) post-build: .for script in ${DAILY_SCRIPTS} @${SED} ${SED_SCRIPT} ${FILESDIR}/${script}.sh > ${WRKDIR}/${script}.sh .endfor @${SED} ${SED_SCRIPT} ${FILESDIR}/POST-INSTALL-NOTES > \ ${WRKDIR}/POST-INSTALL-NOTES @${SED} ${SED_SCRIPT} ${FILESDIR}/POST-INSTALL-NOTES.clamd > ${WRKDIR}/POST-INSTALL-NOTES.clamd @${SED} ${SED_SCRIPT} ${FILESDIR}/POST-INSTALL-NOTES > ${WRKDIR}/POST-INSTALL-NOTES @[ ! -f ${PKGDIR}/pkg-message ] || ${SED} ${SED_SCRIPT} ${PKGDIR}/pkg-message > ${WRKDIR}/pkg-message .if !defined(EXIMON_ONLY) post-install: .if ${PORT_OPTIONS:MDAEMON} ${MKDIR} ${STAGEDIR}${PREFIX}/etc/periodic/daily .for script in ${DAILY_SCRIPTS} ${INSTALL_SCRIPT} ${WRKDIR}/${script}.sh ${STAGEDIR}${PREFIX}/etc/periodic/daily/${script} .endfor .endif @${MKDIR} -m 750 ${STAGEDIR}${LOGDIR} ${INSTALL_MAN} ${WRKSRC}/doc/exim.8 ${STAGEDIR}${MAN8PREFIX}/man/man8 .if ${PORT_OPTIONS:MDOCS} @${MKDIR} ${STAGEDIR}${DOCSDIR} ${INSTALL_DATA} ${WRKDIR}/POST-INSTALL-NOTES ${STAGEDIR}${DOCSDIR} ${INSTALL_DATA} ${WRKDIR}/POST-INSTALL-NOTES.clamd ${STAGEDIR}${DOCSDIR} .for docfile in ${PORTDOC_BASE} ${INSTALL_DATA} ${WRKSRC}/${docfile} ${STAGEDIR}${DOCSDIR} .endfor .for docfile in ${PORTDOC_FILES} ${INSTALL_DATA} ${WRKSRC}/doc/${docfile} ${STAGEDIR}${DOCSDIR} .endfor @${MKDIR} ${STAGEDIR}${EXAMPLESDIR} .for example in ${PORT_EXAMPLES} ${INSTALL_SCRIPT} ${WRKSRC}/build-${OPSYS}-${ARCH}/${example} ${STAGEDIR}${EXAMPLESDIR} .endfor .endif .if ${PORT_OPTIONS:MSA_EXIM} ${INSTALL_DATA} ${WRKSRC}/Local/sa-exim.conf \ ${STAGEDIR}${PREFIX}/etc/exim/sa-exim.conf.sample .endif .endif # ! defined(EXIMON_ONLY) .include # If using clang, avoid too many warnings due to Exim code style .if ${CHOSEN_COMPILER_TYPE} == "clang" EXIM_WARN_FLAGS?= -Wno-logical-op-parentheses -Wno-macro-redefined -Wno-parentheses -Wno-dangling-else .endif CFLAGS+= ${EXIM_WARN_FLAGS} .include diff --git a/mail/exim/distinfo b/mail/exim/distinfo index c8414ae70062..9cbaf2901ea2 100644 --- a/mail/exim/distinfo +++ b/mail/exim/distinfo @@ -1,5 +1,5 @@ -TIMESTAMP = 1697388290 -SHA256 (exim/exim-4.96.2.tar.bz2) = a7b9c247a8dcdf72b37ef4a6db0a744f6d34f65b40ef376265ddeb35610bb432 -SIZE (exim/exim-4.96.2.tar.bz2) = 2047572 +TIMESTAMP = 1699107695 +SHA256 (exim/exim-4.97.tar.bz2) = f0f6141b126a929e431d6ac8af3d6a1e310621ffe1f628b7b0de1e9b05488bfd +SIZE (exim/exim-4.97.tar.bz2) = 2077471 SHA256 (exim/sa-exim-4.2.1.tar.gz) = 24d4bf7b0fdddaea11f132981cebb6a86a4ab20ef54111a8ebd481b421c6e2c1 SIZE (exim/sa-exim-4.2.1.tar.gz) = 68933 diff --git a/mail/exim/files/debian/75_01-Fix-exit-on-attempt-to-rewrite-a-malformed-address.-.patch b/mail/exim/files/debian/75_01-Fix-exit-on-attempt-to-rewrite-a-malformed-address.-.patch deleted file mode 100644 index 42a2c237aa82..000000000000 --- a/mail/exim/files/debian/75_01-Fix-exit-on-attempt-to-rewrite-a-malformed-address.-.patch +++ /dev/null @@ -1,39 +0,0 @@ -From e7ec503729970a03d4509921342bc81313976126 Mon Sep 17 00:00:00 2001 -From: Jeremy Harris -Date: Tue, 12 Jul 2022 22:14:04 +0100 -Subject: [PATCH] Fix exit on attempt to rewrite a malformed address. Bug 2903 - ---- - src/rewrite.c | 9 +- - test/confs/0471 | 7 + - test/log/0471 | 5 + - test/scripts/0000-Basic/0471 | 4 +- - test/stderr/0471 | 245 ++++++++++++++++++++++++++++++++++- - 6 files changed, 267 insertions(+), 8 deletions(-) - ---- a/src/rewrite.c -+++ b/src/rewrite.c -@@ -493,19 +493,18 @@ - empty address, overlong addres. Sometimes the result matters, sometimes not. - It seems this function is called for *any* header we see. */ - - if (!recipient) - { -- /* Handle unparesable addresses in the header. Slightly ugly because a -+ /* Log unparesable addresses in the header. Slightly ugly because a - null output from the extract can also result from a header without an -- address, "To: undisclosed recpients:;" being the classic case. */ -+ address, "To: undisclosed recpients:;" being the classic case. Ignore -+ this one and carry on. */ - - if ((rewrite_rules || routed_old) && Ustrcmp(errmess, "empty address") != 0) -- { - log_write(0, LOG_MAIN, "rewrite: %s", errmess); -- exim_exit(EXIT_FAILURE); -- } -+ - loop_reset_point = store_reset(loop_reset_point); - continue; - } - - /* If routed_old is not NULL, this is a rewrite caused by a router, diff --git a/mail/exim/files/debian/75_05-SPF-fix-memory-accounting-for-error-case.patch b/mail/exim/files/debian/75_05-SPF-fix-memory-accounting-for-error-case.patch deleted file mode 100644 index e474acf6f54d..000000000000 --- a/mail/exim/files/debian/75_05-SPF-fix-memory-accounting-for-error-case.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 93c722ce0549360af68269f088f4e59ed8fc130e Mon Sep 17 00:00:00 2001 -From: Jeremy Harris -Date: Sun, 7 Aug 2022 17:00:27 +0100 -Subject: [PATCH] SPF: fix memory accounting for error case - ---- - src/spf.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/spf.c b/src/spf.c -index db6eea3a8..a8c0f75c4 100644 ---- a/src/spf.c -+++ b/src/spf.c -@@ -204,7 +204,7 @@ spf_nxdomain = SPF_dns_rr_new_init(spf_dns_server, - "", ns_t_any, 24 * 60 * 60, HOST_NOT_FOUND); - if (!spf_nxdomain) - { -- free(spf_dns_server); -+ store_free(spf_dns_server); - return NULL; - } - --- -2.35.1 - diff --git a/mail/exim/files/debian/75_08-Fix-regex-n-use-after-free.-Bug-2915.patch b/mail/exim/files/debian/75_08-Fix-regex-n-use-after-free.-Bug-2915.patch deleted file mode 100644 index 6dd55c1fe806..000000000000 --- a/mail/exim/files/debian/75_08-Fix-regex-n-use-after-free.-Bug-2915.patch +++ /dev/null @@ -1,167 +0,0 @@ -From 4e9ed49f8f12eb331b29bd5b6dc3693c520fddc2 Mon Sep 17 00:00:00 2001 -From: Jeremy Harris -Date: Wed, 31 Aug 2022 15:37:40 +0100 -Subject: [PATCH] Fix $regex use-after-free. Bug 2915 - ---- - src/exim.c | 4 +--- - src/expand.c | 2 +- - src/functions.h | 1 + - src/globals.c | 2 +- - src/regex.c | 29 ++++++++++++++++++----------- - src/smtp_in.c | 2 ++ - 7 files changed, 55 insertions(+), 17 deletions(-) - ---- a/src/exim.c -+++ b/src/exim.c -@@ -1999,12 +1999,10 @@ - - regex_whitelisted_macro = - regex_must_compile(US"^[A-Za-z0-9_/.-]*$", FALSE, TRUE); - #endif - --for (i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL; -- - /* If the program is called as "mailq" treat it as equivalent to "exim -bp"; - this seems to be a generally accepted convention, since one finds symbolic - links called "mailq" in standard OS configurations. */ - - if ((namelen == 5 && Ustrcmp(argv[0], "mailq") == 0) || -@@ -6082,11 +6080,11 @@ - callout_address = NULL; - sending_ip_address = NULL; - deliver_localpart_data = deliver_domain_data = - recipient_data = sender_data = NULL; - acl_var_m = NULL; -- for(int i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL; -+ regex_vars_clear(); - - store_reset(reset_point); - } - - exim_exit(EXIT_SUCCESS); /* Never returns */ ---- a/src/expand.c -+++ b/src/expand.c -@@ -1871,11 +1871,11 @@ - { - tree_node * node = tree_search(router_var, name + 2); - return node ? node->data.ptr : strict_acl_vars ? NULL : US""; - } - --/* Handle $auth variables. */ -+/* Handle $auth, $regex variables. */ - - if (Ustrncmp(name, "auth", 4) == 0) - { - uschar *endptr; - int n = Ustrtoul(name + 4, &endptr, 10); ---- a/src/functions.h -+++ b/src/functions.h -@@ -436,10 +436,11 @@ - extern int regex(const uschar **); - #endif - extern BOOL regex_match(const pcre2_code *, const uschar *, int, uschar **); - extern BOOL regex_match_and_setup(const pcre2_code *, const uschar *, int, int); - extern const pcre2_code *regex_must_compile(const uschar *, BOOL, BOOL); -+extern void regex_vars_clear(void); - extern void retry_add_item(address_item *, uschar *, int); - extern BOOL retry_check_address(const uschar *, host_item *, uschar *, BOOL, - uschar **, uschar **); - extern retry_config *retry_find_config(const uschar *, const uschar *, int, int); - extern BOOL retry_ultimate_address_timeout(uschar *, const uschar *, ---- a/src/globals.c -+++ b/src/globals.c -@@ -1313,11 +1313,11 @@ - #ifndef DISABLE_PIPE_CONNECT - const pcre2_code *regex_EARLY_PIPE = NULL; - #endif - const pcre2_code *regex_ismsgid = NULL; - const pcre2_code *regex_smtp_code = NULL; --const uschar *regex_vars[REGEX_VARS]; -+const uschar *regex_vars[REGEX_VARS] = { 0 };; - #ifdef WHITELIST_D_MACROS - const pcre2_code *regex_whitelisted_macro = NULL; - #endif - #ifdef WITH_CONTENT_SCAN - uschar *regex_match_string = NULL; ---- a/src/regex.c -+++ b/src/regex.c -@@ -94,22 +94,32 @@ - } - pcre2_match_data_free(md); - return FAIL; - } - -+ -+/* reset expansion variables */ -+void -+regex_vars_clear(void) -+{ -+regex_match_string = NULL; -+for (int i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL; -+} -+ -+ -+ - int --regex(const uschar **listptr) -+regex(const uschar ** listptr) - { - unsigned long mbox_size; --FILE *mbox_file; --pcre_list *re_list_head; --uschar *linebuffer; -+FILE * mbox_file; -+pcre_list * re_list_head; -+uschar * linebuffer; - long f_pos = 0; - int ret = FAIL; - --/* reset expansion variable */ --regex_match_string = NULL; -+regex_vars_clear(); - - if (!mime_stream) /* We are in the DATA ACL */ - { - if (!(mbox_file = spool_mbox(&mbox_size, NULL, NULL))) - { /* error while spooling */ -@@ -167,18 +177,17 @@ - - - int - mime_regex(const uschar **listptr) - { --pcre_list *re_list_head = NULL; --FILE *f; --uschar *mime_subject = NULL; -+pcre_list * re_list_head = NULL; -+FILE * f; -+uschar * mime_subject = NULL; - int mime_subject_len = 0; - int ret; - --/* reset expansion variable */ --regex_match_string = NULL; -+regex_vars_clear(); - - /* precompile our regexes */ - if (!(re_list_head = compile(*listptr))) - return FAIL; /* no regexes -> nothing to do */ - ---- a/src/smtp_in.c -+++ b/src/smtp_in.c -@@ -2155,12 +2155,14 @@ - prdr_requested = FALSE; - #endif - #ifdef SUPPORT_I18N - message_smtputf8 = FALSE; - #endif -+regex_vars_clear(); - body_linecount = body_zerocount = 0; - -+lookup_value = NULL; /* Can be set by ACL */ - sender_rate = sender_rate_limit = sender_rate_period = NULL; - ratelimiters_mail = NULL; /* Updated by ratelimit ACL condition */ - /* Note that ratelimiters_conn persists across resets. */ - - /* Reset message ACL variables */ diff --git a/mail/exim/files/debian/75_09-Fix-non-WITH_CONTENT_SCAN-build.patch b/mail/exim/files/debian/75_09-Fix-non-WITH_CONTENT_SCAN-build.patch deleted file mode 100644 index 6071fa7c5bf4..000000000000 --- a/mail/exim/files/debian/75_09-Fix-non-WITH_CONTENT_SCAN-build.patch +++ /dev/null @@ -1,58 +0,0 @@ -From d8ecc7bf97934a1e2244788c610c958cacd740bd Mon Sep 17 00:00:00 2001 -From: Jeremy Harris -Date: Wed, 31 Aug 2022 17:03:37 +0100 -Subject: [PATCH 1/3] Fix non-WITH_CONTENT_SCAN build. - -Broken-by: 4e9ed49f8f ---- - src/exim.c | 11 +++++++++++ - src/regex.c | 10 ---------- - 2 files changed, 11 insertions(+), 10 deletions(-) - ---- a/src/exim.c -+++ b/src/exim.c -@@ -1677,10 +1677,21 @@ - if ((s = expand_string(big_buffer))) printf("%s\n", CS s); - else printf("Failed: %s\n", expand_string_message); - } - - -+/* reset regex expansion variables */ -+void -+regex_vars_clear(void) -+{ -+regex_match_string = NULL; -+for (int i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL; -+} -+ -+ -+ -+ - - /************************************************* - * Entry point and high-level code * - *************************************************/ - ---- a/src/regex.c -+++ b/src/regex.c -@@ -95,20 +95,10 @@ - pcre2_match_data_free(md); - return FAIL; - } - - --/* reset expansion variables */ --void --regex_vars_clear(void) --{ --regex_match_string = NULL; --for (int i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL; --} -- -- -- - int - regex(const uschar ** listptr) - { - unsigned long mbox_size; - FILE * mbox_file; diff --git a/mail/exim/files/debian/75_10-Fix-non-WITH_CONTENT_SCAN-build-2.patch b/mail/exim/files/debian/75_10-Fix-non-WITH_CONTENT_SCAN-build-2.patch deleted file mode 100644 index 0a8ed514ffe8..000000000000 --- a/mail/exim/files/debian/75_10-Fix-non-WITH_CONTENT_SCAN-build-2.patch +++ /dev/null @@ -1,135 +0,0 @@ -From 158dff9936e36a2d31d037d3988b9353458d6471 Mon Sep 17 00:00:00 2001 -From: Jeremy Harris -Date: Wed, 31 Aug 2022 17:17:59 +0100 -Subject: [PATCH 2/3] Fix non-WITH_CONTENT_SCAN build (2) - -Broken-by: d8ecc7bf97 ---- - src/exim.c | 13 +------------ - src/functions.h | 2 +- - src/globals.h | 2 +- - src/regex.c | 10 ++++++++++ - src/smtp_in.c | 2 ++ - 5 files changed, 15 insertions(+), 14 deletions(-) - ---- a/src/exim.c -+++ b/src/exim.c -@@ -1677,21 +1677,10 @@ - if ((s = expand_string(big_buffer))) printf("%s\n", CS s); - else printf("Failed: %s\n", expand_string_message); - } - - --/* reset regex expansion variables */ --void --regex_vars_clear(void) --{ --regex_match_string = NULL; --for (int i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL; --} -- -- -- -- - - /************************************************* - * Entry point and high-level code * - *************************************************/ - -@@ -6085,17 +6074,17 @@ - deliver_domain_orig = NULL; - deliver_host = deliver_host_address = NULL; - dnslist_domain = dnslist_matched = NULL; - #ifdef WITH_CONTENT_SCAN - malware_name = NULL; -+ regex_vars_clear(); - #endif - callout_address = NULL; - sending_ip_address = NULL; - deliver_localpart_data = deliver_domain_data = - recipient_data = sender_data = NULL; - acl_var_m = NULL; -- regex_vars_clear(); - - store_reset(reset_point); - } - - exim_exit(EXIT_SUCCESS); /* Never returns */ ---- a/src/functions.h -+++ b/src/functions.h -@@ -432,15 +432,15 @@ - extern BOOL receive_msg(BOOL); - extern int_eximarith_t receive_statvfs(BOOL, int *); - extern void receive_swallow_smtp(void); - #ifdef WITH_CONTENT_SCAN - extern int regex(const uschar **); -+extern void regex_vars_clear(void); - #endif - extern BOOL regex_match(const pcre2_code *, const uschar *, int, uschar **); - extern BOOL regex_match_and_setup(const pcre2_code *, const uschar *, int, int); - extern const pcre2_code *regex_must_compile(const uschar *, BOOL, BOOL); --extern void regex_vars_clear(void); - extern void retry_add_item(address_item *, uschar *, int); - extern BOOL retry_check_address(const uschar *, host_item *, uschar *, BOOL, - uschar **, uschar **); - extern retry_config *retry_find_config(const uschar *, const uschar *, int, int); - extern BOOL retry_ultimate_address_timeout(uschar *, const uschar *, ---- a/src/globals.h -+++ b/src/globals.h -@@ -895,16 +895,16 @@ - #ifndef DISABLE_PIPE_CONNECT - extern const pcre2_code *regex_EARLY_PIPE; /* For recognizing PIPE_CONNCT */ - #endif - extern const pcre2_code *regex_ismsgid; /* Compiled r.e. for message ID */ - extern const pcre2_code *regex_smtp_code; /* For recognizing SMTP codes */ --extern const uschar *regex_vars[]; /* $regexN variables */ - #ifdef WHITELIST_D_MACROS - extern const pcre2_code *regex_whitelisted_macro; /* For -D macro values */ - #endif - #ifdef WITH_CONTENT_SCAN - extern uschar *regex_match_string; /* regex that matched a line (regex ACL condition) */ -+extern const uschar *regex_vars[]; - #endif - extern int remote_delivery_count; /* Number of remote addresses */ - extern int remote_max_parallel; /* Maximum parallel delivery */ - extern uschar *remote_sort_domains; /* Remote domain sorting order */ - extern retry_config *retries; /* Chain of retry config information */ ---- a/src/regex.c -+++ b/src/regex.c -@@ -95,10 +95,20 @@ - pcre2_match_data_free(md); - return FAIL; - } - - -+/* reset expansion variables */ -+void -+regex_vars_clear(void) -+{ -+regex_match_string = NULL; -+for (int i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL; -+} -+ -+ -+ - int - regex(const uschar ** listptr) - { - unsigned long mbox_size; - FILE * mbox_file; ---- a/src/smtp_in.c -+++ b/src/smtp_in.c -@@ -2155,11 +2155,13 @@ - prdr_requested = FALSE; - #endif - #ifdef SUPPORT_I18N - message_smtputf8 = FALSE; - #endif -+#ifdef WITH_CONTENT_SCAN - regex_vars_clear(); -+#endif - body_linecount = body_zerocount = 0; - - lookup_value = NULL; /* Can be set by ACL */ - sender_rate = sender_rate_limit = sender_rate_period = NULL; - ratelimiters_mail = NULL; /* Updated by ratelimit ACL condition */ diff --git a/mail/exim/files/debian/75_11-Fix-non-WITH_CONTENT_SCAN-build-3.patch b/mail/exim/files/debian/75_11-Fix-non-WITH_CONTENT_SCAN-build-3.patch deleted file mode 100644 index b06d89679b7e..000000000000 --- a/mail/exim/files/debian/75_11-Fix-non-WITH_CONTENT_SCAN-build-3.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 32da6327e434e986a18b75a84f2d8c687ba14619 Mon Sep 17 00:00:00 2001 -From: Jeremy Harris -Date: Thu, 1 Sep 2022 15:54:35 +0100 -Subject: [PATCH 3/3] Fix non-WITH_CONTENT_SCAN build (3) - -Broken-by: d8ecc7bf97 ---- - src/expand.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/expand.c b/src/expand.c -index 89de56255..831ca2b75 100644 ---- a/src/expand.c -+++ b/src/expand.c -@@ -1869,6 +1869,7 @@ if (Ustrncmp(name, "auth", 4) == 0) - if (!*endptr && n != 0 && n <= AUTH_VARS) - return auth_vars[n-1] ? auth_vars[n-1] : US""; - } -+#ifdef WITH_CONTENT_SCAN - else if (Ustrncmp(name, "regex", 5) == 0) - { - uschar *endptr; -@@ -1876,6 +1877,7 @@ else if (Ustrncmp(name, "regex", 5) == 0) - if (!*endptr && n != 0 && n <= REGEX_VARS) - return regex_vars[n-1] ? regex_vars[n-1] : US""; - } -+#endif - - /* For all other variables, search the table */ - -@@ -8715,9 +8717,11 @@ assert_variable_notin() treats as const, so deconst is safe. */ - for (int i = 0; i < AUTH_VARS; i++) if (auth_vars[i]) - assert_variable_notin(US"auth", US auth_vars[i], &e); - -+#ifdef WITH_CONTENT_SCAN - /* check regex variables. assert_variable_notin() treats as const. */ - for (int i = 0; i < REGEX_VARS; i++) if (regex_vars[i]) - assert_variable_notin(US"regex", US regex_vars[i], &e); -+#endif - - /* check known-name variables */ - for (var_entry * v = var_table; v < var_table + var_table_size; v++) --- -2.35.1 - diff --git a/mail/exim/files/debian/75_16-GnuTLS-fix-for-clients-offering-no-TLS-extensions.patch b/mail/exim/files/debian/75_16-GnuTLS-fix-for-clients-offering-no-TLS-extensions.patch deleted file mode 100644 index 73b584dbef4d..000000000000 --- a/mail/exim/files/debian/75_16-GnuTLS-fix-for-clients-offering-no-TLS-extensions.patch +++ /dev/null @@ -1,96 +0,0 @@ -From ece23f05d6a430a461a75639197271c23f6858ec Mon Sep 17 00:00:00 2001 -From: Jasen Betts -Date: Fri, 30 Sep 2022 13:49:41 +0100 -Subject: [PATCH] GnuTLS: fix for clients offering no TLS extensions - ---- - src/tls-gnu.c | 3 ++- - src/tls-openssl.c | 39 +++++++++++++++--------------- - test/confs/2091 | 1 + - test/log/2091 | 3 +++ - test/scripts/2090-GnuTLS-ALPN/2091 | 19 +++++++++++++++ - test/stdout/2091 | 21 ++++++++++++++++ - 7 files changed, 68 insertions(+), 21 deletions(-) - create mode 120000 test/confs/2091 - create mode 100644 test/log/2091 - create mode 100644 test/scripts/2090-GnuTLS-ALPN/2091 - create mode 100644 test/stdout/2091 - ---- a/src/tls-gnu.c -+++ b/src/tls-gnu.c -@@ -1130,12 +1130,13 @@ - static int - tls_server_clienthello_cb(gnutls_session_t session, unsigned int htype, - unsigned when, unsigned int incoming, const gnutls_datum_t * msg) - { - /* Call fn for each extension seen. 3.6.3 onwards */ --return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg, -+int rc = gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg, - GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO); -+return rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE ? 0 : rc; - } - - - # ifdef notdef_crashes - /* Make a note that we saw a status-response */ ---- a/src/tls-openssl.c -+++ b/src/tls-openssl.c -@@ -940,40 +940,39 @@ - - Returns: nothing - */ - - static void --info_callback(SSL *s, int where, int ret) -+info_callback(SSL * s, int where, int ret) - { - DEBUG(D_tls) - { -- const uschar * str; -+ gstring * g = NULL; - -- if (where & SSL_ST_CONNECT) -- str = US"SSL_connect"; -- else if (where & SSL_ST_ACCEPT) -- str = US"SSL_accept"; -- else -- str = US"SSL info (undefined)"; -+ if (where & SSL_ST_CONNECT) g = string_append_listele(g, ',', US"SSL_connect"); -+ if (where & SSL_ST_ACCEPT) g = string_append_listele(g, ',', US"SSL_accept"); -+ if (where & SSL_CB_LOOP) g = string_append_listele(g, ',', US"state_chg"); -+ if (where & SSL_CB_EXIT) g = string_append_listele(g, ',', US"hshake_exit"); -+ if (where & SSL_CB_READ) g = string_append_listele(g, ',', US"read"); -+ if (where & SSL_CB_WRITE) g = string_append_listele(g, ',', US"write"); -+ if (where & SSL_CB_ALERT) g = string_append_listele(g, ',', US"alert"); -+ if (where & SSL_CB_HANDSHAKE_START) g = string_append_listele(g, ',', US"hshake_start"); -+ if (where & SSL_CB_HANDSHAKE_DONE) g = string_append_listele(g, ',', US"hshake_done"); - - if (where & SSL_CB_LOOP) -- debug_printf("%s: %s\n", str, SSL_state_string_long(s)); -+ debug_printf("SSL %s: %s\n", g->s, SSL_state_string_long(s)); - else if (where & SSL_CB_ALERT) -- debug_printf("SSL3 alert %s:%s:%s\n", -- str = where & SSL_CB_READ ? US"read" : US"write", -+ debug_printf("SSL %s %s:%s\n", g->s, - SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); - else if (where & SSL_CB_EXIT) - { -- if (ret == 0) -- debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s)); -- else if (ret < 0) -- debug_printf("%s: error in %s\n", str, SSL_state_string_long(s)); -+ if (ret <= 0) -+ debug_printf("SSL %s: %s in %s\n", g->s, -+ ret == 0 ? "failed" : "error", SSL_state_string_long(s)); - } -- else if (where & SSL_CB_HANDSHAKE_START) -- debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s)); -- else if (where & SSL_CB_HANDSHAKE_DONE) -- debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s)); -+ else if (where & (SSL_CB_HANDSHAKE_START | SSL_CB_HANDSHAKE_DONE)) -+ debug_printf("SSL %s: %s\n", g->s, SSL_state_string_long(s)); - } - } - - #ifdef OPENSSL_HAVE_KEYLOG_CB - static void diff --git a/mail/exim/files/debian/75_18-Fix-Build-with-libopendmarc-1.4.x-fixes-2728.patch b/mail/exim/files/debian/75_18-Fix-Build-with-libopendmarc-1.4.x-fixes-2728.patch deleted file mode 100644 index 456f315236b1..000000000000 --- a/mail/exim/files/debian/75_18-Fix-Build-with-libopendmarc-1.4.x-fixes-2728.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 1561c5d88b3a23a4348d8e3c1ce28554fcbcfe46 Mon Sep 17 00:00:00 2001 -From: "Heiko Schlittermann (HS12-RIPE)" -Date: Sat, 15 Oct 2022 19:30:58 +0200 -Subject: [PATCH 1/2] Fix: Build with libopendmarc 1.4.x (fixes 2728) - ---- - src/EDITME | 7 +++++-- - src/config.h.defaults | 1 + - src/dmarc.c | 7 ++++++- - 4 files changed, 15 insertions(+), 3 deletions(-) - ---- a/src/EDITME -+++ b/src/EDITME -@@ -600,18 +600,21 @@ - - # EXPERIMENTAL_DCC=yes - - # Uncomment the following line to add DMARC checking capability, implemented - # using libopendmarc libraries. You must have SPF and DKIM support enabled also. --# Library version libopendmarc-1.4.1-1.fc33.x86_64 (on Fedora 33) is known broken; --# 1.3.2-3 works. I seems that the OpenDMARC project broke their API. - # SUPPORT_DMARC=yes - # CFLAGS += -I/usr/local/include - # LDFLAGS += -lopendmarc - # Uncomment the following if you need to change the default. You can - # override it at runtime (main config option dmarc_tld_file) - # DMARC_TLD_FILE=/etc/exim/opendmarc.tlds -+# -+# Library version libopendmarc-1.4.1-1.fc33.x86_64 (on Fedora 33) is known broken; -+# 1.3.2-3 works. It seems that the OpenDMARC project broke their API. -+# Use this option if you need to build with an old library (1.3.x) -+# DMARC_API=100300 - - # Uncomment the following line to add ARC (Authenticated Received Chain) - # support. You must have SPF and DKIM support enabled also. - # EXPERIMENTAL_ARC=yes - ---- a/src/config.h.defaults -+++ b/src/config.h.defaults -@@ -148,10 +148,11 @@ - #define STRING_SPRINTF_BUFFER_SIZE (8192 * 4) - - #define SUPPORT_CRYPTEQ - #define SUPPORT_DANE - #define SUPPORT_DMARC -+#define DMARC_API 100400 - #define DMARC_TLD_FILE "/etc/exim/opendmarc.tlds" - #define SUPPORT_I18N - #define SUPPORT_I18N_2008 - #define SUPPORT_MAILDIR - #define SUPPORT_MAILSTORE ---- a/src/dmarc.c -+++ b/src/dmarc.c -@@ -457,11 +457,16 @@ - dkim_result = vs == PDKIM_VERIFY_PASS ? DMARC_POLICY_DKIM_OUTCOME_PASS : - vs == PDKIM_VERIFY_FAIL ? DMARC_POLICY_DKIM_OUTCOME_FAIL : - vs == PDKIM_VERIFY_INVALID ? DMARC_POLICY_DKIM_OUTCOME_TMPFAIL : - DMARC_POLICY_DKIM_OUTCOME_NONE; - libdm_status = opendmarc_policy_store_dkim(dmarc_pctx, US sig->domain, -- dkim_result, US""); -+/* The opendmarc project broke its API in a way we can't detect * easily. -+ * The EDITME provides a DMARC_API variable */ -+#if DMARC_API >= 100400 -+ sig->selector, -+#endif -+ dkim_result, US""); - DEBUG(D_receive) - debug_printf("DMARC adding DKIM sender domain = %s\n", sig->domain); - if (libdm_status != DMARC_PARSE_OKAY) - log_write(0, LOG_MAIN|LOG_PANIC, - "failure to store dkim (%s) for DMARC: %s", diff --git a/mail/exim/files/debian/75_19-DMARC-fix-use-after-free-in-dmarc_dns_lookup.patch b/mail/exim/files/debian/75_19-DMARC-fix-use-after-free-in-dmarc_dns_lookup.patch deleted file mode 100644 index e8bda9e07b35..000000000000 --- a/mail/exim/files/debian/75_19-DMARC-fix-use-after-free-in-dmarc_dns_lookup.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 12fb3842f81bcbd4a4519d5728f2d7e0e3ca1445 Mon Sep 17 00:00:00 2001 -From: Lorenz Brun -Date: Fri, 14 Oct 2022 21:02:51 +0200 -Subject: [PATCH 2/2] DMARC: fix use-after-free in dmarc_dns_lookup - -This fixes a use-after-free in dmarc_dns_lookup where the result -of dns_lookup in dnsa is freed before the required data is copied out. - -Fixes: 9258363 ("DNS: explicit alloc/free of workspace") ---- - src/dmarc.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/dmarc.c b/src/dmarc.c -index ad0c26c91..53c2752ac 100644 ---- a/src/dmarc.c -+++ b/src/dmarc.c -@@ -226,16 +226,17 @@ dns_scan dnss; - int rc = dns_lookup(dnsa, string_sprintf("_dmarc.%s", dom), T_TXT, NULL); - - if (rc == DNS_SUCCEED) - for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr; - rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) - if (rr->type == T_TXT && rr->size > 3) - { -+ uschar *record = string_copyn_taint(US rr->data, rr->size, GET_TAINTED); - store_free_dns_answer(dnsa); -- return string_copyn_taint(US rr->data, rr->size, GET_TAINTED); -+ return record; - } - store_free_dns_answer(dnsa); - return NULL; - } - - - static int --- -2.35.1 - diff --git a/mail/exim/files/debian/75_22-Fix-daemon-startup.-Bug-2930.patch b/mail/exim/files/debian/75_22-Fix-daemon-startup.-Bug-2930.patch deleted file mode 100644 index 412c39be28d7..000000000000 --- a/mail/exim/files/debian/75_22-Fix-daemon-startup.-Bug-2930.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 221321d2c51b83d1feced80ecd6c2fe33ec5456c Mon Sep 17 00:00:00 2001 -From: Jeremy Harris -Date: Thu, 3 Nov 2022 20:08:25 +0000 -Subject: [PATCH 1/2] Fix daemon startup. Bug 2930 - -Broken-by: 7d5055276a ---- - src/daemon.c | 8 ++++++-- - 2 files changed, 10 insertions(+), 2 deletions(-) - ---- a/src/daemon.c -+++ b/src/daemon.c -@@ -1744,19 +1744,23 @@ - { - /* If the parent process of this one has pid == 1, we are re-initializing the - daemon as the result of a SIGHUP. In this case, there is no need to do - anything, because the controlling terminal has long gone. Otherwise, fork, in - case current process is a process group leader (see 'man setsid' for an -- explanation) before calling setsid(). */ -+ explanation) before calling setsid(). -+ All other forks want daemon_listen cleared. Rather than blow a register, jsut -+ restore it here. */ - - if (getppid() != 1) - { -+ BOOL daemon_listen = f.daemon_listen; - pid_t pid = exim_fork(US"daemon"); - if (pid < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, - "fork() failed when starting daemon: %s", strerror(errno)); - if (pid > 0) exit(EXIT_SUCCESS); /* in parent process, just exit */ - (void)setsid(); /* release controlling terminal */ -+ f.daemon_listen = daemon_listen; - } - } - - /* We are now in the disconnected, daemon process (unless debugging). Set up - the listening sockets if required. */ -@@ -2090,11 +2094,11 @@ - { /* found; append port to list */ - for (p = i2->log; *p; ) p++; /* end of existing string */ - if (*--p == '}') *p = '\0'; /* drop EOL */ - while (isdigit(*--p)) ; /* char before port */ - -- i2->log = *p == ':' /* no list yet? */ -+ i2->log = *p == ':' /* no list yet? { */ - ? string_sprintf("%.*s{%s,%d}", - (int)(p - i2->log + 1), i2->log, p+1, ipa->port) - : string_sprintf("%s,%d}", i2->log, ipa->port); - ipa->log = NULL; - break; diff --git a/mail/exim/files/debian/75_23-Fix-reccipients-after-run.-.-Bug-2929.patch b/mail/exim/files/debian/75_23-Fix-reccipients-after-run.-.-Bug-2929.patch deleted file mode 100644 index 1db2ad0c9c99..000000000000 --- a/mail/exim/files/debian/75_23-Fix-reccipients-after-run.-.-Bug-2929.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 6b331d5834d12bdda21857cd6fffac17038ce3c7 Mon Sep 17 00:00:00 2001 -From: Ruben Jenster -Date: Thu, 3 Nov 2022 21:38:15 +0000 -Subject: [PATCH 2/2] Fix $reccipients after ${run...}. Bug 2929 - -Broken-by: cfe6acff2d ---- - src/transport.c | 3 ++- - 2 files changed, 5 insertions(+), 1 deletion(-) - ---- a/src/transport.c -+++ b/src/transport.c -@@ -2342,13 +2342,14 @@ - /* Handle normal expansion string */ - - else - { - const uschar *expanded_arg; -+ BOOL enable_dollar_recipients_g = f.enable_dollar_recipients; - f.enable_dollar_recipients = allow_dollar_recipients; - expanded_arg = expand_cstring(argv[i]); -- f.enable_dollar_recipients = FALSE; -+ f.enable_dollar_recipients = enable_dollar_recipients_g; - - if (!expanded_arg) - { - uschar *msg = string_sprintf("Expansion of \"%s\" " - "from command \"%s\" in %s failed: %s", diff --git a/mail/exim/files/debian/75_31-Fix-regext-substring-capture-variables-for-null-matc.patch b/mail/exim/files/debian/75_31-Fix-regext-substring-capture-variables-for-null-matc.patch deleted file mode 100644 index d12b1b246631..000000000000 --- a/mail/exim/files/debian/75_31-Fix-regext-substring-capture-variables-for-null-matc.patch +++ /dev/null @@ -1,60 +0,0 @@ -From e63825824cc406c160ccbf2b154c5d81b168604a Mon Sep 17 00:00:00 2001 -From: Jeremy Harris -Date: Fri, 11 Nov 2022 00:05:59 +0000 -Subject: [PATCH 1/2] Fix regext substring capture variables for null matches. - Bug 2933 - -broken-by: 59d66fdc13f0 ---- - src/exim.c | 2 ++ - src/malware.c | 3 +++ - src/regex.c | 2 +- - 4 files changed, 11 insertions(+), 1 deletion(-) - ---- a/src/exim.c -+++ b/src/exim.c -@@ -167,10 +167,12 @@ - for (int matchnum = setup < 0 ? 0 : 1; matchnum < res; matchnum++) - { - PCRE2_SIZE len; - pcre2_substring_get_bynumber(md, matchnum, - (PCRE2_UCHAR **)&expand_nstring[expand_nmax], &len); -+ if (!expand_nstring[expand_nmax]) -+ { expand_nstring[expand_nmax] = US""; len = 0; } - expand_nlength[expand_nmax++] = (int)len; - } - expand_nmax--; - } - else if (res != PCRE2_ERROR_NOMATCH) DEBUG(D_any) ---- a/src/malware.c -+++ b/src/malware.c -@@ -323,11 +323,14 @@ - int i = pcre2_match(cre, text, PCRE2_ZERO_TERMINATED, 0, 0, md, pcre_mtc_ctx); - PCRE2_UCHAR * substr = NULL; - PCRE2_SIZE slen; - - if (i >= 2) /* Got it */ -+ { - pcre2_substring_get_bynumber(md, 1, &substr, &slen); -+ if (!substr) substr = US""; -+ } - return US substr; - } - - static const pcre2_code * - m_pcre_nextinlist(const uschar ** list, int * sep, ---- a/src/regex.c -+++ b/src/regex.c -@@ -84,11 +84,11 @@ - for (int nn = 1; nn < n; nn++) - { - PCRE2_UCHAR * cstr; - PCRE2_SIZE cslen; - pcre2_substring_get_bynumber(md, nn, &cstr, &cslen); -- regex_vars[nn-1] = CUS cstr; -+ regex_vars[nn-1] = cstr ? CUS cstr : CUS""; - } - - return OK; - } - } diff --git a/mail/exim/files/debian/75_32-Fix-regex-substring-capture-variables-for-null-match.patch b/mail/exim/files/debian/75_32-Fix-regex-substring-capture-variables-for-null-match.patch deleted file mode 100644 index 7c2c14a385dc..000000000000 --- a/mail/exim/files/debian/75_32-Fix-regex-substring-capture-variables-for-null-match.patch +++ /dev/null @@ -1,94 +0,0 @@ -From 7ad1a2b2cc57b5f4bcb59186a9a8abcbed9f4f76 Mon Sep 17 00:00:00 2001 -From: Jeremy Harris -Date: Fri, 11 Nov 2022 18:22:00 +0000 -Subject: [PATCH 2/2] Fix regex substring capture variables for null matches - (again). Bug 2933 - -Broken-by: 59d66fdc13f0 ---- - src/exim.c | 11 +++++------ - src/malware.c | 10 +++++----- - src/regex.c | 8 ++++---- - test/aux-var-src/0383.F | 4 ++-- - test/log/0383 | 4 ++-- - test/mail/0383.CALLER | 8 ++++---- - test/scripts/0000-Basic/0002 | 2 ++ - test/stdout/0002 | 2 ++ - 8 files changed, 26 insertions(+), 23 deletions(-) - ---- a/src/exim.c -+++ b/src/exim.c -@@ -160,20 +160,19 @@ - PCRE_EOPT | options, md, pcre_mtc_ctx); - BOOL yield; - - if ((yield = (res >= 0))) - { -+ PCRE2_SIZE * ovec = pcre2_get_ovector_pointer(md); - res = pcre2_get_ovector_count(md); - expand_nmax = setup < 0 ? 0 : setup + 1; - for (int matchnum = setup < 0 ? 0 : 1; matchnum < res; matchnum++) - { -- PCRE2_SIZE len; -- pcre2_substring_get_bynumber(md, matchnum, -- (PCRE2_UCHAR **)&expand_nstring[expand_nmax], &len); -- if (!expand_nstring[expand_nmax]) -- { expand_nstring[expand_nmax] = US""; len = 0; } -- expand_nlength[expand_nmax++] = (int)len; -+ int off = matchnum * 2; -+ int len = ovec[off + 1] - ovec[off]; -+ expand_nstring[expand_nmax] = string_copyn(subject + ovec[off], len); -+ expand_nlength[expand_nmax++] = len; - } - expand_nmax--; - } - else if (res != PCRE2_ERROR_NOMATCH) DEBUG(D_any) - { ---- a/src/malware.c -+++ b/src/malware.c -@@ -319,19 +319,19 @@ - uschar * - m_pcre_exec(const pcre2_code * cre, uschar * text) - { - pcre2_match_data * md = pcre2_match_data_create(2, pcre_gen_ctx); - int i = pcre2_match(cre, text, PCRE2_ZERO_TERMINATED, 0, 0, md, pcre_mtc_ctx); --PCRE2_UCHAR * substr = NULL; --PCRE2_SIZE slen; -+uschar * substr = NULL; - - if (i >= 2) /* Got it */ - { -- pcre2_substring_get_bynumber(md, 1, &substr, &slen); -- if (!substr) substr = US""; -+ PCRE2_SIZE * ovec = pcre2_get_ovector_pointer(md); -+ int len = ovec[3] - ovec[2]; -+ substr = string_copyn(text + ovec[2], len); - } --return US substr; -+return substr; - } - - static const pcre2_code * - m_pcre_nextinlist(const uschar ** list, int * sep, - char * listerr, uschar ** errstr) ---- a/src/regex.c -+++ b/src/regex.c -@@ -81,14 +81,14 @@ - sizeof(regex_match_string_buffer)-1); - regex_match_string = regex_match_string_buffer; - - for (int nn = 1; nn < n; nn++) - { -- PCRE2_UCHAR * cstr; -- PCRE2_SIZE cslen; -- pcre2_substring_get_bynumber(md, nn, &cstr, &cslen); -- regex_vars[nn-1] = cstr ? CUS cstr : CUS""; -+ PCRE2_SIZE * ovec = pcre2_get_ovector_pointer(md); -+ int off = nn * 2; -+ int len = ovec[off + 1] - ovec[off]; -+ regex_vars[nn-1] = string_copyn(linebuffer + ovec[off], len); - } - - return OK; - } - } diff --git a/mail/exim/files/debian/75_34-Fix-regex-substring-capture-commentary.-Bug-2933.patch b/mail/exim/files/debian/75_34-Fix-regex-substring-capture-commentary.-Bug-2933.patch deleted file mode 100644 index 61d4483e5f04..000000000000 --- a/mail/exim/files/debian/75_34-Fix-regex-substring-capture-commentary.-Bug-2933.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 9ba47886c71d40edc99b026a99edee269d9c9c6f Mon Sep 17 00:00:00 2001 -From: Jeremy Harris -Date: Sat, 12 Nov 2022 12:38:22 +0000 -Subject: [PATCH] Fix regex substring capture - commentary. Bug 2933 - -Broken-by (corrected): 22ed7a5295f1 ---- - src/exim.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/src/exim.c b/src/exim.c -index 16c0184e0..625494ce4 100644 ---- a/src/exim.c -+++ b/src/exim.c -@@ -102,11 +102,13 @@ pcre_gen_mtc_ctx = pcre2_match_context_create(pcre_gen_ctx); - * Execute regular expression and set strings * - *************************************************/ - - /* This function runs a regular expression match, and sets up the pointers to - the matched substrings. The matched strings are copied so the lifetime of --the subject is not a problem. -+the subject is not a problem. Matched strings will have the same taint status -+as the subject string (this is not a de-taint method, and must not be made so -+given the support for wildcards in REs). - - Arguments: - re the compiled expression - subject the subject string - options additional PCRE options -@@ -130,10 +132,15 @@ if ((yield = (res >= 0))) - PCRE2_SIZE * ovec = pcre2_get_ovector_pointer(md); - res = pcre2_get_ovector_count(md); - expand_nmax = setup < 0 ? 0 : setup + 1; - for (int matchnum = setup < 0 ? 0 : 1; matchnum < res; matchnum++) - { -+ /* Although PCRE2 has a pcre2_substring_get_bynumber() conveneience, it -+ seems to return a bad pointer when a capture group had no data, eg. (.*) -+ matching zero letters. So use the underlying ovec and hope (!) that the -+ offsets are sane (including that case). Should we go further and range- -+ check each one vs. the subject string length? */ - int off = matchnum * 2; - int len = ovec[off + 1] - ovec[off]; - expand_nstring[expand_nmax] = string_copyn(subject + ovec[off], len); - expand_nlength[expand_nmax++] = len; - } --- -2.35.1 - diff --git a/mail/exim/files/debian/75_37-OpenSSL-when-preloading-creds-do-the-server-certs-be.patch b/mail/exim/files/debian/75_37-OpenSSL-when-preloading-creds-do-the-server-certs-be.patch deleted file mode 100644 index 2e21065fb1d6..000000000000 --- a/mail/exim/files/debian/75_37-OpenSSL-when-preloading-creds-do-the-server-certs-be.patch +++ /dev/null @@ -1,232 +0,0 @@ -From 7f65a63b60c6ea86db683ac00e221939f3bb1d47 Mon Sep 17 00:00:00 2001 -From: Jeremy Harris -Date: Tue, 25 Oct 2022 21:26:30 +0100 -Subject: [PATCH 1/2] OpenSSL: when preloading creds do the server certs before - the OCSP proofs so that the latter can ve verified before loading - ---- - src/tls-openssl.c | 113 ++++++++++++++++++++++-------------------- - 1 file changed, 58 insertions(+), 55 deletions(-) - -diff --git a/src/tls-openssl.c b/src/tls-openssl.c -index 68ad6f15b..fdf0d92b2 100644 ---- a/src/tls-openssl.c -+++ b/src/tls-openssl.c -@@ -441,14 +441,16 @@ exim_openssl_state_st state_server = {.is_server = TRUE}; - static int - setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, - uschar ** errstr ); - - /* Callbacks */ - #ifndef DISABLE_OCSP - static int tls_server_stapling_cb(SSL *s, void *arg); -+static void x509_stack_dump_cert_s_names(const STACK_OF(X509) * sk); -+static void x509_store_dump_cert_s_names(X509_STORE * store); - #endif - - - - /* Daemon-called, before every connection, key create/rotate */ - #ifndef DISABLE_TLS_RESUME - static void tk_init(void); -@@ -1307,15 +1309,14 @@ ocsp_load_response(exim_openssl_state_st * state, const uschar * filename, - { - BIO * bio; - OCSP_RESPONSE * resp; - OCSP_BASICRESP * basic_response; - OCSP_SINGLERESP * single_response; - ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd; - STACK_OF(X509) * sk; --unsigned long verify_flags; - int status, reason, i; - - DEBUG(D_tls) - debug_printf("tls_ocsp_file (%s) '%s'\n", is_pem ? "PEM" : "DER", filename); - - if (!filename || !*filename) return; - -@@ -1372,28 +1373,28 @@ if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL) - if (!(basic_response = OCSP_response_get1_basic(resp))) - { - DEBUG(D_tls) - debug_printf("OCSP response parse error: unable to extract basic response.\n"); - goto bad; - } - --sk = state->verify_stack; --verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */ -+sk = state->verify_stack; /* set by setup_certs() / chain_from_pem_file() */ - - /* May need to expose ability to adjust those flags? - OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT - OCSP_TRUSTOTHER OCSP_NOINTERN */ - --/* This does a full verify on the OCSP proof before we load it for serving --up; possibly overkill - just date-checks might be nice enough. -+/* This does a partial verify (only the signer link, not the whole chain-to-CA) -+on the OCSP proof before we load it for serving up; possibly overkill - -+just date-checks might be nice enough. - - OCSP_basic_verify takes a "store" arg, but does not --use it for the chain verification, which is all we do --when OCSP_NOVERIFY is set. The content from the wire --"basic_response" and a cert-stack "sk" are all that is used. -+use it for the chain verification, when OCSP_NOVERIFY is set. -+The content from the wire "basic_response" and a cert-stack "sk" are all -+that is used. - - We have a stack, loaded in setup_certs() if tls_verify_certificates - was a file (not a directory, or "system"). It is unfortunate we - cannot used the connection context store, as that would neatly - handle the "system" case too, but there seems to be no library - function for getting a stack from a store. - [ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ] -@@ -1402,15 +1403,15 @@ SNI handling. - - Separately we might try to replace using OCSP_basic_verify() - which seems to not - be a public interface into the OpenSSL library (there's no manual entry) - - But what with? We also use OCSP_basic_verify in the client stapling callback. - And there we NEED it; we must verify that status... unless the - library does it for us anyway? */ - --if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0) -+if ((i = OCSP_basic_verify(basic_response, sk, NULL, OCSP_NOVERIFY)) < 0) - { - DEBUG(D_tls) - { - ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring)); - debug_printf("OCSP response verify failure: %s\n", US ssl_errstring); - } - goto bad; -@@ -1747,61 +1748,18 @@ if (opt_unset_or_noexpand(tls_eccurve)) - if (init_ecdh(ctx, &dummy_errstr)) - state_server.lib_state.ecdh = TRUE; - } - else - DEBUG(D_tls) debug_printf("TLS: not preloading ECDH curve for server\n"); - - #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT) --/* If we can, preload the server-side cert, key and ocsp */ -- --if ( opt_set_and_noexpand(tls_certificate) --# ifndef DISABLE_OCSP -- && opt_unset_or_noexpand(tls_ocsp_file) --#endif -- && opt_unset_or_noexpand(tls_privatekey)) -- { -- /* Set watches on the filenames. The implementation does de-duplication -- so we can just blindly do them all. */ -- -- if ( tls_set_watch(tls_certificate, TRUE) --# ifndef DISABLE_OCSP -- && tls_set_watch(tls_ocsp_file, TRUE) --#endif -- && tls_set_watch(tls_privatekey, TRUE)) -- { -- state_server.certificate = tls_certificate; -- state_server.privatekey = tls_privatekey; --#ifndef DISABLE_OCSP -- state_server.u_ocsp.server.file = tls_ocsp_file; --#endif -- -- DEBUG(D_tls) debug_printf("TLS: preloading server certs\n"); -- if (tls_expand_session_files(ctx, &state_server, &dummy_errstr) == OK) -- state_server.lib_state.conn_certs = TRUE; -- } -- } --else if ( !tls_certificate && !tls_privatekey --# ifndef DISABLE_OCSP -- && !tls_ocsp_file --#endif -- ) -- { /* Generate & preload a selfsigned cert. No files to watch. */ -- if (tls_expand_session_files(ctx, &state_server, &dummy_errstr) == OK) -- { -- state_server.lib_state.conn_certs = TRUE; -- lifetime = f.running_in_test_harness ? 2 : 60 * 60; /* 1 hour */ -- } -- } --else -- DEBUG(D_tls) debug_printf("TLS: not preloading server certs\n"); -- -- - /* If we can, preload the Authorities for checking client certs against. - Actual choice to do verify is made (tls_{,try_}verify_hosts) --at TLS conn startup */ -+at TLS conn startup. -+Do this before the server ocsp so that its info can verify the ocsp. */ - - if ( opt_set_and_noexpand(tls_verify_certificates) - && opt_unset_or_noexpand(tls_crl)) - { - /* Watch the default dir also as they are always included */ - - if ( tls_set_watch(CUS X509_get_default_cert_file(), FALSE) -@@ -1809,18 +1767,63 @@ if ( opt_set_and_noexpand(tls_verify_certificates) - && tls_set_watch(tls_crl, FALSE)) - { - DEBUG(D_tls) debug_printf("TLS: preloading CA bundle for server\n"); - - if (setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, &dummy_errstr) - == OK) - state_server.lib_state.cabundle = TRUE; -- } -+ -+ /* If we can, preload the server-side cert, key and ocsp */ -+ -+ if ( opt_set_and_noexpand(tls_certificate) -+# ifndef DISABLE_OCSP -+ && opt_unset_or_noexpand(tls_ocsp_file) -+# endif -+ && opt_unset_or_noexpand(tls_privatekey)) -+ { -+ /* Set watches on the filenames. The implementation does de-duplication -+ so we can just blindly do them all. */ -+ -+ if ( tls_set_watch(tls_certificate, TRUE) -+# ifndef DISABLE_OCSP -+ && tls_set_watch(tls_ocsp_file, TRUE) -+# endif -+ && tls_set_watch(tls_privatekey, TRUE)) -+ { -+ state_server.certificate = tls_certificate; -+ state_server.privatekey = tls_privatekey; -+#ifndef DISABLE_OCSP -+ state_server.u_ocsp.server.file = tls_ocsp_file; -+# endif -+ -+ DEBUG(D_tls) debug_printf("TLS: preloading server certs\n"); -+ if (tls_expand_session_files(ctx, &state_server, &dummy_errstr) == OK) -+ state_server.lib_state.conn_certs = TRUE; -+ } -+ } -+ else if ( !tls_certificate && !tls_privatekey -+# ifndef DISABLE_OCSP -+ && !tls_ocsp_file -+# endif -+ ) -+ { /* Generate & preload a selfsigned cert. No files to watch. */ -+ if (tls_expand_session_files(ctx, &state_server, &dummy_errstr) == OK) -+ { -+ state_server.lib_state.conn_certs = TRUE; -+ lifetime = f.running_in_test_harness ? 2 : 60 * 60; /* 1 hour */ -+ } -+ } -+ else -+ DEBUG(D_tls) debug_printf("TLS: not preloading server certs\n"); -+ } - } - else - DEBUG(D_tls) debug_printf("TLS: not preloading CA bundle for server\n"); -+ -+ - #endif /* EXIM_HAVE_INOTIFY */ - - - /* If we can, preload the ciphers control string */ - - if (opt_set_and_noexpand(tls_require_ciphers)) - { --- -2.35.1 - diff --git a/mail/exim/files/debian/75_38-OpenSSL-fix-double-expansion-of-tls_verify_certifica.patch b/mail/exim/files/debian/75_38-OpenSSL-fix-double-expansion-of-tls_verify_certifica.patch deleted file mode 100644 index 09e4f11ef20e..000000000000 --- a/mail/exim/files/debian/75_38-OpenSSL-fix-double-expansion-of-tls_verify_certifica.patch +++ /dev/null @@ -1,217 +0,0 @@ -From 62b97c2ecf148ee86053d82e5509e4c3a5a20054 Mon Sep 17 00:00:00 2001 -From: Jeremy Harris -Date: Sat, 29 Oct 2022 22:33:43 +0100 -Subject: [PATCH 2/2] OpenSSL: fix double-expansion of tls_verify_certificates - ---- - src/tls-openssl.c | 66 +++++++++++++++++++++---------------------- - 1 file changed, 33 insertions(+), 33 deletions(-) - -diff --git a/src/tls-openssl.c b/src/tls-openssl.c -index fdf0d92b2..2e09882d2 100644 ---- a/src/tls-openssl.c -+++ b/src/tls-openssl.c -@@ -435,15 +435,15 @@ typedef struct exim_openssl_state { - /* should figure out a cleanup of API to handle state preserved per - implementation, for various reasons, which can be void * in the APIs. - For now, we hack around it. */ - exim_openssl_state_st *client_static_state = NULL; /*XXX should not use static; multiple concurrent clients! */ - exim_openssl_state_st state_server = {.is_server = TRUE}; - - static int --setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, -+setup_certs(SSL_CTX * sctx, uschar ** certs, uschar * crl, host_item * host, - uschar ** errstr ); - - /* Callbacks */ - #ifndef DISABLE_OCSP - static int tls_server_stapling_cb(SSL *s, void *arg); - static void x509_stack_dump_cert_s_names(const STACK_OF(X509) * sk); - static void x509_store_dump_cert_s_names(X509_STORE * store); -@@ -1762,18 +1762,18 @@ if ( opt_set_and_noexpand(tls_verify_certificates) - { - /* Watch the default dir also as they are always included */ - - if ( tls_set_watch(CUS X509_get_default_cert_file(), FALSE) - && tls_set_watch(tls_verify_certificates, FALSE) - && tls_set_watch(tls_crl, FALSE)) - { -+ uschar * v_certs = tls_verify_certificates; - DEBUG(D_tls) debug_printf("TLS: preloading CA bundle for server\n"); - -- if (setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, &dummy_errstr) -- == OK) -+ if (setup_certs(ctx, &v_certs, tls_crl, NULL, &dummy_errstr) == OK) - state_server.lib_state.cabundle = TRUE; - - /* If we can, preload the server-side cert, key and ocsp */ - - if ( opt_set_and_noexpand(tls_certificate) - # ifndef DISABLE_OCSP - && opt_unset_or_noexpand(tls_ocsp_file) -@@ -1897,18 +1897,19 @@ if ( opt_set_and_noexpand(ob->tls_verify_certificates) - { - if ( !watch - || tls_set_watch(CUS X509_get_default_cert_file(), FALSE) - && tls_set_watch(ob->tls_verify_certificates, FALSE) - && tls_set_watch(ob->tls_crl, FALSE) - ) - { -+ uschar * v_certs = ob->tls_verify_certificates; - DEBUG(D_tls) - debug_printf("TLS: preloading CA bundle for transport '%s'\n", t->name); - -- if (setup_certs(ctx, ob->tls_verify_certificates, -+ if (setup_certs(ctx, &v_certs, - ob->tls_crl, dummy_host, &dummy_errstr) == OK) - ob->tls_preload.cabundle = TRUE; - } - } - else - DEBUG(D_tls) - debug_printf("TLS: not preloading CA bundle, for transport '%s'\n", t->name); -@@ -2238,22 +2239,20 @@ if (state->u_ocsp.server.file) - { - SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb); - SSL_CTX_set_tlsext_status_arg(server_sni, state); - } - #endif - - { -- uschar * expcerts; -- if ( !expand_check(tls_verify_certificates, US"tls_verify_certificates", -- &expcerts, &dummy_errstr) -- || (rc = setup_certs(server_sni, expcerts, tls_crl, NULL, -+ uschar * v_certs = tls_verify_certificates; -+ if ((rc = setup_certs(server_sni, &v_certs, tls_crl, NULL, - &dummy_errstr)) != OK) - goto bad; - -- if (expcerts && *expcerts) -+ if (v_certs && *v_certs) - setup_cert_verify(server_sni, FALSE, verify_callback_server); - } - - /* do this after setup_certs, because this can require the certs for verifying - OCSP information. */ - if ((rc = tls_expand_session_files(server_sni, state, &dummy_errstr)) != OK) - goto bad; -@@ -3017,32 +3016,33 @@ return TRUE; - - - /* Called by both client and server startup; on the server possibly - repeated after a Server Name Indication. - - Arguments: - sctx SSL_CTX* to initialise -- certs certs file, expanded -+ certs certs file, returned expanded - crl CRL file or NULL - host NULL in a server; the remote host in a client - errstr error string pointer - - Returns: OK/DEFER/FAIL - */ - - static int --setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, -+setup_certs(SSL_CTX * sctx, uschar ** certsp, uschar * crl, host_item * host, - uschar ** errstr) - { --uschar *expcerts, *expcrl; -+uschar * expcerts, * expcrl; - --if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr)) -+if (!expand_check(*certsp, US"tls_verify_certificates", &expcerts, errstr)) - return DEFER; - DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts); - -+*certsp = expcerts; - if (expcerts && *expcerts) - { - /* Tell the library to use its compiled-in location for the system default - CA bundle. Then add the ones specified in the config, if any. */ - - if (!SSL_CTX_set_default_verify_paths(sctx)) - return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr); -@@ -3330,28 +3330,28 @@ if (verify_check_host(&tls_verify_hosts) == OK) - server_verify_optional = FALSE; - else if (verify_check_host(&tls_try_verify_hosts) == OK) - server_verify_optional = TRUE; - else - goto skip_certs; - - { -- uschar * expcerts; -- if (!expand_check(tls_verify_certificates, US"tls_verify_certificates", -- &expcerts, errstr)) -- return DEFER; -- DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts); -+ uschar * v_certs = tls_verify_certificates; - - if (state_server.lib_state.cabundle) -- { DEBUG(D_tls) debug_printf("TLS: CA bundle for server was preloaded\n"); } -+ { -+ DEBUG(D_tls) debug_printf("TLS: CA bundle for server was preloaded\n"); -+ setup_cert_verify(ctx, server_verify_optional, verify_callback_server); -+ } - else -- if ((rc = setup_certs(ctx, expcerts, tls_crl, NULL, errstr)) != OK) -+ { -+ if ((rc = setup_certs(ctx, &v_certs, tls_crl, NULL, errstr)) != OK) - return rc; -- -- if (expcerts && *expcerts) -- setup_cert_verify(ctx, server_verify_optional, verify_callback_server); -+ if (v_certs && *v_certs) -+ setup_cert_verify(ctx, server_verify_optional, verify_callback_server); -+ } - } - skip_certs: ; - - #ifndef DISABLE_TLS_RESUME - # if OPENSSL_VERSION_NUMBER < 0x30000000L - SSL_CTX_set_tlsext_ticket_key_cb(ctx, ticket_key_callback); - /* despite working, appears to always return failure, so ignoring */ -@@ -3606,28 +3606,28 @@ if ( ( ( !ob->tls_verify_hosts || !ob->tls_verify_hosts - client_verify_optional = FALSE; - else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK) - client_verify_optional = TRUE; - else - return OK; - - { -- uschar * expcerts; -- if (!expand_check(ob->tls_verify_certificates, US"tls_verify_certificates", -- &expcerts, errstr)) -- return DEFER; -- DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts); -+ uschar * v_certs = ob->tls_verify_certificates; - - if (state->lib_state.cabundle) -- { DEBUG(D_tls) debug_printf("TLS: CA bundle was preloaded\n"); } -+ { -+ DEBUG(D_tls) debug_printf("TLS: CA bundle for tpt was preloaded\n"); -+ setup_cert_verify(ctx, client_verify_optional, verify_callback_client); -+ } - else -- if ((rc = setup_certs(ctx, expcerts, ob->tls_crl, host, errstr)) != OK) -+ { -+ if ((rc = setup_certs(ctx, &v_certs, ob->tls_crl, host, errstr)) != OK) - return rc; -- -- if (expcerts && *expcerts) -- setup_cert_verify(ctx, client_verify_optional, verify_callback_client); -+ if (v_certs && *v_certs) -+ setup_cert_verify(ctx, client_verify_optional, verify_callback_client); -+ } - } - - if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK) - { - state->verify_cert_hostnames = - #ifdef SUPPORT_I18N - string_domain_utf8_to_alabel(host->certname, NULL); --- -2.35.1 - diff --git a/mail/exim/files/debian/75_50-Fix-logging-of-max-size-log-line.patch b/mail/exim/files/debian/75_50-Fix-logging-of-max-size-log-line.patch deleted file mode 100644 index f5dbd7a3d356..000000000000 --- a/mail/exim/files/debian/75_50-Fix-logging-of-max-size-log-line.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 1ed24e36e279c922d3366f6c3144570cc5f54d7a Mon Sep 17 00:00:00 2001 -From: Jeremy Harris -Date: Mon, 19 Dec 2022 21:09:17 +0000 -Subject: [PATCH] Fix logging of max-size log line - -Broken-by: d12746bc15d8 ---- - src/log.c | 7 ++++--- - test/confs/0633 | 21 ++++++++++++++++++++ - test/scripts/0000-Basic/0633 | 9 +++++++++ - test/stderr/0633 | 38 ++++++++++++++++++++++++++++++++++++ - test/stdout/0633 | 15 ++++++++++++++ - 6 files changed, 92 insertions(+), 3 deletions(-) - create mode 100644 test/confs/0633 - create mode 100644 test/scripts/0000-Basic/0633 - create mode 100644 test/stderr/0633 - create mode 100644 test/stdout/0633 - ---- a/src/log.c -+++ b/src/log.c -@@ -803,11 +803,11 @@ Returns: nothing - void - log_write(unsigned int selector, int flags, const char *format, ...) - { - int paniclogfd; - ssize_t written_len; --gstring gs = { .size = LOG_BUFFER_SIZE-1, .ptr = 0, .s = log_buffer }; -+gstring gs = { .size = LOG_BUFFER_SIZE-2, .ptr = 0, .s = log_buffer }; - gstring * g; - va_list ap; - - /* If panic_recurseflag is set, we have failed to open the panic log. This is - the ultimate disaster. First try to write the message to a debug file and/or -@@ -949,15 +949,14 @@ DEBUG(D_any|D_v) - g->ptr = i; - g = string_cat(g, US"**** log string overflowed log buffer ****"); - } - va_end(ap); - -- g->size = LOG_BUFFER_SIZE; - g = string_catn(g, US"\n", 1); - debug_printf("%s", string_from_gstring(g)); - -- gs.size = LOG_BUFFER_SIZE-1; /* Having used the buffer for debug output, */ -+ gs.size = LOG_BUFFER_SIZE-2; /* Having used the buffer for debug output, */ - gs.ptr = 0; /* reset it for the real use. */ - gs.s = log_buffer; - } - /* If no log file is specified, we are in a mess. */ - -@@ -1035,10 +1034,12 @@ if ( flags & LOG_RECIPIENTS - if (LOG_BUFFER_SIZE - g->ptr < Ustrlen(s) + 3) break; - g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " %s", s); - } - } - -+/* actual size, now we are placing the newline (and space for NUL) */ -+gs.size = LOG_BUFFER_SIZE; - g = string_catn(g, US"\n", 1); - string_from_gstring(g); - - /* Handle loggable errors when running a utility, or when address testing. - Write to log_stderr unless debugging (when it will already have been written), diff --git a/mail/exim/files/debian/75_55-Fix-recursion-on-dns_again_means_nonexist.-Bug-2911.patch b/mail/exim/files/debian/75_55-Fix-recursion-on-dns_again_means_nonexist.-Bug-2911.patch deleted file mode 100644 index 271ff90ab99a..000000000000 --- a/mail/exim/files/debian/75_55-Fix-recursion-on-dns_again_means_nonexist.-Bug-2911.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 1d38781da934809e6ce0b8c3718c4b3bccdfe1d2 Mon Sep 17 00:00:00 2001 -From: Jeremy Harris -Date: Wed, 28 Dec 2022 19:39:06 +0000 -Subject: [PATCH] Fix recursion on dns_again_means_nonexist. Bug 2911 - ---- - src/dns.c | 12 ++++++++ - test/confs/2202 | 18 +++++++++-- - test/scripts/2200-dnsdb/2202 | 8 +++++ - test/stderr/2202 | 58 +++++++++++++++++++++++++++++++++++- - test/stdout/2202 | 8 +++++ - 6 files changed, 108 insertions(+), 4 deletions(-) - ---- a/src/dns.c -+++ b/src/dns.c -@@ -799,10 +799,11 @@ int - dns_basic_lookup(dns_answer * dnsa, const uschar * name, int type) - { - int rc; - #ifndef STAND_ALONE - const uschar * save_domain; -+static BOOL try_again_recursion = FALSE; - #endif - - /* DNS lookup failures of any kind are cached in a tree. This is mainly so that - a timeout on one domain doesn't happen time and time again for messages that - have many addresses in the same domain. We rely on the resolver and name server -@@ -903,15 +904,26 @@ if (dnsa->answerlen < 0) switch (h_errno - DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave TRY_AGAIN\n", - name, dns_text_type(type)); - - /* Cut this out for various test programs */ - #ifndef STAND_ALONE -+ if (try_again_recursion) -+ { -+ log_write(0, LOG_MAIN|LOG_PANIC, -+ "dns_again_means_nonexist recursion seen for %s (assuming nonexist)", -+ name); -+ return dns_fail_return(name, type, dns_expire_from_soa(dnsa, type), DNS_NOMATCH); -+ } -+ -+ try_again_recursion = TRUE; - save_domain = deliver_domain; - deliver_domain = string_copy(name); /* set $domain */ - rc = match_isinlist(name, CUSS &dns_again_means_nonexist, 0, - &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL); - deliver_domain = save_domain; -+ try_again_recursion = FALSE; -+ - if (rc != OK) - { - DEBUG(D_dns) debug_printf("returning DNS_AGAIN\n"); - return dns_fail_return(name, type, 0, DNS_AGAIN); - } diff --git a/mail/exim/files/debian/75_58-Close-server-smtp-socket-explicitly-on-connect-ACL-d.patch b/mail/exim/files/debian/75_58-Close-server-smtp-socket-explicitly-on-connect-ACL-d.patch deleted file mode 100644 index ddf54fa02af2..000000000000 --- a/mail/exim/files/debian/75_58-Close-server-smtp-socket-explicitly-on-connect-ACL-d.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 57d70161718e02927a22d6a3481803b72035ac46 Mon Sep 17 00:00:00 2001 -From: Jeremy Harris -Date: Sat, 31 Dec 2022 13:37:17 +0000 -Subject: [PATCH] Close server smtp socket explicitly on connect ACL "drop" - ---- - src/smtp_in.c | 13 ++++++++ - test/confs/0022 | 2 ++ - test/log/0022 | 2 ++ - test/rejectlog/0022 | 3 ++ - test/scripts/0000-Basic/0022 | 13 ++++++++ - test/stderr/0022 | 60 ++++++++++++++++++------------------ - test/stdout/0022 | 6 ++++ - 7 files changed, 69 insertions(+), 30 deletions(-) - create mode 100644 test/rejectlog/0022 - -diff --git a/src/smtp_in.c b/src/smtp_in.c -index 1cfcc0404..6880e3c09 100644 ---- a/src/smtp_in.c -+++ b/src/smtp_in.c -@@ -3563,10 +3563,23 @@ log_write(L_smtp_connection, LOG_MAIN, "%s closed by DROP in ACL", - /* Run the not-quit ACL, but without any custom messages. This should not be a - problem, because we get here only if some other ACL has issued "drop", and - in that case, *its* custom messages will have been used above. */ - - smtp_notquit_exit(US"acl-drop", NULL, NULL); -+ -+/* An overenthusiastic fail2ban/iptables implimentation has been seen to result -+in the TCP conn staying open, and retrying, despite this process exiting. A -+malicious client could possibly do the same, tying up server netowrking -+resources. Close the socket explicitly to try to avoid that (there's a note in -+the Linux socket(7) manpage, SO_LINGER para, to the effect that exim() without -+close() results in the socket always lingering). */ -+ -+(void) poll_one_fd(fileno(smtp_in), POLLIN, 200); -+DEBUG(D_any) debug_printf_indent("SMTP(close)>>\n"); -+(void) fclose(smtp_in); -+(void) fclose(smtp_out); -+ - return 2; - } - - - -diff --git a/test/rejectlog/0022 b/test/rejectlog/0022 -new file mode 100644 -index 000000000..68e21fff3 --- -2.39.0 - diff --git a/mail/exim/files/debian/75_60-OpenSSL-fix-tls_eccurve-setting-explicit-curve-group.patch b/mail/exim/files/debian/75_60-OpenSSL-fix-tls_eccurve-setting-explicit-curve-group.patch deleted file mode 100644 index a34731a4a453..000000000000 --- a/mail/exim/files/debian/75_60-OpenSSL-fix-tls_eccurve-setting-explicit-curve-group.patch +++ /dev/null @@ -1,166 +0,0 @@ -From ca4014de81e6aa367aa0a54c49b4c3d4b137814c Mon Sep 17 00:00:00 2001 -From: Jeremy Harris -Date: Sun, 1 Jan 2023 12:18:38 +0000 -Subject: [PATCH] OpenSSL: fix tls_eccurve setting explicit curve/group. Bug - 2954 - ---- - src/tls-openssl.c | 39 ++++++++++++++---------- - test/confs/2148 | 54 ++++++++++++++++++++++++++++++++++ - test/confs/2149 | 39 +++++++++++++----------- - test/log/2148 | 48 ++++++++++++++++++++++++++++++ - test/log/2149 | 39 ++++++++++++------------ - test/paniclog/{2149 => 2148} | 0 - test/scripts/2100-OpenSSL/2148 | 50 +++++++++++++++++++++++++++++++ - test/scripts/2100-OpenSSL/2149 | 50 ++++++++++++++++--------------- - test/stderr/2148 | 5 ++++ - test/stderr/2149 | 3 -- - 11 files changed, 250 insertions(+), 81 deletions(-) - create mode 100644 test/confs/2148 - create mode 100644 test/log/2148 - rename test/paniclog/{2149 => 2148} (100%) - create mode 100644 test/scripts/2100-OpenSSL/2148 - create mode 100644 test/stderr/2148 - ---- a/src/tls-openssl.c -+++ b/src/tls-openssl.c -@@ -657,16 +657,16 @@ if (dh_bitsize <= tls_dh_max_bits) - /* EVP_PKEY_free(pkey); crashes */ - #endif - } - else - DEBUG(D_tls) -- debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n", -+ debug_printf(" Diffie-Hellman initialized from %s with %d-bit prime\n", - dhexpanded ? dhexpanded : US"default", dh_bitsize); - } - else - DEBUG(D_tls) -- debug_printf("dhparams '%s' %d bits, is > tls_dh_max_bits limit of %d\n", -+ debug_printf(" dhparams '%s' %d bits, is > tls_dh_max_bits limit of %d\n", - dhexpanded ? dhexpanded : US"default", dh_bitsize, tls_dh_max_bits); - - #if OPENSSL_VERSION_NUMBER < 0x30000000L - DH_free(dh); - #endif -@@ -712,23 +712,31 @@ init_ecdh(SSL_CTX * sctx, uschar ** errs - #ifdef OPENSSL_NO_ECDH - return TRUE; - #else - - uschar * exp_curve; --int nid; --BOOL rv; -+int nid, rc; - - # ifndef EXIM_HAVE_ECDH - DEBUG(D_tls) -- debug_printf("No OpenSSL API to define ECDH parameters, skipping\n"); -+ debug_printf(" No OpenSSL API to define ECDH parameters, skipping\n"); - return TRUE; - # else - - if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr)) - return FALSE; -+ -+/* Is the option deliberately empty? */ -+ - if (!exp_curve || !*exp_curve) -+ { -+#if OPENSSL_VERSION_NUMBER >= 0x10002000L -+ DEBUG(D_tls) debug_printf( " ECDH OpenSSL 1.0.2+: clearing curves list\n"); -+ (void) SSL_CTX_set1_curves(sctx, &nid, 0); -+#endif - return TRUE; -+ } - - /* "auto" needs to be handled carefully. - * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1 - * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto - * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO) -@@ -737,27 +745,26 @@ if (!exp_curve || !*exp_curve) - */ - if (Ustrcmp(exp_curve, "auto") == 0) - { - #if OPENSSL_VERSION_NUMBER < 0x10002000L - DEBUG(D_tls) debug_printf( -- "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n"); -+ " ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n"); - exp_curve = US"prime256v1"; - #else - # if defined SSL_CTRL_SET_ECDH_AUTO - DEBUG(D_tls) debug_printf( -- "ECDH OpenSSL 1.0.2+: temp key parameter settings: autoselection\n"); -+ " ECDH OpenSSL 1.0.2+: temp key parameter settings: autoselection\n"); - SSL_CTX_set_ecdh_auto(sctx, 1); - return TRUE; - # else - DEBUG(D_tls) debug_printf( -- "ECDH OpenSSL 1.1.0+: temp key parameter settings: default selection\n"); -+ " ECDH OpenSSL 1.1.0+: temp key parameter settings: library default selection\n"); - return TRUE; - # endif - #endif - } - --DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve); - if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef - # ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID - && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef - # endif - ) -@@ -777,27 +784,27 @@ if ( (nid = OBJ_sn2nid (CCS exp_c - } - - /* The "tmp" in the name here refers to setting a temporary key - not to the stability of the interface. */ - -- if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0)) -+ if ((rc = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0)) - tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), NULL, NULL, errstr); - else -- DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve); -+ DEBUG(D_tls) debug_printf(" ECDH: enabled '%s' curve\n", exp_curve); - EC_KEY_free(ecdh); - } - - #else /* v 3.0.0 + */ - --if ((rv = SSL_CTX_set1_groups(sctx, &nid, 1)) == 0) -+if ((rc = SSL_CTX_set1_groups(sctx, &nid, 1)) == 0) - tls_error(string_sprintf("Error enabling '%s' group", exp_curve), NULL, NULL, errstr); - else -- DEBUG(D_tls) debug_printf("ECDH: enabled '%s' group\n", exp_curve); -+ DEBUG(D_tls) debug_printf(" ECDH: enabled '%s' group\n", exp_curve); - - #endif - --return !rv; -+return !!rc; - - # endif /*EXIM_HAVE_ECDH*/ - #endif /*OPENSSL_NO_ECDH*/ - } - -@@ -1719,19 +1726,19 @@ state_server.lib_state.lib_ctx = ctx; - - /* Preload DH params and EC curve */ - - if (opt_unset_or_noexpand(tls_dhparam)) - { -- DEBUG(D_tls) debug_printf("TLS: preloading DH params for server\n"); -+ DEBUG(D_tls) debug_printf("TLS: preloading DH params '%s' for server\n", tls_dhparam); - if (init_dh(ctx, tls_dhparam, &dummy_errstr)) - state_server.lib_state.dh = TRUE; - } - else - DEBUG(D_tls) debug_printf("TLS: not preloading DH params for server\n"); - if (opt_unset_or_noexpand(tls_eccurve)) - { -- DEBUG(D_tls) debug_printf("TLS: preloading ECDH curve for server\n"); -+ DEBUG(D_tls) debug_printf("TLS: preloading ECDH curve '%s' for server\n", tls_eccurve); - if (init_ecdh(ctx, &dummy_errstr)) - state_server.lib_state.ecdh = TRUE; - } - else - DEBUG(D_tls) debug_printf("TLS: not preloading ECDH curve for server\n"); diff --git a/mail/exim/files/debian/75_62-OpenSSL-Fix-tls_eccurve-on-earlier-versions-than-3.0.patch b/mail/exim/files/debian/75_62-OpenSSL-Fix-tls_eccurve-on-earlier-versions-than-3.0.patch deleted file mode 100644 index e346df17abdb..000000000000 --- a/mail/exim/files/debian/75_62-OpenSSL-Fix-tls_eccurve-on-earlier-versions-than-3.0.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 7fa5764c203f2f4a900898a79ed02d674075313f Mon Sep 17 00:00:00 2001 -From: Jeremy Harris -Date: Mon, 2 Jan 2023 15:04:14 +0000 -Subject: [PATCH 1/3] OpenSSL: Fix tls_eccurve on earlier versions than 3.0.0. - Bug 2954 - -Broken-by: ca4014de81e6 ---- - src/tls-openssl.c | 7 ++++--- - test/log/2149 | 28 ++++++++++++++-------------- - test/runtest | 3 +++ - test/scripts/2100-OpenSSL/2149 | 22 ++++++++++++---------- - 4 files changed, 33 insertions(+), 27 deletions(-) - -diff --git a/src/tls-openssl.c b/src/tls-openssl.c -index 4d0f99ea9..e063d29bd 100644 ---- a/src/tls-openssl.c -+++ b/src/tls-openssl.c -@@ -786,8 +786,9 @@ if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef - # endif - ) - { -- tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve), -- NULL, NULL, errstr); -+ uschar * s = string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve); -+ DEBUG(D_tls) debug_printf("TLS error '%s'\n", s); -+ if (errstr) *errstr = s; - return FALSE; - } - -@@ -803,7 +804,7 @@ if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef - /* The "tmp" in the name here refers to setting a temporary key - not to the stability of the interface. */ - -- if ((rc = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0)) -+ if ((rc = SSL_CTX_set_tmp_ecdh(sctx, ecdh)) == 0) - tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), NULL, NULL, errstr); - else - DEBUG(D_tls) debug_printf(" ECDH: enabled '%s' curve\n", exp_curve); --- -2.39.0 - diff --git a/mail/exim/files/debian/75_63-OpenSSL-log-conns-rejected-for-bad-ALPN-with-the-off.patch b/mail/exim/files/debian/75_63-OpenSSL-log-conns-rejected-for-bad-ALPN-with-the-off.patch deleted file mode 100644 index 15b1b8a8ff8d..000000000000 --- a/mail/exim/files/debian/75_63-OpenSSL-log-conns-rejected-for-bad-ALPN-with-the-off.patch +++ /dev/null @@ -1,99 +0,0 @@ -From e1aca33756f73c22b00a98d40ce2be8ed94464b1 Mon Sep 17 00:00:00 2001 -From: Jeremy Harris -Date: Thu, 5 Jan 2023 13:03:37 +0000 -Subject: [PATCH 2/3] OpenSSL: log conns rejected for bad ALPN, with the - offered value - -Unfortunately, no way to do this under GnuTLS ---- - src/match.c | 1 + - src/tls-gnu.c | 9 ++++++++- - src/tls-openssl.c | 13 +++++++++++-- - test/log/1190 | 2 ++ - test/runtest | 3 +++ - 5 files changed, 25 insertions(+), 3 deletions(-) - -diff --git a/src/match.c b/src/match.c -index 91a49c0f0..07070362d 100644 ---- a/src/match.c -+++ b/src/match.c -@@ -968,6 +968,7 @@ Arguments: - s string to search for - listptr ptr to ptr to colon separated list of patterns, or NULL - sep a separator value for the list (see string_nextinlist()) -+ or zero for auto - anchorptr ptr to tree for named items, or NULL if no named items - cache_bits ptr to cache_bits for ditto, or NULL if not caching - type MCL_DOMAIN when matching a domain list -diff --git a/src/tls-gnu.c b/src/tls-gnu.c -index 729fb5879..b47fabf1d 100644 ---- a/src/tls-gnu.c -+++ b/src/tls-gnu.c -@@ -1119,21 +1119,28 @@ switch (tls_id) - /* The format of "data" here doesn't seem to be documented, but appears - to be a 2-byte field with a (redundant, given the "size" arg) total length - then a sequence of one-byte size then string (not nul-term) names. The -- latter is as described in OpenSSL documentation. */ -+ latter is as described in OpenSSL documentation. -+ Note that we do not get called for a match_fail, making it hard to log -+ a single bad ALPN being offered (the common case). */ -+ { -+ gstring * g = NULL; - - DEBUG(D_tls) debug_printf("Seen ALPN extension from client (s=%u):", size); - for (const uschar * s = data+2; s-data < size-1; s += *s + 1) - { - server_seen_alpn++; -+ g = string_append_listele_n(g, ':', s+1, *s); - DEBUG(D_tls) debug_printf(" '%.*s'", (int)*s, s+1); - } - DEBUG(D_tls) debug_printf("\n"); - if (server_seen_alpn > 1) - { -+ log_write(0, LOG_MAIN, "TLS ALPN (%s) rejected", string_from_gstring(g)); - DEBUG(D_tls) debug_printf("TLS: too many ALPNs presented in handshake\n"); - return GNUTLS_E_NO_APPLICATION_PROTOCOL; - } - break; -+ } - #endif - } - return 0; -diff --git a/src/tls-openssl.c b/src/tls-openssl.c -index e063d29bd..513ba0d3a 100644 ---- a/src/tls-openssl.c -+++ b/src/tls-openssl.c -@@ -2324,6 +2324,8 @@ static int - tls_server_alpn_cb(SSL *ssl, const uschar ** out, uschar * outlen, - const uschar * in, unsigned int inlen, void * arg) - { -+gstring * g = NULL; -+ - server_seen_alpn = TRUE; - DEBUG(D_tls) - { -@@ -2354,12 +2356,19 @@ if ( inlen > 1 /* at least one name */ - } - } - --/* More than one name from clilent, or name did not match our list. */ -+/* More than one name from client, or name did not match our list. */ - - /* This will be fatal to the TLS conn; would be nice to kill TCP also. - Maybe as an option in future; for now leave control to the config (must-tls). */ - --DEBUG(D_tls) debug_printf("TLS ALPN rejected\n"); -+for (int pos = 0, siz; pos < inlen; pos += siz+1) -+ { -+ siz = in[pos]; -+ if (pos + 1 + siz > inlen) siz = inlen - pos - 1; -+ g = string_append_listele_n(g, ':', in + pos + 1, siz); -+ } -+log_write(0, LOG_MAIN, "TLS ALPN (%s) rejected", string_from_gstring(g)); -+gstring_release_unused(g); - return SSL_TLSEXT_ERR_ALERT_FATAL; - } - #endif /* EXIM_HAVE_ALPN */ --- -2.39.0 - diff --git a/mail/exim/files/debian/75_64-DANE-do-not-check-dns_again_means_nonexist-for-TLSA-.patch b/mail/exim/files/debian/75_64-DANE-do-not-check-dns_again_means_nonexist-for-TLSA-.patch deleted file mode 100644 index 5d990eddfca6..000000000000 --- a/mail/exim/files/debian/75_64-DANE-do-not-check-dns_again_means_nonexist-for-TLSA-.patch +++ /dev/null @@ -1,78 +0,0 @@ -From 30520c8f87fcf660ed99a2344cae7f9787f7bc89 Mon Sep 17 00:00:00 2001 -From: Jeremy Harris -Date: Thu, 5 Jan 2023 18:39:51 +0000 -Subject: [PATCH 3/3] DANE: do not check dns_again_means_nonexist for TLSA - results of TRY_AGAIN - ---- - src/dns.c | 35 ++++++++++++++++++++++------------- - doc/doc-docbook/spec.xfpt | 7 ++++++- - 3 files changed, 32 insertions(+), 14 deletions(-) - ---- a/src/dns.c -+++ b/src/dns.c -@@ -904,25 +904,34 @@ if (dnsa->answerlen < 0) switch (h_errno - DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave TRY_AGAIN\n", - name, dns_text_type(type)); - - /* Cut this out for various test programs */ - #ifndef STAND_ALONE -- if (try_again_recursion) -+ /* Permitting dns_again_means nonexist for TLSA lookups breaks the -+ doewngrade resistance of dane, so avoid for those. */ -+ -+ if (type == T_TLSA) -+ rc = FAIL; -+ else - { -- log_write(0, LOG_MAIN|LOG_PANIC, -- "dns_again_means_nonexist recursion seen for %s (assuming nonexist)", -- name); -- return dns_fail_return(name, type, dns_expire_from_soa(dnsa, type), DNS_NOMATCH); -- } -+ if (try_again_recursion) -+ { -+ log_write(0, LOG_MAIN|LOG_PANIC, -+ "dns_again_means_nonexist recursion seen for %s" -+ " (assuming nonexist)", name); -+ return dns_fail_return(name, type, dns_expire_from_soa(dnsa, type), -+ DNS_NOMATCH); -+ } - -- try_again_recursion = TRUE; -- save_domain = deliver_domain; -- deliver_domain = string_copy(name); /* set $domain */ -- rc = match_isinlist(name, CUSS &dns_again_means_nonexist, 0, -- &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL); -- deliver_domain = save_domain; -- try_again_recursion = FALSE; -+ try_again_recursion = TRUE; -+ save_domain = deliver_domain; -+ deliver_domain = string_copy(name); /* set $domain */ -+ rc = match_isinlist(name, CUSS &dns_again_means_nonexist, 0, -+ &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL); -+ deliver_domain = save_domain; -+ try_again_recursion = FALSE; -+ } - - if (rc != OK) - { - DEBUG(D_dns) debug_printf("returning DNS_AGAIN\n"); - return dns_fail_return(name, type, 0, DNS_AGAIN); ---- a/doc/spec.txt -+++ b/doc/spec.txt -@@ -14246,11 +14246,13 @@ dns_again_means_nonexist, it is treated - should be used with care. You can make it apply to reverse lookups by a setting - such as this: - - dns_again_means_nonexist = *.in-addr.arpa - --This option applies to all DNS lookups that Exim does. It also applies when the -+This option applies to all DNS lookups that Exim does, except for TLSA lookups -+(where knowing about such failures +is security-relevant). It also applies -+when the - gethostbyname() or getipnodebyname() functions give temporary errors, since - these are most likely to be caused by DNS lookup problems. The dnslookup router - has some options of its own for controlling what happens when lookups for MX or - SRV records give temporary errors. These more specific options are applied - after this global option. diff --git a/mail/exim/files/debian/75_66-Fix-crash-in-expansions.patch b/mail/exim/files/debian/75_66-Fix-crash-in-expansions.patch deleted file mode 100644 index d65891fd9dbe..000000000000 --- a/mail/exim/files/debian/75_66-Fix-crash-in-expansions.patch +++ /dev/null @@ -1,66 +0,0 @@ -From 70069b65a39a7ba73a36fbd95371ff03cde1eb23 Mon Sep 17 00:00:00 2001 -From: Jeremy Harris -Date: Thu, 2 Feb 2023 20:00:35 +0000 -Subject: [PATCH] Fix crash in expansions - -Broken-by: 1058096b8c53 ---- - src/expand.c | 9 +++++---- - test/stderr/0630 | 1 + - 3 files changed, 10 insertions(+), 4 deletions(-) - ---- a/src/expand.c -+++ b/src/expand.c -@@ -4652,11 +4652,11 @@ while (*s) - yield = string_catn(yield, value, len); - - continue; - } - -- if (isdigit(*s)) -+ if (isdigit(*s)) /* A $ variable */ - { - int n; - s = read_cnumber(&n, s); - if (n >= 0 && n <= expand_nmax) - yield = string_catn(yield, expand_nstring[n], expand_nlength[n]); -@@ -7060,10 +7060,11 @@ NOT_ITEM: ; - if (arg) *arg++ = '_'; /* Put back for error messages */ - } - - /* Deal specially with operators that might take a certificate variable - as we do not want to do the usual expansion. For most, expand the string.*/ -+ - switch(c) - { - #ifndef DISABLE_TLS - case EOP_MD5: - case EOP_SHA1: -@@ -7107,11 +7108,11 @@ NOT_ITEM: ; - - /* Otherwise, switch on the operator type. After handling go back - to the main loop top. */ - - { -- int start = yield->ptr; -+ unsigned expansion_start = gstring_length(yield); - switch(c) - { - case EOP_BASE32: - { - uschar *t; -@@ -8168,12 +8169,12 @@ NOT_ITEM: ; - goto EXPAND_FAILED; - } /* EOP_* switch */ - - DEBUG(D_expand) - { -- const uschar * s = yield->s + start; -- int i = yield->ptr - start; -+ const uschar * s = yield->s + expansion_start; -+ int i = gstring_length(yield) - expansion_start; - BOOL tainted = is_tainted(s); - - DEBUG(D_noutf8) - { - debug_printf_indent("|-----op-res: %.*s\n", i, s); diff --git a/mail/exim/files/patch-src_tls-openssl.c b/mail/exim/files/patch-src_tls-openssl.c new file mode 100644 index 000000000000..9306c0a193a0 --- /dev/null +++ b/mail/exim/files/patch-src_tls-openssl.c @@ -0,0 +1,11 @@ +--- src/tls-openssl.c.orig 2023-11-07 21:07:29.239948000 +0100 ++++ src/tls-openssl.c 2023-11-07 21:08:03.517118000 +0100 +@@ -2605,7 +2605,7 @@ + asking for certificate-status under DANE, so this callback won't run for + that combination. It still will for non-DANE. */ + +-#ifdef EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_SIGNER ++#if defined(EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_SIGNER) && defined(SUPPORT_DANE) + X509 * signer; + + if ( tls_out.dane_verified diff --git a/mail/exim/pkg-plist b/mail/exim/pkg-plist index b56151e3aa82..8ca5e7f4633a 100644 --- a/mail/exim/pkg-plist +++ b/mail/exim/pkg-plist @@ -1,44 +1,46 @@ %%SUID%%@mode 4755 %%EXIM%%sbin/exim %%SUID%%@mode %%EXIM%%sbin/exim_checkaccess %%EXIM%%sbin/exim_dbmbuild %%EXIM%%sbin/exim_dumpdb %%EXIM%%sbin/exim_fixdb +%%EXIM%%sbin/exim_id_update %%EXIM%%sbin/exim_lock +%%EXIM%%sbin/exim_msgdate %%EXIM%%sbin/exim_tidydb %%EXIM%%sbin/exicyclog %%EXIM%%sbin/exigrep %%EXIM%%sbin/eximstats %%EXIM%%sbin/exinext %%EXIM%%sbin/exipick %%EXIM%%sbin/exiqgrep %%EXIM%%sbin/exiqsumm %%EXIM%%sbin/exiwhat %%EXIM%%man/man8/exim.8.gz %%EXIMON%%sbin/eximon %%EXIMON%%sbin/eximon.bin %%EXIM%%%%PORTDOCS%%%%DOCSDIR%%/ACKNOWLEDGMENTS %%EXIM%%%%PORTDOCS%%%%DOCSDIR%%/NOTICE %%EXIM%%%%PORTDOCS%%%%DOCSDIR%%/README.UPDATING %%EXIM%%%%PORTDOCS%%%%DOCSDIR%%/ChangeLog %%EXIM%%%%PORTDOCS%%%%DOCSDIR%%/Exim3.upgrade %%EXIM%%%%PORTDOCS%%%%DOCSDIR%%/Exim4.upgrade %%EXIM%%%%PORTDOCS%%%%DOCSDIR%%/NewStuff %%EXIM%%%%PORTDOCS%%%%DOCSDIR%%/OptionLists.txt %%EXIM%%%%PORTDOCS%%%%DOCSDIR%%/POST-INSTALL-NOTES %%EXIM%%%%PORTDOCS%%%%DOCSDIR%%/POST-INSTALL-NOTES.clamd %%EXIM%%%%PORTDOCS%%%%DOCSDIR%%/README %%EXIM%%%%PORTDOCS%%%%DOCSDIR%%/README.SIEVE %%EXIM%%%%PORTDOCS%%%%DOCSDIR%%/dbm.discuss.txt %%EXIM%%%%PORTDOCS%%%%DOCSDIR%%/experimental-spec.txt %%EXIM%%%%PORTDOCS%%%%DOCSDIR%%/filter.txt %%EXIM%%%%PORTDOCS%%%%DOCSDIR%%/spec.txt %%EXIM%%%%PORTDOCS%%%%EXAMPLESDIR%%/convert4r3 %%EXIM%%%%PORTDOCS%%%%EXAMPLESDIR%%/convert4r4 %%EXIM%%%%PORTDOCS%%%%EXAMPLESDIR%%/transport-filter.pl %%EXIMDAEMON%%etc/periodic/daily/150.exim-tidydb %%EXIMDAEMON%%etc/periodic/daily/460.exim-mail-rejects @sample %%ETCDIR%%/configure.sample %%SA_EXIM%%@sample %%ETCDIR%%/sa-exim.conf.sample %%EXIM%%@dir(%%EXIM_USER%%,%%EXIM_GROUP%%,) /%%LOGDIR%%