diff --git a/mail/exim/Makefile b/mail/exim/Makefile
index 98565c95aa5a..358845ea8316 100644
--- a/mail/exim/Makefile
+++ b/mail/exim/Makefile
@@ -1,670 +1,670 @@ PORTNAME= exim PORTVERSION?= ${EXIM_VERSION} -PORTREVISION?= 1 +PORTREVISION?= 0 CATEGORIES= mail MASTER_SITES= EXIM:exim MASTER_SITE_SUBDIR= /exim4/:exim \ /exim4/fixes/:exim \ /exim4/old/:exim DISTNAME= ${PORTNAME}-${EXIM_VERSION} DISTFILES= ${DISTNAME}${EXTRACT_SUFX}:exim DIST_SUBDIR= exim EXTRACT_ONLY= ${DISTNAME}${EXTRACT_SUFX} MAINTAINER= fluffy@FreeBSD.org COMMENT?= High performance MTA for Unix systems on the Internet WWW= https://www.exim.org/ LICENSE= GPLv2 USES= compiler cpe tar:bzip2 perl5 USE_CSTD= c99 USE_PERL5= run # Exim build system is job unsafe atm MAKE_JOBS_UNSAFE= yes # One can tune the following "hidden" knobs: # - EXIM_USER: user exim is running as; # - EXIM_GROUP: ditto for the group; # - LOGDIR: where Exim logs will be put; # - LOG_FILE_PATH: path where '%s' will be substituted with # the target name (main, reject, etc); # - CONFIG_FILE_PATH: path to the default configuration file; # - ALT_CONFIG_PREFIX: path to the default prefix for all # configuration files, excluding the main one; # will be effective only when WITH_ALT_CONFIG_PREFIX # will be set via OPTIONS. 
.if make(makesum) && !defined(FETCH_ALL) .error "You forgot to define FETCH_ALL to create the sane distinfo" .endif .include "options" OPTIONS_SUB= yes AUTH_SASL_LIB_DEPENDS= libsasl2.so:security/cyrus-sasl2 BDB_USES= bdb DMARC_LIB_DEPENDS= libopendmarc.so:mail/opendmarc EMBEDDED_PERL_USE= perl5=run,build EXIMON_USES= xorg EXIMON_USE= xorg=x11,xaw,xext,xmu,xt GNUTLS_LIB_DEPENDS= libgnutls.so:security/gnutls ICONV_USES= iconv:lib,build INTERNATIONAL_LIB_DEPENDS= libidn.so:dns/libidn LMDB_LIB_DEPENDS= liblmdb.so:databases/lmdb MYSQL_USES= mysql OPENLDAP_USES= ldap PGSQL_LIB_DEPENDS= libicudata.so:devel/icu PGSQL_USES= pgsql pkgconfig REDIS_LIB_DEPENDS= libhiredis.so:databases/hiredis SASLAUTHD_RUN_DEPENDS= ${LOCALBASE}/sbin/saslauthd:security/cyrus-sasl2-saslauthd SA_EXIM_RUN_DEPENDS= ${LOCALBASE}/bin/spamc:mail/spamassassin SPF_LIB_DEPENDS= libspf2.so:mail/libspf2 SQLITE_LIB_DEPENDS= libicudata.so:devel/icu SQLITE_USES= pkgconfig sqlite DEBIAN_PATCHES_PREFIX= ${FILESDIR}/debian/75 EXTRA_PATCHES= \ ${DEBIAN_PATCHES_PREFIX}_01-Fix-exit-on-attempt-to-rewrite-a-malformed-address.-.patch:-p1 \ ${DEBIAN_PATCHES_PREFIX}_05-SPF-fix-memory-accounting-for-error-case.patch:-p1 \ ${DEBIAN_PATCHES_PREFIX}_08-Fix-regex-n-use-after-free.-Bug-2915.patch:-p1 \ ${DEBIAN_PATCHES_PREFIX}_09-Fix-non-WITH_CONTENT_SCAN-build.patch:-p1 \ ${DEBIAN_PATCHES_PREFIX}_10-Fix-non-WITH_CONTENT_SCAN-build-2.patch:-p1 \ ${DEBIAN_PATCHES_PREFIX}_11-Fix-non-WITH_CONTENT_SCAN-build-3.patch:-p1 \ ${DEBIAN_PATCHES_PREFIX}_16-GnuTLS-fix-for-clients-offering-no-TLS-extensions.patch:-p1 \ ${DEBIAN_PATCHES_PREFIX}_18-Fix-Build-with-libopendmarc-1.4.x-fixes-2728.patch:-p1 \ ${DEBIAN_PATCHES_PREFIX}_19-DMARC-fix-use-after-free-in-dmarc_dns_lookup.patch:-p1 \ ${DEBIAN_PATCHES_PREFIX}_22-Fix-daemon-startup.-Bug-2930.patch:-p1 \ ${DEBIAN_PATCHES_PREFIX}_23-Fix-reccipients-after-run.-.-Bug-2929.patch:-p1 \ ${DEBIAN_PATCHES_PREFIX}_31-Fix-regext-substring-capture-variables-for-null-matc.patch:-p1 \ 
${DEBIAN_PATCHES_PREFIX}_32-Fix-regex-substring-capture-variables-for-null-match.patch:-p1 \ ${DEBIAN_PATCHES_PREFIX}_34-Fix-regex-substring-capture-commentary.-Bug-2933.patch:-p1 \ ${DEBIAN_PATCHES_PREFIX}_37-OpenSSL-when-preloading-creds-do-the-server-certs-be.patch:-p1 \ ${DEBIAN_PATCHES_PREFIX}_38-OpenSSL-fix-double-expansion-of-tls_verify_certifica.patch:-p1 \ ${DEBIAN_PATCHES_PREFIX}_50-Fix-logging-of-max-size-log-line.patch:-p1 \ ${DEBIAN_PATCHES_PREFIX}_55-Fix-recursion-on-dns_again_means_nonexist.-Bug-2911.patch:-p1 \ ${DEBIAN_PATCHES_PREFIX}_58-Close-server-smtp-socket-explicitly-on-connect-ACL-d.patch:-p1 \ ${DEBIAN_PATCHES_PREFIX}_60-OpenSSL-fix-tls_eccurve-setting-explicit-curve-group.patch:-p1 \ ${DEBIAN_PATCHES_PREFIX}_62-OpenSSL-Fix-tls_eccurve-on-earlier-versions-than-3.0.patch:-p1 \ ${DEBIAN_PATCHES_PREFIX}_63-OpenSSL-log-conns-rejected-for-bad-ALPN-with-the-off.patch:-p1 \ ${DEBIAN_PATCHES_PREFIX}_64-DANE-do-not-check-dns_again_means_nonexist-for-TLSA-.patch:-p1 \ ${DEBIAN_PATCHES_PREFIX}_66-Fix-crash-in-expansions.patch:-p1 .include # OCSP is supported for openssl only .if ${PORT_OPTIONS:MOCSP} .if ! ${PORT_OPTIONS:MTLS} IGNORE= you cannot enable OCSP stapling without TLS support .elif ${PORT_OPTIONS:MGNUTLS} IGNORE= you cannot enable OCSP stapling with gnutls .endif .endif # DMARC implies SPF and DKIM .if ${PORT_OPTIONS:MDMARC} .if ! ${PORT_OPTIONS:MSPF} || ! ${PORT_OPTIONS:MDKIM} IGNORE= you cannot enable DMARC without SPF and DKIM support .endif .endif # ARC implies SPF and DKIM .if ${PORT_OPTIONS:MARC} .if ! ${PORT_OPTIONS:MSPF} || ! ${PORT_OPTIONS:MDKIM} IGNORE= you cannot enable ARC without SPF and DKIM support .endif .endif # DANE implies DNSSEC .if ${PORT_OPTIONS:MDANE} .if ! ${PORT_OPTIONS:MDNSSEC} || ! 
${PORT_OPTIONS:MTLS} IGNORE= you cannot enable DANE without DNSSEC support or without TLS support .endif .endif .if ${PORT_OPTIONS:MSA_EXIM} || defined(FETCH_ALL) MASTER_SITES+= http://marc.merlins.org/linux/exim/files/:sa_exim \ SF/sa-exim/sa-exim/${SA_EXIM_VERSION}:sa_exim DISTFILES+= sa-exim-${SA_EXIM_VERSION}.tar.gz:sa_exim EXTRA_PATCHES+= ${FILESDIR}/extra-patch-Local-sa-exim.c EXTRA_PATCHES+= ${FILESDIR}/extra-patch-Local-sa-exim.conf .endif -EXIM_VERSION= 4.96 +EXIM_VERSION= 4.96.1 SA_EXIM_VERSION=4.2.1 EXIM_INSTALL_ARG+= "-no_chown" "-no_symlink" EXTRA_PATCHES+= `${FIND} ${PATCHDIR} -name '74_*.patch'|${SORT} -h` .if !defined(EXIMON_ONLY) PLIST_SUB+= EXIM="" .if defined(PKGNAMESUFFIX) CONFLICTS+= ${PKGNAMEPREFIX}${PORTNAME}-4.* .endif .for suffix in -ldap2 -mysql -postgresql -sa-exim -sqlite .if !defined(PKGNAMESUFFIX) || ${PKGNAMESUFFIX} != ${suffix} CONFLICTS+= ${PKGNAMEPREFIX}${PORTNAME}${suffix}-4.* .endif .endfor .if ${PORT_OPTIONS:MEXIMON} CONFLICTS+= ${PKGNAMEPREFIX}${PORTNAME}-monitor-4.* .endif PKGMESSAGE= ${WRKDIR}/POST-INSTALL-NOTES .else # !EXIMON_ONLY PLIST_SUB+= EXIM="@comment " PORT_OPTIONS+= EXIMON PKGMESSAGE= ${WRKDIR}/pkg-message EXIM_INSTALL_ARG+= "eximon" "eximon.bin" .endif # !EXIMON_ONLY PORTDOC_BASE= ACKNOWLEDGMENTS NOTICE README.UPDATING PORTDOC_FILES= ChangeLog Exim3.upgrade Exim4.upgrade NewStuff \ OptionLists.txt README README.SIEVE dbm.discuss.txt \ experimental-spec.txt filter.txt spec.txt PORT_EXAMPLES= convert4r3 convert4r4 transport-filter.pl DAILY_SCRIPTS= 150.exim-tidydb 460.exim-mail-rejects MAKE_ENV+= OSTYPE="${OPSYS}" ARCHTYPE="${ARCH}" DUMMY_LDFLAGS="${DUMMY_LDFLAGS}" STRIP_COMMAND="${STRIP_CMD}" EXIM_USER?= mailnull EXIM_GROUP?= mail # Default user/group are system ones, so we don't want to check them .if ${EXIM_USER} != "mailnull" USERS= ${EXIM_USER} .endif .if ${EXIM_GROUP} != "mail" GROUPS= ${EXIM_GROUP} .endif LOGDIR?= /var/log/exim LOG_FILE_PATH?= ${LOGDIR}/%slog CONFIG_FILE_PATH?= ${PREFIX}/etc/exim/configure 
ALT_CONFIG_PREFIX?= ${PREFIX}/etc/exim/ EXIM_DYNAMIC_LDFLAGS= -fPIC -rdynamic -Wl,--export-dynamic SED_SCRIPT= -e 's,%%PREFIX%%,${PREFIX},g' \ -e 's,%%DOCSDIR%%,${DOCSDIR},g' \ -e 's,%%EXAMPLESDIR%%,${EXAMPLESDIR},g' \ -e 's,%%EXIM_USER%%,${EXIM_USER},g' \ -e 's,%%EXIM_GROUP%%,${EXIM_GROUP},g' \ -e 's,%%LOGDIR%%,${LOGDIR},g' SEDLIST+= -e 's,XX_CFLAGS_XX,${CFLAGS:S/,/\\,/g},' \ -e 's,XX_PREFIX_XX,${PREFIX:S/,/\\,/g},' \ -e 's,XX_LOCALBASE_XX,${LOCALBASE:S/,/\\,/g},' \ -e 's,XX_LOG_FILE_PATH_XX,${LOG_FILE_PATH:S/,/\\,/g},' \ -e 's,XX_CONFIG_FILE_PATH_XX,${CONFIG_FILE_PATH:S/,/\\,/g},' \ -e 's,XX_ALT_CONFIG_PREFIX_XX,${ALT_CONFIG_PREFIX:S/,/\\,/g},' \ -e 's,XX_EXIM_USER_XX,${EXIM_USER:S/,/\\,/g},' \ -e 's,XX_EXIM_GROUP_XX,${EXIM_GROUP:S/,/\\,/g},' \ -e 's,XX_DEFAULT_CHARSET_XX,${WITH_DEFAULT_CHARSET:S/,/\\,/g},' \ -e 's,XX_DYNAMIC_LDFLAGS_XX,${EXIM_DYNAMIC_LDFLAGS:S/,/\\,/g},' PLIST_SUB+= EXIM_VERSION="${EXIM_VERSION}-${PORTREVISION}" \ EXIM_USER=${EXIM_USER} \ EXIM_GROUP=${EXIM_GROUP} \ LOGDIR="${LOGDIR:S/^\///}" # Exim refuses to run local deliveries as root by default. You can # add other users to this colon-separated list that cannot be # overridden at runtime below, but are advised not to remove "root". #WITH_FIXED_NEVER_USERS= root:daemon:bin # When Exim is decoding MIME "words" in header lines it converts any foreign # character sets to the one that is set in the headers_charset option. # The default setting is defined by this setting: WITH_DEFAULT_CHARSET?= ISO-8859-1 # You should not need to fiddle with anything below this point. LIB_DEPENDS+= libpcre2-posix.so:devel/pcre2 .if ! 
${PORT_OPTIONS:MDKIM} SEDLIST+= -e 's,^\# (DISABLE_DKIM=),\1,' .endif .if ${PORT_OPTIONS:MLISTMATCH_RHS} SEDLIST+= -e 's,^\# (EXPAND_LISTMATCH_RHS=),\1,' .endif .if ${PORT_OPTIONS:MDCC} SEDLIST+= -e 's,^\# (EXPERIMENTAL_DCC=),\1,' .endif .if ${PORT_OPTIONS:MPROXY} SEDLIST+= -e 's,^\# (SUPPORT_PROXY=),\1,' .endif .if ${PORT_OPTIONS:MCERTNAMES} SEDLIST+= -e 's,^\# (EXPERIMENTAL_CERTNAMES=),\1,' .endif .if ${PORT_OPTIONS:MDSN} SEDLIST+= -e 's,^\# (EXPERIMENTAL_DSN=),\1,' .endif .if !${PORT_OPTIONS:MDANE} SEDLIST+= -e 's,^(SUPPORT_DANE=),\#\1,' .endif .if ${PORT_OPTIONS:MARC} SEDLIST+= -e 's,^\# (EXPERIMENTAL_ARC=),\1,' .endif .if !${PORT_OPTIONS:MEVENT} SEDLIST+= -e 's,^\# (DISABLE_EVENT=),\1,' .endif .if ${PORT_OPTIONS:MINTERNATIONAL} SEDLIST+= -e 's,^\# (SUPPORT_I18N=),\1,' \ -e 's,XX_IDN_LIBS_XX,-L${LOCALBASE}/lib -lidn,' .else SEDLIST+= -e 's,XX_IDN_LIBS_XX,,' .endif .if ${PORT_OPTIONS:MSOCKS} SEDLIST+= -e 's,^\# (SUPPORT_SOCKS=),\1,' .endif .if !${PORT_OPTIONS:MPRDR} SEDLIST+= -e 's,^\# (DISABLE_PRDR=),\1,' .endif .if !${PORT_OPTIONS:MOCSP} SEDLIST+= -e 's,^\# (DISABLE_OCSP=),\1,' .endif .if !${PORT_OPTIONS:MDNSSEC} SEDLIST+= -e 's,^\# (DISABLE_DNSSEC=),\1,' .endif .if ${PORT_OPTIONS:MDMARC} SEDLIST+= -e 's,XX_DMARC_LIBS_XX,-L${LOCALBASE}/lib -lopendmarc,' \ -e 's,^\# (SUPPORT_DMARC=),\1,' .else SEDLIST+= -e 's,XX_DMARC_LIBS_XX,,' .endif .if ${PORT_OPTIONS:MWISHLIST} EXTRA_PATCHES+= `${FIND} ${PATCHDIR} -name 'wishlist-*.patch'` .endif .if ${PORT_OPTIONS:MFIXED_NEVER_USERS} SEDLIST+= -e 's,^(FIXED_NEVER_USERS=).*,\1${WITH_FIXED_NEVER_USERS:S/,/\\,/g},' .endif .if ${PORT_OPTIONS:MEXIMON} SEDLIST+= -e 's,^\# (EXIM_MONITOR=),\1,' .endif .if ${PORT_OPTIONS:MTLS} .if ! 
${PORT_OPTIONS:MGNUTLS} USES+= ssl SEDLIST+= -e 's,^\# (USE_OPENSSL=),\1,' SEDLIST+= -e 's,^\# (TLS_LIBS=.*-lssl[[:space:]]),\1,' BROKEN_SSL= openssl31 BROKEN_SSL_REASON= error: token is not a valid binary operator in a preprocessor subexpression .else SEDLIST+= -e 's,^\# (USE_GNUTLS=),\1,' SEDLIST+= -e 's,^\# (TLS_LIBS=.*-lgnutls[[:space:]]),\1,' .endif .else # TLS support SEDLIST+= -e 's,^\# (DISABLE_TLS=),\1,' .endif .if ${PORT_OPTIONS:MEMBEDDED_PERL} SEDLIST+= -e 's,^\# (EXIM_PERL=),\1,' .endif .if ${PORT_OPTIONS:MTCP_WRAPPERS} SEDLIST+= -e 's,XX_TCP_WRAPPERS_LIBS_XX,-lwrap,' \ -e 's,^\# (USE_TCP_WRAPPERS=),\1,' .else SEDLIST+= -e 's,XX_TCP_WRAPPERS_LIBS_XX,,' .endif .if ${PORT_OPTIONS:MICONV} SEDLIST+= -e 's,XX_ICONV_LIBS_XX,-L${LOCALBASE:S/,/\\,/g}/lib ${ICONV_LIB},' \ -e 's,^\# (HAVE_ICONV=),\1,' .else SEDLIST+= -e 's,XX_ICONV_LIBS_XX,,' .endif .if ${PORT_OPTIONS:MOPENLDAP} LDAP_LIB_TYPE= OPENLDAP2 SEDLIST+= -e 's,XX_LDAP_LIBS_XX,-L${LOCALBASE:S/,/\\,/g}/lib -llber -lldap,' \ -e 's,XX_LDAP_INCLUDE_XX,-I${LOCALBASE:S/,/\\,/g}/include,' \ -e 's,XX_LDAP_TYPE_XX,${LDAP_LIB_TYPE:S/,/\\,/g},' \ -e 's,^\# (LOOKUP_LDAP=),\1,' .else SEDLIST+= -e 's,XX_LDAP_[^ ]*_XX,,' \ -e 's,^(LDAP_LIB_TYPE=),\# \1,' .endif .if ${PORT_OPTIONS:MBDB} INVALID_BDB_VER= 2 3 6 18 DB_LIBS= -L${BDB_LIB_DIR} -l${BDB_LIB_NAME} DB_INCLUDES= -I${BDB_INCLUDE_DIR} .else DB_LIBS= DB_INCLUDES= SEDLIST+= -e 's,^(DBMLIB=),\# \1,' .endif SEDLIST+= -e 's,XX_DB_LIBS_XX,${DB_LIBS:S/,/\\,/g},' \ -e 's,XX_DB_INCLUDES_XX,${DB_INCLUDES:S/,/\\,/g},' .if ${PORT_OPTIONS:MLMDB} _LMDB_LIBS= -L${LOCALBASE}/lib -llmdb _LMDB_INCLUDES= -I${LOCALBASE}/include SEDLIST+= -e 's,^\# (EXPERIMENTAL_LMDB=),\1,' .else _LMDB_LIBS= _LMDB_INCLUDES= .endif SEDLIST+= -e 's,XX_LMDB_LIBS_XX,${_LMDB_LIBS:S/,/\\,/g},' \ -e 's,XX_LMDB_INCLUDES_XX,${_LMDB_INCLUDES:S/,/\\,/g},' .if ${PORT_OPTIONS:MMYSQL} SEDLIST+= -e 's,XX_MYSQL_LIBS_XX,-L${LOCALBASE:S/,/\\,/g}/lib/mysql -l${_MYSQL_SHLIB:S/lib//},' \ -e 
's,XX_MYSQL_INCLUDE_XX,-I${LOCALBASE:S/,/\\,/g}/include/mysql,' \ -e 's,^\# (LOOKUP_MYSQL=),\1,' .else SEDLIST+= -e 's,XX_MYSQL_[^ ]*_XX,,' .endif .if ${PORT_OPTIONS:MSASLAUTHD} SASLAUTHD_SOCKET?= /var/run/saslauthd/mux SEDLIST+= -e 's,^\# (CYRUS_SASLAUTHD_SOCKET=).*,\1${SASLAUTHD_SOCKET:S/,/\\,/g},' .endif .if ${PORT_OPTIONS:MPAM} SEDLIST+= -e 's,XX_PAM_LIBS_XX,-lpam,' \ -e 's,^\# (SUPPORT_PAM=),\1,' .else SEDLIST+= -e 's,XX_PAM_LIBS_XX,,' .endif .if ${PORT_OPTIONS:MAUTH_CRAM_MD5} SEDLIST+= -e 's,^\# (AUTH_CRAM_MD5=),\1,' .endif .if ${PORT_OPTIONS:MAUTH_PLAINTEXT} SEDLIST+= -e 's,^\# (AUTH_PLAINTEXT=),\1,' .endif .if ${PORT_OPTIONS:MAUTH_DOVECOT} SEDLIST+= -e 's,^\# (AUTH_DOVECOT=),\1,' .endif .if ${PORT_OPTIONS:MAUTH_SPA} SEDLIST+= -e 's,^\# (AUTH_SPA=),\1,' .endif .if ${PORT_OPTIONS:MAUTH_SASL} SEDLIST+= -e 's,^\# (AUTH_CYRUS_SASL=),\1,' \ -e 's,^\# (AUTH_LIBS=.*-lsasl2),\1,' .endif .if ${PORT_OPTIONS:MAUTH_TLS} SEDLIST+= -e 's,^\# (AUTH_TLS=),\1,' .endif .if ${PORT_OPTIONS:MAUTH_RADIUS} WITH_RADIUS_TYPE?= RADLIB .if ${WITH_RADIUS_TYPE:tl} == radlib SEDLIST+= -e 's,XX_RADIUS_LIBS_XX,-lradius,' \ -e 's,^\# (RADIUS_CONFIG_FILE=).*,\1/etc/radius.conf,' \ -e 's,^\# (RADIUS_LIB_TYPE=).*,\1RADLIB,' .elif ${WITH_RADIUS_TYPE:tl} == radiusclient LIB_DEPENDS+= libfreeradius-client.so:net/freeradius-client SEDLIST+= -e 's,XX_RADIUS_LIBS_XX,-L${LOCALBASE:S/,/\\,/g}/lib -lfreeradius-client,' \ -e 's,^\# (RADIUS_CONFIG_FILE=).*,\1${LOCALBASE:S/,/\\,/g}/etc/radiusclient/radiusclient.conf,' \ -e 's,^\# (RADIUS_LIB_TYPE=).*,\1RADIUSCLIENTNEW,' .else IGNORE= the variable WITH_RADIUS_TYPE must be either RADLIB or RADIUSCLIENT .endif .else SEDLIST+= -e 's,XX_RADIUS_LIBS_XX,,' .endif .if ${PORT_OPTIONS:MPGSQL} SEDLIST+= -e 's,XX_PGSQL_LIBS_XX,-L${LOCALBASE:S/,/\\,/g}/lib -lpq,' \ -e 's,XX_PGSQL_INCLUDE_XX,-I${LOCALBASE:S/,/\\,/g}/include/pgsql,' \ -e 's,^\# (LOOKUP_PGSQL=),\1,' .else SEDLIST+= -e 's,XX_PGSQL_[^ ]*_XX,,' .endif .if ! ${PORT_OPTIONS:MPGSQL} && ! 
${PORT_OPTIONS:MMYSQL} && !defined(LDAP_LIB_TYPE) && \ ! ${PORT_OPTIONS:MBDB} && ! ${PORT_OPTIONS:MLMDB} SEDLIST+= -e 's,^(LOOKUP_LIBS=),\# \1,' \ -e 's,^(LOOKUP_INCLUDE=),\# \1,' .endif .if ! ${PORT_OPTIONS:MDNSDB} SEDLIST+= -e 's,^(LOOKUP_DNSDB=),\# \1,' .endif .if ${PORT_OPTIONS:MMAILDIR} SEDLIST+= -e 's,^\# (SUPPORT_MAILDIR=),\1,' .endif .if ${PORT_OPTIONS:MMAILSTORE} SEDLIST+= -e 's,^\# (SUPPORT_MAILSTORE=),\1,' .endif .if ${PORT_OPTIONS:MMBX} SEDLIST+= -e 's,^\# (SUPPORT_MBX=),\1,' .endif .if ${PORT_OPTIONS:MCDB} SEDLIST+= -e 's,^\# (LOOKUP_CDB=),\1,' .endif .if ${PORT_OPTIONS:MDSEARCH} SEDLIST+= -e 's,^\# (LOOKUP_DSEARCH=),\1,' .endif .if ! ${PORT_OPTIONS:MLSEARCH} SEDLIST+= -e 's,^(LOOKUP_LSEARCH=),\# \1,' .endif .if ${PORT_OPTIONS:MNIS} SEDLIST+= -e 's,^\# (LOOKUP_NIS=),\1,' .endif .if ${PORT_OPTIONS:MPASSWD} SEDLIST+= -e 's,^\# (LOOKUP_PASSWD=),\1,' .endif .if ${PORT_OPTIONS:MSQLITE} SEDLIST+= -e 's,XX_SQLITE_LIBS_XX,`pkg-config --static --libs sqlite3`,' \ -e 's,XX_SQLITE_FLAGS_XX,`pkg-config --cflags sqlite3`,' \ -e 's,^\# (LOOKUP_SQLITE=),\1,' .else SEDLIST+= -e 's,XX_SQLITE_LIBS_XX,,' \ -e 's,XX_SQLITE_FLAGS_XX,,' .endif .if ${PORT_OPTIONS:MREDIS} SEDLIST+= -e 's,XX_REDIS_LIBS_XX,-L${LOCALBASE}/lib -lhiredis,' \ -e 's,^\# (LOOKUP_REDIS=),\1,' \ -e 's,^\# (REDIS=),\1,' .else SEDLIST+= -e 's,XX_REDIS_LIBS_XX,,' .endif .if ${PORT_OPTIONS:MLMTP} SEDLIST+= -e 's,^\# (TRANSPORT_LMTP=),\1,' .endif .if ! 
${PORT_OPTIONS:MALT_CONFIG_PREFIX} SEDLIST+= -e 's,^(ALT_CONFIG_PREFIX=),\# \1,' .endif .if ${PORT_OPTIONS:MSPF} SEDLIST+= -e 's,XX_SPF_FLAGS_XX,-DSPF,' \ -e 's,XX_SPF_LIBS_XX,-L${LOCALBASE}/lib -lspf2 -lpthread,' \ -e 's,^\# (SUPPORT_SPF=),\1,' .else SEDLIST+= -e 's,XX_SPF_FLAGS_XX,,' \ -e 's,XX_SPF_LIBS_XX,,' .endif .if ${PORT_OPTIONS:MSRS} SEDLIST+= -e 's,XX_SRS_FLAGS_XX,-DSUPPORT_SRS,' \ -e 's,XX_SRS_LIBS_XX,,' .else SEDLIST+= -e 's,XX_SRS_FLAGS_XX,,' \ -e 's,XX_SRS_LIBS_XX,,' .endif .if ${PORT_OPTIONS:MREADLINE} SEDLIST+= -e 's,^\# (USE_READLINE=),\1,' .endif .if ${PORT_OPTIONS:MCONTENT_SCAN} SEDLIST+= -e 's,^\# (WITH_CONTENT_SCAN=),\1,' .endif .if !defined(EXIMON_ONLY) && ${PORT_OPTIONS:MDAEMON} USE_RC_SUBR= exim PLIST_SUB+= EXIMDAEMON="" SUB_LIST+= LOGDIR="${LOGDIR}" .else PLIST_SUB+= EXIMDAEMON="@comment " .endif .if ${PORT_OPTIONS:MIPV6} SEDLIST+= -e 's,^\# (HAVE_IPV6=),\1,' .endif .if ${PORT_OPTIONS:MDISABLE_D_OPT} SEDLIST+= -e 's,^\# (DISABLE_D_OPTION=),\1,' .else .if defined(WHITELIST_D_MACROS) SEDLIST+= -e 's,^\# (WHITELIST_D_MACROS=).*$$,\1${WHITELIST_D_MACROS:S/,/\\,/g},' .endif .endif .if defined(TRUSTED_CONFIG_LIST) SEDLIST+= -e 's,^\# (TRUSTED_CONFIG_LIST=).*$$,\1${TRUSTED_CONFIG_LIST:S/,/\\,/g},' .endif .if ${PORT_OPTIONS:MQUEUEFILE} SEDLIST+= -e 's,^\# (EXPERIMENTAL_QUEUEFILE=),\1,' .endif MAKE_ENV+= INSTALL_ARG="${EXIM_INSTALL_ARG}" DUMMY_LDFLAGS!= ${ECHO_CMD} ${LDFLAGS} | ${SED} -e 's|-Wl,-rpath|-Wl,-DUMMYrpath|g; s|-rpath|-Wl,-rpath|g; s|-DUMMYrpath|-rpath|g' pre-everything:: @${ECHO} 'Exim now drops privileges when alternate configuration' @${ECHO} 'files are used. You can set make variable TRUSTED_CONFIG_LIST' @${ECHO} 'to specify the list of configuration files for which' @${ECHO} 'root privileges will be retained.' @${ECHO} '' @${ECHO} 'You can whitelist some macros using the make variable' @${ECHO} 'WHITELIST_D_MACROS. 
This is useful if you are running' @${ECHO} 'with DISABLE_D_OPT set, but macros whitelisting will be' @${ECHO} 'removed in some future Exim release, so it is better' @${ECHO} 'to use TRUSTED_CONFIG_LIST to set the list of trusted' @${ECHO} 'configuration files.' .if empty(.MAKEFLAGS:M-s) && ${PORT_OPTIONS:MWISHLIST} @${ECHO} '' @${ECHO} 'Included extra patches:' @${FIND} ${PATCHDIR} -name 'wishlist-*.patch' \ -exec ${SED} -ne 's,^# , ,p' {} \; @${ECHO} '' .endif post-extract: .if ${PORT_OPTIONS:MSA_EXIM} @cd ${WRKDIR} && ${TAR} ${EXTRACT_BEFORE_ARGS} ${_DISTDIR}/sa-exim-${SA_EXIM_VERSION}.tar.gz ${EXTRACT_AFTER_ARGS} @@${CP} ${WRKDIR}/sa-exim-${SA_EXIM_VERSION}/sa-exim.c ${WRKSRC}/Local @@${CP} ${WRKDIR}/sa-exim-${SA_EXIM_VERSION}/sa-exim.conf ${WRKSRC}/Local .endif do-configure: @${MKDIR} ${WRKSRC}/Local @${SED} -E ${SEDLIST} ${WRKSRC}/src/EDITME > ${WRKSRC}/Local/Makefile .if ${PORT_OPTIONS:MEXIMON} @${CP} ${WRKSRC}/exim_monitor/EDITME ${WRKSRC}/Local/eximon.conf .endif @${REINPLACE_CMD} -E ${SEDLIST} ${WRKSRC}/src/configure.default @${REINPLACE_CMD} -e 's!$$(LDFLAGS)!$$(DUMMY_LDFLAGS) -L$${LOCALBASE}/lib!' 
${WRKSRC}/OS/Makefile-Base @${REINPLACE_CMD} -e 's/"(Exim $$version_number)\\n\\t"/"(Exim $$version_number (${OPSYS}))\\n\\t"/' \ ${WRKSRC}/src/globals.c @${REINPLACE_CMD} -e 's/Exim version %s \(#%s \)\{0,1\}/&(${OPSYS} ${OSREL}) /' ${WRKSRC}/src/exim.c @${REINPLACE_CMD} -e 's/^#include "cnumber\.h"$$/${PORTREVISION}/' ${WRKSRC}/src/version.c @${REINPLACE_CMD} -E -e 's/^(PERL_COMMAND=).*/\1${PERL:S,/,\/,g}/' \ -e 's/^(CC=).*/\1${CC:S,/,\/,g}/' ${WRKSRC}/OS/Makefile-Default .if ${PORT_OPTIONS:MSA_EXIM} @${REINPLACE_CMD} -E -e 's/^\# (HAVE_LOCAL_SCAN=).*/\1yes/' \ ${WRKSRC}/OS/Makefile-Default @${REINPLACE_CMD} -E -e 's/^(LOCAL_SCAN_SOURCE=).*/\1Local\/sa-exim.c/' \ ${WRKSRC}/OS/Makefile-Default @{ \ ${ECHO_CMD} "char *version=\"${SA_EXIM_VERSION}\";"; \ ${ECHO_CMD} "#define SPAMC_LOCATION \"${LOCALBASE}/bin/spamc\""; \ ${ECHO_CMD} "#define SPAMASSASSIN_CONF \"${PREFIX}/etc/exim/sa-exim.conf\""; \ } > ${WRKSRC}/Local/sa-exim.h @${REINPLACE_CMD} -e 's,/usr/bin/spamc,${LOCALBASE}/bin/spamc,' \ ${WRKSRC}/Local/sa-exim.conf .endif @(cd ${WRKSRC}; ${SETENV} ${MAKE_ENV} ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} configure) post-build: .for script in ${DAILY_SCRIPTS} @${SED} ${SED_SCRIPT} ${FILESDIR}/${script}.sh > ${WRKDIR}/${script}.sh .endfor @${SED} ${SED_SCRIPT} ${FILESDIR}/POST-INSTALL-NOTES > \ ${WRKDIR}/POST-INSTALL-NOTES @${SED} ${SED_SCRIPT} ${FILESDIR}/POST-INSTALL-NOTES.clamd > ${WRKDIR}/POST-INSTALL-NOTES.clamd @${SED} ${SED_SCRIPT} ${FILESDIR}/POST-INSTALL-NOTES > ${WRKDIR}/POST-INSTALL-NOTES @[ ! 
-f ${PKGDIR}/pkg-message ] || ${SED} ${SED_SCRIPT} ${PKGDIR}/pkg-message > ${WRKDIR}/pkg-message .if !defined(EXIMON_ONLY) post-install: .if ${PORT_OPTIONS:MDAEMON} ${MKDIR} ${STAGEDIR}${PREFIX}/etc/periodic/daily .for script in ${DAILY_SCRIPTS} ${INSTALL_SCRIPT} ${WRKDIR}/${script}.sh ${STAGEDIR}${PREFIX}/etc/periodic/daily/${script} .endfor .endif @${MKDIR} -m 750 ${STAGEDIR}${LOGDIR} ${INSTALL_MAN} ${WRKSRC}/doc/exim.8 ${STAGEDIR}${MAN8PREFIX}/man/man8 .if ${PORT_OPTIONS:MDOCS} @${MKDIR} ${STAGEDIR}${DOCSDIR} ${INSTALL_DATA} ${WRKDIR}/POST-INSTALL-NOTES ${STAGEDIR}${DOCSDIR} ${INSTALL_DATA} ${WRKDIR}/POST-INSTALL-NOTES.clamd ${STAGEDIR}${DOCSDIR} .for docfile in ${PORTDOC_BASE} ${INSTALL_DATA} ${WRKSRC}/${docfile} ${STAGEDIR}${DOCSDIR} .endfor .for docfile in ${PORTDOC_FILES} ${INSTALL_DATA} ${WRKSRC}/doc/${docfile} ${STAGEDIR}${DOCSDIR} .endfor @${MKDIR} ${STAGEDIR}${EXAMPLESDIR} .for example in ${PORT_EXAMPLES} ${INSTALL_SCRIPT} ${WRKSRC}/build-${OPSYS}-${ARCH}/${example} ${STAGEDIR}${EXAMPLESDIR} .endfor .endif .if ${PORT_OPTIONS:MSA_EXIM} ${INSTALL_DATA} ${WRKSRC}/Local/sa-exim.conf \ ${STAGEDIR}${PREFIX}/etc/exim/sa-exim.conf.sample .endif .endif # ! defined(EXIMON_ONLY) .include # If using clang, avoid too many warnings due to Exim code style .if ${CHOSEN_COMPILER_TYPE} == "clang" EXIM_WARN_FLAGS?= -Wno-logical-op-parentheses -Wno-macro-redefined -Wno-parentheses -Wno-dangling-else .endif CFLAGS+= ${EXIM_WARN_FLAGS} .include diff --git a/mail/exim/distinfo b/mail/exim/distinfo index eb6b96ef513f..5536bcc2c9df 100644 --- a/mail/exim/distinfo +++ b/mail/exim/distinfo 
@@ -1,5 +1,5 @@
-TIMESTAMP = 1681024359
-SHA256 (exim/exim-4.96.tar.bz2) = c7a413fec601cc44a8f5fe9e5b64cb24a7d133f3a4a976f33741d98ff0ec6b91
-SIZE (exim/exim-4.96.tar.bz2) = 2047632
+TIMESTAMP = 1696250210
+SHA256 (exim/exim-4.96.1.tar.bz2) = 26bbcd4f45483c7138912b4bd31022aee8abf8ac7cdff55839d7e2a9e4c60692
+SIZE (exim/exim-4.96.1.tar.bz2) = 2048927
 SHA256 (exim/sa-exim-4.2.1.tar.gz) = 24d4bf7b0fdddaea11f132981cebb6a86a4ab20ef54111a8ebd481b421c6e2c1
 SIZE (exim/sa-exim-4.2.1.tar.gz) = 68933
diff --git a/mail/exim/files/debian/75_01-Fix-exit-on-attempt-to-rewrite-a-malformed-address.-.patch b/mail/exim/files/debian/75_01-Fix-exit-on-attempt-to-rewrite-a-malformed-address.-.patch
index bf0f64942d7d..42a2c237aa82 100644
--- a/mail/exim/files/debian/75_01-Fix-exit-on-attempt-to-rewrite-a-malformed-address.-.patch
+++ b/mail/exim/files/debian/75_01-Fix-exit-on-attempt-to-rewrite-a-malformed-address.-.patch
@@ -1,57 +1,39 @@
 From e7ec503729970a03d4509921342bc81313976126 Mon Sep 17 00:00:00 2001
From: Jeremy Harris Date: Tue, 12 Jul 2022 22:14:04 +0100 Subject: [PATCH] Fix exit on attempt to rewrite a malformed address. Bug 2903 --- - doc/ChangeLog | 5 + src/rewrite.c | 9 +- test/confs/0471 | 7 + test/log/0471 | 5 + test/scripts/0000-Basic/0471 | 4 +- test/stderr/0471 | 245 ++++++++++++++++++++++++++++++++++- 6 files changed, 267 insertions(+), 8 deletions(-) ---- a/doc/ChangeLog -+++ b/doc/ChangeLog -@@ -1,9 +1,14 @@ - This document describes *changes* to previous versions, that might - affect Exim's operation, with an unchanged configuration file. For new - options, and new features, see the NewStuff file next to this ChangeLog. - -+JH/04 Bug 2903: avoid exit on an attempt to rewrite a malformed address. -+ Make the rewrite never match and keep the logging. Trust the -+ admin to be using verify=header-syntax (to actually reject the message). -+ -+ - Exim version 4.96 - ----------------- - - JH/01 Move the wait-for-next-tick (needed for unique messmage IDs) from - after reception to before a subsequent reception. This should --- a/src/rewrite.c +++ b/src/rewrite.c @@ -493,19 +493,18 @@ empty address, overlong addres. Sometimes the result matters, sometimes not. It seems this function is called for *any* header we see. */ if (!recipient) { - /* Handle unparesable addresses in the header. Slightly ugly because a + /* Log unparesable addresses in the header. Slightly ugly because a null output from the extract can also result from a header without an - address, "To: undisclosed recpients:;" being the classic case. */ + address, "To: undisclosed recpients:;" being the classic case. Ignore + this one and carry on. */ if ((rewrite_rules || routed_old) && Ustrcmp(errmess, "empty address") != 0) - { log_write(0, LOG_MAIN, "rewrite: %s", errmess); - exim_exit(EXIT_FAILURE); - } + loop_reset_point = store_reset(loop_reset_point); continue; } /* If routed_old is not NULL, this is a rewrite caused by a router, 
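Review bot: The diffstat summary `6 files changed, 267 insertions(+), 8 deletions(-)` is kept as unchanged context while the `doc/ChangeLog | 5 +` entry and the whole ChangeLog hunk below it are dropped, so the patch's stat header no longer matches its body (presumably 5 files and 262 insertions now). `patch` and `git apply` ignore that line, so this is cosmetic, but it misleads anyone auditing which upstream files the port actually modifies; updating the summary when the ChangeLog part is stripped, or regenerating the patch, keeps the header honest. The same stale summary line is left in 75_08 (`7 files changed, 55 insertions(+), 17 deletions(-)`) and 75_16 (`7 files changed, 68 insertions(+), 21 deletions(-)`).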
diff --git a/mail/exim/files/debian/75_08-Fix-regex-n-use-after-free.-Bug-2915.patch b/mail/exim/files/debian/75_08-Fix-regex-n-use-after-free.-Bug-2915.patch index 2429e9ff55b9..6dd55c1fe806 100644 --- a/mail/exim/files/debian/75_08-Fix-regex-n-use-after-free.-Bug-2915.patch +++ b/mail/exim/files/debian/75_08-Fix-regex-n-use-after-free.-Bug-2915.patch @@ -1,193 +1,167 @@ From 4e9ed49f8f12eb331b29bd5b6dc3693c520fddc2 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Wed, 31 Aug 2022 15:37:40 +0100 Subject: [PATCH] Fix $regex use-after-free. Bug 2915 --- - doc/ChangeLog | 8 +++++++- src/exim.c | 4 +--- src/expand.c | 2 +- src/functions.h | 1 + src/globals.c | 2 +- src/regex.c | 29 ++++++++++++++++++----------- src/smtp_in.c | 2 ++ 7 files changed, 55 insertions(+), 17 deletions(-) ---- a/doc/ChangeLog -+++ b/doc/ChangeLog -@@ -4,15 +4,21 @@ - - JH/04 Bug 2903: avoid exit on an attempt to rewrite a malformed address. - Make the rewrite never match and keep the logging. Trust the - admin to be using verify=header-syntax (to actually reject the message). - -+JH/08 Bug 2915: Fix use-after-free for $regex variables. Previously when -+ more than one message arrived in a single connection a reference from -+ the earlier message could be re-used. Often a sigsegv resulted. -+ These variables were introduced in Exim 4.87. -+ Debug help from Graeme Fowler. -+ - - Exim version 4.96 - ----------------- - --JH/01 Move the wait-for-next-tick (needed for unique messmage IDs) from -+JH/01 Move the wait-for-next-tick (needed for unique message IDs) from - after reception to before a subsequent reception. This should - mean slightly faster delivery, and also confirmation of reception - to senders. - - JH/02 Move from using the pcre library to pcre2. The former is no longer --- a/src/exim.c +++ b/src/exim.c 
@@ -1999,12 +1999,10 @@ regex_whitelisted_macro = regex_must_compile(US"^[A-Za-z0-9_/.-]*$", FALSE, TRUE); #endif -for (i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL; - /* If the program is called as "mailq" treat it as equivalent to "exim -bp"; this seems to be a generally accepted convention, since one finds symbolic links called "mailq" in standard OS configurations. */ if ((namelen == 5 && Ustrcmp(argv[0], "mailq") == 0) || @@ -6082,11 +6080,11 @@ callout_address = NULL; sending_ip_address = NULL; deliver_localpart_data = deliver_domain_data = recipient_data = sender_data = NULL; acl_var_m = NULL; - for(int i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL; + regex_vars_clear(); store_reset(reset_point); } exim_exit(EXIT_SUCCESS); /* Never returns */ --- a/src/expand.c +++ b/src/expand.c @@ -1871,11 +1871,11 @@ { tree_node * node = tree_search(router_var, name + 2); return node ? node->data.ptr : strict_acl_vars ? NULL : US""; } -/* Handle $auth variables. */ +/* Handle $auth, $regex variables. */ if (Ustrncmp(name, "auth", 4) == 0) { uschar *endptr; int n = Ustrtoul(name + 4, &endptr, 10); --- a/src/functions.h +++ b/src/functions.h @@ -436,10 +436,11 @@ extern int regex(const uschar **); #endif extern BOOL regex_match(const pcre2_code *, const uschar *, int, uschar **); extern BOOL regex_match_and_setup(const pcre2_code *, const uschar *, int, int); extern const pcre2_code *regex_must_compile(const uschar *, BOOL, BOOL); +extern void regex_vars_clear(void); extern void retry_add_item(address_item *, uschar *, int); extern BOOL retry_check_address(const uschar *, host_item *, uschar *, BOOL, uschar **, uschar **); extern retry_config *retry_find_config(const uschar *, const uschar *, int, int); extern BOOL retry_ultimate_address_timeout(uschar *, const uschar *, --- a/src/globals.c +++ b/src/globals.c 
@@ -1313,11 +1313,11 @@ #ifndef DISABLE_PIPE_CONNECT const pcre2_code *regex_EARLY_PIPE = NULL; #endif const pcre2_code *regex_ismsgid = NULL; const pcre2_code *regex_smtp_code = NULL; -const uschar *regex_vars[REGEX_VARS]; +const uschar *regex_vars[REGEX_VARS] = { 0 };; #ifdef WHITELIST_D_MACROS const pcre2_code *regex_whitelisted_macro = NULL; #endif #ifdef WITH_CONTENT_SCAN uschar *regex_match_string = NULL; --- a/src/regex.c +++ b/src/regex.c @@ -94,22 +94,32 @@ } pcre2_match_data_free(md); return FAIL; } + +/* reset expansion variables */ +void +regex_vars_clear(void) +{ +regex_match_string = NULL; +for (int i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL; +} + + + int -regex(const uschar **listptr) +regex(const uschar ** listptr) { unsigned long mbox_size; -FILE *mbox_file; -pcre_list *re_list_head; -uschar *linebuffer; +FILE * mbox_file; +pcre_list * re_list_head; +uschar * linebuffer; long f_pos = 0; int ret = FAIL; -/* reset expansion variable */ -regex_match_string = NULL; +regex_vars_clear(); if (!mime_stream) /* We are in the DATA ACL */ { if (!(mbox_file = spool_mbox(&mbox_size, NULL, NULL))) { /* error while spooling */ @@ -167,18 +177,17 @@ int mime_regex(const uschar **listptr) { -pcre_list *re_list_head = NULL; -FILE *f; -uschar *mime_subject = NULL; +pcre_list * re_list_head = NULL; +FILE * f; +uschar * mime_subject = NULL; int mime_subject_len = 0; int ret; -/* reset expansion variable */ -regex_match_string = NULL; +regex_vars_clear(); /* precompile our regexes */ if (!(re_list_head = compile(*listptr))) return FAIL; /* no regexes -> nothing to do */ --- a/src/smtp_in.c +++ b/src/smtp_in.c 
@@ -2155,12 +2155,14 @@ prdr_requested = FALSE; #endif #ifdef SUPPORT_I18N message_smtputf8 = FALSE; #endif +regex_vars_clear(); body_linecount = body_zerocount = 0; +lookup_value = NULL; /* Can be set by ACL */ sender_rate = sender_rate_limit = sender_rate_period = NULL; ratelimiters_mail = NULL; /* Updated by ratelimit ACL condition */ /* Note that ratelimiters_conn persists across resets. */ /* Reset message ACL variables */ diff --git a/mail/exim/files/debian/75_16-GnuTLS-fix-for-clients-offering-no-TLS-extensions.patch b/mail/exim/files/debian/75_16-GnuTLS-fix-for-clients-offering-no-TLS-extensions.patch index ae2fa16f51ea..73b584dbef4d 100644 --- a/mail/exim/files/debian/75_16-GnuTLS-fix-for-clients-offering-no-TLS-extensions.patch +++ b/mail/exim/files/debian/75_16-GnuTLS-fix-for-clients-offering-no-TLS-extensions.patch @@ -1,114 +1,96 @@ From ece23f05d6a430a461a75639197271c23f6858ec Mon Sep 17 00:00:00 2001 
From: Jasen Betts Date: Fri, 30 Sep 2022 13:49:41 +0100 Subject: [PATCH] GnuTLS: fix for clients offering no TLS extensions --- - doc/ChangeLog | 3 +++ src/tls-gnu.c | 3 ++- src/tls-openssl.c | 39 +++++++++++++++--------------- test/confs/2091 | 1 + test/log/2091 | 3 +++ test/scripts/2090-GnuTLS-ALPN/2091 | 19 +++++++++++++++ test/stdout/2091 | 21 ++++++++++++++++ 7 files changed, 68 insertions(+), 21 deletions(-) create mode 120000 test/confs/2091 create mode 100644 test/log/2091 create mode 100644 test/scripts/2090-GnuTLS-ALPN/2091 create mode 100644 test/stdout/2091 ---- a/doc/ChangeLog -+++ b/doc/ChangeLog -@@ -10,10 +10,14 @@ - more than one message arrived in a single connection a reference from - the earlier message could be re-used. Often a sigsegv resulted. - These variables were introduced in Exim 4.87. - Debug help from Graeme Fowler. - -+JH/10 GnuTLS: fix for (IOT?) clients offering no TLS extensions at all. -+ Find and fix by Jasen Betts. -+ -+ - - Exim version 4.96 - ----------------- - - JH/01 Move the wait-for-next-tick (needed for unique message IDs) from --- a/src/tls-gnu.c +++ b/src/tls-gnu.c @@ -1130,12 +1130,13 @@ static int tls_server_clienthello_cb(gnutls_session_t session, unsigned int htype, unsigned when, unsigned int incoming, const gnutls_datum_t * msg) { /* Call fn for each extension seen. 3.6.3 onwards */ -return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg, +int rc = gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg, GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO); +return rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE ? 0 : rc; } # ifdef notdef_crashes /* Make a note that we saw a status-response */ --- a/src/tls-openssl.c +++ b/src/tls-openssl.c 
@@ -940,40 +940,39 @@ Returns: nothing */ static void -info_callback(SSL *s, int where, int ret) +info_callback(SSL * s, int where, int ret) { DEBUG(D_tls) { - const uschar * str; + gstring * g = NULL; - if (where & SSL_ST_CONNECT) - str = US"SSL_connect"; - else if (where & SSL_ST_ACCEPT) - str = US"SSL_accept"; - else - str = US"SSL info (undefined)"; + if (where & SSL_ST_CONNECT) g = string_append_listele(g, ',', US"SSL_connect"); + if (where & SSL_ST_ACCEPT) g = string_append_listele(g, ',', US"SSL_accept"); + if (where & SSL_CB_LOOP) g = string_append_listele(g, ',', US"state_chg"); + if (where & SSL_CB_EXIT) g = string_append_listele(g, ',', US"hshake_exit"); + if (where & SSL_CB_READ) g = string_append_listele(g, ',', US"read"); + if (where & SSL_CB_WRITE) g = string_append_listele(g, ',', US"write"); + if (where & SSL_CB_ALERT) g = string_append_listele(g, ',', US"alert"); + if (where & SSL_CB_HANDSHAKE_START) g = string_append_listele(g, ',', US"hshake_start"); + if (where & SSL_CB_HANDSHAKE_DONE) g = string_append_listele(g, ',', US"hshake_done"); if (where & SSL_CB_LOOP) - debug_printf("%s: %s\n", str, SSL_state_string_long(s)); + debug_printf("SSL %s: %s\n", g->s, SSL_state_string_long(s)); else if (where & SSL_CB_ALERT) - debug_printf("SSL3 alert %s:%s:%s\n", - str = where & SSL_CB_READ ? US"read" : US"write", + debug_printf("SSL %s %s:%s\n", g->s, SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); else if (where & SSL_CB_EXIT) { - if (ret == 0) - debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s)); - else if (ret < 0) - debug_printf("%s: error in %s\n", str, SSL_state_string_long(s)); + if (ret <= 0) + debug_printf("SSL %s: %s in %s\n", g->s, + ret == 0 ? 
"failed" : "error", SSL_state_string_long(s)); } - else if (where & SSL_CB_HANDSHAKE_START) - debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s)); - else if (where & SSL_CB_HANDSHAKE_DONE) - debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s)); + else if (where & (SSL_CB_HANDSHAKE_START | SSL_CB_HANDSHAKE_DONE)) + debug_printf("SSL %s: %s\n", g->s, SSL_state_string_long(s)); } } #ifdef OPENSSL_HAVE_KEYLOG_CB static void diff --git a/mail/exim/files/debian/75_18-Fix-Build-with-libopendmarc-1.4.x-fixes-2728.patch b/mail/exim/files/debian/75_18-Fix-Build-with-libopendmarc-1.4.x-fixes-2728.patch index f261d621d67a..456f315236b1 100644 --- a/mail/exim/files/debian/75_18-Fix-Build-with-libopendmarc-1.4.x-fixes-2728.patch +++ b/mail/exim/files/debian/75_18-Fix-Build-with-libopendmarc-1.4.x-fixes-2728.patch @@ -1,88 +1,71 @@ From 1561c5d88b3a23a4348d8e3c1ce28554fcbcfe46 Mon Sep 17 00:00:00 2001 From: "Heiko Schlittermann (HS12-RIPE)" Date: Sat, 15 Oct 2022 19:30:58 +0200 Subject: [PATCH 1/2] Fix: Build with libopendmarc 1.4.x (fixes 2728) --- - doc/ChangeLog | 3 +++ src/EDITME | 7 +++++-- src/config.h.defaults | 1 + src/dmarc.c | 7 ++++++- 4 files changed, 15 insertions(+), 3 deletions(-) ---- a/doc/ChangeLog -+++ b/doc/ChangeLog -@@ -13,10 +13,13 @@ - Debug help from Graeme Fowler. - - JH/10 GnuTLS: fix for (IOT?) clients offering no TLS extensions at all. - Find and fix by Jasen Betts. - -+HS/01 Bug 2728: Introduce EDITME option "DMARC_API" to work around incompatible -+ API changes in libopendmarc. -+ - - - Exim version 4.96 - ----------------- - --- a/src/EDITME +++ b/src/EDITME 
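Review bot: The new early return in tls_server_clienthello_cb maps GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE to 0 without saying why, and the only hint is the patch subject, so a later reader of tls-gnu.c cannot tell this is the "ClientHello with no extensions block at all" case rather than a swallowed parse failure. I'd add above the `int rc = gnutls_ext_raw_parse(...)` line: `/* A ClientHello carrying no extensions at all makes gnutls_ext_raw_parse() report REQUESTED_DATA_NOT_AVAILABLE; that is a legal hello, not an error, so accept it. Any other failure still aborts the handshake. */`. In info_callback the `g->s` dereferences are safe as written, since every branch that prints is gated on a bit that has just appended to `g`, but that invariant deserves one line, e.g. `/* g is non-NULL here: each printing branch is gated on a bit that appended above */`. Both functions are shown in full within this hunk.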
@@ -600,18 +600,21 @@ # EXPERIMENTAL_DCC=yes # Uncomment the following line to add DMARC checking capability, implemented # using libopendmarc libraries. You must have SPF and DKIM support enabled also. -# Library version libopendmarc-1.4.1-1.fc33.x86_64 (on Fedora 33) is known broken; -# 1.3.2-3 works. I seems that the OpenDMARC project broke their API. # SUPPORT_DMARC=yes # CFLAGS += -I/usr/local/include # LDFLAGS += -lopendmarc # Uncomment the following if you need to change the default. You can # override it at runtime (main config option dmarc_tld_file) # DMARC_TLD_FILE=/etc/exim/opendmarc.tlds +# +# Library version libopendmarc-1.4.1-1.fc33.x86_64 (on Fedora 33) is known broken; +# 1.3.2-3 works. It seems that the OpenDMARC project broke their API. +# Use this option if you need to build with an old library (1.3.x) +# DMARC_API=100300 # Uncomment the following line to add ARC (Authenticated Received Chain) # support. You must have SPF and DKIM support enabled also. # EXPERIMENTAL_ARC=yes --- a/src/config.h.defaults +++ b/src/config.h.defaults @@ -148,10 +148,11 @@ #define STRING_SPRINTF_BUFFER_SIZE (8192 * 4) #define SUPPORT_CRYPTEQ #define SUPPORT_DANE #define SUPPORT_DMARC +#define DMARC_API 100400 #define DMARC_TLD_FILE "/etc/exim/opendmarc.tlds" #define SUPPORT_I18N #define SUPPORT_I18N_2008 #define SUPPORT_MAILDIR #define SUPPORT_MAILSTORE --- a/src/dmarc.c +++ b/src/dmarc.c 
@@ -457,11 +457,16 @@ dkim_result = vs == PDKIM_VERIFY_PASS ? DMARC_POLICY_DKIM_OUTCOME_PASS : vs == PDKIM_VERIFY_FAIL ? DMARC_POLICY_DKIM_OUTCOME_FAIL : vs == PDKIM_VERIFY_INVALID ? DMARC_POLICY_DKIM_OUTCOME_TMPFAIL : DMARC_POLICY_DKIM_OUTCOME_NONE; libdm_status = opendmarc_policy_store_dkim(dmarc_pctx, US sig->domain, - dkim_result, US""); +/* The opendmarc project broke its API in a way we can't detect * easily. + * The EDITME provides a DMARC_API variable */ +#if DMARC_API >= 100400 + sig->selector, +#endif + dkim_result, US""); DEBUG(D_receive) debug_printf("DMARC adding DKIM sender domain = %s\n", sig->domain); if (libdm_status != DMARC_PARSE_OKAY) log_write(0, LOG_MAIN|LOG_PANIC, "failure to store dkim (%s) for DMARC: %s", diff --git a/mail/exim/files/debian/75_22-Fix-daemon-startup.-Bug-2930.patch b/mail/exim/files/debian/75_22-Fix-daemon-startup.-Bug-2930.patch index 2a3434f8b0b1..412c39be28d7 100644 --- a/mail/exim/files/debian/75_22-Fix-daemon-startup.-Bug-2930.patch +++ b/mail/exim/files/debian/75_22-Fix-daemon-startup.-Bug-2930.patch @@ -1,68 +1,50 @@ From 221321d2c51b83d1feced80ecd6c2fe33ec5456c Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Thu, 3 Nov 2022 20:08:25 +0000 Subject: [PATCH 1/2] Fix daemon startup. Bug 2930 Broken-by: 7d5055276a --- - doc/ChangeLog | 4 ++++ src/daemon.c | 8 ++++++-- 2 files changed, 10 insertions(+), 2 deletions(-) ---- a/doc/ChangeLog -+++ b/doc/ChangeLog -@@ -16,10 +16,14 @@ - Find and fix by Jasen Betts. - - HS/01 Bug 2728: Introduce EDITME option "DMARC_API" to work around incompatible - API changes in libopendmarc. - -+JH/12 Bug 2930: Fix daemon startup. When started from any process apart from -+ pid 1, in the normal "background daemon" mode, having to drop process- -+ group leadership also lost track of needing to create listener sockets. -+ - - - Exim version 4.96 - ----------------- - --- a/src/daemon.c +++ b/src/daemon.c 
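Review bot: `#define DMARC_API 100400` in config.h.defaults carries no explanation of the number's encoding or of which libopendmarc releases it stands for, and a preprocessor `#if DMARC_API >= 100400` quietly evaluates an undefined or misspelt macro as 0 and selects the 1.3-style call shape. I'd document it at the definition: `#define DMARC_API 100400 /* libopendmarc 1.4.x API (opendmarc_policy_store_dkim takes a selector); set 100300 in EDITME for 1.3.x */`. Stylistically, the explanatory comment in dmarc.c sits between two arguments of the call; moving it above `libdm_status = opendmarc_policy_store_dkim(` keeps the call readable. Whether the port's mail/opendmarc dependency actually matches the 1.4 default is not visible in this hunk and should be confirmed in the Makefile.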
@@ -1744,19 +1744,23 @@ { /* If the parent process of this one has pid == 1, we are re-initializing the daemon as the result of a SIGHUP. In this case, there is no need to do anything, because the controlling terminal has long gone. Otherwise, fork, in case current process is a process group leader (see 'man setsid' for an - explanation) before calling setsid(). */ + explanation) before calling setsid(). + All other forks want daemon_listen cleared. Rather than blow a register, jsut + restore it here. */ if (getppid() != 1) { + BOOL daemon_listen = f.daemon_listen; pid_t pid = exim_fork(US"daemon"); if (pid < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "fork() failed when starting daemon: %s", strerror(errno)); if (pid > 0) exit(EXIT_SUCCESS); /* in parent process, just exit */ (void)setsid(); /* release controlling terminal */ + f.daemon_listen = daemon_listen; } } /* We are now in the disconnected, daemon process (unless debugging). Set up the listening sockets if required. */ @@ -2090,11 +2094,11 @@ { /* found; append port to list */ for (p = i2->log; *p; ) p++; /* end of existing string */ if (*--p == '}') *p = '\0'; /* drop EOL */ while (isdigit(*--p)) ; /* char before port */ - i2->log = *p == ':' /* no list yet? */ + i2->log = *p == ':' /* no list yet? { */ ? string_sprintf("%.*s{%s,%d}", (int)(p - i2->log + 1), i2->log, p+1, ipa->port) : string_sprintf("%s,%d}", i2->log, ipa->port); ipa->log = NULL; break; diff --git a/mail/exim/files/debian/75_23-Fix-reccipients-after-run.-.-Bug-2929.patch b/mail/exim/files/debian/75_23-Fix-reccipients-after-run.-.-Bug-2929.patch index 1c98ef26083b..1db2ad0c9c99 100644 --- a/mail/exim/files/debian/75_23-Fix-reccipients-after-run.-.-Bug-2929.patch +++ b/mail/exim/files/debian/75_23-Fix-reccipients-after-run.-.-Bug-2929.patch @@ -1,45 +1,28 @@ From 6b331d5834d12bdda21857cd6fffac17038ce3c7 Mon Sep 17 00:00:00 2001 
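Review bot: The new save/restore of f.daemon_listen around exim_fork() relies on a side effect of exim_fork that the comment only alludes to, and the comment has a typo (`jsut`). I'd reword it as `/* exim_fork() appears to clear f.daemon_listen for the child (every other fork wants it off); this fork only sheds process-group leadership, so save and restore the flag. */`, keeping "appears" since exim_fork is not in this hunk. The enclosing function starts before the hunk. In the second change, the `{` inside `/* no list yet? { */` is presumably there to balance the brace in the string_sprintf format that follows for editors; saying so (`/* no list yet?  ('{' balances the one in the format below) */`) stops the next reader from deleting it as noise.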
From: Ruben Jenster Date: Thu, 3 Nov 2022 21:38:15 +0000 Subject: [PATCH 2/2] Fix $reccipients after ${run...}. Bug 2929 Broken-by: cfe6acff2d --- - doc/ChangeLog | 3 +++ src/transport.c | 3 ++- 2 files changed, 5 insertions(+), 1 deletion(-) ---- a/doc/ChangeLog -+++ b/doc/ChangeLog -@@ -20,10 +20,13 @@ - - JH/12 Bug 2930: Fix daemon startup. When started from any process apart from - pid 1, in the normal "background daemon" mode, having to drop process- - group leadership also lost track of needing to create listener sockets. - -+JH/13 Bug 2929: Fix using $recipients after ${run...}. A change made for 4.96 -+ resulted in the variable appearing empty. Find and fix by Ruben Jenster. -+ - - - Exim version 4.96 - ----------------- - --- a/src/transport.c +++ b/src/transport.c @@ -2342,13 +2342,14 @@ /* Handle normal expansion string */ else { const uschar *expanded_arg; + BOOL enable_dollar_recipients_g = f.enable_dollar_recipients; f.enable_dollar_recipients = allow_dollar_recipients; expanded_arg = expand_cstring(argv[i]); - f.enable_dollar_recipients = FALSE; + f.enable_dollar_recipients = enable_dollar_recipients_g; if (!expanded_arg) { uschar *msg = string_sprintf("Expansion of \"%s\" " "from command \"%s\" in %s failed: %s", diff --git a/mail/exim/files/debian/75_31-Fix-regext-substring-capture-variables-for-null-matc.patch b/mail/exim/files/debian/75_31-Fix-regext-substring-capture-variables-for-null-matc.patch index bd250f2b7191..d12b1b246631 100644 --- a/mail/exim/files/debian/75_31-Fix-regext-substring-capture-variables-for-null-matc.patch +++ b/mail/exim/files/debian/75_31-Fix-regext-substring-capture-variables-for-null-matc.patch @@ -1,79 +1,60 @@ From e63825824cc406c160ccbf2b154c5d81b168604a Mon Sep 17 00:00:00 2001 
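Review bot: The switch from unconditionally clearing f.enable_dollar_recipients to restoring its previous value is the whole fix, but nothing in the code says why clearing was wrong, so a later cleanup could reintroduce it. A comment on the new save line would help: `/* Restore rather than clear: the caller may already have $recipients enabled (Bug 2929), and clearing here hid it for the rest of the caller's expansion. */`. Since $recipients is deliberately gated, restoring the caller's setting keeps that decision where it was made rather than widening access, which is the right direction. The enclosing function starts and ends outside the hunk.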
From: Jeremy Harris Date: Fri, 11 Nov 2022 00:05:59 +0000 Subject: [PATCH 1/2] Fix regext substring capture variables for null matches. Bug 2933 broken-by: 59d66fdc13f0 --- - doc/ChangeLog | 5 +++++ src/exim.c | 2 ++ src/malware.c | 3 +++ src/regex.c | 2 +- 4 files changed, 11 insertions(+), 1 deletion(-) ---- a/doc/ChangeLog -+++ b/doc/ChangeLog -@@ -22,10 +22,15 @@ - pid 1, in the normal "background daemon" mode, having to drop process- - group leadership also lost track of needing to create listener sockets. - - JH/13 Bug 2929: Fix using $recipients after ${run...}. A change made for 4.96 - resulted in the variable appearing empty. Find and fix by Ruben Jenster. -+ -+JH/14 Bug 2933: Fix regex substring match variables for null matches. Since 4.96 -+ a capture group which obtained no text (eg. "(abc)*" matching zero -+ occurrences) could cause a segfault if the corresponding $ was -+ expanded. - - - - Exim version 4.96 - ----------------- --- a/src/exim.c +++ b/src/exim.c @@ -167,10 +167,12 @@ for (int matchnum = setup < 0 ? 0 : 1; matchnum < res; matchnum++) { PCRE2_SIZE len; pcre2_substring_get_bynumber(md, matchnum, (PCRE2_UCHAR **)&expand_nstring[expand_nmax], &len); + if (!expand_nstring[expand_nmax]) + { expand_nstring[expand_nmax] = US""; len = 0; } expand_nlength[expand_nmax++] = (int)len; } expand_nmax--; } else if (res != PCRE2_ERROR_NOMATCH) DEBUG(D_any) --- a/src/malware.c +++ b/src/malware.c @@ -323,11 +323,14 @@ int i = pcre2_match(cre, text, PCRE2_ZERO_TERMINATED, 0, 0, md, pcre_mtc_ctx); PCRE2_UCHAR * substr = NULL; PCRE2_SIZE slen; if (i >= 2) /* Got it */ + { pcre2_substring_get_bynumber(md, 1, &substr, &slen); + if (!substr) substr = US""; + } return US substr; } static const pcre2_code * m_pcre_nextinlist(const uschar ** list, int * sep, --- a/src/regex.c +++ b/src/regex.c 
@@ -84,11 +84,11 @@ for (int nn = 1; nn < n; nn++) { PCRE2_UCHAR * cstr; PCRE2_SIZE cslen; pcre2_substring_get_bynumber(md, nn, &cstr, &cslen); - regex_vars[nn-1] = CUS cstr; + regex_vars[nn-1] = cstr ? CUS cstr : CUS""; } return OK; } } diff --git a/mail/exim/files/debian/75_50-Fix-logging-of-max-size-log-line.patch b/mail/exim/files/debian/75_50-Fix-logging-of-max-size-log-line.patch index 5992faca6eac..f5dbd7a3d356 100644 --- a/mail/exim/files/debian/75_50-Fix-logging-of-max-size-log-line.patch +++ b/mail/exim/files/debian/75_50-Fix-logging-of-max-size-log-line.patch @@ -1,82 +1,63 @@ From 1ed24e36e279c922d3366f6c3144570cc5f54d7a Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Mon, 19 Dec 2022 21:09:17 +0000 Subject: [PATCH] Fix logging of max-size log line Broken-by: d12746bc15d8 --- - doc/ChangeLog | 5 +++++ src/log.c | 7 ++++--- test/confs/0633 | 21 ++++++++++++++++++++ test/scripts/0000-Basic/0633 | 9 +++++++++ test/stderr/0633 | 38 ++++++++++++++++++++++++++++++++++++ test/stdout/0633 | 15 ++++++++++++++ 6 files changed, 92 insertions(+), 3 deletions(-) create mode 100644 test/confs/0633 create mode 100644 test/scripts/0000-Basic/0633 create mode 100644 test/stderr/0633 create mode 100644 test/stdout/0633 ---- a/doc/ChangeLog -+++ b/doc/ChangeLog -@@ -28,10 +28,15 @@ JH/13 Bug 2929: Fix using $recipients af - JH/14 Bug 2933: Fix regex substring match variables for null matches. Since 4.96 - a capture group which obtained no text (eg. "(abc)*" matching zero - occurrences) could cause a segfault if the corresponding $ was - expanded. - -+JH/18 Fix a fencepost error in logging. Previously (since 4.92) when a log line -+ was exactly sized compared to the log buffer, a crash occurred with the -+ misleading message "bad memory reference; pool not found". -+ Found and traced by Jasen Betts. -+ - - - Exim version 4.96 - ----------------- - --- a/src/log.c +++ b/src/log.c 
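Review bot: The NULL tests added in exim.c and regex.c only work if pcre2_substring_get_bynumber() writes NULL through the output pointer on failure, but in regex.c `PCRE2_UCHAR * cstr;` is left uninitialised and the return code is ignored, so for an unset group `cstr ? CUS cstr : CUS""` may be testing an indeterminate value; as far as I recall pcre2 leaves the output untouched on PCRE2_ERROR_UNSET, so please verify against the library in use. malware.c gets this right by starting from `substr = NULL`. I'd make the other two sites test the return value instead: in regex.c `if (pcre2_substring_get_bynumber(md, nn, &cstr, &cslen) < 0) cstr = NULL;` before the assignment, and in exim.c `if (pcre2_substring_get_bynumber(md, matchnum, (PCRE2_UCHAR **)&expand_nstring[expand_nmax], &len) < 0) { expand_nstring[expand_nmax] = US""; len = 0; }`, which also stops `len` being read uninitialised there and avoids trusting whatever stale pointer the global expand_nstring slot held from an earlier match.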
@@ -803,11 +803,11 @@ Returns: nothing void log_write(unsigned int selector, int flags, const char *format, ...) { int paniclogfd; ssize_t written_len; -gstring gs = { .size = LOG_BUFFER_SIZE-1, .ptr = 0, .s = log_buffer }; +gstring gs = { .size = LOG_BUFFER_SIZE-2, .ptr = 0, .s = log_buffer }; gstring * g; va_list ap; /* If panic_recurseflag is set, we have failed to open the panic log. This is the ultimate disaster. First try to write the message to a debug file and/or @@ -949,15 +949,14 @@ DEBUG(D_any|D_v) g->ptr = i; g = string_cat(g, US"**** log string overflowed log buffer ****"); } va_end(ap); - g->size = LOG_BUFFER_SIZE; g = string_catn(g, US"\n", 1); debug_printf("%s", string_from_gstring(g)); - gs.size = LOG_BUFFER_SIZE-1; /* Having used the buffer for debug output, */ + gs.size = LOG_BUFFER_SIZE-2; /* Having used the buffer for debug output, */ gs.ptr = 0; /* reset it for the real use. */ gs.s = log_buffer; } /* If no log file is specified, we are in a mess. */ @@ -1035,10 +1034,12 @@ if ( flags & LOG_RECIPIENTS if (LOG_BUFFER_SIZE - g->ptr < Ustrlen(s) + 3) break; g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " %s", s); } } +/* actual size, now we are placing the newline (and space for NUL) */ +gs.size = LOG_BUFFER_SIZE; g = string_catn(g, US"\n", 1); string_from_gstring(g); /* Handle loggable errors when running a utility, or when address testing. Write to log_stderr unless debugging (when it will already have been written), diff --git a/mail/exim/files/debian/75_55-Fix-recursion-on-dns_again_means_nonexist.-Bug-2911.patch b/mail/exim/files/debian/75_55-Fix-recursion-on-dns_again_means_nonexist.-Bug-2911.patch index bbbfbe9ef1e7..271ff90ab99a 100644 --- a/mail/exim/files/debian/75_55-Fix-recursion-on-dns_again_means_nonexist.-Bug-2911.patch +++ b/mail/exim/files/debian/75_55-Fix-recursion-on-dns_again_means_nonexist.-Bug-2911.patch @@ -1,76 +1,54 @@ From 1d38781da934809e6ce0b8c3718c4b3bccdfe1d2 Mon Sep 17 00:00:00 2001 
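Review bot: The `LOG_BUFFER_SIZE-2` reservation now appears twice (the gs initialiser and the debug-path reset) with no comment saying what the two bytes are for, and the debug path also lost its `g->size = LOG_BUFFER_SIZE;` restore, so it is worth confirming that the overflow marker plus newline there still fit under the reduced limit. I'd state the invariant once at the initialiser: `/* keep 2 bytes back: the trailing newline added at the end and the NUL that string_from_gstring() writes; both go in after size is reset to LOG_BUFFER_SIZE */`, and reference it at the second site or name the constant. The final restore writes `gs.size` while everything around it goes through `g`; if `g` always points at `gs` here (not visible in the hunk), `g->size = LOG_BUFFER_SIZE;` would read more consistently with the line the debug path used to have. log_write begins before this hunk and continues after it.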
From: Jeremy Harris Date: Wed, 28 Dec 2022 19:39:06 +0000 Subject: [PATCH] Fix recursion on dns_again_means_nonexist. Bug 2911 --- - doc/ChangeLog | 8 +++++ src/dns.c | 12 ++++++++ test/confs/2202 | 18 +++++++++-- test/scripts/2200-dnsdb/2202 | 8 +++++ test/stderr/2202 | 58 +++++++++++++++++++++++++++++++++++- test/stdout/2202 | 8 +++++ 6 files changed, 108 insertions(+), 4 deletions(-) ---- a/doc/ChangeLog -+++ b/doc/ChangeLog -@@ -33,10 +33,18 @@ JH/14 Bug 2933: Fix regex substring matc - JH/18 Fix a fencepost error in logging. Previously (since 4.92) when a log line - was exactly sized compared to the log buffer, a crash occurred with the - misleading message "bad memory reference; pool not found". - Found and traced by Jasen Betts. - -+JH/19 Bug 2911: Fix a recursion in DNS lookups. Previously, if the main option -+ dns_again_means_nonexist included an element causing a DNS lookup which -+ iteslf returned DNS_AGAIN, unbounded recursion occurred. Possible results -+ included (though probably not limited to) a process crash from stack -+ memory limit, or from excessive open files. Replace this with a paniclog -+ whine (as this is likely a configuration error), and returning -+ DNS_NOMATCH. -+ - - - Exim version 4.96 - ----------------- - --- a/src/dns.c +++ b/src/dns.c @@ -799,10 +799,11 @@ int dns_basic_lookup(dns_answer * dnsa, const uschar * name, int type) { int rc; #ifndef STAND_ALONE const uschar * save_domain; +static BOOL try_again_recursion = FALSE; #endif /* DNS lookup failures of any kind are cached in a tree. This is mainly so that a timeout on one domain doesn't happen time and time again for messages that have many addresses in the same domain. We rely on the resolver and name server 
@@ -903,15 +904,26 @@ if (dnsa->answerlen < 0) switch (h_errno DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave TRY_AGAIN\n", name, dns_text_type(type)); /* Cut this out for various test programs */ #ifndef STAND_ALONE + if (try_again_recursion) + { + log_write(0, LOG_MAIN|LOG_PANIC, + "dns_again_means_nonexist recursion seen for %s (assuming nonexist)", + name); + return dns_fail_return(name, type, dns_expire_from_soa(dnsa, type), DNS_NOMATCH); + } + + try_again_recursion = TRUE; save_domain = deliver_domain; deliver_domain = string_copy(name); /* set $domain */ rc = match_isinlist(name, CUSS &dns_again_means_nonexist, 0, &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL); deliver_domain = save_domain; + try_again_recursion = FALSE; + if (rc != OK) { DEBUG(D_dns) debug_printf("returning DNS_AGAIN\n"); return dns_fail_return(name, type, 0, DNS_AGAIN); } diff --git a/mail/exim/files/debian/75_60-OpenSSL-fix-tls_eccurve-setting-explicit-curve-group.patch b/mail/exim/files/debian/75_60-OpenSSL-fix-tls_eccurve-setting-explicit-curve-group.patch index da05ba9476a8..a34731a4a453 100644 --- a/mail/exim/files/debian/75_60-OpenSSL-fix-tls_eccurve-setting-explicit-curve-group.patch +++ b/mail/exim/files/debian/75_60-OpenSSL-fix-tls_eccurve-setting-explicit-curve-group.patch @@ -1,184 +1,166 @@ From ca4014de81e6aa367aa0a54c49b4c3d4b137814c Mon Sep 17 00:00:00 2001 
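Review bot: The function-static `try_again_recursion` guard is set for the whole duration of match_isinlist(), so it fires for any TRY_AGAIN seen while the dns_again_means_nonexist list is evaluated, including a lookup of a different name (say a dnsdb item in the list), not only a re-lookup of `name`; the panic-log text "recursion seen for %s" then names the inner lookup, which can confuse whoever reads it. That is still a safe outcome (DNS_NOMATCH plus a paniclog), but the comment should say so: `/* Guards against dns_again_means_nonexist itself needing DNS (Bug 2911): any TRY_AGAIN met while the list is evaluated is treated as nonexist and logged, whatever name it was for. */`. Being process-static it also assumes a single-threaded caller, which holds for Exim's forked model but deserves a word. dns_basic_lookup starts and ends outside the hunk.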
From: Jeremy Harris Date: Sun, 1 Jan 2023 12:18:38 +0000 Subject: [PATCH] OpenSSL: fix tls_eccurve setting explicit curve/group. Bug 2954 --- - doc/ChangeLog | 4 +++ src/tls-openssl.c | 39 ++++++++++++++---------- test/confs/2148 | 54 ++++++++++++++++++++++++++++++++++ test/confs/2149 | 39 +++++++++++++----------- test/log/2148 | 48 ++++++++++++++++++++++++++++++ test/log/2149 | 39 ++++++++++++------------ test/paniclog/{2149 => 2148} | 0 test/scripts/2100-OpenSSL/2148 | 50 +++++++++++++++++++++++++++++++ test/scripts/2100-OpenSSL/2149 | 50 ++++++++++++++++--------------- test/stderr/2148 | 5 ++++ test/stderr/2149 | 3 -- 11 files changed, 250 insertions(+), 81 deletions(-) create mode 100644 test/confs/2148 create mode 100644 test/log/2148 rename test/paniclog/{2149 => 2148} (100%) create mode 100644 test/scripts/2100-OpenSSL/2148 create mode 100644 test/stderr/2148 ---- a/doc/ChangeLog -+++ b/doc/ChangeLog -@@ -41,10 +41,14 @@ JH/19 Bug 2911: Fix a recursion in DNS l - included (though probably not limited to) a process crash from stack - memory limit, or from excessive open files. Replace this with a paniclog - whine (as this is likely a configuration error), and returning - DNS_NOMATCH. - -+JH/20 Bug 2954: (OpenSSL) Fix setting of explicit EC curve/group. Previously -+ this always failed, probably leading to the usual downgrade to in-clear -+ connections. -+ - - - Exim version 4.96 - ----------------- - --- a/src/tls-openssl.c +++ b/src/tls-openssl.c 
@@ -657,16 +657,16 @@ if (dh_bitsize <= tls_dh_max_bits) /* EVP_PKEY_free(pkey); crashes */ #endif } else DEBUG(D_tls) - debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n", + debug_printf(" Diffie-Hellman initialized from %s with %d-bit prime\n", dhexpanded ? dhexpanded : US"default", dh_bitsize); } else DEBUG(D_tls) - debug_printf("dhparams '%s' %d bits, is > tls_dh_max_bits limit of %d\n", + debug_printf(" dhparams '%s' %d bits, is > tls_dh_max_bits limit of %d\n", dhexpanded ? dhexpanded : US"default", dh_bitsize, tls_dh_max_bits); #if OPENSSL_VERSION_NUMBER < 0x30000000L DH_free(dh); #endif @@ -712,23 +712,31 @@ init_ecdh(SSL_CTX * sctx, uschar ** errs #ifdef OPENSSL_NO_ECDH return TRUE; #else uschar * exp_curve; -int nid; -BOOL rv; +int nid, rc; # ifndef EXIM_HAVE_ECDH DEBUG(D_tls) - debug_printf("No OpenSSL API to define ECDH parameters, skipping\n"); + debug_printf(" No OpenSSL API to define ECDH parameters, skipping\n"); return TRUE; # else if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr)) return FALSE; + +/* Is the option deliberately empty? */ + if (!exp_curve || !*exp_curve) + { +#if OPENSSL_VERSION_NUMBER >= 0x10002000L + DEBUG(D_tls) debug_printf( " ECDH OpenSSL 1.0.2+: clearing curves list\n"); + (void) SSL_CTX_set1_curves(sctx, &nid, 0); +#endif return TRUE; + } /* "auto" needs to be handled carefully. * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO) 
@@ -737,27 +745,26 @@ if (!exp_curve || !*exp_curve) */ if (Ustrcmp(exp_curve, "auto") == 0) { #if OPENSSL_VERSION_NUMBER < 0x10002000L DEBUG(D_tls) debug_printf( - "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n"); + " ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n"); exp_curve = US"prime256v1"; #else # if defined SSL_CTRL_SET_ECDH_AUTO DEBUG(D_tls) debug_printf( - "ECDH OpenSSL 1.0.2+: temp key parameter settings: autoselection\n"); + " ECDH OpenSSL 1.0.2+: temp key parameter settings: autoselection\n"); SSL_CTX_set_ecdh_auto(sctx, 1); return TRUE; # else DEBUG(D_tls) debug_printf( - "ECDH OpenSSL 1.1.0+: temp key parameter settings: default selection\n"); + " ECDH OpenSSL 1.1.0+: temp key parameter settings: library default selection\n"); return TRUE; # endif #endif } -DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve); if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef # ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef # endif ) 
@@ -777,27 +784,27 @@ if ( (nid = OBJ_sn2nid (CCS exp_c } /* The "tmp" in the name here refers to setting a temporary key not to the stability of the interface. */ - if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0)) + if ((rc = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0)) tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), NULL, NULL, errstr); else - DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve); + DEBUG(D_tls) debug_printf(" ECDH: enabled '%s' curve\n", exp_curve); EC_KEY_free(ecdh); } #else /* v 3.0.0 + */ -if ((rv = SSL_CTX_set1_groups(sctx, &nid, 1)) == 0) +if ((rc = SSL_CTX_set1_groups(sctx, &nid, 1)) == 0) tls_error(string_sprintf("Error enabling '%s' group", exp_curve), NULL, NULL, errstr); else - DEBUG(D_tls) debug_printf("ECDH: enabled '%s' group\n", exp_curve); + DEBUG(D_tls) debug_printf(" ECDH: enabled '%s' group\n", exp_curve); #endif -return !rv; +return !!rc; # endif /*EXIM_HAVE_ECDH*/ #endif /*OPENSSL_NO_ECDH*/ } @@ -1719,19 +1726,19 @@ state_server.lib_state.lib_ctx = ctx; /* Preload DH params and EC curve */ if (opt_unset_or_noexpand(tls_dhparam)) { - DEBUG(D_tls) debug_printf("TLS: preloading DH params for server\n"); + DEBUG(D_tls) debug_printf("TLS: preloading DH params '%s' for server\n", tls_dhparam); if (init_dh(ctx, tls_dhparam, &dummy_errstr)) state_server.lib_state.dh = TRUE; } else DEBUG(D_tls) debug_printf("TLS: not preloading DH params for server\n"); if (opt_unset_or_noexpand(tls_eccurve)) { - DEBUG(D_tls) debug_printf("TLS: preloading ECDH curve for server\n"); + DEBUG(D_tls) debug_printf("TLS: preloading ECDH curve '%s' for server\n", tls_eccurve); if (init_ecdh(ctx, &dummy_errstr)) state_server.lib_state.ecdh = TRUE; } else DEBUG(D_tls) debug_printf("TLS: not preloading ECDH curve for server\n"); 
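Review bot: In the pre-3.0 branch `if ((rc = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))` assigns the result of the `== 0` comparison to rc, because `==` binds tighter than `=`, so rc is 1 when the call failed and 0 when it succeeded; with the new `return !!rc;` init_ecdh now reports TRUE on failure and FALSE on success for OpenSSL < 3.0, the mirror image of the bug being fixed. The 3.0 branch is written correctly as `if ((rc = SSL_CTX_set1_groups(sctx, &nid, 1)) == 0)`; the legacy line should match it: `if ((rc = SSL_CTX_set_tmp_ecdh(sctx, ecdh)) == 0)`. The caller shown later in the hunk feeds this return into `state_server.lib_state.ecdh`, so a wrong value misrecords whether the configured curve was installed, and for an explicit tls_eccurve on a 1.x build that leaves the failure mode the ChangeLog describes (a likely downgrade to cleartext) in place. Separately, the new empty-option branch passes `&nid` while nid is still uninitialised; with a count of 0 it is not read, but `int nid = NID_undef` at the declaration makes that explicit. init_ecdh is shown in full across this hunk and the previous one.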
diff --git a/mail/exim/files/debian/75_64-DANE-do-not-check-dns_again_means_nonexist-for-TLSA-.patch b/mail/exim/files/debian/75_64-DANE-do-not-check-dns_again_means_nonexist-for-TLSA-.patch index 417ffa4eed8c..5d990eddfca6 100644 --- a/mail/exim/files/debian/75_64-DANE-do-not-check-dns_again_means_nonexist-for-TLSA-.patch +++ b/mail/exim/files/debian/75_64-DANE-do-not-check-dns_again_means_nonexist-for-TLSA-.patch @@ -1,96 +1,78 @@ From 30520c8f87fcf660ed99a2344cae7f9787f7bc89 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Thu, 5 Jan 2023 18:39:51 +0000 Subject: [PATCH 3/3] DANE: do not check dns_again_means_nonexist for TLSA results of TRY_AGAIN --- - doc/doc-docbook/spec.xfpt | 7 ++++++- - doc/ChangeLog | 4 ++++ src/dns.c | 35 ++++++++++++++++++++++------------- + doc/doc-docbook/spec.xfpt | 7 ++++++- 3 files changed, 32 insertions(+), 14 deletions(-) ---- a/doc/ChangeLog -+++ b/doc/ChangeLog -@@ -46,10 +46,14 @@ JH/19 Bug 2911: Fix a recursion in DNS l - JH/20 Bug 2954: (OpenSSL) Fix setting of explicit EC curve/group. Previously - this always failed, probably leading to the usual downgrade to in-clear - connections. - - -+JH/20 Fix TLSA lookups. Previously dns_again_means_nonexist would affect -+ SERVFAIL results, which breaks the downgrade resistance of DANE. Change -+ to not checking that list for these looks. -+ - - Exim version 4.96 - ----------------- - - JH/01 Move the wait-for-next-tick (needed for unique message IDs) from --- a/src/dns.c +++ b/src/dns.c 
@@ -904,25 +904,34 @@ if (dnsa->answerlen < 0) switch (h_errno DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave TRY_AGAIN\n", name, dns_text_type(type)); /* Cut this out for various test programs */ #ifndef STAND_ALONE - if (try_again_recursion) + /* Permitting dns_again_means nonexist for TLSA lookups breaks the + doewngrade resistance of dane, so avoid for those. */ + + if (type == T_TLSA) + rc = FAIL; + else { - log_write(0, LOG_MAIN|LOG_PANIC, - "dns_again_means_nonexist recursion seen for %s (assuming nonexist)", - name); - return dns_fail_return(name, type, dns_expire_from_soa(dnsa, type), DNS_NOMATCH); - } + if (try_again_recursion) + { + log_write(0, LOG_MAIN|LOG_PANIC, + "dns_again_means_nonexist recursion seen for %s" + " (assuming nonexist)", name); + return dns_fail_return(name, type, dns_expire_from_soa(dnsa, type), + DNS_NOMATCH); + } - try_again_recursion = TRUE; - save_domain = deliver_domain; - deliver_domain = string_copy(name); /* set $domain */ - rc = match_isinlist(name, CUSS &dns_again_means_nonexist, 0, - &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL); - deliver_domain = save_domain; - try_again_recursion = FALSE; + try_again_recursion = TRUE; + save_domain = deliver_domain; + deliver_domain = string_copy(name); /* set $domain */ + rc = match_isinlist(name, CUSS &dns_again_means_nonexist, 0, + &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL); + deliver_domain = save_domain; + try_again_recursion = FALSE; + } if (rc != OK) { DEBUG(D_dns) debug_printf("returning DNS_AGAIN\n"); return dns_fail_return(name, type, 0, DNS_AGAIN); --- a/doc/spec.txt +++ b/doc/spec.txt 
@@ -14246,11 +14246,13 @@ dns_again_means_nonexist, it is treated should be used with care. You can make it apply to reverse lookups by a setting such as this: dns_again_means_nonexist = *.in-addr.arpa -This option applies to all DNS lookups that Exim does. It also applies when the +This option applies to all DNS lookups that Exim does, except for TLSA lookups +(where knowing about such failures +is security-relevant). It also applies +when the gethostbyname() or getipnodebyname() functions give temporary errors, since these are most likely to be caused by DNS lookup problems. The dnslookup router has some options of its own for controlling what happens when lookups for MX or SRV records give temporary errors. These more specific options are applied after this global option. diff --git a/mail/exim/files/debian/75_66-Fix-crash-in-expansions.patch b/mail/exim/files/debian/75_66-Fix-crash-in-expansions.patch index d776c8edf393..d65891fd9dbe 100644 --- a/mail/exim/files/debian/75_66-Fix-crash-in-expansions.patch +++ b/mail/exim/files/debian/75_66-Fix-crash-in-expansions.patch @@ -1,84 +1,66 @@ From 70069b65a39a7ba73a36fbd95371ff03cde1eb23 Mon Sep 17 00:00:00 2001 
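Review bot: The comment on the new T_TLSA special case has typos (`dns_again_means nonexist`, `doewngrade`) and does not name the threat, which matters because this is the one place the option is deliberately ignored for security. I'd write: `/* Never apply dns_again_means_nonexist to TLSA lookups: treating a SERVFAIL or timeout as "no TLSA records" would let whoever can induce DNS failures strip DANE and downgrade to unauthenticated delivery, so a TRY_AGAIN here stays DNS_AGAIN. */`. The new spec.txt sentence could likewise give the reason ("because treating a temporary failure as non-existence would defeat DANE's downgrade protection") rather than the bare "is security-relevant". dns_basic_lookup starts and ends outside the hunk.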
From: Jeremy Harris Date: Thu, 2 Feb 2023 20:00:35 +0000 Subject: [PATCH] Fix crash in expansions Broken-by: 1058096b8c53 --- - doc/ChangeLog | 4 ++++ src/expand.c | 9 +++++---- test/stderr/0630 | 1 + 3 files changed, 10 insertions(+), 4 deletions(-) ---- a/doc/ChangeLog -+++ b/doc/ChangeLog -@@ -50,10 +50,14 @@ JH/20 Bug 2954: (OpenSSL) Fix setting of - - JH/20 Fix TLSA lookups. Previously dns_again_means_nonexist would affect - SERVFAIL results, which breaks the downgrade resistance of DANE. Change - to not checking that list for these looks. - -+JH/23 Fix crash in string expansions. Previously, if an empty variable was -+ immediately followed by an expansion operator, a null-indirection read -+ was done, killing the process. -+ - - Exim version 4.96 - ----------------- - - JH/01 Move the wait-for-next-tick (needed for unique message IDs) from --- a/src/expand.c +++ b/src/expand.c @@ -4652,11 +4652,11 @@ while (*s) yield = string_catn(yield, value, len); continue; } - if (isdigit(*s)) + if (isdigit(*s)) /* A $ variable */ { int n; s = read_cnumber(&n, s); if (n >= 0 && n <= expand_nmax) yield = string_catn(yield, expand_nstring[n], expand_nlength[n]); @@ -7060,10 +7060,11 @@ NOT_ITEM: ; if (arg) *arg++ = '_'; /* Put back for error messages */ } /* Deal specially with operators that might take a certificate variable as we do not want to do the usual expansion. For most, expand the string.*/ + switch(c) { #ifndef DISABLE_TLS case EOP_MD5: case EOP_SHA1: @@ -7107,11 +7108,11 @@ NOT_ITEM: ; /* Otherwise, switch on the operator type. After handling go back to the main loop top. */ { - int start = yield->ptr; + unsigned expansion_start = gstring_length(yield); switch(c) { case EOP_BASE32: { uschar *t; 
@@ -8168,12 +8169,12 @@ NOT_ITEM: ; goto EXPAND_FAILED; } /* EOP_* switch */ DEBUG(D_expand) { - const uschar * s = yield->s + start; - int i = yield->ptr - start; + const uschar * s = yield->s + expansion_start; + int i = gstring_length(yield) - expansion_start; BOOL tainted = is_tainted(s); DEBUG(D_noutf8) { debug_printf_indent("|-----op-res: %.*s\n", i, s);