opendkim: support OpenSSL 1.1 with/without deprecated APIs

This patch enables support of OpenSSL 1.1+ with and without deprecated OpenSSL APIs. Signed-off-by: Val Kulkov <val.kulkov@gmail.com>
2018-12-21 02:15:19 -05:00 · 2018-12-21 02:15:19 -05:00 · 5f08e7b75b
commit 5f08e7b75b
parent 5a978f2270
3 changed files with 203 additions and 91 deletions
--- a/mail/opendkim/Makefile
+++ b/mail/opendkim/Makefile
@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=opendkim
 PKG_VERSION:=2.10.3
-PKG_RELEASE:=2
+PKG_RELEASE:=3

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=@SF/$(PKG_NAME)
--- a/mail/opendkim/patches/010-openssl_1.1.0_compat.patch
+++ b/mail/opendkim/patches/010-openssl_1.1.0_compat.patch
@ -1,90 +0,0 @@
-Description: Build and work with either openssl 1.0.2 or 1.1.0
-   * Add patch to build with either openssl 1.0.2 or 1.1.0 (Closes: #828466)
-     - Thanks to Sebastian Andrzej Siewior for the patch
-Author: Sebastian Andrzej Siewior
-Bug-Debian: http://bugs.debian.org/828466
-Origin: vendor
-Forwarded: no
-Reviewed-By: Scott Kitterman <scott@kitterman.com>
-Last-Update: <YYYY-MM-DD>
-
--- opendkim-2.11.0~alpha.orig/configure.ac
-+++ opendkim-2.11.0~alpha/configure.ac
-@@ -864,26 +864,28 @@ then
- 	AC_SEARCH_LIBS([ERR_peek_error], [crypto], ,
- 	               AC_MSG_ERROR([libcrypto not found]))
- 
-	AC_SEARCH_LIBS([SSL_library_init], [ssl], ,
-		[
-			if test x"$enable_shared" = x"yes"
-			then
-				AC_MSG_ERROR([Cannot build shared opendkim
-				              against static openssl libraries.
-				              Configure with --disable-shared
-				              to get this working or obtain a
-				              shared libssl library for
-				              opendkim to use.])
-			fi
- 
-			# avoid caching issue - last result of SSL_library_init
-			# shouldn't be cached for this next check
-			unset ac_cv_search_SSL_library_init
-			LIBCRYPTO_LIBS="$LIBCRYPTO_LIBS -ldl"
-			AC_SEARCH_LIBS([SSL_library_init], [ssl], ,
-			               AC_MSG_ERROR([libssl not found]), [-ldl])
-		]
-	)
-+	AC_LINK_IFELSE(
-+		       [AC_LANG_PROGRAM([[#include <openssl/ssl.h>]],
-+					[[SSL_library_init();]])],
-+					[od_have_ossl="yes";],
-+					[od_have_ossl="no";])
-+	if test x"$od_have_ossl" = x"no"
-+	then
-+		if test x"$enable_shared" = x"yes"
-+		then
-+			AC_MSG_ERROR([Cannot build shared opendkim
-+			              against static openssl libraries.
-+			              Configure with --disable-shared
-+			              to get this working or obtain a
-+			              shared libssl library for
-+			              opendkim to use.])
-+		fi
-+
-+		LIBCRYPTO_LIBS="$LIBCRYPTO_LIBS -ldl"
-+		AC_SEARCH_LIBS([SSL_library_init], [ssl], ,
-+		               AC_MSG_ERROR([libssl not found]), [-ldl])
-+	fi
- 
- 	AC_CHECK_DECL([SHA256_DIGEST_LENGTH],
-                       AC_DEFINE([HAVE_SHA256], 1,
--- opendkim-2.11.0~alpha.orig/opendkim/opendkim-crypto.c
-+++ opendkim-2.11.0~alpha/opendkim/opendkim-crypto.c
-@@ -222,7 +222,11 @@ dkimf_crypto_free_id(void *ptr)
- 	{
- 		assert(pthread_setspecific(id_key, ptr) == 0);
- 
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000
-+		OPENSSL_thread_stop();
-+#else
- 		ERR_remove_state(0);
-+#endif
- 
- 		free(ptr);
- 
-@@ -392,11 +396,15 @@ dkimf_crypto_free(void)
- {
- 	if (crypto_init_done)
- 	{
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000
-+		OPENSSL_thread_stop();
-+#else
- 		CRYPTO_cleanup_all_ex_data();
- 		CONF_modules_free();
- 		EVP_cleanup();
- 		ERR_free_strings();
- 		ERR_remove_state(0);
-+#endif
- 
- 		if (nmutexes > 0)
- 		{
--- a/mail/opendkim/patches/010-openssl_1.1_compat.patch
+++ b/mail/opendkim/patches/010-openssl_1.1_compat.patch
@ -0,0 +1,202 @@
+This patch has been tested with OpenSSL 1.0.2q, 1.1.0j and 1.1.1a
+with and without support for deprecated OpenSSL APIs.
+
+--- a/configure.ac
+++ b/configure.ac
+@@ -860,26 +860,10 @@ then
+ 	AC_SEARCH_LIBS([ERR_peek_error], [crypto], ,
+ 	               AC_MSG_ERROR([libcrypto not found]))
+ 
+-	AC_SEARCH_LIBS([SSL_library_init], [ssl], ,
+-		[
+-			if test x"$enable_shared" = x"yes"
+-			then
+-				AC_MSG_ERROR([Cannot build shared opendkim
+-				              against static openssl libraries.
+-				              Configure with --disable-shared
+-				              to get this working or obtain a
+-				              shared libssl library for
+-				              opendkim to use.])
+-			fi
+-
+-			# avoid caching issue - last result of SSL_library_init
+-			# shouldn't be cached for this next check
+-			unset ac_cv_search_SSL_library_init
+-			LIBCRYPTO_LIBS="$LIBCRYPTO_LIBS -ldl"
+-			AC_SEARCH_LIBS([SSL_library_init], [ssl], ,
+-			               AC_MSG_ERROR([libssl not found]), [-ldl])
+-		]
+-	)
+	od_have_ossl="no"
+	AC_CHECK_LIB(ssl, OPENSSL_init_ssl, [od_have_ossl="yes"])
+	AC_CHECK_LIB(ssl, SSL_library_init, [od_have_ossl="yes"])
+	AS_IF([test "x$od_have_ossl" = xno], [AC_MSG_ERROR([libssl not found])])
+ 
+ 	AC_CHECK_DECL([SHA256_DIGEST_LENGTH],
+                       AC_DEFINE([HAVE_SHA256], 1,
+--- a/opendkim/opendkim-crypto.c
+++ b/opendkim/opendkim-crypto.c
+@@ -139,6 +139,7 @@ static unsigned int nmutexes = 0;
+ static unsigned long threadid = 0L;
+ static pthread_mutex_t *mutexes = NULL;
+ 
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+ /*
+ **  DKIMF_CRYPTO_LOCK_CALLBACK -- locking callback for libcrypto
+ **
+@@ -166,6 +167,7 @@ dkimf_crypto_lock_callback(int mode, int
+ 
+ 	assert(status == 0);
+ }
+#endif
+ 
+ /*
+ **  DKIMF_CRYPTO_GET_ID -- generate/retrieve thread ID
+@@ -208,21 +210,15 @@ dkimf_crypto_get_id(void)
+ static void
+ dkimf_crypto_free_id(void *ptr)
+ {
+-	/*
+-	**  Trick dkimf_crypto_get_id(); the thread-specific pointer has
+-	**  already been cleared at this point, but dkimf_crypto_get_id()
+-	**  may be called by ERR_remove_state() which will then allocate a
+-	**  new thread pointer if the thread-specific pointer is NULL.  This
+-	**  means a memory leak of thread IDs and, on Solaris, an infinite loop
+-	**  because the destructor (indirectly) re-sets the thread-specific
+-	**  pointer to something not NULL.  See pthread_key_create(3).
+-	*/
+-
+ 	if (ptr != NULL)
+ 	{
+ 		assert(pthread_setspecific(id_key, ptr) == 0);
+ 
+-		ERR_remove_state(0);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+		OPENSSL_thread_stop();
+#else
+		ERR_remove_thread_state(NULL);
+#endif
+ 
+ 		free(ptr);
+ 
+@@ -300,6 +296,7 @@ dkimf_crypto_dyn_destroy(struct CRYPTO_d
+ **  	None.
+ */
+ 
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+ static void
+ dkimf_crypto_dyn_lock(int mode, struct CRYPTO_dynlock_value *lock,
+                       /* UNUSED */ const char *file,
+@@ -316,6 +313,7 @@ dkimf_crypto_dyn_lock(int mode, struct C
+ 
+ 	assert(status == 0);
+ }
+#endif
+ 
+ /*
+ **  DKIMF_CRYPTO_INIT -- set up openssl dependencies
+@@ -335,7 +333,12 @@ dkimf_crypto_init(void)
+ 	int n;
+ 	int status;
+ 
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+ 	n = CRYPTO_num_locks();
+#else
+	// see openssl/crypto.h for more details
+	n = 1;
+#endif
+ 	mutexes = (pthread_mutex_t *) malloc(n * sizeof(pthread_mutex_t));
+ 	if (mutexes == NULL)
+ 		return errno;
+@@ -357,15 +360,22 @@ dkimf_crypto_init(void)
+ 	if (status != 0)
+ 		return status;
+ 
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+ 	SSL_load_error_strings();
+ 	SSL_library_init();
+ 	ERR_load_crypto_strings();
+#else
+	OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
+	OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
+#endif
+ 
+#if OPENSSL_VERSION_NUMBER < 0x10000000
+ 	CRYPTO_set_id_callback(&dkimf_crypto_get_id);
+ 	CRYPTO_set_locking_callback(&dkimf_crypto_lock_callback);
+ 	CRYPTO_set_dynlock_create_callback(&dkimf_crypto_dyn_create);
+ 	CRYPTO_set_dynlock_lock_callback(&dkimf_crypto_dyn_lock);
+ 	CRYPTO_set_dynlock_destroy_callback(&dkimf_crypto_dyn_destroy);
+#endif
+ 
+ #ifdef USE_OPENSSL_ENGINE
+ 	if (!SSL_set_engine(NULL))
+@@ -392,11 +402,15 @@ dkimf_crypto_free(void)
+ {
+ 	if (crypto_init_done)
+ 	{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+		OPENSSL_thread_stop();
+#else
+ 		CRYPTO_cleanup_all_ex_data();
+ 		CONF_modules_free();
+ 		EVP_cleanup();
+ 		ERR_free_strings();
+-		ERR_remove_state(0);
+		ERR_remove_thread_state(NULL);
+#endif
+ 
+ 		if (nmutexes > 0)
+ 		{
+--- a/libopendkim/dkim.c
+++ b/libopendkim/dkim.c
+@@ -4195,8 +4195,10 @@ dkim_init_openssl(void)
+ {
+ 	pthread_mutex_lock(&openssl_lock);
+ 
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+ 	if (openssl_refcount == 0)
+ 		OpenSSL_add_all_algorithms();
+#endif
+ 	openssl_refcount++;
+ 
+ 	pthread_mutex_unlock(&openssl_lock);
+@@ -4220,8 +4222,10 @@ dkim_close_openssl(void)
+ 	pthread_mutex_lock(&openssl_lock);
+ 
+ 	openssl_refcount--;
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+ 	if (openssl_refcount == 0)
+ 		EVP_cleanup();
+#endif
+ 
+ 	pthread_mutex_unlock(&openssl_lock);
+ }
+--- a/opendkim/opendkim-testkey.c
+++ b/opendkim/opendkim-testkey.c
+@@ -452,7 +452,11 @@ main(int argc, char **argv)
+ 	memset(err, '\0', sizeof err);
+ 
+ #ifndef USE_GNUTLS
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+ 	ERR_load_crypto_strings();
+#else
+	OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
+#endif
+ #endif /* ! USE_GNUTLS */
+ 
+ 	/* process a KeyTable if specified and not overridden */
+--- a/opendkim/opendkim.c
+++ b/opendkim/opendkim.c
+@@ -15540,7 +15540,11 @@ main(int argc, char **argv)
+ 			printf("\tCompiled with GnuTLS %s\n", GNUTLS_VERSION);
+ #else /* USE_GNUTLS */
+ 			printf("\tCompiled with %s\n",
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+ 			       SSLeay_version(SSLEAY_VERSION));
+#else
+			       OpenSSL_version(OPENSSL_VERSION));
+#endif
+ #endif /* USE_GNUTLS */
+ 			printf("\tSMFI_VERSION 0x%x\n", SMFI_VERSION);
+ #ifdef HAVE_SMFI_VERSION