commit 6b6e74833a94d0f73f374befadbb2e1a7bbc81d8 Author: Jacob Welsh AuthorDate: Sat Nov 5 21:21:14 2022 +0000 Commit: Jacob Welsh CommitDate: Sat Nov 5 21:47:26 2022 +0000 Type: mixed fixups from partial config.h readthrough Import clarifying comments from configure.ac and elsewhere. CRYPT_USE_XPG6 isn't actually needed - the probe was only for non-breakage. Remove options for pretend OpenSSL APIs: ASN1_STRING_get0_data ECDSA_SIG_get0 ECDSA_SIG_set0 (adding missing null pointer checks) EC_GROUP_order_bits EVP_MD_CTX_new Remove option for lacking the well established OpenSSL API: RSA_generate_key_ex. The older RSA_generate_key is inferior because it demands the exponent as a machine integer rather than bignum. Reformat hard-wrapped comment lines. Remove broken mremap() feature test macro usage which exploited private glibc internals. Update webpage link. (They can keep the bugreport email address since they love email so much.) Add GCC-specific endian detection: best we can do short of implementing a runtime check. Remove other unused definitions (HAVE_GNUTLS escaped the bulk pruning because it was referenced for the feature listing in master/main.c). diff --git a/config.h b/config.h index acb23c61d3..de4d7bd1ab 100644 --- a/config.h +++ b/config.h @@ -27,14 +27,14 @@ /* Lua support is builtin */ /* #undef BUILTIN_LUA */ -/* IMAP capabilities advertised in banner */ +/* IMAP capabilities advertised in banner. (IDLE doesn't really belong to banner. It's there just to make Blackberries happy, because otherwise BIS server disables push email.) */ #define CAPABILITY_BANNER_STRING "IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE" /* IMAP capabilities */ #define CAPABILITY_STRING "IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY PREVIEW STATUS=SIZE SAVEDATE" /* Define if _XPG6 macro is needed for crypt() */ -#define CRYPT_USE_XPG6 /**/ +/* #undef CRYPT_USE_XPG6 */ /* Build with extra debugging checks */ /* #undef DEBUG */ @@ -66,9 +66,6 @@ /* How to define flexible array members in structs */ #define FLEXIBLE_ARRAY_MEMBER -/* Build with ASN1_STRING_get0_data() support */ -/* #undef HAVE_ASN1_STRING_GET0_DATA */ - /* Define to 1 if you have the `backtrace_symbols' function. */ /* #undef HAVE_BACKTRACE_SYMBOLS */ @@ -114,18 +111,6 @@ /* Define to 1 if you have the `dirfd' function. */ #define HAVE_DIRFD 1 -/* Build with ECDSA_SIG_get0 support */ -/* #undef HAVE_ECDSA_SIG_GET0 */ - -/* Build with ECDSA_SIG_set0 support */ -/* #undef HAVE_ECDSA_SIG_SET0 */ - -/* Build with EC_GROUP_order_bits support */ -/* #undef HAVE_EC_GROUP_order_bits */ - -/* Build with EVP_MD_CTX_new() support */ -/* #undef HAVE_EVP_MD_CTX_NEW */ - /* Build with EVP_PKEY_get0_*() support */ /* #undef HAVE_EVP_PKEY_get0 */ @@ -159,7 +144,7 @@ /* Define if you want stemming support for FTS */ /* #undef HAVE_FTS_STEMMER */ -/* Define to 1 if you have the `getmntinfo' function. */ +/* Define to 1 if you have the `getmntinfo' function (BSDs). */ /* #undef HAVE_GETMNTINFO */ /* Define to 1 if you have the `getpagesize' function. */ @@ -168,7 +153,7 @@ /* Define to 1 if you have the `getpeereid' function. */ /* #undef HAVE_GETPEEREID */ -/* Define to 1 if you have the `getpeerucred' function. */ +/* Define to 1 if you have the `getpeerucred' function (Solaris). */ /* #undef HAVE_GETPEERUCRED */ /* Define to 1 if you have the `glob' function. */ @@ -177,9 +162,6 @@ /* Define to 1 if you have the header file. */ #define HAVE_GLOB_H 1 -/* Build with GNUTLS support */ -/* #undef HAVE_GNUTLS */ - /* Build with GSSAPI support */ /* #undef HAVE_GSSAPI */ @@ -201,8 +183,7 @@ /* GSSAPI supports SPNEGO */ /* #undef HAVE_GSSAPI_SPNEGO */ -/* Define to 1 if you have the `gsskrb5_register_acceptor_identity' function. - */ +/* Define to 1 if you have the `gsskrb5_register_acceptor_identity' function. */ /* #undef HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY */ /* Build with HMAC_CTX_new() support */ @@ -217,8 +198,7 @@ /* Define to 1 if you have the header file. */ /* #undef HAVE_JFS_QUOTA_H */ -/* Define to 1 if you have the `krb5_gss_register_acceptor_identity' function. - */ +/* Define to 1 if you have the `krb5_gss_register_acceptor_identity' function. */ /* #undef HAVE_KRB5_GSS_REGISTER_ACCEPTOR_IDENTITY */ /* libcap is installed for cap_init() */ @@ -252,7 +232,7 @@ #define HAVE_LINUX_FALLOC_H 1 /* Define if you have Linux-compatible mremap() */ -/* #undef HAVE_LINUX_MREMAP */ +#define HAVE_LINUX_MREMAP /**/ /* Define if you have Linux-compatible sendfile() */ #define HAVE_LINUX_SENDFILE /**/ @@ -311,8 +291,7 @@ /* Define if your MySQL library supports setting cipher */ /* #undef HAVE_MYSQL_SSL_CIPHER */ -/* Defineif your MySQL library supports verifying the name in the SSL - certificate */ +/* Define if your MySQL library supports verifying the name in the SSL certificate */ /* #undef HAVE_MYSQL_SSL_VERIFY_SERVER_CERT */ /* Build with OBJ_length() support */ @@ -375,9 +354,6 @@ /* Define if you wish to retrieve quota of NFS mounted mailboxes */ /* #undef HAVE_RQUOTA */ -/* Build with RSA_generate_key_ex() support */ -/* #undef HAVE_RSA_GENERATE_KEY_EX */ - /* Build with RSA_set0_crt_params support */ /* #undef HAVE_RSA_SET0_CRT_PARAMS */ @@ -658,7 +634,7 @@ #define PACKAGE_VERSION "2.3.19.1" /* Support URL */ -#define PACKAGE_WEBPAGE "http://www.dovecot.org/" +#define PACKAGE_WEBPAGE "http://jwrd.net/" /* Build with BSD authentication support */ /* #undef PASSDB_BSDAUTH */ @@ -774,16 +750,11 @@ /* Version number of package */ #define VERSION "2.3.19.1" -/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most - significant byte first (like Motorola and SPARC, unlike Intel). */ -#if defined AC_APPLE_UNIVERSAL_BUILD -# if defined __BIG_ENDIAN__ -# define WORDS_BIGENDIAN 1 -# endif -#else -# ifndef WORDS_BIGENDIAN -/* # undef WORDS_BIGENDIAN */ -# endif +/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most significant byte first (like Motorola and SPARC, unlike Intel). (__BYTE_ORDER__ is a GNU C extension.) */ +#ifndef __BYTE_ORDER__ +# error Unknown endianness +#elif __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ +# define WORDS_BIGENDIAN 1 #endif /* Number of bits in a file offset, on hosts where this is settable. */ @@ -791,15 +762,3 @@ /* Define for large files, on AIX-style hosts. */ /* #undef _LARGE_FILES */ - -/* Define to `__inline__' or `__inline' if that's what the C compiler - calls it, or to nothing if 'inline' is not supported under any name. */ -#ifndef __cplusplus -/* #undef inline */ -#endif - -/* Define to 'unsigned int' if you don't have it */ -/* #undef size_t */ - -/* Define to 'int' if you don't have it */ -/* #undef ssize_t */ diff --git a/src/lib-dcrypt/dcrypt-openssl.c b/src/lib-dcrypt/dcrypt-openssl.c index 1cbe352541..1a13eb5de5 100644 --- a/src/lib-dcrypt/dcrypt-openssl.c +++ b/src/lib-dcrypt/dcrypt-openssl.c @@ -82,11 +82,6 @@ #define OBJ_length(o) ((o)->length) #endif -#ifndef HAVE_EVP_MD_CTX_NEW -# define EVP_MD_CTX_new() EVP_MD_CTX_create() -# define EVP_MD_CTX_free(ctx) EVP_MD_CTX_destroy(ctx) -#endif - #ifndef HAVE_HMAC_CTX_NEW # define HMAC_Init_ex(ctx, key, key_len, md, impl) \ HMAC_Init_ex(&(ctx), key, key_len, md, impl) @@ -184,18 +179,6 @@ dcrypt_openssl_key_string_get_info(const char *key_data, const char **encryption_key_hash_r, const char **key_hash_r, const char **error_r); -#ifndef HAVE_EC_GROUP_order_bits -static int EC_GROUP_order_bits(const EC_GROUP *grp) -{ - int bits; - BIGNUM *bn = BN_new(); - (void)EC_GROUP_get_order(grp, bn, NULL); - bits = BN_num_bits(bn); - BN_free(bn); - return bits; -} -#endif - static bool dcrypt_openssl_error(const char **error_r) { unsigned long ec; @@ -3055,7 +3038,7 @@ dcrypt_openssl_public_key_id_evp(EVP_PKEY *key, long len = BIO_get_mem_data(b, &ptr); unsigned int hlen = sizeof(buf); /* then hash it */ - EVP_MD_CTX *ctx = EVP_MD_CTX_new(); + EVP_MD_CTX *ctx = EVP_MD_CTX_create(); if (ctx == NULL || EVP_DigestInit_ex(ctx, md, NULL) < 1 || EVP_DigestUpdate(ctx, (const unsigned char*)ptr, len) < 1 || @@ -3065,7 +3048,7 @@ dcrypt_openssl_public_key_id_evp(EVP_PKEY *key, buffer_append(result, buf, hlen); res = TRUE; } - EVP_MD_CTX_free(ctx); + EVP_MD_CTX_destroy(ctx); BIO_vfree(b); return res; @@ -3125,35 +3108,10 @@ dcrypt_openssl_digest(const char *algorithm, const void *data, size_t data_len, } else { ret = TRUE; } - EVP_MD_CTX_free(mdctx); + EVP_MD_CTX_destroy(mdctx); return ret; } -#ifndef HAVE_ECDSA_SIG_GET0 -static void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) -{ - i_assert(sig != NULL); - *pr = sig->r; - *ps = sig->s; -} -#endif -#ifndef HAVE_ECDSA_SIG_SET0 -static int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) -{ - if (sig == NULL || r == NULL || s == NULL) { - ECDSAerr(0, ERR_R_PASSED_NULL_PARAMETER); - return 0; - } - - BN_free(sig->r); - sig->r = r; - BN_free(sig->s); - sig->s = s; - - return 1; -} -#endif - static bool dcrypt_openssl_sign_ecdsa(struct dcrypt_private_key *key, const char *algorithm, const void *data, size_t data_len, buffer_t *signature_r, @@ -3162,7 +3120,16 @@ dcrypt_openssl_sign_ecdsa(struct dcrypt_private_key *key, const char *algorithm, EVP_PKEY *pkey = key->key; EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(pkey); bool ret; - int rs_len = EC_GROUP_order_bits(EC_KEY_get0_group(ec_key)) / 8; + + int rs_len; + { + EC_GROUP *grp = EC_KEY_get0_group(ec_key); + BIGNUM *bn = BN_new(); + if (!bn || !EC_GROUP_get_order(grp, bn, NULL)) + return dcrypt_openssl_error(error_r); + rs_len = BN_num_bits(bn) / 8; + BN_free(bn); + } /* digest data */ buffer_t *digest = t_buffer_create(64); @@ -3175,10 +3142,8 @@ dcrypt_openssl_sign_ecdsa(struct dcrypt_private_key *key, const char *algorithm, return dcrypt_openssl_error(error_r); /* export signature */ - const BIGNUM *r; - const BIGNUM *s; - - ECDSA_SIG_get0(ec_sig, &r, &s); + const BIGNUM *r = sig->r; + const BIGNUM *s = sig->s; int r_len = BN_num_bytes(r); i_assert(rs_len >= r_len); @@ -3288,6 +3253,8 @@ dcrypt_openssl_verify_ecdsa(struct dcrypt_public_key *key, const char *algorithm BIGNUM *r = BN_new(); BIGNUM *s = BN_new(); + if (!r || !s) + return dcrypt_openssl_error(error_r); /* attempt to decode BIGNUMs */ if (BN_bin2bn(signature, signature_len / 2, r) == NULL) { BN_free(r); @@ -3304,7 +3271,12 @@ dcrypt_openssl_verify_ecdsa(struct dcrypt_public_key *key, const char *algorithm /* reconstruct signature */ ECDSA_SIG *ec_sig = ECDSA_SIG_new(); - ECDSA_SIG_set0(ec_sig, r, s); + if (!ec_sig) + return dcrypt_openssl_error(error_r); + BN_free(ec_sig->r); + BN_free(ec_sig->s); + ec_sig->r = r; + ec_sig->s = s; /* verify it */ ec = ECDSA_do_verify(digest->data, digest->used, ec_sig, ec_key); diff --git a/src/lib-ssl-iostream/iostream-openssl-common.c b/src/lib-ssl-iostream/iostream-openssl-common.c index 04dc5eaa17..426fe6512b 100644 --- a/src/lib-ssl-iostream/iostream-openssl-common.c +++ b/src/lib-ssl-iostream/iostream-openssl-common.c @@ -68,7 +68,7 @@ static const char *asn1_string_to_c(ASN1_STRING *asn_str) unsigned int len; len = ASN1_STRING_length(asn_str); - cstr = t_strndup(ASN1_STRING_get0_data(asn_str), len); + cstr = t_strndup(ASN1_STRING_data(asn_str), len); if (strlen(cstr) != len) { /* NULs in the name - could be some MITM attack. never allow. */ @@ -89,7 +89,7 @@ static int get_general_ip_addr(const GENERAL_NAME *name, struct ip_addr *ip_r) { if (ASN1_STRING_type(name->d.ip) != V_ASN1_OCTET_STRING) return 0; - const unsigned char *data = ASN1_STRING_get0_data(name->d.ip); + const unsigned char *data = ASN1_STRING_data(name->d.ip); if (name->d.ip->length == sizeof(ip_r->u.ip4.s_addr)) { ip_r->family = AF_INET; diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c index fe9b05956e..38c556d69f 100644 --- a/src/lib-ssl-iostream/iostream-openssl-context.c +++ b/src/lib-ssl-iostream/iostream-openssl-context.c @@ -29,7 +29,6 @@ int dovecot_ssl_extdata_index; static RSA *ssl_gen_rsa_key(SSL *ssl ATTR_UNUSED, int is_export ATTR_UNUSED, int keylength) { -#ifdef HAVE_RSA_GENERATE_KEY_EX BIGNUM *bn = BN_new(); RSA *rsa = RSA_new(); @@ -44,9 +43,6 @@ static RSA *ssl_gen_rsa_key(SSL *ssl ATTR_UNUSED, if (rsa != NULL) RSA_free(rsa); return NULL; -#else - return RSA_generate_key(keylength, RSA_F4, NULL, NULL); -#endif } static DH *ssl_tmp_dh_callback(SSL *ssl ATTR_UNUSED, diff --git a/src/lib-ssl-iostream/iostream-openssl.h b/src/lib-ssl-iostream/iostream-openssl.h index 4449668050..3b322205e3 100644 --- a/src/lib-ssl-iostream/iostream-openssl.h +++ b/src/lib-ssl-iostream/iostream-openssl.h @@ -5,9 +5,6 @@ #include -#ifndef HAVE_ASN1_STRING_GET0_DATA -# define ASN1_STRING_get0_data(str) ASN1_STRING_data(str) -#endif enum openssl_iostream_sync_type { OPENSSL_IOSTREAM_SYNC_TYPE_NONE, OPENSSL_IOSTREAM_SYNC_TYPE_FIRST_READ, diff --git a/src/lib/file-cache.c b/src/lib/file-cache.c index 008021e33a..261f866a0d 100644 --- a/src/lib/file-cache.c +++ b/src/lib/file-cache.c @@ -88,7 +88,7 @@ int file_cache_set_size(struct file_cache *cache, uoff_t size) } } else { new_base = mremap_anon(cache->mmap_base, cache->mmap_length, - size, MREMAP_MAYMOVE); + size, MREMAP_ANON_MAYMOVE); if (new_base == MAP_FAILED) { i_error("mremap_anon(%s, %"PRIuUOFF_T") failed: %m", cache->path, size); diff --git a/src/lib/mmap-anon.c b/src/lib/mmap-anon.c index fbb2c47f4c..973be2e36d 100644 --- a/src/lib/mmap-anon.c +++ b/src/lib/mmap-anon.c @@ -2,6 +2,8 @@ /* @UNSAFE: whole file */ +#define _GNU_SOURCE /* for mremap, MREMAP_MAYMOVE */ + #include "lib.h" #include "mmap-util.h" @@ -123,7 +125,7 @@ void *mremap_anon(void *old_address, size_t old_size ATTR_UNUSED, if (new_size > hdr->size) { /* grow */ - if ((flags & MREMAP_MAYMOVE) == 0) { + if ((flags & MREMAP_ANON_MAYMOVE) == 0) { errno = ENOMEM; return MAP_FAILED; } @@ -172,7 +174,11 @@ void *mmap_anon(size_t length) void *mremap_anon(void *old_address, size_t old_size, size_t new_size, unsigned long flags) { - return mremap(old_address, old_size, new_size, flags); + int new_flags = 0; + /* MREMAP_MAYMOVE is unportable and forces proliferation of _GNU_SOURCE, so we expose instead our own fixed one and translate here. */ + if (flags & MREMAP_ANON_MAYMOVE) + new_flags |= MREMAP_MAYMOVE; + return mremap(old_address, old_size, new_size, new_flags); } int munmap_anon(void *start, size_t length) diff --git a/src/lib/mmap-util.h b/src/lib/mmap-util.h index 0f4184e70d..723b43b12a 100644 --- a/src/lib/mmap-util.h +++ b/src/lib/mmap-util.h @@ -3,16 +3,9 @@ #include -#ifdef HAVE_LINUX_MREMAP -# define __USE_GNU /* for MREMAP_MAYMOVE */ -#endif - #include -#undef __USE_GNU -#if !defined (MREMAP_MAYMOVE) && !defined (HAVE_LINUX_MREMAP) -# define MREMAP_MAYMOVE 1 -#endif +#define MREMAP_ANON_MAYMOVE 1 #define madvise my_madvise int my_madvise(void *start, size_t length, int advice); diff --git a/src/master/main.c b/src/master/main.c index cf12184dff..fade987c91 100644 --- a/src/master/main.c +++ b/src/master/main.c @@ -682,9 +682,6 @@ static void print_build_options(void) #ifdef IOLOOP_NOTIFY_KQUEUE " notify=kqueue" #endif -#ifdef HAVE_GNUTLS - " gnutls" -#endif #ifdef HAVE_OPENSSL " openssl" #endif