commit 5a6081de73bf7f5bc8a66e2fe3299b4186bb6e79 Author: Jacob Welsh AuthorDate: Sat Nov 12 18:29:16 2022 +0000 Commit: Jacob Welsh CommitDate: Sat Nov 12 22:20:22 2022 +0000 Type: mixed fixups from remainder of config.h readthrough Reformat, clarify and correct more comments. Remove options for pretend OpenSSL APIs: auto thread deinit (OPENSSL_thread_stop) OPENSSL_cleanup SSL_CIPHER_get_kx_nid SSL_CTX_add0_chain_cert SSL_CTX_set1_curves_list SSL_CTX_set_ciphersuites (TLS 1.3) SSL_CTX_set_current_cert SSL_CTX_set_min_proto_version (protocol versions can still be selected the old way) Remove option for lacking well established OpenSSL APIs: SSL_clear_options ( http://fixpoint.welshcomputing.com/2022/jwrd-logs-for-Nov-2022/#5336 ) SSL_get_servername, SSL_CTX_set_tlsext_servername_callback, SSL_set_tlsext_host_name (SNI) Define HAVE_OPENSSL_ERR_REMOVE_THREAD_STATE and HAVE_X509_CHECK_HOST, since we do have them, but keep them optional since they don't go back very far. Combine options for X509_check_host, X509_check_ip (unused) and X509_check_ip_asc into one, as they're a family introduced at the same time. Remove TLS Compression code: the API was never standardized and is now long disabled for insecurity ( http://fixpoint.welshcomputing.com/2022/jwrd-logs-for-Nov-2022/#5339 ). Remove code for replacing libssl/libcrypto memory allocation routines ( http://fixpoint.welshcomputing.com/2022/jwrd-logs-for-Nov-2022/#5359 ). Garbage-collect now unused HAVE_TIMEGM and TIME_T_MAX_BITS. Reduce the integer types insanity, so that one config.h can at least support all Gales platforms, by assuming musl specifics like 64-bit off_t and GCC intrinsics like __SIZEOF_INT__. (TODO: something different for PRIdTIME_T/PRIxTIME_T as current Gales musl doesn't in fact guarantee 64-bit time_t.) Remove VA_COPY macro wrapping, requiring va_copy support (C99).
diff --git a/config.h b/config.h
index 263cba19e2..677c8f4b3f 100644
--- a/config.h
+++ b/config.h
@@ -93,16 +93,13 @@
 /* Define to 1 if you have the header file. */
 #define HAVE_CRYPT_H 1
 
-/* Define to 1 if you have the declaration of
-   `CASS_SSL_VERIFY_PEER_IDENTITY_DNS', and to 0 if you don't. */
+/* Define to 1 if you have the declaration of `CASS_SSL_VERIFY_PEER_IDENTITY_DNS', and to 0 if you don't. */
 /* #undef HAVE_DECL_CASS_SSL_VERIFY_PEER_IDENTITY_DNS */
 
-/* Define to 1 if you have the declaration of
-   `ZSTD_error_parameter_unsupported', and to 0 if you don't. */
+/* Define to 1 if you have the declaration of `ZSTD_error_parameter_unsupported', and to 0 if you don't. */
 /* #undef HAVE_DECL_ZSTD_ERROR_PARAMETER_UNSUPPORTED */
 
-/* Define to 1 if you have the declaration of `ZSTD_minCLevel', and to 0 if
-   you don't. */
+/* Define to 1 if you have the declaration of `ZSTD_minCLevel', and to 0 if you don't. */
 /* #undef HAVE_DECL_ZSTD_MINCLEVEL */
 
 /* Define if you have struct dirent->d_type */
@@ -300,14 +297,8 @@
 /* Build with OpenSSL support */
 /* #undef HAVE_OPENSSL */
 
-/* Define if OpenSSL performs thread cleanup automatically */
-/* #undef HAVE_OPENSSL_AUTO_THREAD_DEINIT */
-
-/* OpenSSL supports OPENSSL_cleanup() */
-/* #undef HAVE_OPENSSL_CLEANUP */
-
-/* Define if you have ERR_remove_thread_state */
-/* #undef HAVE_OPENSSL_ERR_REMOVE_THREAD_STATE */
+/* Define if you have ERR_remove_thread_state (circa OpenSSL 1.0.0) */
+#define HAVE_OPENSSL_ERR_REMOVE_THREAD_STATE /**/
 
 /* Define if you have pam/pam_appl.h */
 /* #undef HAVE_PAM_PAM_APPL_H */
@@ -381,7 +372,7 @@
 /* Define to 1 if you have the `setrlimit' function. */
 #define HAVE_SETRLIMIT 1
 
-/* Define to 'int' if you don't have socklen_t */
+/* Define if you have socklen_t */
 #define HAVE_SOCKLEN_T /**/
 
 /* Define if you have Solaris-compatible sendfile() */
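Review bot: HAVE_OPENSSL_ERR_REMOVE_THREAD_STATE is now defined in the -300 hunk while the context lines of the same hunk still show HAVE_OPENSSL as `#undef` (and the next hunk shows HAVE_SSL the same way), so a reader of config.h alone sees an OpenSSL feature flag enabled for a build that apparently has no OpenSSL. If those master switches are supplied elsewhere, a one-line comment beside them, e.g. `/* HAVE_OPENSSL/HAVE_SSL are set by the build, not here */`, would keep the inconsistency from being read as a mistake; if they are not, the feature flag is harmless but misleading. The same applies to the HAVE_X509_CHECK_HOST definition in the -540 hunk.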
@@ -390,39 +381,6 @@
 /* Build with SSL/TLS support */
 /* #undef HAVE_SSL */
 
-/* Define if you have SSL_CIPHER_get_kx_nid */
-/* #undef HAVE_SSL_CIPHER_get_kx_nid */
-
-/* Define if you have SSL_clear_options */
-/* #undef HAVE_SSL_CLEAR_OPTIONS */
-
-/* Build with OpenSSL compression */
-/* #undef HAVE_SSL_COMPRESSION */
-
-/* Build with SSL_COMP_free_compression_methods() support */
-/* #undef HAVE_SSL_COMP_FREE_COMPRESSION_METHODS */
-
-/* Define if you have SSL_CTX_add0_chain_cert */
-/* #undef HAVE_SSL_CTX_ADD0_CHAIN_CERT */
-
-/* Define if you have SSL_CTX_set1_curves_list */
-/* #undef HAVE_SSL_CTX_SET1_CURVES_LIST */
-
-/* Build with SSL_CTX_set_ciphersuites() support */
-/* #undef HAVE_SSL_CTX_SET_CIPHERSUITES */
-
-/* Define if you have SSL_CTX_set_current_cert */
-/* #undef HAVE_SSL_CTX_SET_CURRENT_CERT */
-
-/* Define if you have SSL_CTX_set_min_proto_version */
-/* #undef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION */
-
-/* Build with TLS hostname support */
-/* #undef HAVE_SSL_GET_SERVERNAME */
-
-/* Define if CRYPTO_set_mem_functions has new style parameters */
-/* #undef HAVE_SSL_NEW_MEM_FUNCS */
-
 /* Define if you have statfs.f_mntfromname */
 /* #undef HAVE_STATFS_MNTFROMNAME */
 
@@ -498,9 +456,6 @@
 /* Define to 1 if you have the header file. */
 /* #undef HAVE_SYS_VMOUNT_H */
 
-/* Define to 1 if you have the `timegm' function. */
-#define HAVE_TIMEGM 1
-
 /* Define if you have struct tm->tm_gmtoff */
 #define HAVE_TM_GMTOFF /**/
 
@@ -540,14 +495,8 @@
 /* Define to 1 if you have the `writev' function. */
 #define HAVE_WRITEV 1
 
-/* OpenSSL supports X509_check_host() */
-/* #undef HAVE_X509_CHECK_HOST */
-
-/* OpenSSL supports X509_check_ip() */
-/* #undef HAVE_X509_CHECK_IP */
-
-/* OpenSSL supports X509_check_ip_asc() */
-/* #undef HAVE_X509_CHECK_IP_ASC */
+/* Define if OpenSSL supports the X509_check_host() family (circa OpenSSL 1.0.2) */
+#define HAVE_X509_CHECK_HOST /**/
 
 /* Define to 1 if you have the header file. */
 /* #undef HAVE_XFS_XQM_H */
@@ -600,11 +549,11 @@
 /* Required memory alignment */
 #define MEM_ALIGN_SIZE 8
 
-/* Define if shared mmaps don't get updated by write()s */
+/* Define if shared mmaps don't get updated by write()s (some OpenBSD versions at least). This amounts to disabling at least some uses of mmap. */
 /* #undef MMAP_CONFLICTS_WRITE */
 
 /* Maximum value of off_t */
-#define OFF_T_MAX LONG_MAX
+#define OFF_T_MAX INT64_MAX /* off_t is always 64-bit on musl */
 
 /* Name of package */
 #define PACKAGE "dovecot"
@@ -648,38 +597,38 @@
 /* Build with SQL support */
 /* #undef PASSDB_SQL */
 
-/* Define if pread/pwrite implementation is broken */
+/* Define if pread/pwrite implementation is broken (HPUX) */
 /* #undef PREAD_BROKEN */
 
-/* Define if pread/pwrite needs _XOPEN_SOURCE 500 */
+/* Define if pread/pwrite needs _XOPEN_SOURCE 500 (glibc) */
 /* #undef PREAD_WRAPPERS */
 
 /* printf() fmt for dec time_t */
-#define PRIdTIME_T "ld"
+#define PRIdTIME_T PRId64 /* FIXME */
 
 /* printf() format for uoff_t */
-#define PRIuUOFF_T "lu"
+#define PRIuUOFF_T PRIu64 /* off_t is always 64-bit on musl */
 
 /* printf() fmt for hex time_t */
-#define PRIxTIME_T "lx"
+#define PRIxTIME_T PRIx64 /* FIXME */
 
 /* Define if process title can be changed by modifying argv */
 #define PROCTITLE_HACK /**/
 
 /* The size of `int', as computed by sizeof. */
-#define SIZEOF_INT 4
+#define SIZEOF_INT __SIZEOF_INT__ /* gcc builtin */
 
 /* The size of `long', as computed by sizeof. */
-#define SIZEOF_LONG 8
+#define SIZEOF_LONG __SIZEOF_LONG__ /* gcc builtin */
 
 /* The size of `long long', as computed by sizeof. */
-#define SIZEOF_LONG_LONG 8
+#define SIZEOF_LONG_LONG __SIZEOF_LONG_LONG__ /* gcc builtin */
 
 /* The size of `void *', as computed by sizeof. */
-#define SIZEOF_VOID_P 8
+#define SIZEOF_VOID_P __SIZEOF_POINTER__ /* gcc builtin */
 
 /* Maximum value of ssize_t */
-#define SSIZE_T_MAX LONG_MAX
+#define SSIZE_T_MAX (SIZE_MAX >> 1)
 
 /* C99 static array */
 #define STATIC_ARRAY static
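Review bot: The new `#define PRIdTIME_T PRId64 /* FIXME */` and `#define PRIxTIME_T PRIx64 /* FIXME */` lines in the -648 hunk carry a bare FIXME that does not say what is wrong; the commit message explains it (this musl does not guarantee a 64-bit time_t), and that reason belongs in the file, e.g. `/* FIXME: assumes 64-bit time_t, which current Gales musl does not guarantee */`. The same hunk's INT64_MAX, PRIu64 and SIZE_MAX values, like `#define SSIZE_T_MAX (SIZE_MAX >> 1)`, also rely on <stdint.h>/<inttypes.h> being included before these macros are expanded, and on ssize_t sharing size_t's width; nothing in this file shows either, so it is worth confirming at the first use site and noting next to the definitions.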
@@ -687,15 +636,12 @@
 /* Building with static code analyzer */
 /* #undef STATIC_CHECKER */
 
-/* reasonable mntctl buffer size */
+/* reasonable mntctl buffer size (AIX) */
 /* #undef STATIC_MTAB_SIZE */
 
-/* Points to textcat pkgdatadir containing the language files */
+/* Points to textcat pkgdatadir containing the language files (when HAVE_FTS_EXTTEXTCAT) */
 /* #undef TEXTCAT_DATADIR */
 
-/* max. time_t bits gmtime() can handle */
-#define TIME_T_MAX_BITS 40
-
 /* Define if your time_t is signed */
 #define TIME_T_SIGNED /**/
 
@@ -703,13 +649,13 @@
 /* #undef UOFF_T_INT */
 
 /* Define if off_t is long */
-#define UOFF_T_LONG /**/
+/* #undef UOFF_T_LONG */
 
 /* Define if off_t is long long */
-/* #undef UOFF_T_LONG_LONG */
+#define UOFF_T_LONG_LONG /* off_t is always 64-bit on musl */
 
 /* Maximum value of uoff_t */
-#define UOFF_T_MAX ULONG_MAX
+#define UOFF_T_MAX UINT64_MAX /* off_t is always 64-bit on musl */
 
 /* Build with checkpassword userdb support */
 #define USERDB_CHECKPASSWORD /**/
@@ -729,12 +675,6 @@
 /* Build with SQL support */
 /* #undef USERDB_SQL */
 
-/* A 'va_copy' style function */
-#define VA_COPY va_copy
-
-/* 'va_lists' cannot be copied as values */
-#define VA_COPY_AS_ARRAY 1
-
 /* Version number of package */
 #define VERSION "2.3.19.1"
 
diff --git a/src/imap/imap-client.h b/src/imap/imap-client.h
index a307955f7d..e863dd1656 100644
--- a/src/imap/imap-client.h
+++ b/src/imap/imap-client.h
@@ -235,7 +235,6 @@ struct client {
 	bool id_logged:1;
 	bool mailbox_examined:1;
 	bool anvil_sent:1;
-	bool tls_compression:1;
 	bool input_skip_line:1; /* skip all the data until we've found a new line */
 	bool modseqs_sent_since_sync:1;
diff --git a/src/imap/imap-state.c b/src/imap/imap-state.c
index 2b064ec809..faca8332e0 100644
--- a/src/imap/imap-state.c
+++ b/src/imap/imap-state.c
@@ -25,7 +25,6 @@ enum imap_state_type_public {
 
 enum imap_state_type_internal {
 	IMAP_STATE_TYPE_ID_LOGGED = 'I',
-	IMAP_STATE_TYPE_TLS_COMPRESSION = 'C',
 };
 
 struct mailbox_import_state {
@@ -289,8 +288,6 @@ int imap_state_export_base(struct client *client, bool internal,
 	if (internal) {
 		if (client->id_logged)
 			buffer_append_c(dest, IMAP_STATE_TYPE_ID_LOGGED);
-		if (client->tls_compression)
-			buffer_append_c(dest, IMAP_STATE_TYPE_TLS_COMPRESSION);
 	}
 
 	/* IMAP SEARCHRES extension */
@@ -752,16 +749,6 @@ import_state_id_logged(struct client *client,
 	return 0;
 }
 
-static ssize_t
-import_state_tls_compression(struct client *client,
-			     const unsigned char *data ATTR_UNUSED,
-			     size_t size ATTR_UNUSED,
-			     const char **error_r ATTR_UNUSED)
-{
-	client->tls_compression = TRUE;
-	return 0;
-}
-
 void imap_state_import_idle_cmd_tag(struct client *client, const char *tag)
 {
 	if (client->state_import_idle_continue) {
@@ -812,7 +799,6 @@ static struct {
 		   size_t size, const char **error_r);
 } imap_states_internal[] = {
 	{ IMAP_STATE_TYPE_ID_LOGGED, import_state_id_logged },
-	{ IMAP_STATE_TYPE_TLS_COMPRESSION, import_state_tls_compression }
 };
 
 static ssize_t
diff --git a/src/imap/main.c b/src/imap/main.c
index 8efcfd48ab..c8a80d7d35 100644
--- a/src/imap/main.c
+++ b/src/imap/main.c
@@ -391,8 +391,6 @@ login_client_connected(const struct master_login_client *login_client,
 		master_service_client_connection_destroyed(master_service);
 		return;
 	}
-	if ((flags & MAIL_AUTH_REQUEST_FLAG_TLS_COMPRESSION) != 0)
-		client->tls_compression = TRUE;
 	if (request.input_size > 0) {
 		client_add_istream_prefix(client, request.input,
 					  request.input_size);
diff --git a/src/lib-master/master-auth.h b/src/lib-master/master-auth.h
index 8e0db7452a..4b5f3246eb 100644
--- a/src/lib-master/master-auth.h
+++ b/src/lib-master/master-auth.h
@@ -24,8 +24,6 @@ struct master_service;
 	"Internal error occurred. Refer to server log for more information."
 
 enum mail_auth_request_flags {
-	/* Connection has TLS compression enabled */
-	MAIL_AUTH_REQUEST_FLAG_TLS_COMPRESSION = BIT(0),
 	/* Connection is secure (SSL or just trusted) */
 	MAIL_AUTH_REQUEST_FLAG_CONN_SECURED = BIT(1),
 	/* Connection is secured using SSL specifically */
diff --git a/src/lib-master/master-service-ssl-settings.c b/src/lib-master/master-service-ssl-settings.c
index 5ddf18cc8a..2476d62808 100644
--- a/src/lib-master/master-service-ssl-settings.c
+++ b/src/lib-master/master-service-ssl-settings.c
@@ -176,13 +176,11 @@ master_service_ssl_settings_check(void *_set, pool_t pool ATTR_UNUSED,
 		}
 	}
 
-#ifndef HAVE_SSL_CTX_SET1_CURVES_LIST
 	if (*set->ssl_curve_list != '\0') {
-		*error_r = "ssl_curve_list is set, but the linked openssl "
+		*error_r = "ssl_curve_list is set, but this "
 			"version does not support it";
 		return FALSE;
 	}
-#endif
 
 	return TRUE;
 #endif
diff --git a/src/lib-smtp/smtp-server-command.c b/src/lib-smtp/smtp-server-command.c
index 992a345751..226d94d70f 100644
--- a/src/lib-smtp/smtp-server-command.c
+++ b/src/lib-smtp/smtp-server-command.c
@@ -832,7 +832,7 @@ void smtp_server_command_fail(struct smtp_server_command *cmd,
 		/* Send the same reply for all */
 		if (!sent) {
 			va_list args_copy;
-			VA_COPY(args_copy, args);
+			va_copy(args_copy, args);
 			smtp_server_reply_indexv(&cmd->context, i, status,
 						 enh_code, fmt, args_copy);
 			va_end(args_copy);
diff --git a/src/lib-ssl-iostream/dovecot-openssl-common.c b/src/lib-ssl-iostream/dovecot-openssl-common.c
index 76f98bc9e7..a7e84b3282 100644
--- a/src/lib-ssl-iostream/dovecot-openssl-common.c
+++ b/src/lib-ssl-iostream/dovecot-openssl-common.c
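Review bot: Removing MAIL_AUTH_REQUEST_FLAG_TLS_COMPRESSION leaves BIT(0) of mail_auth_request_flags unassigned, and nothing in the enum records that it was once used; since these flags are sent from one process to another, a later addition that reuses BIT(0) would collide with a peer built from an older tree. A comment where the member was, e.g. `/* BIT(0) was TLS compression; retired, do not reuse */`, keeps the bit reserved without keeping the code. The enum continues past the hunk.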
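Review bot: The rewritten message in master_service_ssl_settings_check, `"ssl_curve_list is set, but this " "version does not support it"`, no longer says what "this version" refers to now that the OpenSSL mention is gone, and since the rejection is unconditional an administrator cannot fix it by changing the library. Wording it as `"ssl_curve_list is set, but this build does not support it"` says exactly that. The enclosing function starts before the hunk.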
@@ -11,58 +11,11 @@
 static int openssl_init_refcount = 0;
 static ENGINE *dovecot_openssl_engine;
 
-#ifdef HAVE_SSL_NEW_MEM_FUNCS
-static void *dovecot_openssl_malloc(size_t size, const char *u0 ATTR_UNUSED, int u1 ATTR_UNUSED)
-#else
-static void *dovecot_openssl_malloc(size_t size)
-#endif
-{
-	/* this may be performance critical, so don't use
-	   i_malloc() or calloc() */
-	void *mem = malloc(size);
-	if (mem == NULL) {
-		i_fatal_status(FATAL_OUTOFMEM,
-			       "OpenSSL: malloc(%zu): Out of memory", size);
-	}
-	return mem;
-}
-
-#ifdef HAVE_SSL_NEW_MEM_FUNCS
-static void *dovecot_openssl_realloc(void *ptr, size_t size, const char *u0 ATTR_UNUSED, int u1 ATTR_UNUSED)
-#else
-static void *dovecot_openssl_realloc(void *ptr, size_t size)
-#endif
-{
-	void *mem = realloc(ptr, size);
-	if (mem == NULL) {
-		i_fatal_status(FATAL_OUTOFMEM,
-			       "OpenSSL: realloc(%zu): Out of memory", size);
-	}
-	return mem;
-}
-
-#ifdef HAVE_SSL_NEW_MEM_FUNCS
-static void dovecot_openssl_free(void *ptr, const char *u0 ATTR_UNUSED, int u1 ATTR_UNUSED)
-#else
-static void dovecot_openssl_free(void *ptr)
-#endif
-{
-	free(ptr);
-}
-
 void dovecot_openssl_common_global_ref(void)
 {
 	if (openssl_init_refcount++ > 0)
 		return;
 
-	/* use our own memory allocation functions that will die instead of
-	   returning NULL. this avoids random failures on out-of-memory
-	   conditions. */
-	if (CRYPTO_set_mem_functions(dovecot_openssl_malloc,
-		dovecot_openssl_realloc, dovecot_openssl_free) == 0) {
-		/*i_warning("CRYPTO_set_mem_functions() was called too late");*/
-	}
-
 	SSL_library_init();
 	SSL_load_error_strings();
 	OpenSSL_add_all_algorithms();
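Review bot: With the CRYPTO_set_mem_functions hook gone from dovecot_openssl_common_global_ref, an allocation failure inside libssl/libcrypto now comes back as a NULL return or an error-queue entry instead of the i_fatal_status exit the removed comment describes, so every OpenSSL call in this library that never checked for allocation failure now depends on the library's own handling of it. The commit message links the discussion but the code keeps no trace of the new contract; a short comment before `SSL_library_init();`, e.g. `/* OpenSSL uses the system allocator; out-of-memory inside OpenSSL surfaces through its normal error returns, not via i_fatal() */`, would tell callers what to expect. The function continues past the hunk.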
@@ -82,25 +35,16 @@ bool dovecot_openssl_common_global_unref(void)
 	/* OBJ_cleanup() is called automatically by EVP_cleanup() in
 	   newer versions. Doesn't hurt to call it anyway. */
 	OBJ_cleanup();
-#ifdef HAVE_SSL_COMP_FREE_COMPRESSION_METHODS
-	SSL_COMP_free_compression_methods();
-#endif
 	ENGINE_cleanup();
 	EVP_cleanup();
 	CRYPTO_cleanup_all_ex_data();
-#ifdef HAVE_OPENSSL_AUTO_THREAD_DEINIT
-	/* no cleanup needed */
-#elif defined(HAVE_OPENSSL_ERR_REMOVE_THREAD_STATE)
-	/* This was marked as deprecated in v1.1. */
+#ifdef HAVE_OPENSSL_ERR_REMOVE_THREAD_STATE
 	ERR_remove_thread_state(NULL);
 #else
 	/* This was deprecated by ERR_remove_thread_state(NULL) in v1.0.0. */
 	ERR_remove_state(0);
 #endif
 	ERR_free_strings();
-#ifdef HAVE_OPENSSL_CLEANUP
-	OPENSSL_cleanup();
-#endif
 
 	return FALSE;
 }
diff --git a/src/lib-ssl-iostream/iostream-openssl-common.c b/src/lib-ssl-iostream/iostream-openssl-common.c
index 426fe6512b..e9f339b79c 100644
--- a/src/lib-ssl-iostream/iostream-openssl-common.c
+++ b/src/lib-ssl-iostream/iostream-openssl-common.c
@@ -61,7 +61,7 @@ int openssl_min_protocol_to_options(const char *min_protocol, long *opt_r,
 	return 0;
 }
 
-#if !defined(HAVE_X509_CHECK_HOST) || !defined(HAVE_X509_CHECK_IP_ASC)
+#ifndef HAVE_X509_CHECK_HOST
 static const char *asn1_string_to_c(ASN1_STRING *asn_str)
 {
 	const char *cstr;
@@ -148,7 +148,7 @@ bool openssl_cert_match_name(SSL *ssl, const char *verify_name,
 	cert = SSL_get_peer_certificate(ssl);
 	i_assert(cert != NULL);
 
-#if defined(HAVE_X509_CHECK_HOST) && defined(HAVE_X509_CHECK_IP_ASC)
+#ifdef HAVE_X509_CHECK_HOST
 	char *peername;
 	int check_res;
 
diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
index 38c556d69f..d0fde557cd 100644
--- a/src/lib-ssl-iostream/iostream-openssl-context.c
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c
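Review bot: The `#ifdef HAVE_OPENSSL_ERR_REMOVE_THREAD_STATE` branch in dovecot_openssl_common_global_unref lost its explanatory comment while the `#else` branch kept one, so the two branches are now documented asymmetrically and the reader no longer learns that the preferred call is itself deprecated in newer OpenSSL. Restoring the removed line above `ERR_remove_thread_state(NULL);`, `/* This was marked as deprecated in v1.1. */`, costs nothing and keeps the version story readable in one place. The function starts before the hunk.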
@@ -202,9 +202,6 @@ static int ssl_ctx_use_certificate_chain(SSL_CTX *ctx, const char *cert)
 		ret = 0;
 
 	if (ret != 0) {
-#ifdef HAVE_SSL_CTX_SET_CURRENT_CERT
-		SSL_CTX_select_current_cert(ctx, x);
-#endif
 		/* If we could set up our certificate, now proceed to
 		 * the CA certificates.
 		 */
@@ -213,11 +210,7 @@ static int ssl_ctx_use_certificate_chain(SSL_CTX *ctx, const char *cert)
 		unsigned long err;
 
 		while ((ca = PEM_read_bio_X509(in,NULL,NULL,NULL)) != NULL) {
-#ifdef HAVE_SSL_CTX_ADD0_CHAIN_CERT
-			r = SSL_CTX_add0_chain_cert(ctx, ca);
-#else
 			r = SSL_CTX_add_extra_chain_cert(ctx, ca);
-#endif
 			if (r == 0) {
 				X509_free(ca);
 				ret = 0;
@@ -235,9 +228,6 @@ static int ssl_ctx_use_certificate_chain(SSL_CTX *ctx, const char *cert)
 end:
 	if (x != NULL)
 		X509_free(x);
 	BIO_free(in);
-#ifdef HAVE_SSL_CTX_SET_CURRENT_CERT
-	SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST);
-#endif
 	return ret;
 }
@@ -325,7 +315,7 @@ ssl_iostream_ctx_verify_remote_cert(struct ssl_iostream_context *ctx,
 		SSL_CTX_set_client_CA_list(ctx->ssl_ctx, ca_names);
 	}
 
-#ifdef HAVE_SSL_GET_SERVERNAME
+/* This used to be ifdef-guarded by HAVE_SSL_GET_SERVERNAME, but SSL_get_servername reportedly dates back to OpenSSL 0.9.8f (though documented only later), so it seems safe to make unconditional. */
 static int ssl_servername_callback(SSL *ssl, int *al ATTR_UNUSED,
 				   void *context ATTR_UNUSED)
 {
@@ -350,7 +340,6 @@ static int ssl_servername_callback(SSL *ssl, int *al ATTR_UNUSED,
 	}
 	return SSL_TLSEXT_ERR_OK;
 }
-#endif
 
 static int
 ssl_iostream_context_load_ca(struct ssl_iostream_context *ctx,
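Review bot: The comment added above ssl_servername_callback in the -325 hunk is a single line of roughly 200 characters in a file that otherwise wraps comments at 80 columns, and it is written as change history ("used to be ifdef-guarded") rather than as a statement about the code the reader is looking at. Wrapping it and stating the fact, e.g. `/* SSL_get_servername() exists in every OpenSSL version this code targets (reportedly since 0.9.8f), so the SNI callback is always compiled in. */`, keeps the file's style; the history is already preserved in the commit message. The two guard removals in ssl_ctx_use_certificate_chain earlier in this section are fine as pure deletions.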
@@ -408,42 +397,20 @@ ssl_iostream_context_set(struct ssl_iostream_context *ctx,
 			set->cipher_list, openssl_iostream_error());
 		return -1;
 	}
-#ifdef HAVE_SSL_CTX_SET1_CURVES_LIST
-	if (set->curve_list != NULL && strlen(set->curve_list) > 0 &&
-	    SSL_CTX_set1_curves_list(ctx->ssl_ctx, set->curve_list) == 0) {
-		*error_r = t_strdup_printf(
-			"Can't set curve list to '%s' (ssl_curve_list setting)",
-			set->curve_list);
-		return -1;
-	}
-#endif
-#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
-	if (set->ciphersuites != NULL &&
-	    SSL_CTX_set_ciphersuites(ctx->ssl_ctx, set->ciphersuites) == 0) {
-		*error_r = t_strdup_printf("Can't set ciphersuites to '%s': %s",
-			set->ciphersuites, openssl_iostream_error());
-		return -1;
-	}
-#endif
 	if (set->prefer_server_ciphers) {
 		SSL_CTX_set_options(ctx->ssl_ctx,
 				    SSL_OP_CIPHER_SERVER_PREFERENCE);
 	}
 	if (ctx->set.min_protocol != NULL) {
 		long opts;
-		int min_protocol;
 
 		if (openssl_min_protocol_to_options(ctx->set.min_protocol,
-						    &opts, &min_protocol) < 0) {
+						    &opts, NULL) < 0) {
 			*error_r = t_strdup_printf(
 				"Unknown ssl_min_protocol setting '%s'",
 				set->min_protocol);
 			return -1;
 		}
-#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
-		SSL_CTX_set_min_proto_version(ctx->ssl_ctx, min_protocol);
-#else
 		SSL_CTX_set_options(ctx->ssl_ctx, opts);
-#endif
 	}
 	if (set->cert.cert != NULL &&
@@ -490,7 +457,7 @@ ssl_iostream_context_set(struct ssl_iostream_context *ctx,
 			return -1;
 		}
 	}
-#ifdef HAVE_SSL_GET_SERVERNAME
+	/* As with ssl_servername_callback, this used to be ifdef-guarded. */
 	if (!ctx->client_ctx) {
 		if (SSL_CTX_set_tlsext_servername_callback(ctx->ssl_ctx,
 					ssl_servername_callback) != 1) {
@@ -498,7 +465,6 @@ ssl_iostream_context_set(struct ssl_iostream_context *ctx,
 			i_debug("OpenSSL library doesn't support SNI");
 		}
 	}
-#endif
 
 	return 0;
 }
diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c
index 6920c53390..e9c3f56ab5 100644
--- a/src/lib-ssl-iostream/iostream-openssl.c
+++ b/src/lib-ssl-iostream/iostream-openssl.c
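Review bot: Both callers of openssl_min_protocol_to_options now pass NULL as the third argument (`&opts, NULL) < 0)` here in ssl_iostream_context_set, and the same line in the openssl_iostream_set hunk of iostream-openssl.c), which is only safe if that function tests its version pointer before storing through it; its body is not in this diff, so the guard should be confirmed and the parameter documented as optional in its prototype, e.g. `/* version_r may be NULL */`. If the guard is absent, every context and stream setup with ssl_min_protocol set becomes a NULL store. ssl_iostream_context_set starts before the hunk.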
@@ -171,48 +171,19 @@ openssl_iostream_set(struct ssl_iostream *ssl_io,
 			return -1;
 		}
 	}
-#ifdef HAVE_SSL_CTX_SET1_CURVES_LIST
-	if (set->curve_list != NULL && strlen(set->curve_list) > 0 &&
-	    (ctx_set->curve_list == NULL || strcmp(ctx_set->curve_list, set->curve_list) != 0)) {
-		if (SSL_set1_curves_list(ssl_io->ssl, set->curve_list) == 0) {
-			*error_r = t_strdup_printf(
-				"Failed to set curve list to '%s'",
-				set->curve_list);
-			return -1;
-		}
-	}
-#endif
-#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
-	if (set->ciphersuites != NULL &&
-	    strcmp(ctx_set->ciphersuites, set->ciphersuites) != 0) {
-		if (SSL_set_ciphersuites(ssl_io->ssl, set->ciphersuites) == 0) {
-			*error_r = t_strdup_printf(
-				"Can't set ciphersuites to '%s': %s",
-				set->ciphersuites, openssl_iostream_error());
-			return -1;
-		}
-	}
-#endif
 	if (set->prefer_server_ciphers)
 		SSL_set_options(ssl_io->ssl, SSL_OP_CIPHER_SERVER_PREFERENCE);
 	if (set->min_protocol != NULL) {
-#if defined(HAVE_SSL_CLEAR_OPTIONS)
 		SSL_clear_options(ssl_io->ssl, OPENSSL_ALL_PROTOCOL_OPTIONS);
-#endif
 		long opts;
-		int min_protocol;
 		if (openssl_min_protocol_to_options(set->min_protocol, &opts,
-						    &min_protocol) < 0) {
+						    NULL) < 0) {
 			*error_r = t_strdup_printf(
 				"Unknown ssl_min_protocol setting '%s'",
 				set->min_protocol);
 			return -1;
 		}
-#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
-		SSL_set_min_proto_version(ssl_io->ssl, min_protocol);
-#else
 		SSL_set_options(ssl_io->ssl, opts);
-#endif
 	}
 	if (set->cert.cert != NULL &&
 	    strcmp(ctx_set->cert.cert, set->cert.cert) != 0) {
@@ -306,9 +277,8 @@ openssl_iostream_create(struct ssl_iostream_context *ctx, const char *host,
 	/* bio_int will be freed by SSL_free() */
 	SSL_set_bio(ssl_io->ssl, bio_int, bio_int);
 	SSL_set_ex_data(ssl_io->ssl, dovecot_ssl_extdata_index, ssl_io);
-#ifdef HAVE_SSL_GET_SERVERNAME
+	/* As with ssl_servername_callback, this used to be ifdef-guarded. */
 	SSL_set_tlsext_host_name(ssl_io->ssl, host);
-#endif
 
 	if (openssl_iostream_set(ssl_io, set, error_r) < 0) {
 		openssl_iostream_free(ssl_io);
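Review bot: The comment added above `SSL_set_tlsext_host_name(ssl_io->ssl, host);` in openssl_iostream_create sends the reader to ssl_servername_callback, which lives in a different file, and records history rather than describing the call. Now that the call is unconditional, the more useful thing to say is that its return value is left unchecked and whether that is intended, e.g. `/* Always offer SNI; a failure to set the extension is not treated as fatal here. */` if that is the intent. The function continues past the hunk.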
@@ -814,26 +784,9 @@ static const char *openssl_iostream_get_server_name(struct ssl_iostream *ssl_io)
 }
 
 static const char *
-openssl_iostream_get_compression(struct ssl_iostream *ssl_io)
-{
-#if defined(HAVE_SSL_COMPRESSION) && !defined(OPENSSL_NO_COMP)
-	const COMP_METHOD *comp;
-
-	comp = SSL_get_current_compression(ssl_io->ssl);
-	return comp == NULL ? NULL : SSL_COMP_get_name(comp);
-#else
-	return NULL;
-#endif
-}
-
-static const char *
 openssl_iostream_get_security_string(struct ssl_iostream *ssl_io)
 {
 	const SSL_CIPHER *cipher;
-#if defined(HAVE_SSL_COMPRESSION) && !defined(OPENSSL_NO_COMP)
-	const COMP_METHOD *comp;
-#endif
-	const char *comp_str;
 	int bits, alg_bits;
 
 	if (!ssl_io->handshaked)
@@ -841,17 +794,10 @@ openssl_iostream_get_security_string(struct ssl_iostream *ssl_io)
 	cipher = SSL_get_current_cipher(ssl_io->ssl);
 	bits = SSL_CIPHER_get_bits(cipher, &alg_bits);
 
-#if defined(HAVE_SSL_COMPRESSION) && !defined(OPENSSL_NO_COMP)
-	comp = SSL_get_current_compression(ssl_io->ssl);
-	comp_str = comp == NULL ? "" :
-		t_strconcat(" ", SSL_COMP_get_name(comp), NULL);
-#else
-	comp_str = "";
-#endif
-	return t_strdup_printf("%s with cipher %s (%d/%d bits)%s",
+	return t_strdup_printf("%s with cipher %s (%d/%d bits)",
 			       SSL_get_version(ssl_io->ssl),
 			       SSL_CIPHER_get_name(cipher),
-			       bits, alg_bits, comp_str);
+			       bits, alg_bits);
 }
 
 static const char *
@@ -878,17 +824,12 @@ openssl_iostream_get_pfs(struct ssl_iostream *ssl_io)
 		return NULL;
 
 	const SSL_CIPHER *cipher = SSL_get_current_cipher(ssl_io->ssl);
-#if defined(HAVE_SSL_CIPHER_get_kx_nid)
-	int nid = SSL_CIPHER_get_kx_nid(cipher);
-	return OBJ_nid2sn(nid);
-#else
 	char buf[128];
 	const char *desc, *ptr;
 	if ((desc = SSL_CIPHER_description(cipher, buf, sizeof(buf)))==NULL ||
 	    (ptr = strstr(desc, "Kx=")) == NULL)
 		return "";
 	return t_strcut(ptr+3, ' ');
-#endif
 }
 
 static const char *
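Review bot: openssl_iostream_get_pfs now always derives the key-exchange name by scanning the text of SSL_CIPHER_description for `Kx=`, a human-readable format OpenSSL does not promise to keep stable, and it returns `""` when the scan fails while returning NULL before the handshake; neither fact is documented now that this is the only path. A comment above `char buf[128];` such as `/* Parse the Kx= field of OpenSSL's textual cipher description; "" means the field was not found, NULL means no handshake yet. */` makes the fallback's limits explicit for anyone reading the value in logs or policy. The function begins before the hunk.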
@@ -924,7 +865,6 @@ static const struct iostream_ssl_vfuncs ssl_vfuncs = {
 	.cert_match_name = openssl_iostream_cert_match_name,
 	.get_peer_name = openssl_iostream_get_peer_name,
 	.get_server_name = openssl_iostream_get_server_name,
-	.get_compression = openssl_iostream_get_compression,
 	.get_security_string = openssl_iostream_get_security_string,
 	.get_last_error = openssl_iostream_get_last_error,
 	.get_cipher = openssl_iostream_get_cipher,
diff --git a/src/lib-ssl-iostream/iostream-ssl-private.h b/src/lib-ssl-iostream/iostream-ssl-private.h
index c0f4a3a041..383699511d 100644
--- a/src/lib-ssl-iostream/iostream-ssl-private.h
+++ b/src/lib-ssl-iostream/iostream-ssl-private.h
@@ -41,7 +41,6 @@ struct iostream_ssl_vfuncs {
 			       const char **reason_r);
 	const char *(*get_peer_name)(struct ssl_iostream *ssl_io);
 	const char *(*get_server_name)(struct ssl_iostream *ssl_io);
-	const char *(*get_compression)(struct ssl_iostream *ssl_io);
 	const char *(*get_security_string)(struct ssl_iostream *ssl_io);
 	const char *(*get_last_error)(struct ssl_iostream *ssl_io);
 	const char *(*get_cipher)(struct ssl_iostream *ssl_io, unsigned int *bits_r);
diff --git a/src/lib-ssl-iostream/iostream-ssl.c b/src/lib-ssl-iostream/iostream-ssl.c
index 48369be096..a1c8695337 100644
--- a/src/lib-ssl-iostream/iostream-ssl.c
+++ b/src/lib-ssl-iostream/iostream-ssl.c
@@ -254,11 +254,6 @@ const char *ssl_iostream_get_server_name(struct ssl_iostream *ssl_io)
 	return ssl_vfuncs->get_server_name(ssl_io);
 }
 
-const char *ssl_iostream_get_compression(struct ssl_iostream *ssl_io)
-{
-	return ssl_vfuncs->get_compression(ssl_io);
-}
-
 const char *ssl_iostream_get_security_string(struct ssl_iostream *ssl_io)
 {
 	return ssl_vfuncs->get_security_string(ssl_io);
diff --git a/src/lib-ssl-iostream/iostream-ssl.h b/src/lib-ssl-iostream/iostream-ssl.h
index 322448691f..17e76ca281 100644
--- a/src/lib-ssl-iostream/iostream-ssl.h
+++ b/src/lib-ssl-iostream/iostream-ssl.h
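Review bot: Dropping `get_compression` from struct iostream_ssl_vfuncs shifts every member after it, so the backend that fills this table (the ssl_vfuncs initializer in iostream-openssl.c, updated in the same commit) and the lib-ssl-iostream code that calls through it must come from the same build; a stale backend object would dispatch get_security_string and later slots through the wrong function pointer. If the backend is only ever built in-tree this is fine, and a one-line note in the header, `/* Layout is not ABI-stable; rebuild all backends when it changes. */`, records that assumption. The struct continues before and after the hunk.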
@@ -121,7 +121,6 @@ int ssl_iostream_check_cert_validity(struct ssl_iostream *ssl_io,
 bool ssl_iostream_cert_match_name(struct ssl_iostream *ssl_io, const char *name,
 				  const char **reason_r);
 const char *ssl_iostream_get_peer_name(struct ssl_iostream *ssl_io);
-const char *ssl_iostream_get_compression(struct ssl_iostream *ssl_io);
 const char *ssl_iostream_get_server_name(struct ssl_iostream *ssl_io);
 const char *ssl_iostream_get_security_string(struct ssl_iostream *ssl_io);
 /* Returns SSL context's current used cipher algorithm. Returns NULL
diff --git a/src/lib-test/test-common.c b/src/lib-test/test-common.c
index feea7ecd88..b48f1d7233 100644
--- a/src/lib-test/test-common.c
+++ b/src/lib-test/test-common.c
@@ -256,7 +256,7 @@ test_error_handler(const struct failure_context *ctx,
 	if (expected_errors > 0) {
 		va_list args2;
 
-		VA_COPY(args2, args);
+		va_copy(args2, args);
 		suppress = expect_error_check(&expected_error_str, format, args2);
 		expected_errors--;
 		va_end(args2);
@@ -293,7 +293,7 @@ test_fatal_handler(const struct failure_context *ctx,
 	i_assert(expecting_fatal); /* if not at the right time, bail */
 
 	va_list args2;
-	VA_COPY(args2, args);
+	va_copy(args2, args);
 	bool suppress = expect_error_check(&expected_fatal_str, format, args2);
 	va_end(args);
diff --git a/src/lib/event-log.c b/src/lib/event-log.c
index f8f2f79793..629e181b1d 100644
--- a/src/lib/event-log.c
+++ b/src/lib/event-log.c
@@ -142,7 +142,7 @@ event_get_log_message_str_out(struct event_get_log_message_context *glmctx,
 		va_list args_copy;
 
 		/* construct message from format and arguments */
-		VA_COPY(args_copy, args);
+		va_copy(args_copy, args);
 		str_vprintfa(str_out, fmt, args_copy);
 		va_end(args_copy);
 	}
@@ -336,7 +336,7 @@ event_logv_params(struct event *event, const struct event_log_params *params,
 
 	if (params->base_str_out != NULL && !glmctx.str_out_done) {
 		va_list args_copy;
-		VA_COPY(args_copy, args);
+		va_copy(args_copy, args);
 		str_vprintfa(params->base_str_out, fmt, args_copy);
 		va_end(args_copy);
 	}
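Review bot: In test_fatal_handler the line following the new `va_copy(args2, args);` is `va_end(args);`, which ends the caller-owned va_list rather than the copy, leaving args2 without the matching va_end that C requires in the same function. Unless a later line outside the hunk ends args2, this should read `va_end(args2);`, as test_error_handler in the previous hunk already does; the commit touched the line above it, so it is a natural moment to fix. The function's remainder is outside the hunk.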
diff --git a/src/lib/macros.h b/src/lib/macros.h
index 8cd159f784..e63e10dedd 100644
--- a/src/lib/macros.h
+++ b/src/lib/macros.h
@@ -43,19 +43,6 @@
 #define POINTER_CAST_TO(p, type) \
 	((type)(uintptr_t)(p))
 
-/* Define VA_COPY() to do the right thing for copying va_list variables.
-   config.h may have already defined VA_COPY as va_copy or __va_copy. */
-#ifndef VA_COPY
-# if defined (__GNUC__) && defined (__PPC__) && \
-     (defined (_CALL_SYSV) || defined (_WIN32))
-#  define VA_COPY(ap1, ap2) (*(ap1) = *(ap2))
-# elif defined (VA_COPY_AS_ARRAY)
-#  define VA_COPY(ap1, ap2) memmove ((ap1), (ap2), sizeof (va_list))
-# else /* va_list is a pointer */
-#  define VA_COPY(ap1, ap2) ((ap1) = (ap2))
-# endif /* va_list is a pointer */
-#endif
-
 /* Provide convenience macros for handling structure
  * fields through their offsets. */
diff --git a/src/lib/str.c b/src/lib/str.c
index 2ec597023d..c2906236ae 100644
--- a/src/lib/str.c
+++ b/src/lib/str.c
@@ -116,7 +116,7 @@ void str_vprintfa(string_t *str, const char *fmt, va_list args)
 	size_t pos = str->used;
 	int ret, ret2;
 
-	VA_COPY(args2, args);
+	va_copy(args2, args);
 
 	/* the format string is modified only if %m exists in it. it happens
 	   only in error conditions, so don't try to t_push() here since it'll
diff --git a/src/lib/strfuncs.c b/src/lib/strfuncs.c
index 56e45765ba..e06a95aa27 100644
--- a/src/lib/strfuncs.c
+++ b/src/lib/strfuncs.c
@@ -129,7 +129,7 @@ char *t_noalloc_strdup_vprintf(const char *format, va_list args,
 	int old_errno = errno;
 #endif
 
-	VA_COPY(args2, args);
+	va_copy(args2, args);
 
 	/* the format string is modified only if %m exists in it. it happens
 	   only in error conditions, so don't try to t_push() here since it'll
diff --git a/src/login-common/sasl-server.c b/src/login-common/sasl-server.c
index 3a03a37559..d171ca6336 100644
--- a/src/login-common/sasl-server.c
+++ b/src/login-common/sasl-server.c
@@ -177,9 +177,6 @@ static int master_send_request(struct anvil_request *anvil_request)
 	req.local_port = client->local_port;
 	req.remote_port = client->remote_port;
 	req.client_pid = getpid();
-	if (client->ssl_iostream != NULL &&
-	    ssl_iostream_get_compression(client->ssl_iostream) != NULL)
-		req.flags |= MAIL_AUTH_REQUEST_FLAG_TLS_COMPRESSION;
 	if (client->secured)
 		req.flags |= MAIL_AUTH_REQUEST_FLAG_CONN_SECURED;
 	if (client->ssl_secured)
diff --git a/src/master/main.c b/src/master/main.c
index fade987c91..24c3d297d3 100644
--- a/src/master/main.c
+++ b/src/master/main.c
@@ -162,7 +162,7 @@ master_fatal_callback(const struct failure_context *ctx,
 	path = t_strconcat(FATAL_FILENAME, NULL);
 	fd = open(path, O_CREAT | O_TRUNC | O_WRONLY, 0600);
 	if (fd != -1) {
-		VA_COPY(args2, args);
+		va_copy(args2, args);
 		str = t_strdup_vprintf(format, args2);
 		va_end(args2);
 		(void)write_full(fd, str, strlen(str));
@@ -180,7 +180,7 @@ startup_fatal_handler(const struct failure_context *ctx,
 {
 	va_list args2;
 
-	VA_COPY(args2, args);
+	va_copy(args2, args);
 	fprintf(stderr, "%s%s\n", failure_log_type_prefixes[ctx->type],
 		t_strdup_vprintf(fmt, args2));
 	va_end(args2);
@@ -194,7 +194,7 @@ startup_error_handler(const struct failure_context *ctx,
 {
 	va_list args2;
 
-	VA_COPY(args2, args);
+	va_copy(args2, args);
 	fprintf(stderr, "%s%s\n", failure_log_type_prefixes[ctx->type],
 		t_strdup_vprintf(fmt, args2));
 	va_end(args2);
@@ -208,7 +208,7 @@ startup_early_error_handler(const struct failure_context *ctx,
 	struct master_delayed_error *err;
 	va_list args2;
 
-	VA_COPY(args2, args);
+	va_copy(args2, args);
 	if (delayed_errors_pool == NULL) {
 		delayed_errors_pool =
 			pool_alloconly_create("delayed errors", 512);