Bug#828540: sendmail: FTBFS with openssl 1.1.0

Kurt Roeckx

Jun 26, 2016, 7:00:04 AM
Source: sendmail
Version: 8.15.2-4
Severity: important
Control: block 827061 by -1

Hi,

OpenSSL 1.1.0 is about to be released. During a rebuild of all packages using
OpenSSL this package fails to build. A log of that build can be found at:
https://breakpoint.cc/openssl-1.1-rebuild-2016-05-29/Attempted/sendmail_8.15.2-4_amd64-20160529-1535

On https://wiki.openssl.org/index.php/1.1_API_Changes you can see various
reasons why it might fail. There are also updated man pages at
https://www.openssl.org/docs/manmaster/ that should contain useful information.

There is a libssl-dev package available in experimental that contains a recent
snapshot, I suggest you try building against that to see if everything works.

If you have problems making things work, feel free to contact us.


Kurt

Andreas Beckmann

Jun 30, 2016, 8:00:03 PM
Control: tag -1 help

Hi Kurt,

maybe you can help me getting sendmail (which I'm QA maintaining for
some years now) to work with the new openssl.

On 2016-06-26 12:24, Kurt Roeckx wrote:
> https://breakpoint.cc/openssl-1.1-rebuild-2016-05-29/Attempted/sendmail_8.15.2-4_amd64-20160529-1535

> If you have problems making things work, feel free to contact us.

in debian/configure.ac we have

    if test $ac_cv_header_openssl_ssl_h = yes; then
        AC_CHECK_LIB(ssl, SSL_library_init,
            [sm_have_tls=yes]
            ,[sm_have_tls=no]
            ,[-lcrypto])

        if test $sm_have_tls != yes; then
            AC_MSG_WARN([Could not find -lssl (libssl-dev)])
        fi;
    fi;

which fails. The whole autotools stuff is only used for the debian packaging.
That fails because SSL_library_init is now a macro instead of a function.
Maybe this check is superfluous and could just be removed.
If I do this, building fails due to some API changes:

gcc -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -fPIC -I. -I../../include -DSOCKETMAP -DMAP_REGEX -DNEWDB -DNIS -DNISPLUS -DLDAPMAP -DHASFCHMOD=1 -DHASSETRLIMIT=1 -DHASFLOCK=0 -DUSESETEUID=1 -DHASGETUSERSHELL=1 -DNETINET6 -D_PATH_SENDMAILPID=\"/var/run/sendmail/mta/sendmail.pid\" -DIP_SRCROUTE=1 -DLDAP_REFERRALS -D_FFR_LDAP_URI -D_FFR_LDAP_SETVERSION -DLDAP_DEPRECATED -DTCPWRAPPERS -DSASL -I/usr/include/sasl -DSTARTTLS -D_FFR_QUEUE_SCHED_DBG -D_FFR_SKIP_DOMAINS -D_FFR_GROUPREADABLEAUTHINFOFILE -D_FFR_DAEMON_NETUNIX -D_FFR_NO_PIPE -D_FFR_SHM_STATUS -D_FFR_RHS -D_FFR_MAIL_MACRO -D_FFR_QUEUEDELAY=1 -D_FFR_BADRCPT_SHUTDOWN -D_FFR_RESET_MACRO_GLOBALS -D_FFR_TLS_1 -D_FFR_TLS_EC -D_FFR_DEAL_WITH_ERROR_SSL -Wdate-time -D_FORTIFY_SOURCE=2 -c -o tls.o tls.c
tls.c: In function 'get_dh512':
tls.c:70:4: error: dereferencing pointer to incomplete type 'DH {aka struct dh_st}'
dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
^
tls.c: In function 'inittls':
tls.c:929:22: warning: implicit declaration of function 'BIO_s_file_internal' [-Wimplicit-function-declaration]
crl_file = BIO_new(BIO_s_file_internal());
^
tls.c:929:22: warning: passing argument 1 of 'BIO_new' makes pointer from integer without a cast [-Wint-conversion]
In file included from /usr/include/openssl/ssl.h:48:0,
from ./sendmail.h:125,
from tls.c:11:
/usr/include/openssl/bio.h:538:6: note: expected 'const BIO_METHOD * {aka const struct bio_method_st *}' but argument is of type 'int'
BIO *BIO_new(const BIO_METHOD *type);
^
tls.c:1006:6: warning: 'RSA_generate_key' is deprecated [-Wdeprecated-declarations]
(rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL,
^
In file included from /usr/include/openssl/rsa.h:13:0,
from /usr/include/openssl/x509.h:31,
from /usr/include/openssl/ssl.h:50,
from ./sendmail.h:125,
from tls.c:11:
/usr/include/openssl/rsa.h:193:1: note: declared here
DEPRECATEDIN_0_9_8(RSA *RSA_generate_key(int bits, unsigned long e, void
^
tls.c:1213:4: warning: 'DSA_generate_parameters' is deprecated [-Wdeprecated-declarations]
dsa = DSA_generate_parameters(bits, NULL, 0, NULL,
^
In file included from /usr/include/openssl/dh.h:13:0,
from /usr/include/openssl/dsa.h:31,
from /usr/include/openssl/x509.h:32,
from /usr/include/openssl/ssl.h:50,
from ./sendmail.h:125,
from tls.c:11:
/usr/include/openssl/dsa.h:121:1: note: declared here
DEPRECATEDIN_0_9_8(DSA *DSA_generate_parameters(int bits,
^
tls.c:1298:5: warning: implicit declaration of function 'SSL_CTX_set_tmp_rsa_callback' [-Wimplicit-function-declaration]
SSL_CTX_set_tmp_rsa_callback(*ctx, tmp_rsa_key);
^
tls.c: In function 'tmp_rsa_key':
tls.c:1747:2: warning: 'RSA_generate_key' is deprecated [-Wdeprecated-declarations]
rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL, NULL);
^
In file included from /usr/include/openssl/rsa.h:13:0,
from /usr/include/openssl/x509.h:31,
from /usr/include/openssl/ssl.h:50,
from ./sendmail.h:125,
from tls.c:11:
/usr/include/openssl/rsa.h:193:1: note: declared here
DEPRECATEDIN_0_9_8(RSA *RSA_generate_key(int bits, unsigned long e, void
^
tls.c: In function 'x509_verify_cb':
tls.c:1974:10: error: dereferencing pointer to incomplete type 'X509_STORE_CTX {aka struct x509_store_ctx_st}'
if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL)
^
<builtin>: recipe for target 'tls.o' failed


The file in question is sendmail/tls.c


Since I'm used to neither openssl nor the sendmail source code (and I
have no use for sendmail at all, now that it passes the piuparts
tests), I'm not going to write a patch for supporting openssl 1.1.0
along 1.0.2.
Instead I'll wait for either a new upstream release or some patch
showing up somewhere, which may mean stretch could ship without
sendmail.

Dear users of sendmail: Your help is needed in case you want to
continue using sendmail in stretch!


Andreas
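
One way to keep the debian/configure.ac check discussed above working once SSL_library_init is a macro, as an added example that is not part of the original message or of the Debian packaging: link a test program that includes <openssl/ssl.h>, so the name is resolved through the header exactly as sendmail's own sources resolve it. The variable sm_save_LIBS is a name assumed here; everything else comes from the snippet above.

```m4
dnl Added example, not the package's own configure.ac.
dnl AC_CHECK_LIB links against a bare symbol without including any header,
dnl so it cannot see SSL_library_init once OpenSSL 1.1.0 turns it into a
dnl macro. AC_LINK_IFELSE compiles real code against the header instead,
dnl which works for both the 1.0.2 function and the 1.1.0 macro.
if test "$ac_cv_header_openssl_ssl_h" = yes; then
    dnl sm_save_LIBS is a hypothetical helper variable: the original check
    dnl did not modify LIBS, so restore it afterwards.
    sm_save_LIBS="$LIBS"
    LIBS="-lssl -lcrypto $LIBS"

    AC_MSG_CHECKING([whether libssl links via openssl/ssl.h])
    AC_LINK_IFELSE(
        [AC_LANG_PROGRAM(
            [[#include <openssl/ssl.h>]],
            [[SSL_library_init();]])],
        [sm_have_tls=yes],
        [sm_have_tls=no])
    AC_MSG_RESULT([$sm_have_tls])

    LIBS="$sm_save_LIBS"

    if test "$sm_have_tls" != yes; then
        AC_MSG_WARN([Could not find -lssl (libssl-dev)])
    fi
fi
```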

Kurt Roeckx

Jul 1, 2016, 4:10:03 AM
On Fri, Jul 01, 2016 at 01:47:09AM +0200, Andreas Beckmann wrote:
>
> Since I'm used to neither openssl nor the sendmail source code (and I
> have no use for sendmail at all, now that it passes the piuparts
> tests), I'm not going to write a patch for supporting openssl 1.1.0
> along 1.0.2.
> Instead I'll wait for either a new upstream release or some patch
> showing up somewhere, which may mean stretch could ship without
> sendmail.
>
> Dear users of sendmail: Your help is needed in case you want to
> continue using sendmail in stretch!

It's actually on the release team's list of key source packages.
The errors there should be easy to solve, you just need to know
which functions to use.


Kurt

Sebastian Andrzej Siewior

Sep 12, 2016, 3:10:02 AM
control: tags -1 patch

On 2016-07-01 01:47:09 [+0200], Andreas Beckmann wrote:
> maybe you can help me getting sendmail (which I'm QA maintaining for
> some years now) to work with the new openssl.

> Dear users of sendmail: Your help is needed in case you want to
> continue using sendmail in stretch!

could you please try if the patch attached works? It compiles :)

> Andreas

Sebastian
sendmail-compile-against-openssl-1.1.0.patch

Andreas Beckmann

Sep 12, 2016, 11:20:03 AM
On 2016-09-12 09:02, Sebastian Andrzej Siewior wrote:
> could you please try if the patch attached works? It compiles :)

Many thanks, so let's just try it :-)

It FTBFS on the non-linux architectures:
https://buildd.debian.org/status/package.php?p=sendmail&suite=unstable

It's this part of your patch:

@@ -1002,9 +1047,23 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar

if (bitset(TLS_I_RSA_TMP, req)
# if SM_CONF_SHM
- && ShmId != SM_SHM_NO_ID &&
- (rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL,
- NULL)) == NULL
+ && ShmId != SM_SHM_NO_ID) {
+ BIGNUM *bn;
+
+ bn = BN_new();
+ rsa_tmp = RSA_new();
+ if (!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4)) {
+ RSA_free(rsa_tmp);
+ rsa_tmp = NULL;
+ }
+ if (rsa_tmp) {
+ if (!RSA_generate_key_ex(rsa_tmp, RSA_KEYLENGTH, bn, NULL)) {
+ RSA_free(rsa_tmp);
+ rsa_tmp = NULL;
+ }
+ }
+ BN_free(bn);
+ if (!rsa_tmp
# else /* SM_CONF_SHM */
&& 0 /* no shared memory: no need to generate key now */
# endif /* SM_CONF_SHM */
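
Review bot: In the "# if SM_CONF_SHM" branch the condition is now closed early at "&& ShmId != SM_SHM_NO_ID) {" and a second "if (!rsa_tmp" is started, while the "# else" branch still continues the original condition with "&& 0", so the two preprocessor branches no longer expand to the same statement shape. Suggest moving the BN_new() / RSA_new() / RSA_generate_key_ex() sequence into a small helper that returns the RSA pointer or NULL, so the condition can keep its old form (assign rsa_tmp from the helper and compare against NULL) and no block has to be opened inside the "#if".
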
@@ -1020,6 +1079,7 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
}
return false;
}
+ }
# endif /* !TLS_NO_RSA */

/*
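
Review bot: The closing brace added just before "# endif /* !TLS_NO_RSA */" is compiled unconditionally, but the brace it is meant to close is only opened when SM_CONF_SHM is set, so a build without SM_CONF_SHM ends up with one "}" too many at this point. Either guard this brace with the same "# if SM_CONF_SHM" test or restructure the earlier hunk so that no extra block is opened there.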

The braces don't match the #if scope (opened within SM_CONF_SHM, closed outside).
kfreebsd doesn't seem to have shmem.


Andreas

Sebastian Andrzej Siewior

Sep 12, 2016, 3:20:03 PM
On 2016-09-12 17:15:15 [+0200], Andreas Beckmann wrote:
> Many thanks, so let's just try it :-)
>
> It FTBFS on the non-linux architectures:
> https://buildd.debian.org/status/package.php?p=sendmail&suite=unstable
>
> It's this part of your patch:

Sorry for that. V2 attached. I could throw on a freebsd-* porter box
first if you want me to.

Sebastian
sendmail-compile-against-openssl-1.1.0.patch