From owner-svn-src-all@freebsd.org  Wed Mar 18 18:22:00 2020
Return-Path: <owner-svn-src-all@freebsd.org>
Delivered-To: svn-src-all@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 351292689D3;
 Wed, 18 Mar 2020 18:22:00 +0000 (UTC) (envelope-from hrs@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 48jJKM3kPDz3NJ3;
 Wed, 18 Mar 2020 18:21:59 +0000 (UTC) (envelope-from hrs@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 5C1F0260B5;
 Wed, 18 Mar 2020 18:21:59 +0000 (UTC) (envelope-from hrs@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 02IILxXQ014043;
 Wed, 18 Mar 2020 18:21:59 GMT (envelope-from hrs@FreeBSD.org)
Received: (from hrs@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id 02IILxet014042;
 Wed, 18 Mar 2020 18:21:59 GMT (envelope-from hrs@FreeBSD.org)
Message-Id: <202003181821.02IILxet014042@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: hrs set sender to hrs@FreeBSD.org
 using -f
From: Hiroki Sato <hrs@FreeBSD.org>
Date: Wed, 18 Mar 2020 18:21:59 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org
Subject: svn commit: r359081 - stable/12/contrib/sendmail/src
X-SVN-Group: stable-12
X-SVN-Commit-Author: hrs
X-SVN-Commit-Paths: stable/12/contrib/sendmail/src
X-SVN-Commit-Revision: 359081
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all/>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Mar 2020 18:22:00 -0000

Author: hrs
Date: Wed Mar 18 18:21:58 2020
New Revision: 359081
URL: https://svnweb.freebsd.org/changeset/base/359081

Log:
  MFC of r358404, r358410, r358412, and r358413:
  
  Fix broken STARTTLS when SharedMemoryKey is enabled.
  
  OpenSSL 1.1 API patch for sendmail had a bug which
  prevented sm_RSA_generate_key() function from working.
  This function is used to generate a temporary RSA key
  for a shared memory region used for TLS processing.
  Note that 12.0 and 12.1-RELEASE include this bug.
  
  This affects only if SM_CONF_SHM compile-time
  option (enabled by default) and SharedMemoryKey
  run-time option (not enabled by default) in a .cf file are
  specified.  The latter corresponds to confSHARED_MEMORY_KEY in
  a .mc file.
  
  Fix style inconsistencies.
  
  Do not free p and g parameters after calling DH_set0_pqg(3).
  
  PR:		242861
  Differential Revision:	https://reviews.freebsd.org/D23734

Modified:
  stable/12/contrib/sendmail/src/tls.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/contrib/sendmail/src/tls.c
==============================================================================
--- stable/12/contrib/sendmail/src/tls.c	Wed Mar 18 18:20:55 2020	(r359080)
+++ stable/12/contrib/sendmail/src/tls.c	Wed Mar 18 18:21:58 2020	(r359081)
@@ -56,10 +56,10 @@ DH_set0_pqg(dh, p, q, g)
 	BIGNUM *q;
 	BIGNUM *g;
 {
-	dh->p=p;
+	dh->p = p;
 	if (q != NULL)
-		dh->q=q;
-	dh->g=g;
+		dh->q = q;
+	dh->g = g;
 	return 1; /* success */
 }
 # endif /* !defined() || OPENSSL_VERSION_NUMBER < 0x00907000L */
@@ -83,20 +83,25 @@ static unsigned char dh512_g[] =
 static DH *
 get_dh512()
 {
-	DH *dh = NULL;
+	DH *dh;
 	BIGNUM *dhp_bn, *dhg_bn;
 
 	if ((dh = DH_new()) == NULL)
 		return NULL;
 	dhp_bn = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
 	dhg_bn = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
-	if ((dhp_bn == NULL) || (dhg_bn == NULL) || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn))
+	if ((dhp_bn == NULL) || (dhg_bn == NULL))
 	{
 		DH_free(dh);
 		BN_free(dhp_bn);
 		BN_free(dhg_bn);
-		return(NULL);
+		return NULL;
 	}
+	if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn))
+	{
+		DH_free(dh);
+		return NULL;
+	}
 	return dh;
 }
 
@@ -117,7 +122,7 @@ oK0jjSXgFyeU4/NfyA+zuNeWzUL6bHmigwIBAg==
 static DH *
 get_dh2048()
 {
-	static unsigned char dh2048_p[]={
+	static unsigned char dh2048_p[] = {
 		0xAC,0x37,0x20,0x70,0xBA,0x71,0x12,0x4B,0x10,0x1C,0xF9,0x68,
 		0x95,0x12,0x82,0x50,0x9D,0xAC,0xCC,0xA4,0x73,0x8A,0xC7,0x96,
 		0x57,0xD7,0x14,0x49,0x03,0x59,0x1B,0x1A,0x06,0xC3,0xB2,0xA4,
@@ -141,22 +146,27 @@ get_dh2048()
 		0xE3,0xF3,0x5F,0xC8,0x0F,0xB3,0xB8,0xD7,0x96,0xCD,0x42,0xFA,
 		0x6C,0x79,0xA2,0x83,
 		};
-	static unsigned char dh2048_g[]={ 0x02, };
+	static unsigned char dh2048_g[] = { 0x02, };
 	DH *dh;
 	BIGNUM *dhp_bn, *dhg_bn;
 
-	if ((dh=DH_new()) == NULL)
-		return(NULL);
-	dhp_bn = BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
-	dhg_bn = BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
-	if ((dhp_bn == NULL) || (dhg_bn == NULL) || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn))
+	if ((dh = DH_new()) == NULL)
+		return NULL;
+	dhp_bn = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
+	dhg_bn = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
+	if ((dhp_bn == NULL) || (dhg_bn == NULL))
 	{
 		DH_free(dh);
 		BN_free(dhp_bn);
 		BN_free(dhg_bn);
-		return(NULL);
+		return NULL;
 	}
-	return(dh);
+	if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn))
+	{
+		DH_free(dh);
+		return NULL;
+	}
+	return dh;
 }
 # endif /* !NO_DH */
 
@@ -744,19 +754,16 @@ sm_RSA_generate_key(num, e)
 	unsigned long e;
 {
 	RSA *rsa = NULL;
-        BIGNUM *bn_rsa_r4;
-	int rc;
+	BIGNUM *bn_rsa_r4;
 
 	bn_rsa_r4 = BN_new();
-        rc = BN_set_word(bn_rsa_r4, RSA_F4);
-	if ((bn_rsa_r4 != NULL) && BN_set_word(bn_rsa_r4, RSA_F4) && (rsa = RSA_new()) != NULL)
+	if ((bn_rsa_r4 != NULL) && BN_set_word(bn_rsa_r4, e) && (rsa = RSA_new()) != NULL)
 	{
-		if (!RSA_generate_key_ex(rsa, RSA_KEYLENGTH, bn_rsa_r4, NULL))
+		if (!RSA_generate_key_ex(rsa, num, bn_rsa_r4, NULL))
 		{
 			RSA_free(rsa);
 			rsa = NULL;
 		}
-		return NULL;
 	}
 	BN_free(bn_rsa_r4);
 	return rsa;
@@ -1263,7 +1270,7 @@ inittls(ctx, req, options, srv, certfile, keyfile, cac
 			if (tTd(96, 2))
 				sm_dprintf("inittls: Generating %d bit DH parameters\n", bits);
 
-			dsa=DSA_new();
+			dsa = DSA_new();
 			/* this takes a while! */
 			(void)DSA_generate_parameters_ex(dsa, bits, NULL, 0,
 							 NULL, NULL, NULL);