From nobody Thu Mar 31 20:01:42 2022 X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id E1E841A526E8; Thu, 31 Mar 2022 20:01:44 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KTvMW4g2Wz3v1D; Thu, 31 Mar 2022 20:01:43 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1648756904; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ScF76ZuqK9gfEeJFzsRSEi8JzgW1i2IxOUbcQfl8L/c=; b=eYgxZws78QsX7NINn+uUPTjxBezL9AbjNv2d2cWl8ZrlrMQgpMVoJOdmfU5fdWMfVBsb6T c9zxUGqyToB+9UHeDDGUW8s6TdYoRvixSMI8Gy8v8ajLSLEJbvi7sVFUwyhHrK6JzDeEgD T96z4AXL5fZh8eMD2oQG3Bwz4VaOLYT0jx9DogzYzLbujIEAeUxhWDzzRRMDDFVtxWsTU+ TAXcvmV1iH4nftnh+ykC6lsCdd8lxet6fnH9t4vtT0nxhb4BNkh57GPPUSabrW+27njMb8 lDWjKuP6opDjD8UwiZ1K0/OoHl0ws9bu11nE2tajJpZMr5GsNDjqwkfIFiNO+g== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 19AA92E02C; Thu, 31 Mar 2022 20:01:43 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 22VK1gUG019800; Thu, 31 Mar 2022 20:01:42 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 22VK1g0R019799; Thu, 31 Mar 2022 20:01:42 GMT (envelope-from git) Date: Thu, 31 Mar 2022 20:01:42 GMT Message-Id: <202203312001.22VK1g0R019799@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Dima Panov Subject: git: d5f03fef61f8 - main - mail/exim: port TLS patches from upstream (+) List-Id: Commits to the main branch of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-main@freebsd.org X-BeenThere: dev-commits-ports-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: fluffy X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: d5f03fef61f8dd05ac7308ad148e2a98e598fdcc Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1648756904; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ScF76ZuqK9gfEeJFzsRSEi8JzgW1i2IxOUbcQfl8L/c=; b=B83HsRobm9m7ExuhSUSKJz0pDLsb7S4pM2ORllxy8npqO3Ohw2HG7jHoS121IC/BNQ3vlU U/ZrY681uslvk9xBNVdC3RQq3DnlTv1BVpp5tPNplv4ujCVwAtrFCOQ9Z3nJ0jTFRc90Av ehV633wBg7xucI1fkbOqYoNXr/lZafoJjF14q4N5OtP4MNfKnZgGvQL4ckYrv5aO5nkOzY /lfmYW8glCc0Zn0fqJJlhUWfUQDy25idV5L0EeX5UQjlBARulKjWBI18nQpEMbMqnFFZmW iVyPOUInoJ9P3/pPNAj+hRfMHkeO1uXO3DOVU1VAtdT/fY4GLfITz8pDu2eJVg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1648756904; a=rsa-sha256; cv=none; b=A8NF8i/jyRGyPWzmeXiXkpODVR6p2EzQv1kBIBNCXPzVUQVJ6yCH0reOyozv0FrlHTUSg2 ChxPZfmbtWQ8rRZls3PZG0SKLoI2rjPwQhxyViigXwlPxvzL9gcnMttwEdIJ3OASglbXHl edDZ0l1KF18EFBJqtzZLa81GAlv9D23J3bhtpag+nvWAMRD56AZyGQmsdiNvrfmV9/jg3m 9W3Hi+SZovOPpteg2U/U3BJiZOhIjS7jInUfpugz6GN7d/hKlijjrcXCSU1Q2YG3BqJaps 3u5Nr4zmOhvIq9ccB+wNfEwKv+KAJ5Zw32Y6/ltJ9wCJJ9VxtsKLQMef3Zetkw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by fluffy: URL: https://cgit.FreeBSD.org/ports/commit/?id=d5f03fef61f8dd05ac7308ad148e2a98e598fdcc commit d5f03fef61f8dd05ac7308ad148e2a98e598fdcc Author: Dima Panov AuthorDate: 2022-03-31 19:57:25 +0000 Commit: Dima Panov CommitDate: 2022-03-31 19:57:25 +0000 mail/exim: port TLS patches from upstream (+) This fixes hang in TLS transport after 4xx or 5xx bug (see https://bugs.exim.org/show_bug.cgi?id=2864) PR: 262594 Tested by: Kurt Jaeger, David Siebörger --- mail/exim/Makefile | 7 +- mail/exim/files/tls/patch-tls1 | 43 ++++++++++ mail/exim/files/tls/patch-tls2 | 174 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 223 insertions(+), 1 deletion(-) diff --git a/mail/exim/Makefile b/mail/exim/Makefile index 614fd1f88b0a..d6c7c6ffc8b1 100644 --- a/mail/exim/Makefile +++ b/mail/exim/Makefile @@ -2,7 +2,7 @@ PORTNAME= exim PORTVERSION?= ${EXIM_VERSION} -PORTREVISION?= 3 +PORTREVISION?= 4 CATEGORIES= mail MASTER_SITES= EXIM:exim MASTER_SITE_SUBDIR= /exim4/:exim \ @@ -77,6 +77,11 @@ EXTRA_PATCHES= \ ${DEBIAN_PATCHES_PREFIX}_50-Fix-include_directory-in-redirect-routers.-Bug-2715.patch:-p1 \ ${DEBIAN_PATCHES_PREFIX}_55-Specific-check-for-null-pointer.patch:-p1 +TLS_PATCHES_PREFIX= ${FILESDIR}/tls/ +EXTRA_PATCHES+= \ + ${TLS_PATCHES_PREFIX}patch-tls1:-p1 \ + ${TLS_PATCHES_PREFIX}patch-tls2:-p1 + .include # OCSP is supported for openssl only diff --git a/mail/exim/files/tls/patch-tls1 b/mail/exim/files/tls/patch-tls1 new file mode 100644 index 000000000000..d76d5589b2bb --- /dev/null +++ b/mail/exim/files/tls/patch-tls1 @@ -0,0 +1,43 @@ +From fc624b8cb4c3312d7450dfa86adfa3fe8dd9cbeb Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Tue, 11 Jan 2022 14:50:09 +0000 +Subject: [PATCH] Ensure server tls close alert not delayed + +--- + src/src/tls-gnu.c | 5 +++++ + src/src/tls-openssl.c | 3 +++ + 2 files changed, 8 insertions(+) + +diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c +index 53635ac..3adadb8 100644 +--- a/src/tls-gnu.c ++++ b/src/tls-gnu.c +@@ -3731,6 +3731,11 @@ if (do_shutdown) + + tls_write(ct_ctx, NULL, 0, FALSE); /* flush write buffer */ + ++#ifdef EXIM_TCP_CORK ++ if (do_shutdown > 1) ++ (void) setsockopt(tlsp->active.sock, IPPROTO_TCP, EXIM_TCP_CORK, US &off, sizeof(off)); ++#endif ++ + ALARM(2); + gnutls_bye(state->session, do_shutdown > 1 ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR); + ALARM_CLR(0); +diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c +index 5130455..576f62b 100644 +--- a/src/tls-openssl.c ++++ b/src/tls-openssl.c +@@ -4516,6 +4516,9 @@ if (do_shutdown) + if ( (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */ + && do_shutdown > 1) + { ++#ifdef EXIM_TCP_CORK ++ (void) setsockopt(*fdp, IPPROTO_TCP, EXIM_TCP_CORK, US &off, sizeof(off)); ++#endif + ALARM(2); + rc = SSL_shutdown(*sslp); /* wait for response */ + ALARM_CLR(0); +-- +1.9.1 + diff --git a/mail/exim/files/tls/patch-tls2 b/mail/exim/files/tls/patch-tls2 new file mode 100644 index 000000000000..e88c127fd374 --- /dev/null +++ b/mail/exim/files/tls/patch-tls2 @@ -0,0 +1,174 @@ +From 2ead369f8435918f3f15408b9394e580bcaf0910 Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Thu, 10 Mar 2022 15:23:26 +0000 +Subject: [PATCH] OpenSSL: track shutdown calls. Bug 2864 + +--- + doc/doc-txt/ChangeLog | 5 +++++ + src/src/macros.h | 7 ++++--- + src/src/tls-gnu.c | 10 +++++++--- + src/src/tls-openssl.c | 13 ++++++++----- + src/src/transports/smtp.c | 19 +++++++++++++------ + 5 files changed, 37 insertions(+), 17 deletions(-) + +diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog +index 5ba587b..1c799b6 100644 +--- a/doc/ChangeLog ++++ b/doc/ChangeLog +@@ -95,6 +95,11 @@ JH/21 Remove the "allow_insecure_tainted_data" main config option and the + JH/22 Fix static address-list lookups to properly return the matched item. + Previously only the domain part was returned. + ++JH/23 Bug 2864: FreeBSD: fix transport hang after 4xx/5xx response. Previously ++ the call into OpenSSL to send a TLS Close was being repeated; this ++ resulted in the library waiting for the peer's Close. If that was never ++ sent we waited forever. Fix by tracking send calls. ++ + + Exim version 4.95 + ----------------- +diff --git a/src/src/macros.h b/src/src/macros.h +index 92f2cc0..659a70f 100644 +--- a/src/macros.h ++++ b/src/macros.h +@@ -1051,9 +1051,10 @@ enum { FILTER_UNSET, FILTER_FORWARD, FILTER_EXIM, FILTER_SIEVE }; + + + /* Options on tls_close */ +-#define TLS_NO_SHUTDOWN 0 +-#define TLS_SHUTDOWN_NOWAIT 1 +-#define TLS_SHUTDOWN_WAIT 2 ++#define TLS_NO_SHUTDOWN 0 /* Just forget the context */ ++#define TLS_SHUTDOWN_NOWAIT 1 /* Send alert; do not wait */ ++#define TLS_SHUTDOWN_WAIT 2 /* Send alert & wait for peer's alert */ ++#define TLS_SHUTDOWN_WONLY 3 /* only wait for peer's alert */ + + + #ifdef COMPILE_UTILITY +diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c +index 1215f85..6227823 100644 +--- a/src/tls-gnu.c ++++ b/src/tls-gnu.c +@@ -3744,17 +3744,21 @@ if (!tlsp || tlsp->active.sock < 0) return; /* TLS was not active */ + if (do_shutdown) + { + DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n", +- do_shutdown > 1 ? " (with response-wait)" : ""); ++ do_shutdown > TLS_SHUTDOWN_NOWAIT ? " (with response-wait)" : ""); + + tls_write(ct_ctx, NULL, 0, FALSE); /* flush write buffer */ + + #ifdef EXIM_TCP_CORK +- if (do_shutdown > 1) ++ if (do_shutdown == TLS_SHUTDOWN_WAIT) + (void) setsockopt(tlsp->active.sock, IPPROTO_TCP, EXIM_TCP_CORK, US &off, sizeof(off)); + #endif + ++ /* The library seems to have no way to only wait for a peer's ++ shutdown, so handle the same as TLS_SHUTDOWN_WAIT */ ++ + ALARM(2); +- gnutls_bye(state->session, do_shutdown > 1 ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR); ++ gnutls_bye(state->session, ++ do_shutdown > TLS_SHUTDOWN_NOWAIT ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR); + ALARM_CLR(0); + } + +diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c +index d5c5778..7bf62f5 100644 +--- a/src/tls-openssl.c ++++ b/src/tls-openssl.c +@@ -4519,22 +4519,25 @@ int * fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock; + + if (*fdp < 0) return; /* TLS was not active */ + +-if (do_shutdown) ++if (do_shutdown > TLS_NO_SHUTDOWN) + { + int rc; + DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n", +- do_shutdown > 1 ? " (with response-wait)" : ""); ++ do_shutdown > TLS_SHUTDOWN_NOWAIT ? " (with response-wait)" : ""); + + tls_write(ct_ctx, NULL, 0, FALSE); /* flush write buffer */ + +- if ( (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */ +- && do_shutdown > 1) ++ if ( ( do_shutdown >= TLS_SHUTDOWN_WONLY ++ || (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */ ++ ) ++ && do_shutdown > TLS_SHUTDOWN_NOWAIT ++ ) + { + #ifdef EXIM_TCP_CORK + (void) setsockopt(*fdp, IPPROTO_TCP, EXIM_TCP_CORK, US &off, sizeof(off)); + #endif + ALARM(2); +- rc = SSL_shutdown(*sslp); /* wait for response */ ++ rc = SSL_shutdown(*sslp); /* wait for response */ + ALARM_CLR(0); + } + +diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c +index e2c2680..524f186 100644 +--- a/src/transports/smtp.c ++++ b/src/transports/smtp.c +@@ -4085,7 +4085,7 @@ else + sx->send_quit = FALSE; /* avoid sending it later */ + + #ifndef DISABLE_TLS +- if (sx->cctx.tls_ctx) /* need to send TLS Close Notify */ ++ if (sx->cctx.tls_ctx && sx->send_tlsclose) /* need to send TLS Close Notify */ + { + # ifdef EXIM_TCP_CORK /* Use _CORK to get Close Notify in FIN segment */ + (void) setsockopt(sx->cctx.sock, IPPROTO_TCP, EXIM_TCP_CORK, US &on, sizeof(on)); +@@ -4429,7 +4429,8 @@ if (!sx->ok) + # ifndef DISABLE_TLS + if (sx->cctx.tls_ctx) + { +- tls_close(sx->cctx.tls_ctx, TLS_SHUTDOWN_WAIT); ++ tls_close(sx->cctx.tls_ctx, ++ sx->send_tlsclose ? TLS_SHUTDOWN_WAIT : TLS_SHUTDOWN_WONLY); + sx->cctx.tls_ctx = NULL; + } + # endif +@@ -4640,7 +4641,8 @@ if (sx->completed_addr && sx->ok && sx->send_quit) + a new EHLO. If we don't get a good response, we don't attempt to pass + the socket on. */ + +- tls_close(sx->cctx.tls_ctx, TLS_SHUTDOWN_WAIT); ++ tls_close(sx->cctx.tls_ctx, ++ sx->send_tlsclose ? TLS_SHUTDOWN_WAIT : TLS_SHUTDOWN_WONLY); + sx->send_tlsclose = FALSE; + sx->cctx.tls_ctx = NULL; + tls_out.active.sock = -1; +@@ -4742,7 +4744,7 @@ if (sx->send_quit) + { /* Use _MORE to get QUIT in FIN segment */ + (void)smtp_write_command(sx, SCMD_MORE, "QUIT\r\n"); + #ifndef DISABLE_TLS +- if (sx->cctx.tls_ctx) ++ if (sx->cctx.tls_ctx && sx->send_tlsclose) + { + # ifdef EXIM_TCP_CORK /* Use _CORK to get TLS Close Notify in FIN segment */ + (void) setsockopt(sx->cctx.sock, IPPROTO_TCP, EXIM_TCP_CORK, US &on, sizeof(on)); +@@ -4797,10 +4799,15 @@ if (sx->send_quit || tcw_done && !tcw) + while (!sigalrm_seen && n > 0); + ALARM_CLR(0); + ++ if (sx->send_tlsclose) ++ { + # ifdef EXIM_TCP_CORK +- (void) setsockopt(sx->cctx.sock, IPPROTO_TCP, EXIM_TCP_CORK, US &on, sizeof(on)); ++ (void) setsockopt(sx->cctx.sock, IPPROTO_TCP, EXIM_TCP_CORK, US &on, sizeof(on)); + # endif +- tls_close(sx->cctx.tls_ctx, TLS_SHUTDOWN_WAIT); ++ tls_close(sx->cctx.tls_ctx, TLS_SHUTDOWN_WAIT); ++ } ++ else ++ tls_close(sx->cctx.tls_ctx, TLS_SHUTDOWN_WONLY); + sx->cctx.tls_ctx = NULL; + } + #endif +-- +1.9.1 +