Attachment 168521 Details for Bug 208225 – patch-bug7199

[patch] patch-bug7199

patch-bug7199 (text/plain), 8.85 KB, created by Sascha Holzleiter on 2016-03-23 00:20:30 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Sascha Holzleiter

Created: 2016-03-23 00:20:30 UTC

Size: 8.85 KB

patch

obsolete

>--- spamc/libspamc.c
>+++ spamc/libspamc.c
>@@ -1187,7 +1187,7 @@ int message_filter(struct transport *tp,
>     unsigned int throwaway;
>     SSL_CTX *ctx = NULL;
>     SSL *ssl = NULL;
>-    SSL_METHOD *meth;
>+    const SSL_METHOD *meth;
>     char zlib_on = 0;
>     unsigned char *zlib_buf = NULL;
>     int zlib_bufsiz = 0;
>@@ -1213,11 +1213,7 @@ int message_filter(struct transport *tp,
>     if (flags & SPAMC_USE_SSL) {
> #ifdef SPAMC_SSL
> 	SSLeay_add_ssl_algorithms();
>-	if (flags & SPAMC_TLSV1) {
>-	    meth = TLSv1_client_method();
>-	} else {
>-	    meth = SSLv3_client_method(); /* default */
>-	}
>+	meth = SSLv23_client_method();
> 	SSL_load_error_strings();
> 	ctx = SSL_CTX_new(meth);
> #else
>@@ -1596,7 +1592,7 @@ int message_tell(struct transport *tp, c
>     int failureval;
>     SSL_CTX *ctx = NULL;
>     SSL *ssl = NULL;
>-    SSL_METHOD *meth;
>+    const SSL_METHOD *meth;
> 
>     assert(tp != NULL);
>     assert(m != NULL);
>@@ -1604,7 +1600,7 @@ int message_tell(struct transport *tp, c
>     if (flags & SPAMC_USE_SSL) {
> #ifdef SPAMC_SSL
> 	SSLeay_add_ssl_algorithms();
>-	meth = SSLv3_client_method();
>+	meth = SSLv23_client_method();
> 	SSL_load_error_strings();
> 	ctx = SSL_CTX_new(meth);
> #else
>--- spamc/spamc.c
>+++ spamc/spamc.c
>@@ -368,16 +368,11 @@ read_args(int argc, char **argv,
>             case 'S':
>             {
>                 flags |= SPAMC_USE_SSL;
>-		if (!spamc_optarg || (strcmp(spamc_optarg,"sslv3") == 0)) {
>-		    flags |= SPAMC_SSLV3;
>-		}
>-		else if (strcmp(spamc_optarg,"tlsv1") == 0) {
>-		    flags |= SPAMC_TLSV1;
>-		}
>-		else {
>-		    libspamc_log(flags, LOG_ERR, "Please specify a legal ssl version (%s)", spamc_optarg);
>-		    ret = EX_USAGE;
>-		}
>+                if(spamc_optarg) {
>+                    libspamc_log(flags, LOG_ERR,
>+                        "Explicit specification of an SSL/TLS version no longer supported.");
>+                    ret = EX_USAGE;
>+                }
>                 break;
>             }
> #endif
>--- spamd/spamd.raw
>+++ spamd/spamd.raw
>@@ -409,7 +409,6 @@ GetOptions(
>   'sql-config!'              => \$opt{'sql-config'},
>   'ssl'                      => \$opt{'ssl'},
>   'ssl-port=s'               => \$opt{'ssl-port'},
>-  'ssl-version=s'            => \$opt{'ssl-version'},
>   'syslog-socket=s'          => \$opt{'syslog-socket'},
>   'syslog|s=s'               => \$opt{'syslog'},
>   'log-timestamp-fmt:s'      => \$opt{'log-timestamp-fmt'},
>@@ -743,11 +742,6 @@ if ( defined $ENV{'HOME'} ) {
> 
> # Do whitelist later in tmp dir. Side effect: this will be done as -u user.
> 
>-my $sslversion = $opt{'ssl-version'} || 'sslv3';
>-if ($sslversion !~ /^(?:sslv3|tlsv1)$/) {
>-  die "spamd: invalid ssl-version: $opt{'ssl-version'}\n";
>-}
>-
> $opt{'server-key'}  ||= "$LOCAL_RULES_DIR/certs/server-key.pem";
> $opt{'server-cert'} ||= "$LOCAL_RULES_DIR/certs/server-cert.pem";
> 
>@@ -898,9 +892,8 @@ sub compose_listen_info_string {
>                       $socket_info->{ip_addr}, $socket_info->{port}));
> 
>     } elsif ($socket->isa('IO::Socket::SSL')) {
>-      push(@listeninfo, sprintf("SSL [%s]:%s, ssl version %s",
>-                      $socket_info->{ip_addr}, $socket_info->{port},
>-                      $opt{'ssl-version'}||'sslv3'));
>+      push(@listeninfo, sprintf("SSL [%r]:%s", $socket_info->{ip_addr},
>+                      $socket_info->{port}));
>     }
>   }
> 
>@@ -1071,7 +1064,6 @@ sub server_sock_setup_inet {
>     $sockopt{V6Only} = 1  if $io_socket_module_name eq 'IO::Socket::IP'
>                              && IO::Socket::IP->VERSION >= 0.09;
>     %sockopt = (%sockopt, (
>-      SSL_version     => $sslversion,
>       SSL_verify_mode => 0x00,
>       SSL_key_file    => $opt{'server-key'},
>       SSL_cert_file   => $opt{'server-cert'},
>@@ -1092,7 +1084,8 @@ sub server_sock_setup_inet {
>     if (!$server_inet) {
>       $diag = sprintf("could not create %s socket on [%s]:%s: %s",
>                       $ssl ? 'IO::Socket::SSL' : $io_socket_module_name,
>-                      $adr, $port, $!);
>+                      $adr, $port, $ssl && $IO::Socket::SSL::SSL_ERROR ?
>+                      "$!,$IO::Socket::SSL::SSL_ERROR" : $!);
>       push(@diag_fail, $diag);
>     } else {
>       $diag = sprintf("created %s socket on [%s]:%s",
>@@ -3232,7 +3225,6 @@ Options:
>  -H [dir], --helper-home-dir[=dir] Specify a different HOME directory
>  --ssl                             Enable SSL on TCP connections
>  --ssl-port port                   Override --port setting for SSL connections
>- --ssl-version sslversion          Specify SSL protocol version to use
>  --server-key keyfile              Specify an SSL keyfile
>  --server-cert certfile            Specify an SSL certificate
>  --socketpath=path                 Listen on a given UNIX domain socket
>@@ -3720,14 +3712,6 @@ Optionally specifies the port number for
> SSL connections (default: whatever --port uses).  See B<--ssl> for
> more details.
> 
>-=item B<--ssl-version>=I<sslversion>
>-
>-Specify the SSL protocol version to use, one of B<sslv3> or B<tlsv1>.
>-The default, B<sslv3>, is the most flexible, accepting a SSLv3 or
>-higher hello handshake, then negotiating use of SSLv3 or TLSv1
>-protocol if the client can accept it.  Specifying B<--ssl-version>
>-implies B<--ssl>.
>-
> =item B<--server-key> I<keyfile>
> 
> Specify the SSL key file to use for SSL connections.
>--- spamc/spamc.pod
>+++ spamc/spamc.pod
>@@ -177,12 +177,10 @@ The default is 1 time (ie. one attempt a
> Sleep for I<sleep> seconds between failed spamd filtering attempts.
> The default is 1 second.
> 
>-=item B<-S>, B<--ssl>, B<--ssl>=I<sslversion>
>+=item B<-S>, B<--ssl>, B<--ssl>
> 
> If spamc was built with support for SSL, encrypt data to and from the
> spamd process with SSL; spamd must support SSL as well.
>-I<sslversion> specifies the SSL protocol version to use, either
>-C<sslv3>, or C<tlsv1>. The default, is C<sslv3>.
> 
> =item B<-t> I<timeout>, B<--timeout>=I<timeout>
> 
>--- t/spamd_ssl_tls.t
>+++ t/spamd_ssl_tls.t
>@@ -1,28 +0,0 @@
>-#!/usr/bin/perl
>-
>-use lib '.'; use lib 't';
>-use SATest; sa_t_init("spamd_ssl_tls");
>-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);
>-
>-exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);
>-
>-# ---------------------------------------------------------------------------
>-
>-%patterns = (
>-
>-q{ Return-Path: sb55sb55@yahoo.com}, 'firstline',
>-q{ Subject: There yours for FREE!}, 'subj',
>-q{ X-Spam-Status: Yes, score=}, 'status',
>-q{ X-Spam-Flag: YES}, 'flag',
>-q{ X-Spam-Level: **********}, 'stars',
>-q{ TEST_ENDSNUMS}, 'endsinnums',
>-q{ TEST_NOREALNAME}, 'noreal',
>-q{ This must be the very last line}, 'lastline',
>-
>-
>-);
>-
>-ok (sdrun ("-L --ssl --ssl-version=tlsv1 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert",
>-           "--ssl=tlsv1 < data/spam/001",
>-           \&patterns_run_cb));
>-ok_all_patterns();
>--- t/spamd_ssl_v3.t
>+++ t/spamd_ssl_v3.t
>@@ -1,28 +0,0 @@
>-#!/usr/bin/perl
>-
>-use lib '.'; use lib 't';
>-use SATest; sa_t_init("spamd_sslv3");
>-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);
>-
>-exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);
>-
>-# ---------------------------------------------------------------------------
>-
>-%patterns = (
>-
>-q{ Return-Path: sb55sb55@yahoo.com}, 'firstline',
>-q{ Subject: There yours for FREE!}, 'subj',
>-q{ X-Spam-Status: Yes, score=}, 'status',
>-q{ X-Spam-Flag: YES}, 'flag',
>-q{ X-Spam-Level: **********}, 'stars',
>-q{ TEST_ENDSNUMS}, 'endsinnums',
>-q{ TEST_NOREALNAME}, 'noreal',
>-q{ This must be the very last line}, 'lastline',
>-
>-
>-);
>-
>-ok (sdrun ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert",
>-           "--ssl=sslv3 < data/spam/001",
>-           \&patterns_run_cb));
>-ok_all_patterns();
>--- t/spamd_ssl_accept_fail.t
>+++ t/spamd_ssl_accept_fail.t
>@@ -23,9 +23,9 @@ q{ This must be the very last line}, 'la
> 
> );
> 
>-ok (start_spamd ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert"));
>+ok (start_spamd ("-L --ssl --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert"));
> ok (spamcrun ("< data/spam/001", \&patterns_run_cb));
>-ok (spamcrun ("--ssl=sslv3  < data/spam/001", \&patterns_run_cb));
>+ok (spamcrun ("--ssl < data/spam/001", \&patterns_run_cb));
> ok (stop_spamd ());
> 
> ok_all_patterns();
>--- t/spamd_ssl.t
>+++ t/spamd_ssl.t
>@@ -2,10 +2,7 @@
> 
> use lib '.'; use lib 't';
> use SATest; sa_t_init("spamd_ssl");
>-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9),
>-    onfail => sub {
>-	warn "\n\nNote: This may not be a SpamAssassin bug, as some platforms require that you" .
>-	    "\nspecify a protocol in spamc --ssl option, and possibly in spamd --ssl-version.\n\n" };
>+use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);
> 
> exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);
> 
>--- MANIFEST
>+++ MANIFEST
>@@ -511,8 +511,6 @@ t/spamd_report_ifspam.t
> t/spamd_sql_prefs.t
> t/spamd_ssl.t
> t/spamd_ssl_accept_fail.t
>-t/spamd_ssl_tls.t
>-t/spamd_ssl_v3.t
> t/spamd_stop.t
> t/spamd_symbols.t
> t/spamd_syslog.t

Actions: View | Diff

Attachments on bug 208225: 168521