1 Index: spamassassin-3.4.1/spamc/libspamc.c
2 ===================================================================
3 --- spamassassin-3.4.1.orig/spamc/libspamc.c
4 +++ spamassassin-3.4.1/spamc/libspamc.c
5 @@ -1187,7 +1187,7 @@ int message_filter(struct transport *tp,
6 unsigned int throwaway;
10 + const SSL_METHOD *meth;
12 unsigned char *zlib_buf = NULL;
14 @@ -1213,11 +1213,7 @@ int message_filter(struct transport *tp,
15 if (flags & SPAMC_USE_SSL) {
17 SSLeay_add_ssl_algorithms();
18 - if (flags & SPAMC_TLSV1) {
19 - meth = TLSv1_client_method();
21 - meth = SSLv3_client_method(); /* default */
23 + meth = SSLv23_client_method();
24 SSL_load_error_strings();
25 ctx = SSL_CTX_new(meth);
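Review bot: Nothing visible in this hunk sets a protocol floor after `ctx = SSL_CTX_new(meth);`. `SSLv23_client_method()` is the version-negotiating method, so the versions actually accepted depend on the options set on the context and on how the linked OpenSSL was built. If no such call exists further down in message_filter (the body continues outside the hunk), add `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` right after the context is created, so the client refuses to negotiate down to SSLv3. The same applies to the `SSLv23_client_method()` call in the second message_tell hunk. Library callers that still pass SPAMC_TLSV1 in `flags` are now ignored without any diagnostic, which deserves a comment next to the assignment.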
27 @@ -1596,7 +1592,7 @@ int message_tell(struct transport *tp, c
32 + const SSL_METHOD *meth;
36 @@ -1604,7 +1600,7 @@ int message_tell(struct transport *tp, c
37 if (flags & SPAMC_USE_SSL) {
39 SSLeay_add_ssl_algorithms();
40 - meth = SSLv3_client_method();
41 + meth = SSLv23_client_method();
42 SSL_load_error_strings();
43 ctx = SSL_CTX_new(meth);
45 Index: spamassassin-3.4.1/spamc/spamc.c
46 ===================================================================
47 --- spamassassin-3.4.1.orig/spamc/spamc.c
48 +++ spamassassin-3.4.1/spamc/spamc.c
49 @@ -368,16 +368,11 @@ read_args(int argc, char **argv,
52 flags |= SPAMC_USE_SSL;
53 - if (!spamc_optarg || (strcmp(spamc_optarg,"sslv3") == 0)) {
54 - flags |= SPAMC_SSLV3;
56 - else if (strcmp(spamc_optarg,"tlsv1") == 0) {
57 - flags |= SPAMC_TLSV1;
60 - libspamc_log(flags, LOG_ERR, "Please specify a legal ssl version (%s)", spamc_optarg);
64 + libspamc_log(flags, LOG_ERR,
65 + "Explicit specification of an SSL/TLS version no longer supported.");
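Review bot: The new error text does not name the option or tell the user what to pass instead, and it no longer echoes the rejected value as the old message did. A wording such as `"--ssl no longer takes a protocol version; use --ssl with no value (the version is negotiated)."` would make a broken `--ssl=tlsv1` invocation self-explanatory in the log. The condition guarding this call and whatever follows it are outside the visible lines, so it cannot be confirmed from here whether spamc aborts or continues after logging. That should be explicit, since existing scripts that pinned a version will now reach this branch.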
71 Index: spamassassin-3.4.1/spamd/spamd.raw
72 ===================================================================
73 --- spamassassin-3.4.1.orig/spamd/spamd.raw
74 +++ spamassassin-3.4.1/spamd/spamd.raw
75 @@ -409,7 +409,6 @@ GetOptions(
76 'sql-config!' => \$opt{'sql-config'},
77 'ssl' => \$opt{'ssl'},
78 'ssl-port=s' => \$opt{'ssl-port'},
79 - 'ssl-version=s' => \$opt{'ssl-version'},
80 'syslog-socket=s' => \$opt{'syslog-socket'},
81 'syslog|s=s' => \$opt{'syslog'},
82 'log-timestamp-fmt:s' => \$opt{'log-timestamp-fmt'},
83 @@ -743,11 +742,6 @@ if ( defined $ENV{'HOME'} ) {
85 # Do whitelist later in tmp dir. Side effect: this will be done as -u user.
87 -my $sslversion = $opt{'ssl-version'} || 'sslv3';
88 -if ($sslversion !~ /^(?:sslv3|tlsv1)$/) {
89 - die "spamd: invalid ssl-version: $opt{'ssl-version'}\n";
92 $opt{'server-key'} ||= "$LOCAL_RULES_DIR/certs/server-key.pem";
93 $opt{'server-cert'} ||= "$LOCAL_RULES_DIR/certs/server-cert.pem";
95 @@ -898,9 +892,8 @@ sub compose_listen_info_string {
96 $socket_info->{ip_addr}, $socket_info->{port}));
98 } elsif ($socket->isa('IO::Socket::SSL')) {
99 - push(@listeninfo, sprintf("SSL [%s]:%s, ssl version %s",
100 - $socket_info->{ip_addr}, $socket_info->{port},
101 - $opt{'ssl-version'}||'sslv3'));
102 + push(@listeninfo, sprintf("SSL [%r]:%s", $socket_info->{ip_addr},
103 + $socket_info->{port}));
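Review bot: The format string on the added line uses `%r`, which is not a conversion Perl's sprintf recognises, so the listen-info line will not show the address as intended and Perl will warn about an invalid conversion when warnings are enabled. The removed line used `[%s]:%s` and the branch just above still does, so this looks like a typo. It should read `push(@listeninfo, sprintf("SSL [%s]:%s", $socket_info->{ip_addr},`. The rest of compose_listen_info_string is outside the hunk.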
107 @@ -1071,7 +1064,6 @@ sub server_sock_setup_inet {
108 $sockopt{V6Only} = 1 if $io_socket_module_name eq 'IO::Socket::IP'
109 && IO::Socket::IP->VERSION >= 0.09;
110 %sockopt = (%sockopt, (
111 - SSL_version => $sslversion,
112 SSL_verify_mode => 0x00,
113 SSL_key_file => $opt{'server-key'},
114 SSL_cert_file => $opt{'server-cert'},
115 @@ -1092,7 +1084,8 @@ sub server_sock_setup_inet {
117 $diag = sprintf("could not create %s socket on [%s]:%s: %s",
118 $ssl ? 'IO::Socket::SSL' : $io_socket_module_name,
120 + $adr, $port, $ssl && $IO::Socket::SSL::SSL_ERROR ?
121 + "$!,$IO::Socket::SSL::SSL_ERROR" : $!);
122 push(@diag_fail, $diag);
124 $diag = sprintf("created %s socket on [%s]:%s",
125 @@ -3232,7 +3225,6 @@ Options:
126 -H [dir], --helper-home-dir[=dir] Specify a different HOME directory
127 --ssl Enable SSL on TCP connections
128 --ssl-port port Override --port setting for SSL connections
129 - --ssl-version sslversion Specify SSL protocol version to use
130 --server-key keyfile Specify an SSL keyfile
131 --server-cert certfile Specify an SSL certificate
132 --socketpath=path Listen on a given UNIX domain socket
133 @@ -3720,14 +3712,6 @@ Optionally specifies the port number for
134 SSL connections (default: whatever --port uses). See B<--ssl> for
137 -=item B<--ssl-version>=I<sslversion>
139 -Specify the SSL protocol version to use, one of B<sslv3> or B<tlsv1>.
140 -The default, B<sslv3>, is the most flexible, accepting a SSLv3 or
141 -higher hello handshake, then negotiating use of SSLv3 or TLSv1
142 -protocol if the client can accept it. Specifying B<--ssl-version>
145 =item B<--server-key> I<keyfile>
147 Specify the SSL key file to use for SSL connections.
148 Index: spamassassin-3.4.1/spamc/spamc.pod
149 ===================================================================
150 --- spamassassin-3.4.1.orig/spamc/spamc.pod
151 +++ spamassassin-3.4.1/spamc/spamc.pod
152 @@ -177,12 +177,10 @@ The default is 1 time (ie. one attempt a
153 Sleep for I<sleep> seconds between failed spamd filtering attempts.
154 The default is 1 second.
156 -=item B<-S>, B<--ssl>, B<--ssl>=I<sslversion>
157 +=item B<-S>, B<--ssl>, B<--ssl>
159 If spamc was built with support for SSL, encrypt data to and from the
160 spamd process with SSL; spamd must support SSL as well.
161 -I<sslversion> specifies the SSL protocol version to use, either
162 -C<sslv3>, or C<tlsv1>. The default, is C<sslv3>.
164 =item B<-t> I<timeout>, B<--timeout>=I<timeout>
166 Index: spamassassin-3.4.1/t/spamd_ssl_tls.t
167 ===================================================================
168 --- spamassassin-3.4.1.orig/t/spamd_ssl_tls.t
173 -use lib '.'; use lib 't';
174 -use SATest; sa_t_init("spamd_ssl_tls");
175 -use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);
177 -exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);
179 -# ---------------------------------------------------------------------------
183 -q{ Return-Path: sb55sb55@yahoo.com}, 'firstline',
184 -q{ Subject: There yours for FREE!}, 'subj',
185 -q{ X-Spam-Status: Yes, score=}, 'status',
186 -q{ X-Spam-Flag: YES}, 'flag',
187 -q{ X-Spam-Level: **********}, 'stars',
188 -q{ TEST_ENDSNUMS}, 'endsinnums',
189 -q{ TEST_NOREALNAME}, 'noreal',
190 -q{ This must be the very last line}, 'lastline',
195 -ok (sdrun ("-L --ssl --ssl-version=tlsv1 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert",
196 - "--ssl=tlsv1 < data/spam/001",
197 - \&patterns_run_cb));
199 Index: spamassassin-3.4.1/t/spamd_ssl_v3.t
200 ===================================================================
201 --- spamassassin-3.4.1.orig/t/spamd_ssl_v3.t
206 -use lib '.'; use lib 't';
207 -use SATest; sa_t_init("spamd_sslv3");
208 -use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);
210 -exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);
212 -# ---------------------------------------------------------------------------
216 -q{ Return-Path: sb55sb55@yahoo.com}, 'firstline',
217 -q{ Subject: There yours for FREE!}, 'subj',
218 -q{ X-Spam-Status: Yes, score=}, 'status',
219 -q{ X-Spam-Flag: YES}, 'flag',
220 -q{ X-Spam-Level: **********}, 'stars',
221 -q{ TEST_ENDSNUMS}, 'endsinnums',
222 -q{ TEST_NOREALNAME}, 'noreal',
223 -q{ This must be the very last line}, 'lastline',
228 -ok (sdrun ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert",
229 - "--ssl=sslv3 < data/spam/001",
230 - \&patterns_run_cb));
232 Index: spamassassin-3.4.1/t/spamd_ssl_accept_fail.t
233 ===================================================================
234 --- spamassassin-3.4.1.orig/t/spamd_ssl_accept_fail.t
235 +++ spamassassin-3.4.1/t/spamd_ssl_accept_fail.t
236 @@ -23,9 +23,9 @@ q{ This must be the very last line}, 'la
240 -ok (start_spamd ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert"));
241 +ok (start_spamd ("-L --ssl --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert"));
242 ok (spamcrun ("< data/spam/001", \&patterns_run_cb));
243 -ok (spamcrun ("--ssl=sslv3 < data/spam/001", \&patterns_run_cb));
244 +ok (spamcrun ("--ssl < data/spam/001", \&patterns_run_cb));
248 Index: spamassassin-3.4.1/t/spamd_ssl.t
249 ===================================================================
250 --- spamassassin-3.4.1.orig/t/spamd_ssl.t
251 +++ spamassassin-3.4.1/t/spamd_ssl.t
254 use lib '.'; use lib 't';
255 use SATest; sa_t_init("spamd_ssl");
256 -use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9),
258 - warn "\n\nNote: This may not be a SpamAssassin bug, as some platforms require that you" .
259 - "\nspecify a protocol in spamc --ssl option, and possibly in spamd --ssl-version.\n\n" };
260 +use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);
262 exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);
264 Index: spamassassin-3.4.1/MANIFEST
265 ===================================================================
266 --- spamassassin-3.4.1.orig/MANIFEST
267 +++ spamassassin-3.4.1/MANIFEST
268 @@ -511,8 +511,6 @@ t/spamd_report_ifspam.t
271 t/spamd_ssl_accept_fail.t