gentoo auto-resync : 03:01:2023 - 14:26:21

3 files changed, 305 insertions, 7 deletions

diff --git a/mail-mta/exim/Manifest b/mail-mta/exim/Manifest
index 41d122febc71..0d8b2980c805 100644
--- a/mail-mta/exim/Manifest
+++ b/mail-mta/exim/Manifest
@@ -10,7 +10,7 @@ AUX exim-4.94-localscan_dlopen.patch 9595 BLAKE2B c48eaaf486585890dc4028beaca7a3
 AUX exim-4.94-maildir.patch 316 BLAKE2B fe0b27712e77eba83244434c33372cec47fa317026d159de7a0ac37f2563999a6470df2dc203c1fcda8e7074c949133a0311c2b94c4b48bbc46d64c7c486202c SHA512 13863226883f79dcc781fe8eb3b50ad3c5511af130cf6e41ce40e8543d46832668bd7d746a2cc67842748cdf26144bef4aece49397d3168819215eac93ca1e6e
 AUX exim-4.94-opendmarc-1.4.patch 506 BLAKE2B d8ba66e1165dffb9ba367b997d69090fa8b31aa6ce3cb17d6ade4bd3b3dabf2a2d93223106eeb7f39754397eb17979e66d52de8dc2d524de9019c9598cd89af6 SHA512 6145f07c0b5b4234160fd3480329759a06500b658643523f32bcfa9158258a9b708095725f2e56d5538567f888c5e0e954c4ac51c8f2d16921dc4950241cd2fc
 AUX exim-4.94.2-fix-crash-resolve.patch 809 BLAKE2B cd9d3d923510315f75a3bad8c56b89b59782f9af8523a794845b1163c0bac5682f311a86eda1b8e78396d77c159629ef5186416626ebe627d723e17e3b388afc SHA512 a00960409e835dd067c88b4cb34953bc9343417ddfd448f5042b1597bc127f95937a5d8786d6f3ae347654842344d61ec268c7ed37e0f05c79ef7c530f741a7b
-AUX exim-4.94.2-openssl3.patch 1101 BLAKE2B 5b7b146a21a3f9d725eca200247221cb57d89aab69f365ea252a9dc9ecb53e534e7b49405de18764b9d9038a0d7389785bd719d2ada118c50b417313b94d7286 SHA512 c3971b246c74b13bcd3a3c6bfad88cf3ec275c9ff47399b95056c6cf45a39293cb44be17d321803ac4500a6e01e99b066910d3e3bc79e9316c8ee13a0d1cae28
+AUX exim-4.94.2-openssl3.patch 10345 BLAKE2B 81d44f9f13522c5f4cdffae14a960d20f9ad926b57f403116fd3cf31ebf8ba73de058b4e6e20817c4f0890ba94eff6a8552d9ab817963a0e11d46e336eb811d6 SHA512 4814e0968bd5e3a9eb12c6b7cb22253eb0e98438b3a9aa58d7e6c5a18913a66578d406c9b01c5afcc566b40943e1e9ecb303237298ab289e830e1e55257c2475
 AUX exim-4.95-localscan_dlopen.patch 7621 BLAKE2B 6df3c1acb585dc87759e056f7bb44e50219812c3ca41364fff77942cc2d6f7452d8f4c158f17295bc586eeacc8048e24f767bab0464d300a7cb7d357c63bedd9 SHA512 1cf52ac9637a753ff7257c274bc09591a8c761fc6599cbb2cceb213272573c371dbc5db6b028c2f745989013c21af54c45facf5f2bf5c87742e299c12a9b8a1b
 AUX exim-4.96-dmarc_use_after_free.patch 1026 BLAKE2B 6d94bfd5f313afa826d247d7a88a1cbf7a3d2e5124dcd69767b131740030d2793306eca80c5de2206f7d7f683e117ffbbaccace947a2ad726b6adb2b3dcb0fc8 SHA512 c1e61b5d85563265eb14b5ba8c88cd6bc78d0ad3730051f57408fa43d16a2eeeb98d8890d0dc7b36f9aaea284c5b0a890fb8db824666ee31b462084be14a7156
 AUX exim-submission.socket 161 BLAKE2B 409a5a687897af369a6a2ff0c30564096cc6b308dbc5d0afb6742df44d2aa972e45bad9681d2cb72be9731b260d23fdadb80bae644e7b875af5e34e9c8b8b40f SHA512 4a233761793e3510e9efa5aad3a6098c41b757f13133a7ea825680f2b393aba8d7935f16bf1dd065dde884fe7ba45639a8d398333a7d9bf0a6b72f88c8f2a09d
@@ -26,7 +26,7 @@ DIST exim-4.96.tar.xz 1879152 BLAKE2B 4b424f2ebc661bd0db35d7f6da86300c6d5cb5b9a5
 DIST exim-pdf-4.94.2.tar.xz 2092248 BLAKE2B 973ab4f117fdb58afa017bc41b4496fac1277e707a9926d67317c455b0bd617021c17cba6c8d793d8962aacef12c0790d5add7174017512b7b1ea070f8e8533d SHA512 3a661f69d81a992798d4b7e5b7def7cfffa297a7b3c02a6631be426cefff5a6e8783fa322a1bd105d01f7b06968d01e77963e6ab7be3157f63eb62eb6ff172b0
 DIST exim-pdf-4.96.tar.xz 2137468 BLAKE2B 7f61767f91864c43a3b7b6ca36ec7f41da6ad7029687a38cfa9307c444c2ffbd3eb61d45645ffd20ec16ba64a37e1ff08c02e7e4e36499c7783679af9a399081 SHA512 05e94579631656330d95d237c58bc9fd52229a067c5846e7c3409b4c83040c9216819bcb0090673d9991fd59e2c2025340592b31b241b557c6775782106854d1
 DIST system_filter.exim.gz 3075 BLAKE2B d05e872b5cef377d29126cda03fc0a74c8777b2119b76ff43da6e8de808035eb9bfcb034a85d81824f135d484e864bfc0629fc1af2c228a7277d5ee7cf9cde79 SHA512 cb358d3ce2499a0bb5920d962a06f2af8486e55ec90c8c928bd8e3aefb279aa57f5f960d5adfcef68bd94110b405eaa144e9629cfe6014a529c79c544600bbf3
-EBUILD exim-4.94.2-r11.ebuild 16251 BLAKE2B 4df92f7a561416a439fbdfc7e0dbbdf2e04d4dbf8a0f205c84f8e01b6ec35199658f38574c91201745de88c907b56e6356cb5bf77922d4842b9da0713300cf00 SHA512 a7a0171592745af6b6cdc5f4ec10b204e341e1f90d20ccc417885b2fc6feaf1e39bd9a6836f1d8a7693f6f872ec69aab7d85fb6a4d3afbd94f268a525e9e43af
+EBUILD exim-4.94.2-r12.ebuild 16252 BLAKE2B 7dad738905a4799367f4a7e6bdb47431d4f6ac810ee4c24cbb4b151b7ae483c1a7541a875a772093f7c1c9873c7e3f1a997a79082f26b72c9c218b5f0fb59dd8 SHA512 9f2f34234861d0bd33dd60d0455e59253f8513bfe16f121a4f6a8b864bf711deac66b3c004febca9f9f4ae66214858fc527c703efd8885f77514c060d40c539d
 EBUILD exim-4.94.2-r7.ebuild 14840 BLAKE2B beec43c20d547763f805f10531a5cddf46e2339760dbb8545c9715b4031dc6325b16e1f3e79c20be364bfc681bdb652ee316b2653c5ed6ae2eea2dfad5872ba2 SHA512 6598f7597787e1eef199aebae2aba4213c8059d1246b4418ea03c786c24923342285ad4208c076cdfec37645d9781e2aa7573b18dd8e28aefb06af964ef616b0
 EBUILD exim-4.96-r2.ebuild 15788 BLAKE2B c35234d38a5cb58ec4d82bc4eaf20e536f855f783cb4c9f324ad0db3555ecd4d45f2ddfa0d6b05e7c90ac294598a516134d6b8d81d9394b0d7472def7f183871 SHA512 3513a65e2958be49bd6e3e33a3ca093307aa7e1008f70a7d460896e916fb3f2e6a97aba790df9fa562e4b8d01dfe275569bece1f5795b5a0b1d5af9d859557e0
 MISC metadata.xml 2759 BLAKE2B 4f5d0d9fbd244b0836de4bd0d3b84f45376628a12e019c89e49e6dbd7128c19f16281fdfb401d852f57f27f547184351000382cc7333a524f7be280e0799d8d8 SHA512 85a2eaef07eb68d51a1307c6d76bef6620e7311ffda593750ebee5fe84affac2e026c971818500004c0ab9722a8e84c8eb0394fb66bb2ba6cd3465cf7e1f1a73
diff --git a/mail-mta/exim/exim-4.94.2-r11.ebuild b/mail-mta/exim/exim-4.94.2-r12.ebuild
index 352ae0cdcd7e..a347cf1581f6 100644
--- a/mail-mta/exim/exim-4.94.2-r11.ebuild
+++ b/mail-mta/exim/exim-4.94.2-r12.ebuild
@@ -122,7 +122,7 @@ src_prepare() {
 	eapply     "${FILESDIR}"/exim-4.94-localscan_dlopen.patch
 	eapply     "${FILESDIR}"/exim-4.94.2-fix-crash-resolve.patch # 799368 upstr
 	eapply     "${FILESDIR}"/exim-4.94-CVE-2022-3559.patch  # 877607 upstr
-	eapply     "${FILESDIR}"/exim-4.94.2-openssl3.patch # 888619 backport
+	eapply     "${FILESDIR}"/exim-4.94.2-openssl3.patch # 888619 backports
 
 	# for this reason we have a := dep on opendmarc, they changed their
 	# API in a minor release
diff --git a/mail-mta/exim/files/exim-4.94.2-openssl3.patch b/mail-mta/exim/files/exim-4.94.2-openssl3.patch
index d1102aac8bfa..f9758515bef1 100644
--- a/mail-mta/exim/files/exim-4.94.2-openssl3.patch
+++ b/mail-mta/exim/files/exim-4.94.2-openssl3.patch
@@ -1,13 +1,34 @@
-Based on original commit, but applied to 4.94.2 tarball.
+Original commits from upstream applied to 4.94.2 release tarball
+
+From a5d79c99f4948d9fd288a1bfaca3a44cf2caaa32 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Wed, 1 Dec 2021 17:36:18 +0000
+Subject: [PATCH] OpenSSL: use nondeprecated D-H functions under 3.0.0.
+
+From c6a290f4d8df3734b3cdc2232b4334ff8386c1da Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Wed, 1 Dec 2021 18:52:21 +0000
+Subject: [PATCH] OpenSSL: tidy DH and ECDH param setup Testsuite: expand DH
+ testcase
 
 From ff7829398d74e67f1c1f40339a772fd76708e5ac Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?= <jskarvad@redhat.com>
 Date: Sat, 27 Nov 2021 21:07:15 +0000
 Subject: [PATCH] Fix build for OpenSSL 3.0.0 .  Bug 2810
 
----
- src/src/tls-openssl.c | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
+From ca4014de81e6aa367aa0a54c49b4c3d4b137814c Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Sun, 1 Jan 2023 12:18:38 +0000
+Subject: [PATCH] OpenSSL: fix tls_eccurve setting explicit curve/group.  Bug
+ 2954
+
+From 7fa5764c203f2f4a900898a79ed02d674075313f Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Mon, 2 Jan 2023 15:04:14 +0000
+Subject: [PATCH] OpenSSL: Fix tls_eccurve on earlier versions than 3.0.0.  Bug
+ 2954
+
+Broken-by: ca4014de81e6
 
 --- a/src/tls-openssl.c
 +++ b/src/tls-openssl.c
@@ -32,3 +53,280 @@ Subject: [PATCH] Fix build for OpenSSL 3.0.0 .  Bug 2810
  #endif
  #ifdef SSL_OP_NO_TLSv1_2
    { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
+@@ -1017,23 +1021,27 @@
+ *************************************************/
+ 
+ /* If dhparam is set, expand it, and load up the parameters for DH encryption.
++Server only.
+ 
+ Arguments:
+   sctx      The current SSL CTX (inbound or outbound)
+   dhparam   DH parameter file or fixed parameter identity string
+-  host      connected host, if client; NULL if server
+   errstr    error string pointer
+ 
+ Returns:    TRUE if OK (nothing to set up, or setup worked)
+ */
+ 
+ static BOOL
+-init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
++init_dh(SSL_CTX * sctx, uschar * dhparam, uschar ** errstr)
+ {
+-BIO *bio;
+-DH *dh;
+-uschar *dhexpanded;
+-const char *pem;
++BIO * bio;
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
++DH * dh;
++#else
++EVP_PKEY * pkey;
++#endif
++uschar * dhexpanded;
++const char * pem;
+ int dh_bitsize;
+ 
+ if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
+@@ -1046,7 +1054,7 @@
+   if (!(bio = BIO_new_file(CS dhexpanded, "r")))
+     {
+     tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
+-          host, US strerror(errno), errstr);
++          NULL, US strerror(errno), errstr);
+     return FALSE;
+     }
+   }
+@@ -1061,17 +1069,23 @@
+   if (!(pem = std_dh_prime_named(dhexpanded)))
+     {
+     tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
+-        host, US strerror(errno), errstr);
++        NULL, US strerror(errno), errstr);
+     return FALSE;
+     }
+   bio = BIO_new_mem_buf(CS pem, -1);
+   }
+ 
+-if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
++if (!(
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
++      dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)
++#else
++      pkey = PEM_read_bio_Parameters_ex(bio, NULL, NULL, NULL)
++#endif
++   ) )
+   {
+   BIO_free(bio);
+   tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
+-      host, NULL, errstr);
++      NULL, NULL, errstr);
+   return FALSE;
+   }
+ 
+@@ -1081,33 +1095,54 @@
+  * If someone wants to dance at the edge, then they can raise the limit or use
+  * current libraries. */
+-#ifdef EXIM_HAVE_OPENSSL_DH_BITS
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
++# ifdef EXIM_HAVE_OPENSSL_DH_BITS
+ /* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
+  * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
+ dh_bitsize = DH_bits(dh);
+-#else
++# else
+ dh_bitsize = 8 * DH_size(dh);
++# endif
++#else	/* 3.0.0 + */
++dh_bitsize = EVP_PKEY_get_bits(pkey);
+ #endif
+ 
+-/* Even if it is larger, we silently return success rather than cause things
+- * to fail out, so that a too-large DH will not knock out all TLS; it's a
+- * debatable choice. */
+-if (dh_bitsize > tls_dh_max_bits)
++/* Even if it is larger, we silently return success rather than cause things to
++fail out, so that a too-large DH will not knock out all TLS; it's a debatable
++choice.  Likewise for a failing attempt to set one. */
++
++if (dh_bitsize <= tls_dh_max_bits)
+   {
+-  DEBUG(D_tls)
+-    debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
+-        dh_bitsize, tls_dh_max_bits);
++  if (
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
++      SSL_CTX_set_tmp_dh(sctx, dh)
++#else
++      SSL_CTX_set0_tmp_dh_pkey(sctx, pkey)
++#endif
++      == 0)
++    {
++    ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
++    log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (D-H param setting '%s'): %s",
++	dhexpanded ? dhexpanded : US"default", ssl_errstring);
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++    /* EVP_PKEY_free(pkey);  crashes */
++#endif
++    }
++  else
++    DEBUG(D_tls)
++      debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
++	dhexpanded ? dhexpanded : US"default", dh_bitsize);
+   }
+ else
+-  {
+-  SSL_CTX_set_tmp_dh(sctx, dh);
+   DEBUG(D_tls)
+-    debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
+-      dhexpanded ? dhexpanded : US"default", dh_bitsize);
+-  }
++    debug_printf("dhparams '%s' %d bits, is > tls_dh_max_bits limit of %d\n",
++	dhexpanded ? dhexpanded : US"default", dh_bitsize, tls_dh_max_bits);
+ 
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ DH_free(dh);
+-BIO_free(bio);
++#endif
++/* The EVP_PKEY ownership stays with the ctx; do not free it */
+ 
++BIO_free(bio);
+ return TRUE;
+ }
+ 
+@@ -1118,7 +1154,7 @@
+ *               Initialize for ECDH              *
+ *************************************************/
+ 
+-/* Load parameters for ECDH encryption.
++/* Load parameters for ECDH encryption.  Server only.
+ 
+ For now, we stick to NIST P-256 because: it's simple and easy to configure;
+ it avoids any patent issues that might bite redistributors; despite events in
+@@ -1136,37 +1172,40 @@
+ 
+ Arguments:
+   sctx      The current SSL CTX (inbound or outbound)
+-  host      connected host, if client; NULL if server
+   errstr    error string pointer
+ 
+ Returns:    TRUE if OK (nothing to set up, or setup worked)
+ */
+ 
+ static BOOL
+-init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
++init_ecdh(SSL_CTX * sctx, uschar ** errstr)
+ {
+ #ifdef OPENSSL_NO_ECDH
+ return TRUE;
+ #else
+ 
+-EC_KEY * ecdh;
+ uschar * exp_curve;
+-int nid;
+-BOOL rv;
+-
+-if (host)	/* No ECDH setup for clients, only for servers */
+-  return TRUE;
++int nid, rc;
+ 
+ # ifndef EXIM_HAVE_ECDH
+ DEBUG(D_tls)
+-  debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
++  debug_printf(" No OpenSSL API to define ECDH parameters, skipping\n");
+ return TRUE;
+ # else
+ 
+ if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
+   return FALSE;
++
++/* Is the option deliberately empty? */
++
+ if (!exp_curve || !*exp_curve)
++  {
++#if OPENSSL_VERSION_NUMBER >= 0x10002000L
++  DEBUG(D_tls) debug_printf( " ECDH OpenSSL 1.0.2+: clearing curves list\n");
++  (void) SSL_CTX_set1_curves(sctx, &nid, 0);
++#endif
+   return TRUE;
++  }
+ 
+ /* "auto" needs to be handled carefully.
+  * OpenSSL <  1.0.2: we do not select anything, but fallback to prime256v1
+@@ -1202,27 +1241,41 @@
+ #   endif
+    )
+   {
+-  tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
+-    host, NULL, errstr);
++  uschar * s = string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve);
++  DEBUG(D_tls) debug_printf("TLS error '%s'\n", s);
++  if (errstr) *errstr = s;
+   return FALSE;
+   }
+ 
+-if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
+-  {
+-  tls_error(US"Unable to create ec curve", host, NULL, errstr);
+-  return FALSE;
+-  }
++# if OPENSSL_VERSION_NUMBER < 0x30000000L
++ {
++  EC_KEY * ecdh;
++  if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
++    {
++    tls_error(US"Unable to create ec curve", NULL, NULL, errstr);
++    return FALSE;
++    }
+ 
+-/* The "tmp" in the name here refers to setting a temporary key
+-not to the stability of the interface. */
++  /* The "tmp" in the name here refers to setting a temporary key
++  not to the stability of the interface. */
+ 
+-if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
+-  tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
++  if ((rc = SSL_CTX_set_tmp_ecdh(sctx, ecdh)) == 0)
++    tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), NULL, NULL, errstr);
++  else
++    DEBUG(D_tls) debug_printf(" ECDH: enabled '%s' curve\n", exp_curve);
++  EC_KEY_free(ecdh);
++ }
++
++#else	/* v 3.0.0 + */
++
++if ((rc = SSL_CTX_set1_groups(sctx, &nid, 1)) == 0)
++  tls_error(string_sprintf("Error enabling '%s' group", exp_curve), NULL, NULL, errstr);
+ else
+-  DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
++  DEBUG(D_tls) debug_printf(" ECDH: enabled '%s' group\n", exp_curve);
++
++#endif
+ 
+-EC_KEY_free(ecdh);
+-return !rv;
++return !!rc;
+ 
+ # endif	/*EXIM_HAVE_ECDH*/
+ #endif /*OPENSSL_NO_ECDH*/
+@@ -1727,8 +1780,8 @@
+ SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
+ SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
+ 
+-if (  !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
+-   || !init_ecdh(server_sni, NULL, &dummy_errstr)
++if (  !init_dh(server_sni, cbinfo->dhparam, &dummy_errstr)
++   || !init_ecdh(server_sni, &dummy_errstr)
+    )
+   goto bad;
+ 
+@@ -2213,8 +2266,8 @@
+ /* Initialize with DH parameters if supplied */
+ /* Initialize ECDH temp key parameter selection */
+ 
+-if (  !init_dh(ctx, dhparam, host, errstr)
+-   || !init_ecdh(ctx, host, errstr)
++if (  !init_dh(ctx, dhparam, errstr)
++   || !init_ecdh(ctx, errstr)
+    )
+   return DEFER;
+