extending the certificate validate period

remove redundant patches (cherry picked from commit 7534b7f15cabaf20116feea135596488be044235)
2025-02-12 06:03:15 +00:00 · 2025-02-12 06:03:15 +00:00 · 4244359591
commit 4244359591
parent e8e508837d
3 changed files with 9 additions and 277 deletions
--- a/sendmail-8.15.2-format-security.patch
+++ b/sendmail-8.15.2-format-security.patch
@ -1,92 +0,0 @@
-diff --git a/sendmail/srvrsmtp.c b/sendmail/srvrsmtp.c
-index ba636a8..46c5356 100644
--- a/sendmail/srvrsmtp.c
-+++ b/sendmail/srvrsmtp.c
-@@ -159,6 +159,26 @@
- #define SKIP_SPACE(s)	while (SM_ISSPACE(*s))	\
- 				(s)++
- 
-+static inline void
-+message1(fmt)
-+       char *fmt;
-+{
-+       if (strchr(fmt, '%') == NULL)
-+               message(fmt, NULL);
-+       else
-+               message("%s", fmt);
-+}
-+
-+static inline void
-+usrerr1(fmt)
-+       char *fmt;
-+{
-+       if (strchr(fmt, '%') == NULL)
-+               usrerr(fmt, NULL);
-+       else
-+               usrerr("%s", fmt);
-+}
-+
- #if _FFR_EAI
- /*
- **  ADDR_IS_ASCII -- check whether an address is 100% printable ASCII
-@@ -638,13 +658,13 @@
- 				bool tsave = QuickAbort;		\
- 									\
- 				QuickAbort = false;			\
-				usrerr(response);			\
-+				usrerr1(response);			\
- 				QuickAbort = tsave;			\
- 				e->e_sendqueue = NULL;			\
- 				goto doquit;				\
- 			}						\
- 			else						\
-				usrerr(response);			\
-+				usrerr1(response);			\
- 			break;						\
- 									\
- 		  case SMFIR_REJECT:					\
-@@ -1011,7 +1031,7 @@
- 	else if (strncmp(nullserver, "421 ", 4) == 0)
- 	{
- 		/* Can't use ("%s", ...) due to message() requirements */
-		message(nullserver);
-+		message1(nullserver);
- 		goto doquit;
- 	}
- 
-@@ -1953,7 +1973,7 @@
- 					if (ISSMTPREPLY(nullserver))
- 					{
- 						/* Can't use ("%s", ...) due to usrerr() requirements */
-						usrerr(nullserver);
-+						usrerr1(nullserver);
- 					}
- 					else
- 					{
-@@ -2561,7 +2581,7 @@
- 					if (response != NULL)
- 					{
- 						/* Can't use ("%s", ...) due to usrerr() requirements */
-						usrerr(response);
-+						usrerr1(response);
- 					}
- 					else
- 					{
-@@ -3800,7 +3820,7 @@
- #endif
- 
- 			/* Can't use ("%s", ...) due to usrerr() requirements */
-			usrerr(response);
-+			usrerr1(response);
- 			if (strncmp(response, "421 ", 4) == 0
- 			    || strncmp(response, "421-", 4) == 0)
- 			{
-@@ -3922,7 +3942,7 @@
- 				(void) extenhsc(response + 4, ' ', e->e_enhsc);
- #endif
- 			/* Can't use ("%s", ...) due to usrerr() requirements */
-			usrerr(response);
-+			usrerr1(response);
- 			if (strncmp(response, "421 ", 4) == 0
- 			    || strncmp(response, "421-", 4) == 0)
- 				rv = false;
--- a/sendmail-8.15.2-openssl-1.1.0-fix.patch
+++ b/sendmail-8.15.2-openssl-1.1.0-fix.patch
@ -1,183 +0,0 @@
--- sendmail-8.15.2.orig/sendmail/tls.c 2016-12-01 15:20:59.953546417 +0100
-+++ sendmail-8.15.2.orig/sendmail/tls.c 2016-12-01 17:26:43.868521378 +0100
-@@ -79,7 +79,8 @@
- static DH *
- get_dh512()
- {
-	DH *dh = NULL;
-+	DH *dh;
-+       BIGNUM *p, *g;
- #  if MTA_HAVE_DH_set0_pqg
- 	BIGNUM *dhp_bn, *dhg_bn;
- #  endif
-@@ -96,13 +97,23 @@
- 		return NULL;
- 	}
- #  else
-	dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
-	dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
-	if ((dh->p == NULL) || (dh->g == NULL))
-+	p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
-+	g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
-+	if (p == NULL || g == NULL)
- 	{
-+               BN_free(p);
-+               BN_free(g);
- 		DH_free(dh);
- 		return NULL;
- 	}
-+
-+#if OPENSSL_VERSION_NUMBER >= 0x10100005L
-+       DH_set0_pqg(dh, p, NULL, g);
-+#else
-+       dh->p = p;
-+       dh->g = g;
-+#endif
-+
- #  endif
- 	return dh;
- }
-@@ -150,6 +161,8 @@
- 		};
- 	static unsigned char dh2048_g[]={ 0x02, };
- 	DH *dh;
-+	BIGNUM *p, *g;
-+
- #  if MTA_HAVE_DH_set0_pqg
- 	BIGNUM *dhp_bn, *dhg_bn;
- #  endif
-@@ -166,13 +179,23 @@
- 		return NULL;
- 	}
- #  else
-	dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
-	dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
-	if ((dh->p == NULL) || (dh->g == NULL))
-+	p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
-+	g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
-+	if (p == NULL || g == NULL)
- 	{
-+               BN_free(p);
-+               BN_free(g);
- 		DH_free(dh);
-		return(NULL);
-+		return NULL;
- 	}
-+
-+#if OPENSSL_VERSION_NUMBER >= 0x10100005L
-+       DH_set0_pqg(dh, p, NULL, g);
-+#else
-+       dh->p = p;
-+       dh->g = g;
-+#endif
-+
- #  endif
- 	return(dh);
- }
-@@ -929,6 +952,54 @@
- #  define SM_SSL_OP_TLS_BLOCK_PADDING_BUG	0
- # endif
- 
-+static RSA *
-+generate_rsa_key(bits, e)
-+       int bits;
-+       unsigned long e;
-+{
-+#if OPENSSL_VERSION_NUMBER < 0x00908000L
-+       return RSA_generate_key(bits, e, NULL, NULL);
-+#else
-+       BIGNUM *bne;
-+       RSA *rsa = NULL;
-+
-+       bne = BN_new();
-+       if (bne && BN_set_word(bne, e) != 1)
-+               rsa = RSA_new();
-+       if (rsa && RSA_generate_key_ex(rsa, bits, bne, NULL) != 1)
-+       {
-+               RSA_free(rsa);
-+               rsa = NULL;
-+       }
-+       BN_free(bne);
-+       return rsa;
-+#endif
-+}
-+
-+static DSA *
-+generate_dsa_parameters(bits, seed, seed_len, counter_ret, h_ret)
-+       int bits;
-+       unsigned char *seed;
-+       int seed_len;
-+       int *counter_ret;
-+       unsigned long *h_ret;
-+{
-+#if OPENSSL_VERSION_NUMBER < 0x00908000L
-+       return DSA_generate_parameters(bits, seed, seed_len, counter_ret,
-+                                      h_ret, NULL, NULL);
-+#else
-+       DSA *dsa = DSA_new();
-+
-+       if (dsa && DSA_generate_parameters_ex(dsa, bits, seed, seed_len,
-+                                             counter_ret, h_ret, NULL) != 1)
-+       {
-+               DSA_free(dsa);
-+               dsa = NULL;
-+       }
-+       return dsa;
-+#endif
-+}
-+
- bool
- inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhparam)
- 	SSL_CTX **ctx;
-@@ -1183,8 +1254,7 @@
- 	if (bitset(TLS_I_RSA_TMP, req)
- #  if SM_CONF_SHM
- 	    && ShmId != SM_SHM_NO_ID &&
-	    (rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL,
-					NULL)) == NULL
-+	    (rsa_tmp = generate_rsa_key(RSA_KEYLENGTH, RSA_F4)) == NULL
- #  else /* SM_CONF_SHM */
- 	    && 0	/* no shared memory: no need to generate key now */
- #  endif /* SM_CONF_SHM */
-@@ -1391,8 +1461,8 @@
- 			}
- #  else
- 			/* this takes a while! */
-			dsa = DSA_generate_parameters(bits, NULL, 0, NULL,
-						      NULL, 0, NULL);
-+                       dsa = generate_dsa_parameters(bits, NULL, 0, NULL,
-+                                                     NULL);
- 			dh = DSA_dup_DH(dsa);
- #  endif
- 			DSA_free(dsa);
-@@ -2081,7 +2151,7 @@
- 
- 	if (rsa_tmp != NULL)
- 		RSA_free(rsa_tmp);
-	rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL, NULL);
-+	rsa_tmp = generate_rsa_key(RSA_KEYLENGTH, RSA_F4);
- 	if (rsa_tmp == NULL)
- 	{
- 		if (LogLevel > 0)
-@@ -2526,12 +2596,21 @@
- 	SM_GETTLSI;
- 	if (LogLevel > 13)
- 		tls_verify_log(ok, ctx, "X509");
-+#if OPENSSL_VERSION_NUMBER >= 0x10100005L
-+               if (X509_STORE_CTX_get_error(ctx) ==
-+                   X509_V_ERR_UNABLE_TO_GET_CRL)
-+               {
-+                       X509_STORE_CTX_set_error(ctx, 0);
-+                       return 1;       /* override it */
-+               }
-+#else
- 	if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL &&
- 	    !SM_TLSI_IS(tlsi_ctx, TLSI_FL_CRLREQ))
- 	{
- 		X509_STORE_CTX_set_error(ctx, 0);
- 		return 1;	/* override it */
- 	}
-+#endif
- 	return ok;
- }
- 
--- a/sendmail.spec
+++ b/sendmail.spec
@ -1,6 +1,6 @@
 Name:          sendmail
 Version:       8.17.2
-Release:       2
+Release:       3
 Summary:       A classic mail transfer agent from the Unix world
 License:       Sendmail
 URL:           http://www.sendmail.org/
@ -344,7 +344,7 @@ if [ ! -f %{_sysconfdir}/pki/tls/certs/sendmail.pem ]; then
    fi

    %{_bindir}/openssl req -new -key %{_sysconfdir}/pki/tls/private/sendmail.key -x509 -sha256 \
-        -days 730 -set_serial $RANDOM -out %{_sysconfdir}/pki/tls/certs/sendmail.pem \
+        -days 2190 -set_serial $RANDOM -out %{_sysconfdir}/pki/tls/certs/sendmail.pem \
        -subj "/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=${FQDN}/emailAddress=root@${FQDN}"
    chmod 600 %{_sysconfdir}/pki/tls/certs/sendmail.pem
 fi
@ -469,6 +469,13 @@ exit 0


 %changelog
+* Wed Feb 12 2025 xinghe <xinghe2@h-partners.com> - 8.17.2-3
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:extending the certificate validate period
+       remove redundant patches
+
 * Wed May 22 2024 xinghe <xinghe2@h-partners.com> - 8.17.2-2
 - Type:bugfix
 - ID:NA