aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2018-10-29 12:53:15 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2018-11-07 16:46:09 +0000
commit6656d5c5e61c9fc1d80216cb65d54bf23dbab73b (patch)
tree13cbc9b2c25efe911e8dd49bcd3920d241734c5d
parentf82b04f0cec7fe6af7841f73765a1d882ec41098 (diff)
downloadaports-6656d5c5e61c9fc1d80216cb65d54bf23dbab73b.tar.gz
aports-6656d5c5e61c9fc1d80216cb65d54bf23dbab73b.tar.bz2
aports-6656d5c5e61c9fc1d80216cb65d54bf23dbab73b.tar.xz
main/opensmtpd: rebuild against openssl-1.1
-rw-r--r--main/opensmtpd/APKBUILD8
-rw-r--r--main/opensmtpd/openssl-1.1.patch737
2 files changed, 742 insertions, 3 deletions
diff --git a/main/opensmtpd/APKBUILD b/main/opensmtpd/APKBUILD
index 781b02e946..b3e6e0a709 100644
--- a/main/opensmtpd/APKBUILD
+++ b/main/opensmtpd/APKBUILD
@@ -4,14 +4,14 @@
# Maintainer: Jonathan Curran <jonathan@curran.in>
pkgname=opensmtpd
pkgver=6.0.3p1
-pkgrel=1
+pkgrel=2
pkgdesc="secure, reliable, lean, and easy-to configure SMTP server"
url="http://www.opensmtpd.org"
arch="all"
license="ISC"
depends="!postfix"
makedepends="automake autoconf libtool mdocml db-dev libasr-dev libevent-dev
- fts-dev zlib-dev libressl-dev bison flex-dev"
+ fts-dev zlib-dev openssl-dev bison flex-dev"
install="$pkgname.pre-install"
subpackages="$pkgname-doc"
source="https://www.opensmtpd.org/archives/$pkgname-$pkgver.tar.gz
@@ -19,6 +19,7 @@ source="https://www.opensmtpd.org/archives/$pkgname-$pkgver.tar.gz
aliases
autoconf-decl-checks.patch
fix-segfault-in-crypt_checkpass.patch
+ openssl-1.1.patch
"
options="suid !check"
@@ -62,4 +63,5 @@ sha512sums="e579818a0ddbe637deb5a4e40f43eaf797783903ceac18fd89a57581b135b9e407d4
8d3b27c760df84804baadc90c23b34f3e99980fae97c685f98ab096c3e84ab293316cd7c49317fa3cffac7ab5e63217ada6a2c5b245f352bafe880b087e7705e smtpd.initd
51d47b34eb3d728daa45f29d6434cc75db28dfa69b6fb3ecd873121df85b296a2d2c81016d765a07778aa26a496e4b29c09a30b82678cf42596a536734b5deca aliases
37104cc605569f142ceffa902f200e8a7e9e1114ebe5394ed1eac0ed6ce25454e1610270921c45246de8396eee04b7c8ab5a112a231036a6ef14e7e229b264e3 autoconf-decl-checks.patch
-cd6b60e478703890af1112d93c2d2ac0c87c5ad394d91a7903ca11532c4d2c8763330a8c20ef9b8d5a79632760faee5ee1437a43d37d1727aef2e1431d1d030c fix-segfault-in-crypt_checkpass.patch"
+cd6b60e478703890af1112d93c2d2ac0c87c5ad394d91a7903ca11532c4d2c8763330a8c20ef9b8d5a79632760faee5ee1437a43d37d1727aef2e1431d1d030c fix-segfault-in-crypt_checkpass.patch
+fb5a07cac0b07806d9fa2b5ac87e004da9f0d894cd00526b703fdfd23c94499d2464ae383ba65891232e9a4f2a582af1d6285c5ceb2cca61bbfbec6344cdc46b openssl-1.1.patch"
diff --git a/main/opensmtpd/openssl-1.1.patch b/main/opensmtpd/openssl-1.1.patch
new file mode 100644
index 0000000000..2eafa7f34b
--- /dev/null
+++ b/main/opensmtpd/openssl-1.1.patch
@@ -0,0 +1,737 @@
+From 32d77702a7c76e462b4f2b6bc88f9101c9839d54 Mon Sep 17 00:00:00 2001
+From: Ryan Kavanagh <rak@debian.org>
+Date: Fri, 19 Jan 2018 15:35:49 -0500
+Subject: [PATCH] Update to use SSL_F_SSL_CTX_USE_CERTIFICATE_FILE and
+ SSL_CTX_clear_extra_chain_certs
+
+Patch updated by Sebastian Andrzej Siewior <sebastian@breakpoint.cc>,
+with description:
+
+ SSL_F_SSL_CTX_USE_CERTIFICATE_FILE and
+ SSL_CTX_clear_extra_chain_certs was around in openssl since before
+ they forked it. So with this patch it should work with their
+ libressl, libssl 1.0.2 and 1.1.
+
+Source: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859544#72
+Source: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859544#96
+---
+ openbsd-compat/libressl.c | 17 +--
+ smtpd/ca.c | 290 ++++++++++++++++++++++++++++++++------
+ smtpd/crypto.c | 64 +++++----
+ smtpd/libressl.c | 17 +--
+ smtpd/ssl.c | 2 +-
+ smtpd/ssl.h | 14 ++
+ 6 files changed, 312 insertions(+), 92 deletions(-)
+
+diff --git a/openbsd-compat/libressl.c b/openbsd-compat/libressl.c
+index f4f2b52e..d06e006f 100644
+--- a/openbsd-compat/libressl.c
++++ b/openbsd-compat/libressl.c
+@@ -81,14 +81,14 @@ SSL_CTX_use_certificate_chain(SSL_CTX *ctx, char *buf, off_t len)
+ x = ca = NULL;
+
+ if ((in = BIO_new_mem_buf(buf, len)) == NULL) {
+- SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
++ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
+ goto end;
+ }
+
+ if ((x = PEM_read_bio_X509(in, NULL,
+- ctx->default_passwd_callback,
+- ctx->default_passwd_callback_userdata)) == NULL) {
+- SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
++ SSL_CTX_get_default_passwd_cb(ctx),
++ SSL_CTX_get_default_passwd_cb_userdata(ctx))) == NULL) {
++ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PEM_LIB);
+ goto end;
+ }
+
+@@ -99,14 +99,11 @@ SSL_CTX_use_certificate_chain(SSL_CTX *ctx, char *buf, off_t len)
+ * the CA certificates.
+ */
+
+- if (ctx->extra_certs != NULL) {
+- sk_X509_pop_free(ctx->extra_certs, X509_free);
+- ctx->extra_certs = NULL;
+- }
++ SSL_CTX_clear_extra_chain_certs(ctx);
+
+ while ((ca = PEM_read_bio_X509(in, NULL,
+- ctx->default_passwd_callback,
+- ctx->default_passwd_callback_userdata)) != NULL) {
++ SSL_CTX_get_default_passwd_cb(ctx),
++ SSL_CTX_get_default_passwd_cb_userdata(ctx))) != NULL) {
+
+ if (!SSL_CTX_add_extra_chain_cert(ctx, ca))
+ goto end;
+diff --git a/smtpd/ca.c b/smtpd/ca.c
+index e383c6a1..29a44b9b 100644
+--- a/smtpd/ca.c
++++ b/smtpd/ca.c
+@@ -170,6 +170,190 @@ ca_verify_cb(int ok, X509_STORE_CTX *ctx)
+ return ok;
+ }
+
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
++
++static int RSA_meth_get_flags(RSA_METHOD *meth)
++{
++ return meth->flags;
++}
++
++static int RSA_meth_set_flags(RSA_METHOD *meth, int flags)
++{
++ meth->flags = flags;
++ return 1;
++}
++
++static void *RSA_meth_get0_app_data(const RSA_METHOD *meth)
++{
++ return meth->app_data;
++}
++
++static int RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data)
++{
++ meth->app_data = app_data;
++ return 1;
++}
++
++static int (*RSA_meth_get_pub_enc(const RSA_METHOD *meth))
++(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
++{
++ return meth->rsa_pub_enc;
++}
++
++static int RSA_meth_set_pub_enc(RSA_METHOD *meth,
++ int (*pub_enc) (int flen, const unsigned char *from,
++ unsigned char *to, RSA *rsa,
++ int padding))
++{
++ meth->rsa_pub_enc = pub_enc;
++ return 1;
++}
++
++static int (*RSA_meth_get_pub_dec(const RSA_METHOD *meth))
++(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
++{
++ return meth->rsa_pub_dec;
++}
++
++static int (*RSA_meth_get_priv_enc(const RSA_METHOD *meth))
++(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
++{
++ return meth->rsa_priv_enc;
++}
++
++int RSA_meth_set_priv_enc(RSA_METHOD *meth,
++ int (*priv_enc) (int flen, const unsigned char *from,
++ unsigned char *to, RSA *rsa, int padding))
++{
++ meth->rsa_priv_enc = priv_enc;
++ return 1;
++}
++
++static int (*RSA_meth_get_priv_dec(const RSA_METHOD *meth))
++(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
++{
++ return meth->rsa_priv_dec;
++}
++
++static int RSA_meth_set_priv_dec(RSA_METHOD *meth,
++ int (*priv_dec) (int flen, const unsigned char *from,
++ unsigned char *to, RSA *rsa, int padding))
++{
++ meth->rsa_priv_dec = priv_dec;
++ return 1;
++}
++
++static int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth))
++ (BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
++{
++ return meth->rsa_mod_exp;
++}
++
++static int RSA_meth_set_mod_exp(RSA_METHOD *meth,
++ int (*mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx))
++{
++ meth->rsa_mod_exp = mod_exp;
++ return 1;
++}
++
++static int (*RSA_meth_get_bn_mod_exp(const RSA_METHOD *meth))
++(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
++{
++ return meth->bn_mod_exp;
++}
++
++static int RSA_meth_set_bn_mod_exp(RSA_METHOD *meth, int (*bn_mod_exp)
++ (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
++ BN_CTX *ctx, BN_MONT_CTX *m_ctx))
++{
++ meth->bn_mod_exp = bn_mod_exp;
++ return 1;
++}
++
++static int (*RSA_meth_get_init(const RSA_METHOD *meth)) (RSA *rsa)
++{
++ return meth->init;
++}
++
++static int RSA_meth_set_init(RSA_METHOD *meth, int (*init) (RSA *rsa))
++{
++ meth->init = init;
++ return 1;
++}
++
++static int (*RSA_meth_get_finish(const RSA_METHOD *meth)) (RSA *rsa)
++{
++ return meth->finish;
++}
++
++static int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish) (RSA *rsa))
++{
++ meth->finish = finish;
++ return 1;
++}
++
++static int (*RSA_meth_get_keygen(const RSA_METHOD *meth))
++ (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb)
++{
++ return meth->rsa_keygen;
++}
++
++static int RSA_meth_set_keygen(RSA_METHOD *meth, int (*keygen)
++ (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb))
++{
++ meth->rsa_keygen = keygen;
++ return 1;
++}
++
++static int (*RSA_meth_get_verify(const RSA_METHOD *meth))
++ (int dtype, const unsigned char *m,
++ unsigned int m_length, const unsigned char *sigbuf,
++ unsigned int siglen, const RSA *rsa)
++{
++ if (meth->flags & RSA_FLAG_SIGN_VER)
++ return meth->rsa_verify;
++ return NULL;
++}
++
++static int (*RSA_meth_get_sign(const RSA_METHOD *meth))
++ (int type,
++ const unsigned char *m, unsigned int m_length,
++ unsigned char *sigret, unsigned int *siglen,
++ const RSA *rsa)
++{
++ if (meth->flags & RSA_FLAG_SIGN_VER)
++ return meth->rsa_sign;
++ return NULL;
++}
++
++static int RSA_meth_set_pub_dec(RSA_METHOD *meth,
++ int (*pub_dec) (int flen, const unsigned char *from,
++ unsigned char *to, RSA *rsa, int padding))
++{
++ meth->rsa_pub_dec = pub_dec;
++ return 1;
++}
++
++static RSA_METHOD *RSA_meth_new(const char *name, int flags)
++{
++ RSA_METHOD *meth = malloc(sizeof(*meth));
++
++ if (meth != NULL) {
++ memset(meth, 0, sizeof(*meth));
++ meth->flags = flags;
++
++ meth->name = strdup(name);
++ if (meth->name != NULL)
++ return meth;
++
++ free(meth);
++ }
++
++ return NULL;
++}
++
++#endif
++
+ int
+ ca_X509_verify(void *certificate, void *chain, const char *CAfile,
+ const char *CRLfile, const char **errstr)
+@@ -201,7 +385,7 @@ ca_X509_verify(void *certificate, void *chain, const char *CAfile,
+ *errstr = NULL;
+ if (ret != 1) {
+ if (xsc)
+- *errstr = X509_verify_cert_error_string(xsc->error);
++ *errstr = X509_verify_cert_error_string(X509_STORE_CTX_get_error(xsc));
+ else if (ERR_peek_last_error())
+ *errstr = ERR_error_string(ERR_peek_last_error(), NULL);
+ }
+@@ -302,24 +486,9 @@ ca_imsg(struct mproc *p, struct imsg *imsg)
+ * RSA privsep engine (called from unprivileged processes)
+ */
+
+-const RSA_METHOD *rsa_default = NULL;
+-
+-static RSA_METHOD rsae_method = {
+- "RSA privsep engine",
+- rsae_pub_enc,
+- rsae_pub_dec,
+- rsae_priv_enc,
+- rsae_priv_dec,
+- rsae_mod_exp,
+- rsae_bn_mod_exp,
+- rsae_init,
+- rsae_finish,
+- 0,
+- NULL,
+- NULL,
+- NULL,
+- rsae_keygen
+-};
++static const RSA_METHOD *rsa_default = NULL;
++
++static const char *rsae_method_name = "RSA privsep engine";
+
+ static int
+ rsae_send_imsg(int flen, const unsigned char *from, unsigned char *to,
+@@ -404,7 +573,7 @@ rsae_pub_enc(int flen,const unsigned char *from, unsigned char *to, RSA *rsa,
+ int padding)
+ {
+ log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
+- return (rsa_default->rsa_pub_enc(flen, from, to, rsa, padding));
++ return (RSA_meth_get_pub_enc(rsa_default)(flen, from, to, rsa, padding));
+ }
+
+ static int
+@@ -412,7 +581,7 @@ rsae_pub_dec(int flen,const unsigned char *from, unsigned char *to, RSA *rsa,
+ int padding)
+ {
+ log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
+- return (rsa_default->rsa_pub_dec(flen, from, to, rsa, padding));
++ return (RSA_meth_get_pub_dec(rsa_default)(flen, from, to, rsa, padding));
+ }
+
+ static int
+@@ -424,7 +593,7 @@ rsae_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa,
+ return (rsae_send_imsg(flen, from, to, rsa, padding,
+ IMSG_CA_PRIVENC));
+ }
+- return (rsa_default->rsa_priv_enc(flen, from, to, rsa, padding));
++ return (RSA_meth_get_priv_enc(rsa_default)(flen, from, to, rsa, padding));
+ }
+
+ static int
+@@ -436,14 +605,14 @@ rsae_priv_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa,
+ return (rsae_send_imsg(flen, from, to, rsa, padding,
+ IMSG_CA_PRIVDEC));
+ }
+- return (rsa_default->rsa_priv_dec(flen, from, to, rsa, padding));
++ return (RSA_meth_get_priv_dec(rsa_default)(flen, from, to, rsa, padding));
+ }
+
+ static int
+ rsae_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
+ {
+ log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
+- return (rsa_default->rsa_mod_exp(r0, I, rsa, ctx));
++ return (RSA_meth_get_mod_exp(rsa_default)(r0, I, rsa, ctx));
+ }
+
+ static int
+@@ -451,34 +620,36 @@ rsae_bn_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+ {
+ log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
+- return (rsa_default->bn_mod_exp(r, a, p, m, ctx, m_ctx));
++ return (RSA_meth_get_bn_mod_exp(rsa_default)(r, a, p, m, ctx, m_ctx));
+ }
+
+ static int
+ rsae_init(RSA *rsa)
+ {
+ log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
+- if (rsa_default->init == NULL)
++ if (RSA_meth_get_init(rsa_default) == NULL)
+ return (1);
+- return (rsa_default->init(rsa));
++ return (RSA_meth_get_init(rsa_default)(rsa));
+ }
+
+ static int
+ rsae_finish(RSA *rsa)
+ {
+ log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
+- if (rsa_default->finish == NULL)
++ if (RSA_meth_get_finish(rsa_default) == NULL)
+ return (1);
+- return (rsa_default->finish(rsa));
++ return (RSA_meth_get_finish(rsa_default)(rsa));
+ }
+
+ static int
+ rsae_keygen(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb)
+ {
+ log_debug("debug: %s: %s", proc_name(smtpd_process), __func__);
+- return (rsa_default->rsa_keygen(rsa, bits, e, cb));
++ return (RSA_meth_get_keygen(rsa_default)(rsa, bits, e, cb));
+ }
+
++static RSA_METHOD *rsae_method;
++
+ void
+ ca_engine_init(void)
+ {
+@@ -490,7 +661,7 @@ ca_engine_init(void)
+ errstr = "ENGINE_new";
+ goto fail;
+ }
+- if (!ENGINE_set_name(e, rsae_method.name)) {
++ if (!ENGINE_set_name(e, rsae_method_name)) {
+ errstr = "ENGINE_set_name";
+ goto fail;
+ }
+@@ -503,25 +674,58 @@ ca_engine_init(void)
+ goto fail;
+ }
+
++ rsae_method = RSA_meth_new(rsae_method_name, 0);
++ if (!rsae_method) {
++ errstr = "RSA_meth_new";
++ goto fail;
++ }
++
+ if ((name = ENGINE_get_name(e)) == NULL)
+ name = "unknown RSA engine";
+
+ log_debug("debug: %s: using %s", __func__, name);
+
+- if (rsa_default->flags & RSA_FLAG_SIGN_VER)
++ if (RSA_meth_get_sign(rsa_default) ||
++ RSA_meth_get_verify(rsa_default))
+ fatalx("unsupported RSA engine");
+
+- if (rsa_default->rsa_mod_exp == NULL)
+- rsae_method.rsa_mod_exp = NULL;
+- if (rsa_default->bn_mod_exp == NULL)
+- rsae_method.bn_mod_exp = NULL;
+- if (rsa_default->rsa_keygen == NULL)
+- rsae_method.rsa_keygen = NULL;
+- rsae_method.flags = rsa_default->flags |
+- RSA_METHOD_FLAG_NO_CHECK;
+- rsae_method.app_data = rsa_default->app_data;
+-
+- if (!ENGINE_set_RSA(e, &rsae_method)) {
++ errstr = "Setting callback";
++ if (!RSA_meth_set_pub_enc(rsae_method, rsae_pub_enc))
++ goto fail;
++ if (!RSA_meth_set_pub_dec(rsae_method, rsae_pub_dec))
++ goto fail;
++ if (!RSA_meth_set_priv_enc(rsae_method, rsae_priv_enc))
++ goto fail;
++ if (!RSA_meth_set_priv_dec(rsae_method, rsae_priv_dec))
++ goto fail;
++
++ if (RSA_meth_get_mod_exp(rsa_default)) {
++ if (!RSA_meth_set_mod_exp(rsae_method, rsae_mod_exp))
++ goto fail;
++ }
++
++ if (RSA_meth_get_bn_mod_exp(rsa_default))
++ if (!RSA_meth_set_bn_mod_exp(rsae_method, rsae_bn_mod_exp))
++ goto fail;
++ if (!RSA_meth_set_init(rsae_method, rsae_init))
++ goto fail;
++ if (!RSA_meth_set_finish(rsae_method, rsae_finish))
++ goto fail;
++
++ if (RSA_meth_get_keygen(rsa_default)) {
++ if (!RSA_meth_set_keygen(rsae_method, rsae_keygen))
++ goto fail;
++ }
++
++ if (!RSA_meth_set_flags(rsae_method,
++ RSA_meth_get_flags(rsa_default) |
++ RSA_METHOD_FLAG_NO_CHECK))
++ goto fail;
++
++ if (!RSA_meth_set0_app_data(rsae_method, RSA_meth_get0_app_data(rsa_default)))
++ goto fail;
++
++ if (!ENGINE_set_RSA(e, rsae_method)) {
+ errstr = "ENGINE_set_RSA";
+ goto fail;
+ }
+diff --git a/smtpd/crypto.c b/smtpd/crypto.c
+index 76f98807..01452851 100644
+--- a/smtpd/crypto.c
++++ b/smtpd/crypto.c
+@@ -64,7 +64,7 @@ crypto_setup(const char *key, size_t len)
+ int
+ crypto_encrypt_file(FILE * in, FILE * out)
+ {
+- EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX *ctx;
+ uint8_t ibuf[CRYPTO_BUFFER_SIZE];
+ uint8_t obuf[CRYPTO_BUFFER_SIZE];
+ uint8_t iv[IV_SIZE];
+@@ -91,12 +91,14 @@ crypto_encrypt_file(FILE * in, FILE * out)
+ if ((w = fwrite(iv, 1, sizeof iv, out)) != sizeof iv)
+ return 0;
+
+- EVP_CIPHER_CTX_init(&ctx);
+- EVP_EncryptInit_ex(&ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
++ ctx = EVP_CIPHER_CTX_new();
++ if (!ctx)
++ return 0;
++ EVP_EncryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
+
+ /* encrypt until end of file */
+ while ((r = fread(ibuf, 1, CRYPTO_BUFFER_SIZE, in)) != 0) {
+- if (!EVP_EncryptUpdate(&ctx, obuf, &len, ibuf, r))
++ if (!EVP_EncryptUpdate(ctx, obuf, &len, ibuf, r))
+ goto end;
+ if (len && (w = fwrite(obuf, len, 1, out)) != 1)
+ goto end;
+@@ -105,13 +107,13 @@ crypto_encrypt_file(FILE * in, FILE * out)
+ goto end;
+
+ /* finalize and write last chunk if any */
+- if (!EVP_EncryptFinal_ex(&ctx, obuf, &len))
++ if (!EVP_EncryptFinal_ex(ctx, obuf, &len))
+ goto end;
+ if (len && (w = fwrite(obuf, len, 1, out)) != 1)
+ goto end;
+
+ /* get and append tag */
+- EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, sizeof tag, tag);
++ EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, sizeof tag, tag);
+ if ((w = fwrite(tag, sizeof tag, 1, out)) != 1)
+ goto end;
+
+@@ -119,14 +121,14 @@ crypto_encrypt_file(FILE * in, FILE * out)
+ ret = 1;
+
+ end:
+- EVP_CIPHER_CTX_cleanup(&ctx);
++ EVP_CIPHER_CTX_free(ctx);
+ return ret;
+ }
+
+ int
+ crypto_decrypt_file(FILE * in, FILE * out)
+ {
+- EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX *ctx;
+ uint8_t ibuf[CRYPTO_BUFFER_SIZE];
+ uint8_t obuf[CRYPTO_BUFFER_SIZE];
+ uint8_t iv[IV_SIZE];
+@@ -171,11 +173,13 @@ crypto_decrypt_file(FILE * in, FILE * out)
+ sz -= sizeof tag;
+
+
+- EVP_CIPHER_CTX_init(&ctx);
+- EVP_DecryptInit_ex(&ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
++ ctx = EVP_CIPHER_CTX_new();
++ if (!ctx)
++ return 0;
++ EVP_DecryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
+
+ /* set expected tag */
+- EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, sizeof tag, tag);
++ EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, sizeof tag, tag);
+
+ /* decrypt until end of ciphertext */
+ while (sz) {
+@@ -185,7 +189,7 @@ crypto_decrypt_file(FILE * in, FILE * out)
+ r = fread(ibuf, 1, sz, in);
+ if (!r)
+ break;
+- if (!EVP_DecryptUpdate(&ctx, obuf, &len, ibuf, r))
++ if (!EVP_DecryptUpdate(ctx, obuf, &len, ibuf, r))
+ goto end;
+ if (len && (w = fwrite(obuf, len, 1, out)) != 1)
+ goto end;
+@@ -195,7 +199,7 @@ crypto_decrypt_file(FILE * in, FILE * out)
+ goto end;
+
+ /* finalize, write last chunk if any and perform authentication check */
+- if (!EVP_DecryptFinal_ex(&ctx, obuf, &len))
++ if (!EVP_DecryptFinal_ex(ctx, obuf, &len))
+ goto end;
+ if (len && (w = fwrite(obuf, len, 1, out)) != 1)
+ goto end;
+@@ -204,14 +208,14 @@ crypto_decrypt_file(FILE * in, FILE * out)
+ ret = 1;
+
+ end:
+- EVP_CIPHER_CTX_cleanup(&ctx);
++ EVP_CIPHER_CTX_free(ctx);
+ return ret;
+ }
+
+ size_t
+ crypto_encrypt_buffer(const char *in, size_t inlen, char *out, size_t outlen)
+ {
+- EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX *ctx;
+ uint8_t iv[IV_SIZE];
+ uint8_t tag[GCM_TAG_SIZE];
+ uint8_t version = API_VERSION;
+@@ -239,33 +243,35 @@ crypto_encrypt_buffer(const char *in, size_t inlen, char *out, size_t outlen)
+ memcpy(out + len, iv, sizeof iv);
+ len += sizeof iv;
+
+- EVP_CIPHER_CTX_init(&ctx);
+- EVP_EncryptInit_ex(&ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
++ ctx = EVP_CIPHER_CTX_new();
++ if (!ctx)
++ return 0;
++ EVP_EncryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
+
+ /* encrypt buffer */
+- if (!EVP_EncryptUpdate(&ctx, out + len, &olen, in, inlen))
++ if (!EVP_EncryptUpdate(ctx, out + len, &olen, in, inlen))
+ goto end;
+ len += olen;
+
+ /* finalize and write last chunk if any */
+- if (!EVP_EncryptFinal_ex(&ctx, out + len, &olen))
++ if (!EVP_EncryptFinal_ex(ctx, out + len, &olen))
+ goto end;
+ len += olen;
+
+ /* get and append tag */
+- EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, sizeof tag, tag);
++ EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, sizeof tag, tag);
+ memcpy(out + len, tag, sizeof tag);
+ ret = len + sizeof tag;
+
+ end:
+- EVP_CIPHER_CTX_cleanup(&ctx);
++ EVP_CIPHER_CTX_cleanup(ctx);
+ return ret;
+ }
+
+ size_t
+ crypto_decrypt_buffer(const char *in, size_t inlen, char *out, size_t outlen)
+ {
+- EVP_CIPHER_CTX ctx;
++ EVP_CIPHER_CTX *ctx;
+ uint8_t iv[IV_SIZE];
+ uint8_t tag[GCM_TAG_SIZE];
+ int olen;
+@@ -292,24 +298,26 @@ crypto_decrypt_buffer(const char *in, size_t inlen, char *out, size_t outlen)
+ inlen -= sizeof iv;
+ in += sizeof iv;
+
+- EVP_CIPHER_CTX_init(&ctx);
+- EVP_DecryptInit_ex(&ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
++ ctx = EVP_CIPHER_CTX_new();
++ if (!ctx)
++ return 0;
++ EVP_DecryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, cp.key, iv);
+
+ /* set expected tag */
+- EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, sizeof tag, tag);
++ EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, sizeof tag, tag);
+
+ /* decrypt buffer */
+- if (!EVP_DecryptUpdate(&ctx, out, &olen, in, inlen))
++ if (!EVP_DecryptUpdate(ctx, out, &olen, in, inlen))
+ goto end;
+ len += olen;
+
+ /* finalize, write last chunk if any and perform authentication check */
+- if (!EVP_DecryptFinal_ex(&ctx, out + len, &olen))
++ if (!EVP_DecryptFinal_ex(ctx, out + len, &olen))
+ goto end;
+ ret = len + olen;
+
+ end:
+- EVP_CIPHER_CTX_cleanup(&ctx);
++ EVP_CIPHER_CTX_cleanup(ctx);
+ return ret;
+ }
+
+diff --git a/smtpd/libressl.c b/smtpd/libressl.c
+index 57d74389..db78d943 100644
+--- a/smtpd/libressl.c
++++ b/smtpd/libressl.c
+@@ -94,10 +94,10 @@ ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in)
+
+ ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
+
+- x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback,
+- ctx->default_passwd_callback_userdata);
++ x = PEM_read_bio_X509_AUX(in, NULL, SSL_CTX_get_default_passwd_cb(ctx),
++ SSL_CTX_get_default_passwd_cb_userdata(ctx));
+ if (x == NULL) {
+- SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
++ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PEM_LIB);
+ goto end;
+ }
+
+@@ -115,14 +115,11 @@ ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in)
+ int r;
+ unsigned long err;
+
+- if (ctx->extra_certs != NULL) {
+- sk_X509_pop_free(ctx->extra_certs, X509_free);
+- ctx->extra_certs = NULL;
+- }
++ SSL_CTX_clear_extra_chain_certs(ctx);
+
+ while ((ca = PEM_read_bio_X509(in, NULL,
+- ctx->default_passwd_callback,
+- ctx->default_passwd_callback_userdata)) != NULL) {
++ SSL_CTX_get_default_passwd_cb(ctx),
++ SSL_CTX_get_default_passwd_cb_userdata(ctx))) != NULL) {
+ r = SSL_CTX_add_extra_chain_cert(ctx, ca);
+ if (!r) {
+ X509_free(ca);
+@@ -160,7 +157,7 @@ SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, void *buf, int len)
+
+ in = BIO_new_mem_buf(buf, len);
+ if (in == NULL) {
+- SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
++ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
+ goto end;
+ }
+
+diff --git a/smtpd/ssl.c b/smtpd/ssl.c
+index b88360eb..0c93d87e 100644
+--- a/smtpd/ssl.c
++++ b/smtpd/ssl.c
+@@ -425,7 +425,7 @@ ssl_ctx_fake_private_key(SSL_CTX *ctx, const void *data, size_t datalen,
+ */
+ ret = SSL_CTX_use_PrivateKey(ctx, pkey);
+ if (!ret)
+- SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_SSL_LIB);
++ SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_SYS_LIB);
+
+ if (pkeyptr != NULL)
+ *pkeyptr = pkey;
+diff --git a/smtpd/ssl.h b/smtpd/ssl.h
+index 90f018d0..553120d4 100644
+--- a/smtpd/ssl.h
++++ b/smtpd/ssl.h
+@@ -73,3 +73,17 @@ void SSL_CTX_set_ecdh_auto(SSL_CTX *, int);
+ void SSL_CTX_set_dh_auto(SSL_CTX *, int);
+ #endif
+ int SSL_CTX_use_certificate_chain_mem(SSL_CTX *, void *, int);
++
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
++
++static inline pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
++{
++ return ctx->default_passwd_callback;
++}
++
++static inline void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx)
++{
++ return ctx->default_passwd_callback_userdata;
++}
++
++#endif