
Bug#828540: sendmail: FTBFS with openssl 1.1.0



Control: tag -1 help

Hi Kurt,

maybe you can help me get sendmail (which I've been QA maintaining for 
some years now) to work with the new openssl.

On 2016-06-26 12:24, Kurt Roeckx wrote:
> https://breakpoint.cc/openssl-1.1-rebuild-2016-05-29/Attempted/sendmail_8.15.2-4_amd64-20160529-1535

> If you have problems making things work, feel free to contact us.

in debian/configure.ac we have

        if test $ac_cv_header_openssl_ssl_h = yes; then
                AC_CHECK_LIB(ssl, SSL_library_init,
                        [sm_have_tls=yes]
                        ,[sm_have_tls=no]
                        ,[-lcrypto])

                if test $sm_have_tls != yes; then
                        AC_MSG_WARN([Could not find -lssl (libssl-dev)])
                fi;
        fi;

which fails. The whole autotools stuff is only used for the Debian packaging.
That fails because SSL_library_init is now a macro instead of a function.
Maybe this check is superfluous and could just be removed.
If I do this, building fails due to some API changes:

gcc -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -fPIC -I. -I../../include    -DSOCKETMAP -DMAP_REGEX -DNEWDB -DNIS -DNISPLUS -DLDAPMAP  -DHASFCHMOD=1 -DHASSETRLIMIT=1 -DHASFLOCK=0 -DUSESETEUID=1 -DHASGETUSERSHELL=1 -DNETINET6  -D_PATH_SENDMAILPID=\"/var/run/sendmail/mta/sendmail.pid\" -DIP_SRCROUTE=1 -DLDAP_REFERRALS -D_FFR_LDAP_URI -D_FFR_LDAP_SETVERSION -DLDAP_DEPRECATED  -DTCPWRAPPERS -DSASL -I/usr/include/sasl -DSTARTTLS  -D_FFR_QUEUE_SCHED_DBG -D_FFR_SKIP_DOMAINS -D_FFR_GROUPREADABLEAUTHINFOFILE -D_FFR_DAEMON_NETUNIX -D_FFR_NO_PIPE -D_FFR_SHM_STATUS -D_FFR_RHS -D_FFR_MAIL_MACRO -D_FFR_QUEUEDELAY=1 -D_FFR_BADRCPT_SHUTDOWN -D_FFR_RESET_MACRO_GLOBALS -D_FFR_TLS_1 -D_FFR_TLS_EC -D_FFR_DEAL_WITH_ERROR_SSL   -Wdate-time -D_FORTIFY_SOURCE=2  -c -o tls.o tls.c
tls.c: In function 'get_dh512':
tls.c:70:4: error: dereferencing pointer to incomplete type 'DH {aka struct dh_st}'
  dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
    ^
tls.c: In function 'inittls':
tls.c:929:22: warning: implicit declaration of function 'BIO_s_file_internal' [-Wimplicit-function-declaration]
   crl_file = BIO_new(BIO_s_file_internal());
                      ^
tls.c:929:22: warning: passing argument 1 of 'BIO_new' makes pointer from integer without a cast [-Wint-conversion]
In file included from /usr/include/openssl/ssl.h:48:0,
                 from ./sendmail.h:125,
                 from tls.c:11:
/usr/include/openssl/bio.h:538:6: note: expected 'const BIO_METHOD * {aka const struct bio_method_st *}' but argument is of type 'int'
 BIO *BIO_new(const BIO_METHOD *type);
      ^
tls.c:1006:6: warning: 'RSA_generate_key' is deprecated [-Wdeprecated-declarations]
      (rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL,
      ^
In file included from /usr/include/openssl/rsa.h:13:0,
                 from /usr/include/openssl/x509.h:31,
                 from /usr/include/openssl/ssl.h:50,
                 from ./sendmail.h:125,
                 from tls.c:11:
/usr/include/openssl/rsa.h:193:1: note: declared here
 DEPRECATEDIN_0_9_8(RSA *RSA_generate_key(int bits, unsigned long e, void
 ^
tls.c:1213:4: warning: 'DSA_generate_parameters' is deprecated [-Wdeprecated-declarations]
    dsa = DSA_generate_parameters(bits, NULL, 0, NULL,
    ^
In file included from /usr/include/openssl/dh.h:13:0,
                 from /usr/include/openssl/dsa.h:31,
                 from /usr/include/openssl/x509.h:32,
                 from /usr/include/openssl/ssl.h:50,
                 from ./sendmail.h:125,
                 from tls.c:11:
/usr/include/openssl/dsa.h:121:1: note: declared here
 DEPRECATEDIN_0_9_8(DSA *DSA_generate_parameters(int bits,
 ^
tls.c:1298:5: warning: implicit declaration of function 'SSL_CTX_set_tmp_rsa_callback' [-Wimplicit-function-declaration]
     SSL_CTX_set_tmp_rsa_callback(*ctx, tmp_rsa_key);
     ^
tls.c: In function 'tmp_rsa_key':
tls.c:1747:2: warning: 'RSA_generate_key' is deprecated [-Wdeprecated-declarations]
  rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL, NULL);
  ^
In file included from /usr/include/openssl/rsa.h:13:0,
                 from /usr/include/openssl/x509.h:31,
                 from /usr/include/openssl/ssl.h:50,
                 from ./sendmail.h:125,
                 from tls.c:11:
/usr/include/openssl/rsa.h:193:1: note: declared here
 DEPRECATEDIN_0_9_8(RSA *RSA_generate_key(int bits, unsigned long e, void
 ^
tls.c: In function 'x509_verify_cb':
tls.c:1974:10: error: dereferencing pointer to incomplete type 'X509_STORE_CTX {aka struct x509_store_ctx_st}'
   if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL)
          ^
<builtin>: recipe for target 'tls.o' failed


The file in question is sendmail/tls.c


Since I'm used to neither openssl nor the sendmail source code (and I 
have no use for sendmail at all, now that it passes the piuparts 
tests), I'm not going to write a patch for supporting openssl 1.1.0 
alongside 1.0.2.
Instead I'll wait for either a new upstream release or some patch 
showing up somewhere, which may mean stretch could ship without 
sendmail.

Dear users of sendmail: Your help is needed in case you want to 
continue using sendmail in stretch!


Andreas
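
The configure failure described in this message comes from AC_CHECK_LIB link-testing a bare symbol name without including any header, so a name that is only a macro in <openssl/ssl.h> is never found. The following is an added example, not part of the original message or of the Debian packaging: one way to write the check so that it passes with both OpenSSL 1.0.2 and 1.1.0 by compiling and linking a call through the header. The variable name sm_save_LIBS is hypothetical.

```m4
if test "$ac_cv_header_openssl_ssl_h" = yes; then
        # Link a real call through the header instead of probing a bare
        # symbol: with 1.0.2 SSL_library_init is a function, with 1.1.0
        # the header expands it to OPENSSL_init_ssl(0, NULL). Either way
        # the test program links if libssl is usable.
        sm_save_LIBS=$LIBS          # hypothetical name, restored below
        LIBS="-lssl -lcrypto $LIBS"
        AC_MSG_CHECKING([for a usable SSL_library_init in -lssl])
        AC_LINK_IFELSE(
                [AC_LANG_PROGRAM([[#include <openssl/ssl.h>]],
                                 [[SSL_library_init();]])],
                [sm_have_tls=yes],
                [sm_have_tls=no])
        AC_MSG_RESULT([$sm_have_tls])
        # Same side effects as the original check: LIBS is left unchanged,
        # only sm_have_tls is set.
        LIBS=$sm_save_LIBS

        if test "$sm_have_tls" != yes; then
                AC_MSG_WARN([Could not find -lssl (libssl-dev)])
        fi
fi
```

This only addresses the configure step; the compile errors in sendmail/tls.c (direct access to DH and X509_STORE_CTX members, which are opaque in 1.1.0) still need source changes.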

