From 2483c1fceb8225a89e93901e9b5d182d576ac488 Mon Sep 17 00:00:00 2001
From: Ryan Kavanagh
Date: Tue, 28 Jan 2020 18:03:34 -0500
Subject: [PATCH 1/2] Fix potential denial of service attack, 018_smtpd_tls.patch.sig smtpd can crash on opportunistic TLS downgrade, causing a denial of service.
---
debian/patches/018_smtpd_tls.patch.sig | 58 ++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 59 insertions(+)
create mode 100644 debian/patches/018_smtpd_tls.patch.sig
diff --git a/debian/patches/018_smtpd_tls.patch.sig b/debian/patches/018_smtpd_tls.patch.sig
new file mode 100644
index 00000000..5a8121e8
--- /dev/null
+++ b/debian/patches/018_smtpd_tls.patch.sig
@@ -0,0 +1,58 @@
+Description: fix denial of service attack
+ OpenBSD 6.6 errata 018, January 30, 2020:
+ .
+ smtpd can crash on opportunistic TLS downgrade, causing a denial of service.
+Origin: https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/018_smtpd_tls.patch.sig
+Bug-Debian: https://bugs.debian.org/950121
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: opensmtpd/smtpd/mta_session.c
+===================================================================
+--- opensmtpd.orig/smtpd/mta_session.c 2020-01-28 17:56:07.336180890 -0500
++++ opensmtpd/smtpd/mta_session.c 2020-01-28 17:56:07.336180890 -0500
+@@ -1292,40 +1292,20 @@
+ break;
+ 
+ case IO_ERROR:
++ case IO_TLSERROR:
+ log_debug("debug: mta: %p: IO error: %s", s, io_error(io));
+- if (!s->ready) {
+- mta_error(s, "IO Error: %s", io_error(io));
+- mta_connect(s);
+- break;
+- }
+- else if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_SMTPS|MTA_FORCE_ANYSSL))) {
+- /* error in non-strict SSL negotiation, downgrade to plain */
+- if (s->flags & MTA_TLS) {
+- log_info("smtp-out: Error on session %016"PRIx64
+- ": opportunistic TLS failed, "
+- "downgrading to plain", s->id);
+- s->flags &= ~MTA_TLS;
+- s->flags |= MTA_DOWNGRADE_PLAIN;
+- mta_connect(s);
+- break;
+- }
+- }
+- mta_error(s, "IO Error: %s", io_error(io));
+- mta_free(s);
+- break;
+ 
+- case IO_TLSERROR:
+- log_debug("debug: mta: %p: TLS IO error: %s", s, io_error(io));
+- if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_SMTPS|MTA_FORCE_ANYSSL))) {
++ if (s->state == MTA_STARTTLS && s->use_smtp_tls) {
+ /* error in non-strict SSL negotiation, downgrade to plain */
+- log_info("smtp-out: TLS Error on session %016"PRIx64
+- ": TLS failed, "
++ log_info("smtp-out: Error on session %016"PRIx64
++ ": opportunistic TLS failed, "
+ "downgrading to plain", s->id);
+ s->flags &= ~MTA_TLS;
+ s->flags |= MTA_DOWNGRADE_PLAIN;
+ mta_connect(s);
+ break;
+ }
++
+ mta_error(s, "IO Error: %s", io_error(io));
+ mta_free(s);
+ break;
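Review bot: The new file is named `018_smtpd_tls.patch.sig` and its `Origin:` line points at the signify-signed OpenBSD errata, but the hunk holds only the DEP-3 header and the `Index:` diff — there is no `untrusted comment:` line and no signature block — so the `.sig` suffix advertises an integrity check the file cannot provide, and nothing in the header records that the upstream signature was verified before those lines were dropped. I would rename it to `018_smtpd_tls.patch` (adjusting the `series` entry in the second hunk to match) and add a continuation line to the Description such as ` upstream signify signature verified before import` so the provenance claim is explicit rather than implied by a file extension. On the new side of the inner diff, the merged `case IO_ERROR:` / `case IO_TLSERROR:` reuses the `"debug: mta: %p: IO error: %s"` message for TLS failures and drops the old `"TLS IO error"` string, so a failed handshake on a forced-TLS session is now only distinguishable in logs by the absence of the "opportunistic TLS failed" info line; worth noting in the Description for operators who grep for it. The downgrade condition `s->state == MTA_STARTTLS && s->use_smtp_tls` is taken verbatim from upstream, and the meaning of `use_smtp_tls` cannot be confirmed from this page alone. The enclosing switch and the function that contains it both start and end outside the inner hunk.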
diff --git a/debian/patches/series b/debian/patches/series
index d884dbea..dbf2b325 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 07_automake_missing_options.diff
 10_smtpd.conf.diff
 11_ssl_1.1.diff
+018_smtpd_tls.patch.sig
-- 
2.25.0