
changeset 7:a5aee41f2fb9

OpenSSL 1.1 patch from NetBSD pkgsrc/mail/imap-uw $NetBSD: patch-src_osdep_unix_ssl__unix.c,v 1.2 2018/04/16 21:27:57 christos Exp$ Description: Support OpenSSL 1.1 When building with OpenSSL 1.1 and newer, use the new built-in hostname verification instead of code that doesn't compile due to structs having been made opaque. Bug-Debian: https://bugs.debian.org/828589
author HIROSE Yuuji <yuuji@gentei.org>
date Sun, 07 May 2023 11:44:06 +0900
parents fc6002700ecd
children 0196ff555697
files src/osdep/unix/ssl_unix.c
diffstat 1 files changed, 56 insertions(+), 18 deletions(-) [+]
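--- a/src/osdep/unix/ssl_unix.c	Mon Sep 14 20:06:41 2009 +0900
+++ b/src/osdep/unix/ssl_unix.c	Sun May 07 11:44:06 2023 +0900
@@ -219,16 +219,28 @@
     (sslclientkey_t) mail_parameters (NIL,GET_SSLCLIENTKEY,NIL);
   if (ssl_last_error) fs_give ((void **) &ssl_last_error);
   ssl_last_host = host;
-  if (!(stream->context = SSL_CTX_new ((flags & NET_TLSCLIENT) ?
-				       TLSv1_client_method () :
-				       SSLv23_client_method ())))
+  if (!(stream->context = SSL_CTX_new (
+#if OPENSSL_VERSION_NUMBER < 0x10100000UL
+  (flags & NET_TLSCLIENT) ?  TLSv1_client_method () : SSLv23_client_method ()
+#else
+  TLS_client_method()
+#endif
+  )))
     return "SSL context failed";
   SSL_CTX_set_options (stream->context,0);
 				/* disable certificate validation? */
   if (flags & NET_NOVALIDATECERT)
     SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL);
-  else SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify);
+  else {
+#if OPENSSL_VERSION_NUMBER >= 0x10100000      
+      X509_VERIFY_PARAM *param = SSL_CTX_get0_param(stream->context);
+      X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+      X509_VERIFY_PARAM_set1_host(param, host, 0);
+#endif
+
+      SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify);
 				/* set default paths to CAs... */
+  }
   SSL_CTX_set_default_verify_paths (stream->context);
 				/* ...unless a non-standard path desired */
   if (s = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL))
@@ -266,6 +278,7 @@
   if (SSL_write (stream->con,"",0) < 0)
     return ssl_last_error ? ssl_last_error : "SSL negotiation failed";
 				/* need to validate host names? */
+#if OPENSSL_VERSION_NUMBER < 0x10100000
   if (!(flags & NET_NOVALIDATECERT) &&
       (err = ssl_validate_cert (cert = SSL_get_peer_certificate (stream->con),
 				host))) {
@@ -275,6 +288,7 @@
     sprintf (tmp,"*%.128s: %.255s",err,cert ? cert->name : "???");
     return ssl_last_error = cpystr (tmp);
   }
+#endif
   return NIL;
 }
 
@@ -313,6 +327,7 @@
  * Returns: NIL if validated, else string of error message
  */
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000
 static char *ssl_validate_cert (X509 *cert,char *host)
 {
   int i,n;
@@ -342,6 +357,7 @@
   else ret = "Unable to locate common name in certificate";
   return ret;
 }
+#endif
 
 /* Case-independent wildcard pattern match
  * Accepts: base string
@@ -702,9 +718,13 @@
     if (stat (key,&sbuf)) strcpy (key,cert);
   }
 				/* create context */
-  if (!(stream->context = SSL_CTX_new (start_tls ?
-				       TLSv1_server_method () :
-				       SSLv23_server_method ())))
+  if (!(stream->context = SSL_CTX_new (
+#if OPENSSL_VERSION_NUMBER < 0x10100000UL
+  start_tls ? TLSv1_server_method () : SSLv23_server_method ()
+#else
+  TLS_server_method ()
+#endif
+  )))
     syslog (LOG_ALERT,"Unable to create SSL context, host=%.80s",
 	    tcp_clienthost ());
   else {			/* set context options */
@@ -772,17 +792,35 @@
 {
   unsigned long i;
   static RSA *key = NIL;
-  if (!key) {			/* if don't have a key already */
-				/* generate key */
-    if (!(key = RSA_generate_key (export ? keylength : 1024,RSA_F4,NIL,NIL))) {
-      syslog (LOG_ALERT,"Unable to generate temp key, host=%.80s",
-	      tcp_clienthost ());
-      while (i = ERR_get_error ())
-	syslog (LOG_ALERT,"SSL error status: %s",ERR_error_string (i,NIL));
-      exit (1);
-    }
-  }
-  return key;
+  static BIGNUM *ebn = NIL;
+
+  if (key)
+     return key;
+
+  key = RSA_new ();
+  if (!key)			/* if don't have a key already */
+    goto out;
+
+  ebn = BN_new ();
+  if (!ebn)
+    goto out;
+  BN_set_word (ebn, RSA_F4);
+
+  if (!RSA_generate_key_ex (key, export ? keylength : 1024, ebn, NIL))
+    goto out;
+  BN_free (ebn);
+   return key;
+
+out:
+  if (key)
+    RSA_free (key);
+  if (ebn)
+    BN_free (ebn);
+  syslog (LOG_ALERT,"Unable to generate temp key, host=%.80s",
+          tcp_clienthost ());
+  while (i = ERR_get_error ())
+    syslog (LOG_ALERT,"SSL error status: %s",ERR_error_string (i,NIL));
+  exit (1);
 }
 
 /* Wait for stdin input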
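Review bot: The return value of `X509_VERIFY_PARAM_set1_host(param, host, 0)` in the first hunk (@@ -219) is discarded; it returns 0 on failure, and in that case the context keeps chain validation but no hostname check, while the `#if OPENSSL_VERSION_NUMBER < 0x10100000` guards added in the @@ -266 and @@ -313 hunks remove the old post-handshake `ssl_validate_cert` fallback on 1.1 builds, so a peer presenting any valid certificate would pass. Check it the way the SSL_CTX_new result just above is checked, e.g. `if (!X509_VERIFY_PARAM_set1_host(param, host, 0)) return "SSL hostname verification setup failed";` (the same applies, less critically, to `X509_VERIFY_PARAM_set_hostflags`). The version guards are also spelled inconsistently, `0x10100000UL` around the SSL_CTX_new calls but `0x10100000` elsewhere; one spelling keeps them greppable. The enclosing function begins before the hunk, so the string-return error convention is inferred from the visible `return "SSL context failed";` line.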
