imapext-2007
changeset 7:a5aee41f2fb9
OpenSSL 1.1 patch from NetBSD pkgsrc/mail/imap-uw
$NetBSD: patch-src_osdep_unix_ssl__unix.c,v 1.2 2018/04/16 21:27:57 christos Exp$
Description: Support OpenSSL 1.1
When building with OpenSSL 1.1 and newer, use the new built-in
hostname verification instead of code that doesn't compile due to
structs having been made opaque.
Bug-Debian: https://bugs.debian.org/828589
author | HIROSE Yuuji <yuuji@gentei.org> |
---|---|
date | Sun, 07 May 2023 11:44:06 +0900 |
parents | fc6002700ecd |
children | 0196ff555697 |
files | src/osdep/unix/ssl_unix.c |
diffstat | 1 files changed, 56 insertions(+), 18 deletions(-) [+] |
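--- a/src/osdep/unix/ssl_unix.c Mon Sep 14 20:06:41 2009 +0900
+++ b/src/osdep/unix/ssl_unix.c Sun May 07 11:44:06 2023 +0900
@@ -219,16 +219,28 @@
 (sslclientkey_t) mail_parameters (NIL,GET_SSLCLIENTKEY,NIL);
 if (ssl_last_error) fs_give ((void **) &ssl_last_error);
 ssl_last_host = host;
- if (!(stream->context = SSL_CTX_new ((flags & NET_TLSCLIENT) ?
- TLSv1_client_method () :
- SSLv23_client_method ())))
+ if (!(stream->context = SSL_CTX_new (
+#if OPENSSL_VERSION_NUMBER < 0x10100000UL
+ (flags & NET_TLSCLIENT) ? TLSv1_client_method () : SSLv23_client_method ()
+#else
+ TLS_client_method()
+#endif
+ )))
 return "SSL context failed";
 SSL_CTX_set_options (stream->context,0);
 /* disable certificate validation? */
 if (flags & NET_NOVALIDATECERT)
 SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL);
- else SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify);
+ else {
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+ X509_VERIFY_PARAM *param = SSL_CTX_get0_param(stream->context);
+ X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+ X509_VERIFY_PARAM_set1_host(param, host, 0);
+#endif
+
+ SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify);
 /* set default paths to CAs... */
+ }
 SSL_CTX_set_default_verify_paths (stream->context);
 /* ...unless a non-standard path desired */
 if (s = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL))
@@ -266,6 +278,7 @@
 if (SSL_write (stream->con,"",0) < 0)
 return ssl_last_error ? ssl_last_error : "SSL negotiation failed";
 /* need to validate host names? */
+#if OPENSSL_VERSION_NUMBER < 0x10100000
 if (!(flags & NET_NOVALIDATECERT) &&
 (err = ssl_validate_cert (cert = SSL_get_peer_certificate (stream->con),
 host))) {
@@ -275,6 +288,7 @@
 sprintf (tmp,"*%.128s: %.255s",err,cert ? cert->name : "???");
 return ssl_last_error = cpystr (tmp);
 }
+#endif
 return NIL;
 }
 
@@ -313,6 +327,7 @@
 * Returns: NIL if validated, else string of error message
 */
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000
 static char *ssl_validate_cert (X509 *cert,char *host)
 {
 int i,n;
@@ -342,6 +357,7 @@
 else ret = "Unable to locate common name in certificate";
 return ret;
 }
+#endif
 
 /* Case-independent wildcard pattern match
 * Accepts: base string
@@ -702,9 +718,13 @@
 if (stat (key,&sbuf)) strcpy (key,cert);
 }
 /* create context */
- if (!(stream->context = SSL_CTX_new (start_tls ?
- TLSv1_server_method () :
- SSLv23_server_method ())))
+ if (!(stream->context = SSL_CTX_new (
+#if OPENSSL_VERSION_NUMBER < 0x10100000UL
+ start_tls ? TLSv1_server_method () : SSLv23_server_method ()
+#else
+ TLS_server_method ()
+#endif
+ )))
 syslog (LOG_ALERT,"Unable to create SSL context, host=%.80s",
 tcp_clienthost ());
 else { /* set context options */
@@ -772,17 +792,35 @@
 {
 unsigned long i;
 static RSA *key = NIL;
- if (!key) { /* if don't have a key already */
- /* generate key */
- if (!(key = RSA_generate_key (export ? keylength : 1024,RSA_F4,NIL,NIL))) {
- syslog (LOG_ALERT,"Unable to generate temp key, host=%.80s",
- tcp_clienthost ());
- while (i = ERR_get_error ())
- syslog (LOG_ALERT,"SSL error status: %s",ERR_error_string (i,NIL));
- exit (1);
- }
- }
- return key;
+ static BIGNUM *ebn = NIL;
+
+ if (key)
+ return key;
+
+ key = RSA_new ();
+ if (!key) /* if don't have a key already */
+ goto out;
+
+ ebn = BN_new ();
+ if (!ebn)
+ goto out;
+ BN_set_word (ebn, RSA_F4);
+
+ if (!RSA_generate_key_ex (key, export ? keylength : 1024, ebn, NIL))
+ goto out;
+ BN_free (ebn);
+ return key;
+
+out:
+ if (key)
+ RSA_free (key);
+ if (ebn)
+ BN_free (ebn);
+ syslog (LOG_ALERT,"Unable to generate temp key, host=%.80s",
+ tcp_clienthost ());
+ while (i = ERR_get_error ())
+ syslog (LOG_ALERT,"SSL error status: %s",ERR_error_string (i,NIL));
+ exit (1);
 }
 
 /* Wait for stdin input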
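Review bot: The return value of `X509_VERIFY_PARAM_set1_host` in the first hunk (the OpenSSL >= 1.1 branch of the client context setup) is discarded, so if that call fails the context still carries SSL_VERIFY_PEER but no expected hostname, and on OpenSSL >= 1.1 nothing else checks the peer name because the post-handshake `ssl_validate_cert` path is compiled out by the later hunks — the handshake would then succeed against any certificate chaining to a trusted CA. Check it and refuse to continue: `if (!X509_VERIFY_PARAM_set1_host (param,host,0)) return "SSL hostname verification setup failed";`. Note also that with this change a name mismatch is now reported to `ssl_open_verify` as a verify error instead of being handled after the handshake, so whatever override that callback offers (it is outside this diff) presumably now covers hostname mismatches too — worth confirming. The function this hunk edits begins before the hunk.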