author | Ondrej Exner <ondrej.exner@ubnt.com> | 2019-09-10 14:04:39 +0200 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2019-09-11 07:24:32 +0000 |
commit | ffdcf96da172dff28c2ed28ec32e9961faf50d35 (patch) | |
tree | f1a23c2893600573cef7e6cdeb072e6f65b35d2e /main/imap | |
parent | a99f1eeddb8cce150162f24c5ce049555d7e4e64 (diff) | |
main/imap: fix for the previous SNI patch
Diffstat (limited to 'main/imap')
-rw-r--r-- | main/imap/2014_openssl1.1.1_sni.patch | 40 | ||||
-rw-r--r-- | main/imap/APKBUILD | 6 | ||||
-rw-r--r-- | main/imap/sni.patch | 24 |
3 files changed, 43 insertions, 27 deletions
diff --git a/main/imap/2014_openssl1.1.1_sni.patch b/main/imap/2014_openssl1.1.1_sni.patch
new file mode 100644
index 0000000000..af2bf99962
--- /dev/null
+++ b/main/imap/2014_openssl1.1.1_sni.patch
@@ -0,0 +1,40 @@
+Bug-Debian: https://bugs.debian.org/916041
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1834340
+Description:
+ Google IMAP servers require SNI if TLSv1.3 is used,
+ otherwise it sends a self-signed certificate which
+ fails validation.
+
+ OpenSSL support/versions:
+ - TLSv1.3 on 1.1.1,
+ - a2i_IPADDRESS() on 0.9.8'ish,
+ - SSL_set_tlsext_host_name() on 0.9.8'ish/1.0.0;
+ per 'git blame/describe' and the CHANGES file.
+
+ So check for TLSv1.3 support / OpenSSL 1.1.1
+ not to incur behavior changes on pre-TLSv1.3,
+ and set host_name to 'host' (ssl_open_verify()
+ validates this, via 'ssl_last_host' variable)
+
+ This patch just combines these two patches:
+ - BTS#916041 (message #5) by Ed Spiridonov,
+ - LP#916041 (comment #6) by David Zuelke.
+Author: Mauricio Faria de Oliveira <mfo@canonical.com>
+
+--- a/src/osdep/unix/ssl_unix.c
++++ b/src/osdep/unix/ssl_unix.c
+@@ -266,6 +266,14 @@ static char *ssl_start_work (SSLSTREAM *
+ /* create connection */
+ if (!(stream->con = (SSL *) SSL_new (stream->context)))
+ return "SSL connection failed";
++#if OPENSSL_VERSION_NUMBER >= 0x10101000
++ /* Use SNI in case server requires it with TLSv1.3.
++ * Literal IP addresses not permitted per RFC 6066. */
++ if (!a2i_IPADDRESS(host)) {
++ ERR_clear_error();
++ SSL_set_tlsext_host_name(stream->con,host);
++ }
++#endif
+ bio = BIO_new_socket (stream->tcpstream->tcpsi,BIO_NOCLOSE);
+ SSL_set_bio (stream->con,bio,bio);
+ SSL_set_connect_state (stream->con);
diff --git a/main/imap/APKBUILD b/main/imap/APKBUILD
index 1b34a85c73..d3d4c4e0e2 100644
--- a/main/imap/APKBUILD
+++ b/main/imap/APKBUILD
@@ -5,7 +5,7 @@
 # build it shared
 pkgname=imap
 pkgver=2007f
-pkgrel=10
+pkgrel=11
 pkgdesc="An IMAP/POP server"
 url="http://www.washington.edu/imap"
 arch="all"
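Review bot: In the added `#if OPENSSL_VERSION_NUMBER >= 0x10101000` block of the embedded ssl_unix.c patch, `a2i_IPADDRESS(host)` returns a newly allocated `ASN1_OCTET_STRING` when `host` is an IP literal, and the result is only tested and never freed, so each TLS connection to an IP-literal host leaks it. Keep the pointer and release it, for example `ASN1_OCTET_STRING *ip = a2i_IPADDRESS(host);` followed by `if (ip) ASN1_OCTET_STRING_free(ip);` and `else { ERR_clear_error(); SSL_set_tlsext_host_name(stream->con,host); }`. The return value of `SSL_set_tlsext_host_name` is also ignored; checking it and returning an error string, as the `SSL_new` check just above does, would avoid continuing without SNI and failing later with a less obvious certificate error. The body of ssl_start_work starts and ends outside the hunk.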
@@ -17,7 +17,7 @@ source="http://ftp.ntua.gr/pub/net/mail/imap/imap-$pkgver.tar.gz fix-linking.patch c-client-2006k_KOLAB_Annotations.patch 1006_openssl1.1_autoverify.patch - sni.patch + 2014_openssl1.1.1_sni.patch " builddir="$srcdir"/$pkgname-$pkgver @@ -67,4 +67,4 @@ sha512sums="7c3e1d9927872001e768ff2ddbcf3af74078243efe58dd70e01d966856b7611134e4 f8a4b5b8759b690273ec8c86db55c3c3ebf7b358321aa829341bc65e98db0f10696b1eeae922eecada668f011b0b3231ed73c3a959b47b4cba00568bf7d231c1 fix-linking.patch 871093236b3ae300968e1e200a2389566af72ed1f62ad57c1dc617dd59e8378f29175fe07e5cfc575e022f3c27769b06850cbf21567f7cc359ca204c4d87a3af c-client-2006k_KOLAB_Annotations.patch 7ecbe52adc6e3d1deee05790745642f794150ffaebf51c0cf689dc036eea9c7d80e643648aac37bf0aa83ac138b8bb63abfad3b540bc9440de3456162dfabae5 1006_openssl1.1_autoverify.patch -2b1ec17da5c57832f3adb30f09f4fd31f6cdfc63a696f36141b84bdc0a375f0b40a2c84cba3d11658a2895125687f49ead04ef381eed4b61564ede65f6149622 sni.patch" +884fe866cdce7955134c0ff939f1f5ef151ccbed772e64807095d369cb96fb67790cb070a7ea588e1e8f5523fcfeac5a6af6b1db69ec8f516b4c08db0cb029cb 2014_openssl1.1.1_sni.patch" diff --git a/main/imap/sni.patch b/main/imap/sni.patch deleted file mode 100644 index 2247f65f98..0000000000 --- a/main/imap/sni.patch +++ /dev/null 
@@ -1,24 +0,0 @@
-Description: Google IMAP servers require SNI if client supports TLS 1.3.
-Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/php-imap/+bug/1834340
-
---- a/src/osdep/unix/ssl_unix.c
-+++ b/src/osdep/unix/ssl_unix.c
-@@ -273,6 +273,18 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags)
- /* create connection */
- if (!(stream->con = (SSL *) SSL_new (stream->context)))
- return "SSL connection failed";
-+#if OPENSSL_VERSION_NUMBER >= 0x10200000L
-+ ASN1_OCTET_STRING *ip;
-+ /* support SNI if host is not an IP address */
-+ /* per RFC 6066: */
-+ /* Literal IPv4 and IPv6 addresses are not permitted in "HostName". */
-+ /* a2i_IPADDRESS is available since OpenSSL 1.0.2 */
-+ ip = a2i_IPADDRESS(host);
-+ if (ip == NULL) {
-+ ERR_clear_error();
-+ SSL_set_tlsext_host_name(stream->con,host);
-+ }
-+#endif
- bio = BIO_new_socket (stream->tcpstream->tcpsi,BIO_NOCLOSE);
- SSL_set_bio (stream->con,bio,bio);
- SSL_set_connect_state (stream->con); |