From 7e9211ac1ea29666ef8f545eb877fd30a5a7dcd9 Mon Sep 17 00:00:00 2001
From: Britney Fransen <brfransen@gmail.com>
Date: Thu, 12 Apr 2018 21:49:43 +0000
Subject: imap: update

---
 abs/core/imap/1006_openssl1.1_autoverify.patch | 58 ++++++++++++++++++++++++++
 abs/core/imap/PKGBUILD                         | 40 ++++--------------
 abs/core/imap/imap.install                     | 40 ++++++++++++++++++
 3 files changed, 107 insertions(+), 31 deletions(-)
 create mode 100644 abs/core/imap/1006_openssl1.1_autoverify.patch
 create mode 100644 abs/core/imap/imap.install

diff --git a/abs/core/imap/1006_openssl1.1_autoverify.patch b/abs/core/imap/1006_openssl1.1_autoverify.patch
new file mode 100644
index 0000000..087e747
--- /dev/null
+++ b/abs/core/imap/1006_openssl1.1_autoverify.patch
@@ -0,0 +1,58 @@
+Description: Support OpenSSL 1.1
+ When building with OpenSSL 1.1 and newer, use the new built-in
+ hostname verification instead of code that doesn't compile due to
+ structs having been made opaque.
+Bug-Debian: https://bugs.debian.org/828589
+
+--- a/src/osdep/unix/ssl_unix.c
++++ b/src/osdep/unix/ssl_unix.c
+@@ -227,8 +227,16 @@ static char *ssl_start_work (SSLSTREAM *
+ 				/* disable certificate validation? */
+   if (flags & NET_NOVALIDATECERT)
+     SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL);
+-  else SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify);
++  else {
++#if OPENSSL_VERSION_NUMBER >= 0x10100000      
++      X509_VERIFY_PARAM *param = SSL_CTX_get0_param(stream->context);
++      X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
++      X509_VERIFY_PARAM_set1_host(param, host, 0);
++#endif
++
++      SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify);
+ 				/* set default paths to CAs... */
++  }
+   SSL_CTX_set_default_verify_paths (stream->context);
+ 				/* ...unless a non-standard path desired */
+   if (s = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL))
+@@ -266,6 +274,7 @@ static char *ssl_start_work (SSLSTREAM *
+   if (SSL_write (stream->con,"",0) < 0)
+     return ssl_last_error ? ssl_last_error : "SSL negotiation failed";
+ 				/* need to validate host names? */
++#if OPENSSL_VERSION_NUMBER < 0x10100000
+   if (!(flags & NET_NOVALIDATECERT) &&
+       (err = ssl_validate_cert (cert = SSL_get_peer_certificate (stream->con),
+ 				host))) {
+@@ -275,6 +284,7 @@ static char *ssl_start_work (SSLSTREAM *
+     sprintf (tmp,"*%.128s: %.255s",err,cert ? cert->name : "???");
+     return ssl_last_error = cpystr (tmp);
+   }
++#endif
+   return NIL;
+ }
+ 
+@@ -313,6 +323,7 @@ static int ssl_open_verify (int ok,X509_
+  * Returns: NIL if validated, else string of error message
+  */
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10100000
+ static char *ssl_validate_cert (X509 *cert,char *host)
+ {
+   int i,n;
+@@ -342,6 +353,7 @@ static char *ssl_validate_cert (X509 *ce
+   else ret = "Unable to locate common name in certificate";
+   return ret;
+ }
++#endif
+ 
+ /* Case-independent wildcard pattern match
+  * Accepts: base string
diff --git a/abs/core/imap/PKGBUILD b/abs/core/imap/PKGBUILD
index cad646c..77219da 100644
--- a/abs/core/imap/PKGBUILD
+++ b/abs/core/imap/PKGBUILD
@@ -3,17 +3,18 @@
 pkgbase=imap
 pkgname=(imap c-client)
 pkgver=2007f
-pkgrel=5
-arch=('i686' 'x86_64')
+pkgrel=9
+arch=('x86_64')
 license=('APACHE')
 url="http://www.washington.edu/imap"
 makedepends=('pam')
-source=("ftp://ftp.cac.washington.edu/imap/${pkgname}-${pkgver}.tar.gz"
-        'c-client-2006k_GENTOO_amd64-so-fix.patch'
+source=("https://www.mirrorservice.org/sites/ftp.cac.washington.edu/imap/${pkgname}-${pkgver}.tar.gz"
+        'c-client-2006k_GENTOO_amd64-so-fix.patch' '1006_openssl1.1_autoverify.patch'
         'imap' 'ipop2' 'ipop3')
 options=('staticlibs')
 md5sums=('2126fd125ea26b73b20f01fcd5940369'
          '7f3937a871edd54203fe51f91423e204'
+         'cc8cc4df43f73bc144b9a41c55ef5991'
          '3ae5b3b333bc8ea2da106f6a97d7bd8d'
          '448f988dc5f9bdb2223dcea3abc4f5f1'
          '1499b13015075f0aafba04324a6f523a')
@@ -28,35 +29,15 @@ prepare() {
     -i src/osdep/unix/Makefile
 
   patch -p1 -i $srcdir/c-client-2006k_GENTOO_amd64-so-fix.patch
+  patch -p1 -i $srcdir/1006_openssl1.1_autoverify.patch
 }
 
 build() {
   cd $srcdir/$pkgbase-$pkgver
   # NOTE: if you wish to enforce SSL, use SSLTYPE=unix.nopwd
 
-  yes "y" | make lnp EXTRAAUTHENTICATORS=gss PASSWDTYPE=pam SPECIALAUTHENTICATORS=ssl SSLTYPE=unix EXTRACFLAGS="${CFLAGS} -fPIC -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lpam"
+  yes "y" | make lnp EXTRAAUTHENTICATORS=gss PASSWDTYPE=pam SPECIALAUTHENTICATORS=ssl SSLTYPE=unix EXTRACFLAGS="${CFLAGS} -fPIC -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lpam" EXTRALDFLAGS="${LDFLAGS}"
 
-  # create ssl certs for secure imap
-  for i in imapd ipop3d; do
-    PEM1=$srcdir/pem1
-    PEM2=$srcdir/pem2
-    /usr/bin/openssl req -newkey rsa:1024 -keyout $PEM1 \
-      -nodes -x509 -days 365 -out  $PEM2 << EOF
---
-SomeState
-SomeCity
-SomeOrganization
-SomeOrganizationalUnit
-localhost.localdomain
-root@localhost.localdomain
-EOF
-
-    cat $PEM1 >  ${i}.pem
-    echo ""    >> ${i}.pem
-    cat $PEM2 >> ${i}.pem
-    rm $PEM1 $PEM2
-    umask 022
-  done
 }
 
 package_imap() {
@@ -64,7 +45,8 @@ package_imap() {
   depends=('c-client')
   provides=('imap-server' 'pop3-server')
   conflicts=('courier-mta' 'courier-imap')
-  backup=(etc/xinetd.d/{imap,ipop2,ipop3} etc/ssl/certs/{imapd,ipop3d}.pem)
+  backup=(etc/xinetd.d/{imap,ipop2,ipop3})
+  install=imap.install
 
   cd $srcdir/$pkgbase-$pkgver
   install -d $pkgdir/usr/bin
@@ -72,10 +54,6 @@ package_imap() {
   install -D -m755 ipopd/ipop2d $pkgdir/usr/bin/ipop2d
   install -D -m755 ipopd/ipop3d $pkgdir/usr/bin/ipop3d
 
-  # install certs
-  install -D -m600 imapd.pem $pkgdir/etc/ssl/certs/imapd.pem
-  install -D -m600 ipop3d.pem $pkgdir/etc/ssl/certs/ipop3d.pem
-
   # install xinetd.d configs
   install -D -m644 ../imap $pkgdir/etc/xinetd.d/imap
   install -D -m644 ../ipop2 $pkgdir/etc/xinetd.d/ipop2
diff --git a/abs/core/imap/imap.install b/abs/core/imap/imap.install
new file mode 100644
index 0000000..1f554a8
--- /dev/null
+++ b/abs/core/imap/imap.install
@@ -0,0 +1,40 @@
+post_install() {
+  if [ ! -e /etc/ssl/certs/imapd.pem ]; then
+    generate_certificate imapd
+  fi
+  if [ ! -e /etc/ssl/certs/ipop3d.pem ]; then
+    generate_certificate ipop3d
+  fi
+}
+
+post_upgrade() {
+  post_install
+}
+
+generate_certificate() {
+  t=$1
+  echo -n "Generating $t certificate..."
+
+  umask 077
+  tmpdir=$(mktemp -d)
+  PEM1="$tmpdir/$t.pem1"
+  PEM2="$tmpdir/$t.pem2"
+  cert="$tmpdir/$t.pem"
+  /usr/bin/openssl req -newkey rsa:4096 -keyout "$PEM1" \
+    -nodes -x509 -days 365 -out "$PEM2" >/dev/null 2>&1 << EOF
+--
+SomeState
+SomeCity
+SomeOrganization
+SomeOrganizationalUnit
+localhost.localdomain
+root@localhost.localdomain
+EOF
+
+  cat "$PEM1" >  "$cert"
+  echo ""     >> "$cert"
+  cat "$PEM2" >> "$cert"
+  install -Dm 600 "$cert" -t /etc/ssl/certs
+  rm -rf "$tmpdir"
+  echo "done."
+}
-- 
cgit v0.12