From 7e9211ac1ea29666ef8f545eb877fd30a5a7dcd9 Mon Sep 17 00:00:00 2001 From: Britney Fransen Date: Thu, 12 Apr 2018 21:49:43 +0000 Subject: imap: update --- abs/core/imap/1006_openssl1.1_autoverify.patch | 58 ++++++++++++++++++++++++++ abs/core/imap/PKGBUILD | 40 ++++-------------- abs/core/imap/imap.install | 40 ++++++++++++++++++ 3 files changed, 107 insertions(+), 31 deletions(-) create mode 100644 abs/core/imap/1006_openssl1.1_autoverify.patch create mode 100644 abs/core/imap/imap.install diff --git a/abs/core/imap/1006_openssl1.1_autoverify.patch b/abs/core/imap/1006_openssl1.1_autoverify.patch new file mode 100644 index 0000000..087e747 --- /dev/null +++ b/abs/core/imap/1006_openssl1.1_autoverify.patch @@ -0,0 +1,58 @@ +Description: Support OpenSSL 1.1 + When building with OpenSSL 1.1 and newer, use the new built-in + hostname verification instead of code that doesn't compile due to + structs having been made opaque. +Bug-Debian: https://bugs.debian.org/828589 + +--- a/src/osdep/unix/ssl_unix.c ++++ b/src/osdep/unix/ssl_unix.c +@@ -227,8 +227,16 @@ static char *ssl_start_work (SSLSTREAM * + /* disable certificate validation? */ + if (flags & NET_NOVALIDATECERT) + SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL); +- else SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify); ++ else { ++#if OPENSSL_VERSION_NUMBER >= 0x10100000 ++ X509_VERIFY_PARAM *param = SSL_CTX_get0_param(stream->context); ++ X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); ++ X509_VERIFY_PARAM_set1_host(param, host, 0); ++#endif ++ ++ SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify); + /* set default paths to CAs... */ ++ } + SSL_CTX_set_default_verify_paths (stream->context); + /* ...unless a non-standard path desired */ + if (s = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL)) +@@ -266,6 +274,7 @@ static char *ssl_start_work (SSLSTREAM * + if (SSL_write (stream->con,"",0) < 0) + return ssl_last_error ? ssl_last_error : "SSL negotiation failed"; + /* need to validate host names? */ ++#if OPENSSL_VERSION_NUMBER < 0x10100000 + if (!(flags & NET_NOVALIDATECERT) && + (err = ssl_validate_cert (cert = SSL_get_peer_certificate (stream->con), + host))) { +@@ -275,6 +284,7 @@ static char *ssl_start_work (SSLSTREAM * + sprintf (tmp,"*%.128s: %.255s",err,cert ? cert->name : "???"); + return ssl_last_error = cpystr (tmp); + } ++#endif + return NIL; + } + +@@ -313,6 +323,7 @@ static int ssl_open_verify (int ok,X509_ + * Returns: NIL if validated, else string of error message + */ + ++#if OPENSSL_VERSION_NUMBER < 0x10100000 + static char *ssl_validate_cert (X509 *cert,char *host) + { + int i,n; +@@ -342,6 +353,7 @@ static char *ssl_validate_cert (X509 *ce + else ret = "Unable to locate common name in certificate"; + return ret; + } ++#endif + + /* Case-independent wildcard pattern match + * Accepts: base string diff --git a/abs/core/imap/PKGBUILD b/abs/core/imap/PKGBUILD index cad646c..77219da 100644 --- a/abs/core/imap/PKGBUILD +++ b/abs/core/imap/PKGBUILD @@ -3,17 +3,18 @@ pkgbase=imap pkgname=(imap c-client) pkgver=2007f -pkgrel=5 -arch=('i686' 'x86_64') +pkgrel=9 +arch=('x86_64') license=('APACHE') url="http://www.washington.edu/imap" makedepends=('pam') -source=("ftp://ftp.cac.washington.edu/imap/${pkgname}-${pkgver}.tar.gz" - 'c-client-2006k_GENTOO_amd64-so-fix.patch' +source=("https://www.mirrorservice.org/sites/ftp.cac.washington.edu/imap/${pkgname}-${pkgver}.tar.gz" + 'c-client-2006k_GENTOO_amd64-so-fix.patch' '1006_openssl1.1_autoverify.patch' 'imap' 'ipop2' 'ipop3') options=('staticlibs') md5sums=('2126fd125ea26b73b20f01fcd5940369' '7f3937a871edd54203fe51f91423e204' + 'cc8cc4df43f73bc144b9a41c55ef5991' '3ae5b3b333bc8ea2da106f6a97d7bd8d' '448f988dc5f9bdb2223dcea3abc4f5f1' '1499b13015075f0aafba04324a6f523a') @@ -28,35 +29,15 @@ prepare() { -i src/osdep/unix/Makefile patch -p1 -i $srcdir/c-client-2006k_GENTOO_amd64-so-fix.patch + patch -p1 -i $srcdir/1006_openssl1.1_autoverify.patch } build() { cd $srcdir/$pkgbase-$pkgver # NOTE: if you wish to enforce SSL, use SSLTYPE=unix.nopwd - yes "y" | make lnp EXTRAAUTHENTICATORS=gss PASSWDTYPE=pam SPECIALAUTHENTICATORS=ssl SSLTYPE=unix EXTRACFLAGS="${CFLAGS} -fPIC -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lpam" + yes "y" | make lnp EXTRAAUTHENTICATORS=gss PASSWDTYPE=pam SPECIALAUTHENTICATORS=ssl SSLTYPE=unix EXTRACFLAGS="${CFLAGS} -fPIC -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lpam" EXTRALDFLAGS="${LDFLAGS}" - # create ssl certs for secure imap - for i in imapd ipop3d; do - PEM1=$srcdir/pem1 - PEM2=$srcdir/pem2 - /usr/bin/openssl req -newkey rsa:1024 -keyout $PEM1 \ - -nodes -x509 -days 365 -out $PEM2 << EOF --- -SomeState -SomeCity -SomeOrganization -SomeOrganizationalUnit -localhost.localdomain -root@localhost.localdomain -EOF - - cat $PEM1 > ${i}.pem - echo "" >> ${i}.pem - cat $PEM2 >> ${i}.pem - rm $PEM1 $PEM2 - umask 022 - done } package_imap() { @@ -64,7 +45,8 @@ package_imap() { depends=('c-client') provides=('imap-server' 'pop3-server') conflicts=('courier-mta' 'courier-imap') - backup=(etc/xinetd.d/{imap,ipop2,ipop3} etc/ssl/certs/{imapd,ipop3d}.pem) + backup=(etc/xinetd.d/{imap,ipop2,ipop3}) + install=imap.install cd $srcdir/$pkgbase-$pkgver install -d $pkgdir/usr/bin @@ -72,10 +54,6 @@ package_imap() { install -D -m755 ipopd/ipop2d $pkgdir/usr/bin/ipop2d install -D -m755 ipopd/ipop3d $pkgdir/usr/bin/ipop3d - # install certs - install -D -m600 imapd.pem $pkgdir/etc/ssl/certs/imapd.pem - install -D -m600 ipop3d.pem $pkgdir/etc/ssl/certs/ipop3d.pem - # install xinetd.d configs install -D -m644 ../imap $pkgdir/etc/xinetd.d/imap install -D -m644 ../ipop2 $pkgdir/etc/xinetd.d/ipop2 diff --git a/abs/core/imap/imap.install b/abs/core/imap/imap.install new file mode 100644 index 0000000..1f554a8 --- /dev/null +++ b/abs/core/imap/imap.install @@ -0,0 +1,40 @@ +post_install() { + if [ ! -e /etc/ssl/certs/imapd.pem ]; then + generate_certificate imapd + fi + if [ ! -e /etc/ssl/certs/ipop3d.pem ]; then + generate_certificate ipop3d + fi +} + +post_upgrade() { + post_install +} + +generate_certificate() { + t=$1 + echo -n "Generating $t certificate..." + + umask 077 + tmpdir=$(mktemp -d) + PEM1="$tmpdir/$t.pem1" + PEM2="$tmpdir/$t.pem2" + cert="$tmpdir/$t.pem" + /usr/bin/openssl req -newkey rsa:4096 -keyout "$PEM1" \ + -nodes -x509 -days 365 -out "$PEM2" >/dev/null 2>&1 << EOF +-- +SomeState +SomeCity +SomeOrganization +SomeOrganizationalUnit +localhost.localdomain +root@localhost.localdomain +EOF + + cat "$PEM1" > "$cert" + echo "" >> "$cert" + cat "$PEM2" >> "$cert" + install -Dm 600 "$cert" -t /etc/ssl/certs + rm -rf "$tmpdir" + echo "done." +} -- cgit v0.12