components/library/uwimap/patches/1006_openssl1.1_autoverify.patch

   1 Description: Support OpenSSL 1.1
   2  When building with OpenSSL 1.1 and newer, use the new built-in
   3  hostname verification instead of code that doesn't compile due to
   4  structs having been made opaque.
   5 Bug-Debian: https://bugs.debian.org/828589
   6
   7 --- a/src/osdep/unix/ssl_unix.c
   8 +++ b/src/osdep/unix/ssl_unix.c
   9 @@ -227,8 +227,16 @@ static char *ssl_start_work (SSLSTREAM *
  10                                 /* disable certificate validation? */
  11    if (flags & NET_NOVALIDATECERT)
  12      SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL);
  13 -  else SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify);
  14 +  else {
  15 +#if OPENSSL_VERSION_NUMBER >= 0x10100000
  16 +      X509_VERIFY_PARAM *param = SSL_CTX_get0_param(stream->context);
  17 +      X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
  18 +      X509_VERIFY_PARAM_set1_host(param, host, 0);
  19 +#endif
  20 +
  21 +      SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify);
  22                                 /* set default paths to CAs... */
  23 +  }
  24    SSL_CTX_set_default_verify_paths (stream->context);
  25                                 /* ...unless a non-standard path desired */
  26    if (s = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL))
  27 @@ -266,6 +274,7 @@ static char *ssl_start_work (SSLSTREAM *
  28    if (SSL_write (stream->con,"",0) < 0)
  29      return ssl_last_error ? ssl_last_error : "SSL negotiation failed";
  30                                 /* need to validate host names? */
  31 +#if OPENSSL_VERSION_NUMBER < 0x10100000
  32    if (!(flags & NET_NOVALIDATECERT) &&
  33        (err = ssl_validate_cert (cert = SSL_get_peer_certificate (stream->con),
  34                                 host))) {
  35 @@ -275,6 +284,7 @@ static char *ssl_start_work (SSLSTREAM *
  36      sprintf (tmp,"*%.128s: %.255s",err,cert ? cert->name : "???");
  37      return ssl_last_error = cpystr (tmp);
  38    }
  39 +#endif
  40    return NIL;
  41  }
  42  \f
  43 @@ -313,6 +323,7 @@ static int ssl_open_verify (int ok,X509_
  44   * Returns: NIL if validated, else string of error message
  45   */
  46
  47 +#if OPENSSL_VERSION_NUMBER < 0x10100000
  48  static char *ssl_validate_cert (X509 *cert,char *host)
  49  {
  50    int i,n;
  51 @@ -342,6 +353,7 @@ static char *ssl_validate_cert (X509 *ce
  52    else ret = "Unable to locate common name in certificate";
  53    return ret;
  54  }
  55 +#endif
  56  \f
  57  /* Case-independent wildcard pattern match
  58   * Accepts: base string