File imap-openssl.patch of Package imap

Overview Repositories Revisions Requests Users Attributes Meta

File imap-openssl.patch of Package imap

Index: imap-2007e/src/osdep/unix/ssl_unix.c
===================================================================
--- imap-2007e.orig/src/osdep/unix/ssl_unix.c
+++ imap-2007e/src/osdep/unix/ssl_unix.c
@@ -38,7 +38,7 @@
 #undef crypt
 
 #define SSLBUFLEN 8192
-#define SSLCIPHERLIST "ALL:!LOW"
+#define SSLCIPHERLIST "DEFAULT"
 
 
 /* SSL I/O stream */
@@ -93,28 +93,13 @@ static int sslonceonly = 0;
 void ssl_onceonlyinit (void)
 {
   if (!sslonceonly++) {		/* only need to call it once */
-    int fd;
-    char tmp[MAILTMPLEN];
-    struct stat sbuf;
-				/* if system doesn't have /dev/urandom */
-    if (stat ("/dev/urandom",&sbuf)) {
-      while ((fd = open (tmpnam (tmp),O_WRONLY|O_CREAT|O_EXCL,0600)) < 0)
-	sleep (1);
-      unlink (tmp);		/* don't need the file */
-      fstat (fd,&sbuf);		/* get information about the file */
-      close (fd);		/* flush descriptor */
-				/* not great but it'll have to do */
-      sprintf (tmp + strlen (tmp),"%.80s%lx%.80s%lx%lx%lx%lx%lx",
-	       tcp_serveraddr (),(unsigned long) tcp_serverport (),
-	       tcp_clientaddr (),(unsigned long) tcp_clientport (),
-	       (unsigned long) sbuf.st_ino,(unsigned long) time (0),
-	       (unsigned long) gethostid (),(unsigned long) getpid ());
-      RAND_seed (tmp,strlen (tmp));
-    }
-				/* apply runtime linkage */
-    mail_parameters (NIL,SET_SSLDRIVER,(void *) &ssldriver);
-    mail_parameters (NIL,SET_SSLSTART,(void *) ssl_start);
-    SSL_library_init ();	/* add all algorithms */
+      mail_parameters (NIL,SET_SSLDRIVER,(void *) &ssldriver);
+      mail_parameters (NIL,SET_SSLSTART,(void *) ssl_start);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+      SSL_library_init();
+#else
+      OPENSSL_init_ssl(0, NULL);
+#endif
   }
 }
 
@@ -219,11 +204,13 @@ static char *ssl_start_work (SSLSTREAM *
     (sslclientkey_t) mail_parameters (NIL,GET_SSLCLIENTKEY,NIL);
   if (ssl_last_error) fs_give ((void **) &ssl_last_error);
   ssl_last_host = host;
-  if (!(stream->context = SSL_CTX_new ((flags & NET_TLSCLIENT) ?
-				       TLSv1_client_method () :
-				       SSLv23_client_method ())))
+  if (!(stream->context = SSL_CTX_new (SSLv23_client_method ())))
     return "SSL context failed";
-  SSL_CTX_set_options (stream->context,0);
+#ifdef SSL_CTX_set_min_proto_version
+  SSL_CTX_set_min_proto_version(stream->context, TLS1_VERSION);
+#else
+  SSL_CTX_set_options (stream->context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+#endif
 				/* disable certificate validation? */
   if (flags & NET_NOVALIDATECERT)
     SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL);
@@ -702,13 +689,22 @@ void ssl_server_init (char *server)
     if (stat (key,&sbuf)) strcpy (key,cert);
   }
 				/* create context */
-  if (!(stream->context = SSL_CTX_new (start_tls ?
-				       TLSv1_server_method () :
-				       SSLv23_server_method ())))
+  if (!(stream->context = SSL_CTX_new (SSLv23_server_method ())))
     syslog (LOG_ALERT,"Unable to create SSL context, host=%.80s",
 	    tcp_clienthost ());
   else {			/* set context options */
-    SSL_CTX_set_options (stream->context,SSL_OP_ALL);
+    SSL_CTX_set_options (stream->context, SSL_OP_ALL);
+#if defined(SSL_CTX_set_min_proto_version)
+    SSL_CTX_set_min_proto_version(stream->context, TLS1_VERSION);
+#else
+    SSL_CTX_set_options (stream->context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+#endif
+#if defined(SSL_CTX_set_dh_auto)
+    SSL_CTX_set_dh_auto(stream->context, 1);
+#endif
+#if defined(SSL_CTX_set_ecdh_auto)
+    SSL_CTX_set_ecdh_auto(stream->context, 1);
+#endif
 				/* set cipher list */
     if (!SSL_CTX_set_cipher_list (stream->context,SSLCIPHERLIST))
       syslog (LOG_ALERT,"Unable to set cipher list %.80s, host=%.80s",
@@ -724,8 +720,6 @@ void ssl_server_init (char *server)
 	      key,tcp_clienthost ());
 
     else {			/* generate key if needed */
-      if (SSL_CTX_need_tmp_RSA (stream->context))
-	SSL_CTX_set_tmp_rsa_callback (stream->context,ssl_genkey);
 				/* create new SSL connection */
       if (!(stream->con = SSL_new (stream->context)))
 	syslog (LOG_ALERT,"Unable to create SSL connection, host=%.80s",
@@ -760,31 +754,7 @@ void ssl_server_init (char *server)
   ssl_close (stream);		/* punt stream */
   exit (1);			/* punt this program too */
 }
-
-/* Generate one-time key for server
- * Accepts: SSL connection
- *	    export flag
- *	    keylength
- * Returns: generated key, always
- */
 
-static RSA *ssl_genkey (SSL *con,int export,int keylength)
-{
-  unsigned long i;
-  static RSA *key = NIL;
-  if (!key) {			/* if don't have a key already */
-				/* generate key */
-    if (!(key = RSA_generate_key (export ? keylength : 1024,RSA_F4,NIL,NIL))) {
-      syslog (LOG_ALERT,"Unable to generate temp key, host=%.80s",
-	      tcp_clienthost ());
-      while (i = ERR_get_error ())
-	syslog (LOG_ALERT,"SSL error status: %s",ERR_error_string (i,NIL));
-      exit (1);
-    }
-  }
-  return key;
-}
-
 /* Wait for stdin input
  * Accepts: timeout in seconds
  * Returns: T if have input on stdin, else NIL

Places

File imap-openssl.patch of Package imap

Places