c-client: rebuild against OpenSSL

This commit is contained in:
John 2021-01-06 23:55:17 +01:00
parent ff37d6200d
commit b8820021c9
3 changed files with 61 additions and 3 deletions

View file

@ -2383,7 +2383,7 @@ libdwarf.so.1 libdwarf-20160613_1
libmemcached.so.11 libmemcached-1.0.18_1
libhashkit.so.2 libmemcached-1.0.18_1
libmemcachedutil.so.2 libmemcached-1.0.18_1
libc-client.so.1 c-client-2007f_1
libc-client.so.1 c-client-2007f_4
libonig.so.5 oniguruma-6.8.1_1
liblo10k1.so.0 alsa-tools-1.0.29_1
libgflags.so.2.2 gflags-2.1.2_1

View file

@ -0,0 +1,58 @@
Description: Support OpenSSL 1.1
When building with OpenSSL 1.1 and newer, use the new built-in
hostname verification instead of code that doesn't compile due to
structs having been made opaque.
Bug-Debian: https://bugs.debian.org/828589
--- src/osdep/unix/ssl_unix.c
+++ src/osdep/unix/ssl_unix.c
@@ -227,8 +227,16 @@ static char *ssl_start_work (SSLSTREAM *
/* disable certificate validation? */
if (flags & NET_NOVALIDATECERT)
SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL);
- else SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify);
+ else {
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+ X509_VERIFY_PARAM *param = SSL_CTX_get0_param(stream->context);
+ X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+ X509_VERIFY_PARAM_set1_host(param, host, 0);
+#endif
+
+ SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify);
/* set default paths to CAs... */
+ }
SSL_CTX_set_default_verify_paths (stream->context);
/* ...unless a non-standard path desired */
if (s = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL))
@@ -266,6 +274,7 @@ static char *ssl_start_work (SSLSTREAM *
if (SSL_write (stream->con,"",0) < 0)
return ssl_last_error ? ssl_last_error : "SSL negotiation failed";
/* need to validate host names? */
+#if OPENSSL_VERSION_NUMBER < 0x10100000
if (!(flags & NET_NOVALIDATECERT) &&
(err = ssl_validate_cert (cert = SSL_get_peer_certificate (stream->con),
host))) {
@@ -275,6 +284,7 @@ static char *ssl_start_work (SSLSTREAM *
sprintf (tmp,"*%.128s: %.255s",err,cert ? cert->name : "???");
return ssl_last_error = cpystr (tmp);
}
+#endif
return NIL;
}
@@ -313,6 +323,7 @@ static int ssl_open_verify (int ok,X509_
* Returns: NIL if validated, else string of error message
*/
+#if OPENSSL_VERSION_NUMBER < 0x10100000
static char *ssl_validate_cert (X509 *cert,char *host)
{
int i,n;
@@ -342,6 +353,7 @@ static char *ssl_validate_cert (X509 *ce
else ret = "Unable to locate common name in certificate";
return ret;
}
+#endif
/* Case-independent wildcard pattern match
* Accepts: base string

View file

@ -1,9 +1,9 @@
# Template file for 'c-client'
pkgname=c-client
version=2007f
revision=3
revision=4
wrksrc="imap-${version}"
makedepends="pam-devel libressl-devel e2fsprogs-devel"
makedepends="pam-devel openssl-devel e2fsprogs-devel"
short_desc="IMAP client library"
maintainer="John Regan <john@jrjrtech.com>"
license="Apache-2.0"