Michael McConville <[email protected]> writes:
> They added some new SSL conditions that don't compile. I took the simple
> route in the attached patches and defaulted to SSL23.
Well, simple but a bit intrusive...
> That uses the best
> available cipher, right?
That uses the default cipher suite.
> This approach is a little iffy because I think
> it ignores the user's cipher prefs. I wanted to get a working WiP so
> that people could review it because I haven't worked with SSL/TLS APIs
> before.
>
> What's attached builds and runs fine for me.
Here's a less intrusive diff that should be easy to push upstream.
(Except in special cases, please send diffs instead of tarballs for
existing ports).
If SSLv3 isn't available, this should print an error message and abort
the connection. Disclaimer: not tested yet.
Index: Makefile
===================================================================
RCS file: /cvs/ports/mail/imapfilter/Makefile,v
retrieving revision 1.17
diff -u -p -r1.17 Makefile
--- Makefile 18 Jul 2015 23:11:01 -0000 1.17
+++ Makefile 2 Nov 2015 21:50:50 -0000
@@ -2,8 +2,7 @@
COMMENT= remote IMAP filtering utility
-V= 2.6.1
-REVISION= 0
+V= 2.6.3
DISTNAME= imapfilter-${V}
GH_TAGNAME= v${V}
Index: distinfo
===================================================================
RCS file: /cvs/ports/mail/imapfilter/distinfo,v
retrieving revision 1.9
diff -u -p -r1.9 distinfo
--- distinfo 29 Jun 2015 09:52:25 -0000 1.9
+++ distinfo 2 Nov 2015 21:50:50 -0000
@@ -1,2 +1,2 @@
-SHA256 (imapfilter-2.6.1.tar.gz) = 2UlKUgg3aWh+eA2kHPmk0hvrVq9YY6+z28SiEJ7VwdM=
-SIZE (imapfilter-2.6.1.tar.gz) = 55450
+SHA256 (imapfilter-2.6.3.tar.gz) = EXSGLW1cpJiyWnixJ8Jba/vUwM7DD439S2sQ+GlM0kQ=
+SIZE (imapfilter-2.6.3.tar.gz) = 55757
Index: patches/patch-src_imapfilter_c
===================================================================
RCS file: /cvs/ports/mail/imapfilter/patches/patch-src_imapfilter_c,v
retrieving revision 1.2
diff -u -p -r1.2 patch-src_imapfilter_c
--- patches/patch-src_imapfilter_c 18 Jul 2015 23:11:01 -0000 1.2
+++ patches/patch-src_imapfilter_c 2 Nov 2015 21:50:50 -0000
@@ -1,6 +1,9 @@
$OpenBSD: patch-src_imapfilter_c,v 1.2 2015/07/18 23:11:01 sthen Exp $
---- src/imapfilter.c.orig Mon Jun 29 02:33:17 2015
-+++ src/imapfilter.c Sat Jul 18 18:34:04 2015
+
+Cope with SSLv3 removal.
+
+--- src/imapfilter.c.orig Wed Sep 30 22:55:26 2015
++++ src/imapfilter.c Mon Nov 2 22:37:03 2015
@@ -21,7 +21,10 @@
extern buffer ibuf, obuf, nbuf, cbuf;
@@ -13,16 +16,7 @@ $OpenBSD: patch-src_imapfilter_c,v 1.2 2
#if OPENSSL_VERSION_NUMBER >= 0x01000100fL
extern SSL_CTX *tls11ctx, *tls12ctx;
#endif
-@@ -52,7 +55,7 @@ main(int argc, char *argv[])
- opts.config = NULL;
- opts.oneline = NULL;
- opts.debug = NULL;
-- opts.truststore = "/etc/ssl/certs";
-+ opts.truststore = "/etc/ssl/cert.pem";
-
- env.home = NULL;
- env.pathmax = -1;
-@@ -109,7 +112,9 @@ main(int argc, char *argv[])
+@@ -114,7 +117,9 @@ main(int argc, char *argv[])
SSL_library_init();
SSL_load_error_strings();
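Review bot: The inner hunk dropped here was the one that set `opts.truststore = "/etc/ssl/cert.pem";`, and nothing visible shows what default 2.6.3 uses in its place. If upstream still defaults to a directory such as `/etc/ssl/certs` and that path is absent on the target system, `cafile` and `capath` would presumably both stay NULL. The `SSL_CTX_load_verify_locations()` calls, whose return values are not checked in the visible context, would then leave every context without trust anchors. Please confirm the new default resolves to the system bundle, or keep that one-line change rebased onto 2.6.3. main() starts and ends outside the hunk.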
@@ -32,9 +26,9 @@ $OpenBSD: patch-src_imapfilter_c,v 1.2 2
ssl23ctx = SSL_CTX_new(SSLv23_client_method());
tls1ctx = SSL_CTX_new(TLSv1_client_method());
#if OPENSSL_VERSION_NUMBER >= 0x01000100fL
-@@ -121,7 +126,9 @@ main(int argc, char *argv[])
+@@ -125,7 +130,9 @@ main(int argc, char *argv[])
capath = opts.truststore;
- if (exists_file(opts.truststore))
+ else if (exists_file(opts.truststore))
cafile = opts.truststore;
+#ifndef OPENSSL_NO_SSL3_METHOD
SSL_CTX_load_verify_locations(ssl3ctx, cafile, capath);
@@ -42,7 +36,7 @@ $OpenBSD: patch-src_imapfilter_c,v 1.2 2
SSL_CTX_load_verify_locations(ssl23ctx, cafile, capath);
SSL_CTX_load_verify_locations(tls1ctx, cafile, capath);
#if OPENSSL_VERSION_NUMBER >= 0x01000100fL
-@@ -146,7 +153,9 @@ main(int argc, char *argv[])
+@@ -150,7 +157,9 @@ main(int argc, char *argv[])
#endif
stop_lua();
Index: patches/patch-src_socket_c
===================================================================
RCS file: patches/patch-src_socket_c
diff -N patches/patch-src_socket_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_socket_c 2 Nov 2015 21:50:50 -0000
@@ -0,0 +1,32 @@
+$OpenBSD$
+
+Cope with SSLv3 removal.
+
+--- src/socket.c.orig Wed Sep 30 22:55:26 2015
++++ src/socket.c Mon Nov 2 22:47:35 2015
+@@ -16,8 +16,10 @@
+ #include "imapfilter.h"
+ #include "session.h"
+
+-
+-SSL_CTX *ssl3ctx, *ssl23ctx, *tls1ctx;
++SSL_CTX *ssl23ctx, *tls1ctx;
++#ifndef OPENSSL_NO_SSL3_METHOD
++SSL_CTX *ssl3ctx;
++#endif
+ #if OPENSSL_VERSION_NUMBER >= 0x01000100fL
+ SSL_CTX *tls11ctx, *tls12ctx;
+ #endif
+@@ -95,7 +97,12 @@ open_secure_connection(session *ssn)
+ if (!ssn->sslproto) {
+ ctx = ssl23ctx;
+ } else if (!strcasecmp(ssn->sslproto, "ssl3")) {
++#ifndef OPENSSL_NO_SSL3_METHOD
+ ctx = ssl3ctx;
++#else
++ error("protocol SSLv3 not supported\n");
++ goto fail;
++#endif
+ } else if (!strcasecmp(ssn->sslproto, "tls1")) {
+ ctx = tls1ctx;
+ } else if (!strcasecmp(ssn->sslproto, "tls1.1")) {
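Review bot: The `#else` branch in open_secure_connection() jumps to `fail`, but that label and its cleanup sit outside the hunk, so confirm the cleanup tolerates being reached before any SSL object exists for the session; the mail itself says this is untested. Separately, on builds where `OPENSSL_NO_SSL3_METHOD` is not defined, the default branch `ctx = ssl23ctx` can still settle on SSLv3 unless the context carries `SSL_OP_NO_SSLv3`. No option setting is visible here, so consider `SSL_CTX_set_options(ssl23ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` where the context is created in src/imapfilter.c. A short comment above the `#else`, for example `/* libssl built without SSLv3: refuse rather than fall back silently */`, would record why the request is rejected.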
--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE