File imap-openssl.patch of Package imap.11873
Index: imap-2007e/src/osdep/unix/ssl_unix.c
===================================================================
--- imap-2007e.orig/src/osdep/unix/ssl_unix.c
+++ imap-2007e/src/osdep/unix/ssl_unix.c
@@ -38,7 +38,7 @@
#undef crypt
#define SSLBUFLEN 8192
-#define SSLCIPHERLIST "ALL:!LOW"
+#define SSLCIPHERLIST "DEFAULT"
/* SSL I/O stream */
@@ -93,28 +93,13 @@ static int sslonceonly = 0;
void ssl_onceonlyinit (void)
{
if (!sslonceonly++) { /* only need to call it once */
- int fd;
- char tmp[MAILTMPLEN];
- struct stat sbuf;
- /* if system doesn't have /dev/urandom */
- if (stat ("/dev/urandom",&sbuf)) {
- while ((fd = open (tmpnam (tmp),O_WRONLY|O_CREAT|O_EXCL,0600)) < 0)
- sleep (1);
- unlink (tmp); /* don't need the file */
- fstat (fd,&sbuf); /* get information about the file */
- close (fd); /* flush descriptor */
- /* not great but it'll have to do */
- sprintf (tmp + strlen (tmp),"%.80s%lx%.80s%lx%lx%lx%lx%lx",
- tcp_serveraddr (),(unsigned long) tcp_serverport (),
- tcp_clientaddr (),(unsigned long) tcp_clientport (),
- (unsigned long) sbuf.st_ino,(unsigned long) time (0),
- (unsigned long) gethostid (),(unsigned long) getpid ());
- RAND_seed (tmp,strlen (tmp));
- }
- /* apply runtime linkage */
- mail_parameters (NIL,SET_SSLDRIVER,(void *) &ssldriver);
- mail_parameters (NIL,SET_SSLSTART,(void *) ssl_start);
- SSL_library_init (); /* add all algorithms */
+ mail_parameters (NIL,SET_SSLDRIVER,(void *) &ssldriver);
+ mail_parameters (NIL,SET_SSLSTART,(void *) ssl_start);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ SSL_library_init();
+#else
+ OPENSSL_init_ssl(0, NULL);
+#endif
}
}
@@ -219,11 +204,13 @@ static char *ssl_start_work (SSLSTREAM *
(sslclientkey_t) mail_parameters (NIL,GET_SSLCLIENTKEY,NIL);
if (ssl_last_error) fs_give ((void **) &ssl_last_error);
ssl_last_host = host;
- if (!(stream->context = SSL_CTX_new ((flags & NET_TLSCLIENT) ?
- TLSv1_client_method () :
- SSLv23_client_method ())))
+ if (!(stream->context = SSL_CTX_new (SSLv23_client_method ())))
return "SSL context failed";
- SSL_CTX_set_options (stream->context,0);
+#ifdef SSL_CTX_set_min_proto_version
+ SSL_CTX_set_min_proto_version(stream->context, TLS1_VERSION);
+#else
+ SSL_CTX_set_options (stream->context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+#endif
/* disable certificate validation? */
if (flags & NET_NOVALIDATECERT)
SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL);
@@ -702,13 +689,22 @@ void ssl_server_init (char *server)
if (stat (key,&sbuf)) strcpy (key,cert);
}
/* create context */
- if (!(stream->context = SSL_CTX_new (start_tls ?
- TLSv1_server_method () :
- SSLv23_server_method ())))
+ if (!(stream->context = SSL_CTX_new (SSLv23_server_method ())))
syslog (LOG_ALERT,"Unable to create SSL context, host=%.80s",
tcp_clienthost ());
else { /* set context options */
- SSL_CTX_set_options (stream->context,SSL_OP_ALL);
+ SSL_CTX_set_options (stream->context, SSL_OP_ALL);
+#if defined(SSL_CTX_set_min_proto_version)
+ SSL_CTX_set_min_proto_version(stream->context, TLS1_VERSION);
+#else
+ SSL_CTX_set_options (stream->context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+#endif
+#if defined(SSL_CTX_set_dh_auto)
+ SSL_CTX_set_dh_auto(stream->context, 1);
+#endif
+#if defined(SSL_CTX_set_ecdh_auto)
+ SSL_CTX_set_ecdh_auto(stream->context, 1);
+#endif
/* set cipher list */
if (!SSL_CTX_set_cipher_list (stream->context,SSLCIPHERLIST))
syslog (LOG_ALERT,"Unable to set cipher list %.80s, host=%.80s",
@@ -724,8 +720,6 @@ void ssl_server_init (char *server)
key,tcp_clienthost ());
else { /* generate key if needed */
- if (SSL_CTX_need_tmp_RSA (stream->context))
- SSL_CTX_set_tmp_rsa_callback (stream->context,ssl_genkey);
/* create new SSL connection */
if (!(stream->con = SSL_new (stream->context)))
syslog (LOG_ALERT,"Unable to create SSL connection, host=%.80s",
@@ -760,31 +754,7 @@ void ssl_server_init (char *server)
ssl_close (stream); /* punt stream */
exit (1); /* punt this program too */
}
-
-/* Generate one-time key for server
- * Accepts: SSL connection
- * export flag
- * keylength
- * Returns: generated key, always
- */
-static RSA *ssl_genkey (SSL *con,int export,int keylength)
-{
- unsigned long i;
- static RSA *key = NIL;
- if (!key) { /* if don't have a key already */
- /* generate key */
- if (!(key = RSA_generate_key (export ? keylength : 1024,RSA_F4,NIL,NIL))) {
- syslog (LOG_ALERT,"Unable to generate temp key, host=%.80s",
- tcp_clienthost ());
- while (i = ERR_get_error ())
- syslog (LOG_ALERT,"SSL error status: %s",ERR_error_string (i,NIL));
- exit (1);
- }
- }
- return key;
-}
-
/* Wait for stdin input
* Accepts: timeout in seconds
* Returns: T if have input on stdin, else NIL