meta-openembedded/meta-oe/recipes-devtools/uw-imap/uw-imap/0001-Support-OpenSSL-1.1.patch - stefanberger/openbmc - Gitiles

 From 4c684542816a08b95444b8e2515f24d084e6e3c3 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Tue, 4 Sep 2018 22:05:17 -0700
 Subject: [PATCH] Support OpenSSL 1.1

 When building with OpenSSL 1.1 and newer, use the new built-in
  hostname verification instead of code that doesn't compile due to
  structs having been made opaque.
 Bug-Debian: https://bugs.debian.org/828589

 Upstream-Status: Unknown

 Signed-off-by: Khem Raj <raj.khem@gmail.com>
 ---
  src/osdep/unix/ssl_unix.c | 14 +++++++++++++-
  1 file changed, 13 insertions(+), 1 deletion(-)

 diff --git a/src/osdep/unix/ssl_unix.c b/src/osdep/unix/ssl_unix.c
 index 3bfdff3..dec9467 100644
 --- a/src/osdep/unix/ssl_unix.c
 +++ b/src/osdep/unix/ssl_unix.c
 @@ -227,8 +227,16 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags)
  				/* disable certificate validation? */
    if (flags & NET_NOVALIDATECERT)
      SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL);
 -  else SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify);
 +  else {
 +#if OPENSSL_VERSION_NUMBER >= 0x10100000
 +      X509_VERIFY_PARAM *param = SSL_CTX_get0_param(stream->context);
 +      X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
 +      X509_VERIFY_PARAM_set1_host(param, host, 0);
 +#endif
 +
 +      SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify);
  				/* set default paths to CAs... */
 +  }
    SSL_CTX_set_default_verify_paths (stream->context);
  				/* ...unless a non-standard path desired */
    if (s = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL))
 @@ -266,6 +274,7 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags)
    if (SSL_write (stream->con,"",0) < 0)
      return ssl_last_error ? ssl_last_error : "SSL negotiation failed";
  				/* need to validate host names? */
 +#if OPENSSL_VERSION_NUMBER < 0x10100000
    if (!(flags & NET_NOVALIDATECERT) &&
        (err = ssl_validate_cert (cert = SSL_get_peer_certificate (stream->con),
  				host))) {
 @@ -275,6 +284,7 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags)
      sprintf (tmp,"*%.128s: %.255s",err,cert ? cert->name : "???");
      return ssl_last_error = cpystr (tmp);
    }
 +#endif
    return NIL;
  }

 @@ -313,6 +323,7 @@ static int ssl_open_verify (int ok,X509_STORE_CTX *ctx)
   * Returns: NIL if validated, else string of error message
   */

 +#if OPENSSL_VERSION_NUMBER < 0x10100000
  static char *ssl_validate_cert (X509 *cert,char *host)
  {
    int i,n;
 @@ -342,6 +353,7 @@ static char *ssl_validate_cert (X509 *cert,char *host)
    else ret = "Unable to locate common name in certificate";
    return ret;
  }
 +#endif

  /* Case-independent wildcard pattern match
   * Accepts: base string
	From 4c684542816a08b95444b8e2515f24d084e6e3c3 Mon Sep 17 00:00:00 2001
	From: Khem Raj <raj.khem@gmail.com>
	Date: Tue, 4 Sep 2018 22:05:17 -0700
	Subject: [PATCH] Support OpenSSL 1.1

	When building with OpenSSL 1.1 and newer, use the new built-in
	hostname verification instead of code that doesn't compile due to
	structs having been made opaque.
	Bug-Debian: https://bugs.debian.org/828589

	Upstream-Status: Unknown

	Signed-off-by: Khem Raj <raj.khem@gmail.com>
	---
	src/osdep/unix/ssl_unix.c \| 14 +++++++++++++-
	1 file changed, 13 insertions(+), 1 deletion(-)

	diff --git a/src/osdep/unix/ssl_unix.c b/src/osdep/unix/ssl_unix.c
	index 3bfdff3..dec9467 100644
	--- a/src/osdep/unix/ssl_unix.c
	+++ b/src/osdep/unix/ssl_unix.c
	@@ -227,8 +227,16 @@ static char ssl_start_work (SSLSTREAM stream,char *host,unsigned long flags)
	/* disable certificate validation? */
	if (flags & NET_NOVALIDATECERT)
	SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL);
	- else SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify);
	+ else {
	+#if OPENSSL_VERSION_NUMBER >= 0x10100000
	+ X509_VERIFY_PARAM *param = SSL_CTX_get0_param(stream->context);
	+ X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
	+ X509_VERIFY_PARAM_set1_host(param, host, 0);
	+#endif
	+
	+ SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify);
	/* set default paths to CAs... */
	+ }
	SSL_CTX_set_default_verify_paths (stream->context);
	/* ...unless a non-standard path desired */
	if (s = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL))
	@@ -266,6 +274,7 @@ static char ssl_start_work (SSLSTREAM stream,char *host,unsigned long flags)
	if (SSL_write (stream->con,"",0) < 0)
	return ssl_last_error ? ssl_last_error : "SSL negotiation failed";
	/* need to validate host names? */
	+#if OPENSSL_VERSION_NUMBER < 0x10100000
	if (!(flags & NET_NOVALIDATECERT) &&
	(err = ssl_validate_cert (cert = SSL_get_peer_certificate (stream->con),
	host))) {
	@@ -275,6 +284,7 @@ static char ssl_start_work (SSLSTREAM stream,char *host,unsigned long flags)
	sprintf (tmp,"*%.128s: %.255s",err,cert ? cert->name : "???");
	return ssl_last_error = cpystr (tmp);
	}
	+#endif
	return NIL;
	}

	@@ -313,6 +323,7 @@ static int ssl_open_verify (int ok,X509_STORE_CTX *ctx)
	* Returns: NIL if validated, else string of error message
	*/

	+#if OPENSSL_VERSION_NUMBER < 0x10100000
	static char ssl_validate_cert (X509 cert,char *host)
	{
	int i,n;
	@@ -342,6 +353,7 @@ static char ssl_validate_cert (X509 cert,char *host)
	else ret = "Unable to locate common name in certificate";
	return ret;
	}
	+#endif

	/* Case-independent wildcard pattern match
	* Accepts: base string