home:mollekopf:branches:Kolab:Winterfell
cyrus-imapd
Changes of Revision 3
cyrus-imapd.spec
Changed
@@ -47,6 +47,7 @@ Patch4: patch-cyrus-squatter-assert-crash Patch5: 0001-Fixed-CALDAV-PUT-requests-while-proxying.patch +Patch6: 0001-Openssl-3.0-fixes.patch Source10: cyrus-imapd.logrotate
0001-Openssl-3.0-fixes.patch
Added
@@ -0,0 +1,175 @@
+From 2c816fac8d7f69539b0dde34fa74a55257232d16 Mon Sep 17 00:00:00 2001
+From: Christian Mollekopf <mollekopf@apheleia-it.ch>
+Date: Fri, 14 Oct 2022 17:00:07 +0200
+Subject: PATCH Openssl 3.0 fixes
+
+---
+ imap/tls.c | 31 +++++++++++++++++++------------
+ imtest/imtest.c | 12 +++++++-----
+ 2 files changed, 26 insertions(+), 17 deletions(-)
+
+diff --git a/imap/tls.c b/imap/tls.c
+index 7951c98e3..df6c9cd61 100644
+--- a/imap/tls.c
++++ b/imap/tls.c
+@@ -149,7 +149,7 @@ static int tls_serverengine = 0; /* server engine initialized? */
+ static int tls_clientengine = 0; /* client engine initialized? */
+ static int do_dump = 0; /* actively dumping protocol? */
+
+-#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL)
++#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && (OPENSSL_VERSION_NUMBER < 0x30000000L)
+ static DH *dh_params = NULL;
+ #endif
+
+@@ -240,7 +240,7 @@ static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+ }
+ #endif
+
+-#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL)
++#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && (OPENSSL_VERSION_NUMBER < 0x30000000L)
+ /* Logic copied from OpenSSL apps/s_server.c: give the TLS context
+ * DH params to work with DHE-* cipher suites. Hardcoded fallback
+ * in case no DH params in server_key or server_cert.
+@@ -739,7 +739,6 @@ EXPORTED int tls_init_serverengine(const char *ident,
+ const char *client_ca_file;
+ const char *server_ca_file;
+ const char *server_cert_file;
+- const char *server_dhparam_file;
+ const char *server_key_file;
+ const char *crl_file_path;
+ enum enum_value tls_client_certs;
+@@ -883,7 +882,6 @@ EXPORTED int tls_init_serverengine(const char *ident,
+
+ server_ca_file = config_getstring(IMAPOPT_TLS_SERVER_CA_FILE);
+ server_cert_file = config_getstring(IMAPOPT_TLS_SERVER_CERT);
+- server_dhparam_file = config_getstring(IMAPOPT_TLS_SERVER_DHPARAM);
+ server_key_file = config_getstring(IMAPOPT_TLS_SERVER_KEY);
+
+ if (config_debug) {
+@@ -949,8 +947,11 @@ EXPORTED int tls_init_serverengine(const char *ident,
+ SSL_CTX_set_tmp_rsa_callback(s_ctx, tmp_rsa_cb);
+ #endif
+
+-#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL)
++#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
++ SSL_CTX_set_dh_auto(s_ctx, 1);
++#elif (OPENSSL_VERSION_NUMBER >= 0x0090800fL)
+ /* Load DH params for DHE-* key exchanges */
++ const char *server_dhparam_file = config_getstring(IMAPOPT_TLS_SERVER_DHPARAM);
+ dh_params = load_dh_param(server_dhparam_file, server_key_file, server_cert_file);
+ SSL_CTX_set_tmp_dh(s_ctx, dh_params);
+ #endif
+@@ -959,12 +960,16 @@ EXPORTED int tls_init_serverengine(const char *ident,
+ const char *ec = config_getstring(IMAPOPT_TLS_ECCURVE);
+ int openssl_nid = OBJ_sn2nid(ec);
+ if (openssl_nid != 0) {
++#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
++ SSL_CTX_set1_curves(s_ctx, &openssl_nid, 1);
++#else
+ EC_KEY *ecdh;
+ ecdh = EC_KEY_new_by_curve_name(openssl_nid);
+ if (ecdh != NULL) {
+ SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
+ EC_KEY_free(ecdh);
+ }
++#endif
+ }
+ #endif
+
+@@ -1086,20 +1091,22 @@ EXPORTED int tls_init_serverengine(const char *ident,
+
+ /* taken from OpenSSL apps/s_cb.c */
+
+-static long bio_dump_cb(BIO * bio, int cmd, const char *argp, int argi,
+- long argl __attribute__((unused)), long ret)
++static long bio_dump_cb(BIO * bio, int cmd, const char *argp,
++ size_t len __attribute__((unused)), int argi,
++ long argl __attribute__((unused)), int ret,
++ size_t *processed __attribute__((unused)))
+ {
+ if (!do_dump)
+ return (ret);
+
+ if (cmd == (BIO_CB_READ | BIO_CB_RETURN)) {
+- printf("read from %08lX %08lX (%d bytes => %ld (0x%lX))",
++ printf("read from %08lX %08lX (%d bytes => %d (0x%X))",
+ (unsigned long)bio, (unsigned long)argp,
+ argi, ret, ret);
+ tls_dump(argp, (int) ret);
+ return (ret);
+ } else if (cmd == (BIO_CB_WRITE | BIO_CB_RETURN)) {
+- printf("write to %08lX %08lX (%d bytes => %ld (0x%lX))",
++ printf("write to %08lX %08lX (%d bytes => %d (0x%X))",
+ (unsigned long) bio, (unsigned long)argp,
+ argi, ret, ret);
+ tls_dump(argp, (int) ret);
+@@ -1171,7 +1178,7 @@ EXPORTED int tls_start_servertls(int readfd, int writefd, int timeout,
+ * created for us, so we can use it for debugging purposes.
+ */
+ if (var_imapd_tls_loglevel >= 3)
+- BIO_set_callback(SSL_get_rbio(tls_conn), bio_dump_cb);
++ BIO_set_callback_ex(SSL_get_rbio(tls_conn), bio_dump_cb);
+
+ /* Dump the negotiation for loglevels 3 and 4*/
+ if (var_imapd_tls_loglevel >= 3)
+@@ -1402,7 +1409,7 @@ EXPORTED int tls_shutdown_serverengine(void)
+ sess_dbopen = 0;
+ }
+
+-#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL)
++#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && (OPENSSL_VERSION_NUMBER < 0x30000000L)
+ if (dh_params) DH_free(dh_params);
+ #endif
+ }
+@@ -1659,7 +1666,7 @@ HIDDEN int tls_start_clienttls(int readfd, int writefd,
+ * created for us, so we can use it for debugging purposes.
+ */
+ if (var_proxy_tls_loglevel >= 3)
+- BIO_set_callback(SSL_get_rbio(tls_conn), bio_dump_cb);
++ BIO_set_callback_ex(SSL_get_rbio(tls_conn), bio_dump_cb);
+
+ /* Dump the negotiation for loglevels 3 and 4*/
+ if (var_proxy_tls_loglevel >= 3)
+diff --git a/imtest/imtest.c b/imtest/imtest.c
+index a6fcf91e6..ca241fa61 100644
+--- a/imtest/imtest.c
++++ b/imtest/imtest.c
+@@ -630,20 +630,22 @@ static int tls_dump(const char *s, int len)
+
+ /* taken from OpenSSL apps/s_cb.c */
+
+-static long bio_dump_cb(BIO * bio, int cmd, const char *argp, int argi,
+- long argl __attribute__((unused)), long ret)
++static long bio_dump_cb(BIO * bio, int cmd, const char *argp,
++ size_t len __attribute__((unused)), int argi,
++ long argl __attribute__((unused)), int ret,
++ size_t *processed __attribute__((unused)))
+ {
+ if (!do_dump)
+ return (ret);
+
+ if (cmd == (BIO_CB_READ | BIO_CB_RETURN)) {
+- printf("read from %08lX %08lX (%d bytes => %ld (0x%lX))\n",
++ printf("read from %08lX %08lX (%d bytes => %d (0x%X))\n",
+ (unsigned long) bio, (unsigned long) argp,
+ argi, ret, ret);
+ tls_dump(argp, (int) ret);
+ return (ret);
+ } else if (cmd == (BIO_CB_WRITE | BIO_CB_RETURN)) {
+- printf("write to %08lX %08lX (%d bytes => %ld (0x%lX))\n",
++ printf("write to %08lX %08lX (%d bytes => %d (0x%X))\n",
+ (unsigned long) bio, (unsigned long) argp,
+ argi, ret, ret);
+ tls_dump(argp, (int) ret);
+@@ -686,7 +688,7 @@ static int tls_start_clienttls(unsigned *layer, char **authid)
+ * created for us, so we can use it for debugging purposes.
+ */
+ if (verbose==1)
+- BIO_set_callback(SSL_get_rbio(tls_conn), bio_dump_cb);
++ BIO_set_callback_ex(SSL_get_rbio(tls_conn), bio_dump_cb);
+
+ /* Dump the negotiation for loglevels 3 and 4 */
+ if (verbose==1)
+--
+2.37.3
+
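Review bot: With OpenSSL 3.0 the server's configured DH parameters are no longer used: in the `@@ -949` hunk of imap/tls.c the `>= 0x30000000L` branch calls `SSL_CTX_set_dh_auto(s_ctx, 1)`, and `IMAPOPT_TLS_SERVER_DHPARAM` is read only in the `#elif` branch. A deployment that pinned its own group therefore falls back to OpenSSL's built-in parameters without any message. Either load the file on 3.0 as well (`PEM_read_bio_Parameters()` followed by `SSL_CTX_set0_tmp_dh_pkey()`), or at least log when the option is set but ignored. The return value of `SSL_CTX_set_dh_auto` should also be checked, e.g. `if (!SSL_CTX_set_dh_auto(s_ctx, 1)) { /* log and fail initialisation */ }`. tls_init_serverengine starts and ends outside the hunk.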
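Review bot: The result of `SSL_CTX_set1_curves(s_ctx, &openssl_nid, 1)` in the `@@ -959` hunk of imap/tls.c is discarded, so a curve name that resolves to a NID but is rejected as a TLS group leaves the context on its default groups with no indication to the operator. Check the call and report the failure: `if (!SSL_CTX_set1_curves(s_ctx, &openssl_nid, 1)) { /* log that IMAPOPT_TLS_ECCURVE was not applied */ }`. The enclosing function continues outside the hunk.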
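Review bot: The rewritten `bio_dump_cb` still treats `ret` as the byte count, but with the `BIO_set_callback_ex` signature `ret` on a `BIO_CB_RETURN` call is the operation's status and the number of bytes handled arrives through `*processed`, which the new code marks unused (imap/tls.c `@@ -1086`, and the identical change in imtest/imtest.c `@@ -630`). As written, `tls_dump(argp, (int) ret)` dumps at most one byte and the `printf` reports `argi`, which OpenSSL passes as 0 for read and write, so the protocol dump is effectively lost. Take the requested size from `len` and the transferred size from `*processed`, as sketched below for the read branch of imap/tls.c; the write branch and imtest.c need the same substitution. Separately, the three `BIO_set_callback_ex` call sites are unconditional while the DH hunks keep guards back to 0x0090800fL; as far as I know that function only exists from OpenSSL 1.1.1, so builds against older releases would need a version guard around the new signature and calls.

```c
static long bio_dump_cb(BIO * bio, int cmd, const char *argp,
                        size_t len, int argi __attribute__((unused)),
                        long argl __attribute__((unused)), int ret,
                        size_t *processed)
{
    /* ... unchanged: do_dump check ... */

    if (cmd == (BIO_CB_READ | BIO_CB_RETURN)) {
        /* bytes actually transferred; 0 when the operation failed */
        size_t done = (ret > 0 && processed != NULL) ? *processed : 0;

        printf("read from %08lX %08lX (%zu bytes => %zu (0x%zX))",
               (unsigned long)bio, (unsigned long)argp, len, done, done);
        tls_dump(argp, (int) done);
        return (ret);
    } else if (cmd == (BIO_CB_WRITE | BIO_CB_RETURN)) {
        /* ... same substitution: len, done, tls_dump(argp, (int) done) ... */
```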