From owner-svn-ports-head@freebsd.org  Sun Mar  8 00:48:47 2020
Return-Path: <owner-svn-ports-head@freebsd.org>
Delivered-To: svn-ports-head@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 1EC33256F62;
 Sun,  8 Mar 2020 00:48:47 +0000 (UTC)
 (envelope-from riggs@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 48ZjQk3rGtz4PD7;
 Sun,  8 Mar 2020 00:48:46 +0000 (UTC)
 (envelope-from riggs@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 1093919AF8;
 Sun,  8 Mar 2020 00:48:46 +0000 (UTC)
 (envelope-from riggs@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 0280mjeW067946;
 Sun, 8 Mar 2020 00:48:45 GMT (envelope-from riggs@FreeBSD.org)
Received: (from riggs@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id 0280mjZw067944;
 Sun, 8 Mar 2020 00:48:45 GMT (envelope-from riggs@FreeBSD.org)
Message-Id: <202003080048.0280mjZw067944@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: riggs set sender to
 riggs@FreeBSD.org using -f
From: Thomas Zander <riggs@FreeBSD.org>
Date: Sun, 8 Mar 2020 00:48:45 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org,
 svn-ports-head@freebsd.org
Subject: svn commit: r527991 - in head/mail/cclient: . files
X-SVN-Group: ports-head
X-SVN-Commit-Author: riggs
X-SVN-Commit-Paths: in head/mail/cclient: . files
X-SVN-Commit-Revision: 527991
X-SVN-Commit-Repository: ports
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-head@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SVN commit messages for the ports tree for head
 <svn-ports-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-ports-head>, 
 <mailto:svn-ports-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-ports-head/>
List-Post: <mailto:svn-ports-head@freebsd.org>
List-Help: <mailto:svn-ports-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-ports-head>,
 <mailto:svn-ports-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Mar 2020 00:48:47 -0000

Author: riggs
Date: Sun Mar  8 00:48:45 2020
New Revision: 527991
URL: https://svnweb.freebsd.org/changeset/ports/527991

Log:
  Fix hostname verification
  
  PR:		226621
  Submitted by:	satanist+freebsd@bureaucracy.de
  Reviewed by:	brnrd

Modified:
  head/mail/cclient/Makefile
  head/mail/cclient/files/patch-src_osdep_unix_ssl__unix.c

Modified: head/mail/cclient/Makefile
==============================================================================
--- head/mail/cclient/Makefile	Sat Mar  7 22:55:10 2020	(r527990)
+++ head/mail/cclient/Makefile	Sun Mar  8 00:48:45 2020	(r527991)
@@ -3,7 +3,7 @@
 
 PORTNAME=	cclient
 PORTVERSION=	2007f
-PORTREVISION=	3
+PORTREVISION=	4
 PORTEPOCH=	1
 CATEGORIES=	mail devel
 MASTER_SITES=	ftp://ftp.cac.washington.edu/imap/%SUBDIR%/ \

Modified: head/mail/cclient/files/patch-src_osdep_unix_ssl__unix.c
==============================================================================
--- head/mail/cclient/files/patch-src_osdep_unix_ssl__unix.c	Sat Mar  7 22:55:10 2020	(r527990)
+++ head/mail/cclient/files/patch-src_osdep_unix_ssl__unix.c	Sun Mar  8 00:48:45 2020	(r527991)
@@ -1,26 +1,59 @@
---- src/osdep/unix/ssl_unix.c.orig	2011-07-23 00:20:10 UTC
+Description: Support OpenSSL 1.1
+ When building with OpenSSL 1.1 and newer, use the new built-in
+ hostname verification instead of code that doesn't compile due to
+ structs having been made opaque.
+Bug-Debian: https://bugs.debian.org/828589
+
+Obtained from: https://sources.debian.org/data/main/u/uw-imap/8:2007f~dfsg-5/debian/patches/1006_openssl1.1_autoverify.patch
+--- src/osdep/unix/ssl_unix.c.orig
 +++ src/osdep/unix/ssl_unix.c
-@@ -270,9 +270,9 @@ static char *ssl_start_work (SSLSTREAM *
+@@ -227,8 +227,16 @@ static char *ssl_start_work (SSLSTREAM *
+ 				/* disable certificate validation? */
+   if (flags & NET_NOVALIDATECERT)
+     SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL);
+-  else SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify);
++  else {
++#if OPENSSL_VERSION_NUMBER >= 0x10100000      
++      X509_VERIFY_PARAM *param = SSL_CTX_get0_param(stream->context);
++      X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
++      X509_VERIFY_PARAM_set1_host(param, host, 0);
++#endif
++
++      SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify);
+ 				/* set default paths to CAs... */
++  }
+   SSL_CTX_set_default_verify_paths (stream->context);
+ 				/* ...unless a non-standard path desired */
+   if (s = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL))
+@@ -266,6 +274,7 @@ static char *ssl_start_work (SSLSTREAM *
+   if (SSL_write (stream->con,"",0) < 0)
+     return ssl_last_error ? ssl_last_error : "SSL negotiation failed";
+ 				/* need to validate host names? */
++#if OPENSSL_VERSION_NUMBER < 0x10100000
+   if (!(flags & NET_NOVALIDATECERT) &&
        (err = ssl_validate_cert (cert = SSL_get_peer_certificate (stream->con),
  				host))) {
- 				/* application callback */
--    if (scq) return (*scq) (err,host,cert ? cert->name : "???") ? NIL : "";
-+    if (scq) return (*scq) (err,host,cert ? X509_get_subject_name(cert) : "???") ? NIL : "";
- 				/* error message to return via mm_log() */
--    sprintf (tmp,"*%.128s: %.255s",err,cert ? cert->name : "???");
-+    sprintf (tmp,"*%.128s: %.255s",err,cert ? X509_get_subject_name(cert) : "???");
+@@ -275,6 +284,7 @@ static char *ssl_start_work (SSLSTREAM *
+     sprintf (tmp,"*%.128s: %.255s",err,cert ? cert->name : "???");
      return ssl_last_error = cpystr (tmp);
    }
++#endif
    return NIL;
-@@ -322,9 +322,9 @@ static char *ssl_validate_cert (X509 *ce
- 				/* make sure have a certificate */
-   if (!cert) ret = "No certificate from server";
- 				/* and that it has a name */
--  else if (!cert->name) ret = "No name in certificate";
-+  else if (!X509_get_subject_name(cert)) ret = "No name in certificate";
- 				/* locate CN */
--  else if (s = strstr (cert->name,"/CN=")) {
-+  else if (s = strstr (X509_get_subject_name(cert),"/CN=")) {
-     if (t = strchr (s += 4,'/')) *t = '\0';
- 				/* host name matches pattern? */
-     ret = ssl_compare_hostnames (host,s) ? NIL :
+ }
+ 
+@@ -313,6 +323,7 @@ static int ssl_open_verify (int ok,X509_
+  * Returns: NIL if validated, else string of error message
+  */
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10100000
+ static char *ssl_validate_cert (X509 *cert,char *host)
+ {
+   int i,n;
+@@ -342,6 +353,7 @@ static char *ssl_validate_cert (X509 *ce
+   else ret = "Unable to locate common name in certificate";
+   return ret;
+ }
++#endif
+ 
+ /* Case-independent wildcard pattern match
+  * Accepts: base string