From 6ef422d1bd3241d3ebfc92bfa7795113432d8403 Mon Sep 17 00:00:00 2001
From: tb
Date: Mon, 14 Sep 2020 15:14:55 +0000
Subject: [PATCH] fetchmail: use legacy certificate verification

beck's shiny new validator found its first victim. bluhm saw warnings from fetchmail's verify callback and once we investigated, it was quick to segfault since it doesn't bother to check return values. Failures are more visible to the callback than they previously were. Fixing this mess is more work than it's worth, so let it use the old garbage.

with & ok beck, tested & ok bluhm
---
 mail/fetchmail/Makefile               |  3 ++-
 mail/fetchmail/patches/patch-socket_c | 27 ++++++++++++++++++++++++++-
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/mail/fetchmail/Makefile b/mail/fetchmail/Makefile
index bce4304b6ff..b8d81605b0e 100644
--- a/mail/fetchmail/Makefile
+++ b/mail/fetchmail/Makefile
@@ -1,9 +1,10 @@
-# $OpenBSD: Makefile,v 1.158 2020/09/13 19:01:23 tb Exp $
+# $OpenBSD: Makefile,v 1.159 2020/09/14 15:14:55 tb Exp $
 
 COMMENT= mail retrieval utility for POP2, POP3, KPOP, IMAP and more
 
 DISTNAME= fetchmail-6.4.12
 EXTRACT_SUFX= .tar.xz
+REVISION= 0
 
 CATEGORIES= mail
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=fetchmail/}
diff --git a/mail/fetchmail/patches/patch-socket_c b/mail/fetchmail/patches/patch-socket_c
index fab6f64afbe..39c60624528 100644
--- a/mail/fetchmail/patches/patch-socket_c
+++ b/mail/fetchmail/patches/patch-socket_c
@@ -1,4 +1,4 @@
-$OpenBSD: patch-socket_c,v 1.12 2020/09/07 09:40:53 tb Exp $
+$OpenBSD: patch-socket_c,v 1.13 2020/09/14 15:14:55 tb Exp $
 
 Index: socket.c
 --- socket.c.orig
@@ -12,3 +12,28 @@ Index: socket.c
  /* OSSL_proto_version_logic for OpenSSL 1.0.x and LibreSSL */
  static int OSSL10X_proto_version_logic(int sock, const char **myproto, int *avoid_ssl_versions)
  {
+@@ -1149,6 +1149,10 @@ int SSLOpen(int sock, char *mycert, char *mykey, const
+ /* Check which trusted X.509 CA certificate store(s) to load */
+ {
+ char *tmp;
++#if defined(X509_V_FLAG_LEGACY_VERIFY)
++ X509_VERIFY_PARAM *param;
++ int flags;
++#endif
+ int want_default_cacerts = 0;
+ 
+ /* Load user locations if any is given */
+@@ -1162,6 +1166,13 @@ int SSLOpen(int sock, char *mycert, char *mykey, const
+ if (want_default_cacerts || (tmp && tmp[0])) {
+ SSL_CTX_set_default_verify_paths(_ctx[sock]);
+ }
++#if defined(X509_V_FLAG_LEGACY_VERIFY)
++ if ((param = SSL_CTX_get0_param(_ctx[sock])) != NULL) {
++ flags = X509_VERIFY_PARAM_get_flags(param);
++ flags |= X509_V_FLAG_LEGACY_VERIFY;
++ X509_VERIFY_PARAM_set_flags(param, flags);
++ }
++#endif
+ }
+ 
+ _ssl_context[sock] = SSL_new(_ctx[sock]);
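Review bot: `int flags;` in the declaration block added at `+@@ -1149` does not match the X509_VERIFY_PARAM API: `X509_VERIFY_PARAM_get_flags()` returns `unsigned long` and `X509_VERIFY_PARAM_set_flags()` takes one, so the flag word is narrowed to `int` and widened back, which only stays harmless while no flag bit at or above bit 31 is in use; declare `unsigned long flags;` to match the API. Opting into the legacy chain verifier is a deliberate downgrade of certificate validation whose reason lives only in the commit message, so it should be recorded next to the `#if defined(X509_V_FLAG_LEGACY_VERIFY)` block at `+@@ -1162`, e.g. `/* Force the legacy verifier: fetchmail's verify callback does not check return values and crashes on the new validator's failure reporting. */`. The status returned by `X509_VERIFY_PARAM_set_flags()` is discarded, so if it ever failed the connection would silently stay on the new validator; that is presumably acceptable as best effort, but worth a one-line comment saying so. The patched function SSLOpen starts and ends outside both inner hunks.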