fetchmail: use legacy certificate verification

beck's shiny new validator found its first victim. bluhm saw warnings from fetchmail's verify callback and once we investigated, it was quick to segfault since it doesn't bother to check return values. Failures are more visible to the callback than they previously were. Fixing this mess is more work than it's worth, so let it use the old garbage. with & ok beck, tested & ok bluhm
2020-09-14 15:14:55 +00:00 · 2020-09-14 15:14:55 +00:00 · 6ef422d1bd
commit 6ef422d1bd
parent 5c76c1d5b1
2 changed files with 28 additions and 2 deletions
--- a/mail/fetchmail/Makefile
+++ b/mail/fetchmail/Makefile
@ -1,9 +1,10 @@
-# $OpenBSD: Makefile,v 1.158 2020/09/13 19:01:23 tb Exp $
+# $OpenBSD: Makefile,v 1.159 2020/09/14 15:14:55 tb Exp $

 COMMENT=	mail retrieval utility for POP2, POP3, KPOP, IMAP and more

 DISTNAME=	fetchmail-6.4.12
 EXTRACT_SUFX=	.tar.xz
+REVISION=	0

 CATEGORIES=	mail
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=fetchmail/}
--- a/mail/fetchmail/patches/patch-socket_c
+++ b/mail/fetchmail/patches/patch-socket_c
@ -1,4 +1,4 @@
-$OpenBSD: patch-socket_c,v 1.12 2020/09/07 09:40:53 tb Exp $
+$OpenBSD: patch-socket_c,v 1.13 2020/09/14 15:14:55 tb Exp $

 Index: socket.c
 --- socket.c.orig
@ -12,3 +12,28 @@ Index: socket.c
 /* OSSL_proto_version_logic for OpenSSL 1.0.x and LibreSSL */
 static int OSSL10X_proto_version_logic(int sock, const char **myproto, int *avoid_ssl_versions)
 {
+@@ -1149,6 +1149,10 @@ int SSLOpen(int sock, char *mycert, char *mykey, const
+ 	/* Check which trusted X.509 CA certificate store(s) to load */
+ 	{
+ 		char *tmp;
+#if defined(X509_V_FLAG_LEGACY_VERIFY)
+		X509_VERIFY_PARAM *param;
+		int flags;
+#endif
+ 		int want_default_cacerts = 0;
+ 
+ 		/* Load user locations if any is given */
+@@ -1162,6 +1166,13 @@ int SSLOpen(int sock, char *mycert, char *mykey, const
+ 		if (want_default_cacerts || (tmp && tmp[0])) {
+ 			SSL_CTX_set_default_verify_paths(_ctx[sock]);
+ 		}
+#if defined(X509_V_FLAG_LEGACY_VERIFY)
+		if ((param = SSL_CTX_get0_param(_ctx[sock])) != NULL) {
+			flags = X509_VERIFY_PARAM_get_flags(param);
+			flags |= X509_V_FLAG_LEGACY_VERIFY;
+			X509_VERIFY_PARAM_set_flags(param, flags);
+		}
+#endif
+ 	}
+ 	
+ 	_ssl_context[sock] = SSL_new(_ctx[sock]);