imapproxy: use X509_VERIFY_PARAM_set1_host so it actually checks the

server cert
2021-03-17 15:05:50 +00:00 · 2021-03-17 15:05:50 +00:00 · 9f3e43a282
commit 9f3e43a282
parent f991775829
3 changed files with 58 additions and 2 deletions
--- a/mail/imapproxy/Makefile
+++ b/mail/imapproxy/Makefile
@ -1,9 +1,10 @@
-# $OpenBSD: Makefile,v 1.12 2021/03/16 17:44:52 sthen Exp $
+# $OpenBSD: Makefile,v 1.13 2021/03/17 15:05:50 sthen Exp $

 COMMENT=	caching IMAP proxy to be used with webmail clients

 DISTNAME=	squirrelmail-20210316_0200-SVN.imap_proxy
 PKGNAME=	imapproxy-1.2.8pre2021.02
+REVISION=	0
 WRKDIST=	${WRKDIR}/squirrelmail.imap_proxy

 CATEGORIES=	mail
--- a/mail/imapproxy/patches/patch-scripts_imapproxy_conf
+++ b/mail/imapproxy/patches/patch-scripts_imapproxy_conf
@ -1,4 +1,4 @@
-$OpenBSD: patch-scripts_imapproxy_conf,v 1.4 2021/03/16 17:44:52 sthen Exp $
+$OpenBSD: patch-scripts_imapproxy_conf,v 1.5 2021/03/17 15:05:50 sthen Exp $

 Index: scripts/imapproxy.conf
 --- scripts/imapproxy.conf.orig
@ -28,4 +28,22 @@ Index: scripts/imapproxy.conf
 +chroot_directory /var/empty
 
 
+ #
+@@ -213,12 +213,14 @@ enable_admin_commands no
+ #
+ ## TLS configuration options
+ #
+-#tls_ca_file /usr/share/ssl/certs/ca-bundle.crt
+tls_ca_file /etc/ssl/cert.pem
+ #tls_ca_path /usr/share/ssl/certs/
+tls_verify_server yes
+#tls_ciphers ALL:!aNULL:!eNULL
+
+## Client certificate options
+ #tls_cert_file /usr/share/ssl/certs/mycert.crt
+ #tls_key_file /usr/share/ssl/certs/mycert.key
+-#tls_verify_server no
+-#tls_ciphers ALL:!aNULL:!eNULL
+ 
+ 
 #
--- a/mail/imapproxy/patches/patch-src_imapcommon_c
+++ b/mail/imapproxy/patches/patch-src_imapcommon_c
@ -0,0 +1,37 @@
+$OpenBSD: patch-src_imapcommon_c,v 1.1 2021/03/17 15:05:50 sthen Exp $
+
+Index: src/imapcommon.c
+--- src/imapcommon.c.orig
+++ src/imapcommon.c
+@@ -169,6 +169,7 @@ extern ProxyConfig_Struct PC_Struct;
+ static int send_queued_preauth_commands( char *, ITD_Struct * );
+ 
+ #if HAVE_LIBSSL
+#include <openssl/x509v3.h>
+ extern SSL_CTX *tls_ctx;
+ 
+ /*++
+@@ -369,6 +370,7 @@ extern void UnLockMutex( pthread_mutex_t *mutex )
+ extern int Attempt_STARTTLS( ITD_Struct *Server )
+ {
+     char *fn = "Attempt_STARTTLS()";
+    X509_VERIFY_PARAM *param = NULL;
+ 
+     unsigned int BufLen = BUFSIZE - 1;
+     char SendBuf[BUFSIZE];
+@@ -467,6 +469,15 @@ extern int Attempt_STARTTLS( ITD_Struct *Server )
+ 	{
+ 	    syslog(LOG_INFO,
+ 		    "STARTTLS failed: SSL_set_fd() failed: %d",
+		    SSL_get_error( Server->conn->tls, rc ) );
+	    goto fail;
+	}
+
+	param = SSL_get0_param(Server->conn->tls);
+	X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+	if (!X509_VERIFY_PARAM_set1_host(param, PC_Struct.server_hostname, 0)) {
+	    syslog(LOG_INFO,
+		    "STARTTLS failed: !X509_VERIFY_PARAM_set1_host() failed: %d",
+ 		    SSL_get_error( Server->conn->tls, rc ) );
+ 	    goto fail;
+ 	}