mirror of
https://github.com/crazywhalecc/static-php-cli.git
synced 2026-07-08 01:15:37 +08:00
add imap support
This commit is contained in:
58
src/globals/patch/1006_openssl1.1_autoverify.patch
Normal file
58
src/globals/patch/1006_openssl1.1_autoverify.patch
Normal file
@@ -0,0 +1,58 @@
|
||||
Description: Support OpenSSL 1.1
|
||||
When building with OpenSSL 1.1 and newer, use the new built-in
|
||||
hostname verification instead of code that doesn't compile due to
|
||||
structs having been made opaque.
|
||||
Bug-Debian: https://bugs.debian.org/828589
|
||||
|
||||
--- a/src/osdep/unix/ssl_unix.c
|
||||
+++ b/src/osdep/unix/ssl_unix.c
|
||||
@@ -227,8 +227,16 @@ static char *ssl_start_work (SSLSTREAM *
|
||||
/* disable certificate validation? */
|
||||
if (flags & NET_NOVALIDATECERT)
|
||||
SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL);
|
||||
- else SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify);
|
||||
+ else {
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
|
||||
+ X509_VERIFY_PARAM *param = SSL_CTX_get0_param(stream->context);
|
||||
+ X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
|
||||
+ X509_VERIFY_PARAM_set1_host(param, host, 0);
|
||||
+#endif
|
||||
+
|
||||
+ SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify);
|
||||
/* set default paths to CAs... */
|
||||
+ }
|
||||
SSL_CTX_set_default_verify_paths (stream->context);
|
||||
/* ...unless a non-standard path desired */
|
||||
if (s = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL))
|
||||
@@ -266,6 +274,7 @@ static char *ssl_start_work (SSLSTREAM *
|
||||
if (SSL_write (stream->con,"",0) < 0)
|
||||
return ssl_last_error ? ssl_last_error : "SSL negotiation failed";
|
||||
/* need to validate host names? */
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000
|
||||
if (!(flags & NET_NOVALIDATECERT) &&
|
||||
(err = ssl_validate_cert (cert = SSL_get_peer_certificate (stream->con),
|
||||
host))) {
|
||||
@@ -275,6 +284,7 @@ static char *ssl_start_work (SSLSTREAM *
|
||||
sprintf (tmp,"*%.128s: %.255s",err,cert ? cert->name : "???");
|
||||
return ssl_last_error = cpystr (tmp);
|
||||
}
|
||||
+#endif
|
||||
return NIL;
|
||||
}
|
||||
|
||||
@@ -313,6 +323,7 @@ static int ssl_open_verify (int ok,X509_
|
||||
* Returns: NIL if validated, else string of error message
|
||||
*/
|
||||
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000
|
||||
static char *ssl_validate_cert (X509 *cert,char *host)
|
||||
{
|
||||
int i,n;
|
||||
@@ -342,6 +353,7 @@ static char *ssl_validate_cert (X509 *ce
|
||||
else ret = "Unable to locate common name in certificate";
|
||||
return ret;
|
||||
}
|
||||
+#endif
|
||||
|
||||
/* Case-independent wildcard pattern match
|
||||
* Accepts: base string
|
||||
42
src/globals/patch/2014_openssl1.1.1_sni.patch
Normal file
42
src/globals/patch/2014_openssl1.1.1_sni.patch
Normal file
@@ -0,0 +1,42 @@
|
||||
Bug-Debian: https://bugs.debian.org/916041
|
||||
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1834340
|
||||
Description:
|
||||
Google IMAP servers require SNI if TLSv1.3 is used,
|
||||
otherwise it sends a self-signed certificate which
|
||||
fails validation.
|
||||
|
||||
OpenSSL support/versions:
|
||||
- TLSv1.3 on 1.1.1,
|
||||
- a2i_IPADDRESS() on 0.9.8'ish,
|
||||
- SSL_set_tlsext_host_name() on 0.9.8'ish/1.0.0;
|
||||
per 'git blame/describe' and the CHANGES file.
|
||||
|
||||
So check for TLSv1.3 support / OpenSSL 1.1.1
|
||||
not to incur behavior changes on pre-TLSv1.3,
|
||||
and set host_name to 'host' (ssl_open_verify()
|
||||
validates this, via 'ssl_last_host' variable)
|
||||
|
||||
This patch just combines these two patches:
|
||||
- BTS#916041 (message #5) by Ed Spiridonov,
|
||||
- LP#1834340 (comment #6) by David Zuelke.
|
||||
Author: Mauricio Faria de Oliveira <mfo@canonical.com>
|
||||
|
||||
Index: uw-imap-2007f~dfsg/src/osdep/unix/ssl_unix.c
|
||||
===================================================================
|
||||
--- uw-imap-2007f~dfsg.orig/src/osdep/unix/ssl_unix.c
|
||||
+++ uw-imap-2007f~dfsg/src/osdep/unix/ssl_unix.c
|
||||
@@ -266,6 +266,14 @@ static char *ssl_start_work (SSLSTREAM *
|
||||
/* create connection */
|
||||
if (!(stream->con = (SSL *) SSL_new (stream->context)))
|
||||
return "SSL connection failed";
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x10101000
|
||||
+ /* Use SNI in case server requires it with TLSv1.3.
|
||||
+ * Literal IP addresses not permitted per RFC 6066. */
|
||||
+ if (!a2i_IPADDRESS(host)) {
|
||||
+ ERR_clear_error();
|
||||
+ SSL_set_tlsext_host_name(stream->con,host);
|
||||
+ }
|
||||
+#endif
|
||||
bio = BIO_new_socket (stream->tcpstream->tcpsi,BIO_NOCLOSE);
|
||||
SSL_set_bio (stream->con,bio,bio);
|
||||
SSL_set_connect_state (stream->con);
|
||||
Reference in New Issue
Block a user