On Wed, 2019-07-03 at 11:38 +0100, Luca Boccassi wrote: > On Mon, 17 Jun 2019 11:39:13 +0100 Luca Boccassi < > bl...@debian.org > > > wrote: > > On Tue, 9 Apr 2019 15:52:52 +0200 Sylvain Beucler < > > > > b...@beuc.net > > > > > wrote: > > > Package: evolution-ews > > > Version: 3.30.5-1 > > > X-Debbugs-CC: > > t...@security.debian.org > > > > > Severity: grave > > > Tags: security > > > > > > Hi, > > > > > > The following vulnerability was published for evolution-ews. > > > > > > CVE-2019-3890[0]: > > > No description was found (try on a search engine) > > > > > > If you fix the vulnerability please also make sure to include the > > > CVE (Common Vulnerabilities & Exposures) id in your changelog > > entry. > > > For further information see: > > > > > > [0] > > https://security-tracker.debian.org/tracker/CVE-2019-3890 > > > > > > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3890 > > > > https://gitlab.gnome.org/GNOME/evolution-ews/issues/27 > > > > https://gitlab.gnome.org/GNOME/evolution-ews/issues/36 > > > > https://bugzilla.redhat.com/show_bug.cgi?id=1678313 > > > > > Note: depends on evolution-data-server patch > > > > > > Cheers! > > > Sylvain Beucler / Debian LTS > > > > Dear Maintainers, > > > > I have backported the required patches and tested them on Buster, > > they > > seem to work fine. > > > > I have opened PRs against the 2 repos on Salsa, but they both > > require > > a > > new debian/buster branch to be created as debian/master has moved > > on > > to > > new releases: > > > > > > https://salsa.debian.org/gnome-team/evolution-data-server/merge_requests/1 > > > > https://salsa.debian.org/gnome-team/evolution-ews/merge_requests/2 > > > > It would be great if we could have evolution-ews in Buster, as it's > > the > > only way to use exchange/o365 for Debian users. > > > > Thanks! > > Dear Maintainers, > > As things stand, Buster users will have no way to use a GUI email > client with an Exchange/OWA/O365 email server. They will have to stay > on Stretch and completely skip Buster, or move to a different > distribution. If they were to upgrade from Stretch to Buster, their > email accounts would simply disappear from their evolution instances, > without any explanation nor warning. > > I'd like to propose to upload the changes mentioned above to > unstable, > let them migrate to Bullseye and then upload to buster-backports, so > that users on Buster have at least that path to avoid breaking this > functionality. This needs to be done before 3.32 moved from > experimental to unstable of course. > > I'd be more than happy to do all of the above work via NMUs. The > evolution-data-server change is backward compatible and does not > require a rebuild of reverse dependencies. Are there any objections > to > this idea? > > Thank you!
Dear Maintainers, Uploaders and Gnome Team, As mentioned in the previous mail, I intend to upload to DELAYED/7 NMUs for evolution-data-server and evolution-ews on Friday afternoon (GMT- ish). I am attaching the debdiffs for both. Please let me know if there are any objections. If there are no objections and the NMUs are not cancelled and make it to unstable, and then migrate to bullseye, I then intend to upload the equivalent ~bpo binary NMUs to buster-backports. This way, stretch users that enabled buster-backports before the dist upgrade should have an upgrade path that allows them not to lose their inboxes, calendars and so on. Thank you! -- Kind regards, Luca Boccassi
diff -Nru evolution-data-server-3.30.5/debian/changelog evolution-data-server-3.30.5/debian/changelog --- evolution-data-server-3.30.5/debian/changelog 2019-02-04 13:14:07.000000000 +0000 +++ evolution-data-server-3.30.5/debian/changelog 2019-07-09 14:52:09.000000000 +0100 @@ -1,3 +1,11 @@ +evolution-data-server (3.30.5-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Backport Let-child-source-with-none-authentication-method-use.patch. + Necessary to fix #926712 (CVE-2019-3890) in evolution-ews + + -- Luca Boccassi <bl...@debian.org> Tue, 09 Jul 2019 14:52:09 +0100 + evolution-data-server (3.30.5-1) unstable; urgency=medium * New upstream release diff -Nru evolution-data-server-3.30.5/debian/patches/Let-child-source-with-none-authentication-method-use.patch evolution-data-server-3.30.5/debian/patches/Let-child-source-with-none-authentication-method-use.patch --- evolution-data-server-3.30.5/debian/patches/Let-child-source-with-none-authentication-method-use.patch 1970-01-01 01:00:00.000000000 +0100 +++ evolution-data-server-3.30.5/debian/patches/Let-child-source-with-none-authentication-method-use.patch 2019-06-17 10:46:30.000000000 +0100 @@ -0,0 +1,23 @@ +Author: Milan Crha <mc...@redhat.com> +Description: Let child source with 'none' authentication method use collection source authentication + That might be the same as having set NULL authentication method. +Bug: https://gitlab.gnome.org/GNOME/evolution-ews/issues/27 +Bug-Debian: https://bugs.debian.org/926712 +Origin: upstream, https://gitlab.gnome.org/GNOME/evolution-data-server/commit/6672b8236139bd6ef41ecb915f4c72e2a052dba5 +--- a/src/libedataserver/e-data-server-util.c ++++ b/src/libedataserver/e-data-server-util.c +@@ -3232,11 +3232,13 @@ + if (can_use_collection) { + gchar *method_source, *method_collection; + +- /* Also check the method; if different, then rather not use the collection */ ++ /* Also check the method; if different, then rather not use the collection. ++ Consider 'none' method on the child as the same as the collection method. */ + method_source = e_source_authentication_dup_method (auth_source); + method_collection = e_source_authentication_dup_method (auth_collection); + + can_use_collection = !method_source || !method_collection || ++ g_ascii_strcasecmp (method_source, "none") == 0 || + g_ascii_strcasecmp (method_source, method_collection) == 0; + + g_free (method_source); diff -Nru evolution-data-server-3.30.5/debian/patches/series evolution-data-server-3.30.5/debian/patches/series --- evolution-data-server-3.30.5/debian/patches/series 2019-02-04 13:14:07.000000000 +0000 +++ evolution-data-server-3.30.5/debian/patches/series 2019-06-17 10:46:30.000000000 +0100 @@ -1,2 +1,3 @@ 01-noinst-libedbus-private.patch ubuntu_gettext_domain.patch +Let-child-source-with-none-authentication-method-use.patch
diff -Nru evolution-ews-3.30.5/debian/changelog evolution-ews-3.30.5/debian/changelog
--- evolution-ews-3.30.5/debian/changelog 2019-02-04 13:39:09.000000000 +0000
+++ evolution-ews-3.30.5/debian/changelog 2019-04-02 17:56:27.000000000 +0100
@@ -1,3 +1,13 @@
+evolution-ews (3.30.5-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Backport patch to fix Office365 with OAuth2 (Closes: #926249)
+ * Backport patch to fix CVE-2019-3890 - SSL certificates not being validated
+ before use. Bump dependency on libedataserver1.2-dev to >= 3.30.5-1.1~ as
+ the fix requires a change in that library. (Closes: #926712)
+
+ -- Luca Boccassi <bl...@debian.org> Tue, 02 Apr 2019 17:56:27 +0100
+
evolution-ews (3.30.5-1) unstable; urgency=medium
* New upstream release
diff -Nru evolution-ews-3.30.5/debian/control evolution-ews-3.30.5/debian/control
--- evolution-ews-3.30.5/debian/control 2019-02-04 13:39:09.000000000 +0000
+++ evolution-ews-3.30.5/debian/control 2019-04-02 17:56:27.000000000 +0100
@@ -14,7 +14,7 @@
evolution-dev (>= 3.30.5),
evolution-data-server-dev (>= 3.30.5),
libcamel1.2-dev (>= 3.30.5),
- libedataserver1.2-dev (>= 3.30.5),
+ libedataserver1.2-dev (>= 3.30.5-1.1~),
libebackend1.2-dev (>= 3.30.5),
libecal1.2-dev (>= 3.30.5),
libedata-cal1.2-dev (>= 3.30.5),
diff -Nru evolution-ews-3.30.5/debian/control.in evolution-ews-3.30.5/debian/control.in
--- evolution-ews-3.30.5/debian/control.in 2019-02-04 13:39:09.000000000 +0000
+++ evolution-ews-3.30.5/debian/control.in 2019-04-02 17:56:27.000000000 +0100
@@ -10,7 +10,7 @@
evolution-dev (>= 3.30.5),
evolution-data-server-dev (>= 3.30.5),
libcamel1.2-dev (>= 3.30.5),
- libedataserver1.2-dev (>= 3.30.5),
+ libedataserver1.2-dev (>= 3.30.5-1.1~),
libebackend1.2-dev (>= 3.30.5),
libecal1.2-dev (>= 3.30.5),
libedata-cal1.2-dev (>= 3.30.5),
diff -Nru evolution-ews-3.30.5/debian/patches/0001-Do-not-pass-scope-parameter-in-OAuth2-requests.patch evolution-ews-3.30.5/debian/patches/0001-Do-not-pass-scope-parameter-in-OAuth2-requests.patch
--- evolution-ews-3.30.5/debian/patches/0001-Do-not-pass-scope-parameter-in-OAuth2-requests.patch 1970-01-01 01:00:00.000000000 +0100
+++ evolution-ews-3.30.5/debian/patches/0001-Do-not-pass-scope-parameter-in-OAuth2-requests.patch 2019-04-02 17:56:27.000000000 +0100
@@ -0,0 +1,49 @@
+Author: Luca Boccassi <luca.bocca...@microsoft.com>
+Description: do not pass 'scope' parameter in OAuth2 requests on outlook.office365.com server
+ It is optional and can cause errors like:
+ error:invalid_request description:AADSTS65002:
+ Consent between first party applications and resources must be
+ configured via preauthorization.
+Bug-Debian: https://bugs.debian.org/926249
+Origin: https://gitlab.gnome.org/GNOME/evolution-ews/merge_requests/1
+Applied-upstream: https://gitlab.gnome.org/GNOME/evolution-ews/commit/8dafe925c30e2a2bc53578076eb5710b18eedd42
+--- a/src/server/e-oauth2-service-office365.c
++++ b/src/server/e-oauth2-service-office365.c
+@@ -30,21 +30,6 @@
+
+ #define OFFICE365_RESOURCE "https://outlook.office.com";
+
+-#define OFFICE365_SCOPE "openid offline_access profile " \
+- "Mail.ReadWrite " \
+- "Mail.ReadWrite.Shared " \
+- "Mail.Send " \
+- "Mail.Send.Shared " \
+- "Calendars.ReadWrite " \
+- "Calendars.ReadWrite.Shared " \
+- "Contacts.ReadWrite " \
+- "Contacts.ReadWrite.Shared " \
+- "Tasks.ReadWrite " \
+- "Tasks.ReadWrite.Shared " \
+- "MailboxSettings.ReadWrite " \
+- "People.Read " \
+- "User.ReadBasic.All"
+-
+ struct _EOAuth2ServiceOffice365Private
+ {
+ GMutex string_cache_lock;
+@@ -253,7 +238,6 @@
+
+ e_oauth2_service_util_set_to_form (uri_query, "response_mode", "query");
+ e_oauth2_service_util_set_to_form (uri_query, "prompt", "login");
+- e_oauth2_service_util_set_to_form (uri_query, "scope", OFFICE365_SCOPE);
+ e_oauth2_service_util_set_to_form (uri_query, "resource", OFFICE365_RESOURCE);
+ }
+
+@@ -321,7 +305,6 @@
+ {
+ g_return_if_fail (form != NULL);
+
+- e_oauth2_service_util_set_to_form (form, "scope", OFFICE365_SCOPE);
+ e_oauth2_service_util_set_to_form (form, "resource", OFFICE365_RESOURCE);
+ e_oauth2_service_util_set_to_form (form, "redirect_uri", e_oauth2_service_get_redirect_uri (service, source));
+ }
diff -Nru evolution-ews-3.30.5/debian/patches/0001-I-27-SSL-Certificates-are-not-validated.patch evolution-ews-3.30.5/debian/patches/0001-I-27-SSL-Certificates-are-not-validated.patch
--- evolution-ews-3.30.5/debian/patches/0001-I-27-SSL-Certificates-are-not-validated.patch 1970-01-01 01:00:00.000000000 +0100
+++ evolution-ews-3.30.5/debian/patches/0001-I-27-SSL-Certificates-are-not-validated.patch 2019-04-02 17:56:27.000000000 +0100
@@ -0,0 +1,777 @@
+Author: Milan Crha <mc...@redhat.com>
+Description: SSL Certificates are not validated
+ This depends on https://gitlab.gnome.org/GNOME/evolution-data-server/commit/6672b8236139bd6ef41ecb915f4c72e2a052dba5 too.
+Bug: https://gitlab.gnome.org/GNOME/evolution-ews/issues/27
+Bug-Debian: https://bugs.debian.org/926712
+Origin: upstream, https://gitlab.gnome.org/GNOME/evolution-ews/commit/915226eca9454b8b3e5adb6f2fff9698451778de
+--- a/src/addressbook/e-book-backend-ews.c
++++ b/src/addressbook/e-book-backend-ews.c
+@@ -3241,7 +3241,8 @@
+ bbews->priv->cnc, "proxy-resolver",
+ G_BINDING_SYNC_CREATE);
+
+- *out_auth_result = e_ews_connection_try_credentials_sync (bbews->priv->cnc, credentials, cancellable, error);
++ *out_auth_result = e_ews_connection_try_credentials_sync (bbews->priv->cnc, credentials, NULL,
++ out_certificate_pem, out_certificate_errors, cancellable, error);
+
+ if (*out_auth_result == E_SOURCE_AUTHENTICATION_ACCEPTED) {
+ ESource *source = e_backend_get_source (E_BACKEND (bbews));
+--- a/src/calendar/e-cal-backend-ews.c
++++ b/src/calendar/e-cal-backend-ews.c
+@@ -1502,7 +1502,8 @@
+ cbews->priv->cnc, "proxy-resolver",
+ G_BINDING_SYNC_CREATE);
+
+- *out_auth_result = e_ews_connection_try_credentials_sync (cbews->priv->cnc, credentials, cancellable, error);
++ *out_auth_result = e_ews_connection_try_credentials_sync (cbews->priv->cnc, credentials, NULL,
++ out_certificate_pem, out_certificate_errors, cancellable, error);
+
+ if (*out_auth_result == E_SOURCE_AUTHENTICATION_ACCEPTED) {
+ ESource *source = e_backend_get_source (E_BACKEND (cbews));
+--- a/src/camel/camel-ews-store.c
++++ b/src/camel/camel-ews-store.c
+@@ -1831,6 +1831,8 @@
+ const gchar *password;
+ gchar *hosturl;
+ gchar *old_sync_state = NULL, *new_sync_state = NULL;
++ gchar *certificate_pem = NULL;
++ GTlsCertificateFlags certificate_errors = 0;
+ GError *local_error = NULL;
+
+ ews_store = CAMEL_EWS_STORE (service);
+@@ -1967,6 +1969,18 @@
+
+ g_slist_free_full (created_folder_ids, g_free);
+
++ if (g_error_matches (local_error, SOUP_HTTP_ERROR, SOUP_STATUS_SSL_FAILED) &&
++ e_ews_connection_get_ssl_error_details (connection, &certificate_pem, &certificate_errors)) {
++ source = e_ews_connection_get_source (connection);
++
++ if (source) {
++ e_source_emit_credentials_required (source, E_SOURCE_CREDENTIALS_REASON_SSL_FAILED,
++ certificate_pem, certificate_errors, local_error);
++ }
++
++ g_free (certificate_pem);
++ }
++
+ if (local_error == NULL) {
+ result = CAMEL_AUTHENTICATION_ACCEPTED;
+ } else if (g_error_matches (local_error, EWS_CONNECTION_ERROR, EWS_CONNECTION_ERROR_AUTHENTICATION_FAILED)) {
+--- a/src/collection/e-ews-backend.c
++++ b/src/collection/e-ews-backend.c
+@@ -727,6 +727,15 @@
+ /* Reset the connectable, it steals data from Authentication extension,
+ where is written incorrect address */
+ e_backend_set_connectable (backend, NULL);
++
++ /* Eventually unset temporary SSL trust, but only once, when the process started.
++ It might bee too often anywhere lease (like in the authenticate callback) */
++ if (e_source_has_extension (source, E_SOURCE_EXTENSION_WEBDAV_BACKEND)) {
++ ESourceWebdav *webdav_extension;
++
++ webdav_extension = e_source_get_extension (source, E_SOURCE_EXTENSION_WEBDAV_BACKEND);
++ e_source_webdav_unset_temporary_ssl_trust (webdav_extension);
++ }
+ }
+
+ static void
+@@ -930,7 +939,7 @@
+ }
+
+ if (!success) {
+- connection = e_ews_backend_ref_connection_sync (E_EWS_BACKEND (backend), NULL, cancellable, error);
++ connection = e_ews_backend_ref_connection_sync (E_EWS_BACKEND (backend), NULL, NULL, NULL, cancellable, error);
+ if (connection == NULL)
+ return FALSE;
+
+@@ -1037,7 +1046,7 @@
+ const gchar *extension_name;
+ gboolean success = FALSE;
+
+- connection = e_ews_backend_ref_connection_sync (E_EWS_BACKEND (backend), NULL, cancellable, error);
++ connection = e_ews_backend_ref_connection_sync (E_EWS_BACKEND (backend), NULL, NULL, NULL, cancellable, error);
+ if (connection == NULL)
+ return FALSE;
+
+@@ -1142,7 +1151,7 @@
+ ews_backend->priv->credentials = e_named_parameters_new_clone (credentials);
+ g_mutex_unlock (&ews_backend->priv->connection_lock);
+
+- connection = e_ews_backend_ref_connection_sync (ews_backend, &result, cancellable, error);
++ connection = e_ews_backend_ref_connection_sync (ews_backend, &result, out_certificate_pem, out_certificate_errors, cancellable, error);
+ g_clear_object (&connection);
+
+ if (result == E_SOURCE_AUTHENTICATION_ACCEPTED) {
+@@ -1223,7 +1232,7 @@
+ EEwsConnection *connection;
+ GError *error = NULL;
+
+- connection = e_ews_backend_ref_connection_sync (E_EWS_BACKEND (object), NULL, cancellable, &error);
++ connection = e_ews_backend_ref_connection_sync (E_EWS_BACKEND (object), NULL, NULL, NULL, cancellable, &error);
+
+ /* Sanity check. */
+ g_return_if_fail (
+@@ -1241,6 +1250,8 @@
+ EEwsConnection *
+ e_ews_backend_ref_connection_sync (EEwsBackend *backend,
+ ESourceAuthenticationResult *result,
++ gchar **out_certificate_pem,
++ GTlsCertificateFlags *out_certificate_errors,
+ GCancellable *cancellable,
+ GError **error)
+ {
+@@ -1272,7 +1283,8 @@
+ connection, "proxy-resolver",
+ G_BINDING_SYNC_CREATE);
+
+- local_result = e_ews_connection_try_credentials_sync (connection, backend->priv->credentials, cancellable, error);
++ local_result = e_ews_connection_try_credentials_sync (connection, backend->priv->credentials, NULL,
++ out_certificate_pem, out_certificate_errors, cancellable, error);
+ if (result)
+ *result = local_result;
+
+@@ -1413,7 +1425,7 @@
+ return TRUE;
+ }
+
+- connection = e_ews_backend_ref_connection_sync (backend, NULL, cancellable, error);
++ connection = e_ews_backend_ref_connection_sync (backend, NULL, NULL, NULL, cancellable, error);
+
+ if (connection == NULL) {
+ backend->priv->need_update_folders = TRUE;
+--- a/src/collection/e-ews-backend.h
++++ b/src/collection/e-ews-backend.h
+@@ -63,6 +63,8 @@
+ e_ews_backend_ref_connection_sync
+ (EEwsBackend *backend,
+ ESourceAuthenticationResult *result,
++ gchar **out_certificate_pem,
++ GTlsCertificateFlags *out_certificate_errors,
+ GCancellable *cancellable,
+ GError **error);
+ void e_ews_backend_ref_connection (EEwsBackend *backend,
+--- a/src/configuration/e-ews-config-lookup.c
++++ b/src/configuration/e-ews-config-lookup.c
+@@ -344,9 +344,54 @@
+
+ if (password) {
+ const gchar *servers;
++ gchar *certificate_host = NULL;
++ gchar *certificate_pem = NULL;
++ GTlsCertificateFlags certificate_errors = 0;
++ GError *local_error = NULL;
++
++ if (e_named_parameters_exists (params, E_CONFIG_LOOKUP_PARAM_CERTIFICATE_PEM) &&
++ e_named_parameters_exists (params, E_CONFIG_LOOKUP_PARAM_CERTIFICATE_TRUST) &&
++ e_named_parameters_exists (params, E_CONFIG_LOOKUP_PARAM_CERTIFICATE_HOST)) {
++ GTlsCertificate *certificate;
++ const gchar *param_certificate_pem;
++
++ param_certificate_pem = e_named_parameters_get (params, E_CONFIG_LOOKUP_PARAM_CERTIFICATE_PEM);
++ certificate = g_tls_certificate_new_from_pem (param_certificate_pem, -1, NULL);
++
++ if (certificate) {
++ ETrustPromptResponse trust_response;
++
++ trust_response = e_config_lookup_decode_certificate_trust (
++ e_named_parameters_get (params, E_CONFIG_LOOKUP_PARAM_CERTIFICATE_TRUST));
++
++ if (trust_response != E_TRUST_PROMPT_RESPONSE_UNKNOWN) {
++ ESourceWebdav *webdav_extension;
++
++ webdav_extension = e_source_get_extension (source, E_SOURCE_EXTENSION_WEBDAV_BACKEND);
++ e_source_webdav_update_ssl_trust (webdav_extension,
++ e_named_parameters_get (params, E_CONFIG_LOOKUP_PARAM_CERTIFICATE_HOST),
++ certificate, trust_response);
++ }
++
++ g_object_unref (certificate);
++ }
++ }
+
+- if (e_ews_autodiscover_ws_url_sync (source, ews_settings, email_address, password, cancellable, NULL)) {
++ if (e_ews_autodiscover_ws_url_sync (source, ews_settings, email_address, password, &certificate_pem, &certificate_errors, cancellable, &local_error)) {
+ ews_config_lookup_worker_result_from_settings (lookup_worker, config_lookup, email_address, ews_settings, params);
++ } else if (g_error_matches (local_error, SOUP_HTTP_ERROR, SOUP_STATUS_SSL_FAILED)) {
++ const gchar *hosturl;
++ SoupURI *suri;
++
++ hosturl = camel_ews_settings_get_hosturl (ews_settings);
++ suri = soup_uri_new (hosturl);
++ if (suri) {
++ certificate_host = g_strdup (soup_uri_get_host (suri));
++
++ soup_uri_free (suri);
++ }
++ } else {
++ g_clear_error (&local_error);
+ }
+
+ servers = e_named_parameters_get (params, E_CONFIG_LOOKUP_PARAM_SERVERS);
+@@ -357,7 +402,7 @@
+
+ servers_strv = g_strsplit (servers, ";", 0);
+
+- for (ii = 0; servers_strv && servers_strv[ii] && !g_cancellable_is_cancelled (cancellable); ii++) {
++ for (ii = 0; servers_strv && servers_strv[ii] && !g_cancellable_is_cancelled (cancellable) && !local_error; ii++) {
+ const gchar *server = servers_strv[ii];
+ gchar *tmp = NULL;
+
+@@ -368,8 +413,21 @@
+
+ camel_ews_settings_set_hosturl (ews_settings, server);
+
+- if (e_ews_autodiscover_ws_url_sync (source, ews_settings, email_address, password, cancellable, NULL)) {
++ if (e_ews_autodiscover_ws_url_sync (source, ews_settings, email_address, password, &certificate_pem, &certificate_errors, cancellable, &local_error)) {
+ ews_config_lookup_worker_result_from_settings (lookup_worker, config_lookup, email_address, ews_settings, params);
++ } else if (g_error_matches (local_error, SOUP_HTTP_ERROR, SOUP_STATUS_SSL_FAILED)) {
++ const gchar *hosturl;
++ SoupURI *suri;
++
++ hosturl = camel_ews_settings_get_hosturl (ews_settings);
++ suri = soup_uri_new (hosturl);
++ if (suri) {
++ certificate_host = g_strdup (soup_uri_get_host (suri));
++
++ soup_uri_free (suri);
++ }
++ } else {
++ g_clear_error (&local_error);
+ }
+
+ g_free (tmp);
+@@ -378,7 +436,31 @@
+ g_strfreev (servers_strv);
+ }
+
+- if (out_restart_params)
++ if (g_error_matches (local_error, SOUP_HTTP_ERROR, SOUP_STATUS_SSL_FAILED) &&
++ certificate_pem && *certificate_pem && certificate_errors) {
++ gchar *description = e_trust_prompt_describe_certificate_errors (certificate_errors);
++
++ if (description) {
++ g_set_error_literal (error, E_CONFIG_LOOKUP_WORKER_ERROR,
++ E_CONFIG_LOOKUP_WORKER_ERROR_CERTIFICATE, description);
++
++ g_free (description);
++
++ if (out_restart_params) {
++ if (!*out_restart_params)
++ *out_restart_params = e_named_parameters_new_clone (params);
++
++ e_named_parameters_set (*out_restart_params, E_CONFIG_LOOKUP_PARAM_CERTIFICATE_PEM, certificate_pem);
++ e_named_parameters_set (*out_restart_params, E_CONFIG_LOOKUP_PARAM_CERTIFICATE_HOST, certificate_host);
++ }
++ }
++ }
++
++ g_clear_error (&local_error);
++ g_free (certificate_host);
++ g_free (certificate_pem);
++
++ if (out_restart_params && !*out_restart_params)
+ *out_restart_params = e_named_parameters_new_clone (params);
+ }
+
+--- a/src/configuration/e-ews-config-utils.c
++++ b/src/configuration/e-ews-config-utils.c
+@@ -317,7 +317,7 @@
+ if (data->try_credentials_func)
+ auth_result = data->try_credentials_func (data->conn, credentials, data->user_data, cancellable, error);
+ else
+- auth_result = e_ews_connection_try_credentials_sync (data->conn, credentials, cancellable, error);
++ auth_result = e_ews_connection_try_credentials_sync (data->conn, credentials, NULL, NULL, NULL, cancellable, error);
+
+ if (auth_result == E_SOURCE_AUTHENTICATION_ACCEPTED) {
+ *out_authenticated = TRUE;
+@@ -377,7 +377,7 @@
+ if (try_credentials_func)
+ result = try_credentials_func (conn, NULL, user_data, cancellable, &local_error);
+ else
+- result = e_ews_connection_try_credentials_sync (conn, NULL, cancellable, &local_error);
++ result = e_ews_connection_try_credentials_sync (conn, NULL, NULL, NULL, NULL, cancellable, &local_error);
+
+ if (result != E_SOURCE_AUTHENTICATION_ACCEPTED) {
+ g_clear_object (&conn);
+--- a/src/configuration/e-mail-config-ews-autodiscover.c
++++ b/src/configuration/e-mail-config-ews-autodiscover.c
+@@ -45,6 +45,8 @@
+ ESource *source;
+ CamelEwsSettings *ews_settings;
+ gchar *email_address;
++ gchar *certificate_pem;
++ GTlsCertificateFlags certificate_errors;
+ };
+
+ enum {
+@@ -67,6 +69,7 @@
+ g_clear_object (&async_context->source);
+ g_clear_object (&async_context->ews_settings);
+ g_free (async_context->email_address);
++ g_free (async_context->certificate_pem);
+
+ g_slice_free (AsyncContext, async_context);
+ }
+@@ -87,6 +90,9 @@
+ }
+
+ static void
++mail_config_ews_autodiscover_run (EMailConfigEwsAutodiscover *autodiscover);
++
++static void
+ mail_config_ews_autodiscover_run_cb (GObject *source_object,
+ GAsyncResult *result,
+ gpointer user_data)
+@@ -111,17 +117,62 @@
+ g_object_thaw_notify (G_OBJECT (settings));
+
+ if (e_activity_handle_cancellation (async_context->activity, error)) {
+- g_error_free (error);
++ /* Do nothing, just free the error below */
++ } else if (g_error_matches (error, SOUP_HTTP_ERROR, SOUP_STATUS_SSL_FAILED) &&
++ async_context->certificate_pem && *async_context->certificate_pem && async_context->certificate_errors) {
++ ETrustPromptResponse response;
++ GtkWidget *parent;
++ const gchar *host;
++
++ parent = gtk_widget_get_toplevel (GTK_WIDGET (autodiscover));
++ if (!GTK_IS_WINDOW (parent))
++ parent = NULL;
++
++ host = camel_network_settings_get_host (CAMEL_NETWORK_SETTINGS (settings));
++
++ response = e_trust_prompt_run_modal (parent ? GTK_WINDOW (parent) : NULL,
++ E_SOURCE_EXTENSION_COLLECTION, _("Exchange Web Services"),
++ host, async_context->certificate_pem, async_context->certificate_errors,
++ error->message);
++
++ g_clear_error (&error);
++
++ if (response != E_TRUST_PROMPT_RESPONSE_UNKNOWN) {
++ GTlsCertificate *certificate;
++
++ certificate = g_tls_certificate_new_from_pem (async_context->certificate_pem, -1, &error);
++ if (certificate) {
++ ESourceWebdav *extension_webdav;
++
++ extension_webdav = e_source_get_extension (async_context->source, E_SOURCE_EXTENSION_WEBDAV_BACKEND);
++
++ e_source_webdav_update_ssl_trust (extension_webdav, host, certificate, response);
++
++ g_object_unref (certificate);
++ }
++
++ if (error) {
++ e_alert_submit (
++ alert_sink,
++ "ews:autodiscovery-error",
++ error->message, NULL);
++ }
++ }
+
++ if (response == E_TRUST_PROMPT_RESPONSE_ACCEPT ||
++ response == E_TRUST_PROMPT_RESPONSE_ACCEPT_TEMPORARILY) {
++ mail_config_ews_autodiscover_run (autodiscover);
++ }
+ } else if (error != NULL) {
+ e_alert_submit (
+ alert_sink,
+ "ews:autodiscovery-error",
+ error->message, NULL);
+- g_error_free (error);
+ }
+
+ gtk_widget_set_sensitive (GTK_WIDGET (autodiscover), TRUE);
++
++ g_clear_error (&error);
+ }
+
+ static gboolean
+@@ -141,6 +192,7 @@
+ async_context->ews_settings, async_context->email_address,
+ credentials && e_named_parameters_get (credentials, E_SOURCE_CREDENTIAL_PASSWORD) ?
+ e_named_parameters_get (credentials, E_SOURCE_CREDENTIAL_PASSWORD) : "",
++ &async_context->certificate_pem, &async_context->certificate_errors,
+ cancellable, &local_error);
+
+ if (local_error == NULL) {
+@@ -173,6 +225,7 @@
+ if (without_password) {
+ success = e_ews_autodiscover_ws_url_sync (async_context->source,
+ async_context->ews_settings, async_context->email_address, "",
++ &async_context->certificate_pem, &async_context->certificate_errors,
+ cancellable, &local_error);
+ }
+
+@@ -236,6 +289,8 @@
+ async_context->source = g_object_ref (source);
+ async_context->ews_settings = g_object_ref (settings);
+ async_context->email_address = g_strdup (e_mail_config_service_page_get_email_address (page));
++ async_context->certificate_pem = NULL;
++ async_context->certificate_errors = 0;
+
+ /*
+ * The GTask will be run in a new thread, which will invoke
+--- a/src/server/e-ews-connection-utils.c
++++ b/src/server/e-ews-connection-utils.c
+@@ -522,8 +522,13 @@
+ GCancellable *cancellable)
+ {
+ ESoupAuthBearer *using_bearer_auth;
++ ESource *source;
+ GError *local_error = NULL;
+
++ source = e_ews_connection_get_source (cnc);
++ if (source)
++ e_soup_ssl_trust_connect (message, source);
++
+ if (!ews_connection_utils_maybe_prepare_bearer_auth (cnc, message, cancellable))
+ return FALSE;
+
+--- a/src/server/e-ews-connection.c
++++ b/src/server/e-ews-connection.c
+@@ -112,6 +112,10 @@
+
+ /* Set to TRUE when this connection had been disconnected and cannot be used anymore */
+ gboolean disconnected_flag;
++
++ gboolean ssl_info_set;
++ gchar *ssl_certificate_pem;
++ GTlsCertificateFlags ssl_certificate_errors;
+ };
+
+ enum {
+@@ -848,6 +852,37 @@
+ return expired;
+ }
+
++static void
++ews_connection_check_ssl_error (EEwsConnection *connection,
++ SoupMessage *message)
++{
++ g_return_if_fail (E_IS_EWS_CONNECTION (connection));
++ g_return_if_fail (SOUP_IS_MESSAGE (message));
++
++ if (message->status_code == SOUP_STATUS_SSL_FAILED) {
++ GTlsCertificate *certificate = NULL;
++
++ g_mutex_lock (&connection->priv->property_lock);
++
++ g_clear_pointer (&connection->priv->ssl_certificate_pem, g_free);
++ connection->priv->ssl_info_set = FALSE;
++
++ g_object_get (G_OBJECT (message),
++ "tls-certificate", &certificate,
++ "tls-errors", &connection->priv->ssl_certificate_errors,
++ NULL);
++
++ if (certificate) {
++ g_object_get (certificate, "certificate-pem", &connection->priv->ssl_certificate_pem, NULL);
++ connection->priv->ssl_info_set = TRUE;
++
++ g_object_unref (certificate);
++ }
++
++ g_mutex_unlock (&connection->priv->property_lock);
++ }
++}
++
+ /* Response callbacks */
+
+ static void
+@@ -875,8 +910,15 @@
+ if (g_cancellable_is_cancelled (enode->cancellable))
+ goto exit;
+
++ ews_connection_check_ssl_error (enode->cnc, msg);
++
+ if (ews_connection_credentials_failed (enode->cnc, msg, enode->simple)) {
+ goto exit;
++ } else if (msg->status_code == SOUP_STATUS_SSL_FAILED) {
++ g_simple_async_result_set_error (
++ enode->simple, SOUP_HTTP_ERROR, SOUP_STATUS_SSL_FAILED,
++ "%s", msg->reason_phrase);
++ goto exit;
+ } else if (msg->status_code == SOUP_STATUS_UNAUTHORIZED) {
+ if (msg->response_headers) {
+ const gchar *diagnostics;
+@@ -1878,6 +1920,9 @@
+ cnc->priv->soup_thread = g_thread_new (NULL, e_ews_soup_thread, cnc);
+
+ cnc->priv->soup_session = soup_session_async_new_with_options (
++ SOUP_SESSION_TIMEOUT, 90,
++ SOUP_SESSION_SSL_STRICT, TRUE,
++ SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
+ SOUP_SESSION_ASYNC_CONTEXT, cnc->priv->soup_context,
+ NULL);
+
+@@ -1994,6 +2039,7 @@
+ g_free (priv->email);
+ g_free (priv->hash_key);
+ g_free (priv->impersonate_user);
++ g_free (priv->ssl_certificate_pem);
+
+ g_clear_object (&priv->bearer_auth);
+
+@@ -2581,10 +2627,15 @@
+ ESourceAuthenticationResult
+ e_ews_connection_try_credentials_sync (EEwsConnection *cnc,
+ const ENamedParameters *credentials,
++ ESource *use_source,
++ gchar **out_certificate_pem,
++ GTlsCertificateFlags *out_certificate_errors,
+ GCancellable *cancellable,
+ GError **error)
+ {
+ ESourceAuthenticationResult result;
++ ESource *source;
++ gboolean de_set_source;
+ EwsFolderId *fid = NULL;
+ GSList *ids = NULL;
+ GError *local_error = NULL;
+@@ -2598,14 +2649,31 @@
+ fid->is_distinguished_id = TRUE;
+ ids = g_slist_append (ids, fid);
+
++ source = e_ews_connection_get_source (cnc);
++ if (use_source && use_source != source) {
++ cnc->priv->source = g_object_ref (use_source);
++ de_set_source = TRUE;
++ } else {
++ source = NULL;
++ de_set_source = FALSE;
++ }
++
+ e_ews_connection_get_folder_sync (
+ cnc, EWS_PRIORITY_MEDIUM, "Default",
+ NULL, ids, NULL, cancellable, &local_error);
+
++ if (de_set_source) {
++ g_clear_object (&cnc->priv->source);
++ cnc->priv->source = source;
++ }
++
+ g_slist_free_full (ids, (GDestroyNotify) e_ews_folder_id_free);
+
+ if (local_error == NULL) {
+ result = E_SOURCE_AUTHENTICATION_ACCEPTED;
++ } else if (g_error_matches (local_error, SOUP_HTTP_ERROR, SOUP_STATUS_SSL_FAILED) &&
++ e_ews_connection_get_ssl_error_details (cnc, out_certificate_pem, out_certificate_errors)) {
++ result = E_SOURCE_AUTHENTICATION_ERROR_SSL_FAILED;
+ } else {
+ gboolean auth_failed;
+
+@@ -2642,6 +2710,29 @@
+ return cnc->priv->source;
+ }
+
++gboolean
++e_ews_connection_get_ssl_error_details (EEwsConnection *cnc,
++ gchar **out_certificate_pem,
++ GTlsCertificateFlags *out_certificate_errors)
++{
++ g_return_val_if_fail (E_IS_EWS_CONNECTION (cnc), FALSE);
++ g_return_val_if_fail (out_certificate_pem != NULL, FALSE);
++ g_return_val_if_fail (out_certificate_errors != NULL, FALSE);
++
++ g_mutex_lock (&cnc->priv->property_lock);
++ if (!cnc->priv->ssl_info_set) {
++ g_mutex_unlock (&cnc->priv->property_lock);
++ return FALSE;
++ }
++
++ *out_certificate_pem = g_strdup (cnc->priv->ssl_certificate_pem);
++ *out_certificate_errors = cnc->priv->ssl_certificate_errors;
++
++ g_mutex_unlock (&cnc->priv->property_lock);
++
++ return TRUE;
++}
++
+ const gchar *
+ e_ews_connection_get_uri (EEwsConnection *cnc)
+ {
+@@ -2965,6 +3056,9 @@
+ g_set_error (
+ &error, SOUP_HTTP_ERROR, status,
+ "%d %s", status, msg->reason_phrase);
++
++ if (status == SOUP_STATUS_SSL_FAILED)
++ ews_connection_check_ssl_error (ad->cnc, msg);
+ }
+
+ g_free (service_url);
+@@ -3125,7 +3219,8 @@
+ }
+
+ static SoupMessage *
+-e_ews_get_msg_for_url (CamelEwsSettings *settings,
++e_ews_get_msg_for_url (EEwsConnection *cnc,
++ CamelEwsSettings *settings,
+ const gchar *url,
+ xmlOutputBuffer *buf,
+ GError **error)
+@@ -3147,6 +3242,9 @@
+ return NULL;
+ }
+
++ if (cnc->priv->source)
++ e_soup_ssl_trust_connect (msg, cnc->priv->source);
++
+ e_ews_message_attach_chunk_allocator (msg);
+
+ e_ews_message_set_user_agent_header (msg, settings);
+@@ -3176,6 +3274,8 @@
+ CamelEwsSettings *settings,
+ const gchar *email_address,
+ const gchar *password,
++ gchar **out_certificate_pem,
++ GTlsCertificateFlags *out_certificate_errors,
+ GCancellable *cancellable,
+ GError **error)
+ {
+@@ -3194,7 +3294,7 @@
+
+ result = e_async_closure_wait (closure);
+
+- success = e_ews_autodiscover_ws_url_finish (settings, result, error);
++ success = e_ews_autodiscover_ws_url_finish (settings, result, out_certificate_pem, out_certificate_errors, error);
+
+ e_async_closure_free (closure);
+
+@@ -3305,11 +3405,11 @@
+ simple, ad, (GDestroyNotify) autodiscover_data_free);
+
+ /* Passing a NULL URL string returns NULL. */
+- ad->msgs[0] = e_ews_get_msg_for_url (settings, url1, buf, &error);
+- ad->msgs[1] = e_ews_get_msg_for_url (settings, url2, buf, NULL);
+- ad->msgs[2] = e_ews_get_msg_for_url (settings, url3, buf, NULL);
+- ad->msgs[3] = e_ews_get_msg_for_url (settings, url4, buf, NULL);
+- ad->msgs[4] = e_ews_get_msg_for_url (settings, url5, buf, NULL);
++ ad->msgs[0] = e_ews_get_msg_for_url (cnc, settings, url1, buf, &error);
++ ad->msgs[1] = e_ews_get_msg_for_url (cnc, settings, url2, buf, NULL);
++ ad->msgs[2] = e_ews_get_msg_for_url (cnc, settings, url3, buf, NULL);
++ ad->msgs[3] = e_ews_get_msg_for_url (cnc, settings, url4, buf, NULL);
++ ad->msgs[4] = e_ews_get_msg_for_url (cnc, settings, url5, buf, NULL);
+
+ /* These have to be submitted only after they're both set in ad->msgs[]
+ * or there will be races with fast completion */
+@@ -3369,10 +3469,13 @@
+ gboolean
+ e_ews_autodiscover_ws_url_finish (CamelEwsSettings *settings,
+ GAsyncResult *result,
++ gchar **out_certificate_pem,
++ GTlsCertificateFlags *out_certificate_errors,
+ GError **error)
+ {
+ GSimpleAsyncResult *simple;
+ struct _autodiscover_data *ad;
++ GError *local_error = NULL;
+
+ g_return_val_if_fail (
+ g_simple_async_result_is_valid (
+@@ -3382,8 +3485,20 @@
+ simple = G_SIMPLE_ASYNC_RESULT (result);
+ ad = g_simple_async_result_get_op_res_gpointer (simple);
+
+- if (g_simple_async_result_propagate_error (simple, error))
++ if (g_simple_async_result_propagate_error (simple, &local_error)) {
++ if (g_error_matches (local_error, SOUP_HTTP_ERROR, SOUP_STATUS_SSL_FAILED)) {
++ if (!e_ews_connection_get_ssl_error_details (ad->cnc, out_certificate_pem, out_certificate_errors)) {
++ if (out_certificate_pem)
++ *out_certificate_pem = NULL;
++ if (out_certificate_errors)
++ *out_certificate_errors = 0;
++ }
++ }
++
++ g_propagate_error (error, local_error);
++
+ return FALSE;
++ }
+
+ g_warn_if_fail (ad->as_url != NULL);
+ g_warn_if_fail (ad->oab_url != NULL);
+@@ -3542,6 +3657,8 @@
+ simple = G_SIMPLE_ASYNC_RESULT (user_data);
+ data = g_simple_async_result_get_op_res_gpointer (simple);
+
++ ews_connection_check_ssl_error (data->cnc, soup_message);
++
+ if (ews_connection_credentials_failed (data->cnc, soup_message, simple)) {
+ goto exit;
+ } else if (soup_message->status_code != 200) {
+@@ -3687,7 +3804,7 @@
+
+ g_return_if_fail (E_IS_EWS_CONNECTION (cnc));
+
+- soup_message = e_ews_get_msg_for_url (cnc->priv->settings, cnc->priv->uri, NULL, &error);
++ soup_message = e_ews_get_msg_for_url (cnc, cnc->priv->settings, cnc->priv->uri, NULL, &error);
+
+ simple = g_simple_async_result_new (
+ G_OBJECT (cnc), callback, user_data,
+@@ -3808,7 +3925,7 @@
+
+ g_return_if_fail (E_IS_EWS_CONNECTION (cnc));
+
+- soup_message = e_ews_get_msg_for_url (cnc->priv->settings, cnc->priv->uri, NULL, &error);
++ soup_message = e_ews_get_msg_for_url (cnc, cnc->priv->settings, cnc->priv->uri, NULL, &error);
+
+ simple = g_simple_async_result_new (
+ G_OBJECT (cnc), callback, user_data,
+@@ -3895,6 +4012,8 @@
+ simple = G_SIMPLE_ASYNC_RESULT (user_data);
+ data = g_simple_async_result_get_op_res_gpointer (simple);
+
++ ews_connection_check_ssl_error (data->cnc, soup_message);
++
+ if (ews_connection_credentials_failed (data->cnc, soup_message, simple)) {
+ g_unlink (data->cache_filename);
+ } else if (soup_message->status_code != 200) {
+@@ -4023,7 +4142,7 @@
+
+ g_return_if_fail (E_IS_EWS_CONNECTION (cnc));
+
+- soup_message = e_ews_get_msg_for_url (cnc->priv->settings, cnc->priv->uri, NULL, &error);
++ soup_message = e_ews_get_msg_for_url (cnc, cnc->priv->settings, cnc->priv->uri, NULL, &error);
+
+ simple = g_simple_async_result_new (
+ G_OBJECT (cnc), callback, user_data,
+--- a/src/server/e-ews-connection.h
++++ b/src/server/e-ews-connection.h
+@@ -427,9 +427,16 @@
+ e_ews_connection_try_credentials_sync
+ (EEwsConnection *cnc,
+ const ENamedParameters *credentials,
++ ESource *use_source,
++ gchar **out_certificate_pem,
++ GTlsCertificateFlags *out_certificate_errors,
+ GCancellable *cancellable,
+ GError **error);
+ ESource * e_ews_connection_get_source (EEwsConnection *cnc);
++gboolean e_ews_connection_get_ssl_error_details
++ (EEwsConnection *cnc,
++ gchar **out_certificate_pem,
++ GTlsCertificateFlags *out_certificate_errors);
+ const gchar * e_ews_connection_get_uri (EEwsConnection *cnc);
+ ESoupAuthBearer *
+ e_ews_connection_ref_bearer_auth(EEwsConnection *cnc);
+@@ -475,6 +482,8 @@
+ CamelEwsSettings *settings,
+ const gchar *email_address,
+ const gchar *password,
++ gchar **out_certificate_pem,
++ GTlsCertificateFlags *out_certificate_errors,
+ GCancellable *cancellable,
+ GError **error);
+ void e_ews_autodiscover_ws_url (ESource *source,
+@@ -487,6 +496,8 @@
+ gboolean e_ews_autodiscover_ws_url_finish
+ (CamelEwsSettings *settings,
+ GAsyncResult *result,
++ gchar **out_certificate_pem,
++ GTlsCertificateFlags *out_certificate_errors,
+ GError **error);
+ const gchar * e_ews_connection_get_mailbox (EEwsConnection *cnc);
+ void e_ews_connection_set_mailbox (EEwsConnection *cnc,
diff -Nru evolution-ews-3.30.5/debian/patches/series evolution-ews-3.30.5/debian/patches/series
--- evolution-ews-3.30.5/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ evolution-ews-3.30.5/debian/patches/series 2019-04-02 17:56:27.000000000 +0100
@@ -0,0 +1,2 @@
+0001-I-27-SSL-Certificates-are-not-validated.patch
+0001-Do-not-pass-scope-parameter-in-OAuth2-requests.patch
signature.asc
Description: This is a digitally signed message part
