Bug#804457: imapfilter: Uses SSLv3 method

2015-11-16 Thread Andy Whitcroft
Package: imapfilter
Version: 1:2.6.2-1
Followup-For: Bug #804457
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu xenial ubuntu-patch

Dear Maintainer,

We recently disabled SSLv3 in Ubuntu, and as part of testing that we
found that imapfilter coredumped on startup.  Looking at Debian we see
that it is being disabled there such that imapfilter will no longer
build.  For Ubuntu we are applying the attached patch which follows the
recommendation in this Bug and as such should fix the issue in Debian
also:

  * Switch to using SSLv23_client_method in all cases to avoid using
    now removed/neutered protocols and increasing forward compatibility.
    (LP: #1516585).


Thanks for considering the patch.


-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial-proposed'), (500, 'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.2.0-19-generic (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru imapfilter-2.6.2/debian/patches/series imapfilter-2.6.2/debian/patches/series
--- imapfilter-2.6.2/debian/patches/series	2015-01-05 18:29:14.0 +
+++ imapfilter-2.6.2/debian/patches/series	2015-11-16 12:53:46.0 +
@@ -1 +1,2 @@
 fix-makefile.diff
+ubuntu-switch-to-SSLv23_client_method-and-use-CTX-options-to-select-protocol.patch
diff -Nru imapfilter-2.6.2/debian/patches/ubuntu-switch-to-SSLv23_client_method-and-use-CTX-options-to-select-protocol.patch imapfilter-2.6.2/debian/patches/ubuntu-switch-to-SSLv23_client_method-and-use-CTX-options-to-select-protocol.patch
--- imapfilter-2.6.2/debian/patches/ubuntu-switch-to-SSLv23_client_method-and-use-CTX-options-to-select-protocol.patch	1970-01-01 01:00:00.0 +0100
+++ imapfilter-2.6.2/debian/patches/ubuntu-switch-to-SSLv23_client_method-and-use-CTX-options-to-select-protocol.patch	2015-11-16 13:29:59.0 +
@@ -0,0 +1,125 @@
+Description: switch to SSLv23_client_method() and use CTX options to select protocol
+ With us disabling SSLv3 we now either will not build (on Debian) or
+ coredump during initialisation.  As per the Debian bug recommendation
+ switch to always using SSLv23_client_method() as that can handle the best
+ protocol available (including TLS etc) going forward.  Where we need to
+ specify a specific protocol start using SSL_CTS_set_options() to limit
+ the negociable protocols.
+Author: Andy Whitcroft 
+Bug-Debian: https://bugs.debian.org/804457
+Bug-Ubuntu: https://launchpad.net/bugs/1516585
+
+Index: imapfilter-2.6.2/src/imapfilter.c
+===
+--- imapfilter-2.6.2.orig/src/imapfilter.c
 imapfilter-2.6.2/src/imapfilter.c
+@@ -21,10 +21,7 @@
+ 
+ extern buffer ibuf, obuf, nbuf, cbuf;
+ extern regexp responses[];
+-extern SSL_CTX *ssl3ctx, *ssl23ctx, *tls1ctx;
+-#if OPENSSL_VERSION_NUMBER >= 0x01000100fL
+-extern SSL_CTX *tls11ctx, *tls12ctx;
+-#endif
++extern SSL_CTX *ssl23ctx;
+ 
+ options opts;			/* Program options. */
+ environment env;		/* Environment variables. */
+@@ -109,25 +106,13 @@ main(int argc, char *argv[])
+ 
+ 	SSL_library_init();
+ 	SSL_load_error_strings();
+-	ssl3ctx = SSL_CTX_new(SSLv3_client_method());
+ 	ssl23ctx = SSL_CTX_new(SSLv23_client_method());
+-	tls1ctx = SSL_CTX_new(TLSv1_client_method());
+-#if OPENSSL_VERSION_NUMBER >= 0x01000100fL
+-	tls11ctx = SSL_CTX_new(TLSv1_1_client_method());
+-	tls12ctx = SSL_CTX_new(TLSv1_2_client_method());
+-#endif
+ 
+ 	if (exists_dir(opts.truststore))
+ 		capath = opts.truststore;
+ 	if (exists_file(opts.truststore))
+ 		cafile = opts.truststore;
+-	SSL_CTX_load_verify_locations(ssl3ctx, cafile, capath);
+ 	SSL_CTX_load_verify_locations(ssl23ctx, cafile, capath);
+-	SSL_CTX_load_verify_locations(tls1ctx, cafile, capath);
+-#if OPENSSL_VERSION_NUMBER >= 0x01000100fL
+-	SSL_CTX_load_verify_locations(tls11ctx, cafile, capath);
+-	SSL_CTX_load_verify_locations(tls12ctx, cafile, capath);
+-#endif
+ 
+ 	start_lua();
+ #if LUA_VERSION_NUM < 502
+@@ -146,13 +131,7 @@ main(int argc, char *argv[])
+ #endif
+ 	stop_lua();
+ 
+-	SSL_CTX_free(ssl3ctx);
+ 	SSL_CTX_free(ssl23ctx);
+-	SSL_CTX_free(tls1ctx);
+-#if OPENSSL_VERSION_NUMBER >= 0x01000100fL
+-	SSL_CTX_free(tls11ctx);
+-	SSL_CTX_free(tls12ctx);
+-#endif
+ 	ERR_free_strings();
+ 
+ 	regexp_free(responses);
+Index: imapfilter-2.6.2/src/socket.c
+===
+--- imapfilter-2.6.2.orig/src/socket.c
 imapfilter-2.6.2/src/socket.c
+@@ -17,11 +17,7 @@
+ #include "session.h"
+ 
+ 
+-SSL_CTX *ssl3ctx, *ssl23ctx, *tls1ctx;
+-#if OPENSSL_VERSION_NUMBER >= 0x01000100fL
+-SSL_CTX *tls11ctx, *tls12ctx;
+-#endif
+-
++SSL_CTX *ssl23ctx;
+ 
+ /*
+  * Connect to mail server.
+@@ -90,28 +86,28 @@ int
+ 
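Review bot: the Description header at the top of this hunk ("+Description: ..." and the lines after it) names SSL_CTS_set_options() and "negociable"; read SSL_CTX_set_options() and "negotiable", since that header is what later readers of debian/patches will go by. More substantively, the patch title says CTX options select the protocol, but with ssl3ctx, tls1ctx, tls11ctx and tls12ctx collapsed into the one shared ssl23ctx (the "+extern SSL_CTX *ssl23ctx;" and "+SSL_CTX *ssl23ctx;" lines), an SSL_CTX_set_options() call made for one session's sslproto stays in force for every later session on that context, because OpenSSL only ever ORs options in. The per-connection restriction belongs on the SSL object via SSL_set_options(), as the original report suggests; what does belong on ssl23ctx, right after "+ ssl23ctx = SSL_CTX_new(SSLv23_client_method());", is the unconditional SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3, so the default still refuses SSLv3 on OpenSSL builds that keep it compiled in. The socket.c hunk ("+@@ -90,28 +86,28 @@ int") that would show how sslproto is mapped onto options is cut off after its header in this message, so that part cannot be checked here.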

Bug#804457: imapfilter: Uses SSLv3 method

2015-11-08 Thread Kurt Roeckx
Source: imapfilter
Version: 1:2.6.2-1
Severity: serious
Control: block 797926 by -1

Hi,

In imapfilter.c you set things up like this:
    ssl3ctx = SSL_CTX_new(SSLv3_client_method());
    ssl23ctx = SSL_CTX_new(SSLv23_client_method());
    tls1ctx = SSL_CTX_new(TLSv1_client_method());
#if OPENSSL_VERSION_NUMBER >= 0x01000100fL
    tls11ctx = SSL_CTX_new(TLSv1_1_client_method());
    tls12ctx = SSL_CTX_new(TLSv1_2_client_method());
#endif


And then in socket.c you have things like:
    if (!ssn->sslproto) {
        ctx = ssl23ctx;
    } else if (!strcasecmp(ssn->sslproto, "ssl3")) {
        ctx = ssl3ctx;
    } else if (!strcasecmp(ssn->sslproto, "tls1")) {
        ctx = tls1ctx;
    } else if (!strcasecmp(ssn->sslproto, "tls1.1")) {
#if OPENSSL_VERSION_NUMBER >= 0x01000100fL
        ctx = tls11ctx;
#else
        ctx = tls1ctx;
#endif
    } else if (!strcasecmp(ssn->sslproto, "tls1.2")) {
#if OPENSSL_VERSION_NUMBER >= 0x01000100fL
        ctx = tls12ctx;
#else
        ctx = tls1ctx;
#endif
    } else {
        ctx = ssl23ctx;
    }


I have just removed the SSLv3_* methods in unstable.  You could
use OPENSSL_NO_SSL3 to remove the code making use of the SSLv3_*
methods.  But I suggest you get rid of all of this and just use
the SSLv23_* method.

The SSLv23_* methods are the only ones that support multiple
versions.  The plan is for all the others to go away because they
only support 1 version.

If you want to support selecting versions I suggest you use
SSL_set_options() with things like SSL_OP_NO_SSLv3.


Kurt