From a1a808b80e9790d26a6bfc19785e5e90aad64c12 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Tue, 11 Mar 2025 07:08:51 +0000
Subject: [PATCH] import CS cyrus-imapd-3.4.8-2.el9

---
 SOURCES/patch-cyrus-auto-dh-param | 71 +++++++++++++++++++++++++++++++
 SPECS/cyrus-imapd.spec | 9 +++-
 2 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/patch-cyrus-auto-dh-param

diff --git a/SOURCES/patch-cyrus-auto-dh-param b/SOURCES/patch-cyrus-auto-dh-param
new file mode 100644
index 0000000..72db95b
--- /dev/null
+++ b/SOURCES/patch-cyrus-auto-dh-param
@@ -0,0 +1,71 @@
+
+https://github.com/cyrusimap/cyrus-imapd/pull/5156
+
+--- cyrus-imapd-3.4.8/imap/tls.c.8 2024-05-06 01:00:03.000000000 +0100
++++ cyrus-imapd-3.4.8/imap/tls.c 2024-12-10 16:22:50.950639737 +0000
+@@ -149,7 +149,8 @@ static int tls_serverengine = 0; /* serv
+ static int tls_clientengine = 0; /* client engine initialized? */
+ static int do_dump = 0; /* actively dumping protocol? */
+ 
+-#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL)
++#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && (OPENSSL_VERSION_NUMBER < 0x10101000L)
++#define HAVE_MANUAL_DH_PARAMS 1
+ static DH *dh_params = NULL;
+ #endif
+ 
+@@ -240,7 +241,7 @@ static int DH_set0_pqg(DH *dh, BIGNUM *p
+ }
+ #endif
+ 
+-#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL)
++#ifdef HAVE_MANUAL_DH_PARAMS
+ /* Logic copied from OpenSSL apps/s_server.c: give the TLS context
+ * DH params to work with DHE-* cipher suites. Hardcoded fallback
+ * in case no DH params in server_key or server_cert.
+@@ -294,7 +295,7 @@ static DH *load_dh_param(const char *dhf
+ 
+ return(ret);
+ }
+-#endif /* OPENSSL_VERSION_NUMBER >= 0x009080fL */
++#endif /* HAVE_MANUAL_DH_PARAMS */
+ 
+ /* taken from OpenSSL apps/s_cb.c */
+ 
+@@ -739,7 +740,6 @@ EXPORTED int tls_init_serverengine(c
+ const char *client_ca_file;
+ const char *server_ca_file;
+ const char *server_cert_file;
+- const char *server_dhparam_file;
+ const char *server_key_file;
+ const char *crl_file_path;
+ enum enum_value tls_client_certs;
+@@ -883,7 +883,6 @@ EXPORTED int tls_init_serverengine(c
+ 
+ server_ca_file = config_getstring(IMAPOPT_TLS_SERVER_CA_FILE);
+ server_cert_file = config_getstring(IMAPOPT_TLS_SERVER_CERT);
+- server_dhparam_file = config_getstring(IMAPOPT_TLS_SERVER_DHPARAM);
+ server_key_file = config_getstring(IMAPOPT_TLS_SERVER_KEY);
+ 
+ if (config_debug) {
+@@ -949,8 +948,11 @@ EXPORTED int tls_init_serverengine(c
+ SSL_CTX_set_tmp_rsa_callback(s_ctx, tmp_rsa_cb);
+ #endif
+ 
+-#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL)
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
++ SSL_CTX_set_dh_auto(s_ctx, 1);
++#elif defined(HAVE_MANUAL_DH_PARAMS)
+ /* Load DH params for DHE-* key exchanges */
++ const char *server_dhparam_file = config_getstring(IMAPOPT_TLS_SERVER_DHPARAM);
+ dh_params = load_dh_param(server_dhparam_file, server_key_file, server_cert_file);
+ SSL_CTX_set_tmp_dh(s_ctx, dh_params);
+ #endif
+@@ -1402,7 +1404,7 @@ EXPORTED int tls_shutdown_serverengine(v
+ sess_dbopen = 0;
+ }
+ 
+-#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL)
++#ifdef HAVE_MANUAL_DH_PARAMS
+ if (dh_params) DH_free(dh_params);
+ #endif
+ }
diff --git a/SPECS/cyrus-imapd.spec b/SPECS/cyrus-imapd.spec
index 020a5bb..ac1f919 100644
--- a/SPECS/cyrus-imapd.spec
+++ b/SPECS/cyrus-imapd.spec
@@ -1,6 +1,6 @@
 Name: cyrus-imapd
 Version: 3.4.8
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: A high-performance email, contacts and calendar server
 License: BSD
 URL: http://www.cyrusimap.org/
@@ -69,6 +69,9 @@ Patch91: patch-cassandane-no-syslog
 # Upstream ticket https://github.com/cyrusimap/cyrus-imapd/issues/1995
 Patch92: patch-cassandane-fix-annotator
 
+# Upstream PR https://github.com/cyrusimap/cyrus-imapd/pull/5156
+Patch93: patch-cyrus-auto-dh-param
+
 BuildRequires: autoconf automake bison flex gcc gcc-c++ git glibc-langpack-en
 BuildRequires: groff libtool pkgconfig rsync systemd transfig
 
@@ -810,6 +813,10 @@ fi
 %changelog
+* Tue Dec 10 2024 Joe Orton - 3.4.8-2
+- tls: enable automatic DH parameter selection
+  Resolves: RHEL-70762
+
 * Wed Jun 05 2024 Martin Osvald - 3.4.8-1
 - Update to 3.4.8, fixing CVE-2024-34055
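Review bot: On the OpenSSL >= 1.1.1 branch added in the `@@ -949,8 +948,11 @@` hunk, `tls_server_dhparam` is no longer read at all, so an administrator who has pointed that option at a custom parameter file gets no indication that it is now ignored; OpenSSL's automatic selection (built-in groups sized to the server key's strength, as I understand it) is the stronger default, but a silent behaviour change on a security setting should be surfaced. Suggest logging once before `SSL_CTX_set_dh_auto(s_ctx, 1);` when the option is set, e.g. `if (config_getstring(IMAPOPT_TLS_SERVER_DHPARAM)) syslog(LOG_NOTICE, "tls_server_dhparam is ignored: DH parameters are chosen automatically by OpenSSL");`, assuming tls.c logs through syslog like the rest of the daemon, and stating the same in the imapd.conf documentation for the option. If the build can target LibreSSL, whose OPENSSL_VERSION_NUMBER is above 0x10101000L, confirm it provides `SSL_CTX_set_dh_auto` before relying on the version test alone. `tls_init_serverengine` begins and ends outside the hunk.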