import CS cyrus-imapd-3.4.8-2.el9

2025-03-11 07:08:51 +00:00 · 2025-03-11 07:08:51 +00:00 · a1a808b80e
commit a1a808b80e
parent c5dc6840bc
2 changed files with 79 additions and 1 deletions
--- a/SOURCES/patch-cyrus-auto-dh-param
+++ b/SOURCES/patch-cyrus-auto-dh-param
@ -0,0 +1,71 @@
 https://github.com/cyrusimap/cyrus-imapd/pull/5156
 --- cyrus-imapd-3.4.8/imap/tls.c.8	2024-05-06 01:00:03.000000000 +0100
 +++ cyrus-imapd-3.4.8/imap/tls.c	2024-12-10 16:22:50.950639737 +0000
@@ -149,7 +149,8 @@ static int tls_serverengine = 0; /* serv
 static int tls_clientengine = 0; /* client engine initialized? */
 static int do_dump = 0;         /* actively dumping protocol? */
 -#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL)
 +#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && (OPENSSL_VERSION_NUMBER < 0x10101000L)
 +#define HAVE_MANUAL_DH_PARAMS 1
 static DH *dh_params = NULL;
 #endif
@@ -240,7 +241,7 @@ static int DH_set0_pqg(DH *dh, BIGNUM *p
 }
 #endif
 -#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL)
 +#ifdef HAVE_MANUAL_DH_PARAMS
 /* Logic copied from OpenSSL apps/s_server.c: give the TLS context
  * DH params to work with DHE-* cipher suites. Hardcoded fallback
  * in case no DH params in server_key or server_cert.
@@ -294,7 +295,7 @@ static DH *load_dh_param(const char *dhf
     return(ret);
 }
 -#endif /* OPENSSL_VERSION_NUMBER >= 0x009080fL */
 +#endif /* HAVE_MANUAL_DH_PARAMS */
 /* taken from OpenSSL apps/s_cb.c */
@@ -739,7 +740,6 @@ EXPORTED int     tls_init_serverengine(c
     const char   *client_ca_file;
     const char   *server_ca_file;
     const char   *server_cert_file;
 -    const char   *server_dhparam_file;
     const char   *server_key_file;
     const char   *crl_file_path;
     enum enum_value tls_client_certs;
@@ -883,7 +883,6 @@ EXPORTED int     tls_init_serverengine(c
     server_ca_file = config_getstring(IMAPOPT_TLS_SERVER_CA_FILE);
     server_cert_file = config_getstring(IMAPOPT_TLS_SERVER_CERT);
 -    server_dhparam_file = config_getstring(IMAPOPT_TLS_SERVER_DHPARAM);
     server_key_file = config_getstring(IMAPOPT_TLS_SERVER_KEY);
     if (config_debug) {
@@ -949,8 +948,11 @@ EXPORTED int     tls_init_serverengine(c
     SSL_CTX_set_tmp_rsa_callback(s_ctx, tmp_rsa_cb);
 #endif
 -#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL)
 +#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
 +    SSL_CTX_set_dh_auto(s_ctx, 1);
 +#elif defined(HAVE_MANUAL_DH_PARAMS)
     /* Load DH params for DHE-* key exchanges */
 +    const char *server_dhparam_file = config_getstring(IMAPOPT_TLS_SERVER_DHPARAM);
     dh_params = load_dh_param(server_dhparam_file, server_key_file, server_cert_file);
     SSL_CTX_set_tmp_dh(s_ctx, dh_params);
 #endif
@@ -1402,7 +1404,7 @@ EXPORTED int tls_shutdown_serverengine(v
             sess_dbopen = 0;
         }
 -#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL)
 +#ifdef HAVE_MANUAL_DH_PARAMS
         if (dh_params) DH_free(dh_params);
 #endif
     }
--- a/SPECS/cyrus-imapd.spec
+++ b/SPECS/cyrus-imapd.spec
@ -1,6 +1,6 @@
 Name: cyrus-imapd
 Version: 3.4.8
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: A high-performance email, contacts and calendar server
 License: BSD
 URL: http://www.cyrusimap.org/
@ -69,6 +69,9 @@ Patch91: patch-cassandane-no-syslog
 # Upstream ticket https://github.com/cyrusimap/cyrus-imapd/issues/1995
 Patch92: patch-cassandane-fix-annotator
 # Upstream PR https://github.com/cyrusimap/cyrus-imapd/pull/5156
 Patch93: patch-cyrus-auto-dh-param
 BuildRequires: autoconf automake bison flex gcc gcc-c++ git glibc-langpack-en
 BuildRequires: groff libtool pkgconfig rsync systemd transfig
@ -810,6 +813,10 @@ fi
 %changelog
 * Tue Dec 10 2024 Joe Orton <jorton@redhat.com> - 3.4.8-2
 - tls: enable automatic DH parameter selection
  Resolves: RHEL-70762
 * Wed Jun 05 2024 Martin Osvald <mosvald@redhat.com> - 3.4.8-1
 - Update to 3.4.8, fixing CVE-2024-34055