Subject: pkg/28478: imap-uw package should read SSL keys from separate file
To: None <pkg-manager@netbsd.org, gnats-admin@netbsd.org,>
From: None <thorpej@shagadelic.org>
List: pkgsrc-bugs
Date: 11/30/2004 15:33:00
>Number:         28478
>Category:       pkg
>Synopsis:       imap-uw package should read SSL keys from separate file
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Nov 30 15:33:00 +0000 2004
>Originator:     Jason R Thorpe
>Release:        NetBSD 2.99.10
>Organization:
        -- Jason R. Thorpe <thorpej@shagadelic.org>
>Environment:
	
	
System: NetBSD yeah-baby.shagadelic.org 2.99.10 NetBSD 2.99.10 (YEAH-BABY-XP) #32: Wed Nov 3 16:00:40 PST 2004 thorpej@yeah-baby.shagadelic.org:/u1/netbsd/src/sys/arch/i386/compile/YEAH-BABY-XP i386
Architecture: i386
Machine: i386
>Description:
	The imap-uw package basically assumes that the SSL certificate
	and private key will be kept in the same file.  This is non-optimal
	in many configurations, where you want to use more restrictive
	file system permissions on the private key.

>How-To-Repeat:
	Inspection.

>Fix:
	The following patch makes the imap-uw package use the new
	SSLKEYS variable from the openssl package's "builtin.mk"
	for the location of the private key file.  On NetBSD systems,
	this defaults to /etc/openssl/private.

	Note: The diff to patch-ab is confusing to look at because it
	is a diff of a patch file.  What it does is remove the "SSLKEYS"
	variable from the Makefile, the same way that "SSLDIR" and
	"SSLCERTS" are removed.

Index: MESSAGE
===================================================================
RCS file: /cvsroot/pkgsrc/mail/imap-uw/MESSAGE,v
retrieving revision 1.2
diff -u -p -r1.2 MESSAGE
--- MESSAGE	16 Sep 2003 19:16:44 -0000	1.2
+++ MESSAGE	30 Nov 2004 15:25:12 -0000
@@ -19,9 +19,10 @@ Add the following to /etc/inetd.conf:
  pop3s  stream  tcp     nowait  root    ${PREFIX}/libexec/ipop3d   ipop3d
 
 In order to use SSL, you will need to configure a certificate and store it
-in the ${SSLCERTS} directory, using the imapd.pem name.
-If you want to use an existing certificate, say from Apache, just copy it
-there (you may need to concatenate .key and .crt files together).
+in the ${SSLCERTS} directory, using the imapd.pem name.  Place the key for
+the certificate in the ${SSLKEYS} directory, also using the imapd.pem name.
+If you want to use an existing certificate, say from Apache, just copy the
+certificate and key files to the appropriate locations.
 
 To put the changes into effect, make inetd reload its configuration:
 On NetBSD 1.5 or later:
Index: Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/mail/imap-uw/Makefile,v
retrieving revision 1.85
diff -u -p -r1.85 Makefile
--- Makefile	13 Nov 2004 21:28:28 -0000	1.85
+++ Makefile	30 Nov 2004 15:25:12 -0000
@@ -59,6 +59,7 @@ CCLIENT_MFILES=	src/imapd/Makefile					\
 		src/osdep/unix/Makefile
 
 MESSAGE_SUBST+=	SSLCERTS="${SSLCERTS}"
+MESSAGE_SUBST+=	SSLKEYS="${SSLKEYS}"
 PLIST_SUBST+=	CCLIENT_MAJOR="${CCLIENT_MAJOR}"
 PLIST_SUBST+=	CCLIENT_MINOR="${CCLIENT_MINOR}"
 
@@ -66,6 +67,7 @@ MANFILES=	src/imapd/imapd.8 src/ipopd/ip
 
 MAKE_ENV+=	SSLDIR=${SSLBASE:Q}
 MAKE_ENV+=	SSLCERTS=${SSLCERTS:Q}
+MAKE_ENV+=	SSLKEYS=${SSLKEYS:Q}
 MAKE_ENV+=	CCLIENT_MAJOR=${CCLIENT_MAJOR:Q}
 MAKE_ENV+=	CCLIENT_MINOR=${CCLIENT_MINOR:Q}
 MAKE_ENV+=	CREATEPROTO=${IMAP_UW_CCLIENT_MBOX_FMT:Q}proto
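Review bot: `MAKE_ENV+= SSLKEYS=${SSLKEYS:Q}` passes the value through with no check that it is set, while the first patches/patch-ab hunk removes the upstream default `SSLKEYS=$(SSLCERTS)`. If the openssl builtin.mk in use predates the new variable (not visible here, so this is an assumption), `-DSSL_KEY_DIRECTORY=\"$(SSLKEYS)\"` is compiled in as an empty string, and the private key path becomes whatever the server builds from an empty directory name. I would add a guard ahead of the MAKE_ENV lines, for example `.if empty(SSLKEYS)` / `PKG_FAIL_REASON+= "SSLKEYS is not set; update the openssl builtin.mk"` / `.endif`, so the build stops instead of producing such a binary. The same value feeds `MESSAGE_SUBST` in the previous hunk, so the guard also keeps the install message from printing an empty key directory.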
Index: distinfo
===================================================================
RCS file: /cvsroot/pkgsrc/mail/imap-uw/distinfo,v
retrieving revision 1.18
diff -u -p -r1.18 distinfo
--- distinfo	11 Oct 2004 16:56:28 -0000	1.18
+++ distinfo	30 Nov 2004 15:25:12 -0000
@@ -3,7 +3,7 @@ $NetBSD: distinfo,v 1.18 2004/10/11 16:5
 SHA1 (imap-2004a.tar.Z) = e5df251f2b8c3f01e94195a2832b5ba5cd809fbb
 Size (imap-2004a.tar.Z) = 2224181 bytes
 SHA1 (patch-aa) = 2109d076b1f50ca461b2b2a00ee927207a64f766
-SHA1 (patch-ab) = 76af6b8772962e77925da19902285aabcebc7d76
+SHA1 (patch-ab) = 20c8d4f449d7b72e4abe01da941658999799fa4d
 SHA1 (patch-ac) = 8b4ea8c15929c65eda1b3444c68fdbf70fa68b6a
 SHA1 (patch-ad) = 3404de4e4acb456e3c7b34ca80b31b80b465b3e1
 SHA1 (patch-ae) = 702473377ca66266bdb6d5d13045d279a38ea7de
Index: patches/patch-ab
===================================================================
RCS file: /cvsroot/pkgsrc/mail/imap-uw/patches/patch-ab,v
retrieving revision 1.14
diff -u -p -r1.14 patch-ab
--- patches/patch-ab	12 Aug 2004 12:13:54 -0000	1.14
+++ patches/patch-ab	30 Nov 2004 15:25:12 -0000
@@ -1,17 +1,18 @@
-$NetBSD: patch-ab,v 1.14 2004/08/12 12:13:54 adam Exp $
+$NetBSD$
 
---- src/osdep/unix/Makefile.orig	2004-08-12 13:26:38.000000000 +0000
-+++ src/osdep/unix/Makefile
-@@ -29,8 +29,6 @@ IP=4
+--- src/osdep/unix/Makefile.orig	2004-11-23 22:28:38.000000000 -0800
++++ src/osdep/unix/Makefile	2004-11-23 22:34:55.000000000 -0800
+@@ -29,9 +29,6 @@
  
  # Extended flags needed for SSL.  You may need to modify.
  
 -SSLDIR=/usr/local/ssl
 -SSLCERTS=$(SSLDIR)/certs
- SSLKEYS=$(SSLCERTS)
+-SSLKEYS=$(SSLCERTS)
  SSLINCLUDE=$(SSLDIR)/include
  SSLLIB=$(SSLDIR)/lib
-@@ -48,7 +46,7 @@ SSLRSA= # -lRSAglue -lrsaref
+ 
+@@ -48,7 +45,7 @@
  
  SSLCFLAGS= -I$(SSLINCLUDE) -I$(SSLINCLUDE)/openssl\
   -DSSL_CERT_DIRECTORY=\"$(SSLCERTS)\" -DSSL_KEY_DIRECTORY=\"$(SSLKEYS)\"
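Review bot: The only functional change in the regenerated patch-ab is turning the context line `SSLKEYS=$(SSLCERTS)` into a removal, but the file was rebuilt in a way that adds a local timestamp to the `+++ src/osdep/unix/Makefile` line and strips the section labels from every inner `@@` header. That is why the four later hunks of this file change although their content is identical. Regenerating the patch in the same form as r1.14 (no timestamp on `+++`, labels kept) should shrink this diff to the one removed line plus the shifted line counts, which makes the key-directory change much easier to audit. A short comment under the `$NetBSD$` line, such as `SSLDIR, SSLCERTS and SSLKEYS are supplied by pkgsrc through MAKE_ENV`, would also record why the defaults are deleted.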
@@ -20,7 +21,7 @@ $NetBSD: patch-ab,v 1.14 2004/08/12 12:1
  
  
  # Extended flags needed for non-standard passwd types.  You may need to modify.
-@@ -92,14 +90,14 @@ LOCKPGM=/etc/mlock
+@@ -92,14 +89,14 @@
  # set certain other formats (e.g. mbx and mx) as the EMPTYPROTO since these
  # formats can never be empty files.
  
@@ -37,7 +38,7 @@ $NetBSD: patch-ab,v 1.14 2004/08/12 12:1
  LN=ln -s
  RANLIB=ranlib
  
-@@ -391,9 +389,9 @@ gso:	os_sol.h	# GCC Solaris
+@@ -391,9 +388,9 @@
  	 SPOOLDIR=/var/spool MAILSPOOL=/var/mail \
  	 ACTIVEFILE=/usr/share/news/active \
  	 RSHPATH=/usr/bin/rsh \
@@ -49,7 +50,7 @@ $NetBSD: patch-ab,v 1.14 2004/08/12 12:1
  
  gsu:	# GCC SUN-OS
  	$(BUILD) `$(CAT) SPECIALS` OS=sun \
-@@ -483,9 +481,9 @@ neb:	# NetBSD
+@@ -483,9 +480,9 @@
  	$(BUILD) `$(CAT) SPECIALS` OS=bsi \
  	 CRXTYPE=nfs \
  	 SPOOLDIR=/var \
@@ -61,7 +62,7 @@ $NetBSD: patch-ab,v 1.14 2004/08/12 12:1
  	 BASELDFLAGS="-lcrypt"
  
  nec:	# NEC UX
-@@ -911,7 +909,7 @@ onceenv:
+@@ -911,7 +908,7 @@
  	 -DACTIVEFILE=\"$(ACTIVEFILE)\" -DNEWSSPOOL=\"$(NEWSSPOOL)\" \
  	 -DRSHPATH=\"$(RSHPATH)\" -DLOCKPGM=\"$(LOCKPGM)\" > OSCFLAGS
  	echo $(BASELDFLAGS) $(EXTRALDFLAGS) > LDFLAGS

>Unformatted: