diff --git a/sources b/sources
index cfbf649..4a70ced 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-7317dd7889303abbbd30e39f04771f10 zcp-7.1.11.tar.gz
+98ceed8b35a68bba669aecccbc7b1f43 zcp-7.1.12.tar.gz
diff --git a/zarafa-7.1.10-ssl_protocols_ciphers.patch b/zarafa-7.1.10-ssl_protocols_ciphers.patch
deleted file mode 100644
index 876df60..0000000
--- a/zarafa-7.1.10-ssl_protocols_ciphers.patch
+++ /dev/null
@@ -1,449 +0,0 @@ -Patch by Robert Scheck for Zarafa <= 7.1.10 which implements much more -fine granulated configuration settings for SSL/TLS protocol and cipher enabling and disabling. The -currently available "ssl_enable_v2" setting allows either to disable SSLv2 (and enables SSLv3 only -instead) or to enable all, thus SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 (TLSv1.1 and TLSv1.2 only -if Zarafa was linked against OpenSSL 1.0.1 or later). Since SSLv2 has known protocol weaknesses it -never should be enabled - but for Zarafa it currently must be enabled to support TLSv1 and better. - -This patch introduces the new setting "ssl_protocols" which replaces "ssl_enable_v2". The default -is "!SSLv2" to simply disable SSLv2 by default. The setting can be filled either with SSL protocols -that shall be enabled and/or disabled, e.g. "SSLv3 TLSv1" or "!SSLv2 !SSLv3". However only the more -usual disable/exclude option should be used as this does not exclude future protocols by default. - -Further this patch introduces the completely new setting "ssl_ciphers". This one allows to set SSL -cipher suites. Right now, all SSL ciphers are accepted which is just weak or might Zarafa even make -even vulnerable to known SSL attacks. The German Federal Office for Information Security (BSI) says -that RC4 should not be used anymore - but Zarafa does it by default. And without this patch there -is also no way for Zarafa administrators to avoid that. Indeed this setting has the risk to get the -administrators ending up in a cipher mismatch between different systems but this new setting still -could be declared as officially unsupported and only for the brave ones who know what they do. Thus -the default is already set to something less weak than before but still below BSI recommendations. - -Finally this patch introduces the also new setting "ssl_prefer_server_ciphers". 
It does what it is -named after: When choosing a cipher during an SSL/TLS handshake, normally the client's preference -is used. If this setting is enabled, the server's preference will be used instead. This comes handy -to administrators for strange cipher orderings required for special configurations and clients - or -new weaknesses where workarounds are required for the time being. - -Testing: Configure zarafa-gateway, zarafa-ical and zarafa-server for cleartext and SSL as usual. -Try to login via POP3S, IMAPS, CalDAV-SSL and MAPI in SOAP over HTTPS. Change SSL protocols and the -ciphers to something more weak ("SSLv2" and "LOW") or to something more strong ("TLSv1.2" and e.g. -"HIGH"). During all my tests I did not figure out any newly introduced issue or Zarafa breakage. - -Important: The technical implementation of this patch might be not perfect as I am not really a C/ -C++ developer. The logic and the implementation is heavily based on Dovecot, Postfix and hints from -https://docs.fedoraproject.org/en-US/Fedora_Security_Team/html/Defensive_Coding/. There should be -a code review and code clean up by an experienced C/C++ developer before merging into Zarafa core. - -This patch should be only applied in conjuction with the POP3 RESP-CODES and AUTH-RESP-CODE patch, -the POP3 CAPA (CAPABILITIES) patch as well as the POP3 STLS (STARTTLS) patch applied before. - -Proposed to upstream via e-mail on Sat, 8 Mar 2014 14:30:29 +0100, patch was put into the upstream -ticket https://jira.zarafa.com/browse/ZCP-12143. 
- ---- zarafa-7.1.10/caldav/CalDAV.cpp 2014-05-23 15:56:36.000000000 +0200 -+++ zarafa-7.1.10/caldav/CalDAV.cpp.rsc 2014-08-12 19:45:04.000000000 +0200 -@@ -220,7 +220,9 @@ - { "log_timestamp", "1" }, - { "ssl_private_key_file", "/etc/zarafa/ical/privkey.pem" }, - { "ssl_certificate_file", "/etc/zarafa/ical/cert.pem" }, -- { "ssl_enable_v2", "no" }, -+ { "ssl_protocols", "!SSLv2" }, -+ { "ssl_ciphers", "ALL:!LOW:!SSLv2:!EXP:!aNULL" }, -+ { "ssl_prefer_server_ciphers", "no" }, - { "ssl_verify_client", "no" }, - { "ssl_verify_file", "" }, - { "ssl_verify_path", "" }, ---- zarafa-7.1.10/common/ECChannel.cpp 2014-05-23 15:56:36.000000000 +0200 -+++ zarafa-7.1.10/common/ECChannel.cpp.rsc 2014-08-12 19:48:00.000000000 +0200 -@@ -92,6 +92,11 @@ - HRESULT hr = hrSuccess; - char *szFile = NULL; - char *szPath = NULL; -+ char *ssl_protocols = strdup(lpConfig->GetSetting("ssl_protocols")); -+ char *ssl_ciphers = lpConfig->GetSetting("ssl_ciphers"); -+ char *ssl_name; -+ int ssl_proto, ssl_op = 0, ssl_include = 0, ssl_exclude = 0; -+ bool ssl_neg; - - if (lpConfig == NULL) { - hr = MAPI_E_CALL_FAILED; -@@ -107,11 +112,79 @@ - SSL_load_error_strings(); - lpCTX = SSL_CTX_new(SSLv23_server_method()); - SSL_CTX_set_options(lpCTX, SSL_OP_ALL); -- SSL_CTX_set_default_verify_paths(lpCTX); - -- // disable SSLv2 support -- if (!parseBool(lpConfig->GetSetting("ssl_enable_v2", "", "no"))) -- SSL_CTX_set_options(lpCTX, SSL_OP_NO_SSLv2); -+ ssl_name = strtok(ssl_protocols, " "); -+ while(ssl_name != NULL) { -+ if (*ssl_name != '!') -+ ssl_neg = FALSE; -+ else { -+ ssl_name++; -+ ssl_neg = TRUE; -+ } -+ -+ if (strcasecmp(ssl_name, SSL_TXT_SSLV2) == 0) -+ ssl_proto = 0x01; -+ else if (strcasecmp(ssl_name, SSL_TXT_SSLV3) == 0) -+ ssl_proto = 0x02; -+ else if (strcasecmp(ssl_name, SSL_TXT_TLSV1) == 0) -+ ssl_proto = 0x04; -+#ifdef SSL_TXT_TLSV1_1 -+ else if (strcasecmp(ssl_name, SSL_TXT_TLSV1_1) == 0) -+ ssl_proto = 0x08; -+#endif -+#ifdef SSL_TXT_TLSV1_2 -+ else if (strcasecmp(ssl_name, 
SSL_TXT_TLSV1_2) == 0) -+ ssl_proto = 0x10; -+#endif -+ else { -+ lpLogger->Log(EC_LOGLEVEL_ERROR, "Unknown protocol '%s' in ssl_protocols setting", ssl_name); -+ hr = MAPI_E_CALL_FAILED; -+ goto exit; -+ } -+ -+ if (ssl_neg) -+ ssl_exclude |= ssl_proto; -+ else -+ ssl_include |= ssl_proto; -+ -+ ssl_name = strtok(NULL, " "); -+ } -+ -+ if (ssl_include != 0) { -+ // Exclude everything, except those that are included (and let excludes still override those) -+ ssl_exclude |= 0x1f & ~ssl_include; -+ } -+ -+ if ((ssl_exclude & 0x01) != 0) -+ ssl_op |= SSL_OP_NO_SSLv2; -+ if ((ssl_exclude & 0x02) != 0) -+ ssl_op |= SSL_OP_NO_SSLv3; -+ if ((ssl_exclude & 0x04) != 0) -+ ssl_op |= SSL_OP_NO_TLSv1; -+#ifdef SSL_OP_NO_TLSv1_1 -+ if ((ssl_exclude & 0x08) != 0) -+ ssl_op |= SSL_OP_NO_TLSv1_1; -+#endif -+#ifdef SSL_OP_NO_TLSv1_2 -+ if ((ssl_exclude & 0x10) != 0) -+ ssl_op |= SSL_OP_NO_TLSv1_2; -+#endif -+ -+ if (ssl_protocols) { -+ SSL_CTX_set_options(lpCTX, ssl_op); -+ } -+ -+ if (ssl_ciphers && SSL_CTX_set_cipher_list(lpCTX, ssl_ciphers) != 1) { -+ lpLogger->Log(EC_LOGLEVEL_ERROR, "Can not set SSL cipher list to '%s': %s", ssl_ciphers, ERR_error_string(ERR_get_error(), 0)); -+ hr = MAPI_E_CALL_FAILED; -+ goto exit; -+ } -+ -+ if (parseBool(lpConfig->GetSetting("ssl_prefer_server_ciphers"))) { -+ SSL_CTX_set_options(lpCTX, SSL_OP_CIPHER_SERVER_PREFERENCE); -+ } -+ -+ SSL_CTX_set_default_verify_paths(lpCTX); - - if (SSL_CTX_use_certificate_chain_file(lpCTX, lpConfig->GetSetting("ssl_certificate_file")) != 1) { - lpLogger->Log(EC_LOGLEVEL_ERROR, "SSL CTX certificate file error: %s", ERR_error_string(ERR_get_error(), 0)); ---- zarafa-7.1.10/doc/manual.xml 2014-05-23 15:01:13.000000000 +0200 -+++ zarafa-7.1.10/doc/manual.xml.rsc 2014-08-12 19:45:04.000000000 +0200 -@@ -4226,11 +4226,33 @@ - - - -- -+ - -- Incoming SSL connections normally are v3. -- Default: no -- -+ Disabled or enabled protocol names. Supported protocol names -+ are SSLv2, SSLv3 -+ and TLSv1. 
If Zarafa was linked against -+ OpenSSL 1.0.1 or later there is additional support for the new protocols -+ TLSv1.1 and TLSv1.2. -+ To exclude both, SSLv2 and SSLv3 set -+ to !SSLv2 !SSLv3. SSLv2 is considered unsafe -+ and these connections should not be accepted. -+ Default: !SSLv2 -+ -+ -+ -+ -+ -+ -+ SSL ciphers to use, set to ALL for backward compatibility. -+ Default: ALL:!LOW:!SSLv2:!EXP:!aNULL -+ -+ -+ -+ -+ -+ -+ Prefer the server's order of SSL ciphers over client's. -+ Default: no - - - -@@ -8070,11 +8092,32 @@ - - - -- -+ -+ -+ Disabled or enabled protocol names. Supported protocol names -+ are SSLv2, SSLv3 -+ and TLSv1. If Zarafa was linked against -+ OpenSSL 1.0.1 or later there is additional support for the new protocols -+ TLSv1.1 and TLSv1.2. -+ To exclude both, SSLv2 and SSLv3 set -+ to !SSLv2 !SSLv3. SSLv2 is considered unsafe -+ and these connections should not be accepted. -+ Default: !SSLv2 -+ -+ -+ -+ -+ -+ -+ SSL ciphers to use, set to ALL for backward compatibility. -+ Default: ALL:!LOW:!SSLv2:!EXP:!aNULL -+ -+ -+ -+ -+ - -- Accept SSLv2 only connections. SSLv2 is considered -- unsafe, and these connections should not be -- accepted. -+ Prefer the server's order of SSL ciphers over client's. - Default: no - - -@@ -10075,11 +10118,32 @@ - - - -- -+ -+ -+ Disabled or enabled protocol names. Supported protocol names -+ are SSLv2, SSLv3 -+ and TLSv1. If Zarafa was linked against -+ OpenSSL 1.0.1 or later there is additional support for the new protocols -+ TLSv1.1 and TLSv1.2. -+ To exclude both, SSLv2 and SSLv3 set -+ to !SSLv2 !SSLv3. SSLv2 is considered unsafe -+ and these connections should not be accepted. -+ Default: !SSLv2 -+ -+ -+ -+ -+ -+ -+ SSL ciphers to use, set to ALL for backward compatibility. -+ Default: ALL:!LOW:!SSLv2:!EXP:!aNULL -+ -+ -+ -+ -+ - -- Accept SSLv2 only connections. SSLv2 is considered -- unsafe, and these connections should not be -- accepted. -+ Prefer the server's order of SSL ciphers over client's. 
- Default: no - - ---- zarafa-7.1.10/gateway/Gateway.cpp 2014-05-23 15:56:37.000000000 +0200 -+++ zarafa-7.1.10/gateway/Gateway.cpp.rsc 2014-08-12 19:45:04.000000000 +0200 -@@ -365,7 +365,9 @@ - { "ssl_verify_client", "no" }, - { "ssl_verify_file", "" }, - { "ssl_verify_path", "" }, -- { "ssl_enable_v2", "no" }, -+ { "ssl_protocols", "!SSLv2" }, -+ { "ssl_ciphers", "ALL:!LOW:!SSLv2:!EXP:!aNULL" }, -+ { "ssl_prefer_server_ciphers", "no" }, - { "log_method", "file" }, - { "log_file", "-" }, - { "log_level", "2", CONFIGSETTING_RELOADABLE }, ---- zarafa-7.1.10/installer/linux/gateway.cfg 2014-05-23 15:03:19.000000000 +0200 -+++ zarafa-7.1.10/installer/linux/gateway.cfg.rsc 2014-08-12 19:45:04.000000000 +0200 -@@ -84,8 +84,14 @@ - ssl_verify_file = - ssl_verify_path = - --# Accept SSLv2 only incoming connections --ssl_enable_v2 = no -+# SSL protocols to use, set to '!SSLv2' for 'ssl_enable_v2 = no' -+ssl_protocols = !SSLv2 -+ -+# SSL ciphers to use, set to 'ALL' for backward compatibility -+ssl_ciphers = ALL:!LOW:!SSLv2:!EXP:!aNULL -+ -+# Prefer the server's order of SSL ciphers over client's -+ssl_prefer_server_ciphers = no - - # Process model, using pthreads (thread) or processes (fork) - process_model = fork ---- zarafa-7.1.10/installer/linux/ical.cfg 2014-05-23 15:03:19.000000000 +0200 -+++ zarafa-7.1.10/installer/linux/ical.cfg.rsc 2014-08-12 19:45:04.000000000 +0200 -@@ -66,8 +66,14 @@ - ssl_verify_file = - ssl_verify_path = - --# Accept SSLv2 only incoming connections --ssl_enable_v2 = no -+# SSL protocols to use, set to '!SSLv2' for 'ssl_enable_v2 = no' -+ssl_protocols = !SSLv2 -+ -+# SSL ciphers to use, set to 'ALL' for backward compatibility -+ssl_ciphers = ALL:!LOW:!SSLv2:!EXP:!aNULL -+ -+# Prefer the server's order of SSL ciphers over client's -+ssl_prefer_server_ciphers = no - - ############################################################## - # OTHER ICAL SETTINGS ---- zarafa-7.1.10/installer/linux/server.cfg 2014-05-23 15:03:19.000000000 +0200 -+++ 
zarafa-7.1.10/installer/linux/server.cfg.rsc 2014-08-12 19:45:04.000000000 +0200 -@@ -154,8 +154,14 @@ - # Path with CA certificates, e.g. /etc/ssl/certs - server_ssl_ca_path = - --# Accept SSLv2 only connections. Normally v3 connections are used. --server_ssl_enable_v2 = no -+# SSL protocols to use, set to '!SSLv2' for 'server_ssl_enable_v2 = no' -+server_ssl_protocols = !SSLv2 -+ -+# SSL ciphers to use, set to 'ALL' for backward compatibility -+server_ssl_ciphers = ALL:!LOW:!SSLv2:!EXP:!aNULL -+ -+# Prefer the server's order of SSL ciphers over client's -+server_ssl_prefer_server_ciphers = no - - # Path of SSL Public keys of clients - sslkeys_path = /etc/zarafa/sslkeys ---- zarafa-7.1.10/provider/server/ECServer.cpp 2014-05-23 15:56:37.000000000 +0200 -+++ zarafa-7.1.10/provider/server/ECServer.cpp.rsc 2014-08-12 19:45:04.000000000 +0200 -@@ -919,7 +919,9 @@ - { "server_ssl_key_pass", "server", CONFIGSETTING_EXACT }, - { "server_ssl_ca_file", "/etc/zarafa/ssl/cacert.pem" }, - { "server_ssl_ca_path", "" }, -- { "server_ssl_enable_v2", "no" }, -+ { "server_ssl_protocols", "!SSLv2" }, -+ { "server_ssl_ciphers", "ALL:!LOW:!SSLv2:!EXP:!aNULL" }, -+ { "server_ssl_prefer_server_ciphers", "no" }, - { "sslkeys_path", "/etc/zarafa/sslkeys" }, // login keys - // Database options - { "database_engine", "mysql" }, ---- zarafa-7.1.10/provider/server/ECSoapServerConnection.cpp 2014-05-23 15:56:37.000000000 +0200 -+++ zarafa-7.1.10/provider/server/ECSoapServerConnection.cpp.rsc 2014-08-12 19:45:04.000000000 +0200 -@@ -240,6 +240,11 @@ - ECRESULT er = erSuccess; - int socket = SOAP_INVALID_SOCKET; - struct soap *lpsSoap = NULL; -+ char *server_ssl_protocols = strdup(m_lpConfig->GetSetting("server_ssl_protocols")); -+ char *server_ssl_ciphers = m_lpConfig->GetSetting("server_ssl_ciphers"); -+ char *ssl_name; -+ int ssl_proto, ssl_op = 0, ssl_include = 0, ssl_exclude = 0; -+ bool ssl_neg; - - if(lpServerName == NULL) { - er = ZARAFA_E_INVALID_PARAMETER; -@@ -270,10 +275,79 @@ - 
goto exit; - } - -- // disable SSLv2 support -- if (!parseBool(m_lpConfig->GetSetting("server_ssl_enable_v2", "", "no"))) -- SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_NO_SSLv2); -- -+ SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_ALL); -+ -+ ssl_name = strtok(server_ssl_protocols, " "); -+ while(ssl_name != NULL) { -+ if (*ssl_name != '!') -+ ssl_neg = FALSE; -+ else { -+ ssl_name++; -+ ssl_neg = TRUE; -+ } -+ -+ if (strcasecmp(ssl_name, SSL_TXT_SSLV2) == 0) -+ ssl_proto = 0x01; -+ else if (strcasecmp(ssl_name, SSL_TXT_SSLV3) == 0) -+ ssl_proto = 0x02; -+ else if (strcasecmp(ssl_name, SSL_TXT_TLSV1) == 0) -+ ssl_proto = 0x04; -+#ifdef SSL_TXT_TLSV1_1 -+ else if (strcasecmp(ssl_name, SSL_TXT_TLSV1_1) == 0) -+ ssl_proto = 0x08; -+#endif -+#ifdef SSL_TXT_TLSV1_2 -+ else if (strcasecmp(ssl_name, SSL_TXT_TLSV1_2) == 0) -+ ssl_proto = 0x10; -+#endif -+ else { -+ m_lpLogger->Log(EC_LOGLEVEL_FATAL, "Unknown protocol '%s' in server_ssl_protocols setting", ssl_name); -+ er = ZARAFA_E_CALL_FAILED; -+ goto exit; -+ } -+ -+ if (ssl_neg) -+ ssl_exclude |= ssl_proto; -+ else -+ ssl_include |= ssl_proto; -+ -+ ssl_name = strtok(NULL, " "); -+ } -+ -+ if (ssl_include != 0) { -+ // Exclude everything, except those that are included (and let excludes still override those) -+ ssl_exclude |= 0x1f & ~ssl_include; -+ } -+ -+ if ((ssl_exclude & 0x01) != 0) -+ ssl_op |= SSL_OP_NO_SSLv2; -+ if ((ssl_exclude & 0x02) != 0) -+ ssl_op |= SSL_OP_NO_SSLv3; -+ if ((ssl_exclude & 0x04) != 0) -+ ssl_op |= SSL_OP_NO_TLSv1; -+#ifdef SSL_OP_NO_TLSv1_1 -+ if ((ssl_exclude & 0x08) != 0) -+ ssl_op |= SSL_OP_NO_TLSv1_1; -+#endif -+#ifdef SSL_OP_NO_TLSv1_2 -+ if ((ssl_exclude & 0x10) != 0) -+ ssl_op |= SSL_OP_NO_TLSv1_2; -+#endif -+ -+ if (server_ssl_protocols) { -+ SSL_CTX_set_options(lpsSoap->ctx, ssl_op); -+ } -+ -+ if (server_ssl_ciphers && SSL_CTX_set_cipher_list(lpsSoap->ctx, server_ssl_ciphers) != 1) { -+ m_lpLogger->Log(EC_LOGLEVEL_FATAL, "Can not set SSL cipher list to '%s': %s", server_ssl_ciphers, 
ERR_error_string(ERR_get_error(), 0));
-+ er = ZARAFA_E_CALL_FAILED;
-+ goto exit;
-+ }
-+ 
-+ if (parseBool(m_lpConfig->GetSetting("server_ssl_prefer_server_ciphers"))) {
-+ SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
-+ }
-+ 
- // request certificate from client, is OK if not present.
- SSL_CTX_set_verify(lpsSoap->ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, NULL);
- 
diff --git a/zarafa-7.1.11-gsoap-sslv3.patch b/zarafa-7.1.11-gsoap-sslv3.patch
deleted file mode 100644
index 877b0e1..0000000
--- a/zarafa-7.1.11-gsoap-sslv3.patch
+++ /dev/null
@@ -1,36 +0,0 @@ -Patch by Robert Scheck for zarafa >= 7.1.11 which removes the Zarafa- -specific override/limitation that forces SSLv3-only SOAP connection between the Zarafa services. -The pristine gSOAP library itself uses SSLv23_method() instead and thus allows TLSv1.0, TLSv1.1 -as well as TLSv1.2. Disable SSLv2 and SSLv3 as well as TLS compression explicitly; similar like -the Zarafa Outlook Client which meanwhile only allows TLSv1.0 (and better). - -Proposed to upstream via e-mail on Wed, 2 Apr 2014 11:35:40 +0200, initial patch was put into the -upstream ticket Ticket#2014040210000266. - ---- zarafa-7.1.11/provider/common/SOAPSock.cpp 2014-09-03 10:45:06.000000000 +0200 -+++ zarafa-7.1.11/provider/common/SOAPSock.cpp.gsoap-sslv3 2015-03-04 00:28:25.000000000 +0100 -@@ -162,9 +162,6 @@ - - lpCmd->endpoint = strdup(strServerPath.c_str()); - -- // override the gsoap default v23 method to the force safer v3 only method. -- lpCmd->soap->ctx = SSL_CTX_new(SSLv3_method()); -- - #ifdef WITH_OPENSSL - if (strncmp("https:", lpCmd->endpoint, 6) == 0) { - // no need to add certificates to call, since soap also calls SSL_CTX_set_default_verify_paths() -@@ -188,6 +185,14 @@ - lpCmd->soap->fsslverify = ssl_verify_callback_zarafa_silent; - - SSL_CTX_set_verify(lpCmd->soap->ctx, SSL_VERIFY_PEER, lpCmd->soap->fsslverify); -+ -+ // disable SSLv2 (according to RFC 6176) and SSLv3, leaving just TLSv1.0 (and better) -+ SSL_CTX_set_options(lpCmd->soap->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); -+ -+#ifdef SSL_OP_NO_COMPRESSION -+ // disable TLS compression to close the CRIME attack vector (also known as CVE-2012-4929) -+ SSL_CTX_set_options(lpCmd->soap->ctx, SSL_OP_NO_COMPRESSION); -+#endif - } - #endif - diff --git a/zarafa-7.1.11-webaccess-mcrypt.patch b/zarafa-7.1.11-webaccess-mcrypt.patch deleted file mode 100644 index 56b5274..0000000 --- a/zarafa-7.1.11-webaccess-mcrypt.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -Patch by Robert Scheck for Zarafa >= 7.1.10 which fixes the fix that fixes CVE-2014-0103. Ush, -that was complicated, so: CVE-2014-0103 exists because Zarafa WebAccess < 7.1.10 and Zarafa WebApp < 1.6 storing passwords -in cleartext on server (in the PHP session). Zarafa solved this flaw by using openssl_encrypt() and openssl_decrypt() from -PHP's OpenSSL bindings. However these functions are only available in PHP 5.3 or later. Without this patch suggestion, any -older but still supported Linux distribution like Red Hat Enterprise Linux 5 or SuSE Linux Enterprise Server 10 (which are -both shipping PHP < 5.3 by default) would still be left vulnerable. - -Given that I am personally more a fan of OpenSSL rather mcrypt, I am not absolutely sure if this implementation is really -correct even it works fine on my test system. So please explicitly review this code to avoid introducing another security -flaw by trying to fix one! A thing that I generally question for myself is the usage of "des-ede3-cbc"/"MCRYPT_TRIPLEDES" -instead of e.g. MCRYPT_RIJNDAEL_128. Given that this decision was initially made by Zarafa I am just following that here. - -Important: To get this patch really powerful the install-time requirement needs to be adapted like this (this example is -based on Fedora's build system so the macros %{?rhel} and %{?fedora} might not exist at Zarafa but need to be replaced by -other macros): - -%if 0%{?rhel}%{?fedora} < 6 -Requires: php-mcrypt -%else -Requires: php-openssl -%endif - -This requires php-openssl (provided by php-common) on RHEL 6 (and later) and php-mcrypt (separate package) before RHEL 6. - -Proposed to upstream via e-mail on Thu, 5 Jun 2014 00:24:32 +0200, initial patch was put into the (non-disclosed) upstream -ticket https://jira.zarafa.com/browse/ZCP-12407. 
- ---- zarafa-7.1.10/php-webclient-ajax/index.php 2014-05-23 15:56:38.000000000 +0200 -+++ zarafa-7.1.10/php-webclient-ajax/index.php.webaccess-mcrypt 2014-06-05 00:08:18.000000000 +0200 -@@ -135,6 +135,8 @@ - // if user has openssl module installed - if(function_exists("openssl_encrypt")) { - $_SESSION['password'] = openssl_encrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV); -+ } elseif(function_exists("mcrypt_encrypt")) { -+ $_SESSION['password'] = base64_encode(mcrypt_encrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, $password, MCRYPT_MODE_CBC, PASSWORD_IV)); - } else { - $_SESSION["password"] = $password; - } ---- zarafa-7.1.10/php-webclient-ajax/server/core/class.mapisession.php 2014-05-23 15:56:38.000000000 +0200 -+++ zarafa-7.1.10/php-webclient-ajax/server/core/class.mapisession.php.webaccess-mcrypt 2014-06-05 00:08:57.000000000 +0200 -@@ -132,6 +132,8 @@ - if(is_string($username) && is_string($password)) { - if(function_exists("openssl_decrypt")) { - $password = openssl_decrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV); -+ } elseif(function_exists("mcrypt_decrypt")) { -+ $password = rtrim(mcrypt_decrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, base64_decode($password), MCRYPT_MODE_CBC, PASSWORD_IV), "\0"); - } - // logon - $this->session = mapi_logon_zarafa($username, $password, $server, $sslcert_file, $sslcert_pass); -@@ -139,6 +141,8 @@ - - if(function_exists("openssl_encrypt")) { - $password = openssl_encrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV); -+ } elseif(function_exists("mcrypt_encrypt")) { -+ $password = base64_encode(mcrypt_encrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, $password, MCRYPT_MODE_CBC, PASSWORD_IV)); - } - - if ($result == NOERROR && $this->session !== false){ diff --git a/zarafa-7.1.12-gsoap-sslv3.patch b/zarafa-7.1.12-gsoap-sslv3.patch new file mode 100644 index 0000000..b1e58f2 --- /dev/null +++ b/zarafa-7.1.12-gsoap-sslv3.patch 
@@ -0,0 +1,38 @@
+Patch by Robert Scheck for zarafa >= 7.1.12 which disables weak SSLv2
+and SSLv3 protocols for encrypted SOAP connections between the Zarafa services. Until (including)
+the Zarafa 7.1.11 release the upstream default was to replace the SSLv23_method() that a pristine
+gSOAP library ships with the "safer" SSLv3_method(). With Zarafa 7.1.12 the SSLv3_method() was
+changed to SSLv23_method(). However this enables SSLv2 again (and still does not disable SSLv3).
+Thus this patch disables SSLv2 and SSLv3 as well as TLS compression explicitly; similar like the
+Zarafa Outlook Client which meanwhile only allows TLSv1.0 (and better).
+
+Proposed to upstream via e-mail on Wed, 2 Apr 2014 11:35:40 +0200, initial patch was put into the
+upstream ticket Ticket#2014040210000266.
+
+--- zarafa-7.1.12/provider/common/SOAPSock.cpp 2015-04-07 13:10:13.000000000 +0200
++++ zarafa-7.1.12/provider/common/SOAPSock.cpp.gsoap-sslv3 2015-04-07 16:32:20.000000000 +0200
+@@ -157,9 +157,6 @@
+ 
+ lpCmd->endpoint = strdup(strServerPath.c_str());
+ 
+- // default allow SSLv3, TLSv1, TLSv1.1 and TLSv1.2
+- lpCmd->soap->ctx = SSL_CTX_new(SSLv23_method());
+- 
+ #ifdef WITH_OPENSSL
+ if (strncmp("https:", lpCmd->endpoint, 6) == 0) {
+ // no need to add certificates to call, since soap also calls SSL_CTX_set_default_verify_paths()
+@@ -183,6 +180,14 @@
+ lpCmd->soap->fsslverify = ssl_verify_callback_zarafa_silent;
+ 
+ SSL_CTX_set_verify(lpCmd->soap->ctx, SSL_VERIFY_PEER, lpCmd->soap->fsslverify);
++ 
++ // disable SSLv2 (according to RFC 6176) and SSLv3, leaving just TLSv1.0 (and better)
++ SSL_CTX_set_options(lpCmd->soap->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
++ 
++#ifdef SSL_OP_NO_COMPRESSION
++ // disable TLS compression to close the CRIME attack vector (also known as CVE-2012-4929)
++ SSL_CTX_set_options(lpCmd->soap->ctx, SSL_OP_NO_COMPRESSION);
++#endif
+ }
+ #endif
+ 
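Review bot: Both new SSL_CTX_set_options() calls sit after SSL_CTX_set_verify() inside the `strncmp("https:", ...)` branch and now depend on lpCmd->soap->ctx being created by gSOAP, since the explicit `SSL_CTX_new(SSLv23_method())` line is removed and the hunk does not show where the context comes from; the patch header asserts pristine gSOAP uses SSLv23_method(), which is plausible but not visible here. A short comment at the insertion point would save the next reader that search, e.g. `// ctx was created by gSOAP with SSLv23_method(); restrict it here, since that default still admits SSLv2/SSLv3`. The SSL_OP_NO_COMPRESSION guard is correct for OpenSSL builds predating that flag, so keeping it as a separate #ifdef'd call rather than folding it into the first call is the right trade-off. The enclosing function starts and ends outside both inner hunks.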
diff --git a/zarafa-7.1.12-licensed-archiver.patch b/zarafa-7.1.12-licensed-archiver.patch
new file mode 100644
index 0000000..0ccde8c
--- /dev/null
+++ b/zarafa-7.1.12-licensed-archiver.patch
@@ -0,0 +1,117 @@ +Patch by Robert Scheck for Zarafa >= 7.1.12 which removes a wrongly introduced dependency to the +proprietary zarafa-licensed. From Zarafa 7.1.11 to 7.1.12 there were some changes to the ValidateArchiverLicense() method; +due to these changes rebuilding fails with "ArchiverSession.cpp:53:23: fatal error: ECLicense.h: No such file or directory" +now. The patch just reverts the changes that were introduced from 7.1.11 to 7.1.12 to get the code building again. + +--- zarafa-7.1.12/ECtools/zarafa-archiver/ArchiverSession.cpp 2015-04-07 13:10:12.000000000 +0200 ++++ zarafa-7.1.12/ECtools/zarafa-archiver/ArchiverSession.cpp.licensed-archiver 2015-04-07 15:55:07.000000000 +0200 +@@ -50,8 +50,6 @@ + #include "mapiext.h" + #include "userutil.h" + #include "ECMsgStore.h" +-#include "ECLicense.h" +-#include "ECMAPILicense.h" + + typedef mapi_memory_ptr ECServerListPtr; + +@@ -879,38 +877,7 @@ + typedef mapi_object_ptr ECMsgStorePtr; + + HRESULT ArchiverSession::ValidateArchiverLicense(bool attachnewuser /* = false*/) const { +- IMsgStore *lpMsgStore = NULL; +- IMsgStore *lpProxedMsgStore = NULL; +- UnknownPtr ptrUnknown; +- ECMsgStorePtr ptrOnlineStore; +- +- HRESULT hr = HrOpenDefaultStore(GetMAPISession(), MDB_WRITE | MDB_NO_DIALOG | MDB_NO_MAIL | MDB_TEMPORARY, &lpMsgStore); +- if (hr != hrSuccess) +- goto exit; +- +- hr = GetProxyStoreObject(lpMsgStore, &lpProxedMsgStore); +- if (hr != hrSuccess) +- goto exit; +- +- hr = lpProxedMsgStore->QueryInterface(IID_ECMsgStoreOnline, &ptrUnknown); +- if (hr != hrSuccess) +- goto exit; +- +- hr = ptrUnknown->QueryInterface(IID_ECMsgStore, &ptrOnlineStore); +- if (hr != hrSuccess) { +- m_lpLogger->Log(EC_LOGLEVEL_FATAL, "Unable to validate archived user count. 
Please check the archiver and licensed log for errors."); +- hr = MAPI_E_NO_SUPPORT; +- goto exit; +- } +- +- hr = HrCheckLicense(&ptrOnlineStore->m_xMsgStore, SERVICE_TYPE_ARCHIVE, ZARAFA_ARCHIVE_DEFAULT); +- if (hr != hrSuccess) +- { +- m_lpLogger->Log(EC_LOGLEVEL_FATAL, "No archiver license found."); +- hr = MAPI_E_NO_SUPPORT; +- } +- else +- { ++ HRESULT hr; + unsigned int ulArchivedUsers = 0; + unsigned int ulMaxUsers = 0; + +@@ -931,7 +898,6 @@ + } else if (ulArchivedUsers + 5 >= ulMaxUsers) { //@todo which warning limit? + m_lpLogger->Log(EC_LOGLEVEL_FATAL, "You almost reached the archived user limit. Archived users %d of %d", ulArchivedUsers, ulMaxUsers); + } +- } + + exit: + return hr; +--- zarafa-7.1.12/ECtools/zarafa-archiver/Makefile.am 2015-04-07 12:00:49.000000000 +0200 ++++ zarafa-7.1.12/ECtools/zarafa-archiver/Makefile.am.licensed-archiver 2015-04-07 15:59:42.000000000 +0200 +@@ -9,7 +9,6 @@ + -I${top_srcdir}/provider/client \ + -I${top_srcdir}/provider/include \ + -I${top_srcdir}/provider/soap \ +- -I${top_srcdir}/liblicense \ + -I${top_builddir}/provider/soap \ + $(GSOAP_CFLAGS) \ + -I${top_srcdir}/common \ +@@ -17,9 +16,7 @@ + + libarchiver_la_LIBADD = ${top_builddir}/mapi4linux/src/libmapi.la \ + ${top_builddir}/common/libcommon_mapi.la \ +- ${top_builddir}/common/libcommon_util.la \ +- ${top_builddir}/liblicense/liblicense.la \ +- ${top_builddir}/liblicense/liblicense_mapi.la ++ ${top_builddir}/common/libcommon_util.la + + libarchiver_la_SOURCES = \ + ArchiverSession.cpp ArchiverSession.h ArchiverSessionPtr.h \ +--- zarafa-7.1.12/ECtools/zarafa-archiver/Makefile.in 2015-04-07 12:03:40.000000000 +0200 ++++ zarafa-7.1.12/ECtools/zarafa-archiver/Makefile.in.licensed-archiver 2015-04-07 16:00:15.000000000 +0200 +@@ -112,9 +112,7 @@ + libarchiver_la_DEPENDENCIES = \ + ${top_builddir}/mapi4linux/src/libmapi.la \ + ${top_builddir}/common/libcommon_mapi.la \ +- ${top_builddir}/common/libcommon_util.la \ +- ${top_builddir}/liblicense/liblicense.la \ +- 
${top_builddir}/liblicense/liblicense_mapi.la ++ ${top_builddir}/common/libcommon_util.la + am_libarchiver_la_OBJECTS = ArchiverSession.lo archiver-common.lo \ + ArchiveManageImpl.lo ArchiveStateCollector.lo \ + ArchiveStateUpdater.lo ArchiveHelper.lo StoreHelper.lo \ +@@ -395,7 +393,6 @@ + -I${top_srcdir}/provider/client \ + -I${top_srcdir}/provider/include \ + -I${top_srcdir}/provider/soap \ +- -I${top_srcdir}/liblicense \ + -I${top_builddir}/provider/soap \ + $(GSOAP_CFLAGS) \ + -I${top_srcdir}/common \ +@@ -403,9 +400,7 @@ + + libarchiver_la_LIBADD = ${top_builddir}/mapi4linux/src/libmapi.la \ + ${top_builddir}/common/libcommon_mapi.la \ +- ${top_builddir}/common/libcommon_util.la \ +- ${top_builddir}/liblicense/liblicense.la \ +- ${top_builddir}/liblicense/liblicense_mapi.la ++ ${top_builddir}/common/libcommon_util.la + + libarchiver_la_SOURCES = \ + ArchiverSession.cpp ArchiverSession.h ArchiverSessionPtr.h \ diff --git a/zarafa-7.1.12-ssl_ecdhe.patch b/zarafa-7.1.12-ssl_ecdhe.patch new file mode 100644 index 0000000..837fba2 --- /dev/null +++ b/zarafa-7.1.12-ssl_ecdhe.patch 
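Review bot: `HRESULT hr;` at the top of the rewritten ValidateArchiverLicense() is left uninitialized, whereas the removed code assigned it from HrOpenDefaultStore() on its first line; the statements between the two ArchiverSession.cpp hunks are not visible here and presumably assign it, but if any path reaches `exit:` without doing so the function returns an indeterminate value to a caller deciding whether archiving may proceed. Initializing it as `HRESULT hr = hrSuccess;` follows the convention the rest of the tree uses (ECChannel.cpp's `HRESULT hr = hrSuccess;`) and removes the question. With the HrCheckLicense() and QueryInterface() calls gone, the `ECMsgStorePtr` typedef kept as context may now be unused in this file and is worth checking for a compiler warning. The function body continues between the hunks; the Makefile.am/Makefile.in hunks only drop the liblicense include path and link lines.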
@@ -0,0 +1,85 @@ +Patch by Robert Scheck for Zarafa >= 7.1.12 which implements ECDHE (elliptic +curve diffie-hellman key exchange) support. http://en.wikipedia.org/wiki/Elliptic_curve_cryptography is +providing more information about elliptic curves. + +Suggestions for testing; run the following openssl(1) commands before and after applying this patch: + +1. echo QUIT | openssl s_client -connect :110 -starttls pop3 2>&1 | grep Cipher +2. echo QUIT | openssl s_client -connect :143 -starttls imap 2>&1 | grep Cipher +3. echo QUIT | openssl s_client -connect :237 2>&1 | grep Cipher +4. echo QUIT | openssl s_client -connect :993 2>&1 | grep Cipher +5. echo QUIT | openssl s_client -connect :995 2>&1 | grep Cipher +6. echo QUIT | openssl s_client -connect :8443 2>&1 | grep Cipher + +After applying this patch the output should contain e.g. "ECDHE-RSA-AES256-GCM-SHA384" on a Red Hat +Enterprise Linux 6.5 (only RHEL >= 6.5 has support for elliptic curve). Without this patch the result +is e.g. "AES256-GCM-SHA384". + +Important: The technical implementation of this patch might be not perfect as I am not really a C/C++ +developer. The logic and the implementation is heavily based on Sendmail. There should be a code review +by an experienced C/C++ and OpenSSL developer before merging into Zarafa core. + +This patch should be only applied after ZCP-12143 and its dependencies. However this patch might maybe +not directly apply due to some previous merge issues as mentioned in Ticket#2014030810000131. + +Proposed to upstream via e-mail on Mon, 14 Apr 2014 12:04:17 +0200, initial patch was put into upstream +ticket https://jira.zarafa.com/browse/ZCP-12237. 
+ 
+--- zarafa-7.1.12/common/ECChannel.cpp 2015-04-07 13:10:12.000000000 +0200
++++ zarafa-7.1.12/common/ECChannel.cpp.ssl_ecdhe 2015-04-07 17:12:15.000000000 +0200
+@@ -93,6 +93,9 @@
+ char *ssl_ciphers = lpConfig->GetSetting("ssl_ciphers");
+ char *ssl_name = NULL;
+ int ssl_op = 0, ssl_include = 0, ssl_exclude = 0;
++#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1)
++ EC_KEY *ecdh;
++#endif
+ 
+ if (lpConfig == NULL) {
+ lpLogger->Log(EC_LOGLEVEL_ERROR, "ECChannel::HrSetCtx(): invalid parameters");
+@@ -113,6 +116,16 @@
+ 
+ SSL_CTX_set_options(lpCTX, SSL_OP_ALL); // enable quirk and bug workarounds
+ 
++#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1)
++ ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
++ 
++ if (ecdh != NULL) {
++ SSL_CTX_set_options(lpCTX, SSL_OP_SINGLE_ECDH_USE);
++ SSL_CTX_set_tmp_ecdh(lpCTX, ecdh);
++ EC_KEY_free(ecdh);
++ }
++#endif
++ 
+ ssl_name = strtok(ssl_protocols, " ");
+ while(ssl_name != NULL) {
+ int ssl_proto = 0;
+--- zarafa-7.1.12/provider/server/ECSoapServerConnection.cpp 2015-04-07 13:10:13.000000000 +0200
++++ zarafa-7.1.12/provider/server/ECSoapServerConnection.cpp.ssl_ecdhe 2015-04-07 17:13:23.000000000 +0200
+@@ -235,6 +235,9 @@
+ char *server_ssl_ciphers = m_lpConfig->GetSetting("server_ssl_ciphers");
+ char *ssl_name = NULL;
+ int ssl_op = 0, ssl_include = 0, ssl_exclude = 0;
++#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1)
++ EC_KEY *ecdh;
++#endif
+ 
+ if(lpServerName == NULL) {
+ free(server_ssl_ciphers);
+@@ -268,6 +271,16 @@
+ 
+ SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_ALL);
+ 
++#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1)
++ ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
++ 
++ if (ecdh != NULL) {
++ SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_SINGLE_ECDH_USE);
++ SSL_CTX_set_tmp_ecdh(lpsSoap->ctx, ecdh);
++ EC_KEY_free(ecdh);
++ }
++#endif
++ 
+ ssl_name = strtok(server_ssl_protocols, " ");
+ while(ssl_name != NULL) {
+ int ssl_proto = 0;
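Review bot: The return value of `SSL_CTX_set_tmp_ecdh()` is ignored in both the ECChannel.cpp and the ECSoapServerConnection.cpp hunk, and a NULL from `EC_KEY_new_by_curve_name()` is skipped without a log line, so a build or runtime where ECDHE cannot be enabled silently offers only non-ECDHE suites, or fails every handshake if the administrator has restricted ssl_ciphers to ECDHE suites, with nothing in the log to explain it. Reporting the failure in the style the file already uses, e.g. `if (SSL_CTX_set_tmp_ecdh(lpCTX, ecdh) != 1) lpLogger->Log(EC_LOGLEVEL_ERROR, "Can not set ECDHE curve: %s", ERR_error_string(ERR_get_error(), 0));` (m_lpLogger and EC_LOGLEVEL_FATAL in the server-side hunk, matching its neighbours), makes the degraded state visible without making it fatal. The curve is hard-coded to prime256v1, which is a sensible default for the OpenSSL versions the header mentions; on newer OpenSSL, `SSL_CTX_set_ecdh_auto()` could be used where available to let the library negotiate the curve. The enclosing HrSetCtx() and its server-side counterpart both start and end outside these hunks.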
diff --git a/zarafa-7.1.12-ssl_protocols_ciphers.patch b/zarafa-7.1.12-ssl_protocols_ciphers.patch
new file mode 100644
index 0000000..c9de1c6
--- /dev/null
+++ b/zarafa-7.1.12-ssl_protocols_ciphers.patch
@@ -0,0 +1,123 @@ +Patch by Robert Scheck for Zarafa >= 7.1.12 which re-adds the whole +documentation that was initially proposed to upstream but lost when this feature was backported +from Zarafa 7.2 to the 7.1 series. + +Proposed to upstream via e-mail on Sat, 8 Mar 2014 14:30:29 +0100, initial patch was put into +the upstream ticket https://jira.zarafa.com/browse/ZCP-12143. + +--- zarafa-7.1.12/doc/manual.xml 2015-04-07 12:03:31.000000000 +0200 ++++ zarafa-7.1.12/doc/manual.xml.ssl_protocols_ciphers 2015-04-07 17:05:47.000000000 +0200 +@@ -4226,14 +4226,35 @@ + + + +- ++ + +- Incoming SSL connections normally are v3. +- Default: no +- ++ Disabled or enabled protocol names. Supported protocol names ++ are SSLv2, SSLv3 ++ and TLSv1. If Zarafa was linked against ++ OpenSSL 1.0.1 or later there is additional support for the new protocols ++ TLSv1.1 and TLSv1.2. ++ To exclude both, SSLv2 and SSLv3 set ++ to !SSLv2 !SSLv3. SSLv2 is considered unsafe ++ and these connections should not be accepted. ++ Default: !SSLv2 ++ ++ ++ ++ ++ ++ ++ SSL ciphers to use, set to ALL for backward compatibility. ++ Default: ALL:!LOW:!SSLv2:!EXP:!aNULL + + + ++ ++ ++ ++ Prefer the server's order of SSL ciphers over client's. ++ Default: no ++ ++ + + + +@@ -8090,11 +8111,32 @@ + + + +- ++ ++ ++ Disabled or enabled protocol names. Supported protocol names ++ are SSLv2, SSLv3 ++ and TLSv1. If Zarafa was linked against ++ OpenSSL 1.0.1 or later there is additional support for the new protocols ++ TLSv1.1 and TLSv1.2. ++ To exclude both, SSLv2 and SSLv3 set ++ to !SSLv2 !SSLv3. SSLv2 is considered unsafe ++ and these connections should not be accepted. ++ Default: !SSLv2 ++ ++ ++ ++ ++ + +- Accept SSLv2 only connections. SSLv2 is considered +- unsafe, and these connections should not be +- accepted. ++ SSL ciphers to use, set to ALL for backward compatibility. ++ Default: ALL:!LOW:!SSLv2:!EXP:!aNULL ++ ++ ++ ++ ++ ++ ++ Prefer the server's order of SSL ciphers over client's. 
+ Default: no + + +@@ -10091,11 +10133,32 @@ + + + +- ++ ++ ++ Disabled or enabled protocol names. Supported protocol names ++ are SSLv2, SSLv3 ++ and TLSv1. If Zarafa was linked against ++ OpenSSL 1.0.1 or later there is additional support for the new protocols ++ TLSv1.1 and TLSv1.2. ++ To exclude both, SSLv2 and SSLv3 set ++ to !SSLv2 !SSLv3. SSLv2 is considered unsafe ++ and these connections should not be accepted. ++ Default: !SSLv2 ++ ++ ++ ++ ++ ++ ++ SSL ciphers to use, set to ALL for backward compatibility. ++ Default: ALL:!LOW:!SSLv2:!EXP:!aNULL ++ ++ ++ ++ ++ + +- Accept SSLv2 only connections. SSLv2 is considered +- unsafe, and these connections should not be +- accepted. ++ Prefer the server's order of SSL ciphers over client's. + Default: no + + diff --git a/zarafa-7.1.12-webaccess-mcrypt.patch b/zarafa-7.1.12-webaccess-mcrypt.patch new file mode 100644 index 0000000..e7b3fcd --- /dev/null +++ b/zarafa-7.1.12-webaccess-mcrypt.patch 
@@ -0,0 +1,58 @@ +Patch by Robert Scheck for Zarafa >= 7.1.12 which fixes the fix that fixes CVE-2014-0103. Ush, +that was complicated, so: CVE-2014-0103 exists because Zarafa WebAccess < 7.1.10 and Zarafa WebApp < 1.6 storing passwords +in cleartext on server (in the PHP session). Zarafa solved this flaw by using openssl_encrypt() and openssl_decrypt() from +PHP's OpenSSL bindings. However these functions are only available in PHP 5.3 or later. Without this patch suggestion, any +older but still supported Linux distribution like Red Hat Enterprise Linux 5 or SuSE Linux Enterprise Server 10 (which are +both shipping PHP < 5.3 by default) would still be left vulnerable. + +Given that I am personally more a fan of OpenSSL rather mcrypt, I am not absolutely sure if this implementation is really +correct even it works fine on my test system. So please explicitly review this code to avoid introducing another security +flaw by trying to fix one! A thing that I generally question for myself is the usage of "des-ede3-cbc"/"MCRYPT_TRIPLEDES" +instead of e.g. MCRYPT_RIJNDAEL_128. Given that this decision was initially made by Zarafa I am just following that here. + +Important: To get this patch really powerful the install-time requirement needs to be adapted like this (this example is +based on Fedora's build system so the macros %{?rhel} and %{?fedora} might not exist at Zarafa but need to be replaced by +other macros): + +%if 0%{?rhel}%{?fedora} < 6 +Requires: php-mcrypt +%else +Requires: php-openssl +%endif + +This requires php-openssl (provided by php-common) on RHEL 6 (and later) and php-mcrypt (separate package) before RHEL 6. + +Proposed to upstream via e-mail on Thu, 5 Jun 2014 00:24:32 +0200, initial patch was put into the (non-disclosed) upstream +ticket https://jira.zarafa.com/browse/ZCP-12407. 
+ +--- zarafa-7.1.12/php-webclient-ajax/index.php 2015-04-07 13:10:13.000000000 +0200 ++++ zarafa-7.1.12/php-webclient-ajax/index.php.webaccess-mcrypt 2015-04-07 16:22:23.000000000 +0200 +@@ -135,6 +135,8 @@ + } else { + $_SESSION['password'] = openssl_encrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV); + } ++ } elseif(function_exists("mcrypt_encrypt")) { ++ $_SESSION['password'] = base64_encode(mcrypt_encrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, $password, MCRYPT_MODE_CBC, PASSWORD_IV)); + } else { + $_SESSION["password"] = $password; + } +--- zarafa-7.1.12/php-webclient-ajax/server/core/class.mapisession.php 2015-04-07 13:10:14.000000000 +0200 ++++ zarafa-7.1.12/php-webclient-ajax/server/core/class.mapisession.php.webaccess-mcrypt 2015-04-07 16:23:58.000000000 +0200 +@@ -132,6 +132,8 @@ + } else { + $password = openssl_decrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV); + } ++ } elseif(function_exists("mcrypt_decrypt")) { ++ $password = rtrim(mcrypt_decrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, base64_decode($password), MCRYPT_MODE_CBC, PASSWORD_IV), "\0"); + } + // logon + $this->session = mapi_logon_zarafa($username, $password, $server, $sslcert_file, $sslcert_pass); +@@ -144,6 +146,8 @@ + } else { + $password = openssl_encrypt($password,"des-ede3-cbc",PASSWORD_KEY,0,PASSWORD_IV); + } ++ } elseif(function_exists("mcrypt_encrypt")) { ++ $password = base64_encode(mcrypt_encrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, $password, MCRYPT_MODE_CBC, PASSWORD_IV)); + } + + if ($result == NOERROR && $this->session !== false){ diff --git a/zarafa-7.1.9-ssl_ecdhe.patch b/zarafa-7.1.9-ssl_ecdhe.patch deleted file mode 100644 index 6596637..0000000 --- a/zarafa-7.1.9-ssl_ecdhe.patch +++ /dev/null 
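Review bot: The new mcrypt branches in index.php and class.mapisession.php turn an encryption failure into an empty stored password, because mcrypt_encrypt() returns false on failure (for example an IV or key length that does not fit MCRYPT_TRIPLEDES, which depends on the PHP/mcrypt version) and base64_encode(false) yields "", so a misconfigured PASSWORD_KEY or PASSWORD_IV, both defined outside this hunk, surfaces only as a failed logon with no diagnostic. The mcrypt branch also zero-pads the plaintext to the block size where openssl_encrypt() applies PKCS#7 padding, which is why the decrypt side needs `rtrim(..., "\0")`; that strip is harmless for ordinary passwords, but the two branches produce non-interchangeable session values and the scheme relies on the same branch being taken for both encrypt and decrypt on a given host. The fixed PASSWORD_IV and 3DES choice are inherited from the existing openssl branch, as the patch header says, so they are not a defect of this hunk, but the padding difference deserves a comment on the new elseif in class.mapisession.php, `// mcrypt zero-pads, unlike openssl_encrypt()'s PKCS#7; rtrim("\0") on decrypt removes that padding, so the two branches are not interchangeable`, and the encrypt calls should check for false before storing, e.g. `$enc = mcrypt_encrypt(MCRYPT_TRIPLEDES, PASSWORD_KEY, $password, MCRYPT_MODE_CBC, PASSWORD_IV); if ($enc === false) { trigger_error("password encryption failed", E_USER_ERROR); }`. The enclosing functions start and end outside the hunk.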
@@ -1,85 +0,0 @@ -Patch by Robert Scheck for Zarafa <= 7.1.9 which implements ECDHE (elliptic -curve diffie-hellman key exchange) support. http://en.wikipedia.org/wiki/Elliptic_curve_cryptography is -providing more information about elliptic curves. - -Suggestions for testing; run the following openssl(1) commands before and after applying this patch: - -1. echo QUIT | openssl s_client -connect :110 -starttls pop3 2>&1 | grep Cipher -2. echo QUIT | openssl s_client -connect :143 -starttls imap 2>&1 | grep Cipher -3. echo QUIT | openssl s_client -connect :237 2>&1 | grep Cipher -4. echo QUIT | openssl s_client -connect :993 2>&1 | grep Cipher -5. echo QUIT | openssl s_client -connect :995 2>&1 | grep Cipher -6. echo QUIT | openssl s_client -connect :8443 2>&1 | grep Cipher - -After applying this patch the output should contain e.g. "ECDHE-RSA-AES256-GCM-SHA384" on a Red Hat -Enterprise Linux 6.5 (only RHEL >= 6.5 has support for elliptic curve). Without this patch the result -is e.g. "AES256-GCM-SHA384". - -Important: The technical implementation of this patch might be not perfect as I am not really a C/C++ -developer. The logic and the implementation is heavily based on Sendmail. There should be a code review -by an experienced C/C++ and OpenSSL developer before merging into Zarafa core. - -This patch should be only applied after ZCP-12143 and its dependencies. However this patch might maybe -not directly apply due to some previous merge issues as mentioned in Ticket#2014030810000131. - -Proposed to upstream via e-mail on Mon, 14 Apr 2014 12:04:17 +0200, patch was put into the upstream -ticket https://jira.zarafa.com/browse/ZCP-12237. 
- ---- zarafa-7.1.9/common/ECChannel.cpp 2014-04-13 23:46:59.000000000 +0200 -+++ zarafa-7.1.9/common/ECChannel.cpp.ssl_ecdhe 2014-04-13 23:59:43.000000000 +0200 -@@ -97,6 +97,9 @@ - char *ssl_name; - int ssl_proto, ssl_op = 0, ssl_include = 0, ssl_exclude = 0; - bool ssl_neg; -+#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1) -+ EC_KEY *ecdh; -+#endif - - if (lpConfig == NULL) { - hr = MAPI_E_CALL_FAILED; -@@ -113,6 +116,16 @@ - lpCTX = SSL_CTX_new(SSLv23_server_method()); - SSL_CTX_set_options(lpCTX, SSL_OP_ALL); - -+#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1) -+ ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); -+ -+ if (ecdh != NULL) { -+ SSL_CTX_set_options(lpCTX, SSL_OP_SINGLE_ECDH_USE); -+ SSL_CTX_set_tmp_ecdh(lpCTX, ecdh); -+ EC_KEY_free(ecdh); -+ } -+#endif -+ - ssl_name = strtok(ssl_protocols, " "); - while(ssl_name != NULL) { - if (*ssl_name != '!') ---- zarafa-7.1.9/provider/server/ECSoapServerConnection.cpp 2014-04-13 23:46:59.000000000 +0200 -+++ zarafa-7.1.9/provider/server/ECSoapServerConnection.cpp.ssl_ecdhe 2014-04-14 00:00:54.000000000 +0200 -@@ -245,6 +245,9 @@ - char *ssl_name; - int ssl_proto, ssl_op = 0, ssl_include = 0, ssl_exclude = 0; - bool ssl_neg; -+#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1) -+ EC_KEY *ecdh; -+#endif - - if(lpServerName == NULL) { - er = ZARAFA_E_INVALID_PARAMETER; -@@ -277,6 +280,16 @@ - - SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_ALL); - -+#if !defined(OPENSSL_NO_ECDH) && defined(NID_X9_62_prime256v1) -+ ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); -+ -+ if (ecdh != NULL) { -+ SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_SINGLE_ECDH_USE); -+ SSL_CTX_set_tmp_ecdh(lpsSoap->ctx, ecdh); -+ EC_KEY_free(ecdh); -+ } -+#endif -+ - ssl_name = strtok(server_ssl_protocols, " "); - while(ssl_name != NULL) { - if (*ssl_name != '!') diff --git a/zarafa.spec b/zarafa.spec index 4fc0f9a..2debd81 100644 --- a/zarafa.spec +++ b/zarafa.spec 
@@ -1,6 +1,6 @@ %global beta_or_rc 0 -%global actual_release 3 -%global svnrevision 46050 +%global actual_release 1 +%global svnrevision 48726 %global with_search 1 %global with_ldap 1 %global with_xmlto 1 @@ -31,7 +31,7 @@ Summary: Open Source Edition of the Zarafa Collaboration Platform Name: zarafa -Version: 7.1.11 +Version: 7.1.12 %if %{beta_or_rc} Release: 0.%{actual_release}.svn%{svnrevision}%{?dist} %else @@ -57,16 +57,17 @@ Source3: %{name}-webaccess.conf Patch0: zarafa-7.1.11-rpath.patch Patch1: zarafa-7.1.11-php-unbundle.patch Patch2: zarafa-7.1.10-kyotocabinet.patch -Patch3: zarafa-7.1.10-ssl_protocols_ciphers.patch -Patch4: zarafa-7.1.9-ssl_ecdhe.patch +Patch3: zarafa-7.1.12-ssl_protocols_ciphers.patch +Patch4: zarafa-7.1.12-ssl_ecdhe.patch Patch5: zarafa-7.1.11-plaintext_auth_localhost.patch Patch6: zarafa-7.1.10-imap-badcharset.patch Patch7: zarafa-7.1.10-imap-fetch-body.patch Patch8: zarafa-7.1.11-vacation-headers.patch Patch9: zarafa-7.1.11-vacation-headers2.patch Patch10: zarafa-7.1.11-webaccess-fail2ban.patch -Patch11: zarafa-7.1.11-webaccess-mcrypt.patch -Patch12: zarafa-7.1.11-gsoap-sslv3.patch +Patch11: zarafa-7.1.12-webaccess-mcrypt.patch +Patch12: zarafa-7.1.12-gsoap-sslv3.patch +Patch13: zarafa-7.1.12-licensed-archiver.patch BuildRequires: bison BuildRequires: gcc-c++ @@ -406,6 +407,7 @@ touch -c -r aclocal.m4.rpath aclocal.m4 %patch11 -p1 -b .webaccess-mcrypt rm -f php-webclient-ajax/{.,*,*/*}/*.webaccess-* %patch12 -p1 -b .gsoap-sslv3 +%patch13 -p1 -b .licensed-archiver %build %if 0%{?rhel}%{?fedora} < 6 
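Review bot: `%patch13 -p1 -b .licensed-archiver` leaves a `.licensed-archiver` backup next to every file the patch touches, and unlike the webaccess patch on the lines above, whose backups are removed with `rm -f php-webclient-ajax/{.,*,*/*}/*.webaccess-*`, nothing cleans those up. If zarafa-7.1.12-licensed-archiver.patch modifies files in a tree that is later copied into the buildroot verbatim, the backups would ship in the package; I cannot see what that patch touches from this diff, so either drop `-b .licensed-archiver` or add a matching `rm -f` once its target files are known.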
@@ -553,7 +555,7 @@ mkdir -p $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/plugins/ # Remove unwanted language connectors and webaccess files rm -f $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/client/widgets/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.{cfm,pl} -rm -f $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/{.htaccess,%{name}-webaccess.conf,senddocument.php} +rm -f $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/{.htaccess,%{name}-webaccess.conf} # Remove flash-based multi-attachment upload (missing source) %if %{no_multiupload} @@ -782,8 +784,6 @@ fi %{_libdir}/libicalmapi.so %{_libdir}/libinetmapi.so %{_libdir}/libmapi.so -%{_libdir}/libmapicalendar.so -%{_libdir}/libmapitimezone.so %{_libdir}/libcommon_mapi.a %{_libdir}/libcommon_service.a %{_libdir}/libcommon_ssl.a @@ -792,10 +792,8 @@ fi %{_libdir}/libzarafasync.so %{_includedir}/icalmapi/ %{_includedir}/inetmapi/ -%{_includedir}/mapitimezone/ %{_includedir}/mapi4linux/ %{_includedir}/libfreebusy/ -%{_includedir}/libmapicalendar/ %{_includedir}/libzarafasync/ %{_includedir}/%{name}/ %{_libdir}/pkgconfig/%{name}.pc @@ -940,12 +938,11 @@ fi %{_libdir}/libicalmapi.so.* %{_libdir}/libinetmapi.so.* %{_libdir}/libmapi.so.* -%{_libdir}/libmapicalendar.so.* -%{_libdir}/libmapitimezone.so.* %files -n php-mapi %defattr(-,root,root,-) %config(noreplace) %{_sysconfdir}/php.d/%{ini_name} +%config(noreplace) %{_sysconfdir}/%{name}/php-mapi.cfg %{_datadir}/php/mapi/ %{_libdir}/php/modules/mapi.so @@ -954,7 +951,8 @@ fi %{python_sitearch}/* %changelog -* Sun Feb 22 2015 Robert Scheck 7.1.11-3 +* Tue Apr 07 2015 Robert Scheck 7.1.12-1 +- Upgrade to 7.1.12 - Added multiple minor enhancement and bugfix patches - Added patch to fix CVE-2014-0103 for PHP < 5.3 (#1073618) - Handle "su" option in logrotate >= 3.8.0 to avoid errors