From 46394f56c5cbca626c5eff2091f2d21abe313d56 Mon Sep 17 00:00:00 2001
From: Kaarle Ritvanen
Date: Fri, 6 Mar 2020 20:12:25 +0200
Subject: [PATCH] community/alpine: fix download, cert validation also create debug subpackage
---
 ...-ssl_unix-fix-server-name-validation.patch | 63 +++++++++++++++++++
 community/alpine/APKBUILD | 16 ++---
 2 files changed, 72 insertions(+), 7 deletions(-)
 create mode 100644 community/alpine/0001-ssl_unix-fix-server-name-validation.patch
diff --git a/community/alpine/0001-ssl_unix-fix-server-name-validation.patch b/community/alpine/0001-ssl_unix-fix-server-name-validation.patch
new file mode 100644
index 00000000000..fd85bad5aa2
--- /dev/null
+++ b/community/alpine/0001-ssl_unix-fix-server-name-validation.patch
@@ -0,0 +1,63 @@
+From 381647e651dd17f2a48b66a1cc358db3f3be6f98 Mon Sep 17 00:00:00 2001
+From: Kaarle Ritvanen
+Date: Fri, 6 Mar 2020 20:05:14 +0200
+Subject: [PATCH] ssl_unix: fix server name validation
+
+look for CN instead of checking only the first RDN
+---
+ imap/src/osdep/unix/ssl_unix.c | 29 ++++++++++++-----------------
+ 1 file changed, 12 insertions(+), 17 deletions(-)
+
+diff --git a/imap/src/osdep/unix/ssl_unix.c b/imap/src/osdep/unix/ssl_unix.c
+index 4ebe1ae..24a503f 100644
+--- a/imap/src/osdep/unix/ssl_unix.c
++++ b/imap/src/osdep/unix/ssl_unix.c
+@@ -507,7 +507,7 @@ static int ssl_open_verify (int ok,X509_STORE_CTX *ctx)
+
+ static char *ssl_validate_cert (X509 *cert,char *host)
+ {
+- int i,j,n, m = 0;
++ int i,n, m = 0;
+ char *s=NULL,*t,*ret = NIL;
+ void *ext;
+ GENERAL_NAME *name;
+@@ -540,25 +540,20 @@ static char *ssl_validate_cert (X509 *cert,char *host)
+ /* Method 2, use cname */
+ if(m == 0 || ret != NIL){
+ cname = X509_get_subject_name(cert);
+- for(j = 0, ret = NIL; j < X509_NAME_entry_count(cname) && ret == NIL; j++){
+- if((e = X509_NAME_get_entry(cname, j)) != NULL){
+- X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf));
+- s = (char *) buf;
+- }
+- else s = NIL;
+- if (s != NIL) {
++ s = X509_NAME_get_text_by_NID(cname, NID_commonName, buf, sizeof(buf)) > 0 ?
++ (char *) buf : NIL;
++ if (s != NIL) {
+ /* host name matches pattern? */
+- ret = ssl_compare_hostnames (host,s) ? NIL :
+- "Server name does not match certificate";
++ ret = ssl_compare_hostnames (host,s) ? NIL :
++ "Server name does not match certificate";
+ /* if mismatch, see if in extensions */
+- if (ret && (ext = X509_get_ext_d2i (cert,NID_subject_alt_name,NIL,NIL)) &&
+- (n = sk_GENERAL_NAME_num (ext)))
++ if (ret && (ext = X509_get_ext_d2i (cert,NID_subject_alt_name,NIL,NIL)) &&
++ (n = sk_GENERAL_NAME_num (ext)))
+ /* older versions of OpenSSL use "ia5" instead of dNSName */
+- for (i = 0; ret && (i < n); i++)
+- if ((name = sk_GENERAL_NAME_value (ext,i)) &&
+- (name->type = GEN_DNS) && (s = name->d.ia5->data) &&
+- ssl_compare_hostnames (host,s)) ret = NIL;
+- }
++ for (i = 0; ret && (i < n); i++)
++ if ((name = sk_GENERAL_NAME_value (ext,i)) &&
++ (name->type = GEN_DNS) && (s = name->d.ia5->data) &&
++ ssl_compare_hostnames (host,s)) ret = NIL;
+ }
+ }
+
+--
+2.25.1
+
diff --git a/community/alpine/APKBUILD b/community/alpine/APKBUILD
index c6aa031d608..9cc9febfa2c 100644
--- a/community/alpine/APKBUILD
+++ b/community/alpine/APKBUILD
@@ -1,19 +1,20 @@
 # Maintainer: Kaarle Ritvanen
 pkgname=alpine
 pkgver=2.22
-_ver=${pkgver%_p*}
-_pver=${pkgver##*_p}
-pkgrel=0
+_commit=7e3b3be
+pkgrel=1
 pkgdesc="Text-based email client, friendly for novices but powerful"
 url="http://alpine.x10host.com/alpine/"
 arch="all"
 license="Apache-2.0"
 makedepends="openldap-dev heimdal-dev ncurses-dev openssl-dev automake autoconf libtool gettext-dev"
-subpackages="$pkgname-doc"
-source="http://alpine.x10host.com/alpine/release/src/alpine-$pkgver.tar.xz
+subpackages="$pkgname-dbg $pkgname-doc"
+source="$pkgname-$pkgver.tar.gz::https://repo.or.cz/alpine.git/snapshot/v$pkgver.tar.gz
 uclibc-musl.patch
+ 0001-ssl_unix-fix-server-name-validation.patch
 "
+builddir="$srcdir/$pkgname-v$pkgver-$_commit"
 prepare() {
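Review bot: In the subjectAltName loop at the end of the second ssl_unix.c hunk, `(name->type = GEN_DNS)` assigns instead of comparing, so every SAN entry is treated as a dNSName and `name->d.ia5->data` is read whatever the entry's real type is; the line should read `(name->type == GEN_DNS) && (s = name->d.ia5->data) &&`. The patch carries this line over with only its indentation changed. The SAN loop also stays nested under `if (s != NIL)` and runs only after a CN mismatch, so a certificate without a commonName never has its SAN entries consulted; what `ret` holds in that case depends on code outside the hunk. `X509_NAME_get_text_by_NID` returns the copied length, and comparing that with `strlen(buf)` would reject a CN with an embedded NUL before it reaches `ssl_compare_hostnames`. ssl_validate_cert begins and ends outside both hunks.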
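Review bot: `_commit=7e3b3be` is added without a comment, and in this hunk it is used only in `builddir`, while the snapshot itself is requested by tag (`v$pkgver`). Presumably the hosting service puts the abbreviated commit id into the tarball's top-level directory name, so the value has to be updated by hand on every version bump; a comment above it such as `# abbreviated id of the commit tagged v$pkgver; part of the snapshot's top-level directory name` would record that. If the snapshot is generated on request, the sha512 entry is the only thing pinning its contents, so a second comment saying that a checksum mismatch should be investigated rather than simply regenerated would help the next maintainer.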
@@ -38,5 +39,6 @@ package() {
 make DESTDIR="$pkgdir" install
 }
-sha512sums="7737dce02ac94170948df7fccb61380c6cb101190e37f5b3ba281d573f54df1db24569d177b460f49bfff381a922be2e4b0f3a0f1a213d88a64d361aedc3c4f1 alpine-2.22.tar.xz
-1b14352571dd12749bbb6ebc1fd468dbb5a8e4d7a27e87f5baeb00a60d5c1a016d925c6bc776da7e1dbf0ad8d799a65049b64774113274d7ffb07c7b1b196775 uclibc-musl.patch"
+sha512sums="5d10c68374337dbaed9a8dcca91a17a20dfe240a13b28107574a8e37db70eaf3c959654c7f8ffc2d4292f643f4ea64344718bc8eda9fc5cda9955337f58aa7c3 alpine-2.22.tar.gz
+1b14352571dd12749bbb6ebc1fd468dbb5a8e4d7a27e87f5baeb00a60d5c1a016d925c6bc776da7e1dbf0ad8d799a65049b64774113274d7ffb07c7b1b196775 uclibc-musl.patch
+5e10289f292139bf576e40bda0f3539d62024309650473a2fdbb281e5d7691cc4c1d3d21f78615e2c900766eddba076f512d92f60d4fbb61e1683f35cba185aa 0001-ssl_unix-fix-server-name-validation.patch"