From 66ae4aab60444bfdc5f093849ddc2868125b03bc5802e809db001b817375c167 Mon Sep 17 00:00:00 2001
From: Dirk Mueller
Date: Sat, 15 May 2021 19:51:48 +0000
Subject: [PATCH] Accepting request 893083 from home:favogt:branches:server:mail
- Add patch to fix insecure default openssl.cnf (boo#1184552):
* openssl-cnf-default_bits-2048.patch
- Use %autosetup
OBS-URL: https://build.opensuse.org/request/show/893083
OBS-URL: https://build.opensuse.org/package/show/server:mail/dovecot23?expand=0&rev=94
---
 dovecot23.changes | 7 +++++++
 dovecot23.spec | 8 ++++----
 openssl-cnf-default_bits-2048.patch | 21 +++++++++++++++++++++
 3 files changed, 32 insertions(+), 4 deletions(-)
 create mode 100644 openssl-cnf-default_bits-2048.patch
diff --git a/dovecot23.changes b/dovecot23.changes
index fbcfffd..78bacc2 100644
--- a/dovecot23.changes
+++ b/dovecot23.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri May 14 10:07:07 UTC 2021 - Fabian Vogt
+
+- Add patch to fix insecure default openssl.cnf (boo#1184552):
+ * openssl-cnf-default_bits-2048.patch
+- Use %autosetup
+
 -------------------------------------------------------------------
 Thu Mar 4 10:28:11 UTC 2021 - Michael Ströder
diff --git a/dovecot23.spec b/dovecot23.spec
index a939cd4..51c9ba1 100644
--- a/dovecot23.spec
+++ b/dovecot23.spec
@@ -150,6 +150,8 @@ Patch: dovecot-2.3.0-dont_use_etc_ssl_certs.patch
 Patch1: dovecot-2.3.0-better_ssl_defaults.patch
 # https://github.com/dovecot/core/pull/126
 Patch2: allow-tls1.3-only.patch
+# https://github.com/dovecot/core/pull/161
+Patch3: openssl-cnf-default_bits-2048.patch
 Summary: IMAP and POP3 Server Written Primarily with Security in Mind
 License: BSD-3-Clause AND LGPL-2.1-or-later AND MIT
 Group: Productivity/Networking/Email/Servers
@@ -326,10 +328,8 @@ This package holds the file needed to compile plugins outside of the dovecot tree.
 %prep
-%setup -q -n %{pkg_name}-%{dovecot_version} -a 1
-%patch -p1
-%patch1 -p1
-%patch2 -p1
+%autosetup -p1 -n %{pkg_name}-%{dovecot_version} -a 1
+
 gzip -9v ChangeLog
 # Fix plugins dir.
 sed -i 's|#mail_plugin_dir = /usr/lib/dovecot|mail_plugin_dir = %{_libdir}/dovecot/modules|' doc/example-config/conf.d/10-mail.conf
diff --git a/openssl-cnf-default_bits-2048.patch b/openssl-cnf-default_bits-2048.patch
new file mode 100644
index 0000000..a64bf91
--- /dev/null
+++ b/openssl-cnf-default_bits-2048.patch
@@ -0,0 +1,21 @@
+From 397ca180b8e58bf38525afcf9af249b190120607 Mon Sep 17 00:00:00 2001
+From: Arjen de Korte
+Date: Sat, 10 Apr 2021 13:52:15 +0200
+Subject: [PATCH] doc/openssl.cnf: Increase default_bits to 2048
+
+NIST guidelines mandate that all SSL certificates must be of at least 2048 key length
+---
+ doc/dovecot-openssl.cnf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/doc/dovecot-openssl.cnf b/doc/dovecot-openssl.cnf
+index b2dfebfea9..f65a80cc2f 100644
+--- a/doc/dovecot-openssl.cnf
++++ b/doc/dovecot-openssl.cnf
+@@ -1,5 +1,5 @@
+ [ req ]
+-default_bits = 1024
++default_bits = 2048
+ encrypt_key = yes
+ distinguished_name = req_dn
+ x509_extensions = cert_type
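Review bot: Raising `default_bits` to 2048 in doc/dovecot-openssl.cnf only affects keys generated from this template after the update; a host that already created its self-signed key while the default was 1024 keeps that key, and neither the patch nor the .changes entry says so. I would add a line to the changelog entry, for example `* keys already generated with the old 1024-bit default are not replaced and must be regenerated by the admin`. Whether the package regenerates certificates on upgrade is not visible in this diff, so confirm that before wording the note. The embedded hunk shows only the first five lines of the `[ req ]` section, so the remaining settings in that file (such as the signature digest) lie outside this review and should be checked separately.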