* Add variable system-certs-file to indicate the location of a container

    of CA certificates. This complements the variable system-certs-path that
    gives the location the directory that containes CA certificates.

12 files changed, 117 insertions, 15 deletions

diff --git a/alpine/alpine.c b/alpine/alpine.c
index a829c6d..25ea280 100644
--- a/alpine/alpine.c
+++ b/alpine/alpine.c
@@ -473,6 +473,7 @@ main(int argc, char **argv)
 
 #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD))
     set_system_certs_path(pine_state);
+    set_system_certs_container(pine_state);
 #endif
 
 #ifdef SMIME
diff --git a/alpine/confscroll.c b/alpine/confscroll.c
index 7518dcf..78f4a92 100644
--- a/alpine/confscroll.c
+++ b/alpine/confscroll.c
@@ -5775,6 +5775,7 @@ fix_side_effects(struct pine *ps, struct variable *var, int revert)
 #endif
 #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD))
 			var == &ps->vars[V_SSLCAPATH] ||
+			var == &ps->vars[V_SSLCAFILE] ||
 #endif
 		        var == &ps->vars[V_RSHPATH] ||
 		        var == &ps->vars[V_RSHCMD] ||
diff --git a/imap/src/c-client/mail.h b/imap/src/c-client/mail.h
index e6c0f69..1a4e1b0 100644
--- a/imap/src/c-client/mail.h
+++ b/imap/src/c-client/mail.h
@@ -192,8 +192,10 @@
 #define SET_EXTERNALAUTHID (long) 230
 #define GET_SSLCAPATH (long) 231
 #define SET_SSLCAPATH (long) 232
-#define GET_RESTRICTIONS (long) 233
-#define SET_RESTRICTIONS (long) 234
+#define GET_SSLCAFILE (long) 233
+#define SET_SSLCAFILE (long) 234
+#define GET_RESTRICTIONS (long) 235
+#define SET_RESTRICTIONS (long) 236
 
 	/* 3xx: TCP/IP */
 #define GET_OPENTIMEOUT (long) 300
diff --git a/imap/src/osdep/nt/env_nt.c b/imap/src/osdep/nt/env_nt.c
index da84b10..8fc72f0 100644
--- a/imap/src/osdep/nt/env_nt.c
+++ b/imap/src/osdep/nt/env_nt.c
@@ -44,6 +44,7 @@ static unsigned int rndm = 0;	/* initial `random' number */
 static int server_nli = 0;	/* server and not logged in */
 static int logtry = 3;		/* number of login tries */
 static char *sslCApath = NIL;	/* non-standard CA path */
+static char *sslCAfile = NIL;	/* non-standard CA container */
 				/* block notification */
 static blocknotify_t mailblocknotify = mm_blocknotify;
 				/* callback to get username */
@@ -135,6 +136,13 @@ void *env_parameters (long function,void *value)
   case GET_SSLCAPATH:
     ret = (void *) sslCApath;
     break;
+  case SET_SSLCAFILE:		/* this can be set null */
+    if (sslCAfile) fs_give ((void **) &sslCAfile);
+    sslCAfile = value ? cpystr ((char *) value) : value;
+    break;
+  case GET_SSLCAFILE:
+    ret = (void *) sslCAfile;
+    break;
   }
   return ret;
 }
@@ -786,4 +794,5 @@ void env_end(void)
   if(myNewsrc)	  fs_give((void **) &myNewsrc);
   if(sysInbox)	  fs_give((void **) &sysInbox);
   if(sslCApath)	  fs_give((void **) &sslCApath);
+  if(sslCAfile)	  fs_give((void **) &sslCAfile);
 }
diff --git a/imap/src/osdep/nt/ssl_libressl.c b/imap/src/osdep/nt/ssl_libressl.c
index 366fae0..5270a9f 100644
--- a/imap/src/osdep/nt/ssl_libressl.c
+++ b/imap/src/osdep/nt/ssl_libressl.c
@@ -387,6 +387,7 @@ static char *ssl_start_work(SSLSTREAM *stream, char *host, unsigned long flags)
 	int minv, maxv;
 	int masklow, maskhigh;
 	char *s, *t, *err, tmp[MAILTMPLEN], buf[256];
+	char *CAfile, *CApath;
 	sslcertificatequery_t scq =
 		(sslcertificatequery_t)mail_parameters(NIL, GET_SSLCERTIFICATEQUERY, NIL);
 	sslclientcert_t scc =
@@ -406,10 +407,12 @@ static char *ssl_start_work(SSLSTREAM *stream, char *host, unsigned long flags)
 		SSL_CTX_set_verify(stream->context, SSL_VERIFY_NONE, NIL);
 	else SSL_CTX_set_verify(stream->context, SSL_VERIFY_PEER, ssl_open_verify);
 			/* a non-standard path desired */
-	if ((s = (char *)mail_parameters(NIL, GET_SSLCAPATH, NIL)) != NIL)
-		SSL_CTX_load_verify_locations(stream->context, NIL, (const char *)s);
+	CAfile = (char *) mail_parameters (NIL, GET_SSLCAFILE, NIL);
+	CApath = (char *) mail_parameters (NIL, GET_SSLCAPATH, NIL);
+	if (CAfile != NIL || CApath != NIL)
+	    SSL_CTX_load_verify_locations (stream->context, CAfile, CApath);
 	else 		/* otherwise we set default paths to CAs... */
-		SSL_CTX_set_default_verify_paths(stream->context);
+	    SSL_CTX_set_default_verify_paths(stream->context);
 	/* want to send client certificate? */
 	if (scc && (s = (*scc) ()) && (sl = strlen(s))) {
 		if ((cert = PEM_read_bio_X509(bio = BIO_new_mem_buf(s, sl), NIL, NIL, NIL)) != NIL) {
diff --git a/imap/src/osdep/unix/env_unix.c b/imap/src/osdep/unix/env_unix.c
index 322ab61..fe1b91d 100644
--- a/imap/src/osdep/unix/env_unix.c
+++ b/imap/src/osdep/unix/env_unix.c
@@ -73,6 +73,7 @@ static char *blackBoxDir = NIL;	/* black box directory name */
 				/* black box default home directory */
 static char *blackBoxDefaultHome = NIL;
 static char *sslCApath = NIL;	/* non-standard CA path */
+static char *sslCAfile = NIL;	/* non-standard CA container */
 static short anonymous = NIL;	/* is anonymous */
 static short blackBox = NIL;	/* is a black box */
 static short closedBox = NIL;	/* is a closed box (uses chroot() jail) */
@@ -346,6 +347,13 @@ void *env_parameters (long function,void *value)
   case GET_SSLCAPATH:
     ret = (void *) sslCApath;
     break;
+  case SET_SSLCAFILE:		/* this can be set null */
+    if (sslCAfile) fs_give ((void **) &sslCAfile);
+    sslCAfile = value ? cpystr ((char *) value) : value;
+    break;
+  case GET_SSLCAFILE:
+    ret = (void *) sslCAfile;
+    break;
   case SET_LISTMAXLEVEL:
     list_max_level = (long) value;
   case GET_LISTMAXLEVEL:
@@ -1766,6 +1774,8 @@ void dorc (char *file,long flag)
 				 */
 	  else if (!compare_cstring (s,"set CA-certificate-path"))
 	    sslCApath = cpystr (k);
+	  else if (!compare_cstring (s,"set CA-certificate-container"))
+	    sslCAfile = cpystr (k);
 	  else if (!compare_cstring (s,"set disable-plaintext"))
 	    disablePlaintext = atoi (k);
 	  else if (!compare_cstring (s,"set allowed-login-attempts"))
@@ -1872,6 +1882,7 @@ void env_end(void)
   if(blackBoxDefaultHome)
 		   fs_give((void **)&blackBoxDefaultHome);
   if(sslCApath)	   fs_give((void **)&sslCApath);
+  if(sslCAfile)	   fs_give((void **)&sslCAfile);
   if(userFlags){
     int i;
     for(i = 0; i < NUSERFLAGS; i++)
diff --git a/imap/src/osdep/unix/ssl_unix.c b/imap/src/osdep/unix/ssl_unix.c
index 5793152..4ebe1ae 100644
--- a/imap/src/osdep/unix/ssl_unix.c
+++ b/imap/src/osdep/unix/ssl_unix.c
@@ -395,6 +395,7 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags)
   int minv, maxv;
   int masklow, maskhigh;
   char *s,*t,*err,tmp[MAILTMPLEN], buf[256];
+  char *CAfile, *CApath;
   sslcertificatequery_t scq =
     (sslcertificatequery_t) mail_parameters (NIL,GET_SSLCERTIFICATEQUERY,NIL);
   sslclientcert_t scc =
@@ -414,8 +415,10 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags)
     SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL);
   else SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify);
 				/* if a non-standard path desired */
-  if ((s = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL)) != NULL)
-    SSL_CTX_load_verify_locations (stream->context,NIL,s);
+  CAfile = (char *) mail_parameters (NIL,GET_SSLCAFILE,NIL);
+  CApath = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL);
+  if (CAfile != NIL || CApath != NIL)
+    SSL_CTX_load_verify_locations (stream->context, CAfile, CApath);
   else				/* set default paths to CAs... */
   SSL_CTX_set_default_verify_paths (stream->context);
 				/* want to send client certificate? */
diff --git a/include/config.wnt.h b/include/config.wnt.h
index e8d22ff..a906b6f 100644
--- a/include/config.wnt.h
+++ b/include/config.wnt.h
@@ -563,6 +563,7 @@
 #undef DF_ENCRYPTION_RANGE
 #else
 #define DEFAULT_SSLCAPATH "C:\\libressl\\ssl\\certs"
+#define DEFAULT_SSLCAFILE "C:\\libressl\\ssl\\certs\\cert.pem"
 #endif
 
 /* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */
diff --git a/pith/conf.c b/pith/conf.c
index 3bd564b..f6fe486 100644
--- a/pith/conf.c
+++ b/pith/conf.c
@@ -379,6 +379,8 @@ CONF_TXT_T cf_text_mimetype_path[] =	"Sets the search path for the mimetypes con
 
 #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD))
 CONF_TXT_T cf_text_system_certs_path[] = "Sets the path for the system ssl certificates issued by a trusted\n# certificate authority. Note that this could be a list of paths, if the same\n# pinerc is used in different systems. Alpine always chooses the first one that\n# it finds. Value must be an absolute path.";
+
+CONF_TXT_T cf_text_system_certs_file[] = "Sets the path for the system ssl file container of certificates issued by a\n# certificate authority. Note that this could be a list of container files,\n# if the same pinerc is used in different systems. Alpine always chooses the,\n# first one that it finds. Value must be an absolute path.";
 #endif
 
 CONF_TXT_T cf_text_newmail_fifo_path[] = "Sets the filename for the newmail fifo (named pipe). Unix only.";
@@ -667,7 +669,9 @@ static struct variable variables[] = {
 	NULL,			cf_text_mimetype_path},
 #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD))
 {"system-certs-path",			0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0,
-	NULL,			cf_text_system_certs_path},
+	"System CACerts Dir",	cf_text_system_certs_path},
+{"system-certs-file",			0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0,
+	"System CACerts File",	cf_text_system_certs_file},
 #endif
 {"url-viewers",				0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0,
 	"URL-Viewers",		cf_text_browser},
@@ -1737,6 +1741,10 @@ init_vars(struct pine *ps, void (*cmds_f) (struct pine *, char **))
     GLO_SSLCAPATH		= parse_list(DEFAULT_SSLCAPATH, 1,
 					     PL_REMSURRQUOT, NULL);
 #endif /* DEFAULT_SSLCAPATH */
+#ifdef DEFAULT_SSLCAFILE
+    GLO_SSLCAFILE		= parse_list(DEFAULT_SSLCAFILE, 1,
+					     PL_REMSURRQUOT, NULL);
+#endif /* DEFAULT_SSLCAFILE */
 #ifdef	DF_VAR_SPELLER
     GLO_SPELLER			= cpystr(DF_VAR_SPELLER);
 #endif
@@ -2382,6 +2390,7 @@ init_vars(struct pine *ps, void (*cmds_f) (struct pine *, char **))
     set_current_val(&vars[V_MIMETYPE_PATH], TRUE, TRUE);
 #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD))
     set_current_val(&vars[V_SSLCAPATH], TRUE, TRUE);
+    set_current_val(&vars[V_SSLCAFILE], TRUE, TRUE);
 #endif
 #if !defined(DOS) && !defined(OS2) && !defined(LEAVEOUTFIFO)
     set_current_val(&vars[V_FIFOPATH], TRUE, TRUE);
@@ -7082,6 +7091,22 @@ set_system_certs_path(struct pine *ps)
       }
   }
 }
+
+
+void
+set_system_certs_container(struct pine *ps)
+{ 
+  char **l;
+
+  for (l = ps->vars[V_SSLCAPATH].current_val.l; l && *l; l++){
+      if(is_absolute_path(*l)
+	  && can_access(*l, ACCESS_EXISTS) == 0
+	  && can_access(*l, READ_ACCESS) == 0){
+           mail_parameters(NULL, SET_SSLCAFILE, (void *) *l);
+           break;
+      }
+  }
+}
 #endif
 
 int
@@ -7943,6 +7968,8 @@ config_help(int var, int feature)
 #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD))
       case V_SSLCAPATH :
 	return(h_config_system_certs_path);
+      case V_SSLCAFILE :
+	return(h_config_system_certs_file);
 #endif
 #if !defined(DOS) && !defined(OS2) && !defined(LEAVEOUTFIFO)
       case V_FIFOPATH :
diff --git a/pith/conf.h b/pith/conf.h
index 3e7844e..ac6f0a8 100644
--- a/pith/conf.h
+++ b/pith/conf.h
@@ -136,6 +136,8 @@
 #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD))
 #define VAR_SSLCAPATH		     vars[V_SSLCAPATH].current_val.l
 #define GLO_SSLCAPATH		     vars[V_SSLCAPATH].global_val.l
+#define VAR_SSLCAFILE		     vars[V_SSLCAFILE].current_val.l
+#define GLO_SSLCAFILE		     vars[V_SSLCAFILE].global_val.l
 #endif
 #define VAR_INDEX_COLOR_STYLE	     vars[V_INDEX_COLOR_STYLE].current_val.p
 #define GLO_INDEX_COLOR_STYLE	     vars[V_INDEX_COLOR_STYLE].global_val.p
@@ -922,6 +924,7 @@ void	   free_pinerc_lines(PINERC_LINE **);
 void	   panic1(char *, char *);
 #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD))
 void	   set_system_certs_path(struct pine *);
+void	   set_system_certs_container(struct pine *);
 #endif
 
 /* mandatory to implement prototypes */
diff --git a/pith/conftype.h b/pith/conftype.h
index 0911272..029b81b 100644
--- a/pith/conftype.h
+++ b/pith/conftype.h
@@ -127,6 +127,7 @@ typedef	enum {    V_PERSONAL_NAME = 0
 		, V_MIMETYPE_PATH
 #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD))
 		, V_SSLCAPATH
+		, V_SSLCAFILE
 #endif
 		, V_BROWSER
 		, V_HISTORY
diff --git a/pith/pine.hlp b/pith/pine.hlp
index fa1468c..4f0eb38 100644
--- a/pith/pine.hlp
+++ b/pith/pine.hlp
@@ -140,7 +140,7 @@ with help text for the config screen and the composer that didn't have any
 reasonable place to be called from.
 Dummy change to get revision in pine.hlp
 ============= h_revision =================
-Alpine Commit 401 2020-01-30 00:08:16
+Alpine Commit 402 2020-02-03 21:15:05
 ============= h_news =================
 <HTML>
 <HEAD>
@@ -187,6 +187,10 @@ any problems you find with this release. New enhancements
      this must be C:\\libressl\\ssl\\certs. The C: drive can be replaced 
      by the name of the drive where the binary and DLL files are located.
 
+<LI> New variable system-certs-file that allows users to configure the
+     location of a container of certificate authoririty (CA) certificates
+     to be used to validate certificates of remote servers.
+
 <LI>Crash in Alpine when attempting to reply to a multipart/alternative 
     message that is malformed, and the option to include attachments in
     reply is enabled. Reported and patched by Peter Tirsek.
@@ -22232,7 +22236,7 @@ directory. For example, the directory might not be accessible, or has not been
 updated and contains old certificates that have expired.
 
 <P>
-When a user wants to override the default, this variable can be used to list
+This variable can be used to list
 the directory where such certificates can be found. Alpine will use the first
 directory in this list that exists in your system and can be accessed. This
 allows for users to be able to use the same pinerc file in different systems.
@@ -22241,9 +22245,45 @@ allows for users to be able to use the same pinerc file in different systems.
 Example of values for this option might be:
 
 <PRE>
-System Certs Path = /etc/ssl/certs
-                    /usr/local/ssl/certs
-                    C:\\libressl\\ssl\\certs
+System CACerts Dir = /etc/ssl/certs
+                     /usr/local/ssl/certs
+                     C:\\libressl\\ssl\\certs
+<PRE>
+
+<P>
+In unix systems, the default location of the certificates for openssl can
+be obtained by first executing the command
+
+<PRE>openssl version -d</PRE>
+
+and adding &quot;/certs&quot; to that value. In Windows the default location
+for the certificates is C:\\libressl\\ssl\\certs. This value was set by
+LibreSSL developers, and this option can be used to override this default.
+
+<P>
+&lt;End of help on this topic&gt;
+</BODY></HTML>
+====== h_config_system_certs_file ======
+<HTML>
+<HEAD>
+<TITLE>OPTION: <!--#echo var="VAR_system-certs-file"--></TITLE>
+</HEAD>
+<BODY>
+<H1>OPTION: <!--#echo var="VAR_system-certs-file"--></H1>
+
+This option sets the location of the container file that holds 
+certificate authority (CA) certificates.
+Alpine will use the first
+container in this list that exists in your system and can be accessed. This
+allows for users to be able to use the same pinerc file in different systems.
+
+<P>
+Example of values for this option might be:
+
+<PRE>
+System Certs Path = /etc/ssl/certs/cert.pem
+                    /usr/local/ssl/ca-root-nss.crt
+                    C:\\libressl\\ssl\\certs\\cert.pem
 <PRE>
 
 <P>
@@ -22253,8 +22293,8 @@ be obtained by first executing the command
 <PRE>openssl version -d</PRE>
 
 and adding &quot;/certs&quot; to that value. In Windows the default location
-for the certificates is C:\\libressl\\ssl\\certs. This value was set by LibreSSL
-developers, and this option can be used to override this default.
+for the certificates is C:\\libressl\\ssl\\certs\\cert.pem. This value was set 
+by LibreSSL developers, and this option can be used to override this default.
 
 <P>
 &lt;End of help on this topic&gt;