diff options
author | Eduardo Chappa <chappa@washington.edu> | 2020-07-17 01:43:23 -0600 |
---|---|---|
committer | Eduardo Chappa <chappa@washington.edu> | 2020-07-17 01:43:23 -0600 |
commit | 50f4fdaa40ab3195377f22243c3ba4287389d207 (patch) | |
tree | 343bbe912224e2a82c12b4008de6b1d37b5028fb | |
parent | 15dc39d5ae81117836fc0513e37fe3b89608c8aa (diff) | |
download | alpine-50f4fdaa40ab3195377f22243c3ba4287389d207.tar.xz |
* Experimental: Attempt to implement the Encryption Range in Windows. It works
in Windows 10, and it should work in Windows 8.1. It needs testing in
Windows 7 and Windows Vista.
-rw-r--r-- | alpine/alpine.c | 3 | ||||
-rw-r--r-- | alpine/confscroll.c | 4 | ||||
-rw-r--r-- | imap/src/osdep/nt/ssl_win.c | 116 | ||||
-rw-r--r-- | include/config.wnt.h | 2 | ||||
-rw-r--r-- | pith/conf.c | 66 | ||||
-rw-r--r-- | pith/conf.h | 2 | ||||
-rw-r--r-- | pith/conftype.h | 2 | ||||
-rw-r--r-- | pith/pine.hlp | 6 |
8 files changed, 162 insertions, 39 deletions
diff --git a/alpine/alpine.c b/alpine/alpine.c index 55bd581b..a2585af8 100644 --- a/alpine/alpine.c +++ b/alpine/alpine.c @@ -662,7 +662,6 @@ main(int argc, char **argv) } } -#ifdef DF_ENCRYPTION_RANGE if(ps_global->VAR_ENCRYPTION_RANGE && ps_global->VAR_ENCRYPTION_RANGE[0]){ char *min_s, *max_s, *s; @@ -725,7 +724,7 @@ main(int argc, char **argv) mail_parameters(NULL, SET_ENCRYPTION_RANGE_MAX, (void *) &max_v); } } -#endif /* DF_ENCRYPTION_RANGE */ + /* * setup alternative authentication driver preference for IMAP opens diff --git a/alpine/confscroll.c b/alpine/confscroll.c index c8760eb7..67b15704 100644 --- a/alpine/confscroll.c +++ b/alpine/confscroll.c @@ -343,9 +343,7 @@ exclude_config_var(struct pine *ps, struct variable *var, int allow_hard_to_conf case V_GLOB_ADDRBOOK : case V_DISABLE_DRIVERS : case V_DISABLE_AUTHS : -#ifdef DF_ENCRYPTION_RANGE case V_ENCRYPTION_RANGE : -#endif case V_REMOTE_ABOOK_METADATA : case V_REMOTE_ABOOK_HISTORY : case V_REMOTE_ABOOK_VALIDITY : @@ -5780,9 +5778,7 @@ fix_side_effects(struct pine *ps, struct variable *var, int revert) var == &ps->vars[V_NEWS_SPEC] || var == &ps->vars[V_DISABLE_DRIVERS] || var == &ps->vars[V_DISABLE_AUTHS] || -#ifdef DF_ENCRYPTION_RANGE var == &ps->vars[V_ENCRYPTION_RANGE] || -#endif #if !defined(_WINDOWS) || defined(ENABLE_WINDOWS_UNIXSSL_CERTS) var == &ps->vars[V_SSLCAPATH] || var == &ps->vars[V_SSLCAFILE] || diff --git a/imap/src/osdep/nt/ssl_win.c b/imap/src/osdep/nt/ssl_win.c index 5b8606a1..a6af01e3 100644 --- a/imap/src/osdep/nt/ssl_win.c +++ b/imap/src/osdep/nt/ssl_win.c @@ -1,5 +1,5 @@ /* ======================================================================== - * Copyright 2018 Eduardo Chappa + * Copyright 2018-2020 Eduardo Chappa * Copyright 2008-2009 Mark Crispin * ======================================================================== */ @@ -153,7 +153,84 @@ SSLSTREAM *ssl_open (char *host,char *service,unsigned long port) return stream ? ssl_start (stream,host,port) : NIL; } - +#ifdef SP_PROT_SSL3 + #ifdef MIN_ENCRYPTION + #undef MIN_ENCRYPTION + #endif /* MIN_ENCRYPTION */ + #define MIN_ENCRYPTION SP_PROT_SSL3 + #ifdef MAX_ENCRYPTION + #undef MAX_ENCRYPTION + #endif /* MAX_ENCRYPTION */ + #define MAX_ENCRYPTION SP_PROT_SSL3 +#endif /* SP_PROT_SSL3 */ +#ifdef SP_PROT_TLS1 + #ifndef MIN_ENCRYPTION + #define MIN_ENCRYPTION SP_PROT_TLS1 + #endif /* MIN_ENCRYPTION */ + #ifdef MAX_ENCRYPTION + #undef MAX_ENCRYPTION + #endif /* MAX_ENCRYPTION */ + #define MAX_ENCRYPTION SP_PROT_TLS1 +#endif /* SP_PROT_TLS1 */ +#ifdef SP_PROT_TLS1_1 + #ifndef MIN_ENCRYPTION + #define MIN_ENCRYPTION SP_PROT_TLS1_1 + #endif /* MIN_ENCRYPTION */ + #ifdef MAX_ENCRYPTION + #undef MAX_ENCRYPTION + #endif /* MAX_ENCRYPTION */ + #define MAX_ENCRYPTION SP_PROT_TLS1_1 +#endif /* SP_PROT_TLS1_1 */ +#ifdef SP_PROT_TLS1_2 + #ifndef MIN_ENCRYPTION + #define MIN_ENCRYPTION SP_PROT_TLS1_2 + #endif /* MIN_ENCRYPTION */ + #ifdef MAX_ENCRYPTION + #undef MAX_ENCRYPTION + #endif /* MAX_ENCRYPTION */ + #define MAX_ENCRYPTION SP_PROT_TLS1_2 +#endif /* SP_PROT_TLS1_2 */ + +typedef struct ssl_versions_s { + char *name; + int version; +} SSL_VERSIONS_S; + +SSL_VERSIONS_S ssl_versions[] = { + { "no_min", MIN_ENCRYPTION }, +#ifdef SP_PROT_SSL3 + { "ssl3", SP_PROT_SSL3 }, +#endif /* SP_PROT_SSL3 */ +#ifdef SP_PROT_TLS1 + { "tls1", SP_PROT_TLS1 }, +#endif /* SP_PROT_TLS1 */ +#ifdef SP_PROT_TLS1_1 + { "tls1_1", SP_PROT_TLS1_1 }, +#endif /* SP_PROT_TLS1_1 */ +#ifdef SP_PROT_TLS1_2 + { "tls1_2", SP_PROT_TLS1_2 }, +#endif /* SP_PROT_TLS1_2 */ + { "no_max", MAX_ENCRYPTION }, /* set this last in the list */ + { NULL, 0 }, +}; + +int +pith_ssl_encryption_version(char *s) +{ + int i; + + if (s == NULL || *s == '\0') + return -1; + + for (i = 0; ssl_versions[i].name != NULL; i++) + if (strcmp(ssl_versions[i].name, s) == 0) + break; + + if (strcmp(s, "no_max") == 0) i--; + + return ssl_versions[i].name != NULL ? ssl_versions[i].version : -1; +} + /* SSL authenticated open * Accepts: host name * service name @@ -201,6 +278,9 @@ static SSLSTREAM *ssl_start (TCPSTREAM *tstream,char *host,unsigned long flags) PWSTR whost = NIL; char *buf = (char *) fs_get (ssltsz); unsigned long size = 0; + int minv = *(int *) mail_parameters(NULL, GET_ENCRYPTION_RANGE_MIN, NULL); + int maxv = *(int *) mail_parameters(NULL, GET_ENCRYPTION_RANGE_MAX, NULL); + int i, client_request, range; sslcertificatequery_t scq = (sslcertificatequery_t) mail_parameters (NIL,GET_SSLCERTIFICATEQUERY,NIL); sslfailure_t sf = (sslfailure_t) mail_parameters (NIL,GET_SSLFAILURE,NIL); @@ -210,7 +290,30 @@ static SSLSTREAM *ssl_start (TCPSTREAM *tstream,char *host,unsigned long flags) /* initialize TLS credential */ memset (&tlscred,0,sizeof (SCHANNEL_CRED)); tlscred.dwVersion = SCHANNEL_CRED_VERSION; - tlscred.grbitEnabledProtocols = SP_PROT_TLS1; + client_request = (flags & NET_TRYTLS1) ? SP_PROT_TLS1 + : (flags & NET_TRYTLS1_1) ? SP_PROT_TLS1_1 + : (flags & NET_TRYTLS1_2) ? SP_PROT_TLS1_2 + : 0; + /* + * if no special request, negotiate the maximum the client is configured + * to negotiate. + */ + if(client_request == 0) + client_request = maxv; + + if(client_request < minv || client_request > maxv) + return NIL; /* out of range? bail out */ + + if (flags & NET_TRYTLS1) range = SP_PROT_TLS1; + else if (flags & NET_TRYTLS1_1) range = SP_PROT_TLS1_1; + else if (flags & NET_TRYTLS1_2) range = SP_PROT_TLS1_2; + else { + for(i = 0, range; ssl_versions[i].name != NULL; i++) + range |= (ssl_versions[i].version >= minv + && ssl_versions[i].version <= maxv) + ? ssl_versions[i].version : 0; + } + tlscred.grbitEnabledProtocols = range; /* acquire credentials */ if (sft->AcquireCredentialsHandle @@ -497,13 +600,6 @@ static char *ssl_getline_work (SSLSTREAM *stream,unsigned long *size, return ret; } -/* not implemented yet */ -int pith_ssl_encryption_version(char *s) -{ -return 0; -} - - char *ssl_getsize(SSLSTREAM* stream, unsigned long size) { char *ret = NIL; diff --git a/include/config.wnt.h b/include/config.wnt.h index 65f1533b..2734bff5 100644 --- a/include/config.wnt.h +++ b/include/config.wnt.h @@ -571,8 +571,6 @@ #define DEFAULT_SSLCAPATH "C:\\libressl\\ssl\\certs" #define DEFAULT_SSLCAFILE "C:\\libressl\\ssl\\certs\\cert.pem" #endif /* WXPBUILD */ -#else -#undef DF_ENCRYPTION_RANGE #endif /* defined(ENABLE_WINDOWS_UNIXSSL) && defined(WXPBUILD) */ /* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */ diff --git a/pith/conf.c b/pith/conf.c index cbbe7558..f856c961 100644 --- a/pith/conf.c +++ b/pith/conf.c @@ -756,10 +756,8 @@ static struct variable variables[] = { NULL, cf_text_disable_drivers}, {"disable-these-authenticators", 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, NULL, cf_text_disable_auths}, -#ifdef DF_ENCRYPTION_RANGE {"encryption-protocol-range", 0, 1, 0, 1, 1, 0, 0, 0, 0, 1, 0, NULL, cf_text_encryption_range}, -#endif {"remote-abook-metafile", 0, 1, 0, 1, 0, 0, 0, 0, 1, 1, 0, NULL, cf_text_remote_abook_metafile}, {"remote-abook-history", 0, 1, 0, 1, 1, 0, 0, 0, 0, 1, 0, @@ -1621,9 +1619,7 @@ init_vars(struct pine *ps, void (*cmds_f) (struct pine *, char **)) GLO_PRINTER = cpystr(DF_DEFAULT_PRINTER); GLO_ELM_STYLE_SAVE = cpystr(DF_ELM_STYLE_SAVE); -#ifdef DF_ENCRYPTION_RANGE GLO_ENCRYPTION_RANGE = cpystr(DF_ENCRYPTION_RANGE); -#endif GLO_SAVE_BY_SENDER = cpystr(DF_SAVE_BY_SENDER); GLO_HEADER_IN_REPLY = cpystr(DF_HEADER_IN_REPLY); GLO_INBOX_PATH = cpystr("inbox"); @@ -2353,9 +2349,7 @@ init_vars(struct pine *ps, void (*cmds_f) (struct pine *, char **)) set_current_val(&vars[V_FORCED_ABOOK_ENTRY], TRUE, TRUE); set_current_val(&vars[V_DISABLE_DRIVERS], TRUE, TRUE); set_current_val(&vars[V_DISABLE_AUTHS], TRUE, TRUE); -#ifdef DF_ENCRYPTION_RANGE set_current_val(&vars[V_ENCRYPTION_RANGE], TRUE, TRUE); -#endif set_current_val(&vars[V_VIEW_HEADERS], TRUE, TRUE); /* strip spaces and colons */ @@ -7893,10 +7887,8 @@ config_help(int var, int feature) return(h_config_disable_drivers); case V_DISABLE_AUTHS : return(h_config_disable_auths); -#ifdef DF_ENCRYPTION_RANGE case V_ENCRYPTION_RANGE : return(h_config_encryption_range); -#endif case V_REMOTE_ABOOK_METADATA : return(h_config_abook_metafile); case V_REPLY_STRING : @@ -8218,6 +8210,12 @@ printer_value_check_and_adjust(void) return(!ok); } +#ifdef _WINDOWS +#include <schannel.h> +#include <Schnlsp.h> +#else +#include <openssl/ssl.h> +#endif /* _WINDOWS */ char ** get_supported_options(void) @@ -8269,14 +8267,50 @@ get_supported_options(void) config[cnt] = cpystr(_(" TLS and SSL")); tmp[0] = tmp[1] = ' '; tmp[2] = '\0'; - strcat(tmp, "TLSv1, "); - strcat(tmp, "TLSv1.1, "); - strcat(tmp, "TLSv1.2, "); -#ifdef TLS1_3_VERSION - strcat(tmp, "TLSv1.3, "); -#endif /* TLS1_3_VERSION */ - tmp[strlen(tmp)-2] = '.'; - tmp[strlen(tmp)-1] = '\0'; +#ifdef _WINDOWS + #ifdef SP_PROT_SSL3 + strcat(tmp, "SSLv3, "); + #endif /* SP_PROT_SSL3 */ + #ifdef SP_PROT_TLS1 + strcat(tmp, "TLSv1, "); + #endif /* SP_PROT_TLS1 */ + #ifdef SP_PROT_TLS1_1 + strcat(tmp, "TLSv1.1, "); + #endif /* SP_PROT_TLS1 */ + #ifdef SP_PROT_TLS1_2 + strcat(tmp, "TLSv1.2, "); + #endif /* SP_PROT_TLS1_2 */ + #ifdef SP_PROT_TLS1_3 + strcat(tmp, "TLSv1.3, "); + #endif /* SP_PROT_TLS1_3 */ +#else + #ifdef SSL3_VERSION + #ifndef OPENSSL_NO_SSL3_METHOD + strcat(tmp, "SSLv3, "); + #endif /* OPENSSL_NO_SSL3_METHOD */ + #endif /* SSL3_VERSION */ + #ifdef TLS1_VERSION + #ifndef OPENSSL_NO_TLS1_METHOD + strcat(tmp, "TLSv1, "); + #endif /* OPENSSL_NO_TLS1_METHOD */ + #endif /* TLS1_VERSION */ + #ifdef TLS1_1_VERSION + #ifndef OPENSSL_NO_TLS1_1_METHOD + strcat(tmp, "TLSv1.1, "); + #endif /* OPENSSL_NO_TLS1_1_METHOD */ + #endif /* TLS1_1_VERSION */ + #ifdef TLS1_2_VERSION + #ifndef OPENSSL_NO_TLS1_2_METHOD + strcat(tmp, "TLSv1.2, "); + #endif /* OPENSSL_NO_TLS1_2_METHOD */ + #endif /* TLS1_2_VERSION */ + #ifdef TLS1_3_VERSION + #ifndef OPENSSL_NO_TLS1_3_METHOD + strcat(tmp, "TLSv1.3, "); + #endif /* OPENSSL_NO_TLS1_3_METHOD */ + #endif /* TLS1_3_VERSION */ +#endif /* _WINDOWS */ + tmp[strlen(tmp)-2] = '\0'; } else config[cnt] = cpystr(_(" None (no TLS or SSL)")); diff --git a/pith/conf.h b/pith/conf.h index bd72563b..100224bc 100644 --- a/pith/conf.h +++ b/pith/conf.h @@ -267,10 +267,8 @@ #define GLO_REMOTE_ABOOK_HISTORY vars[V_REMOTE_ABOOK_HISTORY].global_val.p #define VAR_REMOTE_ABOOK_VALIDITY vars[V_REMOTE_ABOOK_VALIDITY].current_val.p #define GLO_REMOTE_ABOOK_VALIDITY vars[V_REMOTE_ABOOK_VALIDITY].global_val.p -#ifdef DF_ENCRYPTION_RANGE #define GLO_ENCRYPTION_RANGE vars[V_ENCRYPTION_RANGE].global_val.p #define VAR_ENCRYPTION_RANGE vars[V_ENCRYPTION_RANGE].current_val.p -#endif /* Elm style save is obsolete in Pine 3.81 (see saved msg name rule) */ #define VAR_ELM_STYLE_SAVE vars[V_ELM_STYLE_SAVE].current_val.p #define GLO_ELM_STYLE_SAVE vars[V_ELM_STYLE_SAVE].global_val.p diff --git a/pith/conftype.h b/pith/conftype.h index 3f0f1e3c..4ea7993e 100644 --- a/pith/conftype.h +++ b/pith/conftype.h @@ -174,9 +174,7 @@ typedef enum { V_PERSONAL_NAME = 0 , V_NEW_VER_QUELL , V_DISABLE_DRIVERS , V_DISABLE_AUTHS -#ifdef DF_ENCRYPTION_RANGE , V_ENCRYPTION_RANGE -#endif , V_REMOTE_ABOOK_METADATA , V_REMOTE_ABOOK_HISTORY , V_REMOTE_ABOOK_VALIDITY diff --git a/pith/pine.hlp b/pith/pine.hlp index 2435d516..c6c1a2e4 100644 --- a/pith/pine.hlp +++ b/pith/pine.hlp @@ -140,7 +140,7 @@ with help text for the config screen and the composer that didn't have any reasonable place to be called from. Dummy change to get revision in pine.hlp ============= h_revision ================= -Alpine Commit 493 2020-07-10 00:56:09 +Alpine Commit 494 2020-07-17 01:43:03 ============= h_news ================= <HTML> <HEAD> @@ -237,6 +237,10 @@ problems you find with this release. <LI> Alpine will not write debug files unless started with the option -d, so for example "alpine -d 2" will generate a debug file at level 2, but just issuing the alpine command will not write any debug to a file. + +<LI> Experimental: Attempt to implement the Encryption Range in Windows. It works + in Windows 10, and it should work in Windows 8.1. It needs testing in + Windows 7 and Windows Vista. </UL> <P> |