summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorEduardo Chappa <chappa@washington.edu>2020-01-25 11:12:24 -0700
committerEduardo Chappa <chappa@washington.edu>2020-01-25 11:12:24 -0700
commitd75d2841dcf33329544fdc6e697f2402d55226d6 (patch)
tree3dc188171a86cade68951fd82ce3951122bf3199
parent99948a254e2c2352547b962cbd1c23738e7af6b3 (diff)
downloadalpine-d75d2841dcf33329544fdc6e697f2402d55226d6.tar.xz
* New variable system-certs-path that allows users to indicate the
location of the directory where folders are located. In PC-Alpine this must be C:\libressl\ssl\certs. The C: drive can be replaced by the name of the drive where the binary and DLL files are located.
-rw-r--r--alpine/alpine.c4
-rw-r--r--alpine/confscroll.c7
-rwxr-xr-xbuild.bat4
-rwxr-xr-xconfigure6
-rw-r--r--configure.ac2
-rw-r--r--imap/src/osdep/nt/env_nt.c9
-rw-r--r--imap/src/osdep/nt/ssl_libressl.c99
-rw-r--r--imap/src/osdep/nt/ssl_nt.c8
-rw-r--r--imap/src/osdep/unix/ssl_unix.c26
-rw-r--r--include/config.h.in3
-rw-r--r--include/config.wnt.h9
-rw-r--r--pith/conf.c41
-rw-r--r--pith/conf.h9
-rw-r--r--pith/conftype.h5
-rw-r--r--pith/pine.hlp58
15 files changed, 217 insertions, 73 deletions
diff --git a/alpine/alpine.c b/alpine/alpine.c
index 2ec1e844..a829c6d2 100644
--- a/alpine/alpine.c
+++ b/alpine/alpine.c
@@ -471,6 +471,10 @@ main(int argc, char **argv)
init_vars(pine_state, process_init_cmds);
+#if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD))
+ set_system_certs_path(pine_state);
+#endif
+
#ifdef SMIME
if(F_ON(F_DONT_DO_SMIME, ps_global))
smime_deinit();
diff --git a/alpine/confscroll.c b/alpine/confscroll.c
index 6890e6f6..7518dcf1 100644
--- a/alpine/confscroll.c
+++ b/alpine/confscroll.c
@@ -341,7 +341,9 @@ exclude_config_var(struct pine *ps, struct variable *var, int allow_hard_to_conf
case V_GLOB_ADDRBOOK :
case V_DISABLE_DRIVERS :
case V_DISABLE_AUTHS :
+#ifdef DF_ENCRYPTION_RANGE
case V_ENCRYPTION_RANGE :
+#endif
case V_REMOTE_ABOOK_METADATA :
case V_REMOTE_ABOOK_HISTORY :
case V_REMOTE_ABOOK_VALIDITY :
@@ -5768,7 +5770,12 @@ fix_side_effects(struct pine *ps, struct variable *var, int revert)
var == &ps->vars[V_NEWS_SPEC] ||
var == &ps->vars[V_DISABLE_DRIVERS] ||
var == &ps->vars[V_DISABLE_AUTHS] ||
+#ifdef DF_ENCRYPTION_RANGE
var == &ps->vars[V_ENCRYPTION_RANGE] ||
+#endif
+#if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD))
+ var == &ps->vars[V_SSLCAPATH] ||
+#endif
var == &ps->vars[V_RSHPATH] ||
var == &ps->vars[V_RSHCMD] ||
var == &ps->vars[V_SSHCMD] ||
diff --git a/build.bat b/build.bat
index 4b1f312a..6f43f0a9 100755
--- a/build.bat
+++ b/build.bat
@@ -34,12 +34,14 @@ set CRYPTO_VERSION=41
set SSL_VERSION=43
set TLS_VERSION=15
set BIT=32
+set windows32build=-DW32BITSBUILD
goto wntbuild
:wnt
set CRYPTO_VERSION=45
set SSL_VERSION=47
set TLS_VERSION=19
set BIT=64
+set windows32build=
:wntbuild
echo PC-Alpine for Windows/Winsock (Win32) build sequence
set cclntmake=makefile.nt
@@ -68,7 +70,7 @@ echo including LDAP functionality
set ldapflags=-I\"%ALPINE_LDAP%\"\inckit -DENABLE_LDAP
set ldaplibes=\"%ALPINE_LDAP%\"\binaries\release\ldap32.lib
:noldapwnt
-set extracflagsnq=/DWINVER=0x0501 /Zi -Od %ldapflags% %libresslflags% -D_USE_32BIT_TIME_T -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DSPCL_REMARKS=\"\\\"\\\"\"
+set extracflagsnq=/DWINVER=0x0501 /Zi -Od %ldapflags% %libresslflags% %windows32build% -D_USE_32BIT_TIME_T -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DSPCL_REMARKS=\"\\\"\\\"\"
set extralibes="%libresslextralibes%"
set extralibesalpine="%ldaplibes% %libressllibes%"
set extrarcflags="/D_PCP_WNT"
diff --git a/configure b/configure
index a7a8ee62..dc5492a9 100755
--- a/configure
+++ b/configure
@@ -21814,6 +21814,12 @@ else
$as_echo "$as_me: SSL Problem: certificate directory not found" >&6;}
fi
+
+cat >>confdefs.h <<_ACEOF
+#define DEFAULT_SSLCAPATH "$certdir"
+_ACEOF
+
+
if test "x$with_smime" != "xno" ; then
if test -n "$certdir" ; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: * * * S/MIME support enabled" >&5
diff --git a/configure.ac b/configure.ac
index bf5762db..ac90e420 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2080,6 +2080,8 @@ else
AC_MSG_NOTICE([SSL Problem: certificate directory not found])
fi
+ AC_DEFINE_UNQUOTED([DEFAULT_SSLCAPATH],"$certdir",[Directory where system certificates are located])
+
if test "x$with_smime" != "xno" ; then
if test -n "$certdir" ; then
AC_MSG_NOTICE([* * * S/MIME support enabled])
diff --git a/imap/src/osdep/nt/env_nt.c b/imap/src/osdep/nt/env_nt.c
index 50063ad6..da84b10c 100644
--- a/imap/src/osdep/nt/env_nt.c
+++ b/imap/src/osdep/nt/env_nt.c
@@ -43,6 +43,7 @@ static void (*alarm_rang) (); /* alarm interrupt function */
static unsigned int rndm = 0; /* initial `random' number */
static int server_nli = 0; /* server and not logged in */
static int logtry = 3; /* number of login tries */
+static char *sslCApath = NIL; /* non-standard CA path */
/* block notification */
static blocknotify_t mailblocknotify = mm_blocknotify;
/* callback to get username */
@@ -127,6 +128,13 @@ void *env_parameters (long function,void *value)
case GET_BLOCKNOTIFY:
ret = (void *) mailblocknotify;
break;
+ case SET_SSLCAPATH: /* this can be set null */
+ if (sslCApath) fs_give ((void **) &sslCApath);
+ sslCApath = value ? cpystr ((char *) value) : value;
+ break;
+ case GET_SSLCAPATH:
+ ret = (void *) sslCApath;
+ break;
}
return ret;
}
@@ -777,4 +785,5 @@ void env_end(void)
if(myHomeDir) fs_give((void **) &myHomeDir);
if(myNewsrc) fs_give((void **) &myNewsrc);
if(sysInbox) fs_give((void **) &sysInbox);
+ if(sslCApath) fs_give((void **) &sslCApath);
}
diff --git a/imap/src/osdep/nt/ssl_libressl.c b/imap/src/osdep/nt/ssl_libressl.c
index c44c1e94..366fae01 100644
--- a/imap/src/osdep/nt/ssl_libressl.c
+++ b/imap/src/osdep/nt/ssl_libressl.c
@@ -1,20 +1,14 @@
/* ========================================================================
- * Copyright 2018 Eduardo Chappa
- * Copyright 2008-2009 Mark Crispin
+ * Copyright 2018-2020 Eduardo Chappa
* ========================================================================
*/
/*
* Program: SSL authentication/encryption module for Windows 9x and NT
*
- * Author: Mark Crispin
+ * Author: Eduardo Chappa, based on ssl_unix.c
*
- * Date: 22 September 1998
- * Last Edited: 8 November 2009
- *
- * Previous versions of this file were
- *
- * Copyright 1988-2008 University of Washington
+ * Last Edited: January 25, 2020
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -73,7 +67,8 @@ typedef struct ssl_stream {
#include "sslio.h"
/* Function prototypes */
-const SSL_METHOD *ssl_connect_mthd(int flag);
+int ssl_disable_mask(int ssl_version, int direction);
+const SSL_METHOD *ssl_connect_mthd(int flag, int *minv, int *maxv);
static SSLSTREAM *ssl_start(TCPSTREAM *tstream,char *host,unsigned long flags);
static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags);
static int ssl_open_verify (int ok,X509_STORE_CTX *ctx);
@@ -109,20 +104,20 @@ pith_ssl_encryption_version(char *s)
{ "tls1_3", TLS1_3_VERSION },
#endif /* TLS1_3_VERSION */
{ "no_max", 0 }, /* set this last in the list */
- { NULL, 0 },
+ { NIL, 0 },
};
int i;
- if (s == NULL || *s == '\0')
+ if (s == NIL || *s == '\0')
return -1;
- for (i = 0; ssl_versions[i].name != NULL; i++)
+ for (i = 0; ssl_versions[i].name != NIL; i++)
if (strcmp(ssl_versions[i].name, s) == 0)
break;
if (strcmp(s, "no_max") == 0) i--;
- return ssl_versions[i].name != NULL ? ssl_versions[i].version : -1;
+ return ssl_versions[i].name != NIL ? ssl_versions[i].version : -1;
}
/* Secure Sockets Layer network driver dispatch */
@@ -158,9 +153,9 @@ void ssl_onceonlyinit (void)
/* if system doesn't have /dev/urandom */
if (stat ("/dev/urandom",&sbuf)) {
strcpy(tmp, "SSLXXXXXX");
- fd = fopen(tmp,"a");
- fstat (fd,&sbuf); /* get information about the file */
+ fd = open(tmp,"a");
close (fd); /* flush descriptor */
+ fstat (fd,&sbuf); /* get information about the file */
unlink (tmp); /* don't need the file */
/* not great but it'll have to do */
sprintf (tmp + strlen (tmp),"%.80s%lx%.80s%lx%lx%lx%lx%lx",
@@ -174,7 +169,7 @@ void ssl_onceonlyinit (void)
mail_parameters (NIL,SET_SSLDRIVER,(void *) &ssldriver);
mail_parameters (NIL,SET_SSLSTART,(void *) ssl_start);
#ifdef OPENSSL_1_1_0
- OPENSSL_init_ssl(0, NULL);
+ OPENSSL_init_ssl(0, NIL);
#else
SSL_library_init (); /* add all algorithms */
#endif /* OPENSSL_1_1_0 */
@@ -253,7 +248,7 @@ int ssl_disable_mask(int ssl_version, int direction)
/* ssl_connect_mthd: returns a context pointer to the connection to
* a ssl server
*/
-const SSL_METHOD *ssl_connect_mthd(int flag, int *min, int *max)
+const SSL_METHOD *ssl_connect_mthd(int flag, int *minv, int *maxv)
{
int client_request;
client_request = (flag & NET_TRYTLS1) ? TLS1_VERSION
@@ -266,55 +261,55 @@ const SSL_METHOD *ssl_connect_mthd(int flag, int *min, int *max)
#endif
: 0;
- *min = *(int *)mail_parameters(NULL, GET_ENCRYPTION_RANGE_MIN, NULL);
- *max = *(int *)mail_parameters(NULL, GET_ENCRYPTION_RANGE_MAX, NULL);
+ *minv = *(int *)mail_parameters(NIL, GET_ENCRYPTION_RANGE_MIN, NIL);
+ *maxv = *(int *)mail_parameters(NIL, GET_ENCRYPTION_RANGE_MAX, NIL);
/*
* if no special request, negotiate the maximum the client is configured
* to negotiate
*/
if (client_request == 0)
- client_request = *max;
+ client_request = *maxv;
- if (client_request < *min || client_request > *max)
+ if (client_request < *minv || client_request > *maxv)
return NIL; /* out of range? bail out */
- /* Some Linux distributors seem to believe that it is ok to disable some of
- * these methods for their users, so we have to test that every requested
- * method has actually been compiled in into their openssl/libressl library.
- * Oh well...
- */
+ /* Some Linux distributors seem to believe that it is ok to disable some of
+ * these methods for their users, so we have to test that every requested
+ * method has actually been compiled in into their openssl/libressl library.
+ * Oh well...
+ */
#ifndef OPENSSL_1_1_0
if (client_request == SSL3_VERSION)
#ifndef OPENSSL_NO_SSL3_METHOD
- return SSLv3_client_method();
+ return SSLv3_client_method();
#else
- return NIL;
+ return NIL;
#endif /* OPENSSL_NO_SSL3_METHOD */
else if (client_request == TLS1_VERSION)
#ifndef OPENSSL_NO_TLS1_METHOD
- return TLSv1_client_method();
+ return TLSv1_client_method();
#else
- return NIL;
+ return NIL;
#endif /* OPENSSL_NO_TLS1_METHOD */
else if (client_request == TLS1_1_VERSION)
#ifndef OPENSSL_NO_TLS1_1_METHOD
- return TLSv1_1_client_method();
+ return TLSv1_1_client_method();
#else
- return NIL;
+ return NIL;
#endif /* OPENSSL_NO_TLS1_1_METHOD */
else if (client_request == TLS1_2_VERSION)
#ifndef OPENSSL_NO_TLS1_2_METHOD
- return TLSv1_2_client_method();
+ return TLSv1_2_client_method();
#else
- return NIL;
+ return NIL;
#endif /* OPENSSL_NO_TLS1_2_METHOD */
#ifdef TLS1_3_VERSION /* this is only reachable if TLS1_3 support exists */
else if (client_request == TLS1_3_VERSION)
#ifndef OPENSSL_NO_TLS1_3_METHOD
- return TLS_client_method();
+ return TLS_client_method();
#else
- return NIL;
+ return NIL;
#endif /* #ifndef OPENSSL_NO_TLS1_2_METHOD */
#endif /* TLS1_3_VERSION */
#endif /* ifndef OPENSSL_1_1_0 */
@@ -389,7 +384,7 @@ static char *ssl_start_work(SSLSTREAM *stream, char *host, unsigned long flags)
BIO *bio;
X509 *cert;
unsigned long sl, tl;
- int min, max;
+ int minv, maxv;
int masklow, maskhigh;
char *s, *t, *err, tmp[MAILTMPLEN], buf[256];
sslcertificatequery_t scq =
@@ -400,24 +395,24 @@ static char *ssl_start_work(SSLSTREAM *stream, char *host, unsigned long flags)
(sslclientkey_t)mail_parameters(NIL, GET_SSLCLIENTKEY, NIL);
if (ssl_last_error) fs_give((void **)&ssl_last_error);
ssl_last_host = host;
- if (!(stream->context = SSL_CTX_new(ssl_connect_mthd(flags, &min, &max))))
+ if (!(stream->context = SSL_CTX_new(ssl_connect_mthd(flags, &minv, &maxv))))
return "SSL context failed";
SSL_CTX_set_options(stream->context, 0);
- masklow = ssl_disable_mask(min, -1);
- maskhigh = ssl_disable_mask(max, 1);
+ masklow = ssl_disable_mask(minv, -1);
+ maskhigh = ssl_disable_mask(maxv, 1);
SSL_CTX_set_options(stream->context, masklow | maskhigh);
/* disable certificate validation? */
if (flags & NET_NOVALIDATECERT)
SSL_CTX_set_verify(stream->context, SSL_VERIFY_NONE, NIL);
else SSL_CTX_set_verify(stream->context, SSL_VERIFY_PEER, ssl_open_verify);
- /* set default paths to CAs... */
- SSL_CTX_set_default_verify_paths(stream->context);
- /* ...unless a non-standard path desired */
- if ((s = (char *)mail_parameters(NIL, GET_SSLCAPATH, NIL)) != NULL)
- SSL_CTX_load_verify_locations(stream->context, NIL, s);
+ /* a non-standard path desired */
+ if ((s = (char *)mail_parameters(NIL, GET_SSLCAPATH, NIL)) != NIL)
+ SSL_CTX_load_verify_locations(stream->context, NIL, (const char *)s);
+ else /* otherwise we set default paths to CAs... */
+ SSL_CTX_set_default_verify_paths(stream->context);
/* want to send client certificate? */
if (scc && (s = (*scc) ()) && (sl = strlen(s))) {
- if ((cert = PEM_read_bio_X509(bio = BIO_new_mem_buf(s, sl), NIL, NIL, NIL)) != NULL) {
+ if ((cert = PEM_read_bio_X509(bio = BIO_new_mem_buf(s, sl), NIL, NIL, NIL)) != NIL) {
SSL_CTX_use_certificate(stream->context, cert);
X509_free(cert);
}
@@ -427,7 +422,7 @@ static char *ssl_start_work(SSLSTREAM *stream, char *host, unsigned long flags)
if ((t = (sck ? (*sck) () : s)) && (tl = strlen(t))) {
EVP_PKEY *key;
if ((key = PEM_read_bio_PrivateKey(bio = BIO_new_mem_buf(t, tl),
- NIL, NIL, "")) != NULL) {
+ NIL, NIL, "")) != NIL) {
SSL_CTX_use_PrivateKey(stream->context, key);
EVP_PKEY_free(key);
}
@@ -535,7 +530,7 @@ static char *ssl_validate_cert (X509 *cert,char *host)
if(m == 0 || ret != NIL){
cname = X509_get_subject_name(cert);
for(j = 0, ret = NIL; j < X509_NAME_entry_count(cname) && ret == NIL; j++){
- if((e = X509_NAME_get_entry(cname, j)) != NULL){
+ if((e = X509_NAME_get_entry(cname, j)) != NIL){
X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf));
s = (char *) buf;
}
@@ -951,8 +946,8 @@ void ssl_server_init (char *server)
sizeof (SSLSTREAM));
ssl_onceonlyinit (); /* make sure algorithms added */
#ifdef OPENSSL_1_1_0
- OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
- OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS|OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
+ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NIL);
+ OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS|OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NIL);
#else
ERR_load_crypto_strings ();
SSL_load_error_strings ();
@@ -1065,7 +1060,7 @@ static RSA *ssl_genkey (SSL_CTX_TYPE *con,int export,int keylength)
}
#ifdef OPENSSL_1_1_0
BN_free(e);
- e = NULL;
+ e = NIL;
#endif /* OPENSSL_1_1_0 */
}
return key;
diff --git a/imap/src/osdep/nt/ssl_nt.c b/imap/src/osdep/nt/ssl_nt.c
index 5bc04ab8..71695766 100644
--- a/imap/src/osdep/nt/ssl_nt.c
+++ b/imap/src/osdep/nt/ssl_nt.c
@@ -23,8 +23,8 @@
* http://www.apache.org/licenses/LICENSE-2.0
*
*/
-//#ifdef ENABLE_WINDOWS_LIBRESSL
-//#include "ssl_libressl.c"
-//#else
+#if !defined(ENABLE_WINDOWS_LIBRESSL) || !defined(W32BITSBUILD)
#include "ssl_win.c"
-//#endif /* ENABLE_WINDOWS_LIBRESSL */
+#else
+#include "ssl_libressl.c"
+#endif
diff --git a/imap/src/osdep/unix/ssl_unix.c b/imap/src/osdep/unix/ssl_unix.c
index 93fb1a9a..57931525 100644
--- a/imap/src/osdep/unix/ssl_unix.c
+++ b/imap/src/osdep/unix/ssl_unix.c
@@ -75,7 +75,7 @@ typedef struct ssl_stream {
/* Function prototypes */
int ssl_disable_mask(int ssl_version, int direction);
-const SSL_METHOD *ssl_connect_mthd(int flag, int *min, int *max);
+const SSL_METHOD *ssl_connect_mthd(int flag, int *minv, int *maxv);
static SSLSTREAM *ssl_start(TCPSTREAM *tstream,char *host,unsigned long flags);
static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags);
static int ssl_open_verify (int ok,X509_STORE_CTX *ctx);
@@ -257,7 +257,7 @@ int ssl_disable_mask(int ssl_version, int direction)
/* ssl_connect_mthd: returns a context pointer to the connection to
* a ssl server
*/
-const SSL_METHOD *ssl_connect_mthd(int flag, int *min, int *max)
+const SSL_METHOD *ssl_connect_mthd(int flag, int *minv, int *maxv)
{
int client_request;
client_request = (flag & NET_TRYTLS1) ? TLS1_VERSION
@@ -270,17 +270,17 @@ const SSL_METHOD *ssl_connect_mthd(int flag, int *min, int *max)
#endif
: 0;
- *min = *(int *) mail_parameters(NULL, GET_ENCRYPTION_RANGE_MIN, NULL);
- *max = *(int *) mail_parameters(NULL, GET_ENCRYPTION_RANGE_MAX, NULL);
+ *minv = *(int *) mail_parameters(NULL, GET_ENCRYPTION_RANGE_MIN, NULL);
+ *maxv = *(int *) mail_parameters(NULL, GET_ENCRYPTION_RANGE_MAX, NULL);
/*
* if no special request, negotiate the maximum the client is configured
* to negotiate
*/
if(client_request == 0)
- client_request = *max;
+ client_request = *maxv;
- if(client_request < *min || client_request > *max)
+ if(client_request < *minv || client_request > *maxv)
return NIL; /* out of range? bail out */
/* Some Linux distributors seem to believe that it is ok to disable some of
@@ -392,7 +392,7 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags)
BIO *bio;
X509 *cert;
unsigned long sl,tl;
- int min, max;
+ int minv, maxv;
int masklow, maskhigh;
char *s,*t,*err,tmp[MAILTMPLEN], buf[256];
sslcertificatequery_t scq =
@@ -403,21 +403,21 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags)
(sslclientkey_t) mail_parameters (NIL,GET_SSLCLIENTKEY,NIL);
if (ssl_last_error) fs_give ((void **) &ssl_last_error);
ssl_last_host = host;
- if (!(stream->context = SSL_CTX_new (ssl_connect_mthd(flags, &min, &max))))
+ if (!(stream->context = SSL_CTX_new (ssl_connect_mthd(flags, &minv, &maxv))))
return "SSL context failed";
SSL_CTX_set_options (stream->context,0);
- masklow = ssl_disable_mask(min, -1);
- maskhigh = ssl_disable_mask(max, 1);
+ masklow = ssl_disable_mask(minv, -1);
+ maskhigh = ssl_disable_mask(maxv, 1);
SSL_CTX_set_options(stream->context, masklow|maskhigh);
/* disable certificate validation? */
if (flags & NET_NOVALIDATECERT)
SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL);
else SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify);
- /* set default paths to CAs... */
- SSL_CTX_set_default_verify_paths (stream->context);
- /* ...unless a non-standard path desired */
+ /* if a non-standard path desired */
if ((s = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL)) != NULL)
SSL_CTX_load_verify_locations (stream->context,NIL,s);
+ else /* set default paths to CAs... */
+ SSL_CTX_set_default_verify_paths (stream->context);
/* want to send client certificate? */
if (scc && (s = (*scc) ()) && (sl = strlen (s))) {
if ((cert = PEM_read_bio_X509 (bio = BIO_new_mem_buf (s,sl),NIL,NIL,NIL)) != NULL) {
diff --git a/include/config.h.in b/include/config.h.in
index 19d7b34d..6a13eefe 100644
--- a/include/config.h.in
+++ b/include/config.h.in
@@ -42,6 +42,9 @@
/* Default configuration value */
#undef DEFAULT_SAVE
+/* Directory where system certificates are located */
+#undef DEFAULT_SSLCAPATH
+
/* Default configuration value */
#undef DF_AB_SORT_RULE
diff --git a/include/config.wnt.h b/include/config.wnt.h
index ed5de154..65f14725 100644
--- a/include/config.wnt.h
+++ b/include/config.wnt.h
@@ -557,10 +557,15 @@
/* Name of default certificate authority container */
#define DF_CA_CONTAINER "CAContainer"
-//#else
-#undef DF_ENCRYPTION_RANGE
+#else
#endif /* ENABLE_WINDOWS_LIBRESSL */
+#if !defined(ENABLE_WINDOWS_LIBRESSL) || !defined(W32BITSBUILD)
+#undef DF_ENCRYPTION_RANGE
+#else
+#define DEFAULT_SSLCAPATH "C:\\libressl\\ssl\\certs"
+#endif
+
/* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */
/* #define TIME_WITH_SYS_TIME */
diff --git a/pith/conf.c b/pith/conf.c
index 64cd13bd..d7ec5dbb 100644
--- a/pith/conf.c
+++ b/pith/conf.c
@@ -377,6 +377,10 @@ CONF_TXT_T cf_text_mailcap_path[] = "Sets the search path for the mailcap config
CONF_TXT_T cf_text_mimetype_path[] = "Sets the search path for the mimetypes configuration file.\n# NOTE: colon delimited under UNIX, semi-colon delimited under DOS/Windows/OS2.";
+#if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD))
+CONF_TXT_T cf_text_system_certs_path[] = "Sets the path for the system ssl certificates issued by a trusted\n# certificate authority. Note that this could be a list of paths, if the same\n# pinerc is used in different systems. Alpine always chooses the first one that\n# it finds. Value must be an absolute path.";
+#endif
+
CONF_TXT_T cf_text_newmail_fifo_path[] = "Sets the filename for the newmail fifo (named pipe). Unix only.";
CONF_TXT_T cf_text_nmw_width[] = "Sets the width for the NewMail screen.";
@@ -661,6 +665,10 @@ static struct variable variables[] = {
NULL, cf_text_mailcap_path},
{"mimetype-search-path", 0, 1, 0, 1, 1, 0, 0, 0, 0, 1, 0,
NULL, cf_text_mimetype_path},
+#if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD))
+{"system-certs-path", 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0,
+ NULL, cf_text_system_certs_path},
+#endif
{"url-viewers", 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0,
"URL-Viewers", cf_text_browser},
{"default-directories", 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0,
@@ -746,8 +754,10 @@ static struct variable variables[] = {
NULL, cf_text_disable_drivers},
{"disable-these-authenticators", 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0,
NULL, cf_text_disable_auths},
+#ifdef DF_ENCRYPTION_RANGE
{"encryption-protocol-range", 0, 1, 0, 1, 1, 0, 0, 0, 0, 1, 0,
NULL, cf_text_encryption_range},
+#endif
{"remote-abook-metafile", 0, 1, 0, 1, 0, 0, 0, 0, 1, 1, 0,
NULL, cf_text_remote_abook_metafile},
{"remote-abook-history", 0, 1, 0, 1, 1, 0, 0, 0, 0, 1, 0,
@@ -1723,6 +1733,10 @@ init_vars(struct pine *ps, void (*cmds_f) (struct pine *, char **))
GLO_WP_INDEXHEIGHT = cpystr("24");
GLO_WP_AGGSTATE = cpystr("1");
GLO_WP_STATE = cpystr("");
+#if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD))
+ GLO_SSLCAPATH = parse_list(DEFAULT_SSLCAPATH, 1,
+ PL_REMSURRQUOT, NULL);
+#endif
#ifdef DF_VAR_SPELLER
GLO_SPELLER = cpystr(DF_VAR_SPELLER);
#endif
@@ -2337,7 +2351,9 @@ init_vars(struct pine *ps, void (*cmds_f) (struct pine *, char **))
set_current_val(&vars[V_FORCED_ABOOK_ENTRY], TRUE, TRUE);
set_current_val(&vars[V_DISABLE_DRIVERS], TRUE, TRUE);
set_current_val(&vars[V_DISABLE_AUTHS], TRUE, TRUE);
+#ifdef DF_ENCRYPTION_RANGE
set_current_val(&vars[V_ENCRYPTION_RANGE], TRUE, TRUE);
+#endif
set_current_val(&vars[V_VIEW_HEADERS], TRUE, TRUE);
/* strip spaces and colons */
@@ -2364,6 +2380,9 @@ init_vars(struct pine *ps, void (*cmds_f) (struct pine *, char **))
set_current_val(&vars[V_DOWNLOAD_CMD_PREFIX], TRUE, TRUE);
set_current_val(&vars[V_MAILCAP_PATH], TRUE, TRUE);
set_current_val(&vars[V_MIMETYPE_PATH], TRUE, TRUE);
+#if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD))
+ set_current_val(&vars[V_SSLCAPATH], TRUE, TRUE);
+#endif
#if !defined(DOS) && !defined(OS2) && !defined(LEAVEOUTFIFO)
set_current_val(&vars[V_FIFOPATH], TRUE, TRUE);
#endif
@@ -7048,6 +7067,22 @@ feature_gets_an_x(struct pine *ps, struct variable *var, FEATURE_S *feature,
test_old_growth_bits(ps, feature->id)))));
}
+#if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD))
+void
+set_system_certs_path(struct pine *ps)
+{
+ char **l;
+
+ for (l = ps->vars[V_SSLCAPATH].current_val.l; l && *l; l++){
+ if(is_absolute_path(*l)
+ && can_access(*l, ACCESS_EXISTS) == 0
+ && can_access(*l, READ_ACCESS) == 0){
+ mail_parameters(NULL, SET_SSLCAPATH, (void *) *l);
+ break;
+ }
+ }
+}
+#endif
int
longest_feature_comment(struct pine *ps, EditWhich ew)
@@ -7837,8 +7872,10 @@ config_help(int var, int feature)
return(h_config_disable_drivers);
case V_DISABLE_AUTHS :
return(h_config_disable_auths);
+#ifdef DF_ENCRYPTION_RANGE
case V_ENCRYPTION_RANGE :
return(h_config_encryption_range);
+#endif
case V_REMOTE_ABOOK_METADATA :
return(h_config_abook_metafile);
case V_REPLY_STRING :
@@ -7903,6 +7940,10 @@ config_help(int var, int feature)
return(h_config_mailcap_path);
case V_MIMETYPE_PATH :
return(h_config_mimetype_path);
+#if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD))
+ case V_SSLCAPATH :
+ return(h_config_system_certs_path);
+#endif
#if !defined(DOS) && !defined(OS2) && !defined(LEAVEOUTFIFO)
case V_FIFOPATH :
return(h_config_fifopath);
diff --git a/pith/conf.h b/pith/conf.h
index d7769336..3e7844eb 100644
--- a/pith/conf.h
+++ b/pith/conf.h
@@ -133,6 +133,10 @@
#define VAR_COLOR_STYLE vars[V_COLOR_STYLE].current_val.p
#define GLO_COLOR_STYLE vars[V_COLOR_STYLE].global_val.p
#endif
+#if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD))
+#define VAR_SSLCAPATH vars[V_SSLCAPATH].current_val.l
+#define GLO_SSLCAPATH vars[V_SSLCAPATH].global_val.l
+#endif
#define VAR_INDEX_COLOR_STYLE vars[V_INDEX_COLOR_STYLE].current_val.p
#define GLO_INDEX_COLOR_STYLE vars[V_INDEX_COLOR_STYLE].global_val.p
#define VAR_TITLEBAR_COLOR_STYLE vars[V_TITLEBAR_COLOR_STYLE].current_val.p
@@ -263,8 +267,10 @@
#define GLO_REMOTE_ABOOK_HISTORY vars[V_REMOTE_ABOOK_HISTORY].global_val.p
#define VAR_REMOTE_ABOOK_VALIDITY vars[V_REMOTE_ABOOK_VALIDITY].current_val.p
#define GLO_REMOTE_ABOOK_VALIDITY vars[V_REMOTE_ABOOK_VALIDITY].global_val.p
+#ifdef DF_ENCRYPTION_RANGE
#define GLO_ENCRYPTION_RANGE vars[V_ENCRYPTION_RANGE].global_val.p
#define VAR_ENCRYPTION_RANGE vars[V_ENCRYPTION_RANGE].current_val.p
+#endif
/* Elm style save is obsolete in Pine 3.81 (see saved msg name rule) */
#define VAR_ELM_STYLE_SAVE vars[V_ELM_STYLE_SAVE].current_val.p
#define GLO_ELM_STYLE_SAVE vars[V_ELM_STYLE_SAVE].global_val.p
@@ -914,6 +920,9 @@ char **get_supported_options(void);
unsigned reset_startup_rule(MAILSTREAM *);
void free_pinerc_lines(PINERC_LINE **);
void panic1(char *, char *);
+#if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD))
+void set_system_certs_path(struct pine *);
+#endif
/* mandatory to implement prototypes */
int set_input_timeout(int);
diff --git a/pith/conftype.h b/pith/conftype.h
index 4278dc59..09112724 100644
--- a/pith/conftype.h
+++ b/pith/conftype.h
@@ -125,6 +125,9 @@ typedef enum { V_PERSONAL_NAME = 0
, V_DOWNLOAD_CMD_PREFIX
, V_MAILCAP_PATH
, V_MIMETYPE_PATH
+#if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD))
+ , V_SSLCAPATH
+#endif
, V_BROWSER
, V_HISTORY
, V_MAXREMSTREAM
@@ -171,7 +174,9 @@ typedef enum { V_PERSONAL_NAME = 0
, V_NEW_VER_QUELL
, V_DISABLE_DRIVERS
, V_DISABLE_AUTHS
+#ifdef DF_ENCRYPTION_RANGE
, V_ENCRYPTION_RANGE
+#endif
, V_REMOTE_ABOOK_METADATA
, V_REMOTE_ABOOK_HISTORY
, V_REMOTE_ABOOK_VALIDITY
diff --git a/pith/pine.hlp b/pith/pine.hlp
index d81bd397..2dda8a13 100644
--- a/pith/pine.hlp
+++ b/pith/pine.hlp
@@ -140,7 +140,7 @@ with help text for the config screen and the composer that didn't have any
reasonable place to be called from.
Dummy change to get revision in pine.hlp
============= h_revision =================
-Alpine Commit 395 2020-01-19 10:57:47
+Alpine Commit 396 2020-01-25 11:12:17
============= h_news =================
<HTML>
<HEAD>
@@ -173,6 +173,19 @@ Apache web server.
<H2>New in Alpine <!--#echo var="ALPINE_VERSION"--> (<!--#echo var="ALPINE_REVISION"-->)</H2>
+This is a development version of Alpine. These enhancements are
+released after the release of version
+<!--#echo var="ALPINE_VERSION"--> (<!--#echo var="ALPINE_REVISION"-->). Please report
+any problems you find with this release. New enhancements
+
+<UL>
+<LI> New variable system-certs-path that allows users to indicate the location
+of the directory where folders are located. In PC-Alpine this must be
+C:\\libressl\\ssl\\certs. The C: drive can be replaced by the name of the drive
+where the binary and DLL files are located.
+</UL>
+
+<P>
Version <!--#echo var="ALPINE_VERSION"--> (<!--#echo var="ALPINE_REVISION"-->)
addresses bugs found in previous releases and has a few additions as well.
@@ -22196,6 +22209,49 @@ by a colon (:) under UNIX and a semi-colon (;) under Windows.
<P>
&lt;End of help on this topic&gt;
</BODY></HTML>
+====== h_config_system_certs_path ======
+<HTML>
+<HEAD>
+<TITLE>OPTION: <!--#echo var="VAR_system-certs-path"--></TITLE>
+</HEAD>
+<BODY>
+<H1>OPTION: <!--#echo var="VAR_system-certs-path"--></H1>
+
+When Alpine is built to support secure connections to remote servers, a directory
+must be reserved in the system to store certificates that will be used to validate
+remote servers. This is normally configured at the time that Alpine is built, but
+there might be circumstances under which a user might want to use a different
+directory. For example, the directory might not be accessible, or has not been
+updated and contains old certificates that have expired.
+
+<P>
+When a user wants to override the default, this variable can be used to list
+the directory where such certificates can be found. Alpine will use the first
+directory in this list that exists in your system and can be accessed. This
+allows for users to be able to use the same pinerc file in different systems.
+
+<P>
+Example of values for this option might be:
+
+<PRE>
+System Certs Path = /etc/ssl/certs
+ /usr/local/ssl/certs
+ C:\\libressl\\ssl\\certs
+<PRE>
+
+<P>
+In unix systems, the default location of the certificates for openssl can
+be obtained by first executing the command
+
+<PRE>openssl version -d</PRE>
+
+and adding &quot;/certs&quot; to that value. In Windows the default location
+for the certificates is C:\\libressl\\ssl\\certs. This value was set by LibreSSL
+developers, and this option can be used to override this default.
+
+<P>
+&lt;End of help on this topic&gt;
+</BODY></HTML>
====== h_config_set_att_ansi ======
<HTML><HEAD>
<TITLE>OPTION: Set printer to attached ansi printer</TITLE>