author | Eduardo Chappa <chappa@washington.edu> | 2020-02-03 21:15:19 -0700 |
---|---|---|
committer | Eduardo Chappa <chappa@washington.edu> | 2020-02-03 21:15:19 -0700 |
commit | dba6c62a11eed30f7a4e3e625eec8ca88252ab6c (patch) | |
tree | ad330ee9baf787e4ce638b5da2a9480e33b6c630 | |
parent | 709dc44768db0c0e1123181f53fdba26484eceaa (diff) | |
download | alpine-dba6c62a11eed30f7a4e3e625eec8ca88252ab6c.tar.xz |
* Add variable system-certs-file to indicate the location of a container
of CA certificates. This complements the variable system-certs-path that
gives the location of the directory that contains CA certificates.
-rw-r--r-- | alpine/alpine.c | 1 | ||||
-rw-r--r-- | alpine/confscroll.c | 1 | ||||
-rw-r--r-- | imap/src/c-client/mail.h | 6 | ||||
-rw-r--r-- | imap/src/osdep/nt/env_nt.c | 9 | ||||
-rw-r--r-- | imap/src/osdep/nt/ssl_libressl.c | 9 | ||||
-rw-r--r-- | imap/src/osdep/unix/env_unix.c | 11 | ||||
-rw-r--r-- | imap/src/osdep/unix/ssl_unix.c | 7 | ||||
-rw-r--r-- | include/config.wnt.h | 1 | ||||
-rw-r--r-- | pith/conf.c | 29 | ||||
-rw-r--r-- | pith/conf.h | 3 | ||||
-rw-r--r-- | pith/conftype.h | 1 | ||||
-rw-r--r-- | pith/pine.hlp | 54 |
12 files changed, 117 insertions, 15 deletions
diff --git a/alpine/alpine.c b/alpine/alpine.c index a829c6d2..25ea2800 100644 --- a/alpine/alpine.c +++ b/alpine/alpine.c @@ -473,6 +473,7 @@ main(int argc, char **argv) #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD)) set_system_certs_path(pine_state); + set_system_certs_container(pine_state); #endif #ifdef SMIME diff --git a/alpine/confscroll.c b/alpine/confscroll.c index 7518dcf1..78f4a92d 100644 --- a/alpine/confscroll.c +++ b/alpine/confscroll.c @@ -5775,6 +5775,7 @@ fix_side_effects(struct pine *ps, struct variable *var, int revert) #endif #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD)) var == &ps->vars[V_SSLCAPATH] || + var == &ps->vars[V_SSLCAFILE] || #endif var == &ps->vars[V_RSHPATH] || var == &ps->vars[V_RSHCMD] || diff --git a/imap/src/c-client/mail.h b/imap/src/c-client/mail.h index e6c0f695..1a4e1b04 100644 --- a/imap/src/c-client/mail.h +++ b/imap/src/c-client/mail.h @@ -192,8 +192,10 @@ #define SET_EXTERNALAUTHID (long) 230 #define GET_SSLCAPATH (long) 231 #define SET_SSLCAPATH (long) 232 -#define GET_RESTRICTIONS (long) 233 -#define SET_RESTRICTIONS (long) 234 +#define GET_SSLCAFILE (long) 233 +#define SET_SSLCAFILE (long) 234 +#define GET_RESTRICTIONS (long) 235 +#define SET_RESTRICTIONS (long) 236 /* 3xx: TCP/IP */ #define GET_OPENTIMEOUT (long) 300 diff --git a/imap/src/osdep/nt/env_nt.c b/imap/src/osdep/nt/env_nt.c index da84b10c..8fc72f0c 100644 --- a/imap/src/osdep/nt/env_nt.c +++ b/imap/src/osdep/nt/env_nt.c @@ -44,6 +44,7 @@ static unsigned int rndm = 0; /* initial `random' number */ static int server_nli = 0; /* server and not logged in */ static int logtry = 3; /* number of login tries */ static char *sslCApath = NIL; /* non-standard CA path */ +static char *sslCAfile = NIL; /* non-standard CA container */ /* block notification */ static blocknotify_t mailblocknotify = mm_blocknotify; /* callback to get username */ 
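Review bot: Inserting GET_SSLCAFILE/SET_SSLCAFILE at 233/234 in the mail.h hunk renumbers GET_RESTRICTIONS and SET_RESTRICTIONS to 235/236, so anything compiled against the previous header (a separately built c-client consumer) that still passes 233 or 234 would now read or set the CA container instead of the restrictions value. Appending the new pair after the existing ones, e.g. `#define GET_SSLCAFILE (long) 235` / `#define SET_SSLCAFILE (long) 236`, keeps every existing number stable. If c-client is only ever built and linked from this same tree the renumbering is harmless, but the header is a public interface and the cost of keeping it stable is nil.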
@@ -135,6 +136,13 @@ void *env_parameters (long function,void *value)
 case GET_SSLCAPATH:
 ret = (void *) sslCApath;
 break;
+ case SET_SSLCAFILE: /* this can be set null */
+ if (sslCAfile) fs_give ((void **) &sslCAfile);
+ sslCAfile = value ? cpystr ((char *) value) : value;
+ break;
+ case GET_SSLCAFILE:
+ ret = (void *) sslCAfile;
+ break;
 }
 return ret;
 }
@@ -786,4 +794,5 @@ void env_end(void)
 if(myNewsrc) fs_give((void **) &myNewsrc);
 if(sysInbox) fs_give((void **) &sysInbox);
 if(sslCApath) fs_give((void **) &sslCApath);
+ if(sslCAfile) fs_give((void **) &sslCAfile);
 }
diff --git a/imap/src/osdep/nt/ssl_libressl.c b/imap/src/osdep/nt/ssl_libressl.c
index 366fae01..5270a9f8 100644
--- a/imap/src/osdep/nt/ssl_libressl.c
+++ b/imap/src/osdep/nt/ssl_libressl.c
@@ -387,6 +387,7 @@ static char *ssl_start_work(SSLSTREAM *stream, char *host, unsigned long flags)
 int minv, maxv;
 int masklow, maskhigh;
 char *s, *t, *err, tmp[MAILTMPLEN], buf[256];
+ char *CAfile, *CApath;
 sslcertificatequery_t scq =
 (sslcertificatequery_t)mail_parameters(NIL, GET_SSLCERTIFICATEQUERY, NIL);
 sslclientcert_t scc =
@@ -406,10 +407,12 @@ static char *ssl_start_work(SSLSTREAM *stream, char *host, unsigned long flags)
 SSL_CTX_set_verify(stream->context, SSL_VERIFY_NONE, NIL);
 else SSL_CTX_set_verify(stream->context, SSL_VERIFY_PEER, ssl_open_verify);
 /* a non-standard path desired */
- if ((s = (char *)mail_parameters(NIL, GET_SSLCAPATH, NIL)) != NIL)
- SSL_CTX_load_verify_locations(stream->context, NIL, (const char *)s);
+ CAfile = (char *) mail_parameters (NIL, GET_SSLCAFILE, NIL);
+ CApath = (char *) mail_parameters (NIL, GET_SSLCAPATH, NIL);
+ if (CAfile != NIL || CApath != NIL)
+ SSL_CTX_load_verify_locations (stream->context, CAfile, CApath);
 else /* otherwise we set default paths to CAs... */
- SSL_CTX_set_default_verify_paths(stream->context);
+ SSL_CTX_set_default_verify_paths(stream->context);
 /* want to send client certificate? */
 if (scc && (s = (*scc) ()) && (sl = strlen(s))) {
 if ((cert = PEM_read_bio_X509(bio = BIO_new_mem_buf(s, sl), NIL, NIL, NIL)) != NIL) {
diff --git a/imap/src/osdep/unix/env_unix.c b/imap/src/osdep/unix/env_unix.c
index 322ab61a..fe1b91d4 100644
--- a/imap/src/osdep/unix/env_unix.c
+++ b/imap/src/osdep/unix/env_unix.c
@@ -73,6 +73,7 @@ static char *blackBoxDir = NIL; /* black box directory name */
 /* black box default home directory */
 static char *blackBoxDefaultHome = NIL;
 static char *sslCApath = NIL; /* non-standard CA path */
+static char *sslCAfile = NIL; /* non-standard CA container */
 static short anonymous = NIL; /* is anonymous */
 static short blackBox = NIL; /* is a black box */
 static short closedBox = NIL; /* is a closed box (uses chroot() jail) */
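Review bot: The result of `SSL_CTX_load_verify_locations (stream->context, CAfile, CApath);` is still discarded on the new side, and now that a file and a directory are passed together an unreadable or malformed container (the Windows default is a fixed path under C:\libressl, see config.wnt.h) can make the whole call fail even where the directory alone would have loaded; the context is then left in whatever state the library produced and the only symptom is that every server certificate fails to verify. Checking the return, e.g. `if (!SSL_CTX_load_verify_locations (stream->context, CAfile, CApath))` followed by an mm_log of the failure (and, if wanted, a fallback to SSL_CTX_set_default_verify_paths), makes a misconfigured trust store diagnosable. The same unchecked call is in the ssl_unix.c hunk at @@ -414. ssl_start_work starts and ends outside both hunks.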
@@ -346,6 +347,13 @@ void *env_parameters (long function,void *value) case GET_SSLCAPATH: ret = (void *) sslCApath; break; + case SET_SSLCAFILE: /* this can be set null */ + if (sslCAfile) fs_give ((void **) &sslCAfile); + sslCAfile = value ? cpystr ((char *) value) : value; + break; + case GET_SSLCAFILE: + ret = (void *) sslCAfile; + break; case SET_LISTMAXLEVEL: list_max_level = (long) value; case GET_LISTMAXLEVEL: @@ -1766,6 +1774,8 @@ void dorc (char *file,long flag) */ else if (!compare_cstring (s,"set CA-certificate-path")) sslCApath = cpystr (k); + else if (!compare_cstring (s,"set CA-certificate-container")) + sslCAfile = cpystr (k); else if (!compare_cstring (s,"set disable-plaintext")) disablePlaintext = atoi (k); else if (!compare_cstring (s,"set allowed-login-attempts")) @@ -1872,6 +1882,7 @@ void env_end(void) if(blackBoxDefaultHome) fs_give((void **)&blackBoxDefaultHome); if(sslCApath) fs_give((void **)&sslCApath); + if(sslCAfile) fs_give((void **)&sslCAfile); if(userFlags){ int i; for(i = 0; i < NUSERFLAGS; i++) diff --git a/imap/src/osdep/unix/ssl_unix.c b/imap/src/osdep/unix/ssl_unix.c index 57931525..4ebe1ae7 100644 --- a/imap/src/osdep/unix/ssl_unix.c +++ b/imap/src/osdep/unix/ssl_unix.c @@ -395,6 +395,7 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags) int minv, maxv; int masklow, maskhigh; char *s,*t,*err,tmp[MAILTMPLEN], buf[256]; + char *CAfile, *CApath; sslcertificatequery_t scq = (sslcertificatequery_t) mail_parameters (NIL,GET_SSLCERTIFICATEQUERY,NIL); sslclientcert_t scc = 
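Review bot: In the dorc hunk `sslCAfile = cpystr (k);` overwrites any earlier value without releasing it, so a repeated `set CA-certificate-container` line in the rc file leaks the first copy, whereas the new SET_SSLCAFILE case in the env_parameters hunk above frees the old string first; adding `if (sslCAfile) fs_give ((void **) &sslCAfile);` before the cpystr makes the two paths consistent. This mirrors the existing sslCApath line, so it is an inherited pattern rather than a regression. dorc starts and ends outside the hunk.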
@@ -414,8 +415,10 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags) SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL); else SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify); /* if a non-standard path desired */ - if ((s = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL)) != NULL) - SSL_CTX_load_verify_locations (stream->context,NIL,s); + CAfile = (char *) mail_parameters (NIL,GET_SSLCAFILE,NIL); + CApath = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL); + if (CAfile != NIL || CApath != NIL) + SSL_CTX_load_verify_locations (stream->context, CAfile, CApath); else /* set default paths to CAs... */ SSL_CTX_set_default_verify_paths (stream->context); /* want to send client certificate? */ diff --git a/include/config.wnt.h b/include/config.wnt.h index e8d22ff5..a906b6ff 100644 --- a/include/config.wnt.h +++ b/include/config.wnt.h @@ -563,6 +563,7 @@ #undef DF_ENCRYPTION_RANGE #else #define DEFAULT_SSLCAPATH "C:\\libressl\\ssl\\certs" +#define DEFAULT_SSLCAFILE "C:\\libressl\\ssl\\certs\\cert.pem" #endif /* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */ diff --git a/pith/conf.c b/pith/conf.c index 3bd564bd..f6fe4863 100644 --- a/pith/conf.c +++ b/pith/conf.c 
@@ -379,6 +379,8 @@ CONF_TXT_T cf_text_mimetype_path[] = "Sets the search path for the mimetypes con #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD)) CONF_TXT_T cf_text_system_certs_path[] = "Sets the path for the system ssl certificates issued by a trusted\n# certificate authority. Note that this could be a list of paths, if the same\n# pinerc is used in different systems. Alpine always chooses the first one that\n# it finds. Value must be an absolute path."; + +CONF_TXT_T cf_text_system_certs_file[] = "Sets the path for the system ssl file container of certificates issued by a\n# certificate authority. Note that this could be a list of container files,\n# if the same pinerc is used in different systems. Alpine always chooses the,\n# first one that it finds. Value must be an absolute path."; #endif CONF_TXT_T cf_text_newmail_fifo_path[] = "Sets the filename for the newmail fifo (named pipe). Unix only."; @@ -667,7 +669,9 @@ static struct variable variables[] = { NULL, cf_text_mimetype_path}, #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD)) {"system-certs-path", 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0, - NULL, cf_text_system_certs_path}, + "System CACerts Dir", cf_text_system_certs_path}, +{"system-certs-file", 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0, + "System CACerts File", cf_text_system_certs_file}, #endif {"url-viewers", 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0, "URL-Viewers", cf_text_browser}, @@ -1737,6 +1741,10 @@ init_vars(struct pine *ps, void (*cmds_f) (struct pine *, char **)) GLO_SSLCAPATH = parse_list(DEFAULT_SSLCAPATH, 1, PL_REMSURRQUOT, NULL); #endif /* DEFAULT_SSLCAPATH */ +#ifdef DEFAULT_SSLCAFILE + GLO_SSLCAFILE = parse_list(DEFAULT_SSLCAFILE, 1, + PL_REMSURRQUOT, NULL); +#endif /* DEFAULT_SSLCAFILE */ #ifdef DF_VAR_SPELLER GLO_SPELLER = cpystr(DF_VAR_SPELLER); #endif 
@@ -2382,6 +2390,7 @@ init_vars(struct pine *ps, void (*cmds_f) (struct pine *, char **)) set_current_val(&vars[V_MIMETYPE_PATH], TRUE, TRUE); #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD)) set_current_val(&vars[V_SSLCAPATH], TRUE, TRUE); + set_current_val(&vars[V_SSLCAFILE], TRUE, TRUE); #endif #if !defined(DOS) && !defined(OS2) && !defined(LEAVEOUTFIFO) set_current_val(&vars[V_FIFOPATH], TRUE, TRUE); @@ -7082,6 +7091,22 @@ set_system_certs_path(struct pine *ps) } } } + + +void +set_system_certs_container(struct pine *ps) +{ + char **l; + + for (l = ps->vars[V_SSLCAPATH].current_val.l; l && *l; l++){ + if(is_absolute_path(*l) + && can_access(*l, ACCESS_EXISTS) == 0 + && can_access(*l, READ_ACCESS) == 0){ + mail_parameters(NULL, SET_SSLCAFILE, (void *) *l); + break; + } + } +} #endif int @@ -7943,6 +7968,8 @@ config_help(int var, int feature) #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD)) case V_SSLCAPATH : return(h_config_system_certs_path); + case V_SSLCAFILE : + return(h_config_system_certs_file); #endif #if !defined(DOS) && !defined(OS2) && !defined(LEAVEOUTFIFO) case V_FIFOPATH : diff --git a/pith/conf.h b/pith/conf.h index 3e7844eb..ac6f0a8f 100644 --- a/pith/conf.h +++ b/pith/conf.h @@ -136,6 +136,8 @@ #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD)) #define VAR_SSLCAPATH vars[V_SSLCAPATH].current_val.l #define GLO_SSLCAPATH vars[V_SSLCAPATH].global_val.l +#define VAR_SSLCAFILE vars[V_SSLCAFILE].current_val.l +#define GLO_SSLCAFILE vars[V_SSLCAFILE].global_val.l #endif #define VAR_INDEX_COLOR_STYLE vars[V_INDEX_COLOR_STYLE].current_val.p #define GLO_INDEX_COLOR_STYLE vars[V_INDEX_COLOR_STYLE].global_val.p 
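Review bot: set_system_certs_container walks `ps->vars[V_SSLCAPATH].current_val.l`, the directory list, so the new system-certs-file variable it exists to apply is never consulted and the first readable directory is registered as the CA container; ssl_start_work then hands that directory to SSL_CTX_load_verify_locations as the file argument, which is unlikely to load anything. The loop should iterate the new list, `for (l = ps->vars[V_SSLCAFILE].current_val.l; l && *l; l++){` (the `ps->VAR_SSLCAFILE` macro from the conf.h hunk spells the same thing). The function also has no header comment; a one-liner such as `/* register the first readable absolute path listed in system-certs-file as the CA container (SET_SSLCAFILE) */` would state its purpose next to set_system_certs_path.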
@@ -922,6 +924,7 @@ void free_pinerc_lines(PINERC_LINE **); void panic1(char *, char *); #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD)) void set_system_certs_path(struct pine *); +void set_system_certs_container(struct pine *); #endif /* mandatory to implement prototypes */ diff --git a/pith/conftype.h b/pith/conftype.h index 09112724..029b81bc 100644 --- a/pith/conftype.h +++ b/pith/conftype.h @@ -127,6 +127,7 @@ typedef enum { V_PERSONAL_NAME = 0 , V_MIMETYPE_PATH #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD)) , V_SSLCAPATH + , V_SSLCAFILE #endif , V_BROWSER , V_HISTORY diff --git a/pith/pine.hlp b/pith/pine.hlp index fa1468ca..4f0eb38f 100644 --- a/pith/pine.hlp +++ b/pith/pine.hlp @@ -140,7 +140,7 @@ with help text for the config screen and the composer that didn't have any reasonable place to be called from. Dummy change to get revision in pine.hlp ============= h_revision ================= -Alpine Commit 401 2020-01-30 00:08:16 +Alpine Commit 402 2020-02-03 21:15:05 ============= h_news ================= <HTML> <HEAD> @@ -187,6 +187,10 @@ any problems you find with this release. New enhancements this must be C:\\libressl\\ssl\\certs. The C: drive can be replaced by the name of the drive where the binary and DLL files are located. +<LI> New variable system-certs-file that allows users to configure the + location of a container of certificate authoririty (CA) certificates + to be used to validate certificates of remote servers. + <LI>Crash in Alpine when attempting to reply to a multipart/alternative message that is malformed, and the option to include attachments in reply is enabled. Reported and patched by Peter Tirsek. 
@@ -22232,7 +22236,7 @@ directory. For example, the directory might not be accessible, or has not been updated and contains old certificates that have expired. <P> -When a user wants to override the default, this variable can be used to list +This variable can be used to list the directory where such certificates can be found. Alpine will use the first directory in this list that exists in your system and can be accessed. This allows for users to be able to use the same pinerc file in different systems. @@ -22241,9 +22245,45 @@ allows for users to be able to use the same pinerc file in different systems. Example of values for this option might be: <PRE> -System Certs Path = /etc/ssl/certs - /usr/local/ssl/certs - C:\\libressl\\ssl\\certs +System CACerts Dir = /etc/ssl/certs + /usr/local/ssl/certs + C:\\libressl\\ssl\\certs +<PRE> + +<P> +In unix systems, the default location of the certificates for openssl can +be obtained by first executing the command + +<PRE>openssl version -d</PRE> + +and adding "/certs" to that value. In Windows the default location +for the certificates is C:\\libressl\\ssl\\certs. This value was set by +LibreSSL developers, and this option can be used to override this default. + +<P> +<End of help on this topic> +</BODY></HTML> +====== h_config_system_certs_file ====== +<HTML> +<HEAD> +<TITLE>OPTION: <!--#echo var="VAR_system-certs-file"--></TITLE> +</HEAD> +<BODY> +<H1>OPTION: <!--#echo var="VAR_system-certs-file"--></H1> + +This option sets the location of the container file that holds +certificate authority (CA) certificates. +Alpine will use the first +container in this list that exists in your system and can be accessed. This +allows for users to be able to use the same pinerc file in different systems. + +<P> +Example of values for this option might be: + +<PRE> +System Certs Path = /etc/ssl/certs/cert.pem + /usr/local/ssl/ca-root-nss.crt + C:\\libressl\\ssl\\certs\\cert.pem <PRE> <P> 
@@ -22253,8 +22293,8 @@ be obtained by first executing the command <PRE>openssl version -d</PRE> and adding "/certs" to that value. In Windows the default location -for the certificates is C:\\libressl\\ssl\\certs. This value was set by LibreSSL -developers, and this option can be used to override this default. +for the certificates is C:\\libressl\\ssl\\certs\\cert.pem. This value was set +by LibreSSL developers, and this option can be used to override this default. <P> <End of help on this topic> |