authorEduardo Chappa <chappa@washington.edu>2019-02-17 19:17:46 -0700
committerEduardo Chappa <chappa@washington.edu>2019-02-17 19:17:46 -0700
commit08fcd1b86979b422eb586e56459d6fe15333e500 (patch)
tree27247d07d9c1063e2a2fc376155d675f54a4d4e4 /alpine/alpine.c
parent35f3426203172af028df5a6e39bc6dea2514020d (diff)
downloadalpine-08fcd1b86979b422eb586e56459d6fe15333e500.tar.xz
* Rewrite support for specific SSL encryption protocols, including
a. Add a new variable: encryption-protocol-range, which can be used to specify the minimum and maximum versions of the TLS protocol that Alpine will attempt to use to encrypt its communication with the server. b. Add support for the Server Name Indication (SNI) extension needed for TLSv1.3. c. Remove the DTLS code. It was not being used.
Diffstat (limited to 'alpine/alpine.c')
-rw-r--r--alpine/alpine.c65
1 files changed, 65 insertions, 0 deletions
diff --git a/alpine/alpine.c b/alpine/alpine.c
index bbccb793..11f3354e 100644
--- a/alpine/alpine.c
+++ b/alpine/alpine.c
@@ -646,6 +646,71 @@ main(int argc, char **argv)
}
}
+ if(ps_global->VAR_ENCRYPTION_RANGE
+ && ps_global->VAR_ENCRYPTION_RANGE[0]){
+ char *min_s, *max_s, *s;
+ int min_v, max_v;
+
+ if((s = strchr(ps_global->VAR_ENCRYPTION_RANGE, ',')) == NULL){
+ snprintf(tmp_20k_buf, SIZEOF_20KBUF,
+ _("Bad encryption range: \"%s\": resetting to default"),
+ ps_global->VAR_ENCRYPTION_RANGE);
+ tmp_20k_buf[SIZEOF_20KBUF-1] = '\0';
+ init_error(ps_global, SM_ORDER | SM_DING, 3, 5, tmp_20k_buf);
+ fs_give((void **) &ps_global->VAR_ENCRYPTION_RANGE);
+ ps_global->VAR_ENCRYPTION_RANGE = cpystr(DF_ENCRYPTION_RANGE);
+ s = strchr(ps_global->VAR_ENCRYPTION_RANGE, ','); /* try again */
+ }
+
+ if(s == NULL){
+ snprintf(tmp_20k_buf, SIZEOF_20KBUF,
+ _("Bad default encryption range: \"%s\""),
+ ps_global->VAR_ENCRYPTION_RANGE);
+ tmp_20k_buf[SIZEOF_20KBUF-1] = '\0';
+ init_error(ps_global, SM_ORDER | SM_DING, 3, 5, tmp_20k_buf);
+ }
+ else {
+ *s = ' ';
+ get_pair(ps_global->VAR_ENCRYPTION_RANGE, &min_s, &max_s, 1, 0);
+ *s = ',';
+
+ min_v = pith_ssl_encryption_version(min_s);
+ max_v = pith_ssl_encryption_version(max_s);
+
+ if(min_v < 0 || max_v < 0){
+ snprintf(tmp_20k_buf, SIZEOF_20KBUF,
+ _("Bad encryption range: \"%s\": resetting to default"),
+ ps_global->VAR_ENCRYPTION_RANGE);
+ tmp_20k_buf[SIZEOF_20KBUF-1] = '\0';
+ init_error(ps_global, SM_ORDER | SM_DING, 3, 5, tmp_20k_buf);
+ min_v = max_v = 0;
+ }
+
+ if(min_v > max_v){
+ int bubble;
+ snprintf(tmp_20k_buf, SIZEOF_20KBUF,
+ _("Minimum encryption protocol (%s) bigger than maximum value (%s). Reversing..."),
+ min_s, max_s);
+ tmp_20k_buf[SIZEOF_20KBUF-1] = '\0';
+ init_error(ps_global, SM_ORDER | SM_DING, 3, 5, tmp_20k_buf);
+ bubble = min_v;
+ min_v = max_v;
+ max_v = bubble;
+ }
+
+ if(max_v > 0 && max_v < (long) pith_ssl_encryption_version("tls1")){
+ snprintf(tmp_20k_buf, SIZEOF_20KBUF,
+ _("Security alert: SSL maximum encryption version was set to SSLv3."),
+ ps_global->VAR_ENCRYPTION_RANGE);
+ tmp_20k_buf[SIZEOF_20KBUF-1] = '\0';
+ init_error(ps_global, SM_ORDER | SM_DING, 3, 5, tmp_20k_buf);
+ }
+
+ mail_parameters(NULL, SET_ENCRYPTION_RANGE_MIN, (void *) &min_v);
+ mail_parameters(NULL, SET_ENCRYPTION_RANGE_MAX, (void *) &max_v);
+ }
+ }
+
/*
* setup alternative authentication driver preference for IMAP opens
*/
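Review bot: The "Security alert" check after the min/max swap only covers the ceiling of the range: it fires when max_v is below TLSv1, but a range whose minimum is below TLSv1 with a TLS maximum (an SSLv3 floor) passes with no warning, and that is exactly the configuration that leaves a downgrade to SSLv3 negotiable. A parallel warning on min_v, shown below, closes that gap using the same message style. Separately, the snprintf for the existing alert passes ps_global->VAR_ENCRYPTION_RANGE although the format has no conversion (the argument is silently ignored, and -Wformat-extra-args flags it), and the text hardcodes "SSLv3" even though any value below tls1 reaches it — `_("Security alert: maximum encryption protocol (%s) is below TLSv1."), max_s` would be accurate. If get_pair() returns freshly allocated strings here as it does elsewhere in Alpine, min_s and max_s are also never released; I cannot confirm that from this hunk. The enclosing main() starts before the hunk.
```c
/* … unchanged: range parsing, bad-value reset and min/max reversal … */

	    if(min_v > 0 && min_v < (long) pith_ssl_encryption_version("tls1")){
		snprintf(tmp_20k_buf, SIZEOF_20KBUF,
			_("Security alert: minimum encryption protocol (%s) is below TLSv1; a downgrade to SSL remains possible."),
			min_s);
		tmp_20k_buf[SIZEOF_20KBUF-1] = '\0';
		init_error(ps_global, SM_ORDER | SM_DING, 3, 5, tmp_20k_buf);
	    }

/* … unchanged: maximum-version alert and mail_parameters() calls … */
```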