authorEduardo Chappa <chappa@washington.edu>2019-02-17 19:17:46 -0700
committerEduardo Chappa <chappa@washington.edu>2019-02-17 19:17:46 -0700
commit08fcd1b86979b422eb586e56459d6fe15333e500 (patch)
tree27247d07d9c1063e2a2fc376155d675f54a4d4e4 /alpine
parent35f3426203172af028df5a6e39bc6dea2514020d (diff)
downloadalpine-08fcd1b86979b422eb586e56459d6fe15333e500.tar.xz
* Rewrite support for specific SSL encryption protocols, including
a. Add a new variable: encryption-protocol-range, which can be used to specify the minimum and maximum versions of the TLS protocol that Alpine will attempt to use to encrypt its communication with the server. b. Add support for the Server Name Identification (SNI) extension needed for TLSv1.3. c. Remove the DTLS code. It was not being used.
Diffstat (limited to 'alpine')
-rw-r--r--alpine/alpine.c65
-rw-r--r--alpine/confscroll.c2
2 files changed, 67 insertions, 0 deletions
diff --git a/alpine/alpine.c b/alpine/alpine.c
index bbccb793..11f3354e 100644
--- a/alpine/alpine.c
+++ b/alpine/alpine.c
@@ -646,6 +646,71 @@ main(int argc, char **argv)
}
}
+ if(ps_global->VAR_ENCRYPTION_RANGE
+ && ps_global->VAR_ENCRYPTION_RANGE[0]){
+ char *min_s, *max_s, *s;
+ int min_v, max_v;
+
+ if((s = strchr(ps_global->VAR_ENCRYPTION_RANGE, ',')) == NULL){
+ snprintf(tmp_20k_buf, SIZEOF_20KBUF,
+ _("Bad encryption range: \"%s\": resetting to default"),
+ ps_global->VAR_ENCRYPTION_RANGE);
+ tmp_20k_buf[SIZEOF_20KBUF-1] = '\0';
+ init_error(ps_global, SM_ORDER | SM_DING, 3, 5, tmp_20k_buf);
+ fs_give((void **) &ps_global->VAR_ENCRYPTION_RANGE);
+ ps_global->VAR_ENCRYPTION_RANGE = cpystr(DF_ENCRYPTION_RANGE);
+ s = strchr(ps_global->VAR_ENCRYPTION_RANGE, ','); /* try again */
+ }
+
+ if(s == NULL){
+ snprintf(tmp_20k_buf, SIZEOF_20KBUF,
+ _("Bad default encryption range: \"%s\""),
+ ps_global->VAR_ENCRYPTION_RANGE);
+ tmp_20k_buf[SIZEOF_20KBUF-1] = '\0';
+ init_error(ps_global, SM_ORDER | SM_DING, 3, 5, tmp_20k_buf);
+ }
+ else {
+ *s = ' ';
+ get_pair(ps_global->VAR_ENCRYPTION_RANGE, &min_s, &max_s, 1, 0);
+ *s = ',';
+
+ min_v = pith_ssl_encryption_version(min_s);
+ max_v = pith_ssl_encryption_version(max_s);
+
+ if(min_v < 0 || max_v < 0){
+ snprintf(tmp_20k_buf, SIZEOF_20KBUF,
+ _("Bad encryption range: \"%s\": resetting to default"),
+ ps_global->VAR_ENCRYPTION_RANGE);
+ tmp_20k_buf[SIZEOF_20KBUF-1] = '\0';
+ init_error(ps_global, SM_ORDER | SM_DING, 3, 5, tmp_20k_buf);
+ min_v = max_v = 0;
+ }
+
+ if(min_v > max_v){
+ int bubble;
+ snprintf(tmp_20k_buf, SIZEOF_20KBUF,
+ _("Minimum encryption protocol (%s) bigger than maximum value (%s). Reversing..."),
+ min_s, max_s);
+ tmp_20k_buf[SIZEOF_20KBUF-1] = '\0';
+ init_error(ps_global, SM_ORDER | SM_DING, 3, 5, tmp_20k_buf);
+ bubble = min_v;
+ min_v = max_v;
+ max_v = bubble;
+ }
+
+ if(max_v > 0 && max_v < (long) pith_ssl_encryption_version("tls1")){
+ snprintf(tmp_20k_buf, SIZEOF_20KBUF,
+ _("Security alert: SSL maximum encryption version was set to SSLv3."),
+ ps_global->VAR_ENCRYPTION_RANGE);
+ tmp_20k_buf[SIZEOF_20KBUF-1] = '\0';
+ init_error(ps_global, SM_ORDER | SM_DING, 3, 5, tmp_20k_buf);
+ }
+
+ mail_parameters(NULL, SET_ENCRYPTION_RANGE_MIN, (void *) &min_v);
+ mail_parameters(NULL, SET_ENCRYPTION_RANGE_MAX, (void *) &max_v);
+ }
+ }
+
/*
* setup alternative authentication driver preference for IMAP opens
*/
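Review bot: The SSLv3 alert guarded by `if(max_v > 0 && max_v < (long) pith_ssl_encryption_version("tls1"))` fires only when the *maximum* is below TLS 1.0, so a range whose minimum names SSLv3 but whose maximum is a TLS version installs a pre-TLS floor with no warning at all; if the intent is to flag any pre-TLS protocol being enabled, the minimum needs the same test, e.g. `if(min_v > 0 && min_v < pith_ssl_encryption_version("tls1"))` with a matching message. That same `snprintf` passes `ps_global->VAR_ENCRYPTION_RANGE` to a format string containing no conversion, which is harmless at runtime but is a `-Wformat-extra-args` warning and suggests the range was meant to appear in the message via `%s`. On the `min_v < 0 || max_v < 0` path the user is told "resetting to default" but the code only sets `min_v = max_v = 0` and leaves the rejected string in `VAR_ENCRYPTION_RANGE`, unlike the first branch which actually reinstalls `DF_ENCRYPTION_RANGE`; what 0 means to `SET_ENCRYPTION_RANGE_MIN`/`SET_ENCRYPTION_RANGE_MAX` is not visible here, so either confirm it selects the library default or reset the string as the earlier branch does. If `get_pair` returns heap copies in `min_s` and `max_s`, nothing in the visible lines releases them. The enclosing `main` starts before and continues after this hunk.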
diff --git a/alpine/confscroll.c b/alpine/confscroll.c
index ff8841fe..98e5768b 100644
--- a/alpine/confscroll.c
+++ b/alpine/confscroll.c
@@ -341,6 +341,7 @@ exclude_config_var(struct pine *ps, struct variable *var, int allow_hard_to_conf
case V_GLOB_ADDRBOOK :
case V_DISABLE_DRIVERS :
case V_DISABLE_AUTHS :
+ case V_ENCRYPTION_RANGE :
case V_REMOTE_ABOOK_METADATA :
case V_REMOTE_ABOOK_HISTORY :
case V_REMOTE_ABOOK_VALIDITY :
@@ -5767,6 +5768,7 @@ fix_side_effects(struct pine *ps, struct variable *var, int revert)
var == &ps->vars[V_NEWS_SPEC] ||
var == &ps->vars[V_DISABLE_DRIVERS] ||
var == &ps->vars[V_DISABLE_AUTHS] ||
+ var == &ps->vars[V_ENCRYPTION_RANGE] ||
var == &ps->vars[V_RSHPATH] ||
var == &ps->vars[V_RSHCMD] ||
var == &ps->vars[V_SSHCMD] ||