author | Eduardo Chappa <chappa@washington.edu> | 2020-02-03 21:15:19 -0700 |
---|---|---|
committer | Eduardo Chappa <chappa@washington.edu> | 2020-02-03 21:15:19 -0700 |
commit | dba6c62a11eed30f7a4e3e625eec8ca88252ab6c (patch) | |
tree | ad330ee9baf787e4ce638b5da2a9480e33b6c630 /imap | |
parent | 709dc44768db0c0e1123181f53fdba26484eceaa (diff) | |
download | alpine-dba6c62a11eed30f7a4e3e625eec8ca88252ab6c.tar.xz |
* Add variable system-certs-file to indicate the location of a container
of CA certificates. This complements the variable system-certs-path that
gives the location of the directory that contains CA certificates.
Diffstat (limited to 'imap')
-rw-r--r-- | imap/src/c-client/mail.h | 6 | ||||
-rw-r--r-- | imap/src/osdep/nt/env_nt.c | 9 | ||||
-rw-r--r-- | imap/src/osdep/nt/ssl_libressl.c | 9 | ||||
-rw-r--r-- | imap/src/osdep/unix/env_unix.c | 11 | ||||
-rw-r--r-- | imap/src/osdep/unix/ssl_unix.c | 7 |
5 files changed, 35 insertions, 7 deletions
diff --git a/imap/src/c-client/mail.h b/imap/src/c-client/mail.h index e6c0f695..1a4e1b04 100644 --- a/imap/src/c-client/mail.h +++ b/imap/src/c-client/mail.h @@ -192,8 +192,10 @@ #define SET_EXTERNALAUTHID (long) 230 #define GET_SSLCAPATH (long) 231 #define SET_SSLCAPATH (long) 232 -#define GET_RESTRICTIONS (long) 233 -#define SET_RESTRICTIONS (long) 234 +#define GET_SSLCAFILE (long) 233 +#define SET_SSLCAFILE (long) 234 +#define GET_RESTRICTIONS (long) 235 +#define SET_RESTRICTIONS (long) 236 /* 3xx: TCP/IP */ #define GET_OPENTIMEOUT (long) 300 diff --git a/imap/src/osdep/nt/env_nt.c b/imap/src/osdep/nt/env_nt.c index da84b10c..8fc72f0c 100644 --- a/imap/src/osdep/nt/env_nt.c +++ b/imap/src/osdep/nt/env_nt.c @@ -44,6 +44,7 @@ static unsigned int rndm = 0; /* initial `random' number */ static int server_nli = 0; /* server and not logged in */ static int logtry = 3; /* number of login tries */ static char *sslCApath = NIL; /* non-standard CA path */ +static char *sslCAfile = NIL; /* non-standard CA container */ /* block notification */ static blocknotify_t mailblocknotify = mm_blocknotify; /* callback to get username */ @@ -135,6 +136,13 @@ void *env_parameters (long function,void *value) case GET_SSLCAPATH: ret = (void *) sslCApath; break; + case SET_SSLCAFILE: /* this can be set null */ + if (sslCAfile) fs_give ((void **) &sslCAfile); + sslCAfile = value ? cpystr ((char *) value) : value; + break; + case GET_SSLCAFILE: + ret = (void *) sslCAfile; + break; } return ret; } @@ -786,4 +794,5 @@ void env_end(void) if(myNewsrc) fs_give((void **) &myNewsrc); if(sysInbox) fs_give((void **) &sysInbox); if(sslCApath) fs_give((void **) &sslCApath); + if(sslCAfile) fs_give((void **) &sslCAfile); } diff --git a/imap/src/osdep/nt/ssl_libressl.c b/imap/src/osdep/nt/ssl_libressl.c index 366fae01..5270a9f8 100644 --- a/imap/src/osdep/nt/ssl_libressl.c +++ b/imap/src/osdep/nt/ssl_libressl.c 
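Review bot: Renumbering the existing `GET_RESTRICTIONS`/`SET_RESTRICTIONS` constants from 233/234 to 235/236 in the mail.h hunk changes the numeric contract of mail_parameters(): any caller built against the previous header, or any out-of-tree code that hard-codes these values, would now land on `GET_SSLCAFILE`/`SET_SSLCAFILE` when it means restrictions, and the SET case would treat a restrictions value as a `char *` to copy. Inserting the new pair without moving the old one avoids that: `#define GET_SSLCAFILE (long) 235` and `#define SET_SSLCAFILE (long) 236`, leaving `GET_RESTRICTIONS`/`SET_RESTRICTIONS` at 233/234. Whether anything outside this tree consumes mail.h is not visible here, so this may be acceptable if the header is treated as internal, but it deserves a comment at the definition either way.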
@@ -387,6 +387,7 @@ static char *ssl_start_work(SSLSTREAM *stream, char *host, unsigned long flags) int minv, maxv; int masklow, maskhigh; char *s, *t, *err, tmp[MAILTMPLEN], buf[256]; + char *CAfile, *CApath; sslcertificatequery_t scq = (sslcertificatequery_t)mail_parameters(NIL, GET_SSLCERTIFICATEQUERY, NIL); sslclientcert_t scc = @@ -406,10 +407,12 @@ static char *ssl_start_work(SSLSTREAM *stream, char *host, unsigned long flags) SSL_CTX_set_verify(stream->context, SSL_VERIFY_NONE, NIL); else SSL_CTX_set_verify(stream->context, SSL_VERIFY_PEER, ssl_open_verify); /* a non-standard path desired */ - if ((s = (char *)mail_parameters(NIL, GET_SSLCAPATH, NIL)) != NIL) - SSL_CTX_load_verify_locations(stream->context, NIL, (const char *)s); + CAfile = (char *) mail_parameters (NIL, GET_SSLCAFILE, NIL); + CApath = (char *) mail_parameters (NIL, GET_SSLCAPATH, NIL); + if (CAfile != NIL || CApath != NIL) + SSL_CTX_load_verify_locations (stream->context, CAfile, CApath); else /* otherwise we set default paths to CAs... */ - SSL_CTX_set_default_verify_paths(stream->context); + SSL_CTX_set_default_verify_paths(stream->context); /* want to send client certificate? */ if (scc && (s = (*scc) ()) && (sl = strlen(s))) { if ((cert = PEM_read_bio_X509(bio = BIO_new_mem_buf(s, sl), NIL, NIL, NIL)) != NIL) { diff --git a/imap/src/osdep/unix/env_unix.c b/imap/src/osdep/unix/env_unix.c index 322ab61a..fe1b91d4 100644 --- a/imap/src/osdep/unix/env_unix.c +++ b/imap/src/osdep/unix/env_unix.c @@ -73,6 +73,7 @@ static char *blackBoxDir = NIL; /* black box directory name */ /* black box default home directory */ static char *blackBoxDefaultHome = NIL; static char *sslCApath = NIL; /* non-standard CA path */ +static char *sslCAfile = NIL; /* non-standard CA container */ static short anonymous = NIL; /* is anonymous */ static short blackBox = NIL; /* is a black box */ static short closedBox = NIL; /* is a closed box (uses chroot() jail) */ 
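Review bot: The return value of `SSL_CTX_load_verify_locations` is still discarded in the verify-location hunk of ssl_libressl.c, so an unreadable or mistyped CA file or directory leaves the context with no trust anchors and no indication why; the failure only shows up later as a certificate that cannot be verified, or not at all under `SSL_VERIFY_NONE`. Now that a configured file path is passed too, a bad path is a more likely misconfiguration than before, and it should fail loudly: `if (!SSL_CTX_load_verify_locations (stream->context, CAfile, CApath)) return "Unable to load CA certificates";` where the function's `char *` return is presumably its error-message path, though that convention is outside this hunk. It is also worth a comment that an explicit file or directory replaces rather than augments the default store, e.g. `/* explicit CA file/dir replaces the default trust store */`, since `SSL_CTX_set_default_verify_paths` is skipped whenever either is set. ssl_start_work begins and ends outside this hunk.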
@@ -346,6 +347,13 @@ void *env_parameters (long function,void *value) case GET_SSLCAPATH: ret = (void *) sslCApath; break; + case SET_SSLCAFILE: /* this can be set null */ + if (sslCAfile) fs_give ((void **) &sslCAfile); + sslCAfile = value ? cpystr ((char *) value) : value; + break; + case GET_SSLCAFILE: + ret = (void *) sslCAfile; + break; case SET_LISTMAXLEVEL: list_max_level = (long) value; case GET_LISTMAXLEVEL: @@ -1766,6 +1774,8 @@ void dorc (char *file,long flag) */ else if (!compare_cstring (s,"set CA-certificate-path")) sslCApath = cpystr (k); + else if (!compare_cstring (s,"set CA-certificate-container")) + sslCAfile = cpystr (k); else if (!compare_cstring (s,"set disable-plaintext")) disablePlaintext = atoi (k); else if (!compare_cstring (s,"set allowed-login-attempts")) @@ -1872,6 +1882,7 @@ void env_end(void) if(blackBoxDefaultHome) fs_give((void **)&blackBoxDefaultHome); if(sslCApath) fs_give((void **)&sslCApath); + if(sslCAfile) fs_give((void **)&sslCAfile); if(userFlags){ int i; for(i = 0; i < NUSERFLAGS; i++) diff --git a/imap/src/osdep/unix/ssl_unix.c b/imap/src/osdep/unix/ssl_unix.c index 57931525..4ebe1ae7 100644 --- a/imap/src/osdep/unix/ssl_unix.c +++ b/imap/src/osdep/unix/ssl_unix.c @@ -395,6 +395,7 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags) int minv, maxv; int masklow, maskhigh; char *s,*t,*err,tmp[MAILTMPLEN], buf[256]; + char *CAfile, *CApath; sslcertificatequery_t scq = (sslcertificatequery_t) mail_parameters (NIL,GET_SSLCERTIFICATEQUERY,NIL); sslclientcert_t scc = 
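Review bot: In the dorc() hunk of env_unix.c, `sslCAfile = cpystr (k);` overwrites whatever the variable already holds without releasing it, unlike the new `SET_SSLCAFILE` case in env_parameters which calls `fs_give` first; if the option appears twice, or dorc is run for more than one configuration file, the earlier copy leaks. Mirror the setter here: `if (sslCAfile) fs_give ((void **) &sslCAfile);` on the line before the `cpystr`. The adjacent `CA-certificate-path` line has the same shape, so this is a pre-existing pattern being extended rather than a new mistake, but the new line is the one to fix. dorc begins and ends outside this hunk.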
@@ -414,8 +415,10 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags) SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL); else SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify); /* if a non-standard path desired */ - if ((s = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL)) != NULL) - SSL_CTX_load_verify_locations (stream->context,NIL,s); + CAfile = (char *) mail_parameters (NIL,GET_SSLCAFILE,NIL); + CApath = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL); + if (CAfile != NIL || CApath != NIL) + SSL_CTX_load_verify_locations (stream->context, CAfile, CApath); else /* set default paths to CAs... */ SSL_CTX_set_default_verify_paths (stream->context); /* want to send client certificate? */ |
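Review bot: `SSL_CTX_load_verify_locations` in the ssl_unix.c hunk is called for its side effect only and its result is never checked, so a CA container or directory that cannot be opened silently produces a context with an empty trust store; with `SSL_VERIFY_PEER` every server certificate then fails and the outcome is left to `ssl_open_verify`, which is not visible here. The caller should learn about the misconfiguration at the point it happens: `if (!SSL_CTX_load_verify_locations (stream->context, CAfile, CApath)) return "Unable to load CA certificates";` assuming the function's `char *` return is its error path, which this hunk does not show. A brief comment would also help readers, e.g. `/* a configured CA file and/or directory replaces the default store */`, since the `else` branch with `SSL_CTX_set_default_verify_paths` is skipped as soon as either is set. ssl_start_work begins and ends outside this hunk.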