authorEduardo Chappa <chappa@washington.edu>2020-02-03 21:15:19 -0700
committerEduardo Chappa <chappa@washington.edu>2020-02-03 21:15:19 -0700
commitdba6c62a11eed30f7a4e3e625eec8ca88252ab6c (patch)
treead330ee9baf787e4ce638b5da2a9480e33b6c630 /imap
parent709dc44768db0c0e1123181f53fdba26484eceaa (diff)
downloadalpine-dba6c62a11eed30f7a4e3e625eec8ca88252ab6c.tar.xz
* Add variable system-certs-file to indicate the location of a container
of CA certificates. This complements the variable system-certs-path, which gives the location of the directory that contains CA certificates.
Diffstat (limited to 'imap')
-rw-r--r--imap/src/c-client/mail.h6
-rw-r--r--imap/src/osdep/nt/env_nt.c9
-rw-r--r--imap/src/osdep/nt/ssl_libressl.c9
-rw-r--r--imap/src/osdep/unix/env_unix.c11
-rw-r--r--imap/src/osdep/unix/ssl_unix.c7
5 files changed, 35 insertions, 7 deletions
diff --git a/imap/src/c-client/mail.h b/imap/src/c-client/mail.h
index e6c0f695..1a4e1b04 100644
--- a/imap/src/c-client/mail.h
+++ b/imap/src/c-client/mail.h
@@ -192,8 +192,10 @@
#define SET_EXTERNALAUTHID (long) 230
#define GET_SSLCAPATH (long) 231
#define SET_SSLCAPATH (long) 232
-#define GET_RESTRICTIONS (long) 233
-#define SET_RESTRICTIONS (long) 234
+#define GET_SSLCAFILE (long) 233
+#define SET_SSLCAFILE (long) 234
+#define GET_RESTRICTIONS (long) 235
+#define SET_RESTRICTIONS (long) 236
/* 3xx: TCP/IP */
#define GET_OPENTIMEOUT (long) 300
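Review bot: Renumbering GET_RESTRICTIONS/SET_RESTRICTIONS from 233/234 to 235/236 so the new SSLCAFILE codes can sit next to SSLCAPATH changes the value of an existing mail_parameters() function code, which is an ABI break for anything compiled against the previous mail.h: a caller built with the old header and run against a c-client built from this one would have its GET_RESTRICTIONS call interpreted as GET_SSLCAFILE, and vice versa. If c-client is ever consumed as a shared library or by out-of-tree callers, the new codes should be appended instead, `#define GET_SSLCAFILE (long) 235` / `#define SET_SSLCAFILE (long) 236`, leaving 233/234 untouched. Whether anything outside this tree links against c-client cannot be determined from the hunk, so if it is strictly in-tree this is a documentation point: a comment noting that these codes are not stable across releases would save the next person the same question.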
diff --git a/imap/src/osdep/nt/env_nt.c b/imap/src/osdep/nt/env_nt.c
index da84b10c..8fc72f0c 100644
--- a/imap/src/osdep/nt/env_nt.c
+++ b/imap/src/osdep/nt/env_nt.c
@@ -44,6 +44,7 @@ static unsigned int rndm = 0; /* initial `random' number */
static int server_nli = 0; /* server and not logged in */
static int logtry = 3; /* number of login tries */
static char *sslCApath = NIL; /* non-standard CA path */
+static char *sslCAfile = NIL; /* non-standard CA container */
/* block notification */
static blocknotify_t mailblocknotify = mm_blocknotify;
/* callback to get username */
@@ -135,6 +136,13 @@ void *env_parameters (long function,void *value)
case GET_SSLCAPATH:
ret = (void *) sslCApath;
break;
+ case SET_SSLCAFILE: /* this can be set null */
+ if (sslCAfile) fs_give ((void **) &sslCAfile);
+ sslCAfile = value ? cpystr ((char *) value) : value;
+ break;
+ case GET_SSLCAFILE:
+ ret = (void *) sslCAfile;
+ break;
}
return ret;
}
@@ -786,4 +794,5 @@ void env_end(void)
if(myNewsrc) fs_give((void **) &myNewsrc);
if(sysInbox) fs_give((void **) &sysInbox);
if(sslCApath) fs_give((void **) &sslCApath);
+ if(sslCAfile) fs_give((void **) &sslCAfile);
}
diff --git a/imap/src/osdep/nt/ssl_libressl.c b/imap/src/osdep/nt/ssl_libressl.c
index 366fae01..5270a9f8 100644
--- a/imap/src/osdep/nt/ssl_libressl.c
+++ b/imap/src/osdep/nt/ssl_libressl.c
@@ -387,6 +387,7 @@ static char *ssl_start_work(SSLSTREAM *stream, char *host, unsigned long flags)
int minv, maxv;
int masklow, maskhigh;
char *s, *t, *err, tmp[MAILTMPLEN], buf[256];
+ char *CAfile, *CApath;
sslcertificatequery_t scq =
(sslcertificatequery_t)mail_parameters(NIL, GET_SSLCERTIFICATEQUERY, NIL);
sslclientcert_t scc =
@@ -406,10 +407,12 @@ static char *ssl_start_work(SSLSTREAM *stream, char *host, unsigned long flags)
SSL_CTX_set_verify(stream->context, SSL_VERIFY_NONE, NIL);
else SSL_CTX_set_verify(stream->context, SSL_VERIFY_PEER, ssl_open_verify);
/* a non-standard path desired */
- if ((s = (char *)mail_parameters(NIL, GET_SSLCAPATH, NIL)) != NIL)
- SSL_CTX_load_verify_locations(stream->context, NIL, (const char *)s);
+ CAfile = (char *) mail_parameters (NIL, GET_SSLCAFILE, NIL);
+ CApath = (char *) mail_parameters (NIL, GET_SSLCAPATH, NIL);
+ if (CAfile != NIL || CApath != NIL)
+ SSL_CTX_load_verify_locations (stream->context, CAfile, CApath);
else /* otherwise we set default paths to CAs... */
- SSL_CTX_set_default_verify_paths(stream->context);
+ SSL_CTX_set_default_verify_paths(stream->context);
/* want to send client certificate? */
if (scc && (s = (*scc) ()) && (sl = strlen(s))) {
if ((cert = PEM_read_bio_X509(bio = BIO_new_mem_buf(s, sl), NIL, NIL, NIL)) != NIL) {
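Review bot: The return value of SSL_CTX_load_verify_locations() on the new line is discarded, so a misspelled or unreadable CAfile/CApath leaves the context with an empty trust store and no diagnostic; with SSL_VERIFY_PEER set just above, every server certificate would then be expected to fail with a generic "unable to get local issuer certificate" rather than a message pointing at the configuration. Check the result, e.g. `if (!SSL_CTX_load_verify_locations (stream->context, CAfile, CApath)) return "Unable to load CA certificate file or path";`, assuming ssl_start_work reports failures through its char* return as the `err` local suggests (the function's error path lies outside the hunk). The same unchecked call is introduced in ssl_unix.c and should be handled identically.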
diff --git a/imap/src/osdep/unix/env_unix.c b/imap/src/osdep/unix/env_unix.c
index 322ab61a..fe1b91d4 100644
--- a/imap/src/osdep/unix/env_unix.c
+++ b/imap/src/osdep/unix/env_unix.c
@@ -73,6 +73,7 @@ static char *blackBoxDir = NIL; /* black box directory name */
/* black box default home directory */
static char *blackBoxDefaultHome = NIL;
static char *sslCApath = NIL; /* non-standard CA path */
+static char *sslCAfile = NIL; /* non-standard CA container */
static short anonymous = NIL; /* is anonymous */
static short blackBox = NIL; /* is a black box */
static short closedBox = NIL; /* is a closed box (uses chroot() jail) */
@@ -346,6 +347,13 @@ void *env_parameters (long function,void *value)
case GET_SSLCAPATH:
ret = (void *) sslCApath;
break;
+ case SET_SSLCAFILE: /* this can be set null */
+ if (sslCAfile) fs_give ((void **) &sslCAfile);
+ sslCAfile = value ? cpystr ((char *) value) : value;
+ break;
+ case GET_SSLCAFILE:
+ ret = (void *) sslCAfile;
+ break;
case SET_LISTMAXLEVEL:
list_max_level = (long) value;
case GET_LISTMAXLEVEL:
@@ -1766,6 +1774,8 @@ void dorc (char *file,long flag)
*/
else if (!compare_cstring (s,"set CA-certificate-path"))
sslCApath = cpystr (k);
+ else if (!compare_cstring (s,"set CA-certificate-container"))
+ sslCAfile = cpystr (k);
else if (!compare_cstring (s,"set disable-plaintext"))
disablePlaintext = atoi (k);
else if (!compare_cstring (s,"set allowed-login-attempts"))
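Review bot: `sslCAfile = cpystr (k);` overwrites the pointer without releasing a previous value, so a second `set CA-certificate-container` line in the rc file, or a value set earlier through SET_SSLCAFILE, leaks the old string; the new SET_SSLCAFILE case in env_parameters frees before reassigning, and dorc should match it: `if (sslCAfile) fs_give ((void **) &sslCAfile); sslCAfile = cpystr (k);`. The pre-existing CA-certificate-path branch has the same pattern and could be fixed the same way while here. dorc's body begins and ends outside the hunk, so I cannot see whether it is guaranteed to run only once per process.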
@@ -1872,6 +1882,7 @@ void env_end(void)
if(blackBoxDefaultHome)
fs_give((void **)&blackBoxDefaultHome);
if(sslCApath) fs_give((void **)&sslCApath);
+ if(sslCAfile) fs_give((void **)&sslCAfile);
if(userFlags){
int i;
for(i = 0; i < NUSERFLAGS; i++)
diff --git a/imap/src/osdep/unix/ssl_unix.c b/imap/src/osdep/unix/ssl_unix.c
index 57931525..4ebe1ae7 100644
--- a/imap/src/osdep/unix/ssl_unix.c
+++ b/imap/src/osdep/unix/ssl_unix.c
@@ -395,6 +395,7 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags)
int minv, maxv;
int masklow, maskhigh;
char *s,*t,*err,tmp[MAILTMPLEN], buf[256];
+ char *CAfile, *CApath;
sslcertificatequery_t scq =
(sslcertificatequery_t) mail_parameters (NIL,GET_SSLCERTIFICATEQUERY,NIL);
sslclientcert_t scc =
@@ -414,8 +415,10 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags)
SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL);
else SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify);
/* if a non-standard path desired */
- if ((s = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL)) != NULL)
- SSL_CTX_load_verify_locations (stream->context,NIL,s);
+ CAfile = (char *) mail_parameters (NIL,GET_SSLCAFILE,NIL);
+ CApath = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL);
+ if (CAfile != NIL || CApath != NIL)
+ SSL_CTX_load_verify_locations (stream->context, CAfile, CApath);
else /* set default paths to CAs... */
SSL_CTX_set_default_verify_paths (stream->context);
/* want to send client certificate? */
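Review bot: SSL_CTX_load_verify_locations() can fail and the new code ignores that, which turns a wrong `system-certs-file` value into an empty trust store for the connection instead of a reportable configuration error; the user would see only whatever the verify callback set two lines earlier does with an untrusted chain. The three-line change is to test the result and bail out, `if (!SSL_CTX_load_verify_locations (stream->context, CAfile, CApath)) return "Unable to load CA certificates from configured file/path";`, on the assumption that ssl_start_work's char* return is its error channel (its error path is not visible in the hunk). Also worth a one-line comment above the `if`: `/* either value may be NIL; OpenSSL accepts a file, a directory, or both */`, since that is the reason the previous single-argument form was replaced.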