* Add variable system-certs-file to indicate the location of a container

of CA certificates. This complements the variable system-certs-path that gives the location the directory that containes CA certificates.
author: Eduardo Chappa <chappa@washington.edu> 2020-02-03 21:15:19 -0700
committer: Eduardo Chappa <chappa@washington.edu> 2020-02-03 21:15:19 -0700
commit: dba6c62a11eed30f7a4e3e625eec8ca88252ab6c (patch)
tree: ad330ee9baf787e4ce638b5da2a9480e33b6c630 /imap
parent: 709dc44768db0c0e1123181f53fdba26484eceaa (diff)
download: alpine-dba6c62a11eed30f7a4e3e625eec8ca88252ab6c.tar.xz
5 files changed, 35 insertions, 7 deletions
diff --git a/imap/src/c-client/mail.h b/imap/src/c-client/mail.h
index e6c0f695..1a4e1b04 100644
--- a/imap/src/c-client/mail.h
+++ b/imap/src/c-client/mail.h
@@ -192,8 +192,10 @@
 #define SET_EXTERNALAUTHID (long) 230
 #define GET_SSLCAPATH (long) 231
 #define SET_SSLCAPATH (long) 232
-#define GET_RESTRICTIONS (long) 233
-#define SET_RESTRICTIONS (long) 234
+#define GET_SSLCAFILE (long) 233
+#define SET_SSLCAFILE (long) 234
+#define GET_RESTRICTIONS (long) 235
+#define SET_RESTRICTIONS (long) 236
 
 	/* 3xx: TCP/IP */
 #define GET_OPENTIMEOUT (long) 300
diff --git a/imap/src/osdep/nt/env_nt.c b/imap/src/osdep/nt/env_nt.c
index da84b10c..8fc72f0c 100644
--- a/imap/src/osdep/nt/env_nt.c
+++ b/imap/src/osdep/nt/env_nt.c
@@ -44,6 +44,7 @@ static unsigned int rndm = 0;	/* initial `random' number */
 static int server_nli = 0;	/* server and not logged in */
 static int logtry = 3;		/* number of login tries */
 static char *sslCApath = NIL;	/* non-standard CA path */
+static char *sslCAfile = NIL;	/* non-standard CA container */
 				/* block notification */
 static blocknotify_t mailblocknotify = mm_blocknotify;
 				/* callback to get username */
@@ -135,6 +136,13 @@ void *env_parameters (long function,void *value)
   case GET_SSLCAPATH:
     ret = (void *) sslCApath;
     break;
+  case SET_SSLCAFILE:		/* this can be set null */
+    if (sslCAfile) fs_give ((void **) &sslCAfile);
+    sslCAfile = value ? cpystr ((char *) value) : value;
+    break;
+  case GET_SSLCAFILE:
+    ret = (void *) sslCAfile;
+    break;
   }
   return ret;
 }
@@ -786,4 +794,5 @@ void env_end(void)
   if(myNewsrc)	  fs_give((void **) &myNewsrc);
   if(sysInbox)	  fs_give((void **) &sysInbox);
   if(sslCApath)	  fs_give((void **) &sslCApath);
+  if(sslCAfile)	  fs_give((void **) &sslCAfile);
 }
diff --git a/imap/src/osdep/nt/ssl_libressl.c b/imap/src/osdep/nt/ssl_libressl.c
index 366fae01..5270a9f8 100644
--- a/imap/src/osdep/nt/ssl_libressl.c
+++ b/imap/src/osdep/nt/ssl_libressl.c
@@ -387,6 +387,7 @@ static char *ssl_start_work(SSLSTREAM *stream, char *host, unsigned long flags)
 	int minv, maxv;
 	int masklow, maskhigh;
 	char *s, *t, *err, tmp[MAILTMPLEN], buf[256];
+	char *CAfile, *CApath;
 	sslcertificatequery_t scq =
 		(sslcertificatequery_t)mail_parameters(NIL, GET_SSLCERTIFICATEQUERY, NIL);
 	sslclientcert_t scc =
@@ -406,10 +407,12 @@ static char *ssl_start_work(SSLSTREAM *stream, char *host, unsigned long flags)
 		SSL_CTX_set_verify(stream->context, SSL_VERIFY_NONE, NIL);
 	else SSL_CTX_set_verify(stream->context, SSL_VERIFY_PEER, ssl_open_verify);
 			/* a non-standard path desired */
-	if ((s = (char *)mail_parameters(NIL, GET_SSLCAPATH, NIL)) != NIL)
-		SSL_CTX_load_verify_locations(stream->context, NIL, (const char *)s);
+	CAfile = (char *) mail_parameters (NIL, GET_SSLCAFILE, NIL);
+	CApath = (char *) mail_parameters (NIL, GET_SSLCAPATH, NIL);
+	if (CAfile != NIL || CApath != NIL)
+	    SSL_CTX_load_verify_locations (stream->context, CAfile, CApath);
 	else 		/* otherwise we set default paths to CAs... */
-		SSL_CTX_set_default_verify_paths(stream->context);
+	    SSL_CTX_set_default_verify_paths(stream->context);
 	/* want to send client certificate? */
 	if (scc && (s = (*scc) ()) && (sl = strlen(s))) {
 		if ((cert = PEM_read_bio_X509(bio = BIO_new_mem_buf(s, sl), NIL, NIL, NIL)) != NIL) {
diff --git a/imap/src/osdep/unix/env_unix.c b/imap/src/osdep/unix/env_unix.c
index 322ab61a..fe1b91d4 100644
--- a/imap/src/osdep/unix/env_unix.c
+++ b/imap/src/osdep/unix/env_unix.c
@@ -73,6 +73,7 @@ static char *blackBoxDir = NIL;	/* black box directory name */
 				/* black box default home directory */
 static char *blackBoxDefaultHome = NIL;
 static char *sslCApath = NIL;	/* non-standard CA path */
+static char *sslCAfile = NIL;	/* non-standard CA container */
 static short anonymous = NIL;	/* is anonymous */
 static short blackBox = NIL;	/* is a black box */
 static short closedBox = NIL;	/* is a closed box (uses chroot() jail) */
@@ -346,6 +347,13 @@ void *env_parameters (long function,void *value)
   case GET_SSLCAPATH:
     ret = (void *) sslCApath;
     break;
+  case SET_SSLCAFILE:		/* this can be set null */
+    if (sslCAfile) fs_give ((void **) &sslCAfile);
+    sslCAfile = value ? cpystr ((char *) value) : value;
+    break;
+  case GET_SSLCAFILE:
+    ret = (void *) sslCAfile;
+    break;
   case SET_LISTMAXLEVEL:
     list_max_level = (long) value;
   case GET_LISTMAXLEVEL:
@@ -1766,6 +1774,8 @@ void dorc (char *file,long flag)
 				 */
 	  else if (!compare_cstring (s,"set CA-certificate-path"))
 	    sslCApath = cpystr (k);
+	  else if (!compare_cstring (s,"set CA-certificate-container"))
+	    sslCAfile = cpystr (k);
 	  else if (!compare_cstring (s,"set disable-plaintext"))
 	    disablePlaintext = atoi (k);
 	  else if (!compare_cstring (s,"set allowed-login-attempts"))
@@ -1872,6 +1882,7 @@ void env_end(void)
   if(blackBoxDefaultHome)
 		   fs_give((void **)&blackBoxDefaultHome);
   if(sslCApath)	   fs_give((void **)&sslCApath);
+  if(sslCAfile)	   fs_give((void **)&sslCAfile);
   if(userFlags){
     int i;
     for(i = 0; i < NUSERFLAGS; i++)
diff --git a/imap/src/osdep/unix/ssl_unix.c b/imap/src/osdep/unix/ssl_unix.c
index 57931525..4ebe1ae7 100644
--- a/imap/src/osdep/unix/ssl_unix.c
+++ b/imap/src/osdep/unix/ssl_unix.c
@@ -395,6 +395,7 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags)
   int minv, maxv;
   int masklow, maskhigh;
   char *s,*t,*err,tmp[MAILTMPLEN], buf[256];
+  char *CAfile, *CApath;
   sslcertificatequery_t scq =
     (sslcertificatequery_t) mail_parameters (NIL,GET_SSLCERTIFICATEQUERY,NIL);
   sslclientcert_t scc =
@@ -414,8 +415,10 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags)
     SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL);
   else SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify);
 				/* if a non-standard path desired */
-  if ((s = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL)) != NULL)
-    SSL_CTX_load_verify_locations (stream->context,NIL,s);
+  CAfile = (char *) mail_parameters (NIL,GET_SSLCAFILE,NIL);
+  CApath = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL);
+  if (CAfile != NIL || CApath != NIL)
+    SSL_CTX_load_verify_locations (stream->context, CAfile, CApath);
   else				/* set default paths to CAs... */
   SSL_CTX_set_default_verify_paths (stream->context);
 				/* want to send client certificate? */
author	Eduardo Chappa <chappa@washington.edu>	2020-02-03 21:15:19 -0700
committer	Eduardo Chappa <chappa@washington.edu>	2020-02-03 21:15:19 -0700
commit	dba6c62a11eed30f7a4e3e625eec8ca88252ab6c (patch)
tree	ad330ee9baf787e4ce638b5da2a9480e33b6c630 /imap
parent	709dc44768db0c0e1123181f53fdba26484eceaa (diff)
download	alpine-dba6c62a11eed30f7a4e3e625eec8ca88252ab6c.tar.xz