authorEduardo Chappa <chappa@washington.edu>2020-07-18 00:53:34 -0600
committerEduardo Chappa <chappa@washington.edu>2020-07-18 00:53:34 -0600
commitef159279c142ec4f3b3a1938cfeadc74d5891070 (patch)
tree6a670c9b33666abcb81c824bb36fdc7c920d697d /imap
parent50f4fdaa40ab3195377f22243c3ba4287389d207 (diff)
downloadalpine-ef159279c142ec4f3b3a1938cfeadc74d5891070.tar.xz
* Addition of the variables User Certs Dir and User Certs File, which allow
a user to specify the location of server certificates that the user trusts.
Diffstat (limited to 'imap')
-rw-r--r--imap/src/c-client/mail.h8
-rw-r--r--imap/src/osdep/nt/env_nt.c16
-rw-r--r--imap/src/osdep/nt/ssl_libressl.c6
-rw-r--r--imap/src/osdep/unix/env_unix.c16
-rw-r--r--imap/src/osdep/unix/ssl_unix.c5
5 files changed, 48 insertions, 3 deletions
diff --git a/imap/src/c-client/mail.h b/imap/src/c-client/mail.h
index 32df37b..adcad4d 100644
--- a/imap/src/c-client/mail.h
+++ b/imap/src/c-client/mail.h
@@ -196,8 +196,12 @@
#define SET_SSLCAPATH (long) 232
#define GET_SSLCAFILE (long) 233
#define SET_SSLCAFILE (long) 234
-#define GET_RESTRICTIONS (long) 235
-#define SET_RESTRICTIONS (long) 236
+#define GET_SSLAPPCAPATH (long) 235
+#define SET_SSLAPPCAPATH (long) 236
+#define GET_SSLAPPCAFILE (long) 237
+#define SET_SSLAPPCAFILE (long) 238
+#define GET_RESTRICTIONS (long) 239
+#define SET_RESTRICTIONS (long) 240
/* 3xx: TCP/IP */
#define GET_OPENTIMEOUT (long) 300
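Review bot: Renumbering GET_RESTRICTIONS and SET_RESTRICTIONS from 235/236 to 239/240 changes the value of two existing public mail_parameters() selectors, so anything built against the previous mail.h would presumably keep passing 235/236 and now land on the GET_SSLAPPCAPATH/SET_SSLAPPCAPATH cases instead. Giving the four new selectors 235–238 only looks tidy; assigning them 237–240 and leaving the restriction pair untouched keeps the old numbers stable. If the renumbering is intentional, a comment on the block such as `/* 235-240 reassigned: GET/SET_RESTRICTIONS moved, rebuild all c-client users */` would at least warn downstream builders.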
diff --git a/imap/src/osdep/nt/env_nt.c b/imap/src/osdep/nt/env_nt.c
index 8fc72f0..52211ea 100644
--- a/imap/src/osdep/nt/env_nt.c
+++ b/imap/src/osdep/nt/env_nt.c
@@ -45,6 +45,8 @@ static int server_nli = 0; /* server and not logged in */
static int logtry = 3; /* number of login tries */
static char *sslCApath = NIL; /* non-standard CA path */
static char *sslCAfile = NIL; /* non-standard CA container */
+static char *sslAppCApath = NIL; /* App SSL Certs CA path */
+static char *sslAppCAfile = NIL; /* App SSL CA container */
/* block notification */
static blocknotify_t mailblocknotify = mm_blocknotify;
/* callback to get username */
@@ -143,6 +145,20 @@ void *env_parameters (long function,void *value)
case GET_SSLCAFILE:
ret = (void *) sslCAfile;
break;
+ case SET_SSLAPPCAPATH: /* this can be set null */
+ if (sslAppCApath) fs_give ((void **) &sslAppCApath);
+ sslAppCApath = value ? cpystr ((char *) value) : value;
+ break;
+ case GET_SSLAPPCAPATH:
+ ret = (void *) sslAppCApath;
+ break;
+ case SET_SSLCAFILE: /* this can be set null */
+ if (sslAppCAfile) fs_give ((void **) &sslAppCAfile);
+ sslAppCAfile = value ? cpystr ((char *) value) : value;
+ break;
+ case GET_SSLAPPCAFILE:
+ ret = (void *) sslAppCAfile;
+ break;
}
return ret;
}
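Review bot: The label on the second new setter reads `case SET_SSLCAFILE:` while its body frees and reassigns sslAppCAfile, so it should be `case SET_SSLAPPCAFILE: /* this can be set null */` as in the corresponding env_unix.c hunk. Since GET_SSLCAFILE is visible just above, the original SET_SSLCAFILE case is presumably already present in this switch, in which case the compiler will reject the duplicate case label; if it were not, a caller setting the standard CA file would overwrite the app CA file and SET_SSLAPPCAFILE would fall through to the default behaviour and be ignored. Either way the Windows build does not get a working User Certs File setting. env_parameters begins outside the hunk.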
diff --git a/imap/src/osdep/nt/ssl_libressl.c b/imap/src/osdep/nt/ssl_libressl.c
index 5270a9f..04dfb36 100644
--- a/imap/src/osdep/nt/ssl_libressl.c
+++ b/imap/src/osdep/nt/ssl_libressl.c
@@ -8,7 +8,7 @@
*
* Author: Eduardo Chappa, based on ssl_unix.c
*
- * Last Edited: January 25, 2020
+ * Last Edited: July 17, 2020
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -413,6 +413,10 @@ static char *ssl_start_work(SSLSTREAM *stream, char *host, unsigned long flags)
SSL_CTX_load_verify_locations (stream->context, CAfile, CApath);
else /* otherwise we set default paths to CAs... */
SSL_CTX_set_default_verify_paths(stream->context);
+ CAfile = (char *) mail_parameters (NIL,GET_SSLAPPCAFILE,NIL);
+ CApath = (char *) mail_parameters (NIL,GET_SSLAPPCAPATH,NIL);
+ if (CAfile != NIL || CApath != NIL)
+ SSL_CTX_load_verify_locations (stream->context, CAfile, CApath);
/* want to send client certificate? */
if (scc && (s = (*scc) ()) && (sl = strlen(s))) {
if ((cert = PEM_read_bio_X509(bio = BIO_new_mem_buf(s, sl), NIL, NIL, NIL)) != NIL) {
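Review bot: The new SSL_CTX_load_verify_locations call for the app CA file/path ignores its return value, so when the user-specified file or directory is missing, unreadable or malformed the handshake silently continues with only the anchors loaded above and the user gets no indication that their trusted certificates are not in effect; the same applies to the matching hunk in ssl_unix.c. Because this is precisely the store a user would populate to trust a particular server, a silent failure is worth surfacing, e.g. `if ((CAfile != NIL || CApath != NIL) && !SSL_CTX_load_verify_locations (stream->context, CAfile, CApath)) mm_log ("Unable to load user certificates", WARN);`. Reusing CAfile/CApath for the app settings also means a reader below this point can no longer assume they name the system CA configuration; the `/* Load app certificates */` comment the ssl_unix.c hunk carries would help here too. ssl_start_work starts and ends outside the hunk.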
diff --git a/imap/src/osdep/unix/env_unix.c b/imap/src/osdep/unix/env_unix.c
index fe1b91d..afec59b 100644
--- a/imap/src/osdep/unix/env_unix.c
+++ b/imap/src/osdep/unix/env_unix.c
@@ -74,6 +74,8 @@ static char *blackBoxDir = NIL; /* black box directory name */
static char *blackBoxDefaultHome = NIL;
static char *sslCApath = NIL; /* non-standard CA path */
static char *sslCAfile = NIL; /* non-standard CA container */
+static char *sslAppCApath = NIL; /* App SSL CA path */
+static char *sslAppCAfile = NIL; /* App SSL CA container */
static short anonymous = NIL; /* is anonymous */
static short blackBox = NIL; /* is a black box */
static short closedBox = NIL; /* is a closed box (uses chroot() jail) */
@@ -354,6 +356,20 @@ void *env_parameters (long function,void *value)
case GET_SSLCAFILE:
ret = (void *) sslCAfile;
break;
+ case SET_SSLAPPCAPATH: /* this can be set null */
+ if (sslAppCApath) fs_give ((void **) &sslAppCApath);
+ sslAppCApath = value ? cpystr ((char *) value) : value;
+ break;
+ case GET_SSLAPPCAPATH:
+ ret = (void *) sslAppCApath;
+ break;
+ case SET_SSLAPPCAFILE: /* this can be set null */
+ if (sslAppCAfile) fs_give ((void **) &sslAppCAfile);
+ sslAppCAfile = value ? cpystr ((char *) value) : value;
+ break;
+ case GET_SSLAPPCAFILE:
+ ret = (void *) sslAppCAfile;
+ break;
case SET_LISTMAXLEVEL:
list_max_level = (long) value;
case GET_LISTMAXLEVEL:
diff --git a/imap/src/osdep/unix/ssl_unix.c b/imap/src/osdep/unix/ssl_unix.c
index 4ebe1ae..1f64b57 100644
--- a/imap/src/osdep/unix/ssl_unix.c
+++ b/imap/src/osdep/unix/ssl_unix.c
@@ -421,6 +421,11 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags)
SSL_CTX_load_verify_locations (stream->context, CAfile, CApath);
else /* set default paths to CAs... */
SSL_CTX_set_default_verify_paths (stream->context);
+ /* Load app certificates */
+ CAfile = (char *) mail_parameters (NIL,GET_SSLAPPCAFILE,NIL);
+ CApath = (char *) mail_parameters (NIL,GET_SSLAPPCAPATH,NIL);
+ if (CAfile != NIL || CApath != NIL)
+ SSL_CTX_load_verify_locations (stream->context, CAfile, CApath);
/* want to send client certificate? */
if (scc && (s = (*scc) ()) && (sl = strlen (s))) {
if ((cert = PEM_read_bio_X509 (bio = BIO_new_mem_buf (s,sl),NIL,NIL,NIL)) != NULL) {