* Add variable system-certs-file to indicate the location of a container

    of CA certificates. This complements the variable system-certs-path that
    gives the location the directory that containes CA certificates.

4 files changed, 79 insertions, 8 deletions

diff --git a/pith/conf.c b/pith/conf.c
index 3bd564bd..f6fe4863 100644
--- a/pith/conf.c
+++ b/pith/conf.c
@@ -379,6 +379,8 @@ CONF_TXT_T cf_text_mimetype_path[] =	"Sets the search path for the mimetypes con
 
 #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD))
 CONF_TXT_T cf_text_system_certs_path[] = "Sets the path for the system ssl certificates issued by a trusted\n# certificate authority. Note that this could be a list of paths, if the same\n# pinerc is used in different systems. Alpine always chooses the first one that\n# it finds. Value must be an absolute path.";
+
+CONF_TXT_T cf_text_system_certs_file[] = "Sets the path for the system ssl file container of certificates issued by a\n# certificate authority. Note that this could be a list of container files,\n# if the same pinerc is used in different systems. Alpine always chooses the,\n# first one that it finds. Value must be an absolute path.";
 #endif
 
 CONF_TXT_T cf_text_newmail_fifo_path[] = "Sets the filename for the newmail fifo (named pipe). Unix only.";
@@ -667,7 +669,9 @@ static struct variable variables[] = {
 	NULL,			cf_text_mimetype_path},
 #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD))
 {"system-certs-path",			0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0,
-	NULL,			cf_text_system_certs_path},
+	"System CACerts Dir",	cf_text_system_certs_path},
+{"system-certs-file",			0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0,
+	"System CACerts File",	cf_text_system_certs_file},
 #endif
 {"url-viewers",				0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0,
 	"URL-Viewers",		cf_text_browser},
@@ -1737,6 +1741,10 @@ init_vars(struct pine *ps, void (*cmds_f) (struct pine *, char **))
     GLO_SSLCAPATH		= parse_list(DEFAULT_SSLCAPATH, 1,
 					     PL_REMSURRQUOT, NULL);
 #endif /* DEFAULT_SSLCAPATH */
+#ifdef DEFAULT_SSLCAFILE
+    GLO_SSLCAFILE		= parse_list(DEFAULT_SSLCAFILE, 1,
+					     PL_REMSURRQUOT, NULL);
+#endif /* DEFAULT_SSLCAFILE */
 #ifdef	DF_VAR_SPELLER
     GLO_SPELLER			= cpystr(DF_VAR_SPELLER);
 #endif
@@ -2382,6 +2390,7 @@ init_vars(struct pine *ps, void (*cmds_f) (struct pine *, char **))
     set_current_val(&vars[V_MIMETYPE_PATH], TRUE, TRUE);
 #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD))
     set_current_val(&vars[V_SSLCAPATH], TRUE, TRUE);
+    set_current_val(&vars[V_SSLCAFILE], TRUE, TRUE);
 #endif
 #if !defined(DOS) && !defined(OS2) && !defined(LEAVEOUTFIFO)
     set_current_val(&vars[V_FIFOPATH], TRUE, TRUE);
@@ -7082,6 +7091,22 @@ set_system_certs_path(struct pine *ps)
       }
   }
 }
+
+
+void
+set_system_certs_container(struct pine *ps)
+{ 
+  char **l;
+
+  for (l = ps->vars[V_SSLCAPATH].current_val.l; l && *l; l++){
+      if(is_absolute_path(*l)
+	  && can_access(*l, ACCESS_EXISTS) == 0
+	  && can_access(*l, READ_ACCESS) == 0){
+           mail_parameters(NULL, SET_SSLCAFILE, (void *) *l);
+           break;
+      }
+  }
+}
 #endif
 
 int
@@ -7943,6 +7968,8 @@ config_help(int var, int feature)
 #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD))
       case V_SSLCAPATH :
 	return(h_config_system_certs_path);
+      case V_SSLCAFILE :
+	return(h_config_system_certs_file);
 #endif
 #if !defined(DOS) && !defined(OS2) && !defined(LEAVEOUTFIFO)
       case V_FIFOPATH :
diff --git a/pith/conf.h b/pith/conf.h
index 3e7844eb..ac6f0a8f 100644
--- a/pith/conf.h
+++ b/pith/conf.h
@@ -136,6 +136,8 @@
 #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD))
 #define VAR_SSLCAPATH		     vars[V_SSLCAPATH].current_val.l
 #define GLO_SSLCAPATH		     vars[V_SSLCAPATH].global_val.l
+#define VAR_SSLCAFILE		     vars[V_SSLCAFILE].current_val.l
+#define GLO_SSLCAFILE		     vars[V_SSLCAFILE].global_val.l
 #endif
 #define VAR_INDEX_COLOR_STYLE	     vars[V_INDEX_COLOR_STYLE].current_val.p
 #define GLO_INDEX_COLOR_STYLE	     vars[V_INDEX_COLOR_STYLE].global_val.p
@@ -922,6 +924,7 @@ void	   free_pinerc_lines(PINERC_LINE **);
 void	   panic1(char *, char *);
 #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD))
 void	   set_system_certs_path(struct pine *);
+void	   set_system_certs_container(struct pine *);
 #endif
 
 /* mandatory to implement prototypes */
diff --git a/pith/conftype.h b/pith/conftype.h
index 09112724..029b81bc 100644
--- a/pith/conftype.h
+++ b/pith/conftype.h
@@ -127,6 +127,7 @@ typedef	enum {    V_PERSONAL_NAME = 0
 		, V_MIMETYPE_PATH
 #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD))
 		, V_SSLCAPATH
+		, V_SSLCAFILE
 #endif
 		, V_BROWSER
 		, V_HISTORY
diff --git a/pith/pine.hlp b/pith/pine.hlp
index fa1468ca..4f0eb38f 100644
--- a/pith/pine.hlp
+++ b/pith/pine.hlp
@@ -140,7 +140,7 @@ with help text for the config screen and the composer that didn't have any
 reasonable place to be called from.
 Dummy change to get revision in pine.hlp
 ============= h_revision =================
-Alpine Commit 401 2020-01-30 00:08:16
+Alpine Commit 402 2020-02-03 21:15:05
 ============= h_news =================
 <HTML>
 <HEAD>
@@ -187,6 +187,10 @@ any problems you find with this release. New enhancements
      this must be C:\\libressl\\ssl\\certs. The C: drive can be replaced 
      by the name of the drive where the binary and DLL files are located.
 
+<LI> New variable system-certs-file that allows users to configure the
+     location of a container of certificate authoririty (CA) certificates
+     to be used to validate certificates of remote servers.
+
 <LI>Crash in Alpine when attempting to reply to a multipart/alternative 
     message that is malformed, and the option to include attachments in
     reply is enabled. Reported and patched by Peter Tirsek.
@@ -22232,7 +22236,7 @@ directory. For example, the directory might not be accessible, or has not been
 updated and contains old certificates that have expired.
 
 <P>
-When a user wants to override the default, this variable can be used to list
+This variable can be used to list
 the directory where such certificates can be found. Alpine will use the first
 directory in this list that exists in your system and can be accessed. This
 allows for users to be able to use the same pinerc file in different systems.
@@ -22241,9 +22245,45 @@ allows for users to be able to use the same pinerc file in different systems.
 Example of values for this option might be:
 
 <PRE>
-System Certs Path = /etc/ssl/certs
-                    /usr/local/ssl/certs
-                    C:\\libressl\\ssl\\certs
+System CACerts Dir = /etc/ssl/certs
+                     /usr/local/ssl/certs
+                     C:\\libressl\\ssl\\certs
+<PRE>
+
+<P>
+In unix systems, the default location of the certificates for openssl can
+be obtained by first executing the command
+
+<PRE>openssl version -d</PRE>
+
+and adding &quot;/certs&quot; to that value. In Windows the default location
+for the certificates is C:\\libressl\\ssl\\certs. This value was set by
+LibreSSL developers, and this option can be used to override this default.
+
+<P>
+&lt;End of help on this topic&gt;
+</BODY></HTML>
+====== h_config_system_certs_file ======
+<HTML>
+<HEAD>
+<TITLE>OPTION: <!--#echo var="VAR_system-certs-file"--></TITLE>
+</HEAD>
+<BODY>
+<H1>OPTION: <!--#echo var="VAR_system-certs-file"--></H1>
+
+This option sets the location of the container file that holds 
+certificate authority (CA) certificates.
+Alpine will use the first
+container in this list that exists in your system and can be accessed. This
+allows for users to be able to use the same pinerc file in different systems.
+
+<P>
+Example of values for this option might be:
+
+<PRE>
+System Certs Path = /etc/ssl/certs/cert.pem
+                    /usr/local/ssl/ca-root-nss.crt
+                    C:\\libressl\\ssl\\certs\\cert.pem
 <PRE>
 
 <P>
@@ -22253,8 +22293,8 @@ be obtained by first executing the command
 <PRE>openssl version -d</PRE>
 
 and adding &quot;/certs&quot; to that value. In Windows the default location
-for the certificates is C:\\libressl\\ssl\\certs. This value was set by LibreSSL
-developers, and this option can be used to override this default.
+for the certificates is C:\\libressl\\ssl\\certs\\cert.pem. This value was set 
+by LibreSSL developers, and this option can be used to override this default.
 
 <P>
 &lt;End of help on this topic&gt;