-rw-r--r--alpine/smime.c148
-rwxr-xr-xconfigure386
-rw-r--r--configure.ac106
-rw-r--r--imap/src/osdep/unix/ssl_unix.c83
-rw-r--r--pith/pine.hlp2
-rw-r--r--pith/smime.c8
-rw-r--r--pith/smkeys.c39
-rw-r--r--pith/smkeys.h13
-rw-r--r--po/Makefile.in2
9 files changed, 631 insertions, 156 deletions
diff --git a/alpine/smime.c b/alpine/smime.c
index 7a4fde97..2eb58588 100644
--- a/alpine/smime.c
+++ b/alpine/smime.c
@@ -381,93 +381,79 @@ output_cert_info(X509 *cert, gf_io_t pc)
gf_set_so_writec(&spc, left);
- if(!cert->cert_info){
- gf_puts("Couldn't find certificate info.", spc);
- gf_puts(NEWLINE, spc);
- }
- else{
- gf_puts_uline("Certificate Owner", spc);
- gf_puts(NEWLINE, spc);
-
- output_X509_NAME(cert->cert_info->subject, spc);
- gf_puts(NEWLINE, spc);
-
- gf_puts_uline("Serial Number", spc);
- gf_puts(NEWLINE, spc);
-
- {
- ASN1_INTEGER *bs;
- long l;
- const char *neg;
- int i;
-
- bs = X509_get_serialNumber(cert);
- if (bs->length <= (int)sizeof(long)){
- l = ASN1_INTEGER_get(bs);
- if (bs->type == V_ASN1_NEG_INTEGER){
- l = -l;
- neg="-";
- }
- else
- neg="";
- snprintf(buf, sizeof(buf), " %s%lu (%s0x%lx)", neg, l, neg, l);
- } else {
- snprintf(buf, sizeof(buf), "%s", bs->type == V_ASN1_NEG_INTEGER ? "(Negative)" : "");
- for (i = 0; i < bs->length; i++)
- snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), "%02x%s", bs->data[i],
- i+1 == bs->length ? "" : ":");
- }
+ gf_puts_uline("Certificate Owner", spc);
+ gf_puts(NEWLINE, spc);
+
+ output_X509_NAME(X509_get_subject_name(cert), spc);
+ gf_puts(NEWLINE, spc);
+
+ gf_puts_uline("Serial Number", spc);
+ gf_puts(NEWLINE, spc);
+
+ { ASN1_INTEGER *bs;
+ long l;
+ const char *neg;
+ int i;
+
+ bs = X509_get_serialNumber(cert);
+ if (bs->length <= (int)sizeof(long)){
+ l = ASN1_INTEGER_get(bs);
+ if (bs->type == V_ASN1_NEG_INTEGER){
+ l = -l;
+ neg="-";
+ }
+ else
+ neg="";
+ snprintf(buf, sizeof(buf), " %s%lu (%s0x%lx)", neg, l, neg, l);
+ } else {
+ snprintf(buf, sizeof(buf), "%s", bs->type == V_ASN1_NEG_INTEGER ? "(Negative)" : "");
+ for (i = 0; i < bs->length; i++)
+ snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), "%02x%s", bs->data[i],
+ i+1 == bs->length ? "" : ":");
}
- gf_puts(buf, spc);
- gf_puts(NEWLINE, spc);
- gf_puts(NEWLINE, spc);
-
- gf_puts_uline("Validity", spc);
- gf_puts(NEWLINE, spc);
- {
- BIO *mb = BIO_new(BIO_s_mem());
- char iobuf[4096];
+ }
+ gf_puts(buf, spc);
+ gf_puts(NEWLINE, spc);
+ gf_puts(NEWLINE, spc);
+
+ gf_puts_uline("Validity", spc);
+ gf_puts(NEWLINE, spc);
+ { BIO *mb = BIO_new(BIO_s_mem());
+ char iobuf[4096];
- gf_puts("Not Before: ", spc);
+ gf_puts("Not Before: ", spc);
- (void) BIO_reset(mb);
- ASN1_UTCTIME_print(mb, cert->cert_info->validity->notBefore);
- (void) BIO_flush(mb);
- while((len = BIO_read(mb, iobuf, sizeof(iobuf))) > 0)
- gf_nputs(iobuf, len, spc);
+ (void) BIO_reset(mb);
+ ASN1_UTCTIME_print(mb, X509_get0_notBefore(cert));
+ (void) BIO_flush(mb);
+ while((len = BIO_read(mb, iobuf, sizeof(iobuf))) > 0)
+ gf_nputs(iobuf, len, spc);
- gf_puts(NEWLINE, spc);
+ gf_puts(NEWLINE, spc);
- gf_puts("Not After: ", spc);
+ gf_puts("Not After: ", spc);
- (void) BIO_reset(mb);
- ASN1_UTCTIME_print(mb, cert->cert_info->validity->notAfter);
- (void) BIO_flush(mb);
- while((len = BIO_read(mb, iobuf, sizeof(iobuf))) > 0)
- gf_nputs(iobuf, len, spc);
+ (void) BIO_reset(mb);
+ ASN1_UTCTIME_print(mb, X509_get0_notAfter(cert));
+ (void) BIO_flush(mb);
+ while((len = BIO_read(mb, iobuf, sizeof(iobuf))) > 0)
+ gf_nputs(iobuf, len, spc);
- gf_puts(NEWLINE, spc);
- gf_puts(NEWLINE, spc);
+ gf_puts(NEWLINE, spc);
+ gf_puts(NEWLINE, spc);
- BIO_free(mb);
- }
+ BIO_free(mb);
}
gf_clear_so_writec(left);
gf_set_so_writec(&spc, right);
- if(!cert->cert_info){
- gf_puts(_("Couldn't find certificate info."), spc);
- gf_puts(NEWLINE, spc);
- }
- else{
- gf_puts_uline("Issuer", spc);
- gf_puts(NEWLINE, spc);
+ gf_puts_uline("Issuer", spc);
+ gf_puts(NEWLINE, spc);
- output_X509_NAME(cert->cert_info->issuer, spc);
- gf_puts(NEWLINE, spc);
- }
+ output_X509_NAME(X509_get_issuer_name(cert), spc);
+ gf_puts(NEWLINE, spc);
gf_clear_so_writec(right);
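Review bot: The two validity lines print through `ASN1_UTCTIME_print`, but `X509_get0_notBefore`/`X509_get0_notAfter` return an `ASN1_TIME`, which may be encoded as GeneralizedTime rather than UTCTime (dates from 2050 on). For such a certificate the UTCTime printer is likely to produce no usable text, so the user would see an empty or misleading validity period when deciding whether to trust the certificate. `ASN1_TIME_print(mb, X509_get0_notBefore(cert));` and the same call for `notAfter` handle both encodings. The `BIO_new(BIO_s_mem())` result is also still used unchecked; output_cert_info begins and ends outside this hunk.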
@@ -494,6 +480,7 @@ output_cert_info(X509 *cert, gf_io_t pc)
X509_NAME_ENTRY *e;
int i, offset = 2;
char space[256];
+ X509_NAME *subject;
for(i = 0; i < offset; i++) space[i] = ' ';
@@ -502,7 +489,7 @@ output_cert_info(X509 *cert, gf_io_t pc)
x = i == -1 ? cert : sk_X509_value(chain, i);
- if(x && x->cert_info){
+ if(x){
if(i>=0){
space[offset + i + 0] = ' ';
space[offset + i + 1] = '\\';
@@ -520,11 +507,10 @@ output_cert_info(X509 *cert, gf_io_t pc)
else
gf_puts_uline("Issued to: ", pc);
- e = X509_NAME_get_entry(x->cert_info->subject,
- X509_NAME_entry_count(x->cert_info->subject)-1);
+ subject = X509_get_subject_name(x);
- if(e){
- X509_NAME_get_text_by_OBJ(x->cert_info->subject, e->object, buf, sizeof(buf));
+ if((e = X509_NAME_get_entry(subject, X509_NAME_entry_count(subject)-1)) != NULL){
+ X509_NAME_get_text_by_OBJ(subject, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf));
gf_puts(buf, pc);
gf_puts(NEWLINE, pc);
}
@@ -535,10 +521,10 @@ output_cert_info(X509 *cert, gf_io_t pc)
break;
}
}
- e = X509_NAME_get_entry(x->cert_info->issuer,
- X509_NAME_entry_count(x->cert_info->issuer)-1);
+ e = X509_NAME_get_entry(X509_get_issuer_name(x),
+ X509_NAME_entry_count(X509_get_issuer_name(x))-1);
if(e){
- X509_NAME_get_text_by_OBJ(x->cert_info->issuer, e->object, buf, sizeof(buf));
+ X509_NAME_get_text_by_OBJ(X509_get_issuer_name(x), X509_NAME_ENTRY_get_object(e), buf, sizeof(buf));
space[offset + i + 0] = ' ';
space[offset + i + 1] = '\\';
space[offset + i + 2] = '-';
@@ -573,7 +559,7 @@ output_X509_NAME(X509_NAME *name, gf_io_t pc)
if(!e)
continue;
- X509_NAME_get_text_by_OBJ(name, e->object, buf, sizeof(buf));
+ X509_NAME_get_text_by_OBJ(name, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf));
gf_puts(buf, pc);
gf_puts(NEWLINE, pc);
diff --git a/configure b/configure
index 2436ca45..618c9da3 100755
--- a/configure
+++ b/configure
@@ -18235,6 +18235,47 @@ if test "x$alpine_DL" = "xnone" ; then
fi
if test "x$alpine_SSLTYPE" != "xnone" ; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking if OpenSSL is LibreSSL" >&5
+$as_echo_n "checking if OpenSSL is LibreSSL... " >&6; }
+ if test "$cross_compiling" = yes; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: not checking" >&5
+$as_echo "$as_me: WARNING: cross compiling: not checking" >&2;}
+else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+#include <stdio.h>
+#include <stdlib.h>
+#if HAVE_STDINT_H
+#include <stdint.h>
+#endif /* HAVE_STDINT_H */
+#include <openssl/ssl.h>
+int main(void) {
+
+ if (LIBRESSL_VERSION_NUMBER >= 0x20000000L)
+ exit(0);
+
+ exit(2);
+}
+
+_ACEOF
+if ac_fn_c_try_run "$LINENO"; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ alpine_SSLPROVIDER="libressl"
+
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+ conftest.$ac_objext conftest.beam conftest.$ac_ext
+fi
+
+fi
+
+if test "x$alpine_SSLTYPE" != "xnone" -a "x$alpine_SSLPROVIDER" != "xlibressl" ; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking Openssl library version >= 1.0.0c" >&5
$as_echo_n "checking Openssl library version >= 1.0.0c... " >&6; }
if test "$cross_compiling" = yes; then :
@@ -18252,7 +18293,7 @@ else
#include <openssl/ssl.h>
int main(void) {
- if (OPENSSL_VERSION_NUMBER >= 0x1000003f)
+ if (OPENSSL_VERSION_NUMBER >= 0x1000003fL)
exit(0);
exit(2);
@@ -18262,6 +18303,8 @@ _ACEOF
if ac_fn_c_try_run "$LINENO"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
+ alpine_SSLPROVIDER="openssl"
+
else
alpine_SSLTYPE="none"
fi
@@ -18274,7 +18317,179 @@ fi
as_fn_error $? "Install openssl version >= 1.0.0c" "$LINENO" 5
exit 1
fi
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing TLSv1_2_client_method" >&5
+fi
+
+if test "x$alpine_SSLTYPE" != "xnone" -a "x$alpine_SSLPROVIDER" != "xlibressl" ; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking Openssl library version >= 1.1.0" >&5
+$as_echo_n "checking Openssl library version >= 1.1.0... " >&6; }
+ if test "$cross_compiling" = yes; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross compiling: not checking" >&5
+$as_echo "$as_me: WARNING: cross compiling: not checking" >&2;}
+else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+#include <stdio.h>
+#include <stdlib.h>
+#if HAVE_STDINT_H
+#include <stdint.h>
+#endif /* HAVE_STDINT_H */
+#include <openssl/ssl.h>
+int main(void) {
+
+ if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+ exit(0);
+
+ exit(2);
+}
+
+_ACEOF
+if ac_fn_c_try_run "$LINENO"; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ alpine_SSLVERSION="new"
+ CFLAGS="$CFLAGS -DOPENSSL_1_1_0 -DOPENSSL_API_COMPAT=0x10100000L"
+
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ alpine_SSLVERSION="old"
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+ conftest.$ac_objext conftest.beam conftest.$ac_ext
+fi
+
+fi
+
+if test "x$alpine_SSLTYPE" != "xnone" ; then
+ if test "x$alpine_SSLVERSION" = "xold" -o "x$alpine_SSLPROVIDER" = "xlibressl" ; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing SSLeay" >&5
+$as_echo_n "checking for library containing SSLeay... " >&6; }
+if ${ac_cv_search_SSLeay+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_func_search_save_LIBS=$LIBS
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char SSLeay ();
+int
+main ()
+{
+return SSLeay ();
+ ;
+ return 0;
+}
+_ACEOF
+for ac_lib in '' crypto; do
+ if test -z "$ac_lib"; then
+ ac_res="none required"
+ else
+ ac_res=-l$ac_lib
+ LIBS="-l$ac_lib $ac_func_search_save_LIBS"
+ fi
+ if ac_fn_c_try_link "$LINENO"; then :
+ ac_cv_search_SSLeay=$ac_res
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext
+ if ${ac_cv_search_SSLeay+:} false; then :
+ break
+fi
+done
+if ${ac_cv_search_SSLeay+:} false; then :
+
+else
+ ac_cv_search_SSLeay=no
+fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_SSLeay" >&5
+$as_echo "$ac_cv_search_SSLeay" >&6; }
+ac_res=$ac_cv_search_SSLeay
+if test "$ac_res" != no; then :
+ test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+
+else
+ alpine_CRYPTO="none"
+fi
+
+ else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing OpenSSL_version_num" >&5
+$as_echo_n "checking for library containing OpenSSL_version_num... " >&6; }
+if ${ac_cv_search_OpenSSL_version_num+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_func_search_save_LIBS=$LIBS
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char OpenSSL_version_num ();
+int
+main ()
+{
+return OpenSSL_version_num ();
+ ;
+ return 0;
+}
+_ACEOF
+for ac_lib in '' crypto; do
+ if test -z "$ac_lib"; then
+ ac_res="none required"
+ else
+ ac_res=-l$ac_lib
+ LIBS="-l$ac_lib $ac_func_search_save_LIBS"
+ fi
+ if ac_fn_c_try_link "$LINENO"; then :
+ ac_cv_search_OpenSSL_version_num=$ac_res
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext
+ if ${ac_cv_search_OpenSSL_version_num+:} false; then :
+ break
+fi
+done
+if ${ac_cv_search_OpenSSL_version_num+:} false; then :
+
+else
+ ac_cv_search_OpenSSL_version_num=no
+fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_OpenSSL_version_num" >&5
+$as_echo "$ac_cv_search_OpenSSL_version_num" >&6; }
+ac_res=$ac_cv_search_OpenSSL_version_num
+if test "$ac_res" != no; then :
+ test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+
+else
+ alpine_CRYPTO="none"
+fi
+
+ fi
+ if test "x$alpine_CRYPTO" = "xnone" ; then
+ as_fn_error $? "crypto library NOT found" "$LINENO" 5
+ exit 1
+ fi
+fi
+
+if test "x$alpine_SSLTYPE" != "xnone" ; then
+ if test "x$alpine_SSLVERSION" = "xold" -o "x$alpine_SSLPROVIDER" = "xlibressl" ; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing TLSv1_2_client_method" >&5
$as_echo_n "checking for library containing TLSv1_2_client_method... " >&6; }
if ${ac_cv_search_TLSv1_2_client_method+:} false; then :
$as_echo_n "(cached) " >&6
@@ -18334,12 +18549,68 @@ $as_echo "#define SSL_SUPPORTS_TLSV1_2 1" >>confdefs.h
fi
+ else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing TLS_client_method" >&5
+$as_echo_n "checking for library containing TLS_client_method... " >&6; }
+if ${ac_cv_search_TLS_client_method+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_func_search_save_LIBS=$LIBS
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char TLS_client_method ();
+int
+main ()
+{
+return TLS_client_method ();
+ ;
+ return 0;
+}
+_ACEOF
+for ac_lib in '' ssl; do
+ if test -z "$ac_lib"; then
+ ac_res="none required"
+ else
+ ac_res=-l$ac_lib
+ LIBS="-l$ac_lib $ac_func_search_save_LIBS"
+ fi
+ if ac_fn_c_try_link "$LINENO"; then :
+ ac_cv_search_TLS_client_method=$ac_res
fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext
+ if ${ac_cv_search_TLS_client_method+:} false; then :
+ break
+fi
+done
+if ${ac_cv_search_TLS_client_method+:} false; then :
-if test "x$alpine_SSLTYPE" != "xnone" ; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing SSLeay" >&5
-$as_echo_n "checking for library containing SSLeay... " >&6; }
-if ${ac_cv_search_SSLeay+:} false; then :
+else
+ ac_cv_search_TLS_client_method=no
+fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_TLS_client_method" >&5
+$as_echo "$ac_cv_search_TLS_client_method" >&6; }
+ac_res=$ac_cv_search_TLS_client_method
+if test "$ac_res" != no; then :
+ test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+
+else
+ alpine_SSLTYPE="none"
+fi
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing DTLS_client_method" >&5
+$as_echo_n "checking for library containing DTLS_client_method... " >&6; }
+if ${ac_cv_search_DTLS_client_method+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_func_search_save_LIBS=$LIBS
@@ -18352,16 +18623,16 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
#ifdef __cplusplus
extern "C"
#endif
-char SSLeay ();
+char DTLS_client_method ();
int
main ()
{
-return SSLeay ();
+return DTLS_client_method ();
;
return 0;
}
_ACEOF
-for ac_lib in '' crypto; do
+for ac_lib in '' ssl; do
if test -z "$ac_lib"; then
ac_res="none required"
else
@@ -18369,40 +18640,43 @@ for ac_lib in '' crypto; do
LIBS="-l$ac_lib $ac_func_search_save_LIBS"
fi
if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_SSLeay=$ac_res
+ ac_cv_search_DTLS_client_method=$ac_res
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext
- if ${ac_cv_search_SSLeay+:} false; then :
+ if ${ac_cv_search_DTLS_client_method+:} false; then :
break
fi
done
-if ${ac_cv_search_SSLeay+:} false; then :
+if ${ac_cv_search_DTLS_client_method+:} false; then :
else
- ac_cv_search_SSLeay=no
+ ac_cv_search_DTLS_client_method=no
fi
rm conftest.$ac_ext
LIBS=$ac_func_search_save_LIBS
fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_SSLeay" >&5
-$as_echo "$ac_cv_search_SSLeay" >&6; }
-ac_res=$ac_cv_search_SSLeay
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_DTLS_client_method" >&5
+$as_echo "$ac_cv_search_DTLS_client_method" >&6; }
+ac_res=$ac_cv_search_DTLS_client_method
if test "$ac_res" != no; then :
test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
else
- alpine_CRYPTO="none"
+ alpine_SSLTYPE="none"
fi
- if test "x$alpine_CRYPTO" = "xnone" ; then
- as_fn_error $? "crypto library NOT found" "$LINENO" 5
- exit 1
- fi
+ if test "x$alpine_SSLTYPE" != "xnone" ; then
+
+$as_echo "#define SSL_SUPPORTS_TLSV1_2 1" >>confdefs.h
+
+ fi
+ fi
fi
if test "x$alpine_SSLTYPE" != "xnone" ; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing SSL_library_init" >&5
+ if test "x$alpine_SSLVERSION" = "xold" -o "x$alpine_SSLPROVIDER" = "xlibressl" ; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing SSL_library_init" >&5
$as_echo_n "checking for library containing SSL_library_init... " >&6; }
if ${ac_cv_search_SSL_library_init+:} false; then :
$as_echo_n "(cached) " >&6
@@ -18460,12 +18734,74 @@ else
alpine_SSLTYPE="none"
fi
+ if test "x$alpine_SSLTYPE" = "xnone" ; then
+ as_fn_error $? "No library containing SSL_library_init found in your path" "$LINENO" 5
+ exit 1
+ fi
+ else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing OPENSSL_init_ssl" >&5
+$as_echo_n "checking for library containing OPENSSL_init_ssl... " >&6; }
+if ${ac_cv_search_OPENSSL_init_ssl+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_func_search_save_LIBS=$LIBS
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
- if test "x$alpine_SSLTYPE" = "xnone" ; then
- as_fn_error $? "No library containing SSL_library_init found in your path" "$LINENO" 5
- exit 1
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char OPENSSL_init_ssl ();
+int
+main ()
+{
+return OPENSSL_init_ssl ();
+ ;
+ return 0;
+}
+_ACEOF
+for ac_lib in '' ssl; do
+ if test -z "$ac_lib"; then
+ ac_res="none required"
+ else
+ ac_res=-l$ac_lib
+ LIBS="-l$ac_lib $ac_func_search_save_LIBS"
fi
+ if ac_fn_c_try_link "$LINENO"; then :
+ ac_cv_search_OPENSSL_init_ssl=$ac_res
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext
+ if ${ac_cv_search_OPENSSL_init_ssl+:} false; then :
+ break
+fi
+done
+if ${ac_cv_search_OPENSSL_init_ssl+:} false; then :
+else
+ ac_cv_search_OPENSSL_init_ssl=no
+fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_OPENSSL_init_ssl" >&5
+$as_echo "$ac_cv_search_OPENSSL_init_ssl" >&6; }
+ac_res=$ac_cv_search_OPENSSL_init_ssl
+if test "$ac_res" != no; then :
+ test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+
+else
+ alpine_SSLTYPE="none"
+fi
+
+ if test "x$alpine_SSLTYPE" = "xnone" ; then
+ as_fn_error $? "No library containing OPENSSL_init_ssl found in your path" "$LINENO" 5
+ exit 1
+ fi
+ fi
fi
if test "$alpine_with_ldap" = "yes" ; then
diff --git a/configure.ac b/configure.ac
index 94b062d4..fafa819c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1355,8 +1355,35 @@ if test "x$alpine_DL" = "xnone" ; then
exit 1
fi
-dnl Check Openssl/LibreSSL version first
+dnl Check if openssl = LibreSSL
if test "x$alpine_SSLTYPE" != "xnone" ; then
+ AC_MSG_CHECKING([if OpenSSL is LibreSSL])
+ AC_RUN_IFELSE(
+ [AC_LANG_SOURCE([[
+#include <stdio.h>
+#include <stdlib.h>
+#if HAVE_STDINT_H
+#include <stdint.h>
+#endif /* HAVE_STDINT_H */
+#include <openssl/ssl.h>
+int main(void) {
+
+ if (LIBRESSL_VERSION_NUMBER >= 0x20000000L)
+ exit(0);
+
+ exit(2);
+}
+ ]])],
+ [ AC_MSG_RESULT(yes)
+ alpine_SSLPROVIDER="libressl"
+ ],
+ [ AC_MSG_RESULT(no)
+ ],
+ [ AC_MSG_WARN([cross compiling: not checking])])
+fi
+
+dnl Check Openssl/LibreSSL version first
+if test "x$alpine_SSLTYPE" != "xnone" -a "x$alpine_SSLPROVIDER" != "xlibressl" ; then
AC_MSG_CHECKING([Openssl library version >= 1.0.0c])
AC_RUN_IFELSE(
[AC_LANG_SOURCE([[
@@ -1368,13 +1395,15 @@ if test "x$alpine_SSLTYPE" != "xnone" ; then
#include <openssl/ssl.h>
int main(void) {
- if (OPENSSL_VERSION_NUMBER >= 0x1000003f)
+ if (OPENSSL_VERSION_NUMBER >= 0x1000003fL)
exit(0);
exit(2);
}
]])],
- [ AC_MSG_RESULT(yes) ],
+ [ AC_MSG_RESULT(yes)
+ alpine_SSLPROVIDER="openssl"
+ ],
[ alpine_SSLTYPE="none" ],
[ AC_MSG_WARN([cross compiling: not checking])])
@@ -1382,30 +1411,79 @@ int main(void) {
AC_MSG_ERROR(Install openssl version >= 1.0.0c)
exit 1
fi
- AC_SEARCH_LIBS(TLSv1_2_client_method,ssl,
- [ alpine_c_client_cflags="$alpine_c_client_cflags -DTLSV1_2"
- AC_DEFINE([SSL_SUPPORTS_TLSV1_2], [1], [SSL Supports TLSV1.2])
- ])
+fi
+
+dnl Now check if we are working with version 1.1.0 of openssl
+if test "x$alpine_SSLTYPE" != "xnone" -a "x$alpine_SSLPROVIDER" != "xlibressl" ; then
+ AC_MSG_CHECKING([Openssl library version >= 1.1.0])
+ AC_RUN_IFELSE(
+ [AC_LANG_SOURCE([[
+#include <stdio.h>
+#include <stdlib.h>
+#if HAVE_STDINT_H
+#include <stdint.h>
+#endif /* HAVE_STDINT_H */
+#include <openssl/ssl.h>
+int main(void) {
+
+ if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+ exit(0);
+
+ exit(2);
+}
+ ]])],
+ [ AC_MSG_RESULT(yes)
+ alpine_SSLVERSION="new"
+ CFLAGS="$CFLAGS -DOPENSSL_1_1_0 -DOPENSSL_API_COMPAT=0x10100000L"
+ ],
+ [ AC_MSG_RESULT(no)
+ alpine_SSLVERSION="old" ],
+ [ AC_MSG_WARN([cross compiling: not checking])])
fi
dnl Crypto support is needed
if test "x$alpine_SSLTYPE" != "xnone" ; then
- AC_SEARCH_LIBS(SSLeay,crypto,, [ alpine_CRYPTO="none" ])
+ if test "x$alpine_SSLVERSION" = "xold" -o "x$alpine_SSLPROVIDER" = "xlibressl" ; then
+ AC_SEARCH_LIBS(SSLeay,crypto,, [ alpine_CRYPTO="none" ])
+ else
+ AC_SEARCH_LIBS(OpenSSL_version_num,crypto,, [ alpine_CRYPTO="none" ])
+ fi
if test "x$alpine_CRYPTO" = "xnone" ; then
AC_MSG_ERROR(crypto library NOT found)
exit 1
fi
fi
-dnl provide SSL support?
if test "x$alpine_SSLTYPE" != "xnone" ; then
- AC_SEARCH_LIBS(SSL_library_init,ssl,,[ alpine_SSLTYPE="none" ])
+ if test "x$alpine_SSLVERSION" = "xold" -o "x$alpine_SSLPROVIDER" = "xlibressl" ; then
+ AC_SEARCH_LIBS(TLSv1_2_client_method,ssl,
+ [ alpine_c_client_cflags="$alpine_c_client_cflags -DTLSV1_2"
+ AC_DEFINE([SSL_SUPPORTS_TLSV1_2], [1], [SSL Supports TLSV1.2])
+ ])
+ else
+ AC_SEARCH_LIBS(TLS_client_method,ssl,, [ alpine_SSLTYPE="none"])
+ AC_SEARCH_LIBS(DTLS_client_method,ssl,,[ alpine_SSLTYPE="none"])
+ if test "x$alpine_SSLTYPE" != "xnone" ; then
+ AC_DEFINE([SSL_SUPPORTS_TLSV1_2], [1], [SSL Supports TLSV1.2])
+ fi
+ fi
+fi
- if test "x$alpine_SSLTYPE" = "xnone" ; then
- AC_MSG_ERROR(No library containing SSL_library_init found in your path)
- exit 1
+dnl provide SSL support?
+if test "x$alpine_SSLTYPE" != "xnone" ; then
+ if test "x$alpine_SSLVERSION" = "xold" -o "x$alpine_SSLPROVIDER" = "xlibressl" ; then
+ AC_SEARCH_LIBS(SSL_library_init,ssl,,[ alpine_SSLTYPE="none" ])
+ if test "x$alpine_SSLTYPE" = "xnone" ; then
+ AC_MSG_ERROR(No library containing SSL_library_init found in your path)
+ exit 1
+ fi
+ else
+ AC_SEARCH_LIBS(OPENSSL_init_ssl,ssl,, [ alpine_SSLTYPE="none" ])
+ if test "x$alpine_SSLTYPE" = "xnone" ; then
+ AC_MSG_ERROR(No library containing OPENSSL_init_ssl found in your path)
+ exit 1
+ fi
fi
-
fi
dnl provide LDAP support?
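Review bot: When cross compiling, the new `Openssl library version >= 1.1.0` check only warns and leaves `alpine_SSLVERSION` unset, so every later `test "x$alpine_SSLVERSION" = "xold" -o ...` is false and configure probes the 1.1.0 symbols (`OpenSSL_version_num`, `TLS_client_method`, `OPENSSL_init_ssl`) without `-DOPENSSL_1_1_0` having been added to `CFLAGS`. The C sources would then compile their pre-1.1.0 branches while the link checks assumed the 1.1.0 API. Giving the variable a default before the check, for example `alpine_SSLVERSION="old"`, or testing `OPENSSL_VERSION_NUMBER` at compile time instead of running a program, keeps the two in step. The LibreSSL check in the first hunk leaves `alpine_SSLPROVIDER` unset in the same way.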
diff --git a/imap/src/osdep/unix/ssl_unix.c b/imap/src/osdep/unix/ssl_unix.c
index 16b4228c..9498eb0e 100644
--- a/imap/src/osdep/unix/ssl_unix.c
+++ b/imap/src/osdep/unix/ssl_unix.c
@@ -33,6 +33,10 @@
#include <bio.h>
#include <crypto.h>
#include <rand.h>
+#ifdef OPENSSL_1_1_0
+#include <rsa.h>
+#include <bn.h>
+#endif /* OPENSSL_1_1_0 */
#undef STRING
#undef crypt
@@ -78,7 +82,14 @@ static long ssl_compare_hostnames (unsigned char *s,unsigned char *pat);
static char *ssl_getline_work (SSLSTREAM *stream,unsigned long *size,
long *contd);
static long ssl_abort (SSLSTREAM *stream);
-static RSA *ssl_genkey (SSL *con,int export,int keylength);
+
+#ifdef OPENSSL_1_1_0
+#define SSL_CTX_TYPE SSL_CTX
+#else
+#define SSL_CTX_TYPE SSL
+#endif /* OPENSSL_1_1_0 */
+
+static RSA *ssl_genkey (SSL_CTX_TYPE *con,int export,int keylength);
/* Secure Sockets Layer network driver dispatch */
@@ -128,7 +139,11 @@ void ssl_onceonlyinit (void)
/* apply runtime linkage */
mail_parameters (NIL,SET_SSLDRIVER,(void *) &ssldriver);
mail_parameters (NIL,SET_SSLSTART,(void *) ssl_start);
+#ifdef OPENSSL_1_1_0
+ OPENSSL_init_ssl(0, NULL);
+#else
SSL_library_init (); /* add all algorithms */
+#endif /* OPENSSL_1_1_0 */
}
}
@@ -163,16 +178,26 @@ SSLSTREAM *ssl_aopen (NETMBX *mb,char *service,char *usrbuf)
*/
const SSL_METHOD *ssl_connect_mthd(int flag)
{
+#ifdef OPENSSL_1_1_0
if(flag & NET_TRYTLS1)
- return TLSv1_client_method();
+ return TLS_client_method();
+#else
+ if(flag & NET_TRYTLS1)
+ return TLSv1_client_method();
+#endif /* OPENSSL_1_1_0 */
#ifdef TLSV1_2
else if(flag & NET_TRYTLS1_1)
return TLSv1_1_client_method();
else if(flag & NET_TRYTLS1_2)
return TLSv1_2_client_method();
-#endif
+#endif /* TLSV1_2 */
+#ifdef OPENSSL_1_1_0
+ else if(flag & NET_TRYDTLS1)
+ return DTLS_client_method();
+#else
else if(flag & NET_TRYDTLS1)
return DTLSv1_client_method();
+#endif /* OPENSSL_1_1_0 */
else return SSLv23_client_method();
}
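Review bot: Under `OPENSSL_1_1_0` the `NET_TRYTLS1` branch returns the version-flexible `TLS_client_method()`, which negotiates the same way as the final `SSLv23_client_method()` fallback, so the flag no longer selects a protocol version and nothing in this hunk sets a floor. If callers rely on these flags to pin a version, the context needs something like `SSL_CTX_set_min_proto_version(stream->context, TLS1_VERSION);` where it is created, which is outside this hunk. A short comment on the `#ifdef` stating that 1.1.0 builds negotiate the highest mutually supported version would also help the next reader.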
@@ -242,7 +267,7 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags)
BIO *bio;
X509 *cert;
unsigned long sl,tl;
- char *s,*t,*err,tmp[MAILTMPLEN];
+ char *s,*t,*err,tmp[MAILTMPLEN], buf[256];
sslcertificatequery_t scq =
(sslcertificatequery_t) mail_parameters (NIL,GET_SSLCERTIFICATEQUERY,NIL);
sslclientcert_t scc =
@@ -300,9 +325,10 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags)
(err = ssl_validate_cert (cert = SSL_get_peer_certificate (stream->con),
host))) {
/* application callback */
- if (scq) return (*scq) (err,host,cert ? cert->name : "???") ? NIL : "";
+ X509_NAME_oneline (X509_get_subject_name(cert), buf, sizeof(buf));
+ if (scq) return (*scq) (err,host,cert ? buf : "???") ? NIL : "";
/* error message to return via mm_log() */
- sprintf (tmp,"*%.128s: %.255s",err,cert ? cert->name : "???");
+ sprintf (tmp,"*%.128s: %.255s",err,cert ? buf : "???");
return ssl_last_error = cpystr (tmp);
}
return NIL;
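Review bot: `X509_NAME_oneline (X509_get_subject_name(cert), buf, sizeof(buf));` runs before the `cert ?` test that the next two changed lines still apply, and ssl_validate_cert returns "No certificate from server" for a NULL cert, so this path can be reached with `cert == NULL` and the accessor then dereferences it. The removed code only touched `cert->name` behind that test. Fill `buf` conditionally, e.g. `if (cert) X509_NAME_oneline (X509_get_subject_name (cert),buf,sizeof (buf)); else strcpy (buf,"???");`, and pass `buf` unconditionally afterwards. ssl_start_work begins and ends outside this hunk.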
@@ -346,20 +372,28 @@ static int ssl_open_verify (int ok,X509_STORE_CTX *ctx)
static char *ssl_validate_cert (X509 *cert,char *host)
{
int i,n;
- char *s,*t,*ret;
+ char *s=NULL,*t,*ret;
void *ext;
GENERAL_NAME *name;
+ X509_NAME *cname;
+ X509_NAME_ENTRY *e;
+ char buf[256];
/* make sure have a certificate */
if (!cert) ret = "No certificate from server";
/* and that it has a name */
- else if (!cert->name) ret = "No name in certificate";
+ else if (!(cname = X509_get_subject_name(cert))) ret = "No name in certificate";
/* locate CN */
- else if ((s = strstr (cert->name,"/CN=")) != NULL) {
- if ((t = strchr (s += 4,'/')) != NULL) *t = '\0';
+ else{
+ if((e = X509_NAME_get_entry(cname, X509_NAME_entry_count(cname)-1)) != NULL){
+ X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf));
+ s = (char *) buf;
+ }
+ else s = NULL;
+ }
+ if (s != NULL) {
/* host name matches pattern? */
ret = ssl_compare_hostnames (host,s) ? NIL :
"Server name does not match certificate";
- if (t) *t = '/'; /* restore smashed delimiter */
/* if mismatch, see if in extensions */
if (ret && (ext = X509_get_ext_d2i (cert,NID_subject_alt_name,NIL,NIL)) &&
(n = sk_GENERAL_NAME_num (ext)))
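Review bot: The host name is now compared with whichever attribute comes last in the subject (`X509_NAME_get_entry(cname, X509_NAME_entry_count(cname)-1)`), whereas the removed code searched for `/CN=`; a subject that ends in some other attribute would have that value matched against the host instead of the common name. Select the common name explicitly, `if (X509_NAME_get_text_by_NID (cname,NID_commonName,buf,sizeof (buf)) > 0) s = buf;`, and compare the returned length with `strlen (buf)` so that a name containing an embedded NUL is rejected rather than compared only up to the NUL. The branch that sets `ret` when `s` stays NULL lies outside this hunk, so confirm that `ret` is assigned on every path.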
@@ -719,8 +753,13 @@ void ssl_server_init (char *server)
SSLSTREAM *stream = (SSLSTREAM *) memset (fs_get (sizeof (SSLSTREAM)),0,
sizeof (SSLSTREAM));
ssl_onceonlyinit (); /* make sure algorithms added */
+#ifdef OPENSSL_1_1_0
+ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
+ OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS|OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
+#else
ERR_load_crypto_strings ();
SSL_load_error_strings ();
+#endif /* OPENSSL_1_1_0 */
/* build specific certificate/key file names */
sprintf (cert,"%s/%s-%s.pem",SSL_CERT_DIRECTORY,server,tcp_serveraddr ());
sprintf (key,"%s/%s-%s.pem",SSL_KEY_DIRECTORY,server,tcp_serveraddr ());
@@ -732,9 +771,15 @@ void ssl_server_init (char *server)
if (stat (key,&sbuf)) strcpy (key,cert);
}
/* create context */
+#ifdef OPENSSL_1_1_0
+ if (!(stream->context = SSL_CTX_new (start_tls ?
+ TLS_server_method () :
+ SSLv23_server_method ())))
+#else
if (!(stream->context = SSL_CTX_new (start_tls ?
TLSv1_server_method () :
SSLv23_server_method ())))
+#endif /* OPENSSL_1_1_0 */
syslog (LOG_ALERT,"Unable to create SSL context, host=%.80s",
tcp_clienthost ());
else { /* set context options */
@@ -754,8 +799,13 @@ void ssl_server_init (char *server)
key,tcp_clienthost ());
else { /* generate key if needed */
+#ifdef OPENSSL_1_1_0
+ if (0)
+ ssl_genkey(stream->context, 0, 0);
+#else
if (SSL_CTX_need_tmp_RSA (stream->context))
SSL_CTX_set_tmp_rsa_callback (stream->context,ssl_genkey);
+#endif /* OPENSSL_1_1_0 */
/* create new SSL connection */
if (!(stream->con = SSL_new (stream->context)))
syslog (LOG_ALERT,"Unable to create SSL connection, host=%.80s",
@@ -798,19 +848,28 @@ void ssl_server_init (char *server)
* Returns: generated key, always
*/
-static RSA *ssl_genkey (SSL *con,int export,int keylength)
+static RSA *ssl_genkey (SSL_CTX_TYPE *con,int export,int keylength)
{
unsigned long i;
static RSA *key = NIL;
if (!key) { /* if don't have a key already */
/* generate key */
+#ifdef OPENSSL_1_1_0
+ BIGNUM *e = BN_new();
+ if (!RSA_generate_key_ex (key, export ? keylength : 1024, e,NIL)) {
+#else
if (!(key = RSA_generate_key (export ? keylength : 1024,RSA_F4,NIL,NIL))) {
+#endif /* OPENSSL_1_1_0 */
syslog (LOG_ALERT,"Unable to generate temp key, host=%.80s",
tcp_clienthost ());
while ((i = ERR_get_error ()) != 0L)
syslog (LOG_ALERT,"SSL error status: %s",ERR_error_string (i,NIL));
exit (1);
}
+#ifdef OPENSSL_1_1_0
+ BN_free(e);
+ e = NULL;
+#endif /* OPENSSL_1_1_0 */
}
return key;
}
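Review bot: In the `OPENSSL_1_1_0` branch `RSA_generate_key_ex` is handed `key` while it is still NIL (the enclosing `if (!key)` guarantees that) and an exponent `e` that comes straight from `BN_new()` without a value, so the call cannot produce a key and `key` is never assigned. The path is unreachable only because the call site in the previous hunk is wrapped in `if (0)`. Either drop the function for 1.1.0 builds or make it correct: `if (!e || !BN_set_word (e,RSA_F4) || !(key = RSA_new ()) || !RSA_generate_key_ex (key,export ? keylength : 1024,e,NIL)) {`. The 1024-bit default is carried over from the old branch and is worth revisiting at the same time.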
diff --git a/pith/pine.hlp b/pith/pine.hlp
index 5ee5e72c..6559f9d6 100644
--- a/pith/pine.hlp
+++ b/pith/pine.hlp
@@ -140,7 +140,7 @@ with help text for the config screen and the composer that didn't have any
reasonable place to be called from.
Dummy change to get revision in pine.hlp
============= h_revision =================
-Alpine Commit 166 2016-08-29 20:39:48
+Alpine Commit 167 2016-09-03 18:44:36
============= h_news =================
<HTML>
<HEAD>
diff --git a/pith/smime.c b/pith/smime.c
index 9629f743..389ce012 100644
--- a/pith/smime.c
+++ b/pith/smime.c
@@ -1238,8 +1238,12 @@ smime_init(void)
s_cert_store = get_ca_store();
setup_certs_backup_by_type(CACert);
+#ifdef OPENSSL_1_1_0
+ OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS|OPENSSL_INIT_ADD_ALL_DIGESTS|OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
+#else
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
+#endif /* OPENSSL_1_1_0 */
app_RAND_load_file(NULL);
openssl_extra_randomness();
@@ -3142,8 +3146,8 @@ find_certificate_matching_recip_info(PKCS7_RECIP_INFO *ri)
mine = x->cert;
- if(!X509_NAME_cmp(ri->issuer_and_serial->issuer,mine->cert_info->issuer) &&
- !ASN1_INTEGER_cmp(ri->issuer_and_serial->serial,mine->cert_info->serialNumber)){
+ if(!X509_NAME_cmp(ri->issuer_and_serial->issuer,X509_get_issuer_name(mine)) &&
+ !ASN1_INTEGER_cmp(ri->issuer_and_serial->serial,X509_get_serialNumber(mine))){
break;
}
}
diff --git a/pith/smkeys.c b/pith/smkeys.c
index ce58ed41..8666d53b 100644
--- a/pith/smkeys.c
+++ b/pith/smkeys.c
@@ -62,11 +62,9 @@ smime_X509_to_cert_info(X509 *x, char *name)
memset((void *)cert, 0, sizeof(CertList));
cert->x509_cert = x;
cert->name = name ? cpystr(name) : NULL;
- if(x && x->cert_info){
- cert->data.date_from = smime_get_date(x->cert_info->validity->notBefore);
- cert->data.date_to = smime_get_date(x->cert_info->validity->notAfter);
- cert->cn = smime_get_cn(x->cert_info->subject);
- }
+ cert->data.date_from = smime_get_date(X509_get0_notBefore(x));
+ cert->data.date_to = smime_get_date(X509_get0_notAfter(x));
+ cert->cn = smime_get_cn(x);
get_fingerprint(x, EVP_md5(), buf, sizeof(buf), NULL);
cert->data.md5 = cpystr(buf);
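Review bot: Dropping the `if(x && x->cert_info)` guard means `X509_get0_notBefore(x)`, `X509_get0_notAfter(x)` and `smime_get_cn(x)` are now called even when `x` is NULL; with OpenSSL 1.1.0 these are real accessors that dereference their argument, and the rewritten smime_get_cn (hunk at -261) passes `x` straight to `X509_get_subject_name`. The caller visible in this diff checks `if(x)` first, but other callers are not shown. Keeping `if(x){ ... }` around the three assignments preserves the old tolerance. smime_get_cn can now return NULL as well, so users of `cert->cn` outside these hunks should be checked for that.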
@@ -222,7 +220,7 @@ setup_certs_backup_by_type(WhichCerts ctype)
case CACert:
if((in = BIO_new_file(buf2, "r"))!=0){
x = PEM_read_bio_X509(in, NULL, NULL, NULL);
- if(x && x->cert_info){ /* for now copy this information */
+ if(x){ /* for now copy this information */
cert = smime_X509_to_cert_info(x, df->d_name);
/* we will use the cert->data.md5 variable to find a backup
certificate, not the name */
@@ -261,14 +259,20 @@ setup_certs_backup_by_type(WhichCerts ctype)
}
char *
-smime_get_cn(X509_NAME *subject)
+smime_get_cn(X509 *x)
{
- char buf[256];
X509_NAME_ENTRY *e;
- e = X509_NAME_get_entry(subject, X509_NAME_entry_count(subject)-1);
- if(e)
- X509_NAME_get_text_by_OBJ(subject, e->object, buf, sizeof(buf));
- return cpystr(buf);
+ X509_NAME *subject;
+ char buf[256];
+ char *rv = NULL;
+
+ subject = X509_get_subject_name(x);
+ if((e = X509_NAME_get_entry(subject, X509_NAME_entry_count(subject)-1)) != NULL){
+ X509_NAME_get_text_by_OBJ(subject, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf));
+ rv = cpystr(buf);
+ }
+
+ return rv;
}
int
@@ -395,7 +399,7 @@ emailstrclean(char *string)
char *
-smime_get_date(ASN1_GENERALIZEDTIME *tm)
+smime_get_date(const ASN1_TIME *tm)
{
BIO *mb = BIO_new(BIO_s_mem());
char iobuf[4096];
@@ -476,13 +480,12 @@ add_certs_in_dir(X509_LOOKUP *lookup, char *path, char *ext, CertList **cdata)
cert->name = cpystr(d->d_name);
/* read buf into a bio and fill the CertData structure */
if((in = BIO_new_file(buf, "r"))!=0){
- x = PEM_read_bio_X509(in, NULL, NULL, NULL);
- if(x && x->cert_info){
- cert->data.date_from = smime_get_date(x->cert_info->validity->notBefore);
- cert->data.date_to = smime_get_date(x->cert_info->validity->notAfter);
+ if((x = PEM_read_bio_X509(in, NULL, NULL, NULL)) != NULL){
+ cert->data.date_from = smime_get_date(X509_get0_notBefore(x));
+ cert->data.date_to = smime_get_date(X509_get0_notAfter(x));
get_fingerprint(x, EVP_md5(), buf, sizeof(buf), NULL);
cert->data.md5 = cpystr(buf);
- cert->cn = smime_get_cn(x->cert_info->subject);
+ cert->cn = smime_get_cn(x);
X509_free(x);
}
BIO_free(in);
diff --git a/pith/smkeys.h b/pith/smkeys.h
index 8c23d905..0d3570bc 100644
--- a/pith/smkeys.h
+++ b/pith/smkeys.h
@@ -29,7 +29,16 @@
#include <openssl/pem.h>
#include <openssl/err.h>
#include <openssl/bio.h>
+#include <openssl/safestack.h>
+#ifndef OPENSSL_1_1_0
+#define X509_get0_notBefore(x) ((x) && (x)->cert_info \
+ ? (x)->cert_info->validity->notBefore \
+ : NULL)
+#define X509_get0_notAfter(x) ((x) && (x)->cert_info \
+ ? (x)->cert_info->validity->notAfter \
+ : NULL)
+#endif /* OPENSSL_1_1_0 */
#define EMAILADDRLEADER "emailAddress="
#define CACERTSTORELEADER "cacert="
@@ -64,10 +73,10 @@ void free_personal_certs(PERSONAL_CERT **pc);
void get_fingerprint(X509 *cert, const EVP_MD *type, char *buf, size_t maxLen, char *s);
int certlist_to_file(char *filename, CertList *certlist);
int load_cert_for_key(char *pathdir, EVP_PKEY *pkey, char **certfile, X509 **pcert);
-char *smime_get_date(ASN1_GENERALIZEDTIME *tm);
+char *smime_get_date(const ASN1_TIME *tm);
void resort_certificates(CertList **data, WhichCerts ctype);
int setup_certs_backup_by_type(WhichCerts ctype);
-char *smime_get_cn(X509_NAME *);
+char *smime_get_cn(X509 *);
CertList *smime_X509_to_cert_info(X509 *, char *);
diff --git a/po/Makefile.in b/po/Makefile.in
index e72ba769..eb7c1647 100644
--- a/po/Makefile.in
+++ b/po/Makefile.in
@@ -11,7 +11,7 @@
# Origin: gettext-0.16
PACKAGE = alpine
-VERSION = 2.20.14
+VERSION = 2.20.15
PACKAGE_BUGREPORT = chappa@washington.edu
SHELL = /bin/sh