summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--alpine/alpine.c3
-rw-r--r--alpine/confscroll.c4
-rw-r--r--imap/src/osdep/nt/ssl_win.c116
-rw-r--r--include/config.wnt.h2
-rw-r--r--pith/conf.c66
-rw-r--r--pith/conf.h2
-rw-r--r--pith/conftype.h2
-rw-r--r--pith/pine.hlp6
8 files changed, 162 insertions, 39 deletions
diff --git a/alpine/alpine.c b/alpine/alpine.c
index 55bd581b..a2585af8 100644
--- a/alpine/alpine.c
+++ b/alpine/alpine.c
@@ -662,7 +662,6 @@ main(int argc, char **argv)
}
}
-#ifdef DF_ENCRYPTION_RANGE
if(ps_global->VAR_ENCRYPTION_RANGE
&& ps_global->VAR_ENCRYPTION_RANGE[0]){
char *min_s, *max_s, *s;
@@ -725,7 +724,7 @@ main(int argc, char **argv)
mail_parameters(NULL, SET_ENCRYPTION_RANGE_MAX, (void *) &max_v);
}
}
-#endif /* DF_ENCRYPTION_RANGE */
+
/*
* setup alternative authentication driver preference for IMAP opens
diff --git a/alpine/confscroll.c b/alpine/confscroll.c
index c8760eb7..67b15704 100644
--- a/alpine/confscroll.c
+++ b/alpine/confscroll.c
@@ -343,9 +343,7 @@ exclude_config_var(struct pine *ps, struct variable *var, int allow_hard_to_conf
case V_GLOB_ADDRBOOK :
case V_DISABLE_DRIVERS :
case V_DISABLE_AUTHS :
-#ifdef DF_ENCRYPTION_RANGE
case V_ENCRYPTION_RANGE :
-#endif
case V_REMOTE_ABOOK_METADATA :
case V_REMOTE_ABOOK_HISTORY :
case V_REMOTE_ABOOK_VALIDITY :
@@ -5780,9 +5778,7 @@ fix_side_effects(struct pine *ps, struct variable *var, int revert)
var == &ps->vars[V_NEWS_SPEC] ||
var == &ps->vars[V_DISABLE_DRIVERS] ||
var == &ps->vars[V_DISABLE_AUTHS] ||
-#ifdef DF_ENCRYPTION_RANGE
var == &ps->vars[V_ENCRYPTION_RANGE] ||
-#endif
#if !defined(_WINDOWS) || defined(ENABLE_WINDOWS_UNIXSSL_CERTS)
var == &ps->vars[V_SSLCAPATH] ||
var == &ps->vars[V_SSLCAFILE] ||
diff --git a/imap/src/osdep/nt/ssl_win.c b/imap/src/osdep/nt/ssl_win.c
index 5b8606a1..a6af01e3 100644
--- a/imap/src/osdep/nt/ssl_win.c
+++ b/imap/src/osdep/nt/ssl_win.c
@@ -1,5 +1,5 @@
/* ========================================================================
- * Copyright 2018 Eduardo Chappa
+ * Copyright 2018-2020 Eduardo Chappa
* Copyright 2008-2009 Mark Crispin
* ========================================================================
*/
@@ -153,7 +153,84 @@ SSLSTREAM *ssl_open (char *host,char *service,unsigned long port)
return stream ? ssl_start (stream,host,port) : NIL;
}
-
+#ifdef SP_PROT_SSL3
+ #ifdef MIN_ENCRYPTION
+ #undef MIN_ENCRYPTION
+ #endif /* MIN_ENCRYPTION */
+ #define MIN_ENCRYPTION SP_PROT_SSL3
+ #ifdef MAX_ENCRYPTION
+ #undef MAX_ENCRYPTION
+ #endif /* MAX_ENCRYPTION */
+ #define MAX_ENCRYPTION SP_PROT_SSL3
+#endif /* SP_PROT_SSL3 */
+#ifdef SP_PROT_TLS1
+ #ifndef MIN_ENCRYPTION
+ #define MIN_ENCRYPTION SP_PROT_TLS1
+ #endif /* MIN_ENCRYPTION */
+ #ifdef MAX_ENCRYPTION
+ #undef MAX_ENCRYPTION
+ #endif /* MAX_ENCRYPTION */
+ #define MAX_ENCRYPTION SP_PROT_TLS1
+#endif /* SP_PROT_TLS1 */
+#ifdef SP_PROT_TLS1_1
+ #ifndef MIN_ENCRYPTION
+ #define MIN_ENCRYPTION SP_PROT_TLS1_1
+ #endif /* MIN_ENCRYPTION */
+ #ifdef MAX_ENCRYPTION
+ #undef MAX_ENCRYPTION
+ #endif /* MAX_ENCRYPTION */
+ #define MAX_ENCRYPTION SP_PROT_TLS1_1
+#endif /* SP_PROT_TLS1_1 */
+#ifdef SP_PROT_TLS1_2
+ #ifndef MIN_ENCRYPTION
+ #define MIN_ENCRYPTION SP_PROT_TLS1_2
+ #endif /* MIN_ENCRYPTION */
+ #ifdef MAX_ENCRYPTION
+ #undef MAX_ENCRYPTION
+ #endif /* MAX_ENCRYPTION */
+ #define MAX_ENCRYPTION SP_PROT_TLS1_2
+#endif /* SP_PROT_TLS1_2 */
+
+typedef struct ssl_versions_s {
+ char *name;
+ int version;
+} SSL_VERSIONS_S;
+
+SSL_VERSIONS_S ssl_versions[] = {
+ { "no_min", MIN_ENCRYPTION },
+#ifdef SP_PROT_SSL3
+ { "ssl3", SP_PROT_SSL3 },
+#endif /* SP_PROT_SSL3 */
+#ifdef SP_PROT_TLS1
+ { "tls1", SP_PROT_TLS1 },
+#endif /* SP_PROT_TLS1 */
+#ifdef SP_PROT_TLS1_1
+ { "tls1_1", SP_PROT_TLS1_1 },
+#endif /* SP_PROT_TLS1_1 */
+#ifdef SP_PROT_TLS1_2
+ { "tls1_2", SP_PROT_TLS1_2 },
+#endif /* SP_PROT_TLS1_2 */
+ { "no_max", MAX_ENCRYPTION }, /* set this last in the list */
+ { NULL, 0 },
+};
+
+int
+pith_ssl_encryption_version(char *s)
+{
+ int i;
+
+ if (s == NULL || *s == '\0')
+ return -1;
+
+ for (i = 0; ssl_versions[i].name != NULL; i++)
+ if (strcmp(ssl_versions[i].name, s) == 0)
+ break;
+
+ if (strcmp(s, "no_max") == 0) i--;
+
+ return ssl_versions[i].name != NULL ? ssl_versions[i].version : -1;
+}
+
/* SSL authenticated open
* Accepts: host name
* service name
@@ -201,6 +278,9 @@ static SSLSTREAM *ssl_start (TCPSTREAM *tstream,char *host,unsigned long flags)
PWSTR whost = NIL;
char *buf = (char *) fs_get (ssltsz);
unsigned long size = 0;
+ int minv = *(int *) mail_parameters(NULL, GET_ENCRYPTION_RANGE_MIN, NULL);
+ int maxv = *(int *) mail_parameters(NULL, GET_ENCRYPTION_RANGE_MAX, NULL);
+ int i, client_request, range;
sslcertificatequery_t scq =
(sslcertificatequery_t) mail_parameters (NIL,GET_SSLCERTIFICATEQUERY,NIL);
sslfailure_t sf = (sslfailure_t) mail_parameters (NIL,GET_SSLFAILURE,NIL);
@@ -210,7 +290,30 @@ static SSLSTREAM *ssl_start (TCPSTREAM *tstream,char *host,unsigned long flags)
/* initialize TLS credential */
memset (&tlscred,0,sizeof (SCHANNEL_CRED));
tlscred.dwVersion = SCHANNEL_CRED_VERSION;
- tlscred.grbitEnabledProtocols = SP_PROT_TLS1;
+ client_request = (flags & NET_TRYTLS1) ? SP_PROT_TLS1
+ : (flags & NET_TRYTLS1_1) ? SP_PROT_TLS1_1
+ : (flags & NET_TRYTLS1_2) ? SP_PROT_TLS1_2
+ : 0;
+ /*
+ * if no special request, negotiate the maximum the client is configured
+ * to negotiate.
+ */
+ if(client_request == 0)
+ client_request = maxv;
+
+ if(client_request < minv || client_request > maxv)
+ return NIL; /* out of range? bail out */
+
+ if (flags & NET_TRYTLS1) range = SP_PROT_TLS1;
+ else if (flags & NET_TRYTLS1_1) range = SP_PROT_TLS1_1;
+ else if (flags & NET_TRYTLS1_2) range = SP_PROT_TLS1_2;
+ else {
+ for(i = 0, range; ssl_versions[i].name != NULL; i++)
+ range |= (ssl_versions[i].version >= minv
+ && ssl_versions[i].version <= maxv)
+ ? ssl_versions[i].version : 0;
+ }
+ tlscred.grbitEnabledProtocols = range;
/* acquire credentials */
if (sft->AcquireCredentialsHandle
@@ -497,13 +600,6 @@ static char *ssl_getline_work (SSLSTREAM *stream,unsigned long *size,
return ret;
}
-/* not implemented yet */
-int pith_ssl_encryption_version(char *s)
-{
-return 0;
-}
-
-
char *ssl_getsize(SSLSTREAM* stream, unsigned long size)
{
char *ret = NIL;
diff --git a/include/config.wnt.h b/include/config.wnt.h
index 65f1533b..2734bff5 100644
--- a/include/config.wnt.h
+++ b/include/config.wnt.h
@@ -571,8 +571,6 @@
#define DEFAULT_SSLCAPATH "C:\\libressl\\ssl\\certs"
#define DEFAULT_SSLCAFILE "C:\\libressl\\ssl\\certs\\cert.pem"
#endif /* WXPBUILD */
-#else
-#undef DF_ENCRYPTION_RANGE
#endif /* defined(ENABLE_WINDOWS_UNIXSSL) && defined(WXPBUILD) */
/* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */
diff --git a/pith/conf.c b/pith/conf.c
index cbbe7558..f856c961 100644
--- a/pith/conf.c
+++ b/pith/conf.c
@@ -756,10 +756,8 @@ static struct variable variables[] = {
NULL, cf_text_disable_drivers},
{"disable-these-authenticators", 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0,
NULL, cf_text_disable_auths},
-#ifdef DF_ENCRYPTION_RANGE
{"encryption-protocol-range", 0, 1, 0, 1, 1, 0, 0, 0, 0, 1, 0,
NULL, cf_text_encryption_range},
-#endif
{"remote-abook-metafile", 0, 1, 0, 1, 0, 0, 0, 0, 1, 1, 0,
NULL, cf_text_remote_abook_metafile},
{"remote-abook-history", 0, 1, 0, 1, 1, 0, 0, 0, 0, 1, 0,
@@ -1621,9 +1619,7 @@ init_vars(struct pine *ps, void (*cmds_f) (struct pine *, char **))
GLO_PRINTER = cpystr(DF_DEFAULT_PRINTER);
GLO_ELM_STYLE_SAVE = cpystr(DF_ELM_STYLE_SAVE);
-#ifdef DF_ENCRYPTION_RANGE
GLO_ENCRYPTION_RANGE = cpystr(DF_ENCRYPTION_RANGE);
-#endif
GLO_SAVE_BY_SENDER = cpystr(DF_SAVE_BY_SENDER);
GLO_HEADER_IN_REPLY = cpystr(DF_HEADER_IN_REPLY);
GLO_INBOX_PATH = cpystr("inbox");
@@ -2353,9 +2349,7 @@ init_vars(struct pine *ps, void (*cmds_f) (struct pine *, char **))
set_current_val(&vars[V_FORCED_ABOOK_ENTRY], TRUE, TRUE);
set_current_val(&vars[V_DISABLE_DRIVERS], TRUE, TRUE);
set_current_val(&vars[V_DISABLE_AUTHS], TRUE, TRUE);
-#ifdef DF_ENCRYPTION_RANGE
set_current_val(&vars[V_ENCRYPTION_RANGE], TRUE, TRUE);
-#endif
set_current_val(&vars[V_VIEW_HEADERS], TRUE, TRUE);
/* strip spaces and colons */
@@ -7893,10 +7887,8 @@ config_help(int var, int feature)
return(h_config_disable_drivers);
case V_DISABLE_AUTHS :
return(h_config_disable_auths);
-#ifdef DF_ENCRYPTION_RANGE
case V_ENCRYPTION_RANGE :
return(h_config_encryption_range);
-#endif
case V_REMOTE_ABOOK_METADATA :
return(h_config_abook_metafile);
case V_REPLY_STRING :
@@ -8218,6 +8210,12 @@ printer_value_check_and_adjust(void)
return(!ok);
}
+#ifdef _WINDOWS
+#include <schannel.h>
+#include <Schnlsp.h>
+#else
+#include <openssl/ssl.h>
+#endif /* _WINDOWS */
char **
get_supported_options(void)
@@ -8269,14 +8267,50 @@ get_supported_options(void)
config[cnt] = cpystr(_(" TLS and SSL"));
tmp[0] = tmp[1] = ' ';
tmp[2] = '\0';
- strcat(tmp, "TLSv1, ");
- strcat(tmp, "TLSv1.1, ");
- strcat(tmp, "TLSv1.2, ");
-#ifdef TLS1_3_VERSION
- strcat(tmp, "TLSv1.3, ");
-#endif /* TLS1_3_VERSION */
- tmp[strlen(tmp)-2] = '.';
- tmp[strlen(tmp)-1] = '\0';
+#ifdef _WINDOWS
+ #ifdef SP_PROT_SSL3
+ strcat(tmp, "SSLv3, ");
+ #endif /* SP_PROT_SSL3 */
+ #ifdef SP_PROT_TLS1
+ strcat(tmp, "TLSv1, ");
+ #endif /* SP_PROT_TLS1 */
+ #ifdef SP_PROT_TLS1_1
+ strcat(tmp, "TLSv1.1, ");
+ #endif /* SP_PROT_TLS1 */
+ #ifdef SP_PROT_TLS1_2
+ strcat(tmp, "TLSv1.2, ");
+ #endif /* SP_PROT_TLS1_2 */
+ #ifdef SP_PROT_TLS1_3
+ strcat(tmp, "TLSv1.3, ");
+ #endif /* SP_PROT_TLS1_3 */
+#else
+ #ifdef SSL3_VERSION
+ #ifndef OPENSSL_NO_SSL3_METHOD
+ strcat(tmp, "SSLv3, ");
+ #endif /* OPENSSL_NO_SSL3_METHOD */
+ #endif /* SSL3_VERSION */
+ #ifdef TLS1_VERSION
+ #ifndef OPENSSL_NO_TLS1_METHOD
+ strcat(tmp, "TLSv1, ");
+ #endif /* OPENSSL_NO_TLS1_METHOD */
+ #endif /* TLS1_VERSION */
+ #ifdef TLS1_1_VERSION
+ #ifndef OPENSSL_NO_TLS1_1_METHOD
+ strcat(tmp, "TLSv1.1, ");
+ #endif /* OPENSSL_NO_TLS1_1_METHOD */
+ #endif /* TLS1_1_VERSION */
+ #ifdef TLS1_2_VERSION
+ #ifndef OPENSSL_NO_TLS1_2_METHOD
+ strcat(tmp, "TLSv1.2, ");
+ #endif /* OPENSSL_NO_TLS1_2_METHOD */
+ #endif /* TLS1_2_VERSION */
+ #ifdef TLS1_3_VERSION
+ #ifndef OPENSSL_NO_TLS1_3_METHOD
+ strcat(tmp, "TLSv1.3, ");
+ #endif /* OPENSSL_NO_TLS1_3_METHOD */
+ #endif /* TLS1_3_VERSION */
+#endif /* _WINDOWS */
+ tmp[strlen(tmp)-2] = '\0';
}
else
config[cnt] = cpystr(_(" None (no TLS or SSL)"));
diff --git a/pith/conf.h b/pith/conf.h
index bd72563b..100224bc 100644
--- a/pith/conf.h
+++ b/pith/conf.h
@@ -267,10 +267,8 @@
#define GLO_REMOTE_ABOOK_HISTORY vars[V_REMOTE_ABOOK_HISTORY].global_val.p
#define VAR_REMOTE_ABOOK_VALIDITY vars[V_REMOTE_ABOOK_VALIDITY].current_val.p
#define GLO_REMOTE_ABOOK_VALIDITY vars[V_REMOTE_ABOOK_VALIDITY].global_val.p
-#ifdef DF_ENCRYPTION_RANGE
#define GLO_ENCRYPTION_RANGE vars[V_ENCRYPTION_RANGE].global_val.p
#define VAR_ENCRYPTION_RANGE vars[V_ENCRYPTION_RANGE].current_val.p
-#endif
/* Elm style save is obsolete in Pine 3.81 (see saved msg name rule) */
#define VAR_ELM_STYLE_SAVE vars[V_ELM_STYLE_SAVE].current_val.p
#define GLO_ELM_STYLE_SAVE vars[V_ELM_STYLE_SAVE].global_val.p
diff --git a/pith/conftype.h b/pith/conftype.h
index 3f0f1e3c..4ea7993e 100644
--- a/pith/conftype.h
+++ b/pith/conftype.h
@@ -174,9 +174,7 @@ typedef enum { V_PERSONAL_NAME = 0
, V_NEW_VER_QUELL
, V_DISABLE_DRIVERS
, V_DISABLE_AUTHS
-#ifdef DF_ENCRYPTION_RANGE
, V_ENCRYPTION_RANGE
-#endif
, V_REMOTE_ABOOK_METADATA
, V_REMOTE_ABOOK_HISTORY
, V_REMOTE_ABOOK_VALIDITY
diff --git a/pith/pine.hlp b/pith/pine.hlp
index 2435d516..c6c1a2e4 100644
--- a/pith/pine.hlp
+++ b/pith/pine.hlp
@@ -140,7 +140,7 @@ with help text for the config screen and the composer that didn't have any
reasonable place to be called from.
Dummy change to get revision in pine.hlp
============= h_revision =================
-Alpine Commit 493 2020-07-10 00:56:09
+Alpine Commit 494 2020-07-17 01:43:03
============= h_news =================
<HTML>
<HEAD>
@@ -237,6 +237,10 @@ problems you find with this release.
<LI> Alpine will not write debug files unless started with the option -d,
so for example &quot;alpine -d 2&quot; will generate a debug file at level 2,
but just issuing the alpine command will not write any debug to a file.
+
+<LI> Experimental: Attempt to implement the Encryption Range in Windows. It works
+ in Windows 10, and it should work in Windows 8.1. It needs testing in
+ Windows 7 and Windows Vista.
</UL>
<P>