diff options
Diffstat (limited to 'imap')
-rw-r--r-- | imap/src/osdep/nt/env_nt.c | 9 | ||||
-rw-r--r-- | imap/src/osdep/nt/ssl_libressl.c | 99 | ||||
-rw-r--r-- | imap/src/osdep/nt/ssl_nt.c | 8 | ||||
-rw-r--r-- | imap/src/osdep/unix/ssl_unix.c | 26 |
4 files changed, 73 insertions, 69 deletions
diff --git a/imap/src/osdep/nt/env_nt.c b/imap/src/osdep/nt/env_nt.c index 50063ad6..da84b10c 100644 --- a/imap/src/osdep/nt/env_nt.c +++ b/imap/src/osdep/nt/env_nt.c @@ -43,6 +43,7 @@ static void (*alarm_rang) (); /* alarm interrupt function */ static unsigned int rndm = 0; /* initial `random' number */ static int server_nli = 0; /* server and not logged in */ static int logtry = 3; /* number of login tries */ +static char *sslCApath = NIL; /* non-standard CA path */ /* block notification */ static blocknotify_t mailblocknotify = mm_blocknotify; /* callback to get username */ @@ -127,6 +128,13 @@ void *env_parameters (long function,void *value) case GET_BLOCKNOTIFY: ret = (void *) mailblocknotify; break; + case SET_SSLCAPATH: /* this can be set null */ + if (sslCApath) fs_give ((void **) &sslCApath); + sslCApath = value ? cpystr ((char *) value) : value; + break; + case GET_SSLCAPATH: + ret = (void *) sslCApath; + break; } return ret; } @@ -777,4 +785,5 @@ void env_end(void) if(myHomeDir) fs_give((void **) &myHomeDir); if(myNewsrc) fs_give((void **) &myNewsrc); if(sysInbox) fs_give((void **) &sysInbox); + if(sslCApath) fs_give((void **) &sslCApath); } diff --git a/imap/src/osdep/nt/ssl_libressl.c b/imap/src/osdep/nt/ssl_libressl.c index c44c1e94..366fae01 100644 --- a/imap/src/osdep/nt/ssl_libressl.c +++ b/imap/src/osdep/nt/ssl_libressl.c @@ -1,20 +1,14 @@ /* ======================================================================== - * Copyright 2018 Eduardo Chappa - * Copyright 2008-2009 Mark Crispin + * Copyright 2018-2020 Eduardo Chappa * ======================================================================== */ /* * Program: SSL authentication/encryption module for Windows 9x and NT * - * Author: Mark Crispin + * Author: Eduardo Chappa, based on ssl_unix.c * - * Date: 22 September 1998 - * Last Edited: 8 November 2009 - * - * Previous versions of this file were - * - * Copyright 1988-2008 University of Washington + * Last Edited: January 25, 2020 * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -73,7 +67,8 @@ typedef struct ssl_stream { #include "sslio.h" /* Function prototypes */ -const SSL_METHOD *ssl_connect_mthd(int flag); +int ssl_disable_mask(int ssl_version, int direction); +const SSL_METHOD *ssl_connect_mthd(int flag, int *minv, int *maxv); static SSLSTREAM *ssl_start(TCPSTREAM *tstream,char *host,unsigned long flags); static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags); static int ssl_open_verify (int ok,X509_STORE_CTX *ctx); @@ -109,20 +104,20 @@ pith_ssl_encryption_version(char *s) { "tls1_3", TLS1_3_VERSION }, #endif /* TLS1_3_VERSION */ { "no_max", 0 }, /* set this last in the list */ - { NULL, 0 }, + { NIL, 0 }, }; int i; - if (s == NULL || *s == '\0') + if (s == NIL || *s == '\0') return -1; - for (i = 0; ssl_versions[i].name != NULL; i++) + for (i = 0; ssl_versions[i].name != NIL; i++) if (strcmp(ssl_versions[i].name, s) == 0) break; if (strcmp(s, "no_max") == 0) i--; - return ssl_versions[i].name != NULL ? ssl_versions[i].version : -1; + return ssl_versions[i].name != NIL ? ssl_versions[i].version : -1; } /* Secure Sockets Layer network driver dispatch */ @@ -158,9 +153,9 @@ void ssl_onceonlyinit (void) /* if system doesn't have /dev/urandom */ if (stat ("/dev/urandom",&sbuf)) { strcpy(tmp, "SSLXXXXXX"); - fd = fopen(tmp,"a"); - fstat (fd,&sbuf); /* get information about the file */ + fd = open(tmp,"a"); close (fd); /* flush descriptor */ + fstat (fd,&sbuf); /* get information about the file */ unlink (tmp); /* don't need the file */ /* not great but it'll have to do */ sprintf (tmp + strlen (tmp),"%.80s%lx%.80s%lx%lx%lx%lx%lx", @@ -174,7 +169,7 @@ void ssl_onceonlyinit (void) mail_parameters (NIL,SET_SSLDRIVER,(void *) &ssldriver); mail_parameters (NIL,SET_SSLSTART,(void *) ssl_start); #ifdef OPENSSL_1_1_0 - OPENSSL_init_ssl(0, NULL); + OPENSSL_init_ssl(0, NIL); #else SSL_library_init (); /* add all algorithms */ #endif /* OPENSSL_1_1_0 */ @@ -253,7 +248,7 @@ int ssl_disable_mask(int ssl_version, int direction) /* ssl_connect_mthd: returns a context pointer to the connection to * a ssl server */ -const SSL_METHOD *ssl_connect_mthd(int flag, int *min, int *max) +const SSL_METHOD *ssl_connect_mthd(int flag, int *minv, int *maxv) { int client_request; client_request = (flag & NET_TRYTLS1) ? TLS1_VERSION @@ -266,55 +261,55 @@ const SSL_METHOD *ssl_connect_mthd(int flag, int *min, int *max) #endif : 0; - *min = *(int *)mail_parameters(NULL, GET_ENCRYPTION_RANGE_MIN, NULL); - *max = *(int *)mail_parameters(NULL, GET_ENCRYPTION_RANGE_MAX, NULL); + *minv = *(int *)mail_parameters(NIL, GET_ENCRYPTION_RANGE_MIN, NIL); + *maxv = *(int *)mail_parameters(NIL, GET_ENCRYPTION_RANGE_MAX, NIL); /* * if no special request, negotiate the maximum the client is configured * to negotiate */ if (client_request == 0) - client_request = *max; + client_request = *maxv; - if (client_request < *min || client_request > *max) + if (client_request < *minv || client_request > *maxv) return NIL; /* out of range? bail out */ - /* Some Linux distributors seem to believe that it is ok to disable some of - * these methods for their users, so we have to test that every requested - * method has actually been compiled in into their openssl/libressl library. - * Oh well... - */ + /* Some Linux distributors seem to believe that it is ok to disable some of + * these methods for their users, so we have to test that every requested + * method has actually been compiled in into their openssl/libressl library. + * Oh well... + */ #ifndef OPENSSL_1_1_0 if (client_request == SSL3_VERSION) #ifndef OPENSSL_NO_SSL3_METHOD - return SSLv3_client_method(); + return SSLv3_client_method(); #else - return NIL; + return NIL; #endif /* OPENSSL_NO_SSL3_METHOD */ else if (client_request == TLS1_VERSION) #ifndef OPENSSL_NO_TLS1_METHOD - return TLSv1_client_method(); + return TLSv1_client_method(); #else - return NIL; + return NIL; #endif /* OPENSSL_NO_TLS1_METHOD */ else if (client_request == TLS1_1_VERSION) #ifndef OPENSSL_NO_TLS1_1_METHOD - return TLSv1_1_client_method(); + return TLSv1_1_client_method(); #else - return NIL; + return NIL; #endif /* OPENSSL_NO_TLS1_1_METHOD */ else if (client_request == TLS1_2_VERSION) #ifndef OPENSSL_NO_TLS1_2_METHOD - return TLSv1_2_client_method(); + return TLSv1_2_client_method(); #else - return NIL; + return NIL; #endif /* OPENSSL_NO_TLS1_2_METHOD */ #ifdef TLS1_3_VERSION /* this is only reachable if TLS1_3 support exists */ else if (client_request == TLS1_3_VERSION) #ifndef OPENSSL_NO_TLS1_3_METHOD - return TLS_client_method(); + return TLS_client_method(); #else - return NIL; + return NIL; #endif /* #ifndef OPENSSL_NO_TLS1_2_METHOD */ #endif /* TLS1_3_VERSION */ #endif /* ifndef OPENSSL_1_1_0 */ @@ -389,7 +384,7 @@ static char *ssl_start_work(SSLSTREAM *stream, char *host, unsigned long flags) BIO *bio; X509 *cert; unsigned long sl, tl; - int min, max; + int minv, maxv; int masklow, maskhigh; char *s, *t, *err, tmp[MAILTMPLEN], buf[256]; sslcertificatequery_t scq = @@ -400,24 +395,24 @@ static char *ssl_start_work(SSLSTREAM *stream, char *host, unsigned long flags) (sslclientkey_t)mail_parameters(NIL, GET_SSLCLIENTKEY, NIL); if (ssl_last_error) fs_give((void **)&ssl_last_error); ssl_last_host = host; - if (!(stream->context = SSL_CTX_new(ssl_connect_mthd(flags, &min, &max)))) + if (!(stream->context = SSL_CTX_new(ssl_connect_mthd(flags, &minv, &maxv)))) return "SSL context failed"; SSL_CTX_set_options(stream->context, 0); - masklow = ssl_disable_mask(min, -1); - maskhigh = ssl_disable_mask(max, 1); + masklow = ssl_disable_mask(minv, -1); + maskhigh = ssl_disable_mask(maxv, 1); SSL_CTX_set_options(stream->context, masklow | maskhigh); /* disable certificate validation? */ if (flags & NET_NOVALIDATECERT) SSL_CTX_set_verify(stream->context, SSL_VERIFY_NONE, NIL); else SSL_CTX_set_verify(stream->context, SSL_VERIFY_PEER, ssl_open_verify); - /* set default paths to CAs... */ - SSL_CTX_set_default_verify_paths(stream->context); - /* ...unless a non-standard path desired */ - if ((s = (char *)mail_parameters(NIL, GET_SSLCAPATH, NIL)) != NULL) - SSL_CTX_load_verify_locations(stream->context, NIL, s); + /* a non-standard path desired */ + if ((s = (char *)mail_parameters(NIL, GET_SSLCAPATH, NIL)) != NIL) + SSL_CTX_load_verify_locations(stream->context, NIL, (const char *)s); + else /* otherwise we set default paths to CAs... */ + SSL_CTX_set_default_verify_paths(stream->context); /* want to send client certificate? */ if (scc && (s = (*scc) ()) && (sl = strlen(s))) { - if ((cert = PEM_read_bio_X509(bio = BIO_new_mem_buf(s, sl), NIL, NIL, NIL)) != NULL) { + if ((cert = PEM_read_bio_X509(bio = BIO_new_mem_buf(s, sl), NIL, NIL, NIL)) != NIL) { SSL_CTX_use_certificate(stream->context, cert); X509_free(cert); } @@ -427,7 +422,7 @@ static char *ssl_start_work(SSLSTREAM *stream, char *host, unsigned long flags) if ((t = (sck ? (*sck) () : s)) && (tl = strlen(t))) { EVP_PKEY *key; if ((key = PEM_read_bio_PrivateKey(bio = BIO_new_mem_buf(t, tl), - NIL, NIL, "")) != NULL) { + NIL, NIL, "")) != NIL) { SSL_CTX_use_PrivateKey(stream->context, key); EVP_PKEY_free(key); } @@ -535,7 +530,7 @@ static char *ssl_validate_cert (X509 *cert,char *host) if(m == 0 || ret != NIL){ cname = X509_get_subject_name(cert); for(j = 0, ret = NIL; j < X509_NAME_entry_count(cname) && ret == NIL; j++){ - if((e = X509_NAME_get_entry(cname, j)) != NULL){ + if((e = X509_NAME_get_entry(cname, j)) != NIL){ X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf)); s = (char *) buf; } @@ -951,8 +946,8 @@ void ssl_server_init (char *server) sizeof (SSLSTREAM)); ssl_onceonlyinit (); /* make sure algorithms added */ #ifdef OPENSSL_1_1_0 - OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); - OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS|OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); + OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NIL); + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS|OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NIL); #else ERR_load_crypto_strings (); SSL_load_error_strings (); @@ -1065,7 +1060,7 @@ static RSA *ssl_genkey (SSL_CTX_TYPE *con,int export,int keylength) } #ifdef OPENSSL_1_1_0 BN_free(e); - e = NULL; + e = NIL; #endif /* OPENSSL_1_1_0 */ } return key; diff --git a/imap/src/osdep/nt/ssl_nt.c b/imap/src/osdep/nt/ssl_nt.c index 5bc04ab8..71695766 100644 --- a/imap/src/osdep/nt/ssl_nt.c +++ b/imap/src/osdep/nt/ssl_nt.c @@ -23,8 +23,8 @@ * http://www.apache.org/licenses/LICENSE-2.0 * */ -//#ifdef ENABLE_WINDOWS_LIBRESSL -//#include "ssl_libressl.c" -//#else +#if !defined(ENABLE_WINDOWS_LIBRESSL) || !defined(W32BITSBUILD) #include "ssl_win.c" -//#endif /* ENABLE_WINDOWS_LIBRESSL */ +#else +#include "ssl_libressl.c" +#endif diff --git a/imap/src/osdep/unix/ssl_unix.c b/imap/src/osdep/unix/ssl_unix.c index 93fb1a9a..57931525 100644 --- a/imap/src/osdep/unix/ssl_unix.c +++ b/imap/src/osdep/unix/ssl_unix.c @@ -75,7 +75,7 @@ typedef struct ssl_stream { /* Function prototypes */ int ssl_disable_mask(int ssl_version, int direction); -const SSL_METHOD *ssl_connect_mthd(int flag, int *min, int *max); +const SSL_METHOD *ssl_connect_mthd(int flag, int *minv, int *maxv); static SSLSTREAM *ssl_start(TCPSTREAM *tstream,char *host,unsigned long flags); static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags); static int ssl_open_verify (int ok,X509_STORE_CTX *ctx); @@ -257,7 +257,7 @@ int ssl_disable_mask(int ssl_version, int direction) /* ssl_connect_mthd: returns a context pointer to the connection to * a ssl server */ -const SSL_METHOD *ssl_connect_mthd(int flag, int *min, int *max) +const SSL_METHOD *ssl_connect_mthd(int flag, int *minv, int *maxv) { int client_request; client_request = (flag & NET_TRYTLS1) ? TLS1_VERSION @@ -270,17 +270,17 @@ const SSL_METHOD *ssl_connect_mthd(int flag, int *min, int *max) #endif : 0; - *min = *(int *) mail_parameters(NULL, GET_ENCRYPTION_RANGE_MIN, NULL); - *max = *(int *) mail_parameters(NULL, GET_ENCRYPTION_RANGE_MAX, NULL); + *minv = *(int *) mail_parameters(NULL, GET_ENCRYPTION_RANGE_MIN, NULL); + *maxv = *(int *) mail_parameters(NULL, GET_ENCRYPTION_RANGE_MAX, NULL); /* * if no special request, negotiate the maximum the client is configured * to negotiate */ if(client_request == 0) - client_request = *max; + client_request = *maxv; - if(client_request < *min || client_request > *max) + if(client_request < *minv || client_request > *maxv) return NIL; /* out of range? bail out */ /* Some Linux distributors seem to believe that it is ok to disable some of @@ -392,7 +392,7 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags) BIO *bio; X509 *cert; unsigned long sl,tl; - int min, max; + int minv, maxv; int masklow, maskhigh; char *s,*t,*err,tmp[MAILTMPLEN], buf[256]; sslcertificatequery_t scq = @@ -403,21 +403,21 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags) (sslclientkey_t) mail_parameters (NIL,GET_SSLCLIENTKEY,NIL); if (ssl_last_error) fs_give ((void **) &ssl_last_error); ssl_last_host = host; - if (!(stream->context = SSL_CTX_new (ssl_connect_mthd(flags, &min, &max)))) + if (!(stream->context = SSL_CTX_new (ssl_connect_mthd(flags, &minv, &maxv)))) return "SSL context failed"; SSL_CTX_set_options (stream->context,0); - masklow = ssl_disable_mask(min, -1); - maskhigh = ssl_disable_mask(max, 1); + masklow = ssl_disable_mask(minv, -1); + maskhigh = ssl_disable_mask(maxv, 1); SSL_CTX_set_options(stream->context, masklow|maskhigh); /* disable certificate validation? */ if (flags & NET_NOVALIDATECERT) SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL); else SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify); - /* set default paths to CAs... */ - SSL_CTX_set_default_verify_paths (stream->context); - /* ...unless a non-standard path desired */ + /* if a non-standard path desired */ if ((s = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL)) != NULL) SSL_CTX_load_verify_locations (stream->context,NIL,s); + else /* set default paths to CAs... */ + SSL_CTX_set_default_verify_paths (stream->context); /* want to send client certificate? */ if (scc && (s = (*scc) ()) && (sl = strlen (s))) { if ((cert = PEM_read_bio_X509 (bio = BIO_new_mem_buf (s,sl),NIL,NIL,NIL)) != NULL) { |