From d75d2841dcf33329544fdc6e697f2402d55226d6 Mon Sep 17 00:00:00 2001 From: Eduardo Chappa Date: Sat, 25 Jan 2020 11:12:24 -0700 Subject: * New variable system-certs-path that allows users to indicate the location of the directory where folders are located. In PC-Alpine this must be C:\libressl\ssl\certs. The C: drive can be replaced by the name of the drive where the binary and DLL files are located. --- alpine/alpine.c | 4 ++ alpine/confscroll.c | 7 +++ build.bat | 4 +- configure | 6 +++ configure.ac | 2 + imap/src/osdep/nt/env_nt.c | 9 ++++ imap/src/osdep/nt/ssl_libressl.c | 99 +++++++++++++++++++--------------------- imap/src/osdep/nt/ssl_nt.c | 8 ++-- imap/src/osdep/unix/ssl_unix.c | 26 +++++------ include/config.h.in | 3 ++ include/config.wnt.h | 9 +++- pith/conf.c | 41 +++++++++++++++++ pith/conf.h | 9 ++++ pith/conftype.h | 5 ++ pith/pine.hlp | 58 ++++++++++++++++++++++- 15 files changed, 217 insertions(+), 73 deletions(-) diff --git a/alpine/alpine.c b/alpine/alpine.c index 2ec1e84..a829c6d 100644 --- a/alpine/alpine.c +++ b/alpine/alpine.c @@ -471,6 +471,10 @@ main(int argc, char **argv) init_vars(pine_state, process_init_cmds); +#if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD)) + set_system_certs_path(pine_state); +#endif + #ifdef SMIME if(F_ON(F_DONT_DO_SMIME, ps_global)) smime_deinit(); diff --git a/alpine/confscroll.c b/alpine/confscroll.c index 6890e6f..7518dcf 100644 --- a/alpine/confscroll.c +++ b/alpine/confscroll.c @@ -341,7 +341,9 @@ exclude_config_var(struct pine *ps, struct variable *var, int allow_hard_to_conf case V_GLOB_ADDRBOOK : case V_DISABLE_DRIVERS : case V_DISABLE_AUTHS : +#ifdef DF_ENCRYPTION_RANGE case V_ENCRYPTION_RANGE : +#endif case V_REMOTE_ABOOK_METADATA : case V_REMOTE_ABOOK_HISTORY : case V_REMOTE_ABOOK_VALIDITY : 
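Review bot: The guard `#if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD))` placed around the new set_system_certs_path() call is repeated verbatim in confscroll.c, conf.c (four times), conf.h and conftype.h, while ssl_nt.c and config.wnt.h carry its negation. Because variables[] in conf.c is presumably indexed by the V_ enum from conftype.h, a single copy drifting out of sync (for example a future 64-bit LibreSSL build that omits W32BITSBUILD in one place) would shift every variable after V_SSLCAPATH without a compile error. Define the condition once as a feature macro next to DEFAULT_SSLCAPATH (a constructed name such as `HAVE_SYSTEM_CERTS_PATH`) and test only that macro in all of these files. main() continues outside the hunk.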
@@ -5768,7 +5770,12 @@ fix_side_effects(struct pine *ps, struct variable *var, int revert) var == &ps->vars[V_NEWS_SPEC] || var == &ps->vars[V_DISABLE_DRIVERS] || var == &ps->vars[V_DISABLE_AUTHS] || +#ifdef DF_ENCRYPTION_RANGE var == &ps->vars[V_ENCRYPTION_RANGE] || +#endif +#if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD)) + var == &ps->vars[V_SSLCAPATH] || +#endif var == &ps->vars[V_RSHPATH] || var == &ps->vars[V_RSHCMD] || var == &ps->vars[V_SSHCMD] || diff --git a/build.bat b/build.bat index 4b1f312..6f43f0a 100755 --- a/build.bat +++ b/build.bat @@ -34,12 +34,14 @@ set CRYPTO_VERSION=41 set SSL_VERSION=43 set TLS_VERSION=15 set BIT=32 +set windows32build=-DW32BITSBUILD goto wntbuild :wnt set CRYPTO_VERSION=45 set SSL_VERSION=47 set TLS_VERSION=19 set BIT=64 +set windows32build= :wntbuild echo PC-Alpine for Windows/Winsock (Win32) build sequence set cclntmake=makefile.nt @@ -68,7 +70,7 @@ echo including LDAP functionality set ldapflags=-I\"%ALPINE_LDAP%\"\inckit -DENABLE_LDAP set ldaplibes=\"%ALPINE_LDAP%\"\binaries\release\ldap32.lib :noldapwnt -set extracflagsnq=/DWINVER=0x0501 /Zi -Od %ldapflags% %libresslflags% -D_USE_32BIT_TIME_T -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DSPCL_REMARKS=\"\\\"\\\"\" +set extracflagsnq=/DWINVER=0x0501 /Zi -Od %ldapflags% %libresslflags% %windows32build% -D_USE_32BIT_TIME_T -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DSPCL_REMARKS=\"\\\"\\\"\" set extralibes="%libresslextralibes%" set extralibesalpine="%ldaplibes% %libressllibes%" set extrarcflags="/D_PCP_WNT" diff --git a/configure b/configure index a7a8ee6..dc5492a 100755 --- a/configure +++ b/configure 
@@ -21814,6 +21814,12 @@ else $as_echo "$as_me: SSL Problem: certificate directory not found" >&6;} fi + +cat >>confdefs.h <<_ACEOF +#define DEFAULT_SSLCAPATH "$certdir" +_ACEOF + + if test "x$with_smime" != "xno" ; then if test -n "$certdir" ; then { $as_echo "$as_me:${as_lineno-$LINENO}: * * * S/MIME support enabled" >&5 diff --git a/configure.ac b/configure.ac index bf5762d..ac90e42 100644 --- a/configure.ac +++ b/configure.ac @@ -2080,6 +2080,8 @@ else AC_MSG_NOTICE([SSL Problem: certificate directory not found]) fi + AC_DEFINE_UNQUOTED([DEFAULT_SSLCAPATH],"$certdir",[Directory where system certificates are located]) + if test "x$with_smime" != "xno" ; then if test -n "$certdir" ; then AC_MSG_NOTICE([* * * S/MIME support enabled]) diff --git a/imap/src/osdep/nt/env_nt.c b/imap/src/osdep/nt/env_nt.c index 50063ad..da84b10 100644 --- a/imap/src/osdep/nt/env_nt.c +++ b/imap/src/osdep/nt/env_nt.c @@ -43,6 +43,7 @@ static void (*alarm_rang) (); /* alarm interrupt function */ static unsigned int rndm = 0; /* initial `random' number */ static int server_nli = 0; /* server and not logged in */ static int logtry = 3; /* number of login tries */ +static char *sslCApath = NIL; /* non-standard CA path */ /* block notification */ static blocknotify_t mailblocknotify = mm_blocknotify; /* callback to get username */ @@ -127,6 +128,13 @@ void *env_parameters (long function,void *value) case GET_BLOCKNOTIFY: ret = (void *) mailblocknotify; break; + case SET_SSLCAPATH: /* this can be set null */ + if (sslCApath) fs_give ((void **) &sslCApath); + sslCApath = value ? cpystr ((char *) value) : value; + break; + case GET_SSLCAPATH: + ret = (void *) sslCApath; + break; } return ret; } @@ -777,4 +785,5 @@ void env_end(void) if(myHomeDir) fs_give((void **) &myHomeDir); if(myNewsrc) fs_give((void **) &myNewsrc); if(sysInbox) fs_give((void **) &sysInbox); + if(sslCApath) fs_give((void **) &sslCApath); } 
diff --git a/imap/src/osdep/nt/ssl_libressl.c b/imap/src/osdep/nt/ssl_libressl.c index c44c1e9..366fae0 100644 --- a/imap/src/osdep/nt/ssl_libressl.c +++ b/imap/src/osdep/nt/ssl_libressl.c @@ -1,20 +1,14 @@ /* ======================================================================== - * Copyright 2018 Eduardo Chappa - * Copyright 2008-2009 Mark Crispin + * Copyright 2018-2020 Eduardo Chappa * ======================================================================== */ /* * Program: SSL authentication/encryption module for Windows 9x and NT * - * Author: Mark Crispin + * Author: Eduardo Chappa, based on ssl_unix.c * - * Date: 22 September 1998 - * Last Edited: 8 November 2009 - * - * Previous versions of this file were - * - * Copyright 1988-2008 University of Washington + * Last Edited: January 25, 2020 * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -73,7 +67,8 @@ typedef struct ssl_stream { #include "sslio.h" /* Function prototypes */ -const SSL_METHOD *ssl_connect_mthd(int flag); +int ssl_disable_mask(int ssl_version, int direction); +const SSL_METHOD *ssl_connect_mthd(int flag, int *minv, int *maxv); static SSLSTREAM *ssl_start(TCPSTREAM *tstream,char *host,unsigned long flags); static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags); static int ssl_open_verify (int ok,X509_STORE_CTX *ctx); 
@@ -109,20 +104,20 @@ pith_ssl_encryption_version(char *s) { "tls1_3", TLS1_3_VERSION }, #endif /* TLS1_3_VERSION */ { "no_max", 0 }, /* set this last in the list */ - { NULL, 0 }, + { NIL, 0 }, }; int i; - if (s == NULL || *s == '\0') + if (s == NIL || *s == '\0') return -1; - for (i = 0; ssl_versions[i].name != NULL; i++) + for (i = 0; ssl_versions[i].name != NIL; i++) if (strcmp(ssl_versions[i].name, s) == 0) break; if (strcmp(s, "no_max") == 0) i--; - return ssl_versions[i].name != NULL ? ssl_versions[i].version : -1; + return ssl_versions[i].name != NIL ? ssl_versions[i].version : -1; } /* Secure Sockets Layer network driver dispatch */ @@ -158,9 +153,9 @@ void ssl_onceonlyinit (void) /* if system doesn't have /dev/urandom */ if (stat ("/dev/urandom",&sbuf)) { strcpy(tmp, "SSLXXXXXX"); - fd = fopen(tmp,"a"); - fstat (fd,&sbuf); /* get information about the file */ + fd = open(tmp,"a"); close (fd); /* flush descriptor */ + fstat (fd,&sbuf); /* get information about the file */ unlink (tmp); /* don't need the file */ /* not great but it'll have to do */ sprintf (tmp + strlen (tmp),"%.80s%lx%.80s%lx%lx%lx%lx%lx", @@ -174,7 +169,7 @@ void ssl_onceonlyinit (void) mail_parameters (NIL,SET_SSLDRIVER,(void *) &ssldriver); mail_parameters (NIL,SET_SSLSTART,(void *) ssl_start); #ifdef OPENSSL_1_1_0 - OPENSSL_init_ssl(0, NULL); + OPENSSL_init_ssl(0, NIL); #else SSL_library_init (); /* add all algorithms */ #endif /* OPENSSL_1_1_0 */ @@ -253,7 +248,7 @@ int ssl_disable_mask(int ssl_version, int direction) /* ssl_connect_mthd: returns a context pointer to the connection to * a ssl server */ -const SSL_METHOD *ssl_connect_mthd(int flag, int *min, int *max) +const SSL_METHOD *ssl_connect_mthd(int flag, int *minv, int *maxv) { int client_request; client_request = (flag & NET_TRYTLS1) ? TLS1_VERSION 
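Review bot: In ssl_onceonlyinit the new ordering calls `fstat (fd,&sbuf)` after `close (fd)`, so it runs on an already-closed descriptor, fails, and leaves sbuf unset for the sprintf that presumably folds its fields into the RNG seed; the stat has to happen before the close. The replacement `open(tmp,"a")` is also wrong: open(2) takes an integer flags word, not a stdio mode string, so the call passes a char pointer where an int belongs and will most likely fail with fd = -1 (assuming fd is an int). Suggest `fd = open(tmp, O_WRONLY|O_CREAT|O_APPEND, 0600); fstat (fd,&sbuf); close (fd);` with <fcntl.h> included (0600 is a sample mode), and check fd before using it. Note that stat("/dev/urandom") fails on every Windows host, so this is the branch PC-Alpine always takes; the function continues outside the hunk.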
@@ -266,55 +261,55 @@ const SSL_METHOD *ssl_connect_mthd(int flag, int *min, int *max) #endif : 0; - *min = *(int *)mail_parameters(NULL, GET_ENCRYPTION_RANGE_MIN, NULL); - *max = *(int *)mail_parameters(NULL, GET_ENCRYPTION_RANGE_MAX, NULL); + *minv = *(int *)mail_parameters(NIL, GET_ENCRYPTION_RANGE_MIN, NIL); + *maxv = *(int *)mail_parameters(NIL, GET_ENCRYPTION_RANGE_MAX, NIL); /* * if no special request, negotiate the maximum the client is configured * to negotiate */ if (client_request == 0) - client_request = *max; + client_request = *maxv; - if (client_request < *min || client_request > *max) + if (client_request < *minv || client_request > *maxv) return NIL; /* out of range? bail out */ - /* Some Linux distributors seem to believe that it is ok to disable some of - * these methods for their users, so we have to test that every requested - * method has actually been compiled in into their openssl/libressl library. - * Oh well... - */ + /* Some Linux distributors seem to believe that it is ok to disable some of + * these methods for their users, so we have to test that every requested + * method has actually been compiled in into their openssl/libressl library. + * Oh well... 
+ */ #ifndef OPENSSL_1_1_0 if (client_request == SSL3_VERSION) #ifndef OPENSSL_NO_SSL3_METHOD - return SSLv3_client_method(); + return SSLv3_client_method(); #else - return NIL; + return NIL; #endif /* OPENSSL_NO_SSL3_METHOD */ else if (client_request == TLS1_VERSION) #ifndef OPENSSL_NO_TLS1_METHOD - return TLSv1_client_method(); + return TLSv1_client_method(); #else - return NIL; + return NIL; #endif /* OPENSSL_NO_TLS1_METHOD */ else if (client_request == TLS1_1_VERSION) #ifndef OPENSSL_NO_TLS1_1_METHOD - return TLSv1_1_client_method(); + return TLSv1_1_client_method(); #else - return NIL; + return NIL; #endif /* OPENSSL_NO_TLS1_1_METHOD */ else if (client_request == TLS1_2_VERSION) #ifndef OPENSSL_NO_TLS1_2_METHOD - return TLSv1_2_client_method(); + return TLSv1_2_client_method(); #else - return NIL; + return NIL; #endif /* OPENSSL_NO_TLS1_2_METHOD */ #ifdef TLS1_3_VERSION /* this is only reachable if TLS1_3 support exists */ else if (client_request == TLS1_3_VERSION) #ifndef OPENSSL_NO_TLS1_3_METHOD - return TLS_client_method(); + return TLS_client_method(); #else - return NIL; + return NIL; #endif /* #ifndef OPENSSL_NO_TLS1_2_METHOD */ #endif /* TLS1_3_VERSION */ #endif /* ifndef OPENSSL_1_1_0 */ @@ -389,7 +384,7 @@ static char *ssl_start_work(SSLSTREAM *stream, char *host, unsigned long flags) BIO *bio; X509 *cert; unsigned long sl, tl; - int min, max; + int minv, maxv; int masklow, maskhigh; char *s, *t, *err, tmp[MAILTMPLEN], buf[256]; sslcertificatequery_t scq = 
@@ -400,24 +395,24 @@ static char *ssl_start_work(SSLSTREAM *stream, char *host, unsigned long flags) (sslclientkey_t)mail_parameters(NIL, GET_SSLCLIENTKEY, NIL); if (ssl_last_error) fs_give((void **)&ssl_last_error); ssl_last_host = host; - if (!(stream->context = SSL_CTX_new(ssl_connect_mthd(flags, &min, &max)))) + if (!(stream->context = SSL_CTX_new(ssl_connect_mthd(flags, &minv, &maxv)))) return "SSL context failed"; SSL_CTX_set_options(stream->context, 0); - masklow = ssl_disable_mask(min, -1); - maskhigh = ssl_disable_mask(max, 1); + masklow = ssl_disable_mask(minv, -1); + maskhigh = ssl_disable_mask(maxv, 1); SSL_CTX_set_options(stream->context, masklow | maskhigh); /* disable certificate validation? */ if (flags & NET_NOVALIDATECERT) SSL_CTX_set_verify(stream->context, SSL_VERIFY_NONE, NIL); else SSL_CTX_set_verify(stream->context, SSL_VERIFY_PEER, ssl_open_verify); - /* set default paths to CAs... */ - SSL_CTX_set_default_verify_paths(stream->context); - /* ...unless a non-standard path desired */ - if ((s = (char *)mail_parameters(NIL, GET_SSLCAPATH, NIL)) != NULL) - SSL_CTX_load_verify_locations(stream->context, NIL, s); + /* a non-standard path desired */ + if ((s = (char *)mail_parameters(NIL, GET_SSLCAPATH, NIL)) != NIL) + SSL_CTX_load_verify_locations(stream->context, NIL, (const char *)s); + else /* otherwise we set default paths to CAs... */ + SSL_CTX_set_default_verify_paths(stream->context); /* want to send client certificate? */ if (scc && (s = (*scc) ()) && (sl = strlen(s))) { - if ((cert = PEM_read_bio_X509(bio = BIO_new_mem_buf(s, sl), NIL, NIL, NIL)) != NULL) { + if ((cert = PEM_read_bio_X509(bio = BIO_new_mem_buf(s, sl), NIL, NIL, NIL)) != NIL) { SSL_CTX_use_certificate(stream->context, cert); X509_free(cert); } 
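Review bot: The result of `SSL_CTX_load_verify_locations(stream->context, NIL, (const char *)s)` is ignored, and since the change makes it exclusive with SSL_CTX_set_default_verify_paths, a failure leaves the context with no trust anchors and every SSL_VERIFY_PEER connection then fails with a generic verify error that gives no hint that system-certs-path is the cause. Check the return and report it the way the context failure is reported a few lines up, e.g. `if (!SSL_CTX_load_verify_locations(stream->context, NIL, s)) return "SSL CA path failed";` (the cast to const char * is redundant), or at least skip the hard failure when NET_NOVALIDATECERT is set. The same unchecked call is in the matching hunk of imap/src/osdep/unix/ssl_unix.c. ssl_start_work continues outside the hunk.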
@@ -427,7 +422,7 @@ static char *ssl_start_work(SSLSTREAM *stream, char *host, unsigned long flags) if ((t = (sck ? (*sck) () : s)) && (tl = strlen(t))) { EVP_PKEY *key; if ((key = PEM_read_bio_PrivateKey(bio = BIO_new_mem_buf(t, tl), - NIL, NIL, "")) != NULL) { + NIL, NIL, "")) != NIL) { SSL_CTX_use_PrivateKey(stream->context, key); EVP_PKEY_free(key); } @@ -535,7 +530,7 @@ static char *ssl_validate_cert (X509 *cert,char *host) if(m == 0 || ret != NIL){ cname = X509_get_subject_name(cert); for(j = 0, ret = NIL; j < X509_NAME_entry_count(cname) && ret == NIL; j++){ - if((e = X509_NAME_get_entry(cname, j)) != NULL){ + if((e = X509_NAME_get_entry(cname, j)) != NIL){ X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf)); s = (char *) buf; } @@ -951,8 +946,8 @@ void ssl_server_init (char *server) sizeof (SSLSTREAM)); ssl_onceonlyinit (); /* make sure algorithms added */ #ifdef OPENSSL_1_1_0 - OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); - OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS|OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); + OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NIL); + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS|OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NIL); #else ERR_load_crypto_strings (); SSL_load_error_strings (); @@ -1065,7 +1060,7 @@ static RSA *ssl_genkey (SSL_CTX_TYPE *con,int export,int keylength) } #ifdef OPENSSL_1_1_0 BN_free(e); - e = NULL; + e = NIL; #endif /* OPENSSL_1_1_0 */ } return key; diff --git a/imap/src/osdep/nt/ssl_nt.c b/imap/src/osdep/nt/ssl_nt.c index 5bc04ab..7169576 100644 --- a/imap/src/osdep/nt/ssl_nt.c +++ b/imap/src/osdep/nt/ssl_nt.c @@ -23,8 +23,8 @@ * http://www.apache.org/licenses/LICENSE-2.0 * */ -//#ifdef ENABLE_WINDOWS_LIBRESSL -//#include "ssl_libressl.c" -//#else +#if !defined(ENABLE_WINDOWS_LIBRESSL) || !defined(W32BITSBUILD) #include "ssl_win.c" -//#endif /* ENABLE_WINDOWS_LIBRESSL */ +#else +#include "ssl_libressl.c" +#endif 
diff --git a/imap/src/osdep/unix/ssl_unix.c b/imap/src/osdep/unix/ssl_unix.c index 93fb1a9..5793152 100644 --- a/imap/src/osdep/unix/ssl_unix.c +++ b/imap/src/osdep/unix/ssl_unix.c @@ -75,7 +75,7 @@ typedef struct ssl_stream { /* Function prototypes */ int ssl_disable_mask(int ssl_version, int direction); -const SSL_METHOD *ssl_connect_mthd(int flag, int *min, int *max); +const SSL_METHOD *ssl_connect_mthd(int flag, int *minv, int *maxv); static SSLSTREAM *ssl_start(TCPSTREAM *tstream,char *host,unsigned long flags); static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags); static int ssl_open_verify (int ok,X509_STORE_CTX *ctx); @@ -257,7 +257,7 @@ int ssl_disable_mask(int ssl_version, int direction) /* ssl_connect_mthd: returns a context pointer to the connection to * a ssl server */ -const SSL_METHOD *ssl_connect_mthd(int flag, int *min, int *max) +const SSL_METHOD *ssl_connect_mthd(int flag, int *minv, int *maxv) { int client_request; client_request = (flag & NET_TRYTLS1) ? TLS1_VERSION @@ -270,17 +270,17 @@ const SSL_METHOD *ssl_connect_mthd(int flag, int *min, int *max) #endif : 0; - *min = *(int *) mail_parameters(NULL, GET_ENCRYPTION_RANGE_MIN, NULL); - *max = *(int *) mail_parameters(NULL, GET_ENCRYPTION_RANGE_MAX, NULL); + *minv = *(int *) mail_parameters(NULL, GET_ENCRYPTION_RANGE_MIN, NULL); + *maxv = *(int *) mail_parameters(NULL, GET_ENCRYPTION_RANGE_MAX, NULL); /* * if no special request, negotiate the maximum the client is configured * to negotiate */ if(client_request == 0) - client_request = *max; + client_request = *maxv; - if(client_request < *min || client_request > *max) + if(client_request < *minv || client_request > *maxv) return NIL; /* out of range? bail out */ /* Some Linux distributors seem to believe that it is ok to disable some of 
@@ -392,7 +392,7 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags) BIO *bio; X509 *cert; unsigned long sl,tl; - int min, max; + int minv, maxv; int masklow, maskhigh; char *s,*t,*err,tmp[MAILTMPLEN], buf[256]; sslcertificatequery_t scq = @@ -403,21 +403,21 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags) (sslclientkey_t) mail_parameters (NIL,GET_SSLCLIENTKEY,NIL); if (ssl_last_error) fs_give ((void **) &ssl_last_error); ssl_last_host = host; - if (!(stream->context = SSL_CTX_new (ssl_connect_mthd(flags, &min, &max)))) + if (!(stream->context = SSL_CTX_new (ssl_connect_mthd(flags, &minv, &maxv)))) return "SSL context failed"; SSL_CTX_set_options (stream->context,0); - masklow = ssl_disable_mask(min, -1); - maskhigh = ssl_disable_mask(max, 1); + masklow = ssl_disable_mask(minv, -1); + maskhigh = ssl_disable_mask(maxv, 1); SSL_CTX_set_options(stream->context, masklow|maskhigh); /* disable certificate validation? */ if (flags & NET_NOVALIDATECERT) SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL); else SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify); - /* set default paths to CAs... */ - SSL_CTX_set_default_verify_paths (stream->context); - /* ...unless a non-standard path desired */ + /* if a non-standard path desired */ if ((s = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL)) != NULL) SSL_CTX_load_verify_locations (stream->context,NIL,s); + else /* set default paths to CAs... */ + SSL_CTX_set_default_verify_paths (stream->context); /* want to send client certificate? */ if (scc && (s = (*scc) ()) && (sl = strlen (s))) { if ((cert = PEM_read_bio_X509 (bio = BIO_new_mem_buf (s,sl),NIL,NIL,NIL)) != NULL) { diff --git a/include/config.h.in b/include/config.h.in index 19d7b34..6a13eef 100644 --- a/include/config.h.in +++ b/include/config.h.in 
@@ -42,6 +42,9 @@ /* Default configuration value */ #undef DEFAULT_SAVE +/* Directory where system certificates are located */ +#undef DEFAULT_SSLCAPATH + /* Default configuration value */ #undef DF_AB_SORT_RULE diff --git a/include/config.wnt.h b/include/config.wnt.h index ed5de15..65f1472 100644 --- a/include/config.wnt.h +++ b/include/config.wnt.h @@ -557,10 +557,15 @@ /* Name of default certificate authority container */ #define DF_CA_CONTAINER "CAContainer" -//#else -#undef DF_ENCRYPTION_RANGE +#else #endif /* ENABLE_WINDOWS_LIBRESSL */ +#if !defined(ENABLE_WINDOWS_LIBRESSL) || !defined(W32BITSBUILD) +#undef DF_ENCRYPTION_RANGE +#else +#define DEFAULT_SSLCAPATH "C:\\libressl\\ssl\\certs" +#endif + /* Define to 1 if you can safely include both and . */ /* #define TIME_WITH_SYS_TIME */ diff --git a/pith/conf.c b/pith/conf.c index 64cd13b..d7ec5db 100644 --- a/pith/conf.c +++ b/pith/conf.c @@ -377,6 +377,10 @@ CONF_TXT_T cf_text_mailcap_path[] = "Sets the search path for the mailcap config CONF_TXT_T cf_text_mimetype_path[] = "Sets the search path for the mimetypes configuration file.\n# NOTE: colon delimited under UNIX, semi-colon delimited under DOS/Windows/OS2."; +#if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD)) +CONF_TXT_T cf_text_system_certs_path[] = "Sets the path for the system ssl certificates issued by a trusted\n# certificate authority. Note that this could be a list of paths, if the same\n# pinerc is used in different systems. Alpine always chooses the first one that\n# it finds. Value must be an absolute path."; +#endif + CONF_TXT_T cf_text_newmail_fifo_path[] = "Sets the filename for the newmail fifo (named pipe). Unix only."; CONF_TXT_T cf_text_nmw_width[] = "Sets the width for the NewMail screen."; 
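Review bot: In config.wnt.h the rewritten block leaves an empty `#else` branch directly before `#endif /* ENABLE_WINDOWS_LIBRESSL */`; drop that `#else` rather than keep a dead branch. The new default `"C:\\libressl\\ssl\\certs"` is pinned to drive C: although the commit message says the drive may differ, so an install on another drive only works once the user sets system-certs-path; a comment above the define would save the next reader a search, e.g. `/* LibreSSL's own default location; override with system-certs-path when it is installed on another drive */`.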
@@ -661,6 +665,10 @@ static struct variable variables[] = { NULL, cf_text_mailcap_path}, {"mimetype-search-path", 0, 1, 0, 1, 1, 0, 0, 0, 0, 1, 0, NULL, cf_text_mimetype_path}, +#if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD)) +{"system-certs-path", 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0, + NULL, cf_text_system_certs_path}, +#endif {"url-viewers", 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0, "URL-Viewers", cf_text_browser}, {"default-directories", 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0, @@ -746,8 +754,10 @@ static struct variable variables[] = { NULL, cf_text_disable_drivers}, {"disable-these-authenticators", 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, NULL, cf_text_disable_auths}, +#ifdef DF_ENCRYPTION_RANGE {"encryption-protocol-range", 0, 1, 0, 1, 1, 0, 0, 0, 0, 1, 0, NULL, cf_text_encryption_range}, +#endif {"remote-abook-metafile", 0, 1, 0, 1, 0, 0, 0, 0, 1, 1, 0, NULL, cf_text_remote_abook_metafile}, {"remote-abook-history", 0, 1, 0, 1, 1, 0, 0, 0, 0, 1, 0, @@ -1723,6 +1733,10 @@ init_vars(struct pine *ps, void (*cmds_f) (struct pine *, char **)) GLO_WP_INDEXHEIGHT = cpystr("24"); GLO_WP_AGGSTATE = cpystr("1"); GLO_WP_STATE = cpystr(""); +#if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD)) + GLO_SSLCAPATH = parse_list(DEFAULT_SSLCAPATH, 1, + PL_REMSURRQUOT, NULL); +#endif #ifdef DF_VAR_SPELLER GLO_SPELLER = cpystr(DF_VAR_SPELLER); #endif @@ -2337,7 +2351,9 @@ init_vars(struct pine *ps, void (*cmds_f) (struct pine *, char **)) set_current_val(&vars[V_FORCED_ABOOK_ENTRY], TRUE, TRUE); set_current_val(&vars[V_DISABLE_DRIVERS], TRUE, TRUE); set_current_val(&vars[V_DISABLE_AUTHS], TRUE, TRUE); +#ifdef DF_ENCRYPTION_RANGE set_current_val(&vars[V_ENCRYPTION_RANGE], TRUE, TRUE); +#endif set_current_val(&vars[V_VIEW_HEADERS], TRUE, TRUE); /* strip spaces and colons */ 
@@ -2364,6 +2380,9 @@ init_vars(struct pine *ps, void (*cmds_f) (struct pine *, char **)) set_current_val(&vars[V_DOWNLOAD_CMD_PREFIX], TRUE, TRUE); set_current_val(&vars[V_MAILCAP_PATH], TRUE, TRUE); set_current_val(&vars[V_MIMETYPE_PATH], TRUE, TRUE); +#if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD)) + set_current_val(&vars[V_SSLCAPATH], TRUE, TRUE); +#endif #if !defined(DOS) && !defined(OS2) && !defined(LEAVEOUTFIFO) set_current_val(&vars[V_FIFOPATH], TRUE, TRUE); #endif @@ -7048,6 +7067,22 @@ feature_gets_an_x(struct pine *ps, struct variable *var, FEATURE_S *feature, test_old_growth_bits(ps, feature->id))))); } +#if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD)) +void +set_system_certs_path(struct pine *ps) +{ + char **l; + + for (l = ps->vars[V_SSLCAPATH].current_val.l; l && *l; l++){ + if(is_absolute_path(*l) + && can_access(*l, ACCESS_EXISTS) == 0 + && can_access(*l, READ_ACCESS) == 0){ + mail_parameters(NULL, SET_SSLCAPATH, (void *) *l); + break; + } + } +} +#endif int longest_feature_comment(struct pine *ps, EditWhich ew) @@ -7837,8 +7872,10 @@ config_help(int var, int feature) return(h_config_disable_drivers); case V_DISABLE_AUTHS : return(h_config_disable_auths); +#ifdef DF_ENCRYPTION_RANGE case V_ENCRYPTION_RANGE : return(h_config_encryption_range); +#endif case V_REMOTE_ABOOK_METADATA : return(h_config_abook_metafile); case V_REPLY_STRING : @@ -7903,6 +7940,10 @@ config_help(int var, int feature) return(h_config_mailcap_path); case V_MIMETYPE_PATH : return(h_config_mimetype_path); +#if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD)) + case V_SSLCAPATH : + return(h_config_system_certs_path); +#endif #if !defined(DOS) && !defined(OS2) && !defined(LEAVEOUTFIFO) case V_FIFOPATH : return(h_config_fifopath); diff --git a/pith/conf.h b/pith/conf.h index d776933..3e7844e 100644 --- a/pith/conf.h +++ b/pith/conf.h 
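Review bot: set_system_certs_path() only ever sets SET_SSLCAPATH; when no entry of V_SSLCAPATH passes the checks it leaves whatever c-client already holds, so if fix_side_effects re-runs it after the user edits the variable (the confscroll.c hunk suggests it does) a path removed from the list keeps being used until restart. Clear the parameter first with `mail_parameters(NULL, SET_SSLCAPATH, NULL);` before the loop (the env_nt.c SET_SSLCAPATH case explicitly accepts NULL). The checks also accept any readable file, not only a directory, while SSL_CTX_load_verify_locations is later given the value as a directory, so a directory test belongs here too. The function has no header comment; suggest `/* Hand c-client the first absolute, existing, readable entry of system-certs-path as its CA directory */`.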
@@ -133,6 +133,10 @@ #define VAR_COLOR_STYLE vars[V_COLOR_STYLE].current_val.p #define GLO_COLOR_STYLE vars[V_COLOR_STYLE].global_val.p #endif +#if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD)) +#define VAR_SSLCAPATH vars[V_SSLCAPATH].current_val.l +#define GLO_SSLCAPATH vars[V_SSLCAPATH].global_val.l +#endif #define VAR_INDEX_COLOR_STYLE vars[V_INDEX_COLOR_STYLE].current_val.p #define GLO_INDEX_COLOR_STYLE vars[V_INDEX_COLOR_STYLE].global_val.p #define VAR_TITLEBAR_COLOR_STYLE vars[V_TITLEBAR_COLOR_STYLE].current_val.p @@ -263,8 +267,10 @@ #define GLO_REMOTE_ABOOK_HISTORY vars[V_REMOTE_ABOOK_HISTORY].global_val.p #define VAR_REMOTE_ABOOK_VALIDITY vars[V_REMOTE_ABOOK_VALIDITY].current_val.p #define GLO_REMOTE_ABOOK_VALIDITY vars[V_REMOTE_ABOOK_VALIDITY].global_val.p +#ifdef DF_ENCRYPTION_RANGE #define GLO_ENCRYPTION_RANGE vars[V_ENCRYPTION_RANGE].global_val.p #define VAR_ENCRYPTION_RANGE vars[V_ENCRYPTION_RANGE].current_val.p +#endif /* Elm style save is obsolete in Pine 3.81 (see saved msg name rule) */ #define VAR_ELM_STYLE_SAVE vars[V_ELM_STYLE_SAVE].current_val.p #define GLO_ELM_STYLE_SAVE vars[V_ELM_STYLE_SAVE].global_val.p @@ -914,6 +920,9 @@ char **get_supported_options(void); unsigned reset_startup_rule(MAILSTREAM *); void free_pinerc_lines(PINERC_LINE **); void panic1(char *, char *); +#if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD)) +void set_system_certs_path(struct pine *); +#endif /* mandatory to implement prototypes */ int set_input_timeout(int); diff --git a/pith/conftype.h b/pith/conftype.h index 4278dc5..0911272 100644 --- a/pith/conftype.h +++ b/pith/conftype.h @@ -125,6 +125,9 @@ typedef enum { V_PERSONAL_NAME = 0 , V_DOWNLOAD_CMD_PREFIX , V_MAILCAP_PATH , V_MIMETYPE_PATH +#if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD)) + , V_SSLCAPATH +#endif , V_BROWSER , V_HISTORY , V_MAXREMSTREAM 
@@ -171,7 +174,9 @@ typedef enum { V_PERSONAL_NAME = 0 , V_NEW_VER_QUELL , V_DISABLE_DRIVERS , V_DISABLE_AUTHS +#ifdef DF_ENCRYPTION_RANGE , V_ENCRYPTION_RANGE +#endif , V_REMOTE_ABOOK_METADATA , V_REMOTE_ABOOK_HISTORY , V_REMOTE_ABOOK_VALIDITY diff --git a/pith/pine.hlp b/pith/pine.hlp index d81bd39..2dda8a1 100644 --- a/pith/pine.hlp +++ b/pith/pine.hlp @@ -140,7 +140,7 @@ with help text for the config screen and the composer that didn't have any reasonable place to be called from. Dummy change to get revision in pine.hlp ============= h_revision ================= -Alpine Commit 395 2020-01-19 10:57:47 +Alpine Commit 396 2020-01-25 11:12:17 ============= h_news ================= @@ -173,6 +173,19 @@ Apache web server.

New in Alpine ()

+This is a development version of Alpine. These enhancements are +released after the release of version + (). Please report +any problems you find with this release. New enhancements + +
    +
  • New variable system-certs-path that allows users to indicate the location +of the directory where folders are located. In PC-Alpine this must be +C:\\libressl\\ssl\\certs. The C: drive can be replaced by the name of the drive +where the binary and DLL files are located. +
+ +

Version () addresses bugs found in previous releases and has a few additions as well. @@ -22193,6 +22206,49 @@ path can be found in this If there is more than one file name listed, list members should be delimited by a colon (:) under UNIX and a semi-colon (;) under Windows. +

+<End of help on this topic> + +====== h_config_system_certs_path ====== + + +OPTION: <!--#echo var="VAR_system-certs-path"--> + + +

OPTION:

+ +When Alpine is built to support secure connections to remote servers, a directory +must be reserved in the system to store certificates that will be used to validate +remote servers. This is normally configured at the time that Alpine is built, but +there might be circumstances under which a user might want to use a different +directory. For example, the directory might not be accessible, or has not been +updated and contains old certificates that have expired. + +

+When a user wants to override the default, this variable can be used to list +the directory where such certificates can be found. Alpine will use the first +directory in this list that exists in your system and can be accessed. This +allows for users to be able to use the same pinerc file in different systems. + +

+Example of values for this option might be: + +

+System Certs Path = /etc/ssl/certs
+                    /usr/local/ssl/certs
+                    C:\\libressl\\ssl\\certs
+
+
+

+In unix systems, the default location of the certificates for openssl can +be obtained by first executing the command + +

openssl version -d
+ +and adding "/certs" to that value. In Windows the default location +for the certificates is C:\\libressl\\ssl\\certs. This value was set by LibreSSL +developers, and this option can be used to override this default. +

<End of help on this topic>