From ec66afcc51369f994cf04960fc4828cb007176bd Mon Sep 17 00:00:00 2001
From: Eduardo Chappa <chappa@washington.edu>
Date: Sat, 17 Apr 2021 23:22:48 -0600
Subject:   * Add new variable ssl-ciphers to list the ciphers that will be
 used when     negotiating a secure connection with a SSL server. Work in    
 collaboration with professor Martin Trusler.

---
 alpine/confscroll.c            |  1 +
 imap/src/c-client/mail.h       |  2 ++
 imap/src/osdep/unix/env_unix.c |  8 ++++++++
 imap/src/osdep/unix/ssl_unix.c |  4 +++-
 pith/conf.c                    |  9 ++++++++-
 pith/conftype.h                |  1 +
 pith/pine.hlp                  | 31 +++++++++++++++++++++++++++++++
 7 files changed, 54 insertions(+), 2 deletions(-)

diff --git a/alpine/confscroll.c b/alpine/confscroll.c
index d127f60..50f578f 100644
--- a/alpine/confscroll.c
+++ b/alpine/confscroll.c
@@ -5784,6 +5784,7 @@ fix_side_effects(struct pine *ps, struct variable *var, int revert)
 			var == &ps->vars[V_SSLCAFILE] ||
 			var == &ps->vars[V_USERSSLCAPATH] ||
 			var == &ps->vars[V_USERSSLCAFILE] ||
+			var == &ps->vars[V_SSLCIPHERS] ||
 #endif
 		        var == &ps->vars[V_RSHPATH] ||
 		        var == &ps->vars[V_RSHCMD] ||
diff --git a/imap/src/c-client/mail.h b/imap/src/c-client/mail.h
index 9fc1c71..d40d7eb 100644
--- a/imap/src/c-client/mail.h
+++ b/imap/src/c-client/mail.h
@@ -248,6 +248,8 @@
 #define SET_ENCRYPTION_RANGE_MIN (long) 339
 #define GET_ENCRYPTION_RANGE_MAX (long) 340
 #define SET_ENCRYPTION_RANGE_MAX (long) 341
+#define GET_SSLCIPHERS	(long) 342
+#define SET_SSLCIPHERS	(long) 343
 
 	/* 4xx: network drivers */
 #define GET_MAXLOGINTRIALS (long) 400
diff --git a/imap/src/osdep/unix/env_unix.c b/imap/src/osdep/unix/env_unix.c
index afec59b..c41a5d0 100644
--- a/imap/src/osdep/unix/env_unix.c
+++ b/imap/src/osdep/unix/env_unix.c
@@ -76,6 +76,7 @@ static char *sslCApath = NIL;	/* non-standard CA path */
 static char *sslCAfile = NIL;	/* non-standard CA container */
 static char *sslAppCApath = NIL;  /* App SSL CA path */
 static char *sslAppCAfile = NIL;  /* App SSL CA container */
+static char *sslciphers = NIL;	 /* ciphers to negotiate with a SSL server */
 static short anonymous = NIL;	/* is anonymous */
 static short blackBox = NIL;	/* is a black box */
 static short closedBox = NIL;	/* is a closed box (uses chroot() jail) */
@@ -370,6 +371,13 @@ void *env_parameters (long function,void *value)
   case GET_SSLAPPCAFILE:
     ret = (void *) sslAppCAfile;
     break;
+  case SET_SSLCIPHERS:		/* this can be set null */
+    if (sslciphers) fs_give ((void **) &sslciphers);
+    sslciphers = value ? cpystr ((char *) value) : value;
+    break;
+  case GET_SSLCIPHERS:
+    ret = (void *) sslciphers;
+    break;
   case SET_LISTMAXLEVEL:
     list_max_level = (long) value;
   case GET_LISTMAXLEVEL:
diff --git a/imap/src/osdep/unix/ssl_unix.c b/imap/src/osdep/unix/ssl_unix.c
index 1f64b57..5d3ffcd 100644
--- a/imap/src/osdep/unix/ssl_unix.c
+++ b/imap/src/osdep/unix/ssl_unix.c
@@ -395,7 +395,7 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags)
   int minv, maxv;
   int masklow, maskhigh;
   char *s,*t,*err,tmp[MAILTMPLEN], buf[256];
-  char *CAfile, *CApath;
+  char *CAfile, *CApath, *ciphers;
   sslcertificatequery_t scq =
     (sslcertificatequery_t) mail_parameters (NIL,GET_SSLCERTIFICATEQUERY,NIL);
   sslclientcert_t scc =
@@ -414,6 +414,8 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags)
   if (flags & NET_NOVALIDATECERT)
     SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL);
   else SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify);
+				/* set cipher list */
+  ciphers = (char *) mail_parameters (NIL,GET_SSLCIPHERS,NIL);
 				/* if a non-standard path desired */
   CAfile = (char *) mail_parameters (NIL,GET_SSLCAFILE,NIL);
   CApath = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL);
diff --git a/pith/conf.c b/pith/conf.c
index e8904e4..8de5427 100644
--- a/pith/conf.c
+++ b/pith/conf.c
@@ -384,7 +384,9 @@ CONF_TXT_T cf_text_system_certs_file[] = "Sets the path for the system ssl file
 
 CONF_TXT_T cf_text_user_certs_path[] = "Sets the path for additional ssl certificates that the user trusts. Note\n#that this could be a list of paths, if the same\n# pinerc is used in different systems. Alpine always chooses the first one that\n# it finds. Value must be an absolute path.";
 
-CONF_TXT_T cf_text_user_certs_file[] = "Sets the path for a file that contains certificates that a user trusts.\nNote that this could be a list of container files,\n# if the same pinerc is used in different systems. Alpine always chooses the,\n# first one that it finds. Value must be an absolute path.";
+CONF_TXT_T cf_text_user_certs_file[] = "Sets the path for a file that contains certificates that a user trusts.\n#Note that this could be a list of container files,\n# if the same pinerc is used in different systems. Alpine always chooses the,\n# first one that it finds. Value must be an absolute path.";
+
+CONF_TXT_T cf_text_ciphers[] = "Colon separated list of ciphers that should be negotiated with the remote\n# ssl server upon connection.";
 #endif
 
 CONF_TXT_T cf_text_newmail_fifo_path[] = "Sets the filename for the newmail fifo (named pipe). Unix only.";
@@ -678,6 +680,8 @@ static struct variable variables[] = {
 	"User Certs Dir", cf_text_user_certs_file},
 {"user-certs-file",			0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0,
 	"User Certs File", cf_text_user_certs_file},
+{"ssl-ciphers",				0, 1, 0, 1, 1, 0, 0, 0, 0, 1, 0,
+	"SSL Ciphers", cf_text_ciphers},
 #endif
 {"url-viewers",				0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0,
 	"URL-Viewers",		cf_text_browser},
@@ -2439,6 +2443,7 @@ init_vars(struct pine *ps, void (*cmds_f) (struct pine *, char **))
     set_current_val(&vars[V_SSLCAFILE], TRUE, TRUE);
     set_current_val(&vars[V_USERSSLCAPATH], TRUE, TRUE);
     set_current_val(&vars[V_USERSSLCAFILE], TRUE, TRUE);
+    set_current_val(&vars[V_SSLCIPHERS], TRUE, TRUE);
 #endif
 #if !defined(DOS) && !defined(OS2) && !defined(LEAVEOUTFIFO)
     set_current_val(&vars[V_FIFOPATH], TRUE, TRUE);
@@ -8055,6 +8060,8 @@ config_help(int var, int feature)
 	return(h_config_user_certs_path);
       case V_USERSSLCAFILE :
 	return(h_config_user_certs_file);
+      case V_SSLCIPHERS :
+	return(h_config_ssl_ciphers);
 #endif
 #if !defined(DOS) && !defined(OS2) && !defined(LEAVEOUTFIFO)
       case V_FIFOPATH :
diff --git a/pith/conftype.h b/pith/conftype.h
index c563126..5f2dd50 100644
--- a/pith/conftype.h
+++ b/pith/conftype.h
@@ -129,6 +129,7 @@ typedef	enum {    V_PERSONAL_NAME = 0
 		, V_SSLCAFILE
 		, V_USERSSLCAPATH
 		, V_USERSSLCAFILE
+		, V_SSLCIPHERS
 #endif
 		, V_BROWSER
 		, V_HISTORY
diff --git a/pith/pine.hlp b/pith/pine.hlp
index 060a897..603c756 100644
--- a/pith/pine.hlp
+++ b/pith/pine.hlp
@@ -188,6 +188,9 @@ new additions to Alpine, please check it periodically.
 <P>
 New features include:
 <UL>
+<LI> New configuration variable <!--#echo var="VAR_ssl-ciphers"--> that allows
+users to list the ciphers that want to use when connecting to a SSL server.
+Based on a collaboration with Professor Martin Trusler.
 <LI> New hidden feature <a href="h_config_delete_before_writing"><!--#echo var="FEAT_enable-delete-before-writing"--></a>
 to add support for terminals that need lines to be deleted before being written. Based
 on a collaboration with Professor Martin Trusler.
@@ -22808,6 +22811,34 @@ User Certs File = /home/fred/.alpine-certs/certs.pem
                   C:\\libressl\\ssl\\certs\\cert.pem
 <PRE>
 
+<P>
+&lt;End of help on this topic&gt;
+</BODY></HTML>
+====== h_config_ssl_ciphers ======
+<HTML>
+<HEAD>
+<TITLE>OPTION: <!--#echo var="VAR_ssl-ciphers"--></TITLE>
+</HEAD>
+<BODY>
+<H1>OPTION: <!--#echo var="VAR_ssl-ciphers"--></H1>
+
+(UNIX ALPINE ONLY)
+This is a colon separated list of ciphers that your openssl or libressl
+library supports and will use to negotiate a secure connection with a
+remote SSL server.
+
+<P>
+The list of ciphers supported by openssl can be obtained with the command
+line command
+
+<P>
+openssl ciphers
+
+<P>
+Consult the manual page of the openssl ciphers command to see more
+way to specify groups of ciphers, such as RSA, or other groups of
+ciphers.
+
 <P>
 &lt;End of help on this topic&gt;
 </BODY></HTML>
-- 
cgit v1.2.3-54-g00ecf