From dba6c62a11eed30f7a4e3e625eec8ca88252ab6c Mon Sep 17 00:00:00 2001 From: Eduardo Chappa Date: Mon, 3 Feb 2020 21:15:19 -0700 Subject: * Add variable system-certs-file to indicate the location of a container of CA certificates. This complements the variable system-certs-path that gives the location the directory that containes CA certificates. --- imap/src/osdep/nt/env_nt.c | 9 +++++++++ imap/src/osdep/nt/ssl_libressl.c | 9 ++++++--- imap/src/osdep/unix/env_unix.c | 11 +++++++++++ imap/src/osdep/unix/ssl_unix.c | 7 +++++-- 4 files changed, 31 insertions(+), 5 deletions(-) (limited to 'imap/src/osdep') diff --git a/imap/src/osdep/nt/env_nt.c b/imap/src/osdep/nt/env_nt.c index da84b10c..8fc72f0c 100644 --- a/imap/src/osdep/nt/env_nt.c +++ b/imap/src/osdep/nt/env_nt.c @@ -44,6 +44,7 @@ static unsigned int rndm = 0; /* initial `random' number */ static int server_nli = 0; /* server and not logged in */ static int logtry = 3; /* number of login tries */ static char *sslCApath = NIL; /* non-standard CA path */ +static char *sslCAfile = NIL; /* non-standard CA container */ /* block notification */ static blocknotify_t mailblocknotify = mm_blocknotify; /* callback to get username */ @@ -135,6 +136,13 @@ void *env_parameters (long function,void *value) case GET_SSLCAPATH: ret = (void *) sslCApath; break; + case SET_SSLCAFILE: /* this can be set null */ + if (sslCAfile) fs_give ((void **) &sslCAfile); + sslCAfile = value ? cpystr ((char *) value) : value; + break; + case GET_SSLCAFILE: + ret = (void *) sslCAfile; + break; } return ret; } @@ -786,4 +794,5 @@ void env_end(void) if(myNewsrc) fs_give((void **) &myNewsrc); if(sysInbox) fs_give((void **) &sysInbox); if(sslCApath) fs_give((void **) &sslCApath); + if(sslCAfile) fs_give((void **) &sslCAfile); } diff --git a/imap/src/osdep/nt/ssl_libressl.c b/imap/src/osdep/nt/ssl_libressl.c index 366fae01..5270a9f8 100644 --- a/imap/src/osdep/nt/ssl_libressl.c +++ b/imap/src/osdep/nt/ssl_libressl.c @@ -387,6 +387,7 @@ static char *ssl_start_work(SSLSTREAM *stream, char *host, unsigned long flags) int minv, maxv; int masklow, maskhigh; char *s, *t, *err, tmp[MAILTMPLEN], buf[256]; + char *CAfile, *CApath; sslcertificatequery_t scq = (sslcertificatequery_t)mail_parameters(NIL, GET_SSLCERTIFICATEQUERY, NIL); sslclientcert_t scc = @@ -406,10 +407,12 @@ static char *ssl_start_work(SSLSTREAM *stream, char *host, unsigned long flags) SSL_CTX_set_verify(stream->context, SSL_VERIFY_NONE, NIL); else SSL_CTX_set_verify(stream->context, SSL_VERIFY_PEER, ssl_open_verify); /* a non-standard path desired */ - if ((s = (char *)mail_parameters(NIL, GET_SSLCAPATH, NIL)) != NIL) - SSL_CTX_load_verify_locations(stream->context, NIL, (const char *)s); + CAfile = (char *) mail_parameters (NIL, GET_SSLCAFILE, NIL); + CApath = (char *) mail_parameters (NIL, GET_SSLCAPATH, NIL); + if (CAfile != NIL || CApath != NIL) + SSL_CTX_load_verify_locations (stream->context, CAfile, CApath); else /* otherwise we set default paths to CAs... */ - SSL_CTX_set_default_verify_paths(stream->context); + SSL_CTX_set_default_verify_paths(stream->context); /* want to send client certificate? */ if (scc && (s = (*scc) ()) && (sl = strlen(s))) { if ((cert = PEM_read_bio_X509(bio = BIO_new_mem_buf(s, sl), NIL, NIL, NIL)) != NIL) { diff --git a/imap/src/osdep/unix/env_unix.c b/imap/src/osdep/unix/env_unix.c index 322ab61a..fe1b91d4 100644 --- a/imap/src/osdep/unix/env_unix.c +++ b/imap/src/osdep/unix/env_unix.c @@ -73,6 +73,7 @@ static char *blackBoxDir = NIL; /* black box directory name */ /* black box default home directory */ static char *blackBoxDefaultHome = NIL; static char *sslCApath = NIL; /* non-standard CA path */ +static char *sslCAfile = NIL; /* non-standard CA container */ static short anonymous = NIL; /* is anonymous */ static short blackBox = NIL; /* is a black box */ static short closedBox = NIL; /* is a closed box (uses chroot() jail) */ @@ -346,6 +347,13 @@ void *env_parameters (long function,void *value) case GET_SSLCAPATH: ret = (void *) sslCApath; break; + case SET_SSLCAFILE: /* this can be set null */ + if (sslCAfile) fs_give ((void **) &sslCAfile); + sslCAfile = value ? cpystr ((char *) value) : value; + break; + case GET_SSLCAFILE: + ret = (void *) sslCAfile; + break; case SET_LISTMAXLEVEL: list_max_level = (long) value; case GET_LISTMAXLEVEL: @@ -1766,6 +1774,8 @@ void dorc (char *file,long flag) */ else if (!compare_cstring (s,"set CA-certificate-path")) sslCApath = cpystr (k); + else if (!compare_cstring (s,"set CA-certificate-container")) + sslCAfile = cpystr (k); else if (!compare_cstring (s,"set disable-plaintext")) disablePlaintext = atoi (k); else if (!compare_cstring (s,"set allowed-login-attempts")) @@ -1872,6 +1882,7 @@ void env_end(void) if(blackBoxDefaultHome) fs_give((void **)&blackBoxDefaultHome); if(sslCApath) fs_give((void **)&sslCApath); + if(sslCAfile) fs_give((void **)&sslCAfile); if(userFlags){ int i; for(i = 0; i < NUSERFLAGS; i++) diff --git a/imap/src/osdep/unix/ssl_unix.c b/imap/src/osdep/unix/ssl_unix.c index 57931525..4ebe1ae7 100644 --- a/imap/src/osdep/unix/ssl_unix.c +++ b/imap/src/osdep/unix/ssl_unix.c @@ -395,6 +395,7 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags) int minv, maxv; int masklow, maskhigh; char *s,*t,*err,tmp[MAILTMPLEN], buf[256]; + char *CAfile, *CApath; sslcertificatequery_t scq = (sslcertificatequery_t) mail_parameters (NIL,GET_SSLCERTIFICATEQUERY,NIL); sslclientcert_t scc = @@ -414,8 +415,10 @@ static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags) SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL); else SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify); /* if a non-standard path desired */ - if ((s = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL)) != NULL) - SSL_CTX_load_verify_locations (stream->context,NIL,s); + CAfile = (char *) mail_parameters (NIL,GET_SSLCAFILE,NIL); + CApath = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL); + if (CAfile != NIL || CApath != NIL) + SSL_CTX_load_verify_locations (stream->context, CAfile, CApath); else /* set default paths to CAs... */ SSL_CTX_set_default_verify_paths (stream->context); /* want to send client certificate? */ -- cgit v1.2.3-54-g00ecf