From dba6c62a11eed30f7a4e3e625eec8ca88252ab6c Mon Sep 17 00:00:00 2001 From: Eduardo Chappa Date: Mon, 3 Feb 2020 21:15:19 -0700 Subject: * Add variable system-certs-file to indicate the location of a container of CA certificates. This complements the variable system-certs-path that gives the location the directory that containes CA certificates. --- pith/conf.c | 29 ++++++++++++++++++++++++++++- pith/conf.h | 3 +++ pith/conftype.h | 1 + pith/pine.hlp | 54 +++++++++++++++++++++++++++++++++++++++++++++++------- 4 files changed, 79 insertions(+), 8 deletions(-) (limited to 'pith') diff --git a/pith/conf.c b/pith/conf.c index 3bd564bd..f6fe4863 100644 --- a/pith/conf.c +++ b/pith/conf.c @@ -379,6 +379,8 @@ CONF_TXT_T cf_text_mimetype_path[] = "Sets the search path for the mimetypes con #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD)) CONF_TXT_T cf_text_system_certs_path[] = "Sets the path for the system ssl certificates issued by a trusted\n# certificate authority. Note that this could be a list of paths, if the same\n# pinerc is used in different systems. Alpine always chooses the first one that\n# it finds. Value must be an absolute path."; + +CONF_TXT_T cf_text_system_certs_file[] = "Sets the path for the system ssl file container of certificates issued by a\n# certificate authority. Note that this could be a list of container files,\n# if the same pinerc is used in different systems. Alpine always chooses the,\n# first one that it finds. Value must be an absolute path."; #endif CONF_TXT_T cf_text_newmail_fifo_path[] = "Sets the filename for the newmail fifo (named pipe). Unix only."; 
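Review bot: The new `cf_text_system_certs_file` string has a stray comma at a line break, `Alpine always chooses the,\n# first one that it finds.`. The `\n# ` continuations suggest this text is emitted as a comment in the user's pinerc, so the typo would be user-visible. Suggest `Alpine always chooses the\n# first one that it finds.`. The sibling `cf_text_system_certs_path` text says "issued by a trusted certificate authority", while this one drops "trusted"; keeping the two descriptions parallel would read better.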
@@ -667,7 +669,9 @@ static struct variable variables[] = { NULL, cf_text_mimetype_path}, #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD)) {"system-certs-path", 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0, - NULL, cf_text_system_certs_path}, + "System CACerts Dir", cf_text_system_certs_path}, +{"system-certs-file", 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0, + "System CACerts File", cf_text_system_certs_file}, #endif {"url-viewers", 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0, "URL-Viewers", cf_text_browser}, @@ -1737,6 +1741,10 @@ init_vars(struct pine *ps, void (*cmds_f) (struct pine *, char **)) GLO_SSLCAPATH = parse_list(DEFAULT_SSLCAPATH, 1, PL_REMSURRQUOT, NULL); #endif /* DEFAULT_SSLCAPATH */ +#ifdef DEFAULT_SSLCAFILE + GLO_SSLCAFILE = parse_list(DEFAULT_SSLCAFILE, 1, + PL_REMSURRQUOT, NULL); +#endif /* DEFAULT_SSLCAFILE */ #ifdef DF_VAR_SPELLER GLO_SPELLER = cpystr(DF_VAR_SPELLER); #endif @@ -2382,6 +2390,7 @@ init_vars(struct pine *ps, void (*cmds_f) (struct pine *, char **)) set_current_val(&vars[V_MIMETYPE_PATH], TRUE, TRUE); #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD)) set_current_val(&vars[V_SSLCAPATH], TRUE, TRUE); + set_current_val(&vars[V_SSLCAFILE], TRUE, TRUE); #endif #if !defined(DOS) && !defined(OS2) && !defined(LEAVEOUTFIFO) set_current_val(&vars[V_FIFOPATH], TRUE, TRUE); @@ -7082,6 +7091,22 @@ set_system_certs_path(struct pine *ps) } } } + + +void +set_system_certs_container(struct pine *ps) +{ + char **l; + + for (l = ps->vars[V_SSLCAPATH].current_val.l; l && *l; l++){ + if(is_absolute_path(*l) + && can_access(*l, ACCESS_EXISTS) == 0 + && can_access(*l, READ_ACCESS) == 0){ + mail_parameters(NULL, SET_SSLCAFILE, (void *) *l); + break; + } + } +} #endif int 
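Review bot: In `set_system_certs_container` the loop walks `ps->vars[V_SSLCAPATH].current_val.l`, which is the directory list, so the new `system-certs-file` value is never read and the first accessible directory is what gets passed to `mail_parameters(NULL, SET_SSLCAFILE, ...)`. The `can_access` checks only test existence and readability, which a directory also passes, so nothing here catches the mix-up. The likely effect is that the user's configured CA bundle is silently ignored when server certificates are validated. The loop header should read `for (l = ps->vars[V_SSLCAFILE].current_val.l; l && *l; l++){`. No caller of the new function is visible in this pith-only view, so it is worth confirming that it is invoked alongside `set_system_certs_path`.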
@@ -7943,6 +7968,8 @@ config_help(int var, int feature) #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD)) case V_SSLCAPATH : return(h_config_system_certs_path); + case V_SSLCAFILE : + return(h_config_system_certs_file); #endif #if !defined(DOS) && !defined(OS2) && !defined(LEAVEOUTFIFO) case V_FIFOPATH : diff --git a/pith/conf.h b/pith/conf.h index 3e7844eb..ac6f0a8f 100644 --- a/pith/conf.h +++ b/pith/conf.h @@ -136,6 +136,8 @@ #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD)) #define VAR_SSLCAPATH vars[V_SSLCAPATH].current_val.l #define GLO_SSLCAPATH vars[V_SSLCAPATH].global_val.l +#define VAR_SSLCAFILE vars[V_SSLCAFILE].current_val.l +#define GLO_SSLCAFILE vars[V_SSLCAFILE].global_val.l #endif #define VAR_INDEX_COLOR_STYLE vars[V_INDEX_COLOR_STYLE].current_val.p #define GLO_INDEX_COLOR_STYLE vars[V_INDEX_COLOR_STYLE].global_val.p @@ -922,6 +924,7 @@ void free_pinerc_lines(PINERC_LINE **); void panic1(char *, char *); #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD)) void set_system_certs_path(struct pine *); +void set_system_certs_container(struct pine *); #endif /* mandatory to implement prototypes */ diff --git a/pith/conftype.h b/pith/conftype.h index 09112724..029b81bc 100644 --- a/pith/conftype.h +++ b/pith/conftype.h @@ -127,6 +127,7 @@ typedef enum { V_PERSONAL_NAME = 0 , V_MIMETYPE_PATH #if !defined(_WINDOWS) || (defined(ENABLE_WINDOWS_LIBRESSL) && defined(W32BITSBUILD)) , V_SSLCAPATH + , V_SSLCAFILE #endif , V_BROWSER , V_HISTORY diff --git a/pith/pine.hlp b/pith/pine.hlp index fa1468ca..4f0eb38f 100644 --- a/pith/pine.hlp +++ b/pith/pine.hlp 
@@ -140,7 +140,7 @@ with help text for the config screen and the composer that didn't have any reasonable place to be called from. Dummy change to get revision in pine.hlp ============= h_revision ================= -Alpine Commit 401 2020-01-30 00:08:16 +Alpine Commit 402 2020-02-03 21:15:05 ============= h_news ================= @@ -187,6 +187,10 @@ any problems you find with this release. New enhancements this must be C:\\libressl\\ssl\\certs. The C: drive can be replaced by the name of the drive where the binary and DLL files are located. +
  • New variable system-certs-file that allows users to configure the + location of a container of certificate authoririty (CA) certificates + to be used to validate certificates of remote servers. +
  • Crash in Alpine when attempting to reply to a multipart/alternative message that is malformed, and the option to include attachments in reply is enabled. Reported and patched by Peter Tirsek. @@ -22232,7 +22236,7 @@ directory. For example, the directory might not be accessible, or has not been updated and contains old certificates that have expired.

    -When a user wants to override the default, this variable can be used to list +This variable can be used to list the directory where such certificates can be found. Alpine will use the first directory in this list that exists in your system and can be accessed. This allows for users to be able to use the same pinerc file in different systems. @@ -22241,9 +22245,45 @@ allows for users to be able to use the same pinerc file in different systems. Example of values for this option might be:

    -System Certs Path = /etc/ssl/certs
    -                    /usr/local/ssl/certs
    -                    C:\\libressl\\ssl\\certs
    +System CACerts Dir = /etc/ssl/certs
    +                     /usr/local/ssl/certs
    +                     C:\\libressl\\ssl\\certs
    +
    +
    +

    +In unix systems, the default location of the certificates for openssl can +be obtained by first executing the command + +

    openssl version -d
    + +and adding "/certs" to that value. In Windows the default location +for the certificates is C:\\libressl\\ssl\\certs. This value was set by +LibreSSL developers, and this option can be used to override this default. + +

    +<End of help on this topic> + +====== h_config_system_certs_file ====== + + +OPTION: <!--#echo var="VAR_system-certs-file"--> + + +

    OPTION:

    + +This option sets the location of the container file that holds +certificate authority (CA) certificates. +Alpine will use the first +container in this list that exists in your system and can be accessed. This +allows for users to be able to use the same pinerc file in different systems. + +

    +Example of values for this option might be: + +

    +System Certs Path = /etc/ssl/certs/cert.pem
    +                    /usr/local/ssl/ca-root-nss.crt
    +                    C:\\libressl\\ssl\\certs\\cert.pem
     
     
     

    @@ -22253,8 +22293,8 @@ be obtained by first executing the command

    openssl version -d
    and adding "/certs" to that value. In Windows the default location -for the certificates is C:\\libressl\\ssl\\certs. This value was set by LibreSSL -developers, and this option can be used to override this default. +for the certificates is C:\\libressl\\ssl\\certs\\cert.pem. This value was set +by LibreSSL developers, and this option can be used to override this default.

    <End of help on this topic> -- cgit v1.2.3-70-g09d2