From: Pierre Habouzit Date: Sun, 13 May 2007 20:35:15 +0000 (+0200) Subject: create mod_ssl. X-Git-Url: http://git.madism.org/?a=commitdiff_plain;h=4f1b1414371cc373f50ca79a888928635a3a3763;p=apps%2Fmadmutt.git create mod_ssl. Signed-off-by: Pierre Habouzit --- diff --git a/globals.h b/globals.h index c70cb29..7e59c1e 100644 --- a/globals.h +++ b/globals.h @@ -112,9 +112,6 @@ WHERE char *SmtpUseTLS; #endif WHERE char *Spoolfile; -WHERE char *SslCertFile INITVAL (NULL); -WHERE short SslDHPrimeBits; -WHERE char *SslCACertFile INITVAL (NULL); WHERE char *StChars; WHERE char *Status; WHERE char *Tochars; diff --git a/imap/imap.c b/imap/imap.c index 43c2426..a6bbfb3 100644 --- a/imap/imap.c +++ b/imap/imap.c @@ -381,16 +381,13 @@ int imap_open_connection (IMAP_DATA * idata) if (imap_check_capabilities (idata)) goto bail; /* Attempt STARTTLS if available and desired. */ - if (!idata->conn->ssf && (option(OPTSSLFORCETLS) || + if (!idata->conn->ssf && (mod_ssl.force_tls || mutt_bit_isset (idata->capabilities, STARTTLS))) { int rc; - if (option (OPTSSLFORCETLS)) + if (mod_ssl.force_tls) rc = M_YES; - else if ((rc = query_quadoption (OPT_SSLSTARTTLS, - _("Secure connection with TLS?"))) == -1) - goto err_close_conn; - if (rc == M_YES) { + else if (mod_ssl.starttls) { if ((rc = imap_exec (idata, "STARTTLS", IMAP_CMD_FAIL_OK)) == -1) goto bail; if (rc != -2) { @@ -409,7 +406,7 @@ int imap_open_connection (IMAP_DATA * idata) } } - if (option(OPTSSLFORCETLS) && ! idata->conn->ssf) { + if (mod_ssl.force_tls && ! idata->conn->ssf) { mutt_error _("Encrypted connection unavailable"); mutt_sleep (1); goto err_close_conn; diff --git a/init.h b/init.h index ddddcb8..8b4e315 100644 --- a/init.h +++ b/init.h 
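Review bot: In the first imap.c hunk, a forced-TLS connection never sends STARTTLS any more: `rc = M_YES` is now a dead assignment, because the `imap_exec (idata, "STARTTLS", IMAP_CMD_FAIL_OK)` call moved into the `else if (mod_ssl.starttls)` branch that the `mod_ssl.force_tls` case skips, whereas the removed `if (rc == M_YES)` reached it on both paths. A plaintext IMAP session with force_tls set therefore falls through to the `mod_ssl.force_tls && ! idata->conn->ssf` check in the next hunk and is closed with "Encrypted connection unavailable", so the option fails closed but is unusable. The two branches should be merged by replacing the `if (mod_ssl.force_tls)` / `rc = M_YES;` / `else if (mod_ssl.starttls) {` lines with `if (mod_ssl.force_tls || mod_ssl.starttls) {`, after which `rc` is only assigned from `imap_exec` and its declaration can move into that block. The pop_lib.c hunk in the same commit handles this correctly by setting `use_stls = 2` for force_tls. imap_open_connection starts before this hunk and continues past it.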
@@ -1753,80 +1753,6 @@ struct option_t MuttVars[] = { ** Madmutt still needs to have SSL support enabled in order to use it. */ #endif - {"ssl_force_tls", DT_BOOL, R_NONE, OPTSSLFORCETLS, "no" }, - /* - ** .pp - ** If this variable is \fIset\fP, Madmutt will require that all connections - ** to remote servers be encrypted. Furthermore it will attempt to - ** negotiate TLS even if the server does not advertise the capability, - ** since it would otherwise have to abort the connection anyway. This - ** option supersedes ``$$ssl_starttls''. - */ - {"ssl_starttls", DT_QUAD, R_NONE, OPT_SSLSTARTTLS, "yes" }, - /* - ** .pp - ** Availability: SSL or GNUTLS - ** - ** .pp - ** If \fIset\fP (the default), Madmutt will attempt to use STARTTLS on servers - ** advertising the capability. When \fIunset\fP, Madmutt will not attempt to - ** use STARTTLS regardless of the server's capabilities. - */ - {"certificate_file", DT_PATH, R_NONE, UL &SslCertFile, "~/.cache/madmutt/certificates"}, - /* - ** .pp - ** Availability: SSL or GNUTLS - ** - ** .pp - ** This variable specifies the file where the certificates you trust - ** are saved. When an unknown certificate is encountered, you are asked - ** if you accept it or not. If you accept it, the certificate can also - ** be saved in this file and further connections are automatically - ** accepted. - ** .pp - ** You can also manually add CA certificates in this file. Any server - ** certificate that is signed with one of these CA certificates are - ** also automatically accepted. - ** .pp - ** Example: \fTset certificate_file=~/.madmutt/certificates\fP - */ - {"ssl_use_sslv3", DT_BOOL, R_NONE, OPTSSLV3, "yes" }, - /* - ** .pp - ** Availability: SSL or GNUTLS - ** - ** .pp - ** This variables specifies whether to attempt to use SSLv3 in the - ** SSL authentication process. 
- */ - {"ssl_use_tlsv1", DT_BOOL, R_NONE, OPTTLSV1, "yes" }, - /* - ** .pp - ** Availability: SSL or GNUTLS - ** - ** .pp - ** This variables specifies whether to attempt to use TLSv1 in the - ** SSL authentication process. - */ - {"ssl_min_dh_prime_bits", DT_NUM, R_NONE, UL &SslDHPrimeBits, "0" }, - /* - ** .pp - ** Availability: GNUTLS - ** - ** .pp - ** This variable specifies the minimum acceptable prime size (in bits) - ** for use in any Diffie-Hellman key exchange. A value of 0 will use - ** the default from the GNUTLS library. - */ - {"ssl_ca_certificates_file", DT_PATH, R_NONE, UL &SslCACertFile, "" }, - /* - ** .pp - ** This variable specifies a file containing trusted CA certificates. - ** Any server certificate that is signed with one of these CA - ** certificates are also automatically accepted. - ** .pp - ** Example: \fTset ssl_ca_certificates_file=/etc/ssl/certs/ca-certificates.crt\fP - */ {"pipe_split", DT_BOOL, R_NONE, OPTPIPESPLIT, "no" }, /* ** .pp diff --git a/lib-lua/lua-token.sh b/lib-lua/lua-token.sh index 17001f1..d744d73 100644 --- a/lib-lua/lua-token.sh +++ b/lib-lua/lua-token.sh @@ -118,6 +118,8 @@ exit 0 ## beep ## beep_new ## bindir +## ca_certificates_file +## cert_file ## charset ## docdir ## dotlock @@ -126,6 +128,7 @@ exit 0 ## editor ## envelope_from_address ## file_charset +## force_tls ## from ## gecos_mask ## hcache_backend @@ -134,6 +137,7 @@ exit 0 ## mailcap_path ## mailcap_sanitize ## mail_check +## min_dh_prime_bits ## no ## operating_system ## quit @@ -145,11 +149,14 @@ exit 0 ## shorthost ## signature ## spam_separator +## starttls ## sysconfdir ## tmpdir ## use_8bitmime ## use_domain ## use_envelope_from ## username +## use_sslv3 +## use_tlsv1 ## version ## yes diff --git a/lib-lua/runtime.c b/lib-lua/runtime.c index f0e9093..2214e9b 100644 --- a/lib-lua/runtime.c +++ b/lib-lua/runtime.c @@ -24,6 +24,7 @@ #include "../mutt.h" #include "../charset.h" #include "../buffy.h" +#include static lua_State *L; 
@@ -44,6 +45,7 @@ void luaM_initialize(void) {"MCharset", luaopen_MCharset}, {"Mime", luaopen_Mime}, {"Buffy", luaopen_Buffy}, + {"mod_ssl", luaopen_mod_ssl}, }; int i; diff --git a/lib-sys/mutt_ssl.cpkg b/lib-sys/mutt_ssl.cpkg index d266358..1b9e5d1 100644 --- a/lib-sys/mutt_ssl.cpkg +++ b/lib-sys/mutt_ssl.cpkg 
@@ -22,6 +22,73 @@ #include "mutt.h" #include "mutt_socket.h" +@import "../lib-lua/base.cpkg" + +@package mod_ssl { + bool force_tls = 0; + /* + ** .pp + ** If this variable is \fIset\fP, Madmutt will require that all connections + ** to remote servers be encrypted. Furthermore it will attempt to + ** negotiate TLS even if the server does not advertise the capability, + ** since it would otherwise have to abort the connection anyway. This + ** option supersedes ``$$ssl_starttls''. + */ + bool starttls = 1; + /* + ** .pp + ** If \fIset\fP (the default), Madmutt will attempt to use STARTTLS on servers + ** advertising the capability. When \fIunset\fP, Madmutt will not attempt to + ** use STARTTLS regardless of the server's capabilities. + */ + bool use_sslv3 = 1; + /* + ** .pp + ** This variables specifies whether to attempt to use SSLv3 in the + ** SSL authentication process. + */ + bool use_tlsv1 = 1; + /* + ** .pp + ** This variables specifies whether to attempt to use TLSv1 in the + ** SSL authentication process. + */ + + int min_dh_prime_bits = 0; + /* + ** .pp + ** This variable specifies the minimum acceptable prime size (in bits) + ** for use in any Diffie-Hellman key exchange. A value of 0 will use + ** the default from the GNUTLS library. + */ + + path_t cert_file = m_strdup("~/.cache/madmutt/certificates"); + /* + ** .pp + ** This variable specifies the file where the certificates you trust + ** are saved. When an unknown certificate is encountered, you are asked + ** if you accept it or not. If you accept it, the certificate can also + ** be saved in this file and further connections are automatically + ** accepted. + ** .pp + ** You can also manually add CA certificates in this file. Any server + ** certificate that is signed with one of these CA certificates are + ** also automatically accepted. 
+ ** .pp + ** Example: \fTset certificate_file=~/.madmutt/certificates\fP + */ + + path_t ca_certificates_file = NULL; + /* + ** .pp + ** This variable specifies a file containing trusted CA certificates. + ** Any server certificate that is signed with one of these CA + ** certificates are also automatically accepted. + ** .pp + ** Example: \fTset ssl_ca_certificates_file=/etc/ssl/certs/ca-certificates.crt\fP + */ +}; + typedef struct _tlssockdata { gnutls_session state; gnutls_certificate_credentials xcred; @@ -159,12 +226,13 @@ static int tls_negotiate (CONNECTION * conn) return -1; } - gnutls_certificate_set_x509_trust_file (data->xcred, SslCertFile, + gnutls_certificate_set_x509_trust_file (data->xcred, mod_ssl.cert_file, GNUTLS_X509_FMT_PEM); /* ignore errors, maybe file doesn't exist yet */ - if (SslCACertFile) { - gnutls_certificate_set_x509_trust_file (data->xcred, SslCACertFile, + if (mod_ssl.ca_certificates_file) { + gnutls_certificate_set_x509_trust_file (data->xcred, + mod_ssl.ca_certificates_file, GNUTLS_X509_FMT_PEM); } @@ -179,15 +247,15 @@ static int tls_negotiate (CONNECTION * conn) gnutls_transport_set_ptr (data->state, (gnutls_transport_ptr)(intptr_t)conn->fd); /* disable TLS/SSL protocols as needed */ - if (!option (OPTTLSV1) && !option (OPTSSLV3)) { + if (!mod_ssl.use_tlsv1 && !mod_ssl.use_sslv3) { mutt_error (_("All available protocols for TLS/SSL connection disabled")); goto fail; } - else if (!option (OPTTLSV1)) { + else if (!mod_ssl.use_tlsv1) { protocol_priority[0] = GNUTLS_SSL3; protocol_priority[1] = 0; } - else if (!option (OPTSSLV3)) { + else if (!mod_ssl.use_sslv3) { protocol_priority[0] = GNUTLS_TLS1; protocol_priority[1] = 0; } 
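Review bot: The option documentation carried into `@package mod_ssl` still refers to the names this commit deletes from init.h: the force_tls text says it "supersedes ``$$ssl_starttls''", and the examples read `set certificate_file=~/.madmutt/certificates` and `set ssl_ca_certificates_file=/etc/ssl/certs/ca-certificates.crt`, none of which exist after this change. The tokens registered in lua-token.sh are `starttls`, `cert_file` and `ca_certificates_file` under mod_ssl, so the references should use those (presumably `mod_ssl.starttls`, `mod_ssl.cert_file`, `mod_ssl.ca_certificates_file`; the exact form the cpkg doc generator expects is not visible here). The use_sslv3 and use_tlsv1 comments also both read "This variables specifies", which should be "This variable specifies".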
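Review bot: In the tls_negotiate hunk the return value of `gnutls_certificate_set_x509_trust_file` for `mod_ssl.ca_certificates_file` is discarded, so a misspelt or unreadable CA bundle that the user explicitly configured silently leaves those CAs out of the trust store. The `/* ignore errors, maybe file doesn't exist yet */` rationale is sound for `cert_file`, which this file appends to on "accept always", but a configured CA path is expected to exist. Inside the existing `if (mod_ssl.ca_certificates_file)` block I would write `if (gnutls_certificate_set_x509_trust_file (data->xcred, mod_ssl.ca_certificates_file, GNUTLS_X509_FMT_PEM) < 0)` followed by `mutt_error (_("Could not load CA certificates file"));` (the path can be included if mutt_error is printf-style here, which this hunk does not show). tls_negotiate starts before this hunk and continues past it.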
@@ -201,8 +269,8 @@ static int tls_negotiate (CONNECTION * conn) gnutls_set_default_priority (data->state); gnutls_protocol_set_priority (data->state, protocol_priority); - if (SslDHPrimeBits > 0) { - gnutls_dh_set_prime_bits (data->state, SslDHPrimeBits); + if (mod_ssl.min_dh_prime_bits > 0) { + gnutls_dh_set_prime_bits(data->state, mod_ssl.min_dh_prime_bits); } /* @@ -293,7 +361,7 @@ static int tls_compare_certificates (const gnutls_datum * peercert) unsigned char *b64_data_data; struct stat filestat; - if (stat (SslCertFile, &filestat) == -1) + if (stat(mod_ssl.cert_file, &filestat) == -1) return 0; b64_data.size = filestat.st_size + 1; @@ -301,7 +369,7 @@ static int tls_compare_certificates (const gnutls_datum * peercert) b64_data_data[b64_data.size - 1] = '\0'; b64_data.data = b64_data_data; - fd1 = fopen (SslCertFile, "r"); + fd1 = fopen(mod_ssl.cert_file, "r"); if (fd1 == NULL) { return 0; } @@ -388,7 +456,7 @@ static int tls_check_stored_hostname (const gnutls_datum * cert, regmatch_t pmatch[3]; /* try checking against names stored in stored certs file */ - if ((fp = fopen (SslCertFile, "r"))) { + if ((fp = fopen(mod_ssl.cert_file, "r"))) { if (regcomp (&preg, "^#H ([a-zA-Z0-9_\\.-]+) ([0-9A-F]{4}( [0-9A-F]{4}){7})[ \t]*$", @@ -713,7 +781,7 @@ static int tls_check_certificate (CONNECTION * conn) menu->title = _("TLS/SSL Certificate check"); /* certificates with bad dates, or that are revoked, must be accepted manually each and every time */ - if (SslCertFile && !certerr_expired && !certerr_notyetvalid + if (mod_ssl.cert_file && !certerr_expired && !certerr_notyetvalid && !certerr_revoked) { menu->prompt = _("(r)eject, accept (o)nce, (a)ccept always"); menu->keys = _("roa"); 
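Review bot: In the tls_compare_certificates hunk, `stat(mod_ssl.cert_file, &filestat)` is called with no NULL guard, while the tls_check_certificate hunk further down tests `mod_ssl.cert_file &&` before using it, so the two sites disagree on whether the field can be unset. The `fopen(mod_ssl.cert_file, "r")` calls in the following two hunks have the same gap, and passing NULL to stat or fopen is undefined behaviour; whether the Lua binding actually allows cert_file to be cleared is not visible in this diff, but the existing guard suggests the author expects it. The cheap fix is `if (!mod_ssl.cert_file || stat(mod_ssl.cert_file, &filestat) == -1)` / `return 0;` here, and `if (mod_ssl.cert_file && (fp = fopen(mod_ssl.cert_file, "r")))` in tls_check_stored_hostname. Both functions start before and end after their hunks.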
@@ -741,7 +809,7 @@ static int tls_check_certificate (CONNECTION * conn) break; case OP_MAX + 3: /* accept always */ done = 0; - if ((fp = fopen (SslCertFile, "a"))) { + if ((fp = fopen(mod_ssl.cert_file, "a"))) { /* save hostname if necessary */ if (certerr_hostname) { fprintf (fp, "#H %s %s\n", conn->account.host, fpbuf); @@ -779,3 +847,5 @@ static int tls_check_certificate (CONNECTION * conn) gnutls_x509_crt_deinit (cert); return (done == 2); } + +/* vim:set ft=c: */ diff --git a/mutt.h b/mutt.h index 5b790d0..86d6d55 100644 --- a/mutt.h +++ b/mutt.h @@ -169,7 +169,6 @@ enum { OPT_PRINT, OPT_REPLYTO, OPT_RECALL, - OPT_SSLSTARTTLS, OPT_SUBJECT, OPT_VERIFYSIG, /* verify PGP signatures */ OPT_LISTREPLY, @@ -250,9 +249,6 @@ enum { OPTIMAPPASSIVE, OPTIMAPPEEK, OPTIMAPSERVERNOISE, - OPTSSLV3, - OPTTLSV1, - OPTSSLFORCETLS, OPTIMPLICITAUTOVIEW, OPTINCLUDEONLYFIRST, OPTKEEPFLAGGED, diff --git a/pop/pop_lib.c b/pop/pop_lib.c index f6587ef..693259d 100644 --- a/pop/pop_lib.c +++ b/pop/pop_lib.c @@ -244,16 +244,12 @@ pop_query_status pop_open_connection (POP_DATA * pop_data) } /* Attempt STLS if available and desired. */ - if (!pop_data->conn->ssf && (pop_data->cmd_stls || option(OPTSSLFORCETLS))) { - if (option (OPTSSLFORCETLS)) + if (!pop_data->conn->ssf && (pop_data->cmd_stls || mod_ssl.force_tls)) { + if (mod_ssl.force_tls) pop_data->use_stls = 2; if (pop_data->use_stls == 0) { - ret = query_quadoption (OPT_SSLSTARTTLS, - _("Secure connection with TLS?")); - if (ret == -1) - return PQ_ERR; pop_data->use_stls = 1; - if (ret == M_YES) + if (mod_ssl.starttls) pop_data->use_stls = 2; } if (pop_data->use_stls == 2) { @@ -284,7 +280,7 @@ pop_query_status pop_open_connection (POP_DATA * pop_data) } } - if (option(OPTSSLFORCETLS) && !pop_data->conn->ssf) { + if (mod_ssl.force_tls && !pop_data->conn->ssf) { mutt_error _("Encrypted connection unavailable"); mutt_sleep (1); return -2;