From 8fac066483c9ae3176984527c037190fca9dc7f0 Mon Sep 17 00:00:00 2001
From: Pierre Habouzit
Date: Sat, 12 May 2007 12:46:37 +0200
Subject: [PATCH] drop openssl support as well, only use GNUTLS.

Signed-off-by: Pierre Habouzit
---
 configure.ac | 38 +--
 doconfig.sh | 2 +-
 globals.h | 11 -
 imap/imap.c | 7 -
 imap/util.c | 1 -
 init.c | 3 +-
 init.h | 51 ---
 lib-sys/Makefile.am | 6 +-
 lib-sys/mutt_socket.c | 13 +-
 lib-sys/mutt_socket.h | 3 +
 lib-sys/mutt_ssl.c | 674 --------------------------------------
 lib-sys/mutt_ssl.h | 22 --
 lib-sys/mutt_ssl_gnutls.c | 5 -
 main.c | 24 --
 mutt.h | 11 -
 pop/pop_lib.c | 7 -
 send_smtp.c | 10 +-
 send_smtp.h | 2 -
 18 files changed, 17 insertions(+), 873 deletions(-)
 delete mode 100644 lib-sys/mutt_ssl.c
 delete mode 100644 lib-sys/mutt_ssl.h

diff --git a/configure.ac b/configure.ac
index 8fd5613..2dc8f14 100644
--- a/configure.ac
+++ b/configure.ac
@@ -332,43 +332,11 @@ AC_CHECK_FUNCS(getaddrinfo)
 dnl -- imap dependencies --
-AC_ARG_WITH(ssl, AC_HELP_STRING([--with-ssl[=PFX]], [Compile in SSL support for POP/IMAP]),
-[ if test "$with_ssl" != "no"; then
- if test "$with_ssl" != "yes"; then
- LDFLAGS="$LDFLAGS -L$withval/lib"
- CPPFLAGS="$CPPFLAGS -I$withval/include"
- fi
- saved_LIBS="$LIBS"
-
- AC_CHECK_LIB(crypto, X509_new,, AC_MSG_ERROR([Unable to find SSL library]))
- AC_CHECK_LIB(ssl, SSL_new,, AC_MSG_ERROR([Unable to find SSL library]), -lcrypto)
-
- AC_CHECK_FUNCS(RAND_status RAND_egd)
-
- AC_DEFINE(USE_SSL,1,[ Define if you want support for SSL. ])
- LIBS="$saved_LIBS"
- MUTTLIBS="$MUTTLIBS -lssl -lcrypto"
- need_ssl=yes
- fi
+AM_PATH_LIBGNUTLS(,[
+ CPPFLAGS="$CPPFLAGS $LIBGNUTLS_CFLAGS"
+ MUTTLIBS="$MUTTLIBS $LIBGNUTLS_LIBS"],[AC_MSG_ERROR([could not find libgnutls])
 ])
-AC_ARG_WITH([gnutls], AC_HELP_STRING([--with-gnutls], [Enable SSL support using gnutls]),
- [gnutls_prefix="$withval"], [gnutls_prefix="no"])
-if test "$gnutls_prefix" != "no"; then
- if test x"$need_ssl" = x"yes"; then
- AC_MSG_ERROR([Only either OpenSSL or GNUTLS may be used])
- fi
- AM_PATH_LIBGNUTLS(,[
- CPPFLAGS="$CPPFLAGS $LIBGNUTLS_CFLAGS"
- MUTTLIBS="$MUTTLIBS $LIBGNUTLS_LIBS"
- AC_DEFINE(USE_GNUTLS, 1, [Define if you want support for SSL via the gnutls library.])
- need_ssl=yes],
- [AC_MSG_ERROR([could not find libgnutls])
- ])
-fi
-AM_CONDITIONAL(USE_SSL, test x$need_ssl = xyes)
-AC_SUBST(MUTT_SSL_OBJECTS)
-
 AC_CHECK_LIB(sasl2, sasl_client_init,,AC_MSG_ERROR([could not find libsasl2]))
 MUTTLIBS="$MUTTLIBS -lsasl2"
diff --git a/doconfig.sh b/doconfig.sh
index 8818647..eca9583 100755
--- a/doconfig.sh
+++ b/doconfig.sh
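Review bot: `AM_PATH_LIBGNUTLS(,[...])` now hard-requires GnuTLS but still leaves the first (minimum-version) argument empty, so any installed GnuTLS release is accepted even though mutt_ssl_gnutls.c is now compiled unconditionally; if that code depends on APIs newer than the oldest release you intend to support, pass that version as the first argument so configure fails early instead of the build. With `AC_ARG_WITH(ssl, ...)` and `AC_ARG_WITH([gnutls], ...)` gone, an existing `--with-ssl` or `--with-gnutls` invocation only produces autoconf's "unrecognized options" warning; a one-line `AC_MSG_WARN` saying TLS is now always built with GnuTLS would make the migration explicit (doconfig.sh already drops `--with-gnutls`). The `HAVE_GNUTLS_OPENSSL_H` macro that send_smtp.c continues to rely on is not checked in this hunk — presumably it comes from an `AC_CHECK_HEADERS` elsewhere in configure.ac that is not visible here.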
@@ -1,5 +1,5 @@
 ./autogen.sh
 ./configure -C --prefix=/usr --sysconfdir=/etc --mandir=/usr/share/man \
 --with-sharedir=/usr/share/mutt-ng --with-docdir=/usr/share/doc/mutt-ng \
- --with-mailpath=/var/mail --enable-fcntl --with-idn --with-curses --enable-nntp --with-gnutls \
+ --with-mailpath=/var/mail --enable-fcntl --with-idn --with-curses --enable-nntp \
 --with-libesmtp --enable-gpgme --enable-hcache --enable-doc
diff --git a/globals.h b/globals.h
index 62f84a3..97f792c 100644
--- a/globals.h
+++ b/globals.h
@@ -112,20 +112,9 @@ WHERE char *SmtpUseTLS;
 #endif
 WHERE char *Spoolfile;
-#if defined(USE_SSL) || defined(USE_GNUTLS)
 WHERE char *SslCertFile INITVAL (NULL);
-#endif
-#if defined(USE_SSL)
-WHERE char *SslEntropyFile INITVAL (NULL);
-#endif
-#ifdef USE_SSL
-WHERE char *SslClientCert INITVAL (NULL);
-WHERE string_list_t *SslSessionCerts INITVAL (NULL);
-#endif
-#ifdef USE_GNUTLS
 WHERE short SslDHPrimeBits;
 WHERE char *SslCACertFile INITVAL (NULL);
-#endif
 WHERE char *StChars;
 WHERE char *Status;
 WHERE char *Tochars;
diff --git a/imap/imap.c b/imap/imap.c
index 6a84d94..43c2426 100644
--- a/imap/imap.c
+++ b/imap/imap.c
@@ -21,9 +21,6 @@
 #include "browser.h"
 #include "message.h"
 #include "imap_private.h"
-#if defined(USE_SSL) || defined(USE_GNUTLS)
-# include
-#endif
 #include "buffy.h"
 /* imap forward declarations */
@@ -383,7 +380,6 @@ int imap_open_connection (IMAP_DATA * idata)
 /* TODO: Parse new tagged CAPABILITY data (* OK [CAPABILITY...]) */
 if (imap_check_capabilities (idata))
 goto bail;
-#if defined(USE_SSL) || defined(USE_GNUTLS)
 /* Attempt STARTTLS if available and desired. */
 if (!idata->conn->ssf && (option(OPTSSLFORCETLS) || mutt_bit_isset (idata->capabilities, STARTTLS))) {
@@ -398,9 +394,7 @@ int imap_open_connection (IMAP_DATA * idata)
 if ((rc = imap_exec (idata, "STARTTLS", IMAP_CMD_FAIL_OK)) == -1)
 goto bail;
 if (rc != -2) {
-#if defined (USE_SSL) || defined (USE_GNUTLS)
 if (mutt_ssl_starttls (idata->conn))
-#endif
 {
 mutt_error (_("Could not negotiate TLS connection"));
 mutt_sleep (1);
@@ -420,7 +414,6 @@ int imap_open_connection (IMAP_DATA * idata)
 mutt_sleep (1);
 goto err_close_conn;
 }
-#endif
 }
 else if (ascii_strncasecmp ("* PREAUTH", idata->cmd.buf, 9) == 0) {
 idata->state = IMAP_AUTHENTICATED;
diff --git a/imap/util.c b/imap/util.c
index ba05df1..d48101b 100644
--- a/imap/util.c
+++ b/imap/util.c
@@ -18,7 +18,6 @@
 #include "mutt.h"
 #include "imap_private.h"
-#include
 /* -- public functions -- */
diff --git a/init.c b/init.c
index 2270910..b0f4ac3 100644
--- a/init.c
+++ b/init.c
@@ -14,7 +14,6 @@
 #include
 #include
-#include
 #include
 #include
 #include
@@ -83,7 +82,7 @@ static struct {
 int (*check) (const char* option, unsigned long val, char* errbuf, ssize_t errlen);
 } SpecialVars[] = {
-#if defined (USE_LIBESMTP) && (defined (USE_SSL) || defined (USE_GNUTLS))
+#ifdef USE_LIBESMTP
 { "smtp_use_tls", send_smtp_check_usetls },
 #endif
 { "history", check_history },
diff --git a/init.h b/init.h
index f47af03..d468e64 100644
--- a/init.h
+++ b/init.h
@@ -72,18 +72,12 @@ struct option_t {
 /* build complete documentation */
 #ifdef _MAKEDOC
-# ifndef USE_SSL
-# define USE_SSL
-# endif
 # ifndef USE_LIBESMTP
 # define USE_LIBESMTP
 # endif
 # ifndef USE_NNTP
 # define USE_NNTP
 # endif
-# ifndef USE_GNUTLS
-# define USE_GNUTLS
-# endif
 # ifndef USE_HCACHE
 # define USE_HCACHE
 # endif
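Review bot: With the `#endif` removed, the hunk leaves `if (mutt_ssl_starttls (idata->conn))` followed by `{` on a line of its own, a leftover of the old conditional layout that no longer matches the brace style of the surrounding code (`if (rc != -2) {` two lines above). Fold it to `if (mutt_ssl_starttls (idata->conn)) {` and drop the separate brace line. The enclosing imap_open_connection starts and ends outside this hunk; pop_open_connection in pop/pop_lib.c carries the same `else if (mutt_ssl_starttls (...))` / `{` leftover and could be tidied in the same commit.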
@@ -1781,18 +1775,6 @@ struct option_t MuttVars[] = {
 ** Madmutt still needs to have SSL support enabled in order to use it.
 */
 #endif
-#if defined(USE_SSL) || defined(USE_GNUTLS)
-#ifdef USE_SSL
- {"ssl_client_cert", DT_PATH, R_NONE, UL &SslClientCert, "" },
- /*
- ** .pp
- ** Availability: SSL
- **
- ** .pp
- ** The file containing a client certificate and its associated private
- ** key.
- */
-#endif /* USE_SSL */
 {"ssl_force_tls", DT_BOOL, R_NONE, OPTSSLFORCETLS, "no" },
 /*
 ** .pp
@@ -1830,36 +1812,6 @@ struct option_t MuttVars[] = {
 ** .pp
 ** Example: \fTset certificate_file=~/.madmutt/certificates\fP
 */
-# if defined(_MAKEDOC) || !defined (USE_GNUTLS)
- {"ssl_usesystemcerts", DT_BOOL, R_NONE, OPTSSLSYSTEMCERTS, "yes" },
- /*
- ** .pp
- ** Availability: SSL
- **
- ** .pp
- ** If set to \fIyes\fP, Madmutt will use CA certificates in the
- ** system-wide certificate store when checking if server certificate
- ** is signed by a trusted CA.
- */
- {"entropy_file", DT_PATH, R_NONE, UL &SslEntropyFile, "" },
- /*
- ** .pp
- ** Availability: SSL
- **
- ** .pp
- ** The file which includes random data that is used to initialize SSL
- ** library functions.
- */
- {"ssl_use_sslv2", DT_BOOL, R_NONE, OPTSSLV2, "no" },
- /*
- ** .pp
- ** Availability: SSL
- **
- ** .pp
- ** This variables specifies whether to attempt to use SSLv2 in the
- ** SSL authentication process.
- */
-# endif /* _MAKEDOC || !USE_GNUTLS */
 {"ssl_use_sslv3", DT_BOOL, R_NONE, OPTSSLV3, "yes" },
 /*
 ** .pp
@@ -1878,7 +1830,6 @@ struct option_t MuttVars[] = {
 ** This variables specifies whether to attempt to use TLSv1 in the
 ** SSL authentication process.
 */
-# ifdef USE_GNUTLS
 {"ssl_min_dh_prime_bits", DT_NUM, R_NONE, UL &SslDHPrimeBits, "0" },
 /*
 ** .pp
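Review bot: Removing `ssl_usesystemcerts` (default `"yes"` on the OpenSSL build) without a GnuTLS counterpart means a user who relied on the system CA store now has no CA trust anchor unless they set `ssl_ca_certificates_file`, whose own example text later in this table suggests it has no default; whether the GnuTLS path then falls back to the interactive accept prompt or rejects the server is not visible in this patch, but either way server-certificate validation changes silently for migrating users and deserves a sentence in the `ssl_ca_certificates_file` description, e.g. `** There is no fallback to the system-wide certificate store, so point this at your distribution's CA bundle.` The context line `** Madmutt still needs to have SSL support enabled in order to use it.` just above the removed block, and any remaining `** Availability: SSL` tags in this table, are stale now that TLS is always compiled in. Also, a `set ssl_usesystemcerts=...`, `set entropy_file=...` or `set ssl_use_sslv2=...` in an existing muttrc will now be rejected as an unknown variable rather than ignored; keeping them accepted-but-ignored with a deprecation warning for one release would be kinder.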
@@ -1898,8 +1849,6 @@ struct option_t MuttVars[] = {
 ** .pp
 ** Example: \fTset ssl_ca_certificates_file=/etc/ssl/certs/ca-certificates.crt\fP
 */
-# endif /* USE_GNUTLS */
-# endif /* USE_SSL || USE_GNUTLS */
 {"pipe_split", DT_BOOL, R_NONE, OPTPIPESPLIT, "no" },
 /*
 ** .pp
diff --git a/lib-sys/Makefile.am b/lib-sys/Makefile.am
index 102fb76..7a2787d 100644
--- a/lib-sys/Makefile.am
+++ b/lib-sys/Makefile.am
@@ -3,10 +3,10 @@ noinst_LIBRARIES = libsys.a
 libsys_a_SOURCES = exit.h unix.h mutt_signal.h \
 exit.c unix.c mutt_signal.c filter.c \
 $(___networking_part____) \
- mutt_socket.h mutt_tunnel.c mutt_ssl.h \
- mutt_socket.c mutt_tunnel.h mutt_ssl.c mutt_ssl_gnutls.c
+ mutt_socket.h mutt_tunnel.c \
+ mutt_socket.c mutt_tunnel.h mutt_ssl_gnutls.c
 noinst_HEADERS = exit.h unix.h \
- mutt_socket.h mutt_tunnel.c mutt_ssl.h
+ mutt_socket.h mutt_tunnel.c
 -include $(top_builddir)/tools/cflags.mk
diff --git a/lib-sys/mutt_socket.c b/lib-sys/mutt_socket.c
index 72473bc..65ba008 100644
--- a/lib-sys/mutt_socket.c
+++ b/lib-sys/mutt_socket.c
@@ -24,7 +24,6 @@
 #include "mutt_socket.h"
 #include "mutt_tunnel.h"
 #include "mutt_signal.h"
-#include "mutt_ssl.h"
 #ifdef HAVE_LIBIDN
 #include
@@ -215,21 +214,11 @@ CONNECTION *mutt_conn_find (const CONNECTION * start, const ACCOUNT * account)
 if (Tunnel && *Tunnel)
 mutt_tunnel_socket_setup (conn);
 else if (account->flags & M_ACCT_SSL) {
-#if defined (USE_SSL) || defined (USE_GNUTLS)
 if (mutt_ssl_socket_setup (conn) < 0) {
 mutt_socket_free (conn);
 return NULL;
 }
-#else
- mutt_error _("SSL is unavailable.");
-
- mutt_sleep (2);
- mutt_socket_free (conn);
-
- return NULL;
-#endif
- }
- else {
+ } else {
 conn->conn_read = raw_socket_read;
 conn->conn_write = raw_socket_write;
 conn->conn_open = raw_socket_open;
diff --git a/lib-sys/mutt_socket.h b/lib-sys/mutt_socket.h
index 0d3daf3..781427d 100644
--- a/lib-sys/mutt_socket.h
+++ b/lib-sys/mutt_socket.h
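Review bot: The edited `noinst_HEADERS` line in lib-sys/Makefile.am still lists `mutt_tunnel.c` as a header while `mutt_tunnel.h` appears only under `libsys_a_SOURCES`; the pair looks swapped, and since the line is being rewritten anyway this is the moment to make it `mutt_socket.h mutt_tunnel.h`. The build works either way because automake treats the entries as plain file lists, but a .c under HEADERS misleads the next reader about what is public. This is a pre-existing slip that the commit carries forward rather than one it introduces.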
@@ -49,6 +49,9 @@ int mutt_socket_readchar (CONNECTION * conn, char *c);
 int mutt_socket_readln(char *buf, ssize_t buflen, CONNECTION * conn);
 int mutt_socket_write(CONNECTION * conn, const char *buf);
+int mutt_ssl_starttls (CONNECTION * conn);
+int mutt_ssl_socket_setup (CONNECTION * conn);
+
 /* stupid hack for imap_logout_all */
 CONNECTION *mutt_socket_head (void);
 void mutt_socket_free (CONNECTION * conn);
diff --git a/lib-sys/mutt_ssl.c b/lib-sys/mutt_ssl.c
deleted file mode 100644
index 745141b..0000000
--- a/lib-sys/mutt_ssl.c
+++ /dev/null
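Review bot: The two prototypes moved here from the deleted mutt_ssl.h arrive without any comment, and since mutt_socket.h is now the only declaration point for the TLS entry points a short contract would help callers: `/* Negotiate TLS on an already-open connection (IMAP STARTTLS / POP STLS); any non-zero return is a failure. */` above `mutt_ssl_starttls`, and `/* Install the TLS open/read/write/close handlers on conn; returns < 0 on failure. */` above `mutt_ssl_socket_setup`. The wording mirrors how the callers in this patch test the results (imap.c and pop_lib.c treat any non-zero `mutt_ssl_starttls` result as an error, mutt_socket.c checks `mutt_ssl_socket_setup (conn) < 0`); the GnuTLS implementations themselves are not in the hunk, so confirm the return conventions against mutt_ssl_gnutls.c before committing to them in a comment.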
@@ -1,674 +0,0 @@ -/* - * Copyright notice from original mutt: - * Copyright (C) 1999-2001 Tommi Komulainen - * - * This file is part of mutt-ng, see http://www.muttng.org/. - * It's licensed under the GNU General Public License, - * please see the file GPL in the top level source directory. - */ - -#include - -#ifdef USE_SSL - -#include -#include -#include -#include - -#include -#include - -#include "mutt.h" -#include "mutt_socket.h" -#include "mutt_ssl.h" - - -#if OPENSSL_VERSION_NUMBER >= 0x00904000L -#define READ_X509_KEY(fp, key) PEM_read_X509(fp, key, NULL, NULL) -#else -#define READ_X509_KEY(fp, key) PEM_read_X509(fp, key, NULL) -#endif - -/* Just in case OpenSSL doesn't define DEVRANDOM */ -#ifndef DEVRANDOM -#define DEVRANDOM "/dev/urandom" -#endif - -/* This is ugly, but as RAND_status came in on OpenSSL version 0.9.5 - * and the code has to support older versions too, this is seemed to - * be cleaner way compared to having even uglier #ifdefs all around. - */ -#ifdef HAVE_RAND_STATUS -#define HAVE_ENTROPY() (RAND_status() == 1) -#else -static int entropy_byte_count = 0; - -/* OpenSSL fills the entropy pool from /dev/urandom if it exists */ -#define HAVE_ENTROPY() (!access(DEVRANDOM, R_OK) || entropy_byte_count >= 16) -#endif - -typedef struct _sslsockdata { - SSL_CTX *ctx; - SSL *ssl; - X509 *cert; -} sslsockdata; - -/* local prototypes */ -static int ssl_init (void); -static int add_entropy (const char *file); -static int ssl_socket_read (CONNECTION * conn, char *buf, size_t len); -static int ssl_socket_write (CONNECTION * conn, const char *buf, size_t len); -static int ssl_socket_open (CONNECTION * conn); -static int ssl_socket_close (CONNECTION * conn); -static int tls_close (CONNECTION * conn); -static int ssl_check_certificate (sslsockdata * data); -static void ssl_get_client_cert (sslsockdata * ssldata, CONNECTION * conn); -static int ssl_passwd_cb (char *buf, int size, int rwflag, void *userdata); -static int ssl_negotiate (sslsockdata *); - -/* 
mutt_ssl_starttls: Negotiate TLS over an already opened connection. - * TODO: Merge this code better with ssl_socket_open. */ -int mutt_ssl_starttls (CONNECTION * conn) -{ - sslsockdata *ssldata; - int maxbits; - - if (ssl_init ()) - goto bail; - - ssldata = p_new(sslsockdata, 1); - /* the ssl_use_xxx protocol options don't apply. We must use TLS in TLS. */ - if (!(ssldata->ctx = SSL_CTX_new (TLSv1_client_method ()))) { - goto bail_ssldata; - } - - ssl_get_client_cert (ssldata, conn); - - if (!(ssldata->ssl = SSL_new (ssldata->ctx))) { - goto bail_ctx; - } - - if (SSL_set_fd (ssldata->ssl, conn->fd) != 1) { - goto bail_ssl; - } - - if (ssl_negotiate (ssldata)) - goto bail_ssl; - - /* hmm. watch out if we're starting TLS over any method other than raw. */ - conn->sockdata = ssldata; - conn->conn_read = ssl_socket_read; - conn->conn_write = ssl_socket_write; - conn->conn_close = tls_close; - - conn->ssf = SSL_CIPHER_get_bits (SSL_get_current_cipher (ssldata->ssl), - &maxbits); - - return 0; - -bail_ssl: - p_delete(&ssldata->ssl); -bail_ctx: - p_delete(&ssldata->ctx); -bail_ssldata: - p_delete(&ssldata); -bail: - return -1; -} - -/* - * OpenSSL library needs to be fed with sufficient entropy. On systems - * with /dev/urandom, this is done transparently by the library itself, - * on other systems we need to fill the entropy pool ourselves. - * - * Even though only OpenSSL 0.9.5 and later will complain about the - * lack of entropy, we try to our best and fill the pool with older - * versions also. 
(That's the reason for the ugly #ifdefs and macros, - * otherwise I could have simply #ifdef'd the whole ssl_init funcion) - */ -static int ssl_init (void) -{ - char path[_POSIX_PATH_MAX]; - static unsigned char init_complete = 0; - - if (init_complete) - return 0; - - if (!HAVE_ENTROPY ()) { - /* load entropy from files */ - add_entropy (SslEntropyFile); - add_entropy (RAND_file_name (path, sizeof (path))); - - /* load entropy from egd sockets */ -#ifdef HAVE_RAND_EGD - add_entropy (getenv ("EGDSOCKET")); - snprintf (path, sizeof (path), "%s/.entropy", NONULL(MCore.homedir)); - add_entropy (path); - add_entropy ("/tmp/entropy"); -#endif - - /* shuffle $RANDFILE (or ~/.rnd if unset) */ - RAND_write_file (RAND_file_name (path, sizeof (path))); - mutt_clear_error (); - if (!HAVE_ENTROPY ()) { - mutt_error (_("Failed to find enough entropy on your system")); - mutt_sleep (2); - return -1; - } - } - - /* I don't think you can do this just before reading the error. The call - * itself might clobber the last SSL error. */ - SSL_load_error_strings (); - SSL_library_init (); - init_complete = 1; - return 0; -} - -static int add_entropy (const char *file) -{ - struct stat st; - int n = -1; - - if (!file) - return 0; - - if (stat (file, &st) == -1) - return errno == ENOENT ? 
0 : -1; - - mutt_message (_("Filling entropy pool: %s...\n"), file); - - /* check that the file permissions are secure */ - if (st.st_uid != getuid () || - ((st.st_mode & (S_IWGRP | S_IRGRP)) != 0) || - ((st.st_mode & (S_IWOTH | S_IROTH)) != 0)) { - mutt_error (_("%s has insecure permissions!"), file); - mutt_sleep (2); - return -1; - } - -#ifdef HAVE_RAND_EGD - n = RAND_egd (file); -#endif - if (n <= 0) - n = RAND_load_file (file, -1); - -#ifndef HAVE_RAND_STATUS - if (n > 0) - entropy_byte_count += n; -#endif - return n; -} - -static int ssl_socket_open_err (CONNECTION * conn) -{ - mutt_error (_("SSL disabled due the lack of entropy")); - mutt_sleep (2); - return -1; -} - - -int mutt_ssl_socket_setup (CONNECTION * conn) -{ - if (ssl_init () < 0) { - conn->conn_open = ssl_socket_open_err; - return -1; - } - - conn->conn_open = ssl_socket_open; - conn->conn_read = ssl_socket_read; - conn->conn_write = ssl_socket_write; - conn->conn_close = ssl_socket_close; - - return 0; -} - -static int ssl_socket_read (CONNECTION * conn, char *buf, size_t len) -{ - sslsockdata *data = conn->sockdata; - - return SSL_read (data->ssl, buf, len); -} - -static int ssl_socket_write (CONNECTION * conn, const char *buf, size_t len) -{ - sslsockdata *data = conn->sockdata; - - return SSL_write (data->ssl, buf, len); -} - -static int ssl_socket_open (CONNECTION * conn) -{ - sslsockdata *data; - int maxbits; - - if (raw_socket_open (conn) < 0) - return -1; - - data = p_new(sslsockdata, 1); - conn->sockdata = data; - - data->ctx = SSL_CTX_new (SSLv23_client_method ()); - - /* disable SSL protocols as needed */ - if (!option (OPTTLSV1)) { - SSL_CTX_set_options (data->ctx, SSL_OP_NO_TLSv1); - } - if (!option (OPTSSLV2)) { - SSL_CTX_set_options (data->ctx, SSL_OP_NO_SSLv2); - } - if (!option (OPTSSLV3)) { - SSL_CTX_set_options (data->ctx, SSL_OP_NO_SSLv3); - } - - ssl_get_client_cert (data, conn); - - data->ssl = SSL_new (data->ctx); - SSL_set_fd (data->ssl, conn->fd); - - if (ssl_negotiate 
(data)) { - mutt_socket_close (conn); - return -1; - } - - conn->ssf = SSL_CIPHER_get_bits (SSL_get_current_cipher (data->ssl), - &maxbits); - - return 0; -} - -/* ssl_negotiate: After SSL state has been initialised, attempt to negotiate - * SSL over the wire, including certificate checks. */ -static int ssl_negotiate (sslsockdata * ssldata) -{ - int err; - const char *errmsg; - -#if OPENSSL_VERSION_NUMBER >= 0x00906000L - /* This only exists in 0.9.6 and above. Without it we may get interrupted - * reads or writes. Bummer. */ - SSL_set_mode (ssldata->ssl, SSL_MODE_AUTO_RETRY); -#endif - - if ((err = SSL_connect (ssldata->ssl)) != 1) { - switch (SSL_get_error (ssldata->ssl, err)) { - case SSL_ERROR_SYSCALL: - errmsg = _("I/O error"); - break; - case SSL_ERROR_SSL: - errmsg = ERR_error_string (ERR_get_error (), NULL); - break; - default: - errmsg = _("unknown error"); - } - - mutt_error (_("SSL failed: %s"), errmsg); - mutt_sleep (1); - - return -1; - } - - ssldata->cert = SSL_get_peer_certificate (ssldata->ssl); - if (!ssldata->cert) { - mutt_error (_("Unable to get certificate from peer")); - mutt_sleep (1); - return -1; - } - - if (!ssl_check_certificate (ssldata)) - return -1; - - mutt_message (_("SSL connection using %s (%s)"), - SSL_get_cipher_version (ssldata->ssl), - SSL_get_cipher_name (ssldata->ssl)); - mutt_sleep (0); - - return 0; -} - -static int ssl_socket_close (CONNECTION * conn) -{ - sslsockdata *data = conn->sockdata; - - if (data) { - SSL_shutdown (data->ssl); - SSL_free (data->ssl); - SSL_CTX_free (data->ctx); - p_delete(&conn->sockdata); - } - - return raw_socket_close (conn); -} - -static int compare_certificates (X509 *cert, X509 *peercert, - unsigned char *peermd, - unsigned int peermdlen) { - unsigned char md[EVP_MAX_MD_SIZE]; - unsigned int mdlen; - - /* Avoid CPU-intensive digest calculation if the certificates are - * not even remotely equal. 
- */ - if (X509_subject_name_cmp (cert, peercert) != 0 || - X509_issuer_name_cmp (cert, peercert) != 0) - return -1; - - if (!X509_digest (cert, EVP_sha1(), md, &mdlen) || peermdlen != mdlen) - return -1; - - if (memcmp(peermd, md, mdlen) != 0) - return -1; - - return 0; -} - -static int check_certificate_cache (X509 *peercert) { - unsigned char peermd[EVP_MAX_MD_SIZE]; - unsigned int peermdlen; - X509 *cert; - string_list_t *scert; - - if (!X509_digest (peercert, EVP_sha1(), peermd, &peermdlen)) - return 0; - - for (scert = SslSessionCerts; scert; scert = scert->next) { - cert = *(X509**)scert->data; - if (!compare_certificates (cert, peercert, peermd, peermdlen)) { - return 1; - } - } - return 0; -} - -static int tls_close (CONNECTION * conn) -{ - int rc; - - rc = ssl_socket_close (conn); - conn->conn_read = raw_socket_read; - conn->conn_write = raw_socket_write; - conn->conn_close = raw_socket_close; - - return rc; -} - -static char *x509_get_part (char *line, const char *ndx) -{ - static char ret[STRING]; - char *c, *c2; - - m_strcpy(ret, sizeof(ret), _("Unknown")); - - c = strstr (line, ndx); - if (c) { - c += m_strlen(ndx); - c2 = strchr (c, '/'); - if (c2) - *c2 = '\0'; - m_strcpy(ret, sizeof(ret), c); - if (c2) - *c2 = '/'; - } - - return ret; -} - -static void x509_fingerprint (char *s, int l, X509 * cert) -{ - unsigned char md[EVP_MAX_MD_SIZE]; - unsigned int n; - int j; - - if (!X509_digest (cert, EVP_md5 (), md, &n)) { - m_strcpy(s, l, _("[unable to calculate]")); - } - else { - for (j = 0; j < (int) n; j++) { - char ch[8]; - - snprintf(ch, 8, "%02X%s", md[j], (j % 2 ? 
" " : "")); - m_strcat(s, l, ch); - } - } -} - -static char *asn1time_to_string (ASN1_UTCTIME * tm) -{ - static char buf[64]; - BIO *bio; - - m_strcpy(buf, sizeof(buf), _("[invalid date]")); - - bio = BIO_new (BIO_s_mem ()); - if (bio) { - if (ASN1_TIME_print (bio, tm)) - (void) BIO_read (bio, buf, sizeof (buf)); - BIO_free (bio); - } - - return buf; -} - -static int check_certificate_by_signer (X509 * peercert) -{ - X509_STORE_CTX xsc; - X509_STORE *ctx; - int pass = 0; - - ctx = X509_STORE_new (); - if (ctx == NULL) - return 0; - - if (option (OPTSSLSYSTEMCERTS)) { - if (X509_STORE_set_default_paths (ctx)) - pass++; - } - - if (X509_STORE_load_locations (ctx, SslCertFile, NULL)) - pass++; - - if (pass == 0) { - /* nothing to do */ - X509_STORE_free (ctx); - return 0; - } - - X509_STORE_CTX_init (&xsc, ctx, peercert, NULL); - - pass = (X509_verify_cert (&xsc) > 0); - X509_STORE_CTX_cleanup (&xsc); - X509_STORE_free (ctx); - - return pass; -} - -static int check_certificate_by_digest (X509 * peercert) -{ - unsigned char peermd[EVP_MAX_MD_SIZE]; - unsigned int peermdlen; - X509 *cert = NULL; - int pass = 0; - FILE *fp; - - /* expiration check */ - if (X509_cmp_current_time (X509_get_notBefore (peercert)) >= 0) { - mutt_error (_("Server certificate is not yet valid")); - mutt_sleep (2); - return 0; - } - if (X509_cmp_current_time (X509_get_notAfter (peercert)) <= 0) { - mutt_error (_("Server certificate has expired")); - mutt_sleep (2); - return 0; - } - - if ((fp = fopen (SslCertFile, "rt")) == NULL) - return 0; - - if (!X509_digest (peercert, EVP_sha1 (), peermd, &peermdlen)) { - m_fclose(&fp); - return 0; - } - - while ((cert = READ_X509_KEY (fp, &cert)) != NULL) { - pass = compare_certificates (cert, peercert, peermd, peermdlen) ? 
0 : 1; - if (pass) - break; - } - X509_free (cert); - m_fclose(&fp); - - return pass; -} - -static int ssl_check_certificate (sslsockdata * data) -{ - char *part[] = { "/CN=", "/Email=", "/O=", "/OU=", "/L=", "/ST=", "/C=" }; - char helpstr[STRING]; - char buf[STRING]; - MUTTMENU *menu; - int done, row, i; - FILE *fp; - char *name = NULL, *c; - - /* check session cache first */ - if (check_certificate_cache (data->cert)) { - return 1; - } - - if (check_certificate_by_signer (data->cert)) { - return 1; - } - - /* automatic check from user's database */ - if (SslCertFile && check_certificate_by_digest (data->cert)) { - return 1; - } - - /* interactive check from user */ - menu = mutt_new_menu (); - menu->max = 19; - menu->dialog = p_new(char *, menu->max); - for (i = 0; i < menu->max; i++) - menu->dialog[i] = p_new(char, STRING); - - row = 0; - m_strcpy(menu->dialog[row], STRING, - _("This certificate belongs to:")); - row++; - name = X509_NAME_oneline (X509_get_subject_name (data->cert), - buf, sizeof (buf)); - for (i = 0; i < 5; i++) { - c = x509_get_part (name, part[i]); - snprintf (menu->dialog[row++], STRING, " %s", c); - } - - row++; - m_strcpy(menu->dialog[row], STRING, - _("This certificate was issued by:")); - row++; - name = X509_NAME_oneline (X509_get_issuer_name (data->cert), - buf, sizeof (buf)); - for (i = 0; i < 5; i++) { - c = x509_get_part (name, part[i]); - snprintf (menu->dialog[row++], STRING, " %s", c); - } - - row++; - snprintf (menu->dialog[row++], STRING, "%s", - _("This certificate is valid")); - snprintf (menu->dialog[row++], STRING, _(" from %s"), - asn1time_to_string (X509_get_notBefore (data->cert))); - snprintf (menu->dialog[row++], STRING, _(" to %s"), - asn1time_to_string (X509_get_notAfter (data->cert))); - - row++; - buf[0] = '\0'; - x509_fingerprint (buf, sizeof (buf), data->cert); - snprintf (menu->dialog[row++], STRING, _("Fingerprint: %s"), buf); - - menu->title = _("SSL Certificate check"); - - if (SslCertFile && 
X509_cmp_current_time (X509_get_notAfter (data->cert)) >= 0 - && X509_cmp_current_time (X509_get_notBefore (data->cert)) < 0) { - menu->prompt = _("(r)eject, accept (o)nce, (a)ccept always"); - menu->keys = _("roa"); - } - else { - menu->prompt = _("(r)eject, accept (o)nce"); - menu->keys = _("ro"); - } - - helpstr[0] = '\0'; - mutt_make_help (buf, sizeof (buf), _("Exit "), MENU_GENERIC, OP_EXIT); - m_strcat(helpstr, sizeof(helpstr), buf); - mutt_make_help (buf, sizeof (buf), _("Help"), MENU_GENERIC, OP_HELP); - m_strcat(helpstr, sizeof(helpstr), buf); - menu->help = helpstr; - - done = 0; - set_option (OPTUNBUFFEREDINPUT); - while (!done) { - switch (mutt_menuLoop (menu)) { - case -1: /* abort */ - case OP_MAX + 1: /* reject */ - case OP_EXIT: - done = 1; - break; - case OP_MAX + 3: /* accept always */ - done = 0; - if ((fp = fopen (SslCertFile, "a"))) { - if (PEM_write_X509 (fp, data->cert)) - done = 1; - m_fclose(&fp); - } - if (!done) { - mutt_error (_("Warning: Couldn't save certificate")); - mutt_sleep (2); - } - else { - mutt_message (_("Certificate saved")); - mutt_sleep (0); - } - /* fall through */ - case OP_MAX + 2: /* accept once */ - done = 2; - /* keep a handle on accepted certificates in case we want to - * open up another connection to the same server in this session */ - SslSessionCerts = mutt_add_list_n (SslSessionCerts, &data->cert, - sizeof (X509 **)); - break; - } - } - unset_option (OPTUNBUFFEREDINPUT); - mutt_menuDestroy (&menu); - return (done == 2); -} - -static void ssl_get_client_cert (sslsockdata * ssldata, CONNECTION * conn) -{ - if (SslClientCert) { - SSL_CTX_set_default_passwd_cb_userdata (ssldata->ctx, &conn->account); - SSL_CTX_set_default_passwd_cb (ssldata->ctx, ssl_passwd_cb); - SSL_CTX_use_certificate_file (ssldata->ctx, SslClientCert, - SSL_FILETYPE_PEM); - SSL_CTX_use_PrivateKey_file (ssldata->ctx, SslClientCert, - SSL_FILETYPE_PEM); - } -} - -static int ssl_passwd_cb (char *buf, int size, int rwflag, void *userdata) -{ - 
ACCOUNT *account = (ACCOUNT *) userdata;
- if (mutt_account_getuser (account))
- return 0;
- if (mutt_account_getpass (account))
- return 0;
- return snprintf (buf, size, "%s", account->pass);
-}
-
-#endif /* USE_SSL */
diff --git a/lib-sys/mutt_ssl.h b/lib-sys/mutt_ssl.h
deleted file mode 100644
index b0e6ee6..0000000
--- a/lib-sys/mutt_ssl.h
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright notice from original mutt:
- * Copyright (C) 1999-2000 Tommi Komulainen
- *
- * This file is part of mutt-ng, see http://www.muttng.org/.
- * It's licensed under the GNU General Public License,
- * please see the file GPL in the top level source directory.
- */
-
-#ifndef _MUTT_SSL_H_
-#define _MUTT_SSL_H_ 1
-
-#include "mutt_socket.h"
-
-#if defined(USE_SSL) || defined(USE_GNUTLS)
-
-int mutt_ssl_starttls (CONNECTION * conn);
-int mutt_ssl_socket_setup (CONNECTION * conn);
-
-#endif
-
-#endif /* _MUTT_SSL_H_ */
diff --git a/lib-sys/mutt_ssl_gnutls.c b/lib-sys/mutt_ssl_gnutls.c
index 9c155ea..d266358 100644
--- a/lib-sys/mutt_ssl_gnutls.c
+++ b/lib-sys/mutt_ssl_gnutls.c
@@ -10,8 +10,6 @@
 #include
-#ifdef USE_GNUTLS
-
 #include
 #include
 #ifdef HAVE_GNUTLS_OPENSSL_H
@@ -23,7 +21,6 @@
 #include "mutt.h"
 #include "mutt_socket.h"
-#include "mutt_ssl.h"
 typedef struct _tlssockdata {
 gnutls_session state;
@@ -782,5 +779,3 @@ static int tls_check_certificate (CONNECTION * conn)
 gnutls_x509_crt_deinit (cert);
 return (done == 2);
 }
-
-#endif /* USE_GNUTLS */
diff --git a/main.c b/main.c
index f13f5a5..28d7f4e 100644
--- a/main.c
+++ b/main.c
@@ -62,16 +62,9 @@ extern int optind;
 #endif
 #endif
-#ifdef USE_GNUTLS
 #include
-#endif
-
 #include
-#ifdef USE_SSL
-#include
-#endif
-
 static const char *Notice = N_("\
 Copyright (C) 1996-2002 Michael R. Elkins and others.\n\
 Copyright (C) 2005 The Mutt-ng Team\n\
@@ -189,14 +182,7 @@ static void show_version (void)
 #endif
 #endif
-#ifdef USE_GNUTLS
 printf (" gnutls %s\n", LIBGNUTLS_VERSION);
-#endif
-
-#ifdef USE_SSL
- printf (" %s\n",OPENSSL_VERSION_TEXT);
-#endif
-
 printf (" gpgme %s\n", GPGME_VERSION);
 puts (_("Compile Options:"));
@@ -233,16 +219,6 @@ static void show_version (void)
 #else
 "-USE_NNTP "
 #endif
-#ifdef USE_SSL
- "+USE_SSL "
-#else
- "-USE_SSL "
-#endif
-#ifdef USE_GNUTLS
- "+USE_GNUTLS "
-#else
- "-USE_GNUTLS "
-#endif
 #ifdef USE_LIBESMTP
 "+USE_LIBESMTP "
 #else
diff --git a/mutt.h b/mutt.h
index dc59064..5fddc6c 100644
--- a/mutt.h
+++ b/mutt.h
@@ -143,9 +143,6 @@ enum {
 /* options for socket code */
 M_NEW_SOCKET,
-#ifdef USE_SSL
- M_NEW_SSL_SOCKET,
-#endif
 /* Options for mutt_save_attachment */
 M_SAVE_APPEND,
@@ -172,9 +169,7 @@ enum {
 OPT_PRINT,
 OPT_REPLYTO,
 OPT_RECALL,
-#if defined(USE_SSL) || defined(USE_GNUTLS)
 OPT_SSLSTARTTLS,
-#endif
 OPT_SUBJECT,
 OPT_VERIFYSIG, /* verify PGP signatures */
 OPT_LISTREPLY,
@@ -258,15 +253,9 @@ enum {
 OPTIMAPPASSIVE,
 OPTIMAPPEEK,
 OPTIMAPSERVERNOISE,
-#if defined(USE_SSL) || defined(USE_GNUTLS)
-# ifndef USE_GNUTLS
- OPTSSLSYSTEMCERTS,
- OPTSSLV2,
-# endif /* !USE_GNUTLS */
 OPTSSLV3,
 OPTTLSV1,
 OPTSSLFORCETLS,
-#endif /* USE_SSL || USE_GNUTLS */
 OPTIMPLICITAUTOVIEW,
 OPTINCLUDEONLYFIRST,
 OPTKEEPFLAGGED,
diff --git a/pop/pop_lib.c b/pop/pop_lib.c
index f4c17e9..f6587ef 100644
--- a/pop/pop_lib.c
+++ b/pop/pop_lib.c
@@ -12,9 +12,6 @@
 #include "mutt.h"
 #include "pop.h"
-#if defined (USE_SSL) || defined (USE_GNUTLS)
-# include
-#endif
 /* given an POP mailbox name, return host, port, username and password */
 int pop_parse_path (const char *path, ACCOUNT * act)
@@ -246,7 +243,6 @@ pop_query_status pop_open_connection (POP_DATA * pop_data)
 return PQ_ERR;
 }
-#if (defined(USE_SSL) || defined(USE_GNUTLS))
 /* Attempt STLS if available and desired. */
 if (!pop_data->conn->ssf && (pop_data->cmd_stls || option(OPTSSLFORCETLS))) {
 if (option (OPTSSLFORCETLS))
@@ -269,9 +265,7 @@ pop_query_status pop_open_connection (POP_DATA * pop_data)
 mutt_error ("%s", pop_data->err_msg);
 mutt_sleep (2);
 }
-#if defined (USE_SSL) || defined (USE_GNUTLS)
 else if (mutt_ssl_starttls (pop_data->conn))
-#endif
 {
 mutt_error (_("Could not negotiate TLS connection"));
 mutt_sleep (2);
@@ -295,7 +289,6 @@ pop_query_status pop_open_connection (POP_DATA * pop_data)
 mutt_sleep (1);
 return -2;
 }
-#endif
 ret = pop_authenticate (pop_data);
 if (ret == PQ_NOT_CONNECTED)
diff --git a/send_smtp.c b/send_smtp.c
index 32f4ba0..5323195 100644
--- a/send_smtp.c
+++ b/send_smtp.c
@@ -13,7 +13,7 @@
 #include
-#if defined(USE_SSL) || (defined(USE_GNUTLS) && defined(HAVE_GNUTLS_OPENSSL_H))
+#if defined(HAVE_GNUTLS_OPENSSL_H)
 #include
 #endif
@@ -168,7 +168,7 @@ _send_smtp_messagefp_cb(void **buf, int *len, void *arg)
 }
 static int handle_invalid_peer_certificate (long vfy_result) {
-#if defined (USE_SSL) || (defined (USE_GNUTLS) && defined (HAVE_GNUTLS_OPENSSL_H))
+#if defined (HAVE_GNUTLS_OPENSSL_H)
 mutt_error (_("Error verifying certificate: %s"), NONULL (X509_verify_cert_error_string (vfy_result)));
 #else
@@ -275,7 +275,7 @@ static void do_dsn_ret (smtp_message_t message) {
 smtp_dsn_set_ret (message, Ret_FULL);
 }
-#if defined (USE_LIBESMTP) && (defined (USE_SSL) || defined (USE_GNUTLS))
+#ifdef USE_LIBESMTP
 int send_smtp_check_usetls (const char* option, unsigned long p, char* errbuf, ssize_t errlen) {
 char* val = (char*) p;
@@ -317,7 +317,7 @@ int send_smtp_invoke (address_t * from, /* the sender */
 if ((session = smtp_create_session ()) == NULL)
 SMTPFAIL ("smtp_create_session");
-#if defined (USE_SSL) || (defined (USE_GNUTLS) && defined (HAVE_GNUTLS_OPENSSL_H))
+#ifdef HAVE_GNUTLS_OPENSSL_H
 if (SmtpUseTLS != NULL && ascii_strncasecmp("enabled", SmtpUseTLS, 7) == 0) {
 smtp_starttls_enable(session, Starttls_ENABLED);
 } else if (SmtpUseTLS != NULL && ascii_strncasecmp("required", SmtpUseTLS, 8) == 0) {
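Review bot: After this change the `smtp_use_tls` validator `send_smtp_check_usetls` is compiled under plain `USE_LIBESMTP` (hunk @@ -275 above) while the code that actually calls `smtp_starttls_enable` is guarded by `HAVE_GNUTLS_OPENSSL_H` alone, so on a build where GnuTLS's OpenSSL-compatibility header is missing `smtp_use_tls=required` is accepted by the checker yet never passed to libesmtp, and the session presumably proceeds without STARTTLS. The mismatch already existed for GnuTLS builds before this patch, but with GnuTLS now the only backend it affects every build lacking that header and nothing at configure or run time signals it. Either make configure fail when `gnutls/openssl.h` is absent, or give this `#ifdef` an `#else` branch that refuses to send when TLS was demanded, e.g. `#else` / `if (SmtpUseTLS != NULL && ascii_strncasecmp("required", SmtpUseTLS, 8) == 0)` / `SMTPFAIL ("TLS required but not compiled in");`. send_smtp_invoke starts before and continues after this hunk.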
@@ -343,7 +343,7 @@ int send_smtp_invoke (address_t * from, /* the sender */
 SMTPFAIL ("smtp_auth_set_context");
 }
-#if defined (USE_SSL) || (defined (USE_GNUTLS) && defined (HAVE_GNUTLS_OPENSSL_H))
+#ifdef HAVE_GNUTLS_OPENSSL_H
 smtp_starttls_set_ctx (session, NULL);
 #endif
 smtp_set_eventcb (session, event_cb, NULL);
diff --git a/send_smtp.h b/send_smtp.h
index 1733d58..dc1c0e6 100644
--- a/send_smtp.h
+++ b/send_smtp.h
@@ -11,10 +11,8 @@
 #define _MUTT_LIBESMTP_H
 #ifdef USE_LIBESMTP
-#if (defined (USE_SSL) || defined (USE_GNUTLS))
 int send_smtp_check_usetls (const char* option, unsigned long p, char* errbuf, ssize_t errlen);
-#endif
 int send_smtp_invoke(address_t * from, /* the sender */
 address_t * to, address_t * cc, address_t * bcc,
--
2.20.1