# define SASLminc(a) 0
#endif
+#ifndef TLS_SUPPORT
+# define TLSminc(a) (a)
+#else
+# define TLSminc(a) 0
+#endif
+
#define INC_SWITCHES \
X("audit audit-file", 0, AUDSW) \
X("noaudit", 0, NAUDSW) \
X("sasl", SASLminc(5), SASLSW) \
X("nosasl", SASLminc(3), NOSASLSW) \
X("saslmech", SASLminc(5), SASLMECHSW) \
+ X("initialtls", TLSminc(-10), INITTLSSW) \
+ X("noinitialtls", TLSminc(-12), NOINITTLSSW) \
X("authservice", SASLminc(0), AUTHSERVICESW) \
X("proxy command", 0, PROXYSW) \
int chgflag = 1, trnflag = 1;
int noisy = 1, width = -1;
int hghnum = 0, msgnum = 0;
- int sasl = 0;
+ int sasl = 0, tls = 0;
int incerr = 0; /* <0 if inc hits an error which means it should not truncate mailspool */
char *cp, *maildir = NULL, *folder = NULL;
char *format = NULL, *form = NULL;
adios (NULL, "missing argument to %s", argp[-2]);
continue;
+ case INITTLSSW:
+ tls++;
+ continue;
+
+ case NOINITTLSSW:
+ tls = 0;
+ continue;
+
case AUTHSERVICESW:
#ifdef OAUTH_SUPPORT
if (!(auth_svc = *argp++) || *auth_svc == '-')
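Review bot: `case INITTLSSW` at L29–L31 accepts `-initialtls` unconditionally, unlike `-authservice` just below it, which is fenced with `#ifdef OAUTH_SUPPORT`; nothing in this hunk rejects the option when `TLS_SUPPORT` is undefined (the `TLSminc` value only changes the switch-table entry, it does not remove it), so `tls` is set and handed to pop_init whose TLS code is compiled out, and the session would presumably proceed in the clear with no warning to the user who asked for encryption. Refuse the option rather than silently downgrading: put `#ifndef TLS_SUPPORT` / `adios (NULL, "-initialtls requested, but this nmh was built without TLS support");` / `#endif` before `tls++`. The enclosing switch statement starts before this hunk.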
* initialize POP connection
*/
if (pop_init (host, port, creds.user, creds.password, proxy, snoop,
- sasl, saslmech, auth_svc) == NOTOK)
+ sasl, saslmech, tls, auth_svc) == NOTOK)
adios (NULL, "%s", response);
/* Check if there are any messages */
#ifdef CYRUS_SASL
static int pop_auth_sasl(char *, char *, char *);
-static int sasl_fgetc(FILE *);
#endif /* CYRUS_SASL */
#ifdef TLS_SUPPORT
static int traverse (int (*)(char *), const char *, ...);
static int vcommand(const char *, va_list);
static int sasl_getline (char *, int, FILE *);
+static int sasl_fgetc(FILE *);
static int putline (char *, FILE *);
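Review bot: The `sasl_fgetc` prototype is moved from the `#ifdef CYRUS_SASL` block (L49) into the `#ifdef TLS_SUPPORT` block (L55), so a build with CYRUS_SASL but without TLS_SUPPORT no longer sees a declaration for it; if the function's definition and its SASL-path callers still sit under `CYRUS_SASL` (not visible in this hunk), that configuration now compiles with an implicit declaration or fails outright. Unless the definition moved with it, guard the prototype with `#if defined(CYRUS_SASL) || defined(TLS_SUPPORT)` instead, and do the same around the definition. The declaration list continues beyond this hunk.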
memset(&secprops, 0, sizeof(secprops));
secprops.maxbufsize = SASL_BUFFER_SIZE;
- secprops.max_ssf = UINT_MAX;
+ secprops.max_ssf = tls_active ? 0 : UINT_MAX;
result = sasl_setprop(conn, SASL_SEC_PROPS, &secprops);
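Review bot: L60 sets `max_ssf` to 0 whenever TLS is active, which forbids the SASL mechanism from negotiating its own security layer, but no comment says why, and a later reader could easily mistake it for a downgrade. Add above the assignment `/* The link is already TLS-protected; don't negotiate a SASL security layer on top of it (double encryption, and the read path keys off sasl_ssf). */`. Note also that `min_ssf` is left at 0 by the `memset` at L57, so in the non-TLS case a mechanism may still end up with no layer at all — pre-existing, but worth a one-line comment next to this one so the two cases are explicit. The enclosing function starts before this hunk.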
int
pop_init (char *host, char *port, char *user, char *pass, char *proxy,
- int snoop, int sasl, int tls, char *mech, const char *oauth_svc)
+ int snoop, int sasl, char *mech, int tls, const char *oauth_svc)
{
int fd1, fd2;
char buffer[BUFSIZ];
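Review bot: The new `tls` parameter at L65 is undocumented, and its position differs from the removed prototype at L64 (it now follows `mech`), so a caller compiled against the old order would silently pass `mech` and `tls` swapped. Add a comment on pop_init for it — from the `-initialtls` switch name, presumably `/* tls: non-zero to negotiate TLS immediately after connecting, before any POP command is sent — TODO confirm */` — and check that any caller of pop_init other than the inc.c call in this diff has been updated to the new argument order. The function body continues beyond this hunk.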
if (poprint) {
#ifdef CYRUS_SASL
if (sasl_ssf)
- fprintf(stderr, "(encrypted) ");
+ fprintf(stderr, "(sasl-encrypted) ");
#endif /* CYRUS_SASL */
+#ifdef TLS_SUPPORT
+ if (tls_active)
+ fprintf(stderr, "(tls-encrypted) ");
+#endif /* TLS_SUPPORT */
if (pophack) {
if ((cp = strchr (buffer, ' ')))
*cp = 0;
int result;
unsigned int buflen;
- if (!sasl_complete) {
+ if (sasl_complete == 0 || sasl_ssf == 0) {
#endif /* CYRUS_SASL */
+#ifdef TLS_SUPPORT
+ if (tls_active) {
+ int ret;
+
+ BIO_printf(io, "%s\r\n");
+ ret = BIO_flush(io);
+
+ if (ret != 1) {
+ strncpy(response, "lost connection", sizeof(response));
+ return NOTOK;
+ else {
+ return OK;
+ }
+ } else
+#endif /* TLS_SUPPORT */
fprintf (iop, "%s\r\n", s);
#ifdef CYRUS_SASL
} else {
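Review bot: `BIO_printf(io, "%s\r\n");` at L91 supplies a `%s` conversion with no argument, so it reads an arbitrary pointer from the varargs area — at best leaking stack contents to the server, at worst crashing — and the command `s` itself is never transmitted; it must be `BIO_printf(io, "%s\r\n", s);`. The error path at L94–L99 is also malformed: the `if (ret != 1) {` block is never closed before `else`, so the TLS_SUPPORT build cannot compile; write `if (ret != 1) { strncpy(...); return NOTOK; }` followed by a plain `return OK;`. While there, prefer `snprintf(response, sizeof(response), "lost connection")` over strncpy so `response` is always NUL-terminated whatever its size. The enclosing function starts before this hunk.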
while (retbufsize == 0) {
+#ifdef TLS_SUPPORT
+ if (tls_active) {
+
cc = read(fileno(f), tmpbuf, sizeof(tmpbuf));
if (cc == 0)
BIO *ssl_bio;
if (! sslctx) {
- SSL_METHOD *method;
-
SSL_library_init();
SSL_load_error_strings();
- method = TLS_client_method();
+ sslctx = SSL_CTX_new(SSLv23_client_method());
- sslctx = SSL_CTX_new(method);
-
- if (! sslctx()) {
+ if (! sslctx) {
pop_done();
advise(NULL, "Unable to initialize OpenSSL context: %s",
ERR_error_string(ERR_get_error(), NULL));
return NOTOK;
}
+
+ SSL_CTX_set_options(sslctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
+ SSL_OP_NO_TLSv1);
}
ssl = SSL_new(sslctx);
if (sbior == NULL || sbiow == NULL) {
pop_done();
advise(NULL, "Unable to create BIO endpoints: %s",
- ERR_error_string(ERR_get_error(), NULL);
+ ERR_error_string(ERR_get_error(), NULL));
return NOTOK;
}
if (! io) {
pop_done();
advise(NULL, "Unable to create a buffer BIO: %s",
- ERR_error_string(ERR_get_error(), NULL);
+ ERR_error_string(ERR_get_error(), NULL));
return NOTOK;
}
if (! ssl_bio) {
pop_done();
advise(NULL, "Unable to create a SSL BIO: %s",
- ERR_error_string(ERR_get_error(), NULL);
+ ERR_error_string(ERR_get_error(), NULL));
return NOTOK;
}
if (BIO_do_handshake(io) < 1) {
pop_done();
advise(NULL, "Unable to negotiate SSL connection: %s",
- ERR_error_string(ERR_get_error(), NULL);
+ ERR_error_string(ERR_get_error(), NULL));
return NOTOK;
}
- if (popprint) {
+ if (poprint) {
const SSL_CIPHER *cipher = SSL_get_current_cipher(ssl);
printf("SSL negotiation successful: %s(%d) %s\n",
- SSL_CIPHER_get_name(cipher);
- SSL_CIPHER_get_bits(cipher, NULL);
- SSL_CIPHER_get_version(cipher);
+ SSL_CIPHER_get_name(cipher),
+ SSL_CIPHER_get_bits(cipher, NULL),
+ SSL_CIPHER_get_version(cipher));
}
tls_active = 1;
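Review bot: The context built at L118–L130 never enables certificate verification — there is no `SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, NULL)` and no `SSL_CTX_set_default_verify_paths(sslctx)` — and after `SSL_new` at L132 nothing binds the expected host name to the session (no SNI, no hostname check), so `BIO_do_handshake` at L154 succeeds against any certificate and an active attacker can terminate the TLS session and collect the POP credentials sent afterwards. Passive eavesdropping is stopped, active interception is not, and the "SSL negotiation successful" message at L164 should not be read as proof of the server's identity. The change below makes verification mandatory and ties it to the dialed host; `X509_VERIFY_PARAM_set1_host` needs OpenSSL 1.0.2 or later, and whether `host` is in scope in this function is not visible from the hunk. The function continues beyond this hunk.
```c
    if (! sslctx) {
        /* … unchanged: SSL_library_init, SSL_CTX_new and its error check … */
        SSL_CTX_set_options(sslctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
                            SSL_OP_NO_TLSv1);
        /* Without this any certificate is accepted: require a chain to a
         * trusted CA, using the system default trust store. */
        SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, NULL);
        if (SSL_CTX_set_default_verify_paths(sslctx) != 1) {
            pop_done();
            advise(NULL, "Unable to load trusted CA certificates: %s",
                   ERR_error_string(ERR_get_error(), NULL));
            return NOTOK;
        }
    }
    ssl = SSL_new(sslctx);
    /* Send SNI and require the presented certificate to match the host we
     * dialed (X509_VERIFY_PARAM_set1_host: OpenSSL >= 1.0.2). */
    SSL_set_tlsext_host_name(ssl, host);
    X509_VERIFY_PARAM_set1_host(SSL_get0_param(ssl), host, 0);
    /* … unchanged: BIO construction, handshake, cipher report … */
```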