From: Ken Hornstein Date: Fri, 9 Sep 2016 19:49:26 +0000 (-0400) Subject: Closer, but not there yet. X-Git-Url: https://diplodocus.org/git/nmh/commitdiff_plain/85538978753a0ef2178ea547586261312a033650?ds=inline;hp=-c Closer, but not there yet. --- 85538978753a0ef2178ea547586261312a033650 diff --git a/Makefile.am b/Makefile.am index cc0f477b..f618f24d 100644 --- a/Makefile.am +++ b/Makefile.am @@ -342,7 +342,8 @@ uip_forw_SOURCES = uip/forw.c uip/whatnowproc.c uip/whatnowsbr.c uip/sendsbr.c \ uip_forw_LDADD = $(LDADD) $(READLINELIB) $(TERMLIB) $(ICONVLIB) $(POSTLINK) uip_inc_SOURCES = uip/inc.c uip/scansbr.c uip/dropsbr.c uip/popsbr.c -uip_inc_LDADD = $(LDADD) $(TERMLIB) $(ICONVLIB) $(SASLLIB) $(CURLLIB) $(POSTLINK) +uip_inc_LDADD = $(LDADD) $(TERMLIB) $(ICONVLIB) $(SASLLIB) $(CURLLIB) \ + $(TLSLIB) $(POSTLINK) uip_install_mh_SOURCES = uip/install-mh.c uip_install_mh_LDADD = $(LDADD) $(POSTLINK) @@ -389,7 +390,7 @@ uip_mhstore_SOURCES = uip/mhstore.c uip/mhparse.c uip/mhcachesbr.c \ uip_mhstore_LDADD = $(LDADD) $(TERMLIB) $(ICONVLIB) $(POSTLINK) uip_msgchk_SOURCES = uip/msgchk.c uip/popsbr.c -uip_msgchk_LDADD = $(LDADD) $(SASLLIB) $(CURLLIB) $(POSTLINK) +uip_msgchk_LDADD = $(LDADD) $(SASLLIB) $(CURLLIB) $(TLSLIB) $(POSTLINK) uip_new_SOURCES = uip/new.c uip_new_LDADD = $(LDADD) $(POSTLINK) diff --git a/h/popsbr.h b/h/popsbr.h index 3fb4179d..c155fd12 100644 --- a/h/popsbr.h +++ b/h/popsbr.h @@ -3,7 +3,7 @@ * popsbr.h -- header for POP client subroutines */ -int pop_init (char *, char *, char *, char *, char *, int, int, char *, +int pop_init (char *, char *, char *, char *, char *, int, int, char *, int, const char *); int pop_fd (char *, int, char *, int); int pop_stat (int *, int *); diff --git a/uip/inc.c b/uip/inc.c index 78914533..61d7ea9b 100644 --- a/uip/inc.c +++ b/uip/inc.c 
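Review bot: The pop_init prototype in h/popsbr.h still carries no parameter names, and with five `char *` followed by `int, int, char *, int, const char *` a caller cannot check argument order by eye — which appears to be exactly what went wrong in the msgchk.c call later in this commit. Suggest `int pop_init (char *host, char *port, char *user, char *pass, char *proxy, int snoop, int sasl, char *mech, int tls, const char *oauth_svc);` so the header documents the slot each argument belongs in. A one-line comment above it saying what a non-zero tls requests (presumably TLS from connection start rather than a later upgrade — confirm against popsbr.c) would also help callers.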
@@ -49,6 +49,12 @@
 # define SASLminc(a) 0
 #endif
+#ifndef TLS_SUPPORT
+# define TLSminc(a) (a)
+#else
+# define TLSminc(a) 0
+#endif
+
 #define INC_SWITCHES \
 X("audit audit-file", 0, AUDSW) \
 X("noaudit", 0, NAUDSW) \
@@ -73,6 +79,8 @@
 X("sasl", SASLminc(5), SASLSW) \
 X("nosasl", SASLminc(3), NOSASLSW) \
 X("saslmech", SASLminc(5), SASLMECHSW) \
+ X("initialtls", TLSminc(-10), INITTLSSW) \
+ X("noinitialtls", TLSminc(-12), NOINITTLSSW) \
 X("authservice", SASLminc(0), AUTHSERVICESW) \
 X("proxy command", 0, PROXYSW) \
@@ -186,7 +194,7 @@ main (int argc, char **argv)
 int chgflag = 1, trnflag = 1;
 int noisy = 1, width = -1;
 int hghnum = 0, msgnum = 0;
- int sasl = 0;
+ int sasl = 0, tls = 0;
 int incerr = 0; /* <0 if inc hits an error which means it should not truncate mailspool */
 char *cp, *maildir = NULL, *folder = NULL;
 char *format = NULL, *form = NULL;
@@ -354,6 +362,14 @@ main (int argc, char **argv)
 adios (NULL, "missing argument to %s", argp[-2]);
 continue;
+ case INITTLSSW:
+ tls++;
+ continue;
+
+ case NOINITTLSSW:
+ tls = 0;
+ continue;
+
 case AUTHSERVICESW:
 #ifdef OAUTH_SUPPORT
 if (!(auth_svc = *argp++) || *auth_svc == '-')
@@ -421,7 +437,7 @@ main (int argc, char **argv)
 * initialize POP connection
 */
 if (pop_init (host, port, creds.user, creds.password, proxy, snoop,
- sasl, saslmech, auth_svc) == NOTOK)
+ sasl, saslmech, tls, auth_svc) == NOTOK)
 adios (NULL, "%s", response);
 /* Check if there are any messages */
diff --git a/uip/msgchk.c b/uip/msgchk.c
index e0eaeb8b..3c78217b 100644
--- a/uip/msgchk.c
+++ b/uip/msgchk.c
@@ -350,7 +350,7 @@ remotemail (char *host, char *port, char *user, char *proxy, int notifysw,
 /* open the POP connection */
 if (pop_init (host, port, creds.user, creds.password, proxy, snoop, sasl,
- saslmech, auth_svc) == NOTOK
+ 0, saslmech, auth_svc) == NOTOK
 || pop_stat (&nmsgs, &nbytes) == NOTOK /* check for messages */
 || pop_quit () == NOTOK) { /* quit POP connection */
 advise (NULL, "%s", response);
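Review bot: The new `-initialtls` / `-noinitialtls` switches added to INC_SWITCHES are not documented anywhere in this commit — the diff touches only Makefile.am, popsbr.h, inc.c, msgchk.c and popsbr.c, no man page or help text. A user has no way to learn what "initial" TLS means here (presumably TLS from the first byte rather than an in-band upgrade — confirm against popsbr.c) or how it combines with `-sasl`, given that pop_auth_sasl now drops the SASL security layer when TLS is active. A one-line entry next to the `-sasl` documentation for inc would do; since msgchk passes a constant 0 for tls, it would also be worth stating there that msgchk cannot yet use TLS.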
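Review bot: The argument order of the new pop_init call in remotemail (uip/msgchk.c) does not match the prototype this same commit writes into h/popsbr.h (`…, int snoop, int sasl, char *mech, int tls, const char *oauth_svc`): `sasl, 0, saslmech, auth_svc` passes 0 as `mech` and the `char *` saslmech as the `int tls`, which is a pointer-to-int conversion the compiler will reject or warn on, and at runtime would discard the requested SASL mechanism. It should read `0, saslmech` → `saslmech, 0`, i.e. `saslmech, 0, auth_svc) == NOTOK`, matching the inc.c call in the `@@ -421` hunk. remotemail begins and ends outside the hunk.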
diff --git a/uip/popsbr.c b/uip/popsbr.c
index 0e2f211f..b8e5a448 100644
--- a/uip/popsbr.c
+++ b/uip/popsbr.c
@@ -75,7 +75,6 @@ static int multiline(void);
 #ifdef CYRUS_SASL
 static int pop_auth_sasl(char *, char *, char *);
-static int sasl_fgetc(FILE *);
 #endif /* CYRUS_SASL */
 #ifdef TLS_SUPPORT
@@ -93,6 +92,7 @@ static int tls_active = 0;
 static int traverse (int (*)(char *), const char *, ...);
 static int vcommand(const char *, va_list);
 static int sasl_getline (char *, int, FILE *);
+static int sasl_fgetc(FILE *);
 static int putline (char *, FILE *);
@@ -218,7 +218,7 @@ pop_auth_sasl(char *user, char *host, char *mech)
 memset(&secprops, 0, sizeof(secprops));
 secprops.maxbufsize = SASL_BUFFER_SIZE;
- secprops.max_ssf = UINT_MAX;
+ secprops.max_ssf = tls_active ? 0 : UINT_MAX;
 result = sasl_setprop(conn, SASL_SEC_PROPS, &secprops);
@@ -522,7 +522,7 @@ parse_proxy(char *proxy, char *host)
 int
 pop_init (char *host, char *port, char *user, char *pass, char *proxy,
- int snoop, int sasl, int tls, char *mech, const char *oauth_svc)
+ int snoop, int sasl, char *mech, int tls, const char *oauth_svc)
 {
 int fd1, fd2;
 char buffer[BUFSIZ];
@@ -873,8 +873,12 @@ vcommand (const char *fmt, va_list ap)
 if (poprint) {
 #ifdef CYRUS_SASL
 if (sasl_ssf)
- fprintf(stderr, "(encrypted) ");
+ fprintf(stderr, "(sasl-encrypted) ");
 #endif /* CYRUS_SASL */
+#ifdef TLS_SUPPORT
+ if (tls_active)
+ fprintf(stderr, "(tls-encrypted) ");
+#endif /* TLS_SUPPORT */
 if (pophack) {
 if ((cp = strchr (buffer, ' ')))
 *cp = 0;
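Review bot: `secprops.max_ssf = tls_active ? 0 : UINT_MAX;` in pop_auth_sasl uses tls_active from code compiled under `#ifdef CYRUS_SASL`, while tls_active appears to be declared only under `#ifdef TLS_SUPPORT` (the `@@ -75` hunk shows that block starting right after the CYRUS_SASL prototypes, and vcommand and putline guard every other use of it with `#ifdef TLS_SUPPORT`), so a build with SASL but without TLS would fail on an undeclared identifier. Either wrap this line the same way or make tls_active unconditionally visible (e.g. `#define tls_active 0` in an `#else` of the TLS_SUPPORT block). The intent deserves a comment, since max_ssf 0 forbids a SASL security layer: `/* inside TLS already: don't negotiate a SASL security layer on top */`. pop_auth_sasl begins and ends outside the hunk.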
@@ -983,8 +987,23 @@ putline (char *s, FILE *iop)
 int result;
 unsigned int buflen;
- if (!sasl_complete) {
+ if (sasl_complete == 0 || sasl_ssf == 0) {
 #endif /* CYRUS_SASL */
+#ifdef TLS_SUPPORT
+ if (tls_active) {
+ int ret;
+
+ BIO_printf(io, "%s\r\n");
+ ret = BIO_flush(io);
+
+ if (ret != 1) {
+ strncpy(response, "lost connection", sizeof(response));
+ return NOTOK;
+ else {
+ return OK;
+ }
+ } else
+#endif /* TLS_SUPPORT */
 fprintf (iop, "%s\r\n", s);
 #ifdef CYRUS_SASL
 } else {
@@ -1050,6 +1069,9 @@ sasl_fgetc(FILE *f)
 while (retbufsize == 0) {
+#ifdef TLS_SUPPORT
+ if (tls_active) {
+ cc = read(fileno(f), tmpbuf, sizeof(tmpbuf));
 if (cc == 0)
@@ -1108,21 +1130,20 @@ tls_negotiate(void)
 BIO *ssl_bio;
 if (! sslctx) {
- SSL_METHOD *method;
-
 SSL_library_init();
 SSL_load_error_strings();
- method = TLS_client_method();
+ sslctx = SSL_CTX_new(SSLv23_client_method());
- sslctx = SSL_CTX_new(method);
-
- if (! sslctx()) {
+ if (! sslctx) {
 pop_done();
 advise(NULL, "Unable to initialize OpenSSL context: %s",
 ERR_error_string(ERR_get_error(), NULL));
 return NOTOK;
 }
+
+ SSL_CTX_set_options(sslctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
+ SSL_OP_NO_TLSv1);
 }
 ssl = SSL_new(sslctx);
@@ -1140,7 +1161,7 @@ tls_negotiate(void)
 if (sbior == NULL || sbiow == NULL) {
 pop_done();
 advise(NULL, "Unable to create BIO endpoints: %s",
- ERR_error_string(ERR_get_error(), NULL);
+ ERR_error_string(ERR_get_error(), NULL));
 return NOTOK;
 }
@@ -1156,7 +1177,7 @@ tls_negotiate(void)
 if (! io) {
 pop_done();
 advise(NULL, "Unable to create a buffer BIO: %s",
- ERR_error_string(ERR_get_error(), NULL);
+ ERR_error_string(ERR_get_error(), NULL));
 return NOTOK;
 }
@@ -1165,7 +1186,7 @@ tls_negotiate(void)
 if (! ssl_bio) {
 pop_done();
 advise(NULL, "Unable to create a SSL BIO: %s",
- ERR_error_string(ERR_get_error(), NULL);
+ ERR_error_string(ERR_get_error(), NULL));
 return NOTOK;
 }
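Review bot: The TLS branch added to putline has two defects: `BIO_printf(io, "%s\r\n");` supplies no argument for `%s`, so the format reads a vararg that was never passed (undefined behaviour; `-Wformat` reports it), and `return NOTOK; else {` is missing the `}` that closes the `if (ret != 1)` block, so the file cannot compile with TLS_SUPPORT defined. The two lines should read `BIO_printf(io, "%s\r\n", s);` and `return NOTOK; } else {` (or simply `return OK;` after the if, dropping the else). The return value of BIO_printf is also ignored, so a short write before the flush goes unnoticed. putline begins and ends outside the hunk.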
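Review bot: The new `if (tls_active) {` in sasl_fgetc opens a block around the existing `read(fileno(f), …)`, but nothing in the hunk reads through the SSL BIO that putline now writes to (`io`), so under TLS this loop would take bytes straight off the descriptor — i.e. ciphertext — or, if the block is left unterminated as shown, not compile at all. The TLS case needs `cc = BIO_read(io, tmpbuf, sizeof(tmpbuf));` with the plain `read` kept for the non-TLS path, plus the closing `}` and `#endif`. The hunk header counts three added lines while only two are recognisable here, so part of this change may have been lost in the listing. sasl_fgetc begins and ends outside the hunk.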
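Review bot: Switching to `SSLv23_client_method()` (presumably for OpenSSL 1.0.x, which lacks `TLS_client_method`) with `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1` still leaves TLS 1.1 negotiable; adding `SSL_OP_NO_TLSv1_1` to the mask (or `SSL_CTX_set_min_proto_version` where available) would pin the floor at 1.2. Nothing in this or the following tls_negotiate hunks calls `SSL_CTX_set_verify`, loads a trust store (`SSL_CTX_set_default_verify_paths`) or checks the peer's name, so unless that happens elsewhere in the function the session is encrypted but the server is never authenticated; if that is deliberate for now, say so at the context setup, e.g. `/* TODO: peer certificate verification is not yet enabled */`. tls_negotiate begins and ends outside the hunk.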
@@ -1179,16 +1200,16 @@ tls_negotiate(void)
 if (BIO_do_handshake(io) < 1) {
 pop_done();
 advise(NULL, "Unable to negotiate SSL connection: %s",
- ERR_error_string(ERR_get_error(), NULL);
+ ERR_error_string(ERR_get_error(), NULL));
 return NOTOK;
 }
- if (popprint) {
+ if (poprint) {
 const SSL_CIPHER *cipher = SSL_get_current_cipher(ssl);
 printf("SSL negotiation successful: %s(%d) %s\n",
- SSL_CIPHER_get_name(cipher);
- SSL_CIPHER_get_bits(cipher, NULL);
- SSL_CIPHER_get_version(cipher);
+ SSL_CIPHER_get_name(cipher),
+ SSL_CIPHER_get_bits(cipher, NULL),
+ SSL_CIPHER_get_version(cipher));
 }
 tls_active = 1;
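Review bot: The `poprint` diagnostic in tls_negotiate goes to stdout via `printf`, whereas the same flag's traces in vcommand (the `@@ -873` hunk) go to stderr via `fprintf(stderr, …)`, so the cipher line ends up mixed into inc's normal output instead of alongside the other debug lines. Suggest `fprintf(stderr, "SSL negotiation successful: %s(%d) %s\n",` with the three `SSL_CIPHER_*` arguments unchanged. tls_negotiate begins outside the hunk and its tail past `tls_active = 1;` is not shown.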