authorSergey Poznyakoff <gray@gnu.org>2016-10-12 09:15:47 +0300
committerSergey Poznyakoff <gray@gnu.org>2016-10-12 09:15:47 +0300
commitd56b82437f909ff323d9cd87f2ed9f04322f9966 (patch)
tree3eef864bdfbb95f5eec9e21dfd7f500c90eefb3c /libmu_auth
parent260b113a1e75989b4e460712f16af10d93fe19e8 (diff)
Convert to mu_cli: frm, from, messages, mimeview, movemail, readmsg, sieve
* configure.ac (MU_APP_NEW_LIBRARIES): New temp variable. * include/mailutils/sieve.h (mu_cli_capa_sieve): New extern. * include/mailutils/tls.h (mu_cli_capa_tls): New extern. * libmailutils/cli/cli.c: Minor change. * libmailutils/cli/stdcapa.c: Add "auth" capability. * libmu_auth/tls.c: provide mu_cli_capa_tls * dotlock/Makefile.am: Link with MU_APP_NEW_LIBRARIES * dotlock/dotlock.c * frm/Makefile.am: Link with MU_APP_NEW_LIBRARIES * frm/frm.h: Fix includes. * frm/frm.c: Use mu_cli for option & config parsing. * frm/from.c: Likewise. * messages/Makefile.am: Link with MU_APP_NEW_LIBRARIES * messages/messages.c: Use mu_cli for option & config parsing. * mimeview/Makefile.am: Link with MU_APP_NEW_LIBRARIES * mimeview/mimeview.c: Use mu_cli for option & config parsing. * movemail/Makefile.am: Link with MU_APP_NEW_LIBRARIES * movemail/movemail.c: Use mu_cli for option & config parsing. * readmsg/Makefile.am: Link with MU_APP_NEW_LIBRARIES * readmsg/readmsg.c: Use mu_cli for option & config parsing. * sieve/Makefile.am: Link with MU_APP_NEW_LIBRARIES * sieve/sieve.c: Use mu_cli for option & config parsing.
Diffstat (limited to 'libmu_auth')
-rw-r--r--libmu_auth/tls.c111
1 files changed, 108 insertions, 3 deletions
diff --git a/libmu_auth/tls.c b/libmu_auth/tls.c
index 331370ce1..89e3b528b 100644
--- a/libmu_auth/tls.c
+++ b/libmu_auth/tls.c
@@ -35,15 +35,36 @@
#include <mailutils/errno.h>
#include <mailutils/util.h>
#include <mailutils/property.h>
+#include <mailutils/cli.h>
+
+#define SSL_CERT_FILE_CHECKS (MU_FILE_SAFETY_GROUP_WRITABLE | \
+ MU_FILE_SAFETY_GROUP_WRITABLE | \
+ MU_FILE_SAFETY_LINKED_WRDIR)
+
+#define SSL_KEY_FILE_CHECKS (MU_FILE_SAFETY_ALL & \
+ ~MU_FILE_SAFETY_OWNER_MISMATCH)
+
+#define SSL_CA_FILE_CHECKS (MU_FILE_SAFETY_GROUP_WRITABLE | \
+ MU_FILE_SAFETY_GROUP_WRITABLE | \
+ MU_FILE_SAFETY_LINKED_WRDIR)
struct mu_tls_module_config mu_tls_module_config = {
#ifdef WITH_TLS
- 1 /* enable by default */
+ 1, /* enable by default */
+
+ NULL, /* Certificate file */
+ SSL_CERT_FILE_CHECKS,
+
+ NULL, /* Key file */
+ SSL_KEY_FILE_CHECKS, /* Stringent safety checks for keys */
+
+ NULL, /* CA file */
+ SSL_CA_FILE_CHECKS
#else
0
#endif
};
-
+//FIXME: REMOVE
int
mu_tls_module_init (enum mu_gocs_op op, void *data)
{
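Review bot: Both `SSL_CERT_FILE_CHECKS` and `SSL_CA_FILE_CHECKS` OR `MU_FILE_SAFETY_GROUP_WRITABLE` into the mask twice, so as written the default check set never rejects a world-writable certificate or CA file, which is the weaker of the two conditions and the one most worth catching. The repeated term looks like a copy-paste slip for the world-writable check (the `awrfil` keyword described in the help text later in this file), presumably `MU_FILE_SAFETY_WORLD_WRITABLE` — confirm the name against mailutils/util.h and replace the second line of each macro with it. The `//FIXME: REMOVE` left above `mu_tls_module_init` on the new side should either be acted on in this commit or say what still depends on the old init path, since a bare FIXME on an exported function tends to outlive the migration it refers to. `mu_tls_module_init`'s body continues outside the hunk.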
@@ -774,8 +795,92 @@ mu_tls_client_stream_create (mu_stream_t *pstream,
_tls_client_open,
strin, strout, flags);
}
+
+static int
+cb2_safety_checks (const char *name, void *data)
+{
+ int defval;
+
+ if (data == &mu_tls_module_config.ssl_key_safety_checks)
+ defval = SSL_KEY_FILE_CHECKS;
+ else if (data == &mu_tls_module_config.ssl_cert_safety_checks)
+ defval = SSL_CERT_FILE_CHECKS;
+ else if (data == &mu_tls_module_config.ssl_cafile_safety_checks)
+ defval = SSL_CA_FILE_CHECKS;
+ else
+ {
+ mu_error (_("INTERNAL ERROR at %s:%d: unknown default value?"),
+ __FILE__, __LINE__);
+ defval = MU_FILE_SAFETY_ALL;
+ }
+ if (mu_file_safety_compose (data, name, defval))
+ mu_error (_("unknown keyword: %s"), name);
+ return 0;
+}
-
+static int
+cb_safety_checks (void *data, mu_config_value_t *arg)
+{
+ return mu_cfg_string_value_cb (arg, cb2_safety_checks, data);
+}
+
+static struct mu_cfg_param mu_tls_param[] = {
+ { "enable", mu_c_bool, &mu_tls_module_config.enable, 0, NULL,
+ N_("Enable TLS encryption.") },
+ { "ssl-cert", mu_c_string, &mu_tls_module_config.ssl_cert, 0, NULL,
+ N_("Specify SSL certificate file."),
+ N_("file") },
+ { "ssl-key", mu_c_string, &mu_tls_module_config.ssl_key, 0, NULL,
+ N_("Specify SSL certificate key file."),
+ N_("file") },
+ { "ssl-cafile", mu_c_string, &mu_tls_module_config.ssl_cafile, 0, NULL,
+ N_("Specify trusted CAs file."),
+ N_("file") },
+ { "ssl-priorities", mu_c_string, &mu_tls_module_config.priorities, 0, NULL,
+ N_("Set the priorities to use on the ciphers, key exchange methods, "
+ "macs and compression methods."),
+ NULL },
+ { "key-file-safety-checks", mu_cfg_callback,
+ &mu_tls_module_config.ssl_key_safety_checks, 0,
+ cb_safety_checks,
+ N_("Configure safety checks for SSL key file. Argument is a list or "
+ "sequence of check names optionally prefixed with '+' to enable or "
+ "'-' to disable the corresponding check. Valid check names are:\n"
+ "\n"
+ " none disable all checks\n"
+ " all enable all checks\n"
+ " gwrfil forbid group writable files\n"
+ " awrfil forbid world writable files\n"
+ " grdfil forbid group readable files\n"
+ " ardfil forbid world writable files\n"
+ " linkwrdir forbid symbolic links in group or world writable directories\n"
+ " gwrdir forbid files in group writable directories\n"
+ " awrdir forbid files in world writable directories\n"),
+ N_("arg: list") },
+ { "cert-file-safety-checks", mu_cfg_callback,
+ &mu_tls_module_config.ssl_cert_safety_checks, 0,
+ cb_safety_checks,
+ N_("Configure safety checks for SSL certificate. See above for a description of <arg>."),
+ N_("arg: list") },
+ { "ca-file-safety-checks", mu_cfg_callback,
+ &mu_tls_module_config.ssl_cafile_safety_checks, 0,
+ cb_safety_checks,
+ N_("Configure safety checks for SSL certificate authority file. See above for a description of <arg>."),
+ N_("arg: list") },
+ { NULL }
+};
+
+struct mu_cli_capa mu_cli_capa_tls = {
+ "tls",
+ NULL,
+ mu_tls_param,
+ NULL, NULL
+};
+#else
+struct mu_cli_capa mu_cli_capa_tls = {
+ "tls",
+ NULL
+};
#endif /* WITH_TLS */
/* EOF */
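Review bot: `cb2_safety_checks` reports an unrecognised check name with `mu_error` but then returns 0, so a misspelled entry in `key-file-safety-checks` (or the cert/CA variants) is logged and otherwise accepted, leaving the safety mask partially composed while the configuration loads as if it were valid; for a setting that gates how a private key file is trusted, the safer behaviour is to reject the statement, e.g. `if (mu_file_safety_compose (data, name, defval)) { mu_error (_("unknown keyword: %s"), name); return 1; }`, assuming the callback's non-zero return propagates through `mu_cfg_string_value_cb` to the loader as it appears to. The help text for `key-file-safety-checks` also describes `ardfil` as "forbid world writable files", which duplicates `awrfil`; it should read `" ardfil forbid world readable files\n"`. The `#else` and `#endif /* WITH_TLS */` at the end of the hunk pair with an `#ifdef WITH_TLS` outside it, so the non-TLS `mu_cli_capa_tls` definition depends on context not shown here.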
