author | Sergey Poznyakoff <gray@gnu.org> | 2016-10-12 09:15:47 +0300 |
committer | Sergey Poznyakoff <gray@gnu.org> | 2016-10-12 09:15:47 +0300 |
commit | d56b82437f909ff323d9cd87f2ed9f04322f9966 (patch) | |
tree | 3eef864bdfbb95f5eec9e21dfd7f500c90eefb3c /libmu_auth | |
parent | 260b113a1e75989b4e460712f16af10d93fe19e8 (diff) | |
Convert to mu_cli: frm, from, messages, mimeview, movemail, readmsg, sieve
* configure.ac (MU_APP_NEW_LIBRARIES): New temp variable.
* include/mailutils/sieve.h (mu_cli_capa_sieve): New extern.
* include/mailutils/tls.h (mu_cli_capa_tls): New extern.
* libmailutils/cli/cli.c: Minor change.
* libmailutils/cli/stdcapa.c: Add "auth" capability.
* libmu_auth/tls.c: provide mu_cli_capa_tls
* dotlock/Makefile.am: Link with MU_APP_NEW_LIBRARIES
* dotlock/dotlock.c
* frm/Makefile.am: Link with MU_APP_NEW_LIBRARIES
* frm/frm.h: Fix includes.
* frm/frm.c: Use mu_cli for option & config parsing.
* frm/from.c: Likewise.
* messages/Makefile.am: Link with MU_APP_NEW_LIBRARIES
* messages/messages.c: Use mu_cli for option & config parsing.
* mimeview/Makefile.am: Link with MU_APP_NEW_LIBRARIES
* mimeview/mimeview.c: Use mu_cli for option & config parsing.
* movemail/Makefile.am: Link with MU_APP_NEW_LIBRARIES
* movemail/movemail.c: Use mu_cli for option & config parsing.
* readmsg/Makefile.am: Link with MU_APP_NEW_LIBRARIES
* readmsg/readmsg.c: Use mu_cli for option & config parsing.
* sieve/Makefile.am: Link with MU_APP_NEW_LIBRARIES
* sieve/sieve.c: Use mu_cli for option & config parsing.
Diffstat (limited to 'libmu_auth')
-rw-r--r-- | libmu_auth/tls.c | 111 |
1 files changed, 108 insertions, 3 deletions
diff --git a/libmu_auth/tls.c b/libmu_auth/tls.c
index 331370ce1..89e3b528b 100644
--- a/libmu_auth/tls.c
+++ b/libmu_auth/tls.c
@@ -35,15 +35,36 @@
 #include <mailutils/errno.h>
 #include <mailutils/util.h>
 #include <mailutils/property.h>
+#include <mailutils/cli.h>
+
+#define SSL_CERT_FILE_CHECKS (MU_FILE_SAFETY_GROUP_WRITABLE | \
+ MU_FILE_SAFETY_GROUP_WRITABLE | \
+ MU_FILE_SAFETY_LINKED_WRDIR)
+
+#define SSL_KEY_FILE_CHECKS (MU_FILE_SAFETY_ALL & \
+ ~MU_FILE_SAFETY_OWNER_MISMATCH)
+
+#define SSL_CA_FILE_CHECKS (MU_FILE_SAFETY_GROUP_WRITABLE | \
+ MU_FILE_SAFETY_GROUP_WRITABLE | \
+ MU_FILE_SAFETY_LINKED_WRDIR)
 
 struct mu_tls_module_config mu_tls_module_config = {
 #ifdef WITH_TLS
- 1 /* enable by default */
+ 1, /* enable by default */
+
+ NULL, /* Certificate file */
+ SSL_CERT_FILE_CHECKS,
+
+ NULL, /* Key file */
+ SSL_KEY_FILE_CHECKS, /* Stringent safety checks for keys */
+
+ NULL, /* CA file */
+ SSL_CA_FILE_CHECKS
 #else
 0
 #endif
 };
-
+//FIXME: REMOVE
 int
 mu_tls_module_init (enum mu_gocs_op op, void *data)
 {
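Review bot: SSL_CERT_FILE_CHECKS and SSL_CA_FILE_CHECKS OR in MU_FILE_SAFETY_GROUP_WRITABLE twice, so the default mask for the certificate and CA files contains no world-writable check at all, even though the help text added in the second hunk advertises `awrfil forbid world writable files` as a separate check. The second occurrence in each macro was presumably meant to be `MU_FILE_SAFETY_WORLD_WRITABLE`; as written, a world-writable certificate or CA file passes the default safety checks unless the administrator overrides them. A short comment above the three macros stating which properties each default deliberately tolerates (e.g. why the key file exempts MU_FILE_SAFETY_OWNER_MISMATCH) would make the policy reviewable. The `//FIXME: REMOVE` line left above mu_tls_module_init looks like debugging residue; mu_tls_module_init's body continues outside the hunk.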
@@ -774,8 +795,92 @@ mu_tls_client_stream_create (mu_stream_t *pstream,
 _tls_client_open, strin, strout, flags);
 }
+
+static int
+cb2_safety_checks (const char *name, void *data)
+{
+ int defval;
+
+ if (data == &mu_tls_module_config.ssl_key_safety_checks)
+ defval = SSL_KEY_FILE_CHECKS;
+ else if (data == &mu_tls_module_config.ssl_cert_safety_checks)
+ defval = SSL_CERT_FILE_CHECKS;
+ else if (data == &mu_tls_module_config.ssl_cafile_safety_checks)
+ defval = SSL_CA_FILE_CHECKS;
+ else
+ {
+ mu_error (_("INTERNAL ERROR at %s:%d: unknown default value?"),
+ __FILE__, __LINE__);
+ defval = MU_FILE_SAFETY_ALL;
+ }
+ if (mu_file_safety_compose (data, name, defval))
+ mu_error (_("unknown keyword: %s"), name);
+ return 0;
+}
-
+static int
+cb_safety_checks (void *data, mu_config_value_t *arg)
+{
+ return mu_cfg_string_value_cb (arg, cb2_safety_checks, data);
+}
+
+static struct mu_cfg_param mu_tls_param[] = {
+ { "enable", mu_c_bool, &mu_tls_module_config.enable, 0, NULL,
+ N_("Enable TLS encryption.") },
+ { "ssl-cert", mu_c_string, &mu_tls_module_config.ssl_cert, 0, NULL,
+ N_("Specify SSL certificate file."),
+ N_("file") },
+ { "ssl-key", mu_c_string, &mu_tls_module_config.ssl_key, 0, NULL,
+ N_("Specify SSL certificate key file."),
+ N_("file") },
+ { "ssl-cafile", mu_c_string, &mu_tls_module_config.ssl_cafile, 0, NULL,
+ N_("Specify trusted CAs file."),
+ N_("file") },
+ { "ssl-priorities", mu_c_string, &mu_tls_module_config.priorities, 0, NULL,
+ N_("Set the priorities to use on the ciphers, key exchange methods, "
+ "macs and compression methods."),
+ NULL },
+ { "key-file-safety-checks", mu_cfg_callback,
+ &mu_tls_module_config.ssl_key_safety_checks, 0,
+ cb_safety_checks,
+ N_("Configure safety checks for SSL key file. Argument is a list or "
+ "sequence of check names optionally prefixed with '+' to enable or "
+ "'-' to disable the corresponding check. Valid check names are:\n"
+ "\n"
+ " none disable all checks\n"
+ " all enable all checks\n"
+ " gwrfil forbid group writable files\n"
+ " awrfil forbid world writable files\n"
+ " grdfil forbid group readable files\n"
+ " ardfil forbid world writable files\n"
+ " linkwrdir forbid symbolic links in group or world writable directories\n"
+ " gwrdir forbid files in group writable directories\n"
+ " awrdir forbid files in world writable directories\n"),
+ N_("arg: list") },
+ { "cert-file-safety-checks", mu_cfg_callback,
+ &mu_tls_module_config.ssl_cert_safety_checks, 0,
+ cb_safety_checks,
+ N_("Configure safety checks for SSL certificate. See above for a description of <arg>."),
+ N_("arg: list") },
+ { "ca-file-safety-checks", mu_cfg_callback,
+ &mu_tls_module_config.ssl_cafile_safety_checks, 0,
+ cb_safety_checks,
+ N_("Configure safety checks for SSL certificate authority file. See above for a description of <arg>."),
+ N_("arg: list") },
+ { NULL }
+};
+
+struct mu_cli_capa mu_cli_capa_tls = {
+ "tls",
+ NULL,
+ mu_tls_param,
+ NULL, NULL
+};
+#else
+struct mu_cli_capa mu_cli_capa_tls = {
+ "tls",
+ NULL
+};
 #endif /* WITH_TLS */
 /* EOF */
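Review bot: In the key-file-safety-checks help text the `ardfil` line says `forbid world writable files`, which duplicates the `awrfil` entry one line above it; following the `grdfil` = group readable pattern it should read `" ardfil forbid world readable files\n"`, otherwise an administrator reading the built-in help cannot tell the two checks apart. Separately, cb2_safety_checks logs `unknown keyword: %s` but then returns 0, so a misspelt check name in any of the three safety-checks settings is reported yet configuration loading proceeds with whatever mask mu_file_safety_compose left in `data`; if the intent is to reject a malformed hardening setting rather than log and continue, returning non-zero there (assuming mu_cfg_string_value_cb propagates the callback's result — to confirm) would make that explicit. Either way, a one-line comment on cb2_safety_checks stating the chosen policy for unknown keywords would help the next reader.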