imapfilter/imapfilter/file.c

#include <stdio.h>
#include <unistd.h>
#include <errno.h>
#include <sys/types.h>
#include <regex.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>
#include <limits.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <time.h>

#include "config.h"
#include "imapfilter.h"
#include "data.h"

#ifdef SSL_TLS
#include <openssl/ssl.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#endif


extern char logfile[PATH_MAX];
extern unsigned int options;
extern char charset[CHARSET_LEN];
extern unsigned int flags;
extern unsigned int interval;
extern long timeout;
extern char *home;

#ifdef ENCRYPTED_PASSWORDS
char *passphr = NULL;           /* Master password to access the passwords
                                 * file. */

#endif


/*
 * Find the path to configuration file, open it and call parse_config().
 */
int
read_config(char *cfg)
{
        int r;
        FILE *fd;
        char *c;

        c = NULL;

        if (cfg == NULL) {
                cfg = c = (char *)xmalloc(PATH_MAX * sizeof(char));
                snprintf(cfg, PATH_MAX, "%s/%s", home, ".imapfilterrc");
        }
#ifdef DEBUG
        fprintf(stderr, "debug: configuration file: '%s'\n", cfg);
#endif
#ifdef CHECK_PERMISSIONS
        check_file_perms(cfg, S_IRUSR | S_IWUSR);
#endif
        fd = fopen(cfg, "r");
        if (fd == NULL)
                fatal(ERROR_FILE_OPEN, "opening config file %s; %s\n", cfg,
                    strerror(errno));

        if (c != NULL)
                xfree(c);

        if ((r = parse_config(fd)))
                fatal(ERROR_CONFIG_PARSE,
                    "parse error in config file at row %d\n", r);

        fclose(fd);

#ifdef DEBUG
        fprintf(stderr, "debug: options: %0#10x '%s'\n", options, charset);
#endif

        return 0;
}


/*
 * Parse configuration file.
 */
int
parse_config(FILE * fd)
{
        int i, r;
        unsigned int row;
        char line[LINE_MAX];
        regex_t creg[13];
        regmatch_t match[11];
        const char *reg[13] = {
                "^([[:blank:]]*\n|#.*\n)$",

                "^[[:blank:]]*ACCOUNT[[:blank:]]+([[:alnum:]_-]+)[[:blank:]]+"
                "(([[:graph:]]+):([[:graph:]]*)|([[:graph:]]+))@"
                "([[:alnum:].-]+)(:[[:digit:]]+)?[[:blank:]]*"
                "([[:blank:]]SSL|[[:blank:]]SSL2|[[:blank:]]SSL3|"
                "[[:blank:]]TLS1)?[[:blank:]]*\n$",

                "^[[:blank:]]*FOLDER[[:blank:]]+([[:alnum:]_-]+)[[:blank:]]+"
                "([[:print:]]+)[[:blank:]]*\n$",

                "^[[:blank:]]*FILTER[[:blank:]]+([[:alnum:]_-]+)[[:blank:]]*"
                "([[:blank:]]OR|[[:blank:]]AND)?[[:blank:]]*\n$",

                "^[[:blank:]]*ACTION[[:blank:]]+(DELETE|"
                "COPY[[:blank:]]+(\"[[:print:]]*\"|[[:graph:]]+)|"
                "MOVE[[:blank:]]+(\"[[:print:]]*\"|[[:graph:]]+)|"
                "RCOPY[[:blank:]]+([[:alnum:]_-]+)[[:blank:]]+"
                "(\"[[:print:]]*\"|[[:graph:]]+)|"
                "RMOVE[[:blank:]]+([[:alnum:]_-]+)[[:blank:]]+"
                "(\"[[:print:]]*\"|[[:graph:]]+)|"
                "FLAG[[:blank:]]+(REPLACE|ADD|REMOVE)[[:blank:]]+"
                "([[:alpha:],]+)|"
                "LIST)[[:blank:]]*([[:graph:]]*)[[:blank:]]*\n$",

                "^[[:blank:]]*(MASK[[:blank:]])?[[:blank:]]*(OR[[:blank:]]|"
                "AND[[:blank:]])?[[:blank:]]*(NOT[[:blank:]])?[[:blank:]]*"
                "(ANSWERED|DELETED|DRAFT|FLAGGED|NEW|OLD|RECENT|SEEN|"
                "UNANSWERED|UNDELETED|UNDRAFT|UNFLAGGED|UNSEEN)[[:blank:]]*\n$",

                "^[[:blank:]]*(MASK[[:blank:]])?[[:blank:]]*(OR[[:blank:]]|"
                "AND[[:blank:]])?[[:blank:]]*(NOT[[:blank:]])?[[:blank:]]*"
                "(BCC|BODY|CC|FROM|SUBJECT|TEXT|TO)[[:blank:]]+"
                "(\"[[:print:]]*\"|[[:graph:]]+)[[:blank:]]*\n$",

                "^[[:blank:]]*(MASK[[:blank:]])?[[:blank:]]*(OR[[:blank:]]|"
                "AND[[:blank:]])?[[:blank:]]*(NOT[[:blank:]])?[[:blank:]]*"
                "(HEADER)[[:blank:]]+(\"[[:print:]]*\"|[[:graph:]]+)"
                "[[:blank:]]+(\"[[:print:]]*\"|[[:graph:]]+)[[:blank:]]*\n$",

                "^[[:blank:]]*(MASK[[:blank:]])?[[:blank:]]*(OR[[:blank:]]|"
                "AND[[:blank:]])?[[:blank:]]*(NOT[[:blank:]])?[[:blank:]]*"
                "(LARGER|SMALLER|OLDER|NEWER)[[:blank:]]+([[:digit:]]+)"
                "[[:blank:]]*\n$",

                "^[[:blank:]]*JOB[[:blank:]]+([[:alnum:],_-]+)[[:blank:]]+"
                "([[:alnum:],_-]+)[[:blank:]]*\n$",

                "^[[:blank:]]*(SET[[:blank:]])?[[:blank:]]*(LOGFILE|CHARSET)"
                "[[:blank:]]*=[[:blank:]]*(\"[[:print:]]*\"|[[:graph:]]+)"
                "[[:blank:]]*\n$",

                "^[[:blank:]]*(SET[[:blank:]])?[[:blank:]]*(ERRORS|EXPUNGE|"
                "HEADERS|NAMESPACE|SUBSCRIBE)[[:blank:]]*=[[:blank:]]*"
                "(YES|NO)[[:blank:]]*\n$",

                "^[[:blank:]]*(SET[[:blank:]])?[[:blank:]]*(DAEMON|TIMEOUT)"
                "[[:blank:]]*=[[:blank:]]*([[:digit:]]+)\n$"
        };

        r = row = 0;

        for (i = 0; i < 13; i++)
                regcomp(&creg[i], reg[i], REG_EXTENDED | REG_ICASE);

        /* First process all the variables.  This is done because some
         * variables' arguments are used before the other commands are
         * processed. */
        while (fgets(line, LINE_MAX - 1, fd))
                if (!regexec(&creg[10], line, 4, match, 0) ||
                    !regexec(&creg[11], line, 4, match, 0) ||
                    !regexec(&creg[12], line, 4, match, 0))
                        set_options(line, match);

        /* Then rewind and process everything else. */
        fseek(fd, 0L, SEEK_SET);
        while (fgets(line, LINE_MAX - 1, fd)) {
                row++;
                if (!regexec(&creg[0], line, 0, match, 0))
                        continue;
                else if (!regexec(&creg[1], line, 9, match, 0))
                        set_account(line, match);
                else if (!regexec(&creg[2], line, 3, match, 0))
                        r = set_mboxgrp(line, match);
                else if (!regexec(&creg[3], line, 3, match, 0))
                        r = set_filter(line, match);
                else if (!regexec(&creg[4], line, 11, match, 0))
                        r = set_action(line, match);
                else if (!regexec(&creg[5], line, 5, match, 0))
                        r = set_mask(line, match, MASK_MATCH_1);
                else if (!regexec(&creg[6], line, 6, match, 0))
                        r = set_mask(line, match, MASK_MATCH_2);
                else if (!regexec(&creg[7], line, 7, match, 0))
                        r = set_mask(line, match, MASK_MATCH_3);
                else if (!regexec(&creg[8], line, 6, match, 0))
                        r = set_mask(line, match, MASK_MATCH_4);
                else if (!regexec(&creg[9], line, 3, match, 0))
                        r = set_job(line, match);
                /* Skip variable processing. */
                else if (!regexec(&creg[10], line, 4, match, 0) ||
                            !regexec(&creg[11], line, 4, match, 0) ||
                    !regexec(&creg[12], line, 4, match, 0));
                else
                        return row;

                if (r == ERROR_CONFIG_PARSE)
                        return row;
        }

        for (i = 0; i < 13; i++)
                regfree(&creg[i]);

        destroy_unneeded();

        return 0;
}


/*
 * Signal SIGHUP received, destroy all data structures and reread the
 * configuration file.
 */
void
reread_config(char *cfg)
{
        destroy_all();
        read_config(cfg);
        read_passwords();

        flags &= ~(FLAG_SIGHUP_RECEIVED);
}


/*
 * Set other options found in config file.
 */
void
set_options(char *line, regmatch_t * m)
{
        if (!strncasecmp(line + m[2].rm_so, "logfile", 7)) {
                if (*logfile == '\0') {
                        if (*(line + m[3].rm_so) == '"' &&
                            *(line + m[3].rm_eo - 1) == '"')
                                strncat(logfile, line + m[3].rm_so + 1,
                                    min((m[3].rm_eo - m[3].rm_so - 2),
                                        PATH_MAX - 1));
                        else
                                strncat(logfile, line + m[3].rm_so,
                                    min((m[3].rm_eo - m[3].rm_so),
                                        PATH_MAX - 1));
                }
        } else if (!strncasecmp(line + m[2].rm_so, "charset", 7)) {
                if (*(line + m[3].rm_so) == '"' &&
                    *(line + m[3].rm_eo - 1) == '"')
                        strncat(charset, line + m[3].rm_so + 1,
                            min((m[3].rm_eo - m[3].rm_so - 2),
                                CHARSET_LEN - 1));
                else
                        strncat(charset, line + m[3].rm_so,
                            min((m[3].rm_eo - m[3].rm_so), CHARSET_LEN - 1));
        } else if (!strncasecmp(line + m[2].rm_so, "errors", 6)) {
                if (!strncasecmp(line + m[3].rm_so, "yes", 3))
                        options |= OPTION_ERRORS;
                else
                        options &= ~(OPTION_ERRORS);
        } else if (!strncasecmp(line + m[2].rm_so, "expunge", 7)) {
                if (!strncasecmp(line + m[3].rm_so, "yes", 3))
                        options |= OPTION_EXPUNGE;
                else
                        options &= ~(OPTION_EXPUNGE);
        } else if (!strncasecmp(line + m[2].rm_so, "header", 6)) {
                if (!strncasecmp(line + m[3].rm_so, "yes", 3))
                        options |= OPTION_HEADERS;
                else
                        options &= ~(OPTION_HEADERS);
        } else if (!strncasecmp(line + m[2].rm_so, "namespace", 9)) {
                if (!strncasecmp(line + m[3].rm_so, "yes", 3))
                        options |= OPTION_NAMESPACE;
                else
                        options &= ~(OPTION_NAMESPACE);
        } else if (!strncasecmp(line + m[2].rm_so, "subscribe", 9)) {
                if (!strncasecmp(line + m[3].rm_so, "yes", 3))
                        options |= OPTION_SUBSCRIBE;
                else
                        options &= ~(OPTION_SUBSCRIBE);
        } else if (!strncasecmp(line + m[2].rm_so, "timeout", 7)) {
                errno = 0;
                timeout = strtol(line + m[3].rm_so, NULL, 10);
                if (errno)
                        timeout = 0;
        } else if (!strncasecmp(line + m[2].rm_so, "daemon", 6) &&
            !(options & OPTION_DAEMON_MODE)) {
                options |= OPTION_DAEMON_MODE;
                errno = 0;
                interval = strtoul(line + m[3].rm_so, NULL, 10);
                if (errno)
                        interval = 0;
        }
}


#ifdef ENCRYPTED_PASSWORDS
/*
 * Open password file and call parse_passwords().
 */
int
read_passwords(void)
{
        FILE *fd;
        char pwfile[PATH_MAX];

        if (!(flags & FLAG_BLANK_PASSWORD))
                return ERROR_CONFIG_PARSE;

        snprintf(pwfile, PATH_MAX, "%s/%s", home, ".imapfilter/passwords");
#ifdef DEBUG
        fprintf(stderr, "debug: passwords file: '%s'\n", pwfile);
#endif

        if (!exists_file(pwfile))
                return ERROR_FILE_OPEN;

#ifdef CHECK_PERMISSIONS
        check_file_perms(pwfile, S_IRUSR | S_IWUSR);
#endif

        fd = fopen(pwfile, "r");
        if (fd == NULL)
                fatal(ERROR_FILE_OPEN, "opening passwords file %s; %s\n",
                    pwfile, strerror(errno));

        parse_passwords(fd);

        fclose(fd);

        return 0;
}


/*
 *  Parse unencrypted password file.
 */
int
parse_passwords(FILE * fd)
{
        int t;
        char *pe;
        char user[USERNAME_LEN], serv[SERVER_LEN];
        unsigned char *buf;
        char *c, *cp, *line;
        regex_t creg;
        regmatch_t match[4];
        const char *reg;
        int r;

        t = 3;
        pe = NULL;
        reg = "([[:alnum:].-]+) ([[:graph:]]+) ([[:graph:]]+)";

        if (!passphr) {
                passphr = (char *)smalloc(PASSPHRASE_LEN);
                *passphr = '\0';

                do {
                        fseek(fd, 0L, SEEK_SET);
                        printf("Enter master passphrase: ");
                        get_password(passphr, PASSPHRASE_LEN);
                } while ((r = decrypt_passwords(&buf, fd)) && --t != 0);

                if (!t)
                        return ERROR_PASSPHRASE;
        } else
                decrypt_passwords(&buf, fd);

        c = cp = sstrdup(buf);

        regcomp(&creg, reg, REG_EXTENDED | REG_ICASE);

        line = strtok_r(c, "\n", &c);
        while (line != NULL && !regexec(&creg, line, 4, match, 0)) {
                user[0] = serv[0] = '\0';

                strncat(serv, line + match[1].rm_so,
                    min(match[1].rm_eo - match[1].rm_so, SERVER_LEN - 1));
                strncat(user, line + match[2].rm_so,
                    min(match[2].rm_eo - match[2].rm_so, USERNAME_LEN - 1));

                if ((pe = (char *)find_password(user, serv)))
                        strncat(pe, line + match[3].rm_so,
                            min(match[3].rm_eo - match[3].rm_so,
                                PASSWORD_LEN - 1));

                line = strtok_r(NULL, "\n", &c);
        }

        regfree(&creg);
        sfree(cp);
        sfree(buf);

        return 0;
}


/*
 * Store encrypted passwords to file.
 */
int
store_passwords(account_t * accts[])
{
        char pwfile[PATH_MAX];
        FILE *fd;

        snprintf(pwfile, PATH_MAX, "%s/%s", home, ".imapfilter/passwords");

        create_file(pwfile, S_IRUSR | S_IWUSR);

        fd = fopen(pwfile, "w");

        if (fd == NULL)
                fatal(ERROR_FILE_OPEN, "opening passwords file %s; %s\n",
                    pwfile, strerror(errno));

        encrypt_passwords(fd, accts);

        fclose(fd);

        return 0;
}

#endif                          /* ENCRYPTED_PASSWORDS */


/*
 * Create $HOME/.imapfilter directory.
 */
int
create_homedir(void)
{
        char *hdn;

        hdn = ".imapfilter";

        if (home != NULL)
                if (chdir(home))
                        error("could not change directory; %s\n",
                            strerror(errno));

        if (!exists_dir(hdn)) {
                if (mkdir(hdn, S_IRUSR | S_IWUSR | S_IXUSR))
                        error("could not create directory %s; %s\n", hdn,
                            strerror(errno));
        }
#ifdef CHECK_PERMISSIONS
        else {
                check_dir_perms(hdn, S_IRUSR | S_IWUSR | S_IXUSR);
        }
#endif

        return 0;
}


/*
 * Check if a file exists.
 */
int
exists_file(char *fname)
{
        struct stat fs;

        if (access(fname, F_OK))
                return 0;

        stat(fname, &fs);
        if (!S_ISREG(fs.st_mode)) {
                error("file %s not a regular file\n", fname);
                return ERROR_FILE_OPEN;
        }
        return 1;
}


/*
 * Check if a directory exists.
 */
int
exists_dir(char *dname)
{
        struct stat ds;

        if (access(dname, F_OK))
                return 0;

        stat(dname, &ds);
        if (!S_ISDIR(ds.st_mode)) {
                error("file %s not a directory\n", dname);
                return ERROR_FILE_OPEN;
        }
        return 1;
}


/*
 * Create a file with the specified permissions.
 */
int
create_file(char *fname, mode_t mode)
{
        int fd;

        fd = 0;

        if (!exists_file(fname)) {
                fd = open(fname, O_CREAT | O_WRONLY | O_TRUNC, mode);
                if (fd == -1) {
                        error("could not create file %s; %s\n", fname,
                            strerror(errno));
                        return ERROR_FILE_OPEN;
                }
                close(fd);
        }
        return 0;
}


#ifdef CHECK_PERMISSIONS
/*
 * Check the permissions of a file.
 */
int
check_file_perms(char *fname, mode_t mode)
{
        struct stat fs;

        if (stat(fname, &fs)) {
                error("getting file %s status; %s\n", fname,
                    strerror(errno));
                return ERROR_TRIVIAL;
        }
        if (!S_ISREG(fs.st_mode)) {
                error("file %s not a regular file\n", fname);
                return ERROR_TRIVIAL;
        }
        if ((fs.st_mode & 00777) != mode) {
                error("warning: improper file %s permissions\n", fname);
                error("warning: file's mode should be %o not %o\n", mode,
                    fs.st_mode & 00777);
                return ERROR_TRIVIAL;
        }
        return 0;
}


/*
 * Check the permissions of a directory.
 */
int
check_dir_perms(char *dname, mode_t mode)
{
        struct stat ds;

        if (stat(dname, &ds)) {
                error("getting file %s status; %s\n", dname,
                    strerror(errno));
                return ERROR_TRIVIAL;
        }
        if (!S_ISDIR(ds.st_mode)) {
                error("file %s not a directory\n", dname);
                return ERROR_TRIVIAL;
        }
        if ((ds.st_mode & 00777) != mode) {
                error("warning: improper dir %s permissions\n", dname);
                error("warning: dir's mode should be %o not %o\n", mode,
                    ds.st_mode & 00777);
                return ERROR_TRIVIAL;
        }
        return 0;
}

#endif                          /* CHECK_PERMISSIONS */


#ifdef SSL_TLS
/*
 * Get SSL/TLS certificate check it, maybe ask user about it and act
 * accordingly.
 */
int
imf_ssl_cert(SSL * ssl)
{
        X509 *cert;
        unsigned char md[EVP_MAX_MD_SIZE];
        unsigned int mdlen;

        mdlen = 0;

        if (!(cert = SSL_get_peer_certificate(ssl)))
                return ERROR_SSL;

        if (!(X509_digest(cert, EVP_md5(), md, &mdlen)))
                return ERROR_SSL;

        switch (imf_ssl_check_cert(cert, md, &mdlen)) {
        case SSL_CERT_NONEXISTENT:
                imf_ssl_print_cert(cert, md, &mdlen);
                if (flags & FLAG_DAEMON_MODE ||
                    imf_ssl_new_cert(cert) == SSL_CERT_ACTION_REJECT)
                        goto abort;
                break;
        case SSL_CERT_MISMATCH:
                imf_ssl_print_cert(cert, md, &mdlen);
                if (flags & FLAG_DAEMON_MODE ||
                    imf_ssl_cert_mismatch() == SSL_CERT_ACTION_ABORT)
                        goto abort;
                break;
        case SSL_CERT_OK:
                if (options & OPTION_DETAILS_VERBOSE)
                        imf_ssl_print_cert(cert, md, &mdlen);
        }

        X509_free(cert);
        return 0;

abort:
        X509_free(cert);
        return ERROR_SSL;
}


/*
 * Check if the SSL/TLS certificate exists in the certificates file.
 */
int
imf_ssl_check_cert(X509 * pcert, unsigned char *pmd, unsigned int *pmdlen)
{
        int r;
        FILE *fd;
        X509 *cert;
        unsigned char md[EVP_MAX_MD_SIZE];
        unsigned int mdlen;
        char *cfn;

        r = SSL_CERT_NONEXISTENT;
        cert = NULL;
        cfn = ".imapfilter/certificates";

        if (!exists_file(cfn))
                return SSL_CERT_NONEXISTENT;

        fd = fopen(cfn, "r");
        if (fd == NULL)
                return ERROR_FILE_OPEN;

        while ((cert = PEM_read_X509(fd, &cert, NULL, NULL)) != NULL) {
                if (X509_subject_name_cmp(cert, pcert) != 0 ||
                    X509_issuer_name_cmp(cert, pcert) != 0)
                        continue;

                if (!X509_digest(cert, EVP_md5(), md, &mdlen) ||
                    *pmdlen != mdlen)
                        continue;

                if (memcmp(pmd, md, mdlen) != 0) {
                        r = SSL_CERT_MISMATCH;
                        break;
                }
                r = SSL_CERT_OK;
                break;
        }

        fclose(fd);
        X509_free(cert);

        return r;
}


/*
 * Print information about the SSL/TLS certificate.
 */
void
imf_ssl_print_cert(X509 * cert, unsigned char *md, unsigned int *mdlen)
{
        unsigned int i;
        char *c;

        c = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
        printf("Server certificate subject: %s\n", c);
        xfree(c);

        c = X509_NAME_oneline(X509_get_issuer_name(cert), NULL, 0);
        printf("Server certificate issuer: %s\n", c);
        xfree(c);

        printf("Server key fingerprint: ");
        for (i = 0; i < *mdlen; i++)
                printf(i != *mdlen - 1 ? "%02X:" : "%02X\n", md[i]);
}


/*
 * Ask the user to reject/accept the SSL/TLS certificate.
 */
int
imf_ssl_new_cert(X509 * cert)
{
        FILE *fd;
        char c, *cfn, buf[LINE_MAX];

        do {
                printf("(R)eject, accept (t)emporarily or "
                    "accept (p)ermanently? ");
                fgets(buf, LINE_MAX, stdin);
                c = tolower(*buf);
        } while (c != 'r' && c != 't' && c != 'p');

        if (c == 'r')
                return SSL_CERT_ACTION_REJECT;
        else if (c == 't')
                return SSL_CERT_ACTION_ACCEPT;

        cfn = ".imapfilter/certificates";

        create_file(cfn, S_IRUSR | S_IWUSR);

        fd = fopen(cfn, "a");
        if (fd == NULL)
                return SSL_CERT_ACTION_REJECT;

        PEM_write_X509(fd, cert);

        fclose(fd);

        return SSL_CERT_ACTION_ACCEPT;
}


/*
 * Ask user to proceed, while a fingerprint mismatch in the SSL/TLS
 * certificate was found.
 */
int
imf_ssl_cert_mismatch(void)
{
        char c, buf[LINE_MAX];

        do {
                printf("WARNING: SSL/TLS certificate fingerprint mismatch.\n"
                    "Proceed with the connection (y/n)? ");
                fgets(buf, LINE_MAX, stdin);
                c = tolower(*buf);
        } while (c != 'y' && c != 'n');

        if (c == 'y')
                return SSL_CERT_ACTION_CONTINUE;
        else
                return SSL_CERT_ACTION_ABORT;
}

#endif                          /* SSL_TLS */
1	lefcha	1.1	#include <stdio.h>
2	lefcha	1.28	#include <unistd.h>
3	lefcha	1.1	#include <errno.h>
4	lefcha	1.5	#include <sys/types.h>
5	lefcha	1.1	#include <regex.h>
6			#include <string.h>
7			#include <stdlib.h>
8	lefcha	1.50	#include <ctype.h>
9	lefcha	1.1	#include <limits.h>
10	lefcha	1.10	#include <sys/stat.h>
11	lefcha	1.28	#include <fcntl.h>
12	lefcha	1.29	#include <time.h>
13	lefcha	1.1
14			#include "config.h"
15			#include "imapfilter.h"
16	lefcha	1.13	#include "data.h"
17	lefcha	1.1
18	lefcha	1.50	#ifdef SSL_TLS
19			#include <openssl/ssl.h>
20			#include <openssl/x509.h>
21			#include <openssl/pem.h>
22			#endif
23
24	lefcha	1.1
25	lefcha	1.6	extern char logfile[PATH_MAX];
26	lefcha	1.11	extern unsigned int options;
27	lefcha	1.46	extern char charset[CHARSET_LEN];
28	lefcha	1.34	extern unsigned int flags;
29			extern unsigned int interval;
30	lefcha	1.28	extern long timeout;
31	lefcha	1.29	extern char *home;
32
33			#ifdef ENCRYPTED_PASSWORDS
34	lefcha	1.52	char passphr = NULL; / Master password to access the passwords
35	lefcha	1.48	* file. */
36
37	lefcha	1.28	#endif
38	lefcha	1.27
39	lefcha	1.1
40			/*
41	lefcha	1.13	* Find the path to configuration file, open it and call parse_config().
42	lefcha	1.1	*/
43	lefcha	1.48	int
44			read_config(char *cfg)
45	lefcha	1.1	{
46	lefcha	1.48	int r;
47			FILE *fd;
48			char *c;
49
50			c = NULL;
51
52			if (cfg == NULL) {
53			cfg = c = (char )xmalloc(PATH_MAX sizeof(char));
54			snprintf(cfg, PATH_MAX, "%s/%s", home, ".imapfilterrc");
55			}
56	lefcha	1.1	#ifdef DEBUG
57	lefcha	1.48	fprintf(stderr, "debug: configuration file: '%s'\n", cfg);
58	lefcha	1.1	#endif
59	lefcha	1.13	#ifdef CHECK_PERMISSIONS
60	lefcha	1.48	check_file_perms(cfg, S_IRUSR \| S_IWUSR);
61	lefcha	1.12	#endif
62	lefcha	1.48	fd = fopen(cfg, "r");
63			if (fd == NULL)
64			fatal(ERROR_FILE_OPEN, "opening config file %s; %s\n", cfg,
65			strerror(errno));
66
67			if (c != NULL)
68			xfree(c);
69
70			if ((r = parse_config(fd)))
71			fatal(ERROR_CONFIG_PARSE,
72			"parse error in config file at row %d\n", r);
73	lefcha	1.1
74	lefcha	1.48	fclose(fd);
75	lefcha	1.1
76	lefcha	1.11	#ifdef DEBUG
77	lefcha	1.48	fprintf(stderr, "debug: options: %0#10x '%s'\n", options, charset);
78	lefcha	1.11	#endif
79
80	lefcha	1.48	return 0;
81	lefcha	1.1	}
82
83	lefcha	1.6
84	lefcha	1.10	/*
85	lefcha	1.13	* Parse configuration file.
86	lefcha	1.1	*/
87	lefcha	1.48	int
88			parse_config(FILE * fd)
89	lefcha	1.1	{
90	lefcha	1.48	int i, r;
91			unsigned int row;
92			char line[LINE_MAX];
93			regex_t creg[13];
94			regmatch_t match[11];
95			const char *reg[13] = {
96			"^([[:blank:]]\n\|#.\n)$",
97
98			"^[[:blank:]]*ACCOUNT[[:blank:]]+([[:alnum:]_-]+)[[:blank:]]+"
99			"(([[:graph:]]+):([[:graph:]]*)\|([[:graph:]]+))@"
100			"([[:alnum:].-]+)(:[[:digit:]]+)?[[:blank:]]*"
101			"([[:blank:]]SSL\|[[:blank:]]SSL2\|[[:blank:]]SSL3\|"
102			"[[:blank:]]TLS1)?[[:blank:]]*\n$",
103
104			"^[[:blank:]]*FOLDER[[:blank:]]+([[:alnum:]_-]+)[[:blank:]]+"
105			"([[:print:]]+)[[:blank:]]*\n$",
106
107			"^[[:blank:]]FILTER[[:blank:]]+([[:alnum:]_-]+)[[:blank:]]"
108			"([[:blank:]]OR\|[[:blank:]]AND)?[[:blank:]]*\n$",
109
110			"^[[:blank:]]*ACTION[[:blank:]]+(DELETE\|"
111			"COPY[[:blank:]]+(\"[[:print:]]*\"\|[[:graph:]]+)\|"
112			"MOVE[[:blank:]]+(\"[[:print:]]*\"\|[[:graph:]]+)\|"
113			"RCOPY[[:blank:]]+([[:alnum:]_-]+)[[:blank:]]+"
114			"(\"[[:print:]]*\"\|[[:graph:]]+)\|"
115			"RMOVE[[:blank:]]+([[:alnum:]_-]+)[[:blank:]]+"
116			"(\"[[:print:]]*\"\|[[:graph:]]+)\|"
117			"FLAG[[:blank:]]+(REPLACE\|ADD\|REMOVE)[[:blank:]]+"
118			"([[:alpha:],]+)\|"
119			"LIST)[[:blank:]]([[:graph:]])[[:blank:]]*\n$",
120
121			"^[[:blank:]](MASK[[:blank:]])?[[:blank:]](OR[[:blank:]]\|"
122			"AND[[:blank:]])?[[:blank:]](NOT[[:blank:]])?[[:blank:]]"
123			"(ANSWERED\|DELETED\|DRAFT\|FLAGGED\|NEW\|OLD\|RECENT\|SEEN\|"
124			"UNANSWERED\|UNDELETED\|UNDRAFT\|UNFLAGGED\|UNSEEN)[[:blank:]]*\n$",
125
126			"^[[:blank:]](MASK[[:blank:]])?[[:blank:]](OR[[:blank:]]\|"
127			"AND[[:blank:]])?[[:blank:]](NOT[[:blank:]])?[[:blank:]]"
128			"(BCC\|BODY\|CC\|FROM\|SUBJECT\|TEXT\|TO)[[:blank:]]+"
129			"(\"[[:print:]]\"\|[[:graph:]]+)[[:blank:]]\n$",
130
131			"^[[:blank:]](MASK[[:blank:]])?[[:blank:]](OR[[:blank:]]\|"
132			"AND[[:blank:]])?[[:blank:]](NOT[[:blank:]])?[[:blank:]]"
133			"(HEADER)[[:blank:]]+(\"[[:print:]]*\"\|[[:graph:]]+)"
134			"[[:blank:]]+(\"[[:print:]]\"\|[[:graph:]]+)[[:blank:]]\n$",
135
136			"^[[:blank:]](MASK[[:blank:]])?[[:blank:]](OR[[:blank:]]\|"
137			"AND[[:blank:]])?[[:blank:]](NOT[[:blank:]])?[[:blank:]]"
138			"(LARGER\|SMALLER\|OLDER\|NEWER)[[:blank:]]+([[:digit:]]+)"
139			"[[:blank:]]*\n$",
140
141			"^[[:blank:]]*JOB[[:blank:]]+([[:alnum:],_-]+)[[:blank:]]+"
142			"([[:alnum:],_-]+)[[:blank:]]*\n$",
143
144			"^[[:blank:]](SET[[:blank:]])?[[:blank:]](LOGFILE\|CHARSET)"
145			"[[:blank:]]=[[:blank:]](\"[[:print:]]*\"\|[[:graph:]]+)"
146			"[[:blank:]]*\n$",
147
148			"^[[:blank:]](SET[[:blank:]])?[[:blank:]](ERRORS\|EXPUNGE\|"
149	lefcha	1.53	"HEADERS\|NAMESPACE\|SUBSCRIBE)[[:blank:]]=[[:blank:]]"
150	lefcha	1.48	"(YES\|NO)[[:blank:]]*\n$",
151
152			"^[[:blank:]](SET[[:blank:]])?[[:blank:]](DAEMON\|TIMEOUT)"
153			"[[:blank:]]=[[:blank:]]([[:digit:]]+)\n$"
154			};
155
156			r = row = 0;
157
158			for (i = 0; i < 13; i++)
159			regcomp(&creg[i], reg[i], REG_EXTENDED \| REG_ICASE);
160
161			/* First process all the variables. This is done because some
162			* variables' arguments are used before the other commands are
163			* processed. */
164			while (fgets(line, LINE_MAX - 1, fd))
165			if (!regexec(&creg[10], line, 4, match, 0) \|\|
166			!regexec(&creg[11], line, 4, match, 0) \|\|
167			!regexec(&creg[12], line, 4, match, 0))
168			set_options(line, match);
169	lefcha	1.3
170	lefcha	1.48	/* Then rewind and process everything else. */
171			fseek(fd, 0L, SEEK_SET);
172			while (fgets(line, LINE_MAX - 1, fd)) {
173			row++;
174			if (!regexec(&creg[0], line, 0, match, 0))
175			continue;
176			else if (!regexec(&creg[1], line, 9, match, 0))
177			set_account(line, match);
178			else if (!regexec(&creg[2], line, 3, match, 0))
179			r = set_mboxgrp(line, match);
180			else if (!regexec(&creg[3], line, 3, match, 0))
181			r = set_filter(line, match);
182			else if (!regexec(&creg[4], line, 11, match, 0))
183			r = set_action(line, match);
184			else if (!regexec(&creg[5], line, 5, match, 0))
185			r = set_mask(line, match, MASK_MATCH_1);
186			else if (!regexec(&creg[6], line, 6, match, 0))
187			r = set_mask(line, match, MASK_MATCH_2);
188			else if (!regexec(&creg[7], line, 7, match, 0))
189			r = set_mask(line, match, MASK_MATCH_3);
190			else if (!regexec(&creg[8], line, 6, match, 0))
191			r = set_mask(line, match, MASK_MATCH_4);
192			else if (!regexec(&creg[9], line, 3, match, 0))
193			r = set_job(line, match);
194			/* Skip variable processing. */
195			else if (!regexec(&creg[10], line, 4, match, 0) \|\|
196			!regexec(&creg[11], line, 4, match, 0) \|\|
197			!regexec(&creg[12], line, 4, match, 0));
198			else
199			return row;
200
201			if (r == ERROR_CONFIG_PARSE)
202			return row;
203			}
204	lefcha	1.18
205	lefcha	1.48	for (i = 0; i < 13; i++)
206			regfree(&creg[i]);
207	lefcha	1.6
208	lefcha	1.52	destroy_unneeded();
209	lefcha	1.48
210			return 0;
211	lefcha	1.1	}
212
213
214			/*
215	lefcha	1.52	* Signal SIGHUP received, destroy all data structures and reread the
216			* configuration file.
217			*/
218			void
219			reread_config(char *cfg)
220			{
221			destroy_all();
222			read_config(cfg);
223			read_passwords();
224
225			flags &= ~(FLAG_SIGHUP_RECEIVED);
226			}
227
228
229			/*
230	lefcha	1.13	* Set other options found in config file.
231	lefcha	1.11	*/
232	lefcha	1.48	void
233			set_options(char line, regmatch_t m)
234	lefcha	1.11	{
235	lefcha	1.48	if (!strncasecmp(line + m[2].rm_so, "logfile", 7)) {
236			if (*logfile == '\0') {
237			if (*(line + m[3].rm_so) == '"' &&
238			*(line + m[3].rm_eo - 1) == '"')
239			strncat(logfile, line + m[3].rm_so + 1,
240			min((m[3].rm_eo - m[3].rm_so - 2),
241			PATH_MAX - 1));
242			else
243			strncat(logfile, line + m[3].rm_so,
244			min((m[3].rm_eo - m[3].rm_so),
245			PATH_MAX - 1));
246			}
247			} else if (!strncasecmp(line + m[2].rm_so, "charset", 7)) {
248			if (*(line + m[3].rm_so) == '"' &&
249			*(line + m[3].rm_eo - 1) == '"')
250			strncat(charset, line + m[3].rm_so + 1,
251			min((m[3].rm_eo - m[3].rm_so - 2),
252			CHARSET_LEN - 1));
253			else
254			strncat(charset, line + m[3].rm_so,
255			min((m[3].rm_eo - m[3].rm_so), CHARSET_LEN - 1));
256			} else if (!strncasecmp(line + m[2].rm_so, "errors", 6)) {
257			if (!strncasecmp(line + m[3].rm_so, "yes", 3))
258			options \|= OPTION_ERRORS;
259			else
260			options &= ~(OPTION_ERRORS);
261			} else if (!strncasecmp(line + m[2].rm_so, "expunge", 7)) {
262			if (!strncasecmp(line + m[3].rm_so, "yes", 3))
263			options \|= OPTION_EXPUNGE;
264			else
265			options &= ~(OPTION_EXPUNGE);
266			} else if (!strncasecmp(line + m[2].rm_so, "header", 6)) {
267			if (!strncasecmp(line + m[3].rm_so, "yes", 3))
268			options \|= OPTION_HEADERS;
269			else
270			options &= ~(OPTION_HEADERS);
271			} else if (!strncasecmp(line + m[2].rm_so, "namespace", 9)) {
272			if (!strncasecmp(line + m[3].rm_so, "yes", 3))
273			options \|= OPTION_NAMESPACE;
274			else
275			options &= ~(OPTION_NAMESPACE);
276			} else if (!strncasecmp(line + m[2].rm_so, "subscribe", 9)) {
277			if (!strncasecmp(line + m[3].rm_so, "yes", 3))
278			options \|= OPTION_SUBSCRIBE;
279			else
280			options &= ~(OPTION_SUBSCRIBE);
281			} else if (!strncasecmp(line + m[2].rm_so, "timeout", 7)) {
282			errno = 0;
283			timeout = strtol(line + m[3].rm_so, NULL, 10);
284			if (errno)
285			timeout = 0;
286			} else if (!strncasecmp(line + m[2].rm_so, "daemon", 6) &&
287			!(options & OPTION_DAEMON_MODE)) {
288			options \|= OPTION_DAEMON_MODE;
289			errno = 0;
290			interval = strtoul(line + m[3].rm_so, NULL, 10);
291			if (errno)
292			interval = 0;
293			}
294	lefcha	1.1	}
295	lefcha	1.29
296
297			#ifdef ENCRYPTED_PASSWORDS
298			/*
299			* Open password file and call parse_passwords().
300			*/
301	lefcha	1.48	int
302			read_passwords(void)
303	lefcha	1.29	{
304	lefcha	1.48	FILE *fd;
305			char pwfile[PATH_MAX];
306	lefcha	1.38
307	lefcha	1.48	if (!(flags & FLAG_BLANK_PASSWORD))
308			return ERROR_CONFIG_PARSE;
309	lefcha	1.38
310	lefcha	1.48	snprintf(pwfile, PATH_MAX, "%s/%s", home, ".imapfilter/passwords");
311	lefcha	1.29	#ifdef DEBUG
312	lefcha	1.48	fprintf(stderr, "debug: passwords file: '%s'\n", pwfile);
313	lefcha	1.29	#endif
314	lefcha	1.38
315	lefcha	1.48	if (!exists_file(pwfile))
316			return ERROR_FILE_OPEN;
317	lefcha	1.38
318	lefcha	1.29	#ifdef CHECK_PERMISSIONS
319	lefcha	1.48	check_file_perms(pwfile, S_IRUSR \| S_IWUSR);
320	lefcha	1.29	#endif
321
322	lefcha	1.48	fd = fopen(pwfile, "r");
323			if (fd == NULL)
324			fatal(ERROR_FILE_OPEN, "opening passwords file %s; %s\n",
325			pwfile, strerror(errno));
326	lefcha	1.29
327	lefcha	1.48	parse_passwords(fd);
328	lefcha	1.29
329	lefcha	1.48	fclose(fd);
330	lefcha	1.29
331	lefcha	1.48	return 0;
332	lefcha	1.29	}
333
334
335			/*
336			* Parse unencrypted password file.
337			*/
338	lefcha	1.48	int
339			parse_passwords(FILE * fd)
340	lefcha	1.29	{
341	lefcha	1.48	int t;
342			char *pe;
343			char user[USERNAME_LEN], serv[SERVER_LEN];
344			unsigned char *buf;
345			char c, cp, *line;
346			regex_t creg;
347			regmatch_t match[4];
348			const char *reg;
349			int r;
350
351			t = 3;
352			pe = NULL;
353			reg = "([[:alnum:].-]+) ([[:graph:]]+) ([[:graph:]]+)";
354
355	lefcha	1.52	if (!passphr) {
356			passphr = (char *)smalloc(PASSPHRASE_LEN);
357			*passphr = '\0';
358
359			do {
360			fseek(fd, 0L, SEEK_SET);
361			printf("Enter master passphrase: ");
362			get_password(passphr, PASSPHRASE_LEN);
363			} while ((r = decrypt_passwords(&buf, fd)) && --t != 0);
364
365			if (!t)
366			return ERROR_PASSPHRASE;
367			} else
368			decrypt_passwords(&buf, fd);
369	lefcha	1.48
370			c = cp = sstrdup(buf);
371
372			regcomp(&creg, reg, REG_EXTENDED \| REG_ICASE);
373
374			line = strtok_r(c, "\n", &c);
375			while (line != NULL && !regexec(&creg, line, 4, match, 0)) {
376			user[0] = serv[0] = '\0';
377
378			strncat(serv, line + match[1].rm_so,
379			min(match[1].rm_eo - match[1].rm_so, SERVER_LEN - 1));
380			strncat(user, line + match[2].rm_so,
381			min(match[2].rm_eo - match[2].rm_so, USERNAME_LEN - 1));
382
383			if ((pe = (char *)find_password(user, serv)))
384			strncat(pe, line + match[3].rm_so,
385			min(match[3].rm_eo - match[3].rm_so,
386			PASSWORD_LEN - 1));
387	lefcha	1.29
388	lefcha	1.48	line = strtok_r(NULL, "\n", &c);
389			}
390	lefcha	1.38
391	lefcha	1.48	regfree(&creg);
392			sfree(cp);
393			sfree(buf);
394	lefcha	1.29
395	lefcha	1.48	return 0;
396	lefcha	1.29	}
397
398
399			/*
400			* Store encrypted passwords to file.
401			*/
402	lefcha	1.48	int
403			store_passwords(account_t * accts[])
404	lefcha	1.29	{
405	lefcha	1.48	char pwfile[PATH_MAX];
406			FILE *fd;
407	lefcha	1.29
408	lefcha	1.48	snprintf(pwfile, PATH_MAX, "%s/%s", home, ".imapfilter/passwords");
409	lefcha	1.38
410	lefcha	1.48	create_file(pwfile, S_IRUSR \| S_IWUSR);
411	lefcha	1.29
412	lefcha	1.48	fd = fopen(pwfile, "w");
413	lefcha	1.29
414	lefcha	1.48	if (fd == NULL)
415			fatal(ERROR_FILE_OPEN, "opening passwords file %s; %s\n",
416			pwfile, strerror(errno));
417	lefcha	1.38
418	lefcha	1.48	encrypt_passwords(fd, accts);
419	lefcha	1.38
420	lefcha	1.48	fclose(fd);
421	lefcha	1.29
422	lefcha	1.48	return 0;
423	lefcha	1.29	}
424	lefcha	1.48
425	lefcha	1.47	#endif /* ENCRYPTED_PASSWORDS */
426	lefcha	1.31
427
428			/*
429			* Create $HOME/.imapfilter directory.
430			*/
431	lefcha	1.48	int
432			create_homedir(void)
433	lefcha	1.31	{
434	lefcha	1.48	char *hdn;
435	lefcha	1.38
436	lefcha	1.48	hdn = ".imapfilter";
437	lefcha	1.31
438	lefcha	1.48	if (home != NULL)
439			if (chdir(home))
440			error("could not change directory; %s\n",
441			strerror(errno));
442
443	lefcha	1.49	if (!exists_dir(hdn)) {
444	lefcha	1.48	if (mkdir(hdn, S_IRUSR \| S_IWUSR \| S_IXUSR))
445			error("could not create directory %s; %s\n", hdn,
446			strerror(errno));
447	lefcha	1.49	}
448			#ifdef CHECK_PERMISSIONS
449			else {
450			check_dir_perms(hdn, S_IRUSR \| S_IWUSR \| S_IXUSR);
451			}
452			#endif
453	lefcha	1.36
454	lefcha	1.48	return 0;
455	lefcha	1.31	}
456
457
458			/*
459			* Check if a file exists.
460			*/
461	lefcha	1.48	int
462			exists_file(char *fname)
463	lefcha	1.31	{
464	lefcha	1.48	struct stat fs;
465	lefcha	1.38
466	lefcha	1.48	if (access(fname, F_OK))
467			return 0;
468	lefcha	1.38
469	lefcha	1.48	stat(fname, &fs);
470			if (!S_ISREG(fs.st_mode)) {
471			error("file %s not a regular file\n", fname);
472			return ERROR_FILE_OPEN;
473			}
474			return 1;
475	lefcha	1.31	}
476
477
478	lefcha	1.38	/*
479	lefcha	1.31	* Check if a directory exists.
480			*/
481	lefcha	1.48	int
482			exists_dir(char *dname)
483	lefcha	1.31	{
484	lefcha	1.48	struct stat ds;
485	lefcha	1.38
486	lefcha	1.48	if (access(dname, F_OK))
487			return 0;
488	lefcha	1.38
489	lefcha	1.48	stat(dname, &ds);
490			if (!S_ISDIR(ds.st_mode)) {
491			error("file %s not a directory\n", dname);
492			return ERROR_FILE_OPEN;
493			}
494			return 1;
495	lefcha	1.31	}
496
497
498			/*
499	lefcha	1.36	* Create a file with the specified permissions.
500	lefcha	1.31	*/
501	lefcha	1.48	int
502			create_file(char *fname, mode_t mode)
503	lefcha	1.31	{
504	lefcha	1.48	int fd;
505
506			fd = 0;
507	lefcha	1.38
508	lefcha	1.48	if (!exists_file(fname)) {
509			fd = open(fname, O_CREAT \| O_WRONLY \| O_TRUNC, mode);
510			if (fd == -1) {
511			error("could not create file %s; %s\n", fname,
512			strerror(errno));
513			return ERROR_FILE_OPEN;
514			}
515			close(fd);
516			}
517			return 0;
518	lefcha	1.31	}
519
520
521			#ifdef CHECK_PERMISSIONS
522			/*
523			* Check the permissions of a file.
524			*/
525	lefcha	1.48	int
526			check_file_perms(char *fname, mode_t mode)
527	lefcha	1.31	{
528	lefcha	1.48	struct stat fs;
529	lefcha	1.38
530	lefcha	1.48	if (stat(fname, &fs)) {
531			error("getting file %s status; %s\n", fname,
532			strerror(errno));
533			return ERROR_TRIVIAL;
534			}
535			if (!S_ISREG(fs.st_mode)) {
536			error("file %s not a regular file\n", fname);
537			return ERROR_TRIVIAL;
538			}
539			if ((fs.st_mode & 00777) != mode) {
540			error("warning: improper file %s permissions\n", fname);
541			error("warning: file's mode should be %o not %o\n", mode,
542			fs.st_mode & 00777);
543			return ERROR_TRIVIAL;
544			}
545			return 0;
546	lefcha	1.31	}
547
548
549			/*
550			* Check the permissions of a directory.
551			*/
552	lefcha	1.48	int
553			check_dir_perms(char *dname, mode_t mode)
554	lefcha	1.31	{
555	lefcha	1.48	struct stat ds;
556	lefcha	1.31
557	lefcha	1.48	if (stat(dname, &ds)) {
558			error("getting file %s status; %s\n", dname,
559			strerror(errno));
560			return ERROR_TRIVIAL;
561			}
562			if (!S_ISDIR(ds.st_mode)) {
563			error("file %s not a directory\n", dname);
564			return ERROR_TRIVIAL;
565			}
566			if ((ds.st_mode & 00777) != mode) {
567			error("warning: improper dir %s permissions\n", dname);
568	lefcha	1.50	error("warning: dir's mode should be %o not %o\n", mode,
569	lefcha	1.48	ds.st_mode & 00777);
570			return ERROR_TRIVIAL;
571			}
572			return 0;
573	lefcha	1.31	}
574	lefcha	1.38
575	lefcha	1.47	#endif /* CHECK_PERMISSIONS */
576	lefcha	1.50
577
578			#ifdef SSL_TLS
579			/*
580			* Get SSL/TLS certificate check it, maybe ask user about it and act
581			* accordingly.
582			*/
583			int
584			imf_ssl_cert(SSL * ssl)
585			{
586			X509 *cert;
587			unsigned char md[EVP_MAX_MD_SIZE];
588			unsigned int mdlen;
589
590			mdlen = 0;
591
592			if (!(cert = SSL_get_peer_certificate(ssl)))
593			return ERROR_SSL;
594
595			if (!(X509_digest(cert, EVP_md5(), md, &mdlen)))
596			return ERROR_SSL;
597
598			switch (imf_ssl_check_cert(cert, md, &mdlen)) {
599			case SSL_CERT_NONEXISTENT:
600			imf_ssl_print_cert(cert, md, &mdlen);
601	lefcha	1.51	if (flags & FLAG_DAEMON_MODE \|\|
602			imf_ssl_new_cert(cert) == SSL_CERT_ACTION_REJECT)
603	lefcha	1.50	goto abort;
604			break;
605			case SSL_CERT_MISMATCH:
606			imf_ssl_print_cert(cert, md, &mdlen);
607	lefcha	1.51	if (flags & FLAG_DAEMON_MODE \|\|
608			imf_ssl_cert_mismatch() == SSL_CERT_ACTION_ABORT)
609	lefcha	1.50	goto abort;
610			break;
611			case SSL_CERT_OK:
612			if (options & OPTION_DETAILS_VERBOSE)
613			imf_ssl_print_cert(cert, md, &mdlen);
614			}
615
616			X509_free(cert);
617			return 0;
618
619			abort:
620			X509_free(cert);
621			return ERROR_SSL;
622			}
623
624
625			/*
626			* Check if the SSL/TLS certificate exists in the certificates file.
627			*/
628			int
629			imf_ssl_check_cert(X509 * pcert, unsigned char pmd, unsigned int pmdlen)
630			{
631			int r;
632			FILE *fd;
633			X509 *cert;
634			unsigned char md[EVP_MAX_MD_SIZE];
635			unsigned int mdlen;
636			char *cfn;
637
638			r = SSL_CERT_NONEXISTENT;
639			cert = NULL;
640			cfn = ".imapfilter/certificates";
641
642			if (!exists_file(cfn))
643			return SSL_CERT_NONEXISTENT;
644
645			fd = fopen(cfn, "r");
646			if (fd == NULL)
647			return ERROR_FILE_OPEN;
648
649			while ((cert = PEM_read_X509(fd, &cert, NULL, NULL)) != NULL) {
650			if (X509_subject_name_cmp(cert, pcert) != 0 \|\|
651			X509_issuer_name_cmp(cert, pcert) != 0)
652			continue;
653
654			if (!X509_digest(cert, EVP_md5(), md, &mdlen) \|\|
655			*pmdlen != mdlen)
656			continue;
657
658			if (memcmp(pmd, md, mdlen) != 0) {
659			r = SSL_CERT_MISMATCH;
660			break;
661			}
662			r = SSL_CERT_OK;
663			break;
664			}
665
666			fclose(fd);
667			X509_free(cert);
668
669			return r;
670			}
671
672
673			/*
674			* Print information about the SSL/TLS certificate.
675			*/
676			void
677			imf_ssl_print_cert(X509 * cert, unsigned char md, unsigned int mdlen)
678			{
679			unsigned int i;
680			char *c;
681
682			c = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
683			printf("Server certificate subject: %s\n", c);
684			xfree(c);
685
686			c = X509_NAME_oneline(X509_get_issuer_name(cert), NULL, 0);
687			printf("Server certificate issuer: %s\n", c);
688			xfree(c);
689
690			printf("Server key fingerprint: ");
691			for (i = 0; i < *mdlen; i++)
692			printf(i != *mdlen - 1 ? "%02X:" : "%02X\n", md[i]);
693			}
694
695
696			/*
697			* Ask the user to reject/accept the SSL/TLS certificate.
698			*/
699			int
700			imf_ssl_new_cert(X509 * cert)
701			{
702			FILE *fd;
703			char c, *cfn, buf[LINE_MAX];
704
705			do {
706			printf("(R)eject, accept (t)emporarily or "
707			"accept (p)ermanently? ");
708			fgets(buf, LINE_MAX, stdin);
709			c = tolower(*buf);
710			} while (c != 'r' && c != 't' && c != 'p');
711
712			if (c == 'r')
713			return SSL_CERT_ACTION_REJECT;
714			else if (c == 't')
715			return SSL_CERT_ACTION_ACCEPT;
716
717			cfn = ".imapfilter/certificates";
718
719			create_file(cfn, S_IRUSR \| S_IWUSR);
720
721			fd = fopen(cfn, "a");
722			if (fd == NULL)
723			return SSL_CERT_ACTION_REJECT;
724
725			PEM_write_X509(fd, cert);
726
727			fclose(fd);
728
729			return SSL_CERT_ACTION_ACCEPT;
730			}
731
732
733			/*
734			* Ask user to proceed, while a fingerprint mismatch in the SSL/TLS
735			* certificate was found.
736			*/
737			int
738			imf_ssl_cert_mismatch(void)
739			{
740			char c, buf[LINE_MAX];
741
742			do {
743			printf("WARNING: SSL/TLS certificate fingerprint mismatch.\n"
744			"Proceed with the connection (y/n)? ");
745			fgets(buf, LINE_MAX, stdin);
746			c = tolower(*buf);
747			} while (c != 'y' && c != 'n');
748
749			if (c == 'y')
750			return SSL_CERT_ACTION_CONTINUE;
751			else
752			return SSL_CERT_ACTION_ABORT;
753			}
754
755			#endif /* SSL_TLS */