X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/754a0503134b184183f64c04ed30a3524fc3860b..c80c557026f3933b0472b13331924f8bd4ed9bf7:/src/src/tls-openssl.c diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index e9628ba29..e2e150c0a 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -1,5 +1,3 @@ -/* $Cambridge: exim/src/src/tls-openssl.c,v 1.28 2010/06/12 17:56:32 jetmore Exp $ */ - /************************************************* * Exim - an Internet mail transport agent * *************************************************/ @@ -349,6 +347,9 @@ level. */ SSL_CTX_set_info_callback(ctx, (void (*)())info_callback); +/* Automatically re-try reads/writes after renegotiation. */ +(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); + /* Apply administrator-supplied work-arounds. Historically we applied just one requested option, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we @@ -443,7 +444,6 @@ yet reflect that. It should be a safe change anyway, even 0.9.8 versions have the accessor functions use const in the prototype. */ const SSL_CIPHER *c; uschar *ver; -int bits; switch (ssl->session->ssl_version) { @@ -459,15 +459,27 @@ switch (ssl->session->ssl_version) ver = US"TLSv1"; break; +#ifdef TLS1_1_VERSION + case TLS1_1_VERSION: + ver = US"TLSv1.1"; + break; +#endif + +#ifdef TLS1_2_VERSION + case TLS1_2_VERSION: + ver = US"TLSv1.2"; + break; +#endif + default: ver = US"UNKNOWN"; } c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl); -SSL_CIPHER_get_bits(c, &bits); +SSL_CIPHER_get_bits(c, &tls_bits); string_format(cipherbuf, sizeof(cipherbuf), "%s:%s:%u", ver, - SSL_CIPHER_get_name(c), bits); + SSL_CIPHER_get_name(c), tls_bits); tls_cipher = cipherbuf; DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf); @@ -876,8 +888,8 @@ if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm) int error; int inbytes; - DEBUG(D_tls) debug_printf("Calling SSL_read(%lx, %lx, %u)\n", (long)ssl, - (long)ssl_xfer_buffer, ssl_xfer_buffer_size); + DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl, + ssl_xfer_buffer, ssl_xfer_buffer_size); if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout); inbytes = SSL_read(ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size); @@ -923,6 +935,7 @@ if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm) ssl_xfer_error = 1; return EOF; } + #ifndef DISABLE_DKIM dkim_exim_verify_feed(ssl_xfer_buffer, inbytes); #endif @@ -956,8 +969,8 @@ tls_read(uschar *buff, size_t len) int inbytes; int error; -DEBUG(D_tls) debug_printf("Calling SSL_read(%lx, %lx, %u)\n", (long)ssl, - (long)buff, (unsigned int)len); +DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl, + buff, (unsigned int)len); inbytes = SSL_read(ssl, CS buff, len); error = SSL_get_error(ssl, inbytes); @@ -999,10 +1012,10 @@ int outbytes; int error; int left = len; -DEBUG(D_tls) debug_printf("tls_do_write(%lx, %d)\n", (long)buff, left); +DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left); while (left > 0) { - DEBUG(D_tls) debug_printf("SSL_write(SSL, %lx, %d)\n", (long)buff, left); + DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left); outbytes = SSL_write(ssl, CS buff, left); error = SSL_get_error(ssl, outbytes); DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error); @@ -1180,7 +1193,7 @@ all options unless explicitly for DTLS, let the administrator choose which to apply. This list is current as of: - ==> 0.9.8n <== */ + ==> 1.0.1b <== */ static struct exim_openssl_option exim_openssl_options[] = { /* KEEP SORTED ALPHABETICALLY! */ #ifdef SSL_OP_ALL @@ -1216,9 +1229,35 @@ static struct exim_openssl_option exim_openssl_options[] = { #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG }, #endif +#ifdef SSL_OP_NO_COMPRESSION + { US"no_compression", SSL_OP_NO_COMPRESSION }, +#endif #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION }, #endif +#ifdef SSL_OP_NO_SSLv2 + { US"no_sslv2", SSL_OP_NO_SSLv2 }, +#endif +#ifdef SSL_OP_NO_SSLv3 + { US"no_sslv3", SSL_OP_NO_SSLv3 }, +#endif +#ifdef SSL_OP_NO_TICKET + { US"no_ticket", SSL_OP_NO_TICKET }, +#endif +#ifdef SSL_OP_NO_TLSv1 + { US"no_tlsv1", SSL_OP_NO_TLSv1 }, +#endif +#ifdef SSL_OP_NO_TLSv1_1 +#if SSL_OP_NO_TLSv1_1 == 0x00000400L + /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */ +#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring +#else + { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 }, +#endif +#endif +#ifdef SSL_OP_NO_TLSv1_2 + { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 }, +#endif #ifdef SSL_OP_SINGLE_DH_USE { US"single_dh_use", SSL_OP_SINGLE_DH_USE }, #endif @@ -1244,6 +1283,7 @@ static struct exim_openssl_option exim_openssl_options[] = { static int exim_openssl_options_size = sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option); + static BOOL tls_openssl_one_option_parse(uschar *name, long *value) { @@ -1291,11 +1331,10 @@ uschar *s, *end; uschar keep_c; BOOL adding, item_parsed; +result = 0L; /* We grandfather in as default the one option which we used to set always. */ #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS -result = SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; -#else -result = 0L; +result |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; #endif if (option_spec == NULL) @@ -1312,7 +1351,7 @@ for (s=option_spec; *s != '\0'; /**/) if (*s != '+' && *s != '-') { DEBUG(D_tls) debug_printf("malformed openssl option setting: " - "+ or - expected but found \"%s\"", s); + "+ or - expected but found \"%s\"\n", s); return FALSE; } adding = *s++ == '+'; @@ -1322,7 +1361,7 @@ for (s=option_spec; *s != '\0'; /**/) item_parsed = tls_openssl_one_option_parse(s, &item); if (!item_parsed) { - DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"", s); + DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s); return FALSE; } DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",