X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/77bb000fa965b786ddb1085dd5af6c80c7d425b0..754a0503134b184183f64c04ed30a3524fc3860b:/src/src/tls-openssl.c
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index a7dad0805..e9628ba29 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/tls-openssl.c,v 1.23 2010/06/05 09:10:10 pdp Exp $ */
+/* $Cambridge: exim/src/src/tls-openssl.c,v 1.28 2010/06/12 17:56:32 jetmore Exp $ */
 /*************************************************
 * Exim - an Internet mail transport agent *
@@ -360,7 +360,7 @@ availability of the option value macros from OpenSSL. */
 okay = tls_openssl_options_parse(openssl_options, &init_options);
 if (!okay)
- return tls_error("openssl_options parsing failed", host, NULL);
+ return tls_error(US"openssl_options parsing failed", host, NULL);
 if (init_options)
 {
@@ -438,7 +438,10 @@ static void
 construct_cipher_name(SSL *ssl)
 {
 static uschar cipherbuf[256];
-SSL_CIPHER *c;
+/* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
+yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
+the accessor functions use const in the prototype. */
+const SSL_CIPHER *c;
 uschar *ver;
 int bits;
@@ -460,7 +463,7 @@ switch (ssl->session->ssl_version)
 ver = US"UNKNOWN";
 }
-c = SSL_get_current_cipher(ssl);
+c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
 SSL_CIPHER_get_bits(c, &bits);
 string_format(cipherbuf, sizeof(cipherbuf), "%s:%s:%u", ver,
@@ -714,7 +717,7 @@ if (rc <= 0)
 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
 if (ERR_get_error() == 0)
 log_write(0, LOG_MAIN,
- " => client disconnected cleanly (rejected our certificate?)\n");
+ "TLS client disconnected cleanly (rejected our certificate?)");
 return FAIL;
 }
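Review bot: `int bits;` in the @@ -438 hunk is never initialised, and SSL_CIPHER_get_bits() leaves its second argument untouched when the cipher pointer is NULL, so the `%u` in the string_format call of the @@ -460 hunk would read an indeterminate value in that case; a NULL cipher is presumably impossible right after a completed handshake, but `int bits = 0;` closes the hole for free. The explicit cast in `c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);` is also unnecessary in both library generations the new comment mentions — a non-const `SSL_CIPHER *` converts implicitly to `const SSL_CIPHER *` — and a cast here would hide a future return-type change from the compiler, so plain `c = SSL_get_current_cipher(ssl);` is the safer form. construct_cipher_name's body continues outside both hunks.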
@@ -833,10 +836,16 @@ if (rc <= 0)
 DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
+/* Beware anonymous ciphers which lead to server_cert being NULL */
 server_cert = SSL_get_peer_certificate (ssl);
-tls_peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
- CS txt, sizeof(txt));
-tls_peerdn = txt;
+if (server_cert)
+ {
+ tls_peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
+ CS txt, sizeof(txt));
+ tls_peerdn = txt;
+ }
+else
+ tls_peerdn = NULL;
 construct_cipher_name(ssl); /* Sets tls_cipher */
@@ -900,6 +909,14 @@ if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
 /* Handle genuine errors */
+ else if (error == SSL_ERROR_SSL)
+ {
+ ERR_error_string(ERR_get_error(), ssl_errstring);
+ log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
+ ssl_xfer_error = 1;
+ return EOF;
+ }
 else if (error != SSL_ERROR_NONE)
 {
 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
@@ -1064,8 +1081,10 @@ Returns: nothing
 void
 tls_version_report(FILE *f)
 {
-fprintf(f, "OpenSSL compile-time version: %s\n", OPENSSL_VERSION_TEXT);
-fprintf(f, "OpenSSL runtime version: %s\n", SSLeay_version(SSLEAY_VERSION));
+fprintf(f, "Library version: OpenSSL: Compile: %s\n"
+ " Runtime: %s\n",
+ OPENSSL_VERSION_TEXT,
+ SSLeay_version(SSLEAY_VERSION));
 }
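Review bot: Inside the new `if (server_cert)` branch the assignment `tls_peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert), CS txt, sizeof(txt));` is immediately overwritten by `tls_peerdn = txt;`, and with a caller-supplied buffer the two are the same pointer, so calling X509_NAME_oneline for its effect on txt and then assigning `tls_peerdn = txt;` once says what is meant. Two things the hunk does not show need confirming: SSL_get_peer_certificate() hands back a reference the caller owns and must release with X509_free(), so check that server_cert is freed later in this function (the old code had the same obligation), and every consumer of tls_peerdn outside this hunk must now tolerate NULL. A one-line comment on the else branch, e.g. `/* anonymous cipher suite: peer is unauthenticated, so there is no DN */`, would make the security meaning of the NULL explicit. The enclosing function starts and continues outside the hunk.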
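Review bot: The new SSL_ERROR_SSL branch writes into ssl_errstring with `ERR_error_string(ERR_get_error(), ssl_errstring);`, which takes no length and requires the buffer to be at least 120 bytes (256 in later documentation); the buffer's declaration is outside the hunk, so `ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));` (with a CS cast if it is a uschar array) makes the bound explicit regardless of how it is declared. The branch also pops only one entry from OpenSSL's error queue before returning EOF, so any further queued entries remain for an unrelated later check to misread — the `if (ERR_get_error() == 0)` test in the SSL_accept failure path of this same file is one such consumer — and draining the queue in a loop or calling ERR_clear_error() before the return is worth considering. The enclosing read function starts and ends outside the hunk.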
@@ -1165,61 +1184,61 @@ This list is current as of:
 static struct exim_openssl_option exim_openssl_options[] = {
 /* KEEP SORTED ALPHABETICALLY! */
 #ifdef SSL_OP_ALL
- { "all", SSL_OP_ALL },
+ { US"all", SSL_OP_ALL },
 #endif
 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
- { "allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
+ { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
 #endif
 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
- { "cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
+ { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
 #endif
 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
- { "dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
+ { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
 #endif
 #ifdef SSL_OP_EPHEMERAL_RSA
- { "ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
+ { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
 #endif
 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
- { "legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
+ { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
 #endif
 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
- { "microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
+ { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
 #endif
 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
- { "microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
+ { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
 #endif
 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
- { "msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
+ { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
 #endif
 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
- { "netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
+ { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
 #endif
 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
- { "netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
+ { US"netscape_reuse_cipher_change_bug", 
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
 #endif
 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
- { "no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
+ { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
 #endif
 #ifdef SSL_OP_SINGLE_DH_USE
- { "single_dh_use", SSL_OP_SINGLE_DH_USE },
+ { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
 #endif
 #ifdef SSL_OP_SINGLE_ECDH_USE
- { "single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
+ { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
 #endif
 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
- { "ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
+ { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
 #endif
 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
- { "sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
+ { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
 #endif
 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
- { "tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
+ { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
 #endif
 #ifdef SSL_OP_TLS_D5_BUG
- { "tls_d5_bug", SSL_OP_TLS_D5_BUG },
+ { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
 #endif
 #ifdef SSL_OP_TLS_ROLLBACK_BUG
- { "tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
+ { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
 #endif
 };
 static int exim_openssl_options_size =