From: Philip Hazel Date: Tue, 29 Mar 2005 14:53:09 +0000 (+0000) Subject: Installed Lars Mainka's patch for OpenSSL support of CRL collections. X-Git-Tag: exim-4_51~37 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/8b417f2c8e0df074cbb139081e5f1fb7992946dd Installed Lars Mainka's patch for OpenSSL support of CRL collections. --- diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 0e14c76c3..18e8d1ff8 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -1,4 +1,4 @@ -$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.103 2005/03/29 14:19:21 ph10 Exp $ +$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.104 2005/03/29 14:53:09 ph10 Exp $ Change log file for Exim from version 4.21 ------------------------------------------- @@ -96,6 +96,9 @@ PH/17 The API for radiusclient changed at release 0.4.0. Unfortunately, the API. The code is untested by me (my Linux distribution still has 0.3.2 of radiusclient), but it was contributed by a Radius user. +PH/18 Installed Lars Mainka's patch for the support of CRL collections in + files or directories, for OpenSSL. + A note about Exim versions 4.44 and 4.50 ---------------------------------------- diff --git a/src/ACKNOWLEDGMENTS b/src/ACKNOWLEDGMENTS index faaedb639..2b5426b9d 100644 --- a/src/ACKNOWLEDGMENTS +++ b/src/ACKNOWLEDGMENTS @@ -1,4 +1,4 @@ -$Cambridge: exim/src/ACKNOWLEDGMENTS,v 1.17 2005/03/29 14:19:21 ph10 Exp $ +$Cambridge: exim/src/ACKNOWLEDGMENTS,v 1.18 2005/03/29 14:53:09 ph10 Exp $ EXIM ACKNOWLEDGEMENTS @@ -163,6 +163,7 @@ Chris Liddiard Fix for bug in exiqsumm Chris Lightfoot Patch for -restore-times in exim_lock Edgar Lovecraft Patch for ${str2b64: Torsten Luettgert Suggested patch for proper integer overflow detection +Lars Mainka Patch for OpenSSL crl collections David Madole Patch for SPA forced expansion failure bug Lionel Elie Mamane Patch for IPv4/IPv6 listen() problem on USAGI Linux Patch for recognizing IPv6 "scoped addresses" diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index a4a8e8b9f..693e6dc14 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/tls-openssl.c,v 1.3 2005/01/04 10:00:42 ph10 Exp $ */ +/* $Cambridge: exim/src/src/tls-openssl.c,v 1.4 2005/03/29 14:53:09 ph10 Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -526,34 +526,51 @@ if (expcerts != NULL) #if OPENSSL_VERSION_NUMBER > 0x00907000L + /* This bit of code is now the version supplied by Lars Mainka. (I have + * merely reformatted it into the Exim code style.) + + * "From here I changed the code to add support for multiple crl's + * in pem format in one file or to support hashed directory entries in + * pem format instead of a file. This method now uses the library function + * X509_STORE_load_locations to add the CRL location to the SSL context. + * OpenSSL will then handle the verify against CA certs and CRLs by + * itself in the verify callback." */ + if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER; if (expcrl != NULL && *expcrl != 0) { - BIO *crl_bio; - X509_CRL *crl_x509; - X509_STORE *cvstore; - - cvstore = SSL_CTX_get_cert_store(ctx); /* cert validation store */ - - crl_bio = BIO_new(BIO_s_file_internal()); - if (crl_bio != NULL) + struct stat statbufcrl; + if (Ustat(expcrl, &statbufcrl) < 0) + { + log_write(0, LOG_MAIN|LOG_PANIC, + "failed to stat %s for certificates revocation lists", expcrl); + return DEFER; + } + else { - if (BIO_read_filename(crl_bio, expcrl)) + /* is it a file or directory? */ + uschar *file, *dir; + X509_STORE *cvstore = SSL_CTX_get_cert_store(ctx); + if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR) { - crl_x509 = PEM_read_bio_X509_CRL(crl_bio, NULL, NULL, NULL); - BIO_free(crl_bio); - X509_STORE_add_crl(cvstore, crl_x509); - X509_CRL_free(crl_x509); - X509_STORE_set_flags(cvstore, - X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); + file = NULL; + dir = expcrl; + DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir); } else { - BIO_free(crl_bio); - return tls_error(US"BIO_read_filename", host); + file = expcrl; + dir = NULL; + DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file); } + if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0) + return tls_error(US"X509_STORE_load_locations", host); + + /* setting the flags to check against the complete crl chain */ + + X509_STORE_set_flags(cvstore, + X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); } - else return tls_error(US"BIO_new", host); } #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */