git://git.exim.org
/
exim.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
build: use pkg-config for i18n
[exim.git]
/
src
/
src
/
tls-openssl.c
diff --git
a/src/src/tls-openssl.c
b/src/src/tls-openssl.c
index 01622560f366c8613b7351bdcfebcd3ba9ee970b..302404b6c9029f1d8321f58cf44916fa1045c4f3 100644
(file)
--- a/
src/src/tls-openssl.c
+++ b/
src/src/tls-openssl.c
@@
-2,7
+2,7
@@
* Exim - an Internet mail transport agent *
*************************************************/
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 202
2
*/
+/* Copyright (c) The Exim Maintainers 2020 - 202
4
*/
/* Copyright (c) University of Cambridge 1995 - 2019 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
/* Copyright (c) University of Cambridge 1995 - 2019 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
@@
-77,9
+77,9
@@
change this guard and punt the issue for a while longer. */
# define EXIM_HAVE_OPENSSL_KEYLOG
# define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
# define EXIM_HAVE_SESSION_TICKET
# define EXIM_HAVE_OPENSSL_KEYLOG
# define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
# define EXIM_HAVE_SESSION_TICKET
-# define EXIM_HAVE_OPESSL_TRACE
-# define EXIM_HAVE_OPESSL_GET0_SERIAL
-# define EXIM_HAVE_OPESSL_OCSP_RESP_GET0_CERTS
+# define EXIM_HAVE_OPE
N
SSL_TRACE
+# define EXIM_HAVE_OPE
N
SSL_GET0_SERIAL
+# define EXIM_HAVE_OPE
N
SSL_OCSP_RESP_GET0_CERTS
# define EXIM_HAVE_SSL_GET0_VERIFIED_CHAIN
# ifndef DISABLE_OCSP
# define EXIM_HAVE_OCSP
# define EXIM_HAVE_SSL_GET0_VERIFIED_CHAIN
# ifndef DISABLE_OCSP
# define EXIM_HAVE_OCSP
@@
-97,6
+97,9
@@
change this guard and punt the issue for a while longer. */
#if LIBRESSL_VERSION_NUMBER >= 0x3040000fL
# define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
#endif
#if LIBRESSL_VERSION_NUMBER >= 0x3040000fL
# define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
#endif
+#if LIBRESSL_VERSION_NUMBER >= 0x3050000fL
+# define EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_CERTS
+#endif
#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x030000000L)
# define EXIM_HAVE_EXPORT_CHNL_BNGNG
#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x030000000L)
# define EXIM_HAVE_EXPORT_CHNL_BNGNG
@@
-1756,7
+1759,7
@@
level. */
DEBUG(D_tls)
{
SSL_CTX_set_info_callback(ctx, info_callback);
DEBUG(D_tls)
{
SSL_CTX_set_info_callback(ctx, info_callback);
-#if defined(EXIM_HAVE_OPESSL_TRACE) && !defined(OPENSSL_NO_SSL_TRACE)
+#if defined(EXIM_HAVE_OPE
N
SSL_TRACE) && !defined(OPENSSL_NO_SSL_TRACE)
/* this needs a debug build of OpenSSL */
SSL_CTX_set_msg_callback(ctx, SSL_trace);
#endif
/* this needs a debug build of OpenSSL */
SSL_CTX_set_msg_callback(ctx, SSL_trace);
#endif
@@
-1904,7
+1907,8
@@
a queue-run startup with watch clear. */
static void
tls_client_creds_init(transport_instance * t, BOOL watch)
{
static void
tls_client_creds_init(transport_instance * t, BOOL watch)
{
-smtp_transport_options_block * ob = t->options_block;
+smtp_transport_options_block * ob = t->drinst.options_block;
+const uschar * trname = t->drinst.name;
exim_openssl_state_st tpt_dummy_state;
host_item * dummy_host = (host_item *)1;
uschar * dummy_errstr;
exim_openssl_state_st tpt_dummy_state;
host_item * dummy_host = (host_item *)1;
uschar * dummy_errstr;
@@
-1931,7
+1935,7
@@
if ( opt_set_and_noexpand(ob->tls_certificate)
uschar * pkey = ob->tls_privatekey;
DEBUG(D_tls)
uschar * pkey = ob->tls_privatekey;
DEBUG(D_tls)
- debug_printf("TLS: preloading client certs for transport '%s'\n",
t->
name);
+ debug_printf("TLS: preloading client certs for transport '%s'\n",
tr
name);
if ( tls_add_certfile(ctx, &tpt_dummy_state, ob->tls_certificate,
&dummy_errstr) == 0
if ( tls_add_certfile(ctx, &tpt_dummy_state, ob->tls_certificate,
&dummy_errstr) == 0
@@
-1944,7
+1948,7
@@
if ( opt_set_and_noexpand(ob->tls_certificate)
}
else
DEBUG(D_tls)
}
else
DEBUG(D_tls)
- debug_printf("TLS: not preloading client certs, for transport '%s'\n", t
->
name);
+ debug_printf("TLS: not preloading client certs, for transport '%s'\n", t
r
name);
if ( opt_set_and_noexpand(ob->tls_verify_certificates)
if ( opt_set_and_noexpand(ob->tls_verify_certificates)
@@
-1958,7
+1962,7
@@
if ( opt_set_and_noexpand(ob->tls_verify_certificates)
{
uschar * v_certs = ob->tls_verify_certificates;
DEBUG(D_tls)
{
uschar * v_certs = ob->tls_verify_certificates;
DEBUG(D_tls)
- debug_printf("TLS: preloading CA bundle for transport '%s'\n", t
->
name);
+ debug_printf("TLS: preloading CA bundle for transport '%s'\n", t
r
name);
if (setup_certs(ctx, &v_certs,
ob->tls_crl, dummy_host, &dummy_errstr) == OK)
if (setup_certs(ctx, &v_certs,
ob->tls_crl, dummy_host, &dummy_errstr) == OK)
@@
-1967,7
+1971,7
@@
if ( opt_set_and_noexpand(ob->tls_verify_certificates)
}
else
DEBUG(D_tls)
}
else
DEBUG(D_tls)
-
debug_printf("TLS: not preloading CA bundle, for transport '%s'\n", t->
name);
+
debug_printf("TLS: not preloading CA bundle, for transport '%s'\n", tr
name);
#endif /*EXIM_HAVE_INOTIFY*/
}
#endif /*EXIM_HAVE_INOTIFY*/
}
@@
-1991,21
+1995,11
@@
state_server.u_ocsp.server.file_expanded = NULL;
static void
tls_client_creds_invalidate(transport_instance * t)
{
static void
tls_client_creds_invalidate(transport_instance * t)
{
-smtp_transport_options_block * ob = t->options_block;
+smtp_transport_options_block * ob = t->
drinst.
options_block;
SSL_CTX_free(ob->tls_preload.lib_ctx);
ob->tls_preload = null_tls_preload;
}
SSL_CTX_free(ob->tls_preload.lib_ctx);
ob->tls_preload = null_tls_preload;
}
-#else
-
-static void
-tls_server_creds_invalidate(void)
-{ return; }
-
-static void
-tls_client_creds_invalidate(transport_instance * t)
-{ return; }
-
#endif /*EXIM_HAVE_INOTIFY*/
#endif /*EXIM_HAVE_INOTIFY*/
@@
-2442,7
+2436,7
@@
tls_in.ocsp = OCSP_NOT_RESP;
if (!olist)
return SSL_TLSEXT_ERR_NOACK;
if (!olist)
return SSL_TLSEXT_ERR_NOACK;
-#ifdef EXIM_HAVE_OPESSL_GET0_SERIAL
+#ifdef EXIM_HAVE_OPE
N
SSL_GET0_SERIAL
{
const X509 * cert_sent = SSL_get_certificate(s);
const ASN1_INTEGER * cert_serial = X509_get0_serialNumber(cert_sent);
{
const X509 * cert_sent = SSL_get_certificate(s);
const ASN1_INTEGER * cert_serial = X509_get0_serialNumber(cert_sent);
@@
-2605,7
+2599,7
@@
if (!(bs = OCSP_response_get1_basic(rsp)))
asking for certificate-status under DANE, so this callback won't run for
that combination. It still will for non-DANE. */
asking for certificate-status under DANE, so this callback won't run for
that combination. It still will for non-DANE. */
-#if
def EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_SIGNER
+#if
defined(EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_SIGNER) && defined(SUPPORT_DANE)
X509 * signer;
if ( tls_out.dane_verified
X509 * signer;
if ( tls_out.dane_verified
@@
-2646,7
+2640,7
@@
if (!(bs = OCSP_response_get1_basic(rsp)))
debug_printf("certs contained in basicresp:\n");
x509_stack_dump_cert_s_names(
debug_printf("certs contained in basicresp:\n");
x509_stack_dump_cert_s_names(
-#ifdef EXIM_HAVE_OPESSL_OCSP_RESP_GET0_CERTS
+#ifdef EXIM_HAVE_OPE
N
SSL_OCSP_RESP_GET0_CERTS
OCSP_resp_get0_certs(bs)
#else
bs->certs
OCSP_resp_get0_certs(bs)
#else
bs->certs
@@
-3504,7
+3498,7
@@
static uschar peerdn[256];
if (tls_in.active.sock >= 0)
{
tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
if (tls_in.active.sock >= 0)
{
tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
- smtp_printf("554 Already in TLS\r\n",
FALS
E);
+ smtp_printf("554 Already in TLS\r\n",
SP_NO_MOR
E);
return FAIL;
}
return FAIL;
}
@@
-3624,7
+3618,7
@@
mode, the fflush() happens when smtp_getc() is called. */
SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
if (!tls_in.on_connect)
{
SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
if (!tls_in.on_connect)
{
- smtp_printf("220 TLS go ahead\r\n",
FALS
E);
+ smtp_printf("220 TLS go ahead\r\n",
SP_NO_MOR
E);
fflush(smtp_out);
}
fflush(smtp_out);
}
@@
-3940,7
+3934,7
@@
if (tlsp->host_resumable)
tlsp->resumption |= RESUME_CLIENT_REQUESTED;
DEBUG(D_tls)
debug_printf("checking for resumable session for %s\n", tlsp->resume_index);
tlsp->resumption |= RESUME_CLIENT_REQUESTED;
DEBUG(D_tls)
debug_printf("checking for resumable session for %s\n", tlsp->resume_index);
- if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
+ if ((dbm_file = dbfn_open(US"tls", O_RDWR
|O_CREAT
, &dbblock, FALSE, FALSE)))
{
if ((dt = dbfn_read_with_length(dbm_file, tlsp->resume_index, &len)))
{
{
if ((dt = dbfn_read_with_length(dbm_file, tlsp->resume_index, &len)))
{
@@
-4023,7
+4017,7
@@
if (SSL_SESSION_is_resumable(ss)) /* 1.1.1 */
dt->ocsp = tlsp->ocsp;
(void) i2d_SSL_SESSION(ss, &s); /* s gets bumped to end */
dt->ocsp = tlsp->ocsp;
(void) i2d_SSL_SESSION(ss, &s); /* s gets bumped to end */
- if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
+ if ((dbm_file = dbfn_open(US"tls", O_RDWR
|O_CREAT
, &dbblock, FALSE, FALSE)))
{
dbfn_write(dbm_file, tlsp->resume_index, dt, dlen);
dbfn_close(dbm_file);
{
dbfn_write(dbm_file, tlsp->resume_index, dt, dlen);
dbfn_close(dbm_file);
@@
-4157,7
+4151,7
@@
tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
host_item * host = conn_args->host; /* for msgs and option-tests */
transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
smtp_transport_options_block * ob = tb
host_item * host = conn_args->host; /* for msgs and option-tests */
transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
smtp_transport_options_block * ob = tb
- ?
(smtp_transport_options_block *)tb->
options_block
+ ?
tb->drinst.
options_block
: &smtp_transport_option_defaults;
exim_openssl_client_tls_ctx * exim_client_ctx;
uschar * expciphers;
: &smtp_transport_option_defaults;
exim_openssl_client_tls_ctx * exim_client_ctx;
uschar * expciphers;
@@
-4551,7
+4545,7
@@
switch(error)
}
#ifndef DISABLE_DKIM
}
#ifndef DISABLE_DKIM
-
dkim_exim
_verify_feed(ssl_xfer_buffer, inbytes);
+
smtp
_verify_feed(ssl_xfer_buffer, inbytes);
#endif
ssl_xfer_buffer_hwm = inbytes;
ssl_xfer_buffer_lwm = 0;
#endif
ssl_xfer_buffer_hwm = inbytes;
ssl_xfer_buffer_lwm = 0;
@@
-4621,7
+4615,7
@@
int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
if (n > lim)
n = lim;
if (n > 0)
if (n > lim)
n = lim;
if (n > 0)
-
dkim_exim
_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
+
smtp
_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
#endif
}
#endif
}
@@
-5167,8
+5161,7
@@
if (!expand_check(option_spec, US"openssl_options", &exp, &end))
for (uschar * s = exp; *s; /**/)
{
for (uschar * s = exp; *s; /**/)
{
- while (isspace(*s)) ++s;
- if (*s == '\0')
+ if (!Uskip_whitespace(&s))
break;
if (*s != '+' && *s != '-')
{
break;
if (*s != '+' && *s != '-')
{
@@
-5177,7
+5170,8
@@
for (uschar * s = exp; *s; /**/)
return FALSE;
}
adding = *s++ == '+';
return FALSE;
}
adding = *s++ == '+';
- for (end = s; *end && !isspace(*end); ) end++;
+ end = s;
+ Uskip_nonwhite(&end);
item_parsed = tls_openssl_one_option_parse(string_copyn(s, end-s), &item);
if (!item_parsed)
{
item_parsed = tls_openssl_one_option_parse(string_copyn(s, end-s), &item);
if (!item_parsed)
{
git://git.exim.org / exim.git / blobdiff