LibreSSL: fix build for 3.5.0+ Bug 3074
diff --git
a/src/src/tls-openssl.c
b/src/src/tls-openssl.c
index 9d0ab2fdf1d5e545ac63e897131b26c5c6d0bdaf..e6a1c6fa4383868e9a85c4a249d2d1ae26c4eb62 100644
(file)
--- a/
src/src/tls-openssl.c
+++ b/
src/src/tls-openssl.c
@@
-2,7
+2,7
@@
* Exim - an Internet mail transport agent *
*************************************************/
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 202
2
*/
+/* Copyright (c) The Exim Maintainers 2020 - 202
3
*/
/* Copyright (c) University of Cambridge 1995 - 2019 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
/* Copyright (c) University of Cambridge 1995 - 2019 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
@@
-77,9
+77,9
@@
change this guard and punt the issue for a while longer. */
# define EXIM_HAVE_OPENSSL_KEYLOG
# define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
# define EXIM_HAVE_SESSION_TICKET
# define EXIM_HAVE_OPENSSL_KEYLOG
# define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
# define EXIM_HAVE_SESSION_TICKET
-# define EXIM_HAVE_OPESSL_TRACE
-# define EXIM_HAVE_OPESSL_GET0_SERIAL
-# define EXIM_HAVE_OPESSL_OCSP_RESP_GET0_CERTS
+# define EXIM_HAVE_OPE
N
SSL_TRACE
+# define EXIM_HAVE_OPE
N
SSL_GET0_SERIAL
+# define EXIM_HAVE_OPE
N
SSL_OCSP_RESP_GET0_CERTS
# define EXIM_HAVE_SSL_GET0_VERIFIED_CHAIN
# ifndef DISABLE_OCSP
# define EXIM_HAVE_OCSP
# define EXIM_HAVE_SSL_GET0_VERIFIED_CHAIN
# ifndef DISABLE_OCSP
# define EXIM_HAVE_OCSP
@@
-97,6
+97,9
@@
change this guard and punt the issue for a while longer. */
#if LIBRESSL_VERSION_NUMBER >= 0x3040000fL
# define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
#endif
#if LIBRESSL_VERSION_NUMBER >= 0x3040000fL
# define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
#endif
+#if LIBRESSL_VERSION_NUMBER >= 0x3050000fL
+# define EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_CERTS
+#endif
#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x030000000L)
# define EXIM_HAVE_EXPORT_CHNL_BNGNG
#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x030000000L)
# define EXIM_HAVE_EXPORT_CHNL_BNGNG
@@
-1192,6
+1195,8
@@
else
uschar * name;
int rc;
while ((name = string_nextinlist(&list, &sep, NULL, 0)))
uschar * name;
int rc;
while ((name = string_nextinlist(&list, &sep, NULL, 0)))
+ {
+ DEBUG(D_tls|D_lookup) debug_printf_indent("%s suitable for cert, per OpenSSL?", name);
if ((rc = X509_check_host(cert, CCS name, 0,
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
| X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
if ((rc = X509_check_host(cert, CCS name, 0,
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
| X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
@@
-1203,8
+1208,11
@@
else
tlsp == &tls_out ? deliver_host_address : sender_host_address);
name = NULL;
}
tlsp == &tls_out ? deliver_host_address : sender_host_address);
name = NULL;
}
+ DEBUG(D_tls|D_lookup) debug_printf_indent(" yes\n");
break;
}
break;
}
+ else DEBUG(D_tls|D_lookup) debug_printf_indent(" no\n");
+ }
if (!name)
#else
if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
if (!name)
#else
if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
@@
-1433,7
+1441,7
@@
SNI handling.
Separately we might try to replace using OCSP_basic_verify() - which seems to not
be a public interface into the OpenSSL library (there's no manual entry) -
Separately we might try to replace using OCSP_basic_verify() - which seems to not
be a public interface into the OpenSSL library (there's no manual entry) -
-(in 3.0.0 + i
s
is public)
+(in 3.0.0 + i
t
is public)
But what with? We also use OCSP_basic_verify in the client stapling callback.
And there we NEED it; we must verify that status... unless the
library does it for us anyway? */
But what with? We also use OCSP_basic_verify in the client stapling callback.
And there we NEED it; we must verify that status... unless the
library does it for us anyway? */
@@
-1751,7
+1759,7
@@
level. */
DEBUG(D_tls)
{
SSL_CTX_set_info_callback(ctx, info_callback);
DEBUG(D_tls)
{
SSL_CTX_set_info_callback(ctx, info_callback);
-#if defined(EXIM_HAVE_OPESSL_TRACE) && !defined(OPENSSL_NO_SSL_TRACE)
+#if defined(EXIM_HAVE_OPE
N
SSL_TRACE) && !defined(OPENSSL_NO_SSL_TRACE)
/* this needs a debug build of OpenSSL */
SSL_CTX_set_msg_callback(ctx, SSL_trace);
#endif
/* this needs a debug build of OpenSSL */
SSL_CTX_set_msg_callback(ctx, SSL_trace);
#endif
@@
-2399,7
+2407,7
@@
for (int pos = 0, siz; pos < inlen; pos += siz+1)
if (pos + 1 + siz > inlen) siz = inlen - pos - 1;
g = string_append_listele_n(g, ':', in + pos + 1, siz);
}
if (pos + 1 + siz > inlen) siz = inlen - pos - 1;
g = string_append_listele_n(g, ':', in + pos + 1, siz);
}
-log_write(0, LOG_MAIN, "TLS ALPN (%
s) rejected", string_from_gstring(g)
);
+log_write(0, LOG_MAIN, "TLS ALPN (%
Y) rejected", g
);
gstring_release_unused(g);
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
gstring_release_unused(g);
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
@@
-2437,7
+2445,7
@@
tls_in.ocsp = OCSP_NOT_RESP;
if (!olist)
return SSL_TLSEXT_ERR_NOACK;
if (!olist)
return SSL_TLSEXT_ERR_NOACK;
-#ifdef EXIM_HAVE_OPESSL_GET0_SERIAL
+#ifdef EXIM_HAVE_OPE
N
SSL_GET0_SERIAL
{
const X509 * cert_sent = SSL_get_certificate(s);
const ASN1_INTEGER * cert_serial = X509_get0_serialNumber(cert_sent);
{
const X509 * cert_sent = SSL_get_certificate(s);
const ASN1_INTEGER * cert_serial = X509_get0_serialNumber(cert_sent);
@@
-2600,7
+2608,7
@@
if (!(bs = OCSP_response_get1_basic(rsp)))
asking for certificate-status under DANE, so this callback won't run for
that combination. It still will for non-DANE. */
asking for certificate-status under DANE, so this callback won't run for
that combination. It still will for non-DANE. */
-#if
def EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_SIGNER
+#if
defined(EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_SIGNER) && defined(SUPPORT_DANE)
X509 * signer;
if ( tls_out.dane_verified
X509 * signer;
if ( tls_out.dane_verified
@@
-2641,7
+2649,7
@@
if (!(bs = OCSP_response_get1_basic(rsp)))
debug_printf("certs contained in basicresp:\n");
x509_stack_dump_cert_s_names(
debug_printf("certs contained in basicresp:\n");
x509_stack_dump_cert_s_names(
-#ifdef EXIM_HAVE_OPESSL_OCSP_RESP_GET0_CERTS
+#ifdef EXIM_HAVE_OPE
N
SSL_OCSP_RESP_GET0_CERTS
OCSP_resp_get0_certs(bs)
#else
bs->certs
OCSP_resp_get0_certs(bs)
#else
bs->certs
@@
-3499,7
+3507,7
@@
static uschar peerdn[256];
if (tls_in.active.sock >= 0)
{
tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
if (tls_in.active.sock >= 0)
{
tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
- smtp_printf("554 Already in TLS\r\n",
FALS
E);
+ smtp_printf("554 Already in TLS\r\n",
SP_NO_MOR
E);
return FAIL;
}
return FAIL;
}
@@
-3619,7
+3627,7
@@
mode, the fflush() happens when smtp_getc() is called. */
SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
if (!tls_in.on_connect)
{
SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
if (!tls_in.on_connect)
{
- smtp_printf("220 TLS go ahead\r\n",
FALS
E);
+ smtp_printf("220 TLS go ahead\r\n",
SP_NO_MOR
E);
fflush(smtp_out);
}
fflush(smtp_out);
}
@@
-4527,10
+4535,15
@@
switch(error)
/* Handle genuine errors */
case SSL_ERROR_SSL:
/* Handle genuine errors */
case SSL_ERROR_SSL:
+ {
+ uschar * conn_info = smtp_get_connection_info();
+ if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;
+ /* I'd like to get separated H= here, but too hard for now */
ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
- log_write(0, LOG_MAIN, "TLS error (SSL_read):
%s"
, ssl_errstring);
+ log_write(0, LOG_MAIN, "TLS error (SSL_read):
on %s %s", conn_info
, ssl_errstring);
ssl_xfer_error = TRUE;
return FALSE;
ssl_xfer_error = TRUE;
return FALSE;
+ }
default:
DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
default:
DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);