build: use pkg-config for i18n
diff --git
a/src/src/tls-openssl.c
b/src/src/tls-openssl.c
index 9d0ab2fdf1d5e545ac63e897131b26c5c6d0bdaf..302404b6c9029f1d8321f58cf44916fa1045c4f3 100644
--- a/
src/src/tls-openssl.c
+++ b/
src/src/tls-openssl.c
@@
-2,7
+2,7
@@
* Exim - an Internet mail transport agent *
*************************************************/
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 202
2
*/
+/* Copyright (c) The Exim Maintainers 2020 - 202
4
*/
/* Copyright (c) University of Cambridge 1995 - 2019 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
/* Copyright (c) University of Cambridge 1995 - 2019 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
@@
-77,9
+77,9
@@
change this guard and punt the issue for a while longer. */
# define EXIM_HAVE_OPENSSL_KEYLOG
# define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
# define EXIM_HAVE_SESSION_TICKET
# define EXIM_HAVE_OPENSSL_KEYLOG
# define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
# define EXIM_HAVE_SESSION_TICKET
-# define EXIM_HAVE_OPESSL_TRACE
-# define EXIM_HAVE_OPESSL_GET0_SERIAL
-# define EXIM_HAVE_OPESSL_OCSP_RESP_GET0_CERTS
+# define EXIM_HAVE_OPE
N
SSL_TRACE
+# define EXIM_HAVE_OPE
N
SSL_GET0_SERIAL
+# define EXIM_HAVE_OPE
N
SSL_OCSP_RESP_GET0_CERTS
# define EXIM_HAVE_SSL_GET0_VERIFIED_CHAIN
# ifndef DISABLE_OCSP
# define EXIM_HAVE_OCSP
# define EXIM_HAVE_SSL_GET0_VERIFIED_CHAIN
# ifndef DISABLE_OCSP
# define EXIM_HAVE_OCSP
@@
-97,6
+97,9
@@
change this guard and punt the issue for a while longer. */
#if LIBRESSL_VERSION_NUMBER >= 0x3040000fL
# define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
#endif
#if LIBRESSL_VERSION_NUMBER >= 0x3040000fL
# define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
#endif
+#if LIBRESSL_VERSION_NUMBER >= 0x3050000fL
+# define EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_CERTS
+#endif
#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x030000000L)
# define EXIM_HAVE_EXPORT_CHNL_BNGNG
#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x030000000L)
# define EXIM_HAVE_EXPORT_CHNL_BNGNG
@@
-1192,6
+1195,8
@@
else
uschar * name;
int rc;
while ((name = string_nextinlist(&list, &sep, NULL, 0)))
uschar * name;
int rc;
while ((name = string_nextinlist(&list, &sep, NULL, 0)))
+ {
+ DEBUG(D_tls|D_lookup) debug_printf_indent("%s suitable for cert, per OpenSSL?", name);
if ((rc = X509_check_host(cert, CCS name, 0,
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
| X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
if ((rc = X509_check_host(cert, CCS name, 0,
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
| X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
@@
-1203,8
+1208,11
@@
else
tlsp == &tls_out ? deliver_host_address : sender_host_address);
name = NULL;
}
tlsp == &tls_out ? deliver_host_address : sender_host_address);
name = NULL;
}
+ DEBUG(D_tls|D_lookup) debug_printf_indent(" yes\n");
break;
}
break;
}
+ else DEBUG(D_tls|D_lookup) debug_printf_indent(" no\n");
+ }
if (!name)
#else
if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
if (!name)
#else
if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
@@
-1433,7
+1441,7
@@
SNI handling.
Separately we might try to replace using OCSP_basic_verify() - which seems to not
be a public interface into the OpenSSL library (there's no manual entry) -
Separately we might try to replace using OCSP_basic_verify() - which seems to not
be a public interface into the OpenSSL library (there's no manual entry) -
-(in 3.0.0 + i
s
is public)
+(in 3.0.0 + i
t
is public)
But what with? We also use OCSP_basic_verify in the client stapling callback.
And there we NEED it; we must verify that status... unless the
library does it for us anyway? */
But what with? We also use OCSP_basic_verify in the client stapling callback.
And there we NEED it; we must verify that status... unless the
library does it for us anyway? */
@@
-1751,7
+1759,7
@@
level. */
DEBUG(D_tls)
{
SSL_CTX_set_info_callback(ctx, info_callback);
DEBUG(D_tls)
{
SSL_CTX_set_info_callback(ctx, info_callback);
-#if defined(EXIM_HAVE_OPESSL_TRACE) && !defined(OPENSSL_NO_SSL_TRACE)
+#if defined(EXIM_HAVE_OPE
N
SSL_TRACE) && !defined(OPENSSL_NO_SSL_TRACE)
/* this needs a debug build of OpenSSL */
SSL_CTX_set_msg_callback(ctx, SSL_trace);
#endif
/* this needs a debug build of OpenSSL */
SSL_CTX_set_msg_callback(ctx, SSL_trace);
#endif
@@
-1899,7
+1907,8
@@
a queue-run startup with watch clear. */
static void
tls_client_creds_init(transport_instance * t, BOOL watch)
{
static void
tls_client_creds_init(transport_instance * t, BOOL watch)
{
-smtp_transport_options_block * ob = t->options_block;
+smtp_transport_options_block * ob = t->drinst.options_block;
+const uschar * trname = t->drinst.name;
exim_openssl_state_st tpt_dummy_state;
host_item * dummy_host = (host_item *)1;
uschar * dummy_errstr;
exim_openssl_state_st tpt_dummy_state;
host_item * dummy_host = (host_item *)1;
uschar * dummy_errstr;
@@
-1926,7
+1935,7
@@
if ( opt_set_and_noexpand(ob->tls_certificate)
uschar * pkey = ob->tls_privatekey;
DEBUG(D_tls)
uschar * pkey = ob->tls_privatekey;
DEBUG(D_tls)
- debug_printf("TLS: preloading client certs for transport '%s'\n",
t->
name);
+ debug_printf("TLS: preloading client certs for transport '%s'\n",
tr
name);
if ( tls_add_certfile(ctx, &tpt_dummy_state, ob->tls_certificate,
&dummy_errstr) == 0
if ( tls_add_certfile(ctx, &tpt_dummy_state, ob->tls_certificate,
&dummy_errstr) == 0
@@
-1939,7
+1948,7
@@
if ( opt_set_and_noexpand(ob->tls_certificate)
}
else
DEBUG(D_tls)
}
else
DEBUG(D_tls)
- debug_printf("TLS: not preloading client certs, for transport '%s'\n", t
->
name);
+ debug_printf("TLS: not preloading client certs, for transport '%s'\n", t
r
name);
if ( opt_set_and_noexpand(ob->tls_verify_certificates)
if ( opt_set_and_noexpand(ob->tls_verify_certificates)
@@
-1953,7
+1962,7
@@
if ( opt_set_and_noexpand(ob->tls_verify_certificates)
{
uschar * v_certs = ob->tls_verify_certificates;
DEBUG(D_tls)
{
uschar * v_certs = ob->tls_verify_certificates;
DEBUG(D_tls)
- debug_printf("TLS: preloading CA bundle for transport '%s'\n", t
->
name);
+ debug_printf("TLS: preloading CA bundle for transport '%s'\n", t
r
name);
if (setup_certs(ctx, &v_certs,
ob->tls_crl, dummy_host, &dummy_errstr) == OK)
if (setup_certs(ctx, &v_certs,
ob->tls_crl, dummy_host, &dummy_errstr) == OK)
@@
-1962,7
+1971,7
@@
if ( opt_set_and_noexpand(ob->tls_verify_certificates)
}
else
DEBUG(D_tls)
}
else
DEBUG(D_tls)
-
debug_printf("TLS: not preloading CA bundle, for transport '%s'\n", t->
name);
+
debug_printf("TLS: not preloading CA bundle, for transport '%s'\n", tr
name);
#endif /*EXIM_HAVE_INOTIFY*/
}
#endif /*EXIM_HAVE_INOTIFY*/
}
@@
-1986,21
+1995,11
@@
state_server.u_ocsp.server.file_expanded = NULL;
static void
tls_client_creds_invalidate(transport_instance * t)
{
static void
tls_client_creds_invalidate(transport_instance * t)
{
-smtp_transport_options_block * ob = t->options_block;
+smtp_transport_options_block * ob = t->
drinst.
options_block;
SSL_CTX_free(ob->tls_preload.lib_ctx);
ob->tls_preload = null_tls_preload;
}
SSL_CTX_free(ob->tls_preload.lib_ctx);
ob->tls_preload = null_tls_preload;
}
-#else
-
-static void
-tls_server_creds_invalidate(void)
-{ return; }
-
-static void
-tls_client_creds_invalidate(transport_instance * t)
-{ return; }
-
#endif /*EXIM_HAVE_INOTIFY*/
#endif /*EXIM_HAVE_INOTIFY*/
@@
-2399,7
+2398,7
@@
for (int pos = 0, siz; pos < inlen; pos += siz+1)
if (pos + 1 + siz > inlen) siz = inlen - pos - 1;
g = string_append_listele_n(g, ':', in + pos + 1, siz);
}
if (pos + 1 + siz > inlen) siz = inlen - pos - 1;
g = string_append_listele_n(g, ':', in + pos + 1, siz);
}
-log_write(0, LOG_MAIN, "TLS ALPN (%
s) rejected", string_from_gstring(g)
);
+log_write(0, LOG_MAIN, "TLS ALPN (%
Y) rejected", g
);
gstring_release_unused(g);
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
gstring_release_unused(g);
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
@@
-2437,7
+2436,7
@@
tls_in.ocsp = OCSP_NOT_RESP;
if (!olist)
return SSL_TLSEXT_ERR_NOACK;
if (!olist)
return SSL_TLSEXT_ERR_NOACK;
-#ifdef EXIM_HAVE_OPESSL_GET0_SERIAL
+#ifdef EXIM_HAVE_OPE
N
SSL_GET0_SERIAL
{
const X509 * cert_sent = SSL_get_certificate(s);
const ASN1_INTEGER * cert_serial = X509_get0_serialNumber(cert_sent);
{
const X509 * cert_sent = SSL_get_certificate(s);
const ASN1_INTEGER * cert_serial = X509_get0_serialNumber(cert_sent);
@@
-2600,7
+2599,7
@@
if (!(bs = OCSP_response_get1_basic(rsp)))
asking for certificate-status under DANE, so this callback won't run for
that combination. It still will for non-DANE. */
asking for certificate-status under DANE, so this callback won't run for
that combination. It still will for non-DANE. */
-#if
def EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_SIGNER
+#if
defined(EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_SIGNER) && defined(SUPPORT_DANE)
X509 * signer;
if ( tls_out.dane_verified
X509 * signer;
if ( tls_out.dane_verified
@@
-2641,7
+2640,7
@@
if (!(bs = OCSP_response_get1_basic(rsp)))
debug_printf("certs contained in basicresp:\n");
x509_stack_dump_cert_s_names(
debug_printf("certs contained in basicresp:\n");
x509_stack_dump_cert_s_names(
-#ifdef EXIM_HAVE_OPESSL_OCSP_RESP_GET0_CERTS
+#ifdef EXIM_HAVE_OPE
N
SSL_OCSP_RESP_GET0_CERTS
OCSP_resp_get0_certs(bs)
#else
bs->certs
OCSP_resp_get0_certs(bs)
#else
bs->certs
@@
-3499,7
+3498,7
@@
static uschar peerdn[256];
if (tls_in.active.sock >= 0)
{
tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
if (tls_in.active.sock >= 0)
{
tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
- smtp_printf("554 Already in TLS\r\n",
FALS
E);
+ smtp_printf("554 Already in TLS\r\n",
SP_NO_MOR
E);
return FAIL;
}
return FAIL;
}
@@
-3619,7
+3618,7
@@
mode, the fflush() happens when smtp_getc() is called. */
SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
if (!tls_in.on_connect)
{
SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
if (!tls_in.on_connect)
{
- smtp_printf("220 TLS go ahead\r\n",
FALS
E);
+ smtp_printf("220 TLS go ahead\r\n",
SP_NO_MOR
E);
fflush(smtp_out);
}
fflush(smtp_out);
}
@@
-3935,7
+3934,7
@@
if (tlsp->host_resumable)
tlsp->resumption |= RESUME_CLIENT_REQUESTED;
DEBUG(D_tls)
debug_printf("checking for resumable session for %s\n", tlsp->resume_index);
tlsp->resumption |= RESUME_CLIENT_REQUESTED;
DEBUG(D_tls)
debug_printf("checking for resumable session for %s\n", tlsp->resume_index);
- if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
+ if ((dbm_file = dbfn_open(US"tls", O_RDWR
|O_CREAT
, &dbblock, FALSE, FALSE)))
{
if ((dt = dbfn_read_with_length(dbm_file, tlsp->resume_index, &len)))
{
{
if ((dt = dbfn_read_with_length(dbm_file, tlsp->resume_index, &len)))
{
@@
-4018,7
+4017,7
@@
if (SSL_SESSION_is_resumable(ss)) /* 1.1.1 */
dt->ocsp = tlsp->ocsp;
(void) i2d_SSL_SESSION(ss, &s); /* s gets bumped to end */
dt->ocsp = tlsp->ocsp;
(void) i2d_SSL_SESSION(ss, &s); /* s gets bumped to end */
- if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
+ if ((dbm_file = dbfn_open(US"tls", O_RDWR
|O_CREAT
, &dbblock, FALSE, FALSE)))
{
dbfn_write(dbm_file, tlsp->resume_index, dt, dlen);
dbfn_close(dbm_file);
{
dbfn_write(dbm_file, tlsp->resume_index, dt, dlen);
dbfn_close(dbm_file);
@@
-4152,7
+4151,7
@@
tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
host_item * host = conn_args->host; /* for msgs and option-tests */
transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
smtp_transport_options_block * ob = tb
host_item * host = conn_args->host; /* for msgs and option-tests */
transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
smtp_transport_options_block * ob = tb
- ?
(smtp_transport_options_block *)tb->
options_block
+ ?
tb->drinst.
options_block
: &smtp_transport_option_defaults;
exim_openssl_client_tls_ctx * exim_client_ctx;
uschar * expciphers;
: &smtp_transport_option_defaults;
exim_openssl_client_tls_ctx * exim_client_ctx;
uschar * expciphers;
@@
-4527,10
+4526,15
@@
switch(error)
/* Handle genuine errors */
case SSL_ERROR_SSL:
/* Handle genuine errors */
case SSL_ERROR_SSL:
+ {
+ uschar * conn_info = smtp_get_connection_info();
+ if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;
+ /* I'd like to get separated H= here, but too hard for now */
ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
- log_write(0, LOG_MAIN, "TLS error (SSL_read):
%s"
, ssl_errstring);
+ log_write(0, LOG_MAIN, "TLS error (SSL_read):
on %s %s", conn_info
, ssl_errstring);
ssl_xfer_error = TRUE;
return FALSE;
ssl_xfer_error = TRUE;
return FALSE;
+ }
default:
DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
default:
DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
@@
-4541,7
+4545,7
@@
switch(error)
}
#ifndef DISABLE_DKIM
}
#ifndef DISABLE_DKIM
-
dkim_exim
_verify_feed(ssl_xfer_buffer, inbytes);
+
smtp
_verify_feed(ssl_xfer_buffer, inbytes);
#endif
ssl_xfer_buffer_hwm = inbytes;
ssl_xfer_buffer_lwm = 0;
#endif
ssl_xfer_buffer_hwm = inbytes;
ssl_xfer_buffer_lwm = 0;
@@
-4611,7
+4615,7
@@
int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
if (n > lim)
n = lim;
if (n > 0)
if (n > lim)
n = lim;
if (n > 0)
-
dkim_exim
_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
+
smtp
_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
#endif
}
#endif
}
@@
-5157,8
+5161,7
@@
if (!expand_check(option_spec, US"openssl_options", &exp, &end))
for (uschar * s = exp; *s; /**/)
{
for (uschar * s = exp; *s; /**/)
{
- while (isspace(*s)) ++s;
- if (*s == '\0')
+ if (!Uskip_whitespace(&s))
break;
if (*s != '+' && *s != '-')
{
break;
if (*s != '+' && *s != '-')
{
@@
-5167,7
+5170,8
@@
for (uschar * s = exp; *s; /**/)
return FALSE;
}
adding = *s++ == '+';
return FALSE;
}
adding = *s++ == '+';
- for (end = s; *end && !isspace(*end); ) end++;
+ end = s;
+ Uskip_nonwhite(&end);
item_parsed = tls_openssl_one_option_parse(string_copyn(s, end-s), &item);
if (!item_parsed)
{
item_parsed = tls_openssl_one_option_parse(string_copyn(s, end-s), &item);
if (!item_parsed)
{
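Review bot: In the hunk at @@ -1203,8 +1208,11 @@ the new ` DEBUG(D_tls|D_lookup) debug_printf_indent(" yes\n");` is also reached through the branch that has just executed `name = NULL;` (presumably the X509_check_host() rc < 0 internal-error path, judging by the log_write arguments above it), so the debug trace reports a hostname match while the function goes on to treat the name as unmatched. That trace is the first thing read when diagnosing a certificate-verification failure, so it should not contradict the log line written a few statements earlier. Suggest `DEBUG(D_tls|D_lookup) debug_printf_indent(name ? " yes\n" : " error\n");` in place of the added line. The enclosing function starts and ends outside the hunk, so the surrounding loop and the later `if (!name)` handling cannot be checked from here.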