Merge branch '4.next'

[users/heiko/exim.git] / src / src / tls-openssl.c

diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 9816f734f3018a0bcf0638139c759a9dc144d7fa..7735bd971e80b493d776d5164d2f98672a1e161f 100644 (file)
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -94,6 +94,10 @@ functions from the OpenSSL library. */
 # define DISABLE_OCSP
 #endif
 
 # define DISABLE_OCSP
 #endif
 

+#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
+# include <openssl/x509v3.h>
+#endif
+

 /* Structure for collecting random data for seeding. */
 
 typedef struct randstuff {
 /* Structure for collecting random data for seeding. */
 
 typedef struct randstuff {


@@ -147,8 +151,8 @@ static BOOL reexpand_tls_files_for_sni = FALSE;
 typedef struct tls_ext_ctx_cb {
   uschar *certificate;
   uschar *privatekey;
 typedef struct tls_ext_ctx_cb {
   uschar *certificate;
   uschar *privatekey;

-#ifndef DISABLE_OCSP

   BOOL is_server;
   BOOL is_server;

+#ifndef DISABLE_OCSP

   STACK_OF(X509) *verify_stack;                /* chain for verifying the proof */
   union {
     struct {
   STACK_OF(X509) *verify_stack;                /* chain for verifying the proof */
   union {
     struct {


@@ -933,7 +937,7 @@ if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX
   }
 
 supply_response:
   }
 
 supply_response:

-  cbinfo->u_ocsp.server.response = resp;
+  cbinfo->u_ocsp.server.response = resp;       /*XXX stack?*/

 return;
 
 bad:
 return;
 
 bad:


@@ -941,7 +945,7 @@ bad:
     {
     extern char ** environ;
     uschar ** p;
     {
     extern char ** environ;
     uschar ** p;

-    if (environ) for (p = USS environ; *p != NULL; p++)
+    if (environ) for (p = USS environ; *p; p++)

       if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
        {
        DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
       if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
        {
        DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");


@@ -1130,6 +1134,7 @@ else
 #ifndef DISABLE_OCSP
 if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
   {
 #ifndef DISABLE_OCSP
 if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
   {

+  /*XXX stack*/

   if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded, errstr))
     return DEFER;
 
   if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded, errstr))
     return DEFER;
 


@@ -1267,9 +1272,15 @@ static int
 tls_server_stapling_cb(SSL *s, void *arg)
 {
 const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
 tls_server_stapling_cb(SSL *s, void *arg)
 {
 const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;

-uschar *response_der;
+uschar *response_der;  /*XXX blob */

 int response_der_len;
 
 int response_der_len;
 

+/*XXX stack: use SSL_get_certificate() to see which cert; from that work
+out which ocsp blob to send.  Unfortunately, SSL_get_certificate is known
+buggy in current OpenSSL; it returns the last cert loaded always rather than
+the one actually presented.  So we can't support a stack of OCSP proofs at
+this time. */
+

 DEBUG(D_tls)
   debug_printf("Received TLS status request (OCSP stapling); %s response\n",
     cbinfo->u_ocsp.server.response ? "have" : "lack");
 DEBUG(D_tls)
   debug_printf("Received TLS status request (OCSP stapling); %s response\n",
     cbinfo->u_ocsp.server.response ? "have" : "lack");


@@ -1279,7 +1290,7 @@ if (!cbinfo->u_ocsp.server.response)
   return SSL_TLSEXT_ERR_NOACK;
 
 response_der = NULL;
   return SSL_TLSEXT_ERR_NOACK;
 
 response_der = NULL;

-response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response,
+response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response,   /*XXX stack*/

                      &response_der);
 if (response_der_len <= 0)
   return SSL_TLSEXT_ERR_NOACK;
                      &response_der);
 if (response_der_len <= 0)
   return SSL_TLSEXT_ERR_NOACK;


@@ -1471,7 +1482,7 @@ static int
 tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
   uschar *privatekey,
 #ifndef DISABLE_OCSP
 tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
   uschar *privatekey,
 #ifndef DISABLE_OCSP

-  uschar *ocsp_file,
+  uschar *ocsp_file,   /*XXX stack, in server*/

 #endif
   address_item *addr, tls_ext_ctx_cb ** cbp, uschar ** errstr)
 {
 #endif
   address_item *addr, tls_ext_ctx_cb ** cbp, uschar ** errstr)
 {


@@ -1483,9 +1494,10 @@ tls_ext_ctx_cb * cbinfo;
 cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
 cbinfo->certificate = certificate;
 cbinfo->privatekey = privatekey;
 cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
 cbinfo->certificate = certificate;
 cbinfo->privatekey = privatekey;

+cbinfo->is_server = host==NULL;

 #ifndef DISABLE_OCSP
 cbinfo->verify_stack = NULL;
 #ifndef DISABLE_OCSP
 cbinfo->verify_stack = NULL;

-if ((cbinfo->is_server = host==NULL))
+if (!host)

   {
   cbinfo->u_ocsp.server.file = ocsp_file;
   cbinfo->u_ocsp.server.file_expanded = NULL;
   {
   cbinfo->u_ocsp.server.file = ocsp_file;
   cbinfo->u_ocsp.server.file_expanded = NULL;


@@ -1941,7 +1953,7 @@ the error. */
 
 rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
 #ifndef DISABLE_OCSP
 
 rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
 #ifndef DISABLE_OCSP

-    tls_ocsp_file,
+    tls_ocsp_file,     /*XXX stack*/

 #endif
     NULL, &server_static_cbinfo, errstr);
 if (rc != OK) return rc;
 #endif
     NULL, &server_static_cbinfo, errstr);
 if (rc != OK) return rc;