"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "src/mx/xtls.c" between
s-nail-14.9.18.tar.xz and s-nail-14.9.19.tar.xz

About: S-nail is a mail processing system intended to provide the functionality of the POSIX mailx command and offers extensions for line editing, IDNA, MIME, S/MIME, SMTP and POP3 (and IMAP). It is usable as a mail batch language.

xtls.c  (s-nail-14.9.18.tar.xz):xtls.c  (s-nail-14.9.19.tar.xz)
/*@ S-nail - a mail user agent derived from Berkeley Mail. /*@ S-nail - a mail user agent derived from Berkeley Mail.
*@ OpenSSL client implementation according to: John Viega, Matt Messier, *@ OpenSSL client implementation according to: John Viega, Matt Messier,
*@ Pravir Chandra: Network Security with OpenSSL. Sebastopol, CA 2002. *@ Pravir Chandra: Network Security with OpenSSL. Sebastopol, CA 2002.
*@ TODO This needs an overhaul -- there _are_ stack leaks!?
* *
* Copyright (c) 2000-2004 Gunnar Ritter, Freiburg i. Br., Germany. * Copyright (c) 2000-2004 Gunnar Ritter, Freiburg i. Br., Germany.
* Copyright (c) 2012 - 2020 Steffen (Daode) Nurpmeso <steffen@sdaoden.eu>. * Copyright (c) 2012 - 2020 Steffen (Daode) Nurpmeso <steffen@sdaoden.eu>.
* SPDX-License-Identifier: BSD-4-Clause TODO ISC * SPDX-License-Identifier: BSD-4-Clause TODO ISC
*/ */
/* /*
* Copyright (c) 2002 * Copyright (c) 2002
* Gunnar Ritter. All rights reserved. * Gunnar Ritter. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
skipping to change at line 51 skipping to change at line 50
*/ */
#undef su_FILE #undef su_FILE
#define su_FILE xtls #define su_FILE xtls
#define mx_SOURCE #define mx_SOURCE
#ifndef mx_HAVE_AMALGAMATION #ifndef mx_HAVE_AMALGAMATION
# include "mx/nail.h" # include "mx/nail.h"
#endif #endif
su_EMPTY_FILE() su_EMPTY_FILE()
#ifdef mx_HAVE_XTLS #ifdef mx_HAVE_XTLS /* Shorthand for mx_HAVE_TLS==mx_TLS_IMPL{...} */
#include <sys/socket.h> #include <sys/socket.h>
#include <openssl/crypto.h> #include <openssl/crypto.h>
#include <openssl/err.h> #include <openssl/err.h>
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/opensslv.h> #include <openssl/opensslv.h>
#include <openssl/pem.h> #include <openssl/pem.h>
#include <openssl/rand.h> #include <openssl/rand.h>
#include <openssl/ssl.h> #include <openssl/ssl.h>
#include <openssl/x509v3.h> #include <openssl/x509v3.h>
#include <openssl/x509.h> #include <openssl/x509.h>
#ifdef mx_HAVE_XTLS_CONFIG #ifdef mx_XTLS_HAVE_CONFIG
# include <openssl/conf.h> # include <openssl/conf.h>
#endif #endif
#ifdef mx_XTLS_HAVE_SET_RESEED_DEFAULTS
# include <openssl/rand_drbg.h>
#endif
#if defined X509_V_FLAG_CRL_CHECK && defined X509_V_FLAG_CRL_CHECK_ALL #if defined X509_V_FLAG_CRL_CHECK && defined X509_V_FLAG_CRL_CHECK_ALL
# include <dirent.h> # include <dirent.h>
#endif #endif
#include <su/cs.h> #include <su/cs.h>
#include <su/mem.h> #include <su/mem.h>
#include "mx/cred-auth.h" #include "mx/cred-auth.h"
#include "mx/file-streams.h" #include "mx/file-streams.h"
#include "mx/names.h" #include "mx/names.h"
#include "mx/net-socket.h" #include "mx/net-socket.h"
#include "mx/random.h" #include "mx/random.h"
#include "mx/tty.h" #include "mx/tty.h"
#include "mx/url.h" #include "mx/url.h"
/* TODO fake */ /* TODO fake */
#include "su/code-in.h" #include "su/code-in.h"
/* Compatibility shims which assume 0/-1 cannot really happen */ /* Compatibility shims which assume 0/-1 cannot really happen */
/* Always for _protocols #ifndef mx_HAVE_XTLS_CONF_CTX */ /* Always for _protocols #ifndef mx_XTLS_HAVE_CONF_CTX */
# ifndef SSL_OP_NO_SSLv2 # ifndef SSL_OP_NO_SSLv2
# define SSL_OP_NO_SSLv2 0 # define SSL_OP_NO_SSLv2 0
# endif # endif
# ifndef SSL_OP_NO_SSLv3 # ifndef SSL_OP_NO_SSLv3
# define SSL_OP_NO_SSLv3 0 # define SSL_OP_NO_SSLv3 0
# endif # endif
# ifndef SSL_OP_NO_TLSv1 # ifndef SSL_OP_NO_TLSv1
# define SSL_OP_NO_TLSv1 0 # define SSL_OP_NO_TLSv1 0
# endif # endif
# ifndef SSL_OP_NO_TLSv1_1 # ifndef SSL_OP_NO_TLSv1_1
skipping to change at line 134 skipping to change at line 136
# define TLS1_1_VERSION 0 # define TLS1_1_VERSION 0
# endif # endif
# ifndef TLS1_2_VERSION # ifndef TLS1_2_VERSION
# define TLS1_2_VERSION 0 # define TLS1_2_VERSION 0
# endif # endif
# ifndef TLS1_3_VERSION # ifndef TLS1_3_VERSION
# define TLS1_3_VERSION 0 # define TLS1_3_VERSION 0
# endif # endif
/* #endif */ /* #endif */
#ifdef mx_HAVE_XTLS_STACK_OF #ifdef mx_XTLS_HAVE_STACK_OF
# define n_XTLS_STACKOF(X) STACK_OF(X) # define a_XTLS_STACKOF(X) STACK_OF(X)
#else #else
# define n_XTLS_STACKOF(X) /*X*/STACK # define a_XTLS_STACKOF(X) /*X*/STACK
#endif #endif
#ifdef mx_HAVE_TLS_RAND_FILE #ifdef mx_XTLS_HAVE_RAND_FILE
# if OPENSSL_VERSION_NUMBER + 0 >= 0x0090581fL # if OPENSSL_VERSION_NUMBER + 0 >= 0x0090581fL
# define a_XTLS_RAND_LOAD_FILE_MAXBYTES -1 # define a_XTLS_RAND_LOAD_FILE_MAXBYTES -1
# else # else
# define a_XTLS_RAND_LOAD_FILE_MAXBYTES 1024 # define a_XTLS_RAND_LOAD_FILE_MAXBYTES 1024
# endif # endif
#endif #endif
/* Compatibility sighs (that sigh is _really_ a cute one) */ /* More cute compatibility sighs */
#if mx_HAVE_XTLS_OPENSSL >= 0x10100 #if mx_HAVE_XTLS >= 0x10100
# define a_xtls_X509_get_notBefore X509_get0_notBefore # define a_xtls_X509_get_notBefore X509_get0_notBefore
# define a_xtls_X509_get_notAfter X509_get0_notAfter # define a_xtls_X509_get_notAfter X509_get0_notAfter
# define a_xtls_SSL_get_verified_chain SSL_get0_verified_chain
#else #else
# define a_xtls_X509_get_notBefore X509_get_notBefore # define a_xtls_X509_get_notBefore X509_get_notBefore
# define a_xtls_X509_get_notAfter X509_get_notAfter # define a_xtls_X509_get_notAfter X509_get_notAfter
# define a_xtls_SSL_get_verified_chain SSL_get_peer_cert_chain
#endif #endif
/* X509_STORE_set_flags */ /* X509_STORE_set_flags */
#undef a_XTLS_X509_V_ANY #undef a_XTLS_X509_V_ANY
#ifndef X509_V_FLAG_NO_ALT_CHAINS #ifndef X509_V_FLAG_NO_ALT_CHAINS
# define X509_V_FLAG_NO_ALT_CHAINS -1 # define X509_V_FLAG_NO_ALT_CHAINS -1
#else #else
# undef a_XTLS_X509_V_ANY # undef a_XTLS_X509_V_ANY
# define a_XTLS_X509_V_ANY # define a_XTLS_X509_V_ANY
#endif #endif
skipping to change at line 196 skipping to change at line 200
# undef a_XTLS_X509_V_ANY # undef a_XTLS_X509_V_ANY
# define a_XTLS_X509_V_ANY # define a_XTLS_X509_V_ANY
#endif #endif
enum a_xtls_state{ enum a_xtls_state{
a_XTLS_S_INIT = 1u<<0, a_XTLS_S_INIT = 1u<<0,
a_XTLS_S_RAND_DRBG_INIT = 1u<<1, a_XTLS_S_RAND_DRBG_INIT = 1u<<1,
a_XTLS_S_RAND_INIT = 1u<<2, a_XTLS_S_RAND_INIT = 1u<<2,
a_XTLS_S_CONF_LOAD = 1u<<3, a_XTLS_S_CONF_LOAD = 1u<<3,
#if mx_HAVE_XTLS_OPENSSL < 0x10100 #if mx_HAVE_XTLS < 0x10100
a_XTLS_S_EXIT_HDL = 1u<<8, a_XTLS_S_EXIT_HDL = 1u<<8,
a_XTLS_S_ALGO_LOAD = 1u<<9, a_XTLS_S_ALGO_LOAD = 1u<<9,
#endif #endif
a_XTLS_S_VERIFY_ERROR = 1u<<16 a_XTLS_S_VERIFY_ERROR = 1u<<16
}; };
struct ssl_method { /* TODO v15 obsolete */ struct ssl_method { /* TODO v15 obsolete */
char const sm_name[8]; char const sm_name[8];
char const sm_map[16]; char const sm_map[16];
skipping to change at line 291 skipping to change at line 295
static struct a_xtls_cipher const a_xtls_smime_ciphers_obs[] = { static struct a_xtls_cipher const a_xtls_smime_ciphers_obs[] = {
{"AES-128", &EVP_aes_128_cbc}, {"AES-128", &EVP_aes_128_cbc},
{"AES-256", &EVP_aes_256_cbc}, {"AES-256", &EVP_aes_256_cbc},
{"AES-192", &EVP_aes_192_cbc} {"AES-192", &EVP_aes_192_cbc}
}; };
#endif #endif
/* Supported S/MIME message digest algorithms. /* Supported S/MIME message digest algorithms.
* Update manual on default changes! */ * Update manual on default changes! */
static struct a_xtls_digest const a_xtls_digests[] = { /*Manual!*/ static struct a_xtls_digest const a_xtls_digests[] = { /*Manual!*/
#ifdef mx_HAVE_XTLS_BLAKE2 #ifdef mx_XTLS_HAVE_BLAKE2
{"BLAKE2b512\0", &EVP_blake2b512}, {"BLAKE2b512\0", &EVP_blake2b512},
{"BLAKE2s256", &EVP_blake2s256}, {"BLAKE2s256", &EVP_blake2s256},
# ifndef a_XTLS_FINGERPRINT_DEFAULT_DIGEST # ifndef a_XTLS_FINGERPRINT_DEFAULT_DIGEST
# define a_XTLS_FINGERPRINT_DEFAULT_DIGEST EVP_blake2s256 # define a_XTLS_FINGERPRINT_DEFAULT_DIGEST EVP_blake2s256
# define a_XTLS_FINGERPRINT_DEFAULT_DIGEST_S "BLAKE2s256" # define a_XTLS_FINGERPRINT_DEFAULT_DIGEST_S "BLAKE2s256"
# endif # endif
#endif #endif
#ifdef mx_HAVE_XTLS_SHA3 #ifdef mx_XTLS_HAVE_SHA3
{"SHA3-512\0", &EVP_sha3_512}, {"SHA3-512\0", &EVP_sha3_512},
{"SHA3-384", &EVP_sha3_384}, {"SHA3-384", &EVP_sha3_384},
{"SHA3-256", &EVP_sha3_256}, {"SHA3-256", &EVP_sha3_256},
{"SHA3-224", &EVP_sha3_224}, {"SHA3-224", &EVP_sha3_224},
#endif #endif
#ifndef OPENSSL_NO_SHA512 #ifndef OPENSSL_NO_SHA512
{"SHA512\0", &EVP_sha512}, {"SHA512\0", &EVP_sha512},
{"SHA384", &EVP_sha384}, {"SHA384", &EVP_sha384},
# ifndef a_XTLS_SMIME_DEFAULT_DIGEST # ifndef a_XTLS_SMIME_DEFAULT_DIGEST
skipping to change at line 363 skipping to change at line 367
{"no-alt-chains", X509_V_FLAG_NO_ALT_CHAINS}, {"no-alt-chains", X509_V_FLAG_NO_ALT_CHAINS},
{"no-check-time", X509_V_FLAG_NO_CHECK_TIME}, {"no-check-time", X509_V_FLAG_NO_CHECK_TIME},
{"partial-chain", X509_V_FLAG_PARTIAL_CHAIN}, {"partial-chain", X509_V_FLAG_PARTIAL_CHAIN},
{"strict", X509_V_FLAG_X509_STRICT}, {"strict", X509_V_FLAG_X509_STRICT},
{"trusted-first", X509_V_FLAG_TRUSTED_FIRST}, {"trusted-first", X509_V_FLAG_TRUSTED_FIRST},
}; };
static uz a_xtls_state; static uz a_xtls_state;
static uz a_xtls_msgno; static uz a_xtls_msgno;
#if mx_HAVE_XTLS >= 0x30000
DEFINE_STACK_OF(GENERAL_NAME)
DEFINE_STACK_OF(X509)
#endif
/* Special pre-PRNG PRNG init */ /* Special pre-PRNG PRNG init */
#ifdef a_XTLS_S_RAND_DRBG_INIT #ifdef mx_XTLS_HAVE_SET_RESEED_DEFAULTS
su_SINLINE void a_xtls_rand_drbg_init(void); SINLINE void a_xtls_rand_drbg_init(void);
#else #else
# define a_xtls_rand_drbg_init() \ # define a_xtls_rand_drbg_init() \
do {a_xtls_state |= a_XTLS_S_RAND_DRBG_INIT;} while(0) do {a_xtls_state |= a_XTLS_S_RAND_DRBG_INIT;} while(0)
#endif #endif
/* PRNG init */ /* PRNG init */
#ifdef mx_HAVE_TLS_RAND_FILE #ifdef mx_XTLS_HAVE_RAND_FILE
static void a_xtls_rand_init(void); static void a_xtls_rand_init(void);
#else #else
# define a_xtls_rand_init() \ # define a_xtls_rand_init() \
do {a_xtls_state |= a_XTLS_S_RAND_INIT;} while(0) do {a_xtls_state |= a_XTLS_S_RAND_INIT;} while(0)
#endif #endif
/* Library init */ /* Library init */
static void a_xtls_init(void); static void a_xtls_init(void);
#if mx_HAVE_XTLS_OPENSSL < 0x10100 #if mx_HAVE_XTLS < 0x10100
# ifdef mx_HAVE_TLS_ALL_ALGORITHMS # ifdef mx_HAVE_TLS_ALL_ALGORITHMS
static void a_xtls__load_algos(void); static void a_xtls__load_algos(void);
# define a_xtls_load_algos a_xtls__load_algos # define a_xtls_load_algos a_xtls__load_algos
# endif # endif
# if defined mx_HAVE_XTLS_CONFIG || defined mx_HAVE_TLS_ALL_ALGORITHMS # if defined mx_XTLS_HAVE_CONFIG || defined mx_HAVE_TLS_ALL_ALGORITHMS
static void a_xtls_atexit(void); static void a_xtls_atexit(void);
# endif # endif
#endif #endif
#ifndef a_xtls_load_algos #ifndef a_xtls_load_algos
# define a_xtls_load_algos() do{;}while(0) # define a_xtls_load_algos() do{;}while(0)
#endif #endif
static boole a_xtls_parse_asn1_time(ASN1_TIME const *atp, static boole a_xtls_parse_asn1_time(ASN1_TIME const *atp,
char *bdat, uz blen); char *bdat, uz blen);
static int a_xtls_verify_cb(int success, X509_STORE_CTX *store); static int a_xtls_verify_cb(int success, X509_STORE_CTX *store);
skipping to change at line 419 skipping to change at line 428
static boole a_xtls_obsolete_conf_vars(void *confp, struct mx_url const *urlp); static boole a_xtls_obsolete_conf_vars(void *confp, struct mx_url const *urlp);
static boole a_xtls_config_pairs(void *confp, struct mx_url const *urlp); static boole a_xtls_config_pairs(void *confp, struct mx_url const *urlp);
static boole a_xtls_load_verifications(SSL_CTX *ctxp, static boole a_xtls_load_verifications(SSL_CTX *ctxp,
struct mx_url const *urlp); struct mx_url const *urlp);
static boole a_xtls_check_host(struct mx_socket *sp, X509 *peercert, static boole a_xtls_check_host(struct mx_socket *sp, X509 *peercert,
struct mx_url const *urlp); struct mx_url const *urlp);
static int smime_verify(struct message *m, int n, static int smime_verify(struct message *m, int n,
n_XTLS_STACKOF(X509) *chain, X509_STORE *store); a_XTLS_STACKOF(X509) *chain, X509_STORE *store);
static EVP_CIPHER const * _smime_cipher(char const *name); static EVP_CIPHER const * _smime_cipher(char const *name);
static int ssl_password_cb(char *buf, int size, int rwflag, static int ssl_password_cb(char *buf, int size, int rwflag,
void *userdata); void *userdata);
static FILE * smime_sign_cert(char const *xname, char const *xname2, static FILE * smime_sign_cert(char const *xname, char const *xname2,
boole dowarn, char const **match, boole fallback_from); boole dowarn, char const **match, boole fallback_from);
static char const * _smime_sign_include_certs(char const *name); static char const * _smime_sign_include_certs(char const *name);
static boole _smime_sign_include_chain_creat(n_XTLS_STACKOF(X509) **chain, static boole _smime_sign_include_chain_creat(a_XTLS_STACKOF(X509) **chain,
char const *cfiles, char const *addr); char const *cfiles, char const *addr);
static EVP_MD const *a_xtls_smime_sign_digest(char const *name, static EVP_MD const *a_xtls_smime_sign_digest(char const *name,
char const **digname); char const **digname);
#if defined X509_V_FLAG_CRL_CHECK && defined X509_V_FLAG_CRL_CHECK_ALL #if defined X509_V_FLAG_CRL_CHECK && defined X509_V_FLAG_CRL_CHECK_ALL
static enum okay load_crl1(X509_STORE *store, char const *name); static enum okay load_crl1(X509_STORE *store, char const *name);
#endif #endif
static enum okay load_crls(X509_STORE *store, enum okeys fok, enum okeys dok); static enum okay load_crls(X509_STORE *store, enum okeys fok, enum okeys dok);
#ifdef a_XTLS_S_RAND_DRBG_INIT #ifdef mx_XTLS_HAVE_SET_RESEED_DEFAULTS
su_SINLINE void SINLINE void
a_xtls_rand_drbg_init(void){ a_xtls_rand_drbg_init(void){
(void)RAND_DRBG_set_reseed_defaults(0, 0, 0, 0); /* (does not fail here) */ (void)RAND_DRBG_set_reseed_defaults(0, 0, 0, 0); /* (does not fail here) */
a_xtls_state |= a_XTLS_S_RAND_DRBG_INIT; a_xtls_state |= a_XTLS_S_RAND_DRBG_INIT;
} }
#endif #endif
#ifdef mx_HAVE_TLS_RAND_FILE #ifdef mx_XTLS_HAVE_RAND_FILE
static void static void
a_xtls_rand_init(void){ a_xtls_rand_init(void){
# define a_XTLS_RAND_ENTROPY 32 # define a_XTLS_RAND_ENTROPY 32
char b64buf[a_XTLS_RAND_ENTROPY * 5 +1], *randfile; char b64buf[a_XTLS_RAND_ENTROPY * 5 +1], *randfile;
char const *cp, *x; char const *cp, *x;
boole err; boole err;
NYD2_IN; NYD2_IN;
a_xtls_rand_drbg_init(); a_xtls_rand_drbg_init();
a_xtls_state |= a_XTLS_S_RAND_INIT; a_xtls_state |= a_XTLS_S_RAND_INIT;
# ifdef mx_HAVE_XTLS_CONFIG # ifdef mx_XTLS_HAVE_CONFIG
if(!(a_xtls_state & a_XTLS_S_INIT)) if(!(a_xtls_state & a_XTLS_S_INIT))
a_xtls_init(); a_xtls_init();
# endif # endif
err = TRU1; err = TRU1;
randfile = NULL; randfile = NULL;
/* Prefer possible user setting */ /* Prefer possible user setting */
if((cp = ok_vlook(tls_rand_file)) != NULL || if((cp = ok_vlook(tls_rand_file)) != NULL ||
(cp = ok_vlook(ssl_rand_file)) != NULL){ (cp = ok_vlook(ssl_rand_file)) != NULL){
skipping to change at line 523 skipping to change at line 532
if(randfile != NULL) if(randfile != NULL)
n_lofi_free(randfile); n_lofi_free(randfile);
if(err) if(err)
n_panic(_("Cannot seed the *TLS PseudoRandomNumberGenerator, " n_panic(_("Cannot seed the *TLS PseudoRandomNumberGenerator, "
"RAND_status() is 0!\n" "RAND_status() is 0!\n"
" Please set *tls-rand-file* to a file with sufficient entropy.\n" " Please set *tls-rand-file* to a file with sufficient entropy.\n"
" On a machine with entropy: " " On a machine with entropy: "
"\"$ dd if=/dev/urandom of=FILE bs=1024 count=1\"\n")); "\"$ dd if=/dev/urandom of=FILE bs=1024 count=1\"\n"));
NYD2_OU; NYD2_OU;
} }
#endif /* mx_HAVE_TLS_RAND_FILE */ #endif /* mx_XTLS_HAVE_RAND_FILE */
static void static void
a_xtls_init(void){ a_xtls_init(void){
#ifdef mx_HAVE_XTLS_CONFIG #ifdef mx_XTLS_HAVE_CONFIG
char const *cp; char const *cp;
#endif #endif
NYD2_IN; NYD2_IN;
if(a_xtls_state & a_XTLS_S_INIT) if(a_xtls_state & a_XTLS_S_INIT)
goto jleave; goto jleave;
#if mx_HAVE_XTLS_OPENSSL >= 0x10100 #if mx_HAVE_XTLS >= 0x10100
OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS |
OPENSSL_INIT_LOAD_CRYPTO_STRINGS OPENSSL_INIT_LOAD_CRYPTO_STRINGS
# ifdef mx_HAVE_TLS_ALL_ALGORITHMS # ifdef mx_HAVE_TLS_ALL_ALGORITHMS
| OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS | OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS
# endif # endif
, NULL); , NULL);
#else #else
SSL_load_error_strings(); SSL_load_error_strings();
SSL_library_init(); SSL_library_init();
a_xtls_load_algos(); a_xtls_load_algos();
#endif #endif
a_xtls_state |= a_XTLS_S_INIT; a_xtls_state |= a_XTLS_S_INIT;
a_xtls_rand_drbg_init(); a_xtls_rand_drbg_init();
/* Load openssl.cnf or whatever was given in *tls-config-file* */ /* Load openssl.cnf or whatever was given in *tls-config-file* */
#ifdef mx_HAVE_XTLS_CONFIG #ifdef mx_XTLS_HAVE_CONFIG
if((cp = ok_vlook(tls_config_file)) != NULL || if((cp = ok_vlook(tls_config_file)) != NULL ||
(cp = ok_vlook(ssl_config_file)) != NULL){ (cp = ok_vlook(ssl_config_file)) != NULL){
char const *msg; char const *msg;
ul flags; ul flags;
if(*cp == '\0'){ if(*cp == '\0'){
msg = "[default]"; msg = "[default]";
cp = NULL; cp = NULL;
flags = CONF_MFLAGS_IGNORE_MISSING_FILE; flags = CONF_MFLAGS_IGNORE_MISSING_FILE;
}else if((msg = cp, cp = fexpand(cp, (FEXP_NOPROTO | FEXP_LOCAL_FILE | }else if((msg = cp, cp = fexpand(cp, (FEXP_NOPROTO | FEXP_LOCAL_FILE |
FEXP_NSHELL))) != NIL) FEXP_NSHELL))) != NIL)
flags = 0; flags = 0;
else{ else{
n_err(_("*tls-config-file*: file expansion failed: %s\n"), n_err(_("*tls-config-file*: file expansion failed: %s\n"),
n_shexp_quote_cp(msg, FAL0)); n_shexp_quote_cp(msg, FAL0));
goto jefile; goto jefile;
} }
if(CONF_modules_load_file(cp, n_uagent, flags) == 1){ if(CONF_modules_load_file(cp, n_uagent, flags) == 1){
a_xtls_state |= a_XTLS_S_CONF_LOAD; a_xtls_state |= a_XTLS_S_CONF_LOAD;
# if mx_HAVE_XTLS_OPENSSL < 0x10100 # if mx_HAVE_XTLS < 0x10100
if(!(a_xtls_state & a_XTLS_S_EXIT_HDL)){ if(!(a_xtls_state & a_XTLS_S_EXIT_HDL)){
a_xtls_state |= a_XTLS_S_EXIT_HDL; a_xtls_state |= a_XTLS_S_EXIT_HDL;
atexit(&a_xtls_atexit); /* TODO generic program-wide event mech. */ atexit(&a_xtls_atexit); /* TODO generic program-wide event mech. */
} }
# endif # endif
if(n_poption & n_PO_D_V) if(n_poption & n_PO_D_V)
n_err(_("Loaded TLS configuration for %s from %s\n"), n_uagent, n_err(_("Loaded TLS configuration for %s from %s\n"), n_uagent,
n_shexp_quote_cp(msg, FAL0)); n_shexp_quote_cp(msg, FAL0));
jefile:; jefile:;
}else }else
ssl_gen_err(_("TLS CONF_modules_load_file() load error")); ssl_gen_err(_("TLS CONF_modules_load_file() load error"));
} }
#endif /* mx_HAVE_XTLS_CONFIG */ #endif /* mx_XTLS_HAVE_CONFIG */
if(!(a_xtls_state & a_XTLS_S_RAND_INIT)) if(!(a_xtls_state & a_XTLS_S_RAND_INIT))
a_xtls_rand_init(); a_xtls_rand_init();
jleave: jleave:
NYD2_OU; NYD2_OU;
} }
#if mx_HAVE_XTLS_OPENSSL < 0x10100 #if mx_HAVE_XTLS < 0x10100
# ifdef mx_HAVE_TLS_ALL_ALGORITHMS # ifdef mx_HAVE_TLS_ALL_ALGORITHMS
static void static void
a_xtls__load_algos(void){ a_xtls__load_algos(void){
NYD2_IN; NYD2_IN;
if(!(a_xtls_state & a_XTLS_S_ALGO_LOAD)){ if(!(a_xtls_state & a_XTLS_S_ALGO_LOAD)){
a_xtls_state |= a_XTLS_S_ALGO_LOAD; a_xtls_state |= a_XTLS_S_ALGO_LOAD;
OpenSSL_add_all_algorithms(); OpenSSL_add_all_algorithms();
if(!(a_xtls_state & a_XTLS_S_EXIT_HDL)){ if(!(a_xtls_state & a_XTLS_S_EXIT_HDL)){
a_xtls_state |= a_XTLS_S_EXIT_HDL; a_xtls_state |= a_XTLS_S_EXIT_HDL;
atexit(&a_xtls_atexit); /* TODO generic program-wide event mech. */ atexit(&a_xtls_atexit); /* TODO generic program-wide event mech. */
} }
} }
NYD2_OU; NYD2_OU;
} }
# endif # endif
# if defined mx_HAVE_XTLS_CONFIG || defined mx_HAVE_TLS_ALL_ALGORITHMS # if defined mx_XTLS_HAVE_CONFIG || defined mx_HAVE_TLS_ALL_ALGORITHMS
static void static void
a_xtls_atexit(void){ a_xtls_atexit(void){
NYD2_IN; NYD2_IN;
# ifdef mx_HAVE_XTLS_CONFIG
# ifdef mx_XTLS_HAVE_CONFIG
if(a_xtls_state & a_XTLS_S_CONF_LOAD) if(a_xtls_state & a_XTLS_S_CONF_LOAD)
CONF_modules_free(); CONF_modules_free();
# endif # endif
# ifdef mx_HAVE_TLS_ALL_ALGORITHMS # ifdef mx_HAVE_TLS_ALL_ALGORITHMS
if(a_xtls_state & a_XTLS_S_ALGO_LOAD) if(a_xtls_state & a_XTLS_S_ALGO_LOAD)
EVP_cleanup(); EVP_cleanup();
# endif # endif
NYD2_OU; NYD2_OU;
} }
# endif # endif
#endif /* mx_HAVE_XTLS_OPENSSL < 0x10100 */ #endif /* mx_HAVE_XTLS < 0x10100 */
static boole static boole
a_xtls_parse_asn1_time(ASN1_TIME const *atp, char *bdat, uz blen) a_xtls_parse_asn1_time(ASN1_TIME const *atp, char *bdat, uz blen)
{ {
BIO *mbp; BIO *mbp;
char *mcp; char *mcp;
long l; long l;
NYD_IN; NYD_IN;
mbp = BIO_new(BIO_s_mem()); mbp = BIO_new(BIO_s_mem());
skipping to change at line 772 skipping to change at line 784
n_err(_("*{smime,tls}-ca-flags*: " n_err(_("*{smime,tls}-ca-flags*: "
"directive not supported: %s\n"), cp); "directive not supported: %s\n"), cp);
goto jouter; goto jouter;
} }
n_err(_("*{smime,tls}-ca-flags*: invalid directive: %s\n"), cp); n_err(_("*{smime,tls}-ca-flags*: invalid directive: %s\n"), cp);
} }
} }
NYD2_OU; NYD2_OU;
} }
#ifdef mx_HAVE_XTLS_CONF_CTX #ifdef mx_XTLS_HAVE_CONF_CTX
static void * static void *
a_xtls_conf_setup(SSL_CTX *ctxp, struct mx_url const *urlp){ a_xtls_conf_setup(SSL_CTX *ctxp, struct mx_url const *urlp){
char const *cp; char const *cp;
SSL_CONF_CTX *sccp; SSL_CONF_CTX *sccp;
NYD2_IN; NYD2_IN;
sccp = NULL; sccp = NULL;
if((cp = xok_vlook(tls_config_module, urlp, OXM_ALL)) != NULL || if((cp = xok_vlook(tls_config_module, urlp, OXM_ALL)) != NULL ||
(cp = xok_vlook(ssl_config_module, urlp, OXM_ALL)) != NULL){ (cp = xok_vlook(ssl_config_module, urlp, OXM_ALL)) != NULL){
# ifdef mx_HAVE_XTLS_CTX_CONFIG # ifdef mx_XTLS_HAVE_CTX_CONFIG
if(!(a_xtls_state & a_XTLS_S_CONF_LOAD)){ if(!(a_xtls_state & a_XTLS_S_CONF_LOAD)){
n_err(_("*tls-config-module*: no *tls-config-file* loaded: %s\n"), n_err(_("*tls-config-module*: no *tls-config-file* loaded: %s\n"),
n_shexp_quote_cp(cp, FAL0)); n_shexp_quote_cp(cp, FAL0));
goto jleave; goto jleave;
}else if(!SSL_CTX_config(ctxp, cp)){ }else if(!SSL_CTX_config(ctxp, cp)){
ssl_gen_err(_("*tls-config-module*: load error for %s, section [%s]"), ssl_gen_err(_("*tls-config-module*: load error for %s, section [%s]"),
n_uagent, n_shexp_quote_cp(cp, FAL0)); n_uagent, n_shexp_quote_cp(cp, FAL0));
goto jleave; goto jleave;
} }
# else # else
skipping to change at line 865 skipping to change at line 877
*confp = NULL; *confp = NULL;
if(!(rv = error)) if(!(rv = error))
rv = (SSL_CONF_CTX_finish(sccp) != 0); rv = (SSL_CONF_CTX_finish(sccp) != 0);
SSL_CONF_CTX_free(sccp); SSL_CONF_CTX_free(sccp);
NYD2_OU; NYD2_OU;
return rv; return rv;
} }
#else /* mx_HAVE_XTLS_CONF_CTX */ #else /* mx_XTLS_HAVE_CONF_CTX */
# ifdef mx_HAVE_XTLS_CTX_CONFIG # ifdef mx_XTLS_HAVE_CTX_CONFIG
# error SSL_CTX_config(3) support unexpected without SSL_CONF_CTX support # error SSL_CTX_config(3) support unexpected without SSL_CONF_CTX support
# endif # endif
static void * static void *
a_xtls_conf_setup(SSL_CTX* ctxp, struct mx_url const *urlp){ a_xtls_conf_setup(SSL_CTX* ctxp, struct mx_url const *urlp){
char const *cp; char const *cp;
NYD2_IN; NYD2_IN;
if((cp = xok_vlook(tls_config_module, urlp, OXM_ALL)) != NULL || if((cp = xok_vlook(tls_config_module, urlp, OXM_ALL)) != NULL ||
(cp = xok_vlook(ssl_config_module, urlp, OXM_ALL)) != NULL){ (cp = xok_vlook(ssl_config_module, urlp, OXM_ALL)) != NULL){
skipping to change at line 909 skipping to change at line 921
emsg = N_("TLS: %s: cannot load from file %s\n"); emsg = N_("TLS: %s: cannot load from file %s\n");
goto jerr; goto jerr;
} }
}else if(!su_cs_cmp_case(cmd, xcmd = "CipherString") || }else if(!su_cs_cmp_case(cmd, xcmd = "CipherString") ||
!su_cs_cmp_case(cmd, xcmd = "CipherList")/* XXX bad bug in past! */){ !su_cs_cmp_case(cmd, xcmd = "CipherList")/* XXX bad bug in past! */){
if(SSL_CTX_set_cipher_list(ctxp, value) != 1){ if(SSL_CTX_set_cipher_list(ctxp, value) != 1){
emsg = N_("TLS: %s: invalid: %s\n"); emsg = N_("TLS: %s: invalid: %s\n");
goto jerr; goto jerr;
} }
}else if(!su_cs_cmp_case(cmd, xcmd = "Ciphersuites")){ }else if(!su_cs_cmp_case(cmd, xcmd = "Ciphersuites")){
# ifdef mx_HAVE_XTLS_SET_CIPHERSUITES # ifdef mx_XTLS_HAVE_SET_CIPHERSUITES
if(SSL_CTX_set_ciphersuites(ctxp, value) != 1){ if(SSL_CTX_set_ciphersuites(ctxp, value) != 1){
emsg = N_("TLS: %s: invalid: %s\n"); emsg = N_("TLS: %s: invalid: %s\n");
goto jerr; goto jerr;
} }
# else # else
value = NULL; value = NULL;
emsg = N_("TLS: %s: directive not supported\n"); emsg = N_("TLS: %s: directive not supported\n");
goto jxerr; goto jxerr;
# endif # endif
}else if(!su_cs_cmp_case(cmd, xcmd = "Curves")){ }else if(!su_cs_cmp_case(cmd, xcmd = "Curves")){
skipping to change at line 932 skipping to change at line 944
emsg = N_("TLS: %s: invalid: %s\n"); emsg = N_("TLS: %s: invalid: %s\n");
goto jerr; goto jerr;
} }
# else # else
value = NULL; value = NULL;
emsg = N_("TLS: %s: directive not supported\n"); emsg = N_("TLS: %s: directive not supported\n");
goto jxerr; goto jxerr;
# endif # endif
}else if((emsg = NULL, !su_cs_cmp_case(cmd, xcmd = "MaxProtocol")) || }else if((emsg = NULL, !su_cs_cmp_case(cmd, xcmd = "MaxProtocol")) ||
(emsg = (char*)-1, !su_cs_cmp_case(cmd, xcmd = "MinProtocol"))){ (emsg = (char*)-1, !su_cs_cmp_case(cmd, xcmd = "MinProtocol"))){
# ifndef mx_HAVE_XTLS_SET_MIN_PROTO_VERSION # ifndef mx_XTLS_HAVE_SET_MIN_PROTO_VERSION
value = NULL; value = NULL;
emsg = N_("TLS: %s: directive not supported\n"); emsg = N_("TLS: %s: directive not supported\n");
goto jxerr; goto jxerr;
# else # else
struct a_xtls_protocol const *xpp; struct a_xtls_protocol const *xpp;
for(xpp = &a_xtls_protocols[1] /* [0] == ALL */;;) for(xpp = &a_xtls_protocols[1] /* [0] == ALL */;;)
if(xpp->xp_ok_minmaxproto && !su_cs_cmp_case(value, xpp->xp_name)){ if(xpp->xp_ok_minmaxproto && !su_cs_cmp_case(value, xpp->xp_name)){
if(xpp->xp_op_no == 0 || xpp->xp_version == 0) if(xpp->xp_op_no == 0 || xpp->xp_version == 0)
goto jenoproto; goto jenoproto;
break; break;
}else if((++xpp)->xp_last) }else if((++xpp)->xp_last)
goto jenoproto; goto jenoproto;
if((emsg == NULL ? SSL_CTX_set_max_proto_version(ctxp, xpp->xp_version) if((emsg == NULL ? SSL_CTX_set_max_proto_version(ctxp, xpp->xp_version)
: SSL_CTX_set_min_proto_version(ctxp, xpp->xp_version)) != 1){ : SSL_CTX_set_min_proto_version(ctxp, xpp->xp_version)) != 1){
emsg = N_("TLS: %s: cannot set protocol version: %s\n"); emsg = N_("TLS: %s: cannot set protocol version: %s\n");
goto jerr; goto jerr;
} }
# endif /* !mx_HAVE_XTLS_SET_MIN_PROTO_VERSION */ # endif /* !mx_XTLS_HAVE_SET_MIN_PROTO_VERSION */
}else if(!su_cs_cmp_case(cmd, xcmd = "Options")){ }else if(!su_cs_cmp_case(cmd, xcmd = "Options")){
if(su_cs_cmp_case(value, "Bugs")){ if(su_cs_cmp_case(value, "Bugs")){
emsg = N_("TLS: %s: fallback only supports value \"Bugs\": %s\n"); emsg = N_("TLS: %s: fallback only supports value \"Bugs\": %s\n");
goto jxerr; goto jxerr;
} }
SSL_CTX_set_options(ctxp, SSL_OP_ALL); SSL_CTX_set_options(ctxp, SSL_OP_ALL);
}else if(!su_cs_cmp_case(cmd, xcmd = "PrivateKey")){ }else if(!su_cs_cmp_case(cmd, xcmd = "PrivateKey")){
if(SSL_CTX_use_PrivateKey_file(ctxp, value, SSL_FILETYPE_PEM) != 1){ if(SSL_CTX_use_PrivateKey_file(ctxp, value, SSL_FILETYPE_PEM) != 1){
emsg = N_("%s: cannot load from file %s\n"); emsg = N_("%s: cannot load from file %s\n");
goto jerr; goto jerr;
skipping to change at line 1035 skipping to change at line 1047
goto jleave; goto jleave;
} }
static boole static boole
a_xtls_conf_finish(void **confp, boole error){ a_xtls_conf_finish(void **confp, boole error){
UNUSED(confp); UNUSED(confp);
UNUSED(error); UNUSED(error);
*confp = NULL; *confp = NULL;
return TRU1; return TRU1;
} }
#endif /* !mx_HAVE_XTLS_CONF_CTX */ #endif /* !mx_XTLS_HAVE_CONF_CTX */
static boole static boole
a_xtls_obsolete_conf_vars(void *confp, struct mx_url const *urlp){ a_xtls_obsolete_conf_vars(void *confp, struct mx_url const *urlp){
char const *cp, *cp_base, *certchain; char const *cp, *cp_base, *certchain;
boole rv; boole rv;
NYD2_IN; NYD2_IN;
rv = FAL0; rv = FAL0;
/* Certificate via ssl-cert */ /* Certificate via ssl-cert */
skipping to change at line 1254 skipping to change at line 1266
rv = FAL0; rv = FAL0;
if((ca_dir = xok_vlook(tls_ca_dir, urlp, OXM_ALL)) != NULL || if((ca_dir = xok_vlook(tls_ca_dir, urlp, OXM_ALL)) != NULL ||
(ca_dir = xok_vlook(ssl_ca_dir, urlp, OXM_ALL)) != NULL) (ca_dir = xok_vlook(ssl_ca_dir, urlp, OXM_ALL)) != NULL)
ca_dir = fexpand(ca_dir, (FEXP_NOPROTO | FEXP_LOCAL_FILE | FEXP_NSHELL)); ca_dir = fexpand(ca_dir, (FEXP_NOPROTO | FEXP_LOCAL_FILE | FEXP_NSHELL));
if((ca_file = xok_vlook(tls_ca_file, urlp, OXM_ALL)) != NULL || if((ca_file = xok_vlook(tls_ca_file, urlp, OXM_ALL)) != NULL ||
(ca_file = xok_vlook(ssl_ca_file, urlp, OXM_ALL)) != NULL) (ca_file = xok_vlook(ssl_ca_file, urlp, OXM_ALL)) != NULL)
ca_file = fexpand(ca_file, (FEXP_NOPROTO | FEXP_LOCAL_FILE | ca_file = fexpand(ca_file, (FEXP_NOPROTO | FEXP_LOCAL_FILE |
FEXP_NSHELL)); FEXP_NSHELL));
if((ca_dir != NULL || ca_file != NULL) && if(ca_file != NIL &&
SSL_CTX_load_verify_locations(ctxp, ca_file, ca_dir) != 1){ #if mx_HAVE_XTLS >= 0x30000
char const *m1, *m2, *m3; SSL_CTX_load_verify_file(ctxp, ca_file)
#else
if(ca_dir != NULL){ SSL_CTX_load_verify_locations(ctxp, ca_file, ca_dir)
m1 = ca_dir; #endif
m2 = (ca_file != NULL) ? _(" or ") : n_empty; != 1){
}else ssl_gen_err(_("Error loading %s\n"), n_shexp_quote_cp(ca_file, FAL0));
m1 = m2 = n_empty; goto jleave;
m3 = (ca_file != NULL) ? ca_file : n_empty; }
ssl_gen_err(_("Error loading %s%s%s\n"), m1, m2, m3);
if(ca_dir != NIL &&
#if mx_HAVE_XTLS >= 0x30000
SSL_CTX_load_verify_dir(ctxp, ca_dir)
#else
SSL_CTX_load_verify_locations(ctxp, ca_file, ca_dir)
#endif
!= 1){
ssl_gen_err(_("Error loading %s\n"), n_shexp_quote_cp(ca_dir, FAL0));
goto jleave; goto jleave;
} }
/* C99 */{ /* C99 */{
boole xv15; boole xv15;
if((xv15 = ok_blook(ssl_no_default_ca))) if((xv15 = ok_blook(ssl_no_default_ca)))
n_OBSOLETE(_("please use *tls-ca-no-defaults*, " n_OBSOLETE(_("please use *tls-ca-no-defaults*, "
"not *ssl-no-default-ca*")); "not *ssl-no-default-ca*"));
if(!xok_blook(tls_ca_no_defaults, urlp, OXM_ALL) && if(!xok_blook(tls_ca_no_defaults, urlp, OXM_ALL) &&
skipping to change at line 1300 skipping to change at line 1320
rv = TRU1; rv = TRU1;
jleave: jleave:
NYD2_OU; NYD2_OU;
return rv; return rv;
} }
static boole static boole
a_xtls_check_host(struct mx_socket *sop, X509 *peercert, a_xtls_check_host(struct mx_socket *sop, X509 *peercert,
struct mx_url const *urlp){ struct mx_url const *urlp){
char data[256]; char data[256];
n_XTLS_STACKOF(GENERAL_NAME) *gens; a_XTLS_STACKOF(GENERAL_NAME) *gens;
GENERAL_NAME *gen; GENERAL_NAME *gen;
X509_NAME *subj; X509_NAME *subj;
boole rv; boole rv;
NYD_IN; NYD_IN;
UNUSED(sop); UNUSED(sop);
rv = FAL0; rv = FAL0;
if((gens = X509_get_ext_d2i(peercert, NID_subject_alt_name, NULL, NULL) if((gens = X509_get_ext_d2i(peercert, NID_subject_alt_name, NULL, NULL)
) != NULL){ ) != NULL){
skipping to change at line 1341 skipping to change at line 1361
n_err(_("Comparing commonName: need<%s> is<%s>\n"), n_err(_("Comparing commonName: need<%s> is<%s>\n"),
urlp->url_host.s, data); urlp->url_host.s, data);
rv = n_tls_rfc2595_hostname_match(urlp->url_host.s, data); rv = n_tls_rfc2595_hostname_match(urlp->url_host.s, data);
} }
jleave: jleave:
NYD_OU; NYD_OU;
return rv; return rv;
} }
static int static int
smime_verify(struct message *m, int n, n_XTLS_STACKOF(X509) *chain, smime_verify(struct message *m, int n, a_XTLS_STACKOF(X509) *chain,
X509_STORE *store) X509_STORE *store)
{ {
char data[LINESIZE], *sender, *to, *cc, *cnttype; char data[LINESIZE], *sender, *to, *cc, *cnttype;
int rv, c, i, j; int rv, c, i, j;
struct message *x; struct message *x;
FILE *fp, *ip; FILE *fp, *ip;
off_t size; off_t size;
BIO *fb, *pb; BIO *fb, *pb;
PKCS7 *pkcs7; PKCS7 *pkcs7;
n_XTLS_STACKOF(X509) *certs; a_XTLS_STACKOF(X509) *certs;
n_XTLS_STACKOF(GENERAL_NAME) *gens; a_XTLS_STACKOF(GENERAL_NAME) *gens;
X509 *cert; X509 *cert;
X509_NAME *subj; X509_NAME *subj;
GENERAL_NAME *gen; GENERAL_NAME *gen;
NYD_IN; NYD_IN;
rv = 1; rv = 1;
fp = NULL; fp = NULL;
fb = pb = NULL; fb = pb = NULL;
pkcs7 = NULL; pkcs7 = NULL;
certs = NULL; certs = NULL;
skipping to change at line 1663 skipping to change at line 1683
goto jleave; goto jleave;
} }
} }
rv = ok_vlook(smime_sign_include_certs); rv = ok_vlook(smime_sign_include_certs);
jleave: jleave:
NYD_OU; NYD_OU;
return rv; return rv;
} }
static boole static boole
_smime_sign_include_chain_creat(n_XTLS_STACKOF(X509) **chain, _smime_sign_include_chain_creat(a_XTLS_STACKOF(X509) **chain,
char const *cfiles, char const *addr) char const *cfiles, char const *addr)
{ {
X509 *tmp; X509 *tmp;
FILE *fp; FILE *fp;
char *nfield, *cfield, *x; char *nfield, *cfield, *x;
NYD_IN; NYD_IN;
*chain = sk_X509_new_null(); *chain = sk_X509_new_null();
for (nfield = savestr(cfiles); for (nfield = savestr(cfiles);
skipping to change at line 1875 skipping to change at line 1895
/* LibreSSL always succeeds, i think it aborts otherwise. /* LibreSSL always succeeds, i think it aborts otherwise.
* With elder OpenSSL we ensure via RAND_status() in * With elder OpenSSL we ensure via RAND_status() in
* a_xtls_rand_init() that the PRNG is seeded, so it does not fail. * a_xtls_rand_init() that the PRNG is seeded, so it does not fail.
* *
* With newer OpenSSL we disable automatic reseeding, but do not * With newer OpenSSL we disable automatic reseeding, but do not
* ASSERT RAND_status() ("Since you always have to check RAND_bytes's * ASSERT RAND_status() ("Since you always have to check RAND_bytes's
* return value now, RAND_status is mostly useless.", * return value now, RAND_status is mostly useless.",
* 20190104180735.GA25041@roeckx.be), so we have not that many options * 20190104180735.GA25041@roeckx.be), so we have not that many options
* on what to do. Since OSs will try hard to serve, a simple sleep * on what to do. Since OSs will try hard to serve, a simple sleep
* may be it, so do that */ * may be it, so do that */
#if !defined mx_HAVE_XTLS_RESSL && !defined mx_HAVE_TLS_RAND_FILE #if mx_HAVE_TLS != mx_TLS_IMPL_RESSL && !defined mx_XTLS_HAVE_RAND_FILE
n_err(_("TLS RAND_bytes(3ssl) failed (missing entropy?), " n_err(_("TLS RAND_bytes(3ssl) failed (missing entropy?), "
"waiting a bit\n")); "waiting a bit\n"));
/* Around ~Y2K+1 anything <= was a busy loop iirc, so give pad */
n_msleep(250, FAL0); n_msleep(250, FAL0);
continue; continue;
#endif #endif
/* FALLTHRU */
case 1: case 1:
break; break;
} }
blen -= i; blen -= i;
buf = (u8*)buf + i; buf = (u8*)buf + i;
} }
NYD2_OU; NYD2_OU;
} }
#endif /* HAVE_RANDOM == RANDOM_IMPL_TLS */ #endif /* HAVE_RANDOM == RANDOM_IMPL_TLS */
skipping to change at line 1920 skipping to change at line 1942
if(fprnt != NULL || urlp->url_cproto == CPROTO_CERTINFO || if(fprnt != NULL || urlp->url_cproto == CPROTO_CERTINFO ||
(n_poption & n_PO_D_V)){ (n_poption & n_PO_D_V)){
if((fprnt_namep = xok_vlook(tls_fingerprint_digest, urlp, if((fprnt_namep = xok_vlook(tls_fingerprint_digest, urlp,
OXM_ALL)) == NULL || OXM_ALL)) == NULL ||
!a_xtls_digest_find(fprnt_namep, &fprnt_mdp, &fprnt_namep)){ !a_xtls_digest_find(fprnt_namep, &fprnt_mdp, &fprnt_namep)){
fprnt_mdp = a_XTLS_FINGERPRINT_DEFAULT_DIGEST(); fprnt_mdp = a_XTLS_FINGERPRINT_DEFAULT_DIGEST();
fprnt_namep = a_XTLS_FINGERPRINT_DEFAULT_DIGEST_S; fprnt_namep = a_XTLS_FINGERPRINT_DEFAULT_DIGEST_S;
} }
} }
if((ctxp = SSL_CTX_new(n_XTLS_CLIENT_METHOD())) == NULL){ if((ctxp = SSL_CTX_new(mx_XTLS_CLIENT_METHOD())) == NULL){
ssl_gen_err(_("SSL_CTX_new() failed")); ssl_gen_err(_("SSL_CTX_new() failed"));
goto j_leave; goto j_leave;
} }
/* Available with OpenSSL 0.9.6 or later */ /* Available with OpenSSL 0.9.6 or later */
#ifdef SSL_MODE_AUTO_RETRY #ifdef SSL_MODE_AUTO_RETRY
SSL_CTX_set_mode(ctxp, SSL_MODE_AUTO_RETRY); SSL_CTX_set_mode(ctxp, SSL_MODE_AUTO_RETRY);
#endif #endif
if((confp = a_xtls_conf_setup(ctxp, urlp)) == NULL) if((confp = a_xtls_conf_setup(ctxp, urlp)) == NULL)
skipping to change at line 2030 skipping to change at line 2052
" Expected: %s\n Detected: %s\n"), " Expected: %s\n Detected: %s\n"),
urlp->url_h_p.s, fprnt, fpmdhexbuf); urlp->url_h_p.s, fprnt, fpmdhexbuf);
stay = n_tls_verify_decide(); stay = n_tls_verify_decide();
}else if(n_poption & n_PO_D_V) }else if(n_poption & n_PO_D_V)
n_err(_("TLS fingerprint ok\n")); n_err(_("TLS fingerprint ok\n"));
goto jpeer_leave; goto jpeer_leave;
}else if(urlp->url_cproto == CPROTO_CERTINFO){ }else if(urlp->url_cproto == CPROTO_CERTINFO){
char *xcp; char *xcp;
long i; long i;
BIO *biop; BIO *biop;
n_XTLS_STACKOF(X509) *certs; a_XTLS_STACKOF(X509) *certs;
sop->s_tls_finger = savestrbuf(fpmdhexbuf, sop->s_tls_finger = savestrbuf(fpmdhexbuf,
P2UZ(cp - fpmdhexbuf)); P2UZ(cp - fpmdhexbuf));
/* For the sake of `tls cert(chain|ificate)', this too */ /* For the sake of `tls cert(chain|ificate)', this too */
/*if((certs = SSL_get_peer_cert_chain(sop->s_tls)) != NIL){*/ /*if((certs = SSL_get_peer_cert_chain(sop->s_tls)) != NIL){*/
if((certs = if((certs = a_xtls_SSL_get_verified_chain(sop->s_tls)) != NIL){
#if mx_HAVE_XTLS_OPENSSL >= 0x10100
SSL_get0_verified_chain
#else
SSL_get_peer_cert_chain
#endif
(sop->s_tls)) != NIL){
if((biop = BIO_new(BIO_s_mem())) != NIL){ if((biop = BIO_new(BIO_s_mem())) != NIL){
xcp = NIL; xcp = NIL;
peercert = NIL; peercert = NIL;
for(i = 0; i < sk_X509_num(certs); ++i){ for(i = 0; i < sk_X509_num(certs); ++i){
peercert = sk_X509_value(certs, i); peercert = sk_X509_value(certs, i);
if(((n_poption & n_PO_D_V) && if(((n_poption & n_PO_D_V) &&
X509_print(biop, peercert) == 0) || X509_print(biop, peercert) == 0) ||
PEM_write_bio_X509(biop, peercert) == 0){ PEM_write_bio_X509(biop, peercert) == 0){
ssl_gen_err(_("Error storing certificate %d from %s"), ssl_gen_err(_("Error storing certificate %d from %s"),
skipping to change at line 2154 skipping to change at line 2170
goto jleave; goto jleave;
} }
X509_STORE_set_verify_cb_func(store, &a_xtls_verify_cb); X509_STORE_set_verify_cb_func(store, &a_xtls_verify_cb);
if((ca_dir = ok_vlook(smime_ca_dir)) != NIL) if((ca_dir = ok_vlook(smime_ca_dir)) != NIL)
ca_dir = fexpand(ca_dir, (FEXP_NOPROTO | FEXP_LOCAL_FILE | FEXP_NSHELL)); ca_dir = fexpand(ca_dir, (FEXP_NOPROTO | FEXP_LOCAL_FILE | FEXP_NSHELL));
if((ca_file = ok_vlook(smime_ca_file)) != NIL) if((ca_file = ok_vlook(smime_ca_file)) != NIL)
ca_file = fexpand(ca_file, (FEXP_NOPROTO | FEXP_LOCAL_FILE | ca_file = fexpand(ca_file, (FEXP_NOPROTO | FEXP_LOCAL_FILE |
FEXP_NSHELL)); FEXP_NSHELL));
if((ca_dir != NULL || ca_file != NULL) && if(ca_file != NIL &&
X509_STORE_load_locations(store, ca_file, ca_dir) != 1){ #if mx_HAVE_XTLS >= 0x30000
char const *m1, *m2, *m3; X509_STORE_load_file(store, ca_file)
#else
if(ca_dir != NULL){ X509_STORE_load_locations(store, ca_file, NIL)
m1 = ca_dir; #endif
m2 = (ca_file != NULL) ? _(" or ") : n_empty; != 1){
}else ssl_gen_err(_("Error loading %s\n"), n_shexp_quote_cp(ca_file, FAL0));
m1 = m2 = n_empty; goto jleave;
m3 = (ca_file != NULL) ? ca_file : n_empty; }
ssl_gen_err(_("Error loading %s%s%s\n"), m1, m2, m3);
if(ca_dir != NIL &&
#if mx_HAVE_XTLS >= 0x30000
X509_STORE_load_path(store, ca_dir)
#else
X509_STORE_load_locations(store, NIL, ca_dir)
#endif
!= 1){
ssl_gen_err(_("Error loading %s\n"), n_shexp_quote_cp(ca_dir, FAL0));
goto jleave; goto jleave;
} }
/* C99 */{ /* C99 */{
boole xv15; boole xv15;
if((xv15 = ok_blook(smime_no_default_ca))) if((xv15 = ok_blook(smime_no_default_ca)))
n_OBSOLETE(_("please use *smime-ca-no-defaults*, " n_OBSOLETE(_("please use *smime-ca-no-defaults*, "
"not *smime-no-default-ca*")); "not *smime-no-default-ca*"));
if(!ok_blook(smime_ca_no_defaults) && !xv15 && if(!ok_blook(smime_ca_no_defaults) && !xv15 &&
skipping to change at line 2209 skipping to change at line 2233
X509_STORE_free(store); X509_STORE_free(store);
NYD_OU; NYD_OU;
return rv; return rv;
} }
FL FILE * FL FILE *
smime_sign(FILE *ip, char const *addr) smime_sign(FILE *ip, char const *addr)
{ {
FILE *rv, *sfp, *fp, *bp, *hp; FILE *rv, *sfp, *fp, *bp, *hp;
X509 *cert = NULL; X509 *cert = NULL;
n_XTLS_STACKOF(X509) *chain = NULL; a_XTLS_STACKOF(X509) *chain = NIL;
EVP_PKEY *pkey = NULL; EVP_PKEY *pkey = NULL;
BIO *bb, *sb; BIO *bb, *sb;
PKCS7 *pkcs7; PKCS7 *pkcs7;
EVP_MD const *md; EVP_MD const *md;
char const *name; char const *name;
boole bail = FAL0; boole bail = FAL0;
NYD_IN; NYD_IN;
/* TODO smime_sign(): addr should vanish, it is either *from* aka *sender* /* TODO smime_sign(): addr should vanish, it is either *from* aka *sender*
* TODO or what we parsed as From:/Sender: from a template. This latter * TODO or what we parsed as From:/Sender: from a template. This latter
skipping to change at line 2338 skipping to change at line 2362
return rv; return rv;
} }
FL FILE * FL FILE *
smime_encrypt(FILE *ip, char const *xcertfile, char const *to) smime_encrypt(FILE *ip, char const *xcertfile, char const *to)
{ {
FILE *rv, *yp, *fp, *bp, *hp; FILE *rv, *yp, *fp, *bp, *hp;
X509 *cert; X509 *cert;
PKCS7 *pkcs7; PKCS7 *pkcs7;
BIO *bb, *yb; BIO *bb, *yb;
n_XTLS_STACKOF(X509) *certs; a_XTLS_STACKOF(X509) *certs;
EVP_CIPHER const *cipher; EVP_CIPHER const *cipher;
char *certfile; char *certfile;
boole bail; boole bail;
NYD_IN; NYD_IN;
bail = FAL0; bail = FAL0;
rv = yp = fp = bp = hp = NULL; rv = yp = fp = bp = hp = NULL;
if((certfile = fexpand(xcertfile, (FEXP_NOPROTO | FEXP_LOCAL_FILE | if((certfile = fexpand(xcertfile, (FEXP_NOPROTO | FEXP_LOCAL_FILE |
FEXP_NSHELL))) == NIL) FEXP_NSHELL))) == NIL)
skipping to change at line 2560 skipping to change at line 2584
FL enum okay FL enum okay
smime_certsave(struct message *m, int n, FILE *op) smime_certsave(struct message *m, int n, FILE *op)
{ {
struct message *x; struct message *x;
char *to, *cc, *cnttype; char *to, *cc, *cnttype;
int c, i; int c, i;
FILE *fp, *ip; FILE *fp, *ip;
off_t size; off_t size;
BIO *fb, *pb; BIO *fb, *pb;
PKCS7 *pkcs7; PKCS7 *pkcs7;
n_XTLS_STACKOF(X509) *certs, *chain = NULL; a_XTLS_STACKOF(X509) *certs, *chain = NIL;
X509 *cert; X509 *cert;
enum okay rv = STOP; enum okay rv = STOP;
NYD_IN; NYD_IN;
pkcs7 = NULL; pkcs7 = NULL;
a_xtls_msgno = (uz)n; a_xtls_msgno = (uz)n;
jloop: jloop:
to = hfield1("to", m); to = hfield1("to", m);
cc = hfield1("cc", m); cc = hfield1("cc", m);
 End of changes. 58 change blocks. 
82 lines changed or deleted 106 lines changed or added

Home  |  About  |  Features  |  All  |  Newest  |  Dox  |  Diffs  |  RSS Feeds  |  Screenshots  |  Comments  |  Imprint  |  Privacy  |  HTTP(S)