Deleted Added
full compact
tls.c (157001) tls.c (159609)
1/*
1/*
2 * Copyright (c) 2000-2005 Sendmail, Inc. and its suppliers.
2 * Copyright (c) 2000-2006 Sendmail, Inc. and its suppliers.
3 * All rights reserved.
4 *
5 * By using this file, you agree to the terms and conditions set
6 * forth in the LICENSE file which can be found at the top level of
7 * the sendmail distribution.
8 *
9 */
10
11#include <sendmail.h>
12
3 * All rights reserved.
4 *
5 * By using this file, you agree to the terms and conditions set
6 * forth in the LICENSE file which can be found at the top level of
7 * the sendmail distribution.
8 *
9 */
10
11#include <sendmail.h>
12
13SM_RCSID("@(#)$Id: tls.c,v 8.102 2006/03/02 19:18:27 ca Exp $")
13SM_RCSID("@(#)$Id: tls.c,v 8.105 2006/05/11 22:59:31 ca Exp $")
14
15#if STARTTLS
16# include <openssl/err.h>
17# include <openssl/bio.h>
18# include <openssl/pem.h>
19# ifndef HASURANDOMDEV
20# include <openssl/rand.h>
21# endif /* ! HASURANDOMDEV */

--- 479 unchanged lines hidden (view full) ---

501** The session_id_context identifies the service that created a session.
502** This information is used to distinguish between multiple TLS-based
503** servers running on the same server. We use the name of the mail system.
504** Note: the session cache is not persistent.
505*/
506
507static char server_session_id_context[] = "sendmail8";
508
14
15#if STARTTLS
16# include <openssl/err.h>
17# include <openssl/bio.h>
18# include <openssl/pem.h>
19# ifndef HASURANDOMDEV
20# include <openssl/rand.h>
21# endif /* ! HASURANDOMDEV */

--- 479 unchanged lines hidden (view full) ---

501** The session_id_context identifies the service that created a session.
502** This information is used to distinguish between multiple TLS-based
503** servers running on the same server. We use the name of the mail system.
504** Note: the session cache is not persistent.
505*/
506
507static char server_session_id_context[] = "sendmail8";
508
509/* 0.9.8a and b have a problem with SSL_OP_TLS_BLOCK_PADDING_BUG */
510#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL)
511# define SM_SSL_OP_TLS_BLOCK_PADDING_BUG 1
512#else
513# define SM_SSL_OP_TLS_BLOCK_PADDING_BUG 0
514#endif
515
509bool
510inittls(ctx, req, srv, certfile, keyfile, cacertpath, cacertfile, dhparam)
511 SSL_CTX **ctx;
512 unsigned long req;
513 bool srv;
514 char *certfile, *keyfile, *cacertpath, *cacertfile, *dhparam;
515{
516# if !NO_DH
517 static DH *dh = NULL;
518# endif /* !NO_DH */
519 int r;
520 bool ok;
516bool
517inittls(ctx, req, srv, certfile, keyfile, cacertpath, cacertfile, dhparam)
518 SSL_CTX **ctx;
519 unsigned long req;
520 bool srv;
521 char *certfile, *keyfile, *cacertpath, *cacertfile, *dhparam;
522{
523# if !NO_DH
524 static DH *dh = NULL;
525# endif /* !NO_DH */
526 int r;
527 bool ok;
521 long sff, status;
528 long sff, status, options;
522 char *who;
523# if _FFR_TLS_1
524 char *cf2, *kf2;
525# endif /* _FFR_TLS_1 */
526# if SM_CONF_SHM
527 extern int ShmId;
528# endif /* SM_CONF_SHM */
529# if OPENSSL_VERSION_NUMBER > 0x00907000L
530 BIO *crl_file;
531 X509_CRL *crl;
532 X509_STORE *store;
533# endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
529 char *who;
530# if _FFR_TLS_1
531 char *cf2, *kf2;
532# endif /* _FFR_TLS_1 */
533# if SM_CONF_SHM
534 extern int ShmId;
535# endif /* SM_CONF_SHM */
536# if OPENSSL_VERSION_NUMBER > 0x00907000L
537 BIO *crl_file;
538 X509_CRL *crl;
539 X509_STORE *store;
540# endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
541#if SM_SSL_OP_TLS_BLOCK_PADDING_BUG
542 long rt_version;
543 STACK_OF(SSL_COMP) *comp_methods;
544#endif
534
535 status = TLS_S_NONE;
536 who = srv ? "server" : "client";
537 if (ctx == NULL)
545
546 status = TLS_S_NONE;
547 who = srv ? "server" : "client";
548 if (ctx == NULL)
549 {
538 syserr("STARTTLS=%s, inittls: ctx == NULL", who);
550 syserr("STARTTLS=%s, inittls: ctx == NULL", who);
551 /* NOTREACHED */
552 SM_ASSERT(ctx != NULL);
553 }
539
540 /* already initialized? (we could re-init...) */
541 if (*ctx != NULL)
542 return true;
543 ok = true;
544
545# if _FFR_TLS_1
546 /*

--- 343 unchanged lines hidden (view full) ---

890 who, r);
891 if (LogLevel > 9)
892 tlslogerr(who);
893 }
894 }
895# endif /* _FFR_TLS_1 */
896
897 /* SSL_CTX_set_quiet_shutdown(*ctx, 1); violation of standard? */
554
555 /* already initialized? (we could re-init...) */
556 if (*ctx != NULL)
557 return true;
558 ok = true;
559
560# if _FFR_TLS_1
561 /*

--- 343 unchanged lines hidden (view full) ---

905 who, r);
906 if (LogLevel > 9)
907 tlslogerr(who);
908 }
909 }
910# endif /* _FFR_TLS_1 */
911
912 /* SSL_CTX_set_quiet_shutdown(*ctx, 1); violation of standard? */
898 SSL_CTX_set_options(*ctx, SSL_OP_ALL); /* XXX bug compatibility? */
899
913
914 options = SSL_OP_ALL; /* bug compatibility? */
915#if SM_SSL_OP_TLS_BLOCK_PADDING_BUG
916
917 /*
918 ** In OpenSSL 0.9.8[ab], enabling zlib compression breaks the
919 ** padding bug work-around, leading to false positives and
920 ** failed connections. We may not interoperate with systems
921 ** with the bug, but this is better than breaking on all 0.9.8[ab]
922 ** systems that have zlib support enabled.
923 ** Note: this checks the runtime version of the library, not
924 ** just the compile time version.
925 */
926
927 rt_version = SSLeay();
928 if (rt_version >= 0x00908000L && rt_version <= 0x0090802fL)
929 {
930 comp_methods = SSL_COMP_get_compression_methods();
931 if (comp_methods != NULL && sk_SSL_COMP_num(comp_methods) > 0)
932 options &= ~SSL_OP_TLS_BLOCK_PADDING_BUG;
933 }
934#endif
935 SSL_CTX_set_options(*ctx, options);
936
900# if !NO_DH
901 /* Diffie-Hellman initialization */
902 if (bitset(TLS_I_TRY_DH, req))
903 {
904 if (bitset(TLS_S_DHPAR_OK, status))
905 {
906 BIO *bio;
907

--- 725 unchanged lines hidden ---
937# if !NO_DH
938 /* Diffie-Hellman initialization */
939 if (bitset(TLS_I_TRY_DH, req))
940 {
941 if (bitset(TLS_S_DHPAR_OK, status))
942 {
943 BIO *bio;
944

--- 725 unchanged lines hidden ---