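--- a/tls.c	(157001)
+++ b/tls.c	(159609)
@@ -1,21 +1,21 @@
 /*
- * Copyright (c) 2000-2005 Sendmail, Inc. and its suppliers.
+ * Copyright (c) 2000-2006 Sendmail, Inc. and its suppliers.
  * All rights reserved.
  *
  * By using this file, you agree to the terms and conditions set
  * forth in the LICENSE file which can be found at the top level of
  * the sendmail distribution.
  *
  */
 
 #include <sendmail.h>
 
-SM_RCSID("@(#)$Id: tls.c,v 8.102 2006/03/02 19:18:27 ca Exp $")
+SM_RCSID("@(#)$Id: tls.c,v 8.105 2006/05/11 22:59:31 ca Exp $")
 
 #if STARTTLS
 # include <openssl/err.h>
 # include <openssl/bio.h>
 # include <openssl/pem.h>
 # ifndef HASURANDOMDEV
 # include <openssl/rand.h>
 # endif /* ! HASURANDOMDEV */
@@ -501,46 +501,61 @@
 ** The session_id_context identifies the service that created a session.
 ** This information is used to distinguish between multiple TLS-based
 ** servers running on the same server. We use the name of the mail system.
 ** Note: the session cache is not persistent.
 */
 
 static char server_session_id_context[] = "sendmail8";
 
+/* 0.9.8a and b have a problem with SSL_OP_TLS_BLOCK_PADDING_BUG */
+#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL)
+# define SM_SSL_OP_TLS_BLOCK_PADDING_BUG 1
+#else
+# define SM_SSL_OP_TLS_BLOCK_PADDING_BUG 0
+#endif
+
 bool
 inittls(ctx, req, srv, certfile, keyfile, cacertpath, cacertfile, dhparam)
  SSL_CTX **ctx;
  unsigned long req;
  bool srv;
  char *certfile, *keyfile, *cacertpath, *cacertfile, *dhparam;
 {
 # if !NO_DH
  static DH *dh = NULL;
 # endif /* !NO_DH */
  int r;
  bool ok;
- long sff, status;
+ long sff, status, options;
  char *who;
 # if _FFR_TLS_1
  char *cf2, *kf2;
 # endif /* _FFR_TLS_1 */
 # if SM_CONF_SHM
  extern int ShmId;
 # endif /* SM_CONF_SHM */
 # if OPENSSL_VERSION_NUMBER > 0x00907000L
  BIO *crl_file;
  X509_CRL *crl;
  X509_STORE *store;
 # endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
+#if SM_SSL_OP_TLS_BLOCK_PADDING_BUG
+ long rt_version;
+ STACK_OF(SSL_COMP) *comp_methods;
+#endif
 
  status = TLS_S_NONE;
  who = srv ? "server" : "client";
  if (ctx == NULL)
+ {
  syserr("STARTTLS=%s, inittls: ctx == NULL", who);
+ /* NOTREACHED */
+ SM_ASSERT(ctx != NULL);
+ }
 
  /* already initialized? (we could re-init...) */
  if (*ctx != NULL)
  return true;
  ok = true;
 
 # if _FFR_TLS_1
  /*
@@ -890,18 +905,40 @@
  who, r);
  if (LogLevel > 9)
  tlslogerr(who);
  }
  }
 # endif /* _FFR_TLS_1 */
 
  /* SSL_CTX_set_quiet_shutdown(*ctx, 1); violation of standard? */
- SSL_CTX_set_options(*ctx, SSL_OP_ALL); /* XXX bug compatibility? */
 
+ options = SSL_OP_ALL; /* bug compatibility? */
+#if SM_SSL_OP_TLS_BLOCK_PADDING_BUG
+
+ /*
+ ** In OpenSSL 0.9.8[ab], enabling zlib compression breaks the
+ ** padding bug work-around, leading to false positives and
+ ** failed connections. We may not interoperate with systems
+ ** with the bug, but this is better than breaking on all 0.9.8[ab]
+ ** systems that have zlib support enabled.
+ ** Note: this checks the runtime version of the library, not
+ ** just the compile time version.
+ */
+
+ rt_version = SSLeay();
+ if (rt_version >= 0x00908000L && rt_version <= 0x0090802fL)
+ {
+ comp_methods = SSL_COMP_get_compression_methods();
+ if (comp_methods != NULL && sk_SSL_COMP_num(comp_methods) > 0)
+ options &= ~SSL_OP_TLS_BLOCK_PADDING_BUG;
+ }
+#endif
+ SSL_CTX_set_options(*ctx, options);
+
 # if !NO_DH
  /* Diffie-Hellman initialization */
  if (bitset(TLS_I_TRY_DH, req))
  {
  if (bitset(TLS_S_DHPAR_OK, status))
  {
  BIO *bio;
 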
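Review bot: In the `ctx == NULL` branch of inittls(), the only thing that stops execution before the `*ctx != NULL` dereference a few lines later is `SM_ASSERT(ctx != NULL)`, and the `/* NOTREACHED */` comment above it reads as if syserr() could never return. If the build disables libsm assertion checking (inferred; the macro definition is not on this page), the NULL dereference becomes reachable again, so adding `return false;` after the assert would keep the guard independent of build flags. The comment would be more accurate as `/* syserr() may return; never fall through to *ctx */`. Separately, the new block clears `SSL_OP_TLS_BLOCK_PADDING_BUG` silently; a log line at a high LogLevel noting that the work-around was dropped because compression methods are present would make handshake failures with peers that have the padding bug easier to diagnose. inittls() starts and ends outside the visible hunks.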