X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;ds=inline;f=src%2Fsrc%2Ftls-openssl.c;h=99d3f87f4795803adee75965bd7ab42016f18589;hb=5fcc791a74a6f6933b3fb03f36e9ea3553152cf7;hp=a236bc0c68c0028497f80157c75750c2d150b3b5;hpb=1d717e1c110562fd6bf28478c79f180cafeba776;p=user%2Fhenk%2Fcode%2Fexim.git diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index a236bc0c6..99d3f87f4 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -148,13 +148,10 @@ all options unless explicitly for DTLS, let the administrator choose which to apply. This list is current as of: - ==> 1.0.1b <== -Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev -Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev -Plus SSL_OP_NO_RENEGOTIATION for 1.1.1 + ==> 1.1.1c <== XXX could we autobuild this list, as with predefined-macros? -Seems just parsing ssl.h for SSL_OP_.* would be enough. +Seems just parsing ssl.h for SSL_OP_.* would be enough (except to exclude DTLS). Also allow a numeric literal? */ static exim_openssl_option exim_openssl_options[] = { @@ -162,15 +159,24 @@ static exim_openssl_option exim_openssl_options[] = { #ifdef SSL_OP_ALL { US"all", (long) SSL_OP_ALL }, #endif +#ifdef SSL_OP_ALLOW_NO_DHE_KEX + { US"allow_no_dhe_kex", SSL_OP_ALLOW_NO_DHE_KEX }, +#endif #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION }, #endif #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE }, #endif +#ifdef SSL_OP_CRYPTOPRO_TLSEXT_BUG + { US"cryptopro_tlsext_bug", SSL_OP_CRYPTOPRO_TLSEXT_BUG }, +#endif #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS }, #endif +#ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT + { US"enable_middlebox_compat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT }, +#endif #ifdef SSL_OP_EPHEMERAL_RSA { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA }, #endif 
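Review bot: The new `allow_no_dhe_kex` entry in the `@@ -162` hunk exposes an option that lowers protection, but nothing in the table says so. OpenSSL documents SSL_OP_ALLOW_NO_DHE_KEX as permitting TLS 1.3 resumption without an (EC)DHE exchange, so a resumed session has no forward secrecy. The same applies in the `@@ -192` hunk to `no_anti_replay` (switches off replay protection for TLS 1.3 early data) and `no_encrypt_then_mac` (disables the RFC 7366 negotiation). I would add a one-line comment above each, for example `/* weakens security: resumed TLS1.3 sessions lose forward secrecy */`, so that an administrator or maintainer reading the list can tell hardening switches from compatibility workarounds. The `exim_openssl_options[]` initializer starts before this hunk and continues past it.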
@@ -192,9 +198,15 @@ static exim_openssl_option exim_openssl_options[] = { #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG }, #endif +#ifdef SSL_OP_NO_ANTI_REPLAY + { US"no_anti_replay", SSL_OP_NO_ANTI_REPLAY }, +#endif #ifdef SSL_OP_NO_COMPRESSION { US"no_compression", SSL_OP_NO_COMPRESSION }, #endif +#ifdef SSL_OP_NO_ENCRYPT_THEN_MAC + { US"no_encrypt_then_mac", SSL_OP_NO_ENCRYPT_THEN_MAC }, +#endif #ifdef SSL_OP_NO_RENEGOTIATION { US"no_renegotiation", SSL_OP_NO_RENEGOTIATION }, #endif @@ -227,6 +239,9 @@ static exim_openssl_option exim_openssl_options[] = { #ifdef SSL_OP_NO_TLSv1_3 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 }, #endif +#ifdef SSL_OP_PRIORITIZE_CHACHA + { US"prioritize_chacha", SSL_OP_PRIORITIZE_CHACHA }, +#endif #ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG }, #endif @@ -251,6 +266,9 @@ static exim_openssl_option exim_openssl_options[] = { #ifdef SSL_OP_TLS_ROLLBACK_BUG { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG }, #endif +#ifdef SSL_OP_TLSEXT_PADDING + { US"tlsext_padding", SSL_OP_TLSEXT_PADDING }, +#endif }; #ifndef MACRO_PREDEF @@ -2784,6 +2802,9 @@ if (SSL_session_reused(server_ssl)) /* TLS has been set up. Record data for the connection, adjust the input functions to read via TLS, and initialize things. */ +#ifdef SSL_get_extms_support +tls_in.ext_master_secret = SSL_get_extms_support(server_ssl) == 1; +#endif peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn)); tls_in.ver = tlsver_name(server_ssl); 
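Review bot: The `#ifdef SSL_get_extms_support` guard in the `@@ -2784` hunk only compiles the assignment when the TLS headers define that name as a preprocessor macro. A library that offers it as a real function, or an older one without it, drops the line silently and leaves `tls_in.ext_master_secret` at its previous value. Whether that value is always false, and whether later code treats false as "do not rely on channel binding", is not visible here. I would make the fallback explicit with `#else` / `tls_in.ext_master_secret = FALSE;` and add a comment such as `/* macro in OpenSSL >= 1.1.0; absent means extended master secret is unknown, treat as not negotiated */`. The client-side hunk at `@@ -3384` has the same guard on `tlsp->ext_master_secret` and would take the same change. The enclosing function begins and ends outside both hunks.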
@@ -2826,12 +2847,12 @@ See description in https://paquier.xyz/postgresql-2/channel-binding-openssl/ */ uschar c, * s; size_t len = SSL_get_peer_finished(server_ssl, &c, 0); int old_pool = store_pool; - + SSL_get_peer_finished(server_ssl, s = store_get((int)len, FALSE), len); store_pool = POOL_PERM; tls_in.channelbinding = b64encode_taint(CUS s, (int)len, FALSE); store_pool = old_pool; - DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage\n"); + DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage %p\n", tls_in.channelbinding); } /* Only used by the server-side tls (tls_in), including tls_getc. @@ -3384,6 +3405,9 @@ DEBUG(D_tls) tls_client_resume_posthandshake(exim_client_ctx, tlsp); #endif +#ifdef SSL_get_extms_support +tlsp->ext_master_secret = SSL_get_extms_support(exim_client_ctx->ssl) == 1; +#endif peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn)); tlsp->ver = tlsver_name(exim_client_ctx->ssl); @@ -3402,12 +3426,12 @@ tlsp->cipher_stdname = cipher_stdname_ssl(exim_client_ctx->ssl); uschar c, * s; size_t len = SSL_get_finished(exim_client_ctx->ssl, &c, 0); int old_pool = store_pool; - + SSL_get_finished(exim_client_ctx->ssl, s = store_get((int)len, TRUE), len); store_pool = POOL_PERM; tlsp->channelbinding = b64encode_taint(CUS s, (int)len, TRUE); store_pool = old_pool; - DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage\n"); + DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage %p %p\n", tlsp->channelbinding, tlsp); } tlsp->active.sock = cctx->sock;
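Review bot: The reworked `debug_printf` in the `@@ -2826` hunk passes `tls_in.channelbinding` to `%p` without converting it to `void *`. The one in the `@@ -3402` hunk also passes `tlsp`, which is a pointer to a struct (it is dereferenced with `->` in the same hunk). C only defines `%p` for a `void *` argument, so the portable form is `debug_printf("... %p\n", (void *)tls_in.channelbinding);` and `(void *)tlsp->channelbinding, (void *)tlsp` on the client side. These lines now write heap addresses into the debug log. If that was temporary tracing for the channel-binding work, it would be better removed before release, or replaced by something a reader of the log can act on, such as the length of the cached binding. Both blocks open before their hunks begin.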