X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fsrc%2Ftls-openssl.c;h=541c45a9435c1e9be3298e04076a48a99194cd08;hb=5c03403d88afcde2bb3f543296b0fca6f05c9f2c;hp=3092dce2ed9d66c7af8cad36a52030914fa2e4ca;hpb=dea4b5684c694c41105215bdb25f8e91b7c35c5d;p=user%2Fhenk%2Fcode%2Fexim.git diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 3092dce2e..541c45a94 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -148,7 +148,7 @@ Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev static exim_openssl_option exim_openssl_options[] = { /* KEEP SORTED ALPHABETICALLY! */ #ifdef SSL_OP_ALL - { US"all", SSL_OP_ALL }, + { US"all", (long) SSL_OP_ALL }, #endif #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION }, @@ -586,6 +586,7 @@ if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn))) } dn[sizeof(dn)-1] = '\0'; +tlsp->verify_override = FALSE; if (preverify_ok == 0) { uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])", @@ -911,7 +912,7 @@ if (enc) if (!(key = tk_current())) /* current key doesn't exist or isn't valid */ return 0; /* key couldn't be created */ memcpy(key_name, key->name, 16); - DEBUG(D_tls) debug_printf("STEK expire %ld\n", key->expire - time(NULL)); + DEBUG(D_tls) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - time(NULL)); /*XXX will want these dependent on the ssl session strength */ HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key), @@ -933,7 +934,7 @@ else DEBUG(D_tls) { debug_printf("ticket not usable (%s)\n", key ? "expired" : "not found"); - if (key) debug_printf("STEK expire %ld\n", key->expire - now); + if (key) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - now); } return 0; } @@ -942,7 +943,7 @@ else key->hmac_hash, NULL); EVP_DecryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv); - DEBUG(D_tls) debug_printf("ticket usable, STEK expire %ld\n", key->expire - now); + DEBUG(D_tls) debug_printf("ticket usable, STEK expire " TIME_T_FMT "\n", key->expire - now); /* The ticket lifetime and renewal are the same as the STEK lifetime and renewal, which is overenthusiastic. A factor of, say, 3x longer STEK would @@ -1569,7 +1570,7 @@ DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername, /* Make the extension value available for expansion */ store_pool = POOL_PERM; -tls_in.sni = string_copy(US servername); +tls_in.sni = string_copy_taint(US servername, TRUE); store_pool = old_pool; if (!reexpand_tls_files_for_sni) @@ -1714,17 +1715,17 @@ if(!p) return cbinfo->u_ocsp.client.verify_required ? 0 : 1; } -if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len))) - { - tls_out.ocsp = OCSP_FAILED; +if (!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len))) + { + tls_out.ocsp = OCSP_FAILED; /*XXX should use tlsp-> to permit concurrent outbound */ if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN, "Received TLS cert status response, parse error"); else DEBUG(D_tls) debug_printf(" parse error\n"); return 0; - } + } -if(!(bs = OCSP_response_get1_basic(rsp))) +if (!(bs = OCSP_response_get1_basic(rsp))) { tls_out.ocsp = OCSP_FAILED; if (LOGGING(tls_cipher)) @@ -2174,7 +2175,8 @@ if (tlsp->peercert) when it actually failed but we're in try-verify mode, due to us wanting the knowlege that it failed so needing to have the callback and forcing a permissive return. If we don't force it, the TLS startup is failed. - Hence the verify_override bodge - though still a problem for resumption. */ + The extra bit of information is set in verify_override in the cb, stashed + for resumption next to the TLS session, and used here. */ if (!tlsp->verify_override) tlsp->certificate_verified = SSL_get_verify_result(ssl) == X509_V_OK; @@ -2737,12 +2739,14 @@ if (tlsp->host_resumable) debug_printf("decoding session: %s\n", ssl_errstring); } } +#ifdef EXIM_HAVE_SESSION_TICKET else if ( SSL_SESSION_get_ticket_lifetime_hint(ss) + dt->time_stamp < time(NULL)) { DEBUG(D_tls) debug_printf("session expired\n"); dbfn_delete(dbm_file, key); } +#endif else if (!SSL_set_session(ssl, ss)) { DEBUG(D_tls) @@ -2756,6 +2760,8 @@ if (tlsp->host_resumable) { DEBUG(D_tls) debug_printf("good session\n"); tlsp->resumption |= RESUME_CLIENT_SUGGESTED; + tlsp->verify_override = dt->verify_override; + tlsp->ocsp = dt->ocsp; } } else @@ -2784,14 +2790,16 @@ if (SSL_SESSION_is_resumable(ss)) /* 1.1.1 */ { int len = i2d_SSL_SESSION(ss, NULL); int dlen = sizeof(dbdata_tls_session) + len; - dbdata_tls_session * dt = store_get(dlen); + dbdata_tls_session * dt = store_get(dlen, TRUE); uschar * s = dt->session; open_db dbblock, * dbm_file; DEBUG(D_tls) debug_printf("session is resumable\n"); tlsp->resumption |= RESUME_SERVER_TICKET; /* server gave us a ticket */ - len = i2d_SSL_SESSION(ss, &s); /* s gets bumped to end */ + dt->verify_override = tlsp->verify_override; + dt->ocsp = tlsp->ocsp; + (void) i2d_SSL_SESSION(ss, &s); /* s gets bumped to end */ if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE))) { @@ -2900,7 +2908,7 @@ BOOL require_ocsp = FALSE; rc = store_pool; store_pool = POOL_PERM; -exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx)); +exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx), FALSE); exim_client_ctx->corked = NULL; store_pool = rc; @@ -3020,12 +3028,6 @@ if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx))) } SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx)); -#ifdef EXPERIMENTAL_TLS_RESUME -if (!tls_client_ssl_resume_prehandshake(exim_client_ctx->ssl, tlsp, host, - errstr)) - return FALSE; -#endif - SSL_set_fd(exim_client_ctx->ssl, cctx->sock); SSL_set_connect_state(exim_client_ctx->ssl); @@ -3085,6 +3087,12 @@ if (request_ocsp) } #endif +#ifdef EXPERIMENTAL_TLS_RESUME +if (!tls_client_ssl_resume_prehandshake(exim_client_ctx->ssl, tlsp, host, + errstr)) + return FALSE; +#endif + #ifndef DISABLE_EVENT client_static_cbinfo->event_action = tb ? tb->event_action : NULL; #endif @@ -3181,32 +3189,10 @@ switch(error) case SSL_ERROR_ZERO_RETURN: DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n"); - receive_getc = smtp_getc; - receive_getbuf = smtp_getbuf; - receive_get_cache = smtp_get_cache; - receive_ungetc = smtp_ungetc; - receive_feof = smtp_feof; - receive_ferror = smtp_ferror; - receive_smtp_buffered = smtp_buffered; - if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN) SSL_shutdown(server_ssl); -#ifndef DISABLE_OCSP - sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free); - server_static_cbinfo->verify_stack = NULL; -#endif - SSL_free(server_ssl); - SSL_CTX_free(server_ctx); - server_ctx = NULL; - server_ssl = NULL; - tls_in.active.sock = -1; - tls_in.active.tls_ctx = NULL; - tls_in.bits = 0; - tls_in.cipher = NULL; - tls_in.peerdn = NULL; - tls_in.sni = NULL; - + tls_close(NULL, TLS_NO_SHUTDOWN); return FALSE; /* Handle genuine errors */ @@ -3387,14 +3373,14 @@ a store reset there, so use POOL_PERM. */ if ((more || corked)) { -#ifdef EXPERIMENTAL_PIPE_CONNECT +#ifdef SUPPORT_PIPE_CONNECT int save_pool = store_pool; store_pool = POOL_PERM; #endif corked = string_catn(corked, buff, len); -#ifdef EXPERIMENTAL_PIPE_CONNECT +#ifdef SUPPORT_PIPE_CONNECT store_pool = save_pool; #endif @@ -3495,14 +3481,25 @@ if (shutdown) } } -#ifndef DISABLE_OCSP if (!o_ctx) /* server side */ { +#ifndef DISABLE_OCSP sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free); server_static_cbinfo->verify_stack = NULL; - } #endif + receive_getc = smtp_getc; + receive_getbuf = smtp_getbuf; + receive_get_cache = smtp_get_cache; + receive_ungetc = smtp_ungetc; + receive_feof = smtp_feof; + receive_ferror = smtp_ferror; + receive_smtp_buffered = smtp_buffered; + tls_in.active.tls_ctx = NULL; + tls_in.sni = NULL; + /* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */ + } + SSL_CTX_free(*ctxp); SSL_free(*sslp); *ctxp = NULL;