1 /*@ S-nail - a mail user agent derived from Berkeley Mail.
2 *@ OpenSSL client implementation according to: John Viega, Matt Messier,
3 *@ Pravir Chandra: Network Security with OpenSSL. Sebastopol, CA 2002.
4 *@ TODO This needs an overhaul -- there _are_ stack leaks!?
6 * Copyright (c) 2000-2004 Gunnar Ritter, Freiburg i. Br., Germany.
7 * Copyright (c) 2012 - 2018 Steffen (Daode) Nurpmeso <steffen@sdaoden.eu>.
11 * Gunnar Ritter. All rights reserved.
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
21 * 3. All advertising materials mentioning features or use of this software
22 * must display the following acknowledgement:
23 * This product includes software developed by Gunnar Ritter
24 * and his contributors.
25 * 4. Neither the name of Gunnar Ritter nor the names of his contributors
26 * may be used to endorse or promote products derived from this software
27 * without specific prior written permission.
29 * THIS SOFTWARE IS PROVIDED BY GUNNAR RITTER AND CONTRIBUTORS ``AS IS'' AND
30 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
31 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
32 * ARE DISCLAIMED. IN NO EVENT SHALL GUNNAR RITTER OR CONTRIBUTORS BE LIABLE
33 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
34 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
35 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
36 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
38 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
44 #ifndef HAVE_AMALGAMATION
50 #include <sys/socket.h>
52 #include <openssl/crypto.h>
53 #include <openssl/err.h>
54 #include <openssl/evp.h>
55 #include <openssl/opensslv.h>
56 #include <openssl/pem.h>
57 #include <openssl/rand.h>
58 #include <openssl/ssl.h>
59 #include <openssl/x509v3.h>
60 #include <openssl/x509.h>
62 #ifdef HAVE_XTLS_CONFIG
63 # include <openssl/conf.h>
66 #if defined X509_V_FLAG_CRL_CHECK && defined X509_V_FLAG_CRL_CHECK_ALL
70 /* Compatibility shims which assume 0/-1 cannot really happen */
71 #ifndef HAVE_XTLS_CONF_CTX
72 # ifndef SSL_OP_NO_SSLv2
73 # define SSL_OP_NO_SSLv2 0
75 # ifndef SSL_OP_NO_SSLv3
76 # define SSL_OP_NO_SSLv3 0
78 # ifndef SSL_OP_NO_TLSv1
79 # define SSL_OP_NO_TLSv1 0
81 # ifndef SSL_OP_NO_TLSv1_1
82 # define SSL_OP_NO_TLSv1_1 0
84 # ifndef SSL_OP_NO_TLSv1_2
85 # define SSL_OP_NO_TLSv1_2 0
87 # ifndef SSL_OP_NO_TLSv1_3
88 # define SSL_OP_NO_TLSv1_3 0
90 /* SSL_CONF_CTX and _OP_NO_SSL_MASK were both introduced with 1.0.2!?! */
91 # ifndef SSL_OP_NO_SSL_MASK
92 # define SSL_OP_NO_SSL_MASK \
93 (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |\
94 SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 |\
99 # define SSL2_VERSION 0
101 # ifndef SSL3_VERSION
102 # define SSL3_VERSION 0
104 # ifndef TLS1_VERSION
105 # define TLS1_VERSION 0
107 # ifndef TLS1_1_VERSION
108 # define TLS1_1_VERSION 0
110 # ifndef TLS1_2_VERSION
111 # define TLS1_2_VERSION 0
113 # ifndef TLS1_3_VERSION
114 # define TLS1_3_VERSION 0
118 #ifdef HAVE_XTLS_STACK_OF
119 # define n_XTLS_STACKOF(X) STACK_OF(X)
121 # define n_XTLS_STACKOF(X) /*X*/STACK
124 #if OPENSSL_VERSION_NUMBER + 0 >= 0x0090581fL
125 # define a_XTLS_RAND_LOAD_FILE_MAXBYTES -1
127 # define a_XTLS_RAND_LOAD_FILE_MAXBYTES 1024
130 /* Compatibility sighs (that sigh is _really_ a cute one) */
131 #if HAVE_XTLS_OPENSSL >= 0x10100
132 # define a_xtls_X509_get_notBefore X509_get0_notBefore
133 # define a_xtls_X509_get_notAfter X509_get0_notAfter
135 # define a_xtls_X509_get_notBefore X509_get_notBefore
136 # define a_xtls_X509_get_notAfter X509_get_notAfter
139 /* X509_STORE_set_flags */
140 #undef a_XTLS_X509_V_ANY
141 #ifndef X509_V_FLAG_NO_ALT_CHAINS
142 # define X509_V_FLAG_NO_ALT_CHAINS -1
144 # undef a_XTLS_X509_V_ANY
145 # define a_XTLS_X509_V_ANY
147 #ifndef X509_V_FLAG_NO_CHECK_TIME
148 # define X509_V_FLAG_NO_CHECK_TIME -1
150 # undef a_XTLS_X509_V_ANY
151 # define a_XTLS_X509_V_ANY
153 #ifndef X509_V_FLAG_PARTIAL_CHAIN
154 # define X509_V_FLAG_PARTIAL_CHAIN -1
156 # undef a_XTLS_X509_V_ANY
157 # define a_XTLS_X509_V_ANY
159 #ifndef X509_V_FLAG_X509_STRICT
160 # define X509_V_FLAG_X509_STRICT -1
162 # undef a_XTLS_X509_V_ANY
163 # define a_XTLS_X509_V_ANY
165 #ifndef X509_V_FLAG_TRUSTED_FIRST
166 # define X509_V_FLAG_TRUSTED_FIRST -1
168 # undef a_XTLS_X509_V_ANY
169 # define a_XTLS_X509_V_ANY
173 a_XTLS_S_INIT
= 1u<<0,
174 a_XTLS_S_RAND_INIT
= 1u<<1,
175 a_XTLS_S_CONF_LOAD
= 1u<<2,
177 #if HAVE_XTLS_OPENSSL < 0x10100
178 a_XTLS_S_EXIT_HDL
= 1u<<8,
179 a_XTLS_S_ALGO_LOAD
= 1u<<9,
182 a_XTLS_S_VERIFY_ERROR
= 1u<<16
185 struct ssl_method
{ /* TODO v15 obsolete */
186 char const sm_name
[8];
187 char const sm_map
[16];
190 #ifndef HAVE_XTLS_CONF_CTX
191 struct a_xtls_protocol
{
192 char const xp_name
[8];
193 sl_i xp_op_no
; /* SSL_OP_NO_* bit */
194 ui16_t xp_version
; /* *_VERSION number */
195 bool_t xp_ok_minmaxproto
; /* Valid for {Min,Max}Protocol= */
196 bool_t xp_ok_proto
; /* Valid for Protocol= */
201 struct a_xtls_cipher
{
202 char const xc_name
[8];
203 EVP_CIPHER
const *(*xc_fun
)(void);
206 struct a_xtls_digest
{
207 char const xd_name
[16];
208 EVP_MD
const *(*xd_fun
)(void);
211 struct a_xtls_x509_v_flags
{
212 char const xxvf_name
[20];
216 /* Supported SSL/TLS methods: update manual on change! */
217 static struct ssl_method
const _ssl_methods
[] = { /* TODO obsolete */
218 {"auto", "ALL,-SSLv2"},
219 {"ssl3", "-ALL,SSLv3"},
220 {"tls1", "-ALL,TLSv1"},
221 {"tls1.1", "-ALL,TLSv1.1"},
222 {"tls1.2", "-ALL,TLSv1.2"}
225 /* Update manual on change!
226 * Ensure array size by adding \0 to longest entry.
227 * Strictly to be sorted new/up to old/down, [0]=ALL, [x-1]=None! */
228 #ifndef HAVE_XTLS_CONF_CTX
229 static struct a_xtls_protocol
const a_xtls_protocols
[] = {
230 {"ALL", SSL_OP_NO_SSL_MASK
, 0, FAL0
, TRU1
, {0}},
231 {"TLSv1.3\0", SSL_OP_NO_TLSv1_3
, TLS1_3_VERSION
, TRU1
, TRU1
, {0}},
232 {"TLSv1.2", SSL_OP_NO_TLSv1_2
, TLS1_2_VERSION
, TRU1
, TRU1
, {0}},
233 {"TLSv1.1", SSL_OP_NO_TLSv1_1
, TLS1_1_VERSION
, TRU1
, TRU1
, {0}},
234 {"TLSv1", SSL_OP_NO_TLSv1
, TLS1_VERSION
, TRU1
, TRU1
, {0}},
235 {"SSLv3", SSL_OP_NO_SSLv3
, SSL3_VERSION
, TRU1
, TRU1
, {0}},
236 {"SSLv2", SSL_OP_NO_SSLv2
, SSL2_VERSION
, TRU1
, TRU1
, {0}},
237 {"None", SSL_OP_NO_SSL_MASK
, 0, TRU1
, FAL0
, {0}}
239 #endif /* HAVE_XTLS_CONF_CTX */
241 /* Supported S/MIME cipher algorithms */
242 static struct a_xtls_cipher
const a_xtls_ciphers
[] = { /*Manual!*/
243 #ifndef OPENSSL_NO_AES
244 # define a_XTLS_SMIME_DEFAULT_CIPHER EVP_aes_128_cbc /* According RFC 5751 */
245 {"AES128", &EVP_aes_128_cbc
},
246 {"AES256", &EVP_aes_256_cbc
},
247 {"AES192", &EVP_aes_192_cbc
},
249 #ifndef OPENSSL_NO_DES
250 # ifndef a_XTLS_SMIME_DEFAULT_CIPHER
251 # define a_XTLS_SMIME_DEFAULT_CIPHER EVP_des_ede3_cbc
253 {"DES3", &EVP_des_ede3_cbc
},
254 {"DES", &EVP_des_cbc
},
257 #ifndef a_XTLS_SMIME_DEFAULT_CIPHER
258 # error Your OpenSSL library does not include the necessary
259 # error cipher algorithms that are required to support S/MIME
262 #ifndef OPENSSL_NO_AES
263 /* TODO obsolete a_xtls_smime_ciphers_obs */
264 static struct a_xtls_cipher
const a_xtls_smime_ciphers_obs
[] = {
265 {"AES-128", &EVP_aes_128_cbc
},
266 {"AES-256", &EVP_aes_256_cbc
},
267 {"AES-192", &EVP_aes_192_cbc
}
271 /* Supported S/MIME message digest algorithms.
272 * Update manual on default changes! */
273 static struct a_xtls_digest
const a_xtls_digests
[] = { /*Manual!*/
274 #ifdef HAVE_XTLS_BLAKE2
275 {"BLAKE2b512\0", &EVP_blake2b512
},
276 {"BLAKE2s256", &EVP_blake2s256
},
277 # ifndef a_XTLS_FINGERPRINT_DEFAULT_DIGEST
278 # define a_XTLS_FINGERPRINT_DEFAULT_DIGEST EVP_blake2s256
279 # define a_XTLS_FINGERPRINT_DEFAULT_DIGEST_S "BLAKE2s256"
283 #ifdef HAVE_XTLS_SHA3
284 {"SHA3-512\0", &EVP_sha3_512
},
285 {"SHA3-384", &EVP_sha3_384
},
286 {"SHA3-256", &EVP_sha3_256
},
287 {"SHA3-224", &EVP_sha3_224
},
290 #ifndef OPENSSL_NO_SHA512
291 {"SHA512\0", &EVP_sha512
},
292 {"SHA384", &EVP_sha384
},
293 # ifndef a_XTLS_SMIME_DEFAULT_DIGEST
294 # define a_XTLS_SMIME_DEFAULT_DIGEST EVP_sha512
295 # define a_XTLS_SMIME_DEFAULT_DIGEST_S "SHA512"
299 #ifndef OPENSSL_NO_SHA256
300 {"SHA256\0", &EVP_sha256
},
301 {"SHA224", &EVP_sha224
},
302 # ifndef a_XTLS_SMIME_DEFAULT_DIGEST
303 # define a_XTLS_SMIME_DEFAULT_DIGEST EVP_sha256
304 # define a_XTLS_SMIME_DEFAULT_DIGEST_S "SHA256"
306 # ifndef a_XTLS_FINGERPRINT_DEFAULT_DIGEST
307 # define a_XTLS_FINGERPRINT_DEFAULT_DIGEST EVP_sha256
308 # define a_XTLS_FINGERPRINT_DEFAULT_DIGEST_S "SHA256"
312 #ifndef OPENSSL_NO_SHA
313 {"SHA1\0", &EVP_sha1
},
314 # ifndef a_XTLS_SMIME_DEFAULT_DIGEST
315 # define a_XTLS_SMIME_DEFAULT_DIGEST EVP_sha1
316 # define a_XTLS_SMIME_DEFAULT_DIGEST_S "SHA1"
318 # ifndef a_XTLS_FINGERPRINT_DEFAULT_DIGEST
319 # define a_XTLS_FINGERPRINT_DEFAULT_DIGEST EVP_sha1
320 # define a_XTLS_FINGERPRINT_DEFAULT_DIGEST_S "SHA1"
324 #ifndef OPENSSL_NO_MD5
329 #if !defined a_XTLS_SMIME_DEFAULT_DIGEST || \
330 !defined a_XTLS_FINGERPRINT_DEFAULT_DIGEST
331 # error Not enough supported message digest algorithms available
334 /* X509_STORE_set_flags() for *{smime,ssl}-ca-flags* */
335 static struct a_xtls_x509_v_flags
const a_xtls_x509_v_flags
[] = { /* Manual! */
336 {"no-alt-chains", X509_V_FLAG_NO_ALT_CHAINS
},
337 {"no-check-time", X509_V_FLAG_NO_CHECK_TIME
},
338 {"partial-chain", X509_V_FLAG_PARTIAL_CHAIN
},
339 {"strict", X509_V_FLAG_X509_STRICT
},
340 {"trusted-first", X509_V_FLAG_TRUSTED_FIRST
},
343 static enum a_xtls_state a_xtls_state
;
344 static size_t a_xtls_msgno
;
346 static void a_xtls_rand_init(void);
347 static void a_xtls_init(void);
349 #if HAVE_XTLS_OPENSSL < 0x10100
350 # ifdef HAVE_TLS_ALL_ALGORITHMS
351 static void a_xtls__load_algos(void);
352 # define a_xtls_load_algos a_xtls__load_algos
354 # if defined HAVE_XTLS_CONFIG || defined HAVE_TLS_ALL_ALGORITHMS
355 static void a_xtls_atexit(void);
358 #ifndef a_xtls_load_algos
359 # define a_xtls_load_algos() do{;}while(0)
362 static bool_t
a_xtls_parse_asn1_time(ASN1_TIME
const *atp
,
363 char *bdat
, size_t blen
);
364 static int a_xtls_verify_cb(int success
, X509_STORE_CTX
*store
);
366 static bool_t
a_xtls_digest_find(char const *name
, EVP_MD
const **mdp
,
367 char const **normalized_name_or_null
);
369 /* *smime-ca-flags*, *tls-ca-flags* */
370 static void a_xtls_ca_flags(X509_STORE
*store
, char const *flags
);
372 /* SSL_CTX configuration; the latter always NULLs *confp */
373 static void *a_xtls_conf_setup(SSL_CTX
*ctxp
, struct url
const *urlp
);
374 static bool_t
a_xtls_conf(void *confp
, char const *cmd
, char const *value
);
375 static bool_t
a_xtls_conf_finish(void **confp
, bool_t error
);
377 static bool_t
a_xtls_obsolete_conf_vars(void *confp
, struct url
const *urlp
);
378 static bool_t
a_xtls_config_pairs(void *confp
, struct url
const *urlp
);
379 static bool_t
a_xtls_load_verifications(SSL_CTX
*ctxp
, struct url
const *urlp
);
381 static bool_t
a_xtls_check_host(struct sock
*sp
, X509
*peercert
,
382 struct url
const *urlp
);
384 static int smime_verify(struct message
*m
, int n
,
385 n_XTLS_STACKOF(X509
) *chain
, X509_STORE
*store
);
386 static EVP_CIPHER
const * _smime_cipher(char const *name
);
387 static int ssl_password_cb(char *buf
, int size
, int rwflag
,
389 static FILE * smime_sign_cert(char const *xname
, char const *xname2
,
390 bool_t dowarn
, char const **match
);
391 static char const * _smime_sign_include_certs(char const *name
);
392 static bool_t
_smime_sign_include_chain_creat(n_XTLS_STACKOF(X509
) **chain
,
393 char const *cfiles
, char const *addr
);
394 static EVP_MD
const *a_xtls_smime_sign_digest(char const *name
,
395 char const **digname
);
396 #if defined X509_V_FLAG_CRL_CHECK && defined X509_V_FLAG_CRL_CHECK_ALL
397 static enum okay
load_crl1(X509_STORE
*store
, char const *name
);
399 static enum okay
load_crls(X509_STORE
*store
, enum okeys fok
, enum okeys dok
);
402 a_xtls_rand_init(void){
403 #define a_XTLS_RAND_ENTROPY 32
404 char b64buf
[a_XTLS_RAND_ENTROPY
* 5 +1], *randfile
;
409 a_xtls_state
|= a_XTLS_S_RAND_INIT
;
414 #ifdef HAVE_XTLS_CONFIG
415 if(!(a_xtls_state
& a_XTLS_S_INIT
))
419 /* Prefer possible user setting */
420 if((cp
= ok_vlook(tls_rand_file
)) != NULL
||
421 (cp
= ok_vlook(ssl_rand_file
)) != NULL
){
424 if((x
= fexpand(cp
, FEXP_LOCAL
| FEXP_NOPROTO
)) == NULL
)
425 n_err(_("*tls-rand-file*: expansion of %s failed "
426 "(using default)\n"),
427 n_shexp_quote_cp(cp
, FAL0
));
432 randfile
= n_lofi_alloc(PATH_MAX
);
433 if((cp
= RAND_file_name(randfile
, PATH_MAX
)) == NULL
){
434 n_err(_("*tls-rand-file*: no TLS entropy file, can't seed PRNG\n"));
439 (void)RAND_load_file(cp
, a_XTLS_RAND_LOAD_FILE_MAXBYTES
);
441 /* And feed in some data, then write the updated file.
442 * While this rather feeds the PRNG with itself in the n_RANDOM_IMPL_TLS
443 * case, let us stir the buffer a little bit.
444 * Estimate a low but likely still too high number of entropy bytes, use
445 * 20%: base64 uses 3 input = 4 output bytes relation, and the base64
446 * alphabet is a 6 bit one */
447 for(x
= (char*)-1;;){
448 RAND_add(n_random_create_buf(b64buf
, sizeof(b64buf
) -1, NULL
),
449 sizeof(b64buf
) -1, a_XTLS_RAND_ENTROPY
);
450 if((x
= (char*)((uintptr_t)x
>> (1
451 #if HAVE_RANDOM == n_RANDOM_IMPL_TLS
455 err
= (RAND_status() == 0);
458 #if HAVE_RANDOM != n_RANDOM_IMPL_TLS
459 if(!(err
= (RAND_status() == 0)))
465 err
= (RAND_write_file(cp
) == -1);
469 n_lofi_free(randfile
);
471 n_panic(_("Cannot seed the *TLS PseudoRandomNumberGenerator, "
472 "RAND_status() is 0!\n"
473 " Please set *tls-rand-file* to a file with sufficient entropy.\n"
474 " On a machine with entropy: "
475 "\"$ dd if=/dev/urandom of=FILE bs=1024 count=1\"\n"));
481 #ifdef HAVE_XTLS_CONFIG
486 if(a_xtls_state
& a_XTLS_S_INIT
)
489 #if HAVE_XTLS_OPENSSL >= 0x10100
490 OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS
|
491 OPENSSL_INIT_LOAD_CRYPTO_STRINGS
492 # ifdef HAVE_TLS_ALL_ALGORITHMS
493 | OPENSSL_INIT_ADD_ALL_CIPHERS
| OPENSSL_INIT_ADD_ALL_DIGESTS
497 SSL_load_error_strings();
501 a_xtls_state
|= a_XTLS_S_INIT
;
504 /* Load openssl.cnf or whatever was given in *tls-config-file* */
505 #ifdef HAVE_XTLS_CONFIG
506 if((cp
= ok_vlook(tls_config_file
)) != NULL
||
507 (cp
= ok_vlook(ssl_config_file
)) != NULL
){
514 flags
= CONF_MFLAGS_IGNORE_MISSING_FILE
;
515 }else if((msg
= cp
, cp
= fexpand(cp
, FEXP_LOCAL
| FEXP_NOPROTO
)) != NULL
)
518 n_err(_("*tls-config-file*: file expansion failed: %s\n"),
519 n_shexp_quote_cp(msg
, FAL0
));
523 if(CONF_modules_load_file(cp
, n_uagent
, flags
) == 1){
524 a_xtls_state
|= a_XTLS_S_CONF_LOAD
;
525 # if HAVE_XTLS_OPENSSL < 0x10100
526 if(!(a_xtls_state
& a_XTLS_S_EXIT_HDL
)){
527 a_xtls_state
|= a_XTLS_S_EXIT_HDL
;
528 atexit(&a_xtls_atexit
); /* TODO generic program-wide event mech. */
531 if(n_poption
& n_PO_D_V
)
532 n_err(_("Loaded TLS configuration for %s from %s\n"), n_uagent
,
533 n_shexp_quote_cp(msg
, FAL0
));
536 ssl_gen_err(_("TLS CONF_modules_load_file() load error"));
538 #endif /* HAVE_XTLS_CONFIG */
540 if(!(a_xtls_state
& a_XTLS_S_RAND_INIT
))
546 #if HAVE_XTLS_OPENSSL < 0x10100
547 # ifdef HAVE_TLS_ALL_ALGORITHMS
549 a_xtls__load_algos(void){
551 if(!(a_xtls_state
& a_XTLS_S_ALGO_LOAD
)){
552 a_xtls_state
|= a_XTLS_S_ALGO_LOAD
;
553 OpenSSL_add_all_algorithms();
555 if(!(a_xtls_state
& a_XTLS_S_EXIT_HDL
)){
556 a_xtls_state
|= a_XTLS_S_EXIT_HDL
;
557 atexit(&a_xtls_atexit
); /* TODO generic program-wide event mech. */
564 # if defined HAVE_XTLS_CONFIG || defined HAVE_TLS_ALL_ALGORITHMS
568 # ifdef HAVE_XTLS_CONFIG
569 if(a_xtls_state
& a_XTLS_S_CONF_LOAD
)
573 # ifdef HAVE_TLS_ALL_ALGORITHMS
574 if(a_xtls_state
& a_XTLS_S_ALGO_LOAD
)
580 #endif /* HAVE_XTLS_OPENSSL < 0x10100 */
583 a_xtls_parse_asn1_time(ASN1_TIME
const *atp
, char *bdat
, size_t blen
)
590 mbp
= BIO_new(BIO_s_mem());
592 if (ASN1_TIME_print(mbp
, atp
) && (l
= BIO_get_mem_data(mbp
, &mcp
)) > 0)
593 snprintf(bdat
, blen
, "%.*s", (int)l
, mcp
);
595 snprintf(bdat
, blen
, _("Bogus certificate date: %.*s"),
596 /*is (int)*/atp
->length
, (char const*)atp
->data
);
602 return (mcp
!= NULL
);
606 a_xtls_verify_cb(int success
, X509_STORE_CTX
*store
)
613 if (success
&& !(n_poption
& n_PO_D_V
))
616 if (a_xtls_msgno
!= 0) {
617 n_err(_("Message %lu:\n"), (ul_i
)a_xtls_msgno
);
620 n_err(_(" Certificate depth %d %s\n"),
621 X509_STORE_CTX_get_error_depth(store
), (success
? n_empty
: V_(n_error
)));
623 if ((cert
= X509_STORE_CTX_get_current_cert(store
)) != NULL
) {
624 X509_NAME_oneline(X509_get_subject_name(cert
), data
, sizeof data
);
625 n_err(_(" subject = %s\n"), data
);
627 a_xtls_parse_asn1_time(a_xtls_X509_get_notBefore(cert
),
629 n_err(_(" notBefore = %s\n"), data
);
631 a_xtls_parse_asn1_time(a_xtls_X509_get_notAfter(cert
),
633 n_err(_(" notAfter = %s\n"), data
);
635 X509_NAME_oneline(X509_get_issuer_name(cert
), data
, sizeof data
);
636 n_err(_(" issuer = %s\n"), data
);
640 int err
= X509_STORE_CTX_get_error(store
);
642 n_err(_(" err %i: %s\n"), err
, X509_verify_cert_error_string(err
));
643 a_xtls_state
|= a_XTLS_S_VERIFY_ERROR
;
647 rv
= n_tls_verify_decide();
654 a_xtls_digest_find(char const *name
,
655 EVP_MD
const **mdp
, char const **normalized_name_or_null
){
664 nn
= cp
= n_lofi_alloc(i
+1);
665 while((c
= *name
++) != '\0')
666 *cp
++ = upperconv(c
);
669 if(normalized_name_or_null
!= NULL
)
670 *normalized_name_or_null
= savestrbuf(nn
, PTR2SIZE(cp
- nn
));
673 for(i
= 0; i
< n_NELEM(a_xtls_digests
); ++i
)
674 if(!strcmp(a_xtls_digests
[i
].xd_name
, nn
)){
675 *mdp
= (*a_xtls_digests
[i
].xd_fun
)();
679 /* Not a built-in algorithm, but we may have dynamic support for more */
680 #ifdef HAVE_TLS_ALL_ALGORITHMS
681 if((*mdp
= EVP_get_digestbyname(nn
)) != NULL
)
685 n_err(_("Invalid message digest: %s\n"), n_shexp_quote_cp(nn
, FAL0
));
691 return (*mdp
!= NULL
);
695 a_xtls_ca_flags(X509_STORE
*store
, char const *flags
){
700 iolist
= savestr(flags
);
702 while((cp
= n_strsep(&iolist
, ',', TRU1
)) != NULL
){
703 struct a_xtls_x509_v_flags
const *xvfp
;
705 for(xvfp
= &a_xtls_x509_v_flags
[0];
706 xvfp
< &a_xtls_x509_v_flags
[n_NELEM(a_xtls_x509_v_flags
)];
708 if(!asccasecmp(cp
, xvfp
->xxvf_name
)){
709 if(xvfp
->xxvf_flag
!= -1){
710 #ifdef a_XTLS_X509_V_ANY
711 X509_STORE_set_flags(store
, xvfp
->xxvf_flag
);
713 }else if(n_poption
& n_PO_D_V
)
714 n_err(_("*{smime,tls}-ca-flags*: "
715 "directive not supported: %s\n"), cp
);
718 n_err(_("*{smime,tls}-ca-flags*: invalid directive: %s\n"), cp
);
724 #ifdef HAVE_XTLS_CONF_CTX
726 a_xtls_conf_setup(SSL_CTX
*ctxp
, struct url
const *urlp
){
733 if((cp
= xok_vlook(tls_config_module
, urlp
, OXM_ALL
)) != NULL
||
734 (cp
= xok_vlook(ssl_config_module
, urlp
, OXM_ALL
)) != NULL
){
735 # ifdef HAVE_XTLS_CTX_CONFIG
736 if(!(a_xtls_state
& a_XTLS_S_CONF_LOAD
)){
737 n_err(_("*tls-config-module*: no *tls-config-file* loaded: %s\n"),
738 n_shexp_quote_cp(cp
, FAL0
));
740 }else if(!SSL_CTX_config(ctxp
, cp
)){
741 ssl_gen_err(_("*tls-config-module*: load error for %s, section [%s]"),
742 n_uagent
, n_shexp_quote_cp(cp
, FAL0
));
746 n_err(_("*tls-config-module*: set but not supported: %s\n"),
747 n_shexp_quote_cp(cp
, FAL0
));
752 if((sccp
= SSL_CONF_CTX_new()) != NULL
){
753 SSL_CONF_CTX_set_flags(sccp
,
754 SSL_CONF_FLAG_FILE
| SSL_CONF_FLAG_CLIENT
|
755 SSL_CONF_FLAG_CERTIFICATE
| SSL_CONF_FLAG_SHOW_ERRORS
);
757 SSL_CONF_CTX_set_ssl_ctx(sccp
, ctxp
);
759 ssl_gen_err(_("SSL_CONF_CTX_new() failed"));
766 a_xtls_conf(void *confp
, char const *cmd
, char const *value
){
771 if(n_poption
& n_PO_D_V
)
772 n_err(_("TLS: applying config: %s = %s\n"),
773 n_shexp_quote_cp(cmd
, FAL0
), n_shexp_quote_cp(value
, FAL0
));
775 rv
= SSL_CONF_cmd(sccp
= confp
, cmd
, value
);
779 cmd
= n_shexp_quote_cp(cmd
, FAL0
);
780 value
= n_shexp_quote_cp(value
, FAL0
);
782 ssl_gen_err(_("TLS: config failure: %s = %s"), cmd
, value
);
787 case -2: err
= N_("TLS: config command not recognized"); break;
788 case -3: err
= N_("TLS: missing required config argument"); break;
789 default: err
= N_("TLS: unspecified config error"); break;
792 n_err(_("%s (%d): %s = %s\n"), err
, rv
, cmd
, value
);
801 a_xtls_conf_finish(void **confp
, bool_t error
){
806 sccp
= (SSL_CONF_CTX
*)*confp
;
810 rv
= (SSL_CONF_CTX_finish(sccp
) != 0);
812 SSL_CONF_CTX_free(sccp
);
817 #else /* HAVE_XTLS_CONF_CTX */
818 # ifdef HAVE_XTLS_CTX_CONFIG
819 # error SSL_CTX_config(3) support unexpected without SSL_CONF_CTX support
823 a_xtls_conf_setup(SSL_CTX
* ctxp
, struct url
const *urlp
){
827 if((cp
= xok_vlook(tls_config_module
, urlp
, OXM_ALL
)) != NULL
||
828 (cp
= xok_vlook(ssl_config_module
, urlp
, OXM_ALL
)) != NULL
){
829 n_err(_("*tls-config-module*: set but not supported: %s\n"),
830 n_shexp_quote_cp(cp
, FAL0
));
838 a_xtls_conf(void *confp
, char const *cmd
, char const *value
){
839 char const *xcmd
, *emsg
;
843 if(n_poption
& n_PO_D_V
)
844 n_err(_("TLS: applying config: %s = %s\n"),
845 n_shexp_quote_cp(cmd
, FAL0
), n_shexp_quote_cp(value
, FAL0
));
849 if(!asccasecmp(cmd
, xcmd
= "Certificate")){
850 if(SSL_CTX_use_certificate_chain_file(ctxp
, value
) != 1){
851 emsg
= N_("TLS: %s: cannot load from file %s\n");
854 }else if(!asccasecmp(cmd
, xcmd
= "CipherString") ||
855 !asccasecmp(cmd
, xcmd
= "CipherList")/* grr, bad fault in past! */){
856 if(SSL_CTX_set_cipher_list(ctxp
, value
) != 1){
857 emsg
= N_("TLS: %s: invalid: %s\n");
860 }else if(!asccasecmp(cmd
, xcmd
= "Ciphersuites")){
861 #ifdef HAVE_XTLS_SET_CIPHERSUITES
862 if(SSL_CTX_set_ciphersuites(ctxp
, value
) != 1){
863 emsg
= N_("TLS: %s: invalid: %s\n");
868 emsg
= N_("TLS: %s: directive not supported\n");
871 }else if(!asccasecmp(cmd
, xcmd
= "Curves")){
872 #ifdef SSL_CTRL_SET_CURVES_LIST
873 if(SSL_CTX_set1_curves_list(ctxp
, value
) != 1){
874 emsg
= N_("TLS: %s: invalid: %s\n");
879 emsg
= N_("TLS: %s: directive not supported\n");
882 }else if((emsg
= NULL
, !asccasecmp(cmd
, xcmd
= "MaxProtocol")) ||
883 (emsg
= (char*)-1, !asccasecmp(cmd
, xcmd
= "MinProtocol"))){
884 #ifndef HAVE_XTLS_SET_MIN_PROTO_VERSION
886 emsg
= N_("TLS: %s: directive not supported\n");
889 struct a_xtls_protocol
const *xpp
;
892 for(i
= 1 /* [0] == ALL */;;){
893 xpp
= &a_xtls_protocols
[i
];
895 if(xpp
->xp_ok_minmaxproto
&& !asccasecmp(value
, xpp
->xp_name
))
898 if(++i
>= n_NELEM(a_xtls_protocols
)){
899 emsg
= N_("TLS: %s: unsupported element: %s\n");
904 if((emsg
== NULL
? SSL_CTX_set_max_proto_version(ctxp
, xpp
->xp_version
)
905 : SSL_CTX_set_min_proto_version(ctxp
, xpp
->xp_version
)) != 1){
906 emsg
= N_("TLS: %s: invalid protocol: %s\n");
909 #endif /* !HAVE_XTLS_SET_MIN_PROTO_VERSION */
910 }else if(!asccasecmp(cmd
, xcmd
= "Options")){
911 if(asccasecmp(value
, "Bugs")){
912 emsg
= N_("TLS: %s: fallback only supports value \"Bugs\": %s\n");
915 SSL_CTX_set_options(ctxp
, SSL_OP_ALL
);
916 }else if(!asccasecmp(cmd
, xcmd
= "PrivateKey")){
917 if(SSL_CTX_use_PrivateKey_file(ctxp
, value
, SSL_FILETYPE_PEM
) != 1){
918 emsg
= N_("%s: cannot load from file %s\n");
921 }else if(!asccasecmp(cmd
, xcmd
= "Protocol")){
922 char *iolist
, *cp
, addin
;
928 for(iolist
= cp
= savestr(value
);
929 (cp
= n_strsep(&iolist
, ',', FAL0
)) != NULL
;){
932 emsg
= N_("TLS: %s: empty elements are not supported\n");
938 case '-': addin
= FAL0
; /* FALLTHRU */
939 case '+': ++cp
; /* FALLTHRU */
944 struct a_xtls_protocol
const *xpp
;
946 xpp
= &a_xtls_protocols
[i
];
948 if(xpp
->xp_ok_proto
&& !asccasecmp(cp
, xpp
->xp_name
)){
949 /* We need to inverse the meaning of the _NO_s */
951 opts
|= xpp
->xp_op_no
;
953 opts
&= ~xpp
->xp_op_no
;
957 if(++i
>= n_NELEM(a_xtls_protocols
)){
958 emsg
= N_("TLS: %s: unsupported element: %s\n");
964 SSL_CTX_clear_options(ctxp
, SSL_OP_NO_SSL_MASK
);
965 SSL_CTX_set_options(ctxp
, opts
);
967 xcmd
= n_shexp_quote_cp(cmd
, FAL0
);
968 emsg
= N_("TLS: unsupported directive: %s: value: %s\n");
974 return (confp
!= NULL
);
976 ssl_gen_err(V_(emsg
), xcmd
, n_shexp_quote_cp(value
, FAL0
));
981 value
= n_shexp_quote_cp(value
, FAL0
);
982 n_err(V_(emsg
), xcmd
, value
);
988 a_xtls_conf_finish(void **confp
, bool_t error
){
994 #endif /* !HAVE_XTLS_CONF_CTX */
997 a_xtls_obsolete_conf_vars(void *confp
, struct url
const *urlp
){
998 char const *cp
, *cp_base
, *certchain
;
1004 /* Certificate via ssl-cert */
1005 if((certchain
= cp
= xok_vlook(ssl_cert
, urlp
, OXM_ALL
)) != NULL
){
1006 n_OBSOLETE(_("please use *tls-config-pairs* instead of *ssl-cert*"));
1007 if((cp_base
= fexpand(cp
, FEXP_LOCAL
| FEXP_NOPROTO
)) == NULL
){
1008 n_err(_("*ssl-cert* value expansion failed: %s\n"),
1009 n_shexp_quote_cp(cp
, FAL0
));
1012 if(!a_xtls_conf(confp
, "Certificate", certchain
= cp_base
))
1016 /* CipherString via ssl-ciper-list */
1017 if((cp
= xok_vlook(ssl_cipher_list
, urlp
, OXM_ALL
)) != NULL
){
1018 n_OBSOLETE(_("please use *tls-config-pairs* instead of "
1019 "*ssl-cipher-list*"));
1020 if(!a_xtls_conf(confp
, "CipherString", cp
))
1024 /* Curves via ssl-curves */
1025 if((cp
= xok_vlook(ssl_curves
, urlp
, OXM_ALL
)) != NULL
){
1026 n_OBSOLETE(_("please use *tls-config-pairs* instead of *ssl-curves*"));
1027 if(!a_xtls_conf(confp
, "Curves", cp
))
1031 /* PrivateKey via ssl-key */
1032 if((cp
= xok_vlook(ssl_key
, urlp
, OXM_ALL
)) != NULL
){
1033 n_OBSOLETE(_("please use *tls-config-pairs* instead of *ssl-key*"));
1034 if((cp_base
= fexpand(cp
, FEXP_LOCAL
| FEXP_NOPROTO
)) == NULL
){
1035 n_err(_("*ssl-key* value expansion failed: %s\n"),
1036 n_shexp_quote_cp(cp
, FAL0
));
1040 if(certchain
== NULL
){
1041 n_err(_("*ssl-key* can only be used together with *ssl-cert*! "
1042 "And use *ssl-config-pairs*!\n"));
1046 if((cp
!= NULL
|| (cp
= certchain
) != NULL
) &&
1047 !a_xtls_conf(confp
, "PrivateKey", cp
))
1050 /* Protocol via ssl-method or ssl-protocol */
1051 if((cp
= xok_vlook(ssl_method
, urlp
, OXM_ALL
)) != NULL
){
1054 n_OBSOLETE(_("please use *tls-config-pairs* instead of *ssl-method*"));
1056 if(!asccasecmp(_ssl_methods
[i
].sm_name
, cp
)){
1057 cp
= _ssl_methods
[i
].sm_map
;
1060 if(++i
== n_NELEM(_ssl_methods
)){
1061 n_err(_("Unsupported SSL method: %s\n"), cp
);
1066 if((cp_base
= xok_vlook(ssl_protocol
, urlp
, OXM_ALL
)) != NULL
){
1067 n_OBSOLETE(_("please use *tls-config-pairs* instead of *ssl-protocol*"));
1068 if(cp
!= NULL
&& (n_poption
& n_PO_D_V
))
1069 n_err(_("*ssl-protocol* overrides *ssl-method*! "
1070 "And please use *tls-config-pairs* instead!\n"));
1073 if(cp
!= NULL
&& !a_xtls_conf(confp
, "Protocol", cp
))
1083 a_xtls_config_pairs(void *confp
, struct url
const *urlp
){
1084 /* Due to interdependencies some commands have to be delayed a bit */
1085 static char const cmdcert
[] = "Certificate", cmdprivkey
[] = "PrivateKey";
1086 char const *valcert
, *valprivkey
;
1087 char *pairs
, *cp
, *cmd
, *val
;
1090 if((pairs
= n_UNCONST(xok_vlook(tls_config_pairs
, urlp
, OXM_ALL
))
1092 (pairs
= n_UNCONST(xok_vlook(ssl_config_pairs
, urlp
, OXM_ALL
))
1095 pairs
= savestr(pairs
);
1097 valcert
= valprivkey
= NULL
;
1099 while((cp
= n_strsep_esc(&pairs
, ',', FAL0
)) != NULL
){
1106 a_EXPAND_MASK
= a_EXPAND
| a_CERT
| a_PRIVKEY
1109 /* Directive, space trimmed */
1110 if((cmd
= strchr(cp
, '=')) == NULL
){
1113 pairs
= n_UNCONST(n_empty
);
1114 n_err(_("*tls-config-pairs*: missing directive: %s; rest: %s\n"),
1115 n_shexp_quote_cp(cp
, FAL0
), n_shexp_quote_cp(pairs
, FAL0
));
1120 if((cmd
> cp
&& cmd
[-1] == '*')){
1125 while(cmd
> cp
&& (c
= cmd
[-1], blankspacechar(c
)))
1132 /* Command with special treatment? */
1133 if(!asccasecmp(cmd
, cmdcert
))
1135 else if(!asccasecmp(cmd
, cmdprivkey
))
1138 /* Value, space trimmed */
1139 while((c
= *val
) != '\0' && blankspacechar(c
))
1141 cp
= &val
[strlen(val
)];
1142 while(cp
> val
&& (c
= cp
[-1], blankspacechar(c
)))
1147 pairs
= n_UNCONST(n_empty
);
1148 n_err(_("*tls-config-pairs*: missing value: %s; rest: %s\n"),
1149 n_shexp_quote_cp(cmd
, FAL0
), n_shexp_quote_cp(pairs
, FAL0
));
1153 /* Filename transformations to be applied? */
1154 if(f
& a_EXPAND_MASK
){
1155 if((cp
= fexpand(val
, FEXP_LOCAL
| FEXP_NOPROTO
)) == NULL
){
1157 pairs
= n_UNCONST(n_empty
);
1158 n_err(_("*tls-config-pairs*: value expansion failed: %s: %s; "
1160 n_shexp_quote_cp(cmd
, FAL0
), n_shexp_quote_cp(val
, FAL0
),
1161 n_shexp_quote_cp(pairs
, FAL0
));
1167 /* Some things have to be delayed */
1170 else if(f
& a_PRIVKEY
)
1172 else if(!a_xtls_conf(confp
, cmd
, val
)){
1173 pairs
= n_UNCONST(n_empty
);
1178 /* Work the delayed ones */
1179 if((valcert
!= NULL
&& !a_xtls_conf(confp
, cmdcert
, valcert
)) ||
1180 ((valprivkey
!= NULL
|| (valprivkey
= valcert
) != NULL
) &&
1181 !a_xtls_conf(confp
, cmdprivkey
, valprivkey
)))
1182 pairs
= n_UNCONST(n_empty
);
1186 return (pairs
== NULL
);
1190 a_xtls_load_verifications(SSL_CTX
*ctxp
, struct url
const *urlp
){
1191 char *ca_dir
, *ca_file
;
1196 if(n_tls_verify_level
== n_TLS_VERIFY_IGNORE
){
1202 if((ca_dir
= xok_vlook(tls_ca_dir
, urlp
, OXM_ALL
)) != NULL
||
1203 (ca_dir
= xok_vlook(ssl_ca_dir
, urlp
, OXM_ALL
)) != NULL
)
1204 ca_dir
= fexpand(ca_dir
, FEXP_LOCAL
| FEXP_NOPROTO
);
1205 if((ca_file
= xok_vlook(tls_ca_file
, urlp
, OXM_ALL
)) != NULL
||
1206 (ca_file
= xok_vlook(ssl_ca_file
, urlp
, OXM_ALL
)) != NULL
)
1207 ca_file
= fexpand(ca_file
, FEXP_LOCAL
| FEXP_NOPROTO
);
1209 if((ca_dir
!= NULL
|| ca_file
!= NULL
) &&
1210 SSL_CTX_load_verify_locations(ctxp
, ca_file
, ca_dir
) != 1){
1211 char const *m1
, *m2
, *m3
;
1215 m2
= (ca_file
!= NULL
) ? _(" or ") : n_empty
;
1218 m3
= (ca_file
!= NULL
) ? ca_file
: n_empty
;
1219 ssl_gen_err(_("Error loading %s%s%s\n"), m1
, m2
, m3
);
1226 if((xv15
= ok_blook(ssl_no_default_ca
)))
1227 n_OBSOLETE(_("please use *tls-ca-no-defaults*, "
1228 "not *ssl-no-default-ca*"));
1229 if(!xok_blook(tls_ca_no_defaults
, urlp
, OXM_ALL
) &&
1230 !xok_blook(ssl_ca_no_defaults
, urlp
, OXM_ALL
) && !xv15
&&
1231 SSL_CTX_set_default_verify_paths(ctxp
) != 1) {
1232 ssl_gen_err(_("Error loading built-in default CA locations\n"));
1237 a_xtls_state
&= ~a_XTLS_S_VERIFY_ERROR
;
1239 SSL_CTX_set_verify(ctxp
, SSL_VERIFY_PEER
, &a_xtls_verify_cb
);
1240 store
= SSL_CTX_get_cert_store(ctxp
);
1241 load_crls(store
, ok_v_tls_crl_file
, ok_v_tls_crl_dir
);
1242 a_xtls_ca_flags(store
, xok_vlook(tls_ca_flags
, urlp
, OXM_ALL
));
1243 a_xtls_ca_flags(store
, xok_vlook(ssl_ca_flags
, urlp
, OXM_ALL
));
1252 a_xtls_check_host(struct sock
*sp
, X509
*peercert
, struct url
const *urlp
){
1254 n_XTLS_STACKOF(GENERAL_NAME
) *gens
;
1263 if((gens
= X509_get_ext_d2i(peercert
, NID_subject_alt_name
, NULL
, NULL
)
1267 for(i
= 0; i
< sk_GENERAL_NAME_num(gens
); ++i
){
1268 gen
= sk_GENERAL_NAME_value(gens
, i
);
1269 if(gen
->type
== GEN_DNS
){
1270 if(n_poption
& n_PO_D_V
)
1271 n_err(_("Comparing subject_alt_name: need<%s> is<%s>\n"),
1272 urlp
->url_host
.s
, (char*)gen
->d
.ia5
->data
);
1273 if((rv
= n_tls_rfc2595_hostname_match(urlp
->url_host
.s
,
1274 (char*)gen
->d
.ia5
->data
)))
1280 if((subj
= X509_get_subject_name(peercert
)) != NULL
&&
1281 X509_NAME_get_text_by_NID(subj
, NID_commonName
, data
, sizeof data
1283 data
[sizeof data
- 1] = '\0';
1284 if(n_poption
& n_PO_D_V
)
1285 n_err(_("Comparing commonName: need<%s> is<%s>\n"),
1286 urlp
->url_host
.s
, data
);
1287 rv
= n_tls_rfc2595_hostname_match(urlp
->url_host
.s
, data
);
1295 smime_verify(struct message
*m
, int n
, n_XTLS_STACKOF(X509
) *chain
,
1298 char data
[LINESIZE
], *sender
, *to
, *cc
, *cnttype
;
1305 n_XTLS_STACKOF(X509
) *certs
;
1306 n_XTLS_STACKOF(GENERAL_NAME
) *gens
;
1317 a_xtls_state
&= ~a_XTLS_S_VERIFY_ERROR
;
1318 a_xtls_msgno
= (size_t)n
;
1321 sender
= getsender(m
);
1322 to
= hfield1("to", m
);
1323 cc
= hfield1("cc", m
);
1324 cnttype
= hfield1("content-type", m
);
1328 #define _X (sizeof("application/") -1)
1329 #define _Y(X) X, sizeof(X) -1
1330 if (cnttype
&& is_asccaseprefix("application/", cnttype
) &&
1331 (!ascncasecmp(cnttype
+ _X
, _Y("pkcs7-mime")) ||
1332 !ascncasecmp(cnttype
+ _X
, _Y("x-pkcs7-mime")))) {
1335 if ((x
= smime_decrypt(m
, to
, cc
, 1)) == NULL
)
1337 if (x
!= (struct message
*)-1) {
1343 if ((ip
= setinput(&mb
, m
, NEED_BODY
)) == NULL
)
1349 if ((fp
= Ftmp(NULL
, "smimever", OF_RDWR
| OF_UNLINK
| OF_REGISTER
)) ==
1351 n_perr(_("tempfile"), 0);
1354 while (size
-- > 0) {
1360 if ((fb
= BIO_new_fp(fp
, BIO_NOCLOSE
)) == NULL
) {
1362 "Error creating BIO verification object for message %d"), n
);
1366 if ((pkcs7
= SMIME_read_PKCS7(fb
, &pb
)) == NULL
) {
1367 ssl_gen_err(_("Error reading PKCS#7 object for message %d"), n
);
1370 if (PKCS7_verify(pkcs7
, chain
, store
, pb
, NULL
, 0) != 1) {
1371 ssl_gen_err(_("Error verifying message %d"), n
);
1375 if (sender
== NULL
) {
1376 n_err(_("Warning: Message %d has no sender\n"), n
);
1381 certs
= PKCS7_get0_signers(pkcs7
, chain
, 0);
1382 if (certs
== NULL
) {
1383 n_err(_("No certificates found in message %d\n"), n
);
1387 for (i
= 0; i
< sk_X509_num(certs
); ++i
) {
1388 cert
= sk_X509_value(certs
, i
);
1389 gens
= X509_get_ext_d2i(cert
, NID_subject_alt_name
, NULL
, NULL
);
1391 for (j
= 0; j
< sk_GENERAL_NAME_num(gens
); ++j
) {
1392 gen
= sk_GENERAL_NAME_value(gens
, j
);
1393 if (gen
->type
== GEN_EMAIL
) {
1394 if (n_poption
& n_PO_D_V
)
1395 n_err(_("Comparing subject_alt_name: need<%s> is<%s>)\n"),
1396 sender
, (char*)gen
->d
.ia5
->data
);
1397 if (!asccasecmp((char*)gen
->d
.ia5
->data
, sender
))
1403 if ((subj
= X509_get_subject_name(cert
)) != NULL
&&
1404 X509_NAME_get_text_by_NID(subj
, NID_pkcs9_emailAddress
,
1405 data
, sizeof data
) > 0) {
1406 data
[sizeof data
-1] = '\0';
1407 if (n_poption
& n_PO_D_V
)
1408 n_err(_("Comparing emailAddress: need<%s> is<%s>\n"),
1410 if (!asccasecmp(data
, sender
))
1414 n_err(_("Message %d: certificate does not match <%s>\n"), n
, sender
);
1417 rv
= ((a_xtls_state
& a_XTLS_S_VERIFY_ERROR
) != 0);
1419 fprintf(n_stdout
, _("Message %d was verified successfully\n"), n
);
1422 sk_X509_free(certs
);
1435 static EVP_CIPHER
const *
1436 _smime_cipher(char const *name
)
1438 EVP_CIPHER
const *cipher
;
1444 vn
= n_lofi_alloc(i
= strlen(name
) + sizeof("smime-cipher-") -1 +1);
1445 snprintf(vn
, (int)i
, "smime-cipher-%s", name
);
1446 cp
= n_var_vlook(vn
, FAL0
);
1449 if (cp
== NULL
&& (cp
= ok_vlook(smime_cipher
)) == NULL
) {
1450 cipher
= a_XTLS_SMIME_DEFAULT_CIPHER();
1455 for(i
= 0; i
< n_NELEM(a_xtls_ciphers
); ++i
)
1456 if(!asccasecmp(a_xtls_ciphers
[i
].xc_name
, cp
)){
1457 cipher
= (*a_xtls_ciphers
[i
].xc_fun
)();
1460 #ifndef OPENSSL_NO_AES
1461 for (i
= 0; i
< n_NELEM(a_xtls_smime_ciphers_obs
); ++i
) /* TODO obsolete */
1462 if (!asccasecmp(a_xtls_smime_ciphers_obs
[i
].xc_name
, cp
)) {
1463 n_OBSOLETE2(_("*smime-cipher* names with hyphens will vanish"), cp
);
1464 cipher
= (*a_xtls_smime_ciphers_obs
[i
].xc_fun
)();
1469 /* Not a built-in algorithm, but we may have dynamic support for more */
1470 #ifdef HAVE_TLS_ALL_ALGORITHMS
1471 if((cipher
= EVP_get_cipherbyname(cp
)) != NULL
)
1475 n_err(_("Invalid S/MIME cipher(s): %s\n"), cp
);
1482 ssl_password_cb(char *buf
, int size
, int rwflag
, void *userdata
)
1491 if(userdata
!= NULL
){
1495 if(url_parse(&url
, CPROTO_CCRED
, userdata
)){
1496 if(ccred_lookup(&cred
, &url
)){
1499 if((slen
= n_strscpy(buf
, cred
.cc_pass
.s
, size
)) >= 0){
1510 if ((pass
= getpassword("PEM pass phrase:")) != NULL
) {
1512 if (UICMP(z
, len
, >=, size
))
1514 memcpy(buf
, pass
, len
);
1525 smime_sign_cert(char const *xname
, char const *xname2
, bool_t dowarn
,
1531 char const *name
= xname
, *name2
= xname2
, *cp
;
1537 np
= lextract(name
, GTO
| GSKIN
);
1538 while (np
!= NULL
) {
1539 /* This needs to be more intelligent since it will currently take the
1540 * first name for which a private key is available regardless of
1541 * whether it is the right one for the message */
1542 vn
= n_lofi_alloc(vs
= strlen(np
->n_name
) + 30);
1543 snprintf(vn
, vs
, "smime-sign-cert-%s", np
->n_name
);
1544 cp
= n_var_vlook(vn
, FAL0
);
1548 *match
= np
->n_name
;
1553 if (name2
!= NULL
) {
1560 if ((cp
= ok_vlook(smime_sign_cert
)) == NULL
)
1565 if ((cp
= fexpand(cp
, FEXP_LOCAL
| FEXP_NOPROTO
)) == NULL
)
1567 if ((fp
= Fopen(cp
, "r")) == NULL
)
1574 n_err(_("Could not find a certificate for %s%s%s\n"),
1575 xname
, (xname2
!= NULL
? _("or ") : n_empty
),
1576 (xname2
!= NULL
? xname2
: n_empty
));
1581 _smime_sign_include_certs(char const *name
)
1586 /* See comments in smime_sign_cert() for algorithm pitfalls */
1590 for (np
= lextract(name
, GTO
| GSKIN
); np
!= NULL
; np
= np
->n_flink
) {
1594 vn
= n_lofi_alloc(vs
= strlen(np
->n_name
) + 30);
1595 snprintf(vn
, vs
, "smime-sign-include-certs-%s", np
->n_name
);
1596 rv
= n_var_vlook(vn
, FAL0
);
1602 rv
= ok_vlook(smime_sign_include_certs
);
1609 _smime_sign_include_chain_creat(n_XTLS_STACKOF(X509
) **chain
,
1610 char const *cfiles
, char const *addr
)
1614 char *nfield
, *cfield
, *x
;
1617 *chain
= sk_X509_new_null();
1619 for (nfield
= savestr(cfiles
);
1620 (cfield
= n_strsep(&nfield
, ',', TRU1
)) != NULL
;) {
1621 if ((x
= fexpand(cfield
, FEXP_LOCAL
| FEXP_NOPROTO
)) == NULL
||
1622 (fp
= Fopen(cfield
= x
, "r")) == NULL
) {
1626 if ((tmp
= PEM_read_X509(fp
, NULL
, &ssl_password_cb
, n_UNCONST(addr
))
1628 ssl_gen_err(_("Error reading certificate from %s"),
1629 n_shexp_quote_cp(cfield
, FAL0
));
1633 sk_X509_push(*chain
, tmp
);
1637 if (sk_X509_num(*chain
) == 0) {
1638 n_err(_("*smime-sign-include-certs* defined but empty\n"));
1643 return (*chain
!= NULL
);
1645 sk_X509_pop_free(*chain
, X509_free
);
1650 static EVP_MD
const *
1651 a_xtls_smime_sign_digest(char const *name
, char const **digname
){
1652 EVP_MD
const *digest
;
1656 /* See comments in smime_sign_cert() for algorithm pitfalls */
1660 for(np
= lextract(name
, GTO
| GSKIN
); np
!= NULL
; np
= np
->n_flink
){
1664 vn
= n_lofi_alloc(vs
= strlen(np
->n_name
) + 30);
1665 snprintf(vn
, vs
, "smime-sign-digest-%s", np
->n_name
);
1666 if((cp
= n_var_vlook(vn
, FAL0
)) == NULL
){
1667 snprintf(vn
, vs
, "smime-sign-message-digest-%s",np
->n_name
);/*v15*/
1668 cp
= n_var_vlook(vn
, FAL0
);
1676 if((cp
= ok_vlook(smime_sign_digest
)) != NULL
||
1677 (cp
= ok_vlook(smime_sign_message_digest
)/* v15 */) != NULL
)
1679 if(a_xtls_digest_find(cp
, &digest
, digname
))
1682 digest
= a_XTLS_SMIME_DEFAULT_DIGEST();
1683 *digname
= a_XTLS_SMIME_DEFAULT_DIGEST_S
;
1689 #if defined X509_V_FLAG_CRL_CHECK && defined X509_V_FLAG_CRL_CHECK_ALL
1691 load_crl1(X509_STORE
*store
, char const *name
)
1693 X509_LOOKUP
*lookup
;
1694 enum okay rv
= STOP
;
1697 if (n_poption
& n_PO_D_V
)
1698 n_err(_("Loading CRL from %s\n"), n_shexp_quote_cp(name
, FAL0
));
1699 if ((lookup
= X509_STORE_add_lookup(store
, X509_LOOKUP_file())) == NULL
) {
1700 ssl_gen_err(_("Error creating X509 lookup object"));
1703 if (X509_load_crl_file(lookup
, name
, X509_FILETYPE_PEM
) != 1) {
1704 ssl_gen_err(_("Error loading CRL from %s"),
1705 n_shexp_quote_cp(name
, FAL0
));
1713 #endif /* new OpenSSL */
1716 load_crls(X509_STORE
*store
, enum okeys fok
, enum okeys dok
)/*TODO nevertried*/
1718 char *crl_file
, *crl_dir
;
1719 #if defined X509_V_FLAG_CRL_CHECK && defined X509_V_FLAG_CRL_CHECK_ALL
1733 if ((crl_file
= n_var_oklook(fok
)) != NULL
) {
1734 #if defined X509_V_FLAG_CRL_CHECK && defined X509_V_FLAG_CRL_CHECK_ALL
1735 if ((crl_file
= fexpand(crl_file
, FEXP_LOCAL
| FEXP_NOPROTO
)) == NULL
||
1736 load_crl1(store
, crl_file
) != OKAY
)
1740 n_err(_("This OpenSSL version is too old to use CRLs\n"));
1745 if ((crl_dir
= n_var_oklook(dok
)) != NULL
) {
1746 #if defined X509_V_FLAG_CRL_CHECK && defined X509_V_FLAG_CRL_CHECK_ALL
1748 if ((x
= fexpand(crl_dir
, FEXP_LOCAL
| FEXP_NOPROTO
)) == NULL
||
1749 (dirp
= opendir(crl_dir
= x
)) == NULL
) {
1754 ds
= strlen(crl_dir
);
1755 fn
= n_alloc(fs
= ds
+ 20);
1756 memcpy(fn
, crl_dir
, ds
);
1758 while ((dp
= readdir(dirp
)) != NULL
) {
1759 if (dp
->d_name
[0] == '.' && (dp
->d_name
[1] == '\0' ||
1760 (dp
->d_name
[1] == '.' && dp
->d_name
[2] == '\0')))
1762 if (dp
->d_name
[0] == '.')
1764 if (ds
+ (es
= strlen(dp
->d_name
)) + 2 < fs
)
1765 fn
= n_realloc(fn
, fs
= ds
+ es
+ 20);
1766 memcpy(fn
+ ds
+ 1, dp
->d_name
, es
+ 1);
1767 if (load_crl1(store
, fn
) != OKAY
) {
1776 #else /* old OpenSSL */
1777 n_err(_("This OpenSSL version is too old to use CRLs\n"));
1782 if(fok
== ok_v_tls_crl_file
){
1783 fok
= ok_v_ssl_crl_file
;
1784 dok
= ok_v_ssl_crl_dir
;
1787 #if defined X509_V_FLAG_CRL_CHECK && defined X509_V_FLAG_CRL_CHECK_ALL
1789 X509_STORE_set_flags(store
, X509_V_FLAG_CRL_CHECK
|
1790 X509_V_FLAG_CRL_CHECK_ALL
);
1798 #if HAVE_RANDOM == n_RANDOM_IMPL_TLS
1800 n_tls_rand_bytes(void *buf
, size_t blen
){
1803 if(!(a_xtls_state
& a_XTLS_S_RAND_INIT
))
1809 i
= n_MIN(SI32_MAX
, blen
);
1812 buf
= (ui8_t
*)buf
+ i
;
1819 n_tls_open(struct url
*urlp
, struct sock
*sp
){
1822 const EVP_MD
*fprnt_mdp
;
1823 char const *fprnt
, *fprnt_namep
;
1827 n_tls_set_verify_level(urlp
); /* TODO should come in via URL! */
1830 if(urlp
->url_cproto
!= CPROTO_CERTINFO
)
1831 fprnt
= xok_vlook(tls_fingerprint
, urlp
, OXM_ALL
);
1837 if(fprnt
!= NULL
|| urlp
->url_cproto
== CPROTO_CERTINFO
||
1838 (n_poption
& n_PO_D_V
)){
1839 if((fprnt_namep
= xok_vlook(tls_fingerprint_digest
, urlp
,
1840 OXM_ALL
)) == NULL
||
1841 !a_xtls_digest_find(fprnt_namep
, &fprnt_mdp
, &fprnt_namep
)){
1842 fprnt_mdp
= a_XTLS_FINGERPRINT_DEFAULT_DIGEST();
1843 fprnt_namep
= a_XTLS_FINGERPRINT_DEFAULT_DIGEST_S
;
1847 if((ctxp
= SSL_CTX_new(n_XTLS_CLIENT_METHOD())) == NULL
){
1848 ssl_gen_err(_("SSL_CTX_new() failed"));
1852 /* Available with OpenSSL 0.9.6 or later */
1853 #ifdef SSL_MODE_AUTO_RETRY
1854 SSL_CTX_set_mode(ctxp
, SSL_MODE_AUTO_RETRY
);
1857 if((confp
= a_xtls_conf_setup(ctxp
, urlp
)) == NULL
)
1860 if(!a_xtls_obsolete_conf_vars(confp
, urlp
))
1862 if(!a_xtls_config_pairs(confp
, urlp
))
1864 if((fprnt
== NULL
|| urlp
->url_cproto
== CPROTO_CERTINFO
) &&
1865 !a_xtls_load_verifications(ctxp
, urlp
))
1868 /* Done with context setup, create our new per-connection structure */
1869 if(!a_xtls_conf_finish(&confp
, FAL0
))
1871 assert(confp
== NULL
);
1873 if((sp
->s_tls
= SSL_new(ctxp
)) == NULL
){
1874 ssl_gen_err(_("SSL_new() failed"));
1878 /* Try establish SNI extension; even though this is a TLS extension the
1879 * protocol isn't checked by OpenSSL once the host name is set, and
1880 * therefore i refrained from changing so much code just to check out
1881 * whether we are using SSLv3, which should become more and more rare */
1882 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
1883 if((urlp
->url_flags
& n_URL_TLS_MASK
) &&
1884 (urlp
->url_flags
& n_URL_HOST_IS_NAME
)){
1885 if(!SSL_set_tlsext_host_name(sp
->s_tls
, urlp
->url_host
.s
) &&
1886 (n_poption
& n_PO_D_V
))
1887 n_err(_("Hostname cannot be used with ServerNameIndication "
1888 "TLS extension: %s\n"),
1889 n_shexp_quote_cp(urlp
->url_host
.s
, FAL0
));
1893 SSL_set_fd(sp
->s_tls
, sp
->s_fd
);
1895 if(SSL_connect(sp
->s_tls
) < 0){
1896 ssl_gen_err(_("could not initiate TLS connection"));
1900 if(fprnt
!= NULL
|| urlp
->url_cproto
== CPROTO_CERTINFO
||
1901 n_tls_verify_level
!= n_TLS_VERIFY_IGNORE
){
1905 if((peercert
= SSL_get_peer_certificate(sp
->s_tls
)) == NULL
){
1906 n_err(_("TLS: no certificate from peer: %s\n"), urlp
->url_h_p
.s
);
1913 if(!a_xtls_check_host(sp
, peercert
, urlp
)){
1914 n_err(_("TLS certificate does not match: %s\n"), urlp
->url_h_p
.s
);
1915 stay
= n_tls_verify_decide();
1917 if(n_poption
& n_PO_D_V
)
1918 n_err(_("TLS certificate ok\n"));
1923 if(fprnt
!= NULL
|| urlp
->url_cproto
== CPROTO_CERTINFO
||
1924 (n_poption
& n_PO_D_V
)){
1925 char fpmdhexbuf
[EVP_MAX_MD_SIZE
* 3], *cp
;
1926 unsigned char fpmdbuf
[EVP_MAX_MD_SIZE
], *ucp
;
1927 unsigned int fpmdlen
;
1929 if(!X509_digest(peercert
, fprnt_mdp
, fpmdbuf
, &fpmdlen
)){
1930 ssl_gen_err(_("TLS %s fingerprint creation failed"), fprnt_namep
);
1933 assert(fpmdlen
<= EVP_MAX_MD_SIZE
);
1935 for(cp
= fpmdhexbuf
, ucp
= fpmdbuf
; fpmdlen
> 0; --fpmdlen
){
1936 n_c_to_hex_base16(cp
, (char)*ucp
++);
1942 if(n_poption
& n_PO_D_V
)
1943 n_err(_("TLS %s fingerprint: %s\n"), fprnt_namep
, fpmdhexbuf
);
1945 if(!(stay
= !strcmp(fprnt
, fpmdhexbuf
))){
1946 n_err(_("TLS fingerprint does not match: %s\n"
1947 " Expected: %s\n Detected: %s\n"),
1948 urlp
->url_h_p
.s
, fprnt
, fpmdhexbuf
);
1949 stay
= n_tls_verify_decide();
1950 }else if(n_poption
& n_PO_D_V
)
1951 n_err(_("TLS fingerprint ok\n"));
1953 }else if(urlp
->url_cproto
== CPROTO_CERTINFO
)
1954 sp
->s_tls_finger
= savestrbuf(fpmdhexbuf
,
1955 PTR2SIZE(cp
- fpmdhexbuf
));
1959 X509_free(peercert
);
1966 /* We're fully setup: since we don't reuse the SSL_CTX (pooh) keep it local
1967 * and free it right now -- it is reference counted by sp->s_tls.. */
1971 return (sp
->s_tls
!= NULL
);
1973 SSL_free(sp
->s_tls
);
1977 a_xtls_conf_finish(&confp
, TRU1
);
1982 ssl_gen_err(char const *fmt
, ...)
1991 n_err(_(": %s\n"), ERR_error_string(ERR_get_error(), NULL
));
1998 int *msgvec
= vp
, *ip
, ec
= 0, rv
= 1;
1999 X509_STORE
*store
= NULL
;
2000 char *ca_dir
, *ca_file
;
2005 n_tls_verify_level
= n_TLS_VERIFY_STRICT
;
2006 if ((store
= X509_STORE_new()) == NULL
) {
2007 ssl_gen_err(_("Error creating X509 store"));
2010 X509_STORE_set_verify_cb_func(store
, &a_xtls_verify_cb
);
2012 if ((ca_dir
= ok_vlook(smime_ca_dir
)) != NULL
)
2013 ca_dir
= fexpand(ca_dir
, FEXP_LOCAL
| FEXP_NOPROTO
);
2014 if ((ca_file
= ok_vlook(smime_ca_file
)) != NULL
)
2015 ca_file
= fexpand(ca_file
, FEXP_LOCAL
| FEXP_NOPROTO
);
2017 if((ca_dir
!= NULL
|| ca_file
!= NULL
) &&
2018 X509_STORE_load_locations(store
, ca_file
, ca_dir
) != 1){
2019 char const *m1
, *m2
, *m3
;
2023 m2
= (ca_file
!= NULL
) ? _(" or ") : n_empty
;
2026 m3
= (ca_file
!= NULL
) ? ca_file
: n_empty
;
2027 ssl_gen_err(_("Error loading %s%s%s\n"), m1
, m2
, m3
);
2034 if((xv15
= ok_blook(smime_no_default_ca
)))
2035 n_OBSOLETE(_("please use *smime-ca-no-defaults*, "
2036 "not *smime-no-default-ca*"));
2037 if(!ok_blook(smime_ca_no_defaults
) && !xv15
&&
2038 X509_STORE_set_default_paths(store
) != 1) {
2039 ssl_gen_err(_("Error loading built-in default CA locations\n"));
2044 if (load_crls(store
, ok_v_smime_crl_file
, ok_v_smime_crl_dir
) != OKAY
)
2047 a_xtls_ca_flags(store
, ok_vlook(smime_ca_flags
));
2050 for (ip
= msgvec
; *ip
!= 0; ++ip
) {
2051 struct message
*mp
= message
+ *ip
- 1;
2053 ec
|= smime_verify(mp
, *ip
, NULL
, store
);
2059 n_exit_status
|= n_EXIT_ERR
;
2062 X509_STORE_free(store
);
2068 smime_sign(FILE *ip
, char const *addr
)
2070 FILE *rv
, *sp
, *fp
, *bp
, *hp
;
2072 n_XTLS_STACKOF(X509
) *chain
= NULL
;
2073 EVP_PKEY
*pkey
= NULL
;
2081 assert(addr
!= NULL
);
2082 rv
= sp
= fp
= bp
= hp
= NULL
;
2087 n_err(_("No *from* address for signing specified\n"));
2090 if ((fp
= smime_sign_cert(addr
, NULL
, 1, NULL
)) == NULL
)
2093 if ((pkey
= PEM_read_PrivateKey(fp
, NULL
, &ssl_password_cb
,
2094 savecat(addr
, ".smime-cert-key"))) == NULL
) {
2095 ssl_gen_err(_("Error reading private key from"));
2100 if ((cert
= PEM_read_X509(fp
, NULL
, &ssl_password_cb
,
2101 savecat(addr
, ".smime-cert-cert"))) == NULL
) {
2102 ssl_gen_err(_("Error reading signer certificate from"));
2108 if ((name
= _smime_sign_include_certs(addr
)) != NULL
&&
2109 !_smime_sign_include_chain_creat(&chain
, name
,
2110 savecat(addr
, ".smime-include-certs")))
2114 if ((md
= a_xtls_smime_sign_digest(addr
, &name
)) == NULL
)
2117 if ((sp
= Ftmp(NULL
, "smimesign", OF_RDWR
| OF_UNLINK
| OF_REGISTER
)) ==
2119 n_perr(_("tempfile"), 0);
2124 if (smime_split(ip
, &hp
, &bp
, -1, 0) == STOP
)
2130 if ((bb
= BIO_new_fp(bp
, BIO_NOCLOSE
)) == NULL
||
2131 (sb
= BIO_new_fp(sp
, BIO_NOCLOSE
)) == NULL
) {
2132 ssl_gen_err(_("Error creating BIO signing objects"));
2138 #define _X PKCS7_DETACHED | PKCS7_PARTIAL
2139 if ((pkcs7
= PKCS7_sign(NULL
, NULL
, chain
, bb
, _X
)) == NULL
) {
2140 ssl_gen_err(_("Error creating the PKCS#7 signing object"));
2144 if (PKCS7_sign_add_signer(pkcs7
, cert
, pkey
, md
, _X
) == NULL
) {
2145 ssl_gen_err(_("Error setting PKCS#7 signing object signer"));
2149 if (!PKCS7_final(pkcs7
, bb
, _X
)) {
2150 ssl_gen_err(_("Error finalizing the PKCS#7 signing object"));
2156 if (PEM_write_bio_PKCS7(sb
, pkcs7
) == 0) {
2157 ssl_gen_err(_("Error writing signed S/MIME data"));
2171 rv
= smime_sign_assemble(hp
, bp
, sp
, name
);
2172 hp
= bp
= sp
= NULL
;
2177 sk_X509_pop_free(chain
, X509_free
);
2181 EVP_PKEY_free(pkey
);
2195 smime_encrypt(FILE *ip
, char const *xcertfile
, char const *to
)
2197 FILE *rv
, *yp
, *fp
, *bp
, *hp
;
2201 n_XTLS_STACKOF(X509
) *certs
;
2202 EVP_CIPHER
const *cipher
;
2208 rv
= yp
= fp
= bp
= hp
= NULL
;
2210 if ((certfile
= fexpand(xcertfile
, FEXP_LOCAL
| FEXP_NOPROTO
)) == NULL
)
2215 if ((cipher
= _smime_cipher(to
)) == NULL
)
2218 if ((fp
= Fopen(certfile
, "r")) == NULL
) {
2219 n_perr(certfile
, 0);
2222 if ((cert
= PEM_read_X509(fp
, NULL
, &ssl_password_cb
, NULL
)) == NULL
) {
2223 ssl_gen_err(_("Error reading encryption certificate from %s"),
2224 n_shexp_quote_cp(certfile
, FAL0
));
2233 certs
= sk_X509_new_null();
2234 sk_X509_push(certs
, cert
);
2236 if ((yp
= Ftmp(NULL
, "smimeenc", OF_RDWR
| OF_UNLINK
| OF_REGISTER
)) ==
2238 n_perr(_("tempfile"), 0);
2243 if (smime_split(ip
, &hp
, &bp
, -1, 0) == STOP
)
2247 if ((bb
= BIO_new_fp(bp
, BIO_NOCLOSE
)) == NULL
||
2248 (yb
= BIO_new_fp(yp
, BIO_NOCLOSE
)) == NULL
) {
2249 ssl_gen_err(_("Error creating BIO encryption objects"));
2253 if ((pkcs7
= PKCS7_encrypt(certs
, bb
, cipher
, 0)) == NULL
) {
2254 ssl_gen_err(_("Error creating the PKCS#7 encryption object"));
2258 if (PEM_write_bio_PKCS7(yb
, pkcs7
) == 0) {
2259 ssl_gen_err(_("Error writing encrypted S/MIME data"));
2274 rv
= smime_encrypt_assemble(hp
, yp
);
2278 sk_X509_pop_free(certs
, X509_free
);
2293 smime_decrypt(struct message
*m
, char const *to
, char const *cc
,
2309 ob
= bb
= pb
= NULL
;
2311 bp
= hp
= op
= NULL
;
2315 if((yp
= setinput(&mb
, m
, NEED_BODY
)) == NULL
)
2320 if((op
= smime_sign_cert(to
, cc
, 0, &myaddr
)) != NULL
){
2321 pkey
= PEM_read_PrivateKey(op
, NULL
, &ssl_password_cb
,
2322 savecat(myaddr
, ".smime-cert-key"));
2324 ssl_gen_err(_("Error reading private key"));
2329 if((cert
= PEM_read_X509(op
, NULL
, &ssl_password_cb
,
2330 savecat(myaddr
, ".smime-cert-cert"))) == NULL
){
2331 ssl_gen_err(_("Error reading decryption certificate"));
2339 if((op
= Ftmp(NULL
, "smimed", OF_RDWR
| OF_UNLINK
| OF_REGISTER
)) == NULL
){
2340 n_perr(_("tempfile"), 0);
2344 if(smime_split(yp
, &hp
, &bp
, size
, 1) == STOP
)
2347 if((ob
= BIO_new_fp(op
, BIO_NOCLOSE
)) == NULL
||
2348 (bb
= BIO_new_fp(bp
, BIO_NOCLOSE
)) == NULL
){
2349 ssl_gen_err(_("Error creating BIO decryption objects"));
2353 if((pkcs7
= SMIME_read_PKCS7(bb
, &pb
)) == NULL
){
2354 ssl_gen_err(_("Error reading PKCS#7 object"));
2358 if(PKCS7_type_is_signed(pkcs7
)){
2360 setinput(&mb
, m
, NEED_BODY
);
2361 rv
= (struct message
*)-1;
2364 if(PKCS7_verify(pkcs7
, NULL
, NULL
, NULL
, ob
,
2365 PKCS7_NOVERIFY
| PKCS7_NOSIGS
) != 1)
2367 fseek(hp
, 0L, SEEK_END
);
2368 fprintf(hp
, "X-Encryption-Cipher: none\n");
2370 }else if(pkey
== NULL
){
2371 n_err(_("No appropriate private key found\n"));
2373 }else if(cert
== NULL
){
2374 n_err(_("No appropriate certificate found\n"));
2376 }else if(PKCS7_decrypt(pkcs7
, pkey
, cert
, ob
, 0) != 1){
2378 ssl_gen_err(_("Error decrypting PKCS#7 object"));
2385 rv
= smime_decrypt_assemble(m
, hp
, op
);
2386 hp
= op
= NULL
; /* xxx closed by decrypt_assemble */
2403 EVP_PKEY_free(pkey
);
2409 smime_certsave(struct message
*m
, int n
, FILE *op
)
2412 char *to
, *cc
, *cnttype
;
2418 n_XTLS_STACKOF(X509
) *certs
, *chain
= NULL
;
2420 enum okay rv
= STOP
;
2425 a_xtls_msgno
= (size_t)n
;
2427 to
= hfield1("to", m
);
2428 cc
= hfield1("cc", m
);
2429 cnttype
= hfield1("content-type", m
);
2431 if ((ip
= setinput(&mb
, m
, NEED_BODY
)) == NULL
)
2436 #define _X (sizeof("application/") -1)
2437 #define _Y(X) X, sizeof(X) -1
2438 if (cnttype
&& is_asccaseprefix("application/", cnttype
) &&
2439 (!ascncasecmp(cnttype
+ _X
, _Y("pkcs7-mime")) ||
2440 !ascncasecmp(cnttype
+ _X
, _Y("x-pkcs7-mime")))) {
2443 if ((x
= smime_decrypt(m
, to
, cc
, 1)) == NULL
)
2445 if (x
!= (struct message
*)-1) {
2452 if ((fp
= Ftmp(NULL
, "smimecert", OF_RDWR
| OF_UNLINK
| OF_REGISTER
)) ==
2454 n_perr(_("tempfile"), 0);
2458 while (size
-- > 0) {
2465 if ((fb
= BIO_new_fp(fp
, BIO_NOCLOSE
)) == NULL
) {
2466 ssl_gen_err("Error creating BIO object for message %d", n
);
2471 if ((pkcs7
= SMIME_read_PKCS7(fb
, &pb
)) == NULL
) {
2472 ssl_gen_err(_("Error reading PKCS#7 object for message %d"), n
);
2480 certs
= PKCS7_get0_signers(pkcs7
, chain
, 0);
2481 if (certs
== NULL
) {
2482 n_err(_("No certificates found in message %d\n"), n
);
2486 for (i
= 0; i
< sk_X509_num(certs
); ++i
) {
2487 cert
= sk_X509_value(certs
, i
);
2488 if (X509_print_fp(op
, cert
) == 0 || PEM_write_X509(op
, cert
) == 0) {
2489 ssl_gen_err(_("Error writing certificate %d from message %d"),
2501 #endif /* HAVE_XTLS */