1 /*@ S-nail - a mail user agent derived from Berkeley Mail.
2 *@ OpenSSL functions. TODO this needs an overhaul -- there _are_ stack leaks!?
4 * Copyright (c) 2000-2004 Gunnar Ritter, Freiburg i. Br., Germany.
5 * Copyright (c) 2012 - 2014 Steffen (Daode) Nurpmeso <sdaoden@users.sf.net>.
9 * Gunnar Ritter. All rights reserved.
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. All advertising materials mentioning features or use of this software
20 * must display the following acknowledgement:
21 * This product includes software developed by Gunnar Ritter
22 * and his contributors.
23 * 4. Neither the name of Gunnar Ritter nor the names of his contributors
24 * may be used to endorse or promote products derived from this software
25 * without specific prior written permission.
27 * THIS SOFTWARE IS PROVIDED BY GUNNAR RITTER AND CONTRIBUTORS ``AS IS'' AND
28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
30 * ARE DISCLAIMED. IN NO EVENT SHALL GUNNAR RITTER OR CONTRIBUTORS BE LIABLE
31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
40 #ifndef HAVE_AMALGAMATION
46 #include <sys/socket.h>
51 #include <netinet/in.h>
53 #include <openssl/crypto.h>
54 #include <openssl/ssl.h>
55 #include <openssl/err.h>
56 #include <openssl/x509v3.h>
57 #include <openssl/x509.h>
58 #include <openssl/pem.h>
59 #include <openssl/rand.h>
61 #ifdef HAVE_ARPA_INET_H
62 # include <arpa/inet.h>
66 * OpenSSL client implementation according to: John Viega, Matt Messier,
67 * Pravir Chandra: Network Security with OpenSSL. Sebastopol, CA 2002.
70 #ifdef HAVE_OPENSSL_STACK_OF
71 # define _STACKOF(X) STACK_OF(X)
73 # define _STACKOF(X) /*X*/STACK
77 char const sm_name
[8];
78 SSL_METHOD
const * (*sm_fun
)(void);
82 char const sc_name
[8];
83 EVP_CIPHER
const * (*sc_fun
)(void);
86 /* Supported SSL/TLS methods: update manual on change! */
87 static struct ssl_method
const _ssl_methods
[] = {
88 {"auto", &SSLv23_client_method
},
89 #define _SSL_DEFAULT_METHOD SSLv23_client_method
90 #ifndef OPENSSL_NO_TLS1
91 # ifdef TLS1_2_VERSION
92 {"tls1.2", &TLSv1_2_client_method
},
94 # ifdef TLS1_1_VERSION
95 {"tls1.1", &TLSv1_1_client_method
},
97 {"tls1", &TLSv1_client_method
},
99 #ifndef OPENSSL_NO_SSL3
100 {"ssl3", &SSLv3_client_method
},
102 #ifndef OPENSSL_NO_SSL2
103 {"ssl2", &SSLv2_client_method
}
107 /* Supported S/MIME cipher algorithms: update manual on change! */
108 static struct smime_cipher
const _smime_ciphers
[] = {
109 #ifndef OPENSSL_NO_AES
110 # define _SMIME_DEFAULT_CIPHER EVP_aes_128_cbc /* According to RFC 5751 */
111 {"aes-128", &EVP_aes_128_cbc
},
112 {"aes-256", &EVP_aes_256_cbc
},
113 {"aes-192", &EVP_aes_192_cbc
},
115 #ifndef OPENSSL_NO_DES
116 # ifndef _SMIME_DEFAULT_CIPHER
117 # define _SMIME_DEFAULT_CIPHER EVP_des_ede3_cbc
119 {"des3", &EVP_des_ede3_cbc
},
120 {"des", &EVP_des_cbc
},
122 #ifndef OPENSSL_NO_RC2
123 {"rc2-40", &EVP_rc2_40_cbc
},
124 {"rc2-64", &EVP_rc2_64_cbc
},
127 #ifndef _SMIME_DEFAULT_CIPHER
128 # error Your OpenSSL library does not include the necessary
129 # error cipher algorithms that are required to support S/MIME
132 static int _ssl_isinit
;
133 static int _ssl_rand_isinit
;
134 static int _ssl_msgno
;
135 static int _ssl_verify_error
;
137 static int _ssl_rand_init(void);
138 static void _ssl_init(void);
139 static bool_t
_ssl_parse_asn1_time(ASN1_TIME
*atp
,
140 char *bdat
, size_t blen
);
141 static int _ssl_verify_cb(int success
, X509_STORE_CTX
*store
);
142 static const SSL_METHOD
*ssl_select_method(char const *uhp
);
143 static void ssl_load_verifications(struct sock
*sp
);
144 static void ssl_certificate(struct sock
*sp
, char const *uhp
);
145 static enum okay
ssl_check_host(char const *server
, struct sock
*sp
);
146 static int smime_verify(struct message
*m
, int n
, _STACKOF(X509
) *chain
,
148 static EVP_CIPHER
const * _smime_cipher(char const *name
);
149 static int ssl_password_cb(char *buf
, int size
, int rwflag
,
151 static FILE * smime_sign_cert(char const *xname
, char const *xname2
,
153 static char * _smime_sign_include_certs(char const *name
);
154 static bool_t
_smime_sign_include_chain_creat(_STACKOF(X509
) **chain
,
156 #if defined X509_V_FLAG_CRL_CHECK && defined X509_V_FLAG_CRL_CHECK_ALL
157 static enum okay
load_crl1(X509_STORE
*store
, char const *name
);
159 static enum okay
load_crls(X509_STORE
*store
, enum okeys fok
, enum okeys dok
);
168 #ifdef HAVE_OPENSSL_RAND_EGD
169 if ((cp
= ok_vlook(ssl_rand_egd
)) != NULL
) {
170 if ((x
= file_expand(cp
)) == NULL
|| RAND_egd(cp
= x
) == -1)
171 fprintf(stderr
, _("entropy daemon at \"%s\" not available\n"),
177 if ((cp
= ok_vlook(ssl_rand_file
)) != NULL
) {
178 if ((x
= file_expand(cp
)) == NULL
|| RAND_load_file(cp
= x
, 1024) == -1)
179 fprintf(stderr
, _("entropy file at \"%s\" not available\n"), cp
);
183 if (!stat(cp
, &st
) && S_ISREG(st
.st_mode
) && !access(cp
, W_OK
)) {
184 if (RAND_write_file(cp
) == -1) {
186 "writing entropy data to \"%s\" failed\n"), cp
);
200 if (_ssl_isinit
== 0) {
204 if (_ssl_rand_isinit
== 0)
205 _ssl_rand_isinit
= _ssl_rand_init();
210 _ssl_parse_asn1_time(ASN1_TIME
*atp
, char *bdat
, size_t blen
)
212 /* Shamelessly stolen from CURL */
214 int Y
, M
, d
, h
, m
, s
;
218 db
= (char const*)atp
->data
;
219 if (atp
->length
< 10)
222 for (s
= 0; s
< 10; ++s
)
223 if (!digitchar(db
[s
]))
226 gm
= (db
[atp
->length
- 1] == 'Z') ? "GMT" : "";
228 Y
= (db
[0] - '0') * 10 + (db
[1] - '0');
233 M
= (db
[2] - '0') * 10 + (db
[3] - '0');
237 d
= (db
[4] - '0') * 10 + (db
[5] - '0');
238 h
= (db
[6] - '0') * 10 + (db
[7] - '0');
239 m
= (db
[8] - '0') * 10 + (db
[9] - '0');
240 s
= (db
[10] >= '0' && db
[10] <= '9' && db
[11] >= '0' && db
[11] <= '9')
241 ? ((db
[10] - '0') * 10 + (db
[11] - '0')) : 0;
243 snprintf(bdat
, blen
, "%04d-%02d-%02d %02d:%02d:%02d %s",
244 Y
, M
, d
, h
, m
, s
, gm
);
250 snprintf(bdat
, blen
, _("Bogus certificate date: %.*s\n"),
257 _ssl_verify_cb(int success
, X509_STORE_CTX
*store
)
264 if (success
&& !(options
& OPT_VERB
))
267 if (_ssl_msgno
!= 0) {
268 fprintf(stderr
, "Message %d:\n", _ssl_msgno
);
271 fprintf(stderr
, _(" Certificate depth %d %s\n"),
272 X509_STORE_CTX_get_error_depth(store
), (success
? "" : _("ERROR")));
274 cert
= X509_STORE_CTX_get_current_cert(store
);
276 X509_NAME_oneline(X509_get_subject_name(cert
), data
, sizeof data
);
277 fprintf(stderr
, _(" subject = %s\n"), data
);
279 _ssl_parse_asn1_time(X509_get_notBefore(cert
), data
, sizeof data
);
280 fprintf(stderr
, _(" notBefore = %s\n"), data
);
282 _ssl_parse_asn1_time(X509_get_notAfter(cert
), data
, sizeof data
);
283 fprintf(stderr
, _(" notAfter = %s\n"), data
);
286 int err
= X509_STORE_CTX_get_error(store
);
287 fprintf(stderr
, _(" err %i: %s\n"),
288 err
, X509_verify_cert_error_string(err
));
289 _ssl_verify_error
= 1;
292 X509_NAME_oneline(X509_get_issuer_name(cert
), data
, sizeof data
);
293 fprintf(stderr
, _(" issuer = %s\n"), data
);
295 if (!success
&& ssl_verify_decide() != OKAY
)
302 static SSL_METHOD
const *
303 ssl_select_method(char const *uhp
)
305 SSL_METHOD
const *method
;
310 if ((cp
= ssl_method_string(uhp
)) != NULL
) {
312 for (i
= 0; i
< NELEM(_ssl_methods
); ++i
)
313 if (!strcmp(_ssl_methods
[i
].sm_name
, cp
)) {
314 method
= (*_ssl_methods
[i
].sm_fun
)();
317 fprintf(stderr
, _("Invalid SSL method \"%s\"\n"), cp
);
319 method
= _SSL_DEFAULT_METHOD();
326 ssl_load_verifications(struct sock
*sp
)
328 char *ca_dir
, *ca_file
;
332 if (ssl_verify_level
== SSL_VERIFY_IGNORE
)
335 if ((ca_dir
= ok_vlook(ssl_ca_dir
)) != NULL
)
336 ca_dir
= file_expand(ca_dir
);
337 if ((ca_file
= ok_vlook(ssl_ca_file
)) != NULL
)
338 ca_file
= file_expand(ca_file
);
340 if (ca_dir
!= NULL
|| ca_file
!= NULL
) {
341 if (SSL_CTX_load_verify_locations(sp
->s_ctx
, ca_file
, ca_dir
) != 1) {
342 fprintf(stderr
, _("Error loading "));
344 fputs(ca_dir
, stderr
);
346 fputs(_(" or "), stderr
);
349 fputs(ca_file
, stderr
);
354 if (!ok_blook(ssl_no_default_ca
)) {
355 if (SSL_CTX_set_default_verify_paths(sp
->s_ctx
) != 1)
356 fprintf(stderr
, _("Error loading default CA locations\n"));
359 _ssl_verify_error
= 0;
361 SSL_CTX_set_verify(sp
->s_ctx
, SSL_VERIFY_PEER
, &_ssl_verify_cb
);
362 store
= SSL_CTX_get_cert_store(sp
->s_ctx
);
363 load_crls(store
, ok_v_ssl_crl_file
, ok_v_ssl_crl_dir
);
369 ssl_certificate(struct sock
*sp
, char const *uhp
)
372 char *certvar
, *keyvar
, *cert
, *key
, *x
;
376 certvar
= ac_alloc(i
+ 9 +1);
377 memcpy(certvar
, "ssl-cert-", 9);
378 memcpy(certvar
+ 9, uhp
, i
+1);
380 if ((cert
= vok_vlook(certvar
)) != NULL
||
381 (cert
= ok_vlook(ssl_cert
)) != NULL
) {
383 if ((cert
= file_expand(cert
)) == NULL
) {
386 } else if (SSL_CTX_use_certificate_chain_file(sp
->s_ctx
, cert
) == 1) {
387 keyvar
= ac_alloc(strlen(uhp
) + 8 +1);
388 memcpy(keyvar
, "ssl-key-", 8);
389 memcpy(keyvar
+ 8, uhp
, i
+1);
390 if ((key
= vok_vlook(keyvar
)) == NULL
&&
391 (key
= ok_vlook(ssl_key
)) == NULL
)
393 else if ((x
= key
, key
= file_expand(key
)) == NULL
) {
397 if (SSL_CTX_use_PrivateKey_file(sp
->s_ctx
, key
, SSL_FILETYPE_PEM
) != 1)
399 fprintf(stderr
, _("cannot load private key from file %s\n"),
404 fprintf(stderr
, _("cannot load certificate from file %s\n"),
412 ssl_check_host(char const *server
, struct sock
*sp
)
417 _STACKOF(GENERAL_NAME
) *gens
;
423 if ((cert
= SSL_get_peer_certificate(sp
->s_ssl
)) == NULL
) {
424 fprintf(stderr
, _("no certificate from \"%s\"\n"), server
);
428 gens
= X509_get_ext_d2i(cert
, NID_subject_alt_name
, NULL
, NULL
);
430 for (i
= 0; i
< sk_GENERAL_NAME_num(gens
); ++i
) {
431 gen
= sk_GENERAL_NAME_value(gens
, i
);
432 if (gen
->type
== GEN_DNS
) {
433 if (options
& OPT_VERB
)
434 fprintf(stderr
, "Comparing DNS: <%s>; should <%s>\n",
435 server
, (char*)gen
->d
.ia5
->data
);
436 rv
= rfc2595_hostname_match(server
, (char*)gen
->d
.ia5
->data
);
443 if ((subj
= X509_get_subject_name(cert
)) != NULL
&&
444 X509_NAME_get_text_by_NID(subj
, NID_commonName
, data
, sizeof data
)
446 data
[sizeof data
- 1] = '\0';
447 if (options
& OPT_VERB
)
448 fprintf(stderr
, "Comparing commonName: <%s>; should <%s>\n",
450 rv
= rfc2595_hostname_match(server
, data
);
460 smime_verify(struct message
*m
, int n
, _STACKOF(X509
) *chain
, X509_STORE
*store
)
462 char data
[LINESIZE
], *sender
, *to
, *cc
, *cnttype
;
469 _STACKOF(X509
) *certs
;
470 _STACKOF(GENERAL_NAME
) *gens
;
479 _ssl_verify_error
= 0;
483 sender
= getsender(m
);
484 to
= hfield1("to", m
);
485 cc
= hfield1("cc", m
);
486 cnttype
= hfield1("content-type", m
);
487 if ((ip
= setinput(&mb
, m
, NEED_BODY
)) == NULL
)
489 if (cnttype
&& !ascncasecmp(cnttype
, "application/x-pkcs7-mime", 24)) {
490 if ((x
= smime_decrypt(m
, to
, cc
, 1)) == NULL
)
492 if (x
!= (struct message
*)-1) {
501 if ((fp
= Ftmp(NULL
, "smimever", OF_RDWR
| OF_UNLINK
| OF_REGISTER
, 0600)) ==
512 if ((fb
= BIO_new_fp(fp
, BIO_NOCLOSE
)) == NULL
) {
514 "Error creating BIO verification object for message %d"), n
);
518 if ((pkcs7
= SMIME_read_PKCS7(fb
, &pb
)) == NULL
) {
519 ssl_gen_err(_("Error reading PKCS#7 object for message %d"), n
);
522 if (PKCS7_verify(pkcs7
, chain
, store
, pb
, NULL
, 0) != 1) {
523 ssl_gen_err(_("Error verifying message %d"), n
);
527 if (sender
== NULL
) {
528 fprintf(stderr
, _("Warning: Message %d has no sender.\n"), n
);
533 certs
= PKCS7_get0_signers(pkcs7
, chain
, 0);
535 fprintf(stderr
, _("No certificates found in message %d.\n"), n
);
539 for (i
= 0; i
< sk_X509_num(certs
); ++i
) {
540 cert
= sk_X509_value(certs
, i
);
541 gens
= X509_get_ext_d2i(cert
, NID_subject_alt_name
, NULL
, NULL
);
543 for (j
= 0; j
< sk_GENERAL_NAME_num(gens
); ++j
) {
544 gen
= sk_GENERAL_NAME_value(gens
, j
);
545 if (gen
->type
== GEN_EMAIL
) {
546 if (options
& OPT_VERB
)
548 "Comparing subject_alt_name: <%s>; should <%s>\n",
549 sender
, (char*)gen
->d
.ia5
->data
);
550 if (!asccasecmp((char*)gen
->d
.ia5
->data
, sender
))
556 if ((subj
= X509_get_subject_name(cert
)) != NULL
&&
557 X509_NAME_get_text_by_NID(subj
, NID_pkcs9_emailAddress
,
558 data
, sizeof data
) > 0) {
559 data
[sizeof data
-1] = '\0';
560 if (options
& OPT_VERB
)
561 fprintf(stderr
, "Comparing emailAddress: <%s>; should <%s>\n",
563 if (!asccasecmp(data
, sender
))
567 fprintf(stderr
, _("Message %d: certificate does not match <%s>\n"),
571 if (_ssl_verify_error
== 0)
572 printf(_("Message %d was verified successfully.\n"), n
);
573 rv
= _ssl_verify_error
;
583 static EVP_CIPHER
const *
584 _smime_cipher(char const *name
)
586 EVP_CIPHER
const *cipher
;
591 vn
= ac_alloc(i
= strlen(name
) + 13 +1);
592 snprintf(vn
, (int)i
, "smime-cipher-%s", name
);
598 for (i
= 0; i
< NELEM(_smime_ciphers
); ++i
)
599 if (!strcmp(_smime_ciphers
[i
].sc_name
, cp
)) {
600 cipher
= (*_smime_ciphers
[i
].sc_fun
)();
603 fprintf(stderr
, _("Invalid cipher(s): %s\n"), cp
);
605 cipher
= _SMIME_DEFAULT_CIPHER();
612 ssl_password_cb(char *buf
, int size
, int rwflag
, void *userdata
)
620 if ((pass
= getpassword("PEM pass phrase:")) != NULL
) {
622 if (UICMP(z
, len
, >=, size
))
624 memcpy(buf
, pass
, len
);
633 smime_sign_cert(char const *xname
, char const *xname2
, bool_t dowarn
)
638 char const *name
= xname
, *name2
= xname2
;
644 np
= lextract(name
, GTO
| GSKIN
);
646 /* This needs to be more intelligent since it will currently take the
647 * first name for which a private key is available regardless of
648 * whether it is the right one for the message */
649 vn
= ac_alloc(vs
= strlen(np
->n_name
) + 30);
650 snprintf(vn
, vs
, "smime-sign-cert-%s", np
->n_name
);
664 if ((cp
= ok_vlook(smime_sign_cert
)) == NULL
)
667 if ((cp
= file_expand(cp
)) == NULL
)
669 if ((fp
= Fopen(cp
, "r")) == NULL
)
676 fprintf(stderr
, _("Could not find a certificate for %s"), xname
);
678 fprintf(stderr
, _("or %s"), xname2
);
685 _smime_sign_include_certs(char const *name
)
690 /* See comments in smime_sign_cert() for algorithm pitfalls */
694 for (np
= lextract(name
, GTO
| GSKIN
); np
!= NULL
; np
= np
->n_flink
) {
696 char *vn
= ac_alloc(vs
= strlen(np
->n_name
) + 30);
697 snprintf(vn
, vs
, "smime-sign-include-certs-%s", np
->n_name
);
704 rv
= ok_vlook(smime_sign_include_certs
);
711 _smime_sign_include_chain_creat(_STACKOF(X509
) **chain
, char const *cfiles
)
715 char *nfield
, *cfield
, *x
;
718 *chain
= sk_X509_new_null();
720 for (nfield
= savestr(cfiles
);
721 (cfield
= n_strsep(&nfield
, ',', TRU1
)) != NULL
;) {
722 if ((x
= file_expand(cfield
)) == NULL
||
723 (fp
= Fopen(cfield
= x
, "r")) == NULL
) {
727 if ((tmp
= PEM_read_X509(fp
, NULL
, &ssl_password_cb
, NULL
)) == NULL
) {
728 ssl_gen_err(_("Error reading certificate from \"%s\""), cfield
);
732 sk_X509_push(*chain
, tmp
);
736 if (sk_X509_num(*chain
) == 0) {
737 fprintf(stderr
, _("smime-sign-include-certs defined but empty\n"));
742 return (*chain
!= NULL
);
744 sk_X509_pop_free(*chain
, X509_free
);
749 #if defined X509_V_FLAG_CRL_CHECK && defined X509_V_FLAG_CRL_CHECK_ALL
751 load_crl1(X509_STORE
*store
, char const *name
)
757 if (options
& OPT_VERB
)
758 printf("Loading CRL from \"%s\".\n", name
);
759 if ((lookup
= X509_STORE_add_lookup(store
, X509_LOOKUP_file())) == NULL
) {
760 ssl_gen_err(_("Error creating X509 lookup object"));
763 if (X509_load_crl_file(lookup
, name
, X509_FILETYPE_PEM
) != 1) {
764 ssl_gen_err(_("Error loading CRL from \"%s\""), name
);
772 #endif /* new OpenSSL */
775 load_crls(X509_STORE
*store
, enum okeys fok
, enum okeys dok
)
777 char *crl_file
, *crl_dir
;
778 #if defined X509_V_FLAG_CRL_CHECK && defined X509_V_FLAG_CRL_CHECK_ALL
787 if ((crl_file
= _var_oklook(fok
)) != NULL
) {
788 #if defined X509_V_FLAG_CRL_CHECK && defined X509_V_FLAG_CRL_CHECK_ALL
789 if ((crl_file
= file_expand(crl_file
)) == NULL
||
790 load_crl1(store
, crl_file
) != OKAY
)
794 "This OpenSSL version is too old to use CRLs.\n"));
799 if ((crl_dir
= _var_oklook(dok
)) != NULL
) {
800 #if defined X509_V_FLAG_CRL_CHECK && defined X509_V_FLAG_CRL_CHECK_ALL
802 if ((x
= file_expand(crl_dir
)) == NULL
||
803 (dirp
= opendir(crl_dir
= x
)) == NULL
) {
808 ds
= strlen(crl_dir
);
809 fn
= smalloc(fs
= ds
+ 20);
810 memcpy(fn
, crl_dir
, ds
);
812 while ((dp
= readdir(dirp
)) != NULL
) {
813 if (dp
->d_name
[0] == '.' && (dp
->d_name
[1] == '\0' ||
814 (dp
->d_name
[1] == '.' && dp
->d_name
[2] == '\0')))
816 if (dp
->d_name
[0] == '.')
818 if (ds
+ (es
= strlen(dp
->d_name
)) + 2 < fs
)
819 fn
= srealloc(fn
, fs
= ds
+ es
+ 20);
820 memcpy(fn
+ ds
+ 1, dp
->d_name
, es
+ 1);
821 if (load_crl1(store
, fn
) != OKAY
) {
829 #else /* old OpenSSL */
831 "This OpenSSL version is too old to use CRLs.\n"));
835 #if defined X509_V_FLAG_CRL_CHECK && defined X509_V_FLAG_CRL_CHECK_ALL
836 if (crl_file
|| crl_dir
)
837 X509_STORE_set_flags(store
, X509_V_FLAG_CRL_CHECK
|
838 X509_V_FLAG_CRL_CHECK_ALL
);
847 ssl_open(char const *server
, struct sock
*sp
, char const *uhp
)
855 ssl_set_verify_level(uhp
);
856 if ((sp
->s_ctx
= SSL_CTX_new(UNCONST(ssl_select_method(uhp
)))) == NULL
) {
857 ssl_gen_err(_("SSL_CTX_new() failed"));
861 #ifdef SSL_MODE_AUTO_RETRY
862 /* available with OpenSSL 0.9.6 or later */
863 SSL_CTX_set_mode(sp
->s_ctx
, SSL_MODE_AUTO_RETRY
);
864 #endif /* SSL_MODE_AUTO_RETRY */
866 if (!ok_blook(ssl_v2_allow
))
867 opts
|= SSL_OP_NO_SSLv2
;
868 SSL_CTX_set_options(sp
->s_ctx
, opts
);
869 ssl_load_verifications(sp
);
870 ssl_certificate(sp
, uhp
);
871 if ((cp
= ok_vlook(ssl_cipher_list
)) != NULL
) {
872 if (SSL_CTX_set_cipher_list(sp
->s_ctx
, cp
) != 1)
873 fprintf(stderr
, _("Invalid cipher(s): %s\n"), cp
);
876 if ((sp
->s_ssl
= SSL_new(sp
->s_ctx
)) == NULL
) {
877 ssl_gen_err(_("SSL_new() failed"));
880 SSL_set_fd(sp
->s_ssl
, sp
->s_fd
);
881 if (SSL_connect(sp
->s_ssl
) < 0) {
882 ssl_gen_err(_("could not initiate SSL/TLS connection"));
885 if (ssl_verify_level
!= SSL_VERIFY_IGNORE
) {
886 if (ssl_check_host(server
, sp
) != OKAY
) {
887 fprintf(stderr
, _("host certificate does not match \"%s\"\n"),
889 if (ssl_verify_decide() != OKAY
)
901 ssl_gen_err(char const *fmt
, ...)
907 vfprintf(stderr
, fmt
, ap
);
909 SSL_load_error_strings();
910 fprintf(stderr
, ": %s\n", ERR_error_string(ERR_get_error(), NULL
));
917 int *msgvec
= vp
, *ip
, ec
= 0, rv
= 1;
918 _STACKOF(X509
) *chain
= NULL
;
920 char *ca_dir
, *ca_file
;
925 ssl_verify_level
= SSL_VERIFY_STRICT
;
926 if ((store
= X509_STORE_new()) == NULL
) {
927 ssl_gen_err(_("Error creating X509 store"));
930 X509_STORE_set_verify_cb_func(store
, &_ssl_verify_cb
);
932 if ((ca_dir
= ok_vlook(smime_ca_dir
)) != NULL
)
933 ca_dir
= file_expand(ca_dir
);
934 if ((ca_file
= ok_vlook(smime_ca_file
)) != NULL
)
935 ca_file
= file_expand(ca_file
);
937 if (ca_dir
!= NULL
|| ca_file
!= NULL
) {
938 if (X509_STORE_load_locations(store
, ca_file
, ca_dir
) != 1) {
939 ssl_gen_err(_("Error loading %s"),
940 (ca_file
!= NULL
) ? ca_file
: ca_dir
);
944 if (!ok_blook(smime_no_default_ca
)) {
945 if (X509_STORE_set_default_paths(store
) != 1) {
946 ssl_gen_err(_("Error loading default CA locations"));
951 if (load_crls(store
, ok_v_smime_crl_file
, ok_v_smime_crl_dir
) != OKAY
)
953 for (ip
= msgvec
; *ip
!= 0; ++ip
) {
954 struct message
*mp
= message
+ *ip
- 1;
956 ec
|= smime_verify(mp
, *ip
, chain
, store
);
959 exit_status
|= EXIT_ERR
;
966 smime_sign(FILE *ip
, char const *addr
)
968 FILE *rv
= NULL
, *sp
= NULL
, *fp
= NULL
, *bp
, *hp
;
970 _STACKOF(X509
) *chain
= NULL
;
972 EVP_PKEY
*pkey
= NULL
;
980 fprintf(stderr
, _("No \"from\" address for signing specified\n"));
983 if ((fp
= smime_sign_cert(addr
, NULL
, 1)) == NULL
)
986 if ((pkey
= PEM_read_PrivateKey(fp
, NULL
, &ssl_password_cb
, NULL
)) == NULL
) {
987 ssl_gen_err(_("Error reading private key from"));
992 if ((cert
= PEM_read_X509(fp
, NULL
, &ssl_password_cb
, NULL
)) == NULL
) {
993 ssl_gen_err(_("Error reading signer certificate from"));
999 if ((addr
= _smime_sign_include_certs(addr
)) != NULL
&&
1000 !_smime_sign_include_chain_creat(&chain
, addr
))
1003 if ((sp
= Ftmp(NULL
, "smimesign", OF_RDWR
| OF_UNLINK
| OF_REGISTER
, 0600))
1010 if (smime_split(ip
, &hp
, &bp
, -1, 0) == STOP
) {
1016 if ((bb
= BIO_new_fp(bp
, BIO_NOCLOSE
)) == NULL
||
1017 (sb
= BIO_new_fp(sp
, BIO_NOCLOSE
)) == NULL
) {
1018 ssl_gen_err(_("Error creating BIO signing objects"));
1023 if ((pkcs7
= PKCS7_sign(cert
, pkey
, chain
, bb
, PKCS7_DETACHED
)) == NULL
) {
1024 ssl_gen_err(_("Error creating the PKCS#7 signing object"));
1028 if (PEM_write_bio_PKCS7(sb
, pkcs7
) == 0) {
1029 ssl_gen_err(_("Error writing signed S/MIME data"));
1041 rv
= smime_sign_assemble(hp
, bp
, sp
);
1048 sk_X509_pop_free(chain
, X509_free
);
1052 EVP_PKEY_free(pkey
);
1060 smime_encrypt(FILE *ip
, char const *xcertfile
, char const *to
)
1062 char *certfile
= UNCONST(xcertfile
);
1063 FILE *rv
= NULL
, *yp
, *fp
, *bp
, *hp
;
1067 _STACKOF(X509
) *certs
;
1068 EVP_CIPHER
const *cipher
;
1072 if ((certfile
= file_expand(certfile
)) == NULL
)
1077 if ((cipher
= _smime_cipher(to
)) == NULL
)
1079 if ((fp
= Fopen(certfile
, "r")) == NULL
) {
1084 if ((cert
= PEM_read_X509(fp
, NULL
, &ssl_password_cb
, NULL
)) == NULL
) {
1085 ssl_gen_err(_("Error reading encryption certificate from \"%s\""),
1094 certs
= sk_X509_new_null();
1095 sk_X509_push(certs
, cert
);
1097 if ((yp
= Ftmp(NULL
, "smimeenc", OF_RDWR
| OF_UNLINK
| OF_REGISTER
, 0600)) ==
1104 if (smime_split(ip
, &hp
, &bp
, -1, 0) == STOP
) {
1110 if ((bb
= BIO_new_fp(bp
, BIO_NOCLOSE
)) == NULL
||
1111 (yb
= BIO_new_fp(yp
, BIO_NOCLOSE
)) == NULL
) {
1112 ssl_gen_err(_("Error creating BIO encryption objects"));
1116 if ((pkcs7
= PKCS7_encrypt(certs
, bb
, cipher
, 0)) == NULL
) {
1117 ssl_gen_err(_("Error creating the PKCS#7 encryption object"));
1121 if (PEM_write_bio_PKCS7(yb
, pkcs7
) == 0) {
1122 ssl_gen_err(_("Error writing encrypted S/MIME data"));
1136 rv
= smime_encrypt_assemble(hp
, yp
);
1144 smime_decrypt(struct message
*m
, char const *to
, char const *cc
, int signcall
)
1147 FILE *fp
, *bp
, *hp
, *op
;
1161 if ((yp
= setinput(&mb
, m
, NEED_BODY
)) == NULL
)
1166 if ((fp
= smime_sign_cert(to
, cc
, 0)) != NULL
) {
1167 pkey
= PEM_read_PrivateKey(fp
, NULL
, &ssl_password_cb
, NULL
);
1169 ssl_gen_err(_("Error reading private key"));
1175 if ((cert
= PEM_read_X509(fp
, NULL
, &ssl_password_cb
, NULL
)) == NULL
) {
1176 ssl_gen_err(_("Error reading decryption certificate"));
1178 EVP_PKEY_free(pkey
);
1184 if ((op
= Ftmp(NULL
, "smimedec", OF_RDWR
| OF_UNLINK
| OF_REGISTER
, 0600)) ==
1190 if (smime_split(yp
, &hp
, &bp
, size
, 1) == STOP
)
1193 if ((ob
= BIO_new_fp(op
, BIO_NOCLOSE
)) == NULL
||
1194 (bb
= BIO_new_fp(bp
, BIO_NOCLOSE
)) == NULL
) {
1195 ssl_gen_err(_("Error creating BIO decryption objects"));
1198 if ((pkcs7
= SMIME_read_PKCS7(bb
, &pb
)) == NULL
) {
1199 ssl_gen_err(_("Error reading PKCS#7 object"));
1206 EVP_PKEY_free(pkey
);
1210 if (PKCS7_type_is_signed(pkcs7
)) {
1212 setinput(&mb
, m
, NEED_BODY
);
1213 rv
= (struct message
*)-1;
1216 if (PKCS7_verify(pkcs7
, NULL
, NULL
, NULL
, ob
,
1217 PKCS7_NOVERIFY
| PKCS7_NOSIGS
) != 1)
1219 fseek(hp
, 0L, SEEK_END
);
1220 fprintf(hp
, "X-Encryption-Cipher: none\n");
1223 } else if (pkey
== NULL
) {
1224 fprintf(stderr
, _("No appropriate private key found.\n"));
1226 } else if (cert
== NULL
) {
1227 fprintf(stderr
, _("No appropriate certificate found.\n"));
1229 } else if (PKCS7_decrypt(pkcs7
, pkey
, cert
, ob
, 0) != 1) {
1231 ssl_gen_err(_("Error decrypting PKCS#7 object"));
1241 EVP_PKEY_free(pkey
);
1249 EVP_PKEY_free(pkey
);
1253 rv
= smime_decrypt_assemble(m
, hp
, op
);
1260 smime_certsave(struct message
*m
, int n
, FILE *op
)
1263 char *to
, *cc
, *cnttype
;
1269 _STACKOF(X509
) *certs
, *chain
= NULL
;
1271 enum okay rv
= STOP
;
1276 to
= hfield1("to", m
);
1277 cc
= hfield1("cc", m
);
1278 cnttype
= hfield1("content-type", m
);
1279 if ((ip
= setinput(&mb
, m
, NEED_BODY
)) == NULL
)
1281 if (cnttype
&& !strncmp(cnttype
, "application/x-pkcs7-mime", 24)) {
1282 if ((x
= smime_decrypt(m
, to
, cc
, 1)) == NULL
)
1284 if (x
!= (struct message
*)-1) {
1291 if ((fp
= Ftmp(NULL
, "smimecert", OF_RDWR
| OF_UNLINK
| OF_REGISTER
, 0600))
1297 while (size
-- > 0) {
1304 if ((fb
= BIO_new_fp(fp
, BIO_NOCLOSE
)) == NULL
) {
1305 ssl_gen_err("Error creating BIO object for message %d", n
);
1310 if ((pkcs7
= SMIME_read_PKCS7(fb
, &pb
)) == NULL
) {
1311 ssl_gen_err(_("Error reading PKCS#7 object for message %d"), n
);
1319 certs
= PKCS7_get0_signers(pkcs7
, chain
, 0);
1320 if (certs
== NULL
) {
1321 fprintf(stderr
, _("No certificates found in message %d\n"), n
);
1325 for (i
= 0; i
< sk_X509_num(certs
); ++i
) {
1326 cert
= sk_X509_value(certs
, i
);
1327 if (X509_print_fp(op
, cert
) == 0 || PEM_write_X509(op
, cert
) == 0) {
1328 ssl_gen_err(_("Error writing certificate %d from message %d"),
1338 #endif /* HAVE_OPENSSL */