1 /*@ S-nail - a mail user agent derived from Berkeley Mail.
4 * Copyright (c) 2000-2004 Gunnar Ritter, Freiburg i. Br., Germany.
5 * Copyright (c) 2012 - 2014 Steffen "Daode" Nurpmeso <sdaoden@users.sf.net>.
9 * Gunnar Ritter. All rights reserved.
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. All advertising materials mentioning features or use of this software
20 * must display the following acknowledgement:
21 * This product includes software developed by Gunnar Ritter
22 * and his contributors.
23 * 4. Neither the name of Gunnar Ritter nor the names of his contributors
24 * may be used to endorse or promote products derived from this software
25 * without specific prior written permission.
27 * THIS SOFTWARE IS PROVIDED BY GUNNAR RITTER AND CONTRIBUTORS ``AS IS'' AND
28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
30 * ARE DISCLAIMED. IN NO EVENT SHALL GUNNAR RITTER OR CONTRIBUTORS BE LIABLE
31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
40 #ifndef HAVE_AMALGAMATION
46 #include <sys/socket.h>
51 #include <netinet/in.h>
53 #include <openssl/crypto.h>
54 #include <openssl/ssl.h>
55 #include <openssl/err.h>
56 #include <openssl/x509v3.h>
57 #include <openssl/x509.h>
58 #include <openssl/pem.h>
59 #include <openssl/rand.h>
61 #ifdef HAVE_ARPA_INET_H
62 # include <arpa/inet.h>
66 * OpenSSL client implementation according to: John Viega, Matt Messier,
67 * Pravir Chandra: Network Security with OpenSSL. Sebastopol, CA 2002.
71 # define _STACKOF(X) STACK_OF(X)
73 # define _STACKOF(X) /*X*/STACK
77 char const sm_name
[8];
78 SSL_METHOD
const * (*sm_fun
)(void);
82 char const sc_name
[8];
83 EVP_CIPHER
const * (*sc_fun
)(void);
86 /* Supported SSL/TLS methods: update manual on change! */
87 static struct ssl_method
const _ssl_methods
[] = {
88 {"auto", &SSLv23_client_method
},
89 #define _SSL_DEFAULT_METHOD SSLv23_client_method
90 #ifndef OPENSSL_NO_TLS1
91 # ifdef TLS1_2_VERSION
92 {"tls1.2", &TLSv1_2_client_method
},
94 # ifdef TLS1_1_VERSION
95 {"tls1.1", &TLSv1_1_client_method
},
97 {"tls1", &TLSv1_client_method
},
99 #ifndef OPENSSL_NO_SSL3
100 {"ssl3", &SSLv3_client_method
},
102 #ifndef OPENSSL_NO_SSL2
103 {"ssl2", &SSLv2_client_method
}
107 /* Supported S/MIME cipher algorithms: update manual on change! */
108 static struct smime_cipher
const _smime_ciphers
[] = {
109 #ifndef OPENSSL_NO_AES
110 # define _SMIME_DEFAULT_CIPHER EVP_aes_128_cbc /* According to RFC 5751 */
111 {"aes-128", &EVP_aes_128_cbc
},
112 {"aes-256", &EVP_aes_256_cbc
},
113 {"aes-192", &EVP_aes_192_cbc
},
115 #ifndef OPENSSL_NO_DES
116 # ifndef _SMIME_DEFAULT_CIPHER
117 # define _SMIME_DEFAULT_CIPHER EVP_des_ede3_cbc
119 {"des3", &EVP_des_ede3_cbc
},
120 {"des", &EVP_des_cbc
},
122 #ifndef OPENSSL_NO_RC2
123 {"rc2-40", &EVP_rc2_40_cbc
},
124 {"rc2-64", &EVP_rc2_64_cbc
},
127 #ifndef _SMIME_DEFAULT_CIPHER
128 # error Your OpenSSL library does not include the necessary
129 # error cipher algorithms that are required to support S/MIME
132 static sigjmp_buf ssljmp
;
133 static int initialized
;
134 static int rand_init
;
135 static int message_number
;
136 static int verify_error_found
;
138 static void sslcatch(int s
);
139 static int ssl_rand_init(void);
140 static void ssl_init(void);
141 static int ssl_verify_cb(int success
, X509_STORE_CTX
*store
);
142 static const SSL_METHOD
*ssl_select_method(char const *uhp
);
143 static void ssl_load_verifications(struct sock
*sp
);
144 static void ssl_certificate(struct sock
*sp
, char const *uhp
);
145 static enum okay
ssl_check_host(char const *server
, struct sock
*sp
);
146 static int smime_verify(struct message
*m
, int n
, _STACKOF(X509
) *chain
,
148 static EVP_CIPHER
const * _smime_cipher(char const *name
);
149 static int ssl_password_cb(char *buf
, int size
, int rwflag
,
151 static FILE * smime_sign_cert(char const *xname
, char const *xname2
,
153 static char * smime_sign_include_certs(char const *name
);
154 static int smime_sign_include_chain_creat(_STACKOF(X509
) **chain
,
156 #if defined X509_V_FLAG_CRL_CHECK && defined X509_V_FLAG_CRL_CHECK_ALL
157 static enum okay
load_crl1(X509_STORE
*store
, char const *name
);
159 static enum okay
load_crls(X509_STORE
*store
, enum okeys fok
, enum okeys dok
);
164 NYD_X
; /* Signal handler */
165 termios_state_reset();
166 siglongjmp(ssljmp
, s
);
176 if ((cp
= ok_vlook(ssl_rand_egd
)) != NULL
) {
177 if ((x
= file_expand(cp
)) == NULL
|| RAND_egd(cp
= x
) == -1)
178 fprintf(stderr
, tr(245, "entropy daemon at \"%s\" not available\n"),
182 } else if ((cp
= ok_vlook(ssl_rand_file
)) != NULL
) {
183 if ((x
= file_expand(cp
)) == NULL
|| RAND_load_file(cp
= x
, 1024) == -1)
184 fprintf(stderr
, tr(246, "entropy file at \"%s\" not available\n"), cp
);
188 if (stat(cp
, &st
) == 0 && S_ISREG(st
.st_mode
) && !access(cp
, W_OK
)) {
189 if (RAND_write_file(cp
) == -1) {
190 fprintf(stderr
, tr(247,
191 "writing entropy data to \"%s\" failed\n"), cp
);
205 if (initialized
== 0) {
210 rand_init
= ssl_rand_init();
215 ssl_verify_cb(int success
, X509_STORE_CTX
*store
)
222 X509
*cert
= X509_STORE_CTX_get_current_cert(store
);
223 int depth
= X509_STORE_CTX_get_error_depth(store
);
224 int err
= X509_STORE_CTX_get_error(store
);
226 verify_error_found
= 1;
228 fprintf(stderr
, "Message %d: ", message_number
);
229 fprintf(stderr
, tr(229, "Error with certificate at depth: %i\n"), depth
);
230 X509_NAME_oneline(X509_get_issuer_name(cert
), data
, sizeof data
);
231 fprintf(stderr
, tr(230, " issuer = %s\n"), data
);
232 X509_NAME_oneline(X509_get_subject_name(cert
), data
, sizeof data
);
233 fprintf(stderr
, tr(231, " subject = %s\n"), data
);
234 fprintf(stderr
, tr(232, " err %i: %s\n"),
235 err
, X509_verify_cert_error_string(err
));
236 if (ssl_verify_decide() != OKAY
)
243 static SSL_METHOD
const *
244 ssl_select_method(char const *uhp
)
246 SSL_METHOD
const *method
;
251 if ((cp
= ssl_method_string(uhp
)) != NULL
) {
253 for (i
= 0; i
< NELEM(_ssl_methods
); ++i
)
254 if (!strcmp(_ssl_methods
[i
].sm_name
, cp
)) {
255 method
= (*_ssl_methods
[i
].sm_fun
)();
258 fprintf(stderr
, tr(244, "Invalid SSL method \"%s\"\n"), cp
);
260 method
= _SSL_DEFAULT_METHOD();
267 ssl_load_verifications(struct sock
*sp
)
269 char *ca_dir
, *ca_file
;
273 if (ssl_verify_level
== SSL_VERIFY_IGNORE
)
276 if ((ca_dir
= ok_vlook(ssl_ca_dir
)) != NULL
)
277 ca_dir
= file_expand(ca_dir
);
278 if ((ca_file
= ok_vlook(ssl_ca_file
)) != NULL
)
279 ca_file
= file_expand(ca_file
);
281 if (ca_dir
!= NULL
|| ca_file
!= NULL
) {
282 if (SSL_CTX_load_verify_locations(sp
->s_ctx
, ca_file
, ca_dir
) != 1) {
283 fprintf(stderr
, tr(233, "Error loading "));
285 fputs(ca_dir
, stderr
);
287 fputs(tr(234, " or "), stderr
);
290 fputs(ca_file
, stderr
);
295 if (!ok_blook(ssl_no_default_ca
)) {
296 if (SSL_CTX_set_default_verify_paths(sp
->s_ctx
) != 1)
297 fprintf(stderr
, tr(243, "Error loading default CA locations\n"));
300 verify_error_found
= 0;
302 SSL_CTX_set_verify(sp
->s_ctx
, SSL_VERIFY_PEER
, ssl_verify_cb
);
303 store
= SSL_CTX_get_cert_store(sp
->s_ctx
);
304 load_crls(store
, ok_v_ssl_crl_file
, ok_v_ssl_crl_dir
);
310 ssl_certificate(struct sock
*sp
, char const *uhp
)
313 char *certvar
, *keyvar
, *cert
, *key
, *x
;
317 certvar
= ac_alloc(i
+ 9 + 1);
318 memcpy(certvar
, "ssl-cert-", 9);
319 memcpy(certvar
+ 9, uhp
, i
+ 1);
321 if ((cert
= vok_vlook(certvar
)) != NULL
||
322 (cert
= ok_vlook(ssl_cert
)) != NULL
) {
324 if ((cert
= file_expand(cert
)) == NULL
) {
327 } else if (SSL_CTX_use_certificate_chain_file(sp
->s_ctx
, cert
) == 1) {
328 keyvar
= ac_alloc(strlen(uhp
) + 9);
329 memcpy(keyvar
, "ssl-key-", 8);
330 memcpy(keyvar
+ 8, uhp
, i
+ 1);
331 if ((key
= vok_vlook(keyvar
)) == NULL
&&
332 (key
= ok_vlook(ssl_key
)) == NULL
)
334 else if ((x
= key
, key
= file_expand(key
)) == NULL
) {
338 if (SSL_CTX_use_PrivateKey_file(sp
->s_ctx
, key
, SSL_FILETYPE_PEM
) != 1)
340 fprintf(stderr
, tr(238, "cannot load private key from file %s\n"),
345 fprintf(stderr
, tr(239, "cannot load certificate from file %s\n"),
353 ssl_check_host(char const *server
, struct sock
*sp
)
358 _STACKOF(GENERAL_NAME
) *gens
;
364 if ((cert
= SSL_get_peer_certificate(sp
->s_ssl
)) == NULL
) {
365 fprintf(stderr
, tr(248, "no certificate from \"%s\"\n"), server
);
369 gens
= X509_get_ext_d2i(cert
, NID_subject_alt_name
, NULL
, NULL
);
371 for (i
= 0; i
< sk_GENERAL_NAME_num(gens
); ++i
) {
372 gen
= sk_GENERAL_NAME_value(gens
, i
);
373 if (gen
->type
== GEN_DNS
) {
374 if (options
& OPT_VERBOSE
)
375 fprintf(stderr
, "Comparing DNS name: \"%s\"\n",
377 rv
= rfc2595_hostname_match(server
, (char*)gen
->d
.ia5
->data
);
384 if ((subj
= X509_get_subject_name(cert
)) != NULL
&&
385 X509_NAME_get_text_by_NID(subj
, NID_commonName
, data
, sizeof data
)
387 data
[sizeof data
- 1] = '\0';
388 if (options
& OPT_VERBOSE
)
389 fprintf(stderr
, "Comparing common name: \"%s\"\n", data
);
390 rv
= rfc2595_hostname_match(server
, data
);
400 smime_verify(struct message
*m
, int n
, _STACKOF(X509
) *chain
,
403 char data
[LINESIZE
], *sender
, *to
, *cc
, *cnttype
;
410 _STACKOF(X509
) *certs
;
411 _STACKOF(GENERAL_NAME
) *gens
;
420 verify_error_found
= 0;
424 sender
= getsender(m
);
425 to
= hfield1("to", m
);
426 cc
= hfield1("cc", m
);
427 cnttype
= hfield1("content-type", m
);
428 if ((ip
= setinput(&mb
, m
, NEED_BODY
)) == NULL
)
430 if (cnttype
&& !strncmp(cnttype
, "application/x-pkcs7-mime", 24)) {
431 if ((x
= smime_decrypt(m
, to
, cc
, 1)) == NULL
)
433 if (x
!= (struct message
*)-1) {
442 if ((fp
= Ftmp(NULL
, "smimever", OF_RDWR
| OF_UNLINK
| OF_REGISTER
, 0600)) ==
453 if ((fb
= BIO_new_fp(fp
, BIO_NOCLOSE
)) == NULL
) {
455 "Error creating BIO verification object for message %d"), n
);
459 if ((pkcs7
= SMIME_read_PKCS7(fb
, &pb
)) == NULL
) {
460 ssl_gen_err(tr(538, "Error reading PKCS#7 object for message %d"), n
);
463 if (PKCS7_verify(pkcs7
, chain
, store
, pb
, NULL
, 0) != 1) {
464 ssl_gen_err(tr(539, "Error verifying message %d"), n
);
468 if (sender
== NULL
) {
469 fprintf(stderr
, tr(540, "Warning: Message %d has no sender.\n"), n
);
474 certs
= PKCS7_get0_signers(pkcs7
, chain
, 0);
476 fprintf(stderr
, tr(541, "No certificates found in message %d.\n"), n
);
480 for (i
= 0; i
< sk_X509_num(certs
); i
++) {
481 cert
= sk_X509_value(certs
, i
);
482 gens
= X509_get_ext_d2i(cert
, NID_subject_alt_name
, NULL
, NULL
);
484 for (j
= 0; j
< sk_GENERAL_NAME_num(gens
); ++j
) {
485 gen
= sk_GENERAL_NAME_value(gens
, j
);
486 if (gen
->type
== GEN_EMAIL
) {
487 if (options
& OPT_VERBOSE
)
488 fprintf(stderr
, "Comparing alt. address: %s\"\n", data
);
489 if (!asccasecmp((char*)gen
->d
.ia5
->data
, sender
))
495 if ((subj
= X509_get_subject_name(cert
)) != NULL
&&
496 X509_NAME_get_text_by_NID(subj
, NID_pkcs9_emailAddress
,
497 data
, sizeof data
) > 0) {
498 data
[sizeof data
- 1] = 0;
499 if (options
& OPT_VERBOSE
)
500 fprintf(stderr
, "Comparing address: \"%s\"\n", data
);
501 if (!asccasecmp(data
, sender
))
505 fprintf(stderr
, tr(542, "Message %d: certificate does not match <%s>\n"),
509 if (verify_error_found
== 0)
510 printf(tr(543, "Message %d was verified successfully.\n"), n
);
511 rv
= verify_error_found
;
521 static EVP_CIPHER
const *
522 _smime_cipher(char const *name
)
524 EVP_CIPHER
const *cipher
;
529 vn
= ac_alloc(i
= strlen(name
) + 13 +1);
530 snprintf(vn
, (int)i
, "smime-cipher-%s", name
);
536 for (i
= 0; i
< NELEM(_smime_ciphers
); ++i
)
537 if (!strcmp(_smime_ciphers
[i
].sc_name
, cp
)) {
538 cipher
= (*_smime_ciphers
[i
].sc_fun
)();
541 fprintf(stderr
, tr(240, "Invalid cipher(s): %s\n"), cp
);
543 cipher
= _SMIME_DEFAULT_CIPHER();
550 ssl_password_cb(char *buf
, int size
, int rwflag
, void *userdata
)
552 sighandler_type
volatile saveint
;
559 saveint
= safe_signal(SIGINT
, SIG_IGN
);
560 if (sigsetjmp(ssljmp
, 1) == 0) {
561 if (saveint
!= SIG_IGN
)
562 safe_signal(SIGINT
, sslcatch
);
563 pass
= getpassword("PEM pass phrase:");
565 safe_signal(SIGINT
, saveint
);
572 if (UICMP(z
, len
, >, size
))
574 memcpy(buf
, pass
, len
);
581 smime_sign_cert(char const *xname
, char const *xname2
, bool_t dowarn
)
586 char const *name
= xname
, *name2
= xname2
;
592 np
= lextract(name
, GTO
|GSKIN
);
594 /* This needs to be more intelligent since it will currently take the
595 * first name for which a private key is available regardless of
596 * whether it is the right one for the message */
597 vn
= ac_alloc(vs
= strlen(np
->n_name
) + 30);
598 snprintf(vn
, vs
, "smime-sign-cert-%s", np
->n_name
);
612 if ((cp
= ok_vlook(smime_sign_cert
)) != NULL
)
615 fprintf(stderr
, tr(558, "Could not find a certificate for %s"), xname
);
617 fprintf(stderr
, tr(559, "or %s"), xname2
);
624 if ((cp
= file_expand(cp
)) == NULL
)
626 if ((fp
= Fopen(cp
, "r")) == NULL
)
632 smime_sign_include_certs(char const *name
)
637 /* See comments in smime_sign_cert() for algorithm pitfalls */
641 for (np
= lextract(name
, GTO
| GSKIN
); np
!= NULL
; np
= np
->n_flink
) {
643 char *vn
= ac_alloc(vs
= strlen(np
->n_name
) + 30);
644 snprintf(vn
, vs
, "smime-sign-include-certs-%s", np
->n_name
);
651 rv
= ok_vlook(smime_sign_include_certs
);
658 smime_sign_include_chain_creat(_STACKOF(X509
) **chain
, char const *cfiles
)
662 char *rest
, *x
, *ncf
;
665 *chain
= sk_X509_new_null();
667 for (rest
= savestr(cfiles
);;) {
668 ncf
= strchr(rest
, ',');
671 /* This fails for '=,file' constructs, but those are sick */
675 if ((x
= file_expand(rest
)) == NULL
||
676 (fp
= Fopen(rest
= x
, "r")) == NULL
) {
680 if ((tmp
= PEM_read_X509(fp
, NULL
, ssl_password_cb
, NULL
)) == NULL
) {
681 ssl_gen_err(tr(560, "Error reading certificate from \"%s\""), rest
);
685 sk_X509_push(*chain
, tmp
);
693 if (sk_X509_num(*chain
) == 0) {
694 fprintf(stderr
, tr(561, "smime-sign-include-certs defined but empty\n"));
699 return (*chain
!= NULL
);
701 sk_X509_pop_free(*chain
, X509_free
);
706 #if defined X509_V_FLAG_CRL_CHECK && defined X509_V_FLAG_CRL_CHECK_ALL
708 load_crl1(X509_STORE
*store
, char const *name
)
714 if (options
& OPT_VERBOSE
)
715 printf("Loading CRL from \"%s\".\n", name
);
716 if ((lookup
= X509_STORE_add_lookup(store
, X509_LOOKUP_file())) == NULL
) {
717 ssl_gen_err(tr(565, "Error creating X509 lookup object"));
720 if (X509_load_crl_file(lookup
, name
, X509_FILETYPE_PEM
) != 1) {
721 ssl_gen_err(tr(566, "Error loading CRL from \"%s\""), name
);
729 #endif /* new OpenSSL */
732 load_crls(X509_STORE
*store
, enum okeys fok
, enum okeys dok
)
734 char *crl_file
, *crl_dir
;
735 #if defined X509_V_FLAG_CRL_CHECK && defined X509_V_FLAG_CRL_CHECK_ALL
744 if ((crl_file
= _var_oklook(fok
)) != NULL
) {
745 #if defined X509_V_FLAG_CRL_CHECK && defined X509_V_FLAG_CRL_CHECK_ALL
746 if ((crl_file
= file_expand(crl_file
)) == NULL
||
747 load_crl1(store
, crl_file
) != OKAY
)
750 fprintf(stderr
, tr(567,
751 "This OpenSSL version is too old to use CRLs.\n"));
756 if ((crl_dir
= _var_oklook(dok
)) != NULL
) {
757 #if defined X509_V_FLAG_CRL_CHECK && defined X509_V_FLAG_CRL_CHECK_ALL
759 if ((x
= file_expand(crl_dir
)) == NULL
||
760 (dirp
= opendir(crl_dir
= x
)) == NULL
) {
765 ds
= strlen(crl_dir
);
766 fn
= smalloc(fs
= ds
+ 20);
767 memcpy(fn
, crl_dir
, ds
);
769 while ((dp
= readdir(dirp
)) != NULL
) {
770 if (dp
->d_name
[0] == '.' && (dp
->d_name
[1] == '\0' ||
771 (dp
->d_name
[1] == '.' && dp
->d_name
[2] == '\0')))
773 if (dp
->d_name
[0] == '.')
775 if (ds
+ (es
= strlen(dp
->d_name
)) + 2 < fs
)
776 fn
= srealloc(fn
, fs
= ds
+ es
+ 20);
777 memcpy(fn
+ ds
+ 1, dp
->d_name
, es
+ 1);
778 if (load_crl1(store
, fn
) != OKAY
) {
786 #else /* old OpenSSL */
787 fprintf(stderr
, tr(567,
788 "This OpenSSL version is too old to use CRLs.\n"));
792 #if defined X509_V_FLAG_CRL_CHECK && defined X509_V_FLAG_CRL_CHECK_ALL
793 if (crl_file
|| crl_dir
)
794 X509_STORE_set_flags(store
, X509_V_FLAG_CRL_CHECK
|
795 X509_V_FLAG_CRL_CHECK_ALL
);
804 ssl_open(char const *server
, struct sock
*sp
, char const *uhp
)
812 ssl_set_verify_level(uhp
);
813 if ((sp
->s_ctx
= SSL_CTX_new(UNCONST(ssl_select_method(uhp
)))) == NULL
) {
814 ssl_gen_err(tr(261, "SSL_CTX_new() failed"));
818 #ifdef SSL_MODE_AUTO_RETRY
819 /* available with OpenSSL 0.9.6 or later */
820 SSL_CTX_set_mode(sp
->s_ctx
, SSL_MODE_AUTO_RETRY
);
821 #endif /* SSL_MODE_AUTO_RETRY */
823 if (!ok_blook(ssl_v2_allow
))
824 opts
|= SSL_OP_NO_SSLv2
;
825 SSL_CTX_set_options(sp
->s_ctx
, opts
);
826 ssl_load_verifications(sp
);
827 ssl_certificate(sp
, uhp
);
828 if ((cp
= ok_vlook(ssl_cipher_list
)) != NULL
) {
829 if (SSL_CTX_set_cipher_list(sp
->s_ctx
, cp
) != 1)
830 fprintf(stderr
, tr(240, "Invalid cipher(s): %s\n"), cp
);
833 if ((sp
->s_ssl
= SSL_new(sp
->s_ctx
)) == NULL
) {
834 ssl_gen_err(tr(262, "SSL_new() failed"));
837 SSL_set_fd(sp
->s_ssl
, sp
->s_fd
);
838 if (SSL_connect(sp
->s_ssl
) < 0) {
839 ssl_gen_err(tr(263, "could not initiate SSL/TLS connection"));
842 if (ssl_verify_level
!= SSL_VERIFY_IGNORE
) {
843 if (ssl_check_host(server
, sp
) != OKAY
) {
844 fprintf(stderr
, tr(249, "host certificate does not match \"%s\"\n"),
846 if (ssl_verify_decide() != OKAY
)
858 ssl_gen_err(char const *fmt
, ...)
864 vfprintf(stderr
, fmt
, ap
);
866 SSL_load_error_strings();
867 fprintf(stderr
, ": %s\n", ERR_error_string(ERR_get_error(), NULL
));
874 int *msgvec
= vp
, *ip
, ec
= 0, rv
= 1;
875 _STACKOF(X509
) *chain
= NULL
;
877 char *ca_dir
, *ca_file
;
882 ssl_verify_level
= SSL_VERIFY_STRICT
;
883 if ((store
= X509_STORE_new()) == NULL
) {
884 ssl_gen_err(tr(544, "Error creating X509 store"));
887 X509_STORE_set_verify_cb_func(store
, ssl_verify_cb
);
889 if ((ca_dir
= ok_vlook(smime_ca_dir
)) != NULL
)
890 ca_dir
= file_expand(ca_dir
);
891 if ((ca_file
= ok_vlook(smime_ca_file
)) != NULL
)
892 ca_file
= file_expand(ca_file
);
894 if (ca_dir
!= NULL
|| ca_file
!= NULL
) {
895 if (X509_STORE_load_locations(store
, ca_file
, ca_dir
) != 1) {
896 ssl_gen_err(tr(545, "Error loading %s"),
897 (ca_file
!= NULL
) ? ca_file
: ca_dir
);
901 if (!ok_blook(smime_no_default_ca
)) {
902 if (X509_STORE_set_default_paths(store
) != 1) {
903 ssl_gen_err(tr(546, "Error loading default CA locations"));
908 if (load_crls(store
, ok_v_smime_crl_file
, ok_v_smime_crl_dir
) != OKAY
)
910 for (ip
= msgvec
; *ip
; ip
++) {
911 setdot(&message
[*ip
-1]);
912 ec
|= smime_verify(message
+ *ip
- 1, *ip
, chain
, store
);
921 smime_sign(FILE *ip
, struct header
*headp
)
923 FILE *rv
= NULL
, *sp
, *fp
, *bp
, *hp
;
926 _STACKOF(X509
) *chain
= NULL
;
934 if ((addr
= myorigin(headp
)) == NULL
) {
935 fprintf(stderr
, tr(531, "No \"from\" address for signing specified\n"));
938 if ((fp
= smime_sign_cert(addr
, NULL
, 1)) == NULL
)
941 if ((pkey
= PEM_read_PrivateKey(fp
, NULL
, ssl_password_cb
, NULL
)) == NULL
) {
942 ssl_gen_err(tr(532, "Error reading private key from"));
947 if ((cert
= PEM_read_X509(fp
, NULL
, ssl_password_cb
, NULL
)) == NULL
) {
948 ssl_gen_err(tr(533, "Error reading signer certificate from"));
956 if ((addr
= smime_sign_include_certs(addr
)) != NULL
&&
957 !smime_sign_include_chain_creat(&chain
, addr
)) {
963 if ((sp
= Ftmp(NULL
, "smimesign", OF_RDWR
| OF_UNLINK
| OF_REGISTER
, 0600))
967 sk_X509_pop_free(chain
, X509_free
);
974 if (smime_split(ip
, &hp
, &bp
, -1, 0) == STOP
) {
977 sk_X509_pop_free(chain
, X509_free
);
983 if ((bb
= BIO_new_fp(bp
, BIO_NOCLOSE
)) == NULL
||
984 (sb
= BIO_new_fp(sp
, BIO_NOCLOSE
)) == NULL
) {
985 ssl_gen_err(tr(534, "Error creating BIO signing objects"));
988 sk_X509_pop_free(chain
, X509_free
);
994 if ((pkcs7
= PKCS7_sign(cert
, pkey
, chain
, bb
,
995 PKCS7_DETACHED
)) == NULL
) {
996 ssl_gen_err(tr(535, "Error creating the PKCS#7 signing object"));
999 if (PEM_write_bio_PKCS7(sb
, pkcs7
) == 0) {
1000 ssl_gen_err(tr(536, "Error writing signed S/MIME data"));
1006 sk_X509_pop_free(chain
, X509_free
);
1008 EVP_PKEY_free(pkey
);
1014 sk_X509_pop_free(chain
, X509_free
);
1016 EVP_PKEY_free(pkey
);
1021 rv
= smime_sign_assemble(hp
, bp
, sp
);
1028 smime_encrypt(FILE *ip
, char const *xcertfile
, char const *to
)
1030 char *certfile
= UNCONST(xcertfile
);
1031 FILE *rv
= NULL
, *yp
, *fp
, *bp
, *hp
;
1035 _STACKOF(X509
) *certs
;
1036 EVP_CIPHER
const *cipher
;
1039 if ((certfile
= file_expand(certfile
)) == NULL
)
1043 if ((cipher
= _smime_cipher(to
)) == NULL
)
1045 if ((fp
= Fopen(certfile
, "r")) == NULL
) {
1050 if ((cert
= PEM_read_X509(fp
, NULL
, ssl_password_cb
, NULL
)) == NULL
) {
1051 ssl_gen_err(tr(547, "Error reading encryption certificate from \"%s\""),
1058 certs
= sk_X509_new_null();
1059 sk_X509_push(certs
, cert
);
1061 if ((yp
= Ftmp(NULL
, "smimeenc", OF_RDWR
| OF_UNLINK
| OF_REGISTER
, 0600)) ==
1068 if (smime_split(ip
, &hp
, &bp
, -1, 0) == STOP
) {
1074 if ((bb
= BIO_new_fp(bp
, BIO_NOCLOSE
)) == NULL
||
1075 (yb
= BIO_new_fp(yp
, BIO_NOCLOSE
)) == NULL
) {
1076 ssl_gen_err(tr(548, "Error creating BIO encryption objects"));
1079 if ((pkcs7
= PKCS7_encrypt(certs
, bb
, cipher
, 0)) == NULL
) {
1080 ssl_gen_err(tr(549, "Error creating the PKCS#7 encryption object"));
1083 if (PEM_write_bio_PKCS7(yb
, pkcs7
) == 0) {
1084 ssl_gen_err(tr(550, "Error writing encrypted S/MIME data"));
1086 /* TODO better code flow */
1101 rv
= smime_encrypt_assemble(hp
, yp
);
1108 smime_decrypt(struct message
*m
, char const *to
, char const *cc
, int signcall
)
1110 struct message
*rv
= NULL
;
1111 FILE *fp
, *bp
, *hp
, *op
;
1114 EVP_PKEY
*pkey
= NULL
;
1116 long size
= m
->m_size
;
1120 if ((yp
= setinput(&mb
, m
, NEED_BODY
)) == NULL
)
1124 if ((fp
= smime_sign_cert(to
, cc
, 0)) != NULL
) {
1125 pkey
= PEM_read_PrivateKey(fp
, NULL
, ssl_password_cb
, NULL
);
1127 ssl_gen_err(tr(551, "Error reading private key"));
1133 if ((cert
= PEM_read_X509(fp
, NULL
, ssl_password_cb
, NULL
)) == NULL
) {
1134 ssl_gen_err(tr(552, "Error reading decryption certificate"));
1136 EVP_PKEY_free(pkey
);
1142 if ((op
= Ftmp(NULL
, "smimedec", OF_RDWR
| OF_UNLINK
| OF_REGISTER
, 0600)) ==
1148 if (smime_split(yp
, &hp
, &bp
, size
, 1) == STOP
)
1151 if ((ob
= BIO_new_fp(op
, BIO_NOCLOSE
)) == NULL
||
1152 (bb
= BIO_new_fp(bp
, BIO_NOCLOSE
)) == NULL
) {
1153 ssl_gen_err(tr(553, "Error creating BIO decryption objects"));
1156 if ((pkcs7
= SMIME_read_PKCS7(bb
, &pb
)) == NULL
) {
1157 ssl_gen_err(tr(554, "Error reading PKCS#7 object"));
1164 EVP_PKEY_free(pkey
);
1168 if (PKCS7_type_is_signed(pkcs7
)) {
1170 setinput(&mb
, m
, NEED_BODY
);
1171 rv
= (struct message
*)-1;
1174 if (PKCS7_verify(pkcs7
, NULL
, NULL
, NULL
, ob
,
1175 PKCS7_NOVERIFY
| PKCS7_NOSIGS
) != 1)
1177 fseek(hp
, 0L, SEEK_END
);
1178 fprintf(hp
, "X-Encryption-Cipher: none\n");
1181 } else if (pkey
== NULL
) {
1182 fprintf(stderr
, tr(555, "No appropriate private key found.\n"));
1184 } else if (cert
== NULL
) {
1185 fprintf(stderr
, tr(556, "No appropriate certificate found.\n"));
1187 } else if (PKCS7_decrypt(pkcs7
, pkey
, cert
, ob
, 0) != 1) {
1189 ssl_gen_err(tr(557, "Error decrypting PKCS#7 object"));
1199 EVP_PKEY_free(pkey
);
1207 EVP_PKEY_free(pkey
);
1211 rv
= smime_decrypt_assemble(m
, hp
, op
);
1218 smime_certsave(struct message
*m
, int n
, FILE *op
)
1221 char *to
, *cc
, *cnttype
;
1227 _STACKOF(X509
) *certs
, *chain
= NULL
;
1229 enum okay rv
= STOP
;
1234 to
= hfield1("to", m
);
1235 cc
= hfield1("cc", m
);
1236 cnttype
= hfield1("content-type", m
);
1237 if ((ip
= setinput(&mb
, m
, NEED_BODY
)) == NULL
)
1239 if (cnttype
&& strncmp(cnttype
, "application/x-pkcs7-mime", 24) == 0) {
1240 if ((x
= smime_decrypt(m
, to
, cc
, 1)) == NULL
)
1242 if (x
!= (struct message
*)-1) {
1249 if ((fp
= Ftmp(NULL
, "smimecert", OF_RDWR
| OF_UNLINK
| OF_REGISTER
, 0600))
1255 while (size
-- > 0) {
1262 if ((fb
= BIO_new_fp(fp
, BIO_NOCLOSE
)) == NULL
) {
1263 ssl_gen_err("Error creating BIO object for message %d", n
);
1268 if ((pkcs7
= SMIME_read_PKCS7(fb
, &pb
)) == NULL
) {
1269 ssl_gen_err(tr(562, "Error reading PKCS#7 object for message %d"), n
);
1276 certs
= PKCS7_get0_signers(pkcs7
, chain
, 0);
1277 if (certs
== NULL
) {
1278 fprintf(stderr
, tr(563, "No certificates found in message %d\n"), n
);
1282 for (i
= 0; i
< sk_X509_num(certs
); ++i
) {
1283 cert
= sk_X509_value(certs
, i
);
1284 if (X509_print_fp(op
, cert
) == 0 || PEM_write_X509(op
, cert
) == 0) {
1285 ssl_gen_err(tr(564, "Error writing certificate %d from message %d"),
1295 #endif /* HAVE_OPENSSL */
1297 /* vim:set fenc=utf-8:s-it-mode */