2 * S-nail - a mail user agent derived from Berkeley Mail.
4 * Copyright (c) 2000-2004 Gunnar Ritter, Freiburg i. Br., Germany.
5 * Copyright (c) 2012 Steffen "Daode" Nurpmeso.
9 * Gunnar Ritter. All rights reserved.
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. All advertising materials mentioning features or use of this software
20 * must display the following acknowledgement:
21 * This product includes software developed by Gunnar Ritter
22 * and his contributors.
23 * 4. Neither the name of Gunnar Ritter nor the names of his contributors
24 * may be used to endorse or promote products derived from this software
25 * without specific prior written permission.
27 * THIS SOFTWARE IS PROVIDED BY GUNNAR RITTER AND CONTRIBUTORS ``AS IS'' AND
28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
30 * ARE DISCLAIMED. IN NO EVENT SHALL GUNNAR RITTER OR CONTRIBUTORS BE LIABLE
31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
43 typedef int avoid_empty_file_compiler_warning
;
44 #elif defined USE_OPENSSL
52 static struct termios otio
;
53 static sigjmp_buf ssljmp
;
55 #include <openssl/crypto.h>
56 #include <openssl/ssl.h>
57 #include <openssl/err.h>
58 #include <openssl/x509v3.h>
59 #include <openssl/x509.h>
60 #include <openssl/pem.h>
61 #include <openssl/rand.h>
69 #include <sys/socket.h>
71 #include <netinet/in.h>
72 #ifdef HAVE_ARPA_INET_H
73 #include <arpa/inet.h>
74 #endif /* HAVE_ARPA_INET_H */
81 * Mail -- a mail program
87 * OpenSSL client implementation according to: John Viega, Matt Messier,
88 * Pravir Chandra: Network Security with OpenSSL. Sebastopol, CA 2002.
91 static int initialized
;
93 static int message_number
;
94 static int verify_error_found
;
96 static void sslcatch(int s
);
97 static int ssl_rand_init(void);
98 static void ssl_init(void);
99 static int ssl_verify_cb(int success
, X509_STORE_CTX
*store
);
100 static const SSL_METHOD
*ssl_select_method(const char *uhp
);
101 static void ssl_load_verifications(struct sock
*sp
);
102 static void ssl_certificate(struct sock
*sp
, const char *uhp
);
103 static enum okay
ssl_check_host(const char *server
, struct sock
*sp
);
105 static int smime_verify(struct message
*m
, int n
, STACK_OF(X509
) *chain
,
108 static int smime_verify(struct message
*m
, int n
, STACK
*chain
,
111 static EVP_CIPHER
*smime_cipher(const char *name
);
112 static int ssl_password_cb(char *buf
, int size
, int rwflag
, void *userdata
);
113 static FILE *smime_sign_cert(const char *xname
, const char *xname2
, int warn
);
114 static char *smime_sign_include_certs(char *name
);
116 static int smime_sign_include_chain_creat(STACK_OF(X509
) **chain
, char *cfiles
);
118 static int smime_sign_include_chain_creat(STACK
**chain
, char *cfiles
);
120 #if defined (X509_V_FLAG_CRL_CHECK) && defined (X509_V_FLAG_CRL_CHECK_ALL)
121 static enum okay
load_crl1(X509_STORE
*store
, const char *name
);
123 static enum okay
load_crls(X509_STORE
*store
, const char *vfile
,
130 tcsetattr(0, TCSADRAIN
, &otio
);
131 siglongjmp(ssljmp
, s
);
140 if ((cp
= value("ssl-rand-egd")) != NULL
) {
141 cp
= file_expand(cp
);
142 if (RAND_egd(cp
) == -1) {
143 fprintf(stderr
, catgets(catd
, CATSET
, 245,
144 "entropy daemon at \"%s\" not available\n"),
148 } else if ((cp
= value("ssl-rand-file")) != NULL
) {
149 cp
= file_expand(cp
);
150 if (RAND_load_file(cp
, 1024) == -1) {
151 fprintf(stderr
, catgets(catd
, CATSET
, 246,
152 "entropy file at \"%s\" not available\n"), cp
);
156 if (stat(cp
, &st
) == 0 && S_ISREG(st
.st_mode
) &&
157 access(cp
, W_OK
) == 0) {
158 if (RAND_write_file(cp
) == -1) {
159 fprintf(stderr
, catgets(catd
, CATSET
,
161 "writing entropy data to \"%s\" failed\n"), cp
);
173 verbose
= value("verbose") != NULL
;
174 if (initialized
== 0) {
179 rand_init
= ssl_rand_init();
183 ssl_verify_cb(int success
, X509_STORE_CTX
*store
)
187 X509
*cert
= X509_STORE_CTX_get_current_cert(store
);
188 int depth
= X509_STORE_CTX_get_error_depth(store
);
189 int err
= X509_STORE_CTX_get_error(store
);
191 verify_error_found
= 1;
193 fprintf(stderr
, "Message %d: ", message_number
);
194 fprintf(stderr
, catgets(catd
, CATSET
, 229,
195 "Error with certificate at depth: %i\n"),
197 X509_NAME_oneline(X509_get_issuer_name(cert
), data
,
199 fprintf(stderr
, catgets(catd
, CATSET
, 230, " issuer = %s\n"),
201 X509_NAME_oneline(X509_get_subject_name(cert
), data
,
203 fprintf(stderr
, catgets(catd
, CATSET
, 231, " subject = %s\n"),
205 fprintf(stderr
, catgets(catd
, CATSET
, 232, " err %i: %s\n"),
206 err
, X509_verify_cert_error_string(err
));
207 if (ssl_vrfy_decide() != OKAY
)
213 static const SSL_METHOD
*
214 ssl_select_method(const char *uhp
)
216 const SSL_METHOD
*method
;
219 cp
= ssl_method_string(uhp
);
221 #ifndef OPENSSL_NO_SSL2
222 if (strcmp(cp
, "ssl2") == 0)
223 method
= SSLv2_client_method();
226 if (strcmp(cp
, "ssl3") == 0)
227 method
= SSLv3_client_method();
228 else if (strcmp(cp
, "tls1") == 0)
229 method
= TLSv1_client_method();
231 fprintf(stderr
, tr(244, "Invalid SSL method \"%s\"\n"),
233 method
= SSLv23_client_method();
236 method
= SSLv23_client_method();
241 ssl_load_verifications(struct sock
*sp
)
243 char *ca_dir
, *ca_file
;
246 if (ssl_vrfy_level
== VRFY_IGNORE
)
248 if ((ca_dir
= value("ssl-ca-dir")) != NULL
)
249 ca_dir
= file_expand(ca_dir
);
250 if ((ca_file
= value("ssl-ca-file")) != NULL
)
251 ca_file
= file_expand(ca_file
);
252 if (ca_dir
|| ca_file
) {
253 if (SSL_CTX_load_verify_locations(sp
->s_ctx
,
254 ca_file
, ca_dir
) != 1) {
255 fprintf(stderr
, catgets(catd
, CATSET
, 233,
258 fprintf(stderr
, catgets(catd
, CATSET
, 234,
261 fprintf(stderr
, catgets(catd
, CATSET
,
265 fprintf(stderr
, catgets(catd
, CATSET
, 236,
267 fprintf(stderr
, catgets(catd
, CATSET
, 237, "\n"));
270 if (value("ssl-no-default-ca") == NULL
) {
271 if (SSL_CTX_set_default_verify_paths(sp
->s_ctx
) != 1)
272 fprintf(stderr
, catgets(catd
, CATSET
, 243,
273 "Error loading default CA locations\n"));
275 verify_error_found
= 0;
277 SSL_CTX_set_verify(sp
->s_ctx
, SSL_VERIFY_PEER
, ssl_verify_cb
);
278 store
= SSL_CTX_get_cert_store(sp
->s_ctx
);
279 load_crls(store
, "ssl-crl-file", "ssl-crl-dir");
283 ssl_certificate(struct sock
*sp
, const char *uhp
)
285 char *certvar
, *keyvar
, *cert
, *key
;
287 certvar
= ac_alloc(strlen(uhp
) + 10);
288 strcpy(certvar
, "ssl-cert-");
289 strcpy(&certvar
[9], uhp
);
290 if ((cert
= value(certvar
)) != NULL
||
291 (cert
= value("ssl-cert")) != NULL
) {
292 cert
= file_expand(cert
);
293 if (SSL_CTX_use_certificate_chain_file(sp
->s_ctx
, cert
) == 1) {
294 keyvar
= ac_alloc(strlen(uhp
) + 9);
295 strcpy(keyvar
, "ssl-key-");
296 if ((key
= value(keyvar
)) == NULL
&&
297 (key
= value("ssl-key")) == NULL
)
300 key
= file_expand(key
);
301 if (SSL_CTX_use_PrivateKey_file(sp
->s_ctx
, key
,
302 SSL_FILETYPE_PEM
) != 1)
303 fprintf(stderr
, catgets(catd
, CATSET
, 238,
304 "cannot load private key from file %s\n"),
308 fprintf(stderr
, catgets(catd
, CATSET
, 239,
309 "cannot load certificate from file %s\n"),
316 ssl_check_host(const char *server
, struct sock
*sp
)
322 STACK_OF(GENERAL_NAME
) *gens
;
324 /*GENERAL_NAMES*/STACK
*gens
;
329 if ((cert
= SSL_get_peer_certificate(sp
->s_ssl
)) == NULL
) {
330 fprintf(stderr
, catgets(catd
, CATSET
, 248,
331 "no certificate from \"%s\"\n"), server
);
334 gens
= X509_get_ext_d2i(cert
, NID_subject_alt_name
, NULL
, NULL
);
336 for (i
= 0; i
< sk_GENERAL_NAME_num(gens
); i
++) {
337 gen
= sk_GENERAL_NAME_value(gens
, i
);
338 if (gen
->type
== GEN_DNS
) {
341 "Comparing DNS name: \"%s\"\n",
343 if (rfc2595_hostname_match(server
,
344 (char *)gen
->d
.ia5
->data
)
350 if ((subj
= X509_get_subject_name(cert
)) != NULL
&&
351 X509_NAME_get_text_by_NID(subj
, NID_commonName
,
352 data
, sizeof data
) > 0) {
353 data
[sizeof data
- 1] = 0;
355 fprintf(stderr
, "Comparing common name: \"%s\"\n",
357 if (rfc2595_hostname_match(server
, data
) == OKAY
)
362 found
: X509_free(cert
);
367 ssl_open(const char *server
, struct sock
*sp
, const char *uhp
)
373 ssl_set_vrfy_level(uhp
);
375 SSL_CTX_new((SSL_METHOD
*)ssl_select_method(uhp
))) == NULL
) {
376 ssl_gen_err(catgets(catd
, CATSET
, 261, "SSL_CTX_new() failed"));
379 #ifdef SSL_MODE_AUTO_RETRY
380 /* available with OpenSSL 0.9.6 or later */
381 SSL_CTX_set_mode(sp
->s_ctx
, SSL_MODE_AUTO_RETRY
);
382 #endif /* SSL_MODE_AUTO_RETRY */
383 options
= SSL_OP_ALL
;
384 if (value("ssl-v2-allow") == NULL
)
385 options
|= SSL_OP_NO_SSLv2
;
386 SSL_CTX_set_options(sp
->s_ctx
, options
);
387 ssl_load_verifications(sp
);
388 ssl_certificate(sp
, uhp
);
389 if ((cp
= value("ssl-cipher-list")) != NULL
) {
390 if (SSL_CTX_set_cipher_list(sp
->s_ctx
, cp
) != 1)
391 fprintf(stderr
, catgets(catd
, CATSET
, 240,
392 "invalid ciphers: %s\n"), cp
);
394 if ((sp
->s_ssl
= SSL_new(sp
->s_ctx
)) == NULL
) {
395 ssl_gen_err(catgets(catd
, CATSET
, 262, "SSL_new() failed"));
398 SSL_set_fd(sp
->s_ssl
, sp
->s_fd
);
399 if (SSL_connect(sp
->s_ssl
) < 0) {
400 ssl_gen_err(catgets(catd
, CATSET
, 263,
401 "could not initiate SSL/TLS connection"));
404 if (ssl_vrfy_level
!= VRFY_IGNORE
) {
405 if (ssl_check_host(server
, sp
) != OKAY
) {
406 fprintf(stderr
, catgets(catd
, CATSET
, 249,
407 "host certificate does not match \"%s\"\n"),
409 if (ssl_vrfy_decide() != OKAY
)
418 ssl_gen_err(const char *fmt
, ...)
423 vfprintf(stderr
, fmt
, ap
);
425 SSL_load_error_strings();
426 fprintf(stderr
, ": %s\n",
427 (ERR_error_string(ERR_get_error(), NULL
)));
431 smime_sign(FILE *ip
, struct header
*headp
)
433 FILE *sp
, *fp
, *bp
, *hp
;
437 STACK_OF(X509
) *chain
= NULL
;
446 if ((addr
= myorigin(headp
)) == NULL
) {
447 fprintf(stderr
, "No \"from\" address for signing specified\n");
450 if ((fp
= smime_sign_cert(addr
, NULL
, 1)) == NULL
)
452 if ((pkey
= PEM_read_PrivateKey(fp
, NULL
, ssl_password_cb
, NULL
))
454 ssl_gen_err("Error reading private key from");
459 if ((cert
= PEM_read_X509(fp
, NULL
, ssl_password_cb
, NULL
)) == NULL
) {
460 ssl_gen_err("Error reading signer certificate from");
466 if ((cp
= smime_sign_include_certs(addr
)) != NULL
&&
467 !smime_sign_include_chain_creat(&chain
, cp
)) {
472 if ((sp
= Ftemp(&cp
, "Rs", "w+", 0600, 1)) == NULL
) {
475 sk_X509_pop_free(chain
, X509_free
);
483 if (smime_split(ip
, &hp
, &bp
, -1, 0) == STOP
) {
486 sk_X509_pop_free(chain
, X509_free
);
491 if ((bb
= BIO_new_fp(bp
, BIO_NOCLOSE
)) == NULL
||
492 (sb
= BIO_new_fp(sp
, BIO_NOCLOSE
)) == NULL
) {
493 ssl_gen_err("Error creating BIO signing objects");
496 sk_X509_pop_free(chain
, X509_free
);
501 if ((pkcs7
= PKCS7_sign(cert
, pkey
, chain
, bb
,
502 PKCS7_DETACHED
)) == NULL
) {
503 ssl_gen_err("Error creating the PKCS#7 signing object");
508 sk_X509_pop_free(chain
, X509_free
);
513 if (PEM_write_bio_PKCS7(sb
, pkcs7
) == 0) {
514 ssl_gen_err("Error writing signed S/MIME data");
519 sk_X509_pop_free(chain
, X509_free
);
527 sk_X509_pop_free(chain
, X509_free
);
533 return smime_sign_assemble(hp
, bp
, sp
);
538 smime_verify(struct message
*m
, int n
, STACK_OF(X509
) *chain
, X509_STORE
*store
)
540 smime_verify(struct message
*m
, int n
, STACK
*chain
, X509_STORE
*store
)
544 char *cp
, *sender
, *to
, *cc
, *cnttype
;
551 STACK_OF(X509
) *certs
;
552 STACK_OF(GENERAL_NAME
) *gens
;
561 verify_error_found
= 0;
563 loop
: sender
= getsender(m
);
564 to
= hfield1("to", m
);
565 cc
= hfield1("cc", m
);
566 cnttype
= hfield1("content-type", m
);
567 if ((ip
= setinput(&mb
, m
, NEED_BODY
)) == NULL
)
569 if (cnttype
&& strncmp(cnttype
, "application/x-pkcs7-mime", 24) == 0) {
570 if ((x
= smime_decrypt(m
, to
, cc
, 1)) == NULL
)
572 if (x
!= (struct message
*)-1) {
578 if ((fp
= Ftemp(&cp
, "Rv", "w+", 0600, 1)) == NULL
) {
590 if ((fb
= BIO_new_fp(fp
, BIO_NOCLOSE
)) == NULL
) {
591 ssl_gen_err("Error creating BIO verification object "
592 "for message %d", n
);
596 if ((pkcs7
= SMIME_read_PKCS7(fb
, &pb
)) == NULL
) {
597 ssl_gen_err("Error reading PKCS#7 object for message %d", n
);
602 if (PKCS7_verify(pkcs7
, chain
, store
, pb
, NULL
, 0) != 1) {
603 ssl_gen_err("Error verifying message %d", n
);
610 if (sender
== NULL
) {
612 "Warning: Message %d has no sender.\n", n
);
615 certs
= PKCS7_get0_signers(pkcs7
, chain
, 0);
617 fprintf(stderr
, "No certificates found in message %d.\n", n
);
620 for (i
= 0; i
< sk_X509_num(certs
); i
++) {
621 cert
= sk_X509_value(certs
, i
);
622 gens
= X509_get_ext_d2i(cert
, NID_subject_alt_name
, NULL
, NULL
);
624 for (j
= 0; j
< sk_GENERAL_NAME_num(gens
); j
++) {
625 gen
= sk_GENERAL_NAME_value(gens
, j
);
626 if (gen
->type
== GEN_EMAIL
) {
632 if (!asccasecmp((char *)
639 if ((subj
= X509_get_subject_name(cert
)) != NULL
&&
640 X509_NAME_get_text_by_NID(subj
,
641 NID_pkcs9_emailAddress
,
642 data
, sizeof data
) > 0) {
643 data
[sizeof data
- 1] = 0;
645 fprintf(stderr
, "Comparing address: \"%s\"\n",
647 if (asccasecmp(data
, sender
) == 0)
651 fprintf(stderr
, "Message %d: certificate does not match <%s>\n",
654 found
: if (verify_error_found
== 0)
655 printf("Message %d was verified successfully.\n", n
);
656 return verify_error_found
;
662 int *msgvec
= vp
, *ip
;
665 STACK_OF(X509
) *chain
= NULL
;
670 char *ca_dir
, *ca_file
;
673 ssl_vrfy_level
= VRFY_STRICT
;
674 if ((store
= X509_STORE_new()) == NULL
) {
675 ssl_gen_err("Error creating X509 store");
678 X509_STORE_set_verify_cb_func(store
, ssl_verify_cb
);
679 if ((ca_dir
= value("smime-ca-dir")) != NULL
)
680 ca_dir
= file_expand(ca_dir
);
681 if ((ca_file
= value("smime-ca-file")) != NULL
)
682 ca_file
= file_expand(ca_file
);
683 if (ca_dir
|| ca_file
) {
684 if (X509_STORE_load_locations(store
, ca_file
, ca_dir
) != 1) {
685 ssl_gen_err("Error loading %s",
686 ca_file
? ca_file
: ca_dir
);
690 if (value("smime-no-default-ca") == NULL
) {
691 if (X509_STORE_set_default_paths(store
) != 1) {
692 ssl_gen_err("Error loading default CA locations");
696 if (load_crls(store
, "smime-crl-file", "smime-crl-dir") != OKAY
)
698 for (ip
= msgvec
; *ip
; ip
++) {
699 setdot(&message
[*ip
-1]);
700 ec
|= smime_verify(&message
[*ip
-1], *ip
, chain
, store
);
706 smime_cipher(const char *name
)
708 const EVP_CIPHER
*cipher
;
712 vn
= ac_alloc(vs
= strlen(name
) + 30);
713 snprintf(vn
, vs
, "smime-cipher-%s", name
);
714 if ((cp
= value(vn
)) != NULL
) {
715 if (strcmp(cp
, "rc2-40") == 0)
716 cipher
= EVP_rc2_40_cbc();
717 else if (strcmp(cp
, "rc2-64") == 0)
718 cipher
= EVP_rc2_64_cbc();
719 else if (strcmp(cp
, "des") == 0)
720 cipher
= EVP_des_cbc();
721 else if (strcmp(cp
, "des-ede3") == 0)
722 cipher
= EVP_des_ede3_cbc();
724 fprintf(stderr
, "Invalid cipher \"%s\".\n", cp
);
728 cipher
= EVP_des_ede3_cbc();
730 return (EVP_CIPHER
*)cipher
;
734 smime_encrypt(FILE *ip
, const char *certfile
, const char *to
)
736 FILE *yp
, *fp
, *bp
, *hp
;
742 STACK_OF(X509
) *certs
;
748 certfile
= file_expand((char *)certfile
);
750 if ((cipher
= smime_cipher(to
)) == NULL
)
752 if ((fp
= Fopen(certfile
, "r")) == NULL
) {
756 if ((cert
= PEM_read_X509(fp
, NULL
, ssl_password_cb
, NULL
)) == NULL
) {
757 ssl_gen_err("Error reading encryption certificate from \"%s\"",
763 certs
= sk_X509_new_null();
764 sk_X509_push(certs
, cert
);
765 if ((yp
= Ftemp(&cp
, "Ry", "w+", 0600, 1)) == NULL
) {
772 if (smime_split(ip
, &hp
, &bp
, -1, 0) == STOP
) {
776 if ((bb
= BIO_new_fp(bp
, BIO_NOCLOSE
)) == NULL
||
777 (yb
= BIO_new_fp(yp
, BIO_NOCLOSE
)) == NULL
) {
778 ssl_gen_err("Error creating BIO encryption objects");
782 if ((pkcs7
= PKCS7_encrypt(certs
, bb
, cipher
, 0)) == NULL
) {
783 ssl_gen_err("Error creating the PKCS#7 encryption object");
789 if (PEM_write_bio_PKCS7(yb
, pkcs7
) == 0) {
790 ssl_gen_err("Error writing encrypted S/MIME data");
801 return smime_encrypt_assemble(hp
, yp
);
805 smime_decrypt(struct message
*m
, const char *to
, const char *cc
, int signcall
)
807 FILE *fp
, *bp
, *hp
, *op
;
811 EVP_PKEY
*pkey
= NULL
;
813 long size
= m
->m_size
;
816 if ((yp
= setinput(&mb
, m
, NEED_BODY
)) == NULL
)
819 if ((fp
= smime_sign_cert(to
, cc
, 0)) != NULL
) {
820 if ((pkey
= PEM_read_PrivateKey(fp
, NULL
, ssl_password_cb
,
822 ssl_gen_err("Error reading private key");
827 if ((cert
= PEM_read_X509(fp
, NULL
, ssl_password_cb
,
829 ssl_gen_err("Error reading decryption certificate");
836 if ((op
= Ftemp(&cp
, "Rp", "w+", 0600, 1)) == NULL
) {
846 if (smime_split(yp
, &hp
, &bp
, size
, 1) == STOP
) {
854 if ((ob
= BIO_new_fp(op
, BIO_NOCLOSE
)) == NULL
||
855 (bb
= BIO_new_fp(bp
, BIO_NOCLOSE
)) == NULL
) {
856 ssl_gen_err("Error creating BIO decryption objects");
864 if ((pkcs7
= SMIME_read_PKCS7(bb
, &pb
)) == NULL
) {
865 ssl_gen_err("Error reading PKCS#7 object");
873 if (PKCS7_type_is_signed(pkcs7
)) {
884 setinput(&mb
, m
, NEED_BODY
);
885 return (struct message
*)-1;
887 if (PKCS7_verify(pkcs7
, NULL
, NULL
, NULL
, ob
,
888 PKCS7_NOVERIFY
|PKCS7_NOSIGS
) != 1)
890 fseek(hp
, 0L, SEEK_END
);
891 fprintf(hp
, "X-Encryption-Cipher: none\n");
894 } else if (pkey
== NULL
) {
895 fprintf(stderr
, "No appropriate private key found.\n");
897 } else if (cert
== NULL
) {
898 fprintf(stderr
, "No appropriate certificate found.\n");
900 } else if (PKCS7_decrypt(pkcs7
, pkey
, cert
, ob
, 0) != 1) {
901 err
: ssl_gen_err("Error decrypting PKCS#7 object");
922 return smime_decrypt_assemble(m
, hp
, op
);
927 ssl_password_cb(char *buf
, int size
, int rwflag
, void *userdata
)
929 sighandler_type saveint
;
935 saveint
= safe_signal(SIGINT
, SIG_IGN
);
936 if (sigsetjmp(ssljmp
, 1) == 0) {
937 if (saveint
!= SIG_IGN
)
938 safe_signal(SIGINT
, sslcatch
);
939 pass
= getpassword(&otio
, &reset_tio
, "PEM pass phrase:");
941 safe_signal(SIGINT
, saveint
);
947 memcpy(buf
, pass
, len
);
952 smime_sign_cert(const char *xname
, const char *xname2
, int warn
)
958 const char *name
= xname
, *name2
= xname2
;
961 np
= lextract(name
, GTO
|GSKIN
);
964 * This needs to be more intelligent since it will
965 * currently take the first name for which a private
966 * key is available regardless of whether it is the
967 * right one for the message.
969 vn
= ac_alloc(vs
= strlen(np
->n_name
) + 30);
970 snprintf(vn
, vs
, "smime-sign-cert-%s", np
->n_name
);
971 if ((cp
= value(vn
)) != NULL
)
981 if ((cp
= value("smime-sign-cert")) != NULL
)
984 fprintf(stderr
, "Could not find a certificate for %s", xname
);
986 fprintf(stderr
, "or %s", xname2
);
990 open
: cp
= file_expand(cp
);
991 if ((fp
= Fopen(cp
, "r")) == NULL
) {
999 smime_sign_include_certs(char *name
)
1001 /* See comments in smime_sign_cert() for algorithm pitfalls */
1003 struct name
*np
= lextract(name
, GTO
|GSKIN
);
1006 char *vn
= ac_alloc(vs
= strlen(np
->n_name
) + 30);
1007 snprintf(vn
, vs
, "smime-sign-include-certs-%s",
1009 if ((name
= value(vn
)) != NULL
)
1014 return value("smime-sign-include-certs");
1018 smime_sign_include_chain_creat(
1019 #ifdef HAVE_STACK_OF
1020 STACK_OF(X509
) **chain
,
1026 *chain
= sk_X509_new_null();
1031 char *exp
, *ncf
= strchr(cfiles
, ',');
1034 /* This fails for '=,file' constructs, but those are sick */
1038 if ((exp
= file_expand(cfiles
)) != NULL
)
1040 if ((fp
= Fopen(cfiles
, "r")) == NULL
) {
1044 if ((tmp
= PEM_read_X509(fp
, NULL
, ssl_password_cb
, NULL
)
1046 ssl_gen_err("Error reading certificate from \"%s\"",
1051 sk_X509_push(*chain
, tmp
);
1059 if (sk_X509_num(*chain
) == 0) {
1060 fprintf(stderr
, "smime-sign-include-certs defined but empty\n");
1064 jleave
: return (*chain
!= NULL
);
1066 jerr
: sk_X509_pop_free(*chain
, X509_free
);
1072 smime_certsave(struct message
*m
, int n
, FILE *op
)
1075 char *cp
, *to
, *cc
, *cnttype
;
1081 #ifdef HAVE_STACK_OF
1082 STACK_OF(X509
) *certs
;
1083 STACK_OF(X509
) *chain
= NULL
;
1086 STACK
*chain
= NULL
;
1089 enum okay ok
= OKAY
;
1092 loop
: to
= hfield1("to", m
);
1093 cc
= hfield1("cc", m
);
1094 cnttype
= hfield1("content-type", m
);
1095 if ((ip
= setinput(&mb
, m
, NEED_BODY
)) == NULL
)
1097 if (cnttype
&& strncmp(cnttype
, "application/x-pkcs7-mime", 24) == 0) {
1098 if ((x
= smime_decrypt(m
, to
, cc
, 1)) == NULL
)
1100 if (x
!= (struct message
*)-1) {
1106 if ((fp
= Ftemp(&cp
, "Rv", "w+", 0600, 1)) == NULL
) {
1112 while (size
-- > 0) {
1118 if ((fb
= BIO_new_fp(fp
, BIO_NOCLOSE
)) == NULL
) {
1119 ssl_gen_err("Error creating BIO object for message %d", n
);
1123 if ((pkcs7
= SMIME_read_PKCS7(fb
, &pb
)) == NULL
) {
1124 ssl_gen_err("Error reading PKCS#7 object for message %d", n
);
1131 certs
= PKCS7_get0_signers(pkcs7
, chain
, 0);
1132 if (certs
== NULL
) {
1133 fprintf(stderr
, "No certificates found in message %d.\n", n
);
1136 for (i
= 0; i
< sk_X509_num(certs
); i
++) {
1137 cert
= sk_X509_value(certs
, i
);
1138 if (X509_print_fp(op
, cert
) == 0 ||
1139 PEM_write_X509(op
, cert
) == 0) {
1140 ssl_gen_err("Error writing certificate %d from "
1141 "message %d", i
, n
);
1148 #if defined (X509_V_FLAG_CRL_CHECK) && defined (X509_V_FLAG_CRL_CHECK_ALL)
1150 load_crl1(X509_STORE
*store
, const char *name
)
1152 X509_LOOKUP
*lookup
;
1155 printf("Loading CRL from \"%s\".\n", name
);
1156 if ((lookup
= X509_STORE_add_lookup(store
,
1157 X509_LOOKUP_file())) == NULL
) {
1158 ssl_gen_err("Error creating X509 lookup object");
1161 if (X509_load_crl_file(lookup
, name
, X509_FILETYPE_PEM
) != 1) {
1162 ssl_gen_err("Error loading CRL from \"%s\"", name
);
1167 #endif /* new OpenSSL */
1170 load_crls(X509_STORE
*store
, const char *vfile
, const char *vdir
)
1172 char *crl_file
, *crl_dir
;
1173 #if defined (X509_V_FLAG_CRL_CHECK) && defined (X509_V_FLAG_CRL_CHECK_ALL)
1178 #endif /* new OpenSSL */
1180 if ((crl_file
= value(vfile
)) != NULL
) {
1181 #if defined (X509_V_FLAG_CRL_CHECK) && defined (X509_V_FLAG_CRL_CHECK_ALL)
1182 crl_file
= file_expand(crl_file
);
1183 if (load_crl1(store
, crl_file
) != OKAY
)
1185 #else /* old OpenSSL */
1187 "This OpenSSL version is too old to use CRLs.\n");
1189 #endif /* old OpenSSL */
1191 if ((crl_dir
= value(vdir
)) != NULL
) {
1192 #if defined (X509_V_FLAG_CRL_CHECK) && defined (X509_V_FLAG_CRL_CHECK_ALL)
1193 crl_dir
= file_expand(crl_dir
);
1194 ds
= strlen(crl_dir
);
1195 if ((dirfd
= opendir(crl_dir
)) == NULL
) {
1199 fn
= smalloc(fs
= ds
+ 20);
1200 strcpy(fn
, crl_dir
);
1202 while ((dp
= readdir(dirfd
)) != NULL
) {
1203 if (dp
->d_name
[0] == '.' &&
1204 (dp
->d_name
[1] == '\0' ||
1205 (dp
->d_name
[1] == '.' &&
1206 dp
->d_name
[2] == '\0')))
1208 if (dp
->d_name
[0] == '.')
1210 if (ds
+ (es
= strlen(dp
->d_name
)) + 2 < fs
)
1211 fn
= srealloc(fn
, fs
= ds
+ es
+ 20);
1212 strcpy(&fn
[ds
+1], dp
->d_name
);
1213 if (load_crl1(store
, fn
) != OKAY
) {
1221 #else /* old OpenSSL */
1223 "This OpenSSL version is too old to use CRLs.\n");
1225 #endif /* old OpenSSL */
1227 #if defined (X509_V_FLAG_CRL_CHECK) && defined (X509_V_FLAG_CRL_CHECK_ALL)
1228 if (crl_file
|| crl_dir
)
1229 X509_STORE_set_flags(store
, X509_V_FLAG_CRL_CHECK
|
1230 X509_V_FLAG_CRL_CHECK_ALL
);
1231 #endif /* old OpenSSL */
1235 #else /* !NSS && !USE_OPENSSL */
1242 fprintf(stderr
, "No S/MIME support compiled in.\n");
1247 smime_sign(FILE *fp
)
1265 smime_encrypt(FILE *fp
, const char *certfile
, const char *to
)
1276 smime_decrypt(struct message
*m
, const char *to
, const char *cc
, int signcall
)
1294 #endif /* !USE_NSS && !USE_OPENSSL */