1 /*@ S-nail - a mail user agent derived from Berkeley Mail.
4 * Copyright (c) 2000-2004 Gunnar Ritter, Freiburg i. Br., Germany.
5 * Copyright (c) 2012 - 2014 Steffen "Daode" Nurpmeso <sdaoden@users.sf.net>.
9 * Gunnar Ritter. All rights reserved.
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. All advertising materials mentioning features or use of this software
20 * must display the following acknowledgement:
21 * This product includes software developed by Gunnar Ritter
22 * and his contributors.
23 * 4. Neither the name of Gunnar Ritter nor the names of his contributors
24 * may be used to endorse or promote products derived from this software
25 * without specific prior written permission.
27 * THIS SOFTWARE IS PROVIDED BY GUNNAR RITTER AND CONTRIBUTORS ``AS IS'' AND
28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
30 * ARE DISCLAIMED. IN NO EVENT SHALL GUNNAR RITTER OR CONTRIBUTORS BE LIABLE
31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
40 #ifndef HAVE_AMALGAMATION
46 #include <sys/socket.h>
51 #include <netinet/in.h>
53 #include <openssl/crypto.h>
54 #include <openssl/ssl.h>
55 #include <openssl/err.h>
56 #include <openssl/x509v3.h>
57 #include <openssl/x509.h>
58 #include <openssl/pem.h>
59 #include <openssl/rand.h>
61 #ifdef HAVE_ARPA_INET_H
62 # include <arpa/inet.h>
66 * OpenSSL client implementation according to: John Viega, Matt Messier,
67 * Pravir Chandra: Network Security with OpenSSL. Sebastopol, CA 2002.
70 static sigjmp_buf ssljmp
;
72 static int initialized
;
74 static int message_number
;
75 static int verify_error_found
;
77 static void sslcatch(int s
);
78 static int ssl_rand_init(void);
79 static void ssl_init(void);
80 static int ssl_verify_cb(int success
, X509_STORE_CTX
*store
);
81 static const SSL_METHOD
*ssl_select_method(const char *uhp
);
82 static void ssl_load_verifications(struct sock
*sp
);
83 static void ssl_certificate(struct sock
*sp
, const char *uhp
);
84 static enum okay
ssl_check_host(const char *server
, struct sock
*sp
);
86 static int smime_verify(struct message
*m
, int n
, STACK_OF(X509
) *chain
,
89 static int smime_verify(struct message
*m
, int n
, STACK
*chain
,
92 static EVP_CIPHER
*smime_cipher(const char *name
);
93 static int ssl_password_cb(char *buf
, int size
, int rwflag
, void *userdata
);
94 static FILE *smime_sign_cert(const char *xname
, const char *xname2
,
96 static char *smime_sign_include_certs(char const *name
);
98 static int smime_sign_include_chain_creat(STACK_OF(X509
) **chain
, char *cfiles
);
100 static int smime_sign_include_chain_creat(STACK
**chain
, char *cfiles
);
102 #if defined (X509_V_FLAG_CRL_CHECK) && defined (X509_V_FLAG_CRL_CHECK_ALL)
103 static enum okay
load_crl1(X509_STORE
*store
, const char *name
);
105 static enum okay
load_crls(X509_STORE
*store
, enum okeys fok
, enum okeys dok
);
110 termios_state_reset();
111 siglongjmp(ssljmp
, s
);
120 if ((cp
= ok_vlook(ssl_rand_egd
)) != NULL
) {
121 if ((x
= file_expand(cp
)) == NULL
|| RAND_egd(cp
= x
) == -1)
122 fprintf(stderr
, tr(245,
123 "entropy daemon at \"%s\" not available\n"),
127 } else if ((cp
= ok_vlook(ssl_rand_file
)) != NULL
) {
128 if ((x
= file_expand(cp
)) == NULL
||
129 RAND_load_file(cp
= x
, 1024) == -1)
130 fprintf(stderr
, tr(246,
131 "entropy file at \"%s\" not available\n"), cp
);
135 if (stat(cp
, &st
) == 0 && S_ISREG(st
.st_mode
) &&
136 access(cp
, W_OK
) == 0) {
137 if (RAND_write_file(cp
) == -1) {
138 fprintf(stderr
, tr(247,
139 "writing entropy data to \"%s\" failed\n"), cp
);
151 if (initialized
== 0) {
156 rand_init
= ssl_rand_init();
160 ssl_verify_cb(int success
, X509_STORE_CTX
*store
)
164 X509
*cert
= X509_STORE_CTX_get_current_cert(store
);
165 int depth
= X509_STORE_CTX_get_error_depth(store
);
166 int err
= X509_STORE_CTX_get_error(store
);
168 verify_error_found
= 1;
170 fprintf(stderr
, "Message %d: ", message_number
);
171 fprintf(stderr
, tr(229,
172 "Error with certificate at depth: %i\n"), depth
);
173 X509_NAME_oneline(X509_get_issuer_name(cert
), data
,
175 fprintf(stderr
, tr(230, " issuer = %s\n"), data
);
176 X509_NAME_oneline(X509_get_subject_name(cert
), data
,
178 fprintf(stderr
, tr(231, " subject = %s\n"),
180 fprintf(stderr
, tr(232, " err %i: %s\n"),
181 err
, X509_verify_cert_error_string(err
));
182 if (ssl_vrfy_decide() != OKAY
)
188 static const SSL_METHOD
*
189 ssl_select_method(const char *uhp
)
191 SSL_METHOD
const *method
= NULL
;
194 cp
= ssl_method_string(uhp
);
196 #ifndef OPENSSL_NO_SSL2
197 if (strcmp(cp
, "ssl2") == 0)
198 method
= SSLv2_client_method();
201 #ifndef OPENSSL_NO_SSL3
202 if (strcmp(cp
, "ssl3") == 0)
203 method
= SSLv3_client_method();
206 #ifndef OPENSSL_NO_TLS1
207 if (strcmp(cp
, "tls1") == 0)
208 method
= TLSv1_client_method();
210 # ifdef TLS1_1_VERSION
211 if (strcmp(cp
, "tls1.1") == 0)
212 method
= TLSv1_1_client_method();
215 # ifdef TLS1_2_VERSION
216 if (strcmp(cp
, "tls1.2") == 0)
217 method
= TLSv1_2_client_method();
221 fprintf(stderr
, tr(244, "Invalid SSL method \"%s\"\n"),
226 method
= SSLv23_client_method();
231 ssl_load_verifications(struct sock
*sp
)
233 char *ca_dir
, *ca_file
;
236 if (ssl_vrfy_level
== VRFY_IGNORE
)
238 if ((ca_dir
= ok_vlook(ssl_ca_dir
)) != NULL
)
239 ca_dir
= file_expand(ca_dir
);
240 if ((ca_file
= ok_vlook(ssl_ca_file
)) != NULL
)
241 ca_file
= file_expand(ca_file
);
242 if (ca_dir
!= NULL
|| ca_file
!= NULL
) {
243 if (SSL_CTX_load_verify_locations(sp
->s_ctx
,
244 ca_file
, ca_dir
) != 1) {
245 fprintf(stderr
, tr(233, "Error loading "));
247 fputs(ca_dir
, stderr
);
249 fputs(tr(234, " or "), stderr
);
252 fputs(ca_file
, stderr
);
256 if (!ok_blook(ssl_no_default_ca
)) {
257 if (SSL_CTX_set_default_verify_paths(sp
->s_ctx
) != 1)
258 fprintf(stderr
, tr(243,
259 "Error loading default CA locations\n"));
261 verify_error_found
= 0;
263 SSL_CTX_set_verify(sp
->s_ctx
, SSL_VERIFY_PEER
, ssl_verify_cb
);
264 store
= SSL_CTX_get_cert_store(sp
->s_ctx
);
265 load_crls(store
, ok_v_ssl_crl_file
, ok_v_ssl_crl_dir
);
269 ssl_certificate(struct sock
*sp
, const char *uhp
)
272 char *certvar
, *keyvar
, *cert
, *key
, *x
;
275 certvar
= ac_alloc(i
+ 9 + 1);
276 memcpy(certvar
, "ssl-cert-", 9);
277 memcpy(certvar
+ 9, uhp
, i
+ 1);
278 if ((cert
= vok_vlook(certvar
)) != NULL
||
279 (cert
= ok_vlook(ssl_cert
)) != NULL
) {
281 if ((cert
= file_expand(cert
)) == NULL
) {
284 } else if (SSL_CTX_use_certificate_chain_file(sp
->s_ctx
, cert
)
286 keyvar
= ac_alloc(strlen(uhp
) + 9);
287 memcpy(keyvar
, "ssl-key-", 8);
288 memcpy(keyvar
+ 8, uhp
, i
+ 1);
289 if ((key
= vok_vlook(keyvar
)) == NULL
&&
290 (key
= ok_vlook(ssl_key
)) == NULL
)
292 else if ((x
= key
, key
= file_expand(key
)) == NULL
) {
296 if (SSL_CTX_use_PrivateKey_file(sp
->s_ctx
, key
,
297 SSL_FILETYPE_PEM
) != 1)
298 jbkey
: fprintf(stderr
, tr(238,
299 "cannot load private key from file "
303 jbcert
: fprintf(stderr
, tr(239,
304 "cannot load certificate from file %s\n"),
311 ssl_check_host(const char *server
, struct sock
*sp
)
317 STACK_OF(GENERAL_NAME
) *gens
;
319 /*GENERAL_NAMES*/STACK
*gens
;
324 if ((cert
= SSL_get_peer_certificate(sp
->s_ssl
)) == NULL
) {
325 fprintf(stderr
, tr(248, "no certificate from \"%s\"\n"),
329 gens
= X509_get_ext_d2i(cert
, NID_subject_alt_name
, NULL
, NULL
);
331 for (i
= 0; i
< sk_GENERAL_NAME_num(gens
); i
++) {
332 gen
= sk_GENERAL_NAME_value(gens
, i
);
333 if (gen
->type
== GEN_DNS
) {
334 if (options
& OPT_VERBOSE
)
336 "Comparing DNS name: \"%s\"\n",
338 if (rfc2595_hostname_match(server
,
339 (char *)gen
->d
.ia5
->data
)
345 if ((subj
= X509_get_subject_name(cert
)) != NULL
&&
346 X509_NAME_get_text_by_NID(subj
, NID_commonName
,
347 data
, sizeof data
) > 0) {
348 data
[sizeof data
- 1] = 0;
349 if (options
& OPT_VERBOSE
)
350 fprintf(stderr
, "Comparing common name: \"%s\"\n",
352 if (rfc2595_hostname_match(server
, data
) == OKAY
)
357 found
: X509_free(cert
);
362 ssl_open(const char *server
, struct sock
*sp
, const char *uhp
)
368 ssl_set_vrfy_level(uhp
);
370 SSL_CTX_new(UNCONST(ssl_select_method(uhp
))))
372 ssl_gen_err(tr(261, "SSL_CTX_new() failed"));
375 #ifdef SSL_MODE_AUTO_RETRY
376 /* available with OpenSSL 0.9.6 or later */
377 SSL_CTX_set_mode(sp
->s_ctx
, SSL_MODE_AUTO_RETRY
);
378 #endif /* SSL_MODE_AUTO_RETRY */
380 if (!ok_blook(ssl_v2_allow
))
381 opts
|= SSL_OP_NO_SSLv2
;
382 SSL_CTX_set_options(sp
->s_ctx
, opts
);
383 ssl_load_verifications(sp
);
384 ssl_certificate(sp
, uhp
);
385 if ((cp
= ok_vlook(ssl_cipher_list
)) != NULL
) {
386 if (SSL_CTX_set_cipher_list(sp
->s_ctx
, cp
) != 1)
387 fprintf(stderr
, tr(240, "invalid ciphers: %s\n"), cp
);
389 if ((sp
->s_ssl
= SSL_new(sp
->s_ctx
)) == NULL
) {
390 ssl_gen_err(tr(262, "SSL_new() failed"));
393 SSL_set_fd(sp
->s_ssl
, sp
->s_fd
);
394 if (SSL_connect(sp
->s_ssl
) < 0) {
395 ssl_gen_err(tr(263, "could not initiate SSL/TLS connection"));
398 if (ssl_vrfy_level
!= VRFY_IGNORE
) {
399 if (ssl_check_host(server
, sp
) != OKAY
) {
400 fprintf(stderr
, tr(249,
401 "host certificate does not match \"%s\"\n"),
403 if (ssl_vrfy_decide() != OKAY
)
412 ssl_gen_err(const char *fmt
, ...)
417 vfprintf(stderr
, fmt
, ap
);
419 SSL_load_error_strings();
420 fprintf(stderr
, ": %s\n",
421 (ERR_error_string(ERR_get_error(), NULL
)));
425 smime_sign(FILE *ip
, struct header
*headp
)
427 FILE *sp
, *fp
, *bp
, *hp
;
432 STACK_OF(X509
) *chain
= NULL
;
441 if ((addr
= myorigin(headp
)) == NULL
) {
442 fprintf(stderr
, "No \"from\" address for signing specified\n");
445 if ((fp
= smime_sign_cert(addr
, NULL
, 1)) == NULL
)
447 if ((pkey
= PEM_read_PrivateKey(fp
, NULL
, ssl_password_cb
, NULL
))
449 ssl_gen_err("Error reading private key from");
454 if ((cert
= PEM_read_X509(fp
, NULL
, ssl_password_cb
, NULL
)) == NULL
) {
455 ssl_gen_err("Error reading signer certificate from");
461 if ((cp
= smime_sign_include_certs(addr
)) != NULL
&&
462 !smime_sign_include_chain_creat(&chain
, cp
)) {
467 if ((sp
= Ftemp(&cp
, "Rs", "w+", 0600, 1)) == NULL
) {
470 sk_X509_pop_free(chain
, X509_free
);
478 if (smime_split(ip
, &hp
, &bp
, -1, 0) == STOP
) {
481 sk_X509_pop_free(chain
, X509_free
);
486 if ((bb
= BIO_new_fp(bp
, BIO_NOCLOSE
)) == NULL
||
487 (sb
= BIO_new_fp(sp
, BIO_NOCLOSE
)) == NULL
) {
488 ssl_gen_err("Error creating BIO signing objects");
491 sk_X509_pop_free(chain
, X509_free
);
496 if ((pkcs7
= PKCS7_sign(cert
, pkey
, chain
, bb
,
497 PKCS7_DETACHED
)) == NULL
) {
498 ssl_gen_err("Error creating the PKCS#7 signing object");
503 sk_X509_pop_free(chain
, X509_free
);
508 if (PEM_write_bio_PKCS7(sb
, pkcs7
) == 0) {
509 ssl_gen_err("Error writing signed S/MIME data");
514 sk_X509_pop_free(chain
, X509_free
);
522 sk_X509_pop_free(chain
, X509_free
);
528 return smime_sign_assemble(hp
, bp
, sp
);
533 smime_verify(struct message
*m
, int n
, STACK_OF(X509
) *chain
, X509_STORE
*store
)
535 smime_verify(struct message
*m
, int n
, STACK
*chain
, X509_STORE
*store
)
539 char *cp
, *sender
, *to
, *cc
, *cnttype
;
546 STACK_OF(X509
) *certs
;
547 STACK_OF(GENERAL_NAME
) *gens
;
556 verify_error_found
= 0;
558 loop
: sender
= getsender(m
);
559 to
= hfield1("to", m
);
560 cc
= hfield1("cc", m
);
561 cnttype
= hfield1("content-type", m
);
562 if ((ip
= setinput(&mb
, m
, NEED_BODY
)) == NULL
)
564 if (cnttype
&& strncmp(cnttype
, "application/x-pkcs7-mime", 24) == 0) {
565 if ((x
= smime_decrypt(m
, to
, cc
, 1)) == NULL
)
567 if (x
!= (struct message
*)-1) {
573 if ((fp
= Ftemp(&cp
, "Rv", "w+", 0600, 1)) == NULL
) {
585 if ((fb
= BIO_new_fp(fp
, BIO_NOCLOSE
)) == NULL
) {
586 ssl_gen_err("Error creating BIO verification object "
587 "for message %d", n
);
591 if ((pkcs7
= SMIME_read_PKCS7(fb
, &pb
)) == NULL
) {
592 ssl_gen_err("Error reading PKCS#7 object for message %d", n
);
597 if (PKCS7_verify(pkcs7
, chain
, store
, pb
, NULL
, 0) != 1) {
598 ssl_gen_err("Error verifying message %d", n
);
605 if (sender
== NULL
) {
607 "Warning: Message %d has no sender.\n", n
);
610 certs
= PKCS7_get0_signers(pkcs7
, chain
, 0);
612 fprintf(stderr
, "No certificates found in message %d.\n", n
);
615 for (i
= 0; i
< sk_X509_num(certs
); i
++) {
616 cert
= sk_X509_value(certs
, i
);
617 gens
= X509_get_ext_d2i(cert
, NID_subject_alt_name
, NULL
, NULL
);
619 for (j
= 0; j
< sk_GENERAL_NAME_num(gens
); j
++) {
620 gen
= sk_GENERAL_NAME_value(gens
, j
);
621 if (gen
->type
== GEN_EMAIL
) {
622 if (options
& OPT_VERBOSE
)
627 if (!asccasecmp((char *)
634 if ((subj
= X509_get_subject_name(cert
)) != NULL
&&
635 X509_NAME_get_text_by_NID(subj
,
636 NID_pkcs9_emailAddress
,
637 data
, sizeof data
) > 0) {
638 data
[sizeof data
- 1] = 0;
639 if (options
& OPT_VERBOSE
)
640 fprintf(stderr
, "Comparing address: \"%s\"\n",
642 if (asccasecmp(data
, sender
) == 0)
646 fprintf(stderr
, "Message %d: certificate does not match <%s>\n",
649 found
: if (verify_error_found
== 0)
650 printf("Message %d was verified successfully.\n", n
);
651 return verify_error_found
;
657 int *msgvec
= vp
, *ip
;
660 STACK_OF(X509
) *chain
= NULL
;
665 char *ca_dir
, *ca_file
;
668 ssl_vrfy_level
= VRFY_STRICT
;
669 if ((store
= X509_STORE_new()) == NULL
) {
670 ssl_gen_err("Error creating X509 store");
673 X509_STORE_set_verify_cb_func(store
, ssl_verify_cb
);
674 if ((ca_dir
= ok_vlook(smime_ca_dir
)) != NULL
)
675 ca_dir
= file_expand(ca_dir
);
676 if ((ca_file
= ok_vlook(smime_ca_file
)) != NULL
)
677 ca_file
= file_expand(ca_file
);
678 if (ca_dir
!= NULL
|| ca_file
!= NULL
) {
679 if (X509_STORE_load_locations(store
, ca_file
, ca_dir
) != 1) {
680 ssl_gen_err("Error loading %s",
681 ca_file
? ca_file
: ca_dir
);
685 if (!ok_blook(smime_no_default_ca
)) {
686 if (X509_STORE_set_default_paths(store
) != 1) {
687 ssl_gen_err("Error loading default CA locations");
691 if (load_crls(store
, ok_v_smime_crl_file
, ok_v_smime_crl_dir
) != OKAY
)
693 for (ip
= msgvec
; *ip
; ip
++) {
694 setdot(&message
[*ip
-1]);
695 ec
|= smime_verify(&message
[*ip
-1], *ip
, chain
, store
);
701 smime_cipher(const char *name
)
703 const EVP_CIPHER
*cipher
;
707 vn
= ac_alloc(vs
= strlen(name
) + 30);
708 snprintf(vn
, vs
, "smime-cipher-%s", name
);
709 if ((cp
= vok_vlook(vn
)) != NULL
) {
710 if (strcmp(cp
, "rc2-40") == 0)
711 cipher
= EVP_rc2_40_cbc();
712 else if (strcmp(cp
, "rc2-64") == 0)
713 cipher
= EVP_rc2_64_cbc();
714 else if (strcmp(cp
, "des") == 0)
715 cipher
= EVP_des_cbc();
716 else if (strcmp(cp
, "des-ede3") == 0)
717 cipher
= EVP_des_ede3_cbc();
719 fprintf(stderr
, "Invalid cipher \"%s\".\n", cp
);
723 cipher
= EVP_des_ede3_cbc();
725 return UNCONST(cipher
);
729 smime_encrypt(FILE *ip
, const char *xcertfile
, const char *to
)
731 char *certfile
= UNCONST(xcertfile
), *cp
;
732 FILE *yp
, *fp
, *bp
, *hp
;
737 STACK_OF(X509
) *certs
;
743 if ((certfile
= file_expand(certfile
)) == NULL
)
747 if ((cipher
= smime_cipher(to
)) == NULL
)
749 if ((fp
= Fopen(certfile
, "r")) == NULL
) {
753 if ((cert
= PEM_read_X509(fp
, NULL
, ssl_password_cb
, NULL
)) == NULL
) {
754 ssl_gen_err("Error reading encryption certificate from \"%s\"",
760 certs
= sk_X509_new_null();
761 sk_X509_push(certs
, cert
);
762 if ((yp
= Ftemp(&cp
, "Ry", "w+", 0600, 1)) == NULL
) {
769 if (smime_split(ip
, &hp
, &bp
, -1, 0) == STOP
) {
773 if ((bb
= BIO_new_fp(bp
, BIO_NOCLOSE
)) == NULL
||
774 (yb
= BIO_new_fp(yp
, BIO_NOCLOSE
)) == NULL
) {
775 ssl_gen_err("Error creating BIO encryption objects");
779 if ((pkcs7
= PKCS7_encrypt(certs
, bb
, cipher
, 0)) == NULL
) {
780 ssl_gen_err("Error creating the PKCS#7 encryption object");
786 if (PEM_write_bio_PKCS7(yb
, pkcs7
) == 0) {
787 ssl_gen_err("Error writing encrypted S/MIME data");
798 return smime_encrypt_assemble(hp
, yp
);
802 smime_decrypt(struct message
*m
, const char *to
, const char *cc
, int signcall
)
804 FILE *fp
, *bp
, *hp
, *op
;
808 EVP_PKEY
*pkey
= NULL
;
810 long size
= m
->m_size
;
813 if ((yp
= setinput(&mb
, m
, NEED_BODY
)) == NULL
)
816 if ((fp
= smime_sign_cert(to
, cc
, 0)) != NULL
) {
817 if ((pkey
= PEM_read_PrivateKey(fp
, NULL
, ssl_password_cb
,
819 ssl_gen_err("Error reading private key");
824 if ((cert
= PEM_read_X509(fp
, NULL
, ssl_password_cb
,
826 ssl_gen_err("Error reading decryption certificate");
833 if ((op
= Ftemp(&cp
, "Rp", "w+", 0600, 1)) == NULL
) {
843 if (smime_split(yp
, &hp
, &bp
, size
, 1) == STOP
) {
851 if ((ob
= BIO_new_fp(op
, BIO_NOCLOSE
)) == NULL
||
852 (bb
= BIO_new_fp(bp
, BIO_NOCLOSE
)) == NULL
) {
853 ssl_gen_err("Error creating BIO decryption objects");
861 if ((pkcs7
= SMIME_read_PKCS7(bb
, &pb
)) == NULL
) {
862 ssl_gen_err("Error reading PKCS#7 object");
870 if (PKCS7_type_is_signed(pkcs7
)) {
881 setinput(&mb
, m
, NEED_BODY
);
882 return (struct message
*)-1;
884 if (PKCS7_verify(pkcs7
, NULL
, NULL
, NULL
, ob
,
885 PKCS7_NOVERIFY
|PKCS7_NOSIGS
) != 1)
887 fseek(hp
, 0L, SEEK_END
);
888 fprintf(hp
, "X-Encryption-Cipher: none\n");
891 } else if (pkey
== NULL
) {
892 fprintf(stderr
, "No appropriate private key found.\n");
894 } else if (cert
== NULL
) {
895 fprintf(stderr
, "No appropriate certificate found.\n");
897 } else if (PKCS7_decrypt(pkcs7
, pkey
, cert
, ob
, 0) != 1) {
898 err
: ssl_gen_err("Error decrypting PKCS#7 object");
919 return smime_decrypt_assemble(m
, hp
, op
);
924 ssl_password_cb(char *buf
, int size
, int rwflag
, void *userdata
)
926 sighandler_type
volatile saveint
;
932 saveint
= safe_signal(SIGINT
, SIG_IGN
);
933 if (sigsetjmp(ssljmp
, 1) == 0) {
934 if (saveint
!= SIG_IGN
)
935 safe_signal(SIGINT
, sslcatch
);
936 pass
= getpassword("PEM pass phrase:");
938 safe_signal(SIGINT
, saveint
);
942 if (UICMP(z
, len
, >, size
))
944 memcpy(buf
, pass
, len
);
949 smime_sign_cert(const char *xname
, const char *xname2
, bool_t dowarn
)
955 const char *name
= xname
, *name2
= xname2
;
958 np
= lextract(name
, GTO
|GSKIN
);
961 * This needs to be more intelligent since it will
962 * currently take the first name for which a private
963 * key is available regardless of whether it is the
964 * right one for the message.
966 vn
= ac_alloc(vs
= strlen(np
->n_name
) + 30);
967 snprintf(vn
, vs
, "smime-sign-cert-%s", np
->n_name
);
980 if ((cp
= ok_vlook(smime_sign_cert
)) != NULL
)
983 fprintf(stderr
, "Could not find a certificate for %s", xname
);
985 fprintf(stderr
, "or %s", xname2
);
990 if ((cp
= file_expand(cp
)) == NULL
)
992 if ((fp
= Fopen(cp
, "r")) == NULL
) {
1000 smime_sign_include_certs(char const *name
)
1003 /* See comments in smime_sign_cert() for algorithm pitfalls */
1005 struct name
*np
= lextract(name
, GTO
|GSKIN
);
1008 char *vn
= ac_alloc(vs
= strlen(np
->n_name
) + 30);
1009 snprintf(vn
, vs
, "smime-sign-include-certs-%s",
1011 ret
= vok_vlook(vn
);
1018 return ok_vlook(smime_sign_include_certs
);
1022 smime_sign_include_chain_creat(
1023 #ifdef HAVE_STACK_OF
1024 STACK_OF(X509
) **chain
,
1030 *chain
= sk_X509_new_null();
1035 char *x
, *ncf
= strchr(cfiles
, ',');
1038 /* This fails for '=,file' constructs, but those are sick */
1042 if ((x
= file_expand(cfiles
)) == NULL
||
1043 (fp
= Fopen(cfiles
= x
, "r")) == NULL
) {
1047 if ((tmp
= PEM_read_X509(fp
, NULL
, ssl_password_cb
, NULL
)
1049 ssl_gen_err("Error reading certificate from \"%s\"",
1054 sk_X509_push(*chain
, tmp
);
1062 if (sk_X509_num(*chain
) == 0) {
1063 fprintf(stderr
, "smime-sign-include-certs defined but empty\n");
1067 jleave
: return (*chain
!= NULL
);
1069 jerr
: sk_X509_pop_free(*chain
, X509_free
);
1075 smime_certsave(struct message
*m
, int n
, FILE *op
)
1078 char *cp
, *to
, *cc
, *cnttype
;
1084 #ifdef HAVE_STACK_OF
1085 STACK_OF(X509
) *certs
;
1086 STACK_OF(X509
) *chain
= NULL
;
1089 STACK
*chain
= NULL
;
1092 enum okay ok
= OKAY
;
1095 loop
: to
= hfield1("to", m
);
1096 cc
= hfield1("cc", m
);
1097 cnttype
= hfield1("content-type", m
);
1098 if ((ip
= setinput(&mb
, m
, NEED_BODY
)) == NULL
)
1100 if (cnttype
&& strncmp(cnttype
, "application/x-pkcs7-mime", 24) == 0) {
1101 if ((x
= smime_decrypt(m
, to
, cc
, 1)) == NULL
)
1103 if (x
!= (struct message
*)-1) {
1109 if ((fp
= Ftemp(&cp
, "Rv", "w+", 0600, 1)) == NULL
) {
1115 while (size
-- > 0) {
1121 if ((fb
= BIO_new_fp(fp
, BIO_NOCLOSE
)) == NULL
) {
1122 ssl_gen_err("Error creating BIO object for message %d", n
);
1126 if ((pkcs7
= SMIME_read_PKCS7(fb
, &pb
)) == NULL
) {
1127 ssl_gen_err("Error reading PKCS#7 object for message %d", n
);
1134 certs
= PKCS7_get0_signers(pkcs7
, chain
, 0);
1135 if (certs
== NULL
) {
1136 fprintf(stderr
, "No certificates found in message %d.\n", n
);
1139 for (i
= 0; i
< sk_X509_num(certs
); i
++) {
1140 cert
= sk_X509_value(certs
, i
);
1141 if (X509_print_fp(op
, cert
) == 0 ||
1142 PEM_write_X509(op
, cert
) == 0) {
1143 ssl_gen_err("Error writing certificate %d from "
1144 "message %d", i
, n
);
1151 #if defined (X509_V_FLAG_CRL_CHECK) && defined (X509_V_FLAG_CRL_CHECK_ALL)
1153 load_crl1(X509_STORE
*store
, const char *name
)
1155 X509_LOOKUP
*lookup
;
1157 if (options
& OPT_VERBOSE
)
1158 printf("Loading CRL from \"%s\".\n", name
);
1159 if ((lookup
= X509_STORE_add_lookup(store
,
1160 X509_LOOKUP_file())) == NULL
) {
1161 ssl_gen_err("Error creating X509 lookup object");
1164 if (X509_load_crl_file(lookup
, name
, X509_FILETYPE_PEM
) != 1) {
1165 ssl_gen_err("Error loading CRL from \"%s\"", name
);
1170 #endif /* new OpenSSL */
1173 load_crls(X509_STORE
*store
, enum okeys fok
, enum okeys dok
)
1175 char *crl_file
, *crl_dir
;
1176 #if defined (X509_V_FLAG_CRL_CHECK) && defined (X509_V_FLAG_CRL_CHECK_ALL)
1181 #endif /* new OpenSSL */
1183 if ((crl_file
= _var_oklook(fok
)) != NULL
) {
1184 #if defined (X509_V_FLAG_CRL_CHECK) && defined (X509_V_FLAG_CRL_CHECK_ALL)
1185 if ((crl_file
= file_expand(crl_file
)) == NULL
||
1186 load_crl1(store
, crl_file
) != OKAY
)
1188 #else /* old OpenSSL */
1190 "This OpenSSL version is too old to use CRLs.\n");
1192 #endif /* old OpenSSL */
1194 if ((crl_dir
= _var_oklook(dok
)) != NULL
) {
1195 #if defined (X509_V_FLAG_CRL_CHECK) && defined (X509_V_FLAG_CRL_CHECK_ALL)
1197 if ((x
= file_expand(crl_dir
)) == NULL
||
1198 (dirp
= opendir(crl_dir
= x
)) == NULL
) {
1202 ds
= strlen(crl_dir
);
1203 fn
= smalloc(fs
= ds
+ 20);
1204 memcpy(fn
, crl_dir
, ds
);
1206 while ((dp
= readdir(dirp
)) != NULL
) {
1207 if (dp
->d_name
[0] == '.' &&
1208 (dp
->d_name
[1] == '\0' ||
1209 (dp
->d_name
[1] == '.' &&
1210 dp
->d_name
[2] == '\0')))
1212 if (dp
->d_name
[0] == '.')
1214 if (ds
+ (es
= strlen(dp
->d_name
)) + 2 < fs
)
1215 fn
= srealloc(fn
, fs
= ds
+ es
+ 20);
1216 memcpy(fn
+ ds
+ 1, dp
->d_name
, es
+ 1);
1217 if (load_crl1(store
, fn
) != OKAY
) {
1225 #else /* old OpenSSL */
1227 "This OpenSSL version is too old to use CRLs.\n");
1229 #endif /* old OpenSSL */
1231 #if defined (X509_V_FLAG_CRL_CHECK) && defined (X509_V_FLAG_CRL_CHECK_ALL)
1232 if (crl_file
|| crl_dir
)
1233 X509_STORE_set_flags(store
, X509_V_FLAG_CRL_CHECK
|
1234 X509_V_FLAG_CRL_CHECK_ALL
);
1235 #endif /* old OpenSSL */
1238 #endif /* HAVE_OPENSSL */