1
/* $Cambridge: exim/exim-src/src/tls-openssl.c,v 1.5 2005/05/03 14:20:01 ph10 Exp $ */
1
3
/*************************************************
2
4
* Exim - an Internet mail transport agent *
3
5
*************************************************/
5
/* Copyright (c) University of Cambridge 1995 - 2004 */
7
/* Copyright (c) University of Cambridge 1995 - 2005 */
6
8
/* See the file NOTICE for conditions of use and distribution. */
8
10
/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
380
379
DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
381
380
if (!SSL_CTX_use_certificate_chain_file(ctx, CS expanded))
382
return tls_error(US"SSL_CTX_use_certificate_chain_file", host);
381
return tls_error(string_sprintf(
382
"SSL_CTX_use_certificate_chain_file file=%s", expanded), host);
385
385
if (privatekey != NULL &&
391
391
DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
392
392
if (!SSL_CTX_use_PrivateKey_file(ctx, CS expanded, SSL_FILETYPE_PEM))
393
return tls_error(US"SSL_CTX_use_PrivateKey_file", host);
393
return tls_error(string_sprintf(
394
"SSL_CTX_use_PrivateKey_file file=%s", expanded), host);
523
524
#if OPENSSL_VERSION_NUMBER > 0x00907000L
526
/* This bit of code is now the version supplied by Lars Mainka. (I have
527
* merely reformatted it into the Exim code style.)
529
* "From here I changed the code to add support for multiple crl's
530
* in pem format in one file or to support hashed directory entries in
531
* pem format instead of a file. This method now uses the library function
532
* X509_STORE_load_locations to add the CRL location to the SSL context.
533
* OpenSSL will then handle the verify against CA certs and CRLs by
534
* itself in the verify callback." */
525
536
if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
526
537
if (expcrl != NULL && *expcrl != 0)
532
cvstore = SSL_CTX_get_cert_store(ctx); /* cert validation store */
534
crl_bio = BIO_new(BIO_s_file_internal());
537
if (BIO_read_filename(crl_bio, expcrl))
539
struct stat statbufcrl;
540
if (Ustat(expcrl, &statbufcrl) < 0)
542
log_write(0, LOG_MAIN|LOG_PANIC,
543
"failed to stat %s for certificates revocation lists", expcrl);
548
/* is it a file or directory? */
550
X509_STORE *cvstore = SSL_CTX_get_cert_store(ctx);
551
if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
539
crl_x509 = PEM_read_bio_X509_CRL(crl_bio, NULL, NULL, NULL);
541
X509_STORE_add_crl(cvstore, crl_x509);
542
X509_CRL_free(crl_x509);
543
X509_STORE_set_flags(cvstore,
544
X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
555
DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
549
return tls_error(US"BIO_read_filename", host);
561
DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
563
if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
564
return tls_error(US"X509_STORE_load_locations", host);
566
/* setting the flags to check against the complete crl chain */
568
X509_STORE_set_flags(cvstore,
569
X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
552
else return tls_error(US"BIO_new", host);
555
573
#endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
902
920
DEBUG(D_tls) debug_printf("Calling SSL_read(%lx, %lx, %u)\n", (long)ssl,
921
(long)buff, (unsigned int)len);
905
923
inbytes = SSL_read(ssl, CS buff, len);
906
924
error = SSL_get_error(ssl, inbytes);
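Review bot: In the CRL hunk, the new `X509_STORE_load_locations(cvstore, CS file, CS dir)` call is, as far as I know of OpenSSL's file and hashed-directory lookups, not CRL-specific: it also loads any certificates found at that path into the same store used to verify peers, so whatever tls_crl names can supply trust anchors as well as revocation data. I would record that next to the call, e.g. `/* NB: load_locations also picks up certificates found here; tls_crl must name CRL-only, admin-controlled files */`. The file-or-directory test checks only `S_IFDIR`, so from the visible lines anything that is not a directory appears to be passed on as a file; an explicit `S_ISREG` check with its own log line would make a misconfigured path fail more clearly. The stat-failure handling and the assignments to `file` and `dir` are not visible on the page, so this rests on the lines shown.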