[exim-cvs] cvs commit: exim/exim-doc/doc-txt ChangeLog exim/…

Author: Philip Hazel
Date:  
To: exim-cvs
Subject: [exim-cvs] cvs commit: exim/exim-doc/doc-txt ChangeLog exim/exim-src ACKNOWLEDGMENTS exim/exim-src/src tls-openssl.c
ph10 2005/03/29 15:53:09 BST

  Modified files:
    exim-doc/doc-txt     ChangeLog 
    exim-src             ACKNOWLEDGMENTS 
    exim-src/src         tls-openssl.c 
  Log:
  Installed Lars Mainka's patch for OpenSSL support of CRL collections.


  Revision  Changes    Path
  1.104     +3 -0      exim/exim-doc/doc-txt/ChangeLog
  1.18      +1 -0      exim/exim-src/ACKNOWLEDGMENTS
  1.4       +35 -18    exim/exim-src/src/tls-openssl.c


  Index: ChangeLog
  ===================================================================
  RCS file: /home/cvs/exim/exim-doc/doc-txt/ChangeLog,v
  retrieving revision 1.103
  retrieving revision 1.104
  diff -u -r1.103 -r1.104
  --- ChangeLog    29 Mar 2005 14:19:21 -0000    1.103
  +++ ChangeLog    29 Mar 2005 14:53:09 -0000    1.104
  @@ -1,4 +1,4 @@
  -$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.103 2005/03/29 14:19:21 ph10 Exp $
  +$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.104 2005/03/29 14:53:09 ph10 Exp $


   Change log file for Exim from version 4.21
   -------------------------------------------
  @@ -95,6 +95,9 @@
         value for RADIUS_LIB_TYPE, namely "RADIUSCLIENTNEW" to request the new
         API. The code is untested by me (my Linux distribution still has 0.3.2 of
         radiusclient), but it was contributed by a Radius user.
  +
  +PH/18 Installed Lars Mainka's patch for the support of CRL collections in
  +      files or directories, for OpenSSL.



A note about Exim versions 4.44 and 4.50

  Index: ACKNOWLEDGMENTS
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/ACKNOWLEDGMENTS,v
  retrieving revision 1.17
  retrieving revision 1.18
  diff -u -r1.17 -r1.18
  --- ACKNOWLEDGMENTS    29 Mar 2005 14:19:21 -0000    1.17
  +++ ACKNOWLEDGMENTS    29 Mar 2005 14:53:09 -0000    1.18
  @@ -1,4 +1,4 @@
  -$Cambridge: exim/exim-src/ACKNOWLEDGMENTS,v 1.17 2005/03/29 14:19:21 ph10 Exp $
  +$Cambridge: exim/exim-src/ACKNOWLEDGMENTS,v 1.18 2005/03/29 14:53:09 ph10 Exp $


EXIM ACKNOWLEDGEMENTS

  @@ -163,6 +163,7 @@
   Chris Lightfoot           Patch for -restore-times in exim_lock
   Edgar Lovecraft           Patch for ${str2b64:
   Torsten Luettgert         Suggested patch for proper integer overflow detection
  +Lars Mainka               Patch for OpenSSL crl collections
   David Madole              Patch for SPA forced expansion failure bug
   Lionel Elie Mamane        Patch for IPv4/IPv6 listen() problem on USAGI Linux
                             Patch for recognizing IPv6 "scoped addresses"


  Index: tls-openssl.c
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/tls-openssl.c,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- tls-openssl.c    4 Jan 2005 10:00:42 -0000    1.3
  +++ tls-openssl.c    29 Mar 2005 14:53:09 -0000    1.4
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/tls-openssl.c,v 1.3 2005/01/04 10:00:42 ph10 Exp $ */
  +/* $Cambridge: exim/exim-src/src/tls-openssl.c,v 1.4 2005/03/29 14:53:09 ph10 Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -526,34 +526,51 @@


     #if OPENSSL_VERSION_NUMBER > 0x00907000L


  +  /* This bit of code is now the version supplied by Lars Mainka. (I have
  +   * merely reformatted it into the Exim code style.)
  +
  +   * "From here I changed the code to add support for multiple crl's
  +   * in pem format in one file or to support hashed directory entries in
  +   * pem format instead of a file. This method now uses the library function
  +   * X509_STORE_load_locations to add the CRL location to the SSL context.
  +   * OpenSSL will then handle the verify against CA certs and CRLs by
  +   * itself in the verify callback." */
  +
     if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
     if (expcrl != NULL && *expcrl != 0)
       {
  -    BIO *crl_bio;
  -    X509_CRL *crl_x509;
  -    X509_STORE *cvstore;
  -
  -    cvstore = SSL_CTX_get_cert_store(ctx);  /* cert validation store */
  -
  -    crl_bio = BIO_new(BIO_s_file_internal());
  -    if (crl_bio != NULL)
  +    struct stat statbufcrl;
  +    if (Ustat(expcrl, &statbufcrl) < 0)
  +      {
  +      log_write(0, LOG_MAIN|LOG_PANIC,
  +        "failed to stat %s for certificates revocation lists", expcrl);
  +      return DEFER;
  +      }
  +    else
         {
  -      if (BIO_read_filename(crl_bio, expcrl))
  +      /* is it a file or directory? */
  +      uschar *file, *dir;
  +      X509_STORE *cvstore = SSL_CTX_get_cert_store(ctx);
  +      if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
           {
  -        crl_x509 = PEM_read_bio_X509_CRL(crl_bio, NULL, NULL, NULL);
  -        BIO_free(crl_bio);
  -        X509_STORE_add_crl(cvstore, crl_x509);
  -        X509_CRL_free(crl_x509);
  -        X509_STORE_set_flags(cvstore,
  -          X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
  +        file = NULL;
  +        dir = expcrl;
  +        DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
           }
         else
           {
  -        BIO_free(crl_bio);
  -        return tls_error(US"BIO_read_filename", host);
  +        file = expcrl;
  +        dir = NULL;
  +        DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
           }
  +      if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
  +        return tls_error(US"X509_STORE_load_locations", host);
  +
  +      /* setting the flags to check against the complete crl chain */
  +
  +      X509_STORE_set_flags(cvstore,
  +        X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
         }
  -    else return tls_error(US"BIO_new", host);
       }


     #endif  /* OPENSSL_VERSION_NUMBER > 0x00907000L */
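Review bot: The stat failure branch at `log_write(0, LOG_MAIN|LOG_PANIC, "failed to stat %s ...")` drops errno, so the log cannot tell a missing CRL file from a permission problem on it; I would log `"failed to stat %s for certificate revocation lists: %s", expcrl, strerror(errno)` (errno.h/string.h are presumably already in scope via the Exim headers) and write the type test as `S_ISDIR(statbufcrl.st_mode)` rather than masking with `S_IFMT`. The `else` after `return DEFER` is redundant and dropping it would flatten the block by one level. For the directory case, `X509_STORE_load_locations(cvstore, NULL, dir)` only registers a hashed-directory lookup and does not read the directory, so a directory of plainly named .pem files is accepted here and, with X509_V_FLAG_CRL_CHECK set, would presumably make every later peer verification fail with "unable to get certificate CRL" instead of failing at configuration time; a comment such as `/* directory form requires OpenSSL hashed names (<hash>.r0, as produced by c_rehash) */` next to the directory branch would save operators that debugging. The enclosing function begins before this hunk.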