ph10 2005/03/29 15:53:09 BST
Modified files:
exim-doc/doc-txt ChangeLog
exim-src ACKNOWLEDGMENTS
exim-src/src tls-openssl.c
Log:
Installed Lars Mainka's patch for OpenSSL support of CRL collections.
Revision Changes Path
1.104 +3 -0 exim/exim-doc/doc-txt/ChangeLog
1.18 +1 -0 exim/exim-src/ACKNOWLEDGMENTS
1.4 +35 -18 exim/exim-src/src/tls-openssl.c
Index: ChangeLog
===================================================================
RCS file: /home/cvs/exim/exim-doc/doc-txt/ChangeLog,v
retrieving revision 1.103
retrieving revision 1.104
diff -u -r1.103 -r1.104
--- ChangeLog 29 Mar 2005 14:19:21 -0000 1.103
+++ ChangeLog 29 Mar 2005 14:53:09 -0000 1.104
@@ -1,4 +1,4 @@
-$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.103 2005/03/29 14:19:21 ph10 Exp $
+$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.104 2005/03/29 14:53:09 ph10 Exp $
Change log file for Exim from version 4.21
-------------------------------------------
@@ -95,6 +95,9 @@
value for RADIUS_LIB_TYPE, namely "RADIUSCLIENTNEW" to request the new
API. The code is untested by me (my Linux distribution still has 0.3.2 of
radiusclient), but it was contributed by a Radius user.
+
+PH/18 Installed Lars Mainka's patch for the support of CRL collections in
+ files or directories, for OpenSSL.
A note about Exim versions 4.44 and 4.50
Index: ACKNOWLEDGMENTS
===================================================================
RCS file: /home/cvs/exim/exim-src/ACKNOWLEDGMENTS,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- ACKNOWLEDGMENTS 29 Mar 2005 14:19:21 -0000 1.17
+++ ACKNOWLEDGMENTS 29 Mar 2005 14:53:09 -0000 1.18
@@ -1,4 +1,4 @@
-$Cambridge: exim/exim-src/ACKNOWLEDGMENTS,v 1.17 2005/03/29 14:19:21 ph10 Exp $
+$Cambridge: exim/exim-src/ACKNOWLEDGMENTS,v 1.18 2005/03/29 14:53:09 ph10 Exp $
EXIM ACKNOWLEDGEMENTS
@@ -163,6 +163,7 @@
Chris Lightfoot Patch for -restore-times in exim_lock
Edgar Lovecraft Patch for ${str2b64:
Torsten Luettgert Suggested patch for proper integer overflow detection
+Lars Mainka Patch for OpenSSL crl collections
David Madole Patch for SPA forced expansion failure bug
Lionel Elie Mamane Patch for IPv4/IPv6 listen() problem on USAGI Linux
Patch for recognizing IPv6 "scoped addresses"
Index: tls-openssl.c
===================================================================
RCS file: /home/cvs/exim/exim-src/src/tls-openssl.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- tls-openssl.c 4 Jan 2005 10:00:42 -0000 1.3
+++ tls-openssl.c 29 Mar 2005 14:53:09 -0000 1.4
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/exim-src/src/tls-openssl.c,v 1.3 2005/01/04 10:00:42 ph10 Exp $ */
+/* $Cambridge: exim/exim-src/src/tls-openssl.c,v 1.4 2005/03/29 14:53:09 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -526,34 +526,51 @@
#if OPENSSL_VERSION_NUMBER > 0x00907000L
+ /* This bit of code is now the version supplied by Lars Mainka. (I have
+ * merely reformatted it into the Exim code style.)
+
+ * "From here I changed the code to add support for multiple crl's
+ * in pem format in one file or to support hashed directory entries in
+ * pem format instead of a file. This method now uses the library function
+ * X509_STORE_load_locations to add the CRL location to the SSL context.
+ * OpenSSL will then handle the verify against CA certs and CRLs by
+ * itself in the verify callback." */
+
if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
if (expcrl != NULL && *expcrl != 0)
{
- BIO *crl_bio;
- X509_CRL *crl_x509;
- X509_STORE *cvstore;
-
- cvstore = SSL_CTX_get_cert_store(ctx); /* cert validation store */
-
- crl_bio = BIO_new(BIO_s_file_internal());
- if (crl_bio != NULL)
+ struct stat statbufcrl;
+ if (Ustat(expcrl, &statbufcrl) < 0)
+ {
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "failed to stat %s for certificates revocation lists", expcrl);
+ return DEFER;
+ }
+ else
{
- if (BIO_read_filename(crl_bio, expcrl))
+ /* is it a file or directory? */
+ uschar *file, *dir;
+ X509_STORE *cvstore = SSL_CTX_get_cert_store(ctx);
+ if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
{
- crl_x509 = PEM_read_bio_X509_CRL(crl_bio, NULL, NULL, NULL);
- BIO_free(crl_bio);
- X509_STORE_add_crl(cvstore, crl_x509);
- X509_CRL_free(crl_x509);
- X509_STORE_set_flags(cvstore,
- X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+ file = NULL;
+ dir = expcrl;
+ DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
}
else
{
- BIO_free(crl_bio);
- return tls_error(US"BIO_read_filename", host);
+ file = expcrl;
+ dir = NULL;
+ DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
}
+ if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
+ return tls_error(US"X509_STORE_load_locations", host);
+
+ /* setting the flags to check against the complete crl chain */
+
+ X509_STORE_set_flags(cvstore,
+ X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
}
- else return tls_error(US"BIO_new", host);
}
#endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
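Review bot: The file form of `X509_STORE_load_locations(cvstore, CS file, CS dir)` loads every PEM object in the file into the verify store, not just CRLs, so a CA certificate an operator has concatenated alongside the CRLs would become a trust anchor regardless of tls_verify_certificates — that is my recollection of X509_LOOKUP_load_file and should be confirmed and, if true, stated in the comment above the call. The directory form is only usable when the directory is in OpenSSL's hashed layout, and CRLs there are fetched lazily at verify time, so a mis-populated directory passes this setup code and only surfaces as per-connection verify failures; I would document that on the directory branch with `/* dir must be in c_rehash form (<hash>.rN); CRLs are looked up lazily at verify time */`. The stat-failure path reports via `log_write(0, LOG_MAIN|LOG_PANIC, ...)` while the load failure a few lines later goes through `tls_error(US"X509_STORE_load_locations", host)`; both failures leave the CRL unconfigured and should be reported the same way, and the message should read "certificate revocation lists". The enclosing function starts before and continues after this hunk.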