Lines 59-65
59 |
static SSLSTREAM *ssl_start(TCPSTREAM *tstream,char *host,unsigned long flags); |
59 |
static SSLSTREAM *ssl_start(TCPSTREAM *tstream,char *host,unsigned long flags); |
60 |
static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags); |
60 |
static char *ssl_start_work (SSLSTREAM *stream,char *host,unsigned long flags); |
61 |
static int ssl_open_verify (int ok,X509_STORE_CTX *ctx); |
61 |
static int ssl_open_verify (int ok,X509_STORE_CTX *ctx); |
62 |
static char *ssl_validate_cert (X509 *cert,char *host); |
62 |
static char *ssl_validate_cert (X509 *cert,char *host, char *cert_subj); |
63 |
static long ssl_compare_hostnames (unsigned char *s,unsigned char *pat); |
63 |
static long ssl_compare_hostnames (unsigned char *s,unsigned char *pat); |
64 |
static char *ssl_getline_work (SSLSTREAM *stream,unsigned long *size, |
64 |
static char *ssl_getline_work (SSLSTREAM *stream,unsigned long *size, |
65 |
long *contd); |
65 |
long *contd); |
Lines 210-215
210 |
BIO *bio; |
210 |
BIO *bio; |
211 |
X509 *cert; |
211 |
X509 *cert; |
212 |
unsigned long sl,tl; |
212 |
unsigned long sl,tl; |
|
|
213 |
char cert_subj[250]; |
213 |
char *s,*t,*err,tmp[MAILTMPLEN]; |
214 |
char *s,*t,*err,tmp[MAILTMPLEN]; |
214 |
sslcertificatequery_t scq = |
215 |
sslcertificatequery_t scq = |
215 |
(sslcertificatequery_t) mail_parameters (NIL,GET_SSLCERTIFICATEQUERY,NIL); |
216 |
(sslcertificatequery_t) mail_parameters (NIL,GET_SSLCERTIFICATEQUERY,NIL); |
Lines 266-278
266 |
if (SSL_write (stream->con,"",0) < 0) |
267 |
if (SSL_write (stream->con,"",0) < 0) |
267 |
return ssl_last_error ? ssl_last_error : "SSL negotiation failed"; |
268 |
return ssl_last_error ? ssl_last_error : "SSL negotiation failed"; |
268 |
/* need to validate host names? */ |
269 |
/* need to validate host names? */ |
269 |
if (!(flags & NET_NOVALIDATECERT) && |
270 |
if (!(flags & NET_NOVALIDATECERT)) { |
270 |
(err = ssl_validate_cert (cert = SSL_get_peer_certificate (stream->con), |
271 |
cert_subj[0] = '\0'; |
271 |
host))) { |
272 |
cert = SSL_get_peer_certificate(stream->con); |
272 |
/* application callback */ |
273 |
if (cert) |
273 |
if (scq) return (*scq) (err,host,cert ? cert->name : "???") ? NIL : ""; |
274 |
X509_NAME_oneline(X509_get_subject_name(cert), cert_subj, sizeof(cert_subj)); |
274 |
/* error message to return via mm_log() */ |
275 |
err = ssl_validate_cert (cert, host, cert_subj); |
275 |
sprintf (tmp,"*%.128s: %.255s",err,cert ? cert->name : "???"); |
276 |
if (err) |
|
|
277 |
/* application callback */ |
278 |
if (scq) return (*scq) (err,host,cert ? cert_subj : "???") ? NIL : ""; |
279 |
/* error message to return via mm_log() */ |
280 |
sprintf (tmp,"*%.128s: %.255s",err,cert ? cert_subj : "???"); |
276 |
return ssl_last_error = cpystr (tmp); |
281 |
return ssl_last_error = cpystr (tmp); |
277 |
} |
282 |
} |
278 |
return NIL; |
283 |
return NIL; |
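Review bot: The subject written into `cert_subj` at new line 274 is silently truncated whenever it is longer than the 250-byte buffer, and ssl_validate_cert then hand-parses `"/CN="` out of that partial string (new lines 332-333), so an over-long subject presumably surfaces as a missing or mismatched CN rather than as a truncation, and the message built at line 280 prints whatever is left in the buffer with no hint of why. Since the patch exists because `cert->name` is gone, the target OpenSSL has opaque X509 structs and therefore also has `X509_check_host()` (added in 1.0.2), which would replace the oneline string parse and the in-place `*t = '\0'` edit of the caller's buffer; worth considering instead of reproducing the old parsing over a local copy. Separately, the `cert` obtained from `SSL_get_peer_certificate` at line 272 holds a reference that is never released on the returns at 278, 281 or 283; this predates the change, but an `X509_free (cert);` on each of those paths belongs in a rewrite of this block. ssl_start_work begins outside this hunk.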
Lines 313-319
313 |
* Returns: NIL if validated, else string of error message |
318 |
* Returns: NIL if validated, else string of error message |
314 |
*/ |
319 |
*/ |
315 |
|
320 |
|
316 |
static char *ssl_validate_cert (X509 *cert,char *host) |
321 |
static char *ssl_validate_cert (X509 *cert,char *host, char *cert_subj) |
317 |
{ |
322 |
{ |
318 |
int i,n; |
323 |
int i,n; |
319 |
char *s,*t,*ret; |
324 |
char *s,*t,*ret; |
Lines 322-330
322 |
/* make sure have a certificate */ |
327 |
/* make sure have a certificate */ |
323 |
if (!cert) ret = "No certificate from server"; |
328 |
if (!cert) ret = "No certificate from server"; |
324 |
/* and that it has a name */ |
329 |
/* and that it has a name */ |
325 |
else if (!cert->name) ret = "No name in certificate"; |
330 |
else if (cert_subj[0] == '\0') ret = "No name in certificate"; |
326 |
/* locate CN */ |
331 |
/* locate CN */ |
327 |
else if (s = strstr (cert->name,"/CN=")) { |
332 |
else if (s = strstr (cert_subj,"/CN=")) { |
328 |
if (t = strchr (s += 4,'/')) *t = '\0'; |
333 |
if (t = strchr (s += 4,'/')) *t = '\0'; |
329 |
/* host name matches pattern? */ |
334 |
/* host name matches pattern? */ |
330 |
ret = ssl_compare_hostnames (host,s) ? NIL : |
335 |
ret = ssl_compare_hostnames (host,s) ? NIL : |