Diffstat (limited to 'contrib/sendmail/src/tls.c')
-rw-r--r-- | contrib/sendmail/src/tls.c | 70 |
1 files changed, 49 insertions, 21 deletions
diff --git a/contrib/sendmail/src/tls.c b/contrib/sendmail/src/tls.c
index a57a05d3612d..60d408e5e796 100644
--- a/contrib/sendmail/src/tls.c
+++ b/contrib/sendmail/src/tls.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000-2006, 2008, 2009, 2011 Sendmail, Inc. and its suppliers.
+ * Copyright (c) 2000-2006, 2008, 2009, 2011, 2013 Sendmail, Inc. and its suppliers.
  *	All rights reserved.
  *
  * By using this file, you agree to the terms and conditions set
@@ -10,7 +10,7 @@
 
 #include <sendmail.h>
 
-SM_RCSID("@(#)$Id: tls.c,v 8.118 2011/03/07 23:20:47 ca Exp $")
+SM_RCSID("@(#)$Id: tls.c,v 8.121 2013/01/02 23:54:17 ca Exp $")
 
 #if STARTTLS
 # include <openssl/err.h>
@@ -267,15 +267,18 @@ tls_rand_init(randfile, logl)
 **  INIT_TLS_LIBRARY -- Calls functions which setup TLS library for global use.
 **
 **	Parameters:
-**		none.
+**		fipsmode -- use FIPS?
 **
 **	Returns:
 **		succeeded?
 */
 
 bool
-init_tls_library()
+init_tls_library(fipsmode)
+	bool fipsmode;
 {
+	bool bv;
+
 	/* basic TLS initialization, ignore result for now */
 	SSL_library_init();
 	SSL_load_error_strings();
@@ -284,7 +287,30 @@ init_tls_library()
 	SSLeay_add_ssl_algorithms();
 # endif /* 0 */
 
-	return tls_rand_init(RandFile, 7);
+	bv = tls_rand_init(RandFile, 7);
+# if _FFR_FIPSMODE
+	if (bv && fipsmode)
+	{
+		if (!FIPS_mode_set(1))
+		{
+			unsigned long err;
+
+			err = ERR_get_error();
+			if (LogLevel > 0)
+				sm_syslog(LOG_ERR, NOQID,
+					"STARTTLS=init, FIPSMode=%s",
+					ERR_error_string(err, NULL));
+			return false;
+		}
+		else
+		{
+			if (LogLevel > 9)
+				sm_syslog(LOG_INFO, NOQID,
+					"STARTTLS=init, FIPSMode=ok");
+		}
+	}
+#endif /* _FFR_FIPSMODE */
+	return bv;
 }
 /*
 **  TLS_SET_VERIFY -- request client certificate?
@@ -709,7 +735,7 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 				 "STARTTLS=%s, error: SSL_CTX_new(SSLv23_%s_method()) failed",
 				 who, who);
 			if (LogLevel > 9)
-				tlslogerr(who);
+				tlslogerr(LOG_WARNING, who);
 			return false;
 		}
 
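Review bot: In the `@@ -284,7 +287,30 @@` hunk, a build without `_FFR_FIPSMODE` compiles the whole check away, so a caller passing `fipsmode == true` gets `true` back and a non-FIPS TLS stack with no log line at all (and an unused-parameter warning); an `# else` branch should at least warn: `# else /* _FFR_FIPSMODE */` / `if (fipsmode && LogLevel > 0)` / `sm_syslog(LOG_WARNING, NOQID, "STARTTLS=init, FIPSMode=requested but not compiled in");`. On the failure path `ERR_get_error()` reports only the oldest entry on the OpenSSL error queue; the `tlslogerr(level, who)` this commit widens could drain the whole queue at `LOG_ERR` instead, assuming its prototype is in scope here. `FIPS_mode_set(1)` runs after `SSL_library_init()` and `tls_rand_init()`, and entering FIPS mode swaps in the FIPS DRBG, so the seeding `tls_rand_init()` just did may not apply to the RNG used afterwards — worth confirming against the FIPS module version targeted, since OpenSSL's guidance is to enter FIPS mode before other library initialization. The closing `#endif /* _FFR_FIPSMODE */` should be `# endif` to match its `# if` and the file's `# endif /* 0 */` style.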
@@ -808,7 +834,7 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 				 "STARTTLS=%s, error: RSA_generate_key failed",
 				 who);
 			if (LogLevel > 9)
-				tlslogerr(who);
+				tlslogerr(LOG_WARNING, who);
 		}
 		return false;
 	}
@@ -829,7 +855,7 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 				 "STARTTLS=%s, error: SSL_CTX_use_PrivateKey_file(%s) failed",
 				 who, keyfile);
 			if (LogLevel > 9)
-				tlslogerr(who);
+				tlslogerr(LOG_WARNING, who);
 		}
 		if (bitset(TLS_I_USE_KEY, req))
 			return false;
@@ -846,7 +872,7 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 				 "STARTTLS=%s, error: SSL_CTX_use_certificate_file(%s) failed",
 				 who, certfile);
 			if (LogLevel > 9)
-				tlslogerr(who);
+				tlslogerr(LOG_WARNING, who);
 		}
 		if (bitset(TLS_I_USE_CERT, req))
 			return false;
@@ -863,7 +889,7 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 				 "STARTTLS=%s, error: SSL_CTX_check_private_key failed(%s): %d",
 				 who, keyfile, r);
 			if (LogLevel > 9)
-				tlslogerr(who);
+				tlslogerr(LOG_WARNING, who);
 		}
 		if (bitset(TLS_I_USE_KEY, req))
 			return false;
@@ -882,7 +908,7 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 				 "STARTTLS=%s, error: SSL_CTX_use_PrivateKey_file(%s) failed",
 				 who, kf2);
 			if (LogLevel > 9)
-				tlslogerr(who);
+				tlslogerr(LOG_WARNING, who);
 		}
 	}
 
@@ -896,7 +922,7 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 				 "STARTTLS=%s, error: SSL_CTX_use_certificate_file(%s) failed",
 				 who, cf2);
 			if (LogLevel > 9)
-				tlslogerr(who);
+				tlslogerr(LOG_WARNING, who);
 		}
 	}
 
@@ -911,7 +937,7 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 				 "STARTTLS=%s, error: SSL_CTX_check_private_key 2 failed: %d",
 				 who, r);
 			if (LogLevel > 9)
-				tlslogerr(who);
+				tlslogerr(LOG_WARNING, who);
 		}
 	}
 # endif /* _FFR_TLS_1 */
@@ -962,7 +988,7 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 					 who, dhparam,
 					 ERR_error_string(err, NULL));
 				if (LogLevel > 9)
-					tlslogerr(who);
+					tlslogerr(LOG_WARNING, who);
 			}
 		}
 		else
@@ -973,7 +999,7 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 				 "STARTTLS=%s, error: BIO_new_file(%s) failed",
 				 who, dhparam);
 			if (LogLevel > 9)
-				tlslogerr(who);
+				tlslogerr(LOG_WARNING, who);
 		}
 	}
 }
@@ -1089,7 +1115,7 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 				 "STARTTLS=%s, error: load verify locs %s, %s failed: %d",
 				 who, cacertpath, cacertfile, r);
 			if (LogLevel > 9)
-				tlslogerr(who);
+				tlslogerr(LOG_WARNING, who);
 		}
 		if (bitset(TLS_I_VRFY_LOC, req))
 			return false;
@@ -1113,7 +1139,7 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 				 who, CipherList);
 
 			if (LogLevel > 9)
-				tlslogerr(who);
+				tlslogerr(LOG_WARNING, who);
 		}
 		/* failure if setting to this list is required? */
 	}
@@ -1377,7 +1403,7 @@ endtls(ssl, side)
 				sm_syslog(LOG_WARNING, NOQID,
 					  "STARTTLS=%s, SSL_shutdown failed: %d",
 					  side, r);
-				tlslogerr(side);
+				tlslogerr(LOG_WARNING, side);
 			}
 			ret = EX_SOFTWARE;
 		}
@@ -1426,7 +1452,7 @@ endtls(ssl, side)
 				sm_syslog(LOG_WARNING, NOQID,
 					  "STARTTLS=%s, SSL_shutdown not done",
 					  side);
-				tlslogerr(side);
+				tlslogerr(LOG_WARNING, side);
 			}
 			ret = EX_SOFTWARE;
 		}
@@ -1659,6 +1685,7 @@ tls_verify_cb(ctx, unused)
 **  TLSLOGERR -- log the errors from the TLS error stack
 **
 **	Parameters:
+**		level -- syslog level
 **		who -- server/client (for logging).
 **
 **	Returns:
@@ -1666,7 +1693,8 @@ tls_verify_cb(ctx, unused)
 */
 
 void
-tlslogerr(who)
+tlslogerr(level, who)
+	int level;
 	const char *who;
 {
 	unsigned long l;
@@ -1680,7 +1708,7 @@ tlslogerr(who)
 	while ((l = ERR_get_error_line_data(CP &file, &line, CP &data, &flags))
 		!= 0)
 	{
-		sm_syslog(LOG_WARNING, NOQID,
+		sm_syslog(level, NOQID,
 			  "STARTTLS=%s: %lu:%s:%s:%d:%s",
 			  who, es, ERR_error_string(l, buf), file, line, |
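Review bot: In the `@@ -1666,7 +1693,8 @@` hunk, `tlslogerr(level, who)` is a K&R-style definition, so the definition itself will not reject a stale one-argument caller; unless the prototype in sendmail.h and every caller outside this file (not visible in this diff) were updated in the same commit, an old `tlslogerr(who)` call would pass its string where `level` is read and hand an arbitrary int to `sm_syslog()`. Worth confirming that the header prototype was changed alongside, and a comment on the parameter would help: `**		level -- syslog priority (LOG_WARNING, LOG_ERR, ...) passed straight to sm_syslog()`. The body of `tlslogerr` continues past the last hunk.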