/* TLS support can be optionally included, either for OpenSSL or GnuTLS. The
latter needs a whole pile of tables. */
-
#ifdef HAVE_OPENSSL
# define HAVE_TLS
# include <openssl/crypto.h>
# include <openssl/ssl.h>
# include <openssl/err.h>
# include <openssl/rand.h>
-# include <openssl/ocsp.h>
+
+# if OPENSSL_VERSION_NUMBER < 0x0090806fL && !defined(DISABLE_OCSP) && !defined(OPENSSL_NO_TLSEXT)
+# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
+# define DISABLE_OCSP
+# endif
+# ifndef DISABLE_OCSP
+# include <openssl/ocsp.h>
+# endif
#endif
# define HAVE_OCSP
# include <gnutls/ocsp.h>
# endif
+# ifndef GNUTLS_NO_EXTENSIONS
+# define GNUTLS_NO_EXTENSIONS 0
+# endif
# define DH_BITS 768
}
+#ifndef DISABLE_OCSP
static int
tls_client_stapling_cb(SSL *s, void *arg)
{
X509_STORE_free(store);
return ret;
}
+#endif
/*************************************************
tls_start(int sock, SSL **ssl, SSL_CTX *ctx)
{
int rc;
-static const char *sid_ctx = "exim";
+static const unsigned char *sid_ctx = US"exim";
RAND_load_file("client.c", -1); /* Not *very* random! */
*ssl = SSL_new (ctx);
-SSL_set_session_id_context(*ssl, sid_ctx, strlen(sid_ctx));
+SSL_set_session_id_context(*ssl, sid_ctx, strlen(CS sid_ctx));
SSL_set_fd (*ssl, sock);
SSL_set_connect_state(*ssl);
+#ifndef DISABLE_OCSP
if (ocsp_stapling)
{
SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
SSL_CTX_set_tlsext_status_arg(ctx, BIO_new_fp(stdout, BIO_NOCLOSE));
SSL_set_tlsext_status_type(*ssl, TLSEXT_STATUSTYPE_ocsp);
}
+#endif
signal(SIGALRM, sigalrm_handler_flag);
sigalrm_seen = 0;
{
gnutls_session session;
-gnutls_init(&session, GNUTLS_CLIENT);
+gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_NO_EXTENSIONS);
gnutls_cipher_set_priority(session, default_cipher_priority);
gnutls_compression_set_priority(session, comp_priority);
*************************************************/
const char * const HELP_MESSAGE = "\n\
-Usage: client\n\
+Usage: client\n"
+#ifdef HAVE_TLS
+"\
+ [-tls-on-connect]\n\
+ [-ocsp]\n"
+#endif
+"\
+ [-tn] n seconds timeout\n\
<IP address>\n\
<port>\n\
[<outgoing interface>]\n\
while (fgets(CS outbuffer, sizeof(outbuffer), stdin) != NULL)
{
int n = (int)strlen(CS outbuffer);
- while (n > 0 && isspace(outbuffer[n-1])) n--;
- outbuffer[n] = 0;
+
+ /* Strip trailing newline */
+ if (outbuffer[n-1] == '\n') outbuffer[--n] = 0;
/* Expect incoming */
/* Shutdown TLS */
- if (strcmp(outbuffer, "stoptls") == 0 ||
- strcmp(outbuffer, "STOPTLS") == 0)
+ if (strcmp(CS outbuffer, "stoptls") == 0 ||
+ strcmp(CS outbuffer, "STOPTLS") == 0)
{
if (!tls_active)
{
/* Remember that we sent STARTTLS */
- sent_starttls = (strcmp(outbuffer, "starttls") == 0 ||
- strcmp(outbuffer, "STARTTLS") == 0);
+ sent_starttls = (strcmp(CS outbuffer, "starttls") == 0 ||
+ strcmp(CS outbuffer, "STARTTLS") == 0);
/* Fudge: if the command is "starttls_wait", we send the starttls bit,
but we haven't set the flag, so that there is no negotiation. This is for
testing the server's timeout. */
- if (strcmp(outbuffer, "starttls_wait") == 0)
+ if (strcmp(CS outbuffer, "starttls_wait") == 0)
{
outbuffer[8] = 0;
n = 8;
n--;
}
- while ((escape = strstr(outbuffer, "\\n")) != NULL)
+ while ((escape = US strstr(CS outbuffer, "\\n")) != NULL)
{
*escape = '\n';
memmove(escape + 1, escape + 2, (n + 2) - (escape - outbuffer) - 2);
projects / exim.git / blobdiff