* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20181113"
+#define MAIL_RELEASE_DATE "20181116"
#define MAIL_VERSION_NUMBER "3.4"
#ifdef SNAPSHOT
state->tls_context->issuer_CN,
state->tls_context->peer_cert_fprint,
state->tls_context->peer_pkey_fprint);
- msg_info("%s TLS connection established to %s: %s with cipher %s "
- "(%d/%d bits)",
- !TLS_CERT_IS_PRESENT(state->tls_context) ? "Anonymous" :
- TLS_CERT_IS_SECURED(state->tls_context) ? "Verified" :
- TLS_CERT_IS_TRUSTED(state->tls_context) ? "Trusted" :
- "Untrusted", state->namaddrport,
- state->tls_context->protocol,
- state->tls_context->cipher_name,
- state->tls_context->cipher_usebits,
- state->tls_context->cipher_algbits);
+ state->tls_context->namaddr = mystrdup(state->namaddrport);
+ tls_log_summary(TLS_ROLE_CLIENT, state->tls_context);
}
} else { /* tls_proxy_mode */
state->tls_context =
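Review bot: The new `state->tls_context->namaddr = mystrdup(state->namaddrport);` overwrites a field the context already owns — tls_alloc_sess_context() sets it (`TLScontext->namaddr = lowercase(mystrdup(namaddr));` elsewhere in this patch) and a context received from tlsproxy(8) now gets it from the new `TLS_ATTR_NAMADDR` attribute in tls_proxy_context_scan() — so unless a path I cannot see leaves it null, the previous string leaks on every connection. Release it first, `if (state->tls_context->namaddr) myfree((void *) state->tls_context->namaddr);`, or drop the assignment and let tls_log_summary() use the name the context already carries. If this block is the non-proxy branch, as the following `} else { /* tls_proxy_mode */` suggests, note that tls_client_start() also calls tls_log_summary() under TLS_LOG_SUMMARY in this same patch, so the summary line may be emitted twice unless the two calls are guarded by conditions not visible here. The enclosing function starts and ends outside this hunk.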
state->tls_context->kex_bits);
cont = 1;
}
- if (state->tls_context->locl_sig_name
- && *state->tls_context->locl_sig_name) {
+ if (state->tls_context->srvr_sig_name
+ && *state->tls_context->srvr_sig_name) {
if (cont) {
vstring_sprintf_append(state->buffer, " server-signature %s",
- state->tls_context->locl_sig_name);
+ state->tls_context->srvr_sig_name);
} else {
out_record(out_stream, REC_TYPE_NORM, STR(state->buffer),
LEN(state->buffer));
vstring_sprintf(state->buffer, "\t server-signature %s",
- state->tls_context->locl_sig_name);
+ state->tls_context->srvr_sig_name);
}
- if (state->tls_context->locl_sig_curve
- && *state->tls_context->locl_sig_curve)
+ if (state->tls_context->srvr_sig_curve
+ && *state->tls_context->srvr_sig_curve)
vstring_sprintf_append(state->buffer, " (%s)",
- state->tls_context->locl_sig_curve);
- else if (state->tls_context->locl_sig_bits > 0)
+ state->tls_context->srvr_sig_curve);
+ else if (state->tls_context->srvr_sig_bits > 0)
vstring_sprintf_append(state->buffer, " (%d bits)",
- state->tls_context->locl_sig_bits);
- if (state->tls_context->locl_sig_dgst
- && *state->tls_context->locl_sig_dgst)
+ state->tls_context->srvr_sig_bits);
+ if (state->tls_context->srvr_sig_dgst
+ && *state->tls_context->srvr_sig_dgst)
vstring_sprintf_append(state->buffer, " server-digest %s",
- state->tls_context->locl_sig_dgst);
+ state->tls_context->srvr_sig_dgst);
}
- if (state->tls_context->peer_sig_name
- && *state->tls_context->peer_sig_name) {
+ if (state->tls_context->clnt_sig_name
+ && *state->tls_context->clnt_sig_name) {
out_record(out_stream, REC_TYPE_NORM, STR(state->buffer),
LEN(state->buffer));
vstring_sprintf(state->buffer, "\t client-signature %s",
- state->tls_context->peer_sig_name);
- if (state->tls_context->peer_sig_curve
- && *state->tls_context->peer_sig_curve)
+ state->tls_context->clnt_sig_name);
+ if (state->tls_context->clnt_sig_curve
+ && *state->tls_context->clnt_sig_curve)
vstring_sprintf_append(state->buffer, " (%s)",
- state->tls_context->peer_sig_curve);
- else if (state->tls_context->peer_sig_bits > 0)
+ state->tls_context->clnt_sig_curve);
+ else if (state->tls_context->clnt_sig_bits > 0)
vstring_sprintf_append(state->buffer, " (%d bits)",
- state->tls_context->peer_sig_bits);
- if (state->tls_context->peer_sig_dgst
- && *state->tls_context->peer_sig_dgst)
+ state->tls_context->clnt_sig_bits);
+ if (state->tls_context->clnt_sig_dgst
+ && *state->tls_context->clnt_sig_dgst)
vstring_sprintf_append(state->buffer, " client-digest %s",
- state->tls_context->peer_sig_dgst);
+ state->tls_context->clnt_sig_dgst);
}
out_fprintf(out_stream, REC_TYPE_NORM, "%s)", STR(state->buffer));
if (TLS_CERT_IS_PRESENT(state->tls_context)) {
*
* The client-only interface SSL_get_server_tmp_key() is slated to be made to
* work on both client and server, and renamed to SSL_get_peer_tmp_key(), with
- * the original name left behind as an alias. We'll use the new name if/when
+ * the original name left behind as an alias. We use the new name when
* available.
- *
- * XXX: Set corresponding OpenSSL version floor below when OpenSSL pull
- * request:
- *
- * <https://github.com/openssl/openssl/pull/7608>
- *
- * is merged, perhaps in the upcoming 1.1.1a release (at which point the XXX
- * part of this comment can be deleted).
*/
#if OPENSSL_VERSION_NUMBER < 0x1010101fUL
#undef SSL_get_signature_nid
*/
#include <dns.h>
+ /*
+ * TLS role, presently for logging.
+ */
+#define TLS_ROLE_CLIENT 0
+#define TLS_ROLE_SERVER 1
+
/*
* Names of valid tlsmgr(8) session caches.
*/
const char *kex_name; /* shared key-exchange algorithm */
const char *kex_curve; /* shared key-exchange ECDHE curve */
int kex_bits; /* shared FFDHE key exchange bits */
- const char *locl_sig_name; /* local signature key algorithm */
- const char *locl_sig_curve; /* local ECDSA curve name */
- int locl_sig_bits; /* local RSA signature key bits */
- const char *locl_sig_dgst; /* local signature digest */
- const char *peer_sig_name; /* peer's signature key algorithm */
- const char *peer_sig_curve; /* peer's ECDSA curve name */
- int peer_sig_bits; /* peer's RSA signature key bits */
- const char *peer_sig_dgst; /* peer's signature digest */
+ const char *clnt_sig_name; /* client's signature key algorithm */
+ const char *clnt_sig_curve; /* client's ECDSA curve name */
+ int clnt_sig_bits; /* client's RSA signature key bits */
+ const char *clnt_sig_dgst; /* client's signature digest */
+ const char *srvr_sig_name; /* server's signature key algorithm */
+ const char *srvr_sig_curve; /* server's ECDSA curve name */
+ int srvr_sig_bits; /* server's RSA signature key bits */
+ const char *srvr_sig_dgst; /* server's signature digest */
/* Private. */
SSL *con;
char *cache_type; /* tlsmgr(8) cache type if enabled */
extern const char *tls_compile_version(void);
extern const char *tls_run_version(void);
extern const char **tls_pkey_algorithms(void);
+extern void tls_log_summary(int, TLS_SESS_STATE *);
#ifdef TLS_INTERNAL
TLS_CERT_FLAG_TRUSTED | TLS_CERT_FLAG_MATCHED;
}
-/* log_summary - TLS loglevel 1 one-liner, embellished with TLS 1.3 details */
-
-static void log_summary(TLS_SESS_STATE *TLScontext,
- const TLS_CLIENT_START_PROPS *props)
-{
- VSTRING *msg = vstring_alloc(100);
-
- vstring_sprintf(msg, "%s TLS connection established to %s: %s"
- " with cipher %s (%d/%d bits)",
- !TLS_CERT_IS_PRESENT(TLScontext) ? "Anonymous" :
- TLS_CERT_IS_SECURED(TLScontext) ? "Verified" :
- TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted",
- props->namaddr, TLScontext->protocol,
- TLScontext->cipher_name, TLScontext->cipher_usebits,
- TLScontext->cipher_algbits);
-
- if (TLScontext->kex_name && *TLScontext->kex_name) {
- vstring_sprintf_append(msg, " key-exchange %s",
- TLScontext->kex_name);
- if (TLScontext->kex_curve && *TLScontext->kex_curve)
- vstring_sprintf_append(msg, " (%s)",
- TLScontext->kex_curve);
- else if (TLScontext->kex_bits > 0)
- vstring_sprintf_append(msg, " (%d bits)",
- TLScontext->kex_bits);
- }
- if (TLScontext->peer_sig_name && *TLScontext->peer_sig_name) {
- vstring_sprintf_append(msg, " server-signature %s",
- TLScontext->peer_sig_name);
- if (TLScontext->peer_sig_curve && *TLScontext->peer_sig_curve)
- vstring_sprintf_append(msg, " (%s)",
- TLScontext->peer_sig_curve);
- else if (TLScontext->peer_sig_bits > 0)
- vstring_sprintf_append(msg, " (%d bits)",
- TLScontext->peer_sig_bits);
- if (TLScontext->peer_sig_dgst && *TLScontext->peer_sig_dgst)
- vstring_sprintf_append(msg, " server-digest %s",
- TLScontext->peer_sig_dgst);
- }
- if (TLScontext->locl_sig_name && *TLScontext->locl_sig_name) {
- vstring_sprintf_append(msg, " client-signature %s",
- TLScontext->locl_sig_name);
- if (TLScontext->locl_sig_curve && *TLScontext->locl_sig_curve)
- vstring_sprintf_append(msg, " (%s)",
- TLScontext->locl_sig_curve);
- else if (TLScontext->locl_sig_bits > 0)
- vstring_sprintf_append(msg, " (%d bits)",
- TLScontext->locl_sig_bits);
- if (TLScontext->locl_sig_dgst && *TLScontext->locl_sig_dgst)
- vstring_sprintf_append(msg, " client-digest %s",
- TLScontext->locl_sig_dgst);
- }
- msg_info("%s", vstring_str(msg));
- vstring_free(msg);
-}
-
/*
* This is the actual startup routine for the connection. We expect that the
* buffers are flushed and the "220 Ready to start TLS" was received by us,
tls_get_signature_params(TLScontext);
if (TLScontext->log_mask & TLS_LOG_SUMMARY)
- log_summary(TLScontext, props);
+ tls_log_summary(TLS_ROLE_CLIENT, TLScontext);
tls_int_seed();
/* void tls_get_signature_params(TLScontext)
/* TLS_SESS_STATE *TLScontext;
/*
+/* void tls_log_summary(role, TLScontext)
+/* int role;
+/* TLS_SESS_STATE *TLScontext;
+/*
/* void tls_print_errors()
/*
/* void tls_info_callback(ssl, where, ret)
/* handshake, which are negotiated separately. This function
/* has no effect for TLS 1.2 and earlier.
/*
+/* tls_log_summary() logs a summary of a completed TLS connection.
+/* The "role" argument must be TLS_ROLE_CLIENT for outgoing client
+/* connections, or TLS_ROLE_SERVER for incoming server connections.
+/*
/* tls_print_errors() queries the OpenSSL error stack,
/* logs the error messages, and clears the error stack.
/*
{
const char *kex_name = 0;
const char *kex_curve = 0;
+
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fUL && defined(TLS1_3_VERSION)
+#ifndef OPENSSL_NO_EC
const char *locl_sig_name = 0;
const char *locl_sig_curve = 0;
const char *locl_sig_dgst = 0;
const char *peer_sig_name = 0;
const char *peer_sig_curve = 0;
const char *peer_sig_dgst = 0;
-
-#if OPENSSL_VERSION_NUMBER >= 0x1010100fUL && defined(TLS1_3_VERSION)
-#ifndef OPENSSL_NO_EC
EC_KEY *eckey;
#endif
int nid;
int got_kex_key;
SSL *ssl = TLScontext->con;
+ int srvr = SSL_is_server(ssl);
X509 *cert;
EVP_PKEY *pkey = 0;
+#define SIG_PROP(c, s, p) (*((s) ? &c->srvr_sig_##p : &c->clnt_sig_##p)
+
if (SSL_version(ssl) != TLS1_3_VERSION)
return;
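Review bot: The six `locl_sig_*`/`peer_sig_*` locals have been moved inside the `#ifndef OPENSSL_NO_EC` block (the `#endif` after `EC_KEY *eckey;` closes it), yet they are still assigned in the unconditional `case EVP_PKEY_RSA:` arms and in the `#ifdef SIG_PROP` block later in this function, so an OpenSSL build without EC support no longer compiles tls_misc.c. Only `EC_KEY *eckey;` needs the EC guard: keep `#if OPENSSL_VERSION_NUMBER >= 0x1010100fUL && defined(TLS1_3_VERSION)` above the declarations and move `#ifndef OPENSSL_NO_EC` down so it directly precedes `EC_KEY *eckey;`. Separately, the `SIG_PROP` expansion as rendered here has one more `(` than `)` and leaves `c` unparenthesized; `#define SIG_PROP(c, s, p) (*((s) ? &(c)->srvr_sig_##p : &(c)->clnt_sig_##p))` addresses both, if the missing parenthesis is not a rendering artifact. The function's signature and the rest of its body lie outside this hunk.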
* check via SSL_get_signature_nid(). This means that local signature
* data on clients requires at least 1.1.1a.
*/
- if (SSL_is_server(ssl) || SSL_get_signature_nid(ssl, &nid))
+ if (srvr || SSL_get_signature_nid(ssl, &nid))
cert = SSL_get_certificate(ssl);
else
cert = 0;
case EVP_PKEY_RSA:
/* For RSA, TLS 1.3 mandates PSS signatures */
locl_sig_name = "RSA-PSS";
- TLScontext->locl_sig_bits = EVP_PKEY_bits(pkey);
+ SIG_PROP(TLScontext, srvr, bits) = EVP_PKEY_bits(pkey);
break;
#ifndef OPENSSL_NO_EC
case EVP_PKEY_RSA:
/* For RSA, TLS 1.3 mandates PSS signatures */
peer_sig_name = "RSA-PSS";
- TLScontext->peer_sig_bits = EVP_PKEY_bits(pkey);
+ SIG_PROP(TLScontext, !srvr, bits) = EVP_PKEY_bits(pkey);
break;
#ifndef OPENSSL_NO_EC
if (kex_curve)
TLScontext->kex_curve = mystrdup(kex_curve);
}
+#ifdef SIG_PROP
if (locl_sig_name) {
- TLScontext->locl_sig_name = mystrdup(locl_sig_name);
+ SIG_PROP(TLScontext, srvr, name) = mystrdup(locl_sig_name);
if (locl_sig_curve)
- TLScontext->locl_sig_curve = mystrdup(locl_sig_curve);
+ SIG_PROP(TLScontext, srvr, curve) = mystrdup(locl_sig_curve);
if (locl_sig_dgst)
- TLScontext->locl_sig_dgst = mystrdup(locl_sig_dgst);
+ SIG_PROP(TLScontext, srvr, dgst) = mystrdup(locl_sig_dgst);
}
if (peer_sig_name) {
- TLScontext->peer_sig_name = mystrdup(peer_sig_name);
+ SIG_PROP(TLScontext, !srvr, name) = mystrdup(peer_sig_name);
if (peer_sig_curve)
- TLScontext->peer_sig_curve = mystrdup(peer_sig_curve);
+ SIG_PROP(TLScontext, !srvr, curve) = mystrdup(peer_sig_curve);
if (peer_sig_dgst)
- TLScontext->peer_sig_dgst = mystrdup(peer_sig_dgst);
+ SIG_PROP(TLScontext, !srvr, dgst) = mystrdup(peer_sig_dgst);
+ }
+#endif /* SIG_PROP */
+}
+
+/* tls_log_summary - TLS loglevel 1 one-liner, embellished with TLS 1.3 details */
+
+void tls_log_summary(int role, TLS_SESS_STATE *ctx)
+{
+ VSTRING *msg = vstring_alloc(100);
+ const char *direction = (role == TLS_ROLE_CLIENT) ? "to" : "from";
+
+ vstring_sprintf(msg, "%s TLS connection established %s %s: %s"
+ " with cipher %s (%d/%d bits)",
+ !TLS_CERT_IS_PRESENT(ctx) ? "Anonymous" :
+ TLS_CERT_IS_SECURED(ctx) ? "Verified" :
+ TLS_CERT_IS_TRUSTED(ctx) ? "Trusted" : "Untrusted",
+ direction, ctx->namaddr, ctx->protocol, ctx->cipher_name,
+ ctx->cipher_usebits, ctx->cipher_algbits);
+
+ if (ctx->kex_name && *ctx->kex_name) {
+ vstring_sprintf_append(msg, " key-exchange %s", ctx->kex_name);
+ if (ctx->kex_curve && *ctx->kex_curve)
+ vstring_sprintf_append(msg, " (%s)", ctx->kex_curve);
+ else if (ctx->kex_bits > 0)
+ vstring_sprintf_append(msg, " (%d bits)", ctx->kex_bits);
+ }
+ if (ctx->srvr_sig_name && *ctx->srvr_sig_name) {
+ vstring_sprintf_append(msg, " server-signature %s",
+ ctx->srvr_sig_name);
+ if (ctx->srvr_sig_curve && *ctx->srvr_sig_curve)
+ vstring_sprintf_append(msg, " (%s)", ctx->srvr_sig_curve);
+ else if (ctx->srvr_sig_bits > 0)
+ vstring_sprintf_append(msg, " (%d bits)", ctx->srvr_sig_bits);
+ if (ctx->srvr_sig_dgst && *ctx->srvr_sig_dgst)
+ vstring_sprintf_append(msg, " server-digest %s",
+ ctx->srvr_sig_dgst);
+ }
+ if (ctx->clnt_sig_name && *ctx->clnt_sig_name) {
+ vstring_sprintf_append(msg, " client-signature %s",
+ ctx->clnt_sig_name);
+ if (ctx->clnt_sig_curve && *ctx->clnt_sig_curve)
+ vstring_sprintf_append(msg, " (%s)", ctx->clnt_sig_curve);
+ else if (ctx->clnt_sig_bits > 0)
+ vstring_sprintf_append(msg, " (%d bits)", ctx->clnt_sig_bits);
+ if (ctx->clnt_sig_dgst && *ctx->clnt_sig_dgst)
+ vstring_sprintf_append(msg, " client-digest %s",
+ ctx->clnt_sig_dgst);
}
+ msg_info("%s", vstring_str(msg));
+ vstring_free(msg);
}
/* tls_alloc_app_context - allocate TLS application context */
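Review bot: tls_log_summary() does not validate `role`: `(role == TLS_ROLE_CLIENT) ? "to" : "from"` silently logs any other value as an inbound server connection, and because the caller supplies the role independently of the SSL object (tls_get_signature_params() derives the side from SSL_is_server() instead) a mismatch would never be noticed. Follow the usual Postfix pattern and fail loudly: `if (role != TLS_ROLE_CLIENT && role != TLS_ROLE_SERVER) msg_panic("tls_log_summary: invalid role %d", role);` before building the message. Also, `#ifdef SIG_PROP` ties the copy-out block to a macro defined inside tls_get_signature_params() that is never undefined, so it remains visible to everything compiled after it in this file; add `#undef SIG_PROP` right after `#endif /* SIG_PROP */` to keep the helper function-local. tls_get_signature_params() begins before this hunk.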
TLScontext->cipher_name = 0;
TLScontext->kex_name = 0;
TLScontext->kex_curve = 0;
- TLScontext->locl_sig_name = 0;
- TLScontext->locl_sig_curve = 0;
- TLScontext->locl_sig_dgst = 0;
- TLScontext->peer_sig_name = 0;
- TLScontext->peer_sig_curve = 0;
- TLScontext->peer_sig_dgst = 0;
+ TLScontext->clnt_sig_name = 0;
+ TLScontext->clnt_sig_curve = 0;
+ TLScontext->clnt_sig_dgst = 0;
+ TLScontext->srvr_sig_name = 0;
+ TLScontext->srvr_sig_curve = 0;
+ TLScontext->srvr_sig_dgst = 0;
TLScontext->log_mask = log_mask;
TLScontext->namaddr = lowercase(mystrdup(namaddr));
TLScontext->mdalg = 0; /* Alias for props->mdalg */
#define TLS_ATTR_KEX_NAME "key_exchange"
#define TLS_ATTR_KEX_CURVE "key_exchange_curve"
#define TLS_ATTR_KEX_BITS "key_exchange_bits"
-#define TLS_ATTR_LOCL_SIG_NAME "locl_signature"
-#define TLS_ATTR_LOCL_SIG_CURVE "locl_signature_curve"
-#define TLS_ATTR_LOCL_SIG_BITS "locl_signature_bits"
-#define TLS_ATTR_LOCL_SIG_DGST "locl_signature_digest"
-#define TLS_ATTR_PEER_SIG_NAME "peer_signature"
-#define TLS_ATTR_PEER_SIG_CURVE "peer_signature_curve"
-#define TLS_ATTR_PEER_SIG_BITS "peer_signature_bits"
-#define TLS_ATTR_PEER_SIG_DGST "peer_signature_digest"
+#define TLS_ATTR_CLNT_SIG_NAME "clnt_signature"
+#define TLS_ATTR_CLNT_SIG_CURVE "clnt_signature_curve"
+#define TLS_ATTR_CLNT_SIG_BITS "clnt_signature_bits"
+#define TLS_ATTR_CLNT_SIG_DGST "clnt_signature_digest"
+#define TLS_ATTR_SRVR_SIG_NAME "srvr_signature"
+#define TLS_ATTR_SRVR_SIG_CURVE "srvr_signature_curve"
+#define TLS_ATTR_SRVR_SIG_BITS "srvr_signature_bits"
+#define TLS_ATTR_SRVR_SIG_DGST "srvr_signature_digest"
+#define TLS_ATTR_NAMADDR "namaddr"
/*
* TLS_SERVER_INIT_PROPS attributes.
STRING_OR_EMPTY(tp->kex_curve)),
SEND_ATTR_INT(TLS_ATTR_KEX_BITS,
tp->kex_bits),
- SEND_ATTR_STR(TLS_ATTR_LOCL_SIG_NAME,
- STRING_OR_EMPTY(tp->locl_sig_name)),
- SEND_ATTR_STR(TLS_ATTR_LOCL_SIG_CURVE,
- STRING_OR_EMPTY(tp->locl_sig_curve)),
- SEND_ATTR_INT(TLS_ATTR_LOCL_SIG_BITS,
- tp->locl_sig_bits),
- SEND_ATTR_STR(TLS_ATTR_LOCL_SIG_DGST,
- STRING_OR_EMPTY(tp->locl_sig_dgst)),
- SEND_ATTR_STR(TLS_ATTR_PEER_SIG_NAME,
- STRING_OR_EMPTY(tp->peer_sig_name)),
- SEND_ATTR_STR(TLS_ATTR_PEER_SIG_CURVE,
- STRING_OR_EMPTY(tp->peer_sig_curve)),
- SEND_ATTR_INT(TLS_ATTR_PEER_SIG_BITS,
- tp->peer_sig_bits),
- SEND_ATTR_STR(TLS_ATTR_PEER_SIG_DGST,
- STRING_OR_EMPTY(tp->peer_sig_dgst)),
+ SEND_ATTR_STR(TLS_ATTR_CLNT_SIG_NAME,
+ STRING_OR_EMPTY(tp->clnt_sig_name)),
+ SEND_ATTR_STR(TLS_ATTR_CLNT_SIG_CURVE,
+ STRING_OR_EMPTY(tp->clnt_sig_curve)),
+ SEND_ATTR_INT(TLS_ATTR_CLNT_SIG_BITS,
+ tp->clnt_sig_bits),
+ SEND_ATTR_STR(TLS_ATTR_CLNT_SIG_DGST,
+ STRING_OR_EMPTY(tp->clnt_sig_dgst)),
+ SEND_ATTR_STR(TLS_ATTR_SRVR_SIG_NAME,
+ STRING_OR_EMPTY(tp->srvr_sig_name)),
+ SEND_ATTR_STR(TLS_ATTR_SRVR_SIG_CURVE,
+ STRING_OR_EMPTY(tp->srvr_sig_curve)),
+ SEND_ATTR_INT(TLS_ATTR_SRVR_SIG_BITS,
+ tp->srvr_sig_bits),
+ SEND_ATTR_STR(TLS_ATTR_SRVR_SIG_DGST,
+ STRING_OR_EMPTY(tp->srvr_sig_dgst)),
+ SEND_ATTR_STR(TLS_ATTR_NAMADDR,
+ STRING_OR_EMPTY(tp->namaddr)),
ATTR_TYPE_END);
/* Do not flush the stream. */
return (ret);
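Review bot: `SEND_ATTR_INT(TLS_ATTR_CLNT_SIG_BITS, tp->clnt_sig_bits)` and its `srvr` counterpart serialize the int fields unconditionally, while the tls_alloc_sess_context() change elsewhere in this patch zeroes only the six string fields; tls_get_signature_params() assigns the bits only in the RSA arms, so if `clnt_sig_bits`, `srvr_sig_bits` (and `kex_bits`) are not zeroed in code outside this view, a non-RSA or pre-TLS-1.3 session pushes uninitialized ints from tlsproxy(8) to the smtp(8) client, and tls_log_summary() then tests `> 0` on garbage. Add `TLScontext->clnt_sig_bits = 0; TLScontext->srvr_sig_bits = 0; TLScontext->kex_bits = 0;` next to the string-field initialization in tls_alloc_sess_context(), or confirm they are already cleared there. The attr_print() call starts before this hunk.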
VSTRING *cipher_name = vstring_alloc(25);
VSTRING *kex_name = vstring_alloc(25);
VSTRING *kex_curve = vstring_alloc(25);
- VSTRING *locl_sig_name = vstring_alloc(25);
- VSTRING *locl_sig_curve = vstring_alloc(25);
- VSTRING *locl_sig_dgst = vstring_alloc(25);
- VSTRING *peer_sig_name = vstring_alloc(25);
- VSTRING *peer_sig_curve = vstring_alloc(25);
- VSTRING *peer_sig_dgst = vstring_alloc(25);
+ VSTRING *clnt_sig_name = vstring_alloc(25);
+ VSTRING *clnt_sig_curve = vstring_alloc(25);
+ VSTRING *clnt_sig_dgst = vstring_alloc(25);
+ VSTRING *srvr_sig_name = vstring_alloc(25);
+ VSTRING *srvr_sig_curve = vstring_alloc(25);
+ VSTRING *srvr_sig_dgst = vstring_alloc(25);
+ VSTRING *namaddr = vstring_alloc(100);
if (msg_verbose)
msg_info("begin tls_proxy_context_scan");
RECV_ATTR_STR(TLS_ATTR_KEX_NAME, kex_name),
RECV_ATTR_STR(TLS_ATTR_KEX_CURVE, kex_curve),
RECV_ATTR_INT(TLS_ATTR_KEX_BITS, &tls_context->kex_bits),
- RECV_ATTR_STR(TLS_ATTR_LOCL_SIG_NAME, locl_sig_name),
- RECV_ATTR_STR(TLS_ATTR_LOCL_SIG_CURVE, locl_sig_curve),
- RECV_ATTR_INT(TLS_ATTR_LOCL_SIG_BITS, &tls_context->locl_sig_bits),
- RECV_ATTR_STR(TLS_ATTR_LOCL_SIG_DGST, locl_sig_dgst),
- RECV_ATTR_STR(TLS_ATTR_PEER_SIG_NAME, peer_sig_name),
- RECV_ATTR_STR(TLS_ATTR_PEER_SIG_CURVE, peer_sig_curve),
- RECV_ATTR_INT(TLS_ATTR_PEER_SIG_BITS, &tls_context->peer_sig_bits),
- RECV_ATTR_STR(TLS_ATTR_PEER_SIG_DGST, peer_sig_dgst),
+ RECV_ATTR_STR(TLS_ATTR_CLNT_SIG_NAME, clnt_sig_name),
+ RECV_ATTR_STR(TLS_ATTR_CLNT_SIG_CURVE, clnt_sig_curve),
+ RECV_ATTR_INT(TLS_ATTR_CLNT_SIG_BITS, &tls_context->clnt_sig_bits),
+ RECV_ATTR_STR(TLS_ATTR_CLNT_SIG_DGST, clnt_sig_dgst),
+ RECV_ATTR_STR(TLS_ATTR_SRVR_SIG_NAME, srvr_sig_name),
+ RECV_ATTR_STR(TLS_ATTR_SRVR_SIG_CURVE, srvr_sig_curve),
+ RECV_ATTR_INT(TLS_ATTR_SRVR_SIG_BITS, &tls_context->srvr_sig_bits),
+ RECV_ATTR_STR(TLS_ATTR_SRVR_SIG_DGST, srvr_sig_dgst),
+ RECV_ATTR_STR(TLS_ATTR_NAMADDR, namaddr),
ATTR_TYPE_END);
/* Always construct a well-formed structure. */
tls_context->peer_CN = vstring_export(peer_CN);
tls_context->cipher_name = vstring_export(cipher_name);
tls_context->kex_name = vstring_export(kex_name);
tls_context->kex_curve = vstring_export(kex_curve);
- tls_context->locl_sig_name = vstring_export(locl_sig_name);
- tls_context->locl_sig_curve = vstring_export(locl_sig_curve);
- tls_context->locl_sig_dgst = vstring_export(locl_sig_dgst);
- tls_context->peer_sig_name = vstring_export(peer_sig_name);
- tls_context->peer_sig_curve = vstring_export(peer_sig_curve);
- tls_context->peer_sig_dgst = vstring_export(peer_sig_dgst);
- ret = (ret == 20 ? 1 : -1);
+ tls_context->clnt_sig_name = vstring_export(clnt_sig_name);
+ tls_context->clnt_sig_curve = vstring_export(clnt_sig_curve);
+ tls_context->clnt_sig_dgst = vstring_export(clnt_sig_dgst);
+ tls_context->srvr_sig_name = vstring_export(srvr_sig_name);
+ tls_context->srvr_sig_curve = vstring_export(srvr_sig_curve);
+ tls_context->srvr_sig_dgst = vstring_export(srvr_sig_dgst);
+ tls_context->namaddr = vstring_export(namaddr);
+ ret = (ret == 21 ? 1 : -1);
if (ret != 1) {
tls_proxy_context_free(tls_context);
tls_context = 0;
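Review bot: `ret = (ret == 21 ? 1 : -1);` hard-codes the number of attributes attr_scan() must have consumed, and this hunk is exactly the kind of change — one attribute added, the literal bumped by hand — where the count and the RECV_ATTR list drift apart silently, surfacing only as a rejected context at runtime. At minimum annotate it, `/* must equal the number of RECV_ATTR_* items above; update together with tls_proxy_context_print() */`, or name the constant next to the TLS_ATTR_* definitions so print and scan share one source of truth. The attr_scan() call begins before this hunk.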
myfree((void *) tls_context->kex_name);
if (tls_context->kex_curve)
myfree((void *) tls_context->kex_curve);
- if (tls_context->locl_sig_name)
- myfree((void *) tls_context->locl_sig_name);
- if (tls_context->locl_sig_curve)
- myfree((void *) tls_context->locl_sig_curve);
- if (tls_context->locl_sig_dgst)
- myfree((void *) tls_context->locl_sig_dgst);
- if (tls_context->peer_sig_name)
- myfree((void *) tls_context->peer_sig_name);
- if (tls_context->peer_sig_curve)
- myfree((void *) tls_context->peer_sig_curve);
- if (tls_context->peer_sig_dgst)
- myfree((void *) tls_context->peer_sig_dgst);
+ if (tls_context->clnt_sig_name)
+ myfree((void *) tls_context->clnt_sig_name);
+ if (tls_context->clnt_sig_curve)
+ myfree((void *) tls_context->clnt_sig_curve);
+ if (tls_context->clnt_sig_dgst)
+ myfree((void *) tls_context->clnt_sig_dgst);
+ if (tls_context->srvr_sig_name)
+ myfree((void *) tls_context->srvr_sig_name);
+ if (tls_context->srvr_sig_curve)
+ myfree((void *) tls_context->srvr_sig_curve);
+ if (tls_context->srvr_sig_dgst)
+ myfree((void *) tls_context->srvr_sig_dgst);
+ if (tls_context->namaddr)
+ myfree((void *) tls_context->namaddr);
myfree((void *) tls_context);
}
#endif
-/* log_summary - TLS loglevel 1 one-liner, embellished with TLS 1.3 details */
-
-static void log_summary(TLS_SESS_STATE *TLScontext)
-{
- VSTRING *msg = vstring_alloc(100);
-
- vstring_sprintf(msg, "%s TLS connection established from %s: %s"
- " with cipher %s (%d/%d bits)",
- !TLS_CERT_IS_PRESENT(TLScontext) ? "Anonymous" :
- TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted",
- TLScontext->namaddr, TLScontext->protocol,
- TLScontext->cipher_name, TLScontext->cipher_usebits,
- TLScontext->cipher_algbits);
-
- if (TLScontext->kex_name && *TLScontext->kex_name) {
- vstring_sprintf_append(msg, " key-exchange %s",
- TLScontext->kex_name);
- if (TLScontext->kex_curve && *TLScontext->kex_curve)
- vstring_sprintf_append(msg, " (%s)",
- TLScontext->kex_curve);
- else if (TLScontext->kex_bits > 0)
- vstring_sprintf_append(msg, " (%d bits)",
- TLScontext->kex_bits);
- }
- if (TLScontext->locl_sig_name && *TLScontext->locl_sig_name) {
- vstring_sprintf_append(msg, " server-signature %s",
- TLScontext->locl_sig_name);
- if (TLScontext->locl_sig_curve && *TLScontext->locl_sig_curve)
- vstring_sprintf_append(msg, " (%s)",
- TLScontext->locl_sig_curve);
- else if (TLScontext->locl_sig_bits > 0)
- vstring_sprintf_append(msg, " (%d bits)",
- TLScontext->locl_sig_bits);
- if (TLScontext->locl_sig_dgst && *TLScontext->locl_sig_dgst)
- vstring_sprintf_append(msg, " server-digest %s",
- TLScontext->locl_sig_dgst);
- }
- if (TLScontext->peer_sig_name && *TLScontext->peer_sig_name) {
- vstring_sprintf_append(msg, " client-signature %s",
- TLScontext->peer_sig_name);
- if (TLScontext->peer_sig_curve && *TLScontext->peer_sig_curve)
- vstring_sprintf_append(msg, " (%s)",
- TLScontext->peer_sig_curve);
- else if (TLScontext->peer_sig_bits > 0)
- vstring_sprintf_append(msg, " (%d bits)",
- TLScontext->peer_sig_bits);
- if (TLScontext->peer_sig_dgst && *TLScontext->peer_sig_dgst)
- vstring_sprintf_append(msg, " client-digest %s",
- TLScontext->peer_sig_dgst);
- }
- msg_info("%s", vstring_str(msg));
- vstring_free(msg);
-}
-
/* tls_server_init - initialize the server-side TLS engine */
TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
* All the key facts in a single log entry.
*/
if (TLScontext->log_mask & TLS_LOG_SUMMARY)
- log_summary(TLScontext);
+ tls_log_summary(TLS_ROLE_SERVER, TLScontext);
tls_int_seed();