Diffstat (limited to 'qmail-remote.c')
-rw-r--r--qmail-remote.c49
1 files changed, 44 insertions, 5 deletions
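diff --git a/qmail-remote.c b/qmail-remote.c
index d2412aa..94bb69f 100644
--- a/qmail-remote.c
+++ b/qmail-remote.c
@@ -302,8 +302,8 @@ void smtp_quit()
 {
 #ifdef TLS
   /* shouldn't talk to the client unless in an appropriate state */
-  int state = ssl ? ssl->state : SSL_ST_BEFORE;
-  if (state & SSL_ST_OK || (!smtps && state & SSL_ST_BEFORE))
+  if ((!smtps && !ssl) || (ssl && SSL_is_init_finished(ssl))
+      || (!smtps && ssl && SSL_in_before(ssl)))
 #endif
   substdio_putsflush(&smtpto,"QUIT\r\n");
   /* waiting for remote side is just too ridiculous */
@@ -539,6 +539,41 @@ int tls_init()
   SSL_set_cipher_list(myssl, ciphers);
   alloc_free(saciphers.s);
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100005L
+  stralloc opensslconf = {0};
+  if (control_readfile(&opensslconf, "control/opensslconf", 0) == -1)
+    { SSL_free(myssl); temp_control(); }
+  if (opensslconf.len) {
+    SSL_CONF_CTX *cctx = SSL_CONF_CTX_new();
+    SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE);
+    SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
+    SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CERTIFICATE);
+    SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SHOW_ERRORS);
+    SSL_CONF_CTX_set_ssl(cctx, myssl);
+
+    int i, j, next = 0;
+    char *cmd, * arg;
+    for (i = 0; i < opensslconf.len; i += next) {
+      cmd = opensslconf.s + i;
+      next = str_len(cmd) + 1;
+
+      j = str_chr(cmd, ' ');
+      arg = cmd + j;
+      while (*arg == ' ') ++arg;
+      cmd[j] = 0;
+
+      if (SSL_CONF_cmd(cctx, cmd, arg) <= 0) {
+        SSL_free(myssl);
+        out("Zopensslconf \""); out(cmd); out(" "); out(arg);
+        out("\" failed: "); out(ssl_error());
+        TLS_QUIT;
+      }
+    }
+
+    (void)SSL_CONF_CTX_finish(cctx);
+  }
+#endif
+
   /* set SNI hostname */
   if (partner_fqdn)
     SSL_set_tlsext_host_name(myssl, partner_fqdn);
@@ -614,8 +649,12 @@ int tls_init()
       X509_NAME *subj = X509_get_subject_name(peercert);
       i = X509_NAME_get_index_by_NID(subj, NID_commonName, -1);
       if (i >= 0) {
-        const ASN1_STRING *s = X509_NAME_get_entry(subj, i)->value;
-        if (s) { peer.len = s->length; peer.s = s->data; }
+        X509_NAME_ENTRY *entry = X509_NAME_get_entry(subj, i);
+        ASN1_STRING *s = X509_NAME_ENTRY_get_data(entry);
+#if OPENSSL_VERSION_NUMBER < 0x10100005L
+#define ASN1_STRING_get0_data ASN1_STRING_data
+#endif
+        if (s) { peer.len = ASN1_STRING_length(s); peer.s = (unsigned char *)ASN1_STRING_get0_data(s); }
       }
       if (peer.len <= 0) {
         out("ZTLS unable to verify server ");
@@ -668,7 +707,7 @@ int utf8received()
     if (r == 0) break;
     if (r == -1) temp_read();
 
-    if (ch == '\n') {
+    if (ch == '\n' && receivedline.len) {
       if (!stralloc_append(&header,"\r")) temp_nomem(); /* received.c does not add '\r' */
       if (!stralloc_append(&header,"\n")) temp_nomem();
       if (case_startb(receivedline.s,5,"Date:")) return 0; /* header to quit asap */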
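Review bot: In the new opensslconf block of tls_init (hunk at line 539) the result of `SSL_CONF_CTX_new()` is passed straight to `SSL_CONF_CTX_set_flags` without a NULL check, so an allocation failure is a NULL dereference rather than the temp failure the surrounding code uses for control_readfile and memory errors; and `(void)SSL_CONF_CTX_finish(cctx)` discards the only call that reports configuration left incomplete or inconsistent after the per-command loop, so a bad control/opensslconf can fall through to the handshake with the operator's intended settings silently not applied. The context is also never released with `SSL_CONF_CTX_free`, both on the success path and on the SSL_CONF_cmd error path before TLS_QUIT (a one-shot leak if TLS_QUIT leaves the function, as it appears to, but worth tidying). I would guard the allocation with `if (!cctx) { SSL_free(myssl); temp_nomem(); }` mirroring the control_readfile failure style, treat a failed finish like a failed command, and free the context afterwards, as sketched below. tls_init begins before this hunk and its caller's handling of TLS_QUIT is not visible here.
```c
    SSL_CONF_CTX *cctx = SSL_CONF_CTX_new();
    if (!cctx) { SSL_free(myssl); temp_nomem(); }
    /* … unchanged: SSL_CONF_CTX_set_flags calls, SSL_CONF_CTX_set_ssl, command loop … */
    if (SSL_CONF_CTX_finish(cctx) <= 0) {
      SSL_free(myssl);
      out("Zopensslconf finish failed: "); out(ssl_error());
      TLS_QUIT;
    }
    SSL_CONF_CTX_free(cctx);
```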