X-Git-Url: http://pileus.org/git/?a=blobdiff_plain;f=socket.c;h=58a8e15e807e4258a717933b5603da522c08473f;hb=49268a95ee78bc179fd3439b3f06e9a06c993c92;hp=e338207a0a97a6c476286d3ed8c5996480c6a3d3;hpb=8124d126e847dfeb4037175b22d14d5283978f31;p=~andy%2Ffetchmail

diff --git a/socket.c b/socket.c
index e338207a..58a8e15e 100644
--- a/socket.c
+++ b/socket.c
@@ -133,6 +133,7 @@ static char *const *parse_plugin(const char *plugin, const char *host, const cha
 	argvec = (char **)malloc(s);
 	if (!argvec)
 	{
+		free(plugin_copy);
 		report(stderr, GT_("fetchmail: malloc failed\n"));
 		return NULL;
 	}
@@ -186,6 +187,8 @@ static int handle_plugin(const char *host,
 		if (outlevel >= O_VERBOSE)
 		    report(stderr, GT_("running %s (host %s service %s)\n"), plugin, host, service);
 		argvec = parse_plugin(plugin,host,service);
+		if (argvec == NULL)
+			_exit(EXIT_FAILURE);
 		execvp(*argvec, argvec);
 		report(stderr, GT_("execvp(%s) failed\n"), *argvec);
 		_exit(EXIT_FAILURE);
@@ -375,6 +378,20 @@ va_dcl {
 #include <openssl/x509v3.h>
 #include <openssl/rand.h>
 
+static void report_SSL_errors(FILE *stream)
+{
+    unsigned long err;
+
+    while (0ul != (err = ERR_get_error())) {
+	char *errstr = ERR_error_string(err, NULL);
+	report(stream, GT_("OpenSSL reported: %s\n"), errstr);
+    }
+}
+
+/* override ERR_print_errors_fp to our own implementation */
+#undef ERR_print_errors_fp
+#define ERR_print_errors_fp(stream) report_SSL_errors((stream))
+
 static	SSL_CTX *_ctx[FD_SETSIZE];
 static	SSL *_ssl_context[FD_SETSIZE];
 
@@ -602,7 +619,7 @@ static int SSL_verify_callback( int ok_return, X509_STORE_CTX *ctx, int strict )
 
 	if (outlevel >= O_VERBOSE) {
 		if (depth == 0 && SSLverbose)
-			report(stderr, GT_("Server certificate:\n"));
+			report(stdout, GT_("Server certificate:\n"));
 		else {
 			if (_firstrun) {
 				_firstrun = 0;
@@ -689,7 +706,7 @@ static int SSL_verify_callback( int ok_return, X509_STORE_CTX *ctx, int strict )
 							}
 						}
 					}
-					sk_GENERAL_NAME_free(gens);
+					GENERAL_NAMES_free(gens);
 				}
 				if (name_match(p1, p2)) {
 					matched = 1;
@@ -755,29 +772,44 @@ static int SSL_verify_callback( int ok_return, X509_STORE_CTX *ctx, int strict )
 	} /* if (depth == 0 && !_depth0ck) */
 
 	if (err != X509_V_OK && err != _prev_err && !(_check_fp != 0 && _check_digest && !strict)) {
+		char *tmp;
+		int did_rep_err = 0;
 		_prev_err = err;
-					
+
                 report(stderr, GT_("Server certificate verification error: %s\n"), X509_verify_cert_error_string(err));
                 /* We gave the error code, but maybe we can add some more details for debugging */
 
 		switch (err) {
+		/* actually we do not want to lump these together, but
+		 * since OpenSSL flipped the meaning of these error
+		 * codes in the past, and they do hardly make a
+		 * practical difference because servers need not provide
+		 * the root signing certificate, we don't bother telling
+		 * users the difference:
+		 */
+		case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
 		case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
 			X509_NAME_oneline(issuer, buf, sizeof(buf));
 			buf[sizeof(buf) - 1] = '\0';
-			report(stderr, GT_("unknown issuer (first %d characters): %s\n"), (int)(sizeof(buf)-1), buf);
-			report(stderr, GT_("This error usually happens when the server provides an incomplete certificate "
-						"chain, which is nothing fetchmail could do anything about.  For details, "
-						"please see the README.SSL-SERVER document that comes with fetchmail.\n"));
-			break;
+			report(stderr, GT_("Broken certification chain at: %s\n"), (tmp = sdump(buf, strlen(buf))));
+			xfree(tmp);
+			report(stderr, GT_(	"This could mean that the server did not provide the intermediate CA's certificate(s), "
+						"which is nothing fetchmail could do anything about.  For details, "
+						"please see the README.SSL-SERVER document that ships with fetchmail.\n"));
+			did_rep_err = 1;
+			/* FALLTHROUGH */
 		case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
-		case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
 		case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
-			X509_NAME_oneline(subj, buf, sizeof(buf));
-			buf[sizeof(buf) - 1] = '\0';
-			report(stderr, GT_("This means that the root signing certificate (issued for %s) is not in the "
-						"trusted CA certificate locations, or that c_rehash needs to be run "
+			if (!did_rep_err) {
+			    X509_NAME_oneline(issuer, buf, sizeof(buf));
+			    buf[sizeof(buf) - 1] = '\0';
+			    report(stderr, GT_("Missing trust anchor certificate: %s\n"), (tmp = sdump(buf, strlen(buf))));
+			    xfree(tmp);
+			}
+			report(stderr, GT_(	"This could mean that the root CA's signing certificate is not in the "
+						"trusted CA certificate location, or that c_rehash needs to be run "
 						"on the certificate directory. For details, please "
-						"see the documentation of --sslcertpath and --sslcertfile in the manual page.\n"), buf);
+						"see the documentation of --sslcertpath and --sslcertfile in the manual page.\n"));
 			break;
 		default:
 			break;
@@ -844,6 +876,7 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
 {
         struct stat randstat;
         int i;
+	long sslopts = SSL_OP_ALL;
 
 	SSL_load_error_strings();
 	SSL_library_init();
@@ -874,7 +907,12 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
 	_ssl_context[sock] = NULL;
 	if(myproto) {
 		if(!strcasecmp("ssl2",myproto)) {
+#if HAVE_DECL_SSLV2_CLIENT_METHOD + 0 > 0
 			_ctx[sock] = SSL_CTX_new(SSLv2_client_method());
+#else
+			report(stderr, GT_("Your operating system does not support SSLv2.\n"));
+			return -1;
+#endif
 		} else if(!strcasecmp("ssl3",myproto)) {
 			_ctx[sock] = SSL_CTX_new(SSLv3_client_method());
 		} else if(!strcasecmp("tls1",myproto)) {
@@ -882,7 +920,7 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
 		} else if (!strcasecmp("ssl23",myproto)) {
 			myproto = NULL;
 		} else {
-			fprintf(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSLv23).\n"), myproto);
+			report(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSLv23).\n"), myproto);
 			myproto = NULL;
 		}
 	}
@@ -894,7 +932,13 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
 		return(-1);
 	}
 
-	SSL_CTX_set_options(_ctx[sock], SSL_OP_ALL);
+	{
+	    char *tmp = getenv("FETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE");
+	    if (tmp == NULL || *tmp == '\0' || strspn(tmp, " \t") == strlen(tmp))
+		sslopts &= ~ SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+	}
+
+	SSL_CTX_set_options(_ctx[sock], sslopts);
 
 	if (certck) {
 		SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback);