1 /*
2 * Copyright (c) 2000-2006, 2008, 2009, 2011, 2013-2016 Proofpoint, Inc. and its suppliers.
3 * All rights reserved.
4 *
5 * By using this file, you agree to the terms and conditions set
6 * forth in the LICENSE file which can be found at the top level of
7 * the sendmail distribution.
8 *
9 */
10
11 #include <sendmail.h>
12
13 SM_RCSID("@(#)$Id: tls.c,v 8.127 2013-11-27 02:51:11 gshapiro Exp $")
14
15 #if STARTTLS
16 # include <openssl/err.h>
17 # include <openssl/bio.h>
18 # include <openssl/pem.h>
19 # ifndef HASURANDOMDEV
20 # include <openssl/rand.h>
21 # endif
22 # include <openssl/engine.h>
23 # if _FFR_TLS_ALTNAMES
24 # include <openssl/x509v3.h>
25 # endif
26 # include <tls.h>
27
28 # if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER <= 0x00907000L
29 # error "OpenSSL versions <= 0x00907000L are unsupported."
30 # endif
31
32 # if DANE && OPENSSL_VERSION_NUMBER == 0x30200000L
33 # error OpenSSL 3.2.0 has a bug related to DANE
34 # error see https://github.com/openssl/openssl/pull/22821
35 # endif
36
37 /*
38 ** *SSL version numbers:
39 ** OpenSSL 0.9 - 1.1 (so far), 3.[012]
40 ** LibreSSL 2.0 (0x20000000L - part of "These will never change")
41 */
42
43 # if (OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < 0x20000000L) || OPENSSL_VERSION_NUMBER >= 0x30000000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070000fL)
44 # define MTA_HAVE_DH_set0_pqg 1
45 # define MTA_HAVE_DSA_GENERATE_EX 1
46 # define MTA_HAVE_OPENSSL_init_ssl 1
47 # define MTA_ASN1_STRING_data ASN1_STRING_get0_data
48 # include <openssl/bn.h>
49 # include <openssl/dsa.h>
50 # else
51 # define X509_STORE_CTX_get0_cert(ctx) (ctx)->cert
52 # define MTA_RSA_TMP_CB 1
53 # define MTA_ASN1_STRING_data ASN1_STRING_data
54 # endif
55
56 /* Is this ok or use HAVE_SSL_get1_peer_certificate instead? */
57 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
58 # define MTA_SSL_get_peer_certificate SSL_get1_peer_certificate
59
60 # ifndef HAVE_ERR_get_error_all
61 # define HAVE_ERR_get_error_all 1
62 # endif
63
64 /* use SSL_CTX_set_dh_auto()? which versions provide it? */
65 # define MTA_DH_AUTO 1
66 #else
67 # define MTA_SSL_get_peer_certificate SSL_get_peer_certificate
68 # define MTA_DH_AUTO 0
69 #endif
70
71 #if HAVE_ERR_get_error_all
72 # define MTA_SSL_ERR_get(f, l, d, fl, fct) ERR_get_error_all(f, l, fct, d, fl)
73 #else /* if HAVE_ERR_get_error_line_data ? */
74 # define MTA_SSL_ERR_get(f, l, d, fl, fct) ERR_get_error_line_data(f, l, d, fl)
75 #endif
76
77 # if !TLS_NO_RSA && MTA_RSA_TMP_CB
78 static RSA *rsa_tmp = NULL; /* temporary RSA key */
79 static RSA *tmp_rsa_key __P((SSL *, int, int));
80 # endif
81 static int tls_verify_cb __P((X509_STORE_CTX *, void *));
82
83 static int x509_verify_cb __P((int, X509_STORE_CTX *));
84
85 static void apps_ssl_info_cb __P((const SSL *, int, int));
86 static bool tls_ok_f __P((char *, char *, int));
87 static bool tls_safe_f __P((char *, long, bool));
88 static int tls_verify_log __P((int, X509_STORE_CTX *, const char *));
89
90 int TLSsslidx = -1;
91
92 # if !NO_DH
93 # include <openssl/dh.h>
94 static DH *get_dh512 __P((void));
95
96 static unsigned char dh512_p[] =
97 {
98 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
99 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
100 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
101 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
102 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
103 0x47,0x74,0xE8,0x33
104 };
105 static unsigned char dh512_g[] =
106 {
107 0x02
108 };
109
110 static DH *
get_dh512()111 get_dh512()
112 {
113 DH *dh = NULL;
114 # if MTA_HAVE_DH_set0_pqg
115 BIGNUM *dhp_bn, *dhg_bn;
116 # endif
117
118 if ((dh = DH_new()) == NULL)
119 return NULL;
120 # if MTA_HAVE_DH_set0_pqg
121 dhp_bn = BN_bin2bn(dh512_p, sizeof (dh512_p), NULL);
122 dhg_bn = BN_bin2bn(dh512_g, sizeof (dh512_g), NULL);
123 if (dhp_bn == NULL || dhg_bn == NULL || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
124 DH_free(dh);
125 BN_free(dhp_bn);
126 BN_free(dhg_bn);
127 return NULL;
128 }
129 # else
130 dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
131 dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
132 if ((dh->p == NULL) || (dh->g == NULL))
133 {
134 DH_free(dh);
135 return NULL;
136 }
137 # endif
138 return dh;
139 }
140
141 # if 0
142
143 This is the data from which the C code has been generated:
144
145 -----BEGIN DH PARAMETERS-----
146 MIIBCAKCAQEArDcgcLpxEksQHPlolRKCUJ2szKRziseWV9cUSQNZGxoGw7KkROz4
147 HF9QSbg5axyNIG+QbZYtx0jp3l6/GWq1dLOj27yZkgYgaYgFrvKPiZ2jJ5xETQVH
148 UpZwbjRcyjyWkWYJVsx1aF4F/iY4kT0n/+iGEoimI3C9V3KXTJ2S6jIkyJ6M/CrN
149 EtrDynMlUMGlc7S1ouXVOTrtKeqy3S2L9eBLxVI+sChEijGIfELupdVeXihK006p
150 MgnABPDbkTx6OOtYmSZaGQX+OLW2FPmwvcrzgCz9t9cAsuUcBZv1LeHEqZZttyLU
151 oK0jjSXgFyeU4/NfyA+zuNeWzUL6bHmigwIBAg==
152 -----END DH PARAMETERS-----
153 # endif /* 0 */
154
155 static DH *
156 get_dh2048()
157 {
158 static unsigned char dh2048_p[]={
159 0xAC,0x37,0x20,0x70,0xBA,0x71,0x12,0x4B,0x10,0x1C,0xF9,0x68,
160 0x95,0x12,0x82,0x50,0x9D,0xAC,0xCC,0xA4,0x73,0x8A,0xC7,0x96,
161 0x57,0xD7,0x14,0x49,0x03,0x59,0x1B,0x1A,0x06,0xC3,0xB2,0xA4,
162 0x44,0xEC,0xF8,0x1C,0x5F,0x50,0x49,0xB8,0x39,0x6B,0x1C,0x8D,
163 0x20,0x6F,0x90,0x6D,0x96,0x2D,0xC7,0x48,0xE9,0xDE,0x5E,0xBF,
164 0x19,0x6A,0xB5,0x74,0xB3,0xA3,0xDB,0xBC,0x99,0x92,0x06,0x20,
165 0x69,0x88,0x05,0xAE,0xF2,0x8F,0x89,0x9D,0xA3,0x27,0x9C,0x44,
166 0x4D,0x05,0x47,0x52,0x96,0x70,0x6E,0x34,0x5C,0xCA,0x3C,0x96,
167 0x91,0x66,0x09,0x56,0xCC,0x75,0x68,0x5E,0x05,0xFE,0x26,0x38,
168 0x91,0x3D,0x27,0xFF,0xE8,0x86,0x12,0x88,0xA6,0x23,0x70,0xBD,
169 0x57,0x72,0x97,0x4C,0x9D,0x92,0xEA,0x32,0x24,0xC8,0x9E,0x8C,
170 0xFC,0x2A,0xCD,0x12,0xDA,0xC3,0xCA,0x73,0x25,0x50,0xC1,0xA5,
171 0x73,0xB4,0xB5,0xA2,0xE5,0xD5,0x39,0x3A,0xED,0x29,0xEA,0xB2,
172 0xDD,0x2D,0x8B,0xF5,0xE0,0x4B,0xC5,0x52,0x3E,0xB0,0x28,0x44,
173 0x8A,0x31,0x88,0x7C,0x42,0xEE,0xA5,0xD5,0x5E,0x5E,0x28,0x4A,
174 0xD3,0x4E,0xA9,0x32,0x09,0xC0,0x04,0xF0,0xDB,0x91,0x3C,0x7A,
175 0x38,0xEB,0x58,0x99,0x26,0x5A,0x19,0x05,0xFE,0x38,0xB5,0xB6,
176 0x14,0xF9,0xB0,0xBD,0xCA,0xF3,0x80,0x2C,0xFD,0xB7,0xD7,0x00,
177 0xB2,0xE5,0x1C,0x05,0x9B,0xF5,0x2D,0xE1,0xC4,0xA9,0x96,0x6D,
178 0xB7,0x22,0xD4,0xA0,0xAD,0x23,0x8D,0x25,0xE0,0x17,0x27,0x94,
179 0xE3,0xF3,0x5F,0xC8,0x0F,0xB3,0xB8,0xD7,0x96,0xCD,0x42,0xFA,
180 0x6C,0x79,0xA2,0x83,
181 };
182 static unsigned char dh2048_g[]={ 0x02, };
183 DH *dh;
184 # if MTA_HAVE_DH_set0_pqg
185 BIGNUM *dhp_bn, *dhg_bn;
186 # endif
187
188 if ((dh=DH_new()) == NULL)
189 return(NULL);
190 # if MTA_HAVE_DH_set0_pqg
191 dhp_bn = BN_bin2bn(dh2048_p, sizeof (dh2048_p), NULL);
192 dhg_bn = BN_bin2bn(dh2048_g, sizeof (dh2048_g), NULL);
193 if (dhp_bn == NULL || dhg_bn == NULL || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
194 DH_free(dh);
195 BN_free(dhp_bn);
196 BN_free(dhg_bn);
197 return NULL;
198 }
199 # else
200 dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
201 dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
202 if ((dh->p == NULL) || (dh->g == NULL))
203 {
204 DH_free(dh);
205 return(NULL);
206 }
207 # endif
208 return(dh);
209 }
210 # endif /* !NO_DH */
211
212 /*
213 ** TLS_RAND_INIT -- initialize STARTTLS random generator
214 **
215 ** Parameters:
216 ** randfile -- name of file with random data
217 ** logl -- loglevel
218 **
219 ** Returns:
220 ** success/failure
221 **
222 ** Side Effects:
223 ** initializes PRNG for tls library.
224 */
225
226 # define MIN_RAND_BYTES 128 /* 1024 bits */
227
228 # define RF_OK 0 /* randfile OK */
229 # define RF_MISS 1 /* randfile == NULL || *randfile == '\0' */
230 # define RF_UNKNOWN 2 /* unknown prefix for randfile */
231
232 # define RI_NONE 0 /* no init yet */
233 # define RI_SUCCESS 1 /* init was successful */
234 # define RI_FAIL 2 /* init failed */
235
236 static bool tls_rand_init __P((char *, int));
237
238 static bool
239 tls_rand_init(randfile, logl)
240 char *randfile;
241 int logl;
242 {
243 # ifndef HASURANDOMDEV
244 /* not required if /dev/urandom exists, OpenSSL does it internally */
245
246 bool ok;
247 int randdef;
248 static int done = RI_NONE;
249
250 /*
251 ** initialize PRNG
252 */
253
254 /* did we try this before? if yes: return old value */
255 if (done != RI_NONE)
256 return done == RI_SUCCESS;
257
258 /* set default values */
259 ok = false;
260 done = RI_FAIL;
261 randdef = (SM_IS_EMPTY(randfile)) ? RF_MISS : RF_OK;
262 # if EGD
263 if (randdef == RF_OK && sm_strncasecmp(randfile, "egd:", 4) == 0)
264 {
265 randfile += 4;
266 if (RAND_egd(randfile) < 0)
267 {
268 sm_syslog(LOG_WARNING, NOQID,
269 "STARTTLS: RAND_egd(%s) failed: random number generator not seeded",
270 randfile);
271 }
272 else
273 ok = true;
274 }
275 else
276 # endif /* EGD */
277 /* "else" in #if code above */
278 if (randdef == RF_OK && sm_strncasecmp(randfile, "file:", 5) == 0)
279 {
280 int fd;
281 long sff;
282 struct stat st;
283
284 randfile += 5;
285 sff = SFF_SAFEDIRPATH | SFF_NOWLINK
286 | SFF_NOGWFILES | SFF_NOWWFILES
287 | SFF_NOGRFILES | SFF_NOWRFILES
288 | SFF_MUSTOWN | SFF_ROOTOK | SFF_OPENASROOT;
289 if (DontLockReadFiles)
290 sff |= SFF_NOLOCK;
291 if ((fd = safeopen(randfile, O_RDONLY, 0, sff)) >= 0)
292 {
293 if (fstat(fd, &st) < 0)
294 {
295 if (LogLevel > logl)
296 sm_syslog(LOG_ERR, NOQID,
297 "STARTTLS: can't fstat(%s)",
298 randfile);
299 }
300 else
301 {
302 bool use, problem;
303
304 use = true;
305 problem = false;
306
307 /* max. age of file: 10 minutes */
308 if (st.st_mtime + 600 < curtime())
309 {
310 use = bitnset(DBS_INSUFFICIENTENTROPY,
311 DontBlameSendmail);
312 problem = true;
313 if (LogLevel > logl)
314 sm_syslog(LOG_ERR, NOQID,
315 "STARTTLS: RandFile %s too old: %s",
316 randfile,
317 use ? "unsafe" :
318 "unusable");
319 }
320 if (use && st.st_size < MIN_RAND_BYTES)
321 {
322 use = bitnset(DBS_INSUFFICIENTENTROPY,
323 DontBlameSendmail);
324 problem = true;
325 if (LogLevel > logl)
326 sm_syslog(LOG_ERR, NOQID,
327 "STARTTLS: size(%s) < %d: %s",
328 randfile,
329 MIN_RAND_BYTES,
330 use ? "unsafe" :
331 "unusable");
332 }
333 if (use)
334 ok = RAND_load_file(randfile, -1) >=
335 MIN_RAND_BYTES;
336 if (use && !ok)
337 {
338 if (LogLevel > logl)
339 sm_syslog(LOG_WARNING, NOQID,
340 "STARTTLS: RAND_load_file(%s) failed: random number generator not seeded",
341 randfile);
342 }
343 if (problem)
344 ok = false;
345 }
346 if (ok || bitnset(DBS_INSUFFICIENTENTROPY,
347 DontBlameSendmail))
348 {
349 /* add this even if fstat() failed */
350 RAND_seed((void *) &st, sizeof(st));
351 }
352 (void) close(fd);
353 }
354 else
355 {
356 if (LogLevel > logl)
357 sm_syslog(LOG_WARNING, NOQID,
358 "STARTTLS: Warning: safeopen(%s) failed",
359 randfile);
360 }
361 }
362 else if (randdef == RF_OK)
363 {
364 if (LogLevel > logl)
365 sm_syslog(LOG_WARNING, NOQID,
366 "STARTTLS: Error: no proper random file definition %s",
367 randfile);
368 randdef = RF_UNKNOWN;
369 }
370 if (randdef == RF_MISS)
371 {
372 if (LogLevel > logl)
373 sm_syslog(LOG_WARNING, NOQID,
374 "STARTTLS: Error: missing random file definition");
375 }
376 if (!ok && bitnset(DBS_INSUFFICIENTENTROPY, DontBlameSendmail))
377 {
378 int i;
379 long r;
380 unsigned char buf[MIN_RAND_BYTES];
381
382 /* assert((MIN_RAND_BYTES % sizeof(long)) == 0); */
383 for (i = 0; i <= sizeof(buf) - sizeof(long); i += sizeof(long))
384 {
385 r = get_random();
386 (void) memcpy(buf + i, (void *) &r, sizeof(long));
387 }
388 RAND_seed(buf, sizeof(buf));
389 if (LogLevel > logl)
390 sm_syslog(LOG_WARNING, NOQID,
391 "STARTTLS: Warning: random number generator not properly seeded");
392 ok = true;
393 }
394 done = ok ? RI_SUCCESS : RI_FAIL;
395 return ok;
396 # else /* ! HASURANDOMDEV */
397 return true;
398 # endif /* ! HASURANDOMDEV */
399 }
400
401 /*
402 ** INIT_TLS_LIBRARY -- Calls functions which set up TLS library for global use.
403 **
404 ** Parameters:
405 ** fipsmode -- use FIPS?
406 **
407 ** Returns:
408 ** 0: OK
409 ** <0: perm.fail
410 ** >0: fail but can continue
411 */
412
413 int
414 init_tls_library(fipsmode)
415 bool fipsmode;
416 {
417 bool bv;
418
419 # if _FFR_FIPSMODE
420 if (fipsmode && CertFingerprintAlgorithm == NULL)
421 CertFingerprintAlgorithm = "sha1";
422 # if OPENSSL_VERSION_NUMBER >= 0x30000000L
423 if (LogLevel > 12)
424 sm_syslog(LOG_DEBUG, NOQID,
425 "fipsmode=%d, evp_is_FIPS=%d", fipsmode,
426 EVP_default_properties_is_fips_enabled(NULL));
427 # endif
428 # endif /* _FFR_FIPSMODE */
429
430 /*
431 ** OPENSSL_init_ssl(3): "As of version 1.1.0 OpenSSL will
432 ** automatically allocate all resources that it needs
433 ** so no explicit initialisation is required."
434 */
435
436 # if !MTA_HAVE_OPENSSL_init_ssl
437 /* basic TLS initialization, ignore result for now */
438 SSL_library_init();
439 SSL_load_error_strings();
440 OpenSSL_add_all_algorithms();
441 # endif
442
443 bv = true;
444 if (TLSsslidx < 0)
445 {
446 TLSsslidx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
447 if (TLSsslidx < 0)
448 {
449 if (LogLevel > 0)
450 sm_syslog(LOG_ERR, NOQID,
451 "STARTTLS=init, SSL_get_ex_new_index=%d",
452 TLSsslidx);
453 bv = false;
454 }
455 }
456
457 if (bv)
458 bv = tls_rand_init(RandFile, 7);
459 # if _FFR_FIPSMODE && OPENSSL_VERSION_NUMBER < 0x30000000L
460 if (bv && fipsmode)
461 {
462 if (!FIPS_mode_set(1))
463 {
464 unsigned long err;
465
466 err = ERR_get_error();
467 if (LogLevel > 0)
468 sm_syslog(LOG_ERR, NOQID,
469 "STARTTLS=init, FIPSMode=%s",
470 ERR_error_string(err, NULL));
471 return -1;
472 }
473 else if (LogLevel > 9)
474 {
475 sm_syslog(LOG_INFO, NOQID,
476 "STARTTLS=init, FIPSMode=ok");
477 }
478 }
479 # endif /* _FFR_FIPSMODE && OPENSSL_VERSION_NUMBER < 0x30000000L */
480
481 if (!TLS_set_engine(SSLEngine, true))
482 {
483 if (LogLevel > 0)
484 sm_syslog(LOG_ERR, NOQID,
485 "STARTTLS=init, engine=%s, TLS_set_engine=failed",
486 SSLEngine);
487 return -1;
488 }
489
490 if (bv && CertFingerprintAlgorithm != NULL)
491 {
492 const EVP_MD *md;
493
494 md = EVP_get_digestbyname(CertFingerprintAlgorithm);
495 if (NULL == md)
496 {
497 bv = false;
498 if (LogLevel > 0)
499 sm_syslog(LOG_ERR, NOQID,
500 "STARTTLS=init, CertFingerprintAlgorithm=%s, status=invalid"
501 , CertFingerprintAlgorithm);
502 }
503 else
504 EVP_digest = md;
505 }
506 return bv ? 0 : 1;
507 }
508
509 /*
510 ** TLS_SET_VERIFY -- request client certificate?
511 **
512 ** Parameters:
513 ** ctx -- TLS context
514 ** ssl -- TLS session context
515 ** vrfy -- request certificate?
516 **
517 ** Returns:
518 ** none.
519 **
520 ** Side Effects:
521 ** Sets verification state for TLS
522 **
523 # if TLS_VRFY_PER_CTX
524 ** Notice:
525 ** This is per TLS context, not per TLS structure;
526 ** the former is global, the latter per connection.
527 ** It would be nice to do this per connection, but this
528 ** doesn't work in the current TLS libraries :-(
529 # endif * TLS_VRFY_PER_CTX *
530 */
531
532 void
533 tls_set_verify(ctx, ssl, vrfy)
534 SSL_CTX *ctx;
535 SSL *ssl;
536 bool vrfy;
537 {
538 # if !TLS_VRFY_PER_CTX
539 SSL_set_verify(ssl, vrfy ? SSL_VERIFY_PEER : SSL_VERIFY_NONE, NULL);
540 # else
541 SSL_CTX_set_verify(ctx, vrfy ? SSL_VERIFY_PEER : SSL_VERIFY_NONE,
542 NULL);
543 # endif
544 }
545
546 /*
547 ** status in initialization
548 ** these flags keep track of the status of the initialization
549 ** i.e., whether a file exists (_EX) and whether it can be used (_OK)
550 ** [due to permissions]
551 */
552
553 # define TLS_S_NONE 0x00000000 /* none yet */
554 # define TLS_S_CERT_EX 0x00000001 /* cert file exists */
555 # define TLS_S_CERT_OK 0x00000002 /* cert file is ok */
556 # define TLS_S_KEY_EX 0x00000004 /* key file exists */
557 # define TLS_S_KEY_OK 0x00000008 /* key file is ok */
558 # define TLS_S_CERTP_EX 0x00000010 /* CA cert path exists */
559 # define TLS_S_CERTP_OK 0x00000020 /* CA cert path is ok */
560 # define TLS_S_CERTF_EX 0x00000040 /* CA cert file exists */
561 # define TLS_S_CERTF_OK 0x00000080 /* CA cert file is ok */
562 # define TLS_S_CRLF_EX 0x00000100 /* CRL file exists */
563 # define TLS_S_CRLF_OK 0x00000200 /* CRL file is ok */
564
565 # define TLS_S_CERT2_EX 0x00001000 /* 2nd cert file exists */
566 # define TLS_S_CERT2_OK 0x00002000 /* 2nd cert file is ok */
567 # define TLS_S_KEY2_EX 0x00004000 /* 2nd key file exists */
568 # define TLS_S_KEY2_OK 0x00008000 /* 2nd key file is ok */
569
570 # define TLS_S_DH_OK 0x00200000 /* DH cert is ok */
571 # define TLS_S_DHPAR_EX 0x00400000 /* DH param file exists */
572 # define TLS_S_DHPAR_OK 0x00800000 /* DH param file is ok to use */
573
574 /* Type of variable */
575 # define TLS_T_OTHER 0
576 # define TLS_T_SRV 1
577 # define TLS_T_CLT 2
578
579 /*
580 ** TLS_OK_F -- can var be an absolute filename?
581 **
582 ** Parameters:
583 ** var -- filename
584 ** fn -- what is the filename used for?
585 ** type -- type of variable
586 **
587 ** Returns:
588 ** ok?
589 */
590
591 static bool
592 tls_ok_f(var, fn, type)
593 char *var;
594 char *fn;
595 int type;
596 {
597 /* must be absolute pathname */
598 if (var != NULL && *var == '/')
599 return true;
600 if (LogLevel > 12)
601 sm_syslog(LOG_WARNING, NOQID, "STARTTLS: %s%s missing",
602 type == TLS_T_SRV ? "Server" :
603 (type == TLS_T_CLT ? "Client" : ""), fn);
604 return false;
605 }
606 /*
607 ** TLS_SAFE_F -- is a file safe to use?
608 **
609 ** Parameters:
610 ** var -- filename
611 ** sff -- flags for safefile()
612 ** srv -- server side?
613 **
614 ** Returns:
615 ** ok?
616 */
617
618 static bool
619 tls_safe_f(var, sff, srv)
620 char *var;
621 long sff;
622 bool srv;
623 {
624 int ret;
625
626 if ((ret = safefile(var, RunAsUid, RunAsGid, RunAsUserName, sff,
627 S_IRUSR, NULL)) == 0)
628 return true;
629 if (LogLevel > 7)
630 sm_syslog(LOG_WARNING, NOQID, "STARTTLS=%s: file %s unsafe: %s",
631 srv ? "server" : "client", var, sm_errstring(ret));
632 return false;
633 }
634
635 /*
636 ** TLS_OK_F -- macro to simplify calls to tls_ok_f
637 **
638 ** Parameters:
639 ** var -- filename
640 ** fn -- what is the filename used for?
641 ** req -- is the file required?
642 ** st -- status bit to set if ok
643 ** type -- type of variable
644 **
645 ** Side Effects:
646 ** uses r, ok; may change ok and status.
647 **
648 */
649
650 # define TLS_OK_F(var, fn, req, st, type) if (ok) \
651 { \
652 r = tls_ok_f(var, fn, type); \
653 if (r) \
654 status |= st; \
655 else if (req) \
656 ok = false; \
657 }
658
659 /*
660 ** TLS_UNR -- macro to return whether a file should be unreadable
661 **
662 ** Parameters:
663 ** bit -- flag to test
664 ** req -- flags
665 **
666 ** Returns:
667 ** 0/SFF_NORFILES
668 */
669
670 # define TLS_UNR(bit, req) (bitset(bit, req) ? SFF_NORFILES : 0)
671 # define TLS_OUNR(bit, req) (bitset(bit, req) ? SFF_NOWRFILES : 0)
672 # define TLS_KEYSFF(req) \
673 (bitnset(DBS_GROUPREADABLEKEYFILE, DontBlameSendmail) ? \
674 TLS_OUNR(TLS_I_KEY_OUNR, req) : \
675 TLS_UNR(TLS_I_KEY_UNR, req))
676
677 /*
678 ** TLS_SAFE_F -- macro to simplify calls to tls_safe_f
679 **
680 ** Parameters:
681 ** var -- filename
682 ** sff -- flags for safefile()
683 ** req -- is the file required?
684 ** ex -- does the file exist?
685 ** st -- status bit to set if ok
686 ** srv -- server side?
687 **
688 ** Side Effects:
689 ** uses r, ok, ex; may change ok and status.
690 **
691 */
692
693 # define TLS_SAFE_F(var, sff, req, ex, st, srv) if (ex && ok) \
694 { \
695 r = tls_safe_f(var, sff, srv); \
696 if (r) \
697 status |= st; \
698 else if (req) \
699 ok = false; \
700 }
701
702 /*
703 ** LOAD_CERTKEY -- load cert/key for TLS session
704 **
705 ** Parameters:
706 ** ssl -- TLS session context
707 ** srv -- server side?
708 ** certfile -- filename of certificate
709 ** keyfile -- filename of private key
710 **
711 ** Returns:
712 ** succeeded?
713 */
714
715 bool
716 load_certkey(ssl, srv, certfile, keyfile)
717 SSL *ssl;
718 bool srv;
719 char *certfile;
720 char *keyfile;
721 {
722 bool ok;
723 int r;
724 long sff, status;
725 unsigned long req;
726 char *who;
727
728 ok = true;
729 who = srv ? "server" : "client";
730 status = TLS_S_NONE;
731 req = TLS_I_CERT_EX|TLS_I_KEY_EX;
732 TLS_OK_F(certfile, "CertFile", bitset(TLS_I_CERT_EX, req),
733 TLS_S_CERT_EX, srv ? TLS_T_SRV : TLS_T_CLT);
734 TLS_OK_F(keyfile, "KeyFile", bitset(TLS_I_KEY_EX, req),
735 TLS_S_KEY_EX, srv ? TLS_T_SRV : TLS_T_CLT);
736
737 /* certfile etc. must be "safe". */
738 sff = SFF_REGONLY | SFF_SAFEDIRPATH | SFF_NOWLINK
739 | SFF_NOGWFILES | SFF_NOWWFILES
740 | SFF_ROOTOK | SFF_OPENASROOT;
741 if (!bitnset(DBS_CERTOWNER, DontBlameSendmail))
742 sff |= SFF_MUSTOWN;
743 if (DontLockReadFiles)
744 sff |= SFF_NOLOCK;
745
746 TLS_SAFE_F(certfile, sff | TLS_UNR(TLS_I_CERT_UNR, req),
747 bitset(TLS_I_CERT_EX, req),
748 bitset(TLS_S_CERT_EX, status), TLS_S_CERT_OK, srv);
749 TLS_SAFE_F(keyfile, sff | TLS_KEYSFF(req),
750 bitset(TLS_I_KEY_EX, req),
751 bitset(TLS_S_KEY_EX, status), TLS_S_KEY_OK, srv);
752
753 # define SSL_use_cert(ssl, certfile) \
754 SSL_use_certificate_file(ssl, certfile, SSL_FILETYPE_PEM)
755 # define SSL_USE_CERT "SSL_use_certificate_file"
756
757 if (bitset(TLS_S_CERT_OK, status) &&
758 SSL_use_cert(ssl, certfile) <= 0)
759 {
760 if (LogLevel > 7)
761 {
762 sm_syslog(LOG_WARNING, NOQID,
763 "STARTTLS=%s, error: %s(%s) failed",
764 who, SSL_USE_CERT, certfile);
765 tlslogerr(LOG_WARNING, 9, who);
766 }
767 if (bitset(TLS_I_USE_CERT, req))
768 return false;
769 }
770 if (bitset(TLS_S_KEY_OK, status) &&
771 SSL_use_PrivateKey_file(ssl, keyfile, SSL_FILETYPE_PEM) <= 0)
772 {
773 if (LogLevel > 7)
774 {
775 sm_syslog(LOG_WARNING, NOQID,
776 "STARTTLS=%s, error: SSL_use_PrivateKey_file(%s) failed",
777 who, keyfile);
778 tlslogerr(LOG_WARNING, 9, who);
779 }
780 if (bitset(TLS_I_USE_KEY, req))
781 return false;
782 }
783
784 /* check the private key */
785 if (bitset(TLS_S_KEY_OK, status) &&
786 (r = SSL_check_private_key(ssl)) <= 0)
787 {
788 /* Private key does not match the certificate public key */
789 if (LogLevel > 5)
790 {
791 sm_syslog(LOG_WARNING, NOQID,
792 "STARTTLS=%s, error: SSL_check_private_key failed(%s): %d",
793 who, keyfile, r);
794 tlslogerr(LOG_WARNING, 9, who);
795 }
796 if (bitset(TLS_I_USE_KEY, req))
797 return false;
798 }
799
800 return true;
801 }
802
803 /*
804 ** LOAD_CRLFILE -- load a file holding a CRL into the TLS context
805 **
806 ** Parameters:
807 ** ctx -- TLS context
808 ** srv -- server side?
809 ** filename -- filename of CRL
810 **
811 ** Returns:
812 ** succeeded?
813 */
814
815 static bool load_crlfile __P((SSL_CTX *, bool, char *));
816
817 static bool
818 load_crlfile(ctx, srv, filename)
819 SSL_CTX *ctx;
820 bool srv;
821 char *filename;
822 {
823 char *who;
824 BIO *crl_file;
825 X509_CRL *crl;
826 X509_STORE *store;
827
828 who = srv ? "server" : "client";
829 crl_file = BIO_new(BIO_s_file());
830 if (crl_file == NULL)
831 {
832 if (LogLevel > 9)
833 sm_syslog(LOG_WARNING, NOQID,
834 "STARTTLS=%s, error: BIO_new=failed", who);
835 return false;
836 }
837
838 if (BIO_read_filename(crl_file, filename) < 0)
839 {
840 if (LogLevel > 9)
841 sm_syslog(LOG_WARNING, NOQID,
842 "STARTTLS=%s, error: BIO_read_filename(%s)=failed",
843 who, filename);
844
845 /* avoid memory leaks */
846 BIO_free(crl_file);
847 return false;
848 }
849
850 crl = PEM_read_bio_X509_CRL(crl_file, NULL, NULL, NULL);
851 if (crl == NULL)
852 {
853 if (LogLevel > 9)
854 sm_syslog(LOG_WARNING, NOQID,
855 "STARTTLS=%s, error: PEM_read_bio_X509_CRL(%s)=failed",
856 who, filename);
857 BIO_free(crl_file);
858 return true; /* XXX should probably be 'false' */
859 }
860
861 BIO_free(crl_file);
862
863 /* get a pointer to the current certificate validation store */
864 store = SSL_CTX_get_cert_store(ctx); /* does not fail */
865
866 if (X509_STORE_add_crl(store, crl) == 0)
867 {
868 if (LogLevel > 9)
869 sm_syslog(LOG_WARNING, NOQID,
870 "STARTTLS=%s, error: X509_STORE_add_crl=failed",
871 who);
872 X509_CRL_free(crl);
873 return false;
874 }
875
876 X509_CRL_free(crl);
877
878 X509_STORE_set_flags(store,
879 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
880 X509_STORE_set_verify_cb_func(store, x509_verify_cb);
881
882 return true;
883 }
884
885 /*
886 ** LOAD_CRLPATH -- configure the TLS context to lookup CRLs in a directory
887 **
888 ** Parameters:
889 ** ctx -- TLS context
890 ** srv -- server side?
891 ** path -- path of hashed directory of CRLs
892 **
893 ** Returns:
894 ** succeeded?
895 */
896
897 static bool load_crlpath __P((SSL_CTX *, bool, char *));
898
899 static bool
900 load_crlpath(ctx, srv, path)
901 SSL_CTX *ctx;
902 bool srv;
903 char *path;
904 {
905 char *who;
906 X509_STORE *store;
907 X509_LOOKUP *lookup;
908
909 who = srv ? "server" : "client";
910
911 /* get a pointer to the current certificate validation store */
912 store = SSL_CTX_get_cert_store(ctx); /* does not fail */
913
914 lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
915 if (lookup == NULL)
916 {
917 if (LogLevel > 9)
918 sm_syslog(LOG_WARNING, NOQID,
919 "STARTTLS=%s, error: X509_STORE_add_lookup(hash)=failed",
920 who);
921 return false;
922 }
923
924 if (X509_LOOKUP_add_dir(lookup, path, X509_FILETYPE_PEM) == 0)
925 {
926 if (LogLevel > 9)
927 sm_syslog(LOG_WARNING, NOQID,
928 "STARTTLS=%s, error: X509_LOOKUP_add_dir(%s)=failed",
929 who, path);
930 return false;
931 }
932
933 X509_STORE_set_flags(store,
934 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
935 X509_STORE_set_verify_cb_func(store, x509_verify_cb);
936
937 return true;
938 }
939
940 /*
941 ** INITTLS -- initialize TLS
942 **
943 ** Parameters:
944 ** ctx -- pointer to context
945 ** req -- requirements for initialization (see sendmail.h)
946 ** options -- options
947 ** srv -- server side?
948 ** certfile -- filename of certificate
949 ** keyfile -- filename of private key
950 ** cacertpath -- path to CAs
951 ** cacertfile -- file with CA(s)
952 ** dhparam -- parameters for DH
953 **
954 ** Returns:
955 ** succeeded?
956 */
957
958 /*
959 ** The session_id_context identifies the service that created a session.
960 ** This information is used to distinguish between multiple TLS-based
961 ** servers running on the same server. We use the name of the mail system.
962 ** Note: the session cache is not persistent.
963 */
964
965 static char server_session_id_context[] = "sendmail8";
966
967 /* 0.9.8a and b have a problem with SSL_OP_TLS_BLOCK_PADDING_BUG */
968 # if (OPENSSL_VERSION_NUMBER >= 0x0090800fL)
969 # define SM_SSL_OP_TLS_BLOCK_PADDING_BUG 1
970 # else
971 # define SM_SSL_OP_TLS_BLOCK_PADDING_BUG 0
972 # endif
973
974 bool
975 inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhparam)
976 SSL_CTX **ctx;
977 unsigned long req;
978 unsigned long options;
979 bool srv;
980 char *certfile, *keyfile, *cacertpath, *cacertfile, *dhparam;
981 {
982 # if !NO_DH
983 static DH *dh = NULL;
984 # endif
985 int r;
986 bool ok;
987 long sff, status;
988 char *who;
989 char *cf2, *kf2;
990 # if SM_CONF_SHM && !TLS_NO_RSA && MTA_RSA_TMP_CB
991 extern int ShmId;
992 # endif
993 # if SM_SSL_OP_TLS_BLOCK_PADDING_BUG
994 long rt_version;
995 STACK_OF(SSL_COMP) *comp_methods;
996 # endif
997
998 status = TLS_S_NONE;
999 who = srv ? "server" : "client";
1000 if (ctx == NULL)
1001 {
1002 syserr("STARTTLS=%s, inittls: ctx == NULL", who);
1003 /* NOTREACHED */
1004 SM_ASSERT(ctx != NULL);
1005 }
1006
1007 /* already initialized? (we could re-init...) */
1008 if (*ctx != NULL)
1009 return true;
1010 ok = true;
1011
1012 /*
1013 ** look for a second filename: it must be separated by a ','
1014 ** no blanks allowed (they won't be skipped).
1015 ** we change a global variable here! this change will be undone
1016 ** before return from the function but only if it returns true.
1017 ** this isn't a problem since in a failure case this function
1018 ** won't be called again with the same (overwritten) values.
1019 ** otherwise each return must be replaced with a goto endinittls.
1020 */
1021
1022 cf2 = NULL;
1023 kf2 = NULL;
1024 if (certfile != NULL && (cf2 = strchr(certfile, ',')) != NULL)
1025 {
1026 *cf2++ = '\0';
1027 if (keyfile != NULL && (kf2 = strchr(keyfile, ',')) != NULL)
1028 *kf2++ = '\0';
1029 }
1030
1031 /*
1032 ** Check whether files/paths are defined
1033 */
1034
1035 TLS_OK_F(certfile, "CertFile", bitset(TLS_I_CERT_EX, req),
1036 TLS_S_CERT_EX, srv ? TLS_T_SRV : TLS_T_CLT);
1037 TLS_OK_F(keyfile, "KeyFile", bitset(TLS_I_KEY_EX, req),
1038 TLS_S_KEY_EX, srv ? TLS_T_SRV : TLS_T_CLT);
1039 TLS_OK_F(cacertpath, "CACertPath", bitset(TLS_I_CERTP_EX, req),
1040 TLS_S_CERTP_EX, TLS_T_OTHER);
1041 TLS_OK_F(cacertfile, "CACertFile", bitset(TLS_I_CERTF_EX, req),
1042 TLS_S_CERTF_EX, TLS_T_OTHER);
1043
1044 TLS_OK_F(CRLFile, "CRLFile", bitset(TLS_I_CRLF_EX, req),
1045 TLS_S_CRLF_EX, TLS_T_OTHER);
1046
1047 /*
1048 ** if the second file is specified it must exist
1049 ** XXX: it is possible here to define only one of those files
1050 */
1051
1052 if (cf2 != NULL)
1053 {
1054 TLS_OK_F(cf2, "CertFile", bitset(TLS_I_CERT_EX, req),
1055 TLS_S_CERT2_EX, srv ? TLS_T_SRV : TLS_T_CLT);
1056 }
1057 if (kf2 != NULL)
1058 {
1059 TLS_OK_F(kf2, "KeyFile", bitset(TLS_I_KEY_EX, req),
1060 TLS_S_KEY2_EX, srv ? TLS_T_SRV : TLS_T_CLT);
1061 }
1062
1063 /*
1064 ** valid values for dhparam are (only the first char is checked)
1065 ** none no parameters: don't use DH
1066 ** i use precomputed 2048 bit parameters
1067 ** 512 use precomputed 512 bit parameters
1068 ** 1024 generate 1024 bit parameters
1069 ** 2048 generate 2048 bit parameters
1070 ** /file/name read parameters from /file/name
1071 */
1072
1073 # if MTA_DH_AUTO
1074 # define SET_DH_DFL \
1075 do { \
1076 dhparam = "a"; \
1077 req |= TLS_I_DHAUTO; \
1078 } while (0)
1079 # else
1080 # define SET_DH_DFL \
1081 do { \
1082 dhparam = "I"; \
1083 req |= TLS_I_DHFIXED; \
1084 } while (0)
1085 # endif
1086
1087 if (bitset(TLS_I_TRY_DH, req))
1088 {
1089 if (dhparam != NULL)
1090 {
1091 char c = *dhparam;
1092
1093 # if MTA_DH_AUTO
1094 if (c == 'a')
1095 req |= TLS_I_DHAUTO;
1096 else
1097 # endif
1098 if (c == '1')
1099 req |= TLS_I_DH1024;
1100 else if (c == 'I' || c == 'i')
1101 req |= TLS_I_DHFIXED;
1102 else if (c == '2')
1103 req |= TLS_I_DH2048;
1104 else if (c == '5')
1105 req |= TLS_I_DH512;
1106 else if (c == 'n' || c == 'N')
1107 req &= ~TLS_I_TRY_DH;
1108 else if (c != '/')
1109 {
1110 if (LogLevel > 12)
1111 sm_syslog(LOG_WARNING, NOQID,
1112 "STARTTLS=%s, error: illegal value '%s' for DHParameters",
1113 who, dhparam);
1114 dhparam = NULL;
1115 }
1116 }
1117 if (dhparam == NULL)
1118 SET_DH_DFL;
1119 else if (*dhparam == '/')
1120 {
1121 TLS_OK_F(dhparam, "DHParameters",
1122 bitset(TLS_I_DHPAR_EX, req),
1123 TLS_S_DHPAR_EX, TLS_T_OTHER);
1124 }
1125 }
1126 if (!ok)
1127 return ok;
1128
1129 /* certfile etc. must be "safe". */
1130 sff = SFF_REGONLY | SFF_SAFEDIRPATH | SFF_NOWLINK
1131 | SFF_NOGWFILES | SFF_NOWWFILES
1132 | SFF_ROOTOK | SFF_OPENASROOT;
1133 if (!bitnset(DBS_CERTOWNER, DontBlameSendmail))
1134 sff |= SFF_MUSTOWN;
1135 if (DontLockReadFiles)
1136 sff |= SFF_NOLOCK;
1137
1138 TLS_SAFE_F(certfile, sff | TLS_UNR(TLS_I_CERT_UNR, req),
1139 bitset(TLS_I_CERT_EX, req),
1140 bitset(TLS_S_CERT_EX, status), TLS_S_CERT_OK, srv);
1141 TLS_SAFE_F(keyfile, sff | TLS_KEYSFF(req),
1142 bitset(TLS_I_KEY_EX, req),
1143 bitset(TLS_S_KEY_EX, status), TLS_S_KEY_OK, srv);
1144 TLS_SAFE_F(cacertfile, sff | TLS_UNR(TLS_I_CERTF_UNR, req),
1145 bitset(TLS_I_CERTF_EX, req),
1146 bitset(TLS_S_CERTF_EX, status), TLS_S_CERTF_OK, srv);
1147 if (dhparam != NULL && *dhparam == '/')
1148 {
1149 TLS_SAFE_F(dhparam, sff | TLS_UNR(TLS_I_DHPAR_UNR, req),
1150 bitset(TLS_I_DHPAR_EX, req),
1151 bitset(TLS_S_DHPAR_EX, status), TLS_S_DHPAR_OK, srv);
1152 if (!bitset(TLS_S_DHPAR_OK, status))
1153 SET_DH_DFL;
1154 }
1155 TLS_SAFE_F(CRLFile, sff | TLS_UNR(TLS_I_CRLF_UNR, req),
1156 bitset(TLS_I_CRLF_EX, req),
1157 bitset(TLS_S_CRLF_EX, status), TLS_S_CRLF_OK, srv);
1158 if (!ok)
1159 return ok;
1160 if (cf2 != NULL)
1161 {
1162 TLS_SAFE_F(cf2, sff | TLS_UNR(TLS_I_CERT_UNR, req),
1163 bitset(TLS_I_CERT_EX, req),
1164 bitset(TLS_S_CERT2_EX, status), TLS_S_CERT2_OK, srv);
1165 }
1166 if (kf2 != NULL)
1167 {
1168 TLS_SAFE_F(kf2, sff | TLS_KEYSFF(req),
1169 bitset(TLS_I_KEY_EX, req),
1170 bitset(TLS_S_KEY2_EX, status), TLS_S_KEY2_OK, srv);
1171 }
1172
1173 /* create a method and a new context */
1174 if ((*ctx = SSL_CTX_new(srv ? SSLv23_server_method() :
1175 SSLv23_client_method())) == NULL)
1176 {
1177 if (LogLevel > 7)
1178 sm_syslog(LOG_WARNING, NOQID,
1179 "STARTTLS=%s, error: SSL_CTX_new(SSLv23_%s_method()) failed",
1180 who, who);
1181 tlslogerr(LOG_WARNING, 9, who);
1182 return false;
1183 }
1184
1185 # if _FFR_VRFY_TRUSTED_FIRST
1186 if (!tTd(88, 101))
1187 {
1188 X509_STORE *store;
1189
1190 /* get a pointer to the current certificate validation store */
1191 store = SSL_CTX_get_cert_store(*ctx); /* does not fail */
1192 SM_ASSERT(store != NULL);
1193 X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST);
1194 }
1195 # endif
1196
1197 if (CRLFile != NULL && !load_crlfile(*ctx, srv, CRLFile))
1198 return false;
1199 if (CRLPath != NULL && !load_crlpath(*ctx, srv, CRLPath))
1200 return false;
1201
1202 # if defined(SSL_MODE_AUTO_RETRY) && OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < 0x20000000L
1203 /*
1204 * Turn off blocking I/O handling in OpenSSL: someone turned
1205 * this on by default in 1.1? should we check first?
1206 */
1207 # if _FFR_TESTS
1208 if (LogLevel > 9) {
1209 sff = SSL_CTX_get_mode(*ctx);
1210 if (sff & SSL_MODE_AUTO_RETRY)
1211 sm_syslog(LOG_WARNING, NOQID,
1212 "STARTTLS=%s, SSL_MODE_AUTO_RETRY=set, mode=%#lx",
1213 who, sff);
1214 }
1215
1216 /* hack for testing! */
1217 if (tTd(96, 101) || getenv("SSL_MODE_AUTO_RETRY") != NULL)
1218 SSL_CTX_set_mode(*ctx, SSL_MODE_AUTO_RETRY);
1219 else
1220 # endif /* _FFR_TESTS */
1221 /* "else" in #if code above */
1222 SSL_CTX_clear_mode(*ctx, SSL_MODE_AUTO_RETRY);
1223 # endif /* defined(SSL_MODE_AUTO_RETRY) && OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < 0x20000000L */
1224
1225 # if TLS_NO_RSA
1226 /* turn off backward compatibility, required for no-rsa */
1227 SSL_CTX_set_options(*ctx, SSL_OP_NO_SSLv2);
1228 # endif
1229
1230 # if !TLS_NO_RSA && MTA_RSA_TMP_CB
1231 /*
1232 ** Create a temporary RSA key
1233 ** XXX Maybe we shouldn't create this always (even though it
1234 ** is only at startup).
1235 ** It is a time-consuming operation and it is not always necessary.
1236 ** maybe we should do it only on demand...
1237 */
1238
1239 if (bitset(TLS_I_RSA_TMP, req)
1240 # if SM_CONF_SHM
1241 && ShmId != SM_SHM_NO_ID &&
1242 (rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL,
1243 NULL)) == NULL
1244 # else /* SM_CONF_SHM */
1245 && 0 /* no shared memory: no need to generate key now */
1246 # endif /* SM_CONF_SHM */
1247 )
1248 {
1249 if (LogLevel > 7)
1250 {
1251 sm_syslog(LOG_WARNING, NOQID,
1252 "STARTTLS=%s, error: RSA_generate_key failed",
1253 who);
1254 tlslogerr(LOG_WARNING, 9, who);
1255 }
1256 return false;
1257 }
1258 # endif /* !TLS_NO_RSA && MTA_RSA_TMP_CB */
1259
1260 /*
1261 ** load private key
1262 ** XXX change this for DSA-only version
1263 */
1264
1265 if (bitset(TLS_S_KEY_OK, status) &&
1266 SSL_CTX_use_PrivateKey_file(*ctx, keyfile,
1267 SSL_FILETYPE_PEM) <= 0)
1268 {
1269 if (LogLevel > 7)
1270 {
1271 sm_syslog(LOG_WARNING, NOQID,
1272 "STARTTLS=%s, error: SSL_CTX_use_PrivateKey_file(%s) failed",
1273 who, keyfile);
1274 tlslogerr(LOG_WARNING, 9, who);
1275 }
1276 if (bitset(TLS_I_USE_KEY, req))
1277 return false;
1278 }
1279
1280 # if _FFR_TLS_USE_CERTIFICATE_CHAIN_FILE
1281 # define SSL_CTX_use_cert(ssl_ctx, certfile) \
1282 SSL_CTX_use_certificate_chain_file(ssl_ctx, certfile)
1283 # define SSL_CTX_USE_CERT "SSL_CTX_use_certificate_chain_file"
1284 # else
1285 # define SSL_CTX_use_cert(ssl_ctx, certfile) \
1286 SSL_CTX_use_certificate_file(ssl_ctx, certfile, SSL_FILETYPE_PEM)
1287 # define SSL_CTX_USE_CERT "SSL_CTX_use_certificate_file"
1288 # endif
1289
1290 /* get the certificate file */
1291 if (bitset(TLS_S_CERT_OK, status) &&
1292 SSL_CTX_use_cert(*ctx, certfile) <= 0)
1293 {
1294 if (LogLevel > 7)
1295 {
1296 sm_syslog(LOG_WARNING, NOQID,
1297 "STARTTLS=%s, error: %s(%s) failed",
1298 who, SSL_CTX_USE_CERT, certfile);
1299 tlslogerr(LOG_WARNING, 9, who);
1300 }
1301 if (bitset(TLS_I_USE_CERT, req))
1302 return false;
1303 }
1304
1305 /* check the private key */
1306 if (bitset(TLS_S_KEY_OK, status) &&
1307 (r = SSL_CTX_check_private_key(*ctx)) <= 0)
1308 {
1309 /* Private key does not match the certificate public key */
1310 if (LogLevel > 5)
1311 {
1312 sm_syslog(LOG_WARNING, NOQID,
1313 "STARTTLS=%s, error: SSL_CTX_check_private_key failed(%s): %d",
1314 who, keyfile, r);
1315 tlslogerr(LOG_WARNING, 9, who);
1316 }
1317 if (bitset(TLS_I_USE_KEY, req))
1318 return false;
1319 }
1320
1321 /* XXX this code is pretty much duplicated from above! */
1322
1323 /* load private key */
1324 if (bitset(TLS_S_KEY2_OK, status) &&
1325 SSL_CTX_use_PrivateKey_file(*ctx, kf2, SSL_FILETYPE_PEM) <= 0)
1326 {
1327 if (LogLevel > 7)
1328 {
1329 sm_syslog(LOG_WARNING, NOQID,
1330 "STARTTLS=%s, error: SSL_CTX_use_PrivateKey_file(%s) failed",
1331 who, kf2);
1332 tlslogerr(LOG_WARNING, 9, who);
1333 }
1334 }
1335
1336 /* get the certificate file */
1337 if (bitset(TLS_S_CERT2_OK, status) &&
1338 SSL_CTX_use_cert(*ctx, cf2) <= 0)
1339 {
1340 if (LogLevel > 7)
1341 {
1342 sm_syslog(LOG_WARNING, NOQID,
1343 "STARTTLS=%s, error: %s(%s) failed",
1344 who, SSL_CTX_USE_CERT, cf2);
1345 tlslogerr(LOG_WARNING, 9, who);
1346 }
1347 }
1348
1349 /* also check the private key */
1350 if (bitset(TLS_S_KEY2_OK, status) &&
1351 (r = SSL_CTX_check_private_key(*ctx)) <= 0)
1352 {
1353 /* Private key does not match the certificate public key */
1354 if (LogLevel > 5)
1355 {
1356 sm_syslog(LOG_WARNING, NOQID,
1357 "STARTTLS=%s, error: SSL_CTX_check_private_key 2 failed: %d",
1358 who, r);
1359 tlslogerr(LOG_WARNING, 9, who);
1360 }
1361 }
1362
1363 /* SSL_CTX_set_quiet_shutdown(*ctx, 1); violation of standard? */
1364
1365 # if SM_SSL_OP_TLS_BLOCK_PADDING_BUG
1366
1367 /*
1368 ** In OpenSSL 0.9.8[ab], enabling zlib compression breaks the
1369 ** padding bug work-around, leading to false positives and
1370 ** failed connections. We may not interoperate with systems
1371 ** with the bug, but this is better than breaking on all 0.9.8[ab]
1372 ** systems that have zlib support enabled.
1373 ** Note: this checks the runtime version of the library, not
1374 ** just the compile time version.
1375 */
1376
1377 rt_version = TLS_version_num();
1378 if (rt_version >= 0x00908000L && rt_version <= 0x0090802fL)
1379 {
1380 comp_methods = SSL_COMP_get_compression_methods();
1381 if (comp_methods != NULL && sk_SSL_COMP_num(comp_methods) > 0)
1382 options &= ~SSL_OP_TLS_BLOCK_PADDING_BUG;
1383 }
1384 # endif
1385 SSL_CTX_set_options(*ctx, (long) options);
1386
1387 # if !NO_DH
1388 /* Diffie-Hellman initialization */
1389 if (bitset(TLS_I_TRY_DH, req))
1390 {
1391 # if TLS_EC == 1
1392 EC_KEY *ecdh;
1393 # endif
1394
1395 if (tTd(96, 81))
1396 sm_dprintf("inittls: where=try_dh, req=%#lx, status=%#lx\n",
1397 req, status);
1398 if (bitset(TLS_S_DHPAR_OK, status))
1399 {
1400 BIO *bio;
1401
1402 if ((bio = BIO_new_file(dhparam, "r")) != NULL)
1403 {
1404 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
1405 BIO_free(bio);
1406 if (dh == NULL && LogLevel > 7)
1407 {
1408 unsigned long err;
1409
1410 err = ERR_get_error();
1411 sm_syslog(LOG_WARNING, NOQID,
1412 "STARTTLS=%s, error: cannot read DH parameters(%s): %s",
1413 who, dhparam,
1414 ERR_error_string(err, NULL));
1415 tlslogerr(LOG_WARNING, 9, who);
1416 SET_DH_DFL;
1417 }
1418 }
1419 else
1420 {
1421 if (LogLevel > 5)
1422 {
1423 sm_syslog(LOG_WARNING, NOQID,
1424 "STARTTLS=%s, error: BIO_new_file(%s) failed",
1425 who, dhparam);
1426 tlslogerr(LOG_WARNING, 9, who);
1427 }
1428 }
1429 }
1430 # if MTA_DH_AUTO
1431 if (dh == NULL && bitset(TLS_I_DHAUTO, req))
1432 SSL_CTX_set_dh_auto(*ctx, 1);
1433 else
1434 # endif
1435 if (dh == NULL && bitset(TLS_I_DH1024|TLS_I_DH2048, req))
1436 {
1437 int bits;
1438 DSA *dsa;
1439
1440 bits = bitset(TLS_I_DH2048, req) ? 2048 : 1024;
1441 if (tTd(96, 2))
1442 sm_dprintf("inittls: Generating %d bit DH parameters\n", bits);
1443
1444 # if MTA_HAVE_DSA_GENERATE_EX
1445 dsa = DSA_new();
1446 if (dsa != NULL)
1447 {
1448 r = DSA_generate_parameters_ex(dsa, bits, NULL,
1449 0, NULL, NULL, NULL);
1450 if (r != 0)
1451 dh = DSA_dup_DH(dsa);
1452 }
1453 # else
1454 /* this takes a while! */
1455 dsa = DSA_generate_parameters(bits, NULL, 0, NULL,
1456 NULL, 0, NULL);
1457 dh = DSA_dup_DH(dsa);
1458 # endif
1459 DSA_free(dsa);
1460 }
1461 else if (dh == NULL && bitset(TLS_I_DHFIXED, req))
1462 {
1463 if (tTd(96, 2))
1464 sm_dprintf("inittls: Using precomputed 2048 bit DH parameters\n");
1465 dh = get_dh2048();
1466 }
1467 else if (dh == NULL && bitset(TLS_I_DH512, req))
1468 {
1469 if (tTd(96, 2))
1470 sm_dprintf("inittls: Using precomputed 512 bit DH parameters\n");
1471 dh = get_dh512();
1472 }
1473 if (dh == NULL && !bitset(TLS_I_DHAUTO, req))
1474 {
1475 if (LogLevel > 9)
1476 {
1477 unsigned long err;
1478
1479 err = ERR_get_error();
1480 sm_syslog(LOG_WARNING, NOQID,
1481 "STARTTLS=%s, error: cannot read or set DH parameters(%s): %s",
1482 who, dhparam,
1483 ERR_error_string(err, NULL));
1484 }
1485 if (bitset(TLS_I_REQ_DH, req))
1486 return false;
1487 }
1488 else if (dh != NULL)
1489 {
1490 /* important to avoid small subgroup attacks */
1491 SSL_CTX_set_options(*ctx, SSL_OP_SINGLE_DH_USE);
1492
1493 SSL_CTX_set_tmp_dh(*ctx, dh);
1494 if (LogLevel > 13)
1495 sm_syslog(LOG_INFO, NOQID,
1496 "STARTTLS=%s, Diffie-Hellman init, key=%d bit (%c)",
1497 who, 8 * DH_size(dh), *dhparam);
1498 DH_free(dh);
1499 }
1500
1501 # if TLS_EC == 2
1502 SSL_CTX_set_options(*ctx, SSL_OP_SINGLE_ECDH_USE);
1503 SSL_CTX_set_ecdh_auto(*ctx, 1);
1504 # elif TLS_EC == 1
1505 ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
1506 if (ecdh != NULL)
1507 {
1508 SSL_CTX_set_options(*ctx, SSL_OP_SINGLE_ECDH_USE);
1509 SSL_CTX_set_tmp_ecdh(*ctx, ecdh);
1510 EC_KEY_free(ecdh);
1511 }
1512 else if (LogLevel > 9)
1513 {
1514 sm_syslog(LOG_WARNING, NOQID,
1515 "STARTTLS=%s, EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)=failed, error=%s",
1516 who, ERR_error_string(ERR_get_error(), NULL));
1517 }
1518 # endif /* TLS_EC */
1519
1520 }
1521 # endif /* !NO_DH */
1522
1523 /* XXX do we need this cache here? */
1524 if (bitset(TLS_I_CACHE, req))
1525 {
1526 SSL_CTX_sess_set_cache_size(*ctx, 1);
1527 SSL_CTX_set_timeout(*ctx, 1);
1528 SSL_CTX_set_session_id_context(*ctx,
1529 (void *) &server_session_id_context,
1530 sizeof(server_session_id_context));
1531 (void) SSL_CTX_set_session_cache_mode(*ctx,
1532 SSL_SESS_CACHE_SERVER);
1533 }
1534 else
1535 {
1536 (void) SSL_CTX_set_session_cache_mode(*ctx,
1537 SSL_SESS_CACHE_OFF);
1538 }
1539
1540 /* load certificate locations and default CA paths */
1541 if (bitset(TLS_S_CERTP_EX, status) && bitset(TLS_S_CERTF_EX, status))
1542 {
1543 if ((r = SSL_CTX_load_verify_locations(*ctx, cacertfile,
1544 cacertpath)) == 1)
1545 {
1546 # if !TLS_NO_RSA && MTA_RSA_TMP_CB
1547 if (bitset(TLS_I_RSA_TMP, req))
1548 SSL_CTX_set_tmp_rsa_callback(*ctx, tmp_rsa_key);
1549 # endif
1550
1551 if (srv)
1552 {
1553 SSL_CTX_set_client_CA_list(*ctx,
1554 SSL_load_client_CA_file(cacertfile));
1555 }
1556 }
1557 else
1558 {
1559 /*
1560 ** can't load CA data; do we care?
1561 ** the data is necessary to authenticate the client,
1562 ** which in turn would be necessary
1563 ** if we want to allow relaying based on it.
1564 */
1565
1566 if (LogLevel > 5)
1567 {
1568 sm_syslog(LOG_WARNING, NOQID,
1569 "STARTTLS=%s, error: load verify locs %s, %s failed: %d",
1570 who, cacertpath, cacertfile, r);
1571 tlslogerr(LOG_WARNING,
1572 bitset(TLS_I_VRFY_LOC, req) ? 8 : 9,
1573 who);
1574 }
1575 if (bitset(TLS_I_VRFY_LOC, req))
1576 return false;
1577 }
1578 }
1579
1580 /*
1581 ** XXX currently we could call tls_set_verify()
1582 ** but we hope that that function will later on
1583 ** only set the mode per connection.
1584 */
1585
1586 SSL_CTX_set_verify(*ctx,
1587 bitset(TLS_I_NO_VRFY, req) ? SSL_VERIFY_NONE
1588 : SSL_VERIFY_PEER,
1589 NULL);
1590
1591 /*
1592 ** Always use our callback instead of the builtin version.
1593 ** We have to install our own verify callback:
1594 ** SSL_VERIFY_PEER requests a client cert but even
1595 ** though *FAIL_IF* isn't set, the connection
1596 ** will be aborted if the client presents a cert
1597 ** that is not "liked" (can't be verified?) by
1598 ** the TLS library :-(
1599 */
1600
1601 SSL_CTX_set_cert_verify_callback(*ctx, tls_verify_cb, NULL);
1602
1603 /* XXX: make this dependent on an option? */
1604 if (tTd(96, 9))
1605 SSL_CTX_set_info_callback(*ctx, apps_ssl_info_cb);
1606
1607 /* install our own cipher list */
1608 if (CipherList != NULL && *CipherList != '\0')
1609 {
1610 if (SSL_CTX_set_cipher_list(*ctx, CipherList) <= 0)
1611 {
1612 if (LogLevel > 7)
1613 {
1614 sm_syslog(LOG_WARNING, NOQID,
1615 "STARTTLS=%s, error: SSL_CTX_set_cipher_list(%s) failed, list ignored",
1616 who, CipherList);
1617
1618 tlslogerr(LOG_WARNING, 9, who);
1619 }
1620 /* failure if setting to this list is required? */
1621 }
1622 }
1623
1624 # if MTA_HAVE_TLSv1_3
1625 /* install our own cipher suites */
1626 if (!SM_IS_EMPTY(CipherSuites))
1627 {
1628 if (SSL_CTX_set_ciphersuites(*ctx, CipherSuites) <= 0)
1629 {
1630 if (LogLevel > 7)
1631 {
1632 sm_syslog(LOG_WARNING, NOQID,
1633 "STARTTLS=%s, error: SSL_CTX_set_ciphersuites(%s) failed, suites ignored",
1634 who, CipherSuites);
1635
1636 tlslogerr(LOG_WARNING, 9, who);
1637 }
1638 /* failure if setting to this suites is required? */
1639 }
1640 }
1641 # endif /* MTA_HAVE_TLSv1_3 */
1642
1643 if (LogLevel > 12)
1644 sm_syslog(LOG_INFO, NOQID, "STARTTLS=%s, init=%d", who, ok);
1645
1646 # if 0
1647 /*
1648 ** this label is required if we want to have a "clean" exit
1649 ** see the comments above at the initialization of cf2
1650 */
1651
1652 endinittls:
1653 # endif /* 0 */
1654
1655 /* undo damage to global variables */
1656 if (cf2 != NULL)
1657 *--cf2 = ',';
1658 if (kf2 != NULL)
1659 *--kf2 = ',';
1660
1661 return ok;
1662 }
1663
1664 /*
1665 ** CERT_FP -- get cert fingerprint
1666 **
1667 ** Parameters:
1668 ** cert -- TLS cert
1669 ** evp_digest -- digest algorithm
1670 ** mac -- macro storage
1671 ** macro -- where to store cert fp
1672 **
1673 ** Returns:
1674 ** <=0: cert fp calculation failed
1675 ** >0: cert fp calculation ok
1676 */
1677
1678 static int
1679 cert_fp(cert, evp_digest, mac, macro)
1680 X509 *cert;
1681 const EVP_MD *evp_digest;
1682 MACROS_T *mac;
1683 char *macro;
1684 {
1685 unsigned int n;
1686 int r;
1687 unsigned char md[EVP_MAX_MD_SIZE];
1688 char md5h[EVP_MAX_MD_SIZE * 3];
1689 static const char hexcodes[] = "0123456789ABCDEF";
1690
1691 n = 0;
1692 if ((r = X509_digest(cert, evp_digest, md, &n)) == 0 || n <= 0)
1693 {
1694 macdefine(mac, A_TEMP, macid(macro), "");
1695 return (0 == r) ? 0 : n;
1696 }
1697
1698 SM_ASSERT((n * 3) + 2 < sizeof(md5h));
1699 for (r = 0; r < (int) n; r++)
1700 {
1701 md5h[r * 3] = hexcodes[(md[r] & 0xf0) >> 4];
1702 md5h[(r * 3) + 1] = hexcodes[(md[r] & 0x0f)];
1703 md5h[(r * 3) + 2] = ':';
1704 }
1705 md5h[(n * 3) - 1] = '\0';
1706 macdefine(mac, A_TEMP, macid(macro), md5h);
1707 return 1;
1708 }
1709
1710 /* host for logging */
1711 #define whichhost host == NULL ? "local" : host
1712
1713 # if _FFR_TLS_ALTNAMES
1714
1715 /*
1716 ** CLEARCLASS -- clear the specified class (called from stabapply)
1717 **
1718 ** Parameters:
1719 ** s -- STAB
1720 ** id -- class id
1721 **
1722 ** Returns:
1723 ** none.
1724 */
1725
1726 static void
1727 clearclass(s, id)
1728 STAB *s;
1729 int id;
1730 {
1731 if (s->s_symtype != ST_CLASS)
1732 return;
1733 if (bitnset(bitidx(id), s->s_class))
1734 clrbitn(bitidx(id), s->s_class);
1735 }
1736
1737 /*
1738 ** GETALTNAMES -- set subject_alt_name
1739 **
1740 ** Parameters:
1741 ** cert -- cert
1742 ** srv -- server side?
1743 ** host -- hostname of other side
1744 **
1745 ** Returns:
1746 ** none.
1747 */
1748
1749 static void
1750 getaltnames(cert, srv, host)
1751 X509 *cert;
1752 bool srv;
1753 const char *host;
1754 {
1755 STACK_OF(GENERAL_NAME) *gens;
1756 int i, j, len, r;
1757 const GENERAL_NAME *gn;
1758 char *dnsname, *who;
1759
1760 if (!SetCertAltnames)
1761 return;
1762 who = srv ? "server" : "client";
1763 gens = X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0);
1764 if (gens == NULL)
1765 return;
1766
1767 r = sk_GENERAL_NAME_num(gens);
1768 for (i = 0; i < r; i++)
1769 {
1770 gn = sk_GENERAL_NAME_value(gens, i);
1771 if (gn == NULL || gn->type != GEN_DNS)
1772 continue;
1773
1774 /* Ensure data is IA5 */
1775 if (ASN1_STRING_type(gn->d.ia5) != V_ASN1_IA5STRING)
1776 {
1777 if (LogLevel > 6)
1778 sm_syslog(LOG_INFO, NOQID,
1779 "STARTTLS=%s, relay=%.100s, field=AltName, status=value contains non IA5",
1780 who, whichhost);
1781 continue;
1782 }
1783 dnsname = (char *) MTA_ASN1_STRING_data(gn->d.ia5);
1784 if (dnsname == NULL)
1785 continue;
1786 len = ASN1_STRING_length(gn->d.ia5);
1787
1788 /*
1789 ** "remove" trailing NULs (except for one of course),
1790 ** those can happen and are OK (not a sign of an attack)
1791 */
1792
1793 while (len > 0 && '\0' == dnsname[len - 1])
1794 len--;
1795
1796 #define ISPRINT(c) (isascii(c) && isprint(c))
1797
1798 /* just check for printable char for now */
1799 for (j = 0; j < len && ISPRINT(dnsname[j]); j++)
1800 ;
1801 if (dnsname[j] != '\0' || len != j)
1802 continue;
1803
1804 setclass(macid("{cert_altnames}"), xtextify(dnsname, "<>\")"));
1805 if (LogLevel > 14)
1806 sm_syslog(LOG_DEBUG, NOQID,
1807 "STARTTLS=%s, relay=%.100s, AltName=%s",
1808 who, whichhost, xtextify(dnsname, "<>\")"));
1809 }
1810 }
1811 # else
1812 # define getaltnames(cert, srv, host)
1813 # endif /* _FFR_TLS_ALTNAMES */
1814
1815 # if DANE
1816
1817 /*
1818 ** DANE_RES -- get DANE result if possible
1819 **
1820 ** Parameters:
1821 ** ssl -- TLS connection structure
1822 ** dane_vrfy_ctx -- dane verify context
1823 **
1824 ** Returns:
1825 ** SM_SUCCESS: DANE result dane_vrfy_res is valid
1826 ** SM_NOTDONE: DANE checking not enabled
1827 ** <0: some error
1828 */
1829
1830 static int dane_res __P((SSL *, dane_vrfy_ctx_P));
1831
1832 static int
1833 dane_res(ssl, dane_vrfy_ctx)
1834 SSL *ssl;
1835 dane_vrfy_ctx_P dane_vrfy_ctx;
1836 {
1837 # if HAVE_SSL_CTX_dane_enable
1838 int depth, r;
1839 EVP_PKEY *mspki;
1840 uint8_t usage, selector, mtype;
1841 unsigned const char *rr;
1842 size_t rrlen;
1843 # endif
1844
1845 if (NULL == dane_vrfy_ctx)
1846 {
1847 /* can this happen? should it be logged? */
1848 if (tTd(96, 20))
1849 sm_dprintf("ERROR: dane_res: dane_vrfy_ctx=NULL\n");
1850 return SM_NOTDONE;
1851 }
1852 if (tTd(96, 20))
1853 sm_dprintf("dane_res: dane_vrfy_dane_enabled=%d, chk=%#x, res=%d\n",
1854 dane_vrfy_ctx->dane_vrfy_dane_enabled,
1855 dane_vrfy_ctx->dane_vrfy_chk,
1856 dane_vrfy_ctx->dane_vrfy_res);
1857 if (!VRFY_DANE(dane_vrfy_ctx->dane_vrfy_chk))
1858 {
1859 dane_vrfy_ctx->dane_vrfy_res = DANE_VRFY_NONE;
1860 return SM_NOTDONE;
1861 }
1862 if (dane_vrfy_ctx->dane_vrfy_chk & TLSAFLTEMPVRFY)
1863 {
1864 dane_vrfy_ctx->dane_vrfy_res = DANE_VRFY_TEMP;
1865 return SM_SUCCESS;
1866 }
1867 if (!dane_vrfy_ctx->dane_vrfy_dane_enabled)
1868 {
1869 if (DANE_VRFY_NONE == dane_vrfy_ctx->dane_vrfy_res)
1870 return SM_NOTDONE;
1871 return SM_SUCCESS;
1872 }
1873
1874 # if HAVE_SSL_CTX_dane_enable
1875 mspki = NULL;
1876 depth = SSL_get0_dane_authority(ssl, NULL, &mspki);
1877 if (tTd(96, 20))
1878 sm_dprintf("dane_res: SSL_get0_dane_authority() depth=%d\n", depth);
1879
1880 if (depth < 0)
1881 {
1882 dane_vrfy_ctx->dane_vrfy_res = DANE_VRFY_FAIL;
1883 return SM_SUCCESS;
1884 }
1885
1886 dane_vrfy_ctx->dane_vrfy_res = DANE_VRFY_OK;
1887 r = SSL_get0_dane_tlsa(ssl, &usage, &selector, &mtype, &rr, &rrlen);
1888 if (tTd(96, 20))
1889 sm_dprintf("dane_res: SSL_get0_dane_tlsa=%d, status=%s\n", r,
1890 (mspki != NULL) ? "TA_public_key_verified_certificate"
1891 : (depth > 0) ? "matched_TA_certificate"
1892 : "matched_EE_certificate");
1893
1894 if (LogLevel > 11)
1895 {
1896 /* just for logging */
1897 if (r >= 0 && rr != NULL && rrlen > 0)
1898 {
1899 (void) data2hex((unsigned char *)rr, rrlen,
1900 (unsigned char *)dane_vrfy_ctx->dane_vrfy_fp,
1901 sizeof(dane_vrfy_ctx->dane_vrfy_fp));
1902 }
1903
1904 sm_syslog(LOG_DEBUG, NOQID,
1905 "DANE_depth=%d, DANE_res=%d, SSL_get0_dane_tlsa=%d, fp=%s, status=%s",
1906 depth, dane_vrfy_ctx->dane_vrfy_res, r,
1907 dane_vrfy_ctx->dane_vrfy_fp,
1908 (mspki != NULL) ? "TA_public_key_verified_certificate" :
1909 (depth > 0) ? "matched_TA_certificate" : "matched_EE_certificate"
1910 );
1911 }
1912 # else
1913 SM_ASSERT(!dane_vrfy_ctx->dane_vrfy_dane_enabled);
1914 # endif /* HAVE_SSL_CTX_dane_enable */
1915 return SM_SUCCESS;
1916 }
1917 # endif /* DANE */
1918
1919 /*
1920 ** TLS_GET_INFO -- get information about TLS connection
1921 **
1922 ** Parameters:
1923 ** ssl -- TLS session context
1924 ** srv -- server side?
1925 ** host -- hostname of other side
1926 ** mac -- macro storage
1927 ** certreq -- did we ask for a cert?
1928 **
1929 ** Returns:
1930 ** result of authentication.
1931 **
1932 ** Side Effects:
1933 ** sets various TLS related macros.
1934 */
1935
1936 int
1937 tls_get_info(ssl, srv, host, mac, certreq)
1938 SSL *ssl;
1939 bool srv;
1940 char *host;
1941 MACROS_T *mac;
1942 bool certreq;
1943 {
1944 const SSL_CIPHER *c;
1945 int b, r;
1946 long verifyok;
1947 char *s, *who;
1948 char bitstr[16];
1949 X509 *cert;
1950 # if DANE
1951 dane_vrfy_ctx_P dane_vrfy_ctx;
1952 dane_tlsa_P dane_tlsa;
1953 # endif
1954
1955 c = SSL_get_current_cipher(ssl);
1956
1957 /* cast is just workaround for compiler warning */
1958 macdefine(mac, A_TEMP, macid("{cipher}"),
1959 (char *) SSL_CIPHER_get_name(c));
1960 b = SSL_CIPHER_get_bits(c, &r);
1961 (void) sm_snprintf(bitstr, sizeof(bitstr), "%d", b);
1962 macdefine(mac, A_TEMP, macid("{cipher_bits}"), bitstr);
1963 (void) sm_snprintf(bitstr, sizeof(bitstr), "%d", r);
1964 macdefine(mac, A_TEMP, macid("{alg_bits}"), bitstr);
1965 s = (char *) SSL_get_version(ssl);
1966 if (s == NULL)
1967 s = "UNKNOWN";
1968 macdefine(mac, A_TEMP, macid("{tls_version}"), s);
1969
1970 who = srv ? "server" : "client";
1971 cert = MTA_SSL_get_peer_certificate(ssl);
1972 verifyok = SSL_get_verify_result(ssl);
1973 if (LogLevel > 14)
1974 sm_syslog(LOG_INFO, NOQID,
1975 "STARTTLS=%s, get_verify: %ld get_peer: 0x%lx",
1976 who, verifyok, (unsigned long) cert);
1977 # if _FFR_TLS_ALTNAMES
1978 stabapply(clearclass, macid("{cert_altnames}"));
1979 # endif
1980 if (cert != NULL)
1981 {
1982 X509_NAME *subj, *issuer;
1983 char buf[MAXNAME]; /* EAI: not affected */
1984
1985 subj = X509_get_subject_name(cert);
1986 issuer = X509_get_issuer_name(cert);
1987 X509_NAME_oneline(subj, buf, sizeof(buf));
1988 macdefine(mac, A_TEMP, macid("{cert_subject}"),
1989 xtextify(buf, "<>\")"));
1990 X509_NAME_oneline(issuer, buf, sizeof(buf));
1991 macdefine(mac, A_TEMP, macid("{cert_issuer}"),
1992 xtextify(buf, "<>\")"));
1993
1994 # define LL_BADCERT 8
1995
1996 #define CERTFPMACRO (CertFingerprintAlgorithm != NULL ? "{cert_fp}" : "{cert_md5}")
1997
1998 #define CHECK_X509_NAME(which) \
1999 do { \
2000 if (r == -1) \
2001 { \
2002 sm_strlcpy(buf, "BadCertificateUnknown", sizeof(buf)); \
2003 if (LogLevel > LL_BADCERT) \
2004 sm_syslog(LOG_INFO, NOQID, \
2005 "STARTTLS=%s, relay=%.100s, field=%s, status=failed to extract CN", \
2006 who, whichhost, which); \
2007 } \
2008 else if ((size_t)r >= sizeof(buf) - 1) \
2009 { \
2010 sm_strlcpy(buf, "BadCertificateTooLong", sizeof(buf)); \
2011 if (LogLevel > 7) \
2012 sm_syslog(LOG_INFO, NOQID, \
2013 "STARTTLS=%s, relay=%.100s, field=%s, status=CN too long", \
2014 who, whichhost, which); \
2015 } \
2016 else if ((size_t)r > strlen(buf)) \
2017 { \
2018 sm_strlcpy(buf, "BadCertificateContainsNUL", \
2019 sizeof(buf)); \
2020 if (LogLevel > 7) \
2021 sm_syslog(LOG_INFO, NOQID, \
2022 "STARTTLS=%s, relay=%.100s, field=%s, status=CN contains NUL", \
2023 who, whichhost, which); \
2024 } \
2025 } while (0)
2026
2027 r = X509_NAME_get_text_by_NID(subj, NID_commonName, buf,
2028 sizeof buf);
2029 CHECK_X509_NAME("cn_subject");
2030 macdefine(mac, A_TEMP, macid("{cn_subject}"),
2031 xtextify(buf, "<>\")"));
2032 r = X509_NAME_get_text_by_NID(issuer, NID_commonName, buf,
2033 sizeof buf);
2034 CHECK_X509_NAME("cn_issuer");
2035 macdefine(mac, A_TEMP, macid("{cn_issuer}"),
2036 xtextify(buf, "<>\")"));
2037 r = cert_fp(cert, EVP_digest, mac, CERTFPMACRO);
2038 if (r <= 0 && LogLevel > 8)
2039 {
2040 sm_syslog(LOG_WARNING, NOQID,
2041 "STARTTLS=%s, relay=%.100s, X509_digest=%d, CertFingerprintAlgorithm=%s",
2042 who, whichhost, r,
2043 (NULL == CertFingerprintAlgorithm) ? "md5" :
2044 CertFingerprintAlgorithm);
2045 tlslogerr(LOG_WARNING, 8, who);
2046 }
2047 getaltnames(cert, srv, host);
2048 }
2049 else
2050 {
2051 macdefine(mac, A_PERM, macid("{cert_subject}"), "");
2052 macdefine(mac, A_PERM, macid("{cert_issuer}"), "");
2053 macdefine(mac, A_PERM, macid("{cn_subject}"), "");
2054 macdefine(mac, A_PERM, macid("{cn_issuer}"), "");
2055 macdefine(mac, A_TEMP, macid(CERTFPMACRO), "");
2056 }
2057 # if DANE
2058 dane_vrfy_ctx = NULL;
2059 dane_tlsa = NULL;
2060 if (TLSsslidx >= 0)
2061 {
2062 tlsi_ctx_T *tlsi_ctx;
2063
2064 tlsi_ctx = (tlsi_ctx_P) SSL_get_ex_data(ssl, TLSsslidx);
2065 if (tlsi_ctx != NULL)
2066 {
2067 dane_vrfy_ctx = &(tlsi_ctx->tlsi_dvc);
2068 dane_tlsa = dane_get_tlsa(dane_vrfy_ctx);
2069 }
2070 }
2071
2072 # define DANE_VRFY_RES_IS(r) \
2073 ((dane_vrfy_ctx != NULL) && dane_vrfy_ctx->dane_vrfy_res == (r))
2074
2075 if (tTd(96, 10))
2076 sm_dprintf("tls_get_info: verifyok=%d, dane_vrfy_res=%d\n",
2077 (int)verifyok,
2078 (dane_vrfy_ctx != NULL) ? dane_vrfy_ctx->dane_vrfy_res : -999);
2079 if (SM_SUCCESS == dane_res(ssl, dane_vrfy_ctx))
2080 {
2081 if (DANE_VRFY_RES_IS(DANE_VRFY_OK))
2082 {
2083 s = "TRUSTED";
2084 r = TLS_AUTH_OK;
2085 }
2086 else if (DANE_VRFY_RES_IS(DANE_VRFY_TEMP))
2087 {
2088 s = "DANE_TEMP";
2089 r = TLS_AUTH_TEMP;
2090 }
2091 else if (DANE_VRFY_RES_IS(DANE_VRFY_FAIL))
2092 {
2093 if (dane_tlsa != NULL &&
2094 TLSA_IS_FL(dane_tlsa, TLSAFL2MANY))
2095 {
2096 s = "DANE_TEMP";
2097 r = TLS_AUTH_TEMP;
2098 }
2099 else
2100 {
2101 s = "DANE_FAIL";
2102 r = TLS_AUTH_FAIL;
2103 }
2104 }
2105 else {
2106 s = "BOGUS_DANE_RES";
2107 r = TLS_AUTH_FAIL;
2108 }
2109 }
2110 else
2111 # endif /* if DANE */
2112 /* "else" in #if code above */
2113 switch (verifyok)
2114 {
2115 case X509_V_OK:
2116 if (cert != NULL)
2117 {
2118 s = "OK";
2119 r = TLS_AUTH_OK;
2120 }
2121 else
2122 {
2123 s = certreq ? "NO" : "NOT",
2124 r = TLS_AUTH_NO;
2125 }
2126 break;
2127
2128 default:
2129 s = "FAIL";
2130 r = TLS_AUTH_FAIL;
2131 break;
2132 }
2133 macdefine(mac, A_PERM, macid("{verify}"), s);
2134 if (cert != NULL)
2135 X509_free(cert);
2136
2137 /* do some logging */
2138 if (LogLevel > 8)
2139 {
2140 char *vers, *s1, *s2, *cbits, *algbits;
2141
2142 vers = macget(mac, macid("{tls_version}"));
2143 cbits = macget(mac, macid("{cipher_bits}"));
2144 algbits = macget(mac, macid("{alg_bits}"));
2145
2146 /* XXX: use s directly? */
2147 s1 = macget(mac, macid("{verify}"));
2148 s2 = macget(mac, macid("{cipher}"));
2149
2150 # if DANE
2151 # define LOG_DANE_FP \
2152 ('\0' != dane_vrfy_ctx->dane_vrfy_fp[0] && DANE_VRFY_RES_IS(DANE_VRFY_FAIL))
2153 # endif
2154 /* XXX: maybe cut off ident info? */
2155 sm_syslog(LOG_INFO, NOQID,
2156 "STARTTLS=%s, relay=%.100s, version=%.16s, verify=%.16s, cipher=%.64s, bits=%.6s/%.6s%s%s%s%s",
2157 who,
2158 host == NULL ? "local" : host,
2159 vers, s1, s2, /* sm_snprintf() can deal with NULL */
2160 algbits == NULL ? "0" : algbits,
2161 cbits == NULL ? "0" : cbits
2162 # if DANE
2163 , LOG_DANE_FP ? ", pubkey_fp=" : ""
2164 , LOG_DANE_FP ? dane_vrfy_ctx->dane_vrfy_fp : ""
2165 , (dane_tlsa != NULL
2166 && TLSA_IS_FL(dane_tlsa, TLSAFLUNS)
2167 && !TLSA_IS_FL(dane_tlsa, TLSAFLSUP)
2168 && DANE_VRFY_RES_IS(DANE_VRFY_NONE))
2169 ? ONLYUNSUPTLSARR : ""
2170 , (dane_tlsa != NULL
2171 && TLSA_IS_FL(dane_tlsa, TLSAFL2MANY))
2172 && DANE_VRFY_RES_IS(DANE_VRFY_FAIL)
2173 ? ", note=too many TLSA RRs" : ""
2174 # else
2175 , "", "", "", ""
2176 # endif
2177 );
2178 if (LogLevel > 11)
2179 {
2180 /*
2181 ** Maybe run xuntextify on the strings?
2182 ** That is easier to read but makes it maybe a bit
2183 ** more complicated to figure out the right values
2184 ** for the access map...
2185 */
2186
2187 s1 = macget(mac, macid("{cert_subject}"));
2188 s2 = macget(mac, macid("{cert_issuer}"));
2189 sm_syslog(LOG_INFO, NOQID,
2190 "STARTTLS=%s, cert-subject=%.256s, cert-issuer=%.256s, verifymsg=%s",
2191 who, s1, s2,
2192 X509_verify_cert_error_string(verifyok));
2193 }
2194 }
2195 return r;
2196 }
2197
2198 /*
2199 ** ENDTLS -- shut down secure connection
2200 **
2201 ** Parameters:
2202 ** pssl -- pointer to TLS session context
2203 ** who -- server/client (for logging).
2204 **
2205 ** Returns:
2206 ** success? (EX_* code)
2207 */
2208
2209 int
2210 endtls(pssl, who)
2211 SSL **pssl;
2212 const char *who;
2213 {
2214 SSL *ssl;
2215 int ret, r;
2216
2217 SM_REQUIRE(pssl != NULL);
2218 ret = EX_OK;
2219 ssl = *pssl;
2220 if (ssl == NULL)
2221 return ret;
2222
2223 if ((r = SSL_shutdown(ssl)) < 0)
2224 {
2225 if (LogLevel > 11)
2226 {
2227 sm_syslog(LOG_WARNING, NOQID,
2228 "STARTTLS=%s, SSL_shutdown failed: %d",
2229 who, r);
2230 tlslogerr(LOG_WARNING, 11, who);
2231 }
2232 ret = EX_SOFTWARE;
2233 }
2234
2235 /*
2236 ** Bug in OpenSSL (at least up to 0.9.6b):
2237 ** From: Lutz.Jaenicke@aet.TU-Cottbus.DE
2238 ** Message-ID: <20010723152244.A13122@serv01.aet.tu-cottbus.de>
2239 ** To: openssl-users@openssl.org
2240 ** Subject: Re: SSL_shutdown() woes (fwd)
2241 **
2242 ** The side sending the shutdown alert first will
2243 ** not care about the answer of the peer but will
2244 ** immediately return with a return value of "0"
2245 ** (ssl/s3_lib.c:ssl3_shutdown()). SSL_get_error will evaluate
2246 ** the value of "0" and as the shutdown alert of the peer was
2247 ** not received (actually, the program did not even wait for
2248 ** the answer), an SSL_ERROR_SYSCALL is flagged, because this
2249 ** is the default rule in case everything else does not apply.
2250 **
2251 ** For your server the problem is different, because it
2252 ** receives the shutdown first (setting SSL_RECEIVED_SHUTDOWN),
2253 ** then sends its response (SSL_SENT_SHUTDOWN), so for the
2254 ** server the shutdown was successful.
2255 **
2256 ** As is by know, you would have to call SSL_shutdown() once
2257 ** and ignore an SSL_ERROR_SYSCALL returned. Then call
2258 ** SSL_shutdown() again to actually get the server's response.
2259 **
2260 ** In the last discussion, Bodo Moeller concluded that a
2261 ** rewrite of the shutdown code would be necessary, but
2262 ** probably with another API, as the change would not be
2263 ** compatible to the way it is now. Things do not become
2264 ** easier as other programs do not follow the shutdown
2265 ** guidelines anyway, so that a lot error conditions and
2266 ** compitibility issues would have to be caught.
2267 **
2268 ** For now the recommondation is to ignore the error message.
2269 */
2270
2271 else if (r == 0)
2272 {
2273 if (LogLevel > 15)
2274 {
2275 sm_syslog(LOG_WARNING, NOQID,
2276 "STARTTLS=%s, SSL_shutdown not done",
2277 who);
2278 tlslogerr(LOG_WARNING, 15, who);
2279 }
2280 ret = EX_SOFTWARE;
2281 }
2282 SM_SSL_FREE(*pssl);
2283 return ret;
2284 }
2285
2286 # if !TLS_NO_RSA && MTA_RSA_TMP_CB
2287 /*
2288 ** TMP_RSA_KEY -- return temporary RSA key
2289 **
2290 ** Parameters:
2291 ** ssl -- TLS session context
2292 ** export --
2293 ** keylength --
2294 **
2295 ** Returns:
2296 ** temporary RSA key.
2297 */
2298
2299 # ifndef MAX_RSA_TMP_CNT
2300 # define MAX_RSA_TMP_CNT 1000 /* XXX better value? */
2301 # endif
2302
2303 /* ARGUSED0 */
2304 static RSA *
2305 tmp_rsa_key(s, export, keylength)
2306 SSL *s;
2307 int export;
2308 int keylength;
2309 {
2310 # if SM_CONF_SHM
2311 extern int ShmId;
2312 extern int *PRSATmpCnt;
2313
2314 if (ShmId != SM_SHM_NO_ID && rsa_tmp != NULL &&
2315 ++(*PRSATmpCnt) < MAX_RSA_TMP_CNT)
2316 return rsa_tmp;
2317 # endif /* SM_CONF_SHM */
2318
2319 if (rsa_tmp != NULL)
2320 RSA_free(rsa_tmp);
2321 rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL, NULL);
2322 if (rsa_tmp == NULL)
2323 {
2324 if (LogLevel > 0)
2325 sm_syslog(LOG_ERR, NOQID,
2326 "STARTTLS=server, tmp_rsa_key: RSA_generate_key failed!");
2327 }
2328 else
2329 {
2330 # if SM_CONF_SHM
2331 # if 0
2332 /*
2333 ** XXX we can't (yet) share the new key...
2334 ** The RSA structure contains pointers hence it can't be
2335 ** easily kept in shared memory. It must be transformed
2336 ** into a continuous memory region first, then stored,
2337 ** and later read out again (each time re-transformed).
2338 */
2339
2340 if (ShmId != SM_SHM_NO_ID)
2341 *PRSATmpCnt = 0;
2342 # endif /* 0 */
2343 # endif /* SM_CONF_SHM */
2344 if (LogLevel > 9)
2345 sm_syslog(LOG_ERR, NOQID,
2346 "STARTTLS=server, tmp_rsa_key: new temp RSA key");
2347 }
2348 return rsa_tmp;
2349 }
2350 # endif /* !TLS_NO_RSA && MTA_RSA_TMP_CB */
2351
2352 /*
2353 ** APPS_SSL_INFO_CB -- info callback for TLS connections
2354 **
2355 ** Parameters:
2356 ** ssl -- TLS session context
2357 ** where -- state in handshake
2358 ** ret -- return code of last operation
2359 **
2360 ** Returns:
2361 ** none.
2362 */
2363
2364 static void
2365 apps_ssl_info_cb(ssl, where, ret)
2366 const SSL *ssl;
2367 int where;
2368 int ret;
2369 {
2370 int w;
2371 char *str;
2372 BIO *bio_err = NULL;
2373
2374 if (LogLevel > 14)
2375 sm_syslog(LOG_INFO, NOQID,
2376 "STARTTLS: info_callback where=0x%x, ret=%d",
2377 where, ret);
2378
2379 w = where & ~SSL_ST_MASK;
2380 if (bio_err == NULL)
2381 bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
2382
2383 if (bitset(SSL_ST_CONNECT, w))
2384 str = "SSL_connect";
2385 else if (bitset(SSL_ST_ACCEPT, w))
2386 str = "SSL_accept";
2387 else
2388 str = "undefined";
2389
2390 if (bitset(SSL_CB_LOOP, where))
2391 {
2392 if (LogLevel > 12)
2393 sm_syslog(LOG_NOTICE, NOQID,
2394 "STARTTLS: %s:%s",
2395 str, SSL_state_string_long(ssl));
2396 }
2397 else if (bitset(SSL_CB_ALERT, where))
2398 {
2399 str = bitset(SSL_CB_READ, where) ? "read" : "write";
2400 if (LogLevel > 12)
2401 sm_syslog(LOG_NOTICE, NOQID,
2402 "STARTTLS: SSL3 alert %s:%s:%s",
2403 str, SSL_alert_type_string_long(ret),
2404 SSL_alert_desc_string_long(ret));
2405 }
2406 else if (bitset(SSL_CB_EXIT, where))
2407 {
2408 if (ret == 0)
2409 {
2410 if (LogLevel > 7)
2411 sm_syslog(LOG_WARNING, NOQID,
2412 "STARTTLS: %s:failed in %s",
2413 str, SSL_state_string_long(ssl));
2414 }
2415 else if (ret < 0)
2416 {
2417 if (LogLevel > 7)
2418 sm_syslog(LOG_WARNING, NOQID,
2419 "STARTTLS: %s:error in %s",
2420 str, SSL_state_string_long(ssl));
2421 }
2422 }
2423 }
2424
2425 /*
2426 ** TLS_VERIFY_LOG -- log verify error for TLS certificates
2427 **
2428 ** Parameters:
2429 ** ok -- verify ok?
2430 ** ctx -- X509 context
2431 ** name -- from where is this called?
2432 **
2433 ** Returns:
2434 ** 1 -- ok
2435 */
2436
2437 static int
2438 tls_verify_log(ok, ctx, name)
2439 int ok;
2440 X509_STORE_CTX *ctx;
2441 const char *name;
2442 {
2443 X509 *cert;
2444 int reason, depth;
2445 char buf[512];
2446
2447 cert = X509_STORE_CTX_get_current_cert(ctx);
2448 reason = X509_STORE_CTX_get_error(ctx);
2449 depth = X509_STORE_CTX_get_error_depth(ctx);
2450 X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
2451 sm_syslog(LOG_INFO, NOQID,
2452 "STARTTLS: %s cert verify: depth=%d %s, state=%d, reason=%s",
2453 name, depth, buf, ok, X509_verify_cert_error_string(reason));
2454 return 1;
2455 }
2456
2457 /*
2458 ** Declaration and access to tlsi_ctx in callbacks.
2459 */
2460
2461 #define SM_DECTLSI \
2462 tlsi_ctx_T *tlsi_ctx; \
2463 SSL *ssl
2464 #define SM_GETTLSI \
2465 do { \
2466 tlsi_ctx = NULL; \
2467 if (TLSsslidx >= 0) \
2468 { \
2469 ssl = (SSL *) X509_STORE_CTX_get_ex_data(ctx, \
2470 SSL_get_ex_data_X509_STORE_CTX_idx()); \
2471 if (ssl != NULL) \
2472 tlsi_ctx = (tlsi_ctx_P) SSL_get_ex_data(ssl, TLSsslidx); \
2473 } \
2474 } \
2475 while (0)
2476
2477 # if DANE
2478
2479 /*
2480 ** DANE_GET_TLSA -- Retrieve TLSA RR for DANE
2481 **
2482 ** Parameters:
2483 ** dane_vrfy_ctx -- dane verify context
2484 **
2485 ** Returns:
2486 ** dane_tlsa if TLSA RR is available
2487 ** NULL otherwise
2488 */
2489
2490 dane_tlsa_P
2491 dane_get_tlsa(dane_vrfy_ctx)
2492 dane_vrfy_ctx_P dane_vrfy_ctx;
2493 {
2494 STAB *s;
2495 dane_tlsa_P dane_tlsa;
2496
2497 dane_tlsa = NULL;
2498 if (NULL == dane_vrfy_ctx)
2499 return NULL;
2500 if (!CHK_DANE(dane_vrfy_ctx->dane_vrfy_chk) ||
2501 dane_vrfy_ctx->dane_vrfy_host == NULL)
2502 return NULL;
2503
2504 gettlsa(dane_vrfy_ctx->dane_vrfy_host, NULL, &s,
2505 TLSAFLNOEXP, 0, dane_vrfy_ctx->dane_vrfy_port);
2506 if (NULL == s)
2507 goto notfound;
2508 dane_tlsa = s->s_tlsa;
2509 if (NULL == dane_tlsa)
2510 goto notfound;
2511 if (!TLSA_HAS_RRs(dane_tlsa))
2512 goto notfound;
2513 if (tTd(96, 4))
2514 sm_dprintf("dane_get_tlsa: chk=%#x, host=%s, n=%d, stat=entry found\n",
2515 dane_vrfy_ctx->dane_vrfy_chk,
2516 dane_vrfy_ctx->dane_vrfy_host, dane_tlsa->dane_tlsa_n);
2517 return dane_tlsa;
2518
2519 notfound:
2520 if (tTd(96, 4))
2521 sm_dprintf("dane_get_tlsa: chk=%#x, host=%s, stat=no valid entry found\n",
2522 dane_vrfy_ctx->dane_vrfy_chk,
2523 dane_vrfy_ctx->dane_vrfy_host);
2524 return NULL;
2525 }
2526
2527 /*
2528 ** DANE_VERIFY -- verify callback for TLS certificates
2529 **
2530 ** Parameters:
2531 ** ctx -- X509 context
2532 ** dane_vrfy_ctx -- callback context
2533 **
2534 ** Returns:
2535 ** DANE_VRFY_{OK,NONE,FAIL}
2536 */
2537
2538 /* NOTE: this only works because the "matching type" is 0, 1, 2 for these! */
2539 static const char *dane_mdalgs[] = { "", "sha256", "sha512" };
2540
2541 static int
2542 dane_verify(ctx, dane_vrfy_ctx)
2543 X509_STORE_CTX *ctx;
2544 dane_vrfy_ctx_P dane_vrfy_ctx;
2545 {
2546 int r, i, ok, mdalg;
2547 X509 *cert;
2548 dane_tlsa_P dane_tlsa;
2549 unsigned char *fp;
2550
2551 dane_tlsa = dane_get_tlsa(dane_vrfy_ctx);
2552 if (dane_tlsa == NULL)
2553 return DANE_VRFY_NONE;
2554
2555 dane_vrfy_ctx->dane_vrfy_fp[0] = '\0';
2556 cert = X509_STORE_CTX_get0_cert(ctx);
2557 if (tTd(96, 8))
2558 sm_dprintf("dane_verify: cert=%p, supported=%d\n",
2559 (void *)cert, TLSA_IS_FL(dane_tlsa, TLSAFLSUP));
2560 if (cert == NULL)
2561 return DANE_VRFY_FAIL;
2562
2563 ok = DANE_VRFY_NONE;
2564 fp = NULL;
2565
2566 /*
2567 ** If the TLSA RRs would be sorted the two loops below could
2568 ** be merged into one and simply change mdalg when it changes
2569 ** in dane_tlsa->dane_tlsa_rr.
2570 */
2571
2572 /* use a different order? */
2573 for (mdalg = 0; mdalg < SM_ARRAY_SIZE(dane_mdalgs); mdalg++)
2574 {
2575 SM_FREE(fp);
2576 r = 0;
2577 for (i = 0; i < dane_tlsa->dane_tlsa_n; i++)
2578 {
2579 unsigned char *p;
2580 int alg;
2581
2582 p = dane_tlsa->dane_tlsa_rr[i];
2583
2584 /* ignore bogus/unsupported TLSA RRs */
2585 alg = dane_tlsa_chk(p, dane_tlsa->dane_tlsa_len[i],
2586 dane_vrfy_ctx->dane_vrfy_host, false);
2587 if (tTd(96, 8))
2588 sm_dprintf("dane_verify: alg=%d, mdalg=%d\n",
2589 alg, mdalg);
2590 if (alg != mdalg)
2591 continue;
2592
2593 if (NULL == fp)
2594 {
2595 r = pubkey_fp(cert, dane_mdalgs[mdalg], &fp);
2596 if (NULL == fp)
2597 return DANE_VRFY_FAIL;
2598 /* or continue? */
2599 }
2600
2601 /* just for logging */
2602 if (r > 0 && fp != NULL)
2603 {
2604 (void) data2hex((unsigned char *)fp, r,
2605 (unsigned char *)dane_vrfy_ctx->dane_vrfy_fp,
2606 sizeof(dane_vrfy_ctx->dane_vrfy_fp));
2607 }
2608
2609 if (tTd(96, 4))
2610 sm_dprintf("dane_verify: alg=%d, r=%d, len=%d\n",
2611 alg, r, dane_tlsa->dane_tlsa_len[i]);
2612 if (r != dane_tlsa->dane_tlsa_len[i] - 3)
2613 continue;
2614 ok = DANE_VRFY_FAIL;
2615
2616 /*
2617 ** Note: Type is NOT checked because only 3-1-x
2618 ** is supported.
2619 */
2620
2621 if (memcmp(p + 3, fp, r) == 0)
2622 {
2623 if (tTd(96, 2))
2624 sm_dprintf("dane_verify: status=match\n");
2625 if (tTd(96, 8))
2626 {
2627 unsigned char hex[DANE_FP_DBG_LEN];
2628
2629 data2hex((unsigned char *)p,
2630 dane_tlsa->dane_tlsa_len[i],
2631 hex, sizeof(hex));
2632 sm_dprintf("dane_verify: pubkey_fp=%s\n"
2633 , hex);
2634 }
2635 dane_vrfy_ctx->dane_vrfy_res = DANE_VRFY_OK;
2636 SM_FREE(fp);
2637 return DANE_VRFY_OK;
2638 }
2639 }
2640 }
2641
2642 SM_FREE(fp);
2643 dane_vrfy_ctx->dane_vrfy_res = ok;
2644 return ok;
2645 }
2646
2647 /*
2648 ** SSL_DANE_ENABLE -- enable using OpenSSL DANE functions for a session
2649 **
2650 ** Parameters:
2651 ** dane_vrfy_ctx -- dane verify context
2652 ** ssl -- TLS connection structure
2653 **
2654 ** Returns:
2655 ** SM_SUCCESS: OpenSSL DANE checking enabled
2656 ** SM_NOTDONE: OpenSSL DANE checking not enabled
2657 ** <0: some error
2658 */
2659
2660 int
2661 ssl_dane_enable(dane_vrfy_ctx, ssl)
2662 dane_vrfy_ctx_P dane_vrfy_ctx;
2663 SSL *ssl;
2664 {
2665 # if HAVE_SSL_CTX_dane_enable
2666 const char *dane_tlsa_domain;
2667 int r, i, usable;
2668 # endif
2669 dane_tlsa_P dane_tlsa;
2670
2671 if (tTd(96, 20))
2672 sm_dprintf("ssl_dane_enable: dane_vrfy_ctx=%p, dane_vrfy_dane_enabled=%d, dane_vrfy_chk=%#x\n",
2673 dane_vrfy_ctx, dane_vrfy_ctx->dane_vrfy_dane_enabled,
2674 dane_vrfy_ctx->dane_vrfy_chk);
2675
2676 dane_tlsa = dane_get_tlsa(dane_vrfy_ctx);
2677 if (tTd(96, 20))
2678 sm_dprintf("ssl_dane_enable: dane_tlsa=%p, n=%d, supported=%d\n",
2679 dane_tlsa, dane_tlsa != NULL ? dane_tlsa->dane_tlsa_n : -999,
2680 dane_tlsa != NULL ? TLSA_IS_FL(dane_tlsa, TLSAFLSUP) : -1);
2681 if (NULL == dane_tlsa || !TLSA_IS_FL(dane_tlsa, TLSAFLSUP))
2682 {
2683 /* no DANE verification possible */
2684 dane_vrfy_ctx->dane_vrfy_chk |= TLSAFLNOVRFY;
2685 return SM_SUCCESS;
2686 }
2687 if (0 == (dane_vrfy_ctx->dane_vrfy_chk & TLSAFLADIP))
2688 {
2689 /* no DANE verification possible */
2690 dane_vrfy_ctx->dane_vrfy_chk |= TLSAFLNOVRFY;
2691 return SM_SUCCESS;
2692 }
2693
2694 if (!dane_vrfy_ctx->dane_vrfy_dane_enabled)
2695 {
2696 # if HAVE_SSL_CTX_dane_enable
2697 dane_vrfy_ctx->dane_vrfy_chk |= TLSAFLTEMPVRFY;
2698 # endif
2699 return SM_NOTDONE;
2700 }
2701
2702 # if HAVE_SSL_CTX_dane_enable
2703 dane_tlsa_domain = !SM_IS_EMPTY(dane_vrfy_ctx->dane_vrfy_sni)
2704 ? dane_vrfy_ctx->dane_vrfy_sni
2705 : dane_vrfy_ctx->dane_vrfy_host;
2706 r = SSL_dane_enable(ssl, dane_tlsa_domain);
2707 # if _FFR_TESTS
2708 if (tTd(90, 102))
2709 {
2710 sm_dprintf("ssl_dane_enable: test=simulate SSL_dane_enable error\n");
2711 # ifdef SSL_F_SSL_DANE_ENABLE
2712 SSLerr(SSL_F_SSL_DANE_ENABLE, ERR_R_MALLOC_FAILURE);
2713 # endif
2714 r = -1; /* -ENOMEM; */
2715 }
2716 # endif /* _FFR_TESTS */
2717 if (r <= 0)
2718 {
2719 # if HAVE_SSL_CTX_dane_enable
2720 dane_vrfy_ctx->dane_vrfy_chk |= TLSAFLTEMPVRFY;
2721 # endif
2722 if (LogLevel > 1)
2723 sm_syslog(LOG_ERR, NOQID,
2724 "STARTTLS=client, SSL_dane_enable=%d", r);
2725 tlslogerr(LOG_ERR, 7, "client");
2726
2727 /* XXX need better error code */
2728 return (r < 0) ? r : -EINVAL;
2729 }
2730 if (LogLevel > 13)
2731 sm_syslog(LOG_DEBUG, NOQID,
2732 "STARTTLS=client, SSL_dane_enable=%d, domain=%s",
2733 r, dane_tlsa_domain);
2734 (void) SSL_dane_set_flags(ssl, DANE_FLAG_NO_DANE_EE_NAMECHECKS);
2735
2736 usable = 0;
2737 for (i = 0; i < dane_tlsa->dane_tlsa_n; i++)
2738 {
2739 const unsigned char *rr;
2740 const char *chk;
2741
2742 rr = (const unsigned char *)dane_tlsa->dane_tlsa_rr[i];
2743 if (NULL == rr)
2744 continue;
2745
2746 /*
2747 ** only DANE-TA(2) or DANE-EE(3)
2748 ** use dane_tlsa_chk() instead?
2749 */
2750
2751 # if _FFR_TESTS
2752 if (tTd(90, 101) && 3 == rr[0] && 1 == rr[1])
2753 {
2754 sm_dprintf("TLSA, type=%d-%d-%d:%02x, status=unsupported_due_to_test",
2755 (int)rr[0], (int)rr[1], (int)rr[2],
2756 (int)rr[3]);
2757 r = 0;
2758 chk = "tlsa_test";
2759 }
2760 else
2761 # endif /* _FFR_TESTS */
2762 if (!(2 == rr[0] || 3 == rr[0]))
2763 {
2764 r = 0;
2765 chk = "tlsa_chk";
2766 }
2767 else
2768 {
2769 r = SSL_dane_tlsa_add(ssl, rr[0], rr[1], rr[2], rr + 3,
2770 (size_t) (dane_tlsa->dane_tlsa_len[i] - 3));
2771 chk = "SSL_dane_tlsa_add";
2772 }
2773 if (r > 0)
2774 usable++;
2775 # if HAVE_SSL_CTX_dane_enable && 0
2776 /* should an error be ignored or cause a temporary failure? */
2777 if (r < 0)
2778 dane_vrfy_ctx->dane_vrfy_chk |= TLSAFLTEMPVRFY;
2779 # endif
2780 else if (LogLevel > ((r < 0) ? 10 : 13))
2781 {
2782 unsigned char hex[DANE_FP_LOG_LEN];
2783
2784 (void) data2hex((unsigned char *)rr + 3,
2785 dane_tlsa->dane_tlsa_len[i] - 3,
2786 hex, sizeof(hex));
2787 sm_syslog(LOG_DEBUG, NOQID,
2788 "STARTTLS=client, %s=%d, type=%d-%d-%d, fp=%s"
2789 , chk, r, rr[0], rr[1], rr[2], hex);
2790 tlslogerr(LOG_DEBUG, (r < 0) ? 13 : 10, "client");
2791 }
2792 if (tTd(96, 20))
2793 {
2794 unsigned char hex[DANE_FP_DBG_LEN];
2795
2796 (void) data2hex((unsigned char *)rr + 3,
2797 dane_tlsa->dane_tlsa_len[i] - 3,
2798 hex, sizeof(hex));
2799 sm_dprintf("ssl_dane_enable: SSL_dane_tlsa_add=%d, u=%d, s=%d, d=%d, len=%d, fp=%s\n"
2800 , r, rr[0], rr[1], rr[2]
2801 , dane_tlsa->dane_tlsa_len[i]-3, hex
2802 );
2803 }
2804 }
2805 if (tTd(96, 20))
2806 sm_dprintf("ssl_dane_enable: usable=%d\n", usable);
2807 if (0 == usable)
2808 {
2809 /* shouldn't happen - checked above! */
2810 if (LogLevel > 1)
2811 sm_syslog(LOG_CRIT, NOQID,
2812 "ERROR: ssl_dane_enable() INCONSISTENY: %d usable TLSA RRs found but \"supported\" flag is set (%d)\n",
2813 usable, TLSA_IS_FL(dane_tlsa, TLSAFLSUP));
2814 dane_vrfy_ctx->dane_vrfy_chk |= TLSAFLNOVRFY;
2815 return SM_SUCCESS;
2816 }
2817 # endif /* HAVE_SSL_CTX_dane_enable */
2818 return SM_SUCCESS;
2819 }
2820 # endif /* DANE */
2821
2822 /*
2823 ** TLS_VERIFY_CB -- verify callback for TLS certificates
2824 **
2825 ** Parameters:
2826 ** ctx -- X509 context
2827 ** cb_ctx -- callback context
2828 **
2829 ** Returns:
2830 ** accept connection?
2831 ** currently: always yes.
2832 */
2833
2834 static int
2835 tls_verify_cb(ctx, cb_ctx)
2836 X509_STORE_CTX *ctx;
2837 void *cb_ctx;
2838 {
2839 int ok;
2840 # if DANE
2841 SM_DECTLSI;
2842 dane_vrfy_ctx_P dane_vrfy_ctx;
2843 # endif
2844
2845 /*
2846 ** SSL_CTX_set_cert_verify_callback(3):
2847 ** callback should return 1 to indicate verification success
2848 ** and 0 to indicate verification failure.
2849 */
2850
2851 # if DANE
2852 SM_GETTLSI;
2853 if (tTd(96, 40))
2854 sm_dprintf("tls_verify_cb: tlsi_ctx=%p, vrfy_chk=%#x\n", tlsi_ctx,
2855 (tlsi_ctx != NULL && (dane_vrfy_ctx = &(tlsi_ctx->tlsi_dvc)) != NULL) ?
2856 dane_vrfy_ctx->dane_vrfy_chk : -1);
2857 if (tlsi_ctx != NULL && (dane_vrfy_ctx = &(tlsi_ctx->tlsi_dvc)) != NULL
2858 && !dane_vrfy_ctx->dane_vrfy_dane_enabled
2859 && (0 == (dane_vrfy_ctx->dane_vrfy_chk & TLSAFLTEMPVRFY))
2860 && VRFY_DANE(dane_vrfy_ctx->dane_vrfy_chk)
2861 )
2862 {
2863 int depth;
2864
2865 depth = X509_STORE_CTX_get_error_depth(ctx);
2866 if (tTd(96, 20))
2867 sm_dprintf("tls_verify_cb: enabled=%d, chk=%#x, depth=%d\n",
2868 dane_vrfy_ctx->dane_vrfy_dane_enabled,
2869 dane_vrfy_ctx->dane_vrfy_chk, depth);
2870
2871 if (0 == depth)
2872 {
2873 ok = dane_verify(ctx, dane_vrfy_ctx);
2874 if (tTd(96, 2))
2875 sm_dprintf("tls_verify_cb: dane_verify=%d, res=%d\n", ok,
2876 dane_vrfy_ctx->dane_vrfy_res);
2877 if (ok != DANE_VRFY_NONE)
2878 return 1;
2879 }
2880 }
2881
2882 if (tTd(96, 10))
2883 sm_dprintf("tls_verify_cb: basic check? enabled=%d, chk=%#x\n",
2884 (tlsi_ctx != NULL && dane_vrfy_ctx != NULL) ?
2885 dane_vrfy_ctx->dane_vrfy_dane_enabled : -1,
2886 (tlsi_ctx != NULL && dane_vrfy_ctx != NULL) ?
2887 dane_vrfy_ctx->dane_vrfy_chk : -1);
2888 # endif /* DANE */
2889
2890 ok = X509_verify_cert(ctx);
2891 if ((LogLevel > 13 && ok <= 0) || LogLevel > 14)
2892 (void) tls_verify_log(ok, ctx, "TLS");
2893 return 1;
2894 }
2895
2896 /*
2897 ** TLSLOGERR -- log the errors from the TLS error stack
2898 **
2899 ** Parameters:
2900 ** priority -- syslog priority
2901 ** ll -- loglevel
2902 ** who -- server/client (for logging).
2903 **
2904 ** Returns:
2905 ** none.
2906 */
2907
2908 void
2909 tlslogerr(priority, ll, who)
2910 int priority;
2911 int ll;
2912 const char *who;
2913 {
2914 unsigned long l;
2915 int line, flags;
2916 char *file, *data;
2917 char buf[256];
2918
2919 if (LogLevel <= ll)
2920 return;
2921 while ((l = MTA_SSL_ERR_get((const char **) &file, &line,
2922 (const char **) &data, &flags, NULL))
2923 != 0)
2924 {
2925 sm_syslog(priority, NOQID,
2926 "STARTTLS=%s: %s:%s:%d:%s", who,
2927 ERR_error_string(l, buf),
2928 file, line,
2929 bitset(ERR_TXT_STRING, flags) ? data : "");
2930 }
2931 }
2932
2933 /*
2934 ** X509_VERIFY_CB -- verify callback
2935 **
2936 ** Parameters:
2937 ** ok -- current result
2938 ** ctx -- X509 context
2939 **
2940 ** Returns:
2941 ** accept connection?
2942 ** currently: always yes.
2943 */
2944
2945 static int
2946 x509_verify_cb(ok, ctx)
2947 int ok;
2948 X509_STORE_CTX *ctx;
2949 {
2950 SM_DECTLSI;
2951
2952 if (ok != 0)
2953 return ok;
2954
2955 SM_GETTLSI;
2956 if (LogLevel > 13)
2957 tls_verify_log(ok, ctx, "X509");
2958 if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL &&
2959 !SM_TLSI_IS(tlsi_ctx, TLSI_FL_CRLREQ))
2960 {
2961 X509_STORE_CTX_set_error(ctx, 0);
2962 return 1; /* override it */
2963 }
2964 return ok;
2965 }
2966
2967 # if !USE_OPENSSL_ENGINE && !defined(OPENSSL_NO_ENGINE)
2968 /*
2969 ** TLS_SET_ENGINE -- set up ENGINE if needed
2970 **
2971 ** Parameters:
2972 ** id -- id for ENGINE
2973 ** isprefork -- called before fork()?
2974 **
2975 ** Returns: (OpenSSL "semantics", reverse it to allow returning error codes)
2976 ** 0: failure
2977 ** !=0: ok
2978 */
2979
2980 int
2981 TLS_set_engine(id, isprefork)
2982 const char *id;
2983 bool isprefork;
2984 {
2985 static bool TLSEngineInitialized = false;
2986 ENGINE *e;
2987 char enginepath[MAXPATHLEN];
2988
2989 /*
2990 ** Todo: put error for logging into a string and log it in error:
2991 */
2992
2993 if (LogLevel > 13)
2994 sm_syslog(LOG_DEBUG, NOQID,
2995 "engine=%s, path=%s, ispre=%d, pre=%d, initialized=%d",
2996 id, SSLEnginePath, isprefork, SSLEngineprefork,
2997 TLSEngineInitialized);
2998 if (TLSEngineInitialized)
2999 return 1;
3000 if (SM_IS_EMPTY(id))
3001 return 1;
3002 # if !defined(ENGINE_METHOD_ALL)
3003 if (LogLevel > 9)
3004 sm_syslog(LOG_NOTICE, NOQID,
3005 "engine=%s, status=engines_not_support", id)
3006 goto error;
3007 # endif
3008
3009 /* is this the "right time" to initialize the engine? */
3010 if (isprefork != SSLEngineprefork)
3011 return 1;
3012
3013 e = NULL;
3014 ENGINE_load_builtin_engines();
3015
3016 if (SSLEnginePath != NULL && *SSLEnginePath != '\0')
3017 {
3018 if ((e = ENGINE_by_id("dynamic")) == NULL)
3019 {
3020 if (LogLevel > 1)
3021 sm_syslog(LOG_ERR, NOQID,
3022 "engine=%s, by_id=failed", "dynamic");
3023 goto error;
3024 }
3025 (void) sm_snprintf(enginepath, sizeof(enginepath),
3026 "%s/lib%s.so", SSLEnginePath, id);
3027
3028 if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", enginepath, 0))
3029 {
3030 if (LogLevel > 1)
3031 sm_syslog(LOG_ERR, NOQID,
3032 "engine=%s, SO_PATH=%s, status=failed",
3033 id, enginepath);
3034 goto error;
3035 }
3036
3037 if (!ENGINE_ctrl_cmd_string(e, "ID", id, 0))
3038 {
3039 if (LogLevel > 1)
3040 sm_syslog(LOG_ERR, NOQID,
3041 "engine=%s, ID=failed", id);
3042 goto error;
3043 }
3044
3045 if (!ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0))
3046 {
3047 if (LogLevel > 1)
3048 sm_syslog(LOG_ERR, NOQID,
3049 "engine=%s, LOAD=failed", id);
3050 goto error;
3051 }
3052 }
3053 else if ((e = ENGINE_by_id(id)) == NULL)
3054 {
3055 if (LogLevel > 1)
3056 sm_syslog(LOG_ERR, NOQID, "engine=%s, by_id=failed",
3057 id);
3058 return 0;
3059 }
3060
3061 if (!ENGINE_init(e))
3062 {
3063 if (LogLevel > 1)
3064 sm_syslog(LOG_ERR, NOQID, "engine=%s, init=failed", id);
3065 goto error;
3066 }
3067 if (!ENGINE_set_default(e, ENGINE_METHOD_ALL))
3068 {
3069 if (LogLevel > 1)
3070 sm_syslog(LOG_ERR, NOQID,
3071 "engine=%s, set_default=failed", id);
3072 goto error;
3073 }
3074 # ifdef ENGINE_CTRL_CHIL_SET_FORKCHECK
3075 if (strcmp(id, "chil") == 0)
3076 ENGINE_ctrl(e, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
3077 # endif
3078
3079 /* Free our "structural" reference. */
3080 ENGINE_free(e);
3081 if (LogLevel > 10)
3082 sm_syslog(LOG_INFO, NOQID, "engine=%s, loaded=ok", id);
3083 TLSEngineInitialized = true;
3084 return 1;
3085
3086 error:
3087 tlslogerr(LOG_WARNING, 7, "init");
3088 if (e != NULL)
3089 ENGINE_free(e);
3090 return 0;
3091 }
3092 # endif /* !USE_OPENSSL_ENGINE && !defined(OPENSSL_NO_ENGINE) */
3093 #endif /* STARTTLS */
3094