1 /* 2 * Copyright (c) 2000-2006, 2008, 2009, 2011, 2013 Proofpoint, Inc. and its suppliers. 3 * All rights reserved. 4 * 5 * By using this file, you agree to the terms and conditions set 6 * forth in the LICENSE file which can be found at the top level of 7 * the sendmail distribution. 8 * 9 */ 10 11 #include <sendmail.h> 12 13 SM_RCSID("@(#)$Id: tls.c,v 8.127 2013-11-27 02:51:11 gshapiro Exp $") 14 15 #if STARTTLS 16 # include <openssl/err.h> 17 # include <openssl/bio.h> 18 # include <openssl/pem.h> 19 # if !NO_DH 20 # include <openssl/dh.h> 21 # endif /* !NO_DH */ 22 # ifndef HASURANDOMDEV 23 # include <openssl/rand.h> 24 # endif /* ! HASURANDOMDEV */ 25 # if !TLS_NO_RSA 26 static RSA *rsa_tmp = NULL; /* temporary RSA key */ 27 static RSA *tmp_rsa_key __P((SSL *, int, int)); 28 # endif /* !TLS_NO_RSA */ 29 # if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x00907000L 30 static int tls_verify_cb __P((X509_STORE_CTX *)); 31 # else /* !defined() || OPENSSL_VERSION_NUMBER < 0x00907000L */ 32 static int tls_verify_cb __P((X509_STORE_CTX *, void *)); 33 # endif /* !defined() || OPENSSL_VERSION_NUMBER < 0x00907000L */ 34 35 # if OPENSSL_VERSION_NUMBER > 0x00907000L 36 static int x509_verify_cb __P((int, X509_STORE_CTX *)); 37 # endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */ 38 39 # if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x00907000L 40 # define CONST097 41 # else /* !defined() || OPENSSL_VERSION_NUMBER < 0x00907000L */ 42 # define CONST097 const 43 # endif /* !defined() || OPENSSL_VERSION_NUMBER < 0x00907000L */ 44 static void apps_ssl_info_cb __P((CONST097 SSL *, int , int)); 45 static bool tls_ok_f __P((char *, char *, int)); 46 static bool tls_safe_f __P((char *, long, bool)); 47 static int tls_verify_log __P((int, X509_STORE_CTX *, const char *)); 48 49 # if !NO_DH 50 # if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100001L || \ 51 (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) 52 static int 53 DH_set0_pqg(dh, p, q, g) 54 DH *dh; 55 BIGNUM *p; 56 BIGNUM *q; 57 BIGNUM *g; 58 { 59 dh->p = p; 60 if (q != NULL) 61 dh->q = q; 62 dh->g = g; 63 return 1; /* success */ 64 } 65 # endif /* !defined() || OPENSSL_VERSION_NUMBER < 0x00907000L */ 66 67 static DH *get_dh512 __P((void)); 68 69 static unsigned char dh512_p[] = 70 { 71 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75, 72 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F, 73 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3, 74 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12, 75 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C, 76 0x47,0x74,0xE8,0x33 77 }; 78 static unsigned char dh512_g[] = 79 { 80 0x02 81 }; 82 83 static DH * 84 get_dh512() 85 { 86 DH *dh; 87 BIGNUM *dhp_bn, *dhg_bn; 88 89 if ((dh = DH_new()) == NULL) 90 return NULL; 91 dhp_bn = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL); 92 dhg_bn = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL); 93 if ((dhp_bn == NULL) || (dhg_bn == NULL)) 94 { 95 DH_free(dh); 96 BN_free(dhp_bn); 97 BN_free(dhg_bn); 98 return NULL; 99 } 100 if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) 101 { 102 DH_free(dh); 103 return NULL; 104 } 105 return dh; 106 } 107 108 # if 0 109 110 This is the data from which the C code has been generated: 111 112 -----BEGIN DH PARAMETERS----- 113 MIIBCAKCAQEArDcgcLpxEksQHPlolRKCUJ2szKRziseWV9cUSQNZGxoGw7KkROz4 114 HF9QSbg5axyNIG+QbZYtx0jp3l6/GWq1dLOj27yZkgYgaYgFrvKPiZ2jJ5xETQVH 115 UpZwbjRcyjyWkWYJVsx1aF4F/iY4kT0n/+iGEoimI3C9V3KXTJ2S6jIkyJ6M/CrN 116 EtrDynMlUMGlc7S1ouXVOTrtKeqy3S2L9eBLxVI+sChEijGIfELupdVeXihK006p 117 MgnABPDbkTx6OOtYmSZaGQX+OLW2FPmwvcrzgCz9t9cAsuUcBZv1LeHEqZZttyLU 118 oK0jjSXgFyeU4/NfyA+zuNeWzUL6bHmigwIBAg== 119 -----END DH PARAMETERS----- 120 # endif /* 0 */ 121 122 static DH * 123 get_dh2048() 124 { 125 static unsigned char dh2048_p[] = { 126 0xAC,0x37,0x20,0x70,0xBA,0x71,0x12,0x4B,0x10,0x1C,0xF9,0x68, 127 0x95,0x12,0x82,0x50,0x9D,0xAC,0xCC,0xA4,0x73,0x8A,0xC7,0x96, 128 0x57,0xD7,0x14,0x49,0x03,0x59,0x1B,0x1A,0x06,0xC3,0xB2,0xA4, 129 0x44,0xEC,0xF8,0x1C,0x5F,0x50,0x49,0xB8,0x39,0x6B,0x1C,0x8D, 130 0x20,0x6F,0x90,0x6D,0x96,0x2D,0xC7,0x48,0xE9,0xDE,0x5E,0xBF, 131 0x19,0x6A,0xB5,0x74,0xB3,0xA3,0xDB,0xBC,0x99,0x92,0x06,0x20, 132 0x69,0x88,0x05,0xAE,0xF2,0x8F,0x89,0x9D,0xA3,0x27,0x9C,0x44, 133 0x4D,0x05,0x47,0x52,0x96,0x70,0x6E,0x34,0x5C,0xCA,0x3C,0x96, 134 0x91,0x66,0x09,0x56,0xCC,0x75,0x68,0x5E,0x05,0xFE,0x26,0x38, 135 0x91,0x3D,0x27,0xFF,0xE8,0x86,0x12,0x88,0xA6,0x23,0x70,0xBD, 136 0x57,0x72,0x97,0x4C,0x9D,0x92,0xEA,0x32,0x24,0xC8,0x9E,0x8C, 137 0xFC,0x2A,0xCD,0x12,0xDA,0xC3,0xCA,0x73,0x25,0x50,0xC1,0xA5, 138 0x73,0xB4,0xB5,0xA2,0xE5,0xD5,0x39,0x3A,0xED,0x29,0xEA,0xB2, 139 0xDD,0x2D,0x8B,0xF5,0xE0,0x4B,0xC5,0x52,0x3E,0xB0,0x28,0x44, 140 0x8A,0x31,0x88,0x7C,0x42,0xEE,0xA5,0xD5,0x5E,0x5E,0x28,0x4A, 141 0xD3,0x4E,0xA9,0x32,0x09,0xC0,0x04,0xF0,0xDB,0x91,0x3C,0x7A, 142 0x38,0xEB,0x58,0x99,0x26,0x5A,0x19,0x05,0xFE,0x38,0xB5,0xB6, 143 0x14,0xF9,0xB0,0xBD,0xCA,0xF3,0x80,0x2C,0xFD,0xB7,0xD7,0x00, 144 0xB2,0xE5,0x1C,0x05,0x9B,0xF5,0x2D,0xE1,0xC4,0xA9,0x96,0x6D, 145 0xB7,0x22,0xD4,0xA0,0xAD,0x23,0x8D,0x25,0xE0,0x17,0x27,0x94, 146 0xE3,0xF3,0x5F,0xC8,0x0F,0xB3,0xB8,0xD7,0x96,0xCD,0x42,0xFA, 147 0x6C,0x79,0xA2,0x83, 148 }; 149 static unsigned char dh2048_g[] = { 0x02, }; 150 DH *dh; 151 BIGNUM *dhp_bn, *dhg_bn; 152 153 if ((dh = DH_new()) == NULL) 154 return NULL; 155 dhp_bn = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL); 156 dhg_bn = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL); 157 if ((dhp_bn == NULL) || (dhg_bn == NULL)) 158 { 159 DH_free(dh); 160 BN_free(dhp_bn); 161 BN_free(dhg_bn); 162 return NULL; 163 } 164 if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) 165 { 166 DH_free(dh); 167 return NULL; 168 } 169 return dh; 170 } 171 # endif /* !NO_DH */ 172 173 174 /* 175 ** TLS_RAND_INIT -- initialize STARTTLS random generator 176 ** 177 ** Parameters: 178 ** randfile -- name of file with random data 179 ** logl -- loglevel 180 ** 181 ** Returns: 182 ** success/failure 183 ** 184 ** Side Effects: 185 ** initializes PRNG for tls library. 186 */ 187 188 # define MIN_RAND_BYTES 128 /* 1024 bits */ 189 190 # define RF_OK 0 /* randfile OK */ 191 # define RF_MISS 1 /* randfile == NULL || *randfile == '\0' */ 192 # define RF_UNKNOWN 2 /* unknown prefix for randfile */ 193 194 # define RI_NONE 0 /* no init yet */ 195 # define RI_SUCCESS 1 /* init was successful */ 196 # define RI_FAIL 2 /* init failed */ 197 198 static bool tls_rand_init __P((char *, int)); 199 200 static bool 201 tls_rand_init(randfile, logl) 202 char *randfile; 203 int logl; 204 { 205 # ifndef HASURANDOMDEV 206 /* not required if /dev/urandom exists, OpenSSL does it internally */ 207 208 bool ok; 209 int randdef; 210 static int done = RI_NONE; 211 212 /* 213 ** initialize PRNG 214 */ 215 216 /* did we try this before? if yes: return old value */ 217 if (done != RI_NONE) 218 return done == RI_SUCCESS; 219 220 /* set default values */ 221 ok = false; 222 done = RI_FAIL; 223 randdef = (randfile == NULL || *randfile == '\0') ? RF_MISS : RF_OK; 224 # if EGD 225 if (randdef == RF_OK && sm_strncasecmp(randfile, "egd:", 4) == 0) 226 { 227 randfile += 4; 228 if (RAND_egd(randfile) < 0) 229 { 230 sm_syslog(LOG_WARNING, NOQID, 231 "STARTTLS: RAND_egd(%s) failed: random number generator not seeded", 232 randfile); 233 } 234 else 235 ok = true; 236 } 237 else 238 # endif /* EGD */ 239 if (randdef == RF_OK && sm_strncasecmp(randfile, "file:", 5) == 0) 240 { 241 int fd; 242 long sff; 243 struct stat st; 244 245 randfile += 5; 246 sff = SFF_SAFEDIRPATH | SFF_NOWLINK 247 | SFF_NOGWFILES | SFF_NOWWFILES 248 | SFF_NOGRFILES | SFF_NOWRFILES 249 | SFF_MUSTOWN | SFF_ROOTOK | SFF_OPENASROOT; 250 if (DontLockReadFiles) 251 sff |= SFF_NOLOCK; 252 if ((fd = safeopen(randfile, O_RDONLY, 0, sff)) >= 0) 253 { 254 if (fstat(fd, &st) < 0) 255 { 256 if (LogLevel > logl) 257 sm_syslog(LOG_ERR, NOQID, 258 "STARTTLS: can't fstat(%s)", 259 randfile); 260 } 261 else 262 { 263 bool use, problem; 264 265 use = true; 266 problem = false; 267 268 /* max. age of file: 10 minutes */ 269 if (st.st_mtime + 600 < curtime()) 270 { 271 use = bitnset(DBS_INSUFFICIENTENTROPY, 272 DontBlameSendmail); 273 problem = true; 274 if (LogLevel > logl) 275 sm_syslog(LOG_ERR, NOQID, 276 "STARTTLS: RandFile %s too old: %s", 277 randfile, 278 use ? "unsafe" : 279 "unusable"); 280 } 281 if (use && st.st_size < MIN_RAND_BYTES) 282 { 283 use = bitnset(DBS_INSUFFICIENTENTROPY, 284 DontBlameSendmail); 285 problem = true; 286 if (LogLevel > logl) 287 sm_syslog(LOG_ERR, NOQID, 288 "STARTTLS: size(%s) < %d: %s", 289 randfile, 290 MIN_RAND_BYTES, 291 use ? "unsafe" : 292 "unusable"); 293 } 294 if (use) 295 ok = RAND_load_file(randfile, -1) >= 296 MIN_RAND_BYTES; 297 if (use && !ok) 298 { 299 if (LogLevel > logl) 300 sm_syslog(LOG_WARNING, NOQID, 301 "STARTTLS: RAND_load_file(%s) failed: random number generator not seeded", 302 randfile); 303 } 304 if (problem) 305 ok = false; 306 } 307 if (ok || bitnset(DBS_INSUFFICIENTENTROPY, 308 DontBlameSendmail)) 309 { 310 /* add this even if fstat() failed */ 311 RAND_seed((void *) &st, sizeof(st)); 312 } 313 (void) close(fd); 314 } 315 else 316 { 317 if (LogLevel > logl) 318 sm_syslog(LOG_WARNING, NOQID, 319 "STARTTLS: Warning: safeopen(%s) failed", 320 randfile); 321 } 322 } 323 else if (randdef == RF_OK) 324 { 325 if (LogLevel > logl) 326 sm_syslog(LOG_WARNING, NOQID, 327 "STARTTLS: Error: no proper random file definition %s", 328 randfile); 329 randdef = RF_UNKNOWN; 330 } 331 if (randdef == RF_MISS) 332 { 333 if (LogLevel > logl) 334 sm_syslog(LOG_WARNING, NOQID, 335 "STARTTLS: Error: missing random file definition"); 336 } 337 if (!ok && bitnset(DBS_INSUFFICIENTENTROPY, DontBlameSendmail)) 338 { 339 int i; 340 long r; 341 unsigned char buf[MIN_RAND_BYTES]; 342 343 /* assert((MIN_RAND_BYTES % sizeof(long)) == 0); */ 344 for (i = 0; i <= sizeof(buf) - sizeof(long); i += sizeof(long)) 345 { 346 r = get_random(); 347 (void) memcpy(buf + i, (void *) &r, sizeof(long)); 348 } 349 RAND_seed(buf, sizeof(buf)); 350 if (LogLevel > logl) 351 sm_syslog(LOG_WARNING, NOQID, 352 "STARTTLS: Warning: random number generator not properly seeded"); 353 ok = true; 354 } 355 done = ok ? RI_SUCCESS : RI_FAIL; 356 return ok; 357 # else /* ! HASURANDOMDEV */ 358 return true; 359 # endif /* ! HASURANDOMDEV */ 360 } 361 /* 362 ** INIT_TLS_LIBRARY -- Calls functions which setup TLS library for global use. 363 ** 364 ** Parameters: 365 ** fipsmode -- use FIPS? 366 ** 367 ** Returns: 368 ** succeeded? 369 */ 370 371 bool 372 init_tls_library(fipsmode) 373 bool fipsmode; 374 { 375 bool bv; 376 377 /* basic TLS initialization, ignore result for now */ 378 SSL_library_init(); 379 SSL_load_error_strings(); 380 OpenSSL_add_all_algorithms(); 381 # if 0 382 /* this is currently a macro for SSL_library_init */ 383 SSLeay_add_ssl_algorithms(); 384 # endif /* 0 */ 385 386 bv = tls_rand_init(RandFile, 7); 387 # if _FFR_FIPSMODE 388 if (bv && fipsmode) 389 { 390 if (!FIPS_mode_set(1)) 391 { 392 unsigned long err; 393 394 err = ERR_get_error(); 395 if (LogLevel > 0) 396 sm_syslog(LOG_ERR, NOQID, 397 "STARTTLS=init, FIPSMode=%s", 398 ERR_error_string(err, NULL)); 399 return false; 400 } 401 else 402 { 403 if (LogLevel > 9) 404 sm_syslog(LOG_INFO, NOQID, 405 "STARTTLS=init, FIPSMode=ok"); 406 } 407 } 408 #endif /* _FFR_FIPSMODE */ 409 if (bv && CertFingerprintAlgorithm != NULL) 410 { 411 const EVP_MD *md; 412 413 md = EVP_get_digestbyname(CertFingerprintAlgorithm); 414 if (NULL == md) 415 { 416 bv = false; 417 if (LogLevel > 0) 418 sm_syslog(LOG_ERR, NOQID, 419 "STARTTLS=init, CertFingerprintAlgorithm=%s, status=invalid" 420 , CertFingerprintAlgorithm); 421 } 422 else 423 EVP_digest = md; 424 } 425 return bv; 426 } 427 428 /* 429 ** TLS_SET_VERIFY -- request client certificate? 430 ** 431 ** Parameters: 432 ** ctx -- TLS context 433 ** ssl -- TLS structure 434 ** vrfy -- request certificate? 435 ** 436 ** Returns: 437 ** none. 438 ** 439 ** Side Effects: 440 ** Sets verification state for TLS 441 ** 442 # if TLS_VRFY_PER_CTX 443 ** Notice: 444 ** This is per TLS context, not per TLS structure; 445 ** the former is global, the latter per connection. 446 ** It would be nice to do this per connection, but this 447 ** doesn't work in the current TLS libraries :-( 448 # endif * TLS_VRFY_PER_CTX * 449 */ 450 451 void 452 tls_set_verify(ctx, ssl, vrfy) 453 SSL_CTX *ctx; 454 SSL *ssl; 455 bool vrfy; 456 { 457 # if !TLS_VRFY_PER_CTX 458 SSL_set_verify(ssl, vrfy ? SSL_VERIFY_PEER : SSL_VERIFY_NONE, NULL); 459 # else /* !TLS_VRFY_PER_CTX */ 460 SSL_CTX_set_verify(ctx, vrfy ? SSL_VERIFY_PEER : SSL_VERIFY_NONE, 461 NULL); 462 # endif /* !TLS_VRFY_PER_CTX */ 463 } 464 465 /* 466 ** status in initialization 467 ** these flags keep track of the status of the initialization 468 ** i.e., whether a file exists (_EX) and whether it can be used (_OK) 469 ** [due to permissions] 470 */ 471 472 # define TLS_S_NONE 0x00000000 /* none yet */ 473 # define TLS_S_CERT_EX 0x00000001 /* cert file exists */ 474 # define TLS_S_CERT_OK 0x00000002 /* cert file is ok */ 475 # define TLS_S_KEY_EX 0x00000004 /* key file exists */ 476 # define TLS_S_KEY_OK 0x00000008 /* key file is ok */ 477 # define TLS_S_CERTP_EX 0x00000010 /* CA cert path exists */ 478 # define TLS_S_CERTP_OK 0x00000020 /* CA cert path is ok */ 479 # define TLS_S_CERTF_EX 0x00000040 /* CA cert file exists */ 480 # define TLS_S_CERTF_OK 0x00000080 /* CA cert file is ok */ 481 # define TLS_S_CRLF_EX 0x00000100 /* CRL file exists */ 482 # define TLS_S_CRLF_OK 0x00000200 /* CRL file is ok */ 483 484 # define TLS_S_CERT2_EX 0x00001000 /* 2nd cert file exists */ 485 # define TLS_S_CERT2_OK 0x00002000 /* 2nd cert file is ok */ 486 # define TLS_S_KEY2_EX 0x00004000 /* 2nd key file exists */ 487 # define TLS_S_KEY2_OK 0x00008000 /* 2nd key file is ok */ 488 489 # define TLS_S_DH_OK 0x00200000 /* DH cert is ok */ 490 # define TLS_S_DHPAR_EX 0x00400000 /* DH param file exists */ 491 # define TLS_S_DHPAR_OK 0x00800000 /* DH param file is ok to use */ 492 493 /* Type of variable */ 494 # define TLS_T_OTHER 0 495 # define TLS_T_SRV 1 496 # define TLS_T_CLT 2 497 498 /* 499 ** TLS_OK_F -- can var be an absolute filename? 500 ** 501 ** Parameters: 502 ** var -- filename 503 ** fn -- what is the filename used for? 504 ** type -- type of variable 505 ** 506 ** Returns: 507 ** ok? 508 */ 509 510 static bool 511 tls_ok_f(var, fn, type) 512 char *var; 513 char *fn; 514 int type; 515 { 516 /* must be absolute pathname */ 517 if (var != NULL && *var == '/') 518 return true; 519 if (LogLevel > 12) 520 sm_syslog(LOG_WARNING, NOQID, "STARTTLS: %s%s missing", 521 type == TLS_T_SRV ? "Server" : 522 (type == TLS_T_CLT ? "Client" : ""), fn); 523 return false; 524 } 525 /* 526 ** TLS_SAFE_F -- is a file safe to use? 527 ** 528 ** Parameters: 529 ** var -- filename 530 ** sff -- flags for safefile() 531 ** srv -- server side? 532 ** 533 ** Returns: 534 ** ok? 535 */ 536 537 static bool 538 tls_safe_f(var, sff, srv) 539 char *var; 540 long sff; 541 bool srv; 542 { 543 int ret; 544 545 if ((ret = safefile(var, RunAsUid, RunAsGid, RunAsUserName, sff, 546 S_IRUSR, NULL)) == 0) 547 return true; 548 if (LogLevel > 7) 549 sm_syslog(LOG_WARNING, NOQID, "STARTTLS=%s: file %s unsafe: %s", 550 srv ? "server" : "client", var, sm_errstring(ret)); 551 return false; 552 } 553 554 /* 555 ** TLS_OK_F -- macro to simplify calls to tls_ok_f 556 ** 557 ** Parameters: 558 ** var -- filename 559 ** fn -- what is the filename used for? 560 ** req -- is the file required? 561 ** st -- status bit to set if ok 562 ** type -- type of variable 563 ** 564 ** Side Effects: 565 ** uses r, ok; may change ok and status. 566 ** 567 */ 568 569 # define TLS_OK_F(var, fn, req, st, type) if (ok) \ 570 { \ 571 r = tls_ok_f(var, fn, type); \ 572 if (r) \ 573 status |= st; \ 574 else if (req) \ 575 ok = false; \ 576 } 577 578 /* 579 ** TLS_UNR -- macro to return whether a file should be unreadable 580 ** 581 ** Parameters: 582 ** bit -- flag to test 583 ** req -- flags 584 ** 585 ** Returns: 586 ** 0/SFF_NORFILES 587 */ 588 # define TLS_UNR(bit, req) (bitset(bit, req) ? SFF_NORFILES : 0) 589 # define TLS_OUNR(bit, req) (bitset(bit, req) ? SFF_NOWRFILES : 0) 590 # define TLS_KEYSFF(req) \ 591 (bitnset(DBS_GROUPREADABLEKEYFILE, DontBlameSendmail) ? \ 592 TLS_OUNR(TLS_I_KEY_OUNR, req) : \ 593 TLS_UNR(TLS_I_KEY_UNR, req)) 594 595 /* 596 ** TLS_SAFE_F -- macro to simplify calls to tls_safe_f 597 ** 598 ** Parameters: 599 ** var -- filename 600 ** sff -- flags for safefile() 601 ** req -- is the file required? 602 ** ex -- does the file exist? 603 ** st -- status bit to set if ok 604 ** srv -- server side? 605 ** 606 ** Side Effects: 607 ** uses r, ok, ex; may change ok and status. 608 ** 609 */ 610 611 # define TLS_SAFE_F(var, sff, req, ex, st, srv) if (ex && ok) \ 612 { \ 613 r = tls_safe_f(var, sff, srv); \ 614 if (r) \ 615 status |= st; \ 616 else if (req) \ 617 ok = false; \ 618 } 619 620 # if _FFR_TLS_SE_OPTS 621 /* 622 ** LOAD_CERTKEY -- load cert/key for TLS session 623 ** 624 ** Parameters: 625 ** ssl -- TLS session context 626 ** certfile -- filename of certificate 627 ** keyfile -- filename of private key 628 ** 629 ** Returns: 630 ** succeeded? 631 */ 632 633 bool 634 load_certkey(ssl, srv, certfile, keyfile) 635 SSL *ssl; 636 bool srv; 637 char *certfile; 638 char *keyfile; 639 { 640 bool ok; 641 int r; 642 long sff, status; 643 unsigned long req; 644 char *who; 645 646 ok = true; 647 who = srv ? "server" : "client"; 648 status = TLS_S_NONE; 649 req = TLS_I_CERT_EX|TLS_I_KEY_EX; 650 TLS_OK_F(certfile, "CertFile", bitset(TLS_I_CERT_EX, req), 651 TLS_S_CERT_EX, srv ? TLS_T_SRV : TLS_T_CLT); 652 TLS_OK_F(keyfile, "KeyFile", bitset(TLS_I_KEY_EX, req), 653 TLS_S_KEY_EX, srv ? TLS_T_SRV : TLS_T_CLT); 654 655 /* certfile etc. must be "safe". */ 656 sff = SFF_REGONLY | SFF_SAFEDIRPATH | SFF_NOWLINK 657 | SFF_NOGWFILES | SFF_NOWWFILES 658 | SFF_MUSTOWN | SFF_ROOTOK | SFF_OPENASROOT; 659 if (DontLockReadFiles) 660 sff |= SFF_NOLOCK; 661 662 TLS_SAFE_F(certfile, sff | TLS_UNR(TLS_I_CERT_UNR, req), 663 bitset(TLS_I_CERT_EX, req), 664 bitset(TLS_S_CERT_EX, status), TLS_S_CERT_OK, srv); 665 TLS_SAFE_F(keyfile, sff | TLS_KEYSFF(req), 666 bitset(TLS_I_KEY_EX, req), 667 bitset(TLS_S_KEY_EX, status), TLS_S_KEY_OK, srv); 668 669 # define SSL_use_cert(ssl, certfile) \ 670 SSL_use_certificate_file(ssl, certfile, SSL_FILETYPE_PEM) 671 # define SSL_USE_CERT "SSL_use_certificate_file" 672 673 if (bitset(TLS_S_CERT_OK, status) && 674 SSL_use_cert(ssl, certfile) <= 0) 675 { 676 if (LogLevel > 7) 677 { 678 sm_syslog(LOG_WARNING, NOQID, 679 "STARTTLS=%s, error: %s(%s) failed", 680 who, SSL_USE_CERT, certfile); 681 if (LogLevel > 9) 682 tlslogerr(LOG_WARNING, who); 683 } 684 if (bitset(TLS_I_USE_CERT, req)) 685 return false; 686 } 687 if (bitset(TLS_S_KEY_OK, status) && 688 SSL_use_PrivateKey_file(ssl, keyfile, SSL_FILETYPE_PEM) <= 0) 689 { 690 if (LogLevel > 7) 691 { 692 sm_syslog(LOG_WARNING, NOQID, 693 "STARTTLS=%s, error: SSL_use_PrivateKey_file(%s) failed", 694 who, keyfile); 695 if (LogLevel > 9) 696 tlslogerr(LOG_WARNING, who); 697 } 698 if (bitset(TLS_I_USE_KEY, req)) 699 return false; 700 } 701 702 /* check the private key */ 703 if (bitset(TLS_S_KEY_OK, status) && 704 (r = SSL_check_private_key(ssl)) <= 0) 705 { 706 /* Private key does not match the certificate public key */ 707 if (LogLevel > 5) 708 { 709 sm_syslog(LOG_WARNING, NOQID, 710 "STARTTLS=%s, error: SSL_check_private_key failed(%s): %d", 711 who, keyfile, r); 712 if (LogLevel > 9) 713 tlslogerr(LOG_WARNING, who); 714 } 715 if (bitset(TLS_I_USE_KEY, req)) 716 return false; 717 } 718 719 return true; 720 } 721 # endif /* _FFR_TLS_SE_OPTS */ 722 723 /* 724 ** INITTLS -- initialize TLS 725 ** 726 ** Parameters: 727 ** ctx -- pointer to context 728 ** req -- requirements for initialization (see sendmail.h) 729 ** options -- options 730 ** srv -- server side? 731 ** certfile -- filename of certificate 732 ** keyfile -- filename of private key 733 ** cacertpath -- path to CAs 734 ** cacertfile -- file with CA(s) 735 ** dhparam -- parameters for DH 736 ** 737 ** Returns: 738 ** succeeded? 739 */ 740 741 /* 742 ** The session_id_context identifies the service that created a session. 743 ** This information is used to distinguish between multiple TLS-based 744 ** servers running on the same server. We use the name of the mail system. 745 ** Note: the session cache is not persistent. 746 */ 747 748 static char server_session_id_context[] = "sendmail8"; 749 750 # if !TLS_NO_RSA 751 static RSA * 752 sm_RSA_generate_key(num, e) 753 int num; 754 unsigned long e; 755 { 756 RSA *rsa = NULL; 757 BIGNUM *bn_rsa_r4; 758 759 bn_rsa_r4 = BN_new(); 760 if ((bn_rsa_r4 != NULL) && BN_set_word(bn_rsa_r4, e) && (rsa = RSA_new()) != NULL) 761 { 762 if (!RSA_generate_key_ex(rsa, num, bn_rsa_r4, NULL)) 763 { 764 RSA_free(rsa); 765 rsa = NULL; 766 } 767 } 768 BN_free(bn_rsa_r4); 769 return rsa; 770 } 771 # endif /* !TLS_NO_RSA */ 772 773 /* 0.9.8a and b have a problem with SSL_OP_TLS_BLOCK_PADDING_BUG */ 774 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) 775 # define SM_SSL_OP_TLS_BLOCK_PADDING_BUG 1 776 #else 777 # define SM_SSL_OP_TLS_BLOCK_PADDING_BUG 0 778 #endif 779 780 bool 781 inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhparam) 782 SSL_CTX **ctx; 783 unsigned long req; 784 unsigned long options; 785 bool srv; 786 char *certfile, *keyfile, *cacertpath, *cacertfile, *dhparam; 787 { 788 # if !NO_DH 789 static DH *dh = NULL; 790 # endif /* !NO_DH */ 791 int r; 792 bool ok; 793 long sff, status; 794 char *who; 795 char *cf2, *kf2; 796 # if SM_CONF_SHM 797 extern int ShmId; 798 # endif /* SM_CONF_SHM */ 799 # if OPENSSL_VERSION_NUMBER > 0x00907000L 800 BIO *crl_file; 801 X509_CRL *crl; 802 X509_STORE *store; 803 # endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */ 804 #if SM_SSL_OP_TLS_BLOCK_PADDING_BUG 805 long rt_version; 806 STACK_OF(SSL_COMP) *comp_methods; 807 #endif 808 809 status = TLS_S_NONE; 810 who = srv ? "server" : "client"; 811 if (ctx == NULL) 812 { 813 syserr("STARTTLS=%s, inittls: ctx == NULL", who); 814 /* NOTREACHED */ 815 SM_ASSERT(ctx != NULL); 816 } 817 818 /* already initialized? (we could re-init...) */ 819 if (*ctx != NULL) 820 return true; 821 ok = true; 822 823 /* 824 ** look for a second filename: it must be separated by a ',' 825 ** no blanks allowed (they won't be skipped). 826 ** we change a global variable here! this change will be undone 827 ** before return from the function but only if it returns true. 828 ** this isn't a problem since in a failure case this function 829 ** won't be called again with the same (overwritten) values. 830 ** otherwise each return must be replaced with a goto endinittls. 831 */ 832 833 cf2 = NULL; 834 kf2 = NULL; 835 if (certfile != NULL && (cf2 = strchr(certfile, ',')) != NULL) 836 { 837 *cf2++ = '\0'; 838 if (keyfile != NULL && (kf2 = strchr(keyfile, ',')) != NULL) 839 *kf2++ = '\0'; 840 } 841 842 /* 843 ** Check whether files/paths are defined 844 */ 845 846 TLS_OK_F(certfile, "CertFile", bitset(TLS_I_CERT_EX, req), 847 TLS_S_CERT_EX, srv ? TLS_T_SRV : TLS_T_CLT); 848 TLS_OK_F(keyfile, "KeyFile", bitset(TLS_I_KEY_EX, req), 849 TLS_S_KEY_EX, srv ? TLS_T_SRV : TLS_T_CLT); 850 TLS_OK_F(cacertpath, "CACertPath", bitset(TLS_I_CERTP_EX, req), 851 TLS_S_CERTP_EX, TLS_T_OTHER); 852 TLS_OK_F(cacertfile, "CACertFile", bitset(TLS_I_CERTF_EX, req), 853 TLS_S_CERTF_EX, TLS_T_OTHER); 854 855 # if OPENSSL_VERSION_NUMBER > 0x00907000L 856 TLS_OK_F(CRLFile, "CRLFile", bitset(TLS_I_CRLF_EX, req), 857 TLS_S_CRLF_EX, TLS_T_OTHER); 858 # endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */ 859 860 /* 861 ** if the second file is specified it must exist 862 ** XXX: it is possible here to define only one of those files 863 */ 864 865 if (cf2 != NULL) 866 { 867 TLS_OK_F(cf2, "CertFile", bitset(TLS_I_CERT_EX, req), 868 TLS_S_CERT2_EX, srv ? TLS_T_SRV : TLS_T_CLT); 869 } 870 if (kf2 != NULL) 871 { 872 TLS_OK_F(kf2, "KeyFile", bitset(TLS_I_KEY_EX, req), 873 TLS_S_KEY2_EX, srv ? TLS_T_SRV : TLS_T_CLT); 874 } 875 876 /* 877 ** valid values for dhparam are (only the first char is checked) 878 ** none no parameters: don't use DH 879 ** i use precomputed 2048 bit parameters 880 ** 512 use precomputed 512 bit parameters 881 ** 1024 generate 1024 bit parameters 882 ** 2048 generate 2048 bit parameters 883 ** /file/name read parameters from /file/name 884 */ 885 886 #define SET_DH_DFL \ 887 do { \ 888 dhparam = "I"; \ 889 req |= TLS_I_DHFIXED; \ 890 } while (0) 891 892 if (bitset(TLS_I_TRY_DH, req)) 893 { 894 if (dhparam != NULL) 895 { 896 char c = *dhparam; 897 898 if (c == '1') 899 req |= TLS_I_DH1024; 900 else if (c == 'I' || c == 'i') 901 req |= TLS_I_DHFIXED; 902 else if (c == '2') 903 req |= TLS_I_DH2048; 904 else if (c == '5') 905 req |= TLS_I_DH512; 906 else if (c == 'n' || c == 'N') 907 req &= ~TLS_I_TRY_DH; 908 else if (c != '/') 909 { 910 if (LogLevel > 12) 911 sm_syslog(LOG_WARNING, NOQID, 912 "STARTTLS=%s, error: illegal value '%s' for DHParameters", 913 who, dhparam); 914 dhparam = NULL; 915 } 916 } 917 if (dhparam == NULL) 918 SET_DH_DFL; 919 else if (*dhparam == '/') 920 { 921 TLS_OK_F(dhparam, "DHParameters", 922 bitset(TLS_I_DHPAR_EX, req), 923 TLS_S_DHPAR_EX, TLS_T_OTHER); 924 } 925 } 926 if (!ok) 927 return ok; 928 929 /* certfile etc. must be "safe". */ 930 sff = SFF_REGONLY | SFF_SAFEDIRPATH | SFF_NOWLINK 931 | SFF_NOGWFILES | SFF_NOWWFILES 932 | SFF_MUSTOWN | SFF_ROOTOK | SFF_OPENASROOT; 933 if (DontLockReadFiles) 934 sff |= SFF_NOLOCK; 935 936 TLS_SAFE_F(certfile, sff | TLS_UNR(TLS_I_CERT_UNR, req), 937 bitset(TLS_I_CERT_EX, req), 938 bitset(TLS_S_CERT_EX, status), TLS_S_CERT_OK, srv); 939 TLS_SAFE_F(keyfile, sff | TLS_KEYSFF(req), 940 bitset(TLS_I_KEY_EX, req), 941 bitset(TLS_S_KEY_EX, status), TLS_S_KEY_OK, srv); 942 TLS_SAFE_F(cacertfile, sff | TLS_UNR(TLS_I_CERTF_UNR, req), 943 bitset(TLS_I_CERTF_EX, req), 944 bitset(TLS_S_CERTF_EX, status), TLS_S_CERTF_OK, srv); 945 if (dhparam != NULL && *dhparam == '/') 946 { 947 TLS_SAFE_F(dhparam, sff | TLS_UNR(TLS_I_DHPAR_UNR, req), 948 bitset(TLS_I_DHPAR_EX, req), 949 bitset(TLS_S_DHPAR_EX, status), TLS_S_DHPAR_OK, srv); 950 if (!bitset(TLS_S_DHPAR_OK, status)) 951 SET_DH_DFL; 952 } 953 # if OPENSSL_VERSION_NUMBER > 0x00907000L 954 TLS_SAFE_F(CRLFile, sff | TLS_UNR(TLS_I_CRLF_UNR, req), 955 bitset(TLS_I_CRLF_EX, req), 956 bitset(TLS_S_CRLF_EX, status), TLS_S_CRLF_OK, srv); 957 # endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */ 958 if (!ok) 959 return ok; 960 if (cf2 != NULL) 961 { 962 TLS_SAFE_F(cf2, sff | TLS_UNR(TLS_I_CERT_UNR, req), 963 bitset(TLS_I_CERT_EX, req), 964 bitset(TLS_S_CERT2_EX, status), TLS_S_CERT2_OK, srv); 965 } 966 if (kf2 != NULL) 967 { 968 TLS_SAFE_F(kf2, sff | TLS_KEYSFF(req), 969 bitset(TLS_I_KEY_EX, req), 970 bitset(TLS_S_KEY2_EX, status), TLS_S_KEY2_OK, srv); 971 } 972 973 /* create a method and a new context */ 974 if ((*ctx = SSL_CTX_new(srv ? SSLv23_server_method() : 975 SSLv23_client_method())) == NULL) 976 { 977 if (LogLevel > 7) 978 sm_syslog(LOG_WARNING, NOQID, 979 "STARTTLS=%s, error: SSL_CTX_new(SSLv23_%s_method()) failed", 980 who, who); 981 if (LogLevel > 9) 982 tlslogerr(LOG_WARNING, who); 983 return false; 984 } 985 986 # if OPENSSL_VERSION_NUMBER > 0x00907000L 987 if (CRLFile != NULL) 988 { 989 /* get a pointer to the current certificate validation store */ 990 store = SSL_CTX_get_cert_store(*ctx); /* does not fail */ 991 crl_file = BIO_new(BIO_s_file()); 992 if (crl_file != NULL) 993 { 994 if (BIO_read_filename(crl_file, CRLFile) >= 0) 995 { 996 crl = PEM_read_bio_X509_CRL(crl_file, NULL, 997 NULL, NULL); 998 BIO_free(crl_file); 999 X509_STORE_add_crl(store, crl); 1000 X509_CRL_free(crl); 1001 X509_STORE_set_flags(store, 1002 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); 1003 X509_STORE_set_verify_cb_func(store, 1004 x509_verify_cb); 1005 } 1006 else 1007 { 1008 if (LogLevel > 9) 1009 { 1010 sm_syslog(LOG_WARNING, NOQID, 1011 "STARTTLS=%s, error: PEM_read_bio_X509_CRL(%s)=failed", 1012 who, CRLFile); 1013 } 1014 1015 /* avoid memory leaks */ 1016 BIO_free(crl_file); 1017 return false; 1018 } 1019 1020 } 1021 else if (LogLevel > 9) 1022 sm_syslog(LOG_WARNING, NOQID, 1023 "STARTTLS=%s, error: BIO_new=failed", who); 1024 } 1025 else 1026 store = NULL; 1027 # if _FFR_CRLPATH 1028 if (CRLPath != NULL && store != NULL) 1029 { 1030 X509_LOOKUP *lookup; 1031 1032 lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir()); 1033 if (lookup == NULL) 1034 { 1035 if (LogLevel > 9) 1036 { 1037 sm_syslog(LOG_WARNING, NOQID, 1038 "STARTTLS=%s, error: X509_STORE_add_lookup(hash)=failed", 1039 who, CRLFile); 1040 } 1041 return false; 1042 } 1043 X509_LOOKUP_add_dir(lookup, CRLPath, X509_FILETYPE_PEM); 1044 X509_STORE_set_flags(store, 1045 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); 1046 } 1047 # endif /* _FFR_CRLPATH */ 1048 # endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */ 1049 1050 # if TLS_NO_RSA 1051 /* turn off backward compatibility, required for no-rsa */ 1052 SSL_CTX_set_options(*ctx, SSL_OP_NO_SSLv2); 1053 # endif /* TLS_NO_RSA */ 1054 1055 1056 # if !TLS_NO_RSA 1057 /* 1058 ** Create a temporary RSA key 1059 ** XXX Maybe we shouldn't create this always (even though it 1060 ** is only at startup). 1061 ** It is a time-consuming operation and it is not always necessary. 1062 ** maybe we should do it only on demand... 1063 */ 1064 1065 if (bitset(TLS_I_RSA_TMP, req) 1066 # if SM_CONF_SHM 1067 && ShmId != SM_SHM_NO_ID && 1068 (rsa_tmp = sm_RSA_generate_key(RSA_KEYLENGTH, RSA_F4)) == NULL 1069 # else /* SM_CONF_SHM */ 1070 && 0 /* no shared memory: no need to generate key now */ 1071 # endif /* SM_CONF_SHM */ 1072 ) 1073 { 1074 if (LogLevel > 7) 1075 { 1076 sm_syslog(LOG_WARNING, NOQID, 1077 "STARTTLS=%s, error: RSA_generate_key failed", 1078 who); 1079 if (LogLevel > 9) 1080 tlslogerr(LOG_WARNING, who); 1081 } 1082 return false; 1083 } 1084 # endif /* !TLS_NO_RSA */ 1085 1086 /* 1087 ** load private key 1088 ** XXX change this for DSA-only version 1089 */ 1090 1091 if (bitset(TLS_S_KEY_OK, status) && 1092 SSL_CTX_use_PrivateKey_file(*ctx, keyfile, 1093 SSL_FILETYPE_PEM) <= 0) 1094 { 1095 if (LogLevel > 7) 1096 { 1097 sm_syslog(LOG_WARNING, NOQID, 1098 "STARTTLS=%s, error: SSL_CTX_use_PrivateKey_file(%s) failed", 1099 who, keyfile); 1100 if (LogLevel > 9) 1101 tlslogerr(LOG_WARNING, who); 1102 } 1103 if (bitset(TLS_I_USE_KEY, req)) 1104 return false; 1105 } 1106 1107 #if _FFR_TLS_USE_CERTIFICATE_CHAIN_FILE 1108 # define SSL_CTX_use_cert(ssl_ctx, certfile) \ 1109 SSL_CTX_use_certificate_chain_file(ssl_ctx, certfile) 1110 # define SSL_CTX_USE_CERT "SSL_CTX_use_certificate_chain_file" 1111 #else 1112 # define SSL_CTX_use_cert(ssl_ctx, certfile) \ 1113 SSL_CTX_use_certificate_file(ssl_ctx, certfile, SSL_FILETYPE_PEM) 1114 # define SSL_CTX_USE_CERT "SSL_CTX_use_certificate_file" 1115 #endif 1116 1117 /* get the certificate file */ 1118 if (bitset(TLS_S_CERT_OK, status) && 1119 SSL_CTX_use_cert(*ctx, certfile) <= 0) 1120 { 1121 if (LogLevel > 7) 1122 { 1123 sm_syslog(LOG_WARNING, NOQID, 1124 "STARTTLS=%s, error: %s(%s) failed", 1125 who, SSL_CTX_USE_CERT, certfile); 1126 if (LogLevel > 9) 1127 tlslogerr(LOG_WARNING, who); 1128 } 1129 if (bitset(TLS_I_USE_CERT, req)) 1130 return false; 1131 } 1132 1133 /* check the private key */ 1134 if (bitset(TLS_S_KEY_OK, status) && 1135 (r = SSL_CTX_check_private_key(*ctx)) <= 0) 1136 { 1137 /* Private key does not match the certificate public key */ 1138 if (LogLevel > 5) 1139 { 1140 sm_syslog(LOG_WARNING, NOQID, 1141 "STARTTLS=%s, error: SSL_CTX_check_private_key failed(%s): %d", 1142 who, keyfile, r); 1143 if (LogLevel > 9) 1144 tlslogerr(LOG_WARNING, who); 1145 } 1146 if (bitset(TLS_I_USE_KEY, req)) 1147 return false; 1148 } 1149 1150 /* XXX this code is pretty much duplicated from above! */ 1151 1152 /* load private key */ 1153 if (bitset(TLS_S_KEY2_OK, status) && 1154 SSL_CTX_use_PrivateKey_file(*ctx, kf2, SSL_FILETYPE_PEM) <= 0) 1155 { 1156 if (LogLevel > 7) 1157 { 1158 sm_syslog(LOG_WARNING, NOQID, 1159 "STARTTLS=%s, error: SSL_CTX_use_PrivateKey_file(%s) failed", 1160 who, kf2); 1161 if (LogLevel > 9) 1162 tlslogerr(LOG_WARNING, who); 1163 } 1164 } 1165 1166 /* get the certificate file */ 1167 if (bitset(TLS_S_CERT2_OK, status) && 1168 SSL_CTX_use_cert(*ctx, cf2) <= 0) 1169 { 1170 if (LogLevel > 7) 1171 { 1172 sm_syslog(LOG_WARNING, NOQID, 1173 "STARTTLS=%s, error: %s(%s) failed", 1174 who, SSL_CTX_USE_CERT, cf2); 1175 if (LogLevel > 9) 1176 tlslogerr(LOG_WARNING, who); 1177 } 1178 } 1179 1180 /* also check the private key */ 1181 if (bitset(TLS_S_KEY2_OK, status) && 1182 (r = SSL_CTX_check_private_key(*ctx)) <= 0) 1183 { 1184 /* Private key does not match the certificate public key */ 1185 if (LogLevel > 5) 1186 { 1187 sm_syslog(LOG_WARNING, NOQID, 1188 "STARTTLS=%s, error: SSL_CTX_check_private_key 2 failed: %d", 1189 who, r); 1190 if (LogLevel > 9) 1191 tlslogerr(LOG_WARNING, who); 1192 } 1193 } 1194 1195 /* SSL_CTX_set_quiet_shutdown(*ctx, 1); violation of standard? */ 1196 1197 #if SM_SSL_OP_TLS_BLOCK_PADDING_BUG 1198 1199 /* 1200 ** In OpenSSL 0.9.8[ab], enabling zlib compression breaks the 1201 ** padding bug work-around, leading to false positives and 1202 ** failed connections. We may not interoperate with systems 1203 ** with the bug, but this is better than breaking on all 0.9.8[ab] 1204 ** systems that have zlib support enabled. 1205 ** Note: this checks the runtime version of the library, not 1206 ** just the compile time version. 1207 */ 1208 1209 rt_version = SSLeay(); 1210 if (rt_version >= 0x00908000L && rt_version <= 0x0090802fL) 1211 { 1212 comp_methods = SSL_COMP_get_compression_methods(); 1213 if (comp_methods != NULL && sk_SSL_COMP_num(comp_methods) > 0) 1214 options &= ~SSL_OP_TLS_BLOCK_PADDING_BUG; 1215 } 1216 #endif 1217 SSL_CTX_set_options(*ctx, (long) options); 1218 1219 # if !NO_DH 1220 /* Diffie-Hellman initialization */ 1221 if (bitset(TLS_I_TRY_DH, req)) 1222 { 1223 #if _FFR_TLS_EC 1224 EC_KEY *ecdh; 1225 #endif /* _FFR_TLS_EC */ 1226 1227 if (tTd(96, 8)) 1228 sm_dprintf("inittls: req=%#lx, status=%#lx\n", 1229 req, status); 1230 if (bitset(TLS_S_DHPAR_OK, status)) 1231 { 1232 BIO *bio; 1233 1234 if ((bio = BIO_new_file(dhparam, "r")) != NULL) 1235 { 1236 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); 1237 BIO_free(bio); 1238 if (dh == NULL && LogLevel > 7) 1239 { 1240 unsigned long err; 1241 1242 err = ERR_get_error(); 1243 sm_syslog(LOG_WARNING, NOQID, 1244 "STARTTLS=%s, error: cannot read DH parameters(%s): %s", 1245 who, dhparam, 1246 ERR_error_string(err, NULL)); 1247 if (LogLevel > 9) 1248 tlslogerr(LOG_WARNING, who); 1249 SET_DH_DFL; 1250 } 1251 } 1252 else 1253 { 1254 if (LogLevel > 5) 1255 { 1256 sm_syslog(LOG_WARNING, NOQID, 1257 "STARTTLS=%s, error: BIO_new_file(%s) failed", 1258 who, dhparam); 1259 if (LogLevel > 9) 1260 tlslogerr(LOG_WARNING, who); 1261 } 1262 } 1263 } 1264 if (dh == NULL && bitset(TLS_I_DH1024|TLS_I_DH2048, req)) 1265 { 1266 int bits; 1267 DSA *dsa; 1268 1269 bits = bitset(TLS_I_DH2048, req) ? 2048 : 1024; 1270 if (tTd(96, 2)) 1271 sm_dprintf("inittls: Generating %d bit DH parameters\n", bits); 1272 1273 dsa = DSA_new(); 1274 /* this takes a while! */ 1275 (void)DSA_generate_parameters_ex(dsa, bits, NULL, 0, 1276 NULL, NULL, NULL); 1277 dh = DSA_dup_DH(dsa); 1278 DSA_free(dsa); 1279 } 1280 else if (dh == NULL && bitset(TLS_I_DHFIXED, req)) 1281 { 1282 if (tTd(96, 2)) 1283 sm_dprintf("inittls: Using precomputed 2048 bit DH parameters\n"); 1284 dh = get_dh2048(); 1285 } 1286 else if (dh == NULL && bitset(TLS_I_DH512, req)) 1287 { 1288 if (tTd(96, 2)) 1289 sm_dprintf("inittls: Using precomputed 512 bit DH parameters\n"); 1290 dh = get_dh512(); 1291 } 1292 1293 if (dh == NULL) 1294 { 1295 if (LogLevel > 9) 1296 { 1297 unsigned long err; 1298 1299 err = ERR_get_error(); 1300 sm_syslog(LOG_WARNING, NOQID, 1301 "STARTTLS=%s, error: cannot read or set DH parameters(%s): %s", 1302 who, dhparam, 1303 ERR_error_string(err, NULL)); 1304 } 1305 if (bitset(TLS_I_REQ_DH, req)) 1306 return false; 1307 } 1308 else 1309 { 1310 /* important to avoid small subgroup attacks */ 1311 SSL_CTX_set_options(*ctx, SSL_OP_SINGLE_DH_USE); 1312 1313 SSL_CTX_set_tmp_dh(*ctx, dh); 1314 if (LogLevel > 13) 1315 sm_syslog(LOG_INFO, NOQID, 1316 "STARTTLS=%s, Diffie-Hellman init, key=%d bit (%c)", 1317 who, 8 * DH_size(dh), *dhparam); 1318 DH_free(dh); 1319 } 1320 1321 #if _FFR_TLS_EC 1322 ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); 1323 if (ecdh != NULL) 1324 { 1325 SSL_CTX_set_options(*ctx, SSL_OP_SINGLE_ECDH_USE); 1326 SSL_CTX_set_tmp_ecdh(*ctx, ecdh); 1327 EC_KEY_free(ecdh); 1328 } 1329 #endif /* _FFR_TLS_EC */ 1330 1331 } 1332 # endif /* !NO_DH */ 1333 1334 1335 /* XXX do we need this cache here? */ 1336 if (bitset(TLS_I_CACHE, req)) 1337 { 1338 SSL_CTX_sess_set_cache_size(*ctx, 1); 1339 SSL_CTX_set_timeout(*ctx, 1); 1340 SSL_CTX_set_session_id_context(*ctx, 1341 (void *) &server_session_id_context, 1342 sizeof(server_session_id_context)); 1343 (void) SSL_CTX_set_session_cache_mode(*ctx, 1344 SSL_SESS_CACHE_SERVER); 1345 } 1346 else 1347 { 1348 (void) SSL_CTX_set_session_cache_mode(*ctx, 1349 SSL_SESS_CACHE_OFF); 1350 } 1351 1352 /* load certificate locations and default CA paths */ 1353 if (bitset(TLS_S_CERTP_EX, status) && bitset(TLS_S_CERTF_EX, status)) 1354 { 1355 if ((r = SSL_CTX_load_verify_locations(*ctx, cacertfile, 1356 cacertpath)) == 1) 1357 { 1358 # if !TLS_NO_RSA 1359 if (bitset(TLS_I_RSA_TMP, req)) 1360 SSL_CTX_set_tmp_rsa_callback(*ctx, tmp_rsa_key); 1361 # endif /* !TLS_NO_RSA */ 1362 1363 /* 1364 ** We have to install our own verify callback: 1365 ** SSL_VERIFY_PEER requests a client cert but even 1366 ** though *FAIL_IF* isn't set, the connection 1367 ** will be aborted if the client presents a cert 1368 ** that is not "liked" (can't be verified?) by 1369 ** the TLS library :-( 1370 */ 1371 1372 /* 1373 ** XXX currently we could call tls_set_verify() 1374 ** but we hope that that function will later on 1375 ** only set the mode per connection. 1376 */ 1377 SSL_CTX_set_verify(*ctx, 1378 bitset(TLS_I_NO_VRFY, req) ? SSL_VERIFY_NONE 1379 : SSL_VERIFY_PEER, 1380 NULL); 1381 1382 /* install verify callback */ 1383 SSL_CTX_set_cert_verify_callback(*ctx, tls_verify_cb, 1384 NULL); 1385 SSL_CTX_set_client_CA_list(*ctx, 1386 SSL_load_client_CA_file(cacertfile)); 1387 } 1388 else 1389 { 1390 /* 1391 ** can't load CA data; do we care? 1392 ** the data is necessary to authenticate the client, 1393 ** which in turn would be necessary 1394 ** if we want to allow relaying based on it. 1395 */ 1396 if (LogLevel > 5) 1397 { 1398 sm_syslog(LOG_WARNING, NOQID, 1399 "STARTTLS=%s, error: load verify locs %s, %s failed: %d", 1400 who, cacertpath, cacertfile, r); 1401 if (LogLevel > 9) 1402 tlslogerr(LOG_WARNING, who); 1403 } 1404 if (bitset(TLS_I_VRFY_LOC, req)) 1405 return false; 1406 } 1407 } 1408 1409 /* XXX: make this dependent on an option? */ 1410 if (tTd(96, 9)) 1411 SSL_CTX_set_info_callback(*ctx, apps_ssl_info_cb); 1412 1413 /* install our own cipher list */ 1414 if (CipherList != NULL && *CipherList != '\0') 1415 { 1416 if (SSL_CTX_set_cipher_list(*ctx, CipherList) <= 0) 1417 { 1418 if (LogLevel > 7) 1419 { 1420 sm_syslog(LOG_WARNING, NOQID, 1421 "STARTTLS=%s, error: SSL_CTX_set_cipher_list(%s) failed, list ignored", 1422 who, CipherList); 1423 1424 if (LogLevel > 9) 1425 tlslogerr(LOG_WARNING, who); 1426 } 1427 /* failure if setting to this list is required? */ 1428 } 1429 } 1430 1431 if (LogLevel > 12) 1432 sm_syslog(LOG_INFO, NOQID, "STARTTLS=%s, init=%d", who, ok); 1433 1434 # if 0 1435 /* 1436 ** this label is required if we want to have a "clean" exit 1437 ** see the comments above at the initialization of cf2 1438 */ 1439 1440 endinittls: 1441 # endif /* 0 */ 1442 1443 /* undo damage to global variables */ 1444 if (cf2 != NULL) 1445 *--cf2 = ','; 1446 if (kf2 != NULL) 1447 *--kf2 = ','; 1448 1449 return ok; 1450 } 1451 1452 /* 1453 ** CERT_FP -- get cert fingerprint 1454 ** 1455 ** Parameters: 1456 ** cert -- TLS cert 1457 ** mac -- macro storage 1458 ** macro -- where to store cert fp 1459 ** 1460 ** Returns: 1461 ** <=0: cert fp calculation failed 1462 ** >0: cert fp calculation ok 1463 */ 1464 1465 static int 1466 cert_fp(cert, evp_digest, mac, macro) 1467 X509 *cert; 1468 const EVP_MD *evp_digest; 1469 MACROS_T *mac; 1470 char *macro; 1471 { 1472 unsigned int n; 1473 int r; 1474 unsigned char md[EVP_MAX_MD_SIZE]; 1475 char md5h[EVP_MAX_MD_SIZE * 3]; 1476 static const char hexcodes[] = "0123456789ABCDEF"; 1477 1478 n = 0; 1479 if (X509_digest(cert, EVP_digest, md, &n) == 0 || n <= 0) 1480 { 1481 macdefine(mac, A_TEMP, macid(macro), ""); 1482 return 0; 1483 } 1484 1485 SM_ASSERT((n * 3) + 2 < sizeof(md5h)); 1486 for (r = 0; r < (int) n; r++) 1487 { 1488 md5h[r * 3] = hexcodes[(md[r] & 0xf0) >> 4]; 1489 md5h[(r * 3) + 1] = hexcodes[(md[r] & 0x0f)]; 1490 md5h[(r * 3) + 2] = ':'; 1491 } 1492 md5h[(n * 3) - 1] = '\0'; 1493 macdefine(mac, A_TEMP, macid(macro), md5h); 1494 return 1; 1495 } 1496 1497 /* 1498 ** TLS_GET_INFO -- get information about TLS connection 1499 ** 1500 ** Parameters: 1501 ** ssl -- TLS connection structure 1502 ** srv -- server or client 1503 ** host -- hostname of other side 1504 ** mac -- macro storage 1505 ** certreq -- did we ask for a cert? 1506 ** 1507 ** Returns: 1508 ** result of authentication. 1509 ** 1510 ** Side Effects: 1511 ** sets various TLS related macros. 1512 */ 1513 1514 int 1515 tls_get_info(ssl, srv, host, mac, certreq) 1516 SSL *ssl; 1517 bool srv; 1518 char *host; 1519 MACROS_T *mac; 1520 bool certreq; 1521 { 1522 const SSL_CIPHER *c; 1523 int b, r; 1524 long verifyok; 1525 char *s, *who; 1526 char bitstr[16]; 1527 X509 *cert; 1528 1529 c = SSL_get_current_cipher(ssl); 1530 1531 /* cast is just workaround for compiler warning */ 1532 macdefine(mac, A_TEMP, macid("{cipher}"), 1533 (char *) SSL_CIPHER_get_name(c)); 1534 b = SSL_CIPHER_get_bits(c, &r); 1535 (void) sm_snprintf(bitstr, sizeof(bitstr), "%d", b); 1536 macdefine(mac, A_TEMP, macid("{cipher_bits}"), bitstr); 1537 (void) sm_snprintf(bitstr, sizeof(bitstr), "%d", r); 1538 macdefine(mac, A_TEMP, macid("{alg_bits}"), bitstr); 1539 s = (char *) SSL_get_version(ssl); 1540 if (s == NULL) 1541 s = "UNKNOWN"; 1542 macdefine(mac, A_TEMP, macid("{tls_version}"), s); 1543 1544 who = srv ? "server" : "client"; 1545 cert = SSL_get_peer_certificate(ssl); 1546 verifyok = SSL_get_verify_result(ssl); 1547 if (LogLevel > 14) 1548 sm_syslog(LOG_INFO, NOQID, 1549 "STARTTLS=%s, get_verify: %ld get_peer: 0x%lx", 1550 who, verifyok, (unsigned long) cert); 1551 if (cert != NULL) 1552 { 1553 X509_NAME *subj, *issuer; 1554 char buf[MAXNAME]; 1555 1556 subj = X509_get_subject_name(cert); 1557 issuer = X509_get_issuer_name(cert); 1558 X509_NAME_oneline(subj, buf, sizeof(buf)); 1559 macdefine(mac, A_TEMP, macid("{cert_subject}"), 1560 xtextify(buf, "<>\")")); 1561 X509_NAME_oneline(issuer, buf, sizeof(buf)); 1562 macdefine(mac, A_TEMP, macid("{cert_issuer}"), 1563 xtextify(buf, "<>\")")); 1564 1565 # define LL_BADCERT 8 1566 1567 #define CERTFPMACRO (CertFingerprintAlgorithm != NULL ? "{cert_fp}" : "{cert_md5}") 1568 1569 #define CHECK_X509_NAME(which) \ 1570 do { \ 1571 if (r == -1) \ 1572 { \ 1573 sm_strlcpy(buf, "BadCertificateUnknown", sizeof(buf)); \ 1574 if (LogLevel > LL_BADCERT) \ 1575 sm_syslog(LOG_INFO, NOQID, \ 1576 "STARTTLS=%s, relay=%.100s, field=%s, status=failed to extract CN", \ 1577 who, \ 1578 host == NULL ? "local" : host, \ 1579 which); \ 1580 } \ 1581 else if ((size_t)r >= sizeof(buf) - 1) \ 1582 { \ 1583 sm_strlcpy(buf, "BadCertificateTooLong", sizeof(buf)); \ 1584 if (LogLevel > 7) \ 1585 sm_syslog(LOG_INFO, NOQID, \ 1586 "STARTTLS=%s, relay=%.100s, field=%s, status=CN too long", \ 1587 who, \ 1588 host == NULL ? "local" : host, \ 1589 which); \ 1590 } \ 1591 else if ((size_t)r > strlen(buf)) \ 1592 { \ 1593 sm_strlcpy(buf, "BadCertificateContainsNUL", \ 1594 sizeof(buf)); \ 1595 if (LogLevel > 7) \ 1596 sm_syslog(LOG_INFO, NOQID, \ 1597 "STARTTLS=%s, relay=%.100s, field=%s, status=CN contains NUL", \ 1598 who, \ 1599 host == NULL ? "local" : host, \ 1600 which); \ 1601 } \ 1602 } while (0) 1603 1604 r = X509_NAME_get_text_by_NID(subj, NID_commonName, buf, 1605 sizeof buf); 1606 CHECK_X509_NAME("cn_subject"); 1607 macdefine(mac, A_TEMP, macid("{cn_subject}"), 1608 xtextify(buf, "<>\")")); 1609 r = X509_NAME_get_text_by_NID(issuer, NID_commonName, buf, 1610 sizeof buf); 1611 CHECK_X509_NAME("cn_issuer"); 1612 macdefine(mac, A_TEMP, macid("{cn_issuer}"), 1613 xtextify(buf, "<>\")")); 1614 (void) cert_fp(cert, EVP_digest, mac, CERTFPMACRO); 1615 } 1616 else 1617 { 1618 macdefine(mac, A_PERM, macid("{cert_subject}"), ""); 1619 macdefine(mac, A_PERM, macid("{cert_issuer}"), ""); 1620 macdefine(mac, A_PERM, macid("{cn_subject}"), ""); 1621 macdefine(mac, A_PERM, macid("{cn_issuer}"), ""); 1622 macdefine(mac, A_TEMP, macid(CERTFPMACRO), ""); 1623 } 1624 switch (verifyok) 1625 { 1626 case X509_V_OK: 1627 if (cert != NULL) 1628 { 1629 s = "OK"; 1630 r = TLS_AUTH_OK; 1631 } 1632 else 1633 { 1634 s = certreq ? "NO" : "NOT", 1635 r = TLS_AUTH_NO; 1636 } 1637 break; 1638 default: 1639 s = "FAIL"; 1640 r = TLS_AUTH_FAIL; 1641 break; 1642 } 1643 macdefine(mac, A_PERM, macid("{verify}"), s); 1644 if (cert != NULL) 1645 X509_free(cert); 1646 1647 /* do some logging */ 1648 if (LogLevel > 8) 1649 { 1650 char *vers, *s1, *s2, *cbits, *algbits; 1651 1652 vers = macget(mac, macid("{tls_version}")); 1653 cbits = macget(mac, macid("{cipher_bits}")); 1654 algbits = macget(mac, macid("{alg_bits}")); 1655 s1 = macget(mac, macid("{verify}")); 1656 s2 = macget(mac, macid("{cipher}")); 1657 1658 /* XXX: maybe cut off ident info? */ 1659 sm_syslog(LOG_INFO, NOQID, 1660 "STARTTLS=%s, relay=%.100s, version=%.16s, verify=%.16s, cipher=%.64s, bits=%.6s/%.6s", 1661 who, 1662 host == NULL ? "local" : host, 1663 vers, s1, s2, /* sm_snprintf() can deal with NULL */ 1664 algbits == NULL ? "0" : algbits, 1665 cbits == NULL ? "0" : cbits); 1666 if (LogLevel > 11) 1667 { 1668 /* 1669 ** Maybe run xuntextify on the strings? 1670 ** That is easier to read but makes it maybe a bit 1671 ** more complicated to figure out the right values 1672 ** for the access map... 1673 */ 1674 1675 s1 = macget(mac, macid("{cert_subject}")); 1676 s2 = macget(mac, macid("{cert_issuer}")); 1677 sm_syslog(LOG_INFO, NOQID, 1678 "STARTTLS=%s, cert-subject=%.256s, cert-issuer=%.256s, verifymsg=%s", 1679 who, s1, s2, 1680 X509_verify_cert_error_string(verifyok)); 1681 } 1682 } 1683 return r; 1684 } 1685 /* 1686 ** ENDTLS -- shutdown secure connection 1687 ** 1688 ** Parameters: 1689 ** ssl -- SSL connection information. 1690 ** side -- server/client (for logging). 1691 ** 1692 ** Returns: 1693 ** success? (EX_* code) 1694 */ 1695 1696 int 1697 endtls(ssl, side) 1698 SSL *ssl; 1699 char *side; 1700 { 1701 int ret = EX_OK; 1702 1703 if (ssl != NULL) 1704 { 1705 int r; 1706 1707 if ((r = SSL_shutdown(ssl)) < 0) 1708 { 1709 if (LogLevel > 11) 1710 { 1711 sm_syslog(LOG_WARNING, NOQID, 1712 "STARTTLS=%s, SSL_shutdown failed: %d", 1713 side, r); 1714 tlslogerr(LOG_WARNING, side); 1715 } 1716 ret = EX_SOFTWARE; 1717 } 1718 # if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER > 0x0090602fL 1719 1720 /* 1721 ** Bug in OpenSSL (at least up to 0.9.6b): 1722 ** From: Lutz.Jaenicke@aet.TU-Cottbus.DE 1723 ** Message-ID: <20010723152244.A13122@serv01.aet.tu-cottbus.de> 1724 ** To: openssl-users@openssl.org 1725 ** Subject: Re: SSL_shutdown() woes (fwd) 1726 ** 1727 ** The side sending the shutdown alert first will 1728 ** not care about the answer of the peer but will 1729 ** immediately return with a return value of "0" 1730 ** (ssl/s3_lib.c:ssl3_shutdown()). SSL_get_error will evaluate 1731 ** the value of "0" and as the shutdown alert of the peer was 1732 ** not received (actually, the program did not even wait for 1733 ** the answer), an SSL_ERROR_SYSCALL is flagged, because this 1734 ** is the default rule in case everything else does not apply. 1735 ** 1736 ** For your server the problem is different, because it 1737 ** receives the shutdown first (setting SSL_RECEIVED_SHUTDOWN), 1738 ** then sends its response (SSL_SENT_SHUTDOWN), so for the 1739 ** server the shutdown was successfull. 1740 ** 1741 ** As is by know, you would have to call SSL_shutdown() once 1742 ** and ignore an SSL_ERROR_SYSCALL returned. Then call 1743 ** SSL_shutdown() again to actually get the server's response. 1744 ** 1745 ** In the last discussion, Bodo Moeller concluded that a 1746 ** rewrite of the shutdown code would be necessary, but 1747 ** probably with another API, as the change would not be 1748 ** compatible to the way it is now. Things do not become 1749 ** easier as other programs do not follow the shutdown 1750 ** guidelines anyway, so that a lot error conditions and 1751 ** compitibility issues would have to be caught. 1752 ** 1753 ** For now the recommondation is to ignore the error message. 1754 */ 1755 1756 else if (r == 0) 1757 { 1758 if (LogLevel > 15) 1759 { 1760 sm_syslog(LOG_WARNING, NOQID, 1761 "STARTTLS=%s, SSL_shutdown not done", 1762 side); 1763 tlslogerr(LOG_WARNING, side); 1764 } 1765 ret = EX_SOFTWARE; 1766 } 1767 # endif /* !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER > 0x0090602fL */ 1768 SSL_free(ssl); 1769 ssl = NULL; 1770 } 1771 return ret; 1772 } 1773 1774 # if !TLS_NO_RSA 1775 /* 1776 ** TMP_RSA_KEY -- return temporary RSA key 1777 ** 1778 ** Parameters: 1779 ** s -- TLS connection structure 1780 ** export -- 1781 ** keylength -- 1782 ** 1783 ** Returns: 1784 ** temporary RSA key. 1785 */ 1786 1787 # ifndef MAX_RSA_TMP_CNT 1788 # define MAX_RSA_TMP_CNT 1000 /* XXX better value? */ 1789 # endif /* ! MAX_RSA_TMP_CNT */ 1790 1791 /* ARGUSED0 */ 1792 static RSA * 1793 tmp_rsa_key(s, export, keylength) 1794 SSL *s; 1795 int export; 1796 int keylength; 1797 { 1798 # if SM_CONF_SHM 1799 extern int ShmId; 1800 extern int *PRSATmpCnt; 1801 1802 if (ShmId != SM_SHM_NO_ID && rsa_tmp != NULL && 1803 ++(*PRSATmpCnt) < MAX_RSA_TMP_CNT) 1804 return rsa_tmp; 1805 # endif /* SM_CONF_SHM */ 1806 1807 if (rsa_tmp != NULL) 1808 RSA_free(rsa_tmp); 1809 rsa_tmp = sm_RSA_generate_key(RSA_KEYLENGTH, RSA_F4); 1810 if (rsa_tmp == NULL) 1811 { 1812 if (LogLevel > 0) 1813 sm_syslog(LOG_ERR, NOQID, 1814 "STARTTLS=server, tmp_rsa_key: RSA_generate_key failed!"); 1815 } 1816 else 1817 { 1818 # if SM_CONF_SHM 1819 # if 0 1820 /* 1821 ** XXX we can't (yet) share the new key... 1822 ** The RSA structure contains pointers hence it can't be 1823 ** easily kept in shared memory. It must be transformed 1824 ** into a continous memory region first, then stored, 1825 ** and later read out again (each time re-transformed). 1826 */ 1827 1828 if (ShmId != SM_SHM_NO_ID) 1829 *PRSATmpCnt = 0; 1830 # endif /* 0 */ 1831 # endif /* SM_CONF_SHM */ 1832 if (LogLevel > 9) 1833 sm_syslog(LOG_ERR, NOQID, 1834 "STARTTLS=server, tmp_rsa_key: new temp RSA key"); 1835 } 1836 return rsa_tmp; 1837 } 1838 # endif /* !TLS_NO_RSA */ 1839 /* 1840 ** APPS_SSL_INFO_CB -- info callback for TLS connections 1841 ** 1842 ** Parameters: 1843 ** s -- TLS connection structure 1844 ** where -- state in handshake 1845 ** ret -- return code of last operation 1846 ** 1847 ** Returns: 1848 ** none. 1849 */ 1850 1851 static void 1852 apps_ssl_info_cb(s, where, ret) 1853 CONST097 SSL *s; 1854 int where; 1855 int ret; 1856 { 1857 int w; 1858 char *str; 1859 BIO *bio_err = NULL; 1860 1861 if (LogLevel > 14) 1862 sm_syslog(LOG_INFO, NOQID, 1863 "STARTTLS: info_callback where=0x%x, ret=%d", 1864 where, ret); 1865 1866 w = where & ~SSL_ST_MASK; 1867 if (bio_err == NULL) 1868 bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); 1869 1870 if (bitset(SSL_ST_CONNECT, w)) 1871 str = "SSL_connect"; 1872 else if (bitset(SSL_ST_ACCEPT, w)) 1873 str = "SSL_accept"; 1874 else 1875 str = "undefined"; 1876 1877 if (bitset(SSL_CB_LOOP, where)) 1878 { 1879 if (LogLevel > 12) 1880 sm_syslog(LOG_NOTICE, NOQID, 1881 "STARTTLS: %s:%s", 1882 str, SSL_state_string_long(s)); 1883 } 1884 else if (bitset(SSL_CB_ALERT, where)) 1885 { 1886 str = bitset(SSL_CB_READ, where) ? "read" : "write"; 1887 if (LogLevel > 12) 1888 sm_syslog(LOG_NOTICE, NOQID, 1889 "STARTTLS: SSL3 alert %s:%s:%s", 1890 str, SSL_alert_type_string_long(ret), 1891 SSL_alert_desc_string_long(ret)); 1892 } 1893 else if (bitset(SSL_CB_EXIT, where)) 1894 { 1895 if (ret == 0) 1896 { 1897 if (LogLevel > 7) 1898 sm_syslog(LOG_WARNING, NOQID, 1899 "STARTTLS: %s:failed in %s", 1900 str, SSL_state_string_long(s)); 1901 } 1902 else if (ret < 0) 1903 { 1904 if (LogLevel > 7) 1905 sm_syslog(LOG_WARNING, NOQID, 1906 "STARTTLS: %s:error in %s", 1907 str, SSL_state_string_long(s)); 1908 } 1909 } 1910 } 1911 /* 1912 ** TLS_VERIFY_LOG -- log verify error for TLS certificates 1913 ** 1914 ** Parameters: 1915 ** ok -- verify ok? 1916 ** ctx -- x509 context 1917 ** name -- from where is this called? 1918 ** 1919 ** Returns: 1920 ** 1 -- ok 1921 */ 1922 1923 static int 1924 tls_verify_log(ok, ctx, name) 1925 int ok; 1926 X509_STORE_CTX *ctx; 1927 const char *name; 1928 { 1929 X509 *cert; 1930 int reason, depth; 1931 char buf[512]; 1932 1933 cert = X509_STORE_CTX_get_current_cert(ctx); 1934 reason = X509_STORE_CTX_get_error(ctx); 1935 depth = X509_STORE_CTX_get_error_depth(ctx); 1936 X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf)); 1937 sm_syslog(LOG_INFO, NOQID, 1938 "STARTTLS: %s cert verify: depth=%d %s, state=%d, reason=%s", 1939 name, depth, buf, ok, X509_verify_cert_error_string(reason)); 1940 return 1; 1941 } 1942 1943 /* 1944 ** TLS_VERIFY_CB -- verify callback for TLS certificates 1945 ** 1946 ** Parameters: 1947 ** ctx -- x509 context 1948 ** 1949 ** Returns: 1950 ** accept connection? 1951 ** currently: always yes. 1952 */ 1953 1954 static int 1955 # if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x00907000L 1956 tls_verify_cb(ctx) 1957 X509_STORE_CTX *ctx; 1958 # else /* !defined() || OPENSSL_VERSION_NUMBER < 0x00907000L */ 1959 tls_verify_cb(ctx, unused) 1960 X509_STORE_CTX *ctx; 1961 void *unused; 1962 # endif /* !defined() || OPENSSL_VERSION_NUMBER < 0x00907000L */ 1963 { 1964 int ok; 1965 1966 /* 1967 ** man SSL_CTX_set_cert_verify_callback(): 1968 ** callback should return 1 to indicate verification success 1969 ** and 0 to indicate verification failure. 1970 */ 1971 1972 ok = X509_verify_cert(ctx); 1973 if (ok <= 0) 1974 { 1975 if (LogLevel > 13) 1976 return tls_verify_log(ok, ctx, "TLS"); 1977 } 1978 return 1; 1979 } 1980 /* 1981 ** TLSLOGERR -- log the errors from the TLS error stack 1982 ** 1983 ** Parameters: 1984 ** level -- syslog level 1985 ** who -- server/client (for logging). 1986 ** 1987 ** Returns: 1988 ** none. 1989 */ 1990 1991 void 1992 tlslogerr(level, who) 1993 int level; 1994 const char *who; 1995 { 1996 unsigned long l; 1997 int line, flags; 1998 unsigned long es; 1999 char *file, *data; 2000 char buf[256]; 2001 2002 es = CRYPTO_thread_id(); 2003 while ((l = ERR_get_error_line_data((const char **) &file, &line, 2004 (const char **) &data, &flags)) 2005 != 0) 2006 { 2007 sm_syslog(level, NOQID, 2008 "STARTTLS=%s: %lu:%s:%s:%d:%s", who, es, 2009 ERR_error_string(l, buf), 2010 file, line, 2011 bitset(ERR_TXT_STRING, flags) ? data : ""); 2012 } 2013 } 2014 2015 # if OPENSSL_VERSION_NUMBER > 0x00907000L 2016 /* 2017 ** X509_VERIFY_CB -- verify callback 2018 ** 2019 ** Parameters: 2020 ** ctx -- x509 context 2021 ** 2022 ** Returns: 2023 ** accept connection? 2024 ** currently: always yes. 2025 */ 2026 2027 static int 2028 x509_verify_cb(ok, ctx) 2029 int ok; 2030 X509_STORE_CTX *ctx; 2031 { 2032 if (ok == 0) 2033 { 2034 if (LogLevel > 13) 2035 tls_verify_log(ok, ctx, "x509"); 2036 if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL) 2037 { 2038 X509_STORE_CTX_set_error(ctx, 0); 2039 return 1; /* override it */ 2040 } 2041 } 2042 return ok; 2043 } 2044 # endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */ 2045 #endif /* STARTTLS */ 2046