1 /* $NetBSD: smtp_tls_policy.c,v 1.2 2017/02/14 01:16:48 christos Exp $ */ 2 3 /*++ 4 /* NAME 5 /* smtp_tls_policy 3 6 /* SUMMARY 7 /* SMTP_TLS_POLICY structure management 8 /* SYNOPSIS 9 /* #include "smtp.h" 10 /* 11 /* void smtp_tls_list_init() 12 /* 13 /* int smtp_tls_policy_cache_query(why, tls, iter) 14 /* DSN_BUF *why; 15 /* SMTP_TLS_POLICY *tls; 16 /* SMTP_ITERATOR *iter; 17 /* 18 /* void smtp_tls_policy_dummy(tls) 19 /* SMTP_TLS_POLICY *tls; 20 /* 21 /* void smtp_tls_policy_cache_flush() 22 /* DESCRIPTION 23 /* smtp_tls_list_init() initializes lookup tables used by the TLS 24 /* policy engine. 25 /* 26 /* smtp_tls_policy_cache_query() returns a shallow copy of the 27 /* cached SMTP_TLS_POLICY structure for the iterator's 28 /* destination, host, port and DNSSEC validation status. 29 /* This copy is guaranteed to be valid until the next 30 /* smtp_tls_policy_cache_query() or smtp_tls_policy_cache_flush() 31 /* call. The caller can override the TLS security level without 32 /* corrupting the policy cache. 33 /* When any required table or DNS lookups fail, the TLS level 34 /* is set to TLS_LEV_INVALID, the "why" argument is updated 35 /* with the error reason and the result value is zero (false). 36 /* 37 /* smtp_tls_policy_dummy() initializes a trivial, non-cached, 38 /* policy with TLS disabled. 39 /* 40 /* smtp_tls_policy_cache_flush() destroys the TLS policy cache 41 /* and contents. 42 /* 43 /* Arguments: 44 /* .IP why 45 /* A pointer to a DSN_BUF which holds error status information when 46 /* the TLS policy lookup fails. 47 /* .IP tls 48 /* Pointer to TLS policy storage. 49 /* .IP iter 50 /* The literal next-hop or fall-back destination including 51 /* the optional [] and including the :port or :service; 52 /* the name of the remote host after MX and CNAME expansions 53 /* (see smtp_cname_overrides_servername for the handling 54 /* of hostnames that resolve to a CNAME record); 55 /* the printable address of the remote host; 56 /* the remote port in network byte order; 57 /* the DNSSEC validation status of the host name lookup after 58 /* MX and CNAME expansions. 59 /* LICENSE 60 /* .ad 61 /* .fi 62 /* This software is free. You can do with it whatever you want. 63 /* The original author kindly requests that you acknowledge 64 /* the use of his software. 65 /* AUTHOR(S) 66 /* TLS support originally by: 67 /* Lutz Jaenicke 68 /* BTU Cottbus 69 /* Allgemeine Elektrotechnik 70 /* Universitaetsplatz 3-4 71 /* D-03044 Cottbus, Germany 72 /* 73 /* Updated by: 74 /* Wietse Venema 75 /* IBM T.J. Watson Research 76 /* P.O. Box 704 77 /* Yorktown Heights, NY 10598, USA 78 /* 79 /* Viktor Dukhovni 80 /*--*/ 81 82 /* System library. */ 83 84 #include <sys_defs.h> 85 86 #ifdef USE_TLS 87 88 #include <netinet/in.h> /* ntohs() for Solaris or BSD */ 89 #include <arpa/inet.h> /* ntohs() for Linux or BSD */ 90 #include <stdlib.h> 91 #include <string.h> 92 93 #ifdef STRCASECMP_IN_STRINGS_H 94 #include <strings.h> 95 #endif 96 97 /* Utility library. */ 98 99 #include <msg.h> 100 #include <mymalloc.h> 101 #include <vstring.h> 102 #include <stringops.h> 103 #include <valid_utf8_hostname.h> 104 #include <ctable.h> 105 106 /* Global library. */ 107 108 #include <mail_params.h> 109 #include <maps.h> 110 #include <dsn_buf.h> 111 112 /* DNS library. */ 113 114 #include <dns.h> 115 116 /* Application-specific. */ 117 118 #include "smtp.h" 119 120 /* XXX Cache size should scale with [sl]mtp_mx_address_limit. */ 121 #define CACHE_SIZE 20 122 static CTABLE *policy_cache; 123 124 static int global_tls_level(void); 125 static void dane_init(SMTP_TLS_POLICY *, SMTP_ITERATOR *); 126 127 static MAPS *tls_policy; /* lookup table(s) */ 128 static MAPS *tls_per_site; /* lookup table(s) */ 129 130 /* smtp_tls_list_init - initialize per-site policy lists */ 131 132 void smtp_tls_list_init(void) 133 { 134 if (*var_smtp_tls_policy) { 135 tls_policy = maps_create(VAR_LMTP_SMTP(TLS_POLICY), 136 var_smtp_tls_policy, 137 DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX 138 | DICT_FLAG_UTF8_REQUEST); 139 if (*var_smtp_tls_per_site) 140 msg_warn("%s ignored when %s is not empty.", 141 VAR_LMTP_SMTP(TLS_PER_SITE), VAR_LMTP_SMTP(TLS_POLICY)); 142 return; 143 } 144 if (*var_smtp_tls_per_site) { 145 tls_per_site = maps_create(VAR_LMTP_SMTP(TLS_PER_SITE), 146 var_smtp_tls_per_site, 147 DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX 148 | DICT_FLAG_UTF8_REQUEST); 149 } 150 } 151 152 /* policy_name - printable tls policy level */ 153 154 static const char *policy_name(int tls_level) 155 { 156 const char *name = str_tls_level(tls_level); 157 158 if (name == 0) 159 name = "unknown"; 160 return name; 161 } 162 163 #define MARK_INVALID(why, levelp) do { \ 164 dsb_simple((why), "4.7.5", "client TLS configuration problem"); \ 165 *(levelp) = TLS_LEV_INVALID; } while (0) 166 167 /* tls_site_lookup - look up per-site TLS security level */ 168 169 static void tls_site_lookup(SMTP_TLS_POLICY *tls, int *site_level, 170 const char *site_name, const char *site_class) 171 { 172 const char *lookup; 173 174 /* 175 * Look up a non-default policy. In case of multiple lookup results, the 176 * precedence order is a permutation of the TLS enforcement level order: 177 * VERIFY, ENCRYPT, NONE, MAY, NOTFOUND. I.e. we override MAY with a more 178 * specific policy including NONE, otherwise we choose the stronger 179 * enforcement level. 180 */ 181 if ((lookup = maps_find(tls_per_site, site_name, 0)) != 0) { 182 if (!strcasecmp(lookup, "NONE")) { 183 /* NONE overrides MAY or NOTFOUND. */ 184 if (*site_level <= TLS_LEV_MAY) 185 *site_level = TLS_LEV_NONE; 186 } else if (!strcasecmp(lookup, "MAY")) { 187 /* MAY overrides NOTFOUND but not NONE. */ 188 if (*site_level < TLS_LEV_NONE) 189 *site_level = TLS_LEV_MAY; 190 } else if (!strcasecmp(lookup, "MUST_NOPEERMATCH")) { 191 if (*site_level < TLS_LEV_ENCRYPT) 192 *site_level = TLS_LEV_ENCRYPT; 193 } else if (!strcasecmp(lookup, "MUST")) { 194 if (*site_level < TLS_LEV_VERIFY) 195 *site_level = TLS_LEV_VERIFY; 196 } else { 197 msg_warn("%s: unknown TLS policy '%s' for %s %s", 198 tls_per_site->title, lookup, site_class, site_name); 199 MARK_INVALID(tls->why, site_level); 200 return; 201 } 202 } else if (tls_per_site->error) { 203 msg_warn("%s: %s \"%s\": per-site table lookup error", 204 tls_per_site->title, site_class, site_name); 205 dsb_simple(tls->why, "4.3.0", "Temporary lookup error"); 206 *site_level = TLS_LEV_INVALID; 207 return; 208 } 209 return; 210 } 211 212 /* tls_policy_lookup_one - look up destination TLS policy */ 213 214 static void tls_policy_lookup_one(SMTP_TLS_POLICY *tls, int *site_level, 215 const char *site_name, 216 const char *site_class) 217 { 218 const char *lookup; 219 char *policy; 220 char *saved_policy; 221 char *tok; 222 const char *err; 223 char *name; 224 char *val; 225 static VSTRING *cbuf; 226 227 #undef FREE_RETURN 228 #define FREE_RETURN do { myfree(saved_policy); return; } while (0) 229 230 #define INVALID_RETURN(why, levelp) do { \ 231 MARK_INVALID((why), (levelp)); FREE_RETURN; } while (0) 232 233 #define WHERE \ 234 STR(vstring_sprintf(cbuf, "%s, %s \"%s\"", \ 235 tls_policy->title, site_class, site_name)) 236 237 if (cbuf == 0) 238 cbuf = vstring_alloc(10); 239 240 if ((lookup = maps_find(tls_policy, site_name, 0)) == 0) { 241 if (tls_policy->error) { 242 msg_warn("%s: policy table lookup error", WHERE); 243 MARK_INVALID(tls->why, site_level); 244 } 245 return; 246 } 247 saved_policy = policy = mystrdup(lookup); 248 249 if ((tok = mystrtok(&policy, CHARS_COMMA_SP)) == 0) { 250 msg_warn("%s: invalid empty policy", WHERE); 251 INVALID_RETURN(tls->why, site_level); 252 } 253 *site_level = tls_level_lookup(tok); 254 if (*site_level == TLS_LEV_INVALID) { 255 /* tls_level_lookup() logs no warning. */ 256 msg_warn("%s: invalid security level \"%s\"", WHERE, tok); 257 INVALID_RETURN(tls->why, site_level); 258 } 259 260 /* 261 * Warn about ignored attributes when TLS is disabled. 262 */ 263 if (*site_level < TLS_LEV_MAY) { 264 while ((tok = mystrtok(&policy, CHARS_COMMA_SP)) != 0) 265 msg_warn("%s: ignoring attribute \"%s\" with TLS disabled", 266 WHERE, tok); 267 FREE_RETURN; 268 } 269 270 /* 271 * Errors in attributes may have security consequences, don't ignore 272 * errors that can degrade security. 273 */ 274 while ((tok = mystrtok(&policy, CHARS_COMMA_SP)) != 0) { 275 if ((err = split_nameval(tok, &name, &val)) != 0) { 276 msg_warn("%s: malformed attribute/value pair \"%s\": %s", 277 WHERE, tok, err); 278 INVALID_RETURN(tls->why, site_level); 279 } 280 /* Only one instance per policy. */ 281 if (!strcasecmp(name, "ciphers")) { 282 if (*val == 0) { 283 msg_warn("%s: attribute \"%s\" has empty value", WHERE, name); 284 INVALID_RETURN(tls->why, site_level); 285 } 286 if (tls->grade) { 287 msg_warn("%s: attribute \"%s\" is specified multiple times", 288 WHERE, name); 289 INVALID_RETURN(tls->why, site_level); 290 } 291 tls->grade = mystrdup(val); 292 continue; 293 } 294 /* Only one instance per policy. */ 295 if (!strcasecmp(name, "protocols")) { 296 if (tls->protocols) { 297 msg_warn("%s: attribute \"%s\" is specified multiple times", 298 WHERE, name); 299 INVALID_RETURN(tls->why, site_level); 300 } 301 tls->protocols = mystrdup(val); 302 continue; 303 } 304 /* Multiple instances per policy. */ 305 if (!strcasecmp(name, "match")) { 306 if (*val == 0) { 307 msg_warn("%s: attribute \"%s\" has empty value", WHERE, name); 308 INVALID_RETURN(tls->why, site_level); 309 } 310 switch (*site_level) { 311 default: 312 msg_warn("%s: attribute \"%s\" invalid at security level " 313 "\"%s\"", WHERE, name, policy_name(*site_level)); 314 INVALID_RETURN(tls->why, site_level); 315 break; 316 case TLS_LEV_FPRINT: 317 if (!tls->dane) 318 tls->dane = tls_dane_alloc(); 319 tls_dane_add_ee_digests(tls->dane, 320 var_smtp_tls_fpt_dgst, val, "|"); 321 break; 322 case TLS_LEV_VERIFY: 323 case TLS_LEV_SECURE: 324 if (tls->matchargv == 0) 325 tls->matchargv = argv_split(val, ":"); 326 else 327 argv_split_append(tls->matchargv, val, ":"); 328 break; 329 } 330 continue; 331 } 332 /* Only one instance per policy. */ 333 if (!strcasecmp(name, "exclude")) { 334 if (tls->exclusions) { 335 msg_warn("%s: attribute \"%s\" is specified multiple times", 336 WHERE, name); 337 INVALID_RETURN(tls->why, site_level); 338 } 339 tls->exclusions = vstring_strcpy(vstring_alloc(10), val); 340 continue; 341 } 342 /* Multiple instances per policy. */ 343 if (!strcasecmp(name, "tafile")) { 344 /* Only makes sense if we're using CA-based trust */ 345 if (!TLS_MUST_PKIX(*site_level)) { 346 msg_warn("%s: attribute \"%s\" invalid at security level" 347 " \"%s\"", WHERE, name, policy_name(*site_level)); 348 INVALID_RETURN(tls->why, site_level); 349 } 350 if (*val == 0) { 351 msg_warn("%s: attribute \"%s\" has empty value", WHERE, name); 352 INVALID_RETURN(tls->why, site_level); 353 } 354 if (!tls->dane) 355 tls->dane = tls_dane_alloc(); 356 if (!tls_dane_load_trustfile(tls->dane, val)) { 357 INVALID_RETURN(tls->why, site_level); 358 } 359 continue; 360 } 361 msg_warn("%s: invalid attribute name: \"%s\"", WHERE, name); 362 INVALID_RETURN(tls->why, site_level); 363 } 364 365 FREE_RETURN; 366 } 367 368 /* tls_policy_lookup - look up destination TLS policy */ 369 370 static void tls_policy_lookup(SMTP_TLS_POLICY *tls, int *site_level, 371 const char *site_name, 372 const char *site_class) 373 { 374 375 /* 376 * Only one lookup with [nexthop]:port, [nexthop] or nexthop:port These 377 * are never the domain part of localpart@domain, rather they are 378 * explicit nexthops from transport:nexthop, and match only the 379 * corresponding policy. Parent domain matching (below) applies only to 380 * sub-domains of the recipient domain. 381 * 382 * XXX UNIX-domain connections query with the pathname as destination. 383 */ 384 if (!valid_utf8_hostname(var_smtputf8_enable, site_name, DONT_GRIPE)) { 385 tls_policy_lookup_one(tls, site_level, site_name, site_class); 386 return; 387 } 388 do { 389 tls_policy_lookup_one(tls, site_level, site_name, site_class); 390 } while (*site_level == TLS_LEV_NOTFOUND 391 && (site_name = strchr(site_name + 1, '.')) != 0); 392 } 393 394 /* load_tas - load one or more ta files */ 395 396 static int load_tas(TLS_DANE *dane, const char *files) 397 { 398 int ret = 0; 399 char *save = mystrdup(files); 400 char *buf = save; 401 char *file; 402 403 do { 404 if ((file = mystrtok(&buf, CHARS_COMMA_SP)) != 0) 405 ret = tls_dane_load_trustfile(dane, file); 406 } while (file && ret); 407 408 myfree(save); 409 return (ret); 410 } 411 412 /* set_cipher_grade - Set cipher grade and exclusions */ 413 414 static void set_cipher_grade(SMTP_TLS_POLICY *tls) 415 { 416 const char *mand_exclude = ""; 417 const char *also_exclude = ""; 418 419 /* 420 * Use main.cf cipher level if no per-destination value specified. With 421 * mandatory encryption at least encrypt, and with mandatory verification 422 * at least authenticate! 423 */ 424 switch (tls->level) { 425 case TLS_LEV_INVALID: 426 case TLS_LEV_NONE: 427 return; 428 429 case TLS_LEV_MAY: 430 if (tls->grade == 0) 431 tls->grade = mystrdup(var_smtp_tls_ciph); 432 break; 433 434 case TLS_LEV_ENCRYPT: 435 if (tls->grade == 0) 436 tls->grade = mystrdup(var_smtp_tls_mand_ciph); 437 mand_exclude = var_smtp_tls_mand_excl; 438 also_exclude = "eNULL"; 439 break; 440 441 case TLS_LEV_HALF_DANE: 442 case TLS_LEV_DANE: 443 case TLS_LEV_DANE_ONLY: 444 case TLS_LEV_FPRINT: 445 case TLS_LEV_VERIFY: 446 case TLS_LEV_SECURE: 447 if (tls->grade == 0) 448 tls->grade = mystrdup(var_smtp_tls_mand_ciph); 449 mand_exclude = var_smtp_tls_mand_excl; 450 also_exclude = "aNULL"; 451 break; 452 } 453 454 #define ADD_EXCLUDE(vstr, str) \ 455 do { \ 456 if (*(str)) \ 457 vstring_sprintf_append((vstr), "%s%s", \ 458 VSTRING_LEN(vstr) ? " " : "", (str)); \ 459 } while (0) 460 461 /* 462 * The "exclude" policy table attribute overrides main.cf exclusion 463 * lists. 464 */ 465 if (tls->exclusions == 0) { 466 tls->exclusions = vstring_alloc(10); 467 ADD_EXCLUDE(tls->exclusions, var_smtp_tls_excl_ciph); 468 ADD_EXCLUDE(tls->exclusions, mand_exclude); 469 } 470 ADD_EXCLUDE(tls->exclusions, also_exclude); 471 } 472 473 /* policy_create - create SMTP TLS policy cache object (ctable call-back) */ 474 475 static void *policy_create(const char *unused_key, void *context) 476 { 477 SMTP_ITERATOR *iter = (SMTP_ITERATOR *) context; 478 int site_level; 479 const char *dest = STR(iter->dest); 480 const char *host = STR(iter->host); 481 482 /* 483 * Prepare a pristine policy object. 484 */ 485 SMTP_TLS_POLICY *tls = (SMTP_TLS_POLICY *) mymalloc(sizeof(*tls)); 486 487 smtp_tls_policy_init(tls, dsb_create()); 488 489 /* 490 * Compute the per-site TLS enforcement level. For compatibility with the 491 * original TLS patch, this algorithm is gives equal precedence to host 492 * and next-hop policies. 493 */ 494 tls->level = global_tls_level(); 495 site_level = TLS_LEV_NOTFOUND; 496 497 if (tls_policy) { 498 tls_policy_lookup(tls, &site_level, dest, "next-hop destination"); 499 } else if (tls_per_site) { 500 tls_site_lookup(tls, &site_level, dest, "next-hop destination"); 501 if (site_level != TLS_LEV_INVALID 502 && strcasecmp_utf8(dest, host) != 0) 503 tls_site_lookup(tls, &site_level, host, "server hostname"); 504 505 /* 506 * Override a wild-card per-site policy with a more specific global 507 * policy. 508 * 509 * With the original TLS patch, 1) a per-site ENCRYPT could not override 510 * a global VERIFY, and 2) a combined per-site (NONE+MAY) policy 511 * produced inconsistent results: it changed a global VERIFY into 512 * NONE, while producing MAY with all weaker global policy settings. 513 * 514 * With the current implementation, a combined per-site (NONE+MAY) 515 * consistently overrides global policy with NONE, and global policy 516 * can override only a per-site MAY wildcard. That is, specific 517 * policies consistently override wildcard policies, and 518 * (non-wildcard) per-site policies consistently override global 519 * policies. 520 */ 521 if (site_level == TLS_LEV_MAY && tls->level > TLS_LEV_MAY) 522 site_level = tls->level; 523 } 524 switch (site_level) { 525 default: 526 tls->level = site_level; 527 /* FALLTHROUGH */ 528 case TLS_LEV_NOTFOUND: 529 break; 530 case TLS_LEV_INVALID: 531 tls->level = site_level; 532 return ((void *) tls); 533 } 534 535 /* 536 * DANE initialization may change the security level to something else, 537 * so do this early, so that we use the right level below. Note that 538 * "dane-only" changes to "dane" once we obtain the requisite TLSA 539 * records. 540 */ 541 if (TLS_DANE_BASED(tls->level)) 542 dane_init(tls, iter); 543 if (tls->level == TLS_LEV_INVALID) 544 return ((void *) tls); 545 546 /* 547 * Use main.cf protocols setting if not set in per-destination table. 548 */ 549 if (tls->level > TLS_LEV_NONE && tls->protocols == 0) 550 tls->protocols = 551 mystrdup((tls->level == TLS_LEV_MAY) ? 552 var_smtp_tls_proto : var_smtp_tls_mand_proto); 553 554 /* 555 * Compute cipher grade (if set in per-destination table, else 556 * set_cipher() uses main.cf settings) and security level dependent 557 * cipher exclusion list. 558 */ 559 set_cipher_grade(tls); 560 561 /* 562 * Use main.cf cert_match setting if not set in per-destination table. 563 */ 564 switch (tls->level) { 565 case TLS_LEV_INVALID: 566 case TLS_LEV_NONE: 567 case TLS_LEV_MAY: 568 case TLS_LEV_ENCRYPT: 569 case TLS_LEV_HALF_DANE: 570 case TLS_LEV_DANE: 571 case TLS_LEV_DANE_ONLY: 572 break; 573 case TLS_LEV_FPRINT: 574 if (tls->dane == 0) 575 tls->dane = tls_dane_alloc(); 576 if (!TLS_DANE_HASEE(tls->dane)) { 577 tls_dane_add_ee_digests(tls->dane, var_smtp_tls_fpt_dgst, 578 var_smtp_tls_fpt_cmatch, CHARS_COMMA_SP); 579 if (!TLS_DANE_HASEE(tls->dane)) { 580 msg_warn("nexthop domain %s: configured at fingerprint " 581 "security level, but with no fingerprints to match.", 582 dest); 583 MARK_INVALID(tls->why, &tls->level); 584 return ((void *) tls); 585 } 586 } 587 break; 588 case TLS_LEV_VERIFY: 589 case TLS_LEV_SECURE: 590 if (tls->matchargv == 0) 591 tls->matchargv = 592 argv_split(tls->level == TLS_LEV_VERIFY ? 593 var_smtp_tls_vfy_cmatch : var_smtp_tls_sec_cmatch, 594 CHARS_COMMA_SP ":"); 595 if (*var_smtp_tls_tafile) { 596 if (tls->dane == 0) 597 tls->dane = tls_dane_alloc(); 598 if (!TLS_DANE_HASTA(tls->dane) 599 && !load_tas(tls->dane, var_smtp_tls_tafile)) { 600 MARK_INVALID(tls->why, &tls->level); 601 return ((void *) tls); 602 } 603 } 604 break; 605 default: 606 msg_panic("unexpected TLS security level: %d", tls->level); 607 } 608 609 if (msg_verbose && tls->level != global_tls_level()) 610 msg_info("%s TLS level: %s", "effective", policy_name(tls->level)); 611 612 return ((void *) tls); 613 } 614 615 /* policy_delete - free no longer cached policy (ctable call-back) */ 616 617 static void policy_delete(void *item, void *unused_context) 618 { 619 SMTP_TLS_POLICY *tls = (SMTP_TLS_POLICY *) item; 620 621 if (tls->protocols) 622 myfree(tls->protocols); 623 if (tls->grade) 624 myfree(tls->grade); 625 if (tls->exclusions) 626 vstring_free(tls->exclusions); 627 if (tls->matchargv) 628 argv_free(tls->matchargv); 629 if (tls->dane) 630 tls_dane_free(tls->dane); 631 dsb_free(tls->why); 632 633 myfree((void *) tls); 634 } 635 636 /* smtp_tls_policy_cache_query - cached lookup of TLS policy */ 637 638 int smtp_tls_policy_cache_query(DSN_BUF *why, SMTP_TLS_POLICY *tls, 639 SMTP_ITERATOR *iter) 640 { 641 VSTRING *key; 642 643 /* 644 * Create an empty TLS Policy cache on the fly. 645 */ 646 if (policy_cache == 0) 647 policy_cache = 648 ctable_create(CACHE_SIZE, policy_create, policy_delete, (void *) 0); 649 650 /* 651 * Query the TLS Policy cache, with a search key that reflects our shared 652 * values that also appear in other cache and table search keys. 653 */ 654 key = vstring_alloc(100); 655 smtp_key_prefix(key, ":", iter, SMTP_KEY_FLAG_NEXTHOP 656 | SMTP_KEY_FLAG_HOSTNAME 657 | SMTP_KEY_FLAG_PORT); 658 ctable_newcontext(policy_cache, (void *) iter); 659 *tls = *(SMTP_TLS_POLICY *) ctable_locate(policy_cache, STR(key)); 660 vstring_free(key); 661 662 /* 663 * Report errors. Both error and non-error results are cached. We must 664 * therefore copy the cached DSN buffer content to the caller's buffer. 665 */ 666 if (tls->level == TLS_LEV_INVALID) { 667 /* XXX Simplify this by implementing a "copy" primitive. */ 668 dsb_update(why, 669 STR(tls->why->status), STR(tls->why->action), 670 STR(tls->why->mtype), STR(tls->why->mname), 671 STR(tls->why->dtype), STR(tls->why->dtext), 672 "%s", STR(tls->why->reason)); 673 return (0); 674 } else { 675 return (1); 676 } 677 } 678 679 /* smtp_tls_policy_cache_flush - flush TLS policy cache */ 680 681 void smtp_tls_policy_cache_flush(void) 682 { 683 if (policy_cache != 0) { 684 ctable_free(policy_cache); 685 policy_cache = 0; 686 } 687 } 688 689 /* global_tls_level - parse and cache var_smtp_tls_level */ 690 691 static int global_tls_level(void) 692 { 693 static int l = TLS_LEV_NOTFOUND; 694 695 if (l != TLS_LEV_NOTFOUND) 696 return l; 697 698 /* 699 * Compute the global TLS policy. This is the default policy level when 700 * no per-site policy exists. It also is used to override a wild-card 701 * per-site policy. 702 * 703 * We require that the global level is valid on startup. 704 */ 705 if (*var_smtp_tls_level) { 706 if ((l = tls_level_lookup(var_smtp_tls_level)) == TLS_LEV_INVALID) 707 msg_fatal("invalid tls security level: \"%s\"", var_smtp_tls_level); 708 } else if (var_smtp_enforce_tls) 709 l = var_smtp_tls_enforce_peername ? TLS_LEV_VERIFY : TLS_LEV_ENCRYPT; 710 else 711 l = var_smtp_use_tls ? TLS_LEV_MAY : TLS_LEV_NONE; 712 713 if (msg_verbose) 714 msg_info("%s TLS level: %s", "global", policy_name(l)); 715 716 return l; 717 } 718 719 #define NONDANE_CONFIG 0 /* Administrator's fault */ 720 #define NONDANE_DEST 1 /* Remote server's fault */ 721 #define DANE_CANTAUTH 2 /* Remote server's fault */ 722 723 static void PRINTFLIKE(4, 5) dane_incompat(SMTP_TLS_POLICY *tls, 724 SMTP_ITERATOR *iter, 725 int errtype, 726 const char *fmt,...) 727 { 728 va_list ap; 729 730 va_start(ap, fmt); 731 if (tls->level == TLS_LEV_DANE) { 732 tls->level = (errtype == DANE_CANTAUTH) ? TLS_LEV_ENCRYPT : TLS_LEV_MAY; 733 if (errtype == NONDANE_CONFIG) 734 vmsg_warn(fmt, ap); 735 else if (msg_verbose) 736 vmsg_info(fmt, ap); 737 } else { /* dane-only */ 738 if (errtype == NONDANE_CONFIG) { 739 vmsg_warn(fmt, ap); 740 MARK_INVALID(tls->why, &tls->level); 741 } else { 742 tls->level = TLS_LEV_INVALID; 743 vdsb_simple(tls->why, "4.7.5", fmt, ap); 744 } 745 } 746 va_end(ap); 747 } 748 749 /* dane_init - special initialization for "dane" security level */ 750 751 static void dane_init(SMTP_TLS_POLICY *tls, SMTP_ITERATOR *iter) 752 { 753 TLS_DANE *dane; 754 755 if (!iter->port) { 756 msg_warn("%s: the \"dane\" security level is invalid for delivery via" 757 " unix-domain sockets", STR(iter->dest)); 758 MARK_INVALID(tls->why, &tls->level); 759 return; 760 } 761 if (!tls_dane_avail()) { 762 dane_incompat(tls, iter, NONDANE_CONFIG, 763 "%s: %s configured, but no requisite library support", 764 STR(iter->dest), policy_name(tls->level)); 765 return; 766 } 767 if (!(smtp_host_lookup_mask & SMTP_HOST_FLAG_DNS) 768 || smtp_dns_support != SMTP_DNS_DNSSEC) { 769 dane_incompat(tls, iter, NONDANE_CONFIG, 770 "%s: %s configured with dnssec lookups disabled", 771 STR(iter->dest), policy_name(tls->level)); 772 return; 773 } 774 775 /* 776 * If we ignore MX lookup errors, we also ignore DNSSEC security problems 777 * and thus avoid any reasonable expectation that we get the right DANE 778 * key material. 779 */ 780 if (smtp_mode && var_ign_mx_lookup_err) { 781 dane_incompat(tls, iter, NONDANE_CONFIG, 782 "%s: %s configured with MX lookup errors ignored", 783 STR(iter->dest), policy_name(tls->level)); 784 return; 785 } 786 787 /* 788 * This is not optional, code in tls_dane.c assumes that the nexthop 789 * qname is already an fqdn. If we're using these flags to go from qname 790 * to rname, the assumption is invalid. Likewise we cannot add the qname 791 * to certificate name checks, ... 792 */ 793 if (smtp_dns_res_opt & (RES_DEFNAMES | RES_DNSRCH)) { 794 dane_incompat(tls, iter, NONDANE_CONFIG, 795 "%s: dns resolver options incompatible with %s TLS", 796 STR(iter->dest), policy_name(tls->level)); 797 return; 798 } 799 800 /* 801 * When the MX name is present and insecure, DANE may not apply, we then 802 * either fail if DANE is mandatory or use regular opportunistic TLS if 803 * the insecure MX level is "may". 804 */ 805 if (iter->mx && !iter->mx->dnssec_valid 806 && (tls->level == TLS_LEV_DANE_ONLY || 807 smtp_tls_insecure_mx_policy <= TLS_LEV_MAY)) { 808 dane_incompat(tls, iter, NONDANE_DEST, "non DNSSEC destination"); 809 return; 810 } 811 /* When TLSA lookups fail, we defer the message */ 812 if ((dane = tls_dane_resolve(iter->port, "tcp", iter->rr, 813 var_smtp_tls_force_tlsa)) == 0) { 814 tls->level = TLS_LEV_INVALID; 815 dsb_simple(tls->why, "4.7.5", "TLSA lookup error for %s:%u", 816 STR(iter->host), ntohs(iter->port)); 817 return; 818 } 819 if (tls_dane_notfound(dane)) { 820 dane_incompat(tls, iter, NONDANE_DEST, "no TLSA records found"); 821 tls_dane_free(dane); 822 return; 823 } 824 825 /* 826 * Some TLSA records found, but none usable, per 827 * 828 * https://tools.ietf.org/html/draft-ietf-dane-srv-02#section-4 829 * 830 * we MUST use TLS, and SHALL use full PKIX certificate checks. The latter 831 * would be unwise for SMTP: no human present to "click ok" and risk of 832 * non-delivery in most cases exceeds risk of interception. 833 * 834 * We also have a form of Goedel's incompleteness theorem in play: any list 835 * of public root CA certs is either incomplete or inconsistent (for any 836 * given verifier some of the CAs are surely not trustworthy). 837 */ 838 if (tls_dane_unusable(dane)) { 839 dane_incompat(tls, iter, DANE_CANTAUTH, "TLSA records unusable"); 840 tls_dane_free(dane); 841 return; 842 } 843 844 /* 845 * Perhaps downgrade to "encrypt" if MX is insecure. 846 */ 847 if (iter->mx && !iter->mx->dnssec_valid) { 848 if (smtp_tls_insecure_mx_policy == TLS_LEV_ENCRYPT) { 849 dane_incompat(tls, iter, DANE_CANTAUTH, 850 "Verification not possible, MX RRset is insecure"); 851 tls_dane_free(dane); 852 return; 853 } 854 if (tls->level != TLS_LEV_DANE 855 || smtp_tls_insecure_mx_policy != TLS_LEV_DANE) 856 msg_panic("wrong state for insecure MX host DANE policy"); 857 858 /* For correct logging in tls_client_start() */ 859 tls->level = TLS_LEV_HALF_DANE; 860 } 861 862 /* 863 * With DANE trust anchors, peername matching is not configurable. 864 */ 865 if (TLS_DANE_HASTA(dane)) { 866 tls->matchargv = argv_alloc(2); 867 argv_add(tls->matchargv, dane->base_domain, ARGV_END); 868 if (iter->mx) { 869 if (strcmp(iter->mx->qname, iter->mx->rname) == 0) 870 argv_add(tls->matchargv, iter->mx->qname, ARGV_END); 871 else 872 argv_add(tls->matchargv, iter->mx->rname, 873 iter->mx->qname, ARGV_END); 874 } 875 } else if (!TLS_DANE_HASEE(dane)) 876 msg_panic("empty DANE match list"); 877 tls->dane = dane; 878 return; 879 } 880 881 #endif 882