1 /* $NetBSD: tls_misc.c,v 1.4 2022/10/08 16:12:50 christos Exp $ */ 2 3 /*++ 4 /* NAME 5 /* tls_misc 3 6 /* SUMMARY 7 /* miscellaneous TLS support routines 8 /* SYNOPSIS 9 /* .SH Public functions 10 /* .nf 11 /* .na 12 /* #include <tls.h> 13 /* 14 /* void tls_log_summary(role, usage, TLScontext) 15 /* TLS_ROLE role; 16 /* TLS_USAGE usage; 17 /* TLS_SESS_STATE *TLScontext; 18 /* 19 /* const char *tls_compile_version(void) 20 /* 21 /* const char *tls_run_version(void) 22 /* 23 /* const char **tls_pkey_algorithms(void) 24 /* 25 /* void tls_pre_jail_init(TLS_ROLE) 26 /* TLS_ROLE role; 27 /* 28 /* .SH Internal functions 29 /* .nf 30 /* .na 31 /* #define TLS_INTERNAL 32 /* #include <tls.h> 33 /* 34 /* char *var_tls_high_clist; 35 /* char *var_tls_medium_clist; 36 /* char *var_tls_low_clist; 37 /* char *var_tls_export_clist; 38 /* char *var_tls_null_clist; 39 /* char *var_tls_eecdh_auto; 40 /* char *var_tls_eecdh_strong; 41 /* char *var_tls_eecdh_ultra; 42 /* char *var_tls_dane_digests; 43 /* int var_tls_daemon_rand_bytes; 44 /* bool var_tls_append_def_CA; 45 /* bool var_tls_preempt_clist; 46 /* bool var_tls_bc_pkey_fprint; 47 /* bool var_tls_multi_wildcard; 48 /* char *var_tls_mgr_service; 49 /* char *var_tls_tkt_cipher; 50 /* char *var_openssl_path; 51 /* char *var_tls_server_sni_maps; 52 /* bool var_tls_fast_shutdown; 53 /* 54 /* TLS_APPL_STATE *tls_alloc_app_context(ssl_ctx, log_mask) 55 /* SSL_CTX *ssl_ctx; 56 /* int log_mask; 57 /* 58 /* void tls_free_app_context(app_ctx) 59 /* void *app_ctx; 60 /* 61 /* TLS_SESS_STATE *tls_alloc_sess_context(log_mask, namaddr) 62 /* int log_mask; 63 /* const char *namaddr; 64 /* 65 /* void tls_free_context(TLScontext) 66 /* TLS_SESS_STATE *TLScontext; 67 /* 68 /* void tls_check_version() 69 /* 70 /* long tls_bug_bits() 71 /* 72 /* void tls_param_init() 73 /* 74 /* int tls_proto_mask_lims(plist, floor, ceiling) 75 /* const char *plist; 76 /* int *floor; 77 /* int *ceiling; 78 /* 79 /* int tls_cipher_grade(name) 80 /* const char *name; 81 /* 82 /* const char *str_tls_cipher_grade(grade) 83 /* int grade; 84 /* 85 /* const char *tls_set_ciphers(TLScontext, grade, exclusions) 86 /* TLS_SESS_STATE *TLScontext; 87 /* int grade; 88 /* const char *exclusions; 89 /* 90 /* void tls_get_signature_params(TLScontext) 91 /* TLS_SESS_STATE *TLScontext; 92 /* 93 /* void tls_print_errors() 94 /* 95 /* void tls_info_callback(ssl, where, ret) 96 /* const SSL *ssl; /* unused */ 97 /* int where; 98 /* int ret; 99 /* 100 /* long tls_bio_dump_cb(bio, cmd, argp, len, argi, argl, ret, processed) 101 /* BIO *bio; 102 /* int cmd; 103 /* const char *argp; 104 /* size_t len; 105 /* int argi; 106 /* long argl; /* unused */ 107 /* int ret; 108 /* size_t *processed; 109 /* 110 /* int tls_log_mask(log_param, log_level) 111 /* const char *log_param; 112 /* const char *log_level; 113 /* 114 /* void tls_update_app_logmask(app_ctx, log_mask) 115 /* TLS_APPL_STATE *app_ctx; 116 /* int log_mask; 117 /* 118 /* const EVP_MD *tls_validate_digest(dgst) 119 /* const char *dgst; 120 /* DESCRIPTION 121 /* This module implements public and internal routines that 122 /* support the TLS client and server. 123 /* 124 /* tls_log_summary() logs a summary of a completed TLS connection. 125 /* The "role" argument must be TLS_ROLE_CLIENT for outgoing client 126 /* connections, or TLS_ROLE_SERVER for incoming server connections, 127 /* and the "usage" must be TLS_USAGE_NEW or TLS_USAGE_USED. 128 /* 129 /* tls_compile_version() returns a text string description of 130 /* the compile-time TLS library. 131 /* 132 /* tls_run_version() is just tls_compile_version() but with the runtime 133 /* version instead of the compile-time version. 134 /* 135 /* tls_pkey_algorithms() returns a pointer to null-terminated 136 /* array of string constants with the names of the supported 137 /* public-key algorithms. 138 /* 139 /* tls_alloc_app_context() creates an application context that 140 /* holds the SSL context for the application and related cached state. 141 /* 142 /* tls_free_app_context() deallocates the application context and its 143 /* contents (the application context is stored outside the TLS library). 144 /* 145 /* tls_alloc_sess_context() creates an initialized TLS session context 146 /* structure with the specified log mask and peer name[addr]. 147 /* 148 /* tls_free_context() destroys a TLScontext structure 149 /* together with OpenSSL structures that are attached to it. 150 /* 151 /* tls_check_version() logs a warning when the run-time OpenSSL 152 /* library differs in its major, minor or micro number from 153 /* the compile-time OpenSSL headers. 154 /* 155 /* tls_bug_bits() returns the bug compatibility mask appropriate 156 /* for the run-time library. Some of the bug work-arounds are 157 /* not appropriate for some library versions. 158 /* 159 /* tls_param_init() loads main.cf parameters used internally in 160 /* TLS library. Any errors are fatal. 161 /* 162 /* tls_pre_jail_init() opens any tables that need to be opened before 163 /* entering a chroot jail. The "role" parameter must be TLS_ROLE_CLIENT 164 /* for clients and TLS_ROLE_SERVER for servers. Any errors are fatal. 165 /* 166 /* tls_proto_mask_lims() returns a bitmask of excluded protocols, and 167 /* and the protocol version floor/ceiling, given a list (plist) of 168 /* protocols to include or (preceded by a '!') exclude, or constraints 169 /* of the form '>=name', '<=name', '>=hexvalue', '<=hexvalue'. If "plist" 170 /* contains invalid protocol names, TLS_PROTOCOL_INVALID is returned and 171 /* no warning is logged. 172 /* 173 /* tls_cipher_grade() converts a case-insensitive cipher grade 174 /* name (high, medium, low, export, null) to the corresponding 175 /* TLS_CIPHER_ constant. When the input specifies an unrecognized 176 /* grade, tls_cipher_grade() logs no warning, and returns 177 /* TLS_CIPHER_NONE. 178 /* 179 /* str_tls_cipher_grade() converts a cipher grade to a name. 180 /* When the input specifies an undefined grade, str_tls_cipher_grade() 181 /* logs no warning, returns a null pointer. 182 /* 183 /* tls_set_ciphers() applies the requested cipher grade and exclusions 184 /* to the provided TLS session context, returning the resulting cipher 185 /* list string. The return value is the cipherlist used and is 186 /* overwritten upon each call. When the input is invalid, 187 /* tls_set_ciphers() logs a warning, and returns a null result. 188 /* 189 /* tls_get_signature_params() updates the "TLScontext" with handshake 190 /* signature parameters pertaining to TLS 1.3, where the ciphersuite 191 /* no longer describes the asymmetric algorithms employed in the 192 /* handshake, which are negotiated separately. This function 193 /* has no effect for TLS 1.2 and earlier. 194 /* 195 /* tls_print_errors() queries the OpenSSL error stack, 196 /* logs the error messages, and clears the error stack. 197 /* 198 /* tls_info_callback() is a call-back routine for the 199 /* SSL_CTX_set_info_callback() routine. It logs SSL events 200 /* to the Postfix logfile. 201 /* 202 /* tls_bio_dump_cb() is a call-back routine for the 203 /* BIO_set_callback() routine. It logs SSL content to the 204 /* Postfix logfile. 205 /* 206 /* tls_log_mask() converts a TLS log_level value from string 207 /* to mask. The main.cf parameter name is passed along for 208 /* diagnostics. 209 /* 210 /* tls_update_app_logmask() changes the log mask of the 211 /* application TLS context to the new setting. 212 /* 213 /* tls_validate_digest() returns a static handle for the named 214 /* digest algorithm, or NULL on error. 215 /* LICENSE 216 /* .ad 217 /* .fi 218 /* This software is free. You can do with it whatever you want. 219 /* The original author kindly requests that you acknowledge 220 /* the use of his software. 221 /* AUTHOR(S) 222 /* Originally written by: 223 /* Lutz Jaenicke 224 /* BTU Cottbus 225 /* Allgemeine Elektrotechnik 226 /* Universitaetsplatz 3-4 227 /* D-03044 Cottbus, Germany 228 /* 229 /* Updated by: 230 /* Wietse Venema 231 /* IBM T.J. Watson Research 232 /* P.O. Box 704 233 /* Yorktown Heights, NY 10598, USA 234 /* 235 /* Victor Duchovni 236 /* Morgan Stanley 237 /* 238 /* Wietse Venema 239 /* Google, Inc. 240 /* 111 8th Avenue 241 /* New York, NY 10011, USA 242 /*--*/ 243 244 /* System library. */ 245 246 #include <sys_defs.h> 247 #include <ctype.h> 248 #include <string.h> 249 250 /* Utility library. */ 251 252 #include <vstream.h> 253 #include <msg.h> 254 #include <mymalloc.h> 255 #include <vstring.h> 256 #include <stringops.h> 257 #include <argv.h> 258 #include <name_mask.h> 259 #include <name_code.h> 260 #include <dict.h> 261 #include <valid_hostname.h> 262 263 /* 264 * Global library. 265 */ 266 #include <mail_params.h> 267 #include <mail_conf.h> 268 #include <maps.h> 269 270 /* 271 * TLS library. 272 */ 273 #define TLS_INTERNAL 274 #include <tls.h> 275 276 /* Application-specific. */ 277 278 /* 279 * Tunable parameters. 280 */ 281 char *var_tls_high_clist; 282 char *var_tls_medium_clist; 283 char *var_tls_low_clist; 284 char *var_tls_export_clist; 285 char *var_tls_null_clist; 286 int var_tls_daemon_rand_bytes; 287 char *var_tls_eecdh_auto; 288 char *var_tls_eecdh_strong; 289 char *var_tls_eecdh_ultra; 290 char *var_tls_dane_digests; 291 bool var_tls_append_def_CA; 292 char *var_tls_bug_tweaks; 293 char *var_tls_ssl_options; 294 bool var_tls_bc_pkey_fprint; 295 bool var_tls_multi_wildcard; 296 char *var_tls_mgr_service; 297 char *var_tls_tkt_cipher; 298 char *var_openssl_path; 299 char *var_tls_server_sni_maps; 300 bool var_tls_fast_shutdown; 301 bool var_tls_preempt_clist; 302 303 #ifdef USE_TLS 304 305 static MAPS *tls_server_sni_maps; 306 307 /* 308 * Index to attach TLScontext pointers to SSL objects, so that they can be 309 * accessed by call-back routines. 310 */ 311 int TLScontext_index = -1; 312 313 /* 314 * Protocol name <=> mask conversion. 315 */ 316 static const NAME_CODE protocol_table[] = { 317 SSL_TXT_SSLV2, TLS_PROTOCOL_SSLv2, 318 SSL_TXT_SSLV3, TLS_PROTOCOL_SSLv3, 319 SSL_TXT_TLSV1, TLS_PROTOCOL_TLSv1, 320 SSL_TXT_TLSV1_1, TLS_PROTOCOL_TLSv1_1, 321 SSL_TXT_TLSV1_2, TLS_PROTOCOL_TLSv1_2, 322 TLS_PROTOCOL_TXT_TLSV1_3, TLS_PROTOCOL_TLSv1_3, 323 0, TLS_PROTOCOL_INVALID, 324 }; 325 326 /* 327 * Protocol name => numeric version, for MinProtocol and MaxProtocol 328 */ 329 static const NAME_CODE tls_version_table[] = { 330 "None", 0, 331 SSL_TXT_SSLV3, SSL3_VERSION, 332 SSL_TXT_TLSV1, TLS1_VERSION, 333 SSL_TXT_TLSV1_1, TLS1_1_VERSION, 334 SSL_TXT_TLSV1_2, TLS1_2_VERSION, 335 TLS_PROTOCOL_TXT_TLSV1_3, TLS1_3_VERSION, 336 0, -1, 337 }; 338 339 /* 340 * SSL_OP_MUMBLE bug work-around name <=> mask conversion. 341 */ 342 #define NAMEBUG(x) #x, SSL_OP_##x 343 static const LONG_NAME_MASK ssl_bug_tweaks[] = { 344 345 #ifndef SSL_OP_MICROSOFT_SESS_ID_BUG 346 #define SSL_OP_MICROSOFT_SESS_ID_BUG 0 347 #endif 348 NAMEBUG(MICROSOFT_SESS_ID_BUG), 349 350 #ifndef SSL_OP_NETSCAPE_CHALLENGE_BUG 351 #define SSL_OP_NETSCAPE_CHALLENGE_BUG 0 352 #endif 353 NAMEBUG(NETSCAPE_CHALLENGE_BUG), 354 355 #ifndef SSL_OP_LEGACY_SERVER_CONNECT 356 #define SSL_OP_LEGACY_SERVER_CONNECT 0 357 #endif 358 NAMEBUG(LEGACY_SERVER_CONNECT), 359 360 #ifndef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 361 #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0 362 #endif 363 NAMEBUG(NETSCAPE_REUSE_CIPHER_CHANGE_BUG), 364 "CVE-2010-4180", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG, 365 366 #ifndef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 367 #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0 368 #endif 369 NAMEBUG(SSLREF2_REUSE_CERT_TYPE_BUG), 370 371 #ifndef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 372 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0 373 #endif 374 NAMEBUG(MICROSOFT_BIG_SSLV3_BUFFER), 375 376 #ifndef SSL_OP_MSIE_SSLV2_RSA_PADDING 377 #define SSL_OP_MSIE_SSLV2_RSA_PADDING 0 378 #endif 379 NAMEBUG(MSIE_SSLV2_RSA_PADDING), 380 "CVE-2005-2969", SSL_OP_MSIE_SSLV2_RSA_PADDING, 381 382 #ifndef SSL_OP_SSLEAY_080_CLIENT_DH_BUG 383 #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0 384 #endif 385 NAMEBUG(SSLEAY_080_CLIENT_DH_BUG), 386 387 #ifndef SSL_OP_TLS_D5_BUG 388 #define SSL_OP_TLS_D5_BUG 0 389 #endif 390 NAMEBUG(TLS_D5_BUG), 391 392 #ifndef SSL_OP_TLS_BLOCK_PADDING_BUG 393 #define SSL_OP_TLS_BLOCK_PADDING_BUG 0 394 #endif 395 NAMEBUG(TLS_BLOCK_PADDING_BUG), 396 397 #ifndef SSL_OP_TLS_ROLLBACK_BUG 398 #define SSL_OP_TLS_ROLLBACK_BUG 0 399 #endif 400 NAMEBUG(TLS_ROLLBACK_BUG), 401 402 #ifndef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 403 #define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0 404 #endif 405 NAMEBUG(DONT_INSERT_EMPTY_FRAGMENTS), 406 407 #ifndef SSL_OP_CRYPTOPRO_TLSEXT_BUG 408 #define SSL_OP_CRYPTOPRO_TLSEXT_BUG 0 409 #endif 410 NAMEBUG(CRYPTOPRO_TLSEXT_BUG), 411 412 #ifndef SSL_OP_TLSEXT_PADDING 413 #define SSL_OP_TLSEXT_PADDING 0 414 #endif 415 NAMEBUG(TLSEXT_PADDING), 416 417 #if 0 418 419 /* 420 * XXX: New with OpenSSL 1.1.1, this is turned on implicitly in 421 * SSL_CTX_new() and is not included in SSL_OP_ALL. Allowing users to 422 * disable this would thus be a code change that would require clearing 423 * bug work-around bits in SSL_CTX, after setting SSL_OP_ALL. Since this 424 * is presumably required for TLS 1.3 on today's Internet, the code 425 * change will be done separately later. For now this implicit bug 426 * work-around cannot be disabled via supported Postfix mechanisms. 427 */ 428 #ifndef SSL_OP_ENABLE_MIDDLEBOX_COMPAT 429 #define SSL_OP_ENABLE_MIDDLEBOX_COMPAT 0 430 #endif 431 NAMEBUG(ENABLE_MIDDLEBOX_COMPAT), 432 #endif 433 434 0, 0, 435 }; 436 437 /* 438 * SSL_OP_MUMBLE option name <=> mask conversion for options that are not 439 * (or may in the future not be) in SSL_OP_ALL. These enable optional 440 * behavior, rather than bug interoperability work-arounds. 441 */ 442 #define NAME_SSL_OP(x) #x, SSL_OP_##x 443 static const LONG_NAME_MASK ssl_op_tweaks[] = { 444 445 #ifndef SSL_OP_LEGACY_SERVER_CONNECT 446 #define SSL_OP_LEGACY_SERVER_CONNECT 0 447 #endif 448 NAME_SSL_OP(LEGACY_SERVER_CONNECT), 449 450 #ifndef SSL_OP_NO_TICKET 451 #define SSL_OP_NO_TICKET 0 452 #endif 453 NAME_SSL_OP(NO_TICKET), 454 455 #ifndef SSL_OP_NO_COMPRESSION 456 #define SSL_OP_NO_COMPRESSION 0 457 #endif 458 NAME_SSL_OP(NO_COMPRESSION), 459 460 #ifndef SSL_OP_NO_RENEGOTIATION 461 #define SSL_OP_NO_RENEGOTIATION 0 462 #endif 463 NAME_SSL_OP(NO_RENEGOTIATION), 464 465 #ifndef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 466 #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0 467 #endif 468 NAME_SSL_OP(NO_SESSION_RESUMPTION_ON_RENEGOTIATION), 469 470 #ifndef SSL_OP_PRIORITIZE_CHACHA 471 #define SSL_OP_PRIORITIZE_CHACHA 0 472 #endif 473 NAME_SSL_OP(PRIORITIZE_CHACHA), 474 475 #ifndef SSL_OP_ENABLE_MIDDLEBOX_COMPAT 476 #define SSL_OP_ENABLE_MIDDLEBOX_COMPAT 0 477 #endif 478 NAME_SSL_OP(ENABLE_MIDDLEBOX_COMPAT), 479 480 0, 0, 481 }; 482 483 /* 484 * Once these have been a NOOP long enough, they might some day be removed 485 * from OpenSSL. The defines below will avoid bitrot issues if/when that 486 * happens. 487 */ 488 #ifndef SSL_OP_SINGLE_DH_USE 489 #define SSL_OP_SINGLE_DH_USE 0 490 #endif 491 #ifndef SSL_OP_SINGLE_ECDH_USE 492 #define SSL_OP_SINGLE_ECDH_USE 0 493 #endif 494 495 /* 496 * Ciphersuite name <=> code conversion. 497 */ 498 const NAME_CODE tls_cipher_grade_table[] = { 499 "high", TLS_CIPHER_HIGH, 500 "medium", TLS_CIPHER_MEDIUM, 501 "low", TLS_CIPHER_LOW, 502 "export", TLS_CIPHER_EXPORT, 503 "null", TLS_CIPHER_NULL, 504 "invalid", TLS_CIPHER_NONE, 505 0, TLS_CIPHER_NONE, 506 }; 507 508 /* 509 * Log keyword <=> mask conversion. 510 */ 511 #define TLS_LOG_0 TLS_LOG_NONE 512 #define TLS_LOG_1 TLS_LOG_SUMMARY 513 #define TLS_LOG_2 (TLS_LOG_1 | TLS_LOG_VERBOSE | TLS_LOG_CACHE | TLS_LOG_DEBUG) 514 #define TLS_LOG_3 (TLS_LOG_2 | TLS_LOG_TLSPKTS) 515 #define TLS_LOG_4 (TLS_LOG_3 | TLS_LOG_ALLPKTS) 516 517 static const NAME_MASK tls_log_table[] = { 518 "0", TLS_LOG_0, 519 "none", TLS_LOG_NONE, 520 "1", TLS_LOG_1, 521 "routine", TLS_LOG_1, 522 "2", TLS_LOG_2, 523 "debug", TLS_LOG_2, 524 "3", TLS_LOG_3, 525 "ssl-expert", TLS_LOG_3, 526 "4", TLS_LOG_4, 527 "ssl-developer", TLS_LOG_4, 528 "5", TLS_LOG_4, /* for good measure */ 529 "6", TLS_LOG_4, /* for good measure */ 530 "7", TLS_LOG_4, /* for good measure */ 531 "8", TLS_LOG_4, /* for good measure */ 532 "9", TLS_LOG_4, /* for good measure */ 533 "summary", TLS_LOG_SUMMARY, 534 "untrusted", TLS_LOG_UNTRUSTED, 535 "peercert", TLS_LOG_PEERCERT, 536 "certmatch", TLS_LOG_CERTMATCH, 537 "verbose", TLS_LOG_VERBOSE, /* Postfix TLS library verbose */ 538 "cache", TLS_LOG_CACHE, 539 "dane", TLS_LOG_DANE, /* DANE policy construction */ 540 "ssl-debug", TLS_LOG_DEBUG, /* SSL library debug/verbose */ 541 "ssl-handshake-packet-dump", TLS_LOG_TLSPKTS, 542 "ssl-session-packet-dump", TLS_LOG_TLSPKTS | TLS_LOG_ALLPKTS, 543 0, 0, 544 }; 545 546 /* 547 * Parsed OpenSSL version number. 548 */ 549 typedef struct { 550 int major; 551 int minor; 552 int micro; 553 int patch; 554 int status; 555 } TLS_VINFO; 556 557 /* tls_log_mask - Convert user TLS loglevel to internal log feature mask */ 558 559 int tls_log_mask(const char *log_param, const char *log_level) 560 { 561 int mask; 562 563 mask = name_mask_opt(log_param, tls_log_table, log_level, 564 NAME_MASK_ANY_CASE | NAME_MASK_RETURN); 565 return (mask); 566 } 567 568 /* tls_update_app_logmask - update log level after init */ 569 570 void tls_update_app_logmask(TLS_APPL_STATE *app_ctx, int log_mask) 571 { 572 app_ctx->log_mask = log_mask; 573 } 574 575 /* parse_version - parse TLS protocol version name or hex number */ 576 577 static int parse_tls_version(const char *tok, int *version) 578 { 579 int code = name_code(tls_version_table, NAME_CODE_FLAG_NONE, tok); 580 char *_end; 581 unsigned long ulval; 582 583 if (code != -1) { 584 *version = code; 585 return (0); 586 } 587 errno = 0; 588 ulval = strtoul(tok, &_end, 16); 589 if (*_end != 0 590 || (ulval == ULONG_MAX && errno == ERANGE) 591 || ulval > INT_MAX) 592 return TLS_PROTOCOL_INVALID; 593 594 *version = (int) ulval; 595 return (0); 596 } 597 598 /* tls_proto_mask_lims - protocols to exclude and floor/ceiling */ 599 600 int tls_proto_mask_lims(const char *plist, int *floor, int *ceiling) 601 { 602 char *save; 603 char *tok; 604 char *cp; 605 int code; 606 int exclude = 0; 607 int include = 0; 608 609 #define FREE_AND_RETURN(ptr, res) do { \ 610 myfree(ptr); \ 611 return (res); \ 612 } while (0) 613 614 *floor = *ceiling = 0; 615 616 save = cp = mystrdup(plist); 617 while ((tok = mystrtok(&cp, CHARS_COMMA_SP ":")) != 0) { 618 if (strncmp(tok, ">=", 2) == 0) 619 code = parse_tls_version(tok + 2, floor); 620 else if (strncmp(tok, "<=", 2) == 0) 621 code = parse_tls_version(tok + 2, ceiling); 622 else if (*tok == '!') 623 exclude |= code = 624 name_code(protocol_table, NAME_CODE_FLAG_NONE, ++tok); 625 else 626 include |= code = 627 name_code(protocol_table, NAME_CODE_FLAG_NONE, tok); 628 if (code == TLS_PROTOCOL_INVALID) 629 FREE_AND_RETURN(save, TLS_PROTOCOL_INVALID); 630 } 631 632 /* 633 * When the include list is empty, use only the explicit exclusions. 634 * Otherwise, also exclude the complement of the include list from the 635 * built-in list of known protocols. There is no way to exclude protocols 636 * we don't know about at compile time, and this is unavoidable because 637 * the OpenSSL API works with compile-time *exclusion* bit-masks. 638 */ 639 FREE_AND_RETURN(save, 640 (include ? (exclude | (TLS_KNOWN_PROTOCOLS & ~include)) : exclude)); 641 } 642 643 /* tls_param_init - Load TLS related config parameters */ 644 645 void tls_param_init(void) 646 { 647 /* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */ 648 static const CONFIG_STR_TABLE str_table[] = { 649 VAR_TLS_HIGH_CLIST, DEF_TLS_HIGH_CLIST, &var_tls_high_clist, 1, 0, 650 VAR_TLS_MEDIUM_CLIST, DEF_TLS_MEDIUM_CLIST, &var_tls_medium_clist, 1, 0, 651 VAR_TLS_LOW_CLIST, DEF_TLS_LOW_CLIST, &var_tls_low_clist, 1, 0, 652 VAR_TLS_EXPORT_CLIST, DEF_TLS_EXPORT_CLIST, &var_tls_export_clist, 1, 0, 653 VAR_TLS_NULL_CLIST, DEF_TLS_NULL_CLIST, &var_tls_null_clist, 1, 0, 654 VAR_TLS_EECDH_AUTO, DEF_TLS_EECDH_AUTO, &var_tls_eecdh_auto, 1, 0, 655 VAR_TLS_EECDH_STRONG, DEF_TLS_EECDH_STRONG, &var_tls_eecdh_strong, 1, 0, 656 VAR_TLS_EECDH_ULTRA, DEF_TLS_EECDH_ULTRA, &var_tls_eecdh_ultra, 1, 0, 657 VAR_TLS_BUG_TWEAKS, DEF_TLS_BUG_TWEAKS, &var_tls_bug_tweaks, 0, 0, 658 VAR_TLS_SSL_OPTIONS, DEF_TLS_SSL_OPTIONS, &var_tls_ssl_options, 0, 0, 659 VAR_TLS_DANE_DIGESTS, DEF_TLS_DANE_DIGESTS, &var_tls_dane_digests, 1, 0, 660 VAR_TLS_MGR_SERVICE, DEF_TLS_MGR_SERVICE, &var_tls_mgr_service, 1, 0, 661 VAR_TLS_TKT_CIPHER, DEF_TLS_TKT_CIPHER, &var_tls_tkt_cipher, 0, 0, 662 VAR_OPENSSL_PATH, DEF_OPENSSL_PATH, &var_openssl_path, 1, 0, 663 0, 664 }; 665 666 /* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */ 667 static const CONFIG_INT_TABLE int_table[] = { 668 VAR_TLS_DAEMON_RAND_BYTES, DEF_TLS_DAEMON_RAND_BYTES, &var_tls_daemon_rand_bytes, 1, 0, 669 0, 670 }; 671 672 /* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */ 673 static const CONFIG_BOOL_TABLE bool_table[] = { 674 VAR_TLS_APPEND_DEF_CA, DEF_TLS_APPEND_DEF_CA, &var_tls_append_def_CA, 675 VAR_TLS_BC_PKEY_FPRINT, DEF_TLS_BC_PKEY_FPRINT, &var_tls_bc_pkey_fprint, 676 VAR_TLS_PREEMPT_CLIST, DEF_TLS_PREEMPT_CLIST, &var_tls_preempt_clist, 677 VAR_TLS_MULTI_WILDCARD, DEF_TLS_MULTI_WILDCARD, &var_tls_multi_wildcard, 678 VAR_TLS_FAST_SHUTDOWN, DEF_TLS_FAST_SHUTDOWN, &var_tls_fast_shutdown, 679 0, 680 }; 681 static int init_done; 682 683 if (init_done) 684 return; 685 init_done = 1; 686 687 get_mail_conf_str_table(str_table); 688 get_mail_conf_int_table(int_table); 689 get_mail_conf_bool_table(bool_table); 690 } 691 692 /* tls_pre_jail_init - Load TLS related pre-jail tables */ 693 694 void tls_pre_jail_init(TLS_ROLE role) 695 { 696 static const CONFIG_STR_TABLE str_table[] = { 697 VAR_TLS_SERVER_SNI_MAPS, DEF_TLS_SERVER_SNI_MAPS, &var_tls_server_sni_maps, 0, 0, 698 0, 699 }; 700 int flags; 701 702 tls_param_init(); 703 704 /* Nothing for clients at this time */ 705 if (role != TLS_ROLE_SERVER) 706 return; 707 708 get_mail_conf_str_table(str_table); 709 if (*var_tls_server_sni_maps == 0) 710 return; 711 712 flags = DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX | DICT_FLAG_SRC_RHS_IS_FILE; 713 tls_server_sni_maps = 714 maps_create(VAR_TLS_SERVER_SNI_MAPS, var_tls_server_sni_maps, flags); 715 } 716 717 /* server_sni_callback - process client's SNI extension */ 718 719 static int server_sni_callback(SSL *ssl, int *alert, void *arg) 720 { 721 SSL_CTX *sni_ctx = (SSL_CTX *) arg; 722 TLS_SESS_STATE *TLScontext = SSL_get_ex_data(ssl, TLScontext_index); 723 const char *sni = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); 724 const char *cp = sni; 725 const char *pem; 726 727 /* SNI is silently ignored when we don't care or is NULL or empty */ 728 if (!sni_ctx || !tls_server_sni_maps || !sni || !*sni) 729 return SSL_TLSEXT_ERR_NOACK; 730 731 if (!valid_hostname(sni, DONT_GRIPE)) { 732 msg_warn("TLS SNI from %s is invalid: %s", 733 TLScontext->namaddr, sni); 734 return SSL_TLSEXT_ERR_NOACK; 735 } 736 737 /* 738 * With TLS 1.3, when the client's proposed key share is not supported by 739 * the server, the server may issue a HelloRetryRequest (HRR), and the 740 * client will then retry with a new key share on a curve supported by 741 * the server. This results in the SNI callback running twice for the 742 * same connection. 743 * 744 * When that happens, The client MUST send the essentially the same hello 745 * message, including the SNI name, and since we've already loaded our 746 * certificate chain, we don't need to do it again! Therefore, if we've 747 * already recorded the peer SNI name, just check that it has not 748 * changed, and return success. 749 */ 750 if (TLScontext->peer_sni) { 751 if (strcmp(sni, TLScontext->peer_sni) == 0) 752 return SSL_TLSEXT_ERR_OK; 753 msg_warn("TLS SNI changed from %s initially %s, %s after hello retry", 754 TLScontext->namaddr, TLScontext->peer_sni, sni); 755 return SSL_TLSEXT_ERR_NOACK; 756 } 757 do { 758 /* Don't silently skip maps opened with the wrong flags. */ 759 pem = maps_file_find(tls_server_sni_maps, cp, 0); 760 } while (!pem 761 && !tls_server_sni_maps->error 762 && (cp = strchr(cp + 1, '.')) != 0); 763 764 if (!pem) { 765 if (tls_server_sni_maps->error) { 766 msg_warn("%s: %s map lookup problem", 767 tls_server_sni_maps->title, sni); 768 *alert = SSL_AD_INTERNAL_ERROR; 769 return SSL_TLSEXT_ERR_ALERT_FATAL; 770 } 771 msg_info("TLS SNI %s from %s not matched, using default chain", 772 sni, TLScontext->namaddr); 773 774 /* 775 * XXX: We could lie and pretend to accept the name, but since we've 776 * previously not implemented the callback (with OpenSSL then 777 * declining the extension), and nothing bad happened, declining it 778 * explicitly should be safe. 779 */ 780 return SSL_TLSEXT_ERR_NOACK; 781 } 782 SSL_set_SSL_CTX(ssl, sni_ctx); 783 if (tls_load_pem_chain(ssl, pem, sni) != 0) { 784 /* errors already logged */ 785 *alert = SSL_AD_INTERNAL_ERROR; 786 return SSL_TLSEXT_ERR_ALERT_FATAL; 787 } 788 TLScontext->peer_sni = mystrdup(sni); 789 return SSL_TLSEXT_ERR_OK; 790 } 791 792 /* tls_set_ciphers - Set SSL context cipher list */ 793 794 const char *tls_set_ciphers(TLS_SESS_STATE *TLScontext, const char *grade, 795 const char *exclusions) 796 { 797 const char *myname = "tls_set_ciphers"; 798 static VSTRING *buf; 799 char *save; 800 char *cp; 801 char *tok; 802 803 if (buf == 0) 804 buf = vstring_alloc(10); 805 VSTRING_RESET(buf); 806 807 switch (tls_cipher_grade(grade)) { 808 case TLS_CIPHER_NONE: 809 msg_warn("%s: invalid cipher grade: \"%s\"", 810 TLScontext->namaddr, grade); 811 return (0); 812 case TLS_CIPHER_HIGH: 813 vstring_strcpy(buf, var_tls_high_clist); 814 break; 815 case TLS_CIPHER_MEDIUM: 816 vstring_strcpy(buf, var_tls_medium_clist); 817 break; 818 case TLS_CIPHER_LOW: 819 vstring_strcpy(buf, var_tls_low_clist); 820 break; 821 case TLS_CIPHER_EXPORT: 822 vstring_strcpy(buf, var_tls_export_clist); 823 break; 824 case TLS_CIPHER_NULL: 825 vstring_strcpy(buf, var_tls_null_clist); 826 break; 827 default: 828 /* Internal error, valid grade, but missing case label. */ 829 msg_panic("%s: unexpected cipher grade: %s", myname, grade); 830 } 831 832 /* 833 * The base lists for each grade can't be empty. 834 */ 835 if (VSTRING_LEN(buf) == 0) 836 msg_panic("%s: empty \"%s\" cipherlist", myname, grade); 837 838 /* 839 * Apply locally-specified exclusions. 840 */ 841 #define CIPHER_SEP CHARS_COMMA_SP ":" 842 if (exclusions != 0) { 843 cp = save = mystrdup(exclusions); 844 while ((tok = mystrtok(&cp, CIPHER_SEP)) != 0) { 845 846 /* 847 * Can't exclude ciphers that start with modifiers. 848 */ 849 if (strchr("!+-@", *tok)) { 850 msg_warn("%s: invalid unary '!+-@' in cipher exclusion: %s", 851 TLScontext->namaddr, tok); 852 return (0); 853 } 854 vstring_sprintf_append(buf, ":!%s", tok); 855 } 856 myfree(save); 857 } 858 ERR_clear_error(); 859 if (SSL_set_cipher_list(TLScontext->con, vstring_str(buf)) == 0) { 860 msg_warn("%s: error setting cipher grade: \"%s\"", 861 TLScontext->namaddr, grade); 862 tls_print_errors(); 863 return (0); 864 } 865 return (vstring_str(buf)); 866 } 867 868 /* ec_curve_name - copy EC key curve group name */ 869 870 #ifndef OPENSSL_NO_EC 871 static char *ec_curve_name(EVP_PKEY *pkey) 872 { 873 char *curve = 0; 874 875 #if OPENSSL_VERSION_PREREQ(3,0) 876 size_t namelen; 877 878 if (EVP_PKEY_get_group_name(pkey, 0, 0, &namelen)) { 879 curve = mymalloc(++namelen); 880 if (!EVP_PKEY_get_group_name(pkey, curve, namelen, 0)) { 881 myfree(curve); 882 curve = 0; 883 } 884 } 885 #else 886 EC_KEY *eckey = EVP_PKEY_get0_EC_KEY(pkey); 887 int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey)); 888 const char *tmp = EC_curve_nid2nist(nid); 889 890 if (!tmp) 891 tmp = OBJ_nid2sn(nid); 892 if (tmp) 893 curve = mystrdup(tmp); 894 #endif 895 return (curve); 896 } 897 898 #endif 899 900 /* tls_get_signature_params - TLS 1.3 signature details */ 901 902 void tls_get_signature_params(TLS_SESS_STATE *TLScontext) 903 { 904 const char *kex_name = 0; 905 const char *locl_sig_name = 0; 906 const char *locl_sig_dgst = 0; 907 const char *peer_sig_name = 0; 908 const char *peer_sig_dgst = 0; 909 char *kex_curve = 0; 910 char *locl_sig_curve = 0; 911 char *peer_sig_curve = 0; 912 int nid; 913 SSL *ssl = TLScontext->con; 914 int srvr = SSL_is_server(ssl); 915 EVP_PKEY *dh_pkey = 0; 916 X509 *local_cert; 917 EVP_PKEY *local_pkey = 0; 918 X509 *peer_cert; 919 EVP_PKEY *peer_pkey = 0; 920 921 #define SIG_PROP(c, s, p) (*((s) ? &c->srvr_sig_##p : &c->clnt_sig_##p)) 922 923 if (SSL_version(ssl) < TLS1_3_VERSION) 924 return; 925 926 if (tls_get_peer_dh_pubkey(ssl, &dh_pkey)) { 927 switch (nid = EVP_PKEY_id(dh_pkey)) { 928 default: 929 kex_name = OBJ_nid2sn(EVP_PKEY_type(nid)); 930 break; 931 932 case EVP_PKEY_DH: 933 kex_name = "DHE"; 934 TLScontext->kex_bits = EVP_PKEY_bits(dh_pkey); 935 break; 936 937 #ifndef OPENSSL_NO_EC 938 case EVP_PKEY_EC: 939 kex_name = "ECDHE"; 940 kex_curve = ec_curve_name(dh_pkey); 941 break; 942 #endif 943 } 944 EVP_PKEY_free(dh_pkey); 945 } 946 947 /* 948 * On the client end, the certificate may be preset, but not used, so we 949 * check via SSL_get_signature_nid(). This means that local signature 950 * data on clients requires at least 1.1.1a. 951 */ 952 if (srvr || SSL_get_signature_nid(ssl, &nid)) 953 local_cert = SSL_get_certificate(ssl); 954 else 955 local_cert = 0; 956 957 /* Signature algorithms for the local end of the connection */ 958 if (local_cert) { 959 local_pkey = X509_get0_pubkey(local_cert); 960 961 /* 962 * Override the built-in name for the "ECDSA" algorithms OID, with 963 * the more familiar name. For "RSA" keys report "RSA-PSS", which 964 * must be used with TLS 1.3. 965 */ 966 if ((nid = EVP_PKEY_type(EVP_PKEY_id(local_pkey))) != NID_undef) { 967 switch (nid) { 968 default: 969 locl_sig_name = OBJ_nid2sn(nid); 970 break; 971 972 case EVP_PKEY_RSA: 973 /* For RSA, TLS 1.3 mandates PSS signatures */ 974 locl_sig_name = "RSA-PSS"; 975 SIG_PROP(TLScontext, srvr, bits) = EVP_PKEY_bits(local_pkey); 976 break; 977 978 #ifndef OPENSSL_NO_EC 979 case EVP_PKEY_EC: 980 locl_sig_name = "ECDSA"; 981 locl_sig_curve = ec_curve_name(local_pkey); 982 break; 983 #endif 984 } 985 /* No X509_free(local_cert) */ 986 } 987 988 /* 989 * With Ed25519 and Ed448 there is no pre-signature digest, but the 990 * accessor does not fail, rather we get NID_undef. 991 */ 992 if (SSL_get_signature_nid(ssl, &nid) && nid != NID_undef) 993 locl_sig_dgst = OBJ_nid2sn(nid); 994 } 995 /* Signature algorithms for the peer end of the connection */ 996 if ((peer_cert = TLS_PEEK_PEER_CERT(ssl)) != 0) { 997 peer_pkey = X509_get0_pubkey(peer_cert); 998 999 /* 1000 * Override the built-in name for the "ECDSA" algorithms OID, with 1001 * the more familiar name. For "RSA" keys report "RSA-PSS", which 1002 * must be used with TLS 1.3. 1003 */ 1004 if ((nid = EVP_PKEY_type(EVP_PKEY_id(peer_pkey))) != NID_undef) { 1005 switch (nid) { 1006 default: 1007 peer_sig_name = OBJ_nid2sn(nid); 1008 break; 1009 1010 case EVP_PKEY_RSA: 1011 /* For RSA, TLS 1.3 mandates PSS signatures */ 1012 peer_sig_name = "RSA-PSS"; 1013 SIG_PROP(TLScontext, !srvr, bits) = EVP_PKEY_bits(peer_pkey); 1014 break; 1015 1016 #ifndef OPENSSL_NO_EC 1017 case EVP_PKEY_EC: 1018 peer_sig_name = "ECDSA"; 1019 peer_sig_curve = ec_curve_name(peer_pkey); 1020 break; 1021 #endif 1022 } 1023 } 1024 1025 /* 1026 * With Ed25519 and Ed448 there is no pre-signature digest, but the 1027 * accessor does not fail, rather we get NID_undef. 1028 */ 1029 if (SSL_get_peer_signature_nid(ssl, &nid) && nid != NID_undef) 1030 peer_sig_dgst = OBJ_nid2sn(nid); 1031 1032 TLS_FREE_PEER_CERT(peer_cert); 1033 } 1034 if (kex_name) { 1035 TLScontext->kex_name = mystrdup(kex_name); 1036 TLScontext->kex_curve = kex_curve; 1037 } 1038 if (locl_sig_name) { 1039 SIG_PROP(TLScontext, srvr, name) = mystrdup(locl_sig_name); 1040 SIG_PROP(TLScontext, srvr, curve) = locl_sig_curve; 1041 if (locl_sig_dgst) 1042 SIG_PROP(TLScontext, srvr, dgst) = mystrdup(locl_sig_dgst); 1043 } 1044 if (peer_sig_name) { 1045 SIG_PROP(TLScontext, !srvr, name) = mystrdup(peer_sig_name); 1046 SIG_PROP(TLScontext, !srvr, curve) = peer_sig_curve; 1047 if (peer_sig_dgst) 1048 SIG_PROP(TLScontext, !srvr, dgst) = mystrdup(peer_sig_dgst); 1049 } 1050 } 1051 1052 /* tls_log_summary - TLS loglevel 1 one-liner, embellished with TLS 1.3 details */ 1053 1054 void tls_log_summary(TLS_ROLE role, TLS_USAGE usage, TLS_SESS_STATE *ctx) 1055 { 1056 VSTRING *msg = vstring_alloc(100); 1057 const char *direction = (role == TLS_ROLE_CLIENT) ? "to" : "from"; 1058 const char *sni = (role == TLS_ROLE_CLIENT) ? 0 : ctx->peer_sni; 1059 1060 /* 1061 * When SNI was sent and accepted, the server-side log message now 1062 * includes a "to <sni-name>" detail after the "from <namaddr>" detail 1063 * identifying the remote client. We don't presently log (purportedly) 1064 * accepted SNI on the client side. 1065 */ 1066 vstring_sprintf(msg, "%s TLS connection %s %s %s%s%s: %s" 1067 " with cipher %s (%d/%d bits)", 1068 !TLS_CERT_IS_PRESENT(ctx) ? "Anonymous" : 1069 TLS_CERT_IS_SECURED(ctx) ? "Verified" : 1070 TLS_CERT_IS_TRUSTED(ctx) ? "Trusted" : "Untrusted", 1071 usage == TLS_USAGE_NEW ? "established" : "reused", 1072 direction, ctx->namaddr, sni ? " to " : "", sni ? sni : "", 1073 ctx->protocol, ctx->cipher_name, ctx->cipher_usebits, 1074 ctx->cipher_algbits); 1075 1076 if (ctx->kex_name && *ctx->kex_name) { 1077 vstring_sprintf_append(msg, " key-exchange %s", ctx->kex_name); 1078 if (ctx->kex_curve && *ctx->kex_curve) 1079 vstring_sprintf_append(msg, " (%s)", ctx->kex_curve); 1080 else if (ctx->kex_bits > 0) 1081 vstring_sprintf_append(msg, " (%d bits)", ctx->kex_bits); 1082 } 1083 if (ctx->srvr_sig_name && *ctx->srvr_sig_name) { 1084 vstring_sprintf_append(msg, " server-signature %s", 1085 ctx->srvr_sig_name); 1086 if (ctx->srvr_sig_curve && *ctx->srvr_sig_curve) 1087 vstring_sprintf_append(msg, " (%s)", ctx->srvr_sig_curve); 1088 else if (ctx->srvr_sig_bits > 0) 1089 vstring_sprintf_append(msg, " (%d bits)", ctx->srvr_sig_bits); 1090 if (ctx->srvr_sig_dgst && *ctx->srvr_sig_dgst) 1091 vstring_sprintf_append(msg, " server-digest %s", 1092 ctx->srvr_sig_dgst); 1093 } 1094 if (ctx->clnt_sig_name && *ctx->clnt_sig_name) { 1095 vstring_sprintf_append(msg, " client-signature %s", 1096 ctx->clnt_sig_name); 1097 if (ctx->clnt_sig_curve && *ctx->clnt_sig_curve) 1098 vstring_sprintf_append(msg, " (%s)", ctx->clnt_sig_curve); 1099 else if (ctx->clnt_sig_bits > 0) 1100 vstring_sprintf_append(msg, " (%d bits)", ctx->clnt_sig_bits); 1101 if (ctx->clnt_sig_dgst && *ctx->clnt_sig_dgst) 1102 vstring_sprintf_append(msg, " client-digest %s", 1103 ctx->clnt_sig_dgst); 1104 } 1105 msg_info("%s", vstring_str(msg)); 1106 vstring_free(msg); 1107 } 1108 1109 /* tls_alloc_app_context - allocate TLS application context */ 1110 1111 TLS_APPL_STATE *tls_alloc_app_context(SSL_CTX *ssl_ctx, SSL_CTX *sni_ctx, 1112 int log_mask) 1113 { 1114 TLS_APPL_STATE *app_ctx; 1115 1116 app_ctx = (TLS_APPL_STATE *) mymalloc(sizeof(*app_ctx)); 1117 1118 /* See portability note below with other memset() call. */ 1119 memset((void *) app_ctx, 0, sizeof(*app_ctx)); 1120 app_ctx->ssl_ctx = ssl_ctx; 1121 app_ctx->sni_ctx = sni_ctx; 1122 app_ctx->log_mask = log_mask; 1123 1124 /* See also: cache purging code in tls_set_ciphers(). */ 1125 app_ctx->cache_type = 0; 1126 1127 if (tls_server_sni_maps) { 1128 SSL_CTX_set_tlsext_servername_callback(ssl_ctx, server_sni_callback); 1129 SSL_CTX_set_tlsext_servername_arg(ssl_ctx, (void *) sni_ctx); 1130 } 1131 return (app_ctx); 1132 } 1133 1134 /* tls_free_app_context - Free TLS application context */ 1135 1136 void tls_free_app_context(TLS_APPL_STATE *app_ctx) 1137 { 1138 if (app_ctx->ssl_ctx) 1139 SSL_CTX_free(app_ctx->ssl_ctx); 1140 if (app_ctx->sni_ctx) 1141 SSL_CTX_free(app_ctx->sni_ctx); 1142 if (app_ctx->cache_type) 1143 myfree(app_ctx->cache_type); 1144 myfree((void *) app_ctx); 1145 } 1146 1147 /* tls_alloc_sess_context - allocate TLS session context */ 1148 1149 TLS_SESS_STATE *tls_alloc_sess_context(int log_mask, const char *namaddr) 1150 { 1151 TLS_SESS_STATE *TLScontext; 1152 1153 /* 1154 * PORTABILITY: Do not assume that null pointers are all-zero bits. Use 1155 * explicit assignments to initialize pointers. 1156 * 1157 * See the C language FAQ item 5.17, or if you have time to burn, 1158 * http://www.google.com/search?q=zero+bit+null+pointer 1159 * 1160 * However, it's OK to use memset() to zero integer values. 1161 */ 1162 TLScontext = (TLS_SESS_STATE *) mymalloc(sizeof(TLS_SESS_STATE)); 1163 memset((void *) TLScontext, 0, sizeof(*TLScontext)); 1164 TLScontext->con = 0; 1165 TLScontext->cache_type = 0; 1166 TLScontext->serverid = 0; 1167 TLScontext->peer_CN = 0; 1168 TLScontext->issuer_CN = 0; 1169 TLScontext->peer_sni = 0; 1170 TLScontext->peer_cert_fprint = 0; 1171 TLScontext->peer_pkey_fprint = 0; 1172 TLScontext->protocol = 0; 1173 TLScontext->cipher_name = 0; 1174 TLScontext->kex_name = 0; 1175 TLScontext->kex_curve = 0; 1176 TLScontext->clnt_sig_name = 0; 1177 TLScontext->clnt_sig_curve = 0; 1178 TLScontext->clnt_sig_dgst = 0; 1179 TLScontext->srvr_sig_name = 0; 1180 TLScontext->srvr_sig_curve = 0; 1181 TLScontext->srvr_sig_dgst = 0; 1182 TLScontext->log_mask = log_mask; 1183 TLScontext->namaddr = lowercase(mystrdup(namaddr)); 1184 TLScontext->mdalg = 0; /* Alias for props->mdalg */ 1185 TLScontext->dane = 0; /* Alias for props->dane */ 1186 TLScontext->errordepth = -1; 1187 TLScontext->errorcode = X509_V_OK; 1188 TLScontext->errorcert = 0; 1189 1190 return (TLScontext); 1191 } 1192 1193 /* tls_free_context - deallocate TLScontext and members */ 1194 1195 void tls_free_context(TLS_SESS_STATE *TLScontext) 1196 { 1197 1198 /* 1199 * Free the SSL structure and the BIOs. Warning: the internal_bio is 1200 * connected to the SSL structure and is automatically freed with it. Do 1201 * not free it again (core dump)!! Only free the network_bio. 1202 */ 1203 if (TLScontext->con != 0) 1204 SSL_free(TLScontext->con); 1205 1206 if (TLScontext->namaddr) 1207 myfree(TLScontext->namaddr); 1208 if (TLScontext->serverid) 1209 myfree(TLScontext->serverid); 1210 1211 if (TLScontext->peer_CN) 1212 myfree(TLScontext->peer_CN); 1213 if (TLScontext->issuer_CN) 1214 myfree(TLScontext->issuer_CN); 1215 if (TLScontext->peer_sni) 1216 myfree(TLScontext->peer_sni); 1217 if (TLScontext->peer_cert_fprint) 1218 myfree(TLScontext->peer_cert_fprint); 1219 if (TLScontext->peer_pkey_fprint) 1220 myfree(TLScontext->peer_pkey_fprint); 1221 if (TLScontext->kex_name) 1222 myfree((void *) TLScontext->kex_name); 1223 if (TLScontext->kex_curve) 1224 myfree((void *) TLScontext->kex_curve); 1225 if (TLScontext->clnt_sig_name) 1226 myfree((void *) TLScontext->clnt_sig_name); 1227 if (TLScontext->clnt_sig_curve) 1228 myfree((void *) TLScontext->clnt_sig_curve); 1229 if (TLScontext->clnt_sig_dgst) 1230 myfree((void *) TLScontext->clnt_sig_dgst); 1231 if (TLScontext->srvr_sig_name) 1232 myfree((void *) TLScontext->srvr_sig_name); 1233 if (TLScontext->srvr_sig_curve) 1234 myfree((void *) TLScontext->srvr_sig_curve); 1235 if (TLScontext->srvr_sig_dgst) 1236 myfree((void *) TLScontext->srvr_sig_dgst); 1237 if (TLScontext->errorcert) 1238 X509_free(TLScontext->errorcert); 1239 1240 myfree((void *) TLScontext); 1241 } 1242 1243 /* tls_version_split - Split OpenSSL version number into major, minor, ... */ 1244 1245 static void tls_version_split(unsigned long version, TLS_VINFO *info) 1246 { 1247 1248 /* 1249 * OPENSSL_VERSION_NUMBER(3): 1250 * 1251 * OPENSSL_VERSION_NUMBER is a numeric release version identifier: 1252 * 1253 * MMNNFFPPS: major minor fix patch status 1254 * 1255 * The status nibble has one of the values 0 for development, 1 to e for 1256 * betas 1 to 14, and f for release. Parsed OpenSSL version number. for 1257 * example: 0x1010103f == 1.1.1c. 1258 */ 1259 info->status = version & 0xf; 1260 version >>= 4; 1261 info->patch = version & 0xff; 1262 version >>= 8; 1263 info->micro = version & 0xff; 1264 version >>= 8; 1265 info->minor = version & 0xff; 1266 version >>= 8; 1267 info->major = version & 0xff; 1268 } 1269 1270 /* tls_check_version - Detect mismatch between headers and library. */ 1271 1272 void tls_check_version(void) 1273 { 1274 TLS_VINFO hdr_info; 1275 TLS_VINFO lib_info; 1276 1277 tls_version_split(OPENSSL_VERSION_NUMBER, &hdr_info); 1278 tls_version_split(OpenSSL_version_num(), &lib_info); 1279 1280 /* 1281 * Warn if run-time library is different from compile-time library, 1282 * allowing later run-time "micro" versions starting with 1.1.0. 1283 */ 1284 if (lib_info.major != hdr_info.major 1285 || lib_info.minor != hdr_info.minor 1286 || (lib_info.micro != hdr_info.micro 1287 && (lib_info.micro < hdr_info.micro 1288 || hdr_info.major == 0 1289 || (hdr_info.major == 1 && hdr_info.minor == 0)))) 1290 msg_warn("run-time library vs. compile-time header version mismatch: " 1291 "OpenSSL %d.%d.%d may not be compatible with OpenSSL %d.%d.%d", 1292 lib_info.major, lib_info.minor, lib_info.micro, 1293 hdr_info.major, hdr_info.minor, hdr_info.micro); 1294 } 1295 1296 /* tls_compile_version - compile-time OpenSSL version */ 1297 1298 const char *tls_compile_version(void) 1299 { 1300 return (OPENSSL_VERSION_TEXT); 1301 } 1302 1303 /* tls_run_version - run-time version "major.minor.micro" */ 1304 1305 const char *tls_run_version(void) 1306 { 1307 return (OpenSSL_version(OPENSSL_VERSION)); 1308 } 1309 1310 const char **tls_pkey_algorithms(void) 1311 { 1312 1313 /* 1314 * Return an array, not string, so that the result can be inspected 1315 * without parsing. Sort the result alphabetically, not chronologically. 1316 */ 1317 static const char *algs[] = { 1318 #ifndef OPENSSL_NO_DSA 1319 "dsa", 1320 #endif 1321 #ifndef OPENSSL_NO_ECDSA 1322 "ecdsa", 1323 #endif 1324 #ifndef OPENSSL_NO_RSA 1325 "rsa", 1326 #endif 1327 0, 1328 }; 1329 1330 return (algs); 1331 } 1332 1333 /* tls_bug_bits - SSL bug compatibility bits for this OpenSSL version */ 1334 1335 long tls_bug_bits(void) 1336 { 1337 long bits = SSL_OP_ALL; /* Work around all known bugs */ 1338 1339 /* 1340 * Silently ignore any strings that don't appear in the tweaks table, or 1341 * hex bits that are not in SSL_OP_ALL. 1342 */ 1343 if (*var_tls_bug_tweaks) { 1344 bits &= ~long_name_mask_opt(VAR_TLS_BUG_TWEAKS, ssl_bug_tweaks, 1345 var_tls_bug_tweaks, NAME_MASK_ANY_CASE | 1346 NAME_MASK_NUMBER | NAME_MASK_WARN); 1347 #ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG 1348 /* Not relevant to SMTP */ 1349 bits &= ~SSL_OP_SAFARI_ECDHE_ECDSA_BUG; 1350 #endif 1351 } 1352 1353 /* 1354 * Allow users to set options not in SSL_OP_ALL, and not already managed 1355 * via other Postfix parameters. 1356 */ 1357 if (*var_tls_ssl_options) { 1358 long enable; 1359 1360 enable = long_name_mask_opt(VAR_TLS_SSL_OPTIONS, ssl_op_tweaks, 1361 var_tls_ssl_options, NAME_MASK_ANY_CASE | 1362 NAME_MASK_NUMBER | NAME_MASK_WARN); 1363 enable &= ~(SSL_OP_ALL | TLS_SSL_OP_MANAGED_BITS); 1364 bits |= enable; 1365 } 1366 1367 /* 1368 * We unconditionally avoid re-use of ephemeral keys, note that we set DH 1369 * keys via a callback, so reuse was never possible, but the ECDH key is 1370 * set statically, so that is potentially subject to reuse. Set both 1371 * options just in case. 1372 */ 1373 bits |= SSL_OP_SINGLE_ECDH_USE | SSL_OP_SINGLE_DH_USE; 1374 return (bits); 1375 } 1376 1377 /* tls_print_errors - print and clear the error stack */ 1378 1379 void tls_print_errors(void) 1380 { 1381 unsigned long err; 1382 char buffer[1024]; /* XXX */ 1383 const char *file; 1384 const char *data; 1385 int line; 1386 int flags; 1387 1388 #if OPENSSL_VERSION_PREREQ(3,0) 1389 /* XXX: We're ignoring the function name, do we want to log it? */ 1390 #define ERRGET(fi, l, d, fl) ERR_get_error_all(fi, l, 0, d, fl) 1391 #else 1392 #define ERRGET(fi, l, d, fl) ERR_get_error_line_data(fi, l, d, fl) 1393 #endif 1394 1395 while ((err = ERRGET(&file, &line, &data, &flags)) != 0) { 1396 ERR_error_string_n(err, buffer, sizeof(buffer)); 1397 if (flags & ERR_TXT_STRING) 1398 msg_warn("TLS library problem: %s:%s:%d:%s:", 1399 buffer, file, line, data); 1400 else 1401 msg_warn("TLS library problem: %s:%s:%d:", buffer, file, line); 1402 } 1403 } 1404 1405 /* tls_info_callback - callback for logging SSL events via Postfix */ 1406 1407 void tls_info_callback(const SSL *s, int where, int ret) 1408 { 1409 char *str; 1410 int w; 1411 1412 /* Adapted from OpenSSL apps/s_cb.c. */ 1413 1414 w = where & ~SSL_ST_MASK; 1415 1416 if (w & SSL_ST_CONNECT) 1417 str = "SSL_connect"; 1418 else if (w & SSL_ST_ACCEPT) 1419 str = "SSL_accept"; 1420 else 1421 str = "unknown"; 1422 1423 if (where & SSL_CB_LOOP) { 1424 msg_info("%s:%s", str, SSL_state_string_long((SSL *) s)); 1425 } else if (where & SSL_CB_ALERT) { 1426 str = (where & SSL_CB_READ) ? "read" : "write"; 1427 if ((ret & 0xff) != SSL3_AD_CLOSE_NOTIFY) 1428 msg_info("SSL3 alert %s:%s:%s", str, 1429 SSL_alert_type_string_long(ret), 1430 SSL_alert_desc_string_long(ret)); 1431 } else if (where & SSL_CB_EXIT) { 1432 if (ret == 0) 1433 msg_info("%s:failed in %s", 1434 str, SSL_state_string_long((SSL *) s)); 1435 else if (ret < 0) { 1436 #ifndef LOG_NON_ERROR_STATES 1437 switch (SSL_get_error((SSL *) s, ret)) { 1438 case SSL_ERROR_WANT_READ: 1439 case SSL_ERROR_WANT_WRITE: 1440 /* Don't log non-error states. */ 1441 break; 1442 default: 1443 #endif 1444 msg_info("%s:error in %s", 1445 str, SSL_state_string_long((SSL *) s)); 1446 #ifndef LOG_NON_ERROR_STATES 1447 } 1448 #endif 1449 } 1450 } 1451 } 1452 1453 /* 1454 * taken from OpenSSL crypto/bio/b_dump.c. 1455 * 1456 * Modified to save a lot of strcpy and strcat by Matti Aarnio. 1457 * 1458 * Rewritten by Wietse to eliminate fixed-size stack buffer, array index 1459 * multiplication and division, sprintf() and strcpy(), and lots of strlen() 1460 * calls. We could make it a little faster by using a fixed-size stack-based 1461 * buffer. 1462 * 1463 * 200412 - use %lx to print pointers, after casting them to unsigned long. 1464 */ 1465 1466 #define TRUNCATE_SPACE_NULL 1467 #define DUMP_WIDTH 16 1468 #define VERT_SPLIT 7 1469 1470 static void tls_dump_buffer(const unsigned char *start, int len) 1471 { 1472 VSTRING *buf = vstring_alloc(100); 1473 const unsigned char *last = start + len - 1; 1474 const unsigned char *row; 1475 const unsigned char *col; 1476 int ch; 1477 1478 #ifdef TRUNCATE_SPACE_NULL 1479 while (last >= start && (*last == ' ' || *last == 0)) 1480 last--; 1481 #endif 1482 1483 for (row = start; row <= last; row += DUMP_WIDTH) { 1484 VSTRING_RESET(buf); 1485 vstring_sprintf(buf, "%04lx ", (unsigned long) (row - start)); 1486 for (col = row; col < row + DUMP_WIDTH; col++) { 1487 if (col > last) { 1488 vstring_strcat(buf, " "); 1489 } else { 1490 ch = *col; 1491 vstring_sprintf_append(buf, "%02x%c", 1492 ch, col - row == VERT_SPLIT ? '|' : ' '); 1493 } 1494 } 1495 VSTRING_ADDCH(buf, ' '); 1496 for (col = row; col < row + DUMP_WIDTH; col++) { 1497 if (col > last) 1498 break; 1499 ch = *col; 1500 if (!ISPRINT(ch)) 1501 ch = '.'; 1502 VSTRING_ADDCH(buf, ch); 1503 if (col - row == VERT_SPLIT) 1504 VSTRING_ADDCH(buf, ' '); 1505 } 1506 VSTRING_TERMINATE(buf); 1507 msg_info("%s", vstring_str(buf)); 1508 } 1509 #ifdef TRUNCATE_SPACE_NULL 1510 if ((last + 1) - start < len) 1511 msg_info("%04lx - <SPACES/NULLS>", 1512 (unsigned long) ((last + 1) - start)); 1513 #endif 1514 vstring_free(buf); 1515 } 1516 1517 /* taken from OpenSSL apps/s_cb.c */ 1518 1519 #if !OPENSSL_VERSION_PREREQ(3,0) 1520 long tls_bio_dump_cb(BIO *bio, int cmd, const char *argp, int argi, 1521 long unused_argl, long ret) 1522 { 1523 if (cmd == (BIO_CB_READ | BIO_CB_RETURN)) { 1524 msg_info("read from %08lX [%08lX] (%d bytes => %ld (0x%lX))", 1525 (unsigned long) bio, (unsigned long) argp, argi, 1526 ret, (unsigned long) ret); 1527 tls_dump_buffer((unsigned char *) argp, (int) ret); 1528 } else if (cmd == (BIO_CB_WRITE | BIO_CB_RETURN)) { 1529 msg_info("write to %08lX [%08lX] (%d bytes => %ld (0x%lX))", 1530 (unsigned long) bio, (unsigned long) argp, argi, 1531 ret, (unsigned long) ret); 1532 tls_dump_buffer((unsigned char *) argp, (int) ret); 1533 } 1534 return (ret); 1535 } 1536 1537 #else 1538 long tls_bio_dump_cb(BIO *bio, int cmd, const char *argp, size_t len, 1539 int argi, long unused_argl, int ret, size_t *processed) 1540 { 1541 size_t bytes = (ret > 0 && processed != NULL) ? *processed : len; 1542 1543 if (cmd == (BIO_CB_READ | BIO_CB_RETURN)) { 1544 if (ret > 0) { 1545 msg_info("read from %08lX [%08lX] (%ld bytes => %ld (0x%lX))", 1546 (unsigned long) bio, (unsigned long) argp, (long) len, 1547 (long) bytes, (long) bytes); 1548 tls_dump_buffer((unsigned char *) argp, (int) bytes); 1549 } else { 1550 msg_info("read from %08lX [%08lX] (%ld bytes => %d)", 1551 (unsigned long) bio, (unsigned long) argp, 1552 (long) len, ret); 1553 } 1554 } else if (cmd == (BIO_CB_WRITE | BIO_CB_RETURN)) { 1555 if (ret > 0) { 1556 msg_info("write to %08lX [%08lX] (%ld bytes => %ld (0x%lX))", 1557 (unsigned long) bio, (unsigned long) argp, (long) len, 1558 (long) bytes, (long) bytes); 1559 tls_dump_buffer((unsigned char *) argp, (int) bytes); 1560 } else { 1561 msg_info("write to %08lX [%08lX] (%ld bytes => %d)", 1562 (unsigned long) bio, (unsigned long) argp, 1563 (long) len, ret); 1564 } 1565 } 1566 return ret; 1567 } 1568 1569 #endif 1570 1571 const EVP_MD *tls_validate_digest(const char *dgst) 1572 { 1573 const EVP_MD *md_alg; 1574 unsigned int md_len; 1575 1576 /* 1577 * If the administrator specifies an unsupported digest algorithm, fail 1578 * now, rather than in the middle of a TLS handshake. 1579 */ 1580 if ((md_alg = EVP_get_digestbyname(dgst)) == 0) { 1581 msg_warn("Digest algorithm \"%s\" not found", dgst); 1582 return (0); 1583 } 1584 1585 /* 1586 * Sanity check: Newer shared libraries may use larger digests. 1587 */ 1588 if ((md_len = EVP_MD_size(md_alg)) > EVP_MAX_MD_SIZE) { 1589 msg_warn("Digest algorithm \"%s\" output size %u too large", 1590 dgst, md_len); 1591 return (0); 1592 } 1593 return md_alg; 1594 } 1595 1596 #else 1597 1598 /* 1599 * Broken linker workaround. 1600 */ 1601 int tls_dummy_for_broken_linkers; 1602 1603 #endif 1604