1 /* $NetBSD: tls_misc.c,v 1.1.1.9 2014/07/06 19:27:54 tron Exp $ */ 2 3 /*++ 4 /* NAME 5 /* tls_misc 3 6 /* SUMMARY 7 /* miscellaneous TLS support routines 8 /* SYNOPSIS 9 /* #define TLS_INTERNAL 10 /* #include <tls.h> 11 /* 12 /* char *var_tls_high_clist; 13 /* char *var_tls_medium_clist; 14 /* char *var_tls_low_clist; 15 /* char *var_tls_export_clist; 16 /* char *var_tls_null_clist; 17 /* char *var_tls_eecdh_strong; 18 /* char *var_tls_eecdh_ultra; 19 /* char *var_tls_dane_agility; 20 /* char *var_tls_dane_digests; 21 /* int var_tls_daemon_rand_bytes; 22 /* bool var_tls_append_def_CA; 23 /* bool var_tls_dane_taa_dgst; 24 /* bool var_tls_preempt_clist; 25 /* bool var_tls_bc_pkey_fprint; 26 /* bool var_tls_multi_wildcard; 27 /* char *var_tls_mgr_service; 28 /* 29 /* TLS_APPL_STATE *tls_alloc_app_context(ssl_ctx, log_mask) 30 /* SSL_CTX *ssl_ctx; 31 /* int log_mask; 32 /* 33 /* void tls_free_app_context(app_ctx) 34 /* void *app_ctx; 35 /* 36 /* TLS_SESS_STATE *tls_alloc_sess_context(log_mask, namaddr) 37 /* int log_mask; 38 /* const char *namaddr; 39 /* 40 /* void tls_free_context(TLScontext) 41 /* TLS_SESS_STATE *TLScontext; 42 /* 43 /* void tls_check_version() 44 /* 45 /* long tls_bug_bits() 46 /* 47 /* void tls_param_init() 48 /* 49 /* int tls_protocol_mask(plist) 50 /* const char *plist; 51 /* 52 /* int tls_cipher_grade(name) 53 /* const char *name; 54 /* 55 /* const char *str_tls_cipher_grade(grade) 56 /* int grade; 57 /* 58 /* const char *tls_set_ciphers(app_ctx, context, grade, exclusions) 59 /* TLS_APPL_STATE *app_ctx; 60 /* const char *context; 61 /* int grade; 62 /* const char *exclusions; 63 /* 64 /* void tls_print_errors() 65 /* 66 /* void tls_info_callback(ssl, where, ret) 67 /* const SSL *ssl; /* unused */ 68 /* int where; 69 /* int ret; 70 /* 71 /* long tls_bio_dump_cb(bio, cmd, argp, argi, argl, ret) 72 /* BIO *bio; 73 /* int cmd; 74 /* const char *argp; 75 /* int argi; 76 /* long argl; /* unused */ 77 /* long ret; 78 /* 79 /* int tls_log_mask(log_param, log_level) 80 /* const char *log_param; 81 /* const char *log_level; 82 /* 83 /* void tls_update_app_logmask(app_ctx, log_mask) 84 /* TLS_APPL_STATE *app_ctx; 85 /* int log_mask; 86 /* 87 /* int tls_validate_digest(dgst) 88 /* const char *dgst; 89 /* DESCRIPTION 90 /* This module implements routines that support the TLS client 91 /* and server internals. 92 /* 93 /* tls_alloc_app_context() creates an application context that 94 /* holds the SSL context for the application and related cached state. 95 /* 96 /* tls_free_app_context() deallocates the application context and its 97 /* contents (the application context is stored outside the TLS library). 98 /* 99 /* tls_alloc_sess_context() creates an initialized TLS session context 100 /* structure with the specified log mask and peer name[addr]. 101 /* 102 /* tls_free_context() destroys a TLScontext structure 103 /* together with OpenSSL structures that are attached to it. 104 /* 105 /* tls_check_version() logs a warning when the run-time OpenSSL 106 /* library differs in its major, minor or micro number from 107 /* the compile-time OpenSSL headers. 108 /* 109 /* tls_bug_bits() returns the bug compatibility mask appropriate 110 /* for the run-time library. Some of the bug work-arounds are 111 /* not appropriate for some library versions. 112 /* 113 /* tls_param_init() loads main.cf parameters used internally in 114 /* TLS library. Any errors are fatal. 115 /* 116 /* tls_protocol_mask() returns a bitmask of excluded protocols, given 117 /* a list (plist) of protocols to include or (preceded by a '!') exclude. 118 /* If "plist" contains invalid protocol names, TLS_PROTOCOL_INVALID is 119 /* returned and no warning is logged. 120 /* 121 /* tls_cipher_grade() converts a case-insensitive cipher grade 122 /* name (high, medium, low, export, null) to the corresponding 123 /* TLS_CIPHER_ constant. When the input specifies an unrecognized 124 /* grade, tls_cipher_grade() logs no warning, and returns 125 /* TLS_CIPHER_NONE. 126 /* 127 /* str_tls_cipher_grade() converts a cipher grade to a name. 128 /* When the input specifies an undefined grade, str_tls_cipher_grade() 129 /* logs no warning, returns a null pointer. 130 /* 131 /* tls_set_ciphers() generates a cipher list from the specified 132 /* grade, minus any ciphers specified via a list of exclusions. 133 /* The cipherlist is applied to the supplied SSL context if it 134 /* is different from the most recently applied value. The return 135 /* value is the cipherlist used and is overwritten upon each call. 136 /* When the input is invalid, tls_set_ciphers() logs a warning with 137 /* the specified context, and returns a null pointer result. 138 /* 139 /* tls_print_errors() queries the OpenSSL error stack, 140 /* logs the error messages, and clears the error stack. 141 /* 142 /* tls_info_callback() is a call-back routine for the 143 /* SSL_CTX_set_info_callback() routine. It logs SSL events 144 /* to the Postfix logfile. 145 /* 146 /* tls_bio_dump_cb() is a call-back routine for the 147 /* BIO_set_callback() routine. It logs SSL content to the 148 /* Postfix logfile. 149 /* 150 /* tls_log_mask() converts a TLS log_level value from string 151 /* to mask. The main.cf parameter name is passed along for 152 /* diagnostics. 153 /* 154 /* tls_update_app_logmask() changes the log mask of the 155 /* application TLS context to the new setting. 156 /* 157 /* tls_validate_digest() returns non-zero if the named digest 158 /* is usable and zero otherwise. 159 /* LICENSE 160 /* .ad 161 /* .fi 162 /* This software is free. You can do with it whatever you want. 163 /* The original author kindly requests that you acknowledge 164 /* the use of his software. 165 /* AUTHOR(S) 166 /* Originally written by: 167 /* Lutz Jaenicke 168 /* BTU Cottbus 169 /* Allgemeine Elektrotechnik 170 /* Universitaetsplatz 3-4 171 /* D-03044 Cottbus, Germany 172 /* 173 /* Updated by: 174 /* Wietse Venema 175 /* IBM T.J. Watson Research 176 /* P.O. Box 704 177 /* Yorktown Heights, NY 10598, USA 178 /* 179 /* Victor Duchovni 180 /* Morgan Stanley 181 /*--*/ 182 183 /* System library. */ 184 185 #include <sys_defs.h> 186 #include <ctype.h> 187 #include <string.h> 188 189 #ifdef USE_TLS 190 191 /* Utility library. */ 192 193 #include <vstream.h> 194 #include <msg.h> 195 #include <mymalloc.h> 196 #include <vstring.h> 197 #include <stringops.h> 198 #include <argv.h> 199 #include <name_mask.h> 200 #include <name_code.h> 201 202 /* 203 * Global library. 204 */ 205 #include <mail_params.h> 206 #include <mail_conf.h> 207 208 /* 209 * TLS library. 210 */ 211 #define TLS_INTERNAL 212 #include <tls.h> 213 214 /* Application-specific. */ 215 216 /* 217 * Tunable parameters. 218 */ 219 char *var_tls_high_clist; 220 char *var_tls_medium_clist; 221 char *var_tls_low_clist; 222 char *var_tls_export_clist; 223 char *var_tls_null_clist; 224 int var_tls_daemon_rand_bytes; 225 char *var_tls_eecdh_strong; 226 char *var_tls_eecdh_ultra; 227 char *var_tls_dane_agility; 228 char *var_tls_dane_digests; 229 bool var_tls_append_def_CA; 230 char *var_tls_bug_tweaks; 231 char *var_tls_ssl_options; 232 bool var_tls_bc_pkey_fprint; 233 bool var_tls_dane_taa_dgst; 234 bool var_tls_multi_wildcard; 235 char *var_tls_mgr_service; 236 237 #ifdef VAR_TLS_PREEMPT_CLIST 238 bool var_tls_preempt_clist; 239 240 #endif 241 242 /* 243 * Index to attach TLScontext pointers to SSL objects, so that they can be 244 * accessed by call-back routines. 245 */ 246 int TLScontext_index = -1; 247 248 /* 249 * Protocol name <=> mask conversion. 250 */ 251 static const NAME_CODE protocol_table[] = { 252 SSL_TXT_SSLV2, TLS_PROTOCOL_SSLv2, 253 SSL_TXT_SSLV3, TLS_PROTOCOL_SSLv3, 254 SSL_TXT_TLSV1, TLS_PROTOCOL_TLSv1, 255 #ifdef SSL_TXT_TLSV1_1 256 SSL_TXT_TLSV1_1, TLS_PROTOCOL_TLSv1_1, 257 #endif 258 #ifdef SSL_TXT_TLSV1_2 259 SSL_TXT_TLSV1_2, TLS_PROTOCOL_TLSv1_2, 260 #endif 261 0, TLS_PROTOCOL_INVALID, 262 }; 263 264 /* 265 * SSL_OP_MUMBLE bug work-around name <=> mask conversion. 266 */ 267 #define NAMEBUG(x) #x, SSL_OP_##x 268 static const LONG_NAME_MASK ssl_bug_tweaks[] = { 269 270 #ifndef SSL_OP_MICROSOFT_SESS_ID_BUG 271 #define SSL_OP_MICROSOFT_SESS_ID_BUG 0 272 #endif 273 NAMEBUG(MICROSOFT_SESS_ID_BUG), 274 275 #ifndef SSL_OP_NETSCAPE_CHALLENGE_BUG 276 #define SSL_OP_NETSCAPE_CHALLENGE_BUG 0 277 #endif 278 NAMEBUG(NETSCAPE_CHALLENGE_BUG), 279 280 #ifndef SSL_OP_LEGACY_SERVER_CONNECT 281 #define SSL_OP_LEGACY_SERVER_CONNECT 0 282 #endif 283 NAMEBUG(LEGACY_SERVER_CONNECT), 284 285 #ifndef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 286 #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0 287 #endif 288 NAMEBUG(NETSCAPE_REUSE_CIPHER_CHANGE_BUG), 289 "CVE-2010-4180", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG, 290 291 #ifndef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 292 #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0 293 #endif 294 NAMEBUG(SSLREF2_REUSE_CERT_TYPE_BUG), 295 296 #ifndef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 297 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0 298 #endif 299 NAMEBUG(MICROSOFT_BIG_SSLV3_BUFFER), 300 301 #ifndef SSL_OP_MSIE_SSLV2_RSA_PADDING 302 #define SSL_OP_MSIE_SSLV2_RSA_PADDING 0 303 #endif 304 NAMEBUG(MSIE_SSLV2_RSA_PADDING), 305 "CVE-2005-2969", SSL_OP_MSIE_SSLV2_RSA_PADDING, 306 307 #ifndef SSL_OP_SSLEAY_080_CLIENT_DH_BUG 308 #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0 309 #endif 310 NAMEBUG(SSLEAY_080_CLIENT_DH_BUG), 311 312 #ifndef SSL_OP_TLS_D5_BUG 313 #define SSL_OP_TLS_D5_BUG 0 314 #endif 315 NAMEBUG(TLS_D5_BUG), 316 317 #ifndef SSL_OP_TLS_BLOCK_PADDING_BUG 318 #define SSL_OP_TLS_BLOCK_PADDING_BUG 0 319 #endif 320 NAMEBUG(TLS_BLOCK_PADDING_BUG), 321 322 #ifndef SSL_OP_TLS_ROLLBACK_BUG 323 #define SSL_OP_TLS_ROLLBACK_BUG 0 324 #endif 325 NAMEBUG(TLS_ROLLBACK_BUG), 326 327 #ifndef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 328 #define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0 329 #endif 330 NAMEBUG(DONT_INSERT_EMPTY_FRAGMENTS), 331 332 #ifndef SSL_OP_CRYPTOPRO_TLSEXT_BUG 333 #define SSL_OP_CRYPTOPRO_TLSEXT_BUG 0 334 #endif 335 NAMEBUG(CRYPTOPRO_TLSEXT_BUG), 336 0, 0, 337 }; 338 339 /* 340 * SSL_OP_MUMBLE option name <=> mask conversion for options that are not 341 * (or may in the future not be) in SSL_OP_ALL. These enable optional 342 * behavior, rather than bug interoperability work-arounds. 343 */ 344 #define NAME_SSL_OP(x) #x, SSL_OP_##x 345 static const LONG_NAME_MASK ssl_op_tweaks[] = { 346 347 #ifndef SSL_OP_LEGACY_SERVER_CONNECT 348 #define SSL_OP_LEGACY_SERVER_CONNECT 0 349 #endif 350 NAME_SSL_OP(LEGACY_SERVER_CONNECT), 351 352 #ifndef SSL_OP_NO_TICKET 353 #define SSL_OP_NO_TICKET 0 354 #endif 355 NAME_SSL_OP(NO_TICKET), 356 357 #ifndef SSL_OP_NO_COMPRESSION 358 #define SSL_OP_NO_COMPRESSION 0 359 #endif 360 NAME_SSL_OP(NO_COMPRESSION), 361 0, 0, 362 }; 363 364 /* 365 * Ciphersuite name <=> code conversion. 366 */ 367 const NAME_CODE tls_cipher_grade_table[] = { 368 "high", TLS_CIPHER_HIGH, 369 "medium", TLS_CIPHER_MEDIUM, 370 "low", TLS_CIPHER_LOW, 371 "export", TLS_CIPHER_EXPORT, 372 "null", TLS_CIPHER_NULL, 373 "invalid", TLS_CIPHER_NONE, 374 0, TLS_CIPHER_NONE, 375 }; 376 377 /* 378 * Log keyword <=> mask conversion. 379 */ 380 #define TLS_LOG_0 TLS_LOG_NONE 381 #define TLS_LOG_1 TLS_LOG_SUMMARY 382 #define TLS_LOG_2 (TLS_LOG_1 | TLS_LOG_VERBOSE | TLS_LOG_CACHE | TLS_LOG_DEBUG) 383 #define TLS_LOG_3 (TLS_LOG_2 | TLS_LOG_TLSPKTS) 384 #define TLS_LOG_4 (TLS_LOG_3 | TLS_LOG_ALLPKTS) 385 386 static const NAME_MASK tls_log_table[] = { 387 "0", TLS_LOG_0, 388 "none", TLS_LOG_NONE, 389 "1", TLS_LOG_1, 390 "routine", TLS_LOG_1, 391 "2", TLS_LOG_2, 392 "debug", TLS_LOG_2, 393 "3", TLS_LOG_3, 394 "ssl-expert", TLS_LOG_3, 395 "4", TLS_LOG_4, 396 "ssl-developer", TLS_LOG_4, 397 "5", TLS_LOG_4, /* for good measure */ 398 "6", TLS_LOG_4, /* for good measure */ 399 "7", TLS_LOG_4, /* for good measure */ 400 "8", TLS_LOG_4, /* for good measure */ 401 "9", TLS_LOG_4, /* for good measure */ 402 "summary", TLS_LOG_SUMMARY, 403 "untrusted", TLS_LOG_UNTRUSTED, 404 "peercert", TLS_LOG_PEERCERT, 405 "certmatch", TLS_LOG_CERTMATCH, 406 "verbose", TLS_LOG_VERBOSE, /* Postfix TLS library verbose */ 407 "cache", TLS_LOG_CACHE, 408 "ssl-debug", TLS_LOG_DEBUG, /* SSL library debug/verbose */ 409 "ssl-handshake-packet-dump", TLS_LOG_TLSPKTS, 410 "ssl-session-packet-dump", TLS_LOG_TLSPKTS | TLS_LOG_ALLPKTS, 411 0, 0, 412 }; 413 414 /* 415 * Parsed OpenSSL version number. 416 */ 417 typedef struct { 418 int major; 419 int minor; 420 int micro; 421 int patch; 422 int status; 423 } TLS_VINFO; 424 425 /* 426 * OpenSSL adopted the cipher selection patch, so we don't expect any more 427 * broken ciphers other than AES and CAMELLIA. 428 */ 429 typedef struct { 430 const char *ssl_name; 431 const int alg_bits; 432 const char *evp_name; 433 } cipher_probe_t; 434 435 static const cipher_probe_t cipher_probes[] = { 436 "AES", 256, "AES-256-CBC", 437 "CAMELLIA", 256, "CAMELLIA-256-CBC", 438 0, 0, 0, 439 }; 440 441 /* tls_log_mask - Convert user TLS loglevel to internal log feature mask */ 442 443 int tls_log_mask(const char *log_param, const char *log_level) 444 { 445 int mask; 446 447 mask = name_mask_opt(log_param, tls_log_table, log_level, 448 NAME_MASK_ANY_CASE | NAME_MASK_RETURN); 449 return (mask); 450 } 451 452 /* tls_update_app_logmask - update log level after init */ 453 454 void tls_update_app_logmask(TLS_APPL_STATE *app_ctx, int log_mask) 455 { 456 app_ctx->log_mask = log_mask; 457 } 458 459 /* tls_exclude_missing - Append exclusions for missing ciphers */ 460 461 static const char *tls_exclude_missing(SSL_CTX *ctx, VSTRING *buf) 462 { 463 const char *myname = "tls_exclude_missing"; 464 static ARGV *exclude; /* Cached */ 465 SSL *s = 0; 466 ssl_cipher_stack_t *ciphers; 467 SSL_CIPHER *c; 468 const cipher_probe_t *probe; 469 int alg_bits; 470 int num; 471 int i; 472 473 /* 474 * Process a list of probes which specify: 475 * 476 * An SSL cipher-suite name for a family of ciphers that use the same 477 * symmetric algorithm at two or more key sizes, typically 128/256 bits. 478 * 479 * The key size (typically 256) that OpenSSL fails to check, and assumes 480 * available when another key size (typically 128) is usable. 481 * 482 * The OpenSSL name of the symmetric algorithm associated with the SSL 483 * cipher-suite. Typically, this is MUMBLE-256-CBC, where "MUMBLE" is the 484 * name of the SSL cipher-suite that use the MUMBLE symmetric algorithm. 485 * On systems that support the required encryption algorithm, the name is 486 * listed in the output of "openssl list-cipher-algorithms". 487 * 488 * When an encryption algorithm is not available at the given key size but 489 * the corresponding OpenSSL cipher-suite contains ciphers that have have 490 * this key size, the problem ciphers are explicitly disabled in Postfix. 491 * The list is cached in the static "exclude" array. 492 */ 493 if (exclude == 0) { 494 exclude = argv_alloc(1); 495 496 /* 497 * Iterate over the probe list 498 */ 499 for (probe = cipher_probes; probe->ssl_name; ++probe) { 500 /* No exclusions if evp_name is a valid algorithm */ 501 if (EVP_get_cipherbyname(probe->evp_name)) 502 continue; 503 504 /* 505 * Sadly there is no SSL_CTX_get_ciphers() interface, so we are 506 * forced to allocate and free an SSL object. Fatal error if we 507 * can't allocate the SSL object. 508 */ 509 ERR_clear_error(); 510 if (s == 0 && (s = SSL_new(ctx)) == 0) { 511 tls_print_errors(); 512 msg_fatal("%s: error allocating SSL object", myname); 513 } 514 515 /* 516 * Cipher is not supported by libcrypto, nothing to do if also 517 * not supported by libssl. Flush the OpenSSL error stack. 518 * 519 * XXX: There may be additional places in pre-existing code where 520 * SSL errors are generated and ignored, that require a similar 521 * "flush". Better yet, is to always flush before calls that run 522 * tls_print_errors() on failure. 523 * 524 * Contrary to documentation, on SunOS 5.10 SSL_set_cipher_list() 525 * returns success with no ciphers selected, when this happens 526 * SSL_get_ciphers() produces a stack with 0 elements! 527 */ 528 if (SSL_set_cipher_list(s, probe->ssl_name) == 0 529 || (ciphers = SSL_get_ciphers(s)) == 0 530 || (num = sk_SSL_CIPHER_num(ciphers)) == 0) { 531 ERR_clear_error(); /* flush any generated errors */ 532 continue; 533 } 534 for (i = 0; i < num; ++i) { 535 c = sk_SSL_CIPHER_value(ciphers, i); 536 (void) SSL_CIPHER_get_bits(c, &alg_bits); 537 if (alg_bits == probe->alg_bits) 538 argv_add(exclude, SSL_CIPHER_get_name(c), ARGV_END); 539 } 540 } 541 if (s != 0) 542 SSL_free(s); 543 } 544 for (i = 0; i < exclude->argc; ++i) 545 vstring_sprintf_append(buf, ":!%s", exclude->argv[i]); 546 return (vstring_str(buf)); 547 } 548 549 /* tls_apply_cipher_list - update SSL_CTX cipher list */ 550 551 static const char *tls_apply_cipher_list(TLS_APPL_STATE *app_ctx, 552 const char *context, VSTRING *spec) 553 { 554 const char *new = tls_exclude_missing(app_ctx->ssl_ctx, spec); 555 556 ERR_clear_error(); 557 if (SSL_CTX_set_cipher_list(app_ctx->ssl_ctx, new) == 0) { 558 tls_print_errors(); 559 vstring_sprintf(app_ctx->why, "invalid %s cipher list: \"%s\"", 560 context, new); 561 return (0); 562 } 563 return (new); 564 } 565 566 /* tls_protocol_mask - Bitmask of protocols to exclude */ 567 568 int tls_protocol_mask(const char *plist) 569 { 570 char *save; 571 char *tok; 572 char *cp; 573 int code; 574 int exclude = 0; 575 int include = 0; 576 577 #define FREE_AND_RETURN(ptr, res) do { \ 578 myfree(ptr); \ 579 return (res); \ 580 } while (0) 581 582 save = cp = mystrdup(plist); 583 while ((tok = mystrtok(&cp, "\t\n\r ,:")) != 0) { 584 if (*tok == '!') 585 exclude |= code = 586 name_code(protocol_table, NAME_CODE_FLAG_NONE, ++tok); 587 else 588 include |= code = 589 name_code(protocol_table, NAME_CODE_FLAG_NONE, tok); 590 if (code == TLS_PROTOCOL_INVALID) 591 FREE_AND_RETURN(save, TLS_PROTOCOL_INVALID); 592 } 593 594 /* 595 * When the include list is empty, use only the explicit exclusions. 596 * Otherwise, also exclude the complement of the include list from the 597 * built-in list of known protocols. There is no way to exclude protocols 598 * we don't know about at compile time, and this is unavoidable because 599 * the OpenSSL API works with compile-time *exclusion* bit-masks. 600 */ 601 FREE_AND_RETURN(save, 602 (include ? (exclude | (TLS_KNOWN_PROTOCOLS & ~include)) : exclude)); 603 } 604 605 /* tls_param_init - Load TLS related config parameters */ 606 607 void tls_param_init(void) 608 { 609 static const CONFIG_STR_TABLE str_table[] = { 610 VAR_TLS_HIGH_CLIST, DEF_TLS_HIGH_CLIST, &var_tls_high_clist, 1, 0, 611 VAR_TLS_MEDIUM_CLIST, DEF_TLS_MEDIUM_CLIST, &var_tls_medium_clist, 1, 0, 612 VAR_TLS_LOW_CLIST, DEF_TLS_LOW_CLIST, &var_tls_low_clist, 1, 0, 613 VAR_TLS_EXPORT_CLIST, DEF_TLS_EXPORT_CLIST, &var_tls_export_clist, 1, 0, 614 VAR_TLS_NULL_CLIST, DEF_TLS_NULL_CLIST, &var_tls_null_clist, 1, 0, 615 VAR_TLS_EECDH_STRONG, DEF_TLS_EECDH_STRONG, &var_tls_eecdh_strong, 1, 0, 616 VAR_TLS_EECDH_ULTRA, DEF_TLS_EECDH_ULTRA, &var_tls_eecdh_ultra, 1, 0, 617 VAR_TLS_BUG_TWEAKS, DEF_TLS_BUG_TWEAKS, &var_tls_bug_tweaks, 0, 0, 618 VAR_TLS_SSL_OPTIONS, DEF_TLS_SSL_OPTIONS, &var_tls_ssl_options, 0, 0, 619 VAR_TLS_DANE_AGILITY, DEF_TLS_DANE_AGILITY, &var_tls_dane_agility, 1, 0, 620 VAR_TLS_DANE_DIGESTS, DEF_TLS_DANE_DIGESTS, &var_tls_dane_digests, 1, 0, 621 VAR_TLS_MGR_SERVICE, DEF_TLS_MGR_SERVICE, &var_tls_mgr_service, 1, 0, 622 0, 623 }; 624 static const CONFIG_INT_TABLE int_table[] = { 625 VAR_TLS_DAEMON_RAND_BYTES, DEF_TLS_DAEMON_RAND_BYTES, &var_tls_daemon_rand_bytes, 1, 0, 626 0, 627 }; 628 static const CONFIG_BOOL_TABLE bool_table[] = { 629 VAR_TLS_APPEND_DEF_CA, DEF_TLS_APPEND_DEF_CA, &var_tls_append_def_CA, 630 VAR_TLS_BC_PKEY_FPRINT, DEF_TLS_BC_PKEY_FPRINT, &var_tls_bc_pkey_fprint, 631 VAR_TLS_DANE_TAA_DGST, DEF_TLS_DANE_TAA_DGST, &var_tls_dane_taa_dgst, 632 VAR_TLS_PREEMPT_CLIST, DEF_TLS_PREEMPT_CLIST, &var_tls_preempt_clist, 633 VAR_TLS_MULTI_WILDCARD, DEF_TLS_MULTI_WILDCARD, &var_tls_multi_wildcard, 634 0, 635 }; 636 static int init_done; 637 638 if (init_done) 639 return; 640 init_done = 1; 641 642 get_mail_conf_str_table(str_table); 643 get_mail_conf_int_table(int_table); 644 get_mail_conf_bool_table(bool_table); 645 } 646 647 /* tls_set_ciphers - Set SSL context cipher list */ 648 649 const char *tls_set_ciphers(TLS_APPL_STATE *app_ctx, const char *context, 650 const char *grade, const char *exclusions) 651 { 652 const char *myname = "tls_set_ciphers"; 653 static VSTRING *buf; 654 int new_grade; 655 char *save; 656 char *cp; 657 char *tok; 658 const char *new_list; 659 660 new_grade = tls_cipher_grade(grade); 661 if (new_grade == TLS_CIPHER_NONE) { 662 vstring_sprintf(app_ctx->why, "invalid %s cipher grade: \"%s\"", 663 context, grade); 664 return (0); 665 } 666 if (buf == 0) 667 buf = vstring_alloc(10); 668 VSTRING_RESET(buf); 669 670 /* 671 * Given cached state and identical input, we return the same result. 672 */ 673 if (app_ctx->cipher_list) { 674 if (new_grade == app_ctx->cipher_grade 675 && strcmp(app_ctx->cipher_exclusions, exclusions) == 0) 676 return (app_ctx->cipher_list); 677 678 /* Change required, flush cached state */ 679 app_ctx->cipher_grade = TLS_CIPHER_NONE; 680 681 myfree(app_ctx->cipher_exclusions); 682 app_ctx->cipher_exclusions = 0; 683 684 myfree(app_ctx->cipher_list); 685 app_ctx->cipher_list = 0; 686 } 687 switch (new_grade) { 688 case TLS_CIPHER_HIGH: 689 vstring_strcpy(buf, var_tls_high_clist); 690 break; 691 case TLS_CIPHER_MEDIUM: 692 vstring_strcpy(buf, var_tls_medium_clist); 693 break; 694 case TLS_CIPHER_LOW: 695 vstring_strcpy(buf, var_tls_low_clist); 696 break; 697 case TLS_CIPHER_EXPORT: 698 vstring_strcpy(buf, var_tls_export_clist); 699 break; 700 case TLS_CIPHER_NULL: 701 vstring_strcpy(buf, var_tls_null_clist); 702 break; 703 default: 704 705 /* 706 * The caller MUST provide a valid cipher grade 707 */ 708 msg_panic("invalid %s cipher grade: %d", context, new_grade); 709 } 710 711 /* 712 * The base lists for each grade can't be empty. 713 */ 714 if (VSTRING_LEN(buf) == 0) 715 msg_panic("%s: empty \"%s\" cipherlist", myname, grade); 716 717 /* 718 * Apply locally-specified exclusions. 719 */ 720 #define CIPHER_SEP "\t\n\r ,:" 721 if (exclusions != 0) { 722 cp = save = mystrdup(exclusions); 723 while ((tok = mystrtok(&cp, CIPHER_SEP)) != 0) { 724 725 /* 726 * Can't exclude ciphers that start with modifiers. 727 */ 728 if (strchr("!+-@", *tok)) { 729 vstring_sprintf(app_ctx->why, 730 "invalid unary '!+-@' in %s cipher " 731 "exclusion: \"%s\"", context, tok); 732 return (0); 733 } 734 vstring_sprintf_append(buf, ":!%s", tok); 735 } 736 myfree(save); 737 } 738 if ((new_list = tls_apply_cipher_list(app_ctx, context, buf)) == 0) 739 return (0); 740 741 /* Cache new state */ 742 app_ctx->cipher_grade = new_grade; 743 app_ctx->cipher_exclusions = mystrdup(exclusions); 744 745 return (app_ctx->cipher_list = mystrdup(new_list)); 746 } 747 748 /* tls_alloc_app_context - allocate TLS application context */ 749 750 TLS_APPL_STATE *tls_alloc_app_context(SSL_CTX *ssl_ctx, int log_mask) 751 { 752 TLS_APPL_STATE *app_ctx; 753 754 app_ctx = (TLS_APPL_STATE *) mymalloc(sizeof(*app_ctx)); 755 756 /* See portability note below with other memset() call. */ 757 memset((char *) app_ctx, 0, sizeof(*app_ctx)); 758 app_ctx->ssl_ctx = ssl_ctx; 759 app_ctx->log_mask = log_mask; 760 761 /* See also: cache purging code in tls_set_ciphers(). */ 762 app_ctx->cipher_grade = TLS_CIPHER_NONE; 763 app_ctx->cipher_exclusions = 0; 764 app_ctx->cipher_list = 0; 765 app_ctx->cache_type = 0; 766 app_ctx->why = vstring_alloc(1); 767 768 return (app_ctx); 769 } 770 771 /* tls_free_app_context - Free TLS application context */ 772 773 void tls_free_app_context(TLS_APPL_STATE *app_ctx) 774 { 775 if (app_ctx->ssl_ctx) 776 SSL_CTX_free(app_ctx->ssl_ctx); 777 if (app_ctx->cache_type) 778 myfree(app_ctx->cache_type); 779 /* See also: cache purging code in tls_set_ciphers(). */ 780 if (app_ctx->cipher_exclusions) 781 myfree(app_ctx->cipher_exclusions); 782 if (app_ctx->cipher_list) 783 myfree(app_ctx->cipher_list); 784 if (app_ctx->why) 785 vstring_free(app_ctx->why); 786 myfree((char *) app_ctx); 787 } 788 789 /* tls_alloc_sess_context - allocate TLS session context */ 790 791 TLS_SESS_STATE *tls_alloc_sess_context(int log_mask, const char *namaddr) 792 { 793 TLS_SESS_STATE *TLScontext; 794 795 /* 796 * PORTABILITY: Do not assume that null pointers are all-zero bits. Use 797 * explicit assignments to initialize pointers. 798 * 799 * See the C language FAQ item 5.17, or if you have time to burn, 800 * http://www.google.com/search?q=zero+bit+null+pointer 801 * 802 * However, it's OK to use memset() to zero integer values. 803 */ 804 TLScontext = (TLS_SESS_STATE *) mymalloc(sizeof(TLS_SESS_STATE)); 805 memset((char *) TLScontext, 0, sizeof(*TLScontext)); 806 TLScontext->con = 0; 807 TLScontext->cache_type = 0; 808 TLScontext->serverid = 0; 809 TLScontext->peer_CN = 0; 810 TLScontext->issuer_CN = 0; 811 TLScontext->peer_cert_fprint = 0; 812 TLScontext->peer_pkey_fprint = 0; 813 TLScontext->protocol = 0; 814 TLScontext->cipher_name = 0; 815 TLScontext->log_mask = log_mask; 816 TLScontext->namaddr = lowercase(mystrdup(namaddr)); 817 TLScontext->mdalg = 0; /* Alias for props->mdalg */ 818 TLScontext->dane = 0; /* Alias for props->dane */ 819 TLScontext->errordepth = -1; 820 TLScontext->tadepth = -1; 821 TLScontext->errorcode = X509_V_OK; 822 TLScontext->errorcert = 0; 823 TLScontext->untrusted = 0; 824 TLScontext->trusted = 0; 825 826 return (TLScontext); 827 } 828 829 /* tls_free_context - deallocate TLScontext and members */ 830 831 void tls_free_context(TLS_SESS_STATE *TLScontext) 832 { 833 834 /* 835 * Free the SSL structure and the BIOs. Warning: the internal_bio is 836 * connected to the SSL structure and is automatically freed with it. Do 837 * not free it again (core dump)!! Only free the network_bio. 838 */ 839 if (TLScontext->con != 0) 840 SSL_free(TLScontext->con); 841 842 if (TLScontext->namaddr) 843 myfree(TLScontext->namaddr); 844 if (TLScontext->serverid) 845 myfree(TLScontext->serverid); 846 847 if (TLScontext->peer_CN) 848 myfree(TLScontext->peer_CN); 849 if (TLScontext->issuer_CN) 850 myfree(TLScontext->issuer_CN); 851 if (TLScontext->peer_cert_fprint) 852 myfree(TLScontext->peer_cert_fprint); 853 if (TLScontext->peer_pkey_fprint) 854 myfree(TLScontext->peer_pkey_fprint); 855 if (TLScontext->errorcert) 856 X509_free(TLScontext->errorcert); 857 if (TLScontext->untrusted) 858 sk_X509_pop_free(TLScontext->untrusted, X509_free); 859 if (TLScontext->trusted) 860 sk_X509_pop_free(TLScontext->trusted, X509_free); 861 862 myfree((char *) TLScontext); 863 } 864 865 /* tls_version_split - Split OpenSSL version number into major, minor, ... */ 866 867 static void tls_version_split(long version, TLS_VINFO *info) 868 { 869 870 /* 871 * OPENSSL_VERSION_NUMBER(3): 872 * 873 * OPENSSL_VERSION_NUMBER is a numeric release version identifier: 874 * 875 * MMNNFFPPS: major minor fix patch status 876 * 877 * The status nibble has one of the values 0 for development, 1 to e for 878 * betas 1 to 14, and f for release. Parsed OpenSSL version number. for 879 * example 880 * 881 * 0x000906000 == 0.9.6 dev 0x000906023 == 0.9.6b beta 3 0x00090605f == 882 * 0.9.6e release 883 * 884 * Versions prior to 0.9.3 have identifiers < 0x0930. Versions between 885 * 0.9.3 and 0.9.5 had a version identifier with this interpretation: 886 * 887 * MMNNFFRBB major minor fix final beta/patch 888 * 889 * for example 890 * 891 * 0x000904100 == 0.9.4 release 0x000905000 == 0.9.5 dev 892 * 893 * Version 0.9.5a had an interim interpretation that is like the current 894 * one, except the patch level got the highest bit set, to keep continu- 895 * ity. The number was therefore 0x0090581f. 896 */ 897 898 if (version < 0x0930) { 899 info->status = 0; 900 info->patch = version & 0x0f; 901 version >>= 4; 902 info->micro = version & 0x0f; 903 version >>= 4; 904 info->minor = version & 0x0f; 905 version >>= 4; 906 info->major = version & 0x0f; 907 } else if (version < 0x00905800L) { 908 info->patch = version & 0xff; 909 version >>= 8; 910 info->status = version & 0xf; 911 version >>= 4; 912 info->micro = version & 0xff; 913 version >>= 8; 914 info->minor = version & 0xff; 915 version >>= 8; 916 info->major = version & 0xff; 917 } else { 918 info->status = version & 0xf; 919 version >>= 4; 920 info->patch = version & 0xff; 921 version >>= 8; 922 info->micro = version & 0xff; 923 version >>= 8; 924 info->minor = version & 0xff; 925 version >>= 8; 926 info->major = version & 0xff; 927 if (version < 0x00906000L) 928 info->patch &= ~0x80; 929 } 930 } 931 932 /* tls_check_version - Detect mismatch between headers and library. */ 933 934 void tls_check_version(void) 935 { 936 TLS_VINFO hdr_info; 937 TLS_VINFO lib_info; 938 939 tls_version_split(OPENSSL_VERSION_NUMBER, &hdr_info); 940 tls_version_split(SSLeay(), &lib_info); 941 942 if (lib_info.major != hdr_info.major 943 || lib_info.minor != hdr_info.minor 944 || lib_info.micro != hdr_info.micro) 945 msg_warn("run-time library vs. compile-time header version mismatch: " 946 "OpenSSL %d.%d.%d may not be compatible with OpenSSL %d.%d.%d", 947 lib_info.major, lib_info.minor, lib_info.micro, 948 hdr_info.major, hdr_info.minor, hdr_info.micro); 949 } 950 951 /* tls_bug_bits - SSL bug compatibility bits for this OpenSSL version */ 952 953 long tls_bug_bits(void) 954 { 955 long bits = SSL_OP_ALL; /* Work around all known bugs */ 956 957 #if OPENSSL_VERSION_NUMBER >= 0x00908000L && \ 958 OPENSSL_VERSION_NUMBER < 0x10000000L 959 long lib_version = SSLeay(); 960 961 /* 962 * In OpenSSL 0.9.8[ab], enabling zlib compression breaks the padding bug 963 * work-around, leading to false positives and failed connections. We may 964 * not interoperate with systems with the bug, but this is better than 965 * breaking on all 0.9.8[ab] systems that have zlib support enabled. 966 */ 967 if (lib_version >= 0x00908000L && lib_version <= 0x0090802fL) { 968 ssl_comp_stack_t *comp_methods = SSL_COMP_get_compression_methods(); 969 970 comp_methods = SSL_COMP_get_compression_methods(); 971 if (comp_methods != 0 && sk_SSL_COMP_num(comp_methods) > 0) 972 bits &= ~SSL_OP_TLS_BLOCK_PADDING_BUG; 973 } 974 #endif 975 976 /* 977 * Silently ignore any strings that don't appear in the tweaks table, or 978 * hex bits that are not in SSL_OP_ALL. 979 */ 980 if (*var_tls_bug_tweaks) { 981 bits &= ~long_name_mask_opt(VAR_TLS_BUG_TWEAKS, ssl_bug_tweaks, 982 var_tls_bug_tweaks, NAME_MASK_ANY_CASE | 983 NAME_MASK_NUMBER | NAME_MASK_WARN); 984 #ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG 985 /* Not relevant to SMTP */ 986 bits &= ~SSL_OP_SAFARI_ECDHE_ECDSA_BUG; 987 #endif 988 } 989 990 /* 991 * Allow users to set options not in SSL_OP_ALL, and not already managed 992 * via other Postfix parameters. 993 */ 994 if (*var_tls_ssl_options) { 995 long enable; 996 997 enable = long_name_mask_opt(VAR_TLS_SSL_OPTIONS, ssl_op_tweaks, 998 var_tls_ssl_options, NAME_MASK_ANY_CASE | 999 NAME_MASK_NUMBER | NAME_MASK_WARN); 1000 enable &= ~(SSL_OP_ALL | TLS_SSL_OP_MANAGED_BITS); 1001 bits |= enable; 1002 } 1003 return (bits); 1004 } 1005 1006 /* tls_print_errors - print and clear the error stack */ 1007 1008 void tls_print_errors(void) 1009 { 1010 unsigned long err; 1011 char buffer[1024]; /* XXX */ 1012 const char *file; 1013 const char *data; 1014 int line; 1015 int flags; 1016 1017 while ((err = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0) { 1018 ERR_error_string_n(err, buffer, sizeof(buffer)); 1019 if (flags & ERR_TXT_STRING) 1020 msg_warn("TLS library problem: %s:%s:%d:%s:", 1021 buffer, file, line, data); 1022 else 1023 msg_warn("TLS library problem: %s:%s:%d:", buffer, file, line); 1024 } 1025 } 1026 1027 /* tls_info_callback - callback for logging SSL events via Postfix */ 1028 1029 void tls_info_callback(const SSL *s, int where, int ret) 1030 { 1031 char *str; 1032 int w; 1033 1034 /* Adapted from OpenSSL apps/s_cb.c. */ 1035 1036 w = where & ~SSL_ST_MASK; 1037 1038 if (w & SSL_ST_CONNECT) 1039 str = "SSL_connect"; 1040 else if (w & SSL_ST_ACCEPT) 1041 str = "SSL_accept"; 1042 else 1043 str = "unknown"; 1044 1045 if (where & SSL_CB_LOOP) { 1046 msg_info("%s:%s", str, SSL_state_string_long((SSL *) s)); 1047 } else if (where & SSL_CB_ALERT) { 1048 str = (where & SSL_CB_READ) ? "read" : "write"; 1049 if ((ret & 0xff) != SSL3_AD_CLOSE_NOTIFY) 1050 msg_info("SSL3 alert %s:%s:%s", str, 1051 SSL_alert_type_string_long(ret), 1052 SSL_alert_desc_string_long(ret)); 1053 } else if (where & SSL_CB_EXIT) { 1054 if (ret == 0) 1055 msg_info("%s:failed in %s", 1056 str, SSL_state_string_long((SSL *) s)); 1057 else if (ret < 0) { 1058 #ifndef LOG_NON_ERROR_STATES 1059 switch (SSL_get_error((SSL *) s, ret)) { 1060 case SSL_ERROR_WANT_READ: 1061 case SSL_ERROR_WANT_WRITE: 1062 /* Don't log non-error states. */ 1063 break; 1064 default: 1065 #endif 1066 msg_info("%s:error in %s", 1067 str, SSL_state_string_long((SSL *) s)); 1068 #ifndef LOG_NON_ERROR_STATES 1069 } 1070 #endif 1071 } 1072 } 1073 } 1074 1075 /* 1076 * taken from OpenSSL crypto/bio/b_dump.c. 1077 * 1078 * Modified to save a lot of strcpy and strcat by Matti Aarnio. 1079 * 1080 * Rewritten by Wietse to elimate fixed-size stack buffer, array index 1081 * multiplication and division, sprintf() and strcpy(), and lots of strlen() 1082 * calls. We could make it a little faster by using a fixed-size stack-based 1083 * buffer. 1084 * 1085 * 200412 - use %lx to print pointers, after casting them to unsigned long. 1086 */ 1087 1088 #define TRUNCATE_SPACE_NULL 1089 #define DUMP_WIDTH 16 1090 #define VERT_SPLIT 7 1091 1092 static void tls_dump_buffer(const unsigned char *start, int len) 1093 { 1094 VSTRING *buf = vstring_alloc(100); 1095 const unsigned char *last = start + len - 1; 1096 const unsigned char *row; 1097 const unsigned char *col; 1098 int ch; 1099 1100 #ifdef TRUNCATE_SPACE_NULL 1101 while (last >= start && (*last == ' ' || *last == 0)) 1102 last--; 1103 #endif 1104 1105 for (row = start; row <= last; row += DUMP_WIDTH) { 1106 VSTRING_RESET(buf); 1107 vstring_sprintf(buf, "%04lx ", (unsigned long) (row - start)); 1108 for (col = row; col < row + DUMP_WIDTH; col++) { 1109 if (col > last) { 1110 vstring_strcat(buf, " "); 1111 } else { 1112 ch = *col; 1113 vstring_sprintf_append(buf, "%02x%c", 1114 ch, col - row == VERT_SPLIT ? '|' : ' '); 1115 } 1116 } 1117 VSTRING_ADDCH(buf, ' '); 1118 for (col = row; col < row + DUMP_WIDTH; col++) { 1119 if (col > last) 1120 break; 1121 ch = *col; 1122 if (!ISPRINT(ch)) 1123 ch = '.'; 1124 VSTRING_ADDCH(buf, ch); 1125 if (col - row == VERT_SPLIT) 1126 VSTRING_ADDCH(buf, ' '); 1127 } 1128 VSTRING_TERMINATE(buf); 1129 msg_info("%s", vstring_str(buf)); 1130 } 1131 #ifdef TRUNCATE_SPACE_NULL 1132 if ((last + 1) - start < len) 1133 msg_info("%04lx - <SPACES/NULLS>", 1134 (unsigned long) ((last + 1) - start)); 1135 #endif 1136 vstring_free(buf); 1137 } 1138 1139 /* taken from OpenSSL apps/s_cb.c */ 1140 1141 long tls_bio_dump_cb(BIO *bio, int cmd, const char *argp, int argi, 1142 long unused_argl, long ret) 1143 { 1144 if (cmd == (BIO_CB_READ | BIO_CB_RETURN)) { 1145 msg_info("read from %08lX [%08lX] (%d bytes => %ld (0x%lX))", 1146 (unsigned long) bio, (unsigned long) argp, argi, 1147 ret, (unsigned long) ret); 1148 tls_dump_buffer((unsigned char *) argp, (int) ret); 1149 } else if (cmd == (BIO_CB_WRITE | BIO_CB_RETURN)) { 1150 msg_info("write to %08lX [%08lX] (%d bytes => %ld (0x%lX))", 1151 (unsigned long) bio, (unsigned long) argp, argi, 1152 ret, (unsigned long) ret); 1153 tls_dump_buffer((unsigned char *) argp, (int) ret); 1154 } 1155 return (ret); 1156 } 1157 1158 int tls_validate_digest(const char *dgst) 1159 { 1160 const EVP_MD *md_alg; 1161 unsigned int md_len; 1162 1163 /* 1164 * Register SHA-2 digests, if implemented and not already registered. 1165 * Improves interoperability with clients and servers that prematurely 1166 * deploy SHA-2 certificates. Also facilitates DANE and TA support. 1167 */ 1168 #if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256) 1169 if (!EVP_get_digestbyname(LN_sha224)) 1170 EVP_add_digest(EVP_sha224()); 1171 if (!EVP_get_digestbyname(LN_sha256)) 1172 EVP_add_digest(EVP_sha256()); 1173 #endif 1174 #if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512) 1175 if (!EVP_get_digestbyname(LN_sha384)) 1176 EVP_add_digest(EVP_sha384()); 1177 if (!EVP_get_digestbyname(LN_sha512)) 1178 EVP_add_digest(EVP_sha512()); 1179 #endif 1180 1181 /* 1182 * If the administrator specifies an unsupported digest algorithm, fail 1183 * now, rather than in the middle of a TLS handshake. 1184 */ 1185 if ((md_alg = EVP_get_digestbyname(dgst)) == 0) { 1186 msg_warn("Digest algorithm \"%s\" not found", dgst); 1187 return (0); 1188 } 1189 1190 /* 1191 * Sanity check: Newer shared libraries may use larger digests. 1192 */ 1193 if ((md_len = EVP_MD_size(md_alg)) > EVP_MAX_MD_SIZE) { 1194 msg_warn("Digest algorithm \"%s\" output size %u too large", 1195 dgst, md_len); 1196 return (0); 1197 } 1198 return (1); 1199 } 1200 1201 #else 1202 1203 /* 1204 * Broken linker workaround. 1205 */ 1206 int tls_dummy_for_broken_linkers; 1207 1208 #endif 1209