1 /* $NetBSD: tls_misc.c,v 1.4 2022/10/08 16:12:50 christos Exp $ */
2
3 /*++
4 /* NAME
5 /* tls_misc 3
6 /* SUMMARY
7 /* miscellaneous TLS support routines
8 /* SYNOPSIS
9 /* .SH Public functions
10 /* .nf
11 /* .na
12 /* #include <tls.h>
13 /*
14 /* void tls_log_summary(role, usage, TLScontext)
15 /* TLS_ROLE role;
16 /* TLS_USAGE usage;
17 /* TLS_SESS_STATE *TLScontext;
18 /*
19 /* const char *tls_compile_version(void)
20 /*
21 /* const char *tls_run_version(void)
22 /*
23 /* const char **tls_pkey_algorithms(void)
24 /*
25 /* void tls_pre_jail_init(TLS_ROLE)
26 /* TLS_ROLE role;
27 /*
28 /* .SH Internal functions
29 /* .nf
30 /* .na
31 /* #define TLS_INTERNAL
32 /* #include <tls.h>
33 /*
34 /* char *var_tls_high_clist;
35 /* char *var_tls_medium_clist;
36 /* char *var_tls_low_clist;
37 /* char *var_tls_export_clist;
38 /* char *var_tls_null_clist;
39 /* char *var_tls_eecdh_auto;
40 /* char *var_tls_eecdh_strong;
41 /* char *var_tls_eecdh_ultra;
42 /* char *var_tls_dane_digests;
43 /* int var_tls_daemon_rand_bytes;
44 /* bool var_tls_append_def_CA;
45 /* bool var_tls_preempt_clist;
46 /* bool var_tls_bc_pkey_fprint;
47 /* bool var_tls_multi_wildcard;
48 /* char *var_tls_mgr_service;
49 /* char *var_tls_tkt_cipher;
50 /* char *var_openssl_path;
51 /* char *var_tls_server_sni_maps;
52 /* bool var_tls_fast_shutdown;
53 /*
54 /* TLS_APPL_STATE *tls_alloc_app_context(ssl_ctx, log_mask)
55 /* SSL_CTX *ssl_ctx;
56 /* int log_mask;
57 /*
58 /* void tls_free_app_context(app_ctx)
59 /* void *app_ctx;
60 /*
61 /* TLS_SESS_STATE *tls_alloc_sess_context(log_mask, namaddr)
62 /* int log_mask;
63 /* const char *namaddr;
64 /*
65 /* void tls_free_context(TLScontext)
66 /* TLS_SESS_STATE *TLScontext;
67 /*
68 /* void tls_check_version()
69 /*
70 /* long tls_bug_bits()
71 /*
72 /* void tls_param_init()
73 /*
74 /* int tls_proto_mask_lims(plist, floor, ceiling)
75 /* const char *plist;
76 /* int *floor;
77 /* int *ceiling;
78 /*
79 /* int tls_cipher_grade(name)
80 /* const char *name;
81 /*
82 /* const char *str_tls_cipher_grade(grade)
83 /* int grade;
84 /*
85 /* const char *tls_set_ciphers(TLScontext, grade, exclusions)
86 /* TLS_SESS_STATE *TLScontext;
87 /* int grade;
88 /* const char *exclusions;
89 /*
90 /* void tls_get_signature_params(TLScontext)
91 /* TLS_SESS_STATE *TLScontext;
92 /*
93 /* void tls_print_errors()
94 /*
95 /* void tls_info_callback(ssl, where, ret)
96 /* const SSL *ssl; /* unused */
97 /* int where;
98 /* int ret;
99 /*
100 /* long tls_bio_dump_cb(bio, cmd, argp, len, argi, argl, ret, processed)
101 /* BIO *bio;
102 /* int cmd;
103 /* const char *argp;
104 /* size_t len;
105 /* int argi;
106 /* long argl; /* unused */
107 /* int ret;
108 /* size_t *processed;
109 /*
110 /* int tls_log_mask(log_param, log_level)
111 /* const char *log_param;
112 /* const char *log_level;
113 /*
114 /* void tls_update_app_logmask(app_ctx, log_mask)
115 /* TLS_APPL_STATE *app_ctx;
116 /* int log_mask;
117 /*
118 /* const EVP_MD *tls_validate_digest(dgst)
119 /* const char *dgst;
120 /* DESCRIPTION
121 /* This module implements public and internal routines that
122 /* support the TLS client and server.
123 /*
124 /* tls_log_summary() logs a summary of a completed TLS connection.
125 /* The "role" argument must be TLS_ROLE_CLIENT for outgoing client
126 /* connections, or TLS_ROLE_SERVER for incoming server connections,
127 /* and the "usage" must be TLS_USAGE_NEW or TLS_USAGE_USED.
128 /*
129 /* tls_compile_version() returns a text string description of
130 /* the compile-time TLS library.
131 /*
132 /* tls_run_version() is just tls_compile_version() but with the runtime
133 /* version instead of the compile-time version.
134 /*
135 /* tls_pkey_algorithms() returns a pointer to null-terminated
136 /* array of string constants with the names of the supported
137 /* public-key algorithms.
138 /*
139 /* tls_alloc_app_context() creates an application context that
140 /* holds the SSL context for the application and related cached state.
141 /*
142 /* tls_free_app_context() deallocates the application context and its
143 /* contents (the application context is stored outside the TLS library).
144 /*
145 /* tls_alloc_sess_context() creates an initialized TLS session context
146 /* structure with the specified log mask and peer name[addr].
147 /*
148 /* tls_free_context() destroys a TLScontext structure
149 /* together with OpenSSL structures that are attached to it.
150 /*
151 /* tls_check_version() logs a warning when the run-time OpenSSL
152 /* library differs in its major, minor or micro number from
153 /* the compile-time OpenSSL headers.
154 /*
155 /* tls_bug_bits() returns the bug compatibility mask appropriate
156 /* for the run-time library. Some of the bug work-arounds are
157 /* not appropriate for some library versions.
158 /*
159 /* tls_param_init() loads main.cf parameters used internally in
160 /* TLS library. Any errors are fatal.
161 /*
162 /* tls_pre_jail_init() opens any tables that need to be opened before
163 /* entering a chroot jail. The "role" parameter must be TLS_ROLE_CLIENT
164 /* for clients and TLS_ROLE_SERVER for servers. Any errors are fatal.
165 /*
166 /* tls_proto_mask_lims() returns a bitmask of excluded protocols, and
167 /* and the protocol version floor/ceiling, given a list (plist) of
168 /* protocols to include or (preceded by a '!') exclude, or constraints
169 /* of the form '>=name', '<=name', '>=hexvalue', '<=hexvalue'. If "plist"
170 /* contains invalid protocol names, TLS_PROTOCOL_INVALID is returned and
171 /* no warning is logged.
172 /*
173 /* tls_cipher_grade() converts a case-insensitive cipher grade
174 /* name (high, medium, low, export, null) to the corresponding
175 /* TLS_CIPHER_ constant. When the input specifies an unrecognized
176 /* grade, tls_cipher_grade() logs no warning, and returns
177 /* TLS_CIPHER_NONE.
178 /*
179 /* str_tls_cipher_grade() converts a cipher grade to a name.
180 /* When the input specifies an undefined grade, str_tls_cipher_grade()
181 /* logs no warning, returns a null pointer.
182 /*
183 /* tls_set_ciphers() applies the requested cipher grade and exclusions
184 /* to the provided TLS session context, returning the resulting cipher
185 /* list string. The return value is the cipherlist used and is
186 /* overwritten upon each call. When the input is invalid,
187 /* tls_set_ciphers() logs a warning, and returns a null result.
188 /*
189 /* tls_get_signature_params() updates the "TLScontext" with handshake
190 /* signature parameters pertaining to TLS 1.3, where the ciphersuite
191 /* no longer describes the asymmetric algorithms employed in the
192 /* handshake, which are negotiated separately. This function
193 /* has no effect for TLS 1.2 and earlier.
194 /*
195 /* tls_print_errors() queries the OpenSSL error stack,
196 /* logs the error messages, and clears the error stack.
197 /*
198 /* tls_info_callback() is a call-back routine for the
199 /* SSL_CTX_set_info_callback() routine. It logs SSL events
200 /* to the Postfix logfile.
201 /*
202 /* tls_bio_dump_cb() is a call-back routine for the
203 /* BIO_set_callback() routine. It logs SSL content to the
204 /* Postfix logfile.
205 /*
206 /* tls_log_mask() converts a TLS log_level value from string
207 /* to mask. The main.cf parameter name is passed along for
208 /* diagnostics.
209 /*
210 /* tls_update_app_logmask() changes the log mask of the
211 /* application TLS context to the new setting.
212 /*
213 /* tls_validate_digest() returns a static handle for the named
214 /* digest algorithm, or NULL on error.
215 /* LICENSE
216 /* .ad
217 /* .fi
218 /* This software is free. You can do with it whatever you want.
219 /* The original author kindly requests that you acknowledge
220 /* the use of his software.
221 /* AUTHOR(S)
222 /* Originally written by:
223 /* Lutz Jaenicke
224 /* BTU Cottbus
225 /* Allgemeine Elektrotechnik
226 /* Universitaetsplatz 3-4
227 /* D-03044 Cottbus, Germany
228 /*
229 /* Updated by:
230 /* Wietse Venema
231 /* IBM T.J. Watson Research
232 /* P.O. Box 704
233 /* Yorktown Heights, NY 10598, USA
234 /*
235 /* Victor Duchovni
236 /* Morgan Stanley
237 /*
238 /* Wietse Venema
239 /* Google, Inc.
240 /* 111 8th Avenue
241 /* New York, NY 10011, USA
242 /*--*/
243
244 /* System library. */
245
246 #include <sys_defs.h>
247 #include <ctype.h>
248 #include <string.h>
249
250 /* Utility library. */
251
252 #include <vstream.h>
253 #include <msg.h>
254 #include <mymalloc.h>
255 #include <vstring.h>
256 #include <stringops.h>
257 #include <argv.h>
258 #include <name_mask.h>
259 #include <name_code.h>
260 #include <dict.h>
261 #include <valid_hostname.h>
262
263 /*
264 * Global library.
265 */
266 #include <mail_params.h>
267 #include <mail_conf.h>
268 #include <maps.h>
269
270 /*
271 * TLS library.
272 */
273 #define TLS_INTERNAL
274 #include <tls.h>
275
276 /* Application-specific. */
277
278 /*
279 * Tunable parameters.
280 */
281 char *var_tls_high_clist;
282 char *var_tls_medium_clist;
283 char *var_tls_low_clist;
284 char *var_tls_export_clist;
285 char *var_tls_null_clist;
286 int var_tls_daemon_rand_bytes;
287 char *var_tls_eecdh_auto;
288 char *var_tls_eecdh_strong;
289 char *var_tls_eecdh_ultra;
290 char *var_tls_dane_digests;
291 bool var_tls_append_def_CA;
292 char *var_tls_bug_tweaks;
293 char *var_tls_ssl_options;
294 bool var_tls_bc_pkey_fprint;
295 bool var_tls_multi_wildcard;
296 char *var_tls_mgr_service;
297 char *var_tls_tkt_cipher;
298 char *var_openssl_path;
299 char *var_tls_server_sni_maps;
300 bool var_tls_fast_shutdown;
301 bool var_tls_preempt_clist;
302
303 #ifdef USE_TLS
304
305 static MAPS *tls_server_sni_maps;
306
307 /*
308 * Index to attach TLScontext pointers to SSL objects, so that they can be
309 * accessed by call-back routines.
310 */
311 int TLScontext_index = -1;
312
313 /*
314 * Protocol name <=> mask conversion.
315 */
316 static const NAME_CODE protocol_table[] = {
317 SSL_TXT_SSLV2, TLS_PROTOCOL_SSLv2,
318 SSL_TXT_SSLV3, TLS_PROTOCOL_SSLv3,
319 SSL_TXT_TLSV1, TLS_PROTOCOL_TLSv1,
320 SSL_TXT_TLSV1_1, TLS_PROTOCOL_TLSv1_1,
321 SSL_TXT_TLSV1_2, TLS_PROTOCOL_TLSv1_2,
322 TLS_PROTOCOL_TXT_TLSV1_3, TLS_PROTOCOL_TLSv1_3,
323 0, TLS_PROTOCOL_INVALID,
324 };
325
326 /*
327 * Protocol name => numeric version, for MinProtocol and MaxProtocol
328 */
329 static const NAME_CODE tls_version_table[] = {
330 "None", 0,
331 SSL_TXT_SSLV3, SSL3_VERSION,
332 SSL_TXT_TLSV1, TLS1_VERSION,
333 SSL_TXT_TLSV1_1, TLS1_1_VERSION,
334 SSL_TXT_TLSV1_2, TLS1_2_VERSION,
335 TLS_PROTOCOL_TXT_TLSV1_3, TLS1_3_VERSION,
336 0, -1,
337 };
338
339 /*
340 * SSL_OP_MUMBLE bug work-around name <=> mask conversion.
341 */
342 #define NAMEBUG(x) #x, SSL_OP_##x
343 static const LONG_NAME_MASK ssl_bug_tweaks[] = {
344
345 #ifndef SSL_OP_MICROSOFT_SESS_ID_BUG
346 #define SSL_OP_MICROSOFT_SESS_ID_BUG 0
347 #endif
348 NAMEBUG(MICROSOFT_SESS_ID_BUG),
349
350 #ifndef SSL_OP_NETSCAPE_CHALLENGE_BUG
351 #define SSL_OP_NETSCAPE_CHALLENGE_BUG 0
352 #endif
353 NAMEBUG(NETSCAPE_CHALLENGE_BUG),
354
355 #ifndef SSL_OP_LEGACY_SERVER_CONNECT
356 #define SSL_OP_LEGACY_SERVER_CONNECT 0
357 #endif
358 NAMEBUG(LEGACY_SERVER_CONNECT),
359
360 #ifndef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
361 #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0
362 #endif
363 NAMEBUG(NETSCAPE_REUSE_CIPHER_CHANGE_BUG),
364 "CVE-2010-4180", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG,
365
366 #ifndef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
367 #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0
368 #endif
369 NAMEBUG(SSLREF2_REUSE_CERT_TYPE_BUG),
370
371 #ifndef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
372 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0
373 #endif
374 NAMEBUG(MICROSOFT_BIG_SSLV3_BUFFER),
375
376 #ifndef SSL_OP_MSIE_SSLV2_RSA_PADDING
377 #define SSL_OP_MSIE_SSLV2_RSA_PADDING 0
378 #endif
379 NAMEBUG(MSIE_SSLV2_RSA_PADDING),
380 "CVE-2005-2969", SSL_OP_MSIE_SSLV2_RSA_PADDING,
381
382 #ifndef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
383 #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0
384 #endif
385 NAMEBUG(SSLEAY_080_CLIENT_DH_BUG),
386
387 #ifndef SSL_OP_TLS_D5_BUG
388 #define SSL_OP_TLS_D5_BUG 0
389 #endif
390 NAMEBUG(TLS_D5_BUG),
391
392 #ifndef SSL_OP_TLS_BLOCK_PADDING_BUG
393 #define SSL_OP_TLS_BLOCK_PADDING_BUG 0
394 #endif
395 NAMEBUG(TLS_BLOCK_PADDING_BUG),
396
397 #ifndef SSL_OP_TLS_ROLLBACK_BUG
398 #define SSL_OP_TLS_ROLLBACK_BUG 0
399 #endif
400 NAMEBUG(TLS_ROLLBACK_BUG),
401
402 #ifndef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
403 #define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0
404 #endif
405 NAMEBUG(DONT_INSERT_EMPTY_FRAGMENTS),
406
407 #ifndef SSL_OP_CRYPTOPRO_TLSEXT_BUG
408 #define SSL_OP_CRYPTOPRO_TLSEXT_BUG 0
409 #endif
410 NAMEBUG(CRYPTOPRO_TLSEXT_BUG),
411
412 #ifndef SSL_OP_TLSEXT_PADDING
413 #define SSL_OP_TLSEXT_PADDING 0
414 #endif
415 NAMEBUG(TLSEXT_PADDING),
416
417 #if 0
418
419 /*
420 * XXX: New with OpenSSL 1.1.1, this is turned on implicitly in
421 * SSL_CTX_new() and is not included in SSL_OP_ALL. Allowing users to
422 * disable this would thus be a code change that would require clearing
423 * bug work-around bits in SSL_CTX, after setting SSL_OP_ALL. Since this
424 * is presumably required for TLS 1.3 on today's Internet, the code
425 * change will be done separately later. For now this implicit bug
426 * work-around cannot be disabled via supported Postfix mechanisms.
427 */
428 #ifndef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
429 #define SSL_OP_ENABLE_MIDDLEBOX_COMPAT 0
430 #endif
431 NAMEBUG(ENABLE_MIDDLEBOX_COMPAT),
432 #endif
433
434 0, 0,
435 };
436
437 /*
438 * SSL_OP_MUMBLE option name <=> mask conversion for options that are not
439 * (or may in the future not be) in SSL_OP_ALL. These enable optional
440 * behavior, rather than bug interoperability work-arounds.
441 */
442 #define NAME_SSL_OP(x) #x, SSL_OP_##x
443 static const LONG_NAME_MASK ssl_op_tweaks[] = {
444
445 #ifndef SSL_OP_LEGACY_SERVER_CONNECT
446 #define SSL_OP_LEGACY_SERVER_CONNECT 0
447 #endif
448 NAME_SSL_OP(LEGACY_SERVER_CONNECT),
449
450 #ifndef SSL_OP_NO_TICKET
451 #define SSL_OP_NO_TICKET 0
452 #endif
453 NAME_SSL_OP(NO_TICKET),
454
455 #ifndef SSL_OP_NO_COMPRESSION
456 #define SSL_OP_NO_COMPRESSION 0
457 #endif
458 NAME_SSL_OP(NO_COMPRESSION),
459
460 #ifndef SSL_OP_NO_RENEGOTIATION
461 #define SSL_OP_NO_RENEGOTIATION 0
462 #endif
463 NAME_SSL_OP(NO_RENEGOTIATION),
464
465 #ifndef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
466 #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0
467 #endif
468 NAME_SSL_OP(NO_SESSION_RESUMPTION_ON_RENEGOTIATION),
469
470 #ifndef SSL_OP_PRIORITIZE_CHACHA
471 #define SSL_OP_PRIORITIZE_CHACHA 0
472 #endif
473 NAME_SSL_OP(PRIORITIZE_CHACHA),
474
475 #ifndef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
476 #define SSL_OP_ENABLE_MIDDLEBOX_COMPAT 0
477 #endif
478 NAME_SSL_OP(ENABLE_MIDDLEBOX_COMPAT),
479
480 0, 0,
481 };
482
483 /*
484 * Once these have been a NOOP long enough, they might some day be removed
485 * from OpenSSL. The defines below will avoid bitrot issues if/when that
486 * happens.
487 */
488 #ifndef SSL_OP_SINGLE_DH_USE
489 #define SSL_OP_SINGLE_DH_USE 0
490 #endif
491 #ifndef SSL_OP_SINGLE_ECDH_USE
492 #define SSL_OP_SINGLE_ECDH_USE 0
493 #endif
494
495 /*
496 * Ciphersuite name <=> code conversion.
497 */
498 const NAME_CODE tls_cipher_grade_table[] = {
499 "high", TLS_CIPHER_HIGH,
500 "medium", TLS_CIPHER_MEDIUM,
501 "low", TLS_CIPHER_LOW,
502 "export", TLS_CIPHER_EXPORT,
503 "null", TLS_CIPHER_NULL,
504 "invalid", TLS_CIPHER_NONE,
505 0, TLS_CIPHER_NONE,
506 };
507
508 /*
509 * Log keyword <=> mask conversion.
510 */
511 #define TLS_LOG_0 TLS_LOG_NONE
512 #define TLS_LOG_1 TLS_LOG_SUMMARY
513 #define TLS_LOG_2 (TLS_LOG_1 | TLS_LOG_VERBOSE | TLS_LOG_CACHE | TLS_LOG_DEBUG)
514 #define TLS_LOG_3 (TLS_LOG_2 | TLS_LOG_TLSPKTS)
515 #define TLS_LOG_4 (TLS_LOG_3 | TLS_LOG_ALLPKTS)
516
517 static const NAME_MASK tls_log_table[] = {
518 "0", TLS_LOG_0,
519 "none", TLS_LOG_NONE,
520 "1", TLS_LOG_1,
521 "routine", TLS_LOG_1,
522 "2", TLS_LOG_2,
523 "debug", TLS_LOG_2,
524 "3", TLS_LOG_3,
525 "ssl-expert", TLS_LOG_3,
526 "4", TLS_LOG_4,
527 "ssl-developer", TLS_LOG_4,
528 "5", TLS_LOG_4, /* for good measure */
529 "6", TLS_LOG_4, /* for good measure */
530 "7", TLS_LOG_4, /* for good measure */
531 "8", TLS_LOG_4, /* for good measure */
532 "9", TLS_LOG_4, /* for good measure */
533 "summary", TLS_LOG_SUMMARY,
534 "untrusted", TLS_LOG_UNTRUSTED,
535 "peercert", TLS_LOG_PEERCERT,
536 "certmatch", TLS_LOG_CERTMATCH,
537 "verbose", TLS_LOG_VERBOSE, /* Postfix TLS library verbose */
538 "cache", TLS_LOG_CACHE,
539 "dane", TLS_LOG_DANE, /* DANE policy construction */
540 "ssl-debug", TLS_LOG_DEBUG, /* SSL library debug/verbose */
541 "ssl-handshake-packet-dump", TLS_LOG_TLSPKTS,
542 "ssl-session-packet-dump", TLS_LOG_TLSPKTS | TLS_LOG_ALLPKTS,
543 0, 0,
544 };
545
546 /*
547 * Parsed OpenSSL version number.
548 */
549 typedef struct {
550 int major;
551 int minor;
552 int micro;
553 int patch;
554 int status;
555 } TLS_VINFO;
556
557 /* tls_log_mask - Convert user TLS loglevel to internal log feature mask */
558
tls_log_mask(const char * log_param,const char * log_level)559 int tls_log_mask(const char *log_param, const char *log_level)
560 {
561 int mask;
562
563 mask = name_mask_opt(log_param, tls_log_table, log_level,
564 NAME_MASK_ANY_CASE | NAME_MASK_RETURN);
565 return (mask);
566 }
567
568 /* tls_update_app_logmask - update log level after init */
569
tls_update_app_logmask(TLS_APPL_STATE * app_ctx,int log_mask)570 void tls_update_app_logmask(TLS_APPL_STATE *app_ctx, int log_mask)
571 {
572 app_ctx->log_mask = log_mask;
573 }
574
575 /* parse_version - parse TLS protocol version name or hex number */
576
parse_tls_version(const char * tok,int * version)577 static int parse_tls_version(const char *tok, int *version)
578 {
579 int code = name_code(tls_version_table, NAME_CODE_FLAG_NONE, tok);
580 char *_end;
581 unsigned long ulval;
582
583 if (code != -1) {
584 *version = code;
585 return (0);
586 }
587 errno = 0;
588 ulval = strtoul(tok, &_end, 16);
589 if (*_end != 0
590 || (ulval == ULONG_MAX && errno == ERANGE)
591 || ulval > INT_MAX)
592 return TLS_PROTOCOL_INVALID;
593
594 *version = (int) ulval;
595 return (0);
596 }
597
598 /* tls_proto_mask_lims - protocols to exclude and floor/ceiling */
599
tls_proto_mask_lims(const char * plist,int * floor,int * ceiling)600 int tls_proto_mask_lims(const char *plist, int *floor, int *ceiling)
601 {
602 char *save;
603 char *tok;
604 char *cp;
605 int code;
606 int exclude = 0;
607 int include = 0;
608
609 #define FREE_AND_RETURN(ptr, res) do { \
610 myfree(ptr); \
611 return (res); \
612 } while (0)
613
614 *floor = *ceiling = 0;
615
616 save = cp = mystrdup(plist);
617 while ((tok = mystrtok(&cp, CHARS_COMMA_SP ":")) != 0) {
618 if (strncmp(tok, ">=", 2) == 0)
619 code = parse_tls_version(tok + 2, floor);
620 else if (strncmp(tok, "<=", 2) == 0)
621 code = parse_tls_version(tok + 2, ceiling);
622 else if (*tok == '!')
623 exclude |= code =
624 name_code(protocol_table, NAME_CODE_FLAG_NONE, ++tok);
625 else
626 include |= code =
627 name_code(protocol_table, NAME_CODE_FLAG_NONE, tok);
628 if (code == TLS_PROTOCOL_INVALID)
629 FREE_AND_RETURN(save, TLS_PROTOCOL_INVALID);
630 }
631
632 /*
633 * When the include list is empty, use only the explicit exclusions.
634 * Otherwise, also exclude the complement of the include list from the
635 * built-in list of known protocols. There is no way to exclude protocols
636 * we don't know about at compile time, and this is unavoidable because
637 * the OpenSSL API works with compile-time *exclusion* bit-masks.
638 */
639 FREE_AND_RETURN(save,
640 (include ? (exclude | (TLS_KNOWN_PROTOCOLS & ~include)) : exclude));
641 }
642
643 /* tls_param_init - Load TLS related config parameters */
644
tls_param_init(void)645 void tls_param_init(void)
646 {
647 /* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */
648 static const CONFIG_STR_TABLE str_table[] = {
649 VAR_TLS_HIGH_CLIST, DEF_TLS_HIGH_CLIST, &var_tls_high_clist, 1, 0,
650 VAR_TLS_MEDIUM_CLIST, DEF_TLS_MEDIUM_CLIST, &var_tls_medium_clist, 1, 0,
651 VAR_TLS_LOW_CLIST, DEF_TLS_LOW_CLIST, &var_tls_low_clist, 1, 0,
652 VAR_TLS_EXPORT_CLIST, DEF_TLS_EXPORT_CLIST, &var_tls_export_clist, 1, 0,
653 VAR_TLS_NULL_CLIST, DEF_TLS_NULL_CLIST, &var_tls_null_clist, 1, 0,
654 VAR_TLS_EECDH_AUTO, DEF_TLS_EECDH_AUTO, &var_tls_eecdh_auto, 1, 0,
655 VAR_TLS_EECDH_STRONG, DEF_TLS_EECDH_STRONG, &var_tls_eecdh_strong, 1, 0,
656 VAR_TLS_EECDH_ULTRA, DEF_TLS_EECDH_ULTRA, &var_tls_eecdh_ultra, 1, 0,
657 VAR_TLS_BUG_TWEAKS, DEF_TLS_BUG_TWEAKS, &var_tls_bug_tweaks, 0, 0,
658 VAR_TLS_SSL_OPTIONS, DEF_TLS_SSL_OPTIONS, &var_tls_ssl_options, 0, 0,
659 VAR_TLS_DANE_DIGESTS, DEF_TLS_DANE_DIGESTS, &var_tls_dane_digests, 1, 0,
660 VAR_TLS_MGR_SERVICE, DEF_TLS_MGR_SERVICE, &var_tls_mgr_service, 1, 0,
661 VAR_TLS_TKT_CIPHER, DEF_TLS_TKT_CIPHER, &var_tls_tkt_cipher, 0, 0,
662 VAR_OPENSSL_PATH, DEF_OPENSSL_PATH, &var_openssl_path, 1, 0,
663 0,
664 };
665
666 /* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */
667 static const CONFIG_INT_TABLE int_table[] = {
668 VAR_TLS_DAEMON_RAND_BYTES, DEF_TLS_DAEMON_RAND_BYTES, &var_tls_daemon_rand_bytes, 1, 0,
669 0,
670 };
671
672 /* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */
673 static const CONFIG_BOOL_TABLE bool_table[] = {
674 VAR_TLS_APPEND_DEF_CA, DEF_TLS_APPEND_DEF_CA, &var_tls_append_def_CA,
675 VAR_TLS_BC_PKEY_FPRINT, DEF_TLS_BC_PKEY_FPRINT, &var_tls_bc_pkey_fprint,
676 VAR_TLS_PREEMPT_CLIST, DEF_TLS_PREEMPT_CLIST, &var_tls_preempt_clist,
677 VAR_TLS_MULTI_WILDCARD, DEF_TLS_MULTI_WILDCARD, &var_tls_multi_wildcard,
678 VAR_TLS_FAST_SHUTDOWN, DEF_TLS_FAST_SHUTDOWN, &var_tls_fast_shutdown,
679 0,
680 };
681 static int init_done;
682
683 if (init_done)
684 return;
685 init_done = 1;
686
687 get_mail_conf_str_table(str_table);
688 get_mail_conf_int_table(int_table);
689 get_mail_conf_bool_table(bool_table);
690 }
691
692 /* tls_pre_jail_init - Load TLS related pre-jail tables */
693
tls_pre_jail_init(TLS_ROLE role)694 void tls_pre_jail_init(TLS_ROLE role)
695 {
696 static const CONFIG_STR_TABLE str_table[] = {
697 VAR_TLS_SERVER_SNI_MAPS, DEF_TLS_SERVER_SNI_MAPS, &var_tls_server_sni_maps, 0, 0,
698 0,
699 };
700 int flags;
701
702 tls_param_init();
703
704 /* Nothing for clients at this time */
705 if (role != TLS_ROLE_SERVER)
706 return;
707
708 get_mail_conf_str_table(str_table);
709 if (*var_tls_server_sni_maps == 0)
710 return;
711
712 flags = DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX | DICT_FLAG_SRC_RHS_IS_FILE;
713 tls_server_sni_maps =
714 maps_create(VAR_TLS_SERVER_SNI_MAPS, var_tls_server_sni_maps, flags);
715 }
716
717 /* server_sni_callback - process client's SNI extension */
718
server_sni_callback(SSL * ssl,int * alert,void * arg)719 static int server_sni_callback(SSL *ssl, int *alert, void *arg)
720 {
721 SSL_CTX *sni_ctx = (SSL_CTX *) arg;
722 TLS_SESS_STATE *TLScontext = SSL_get_ex_data(ssl, TLScontext_index);
723 const char *sni = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
724 const char *cp = sni;
725 const char *pem;
726
727 /* SNI is silently ignored when we don't care or is NULL or empty */
728 if (!sni_ctx || !tls_server_sni_maps || !sni || !*sni)
729 return SSL_TLSEXT_ERR_NOACK;
730
731 if (!valid_hostname(sni, DONT_GRIPE)) {
732 msg_warn("TLS SNI from %s is invalid: %s",
733 TLScontext->namaddr, sni);
734 return SSL_TLSEXT_ERR_NOACK;
735 }
736
737 /*
738 * With TLS 1.3, when the client's proposed key share is not supported by
739 * the server, the server may issue a HelloRetryRequest (HRR), and the
740 * client will then retry with a new key share on a curve supported by
741 * the server. This results in the SNI callback running twice for the
742 * same connection.
743 *
744 * When that happens, The client MUST send the essentially the same hello
745 * message, including the SNI name, and since we've already loaded our
746 * certificate chain, we don't need to do it again! Therefore, if we've
747 * already recorded the peer SNI name, just check that it has not
748 * changed, and return success.
749 */
750 if (TLScontext->peer_sni) {
751 if (strcmp(sni, TLScontext->peer_sni) == 0)
752 return SSL_TLSEXT_ERR_OK;
753 msg_warn("TLS SNI changed from %s initially %s, %s after hello retry",
754 TLScontext->namaddr, TLScontext->peer_sni, sni);
755 return SSL_TLSEXT_ERR_NOACK;
756 }
757 do {
758 /* Don't silently skip maps opened with the wrong flags. */
759 pem = maps_file_find(tls_server_sni_maps, cp, 0);
760 } while (!pem
761 && !tls_server_sni_maps->error
762 && (cp = strchr(cp + 1, '.')) != 0);
763
764 if (!pem) {
765 if (tls_server_sni_maps->error) {
766 msg_warn("%s: %s map lookup problem",
767 tls_server_sni_maps->title, sni);
768 *alert = SSL_AD_INTERNAL_ERROR;
769 return SSL_TLSEXT_ERR_ALERT_FATAL;
770 }
771 msg_info("TLS SNI %s from %s not matched, using default chain",
772 sni, TLScontext->namaddr);
773
774 /*
775 * XXX: We could lie and pretend to accept the name, but since we've
776 * previously not implemented the callback (with OpenSSL then
777 * declining the extension), and nothing bad happened, declining it
778 * explicitly should be safe.
779 */
780 return SSL_TLSEXT_ERR_NOACK;
781 }
782 SSL_set_SSL_CTX(ssl, sni_ctx);
783 if (tls_load_pem_chain(ssl, pem, sni) != 0) {
784 /* errors already logged */
785 *alert = SSL_AD_INTERNAL_ERROR;
786 return SSL_TLSEXT_ERR_ALERT_FATAL;
787 }
788 TLScontext->peer_sni = mystrdup(sni);
789 return SSL_TLSEXT_ERR_OK;
790 }
791
792 /* tls_set_ciphers - Set SSL context cipher list */
793
tls_set_ciphers(TLS_SESS_STATE * TLScontext,const char * grade,const char * exclusions)794 const char *tls_set_ciphers(TLS_SESS_STATE *TLScontext, const char *grade,
795 const char *exclusions)
796 {
797 const char *myname = "tls_set_ciphers";
798 static VSTRING *buf;
799 char *save;
800 char *cp;
801 char *tok;
802
803 if (buf == 0)
804 buf = vstring_alloc(10);
805 VSTRING_RESET(buf);
806
807 switch (tls_cipher_grade(grade)) {
808 case TLS_CIPHER_NONE:
809 msg_warn("%s: invalid cipher grade: \"%s\"",
810 TLScontext->namaddr, grade);
811 return (0);
812 case TLS_CIPHER_HIGH:
813 vstring_strcpy(buf, var_tls_high_clist);
814 break;
815 case TLS_CIPHER_MEDIUM:
816 vstring_strcpy(buf, var_tls_medium_clist);
817 break;
818 case TLS_CIPHER_LOW:
819 vstring_strcpy(buf, var_tls_low_clist);
820 break;
821 case TLS_CIPHER_EXPORT:
822 vstring_strcpy(buf, var_tls_export_clist);
823 break;
824 case TLS_CIPHER_NULL:
825 vstring_strcpy(buf, var_tls_null_clist);
826 break;
827 default:
828 /* Internal error, valid grade, but missing case label. */
829 msg_panic("%s: unexpected cipher grade: %s", myname, grade);
830 }
831
832 /*
833 * The base lists for each grade can't be empty.
834 */
835 if (VSTRING_LEN(buf) == 0)
836 msg_panic("%s: empty \"%s\" cipherlist", myname, grade);
837
838 /*
839 * Apply locally-specified exclusions.
840 */
841 #define CIPHER_SEP CHARS_COMMA_SP ":"
842 if (exclusions != 0) {
843 cp = save = mystrdup(exclusions);
844 while ((tok = mystrtok(&cp, CIPHER_SEP)) != 0) {
845
846 /*
847 * Can't exclude ciphers that start with modifiers.
848 */
849 if (strchr("!+-@", *tok)) {
850 msg_warn("%s: invalid unary '!+-@' in cipher exclusion: %s",
851 TLScontext->namaddr, tok);
852 return (0);
853 }
854 vstring_sprintf_append(buf, ":!%s", tok);
855 }
856 myfree(save);
857 }
858 ERR_clear_error();
859 if (SSL_set_cipher_list(TLScontext->con, vstring_str(buf)) == 0) {
860 msg_warn("%s: error setting cipher grade: \"%s\"",
861 TLScontext->namaddr, grade);
862 tls_print_errors();
863 return (0);
864 }
865 return (vstring_str(buf));
866 }
867
868 /* ec_curve_name - copy EC key curve group name */
869
870 #ifndef OPENSSL_NO_EC
ec_curve_name(EVP_PKEY * pkey)871 static char *ec_curve_name(EVP_PKEY *pkey)
872 {
873 char *curve = 0;
874
875 #if OPENSSL_VERSION_PREREQ(3,0)
876 size_t namelen;
877
878 if (EVP_PKEY_get_group_name(pkey, 0, 0, &namelen)) {
879 curve = mymalloc(++namelen);
880 if (!EVP_PKEY_get_group_name(pkey, curve, namelen, 0)) {
881 myfree(curve);
882 curve = 0;
883 }
884 }
885 #else
886 EC_KEY *eckey = EVP_PKEY_get0_EC_KEY(pkey);
887 int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey));
888 const char *tmp = EC_curve_nid2nist(nid);
889
890 if (!tmp)
891 tmp = OBJ_nid2sn(nid);
892 if (tmp)
893 curve = mystrdup(tmp);
894 #endif
895 return (curve);
896 }
897
898 #endif
899
900 /* tls_get_signature_params - TLS 1.3 signature details */
901
tls_get_signature_params(TLS_SESS_STATE * TLScontext)902 void tls_get_signature_params(TLS_SESS_STATE *TLScontext)
903 {
904 const char *kex_name = 0;
905 const char *locl_sig_name = 0;
906 const char *locl_sig_dgst = 0;
907 const char *peer_sig_name = 0;
908 const char *peer_sig_dgst = 0;
909 char *kex_curve = 0;
910 char *locl_sig_curve = 0;
911 char *peer_sig_curve = 0;
912 int nid;
913 SSL *ssl = TLScontext->con;
914 int srvr = SSL_is_server(ssl);
915 EVP_PKEY *dh_pkey = 0;
916 X509 *local_cert;
917 EVP_PKEY *local_pkey = 0;
918 X509 *peer_cert;
919 EVP_PKEY *peer_pkey = 0;
920
921 #define SIG_PROP(c, s, p) (*((s) ? &c->srvr_sig_##p : &c->clnt_sig_##p))
922
923 if (SSL_version(ssl) < TLS1_3_VERSION)
924 return;
925
926 if (tls_get_peer_dh_pubkey(ssl, &dh_pkey)) {
927 switch (nid = EVP_PKEY_id(dh_pkey)) {
928 default:
929 kex_name = OBJ_nid2sn(EVP_PKEY_type(nid));
930 break;
931
932 case EVP_PKEY_DH:
933 kex_name = "DHE";
934 TLScontext->kex_bits = EVP_PKEY_bits(dh_pkey);
935 break;
936
937 #ifndef OPENSSL_NO_EC
938 case EVP_PKEY_EC:
939 kex_name = "ECDHE";
940 kex_curve = ec_curve_name(dh_pkey);
941 break;
942 #endif
943 }
944 EVP_PKEY_free(dh_pkey);
945 }
946
947 /*
948 * On the client end, the certificate may be preset, but not used, so we
949 * check via SSL_get_signature_nid(). This means that local signature
950 * data on clients requires at least 1.1.1a.
951 */
952 if (srvr || SSL_get_signature_nid(ssl, &nid))
953 local_cert = SSL_get_certificate(ssl);
954 else
955 local_cert = 0;
956
957 /* Signature algorithms for the local end of the connection */
958 if (local_cert) {
959 local_pkey = X509_get0_pubkey(local_cert);
960
961 /*
962 * Override the built-in name for the "ECDSA" algorithms OID, with
963 * the more familiar name. For "RSA" keys report "RSA-PSS", which
964 * must be used with TLS 1.3.
965 */
966 if ((nid = EVP_PKEY_type(EVP_PKEY_id(local_pkey))) != NID_undef) {
967 switch (nid) {
968 default:
969 locl_sig_name = OBJ_nid2sn(nid);
970 break;
971
972 case EVP_PKEY_RSA:
973 /* For RSA, TLS 1.3 mandates PSS signatures */
974 locl_sig_name = "RSA-PSS";
975 SIG_PROP(TLScontext, srvr, bits) = EVP_PKEY_bits(local_pkey);
976 break;
977
978 #ifndef OPENSSL_NO_EC
979 case EVP_PKEY_EC:
980 locl_sig_name = "ECDSA";
981 locl_sig_curve = ec_curve_name(local_pkey);
982 break;
983 #endif
984 }
985 /* No X509_free(local_cert) */
986 }
987
988 /*
989 * With Ed25519 and Ed448 there is no pre-signature digest, but the
990 * accessor does not fail, rather we get NID_undef.
991 */
992 if (SSL_get_signature_nid(ssl, &nid) && nid != NID_undef)
993 locl_sig_dgst = OBJ_nid2sn(nid);
994 }
995 /* Signature algorithms for the peer end of the connection */
996 if ((peer_cert = TLS_PEEK_PEER_CERT(ssl)) != 0) {
997 peer_pkey = X509_get0_pubkey(peer_cert);
998
999 /*
1000 * Override the built-in name for the "ECDSA" algorithms OID, with
1001 * the more familiar name. For "RSA" keys report "RSA-PSS", which
1002 * must be used with TLS 1.3.
1003 */
1004 if ((nid = EVP_PKEY_type(EVP_PKEY_id(peer_pkey))) != NID_undef) {
1005 switch (nid) {
1006 default:
1007 peer_sig_name = OBJ_nid2sn(nid);
1008 break;
1009
1010 case EVP_PKEY_RSA:
1011 /* For RSA, TLS 1.3 mandates PSS signatures */
1012 peer_sig_name = "RSA-PSS";
1013 SIG_PROP(TLScontext, !srvr, bits) = EVP_PKEY_bits(peer_pkey);
1014 break;
1015
1016 #ifndef OPENSSL_NO_EC
1017 case EVP_PKEY_EC:
1018 peer_sig_name = "ECDSA";
1019 peer_sig_curve = ec_curve_name(peer_pkey);
1020 break;
1021 #endif
1022 }
1023 }
1024
1025 /*
1026 * With Ed25519 and Ed448 there is no pre-signature digest, but the
1027 * accessor does not fail, rather we get NID_undef.
1028 */
1029 if (SSL_get_peer_signature_nid(ssl, &nid) && nid != NID_undef)
1030 peer_sig_dgst = OBJ_nid2sn(nid);
1031
1032 TLS_FREE_PEER_CERT(peer_cert);
1033 }
1034 if (kex_name) {
1035 TLScontext->kex_name = mystrdup(kex_name);
1036 TLScontext->kex_curve = kex_curve;
1037 }
1038 if (locl_sig_name) {
1039 SIG_PROP(TLScontext, srvr, name) = mystrdup(locl_sig_name);
1040 SIG_PROP(TLScontext, srvr, curve) = locl_sig_curve;
1041 if (locl_sig_dgst)
1042 SIG_PROP(TLScontext, srvr, dgst) = mystrdup(locl_sig_dgst);
1043 }
1044 if (peer_sig_name) {
1045 SIG_PROP(TLScontext, !srvr, name) = mystrdup(peer_sig_name);
1046 SIG_PROP(TLScontext, !srvr, curve) = peer_sig_curve;
1047 if (peer_sig_dgst)
1048 SIG_PROP(TLScontext, !srvr, dgst) = mystrdup(peer_sig_dgst);
1049 }
1050 }
1051
1052 /* tls_log_summary - TLS loglevel 1 one-liner, embellished with TLS 1.3 details */
1053
tls_log_summary(TLS_ROLE role,TLS_USAGE usage,TLS_SESS_STATE * ctx)1054 void tls_log_summary(TLS_ROLE role, TLS_USAGE usage, TLS_SESS_STATE *ctx)
1055 {
1056 VSTRING *msg = vstring_alloc(100);
1057 const char *direction = (role == TLS_ROLE_CLIENT) ? "to" : "from";
1058 const char *sni = (role == TLS_ROLE_CLIENT) ? 0 : ctx->peer_sni;
1059
1060 /*
1061 * When SNI was sent and accepted, the server-side log message now
1062 * includes a "to <sni-name>" detail after the "from <namaddr>" detail
1063 * identifying the remote client. We don't presently log (purportedly)
1064 * accepted SNI on the client side.
1065 */
1066 vstring_sprintf(msg, "%s TLS connection %s %s %s%s%s: %s"
1067 " with cipher %s (%d/%d bits)",
1068 !TLS_CERT_IS_PRESENT(ctx) ? "Anonymous" :
1069 TLS_CERT_IS_SECURED(ctx) ? "Verified" :
1070 TLS_CERT_IS_TRUSTED(ctx) ? "Trusted" : "Untrusted",
1071 usage == TLS_USAGE_NEW ? "established" : "reused",
1072 direction, ctx->namaddr, sni ? " to " : "", sni ? sni : "",
1073 ctx->protocol, ctx->cipher_name, ctx->cipher_usebits,
1074 ctx->cipher_algbits);
1075
1076 if (ctx->kex_name && *ctx->kex_name) {
1077 vstring_sprintf_append(msg, " key-exchange %s", ctx->kex_name);
1078 if (ctx->kex_curve && *ctx->kex_curve)
1079 vstring_sprintf_append(msg, " (%s)", ctx->kex_curve);
1080 else if (ctx->kex_bits > 0)
1081 vstring_sprintf_append(msg, " (%d bits)", ctx->kex_bits);
1082 }
1083 if (ctx->srvr_sig_name && *ctx->srvr_sig_name) {
1084 vstring_sprintf_append(msg, " server-signature %s",
1085 ctx->srvr_sig_name);
1086 if (ctx->srvr_sig_curve && *ctx->srvr_sig_curve)
1087 vstring_sprintf_append(msg, " (%s)", ctx->srvr_sig_curve);
1088 else if (ctx->srvr_sig_bits > 0)
1089 vstring_sprintf_append(msg, " (%d bits)", ctx->srvr_sig_bits);
1090 if (ctx->srvr_sig_dgst && *ctx->srvr_sig_dgst)
1091 vstring_sprintf_append(msg, " server-digest %s",
1092 ctx->srvr_sig_dgst);
1093 }
1094 if (ctx->clnt_sig_name && *ctx->clnt_sig_name) {
1095 vstring_sprintf_append(msg, " client-signature %s",
1096 ctx->clnt_sig_name);
1097 if (ctx->clnt_sig_curve && *ctx->clnt_sig_curve)
1098 vstring_sprintf_append(msg, " (%s)", ctx->clnt_sig_curve);
1099 else if (ctx->clnt_sig_bits > 0)
1100 vstring_sprintf_append(msg, " (%d bits)", ctx->clnt_sig_bits);
1101 if (ctx->clnt_sig_dgst && *ctx->clnt_sig_dgst)
1102 vstring_sprintf_append(msg, " client-digest %s",
1103 ctx->clnt_sig_dgst);
1104 }
1105 msg_info("%s", vstring_str(msg));
1106 vstring_free(msg);
1107 }
1108
1109 /* tls_alloc_app_context - allocate TLS application context */
1110
tls_alloc_app_context(SSL_CTX * ssl_ctx,SSL_CTX * sni_ctx,int log_mask)1111 TLS_APPL_STATE *tls_alloc_app_context(SSL_CTX *ssl_ctx, SSL_CTX *sni_ctx,
1112 int log_mask)
1113 {
1114 TLS_APPL_STATE *app_ctx;
1115
1116 app_ctx = (TLS_APPL_STATE *) mymalloc(sizeof(*app_ctx));
1117
1118 /* See portability note below with other memset() call. */
1119 memset((void *) app_ctx, 0, sizeof(*app_ctx));
1120 app_ctx->ssl_ctx = ssl_ctx;
1121 app_ctx->sni_ctx = sni_ctx;
1122 app_ctx->log_mask = log_mask;
1123
1124 /* See also: cache purging code in tls_set_ciphers(). */
1125 app_ctx->cache_type = 0;
1126
1127 if (tls_server_sni_maps) {
1128 SSL_CTX_set_tlsext_servername_callback(ssl_ctx, server_sni_callback);
1129 SSL_CTX_set_tlsext_servername_arg(ssl_ctx, (void *) sni_ctx);
1130 }
1131 return (app_ctx);
1132 }
1133
1134 /* tls_free_app_context - Free TLS application context */
1135
tls_free_app_context(TLS_APPL_STATE * app_ctx)1136 void tls_free_app_context(TLS_APPL_STATE *app_ctx)
1137 {
1138 if (app_ctx->ssl_ctx)
1139 SSL_CTX_free(app_ctx->ssl_ctx);
1140 if (app_ctx->sni_ctx)
1141 SSL_CTX_free(app_ctx->sni_ctx);
1142 if (app_ctx->cache_type)
1143 myfree(app_ctx->cache_type);
1144 myfree((void *) app_ctx);
1145 }
1146
1147 /* tls_alloc_sess_context - allocate TLS session context */
1148
tls_alloc_sess_context(int log_mask,const char * namaddr)1149 TLS_SESS_STATE *tls_alloc_sess_context(int log_mask, const char *namaddr)
1150 {
1151 TLS_SESS_STATE *TLScontext;
1152
1153 /*
1154 * PORTABILITY: Do not assume that null pointers are all-zero bits. Use
1155 * explicit assignments to initialize pointers.
1156 *
1157 * See the C language FAQ item 5.17, or if you have time to burn,
1158 * http://www.google.com/search?q=zero+bit+null+pointer
1159 *
1160 * However, it's OK to use memset() to zero integer values.
1161 */
1162 TLScontext = (TLS_SESS_STATE *) mymalloc(sizeof(TLS_SESS_STATE));
1163 memset((void *) TLScontext, 0, sizeof(*TLScontext));
1164 TLScontext->con = 0;
1165 TLScontext->cache_type = 0;
1166 TLScontext->serverid = 0;
1167 TLScontext->peer_CN = 0;
1168 TLScontext->issuer_CN = 0;
1169 TLScontext->peer_sni = 0;
1170 TLScontext->peer_cert_fprint = 0;
1171 TLScontext->peer_pkey_fprint = 0;
1172 TLScontext->protocol = 0;
1173 TLScontext->cipher_name = 0;
1174 TLScontext->kex_name = 0;
1175 TLScontext->kex_curve = 0;
1176 TLScontext->clnt_sig_name = 0;
1177 TLScontext->clnt_sig_curve = 0;
1178 TLScontext->clnt_sig_dgst = 0;
1179 TLScontext->srvr_sig_name = 0;
1180 TLScontext->srvr_sig_curve = 0;
1181 TLScontext->srvr_sig_dgst = 0;
1182 TLScontext->log_mask = log_mask;
1183 TLScontext->namaddr = lowercase(mystrdup(namaddr));
1184 TLScontext->mdalg = 0; /* Alias for props->mdalg */
1185 TLScontext->dane = 0; /* Alias for props->dane */
1186 TLScontext->errordepth = -1;
1187 TLScontext->errorcode = X509_V_OK;
1188 TLScontext->errorcert = 0;
1189
1190 return (TLScontext);
1191 }
1192
1193 /* tls_free_context - deallocate TLScontext and members */
1194
tls_free_context(TLS_SESS_STATE * TLScontext)1195 void tls_free_context(TLS_SESS_STATE *TLScontext)
1196 {
1197
1198 /*
1199 * Free the SSL structure and the BIOs. Warning: the internal_bio is
1200 * connected to the SSL structure and is automatically freed with it. Do
1201 * not free it again (core dump)!! Only free the network_bio.
1202 */
1203 if (TLScontext->con != 0)
1204 SSL_free(TLScontext->con);
1205
1206 if (TLScontext->namaddr)
1207 myfree(TLScontext->namaddr);
1208 if (TLScontext->serverid)
1209 myfree(TLScontext->serverid);
1210
1211 if (TLScontext->peer_CN)
1212 myfree(TLScontext->peer_CN);
1213 if (TLScontext->issuer_CN)
1214 myfree(TLScontext->issuer_CN);
1215 if (TLScontext->peer_sni)
1216 myfree(TLScontext->peer_sni);
1217 if (TLScontext->peer_cert_fprint)
1218 myfree(TLScontext->peer_cert_fprint);
1219 if (TLScontext->peer_pkey_fprint)
1220 myfree(TLScontext->peer_pkey_fprint);
1221 if (TLScontext->kex_name)
1222 myfree((void *) TLScontext->kex_name);
1223 if (TLScontext->kex_curve)
1224 myfree((void *) TLScontext->kex_curve);
1225 if (TLScontext->clnt_sig_name)
1226 myfree((void *) TLScontext->clnt_sig_name);
1227 if (TLScontext->clnt_sig_curve)
1228 myfree((void *) TLScontext->clnt_sig_curve);
1229 if (TLScontext->clnt_sig_dgst)
1230 myfree((void *) TLScontext->clnt_sig_dgst);
1231 if (TLScontext->srvr_sig_name)
1232 myfree((void *) TLScontext->srvr_sig_name);
1233 if (TLScontext->srvr_sig_curve)
1234 myfree((void *) TLScontext->srvr_sig_curve);
1235 if (TLScontext->srvr_sig_dgst)
1236 myfree((void *) TLScontext->srvr_sig_dgst);
1237 if (TLScontext->errorcert)
1238 X509_free(TLScontext->errorcert);
1239
1240 myfree((void *) TLScontext);
1241 }
1242
1243 /* tls_version_split - Split OpenSSL version number into major, minor, ... */
1244
tls_version_split(unsigned long version,TLS_VINFO * info)1245 static void tls_version_split(unsigned long version, TLS_VINFO *info)
1246 {
1247
1248 /*
1249 * OPENSSL_VERSION_NUMBER(3):
1250 *
1251 * OPENSSL_VERSION_NUMBER is a numeric release version identifier:
1252 *
1253 * MMNNFFPPS: major minor fix patch status
1254 *
1255 * The status nibble has one of the values 0 for development, 1 to e for
1256 * betas 1 to 14, and f for release. Parsed OpenSSL version number. for
1257 * example: 0x1010103f == 1.1.1c.
1258 */
1259 info->status = version & 0xf;
1260 version >>= 4;
1261 info->patch = version & 0xff;
1262 version >>= 8;
1263 info->micro = version & 0xff;
1264 version >>= 8;
1265 info->minor = version & 0xff;
1266 version >>= 8;
1267 info->major = version & 0xff;
1268 }
1269
1270 /* tls_check_version - Detect mismatch between headers and library. */
1271
tls_check_version(void)1272 void tls_check_version(void)
1273 {
1274 TLS_VINFO hdr_info;
1275 TLS_VINFO lib_info;
1276
1277 tls_version_split(OPENSSL_VERSION_NUMBER, &hdr_info);
1278 tls_version_split(OpenSSL_version_num(), &lib_info);
1279
1280 /*
1281 * Warn if run-time library is different from compile-time library,
1282 * allowing later run-time "micro" versions starting with 1.1.0.
1283 */
1284 if (lib_info.major != hdr_info.major
1285 || lib_info.minor != hdr_info.minor
1286 || (lib_info.micro != hdr_info.micro
1287 && (lib_info.micro < hdr_info.micro
1288 || hdr_info.major == 0
1289 || (hdr_info.major == 1 && hdr_info.minor == 0))))
1290 msg_warn("run-time library vs. compile-time header version mismatch: "
1291 "OpenSSL %d.%d.%d may not be compatible with OpenSSL %d.%d.%d",
1292 lib_info.major, lib_info.minor, lib_info.micro,
1293 hdr_info.major, hdr_info.minor, hdr_info.micro);
1294 }
1295
1296 /* tls_compile_version - compile-time OpenSSL version */
1297
tls_compile_version(void)1298 const char *tls_compile_version(void)
1299 {
1300 return (OPENSSL_VERSION_TEXT);
1301 }
1302
1303 /* tls_run_version - run-time version "major.minor.micro" */
1304
tls_run_version(void)1305 const char *tls_run_version(void)
1306 {
1307 return (OpenSSL_version(OPENSSL_VERSION));
1308 }
1309
tls_pkey_algorithms(void)1310 const char **tls_pkey_algorithms(void)
1311 {
1312
1313 /*
1314 * Return an array, not string, so that the result can be inspected
1315 * without parsing. Sort the result alphabetically, not chronologically.
1316 */
1317 static const char *algs[] = {
1318 #ifndef OPENSSL_NO_DSA
1319 "dsa",
1320 #endif
1321 #ifndef OPENSSL_NO_ECDSA
1322 "ecdsa",
1323 #endif
1324 #ifndef OPENSSL_NO_RSA
1325 "rsa",
1326 #endif
1327 0,
1328 };
1329
1330 return (algs);
1331 }
1332
1333 /* tls_bug_bits - SSL bug compatibility bits for this OpenSSL version */
1334
tls_bug_bits(void)1335 long tls_bug_bits(void)
1336 {
1337 long bits = SSL_OP_ALL; /* Work around all known bugs */
1338
1339 /*
1340 * Silently ignore any strings that don't appear in the tweaks table, or
1341 * hex bits that are not in SSL_OP_ALL.
1342 */
1343 if (*var_tls_bug_tweaks) {
1344 bits &= ~long_name_mask_opt(VAR_TLS_BUG_TWEAKS, ssl_bug_tweaks,
1345 var_tls_bug_tweaks, NAME_MASK_ANY_CASE |
1346 NAME_MASK_NUMBER | NAME_MASK_WARN);
1347 #ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
1348 /* Not relevant to SMTP */
1349 bits &= ~SSL_OP_SAFARI_ECDHE_ECDSA_BUG;
1350 #endif
1351 }
1352
1353 /*
1354 * Allow users to set options not in SSL_OP_ALL, and not already managed
1355 * via other Postfix parameters.
1356 */
1357 if (*var_tls_ssl_options) {
1358 long enable;
1359
1360 enable = long_name_mask_opt(VAR_TLS_SSL_OPTIONS, ssl_op_tweaks,
1361 var_tls_ssl_options, NAME_MASK_ANY_CASE |
1362 NAME_MASK_NUMBER | NAME_MASK_WARN);
1363 enable &= ~(SSL_OP_ALL | TLS_SSL_OP_MANAGED_BITS);
1364 bits |= enable;
1365 }
1366
1367 /*
1368 * We unconditionally avoid re-use of ephemeral keys, note that we set DH
1369 * keys via a callback, so reuse was never possible, but the ECDH key is
1370 * set statically, so that is potentially subject to reuse. Set both
1371 * options just in case.
1372 */
1373 bits |= SSL_OP_SINGLE_ECDH_USE | SSL_OP_SINGLE_DH_USE;
1374 return (bits);
1375 }
1376
1377 /* tls_print_errors - print and clear the error stack */
1378
tls_print_errors(void)1379 void tls_print_errors(void)
1380 {
1381 unsigned long err;
1382 char buffer[1024]; /* XXX */
1383 const char *file;
1384 const char *data;
1385 int line;
1386 int flags;
1387
1388 #if OPENSSL_VERSION_PREREQ(3,0)
1389 /* XXX: We're ignoring the function name, do we want to log it? */
1390 #define ERRGET(fi, l, d, fl) ERR_get_error_all(fi, l, 0, d, fl)
1391 #else
1392 #define ERRGET(fi, l, d, fl) ERR_get_error_line_data(fi, l, d, fl)
1393 #endif
1394
1395 while ((err = ERRGET(&file, &line, &data, &flags)) != 0) {
1396 ERR_error_string_n(err, buffer, sizeof(buffer));
1397 if (flags & ERR_TXT_STRING)
1398 msg_warn("TLS library problem: %s:%s:%d:%s:",
1399 buffer, file, line, data);
1400 else
1401 msg_warn("TLS library problem: %s:%s:%d:", buffer, file, line);
1402 }
1403 }
1404
1405 /* tls_info_callback - callback for logging SSL events via Postfix */
1406
tls_info_callback(const SSL * s,int where,int ret)1407 void tls_info_callback(const SSL *s, int where, int ret)
1408 {
1409 char *str;
1410 int w;
1411
1412 /* Adapted from OpenSSL apps/s_cb.c. */
1413
1414 w = where & ~SSL_ST_MASK;
1415
1416 if (w & SSL_ST_CONNECT)
1417 str = "SSL_connect";
1418 else if (w & SSL_ST_ACCEPT)
1419 str = "SSL_accept";
1420 else
1421 str = "unknown";
1422
1423 if (where & SSL_CB_LOOP) {
1424 msg_info("%s:%s", str, SSL_state_string_long((SSL *) s));
1425 } else if (where & SSL_CB_ALERT) {
1426 str = (where & SSL_CB_READ) ? "read" : "write";
1427 if ((ret & 0xff) != SSL3_AD_CLOSE_NOTIFY)
1428 msg_info("SSL3 alert %s:%s:%s", str,
1429 SSL_alert_type_string_long(ret),
1430 SSL_alert_desc_string_long(ret));
1431 } else if (where & SSL_CB_EXIT) {
1432 if (ret == 0)
1433 msg_info("%s:failed in %s",
1434 str, SSL_state_string_long((SSL *) s));
1435 else if (ret < 0) {
1436 #ifndef LOG_NON_ERROR_STATES
1437 switch (SSL_get_error((SSL *) s, ret)) {
1438 case SSL_ERROR_WANT_READ:
1439 case SSL_ERROR_WANT_WRITE:
1440 /* Don't log non-error states. */
1441 break;
1442 default:
1443 #endif
1444 msg_info("%s:error in %s",
1445 str, SSL_state_string_long((SSL *) s));
1446 #ifndef LOG_NON_ERROR_STATES
1447 }
1448 #endif
1449 }
1450 }
1451 }
1452
1453 /*
1454 * taken from OpenSSL crypto/bio/b_dump.c.
1455 *
1456 * Modified to save a lot of strcpy and strcat by Matti Aarnio.
1457 *
1458 * Rewritten by Wietse to eliminate fixed-size stack buffer, array index
1459 * multiplication and division, sprintf() and strcpy(), and lots of strlen()
1460 * calls. We could make it a little faster by using a fixed-size stack-based
1461 * buffer.
1462 *
1463 * 200412 - use %lx to print pointers, after casting them to unsigned long.
1464 */
1465
1466 #define TRUNCATE_SPACE_NULL
1467 #define DUMP_WIDTH 16
1468 #define VERT_SPLIT 7
1469
tls_dump_buffer(const unsigned char * start,int len)1470 static void tls_dump_buffer(const unsigned char *start, int len)
1471 {
1472 VSTRING *buf = vstring_alloc(100);
1473 const unsigned char *last = start + len - 1;
1474 const unsigned char *row;
1475 const unsigned char *col;
1476 int ch;
1477
1478 #ifdef TRUNCATE_SPACE_NULL
1479 while (last >= start && (*last == ' ' || *last == 0))
1480 last--;
1481 #endif
1482
1483 for (row = start; row <= last; row += DUMP_WIDTH) {
1484 VSTRING_RESET(buf);
1485 vstring_sprintf(buf, "%04lx ", (unsigned long) (row - start));
1486 for (col = row; col < row + DUMP_WIDTH; col++) {
1487 if (col > last) {
1488 vstring_strcat(buf, " ");
1489 } else {
1490 ch = *col;
1491 vstring_sprintf_append(buf, "%02x%c",
1492 ch, col - row == VERT_SPLIT ? '|' : ' ');
1493 }
1494 }
1495 VSTRING_ADDCH(buf, ' ');
1496 for (col = row; col < row + DUMP_WIDTH; col++) {
1497 if (col > last)
1498 break;
1499 ch = *col;
1500 if (!ISPRINT(ch))
1501 ch = '.';
1502 VSTRING_ADDCH(buf, ch);
1503 if (col - row == VERT_SPLIT)
1504 VSTRING_ADDCH(buf, ' ');
1505 }
1506 VSTRING_TERMINATE(buf);
1507 msg_info("%s", vstring_str(buf));
1508 }
1509 #ifdef TRUNCATE_SPACE_NULL
1510 if ((last + 1) - start < len)
1511 msg_info("%04lx - <SPACES/NULLS>",
1512 (unsigned long) ((last + 1) - start));
1513 #endif
1514 vstring_free(buf);
1515 }
1516
1517 /* taken from OpenSSL apps/s_cb.c */
1518
1519 #if !OPENSSL_VERSION_PREREQ(3,0)
tls_bio_dump_cb(BIO * bio,int cmd,const char * argp,int argi,long unused_argl,long ret)1520 long tls_bio_dump_cb(BIO *bio, int cmd, const char *argp, int argi,
1521 long unused_argl, long ret)
1522 {
1523 if (cmd == (BIO_CB_READ | BIO_CB_RETURN)) {
1524 msg_info("read from %08lX [%08lX] (%d bytes => %ld (0x%lX))",
1525 (unsigned long) bio, (unsigned long) argp, argi,
1526 ret, (unsigned long) ret);
1527 tls_dump_buffer((unsigned char *) argp, (int) ret);
1528 } else if (cmd == (BIO_CB_WRITE | BIO_CB_RETURN)) {
1529 msg_info("write to %08lX [%08lX] (%d bytes => %ld (0x%lX))",
1530 (unsigned long) bio, (unsigned long) argp, argi,
1531 ret, (unsigned long) ret);
1532 tls_dump_buffer((unsigned char *) argp, (int) ret);
1533 }
1534 return (ret);
1535 }
1536
1537 #else
tls_bio_dump_cb(BIO * bio,int cmd,const char * argp,size_t len,int argi,long unused_argl,int ret,size_t * processed)1538 long tls_bio_dump_cb(BIO *bio, int cmd, const char *argp, size_t len,
1539 int argi, long unused_argl, int ret, size_t *processed)
1540 {
1541 size_t bytes = (ret > 0 && processed != NULL) ? *processed : len;
1542
1543 if (cmd == (BIO_CB_READ | BIO_CB_RETURN)) {
1544 if (ret > 0) {
1545 msg_info("read from %08lX [%08lX] (%ld bytes => %ld (0x%lX))",
1546 (unsigned long) bio, (unsigned long) argp, (long) len,
1547 (long) bytes, (long) bytes);
1548 tls_dump_buffer((unsigned char *) argp, (int) bytes);
1549 } else {
1550 msg_info("read from %08lX [%08lX] (%ld bytes => %d)",
1551 (unsigned long) bio, (unsigned long) argp,
1552 (long) len, ret);
1553 }
1554 } else if (cmd == (BIO_CB_WRITE | BIO_CB_RETURN)) {
1555 if (ret > 0) {
1556 msg_info("write to %08lX [%08lX] (%ld bytes => %ld (0x%lX))",
1557 (unsigned long) bio, (unsigned long) argp, (long) len,
1558 (long) bytes, (long) bytes);
1559 tls_dump_buffer((unsigned char *) argp, (int) bytes);
1560 } else {
1561 msg_info("write to %08lX [%08lX] (%ld bytes => %d)",
1562 (unsigned long) bio, (unsigned long) argp,
1563 (long) len, ret);
1564 }
1565 }
1566 return ret;
1567 }
1568
1569 #endif
1570
tls_validate_digest(const char * dgst)1571 const EVP_MD *tls_validate_digest(const char *dgst)
1572 {
1573 const EVP_MD *md_alg;
1574 unsigned int md_len;
1575
1576 /*
1577 * If the administrator specifies an unsupported digest algorithm, fail
1578 * now, rather than in the middle of a TLS handshake.
1579 */
1580 if ((md_alg = EVP_get_digestbyname(dgst)) == 0) {
1581 msg_warn("Digest algorithm \"%s\" not found", dgst);
1582 return (0);
1583 }
1584
1585 /*
1586 * Sanity check: Newer shared libraries may use larger digests.
1587 */
1588 if ((md_len = EVP_MD_size(md_alg)) > EVP_MAX_MD_SIZE) {
1589 msg_warn("Digest algorithm \"%s\" output size %u too large",
1590 dgst, md_len);
1591 return (0);
1592 }
1593 return md_alg;
1594 }
1595
1596 #else
1597
1598 /*
1599 * Broken linker workaround.
1600 */
1601 int tls_dummy_for_broken_linkers;
1602
1603 #endif
1604