1*fb52cf35Schristos /* $NetBSD: tls_server.c,v 1.11 2022/10/08 16:12:50 christos Exp $ */
241fbaed0Stron
341fbaed0Stron /*++
441fbaed0Stron /* NAME
541fbaed0Stron /* tls_server 3
641fbaed0Stron /* SUMMARY
741fbaed0Stron /* server-side TLS engine
841fbaed0Stron /* SYNOPSIS
941fbaed0Stron /* #include <tls.h>
1041fbaed0Stron /*
1141fbaed0Stron /* TLS_APPL_STATE *tls_server_init(props)
1241fbaed0Stron /* const TLS_SERVER_INIT_PROPS *props;
1341fbaed0Stron /*
1441fbaed0Stron /* TLS_SESS_STATE *tls_server_start(props)
1541fbaed0Stron /* const TLS_SERVER_START_PROPS *props;
1641fbaed0Stron /*
177a77eabbStron /* TLS_SESS_STATE *tls_server_post_accept(TLScontext)
187a77eabbStron /* TLS_SESS_STATE *TLScontext;
197a77eabbStron /*
2041fbaed0Stron /* void tls_server_stop(app_ctx, stream, failure, TLScontext)
2141fbaed0Stron /* TLS_APPL_STATE *app_ctx;
2241fbaed0Stron /* VSTREAM *stream;
2341fbaed0Stron /* int failure;
2441fbaed0Stron /* TLS_SESS_STATE *TLScontext;
2541fbaed0Stron /* DESCRIPTION
2641fbaed0Stron /* This module is the interface between Postfix TLS servers,
2741fbaed0Stron /* the OpenSSL library, and the TLS entropy and cache manager.
2841fbaed0Stron /*
297a77eabbStron /* See "EVENT_DRIVEN APPLICATIONS" below for using this code
307a77eabbStron /* in event-driven programs.
317a77eabbStron /*
3241fbaed0Stron /* tls_server_init() is called once when the SMTP server
3341fbaed0Stron /* initializes.
3441fbaed0Stron /* Certificate details are also decided during this phase,
3541fbaed0Stron /* so that peer-specific behavior is not possible.
3641fbaed0Stron /*
3741fbaed0Stron /* tls_server_start() activates the TLS feature for the VSTREAM
3841fbaed0Stron /* passed as argument. We assume that network buffers are flushed
3941fbaed0Stron /* and the TLS handshake can begin immediately.
4041fbaed0Stron /*
4141fbaed0Stron /* tls_server_stop() sends the "close notify" alert via
4241fbaed0Stron /* SSL_shutdown() to the peer and resets all connection specific
4341fbaed0Stron /* TLS data. As RFC2487 does not specify a separate shutdown, it
4441fbaed0Stron /* is assumed that the underlying TCP connection is shut down
4541fbaed0Stron /* immediately afterwards. Any further writes to the channel will
4641fbaed0Stron /* be discarded, and any further reads will report end-of-file.
4741fbaed0Stron /* If the failure flag is set, no SSL_shutdown() handshake is performed.
4841fbaed0Stron /*
4941fbaed0Stron /* Once the TLS connection is initiated, information about the TLS
5041fbaed0Stron /* state is available via the TLScontext structure:
5141fbaed0Stron /* .IP TLScontext->protocol
5241fbaed0Stron /* the protocol name (SSLv2, SSLv3, TLSv1),
5341fbaed0Stron /* .IP TLScontext->cipher_name
5441fbaed0Stron /* the cipher name (e.g. RC4/MD5),
5541fbaed0Stron /* .IP TLScontext->cipher_usebits
5641fbaed0Stron /* the number of bits actually used (e.g. 40),
5741fbaed0Stron /* .IP TLScontext->cipher_algbits
5841fbaed0Stron /* the number of bits the algorithm is based on (e.g. 128).
5941fbaed0Stron /* .PP
6041fbaed0Stron /* The last two values may differ from each other when export-strength
6141fbaed0Stron /* encryption is used.
6241fbaed0Stron /*
6341fbaed0Stron /* If the peer offered a certificate, part of the certificate data are
6441fbaed0Stron /* available as:
6541fbaed0Stron /* .IP TLScontext->peer_status
6641fbaed0Stron /* A bitmask field that records the status of the peer certificate
6741fbaed0Stron /* verification. One or more of TLS_CERT_FLAG_PRESENT and
6841fbaed0Stron /* TLS_CERT_FLAG_TRUSTED.
6941fbaed0Stron /* .IP TLScontext->peer_CN
7041fbaed0Stron /* Extracted CommonName of the peer, or zero-length string
7141fbaed0Stron /* when information could not be extracted.
7241fbaed0Stron /* .IP TLScontext->issuer_CN
7341fbaed0Stron /* Extracted CommonName of the issuer, or zero-length string
7441fbaed0Stron /* when information could not be extracted.
7560738c95Stron /* .IP TLScontext->peer_cert_fprint
7641fbaed0Stron /* Fingerprint of the certificate, or zero-length string when no peer
7741fbaed0Stron /* certificate is available.
7841fbaed0Stron /* .PP
7941fbaed0Stron /* If no peer certificate is presented the peer_status is set to 0.
807a77eabbStron /* EVENT_DRIVEN APPLICATIONS
817a77eabbStron /* .ad
827a77eabbStron /* .fi
837a77eabbStron /* Event-driven programs manage multiple I/O channels. Such
847a77eabbStron /* programs cannot use the synchronous VSTREAM-over-TLS
857a77eabbStron /* implementation that the current TLS library provides,
867a77eabbStron /* including tls_server_stop() and the underlying tls_stream(3)
877a77eabbStron /* and tls_bio_ops(3) routines.
887a77eabbStron /*
897a77eabbStron /* With the current TLS library implementation, this means
907a77eabbStron /* that the application is responsible for calling and retrying
917a77eabbStron /* SSL_accept(), SSL_read(), SSL_write() and SSL_shutdown().
927a77eabbStron /*
937a77eabbStron /* To maintain control over TLS I/O, an event-driven server
947a77eabbStron /* invokes tls_server_start() with a null VSTREAM argument and
957a77eabbStron /* with an fd argument that specifies the I/O file descriptor.
967a77eabbStron /* Then, tls_server_start() performs all the necessary
977a77eabbStron /* preparations before the TLS handshake and returns a partially
987a77eabbStron /* populated TLS context. The event-driven application is then
997a77eabbStron /* responsible for invoking SSL_accept(), and if successful,
1007a77eabbStron /* for invoking tls_server_post_accept() to finish the work
1017a77eabbStron /* that was started by tls_server_start(). In case of unrecoverable
1027a77eabbStron /* failure, tls_server_post_accept() destroys the TLS context
1037a77eabbStron /* and returns a null pointer value.
10441fbaed0Stron /* LICENSE
10541fbaed0Stron /* .ad
10641fbaed0Stron /* .fi
10741fbaed0Stron /* This software is free. You can do with it whatever you want.
10841fbaed0Stron /* The original author kindly requests that you acknowledge
10941fbaed0Stron /* the use of his software.
11041fbaed0Stron /* AUTHOR(S)
11141fbaed0Stron /* Originally written by:
11241fbaed0Stron /* Lutz Jaenicke
11341fbaed0Stron /* BTU Cottbus
11441fbaed0Stron /* Allgemeine Elektrotechnik
11541fbaed0Stron /* Universitaetsplatz 3-4
11641fbaed0Stron /* D-03044 Cottbus, Germany
11741fbaed0Stron /*
11841fbaed0Stron /* Updated by:
11941fbaed0Stron /* Wietse Venema
12041fbaed0Stron /* IBM T.J. Watson Research
12141fbaed0Stron /* P.O. Box 704
12241fbaed0Stron /* Yorktown Heights, NY 10598, USA
12341fbaed0Stron /*
12441fbaed0Stron /* Victor Duchovni
12541fbaed0Stron /* Morgan Stanley
12641fbaed0Stron /*--*/
12741fbaed0Stron
12841fbaed0Stron /* System library. */
12941fbaed0Stron
13041fbaed0Stron #include <sys_defs.h>
13141fbaed0Stron
13241fbaed0Stron #ifdef USE_TLS
13341fbaed0Stron #include <unistd.h>
13441fbaed0Stron #include <string.h>
13541fbaed0Stron
13641fbaed0Stron /* Utility library. */
13741fbaed0Stron
13841fbaed0Stron #include <mymalloc.h>
13941fbaed0Stron #include <vstring.h>
14041fbaed0Stron #include <vstream.h>
14141fbaed0Stron #include <dict.h>
14241fbaed0Stron #include <stringops.h>
14341fbaed0Stron #include <msg.h>
14441fbaed0Stron #include <hex_code.h>
1457a77eabbStron #include <iostuff.h> /* non-blocking */
14641fbaed0Stron
14741fbaed0Stron /* Global library. */
14841fbaed0Stron
14941fbaed0Stron #include <mail_params.h>
15041fbaed0Stron
15141fbaed0Stron /* TLS library. */
15241fbaed0Stron
15341fbaed0Stron #include <tls_mgr.h>
15441fbaed0Stron #define TLS_INTERNAL
15541fbaed0Stron #include <tls.h>
156*fb52cf35Schristos #if OPENSSL_VERSION_PREREQ(3,0)
157*fb52cf35Schristos #include <openssl/core_names.h> /* EVP_MAC parameters */
158*fb52cf35Schristos #endif
15941fbaed0Stron
16041fbaed0Stron #define STR(x) vstring_str(x)
16141fbaed0Stron #define LEN(x) VSTRING_LEN(x)
16241fbaed0Stron
16341fbaed0Stron /* Application-specific. */
16441fbaed0Stron
16541fbaed0Stron /*
166*fb52cf35Schristos * The session_id_context identifies the service that created a session.
16741fbaed0Stron * This information is used to distinguish between multiple TLS-based
16841fbaed0Stron * servers running on the same server. We use the name of the mail system.
16941fbaed0Stron */
17041fbaed0Stron static const char server_session_id_context[] = "Postfix/TLS";
17141fbaed0Stron
17268e5c67bSchristos #define GET_SID(s, v, lptr) ((v) = SSL_SESSION_get_id((s), (lptr)))
17368e5c67bSchristos
17468e5c67bSchristos typedef const unsigned char *session_id_t;
17568e5c67bSchristos
17641fbaed0Stron /* get_server_session_cb - callback to retrieve session from server cache */
17741fbaed0Stron
get_server_session_cb(SSL * ssl,session_id_t session_id,int session_id_length,int * unused_copy)17868e5c67bSchristos static SSL_SESSION *get_server_session_cb(SSL *ssl, session_id_t session_id,
17941fbaed0Stron int session_id_length,
18041fbaed0Stron int *unused_copy)
18141fbaed0Stron {
18241fbaed0Stron const char *myname = "get_server_session_cb";
18341fbaed0Stron TLS_SESS_STATE *TLScontext;
18441fbaed0Stron VSTRING *cache_id;
18541fbaed0Stron VSTRING *session_data = vstring_alloc(2048);
18641fbaed0Stron SSL_SESSION *session = 0;
18741fbaed0Stron
18841fbaed0Stron if ((TLScontext = SSL_get_ex_data(ssl, TLScontext_index)) == 0)
18941fbaed0Stron msg_panic("%s: null TLScontext in session lookup callback", myname);
19041fbaed0Stron
19141fbaed0Stron #define GEN_CACHE_ID(buf, id, len, service) \
19241fbaed0Stron do { \
193e560aa14Stron buf = vstring_alloc(2 * (len + strlen(service))); \
19441fbaed0Stron hex_encode(buf, (char *) (id), (len)); \
19541fbaed0Stron vstring_sprintf_append(buf, "&s=%s", (service)); \
19668e5c67bSchristos vstring_sprintf_append(buf, "&l=%ld", (long) OpenSSL_version_num()); \
19741fbaed0Stron } while (0)
19841fbaed0Stron
19941fbaed0Stron
20041fbaed0Stron GEN_CACHE_ID(cache_id, session_id, session_id_length, TLScontext->serverid);
20141fbaed0Stron
20256c5febcStron if (TLScontext->log_mask & TLS_LOG_CACHE)
20341fbaed0Stron msg_info("%s: looking up session %s in %s cache", TLScontext->namaddr,
20441fbaed0Stron STR(cache_id), TLScontext->cache_type);
20541fbaed0Stron
20641fbaed0Stron /*
20741fbaed0Stron * Load the session from cache and decode it.
20841fbaed0Stron */
20941fbaed0Stron if (tls_mgr_lookup(TLScontext->cache_type, STR(cache_id),
21041fbaed0Stron session_data) == TLS_MGR_STAT_OK) {
21141fbaed0Stron session = tls_session_activate(STR(session_data), LEN(session_data));
21256c5febcStron if (session && (TLScontext->log_mask & TLS_LOG_CACHE))
21341fbaed0Stron msg_info("%s: reloaded session %s from %s cache",
21441fbaed0Stron TLScontext->namaddr, STR(cache_id),
21541fbaed0Stron TLScontext->cache_type);
21641fbaed0Stron }
21741fbaed0Stron
21841fbaed0Stron /*
21941fbaed0Stron * Clean up.
22041fbaed0Stron */
22141fbaed0Stron vstring_free(cache_id);
22241fbaed0Stron vstring_free(session_data);
22341fbaed0Stron
22441fbaed0Stron return (session);
22541fbaed0Stron }
22641fbaed0Stron
22741fbaed0Stron /* uncache_session - remove session from internal & external cache */
22841fbaed0Stron
uncache_session(SSL_CTX * ctx,TLS_SESS_STATE * TLScontext)22941fbaed0Stron static void uncache_session(SSL_CTX *ctx, TLS_SESS_STATE *TLScontext)
23041fbaed0Stron {
23141fbaed0Stron VSTRING *cache_id;
23241fbaed0Stron SSL_SESSION *session = SSL_get_session(TLScontext->con);
23368e5c67bSchristos const unsigned char *sid;
23468e5c67bSchristos unsigned int sid_length;
23541fbaed0Stron
23641fbaed0Stron SSL_CTX_remove_session(ctx, session);
23741fbaed0Stron
23841fbaed0Stron if (TLScontext->cache_type == 0)
23941fbaed0Stron return;
24041fbaed0Stron
24168e5c67bSchristos GET_SID(session, sid, &sid_length);
24268e5c67bSchristos GEN_CACHE_ID(cache_id, sid, sid_length, TLScontext->serverid);
24341fbaed0Stron
24456c5febcStron if (TLScontext->log_mask & TLS_LOG_CACHE)
24541fbaed0Stron msg_info("%s: remove session %s from %s cache", TLScontext->namaddr,
24641fbaed0Stron STR(cache_id), TLScontext->cache_type);
24741fbaed0Stron
24841fbaed0Stron tls_mgr_delete(TLScontext->cache_type, STR(cache_id));
24941fbaed0Stron vstring_free(cache_id);
25041fbaed0Stron }
25141fbaed0Stron
25241fbaed0Stron /* new_server_session_cb - callback to save session to server cache */
25341fbaed0Stron
new_server_session_cb(SSL * ssl,SSL_SESSION * session)25441fbaed0Stron static int new_server_session_cb(SSL *ssl, SSL_SESSION *session)
25541fbaed0Stron {
25641fbaed0Stron const char *myname = "new_server_session_cb";
25741fbaed0Stron VSTRING *cache_id;
25841fbaed0Stron TLS_SESS_STATE *TLScontext;
25941fbaed0Stron VSTRING *session_data;
26068e5c67bSchristos const unsigned char *sid;
26168e5c67bSchristos unsigned int sid_length;
26241fbaed0Stron
26341fbaed0Stron if ((TLScontext = SSL_get_ex_data(ssl, TLScontext_index)) == 0)
26441fbaed0Stron msg_panic("%s: null TLScontext in new session callback", myname);
26541fbaed0Stron
26668e5c67bSchristos GET_SID(session, sid, &sid_length);
26768e5c67bSchristos GEN_CACHE_ID(cache_id, sid, sid_length, TLScontext->serverid);
26841fbaed0Stron
26956c5febcStron if (TLScontext->log_mask & TLS_LOG_CACHE)
27041fbaed0Stron msg_info("%s: save session %s to %s cache", TLScontext->namaddr,
27141fbaed0Stron STR(cache_id), TLScontext->cache_type);
27241fbaed0Stron
27341fbaed0Stron /*
27441fbaed0Stron * Passivate and save the session state.
27541fbaed0Stron */
27641fbaed0Stron session_data = tls_session_passivate(session);
27741fbaed0Stron if (session_data)
27841fbaed0Stron tls_mgr_update(TLScontext->cache_type, STR(cache_id),
27941fbaed0Stron STR(session_data), LEN(session_data));
28041fbaed0Stron
28141fbaed0Stron /*
28241fbaed0Stron * Clean up.
28341fbaed0Stron */
28441fbaed0Stron if (session_data)
28541fbaed0Stron vstring_free(session_data);
28641fbaed0Stron vstring_free(cache_id);
28741fbaed0Stron SSL_SESSION_free(session); /* 200502 */
28841fbaed0Stron
28941fbaed0Stron return (1);
29041fbaed0Stron }
29141fbaed0Stron
29260738c95Stron #define NOENGINE ((ENGINE *) 0)
29360738c95Stron #define TLS_TKT_NOKEYS -1 /* No keys for encryption */
29460738c95Stron #define TLS_TKT_STALE 0 /* No matching keys for decryption */
29560738c95Stron #define TLS_TKT_ACCEPT 1 /* Ticket decryptable and re-usable */
29660738c95Stron #define TLS_TKT_REISSUE 2 /* Ticket decryptable, not re-usable */
29760738c95Stron
298*fb52cf35Schristos #if defined(SSL_OP_NO_TICKET) && !defined(OPENSSL_NO_TLSEXT)
299*fb52cf35Schristos
300*fb52cf35Schristos #if OPENSSL_VERSION_PREREQ(3,0)
301*fb52cf35Schristos
30260738c95Stron /* ticket_cb - configure tls session ticket encrypt/decrypt context */
30360738c95Stron
ticket_cb(SSL * con,unsigned char name[],unsigned char iv[],EVP_CIPHER_CTX * ctx,EVP_MAC_CTX * hctx,int create)304*fb52cf35Schristos static int ticket_cb(SSL *con, unsigned char name[], unsigned char iv[],
305*fb52cf35Schristos EVP_CIPHER_CTX *ctx, EVP_MAC_CTX *hctx, int create)
306*fb52cf35Schristos {
307*fb52cf35Schristos OSSL_PARAM params[3];
308*fb52cf35Schristos static const EVP_CIPHER *ciph;
309*fb52cf35Schristos TLS_TICKET_KEY *key;
310*fb52cf35Schristos TLS_SESS_STATE *TLScontext = SSL_get_ex_data(con, TLScontext_index);
311*fb52cf35Schristos int timeout = ((int) SSL_CTX_get_timeout(SSL_get_SSL_CTX(con))) / 2;
312*fb52cf35Schristos
313*fb52cf35Schristos if ((!ciph && (ciph = EVP_get_cipherbyname(var_tls_tkt_cipher)) == 0)
314*fb52cf35Schristos || (key = tls_mgr_key(create ? 0 : name, timeout)) == 0
315*fb52cf35Schristos || (create && RAND_bytes(iv, TLS_TICKET_IVLEN) <= 0))
316*fb52cf35Schristos return (create ? TLS_TKT_NOKEYS : TLS_TKT_STALE);
317*fb52cf35Schristos
318*fb52cf35Schristos params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
319*fb52cf35Schristos LN_sha256, 0);
320*fb52cf35Schristos params[1] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY,
321*fb52cf35Schristos (char *) key->hmac,
322*fb52cf35Schristos TLS_TICKET_MACLEN);
323*fb52cf35Schristos params[2] = OSSL_PARAM_construct_end();
324*fb52cf35Schristos if (!EVP_MAC_CTX_set_params(hctx, params))
325*fb52cf35Schristos return (create ? TLS_TKT_NOKEYS : TLS_TKT_STALE);
326*fb52cf35Schristos
327*fb52cf35Schristos if (create) {
328*fb52cf35Schristos EVP_EncryptInit_ex(ctx, ciph, NOENGINE, key->bits, iv);
329*fb52cf35Schristos memcpy((void *) name, (void *) key->name, TLS_TICKET_NAMELEN);
330*fb52cf35Schristos if (TLScontext->log_mask & TLS_LOG_CACHE)
331*fb52cf35Schristos msg_info("%s: Issuing session ticket, key expiration: %ld",
332*fb52cf35Schristos TLScontext->namaddr, (long) key->tout);
333*fb52cf35Schristos } else {
334*fb52cf35Schristos EVP_DecryptInit_ex(ctx, ciph, NOENGINE, key->bits, iv);
335*fb52cf35Schristos if (TLScontext->log_mask & TLS_LOG_CACHE)
336*fb52cf35Schristos msg_info("%s: Decrypting session ticket, key expiration: %ld",
337*fb52cf35Schristos TLScontext->namaddr, (long) key->tout);
338*fb52cf35Schristos }
339*fb52cf35Schristos TLScontext->ticketed = 1;
340*fb52cf35Schristos return (TLS_TKT_ACCEPT);
341*fb52cf35Schristos }
342*fb52cf35Schristos
343*fb52cf35Schristos #else /* OPENSSL_VERSION_PREREQ(3,0) */
344*fb52cf35Schristos
345*fb52cf35Schristos /* ticket_cb - configure tls session ticket encrypt/decrypt context */
34660738c95Stron
ticket_cb(SSL * con,unsigned char name[],unsigned char iv[],EVP_CIPHER_CTX * ctx,HMAC_CTX * hctx,int create)34760738c95Stron static int ticket_cb(SSL *con, unsigned char name[], unsigned char iv[],
34860738c95Stron EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int create)
34960738c95Stron {
35060738c95Stron static const EVP_MD *sha256;
35168e5c67bSchristos static const EVP_CIPHER *ciph;
35260738c95Stron TLS_TICKET_KEY *key;
35360738c95Stron TLS_SESS_STATE *TLScontext = SSL_get_ex_data(con, TLScontext_index);
35460738c95Stron int timeout = ((int) SSL_CTX_get_timeout(SSL_get_SSL_CTX(con))) / 2;
35560738c95Stron
35660738c95Stron if ((!sha256 && (sha256 = EVP_sha256()) == 0)
35768e5c67bSchristos || (!ciph && (ciph = EVP_get_cipherbyname(var_tls_tkt_cipher)) == 0)
35860738c95Stron || (key = tls_mgr_key(create ? 0 : name, timeout)) == 0
35960738c95Stron || (create && RAND_bytes(iv, TLS_TICKET_IVLEN) <= 0))
36060738c95Stron return (create ? TLS_TKT_NOKEYS : TLS_TKT_STALE);
36160738c95Stron
36260738c95Stron HMAC_Init_ex(hctx, key->hmac, TLS_TICKET_MACLEN, sha256, NOENGINE);
36360738c95Stron
36460738c95Stron if (create) {
36568e5c67bSchristos EVP_EncryptInit_ex(ctx, ciph, NOENGINE, key->bits, iv);
36668e5c67bSchristos memcpy((void *) name, (void *) key->name, TLS_TICKET_NAMELEN);
36760738c95Stron if (TLScontext->log_mask & TLS_LOG_CACHE)
36860738c95Stron msg_info("%s: Issuing session ticket, key expiration: %ld",
36960738c95Stron TLScontext->namaddr, (long) key->tout);
37060738c95Stron } else {
37168e5c67bSchristos EVP_DecryptInit_ex(ctx, ciph, NOENGINE, key->bits, iv);
37260738c95Stron if (TLScontext->log_mask & TLS_LOG_CACHE)
37360738c95Stron msg_info("%s: Decrypting session ticket, key expiration: %ld",
37460738c95Stron TLScontext->namaddr, (long) key->tout);
37560738c95Stron }
37660738c95Stron TLScontext->ticketed = 1;
37760738c95Stron return (TLS_TKT_ACCEPT);
37860738c95Stron }
37960738c95Stron
380*fb52cf35Schristos #endif /* OPENSSL_VERSION_PREREQ(3,0) */
381*fb52cf35Schristos
382*fb52cf35Schristos #endif /* defined(SSL_OP_NO_TICKET) &&
383*fb52cf35Schristos * !defined(OPENSSL_NO_TLSEXT) */
38460738c95Stron
38541fbaed0Stron /* tls_server_init - initialize the server-side TLS engine */
38641fbaed0Stron
tls_server_init(const TLS_SERVER_INIT_PROPS * props)38741fbaed0Stron TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
38841fbaed0Stron {
38941fbaed0Stron SSL_CTX *server_ctx;
3903c275423Schristos SSL_CTX *sni_ctx;
3913c275423Schristos X509_STORE *cert_store;
39241fbaed0Stron long off = 0;
39341fbaed0Stron int verify_flags = SSL_VERIFY_NONE;
39441fbaed0Stron int cachable;
39560738c95Stron int scache_timeout;
39660738c95Stron int ticketable = 0;
39741fbaed0Stron int protomask;
398*fb52cf35Schristos int min_proto;
399*fb52cf35Schristos int max_proto;
40041fbaed0Stron TLS_APPL_STATE *app_ctx;
40156c5febcStron int log_mask;
40241fbaed0Stron
40356c5febcStron /*
40456c5febcStron * Convert user loglevel to internal logmask.
40556c5febcStron */
40656c5febcStron log_mask = tls_log_mask(props->log_param, props->log_level);
40756c5febcStron
40856c5febcStron if (log_mask & TLS_LOG_VERBOSE)
40941fbaed0Stron msg_info("initializing the server-side TLS engine");
41041fbaed0Stron
41141fbaed0Stron /*
41241fbaed0Stron * Load (mostly cipher related) TLS-library internal main.cf parameters.
41341fbaed0Stron */
41441fbaed0Stron tls_param_init();
41541fbaed0Stron
41641fbaed0Stron /*
41741fbaed0Stron * Detect mismatch between compile-time headers and run-time library.
41841fbaed0Stron */
41941fbaed0Stron tls_check_version();
42041fbaed0Stron
42141fbaed0Stron /*
42241fbaed0Stron * First validate the protocols. If these are invalid, we can't continue.
42341fbaed0Stron */
424*fb52cf35Schristos protomask = tls_proto_mask_lims(props->protocols, &min_proto, &max_proto);
42541fbaed0Stron if (protomask == TLS_PROTOCOL_INVALID) {
42641fbaed0Stron /* tls_protocol_mask() logs no warning. */
42741fbaed0Stron msg_warn("Invalid TLS protocol list \"%s\": disabling TLS support",
42841fbaed0Stron props->protocols);
42941fbaed0Stron return (0);
43041fbaed0Stron }
43141fbaed0Stron
43241fbaed0Stron /*
43341fbaed0Stron * Create an application data index for SSL objects, so that we can
43441fbaed0Stron * attach TLScontext information; this information is needed inside
43541fbaed0Stron * tls_verify_certificate_callback().
43641fbaed0Stron */
43741fbaed0Stron if (TLScontext_index < 0) {
43841fbaed0Stron if ((TLScontext_index = SSL_get_ex_new_index(0, 0, 0, 0, 0)) < 0) {
43941fbaed0Stron msg_warn("Cannot allocate SSL application data index: "
44041fbaed0Stron "disabling TLS support");
44141fbaed0Stron return (0);
44241fbaed0Stron }
44341fbaed0Stron }
44441fbaed0Stron
44541fbaed0Stron /*
44641fbaed0Stron * If the administrator specifies an unsupported digest algorithm, fail
44741fbaed0Stron * now, rather than in the middle of a TLS handshake.
44841fbaed0Stron */
44960738c95Stron if (!tls_validate_digest(props->mdalg)) {
45060738c95Stron msg_warn("disabling TLS support");
45141fbaed0Stron return (0);
45241fbaed0Stron }
45341fbaed0Stron
45441fbaed0Stron /*
45541fbaed0Stron * Initialize the PRNG (Pseudo Random Number Generator) with some seed
45641fbaed0Stron * from external and internal sources. Don't enable TLS without some real
45741fbaed0Stron * entropy.
45841fbaed0Stron */
45941fbaed0Stron if (tls_ext_seed(var_tls_daemon_rand_bytes) < 0) {
46041fbaed0Stron msg_warn("no entropy for TLS key generation: disabling TLS support");
46141fbaed0Stron return (0);
46241fbaed0Stron }
46341fbaed0Stron tls_int_seed();
46441fbaed0Stron
46541fbaed0Stron /*
46641fbaed0Stron * The SSL/TLS specifications require the client to send a message in the
46741fbaed0Stron * oldest specification it understands with the highest level it
46841fbaed0Stron * understands in the message. Netscape communicator can still
46941fbaed0Stron * communicate with SSLv2 servers, so it sends out a SSLv2 client hello.
47041fbaed0Stron * To deal with it, our server must be SSLv2 aware (even if we don't like
47141fbaed0Stron * SSLv2), so we need to have the SSLv23 server here. If we want to limit
47241fbaed0Stron * the protocol level, we can add an option to not use SSLv2/v3/TLSv1
47341fbaed0Stron * later.
47441fbaed0Stron */
47541fbaed0Stron ERR_clear_error();
47668e5c67bSchristos server_ctx = SSL_CTX_new(TLS_server_method());
47768e5c67bSchristos if (server_ctx == 0) {
47841fbaed0Stron msg_warn("cannot allocate server SSL_CTX: disabling TLS support");
47941fbaed0Stron tls_print_errors();
48041fbaed0Stron return (0);
48141fbaed0Stron }
4823c275423Schristos sni_ctx = SSL_CTX_new(TLS_server_method());
4833c275423Schristos if (sni_ctx == 0) {
4843c275423Schristos SSL_CTX_free(server_ctx);
4853c275423Schristos msg_warn("cannot allocate server SNI SSL_CTX: disabling TLS support");
4863c275423Schristos tls_print_errors();
4873c275423Schristos return (0);
4883c275423Schristos }
48968e5c67bSchristos #ifdef SSL_SECOP_PEER
49068e5c67bSchristos /* Backwards compatible security as a base for opportunistic TLS. */
49168e5c67bSchristos SSL_CTX_set_security_level(server_ctx, 0);
4923c275423Schristos SSL_CTX_set_security_level(sni_ctx, 0);
49368e5c67bSchristos #endif
49441fbaed0Stron
49541fbaed0Stron /*
49641fbaed0Stron * See the verify callback in tls_verify.c
49741fbaed0Stron */
49841fbaed0Stron SSL_CTX_set_verify_depth(server_ctx, props->verifydepth + 1);
4993c275423Schristos SSL_CTX_set_verify_depth(sni_ctx, props->verifydepth + 1);
50041fbaed0Stron
50141fbaed0Stron /*
50260738c95Stron * The session cache is implemented by the tlsmgr(8) server.
50360738c95Stron *
50460738c95Stron * XXX 200502 Surprise: when OpenSSL purges an entry from the in-memory
50560738c95Stron * cache, it also attempts to purge the entry from the on-disk cache.
50660738c95Stron * This is undesirable, especially when we set the in-memory cache size
50760738c95Stron * to 1. For this reason we don't allow OpenSSL to purge on-disk cache
50860738c95Stron * entries, and leave it up to the tlsmgr process instead. Found by
50960738c95Stron * Victor Duchovni.
51060738c95Stron */
51160738c95Stron if (tls_mgr_policy(props->cache_type, &cachable,
51260738c95Stron &scache_timeout) != TLS_MGR_STAT_OK)
51360738c95Stron scache_timeout = 0;
51460738c95Stron if (scache_timeout <= 0)
51560738c95Stron cachable = 0;
51660738c95Stron
51760738c95Stron /*
51841fbaed0Stron * Protocol work-arounds, OpenSSL version dependent.
51941fbaed0Stron */
52060738c95Stron off |= tls_bug_bits();
52160738c95Stron
52260738c95Stron /*
52360738c95Stron * Add SSL_OP_NO_TICKET when the timeout is zero or library support is
5243c275423Schristos * incomplete.
52560738c95Stron */
526628c9e10Stron #ifdef SSL_OP_NO_TICKET
5273c275423Schristos #ifndef OPENSSL_NO_TLSEXT
52868e5c67bSchristos ticketable = (*var_tls_tkt_cipher && scache_timeout > 0
52968e5c67bSchristos && !(off & SSL_OP_NO_TICKET));
53068e5c67bSchristos if (ticketable) {
53168e5c67bSchristos const EVP_CIPHER *ciph;
53268e5c67bSchristos
53368e5c67bSchristos if ((ciph = EVP_get_cipherbyname(var_tls_tkt_cipher)) == 0
53468e5c67bSchristos || EVP_CIPHER_mode(ciph) != EVP_CIPH_CBC_MODE
53568e5c67bSchristos || EVP_CIPHER_iv_length(ciph) != TLS_TICKET_IVLEN
53668e5c67bSchristos || EVP_CIPHER_key_length(ciph) < TLS_TICKET_IVLEN
53768e5c67bSchristos || EVP_CIPHER_key_length(ciph) > TLS_TICKET_KEYLEN) {
53868e5c67bSchristos msg_warn("%s: invalid value: %s; session tickets disabled",
53968e5c67bSchristos VAR_TLS_TKT_CIPHER, var_tls_tkt_cipher);
54068e5c67bSchristos ticketable = 0;
54168e5c67bSchristos }
54268e5c67bSchristos }
5433c275423Schristos if (ticketable) {
544*fb52cf35Schristos #if OPENSSL_VERSION_PREREQ(3,0)
545*fb52cf35Schristos SSL_CTX_set_tlsext_ticket_key_evp_cb(server_ctx, ticket_cb);
546*fb52cf35Schristos #else
54760738c95Stron SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, ticket_cb);
548*fb52cf35Schristos #endif
5493c275423Schristos
5503c275423Schristos /*
5513c275423Schristos * OpenSSL 1.1.1 introduces support for TLS 1.3, which can issue more
5523c275423Schristos * than one ticket per handshake. While this may be appropriate for
5533c275423Schristos * communication between browsers and webservers, it is not terribly
5543c275423Schristos * useful for MTAs, many of which other than Postfix don't do TLS
5553c275423Schristos * session caching at all, and Postfix has no mechanism for storing
5563c275423Schristos * multiple session tickets, if more than one sent, the second
5573c275423Schristos * clobbers the first. OpenSSL 1.1.1 servers default to issuing two
5583c275423Schristos * tickets for non-resumption handshakes, we reduce this to one. Our
5593c275423Schristos * ticket decryption callback already (since 2.11) asks OpenSSL to
5603c275423Schristos * avoid issuing new tickets when the presented ticket is re-usable.
5613c275423Schristos */
5623c275423Schristos SSL_CTX_set_num_tickets(server_ctx, 1);
5633c275423Schristos }
56460738c95Stron #endif
56560738c95Stron if (!ticketable)
566628c9e10Stron off |= SSL_OP_NO_TICKET;
567628c9e10Stron #endif
56860738c95Stron
56941fbaed0Stron SSL_CTX_set_options(server_ctx, off);
57041fbaed0Stron
57141fbaed0Stron /*
57241fbaed0Stron * Global protocol selection.
57341fbaed0Stron */
57441fbaed0Stron if (protomask != 0)
57568e5c67bSchristos SSL_CTX_set_options(server_ctx, TLS_SSL_OP_PROTOMASK(protomask));
576*fb52cf35Schristos SSL_CTX_set_min_proto_version(server_ctx, min_proto);
577*fb52cf35Schristos SSL_CTX_set_max_proto_version(server_ctx, max_proto);
578*fb52cf35Schristos SSL_CTX_set_min_proto_version(sni_ctx, min_proto);
579*fb52cf35Schristos SSL_CTX_set_max_proto_version(sni_ctx, max_proto);
58041fbaed0Stron
5817a77eabbStron /*
5827a77eabbStron * Some sites may want to give the client less rope. On the other hand,
5837a77eabbStron * this could trigger inter-operability issues, the client should not
5847a77eabbStron * offer ciphers it implements poorly, but this hasn't stopped some
5857a77eabbStron * vendors from getting it wrong.
5867a77eabbStron */
5877a77eabbStron if (var_tls_preempt_clist)
5887a77eabbStron SSL_CTX_set_options(server_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
5897a77eabbStron
5903c275423Schristos /* Done with server_ctx options, clone to sni_ctx */
5913c275423Schristos SSL_CTX_clear_options(sni_ctx, ~0);
5923c275423Schristos SSL_CTX_set_options(sni_ctx, SSL_CTX_get_options(server_ctx));
5933c275423Schristos
59441fbaed0Stron /*
59541fbaed0Stron * Set the call-back routine to debug handshake progress.
59641fbaed0Stron */
5973c275423Schristos if (log_mask & TLS_LOG_DEBUG) {
59841fbaed0Stron SSL_CTX_set_info_callback(server_ctx, tls_info_callback);
5993c275423Schristos SSL_CTX_set_info_callback(sni_ctx, tls_info_callback);
6003c275423Schristos }
60141fbaed0Stron
60241fbaed0Stron /*
60341fbaed0Stron * Load the CA public key certificates for both the server cert and for
60441fbaed0Stron * the verification of client certificates. As provided by OpenSSL we
60541fbaed0Stron * support two types of CA certificate handling: One possibility is to
60641fbaed0Stron * add all CA certificates to one large CAfile, the other possibility is
60741fbaed0Stron * a directory pointed to by CApath, containing separate files for each
60841fbaed0Stron * CA with softlinks named after the hash values of the certificate. The
60941fbaed0Stron * first alternative has the advantage that the file is opened and read
61041fbaed0Stron * at startup time, so that you don't have the hassle to maintain another
61141fbaed0Stron * copy of the CApath directory for chroot-jail.
61241fbaed0Stron */
61341fbaed0Stron if (tls_set_ca_certificate_info(server_ctx,
61441fbaed0Stron props->CAfile, props->CApath) < 0) {
61541fbaed0Stron /* tls_set_ca_certificate_info() already logs a warning. */
61641fbaed0Stron SSL_CTX_free(server_ctx); /* 200411 */
6173c275423Schristos SSL_CTX_free(sni_ctx);
61841fbaed0Stron return (0);
61941fbaed0Stron }
62041fbaed0Stron
62141fbaed0Stron /*
6223c275423Schristos * Upref and share the cert store. Sadly we can't yet use
6233c275423Schristos * SSL_CTX_set1_cert_store(3) which was added in OpenSSL 1.1.0.
6243c275423Schristos */
6253c275423Schristos cert_store = SSL_CTX_get_cert_store(server_ctx);
6263c275423Schristos X509_STORE_up_ref(cert_store);
6273c275423Schristos SSL_CTX_set_cert_store(sni_ctx, cert_store);
6283c275423Schristos
6293c275423Schristos /*
63041fbaed0Stron * Load the server public key certificate and private key from file and
63141fbaed0Stron * check whether the cert matches the key. We can use RSA certificates
63241fbaed0Stron * ("cert") DSA certificates ("dcert") or ECDSA certificates ("eccert").
63341fbaed0Stron * All three can be made available at the same time. The CA certificates
63441fbaed0Stron * for all three are handled in the same setup already finished. Which
63541fbaed0Stron * one is used depends on the cipher negotiated (that is: the first
63641fbaed0Stron * cipher listed by the client which does match the server). A client
63741fbaed0Stron * with RSA only (e.g. Netscape) will use the RSA certificate only. A
63841fbaed0Stron * client with openssl-library will use RSA first if not especially
63941fbaed0Stron * changed in the cipher setup.
64041fbaed0Stron */
64141fbaed0Stron if (tls_set_my_certificate_key_info(server_ctx,
6423c275423Schristos props->chain_files,
64341fbaed0Stron props->cert_file,
64441fbaed0Stron props->key_file,
64541fbaed0Stron props->dcert_file,
64641fbaed0Stron props->dkey_file,
64741fbaed0Stron props->eccert_file,
64841fbaed0Stron props->eckey_file) < 0) {
64941fbaed0Stron /* tls_set_my_certificate_key_info() already logs a warning. */
65041fbaed0Stron SSL_CTX_free(server_ctx); /* 200411 */
6513c275423Schristos SSL_CTX_free(sni_ctx);
65241fbaed0Stron return (0);
65341fbaed0Stron }
65441fbaed0Stron
65541fbaed0Stron /*
65641fbaed0Stron * Diffie-Hellman key generation parameters can either be loaded from
65741fbaed0Stron * files (preferred) or taken from compiled in values. First, set the
65841fbaed0Stron * callback that will select the values when requested, then load the
65941fbaed0Stron * (possibly) available DH parameters from files. We are generous with
66041fbaed0Stron * the error handling, since we do have default values compiled in, so we
66141fbaed0Stron * will not abort but just log the error message.
66241fbaed0Stron */
66341fbaed0Stron if (*props->dh1024_param_file != 0)
664*fb52cf35Schristos tls_set_dh_from_file(props->dh1024_param_file);
665*fb52cf35Schristos tls_tmp_dh(server_ctx, 1);
666*fb52cf35Schristos tls_tmp_dh(sni_ctx, 1);
66741fbaed0Stron
66841fbaed0Stron /*
66941fbaed0Stron * Enable EECDH if available, errors are not fatal, we just keep going
67041fbaed0Stron * with any remaining key-exchange algorithms.
67141fbaed0Stron */
672*fb52cf35Schristos tls_auto_eecdh_curves(server_ctx, var_tls_eecdh_auto);
673*fb52cf35Schristos tls_auto_eecdh_curves(sni_ctx, var_tls_eecdh_auto);
67441fbaed0Stron
67541fbaed0Stron /*
67641fbaed0Stron * If we want to check client certificates, we have to indicate it in
67741fbaed0Stron * advance. By now we only allow to decide on a global basis. If we want
67841fbaed0Stron * to allow certificate based relaying, we must ask the client to provide
67941fbaed0Stron * one with SSL_VERIFY_PEER. The client now can decide, whether it
68041fbaed0Stron * provides one or not. We can enforce a failure of the negotiation with
68141fbaed0Stron * SSL_VERIFY_FAIL_IF_NO_PEER_CERT, if we do not allow a connection
68241fbaed0Stron * without one. In the "server hello" following the initialization by the
68341fbaed0Stron * "client hello" the server must provide a list of CAs it is willing to
68441fbaed0Stron * accept. Some clever clients will then select one from the list of
68541fbaed0Stron * available certificates matching these CAs. Netscape Communicator will
68641fbaed0Stron * present the list of certificates for selecting the one to be sent, or
68741fbaed0Stron * it will issue a warning, if there is no certificate matching the
68841fbaed0Stron * available CAs.
68941fbaed0Stron *
69041fbaed0Stron * With regard to the purpose of the certificate for relaying, we might like
69141fbaed0Stron * a later negotiation, maybe relaying would already be allowed for other
69241fbaed0Stron * reasons, but this would involve severe changes in the internal postfix
69341fbaed0Stron * logic, so we have to live with it the way it is.
69441fbaed0Stron */
69541fbaed0Stron if (props->ask_ccert)
69641fbaed0Stron verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
69741fbaed0Stron SSL_CTX_set_verify(server_ctx, verify_flags,
69841fbaed0Stron tls_verify_certificate_callback);
6993c275423Schristos SSL_CTX_set_verify(sni_ctx, verify_flags,
7003c275423Schristos tls_verify_certificate_callback);
7013c275423Schristos if (props->ask_ccert && *props->CAfile) {
7023c275423Schristos STACK_OF(X509_NAME) *calist = SSL_load_client_CA_file(props->CAfile);
7033c275423Schristos
7043c275423Schristos if (calist == 0) {
7053c275423Schristos /* Not generally critical */
7063c275423Schristos msg_warn("error loading client CA names from: %s",
7073c275423Schristos props->CAfile);
7083c275423Schristos tls_print_errors();
7093c275423Schristos }
7103c275423Schristos SSL_CTX_set_client_CA_list(server_ctx, calist);
7113c275423Schristos
7123c275423Schristos if (calist != 0 && sk_X509_NAME_num(calist) > 0) {
7133c275423Schristos calist = SSL_dup_CA_list(calist);
7143c275423Schristos
7153c275423Schristos if (calist == 0) {
7163c275423Schristos msg_warn("error duplicating client CA names for SNI");
7173c275423Schristos tls_print_errors();
7183c275423Schristos } else {
7193c275423Schristos SSL_CTX_set_client_CA_list(sni_ctx, calist);
7203c275423Schristos }
7213c275423Schristos }
7223c275423Schristos }
72341fbaed0Stron
72441fbaed0Stron /*
72541fbaed0Stron * Initialize our own TLS server handle, before diving into the details
72641fbaed0Stron * of TLS session cache management.
72741fbaed0Stron */
7283c275423Schristos app_ctx = tls_alloc_app_context(server_ctx, sni_ctx, log_mask);
72941fbaed0Stron
73060738c95Stron if (cachable || ticketable || props->set_sessid) {
73141fbaed0Stron
73241fbaed0Stron /*
73341fbaed0Stron * Initialize the session cache.
73441fbaed0Stron *
73541fbaed0Stron * With a large number of concurrent smtpd(8) processes, it is not a
73641fbaed0Stron * good idea to cache multiple large session objects in each process.
73741fbaed0Stron * We set the internal cache size to 1, and don't register a
73841fbaed0Stron * "remove_cb" so as to avoid deleting good sessions from the
73941fbaed0Stron * external cache prematurely (when the internal cache is full,
74041fbaed0Stron * OpenSSL removes sessions from the external cache also)!
74141fbaed0Stron *
74241fbaed0Stron * This makes SSL_CTX_remove_session() not useful for flushing broken
74341fbaed0Stron * sessions from the external cache, so we must delete them directly
74441fbaed0Stron * (not via a callback).
74541fbaed0Stron *
74641fbaed0Stron * Set a session id context to identify to what type of server process
74741fbaed0Stron * created a session. In our case, the context is simply the name of
74841fbaed0Stron * the mail system: "Postfix/TLS".
74941fbaed0Stron */
75041fbaed0Stron SSL_CTX_sess_set_cache_size(server_ctx, 1);
75141fbaed0Stron SSL_CTX_set_session_id_context(server_ctx,
75241fbaed0Stron (void *) &server_session_id_context,
75341fbaed0Stron sizeof(server_session_id_context));
75441fbaed0Stron SSL_CTX_set_session_cache_mode(server_ctx,
75541fbaed0Stron SSL_SESS_CACHE_SERVER |
756*fb52cf35Schristos SSL_SESS_CACHE_NO_INTERNAL |
75741fbaed0Stron SSL_SESS_CACHE_NO_AUTO_CLEAR);
75841fbaed0Stron if (cachable) {
75941fbaed0Stron app_ctx->cache_type = mystrdup(props->cache_type);
76041fbaed0Stron
76141fbaed0Stron SSL_CTX_sess_set_get_cb(server_ctx, get_server_session_cb);
76241fbaed0Stron SSL_CTX_sess_set_new_cb(server_ctx, new_server_session_cb);
76341fbaed0Stron }
76441fbaed0Stron
76541fbaed0Stron /*
76641fbaed0Stron * OpenSSL ignores timed-out sessions. We need to set the internal
76741fbaed0Stron * cache timeout at least as high as the external cache timeout. This
76860738c95Stron * applies even if no internal cache is used. We set the session
76960738c95Stron * lifetime to twice the cache lifetime, which is also the issuing
77060738c95Stron * and retired key validation lifetime of session tickets keys. This
77160738c95Stron * way a session always lasts longer than the server's ability to
77260738c95Stron * decrypt its session ticket. Otherwise, a bug in OpenSSL may fail
77360738c95Stron * to re-issue tickets when sessions decrypt, but are expired.
77441fbaed0Stron */
77560738c95Stron SSL_CTX_set_timeout(server_ctx, 2 * scache_timeout);
77641fbaed0Stron } else {
77741fbaed0Stron
77841fbaed0Stron /*
77941fbaed0Stron * If we have no external cache, disable all caching. No use wasting
78041fbaed0Stron * server memory resources with sessions they are unlikely to be able
78141fbaed0Stron * to reuse.
78241fbaed0Stron */
78341fbaed0Stron SSL_CTX_set_session_cache_mode(server_ctx, SSL_SESS_CACHE_OFF);
78441fbaed0Stron }
78541fbaed0Stron
78641fbaed0Stron return (app_ctx);
78741fbaed0Stron }
78841fbaed0Stron
78941fbaed0Stron /*
79041fbaed0Stron * This is the actual startup routine for a new connection. We expect that
79141fbaed0Stron * the SMTP buffers are flushed and the "220 Ready to start TLS" was sent to
79241fbaed0Stron * the client, so that we can immediately start the TLS handshake process.
79341fbaed0Stron */
tls_server_start(const TLS_SERVER_START_PROPS * props)79441fbaed0Stron TLS_SESS_STATE *tls_server_start(const TLS_SERVER_START_PROPS *props)
79541fbaed0Stron {
79641fbaed0Stron int sts;
79741fbaed0Stron TLS_SESS_STATE *TLScontext;
79841fbaed0Stron const char *cipher_list;
79941fbaed0Stron TLS_APPL_STATE *app_ctx = props->ctx;
80056c5febcStron int log_mask = app_ctx->log_mask;
80141fbaed0Stron
80256c5febcStron /*
80356c5febcStron * Implicitly enable logging of trust chain errors when verified certs
80456c5febcStron * are required.
80556c5febcStron */
80656c5febcStron if (props->requirecert)
80756c5febcStron log_mask |= TLS_LOG_UNTRUSTED;
80856c5febcStron
80956c5febcStron if (log_mask & TLS_LOG_VERBOSE)
81041fbaed0Stron msg_info("setting up TLS connection from %s", props->namaddr);
81141fbaed0Stron
81241fbaed0Stron /*
81341fbaed0Stron * Allocate a new TLScontext for the new connection and get an SSL
81441fbaed0Stron * structure. Add the location of TLScontext to the SSL to later retrieve
81541fbaed0Stron * the information inside the tls_verify_certificate_callback().
81641fbaed0Stron */
81756c5febcStron TLScontext = tls_alloc_sess_context(log_mask, props->namaddr);
81841fbaed0Stron TLScontext->cache_type = app_ctx->cache_type;
81941fbaed0Stron
82041fbaed0Stron ERR_clear_error();
82141fbaed0Stron if ((TLScontext->con = (SSL *) SSL_new(app_ctx->ssl_ctx)) == 0) {
82241fbaed0Stron msg_warn("Could not allocate 'TLScontext->con' with SSL_new()");
82341fbaed0Stron tls_print_errors();
82441fbaed0Stron tls_free_context(TLScontext);
82541fbaed0Stron return (0);
82641fbaed0Stron }
8273c275423Schristos cipher_list = tls_set_ciphers(TLScontext, props->cipher_grade,
8283c275423Schristos props->cipher_exclusions);
8293c275423Schristos if (cipher_list == 0) {
8303c275423Schristos /* already warned */
8313c275423Schristos tls_free_context(TLScontext);
8323c275423Schristos return (0);
8333c275423Schristos }
8343c275423Schristos if (log_mask & TLS_LOG_VERBOSE)
8353c275423Schristos msg_info("%s: TLS cipher list \"%s\"", props->namaddr, cipher_list);
8363c275423Schristos
8373c275423Schristos TLScontext->serverid = mystrdup(props->serverid);
8383c275423Schristos TLScontext->am_server = 1;
8393c275423Schristos TLScontext->stream = props->stream;
8403c275423Schristos TLScontext->mdalg = props->mdalg;
8413c275423Schristos
84241fbaed0Stron if (!SSL_set_ex_data(TLScontext->con, TLScontext_index, TLScontext)) {
84341fbaed0Stron msg_warn("Could not set application data for 'TLScontext->con'");
84441fbaed0Stron tls_print_errors();
84541fbaed0Stron tls_free_context(TLScontext);
84641fbaed0Stron return (0);
84741fbaed0Stron }
84868e5c67bSchristos #ifdef SSL_SECOP_PEER
84968e5c67bSchristos /* When authenticating the peer, use 80-bit plus OpenSSL security level */
85068e5c67bSchristos if (props->requirecert)
85168e5c67bSchristos SSL_set_security_level(TLScontext->con, 1);
85268e5c67bSchristos #endif
85341fbaed0Stron
85441fbaed0Stron /*
85541fbaed0Stron * Before really starting anything, try to seed the PRNG a little bit
85641fbaed0Stron * more.
85741fbaed0Stron */
85841fbaed0Stron tls_int_seed();
85941fbaed0Stron (void) tls_ext_seed(var_tls_daemon_rand_bytes);
86041fbaed0Stron
86141fbaed0Stron /*
8627a77eabbStron * Connect the SSL connection with the network socket.
86341fbaed0Stron */
8647a77eabbStron if (SSL_set_fd(TLScontext->con, props->stream == 0 ? props->fd :
8657a77eabbStron vstream_fileno(props->stream)) != 1) {
8667a77eabbStron msg_info("SSL_set_fd error to %s", props->namaddr);
8677a77eabbStron tls_print_errors();
8687a77eabbStron uncache_session(app_ctx->ssl_ctx, TLScontext);
8697a77eabbStron tls_free_context(TLScontext);
8707a77eabbStron return (0);
8717a77eabbStron }
87241fbaed0Stron
87341fbaed0Stron /*
87441fbaed0Stron * If the debug level selected is high enough, all of the data is dumped:
87556c5febcStron * TLS_LOG_TLSPKTS will dump the SSL negotiation, TLS_LOG_ALLPKTS will
87656c5febcStron * dump everything.
87741fbaed0Stron *
87841fbaed0Stron * We do have an SSL_set_fd() and now suddenly a BIO_ routine is called?
87941fbaed0Stron * Well there is a BIO below the SSL routines that is automatically
88041fbaed0Stron * created for us, so we can use it for debugging purposes.
88141fbaed0Stron */
88256c5febcStron if (log_mask & TLS_LOG_TLSPKTS)
883*fb52cf35Schristos tls_set_bio_callback(SSL_get_rbio(TLScontext->con), tls_bio_dump_cb);
88441fbaed0Stron
88541fbaed0Stron /*
8867a77eabbStron * If we don't trigger the handshake in the library, leave control over
8877a77eabbStron * SSL_accept/read/write/etc with the application.
8887a77eabbStron */
8897a77eabbStron if (props->stream == 0)
8907a77eabbStron return (TLScontext);
8917a77eabbStron
8927a77eabbStron /*
8937a77eabbStron * Turn on non-blocking I/O so that we can enforce timeouts on network
8947a77eabbStron * I/O.
8957a77eabbStron */
8967a77eabbStron non_blocking(vstream_fileno(props->stream), NON_BLOCKING);
8977a77eabbStron
8987a77eabbStron /*
89941fbaed0Stron * Start TLS negotiations. This process is a black box that invokes our
90041fbaed0Stron * call-backs for session caching and certificate verification.
90141fbaed0Stron *
9023c275423Schristos * Error handling: If the SSL handshake fails, we print out an error message
90341fbaed0Stron * and remove all TLS state concerning this session.
90441fbaed0Stron */
90541fbaed0Stron sts = tls_bio_accept(vstream_fileno(props->stream), props->timeout,
90641fbaed0Stron TLScontext);
90741fbaed0Stron if (sts <= 0) {
90856c5febcStron if (ERR_peek_error() != 0) {
90941fbaed0Stron msg_info("SSL_accept error from %s: %d", props->namaddr, sts);
91041fbaed0Stron tls_print_errors();
91156c5febcStron } else if (errno != 0) {
91256c5febcStron msg_info("SSL_accept error from %s: %m", props->namaddr);
91356c5febcStron } else {
91456c5febcStron msg_info("SSL_accept error from %s: lost connection",
91556c5febcStron props->namaddr);
91656c5febcStron }
91741fbaed0Stron tls_free_context(TLScontext);
91841fbaed0Stron return (0);
91941fbaed0Stron }
9207a77eabbStron return (tls_server_post_accept(TLScontext));
9217a77eabbStron }
9227a77eabbStron
9237a77eabbStron /* tls_server_post_accept - post-handshake processing */
9247a77eabbStron
tls_server_post_accept(TLS_SESS_STATE * TLScontext)9257a77eabbStron TLS_SESS_STATE *tls_server_post_accept(TLS_SESS_STATE *TLScontext)
9267a77eabbStron {
9273c275423Schristos const SSL_CIPHER *cipher;
9287a77eabbStron X509 *peer;
9297a77eabbStron char buf[CCERT_BUFSIZ];
9307a77eabbStron
93156c5febcStron /* Turn off packet dump if only dumping the handshake */
93256c5febcStron if ((TLScontext->log_mask & TLS_LOG_ALLPKTS) == 0)
933*fb52cf35Schristos tls_set_bio_callback(SSL_get_rbio(TLScontext->con), 0);
93441fbaed0Stron
93541fbaed0Stron /*
93641fbaed0Stron * The caller may want to know if this session was reused or if a new
93741fbaed0Stron * session was negotiated.
93841fbaed0Stron */
93941fbaed0Stron TLScontext->session_reused = SSL_session_reused(TLScontext->con);
94056c5febcStron if ((TLScontext->log_mask & TLS_LOG_CACHE) && TLScontext->session_reused)
94160738c95Stron msg_info("%s: Reusing old session%s", TLScontext->namaddr,
94260738c95Stron TLScontext->ticketed ? " (RFC 5077 session ticket)" : "");
94341fbaed0Stron
94441fbaed0Stron /*
94541fbaed0Stron * Let's see whether a peer certificate is available and what is the
94641fbaed0Stron * actual information. We want to save it for later use.
94741fbaed0Stron */
948*fb52cf35Schristos peer = TLS_PEEK_PEER_CERT(TLScontext->con);
94941fbaed0Stron if (peer != NULL) {
95041fbaed0Stron TLScontext->peer_status |= TLS_CERT_FLAG_PRESENT;
95141fbaed0Stron if (SSL_get_verify_result(TLScontext->con) == X509_V_OK)
95241fbaed0Stron TLScontext->peer_status |= TLS_CERT_FLAG_TRUSTED;
95341fbaed0Stron
95456c5febcStron if (TLScontext->log_mask & TLS_LOG_VERBOSE) {
95541fbaed0Stron X509_NAME_oneline(X509_get_subject_name(peer),
95641fbaed0Stron buf, sizeof(buf));
95768e5c67bSchristos msg_info("subject=%s", printable(buf, '?'));
95841fbaed0Stron X509_NAME_oneline(X509_get_issuer_name(peer),
95941fbaed0Stron buf, sizeof(buf));
96068e5c67bSchristos msg_info("issuer=%s", printable(buf, '?'));
96141fbaed0Stron }
96241fbaed0Stron TLScontext->peer_CN = tls_peer_CN(peer, TLScontext);
96341fbaed0Stron TLScontext->issuer_CN = tls_issuer_CN(peer, TLScontext);
96460738c95Stron TLScontext->peer_cert_fprint = tls_cert_fprint(peer, TLScontext->mdalg);
96560738c95Stron TLScontext->peer_pkey_fprint = tls_pkey_fprint(peer, TLScontext->mdalg);
96641fbaed0Stron
96756c5febcStron if (TLScontext->log_mask & (TLS_LOG_VERBOSE | TLS_LOG_PEERCERT)) {
96856c5febcStron msg_info("%s: subject_CN=%s, issuer=%s, fingerprint=%s"
96956c5febcStron ", pkey_fingerprint=%s",
9707a77eabbStron TLScontext->namaddr,
97141fbaed0Stron TLScontext->peer_CN, TLScontext->issuer_CN,
97260738c95Stron TLScontext->peer_cert_fprint,
97356c5febcStron TLScontext->peer_pkey_fprint);
97441fbaed0Stron }
975*fb52cf35Schristos TLS_FREE_PEER_CERT(peer);
97668e5c67bSchristos
97768e5c67bSchristos /*
97868e5c67bSchristos * Give them a clue. Problems with trust chain verification are
97968e5c67bSchristos * logged when the session is first negotiated, before the session is
98068e5c67bSchristos * stored into the cache. We don't want mystery failures, so log the
98168e5c67bSchristos * fact the real problem is to be found in the past.
98268e5c67bSchristos */
98368e5c67bSchristos if (!TLS_CERT_IS_TRUSTED(TLScontext)
98468e5c67bSchristos && (TLScontext->log_mask & TLS_LOG_UNTRUSTED)) {
98568e5c67bSchristos if (TLScontext->session_reused == 0)
98668e5c67bSchristos tls_log_verify_error(TLScontext);
98768e5c67bSchristos else
98868e5c67bSchristos msg_info("%s: re-using session with untrusted certificate, "
98968e5c67bSchristos "look for details earlier in the log",
99068e5c67bSchristos TLScontext->namaddr);
99168e5c67bSchristos }
99241fbaed0Stron } else {
99341fbaed0Stron TLScontext->peer_CN = mystrdup("");
99441fbaed0Stron TLScontext->issuer_CN = mystrdup("");
99560738c95Stron TLScontext->peer_cert_fprint = mystrdup("");
99660738c95Stron TLScontext->peer_pkey_fprint = mystrdup("");
99741fbaed0Stron }
99841fbaed0Stron
99941fbaed0Stron /*
100041fbaed0Stron * Finally, collect information about protocol and cipher for logging
100141fbaed0Stron */
100241fbaed0Stron TLScontext->protocol = SSL_get_version(TLScontext->con);
100341fbaed0Stron cipher = SSL_get_current_cipher(TLScontext->con);
100441fbaed0Stron TLScontext->cipher_name = SSL_CIPHER_get_name(cipher);
100541fbaed0Stron TLScontext->cipher_usebits = SSL_CIPHER_get_bits(cipher,
100641fbaed0Stron &(TLScontext->cipher_algbits));
100741fbaed0Stron
100841fbaed0Stron /*
10097a77eabbStron * If the library triggered the SSL handshake, switch to the
10107a77eabbStron * tls_timed_read/write() functions and make the TLScontext available to
10117a77eabbStron * those functions. Otherwise, leave control over SSL_read/write/etc.
10127a77eabbStron * with the application.
101341fbaed0Stron */
10147a77eabbStron if (TLScontext->stream != 0)
10157a77eabbStron tls_stream_start(TLScontext->stream, TLScontext);
101641fbaed0Stron
101741fbaed0Stron /*
10183c275423Schristos * With the handshake done, extract TLS 1.3 signature metadata.
10193c275423Schristos */
10203c275423Schristos tls_get_signature_params(TLScontext);
10213c275423Schristos
10223c275423Schristos /*
102341fbaed0Stron * All the key facts in a single log entry.
102441fbaed0Stron */
102556c5febcStron if (TLScontext->log_mask & TLS_LOG_SUMMARY)
10263c275423Schristos tls_log_summary(TLS_ROLE_SERVER, TLS_USAGE_NEW, TLScontext);
102741fbaed0Stron
102841fbaed0Stron tls_int_seed();
102941fbaed0Stron
103041fbaed0Stron return (TLScontext);
103141fbaed0Stron }
103241fbaed0Stron
103341fbaed0Stron #endif /* USE_TLS */
1034