1 /*        $NetBSD: tls_misc.c,v 1.6 2025/02/25 19:15:50 christos Exp $          */
2 
3 /*++
4 /* NAME
5 /*        tls_misc 3
6 /* SUMMARY
7 /*        miscellaneous TLS support routines
8 /* SYNOPSIS
9 /* .SH Public functions
10 /* .nf
11 /* .na
12 /*        #include <tls.h>
13 /*
14 /*        void tls_log_summary(role, usage, TLScontext)
15 /*        TLS_ROLE role;
16 /*        TLS_USAGE usage;
17 /*        TLS_SESS_STATE *TLScontext;
18 /*
19 /*        const char *tls_compile_version(void)
20 /*
21 /*        const char *tls_run_version(void)
22 /*
23 /*        const char **tls_pkey_algorithms(void)
24 /*
25 /*        void      tls_pre_jail_init(TLS_ROLE)
26 /*        TLS_ROLE role;
27 /*
28 /* .SH Internal functions
29 /* .nf
30 /* .na
31 /*        #define TLS_INTERNAL
32 /*        #include <tls.h>
33 /*
34 /*        char      *var_tls_cnf_file;
35 /*        char      *var_tls_cnf_name;
36 /*        char      *var_tls_high_clist;
37 /*        char      *var_tls_medium_clist;
38 /*        char      *var_tls_null_clist;
39 /*        char      *var_tls_eecdh_auto;
40 /*        char      *var_tls_eecdh_strong;
41 /*        char      *var_tls_eecdh_ultra;
42 /*        char      *var_tls_ffdhe_auto;
43 /*        char      *var_tls_dane_digests;
44 /*        int       var_tls_daemon_rand_bytes;
45 /*        bool      var_tls_append_def_CA;
46 /*        bool      var_tls_preempt_clist;
47 /*        bool      var_tls_bc_pkey_fprint;
48 /*        bool      var_tls_multi_wildcard;
49 /*        char      *var_tls_mgr_service;
50 /*        char      *var_tls_tkt_cipher;
51 /*        char      *var_openssl_path;
52 /*        char      *var_tls_server_sni_maps;
53 /*        bool      var_tls_fast_shutdown;
54 /*
55 /*        TLS_APPL_STATE *tls_alloc_app_context(ssl_ctx, log_mask)
56 /*        SSL_CTX   *ssl_ctx;
57 /*        int       log_mask;
58 /*
59 /*        void      tls_free_app_context(app_ctx)
60 /*        void      *app_ctx;
61 /*
62 /*        TLS_SESS_STATE *tls_alloc_sess_context(log_mask, namaddr)
63 /*        int       log_mask;
64 /*        const char *namaddr;
65 /*
66 /*        void      tls_free_context(TLScontext)
67 /*        TLS_SESS_STATE *TLScontext;
68 /*
69 /*        void      tls_check_version()
70 /*
71 /*        long      tls_bug_bits()
72 /*
73 /*        void      tls_param_init()
74 /*
75 /*        int     tls_library_init(void)
76 /*
77 /*        int       tls_proto_mask_lims(plist, floor, ceiling)
78 /*        const char *plist;
79 /*        int       *floor;
80 /*        int       *ceiling;
81 /*
82 /*        int       tls_cipher_grade(name)
83 /*        const char *name;
84 /*
85 /*        const char *str_tls_cipher_grade(grade)
86 /*        int       grade;
87 /*
88 /*        const char *tls_set_ciphers(TLScontext, grade, exclusions)
89 /*        TLS_SESS_STATE *TLScontext;
90 /*        int       grade;
91 /*        const char *exclusions;
92 /*
93 /*        void tls_get_signature_params(TLScontext)
94 /*        TLS_SESS_STATE *TLScontext;
95 /*
96 /*        void      tls_print_errors()
97 /*
98 /*        void      tls_info_callback(ssl, where, ret)
99 /*        const SSL *ssl; /* unused */
100 /*        int       where;
101 /*        int       ret;
102 /*
103 /*        long      tls_bio_dump_cb(bio, cmd, argp, len, argi, argl, ret, processed)
104 /*        BIO       *bio;
105 /*        int       cmd;
106 /*        const char *argp;
107 /*        size_t    len;
108 /*        int       argi;
109 /*        long      argl; /* unused */
110 /*        int       ret;
111 /*        size_t    *processed;
112 /*
113 /*        int       tls_log_mask(log_param, log_level)
114 /*        const char *log_param;
115 /*        const char *log_level;
116 /*
117 /*        void       tls_update_app_logmask(app_ctx, log_mask)
118 /*        TLS_APPL_STATE *app_ctx;
119 /*        int       log_mask;
120 /*
121 /*        const EVP_MD *tls_validate_digest(dgst)
122 /*        const char *dgst;
123 /*
124 /*        void tls_enable_client_rpk(ctx, ssl)
125 /*        SSL_CTX *ctx;
126 /*        SSL     *ssl;
127 /*
128 /*        void tls_enable_server_rpk(ctx, ssl)
129 /*        SSL_CTX *ctx;
130 /*        SSL     *ssl;
131 /* DESCRIPTION
132 /*        This module implements public and internal routines that
133 /*        support the TLS client and server.
134 /*
135 /*        tls_log_summary() logs a summary of a completed TLS connection.
136 /*        The "role" argument must be TLS_ROLE_CLIENT for outgoing client
137 /*        connections, or TLS_ROLE_SERVER for incoming server connections,
138 /*        and the "usage" must be TLS_USAGE_NEW or TLS_USAGE_USED.
139 /*
140 /*        tls_compile_version() returns a text string description of
141 /*        the compile-time TLS library.
142 /*
143 /*        tls_run_version() is just tls_compile_version() but with the runtime
144 /*        version instead of the compile-time version.
145 /*
146 /*        tls_pkey_algorithms() returns a pointer to null-terminated
147 /*        array of string constants with the names of the supported
148 /*        public-key algorithms.
149 /*
150 /*        tls_alloc_app_context() creates an application context that
151 /*        holds the SSL context for the application and related cached state.
152 /*
153 /*        tls_free_app_context() deallocates the application context and its
154 /*        contents (the application context is stored outside the TLS library).
155 /*
156 /*        tls_alloc_sess_context() creates an initialized TLS session context
157 /*        structure with the specified log mask and peer name[addr].
158 /*
159 /*        tls_free_context() destroys a TLScontext structure
160 /*        together with OpenSSL structures that are attached to it.
161 /*
162 /*        tls_check_version() logs a warning when the run-time OpenSSL
163 /*        library differs in its major, minor or micro number from
164 /*        the compile-time OpenSSL headers.
165 /*
166 /*        tls_bug_bits() returns the bug compatibility mask appropriate
167 /*        for the run-time library. Some of the bug work-arounds are
168 /*        not appropriate for some library versions.
169 /*
170 /*        tls_param_init() loads main.cf parameters used internally in
171 /*        TLS library. Any errors are fatal.
172 /*
173 /*        tls_library_init() initializes the OpenSSL library, optionally
174 /*        loading an OpenSSL configuration file.
175 /*
176 /*        tls_pre_jail_init() opens any tables that need to be opened before
177 /*        entering a chroot jail. The "role" parameter must be TLS_ROLE_CLIENT
178 /*        for clients and TLS_ROLE_SERVER for servers. Any errors are fatal.
179 /*
180 /*        tls_proto_mask_lims() returns a bitmask of excluded protocols, and
181 /*        the protocol version floor/ceiling, given a list (plist) of
182 /*        protocols to include or (preceded by a '!') exclude, or constraints
183 /*        of the form '>=name', '<=name', '>=hexvalue', '<=hexvalue'. If "plist"
184 /*        contains invalid protocol names, TLS_PROTOCOL_INVALID is returned and
185 /*        no warning is logged.
186 /*
187 /*        tls_cipher_grade() converts a case-insensitive cipher grade name (high,
188 /*        medium, null) to the corresponding TLS_CIPHER_ constant.  When the
189 /*        input specifies an unrecognized grade, tls_cipher_grade() logs no
190 /*        warning, and returns TLS_CIPHER_NONE.
191 /*
192 /*        str_tls_cipher_grade() converts a cipher grade to a name.
193 /*        When the input specifies an undefined grade, str_tls_cipher_grade()
194 /*        logs no warning, returns a null pointer.
195 /*
196 /*        tls_set_ciphers() applies the requested cipher grade and exclusions
197 /*        to the provided TLS session context, returning the resulting cipher
198 /*        list string.  The return value is the cipherlist used and is
199 /*        overwritten upon each call.  When the input is invalid,
200 /*        tls_set_ciphers() logs a warning, and returns a null result.
201 /*
202 /*        tls_get_signature_params() updates the "TLScontext" with handshake
203 /*        signature parameters pertaining to TLS 1.3, where the ciphersuite
204 /*        no longer describes the asymmetric algorithms employed in the
205 /*        handshake, which are negotiated separately.  This function
206 /*        has no effect for TLS 1.2 and earlier.
207 /*
208 /*        tls_print_errors() queries the OpenSSL error stack,
209 /*        logs the error messages, and clears the error stack.
210 /*
211 /*        tls_info_callback() is a call-back routine for the
212 /*        SSL_CTX_set_info_callback() routine. It logs SSL events
213 /*        to the Postfix logfile.
214 /*
215 /*        tls_bio_dump_cb() is a call-back routine for the
216 /*        BIO_set_callback() routine. It logs SSL content to the
217 /*        Postfix logfile.
218 /*
219 /*        tls_log_mask() converts a TLS log_level value from string
220 /*        to mask.  The main.cf parameter name is passed along for
221 /*        diagnostics.
222 /*
223 /*        tls_update_app_logmask() changes the log mask of the
224 /*        application TLS context to the new setting.
225 /*
226 /*        tls_validate_digest() returns a static handle for the named
227 /*        digest algorithm, or NULL on error.
228 /*
229 /*        tls_enable_client_rpk() enables the use of raw public keys in the
230 /*        client to server direction, if supported by the OpenSSL library.
231 /*
232 /*        tls_enable_server_rpk() enables the use of raw public keys in the
233 /*        server to client direction, if supported by the OpenSSL library.
234 /* LICENSE
235 /* .ad
236 /* .fi
237 /*        This software is free. You can do with it whatever you want.
238 /*        The original author kindly requests that you acknowledge
239 /*        the use of his software.
240 /* AUTHOR(S)
241 /*        Originally written by:
242 /*        Lutz Jaenicke
243 /*        BTU Cottbus
244 /*        Allgemeine Elektrotechnik
245 /*        Universitaetsplatz 3-4
246 /*        D-03044 Cottbus, Germany
247 /*
248 /*        Updated by:
249 /*        Wietse Venema
250 /*        IBM T.J. Watson Research
251 /*        P.O. Box 704
252 /*        Yorktown Heights, NY 10598, USA
253 /*
254 /*        Victor Duchovni
255 /*        Morgan Stanley
256 /*
257 /*        Wietse Venema
258 /*        Google, Inc.
259 /*        111 8th Avenue
260 /*        New York, NY 10011, USA
261 /*--*/
262 
263 /* System library. */
264 
265 #include <sys_defs.h>
266 #include <ctype.h>
267 #include <string.h>
268 
269 /* Utility library. */
270 
271 #include <vstream.h>
272 #include <msg.h>
273 #include <mymalloc.h>
274 #include <vstring.h>
275 #include <stringops.h>
276 #include <argv.h>
277 #include <name_mask.h>
278 #include <name_code.h>
279 #include <dict.h>
280 #include <valid_hostname.h>
281 
282  /*
283   * Global library.
284   */
285 #include <mail_params.h>
286 #include <mail_conf.h>
287 #include <maps.h>
288 
289  /*
290   * TLS library.
291   */
292 #define TLS_INTERNAL
293 #include <tls.h>
294 
295  /* Application-specific. */
296 
 /*
  * Tunable parameters. tls_param_init() fills these in from main.cf, except
  * var_tls_server_sni_maps, which tls_pre_jail_init() loads for the server
  * role only.
  */
char   *var_tls_cnf_file;
char   *var_tls_cnf_name;
char   *var_tls_high_clist;
char   *var_tls_medium_clist;
/* Loaded from VAR_TLS_LOW_CLIST; presumably not used further, as the name says - confirm. */
char   *var_tls_low_ignored;
/* Loaded from VAR_TLS_EXPORT_CLIST; presumably not used further, as the name says - confirm. */
char   *var_tls_export_ignored;
char   *var_tls_null_clist;
int     var_tls_daemon_rand_bytes;
char   *var_tls_eecdh_auto;
char   *var_tls_eecdh_strong;
char   *var_tls_eecdh_ultra;
char   *var_tls_ffdhe_auto;
char   *var_tls_dane_digests;
bool    var_tls_append_def_CA;
char   *var_tls_bug_tweaks;
char   *var_tls_ssl_options;
bool    var_tls_bc_pkey_fprint;
bool    var_tls_multi_wildcard;
char   *var_tls_mgr_service;
char   *var_tls_tkt_cipher;
char   *var_openssl_path;
char   *var_tls_server_sni_maps;
bool    var_tls_fast_shutdown;
bool    var_tls_preempt_clist;
324 
325 #ifdef USE_TLS
326 
 /*
  * SNI lookup tables. Set by tls_pre_jail_init() for the server role when
  * var_tls_server_sni_maps is not empty; otherwise this stays a null
  * pointer, and server_sni_callback() then ignores the client's SNI.
  */
static MAPS *tls_server_sni_maps;

 /*
  * Index to attach TLScontext pointers to SSL objects, so that they can be
  * accessed by call-back routines. Starts out as -1; the code that assigns
  * the real index is not in this part of the file.
  */
int     TLScontext_index = -1;
334 
 /*
  * Protocol name <=> mask conversion. SSLv2 and SSLv3 have entries, so they
  * can be named in a protocol list. tls_proto_mask_lims() looks names up
  * here and treats a TLS_PROTOCOL_INVALID result, the code of the
  * terminating entry, as an unknown protocol name.
  */
static const NAME_CODE protocol_table[] = {
    SSL_TXT_SSLV2, TLS_PROTOCOL_SSLv2,
    SSL_TXT_SSLV3, TLS_PROTOCOL_SSLv3,
    SSL_TXT_TLSV1, TLS_PROTOCOL_TLSv1,
    SSL_TXT_TLSV1_1, TLS_PROTOCOL_TLSv1_1,
    SSL_TXT_TLSV1_2, TLS_PROTOCOL_TLSv1_2,
    TLS_PROTOCOL_TXT_TLSV1_3, TLS_PROTOCOL_TLSv1_3,
    0, TLS_PROTOCOL_INVALID,		/* end of table */
};
347 
/*
 * Protocol name => numeric version, for MinProtocol and MaxProtocol.
 * "None" maps to 0, and there is no SSLv2 entry. parse_tls_version()
 * treats a lookup result of -1, the code of the terminating entry, as "not
 * a known name" and then tries the token as a hexadecimal number.
 */
static const NAME_CODE tls_version_table[] = {
    "None", 0,
    SSL_TXT_SSLV3, SSL3_VERSION,
    SSL_TXT_TLSV1, TLS1_VERSION,
    SSL_TXT_TLSV1_1, TLS1_1_VERSION,
    SSL_TXT_TLSV1_2, TLS1_2_VERSION,
    TLS_PROTOCOL_TXT_TLSV1_3, TLS1_3_VERSION,
    0, -1,				/* end of table */
};
360 
 /*
  * SSL_OP_MUMBLE bug work-around name <=> mask conversion.
  * 
  * NAMEBUG(x) expands to the pair: "x", SSL_OP_x. Each SSL_OP_ constant that
  * the OpenSSL headers do not define is defined here as 0, so its name
  * stays in the table but selects no option bits. An operator who names
  * such a work-around gets no effect from it with that library.
  * 
  * The two "CVE-..." entries are additional names for the mask of the entry
  * right above them.
  */
#define NAMEBUG(x)  #x, SSL_OP_##x
static const LONG_NAME_MASK ssl_bug_tweaks[] = {

#ifndef SSL_OP_MICROSOFT_SESS_ID_BUG
#define SSL_OP_MICROSOFT_SESS_ID_BUG              0
#endif
    NAMEBUG(MICROSOFT_SESS_ID_BUG),

#ifndef SSL_OP_NETSCAPE_CHALLENGE_BUG
#define SSL_OP_NETSCAPE_CHALLENGE_BUG             0
#endif
    NAMEBUG(NETSCAPE_CHALLENGE_BUG),

#ifndef SSL_OP_LEGACY_SERVER_CONNECT
#define SSL_OP_LEGACY_SERVER_CONNECT              0
#endif
    NAMEBUG(LEGACY_SERVER_CONNECT),

#ifndef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0
#endif
    NAMEBUG(NETSCAPE_REUSE_CIPHER_CHANGE_BUG),
    /* Same mask as the entry above, selectable by CVE id. */
    "CVE-2010-4180", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG,

#ifndef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG        0
#endif
    NAMEBUG(SSLREF2_REUSE_CERT_TYPE_BUG),

#ifndef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER         0
#endif
    NAMEBUG(MICROSOFT_BIG_SSLV3_BUFFER),

#ifndef SSL_OP_MSIE_SSLV2_RSA_PADDING
#define SSL_OP_MSIE_SSLV2_RSA_PADDING             0
#endif
    NAMEBUG(MSIE_SSLV2_RSA_PADDING),
    /* Same mask as the entry above, selectable by CVE id. */
    "CVE-2005-2969", SSL_OP_MSIE_SSLV2_RSA_PADDING,

#ifndef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG           0
#endif
    NAMEBUG(SSLEAY_080_CLIENT_DH_BUG),

#ifndef SSL_OP_TLS_D5_BUG
#define SSL_OP_TLS_D5_BUG                         0
#endif
    NAMEBUG(TLS_D5_BUG),

#ifndef SSL_OP_TLS_BLOCK_PADDING_BUG
#define SSL_OP_TLS_BLOCK_PADDING_BUG              0
#endif
    NAMEBUG(TLS_BLOCK_PADDING_BUG),

#ifndef SSL_OP_TLS_ROLLBACK_BUG
#define SSL_OP_TLS_ROLLBACK_BUG                             0
#endif
    NAMEBUG(TLS_ROLLBACK_BUG),

#ifndef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS        0
#endif
    NAMEBUG(DONT_INSERT_EMPTY_FRAGMENTS),

#ifndef SSL_OP_CRYPTOPRO_TLSEXT_BUG
#define SSL_OP_CRYPTOPRO_TLSEXT_BUG               0
#endif
    NAMEBUG(CRYPTOPRO_TLSEXT_BUG),

#ifndef SSL_OP_TLSEXT_PADDING
#define SSL_OP_TLSEXT_PADDING 0
#endif
    NAMEBUG(TLSEXT_PADDING),

    /* The block below is compiled out; the name is not accepted here. */
#if 0

    /*
     * XXX: New with OpenSSL 1.1.1, this is turned on implicitly in
     * SSL_CTX_new() and is not included in SSL_OP_ALL.  Allowing users to
     * disable this would thus be a code change that would require clearing
     * bug work-around bits in SSL_CTX, after setting SSL_OP_ALL.  Since this
     * is presumably required for TLS 1.3 on today's Internet, the code
     * change will be done separately later. For now this implicit bug
     * work-around cannot be disabled via supported Postfix mechanisms.
     */
#ifndef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
#define SSL_OP_ENABLE_MIDDLEBOX_COMPAT  0
#endif
    NAMEBUG(ENABLE_MIDDLEBOX_COMPAT),
#endif

    0, 0,				/* end of table */
};
458 
 /*
  * SSL_OP_MUMBLE option name <=> mask conversion for options that are not
  * (or may in the future not be) in SSL_OP_ALL.  These enable optional
  * behavior, rather than bug interoperability work-arounds.
  * 
  * NAME_SSL_OP(x) expands to the pair: "x", SSL_OP_x. As in ssl_bug_tweaks,
  * a constant that the OpenSSL headers lack is defined as 0, so the name is
  * still listed but selects no option bits. A hardening option such as
  * NO_RENEGOTIATION or NO_COMPRESSION therefore has no effect when the
  * headers do not provide it.
  * 
  * LEGACY_SERVER_CONNECT is also listed in ssl_bug_tweaks, and
  * ENABLE_MIDDLEBOX_COMPAT is listed here while its ssl_bug_tweaks entry is
  * compiled out.
  */
#define NAME_SSL_OP(x)        #x, SSL_OP_##x
static const LONG_NAME_MASK ssl_op_tweaks[] = {

#ifndef SSL_OP_LEGACY_SERVER_CONNECT
#define SSL_OP_LEGACY_SERVER_CONNECT    0
#endif
    NAME_SSL_OP(LEGACY_SERVER_CONNECT),

#ifndef SSL_OP_NO_TICKET
#define SSL_OP_NO_TICKET                0
#endif
    NAME_SSL_OP(NO_TICKET),

#ifndef SSL_OP_NO_COMPRESSION
#define SSL_OP_NO_COMPRESSION           0
#endif
    NAME_SSL_OP(NO_COMPRESSION),

#ifndef SSL_OP_NO_RENEGOTIATION
#define SSL_OP_NO_RENEGOTIATION                   0
#endif
    NAME_SSL_OP(NO_RENEGOTIATION),

#ifndef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION       0
#endif
    NAME_SSL_OP(NO_SESSION_RESUMPTION_ON_RENEGOTIATION),

#ifndef SSL_OP_PRIORITIZE_CHACHA
#define SSL_OP_PRIORITIZE_CHACHA        0
#endif
    NAME_SSL_OP(PRIORITIZE_CHACHA),

#ifndef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
#define SSL_OP_ENABLE_MIDDLEBOX_COMPAT  0
#endif
    NAME_SSL_OP(ENABLE_MIDDLEBOX_COMPAT),

    0, 0,				/* end of table */
};
504 
505  /*
506   * Once these have been a NOOP long enough, they might some day be removed
507   * from OpenSSL.  The defines below will avoid bitrot issues if/when that
508   * happens.
509   */
510 #ifndef SSL_OP_SINGLE_DH_USE
511 #define SSL_OP_SINGLE_DH_USE 0
512 #endif
513 #ifndef SSL_OP_SINGLE_ECDH_USE
514 #define SSL_OP_SINGLE_ECDH_USE 0
515 #endif
516 
 /*
  * Cipher grade name <=> code conversion. "low" and "export" are still
  * accepted as names, but carry the same code as "medium", so no grade
  * below medium (other than "null") can be selected through this table.
  * Both "invalid" and the terminating entry carry TLS_CIPHER_NONE.
  */
const NAME_CODE tls_cipher_grade_table[] = {
    "high", TLS_CIPHER_HIGH,
    "medium", TLS_CIPHER_MEDIUM,
    "low", TLS_CIPHER_MEDIUM,		/* legacy name, resolves to medium */
    "export", TLS_CIPHER_MEDIUM,	/* legacy name, resolves to medium */
    "null", TLS_CIPHER_NULL,
    "invalid", TLS_CIPHER_NONE,
    0, TLS_CIPHER_NONE,			/* end of table */
};
529 
 /*
  * Log keyword <=> mask conversion. TLS_LOG_2 through TLS_LOG_4 each include
  * the level before them. Levels 3 and up, and the two "...-packet-dump"
  * keywords, turn on TLS_LOG_TLSPKTS and/or TLS_LOG_ALLPKTS.
  * 
  * NOTE(review): those two bits presumably drive tls_bio_dump_cb(), which
  * this file's header describes as logging SSL content to the Postfix
  * logfile. Confirm against the callback, and treat logs written at those
  * levels as sensitive.
  */
#define TLS_LOG_0 TLS_LOG_NONE
#define TLS_LOG_1 TLS_LOG_SUMMARY
#define TLS_LOG_2 (TLS_LOG_1 | TLS_LOG_VERBOSE | TLS_LOG_CACHE | TLS_LOG_DEBUG)
#define TLS_LOG_3 (TLS_LOG_2 | TLS_LOG_TLSPKTS)
#define TLS_LOG_4 (TLS_LOG_3 | TLS_LOG_ALLPKTS)

static const NAME_MASK tls_log_table[] = {
    "0", TLS_LOG_0,
    "none", TLS_LOG_NONE,
    "1", TLS_LOG_1,
    "routine", TLS_LOG_1,
    "2", TLS_LOG_2,
    "debug", TLS_LOG_2,
    "3", TLS_LOG_3,
    "ssl-expert", TLS_LOG_3,
    "4", TLS_LOG_4,
    "ssl-developer", TLS_LOG_4,
    "5", TLS_LOG_4,                     /* for good measure */
    "6", TLS_LOG_4,                     /* for good measure */
    "7", TLS_LOG_4,                     /* for good measure */
    "8", TLS_LOG_4,                     /* for good measure */
    "9", TLS_LOG_4,                     /* for good measure */
    "summary", TLS_LOG_SUMMARY,
    "untrusted", TLS_LOG_UNTRUSTED,
    "peercert", TLS_LOG_PEERCERT,
    "certmatch", TLS_LOG_CERTMATCH,
    "verbose", TLS_LOG_VERBOSE,                   /* Postfix TLS library verbose */
    "cache", TLS_LOG_CACHE,
    "dane", TLS_LOG_DANE,               /* DANE policy construction */
    "ssl-debug", TLS_LOG_DEBUG,                   /* SSL library debug/verbose */
    "ssl-handshake-packet-dump", TLS_LOG_TLSPKTS,
    "ssl-session-packet-dump", TLS_LOG_TLSPKTS | TLS_LOG_ALLPKTS,
    0, 0,				/* end of table */
};
567 
 /*
  * Parsed OpenSSL version number. Per this file's header,
  * tls_check_version() compares the major, minor and micro numbers of the
  * run-time library with those of the compile-time headers. How "patch" and
  * "status" are used is not shown in this part of the file.
  */
typedef struct {
    int     major;
    int     minor;
    int     micro;
    int     patch;
    int     status;
} TLS_VINFO;
578 
/* tls_log_mask - Convert user TLS loglevel to internal log feature mask */

int     tls_log_mask(const char *log_param, const char *log_level)
{

    /*
     * Look the keywords up in tls_log_table without regard to case. The
     * parameter name is passed along so that diagnostics can name the
     * offending main.cf setting. NAME_MASK_RETURN is requested, so a bad
     * keyword is presumably reported through the return value rather than
     * being fatal; callers should check the result.
     */
    return (name_mask_opt(log_param, tls_log_table, log_level,
                          NAME_MASK_ANY_CASE | NAME_MASK_RETURN));
}
589 
/* tls_update_app_logmask - update log level after init */

void    tls_update_app_logmask(TLS_APPL_STATE *app_ctx, int log_mask)
{

    /*
     * Replace, not merge: the mask previously stored in the application
     * context is discarded. The context pointer is used as is; the caller
     * must pass a valid one.
     */
    app_ctx->log_mask = log_mask;
}
596 
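/* parse_tls_version - parse TLS protocol version name or hex number */

static int parse_tls_version(const char *tok, int *version)
{
    int     code = name_code(tls_version_table, NAME_CODE_FLAG_NONE, tok);
    char   *end;
    unsigned long ulval;

    /*
     * Returns 0 and stores the version in *version, or returns
     * TLS_PROTOCOL_INVALID and leaves *version untouched.
     * 
     * A name from tls_version_table takes precedence over numeric parsing.
     */
    if (code != -1) {
        *version = code;
        return (0);
    }

    /*
     * Otherwise the token must be a complete hexadecimal number that fits
     * in an int. strtoul() signals "no digits at all" only through the end
     * pointer, so an empty token (a bare ">=" or "<=" in the protocol list)
     * is rejected explicitly. Without that check it would be stored as 0,
     * the same value as the name "None", and a mistyped bound would
     * silently become no bound at all.
     */
    errno = 0;
    ulval = strtoul(tok, &end, 16);
    if (end == tok
        || *end != 0
        || (ulval == ULONG_MAX && errno == ERANGE)
        || ulval > INT_MAX)
        return TLS_PROTOCOL_INVALID;

    *version = (int) ulval;
    return (0);
}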
619 
/* tls_proto_mask_lims - protocols to exclude and floor/ceiling */

int     tls_proto_mask_lims(const char *plist, int *floor, int *ceiling)
{
    char   *copy;
    char   *next;
    char   *tok;
    int     code;
    int     excl_mask = 0;
    int     incl_mask = 0;

#define FREE_AND_RETURN(ptr, res) do { \
        myfree(ptr); \
        return (res); \
    } while (0)

    /*
     * Both limits start out as 0. They are updated token by token, so when
     * the result is TLS_PROTOCOL_INVALID they may already hold values from
     * earlier tokens; callers must not use them in that case.
     */
    *ceiling = 0;
    *floor = 0;

    /* mystrtok() modifies its input, therefore work on a private copy. */
    copy = next = mystrdup(plist);
    for (tok = mystrtok(&next, CHARS_COMMA_SP ":"); tok != 0;
         tok = mystrtok(&next, CHARS_COMMA_SP ":")) {
        if (strncmp(tok, ">=", 2) == 0) {
            code = parse_tls_version(tok + 2, floor);
        } else if (strncmp(tok, "<=", 2) == 0) {
            code = parse_tls_version(tok + 2, ceiling);
        } else if (*tok == '!') {
            code = name_code(protocol_table, NAME_CODE_FLAG_NONE, tok + 1);
            excl_mask |= code;
        } else {
            code = name_code(protocol_table, NAME_CODE_FLAG_NONE, tok);
            incl_mask |= code;
        }
        /* One bad token invalidates the whole list. */
        if (code == TLS_PROTOCOL_INVALID)
            FREE_AND_RETURN(copy, TLS_PROTOCOL_INVALID);
    }

    /*
     * Without explicit inclusions, only the explicit exclusions apply. With
     * inclusions, every known protocol that was not included is excluded as
     * well. Protocols unknown at compile time cannot be excluded this way,
     * because the OpenSSL API works with compile-time *exclusion* bit-masks.
     */
    if (incl_mask != 0)
        excl_mask |= TLS_KNOWN_PROTOCOLS & ~incl_mask;
    FREE_AND_RETURN(copy, excl_mask);
}
664 
/* tls_param_init - Load TLS related config parameters */

void    tls_param_init(void)
{
    static int init_done;

    /*
     * NOTE(review): the last two columns of the string and integer tables
     * are presumably the minimum and maximum length or value. Rows with a 1
     * in the first of them would then reject an empty setting. Confirm
     * against the CONFIG_STR_TABLE and CONFIG_INT_TABLE declarations.
     */

    /* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */
    static const CONFIG_STR_TABLE str_table[] = {
        VAR_TLS_CNF_FILE, DEF_TLS_CNF_FILE, &var_tls_cnf_file, 0, 0,
        VAR_TLS_CNF_NAME, DEF_TLS_CNF_NAME, &var_tls_cnf_name, 0, 0,
        VAR_TLS_HIGH_CLIST, DEF_TLS_HIGH_CLIST, &var_tls_high_clist, 1, 0,
        VAR_TLS_MEDIUM_CLIST, DEF_TLS_MEDIUM_CLIST, &var_tls_medium_clist, 1, 0,
        VAR_TLS_LOW_CLIST, DEF_TLS_LOW_CLIST, &var_tls_low_ignored, 0, 0,
        VAR_TLS_EXPORT_CLIST, DEF_TLS_EXPORT_CLIST, &var_tls_export_ignored, 0, 0,
        VAR_TLS_NULL_CLIST, DEF_TLS_NULL_CLIST, &var_tls_null_clist, 1, 0,
        VAR_TLS_EECDH_AUTO, DEF_TLS_EECDH_AUTO, &var_tls_eecdh_auto, 0, 0,
        VAR_TLS_EECDH_STRONG, DEF_TLS_EECDH_STRONG, &var_tls_eecdh_strong, 0, 0,
        VAR_TLS_EECDH_ULTRA, DEF_TLS_EECDH_ULTRA, &var_tls_eecdh_ultra, 0, 0,
        VAR_TLS_FFDHE_AUTO, DEF_TLS_FFDHE_AUTO, &var_tls_ffdhe_auto, 0, 0,
        VAR_TLS_BUG_TWEAKS, DEF_TLS_BUG_TWEAKS, &var_tls_bug_tweaks, 0, 0,
        VAR_TLS_SSL_OPTIONS, DEF_TLS_SSL_OPTIONS, &var_tls_ssl_options, 0, 0,
        VAR_TLS_DANE_DIGESTS, DEF_TLS_DANE_DIGESTS, &var_tls_dane_digests, 1, 0,
        VAR_TLS_MGR_SERVICE, DEF_TLS_MGR_SERVICE, &var_tls_mgr_service, 1, 0,
        VAR_TLS_TKT_CIPHER, DEF_TLS_TKT_CIPHER, &var_tls_tkt_cipher, 0, 0,
        VAR_OPENSSL_PATH, DEF_OPENSSL_PATH, &var_openssl_path, 1, 0,
        0,
    };

    /* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */
    static const CONFIG_INT_TABLE int_table[] = {
        VAR_TLS_DAEMON_RAND_BYTES, DEF_TLS_DAEMON_RAND_BYTES, &var_tls_daemon_rand_bytes, 1, 0,
        0,
    };

    /* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */
    static const CONFIG_BOOL_TABLE bool_table[] = {
        VAR_TLS_APPEND_DEF_CA, DEF_TLS_APPEND_DEF_CA, &var_tls_append_def_CA,
        VAR_TLS_BC_PKEY_FPRINT, DEF_TLS_BC_PKEY_FPRINT, &var_tls_bc_pkey_fprint,
        VAR_TLS_PREEMPT_CLIST, DEF_TLS_PREEMPT_CLIST, &var_tls_preempt_clist,
        VAR_TLS_MULTI_WILDCARD, DEF_TLS_MULTI_WILDCARD, &var_tls_multi_wildcard,
        VAR_TLS_FAST_SHUTDOWN, DEF_TLS_FAST_SHUTDOWN, &var_tls_fast_shutdown,
        0,
    };

    /*
     * Load the tables only on the first call; later calls do nothing. The
     * flag is set before loading, exactly once per process.
     */
    if (!init_done) {
        init_done = 1;
        get_mail_conf_str_table(str_table);
        get_mail_conf_int_table(int_table);
        get_mail_conf_bool_table(bool_table);
    }
}
716 
/* tls_library_init - perform OpenSSL library initialization */

 /*
  * Returns TLS_LIB_INIT_OK (1) or TLS_LIB_INIT_ERR (0). The outcome of the
  * first call is kept in a static variable and returned unchanged by every
  * later call. Every error path logs a warning that ends in "disabling TLS
  * support".
  */
int     tls_library_init(void)
{
    OPENSSL_INIT_SETTINGS *init_settings;
    /* An empty var_tls_cnf_name means: pass no application name to OpenSSL. */
    char   *conf_name = *var_tls_cnf_name ? var_tls_cnf_name : 0;
    char   *conf_file = 0;
    unsigned long init_opts = 0;

#define TLS_LIB_INIT_TODO     (-1)
#define TLS_LIB_INIT_ERR      (0)
#define TLS_LIB_INIT_OK                 (1)

    static int init_res = TLS_LIB_INIT_TODO;

    /* Already initialized (or already failed): report the cached result. */
    if (init_res != TLS_LIB_INIT_TODO)
          return (init_res);

    /*
     * Backwards compatibility: skip this function unless the Postfix
     * configuration actually has non-default tls_config_xxx settings.
     * On this path OPENSSL_init_ssl() is not called from here.
     */
    if (strcmp(var_tls_cnf_file, DEF_TLS_CNF_FILE) == 0
          && strcmp(var_tls_cnf_name, DEF_TLS_CNF_NAME) == 0) {
          if (msg_verbose)
              msg_info("tls_library_init: using backwards-compatible defaults");
          return (init_res = TLS_LIB_INIT_OK);
    }
    if ((init_settings = OPENSSL_INIT_new()) == 0) {
          msg_warn("error allocating OpenSSL init settings, "
                     "disabling TLS support");
          return (init_res = TLS_LIB_INIT_ERR);
    }
    /* From here on, every exit releases init_settings and caches the result. */
#define TLS_LIB_INIT_RETURN(x) \
    do { OPENSSL_INIT_free(init_settings); return (init_res = (x)); } while(0)

#if OPENSSL_VERSION_NUMBER < 0x1010102fL

    /*
     * OpenSSL 1.1.0 through 1.1.1a, no support for custom configuration
     * files, disabling loading of the file, or getting strict error
     * handling.  Thus, the only supported configuration file is "default".
     */
    if (strcmp(var_tls_cnf_file, "default") != 0) {
          msg_warn("non-default %s = %s requires OpenSSL 1.1.1b or later, "
                 "disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file);
          TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR);
    }
#else
    {
          unsigned long file_flags = 0;

          /*-
           * OpenSSL 1.1.1b or later:
           * We can now use a non-default configuration file, or
           * use none at all.  We can also request strict error
           * reporting.
           */
          if (strcmp(var_tls_cnf_file, "none") == 0) {
              /* No configuration file is loaded at all. */
              init_opts |= OPENSSL_INIT_NO_LOAD_CONFIG;
          } else if (strcmp(var_tls_cnf_file, "default") == 0) {

              /*
               * The default global config file is optional.  With "default"
               * initialization we don't insist on a match for the requested
               * application name, allowing fallback to the default application
               * name, even when a non-default application name is specified.
               * Errors in loading the default configuration are ignored.
               */
              conf_file = 0;
              file_flags |= CONF_MFLAGS_IGNORE_MISSING_FILE;
              file_flags |= CONF_MFLAGS_DEFAULT_SECTION;
              file_flags |= CONF_MFLAGS_IGNORE_RETURN_CODES | CONF_MFLAGS_SILENT;
          } else if (*var_tls_cnf_file == '/') {

              /*
               * A custom config file must be present, error reporting is
               * strict and the configuration section for the requested
               * application name does not fall back to "openssl_conf" when
               * missing.
               * 
               * Only the leading '/' is checked here; the pathname is
               * otherwise handed to OpenSSL as configured.
               */
              conf_file = var_tls_cnf_file;
          } else {
              /* Relative pathnames are refused rather than resolved. */
              msg_warn("non-default %s = %s is not an absolute pathname, "
                 "disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file);
              TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR);
          }

          OPENSSL_INIT_set_config_file_flags(init_settings, file_flags);
    }
#endif

    /*
     * NOTE(review): the results of the two setters below are not checked.
     * If either can fail, initialization would continue without the
     * requested file or section - confirm against the OpenSSL API and
     * consider treating a failure as TLS_LIB_INIT_ERR.
     */
    if (conf_file)
          OPENSSL_INIT_set_config_filename(init_settings, conf_file);
    if (conf_name)
          OPENSSL_INIT_set_config_appname(init_settings, conf_name);

    if (OPENSSL_init_ssl(init_opts, init_settings) <= 0) {
          /* Pick the warning that matches whether a config load was attempted. */
          if ((init_opts & OPENSSL_INIT_NO_LOAD_CONFIG) == 0)
              msg_warn("error loading the '%s' settings from the %s OpenSSL "
                         "configuration file, disabling TLS support",
                         conf_name ? conf_name : "global",
                         conf_file ? conf_file : "default");
          else
              msg_warn("error initializing the OpenSSL library, "
                         "disabling TLS support");
          /* Log the OpenSSL error stack, then clear it. */
          tls_print_errors();
          TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR);
    }
    TLS_LIB_INIT_RETURN(TLS_LIB_INIT_OK);
}
828 
/* tls_pre_jail_init - Load TLS related pre-jail tables */

void    tls_pre_jail_init(TLS_ROLE role)
{
    static const CONFIG_STR_TABLE str_table[] = {
        VAR_TLS_SERVER_SNI_MAPS, DEF_TLS_SERVER_SNI_MAPS, &var_tls_server_sni_maps, 0, 0,
        0,
    };

    /* The shared TLS parameters are needed by clients and servers alike. */
    tls_param_init();

    /* Nothing for clients at this time */
    if (role == TLS_ROLE_SERVER) {
        get_mail_conf_str_table(str_table);

        /*
         * Open the SNI tables only when some are configured, so that
         * tls_server_sni_maps stays null otherwise. Per this file's header,
         * this must happen before entering a chroot jail.
         */
        if (*var_tls_server_sni_maps != 0)
            tls_server_sni_maps =
                maps_create(VAR_TLS_SERVER_SNI_MAPS, var_tls_server_sni_maps,
                            DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX
                            | DICT_FLAG_SRC_RHS_IS_FILE);
    }
}
853 
854 /* server_sni_callback - process client's SNI extension */
855 
static int server_sni_callback(SSL *ssl, int *alert, void *arg)
{

    /*
     * OpenSSL servername callback. "arg" is the SSL_CTX that was registered
     * together with this callback; on a successful match the connection is
     * switched to that context and the PEM chain found for the name is
     * loaded into it.
     * 
     * Returns SSL_TLSEXT_ERR_OK when a chain was selected,
     * SSL_TLSEXT_ERR_NOACK when the name is ignored or not matched (the
     * default chain stays in effect), and SSL_TLSEXT_ERR_ALERT_FATAL with
     * *alert set to an internal error when the table lookup or the chain
     * load fails.
     * 
     * The SNI value is chosen by the remote peer. It is checked with
     * valid_hostname() before it is used as a lookup key or stored in the
     * session state.
     */
    SSL_CTX *chain_ctx = (SSL_CTX *) arg;
    TLS_SESS_STATE *state = SSL_get_ex_data(ssl, TLScontext_index);
    const char *sni = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
    const char *key;
    const char *pem = 0;

    /* No SNI context, no SNI tables, or no name: nothing to select. */
    if (chain_ctx == 0 || tls_server_sni_maps == 0 || sni == 0 || *sni == 0)
        return SSL_TLSEXT_ERR_NOACK;

    /*
     * Reject malformed names up front. NOTE(review): the rejected name is
     * still written to the log; presumably the msg(3) layer neutralizes
     * non-printable bytes - confirm.
     */
    if (!valid_hostname(sni, DONT_GRIPE)) {
        msg_warn("TLS SNI from %s is invalid: %s",
                 state->namaddr, sni);
        return SSL_TLSEXT_ERR_NOACK;
    }

    /*
     * With TLS 1.3 the server may answer an unsupported key share with a
     * HelloRetryRequest (HRR), and the client then retries with a key share
     * on a supported curve. The SNI callback therefore can run twice for
     * one connection.
     * 
     * The client MUST send essentially the same hello message, including the
     * SNI name. The chain was already loaded during the first run, so when
     * a peer SNI name is on record we only verify that it is unchanged. A
     * changed name is logged and declined; the chain selected for the first
     * name stays in place.
     */
    if (state->peer_sni != 0) {
        if (strcmp(sni, state->peer_sni) != 0) {
            msg_warn("TLS SNI changed from %s initially %s, %s after hello retry",
                     state->namaddr, state->peer_sni, sni);
            return SSL_TLSEXT_ERR_NOACK;
        }
        return SSL_TLSEXT_ERR_OK;
    }

    /*
     * Look up the full name first, then each parent domain with its leading
     * dot (".example.com"), stopping at the first match or lookup error.
     * Don't silently skip maps opened with the wrong flags.
     */
    for (key = sni; key != 0; key = strchr(key + 1, '.')) {
        pem = maps_file_find(tls_server_sni_maps, key, 0);
        if (pem != 0 || tls_server_sni_maps->error)
            break;
    }

    if (pem == 0) {
        if (tls_server_sni_maps->error) {
            msg_warn("%s: %s map lookup problem",
                     tls_server_sni_maps->title, sni);
            *alert = SSL_AD_INTERNAL_ERROR;
            return SSL_TLSEXT_ERR_ALERT_FATAL;
        }
        msg_info("TLS SNI %s from %s not matched, using default chain",
                 sni, state->namaddr);

        /*
         * XXX: We could lie and pretend to accept the name, but since the
         * callback previously was not implemented (with OpenSSL then
         * declining the extension), and nothing bad happened, declining it
         * explicitly should be safe.
         */
        return SSL_TLSEXT_ERR_NOACK;
    }

    /* Switch to the SNI context, then load the matched chain into it. */
    SSL_set_SSL_CTX(ssl, chain_ctx);
    if (tls_load_pem_chain(ssl, pem, sni) != 0) {
        /* errors already logged */
        *alert = SSL_AD_INTERNAL_ERROR;
        return SSL_TLSEXT_ERR_ALERT_FATAL;
    }
    /* Record the accepted name only after the chain load succeeded. */
    state->peer_sni = mystrdup(sni);
    return SSL_TLSEXT_ERR_OK;
}
928 
929 /* tls_set_ciphers - Set SSL context cipher list */
930 
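const char *tls_set_ciphers(TLS_SESS_STATE *TLScontext, const char *grade,
                                    const char *exclusions)
{

    /*
     * Build the OpenSSL cipher string for the requested grade, append each
     * local exclusion as a ":!name" element, and apply the result to
     * TLScontext->con.
     * 
     * Returns the applied cipher string, or null after logging a warning when
     * the grade is invalid, when an exclusion starts with a cipherlist
     * modifier, or when OpenSSL rejects the list. The result points into a
     * static buffer that is overwritten by the next call.
     */
    const char *myname = "tls_set_ciphers";
    static VSTRING *buf;
    char   *save;
    char   *cp;
    char   *tok;

    if (buf == 0)
        buf = vstring_alloc(10);
    VSTRING_RESET(buf);

    switch (tls_cipher_grade(grade)) {
    case TLS_CIPHER_NONE:
        msg_warn("%s: invalid cipher grade: \"%s\"",
                 TLScontext->namaddr, grade);
        return (0);
    case TLS_CIPHER_HIGH:
        vstring_strcpy(buf, var_tls_high_clist);
        break;
    case TLS_CIPHER_MEDIUM:
        vstring_strcpy(buf, var_tls_medium_clist);
        break;
    case TLS_CIPHER_NULL:
        vstring_strcpy(buf, var_tls_null_clist);
        break;
    default:
        /* Internal error, valid grade, but missing case label. */
        msg_panic("%s: unexpected cipher grade: %s", myname, grade);
    }

    /*
     * The base lists for each grade can't be empty.
     */
    if (VSTRING_LEN(buf) == 0)
        msg_panic("%s: empty \"%s\" cipherlist", myname, grade);

    /*
     * Apply locally-specified exclusions.
     */
#define CIPHER_SEP CHARS_COMMA_SP ":"
    if (exclusions != 0) {
        cp = save = mystrdup(exclusions);
        while ((tok = mystrtok(&cp, CIPHER_SEP)) != 0) {

            /*
             * Can't exclude ciphers that start with modifiers: a leading
             * '!', '+', '-' or '@' would change the meaning of the ":!"
             * prefix that is added below.
             */
            if (strchr("!+-@", *tok)) {
                msg_warn("%s: invalid unary '!+-@' in cipher exclusion: %s",
                         TLScontext->namaddr, tok);
                /* tok points into save, so release it after logging. */
                myfree(save);
                return (0);
            }
            vstring_sprintf_append(buf, ":!%s", tok);
        }
        myfree(save);
    }

    /* Start with an empty error queue, so that a failure reports only its own errors. */
    ERR_clear_error();
    if (SSL_set_cipher_list(TLScontext->con, vstring_str(buf)) == 0) {
        msg_warn("%s: error setting cipher grade: \"%s\"",
                 TLScontext->namaddr, grade);
        tls_print_errors();
        return (0);
    }
    return (vstring_str(buf));
}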
998 
999 /* ec_curve_name - copy EC key curve group name */
1000 
1001 #ifndef OPENSSL_NO_EC
static char *ec_curve_name(EVP_PKEY *pkey)
{

    /*
     * Return a heap-allocated copy of the curve (group) name of an EC key,
     * or null when no name is available. The caller owns the result.
     */
#if OPENSSL_VERSION_PREREQ(3,0)
    char   *name;
    size_t  size;

    /* The first call asks only for the length of the name. */
    if (!EVP_PKEY_get_group_name(pkey, 0, 0, &size))
        return (0);

    /* One extra byte, presumably for the string terminator. */
    size += 1;
    name = mymalloc(size);
    if (EVP_PKEY_get_group_name(pkey, name, size, 0))
        return (name);

    /* The second call failed, don't hand out an unfilled buffer. */
    myfree(name);
    return (0);
#else
    EC_KEY *eckey = EVP_PKEY_get0_EC_KEY(pkey);
    int     nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey));
    const char *label = EC_curve_nid2nist(nid);

    /* Prefer the NIST name, fall back to the OpenSSL short name. */
    if (label == 0)
        label = OBJ_nid2sn(nid);
    return (label != 0 ? mystrdup(label) : 0);
#endif
}
1028 
1029 #endif
1030 
1031 /* tls_get_signature_params - TLS 1.3 signature details */
1032 
void    tls_get_signature_params(TLS_SESS_STATE *TLScontext)
{

    /*
     * Record TLS 1.3 key exchange and signature details in TLScontext: the
     * key exchange name, curve or bit count, and for each end of the
     * connection the signature algorithm name, curve or bit count, digest
     * and raw-public-key indicator. Does nothing for sessions below TLS
     * 1.3, and stops after the key exchange details for resumed sessions.
     * 
     * Names are stored as fresh copies (mystrdup). Curve names come from
     * ec_curve_name(), which already returns heap memory; those pointers
     * are stored as-is, so ownership moves to TLScontext.
     * 
     * NOTE(review): the fields are assigned without releasing an earlier
     * value, so this presumably runs once per session - confirm at the call
     * sites.
     */
    const char *kex_name = 0;
    const char *locl_sig_name = 0;
    const char *locl_sig_dgst = 0;
    const char *peer_sig_name = 0;
    const char *peer_sig_dgst = 0;
    char   *kex_curve = 0;
    char   *locl_sig_curve = 0;
    char   *peer_sig_curve = 0;
    int     nid;
    SSL    *ssl = TLScontext->con;
    int     srvr = SSL_is_server(ssl);
    EVP_PKEY *dh_pkey = 0;
    EVP_PKEY *local_pkey = 0;
    X509   *peer_cert;
    EVP_PKEY *peer_pkey = 0;

    /*
     * SIG_PROP(c, s, p) is an lvalue: the srvr_sig_<p> member of c when s is
     * true, otherwise the clnt_sig_<p> member.
     */
#define SIG_PROP(c, s, p) (*((s) ? &c->srvr_sig_##p : &c->clnt_sig_##p))

    if (SSL_version(ssl) < TLS1_3_VERSION)
        return;

    /*
     * On the client side, a TLS 1.3 KEM has no server key, just ciphertext
     * to decapsulate, but, as of OpenSSL 3.0, the client can still obtain
     * the negotiated group name directly.
     */
    /* kex_name is still null at this point, so this test always succeeds. */
    if (!kex_name)
        kex_name = TLS_GROUP_NAME(ssl);

    /*
     * Fall back to the type of the peer's ephemeral key when no group name
     * was obtained above. NOTE(review): TLS_GROUP_NAME() is defined
     * elsewhere; presumably it yields null with older OpenSSL - confirm.
     */
    if (kex_name == NULL && tls_get_peer_dh_pubkey(ssl, &dh_pkey)) {
        switch (nid = EVP_PKEY_id(dh_pkey)) {
        default:
            kex_name = OBJ_nid2sn(EVP_PKEY_type(nid));
            break;

#if defined(EVP_PKEY_KEYMGMT)
        case EVP_PKEY_KEYMGMT:
            kex_name = EVP_PKEY_get0_type_name(dh_pkey);
            TLScontext->kex_bits = 0;
            break;
#endif

        case EVP_PKEY_DH:
            kex_name = "DHE";
            TLScontext->kex_bits = EVP_PKEY_bits(dh_pkey);
            break;

#ifndef OPENSSL_NO_EC
        case EVP_PKEY_EC:
            kex_name = "ECDHE";
            kex_curve = ec_curve_name(dh_pkey);
            break;
#endif
        }
    }
    if (kex_name) {
        TLScontext->kex_name = mystrdup(kex_name);
        TLScontext->kex_curve = kex_curve;
    }
    /* Not a problem if NULL */
    EVP_PKEY_free(dh_pkey);

    /* Resumption makes no use of signature keys or digests */
    if (TLScontext->session_reused)
        return;

    /*
     * On the client end, the certificate may be present, but not used, so we
     * check via SSL_get_signature_nid().  This means that local signature
     * data on clients requires at least 1.1.1a.
     */
    if (srvr || SSL_get_signature_nid(ssl, &nid)) {
        /* Only the key type, size and curve name are read from this key. */
        local_pkey = SSL_get_privatekey(ssl);
    }
    /* Signature algorithms for the local end of the connection */
    if (local_pkey) {
#if OPENSSL_VERSION_PREREQ(3,2)
        /* Note whether the local end presented a raw public key. */
        if (srvr)
            TLScontext->stoc_rpk = TLSEXT_cert_type_rpk ==
                SSL_get_negotiated_server_cert_type(ssl);
        else
            TLScontext->ctos_rpk = TLSEXT_cert_type_rpk ==
                SSL_get_negotiated_client_cert_type(ssl);
#endif

        /*
         * Override the built-in name for the "ECDSA" algorithms OID, with
         * the more familiar name.  For "RSA" keys report "RSA-PSS", which
         * must be used with TLS 1.3.
         */
        if ((nid = EVP_PKEY_id(local_pkey)) != NID_undef) {
            switch (nid) {
            default:
                if ((nid = EVP_PKEY_type(nid)) != NID_undef)
                    locl_sig_name = OBJ_nid2sn(nid);
                break;

#if defined(EVP_PKEY_KEYMGMT)
            case EVP_PKEY_KEYMGMT:
                locl_sig_name = EVP_PKEY_get0_type_name(local_pkey);
                break;
#endif

            case EVP_PKEY_RSA:
                /* For RSA, TLS 1.3 mandates PSS signatures */
                locl_sig_name = "RSA-PSS";
                SIG_PROP(TLScontext, srvr, bits) = EVP_PKEY_bits(local_pkey);
                break;

#ifndef OPENSSL_NO_EC
            case EVP_PKEY_EC:
                locl_sig_name = "ECDSA";
                locl_sig_curve = ec_curve_name(local_pkey);
                break;
#endif
            }
        }

        /*
         * With Ed25519 and Ed448 there is no pre-signature digest, but the
         * accessor does not fail, rather we get NID_undef.
         */
        if (SSL_get_signature_nid(ssl, &nid) && nid != NID_undef)
            locl_sig_dgst = OBJ_nid2sn(nid);

        /* The local end is the server when srvr is true, else the client. */
        if (locl_sig_name) {
            SIG_PROP(TLScontext, srvr, name) = mystrdup(locl_sig_name);
            SIG_PROP(TLScontext, srvr, curve) = locl_sig_curve;
            if (locl_sig_dgst)
                SIG_PROP(TLScontext, srvr, dgst) = mystrdup(locl_sig_dgst);
        }
    }

    /*
     * Peer key: taken from the peer certificate when there is one, otherwise
     * (OpenSSL 3.2 and later) from the peer's raw public key. peer_pkey is
     * not freed in this function. NOTE(review): TLS_PEEK_PEER_CERT() and
     * TLS_FREE_PEER_CERT() are defined elsewhere; whether the latter drops
     * a reference depends on the OpenSSL version - confirm.
     */
    peer_cert = TLS_PEEK_PEER_CERT(ssl);
    if (peer_cert != 0) {
        peer_pkey = X509_get0_pubkey(peer_cert);
    }
#if OPENSSL_VERSION_PREREQ(3,2)
    else {
        peer_pkey = SSL_get0_peer_rpk(ssl);
    }
#endif

    /* Signature algorithms for the peer end of the connection */
    if (peer_pkey != 0) {
#if OPENSSL_VERSION_PREREQ(3,2)
        /* Mirror image of the local case: the peer of a server is a client. */
        if (srvr)
            TLScontext->ctos_rpk = TLSEXT_cert_type_rpk ==
                SSL_get_negotiated_client_cert_type(ssl);
        else
            TLScontext->stoc_rpk = TLSEXT_cert_type_rpk ==
                SSL_get_negotiated_server_cert_type(ssl);
#endif

        /*
         * Override the built-in name for the "ECDSA" algorithms OID, with
         * the more familiar name.  For "RSA" keys report "RSA-PSS", which
         * must be used with TLS 1.3.
         */
        if ((nid = EVP_PKEY_id(peer_pkey)) != NID_undef) {
            switch (nid) {
            default:
                if ((nid = EVP_PKEY_type(nid)) != NID_undef)
                    peer_sig_name = OBJ_nid2sn(nid);
                break;

#if defined(EVP_PKEY_KEYMGMT)
            case EVP_PKEY_KEYMGMT:
                peer_sig_name = EVP_PKEY_get0_type_name(peer_pkey);
                break;
#endif

            case EVP_PKEY_RSA:
                /* For RSA, TLS 1.3 mandates PSS signatures */
                peer_sig_name = "RSA-PSS";
                SIG_PROP(TLScontext, !srvr, bits) = EVP_PKEY_bits(peer_pkey);
                break;

#ifndef OPENSSL_NO_EC
            case EVP_PKEY_EC:
                peer_sig_name = "ECDSA";
                peer_sig_curve = ec_curve_name(peer_pkey);
                break;
#endif
            }
        }

        /*
         * With Ed25519 and Ed448 there is no pre-signature digest, but the
         * accessor does not fail, rather we get NID_undef.
         */
        if (SSL_get_peer_signature_nid(ssl, &nid) && nid != NID_undef)
            peer_sig_dgst = OBJ_nid2sn(nid);

        /* !srvr selects the opposite set of fields from the local case. */
        if (peer_sig_name) {
            SIG_PROP(TLScontext, !srvr, name) = mystrdup(peer_sig_name);
            SIG_PROP(TLScontext, !srvr, curve) = peer_sig_curve;
            if (peer_sig_dgst)
                SIG_PROP(TLScontext, !srvr, dgst) = mystrdup(peer_sig_dgst);
        }
    }
    TLS_FREE_PEER_CERT(peer_cert);
}
1237 
1238 /* tls_log_summary - TLS loglevel 1 one-liner, embellished with TLS 1.3 details */
1239 
void    tls_log_summary(TLS_ROLE role, TLS_USAGE usage, TLS_SESS_STATE *ctx)
{

    /*
     * Log a one-line summary of a TLS session: trust level, new or reused,
     * remote endpoint, protocol and cipher, followed by the TLS 1.3 key
     * exchange and signature details when these are on record in ctx.
     * 
     * When SNI was sent and accepted, the server-side message has a
     * "to <sni-name>" detail after the "from <namaddr>" detail that
     * identifies the remote client. The name on record passed
     * valid_hostname() in server_sni_callback(). We don't presently log
     * (purportedly) accepted SNI on the client side.
     */
    VSTRING *line = vstring_alloc(100);
    int     is_client = (role == TLS_ROLE_CLIENT);
    const char *sni = is_client ? 0 : ctx->peer_sni;
    const char *trust;

    /* Trust level of the peer credentials, strongest claim first. */
    if (!TLS_CRED_IS_PRESENT(ctx))
        trust = "Anonymous";
    else if (TLS_CERT_IS_SECURED(ctx))
        trust = "Verified";
    else if (TLS_CERT_IS_TRUSTED(ctx))
        trust = "Trusted";
    else
        trust = "Untrusted";

    vstring_sprintf(line, "%s TLS connection %s %s %s%s%s: %s"
                    " with cipher %s (%d/%d bits)",
                    trust,
                    usage == TLS_USAGE_NEW ? "established" : "reused",
                    is_client ? "to" : "from", ctx->namaddr,
                    sni ? " to " : "", sni ? sni : "",
                    ctx->protocol, ctx->cipher_name, ctx->cipher_usebits,
                    ctx->cipher_algbits);

    /* Key exchange: prefer the curve name over the bit count. */
    if (ctx->kex_name != 0 && *ctx->kex_name != 0) {
        vstring_sprintf_append(line, " key-exchange %s", ctx->kex_name);
        if (ctx->kex_curve != 0 && *ctx->kex_curve != 0) {
            vstring_sprintf_append(line, " (%s)", ctx->kex_curve);
        } else if (ctx->kex_bits > 0) {
            vstring_sprintf_append(line, " (%d bits)", ctx->kex_bits);
        }
    }

    /* Server signature, with a raw public key marker where applicable. */
    if (ctx->srvr_sig_name != 0 && *ctx->srvr_sig_name != 0) {
        vstring_sprintf_append(line, " server-signature %s",
                               ctx->srvr_sig_name);
        if (ctx->srvr_sig_curve != 0 && *ctx->srvr_sig_curve != 0) {
            vstring_sprintf_append(line, " (%s%s)", ctx->srvr_sig_curve,
                                   ctx->stoc_rpk ? " raw public key" : "");
        } else if (ctx->srvr_sig_bits > 0) {
            vstring_sprintf_append(line, " (%d bit%s)", ctx->srvr_sig_bits,
                                   ctx->stoc_rpk ? " raw public key" : "s");
        } else if (ctx->stoc_rpk) {
            vstring_sprintf_append(line, " (raw public key)");
        }
        if (ctx->srvr_sig_dgst != 0 && *ctx->srvr_sig_dgst != 0) {
            vstring_sprintf_append(line, " server-digest %s",
                                   ctx->srvr_sig_dgst);
        }
    }

    /* Client signature, same layout as the server signature. */
    if (ctx->clnt_sig_name != 0 && *ctx->clnt_sig_name != 0) {
        vstring_sprintf_append(line, " client-signature %s",
                               ctx->clnt_sig_name);
        if (ctx->clnt_sig_curve != 0 && *ctx->clnt_sig_curve != 0) {
            vstring_sprintf_append(line, " (%s%s)", ctx->clnt_sig_curve,
                                   ctx->ctos_rpk ? " raw public key" : "");
        } else if (ctx->clnt_sig_bits > 0) {
            vstring_sprintf_append(line, " (%d bit%s)", ctx->clnt_sig_bits,
                                   ctx->ctos_rpk ? " raw public key" : "s");
        } else if (ctx->ctos_rpk) {
            vstring_sprintf_append(line, " (raw public key)");
        }
        if (ctx->clnt_sig_dgst != 0 && *ctx->clnt_sig_dgst != 0) {
            vstring_sprintf_append(line, " client-digest %s",
                                   ctx->clnt_sig_dgst);
        }
    }

    /* Pass the text as an argument, never as the format string. */
    msg_info("%s", vstring_str(line));
    vstring_free(line);
}
1302 
1303 /* tls_alloc_app_context - allocate TLS application context */
1304 
TLS_APPL_STATE *tls_alloc_app_context(SSL_CTX *ssl_ctx, SSL_CTX *sni_ctx,
                                              int log_mask)
{

    /*
     * Allocate an application context that takes over the two SSL_CTX
     * handles (tls_free_app_context() releases them), and register the SNI
     * callback on the primary context when SNI tables are configured. The
     * SNI context is passed to the callback as its argument.
     */
    TLS_APPL_STATE *state = (TLS_APPL_STATE *) mymalloc(sizeof(*state));

    /*
     * Zero the integer members in one go; pointer members get explicit
     * assignments. See the portability note in tls_alloc_sess_context().
     */
    memset((void *) state, 0, sizeof(*state));
    state->log_mask = log_mask;
    state->sni_ctx = sni_ctx;
    state->ssl_ctx = ssl_ctx;

    /*
     * NOTE(review): the earlier comment here pointed at cache purging code
     * in tls_set_ciphers(); that function does not touch cache_type in this
     * revision.
     */
    state->cache_type = 0;

    /* Without SNI tables the callback would have nothing to look up. */
    if (tls_server_sni_maps != 0) {
        SSL_CTX_set_tlsext_servername_callback(ssl_ctx, server_sni_callback);
        SSL_CTX_set_tlsext_servername_arg(ssl_ctx, (void *) sni_ctx);
    }
    return (state);
}
1327 
1328 /* tls_free_app_context - Free TLS application context */
1329 
void    tls_free_app_context(TLS_APPL_STATE *app_ctx)
{

    /*
     * Release the members that are set, then the context itself. The caller
     * must not use app_ctx, or the SSL_CTX handles it held, afterwards.
     */
    if (app_ctx->cache_type != 0) {
        myfree(app_ctx->cache_type);
    }
    if (app_ctx->ssl_ctx != 0) {
        SSL_CTX_free(app_ctx->ssl_ctx);
    }
    if (app_ctx->sni_ctx != 0) {
        SSL_CTX_free(app_ctx->sni_ctx);
    }
    myfree((void *) app_ctx);
}
1340 
1341 /* tls_alloc_sess_context - allocate TLS session context */
1342 
TLS_SESS_STATE *tls_alloc_sess_context(int log_mask, const char *namaddr)
{

    /*
     * Allocate and initialize per-session TLS state. The result owns a
     * lower-cased copy of namaddr; all other pointer members start out
     * null. Release with tls_free_context().
     * 
     * PORTABILITY: Do not assume that null pointers are all-zero bits. Use
     * explicit assignments to initialize pointers.
     * 
     * See the C language FAQ item 5.17, or if you have time to burn,
     * https://www.google.com/search?q=zero+bit+null+pointer
     * 
     * However, it's OK to use memset() to zero integer values.
     */
    TLS_SESS_STATE *state;

    state = (TLS_SESS_STATE *) mymalloc(sizeof(TLS_SESS_STATE));
    memset((void *) state, 0, sizeof(*state));

    /* Caller-supplied values. */
    state->log_mask = log_mask;
    state->namaddr = lowercase(mystrdup(namaddr));

    /* Connection and session cache. */
    state->con = 0;
    state->cache_type = 0;
    state->serverid = 0;

    /* Peer identity. */
    state->peer_CN = 0;
    state->issuer_CN = 0;
    state->peer_sni = 0;
    state->peer_cert_fprint = 0;
    state->peer_pkey_fprint = 0;

    /* Negotiated protocol, cipher and key exchange. */
    state->protocol = 0;
    state->cipher_name = 0;
    state->kex_name = 0;
    state->kex_curve = 0;

    /* Raw public key indicators and signature details, per direction. */
    state->ctos_rpk = 0;
    state->stoc_rpk = 0;
    state->clnt_sig_name = 0;
    state->clnt_sig_curve = 0;
    state->clnt_sig_dgst = 0;
    state->srvr_sig_name = 0;
    state->srvr_sig_curve = 0;
    state->srvr_sig_dgst = 0;

    /* Borrowed from the session properties, not owned by this object. */
    state->mdalg = 0;                   /* Alias for props->mdalg */
    state->dane = 0;                    /* Alias for props->dane */

    /* Certificate verification status: no error on record yet. */
    state->errordepth = -1;
    state->errorcode = X509_V_OK;
    state->errorcert = 0;
    state->rpt_reported = 0;
    state->ffail_type = 0;

    return (state);
}
1390 
1391 /* tls_free_context - deallocate TLScontext and members */
1392 
void    tls_free_context(TLS_SESS_STATE *TLScontext)
{

    /*
     * Release the SSL handle, every owned member that is set, and finally
     * the session state itself. The mdalg and dane members are not
     * released here.
     */

    /* Release one heap-allocated member, but only when it is set. */
#define TLS_FREE_MEMBER(m) do { \
        if (TLScontext->m) \
            myfree((void *) TLScontext->m); \
    } while (0)

    /*
     * Free the SSL structure and the BIOs. Warning: the internal_bio is
     * connected to the SSL structure and is automatically freed with it. Do
     * not free it again (core dump)!! Only free the network_bio.
     */
    if (TLScontext->con != 0)
        SSL_free(TLScontext->con);

    TLS_FREE_MEMBER(namaddr);
    TLS_FREE_MEMBER(serverid);

    TLS_FREE_MEMBER(peer_CN);
    TLS_FREE_MEMBER(issuer_CN);
    TLS_FREE_MEMBER(peer_sni);
    TLS_FREE_MEMBER(peer_cert_fprint);
    TLS_FREE_MEMBER(peer_pkey_fprint);
    TLS_FREE_MEMBER(kex_name);
    TLS_FREE_MEMBER(kex_curve);
    TLS_FREE_MEMBER(clnt_sig_name);
    TLS_FREE_MEMBER(clnt_sig_curve);
    TLS_FREE_MEMBER(clnt_sig_dgst);
    TLS_FREE_MEMBER(srvr_sig_name);
    TLS_FREE_MEMBER(srvr_sig_curve);
    TLS_FREE_MEMBER(srvr_sig_dgst);

    /* The certificate is an OpenSSL object with its own destructor. */
    if (TLScontext->errorcert != 0)
        X509_free(TLScontext->errorcert);

    TLS_FREE_MEMBER(ffail_type);

#undef TLS_FREE_MEMBER

    myfree((void *) TLScontext);
}
1442 
1443 /* tls_version_split - Split OpenSSL version number into major, minor, ... */
1444 
static void tls_version_split(unsigned long version, TLS_VINFO *info)
{

    /*
     * OPENSSL_VERSION_NUMBER(3):
     * 
     * OPENSSL_VERSION_NUMBER is a numeric release version identifier:
     * 
     * MMNNFFPPS: major minor fix patch status
     * 
     * The status nibble has one of the values 0 for development, 1 to e for
     * betas 1 to 14, and f for release. For example: 0x1010103f == 1.1.1c.
     * 
     * The "fix" byte is stored in info->micro. Each field is extracted with
     * its own shift, counted from the least significant bit.
     */
    info->status = version & 0xf;
    info->patch = (version >> 4) & 0xff;
    info->micro = (version >> 12) & 0xff;
    info->minor = (version >> 20) & 0xff;
    info->major = (version >> 28) & 0xff;
}
1469 
1470 /* tls_check_version - Detect mismatch between headers and library. */
1471 
void    tls_check_version(void)
{

    /*
     * Compare the OpenSSL version of the compile-time headers with that of
     * the run-time library, and log a warning when the combination is not
     * expected to be compatible. This only warns; it does not stop the
     * program.
     */
    TLS_VINFO built;
    TLS_VINFO loaded;
    int     major_differs;
    int     minor_differs;
    int     mismatch;

    tls_version_split(OPENSSL_VERSION_NUMBER, &built);
    tls_version_split(OpenSSL_version_num(), &loaded);

    major_differs = (loaded.major != built.major);
    minor_differs = (loaded.minor != built.minor);

    /*
     * Warn if run-time library is different from compile-time library,
     * allowing later run-time "micro" versions starting with 1.1.0, and
     * later minor numbers starting with 3.0.0.
     */
    if (built.major >= 3) {
        /* Same major, and a run-time minor that is not older. */
        mismatch = major_differs || loaded.minor < built.minor;
    } else if (built.major == 1 && built.minor != 0) {
        /* Same major and minor, and a run-time micro that is not older. */
        mismatch = major_differs || minor_differs
            || loaded.micro < built.micro;
    } else {
        /* Anything older must match exactly. */
        mismatch = major_differs || minor_differs
            || loaded.micro != built.micro;
    }

    if (mismatch) {
        msg_warn("run-time library vs. compile-time header version mismatch: "
                 "OpenSSL %d.%d.%d may not be compatible with OpenSSL %d.%d.%d",
                 loaded.major, loaded.minor, loaded.micro,
                 built.major, built.minor, built.micro);
    }
}
1504 
1505 /* tls_compile_version - compile-time OpenSSL version */
1506 
const char *tls_compile_version(void)
{
    /* Version text of the OpenSSL headers this file was compiled against. */
    static const char *const built_with = OPENSSL_VERSION_TEXT;

    return built_with;
}
1511 
1512 /* tls_run_version - run-time version "major.minor.micro" */
1513 
const char *tls_run_version(void)
{
    /* Version text reported by the OpenSSL library that is loaded at run time. */
    const char *loaded = OpenSSL_version(OPENSSL_VERSION);

    return loaded;
}
1518 
const char **tls_pkey_algorithms(void)
{

    /*
     * Public key algorithms that are not compiled out of OpenSSL, as a
     * null-terminated array in alphabetical (not chronological) order. An
     * array, rather than a string, can be inspected without parsing. The
     * result is static storage; the caller must not free it.
     */
    static const char *pkey_algs[] = {
#ifndef OPENSSL_NO_DSA
        "dsa",
#endif
#ifndef OPENSSL_NO_ECDSA
        "ecdsa",
#endif
#ifndef OPENSSL_NO_RSA
        "rsa",
#endif
        0,
    };

    return pkey_algs;
}
1541 
1542 /* tls_bug_bits - SSL bug compatibility bits for this OpenSSL version */
1543 
long    tls_bug_bits(void)
{

    /*
     * Compute the SSL option bits for new contexts: start with all bug
     * workarounds, turn off the workarounds that the administrator
     * disabled, add administrator-selected options that are neither
     * workarounds nor managed through other Postfix parameters, and
     * finally force the options that are not negotiable.
     * 
     * NOTE(review): OpenSSL 3.x declares option masks as 64-bit values;
     * confirm that "long" is wide enough on all supported platforms.
     */
    const int parse_flags = NAME_MASK_ANY_CASE | NAME_MASK_NUMBER
        | NAME_MASK_WARN;
    long    result = SSL_OP_ALL;        /* Work around all known bugs */

    /*
     * Silently ignore any strings that don't appear in the tweaks table, or
     * hex bits that are not in SSL_OP_ALL.
     */
    if (*var_tls_bug_tweaks != 0) {
        long    disabled;

        disabled = long_name_mask_opt(VAR_TLS_BUG_TWEAKS, ssl_bug_tweaks,
                                      var_tls_bug_tweaks, parse_flags);
        result &= ~disabled;
#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
        /* Not relevant to SMTP */
        result &= ~SSL_OP_SAFARI_ECDHE_ECDSA_BUG;
#endif
    }

    /*
     * Allow users to set options not in SSL_OP_ALL, and not already managed
     * via other Postfix parameters. Masking the request keeps this setting
     * from changing either of those two groups of bits.
     */
    if (*var_tls_ssl_options != 0) {
        long    requested;

        requested = long_name_mask_opt(VAR_TLS_SSL_OPTIONS, ssl_op_tweaks,
                                       var_tls_ssl_options, parse_flags);
        requested &= ~(SSL_OP_ALL | TLS_SSL_OP_MANAGED_BITS);
        result |= requested;
    }

    /*
     * We unconditionally avoid re-use of ephemeral keys, note that we set DH
     * keys via a callback, so reuse was never possible, but the ECDH key is
     * set statically, so that is potentially subject to reuse.  Set both
     * options just in case.
     */
    result |= SSL_OP_SINGLE_ECDH_USE | SSL_OP_SINGLE_DH_USE;

    /*
     * Unconditionally disable a CPU resource attack. There's no good reason
     * to enable TLS renegotiation in the middle of an SMTP connection.
     */
    result |= SSL_OP_NO_RENEGOTIATION;

    return (result);
}
1591 
1592 /* tls_print_errors - print and clear the error stack */
1593 
void    tls_print_errors(void)
{

    /*
     * Log every entry of the OpenSSL error queue as a warning, removing the
     * entries in the process. Draining the queue keeps old errors from
     * being reported together with a later, unrelated failure.
     */
    unsigned long code;
    char    text[1024];                 /* XXX */
    const char *src_file;
    const char *detail;
    int     src_line;
    int     detail_flags;

#if OPENSSL_VERSION_PREREQ(3,0)
/* XXX: We're ignoring the function name, do we want to log it? */
#define ERRGET(fi, l, d, fl) ERR_get_error_all(fi, l, 0, d, fl)
#else
#define ERRGET(fi, l, d, fl) ERR_get_error_line_data(fi, l, d, fl)
#endif

    for (;;) {
        code = ERRGET(&src_file, &src_line, &detail, &detail_flags);
        if (code == 0)
            break;

        /* Bounded conversion: the text is cut to fit the buffer. */
        ERR_error_string_n(code, text, sizeof(text));

        /* Log the extra detail only when the entry carries a text string. */
        if (detail_flags & ERR_TXT_STRING) {
            msg_warn("TLS library problem: %s:%s:%d:%s:",
                     text, src_file, src_line, detail);
        } else {
            msg_warn("TLS library problem: %s:%s:%d:", text, src_file, src_line);
        }
    }
}
1619 
1620 /* tls_info_callback - callback for logging SSL events via Postfix */
1621 
void    tls_info_callback(const SSL *s, int where, int ret)
{

    /*
     * OpenSSL info callback that logs handshake progress, alerts other than
     * close_notify, and handshake failures through msg_info(). Unless
     * LOG_NON_ERROR_STATES is defined, the "want read" and "want write"
     * conditions are not logged.
     * 
     * Adapted from OpenSSL apps/s_cb.c.
     */
    const char *operation;
    int     state_bits = where & ~SSL_ST_MASK;

    if (state_bits & SSL_ST_CONNECT) {
        operation = "SSL_connect";
    } else if (state_bits & SSL_ST_ACCEPT) {
        operation = "SSL_accept";
    } else {
        operation = "unknown";
    }

    if (where & SSL_CB_LOOP) {
        msg_info("%s:%s", operation, SSL_state_string_long((SSL *) s));
        return;
    }
    if (where & SSL_CB_ALERT) {
        const char *direction = (where & SSL_CB_READ) ? "read" : "write";

        /* A close_notify alert is part of a normal shutdown. */
        if ((ret & 0xff) != SSL3_AD_CLOSE_NOTIFY)
            msg_info("SSL3 alert %s:%s:%s", direction,
                     SSL_alert_type_string_long(ret),
                     SSL_alert_desc_string_long(ret));
        return;
    }
    if ((where & SSL_CB_EXIT) == 0)
        return;

    if (ret == 0) {
        msg_info("%s:failed in %s",
                 operation, SSL_state_string_long((SSL *) s));
    } else if (ret < 0) {
#ifndef LOG_NON_ERROR_STATES
        int     ssl_err = SSL_get_error((SSL *) s, ret);

        /* Don't log non-error states. */
        if (ssl_err != SSL_ERROR_WANT_READ && ssl_err != SSL_ERROR_WANT_WRITE)
#endif
            msg_info("%s:error in %s",
                     operation, SSL_state_string_long((SSL *) s));
    }
}
1667 
1668  /*
1669   * taken from OpenSSL crypto/bio/b_dump.c.
1670   *
1671   * Modified to save a lot of strcpy and strcat by Matti Aarnio.
1672   *
1673   * Rewritten by Wietse to eliminate fixed-size stack buffer, array index
1674   * multiplication and division, sprintf() and strcpy(), and lots of strlen()
1675   * calls. We could make it a little faster by using a fixed-size stack-based
1676   * buffer.
1677   *
1678   * 200412 - use %lx to print pointers, after casting them to unsigned long.
1679   */
1680 
1681 #define TRUNCATE_SPACE_NULL
1682 #define DUMP_WIDTH  16
1683 #define VERT_SPLIT  7
1684 
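/* tls_dump_buffer - log a hex and printable-text dump of a buffer */

static void tls_dump_buffer(const unsigned char *start, int len)
{
    VSTRING *buf;
    size_t  total;
    size_t  end;
    size_t  row;
    size_t  col;
    int     ch;

    /*
     * Nothing to dump. The BIO callbacks in this file pass an I/O result as
     * the length, so a zero or negative value can arrive here. Return
     * before computing any offset: forming a pointer in front of "start"
     * is undefined behavior even when it is never dereferenced.
     */
    if (start == 0 || len <= 0)
        return;
    total = (size_t) len;
    end = total;

#ifdef TRUNCATE_SPACE_NULL
    /* Trailing spaces and null bytes are summarized below, not dumped. */
    while (end > 0 && (start[end - 1] == ' ' || start[end - 1] == 0))
        end--;
#endif

    /*
     * Work with offsets instead of pointers, so that every access is
     * visibly bounded by "end", which never exceeds the caller's length.
     */
    buf = vstring_alloc(100);
    for (row = 0; row < end; row += DUMP_WIDTH) {
        VSTRING_RESET(buf);
        vstring_sprintf(buf, "%04lx ", (unsigned long) row);

        /* Hex column; a short final row is padded with blanks. */
        for (col = 0; col < DUMP_WIDTH; col++) {
            if (row + col >= end) {
                vstring_strcat(buf, "   ");
            } else {
                ch = start[row + col];
                vstring_sprintf_append(buf, "%02x%c",
                                       ch, col == VERT_SPLIT ? '|' : ' ');
            }
        }
        VSTRING_ADDCH(buf, ' ');

        /*
         * Text column. Bytes that fail ISPRINT() are logged as '.', so raw
         * control characters from the buffer do not reach the log.
         */
        for (col = 0; col < DUMP_WIDTH && row + col < end; col++) {
            ch = start[row + col];
            if (!ISPRINT(ch))
                ch = '.';
            VSTRING_ADDCH(buf, ch);
            if (col == VERT_SPLIT)
                VSTRING_ADDCH(buf, ' ');
        }
        VSTRING_TERMINATE(buf);
        msg_info("%s", vstring_str(buf));
    }
#ifdef TRUNCATE_SPACE_NULL
    if (end < total)
        msg_info("%04lx - <SPACES/NULLS>", (unsigned long) end);
#endif
    vstring_free(buf);
}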
1731 
1732 /* taken from OpenSSL apps/s_cb.c */
1733 
1734 #if !OPENSSL_VERSION_PREREQ(3,0)
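/* tls_bio_dump_cb - log and dump completed BIO reads and writes */

long    tls_bio_dump_cb(BIO *bio, int cmd, const char *argp, int argi,
                                long unused_argl, long ret)
{
    int     dump_len = 0;

    /*
     * Dump data only when the operation reports a positive byte count. A
     * zero or negative result is an error or end-of-data indication, not a
     * length. Never dump more than the argi bytes that the operation was
     * asked to handle (the count that the summary line reports), so that a
     * bogus result cannot make the dump read past the caller's buffer.
     * 
     * NOTE(review): the dump writes the I/O data itself to the log; treat
     * logs produced with this callback installed as sensitive.
     */
    if (ret > 0)
        dump_len = (ret < (long) argi) ? (int) ret : argi;

    if (cmd == (BIO_CB_READ | BIO_CB_RETURN)) {
        msg_info("read from %08lX [%08lX] (%d bytes => %ld (0x%lX))",
                 (unsigned long) bio, (unsigned long) argp, argi,
                 ret, (unsigned long) ret);
        if (dump_len > 0)
            tls_dump_buffer((const unsigned char *) argp, dump_len);
    } else if (cmd == (BIO_CB_WRITE | BIO_CB_RETURN)) {
        msg_info("write to %08lX [%08lX] (%d bytes => %ld (0x%lX))",
                 (unsigned long) bio, (unsigned long) argp, argi,
                 ret, (unsigned long) ret);
        if (dump_len > 0)
            tls_dump_buffer((const unsigned char *) argp, dump_len);
    }

    /* The result is handed back unchanged. */
    return (ret);
}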
1751 
1752 #else
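/* tls_bio_dump_cb - log and dump completed BIO reads and writes */

long    tls_bio_dump_cb(BIO *bio, int cmd, const char *argp, size_t len,
                        int argi, long unused_argl, int ret, size_t *processed)
{
    size_t  bytes = (ret > 0 && processed != NULL) ? *processed : len;
    size_t  bounded = (bytes < len) ? bytes : len;
    int     dump_len = (int) bounded;

    /*
     * The summary line reports the byte count as given, but the dump itself
     * is bounded by the buffer length "len", so that a bogus *processed
     * cannot make the dump read past the caller's buffer. tls_dump_buffer()
     * takes an int length: skip the dump when the count does not survive
     * the conversion, instead of dumping a truncated length.
     * 
     * NOTE(review): the dump writes the I/O data itself to the log; treat
     * logs produced with this callback installed as sensitive.
     */
    if (dump_len < 0 || (size_t) dump_len != bounded)
        dump_len = 0;

    if (cmd == (BIO_CB_READ | BIO_CB_RETURN)) {
        if (ret > 0) {
            msg_info("read from %08lX [%08lX] (%ld bytes => %ld (0x%lX))",
                     (unsigned long) bio, (unsigned long) argp, (long) len,
                     (long) bytes, (unsigned long) bytes);
            if (dump_len > 0)
                tls_dump_buffer((const unsigned char *) argp, dump_len);
        } else {
            /* No data was transferred: log the result code only. */
            msg_info("read from %08lX [%08lX] (%ld bytes => %d)",
                     (unsigned long) bio, (unsigned long) argp,
                     (long) len, ret);
        }
    } else if (cmd == (BIO_CB_WRITE | BIO_CB_RETURN)) {
        if (ret > 0) {
            msg_info("write to %08lX [%08lX] (%ld bytes => %ld (0x%lX))",
                     (unsigned long) bio, (unsigned long) argp, (long) len,
                     (long) bytes, (unsigned long) bytes);
            if (dump_len > 0)
                tls_dump_buffer((const unsigned char *) argp, dump_len);
        } else {
            /* No data was transferred: log the result code only. */
            msg_info("write to %08lX [%08lX] (%ld bytes => %d)",
                     (unsigned long) bio, (unsigned long) argp,
                     (long) len, ret);
        }
    }

    /* The result is handed back unchanged. */
    return ret;
}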
1783 
1784 #endif
1785 
/* tls_validate_digest - look up a digest by name, warn when not found */

const EVP_MD *tls_validate_digest(const char *dgst)
{
    const EVP_MD *found = tls_digest_byname(dgst, NULL);

    /*
     * An unsupported digest name from the administrator is reported here,
     * so that the problem shows up now rather than in the middle of a TLS
     * handshake. The lookup result is returned as is; a null result tells
     * the caller that the name is unusable.
     */
    if (found != 0)
        return found;

    msg_warn("Digest algorithm \"%s\" not found", dgst);
    return found;
}
1798 
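/* tls_enable_client_rpk - enable raw public keys as client certificate type */

void    tls_enable_client_rpk(SSL_CTX *ctx, SSL *ssl)
{
#if OPENSSL_VERSION_PREREQ(3,2)
    static int warned = 0;

    /* Raw public key is listed first, X.509 second. */
    static const unsigned char cert_types_rpk[] = {
        TLSEXT_cert_type_rpk,
        TLSEXT_cert_type_x509
    };

    /*
     * Either argument may be null, in which case it is skipped. When the
     * context-level call fails, the connection-level call is not attempted.
     */
    if ((ctx == 0 || SSL_CTX_set1_client_cert_type(ctx, cert_types_rpk,
                                                   sizeof(cert_types_rpk)))
        && (ssl == 0 || SSL_set1_client_cert_type(ssl, cert_types_rpk,
                                                  sizeof(cert_types_rpk))))
        return;

    /*
     * Failure is not fatal and is not reported to the caller. Warn once;
     * later failures only discard the library error queue. "warned" is a
     * plain flag rather than a counter, so that it cannot overflow no
     * matter how many times the call fails.
     */
    if (warned) {
        ERR_clear_error();
        return;
    }
    warned = 1;
    msg_warn("Failed to enable client to server raw public key support");
    tls_print_errors();
#endif
    /* Without OpenSSL 3.2 or later this function does nothing. */
}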
1821 
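/* tls_enable_server_rpk - enable raw public keys as server certificate type */

void    tls_enable_server_rpk(SSL_CTX *ctx, SSL *ssl)
{
#if OPENSSL_VERSION_PREREQ(3,2)
    static int warned = 0;

    /* Raw public key is listed first, X.509 second. */
    static const unsigned char cert_types_rpk[] = {
        TLSEXT_cert_type_rpk,
        TLSEXT_cert_type_x509
    };

    /*
     * Either argument may be null, in which case it is skipped. When the
     * context-level call fails, the connection-level call is not attempted.
     */
    if ((ctx == 0 || SSL_CTX_set1_server_cert_type(ctx, cert_types_rpk,
                                                   sizeof(cert_types_rpk)))
        && (ssl == 0 || SSL_set1_server_cert_type(ssl, cert_types_rpk,
                                                  sizeof(cert_types_rpk))))
        return;

    /*
     * Failure is not fatal and is not reported to the caller. Warn once;
     * later failures only discard the library error queue. "warned" is a
     * plain flag rather than a counter, so that it cannot overflow no
     * matter how many times the call fails.
     */
    if (warned) {
        ERR_clear_error();
        return;
    }
    warned = 1;
    msg_warn("Failed to enable server to client raw public key support");
    tls_print_errors();
#endif
    /* Without OpenSSL 3.2 or later this function does nothing. */
}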
1844 
1845 #else
1846 
 /*
  * Broken linker workaround. This definition is on the #else side of a
  * conditional that opens outside this view; presumably it gives the object
  * file one external symbol when the TLS code above is compiled out.
  */
int     tls_dummy_for_broken_linkers;
1851 
1852 #endif
1853