sdiff udiff text old ( 223067 ) new ( 249729 )
1/*
2 * Copyright (c) 2000-2006, 2008, 2009, 2011 Sendmail, Inc. and its suppliers.
3 * All rights reserved.
4 *
5 * By using this file, you agree to the terms and conditions set
6 * forth in the LICENSE file which can be found at the top level of
7 * the sendmail distribution.
8 *
9 */
10
11#include <sendmail.h>
12
13SM_RCSID("@(#)$Id: tls.c,v 8.118 2011/03/07 23:20:47 ca Exp $")
14
15#if STARTTLS
16# include <openssl/err.h>
17# include <openssl/bio.h>
18# include <openssl/pem.h>
19# ifndef HASURANDOMDEV
20# include <openssl/rand.h>
21# endif /* ! HASURANDOMDEV */

--- 240 unchanged lines hidden (view full) ---

262# else /* ! HASURANDOMDEV */
263 return true;
264# endif /* ! HASURANDOMDEV */
265}
266/*
267** INIT_TLS_LIBRARY -- Calls functions which setup TLS library for global use.
268**
269** Parameters:
270** none.
271**
272** Returns:
273** succeeded?
274*/
275
276bool
277init_tls_library()
278{
279 /* basic TLS initialization, ignore result for now */
280 SSL_library_init();
281 SSL_load_error_strings();
282# if 0
283 /* this is currently a macro for SSL_library_init */
284 SSLeay_add_ssl_algorithms();
285# endif /* 0 */
286
287 return tls_rand_init(RandFile, 7);
288}
289/*
290** TLS_SET_VERIFY -- request client certificate?
291**
292** Parameters:
293** ctx -- TLS context
294** ssl -- TLS structure
295** vrfy -- require certificate?

--- 408 unchanged lines hidden (view full) ---

704 if ((*ctx = SSL_CTX_new(srv ? SSLv23_server_method() :
705 SSLv23_client_method())) == NULL)
706 {
707 if (LogLevel > 7)
708 sm_syslog(LOG_WARNING, NOQID,
709 "STARTTLS=%s, error: SSL_CTX_new(SSLv23_%s_method()) failed",
710 who, who);
711 if (LogLevel > 9)
712 tlslogerr(who);
713 return false;
714 }
715
716# if OPENSSL_VERSION_NUMBER > 0x00907000L
717 if (CRLFile != NULL)
718 {
719 /* get a pointer to the current certificate validation store */
720 store = SSL_CTX_get_cert_store(*ctx); /* does not fail */

--- 82 unchanged lines hidden (view full) ---

803 )
804 {
805 if (LogLevel > 7)
806 {
807 sm_syslog(LOG_WARNING, NOQID,
808 "STARTTLS=%s, error: RSA_generate_key failed",
809 who);
810 if (LogLevel > 9)
811 tlslogerr(who);
812 }
813 return false;
814 }
815# endif /* !TLS_NO_RSA */
816
817 /*
818 ** load private key
819 ** XXX change this for DSA-only version

--- 4 unchanged lines hidden (view full) ---

824 SSL_FILETYPE_PEM) <= 0)
825 {
826 if (LogLevel > 7)
827 {
828 sm_syslog(LOG_WARNING, NOQID,
829 "STARTTLS=%s, error: SSL_CTX_use_PrivateKey_file(%s) failed",
830 who, keyfile);
831 if (LogLevel > 9)
832 tlslogerr(who);
833 }
834 if (bitset(TLS_I_USE_KEY, req))
835 return false;
836 }
837
838 /* get the certificate file */
839 if (bitset(TLS_S_CERT_OK, status) &&
840 SSL_CTX_use_certificate_file(*ctx, certfile,
841 SSL_FILETYPE_PEM) <= 0)
842 {
843 if (LogLevel > 7)
844 {
845 sm_syslog(LOG_WARNING, NOQID,
846 "STARTTLS=%s, error: SSL_CTX_use_certificate_file(%s) failed",
847 who, certfile);
848 if (LogLevel > 9)
849 tlslogerr(who);
850 }
851 if (bitset(TLS_I_USE_CERT, req))
852 return false;
853 }
854
855 /* check the private key */
856 if (bitset(TLS_S_KEY_OK, status) &&
857 (r = SSL_CTX_check_private_key(*ctx)) <= 0)
858 {
859 /* Private key does not match the certificate public key */
860 if (LogLevel > 5)
861 {
862 sm_syslog(LOG_WARNING, NOQID,
863 "STARTTLS=%s, error: SSL_CTX_check_private_key failed(%s): %d",
864 who, keyfile, r);
865 if (LogLevel > 9)
866 tlslogerr(who);
867 }
868 if (bitset(TLS_I_USE_KEY, req))
869 return false;
870 }
871
872# if _FFR_TLS_1
873 /* XXX this code is pretty much duplicated from above! */
874
875 /* load private key */
876 if (bitset(TLS_S_KEY2_OK, status) &&
877 SSL_CTX_use_PrivateKey_file(*ctx, kf2, SSL_FILETYPE_PEM) <= 0)
878 {
879 if (LogLevel > 7)
880 {
881 sm_syslog(LOG_WARNING, NOQID,
882 "STARTTLS=%s, error: SSL_CTX_use_PrivateKey_file(%s) failed",
883 who, kf2);
884 if (LogLevel > 9)
885 tlslogerr(who);
886 }
887 }
888
889 /* get the certificate file */
890 if (bitset(TLS_S_CERT2_OK, status) &&
891 SSL_CTX_use_certificate_file(*ctx, cf2, SSL_FILETYPE_PEM) <= 0)
892 {
893 if (LogLevel > 7)
894 {
895 sm_syslog(LOG_WARNING, NOQID,
896 "STARTTLS=%s, error: SSL_CTX_use_certificate_file(%s) failed",
897 who, cf2);
898 if (LogLevel > 9)
899 tlslogerr(who);
900 }
901 }
902
903 /* also check the private key */
904 if (bitset(TLS_S_KEY2_OK, status) &&
905 (r = SSL_CTX_check_private_key(*ctx)) <= 0)
906 {
907 /* Private key does not match the certificate public key */
908 if (LogLevel > 5)
909 {
910 sm_syslog(LOG_WARNING, NOQID,
911 "STARTTLS=%s, error: SSL_CTX_check_private_key 2 failed: %d",
912 who, r);
913 if (LogLevel > 9)
914 tlslogerr(who);
915 }
916 }
917# endif /* _FFR_TLS_1 */
918
919 /* SSL_CTX_set_quiet_shutdown(*ctx, 1); violation of standard? */
920
921#if SM_SSL_OP_TLS_BLOCK_PADDING_BUG
922

--- 34 unchanged lines hidden (view full) ---

957 unsigned long err;
958
959 err = ERR_get_error();
960 sm_syslog(LOG_WARNING, NOQID,
961 "STARTTLS=%s, error: cannot read DH parameters(%s): %s",
962 who, dhparam,
963 ERR_error_string(err, NULL));
964 if (LogLevel > 9)
965 tlslogerr(who);
966 }
967 }
968 else
969 {
970 if (LogLevel > 5)
971 {
972 sm_syslog(LOG_WARNING, NOQID,
973 "STARTTLS=%s, error: BIO_new_file(%s) failed",
974 who, dhparam);
975 if (LogLevel > 9)
976 tlslogerr(who);
977 }
978 }
979 }
980 if (dh == NULL && bitset(TLS_I_DH1024, req))
981 {
982 DSA *dsa;
983
984 /* this takes a while! (7-130s on a 450MHz AMD K6-2) */

--- 99 unchanged lines hidden (view full) ---

1084 ** if we want to allow relaying based on it.
1085 */
1086 if (LogLevel > 5)
1087 {
1088 sm_syslog(LOG_WARNING, NOQID,
1089 "STARTTLS=%s, error: load verify locs %s, %s failed: %d",
1090 who, cacertpath, cacertfile, r);
1091 if (LogLevel > 9)
1092 tlslogerr(who);
1093 }
1094 if (bitset(TLS_I_VRFY_LOC, req))
1095 return false;
1096 }
1097 }
1098
1099 /* XXX: make this dependent on an option? */
1100 if (tTd(96, 9))

--- 7 unchanged lines hidden (view full) ---

1108 {
1109 if (LogLevel > 7)
1110 {
1111 sm_syslog(LOG_WARNING, NOQID,
1112 "STARTTLS=%s, error: SSL_CTX_set_cipher_list(%s) failed, list ignored",
1113 who, CipherList);
1114
1115 if (LogLevel > 9)
1116 tlslogerr(who);
1117 }
1118 /* failure if setting to this list is required? */
1119 }
1120 }
1121# endif /* _FFR_TLS_1 */
1122 if (LogLevel > 12)
1123 sm_syslog(LOG_INFO, NOQID, "STARTTLS=%s, init=%d", who, ok);
1124

--- 247 unchanged lines hidden (view full) ---

1372
1373 if ((r = SSL_shutdown(ssl)) < 0)
1374 {
1375 if (LogLevel > 11)
1376 {
1377 sm_syslog(LOG_WARNING, NOQID,
1378 "STARTTLS=%s, SSL_shutdown failed: %d",
1379 side, r);
1380 tlslogerr(side);
1381 }
1382 ret = EX_SOFTWARE;
1383 }
1384# if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER > 0x0090602fL
1385
1386 /*
1387 ** Bug in OpenSSL (at least up to 0.9.6b):
1388 ** From: Lutz.Jaenicke@aet.TU-Cottbus.DE

--- 32 unchanged lines hidden (view full) ---

1421
1422 else if (r == 0)
1423 {
1424 if (LogLevel > 15)
1425 {
1426 sm_syslog(LOG_WARNING, NOQID,
1427 "STARTTLS=%s, SSL_shutdown not done",
1428 side);
1429 tlslogerr(side);
1430 }
1431 ret = EX_SOFTWARE;
1432 }
1433# endif /* !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER > 0x0090602fL */
1434 SSL_free(ssl);
1435 ssl = NULL;
1436 }
1437 return ret;

--- 216 unchanged lines hidden (view full) ---

1654 return tls_verify_log(ok, ctx, "TLS");
1655 }
1656 return 1;
1657}
1658/*
1659** TLSLOGERR -- log the errors from the TLS error stack
1660**
1661** Parameters:
1662** who -- server/client (for logging).
1663**
1664** Returns:
1665** none.
1666*/
1667
1668void
1669tlslogerr(who)
1670 const char *who;
1671{
1672 unsigned long l;
1673 int line, flags;
1674 unsigned long es;
1675 char *file, *data;
1676 char buf[256];
1677# define CP (const char **)
1678
1679 es = CRYPTO_thread_id();
1680 while ((l = ERR_get_error_line_data(CP &file, &line, CP &data, &flags))
1681 != 0)
1682 {
1683 sm_syslog(LOG_WARNING, NOQID,
1684 "STARTTLS=%s: %lu:%s:%s:%d:%s", who, es,
1685 ERR_error_string(l, buf),
1686 file, line,
1687 bitset(ERR_TXT_STRING, flags) ? data : "");
1688 }
1689}
1690
1691# if OPENSSL_VERSION_NUMBER > 0x00907000L

--- 30 unchanged lines hidden ---
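Review bot: In the `_FFR_TLS_1` block (L153–L198) a failed `SSL_CTX_use_PrivateKey_file`, `SSL_CTX_use_certificate_file` or `SSL_CTX_check_private_key` for the second key/cert pair is only logged, whereas the first pair directly above returns `false` when `TLS_I_USE_KEY` or `TLS_I_USE_CERT` is set in `req`, so the context can be handed out with a second key that did not load or does not match its certificate. The `XXX` comment at L154 already notes the duplication; making the two branches consistent would add `if (bitset(TLS_I_USE_KEY, req)) return false;` after the key-load and check-private-key failure logs and `if (bitset(TLS_I_USE_CERT, req)) return false;` after the certificate one, or, if the second pair is deliberately best-effort, a comment saying so in place of the `XXX`. Whether these lines are new or pre-existing in this revision cannot be told from the rendered view, and the enclosing function starts and ends outside the shown hunks. Separately, `SSL_CTX_new` at L65 uses `SSLv23_*_method()`, which also offers SSLv2/SSLv3 unless `SSL_CTX_set_options` disables them; the options handling appears to sit in the hidden region after L202, so this is only worth confirming there.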