tls.c (223067) | tls.c (249729) |
---|---|
1/* | 1/* |
2 * Copyright (c) 2000-2006, 2008, 2009, 2011 Sendmail, Inc. and its suppliers. | 2 * Copyright (c) 2000-2006, 2008, 2009, 2011, 2013 Sendmail, Inc. and its suppliers. |
3 * All rights reserved. 4 * 5 * By using this file, you agree to the terms and conditions set 6 * forth in the LICENSE file which can be found at the top level of 7 * the sendmail distribution. 8 * 9 */ 10 11#include <sendmail.h> 12 | 3 * All rights reserved. 4 * 5 * By using this file, you agree to the terms and conditions set 6 * forth in the LICENSE file which can be found at the top level of 7 * the sendmail distribution. 8 * 9 */ 10 11#include <sendmail.h> 12 |
13SM_RCSID("@(#)$Id: tls.c,v 8.118 2011/03/07 23:20:47 ca Exp $") | 13SM_RCSID("@(#)$Id: tls.c,v 8.121 2013/01/02 23:54:17 ca Exp $") |
14 15#if STARTTLS 16# include <openssl/err.h> 17# include <openssl/bio.h> 18# include <openssl/pem.h> 19# ifndef HASURANDOMDEV 20# include <openssl/rand.h> 21# endif /* ! HASURANDOMDEV */ --- 240 unchanged lines hidden (view full) --- 262# else /* ! HASURANDOMDEV */ 263 return true; 264# endif /* ! HASURANDOMDEV */ 265} 266/* 267** INIT_TLS_LIBRARY -- Calls functions which setup TLS library for global use. 268** 269** Parameters: | 14 15#if STARTTLS 16# include <openssl/err.h> 17# include <openssl/bio.h> 18# include <openssl/pem.h> 19# ifndef HASURANDOMDEV 20# include <openssl/rand.h> 21# endif /* ! HASURANDOMDEV */ --- 240 unchanged lines hidden (view full) --- 262# else /* ! HASURANDOMDEV */ 263 return true; 264# endif /* ! HASURANDOMDEV */ 265} 266/* 267** INIT_TLS_LIBRARY -- Calls functions which setup TLS library for global use. 268** 269** Parameters: |
270** none. | 270** fipsmode -- use FIPS? |
271** 272** Returns: 273** succeeded? 274*/ 275 276bool | 271** 272** Returns: 273** succeeded? 274*/ 275 276bool |
277init_tls_library() | 277init_tls_library(fipsmode) 278 bool fipsmode; |
278{ | 279{ |
280 bool bv; 281 |
|
279 /* basic TLS initialization, ignore result for now */ 280 SSL_library_init(); 281 SSL_load_error_strings(); 282# if 0 283 /* this is currently a macro for SSL_library_init */ 284 SSLeay_add_ssl_algorithms(); 285# endif /* 0 */ 286 | 282 /* basic TLS initialization, ignore result for now */ 283 SSL_library_init(); 284 SSL_load_error_strings(); 285# if 0 286 /* this is currently a macro for SSL_library_init */ 287 SSLeay_add_ssl_algorithms(); 288# endif /* 0 */ 289 |
287 return tls_rand_init(RandFile, 7); | 290 bv = tls_rand_init(RandFile, 7); 291# if _FFR_FIPSMODE 292 if (bv && fipsmode) 293 { 294 if (!FIPS_mode_set(1)) 295 { 296 unsigned long err; 297 298 err = ERR_get_error(); 299 if (LogLevel > 0) 300 sm_syslog(LOG_ERR, NOQID, 301 "STARTTLS=init, FIPSMode=%s", 302 ERR_error_string(err, NULL)); 303 return false; 304 } 305 else 306 { 307 if (LogLevel > 9) 308 sm_syslog(LOG_INFO, NOQID, 309 "STARTTLS=init, FIPSMode=ok"); 310 } 311 } 312#endif /* _FFR_FIPSMODE */ 313 return bv; |
288} 289/* 290** TLS_SET_VERIFY -- request client certificate? 291** 292** Parameters: 293** ctx -- TLS context 294** ssl -- TLS structure 295** vrfy -- require certificate? --- 408 unchanged lines hidden (view full) --- 704 if ((*ctx = SSL_CTX_new(srv ? SSLv23_server_method() : 705 SSLv23_client_method())) == NULL) 706 { 707 if (LogLevel > 7) 708 sm_syslog(LOG_WARNING, NOQID, 709 "STARTTLS=%s, error: SSL_CTX_new(SSLv23_%s_method()) failed", 710 who, who); 711 if (LogLevel > 9) | 314} 315/* 316** TLS_SET_VERIFY -- request client certificate? 317** 318** Parameters: 319** ctx -- TLS context 320** ssl -- TLS structure 321** vrfy -- require certificate? --- 408 unchanged lines hidden (view full) --- 730 if ((*ctx = SSL_CTX_new(srv ? SSLv23_server_method() : 731 SSLv23_client_method())) == NULL) 732 { 733 if (LogLevel > 7) 734 sm_syslog(LOG_WARNING, NOQID, 735 "STARTTLS=%s, error: SSL_CTX_new(SSLv23_%s_method()) failed", 736 who, who); 737 if (LogLevel > 9) |
712 tlslogerr(who); | 738 tlslogerr(LOG_WARNING, who); |
713 return false; 714 } 715 716# if OPENSSL_VERSION_NUMBER > 0x00907000L 717 if (CRLFile != NULL) 718 { 719 /* get a pointer to the current certificate validation store */ 720 store = SSL_CTX_get_cert_store(*ctx); /* does not fail */ --- 82 unchanged lines hidden (view full) --- 803 ) 804 { 805 if (LogLevel > 7) 806 { 807 sm_syslog(LOG_WARNING, NOQID, 808 "STARTTLS=%s, error: RSA_generate_key failed", 809 who); 810 if (LogLevel > 9) | 739 return false; 740 } 741 742# if OPENSSL_VERSION_NUMBER > 0x00907000L 743 if (CRLFile != NULL) 744 { 745 /* get a pointer to the current certificate validation store */ 746 store = SSL_CTX_get_cert_store(*ctx); /* does not fail */ --- 82 unchanged lines hidden (view full) --- 829 ) 830 { 831 if (LogLevel > 7) 832 { 833 sm_syslog(LOG_WARNING, NOQID, 834 "STARTTLS=%s, error: RSA_generate_key failed", 835 who); 836 if (LogLevel > 9) |
811 tlslogerr(who); | 837 tlslogerr(LOG_WARNING, who); |
812 } 813 return false; 814 } 815# endif /* !TLS_NO_RSA */ 816 817 /* 818 ** load private key 819 ** XXX change this for DSA-only version --- 4 unchanged lines hidden (view full) --- 824 SSL_FILETYPE_PEM) <= 0) 825 { 826 if (LogLevel > 7) 827 { 828 sm_syslog(LOG_WARNING, NOQID, 829 "STARTTLS=%s, error: SSL_CTX_use_PrivateKey_file(%s) failed", 830 who, keyfile); 831 if (LogLevel > 9) | 838 } 839 return false; 840 } 841# endif /* !TLS_NO_RSA */ 842 843 /* 844 ** load private key 845 ** XXX change this for DSA-only version --- 4 unchanged lines hidden (view full) --- 850 SSL_FILETYPE_PEM) <= 0) 851 { 852 if (LogLevel > 7) 853 { 854 sm_syslog(LOG_WARNING, NOQID, 855 "STARTTLS=%s, error: SSL_CTX_use_PrivateKey_file(%s) failed", 856 who, keyfile); 857 if (LogLevel > 9) |
832 tlslogerr(who); | 858 tlslogerr(LOG_WARNING, who); |
833 } 834 if (bitset(TLS_I_USE_KEY, req)) 835 return false; 836 } 837 838 /* get the certificate file */ 839 if (bitset(TLS_S_CERT_OK, status) && 840 SSL_CTX_use_certificate_file(*ctx, certfile, 841 SSL_FILETYPE_PEM) <= 0) 842 { 843 if (LogLevel > 7) 844 { 845 sm_syslog(LOG_WARNING, NOQID, 846 "STARTTLS=%s, error: SSL_CTX_use_certificate_file(%s) failed", 847 who, certfile); 848 if (LogLevel > 9) | 859 } 860 if (bitset(TLS_I_USE_KEY, req)) 861 return false; 862 } 863 864 /* get the certificate file */ 865 if (bitset(TLS_S_CERT_OK, status) && 866 SSL_CTX_use_certificate_file(*ctx, certfile, 867 SSL_FILETYPE_PEM) <= 0) 868 { 869 if (LogLevel > 7) 870 { 871 sm_syslog(LOG_WARNING, NOQID, 872 "STARTTLS=%s, error: SSL_CTX_use_certificate_file(%s) failed", 873 who, certfile); 874 if (LogLevel > 9) |
849 tlslogerr(who); | 875 tlslogerr(LOG_WARNING, who); |
850 } 851 if (bitset(TLS_I_USE_CERT, req)) 852 return false; 853 } 854 855 /* check the private key */ 856 if (bitset(TLS_S_KEY_OK, status) && 857 (r = SSL_CTX_check_private_key(*ctx)) <= 0) 858 { 859 /* Private key does not match the certificate public key */ 860 if (LogLevel > 5) 861 { 862 sm_syslog(LOG_WARNING, NOQID, 863 "STARTTLS=%s, error: SSL_CTX_check_private_key failed(%s): %d", 864 who, keyfile, r); 865 if (LogLevel > 9) | 876 } 877 if (bitset(TLS_I_USE_CERT, req)) 878 return false; 879 } 880 881 /* check the private key */ 882 if (bitset(TLS_S_KEY_OK, status) && 883 (r = SSL_CTX_check_private_key(*ctx)) <= 0) 884 { 885 /* Private key does not match the certificate public key */ 886 if (LogLevel > 5) 887 { 888 sm_syslog(LOG_WARNING, NOQID, 889 "STARTTLS=%s, error: SSL_CTX_check_private_key failed(%s): %d", 890 who, keyfile, r); 891 if (LogLevel > 9) |
866 tlslogerr(who); | 892 tlslogerr(LOG_WARNING, who); |
867 } 868 if (bitset(TLS_I_USE_KEY, req)) 869 return false; 870 } 871 872# if _FFR_TLS_1 873 /* XXX this code is pretty much duplicated from above! */ 874 875 /* load private key */ 876 if (bitset(TLS_S_KEY2_OK, status) && 877 SSL_CTX_use_PrivateKey_file(*ctx, kf2, SSL_FILETYPE_PEM) <= 0) 878 { 879 if (LogLevel > 7) 880 { 881 sm_syslog(LOG_WARNING, NOQID, 882 "STARTTLS=%s, error: SSL_CTX_use_PrivateKey_file(%s) failed", 883 who, kf2); 884 if (LogLevel > 9) | 893 } 894 if (bitset(TLS_I_USE_KEY, req)) 895 return false; 896 } 897 898# if _FFR_TLS_1 899 /* XXX this code is pretty much duplicated from above! */ 900 901 /* load private key */ 902 if (bitset(TLS_S_KEY2_OK, status) && 903 SSL_CTX_use_PrivateKey_file(*ctx, kf2, SSL_FILETYPE_PEM) <= 0) 904 { 905 if (LogLevel > 7) 906 { 907 sm_syslog(LOG_WARNING, NOQID, 908 "STARTTLS=%s, error: SSL_CTX_use_PrivateKey_file(%s) failed", 909 who, kf2); 910 if (LogLevel > 9) |
885 tlslogerr(who); | 911 tlslogerr(LOG_WARNING, who); |
886 } 887 } 888 889 /* get the certificate file */ 890 if (bitset(TLS_S_CERT2_OK, status) && 891 SSL_CTX_use_certificate_file(*ctx, cf2, SSL_FILETYPE_PEM) <= 0) 892 { 893 if (LogLevel > 7) 894 { 895 sm_syslog(LOG_WARNING, NOQID, 896 "STARTTLS=%s, error: SSL_CTX_use_certificate_file(%s) failed", 897 who, cf2); 898 if (LogLevel > 9) | 912 } 913 } 914 915 /* get the certificate file */ 916 if (bitset(TLS_S_CERT2_OK, status) && 917 SSL_CTX_use_certificate_file(*ctx, cf2, SSL_FILETYPE_PEM) <= 0) 918 { 919 if (LogLevel > 7) 920 { 921 sm_syslog(LOG_WARNING, NOQID, 922 "STARTTLS=%s, error: SSL_CTX_use_certificate_file(%s) failed", 923 who, cf2); 924 if (LogLevel > 9) |
899 tlslogerr(who); | 925 tlslogerr(LOG_WARNING, who); |
900 } 901 } 902 903 /* also check the private key */ 904 if (bitset(TLS_S_KEY2_OK, status) && 905 (r = SSL_CTX_check_private_key(*ctx)) <= 0) 906 { 907 /* Private key does not match the certificate public key */ 908 if (LogLevel > 5) 909 { 910 sm_syslog(LOG_WARNING, NOQID, 911 "STARTTLS=%s, error: SSL_CTX_check_private_key 2 failed: %d", 912 who, r); 913 if (LogLevel > 9) | 926 } 927 } 928 929 /* also check the private key */ 930 if (bitset(TLS_S_KEY2_OK, status) && 931 (r = SSL_CTX_check_private_key(*ctx)) <= 0) 932 { 933 /* Private key does not match the certificate public key */ 934 if (LogLevel > 5) 935 { 936 sm_syslog(LOG_WARNING, NOQID, 937 "STARTTLS=%s, error: SSL_CTX_check_private_key 2 failed: %d", 938 who, r); 939 if (LogLevel > 9) |
914 tlslogerr(who); | 940 tlslogerr(LOG_WARNING, who); |
915 } 916 } 917# endif /* _FFR_TLS_1 */ 918 919 /* SSL_CTX_set_quiet_shutdown(*ctx, 1); violation of standard? */ 920 921#if SM_SSL_OP_TLS_BLOCK_PADDING_BUG 922 --- 34 unchanged lines hidden (view full) --- 957 unsigned long err; 958 959 err = ERR_get_error(); 960 sm_syslog(LOG_WARNING, NOQID, 961 "STARTTLS=%s, error: cannot read DH parameters(%s): %s", 962 who, dhparam, 963 ERR_error_string(err, NULL)); 964 if (LogLevel > 9) | 941 } 942 } 943# endif /* _FFR_TLS_1 */ 944 945 /* SSL_CTX_set_quiet_shutdown(*ctx, 1); violation of standard? */ 946 947#if SM_SSL_OP_TLS_BLOCK_PADDING_BUG 948 --- 34 unchanged lines hidden (view full) --- 983 unsigned long err; 984 985 err = ERR_get_error(); 986 sm_syslog(LOG_WARNING, NOQID, 987 "STARTTLS=%s, error: cannot read DH parameters(%s): %s", 988 who, dhparam, 989 ERR_error_string(err, NULL)); 990 if (LogLevel > 9) |
965 tlslogerr(who); | 991 tlslogerr(LOG_WARNING, who); |
966 } 967 } 968 else 969 { 970 if (LogLevel > 5) 971 { 972 sm_syslog(LOG_WARNING, NOQID, 973 "STARTTLS=%s, error: BIO_new_file(%s) failed", 974 who, dhparam); 975 if (LogLevel > 9) | 992 } 993 } 994 else 995 { 996 if (LogLevel > 5) 997 { 998 sm_syslog(LOG_WARNING, NOQID, 999 "STARTTLS=%s, error: BIO_new_file(%s) failed", 1000 who, dhparam); 1001 if (LogLevel > 9) |
976 tlslogerr(who); | 1002 tlslogerr(LOG_WARNING, who); |
977 } 978 } 979 } 980 if (dh == NULL && bitset(TLS_I_DH1024, req)) 981 { 982 DSA *dsa; 983 984 /* this takes a while! (7-130s on a 450MHz AMD K6-2) */ --- 99 unchanged lines hidden (view full) --- 1084 ** if we want to allow relaying based on it. 1085 */ 1086 if (LogLevel > 5) 1087 { 1088 sm_syslog(LOG_WARNING, NOQID, 1089 "STARTTLS=%s, error: load verify locs %s, %s failed: %d", 1090 who, cacertpath, cacertfile, r); 1091 if (LogLevel > 9) | 1003 } 1004 } 1005 } 1006 if (dh == NULL && bitset(TLS_I_DH1024, req)) 1007 { 1008 DSA *dsa; 1009 1010 /* this takes a while! (7-130s on a 450MHz AMD K6-2) */ --- 99 unchanged lines hidden (view full) --- 1110 ** if we want to allow relaying based on it. 1111 */ 1112 if (LogLevel > 5) 1113 { 1114 sm_syslog(LOG_WARNING, NOQID, 1115 "STARTTLS=%s, error: load verify locs %s, %s failed: %d", 1116 who, cacertpath, cacertfile, r); 1117 if (LogLevel > 9) |
1092 tlslogerr(who); | 1118 tlslogerr(LOG_WARNING, who); |
1093 } 1094 if (bitset(TLS_I_VRFY_LOC, req)) 1095 return false; 1096 } 1097 } 1098 1099 /* XXX: make this dependent on an option? */ 1100 if (tTd(96, 9)) --- 7 unchanged lines hidden (view full) --- 1108 { 1109 if (LogLevel > 7) 1110 { 1111 sm_syslog(LOG_WARNING, NOQID, 1112 "STARTTLS=%s, error: SSL_CTX_set_cipher_list(%s) failed, list ignored", 1113 who, CipherList); 1114 1115 if (LogLevel > 9) | 1119 } 1120 if (bitset(TLS_I_VRFY_LOC, req)) 1121 return false; 1122 } 1123 } 1124 1125 /* XXX: make this dependent on an option? */ 1126 if (tTd(96, 9)) --- 7 unchanged lines hidden (view full) --- 1134 { 1135 if (LogLevel > 7) 1136 { 1137 sm_syslog(LOG_WARNING, NOQID, 1138 "STARTTLS=%s, error: SSL_CTX_set_cipher_list(%s) failed, list ignored", 1139 who, CipherList); 1140 1141 if (LogLevel > 9) |
1116 tlslogerr(who); | 1142 tlslogerr(LOG_WARNING, who); |
1117 } 1118 /* failure if setting to this list is required? */ 1119 } 1120 } 1121# endif /* _FFR_TLS_1 */ 1122 if (LogLevel > 12) 1123 sm_syslog(LOG_INFO, NOQID, "STARTTLS=%s, init=%d", who, ok); 1124 --- 247 unchanged lines hidden (view full) --- 1372 1373 if ((r = SSL_shutdown(ssl)) < 0) 1374 { 1375 if (LogLevel > 11) 1376 { 1377 sm_syslog(LOG_WARNING, NOQID, 1378 "STARTTLS=%s, SSL_shutdown failed: %d", 1379 side, r); | 1143 } 1144 /* failure if setting to this list is required? */ 1145 } 1146 } 1147# endif /* _FFR_TLS_1 */ 1148 if (LogLevel > 12) 1149 sm_syslog(LOG_INFO, NOQID, "STARTTLS=%s, init=%d", who, ok); 1150 --- 247 unchanged lines hidden (view full) --- 1398 1399 if ((r = SSL_shutdown(ssl)) < 0) 1400 { 1401 if (LogLevel > 11) 1402 { 1403 sm_syslog(LOG_WARNING, NOQID, 1404 "STARTTLS=%s, SSL_shutdown failed: %d", 1405 side, r); |
1380 tlslogerr(side); | 1406 tlslogerr(LOG_WARNING, side); |
1381 } 1382 ret = EX_SOFTWARE; 1383 } 1384# if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER > 0x0090602fL 1385 1386 /* 1387 ** Bug in OpenSSL (at least up to 0.9.6b): 1388 ** From: Lutz.Jaenicke@aet.TU-Cottbus.DE --- 32 unchanged lines hidden (view full) --- 1421 1422 else if (r == 0) 1423 { 1424 if (LogLevel > 15) 1425 { 1426 sm_syslog(LOG_WARNING, NOQID, 1427 "STARTTLS=%s, SSL_shutdown not done", 1428 side); | 1407 } 1408 ret = EX_SOFTWARE; 1409 } 1410# if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER > 0x0090602fL 1411 1412 /* 1413 ** Bug in OpenSSL (at least up to 0.9.6b): 1414 ** From: Lutz.Jaenicke@aet.TU-Cottbus.DE --- 32 unchanged lines hidden (view full) --- 1447 1448 else if (r == 0) 1449 { 1450 if (LogLevel > 15) 1451 { 1452 sm_syslog(LOG_WARNING, NOQID, 1453 "STARTTLS=%s, SSL_shutdown not done", 1454 side); |
1429 tlslogerr(side); | 1455 tlslogerr(LOG_WARNING, side); |
1430 } 1431 ret = EX_SOFTWARE; 1432 } 1433# endif /* !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER > 0x0090602fL */ 1434 SSL_free(ssl); 1435 ssl = NULL; 1436 } 1437 return ret; --- 216 unchanged lines hidden (view full) --- 1654 return tls_verify_log(ok, ctx, "TLS"); 1655 } 1656 return 1; 1657} 1658/* 1659** TLSLOGERR -- log the errors from the TLS error stack 1660** 1661** Parameters: | 1456 } 1457 ret = EX_SOFTWARE; 1458 } 1459# endif /* !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER > 0x0090602fL */ 1460 SSL_free(ssl); 1461 ssl = NULL; 1462 } 1463 return ret; --- 216 unchanged lines hidden (view full) --- 1680 return tls_verify_log(ok, ctx, "TLS"); 1681 } 1682 return 1; 1683} 1684/* 1685** TLSLOGERR -- log the errors from the TLS error stack 1686** 1687** Parameters: |
1688** level -- syslog level |
|
1662** who -- server/client (for logging). 1663** 1664** Returns: 1665** none. 1666*/ 1667 1668void | 1689** who -- server/client (for logging). 1690** 1691** Returns: 1692** none. 1693*/ 1694 1695void |
1669tlslogerr(who) | 1696tlslogerr(level, who) 1697 int level; |
1670 const char *who; 1671{ 1672 unsigned long l; 1673 int line, flags; 1674 unsigned long es; 1675 char *file, *data; 1676 char buf[256]; 1677# define CP (const char **) 1678 1679 es = CRYPTO_thread_id(); 1680 while ((l = ERR_get_error_line_data(CP &file, &line, CP &data, &flags)) 1681 != 0) 1682 { | 1698 const char *who; 1699{ 1700 unsigned long l; 1701 int line, flags; 1702 unsigned long es; 1703 char *file, *data; 1704 char buf[256]; 1705# define CP (const char **) 1706 1707 es = CRYPTO_thread_id(); 1708 while ((l = ERR_get_error_line_data(CP &file, &line, CP &data, &flags)) 1709 != 0) 1710 { |
1683 sm_syslog(LOG_WARNING, NOQID, | 1711 sm_syslog(level, NOQID, |
1684 "STARTTLS=%s: %lu:%s:%s:%d:%s", who, es, 1685 ERR_error_string(l, buf), 1686 file, line, 1687 bitset(ERR_TXT_STRING, flags) ? data : ""); 1688 } 1689} 1690 1691# if OPENSSL_VERSION_NUMBER > 0x00907000L --- 30 unchanged lines hidden --- | 1712 "STARTTLS=%s: %lu:%s:%s:%d:%s", who, es, 1713 ERR_error_string(l, buf), 1714 file, line, 1715 bitset(ERR_TXT_STRING, flags) ? data : ""); 1716 } 1717} 1718 1719# if OPENSSL_VERSION_NUMBER > 0x00907000L --- 30 unchanged lines hidden --- |
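Review bot: In the new `init_tls_library` (right column, lines 290–313) a `fipsmode` request is silently dropped when the build lacks `_FFR_FIPSMODE`: the parameter is then unused and the function returns `bv` as success, so a configuration that asked for FIPS mode ends up with a non-FIPS TLS stack and nothing in the log says so. An `#else` branch that records the refusal closes that gap, e.g. `#else /* _FFR_FIPSMODE */` followed by `if (fipsmode && LogLevel > 0) sm_syslog(LOG_WARNING, NOQID, "STARTTLS=init, FIPSMode=not compiled in");`, or `return false;` if a requested-but-unavailable FIPS mode should count as an initialization failure (the caller's expectation decides that); it also quiets an unused-parameter warning. As a point of style, the closing `#endif /* _FFR_FIPSMODE */` sits at column 0 while the surrounding conditionals in this file use the `# if` / `# endif` indentation. It may also be worth confirming that calling `FIPS_mode_set(1)` after `SSL_library_init()` and `SSL_load_error_strings()` satisfies the ordering the OpenSSL FIPS module documents for entering FIPS mode.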