contrib/sendmail/src/tls.c

   1 /*
   2  * Copyright (c) 2000-2006, 2008, 2009, 2011, 2013-2016 Proofpoint, Inc. and its suppliers.
   3  *      All rights reserved.
   4  *
   5  * By using this file, you agree to the terms and conditions set
   6  * forth in the LICENSE file which can be found at the top level of
   7  * the sendmail distribution.
   8  *
   9  */
  10
  11 #include <sendmail.h>
  12
  13 SM_RCSID("@(#)$Id: tls.c,v 8.127 2013-11-27 02:51:11 gshapiro Exp $")
  14
  15 #if STARTTLS
  16 # include <openssl/err.h>
  17 # include <openssl/bio.h>
  18 # include <openssl/pem.h>
  19 # ifndef HASURANDOMDEV
  20 #  include <openssl/rand.h>
  21 # endif
  22 # include <openssl/engine.h>
  23 # if _FFR_TLS_ALTNAMES
  24 #  include <openssl/x509v3.h>
  25 # endif
  26 # include <tls.h>
  27
  28 # if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER <= 0x00907000L
  29 #  error "OpenSSL versions <= 0x00907000L are unsupported."
  30 # endif
  31
  32 # if DANE && OPENSSL_VERSION_NUMBER == 0x30200000L
  33 #  error OpenSSL 3.2.0 has a bug related to DANE
  34 #  error see https://github.com/openssl/openssl/pull/22821
  35 # endif
  36
  37 /*
  38 **  *SSL version numbers:
  39 **  OpenSSL 0.9 - 1.1 (so far), 3.[012]
  40 **  LibreSSL 2.0 (0x20000000L - part of "These will never change")
  41 */
  42
  43 # if (OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < 0x20000000L) || OPENSSL_VERSION_NUMBER >= 0x30000000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070000fL)
  44 #  define MTA_HAVE_DH_set0_pqg 1
  45 #  define MTA_HAVE_DSA_GENERATE_EX      1
  46 #  define MTA_HAVE_OPENSSL_init_ssl     1
  47 #  define MTA_ASN1_STRING_data ASN1_STRING_get0_data
  48 #  include <openssl/bn.h>
  49 #  include <openssl/dsa.h>
  50 # else
  51 #  define X509_STORE_CTX_get0_cert(ctx) (ctx)->cert
  52 #  define MTA_RSA_TMP_CB        1
  53 #  define MTA_ASN1_STRING_data ASN1_STRING_data
  54 # endif
  55
  56 /* Is this ok or use HAVE_SSL_get1_peer_certificate instead? */
  57 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
  58 # define MTA_SSL_get_peer_certificate SSL_get1_peer_certificate
  59
  60 # ifndef HAVE_ERR_get_error_all
  61 #  define HAVE_ERR_get_error_all 1
  62 # endif
  63
  64 /* use SSL_CTX_set_dh_auto()?  which versions provide it? */
  65 # define MTA_DH_AUTO    1
  66 #else
  67 # define MTA_SSL_get_peer_certificate SSL_get_peer_certificate
  68 # define MTA_DH_AUTO    0
  69 #endif
  70
  71 #if HAVE_ERR_get_error_all
  72 # define MTA_SSL_ERR_get(f, l, d, fl, fct) ERR_get_error_all(f, l, fct, d, fl)
  73 #else /* if HAVE_ERR_get_error_line_data ? */
  74 # define MTA_SSL_ERR_get(f, l, d, fl, fct) ERR_get_error_line_data(f, l, d, fl)
  75 #endif
  76
  77 # if !TLS_NO_RSA && MTA_RSA_TMP_CB
  78 static RSA *rsa_tmp = NULL;     /* temporary RSA key */
  79 static RSA *tmp_rsa_key __P((SSL *, int, int));
  80 # endif
  81 static int      tls_verify_cb __P((X509_STORE_CTX *, void *));
  82
  83 static int x509_verify_cb __P((int, X509_STORE_CTX *));
  84
  85 static void     apps_ssl_info_cb __P((const SSL *, int, int));
  86 static bool     tls_ok_f __P((char *, char *, int));
  87 static bool     tls_safe_f __P((char *, long, bool));
  88 static int      tls_verify_log __P((int, X509_STORE_CTX *, const char *));
  89
  90 int TLSsslidx = -1;
  91
  92 # if !NO_DH
  93 # include <openssl/dh.h>
  94 static DH *get_dh512 __P((void));
  95
  96 static unsigned char dh512_p[] =
  97 {
  98         0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
  99         0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
 100         0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
 101         0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
 102         0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
 103         0x47,0x74,0xE8,0x33
 104 };
 105 static unsigned char dh512_g[] =
 106 {
 107         0x02
 108 };
 109
 110 static DH *
 111 get_dh512()
 112 {
 113         DH *dh = NULL;
 114 #  if MTA_HAVE_DH_set0_pqg
 115         BIGNUM *dhp_bn, *dhg_bn;
 116 #  endif
 117
 118         if ((dh = DH_new()) == NULL)
 119                 return NULL;
 120 #  if MTA_HAVE_DH_set0_pqg
 121         dhp_bn = BN_bin2bn(dh512_p, sizeof (dh512_p), NULL);
 122         dhg_bn = BN_bin2bn(dh512_g, sizeof (dh512_g), NULL);
 123         if (dhp_bn == NULL || dhg_bn == NULL || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn))  {
 124                 DH_free(dh);
 125                 BN_free(dhp_bn);
 126                 BN_free(dhg_bn);
 127                 return NULL;
 128         }
 129 #  else
 130         dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
 131         dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
 132         if ((dh->p == NULL) || (dh->g == NULL))
 133         {
 134                 DH_free(dh);
 135                 return NULL;
 136         }
 137 #  endif
 138         return dh;
 139 }
 140
 141 #  if 0
 142
 143 This is the data from which the C code has been generated:
 144
 145 -----BEGIN DH PARAMETERS-----
 146 MIIBCAKCAQEArDcgcLpxEksQHPlolRKCUJ2szKRziseWV9cUSQNZGxoGw7KkROz4
 147 HF9QSbg5axyNIG+QbZYtx0jp3l6/GWq1dLOj27yZkgYgaYgFrvKPiZ2jJ5xETQVH
 148 UpZwbjRcyjyWkWYJVsx1aF4F/iY4kT0n/+iGEoimI3C9V3KXTJ2S6jIkyJ6M/CrN
 149 EtrDynMlUMGlc7S1ouXVOTrtKeqy3S2L9eBLxVI+sChEijGIfELupdVeXihK006p
 150 MgnABPDbkTx6OOtYmSZaGQX+OLW2FPmwvcrzgCz9t9cAsuUcBZv1LeHEqZZttyLU
 151 oK0jjSXgFyeU4/NfyA+zuNeWzUL6bHmigwIBAg==
 152 -----END DH PARAMETERS-----
 153 #  endif /* 0 */
 154
 155 static DH *
 156 get_dh2048()
 157 {
 158         static unsigned char dh2048_p[]={
 159                 0xAC,0x37,0x20,0x70,0xBA,0x71,0x12,0x4B,0x10,0x1C,0xF9,0x68,
 160                 0x95,0x12,0x82,0x50,0x9D,0xAC,0xCC,0xA4,0x73,0x8A,0xC7,0x96,
 161                 0x57,0xD7,0x14,0x49,0x03,0x59,0x1B,0x1A,0x06,0xC3,0xB2,0xA4,
 162                 0x44,0xEC,0xF8,0x1C,0x5F,0x50,0x49,0xB8,0x39,0x6B,0x1C,0x8D,
 163                 0x20,0x6F,0x90,0x6D,0x96,0x2D,0xC7,0x48,0xE9,0xDE,0x5E,0xBF,
 164                 0x19,0x6A,0xB5,0x74,0xB3,0xA3,0xDB,0xBC,0x99,0x92,0x06,0x20,
 165                 0x69,0x88,0x05,0xAE,0xF2,0x8F,0x89,0x9D,0xA3,0x27,0x9C,0x44,
 166                 0x4D,0x05,0x47,0x52,0x96,0x70,0x6E,0x34,0x5C,0xCA,0x3C,0x96,
 167                 0x91,0x66,0x09,0x56,0xCC,0x75,0x68,0x5E,0x05,0xFE,0x26,0x38,
 168                 0x91,0x3D,0x27,0xFF,0xE8,0x86,0x12,0x88,0xA6,0x23,0x70,0xBD,
 169                 0x57,0x72,0x97,0x4C,0x9D,0x92,0xEA,0x32,0x24,0xC8,0x9E,0x8C,
 170                 0xFC,0x2A,0xCD,0x12,0xDA,0xC3,0xCA,0x73,0x25,0x50,0xC1,0xA5,
 171                 0x73,0xB4,0xB5,0xA2,0xE5,0xD5,0x39,0x3A,0xED,0x29,0xEA,0xB2,
 172                 0xDD,0x2D,0x8B,0xF5,0xE0,0x4B,0xC5,0x52,0x3E,0xB0,0x28,0x44,
 173                 0x8A,0x31,0x88,0x7C,0x42,0xEE,0xA5,0xD5,0x5E,0x5E,0x28,0x4A,
 174                 0xD3,0x4E,0xA9,0x32,0x09,0xC0,0x04,0xF0,0xDB,0x91,0x3C,0x7A,
 175                 0x38,0xEB,0x58,0x99,0x26,0x5A,0x19,0x05,0xFE,0x38,0xB5,0xB6,
 176                 0x14,0xF9,0xB0,0xBD,0xCA,0xF3,0x80,0x2C,0xFD,0xB7,0xD7,0x00,
 177                 0xB2,0xE5,0x1C,0x05,0x9B,0xF5,0x2D,0xE1,0xC4,0xA9,0x96,0x6D,
 178                 0xB7,0x22,0xD4,0xA0,0xAD,0x23,0x8D,0x25,0xE0,0x17,0x27,0x94,
 179                 0xE3,0xF3,0x5F,0xC8,0x0F,0xB3,0xB8,0xD7,0x96,0xCD,0x42,0xFA,
 180                 0x6C,0x79,0xA2,0x83,
 181                 };
 182         static unsigned char dh2048_g[]={ 0x02, };
 183         DH *dh;
 184 #  if MTA_HAVE_DH_set0_pqg
 185         BIGNUM *dhp_bn, *dhg_bn;
 186 #  endif
 187
 188         if ((dh=DH_new()) == NULL)
 189                 return(NULL);
 190 #  if MTA_HAVE_DH_set0_pqg
 191         dhp_bn = BN_bin2bn(dh2048_p, sizeof (dh2048_p), NULL);
 192         dhg_bn = BN_bin2bn(dh2048_g, sizeof (dh2048_g), NULL);
 193         if (dhp_bn == NULL || dhg_bn == NULL || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn))  {
 194                 DH_free(dh);
 195                 BN_free(dhp_bn);
 196                 BN_free(dhg_bn);
 197                 return NULL;
 198         }
 199 #  else
 200         dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
 201         dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
 202         if ((dh->p == NULL) || (dh->g == NULL))
 203         {
 204                 DH_free(dh);
 205                 return(NULL);
 206         }
 207 #  endif
 208         return(dh);
 209 }
 210 # endif /* !NO_DH */
 211
 212 /*
 213 **  TLS_RAND_INIT -- initialize STARTTLS random generator
 214 **
 215 **      Parameters:
 216 **              randfile -- name of file with random data
 217 **              logl -- loglevel
 218 **
 219 **      Returns:
 220 **              success/failure
 221 **
 222 **      Side Effects:
 223 **              initializes PRNG for tls library.
 224 */
 225
 226 # define MIN_RAND_BYTES 128     /* 1024 bits */
 227
 228 # define RF_OK          0       /* randfile OK */
 229 # define RF_MISS        1       /* randfile == NULL || *randfile == '\0' */
 230 # define RF_UNKNOWN     2       /* unknown prefix for randfile */
 231
 232 # define RI_NONE        0       /* no init yet */
 233 # define RI_SUCCESS     1       /* init was successful */
 234 # define RI_FAIL        2       /* init failed */
 235
 236 static bool     tls_rand_init __P((char *, int));
 237
 238 static bool
 239 tls_rand_init(randfile, logl)
 240         char *randfile;
 241         int logl;
 242 {
 243 # ifndef HASURANDOMDEV
 244         /* not required if /dev/urandom exists, OpenSSL does it internally */
 245
 246         bool ok;
 247         int randdef;
 248         static int done = RI_NONE;
 249
 250         /*
 251         **  initialize PRNG
 252         */
 253
 254         /* did we try this before? if yes: return old value */
 255         if (done != RI_NONE)
 256                 return done == RI_SUCCESS;
 257
 258         /* set default values */
 259         ok = false;
 260         done = RI_FAIL;
 261         randdef = (SM_IS_EMPTY(randfile)) ? RF_MISS : RF_OK;
 262 #  if EGD
 263         if (randdef == RF_OK && sm_strncasecmp(randfile, "egd:", 4) == 0)
 264         {
 265                 randfile += 4;
 266                 if (RAND_egd(randfile) < 0)
 267                 {
 268                         sm_syslog(LOG_WARNING, NOQID,
 269                                   "STARTTLS: RAND_egd(%s) failed: random number generator not seeded",
 270                                    randfile);
 271                 }
 272                 else
 273                         ok = true;
 274         }
 275         else
 276 #  endif /* EGD */
 277         /* "else" in #if code above */
 278         if (randdef == RF_OK && sm_strncasecmp(randfile, "file:", 5) == 0)
 279         {
 280                 int fd;
 281                 long sff;
 282                 struct stat st;
 283
 284                 randfile += 5;
 285                 sff = SFF_SAFEDIRPATH | SFF_NOWLINK
 286                       | SFF_NOGWFILES | SFF_NOWWFILES
 287                       | SFF_NOGRFILES | SFF_NOWRFILES
 288                       | SFF_MUSTOWN | SFF_ROOTOK | SFF_OPENASROOT;
 289                 if (DontLockReadFiles)
 290                         sff |= SFF_NOLOCK;
 291                 if ((fd = safeopen(randfile, O_RDONLY, 0, sff)) >= 0)
 292                 {
 293                         if (fstat(fd, &st) < 0)
 294                         {
 295                                 if (LogLevel > logl)
 296                                         sm_syslog(LOG_ERR, NOQID,
 297                                                   "STARTTLS: can't fstat(%s)",
 298                                                   randfile);
 299                         }
 300                         else
 301                         {
 302                                 bool use, problem;
 303
 304                                 use = true;
 305                                 problem = false;
 306
 307                                 /* max. age of file: 10 minutes */
 308                                 if (st.st_mtime + 600 < curtime())
 309                                 {
 310                                         use = bitnset(DBS_INSUFFICIENTENTROPY,
 311                                                       DontBlameSendmail);
 312                                         problem = true;
 313                                         if (LogLevel > logl)
 314                                                 sm_syslog(LOG_ERR, NOQID,
 315                                                           "STARTTLS: RandFile %s too old: %s",
 316                                                           randfile,
 317                                                           use ? "unsafe" :
 318                                                                 "unusable");
 319                                 }
 320                                 if (use && st.st_size < MIN_RAND_BYTES)
 321                                 {
 322                                         use = bitnset(DBS_INSUFFICIENTENTROPY,
 323                                                       DontBlameSendmail);
 324                                         problem = true;
 325                                         if (LogLevel > logl)
 326                                                 sm_syslog(LOG_ERR, NOQID,
 327                                                           "STARTTLS: size(%s) < %d: %s",
 328                                                           randfile,
 329                                                           MIN_RAND_BYTES,
 330                                                           use ? "unsafe" :
 331                                                                 "unusable");
 332                                 }
 333                                 if (use)
 334                                         ok = RAND_load_file(randfile, -1) >=
 335                                              MIN_RAND_BYTES;
 336                                 if (use && !ok)
 337                                 {
 338                                         if (LogLevel > logl)
 339                                                 sm_syslog(LOG_WARNING, NOQID,
 340                                                           "STARTTLS: RAND_load_file(%s) failed: random number generator not seeded",
 341                                                           randfile);
 342                                 }
 343                                 if (problem)
 344                                         ok = false;
 345                         }
 346                         if (ok || bitnset(DBS_INSUFFICIENTENTROPY,
 347                                           DontBlameSendmail))
 348                         {
 349                                 /* add this even if fstat() failed */
 350                                 RAND_seed((void *) &st, sizeof(st));
 351                         }
 352                         (void) close(fd);
 353                 }
 354                 else
 355                 {
 356                         if (LogLevel > logl)
 357                                 sm_syslog(LOG_WARNING, NOQID,
 358                                           "STARTTLS: Warning: safeopen(%s) failed",
 359                                           randfile);
 360                 }
 361         }
 362         else if (randdef == RF_OK)
 363         {
 364                 if (LogLevel > logl)
 365                         sm_syslog(LOG_WARNING, NOQID,
 366                                   "STARTTLS: Error: no proper random file definition %s",
 367                                   randfile);
 368                 randdef = RF_UNKNOWN;
 369         }
 370         if (randdef == RF_MISS)
 371         {
 372                 if (LogLevel > logl)
 373                         sm_syslog(LOG_WARNING, NOQID,
 374                                   "STARTTLS: Error: missing random file definition");
 375         }
 376         if (!ok && bitnset(DBS_INSUFFICIENTENTROPY, DontBlameSendmail))
 377         {
 378                 int i;
 379                 long r;
 380                 unsigned char buf[MIN_RAND_BYTES];
 381
 382                 /* assert((MIN_RAND_BYTES % sizeof(long)) == 0); */
 383                 for (i = 0; i <= sizeof(buf) - sizeof(long); i += sizeof(long))
 384                 {
 385                         r = get_random();
 386                         (void) memcpy(buf + i, (void *) &r, sizeof(long));
 387                 }
 388                 RAND_seed(buf, sizeof(buf));
 389                 if (LogLevel > logl)
 390                         sm_syslog(LOG_WARNING, NOQID,
 391                                   "STARTTLS: Warning: random number generator not properly seeded");
 392                 ok = true;
 393         }
 394         done = ok ? RI_SUCCESS : RI_FAIL;
 395         return ok;
 396 # else /* ! HASURANDOMDEV */
 397         return true;
 398 # endif /* ! HASURANDOMDEV */
 399 }
 400
 401 /*
 402 **  INIT_TLS_LIBRARY -- Calls functions which set up TLS library for global use.
 403 **
 404 **      Parameters:
 405 **              fipsmode -- use FIPS?
 406 **
 407 **      Returns:
 408 **              0: OK
 409 **              <0: perm.fail
 410 **              >0: fail but can continue
 411 */
 412
 413 int
 414 init_tls_library(fipsmode)
 415         bool fipsmode;
 416 {
 417         bool bv;
 418
 419 # if _FFR_FIPSMODE
 420         if (fipsmode && CertFingerprintAlgorithm == NULL)
 421                 CertFingerprintAlgorithm = "sha1";
 422 #  if OPENSSL_VERSION_NUMBER >= 0x30000000L
 423         if (LogLevel > 12)
 424                 sm_syslog(LOG_DEBUG, NOQID,
 425                         "fipsmode=%d, evp_is_FIPS=%d", fipsmode,
 426                         EVP_default_properties_is_fips_enabled(NULL));
 427 #  endif
 428 # endif /* _FFR_FIPSMODE  */
 429
 430         /*
 431         **  OPENSSL_init_ssl(3): "As of version 1.1.0 OpenSSL will
 432         **  automatically allocate all resources that it needs
 433         **  so no explicit initialisation is required."
 434         */
 435
 436 # if !MTA_HAVE_OPENSSL_init_ssl
 437         /* basic TLS initialization, ignore result for now */
 438         SSL_library_init();
 439         SSL_load_error_strings();
 440         OpenSSL_add_all_algorithms();
 441 # endif
 442
 443         bv = true;
 444         if (TLSsslidx < 0)
 445         {
 446                 TLSsslidx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
 447                 if (TLSsslidx < 0)
 448                 {
 449                         if (LogLevel > 0)
 450                                 sm_syslog(LOG_ERR, NOQID,
 451                                         "STARTTLS=init, SSL_get_ex_new_index=%d",
 452                                         TLSsslidx);
 453                         bv = false;
 454                 }
 455         }
 456
 457         if (bv)
 458                 bv = tls_rand_init(RandFile, 7);
 459 # if _FFR_FIPSMODE && OPENSSL_VERSION_NUMBER < 0x30000000L
 460         if (bv && fipsmode)
 461         {
 462                 if (!FIPS_mode_set(1))
 463                 {
 464                         unsigned long err;
 465
 466                         err = ERR_get_error();
 467                         if (LogLevel > 0)
 468                                 sm_syslog(LOG_ERR, NOQID,
 469                                         "STARTTLS=init, FIPSMode=%s",
 470                                         ERR_error_string(err, NULL));
 471                         return -1;
 472                 }
 473                 else if (LogLevel > 9)
 474                 {
 475                         sm_syslog(LOG_INFO, NOQID,
 476                                 "STARTTLS=init, FIPSMode=ok");
 477                 }
 478         }
 479 # endif /* _FFR_FIPSMODE && OPENSSL_VERSION_NUMBER < 0x30000000L */
 480
 481         if (!TLS_set_engine(SSLEngine, true))
 482         {
 483                 if (LogLevel > 0)
 484                         sm_syslog(LOG_ERR, NOQID,
 485                                   "STARTTLS=init, engine=%s, TLS_set_engine=failed",
 486                                   SSLEngine);
 487                 return -1;
 488         }
 489
 490         if (bv && CertFingerprintAlgorithm != NULL)
 491         {
 492                 const EVP_MD *md;
 493
 494                 md = EVP_get_digestbyname(CertFingerprintAlgorithm);
 495                 if (NULL == md)
 496                 {
 497                         bv = false;
 498                         if (LogLevel > 0)
 499                                 sm_syslog(LOG_ERR, NOQID,
 500                                         "STARTTLS=init, CertFingerprintAlgorithm=%s, status=invalid"
 501                                         , CertFingerprintAlgorithm);
 502                 }
 503                 else
 504                         EVP_digest = md;
 505         }
 506         return bv ? 0 : 1;
 507 }
 508
 509 /*
 510 **  TLS_SET_VERIFY -- request client certificate?
 511 **
 512 **      Parameters:
 513 **              ctx -- TLS context
 514 **              ssl -- TLS session context
 515 **              vrfy -- request certificate?
 516 **
 517 **      Returns:
 518 **              none.
 519 **
 520 **      Side Effects:
 521 **              Sets verification state for TLS
 522 **
 523 # if TLS_VRFY_PER_CTX
 524 **      Notice:
 525 **              This is per TLS context, not per TLS structure;
 526 **              the former is global, the latter per connection.
 527 **              It would be nice to do this per connection, but this
 528 **              doesn't work in the current TLS libraries :-(
 529 # endif * TLS_VRFY_PER_CTX *
 530 */
 531
 532 void
 533 tls_set_verify(ctx, ssl, vrfy)
 534         SSL_CTX *ctx;
 535         SSL *ssl;
 536         bool vrfy;
 537 {
 538 # if !TLS_VRFY_PER_CTX
 539         SSL_set_verify(ssl, vrfy ? SSL_VERIFY_PEER : SSL_VERIFY_NONE, NULL);
 540 # else
 541         SSL_CTX_set_verify(ctx, vrfy ? SSL_VERIFY_PEER : SSL_VERIFY_NONE,
 542                         NULL);
 543 # endif
 544 }
 545
 546 /*
 547 **  status in initialization
 548 **  these flags keep track of the status of the initialization
 549 **  i.e., whether a file exists (_EX) and whether it can be used (_OK)
 550 **  [due to permissions]
 551 */
 552
 553 # define TLS_S_NONE     0x00000000      /* none yet */
 554 # define TLS_S_CERT_EX  0x00000001      /* cert file exists */
 555 # define TLS_S_CERT_OK  0x00000002      /* cert file is ok */
 556 # define TLS_S_KEY_EX   0x00000004      /* key file exists */
 557 # define TLS_S_KEY_OK   0x00000008      /* key file is ok */
 558 # define TLS_S_CERTP_EX 0x00000010      /* CA cert path exists */
 559 # define TLS_S_CERTP_OK 0x00000020      /* CA cert path is ok */
 560 # define TLS_S_CERTF_EX 0x00000040      /* CA cert file exists */
 561 # define TLS_S_CERTF_OK 0x00000080      /* CA cert file is ok */
 562 # define TLS_S_CRLF_EX  0x00000100      /* CRL file exists */
 563 # define TLS_S_CRLF_OK  0x00000200      /* CRL file is ok */
 564
 565 # define TLS_S_CERT2_EX 0x00001000      /* 2nd cert file exists */
 566 # define TLS_S_CERT2_OK 0x00002000      /* 2nd cert file is ok */
 567 # define TLS_S_KEY2_EX  0x00004000      /* 2nd key file exists */
 568 # define TLS_S_KEY2_OK  0x00008000      /* 2nd key file is ok */
 569
 570 # define TLS_S_DH_OK    0x00200000      /* DH cert is ok */
 571 # define TLS_S_DHPAR_EX 0x00400000      /* DH param file exists */
 572 # define TLS_S_DHPAR_OK 0x00800000      /* DH param file is ok to use */
 573
 574 /* Type of variable */
 575 # define TLS_T_OTHER    0
 576 # define TLS_T_SRV      1
 577 # define TLS_T_CLT      2
 578
 579 /*
 580 **  TLS_OK_F -- can var be an absolute filename?
 581 **
 582 **      Parameters:
 583 **              var -- filename
 584 **              fn -- what is the filename used for?
 585 **              type -- type of variable
 586 **
 587 **      Returns:
 588 **              ok?
 589 */
 590
 591 static bool
 592 tls_ok_f(var, fn, type)
 593         char *var;
 594         char *fn;
 595         int type;
 596 {
 597         /* must be absolute pathname */
 598         if (var != NULL && *var == '/')
 599                 return true;
 600         if (LogLevel > 12)
 601                 sm_syslog(LOG_WARNING, NOQID, "STARTTLS: %s%s missing",
 602                           type == TLS_T_SRV ? "Server" :
 603                           (type == TLS_T_CLT ? "Client" : ""), fn);
 604         return false;
 605 }
 606 /*
 607 **  TLS_SAFE_F -- is a file safe to use?
 608 **
 609 **      Parameters:
 610 **              var -- filename
 611 **              sff -- flags for safefile()
 612 **              srv -- server side?
 613 **
 614 **      Returns:
 615 **              ok?
 616 */
 617
 618 static bool
 619 tls_safe_f(var, sff, srv)
 620         char *var;
 621         long sff;
 622         bool srv;
 623 {
 624         int ret;
 625
 626         if ((ret = safefile(var, RunAsUid, RunAsGid, RunAsUserName, sff,
 627                             S_IRUSR, NULL)) == 0)
 628                 return true;
 629         if (LogLevel > 7)
 630                 sm_syslog(LOG_WARNING, NOQID, "STARTTLS=%s: file %s unsafe: %s",
 631                           srv ? "server" : "client", var, sm_errstring(ret));
 632         return false;
 633 }
 634
 635 /*
 636 **  TLS_OK_F -- macro to simplify calls to tls_ok_f
 637 **
 638 **      Parameters:
 639 **              var -- filename
 640 **              fn -- what is the filename used for?
 641 **              req -- is the file required?
 642 **              st -- status bit to set if ok
 643 **              type -- type of variable
 644 **
 645 **      Side Effects:
 646 **              uses r, ok; may change ok and status.
 647 **
 648 */
 649
 650 # define TLS_OK_F(var, fn, req, st, type) if (ok) \
 651         { \
 652                 r = tls_ok_f(var, fn, type); \
 653                 if (r) \
 654                         status |= st; \
 655                 else if (req) \
 656                         ok = false; \
 657         }
 658
 659 /*
 660 **  TLS_UNR -- macro to return whether a file should be unreadable
 661 **
 662 **      Parameters:
 663 **              bit -- flag to test
 664 **              req -- flags
 665 **
 666 **      Returns:
 667 **              0/SFF_NORFILES
 668 */
 669
 670 # define TLS_UNR(bit, req)      (bitset(bit, req) ? SFF_NORFILES : 0)
 671 # define TLS_OUNR(bit, req)     (bitset(bit, req) ? SFF_NOWRFILES : 0)
 672 # define TLS_KEYSFF(req)        \
 673         (bitnset(DBS_GROUPREADABLEKEYFILE, DontBlameSendmail) ? \
 674                 TLS_OUNR(TLS_I_KEY_OUNR, req) :                 \
 675                 TLS_UNR(TLS_I_KEY_UNR, req))
 676
 677 /*
 678 **  TLS_SAFE_F -- macro to simplify calls to tls_safe_f
 679 **
 680 **      Parameters:
 681 **              var -- filename
 682 **              sff -- flags for safefile()
 683 **              req -- is the file required?
 684 **              ex -- does the file exist?
 685 **              st -- status bit to set if ok
 686 **              srv -- server side?
 687 **
 688 **      Side Effects:
 689 **              uses r, ok, ex; may change ok and status.
 690 **
 691 */
 692
 693 # define TLS_SAFE_F(var, sff, req, ex, st, srv) if (ex && ok) \
 694         { \
 695                 r = tls_safe_f(var, sff, srv); \
 696                 if (r) \
 697                         status |= st;   \
 698                 else if (req) \
 699                         ok = false;     \
 700         }
 701
 702 /*
 703 **  LOAD_CERTKEY -- load cert/key for TLS session
 704 **
 705 **      Parameters:
 706 **              ssl -- TLS session context
 707 **              srv -- server side?
 708 **              certfile -- filename of certificate
 709 **              keyfile -- filename of private key
 710 **
 711 **      Returns:
 712 **              succeeded?
 713 */
 714
 715 bool
 716 load_certkey(ssl, srv, certfile, keyfile)
 717         SSL *ssl;
 718         bool srv;
 719         char *certfile;
 720         char *keyfile;
 721 {
 722         bool ok;
 723         int r;
 724         long sff, status;
 725         unsigned long req;
 726         char *who;
 727
 728         ok = true;
 729         who = srv ? "server" : "client";
 730         status = TLS_S_NONE;
 731         req = TLS_I_CERT_EX|TLS_I_KEY_EX;
 732         TLS_OK_F(certfile, "CertFile", bitset(TLS_I_CERT_EX, req),
 733                  TLS_S_CERT_EX, srv ? TLS_T_SRV : TLS_T_CLT);
 734         TLS_OK_F(keyfile, "KeyFile", bitset(TLS_I_KEY_EX, req),
 735                  TLS_S_KEY_EX, srv ? TLS_T_SRV : TLS_T_CLT);
 736
 737         /* certfile etc. must be "safe". */
 738         sff = SFF_REGONLY | SFF_SAFEDIRPATH | SFF_NOWLINK
 739              | SFF_NOGWFILES | SFF_NOWWFILES
 740              | SFF_ROOTOK | SFF_OPENASROOT;
 741         if (!bitnset(DBS_CERTOWNER, DontBlameSendmail))
 742                 sff |= SFF_MUSTOWN;
 743         if (DontLockReadFiles)
 744                 sff |= SFF_NOLOCK;
 745
 746         TLS_SAFE_F(certfile, sff | TLS_UNR(TLS_I_CERT_UNR, req),
 747                    bitset(TLS_I_CERT_EX, req),
 748                    bitset(TLS_S_CERT_EX, status), TLS_S_CERT_OK, srv);
 749         TLS_SAFE_F(keyfile, sff | TLS_KEYSFF(req),
 750                    bitset(TLS_I_KEY_EX, req),
 751                    bitset(TLS_S_KEY_EX, status), TLS_S_KEY_OK, srv);
 752
 753 # define SSL_use_cert(ssl, certfile) \
 754         SSL_use_certificate_file(ssl, certfile, SSL_FILETYPE_PEM)
 755 # define SSL_USE_CERT "SSL_use_certificate_file"
 756
 757         if (bitset(TLS_S_CERT_OK, status) &&
 758             SSL_use_cert(ssl, certfile) <= 0)
 759         {
 760                 if (LogLevel > 7)
 761                 {
 762                         sm_syslog(LOG_WARNING, NOQID,
 763                                   "STARTTLS=%s, error: %s(%s) failed",
 764                                   who, SSL_USE_CERT, certfile);
 765                         tlslogerr(LOG_WARNING, 9, who);
 766                 }
 767                 if (bitset(TLS_I_USE_CERT, req))
 768                         return false;
 769         }
 770         if (bitset(TLS_S_KEY_OK, status) &&
 771             SSL_use_PrivateKey_file(ssl, keyfile, SSL_FILETYPE_PEM) <= 0)
 772         {
 773                 if (LogLevel > 7)
 774                 {
 775                         sm_syslog(LOG_WARNING, NOQID,
 776                                   "STARTTLS=%s, error: SSL_use_PrivateKey_file(%s) failed",
 777                                   who, keyfile);
 778                         tlslogerr(LOG_WARNING, 9, who);
 779                 }
 780                 if (bitset(TLS_I_USE_KEY, req))
 781                         return false;
 782         }
 783
 784         /* check the private key */
 785         if (bitset(TLS_S_KEY_OK, status) &&
 786             (r = SSL_check_private_key(ssl)) <= 0)
 787         {
 788                 /* Private key does not match the certificate public key */
 789                 if (LogLevel > 5)
 790                 {
 791                         sm_syslog(LOG_WARNING, NOQID,
 792                                   "STARTTLS=%s, error: SSL_check_private_key failed(%s): %d",
 793                                   who, keyfile, r);
 794                         tlslogerr(LOG_WARNING, 9, who);
 795                 }
 796                 if (bitset(TLS_I_USE_KEY, req))
 797                         return false;
 798         }
 799
 800         return true;
 801 }
 802
 803 /*
 804 **  LOAD_CRLFILE -- load a file holding a CRL into the TLS context
 805 **
 806 **      Parameters:
 807 **              ctx -- TLS context
 808 **              srv -- server side?
 809 **              filename -- filename of CRL
 810 **
 811 **      Returns:
 812 **              succeeded?
 813 */
 814
 815 static bool load_crlfile __P((SSL_CTX *, bool, char *));
 816
 817 static bool
 818 load_crlfile(ctx, srv, filename)
 819         SSL_CTX *ctx;
 820         bool srv;
 821         char *filename;
 822 {
 823         char *who;
 824         BIO *crl_file;
 825         X509_CRL *crl;
 826         X509_STORE *store;
 827
 828         who = srv ? "server" : "client";
 829         crl_file = BIO_new(BIO_s_file());
 830         if (crl_file == NULL)
 831         {
 832                 if (LogLevel > 9)
 833                         sm_syslog(LOG_WARNING, NOQID,
 834                                   "STARTTLS=%s, error: BIO_new=failed", who);
 835                 return false;
 836         }
 837
 838         if (BIO_read_filename(crl_file, filename) < 0)
 839         {
 840                 if (LogLevel > 9)
 841                         sm_syslog(LOG_WARNING, NOQID,
 842                                   "STARTTLS=%s, error: BIO_read_filename(%s)=failed",
 843                                   who, filename);
 844
 845                 /* avoid memory leaks */
 846                 BIO_free(crl_file);
 847                 return false;
 848         }
 849
 850         crl = PEM_read_bio_X509_CRL(crl_file, NULL, NULL, NULL);
 851         if (crl == NULL)
 852         {
 853                 if (LogLevel > 9)
 854                         sm_syslog(LOG_WARNING, NOQID,
 855                                   "STARTTLS=%s, error: PEM_read_bio_X509_CRL(%s)=failed",
 856                                   who, filename);
 857                 BIO_free(crl_file);
 858                 return true;    /* XXX should probably be 'false' */
 859         }
 860
 861         BIO_free(crl_file);
 862
 863         /* get a pointer to the current certificate validation store */
 864         store = SSL_CTX_get_cert_store(ctx);    /* does not fail */
 865
 866         if (X509_STORE_add_crl(store, crl) == 0)
 867         {
 868                 if (LogLevel > 9)
 869                         sm_syslog(LOG_WARNING, NOQID,
 870                                   "STARTTLS=%s, error: X509_STORE_add_crl=failed",
 871                                   who);
 872                 X509_CRL_free(crl);
 873                 return false;
 874         }
 875
 876         X509_CRL_free(crl);
 877
 878         X509_STORE_set_flags(store,
 879                 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
 880         X509_STORE_set_verify_cb_func(store, x509_verify_cb);
 881
 882         return true;
 883 }
 884
 885 /*
 886 **  LOAD_CRLPATH -- configure the TLS context to lookup CRLs in a directory
 887 **
 888 **      Parameters:
 889 **              ctx -- TLS context
 890 **              srv -- server side?
 891 **              path -- path of hashed directory of CRLs
 892 **
 893 **      Returns:
 894 **              succeeded?
 895 */
 896
 897 static bool load_crlpath __P((SSL_CTX *, bool, char *));
 898
 899 static bool
 900 load_crlpath(ctx, srv, path)
 901         SSL_CTX *ctx;
 902         bool srv;
 903         char *path;
 904 {
 905         char *who;
 906         X509_STORE *store;
 907         X509_LOOKUP *lookup;
 908
 909         who = srv ? "server" : "client";
 910
 911         /* get a pointer to the current certificate validation store */
 912         store = SSL_CTX_get_cert_store(ctx);    /* does not fail */
 913
 914         lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
 915         if (lookup == NULL)
 916         {
 917                 if (LogLevel > 9)
 918                         sm_syslog(LOG_WARNING, NOQID,
 919                                   "STARTTLS=%s, error: X509_STORE_add_lookup(hash)=failed",
 920                                   who);
 921                 return false;
 922         }
 923
 924         if (X509_LOOKUP_add_dir(lookup, path, X509_FILETYPE_PEM) == 0)
 925         {
 926                 if (LogLevel > 9)
 927                         sm_syslog(LOG_WARNING, NOQID,
 928                                   "STARTTLS=%s, error: X509_LOOKUP_add_dir(%s)=failed",
 929                                   who, path);
 930                 return false;
 931         }
 932
 933         X509_STORE_set_flags(store,
 934                 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
 935         X509_STORE_set_verify_cb_func(store, x509_verify_cb);
 936
 937         return true;
 938 }
 939
 940 /*
 941 **  INITTLS -- initialize TLS
 942 **
 943 **      Parameters:
 944 **              ctx -- pointer to context
 945 **              req -- requirements for initialization (see sendmail.h)
 946 **              options -- options
 947 **              srv -- server side?
 948 **              certfile -- filename of certificate
 949 **              keyfile -- filename of private key
 950 **              cacertpath -- path to CAs
 951 **              cacertfile -- file with CA(s)
 952 **              dhparam -- parameters for DH
 953 **
 954 **      Returns:
 955 **              succeeded?
 956 */
 957
 958 /*
 959 **  The session_id_context identifies the service that created a session.
 960 **  This information is used to distinguish between multiple TLS-based
 961 **  servers running on the same server. We use the name of the mail system.
 962 **  Note: the session cache is not persistent.
 963 */
 964
 965 static char server_session_id_context[] = "sendmail8";
 966
 967 /* 0.9.8a and b have a problem with SSL_OP_TLS_BLOCK_PADDING_BUG */
 968 # if (OPENSSL_VERSION_NUMBER >= 0x0090800fL)
 969 #  define SM_SSL_OP_TLS_BLOCK_PADDING_BUG       1
 970 # else
 971 #  define SM_SSL_OP_TLS_BLOCK_PADDING_BUG       0
 972 # endif
 973
 974 bool
 975 inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhparam)
 976         SSL_CTX **ctx;
 977         unsigned long req;
 978         unsigned long options;
 979         bool srv;
 980         char *certfile, *keyfile, *cacertpath, *cacertfile, *dhparam;
 981 {
 982 # if !NO_DH
 983         static DH *dh = NULL;
 984 # endif
 985         int r;
 986         bool ok;
 987         long sff, status;
 988         char *who;
 989         char *cf2, *kf2;
 990 # if SM_CONF_SHM && !TLS_NO_RSA && MTA_RSA_TMP_CB
 991         extern int ShmId;
 992 # endif
 993 # if SM_SSL_OP_TLS_BLOCK_PADDING_BUG
 994         long rt_version;
 995         STACK_OF(SSL_COMP) *comp_methods;
 996 # endif
 997
 998         status = TLS_S_NONE;
 999         who = srv ? "server" : "client";
1000         if (ctx == NULL)
1001         {
1002                 syserr("STARTTLS=%s, inittls: ctx == NULL", who);
1003                 /* NOTREACHED */
1004                 SM_ASSERT(ctx != NULL);
1005         }
1006
1007         /* already initialized? (we could re-init...) */
1008         if (*ctx != NULL)
1009                 return true;
1010         ok = true;
1011
1012         /*
1013         **  look for a second filename: it must be separated by a ','
1014         **  no blanks allowed (they won't be skipped).
1015         **  we change a global variable here! this change will be undone
1016         **  before return from the function but only if it returns true.
1017         **  this isn't a problem since in a failure case this function
1018         **  won't be called again with the same (overwritten) values.
1019         **  otherwise each return must be replaced with a goto endinittls.
1020         */
1021
1022         cf2 = NULL;
1023         kf2 = NULL;
1024         if (certfile != NULL && (cf2 = strchr(certfile, ',')) != NULL)
1025         {
1026                 *cf2++ = '\0';
1027                 if (keyfile != NULL && (kf2 = strchr(keyfile, ',')) != NULL)
1028                         *kf2++ = '\0';
1029         }
1030
1031         /*
1032         **  Check whether files/paths are defined
1033         */
1034
1035         TLS_OK_F(certfile, "CertFile", bitset(TLS_I_CERT_EX, req),
1036                  TLS_S_CERT_EX, srv ? TLS_T_SRV : TLS_T_CLT);
1037         TLS_OK_F(keyfile, "KeyFile", bitset(TLS_I_KEY_EX, req),
1038                  TLS_S_KEY_EX, srv ? TLS_T_SRV : TLS_T_CLT);
1039         TLS_OK_F(cacertpath, "CACertPath", bitset(TLS_I_CERTP_EX, req),
1040                  TLS_S_CERTP_EX, TLS_T_OTHER);
1041         TLS_OK_F(cacertfile, "CACertFile", bitset(TLS_I_CERTF_EX, req),
1042                  TLS_S_CERTF_EX, TLS_T_OTHER);
1043
1044         TLS_OK_F(CRLFile, "CRLFile", bitset(TLS_I_CRLF_EX, req),
1045                  TLS_S_CRLF_EX, TLS_T_OTHER);
1046
1047         /*
1048         **  if the second file is specified it must exist
1049         **  XXX: it is possible here to define only one of those files
1050         */
1051
1052         if (cf2 != NULL)
1053         {
1054                 TLS_OK_F(cf2, "CertFile", bitset(TLS_I_CERT_EX, req),
1055                          TLS_S_CERT2_EX, srv ? TLS_T_SRV : TLS_T_CLT);
1056         }
1057         if (kf2 != NULL)
1058         {
1059                 TLS_OK_F(kf2, "KeyFile", bitset(TLS_I_KEY_EX, req),
1060                          TLS_S_KEY2_EX, srv ? TLS_T_SRV : TLS_T_CLT);
1061         }
1062
1063         /*
1064         **  valid values for dhparam are (only the first char is checked)
1065         **  none        no parameters: don't use DH
1066         **  i           use precomputed 2048 bit parameters
1067         **  512         use precomputed 512 bit parameters
1068         **  1024        generate 1024 bit parameters
1069         **  2048        generate 2048 bit parameters
1070         **  /file/name  read parameters from /file/name
1071         */
1072
1073 # if MTA_DH_AUTO
1074 #  define SET_DH_DFL    \
1075         do {    \
1076                 dhparam = "a";  \
1077                 req |= TLS_I_DHAUTO;    \
1078         } while (0)
1079 # else
1080 #  define SET_DH_DFL    \
1081         do {    \
1082                 dhparam = "I";  \
1083                 req |= TLS_I_DHFIXED;   \
1084         } while (0)
1085 # endif
1086
1087         if (bitset(TLS_I_TRY_DH, req))
1088         {
1089                 if (dhparam != NULL)
1090                 {
1091                         char c = *dhparam;
1092
1093 # if MTA_DH_AUTO
1094                         if (c == 'a')
1095                                 req |= TLS_I_DHAUTO;
1096                         else
1097 # endif
1098                         if (c == '1')
1099                                 req |= TLS_I_DH1024;
1100                         else if (c == 'I' || c == 'i')
1101                                 req |= TLS_I_DHFIXED;
1102                         else if (c == '2')
1103                                 req |= TLS_I_DH2048;
1104                         else if (c == '5')
1105                                 req |= TLS_I_DH512;
1106                         else if (c == 'n' || c == 'N')
1107                                 req &= ~TLS_I_TRY_DH;
1108                         else if (c != '/')
1109                         {
1110                                 if (LogLevel > 12)
1111                                         sm_syslog(LOG_WARNING, NOQID,
1112                                                   "STARTTLS=%s, error: illegal value '%s' for DHParameters",
1113                                                   who, dhparam);
1114                                 dhparam = NULL;
1115                         }
1116                 }
1117                 if (dhparam == NULL)
1118                         SET_DH_DFL;
1119                 else if (*dhparam == '/')
1120                 {
1121                         TLS_OK_F(dhparam, "DHParameters",
1122                                  bitset(TLS_I_DHPAR_EX, req),
1123                                  TLS_S_DHPAR_EX, TLS_T_OTHER);
1124                 }
1125         }
1126         if (!ok)
1127                 return ok;
1128
1129         /* certfile etc. must be "safe". */
1130         sff = SFF_REGONLY | SFF_SAFEDIRPATH | SFF_NOWLINK
1131              | SFF_NOGWFILES | SFF_NOWWFILES
1132              | SFF_ROOTOK | SFF_OPENASROOT;
1133         if (!bitnset(DBS_CERTOWNER, DontBlameSendmail))
1134                 sff |= SFF_MUSTOWN;
1135         if (DontLockReadFiles)
1136                 sff |= SFF_NOLOCK;
1137
1138         TLS_SAFE_F(certfile, sff | TLS_UNR(TLS_I_CERT_UNR, req),
1139                    bitset(TLS_I_CERT_EX, req),
1140                    bitset(TLS_S_CERT_EX, status), TLS_S_CERT_OK, srv);
1141         TLS_SAFE_F(keyfile, sff | TLS_KEYSFF(req),
1142                    bitset(TLS_I_KEY_EX, req),
1143                    bitset(TLS_S_KEY_EX, status), TLS_S_KEY_OK, srv);
1144         TLS_SAFE_F(cacertfile, sff | TLS_UNR(TLS_I_CERTF_UNR, req),
1145                    bitset(TLS_I_CERTF_EX, req),
1146                    bitset(TLS_S_CERTF_EX, status), TLS_S_CERTF_OK, srv);
1147         if (dhparam != NULL && *dhparam == '/')
1148         {
1149                 TLS_SAFE_F(dhparam, sff | TLS_UNR(TLS_I_DHPAR_UNR, req),
1150                            bitset(TLS_I_DHPAR_EX, req),
1151                            bitset(TLS_S_DHPAR_EX, status), TLS_S_DHPAR_OK, srv);
1152                 if (!bitset(TLS_S_DHPAR_OK, status))
1153                         SET_DH_DFL;
1154         }
1155         TLS_SAFE_F(CRLFile, sff | TLS_UNR(TLS_I_CRLF_UNR, req),
1156                    bitset(TLS_I_CRLF_EX, req),
1157                    bitset(TLS_S_CRLF_EX, status), TLS_S_CRLF_OK, srv);
1158         if (!ok)
1159                 return ok;
1160         if (cf2 != NULL)
1161         {
1162                 TLS_SAFE_F(cf2, sff | TLS_UNR(TLS_I_CERT_UNR, req),
1163                            bitset(TLS_I_CERT_EX, req),
1164                            bitset(TLS_S_CERT2_EX, status), TLS_S_CERT2_OK, srv);
1165         }
1166         if (kf2 != NULL)
1167         {
1168                 TLS_SAFE_F(kf2, sff | TLS_KEYSFF(req),
1169                            bitset(TLS_I_KEY_EX, req),
1170                            bitset(TLS_S_KEY2_EX, status), TLS_S_KEY2_OK, srv);
1171         }
1172
1173         /* create a method and a new context */
1174         if ((*ctx = SSL_CTX_new(srv ? SSLv23_server_method() :
1175                                       SSLv23_client_method())) == NULL)
1176         {
1177                 if (LogLevel > 7)
1178                         sm_syslog(LOG_WARNING, NOQID,
1179                                   "STARTTLS=%s, error: SSL_CTX_new(SSLv23_%s_method()) failed",
1180                                   who, who);
1181                 tlslogerr(LOG_WARNING, 9, who);
1182                 return false;
1183         }
1184
1185 # if _FFR_VRFY_TRUSTED_FIRST
1186         if (!tTd(88, 101))
1187         {
1188                 X509_STORE *store;
1189
1190                 /* get a pointer to the current certificate validation store */
1191                 store = SSL_CTX_get_cert_store(*ctx);   /* does not fail */
1192                 SM_ASSERT(store != NULL);
1193                 X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST);
1194         }
1195 # endif
1196
1197         if (CRLFile != NULL && !load_crlfile(*ctx, srv, CRLFile))
1198                 return false;
1199         if (CRLPath != NULL && !load_crlpath(*ctx, srv, CRLPath))
1200                 return false;
1201
1202 # if defined(SSL_MODE_AUTO_RETRY) && OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < 0x20000000L
1203         /*
1204          *  Turn off blocking I/O handling in OpenSSL: someone turned
1205          *  this on by default in 1.1? should we check first?
1206          */
1207 #  if _FFR_TESTS
1208         if (LogLevel > 9) {
1209                 sff = SSL_CTX_get_mode(*ctx);
1210                 if (sff & SSL_MODE_AUTO_RETRY)
1211                         sm_syslog(LOG_WARNING, NOQID,
1212                                 "STARTTLS=%s, SSL_MODE_AUTO_RETRY=set, mode=%#lx",
1213                                 who, sff);
1214         }
1215
1216         /* hack for testing! */
1217         if (tTd(96, 101) || getenv("SSL_MODE_AUTO_RETRY") != NULL)
1218                 SSL_CTX_set_mode(*ctx, SSL_MODE_AUTO_RETRY);
1219         else
1220 #  endif /* _FFR_TESTS */
1221         /* "else" in #if code above */
1222         SSL_CTX_clear_mode(*ctx, SSL_MODE_AUTO_RETRY);
1223 # endif /* defined(SSL_MODE_AUTO_RETRY) && OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < 0x20000000L */
1224
1225 # if TLS_NO_RSA
1226         /* turn off backward compatibility, required for no-rsa */
1227         SSL_CTX_set_options(*ctx, SSL_OP_NO_SSLv2);
1228 # endif
1229
1230 # if !TLS_NO_RSA && MTA_RSA_TMP_CB
1231         /*
1232         **  Create a temporary RSA key
1233         **  XXX  Maybe we shouldn't create this always (even though it
1234         **  is only at startup).
1235         **  It is a time-consuming operation and it is not always necessary.
1236         **  maybe we should do it only on demand...
1237         */
1238
1239         if (bitset(TLS_I_RSA_TMP, req)
1240 #  if SM_CONF_SHM
1241             && ShmId != SM_SHM_NO_ID &&
1242             (rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL,
1243                                         NULL)) == NULL
1244 #  else /* SM_CONF_SHM */
1245             && 0        /* no shared memory: no need to generate key now */
1246 #  endif /* SM_CONF_SHM */
1247            )
1248         {
1249                 if (LogLevel > 7)
1250                 {
1251                         sm_syslog(LOG_WARNING, NOQID,
1252                                   "STARTTLS=%s, error: RSA_generate_key failed",
1253                                   who);
1254                         tlslogerr(LOG_WARNING, 9, who);
1255                 }
1256                 return false;
1257         }
1258 # endif /* !TLS_NO_RSA && MTA_RSA_TMP_CB */
1259
1260         /*
1261         **  load private key
1262         **  XXX change this for DSA-only version
1263         */
1264
1265         if (bitset(TLS_S_KEY_OK, status) &&
1266             SSL_CTX_use_PrivateKey_file(*ctx, keyfile,
1267                                          SSL_FILETYPE_PEM) <= 0)
1268         {
1269                 if (LogLevel > 7)
1270                 {
1271                         sm_syslog(LOG_WARNING, NOQID,
1272                                   "STARTTLS=%s, error: SSL_CTX_use_PrivateKey_file(%s) failed",
1273                                   who, keyfile);
1274                         tlslogerr(LOG_WARNING, 9, who);
1275                 }
1276                 if (bitset(TLS_I_USE_KEY, req))
1277                         return false;
1278         }
1279
1280 # if _FFR_TLS_USE_CERTIFICATE_CHAIN_FILE
1281 #  define SSL_CTX_use_cert(ssl_ctx, certfile) \
1282         SSL_CTX_use_certificate_chain_file(ssl_ctx, certfile)
1283 #  define SSL_CTX_USE_CERT "SSL_CTX_use_certificate_chain_file"
1284 # else
1285 #  define SSL_CTX_use_cert(ssl_ctx, certfile) \
1286         SSL_CTX_use_certificate_file(ssl_ctx, certfile, SSL_FILETYPE_PEM)
1287 #  define SSL_CTX_USE_CERT "SSL_CTX_use_certificate_file"
1288 # endif
1289
1290         /* get the certificate file */
1291         if (bitset(TLS_S_CERT_OK, status) &&
1292             SSL_CTX_use_cert(*ctx, certfile) <= 0)
1293         {
1294                 if (LogLevel > 7)
1295                 {
1296                         sm_syslog(LOG_WARNING, NOQID,
1297                                   "STARTTLS=%s, error: %s(%s) failed",
1298                                   who, SSL_CTX_USE_CERT, certfile);
1299                         tlslogerr(LOG_WARNING, 9, who);
1300                 }
1301                 if (bitset(TLS_I_USE_CERT, req))
1302                         return false;
1303         }
1304
1305         /* check the private key */
1306         if (bitset(TLS_S_KEY_OK, status) &&
1307             (r = SSL_CTX_check_private_key(*ctx)) <= 0)
1308         {
1309                 /* Private key does not match the certificate public key */
1310                 if (LogLevel > 5)
1311                 {
1312                         sm_syslog(LOG_WARNING, NOQID,
1313                                   "STARTTLS=%s, error: SSL_CTX_check_private_key failed(%s): %d",
1314                                   who, keyfile, r);
1315                         tlslogerr(LOG_WARNING, 9, who);
1316                 }
1317                 if (bitset(TLS_I_USE_KEY, req))
1318                         return false;
1319         }
1320
1321         /* XXX this code is pretty much duplicated from above! */
1322
1323         /* load private key */
1324         if (bitset(TLS_S_KEY2_OK, status) &&
1325             SSL_CTX_use_PrivateKey_file(*ctx, kf2, SSL_FILETYPE_PEM) <= 0)
1326         {
1327                 if (LogLevel > 7)
1328                 {
1329                         sm_syslog(LOG_WARNING, NOQID,
1330                                   "STARTTLS=%s, error: SSL_CTX_use_PrivateKey_file(%s) failed",
1331                                   who, kf2);
1332                         tlslogerr(LOG_WARNING, 9, who);
1333                 }
1334         }
1335
1336         /* get the certificate file */
1337         if (bitset(TLS_S_CERT2_OK, status) &&
1338             SSL_CTX_use_cert(*ctx, cf2) <= 0)
1339         {
1340                 if (LogLevel > 7)
1341                 {
1342                         sm_syslog(LOG_WARNING, NOQID,
1343                                   "STARTTLS=%s, error: %s(%s) failed",
1344                                   who, SSL_CTX_USE_CERT, cf2);
1345                         tlslogerr(LOG_WARNING, 9, who);
1346                 }
1347         }
1348
1349         /* also check the private key */
1350         if (bitset(TLS_S_KEY2_OK, status) &&
1351             (r = SSL_CTX_check_private_key(*ctx)) <= 0)
1352         {
1353                 /* Private key does not match the certificate public key */
1354                 if (LogLevel > 5)
1355                 {
1356                         sm_syslog(LOG_WARNING, NOQID,
1357                                   "STARTTLS=%s, error: SSL_CTX_check_private_key 2 failed: %d",
1358                                   who, r);
1359                         tlslogerr(LOG_WARNING, 9, who);
1360                 }
1361         }
1362
1363         /* SSL_CTX_set_quiet_shutdown(*ctx, 1); violation of standard? */
1364
1365 # if SM_SSL_OP_TLS_BLOCK_PADDING_BUG
1366
1367         /*
1368         **  In OpenSSL 0.9.8[ab], enabling zlib compression breaks the
1369         **  padding bug work-around, leading to false positives and
1370         **  failed connections. We may not interoperate with systems
1371         **  with the bug, but this is better than breaking on all 0.9.8[ab]
1372         **  systems that have zlib support enabled.
1373         **  Note: this checks the runtime version of the library, not
1374         **  just the compile time version.
1375         */
1376
1377         rt_version = TLS_version_num();
1378         if (rt_version >= 0x00908000L && rt_version <= 0x0090802fL)
1379         {
1380                 comp_methods = SSL_COMP_get_compression_methods();
1381                 if (comp_methods != NULL && sk_SSL_COMP_num(comp_methods) > 0)
1382                         options &= ~SSL_OP_TLS_BLOCK_PADDING_BUG;
1383         }
1384 # endif
1385         SSL_CTX_set_options(*ctx, (long) options);
1386
1387 # if !NO_DH
1388         /* Diffie-Hellman initialization */
1389         if (bitset(TLS_I_TRY_DH, req))
1390         {
1391 #  if TLS_EC == 1
1392                 EC_KEY *ecdh;
1393 #  endif
1394
1395                 if (tTd(96, 81))
1396                         sm_dprintf("inittls: where=try_dh, req=%#lx, status=%#lx\n",
1397                                 req, status);
1398                 if (bitset(TLS_S_DHPAR_OK, status))
1399                 {
1400                         BIO *bio;
1401
1402                         if ((bio = BIO_new_file(dhparam, "r")) != NULL)
1403                         {
1404                                 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
1405                                 BIO_free(bio);
1406                                 if (dh == NULL && LogLevel > 7)
1407                                 {
1408                                         unsigned long err;
1409
1410                                         err = ERR_get_error();
1411                                         sm_syslog(LOG_WARNING, NOQID,
1412                                                   "STARTTLS=%s, error: cannot read DH parameters(%s): %s",
1413                                                   who, dhparam,
1414                                                   ERR_error_string(err, NULL));
1415                                         tlslogerr(LOG_WARNING, 9, who);
1416                                         SET_DH_DFL;
1417                                 }
1418                         }
1419                         else
1420                         {
1421                                 if (LogLevel > 5)
1422                                 {
1423                                         sm_syslog(LOG_WARNING, NOQID,
1424                                                   "STARTTLS=%s, error: BIO_new_file(%s) failed",
1425                                                   who, dhparam);
1426                                         tlslogerr(LOG_WARNING, 9, who);
1427                                 }
1428                         }
1429                 }
1430 # if MTA_DH_AUTO
1431                 if (dh == NULL && bitset(TLS_I_DHAUTO, req))
1432                         SSL_CTX_set_dh_auto(*ctx, 1);
1433                 else
1434 # endif
1435                 if (dh == NULL && bitset(TLS_I_DH1024|TLS_I_DH2048, req))
1436                 {
1437                         int bits;
1438                         DSA *dsa;
1439
1440                         bits = bitset(TLS_I_DH2048, req) ? 2048 : 1024;
1441                         if (tTd(96, 2))
1442                                 sm_dprintf("inittls: Generating %d bit DH parameters\n", bits);
1443
1444 #  if MTA_HAVE_DSA_GENERATE_EX
1445                         dsa = DSA_new();
1446                         if (dsa != NULL)
1447                         {
1448                                 r = DSA_generate_parameters_ex(dsa, bits, NULL,
1449                                                         0, NULL, NULL, NULL);
1450                                 if (r != 0)
1451                                         dh = DSA_dup_DH(dsa);
1452                         }
1453 #  else
1454                         /* this takes a while! */
1455                         dsa = DSA_generate_parameters(bits, NULL, 0, NULL,
1456                                                       NULL, 0, NULL);
1457                         dh = DSA_dup_DH(dsa);
1458 #  endif
1459                         DSA_free(dsa);
1460                 }
1461                 else if (dh == NULL && bitset(TLS_I_DHFIXED, req))
1462                 {
1463                         if (tTd(96, 2))
1464                                 sm_dprintf("inittls: Using precomputed 2048 bit DH parameters\n");
1465                         dh = get_dh2048();
1466                 }
1467                 else if (dh == NULL && bitset(TLS_I_DH512, req))
1468                 {
1469                         if (tTd(96, 2))
1470                                 sm_dprintf("inittls: Using precomputed 512 bit DH parameters\n");
1471                         dh = get_dh512();
1472                 }
1473                 if (dh == NULL && !bitset(TLS_I_DHAUTO, req))
1474                 {
1475                         if (LogLevel > 9)
1476                         {
1477                                 unsigned long err;
1478
1479                                 err = ERR_get_error();
1480                                 sm_syslog(LOG_WARNING, NOQID,
1481                                           "STARTTLS=%s, error: cannot read or set DH parameters(%s): %s",
1482                                           who, dhparam,
1483                                           ERR_error_string(err, NULL));
1484                         }
1485                         if (bitset(TLS_I_REQ_DH, req))
1486                                 return false;
1487                 }
1488                 else if (dh != NULL)
1489                 {
1490                         /* important to avoid small subgroup attacks */
1491                         SSL_CTX_set_options(*ctx, SSL_OP_SINGLE_DH_USE);
1492
1493                         SSL_CTX_set_tmp_dh(*ctx, dh);
1494                         if (LogLevel > 13)
1495                                 sm_syslog(LOG_INFO, NOQID,
1496                                           "STARTTLS=%s, Diffie-Hellman init, key=%d bit (%c)",
1497                                           who, 8 * DH_size(dh), *dhparam);
1498                         DH_free(dh);
1499                 }
1500
1501 #  if TLS_EC == 2
1502                 SSL_CTX_set_options(*ctx, SSL_OP_SINGLE_ECDH_USE);
1503                 SSL_CTX_set_ecdh_auto(*ctx, 1);
1504 #  elif TLS_EC == 1
1505                 ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
1506                 if (ecdh != NULL)
1507                 {
1508                         SSL_CTX_set_options(*ctx, SSL_OP_SINGLE_ECDH_USE);
1509                         SSL_CTX_set_tmp_ecdh(*ctx, ecdh);
1510                         EC_KEY_free(ecdh);
1511                 }
1512                 else if (LogLevel > 9)
1513                 {
1514                         sm_syslog(LOG_WARNING, NOQID,
1515                                   "STARTTLS=%s, EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)=failed, error=%s",
1516                                   who, ERR_error_string(ERR_get_error(), NULL));
1517                 }
1518 #  endif /* TLS_EC */
1519
1520         }
1521 # endif /* !NO_DH */
1522
1523         /* XXX do we need this cache here? */
1524         if (bitset(TLS_I_CACHE, req))
1525         {
1526                 SSL_CTX_sess_set_cache_size(*ctx, 1);
1527                 SSL_CTX_set_timeout(*ctx, 1);
1528                 SSL_CTX_set_session_id_context(*ctx,
1529                         (void *) &server_session_id_context,
1530                         sizeof(server_session_id_context));
1531                 (void) SSL_CTX_set_session_cache_mode(*ctx,
1532                                 SSL_SESS_CACHE_SERVER);
1533         }
1534         else
1535         {
1536                 (void) SSL_CTX_set_session_cache_mode(*ctx,
1537                                 SSL_SESS_CACHE_OFF);
1538         }
1539
1540         /* load certificate locations and default CA paths */
1541         if (bitset(TLS_S_CERTP_EX, status) && bitset(TLS_S_CERTF_EX, status))
1542         {
1543                 if ((r = SSL_CTX_load_verify_locations(*ctx, cacertfile,
1544                                                        cacertpath)) == 1)
1545                 {
1546 # if !TLS_NO_RSA && MTA_RSA_TMP_CB
1547                         if (bitset(TLS_I_RSA_TMP, req))
1548                                 SSL_CTX_set_tmp_rsa_callback(*ctx, tmp_rsa_key);
1549 # endif
1550
1551                         if (srv)
1552                         {
1553                                 SSL_CTX_set_client_CA_list(*ctx,
1554                                         SSL_load_client_CA_file(cacertfile));
1555                         }
1556                 }
1557                 else
1558                 {
1559                         /*
1560                         **  can't load CA data; do we care?
1561                         **  the data is necessary to authenticate the client,
1562                         **  which in turn would be necessary
1563                         **  if we want to allow relaying based on it.
1564                         */
1565
1566                         if (LogLevel > 5)
1567                         {
1568                                 sm_syslog(LOG_WARNING, NOQID,
1569                                           "STARTTLS=%s, error: load verify locs %s, %s failed: %d",
1570                                           who, cacertpath, cacertfile, r);
1571                                 tlslogerr(LOG_WARNING,
1572                                         bitset(TLS_I_VRFY_LOC, req) ? 8 : 9,
1573                                         who);
1574                         }
1575                         if (bitset(TLS_I_VRFY_LOC, req))
1576                                 return false;
1577                 }
1578         }
1579
1580         /*
1581         **  XXX currently we could call tls_set_verify()
1582         **  but we hope that that function will later on
1583         **  only set the mode per connection.
1584         */
1585
1586         SSL_CTX_set_verify(*ctx,
1587                 bitset(TLS_I_NO_VRFY, req) ? SSL_VERIFY_NONE
1588                                            : SSL_VERIFY_PEER,
1589                 NULL);
1590
1591         /*
1592         **  Always use our callback instead of the builtin version.
1593         **  We have to install our own verify callback:
1594         **  SSL_VERIFY_PEER requests a client cert but even
1595         **  though *FAIL_IF* isn't set, the connection
1596         **  will be aborted if the client presents a cert
1597         **  that is not "liked" (can't be verified?) by
1598         **  the TLS library :-(
1599         */
1600
1601         SSL_CTX_set_cert_verify_callback(*ctx, tls_verify_cb, NULL);
1602
1603         /* XXX: make this dependent on an option? */
1604         if (tTd(96, 9))
1605                 SSL_CTX_set_info_callback(*ctx, apps_ssl_info_cb);
1606
1607         /* install our own cipher list */
1608         if (CipherList != NULL && *CipherList != '\0')
1609         {
1610                 if (SSL_CTX_set_cipher_list(*ctx, CipherList) <= 0)
1611                 {
1612                         if (LogLevel > 7)
1613                         {
1614                                 sm_syslog(LOG_WARNING, NOQID,
1615                                           "STARTTLS=%s, error: SSL_CTX_set_cipher_list(%s) failed, list ignored",
1616                                           who, CipherList);
1617
1618                                 tlslogerr(LOG_WARNING, 9, who);
1619                         }
1620                         /* failure if setting to this list is required? */
1621                 }
1622         }
1623
1624 # if MTA_HAVE_TLSv1_3
1625         /* install our own cipher suites */
1626         if (!SM_IS_EMPTY(CipherSuites))
1627         {
1628                 if (SSL_CTX_set_ciphersuites(*ctx, CipherSuites) <= 0)
1629                 {
1630                         if (LogLevel > 7)
1631                         {
1632                                 sm_syslog(LOG_WARNING, NOQID,
1633                                           "STARTTLS=%s, error: SSL_CTX_set_ciphersuites(%s) failed, suites ignored",
1634                                           who, CipherSuites);
1635
1636                                 tlslogerr(LOG_WARNING, 9, who);
1637                         }
1638                         /* failure if setting to this suites is required? */
1639                 }
1640         }
1641 # endif /* MTA_HAVE_TLSv1_3 */
1642
1643         if (LogLevel > 12)
1644                 sm_syslog(LOG_INFO, NOQID, "STARTTLS=%s, init=%d", who, ok);
1645
1646 # if 0
1647         /*
1648         **  this label is required if we want to have a "clean" exit
1649         **  see the comments above at the initialization of cf2
1650         */
1651
1652     endinittls:
1653 # endif /* 0 */
1654
1655         /* undo damage to global variables */
1656         if (cf2 != NULL)
1657                 *--cf2 = ',';
1658         if (kf2 != NULL)
1659                 *--kf2 = ',';
1660
1661         return ok;
1662 }
1663
1664 /*
1665 **  CERT_FP -- get cert fingerprint
1666 **
1667 **      Parameters:
1668 **              cert -- TLS cert
1669 **              evp_digest -- digest algorithm
1670 **              mac -- macro storage
1671 **              macro -- where to store cert fp
1672 **
1673 **      Returns:
1674 **              <=0: cert fp calculation failed
1675 **              >0: cert fp calculation ok
1676 */
1677
1678 static int
1679 cert_fp(cert, evp_digest, mac, macro)
1680         X509 *cert;
1681         const EVP_MD *evp_digest;
1682         MACROS_T *mac;
1683         char *macro;
1684 {
1685         unsigned int n;
1686         int r;
1687         unsigned char md[EVP_MAX_MD_SIZE];
1688         char md5h[EVP_MAX_MD_SIZE * 3];
1689         static const char hexcodes[] = "0123456789ABCDEF";
1690
1691         n = 0;
1692         if ((r = X509_digest(cert, evp_digest, md, &n)) == 0 || n <= 0)
1693         {
1694                 macdefine(mac, A_TEMP, macid(macro), "");
1695                 return (0 == r) ? 0 : n;
1696         }
1697
1698         SM_ASSERT((n * 3) + 2 < sizeof(md5h));
1699         for (r = 0; r < (int) n; r++)
1700         {
1701                 md5h[r * 3] = hexcodes[(md[r] & 0xf0) >> 4];
1702                 md5h[(r * 3) + 1] = hexcodes[(md[r] & 0x0f)];
1703                 md5h[(r * 3) + 2] = ':';
1704         }
1705         md5h[(n * 3) - 1] = '\0';
1706         macdefine(mac, A_TEMP, macid(macro), md5h);
1707         return 1;
1708 }
1709
1710 /* host for logging */
1711 #define whichhost       host == NULL ? "local" : host
1712
1713 # if _FFR_TLS_ALTNAMES
1714
1715 /*
1716 **  CLEARCLASS -- clear the specified class (called from stabapply)
1717 **
1718 **      Parameters:
1719 **              s -- STAB
1720 **              id -- class id
1721 **
1722 **      Returns:
1723 **              none.
1724 */
1725
1726 static void
1727 clearclass(s, id)
1728         STAB *s;
1729         int id;
1730 {
1731         if (s->s_symtype != ST_CLASS)
1732                 return;
1733         if (bitnset(bitidx(id), s->s_class))
1734                 clrbitn(bitidx(id), s->s_class);
1735 }
1736
1737 /*
1738 **  GETALTNAMES -- set subject_alt_name
1739 **
1740 **      Parameters:
1741 **              cert -- cert
1742 **              srv -- server side?
1743 **              host -- hostname of other side
1744 **
1745 **      Returns:
1746 **              none.
1747 */
1748
1749 static void
1750 getaltnames(cert, srv, host)
1751         X509 *cert;
1752         bool srv;
1753         const char *host;
1754 {
1755         STACK_OF(GENERAL_NAME) *gens;
1756         int i, j, len, r;
1757         const GENERAL_NAME *gn;
1758         char *dnsname, *who;
1759
1760         if (!SetCertAltnames)
1761                 return;
1762         who = srv ? "server" : "client";
1763         gens = X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0);
1764         if (gens == NULL)
1765                 return;
1766
1767         r = sk_GENERAL_NAME_num(gens);
1768         for (i = 0; i < r; i++)
1769         {
1770                 gn = sk_GENERAL_NAME_value(gens, i);
1771                 if (gn == NULL || gn->type != GEN_DNS)
1772                         continue;
1773
1774                 /* Ensure data is IA5 */
1775                 if (ASN1_STRING_type(gn->d.ia5) != V_ASN1_IA5STRING)
1776                 {
1777                         if (LogLevel > 6)
1778                                 sm_syslog(LOG_INFO, NOQID,
1779                                         "STARTTLS=%s, relay=%.100s, field=AltName, status=value contains non IA5",
1780                                         who, whichhost);
1781                         continue;
1782                 }
1783                 dnsname = (char *) MTA_ASN1_STRING_data(gn->d.ia5);
1784                 if (dnsname == NULL)
1785                         continue;
1786                 len = ASN1_STRING_length(gn->d.ia5);
1787
1788                 /*
1789                 **  "remove" trailing NULs (except for one of course),
1790                 **  those can happen and are OK (not a sign of an attack)
1791                 */
1792
1793                 while (len > 0 && '\0' == dnsname[len - 1])
1794                         len--;
1795
1796 #define ISPRINT(c)      (isascii(c) && isprint(c))
1797
1798                 /* just check for printable char for now */
1799                 for (j = 0; j < len && ISPRINT(dnsname[j]); j++)
1800                         ;
1801                 if (dnsname[j] != '\0' || len != j)
1802                         continue;
1803
1804                 setclass(macid("{cert_altnames}"), xtextify(dnsname, "<>\")"));
1805                 if (LogLevel > 14)
1806                         sm_syslog(LOG_DEBUG, NOQID,
1807                                 "STARTTLS=%s, relay=%.100s, AltName=%s",
1808                                 who, whichhost, xtextify(dnsname, "<>\")"));
1809         }
1810 }
1811 # else
1812 #  define getaltnames(cert, srv, host)
1813 # endif /* _FFR_TLS_ALTNAMES */
1814
1815 # if DANE
1816
1817 /*
1818 **  DANE_RES -- get DANE result if possible
1819 **
1820 **      Parameters:
1821 **              ssl -- TLS connection structure
1822 **              dane_vrfy_ctx -- dane verify context
1823 **
1824 **      Returns:
1825 **              SM_SUCCESS: DANE result dane_vrfy_res is valid
1826 **              SM_NOTDONE: DANE checking not enabled
1827 **              <0: some error
1828 */
1829
1830 static int dane_res __P((SSL *, dane_vrfy_ctx_P));
1831
1832 static int
1833 dane_res(ssl, dane_vrfy_ctx)
1834         SSL *ssl;
1835         dane_vrfy_ctx_P dane_vrfy_ctx;
1836 {
1837 #  if HAVE_SSL_CTX_dane_enable
1838         int depth, r;
1839         EVP_PKEY *mspki;
1840         uint8_t usage, selector, mtype;
1841         unsigned const char *rr;
1842         size_t rrlen;
1843 #  endif
1844
1845         if (NULL == dane_vrfy_ctx)
1846         {
1847                 /* can this happen? should it be logged? */
1848                 if (tTd(96, 20))
1849                         sm_dprintf("ERROR: dane_res: dane_vrfy_ctx=NULL\n");
1850                 return SM_NOTDONE;
1851         }
1852         if (tTd(96, 20))
1853                 sm_dprintf("dane_res: dane_vrfy_dane_enabled=%d, chk=%#x, res=%d\n",
1854                         dane_vrfy_ctx->dane_vrfy_dane_enabled,
1855                         dane_vrfy_ctx->dane_vrfy_chk,
1856                         dane_vrfy_ctx->dane_vrfy_res);
1857         if (!VRFY_DANE(dane_vrfy_ctx->dane_vrfy_chk))
1858         {
1859                 dane_vrfy_ctx->dane_vrfy_res = DANE_VRFY_NONE;
1860                 return SM_NOTDONE;
1861         }
1862         if (dane_vrfy_ctx->dane_vrfy_chk & TLSAFLTEMPVRFY)
1863         {
1864                 dane_vrfy_ctx->dane_vrfy_res = DANE_VRFY_TEMP;
1865                 return SM_SUCCESS;
1866         }
1867         if (!dane_vrfy_ctx->dane_vrfy_dane_enabled)
1868         {
1869                 if (DANE_VRFY_NONE == dane_vrfy_ctx->dane_vrfy_res)
1870                         return SM_NOTDONE;
1871                 return SM_SUCCESS;
1872         }
1873
1874 #  if HAVE_SSL_CTX_dane_enable
1875         mspki = NULL;
1876         depth = SSL_get0_dane_authority(ssl, NULL, &mspki);
1877         if (tTd(96, 20))
1878                 sm_dprintf("dane_res: SSL_get0_dane_authority() depth=%d\n", depth);
1879
1880         if (depth < 0)
1881         {
1882                 dane_vrfy_ctx->dane_vrfy_res = DANE_VRFY_FAIL;
1883                 return SM_SUCCESS;
1884         }
1885
1886         dane_vrfy_ctx->dane_vrfy_res = DANE_VRFY_OK;
1887         r = SSL_get0_dane_tlsa(ssl, &usage, &selector, &mtype, &rr, &rrlen);
1888         if (tTd(96, 20))
1889                 sm_dprintf("dane_res: SSL_get0_dane_tlsa=%d, status=%s\n", r,
1890                         (mspki != NULL) ? "TA_public_key_verified_certificate"
1891                         : (depth > 0) ? "matched_TA_certificate"
1892                                 : "matched_EE_certificate");
1893
1894         if (LogLevel > 11)
1895         {
1896                 /* just for logging */
1897                 if (r >= 0 && rr != NULL && rrlen > 0)
1898                 {
1899                         (void) data2hex((unsigned char *)rr, rrlen,
1900                                 (unsigned char *)dane_vrfy_ctx->dane_vrfy_fp,
1901                                 sizeof(dane_vrfy_ctx->dane_vrfy_fp));
1902                 }
1903
1904                 sm_syslog(LOG_DEBUG, NOQID,
1905                         "DANE_depth=%d, DANE_res=%d, SSL_get0_dane_tlsa=%d, fp=%s, status=%s",
1906                         depth, dane_vrfy_ctx->dane_vrfy_res, r,
1907                         dane_vrfy_ctx->dane_vrfy_fp,
1908                         (mspki != NULL) ? "TA_public_key_verified_certificate" :
1909                                 (depth > 0) ? "matched_TA_certificate" : "matched_EE_certificate"
1910                 );
1911         }
1912 #  else
1913         SM_ASSERT(!dane_vrfy_ctx->dane_vrfy_dane_enabled);
1914 #  endif /* HAVE_SSL_CTX_dane_enable */
1915         return SM_SUCCESS;
1916 }
1917 # endif /* DANE */
1918
1919 /*
1920 **  TLS_GET_INFO -- get information about TLS connection
1921 **
1922 **      Parameters:
1923 **              ssl -- TLS session context
1924 **              srv -- server side?
1925 **              host -- hostname of other side
1926 **              mac -- macro storage
1927 **              certreq -- did we ask for a cert?
1928 **
1929 **      Returns:
1930 **              result of authentication.
1931 **
1932 **      Side Effects:
1933 **              sets various TLS related macros.
1934 */
1935
1936 int
1937 tls_get_info(ssl, srv, host, mac, certreq)
1938         SSL *ssl;
1939         bool srv;
1940         char *host;
1941         MACROS_T *mac;
1942         bool certreq;
1943 {
1944         const SSL_CIPHER *c;
1945         int b, r;
1946         long verifyok;
1947         char *s, *who;
1948         char bitstr[16];
1949         X509 *cert;
1950 # if DANE
1951         dane_vrfy_ctx_P dane_vrfy_ctx;
1952         dane_tlsa_P dane_tlsa;
1953 # endif
1954
1955         c = SSL_get_current_cipher(ssl);
1956
1957         /* cast is just workaround for compiler warning */
1958         macdefine(mac, A_TEMP, macid("{cipher}"),
1959                   (char *) SSL_CIPHER_get_name(c));
1960         b = SSL_CIPHER_get_bits(c, &r);
1961         (void) sm_snprintf(bitstr, sizeof(bitstr), "%d", b);
1962         macdefine(mac, A_TEMP, macid("{cipher_bits}"), bitstr);
1963         (void) sm_snprintf(bitstr, sizeof(bitstr), "%d", r);
1964         macdefine(mac, A_TEMP, macid("{alg_bits}"), bitstr);
1965         s = (char *) SSL_get_version(ssl);
1966         if (s == NULL)
1967                 s = "UNKNOWN";
1968         macdefine(mac, A_TEMP, macid("{tls_version}"), s);
1969
1970         who = srv ? "server" : "client";
1971         cert = MTA_SSL_get_peer_certificate(ssl);
1972         verifyok = SSL_get_verify_result(ssl);
1973         if (LogLevel > 14)
1974                 sm_syslog(LOG_INFO, NOQID,
1975                           "STARTTLS=%s, get_verify: %ld get_peer: 0x%lx",
1976                           who, verifyok, (unsigned long) cert);
1977 # if _FFR_TLS_ALTNAMES
1978         stabapply(clearclass, macid("{cert_altnames}"));
1979 # endif
1980         if (cert != NULL)
1981         {
1982                 X509_NAME *subj, *issuer;
1983                 char buf[MAXNAME];      /* EAI: not affected */
1984
1985                 subj = X509_get_subject_name(cert);
1986                 issuer = X509_get_issuer_name(cert);
1987                 X509_NAME_oneline(subj, buf, sizeof(buf));
1988                 macdefine(mac, A_TEMP, macid("{cert_subject}"),
1989                          xtextify(buf, "<>\")"));
1990                 X509_NAME_oneline(issuer, buf, sizeof(buf));
1991                 macdefine(mac, A_TEMP, macid("{cert_issuer}"),
1992                          xtextify(buf, "<>\")"));
1993
1994 #  define LL_BADCERT    8
1995
1996 #define CERTFPMACRO (CertFingerprintAlgorithm != NULL ? "{cert_fp}" : "{cert_md5}")
1997
1998 #define CHECK_X509_NAME(which)  \
1999         do {    \
2000                 if (r == -1)    \
2001                 {               \
2002                         sm_strlcpy(buf, "BadCertificateUnknown", sizeof(buf)); \
2003                         if (LogLevel > LL_BADCERT)      \
2004                                 sm_syslog(LOG_INFO, NOQID,      \
2005                                         "STARTTLS=%s, relay=%.100s, field=%s, status=failed to extract CN",     \
2006                                         who, whichhost, which); \
2007                 }               \
2008                 else if ((size_t)r >= sizeof(buf) - 1)  \
2009                 {               \
2010                         sm_strlcpy(buf, "BadCertificateTooLong", sizeof(buf)); \
2011                         if (LogLevel > 7)       \
2012                                 sm_syslog(LOG_INFO, NOQID,      \
2013                                         "STARTTLS=%s, relay=%.100s, field=%s, status=CN too long",      \
2014                                         who, whichhost, which); \
2015                 }               \
2016                 else if ((size_t)r > strlen(buf))       \
2017                 {               \
2018                         sm_strlcpy(buf, "BadCertificateContainsNUL",    \
2019                                 sizeof(buf));   \
2020                         if (LogLevel > 7)       \
2021                                 sm_syslog(LOG_INFO, NOQID,      \
2022                                         "STARTTLS=%s, relay=%.100s, field=%s, status=CN contains NUL",  \
2023                                         who, whichhost, which); \
2024                 }               \
2025         } while (0)
2026
2027                 r = X509_NAME_get_text_by_NID(subj, NID_commonName, buf,
2028                         sizeof buf);
2029                 CHECK_X509_NAME("cn_subject");
2030                 macdefine(mac, A_TEMP, macid("{cn_subject}"),
2031                          xtextify(buf, "<>\")"));
2032                 r = X509_NAME_get_text_by_NID(issuer, NID_commonName, buf,
2033                         sizeof buf);
2034                 CHECK_X509_NAME("cn_issuer");
2035                 macdefine(mac, A_TEMP, macid("{cn_issuer}"),
2036                          xtextify(buf, "<>\")"));
2037                 r = cert_fp(cert, EVP_digest, mac, CERTFPMACRO);
2038                 if (r <= 0 && LogLevel > 8)
2039                 {
2040                         sm_syslog(LOG_WARNING, NOQID,
2041                                 "STARTTLS=%s, relay=%.100s, X509_digest=%d, CertFingerprintAlgorithm=%s",
2042                                 who, whichhost, r,
2043                                 (NULL == CertFingerprintAlgorithm) ? "md5" :
2044                                 CertFingerprintAlgorithm);
2045                         tlslogerr(LOG_WARNING, 8, who);
2046                 }
2047                 getaltnames(cert, srv, host);
2048         }
2049         else
2050         {
2051                 macdefine(mac, A_PERM, macid("{cert_subject}"), "");
2052                 macdefine(mac, A_PERM, macid("{cert_issuer}"), "");
2053                 macdefine(mac, A_PERM, macid("{cn_subject}"), "");
2054                 macdefine(mac, A_PERM, macid("{cn_issuer}"), "");
2055                 macdefine(mac, A_TEMP, macid(CERTFPMACRO), "");
2056         }
2057 # if DANE
2058         dane_vrfy_ctx = NULL;
2059         dane_tlsa = NULL;
2060         if (TLSsslidx >= 0)
2061         {
2062                 tlsi_ctx_T *tlsi_ctx;
2063
2064                 tlsi_ctx = (tlsi_ctx_P) SSL_get_ex_data(ssl, TLSsslidx);
2065                 if (tlsi_ctx != NULL)
2066                 {
2067                         dane_vrfy_ctx = &(tlsi_ctx->tlsi_dvc);
2068                         dane_tlsa = dane_get_tlsa(dane_vrfy_ctx);
2069                 }
2070         }
2071
2072 #  define DANE_VRFY_RES_IS(r) \
2073         ((dane_vrfy_ctx != NULL) && dane_vrfy_ctx->dane_vrfy_res == (r))
2074
2075         if (tTd(96, 10))
2076                 sm_dprintf("tls_get_info: verifyok=%d, dane_vrfy_res=%d\n",
2077                         (int)verifyok,
2078                         (dane_vrfy_ctx != NULL) ? dane_vrfy_ctx->dane_vrfy_res : -999);
2079         if (SM_SUCCESS == dane_res(ssl, dane_vrfy_ctx))
2080         {
2081                 if (DANE_VRFY_RES_IS(DANE_VRFY_OK))
2082                 {
2083                         s = "TRUSTED";
2084                         r = TLS_AUTH_OK;
2085                 }
2086                 else if (DANE_VRFY_RES_IS(DANE_VRFY_TEMP))
2087                 {
2088                         s = "DANE_TEMP";
2089                         r = TLS_AUTH_TEMP;
2090                 }
2091                 else if (DANE_VRFY_RES_IS(DANE_VRFY_FAIL))
2092                 {
2093                         if (dane_tlsa != NULL &&
2094                             TLSA_IS_FL(dane_tlsa, TLSAFL2MANY))
2095                         {
2096                                 s = "DANE_TEMP";
2097                                 r = TLS_AUTH_TEMP;
2098                         }
2099                         else
2100                         {
2101                                 s = "DANE_FAIL";
2102                                 r = TLS_AUTH_FAIL;
2103                         }
2104                 }
2105                 else {
2106                         s = "BOGUS_DANE_RES";
2107                         r = TLS_AUTH_FAIL;
2108                 }
2109         }
2110         else
2111 # endif /* if DANE */
2112         /* "else" in #if code above */
2113         switch (verifyok)
2114         {
2115           case X509_V_OK:
2116                 if (cert != NULL)
2117                 {
2118                         s = "OK";
2119                         r = TLS_AUTH_OK;
2120                 }
2121                 else
2122                 {
2123                         s = certreq ? "NO" : "NOT",
2124                         r = TLS_AUTH_NO;
2125                 }
2126                 break;
2127
2128           default:
2129                 s = "FAIL";
2130                 r = TLS_AUTH_FAIL;
2131                 break;
2132         }
2133         macdefine(mac, A_PERM, macid("{verify}"), s);
2134         if (cert != NULL)
2135                 X509_free(cert);
2136
2137         /* do some logging */
2138         if (LogLevel > 8)
2139         {
2140                 char *vers, *s1, *s2, *cbits, *algbits;
2141
2142                 vers = macget(mac, macid("{tls_version}"));
2143                 cbits = macget(mac, macid("{cipher_bits}"));
2144                 algbits = macget(mac, macid("{alg_bits}"));
2145
2146                 /* XXX: use s directly? */
2147                 s1 = macget(mac, macid("{verify}"));
2148                 s2 = macget(mac, macid("{cipher}"));
2149
2150 # if DANE
2151 #  define LOG_DANE_FP   \
2152         ('\0' != dane_vrfy_ctx->dane_vrfy_fp[0] && DANE_VRFY_RES_IS(DANE_VRFY_FAIL))
2153 # endif
2154                 /* XXX: maybe cut off ident info? */
2155                 sm_syslog(LOG_INFO, NOQID,
2156                           "STARTTLS=%s, relay=%.100s, version=%.16s, verify=%.16s, cipher=%.64s, bits=%.6s/%.6s%s%s%s%s",
2157                           who,
2158                           host == NULL ? "local" : host,
2159                           vers, s1, s2, /* sm_snprintf() can deal with NULL */
2160                           algbits == NULL ? "0" : algbits,
2161                           cbits == NULL ? "0" : cbits
2162 # if DANE
2163                         , LOG_DANE_FP ? ", pubkey_fp=" : ""
2164                         , LOG_DANE_FP ? dane_vrfy_ctx->dane_vrfy_fp : ""
2165                         , (dane_tlsa != NULL
2166                             && TLSA_IS_FL(dane_tlsa, TLSAFLUNS)
2167                             && !TLSA_IS_FL(dane_tlsa, TLSAFLSUP)
2168                            && DANE_VRFY_RES_IS(DANE_VRFY_NONE))
2169                           ? ONLYUNSUPTLSARR : ""
2170                         , (dane_tlsa != NULL
2171                            && TLSA_IS_FL(dane_tlsa, TLSAFL2MANY))
2172                           && DANE_VRFY_RES_IS(DANE_VRFY_FAIL)
2173                           ? ", note=too many TLSA RRs" : ""
2174 # else
2175                         , "", "", "", ""
2176 # endif
2177                         );
2178                 if (LogLevel > 11)
2179                 {
2180                         /*
2181                         **  Maybe run xuntextify on the strings?
2182                         **  That is easier to read but makes it maybe a bit
2183                         **  more complicated to figure out the right values
2184                         **  for the access map...
2185                         */
2186
2187                         s1 = macget(mac, macid("{cert_subject}"));
2188                         s2 = macget(mac, macid("{cert_issuer}"));
2189                         sm_syslog(LOG_INFO, NOQID,
2190                                   "STARTTLS=%s, cert-subject=%.256s, cert-issuer=%.256s, verifymsg=%s",
2191                                   who, s1, s2,
2192                                   X509_verify_cert_error_string(verifyok));
2193                 }
2194         }
2195         return r;
2196 }
2197
2198 /*
2199 **  ENDTLS -- shut down secure connection
2200 **
2201 **      Parameters:
2202 **              pssl -- pointer to TLS session context
2203 **              who -- server/client (for logging).
2204 **
2205 **      Returns:
2206 **              success? (EX_* code)
2207 */
2208
2209 int
2210 endtls(pssl, who)
2211         SSL **pssl;
2212         const char *who;
2213 {
2214         SSL *ssl;
2215         int ret, r;
2216
2217         SM_REQUIRE(pssl != NULL);
2218         ret = EX_OK;
2219         ssl = *pssl;
2220         if (ssl == NULL)
2221                 return ret;
2222
2223         if ((r = SSL_shutdown(ssl)) < 0)
2224         {
2225                 if (LogLevel > 11)
2226                 {
2227                         sm_syslog(LOG_WARNING, NOQID,
2228                                   "STARTTLS=%s, SSL_shutdown failed: %d",
2229                                   who, r);
2230                         tlslogerr(LOG_WARNING, 11, who);
2231                 }
2232                 ret = EX_SOFTWARE;
2233         }
2234
2235         /*
2236         **  Bug in OpenSSL (at least up to 0.9.6b):
2237         **  From: Lutz.Jaenicke@aet.TU-Cottbus.DE
2238         **  Message-ID: <20010723152244.A13122@serv01.aet.tu-cottbus.de>
2239         **  To: openssl-users@openssl.org
2240         **  Subject: Re: SSL_shutdown() woes (fwd)
2241         **
2242         **  The side sending the shutdown alert first will
2243         **  not care about the answer of the peer but will
2244         **  immediately return with a return value of "0"
2245         **  (ssl/s3_lib.c:ssl3_shutdown()). SSL_get_error will evaluate
2246         **  the value of "0" and as the shutdown alert of the peer was
2247         **  not received (actually, the program did not even wait for
2248         **  the answer), an SSL_ERROR_SYSCALL is flagged, because this
2249         **  is the default rule in case everything else does not apply.
2250         **
2251         **  For your server the problem is different, because it
2252         **  receives the shutdown first (setting SSL_RECEIVED_SHUTDOWN),
2253         **  then sends its response (SSL_SENT_SHUTDOWN), so for the
2254         **  server the shutdown was successful.
2255         **
2256         **  As is by know, you would have to call SSL_shutdown() once
2257         **  and ignore an SSL_ERROR_SYSCALL returned. Then call
2258         **  SSL_shutdown() again to actually get the server's response.
2259         **
2260         **  In the last discussion, Bodo Moeller concluded that a
2261         **  rewrite of the shutdown code would be necessary, but
2262         **  probably with another API, as the change would not be
2263         **  compatible to the way it is now.  Things do not become
2264         **  easier as other programs do not follow the shutdown
2265         **  guidelines anyway, so that a lot error conditions and
2266         **  compitibility issues would have to be caught.
2267         **
2268         **  For now the recommondation is to ignore the error message.
2269         */
2270
2271         else if (r == 0)
2272         {
2273                 if (LogLevel > 15)
2274                 {
2275                         sm_syslog(LOG_WARNING, NOQID,
2276                                   "STARTTLS=%s, SSL_shutdown not done",
2277                                   who);
2278                         tlslogerr(LOG_WARNING, 15, who);
2279                 }
2280                 ret = EX_SOFTWARE;
2281         }
2282         SM_SSL_FREE(*pssl);
2283         return ret;
2284 }
2285
2286 # if !TLS_NO_RSA && MTA_RSA_TMP_CB
2287 /*
2288 **  TMP_RSA_KEY -- return temporary RSA key
2289 **
2290 **      Parameters:
2291 **              ssl -- TLS session context
2292 **              export --
2293 **              keylength --
2294 **
2295 **      Returns:
2296 **              temporary RSA key.
2297 */
2298
2299 #  ifndef MAX_RSA_TMP_CNT
2300 #   define MAX_RSA_TMP_CNT      1000    /* XXX better value? */
2301 #  endif
2302
2303 /* ARGUSED0 */
2304 static RSA *
2305 tmp_rsa_key(s, export, keylength)
2306         SSL *s;
2307         int export;
2308         int keylength;
2309 {
2310 #  if SM_CONF_SHM
2311         extern int ShmId;
2312         extern int *PRSATmpCnt;
2313
2314         if (ShmId != SM_SHM_NO_ID && rsa_tmp != NULL &&
2315             ++(*PRSATmpCnt) < MAX_RSA_TMP_CNT)
2316                 return rsa_tmp;
2317 #  endif /* SM_CONF_SHM */
2318
2319         if (rsa_tmp != NULL)
2320                 RSA_free(rsa_tmp);
2321         rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL, NULL);
2322         if (rsa_tmp == NULL)
2323         {
2324                 if (LogLevel > 0)
2325                         sm_syslog(LOG_ERR, NOQID,
2326                                   "STARTTLS=server, tmp_rsa_key: RSA_generate_key failed!");
2327         }
2328         else
2329         {
2330 #  if SM_CONF_SHM
2331 #   if 0
2332                 /*
2333                 **  XXX we can't (yet) share the new key...
2334                 **      The RSA structure contains pointers hence it can't be
2335                 **      easily kept in shared memory.  It must be transformed
2336                 **      into a continuous memory region first, then stored,
2337                 **      and later read out again (each time re-transformed).
2338                 */
2339
2340                 if (ShmId != SM_SHM_NO_ID)
2341                         *PRSATmpCnt = 0;
2342 #   endif /* 0 */
2343 #  endif /* SM_CONF_SHM */
2344                 if (LogLevel > 9)
2345                         sm_syslog(LOG_ERR, NOQID,
2346                                   "STARTTLS=server, tmp_rsa_key: new temp RSA key");
2347         }
2348         return rsa_tmp;
2349 }
2350 # endif /* !TLS_NO_RSA && MTA_RSA_TMP_CB */
2351
2352 /*
2353 **  APPS_SSL_INFO_CB -- info callback for TLS connections
2354 **
2355 **      Parameters:
2356 **              ssl -- TLS session context
2357 **              where -- state in handshake
2358 **              ret -- return code of last operation
2359 **
2360 **      Returns:
2361 **              none.
2362 */
2363
2364 static void
2365 apps_ssl_info_cb(ssl, where, ret)
2366         const SSL *ssl;
2367         int where;
2368         int ret;
2369 {
2370         int w;
2371         char *str;
2372         BIO *bio_err = NULL;
2373
2374         if (LogLevel > 14)
2375                 sm_syslog(LOG_INFO, NOQID,
2376                           "STARTTLS: info_callback where=0x%x, ret=%d",
2377                           where, ret);
2378
2379         w = where & ~SSL_ST_MASK;
2380         if (bio_err == NULL)
2381                 bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
2382
2383         if (bitset(SSL_ST_CONNECT, w))
2384                 str = "SSL_connect";
2385         else if (bitset(SSL_ST_ACCEPT, w))
2386                 str = "SSL_accept";
2387         else
2388                 str = "undefined";
2389
2390         if (bitset(SSL_CB_LOOP, where))
2391         {
2392                 if (LogLevel > 12)
2393                         sm_syslog(LOG_NOTICE, NOQID,
2394                                 "STARTTLS: %s:%s",
2395                                 str, SSL_state_string_long(ssl));
2396         }
2397         else if (bitset(SSL_CB_ALERT, where))
2398         {
2399                 str = bitset(SSL_CB_READ, where) ? "read" : "write";
2400                 if (LogLevel > 12)
2401                         sm_syslog(LOG_NOTICE, NOQID,
2402                                 "STARTTLS: SSL3 alert %s:%s:%s",
2403                                 str, SSL_alert_type_string_long(ret),
2404                                 SSL_alert_desc_string_long(ret));
2405         }
2406         else if (bitset(SSL_CB_EXIT, where))
2407         {
2408                 if (ret == 0)
2409                 {
2410                         if (LogLevel > 7)
2411                                 sm_syslog(LOG_WARNING, NOQID,
2412                                         "STARTTLS: %s:failed in %s",
2413                                         str, SSL_state_string_long(ssl));
2414                 }
2415                 else if (ret < 0)
2416                 {
2417                         if (LogLevel > 7)
2418                                 sm_syslog(LOG_WARNING, NOQID,
2419                                         "STARTTLS: %s:error in %s",
2420                                         str, SSL_state_string_long(ssl));
2421                 }
2422         }
2423 }
2424
2425 /*
2426 **  TLS_VERIFY_LOG -- log verify error for TLS certificates
2427 **
2428 **      Parameters:
2429 **              ok -- verify ok?
2430 **              ctx -- X509 context
2431 **              name -- from where is this called?
2432 **
2433 **      Returns:
2434 **              1 -- ok
2435 */
2436
2437 static int
2438 tls_verify_log(ok, ctx, name)
2439         int ok;
2440         X509_STORE_CTX *ctx;
2441         const char *name;
2442 {
2443         X509 *cert;
2444         int reason, depth;
2445         char buf[512];
2446
2447         cert = X509_STORE_CTX_get_current_cert(ctx);
2448         reason = X509_STORE_CTX_get_error(ctx);
2449         depth = X509_STORE_CTX_get_error_depth(ctx);
2450         X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
2451         sm_syslog(LOG_INFO, NOQID,
2452                   "STARTTLS: %s cert verify: depth=%d %s, state=%d, reason=%s",
2453                   name, depth, buf, ok, X509_verify_cert_error_string(reason));
2454         return 1;
2455 }
2456
2457 /*
2458 **  Declaration and access to tlsi_ctx in callbacks.
2459 */
2460
2461 #define SM_DECTLSI      \
2462         tlsi_ctx_T *tlsi_ctx;   \
2463         SSL *ssl
2464 #define SM_GETTLSI      \
2465         do {            \
2466                 tlsi_ctx = NULL;        \
2467                 if (TLSsslidx >= 0)     \
2468                 {       \
2469                         ssl = (SSL *) X509_STORE_CTX_get_ex_data(ctx,   \
2470                                 SSL_get_ex_data_X509_STORE_CTX_idx());  \
2471                         if (ssl != NULL)        \
2472                                 tlsi_ctx = (tlsi_ctx_P) SSL_get_ex_data(ssl, TLSsslidx);        \
2473                 }       \
2474         }       \
2475         while (0)
2476
2477 # if DANE
2478
2479 /*
2480 **  DANE_GET_TLSA -- Retrieve TLSA RR for DANE
2481 **
2482 **      Parameters:
2483 **              dane_vrfy_ctx -- dane verify context
2484 **
2485 **      Returns:
2486 **              dane_tlsa if TLSA RR is available
2487 **              NULL otherwise
2488 */
2489
2490 dane_tlsa_P
2491 dane_get_tlsa(dane_vrfy_ctx)
2492         dane_vrfy_ctx_P dane_vrfy_ctx;
2493 {
2494         STAB *s;
2495         dane_tlsa_P dane_tlsa;
2496
2497         dane_tlsa = NULL;
2498         if (NULL == dane_vrfy_ctx)
2499                 return NULL;
2500         if (!CHK_DANE(dane_vrfy_ctx->dane_vrfy_chk) ||
2501             dane_vrfy_ctx->dane_vrfy_host == NULL)
2502                 return NULL;
2503
2504         gettlsa(dane_vrfy_ctx->dane_vrfy_host, NULL, &s,
2505                 TLSAFLNOEXP, 0, dane_vrfy_ctx->dane_vrfy_port);
2506         if (NULL == s)
2507                 goto notfound;
2508         dane_tlsa = s->s_tlsa;
2509         if (NULL == dane_tlsa)
2510                 goto notfound;
2511         if (!TLSA_HAS_RRs(dane_tlsa))
2512                 goto notfound;
2513         if (tTd(96, 4))
2514                 sm_dprintf("dane_get_tlsa: chk=%#x, host=%s, n=%d, stat=entry found\n",
2515                         dane_vrfy_ctx->dane_vrfy_chk,
2516                         dane_vrfy_ctx->dane_vrfy_host, dane_tlsa->dane_tlsa_n);
2517         return dane_tlsa;
2518
2519   notfound:
2520         if (tTd(96, 4))
2521                 sm_dprintf("dane_get_tlsa: chk=%#x, host=%s, stat=no valid entry found\n",
2522                         dane_vrfy_ctx->dane_vrfy_chk,
2523                         dane_vrfy_ctx->dane_vrfy_host);
2524         return NULL;
2525 }
2526
2527 /*
2528 **  DANE_VERIFY -- verify callback for TLS certificates
2529 **
2530 **      Parameters:
2531 **              ctx -- X509 context
2532 **              dane_vrfy_ctx -- callback context
2533 **
2534 **      Returns:
2535 **              DANE_VRFY_{OK,NONE,FAIL}
2536 */
2537
2538 /* NOTE: this only works because the "matching type" is 0, 1, 2 for these! */
2539 static const char *dane_mdalgs[] = { "", "sha256", "sha512" };
2540
2541 static int
2542 dane_verify(ctx, dane_vrfy_ctx)
2543         X509_STORE_CTX *ctx;
2544         dane_vrfy_ctx_P dane_vrfy_ctx;
2545 {
2546         int r, i, ok, mdalg;
2547         X509 *cert;
2548         dane_tlsa_P dane_tlsa;
2549         unsigned char *fp;
2550
2551         dane_tlsa = dane_get_tlsa(dane_vrfy_ctx);
2552         if (dane_tlsa == NULL)
2553                 return DANE_VRFY_NONE;
2554
2555         dane_vrfy_ctx->dane_vrfy_fp[0] = '\0';
2556         cert = X509_STORE_CTX_get0_cert(ctx);
2557         if (tTd(96, 8))
2558                 sm_dprintf("dane_verify: cert=%p, supported=%d\n",
2559                         (void *)cert, TLSA_IS_FL(dane_tlsa, TLSAFLSUP));
2560         if (cert == NULL)
2561                 return DANE_VRFY_FAIL;
2562
2563         ok = DANE_VRFY_NONE;
2564         fp = NULL;
2565
2566         /*
2567         **  If the TLSA RRs would be sorted the two loops below could
2568         **  be merged into one and simply change mdalg when it changes
2569         **  in dane_tlsa->dane_tlsa_rr.
2570         */
2571
2572         /* use a different order? */
2573         for (mdalg = 0; mdalg < SM_ARRAY_SIZE(dane_mdalgs); mdalg++)
2574         {
2575                 SM_FREE(fp);
2576                 r = 0;
2577                 for (i = 0; i < dane_tlsa->dane_tlsa_n; i++)
2578                 {
2579                         unsigned char *p;
2580                         int alg;
2581
2582                         p = dane_tlsa->dane_tlsa_rr[i];
2583
2584                         /* ignore bogus/unsupported TLSA RRs */
2585                         alg = dane_tlsa_chk(p, dane_tlsa->dane_tlsa_len[i],
2586                                           dane_vrfy_ctx->dane_vrfy_host, false);
2587                         if (tTd(96, 8))
2588                                 sm_dprintf("dane_verify: alg=%d, mdalg=%d\n",
2589                                         alg, mdalg);
2590                         if (alg != mdalg)
2591                                 continue;
2592
2593                         if (NULL == fp)
2594                         {
2595                                 r = pubkey_fp(cert, dane_mdalgs[mdalg], &fp);
2596                                 if (NULL == fp)
2597                                         return DANE_VRFY_FAIL;
2598                                         /* or continue? */
2599                         }
2600
2601                         /* just for logging */
2602                         if (r > 0 && fp != NULL)
2603                         {
2604                                 (void) data2hex((unsigned char *)fp, r,
2605                                         (unsigned char *)dane_vrfy_ctx->dane_vrfy_fp,
2606                                         sizeof(dane_vrfy_ctx->dane_vrfy_fp));
2607                         }
2608
2609                         if (tTd(96, 4))
2610                                 sm_dprintf("dane_verify: alg=%d, r=%d, len=%d\n",
2611                                         alg, r, dane_tlsa->dane_tlsa_len[i]);
2612                         if (r != dane_tlsa->dane_tlsa_len[i] - 3)
2613                                 continue;
2614                         ok = DANE_VRFY_FAIL;
2615
2616                         /*
2617                         **  Note: Type is NOT checked because only 3-1-x
2618                         **  is supported.
2619                         */
2620
2621                         if (memcmp(p + 3, fp, r) == 0)
2622                         {
2623                                 if (tTd(96, 2))
2624                                         sm_dprintf("dane_verify: status=match\n");
2625                                 if (tTd(96, 8))
2626                                 {
2627                                         unsigned char hex[DANE_FP_DBG_LEN];
2628
2629                                         data2hex((unsigned char *)p,
2630                                                 dane_tlsa->dane_tlsa_len[i],
2631                                                 hex, sizeof(hex));
2632                                         sm_dprintf("dane_verify: pubkey_fp=%s\n"
2633                                                 , hex);
2634                                 }
2635                                 dane_vrfy_ctx->dane_vrfy_res = DANE_VRFY_OK;
2636                                 SM_FREE(fp);
2637                                 return DANE_VRFY_OK;
2638                         }
2639                 }
2640         }
2641
2642         SM_FREE(fp);
2643         dane_vrfy_ctx->dane_vrfy_res = ok;
2644         return ok;
2645 }
2646
2647 /*
2648 **  SSL_DANE_ENABLE -- enable using OpenSSL DANE functions for a session
2649 **
2650 **      Parameters:
2651 **              dane_vrfy_ctx -- dane verify context
2652 **              ssl -- TLS connection structure
2653 **
2654 **      Returns:
2655 **              SM_SUCCESS: OpenSSL DANE checking enabled
2656 **              SM_NOTDONE: OpenSSL DANE checking not enabled
2657 **              <0: some error
2658 */
2659
2660 int
2661 ssl_dane_enable(dane_vrfy_ctx, ssl)
2662         dane_vrfy_ctx_P dane_vrfy_ctx;
2663         SSL *ssl;
2664 {
2665 #  if HAVE_SSL_CTX_dane_enable
2666         const char *dane_tlsa_domain;
2667         int r, i, usable;
2668 #  endif
2669         dane_tlsa_P dane_tlsa;
2670
2671         if (tTd(96, 20))
2672                 sm_dprintf("ssl_dane_enable: dane_vrfy_ctx=%p, dane_vrfy_dane_enabled=%d, dane_vrfy_chk=%#x\n",
2673                         dane_vrfy_ctx, dane_vrfy_ctx->dane_vrfy_dane_enabled,
2674                         dane_vrfy_ctx->dane_vrfy_chk);
2675
2676         dane_tlsa = dane_get_tlsa(dane_vrfy_ctx);
2677         if (tTd(96, 20))
2678                 sm_dprintf("ssl_dane_enable: dane_tlsa=%p, n=%d, supported=%d\n",
2679                         dane_tlsa, dane_tlsa != NULL ? dane_tlsa->dane_tlsa_n : -999,
2680                         dane_tlsa != NULL ? TLSA_IS_FL(dane_tlsa, TLSAFLSUP) : -1);
2681         if (NULL == dane_tlsa || !TLSA_IS_FL(dane_tlsa, TLSAFLSUP))
2682         {
2683                 /* no DANE verification possible */
2684                 dane_vrfy_ctx->dane_vrfy_chk |= TLSAFLNOVRFY;
2685                 return SM_SUCCESS;
2686         }
2687         if (0 == (dane_vrfy_ctx->dane_vrfy_chk & TLSAFLADIP))
2688         {
2689                 /* no DANE verification possible */
2690                 dane_vrfy_ctx->dane_vrfy_chk |= TLSAFLNOVRFY;
2691                 return SM_SUCCESS;
2692         }
2693
2694         if (!dane_vrfy_ctx->dane_vrfy_dane_enabled)
2695         {
2696 #  if HAVE_SSL_CTX_dane_enable
2697                 dane_vrfy_ctx->dane_vrfy_chk |= TLSAFLTEMPVRFY;
2698 #  endif
2699                 return SM_NOTDONE;
2700         }
2701
2702 #  if HAVE_SSL_CTX_dane_enable
2703         dane_tlsa_domain = !SM_IS_EMPTY(dane_vrfy_ctx->dane_vrfy_sni)
2704                                 ? dane_vrfy_ctx->dane_vrfy_sni
2705                                 : dane_vrfy_ctx->dane_vrfy_host;
2706         r = SSL_dane_enable(ssl, dane_tlsa_domain);
2707 #   if _FFR_TESTS
2708         if (tTd(90, 102))
2709         {
2710                 sm_dprintf("ssl_dane_enable: test=simulate SSL_dane_enable error\n");
2711 #    ifdef SSL_F_SSL_DANE_ENABLE
2712                 SSLerr(SSL_F_SSL_DANE_ENABLE, ERR_R_MALLOC_FAILURE);
2713 #    endif
2714                 r = -1; /* -ENOMEM; */
2715         }
2716 #   endif /* _FFR_TESTS */
2717         if (r <= 0)
2718         {
2719 #  if HAVE_SSL_CTX_dane_enable
2720                 dane_vrfy_ctx->dane_vrfy_chk |= TLSAFLTEMPVRFY;
2721 #  endif
2722                 if (LogLevel > 1)
2723                         sm_syslog(LOG_ERR, NOQID,
2724                                 "STARTTLS=client, SSL_dane_enable=%d", r);
2725                 tlslogerr(LOG_ERR, 7, "client");
2726
2727                 /* XXX need better error code */
2728                 return (r < 0) ? r : -EINVAL;
2729         }
2730         if (LogLevel > 13)
2731                 sm_syslog(LOG_DEBUG, NOQID,
2732                         "STARTTLS=client, SSL_dane_enable=%d, domain=%s",
2733                         r, dane_tlsa_domain);
2734         (void) SSL_dane_set_flags(ssl, DANE_FLAG_NO_DANE_EE_NAMECHECKS);
2735
2736         usable = 0;
2737         for (i = 0; i < dane_tlsa->dane_tlsa_n; i++)
2738         {
2739                 const unsigned char *rr;
2740                 const char *chk;
2741
2742                 rr = (const unsigned char *)dane_tlsa->dane_tlsa_rr[i];
2743                 if (NULL == rr)
2744                         continue;
2745
2746                 /*
2747                 **  only DANE-TA(2) or DANE-EE(3)
2748                 **  use dane_tlsa_chk() instead?
2749                 */
2750
2751 # if _FFR_TESTS
2752                 if (tTd(90, 101) && 3 == rr[0] && 1 == rr[1])
2753                 {
2754                         sm_dprintf("TLSA, type=%d-%d-%d:%02x, status=unsupported_due_to_test",
2755                                   (int)rr[0], (int)rr[1], (int)rr[2],
2756                                   (int)rr[3]);
2757                         r = 0;
2758                         chk = "tlsa_test";
2759                 }
2760                 else
2761 # endif /* _FFR_TESTS */
2762                 if (!(2 == rr[0] || 3 == rr[0]))
2763                 {
2764                         r = 0;
2765                         chk = "tlsa_chk";
2766                 }
2767                 else
2768                 {
2769                         r = SSL_dane_tlsa_add(ssl, rr[0], rr[1], rr[2], rr + 3,
2770                                 (size_t) (dane_tlsa->dane_tlsa_len[i] - 3));
2771                         chk = "SSL_dane_tlsa_add";
2772                 }
2773                 if (r > 0)
2774                         usable++;
2775 #  if HAVE_SSL_CTX_dane_enable && 0
2776 /* should an error be ignored or cause a temporary failure? */
2777                 if (r < 0)
2778                         dane_vrfy_ctx->dane_vrfy_chk |= TLSAFLTEMPVRFY;
2779 #  endif
2780                 else if (LogLevel > ((r < 0) ? 10 : 13))
2781                 {
2782                         unsigned char hex[DANE_FP_LOG_LEN];
2783
2784                         (void) data2hex((unsigned char *)rr + 3,
2785                                 dane_tlsa->dane_tlsa_len[i] - 3,
2786                                 hex, sizeof(hex));
2787                         sm_syslog(LOG_DEBUG, NOQID,
2788                                 "STARTTLS=client, %s=%d, type=%d-%d-%d, fp=%s"
2789                                 , chk, r, rr[0], rr[1], rr[2], hex);
2790                         tlslogerr(LOG_DEBUG, (r < 0) ? 13 : 10, "client");
2791                 }
2792                 if (tTd(96, 20))
2793                 {
2794                         unsigned char hex[DANE_FP_DBG_LEN];
2795
2796                         (void) data2hex((unsigned char *)rr + 3,
2797                                 dane_tlsa->dane_tlsa_len[i] - 3,
2798                                 hex, sizeof(hex));
2799                         sm_dprintf("ssl_dane_enable: SSL_dane_tlsa_add=%d, u=%d, s=%d, d=%d, len=%d, fp=%s\n"
2800                                         , r, rr[0], rr[1], rr[2]
2801                                         , dane_tlsa->dane_tlsa_len[i]-3, hex
2802                                         );
2803                 }
2804         }
2805         if (tTd(96, 20))
2806                 sm_dprintf("ssl_dane_enable: usable=%d\n", usable);
2807         if (0 == usable)
2808         {
2809                 /* shouldn't happen - checked above! */
2810                 if (LogLevel > 1)
2811                         sm_syslog(LOG_CRIT, NOQID,
2812                                 "ERROR: ssl_dane_enable() INCONSISTENY: %d usable TLSA RRs found but \"supported\" flag is set (%d)\n",
2813                                 usable, TLSA_IS_FL(dane_tlsa, TLSAFLSUP));
2814                 dane_vrfy_ctx->dane_vrfy_chk |= TLSAFLNOVRFY;
2815                 return SM_SUCCESS;
2816         }
2817 #  endif /* HAVE_SSL_CTX_dane_enable */
2818         return SM_SUCCESS;
2819 }
2820 # endif /* DANE */
2821
2822 /*
2823 **  TLS_VERIFY_CB -- verify callback for TLS certificates
2824 **
2825 **      Parameters:
2826 **              ctx -- X509 context
2827 **              cb_ctx -- callback context
2828 **
2829 **      Returns:
2830 **              accept connection?
2831 **              currently: always yes.
2832 */
2833
2834 static int
2835 tls_verify_cb(ctx, cb_ctx)
2836         X509_STORE_CTX *ctx;
2837         void *cb_ctx;
2838 {
2839         int ok;
2840 # if DANE
2841         SM_DECTLSI;
2842         dane_vrfy_ctx_P dane_vrfy_ctx;
2843 # endif
2844
2845         /*
2846         **  SSL_CTX_set_cert_verify_callback(3):
2847         **  callback should return 1 to indicate verification success
2848         **  and 0 to indicate verification failure.
2849         */
2850
2851 # if DANE
2852         SM_GETTLSI;
2853         if (tTd(96, 40))
2854                 sm_dprintf("tls_verify_cb: tlsi_ctx=%p, vrfy_chk=%#x\n", tlsi_ctx,
2855                         (tlsi_ctx != NULL && (dane_vrfy_ctx = &(tlsi_ctx->tlsi_dvc)) != NULL) ?
2856                         dane_vrfy_ctx->dane_vrfy_chk : -1);
2857         if (tlsi_ctx != NULL && (dane_vrfy_ctx = &(tlsi_ctx->tlsi_dvc)) != NULL
2858             && !dane_vrfy_ctx->dane_vrfy_dane_enabled
2859             && (0 == (dane_vrfy_ctx->dane_vrfy_chk & TLSAFLTEMPVRFY))
2860             && VRFY_DANE(dane_vrfy_ctx->dane_vrfy_chk)
2861         )
2862         {
2863                 int depth;
2864
2865                 depth = X509_STORE_CTX_get_error_depth(ctx);
2866                 if (tTd(96, 20))
2867                         sm_dprintf("tls_verify_cb: enabled=%d, chk=%#x, depth=%d\n",
2868                                 dane_vrfy_ctx->dane_vrfy_dane_enabled,
2869                                 dane_vrfy_ctx->dane_vrfy_chk, depth);
2870
2871                 if (0 == depth)
2872                 {
2873                         ok = dane_verify(ctx, dane_vrfy_ctx);
2874                         if (tTd(96, 2))
2875                                 sm_dprintf("tls_verify_cb: dane_verify=%d, res=%d\n", ok,
2876                                         dane_vrfy_ctx->dane_vrfy_res);
2877                         if (ok != DANE_VRFY_NONE)
2878                                 return 1;
2879                 }
2880         }
2881
2882         if (tTd(96, 10))
2883                 sm_dprintf("tls_verify_cb: basic check? enabled=%d, chk=%#x\n",
2884                         (tlsi_ctx != NULL && dane_vrfy_ctx != NULL) ?
2885                                 dane_vrfy_ctx->dane_vrfy_dane_enabled : -1,
2886                         (tlsi_ctx != NULL && dane_vrfy_ctx != NULL) ?
2887                                 dane_vrfy_ctx->dane_vrfy_chk : -1);
2888 # endif /* DANE */
2889
2890         ok = X509_verify_cert(ctx);
2891         if ((LogLevel > 13 && ok <= 0) || LogLevel > 14)
2892                 (void) tls_verify_log(ok, ctx, "TLS");
2893         return 1;
2894 }
2895
2896 /*
2897 **  TLSLOGERR -- log the errors from the TLS error stack
2898 **
2899 **      Parameters:
2900 **              priority -- syslog priority
2901 **              ll -- loglevel
2902 **              who -- server/client (for logging).
2903 **
2904 **      Returns:
2905 **              none.
2906 */
2907
2908 void
2909 tlslogerr(priority, ll, who)
2910         int priority;
2911         int ll;
2912         const char *who;
2913 {
2914         unsigned long l;
2915         int line, flags;
2916         char *file, *data;
2917         char buf[256];
2918
2919         if (LogLevel <= ll)
2920                 return;
2921         while ((l = MTA_SSL_ERR_get((const char **) &file, &line,
2922                                     (const char **) &data, &flags, NULL))
2923                 != 0)
2924         {
2925                 sm_syslog(priority, NOQID,
2926                           "STARTTLS=%s: %s:%s:%d:%s", who,
2927                           ERR_error_string(l, buf),
2928                           file, line,
2929                           bitset(ERR_TXT_STRING, flags) ? data : "");
2930         }
2931 }
2932
2933 /*
2934 **  X509_VERIFY_CB -- verify callback
2935 **
2936 **      Parameters:
2937 **              ok -- current result
2938 **              ctx -- X509 context
2939 **
2940 **      Returns:
2941 **              accept connection?
2942 **              currently: always yes.
2943 */
2944
2945 static int
2946 x509_verify_cb(ok, ctx)
2947         int ok;
2948         X509_STORE_CTX *ctx;
2949 {
2950         SM_DECTLSI;
2951
2952         if (ok != 0)
2953                 return ok;
2954
2955         SM_GETTLSI;
2956         if (LogLevel > 13)
2957                 tls_verify_log(ok, ctx, "X509");
2958         if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL &&
2959             !SM_TLSI_IS(tlsi_ctx, TLSI_FL_CRLREQ))
2960         {
2961                 X509_STORE_CTX_set_error(ctx, 0);
2962                 return 1;       /* override it */
2963         }
2964         return ok;
2965 }
2966
2967 # if !USE_OPENSSL_ENGINE && !defined(OPENSSL_NO_ENGINE)
2968 /*
2969 **  TLS_SET_ENGINE -- set up ENGINE if needed
2970 **
2971 **      Parameters:
2972 **              id -- id for ENGINE
2973 **              isprefork -- called before fork()?
2974 **
2975 **      Returns: (OpenSSL "semantics", reverse it to allow returning error codes)
2976 **              0: failure
2977 **              !=0: ok
2978 */
2979
2980 int
2981 TLS_set_engine(id, isprefork)
2982         const char *id;
2983         bool isprefork;
2984 {
2985         static bool TLSEngineInitialized = false;
2986         ENGINE *e;
2987         char enginepath[MAXPATHLEN];
2988
2989         /*
2990         **  Todo: put error for logging into a string and log it in error:
2991         */
2992
2993         if (LogLevel > 13)
2994                 sm_syslog(LOG_DEBUG, NOQID,
2995                         "engine=%s, path=%s, ispre=%d, pre=%d, initialized=%d",
2996                         id, SSLEnginePath, isprefork, SSLEngineprefork,
2997                         TLSEngineInitialized);
2998         if (TLSEngineInitialized)
2999                 return 1;
3000         if (SM_IS_EMPTY(id))
3001                 return 1;
3002 #  if !defined(ENGINE_METHOD_ALL)
3003         if (LogLevel > 9)
3004                 sm_syslog(LOG_NOTICE, NOQID,
3005                         "engine=%s, status=engines_not_support", id)
3006         goto error;
3007 #  endif
3008
3009         /* is this the "right time" to initialize the engine? */
3010         if (isprefork != SSLEngineprefork)
3011                 return 1;
3012
3013         e = NULL;
3014         ENGINE_load_builtin_engines();
3015
3016         if (SSLEnginePath != NULL && *SSLEnginePath != '\0')
3017         {
3018                 if ((e = ENGINE_by_id("dynamic")) == NULL)
3019                 {
3020                         if (LogLevel > 1)
3021                                 sm_syslog(LOG_ERR, NOQID,
3022                                         "engine=%s, by_id=failed", "dynamic");
3023                         goto error;
3024                 }
3025                 (void) sm_snprintf(enginepath, sizeof(enginepath),
3026                         "%s/lib%s.so", SSLEnginePath, id);
3027
3028                 if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", enginepath, 0))
3029                 {
3030                         if (LogLevel > 1)
3031                                 sm_syslog(LOG_ERR, NOQID,
3032                                         "engine=%s, SO_PATH=%s, status=failed",
3033                                         id, enginepath);
3034                         goto error;
3035                 }
3036
3037                 if (!ENGINE_ctrl_cmd_string(e, "ID", id, 0))
3038                 {
3039                         if (LogLevel > 1)
3040                                 sm_syslog(LOG_ERR, NOQID,
3041                                         "engine=%s, ID=failed", id);
3042                         goto error;
3043                 }
3044
3045                 if (!ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0))
3046                 {
3047                         if (LogLevel > 1)
3048                                 sm_syslog(LOG_ERR, NOQID,
3049                                         "engine=%s, LOAD=failed", id);
3050                         goto error;
3051                 }
3052         }
3053         else if ((e = ENGINE_by_id(id)) == NULL)
3054         {
3055                 if (LogLevel > 1)
3056                         sm_syslog(LOG_ERR, NOQID, "engine=%s, by_id=failed",
3057                                 id);
3058                 return 0;
3059         }
3060
3061         if (!ENGINE_init(e))
3062         {
3063                 if (LogLevel > 1)
3064                         sm_syslog(LOG_ERR, NOQID, "engine=%s, init=failed", id);
3065                 goto error;
3066         }
3067         if (!ENGINE_set_default(e, ENGINE_METHOD_ALL))
3068         {
3069                 if (LogLevel > 1)
3070                         sm_syslog(LOG_ERR, NOQID,
3071                                 "engine=%s, set_default=failed", id);
3072                 goto error;
3073         }
3074 #  ifdef ENGINE_CTRL_CHIL_SET_FORKCHECK
3075         if (strcmp(id, "chil") == 0)
3076                 ENGINE_ctrl(e, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
3077 #  endif
3078
3079         /* Free our "structural" reference. */
3080         ENGINE_free(e);
3081         if (LogLevel > 10)
3082                 sm_syslog(LOG_INFO, NOQID, "engine=%s, loaded=ok", id);
3083         TLSEngineInitialized = true;
3084         return 1;
3085
3086   error:
3087         tlslogerr(LOG_WARNING, 7, "init");
3088         if (e != NULL)
3089                 ENGINE_free(e);
3090         return 0;
3091 }
3092 # endif /* !USE_OPENSSL_ENGINE && !defined(OPENSSL_NO_ENGINE) */
3093 #endif /* STARTTLS */