contrib/sendmail/src/tls.c

   1 /*
   2  * Copyright (c) 2000-2006 Sendmail, Inc. and its suppliers.
   3  *      All rights reserved.
   4  *
   5  * By using this file, you agree to the terms and conditions set
   6  * forth in the LICENSE file which can be found at the top level of
   7  * the sendmail distribution.
   8  *
   9  */
  10
  11 #include <sendmail.h>
  12
  13 SM_RCSID("@(#)$Id: tls.c,v 8.107 2006/10/12 21:35:11 ca Exp $")
  14
  15 #if STARTTLS
  16 #  include <openssl/err.h>
  17 #  include <openssl/bio.h>
  18 #  include <openssl/pem.h>
  19 #  ifndef HASURANDOMDEV
  20 #   include <openssl/rand.h>
  21 #  endif /* ! HASURANDOMDEV */
  22 # if !TLS_NO_RSA
  23 static RSA *rsa_tmp = NULL;     /* temporary RSA key */
  24 static RSA *tmp_rsa_key __P((SSL *, int, int));
  25 # endif /* !TLS_NO_RSA */
  26 #  if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x00907000L
  27 static int      tls_verify_cb __P((X509_STORE_CTX *));
  28 #  else /* !defined() || OPENSSL_VERSION_NUMBER < 0x00907000L */
  29 static int      tls_verify_cb __P((X509_STORE_CTX *, void *));
  30 #  endif /* !defined() || OPENSSL_VERSION_NUMBER < 0x00907000L */
  31
  32 # if OPENSSL_VERSION_NUMBER > 0x00907000L
  33 static int x509_verify_cb __P((int, X509_STORE_CTX *));
  34 # endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
  35
  36 # if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x00907000L
  37 #  define CONST097
  38 # else /* !defined() || OPENSSL_VERSION_NUMBER < 0x00907000L */
  39 #  define CONST097 const
  40 # endif /* !defined() || OPENSSL_VERSION_NUMBER < 0x00907000L */
  41 static void     apps_ssl_info_cb __P((CONST097 SSL *, int , int));
  42 static bool     tls_ok_f __P((char *, char *, int));
  43 static bool     tls_safe_f __P((char *, long, bool));
  44 static int      tls_verify_log __P((int, X509_STORE_CTX *, char *));
  45
  46 # if !NO_DH
  47 static DH *get_dh512 __P((void));
  48
  49 static unsigned char dh512_p[] =
  50 {
  51         0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
  52         0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
  53         0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
  54         0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
  55         0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
  56         0x47,0x74,0xE8,0x33
  57 };
  58 static unsigned char dh512_g[] =
  59 {
  60         0x02
  61 };
  62
  63 static DH *
  64 get_dh512()
  65 {
  66         DH *dh = NULL;
  67
  68         if ((dh = DH_new()) == NULL)
  69                 return NULL;
  70         dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
  71         dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
  72         if ((dh->p == NULL) || (dh->g == NULL))
  73                 return NULL;
  74         return dh;
  75 }
  76 # endif /* !NO_DH */
  77
  78
  79 /*
  80 **  TLS_RAND_INIT -- initialize STARTTLS random generator
  81 **
  82 **      Parameters:
  83 **              randfile -- name of file with random data
  84 **              logl -- loglevel
  85 **
  86 **      Returns:
  87 **              success/failure
  88 **
  89 **      Side Effects:
  90 **              initializes PRNG for tls library.
  91 */
  92
  93 # define MIN_RAND_BYTES 128     /* 1024 bits */
  94
  95 # define RF_OK          0       /* randfile OK */
  96 # define RF_MISS        1       /* randfile == NULL || *randfile == '\0' */
  97 # define RF_UNKNOWN     2       /* unknown prefix for randfile */
  98
  99 # define RI_NONE        0       /* no init yet */
 100 # define RI_SUCCESS     1       /* init was successful */
 101 # define RI_FAIL        2       /* init failed */
 102
 103 static bool     tls_rand_init __P((char *, int));
 104
 105 static bool
 106 tls_rand_init(randfile, logl)
 107         char *randfile;
 108         int logl;
 109 {
 110 # ifndef HASURANDOMDEV
 111         /* not required if /dev/urandom exists, OpenSSL does it internally */
 112
 113         bool ok;
 114         int randdef;
 115         static int done = RI_NONE;
 116
 117         /*
 118         **  initialize PRNG
 119         */
 120
 121         /* did we try this before? if yes: return old value */
 122         if (done != RI_NONE)
 123                 return done == RI_SUCCESS;
 124
 125         /* set default values */
 126         ok = false;
 127         done = RI_FAIL;
 128         randdef = (randfile == NULL || *randfile == '\0') ? RF_MISS : RF_OK;
 129 #   if EGD
 130         if (randdef == RF_OK && sm_strncasecmp(randfile, "egd:", 4) == 0)
 131         {
 132                 randfile += 4;
 133                 if (RAND_egd(randfile) < 0)
 134                 {
 135                         sm_syslog(LOG_WARNING, NOQID,
 136                                   "STARTTLS: RAND_egd(%s) failed: random number generator not seeded",
 137                                    randfile);
 138                 }
 139                 else
 140                         ok = true;
 141         }
 142         else
 143 #   endif /* EGD */
 144         if (randdef == RF_OK && sm_strncasecmp(randfile, "file:", 5) == 0)
 145         {
 146                 int fd;
 147                 long sff;
 148                 struct stat st;
 149
 150                 randfile += 5;
 151                 sff = SFF_SAFEDIRPATH | SFF_NOWLINK
 152                       | SFF_NOGWFILES | SFF_NOWWFILES
 153                       | SFF_NOGRFILES | SFF_NOWRFILES
 154                       | SFF_MUSTOWN | SFF_ROOTOK | SFF_OPENASROOT;
 155                 if (DontLockReadFiles)
 156                         sff |= SFF_NOLOCK;
 157                 if ((fd = safeopen(randfile, O_RDONLY, 0, sff)) >= 0)
 158                 {
 159                         if (fstat(fd, &st) < 0)
 160                         {
 161                                 if (LogLevel > logl)
 162                                         sm_syslog(LOG_ERR, NOQID,
 163                                                   "STARTTLS: can't fstat(%s)",
 164                                                   randfile);
 165                         }
 166                         else
 167                         {
 168                                 bool use, problem;
 169
 170                                 use = true;
 171                                 problem = false;
 172
 173                                 /* max. age of file: 10 minutes */
 174                                 if (st.st_mtime + 600 < curtime())
 175                                 {
 176                                         use = bitnset(DBS_INSUFFICIENTENTROPY,
 177                                                       DontBlameSendmail);
 178                                         problem = true;
 179                                         if (LogLevel > logl)
 180                                                 sm_syslog(LOG_ERR, NOQID,
 181                                                           "STARTTLS: RandFile %s too old: %s",
 182                                                           randfile,
 183                                                           use ? "unsafe" :
 184                                                                 "unusable");
 185                                 }
 186                                 if (use && st.st_size < MIN_RAND_BYTES)
 187                                 {
 188                                         use = bitnset(DBS_INSUFFICIENTENTROPY,
 189                                                       DontBlameSendmail);
 190                                         problem = true;
 191                                         if (LogLevel > logl)
 192                                                 sm_syslog(LOG_ERR, NOQID,
 193                                                           "STARTTLS: size(%s) < %d: %s",
 194                                                           randfile,
 195                                                           MIN_RAND_BYTES,
 196                                                           use ? "unsafe" :
 197                                                                 "unusable");
 198                                 }
 199                                 if (use)
 200                                         ok = RAND_load_file(randfile, -1) >=
 201                                              MIN_RAND_BYTES;
 202                                 if (use && !ok)
 203                                 {
 204                                         if (LogLevel > logl)
 205                                                 sm_syslog(LOG_WARNING, NOQID,
 206                                                           "STARTTLS: RAND_load_file(%s) failed: random number generator not seeded",
 207                                                           randfile);
 208                                 }
 209                                 if (problem)
 210                                         ok = false;
 211                         }
 212                         if (ok || bitnset(DBS_INSUFFICIENTENTROPY,
 213                                           DontBlameSendmail))
 214                         {
 215                                 /* add this even if fstat() failed */
 216                                 RAND_seed((void *) &st, sizeof(st));
 217                         }
 218                         (void) close(fd);
 219                 }
 220                 else
 221                 {
 222                         if (LogLevel > logl)
 223                                 sm_syslog(LOG_WARNING, NOQID,
 224                                           "STARTTLS: Warning: safeopen(%s) failed",
 225                                           randfile);
 226                 }
 227         }
 228         else if (randdef == RF_OK)
 229         {
 230                 if (LogLevel > logl)
 231                         sm_syslog(LOG_WARNING, NOQID,
 232                                   "STARTTLS: Error: no proper random file definition %s",
 233                                   randfile);
 234                 randdef = RF_UNKNOWN;
 235         }
 236         if (randdef == RF_MISS)
 237         {
 238                 if (LogLevel > logl)
 239                         sm_syslog(LOG_WARNING, NOQID,
 240                                   "STARTTLS: Error: missing random file definition");
 241         }
 242         if (!ok && bitnset(DBS_INSUFFICIENTENTROPY, DontBlameSendmail))
 243         {
 244                 int i;
 245                 long r;
 246                 unsigned char buf[MIN_RAND_BYTES];
 247
 248                 /* assert((MIN_RAND_BYTES % sizeof(long)) == 0); */
 249                 for (i = 0; i <= sizeof(buf) - sizeof(long); i += sizeof(long))
 250                 {
 251                         r = get_random();
 252                         (void) memcpy(buf + i, (void *) &r, sizeof(long));
 253                 }
 254                 RAND_seed(buf, sizeof(buf));
 255                 if (LogLevel > logl)
 256                         sm_syslog(LOG_WARNING, NOQID,
 257                                   "STARTTLS: Warning: random number generator not properly seeded");
 258                 ok = true;
 259         }
 260         done = ok ? RI_SUCCESS : RI_FAIL;
 261         return ok;
 262 # else /* ! HASURANDOMDEV */
 263         return true;
 264 # endif /* ! HASURANDOMDEV */
 265 }
 266 /*
 267 **  INIT_TLS_LIBRARY -- Calls functions which setup TLS library for global use.
 268 **
 269 **      Parameters:
 270 **              none.
 271 **
 272 **      Returns:
 273 **              succeeded?
 274 */
 275
 276 bool
 277 init_tls_library()
 278 {
 279         /* basic TLS initialization, ignore result for now */
 280         SSL_library_init();
 281         SSL_load_error_strings();
 282 # if 0
 283         /* this is currently a macro for SSL_library_init */
 284         SSLeay_add_ssl_algorithms();
 285 # endif /* 0 */
 286
 287         return tls_rand_init(RandFile, 7);
 288 }
 289 /*
 290 **  TLS_SET_VERIFY -- request client certificate?
 291 **
 292 **      Parameters:
 293 **              ctx -- TLS context
 294 **              ssl -- TLS structure
 295 **              vrfy -- require certificate?
 296 **
 297 **      Returns:
 298 **              none.
 299 **
 300 **      Side Effects:
 301 **              Sets verification state for TLS
 302 **
 303 # if TLS_VRFY_PER_CTX
 304 **      Notice:
 305 **              This is per TLS context, not per TLS structure;
 306 **              the former is global, the latter per connection.
 307 **              It would be nice to do this per connection, but this
 308 **              doesn't work in the current TLS libraries :-(
 309 # endif * TLS_VRFY_PER_CTX *
 310 */
 311
 312 void
 313 tls_set_verify(ctx, ssl, vrfy)
 314         SSL_CTX *ctx;
 315         SSL *ssl;
 316         bool vrfy;
 317 {
 318 # if !TLS_VRFY_PER_CTX
 319         SSL_set_verify(ssl, vrfy ? SSL_VERIFY_PEER : SSL_VERIFY_NONE, NULL);
 320 # else /* !TLS_VRFY_PER_CTX */
 321         SSL_CTX_set_verify(ctx, vrfy ? SSL_VERIFY_PEER : SSL_VERIFY_NONE,
 322                         NULL);
 323 # endif /* !TLS_VRFY_PER_CTX */
 324 }
 325
 326 /*
 327 **  status in initialization
 328 **  these flags keep track of the status of the initialization
 329 **  i.e., whether a file exists (_EX) and whether it can be used (_OK)
 330 **  [due to permissions]
 331 */
 332
 333 # define TLS_S_NONE     0x00000000      /* none yet */
 334 # define TLS_S_CERT_EX  0x00000001      /* cert file exists */
 335 # define TLS_S_CERT_OK  0x00000002      /* cert file is ok */
 336 # define TLS_S_KEY_EX   0x00000004      /* key file exists */
 337 # define TLS_S_KEY_OK   0x00000008      /* key file is ok */
 338 # define TLS_S_CERTP_EX 0x00000010      /* CA cert path exists */
 339 # define TLS_S_CERTP_OK 0x00000020      /* CA cert path is ok */
 340 # define TLS_S_CERTF_EX 0x00000040      /* CA cert file exists */
 341 # define TLS_S_CERTF_OK 0x00000080      /* CA cert file is ok */
 342 # define TLS_S_CRLF_EX  0x00000100      /* CRL file exists */
 343 # define TLS_S_CRLF_OK  0x00000200      /* CRL file is ok */
 344
 345 # if _FFR_TLS_1
 346 #  define TLS_S_CERT2_EX        0x00001000      /* 2nd cert file exists */
 347 #  define TLS_S_CERT2_OK        0x00002000      /* 2nd cert file is ok */
 348 #  define TLS_S_KEY2_EX 0x00004000      /* 2nd key file exists */
 349 #  define TLS_S_KEY2_OK 0x00008000      /* 2nd key file is ok */
 350 # endif /* _FFR_TLS_1 */
 351
 352 # define TLS_S_DH_OK    0x00200000      /* DH cert is ok */
 353 # define TLS_S_DHPAR_EX 0x00400000      /* DH param file exists */
 354 # define TLS_S_DHPAR_OK 0x00800000      /* DH param file is ok to use */
 355
 356 /* Type of variable */
 357 # define TLS_T_OTHER    0
 358 # define TLS_T_SRV      1
 359 # define TLS_T_CLT      2
 360
 361 /*
 362 **  TLS_OK_F -- can var be an absolute filename?
 363 **
 364 **      Parameters:
 365 **              var -- filename
 366 **              fn -- what is the filename used for?
 367 **              type -- type of variable
 368 **
 369 **      Returns:
 370 **              ok?
 371 */
 372
 373 static bool
 374 tls_ok_f(var, fn, type)
 375         char *var;
 376         char *fn;
 377         int type;
 378 {
 379         /* must be absolute pathname */
 380         if (var != NULL && *var == '/')
 381                 return true;
 382         if (LogLevel > 12)
 383                 sm_syslog(LOG_WARNING, NOQID, "STARTTLS: %s%s missing",
 384                           type == TLS_T_SRV ? "Server" :
 385                           (type == TLS_T_CLT ? "Client" : ""), fn);
 386         return false;
 387 }
 388 /*
 389 **  TLS_SAFE_F -- is a file safe to use?
 390 **
 391 **      Parameters:
 392 **              var -- filename
 393 **              sff -- flags for safefile()
 394 **              srv -- server side?
 395 **
 396 **      Returns:
 397 **              ok?
 398 */
 399
 400 static bool
 401 tls_safe_f(var, sff, srv)
 402         char *var;
 403         long sff;
 404         bool srv;
 405 {
 406         int ret;
 407
 408         if ((ret = safefile(var, RunAsUid, RunAsGid, RunAsUserName, sff,
 409                             S_IRUSR, NULL)) == 0)
 410                 return true;
 411         if (LogLevel > 7)
 412                 sm_syslog(LOG_WARNING, NOQID, "STARTTLS=%s: file %s unsafe: %s",
 413                           srv ? "server" : "client", var, sm_errstring(ret));
 414         return false;
 415 }
 416
 417 /*
 418 **  TLS_OK_F -- macro to simplify calls to tls_ok_f
 419 **
 420 **      Parameters:
 421 **              var -- filename
 422 **              fn -- what is the filename used for?
 423 **              req -- is the file required?
 424 **              st -- status bit to set if ok
 425 **              type -- type of variable
 426 **
 427 **      Side Effects:
 428 **              uses r, ok; may change ok and status.
 429 **
 430 */
 431
 432 # define TLS_OK_F(var, fn, req, st, type) if (ok) \
 433         { \
 434                 r = tls_ok_f(var, fn, type); \
 435                 if (r) \
 436                         status |= st; \
 437                 else if (req) \
 438                         ok = false; \
 439         }
 440
 441 /*
 442 **  TLS_UNR -- macro to return whether a file should be unreadable
 443 **
 444 **      Parameters:
 445 **              bit -- flag to test
 446 **              req -- flags
 447 **
 448 **      Returns:
 449 **              0/SFF_NORFILES
 450 */
 451 # define TLS_UNR(bit, req)      (bitset(bit, req) ? SFF_NORFILES : 0)
 452 # define TLS_OUNR(bit, req)     (bitset(bit, req) ? SFF_NOWRFILES : 0)
 453 # define TLS_KEYSFF(req)        \
 454         (bitnset(DBS_GROUPREADABLEKEYFILE, DontBlameSendmail) ? \
 455                 TLS_OUNR(TLS_I_KEY_OUNR, req) :                 \
 456                 TLS_UNR(TLS_I_KEY_UNR, req))
 457
 458 /*
 459 **  TLS_SAFE_F -- macro to simplify calls to tls_safe_f
 460 **
 461 **      Parameters:
 462 **              var -- filename
 463 **              sff -- flags for safefile()
 464 **              req -- is the file required?
 465 **              ex -- does the file exist?
 466 **              st -- status bit to set if ok
 467 **              srv -- server side?
 468 **
 469 **      Side Effects:
 470 **              uses r, ok, ex; may change ok and status.
 471 **
 472 */
 473
 474 # define TLS_SAFE_F(var, sff, req, ex, st, srv) if (ex && ok) \
 475         { \
 476                 r = tls_safe_f(var, sff, srv); \
 477                 if (r) \
 478                         status |= st;   \
 479                 else if (req) \
 480                         ok = false;     \
 481         }
 482
 483 /*
 484 **  INITTLS -- initialize TLS
 485 **
 486 **      Parameters:
 487 **              ctx -- pointer to context
 488 **              req -- requirements for initialization (see sendmail.h)
 489 **              srv -- server side?
 490 **              certfile -- filename of certificate
 491 **              keyfile -- filename of private key
 492 **              cacertpath -- path to CAs
 493 **              cacertfile -- file with CA(s)
 494 **              dhparam -- parameters for DH
 495 **
 496 **      Returns:
 497 **              succeeded?
 498 */
 499
 500 /*
 501 **  The session_id_context identifies the service that created a session.
 502 **  This information is used to distinguish between multiple TLS-based
 503 **  servers running on the same server. We use the name of the mail system.
 504 **  Note: the session cache is not persistent.
 505 */
 506
 507 static char server_session_id_context[] = "sendmail8";
 508
 509 /* 0.9.8a and b have a problem with SSL_OP_TLS_BLOCK_PADDING_BUG */
 510 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL)
 511 # define SM_SSL_OP_TLS_BLOCK_PADDING_BUG        1
 512 #else
 513 # define SM_SSL_OP_TLS_BLOCK_PADDING_BUG        0
 514 #endif
 515
 516 bool
 517 inittls(ctx, req, srv, certfile, keyfile, cacertpath, cacertfile, dhparam)
 518         SSL_CTX **ctx;
 519         unsigned long req;
 520         bool srv;
 521         char *certfile, *keyfile, *cacertpath, *cacertfile, *dhparam;
 522 {
 523 # if !NO_DH
 524         static DH *dh = NULL;
 525 # endif /* !NO_DH */
 526         int r;
 527         bool ok;
 528         long sff, status, options;
 529         char *who;
 530 # if _FFR_TLS_1
 531         char *cf2, *kf2;
 532 # endif /* _FFR_TLS_1 */
 533 #  if SM_CONF_SHM
 534         extern int ShmId;
 535 #  endif /* SM_CONF_SHM */
 536 # if OPENSSL_VERSION_NUMBER > 0x00907000L
 537         BIO *crl_file;
 538         X509_CRL *crl;
 539         X509_STORE *store;
 540 # endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
 541 #if SM_SSL_OP_TLS_BLOCK_PADDING_BUG
 542         long rt_version;
 543         STACK_OF(SSL_COMP) *comp_methods;
 544 #endif
 545
 546         status = TLS_S_NONE;
 547         who = srv ? "server" : "client";
 548         if (ctx == NULL)
 549         {
 550                 syserr("STARTTLS=%s, inittls: ctx == NULL", who);
 551                 /* NOTREACHED */
 552                 SM_ASSERT(ctx != NULL);
 553         }
 554
 555         /* already initialized? (we could re-init...) */
 556         if (*ctx != NULL)
 557                 return true;
 558         ok = true;
 559
 560 # if _FFR_TLS_1
 561         /*
 562         **  look for a second filename: it must be separated by a ','
 563         **  no blanks allowed (they won't be skipped).
 564         **  we change a global variable here! this change will be undone
 565         **  before return from the function but only if it returns true.
 566         **  this isn't a problem since in a failure case this function
 567         **  won't be called again with the same (overwritten) values.
 568         **  otherwise each return must be replaced with a goto endinittls.
 569         */
 570
 571         cf2 = NULL;
 572         kf2 = NULL;
 573         if (certfile != NULL && (cf2 = strchr(certfile, ',')) != NULL)
 574         {
 575                 *cf2++ = '\0';
 576                 if (keyfile != NULL && (kf2 = strchr(keyfile, ',')) != NULL)
 577                         *kf2++ = '\0';
 578         }
 579 # endif /* _FFR_TLS_1 */
 580
 581         /*
 582         **  Check whether files/paths are defined
 583         */
 584
 585         TLS_OK_F(certfile, "CertFile", bitset(TLS_I_CERT_EX, req),
 586                  TLS_S_CERT_EX, srv ? TLS_T_SRV : TLS_T_CLT);
 587         TLS_OK_F(keyfile, "KeyFile", bitset(TLS_I_KEY_EX, req),
 588                  TLS_S_KEY_EX, srv ? TLS_T_SRV : TLS_T_CLT);
 589         TLS_OK_F(cacertpath, "CACertPath", bitset(TLS_I_CERTP_EX, req),
 590                  TLS_S_CERTP_EX, TLS_T_OTHER);
 591         TLS_OK_F(cacertfile, "CACertFile", bitset(TLS_I_CERTF_EX, req),
 592                  TLS_S_CERTF_EX, TLS_T_OTHER);
 593
 594 # if OPENSSL_VERSION_NUMBER > 0x00907000L
 595         TLS_OK_F(CRLFile, "CRLFile", bitset(TLS_I_CRLF_EX, req),
 596                  TLS_S_CRLF_EX, TLS_T_OTHER);
 597 # endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
 598
 599 # if _FFR_TLS_1
 600         /*
 601         **  if the second file is specified it must exist
 602         **  XXX: it is possible here to define only one of those files
 603         */
 604
 605         if (cf2 != NULL)
 606         {
 607                 TLS_OK_F(cf2, "CertFile", bitset(TLS_I_CERT_EX, req),
 608                          TLS_S_CERT2_EX, srv ? TLS_T_SRV : TLS_T_CLT);
 609         }
 610         if (kf2 != NULL)
 611         {
 612                 TLS_OK_F(kf2, "KeyFile", bitset(TLS_I_KEY_EX, req),
 613                          TLS_S_KEY2_EX, srv ? TLS_T_SRV : TLS_T_CLT);
 614         }
 615 # endif /* _FFR_TLS_1 */
 616
 617         /*
 618         **  valid values for dhparam are (only the first char is checked)
 619         **  none        no parameters: don't use DH
 620         **  512         generate 512 bit parameters (fixed)
 621         **  1024        generate 1024 bit parameters
 622         **  /file/name  read parameters from /file/name
 623         **  default is: 1024 for server, 512 for client (OK? XXX)
 624         */
 625
 626         if (bitset(TLS_I_TRY_DH, req))
 627         {
 628                 if (dhparam != NULL)
 629                 {
 630                         char c = *dhparam;
 631
 632                         if (c == '1')
 633                                 req |= TLS_I_DH1024;
 634                         else if (c == '5')
 635                                 req |= TLS_I_DH512;
 636                         else if (c != 'n' && c != 'N' && c != '/')
 637                         {
 638                                 if (LogLevel > 12)
 639                                         sm_syslog(LOG_WARNING, NOQID,
 640                                                   "STARTTLS=%s, error: illegal value '%s' for DHParam",
 641                                                   who, dhparam);
 642                                 dhparam = NULL;
 643                         }
 644                 }
 645                 if (dhparam == NULL)
 646                         dhparam = srv ? "1" : "5";
 647                 else if (*dhparam == '/')
 648                 {
 649                         TLS_OK_F(dhparam, "DHParameters",
 650                                  bitset(TLS_I_DHPAR_EX, req),
 651                                  TLS_S_DHPAR_EX, TLS_T_OTHER);
 652                 }
 653         }
 654         if (!ok)
 655                 return ok;
 656
 657         /* certfile etc. must be "safe". */
 658         sff = SFF_REGONLY | SFF_SAFEDIRPATH | SFF_NOWLINK
 659              | SFF_NOGWFILES | SFF_NOWWFILES
 660              | SFF_MUSTOWN | SFF_ROOTOK | SFF_OPENASROOT;
 661         if (DontLockReadFiles)
 662                 sff |= SFF_NOLOCK;
 663
 664         TLS_SAFE_F(certfile, sff | TLS_UNR(TLS_I_CERT_UNR, req),
 665                    bitset(TLS_I_CERT_EX, req),
 666                    bitset(TLS_S_CERT_EX, status), TLS_S_CERT_OK, srv);
 667         TLS_SAFE_F(keyfile, sff | TLS_KEYSFF(req),
 668                    bitset(TLS_I_KEY_EX, req),
 669                    bitset(TLS_S_KEY_EX, status), TLS_S_KEY_OK, srv);
 670         TLS_SAFE_F(cacertfile, sff | TLS_UNR(TLS_I_CERTF_UNR, req),
 671                    bitset(TLS_I_CERTF_EX, req),
 672                    bitset(TLS_S_CERTF_EX, status), TLS_S_CERTF_OK, srv);
 673         TLS_SAFE_F(dhparam, sff | TLS_UNR(TLS_I_DHPAR_UNR, req),
 674                    bitset(TLS_I_DHPAR_EX, req),
 675                    bitset(TLS_S_DHPAR_EX, status), TLS_S_DHPAR_OK, srv);
 676 # if OPENSSL_VERSION_NUMBER > 0x00907000L
 677         TLS_SAFE_F(CRLFile, sff | TLS_UNR(TLS_I_CRLF_UNR, req),
 678                    bitset(TLS_I_CRLF_EX, req),
 679                    bitset(TLS_S_CRLF_EX, status), TLS_S_CRLF_OK, srv);
 680 # endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
 681         if (!ok)
 682                 return ok;
 683 # if _FFR_TLS_1
 684         if (cf2 != NULL)
 685         {
 686                 TLS_SAFE_F(cf2, sff | TLS_UNR(TLS_I_CERT_UNR, req),
 687                            bitset(TLS_I_CERT_EX, req),
 688                            bitset(TLS_S_CERT2_EX, status), TLS_S_CERT2_OK, srv);
 689         }
 690         if (kf2 != NULL)
 691         {
 692                 TLS_SAFE_F(kf2, sff | TLS_KEYSFF(req),
 693                            bitset(TLS_I_KEY_EX, req),
 694                            bitset(TLS_S_KEY2_EX, status), TLS_S_KEY2_OK, srv);
 695         }
 696 # endif /* _FFR_TLS_1 */
 697
 698         /* create a method and a new context */
 699         if ((*ctx = SSL_CTX_new(srv ? SSLv23_server_method() :
 700                                       SSLv23_client_method())) == NULL)
 701         {
 702                 if (LogLevel > 7)
 703                         sm_syslog(LOG_WARNING, NOQID,
 704                                   "STARTTLS=%s, error: SSL_CTX_new(SSLv23_%s_method()) failed",
 705                                   who, who);
 706                 if (LogLevel > 9)
 707                         tlslogerr(who);
 708                 return false;
 709         }
 710
 711 # if OPENSSL_VERSION_NUMBER > 0x00907000L
 712         if (CRLFile != NULL)
 713         {
 714                 /* get a pointer to the current certificate validation store */
 715                 store = SSL_CTX_get_cert_store(*ctx);   /* does not fail */
 716                 crl_file = BIO_new(BIO_s_file_internal());
 717                 if (crl_file != NULL)
 718                 {
 719                         if (BIO_read_filename(crl_file, CRLFile) >= 0)
 720                         {
 721                                 crl = PEM_read_bio_X509_CRL(crl_file, NULL,
 722                                                         NULL, NULL);
 723                                 BIO_free(crl_file);
 724                                 X509_STORE_add_crl(store, crl);
 725                                 X509_CRL_free(crl);
 726                                 X509_STORE_set_flags(store,
 727                                         X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
 728                                 X509_STORE_set_verify_cb_func(store,
 729                                                 x509_verify_cb);
 730                         }
 731                         else
 732                         {
 733                                 if (LogLevel > 9)
 734                                 {
 735                                         sm_syslog(LOG_WARNING, NOQID,
 736                                                   "STARTTLS=%s, error: PEM_read_bio_X509_CRL(%s)=failed",
 737                                                   who, CRLFile);
 738                                 }
 739
 740                                 /* avoid memory leaks */
 741                                 BIO_free(crl_file);
 742                                 return false;
 743                         }
 744
 745                 }
 746                 else if (LogLevel > 9)
 747                         sm_syslog(LOG_WARNING, NOQID,
 748                                   "STARTTLS=%s, error: BIO_new=failed", who);
 749         }
 750         else
 751                 store = NULL;
 752 #  if _FFR_CRLPATH
 753         if (CRLPath != NULL && store != NULL)
 754         {
 755                 X509_LOOKUP *lookup;
 756
 757                 lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
 758                 if (lookup == NULL)
 759                 {
 760                         if (LogLevel > 9)
 761                         {
 762                                 sm_syslog(LOG_WARNING, NOQID,
 763                                           "STARTTLS=%s, error: X509_STORE_add_lookup(hash)=failed",
 764                                           who, CRLFile);
 765                         }
 766                         return false;
 767                 }
 768                 X509_LOOKUP_add_dir(lookup, CRLPath, X509_FILETYPE_PEM);
 769                 X509_STORE_set_flags(store,
 770                         X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
 771         }
 772 #  endif /* _FFR_CRLPATH */
 773 # endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
 774
 775 # if TLS_NO_RSA
 776         /* turn off backward compatibility, required for no-rsa */
 777         SSL_CTX_set_options(*ctx, SSL_OP_NO_SSLv2);
 778 # endif /* TLS_NO_RSA */
 779
 780
 781 # if !TLS_NO_RSA
 782         /*
 783         **  Create a temporary RSA key
 784         **  XXX  Maybe we shouldn't create this always (even though it
 785         **  is only at startup).
 786         **  It is a time-consuming operation and it is not always necessary.
 787         **  maybe we should do it only on demand...
 788         */
 789
 790         if (bitset(TLS_I_RSA_TMP, req)
 791 #   if SM_CONF_SHM
 792             && ShmId != SM_SHM_NO_ID &&
 793             (rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL,
 794                                         NULL)) == NULL
 795 #   else /* SM_CONF_SHM */
 796             && 0        /* no shared memory: no need to generate key now */
 797 #   endif /* SM_CONF_SHM */
 798            )
 799         {
 800                 if (LogLevel > 7)
 801                 {
 802                         sm_syslog(LOG_WARNING, NOQID,
 803                                   "STARTTLS=%s, error: RSA_generate_key failed",
 804                                   who);
 805                         if (LogLevel > 9)
 806                                 tlslogerr(who);
 807                 }
 808                 return false;
 809         }
 810 # endif /* !TLS_NO_RSA */
 811
 812         /*
 813         **  load private key
 814         **  XXX change this for DSA-only version
 815         */
 816
 817         if (bitset(TLS_S_KEY_OK, status) &&
 818             SSL_CTX_use_PrivateKey_file(*ctx, keyfile,
 819                                          SSL_FILETYPE_PEM) <= 0)
 820         {
 821                 if (LogLevel > 7)
 822                 {
 823                         sm_syslog(LOG_WARNING, NOQID,
 824                                   "STARTTLS=%s, error: SSL_CTX_use_PrivateKey_file(%s) failed",
 825                                   who, keyfile);
 826                         if (LogLevel > 9)
 827                                 tlslogerr(who);
 828                 }
 829                 if (bitset(TLS_I_USE_KEY, req))
 830                         return false;
 831         }
 832
 833         /* get the certificate file */
 834         if (bitset(TLS_S_CERT_OK, status) &&
 835             SSL_CTX_use_certificate_file(*ctx, certfile,
 836                                          SSL_FILETYPE_PEM) <= 0)
 837         {
 838                 if (LogLevel > 7)
 839                 {
 840                         sm_syslog(LOG_WARNING, NOQID,
 841                                   "STARTTLS=%s, error: SSL_CTX_use_certificate_file(%s) failed",
 842                                   who, certfile);
 843                         if (LogLevel > 9)
 844                                 tlslogerr(who);
 845                 }
 846                 if (bitset(TLS_I_USE_CERT, req))
 847                         return false;
 848         }
 849
 850         /* check the private key */
 851         if (bitset(TLS_S_KEY_OK, status) &&
 852             (r = SSL_CTX_check_private_key(*ctx)) <= 0)
 853         {
 854                 /* Private key does not match the certificate public key */
 855                 if (LogLevel > 5)
 856                 {
 857                         sm_syslog(LOG_WARNING, NOQID,
 858                                   "STARTTLS=%s, error: SSL_CTX_check_private_key failed(%s): %d",
 859                                   who, keyfile, r);
 860                         if (LogLevel > 9)
 861                                 tlslogerr(who);
 862                 }
 863                 if (bitset(TLS_I_USE_KEY, req))
 864                         return false;
 865         }
 866
 867 # if _FFR_TLS_1
 868         /* XXX this code is pretty much duplicated from above! */
 869
 870         /* load private key */
 871         if (bitset(TLS_S_KEY2_OK, status) &&
 872             SSL_CTX_use_PrivateKey_file(*ctx, kf2, SSL_FILETYPE_PEM) <= 0)
 873         {
 874                 if (LogLevel > 7)
 875                 {
 876                         sm_syslog(LOG_WARNING, NOQID,
 877                                   "STARTTLS=%s, error: SSL_CTX_use_PrivateKey_file(%s) failed",
 878                                   who, kf2);
 879                         if (LogLevel > 9)
 880                                 tlslogerr(who);
 881                 }
 882         }
 883
 884         /* get the certificate file */
 885         if (bitset(TLS_S_CERT2_OK, status) &&
 886             SSL_CTX_use_certificate_file(*ctx, cf2, SSL_FILETYPE_PEM) <= 0)
 887         {
 888                 if (LogLevel > 7)
 889                 {
 890                         sm_syslog(LOG_WARNING, NOQID,
 891                                   "STARTTLS=%s, error: SSL_CTX_use_certificate_file(%s) failed",
 892                                   who, cf2);
 893                         if (LogLevel > 9)
 894                                 tlslogerr(who);
 895                 }
 896         }
 897
 898         /* also check the private key */
 899         if (bitset(TLS_S_KEY2_OK, status) &&
 900             (r = SSL_CTX_check_private_key(*ctx)) <= 0)
 901         {
 902                 /* Private key does not match the certificate public key */
 903                 if (LogLevel > 5)
 904                 {
 905                         sm_syslog(LOG_WARNING, NOQID,
 906                                   "STARTTLS=%s, error: SSL_CTX_check_private_key 2 failed: %d",
 907                                   who, r);
 908                         if (LogLevel > 9)
 909                                 tlslogerr(who);
 910                 }
 911         }
 912 # endif /* _FFR_TLS_1 */
 913
 914         /* SSL_CTX_set_quiet_shutdown(*ctx, 1); violation of standard? */
 915
 916         options = SSL_OP_ALL;   /* bug compatibility? */
 917 #if SM_SSL_OP_TLS_BLOCK_PADDING_BUG
 918
 919         /*
 920         **  In OpenSSL 0.9.8[ab], enabling zlib compression breaks the
 921         **  padding bug work-around, leading to false positives and
 922         **  failed connections. We may not interoperate with systems
 923         **  with the bug, but this is better than breaking on all 0.9.8[ab]
 924         **  systems that have zlib support enabled.
 925         **  Note: this checks the runtime version of the library, not
 926         **  just the compile time version.
 927         */
 928
 929         rt_version = SSLeay();
 930         if (rt_version >= 0x00908000L && rt_version <= 0x0090802fL)
 931         {
 932                 comp_methods = SSL_COMP_get_compression_methods();
 933                 if (comp_methods != NULL && sk_SSL_COMP_num(comp_methods) > 0)
 934                         options &= ~SSL_OP_TLS_BLOCK_PADDING_BUG;
 935         }
 936 #endif
 937         SSL_CTX_set_options(*ctx, options);
 938
 939 # if !NO_DH
 940         /* Diffie-Hellman initialization */
 941         if (bitset(TLS_I_TRY_DH, req))
 942         {
 943                 if (bitset(TLS_S_DHPAR_OK, status))
 944                 {
 945                         BIO *bio;
 946
 947                         if ((bio = BIO_new_file(dhparam, "r")) != NULL)
 948                         {
 949                                 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
 950                                 BIO_free(bio);
 951                                 if (dh == NULL && LogLevel > 7)
 952                                 {
 953                                         unsigned long err;
 954
 955                                         err = ERR_get_error();
 956                                         sm_syslog(LOG_WARNING, NOQID,
 957                                                   "STARTTLS=%s, error: cannot read DH parameters(%s): %s",
 958                                                   who, dhparam,
 959                                                   ERR_error_string(err, NULL));
 960                                         if (LogLevel > 9)
 961                                                 tlslogerr(who);
 962                                 }
 963                         }
 964                         else
 965                         {
 966                                 if (LogLevel > 5)
 967                                 {
 968                                         sm_syslog(LOG_WARNING, NOQID,
 969                                                   "STARTTLS=%s, error: BIO_new_file(%s) failed",
 970                                                   who, dhparam);
 971                                         if (LogLevel > 9)
 972                                                 tlslogerr(who);
 973                                 }
 974                         }
 975                 }
 976                 if (dh == NULL && bitset(TLS_I_DH1024, req))
 977                 {
 978                         DSA *dsa;
 979
 980                         /* this takes a while! (7-130s on a 450MHz AMD K6-2) */
 981                         dsa = DSA_generate_parameters(1024, NULL, 0, NULL,
 982                                                       NULL, 0, NULL);
 983                         dh = DSA_dup_DH(dsa);
 984                         DSA_free(dsa);
 985                 }
 986                 else
 987                 if (dh == NULL && bitset(TLS_I_DH512, req))
 988                         dh = get_dh512();
 989
 990                 if (dh == NULL)
 991                 {
 992                         if (LogLevel > 9)
 993                         {
 994                                 unsigned long err;
 995
 996                                 err = ERR_get_error();
 997                                 sm_syslog(LOG_WARNING, NOQID,
 998                                           "STARTTLS=%s, error: cannot read or set DH parameters(%s): %s",
 999                                           who, dhparam,
1000                                           ERR_error_string(err, NULL));
1001                         }
1002                         if (bitset(TLS_I_REQ_DH, req))
1003                                 return false;
1004                 }
1005                 else
1006                 {
1007                         SSL_CTX_set_tmp_dh(*ctx, dh);
1008
1009                         /* important to avoid small subgroup attacks */
1010                         SSL_CTX_set_options(*ctx, SSL_OP_SINGLE_DH_USE);
1011                         if (LogLevel > 13)
1012                                 sm_syslog(LOG_INFO, NOQID,
1013                                           "STARTTLS=%s, Diffie-Hellman init, key=%d bit (%c)",
1014                                           who, 8 * DH_size(dh), *dhparam);
1015                         DH_free(dh);
1016                 }
1017         }
1018 # endif /* !NO_DH */
1019
1020
1021         /* XXX do we need this cache here? */
1022         if (bitset(TLS_I_CACHE, req))
1023         {
1024                 SSL_CTX_sess_set_cache_size(*ctx, 1);
1025                 SSL_CTX_set_timeout(*ctx, 1);
1026                 SSL_CTX_set_session_id_context(*ctx,
1027                         (void *) &server_session_id_context,
1028                         sizeof(server_session_id_context));
1029                 (void) SSL_CTX_set_session_cache_mode(*ctx,
1030                                 SSL_SESS_CACHE_SERVER);
1031         }
1032         else
1033         {
1034                 (void) SSL_CTX_set_session_cache_mode(*ctx,
1035                                 SSL_SESS_CACHE_OFF);
1036         }
1037
1038         /* load certificate locations and default CA paths */
1039         if (bitset(TLS_S_CERTP_EX, status) && bitset(TLS_S_CERTF_EX, status))
1040         {
1041                 if ((r = SSL_CTX_load_verify_locations(*ctx, cacertfile,
1042                                                        cacertpath)) == 1)
1043                 {
1044 # if !TLS_NO_RSA
1045                         if (bitset(TLS_I_RSA_TMP, req))
1046                                 SSL_CTX_set_tmp_rsa_callback(*ctx, tmp_rsa_key);
1047 # endif /* !TLS_NO_RSA */
1048
1049                         /*
1050                         **  We have to install our own verify callback:
1051                         **  SSL_VERIFY_PEER requests a client cert but even
1052                         **  though *FAIL_IF* isn't set, the connection
1053                         **  will be aborted if the client presents a cert
1054                         **  that is not "liked" (can't be verified?) by
1055                         **  the TLS library :-(
1056                         */
1057
1058                         /*
1059                         **  XXX currently we could call tls_set_verify()
1060                         **  but we hope that that function will later on
1061                         **  only set the mode per connection.
1062                         */
1063                         SSL_CTX_set_verify(*ctx,
1064                                 bitset(TLS_I_NO_VRFY, req) ? SSL_VERIFY_NONE
1065                                                            : SSL_VERIFY_PEER,
1066                                 NULL);
1067
1068                         /* install verify callback */
1069                         SSL_CTX_set_cert_verify_callback(*ctx, tls_verify_cb,
1070                                                          NULL);
1071                         SSL_CTX_set_client_CA_list(*ctx,
1072                                 SSL_load_client_CA_file(cacertfile));
1073                 }
1074                 else
1075                 {
1076                         /*
1077                         **  can't load CA data; do we care?
1078                         **  the data is necessary to authenticate the client,
1079                         **  which in turn would be necessary
1080                         **  if we want to allow relaying based on it.
1081                         */
1082                         if (LogLevel > 5)
1083                         {
1084                                 sm_syslog(LOG_WARNING, NOQID,
1085                                           "STARTTLS=%s, error: load verify locs %s, %s failed: %d",
1086                                           who, cacertpath, cacertfile, r);
1087                                 if (LogLevel > 9)
1088                                         tlslogerr(who);
1089                         }
1090                         if (bitset(TLS_I_VRFY_LOC, req))
1091                                 return false;
1092                 }
1093         }
1094
1095         /* XXX: make this dependent on an option? */
1096         if (tTd(96, 9))
1097                 SSL_CTX_set_info_callback(*ctx, apps_ssl_info_cb);
1098
1099 # if _FFR_TLS_1
1100         /* install our own cipher list */
1101         if (CipherList != NULL && *CipherList != '\0')
1102         {
1103                 if (SSL_CTX_set_cipher_list(*ctx, CipherList) <= 0)
1104                 {
1105                         if (LogLevel > 7)
1106                         {
1107                                 sm_syslog(LOG_WARNING, NOQID,
1108                                           "STARTTLS=%s, error: SSL_CTX_set_cipher_list(%s) failed, list ignored",
1109                                           who, CipherList);
1110
1111                                 if (LogLevel > 9)
1112                                         tlslogerr(who);
1113                         }
1114                         /* failure if setting to this list is required? */
1115                 }
1116         }
1117 # endif /* _FFR_TLS_1 */
1118         if (LogLevel > 12)
1119                 sm_syslog(LOG_INFO, NOQID, "STARTTLS=%s, init=%d", who, ok);
1120
1121 # if _FFR_TLS_1
1122 #  if 0
1123         /*
1124         **  this label is required if we want to have a "clean" exit
1125         **  see the comments above at the initialization of cf2
1126         */
1127
1128     endinittls:
1129 #  endif /* 0 */
1130
1131         /* undo damage to global variables */
1132         if (cf2 != NULL)
1133                 *--cf2 = ',';
1134         if (kf2 != NULL)
1135                 *--kf2 = ',';
1136 # endif /* _FFR_TLS_1 */
1137
1138         return ok;
1139 }
1140 /*
1141 **  TLS_GET_INFO -- get information about TLS connection
1142 **
1143 **      Parameters:
1144 **              ssl -- TLS connection structure
1145 **              srv -- server or client
1146 **              host -- hostname of other side
1147 **              mac -- macro storage
1148 **              certreq -- did we ask for a cert?
1149 **
1150 **      Returns:
1151 **              result of authentication.
1152 **
1153 **      Side Effects:
1154 **              sets macros: {cipher}, {tls_version}, {verify},
1155 **              {cipher_bits}, {alg_bits}, {cert}, {cert_subject},
1156 **              {cert_issuer}, {cn_subject}, {cn_issuer}
1157 */
1158
1159 int
1160 tls_get_info(ssl, srv, host, mac, certreq)
1161         SSL *ssl;
1162         bool srv;
1163         char *host;
1164         MACROS_T *mac;
1165         bool certreq;
1166 {
1167         SSL_CIPHER *c;
1168         int b, r;
1169         long verifyok;
1170         char *s, *who;
1171         char bitstr[16];
1172         X509 *cert;
1173
1174         c = SSL_get_current_cipher(ssl);
1175
1176         /* cast is just workaround for compiler warning */
1177         macdefine(mac, A_TEMP, macid("{cipher}"),
1178                   (char *) SSL_CIPHER_get_name(c));
1179         b = SSL_CIPHER_get_bits(c, &r);
1180         (void) sm_snprintf(bitstr, sizeof(bitstr), "%d", b);
1181         macdefine(mac, A_TEMP, macid("{cipher_bits}"), bitstr);
1182         (void) sm_snprintf(bitstr, sizeof(bitstr), "%d", r);
1183         macdefine(mac, A_TEMP, macid("{alg_bits}"), bitstr);
1184         s = SSL_CIPHER_get_version(c);
1185         if (s == NULL)
1186                 s = "UNKNOWN";
1187         macdefine(mac, A_TEMP, macid("{tls_version}"), s);
1188
1189         who = srv ? "server" : "client";
1190         cert = SSL_get_peer_certificate(ssl);
1191         verifyok = SSL_get_verify_result(ssl);
1192         if (LogLevel > 14)
1193                 sm_syslog(LOG_INFO, NOQID,
1194                           "STARTTLS=%s, get_verify: %ld get_peer: 0x%lx",
1195                           who, verifyok, (unsigned long) cert);
1196         if (cert != NULL)
1197         {
1198                 unsigned int n;
1199                 unsigned char md[EVP_MAX_MD_SIZE];
1200                 char buf[MAXNAME];
1201
1202                 X509_NAME_oneline(X509_get_subject_name(cert),
1203                                   buf, sizeof(buf));
1204                 macdefine(mac, A_TEMP, macid("{cert_subject}"),
1205                          xtextify(buf, "<>\")"));
1206                 X509_NAME_oneline(X509_get_issuer_name(cert),
1207                                   buf, sizeof(buf));
1208                 macdefine(mac, A_TEMP, macid("{cert_issuer}"),
1209                          xtextify(buf, "<>\")"));
1210                 X509_NAME_get_text_by_NID(X509_get_subject_name(cert),
1211                                           NID_commonName, buf, sizeof(buf));
1212                 macdefine(mac, A_TEMP, macid("{cn_subject}"),
1213                          xtextify(buf, "<>\")"));
1214                 X509_NAME_get_text_by_NID(X509_get_issuer_name(cert),
1215                                           NID_commonName, buf, sizeof(buf));
1216                 macdefine(mac, A_TEMP, macid("{cn_issuer}"),
1217                          xtextify(buf, "<>\")"));
1218                 n = 0;
1219                 if (X509_digest(cert, EVP_md5(), md, &n) != 0 && n > 0)
1220                 {
1221                         char md5h[EVP_MAX_MD_SIZE * 3];
1222                         static const char hexcodes[] = "0123456789ABCDEF";
1223
1224                         SM_ASSERT((n * 3) + 2 < sizeof(md5h));
1225                         for (r = 0; r < (int) n; r++)
1226                         {
1227                                 md5h[r * 3] = hexcodes[(md[r] & 0xf0) >> 4];
1228                                 md5h[(r * 3) + 1] = hexcodes[(md[r] & 0x0f)];
1229                                 md5h[(r * 3) + 2] = ':';
1230                         }
1231                         md5h[(n * 3) - 1] = '\0';
1232                         macdefine(mac, A_TEMP, macid("{cert_md5}"), md5h);
1233                 }
1234                 else
1235                         macdefine(mac, A_TEMP, macid("{cert_md5}"), "");
1236         }
1237         else
1238         {
1239                 macdefine(mac, A_PERM, macid("{cert_subject}"), "");
1240                 macdefine(mac, A_PERM, macid("{cert_issuer}"), "");
1241                 macdefine(mac, A_PERM, macid("{cn_subject}"), "");
1242                 macdefine(mac, A_PERM, macid("{cn_issuer}"), "");
1243                 macdefine(mac, A_TEMP, macid("{cert_md5}"), "");
1244         }
1245         switch (verifyok)
1246         {
1247           case X509_V_OK:
1248                 if (cert != NULL)
1249                 {
1250                         s = "OK";
1251                         r = TLS_AUTH_OK;
1252                 }
1253                 else
1254                 {
1255                         s = certreq ? "NO" : "NOT",
1256                         r = TLS_AUTH_NO;
1257                 }
1258                 break;
1259           default:
1260                 s = "FAIL";
1261                 r = TLS_AUTH_FAIL;
1262                 break;
1263         }
1264         macdefine(mac, A_PERM, macid("{verify}"), s);
1265         if (cert != NULL)
1266                 X509_free(cert);
1267
1268         /* do some logging */
1269         if (LogLevel > 8)
1270         {
1271                 char *vers, *s1, *s2, *cbits, *algbits;
1272
1273                 vers = macget(mac, macid("{tls_version}"));
1274                 cbits = macget(mac, macid("{cipher_bits}"));
1275                 algbits = macget(mac, macid("{alg_bits}"));
1276                 s1 = macget(mac, macid("{verify}"));
1277                 s2 = macget(mac, macid("{cipher}"));
1278
1279                 /* XXX: maybe cut off ident info? */
1280                 sm_syslog(LOG_INFO, NOQID,
1281                           "STARTTLS=%s, relay=%.100s, version=%.16s, verify=%.16s, cipher=%.64s, bits=%.6s/%.6s",
1282                           who,
1283                           host == NULL ? "local" : host,
1284                           vers, s1, s2, /* sm_snprintf() can deal with NULL */
1285                           algbits == NULL ? "0" : algbits,
1286                           cbits == NULL ? "0" : cbits);
1287                 if (LogLevel > 11)
1288                 {
1289                         /*
1290                         **  Maybe run xuntextify on the strings?
1291                         **  That is easier to read but makes it maybe a bit
1292                         **  more complicated to figure out the right values
1293                         **  for the access map...
1294                         */
1295
1296                         s1 = macget(mac, macid("{cert_subject}"));
1297                         s2 = macget(mac, macid("{cert_issuer}"));
1298                         sm_syslog(LOG_INFO, NOQID,
1299                                   "STARTTLS=%s, cert-subject=%.256s, cert-issuer=%.256s, verifymsg=%s",
1300                                   who, s1, s2,
1301                                   X509_verify_cert_error_string(verifyok));
1302                 }
1303         }
1304         return r;
1305 }
1306 /*
1307 **  ENDTLS -- shutdown secure connection
1308 **
1309 **      Parameters:
1310 **              ssl -- SSL connection information.
1311 **              side -- server/client (for logging).
1312 **
1313 **      Returns:
1314 **              success? (EX_* code)
1315 */
1316
1317 int
1318 endtls(ssl, side)
1319         SSL *ssl;
1320         char *side;
1321 {
1322         int ret = EX_OK;
1323
1324         if (ssl != NULL)
1325         {
1326                 int r;
1327
1328                 if ((r = SSL_shutdown(ssl)) < 0)
1329                 {
1330                         if (LogLevel > 11)
1331                         {
1332                                 sm_syslog(LOG_WARNING, NOQID,
1333                                           "STARTTLS=%s, SSL_shutdown failed: %d",
1334                                           side, r);
1335                                 tlslogerr(side);
1336                         }
1337                         ret = EX_SOFTWARE;
1338                 }
1339 # if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER > 0x0090602fL
1340
1341                 /*
1342                 **  Bug in OpenSSL (at least up to 0.9.6b):
1343                 **  From: Lutz.Jaenicke@aet.TU-Cottbus.DE
1344                 **  Message-ID: <20010723152244.A13122@serv01.aet.tu-cottbus.de>
1345                 **  To: openssl-users@openssl.org
1346                 **  Subject: Re: SSL_shutdown() woes (fwd)
1347                 **
1348                 **  The side sending the shutdown alert first will
1349                 **  not care about the answer of the peer but will
1350                 **  immediately return with a return value of "0"
1351                 **  (ssl/s3_lib.c:ssl3_shutdown()). SSL_get_error will evaluate
1352                 **  the value of "0" and as the shutdown alert of the peer was
1353                 **  not received (actually, the program did not even wait for
1354                 **  the answer), an SSL_ERROR_SYSCALL is flagged, because this
1355                 **  is the default rule in case everything else does not apply.
1356                 **
1357                 **  For your server the problem is different, because it
1358                 **  receives the shutdown first (setting SSL_RECEIVED_SHUTDOWN),
1359                 **  then sends its response (SSL_SENT_SHUTDOWN), so for the
1360                 **  server the shutdown was successfull.
1361                 **
1362                 **  As is by know, you would have to call SSL_shutdown() once
1363                 **  and ignore an SSL_ERROR_SYSCALL returned. Then call
1364                 **  SSL_shutdown() again to actually get the server's response.
1365                 **
1366                 **  In the last discussion, Bodo Moeller concluded that a
1367                 **  rewrite of the shutdown code would be necessary, but
1368                 **  probably with another API, as the change would not be
1369                 **  compatible to the way it is now.  Things do not become
1370                 **  easier as other programs do not follow the shutdown
1371                 **  guidelines anyway, so that a lot error conditions and
1372                 **  compitibility issues would have to be caught.
1373                 **
1374                 **  For now the recommondation is to ignore the error message.
1375                 */
1376
1377                 else if (r == 0)
1378                 {
1379                         if (LogLevel > 15)
1380                         {
1381                                 sm_syslog(LOG_WARNING, NOQID,
1382                                           "STARTTLS=%s, SSL_shutdown not done",
1383                                           side);
1384                                 tlslogerr(side);
1385                         }
1386                         ret = EX_SOFTWARE;
1387                 }
1388 # endif /* !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER > 0x0090602fL */
1389                 SSL_free(ssl);
1390                 ssl = NULL;
1391         }
1392         return ret;
1393 }
1394
1395 # if !TLS_NO_RSA
1396 /*
1397 **  TMP_RSA_KEY -- return temporary RSA key
1398 **
1399 **      Parameters:
1400 **              s -- TLS connection structure
1401 **              export --
1402 **              keylength --
1403 **
1404 **      Returns:
1405 **              temporary RSA key.
1406 */
1407
1408 #   ifndef MAX_RSA_TMP_CNT
1409 #    define MAX_RSA_TMP_CNT     1000    /* XXX better value? */
1410 #   endif /* ! MAX_RSA_TMP_CNT */
1411
1412 /* ARGUSED0 */
1413 static RSA *
1414 tmp_rsa_key(s, export, keylength)
1415         SSL *s;
1416         int export;
1417         int keylength;
1418 {
1419 #   if SM_CONF_SHM
1420         extern int ShmId;
1421         extern int *PRSATmpCnt;
1422
1423         if (ShmId != SM_SHM_NO_ID && rsa_tmp != NULL &&
1424             ++(*PRSATmpCnt) < MAX_RSA_TMP_CNT)
1425                 return rsa_tmp;
1426 #   endif /* SM_CONF_SHM */
1427
1428         if (rsa_tmp != NULL)
1429                 RSA_free(rsa_tmp);
1430         rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL, NULL);
1431         if (rsa_tmp == NULL)
1432         {
1433                 if (LogLevel > 0)
1434                         sm_syslog(LOG_ERR, NOQID,
1435                                   "STARTTLS=server, tmp_rsa_key: RSA_generate_key failed!");
1436         }
1437         else
1438         {
1439 #   if SM_CONF_SHM
1440 #    if 0
1441                 /*
1442                 **  XXX we can't (yet) share the new key...
1443                 **      The RSA structure contains pointers hence it can't be
1444                 **      easily kept in shared memory.  It must be transformed
1445                 **      into a continous memory region first, then stored,
1446                 **      and later read out again (each time re-transformed).
1447                 */
1448
1449                 if (ShmId != SM_SHM_NO_ID)
1450                         *PRSATmpCnt = 0;
1451 #    endif /* 0 */
1452 #   endif /* SM_CONF_SHM */
1453                 if (LogLevel > 9)
1454                         sm_syslog(LOG_ERR, NOQID,
1455                                   "STARTTLS=server, tmp_rsa_key: new temp RSA key");
1456         }
1457         return rsa_tmp;
1458 }
1459 # endif /* !TLS_NO_RSA */
1460 /*
1461 **  APPS_SSL_INFO_CB -- info callback for TLS connections
1462 **
1463 **      Parameters:
1464 **              s -- TLS connection structure
1465 **              where -- state in handshake
1466 **              ret -- return code of last operation
1467 **
1468 **      Returns:
1469 **              none.
1470 */
1471
1472 static void
1473 apps_ssl_info_cb(s, where, ret)
1474         CONST097 SSL *s;
1475         int where;
1476         int ret;
1477 {
1478         int w;
1479         char *str;
1480         BIO *bio_err = NULL;
1481
1482         if (LogLevel > 14)
1483                 sm_syslog(LOG_INFO, NOQID,
1484                           "STARTTLS: info_callback where=0x%x, ret=%d",
1485                           where, ret);
1486
1487         w = where & ~SSL_ST_MASK;
1488         if (bio_err == NULL)
1489                 bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
1490
1491         if (bitset(SSL_ST_CONNECT, w))
1492                 str = "SSL_connect";
1493         else if (bitset(SSL_ST_ACCEPT, w))
1494                 str = "SSL_accept";
1495         else
1496                 str = "undefined";
1497
1498         if (bitset(SSL_CB_LOOP, where))
1499         {
1500                 if (LogLevel > 12)
1501                         sm_syslog(LOG_NOTICE, NOQID,
1502                                 "STARTTLS: %s:%s",
1503                                 str, SSL_state_string_long(s));
1504         }
1505         else if (bitset(SSL_CB_ALERT, where))
1506         {
1507                 str = bitset(SSL_CB_READ, where) ? "read" : "write";
1508                 if (LogLevel > 12)
1509                         sm_syslog(LOG_NOTICE, NOQID,
1510                                 "STARTTLS: SSL3 alert %s:%s:%s",
1511                                 str, SSL_alert_type_string_long(ret),
1512                                 SSL_alert_desc_string_long(ret));
1513         }
1514         else if (bitset(SSL_CB_EXIT, where))
1515         {
1516                 if (ret == 0)
1517                 {
1518                         if (LogLevel > 7)
1519                                 sm_syslog(LOG_WARNING, NOQID,
1520                                         "STARTTLS: %s:failed in %s",
1521                                         str, SSL_state_string_long(s));
1522                 }
1523                 else if (ret < 0)
1524                 {
1525                         if (LogLevel > 7)
1526                                 sm_syslog(LOG_WARNING, NOQID,
1527                                         "STARTTLS: %s:error in %s",
1528                                         str, SSL_state_string_long(s));
1529                 }
1530         }
1531 }
1532 /*
1533 **  TLS_VERIFY_LOG -- log verify error for TLS certificates
1534 **
1535 **      Parameters:
1536 **              ok -- verify ok?
1537 **              ctx -- x509 context
1538 **
1539 **      Returns:
1540 **              0 -- fatal error
1541 **              1 -- ok
1542 */
1543
1544 static int
1545 tls_verify_log(ok, ctx, name)
1546         int ok;
1547         X509_STORE_CTX *ctx;
1548         char *name;
1549 {
1550         SSL *ssl;
1551         X509 *cert;
1552         int reason, depth;
1553         char buf[512];
1554
1555         cert = X509_STORE_CTX_get_current_cert(ctx);
1556         reason = X509_STORE_CTX_get_error(ctx);
1557         depth = X509_STORE_CTX_get_error_depth(ctx);
1558         ssl = (SSL *) X509_STORE_CTX_get_ex_data(ctx,
1559                         SSL_get_ex_data_X509_STORE_CTX_idx());
1560
1561         if (ssl == NULL)
1562         {
1563                 /* internal error */
1564                 sm_syslog(LOG_ERR, NOQID,
1565                           "STARTTLS: internal error: tls_verify_cb: ssl == NULL");
1566                 return 0;
1567         }
1568
1569         X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
1570         sm_syslog(LOG_INFO, NOQID,
1571                   "STARTTLS: %s cert verify: depth=%d %s, state=%d, reason=%s",
1572                   name, depth, buf, ok, X509_verify_cert_error_string(reason));
1573         return 1;
1574 }
1575
1576 /*
1577 **  TLS_VERIFY_CB -- verify callback for TLS certificates
1578 **
1579 **      Parameters:
1580 **              ctx -- x509 context
1581 **
1582 **      Returns:
1583 **              accept connection?
1584 **              currently: always yes.
1585 */
1586
1587 static int
1588 #  if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x00907000L
1589 tls_verify_cb(ctx)
1590         X509_STORE_CTX *ctx;
1591 #  else /* !defined() || OPENSSL_VERSION_NUMBER < 0x00907000L */
1592 tls_verify_cb(ctx, unused)
1593         X509_STORE_CTX *ctx;
1594         void *unused;
1595 #  endif /* !defined() || OPENSSL_VERSION_NUMBER < 0x00907000L */
1596 {
1597         int ok;
1598
1599         ok = X509_verify_cert(ctx);
1600         if (ok == 0)
1601         {
1602                 if (LogLevel > 13)
1603                         return tls_verify_log(ok, ctx, "TLS");
1604                 return 1;       /* override it */
1605         }
1606         return ok;
1607 }
1608 /*
1609 **  TLSLOGERR -- log the errors from the TLS error stack
1610 **
1611 **      Parameters:
1612 **              who -- server/client (for logging).
1613 **
1614 **      Returns:
1615 **              none.
1616 */
1617
1618 void
1619 tlslogerr(who)
1620         const char *who;
1621 {
1622         unsigned long l;
1623         int line, flags;
1624         unsigned long es;
1625         char *file, *data;
1626         char buf[256];
1627 #  define CP (const char **)
1628
1629         es = CRYPTO_thread_id();
1630         while ((l = ERR_get_error_line_data(CP &file, &line, CP &data, &flags))
1631                 != 0)
1632         {
1633                 sm_syslog(LOG_WARNING, NOQID,
1634                           "STARTTLS=%s: %lu:%s:%s:%d:%s", who, es,
1635                           ERR_error_string(l, buf),
1636                           file, line,
1637                           bitset(ERR_TXT_STRING, flags) ? data : "");
1638         }
1639 }
1640
1641 # if OPENSSL_VERSION_NUMBER > 0x00907000L
1642 /*
1643 **  X509_VERIFY_CB -- verify callback
1644 **
1645 **      Parameters:
1646 **              ctx -- x509 context
1647 **
1648 **      Returns:
1649 **              accept connection?
1650 **              currently: always yes.
1651 */
1652
1653 static int
1654 x509_verify_cb(ok, ctx)
1655         int ok;
1656         X509_STORE_CTX *ctx;
1657 {
1658         if (ok == 0)
1659         {
1660                 if (LogLevel > 13)
1661                         tls_verify_log(ok, ctx, "x509");
1662                 if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL)
1663                 {
1664                         ctx->error = 0;
1665                         return 1;       /* override it */
1666                 }
1667         }
1668         return ok;
1669 }
1670 # endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
1671 #endif /* STARTTLS */