| blob | 64c055997be311674e6cc4ec85d120729051db8f |
1 /* $NetBSD: tls_server.c,v 1.1.1.1 2009/06/23 10:08:57 tron Exp $ */
3 /*++
4 /* NAME
5 /* tls_server 3
6 /* SUMMARY
7 /* server-side TLS engine
8 /* SYNOPSIS
9 /* #include <tls.h>
10 /*
11 /* TLS_APPL_STATE *tls_server_init(props)
12 /* const TLS_SERVER_INIT_PROPS *props;
13 /*
14 /* TLS_SESS_STATE *tls_server_start(props)
15 /* const TLS_SERVER_START_PROPS *props;
16 /*
17 /* void tls_server_stop(app_ctx, stream, failure, TLScontext)
18 /* TLS_APPL_STATE *app_ctx;
19 /* VSTREAM *stream;
20 /* int failure;
21 /* TLS_SESS_STATE *TLScontext;
22 /* DESCRIPTION
23 /* This module is the interface between Postfix TLS servers,
24 /* the OpenSSL library, and the TLS entropy and cache manager.
25 /*
26 /* tls_server_init() is called once when the SMTP server
27 /* initializes.
28 /* Certificate details are also decided during this phase,
29 /* so that peer-specific behavior is not possible.
30 /*
31 /* tls_server_start() activates the TLS feature for the VSTREAM
32 /* passed as argument. We assume that network buffers are flushed
33 /* and the TLS handshake can begin immediately.
34 /*
35 /* tls_server_stop() sends the "close notify" alert via
36 /* SSL_shutdown() to the peer and resets all connection specific
37 /* TLS data. As RFC2487 does not specify a separate shutdown, it
38 /* is assumed that the underlying TCP connection is shut down
39 /* immediately afterwards. Any further writes to the channel will
40 /* be discarded, and any further reads will report end-of-file.
41 /* If the failure flag is set, no SSL_shutdown() handshake is performed.
42 /*
43 /* Once the TLS connection is initiated, information about the TLS
44 /* state is available via the TLScontext structure:
45 /* .IP TLScontext->protocol
46 /* the protocol name (SSLv2, SSLv3, TLSv1),
47 /* .IP TLScontext->cipher_name
48 /* the cipher name (e.g. RC4/MD5),
49 /* .IP TLScontext->cipher_usebits
50 /* the number of bits actually used (e.g. 40),
51 /* .IP TLScontext->cipher_algbits
52 /* the number of bits the algorithm is based on (e.g. 128).
53 /* .PP
54 /* The last two values may differ from each other when export-strength
55 /* encryption is used.
56 /*
57 /* If the peer offered a certificate, part of the certificate data are
58 /* available as:
59 /* .IP TLScontext->peer_status
60 /* A bitmask field that records the status of the peer certificate
61 /* verification. One or more of TLS_CERT_FLAG_PRESENT and
62 /* TLS_CERT_FLAG_TRUSTED.
63 /* .IP TLScontext->peer_CN
64 /* Extracted CommonName of the peer, or zero-length string
65 /* when information could not be extracted.
66 /* .IP TLScontext->issuer_CN
67 /* Extracted CommonName of the issuer, or zero-length string
68 /* when information could not be extracted.
69 /* .IP TLScontext->peer_fingerprint
70 /* Fingerprint of the certificate, or zero-length string when no peer
71 /* certificate is available.
72 /* .PP
73 /* If no peer certificate is presented the peer_status is set to 0.
74 /* LICENSE
75 /* .ad
76 /* .fi
77 /* This software is free. You can do with it whatever you want.
78 /* The original author kindly requests that you acknowledge
79 /* the use of his software.
80 /* AUTHOR(S)
81 /* Originally written by:
82 /* Lutz Jaenicke
83 /* BTU Cottbus
84 /* Allgemeine Elektrotechnik
85 /* Universitaetsplatz 3-4
86 /* D-03044 Cottbus, Germany
87 /*
88 /* Updated by:
89 /* Wietse Venema
90 /* IBM T.J. Watson Research
91 /* P.O. Box 704
92 /* Yorktown Heights, NY 10598, USA
93 /*
94 /* Victor Duchovni
95 /* Morgan Stanley
96 /*--*/
98 /* System library. */
100 #include <sys_defs.h>
102 #ifdef USE_TLS
103 #include <unistd.h>
104 #include <string.h>
106 /* Utility library. */
108 #include <mymalloc.h>
109 #include <vstring.h>
110 #include <vstream.h>
111 #include <dict.h>
112 #include <stringops.h>
113 #include <msg.h>
114 #include <hex_code.h>
116 /* Global library. */
118 #include <mail_params.h>
120 /* TLS library. */
122 #include <tls_mgr.h>
123 #define TLS_INTERNAL
124 #include <tls.h>
126 #define STR(x) vstring_str(x)
127 #define LEN(x) VSTRING_LEN(x)
129 /* Application-specific. */
131 /*
132 * The session_id_context indentifies the service that created a session.
133 * This information is used to distinguish between multiple TLS-based
134 * servers running on the same server. We use the name of the mail system.
135 */
138 /* get_server_session_cb - callback to retrieve session from server cache */
143 {
153 #define GEN_CACHE_ID(buf, id, len, service) \
154 do { \
155 buf = vstring_alloc(2 * (len) + 1 + strlen(service) + 3); \
156 hex_encode(buf, (char *) (id), (len)); \
158 } while (0)
167 /*
168 * Load the session from cache and decode it.
169 */
177 }
179 /*
180 * Clean up.
181 */
186 }
188 /* uncache_session - remove session from internal & external cache */
191 {
209 }
211 /* new_server_session_cb - callback to save session to server cache */
214 {
230 /*
231 * Passivate and save the session state.
232 */
238 /*
239 * Clean up.
240 */
247 }
249 /* tls_server_init - initialize the server-side TLS engine */
252 {
265 /*
266 * Load (mostly cipher related) TLS-library internal main.cf parameters.
267 */
270 /*
271 * Detect mismatch between compile-time headers and run-time library.
272 */
275 /*
276 * Initialize the OpenSSL library by the book! To start with, we must
277 * initialize the algorithms. We want cleartext error messages instead of
278 * just error codes, so we load the error_strings.
279 */
283 /*
284 * First validate the protocols. If these are invalid, we can't continue.
285 */
288 /* tls_protocol_mask() logs no warning. */
292 }
294 /*
295 * Create an application data index for SSL objects, so that we can
296 * attach TLScontext information; this information is needed inside
297 * tls_verify_certificate_callback().
298 */
304 }
305 }
307 /*
308 * If the administrator specifies an unsupported digest algorithm, fail
309 * now, rather than in the middle of a TLS handshake.
310 */
315 }
317 /*
318 * Sanity check: Newer shared libraries may use larger digests.
319 */
324 }
326 /*
327 * Initialize the PRNG (Pseudo Random Number Generator) with some seed
328 * from external and internal sources. Don't enable TLS without some real
329 * entropy.
330 */
334 }
337 /*
338 * The SSL/TLS specifications require the client to send a message in the
339 * oldest specification it understands with the highest level it
340 * understands in the message. Netscape communicator can still
341 * communicate with SSLv2 servers, so it sends out a SSLv2 client hello.
342 * To deal with it, our server must be SSLv2 aware (even if we don't like
343 * SSLv2), so we need to have the SSLv23 server here. If we want to limit
344 * the protocol level, we can add an option to not use SSLv2/v3/TLSv1
345 * later.
346 */
352 }
354 /*
355 * See the verify callback in tls_verify.c
356 */
359 /*
360 * Protocol work-arounds, OpenSSL version dependent.
361 */
365 /*
366 * Global protocol selection.
367 */
374 /*
375 * Set the call-back routine to debug handshake progress.
376 */
380 /*
381 * Load the CA public key certificates for both the server cert and for
382 * the verification of client certificates. As provided by OpenSSL we
383 * support two types of CA certificate handling: One possibility is to
384 * add all CA certificates to one large CAfile, the other possibility is
385 * a directory pointed to by CApath, containing separate files for each
386 * CA with softlinks named after the hash values of the certificate. The
387 * first alternative has the advantage that the file is opened and read
388 * at startup time, so that you don't have the hassle to maintain another
389 * copy of the CApath directory for chroot-jail.
390 */
393 /* tls_set_ca_certificate_info() already logs a warning. */
396 }
398 /*
399 * Load the server public key certificate and private key from file and
400 * check whether the cert matches the key. We can use RSA certificates
401 * ("cert") DSA certificates ("dcert") or ECDSA certificates ("eccert").
402 * All three can be made available at the same time. The CA certificates
403 * for all three are handled in the same setup already finished. Which
404 * one is used depends on the cipher negotiated (that is: the first
405 * cipher listed by the client which does match the server). A client
406 * with RSA only (e.g. Netscape) will use the RSA certificate only. A
407 * client with openssl-library will use RSA first if not especially
408 * changed in the cipher setup.
409 */
417 /* tls_set_my_certificate_key_info() already logs a warning. */
420 }
422 /*
423 * According to the OpenSSL documentation, temporary RSA key is needed
424 * export ciphers are in use. We have to provide one, so well, we just do
425 * it.
426 */
429 /*
430 * Diffie-Hellman key generation parameters can either be loaded from
431 * files (preferred) or taken from compiled in values. First, set the
432 * callback that will select the values when requested, then load the
433 * (possibly) available DH parameters from files. We are generous with
434 * the error handling, since we do have default values compiled in, so we
435 * will not abort but just log the error message.
436 */
443 /*
444 * Enable EECDH if available, errors are not fatal, we just keep going
445 * with any remaining key-exchange algorithms.
446 */
449 /*
450 * If we want to check client certificates, we have to indicate it in
451 * advance. By now we only allow to decide on a global basis. If we want
452 * to allow certificate based relaying, we must ask the client to provide
453 * one with SSL_VERIFY_PEER. The client now can decide, whether it
454 * provides one or not. We can enforce a failure of the negotiation with
455 * SSL_VERIFY_FAIL_IF_NO_PEER_CERT, if we do not allow a connection
456 * without one. In the "server hello" following the initialization by the
457 * "client hello" the server must provide a list of CAs it is willing to
458 * accept. Some clever clients will then select one from the list of
459 * available certificates matching these CAs. Netscape Communicator will
460 * present the list of certificates for selecting the one to be sent, or
461 * it will issue a warning, if there is no certificate matching the
462 * available CAs.
463 *
464 * With regard to the purpose of the certificate for relaying, we might like
465 * a later negotiation, maybe relaying would already be allowed for other
466 * reasons, but this would involve severe changes in the internal postfix
467 * logic, so we have to live with it the way it is.
468 */
472 tls_verify_certificate_callback);
477 /*
478 * Initialize our own TLS server handle, before diving into the details
479 * of TLS session cache management.
480 */
483 /*
484 * The session cache is implemented by the tlsmgr(8) server.
485 *
486 * XXX 200502 Surprise: when OpenSSL purges an entry from the in-memory
487 * cache, it also attempts to purge the entry from the on-disk cache.
488 * This is undesirable, especially when we set the in-memory cache size
489 * to 1. For this reason we don't allow OpenSSL to purge on-disk cache
490 * entries, and leave it up to the tlsmgr process instead. Found by
491 * Victor Duchovni.
492 */
499 /*
500 * Initialize the session cache.
501 *
502 * With a large number of concurrent smtpd(8) processes, it is not a
503 * good idea to cache multiple large session objects in each process.
504 * We set the internal cache size to 1, and don't register a
505 * "remove_cb" so as to avoid deleting good sessions from the
506 * external cache prematurely (when the internal cache is full,
507 * OpenSSL removes sessions from the external cache also)!
508 *
509 * This makes SSL_CTX_remove_session() not useful for flushing broken
510 * sessions from the external cache, so we must delete them directly
511 * (not via a callback).
512 *
513 * Set a session id context to identify to what type of server process
514 * created a session. In our case, the context is simply the name of
515 * the mail system: "Postfix/TLS".
516 */
522 SSL_SESS_CACHE_SERVER |
523 SSL_SESS_CACHE_NO_AUTO_CLEAR);
529 }
531 /*
532 * OpenSSL ignores timed-out sessions. We need to set the internal
533 * cache timeout at least as high as the external cache timeout. This
534 * applies even if no internal cache is used.
535 */
539 /*
540 * If we have no external cache, disable all caching. No use wasting
541 * server memory resources with sessions they are unlikely to be able
542 * to reuse.
543 */
545 }
548 }
550 /*
551 * This is the actual startup routine for a new connection. We expect that
552 * the SMTP buffers are flushed and the "220 Ready to start TLS" was sent to
553 * the client, so that we can immediately start the TLS handshake process.
554 */
556 {
574 }
578 /*
579 * Allocate a new TLScontext for the new connection and get an SSL
580 * structure. Add the location of TLScontext to the SSL to later retrieve
581 * the information inside the tls_verify_certificate_callback().
582 */
595 }
601 }
603 /*
604 * The TLS connection is realized by a BIO_pair, so obtain the pair.
605 *
606 * XXX There is no need to store the internal_bio handle in the TLScontext
607 * structure. It will be attached to and destroyed with TLScontext->con.
608 * The network_bio, however, needs to be freed explicitly, so we need to
609 * store its handle in TLScontext.
610 */
617 }
619 /*
620 * Before really starting anything, try to seed the PRNG a little bit
621 * more.
622 */
626 /*
627 * Initialize the SSL connection to accept state. This should not be
628 * necessary anymore since 0.9.3, but the call is still in the library
629 * and maintaining compatibility never hurts.
630 */
633 /*
634 * Connect the SSL connection with the Postfix side of the BIO-pair for
635 * reading and writing.
636 */
640 /*
641 * If the debug level selected is high enough, all of the data is dumped:
642 * 3 will dump the SSL negotiation, 4 will dump everything.
643 *
644 * We do have an SSL_set_fd() and now suddenly a BIO_ routine is called?
645 * Well there is a BIO below the SSL routines that is automatically
646 * created for us, so we can use it for debugging purposes.
647 */
651 /*
652 * Start TLS negotiations. This process is a black box that invokes our
653 * call-backs for session caching and certificate verification.
654 *
655 * Error handling: If the SSL handhake fails, we print out an error message
656 * and remove all TLS state concerning this session.
657 */
659 TLScontext);
665 }
666 /* Only loglevel==4 dumps everything */
670 /*
671 * The caller may want to know if this session was reused or if a new
672 * session was negotiated.
673 */
678 /*
679 * Let's see whether a peer certificate is available and what is the
680 * actual information. We want to save it for later use.
681 */
695 }
706 }
712 }
714 /*
715 * Finally, collect information about protocol and cipher for logging
716 */
723 /*
724 * The TLS engine is active. Switch to the tls_timed_read/write()
725 * functions and make the TLScontext available to those functions.
726 */
729 /*
730 * All the key facts in a single log entry.
731 */
742 }