X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/723fe533c452eb258a5a7e0b808d714bbbc7cb01..01a4a5c5cbaa40ca618d3e233991ce183b551477:/src/src/tls-openssl.c diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 4de3cad51..7c66775c0 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -38,6 +38,13 @@ functions from the OpenSSL library. */ #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT) # define EXIM_HAVE_OPENSSL_TLSEXT #endif +#if OPENSSL_VERSION_NUMBER >= 0x010100000L +# define EXIM_HAVE_OPENSSL_CHECKHOST +#endif +#if OPENSSL_VERSION_NUMBER >= 0x010000000L \ + && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L +# define EXIM_HAVE_OPENSSL_CHECKHOST +#endif #if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP) # warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile" @@ -116,10 +123,7 @@ typedef struct tls_ext_ctx_cb { uschar *server_cipher_list; /* only passed down to tls_error: */ host_item *host; - -#ifdef EXPERIMENTAL_CERTNAMES uschar * verify_cert_hostnames; -#endif #ifdef EXPERIMENTAL_EVENT uschar * event_action; #endif @@ -165,7 +169,7 @@ Returns: OK/DEFER/FAIL */ static int -tls_error(uschar *prefix, host_item *host, uschar *msg) +tls_error(uschar * prefix, const host_item * host, uschar * msg) { if (!msg) { @@ -287,8 +291,11 @@ verify_callback(int state, X509_STORE_CTX *x509ctx, { X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx); int depth = X509_STORE_CTX_get_error_depth(x509ctx); -uschar * ev; static uschar txt[256]; +#ifdef EXPERIMENTAL_EVENT +uschar * ev; +uschar * yield; +#endif X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt)); @@ -298,7 +305,6 @@ if (state == 0) depth, X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), txt); - tlsp->certificate_verified = FALSE; *calledp = TRUE; if (!*optionalp) { @@ -328,13 +334,15 @@ else if (depth != 0) if (ev) { tlsp->peercert = X509_dup(cert); - if (event_raise(ev, US"tls:cert", string_sprintf("%d", depth)) == DEFER) + if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth)))) { log_write(0, LOG_MAIN, "SSL verify denied by event-action: " - "depth=%d cert=%s", depth, txt); - tlsp->certificate_verified = FALSE; + "depth=%d cert=%s: %s", depth, txt, yield); *calledp = TRUE; - return 0; /* reject */ + if (!*optionalp) + return 0; /* reject */ + DEBUG(D_tls) debug_printf("Event-action verify failure overridden " + "(host in tls_try_verify_hosts)\n"); } X509_free(tlsp->peercert); tlsp->peercert = NULL; @@ -343,21 +351,21 @@ else if (depth != 0) } else { -#ifdef EXPERIMENTAL_CERTNAMES uschar * verify_cert_hostnames; -#endif tlsp->peerdn = txt; tlsp->peercert = X509_dup(cert); -#ifdef EXPERIMENTAL_CERTNAMES if ( tlsp == &tls_out && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames))) /* client, wanting hostname check */ -# if OPENSSL_VERSION_NUMBER >= 0x010100000L || OPENSSL_VERSION_NUMBER >= 0x010002000L +# if EXIM_HAVE_OPENSSL_CHECKHOST # ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS # define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0 +# endif +# ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS +# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0 # endif { int sep = 0; @@ -366,7 +374,8 @@ else int rc; while ((name = string_nextinlist(&list, &sep, NULL, 0))) if ((rc = X509_check_host(cert, name, 0, - X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS))) + X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS + | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS))) { if (rc < 0) { @@ -379,7 +388,11 @@ else { log_write(0, LOG_MAIN, "SSL verify error: certificate name mismatch: \"%s\"\n", txt); - return 0; /* reject */ + *calledp = TRUE; + if (!*optionalp) + return 0; /* reject */ + DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in " + "tls_try_verify_hosts)\n"); } } # else @@ -387,21 +400,26 @@ else { log_write(0, LOG_MAIN, "SSL verify error: certificate name mismatch: \"%s\"\n", txt); - return 0; /* reject */ + *calledp = TRUE; + if (!*optionalp) + return 0; /* reject */ + DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in " + "tls_try_verify_hosts)\n"); } # endif -#endif /*EXPERIMENTAL_CERTNAMES*/ #ifdef EXPERIMENTAL_EVENT ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action; if (ev) - if (event_raise(ev, US"tls:cert", US"0") == DEFER) + if ((yield = event_raise(ev, US"tls:cert", US"0"))) { log_write(0, LOG_MAIN, "SSL verify denied by event-action: " - "depth=0 cert=%s", txt); - tlsp->certificate_verified = FALSE; + "depth=0 cert=%s: %s", txt, yield); *calledp = TRUE; - return 0; /* reject */ + if (!*optionalp) + return 0; /* reject */ + DEBUG(D_tls) debug_printf("Event-action verify failure overridden " + "(host in tls_try_verify_hosts)\n"); } #endif @@ -439,6 +457,7 @@ X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx); static uschar txt[256]; #ifdef EXPERIMENTAL_EVENT int depth = X509_STORE_CTX_get_error_depth(x509ctx); +uschar * yield; #endif X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt)); @@ -450,11 +469,11 @@ tls_out.peercert = X509_dup(cert); #ifdef EXPERIMENTAL_EVENT if (client_static_cbinfo->event_action) { - if (event_raise(client_static_cbinfo->event_action, - US"tls:cert", string_sprintf("%d", depth)) == DEFER) + if ((yield = event_raise(client_static_cbinfo->event_action, + US"tls:cert", string_sprintf("%d", depth)))) { log_write(0, LOG_MAIN, "DANE verify denied by event-action: " - "depth=%d cert=%s", depth, txt); + "depth=%d cert=%s: %s", depth, txt, yield); tls_out.certificate_verified = FALSE; return 0; /* reject */ } @@ -515,7 +534,7 @@ Returns: TRUE if OK (nothing to set up, or setup worked) */ static BOOL -init_dh(SSL_CTX *sctx, uschar *dhparam, host_item *host) +init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host) { BIO *bio; DH *dh; @@ -1263,9 +1282,7 @@ else /* client */ # endif #endif -#ifdef EXPERIMENTAL_CERTNAMES cbinfo->verify_cert_hostnames = NULL; -#endif /* Set up the RSA callback */ @@ -1646,10 +1663,7 @@ return OK; static int tls_client_basic_ctx_init(SSL_CTX * ctx, - host_item * host, smtp_transport_options_block * ob -#ifdef EXPERIMENTAL_CERTNAMES - , tls_ext_ctx_cb * cbinfo -#endif + host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo ) { int rc; @@ -1657,35 +1671,25 @@ int rc; set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only the specified host patterns if one of them is defined */ -if ((!ob->tls_verify_hosts && !ob->tls_try_verify_hosts) || - (verify_check_host(&ob->tls_verify_hosts) == OK)) - { - if ((rc = setup_certs(ctx, ob->tls_verify_certificates, - ob->tls_crl, host, FALSE, verify_callback_client)) != OK) - return rc; +if ( (!ob->tls_verify_hosts && !ob->tls_try_verify_hosts) + || (verify_check_given_host(&ob->tls_verify_hosts, host) == OK) + ) client_verify_optional = FALSE; +else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK) + client_verify_optional = TRUE; +else + return OK; -#ifdef EXPERIMENTAL_CERTNAMES - if (ob->tls_verify_cert_hostnames) - { - if (!expand_check(ob->tls_verify_cert_hostnames, - US"tls_verify_cert_hostnames", - &cbinfo->verify_cert_hostnames)) - return FAIL; - if (cbinfo->verify_cert_hostnames) - DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n", - cbinfo->verify_cert_hostnames); - } -#endif - } -else if (verify_check_host(&ob->tls_try_verify_hosts) == OK) +if ((rc = setup_certs(ctx, ob->tls_verify_certificates, + ob->tls_crl, host, client_verify_optional, verify_callback_client)) != OK) + return rc; + +if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK) { - if ((rc = setup_certs(ctx, ob->tls_verify_certificates, - ob->tls_crl, host, TRUE, verify_callback_client)) != OK) - return rc; - client_verify_optional = TRUE; + cbinfo->verify_cert_hostnames = host->name; + DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n", + cbinfo->verify_cert_hostnames); } - return OK; } @@ -1808,15 +1812,15 @@ tls_out.tlsa_usage = 0; } # endif - if ((require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp, - NULL, host->name, host->address, NULL) == OK)) + if ((require_ocsp = + verify_check_given_host(&ob->hosts_require_ocsp, host) == OK)) request_ocsp = TRUE; else # ifdef EXPERIMENTAL_DANE if (!request_ocsp) # endif - request_ocsp = verify_check_this_host(&ob->hosts_request_ocsp, - NULL, host->name, host->address, NULL) == OK; + request_ocsp = + verify_check_given_host(&ob->hosts_request_ocsp, host) == OK; } #endif @@ -1851,7 +1855,9 @@ if (expciphers != NULL) #ifdef EXPERIMENTAL_DANE if (tlsa_dnsa) { - SSL_CTX_set_verify(client_ctx, SSL_VERIFY_PEER, verify_callback_client_dane); + SSL_CTX_set_verify(client_ctx, + SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, + verify_callback_client_dane); if (!DANESSL_library_init()) return tls_error(US"library init", host, NULL); @@ -1862,11 +1868,8 @@ else #endif - if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob -#ifdef EXPERIMENTAL_CERTNAMES - , client_static_cbinfo -#endif - )) != OK) + if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob, client_static_cbinfo)) + != OK) return rc; if ((client_ssl = SSL_new(client_ctx)) == NULL) @@ -1917,11 +1920,9 @@ if (request_ocsp) { /* Re-eval now $tls_out_tlsa_usage is populated. If this means we avoid the OCSP request, we wasted the setup cost in tls_init(). */ - require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp, - NULL, host->name, host->address, NULL) == OK; - request_ocsp = require_ocsp ? TRUE - : verify_check_this_host(&ob->hosts_request_ocsp, - NULL, host->name, host->address, NULL) == OK; + require_ocsp = verify_check_given_host(&ob->hosts_require_ocsp, host) == OK; + request_ocsp = require_ocsp + || verify_check_given_host(&ob->hosts_request_ocsp, host) == OK; } } # endif