X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/ef2e5890df09193717f9d345ffaaa406e2d8aae7..2ead369f8435918f3f15408b9394e580bcaf0910:/src/src/tls-openssl.c diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 0c7772921..7bf62f504 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -1009,7 +1009,7 @@ if (ev) old_cert = tlsp->peercert; tlsp->peercert = X509_dup(cert); /* NB we do not bother setting peerdn */ - if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth)))) + if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth), &errno))) { log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: " "depth=%d cert=%s: %s", @@ -1446,7 +1446,7 @@ supply_response: ocsp_resplist ** op = &state->u_ocsp.server.olist, * oentry; while (oentry = *op) op = &oentry->next; - *op = oentry = store_get(sizeof(ocsp_resplist), FALSE); + *op = oentry = store_get(sizeof(ocsp_resplist), GET_UNTAINTED); oentry->next = NULL; oentry->resp = resp; } @@ -2174,7 +2174,7 @@ DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername, /* Make the extension value available for expansion */ store_pool = POOL_PERM; -tls_in.sni = string_copy_taint(US servername, TRUE); +tls_in.sni = string_copy_taint(US servername, GET_TAINTED); store_pool = old_pool; if (!reexpand_tls_files_for_sni) @@ -2460,7 +2460,7 @@ if (!(bs = OCSP_response_get1_basic(rsp))) STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses; #endif - DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE); + DEBUG(D_tls) bp = BIO_new(BIO_s_mem()); /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */ @@ -2475,9 +2475,12 @@ if (!(bs = OCSP_response_get1_basic(rsp))) if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN, "Received TLS cert status response, itself unverifiable: %s", ERR_reason_error_string(ERR_peek_error())); - BIO_printf(bp, "OCSP response verify failure\n"); - ERR_print_errors(bp); - OCSP_RESPONSE_print(bp, rsp, 0); + DEBUG(D_tls) + { + BIO_printf(bp, "OCSP response verify failure\n"); + ERR_print_errors(bp); + OCSP_RESPONSE_print(bp, rsp, 0); + } goto failed; } else @@ -2515,8 +2518,11 @@ if (!(bs = OCSP_response_get1_basic(rsp))) status = OCSP_single_get0_status(single, &reason, &rev, &thisupd, &nextupd); - DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd); - DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd); + DEBUG(D_tls) + { + time_print(bp, "This OCSP Update", thisupd); + if (nextupd) time_print(bp, "Next OCSP Update", nextupd); + } if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE)) { @@ -2555,6 +2561,11 @@ if (!(bs = OCSP_response_get1_basic(rsp))) tls_out.ocsp = OCSP_FAILED; i = cbinfo->u_ocsp.client.verify_required ? 0 : 1; good: + { + uschar * s = NULL; + int len = (int) BIO_get_mem_data(bp, CSS &s); + if (len > 0) debug_printf("%.*s", len, s); + } BIO_free(bp); } @@ -3130,6 +3141,21 @@ return OK; +static void +tls_dump_keylog(SSL * ssl) +{ +#ifdef EXIM_HAVE_OPENSSL_KEYLOG + BIO * bp = BIO_new(BIO_s_mem()); + uschar * s = NULL; + int len; + SSL_SESSION_print_keylog(bp, SSL_get_session(ssl)); + len = (int) BIO_get_mem_data(bp, CSS &s); + if (len > 0) debug_printf("%.*s", len, s); + BIO_free(bp); +#endif +} + + /************************************************* * Start a TLS session in a server * *************************************************/ @@ -3311,10 +3337,10 @@ if (rc <= 0) case SSL_ERROR_ZERO_RETURN: DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n"); (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr); - (void) event_raise(event_action, US"tls:fail:connect", *errstr); + (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL); if (SSL_get_shutdown(ssl) == SSL_RECEIVED_SHUTDOWN) - SSL_shutdown(ssl); + SSL_shutdown(ssl); tls_close(NULL, TLS_NO_SHUTDOWN); return FAIL; @@ -3331,7 +3357,7 @@ if (rc <= 0) || r == SSL_R_UNKNOWN_PROTOCOL || r == SSL_R_UNSUPPORTED_PROTOCOL) s = string_sprintf("(%s)", SSL_get_version(ssl)); (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : s, errstr); - (void) event_raise(event_action, US"tls:fail:connect", *errstr); + (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL); return FAIL; } @@ -3342,7 +3368,7 @@ if (rc <= 0) if (!errno) { *errstr = US"SSL_accept: TCP connection closed by peer"; - (void) event_raise(event_action, US"tls:fail:connect", *errstr); + (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL); return FAIL; } DEBUG(D_tls) debug_printf(" - syscall %s\n", strerror(errno)); @@ -3351,7 +3377,7 @@ if (rc <= 0) sigalrm_seen ? US"timed out" : ERR_peek_error() ? NULL : string_sprintf("ret %d", error), errstr); - (void) event_raise(event_action, US"tls:fail:connect", *errstr); + (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL); return FAIL; } } @@ -3413,13 +3439,7 @@ DEBUG(D_tls) if (SSL_get_shared_ciphers(ssl, CS buf, sizeof(buf))) debug_printf("Shared ciphers: %s\n", buf); -#ifdef EXIM_HAVE_OPENSSL_KEYLOG - { - BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE); - SSL_SESSION_print_keylog(bp, SSL_get_session(ssl)); - BIO_free(bp); - } -#endif + tls_dump_keylog(ssl); #ifdef EXIM_HAVE_SESSION_TICKET { @@ -3444,9 +3464,9 @@ See description in https://paquier.xyz/postgresql-2/channel-binding-openssl/ */ size_t len = SSL_get_peer_finished(ssl, &c, 0); int old_pool = store_pool; - SSL_get_peer_finished(ssl, s = store_get((int)len, FALSE), len); + SSL_get_peer_finished(ssl, s = store_get((int)len, GET_UNTAINTED), len); store_pool = POOL_PERM; - tls_in.channelbinding = b64encode_taint(CUS s, (int)len, FALSE); + tls_in.channelbinding = b64encode_taint(CUS s, (int)len, GET_UNTAINTED); store_pool = old_pool; DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage %p\n", tls_in.channelbinding); } @@ -3682,7 +3702,7 @@ if (SSL_SESSION_is_resumable(ss)) /* 1.1.1 */ { int len = i2d_SSL_SESSION(ss, NULL); int dlen = sizeof(dbdata_tls_session) + len; - dbdata_tls_session * dt = store_get(dlen, TRUE); + dbdata_tls_session * dt = store_get(dlen, GET_TAINTED); uschar * s = dt->session; open_db dbblock, * dbm_file; @@ -3787,7 +3807,7 @@ else but it's little extra code complexity in the client. */ const uschar * list = exp_alpn; - uschar * p = store_get(Ustrlen(exp_alpn), is_tainted(exp_alpn)), * s, * t; + uschar * p = store_get(Ustrlen(exp_alpn), exp_alpn), * s, * t; int sep = 0; uschar len; @@ -3841,7 +3861,7 @@ BOOL require_ocsp = FALSE; rc = store_pool; store_pool = POOL_PERM; -exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx), FALSE); +exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx), GET_UNTAINTED); exim_client_ctx->corked = NULL; store_pool = rc; @@ -4080,13 +4100,7 @@ if (rc <= 0) DEBUG(D_tls) { debug_printf("SSL_connect succeeded\n"); -#ifdef EXIM_HAVE_OPENSSL_KEYLOG - { - BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE); - SSL_SESSION_print_keylog(bp, SSL_get_session(exim_client_ctx->ssl)); - BIO_free(bp); - } -#endif + tls_dump_keylog(exim_client_ctx->ssl); } #ifndef DISABLE_TLS_RESUME @@ -4133,9 +4147,9 @@ tlsp->cipher_stdname = cipher_stdname_ssl(exim_client_ctx->ssl); size_t len = SSL_get_finished(exim_client_ctx->ssl, &c, 0); int old_pool = store_pool; - SSL_get_finished(exim_client_ctx->ssl, s = store_get((int)len, TRUE), len); + SSL_get_finished(exim_client_ctx->ssl, s = store_get((int)len, GET_TAINTED), len); store_pool = POOL_PERM; - tlsp->channelbinding = b64encode_taint(CUS s, (int)len, TRUE); + tlsp->channelbinding = b64encode_taint(CUS s, (int)len, GET_TAINTED); store_pool = old_pool; DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage %p %p\n", tlsp->channelbinding, tlsp); } @@ -4505,19 +4519,25 @@ int * fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock; if (*fdp < 0) return; /* TLS was not active */ -if (do_shutdown) +if (do_shutdown > TLS_NO_SHUTDOWN) { int rc; DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n", - do_shutdown > 1 ? " (with response-wait)" : ""); + do_shutdown > TLS_SHUTDOWN_NOWAIT ? " (with response-wait)" : ""); tls_write(ct_ctx, NULL, 0, FALSE); /* flush write buffer */ - if ( (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */ - && do_shutdown > 1) + if ( ( do_shutdown >= TLS_SHUTDOWN_WONLY + || (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */ + ) + && do_shutdown > TLS_SHUTDOWN_NOWAIT + ) { +#ifdef EXIM_TCP_CORK + (void) setsockopt(*fdp, IPPROTO_TCP, EXIM_TCP_CORK, US &off, sizeof(off)); +#endif ALARM(2); - rc = SSL_shutdown(*sslp); /* wait for response */ + rc = SSL_shutdown(*sslp); /* wait for response */ ALARM_CLR(0); } @@ -4568,8 +4588,8 @@ Returns: NULL on success, or error message uschar * tls_validate_require_cipher(void) { -SSL_CTX *ctx; -uschar *s, *expciphers, *err; +SSL_CTX * ctx; +uschar * expciphers, * err; tls_openssl_init(); @@ -4621,21 +4641,22 @@ number/string, and the version date remains unchanged. The _build_ date will change, so we can more usefully assist with version diagnosis by also reporting the build date. -Arguments: a FILE* to print the results to -Returns: nothing +Arguments: string to append to +Returns: string */ -void -tls_version_report(FILE *f) +gstring * +tls_version_report(gstring * g) { -fprintf(f, "Library version: OpenSSL: Compile: %s\n" - " Runtime: %s\n" - " : %s\n", - OPENSSL_VERSION_TEXT, - SSLeay_version(SSLEAY_VERSION), - SSLeay_version(SSLEAY_BUILT_ON)); -/* third line is 38 characters for the %s and the line is 73 chars long; -the OpenSSL output includes a "built on: " prefix already. */ +return string_fmt_append(g, + "Library version: OpenSSL: Compile: %s\n" + " Runtime: %s\n" + " : %s\n", + OPENSSL_VERSION_TEXT, + SSLeay_version(SSLEAY_VERSION), + SSLeay_version(SSLEAY_BUILT_ON)); + /* third line is 38 characters for the %s and the line is 73 chars long; + the OpenSSL output includes a "built on: " prefix already. */ }