18
18
/* bool var_tls_append_def_CA;
19
19
/* bool var_tls_preempt_clist;
21
/* TLS_APPL_STATE *tls_alloc_app_context(ssl_ctx)
21
/* TLS_APPL_STATE *tls_alloc_app_context(ssl_ctx, log_mask)
22
22
/* SSL_CTX *ssl_ctx;
24
25
/* void tls_free_app_context(app_ctx)
27
/* TLS_SESS_STATE *tls_alloc_sess_context(log_level, namaddr)
28
/* TLS_SESS_STATE *tls_alloc_sess_context(log_mask, namaddr)
29
30
/* const char *namaddr;
31
32
/* void tls_free_context(TLScontext)
67
68
/* long argl; /* unused */
71
/* int tls_log_mask(log_param, log_level)
72
/* const char *log_param;
73
/* const char *log_level;
70
75
/* This module implements routines that support the TLS client
71
76
/* and server internals.
126
131
/* tls_bio_dump_cb() is a call-back routine for the
127
132
/* BIO_set_callback() routine. It logs SSL content to the
128
133
/* Postfix logfile.
135
/* tls_log_mask() converts a TLS log_level value from string
136
/* to mask. The main.cf parameter name is passed along for
306
* Log keyword <=> mask conversion.
308
#define TLS_LOG_0 TLS_LOG_NONE
309
#define TLS_LOG_1 TLS_LOG_SUMMARY
310
#define TLS_LOG_2 (TLS_LOG_1 | TLS_LOG_VERBOSE | TLS_LOG_CACHE | TLS_LOG_DEBUG)
311
#define TLS_LOG_3 (TLS_LOG_2 | TLS_LOG_TLSPKTS)
312
#define TLS_LOG_4 (TLS_LOG_3 | TLS_LOG_ALLPKTS)
314
static const NAME_MASK tls_log_table[] = {
316
"none", TLS_LOG_NONE,
318
"routine", TLS_LOG_1,
322
"ssl-expert", TLS_LOG_3,
324
"ssl-developer", TLS_LOG_4,
325
"5", TLS_LOG_4, /* for good measure */
326
"6", TLS_LOG_4, /* for good measure */
327
"7", TLS_LOG_4, /* for good measure */
328
"8", TLS_LOG_4, /* for good measure */
329
"9", TLS_LOG_4, /* for good measure */
330
"summary", TLS_LOG_SUMMARY,
331
"untrusted", TLS_LOG_UNTRUSTED,
332
"peercert", TLS_LOG_PEERCERT,
333
"certmatch", TLS_LOG_CERTMATCH,
334
"verbose", TLS_LOG_VERBOSE, /* Postfix TLS library verbose */
335
"cache", TLS_LOG_CACHE,
336
"ssl-debug", TLS_LOG_DEBUG, /* SSL library debug/verbose */
337
"ssl-handshake-packet-dump", TLS_LOG_TLSPKTS,
338
"ssl-session-packet-dump", TLS_LOG_TLSPKTS | TLS_LOG_ALLPKTS,
297
343
* Parsed OpenSSL version number.
369
/* tls_log_mask - Convert user TLS loglevel to internal log feature mask */
371
int tls_log_mask(const char *log_param, const char *log_level)
375
mask = name_mask_opt(log_param, tls_log_table, log_level,
376
NAME_MASK_ANY_CASE | NAME_MASK_RETURN);
323
380
/* tls_exclude_missing - Append exclusions for missing ciphers */
325
382
static const char *tls_exclude_missing(SSL_CTX *ctx, VSTRING *buf)
603
660
/* tls_alloc_app_context - allocate TLS application context */
605
TLS_APPL_STATE *tls_alloc_app_context(SSL_CTX *ssl_ctx)
662
TLS_APPL_STATE *tls_alloc_app_context(SSL_CTX *ssl_ctx, int log_mask)
607
664
TLS_APPL_STATE *app_ctx;
609
666
app_ctx = (TLS_APPL_STATE *) mymalloc(sizeof(*app_ctx));
668
/* See portability note below with other memset() call. */
611
669
memset((char *) app_ctx, 0, sizeof(*app_ctx));
612
670
app_ctx->ssl_ctx = ssl_ctx;
671
app_ctx->log_mask = log_mask;
614
673
/* See also: cache purging code in tls_set_ciphers(). */
615
674
app_ctx->cipher_grade = TLS_CIPHER_NONE;
642
701
/* tls_alloc_sess_context - allocate TLS session context */
644
TLS_SESS_STATE *tls_alloc_sess_context(int log_level, const char *namaddr)
703
TLS_SESS_STATE *tls_alloc_sess_context(int log_mask, const char *namaddr)
646
705
TLS_SESS_STATE *TLScontext;
662
721
TLScontext->peer_CN = 0;
663
722
TLScontext->issuer_CN = 0;
664
723
TLScontext->peer_fingerprint = 0;
724
TLScontext->peer_pkey_fprint = 0;
665
725
TLScontext->protocol = 0;
666
726
TLScontext->cipher_name = 0;
667
TLScontext->log_level = log_level;
727
TLScontext->log_mask = log_mask;
668
728
TLScontext->namaddr = lowercase(mystrdup(namaddr));
669
729
TLScontext->fpt_dgst = 0;
695
755
myfree(TLScontext->issuer_CN);
696
756
if (TLScontext->peer_fingerprint)
697
757
myfree(TLScontext->peer_fingerprint);
758
if (TLScontext->peer_pkey_fprint)
759
myfree(TLScontext->peer_pkey_fprint);
698
760
if (TLScontext->fpt_dgst)
699
761
myfree(TLScontext->fpt_dgst);
773
835
void tls_check_version(void)
778
tls_version_split(OPENSSL_VERSION_NUMBER, &hdr_info);
779
tls_version_split(SSLeay(), &lib_info);
781
if (lib_info.major != hdr_info.major
782
|| lib_info.minor != hdr_info.minor
783
|| lib_info.micro != hdr_info.micro)
784
msg_warn("run-time library vs. compile-time header version mismatch: "
785
"OpenSSL %d.%d.%d may not be compatible with OpenSSL %d.%d.%d",
786
lib_info.major, lib_info.minor, lib_info.micro,
787
hdr_info.major, hdr_info.minor, hdr_info.micro);
837
/* Debian will change the soname if openssl is ever incompatible. */
790
840
/* tls_bug_bits - SSL bug compatibility bits for this OpenSSL version */