From 8442641ee685d02b15ccfdc7290dda2674b8472e Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Thu, 20 Sep 2018 18:19:33 +0100 Subject: Builtin macros for OpenSSL options --- src/OS/Makefile-Base | 4 + src/src/macro_predef.c | 3 + src/src/macro_predef.h | 3 + src/src/readconf.c | 7 +- src/src/tls-openssl.c | 245 ++++++++++++++++++++++++++++--------------------- src/src/tls.c | 10 ++ 6 files changed, 164 insertions(+), 108 deletions(-) (limited to 'src') diff --git a/src/OS/Makefile-Base b/src/OS/Makefile-Base index 8d191caac..fed3134cf 100644 --- a/src/OS/Makefile-Base +++ b/src/OS/Makefile-Base @@ -130,6 +130,7 @@ MACRO_HSRC = macro_predef.h os.h globals.h config.h \ OBJ_MACRO = macro_predef.o \ macro-globals.o macro-readconf.o macro-route.o macro-transport.o macro-drtables.o \ + macro-tls.o \ macro-appendfile.o macro-autoreply.o macro-lmtp.o macro-pipe.o macro-queuefile.o \ macro-smtp.o macro-accept.o macro-dnslookup.o macro-ipliteral.o macro-iplookup.o \ macro-manualroute.o macro-queryprogram.o macro-redirect.o \ @@ -157,6 +158,9 @@ macro-transport.o: transport.c macro-drtables.o : drtables.c @echo "$(CC) -DMACRO_PREDEF drtables.c" $(FE)$(CC) -c $(CFLAGS) -DMACRO_PREDEF $(INCLUDE) -o $@ drtables.c +macro-tls.o: tls.c + @echo "$(CC) -DMACRO_PREDEF tls.c" + $(FE)$(CC) -c $(CFLAGS) -DMACRO_PREDEF $(INCLUDE) -o $@ tls.c macro-appendfile.o : transports/appendfile.c @echo "$(CC) -DMACRO_PREDEF transports/appendfile.c" $(FE)$(CC) -c $(CFLAGS) -DMACRO_PREDEF $(INCLUDE) -o $@ transports/appendfile.c diff --git a/src/src/macro_predef.c b/src/src/macro_predef.c index 0a22eec2f..9f5700ebf 100644 --- a/src/src/macro_predef.c +++ b/src/src/macro_predef.c @@ -285,6 +285,9 @@ options_routers(); options_transports(); options_auths(); options_logging(); +#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS) +options_tls(); +#endif } static void diff --git a/src/src/macro_predef.h b/src/src/macro_predef.h index 7eeaa9692..f265750ca 100644 --- a/src/src/macro_predef.h +++ b/src/src/macro_predef.h @@ -20,4 +20,7 @@ extern void options_transports(void); extern void options_auths(void); extern void options_logging(void); extern void params_dkim(void); +#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS) +extern void options_tls(void); +#endif diff --git a/src/src/readconf.c b/src/src/readconf.c index 1f0e41d44..b4474757a 100644 --- a/src/src/readconf.c +++ b/src/src/readconf.c @@ -15,6 +15,9 @@ implementation of the conditional .ifdef etc. */ # include "macro_predef.h" #endif +#define READCONF_DEBUG if (FALSE) /* Change to TRUE to enable */ + + static uschar * syslog_facility_str; static void fn_smtp_receive_timeout(const uschar *, const uschar *); @@ -627,7 +630,7 @@ macro_create(const uschar * name, const uschar * val, BOOL command_line) { macro_item * m = store_get(sizeof(macro_item)); -/* fprintf(stderr, "%s: '%s' '%s'\n", __FUNCTION__, name, val); */ +READCONF_DEBUG fprintf(stderr, "%s: '%s' '%s'\n", __FUNCTION__, name, val); m->next = NULL; m->command_line = command_line; m->namelen = Ustrlen(name); @@ -820,7 +823,7 @@ if (*s) for (m = *s == '_' ? macros : macros_user; m; m = m->next) { int moveby; -/* fprintf(stderr, "%s: matched '%s' in '%s'\n", __FUNCTION__, m->name, ss); */ + READCONF_DEBUG fprintf(stderr, "%s: matched '%s' in '%s'\n", __FUNCTION__, m->name, ss); /* Expand the buffer if necessary */ while (*newlen - m->namelen + m->replen + 1 > big_buffer_size) diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index e225386db..81372cfaa 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -51,7 +51,7 @@ functions from the OpenSSL library. */ # define EXIM_HAVE_RAND_PSEUDO #endif #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256) -# define EXIM_HAVE_SHA256 /*MMMM*/ +# define EXIM_HAVE_SHA256 #endif /* @@ -82,7 +82,7 @@ functions from the OpenSSL library. */ || LIBRESSL_VERSION_NUMBER >= 0x20010000L # if !defined(OPENSSL_NO_ECDH) # if OPENSSL_VERSION_NUMBER >= 0x0090800fL -# define EXIM_HAVE_ECDH /*MMMM*/ +# define EXIM_HAVE_ECDH # endif # if OPENSSL_VERSION_NUMBER >= 0x10002000L # define EXIM_HAVE_OPENSSL_EC_NIST2NID @@ -99,6 +99,142 @@ functions from the OpenSSL library. */ # include #endif +/************************************************* +* OpenSSL option parse * +*************************************************/ + +typedef struct exim_openssl_option { + uschar *name; + long value; +} exim_openssl_option; +/* We could use a macro to expand, but we need the ifdef and not all the +options document which version they were introduced in. Policylet: include +all options unless explicitly for DTLS, let the administrator choose which +to apply. + +This list is current as of: + ==> 1.0.1b <== +Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev +Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev +*/ +static exim_openssl_option exim_openssl_options[] = { +/* KEEP SORTED ALPHABETICALLY! */ +#ifdef SSL_OP_ALL + { US"all", SSL_OP_ALL }, +#endif +#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION + { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION }, +#endif +#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE + { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE }, +#endif +#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS + { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS }, +#endif +#ifdef SSL_OP_EPHEMERAL_RSA + { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA }, +#endif +#ifdef SSL_OP_LEGACY_SERVER_CONNECT + { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT }, +#endif +#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER + { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER }, +#endif +#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG + { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG }, +#endif +#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING + { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING }, +#endif +#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG + { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG }, +#endif +#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG + { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG }, +#endif +#ifdef SSL_OP_NO_COMPRESSION + { US"no_compression", SSL_OP_NO_COMPRESSION }, +#endif +#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION + { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION }, +#endif +#ifdef SSL_OP_NO_SSLv2 + { US"no_sslv2", SSL_OP_NO_SSLv2 }, +#endif +#ifdef SSL_OP_NO_SSLv3 + { US"no_sslv3", SSL_OP_NO_SSLv3 }, +#endif +#ifdef SSL_OP_NO_TICKET + { US"no_ticket", SSL_OP_NO_TICKET }, +#endif +#ifdef SSL_OP_NO_TLSv1 + { US"no_tlsv1", SSL_OP_NO_TLSv1 }, +#endif +#ifdef SSL_OP_NO_TLSv1_1 +#if SSL_OP_NO_TLSv1_1 == 0x00000400L + /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */ +#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring +#else + { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 }, +#endif +#endif +#ifdef SSL_OP_NO_TLSv1_2 + { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 }, +#endif +#ifdef SSL_OP_NO_TLSv1_3 + { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 }, +#endif +#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG + { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG }, +#endif +#ifdef SSL_OP_SINGLE_DH_USE + { US"single_dh_use", SSL_OP_SINGLE_DH_USE }, +#endif +#ifdef SSL_OP_SINGLE_ECDH_USE + { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE }, +#endif +#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG + { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG }, +#endif +#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG + { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG }, +#endif +#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG + { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG }, +#endif +#ifdef SSL_OP_TLS_D5_BUG + { US"tls_d5_bug", SSL_OP_TLS_D5_BUG }, +#endif +#ifdef SSL_OP_TLS_ROLLBACK_BUG + { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG }, +#endif +}; + +#ifndef MACRO_PREDEF +static int exim_openssl_options_size = nelem(exim_openssl_options); +#endif + +#ifdef MACRO_PREDEF +void +options_tls(void) +{ +struct exim_openssl_option * o; +uschar buf[64]; + +for (o = exim_openssl_options; + o < exim_openssl_options + nelem(exim_openssl_options); o++) + { + /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1 + being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */ + + spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name); + builtin_macro_create(buf); + } +} +#else + +/******************************************************************************/ + /* Structure for collecting random data for seeding. */ typedef struct randstuff { @@ -3061,110 +3197,6 @@ Arguments: Returns success or failure in parsing */ -struct exim_openssl_option { - uschar *name; - long value; -}; -/* We could use a macro to expand, but we need the ifdef and not all the -options document which version they were introduced in. Policylet: include -all options unless explicitly for DTLS, let the administrator choose which -to apply. - -This list is current as of: - ==> 1.0.1b <== -Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev -*/ -static struct exim_openssl_option exim_openssl_options[] = { -/* KEEP SORTED ALPHABETICALLY! */ -#ifdef SSL_OP_ALL - { US"all", SSL_OP_ALL }, -#endif -#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION - { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION }, -#endif -#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE - { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE }, -#endif -#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS - { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS }, -#endif -#ifdef SSL_OP_EPHEMERAL_RSA - { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA }, -#endif -#ifdef SSL_OP_LEGACY_SERVER_CONNECT - { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT }, -#endif -#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER - { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER }, -#endif -#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG - { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG }, -#endif -#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING - { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING }, -#endif -#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG - { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG }, -#endif -#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG - { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG }, -#endif -#ifdef SSL_OP_NO_COMPRESSION - { US"no_compression", SSL_OP_NO_COMPRESSION }, -#endif -#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION - { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION }, -#endif -#ifdef SSL_OP_NO_SSLv2 - { US"no_sslv2", SSL_OP_NO_SSLv2 }, -#endif -#ifdef SSL_OP_NO_SSLv3 - { US"no_sslv3", SSL_OP_NO_SSLv3 }, -#endif -#ifdef SSL_OP_NO_TICKET - { US"no_ticket", SSL_OP_NO_TICKET }, -#endif -#ifdef SSL_OP_NO_TLSv1 - { US"no_tlsv1", SSL_OP_NO_TLSv1 }, -#endif -#ifdef SSL_OP_NO_TLSv1_1 -#if SSL_OP_NO_TLSv1_1 == 0x00000400L - /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */ -#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring -#else - { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 }, -#endif -#endif -#ifdef SSL_OP_NO_TLSv1_2 - { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 }, -#endif -#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG - { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG }, -#endif -#ifdef SSL_OP_SINGLE_DH_USE - { US"single_dh_use", SSL_OP_SINGLE_DH_USE }, -#endif -#ifdef SSL_OP_SINGLE_ECDH_USE - { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE }, -#endif -#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG - { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG }, -#endif -#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG - { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG }, -#endif -#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG - { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG }, -#endif -#ifdef SSL_OP_TLS_D5_BUG - { US"tls_d5_bug", SSL_OP_TLS_D5_BUG }, -#endif -#ifdef SSL_OP_TLS_ROLLBACK_BUG - { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG }, -#endif -}; -static int exim_openssl_options_size = - sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option); static BOOL @@ -3265,6 +3297,7 @@ for (s=option_spec; *s != '\0'; /**/) return TRUE; } +#endif /*!MACRO_PREDEF*/ /* vi: aw ai sw=2 */ /* End of tls-openssl.c */ diff --git a/src/src/tls.c b/src/src/tls.c index b0b15f847..f79bc3193 100644 --- a/src/src/tls.c +++ b/src/src/tls.c @@ -19,6 +19,15 @@ functions from the OpenSSL or GNU TLS libraries. */ #include "exim.h" #include "transports/smtp.h" +#if defined(MACRO_PREDEF) && defined(SUPPORT_TLS) +# ifndef USE_GNUTLS +# include "macro_predef.h" +# include "tls-openssl.c" +# endif +#endif + +#ifndef MACRO_PREDEF + /* This module is compiled only when it is specifically requested in the build-time configuration. However, some compilers don't like compiling empty modules, so keep them happy with a dummy when skipping the rest. Make it @@ -355,6 +364,7 @@ else if ((subjdn = tls_cert_subject(cert, NULL))) return FALSE; } #endif /*SUPPORT_TLS*/ +#endif /*!MACRO_PREDEF*/ /* vi: aw ai sw=2 */ -- cgit v1.2.3