projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add main option exim_version
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
b10c87b3 5/* Copyright (c) University of Cambridge 1995 - 2019 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
f5d78688
JH		 8/* Portions Copyright (c) The OpenSSL Project 1999 */
9
059ec3d9
PH		 10/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11library. It is #included into the tls.c file when that library is used. The
12code herein is based on a patch that was originally contributed by Steve
13Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL library. */
17
18
19/* Heading stuff */
20
21#include <openssl/lhash.h>
22#include <openssl/ssl.h>
23#include <openssl/err.h>
24#include <openssl/rand.h>
10ca4f1c
JH		 25#ifndef OPENSSL_NO_ECDH
26# include <openssl/ec.h>
27#endif
f2de3a33 28#ifndef DISABLE_OCSP
e51c7be2 29# include <openssl/ocsp.h>
3f7eeb86 30#endif
c0635b6d 31#ifdef SUPPORT_DANE
05e796ad 32# include "danessl.h"
85098ee7
JH		 33#endif
34
3f7eeb86 35
f2de3a33
JH		 36#ifndef DISABLE_OCSP
37# define EXIM_OCSP_SKEW_SECONDS (300L)
38# define EXIM_OCSP_MAX_AGE (-1L)
3f7eeb86 39#endif
059ec3d9 40
3bcbbbe2 41#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
e51c7be2 42# define EXIM_HAVE_OPENSSL_TLSEXT
3bcbbbe2 43#endif
c8dfb21d
JH		 44#if OPENSSL_VERSION_NUMBER >= 0x00908000L
45# define EXIM_HAVE_RSA_GENKEY_EX
46#endif
47#if OPENSSL_VERSION_NUMBER >= 0x10100000L
48# define EXIM_HAVE_OCSP_RESP_COUNT
49#else
50# define EXIM_HAVE_EPHEM_RSA_KEX
51# define EXIM_HAVE_RAND_PSEUDO
52#endif
53#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
8442641e 54# define EXIM_HAVE_SHA256
c8dfb21d 55#endif
34e3241d 56
d7978c0f
JH		 57/* X509_check_host provides sane certificate hostname checking, but was added
58to OpenSSL late, after other projects forked off the code-base. So in
59addition to guarding against the base version number, beware that LibreSSL
60does not (at this time) support this function.
61
62If LibreSSL gains a different API, perhaps via libtls, then we'll probably
63opt to disentangle and ask a LibreSSL user to provide glue for a third
64crypto provider for libtls instead of continuing to tie the OpenSSL glue
65into even twistier knots. If LibreSSL gains the same API, we can just
66change this guard and punt the issue for a while longer. */
67
34e3241d
PP		 68#ifndef LIBRESSL_VERSION_NUMBER
69# if OPENSSL_VERSION_NUMBER >= 0x010100000L
70# define EXIM_HAVE_OPENSSL_CHECKHOST
8420742d 71# define EXIM_HAVE_OPENSSL_DH_BITS
7a8b9519 72# define EXIM_HAVE_OPENSSL_TLS_METHOD
f20cfa4a 73# define EXIM_HAVE_OPENSSL_KEYLOG
f1be21cf 74# define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
b10c87b3 75# define EXIM_HAVE_SESSION_TICKET
e570d136 76# define EXIM_HAVE_OPESSL_TRACE
7434882d
JH		 77# else
78# define EXIM_NEED_OPENSSL_INIT
34e3241d
PP		 79# endif
80# if OPENSSL_VERSION_NUMBER >= 0x010000000L \
2dfb468b 81 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
34e3241d
PP		 82# define EXIM_HAVE_OPENSSL_CHECKHOST
83# endif
11aa88b0 84#endif
10ca4f1c 85
11aa88b0
RA		 86#if !defined(LIBRESSL_VERSION_NUMBER) \
87 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
10ca4f1c
JH		 88# if !defined(OPENSSL_NO_ECDH)
89# if OPENSSL_VERSION_NUMBER >= 0x0090800fL
8442641e 90# define EXIM_HAVE_ECDH
10ca4f1c
JH		 91# endif
92# if OPENSSL_VERSION_NUMBER >= 0x10002000L
10ca4f1c
JH		 93# define EXIM_HAVE_OPENSSL_EC_NIST2NID
94# endif
95# endif
2dfb468b 96#endif
3bcbbbe2 97
8a40db1c
JH		 98#ifndef LIBRESSL_VERSION_NUMBER
99# if OPENSSL_VERSION_NUMBER >= 0x010101000L
100# define OPENSSL_HAVE_KEYLOG_CB
d7f31bb6 101# define OPENSSL_HAVE_NUM_TICKETS
f1be21cf 102# define EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
8a40db1c
JH		 103# endif
104#endif
105
67791ce4
JH		 106#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
107# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
108# define DISABLE_OCSP
109#endif
43e2db44
JH		 110
111#ifdef EXPERIMENTAL_TLS_RESUME
112# if OPENSSL_VERSION_NUMBER < 0x0101010L
113# error OpenSSL version too old for session-resumption
114# endif
115#endif
67791ce4 116
a6510420
JH		 117#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
118# include <openssl/x509v3.h>
119#endif
120
f1be21cf
JH		 121#ifndef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
122# ifndef EXIM_HAVE_OPENSSL_CIPHER_GET_ID
123# define SSL_CIPHER_get_id(c) (c->id)
124# endif
dca6d121
JH		 125# ifndef MACRO_PREDEF
126# include "tls-cipher-stdname.c"
127# endif
f1be21cf
JH		 128#endif
129
8442641e
JH		 130/*************************************************
131* OpenSSL option parse *
132*************************************************/
133
134typedef struct exim_openssl_option {
135 uschar *name;
136 long value;
137} exim_openssl_option;
138/* We could use a macro to expand, but we need the ifdef and not all the
139options document which version they were introduced in. Policylet: include
140all options unless explicitly for DTLS, let the administrator choose which
141to apply.
142
143This list is current as of:
144 ==> 1.0.1b <==
145Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
146Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev
147*/
148static exim_openssl_option exim_openssl_options[] = {
149/* KEEP SORTED ALPHABETICALLY! */
150#ifdef SSL_OP_ALL
151 { US"all", SSL_OP_ALL },
152#endif
153#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
154 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
155#endif
156#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
157 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
158#endif
159#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
160 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
161#endif
162#ifdef SSL_OP_EPHEMERAL_RSA
163 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
164#endif
165#ifdef SSL_OP_LEGACY_SERVER_CONNECT
166 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
167#endif
168#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
169 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
170#endif
171#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
172 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
173#endif
174#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
175 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
176#endif
177#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
178 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
179#endif
180#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
181 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
182#endif
183#ifdef SSL_OP_NO_COMPRESSION
184 { US"no_compression", SSL_OP_NO_COMPRESSION },
185#endif
186#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
187 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
188#endif
189#ifdef SSL_OP_NO_SSLv2
190 { US"no_sslv2", SSL_OP_NO_SSLv2 },
191#endif
192#ifdef SSL_OP_NO_SSLv3
193 { US"no_sslv3", SSL_OP_NO_SSLv3 },
194#endif
195#ifdef SSL_OP_NO_TICKET
196 { US"no_ticket", SSL_OP_NO_TICKET },
197#endif
198#ifdef SSL_OP_NO_TLSv1
199 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
200#endif
201#ifdef SSL_OP_NO_TLSv1_1
202#if SSL_OP_NO_TLSv1_1 == 0x00000400L
203 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
204#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
205#else
206 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
207#endif
208#endif
209#ifdef SSL_OP_NO_TLSv1_2
210 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
211#endif
212#ifdef SSL_OP_NO_TLSv1_3
213 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
214#endif
215#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
216 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
217#endif
218#ifdef SSL_OP_SINGLE_DH_USE
219 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
220#endif
221#ifdef SSL_OP_SINGLE_ECDH_USE
222 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
223#endif
224#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
225 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
226#endif
227#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
228 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
229#endif
230#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
231 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
232#endif
233#ifdef SSL_OP_TLS_D5_BUG
234 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
235#endif
236#ifdef SSL_OP_TLS_ROLLBACK_BUG
237 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
238#endif
239};
240
241#ifndef MACRO_PREDEF
242static int exim_openssl_options_size = nelem(exim_openssl_options);
243#endif
244
245#ifdef MACRO_PREDEF
246void
247options_tls(void)
248{
8442641e
JH		 249uschar buf[64];
250
d7978c0f 251for (struct exim_openssl_option * o = exim_openssl_options;
8442641e
JH		 252 o < exim_openssl_options + nelem(exim_openssl_options); o++)
253 {
254 /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
255 being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
256
257 spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
258 builtin_macro_create(buf);
259 }
b10c87b3
JH		 260
261# ifdef EXPERIMENTAL_TLS_RESUME
262builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
263# endif
8442641e
JH		 264}
265#else
266
267/******************************************************************************/
268
059ec3d9
PH		 269/* Structure for collecting random data for seeding. */
270
271typedef struct randstuff {
9e3331ea
TK		 272 struct timeval tv;
273 pid_t p;
059ec3d9
PH		 274} randstuff;
275
276/* Local static variables */
277
a2ff477a
JH		 278static BOOL client_verify_callback_called = FALSE;
279static BOOL server_verify_callback_called = FALSE;
059ec3d9
PH		 280static const uschar *sid_ctx = US"exim";
281
d4f09789
PP		 282/* We have three different contexts to care about.
283
284Simple case: client, `client_ctx`
285 As a client, we can be doing a callout or cut-through delivery while receiving
286 a message. So we have a client context, which should have options initialised
74f1a423
JH		 287 from the SMTP Transport. We may also concurrently want to make TLS connections
288 to utility daemons, so client-contexts are allocated and passed around in call
289 args rather than using a gobal.
d4f09789
PP		 290
291Server:
292 There are two cases: with and without ServerNameIndication from the client.
293 Given TLS SNI, we can be using different keys, certs and various other
294 configuration settings, because they're re-expanded with $tls_sni set. This
295 allows vhosting with TLS. This SNI is sent in the handshake.
296 A client might not send SNI, so we need a fallback, and an initial setup too.
297 So as a server, we start out using `server_ctx`.
298 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
299 `server_sni` from `server_ctx` and then initialise settings by re-expanding
300 configuration.
301*/
302
74f1a423
JH		 303typedef struct {
304 SSL_CTX * ctx;
305 SSL * ssl;
c09dbcfb 306 gstring * corked;
74f1a423
JH		 307} exim_openssl_client_tls_ctx;
308
817d9f57 309static SSL_CTX *server_ctx = NULL;
817d9f57 310static SSL *server_ssl = NULL;
389ca47a 311
35731706 312#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57 313static SSL_CTX *server_sni = NULL;
35731706 314#endif
059ec3d9
PH		 315
316static char ssl_errstring[256];
317
b10c87b3 318static int ssl_session_timeout = 3600;
a2ff477a
JH		 319static BOOL client_verify_optional = FALSE;
320static BOOL server_verify_optional = FALSE;
059ec3d9 321
f5d78688 322static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH		 323
324
7be682ca 325typedef struct tls_ext_ctx_cb {
b10c87b3 326 tls_support * tlsp;
7be682ca
PP		 327 uschar *certificate;
328 uschar *privatekey;
f5d78688 329 BOOL is_server;
a6510420 330#ifndef DISABLE_OCSP
c3033f13 331 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
f5d78688
JH		 332 union {
333 struct {
334 uschar *file;
335 uschar *file_expanded;
336 OCSP_RESPONSE *response;
337 } server;
338 struct {
44662487
JH		 339 X509_STORE *verify_store; /* non-null if status requested */
340 BOOL verify_required;
f5d78688
JH		 341 } client;
342 } u_ocsp;
3f7eeb86 343#endif
7be682ca
PP		 344 uschar *dhparam;
345 /* these are cached from first expand */
346 uschar *server_cipher_list;
347 /* only passed down to tls_error: */
348 host_item *host;
55414b25 349 const uschar * verify_cert_hostnames;
0cbf2b82 350#ifndef DISABLE_EVENT
a7538db1
JH		 351 uschar * event_action;
352#endif
7be682ca
PP		 353} tls_ext_ctx_cb;
354
355/* should figure out a cleanup of API to handle state preserved per
356implementation, for various reasons, which can be void * in the APIs.
357For now, we hack around it. */
b10c87b3 358tls_ext_ctx_cb *client_static_cbinfo = NULL; /*XXX should not use static; multiple concurrent clients! */
817d9f57 359tls_ext_ctx_cb *server_static_cbinfo = NULL;
7be682ca
PP		 360
361static int
983207c1 362setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 363 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
059ec3d9 364
3f7eeb86 365/* Callbacks */
3bcbbbe2 366#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f7eeb86 367static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
3bcbbbe2 368#endif
f2de3a33 369#ifndef DISABLE_OCSP
f5d78688 370static int tls_server_stapling_cb(SSL *s, void *arg);
3f7eeb86
PP		 371#endif
372
059ec3d9 373
b10c87b3 374
4d93129f 375/* Daemon-called, before every connection, key create/rotate */
b10c87b3
JH		 376#ifdef EXPERIMENTAL_TLS_RESUME
377static void tk_init(void);
378static int tls_exdata_idx = -1;
379#endif
380
381void
382tls_daemon_init(void)
383{
384#ifdef EXPERIMENTAL_TLS_RESUME
385tk_init();
386#endif
387return;
388}
389
390
059ec3d9
PH		 391/*************************************************
392* Handle TLS error *
393*************************************************/
394
395/* Called from lots of places when errors occur before actually starting to do
396the TLS handshake, that is, while the session is still in clear. Always returns
397DEFER for a server and FAIL for a client so that most calls can use "return
398tls_error(...)" to do this processing and then give an appropriate return. A
399single function is used for both server and client, because it is called from
400some shared functions.
401
402Argument:
403 prefix text to include in the logged error
404 host NULL if setting up a server;
405 the connected host if setting up a client
7199e1ee 406 msg error message or NULL if we should ask OpenSSL
cf0c6164 407 errstr pointer to output error message
059ec3d9
PH		 408
409Returns: OK/DEFER/FAIL
410*/
411
412static int
cf0c6164 413tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
059ec3d9 414{
c562fd30 415if (!msg)
7199e1ee 416 {
0abc5a13 417 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
cf0c6164 418 msg = US ssl_errstring;
7199e1ee
TF		 419 }
420
5a2a0989
JH		 421msg = string_sprintf("(%s): %s", prefix, msg);
422DEBUG(D_tls) debug_printf("TLS error '%s'\n", msg);
423if (errstr) *errstr = msg;
cf0c6164 424return host ? FAIL : DEFER;
059ec3d9
PH		 425}
426
427
428
429/*************************************************
430* Callback to generate RSA key *
431*************************************************/
432
433/*
434Arguments:
3ae79556 435 s SSL connection (not used)
059ec3d9
PH		 436 export not used
437 keylength keylength
438
439Returns: pointer to generated key
440*/
441
442static RSA *
443rsa_callback(SSL *s, int export, int keylength)
444{
445RSA *rsa_key;
c8dfb21d
JH		 446#ifdef EXIM_HAVE_RSA_GENKEY_EX
447BIGNUM *bn = BN_new();
448#endif
449
059ec3d9
PH		 450export = export; /* Shut picky compilers up */
451DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
c8dfb21d
JH		 452
453#ifdef EXIM_HAVE_RSA_GENKEY_EX
454if ( !BN_set_word(bn, (unsigned long)RSA_F4)
f2cb6292 455 || !(rsa_key = RSA_new())
c8dfb21d
JH		 456 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
457 )
458#else
23bb6982 459if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
c8dfb21d
JH		 460#endif
461
059ec3d9 462 {
0abc5a13 463 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
059ec3d9
PH		 464 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
465 ssl_errstring);
466 return NULL;
467 }
468return rsa_key;
469}
470
471
472
f5d78688 473/* Extreme debug
f2de3a33 474#ifndef DISABLE_OCSP
f5d78688
JH		 475void
476x509_store_dump_cert_s_names(X509_STORE * store)
477{
478STACK_OF(X509_OBJECT) * roots= store->objs;
f5d78688
JH		 479static uschar name[256];
480
d7978c0f 481for (int i= 0; i < sk_X509_OBJECT_num(roots); i++)
f5d78688
JH		 482 {
483 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
484 if(tmp_obj->type == X509_LU_X509)
485 {
70e384dd
JH		 486 X509_NAME * sn = X509_get_subject_name(tmp_obj->data.x509);
487 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
488 {
489 name[sizeof(name)-1] = '\0';
490 debug_printf(" %s\n", name);
491 }
f5d78688
JH		 492 }
493 }
494}
495#endif
496*/
497
059ec3d9 498
0cbf2b82 499#ifndef DISABLE_EVENT
f69979cf
JH		 500static int
501verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
502 BOOL *calledp, const BOOL *optionalp, const uschar * what)
503{
504uschar * ev;
505uschar * yield;
506X509 * old_cert;
507
508ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
509if (ev)
510 {
aaba7d03 511 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
f69979cf
JH		 512 old_cert = tlsp->peercert;
513 tlsp->peercert = X509_dup(cert);
514 /* NB we do not bother setting peerdn */
515 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
516 {
517 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
518 "depth=%d cert=%s: %s",
519 tlsp == &tls_out ? deliver_host_address : sender_host_address,
520 what, depth, dn, yield);
521 *calledp = TRUE;
522 if (!*optionalp)
523 {
524 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
525 return 1; /* reject (leaving peercert set) */
526 }
527 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
528 "(host in tls_try_verify_hosts)\n");
4a1bd6b9 529 tlsp->verify_override = TRUE;
f69979cf
JH		 530 }
531 X509_free(tlsp->peercert);
532 tlsp->peercert = old_cert;
533 }
534return 0;
535}
536#endif
537
059ec3d9
PH		 538/*************************************************
539* Callback for verification *
540*************************************************/
541
542/* The SSL library does certificate verification if set up to do so. This
543callback has the current yes/no state is in "state". If verification succeeded,
f69979cf
JH		 544we set the certificate-verified flag. If verification failed, what happens
545depends on whether the client is required to present a verifiable certificate
546or not.
059ec3d9
PH		 547
548If verification is optional, we change the state to yes, but still log the
549verification error. For some reason (it really would help to have proper
550documentation of OpenSSL), this callback function then gets called again, this
f69979cf
JH		 551time with state = 1. We must take care not to set the private verified flag on
552the second time through.
059ec3d9
PH		 553
554Note: this function is not called if the client fails to present a certificate
555when asked. We get here only if a certificate has been received. Handling of
556optional verification for this case is done when requesting SSL to verify, by
557setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
558
a7538db1
JH		 559May be called multiple times for different issues with a certificate, even
560for a given "depth" in the certificate chain.
561
059ec3d9 562Arguments:
f2f2c91b
JH		 563 preverify_ok current yes/no state as 1/0
564 x509ctx certificate information.
565 tlsp per-direction (client vs. server) support data
566 calledp has-been-called flag
567 optionalp verification-is-optional flag
059ec3d9 568
f2f2c91b 569Returns: 0 if verification should fail, otherwise 1
059ec3d9
PH		 570*/
571
572static int
70e384dd
JH		 573verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
574 tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
059ec3d9 575{
421aff85 576X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
a7538db1 577int depth = X509_STORE_CTX_get_error_depth(x509ctx);
f69979cf 578uschar dn[256];
059ec3d9 579
70e384dd
JH		 580if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
581 {
582 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
583 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
584 tlsp == &tls_out ? deliver_host_address : sender_host_address);
585 return 0;
586 }
f69979cf 587dn[sizeof(dn)-1] = '\0';
059ec3d9 588
f2f2c91b 589if (preverify_ok == 0)
059ec3d9 590 {
f77197ae
JH		 591 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
592 *verify_mode, sender_host_address)
593 : US"";
594 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
595 tlsp == &tls_out ? deliver_host_address : sender_host_address,
596 extra, depth,
597 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
a2ff477a 598 *calledp = TRUE;
9d1c15ef
JH		 599 if (!*optionalp)
600 {
f69979cf
JH		 601 if (!tlsp->peercert)
602 tlsp->peercert = X509_dup(cert); /* record failing cert */
603 return 0; /* reject */
9d1c15ef 604 }
059ec3d9
PH		 605 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
606 "tls_try_verify_hosts)\n");
4a1bd6b9 607 tlsp->verify_override = TRUE;
059ec3d9
PH		 608 }
609
a7538db1 610else if (depth != 0)
059ec3d9 611 {
f69979cf 612 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
f2de3a33 613#ifndef DISABLE_OCSP
f5d78688
JH		 614 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
615 { /* client, wanting stapling */
616 /* Add the server cert's signing chain as the one
617 for the verification of the OCSP stapled information. */
94431adb 618
f5d78688 619 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
421aff85 620 cert))
f5d78688 621 ERR_clear_error();
c3033f13 622 sk_X509_push(client_static_cbinfo->verify_stack, cert);
f5d78688 623 }
a7538db1 624#endif
0cbf2b82 625#ifndef DISABLE_EVENT
f69979cf
JH		 626 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
627 return 0; /* reject, with peercert set */
f5d78688 628#endif
059ec3d9
PH		 629 }
630else
631 {
55414b25 632 const uschar * verify_cert_hostnames;
e51c7be2 633
e51c7be2
JH		 634 if ( tlsp == &tls_out
635 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
afdb5e9c 636 /* client, wanting hostname check */
e51c7be2 637 {
f69979cf 638
740f36d4 639#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
f69979cf
JH		 640# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
641# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
642# endif
643# ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
644# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
645# endif
e51c7be2 646 int sep = 0;
55414b25 647 const uschar * list = verify_cert_hostnames;
e51c7be2 648 uschar * name;
d8e7834a
JH		 649 int rc;
650 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
f40d5be3 651 if ((rc = X509_check_host(cert, CCS name, 0,
8d692470 652 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
740f36d4
JH		 653 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
654 NULL)))
d8e7834a
JH		 655 {
656 if (rc < 0)
657 {
93a6fce2 658 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
f77197ae 659 tlsp == &tls_out ? deliver_host_address : sender_host_address);
d8e7834a
JH		 660 name = NULL;
661 }
e51c7be2 662 break;
d8e7834a 663 }
e51c7be2 664 if (!name)
f69979cf 665#else
e51c7be2 666 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
f69979cf 667#endif
e51c7be2 668 {
f77197ae
JH		 669 uschar * extra = verify_mode
670 ? string_sprintf(" (during %c-verify for [%s])",
671 *verify_mode, sender_host_address)
672 : US"";
e51c7be2 673 log_write(0, LOG_MAIN,
f77197ae
JH		 674 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
675 tlsp == &tls_out ? deliver_host_address : sender_host_address,
676 extra, dn, verify_cert_hostnames);
a3ef7310
JH		 677 *calledp = TRUE;
678 if (!*optionalp)
f69979cf
JH		 679 {
680 if (!tlsp->peercert)
681 tlsp->peercert = X509_dup(cert); /* record failing cert */
682 return 0; /* reject */
683 }
4a1bd6b9 684 DEBUG(D_tls) debug_printf("SSL verify name failure overridden (host in "
a3ef7310 685 "tls_try_verify_hosts)\n");
4a1bd6b9 686 tlsp->verify_override = TRUE;
e51c7be2 687 }
f69979cf 688 }
e51c7be2 689
0cbf2b82 690#ifndef DISABLE_EVENT
f69979cf
JH		 691 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
692 return 0; /* reject, with peercert set */
e51c7be2
JH		 693#endif
694
93dcb1c2 695 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
f69979cf 696 *calledp ? "" : " authenticated", dn);
93dcb1c2 697 *calledp = TRUE;
059ec3d9
PH		 698 }
699
a7538db1 700return 1; /* accept, at least for this level */
059ec3d9
PH		 701}
702
a2ff477a 703static int
f2f2c91b 704verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 705{
f2f2c91b
JH		 706return verify_callback(preverify_ok, x509ctx, &tls_out,
707 &client_verify_callback_called, &client_verify_optional);
a2ff477a
JH		 708}
709
710static int
f2f2c91b 711verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 712{
f2f2c91b
JH		 713return verify_callback(preverify_ok, x509ctx, &tls_in,
714 &server_verify_callback_called, &server_verify_optional);
a2ff477a
JH		 715}
716
059ec3d9 717
c0635b6d 718#ifdef SUPPORT_DANE
53a7196b 719
e5cccda9
JH		 720/* This gets called *by* the dane library verify callback, which interposes
721itself.
722*/
723static int
f2f2c91b 724verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
e5cccda9
JH		 725{
726X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
f69979cf 727uschar dn[256];
83b27293 728int depth = X509_STORE_CTX_get_error_depth(x509ctx);
5c75db2e 729#ifndef DISABLE_EVENT
f69979cf 730BOOL dummy_called, optional = FALSE;
83b27293 731#endif
e5cccda9 732
70e384dd
JH		 733if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
734 {
735 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
736 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
737 deliver_host_address);
738 return 0;
739 }
f69979cf 740dn[sizeof(dn)-1] = '\0';
e5cccda9 741
f2f2c91b
JH		 742DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
743 preverify_ok ? "ok":"BAD", depth, dn);
e5cccda9 744
0cbf2b82 745#ifndef DISABLE_EVENT
f69979cf
JH		 746 if (verify_event(&tls_out, cert, depth, dn,
747 &dummy_called, &optional, US"DANE"))
748 return 0; /* reject, with peercert set */
83b27293
JH		 749#endif
750
f2f2c91b 751if (preverify_ok == 1)
6fbf3599 752 {
4a1bd6b9 753 tls_out.dane_verified = TRUE;
6fbf3599
JH		 754#ifndef DISABLE_OCSP
755 if (client_static_cbinfo->u_ocsp.client.verify_store)
756 { /* client, wanting stapling */
757 /* Add the server cert's signing chain as the one
758 for the verification of the OCSP stapled information. */
759
760 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
761 cert))
762 ERR_clear_error();
763 sk_X509_push(client_static_cbinfo->verify_stack, cert);
764 }
765#endif
766 }
f2f2c91b
JH		 767else
768 {
769 int err = X509_STORE_CTX_get_error(x509ctx);
770 DEBUG(D_tls)
771 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
3c51463e 772 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
f2f2c91b
JH		 773 preverify_ok = 1;
774 }
775return preverify_ok;
e5cccda9 776}
53a7196b 777
c0635b6d 778#endif /*SUPPORT_DANE*/
e5cccda9 779
059ec3d9
PH		 780
781/*************************************************
782* Information callback *
783*************************************************/
784
785/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP		 786are doing. We copy the string to the debugging output when TLS debugging has
787been requested.
059ec3d9
PH		 788
789Arguments:
790 s the SSL connection
791 where
792 ret
793
794Returns: nothing
795*/
796
797static void
798info_callback(SSL *s, int where, int ret)
799{
0abc5a13
JH		 800DEBUG(D_tls)
801 {
802 const uschar * str;
803
804 if (where & SSL_ST_CONNECT)
48224640 805 str = US"SSL_connect";
0abc5a13 806 else if (where & SSL_ST_ACCEPT)
48224640 807 str = US"SSL_accept";
0abc5a13 808 else
48224640 809 str = US"SSL info (undefined)";
0abc5a13
JH		 810
811 if (where & SSL_CB_LOOP)
812 debug_printf("%s: %s\n", str, SSL_state_string_long(s));
813 else if (where & SSL_CB_ALERT)
814 debug_printf("SSL3 alert %s:%s:%s\n",
48224640 815 str = where & SSL_CB_READ ? US"read" : US"write",
0abc5a13
JH		 816 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
817 else if (where & SSL_CB_EXIT)
818 if (ret == 0)
819 debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s));
820 else if (ret < 0)
821 debug_printf("%s: error in %s\n", str, SSL_state_string_long(s));
822 else if (where & SSL_CB_HANDSHAKE_START)
823 debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s));
824 else if (where & SSL_CB_HANDSHAKE_DONE)
825 debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s));
826 }
059ec3d9
PH		 827}
828
8238bc7b 829#ifdef OPENSSL_HAVE_KEYLOG_CB
8a40db1c
JH		 830static void
831keylog_callback(const SSL *ssl, const char *line)
832{
833DEBUG(D_tls) debug_printf("%.200s\n", line);
834}
8238bc7b 835#endif
8a40db1c 836
059ec3d9 837
b10c87b3
JH		 838#ifdef EXPERIMENTAL_TLS_RESUME
839/* Manage the keysets used for encrypting the session tickets, on the server. */
840
841typedef struct { /* Session ticket encryption key */
842 uschar name[16];
843
844 const EVP_CIPHER * aes_cipher;
4d93129f 845 uschar aes_key[32]; /* size needed depends on cipher. aes_128 implies 128/8 = 16? */
b10c87b3
JH		 846 const EVP_MD * hmac_hash;
847 uschar hmac_key[16];
848 time_t renew;
849 time_t expire;
850} exim_stek;
851
4d93129f
JH		 852static exim_stek exim_tk; /* current key */
853static exim_stek exim_tk_old; /* previous key */
b10c87b3
JH		 854
855static void
856tk_init(void)
857{
4d93129f
JH		 858time_t t = time(NULL);
859
b10c87b3
JH		 860if (exim_tk.name[0])
861 {
4d93129f 862 if (exim_tk.renew >= t) return;
b10c87b3
JH		 863 exim_tk_old = exim_tk;
864 }
865
866if (f.running_in_test_harness) ssl_session_timeout = 6;
867
868DEBUG(D_tls) debug_printf("OpenSSL: %s STEK\n", exim_tk.name[0] ? "rotating" : "creating");
869if (RAND_bytes(exim_tk.aes_key, sizeof(exim_tk.aes_key)) <= 0) return;
870if (RAND_bytes(exim_tk.hmac_key, sizeof(exim_tk.hmac_key)) <= 0) return;
871if (RAND_bytes(exim_tk.name+1, sizeof(exim_tk.name)-1) <= 0) return;
872
873exim_tk.name[0] = 'E';
4d93129f 874exim_tk.aes_cipher = EVP_aes_256_cbc();
b10c87b3 875exim_tk.hmac_hash = EVP_sha256();
4d93129f
JH		 876exim_tk.expire = t + ssl_session_timeout;
877exim_tk.renew = t + ssl_session_timeout/2;
b10c87b3
JH		 878}
879
880static exim_stek *
881tk_current(void)
882{
883if (!exim_tk.name[0]) return NULL;
884return &exim_tk;
885}
886
887static exim_stek *
888tk_find(const uschar * name)
889{
890return memcmp(name, exim_tk.name, sizeof(exim_tk.name)) == 0 ? &exim_tk
891 : memcmp(name, exim_tk_old.name, sizeof(exim_tk_old.name)) == 0 ? &exim_tk_old
892 : NULL;
893}
894
895/* Callback for session tickets, on server */
896static int
897ticket_key_callback(SSL * ssl, uschar key_name[16],
898 uschar * iv, EVP_CIPHER_CTX * ctx, HMAC_CTX * hctx, int enc)
899{
900tls_support * tlsp = server_static_cbinfo->tlsp;
901exim_stek * key;
902
903if (enc)
904 {
905 DEBUG(D_tls) debug_printf("ticket_key_callback: create new session\n");
906 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
907
908 if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0)
909 return -1; /* insufficient random */
910
911 if (!(key = tk_current())) /* current key doesn't exist or isn't valid */
912 return 0; /* key couldn't be created */
913 memcpy(key_name, key->name, 16);
914 DEBUG(D_tls) debug_printf("STEK expire %ld\n", key->expire - time(NULL));
915
916 /*XXX will want these dependent on the ssl session strength */
917 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
918 key->hmac_hash, NULL);
919 EVP_EncryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
920
921 DEBUG(D_tls) debug_printf("ticket created\n");
922 return 1;
923 }
924else
925 {
926 time_t now = time(NULL);
927
928 DEBUG(D_tls) debug_printf("ticket_key_callback: retrieve session\n");
929 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
930
931 if (!(key = tk_find(key_name)) || key->expire < now)
932 {
933 DEBUG(D_tls)
934 {
935 debug_printf("ticket not usable (%s)\n", key ? "expired" : "not found");
936 if (key) debug_printf("STEK expire %ld\n", key->expire - now);
937 }
938 return 0;
939 }
940
941 HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
942 key->hmac_hash, NULL);
943 EVP_DecryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
944
945 DEBUG(D_tls) debug_printf("ticket usable, STEK expire %ld\n", key->expire - now);
946 return key->renew < now ? 2 : 1;
947 }
948}
949#endif
950
951
059ec3d9
PH		 952
953/*************************************************
954* Initialize for DH *
955*************************************************/
956
957/* If dhparam is set, expand it, and load up the parameters for DH encryption.
958
959Arguments:
038597d2 960 sctx The current SSL CTX (inbound or outbound)
a799883d 961 dhparam DH parameter file or fixed parameter identity string
7199e1ee 962 host connected host, if client; NULL if server
cf0c6164 963 errstr error string pointer
059ec3d9
PH		 964
965Returns: TRUE if OK (nothing to set up, or setup worked)
966*/
967
968static BOOL
cf0c6164 969init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
059ec3d9 970{
059ec3d9
PH		 971BIO *bio;
972DH *dh;
973uschar *dhexpanded;
a799883d 974const char *pem;
6600985a 975int dh_bitsize;
059ec3d9 976
cf0c6164 977if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
059ec3d9
PH		 978 return FALSE;
979
0df4ab80 980if (!dhexpanded || !*dhexpanded)
a799883d 981 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
a799883d 982else if (dhexpanded[0] == '/')
059ec3d9 983 {
0df4ab80 984 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
059ec3d9 985 {
7199e1ee 986 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
cf0c6164 987 host, US strerror(errno), errstr);
a799883d 988 return FALSE;
059ec3d9 989 }
a799883d
PP		 990 }
991else
992 {
993 if (Ustrcmp(dhexpanded, "none") == 0)
059ec3d9 994 {
a799883d
PP		 995 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
996 return TRUE;
059ec3d9 997 }
a799883d 998
0df4ab80 999 if (!(pem = std_dh_prime_named(dhexpanded)))
a799883d
PP		 1000 {
1001 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
cf0c6164 1002 host, US strerror(errno), errstr);
a799883d
PP		 1003 return FALSE;
1004 }
1005 bio = BIO_new_mem_buf(CS pem, -1);
1006 }
1007
0df4ab80 1008if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
a799883d 1009 {
059ec3d9 1010 BIO_free(bio);
a799883d 1011 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
cf0c6164 1012 host, NULL, errstr);
a799883d
PP		 1013 return FALSE;
1014 }
1015
6600985a
PP		 1016/* note: our default limit of 2236 is not a multiple of 8; the limit comes from
1017 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
1018 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
1019 * If someone wants to dance at the edge, then they can raise the limit or use
1020 * current libraries. */
1021#ifdef EXIM_HAVE_OPENSSL_DH_BITS
1022/* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
1023 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
1024dh_bitsize = DH_bits(dh);
1025#else
1026dh_bitsize = 8 * DH_size(dh);
1027#endif
1028
a799883d
PP		 1029/* Even if it is larger, we silently return success rather than cause things
1030 * to fail out, so that a too-large DH will not knock out all TLS; it's a
1031 * debatable choice. */
6600985a 1032if (dh_bitsize > tls_dh_max_bits)
a799883d
PP		 1033 {
1034 DEBUG(D_tls)
170f4904 1035 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
6600985a 1036 dh_bitsize, tls_dh_max_bits);
a799883d
PP		 1037 }
1038else
1039 {
1040 SSL_CTX_set_tmp_dh(sctx, dh);
1041 DEBUG(D_tls)
1042 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
6600985a 1043 dhexpanded ? dhexpanded : US"default", dh_bitsize);
059ec3d9
PH		 1044 }
1045
a799883d
PP		 1046DH_free(dh);
1047BIO_free(bio);
1048
1049return TRUE;
059ec3d9
PH		 1050}
1051
1052
1053
1054
038597d2
PP		 1055/*************************************************
1056* Initialize for ECDH *
1057*************************************************/
1058
1059/* Load parameters for ECDH encryption.
1060
1061For now, we stick to NIST P-256 because: it's simple and easy to configure;
1062it avoids any patent issues that might bite redistributors; despite events in
1063the news and concerns over curve choices, we're not cryptographers, we're not
1064pretending to be, and this is "good enough" to be better than no support,
1065protecting against most adversaries. Given another year or two, there might
1066be sufficient clarity about a "right" way forward to let us make an informed
1067decision, instead of a knee-jerk reaction.
1068
1069Longer-term, we should look at supporting both various named curves and
1070external files generated with "openssl ecparam", much as we do for init_dh().
1071We should also support "none" as a value, to explicitly avoid initialisation.
1072
1073Patches welcome.
1074
1075Arguments:
1076 sctx The current SSL CTX (inbound or outbound)
1077 host connected host, if client; NULL if server
cf0c6164 1078 errstr error string pointer
038597d2
PP		 1079
1080Returns: TRUE if OK (nothing to set up, or setup worked)
1081*/
1082
1083static BOOL
cf0c6164 1084init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
038597d2 1085{
63f0dbe0
JH		 1086#ifdef OPENSSL_NO_ECDH
1087return TRUE;
1088#else
1089
10ca4f1c
JH		 1090EC_KEY * ecdh;
1091uschar * exp_curve;
1092int nid;
1093BOOL rv;
1094
038597d2
PP		 1095if (host) /* No ECDH setup for clients, only for servers */
1096 return TRUE;
1097
10ca4f1c 1098# ifndef EXIM_HAVE_ECDH
038597d2
PP		 1099DEBUG(D_tls)
1100 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
1101return TRUE;
038597d2 1102# else
10ca4f1c 1103
cf0c6164 1104if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
10ca4f1c
JH		 1105 return FALSE;
1106if (!exp_curve || !*exp_curve)
1107 return TRUE;
1108
8e53a4fc 1109/* "auto" needs to be handled carefully.
4c04137d 1110 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
8e53a4fc 1111 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
4c04137d 1112 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
8e53a4fc
HSHR		 1113 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
1114 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
1115 */
10ca4f1c 1116if (Ustrcmp(exp_curve, "auto") == 0)
038597d2 1117 {
8e53a4fc 1118#if OPENSSL_VERSION_NUMBER < 0x10002000L
10ca4f1c 1119 DEBUG(D_tls) debug_printf(
8e53a4fc 1120 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
78a3bbd5 1121 exp_curve = US"prime256v1";
8e53a4fc
HSHR		 1122#else
1123# if defined SSL_CTRL_SET_ECDH_AUTO
1124 DEBUG(D_tls) debug_printf(
1125 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
10ca4f1c
JH		 1126 SSL_CTX_set_ecdh_auto(sctx, 1);
1127 return TRUE;
8e53a4fc
HSHR		 1128# else
1129 DEBUG(D_tls) debug_printf(
1130 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
1131 return TRUE;
1132# endif
1133#endif
10ca4f1c 1134 }
038597d2 1135
10ca4f1c
JH		 1136DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
1137if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
1138# ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
1139 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
1140# endif
1141 )
1142 {
cf0c6164
JH		 1143 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
1144 host, NULL, errstr);
10ca4f1c
JH		 1145 return FALSE;
1146 }
038597d2 1147
10ca4f1c
JH		 1148if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
1149 {
cf0c6164 1150 tls_error(US"Unable to create ec curve", host, NULL, errstr);
10ca4f1c 1151 return FALSE;
038597d2 1152 }
10ca4f1c
JH		 1153
1154/* The "tmp" in the name here refers to setting a temporary key
1155not to the stability of the interface. */
1156
1157if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
cf0c6164 1158 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
10ca4f1c
JH		 1159else
1160 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
1161
1162EC_KEY_free(ecdh);
1163return !rv;
1164
1165# endif /*EXIM_HAVE_ECDH*/
1166#endif /*OPENSSL_NO_ECDH*/
038597d2
PP		 1167}
1168
1169
1170
1171
f2de3a33 1172#ifndef DISABLE_OCSP
3f7eeb86
PP		 1173/*************************************************
1174* Load OCSP information into state *
1175*************************************************/
f5d78688 1176/* Called to load the server OCSP response from the given file into memory, once
3f7eeb86
PP		 1177caller has determined this is needed. Checks validity. Debugs a message
1178if invalid.
1179
1180ASSUMES: single response, for single cert.
1181
1182Arguments:
1183 sctx the SSL_CTX* to update
1184 cbinfo various parts of session state
1185 expanded the filename putatively holding an OCSP response
1186
1187*/
1188
1189static void
f5d78688 1190ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
3f7eeb86 1191{
ee5b1e28
JH		 1192BIO * bio;
1193OCSP_RESPONSE * resp;
1194OCSP_BASICRESP * basic_response;
1195OCSP_SINGLERESP * single_response;
1196ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
ee5b1e28 1197STACK_OF(X509) * sk;
3f7eeb86
PP		 1198unsigned long verify_flags;
1199int status, reason, i;
1200
f5d78688
JH		 1201cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
1202if (cbinfo->u_ocsp.server.response)
3f7eeb86 1203 {
f5d78688
JH		 1204 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
1205 cbinfo->u_ocsp.server.response = NULL;
3f7eeb86
PP		 1206 }
1207
ee5b1e28 1208if (!(bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb")))
3f7eeb86
PP		 1209 {
1210 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
f5d78688 1211 cbinfo->u_ocsp.server.file_expanded);
3f7eeb86
PP		 1212 return;
1213 }
1214
1215resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
1216BIO_free(bio);
1217if (!resp)
1218 {
1219 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
1220 return;
1221 }
1222
ee5b1e28 1223if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
3f7eeb86
PP		 1224 {
1225 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
1226 OCSP_response_status_str(status), status);
f5d78688 1227 goto bad;
3f7eeb86
PP		 1228 }
1229
ee5b1e28 1230if (!(basic_response = OCSP_response_get1_basic(resp)))
3f7eeb86
PP		 1231 {
1232 DEBUG(D_tls)
1233 debug_printf("OCSP response parse error: unable to extract basic response.\n");
f5d78688 1234 goto bad;
3f7eeb86
PP		 1235 }
1236
c3033f13 1237sk = cbinfo->verify_stack;
3f7eeb86
PP		 1238verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
1239
1240/* May need to expose ability to adjust those flags?
1241OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
1242OCSP_TRUSTOTHER OCSP_NOINTERN */
1243
4c04137d 1244/* This does a full verify on the OCSP proof before we load it for serving
ee5b1e28
JH		 1245up; possibly overkill - just date-checks might be nice enough.
1246
1247OCSP_basic_verify takes a "store" arg, but does not
1248use it for the chain verification, which is all we do
1249when OCSP_NOVERIFY is set. The content from the wire
1250"basic_response" and a cert-stack "sk" are all that is used.
1251
c3033f13
JH		 1252We have a stack, loaded in setup_certs() if tls_verify_certificates
1253was a file (not a directory, or "system"). It is unfortunate we
1254cannot used the connection context store, as that would neatly
1255handle the "system" case too, but there seems to be no library
1256function for getting a stack from a store.
e3555426 1257[ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
c3033f13
JH		 1258We do not free the stack since it could be needed a second time for
1259SNI handling.
1260
4c04137d 1261Separately we might try to replace using OCSP_basic_verify() - which seems to not
5ec37a55 1262be a public interface into the OpenSSL library (there's no manual entry) -
ee5b1e28 1263But what with? We also use OCSP_basic_verify in the client stapling callback.
4c04137d 1264And there we NEED it; we must verify that status... unless the
ee5b1e28
JH		 1265library does it for us anyway? */
1266
1267if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
3f7eeb86 1268 {
ee5b1e28
JH		 1269 DEBUG(D_tls)
1270 {
0abc5a13 1271 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3f7eeb86 1272 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
f5d78688
JH		 1273 }
1274 goto bad;
3f7eeb86
PP		 1275 }
1276
1277/* Here's the simplifying assumption: there's only one response, for the
1278one certificate we use, and nothing for anything else in a chain. If this
1279proves false, we need to extract a cert id from our issued cert
1280(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
1281right cert in the stack and then calls OCSP_single_get0_status()).
1282
1283I'm hoping to avoid reworking a bunch more of how we handle state here. */
ee5b1e28
JH		 1284
1285if (!(single_response = OCSP_resp_get0(basic_response, 0)))
3f7eeb86
PP		 1286 {
1287 DEBUG(D_tls)
1288 debug_printf("Unable to get first response from OCSP basic response.\n");
f5d78688 1289 goto bad;
3f7eeb86
PP		 1290 }
1291
1292status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
f5d78688 1293if (status != V_OCSP_CERTSTATUS_GOOD)
3f7eeb86 1294 {
f5d78688
JH		 1295 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
1296 OCSP_cert_status_str(status), status,
1297 OCSP_crl_reason_str(reason), reason);
1298 goto bad;
3f7eeb86
PP		 1299 }
1300
1301if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1302 {
1303 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
f5d78688 1304 goto bad;
3f7eeb86
PP		 1305 }
1306
f5d78688 1307supply_response:
47195144 1308 cbinfo->u_ocsp.server.response = resp; /*XXX stack?*/
f5d78688
JH		 1309return;
1310
1311bad:
8768d548 1312 if (f.running_in_test_harness)
018058b2
JH		 1313 {
1314 extern char ** environ;
d7978c0f 1315 if (environ) for (uschar ** p = USS environ; *p; p++)
018058b2
JH		 1316 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1317 {
1318 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
1319 goto supply_response;
1320 }
1321 }
f5d78688 1322return;
3f7eeb86 1323}
f2de3a33 1324#endif /*!DISABLE_OCSP*/
3f7eeb86
PP		 1325
1326
1327
1328
23bb6982
JH		 1329/* Create and install a selfsigned certificate, for use in server mode */
1330
1331static int
cf0c6164 1332tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
23bb6982
JH		 1333{
1334X509 * x509 = NULL;
1335EVP_PKEY * pkey;
1336RSA * rsa;
1337X509_NAME * name;
1338uschar * where;
1339
1340where = US"allocating pkey";
1341if (!(pkey = EVP_PKEY_new()))
1342 goto err;
1343
1344where = US"allocating cert";
1345if (!(x509 = X509_new()))
1346 goto err;
1347
1348where = US"generating pkey";
6aac3239 1349if (!(rsa = rsa_callback(NULL, 0, 2048)))
23bb6982
JH		 1350 goto err;
1351
4c04137d 1352where = US"assigning pkey";
23bb6982
JH		 1353if (!EVP_PKEY_assign_RSA(pkey, rsa))
1354 goto err;
1355
1356X509_set_version(x509, 2); /* N+1 - version 3 */
1613fd68 1357ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
23bb6982
JH		 1358X509_gmtime_adj(X509_get_notBefore(x509), 0);
1359X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
1360X509_set_pubkey(x509, pkey);
1361
1362name = X509_get_subject_name(x509);
1363X509_NAME_add_entry_by_txt(name, "C",
4dc2379a 1364 MBSTRING_ASC, CUS "UK", -1, -1, 0);
23bb6982 1365X509_NAME_add_entry_by_txt(name, "O",
4dc2379a 1366 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
23bb6982 1367X509_NAME_add_entry_by_txt(name, "CN",
4dc2379a 1368 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
23bb6982
JH		 1369X509_set_issuer_name(x509, name);
1370
1371where = US"signing cert";
1372if (!X509_sign(x509, pkey, EVP_md5()))
1373 goto err;
1374
1375where = US"installing selfsign cert";
1376if (!SSL_CTX_use_certificate(sctx, x509))
1377 goto err;
1378
1379where = US"installing selfsign key";
1380if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1381 goto err;
1382
1383return OK;
1384
1385err:
cf0c6164 1386 (void) tls_error(where, NULL, NULL, errstr);
23bb6982
JH		 1387 if (x509) X509_free(x509);
1388 if (pkey) EVP_PKEY_free(pkey);
1389 return DEFER;
1390}
1391
1392
1393
1394
ba86e143
JH		 1395static int
1396tls_add_certfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1397 uschar ** errstr)
1398{
1399DEBUG(D_tls) debug_printf("tls_certificate file %s\n", file);
1400if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1401 return tls_error(string_sprintf(
1402 "SSL_CTX_use_certificate_chain_file file=%s", file),
1403 cbinfo->host, NULL, errstr);
1404return 0;
1405}
1406
1407static int
1408tls_add_pkeyfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1409 uschar ** errstr)
1410{
1411DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", file);
1412if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1413 return tls_error(string_sprintf(
1414 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1415return 0;
1416}
1417
1418
7be682ca
PP		 1419/*************************************************
1420* Expand key and cert file specs *
1421*************************************************/
1422
f5d78688 1423/* Called once during tls_init and possibly again during TLS setup, for a
7be682ca
PP		 1424new context, if Server Name Indication was used and tls_sni was seen in
1425the certificate string.
1426
1427Arguments:
1428 sctx the SSL_CTX* to update
1429 cbinfo various parts of session state
cf0c6164 1430 errstr error string pointer
7be682ca
PP		 1431
1432Returns: OK/DEFER/FAIL
1433*/
1434
1435static int
cf0c6164
JH		 1436tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo,
1437 uschar ** errstr)
7be682ca
PP		 1438{
1439uschar *expanded;
1440
23bb6982 1441if (!cbinfo->certificate)
7be682ca 1442 {
ba86e143 1443 if (!cbinfo->is_server) /* client */
23bb6982 1444 return OK;
afdb5e9c 1445 /* server */
cf0c6164 1446 if (tls_install_selfsign(sctx, errstr) != OK)
23bb6982 1447 return DEFER;
7be682ca 1448 }
23bb6982
JH		 1449else
1450 {
ba86e143
JH		 1451 int err;
1452
23bb6982
JH		 1453 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
1454 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
1455 Ustrstr(cbinfo->certificate, US"tls_out_sni")
1456 )
1457 reexpand_tls_files_for_sni = TRUE;
7be682ca 1458
cf0c6164 1459 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
23bb6982
JH		 1460 return DEFER;
1461
ba86e143
JH		 1462 if (expanded)
1463 if (cbinfo->is_server)
1464 {
1465 const uschar * file_list = expanded;
1466 int sep = 0;
1467 uschar * file;
1468
1469 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1470 if ((err = tls_add_certfile(sctx, cbinfo, file, errstr)))
1471 return err;
1472 }
1473 else /* would there ever be a need for multiple client certs? */
1474 if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
1475 return err;
7be682ca 1476
5a2a0989
JH		 1477 if ( cbinfo->privatekey
1478 && !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
23bb6982 1479 return DEFER;
7be682ca 1480
23bb6982
JH		 1481 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1482 of the expansion is an empty string, ignore it also, and assume the private
1483 key is in the same file as the certificate. */
1484
1485 if (expanded && *expanded)
ba86e143
JH		 1486 if (cbinfo->is_server)
1487 {
1488 const uschar * file_list = expanded;
1489 int sep = 0;
1490 uschar * file;
1491
1492 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1493 if ((err = tls_add_pkeyfile(sctx, cbinfo, file, errstr)))
1494 return err;
1495 }
1496 else /* would there ever be a need for multiple client certs? */
1497 if ((err = tls_add_pkeyfile(sctx, cbinfo, expanded, errstr)))
1498 return err;
7be682ca
PP		 1499 }
1500
f2de3a33 1501#ifndef DISABLE_OCSP
f40d5be3 1502if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
3f7eeb86 1503 {
47195144 1504 /*XXX stack*/
cf0c6164 1505 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded, errstr))
3f7eeb86
PP		 1506 return DEFER;
1507
f40d5be3 1508 if (expanded && *expanded)
3f7eeb86
PP		 1509 {
1510 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
f40d5be3
JH		 1511 if ( cbinfo->u_ocsp.server.file_expanded
1512 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
3f7eeb86 1513 {
f40d5be3
JH		 1514 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1515 }
1516 else
f40d5be3 1517 ocsp_load_response(sctx, cbinfo, expanded);
3f7eeb86
PP		 1518 }
1519 }
1520#endif
1521
7be682ca
PP		 1522return OK;
1523}
1524
1525
1526
1527
1528/*************************************************
1529* Callback to handle SNI *
1530*************************************************/
1531
1532/* Called when acting as server during the TLS session setup if a Server Name
1533Indication extension was sent by the client.
1534
1535API documentation is OpenSSL s_server.c implementation.
1536
1537Arguments:
1538 s SSL* of the current session
1539 ad unknown (part of OpenSSL API) (unused)
1540 arg Callback of "our" registered data
1541
1542Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
b10c87b3
JH		 1543
1544XXX might need to change to using ClientHello callback,
1545per https://www.openssl.org/docs/manmaster/man3/SSL_client_hello_cb_fn.html
7be682ca
PP		 1546*/
1547
3bcbbbe2 1548#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca
PP		 1549static int
1550tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1551{
1552const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3f7eeb86 1553tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
7be682ca 1554int rc;
3f0945ff 1555int old_pool = store_pool;
cf0c6164 1556uschar * dummy_errstr;
7be682ca
PP		 1557
1558if (!servername)
1559 return SSL_TLSEXT_ERR_OK;
1560
3f0945ff 1561DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
7be682ca
PP		 1562 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1563
1564/* Make the extension value available for expansion */
3f0945ff 1565store_pool = POOL_PERM;
817d9f57 1566tls_in.sni = string_copy(US servername);
3f0945ff 1567store_pool = old_pool;
7be682ca
PP		 1568
1569if (!reexpand_tls_files_for_sni)
1570 return SSL_TLSEXT_ERR_OK;
1571
1572/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1573not confident that memcpy wouldn't break some internal reference counting.
1574Especially since there's a references struct member, which would be off. */
1575
7a8b9519
JH		 1576#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1577if (!(server_sni = SSL_CTX_new(TLS_server_method())))
1578#else
0df4ab80 1579if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
7a8b9519 1580#endif
7be682ca 1581 {
0abc5a13 1582 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
7be682ca 1583 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
5a2a0989 1584 goto bad;
7be682ca
PP		 1585 }
1586
1587/* Not sure how many of these are actually needed, since SSL object
1588already exists. Might even need this selfsame callback, for reneg? */
1589
817d9f57
JH		 1590SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1591SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1592SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1593SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1594SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1595SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
038597d2 1596
cf0c6164
JH		 1597if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1598 || !init_ecdh(server_sni, NULL, &dummy_errstr)
038597d2 1599 )
5a2a0989 1600 goto bad;
038597d2 1601
ca954d7f
JH		 1602if ( cbinfo->server_cipher_list
1603 && !SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list))
5a2a0989 1604 goto bad;
ca954d7f 1605
f2de3a33 1606#ifndef DISABLE_OCSP
f5d78688 1607if (cbinfo->u_ocsp.server.file)
3f7eeb86 1608 {
f5d78688 1609 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
14c7b357 1610 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
3f7eeb86
PP		 1611 }
1612#endif
7be682ca 1613
c3033f13 1614if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
cf0c6164 1615 verify_callback_server, &dummy_errstr)) != OK)
5a2a0989 1616 goto bad;
7be682ca 1617
3f7eeb86
PP		 1618/* do this after setup_certs, because this can require the certs for verifying
1619OCSP information. */
cf0c6164 1620if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
5a2a0989 1621 goto bad;
a799883d 1622
7be682ca 1623DEBUG(D_tls) debug_printf("Switching SSL context.\n");
817d9f57 1624SSL_set_SSL_CTX(s, server_sni);
7be682ca 1625return SSL_TLSEXT_ERR_OK;
5a2a0989
JH		 1626
1627bad: return SSL_TLSEXT_ERR_ALERT_FATAL;
7be682ca 1628}
3bcbbbe2 1629#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
7be682ca
PP		 1630
1631
1632
1633
f2de3a33 1634#ifndef DISABLE_OCSP
f5d78688 1635
3f7eeb86
PP		 1636/*************************************************
1637* Callback to handle OCSP Stapling *
1638*************************************************/
1639
1640/* Called when acting as server during the TLS session setup if the client
1641requests OCSP information with a Certificate Status Request.
1642
1643Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1644project.
1645
1646*/
1647
1648static int
f5d78688 1649tls_server_stapling_cb(SSL *s, void *arg)
3f7eeb86
PP		 1650{
1651const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
47195144 1652uschar *response_der; /*XXX blob */
3f7eeb86
PP		 1653int response_der_len;
1654
47195144
JH		 1655/*XXX stack: use SSL_get_certificate() to see which cert; from that work
1656out which ocsp blob to send. Unfortunately, SSL_get_certificate is known
1657buggy in current OpenSSL; it returns the last cert loaded always rather than
1658the one actually presented. So we can't support a stack of OCSP proofs at
1659this time. */
1660
af4a1bca 1661DEBUG(D_tls)
b3ef41c9 1662 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
f5d78688
JH		 1663 cbinfo->u_ocsp.server.response ? "have" : "lack");
1664
44662487 1665tls_in.ocsp = OCSP_NOT_RESP;
f5d78688 1666if (!cbinfo->u_ocsp.server.response)
3f7eeb86
PP		 1667 return SSL_TLSEXT_ERR_NOACK;
1668
1669response_der = NULL;
47195144 1670response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, /*XXX stack*/
44662487 1671 &response_der);
3f7eeb86
PP		 1672if (response_der_len <= 0)
1673 return SSL_TLSEXT_ERR_NOACK;
1674
5e55c7a9 1675SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
44662487 1676tls_in.ocsp = OCSP_VFIED;
3f7eeb86
PP		 1677return SSL_TLSEXT_ERR_OK;
1678}
1679
3f7eeb86 1680
f5d78688
JH		 1681static void
1682time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1683{
1684BIO_printf(bp, "\t%s: ", str);
1685ASN1_GENERALIZEDTIME_print(bp, time);
1686BIO_puts(bp, "\n");
1687}
1688
1689static int
1690tls_client_stapling_cb(SSL *s, void *arg)
1691{
1692tls_ext_ctx_cb * cbinfo = arg;
1693const unsigned char * p;
1694int len;
1695OCSP_RESPONSE * rsp;
1696OCSP_BASICRESP * bs;
1697int i;
1698
1699DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1700len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1701if(!p)
1702 {
44662487 1703 /* Expect this when we requested ocsp but got none */
6c6d6e48 1704 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
44662487 1705 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
f5d78688
JH		 1706 else
1707 DEBUG(D_tls) debug_printf(" null\n");
44662487 1708 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688 1709 }
018058b2 1710
f5d78688
JH		 1711if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1712 {
018058b2 1713 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1714 if (LOGGING(tls_cipher))
1eca31ca 1715 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
f5d78688
JH		 1716 else
1717 DEBUG(D_tls) debug_printf(" parse error\n");
1718 return 0;
1719 }
1720
1721if(!(bs = OCSP_response_get1_basic(rsp)))
1722 {
018058b2 1723 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1724 if (LOGGING(tls_cipher))
1eca31ca 1725 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
f5d78688
JH		 1726 else
1727 DEBUG(D_tls) debug_printf(" error parsing response\n");
1728 OCSP_RESPONSE_free(rsp);
1729 return 0;
1730 }
1731
1732/* We'd check the nonce here if we'd put one in the request. */
1733/* However that would defeat cacheability on the server so we don't. */
1734
f5d78688
JH		 1735/* This section of code reworked from OpenSSL apps source;
1736 The OpenSSL Project retains copyright:
1737 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1738*/
1739 {
1740 BIO * bp = NULL;
f5d78688
JH		 1741 int status, reason;
1742 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1743
57887ecc 1744 DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
f5d78688
JH		 1745
1746 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1747
1748 /* Use the chain that verified the server cert to verify the stapled info */
1749 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1750
c3033f13 1751 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
44662487 1752 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
f5d78688 1753 {
018058b2 1754 tls_out.ocsp = OCSP_FAILED;
57887ecc
JH		 1755 if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
1756 "Received TLS cert status response, itself unverifiable: %s",
1757 ERR_reason_error_string(ERR_peek_error()));
f5d78688
JH		 1758 BIO_printf(bp, "OCSP response verify failure\n");
1759 ERR_print_errors(bp);
57887ecc 1760 OCSP_RESPONSE_print(bp, rsp, 0);
c8dfb21d 1761 goto failed;
f5d78688
JH		 1762 }
1763
1764 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1765
c8dfb21d
JH		 1766 /*XXX So we have a good stapled OCSP status. How do we know
1767 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1768 OCSP_resp_find_status() which matches on a cert id, which presumably
1769 we should use. Making an id needs OCSP_cert_id_new(), which takes
1770 issuerName, issuerKey, serialNumber. Are they all in the cert?
1771
1772 For now, carry on blindly accepting the resp. */
1773
f5d78688 1774 {
f5d78688
JH		 1775 OCSP_SINGLERESP * single;
1776
c8dfb21d
JH		 1777#ifdef EXIM_HAVE_OCSP_RESP_COUNT
1778 if (OCSP_resp_count(bs) != 1)
1779#else
1780 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
f5d78688 1781 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
c8dfb21d 1782#endif
f5d78688 1783 {
018058b2 1784 tls_out.ocsp = OCSP_FAILED;
44662487
JH		 1785 log_write(0, LOG_MAIN, "OCSP stapling "
1786 "with multiple responses not handled");
c8dfb21d 1787 goto failed;
f5d78688
JH		 1788 }
1789 single = OCSP_resp_get0(bs, 0);
44662487
JH		 1790 status = OCSP_single_get0_status(single, &reason, &rev,
1791 &thisupd, &nextupd);
f5d78688
JH		 1792 }
1793
f5d78688
JH		 1794 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1795 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
44662487
JH		 1796 if (!OCSP_check_validity(thisupd, nextupd,
1797 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
f5d78688 1798 {
018058b2 1799 tls_out.ocsp = OCSP_FAILED;
f5d78688
JH		 1800 DEBUG(D_tls) ERR_print_errors(bp);
1801 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
f5d78688 1802 }
44662487 1803 else
f5d78688 1804 {
44662487
JH		 1805 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1806 OCSP_cert_status_str(status));
1807 switch(status)
1808 {
1809 case V_OCSP_CERTSTATUS_GOOD:
44662487 1810 tls_out.ocsp = OCSP_VFIED;
018058b2 1811 i = 1;
c8dfb21d 1812 goto good;
44662487 1813 case V_OCSP_CERTSTATUS_REVOKED:
018058b2 1814 tls_out.ocsp = OCSP_FAILED;
44662487
JH		 1815 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1816 reason != -1 ? "; reason: " : "",
1817 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1818 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
44662487
JH		 1819 break;
1820 default:
018058b2 1821 tls_out.ocsp = OCSP_FAILED;
44662487
JH		 1822 log_write(0, LOG_MAIN,
1823 "Server certificate status unknown, in OCSP stapling");
44662487
JH		 1824 break;
1825 }
f5d78688 1826 }
c8dfb21d
JH		 1827 failed:
1828 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1829 good:
f5d78688
JH		 1830 BIO_free(bp);
1831 }
1832
1833OCSP_RESPONSE_free(rsp);
1834return i;
1835}
f2de3a33 1836#endif /*!DISABLE_OCSP*/
3f7eeb86
PP		 1837
1838
059ec3d9
PH		 1839/*************************************************
1840* Initialize for TLS *
1841*************************************************/
1842
e51c7be2
JH		 1843/* Called from both server and client code, to do preliminary initialization
1844of the library. We allocate and return a context structure.
059ec3d9
PH		 1845
1846Arguments:
946ecbe0 1847 ctxp returned SSL context
059ec3d9
PH		 1848 host connected host, if client; NULL if server
1849 dhparam DH parameter file
1850 certificate certificate file
1851 privatekey private key
f5d78688 1852 ocsp_file file of stapling info (server); flag for require ocsp (client)
059ec3d9 1853 addr address if client; NULL if server (for some randomness)
946ecbe0 1854 cbp place to put allocated callback context
cf0c6164 1855 errstr error string pointer
059ec3d9
PH		 1856
1857Returns: OK/DEFER/FAIL
1858*/
1859
1860static int
817d9f57 1861tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
3f7eeb86 1862 uschar *privatekey,
f2de3a33 1863#ifndef DISABLE_OCSP
47195144 1864 uschar *ocsp_file, /*XXX stack, in server*/
3f7eeb86 1865#endif
b10c87b3
JH		 1866 address_item *addr, tls_ext_ctx_cb ** cbp,
1867 tls_support * tlsp,
1868 uschar ** errstr)
059ec3d9 1869{
7006ee24 1870SSL_CTX * ctx;
77bb000f 1871long init_options;
7be682ca 1872int rc;
a7538db1 1873tls_ext_ctx_cb * cbinfo;
7be682ca
PP		 1874
1875cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
b10c87b3 1876cbinfo->tlsp = tlsp;
7be682ca
PP		 1877cbinfo->certificate = certificate;
1878cbinfo->privatekey = privatekey;
a6510420 1879cbinfo->is_server = host==NULL;
f2de3a33 1880#ifndef DISABLE_OCSP
c3033f13 1881cbinfo->verify_stack = NULL;
a6510420 1882if (!host)
f5d78688
JH		 1883 {
1884 cbinfo->u_ocsp.server.file = ocsp_file;
1885 cbinfo->u_ocsp.server.file_expanded = NULL;
1886 cbinfo->u_ocsp.server.response = NULL;
1887 }
1888else
1889 cbinfo->u_ocsp.client.verify_store = NULL;
3f7eeb86 1890#endif
7be682ca 1891cbinfo->dhparam = dhparam;
0df4ab80 1892cbinfo->server_cipher_list = NULL;
7be682ca 1893cbinfo->host = host;
0cbf2b82 1894#ifndef DISABLE_EVENT
a7538db1
JH		 1895cbinfo->event_action = NULL;
1896#endif
77bb000f 1897
7434882d 1898#ifdef EXIM_NEED_OPENSSL_INIT
059ec3d9
PH		 1899SSL_load_error_strings(); /* basic set up */
1900OpenSSL_add_ssl_algorithms();
7434882d 1901#endif
059ec3d9 1902
c8dfb21d 1903#ifdef EXIM_HAVE_SHA256
77bb000f 1904/* SHA256 is becoming ever more popular. This makes sure it gets added to the
a0475b69
TK		 1905list of available digests. */
1906EVP_add_digest(EVP_sha256());
cf1ef1a9 1907#endif
a0475b69 1908
f0f5a555
PP		 1909/* Create a context.
1910The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1911negotiation in the different methods; as far as I can tell, the only
1912*_{server,client}_method which allows negotiation is SSLv23, which exists even
1913when OpenSSL is built without SSLv2 support.
1914By disabling with openssl_options, we can let admins re-enable with the
1915existing knob. */
059ec3d9 1916
7a8b9519
JH		 1917#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1918if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
1919#else
7006ee24 1920if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
7a8b9519 1921#endif
7006ee24 1922 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
059ec3d9
PH		 1923
1924/* It turns out that we need to seed the random number generator this early in
1925order to get the full complement of ciphers to work. It took me roughly a day
1926of work to discover this by experiment.
1927
1928On systems that have /dev/urandom, SSL may automatically seed itself from
1929there. Otherwise, we have to make something up as best we can. Double check
1930afterwards. */
1931
1932if (!RAND_status())
1933 {
1934 randstuff r;
9e3331ea 1935 gettimeofday(&r.tv, NULL);
059ec3d9
PH		 1936 r.p = getpid();
1937
5903c6ff
JH		 1938 RAND_seed(US (&r), sizeof(r));
1939 RAND_seed(US big_buffer, big_buffer_size);
1940 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
059ec3d9
PH		 1941
1942 if (!RAND_status())
7199e1ee 1943 return tls_error(US"RAND_status", host,
cf0c6164 1944 US"unable to seed random number generator", errstr);
059ec3d9
PH		 1945 }
1946
1947/* Set up the information callback, which outputs if debugging is at a suitable
1948level. */
1949
b10c87b3
JH		 1950DEBUG(D_tls)
1951 {
1952 SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
e570d136
JH		 1953#if defined(EXIM_HAVE_OPESSL_TRACE) && !defined(OPENSSL_NO_SSL_TRACE)
1954 /* this needs a debug build of OpenSSL */
b10c87b3
JH		 1955 SSL_CTX_set_msg_callback(ctx, (void (*)())SSL_trace);
1956#endif
8a40db1c 1957#ifdef OPENSSL_HAVE_KEYLOG_CB
b10c87b3 1958 SSL_CTX_set_keylog_callback(ctx, (void (*)())keylog_callback);
8a40db1c 1959#endif
b10c87b3 1960 }
059ec3d9 1961
c80c5570 1962/* Automatically re-try reads/writes after renegotiation. */
7006ee24 1963(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
c80c5570 1964
77bb000f
PP		 1965/* Apply administrator-supplied work-arounds.
1966Historically we applied just one requested option,
1967SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1968moved to an administrator-controlled list of options to specify and
1969grandfathered in the first one as the default value for "openssl_options".
059ec3d9 1970
77bb000f
PP		 1971No OpenSSL version number checks: the options we accept depend upon the
1972availability of the option value macros from OpenSSL. */
059ec3d9 1973
7006ee24 1974if (!tls_openssl_options_parse(openssl_options, &init_options))
cf0c6164 1975 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
77bb000f 1976
b10c87b3
JH		 1977#ifdef EXPERIMENTAL_TLS_RESUME
1978tlsp->resumption = RESUME_SUPPORTED;
1979#endif
77bb000f
PP		 1980if (init_options)
1981 {
b10c87b3
JH		 1982#ifdef EXPERIMENTAL_TLS_RESUME
1983 /* Should the server offer session resumption? */
1984 if (!host && verify_check_host(&tls_resumption_hosts) == OK)
1985 {
1986 DEBUG(D_tls) debug_printf("tls_resumption_hosts overrides openssl_options\n");
1987 init_options &= ~SSL_OP_NO_TICKET;
1988 tlsp->resumption |= RESUME_SERVER_TICKET; /* server will give ticket on request */
1989 tlsp->host_resumable = TRUE;
1990 }
1991#endif
1992
77bb000f 1993 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
7006ee24 1994 if (!(SSL_CTX_set_options(ctx, init_options)))
77bb000f 1995 return tls_error(string_sprintf(
cf0c6164 1996 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
77bb000f
PP		 1997 }
1998else
1999 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9 2000
a28050f8
JH		 2001/* We'd like to disable session cache unconditionally, but foolish Outlook
2002Express clients then give up the first TLS connection and make a second one
2003(which works). Only when there is an IMAP service on the same machine.
2004Presumably OE is trying to use the cache for A on B. Leave it enabled for
2005now, until we work out a decent way of presenting control to the config. It
2006will never be used because we use a new context every time. */
2007#ifdef notdef
7006ee24 2008(void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
a28050f8 2009#endif
7006ee24 2010
059ec3d9 2011/* Initialize with DH parameters if supplied */
10ca4f1c 2012/* Initialize ECDH temp key parameter selection */
059ec3d9 2013
7006ee24
JH		 2014if ( !init_dh(ctx, dhparam, host, errstr)
2015 || !init_ecdh(ctx, host, errstr)
038597d2
PP		 2016 )
2017 return DEFER;
059ec3d9 2018
3f7eeb86 2019/* Set up certificate and key (and perhaps OCSP info) */
059ec3d9 2020
7006ee24 2021if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
23bb6982 2022 return rc;
c91535f3 2023
c3033f13
JH		 2024/* If we need to handle SNI or OCSP, do so */
2025
3bcbbbe2 2026#ifdef EXIM_HAVE_OPENSSL_TLSEXT
c3033f13
JH		 2027# ifndef DISABLE_OCSP
2028 if (!(cbinfo->verify_stack = sk_X509_new_null()))
2029 {
2030 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
2031 return FAIL;
2032 }
2033# endif
2034
7a8b9519 2035if (!host) /* server */
3f0945ff 2036 {
f2de3a33 2037# ifndef DISABLE_OCSP
f5d78688 2038 /* We check u_ocsp.server.file, not server.response, because we care about if
3f7eeb86
PP		 2039 the option exists, not what the current expansion might be, as SNI might
2040 change the certificate and OCSP file in use between now and the time the
2041 callback is invoked. */
f5d78688 2042 if (cbinfo->u_ocsp.server.file)
3f7eeb86 2043 {
7006ee24
JH		 2044 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
2045 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
3f7eeb86 2046 }
f5d78688 2047# endif
3f0945ff
PP		 2048 /* We always do this, so that $tls_sni is available even if not used in
2049 tls_certificate */
7006ee24
JH		 2050 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
2051 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
3f0945ff 2052 }
f2de3a33 2053# ifndef DISABLE_OCSP
f5d78688
JH		 2054else /* client */
2055 if(ocsp_file) /* wanting stapling */
2056 {
2057 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
2058 {
2059 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
2060 return FAIL;
2061 }
7006ee24
JH		 2062 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
2063 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
f5d78688
JH		 2064 }
2065# endif
7be682ca 2066#endif
059ec3d9 2067
e51c7be2 2068cbinfo->verify_cert_hostnames = NULL;
e51c7be2 2069
c8dfb21d 2070#ifdef EXIM_HAVE_EPHEM_RSA_KEX
059ec3d9 2071/* Set up the RSA callback */
7006ee24 2072SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
c8dfb21d 2073#endif
059ec3d9 2074
b10c87b3
JH		 2075/* Finally, set the session cache timeout, and we are done.
2076The period appears to be also used for (server-generated) session tickets */
059ec3d9 2077
7006ee24 2078SSL_CTX_set_timeout(ctx, ssl_session_timeout);
059ec3d9 2079DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca 2080
817d9f57 2081*cbp = cbinfo;
7006ee24 2082*ctxp = ctx;
7be682ca 2083
059ec3d9
PH		 2084return OK;
2085}
2086
2087
2088
2089
2090/*************************************************
2091* Get name of cipher in use *
2092*************************************************/
2093
817d9f57 2094/*
059ec3d9 2095Argument: pointer to an SSL structure for the connection
817d9f57 2096 pointer to number of bits for cipher
f1be21cf 2097Returns: pointer to allocated string in perm-pool
059ec3d9
PH		 2098*/
2099
f1be21cf
JH		 2100static uschar *
2101construct_cipher_name(SSL * ssl, int * bits)
059ec3d9 2102{
f1be21cf 2103int pool = store_pool;
7a8b9519 2104/* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
57b3a7f5
PP		 2105yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
2106the accessor functions use const in the prototype. */
059ec3d9 2107
7a8b9519
JH		 2108const uschar * ver = CUS SSL_get_version(ssl);
2109const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
f1be21cf 2110uschar * s;
059ec3d9 2111
817d9f57 2112SSL_CIPHER_get_bits(c, bits);
059ec3d9 2113
f1be21cf
JH		 2114store_pool = POOL_PERM;
2115s = string_sprintf("%s:%s:%u", ver, SSL_CIPHER_get_name(c), *bits);
2116store_pool = pool;
2117DEBUG(D_tls) debug_printf("Cipher: %s\n", s);
2118return s;
2119}
2120
059ec3d9 2121
f1be21cf
JH		 2122/* Get IETF-standard name for ciphersuite.
2123Argument: pointer to an SSL structure for the connection
2124Returns: pointer to string
2125*/
2126
2127static const uschar *
2128cipher_stdname_ssl(SSL * ssl)
2129{
2130#ifdef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
2131return CUS SSL_CIPHER_standard_name(SSL_get_current_cipher(ssl));
2132#else
2133ushort id = 0xffff & SSL_CIPHER_get_id(SSL_get_current_cipher(ssl));
2134return cipher_stdname(id >> 8, id & 0xff);
2135#endif
059ec3d9
PH		 2136}
2137
2138
f69979cf 2139static void
70e384dd 2140peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
f69979cf
JH		 2141{
2142/*XXX we might consider a list-of-certs variable for the cert chain.
2143SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
2144in list-handling functions, also consider the difference between the entire
2145chain and the elements sent by the peer. */
2146
70e384dd
JH		 2147tlsp->peerdn = NULL;
2148
f69979cf
JH		 2149/* Will have already noted peercert on a verify fail; possibly not the leaf */
2150if (!tlsp->peercert)
2151 tlsp->peercert = SSL_get_peer_certificate(ssl);
2152/* Beware anonymous ciphers which lead to server_cert being NULL */
2153if (tlsp->peercert)
70e384dd
JH		 2154 if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
2155 { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
2156 else
2157 {
4a1bd6b9
JH		 2158 int oldpool = store_pool;
2159
2160 peerdn[siz-1] = '\0'; /* paranoia */
2161 store_pool = POOL_PERM;
2162 tlsp->peerdn = string_copy(peerdn);
2163 store_pool = oldpool;
2164
2165 /* We used to set CV in the cert-verify callbacks (either plain or dane)
2166 but they don't get called on session-resumption. So use the official
2167 interface, which uses the resumed value. Unfortunately this claims verified
2168 when it actually failed but we're in try-verify mode, due to us wanting the
2169 knowlege that it failed so needing to have the callback and forcing a
2170 permissive return. If we don't force it, the TLS startup is failed.
2171 Hence the verify_override bodge - though still a problem for resumption. */
2172
2173 if (!tlsp->verify_override)
2174 tlsp->certificate_verified = SSL_get_verify_result(ssl) == X509_V_OK;
70e384dd 2175 }
f69979cf
JH		 2176}
2177
2178
059ec3d9
PH		 2179
2180
2181
2182/*************************************************
2183* Set up for verifying certificates *
2184*************************************************/
2185
0e8aed8a 2186#ifndef DISABLE_OCSP
c3033f13
JH		 2187/* Load certs from file, return TRUE on success */
2188
2189static BOOL
2190chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
2191{
2192BIO * bp;
2193X509 * x;
2194
dec766a1
WB		 2195while (sk_X509_num(verify_stack) > 0)
2196 X509_free(sk_X509_pop(verify_stack));
2197
c3033f13
JH		 2198if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
2199while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
2200 sk_X509_push(verify_stack, x);
2201BIO_free(bp);
2202return TRUE;
2203}
0e8aed8a 2204#endif
c3033f13
JH		 2205
2206
2207
dec766a1
WB		 2208/* Called by both client and server startup; on the server possibly
2209repeated after a Server Name Indication.
059ec3d9
PH		 2210
2211Arguments:
7be682ca 2212 sctx SSL_CTX* to initialise
059ec3d9
PH		 2213 certs certs file or NULL
2214 crl CRL file or NULL
2215 host NULL in a server; the remote host in a client
2216 optional TRUE if called from a server for a host in tls_try_verify_hosts;
2217 otherwise passed as FALSE
983207c1 2218 cert_vfy_cb Callback function for certificate verification
cf0c6164 2219 errstr error string pointer
059ec3d9
PH		 2220
2221Returns: OK/DEFER/FAIL
2222*/
2223
2224static int
983207c1 2225setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 2226 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
059ec3d9
PH		 2227{
2228uschar *expcerts, *expcrl;
2229
cf0c6164 2230if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
059ec3d9 2231 return DEFER;
57cc2785 2232DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
059ec3d9 2233
10a831a3 2234if (expcerts && *expcerts)
059ec3d9 2235 {
10a831a3
JH		 2236 /* Tell the library to use its compiled-in location for the system default
2237 CA bundle. Then add the ones specified in the config, if any. */
cb1d7830 2238
10a831a3 2239 if (!SSL_CTX_set_default_verify_paths(sctx))
cf0c6164 2240 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
10a831a3
JH		 2241
2242 if (Ustrcmp(expcerts, "system") != 0)
059ec3d9 2243 {
cb1d7830
JH		 2244 struct stat statbuf;
2245
cb1d7830
JH		 2246 if (Ustat(expcerts, &statbuf) < 0)
2247 {
2248 log_write(0, LOG_MAIN|LOG_PANIC,
2249 "failed to stat %s for certificates", expcerts);
2250 return DEFER;
2251 }
059ec3d9 2252 else
059ec3d9 2253 {
cb1d7830
JH		 2254 uschar *file, *dir;
2255 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
2256 { file = NULL; dir = expcerts; }
2257 else
c3033f13
JH		 2258 {
2259 file = expcerts; dir = NULL;
2260#ifndef DISABLE_OCSP
2261 /* In the server if we will be offering an OCSP proof, load chain from
2262 file for verifying the OCSP proof at load time. */
2263
2264 if ( !host
2265 && statbuf.st_size > 0
2266 && server_static_cbinfo->u_ocsp.server.file
2267 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
2268 )
2269 {
2270 log_write(0, LOG_MAIN|LOG_PANIC,
57887ecc 2271 "failed to load cert chain from %s", file);
c3033f13
JH		 2272 return DEFER;
2273 }
2274#endif
2275 }
cb1d7830
JH		 2276
2277 /* If a certificate file is empty, the next function fails with an
2278 unhelpful error message. If we skip it, we get the correct behaviour (no
2279 certificates are recognized, but the error message is still misleading (it
c3033f13 2280 says no certificate was supplied). But this is better. */
cb1d7830 2281
f2f2c91b
JH		 2282 if ( (!file || statbuf.st_size > 0)
2283 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
cf0c6164 2284 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
cb1d7830
JH		 2285
2286 /* Load the list of CAs for which we will accept certs, for sending
2287 to the client. This is only for the one-file tls_verify_certificates
2288 variant.
d7978c0f
JH		 2289 If a list isn't loaded into the server, but some verify locations are set,
2290 the server end appears to make a wildcard request for client certs.
10a831a3 2291 Meanwhile, the client library as default behaviour *ignores* the list
cb1d7830
JH		 2292 we send over the wire - see man SSL_CTX_set_client_cert_cb.
2293 Because of this, and that the dir variant is likely only used for
d7978c0f
JH		 2294 the public-CA bundle (not for a private CA), not worth fixing. */
2295
f2f2c91b 2296 if (file)
cb1d7830 2297 {
2009ecca 2298 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
dec766a1
WB		 2299
2300 SSL_CTX_set_client_CA_list(sctx, names);
f2f2c91b 2301 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
cb1d7830 2302 sk_X509_NAME_num(names));
cb1d7830 2303 }
059ec3d9
PH		 2304 }
2305 }
2306
2307 /* Handle a certificate revocation list. */
2308
10a831a3 2309#if OPENSSL_VERSION_NUMBER > 0x00907000L
059ec3d9 2310
8b417f2c 2311 /* This bit of code is now the version supplied by Lars Mainka. (I have
10a831a3 2312 merely reformatted it into the Exim code style.)
8b417f2c 2313
10a831a3
JH		 2314 "From here I changed the code to add support for multiple crl's
2315 in pem format in one file or to support hashed directory entries in
2316 pem format instead of a file. This method now uses the library function
2317 X509_STORE_load_locations to add the CRL location to the SSL context.
2318 OpenSSL will then handle the verify against CA certs and CRLs by
2319 itself in the verify callback." */
8b417f2c 2320
cf0c6164 2321 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
10a831a3 2322 if (expcrl && *expcrl)
059ec3d9 2323 {
8b417f2c
PH		 2324 struct stat statbufcrl;
2325 if (Ustat(expcrl, &statbufcrl) < 0)
2326 {
2327 log_write(0, LOG_MAIN|LOG_PANIC,
2328 "failed to stat %s for certificates revocation lists", expcrl);
2329 return DEFER;
2330 }
2331 else
059ec3d9 2332 {
8b417f2c
PH		 2333 /* is it a file or directory? */
2334 uschar *file, *dir;
7be682ca 2335 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 2336 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 2337 {
8b417f2c
PH		 2338 file = NULL;
2339 dir = expcrl;
2340 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH		 2341 }
2342 else
2343 {
8b417f2c
PH		 2344 file = expcrl;
2345 dir = NULL;
2346 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 2347 }
8b417f2c 2348 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
cf0c6164 2349 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
8b417f2c
PH		 2350
2351 /* setting the flags to check against the complete crl chain */
2352
2353 X509_STORE_set_flags(cvstore,
2354 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 2355 }
059ec3d9
PH		 2356 }
2357
10a831a3 2358#endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
059ec3d9
PH		 2359
2360 /* If verification is optional, don't fail if no certificate */
2361
7be682ca 2362 SSL_CTX_set_verify(sctx,
5a2a0989 2363 SSL_VERIFY_PEER | (optional ? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
983207c1 2364 cert_vfy_cb);
059ec3d9
PH		 2365 }
2366
2367return OK;
2368}
2369
2370
2371
2372/*************************************************
2373* Start a TLS session in a server *
2374*************************************************/
2375
2376/* This is called when Exim is running as a server, after having received
2377the STARTTLS command. It must respond to that command, and then negotiate
2378a TLS session.
2379
2380Arguments:
2381 require_ciphers allowed ciphers
cf0c6164 2382 errstr pointer to error message
059ec3d9
PH		 2383
2384Returns: OK on success
2385 DEFER for errors before the start of the negotiation
4c04137d 2386 FAIL for errors during the negotiation; the server can't
059ec3d9
PH		 2387 continue running.
2388*/
2389
2390int
cf0c6164 2391tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH		 2392{
2393int rc;
cf0c6164
JH		 2394uschar * expciphers;
2395tls_ext_ctx_cb * cbinfo;
f69979cf 2396static uschar peerdn[256];
059ec3d9
PH		 2397
2398/* Check for previous activation */
2399
74f1a423 2400if (tls_in.active.sock >= 0)
059ec3d9 2401 {
cf0c6164 2402 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
925ac8e4 2403 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH		 2404 return FAIL;
2405 }
2406
2407/* Initialize the SSL library. If it fails, it will already have logged
2408the error. */
2409
817d9f57 2410rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
f2de3a33 2411#ifndef DISABLE_OCSP
47195144 2412 tls_ocsp_file, /*XXX stack*/
3f7eeb86 2413#endif
b10c87b3 2414 NULL, &server_static_cbinfo, &tls_in, errstr);
059ec3d9 2415if (rc != OK) return rc;
817d9f57 2416cbinfo = server_static_cbinfo;
059ec3d9 2417
cf0c6164 2418if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
059ec3d9
PH		 2419 return FAIL;
2420
2421/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
17c76198
PP		 2422were historically separated by underscores. So that I can use either form in my
2423tests, and also for general convenience, we turn underscores into hyphens here.
0c3807a8
JH		 2424
2425XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
2426for TLS 1.3 . Since we do not call it at present we get the default list:
2427TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
17c76198 2428*/
059ec3d9 2429
c3033f13 2430if (expciphers)
059ec3d9 2431 {
b10c87b3 2432 for (uschar * s = expciphers; *s; s++ ) if (*s == '_') *s = '-';
059ec3d9 2433 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 2434 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
cf0c6164 2435 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
7be682ca 2436 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH		 2437 }
2438
2439/* If this is a host for which certificate verification is mandatory or
2440optional, set up appropriately. */
2441
817d9f57 2442tls_in.certificate_verified = FALSE;
c0635b6d 2443#ifdef SUPPORT_DANE
53a7196b
JH		 2444tls_in.dane_verified = FALSE;
2445#endif
a2ff477a 2446server_verify_callback_called = FALSE;
059ec3d9
PH		 2447
2448if (verify_check_host(&tls_verify_hosts) == OK)
2449 {
983207c1 2450 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
afdb5e9c 2451 FALSE, verify_callback_server, errstr);
059ec3d9 2452 if (rc != OK) return rc;
a2ff477a 2453 server_verify_optional = FALSE;
059ec3d9
PH		 2454 }
2455else if (verify_check_host(&tls_try_verify_hosts) == OK)
2456 {
983207c1 2457 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
afdb5e9c 2458 TRUE, verify_callback_server, errstr);
059ec3d9 2459 if (rc != OK) return rc;
a2ff477a 2460 server_verify_optional = TRUE;
059ec3d9
PH		 2461 }
2462
b10c87b3
JH		 2463#ifdef EXPERIMENTAL_TLS_RESUME
2464SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, ticket_key_callback);
2465/* despite working, appears to always return failure, so ignoring */
2466#endif
2467#ifdef OPENSSL_HAVE_NUM_TICKETS
2468# ifdef EXPERIMENTAL_TLS_RESUME
2469SSL_CTX_set_num_tickets(server_ctx, tls_in.host_resumable ? 1 : 0);
2470# else
2471SSL_CTX_set_num_tickets(server_ctx, 0); /* send no TLS1.3 stateful-tickets */
2472# endif
2473#endif
2474
2475
059ec3d9
PH		 2476/* Prepare for new connection */
2477
cf0c6164
JH		 2478if (!(server_ssl = SSL_new(server_ctx)))
2479 return tls_error(US"SSL_new", NULL, NULL, errstr);
da3ad30d
PP		 2480
2481/* Warning: we used to SSL_clear(ssl) here, it was removed.
2482 *
2483 * With the SSL_clear(), we get strange interoperability bugs with
2484 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
2485 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
2486 *
2487 * The SSL_clear() call is to let an existing SSL* be reused, typically after
2488 * session shutdown. In this case, we have a brand new object and there's no
2489 * obvious reason to immediately clear it. I'm guessing that this was
2490 * originally added because of incomplete initialisation which the clear fixed,
2491 * in some historic release.
2492 */
059ec3d9
PH		 2493
2494/* Set context and tell client to go ahead, except in the case of TLS startup
2495on connection, where outputting anything now upsets the clients and tends to
2496make them disconnect. We need to have an explicit fflush() here, to force out
2497the response. Other smtp_printf() calls do not need it, because in non-TLS
2498mode, the fflush() happens when smtp_getc() is called. */
2499
817d9f57
JH		 2500SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
2501if (!tls_in.on_connect)
059ec3d9 2502 {
925ac8e4 2503 smtp_printf("220 TLS go ahead\r\n", FALSE);
059ec3d9
PH		 2504 fflush(smtp_out);
2505 }
2506
2507/* Now negotiate the TLS session. We put our own timer on it, since it seems
2508that the OpenSSL library doesn't. */
2509
817d9f57
JH		 2510SSL_set_wfd(server_ssl, fileno(smtp_out));
2511SSL_set_rfd(server_ssl, fileno(smtp_in));
2512SSL_set_accept_state(server_ssl);
059ec3d9
PH		 2513
2514DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
2515
2516sigalrm_seen = FALSE;
c2a1bba0 2517if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
817d9f57 2518rc = SSL_accept(server_ssl);
c2a1bba0 2519ALARM_CLR(0);
059ec3d9
PH		 2520
2521if (rc <= 0)
2522 {
cf0c6164 2523 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
059ec3d9
PH		 2524 return FAIL;
2525 }
2526
2527DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
25fa0868 2528ERR_clear_error(); /* Even success can leave errors in the stack. Seen with
b10c87b3
JH		 2529 anon-authentication ciphersuite negotiated. */
2530
2531#ifdef EXPERIMENTAL_TLS_RESUME
2532if (SSL_session_reused(server_ssl))
2533 {
2534 tls_in.resumption |= RESUME_USED;
2535 DEBUG(D_tls) debug_printf("Session reused\n");
2536 }
2537#endif
059ec3d9
PH		 2538
2539/* TLS has been set up. Adjust the input functions to read via TLS,
2540and initialize things. */
2541
f69979cf
JH		 2542peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2543
f1be21cf
JH		 2544tls_in.cipher = construct_cipher_name(server_ssl, &tls_in.bits);
2545tls_in.cipher_stdname = cipher_stdname_ssl(server_ssl);
2546
059ec3d9
PH		 2547DEBUG(D_tls)
2548 {
2549 uschar buf[2048];
f1be21cf 2550 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)))
059ec3d9 2551 debug_printf("Shared ciphers: %s\n", buf);
f20cfa4a
JH		 2552
2553#ifdef EXIM_HAVE_OPENSSL_KEYLOG
2554 {
10ed27e0 2555 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
f20cfa4a 2556 SSL_SESSION_print_keylog(bp, SSL_get_session(server_ssl));
f20cfa4a
JH		 2557 BIO_free(bp);
2558 }
2559#endif
b10c87b3
JH		 2560
2561#ifdef EXIM_HAVE_SESSION_TICKET
2562 {
2563 SSL_SESSION * ss = SSL_get_session(server_ssl);
40618fb6 2564 if (SSL_SESSION_has_ticket(ss)) /* 1.1.0 */
b10c87b3
JH		 2565 debug_printf("The session has a ticket, life %lu seconds\n",
2566 SSL_SESSION_get_ticket_lifetime_hint(ss));
2567 }
2568#endif
059ec3d9
PH		 2569 }
2570
9d1c15ef
JH		 2571/* Record the certificate we presented */
2572 {
2573 X509 * crt = SSL_get_certificate(server_ssl);
2574 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2575 }
059ec3d9 2576
817d9f57
JH		 2577/* Only used by the server-side tls (tls_in), including tls_getc.
2578 Client-side (tls_out) reads (seem to?) go via
2579 smtp_read_response()/ip_recv().
2580 Hence no need to duplicate for _in and _out.
2581 */
b808677c 2582if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9 2583ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
8b77d27a 2584ssl_xfer_eof = ssl_xfer_error = FALSE;
059ec3d9
PH		 2585
2586receive_getc = tls_getc;
0d81dabc 2587receive_getbuf = tls_getbuf;
584e96c6 2588receive_get_cache = tls_get_cache;
059ec3d9
PH		 2589receive_ungetc = tls_ungetc;
2590receive_feof = tls_feof;
2591receive_ferror = tls_ferror;
58eb016e 2592receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 2593
74f1a423
JH		 2594tls_in.active.sock = fileno(smtp_out);
2595tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */
059ec3d9
PH		 2596return OK;
2597}
2598
2599
2600
2601
043b1248
JH		 2602static int
2603tls_client_basic_ctx_init(SSL_CTX * ctx,
cf0c6164
JH		 2604 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2605 uschar ** errstr)
043b1248
JH		 2606{
2607int rc;
94431adb 2608/* stick to the old behaviour for compatibility if tls_verify_certificates is
043b1248
JH		 2609 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2610 the specified host patterns if one of them is defined */
2611
610ff438
JH		 2612if ( ( !ob->tls_verify_hosts
2613 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2614 )
3c07dd2d 2615 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
aa2a70ba 2616 )
043b1248 2617 client_verify_optional = FALSE;
3c07dd2d 2618else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
aa2a70ba
JH		 2619 client_verify_optional = TRUE;
2620else
2621 return OK;
2622
2623if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
cf0c6164
JH		 2624 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2625 errstr)) != OK)
aa2a70ba 2626 return rc;
043b1248 2627
3c07dd2d 2628if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
043b1248 2629 {
4af0d74a 2630 cbinfo->verify_cert_hostnames =
8c5d388a 2631#ifdef SUPPORT_I18N
4af0d74a
JH		 2632 string_domain_utf8_to_alabel(host->name, NULL);
2633#else
2634 host->name;
2635#endif
aa2a70ba
JH		 2636 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2637 cbinfo->verify_cert_hostnames);
043b1248 2638 }
043b1248
JH		 2639return OK;
2640}
059ec3d9 2641
fde080a4 2642
c0635b6d 2643#ifdef SUPPORT_DANE
fde080a4 2644static int
cf0c6164 2645dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
fde080a4 2646{
fde080a4
JH		 2647dns_scan dnss;
2648const char * hostnames[2] = { CS host->name, NULL };
2649int found = 0;
2650
2651if (DANESSL_init(ssl, NULL, hostnames) != 1)
cf0c6164 2652 return tls_error(US"hostnames load", host, NULL, errstr);
fde080a4 2653
d7978c0f 2654for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
fde080a4 2655 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1b76ad22 2656 ) if (rr->type == T_TLSA && rr->size > 3)
fde080a4 2657 {
c3033f13 2658 const uschar * p = rr->data;
fde080a4
JH		 2659 uint8_t usage, selector, mtype;
2660 const char * mdname;
2661
fde080a4 2662 usage = *p++;
133d2546
JH		 2663
2664 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2665 if (usage != 2 && usage != 3) continue;
2666
fde080a4
JH		 2667 selector = *p++;
2668 mtype = *p++;
2669
2670 switch (mtype)
2671 {
133d2546
JH		 2672 default: continue; /* Only match-types 0, 1, 2 are supported */
2673 case 0: mdname = NULL; break;
2674 case 1: mdname = "sha256"; break;
2675 case 2: mdname = "sha512"; break;
fde080a4
JH		 2676 }
2677
133d2546 2678 found++;
fde080a4
JH		 2679 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2680 {
2681 default:
cf0c6164 2682 return tls_error(US"tlsa load", host, NULL, errstr);
c035b645 2683 case 0: /* action not taken */
fde080a4
JH		 2684 case 1: break;
2685 }
594706ea
JH		 2686
2687 tls_out.tlsa_usage |= 1<<usage;
fde080a4
JH		 2688 }
2689
2690if (found)
2691 return OK;
2692
133d2546 2693log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
6ebd79ec 2694return DEFER;
fde080a4 2695}
c0635b6d 2696#endif /*SUPPORT_DANE*/
fde080a4
JH		 2697
2698
2699
b10c87b3
JH		 2700#ifdef EXPERIMENTAL_TLS_RESUME
2701/* On the client, get any stashed session for the given IP from hints db
2702and apply it to the ssl-connection for attempted resumption. */
2703
2704static void
2705tls_retrieve_session(tls_support * tlsp, SSL * ssl, const uschar * key)
2706{
2707tlsp->resumption |= RESUME_SUPPORTED;
2708if (tlsp->host_resumable)
2709 {
2710 dbdata_tls_session * dt;
2711 int len;
2712 open_db dbblock, * dbm_file;
2713
2714 tlsp->resumption |= RESUME_CLIENT_REQUESTED;
2715 DEBUG(D_tls) debug_printf("checking for resumable session for %s\n", key);
2716 if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
2717 {
2718 /* key for the db is the IP */
2719 if ((dt = dbfn_read_with_length(dbm_file, key, &len)))
2720 {
2721 SSL_SESSION * ss = NULL;
2722 const uschar * sess_asn1 = dt->session;
2723
2724 len -= sizeof(dbdata_tls_session);
2725 if (!(d2i_SSL_SESSION(&ss, &sess_asn1, (long)len)))
2726 {
2727 DEBUG(D_tls)
2728 {
2729 ERR_error_string_n(ERR_get_error(),
2730 ssl_errstring, sizeof(ssl_errstring));
2731 debug_printf("decoding session: %s\n", ssl_errstring);
2732 }
2733 }
2734 else if (!SSL_set_session(ssl, ss))
2735 {
2736 DEBUG(D_tls)
2737 {
2738 ERR_error_string_n(ERR_get_error(),
2739 ssl_errstring, sizeof(ssl_errstring));
2740 debug_printf("applying session to ssl: %s\n", ssl_errstring);
2741 }
2742 }
2743 else
2744 {
2745 DEBUG(D_tls) debug_printf("good session\n");
2746 tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
2747 }
2748 }
2749 else
2750 DEBUG(D_tls) debug_printf("no session record\n");
2751 dbfn_close(dbm_file);
2752 }
2753 }
2754}
2755
2756
2757/* On the client, save the session for later resumption */
2758
2759static int
2760tls_save_session_cb(SSL * ssl, SSL_SESSION * ss)
2761{
2762tls_ext_ctx_cb * cbinfo = SSL_get_ex_data(ssl, tls_exdata_idx);
2763tls_support * tlsp;
2764
2765DEBUG(D_tls) debug_printf("tls_save_session_cb\n");
2766
2767if (!cbinfo || !(tlsp = cbinfo->tlsp)->host_resumable) return 0;
2768
40618fb6
JH		 2769# ifdef OPENSSL_HAVE_NUM_TICKETS
2770if (SSL_SESSION_is_resumable(ss)) /* 1.1.1 */
2771# endif
b10c87b3
JH		 2772 {
2773 int len = i2d_SSL_SESSION(ss, NULL);
2774 int dlen = sizeof(dbdata_tls_session) + len;
2775 dbdata_tls_session * dt = store_get(dlen);
2776 uschar * s = dt->session;
2777 open_db dbblock, * dbm_file;
2778
2779 DEBUG(D_tls) debug_printf("session is resumable\n");
2780 tlsp->resumption |= RESUME_SERVER_TICKET; /* server gave us a ticket */
2781
2782 len = i2d_SSL_SESSION(ss, &s); /* s gets bumped to end */
2783
2784 if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
2785 {
2786 const uschar * key = cbinfo->host->address;
2787 dbfn_delete(dbm_file, key);
2788 dbfn_write(dbm_file, key, dt, dlen);
2789 dbfn_close(dbm_file);
2790 DEBUG(D_tls) debug_printf("wrote session (len %u) to db\n",
2791 (unsigned)dlen);
2792 }
2793 }
b10c87b3
JH		 2794return 1;
2795}
2796
2797
2798static void
2799tls_client_ctx_resume_prehandshake(
2800 exim_openssl_client_tls_ctx * exim_client_ctx, tls_support * tlsp,
2801 smtp_transport_options_block * ob, host_item * host)
2802{
2803/* Should the client request a session resumption ticket? */
2804if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
2805 {
2806 tlsp->host_resumable = TRUE;
2807
2808 SSL_CTX_set_session_cache_mode(exim_client_ctx->ctx,
2809 SSL_SESS_CACHE_CLIENT
2810 | SSL_SESS_CACHE_NO_INTERNAL | SSL_SESS_CACHE_NO_AUTO_CLEAR);
2811 SSL_CTX_sess_set_new_cb(exim_client_ctx->ctx, tls_save_session_cb);
2812 }
2813}
2814
2815static BOOL
2816tls_client_ssl_resume_prehandshake(SSL * ssl, tls_support * tlsp,
2817 host_item * host, uschar ** errstr)
2818{
2819if (tlsp->host_resumable)
2820 {
2821 DEBUG(D_tls)
2822 debug_printf("tls_resumption_hosts overrides openssl_options, enabling tickets\n");
2823 SSL_clear_options(ssl, SSL_OP_NO_TICKET);
2824
2825 tls_exdata_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
2826 if (!SSL_set_ex_data(ssl, tls_exdata_idx, client_static_cbinfo))
2827 {
2828 tls_error(US"set ex_data", host, NULL, errstr);
2829 return FALSE;
2830 }
2831 debug_printf("tls_exdata_idx %d cbinfo %p\n", tls_exdata_idx, client_static_cbinfo);
2832 }
2833
2834tlsp->resumption = RESUME_SUPPORTED;
2835/* Pick up a previous session, saved on an old ticket */
2836tls_retrieve_session(tlsp, ssl, host->address);
2837return TRUE;
2838}
2839
2840static void
2841tls_client_resume_posthandshake(exim_openssl_client_tls_ctx * exim_client_ctx,
2842 tls_support * tlsp)
2843{
2844if (SSL_session_reused(exim_client_ctx->ssl))
2845 {
2846 DEBUG(D_tls) debug_printf("The session was reused\n");
2847 tlsp->resumption |= RESUME_USED;
2848 }
2849}
2850#endif /* EXPERIMENTAL_TLS_RESUME */
2851
2852
059ec3d9
PH		 2853/*************************************************
2854* Start a TLS session in a client *
2855*************************************************/
2856
2857/* Called from the smtp transport after STARTTLS has been accepted.
2858
c05bdbd6
JH		 2859Arguments:
2860 cctx connection context
2861 conn_args connection details
2862 cookie datum for randomness; can be NULL
2863 tlsp record details of TLS channel configuration here; must be non-NULL
2864 errstr error string pointer
2865
2866Returns: TRUE for success with TLS session context set in connection context,
2867 FALSE on error
059ec3d9
PH		 2868*/
2869
c05bdbd6
JH		 2870BOOL
2871tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
2872 void * cookie, tls_support * tlsp, uschar ** errstr)
059ec3d9 2873{
c05bdbd6
JH		 2874host_item * host = conn_args->host; /* for msgs and option-tests */
2875transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
afdb5e9c
JH		 2876smtp_transport_options_block * ob = tb
2877 ? (smtp_transport_options_block *)tb->options_block
2878 : &smtp_transport_option_defaults;
74f1a423 2879exim_openssl_client_tls_ctx * exim_client_ctx;
868f5672 2880uschar * expciphers;
059ec3d9 2881int rc;
c05bdbd6 2882static uschar peerdn[256];
043b1248
JH		 2883
2884#ifndef DISABLE_OCSP
043b1248 2885BOOL request_ocsp = FALSE;
6634ac8d 2886BOOL require_ocsp = FALSE;
043b1248 2887#endif
043b1248 2888
74f1a423
JH		 2889rc = store_pool;
2890store_pool = POOL_PERM;
2891exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx));
c09dbcfb 2892exim_client_ctx->corked = NULL;
74f1a423
JH		 2893store_pool = rc;
2894
c0635b6d 2895#ifdef SUPPORT_DANE
74f1a423 2896tlsp->tlsa_usage = 0;
043b1248
JH		 2897#endif
2898
f2de3a33 2899#ifndef DISABLE_OCSP
043b1248 2900 {
c0635b6d 2901# ifdef SUPPORT_DANE
c05bdbd6 2902 if ( conn_args->dane
4f59c424
JH		 2903 && ob->hosts_request_ocsp[0] == '*'
2904 && ob->hosts_request_ocsp[1] == '\0'
2905 )
2906 {
2907 /* Unchanged from default. Use a safer one under DANE */
2908 request_ocsp = TRUE;
2909 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2910 " {= {4}{$tls_out_tlsa_usage}} } "
2911 " {*}{}}";
2912 }
2913# endif
2914
5130845b 2915 if ((require_ocsp =
3c07dd2d 2916 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
fca41d5a
JH		 2917 request_ocsp = TRUE;
2918 else
c0635b6d 2919# ifdef SUPPORT_DANE
4f59c424 2920 if (!request_ocsp)
fca41d5a 2921# endif
5130845b 2922 request_ocsp =
3c07dd2d 2923 verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
043b1248 2924 }
f5d78688 2925#endif
059ec3d9 2926
74f1a423 2927rc = tls_init(&exim_client_ctx->ctx, host, NULL,
65867078 2928 ob->tls_certificate, ob->tls_privatekey,
f2de3a33 2929#ifndef DISABLE_OCSP
44662487 2930 (void *)(long)request_ocsp,
3f7eeb86 2931#endif
b10c87b3 2932 cookie, &client_static_cbinfo, tlsp, errstr);
c05bdbd6 2933if (rc != OK) return FALSE;
059ec3d9 2934
74f1a423 2935tlsp->certificate_verified = FALSE;
a2ff477a 2936client_verify_callback_called = FALSE;
059ec3d9 2937
5ec37a55
PP		 2938expciphers = NULL;
2939#ifdef SUPPORT_DANE
c05bdbd6 2940if (conn_args->dane)
5ec37a55
PP		 2941 {
2942 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
2943 other failures should be treated as problems. */
2944 if (ob->dane_require_tls_ciphers &&
2945 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2946 &expciphers, errstr))
c05bdbd6 2947 return FALSE;
5ec37a55
PP		 2948 if (expciphers && *expciphers == '\0')
2949 expciphers = NULL;
2950 }
2951#endif
2952if (!expciphers &&
2953 !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
2954 &expciphers, errstr))
c05bdbd6 2955 return FALSE;
059ec3d9
PH		 2956
2957/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2958are separated by underscores. So that I can use either form in my tests, and
2959also for general convenience, we turn underscores into hyphens here. */
2960
cf0c6164 2961if (expciphers)
059ec3d9
PH		 2962 {
2963 uschar *s = expciphers;
cf0c6164 2964 while (*s) { if (*s == '_') *s = '-'; s++; }
059ec3d9 2965 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
74f1a423
JH		 2966 if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
2967 {
2968 tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
c05bdbd6 2969 return FALSE;
74f1a423 2970 }
059ec3d9
PH		 2971 }
2972
c0635b6d 2973#ifdef SUPPORT_DANE
c05bdbd6 2974if (conn_args->dane)
a63be306 2975 {
74f1a423 2976 SSL_CTX_set_verify(exim_client_ctx->ctx,
02af313d
JH		 2977 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2978 verify_callback_client_dane);
e5cccda9 2979
043b1248 2980 if (!DANESSL_library_init())
74f1a423
JH		 2981 {
2982 tls_error(US"library init", host, NULL, errstr);
c05bdbd6 2983 return FALSE;
74f1a423
JH		 2984 }
2985 if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
2986 {
2987 tls_error(US"context init", host, NULL, errstr);
c05bdbd6 2988 return FALSE;
74f1a423 2989 }
043b1248
JH		 2990 }
2991else
e51c7be2 2992
043b1248
JH		 2993#endif
2994
74f1a423
JH		 2995 if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
2996 client_static_cbinfo, errstr) != OK)
c05bdbd6 2997 return FALSE;
059ec3d9 2998
b10c87b3
JH		 2999#ifdef EXPERIMENTAL_TLS_RESUME
3000tls_client_ctx_resume_prehandshake(exim_client_ctx, tlsp, ob, host);
3001#endif
3002
3003
74f1a423
JH		 3004if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
3005 {
3006 tls_error(US"SSL_new", host, NULL, errstr);
c05bdbd6 3007 return FALSE;
74f1a423
JH		 3008 }
3009SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
b10c87b3
JH		 3010
3011#ifdef EXPERIMENTAL_TLS_RESUME
3012if (!tls_client_ssl_resume_prehandshake(exim_client_ctx->ssl, tlsp, host,
3013 errstr))
3014 return FALSE;
3015#endif
3016
c05bdbd6 3017SSL_set_fd(exim_client_ctx->ssl, cctx->sock);
74f1a423 3018SSL_set_connect_state(exim_client_ctx->ssl);
059ec3d9 3019
65867078 3020if (ob->tls_sni)
3f0945ff 3021 {
74f1a423 3022 if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
c05bdbd6 3023 return FALSE;
74f1a423 3024 if (!tlsp->sni)
2c9a0e86
PP		 3025 {
3026 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
3027 }
74f1a423
JH		 3028 else if (!Ustrlen(tlsp->sni))
3029 tlsp->sni = NULL;
3f0945ff
PP		 3030 else
3031 {
35731706 3032#ifdef EXIM_HAVE_OPENSSL_TLSEXT
74f1a423
JH		 3033 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
3034 SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
35731706 3035#else
66802652 3036 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
74f1a423 3037 tlsp->sni);
35731706 3038#endif
3f0945ff
PP		 3039 }
3040 }
3041
c0635b6d 3042#ifdef SUPPORT_DANE
c05bdbd6
JH		 3043if (conn_args->dane)
3044 if (dane_tlsa_load(exim_client_ctx->ssl, host, &conn_args->tlsa_dnsa, errstr) != OK)
3045 return FALSE;
594706ea
JH		 3046#endif
3047
f2de3a33 3048#ifndef DISABLE_OCSP
f5d78688
JH		 3049/* Request certificate status at connection-time. If the server
3050does OCSP stapling we will get the callback (set in tls_init()) */
c0635b6d 3051# ifdef SUPPORT_DANE
594706ea
JH		 3052if (request_ocsp)
3053 {
3054 const uschar * s;
41afb5cb
JH		 3055 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
3056 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
594706ea
JH		 3057 )
3058 { /* Re-eval now $tls_out_tlsa_usage is populated. If
3059 this means we avoid the OCSP request, we wasted the setup
3060 cost in tls_init(). */
3c07dd2d 3061 require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
5130845b 3062 request_ocsp = require_ocsp
3c07dd2d 3063 || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
594706ea
JH		 3064 }
3065 }
b50c8b84
JH		 3066# endif
3067
44662487
JH		 3068if (request_ocsp)
3069 {
74f1a423 3070 SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
44662487 3071 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
74f1a423 3072 tlsp->ocsp = OCSP_NOT_RESP;
44662487 3073 }
f5d78688
JH		 3074#endif
3075
0cbf2b82 3076#ifndef DISABLE_EVENT
afdb5e9c 3077client_static_cbinfo->event_action = tb ? tb->event_action : NULL;
a7538db1 3078#endif
043b1248 3079
059ec3d9
PH		 3080/* There doesn't seem to be a built-in timeout on connection. */
3081
3082DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
3083sigalrm_seen = FALSE;
c2a1bba0 3084ALARM(ob->command_timeout);
74f1a423 3085rc = SSL_connect(exim_client_ctx->ssl);
c2a1bba0 3086ALARM_CLR(0);
059ec3d9 3087
c0635b6d 3088#ifdef SUPPORT_DANE
c05bdbd6 3089if (conn_args->dane)
74f1a423 3090 DANESSL_cleanup(exim_client_ctx->ssl);
043b1248
JH		 3091#endif
3092
059ec3d9 3093if (rc <= 0)
74f1a423
JH		 3094 {
3095 tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
c05bdbd6 3096 return FALSE;
74f1a423 3097 }
059ec3d9 3098
f20cfa4a
JH		 3099DEBUG(D_tls)
3100 {
3101 debug_printf("SSL_connect succeeded\n");
3102#ifdef EXIM_HAVE_OPENSSL_KEYLOG
3103 {
10ed27e0
JH		 3104 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
3105 SSL_SESSION_print_keylog(bp, SSL_get_session(exim_client_ctx->ssl));
3106 BIO_free(bp);
f20cfa4a
JH		 3107 }
3108#endif
3109 }
059ec3d9 3110
b10c87b3
JH		 3111#ifdef EXPERIMENTAL_TLS_RESUME
3112tls_client_resume_posthandshake(exim_client_ctx, tlsp);
3113#endif
3114
74f1a423 3115peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
059ec3d9 3116
f1be21cf
JH		 3117tlsp->cipher = construct_cipher_name(exim_client_ctx->ssl, &tlsp->bits);
3118tlsp->cipher_stdname = cipher_stdname_ssl(exim_client_ctx->ssl);
059ec3d9 3119
9d1c15ef
JH		 3120/* Record the certificate we presented */
3121 {
74f1a423
JH		 3122 X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
3123 tlsp->ourcert = crt ? X509_dup(crt) : NULL;
9d1c15ef
JH		 3124 }
3125
c05bdbd6 3126tlsp->active.sock = cctx->sock;
74f1a423 3127tlsp->active.tls_ctx = exim_client_ctx;
c05bdbd6
JH		 3128cctx->tls_ctx = exim_client_ctx;
3129return TRUE;
059ec3d9
PH		 3130}
3131
3132
3133
3134
3135
0d81dabc
JH		 3136static BOOL
3137tls_refill(unsigned lim)
3138{
3139int error;
3140int inbytes;
3141
3142DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
3143 ssl_xfer_buffer, ssl_xfer_buffer_size);
3144
c2a1bba0 3145if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
0d81dabc
JH		 3146inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
3147 MIN(ssl_xfer_buffer_size, lim));
3148error = SSL_get_error(server_ssl, inbytes);
c2a1bba0 3149if (smtp_receive_timeout > 0) ALARM_CLR(0);
9723f966
JH		 3150
3151if (had_command_timeout) /* set by signal handler */
3152 smtp_command_timeout_exit(); /* does not return */
3153if (had_command_sigterm)
3154 smtp_command_sigterm_exit();
3155if (had_data_timeout)
3156 smtp_data_timeout_exit();
3157if (had_data_sigint)
3158 smtp_data_sigint_exit();
0d81dabc
JH		 3159
3160/* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
3161closed down, not that the socket itself has been closed down. Revert to
3162non-SSL handling. */
3163
74f1a423 3164switch(error)
0d81dabc 3165 {
74f1a423
JH		 3166 case SSL_ERROR_NONE:
3167 break;
3168
3169 case SSL_ERROR_ZERO_RETURN:
3170 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
0d81dabc 3171
74f1a423
JH		 3172 receive_getc = smtp_getc;
3173 receive_getbuf = smtp_getbuf;
3174 receive_get_cache = smtp_get_cache;
3175 receive_ungetc = smtp_ungetc;
3176 receive_feof = smtp_feof;
3177 receive_ferror = smtp_ferror;
3178 receive_smtp_buffered = smtp_buffered;
0d81dabc 3179
74f1a423
JH		 3180 if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
3181 SSL_shutdown(server_ssl);
dec766a1 3182
37f0ce65 3183#ifndef DISABLE_OCSP
74f1a423
JH		 3184 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
3185 server_static_cbinfo->verify_stack = NULL;
37f0ce65 3186#endif
74f1a423
JH		 3187 SSL_free(server_ssl);
3188 SSL_CTX_free(server_ctx);
3189 server_ctx = NULL;
3190 server_ssl = NULL;
3191 tls_in.active.sock = -1;
3192 tls_in.active.tls_ctx = NULL;
3193 tls_in.bits = 0;
3194 tls_in.cipher = NULL;
3195 tls_in.peerdn = NULL;
3196 tls_in.sni = NULL;
0d81dabc 3197
74f1a423 3198 return FALSE;
0d81dabc 3199
74f1a423
JH		 3200 /* Handle genuine errors */
3201 case SSL_ERROR_SSL:
0abc5a13 3202 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
74f1a423
JH		 3203 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
3204 ssl_xfer_error = TRUE;
3205 return FALSE;
0d81dabc 3206
74f1a423
JH		 3207 default:
3208 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
3209 DEBUG(D_tls) if (error == SSL_ERROR_SYSCALL)
3210 debug_printf(" - syscall %s\n", strerror(errno));
3211 ssl_xfer_error = TRUE;
3212 return FALSE;
0d81dabc
JH		 3213 }
3214
3215#ifndef DISABLE_DKIM
3216dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
3217#endif
3218ssl_xfer_buffer_hwm = inbytes;
3219ssl_xfer_buffer_lwm = 0;
3220return TRUE;
3221}
3222
3223
059ec3d9
PH		 3224/*************************************************
3225* TLS version of getc *
3226*************************************************/
3227
3228/* This gets the next byte from the TLS input buffer. If the buffer is empty,
3229it refills the buffer via the SSL reading function.
3230
bd8fbe36 3231Arguments: lim Maximum amount to read/buffer
059ec3d9 3232Returns: the next character or EOF
817d9f57
JH		 3233
3234Only used by the server-side TLS.
059ec3d9
PH		 3235*/
3236
3237int
bd8fbe36 3238tls_getc(unsigned lim)
059ec3d9
PH		 3239{
3240if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
0d81dabc
JH		 3241 if (!tls_refill(lim))
3242 return ssl_xfer_error ? EOF : smtp_getc(lim);
059ec3d9 3243
0d81dabc 3244/* Something in the buffer; return next uschar */
059ec3d9 3245
0d81dabc
JH		 3246return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
3247}
059ec3d9 3248
0d81dabc
JH		 3249uschar *
3250tls_getbuf(unsigned * len)
3251{
3252unsigned size;
3253uschar * buf;
ba084640 3254
0d81dabc
JH		 3255if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
3256 if (!tls_refill(*len))
059ec3d9 3257 {
0d81dabc
JH		 3258 if (!ssl_xfer_error) return smtp_getbuf(len);
3259 *len = 0;
3260 return NULL;
059ec3d9 3261 }
c80c5570 3262
0d81dabc
JH		 3263if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
3264 size = *len;
3265buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
3266ssl_xfer_buffer_lwm += size;
3267*len = size;
3268return buf;
059ec3d9
PH		 3269}
3270
0d81dabc 3271
584e96c6
JH		 3272void
3273tls_get_cache()
3274{
9960d1e5 3275#ifndef DISABLE_DKIM
584e96c6
JH		 3276int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
3277if (n > 0)
3278 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
584e96c6 3279#endif
9960d1e5 3280}
584e96c6 3281
059ec3d9 3282
925ac8e4
JH		 3283BOOL
3284tls_could_read(void)
3285{
a5ffa9b4 3286return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0;
925ac8e4
JH		 3287}
3288
059ec3d9
PH		 3289
3290/*************************************************
3291* Read bytes from TLS channel *
3292*************************************************/
3293
3294/*
3295Arguments:
74f1a423 3296 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH		 3297 buff buffer of data
3298 len size of buffer
3299
3300Returns: the number of bytes read
afdb5e9c 3301 -1 after a failed read, including EOF
817d9f57
JH		 3302
3303Only used by the client-side TLS.
059ec3d9
PH		 3304*/
3305
3306int
74f1a423 3307tls_read(void * ct_ctx, uschar *buff, size_t len)
059ec3d9 3308{
74f1a423 3309SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
059ec3d9
PH		 3310int inbytes;
3311int error;
3312
389ca47a 3313DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
c80c5570 3314 buff, (unsigned int)len);
059ec3d9 3315
389ca47a
JH		 3316inbytes = SSL_read(ssl, CS buff, len);
3317error = SSL_get_error(ssl, inbytes);
059ec3d9
PH		 3318
3319if (error == SSL_ERROR_ZERO_RETURN)
3320 {
3321 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
3322 return -1;
3323 }
3324else if (error != SSL_ERROR_NONE)
059ec3d9 3325 return -1;
059ec3d9
PH		 3326
3327return inbytes;
3328}
3329
3330
3331
3332
3333
3334/*************************************************
3335* Write bytes down TLS channel *
3336*************************************************/
3337
3338/*
3339Arguments:
74f1a423 3340 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH		 3341 buff buffer of data
3342 len number of bytes
925ac8e4 3343 more further data expected soon
059ec3d9
PH		 3344
3345Returns: the number of bytes after a successful write,
3346 -1 after a failed write
817d9f57
JH		 3347
3348Used by both server-side and client-side TLS.
059ec3d9
PH		 3349*/
3350
3351int
74f1a423 3352tls_write(void * ct_ctx, const uschar *buff, size_t len, BOOL more)
059ec3d9 3353{
ac35befe 3354size_t olen = len;
d7978c0f 3355int outbytes, error;
c09dbcfb
JH		 3356SSL * ssl = ct_ctx
3357 ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
3358static gstring * server_corked = NULL;
3359gstring ** corkedp = ct_ctx
3360 ? &((exim_openssl_client_tls_ctx *)ct_ctx)->corked : &server_corked;
3361gstring * corked = *corkedp;
a5ffa9b4 3362
ef698bf6 3363DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
b93be52e 3364 buff, (unsigned long)len, more ? ", more" : "");
a5ffa9b4
JH		 3365
3366/* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
3367"more" is notified. This hack is only ok if small amounts are involved AND only
3368one stream does it, in one context (i.e. no store reset). Currently it is used
c09dbcfb
JH		 3369for the responses to the received SMTP MAIL , RCPT, DATA sequence, only.
3370We support callouts done by the server process by using a separate client
3371context for the stashed information. */
ac35befe
JH		 3372/* + if PIPE_COMMAND, banner & ehlo-resp for smmtp-on-connect. Suspect there's
3373a store reset there, so use POOL_PERM. */
3374/* + if CHUNKING, cmds EHLO,MAIL,RCPT(s),BDAT */
a5ffa9b4 3375
ac35befe 3376if ((more || corked))
a5ffa9b4 3377 {
ee8b8090
JH		 3378#ifdef EXPERIMENTAL_PIPE_CONNECT
3379 int save_pool = store_pool;
3380 store_pool = POOL_PERM;
3381#endif
3382
acec9514 3383 corked = string_catn(corked, buff, len);
ee8b8090
JH		 3384
3385#ifdef EXPERIMENTAL_PIPE_CONNECT
3386 store_pool = save_pool;
3387#endif
3388
a5ffa9b4 3389 if (more)
c09dbcfb
JH		 3390 {
3391 *corkedp = corked;
a5ffa9b4 3392 return len;
c09dbcfb 3393 }
acec9514
JH		 3394 buff = CUS corked->s;
3395 len = corked->ptr;
c09dbcfb 3396 *corkedp = NULL;
a5ffa9b4 3397 }
059ec3d9 3398
d7978c0f 3399for (int left = len; left > 0;)
059ec3d9 3400 {
74f1a423 3401 DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left);
059ec3d9
PH		 3402 outbytes = SSL_write(ssl, CS buff, left);
3403 error = SSL_get_error(ssl, outbytes);
3404 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
3405 switch (error)
3406 {
3407 case SSL_ERROR_SSL:
0abc5a13 3408 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
96f5fe4c
JH		 3409 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
3410 return -1;
059ec3d9
PH		 3411
3412 case SSL_ERROR_NONE:
96f5fe4c
JH		 3413 left -= outbytes;
3414 buff += outbytes;
3415 break;
059ec3d9
PH		 3416
3417 case SSL_ERROR_ZERO_RETURN:
96f5fe4c
JH		 3418 log_write(0, LOG_MAIN, "SSL channel closed on write");
3419 return -1;
059ec3d9 3420
817d9f57 3421 case SSL_ERROR_SYSCALL:
96f5fe4c
JH		 3422 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
3423 sender_fullhost ? sender_fullhost : US"<unknown>",
3424 strerror(errno));
3425 return -1;
817d9f57 3426
059ec3d9 3427 default:
96f5fe4c
JH		 3428 log_write(0, LOG_MAIN, "SSL_write error %d", error);
3429 return -1;
059ec3d9
PH		 3430 }
3431 }
ac35befe 3432return olen;
059ec3d9
PH		 3433}
3434
3435
3436
3437/*************************************************
3438* Close down a TLS session *
3439*************************************************/
3440
3441/* This is also called from within a delivery subprocess forked from the
3442daemon, to shut down the TLS library, without actually doing a shutdown (which
3443would tamper with the SSL session in the parent process).
3444
dec766a1 3445Arguments:
74f1a423 3446 ct_ctx client TLS context pointer, or NULL for the one global server context
dec766a1
WB		 3447 shutdown 1 if TLS close-alert is to be sent,
3448 2 if also response to be waited for
3449
059ec3d9 3450Returns: nothing
817d9f57
JH		 3451
3452Used by both server-side and client-side TLS.
059ec3d9
PH		 3453*/
3454
3455void
74f1a423 3456tls_close(void * ct_ctx, int shutdown)
059ec3d9 3457{
74f1a423
JH		 3458exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
3459SSL_CTX **ctxp = o_ctx ? &o_ctx->ctx : &server_ctx;
3460SSL **sslp = o_ctx ? &o_ctx->ssl : &server_ssl;
3461int *fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
817d9f57
JH		 3462
3463if (*fdp < 0) return; /* TLS was not active */
059ec3d9
PH		 3464
3465if (shutdown)
3466 {
dec766a1
WB		 3467 int rc;
3468 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
3469 shutdown > 1 ? " (with response-wait)" : "");
3470
3471 if ( (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */
3472 && shutdown > 1)
3473 {
c2a1bba0 3474 ALARM(2);
dec766a1 3475 rc = SSL_shutdown(*sslp); /* wait for response */
c2a1bba0 3476 ALARM_CLR(0);
dec766a1
WB		 3477 }
3478
3479 if (rc < 0) DEBUG(D_tls)
3480 {
0abc5a13 3481 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
dec766a1
WB		 3482 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
3483 }
3484 }
3485
37f0ce65 3486#ifndef DISABLE_OCSP
74f1a423 3487if (!o_ctx) /* server side */
dec766a1
WB		 3488 {
3489 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
dec766a1 3490 server_static_cbinfo->verify_stack = NULL;
059ec3d9 3491 }
37f0ce65 3492#endif
059ec3d9 3493
dec766a1 3494SSL_CTX_free(*ctxp);
817d9f57 3495SSL_free(*sslp);
dec766a1 3496*ctxp = NULL;
817d9f57 3497*sslp = NULL;
817d9f57 3498*fdp = -1;
059ec3d9
PH		 3499}
3500
36f12725
NM		 3501
3502
3503
3375e053
PP		 3504/*************************************************
3505* Let tls_require_ciphers be checked at startup *
3506*************************************************/
3507
3508/* The tls_require_ciphers option, if set, must be something which the
3509library can parse.
3510
3511Returns: NULL on success, or error message
3512*/
3513
3514uschar *
3515tls_validate_require_cipher(void)
3516{
3517SSL_CTX *ctx;
3518uschar *s, *expciphers, *err;
3519
3520/* this duplicates from tls_init(), we need a better "init just global
3521state, for no specific purpose" singleton function of our own */
3522
7434882d 3523#ifdef EXIM_NEED_OPENSSL_INIT
3375e053
PP		 3524SSL_load_error_strings();
3525OpenSSL_add_ssl_algorithms();
7434882d 3526#endif
3375e053
PP		 3527#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
3528/* SHA256 is becoming ever more popular. This makes sure it gets added to the
3529list of available digests. */
3530EVP_add_digest(EVP_sha256());
3531#endif
3532
3533if (!(tls_require_ciphers && *tls_require_ciphers))
3534 return NULL;
3535
cf0c6164
JH		 3536if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3537 &err))
3375e053
PP		 3538 return US"failed to expand tls_require_ciphers";
3539
3540if (!(expciphers && *expciphers))
3541 return NULL;
3542
3543/* normalisation ripped from above */
3544s = expciphers;
3545while (*s != 0) { if (*s == '_') *s = '-'; s++; }
3546
3547err = NULL;
3548
7a8b9519
JH		 3549#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
3550if (!(ctx = SSL_CTX_new(TLS_server_method())))
3551#else
3552if (!(ctx = SSL_CTX_new(SSLv23_server_method())))
3553#endif
3375e053 3554 {
0abc5a13 3555 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3375e053
PP		 3556 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
3557 }
3558
3559DEBUG(D_tls)
3560 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3561
3562if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
3563 {
0abc5a13 3564 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
cf0c6164
JH		 3565 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
3566 expciphers, ssl_errstring);
3375e053
PP		 3567 }
3568
3569SSL_CTX_free(ctx);
3570
3571return err;
3572}
3573
3574
3575
3576
36f12725
NM		 3577/*************************************************
3578* Report the library versions. *
3579*************************************************/
3580
3581/* There have historically been some issues with binary compatibility in
3582OpenSSL libraries; if Exim (like many other applications) is built against
3583one version of OpenSSL but the run-time linker picks up another version,
3584it can result in serious failures, including crashing with a SIGSEGV. So
3585report the version found by the compiler and the run-time version.
3586
f64a1e23
PP		 3587Note: some OS vendors backport security fixes without changing the version
3588number/string, and the version date remains unchanged. The _build_ date
3589will change, so we can more usefully assist with version diagnosis by also
3590reporting the build date.
3591
36f12725
NM		 3592Arguments: a FILE* to print the results to
3593Returns: nothing
3594*/
3595
3596void
3597tls_version_report(FILE *f)
3598{
754a0503 3599fprintf(f, "Library version: OpenSSL: Compile: %s\n"
f64a1e23
PP		 3600 " Runtime: %s\n"
3601 " : %s\n",
754a0503 3602 OPENSSL_VERSION_TEXT,
f64a1e23
PP		 3603 SSLeay_version(SSLEAY_VERSION),
3604 SSLeay_version(SSLEAY_BUILT_ON));
3605/* third line is 38 characters for the %s and the line is 73 chars long;
3606the OpenSSL output includes a "built on: " prefix already. */
36f12725
NM		 3607}
3608
9e3331ea
TK		 3609
3610
3611
3612/*************************************************
17c76198 3613* Random number generation *
9e3331ea
TK		 3614*************************************************/
3615
3616/* Pseudo-random number generation. The result is not expected to be
3617cryptographically strong but not so weak that someone will shoot themselves
3618in the foot using it as a nonce in input in some email header scheme or
3619whatever weirdness they'll twist this into. The result should handle fork()
3620and avoid repeating sequences. OpenSSL handles that for us.
3621
3622Arguments:
3623 max range maximum
3624Returns a random number in range [0, max-1]
3625*/
3626
3627int
17c76198 3628vaguely_random_number(int max)
9e3331ea
TK		 3629{
3630unsigned int r;
3631int i, needed_len;
de6135a0
PP		 3632static pid_t pidlast = 0;
3633pid_t pidnow;
9e3331ea
TK		 3634uschar smallbuf[sizeof(r)];
3635
3636if (max <= 1)
3637 return 0;
3638
de6135a0
PP		 3639pidnow = getpid();
3640if (pidnow != pidlast)
3641 {
3642 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
3643 is unique for each thread", this doesn't apparently apply across processes,
3644 so our own warning from vaguely_random_number_fallback() applies here too.
3645 Fix per PostgreSQL. */
3646 if (pidlast != 0)
3647 RAND_cleanup();
3648 pidlast = pidnow;
3649 }
3650
9e3331ea
TK		 3651/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
3652if (!RAND_status())
3653 {
3654 randstuff r;
3655 gettimeofday(&r.tv, NULL);
3656 r.p = getpid();
3657
5903c6ff 3658 RAND_seed(US (&r), sizeof(r));
9e3331ea
TK		 3659 }
3660/* We're after pseudo-random, not random; if we still don't have enough data
3661in the internal PRNG then our options are limited. We could sleep and hope
3662for entropy to come along (prayer technique) but if the system is so depleted
3663in the first place then something is likely to just keep taking it. Instead,
3664we'll just take whatever little bit of pseudo-random we can still manage to
3665get. */
3666
3667needed_len = sizeof(r);
3668/* Don't take 8 times more entropy than needed if int is 8 octets and we were
3669asked for a number less than 10. */
3670for (r = max, i = 0; r; ++i)
3671 r >>= 1;
3672i = (i + 7) / 8;
3673if (i < needed_len)
3674 needed_len = i;
3675
c8dfb21d 3676#ifdef EXIM_HAVE_RAND_PSEUDO
9e3331ea 3677/* We do not care if crypto-strong */
17c76198 3678i = RAND_pseudo_bytes(smallbuf, needed_len);
c8dfb21d
JH		 3679#else
3680i = RAND_bytes(smallbuf, needed_len);
3681#endif
3682
17c76198
PP		 3683if (i < 0)
3684 {
3685 DEBUG(D_all)
3686 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
3687 return vaguely_random_number_fallback(max);
3688 }
3689
9e3331ea 3690r = 0;
d7978c0f
JH		 3691for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
3692 r = 256 * r + *p;
9e3331ea
TK		 3693
3694/* We don't particularly care about weighted results; if someone wants
3695smooth distribution and cares enough then they should submit a patch then. */
3696return r % max;
3697}
3698
77bb000f
PP		 3699
3700
3701
3702/*************************************************
3703* OpenSSL option parse *
3704*************************************************/
3705
3706/* Parse one option for tls_openssl_options_parse below
3707
3708Arguments:
3709 name one option name
3710 value place to store a value for it
3711Returns success or failure in parsing
3712*/
3713
77bb000f 3714
c80c5570 3715
77bb000f
PP		 3716static BOOL
3717tls_openssl_one_option_parse(uschar *name, long *value)
3718{
3719int first = 0;
3720int last = exim_openssl_options_size;
3721while (last > first)
3722 {
3723 int middle = (first + last)/2;
3724 int c = Ustrcmp(name, exim_openssl_options[middle].name);
3725 if (c == 0)
3726 {
3727 *value = exim_openssl_options[middle].value;
3728 return TRUE;
3729 }
3730 else if (c > 0)
3731 first = middle + 1;
3732 else
3733 last = middle;
3734 }
3735return FALSE;
3736}
3737
3738
3739
3740
3741/*************************************************
3742* OpenSSL option parsing logic *
3743*************************************************/
3744
3745/* OpenSSL has a number of compatibility options which an administrator might
3746reasonably wish to set. Interpret a list similarly to decode_bits(), so that
3747we look like log_selector.
3748
3749Arguments:
3750 option_spec the administrator-supplied string of options
3751 results ptr to long storage for the options bitmap
3752Returns success or failure
3753*/
3754
3755BOOL
3756tls_openssl_options_parse(uschar *option_spec, long *results)
3757{
3758long result, item;
d7978c0f 3759uschar *end;
77bb000f
PP		 3760uschar keep_c;
3761BOOL adding, item_parsed;
3762
b10c87b3 3763/* Server: send no (<= TLS1.2) session tickets */
7006ee24 3764result = SSL_OP_NO_TICKET;
b10c87b3 3765
b1770b6e 3766/* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
da3ad30d 3767 * from default because it increases BEAST susceptibility. */
f0f5a555
PP		 3768#ifdef SSL_OP_NO_SSLv2
3769result |= SSL_OP_NO_SSLv2;
3770#endif
b10c87b3
JH		 3771#ifdef SSL_OP_NO_SSLv3
3772result |= SSL_OP_NO_SSLv3;
3773#endif
a57b6200
JH		 3774#ifdef SSL_OP_SINGLE_DH_USE
3775result |= SSL_OP_SINGLE_DH_USE;
3776#endif
77bb000f 3777
7006ee24 3778if (!option_spec)
77bb000f
PP		 3779 {
3780 *results = result;
3781 return TRUE;
3782 }
3783
b10c87b3 3784for (uschar * s = option_spec; *s; /**/)
77bb000f
PP		 3785 {
3786 while (isspace(*s)) ++s;
3787 if (*s == '\0')
3788 break;
3789 if (*s != '+' && *s != '-')
3790 {
3791 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
0e944a0d 3792 "+ or - expected but found \"%s\"\n", s);
77bb000f
PP		 3793 return FALSE;
3794 }
3795 adding = *s++ == '+';
3796 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
3797 keep_c = *end;
3798 *end = '\0';
3799 item_parsed = tls_openssl_one_option_parse(s, &item);
96f5fe4c 3800 *end = keep_c;
77bb000f
PP		 3801 if (!item_parsed)
3802 {
0e944a0d 3803 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
77bb000f
PP		 3804 return FALSE;
3805 }
f97ca6d1
JH		 3806 DEBUG(D_tls) debug_printf("openssl option, %s %8lx: %lx (%s)\n",
3807 adding ? "adding to " : "removing from", result, item, s);
77bb000f
PP		 3808 if (adding)
3809 result |= item;
3810 else
3811 result &= ~item;
77bb000f
PP		 3812 s = end;
3813 }
3814
3815*results = result;
3816return TRUE;
3817}
3818
8442641e 3819#endif /*!MACRO_PREDEF*/
9d1c15ef
JH		 3820/* vi: aw ai sw=2
3821*/
059ec3d9 3822/* End of tls-openssl.c */
Unnamed repository; edit this file 'description' to name the repository.