projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Use DH_bits for OpenSSL 1.1.0
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
d4e5e70b 5/* Copyright (c) University of Cambridge 1995 - 2017 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
f5d78688
JH		 8/* Portions Copyright (c) The OpenSSL Project 1999 */
9
059ec3d9
PH		 10/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11library. It is #included into the tls.c file when that library is used. The
12code herein is based on a patch that was originally contributed by Steve
13Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL library. */
17
18
19/* Heading stuff */
20
21#include <openssl/lhash.h>
22#include <openssl/ssl.h>
23#include <openssl/err.h>
24#include <openssl/rand.h>
10ca4f1c
JH		 25#ifndef OPENSSL_NO_ECDH
26# include <openssl/ec.h>
27#endif
f2de3a33 28#ifndef DISABLE_OCSP
e51c7be2 29# include <openssl/ocsp.h>
3f7eeb86 30#endif
85098ee7
JH		 31#ifdef EXPERIMENTAL_DANE
32# include <danessl.h>
33#endif
34
3f7eeb86 35
f2de3a33
JH		 36#ifndef DISABLE_OCSP
37# define EXIM_OCSP_SKEW_SECONDS (300L)
38# define EXIM_OCSP_MAX_AGE (-1L)
3f7eeb86 39#endif
059ec3d9 40
3bcbbbe2 41#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
e51c7be2 42# define EXIM_HAVE_OPENSSL_TLSEXT
3bcbbbe2 43#endif
c8dfb21d
JH		 44#if OPENSSL_VERSION_NUMBER >= 0x00908000L
45# define EXIM_HAVE_RSA_GENKEY_EX
46#endif
47#if OPENSSL_VERSION_NUMBER >= 0x10100000L
48# define EXIM_HAVE_OCSP_RESP_COUNT
6600985a 49# define EXIM_HAVE_OPENSSL_DH_BITS
c8dfb21d
JH		 50#else
51# define EXIM_HAVE_EPHEM_RSA_KEX
52# define EXIM_HAVE_RAND_PSEUDO
53#endif
54#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
55# define EXIM_HAVE_SHA256
56#endif
34e3241d
PP		 57
58/*
59 * X509_check_host provides sane certificate hostname checking, but was added
60 * to OpenSSL late, after other projects forked off the code-base. So in
61 * addition to guarding against the base version number, beware that LibreSSL
62 * does not (at this time) support this function.
63 *
64 * If LibreSSL gains a different API, perhaps via libtls, then we'll probably
65 * opt to disentangle and ask a LibreSSL user to provide glue for a third
66 * crypto provider for libtls instead of continuing to tie the OpenSSL glue
67 * into even twistier knots. If LibreSSL gains the same API, we can just
68 * change this guard and punt the issue for a while longer.
69 */
70#ifndef LIBRESSL_VERSION_NUMBER
71# if OPENSSL_VERSION_NUMBER >= 0x010100000L
72# define EXIM_HAVE_OPENSSL_CHECKHOST
73# endif
74# if OPENSSL_VERSION_NUMBER >= 0x010000000L \
2dfb468b 75 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
34e3241d
PP		 76# define EXIM_HAVE_OPENSSL_CHECKHOST
77# endif
11aa88b0 78#endif
10ca4f1c 79
11aa88b0
RA		 80#if !defined(LIBRESSL_VERSION_NUMBER) \
81 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
10ca4f1c
JH		 82# if !defined(OPENSSL_NO_ECDH)
83# if OPENSSL_VERSION_NUMBER >= 0x0090800fL
84# define EXIM_HAVE_ECDH
85# endif
86# if OPENSSL_VERSION_NUMBER >= 0x10002000L
10ca4f1c
JH		 87# define EXIM_HAVE_OPENSSL_EC_NIST2NID
88# endif
89# endif
2dfb468b 90#endif
3bcbbbe2 91
67791ce4
JH		 92#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
93# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
94# define DISABLE_OCSP
95#endif
96
059ec3d9
PH		 97/* Structure for collecting random data for seeding. */
98
99typedef struct randstuff {
9e3331ea
TK		 100 struct timeval tv;
101 pid_t p;
059ec3d9
PH		 102} randstuff;
103
104/* Local static variables */
105
a2ff477a
JH		 106static BOOL client_verify_callback_called = FALSE;
107static BOOL server_verify_callback_called = FALSE;
059ec3d9
PH		 108static const uschar *sid_ctx = US"exim";
109
d4f09789
PP		 110/* We have three different contexts to care about.
111
112Simple case: client, `client_ctx`
113 As a client, we can be doing a callout or cut-through delivery while receiving
114 a message. So we have a client context, which should have options initialised
115 from the SMTP Transport.
116
117Server:
118 There are two cases: with and without ServerNameIndication from the client.
119 Given TLS SNI, we can be using different keys, certs and various other
120 configuration settings, because they're re-expanded with $tls_sni set. This
121 allows vhosting with TLS. This SNI is sent in the handshake.
122 A client might not send SNI, so we need a fallback, and an initial setup too.
123 So as a server, we start out using `server_ctx`.
124 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
125 `server_sni` from `server_ctx` and then initialise settings by re-expanding
126 configuration.
127*/
128
817d9f57
JH		 129static SSL_CTX *client_ctx = NULL;
130static SSL_CTX *server_ctx = NULL;
131static SSL *client_ssl = NULL;
132static SSL *server_ssl = NULL;
389ca47a 133
35731706 134#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57 135static SSL_CTX *server_sni = NULL;
35731706 136#endif
059ec3d9
PH		 137
138static char ssl_errstring[256];
139
140static int ssl_session_timeout = 200;
a2ff477a
JH		 141static BOOL client_verify_optional = FALSE;
142static BOOL server_verify_optional = FALSE;
059ec3d9 143
f5d78688 144static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH		 145
146
7be682ca
PP		 147typedef struct tls_ext_ctx_cb {
148 uschar *certificate;
149 uschar *privatekey;
f2de3a33 150#ifndef DISABLE_OCSP
f5d78688 151 BOOL is_server;
c3033f13 152 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
f5d78688
JH		 153 union {
154 struct {
155 uschar *file;
156 uschar *file_expanded;
157 OCSP_RESPONSE *response;
158 } server;
159 struct {
44662487
JH		 160 X509_STORE *verify_store; /* non-null if status requested */
161 BOOL verify_required;
f5d78688
JH		 162 } client;
163 } u_ocsp;
3f7eeb86 164#endif
7be682ca
PP		 165 uschar *dhparam;
166 /* these are cached from first expand */
167 uschar *server_cipher_list;
168 /* only passed down to tls_error: */
169 host_item *host;
55414b25 170 const uschar * verify_cert_hostnames;
0cbf2b82 171#ifndef DISABLE_EVENT
a7538db1
JH		 172 uschar * event_action;
173#endif
7be682ca
PP		 174} tls_ext_ctx_cb;
175
176/* should figure out a cleanup of API to handle state preserved per
177implementation, for various reasons, which can be void * in the APIs.
178For now, we hack around it. */
817d9f57
JH		 179tls_ext_ctx_cb *client_static_cbinfo = NULL;
180tls_ext_ctx_cb *server_static_cbinfo = NULL;
7be682ca
PP		 181
182static int
983207c1 183setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 184 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
059ec3d9 185
3f7eeb86 186/* Callbacks */
3bcbbbe2 187#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f7eeb86 188static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
3bcbbbe2 189#endif
f2de3a33 190#ifndef DISABLE_OCSP
f5d78688 191static int tls_server_stapling_cb(SSL *s, void *arg);
3f7eeb86
PP		 192#endif
193
059ec3d9
PH		 194
195/*************************************************
196* Handle TLS error *
197*************************************************/
198
199/* Called from lots of places when errors occur before actually starting to do
200the TLS handshake, that is, while the session is still in clear. Always returns
201DEFER for a server and FAIL for a client so that most calls can use "return
202tls_error(...)" to do this processing and then give an appropriate return. A
203single function is used for both server and client, because it is called from
204some shared functions.
205
206Argument:
207 prefix text to include in the logged error
208 host NULL if setting up a server;
209 the connected host if setting up a client
7199e1ee 210 msg error message or NULL if we should ask OpenSSL
cf0c6164 211 errstr pointer to output error message
059ec3d9
PH		 212
213Returns: OK/DEFER/FAIL
214*/
215
216static int
cf0c6164 217tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
059ec3d9 218{
c562fd30 219if (!msg)
7199e1ee
TF		 220 {
221 ERR_error_string(ERR_get_error(), ssl_errstring);
cf0c6164 222 msg = US ssl_errstring;
7199e1ee
TF		 223 }
224
cf0c6164
JH		 225if (errstr) *errstr = string_sprintf("(%s): %s", prefix, msg);
226return host ? FAIL : DEFER;
059ec3d9
PH		 227}
228
229
230
c8dfb21d 231#ifdef EXIM_HAVE_EPHEM_RSA_KEX
059ec3d9
PH		 232/*************************************************
233* Callback to generate RSA key *
234*************************************************/
235
236/*
237Arguments:
238 s SSL connection
239 export not used
240 keylength keylength
241
242Returns: pointer to generated key
243*/
244
245static RSA *
246rsa_callback(SSL *s, int export, int keylength)
247{
248RSA *rsa_key;
c8dfb21d
JH		 249#ifdef EXIM_HAVE_RSA_GENKEY_EX
250BIGNUM *bn = BN_new();
251#endif
252
059ec3d9
PH		 253export = export; /* Shut picky compilers up */
254DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
c8dfb21d
JH		 255
256#ifdef EXIM_HAVE_RSA_GENKEY_EX
257if ( !BN_set_word(bn, (unsigned long)RSA_F4)
f2cb6292 258 || !(rsa_key = RSA_new())
c8dfb21d
JH		 259 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
260 )
261#else
23bb6982 262if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
c8dfb21d
JH		 263#endif
264
059ec3d9
PH		 265 {
266 ERR_error_string(ERR_get_error(), ssl_errstring);
267 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
268 ssl_errstring);
269 return NULL;
270 }
271return rsa_key;
272}
c8dfb21d 273#endif
059ec3d9
PH		 274
275
276
f5d78688 277/* Extreme debug
f2de3a33 278#ifndef DISABLE_OCSP
f5d78688
JH		 279void
280x509_store_dump_cert_s_names(X509_STORE * store)
281{
282STACK_OF(X509_OBJECT) * roots= store->objs;
283int i;
284static uschar name[256];
285
286for(i= 0; i<sk_X509_OBJECT_num(roots); i++)
287 {
288 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
289 if(tmp_obj->type == X509_LU_X509)
290 {
291 X509 * current_cert= tmp_obj->data.x509;
292 X509_NAME_oneline(X509_get_subject_name(current_cert), CS name, sizeof(name));
f69979cf 293 name[sizeof(name)-1] = '\0';
f5d78688
JH		 294 debug_printf(" %s\n", name);
295 }
296 }
297}
298#endif
299*/
300
059ec3d9 301
0cbf2b82 302#ifndef DISABLE_EVENT
f69979cf
JH		 303static int
304verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
305 BOOL *calledp, const BOOL *optionalp, const uschar * what)
306{
307uschar * ev;
308uschar * yield;
309X509 * old_cert;
310
311ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
312if (ev)
313 {
aaba7d03 314 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
f69979cf
JH		 315 old_cert = tlsp->peercert;
316 tlsp->peercert = X509_dup(cert);
317 /* NB we do not bother setting peerdn */
318 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
319 {
320 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
321 "depth=%d cert=%s: %s",
322 tlsp == &tls_out ? deliver_host_address : sender_host_address,
323 what, depth, dn, yield);
324 *calledp = TRUE;
325 if (!*optionalp)
326 {
327 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
328 return 1; /* reject (leaving peercert set) */
329 }
330 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
331 "(host in tls_try_verify_hosts)\n");
332 }
333 X509_free(tlsp->peercert);
334 tlsp->peercert = old_cert;
335 }
336return 0;
337}
338#endif
339
059ec3d9
PH		 340/*************************************************
341* Callback for verification *
342*************************************************/
343
344/* The SSL library does certificate verification if set up to do so. This
345callback has the current yes/no state is in "state". If verification succeeded,
f69979cf
JH		 346we set the certificate-verified flag. If verification failed, what happens
347depends on whether the client is required to present a verifiable certificate
348or not.
059ec3d9
PH		 349
350If verification is optional, we change the state to yes, but still log the
351verification error. For some reason (it really would help to have proper
352documentation of OpenSSL), this callback function then gets called again, this
f69979cf
JH		 353time with state = 1. We must take care not to set the private verified flag on
354the second time through.
059ec3d9
PH		 355
356Note: this function is not called if the client fails to present a certificate
357when asked. We get here only if a certificate has been received. Handling of
358optional verification for this case is done when requesting SSL to verify, by
359setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
360
a7538db1
JH		 361May be called multiple times for different issues with a certificate, even
362for a given "depth" in the certificate chain.
363
059ec3d9 364Arguments:
f2f2c91b
JH		 365 preverify_ok current yes/no state as 1/0
366 x509ctx certificate information.
367 tlsp per-direction (client vs. server) support data
368 calledp has-been-called flag
369 optionalp verification-is-optional flag
059ec3d9 370
f2f2c91b 371Returns: 0 if verification should fail, otherwise 1
059ec3d9
PH		 372*/
373
374static int
f2f2c91b 375verify_callback(int preverify_ok, X509_STORE_CTX *x509ctx,
421aff85 376 tls_support *tlsp, BOOL *calledp, BOOL *optionalp)
059ec3d9 377{
421aff85 378X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
a7538db1 379int depth = X509_STORE_CTX_get_error_depth(x509ctx);
f69979cf 380uschar dn[256];
059ec3d9 381
f69979cf
JH		 382X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
383dn[sizeof(dn)-1] = '\0';
059ec3d9 384
f2f2c91b 385if (preverify_ok == 0)
059ec3d9 386 {
4c01d6ab
JH		 387 log_write(0, LOG_MAIN, "[%s] SSL verify error: depth=%d error=%s cert=%s",
388 tlsp == &tls_out ? deliver_host_address : sender_host_address,
a7538db1 389 depth,
421aff85 390 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)),
f69979cf 391 dn);
a2ff477a 392 *calledp = TRUE;
9d1c15ef
JH		 393 if (!*optionalp)
394 {
f69979cf
JH		 395 if (!tlsp->peercert)
396 tlsp->peercert = X509_dup(cert); /* record failing cert */
397 return 0; /* reject */
9d1c15ef 398 }
059ec3d9
PH		 399 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
400 "tls_try_verify_hosts)\n");
059ec3d9
PH		 401 }
402
a7538db1 403else if (depth != 0)
059ec3d9 404 {
f69979cf 405 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
f2de3a33 406#ifndef DISABLE_OCSP
f5d78688
JH		 407 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
408 { /* client, wanting stapling */
409 /* Add the server cert's signing chain as the one
410 for the verification of the OCSP stapled information. */
94431adb 411
f5d78688 412 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
421aff85 413 cert))
f5d78688 414 ERR_clear_error();
c3033f13 415 sk_X509_push(client_static_cbinfo->verify_stack, cert);
f5d78688 416 }
a7538db1 417#endif
0cbf2b82 418#ifndef DISABLE_EVENT
f69979cf
JH		 419 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
420 return 0; /* reject, with peercert set */
f5d78688 421#endif
059ec3d9
PH		 422 }
423else
424 {
55414b25 425 const uschar * verify_cert_hostnames;
e51c7be2 426
e51c7be2
JH		 427 if ( tlsp == &tls_out
428 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
429 /* client, wanting hostname check */
e51c7be2 430 {
f69979cf 431
740f36d4 432#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
f69979cf
JH		 433# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
434# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
435# endif
436# ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
437# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
438# endif
e51c7be2 439 int sep = 0;
55414b25 440 const uschar * list = verify_cert_hostnames;
e51c7be2 441 uschar * name;
d8e7834a
JH		 442 int rc;
443 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
f40d5be3 444 if ((rc = X509_check_host(cert, CCS name, 0,
8d692470 445 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
740f36d4
JH		 446 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
447 NULL)))
d8e7834a
JH		 448 {
449 if (rc < 0)
450 {
93a6fce2 451 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
8cfd0f7b 452 deliver_host_address);
d8e7834a
JH		 453 name = NULL;
454 }
e51c7be2 455 break;
d8e7834a 456 }
e51c7be2 457 if (!name)
f69979cf 458#else
e51c7be2 459 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
f69979cf 460#endif
e51c7be2
JH		 461 {
462 log_write(0, LOG_MAIN,
b999c483
JH		 463 "[%s] SSL verify error: certificate name mismatch: "
464 "DN=\"%s\" H=\"%s\"",
465 deliver_host_address, dn, verify_cert_hostnames);
a3ef7310
JH		 466 *calledp = TRUE;
467 if (!*optionalp)
f69979cf
JH		 468 {
469 if (!tlsp->peercert)
470 tlsp->peercert = X509_dup(cert); /* record failing cert */
471 return 0; /* reject */
472 }
a3ef7310
JH		 473 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
474 "tls_try_verify_hosts)\n");
e51c7be2 475 }
f69979cf 476 }
e51c7be2 477
0cbf2b82 478#ifndef DISABLE_EVENT
f69979cf
JH		 479 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
480 return 0; /* reject, with peercert set */
e51c7be2
JH		 481#endif
482
93dcb1c2 483 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
f69979cf 484 *calledp ? "" : " authenticated", dn);
93dcb1c2
JH		 485 if (!*calledp) tlsp->certificate_verified = TRUE;
486 *calledp = TRUE;
059ec3d9
PH		 487 }
488
a7538db1 489return 1; /* accept, at least for this level */
059ec3d9
PH		 490}
491
a2ff477a 492static int
f2f2c91b 493verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 494{
f2f2c91b
JH		 495return verify_callback(preverify_ok, x509ctx, &tls_out,
496 &client_verify_callback_called, &client_verify_optional);
a2ff477a
JH		 497}
498
499static int
f2f2c91b 500verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 501{
f2f2c91b
JH		 502return verify_callback(preverify_ok, x509ctx, &tls_in,
503 &server_verify_callback_called, &server_verify_optional);
a2ff477a
JH		 504}
505
059ec3d9 506
e5cccda9 507#ifdef EXPERIMENTAL_DANE
53a7196b 508
e5cccda9
JH		 509/* This gets called *by* the dane library verify callback, which interposes
510itself.
511*/
512static int
f2f2c91b 513verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
e5cccda9
JH		 514{
515X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
f69979cf 516uschar dn[256];
83b27293 517int depth = X509_STORE_CTX_get_error_depth(x509ctx);
5c75db2e 518#ifndef DISABLE_EVENT
f69979cf 519BOOL dummy_called, optional = FALSE;
83b27293 520#endif
e5cccda9 521
f69979cf
JH		 522X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
523dn[sizeof(dn)-1] = '\0';
e5cccda9 524
f2f2c91b
JH		 525DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
526 preverify_ok ? "ok":"BAD", depth, dn);
e5cccda9 527
0cbf2b82 528#ifndef DISABLE_EVENT
f69979cf
JH		 529 if (verify_event(&tls_out, cert, depth, dn,
530 &dummy_called, &optional, US"DANE"))
531 return 0; /* reject, with peercert set */
83b27293
JH		 532#endif
533
f2f2c91b 534if (preverify_ok == 1)
53a7196b 535 tls_out.dane_verified =
e5cccda9 536 tls_out.certificate_verified = TRUE;
f2f2c91b
JH		 537else
538 {
539 int err = X509_STORE_CTX_get_error(x509ctx);
540 DEBUG(D_tls)
541 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
3c51463e 542 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
f2f2c91b
JH		 543 preverify_ok = 1;
544 }
545return preverify_ok;
e5cccda9 546}
53a7196b
JH		 547
548#endif /*EXPERIMENTAL_DANE*/
e5cccda9 549
059ec3d9
PH		 550
551/*************************************************
552* Information callback *
553*************************************************/
554
555/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP		 556are doing. We copy the string to the debugging output when TLS debugging has
557been requested.
059ec3d9
PH		 558
559Arguments:
560 s the SSL connection
561 where
562 ret
563
564Returns: nothing
565*/
566
567static void
568info_callback(SSL *s, int where, int ret)
569{
570where = where;
571ret = ret;
572DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
573}
574
575
576
577/*************************************************
578* Initialize for DH *
579*************************************************/
580
581/* If dhparam is set, expand it, and load up the parameters for DH encryption.
582
583Arguments:
038597d2 584 sctx The current SSL CTX (inbound or outbound)
a799883d 585 dhparam DH parameter file or fixed parameter identity string
7199e1ee 586 host connected host, if client; NULL if server
cf0c6164 587 errstr error string pointer
059ec3d9
PH		 588
589Returns: TRUE if OK (nothing to set up, or setup worked)
590*/
591
592static BOOL
cf0c6164 593init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
059ec3d9 594{
059ec3d9
PH		 595BIO *bio;
596DH *dh;
597uschar *dhexpanded;
a799883d 598const char *pem;
6600985a 599int dh_bitsize;
059ec3d9 600
cf0c6164 601if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
059ec3d9
PH		 602 return FALSE;
603
0df4ab80 604if (!dhexpanded || !*dhexpanded)
a799883d 605 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
a799883d 606else if (dhexpanded[0] == '/')
059ec3d9 607 {
0df4ab80 608 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
059ec3d9 609 {
7199e1ee 610 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
cf0c6164 611 host, US strerror(errno), errstr);
a799883d 612 return FALSE;
059ec3d9 613 }
a799883d
PP		 614 }
615else
616 {
617 if (Ustrcmp(dhexpanded, "none") == 0)
059ec3d9 618 {
a799883d
PP		 619 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
620 return TRUE;
059ec3d9 621 }
a799883d 622
0df4ab80 623 if (!(pem = std_dh_prime_named(dhexpanded)))
a799883d
PP		 624 {
625 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
cf0c6164 626 host, US strerror(errno), errstr);
a799883d
PP		 627 return FALSE;
628 }
629 bio = BIO_new_mem_buf(CS pem, -1);
630 }
631
0df4ab80 632if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
a799883d 633 {
059ec3d9 634 BIO_free(bio);
a799883d 635 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
cf0c6164 636 host, NULL, errstr);
a799883d
PP		 637 return FALSE;
638 }
639
6600985a
PP		 640/* note: our default limit of 2236 is not a multiple of 8; the limit comes from
641 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
642 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
643 * If someone wants to dance at the edge, then they can raise the limit or use
644 * current libraries. */
645#ifdef EXIM_HAVE_OPENSSL_DH_BITS
646/* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
647 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
648dh_bitsize = DH_bits(dh);
649#else
650dh_bitsize = 8 * DH_size(dh);
651#endif
652
a799883d
PP		 653/* Even if it is larger, we silently return success rather than cause things
654 * to fail out, so that a too-large DH will not knock out all TLS; it's a
655 * debatable choice. */
6600985a 656if (dh_bitsize > tls_dh_max_bits)
a799883d
PP		 657 {
658 DEBUG(D_tls)
170f4904 659 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
6600985a 660 dh_bitsize, tls_dh_max_bits);
a799883d
PP		 661 }
662else
663 {
664 SSL_CTX_set_tmp_dh(sctx, dh);
665 DEBUG(D_tls)
666 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
6600985a 667 dhexpanded ? dhexpanded : US"default", dh_bitsize);
059ec3d9
PH		 668 }
669
a799883d
PP		 670DH_free(dh);
671BIO_free(bio);
672
673return TRUE;
059ec3d9
PH		 674}
675
676
677
678
038597d2
PP		 679/*************************************************
680* Initialize for ECDH *
681*************************************************/
682
683/* Load parameters for ECDH encryption.
684
685For now, we stick to NIST P-256 because: it's simple and easy to configure;
686it avoids any patent issues that might bite redistributors; despite events in
687the news and concerns over curve choices, we're not cryptographers, we're not
688pretending to be, and this is "good enough" to be better than no support,
689protecting against most adversaries. Given another year or two, there might
690be sufficient clarity about a "right" way forward to let us make an informed
691decision, instead of a knee-jerk reaction.
692
693Longer-term, we should look at supporting both various named curves and
694external files generated with "openssl ecparam", much as we do for init_dh().
695We should also support "none" as a value, to explicitly avoid initialisation.
696
697Patches welcome.
698
699Arguments:
700 sctx The current SSL CTX (inbound or outbound)
701 host connected host, if client; NULL if server
cf0c6164 702 errstr error string pointer
038597d2
PP		 703
704Returns: TRUE if OK (nothing to set up, or setup worked)
705*/
706
707static BOOL
cf0c6164 708init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
038597d2 709{
63f0dbe0
JH		 710#ifdef OPENSSL_NO_ECDH
711return TRUE;
712#else
713
10ca4f1c
JH		 714EC_KEY * ecdh;
715uschar * exp_curve;
716int nid;
717BOOL rv;
718
038597d2
PP		 719if (host) /* No ECDH setup for clients, only for servers */
720 return TRUE;
721
10ca4f1c 722# ifndef EXIM_HAVE_ECDH
038597d2
PP		 723DEBUG(D_tls)
724 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
725return TRUE;
038597d2 726# else
10ca4f1c 727
cf0c6164 728if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
10ca4f1c
JH		 729 return FALSE;
730if (!exp_curve || !*exp_curve)
731 return TRUE;
732
8e53a4fc 733/* "auto" needs to be handled carefully.
4c04137d 734 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
8e53a4fc 735 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
4c04137d 736 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
8e53a4fc
HSHR		 737 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
738 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
739 */
10ca4f1c 740if (Ustrcmp(exp_curve, "auto") == 0)
038597d2 741 {
8e53a4fc 742#if OPENSSL_VERSION_NUMBER < 0x10002000L
10ca4f1c 743 DEBUG(D_tls) debug_printf(
8e53a4fc 744 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
78a3bbd5 745 exp_curve = US"prime256v1";
8e53a4fc
HSHR		 746#else
747# if defined SSL_CTRL_SET_ECDH_AUTO
748 DEBUG(D_tls) debug_printf(
749 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
10ca4f1c
JH		 750 SSL_CTX_set_ecdh_auto(sctx, 1);
751 return TRUE;
8e53a4fc
HSHR		 752# else
753 DEBUG(D_tls) debug_printf(
754 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
755 return TRUE;
756# endif
757#endif
10ca4f1c 758 }
038597d2 759
10ca4f1c
JH		 760DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
761if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
762# ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
763 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
764# endif
765 )
766 {
cf0c6164
JH		 767 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
768 host, NULL, errstr);
10ca4f1c
JH		 769 return FALSE;
770 }
038597d2 771
10ca4f1c
JH		 772if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
773 {
cf0c6164 774 tls_error(US"Unable to create ec curve", host, NULL, errstr);
10ca4f1c 775 return FALSE;
038597d2 776 }
10ca4f1c
JH		 777
778/* The "tmp" in the name here refers to setting a temporary key
779not to the stability of the interface. */
780
781if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
cf0c6164 782 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
10ca4f1c
JH		 783else
784 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
785
786EC_KEY_free(ecdh);
787return !rv;
788
789# endif /*EXIM_HAVE_ECDH*/
790#endif /*OPENSSL_NO_ECDH*/
038597d2
PP		 791}
792
793
794
795
f2de3a33 796#ifndef DISABLE_OCSP
3f7eeb86
PP		 797/*************************************************
798* Load OCSP information into state *
799*************************************************/
f5d78688 800/* Called to load the server OCSP response from the given file into memory, once
3f7eeb86
PP		 801caller has determined this is needed. Checks validity. Debugs a message
802if invalid.
803
804ASSUMES: single response, for single cert.
805
806Arguments:
807 sctx the SSL_CTX* to update
808 cbinfo various parts of session state
809 expanded the filename putatively holding an OCSP response
810
811*/
812
813static void
f5d78688 814ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
3f7eeb86 815{
ee5b1e28
JH		 816BIO * bio;
817OCSP_RESPONSE * resp;
818OCSP_BASICRESP * basic_response;
819OCSP_SINGLERESP * single_response;
820ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
ee5b1e28 821STACK_OF(X509) * sk;
3f7eeb86
PP		 822unsigned long verify_flags;
823int status, reason, i;
824
f5d78688
JH		 825cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
826if (cbinfo->u_ocsp.server.response)
3f7eeb86 827 {
f5d78688
JH		 828 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
829 cbinfo->u_ocsp.server.response = NULL;
3f7eeb86
PP		 830 }
831
ee5b1e28 832if (!(bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb")))
3f7eeb86
PP		 833 {
834 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
f5d78688 835 cbinfo->u_ocsp.server.file_expanded);
3f7eeb86
PP		 836 return;
837 }
838
839resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
840BIO_free(bio);
841if (!resp)
842 {
843 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
844 return;
845 }
846
ee5b1e28 847if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
3f7eeb86
PP		 848 {
849 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
850 OCSP_response_status_str(status), status);
f5d78688 851 goto bad;
3f7eeb86
PP		 852 }
853
ee5b1e28 854if (!(basic_response = OCSP_response_get1_basic(resp)))
3f7eeb86
PP		 855 {
856 DEBUG(D_tls)
857 debug_printf("OCSP response parse error: unable to extract basic response.\n");
f5d78688 858 goto bad;
3f7eeb86
PP		 859 }
860
c3033f13 861sk = cbinfo->verify_stack;
3f7eeb86
PP		 862verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
863
864/* May need to expose ability to adjust those flags?
865OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
866OCSP_TRUSTOTHER OCSP_NOINTERN */
867
4c04137d 868/* This does a full verify on the OCSP proof before we load it for serving
ee5b1e28
JH		 869up; possibly overkill - just date-checks might be nice enough.
870
871OCSP_basic_verify takes a "store" arg, but does not
872use it for the chain verification, which is all we do
873when OCSP_NOVERIFY is set. The content from the wire
874"basic_response" and a cert-stack "sk" are all that is used.
875
c3033f13
JH		 876We have a stack, loaded in setup_certs() if tls_verify_certificates
877was a file (not a directory, or "system"). It is unfortunate we
878cannot used the connection context store, as that would neatly
879handle the "system" case too, but there seems to be no library
880function for getting a stack from a store.
e3555426 881[ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
c3033f13
JH		 882We do not free the stack since it could be needed a second time for
883SNI handling.
884
4c04137d 885Separately we might try to replace using OCSP_basic_verify() - which seems to not
ee5b1e28
JH		 886be a public interface into the OpenSSL library (there's no manual entry) -
887But what with? We also use OCSP_basic_verify in the client stapling callback.
4c04137d 888And there we NEED it; we must verify that status... unless the
ee5b1e28
JH		 889library does it for us anyway? */
890
891if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
3f7eeb86 892 {
ee5b1e28
JH		 893 DEBUG(D_tls)
894 {
3f7eeb86
PP		 895 ERR_error_string(ERR_get_error(), ssl_errstring);
896 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
f5d78688
JH		 897 }
898 goto bad;
3f7eeb86
PP		 899 }
900
901/* Here's the simplifying assumption: there's only one response, for the
902one certificate we use, and nothing for anything else in a chain. If this
903proves false, we need to extract a cert id from our issued cert
904(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
905right cert in the stack and then calls OCSP_single_get0_status()).
906
907I'm hoping to avoid reworking a bunch more of how we handle state here. */
ee5b1e28
JH		 908
909if (!(single_response = OCSP_resp_get0(basic_response, 0)))
3f7eeb86
PP		 910 {
911 DEBUG(D_tls)
912 debug_printf("Unable to get first response from OCSP basic response.\n");
f5d78688 913 goto bad;
3f7eeb86
PP		 914 }
915
916status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
f5d78688 917if (status != V_OCSP_CERTSTATUS_GOOD)
3f7eeb86 918 {
f5d78688
JH		 919 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
920 OCSP_cert_status_str(status), status,
921 OCSP_crl_reason_str(reason), reason);
922 goto bad;
3f7eeb86
PP		 923 }
924
925if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
926 {
927 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
f5d78688 928 goto bad;
3f7eeb86
PP		 929 }
930
f5d78688 931supply_response:
018058b2 932 cbinfo->u_ocsp.server.response = resp;
f5d78688
JH		 933return;
934
935bad:
018058b2
JH		 936 if (running_in_test_harness)
937 {
938 extern char ** environ;
939 uschar ** p;
bc3c7bb7 940 if (environ) for (p = USS environ; *p != NULL; p++)
018058b2
JH		 941 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
942 {
943 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
944 goto supply_response;
945 }
946 }
f5d78688 947return;
3f7eeb86 948}
f2de3a33 949#endif /*!DISABLE_OCSP*/
3f7eeb86
PP		 950
951
952
953
23bb6982
JH		 954/* Create and install a selfsigned certificate, for use in server mode */
955
956static int
cf0c6164 957tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
23bb6982
JH		 958{
959X509 * x509 = NULL;
960EVP_PKEY * pkey;
961RSA * rsa;
962X509_NAME * name;
963uschar * where;
964
965where = US"allocating pkey";
966if (!(pkey = EVP_PKEY_new()))
967 goto err;
968
969where = US"allocating cert";
970if (!(x509 = X509_new()))
971 goto err;
972
973where = US"generating pkey";
974 /* deprecated, use RSA_generate_key_ex() */
975if (!(rsa = RSA_generate_key(1024, RSA_F4, NULL, NULL)))
976 goto err;
977
4c04137d 978where = US"assigning pkey";
23bb6982
JH		 979if (!EVP_PKEY_assign_RSA(pkey, rsa))
980 goto err;
981
982X509_set_version(x509, 2); /* N+1 - version 3 */
983ASN1_INTEGER_set(X509_get_serialNumber(x509), 0);
984X509_gmtime_adj(X509_get_notBefore(x509), 0);
985X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
986X509_set_pubkey(x509, pkey);
987
988name = X509_get_subject_name(x509);
989X509_NAME_add_entry_by_txt(name, "C",
4dc2379a 990 MBSTRING_ASC, CUS "UK", -1, -1, 0);
23bb6982 991X509_NAME_add_entry_by_txt(name, "O",
4dc2379a 992 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
23bb6982 993X509_NAME_add_entry_by_txt(name, "CN",
4dc2379a 994 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
23bb6982
JH		 995X509_set_issuer_name(x509, name);
996
997where = US"signing cert";
998if (!X509_sign(x509, pkey, EVP_md5()))
999 goto err;
1000
1001where = US"installing selfsign cert";
1002if (!SSL_CTX_use_certificate(sctx, x509))
1003 goto err;
1004
1005where = US"installing selfsign key";
1006if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1007 goto err;
1008
1009return OK;
1010
1011err:
cf0c6164 1012 (void) tls_error(where, NULL, NULL, errstr);
23bb6982
JH		 1013 if (x509) X509_free(x509);
1014 if (pkey) EVP_PKEY_free(pkey);
1015 return DEFER;
1016}
1017
1018
1019
1020
7be682ca
PP		 1021/*************************************************
1022* Expand key and cert file specs *
1023*************************************************/
1024
f5d78688 1025/* Called once during tls_init and possibly again during TLS setup, for a
7be682ca
PP		 1026new context, if Server Name Indication was used and tls_sni was seen in
1027the certificate string.
1028
1029Arguments:
1030 sctx the SSL_CTX* to update
1031 cbinfo various parts of session state
cf0c6164 1032 errstr error string pointer
7be682ca
PP		 1033
1034Returns: OK/DEFER/FAIL
1035*/
1036
1037static int
cf0c6164
JH		 1038tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo,
1039 uschar ** errstr)
7be682ca
PP		 1040{
1041uschar *expanded;
1042
23bb6982 1043if (!cbinfo->certificate)
7be682ca 1044 {
23bb6982
JH		 1045 if (cbinfo->host) /* client */
1046 return OK;
1047 /* server */
cf0c6164 1048 if (tls_install_selfsign(sctx, errstr) != OK)
23bb6982 1049 return DEFER;
7be682ca 1050 }
23bb6982
JH		 1051else
1052 {
1053 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
1054 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
1055 Ustrstr(cbinfo->certificate, US"tls_out_sni")
1056 )
1057 reexpand_tls_files_for_sni = TRUE;
7be682ca 1058
cf0c6164 1059 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
23bb6982
JH		 1060 return DEFER;
1061
1062 if (expanded != NULL)
1063 {
1064 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
1065 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
1066 return tls_error(string_sprintf(
1067 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
cf0c6164 1068 cbinfo->host, NULL, errstr);
23bb6982 1069 }
7be682ca 1070
23bb6982 1071 if (cbinfo->privatekey != NULL &&
cf0c6164 1072 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
23bb6982 1073 return DEFER;
7be682ca 1074
23bb6982
JH		 1075 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1076 of the expansion is an empty string, ignore it also, and assume the private
1077 key is in the same file as the certificate. */
1078
1079 if (expanded && *expanded)
1080 {
1081 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
1082 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
1083 return tls_error(string_sprintf(
cf0c6164 1084 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL, errstr);
23bb6982 1085 }
7be682ca
PP		 1086 }
1087
f2de3a33 1088#ifndef DISABLE_OCSP
f40d5be3 1089if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
3f7eeb86 1090 {
cf0c6164 1091 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded, errstr))
3f7eeb86
PP		 1092 return DEFER;
1093
f40d5be3 1094 if (expanded && *expanded)
3f7eeb86
PP		 1095 {
1096 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
f40d5be3
JH		 1097 if ( cbinfo->u_ocsp.server.file_expanded
1098 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
3f7eeb86 1099 {
f40d5be3
JH		 1100 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1101 }
1102 else
f40d5be3 1103 ocsp_load_response(sctx, cbinfo, expanded);
3f7eeb86
PP		 1104 }
1105 }
1106#endif
1107
7be682ca
PP		 1108return OK;
1109}
1110
1111
1112
1113
1114/*************************************************
1115* Callback to handle SNI *
1116*************************************************/
1117
1118/* Called when acting as server during the TLS session setup if a Server Name
1119Indication extension was sent by the client.
1120
1121API documentation is OpenSSL s_server.c implementation.
1122
1123Arguments:
1124 s SSL* of the current session
1125 ad unknown (part of OpenSSL API) (unused)
1126 arg Callback of "our" registered data
1127
1128Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
1129*/
1130
3bcbbbe2 1131#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca
PP		 1132static int
1133tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1134{
1135const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3f7eeb86 1136tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
7be682ca 1137int rc;
3f0945ff 1138int old_pool = store_pool;
cf0c6164 1139uschar * dummy_errstr;
7be682ca
PP		 1140
1141if (!servername)
1142 return SSL_TLSEXT_ERR_OK;
1143
3f0945ff 1144DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
7be682ca
PP		 1145 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1146
1147/* Make the extension value available for expansion */
3f0945ff 1148store_pool = POOL_PERM;
817d9f57 1149tls_in.sni = string_copy(US servername);
3f0945ff 1150store_pool = old_pool;
7be682ca
PP		 1151
1152if (!reexpand_tls_files_for_sni)
1153 return SSL_TLSEXT_ERR_OK;
1154
1155/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1156not confident that memcpy wouldn't break some internal reference counting.
1157Especially since there's a references struct member, which would be off. */
1158
0df4ab80 1159if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
7be682ca
PP		 1160 {
1161 ERR_error_string(ERR_get_error(), ssl_errstring);
1162 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
1163 return SSL_TLSEXT_ERR_NOACK;
1164 }
1165
1166/* Not sure how many of these are actually needed, since SSL object
1167already exists. Might even need this selfsame callback, for reneg? */
1168
817d9f57
JH		 1169SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1170SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1171SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1172SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1173SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1174SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
038597d2 1175
cf0c6164
JH		 1176if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1177 || !init_ecdh(server_sni, NULL, &dummy_errstr)
038597d2
PP		 1178 )
1179 return SSL_TLSEXT_ERR_NOACK;
1180
7be682ca 1181if (cbinfo->server_cipher_list)
817d9f57 1182 SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
f2de3a33 1183#ifndef DISABLE_OCSP
f5d78688 1184if (cbinfo->u_ocsp.server.file)
3f7eeb86 1185 {
f5d78688 1186 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
14c7b357 1187 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
3f7eeb86
PP		 1188 }
1189#endif
7be682ca 1190
c3033f13 1191if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
cf0c6164 1192 verify_callback_server, &dummy_errstr)) != OK)
c3033f13 1193 return SSL_TLSEXT_ERR_NOACK;
7be682ca 1194
3f7eeb86
PP		 1195/* do this after setup_certs, because this can require the certs for verifying
1196OCSP information. */
cf0c6164 1197if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
0df4ab80 1198 return SSL_TLSEXT_ERR_NOACK;
a799883d 1199
7be682ca 1200DEBUG(D_tls) debug_printf("Switching SSL context.\n");
817d9f57 1201SSL_set_SSL_CTX(s, server_sni);
7be682ca
PP		 1202
1203return SSL_TLSEXT_ERR_OK;
1204}
3bcbbbe2 1205#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
7be682ca
PP		 1206
1207
1208
1209
f2de3a33 1210#ifndef DISABLE_OCSP
f5d78688 1211
3f7eeb86
PP		 1212/*************************************************
1213* Callback to handle OCSP Stapling *
1214*************************************************/
1215
1216/* Called when acting as server during the TLS session setup if the client
1217requests OCSP information with a Certificate Status Request.
1218
1219Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1220project.
1221
1222*/
1223
1224static int
f5d78688 1225tls_server_stapling_cb(SSL *s, void *arg)
3f7eeb86
PP		 1226{
1227const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1228uschar *response_der;
1229int response_der_len;
1230
af4a1bca 1231DEBUG(D_tls)
b3ef41c9 1232 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
f5d78688
JH		 1233 cbinfo->u_ocsp.server.response ? "have" : "lack");
1234
44662487 1235tls_in.ocsp = OCSP_NOT_RESP;
f5d78688 1236if (!cbinfo->u_ocsp.server.response)
3f7eeb86
PP		 1237 return SSL_TLSEXT_ERR_NOACK;
1238
1239response_der = NULL;
44662487
JH		 1240response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response,
1241 &response_der);
3f7eeb86
PP		 1242if (response_der_len <= 0)
1243 return SSL_TLSEXT_ERR_NOACK;
1244
5e55c7a9 1245SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
44662487 1246tls_in.ocsp = OCSP_VFIED;
3f7eeb86
PP		 1247return SSL_TLSEXT_ERR_OK;
1248}
1249
3f7eeb86 1250
f5d78688
JH		 1251static void
1252time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1253{
1254BIO_printf(bp, "\t%s: ", str);
1255ASN1_GENERALIZEDTIME_print(bp, time);
1256BIO_puts(bp, "\n");
1257}
1258
1259static int
1260tls_client_stapling_cb(SSL *s, void *arg)
1261{
1262tls_ext_ctx_cb * cbinfo = arg;
1263const unsigned char * p;
1264int len;
1265OCSP_RESPONSE * rsp;
1266OCSP_BASICRESP * bs;
1267int i;
1268
1269DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1270len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1271if(!p)
1272 {
44662487 1273 /* Expect this when we requested ocsp but got none */
6c6d6e48 1274 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
44662487 1275 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
f5d78688
JH		 1276 else
1277 DEBUG(D_tls) debug_printf(" null\n");
44662487 1278 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688 1279 }
018058b2 1280
f5d78688
JH		 1281if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1282 {
018058b2 1283 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1284 if (LOGGING(tls_cipher))
1eca31ca 1285 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
f5d78688
JH		 1286 else
1287 DEBUG(D_tls) debug_printf(" parse error\n");
1288 return 0;
1289 }
1290
1291if(!(bs = OCSP_response_get1_basic(rsp)))
1292 {
018058b2 1293 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1294 if (LOGGING(tls_cipher))
1eca31ca 1295 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
f5d78688
JH		 1296 else
1297 DEBUG(D_tls) debug_printf(" error parsing response\n");
1298 OCSP_RESPONSE_free(rsp);
1299 return 0;
1300 }
1301
1302/* We'd check the nonce here if we'd put one in the request. */
1303/* However that would defeat cacheability on the server so we don't. */
1304
f5d78688
JH		 1305/* This section of code reworked from OpenSSL apps source;
1306 The OpenSSL Project retains copyright:
1307 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1308*/
1309 {
1310 BIO * bp = NULL;
f5d78688
JH		 1311 int status, reason;
1312 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1313
1314 DEBUG(D_tls) bp = BIO_new_fp(stderr, BIO_NOCLOSE);
1315
1316 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1317
1318 /* Use the chain that verified the server cert to verify the stapled info */
1319 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1320
c3033f13 1321 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
44662487 1322 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
f5d78688 1323 {
018058b2 1324 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1325 if (LOGGING(tls_cipher))
1eca31ca 1326 log_write(0, LOG_MAIN, "Received TLS cert status response, itself unverifiable");
f5d78688
JH		 1327 BIO_printf(bp, "OCSP response verify failure\n");
1328 ERR_print_errors(bp);
c8dfb21d 1329 goto failed;
f5d78688
JH		 1330 }
1331
1332 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1333
c8dfb21d
JH		 1334 /*XXX So we have a good stapled OCSP status. How do we know
1335 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1336 OCSP_resp_find_status() which matches on a cert id, which presumably
1337 we should use. Making an id needs OCSP_cert_id_new(), which takes
1338 issuerName, issuerKey, serialNumber. Are they all in the cert?
1339
1340 For now, carry on blindly accepting the resp. */
1341
f5d78688 1342 {
f5d78688
JH		 1343 OCSP_SINGLERESP * single;
1344
c8dfb21d
JH		 1345#ifdef EXIM_HAVE_OCSP_RESP_COUNT
1346 if (OCSP_resp_count(bs) != 1)
1347#else
1348 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
f5d78688 1349 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
c8dfb21d 1350#endif
f5d78688 1351 {
018058b2 1352 tls_out.ocsp = OCSP_FAILED;
44662487
JH		 1353 log_write(0, LOG_MAIN, "OCSP stapling "
1354 "with multiple responses not handled");
c8dfb21d 1355 goto failed;
f5d78688
JH		 1356 }
1357 single = OCSP_resp_get0(bs, 0);
44662487
JH		 1358 status = OCSP_single_get0_status(single, &reason, &rev,
1359 &thisupd, &nextupd);
f5d78688
JH		 1360 }
1361
f5d78688
JH		 1362 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1363 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
44662487
JH		 1364 if (!OCSP_check_validity(thisupd, nextupd,
1365 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
f5d78688 1366 {
018058b2 1367 tls_out.ocsp = OCSP_FAILED;
f5d78688
JH		 1368 DEBUG(D_tls) ERR_print_errors(bp);
1369 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
f5d78688 1370 }
44662487 1371 else
f5d78688 1372 {
44662487
JH		 1373 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1374 OCSP_cert_status_str(status));
1375 switch(status)
1376 {
1377 case V_OCSP_CERTSTATUS_GOOD:
44662487 1378 tls_out.ocsp = OCSP_VFIED;
018058b2 1379 i = 1;
c8dfb21d 1380 goto good;
44662487 1381 case V_OCSP_CERTSTATUS_REVOKED:
018058b2 1382 tls_out.ocsp = OCSP_FAILED;
44662487
JH		 1383 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1384 reason != -1 ? "; reason: " : "",
1385 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1386 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
44662487
JH		 1387 break;
1388 default:
018058b2 1389 tls_out.ocsp = OCSP_FAILED;
44662487
JH		 1390 log_write(0, LOG_MAIN,
1391 "Server certificate status unknown, in OCSP stapling");
44662487
JH		 1392 break;
1393 }
f5d78688 1394 }
c8dfb21d
JH		 1395 failed:
1396 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1397 good:
f5d78688
JH		 1398 BIO_free(bp);
1399 }
1400
1401OCSP_RESPONSE_free(rsp);
1402return i;
1403}
f2de3a33 1404#endif /*!DISABLE_OCSP*/
3f7eeb86
PP		 1405
1406
059ec3d9
PH		 1407/*************************************************
1408* Initialize for TLS *
1409*************************************************/
1410
e51c7be2
JH		 1411/* Called from both server and client code, to do preliminary initialization
1412of the library. We allocate and return a context structure.
059ec3d9
PH		 1413
1414Arguments:
946ecbe0 1415 ctxp returned SSL context
059ec3d9
PH		 1416 host connected host, if client; NULL if server
1417 dhparam DH parameter file
1418 certificate certificate file
1419 privatekey private key
f5d78688 1420 ocsp_file file of stapling info (server); flag for require ocsp (client)
059ec3d9 1421 addr address if client; NULL if server (for some randomness)
946ecbe0 1422 cbp place to put allocated callback context
cf0c6164 1423 errstr error string pointer
059ec3d9
PH		 1424
1425Returns: OK/DEFER/FAIL
1426*/
1427
1428static int
817d9f57 1429tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
3f7eeb86 1430 uschar *privatekey,
f2de3a33 1431#ifndef DISABLE_OCSP
3f7eeb86
PP		 1432 uschar *ocsp_file,
1433#endif
cf0c6164 1434 address_item *addr, tls_ext_ctx_cb ** cbp, uschar ** errstr)
059ec3d9 1435{
7006ee24 1436SSL_CTX * ctx;
77bb000f 1437long init_options;
7be682ca 1438int rc;
a7538db1 1439tls_ext_ctx_cb * cbinfo;
7be682ca
PP		 1440
1441cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1442cbinfo->certificate = certificate;
1443cbinfo->privatekey = privatekey;
f2de3a33 1444#ifndef DISABLE_OCSP
c3033f13 1445cbinfo->verify_stack = NULL;
f5d78688
JH		 1446if ((cbinfo->is_server = host==NULL))
1447 {
1448 cbinfo->u_ocsp.server.file = ocsp_file;
1449 cbinfo->u_ocsp.server.file_expanded = NULL;
1450 cbinfo->u_ocsp.server.response = NULL;
1451 }
1452else
1453 cbinfo->u_ocsp.client.verify_store = NULL;
3f7eeb86 1454#endif
7be682ca 1455cbinfo->dhparam = dhparam;
0df4ab80 1456cbinfo->server_cipher_list = NULL;
7be682ca 1457cbinfo->host = host;
0cbf2b82 1458#ifndef DISABLE_EVENT
a7538db1
JH		 1459cbinfo->event_action = NULL;
1460#endif
77bb000f 1461
059ec3d9
PH		 1462SSL_load_error_strings(); /* basic set up */
1463OpenSSL_add_ssl_algorithms();
1464
c8dfb21d 1465#ifdef EXIM_HAVE_SHA256
77bb000f 1466/* SHA256 is becoming ever more popular. This makes sure it gets added to the
a0475b69
TK		 1467list of available digests. */
1468EVP_add_digest(EVP_sha256());
cf1ef1a9 1469#endif
a0475b69 1470
f0f5a555
PP		 1471/* Create a context.
1472The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1473negotiation in the different methods; as far as I can tell, the only
1474*_{server,client}_method which allows negotiation is SSLv23, which exists even
1475when OpenSSL is built without SSLv2 support.
1476By disabling with openssl_options, we can let admins re-enable with the
1477existing knob. */
059ec3d9 1478
7006ee24
JH		 1479if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
1480 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
059ec3d9
PH		 1481
1482/* It turns out that we need to seed the random number generator this early in
1483order to get the full complement of ciphers to work. It took me roughly a day
1484of work to discover this by experiment.
1485
1486On systems that have /dev/urandom, SSL may automatically seed itself from
1487there. Otherwise, we have to make something up as best we can. Double check
1488afterwards. */
1489
1490if (!RAND_status())
1491 {
1492 randstuff r;
9e3331ea 1493 gettimeofday(&r.tv, NULL);
059ec3d9
PH		 1494 r.p = getpid();
1495
1496 RAND_seed((uschar *)(&r), sizeof(r));
1497 RAND_seed((uschar *)big_buffer, big_buffer_size);
1498 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
1499
1500 if (!RAND_status())
7199e1ee 1501 return tls_error(US"RAND_status", host,
cf0c6164 1502 US"unable to seed random number generator", errstr);
059ec3d9
PH		 1503 }
1504
1505/* Set up the information callback, which outputs if debugging is at a suitable
1506level. */
1507
7006ee24 1508DEBUG(D_tls) SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
059ec3d9 1509
c80c5570 1510/* Automatically re-try reads/writes after renegotiation. */
7006ee24 1511(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
c80c5570 1512
77bb000f
PP		 1513/* Apply administrator-supplied work-arounds.
1514Historically we applied just one requested option,
1515SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1516moved to an administrator-controlled list of options to specify and
1517grandfathered in the first one as the default value for "openssl_options".
059ec3d9 1518
77bb000f
PP		 1519No OpenSSL version number checks: the options we accept depend upon the
1520availability of the option value macros from OpenSSL. */
059ec3d9 1521
7006ee24 1522if (!tls_openssl_options_parse(openssl_options, &init_options))
cf0c6164 1523 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
77bb000f
PP		 1524
1525if (init_options)
1526 {
1527 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
7006ee24 1528 if (!(SSL_CTX_set_options(ctx, init_options)))
77bb000f 1529 return tls_error(string_sprintf(
cf0c6164 1530 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
77bb000f
PP		 1531 }
1532else
1533 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9 1534
7006ee24
JH		 1535/* Disable session cache unconditionally */
1536
1537(void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
1538
059ec3d9 1539/* Initialize with DH parameters if supplied */
10ca4f1c 1540/* Initialize ECDH temp key parameter selection */
059ec3d9 1541
7006ee24
JH		 1542if ( !init_dh(ctx, dhparam, host, errstr)
1543 || !init_ecdh(ctx, host, errstr)
038597d2
PP		 1544 )
1545 return DEFER;
059ec3d9 1546
3f7eeb86 1547/* Set up certificate and key (and perhaps OCSP info) */
059ec3d9 1548
7006ee24 1549if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
23bb6982 1550 return rc;
c91535f3 1551
c3033f13
JH		 1552/* If we need to handle SNI or OCSP, do so */
1553
3bcbbbe2 1554#ifdef EXIM_HAVE_OPENSSL_TLSEXT
c3033f13
JH		 1555# ifndef DISABLE_OCSP
1556 if (!(cbinfo->verify_stack = sk_X509_new_null()))
1557 {
1558 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
1559 return FAIL;
1560 }
1561# endif
1562
f5d78688 1563if (host == NULL) /* server */
3f0945ff 1564 {
f2de3a33 1565# ifndef DISABLE_OCSP
f5d78688 1566 /* We check u_ocsp.server.file, not server.response, because we care about if
3f7eeb86
PP		 1567 the option exists, not what the current expansion might be, as SNI might
1568 change the certificate and OCSP file in use between now and the time the
1569 callback is invoked. */
f5d78688 1570 if (cbinfo->u_ocsp.server.file)
3f7eeb86 1571 {
7006ee24
JH		 1572 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
1573 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
3f7eeb86 1574 }
f5d78688 1575# endif
3f0945ff
PP		 1576 /* We always do this, so that $tls_sni is available even if not used in
1577 tls_certificate */
7006ee24
JH		 1578 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
1579 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
3f0945ff 1580 }
f2de3a33 1581# ifndef DISABLE_OCSP
f5d78688
JH		 1582else /* client */
1583 if(ocsp_file) /* wanting stapling */
1584 {
1585 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1586 {
1587 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1588 return FAIL;
1589 }
7006ee24
JH		 1590 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
1591 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
f5d78688
JH		 1592 }
1593# endif
7be682ca 1594#endif
059ec3d9 1595
e51c7be2 1596cbinfo->verify_cert_hostnames = NULL;
e51c7be2 1597
c8dfb21d 1598#ifdef EXIM_HAVE_EPHEM_RSA_KEX
059ec3d9 1599/* Set up the RSA callback */
7006ee24 1600SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
c8dfb21d 1601#endif
059ec3d9
PH		 1602
1603/* Finally, set the timeout, and we are done */
1604
7006ee24 1605SSL_CTX_set_timeout(ctx, ssl_session_timeout);
059ec3d9 1606DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca 1607
817d9f57 1608*cbp = cbinfo;
7006ee24 1609*ctxp = ctx;
7be682ca 1610
059ec3d9
PH		 1611return OK;
1612}
1613
1614
1615
1616
1617/*************************************************
1618* Get name of cipher in use *
1619*************************************************/
1620
817d9f57 1621/*
059ec3d9 1622Argument: pointer to an SSL structure for the connection
817d9f57
JH		 1623 buffer to use for answer
1624 size of buffer
1625 pointer to number of bits for cipher
059ec3d9
PH		 1626Returns: nothing
1627*/
1628
1629static void
817d9f57 1630construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
059ec3d9 1631{
57b3a7f5
PP		 1632/* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
1633yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1634the accessor functions use const in the prototype. */
1635const SSL_CIPHER *c;
d9784128 1636const uschar *ver;
059ec3d9 1637
d9784128 1638ver = (const uschar *)SSL_get_version(ssl);
059ec3d9 1639
57b3a7f5 1640c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
817d9f57 1641SSL_CIPHER_get_bits(c, bits);
059ec3d9 1642
817d9f57
JH		 1643string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1644 SSL_CIPHER_get_name(c), *bits);
059ec3d9
PH		 1645
1646DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1647}
1648
1649
f69979cf
JH		 1650static void
1651peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned bsize)
1652{
1653/*XXX we might consider a list-of-certs variable for the cert chain.
1654SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
1655in list-handling functions, also consider the difference between the entire
1656chain and the elements sent by the peer. */
1657
1658/* Will have already noted peercert on a verify fail; possibly not the leaf */
1659if (!tlsp->peercert)
1660 tlsp->peercert = SSL_get_peer_certificate(ssl);
1661/* Beware anonymous ciphers which lead to server_cert being NULL */
1662if (tlsp->peercert)
1663 {
1664 X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, bsize);
1665 peerdn[bsize-1] = '\0';
1666 tlsp->peerdn = peerdn; /*XXX a static buffer... */
1667 }
1668else
1669 tlsp->peerdn = NULL;
1670}
1671
1672
059ec3d9
PH		 1673
1674
1675
1676/*************************************************
1677* Set up for verifying certificates *
1678*************************************************/
1679
c3033f13
JH		 1680/* Load certs from file, return TRUE on success */
1681
1682static BOOL
1683chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
1684{
1685BIO * bp;
1686X509 * x;
1687
1688if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
1689while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
1690 sk_X509_push(verify_stack, x);
1691BIO_free(bp);
1692return TRUE;
1693}
1694
1695
1696
059ec3d9
PH		 1697/* Called by both client and server startup
1698
1699Arguments:
7be682ca 1700 sctx SSL_CTX* to initialise
059ec3d9
PH		 1701 certs certs file or NULL
1702 crl CRL file or NULL
1703 host NULL in a server; the remote host in a client
1704 optional TRUE if called from a server for a host in tls_try_verify_hosts;
1705 otherwise passed as FALSE
983207c1 1706 cert_vfy_cb Callback function for certificate verification
cf0c6164 1707 errstr error string pointer
059ec3d9
PH		 1708
1709Returns: OK/DEFER/FAIL
1710*/
1711
1712static int
983207c1 1713setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 1714 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
059ec3d9
PH		 1715{
1716uschar *expcerts, *expcrl;
1717
cf0c6164 1718if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
059ec3d9 1719 return DEFER;
57cc2785 1720DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
059ec3d9 1721
10a831a3 1722if (expcerts && *expcerts)
059ec3d9 1723 {
10a831a3
JH		 1724 /* Tell the library to use its compiled-in location for the system default
1725 CA bundle. Then add the ones specified in the config, if any. */
cb1d7830 1726
10a831a3 1727 if (!SSL_CTX_set_default_verify_paths(sctx))
cf0c6164 1728 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
10a831a3
JH		 1729
1730 if (Ustrcmp(expcerts, "system") != 0)
059ec3d9 1731 {
cb1d7830
JH		 1732 struct stat statbuf;
1733
cb1d7830
JH		 1734 if (Ustat(expcerts, &statbuf) < 0)
1735 {
1736 log_write(0, LOG_MAIN|LOG_PANIC,
1737 "failed to stat %s for certificates", expcerts);
1738 return DEFER;
1739 }
059ec3d9 1740 else
059ec3d9 1741 {
cb1d7830
JH		 1742 uschar *file, *dir;
1743 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1744 { file = NULL; dir = expcerts; }
1745 else
c3033f13
JH		 1746 {
1747 file = expcerts; dir = NULL;
1748#ifndef DISABLE_OCSP
1749 /* In the server if we will be offering an OCSP proof, load chain from
1750 file for verifying the OCSP proof at load time. */
1751
1752 if ( !host
1753 && statbuf.st_size > 0
1754 && server_static_cbinfo->u_ocsp.server.file
1755 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
1756 )
1757 {
1758 log_write(0, LOG_MAIN|LOG_PANIC,
1759 "failed to load cert hain from %s", file);
1760 return DEFER;
1761 }
1762#endif
1763 }
cb1d7830
JH		 1764
1765 /* If a certificate file is empty, the next function fails with an
1766 unhelpful error message. If we skip it, we get the correct behaviour (no
1767 certificates are recognized, but the error message is still misleading (it
c3033f13 1768 says no certificate was supplied). But this is better. */
cb1d7830 1769
f2f2c91b
JH		 1770 if ( (!file || statbuf.st_size > 0)
1771 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
cf0c6164 1772 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
cb1d7830
JH		 1773
1774 /* Load the list of CAs for which we will accept certs, for sending
1775 to the client. This is only for the one-file tls_verify_certificates
1776 variant.
1777 If a list isn't loaded into the server, but
1778 some verify locations are set, the server end appears to make
4c04137d 1779 a wildcard request for client certs.
10a831a3 1780 Meanwhile, the client library as default behaviour *ignores* the list
cb1d7830
JH		 1781 we send over the wire - see man SSL_CTX_set_client_cert_cb.
1782 Because of this, and that the dir variant is likely only used for
1783 the public-CA bundle (not for a private CA), not worth fixing.
1784 */
f2f2c91b 1785 if (file)
cb1d7830
JH		 1786 {
1787 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
f2f2c91b
JH		 1788
1789 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
cb1d7830
JH		 1790 sk_X509_NAME_num(names));
1791 SSL_CTX_set_client_CA_list(sctx, names);
1792 }
059ec3d9
PH		 1793 }
1794 }
1795
1796 /* Handle a certificate revocation list. */
1797
10a831a3 1798#if OPENSSL_VERSION_NUMBER > 0x00907000L
059ec3d9 1799
8b417f2c 1800 /* This bit of code is now the version supplied by Lars Mainka. (I have
10a831a3 1801 merely reformatted it into the Exim code style.)
8b417f2c 1802
10a831a3
JH		 1803 "From here I changed the code to add support for multiple crl's
1804 in pem format in one file or to support hashed directory entries in
1805 pem format instead of a file. This method now uses the library function
1806 X509_STORE_load_locations to add the CRL location to the SSL context.
1807 OpenSSL will then handle the verify against CA certs and CRLs by
1808 itself in the verify callback." */
8b417f2c 1809
cf0c6164 1810 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
10a831a3 1811 if (expcrl && *expcrl)
059ec3d9 1812 {
8b417f2c
PH		 1813 struct stat statbufcrl;
1814 if (Ustat(expcrl, &statbufcrl) < 0)
1815 {
1816 log_write(0, LOG_MAIN|LOG_PANIC,
1817 "failed to stat %s for certificates revocation lists", expcrl);
1818 return DEFER;
1819 }
1820 else
059ec3d9 1821 {
8b417f2c
PH		 1822 /* is it a file or directory? */
1823 uschar *file, *dir;
7be682ca 1824 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 1825 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 1826 {
8b417f2c
PH		 1827 file = NULL;
1828 dir = expcrl;
1829 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH		 1830 }
1831 else
1832 {
8b417f2c
PH		 1833 file = expcrl;
1834 dir = NULL;
1835 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 1836 }
8b417f2c 1837 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
cf0c6164 1838 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
8b417f2c
PH		 1839
1840 /* setting the flags to check against the complete crl chain */
1841
1842 X509_STORE_set_flags(cvstore,
1843 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 1844 }
059ec3d9
PH		 1845 }
1846
10a831a3 1847#endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
059ec3d9
PH		 1848
1849 /* If verification is optional, don't fail if no certificate */
1850
7be682ca 1851 SSL_CTX_set_verify(sctx,
059ec3d9 1852 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
983207c1 1853 cert_vfy_cb);
059ec3d9
PH		 1854 }
1855
1856return OK;
1857}
1858
1859
1860
1861/*************************************************
1862* Start a TLS session in a server *
1863*************************************************/
1864
1865/* This is called when Exim is running as a server, after having received
1866the STARTTLS command. It must respond to that command, and then negotiate
1867a TLS session.
1868
1869Arguments:
1870 require_ciphers allowed ciphers
cf0c6164 1871 errstr pointer to error message
059ec3d9
PH		 1872
1873Returns: OK on success
1874 DEFER for errors before the start of the negotiation
4c04137d 1875 FAIL for errors during the negotiation; the server can't
059ec3d9
PH		 1876 continue running.
1877*/
1878
1879int
cf0c6164 1880tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH		 1881{
1882int rc;
cf0c6164
JH		 1883uschar * expciphers;
1884tls_ext_ctx_cb * cbinfo;
f69979cf 1885static uschar peerdn[256];
817d9f57 1886static uschar cipherbuf[256];
059ec3d9
PH		 1887
1888/* Check for previous activation */
1889
817d9f57 1890if (tls_in.active >= 0)
059ec3d9 1891 {
cf0c6164 1892 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
925ac8e4 1893 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH		 1894 return FAIL;
1895 }
1896
1897/* Initialize the SSL library. If it fails, it will already have logged
1898the error. */
1899
817d9f57 1900rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
f2de3a33 1901#ifndef DISABLE_OCSP
3f7eeb86
PP		 1902 tls_ocsp_file,
1903#endif
cf0c6164 1904 NULL, &server_static_cbinfo, errstr);
059ec3d9 1905if (rc != OK) return rc;
817d9f57 1906cbinfo = server_static_cbinfo;
059ec3d9 1907
cf0c6164 1908if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
059ec3d9
PH		 1909 return FAIL;
1910
1911/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
17c76198
PP		 1912were historically separated by underscores. So that I can use either form in my
1913tests, and also for general convenience, we turn underscores into hyphens here.
1914*/
059ec3d9 1915
c3033f13 1916if (expciphers)
059ec3d9 1917 {
c3033f13 1918 uschar * s = expciphers;
059ec3d9
PH		 1919 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1920 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 1921 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
cf0c6164 1922 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
7be682ca 1923 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH		 1924 }
1925
1926/* If this is a host for which certificate verification is mandatory or
1927optional, set up appropriately. */
1928
817d9f57 1929tls_in.certificate_verified = FALSE;
53a7196b
JH		 1930#ifdef EXPERIMENTAL_DANE
1931tls_in.dane_verified = FALSE;
1932#endif
a2ff477a 1933server_verify_callback_called = FALSE;
059ec3d9
PH		 1934
1935if (verify_check_host(&tls_verify_hosts) == OK)
1936 {
983207c1 1937 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
cf0c6164 1938 FALSE, verify_callback_server, errstr);
059ec3d9 1939 if (rc != OK) return rc;
a2ff477a 1940 server_verify_optional = FALSE;
059ec3d9
PH		 1941 }
1942else if (verify_check_host(&tls_try_verify_hosts) == OK)
1943 {
983207c1 1944 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
cf0c6164 1945 TRUE, verify_callback_server, errstr);
059ec3d9 1946 if (rc != OK) return rc;
a2ff477a 1947 server_verify_optional = TRUE;
059ec3d9
PH		 1948 }
1949
1950/* Prepare for new connection */
1951
cf0c6164
JH		 1952if (!(server_ssl = SSL_new(server_ctx)))
1953 return tls_error(US"SSL_new", NULL, NULL, errstr);
da3ad30d
PP		 1954
1955/* Warning: we used to SSL_clear(ssl) here, it was removed.
1956 *
1957 * With the SSL_clear(), we get strange interoperability bugs with
1958 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
1959 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
1960 *
1961 * The SSL_clear() call is to let an existing SSL* be reused, typically after
1962 * session shutdown. In this case, we have a brand new object and there's no
1963 * obvious reason to immediately clear it. I'm guessing that this was
1964 * originally added because of incomplete initialisation which the clear fixed,
1965 * in some historic release.
1966 */
059ec3d9
PH		 1967
1968/* Set context and tell client to go ahead, except in the case of TLS startup
1969on connection, where outputting anything now upsets the clients and tends to
1970make them disconnect. We need to have an explicit fflush() here, to force out
1971the response. Other smtp_printf() calls do not need it, because in non-TLS
1972mode, the fflush() happens when smtp_getc() is called. */
1973
817d9f57
JH		 1974SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
1975if (!tls_in.on_connect)
059ec3d9 1976 {
925ac8e4 1977 smtp_printf("220 TLS go ahead\r\n", FALSE);
059ec3d9
PH		 1978 fflush(smtp_out);
1979 }
1980
1981/* Now negotiate the TLS session. We put our own timer on it, since it seems
1982that the OpenSSL library doesn't. */
1983
817d9f57
JH		 1984SSL_set_wfd(server_ssl, fileno(smtp_out));
1985SSL_set_rfd(server_ssl, fileno(smtp_in));
1986SSL_set_accept_state(server_ssl);
059ec3d9
PH		 1987
1988DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
1989
1990sigalrm_seen = FALSE;
1991if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
817d9f57 1992rc = SSL_accept(server_ssl);
059ec3d9
PH		 1993alarm(0);
1994
1995if (rc <= 0)
1996 {
cf0c6164 1997 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
059ec3d9
PH		 1998 return FAIL;
1999 }
2000
2001DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
2002
2003/* TLS has been set up. Adjust the input functions to read via TLS,
2004and initialize things. */
2005
f69979cf
JH		 2006peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2007
817d9f57
JH		 2008construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
2009tls_in.cipher = cipherbuf;
059ec3d9
PH		 2010
2011DEBUG(D_tls)
2012 {
2013 uschar buf[2048];
817d9f57 2014 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
059ec3d9
PH		 2015 debug_printf("Shared ciphers: %s\n", buf);
2016 }
2017
9d1c15ef
JH		 2018/* Record the certificate we presented */
2019 {
2020 X509 * crt = SSL_get_certificate(server_ssl);
2021 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2022 }
059ec3d9 2023
817d9f57
JH		 2024/* Only used by the server-side tls (tls_in), including tls_getc.
2025 Client-side (tls_out) reads (seem to?) go via
2026 smtp_read_response()/ip_recv().
2027 Hence no need to duplicate for _in and _out.
2028 */
059ec3d9
PH		 2029ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
2030ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
2031ssl_xfer_eof = ssl_xfer_error = 0;
2032
2033receive_getc = tls_getc;
0d81dabc 2034receive_getbuf = tls_getbuf;
584e96c6 2035receive_get_cache = tls_get_cache;
059ec3d9
PH		 2036receive_ungetc = tls_ungetc;
2037receive_feof = tls_feof;
2038receive_ferror = tls_ferror;
58eb016e 2039receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 2040
817d9f57 2041tls_in.active = fileno(smtp_out);
059ec3d9
PH		 2042return OK;
2043}
2044
2045
2046
2047
043b1248
JH		 2048static int
2049tls_client_basic_ctx_init(SSL_CTX * ctx,
cf0c6164
JH		 2050 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2051 uschar ** errstr)
043b1248
JH		 2052{
2053int rc;
94431adb 2054/* stick to the old behaviour for compatibility if tls_verify_certificates is
043b1248
JH		 2055 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2056 the specified host patterns if one of them is defined */
2057
610ff438
JH		 2058if ( ( !ob->tls_verify_hosts
2059 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2060 )
5130845b 2061 || (verify_check_given_host(&ob->tls_verify_hosts, host) == OK)
aa2a70ba 2062 )
043b1248 2063 client_verify_optional = FALSE;
5130845b 2064else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
aa2a70ba
JH		 2065 client_verify_optional = TRUE;
2066else
2067 return OK;
2068
2069if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
cf0c6164
JH		 2070 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2071 errstr)) != OK)
aa2a70ba 2072 return rc;
043b1248 2073
5130845b 2074if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
043b1248 2075 {
4af0d74a 2076 cbinfo->verify_cert_hostnames =
8c5d388a 2077#ifdef SUPPORT_I18N
4af0d74a
JH		 2078 string_domain_utf8_to_alabel(host->name, NULL);
2079#else
2080 host->name;
2081#endif
aa2a70ba
JH		 2082 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2083 cbinfo->verify_cert_hostnames);
043b1248 2084 }
043b1248
JH		 2085return OK;
2086}
059ec3d9 2087
fde080a4
JH		 2088
2089#ifdef EXPERIMENTAL_DANE
fde080a4 2090static int
cf0c6164 2091dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
fde080a4
JH		 2092{
2093dns_record * rr;
2094dns_scan dnss;
2095const char * hostnames[2] = { CS host->name, NULL };
2096int found = 0;
2097
2098if (DANESSL_init(ssl, NULL, hostnames) != 1)
cf0c6164 2099 return tls_error(US"hostnames load", host, NULL, errstr);
fde080a4
JH		 2100
2101for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
2102 rr;
2103 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2104 ) if (rr->type == T_TLSA)
2105 {
c3033f13 2106 const uschar * p = rr->data;
fde080a4
JH		 2107 uint8_t usage, selector, mtype;
2108 const char * mdname;
2109
fde080a4 2110 usage = *p++;
133d2546
JH		 2111
2112 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2113 if (usage != 2 && usage != 3) continue;
2114
fde080a4
JH		 2115 selector = *p++;
2116 mtype = *p++;
2117
2118 switch (mtype)
2119 {
133d2546
JH		 2120 default: continue; /* Only match-types 0, 1, 2 are supported */
2121 case 0: mdname = NULL; break;
2122 case 1: mdname = "sha256"; break;
2123 case 2: mdname = "sha512"; break;
fde080a4
JH		 2124 }
2125
133d2546 2126 found++;
fde080a4
JH		 2127 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2128 {
2129 default:
cf0c6164 2130 return tls_error(US"tlsa load", host, NULL, errstr);
c035b645 2131 case 0: /* action not taken */
fde080a4
JH		 2132 case 1: break;
2133 }
594706ea
JH		 2134
2135 tls_out.tlsa_usage |= 1<<usage;
fde080a4
JH		 2136 }
2137
2138if (found)
2139 return OK;
2140
133d2546 2141log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
6ebd79ec 2142return DEFER;
fde080a4
JH		 2143}
2144#endif /*EXPERIMENTAL_DANE*/
2145
2146
2147
059ec3d9
PH		 2148/*************************************************
2149* Start a TLS session in a client *
2150*************************************************/
2151
2152/* Called from the smtp transport after STARTTLS has been accepted.
2153
2154Argument:
2155 fd the fd of the connection
2156 host connected host (for messages)
83da1223 2157 addr the first address
a7538db1 2158 tb transport (always smtp)
0e66b3b6 2159 tlsa_dnsa tlsa lookup, if DANE, else null
cf0c6164 2160 errstr error string pointer
059ec3d9
PH		 2161
2162Returns: OK on success
2163 FAIL otherwise - note that tls_error() will not give DEFER
2164 because this is not a server
2165*/
2166
2167int
f5d78688 2168tls_client_start(int fd, host_item *host, address_item *addr,
cf0c6164 2169 transport_instance * tb,
0e66b3b6 2170#ifdef EXPERIMENTAL_DANE
cf0c6164 2171 dns_answer * tlsa_dnsa,
0e66b3b6 2172#endif
cf0c6164 2173 uschar ** errstr)
059ec3d9 2174{
a7538db1
JH		 2175smtp_transport_options_block * ob =
2176 (smtp_transport_options_block *)tb->options_block;
f69979cf 2177static uschar peerdn[256];
868f5672 2178uschar * expciphers;
059ec3d9 2179int rc;
817d9f57 2180static uschar cipherbuf[256];
043b1248
JH		 2181
2182#ifndef DISABLE_OCSP
043b1248 2183BOOL request_ocsp = FALSE;
6634ac8d 2184BOOL require_ocsp = FALSE;
043b1248 2185#endif
043b1248
JH		 2186
2187#ifdef EXPERIMENTAL_DANE
594706ea 2188tls_out.tlsa_usage = 0;
043b1248
JH		 2189#endif
2190
f2de3a33 2191#ifndef DISABLE_OCSP
043b1248 2192 {
4f59c424
JH		 2193# ifdef EXPERIMENTAL_DANE
2194 if ( tlsa_dnsa
2195 && ob->hosts_request_ocsp[0] == '*'
2196 && ob->hosts_request_ocsp[1] == '\0'
2197 )
2198 {
2199 /* Unchanged from default. Use a safer one under DANE */
2200 request_ocsp = TRUE;
2201 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2202 " {= {4}{$tls_out_tlsa_usage}} } "
2203 " {*}{}}";
2204 }
2205# endif
2206
5130845b
JH		 2207 if ((require_ocsp =
2208 verify_check_given_host(&ob->hosts_require_ocsp, host) == OK))
fca41d5a
JH		 2209 request_ocsp = TRUE;
2210 else
fca41d5a 2211# ifdef EXPERIMENTAL_DANE
4f59c424 2212 if (!request_ocsp)
fca41d5a 2213# endif
5130845b
JH		 2214 request_ocsp =
2215 verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
043b1248 2216 }
f5d78688 2217#endif
059ec3d9 2218
65867078
JH		 2219rc = tls_init(&client_ctx, host, NULL,
2220 ob->tls_certificate, ob->tls_privatekey,
f2de3a33 2221#ifndef DISABLE_OCSP
44662487 2222 (void *)(long)request_ocsp,
3f7eeb86 2223#endif
cf0c6164 2224 addr, &client_static_cbinfo, errstr);
059ec3d9
PH		 2225if (rc != OK) return rc;
2226
817d9f57 2227tls_out.certificate_verified = FALSE;
a2ff477a 2228client_verify_callback_called = FALSE;
059ec3d9 2229
65867078 2230if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
cf0c6164 2231 &expciphers, errstr))
059ec3d9
PH		 2232 return FAIL;
2233
2234/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2235are separated by underscores. So that I can use either form in my tests, and
2236also for general convenience, we turn underscores into hyphens here. */
2237
cf0c6164 2238if (expciphers)
059ec3d9
PH		 2239 {
2240 uschar *s = expciphers;
cf0c6164 2241 while (*s) { if (*s == '_') *s = '-'; s++; }
059ec3d9 2242 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 2243 if (!SSL_CTX_set_cipher_list(client_ctx, CS expciphers))
cf0c6164 2244 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
059ec3d9
PH		 2245 }
2246
043b1248 2247#ifdef EXPERIMENTAL_DANE
0e66b3b6 2248if (tlsa_dnsa)
a63be306 2249 {
02af313d
JH		 2250 SSL_CTX_set_verify(client_ctx,
2251 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2252 verify_callback_client_dane);
e5cccda9 2253
043b1248 2254 if (!DANESSL_library_init())
cf0c6164 2255 return tls_error(US"library init", host, NULL, errstr);
043b1248 2256 if (DANESSL_CTX_init(client_ctx) <= 0)
cf0c6164 2257 return tls_error(US"context init", host, NULL, errstr);
043b1248
JH		 2258 }
2259else
e51c7be2 2260
043b1248
JH		 2261#endif
2262
cf0c6164
JH		 2263 if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob,
2264 client_static_cbinfo, errstr)) != OK)
65867078 2265 return rc;
059ec3d9 2266
65867078 2267if ((client_ssl = SSL_new(client_ctx)) == NULL)
cf0c6164 2268 return tls_error(US"SSL_new", host, NULL, errstr);
817d9f57
JH		 2269SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
2270SSL_set_fd(client_ssl, fd);
2271SSL_set_connect_state(client_ssl);
059ec3d9 2272
65867078 2273if (ob->tls_sni)
3f0945ff 2274 {
cf0c6164 2275 if (!expand_check(ob->tls_sni, US"tls_sni", &tls_out.sni, errstr))
3f0945ff 2276 return FAIL;
cf0c6164 2277 if (!tls_out.sni)
2c9a0e86
PP		 2278 {
2279 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
2280 }
ec4b68e5 2281 else if (!Ustrlen(tls_out.sni))
817d9f57 2282 tls_out.sni = NULL;
3f0945ff
PP		 2283 else
2284 {
35731706 2285#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57
JH		 2286 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_out.sni);
2287 SSL_set_tlsext_host_name(client_ssl, tls_out.sni);
35731706 2288#else
66802652 2289 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
02d9264f 2290 tls_out.sni);
35731706 2291#endif
3f0945ff
PP		 2292 }
2293 }
2294
594706ea 2295#ifdef EXPERIMENTAL_DANE
0e66b3b6 2296if (tlsa_dnsa)
cf0c6164 2297 if ((rc = dane_tlsa_load(client_ssl, host, tlsa_dnsa, errstr)) != OK)
594706ea
JH		 2298 return rc;
2299#endif
2300
f2de3a33 2301#ifndef DISABLE_OCSP
f5d78688
JH		 2302/* Request certificate status at connection-time. If the server
2303does OCSP stapling we will get the callback (set in tls_init()) */
b50c8b84 2304# ifdef EXPERIMENTAL_DANE
594706ea
JH		 2305if (request_ocsp)
2306 {
2307 const uschar * s;
41afb5cb
JH		 2308 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2309 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
594706ea
JH		 2310 )
2311 { /* Re-eval now $tls_out_tlsa_usage is populated. If
2312 this means we avoid the OCSP request, we wasted the setup
2313 cost in tls_init(). */
5130845b
JH		 2314 require_ocsp = verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
2315 request_ocsp = require_ocsp
2316 || verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
594706ea
JH		 2317 }
2318 }
b50c8b84
JH		 2319# endif
2320
44662487
JH		 2321if (request_ocsp)
2322 {
f5d78688 2323 SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp);
44662487
JH		 2324 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
2325 tls_out.ocsp = OCSP_NOT_RESP;
2326 }
f5d78688
JH		 2327#endif
2328
0cbf2b82 2329#ifndef DISABLE_EVENT
774ef2d7 2330client_static_cbinfo->event_action = tb->event_action;
a7538db1 2331#endif
043b1248 2332
059ec3d9
PH		 2333/* There doesn't seem to be a built-in timeout on connection. */
2334
2335DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
2336sigalrm_seen = FALSE;
65867078 2337alarm(ob->command_timeout);
817d9f57 2338rc = SSL_connect(client_ssl);
059ec3d9
PH		 2339alarm(0);
2340
043b1248 2341#ifdef EXPERIMENTAL_DANE
0e66b3b6 2342if (tlsa_dnsa)
fde080a4 2343 DANESSL_cleanup(client_ssl);
043b1248
JH		 2344#endif
2345
059ec3d9 2346if (rc <= 0)
cf0c6164
JH		 2347 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL,
2348 errstr);
059ec3d9
PH		 2349
2350DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
2351
f69979cf 2352peer_cert(client_ssl, &tls_out, peerdn, sizeof(peerdn));
059ec3d9 2353
817d9f57
JH		 2354construct_cipher_name(client_ssl, cipherbuf, sizeof(cipherbuf), &tls_out.bits);
2355tls_out.cipher = cipherbuf;
059ec3d9 2356
9d1c15ef
JH		 2357/* Record the certificate we presented */
2358 {
2359 X509 * crt = SSL_get_certificate(client_ssl);
2360 tls_out.ourcert = crt ? X509_dup(crt) : NULL;
2361 }
2362
817d9f57 2363tls_out.active = fd;
059ec3d9
PH		 2364return OK;
2365}
2366
2367
2368
2369
2370
0d81dabc
JH		 2371static BOOL
2372tls_refill(unsigned lim)
2373{
2374int error;
2375int inbytes;
2376
2377DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
2378 ssl_xfer_buffer, ssl_xfer_buffer_size);
2379
2380if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
2381inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
2382 MIN(ssl_xfer_buffer_size, lim));
2383error = SSL_get_error(server_ssl, inbytes);
2384alarm(0);
2385
2386/* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
2387closed down, not that the socket itself has been closed down. Revert to
2388non-SSL handling. */
2389
2390if (error == SSL_ERROR_ZERO_RETURN)
2391 {
2392 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2393
2394 receive_getc = smtp_getc;
2395 receive_getbuf = smtp_getbuf;
2396 receive_get_cache = smtp_get_cache;
2397 receive_ungetc = smtp_ungetc;
2398 receive_feof = smtp_feof;
2399 receive_ferror = smtp_ferror;
2400 receive_smtp_buffered = smtp_buffered;
2401
2402 SSL_free(server_ssl);
2403 server_ssl = NULL;
2404 tls_in.active = -1;
2405 tls_in.bits = 0;
2406 tls_in.cipher = NULL;
2407 tls_in.peerdn = NULL;
2408 tls_in.sni = NULL;
2409
2410 return FALSE;
2411 }
2412
2413/* Handle genuine errors */
2414
2415else if (error == SSL_ERROR_SSL)
2416 {
2417 ERR_error_string(ERR_get_error(), ssl_errstring);
2418 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
2419 ssl_xfer_error = 1;
2420 return FALSE;
2421 }
2422
2423else if (error != SSL_ERROR_NONE)
2424 {
2425 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2426 ssl_xfer_error = 1;
2427 return FALSE;
2428 }
2429
2430#ifndef DISABLE_DKIM
2431dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
2432#endif
2433ssl_xfer_buffer_hwm = inbytes;
2434ssl_xfer_buffer_lwm = 0;
2435return TRUE;
2436}
2437
2438
059ec3d9
PH		 2439/*************************************************
2440* TLS version of getc *
2441*************************************************/
2442
2443/* This gets the next byte from the TLS input buffer. If the buffer is empty,
2444it refills the buffer via the SSL reading function.
2445
bd8fbe36 2446Arguments: lim Maximum amount to read/buffer
059ec3d9 2447Returns: the next character or EOF
817d9f57
JH		 2448
2449Only used by the server-side TLS.
059ec3d9
PH		 2450*/
2451
2452int
bd8fbe36 2453tls_getc(unsigned lim)
059ec3d9
PH		 2454{
2455if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
0d81dabc
JH		 2456 if (!tls_refill(lim))
2457 return ssl_xfer_error ? EOF : smtp_getc(lim);
059ec3d9 2458
0d81dabc 2459/* Something in the buffer; return next uschar */
059ec3d9 2460
0d81dabc
JH		 2461return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
2462}
059ec3d9 2463
0d81dabc
JH		 2464uschar *
2465tls_getbuf(unsigned * len)
2466{
2467unsigned size;
2468uschar * buf;
ba084640 2469
0d81dabc
JH		 2470if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2471 if (!tls_refill(*len))
059ec3d9 2472 {
0d81dabc
JH		 2473 if (!ssl_xfer_error) return smtp_getbuf(len);
2474 *len = 0;
2475 return NULL;
059ec3d9 2476 }
c80c5570 2477
0d81dabc
JH		 2478if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
2479 size = *len;
2480buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
2481ssl_xfer_buffer_lwm += size;
2482*len = size;
2483return buf;
059ec3d9
PH		 2484}
2485
0d81dabc 2486
584e96c6
JH		 2487void
2488tls_get_cache()
2489{
9960d1e5 2490#ifndef DISABLE_DKIM
584e96c6
JH		 2491int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
2492if (n > 0)
2493 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
584e96c6 2494#endif
9960d1e5 2495}
584e96c6 2496
059ec3d9 2497
925ac8e4
JH		 2498BOOL
2499tls_could_read(void)
2500{
a5ffa9b4 2501return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0;
925ac8e4
JH		 2502}
2503
059ec3d9
PH		 2504
2505/*************************************************
2506* Read bytes from TLS channel *
2507*************************************************/
2508
2509/*
2510Arguments:
2511 buff buffer of data
2512 len size of buffer
2513
2514Returns: the number of bytes read
2515 -1 after a failed read
817d9f57
JH		 2516
2517Only used by the client-side TLS.
059ec3d9
PH		 2518*/
2519
2520int
389ca47a 2521tls_read(BOOL is_server, uschar *buff, size_t len)
059ec3d9 2522{
389ca47a 2523SSL *ssl = is_server ? server_ssl : client_ssl;
059ec3d9
PH		 2524int inbytes;
2525int error;
2526
389ca47a 2527DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
c80c5570 2528 buff, (unsigned int)len);
059ec3d9 2529
389ca47a
JH		 2530inbytes = SSL_read(ssl, CS buff, len);
2531error = SSL_get_error(ssl, inbytes);
059ec3d9
PH		 2532
2533if (error == SSL_ERROR_ZERO_RETURN)
2534 {
2535 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2536 return -1;
2537 }
2538else if (error != SSL_ERROR_NONE)
059ec3d9 2539 return -1;
059ec3d9
PH		 2540
2541return inbytes;
2542}
2543
2544
2545
2546
2547
2548/*************************************************
2549* Write bytes down TLS channel *
2550*************************************************/
2551
2552/*
2553Arguments:
817d9f57 2554 is_server channel specifier
059ec3d9
PH		 2555 buff buffer of data
2556 len number of bytes
925ac8e4 2557 more further data expected soon
059ec3d9
PH		 2558
2559Returns: the number of bytes after a successful write,
2560 -1 after a failed write
817d9f57
JH		 2561
2562Used by both server-side and client-side TLS.
059ec3d9
PH		 2563*/
2564
2565int
925ac8e4 2566tls_write(BOOL is_server, const uschar *buff, size_t len, BOOL more)
059ec3d9 2567{
a5ffa9b4 2568int outbytes, error, left;
817d9f57 2569SSL *ssl = is_server ? server_ssl : client_ssl;
a5ffa9b4
JH		 2570static uschar * corked = NULL;
2571static int c_size = 0, c_len = 0;
2572
2573DEBUG(D_tls) debug_printf("%s(%p, %d%s)\n", __FUNCTION__,
2574 buff, left, more ? ", more" : "");
2575
2576/* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
2577"more" is notified. This hack is only ok if small amounts are involved AND only
2578one stream does it, in one context (i.e. no store reset). Currently it is used
2579for the responses to the received SMTP MAIL , RCPT, DATA sequence, only. */
2580
2581if (is_server && (more || corked))
2582 {
2583 corked = string_catn(corked, &c_size, &c_len, buff, len);
2584 if (more)
2585 return len;
2586 buff = CUS corked;
2587 len = c_len;
2588 corked = NULL; c_size = c_len = 0;
2589 }
059ec3d9 2590
a5ffa9b4 2591for (left = len; left > 0;)
059ec3d9 2592 {
c80c5570 2593 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
059ec3d9
PH		 2594 outbytes = SSL_write(ssl, CS buff, left);
2595 error = SSL_get_error(ssl, outbytes);
2596 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
2597 switch (error)
2598 {
2599 case SSL_ERROR_SSL:
96f5fe4c
JH		 2600 ERR_error_string(ERR_get_error(), ssl_errstring);
2601 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
2602 return -1;
059ec3d9
PH		 2603
2604 case SSL_ERROR_NONE:
96f5fe4c
JH		 2605 left -= outbytes;
2606 buff += outbytes;
2607 break;
059ec3d9
PH		 2608
2609 case SSL_ERROR_ZERO_RETURN:
96f5fe4c
JH		 2610 log_write(0, LOG_MAIN, "SSL channel closed on write");
2611 return -1;
059ec3d9 2612
817d9f57 2613 case SSL_ERROR_SYSCALL:
96f5fe4c
JH		 2614 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
2615 sender_fullhost ? sender_fullhost : US"<unknown>",
2616 strerror(errno));
2617 return -1;
817d9f57 2618
059ec3d9 2619 default:
96f5fe4c
JH		 2620 log_write(0, LOG_MAIN, "SSL_write error %d", error);
2621 return -1;
059ec3d9
PH		 2622 }
2623 }
2624return len;
2625}
2626
2627
2628
2629/*************************************************
2630* Close down a TLS session *
2631*************************************************/
2632
2633/* This is also called from within a delivery subprocess forked from the
2634daemon, to shut down the TLS library, without actually doing a shutdown (which
2635would tamper with the SSL session in the parent process).
2636
2637Arguments: TRUE if SSL_shutdown is to be called
2638Returns: nothing
817d9f57
JH		 2639
2640Used by both server-side and client-side TLS.
059ec3d9
PH		 2641*/
2642
2643void
817d9f57 2644tls_close(BOOL is_server, BOOL shutdown)
059ec3d9 2645{
817d9f57 2646SSL **sslp = is_server ? &server_ssl : &client_ssl;
389ca47a 2647int *fdp = is_server ? &tls_in.active : &tls_out.active;
817d9f57
JH		 2648
2649if (*fdp < 0) return; /* TLS was not active */
059ec3d9
PH		 2650
2651if (shutdown)
2652 {
ec8b777a 2653 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
817d9f57 2654 SSL_shutdown(*sslp);
059ec3d9
PH		 2655 }
2656
817d9f57
JH		 2657SSL_free(*sslp);
2658*sslp = NULL;
059ec3d9 2659
817d9f57 2660*fdp = -1;
059ec3d9
PH		 2661}
2662
36f12725
NM		 2663
2664
2665
3375e053
PP		 2666/*************************************************
2667* Let tls_require_ciphers be checked at startup *
2668*************************************************/
2669
2670/* The tls_require_ciphers option, if set, must be something which the
2671library can parse.
2672
2673Returns: NULL on success, or error message
2674*/
2675
2676uschar *
2677tls_validate_require_cipher(void)
2678{
2679SSL_CTX *ctx;
2680uschar *s, *expciphers, *err;
2681
2682/* this duplicates from tls_init(), we need a better "init just global
2683state, for no specific purpose" singleton function of our own */
2684
2685SSL_load_error_strings();
2686OpenSSL_add_ssl_algorithms();
2687#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
2688/* SHA256 is becoming ever more popular. This makes sure it gets added to the
2689list of available digests. */
2690EVP_add_digest(EVP_sha256());
2691#endif
2692
2693if (!(tls_require_ciphers && *tls_require_ciphers))
2694 return NULL;
2695
cf0c6164
JH		 2696if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
2697 &err))
3375e053
PP		 2698 return US"failed to expand tls_require_ciphers";
2699
2700if (!(expciphers && *expciphers))
2701 return NULL;
2702
2703/* normalisation ripped from above */
2704s = expciphers;
2705while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2706
2707err = NULL;
2708
2709ctx = SSL_CTX_new(SSLv23_server_method());
2710if (!ctx)
2711 {
2712 ERR_error_string(ERR_get_error(), ssl_errstring);
2713 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
2714 }
2715
2716DEBUG(D_tls)
2717 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2718
2719if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
2720 {
2721 ERR_error_string(ERR_get_error(), ssl_errstring);
cf0c6164
JH		 2722 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
2723 expciphers, ssl_errstring);
3375e053
PP		 2724 }
2725
2726SSL_CTX_free(ctx);
2727
2728return err;
2729}
2730
2731
2732
2733
36f12725
NM		 2734/*************************************************
2735* Report the library versions. *
2736*************************************************/
2737
2738/* There have historically been some issues with binary compatibility in
2739OpenSSL libraries; if Exim (like many other applications) is built against
2740one version of OpenSSL but the run-time linker picks up another version,
2741it can result in serious failures, including crashing with a SIGSEGV. So
2742report the version found by the compiler and the run-time version.
2743
f64a1e23
PP		 2744Note: some OS vendors backport security fixes without changing the version
2745number/string, and the version date remains unchanged. The _build_ date
2746will change, so we can more usefully assist with version diagnosis by also
2747reporting the build date.
2748
36f12725
NM		 2749Arguments: a FILE* to print the results to
2750Returns: nothing
2751*/
2752
2753void
2754tls_version_report(FILE *f)
2755{
754a0503 2756fprintf(f, "Library version: OpenSSL: Compile: %s\n"
f64a1e23
PP		 2757 " Runtime: %s\n"
2758 " : %s\n",
754a0503 2759 OPENSSL_VERSION_TEXT,
f64a1e23
PP		 2760 SSLeay_version(SSLEAY_VERSION),
2761 SSLeay_version(SSLEAY_BUILT_ON));
2762/* third line is 38 characters for the %s and the line is 73 chars long;
2763the OpenSSL output includes a "built on: " prefix already. */
36f12725
NM		 2764}
2765
9e3331ea
TK		 2766
2767
2768
2769/*************************************************
17c76198 2770* Random number generation *
9e3331ea
TK		 2771*************************************************/
2772
2773/* Pseudo-random number generation. The result is not expected to be
2774cryptographically strong but not so weak that someone will shoot themselves
2775in the foot using it as a nonce in input in some email header scheme or
2776whatever weirdness they'll twist this into. The result should handle fork()
2777and avoid repeating sequences. OpenSSL handles that for us.
2778
2779Arguments:
2780 max range maximum
2781Returns a random number in range [0, max-1]
2782*/
2783
2784int
17c76198 2785vaguely_random_number(int max)
9e3331ea
TK		 2786{
2787unsigned int r;
2788int i, needed_len;
de6135a0
PP		 2789static pid_t pidlast = 0;
2790pid_t pidnow;
9e3331ea
TK		 2791uschar *p;
2792uschar smallbuf[sizeof(r)];
2793
2794if (max <= 1)
2795 return 0;
2796
de6135a0
PP		 2797pidnow = getpid();
2798if (pidnow != pidlast)
2799 {
2800 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
2801 is unique for each thread", this doesn't apparently apply across processes,
2802 so our own warning from vaguely_random_number_fallback() applies here too.
2803 Fix per PostgreSQL. */
2804 if (pidlast != 0)
2805 RAND_cleanup();
2806 pidlast = pidnow;
2807 }
2808
9e3331ea
TK		 2809/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
2810if (!RAND_status())
2811 {
2812 randstuff r;
2813 gettimeofday(&r.tv, NULL);
2814 r.p = getpid();
2815
2816 RAND_seed((uschar *)(&r), sizeof(r));
2817 }
2818/* We're after pseudo-random, not random; if we still don't have enough data
2819in the internal PRNG then our options are limited. We could sleep and hope
2820for entropy to come along (prayer technique) but if the system is so depleted
2821in the first place then something is likely to just keep taking it. Instead,
2822we'll just take whatever little bit of pseudo-random we can still manage to
2823get. */
2824
2825needed_len = sizeof(r);
2826/* Don't take 8 times more entropy than needed if int is 8 octets and we were
2827asked for a number less than 10. */
2828for (r = max, i = 0; r; ++i)
2829 r >>= 1;
2830i = (i + 7) / 8;
2831if (i < needed_len)
2832 needed_len = i;
2833
c8dfb21d 2834#ifdef EXIM_HAVE_RAND_PSEUDO
9e3331ea 2835/* We do not care if crypto-strong */
17c76198 2836i = RAND_pseudo_bytes(smallbuf, needed_len);
c8dfb21d
JH		 2837#else
2838i = RAND_bytes(smallbuf, needed_len);
2839#endif
2840
17c76198
PP		 2841if (i < 0)
2842 {
2843 DEBUG(D_all)
2844 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
2845 return vaguely_random_number_fallback(max);
2846 }
2847
9e3331ea
TK		 2848r = 0;
2849for (p = smallbuf; needed_len; --needed_len, ++p)
2850 {
2851 r *= 256;
2852 r += *p;
2853 }
2854
2855/* We don't particularly care about weighted results; if someone wants
2856smooth distribution and cares enough then they should submit a patch then. */
2857return r % max;
2858}
2859
77bb000f
PP		 2860
2861
2862
2863/*************************************************
2864* OpenSSL option parse *
2865*************************************************/
2866
2867/* Parse one option for tls_openssl_options_parse below
2868
2869Arguments:
2870 name one option name
2871 value place to store a value for it
2872Returns success or failure in parsing
2873*/
2874
2875struct exim_openssl_option {
2876 uschar *name;
2877 long value;
2878};
2879/* We could use a macro to expand, but we need the ifdef and not all the
2880options document which version they were introduced in. Policylet: include
2881all options unless explicitly for DTLS, let the administrator choose which
2882to apply.
2883
2884This list is current as of:
e2fbf4a2
PP		 2885 ==> 1.0.1b <==
2886Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
2887*/
77bb000f
PP		 2888static struct exim_openssl_option exim_openssl_options[] = {
2889/* KEEP SORTED ALPHABETICALLY! */
2890#ifdef SSL_OP_ALL
73a46702 2891 { US"all", SSL_OP_ALL },
77bb000f
PP		 2892#endif
2893#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
73a46702 2894 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
77bb000f
PP		 2895#endif
2896#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
73a46702 2897 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
77bb000f
PP		 2898#endif
2899#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
73a46702 2900 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
77bb000f
PP		 2901#endif
2902#ifdef SSL_OP_EPHEMERAL_RSA
73a46702 2903 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
77bb000f
PP		 2904#endif
2905#ifdef SSL_OP_LEGACY_SERVER_CONNECT
73a46702 2906 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
77bb000f
PP		 2907#endif
2908#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
73a46702 2909 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
77bb000f
PP		 2910#endif
2911#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
73a46702 2912 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
77bb000f
PP		 2913#endif
2914#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
73a46702 2915 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
77bb000f
PP		 2916#endif
2917#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
73a46702 2918 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
77bb000f
PP		 2919#endif
2920#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
73a46702 2921 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
77bb000f 2922#endif
c80c5570
PP		 2923#ifdef SSL_OP_NO_COMPRESSION
2924 { US"no_compression", SSL_OP_NO_COMPRESSION },
2925#endif
77bb000f 2926#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
73a46702 2927 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
77bb000f 2928#endif
c0c7b2da
PP		 2929#ifdef SSL_OP_NO_SSLv2
2930 { US"no_sslv2", SSL_OP_NO_SSLv2 },
2931#endif
2932#ifdef SSL_OP_NO_SSLv3
2933 { US"no_sslv3", SSL_OP_NO_SSLv3 },
2934#endif
2935#ifdef SSL_OP_NO_TICKET
2936 { US"no_ticket", SSL_OP_NO_TICKET },
2937#endif
2938#ifdef SSL_OP_NO_TLSv1
2939 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
2940#endif
c80c5570
PP		 2941#ifdef SSL_OP_NO_TLSv1_1
2942#if SSL_OP_NO_TLSv1_1 == 0x00000400L
2943 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
2944#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
2945#else
2946 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
2947#endif
2948#endif
2949#ifdef SSL_OP_NO_TLSv1_2
2950 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
2951#endif
e2fbf4a2
PP		 2952#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
2953 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
2954#endif
77bb000f 2955#ifdef SSL_OP_SINGLE_DH_USE
73a46702 2956 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
77bb000f
PP		 2957#endif
2958#ifdef SSL_OP_SINGLE_ECDH_USE
73a46702 2959 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
77bb000f
PP		 2960#endif
2961#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
73a46702 2962 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
77bb000f
PP		 2963#endif
2964#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
73a46702 2965 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
77bb000f
PP		 2966#endif
2967#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
73a46702 2968 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
77bb000f
PP		 2969#endif
2970#ifdef SSL_OP_TLS_D5_BUG
73a46702 2971 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
77bb000f
PP		 2972#endif
2973#ifdef SSL_OP_TLS_ROLLBACK_BUG
73a46702 2974 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
77bb000f
PP		 2975#endif
2976};
2977static int exim_openssl_options_size =
2978 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
2979
c80c5570 2980
77bb000f
PP		 2981static BOOL
2982tls_openssl_one_option_parse(uschar *name, long *value)
2983{
2984int first = 0;
2985int last = exim_openssl_options_size;
2986while (last > first)
2987 {
2988 int middle = (first + last)/2;
2989 int c = Ustrcmp(name, exim_openssl_options[middle].name);
2990 if (c == 0)
2991 {
2992 *value = exim_openssl_options[middle].value;
2993 return TRUE;
2994 }
2995 else if (c > 0)
2996 first = middle + 1;
2997 else
2998 last = middle;
2999 }
3000return FALSE;
3001}
3002
3003
3004
3005
3006/*************************************************
3007* OpenSSL option parsing logic *
3008*************************************************/
3009
3010/* OpenSSL has a number of compatibility options which an administrator might
3011reasonably wish to set. Interpret a list similarly to decode_bits(), so that
3012we look like log_selector.
3013
3014Arguments:
3015 option_spec the administrator-supplied string of options
3016 results ptr to long storage for the options bitmap
3017Returns success or failure
3018*/
3019
3020BOOL
3021tls_openssl_options_parse(uschar *option_spec, long *results)
3022{
3023long result, item;
3024uschar *s, *end;
3025uschar keep_c;
3026BOOL adding, item_parsed;
3027
7006ee24 3028result = SSL_OP_NO_TICKET;
b1770b6e 3029/* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
da3ad30d 3030 * from default because it increases BEAST susceptibility. */
f0f5a555
PP		 3031#ifdef SSL_OP_NO_SSLv2
3032result |= SSL_OP_NO_SSLv2;
3033#endif
a57b6200
JH		 3034#ifdef SSL_OP_SINGLE_DH_USE
3035result |= SSL_OP_SINGLE_DH_USE;
3036#endif
77bb000f 3037
7006ee24 3038if (!option_spec)
77bb000f
PP		 3039 {
3040 *results = result;
3041 return TRUE;
3042 }
3043
3044for (s=option_spec; *s != '\0'; /**/)
3045 {
3046 while (isspace(*s)) ++s;
3047 if (*s == '\0')
3048 break;
3049 if (*s != '+' && *s != '-')
3050 {
3051 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
0e944a0d 3052 "+ or - expected but found \"%s\"\n", s);
77bb000f
PP		 3053 return FALSE;
3054 }
3055 adding = *s++ == '+';
3056 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
3057 keep_c = *end;
3058 *end = '\0';
3059 item_parsed = tls_openssl_one_option_parse(s, &item);
96f5fe4c 3060 *end = keep_c;
77bb000f
PP		 3061 if (!item_parsed)
3062 {
0e944a0d 3063 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
77bb000f
PP		 3064 return FALSE;
3065 }
3066 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
3067 adding ? "adding" : "removing", result, item, s);
3068 if (adding)
3069 result |= item;
3070 else
3071 result &= ~item;
77bb000f
PP		 3072 s = end;
3073 }
3074
3075*results = result;
3076return TRUE;
3077}
3078
9d1c15ef
JH		 3079/* vi: aw ai sw=2
3080*/
059ec3d9 3081/* End of tls-openssl.c */
Unnamed repository; edit this file 'description' to name the repository.