projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
TLS SNI support for OpenSSL ($tls_sni)
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
0a49a7a4 5/* Copyright (c) University of Cambridge 1995 - 2009 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
8/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
9library. It is #included into the tls.c file when that library is used. The
10code herein is based on a patch that was originally contributed by Steve
11Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
12
13No cryptographic code is included in Exim. All this module does is to call
14functions from the OpenSSL library. */
15
16
17/* Heading stuff */
18
19#include <openssl/lhash.h>
20#include <openssl/ssl.h>
21#include <openssl/err.h>
22#include <openssl/rand.h>
23
24/* Structure for collecting random data for seeding. */
25
26typedef struct randstuff {
9e3331ea
TK		 27 struct timeval tv;
28 pid_t p;
059ec3d9
PH		 29} randstuff;
30
31/* Local static variables */
32
33static BOOL verify_callback_called = FALSE;
34static const uschar *sid_ctx = US"exim";
35
36static SSL_CTX *ctx = NULL;
7be682ca 37static SSL_CTX *ctx_sni = NULL;
059ec3d9
PH		 38static SSL *ssl = NULL;
39
40static char ssl_errstring[256];
41
42static int ssl_session_timeout = 200;
43static BOOL verify_optional = FALSE;
44
7be682ca 45static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH		 46
47
7be682ca
PP		 48typedef struct tls_ext_ctx_cb {
49 uschar *certificate;
50 uschar *privatekey;
51 uschar *dhparam;
52 /* these are cached from first expand */
53 uschar *server_cipher_list;
54 /* only passed down to tls_error: */
55 host_item *host;
56} tls_ext_ctx_cb;
57
58/* should figure out a cleanup of API to handle state preserved per
59implementation, for various reasons, which can be void * in the APIs.
60For now, we hack around it. */
61tls_ext_ctx_cb *static_cbinfo = NULL;
62
63static int
64setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional);
059ec3d9
PH		 65
66
67/*************************************************
68* Handle TLS error *
69*************************************************/
70
71/* Called from lots of places when errors occur before actually starting to do
72the TLS handshake, that is, while the session is still in clear. Always returns
73DEFER for a server and FAIL for a client so that most calls can use "return
74tls_error(...)" to do this processing and then give an appropriate return. A
75single function is used for both server and client, because it is called from
76some shared functions.
77
78Argument:
79 prefix text to include in the logged error
80 host NULL if setting up a server;
81 the connected host if setting up a client
7199e1ee 82 msg error message or NULL if we should ask OpenSSL
059ec3d9
PH		 83
84Returns: OK/DEFER/FAIL
85*/
86
87static int
7199e1ee 88tls_error(uschar *prefix, host_item *host, uschar *msg)
059ec3d9 89{
7199e1ee
TF		 90if (msg == NULL)
91 {
92 ERR_error_string(ERR_get_error(), ssl_errstring);
5ca6d115 93 msg = (uschar *)ssl_errstring;
7199e1ee
TF		 94 }
95
059ec3d9
PH		 96if (host == NULL)
97 {
7199e1ee 98 uschar *conn_info = smtp_get_connection_info();
5ca6d115 99 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
7199e1ee
TF		 100 conn_info += 5;
101 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
102 conn_info, prefix, msg);
059ec3d9
PH		 103 return DEFER;
104 }
105else
106 {
107 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s): %s",
7199e1ee 108 host->name, host->address, prefix, msg);
059ec3d9
PH		 109 return FAIL;
110 }
111}
112
113
114
115/*************************************************
116* Callback to generate RSA key *
117*************************************************/
118
119/*
120Arguments:
121 s SSL connection
122 export not used
123 keylength keylength
124
125Returns: pointer to generated key
126*/
127
128static RSA *
129rsa_callback(SSL *s, int export, int keylength)
130{
131RSA *rsa_key;
132export = export; /* Shut picky compilers up */
133DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
134rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
135if (rsa_key == NULL)
136 {
137 ERR_error_string(ERR_get_error(), ssl_errstring);
138 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
139 ssl_errstring);
140 return NULL;
141 }
142return rsa_key;
143}
144
145
146
147
148/*************************************************
149* Callback for verification *
150*************************************************/
151
152/* The SSL library does certificate verification if set up to do so. This
153callback has the current yes/no state is in "state". If verification succeeded,
154we set up the tls_peerdn string. If verification failed, what happens depends
155on whether the client is required to present a verifiable certificate or not.
156
157If verification is optional, we change the state to yes, but still log the
158verification error. For some reason (it really would help to have proper
159documentation of OpenSSL), this callback function then gets called again, this
160time with state = 1. In fact, that's useful, because we can set up the peerdn
161value, but we must take care not to set the private verified flag on the second
162time through.
163
164Note: this function is not called if the client fails to present a certificate
165when asked. We get here only if a certificate has been received. Handling of
166optional verification for this case is done when requesting SSL to verify, by
167setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
168
169Arguments:
170 state current yes/no state as 1/0
171 x509ctx certificate information.
172
173Returns: 1 if verified, 0 if not
174*/
175
176static int
177verify_callback(int state, X509_STORE_CTX *x509ctx)
178{
179static uschar txt[256];
180
181X509_NAME_oneline(X509_get_subject_name(x509ctx->current_cert),
182 CS txt, sizeof(txt));
183
184if (state == 0)
185 {
186 log_write(0, LOG_MAIN, "SSL verify error: depth=%d error=%s cert=%s",
187 x509ctx->error_depth,
188 X509_verify_cert_error_string(x509ctx->error),
189 txt);
190 tls_certificate_verified = FALSE;
191 verify_callback_called = TRUE;
192 if (!verify_optional) return 0; /* reject */
193 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
194 "tls_try_verify_hosts)\n");
195 return 1; /* accept */
196 }
197
198if (x509ctx->error_depth != 0)
199 {
200 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n",
201 x509ctx->error_depth, txt);
202 }
203else
204 {
205 DEBUG(D_tls) debug_printf("SSL%s peer: %s\n",
206 verify_callback_called? "" : " authenticated", txt);
207 tls_peerdn = txt;
208 }
209
059ec3d9
PH		 210if (!verify_callback_called) tls_certificate_verified = TRUE;
211verify_callback_called = TRUE;
212
213return 1; /* accept */
214}
215
216
217
218/*************************************************
219* Information callback *
220*************************************************/
221
222/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP		 223are doing. We copy the string to the debugging output when TLS debugging has
224been requested.
059ec3d9
PH		 225
226Arguments:
227 s the SSL connection
228 where
229 ret
230
231Returns: nothing
232*/
233
234static void
235info_callback(SSL *s, int where, int ret)
236{
237where = where;
238ret = ret;
239DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
240}
241
242
243
244/*************************************************
245* Initialize for DH *
246*************************************************/
247
248/* If dhparam is set, expand it, and load up the parameters for DH encryption.
249
250Arguments:
251 dhparam DH parameter file
7199e1ee 252 host connected host, if client; NULL if server
059ec3d9
PH		 253
254Returns: TRUE if OK (nothing to set up, or setup worked)
255*/
256
257static BOOL
7199e1ee 258init_dh(uschar *dhparam, host_item *host)
059ec3d9
PH		 259{
260BOOL yield = TRUE;
261BIO *bio;
262DH *dh;
263uschar *dhexpanded;
264
265if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
266 return FALSE;
267
268if (dhexpanded == NULL) return TRUE;
269
270if ((bio = BIO_new_file(CS dhexpanded, "r")) == NULL)
271 {
7199e1ee 272 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
5ca6d115 273 host, (uschar *)strerror(errno));
059ec3d9
PH		 274 yield = FALSE;
275 }
276else
277 {
278 if ((dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)) == NULL)
279 {
7199e1ee
TF		 280 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
281 host, NULL);
059ec3d9
PH		 282 yield = FALSE;
283 }
284 else
285 {
286 SSL_CTX_set_tmp_dh(ctx, dh);
287 DEBUG(D_tls)
288 debug_printf("Diffie-Hellman initialized from %s with %d-bit key\n",
289 dhexpanded, 8*DH_size(dh));
290 DH_free(dh);
291 }
292 BIO_free(bio);
293 }
294
295return yield;
296}
297
298
299
300
7be682ca
PP		 301/*************************************************
302* Expand key and cert file specs *
303*************************************************/
304
305/* Called once during tls_init and possibly againt during TLS setup, for a
306new context, if Server Name Indication was used and tls_sni was seen in
307the certificate string.
308
309Arguments:
310 sctx the SSL_CTX* to update
311 cbinfo various parts of session state
312
313Returns: OK/DEFER/FAIL
314*/
315
316static int
317tls_expand_session_files(SSL_CTX *sctx, const tls_ext_ctx_cb *cbinfo)
318{
319uschar *expanded;
320
321if (cbinfo->certificate == NULL)
322 return OK;
323
324if (Ustrstr(cbinfo->certificate, US"tls_sni"))
325 reexpand_tls_files_for_sni = TRUE;
326
327if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
328 return DEFER;
329
330if (expanded != NULL)
331 {
332 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
333 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
334 return tls_error(string_sprintf(
335 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
336 cbinfo->host, NULL);
337 }
338
339if (cbinfo->privatekey != NULL &&
340 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
341 return DEFER;
342
343/* If expansion was forced to fail, key_expanded will be NULL. If the result
344of the expansion is an empty string, ignore it also, and assume the private
345key is in the same file as the certificate. */
346
347if (expanded != NULL && *expanded != 0)
348 {
349 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
350 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
351 return tls_error(string_sprintf(
352 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
353 }
354
355return OK;
356}
357
358
359
360
361/*************************************************
362* Callback to handle SNI *
363*************************************************/
364
365/* Called when acting as server during the TLS session setup if a Server Name
366Indication extension was sent by the client.
367
368API documentation is OpenSSL s_server.c implementation.
369
370Arguments:
371 s SSL* of the current session
372 ad unknown (part of OpenSSL API) (unused)
373 arg Callback of "our" registered data
374
375Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
376*/
377
378static int
379tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
380/* pre-declared for SSL_CTX_set_tlsext_servername_callback call within func */
381
382static int
383tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
384{
385const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
386const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
387int rc;
388
389if (!servername)
390 return SSL_TLSEXT_ERR_OK;
391
392DEBUG(D_tls) debug_printf("TLS SNI: %s%s\n", servername,
393 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
394
395/* Make the extension value available for expansion */
396tls_sni = servername;
397
398if (!reexpand_tls_files_for_sni)
399 return SSL_TLSEXT_ERR_OK;
400
401/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
402not confident that memcpy wouldn't break some internal reference counting.
403Especially since there's a references struct member, which would be off. */
404
405ctx_sni = SSL_CTX_new(SSLv23_server_method());
406if (!ctx_sni)
407 {
408 ERR_error_string(ERR_get_error(), ssl_errstring);
409 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
410 return SSL_TLSEXT_ERR_NOACK;
411 }
412
413/* Not sure how many of these are actually needed, since SSL object
414already exists. Might even need this selfsame callback, for reneg? */
415
416SSL_CTX_set_info_callback(ctx_sni, SSL_CTX_get_info_callback(ctx));
417SSL_CTX_set_mode(ctx_sni, SSL_CTX_get_mode(ctx));
418SSL_CTX_set_options(ctx_sni, SSL_CTX_get_options(ctx));
419SSL_CTX_set_timeout(ctx_sni, SSL_CTX_get_timeout(ctx));
420SSL_CTX_set_tlsext_servername_callback(ctx_sni, tls_servername_cb);
421SSL_CTX_set_tlsext_servername_arg(ctx_sni, cbinfo);
422if (cbinfo->server_cipher_list)
423 SSL_CTX_set_cipher_list(ctx_sni, CS cbinfo->server_cipher_list);
424
425rc = tls_expand_session_files(ctx_sni, cbinfo);
426if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
427
428rc = setup_certs(ctx_sni, tls_verify_certificates, tls_crl, NULL, FALSE);
429if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
430
431DEBUG(D_tls) debug_printf("Switching SSL context.\n");
432SSL_set_SSL_CTX(s, ctx_sni);
433
434return SSL_TLSEXT_ERR_OK;
435}
436
437
438
439
059ec3d9
PH		 440/*************************************************
441* Initialize for TLS *
442*************************************************/
443
444/* Called from both server and client code, to do preliminary initialization of
445the library.
446
447Arguments:
448 host connected host, if client; NULL if server
449 dhparam DH parameter file
450 certificate certificate file
451 privatekey private key
452 addr address if client; NULL if server (for some randomness)
453
454Returns: OK/DEFER/FAIL
455*/
456
457static int
c91535f3
PH		 458tls_init(host_item *host, uschar *dhparam, uschar *certificate,
459 uschar *privatekey, address_item *addr)
059ec3d9 460{
77bb000f 461long init_options;
7be682ca 462int rc;
77bb000f 463BOOL okay;
7be682ca
PP		 464tls_ext_ctx_cb *cbinfo;
465
466cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
467cbinfo->certificate = certificate;
468cbinfo->privatekey = privatekey;
469cbinfo->dhparam = dhparam;
470cbinfo->host = host;
77bb000f 471
059ec3d9
PH		 472SSL_load_error_strings(); /* basic set up */
473OpenSSL_add_ssl_algorithms();
474
388d6564 475#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
77bb000f 476/* SHA256 is becoming ever more popular. This makes sure it gets added to the
a0475b69
TK		 477list of available digests. */
478EVP_add_digest(EVP_sha256());
cf1ef1a9 479#endif
a0475b69 480
059ec3d9
PH		 481/* Create a context */
482
483ctx = SSL_CTX_new((host == NULL)?
484 SSLv23_server_method() : SSLv23_client_method());
485
7199e1ee 486if (ctx == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
059ec3d9
PH		 487
488/* It turns out that we need to seed the random number generator this early in
489order to get the full complement of ciphers to work. It took me roughly a day
490of work to discover this by experiment.
491
492On systems that have /dev/urandom, SSL may automatically seed itself from
493there. Otherwise, we have to make something up as best we can. Double check
494afterwards. */
495
496if (!RAND_status())
497 {
498 randstuff r;
9e3331ea 499 gettimeofday(&r.tv, NULL);
059ec3d9
PH		 500 r.p = getpid();
501
502 RAND_seed((uschar *)(&r), sizeof(r));
503 RAND_seed((uschar *)big_buffer, big_buffer_size);
504 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
505
506 if (!RAND_status())
7199e1ee 507 return tls_error(US"RAND_status", host,
5ca6d115 508 US"unable to seed random number generator");
059ec3d9
PH		 509 }
510
511/* Set up the information callback, which outputs if debugging is at a suitable
512level. */
513
58c01c94 514SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
059ec3d9 515
c80c5570
PP		 516/* Automatically re-try reads/writes after renegotiation. */
517(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
518
77bb000f
PP		 519/* Apply administrator-supplied work-arounds.
520Historically we applied just one requested option,
521SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
522moved to an administrator-controlled list of options to specify and
523grandfathered in the first one as the default value for "openssl_options".
059ec3d9 524
77bb000f
PP		 525No OpenSSL version number checks: the options we accept depend upon the
526availability of the option value macros from OpenSSL. */
059ec3d9 527
77bb000f
PP		 528okay = tls_openssl_options_parse(openssl_options, &init_options);
529if (!okay)
73a46702 530 return tls_error(US"openssl_options parsing failed", host, NULL);
77bb000f
PP		 531
532if (init_options)
533 {
534 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
535 if (!(SSL_CTX_set_options(ctx, init_options)))
536 return tls_error(string_sprintf(
537 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
538 }
539else
540 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9
PH		 541
542/* Initialize with DH parameters if supplied */
543
7199e1ee 544if (!init_dh(dhparam, host)) return DEFER;
059ec3d9
PH		 545
546/* Set up certificate and key */
547
7be682ca
PP		 548rc = tls_expand_session_files(ctx, cbinfo);
549if (rc != OK) return rc;
c91535f3 550
7be682ca
PP		 551/* If we need to handle SNI, do so */
552#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
553/* We always do this, so that $tls_sni is available even if not used in
554tls_certificate */
555SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
556SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
557#endif
059ec3d9
PH		 558
559/* Set up the RSA callback */
560
561SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
562
563/* Finally, set the timeout, and we are done */
564
565SSL_CTX_set_timeout(ctx, ssl_session_timeout);
566DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca
PP		 567
568static_cbinfo = cbinfo;
569
059ec3d9
PH		 570return OK;
571}
572
573
574
575
576/*************************************************
577* Get name of cipher in use *
578*************************************************/
579
580/* The answer is left in a static buffer, and tls_cipher is set to point
581to it.
582
583Argument: pointer to an SSL structure for the connection
584Returns: nothing
585*/
586
587static void
588construct_cipher_name(SSL *ssl)
589{
590static uschar cipherbuf[256];
57b3a7f5
PP		 591/* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
592yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
593the accessor functions use const in the prototype. */
594const SSL_CIPHER *c;
059ec3d9 595uschar *ver;
059ec3d9
PH		 596
597switch (ssl->session->ssl_version)
598 {
599 case SSL2_VERSION:
600 ver = US"SSLv2";
601 break;
602
603 case SSL3_VERSION:
604 ver = US"SSLv3";
605 break;
606
607 case TLS1_VERSION:
608 ver = US"TLSv1";
609 break;
610
c80c5570
PP		 611#ifdef TLS1_1_VERSION
612 case TLS1_1_VERSION:
613 ver = US"TLSv1.1";
614 break;
615#endif
616
617#ifdef TLS1_2_VERSION
618 case TLS1_2_VERSION:
619 ver = US"TLSv1.2";
620 break;
621#endif
622
059ec3d9
PH		 623 default:
624 ver = US"UNKNOWN";
625 }
626
57b3a7f5 627c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
edc33b5f 628SSL_CIPHER_get_bits(c, &tls_bits);
059ec3d9
PH		 629
630string_format(cipherbuf, sizeof(cipherbuf), "%s:%s:%u", ver,
edc33b5f 631 SSL_CIPHER_get_name(c), tls_bits);
059ec3d9
PH		 632tls_cipher = cipherbuf;
633
634DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
635}
636
637
638
639
640
641/*************************************************
642* Set up for verifying certificates *
643*************************************************/
644
645/* Called by both client and server startup
646
647Arguments:
7be682ca 648 sctx SSL_CTX* to initialise
059ec3d9
PH		 649 certs certs file or NULL
650 crl CRL file or NULL
651 host NULL in a server; the remote host in a client
652 optional TRUE if called from a server for a host in tls_try_verify_hosts;
653 otherwise passed as FALSE
654
655Returns: OK/DEFER/FAIL
656*/
657
658static int
7be682ca 659setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional)
059ec3d9
PH		 660{
661uschar *expcerts, *expcrl;
662
663if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
664 return DEFER;
665
666if (expcerts != NULL)
667 {
668 struct stat statbuf;
7be682ca 669 if (!SSL_CTX_set_default_verify_paths(sctx))
7199e1ee 670 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
059ec3d9
PH		 671
672 if (Ustat(expcerts, &statbuf) < 0)
673 {
674 log_write(0, LOG_MAIN|LOG_PANIC,
675 "failed to stat %s for certificates", expcerts);
676 return DEFER;
677 }
678 else
679 {
680 uschar *file, *dir;
681 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
682 { file = NULL; dir = expcerts; }
683 else
684 { file = expcerts; dir = NULL; }
685
686 /* If a certificate file is empty, the next function fails with an
687 unhelpful error message. If we skip it, we get the correct behaviour (no
688 certificates are recognized, but the error message is still misleading (it
689 says no certificate was supplied.) But this is better. */
690
691 if ((file == NULL || statbuf.st_size > 0) &&
7be682ca 692 !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
7199e1ee 693 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
059ec3d9
PH		 694
695 if (file != NULL)
696 {
7be682ca 697 SSL_CTX_set_client_CA_list(sctx, SSL_load_client_CA_file(CS file));
059ec3d9
PH		 698 }
699 }
700
701 /* Handle a certificate revocation list. */
702
703 #if OPENSSL_VERSION_NUMBER > 0x00907000L
704
8b417f2c
PH		 705 /* This bit of code is now the version supplied by Lars Mainka. (I have
706 * merely reformatted it into the Exim code style.)
707
708 * "From here I changed the code to add support for multiple crl's
709 * in pem format in one file or to support hashed directory entries in
710 * pem format instead of a file. This method now uses the library function
711 * X509_STORE_load_locations to add the CRL location to the SSL context.
712 * OpenSSL will then handle the verify against CA certs and CRLs by
713 * itself in the verify callback." */
714
059ec3d9
PH		 715 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
716 if (expcrl != NULL && *expcrl != 0)
717 {
8b417f2c
PH		 718 struct stat statbufcrl;
719 if (Ustat(expcrl, &statbufcrl) < 0)
720 {
721 log_write(0, LOG_MAIN|LOG_PANIC,
722 "failed to stat %s for certificates revocation lists", expcrl);
723 return DEFER;
724 }
725 else
059ec3d9 726 {
8b417f2c
PH		 727 /* is it a file or directory? */
728 uschar *file, *dir;
7be682ca 729 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 730 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 731 {
8b417f2c
PH		 732 file = NULL;
733 dir = expcrl;
734 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH		 735 }
736 else
737 {
8b417f2c
PH		 738 file = expcrl;
739 dir = NULL;
740 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 741 }
8b417f2c 742 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
7199e1ee 743 return tls_error(US"X509_STORE_load_locations", host, NULL);
8b417f2c
PH		 744
745 /* setting the flags to check against the complete crl chain */
746
747 X509_STORE_set_flags(cvstore,
748 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 749 }
059ec3d9
PH		 750 }
751
752 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
753
754 /* If verification is optional, don't fail if no certificate */
755
7be682ca 756 SSL_CTX_set_verify(sctx,
059ec3d9
PH		 757 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
758 verify_callback);
759 }
760
761return OK;
762}
763
764
765
766/*************************************************
767* Start a TLS session in a server *
768*************************************************/
769
770/* This is called when Exim is running as a server, after having received
771the STARTTLS command. It must respond to that command, and then negotiate
772a TLS session.
773
774Arguments:
775 require_ciphers allowed ciphers
83da1223
PH		 776 ------------------------------------------------------
777 require_mac list of allowed MACs ) Not used
778 require_kx list of allowed key_exchange methods ) for
779 require_proto list of allowed protocols ) OpenSSL
780 ------------------------------------------------------
059ec3d9
PH		 781
782Returns: OK on success
783 DEFER for errors before the start of the negotiation
784 FAIL for errors during the negotation; the server can't
785 continue running.
786*/
787
788int
83da1223
PH		 789tls_server_start(uschar *require_ciphers, uschar *require_mac,
790 uschar *require_kx, uschar *require_proto)
059ec3d9
PH		 791{
792int rc;
793uschar *expciphers;
7be682ca 794tls_ext_ctx_cb *cbinfo;
059ec3d9
PH		 795
796/* Check for previous activation */
797
798if (tls_active >= 0)
799 {
5ca6d115 800 tls_error(US"STARTTLS received after TLS started", NULL, US"");
059ec3d9
PH		 801 smtp_printf("554 Already in TLS\r\n");
802 return FAIL;
803 }
804
805/* Initialize the SSL library. If it fails, it will already have logged
806the error. */
807
808rc = tls_init(NULL, tls_dhparam, tls_certificate, tls_privatekey, NULL);
809if (rc != OK) return rc;
7be682ca 810cbinfo = static_cbinfo;
059ec3d9
PH		 811
812if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
813 return FAIL;
814
815/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
816are separated by underscores. So that I can use either form in my tests, and
817also for general convenience, we turn underscores into hyphens here. */
818
819if (expciphers != NULL)
820 {
821 uschar *s = expciphers;
822 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
823 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
824 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
7199e1ee 825 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
7be682ca 826 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH		 827 }
828
829/* If this is a host for which certificate verification is mandatory or
830optional, set up appropriately. */
831
832tls_certificate_verified = FALSE;
833verify_callback_called = FALSE;
834
835if (verify_check_host(&tls_verify_hosts) == OK)
836 {
7be682ca 837 rc = setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, FALSE);
059ec3d9
PH		 838 if (rc != OK) return rc;
839 verify_optional = FALSE;
840 }
841else if (verify_check_host(&tls_try_verify_hosts) == OK)
842 {
7be682ca 843 rc = setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, TRUE);
059ec3d9
PH		 844 if (rc != OK) return rc;
845 verify_optional = TRUE;
846 }
847
848/* Prepare for new connection */
849
7199e1ee 850if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
da3ad30d
PP		 851
852/* Warning: we used to SSL_clear(ssl) here, it was removed.
853 *
854 * With the SSL_clear(), we get strange interoperability bugs with
855 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
856 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
857 *
858 * The SSL_clear() call is to let an existing SSL* be reused, typically after
859 * session shutdown. In this case, we have a brand new object and there's no
860 * obvious reason to immediately clear it. I'm guessing that this was
861 * originally added because of incomplete initialisation which the clear fixed,
862 * in some historic release.
863 */
059ec3d9
PH		 864
865/* Set context and tell client to go ahead, except in the case of TLS startup
866on connection, where outputting anything now upsets the clients and tends to
867make them disconnect. We need to have an explicit fflush() here, to force out
868the response. Other smtp_printf() calls do not need it, because in non-TLS
869mode, the fflush() happens when smtp_getc() is called. */
870
871SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
872if (!tls_on_connect)
873 {
874 smtp_printf("220 TLS go ahead\r\n");
875 fflush(smtp_out);
876 }
877
878/* Now negotiate the TLS session. We put our own timer on it, since it seems
879that the OpenSSL library doesn't. */
880
56f5d9bd
PH		 881SSL_set_wfd(ssl, fileno(smtp_out));
882SSL_set_rfd(ssl, fileno(smtp_in));
059ec3d9
PH		 883SSL_set_accept_state(ssl);
884
885DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
886
887sigalrm_seen = FALSE;
888if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
889rc = SSL_accept(ssl);
890alarm(0);
891
892if (rc <= 0)
893 {
7199e1ee 894 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
77bb000f
PP		 895 if (ERR_get_error() == 0)
896 log_write(0, LOG_MAIN,
a053d125 897 "TLS client disconnected cleanly (rejected our certificate?)");
059ec3d9
PH		 898 return FAIL;
899 }
900
901DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
902
903/* TLS has been set up. Adjust the input functions to read via TLS,
904and initialize things. */
905
906construct_cipher_name(ssl);
907
908DEBUG(D_tls)
909 {
910 uschar buf[2048];
911 if (SSL_get_shared_ciphers(ssl, CS buf, sizeof(buf)) != NULL)
912 debug_printf("Shared ciphers: %s\n", buf);
913 }
914
915
916ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
917ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
918ssl_xfer_eof = ssl_xfer_error = 0;
919
920receive_getc = tls_getc;
921receive_ungetc = tls_ungetc;
922receive_feof = tls_feof;
923receive_ferror = tls_ferror;
58eb016e 924receive_smtp_buffered = tls_smtp_buffered;
059ec3d9
PH		 925
926tls_active = fileno(smtp_out);
927return OK;
928}
929
930
931
932
933
934/*************************************************
935* Start a TLS session in a client *
936*************************************************/
937
938/* Called from the smtp transport after STARTTLS has been accepted.
939
940Argument:
941 fd the fd of the connection
942 host connected host (for messages)
83da1223 943 addr the first address
059ec3d9
PH		 944 dhparam DH parameter file
945 certificate certificate file
946 privatekey private key file
947 verify_certs file for certificate verify
948 crl file containing CRL
949 require_ciphers list of allowed ciphers
83da1223
PH		 950 ------------------------------------------------------
951 require_mac list of allowed MACs ) Not used
952 require_kx list of allowed key_exchange methods ) for
953 require_proto list of allowed protocols ) OpenSSL
954 ------------------------------------------------------
955 timeout startup timeout
059ec3d9
PH		 956
957Returns: OK on success
958 FAIL otherwise - note that tls_error() will not give DEFER
959 because this is not a server
960*/
961
962int
963tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam,
964 uschar *certificate, uschar *privatekey, uschar *verify_certs, uschar *crl,
83da1223
PH		 965 uschar *require_ciphers, uschar *require_mac, uschar *require_kx,
966 uschar *require_proto, int timeout)
059ec3d9
PH		 967{
968static uschar txt[256];
969uschar *expciphers;
970X509* server_cert;
971int rc;
972
973rc = tls_init(host, dhparam, certificate, privatekey, addr);
974if (rc != OK) return rc;
975
976tls_certificate_verified = FALSE;
977verify_callback_called = FALSE;
978
979if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
980 return FAIL;
981
982/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
983are separated by underscores. So that I can use either form in my tests, and
984also for general convenience, we turn underscores into hyphens here. */
985
986if (expciphers != NULL)
987 {
988 uschar *s = expciphers;
989 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
990 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
991 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
7199e1ee 992 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
059ec3d9
PH		 993 }
994
7be682ca 995rc = setup_certs(ctx, verify_certs, crl, host, FALSE);
059ec3d9
PH		 996if (rc != OK) return rc;
997
7199e1ee 998if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", host, NULL);
059ec3d9
PH		 999SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
1000SSL_set_fd(ssl, fd);
1001SSL_set_connect_state(ssl);
1002
1003/* There doesn't seem to be a built-in timeout on connection. */
1004
1005DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
1006sigalrm_seen = FALSE;
1007alarm(timeout);
1008rc = SSL_connect(ssl);
1009alarm(0);
1010
1011if (rc <= 0)
7199e1ee 1012 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
059ec3d9
PH		 1013
1014DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
1015
453a6645 1016/* Beware anonymous ciphers which lead to server_cert being NULL */
059ec3d9 1017server_cert = SSL_get_peer_certificate (ssl);
453a6645
PP		 1018if (server_cert)
1019 {
1020 tls_peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
1021 CS txt, sizeof(txt));
1022 tls_peerdn = txt;
1023 }
1024else
1025 tls_peerdn = NULL;
059ec3d9
PH		 1026
1027construct_cipher_name(ssl); /* Sets tls_cipher */
1028
1029tls_active = fd;
1030return OK;
1031}
1032
1033
1034
1035
1036
1037/*************************************************
1038* TLS version of getc *
1039*************************************************/
1040
1041/* This gets the next byte from the TLS input buffer. If the buffer is empty,
1042it refills the buffer via the SSL reading function.
1043
1044Arguments: none
1045Returns: the next character or EOF
1046*/
1047
1048int
1049tls_getc(void)
1050{
1051if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
1052 {
1053 int error;
1054 int inbytes;
1055
c80c5570
PP		 1056 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
1057 ssl_xfer_buffer, ssl_xfer_buffer_size);
059ec3d9
PH		 1058
1059 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1060 inbytes = SSL_read(ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
1061 error = SSL_get_error(ssl, inbytes);
1062 alarm(0);
1063
1064 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
1065 closed down, not that the socket itself has been closed down. Revert to
1066 non-SSL handling. */
1067
1068 if (error == SSL_ERROR_ZERO_RETURN)
1069 {
1070 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1071
1072 receive_getc = smtp_getc;
1073 receive_ungetc = smtp_ungetc;
1074 receive_feof = smtp_feof;
1075 receive_ferror = smtp_ferror;
58eb016e 1076 receive_smtp_buffered = smtp_buffered;
059ec3d9
PH		 1077
1078 SSL_free(ssl);
1079 ssl = NULL;
1080 tls_active = -1;
1081 tls_cipher = NULL;
1082 tls_peerdn = NULL;
1083
1084 return smtp_getc();
1085 }
1086
1087 /* Handle genuine errors */
1088
ba084640
PP		 1089 else if (error == SSL_ERROR_SSL)
1090 {
1091 ERR_error_string(ERR_get_error(), ssl_errstring);
89dd51cd 1092 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
ba084640
PP		 1093 ssl_xfer_error = 1;
1094 return EOF;
1095 }
1096
059ec3d9
PH		 1097 else if (error != SSL_ERROR_NONE)
1098 {
1099 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
1100 ssl_xfer_error = 1;
1101 return EOF;
1102 }
c80c5570 1103
80a47a2c
TK		 1104#ifndef DISABLE_DKIM
1105 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
1106#endif
059ec3d9
PH		 1107 ssl_xfer_buffer_hwm = inbytes;
1108 ssl_xfer_buffer_lwm = 0;
1109 }
1110
1111/* Something in the buffer; return next uschar */
1112
1113return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
1114}
1115
1116
1117
1118/*************************************************
1119* Read bytes from TLS channel *
1120*************************************************/
1121
1122/*
1123Arguments:
1124 buff buffer of data
1125 len size of buffer
1126
1127Returns: the number of bytes read
1128 -1 after a failed read
1129*/
1130
1131int
1132tls_read(uschar *buff, size_t len)
1133{
1134int inbytes;
1135int error;
1136
c80c5570
PP		 1137DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
1138 buff, (unsigned int)len);
059ec3d9
PH		 1139
1140inbytes = SSL_read(ssl, CS buff, len);
1141error = SSL_get_error(ssl, inbytes);
1142
1143if (error == SSL_ERROR_ZERO_RETURN)
1144 {
1145 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1146 return -1;
1147 }
1148else if (error != SSL_ERROR_NONE)
1149 {
1150 return -1;
1151 }
1152
1153return inbytes;
1154}
1155
1156
1157
1158
1159
1160/*************************************************
1161* Write bytes down TLS channel *
1162*************************************************/
1163
1164/*
1165Arguments:
1166 buff buffer of data
1167 len number of bytes
1168
1169Returns: the number of bytes after a successful write,
1170 -1 after a failed write
1171*/
1172
1173int
1174tls_write(const uschar *buff, size_t len)
1175{
1176int outbytes;
1177int error;
1178int left = len;
1179
c80c5570 1180DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left);
059ec3d9
PH		 1181while (left > 0)
1182 {
c80c5570 1183 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
059ec3d9
PH		 1184 outbytes = SSL_write(ssl, CS buff, left);
1185 error = SSL_get_error(ssl, outbytes);
1186 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
1187 switch (error)
1188 {
1189 case SSL_ERROR_SSL:
1190 ERR_error_string(ERR_get_error(), ssl_errstring);
1191 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
1192 return -1;
1193
1194 case SSL_ERROR_NONE:
1195 left -= outbytes;
1196 buff += outbytes;
1197 break;
1198
1199 case SSL_ERROR_ZERO_RETURN:
1200 log_write(0, LOG_MAIN, "SSL channel closed on write");
1201 return -1;
1202
1203 default:
1204 log_write(0, LOG_MAIN, "SSL_write error %d", error);
1205 return -1;
1206 }
1207 }
1208return len;
1209}
1210
1211
1212
1213/*************************************************
1214* Close down a TLS session *
1215*************************************************/
1216
1217/* This is also called from within a delivery subprocess forked from the
1218daemon, to shut down the TLS library, without actually doing a shutdown (which
1219would tamper with the SSL session in the parent process).
1220
1221Arguments: TRUE if SSL_shutdown is to be called
1222Returns: nothing
1223*/
1224
1225void
1226tls_close(BOOL shutdown)
1227{
1228if (tls_active < 0) return; /* TLS was not active */
1229
1230if (shutdown)
1231 {
1232 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
1233 SSL_shutdown(ssl);
1234 }
1235
1236SSL_free(ssl);
1237ssl = NULL;
1238
1239tls_active = -1;
1240}
1241
36f12725
NM		 1242
1243
1244
1245/*************************************************
1246* Report the library versions. *
1247*************************************************/
1248
1249/* There have historically been some issues with binary compatibility in
1250OpenSSL libraries; if Exim (like many other applications) is built against
1251one version of OpenSSL but the run-time linker picks up another version,
1252it can result in serious failures, including crashing with a SIGSEGV. So
1253report the version found by the compiler and the run-time version.
1254
1255Arguments: a FILE* to print the results to
1256Returns: nothing
1257*/
1258
1259void
1260tls_version_report(FILE *f)
1261{
754a0503
PP		 1262fprintf(f, "Library version: OpenSSL: Compile: %s\n"
1263 " Runtime: %s\n",
1264 OPENSSL_VERSION_TEXT,
1265 SSLeay_version(SSLEAY_VERSION));
36f12725
NM		 1266}
1267
9e3331ea
TK		 1268
1269
1270
1271/*************************************************
1272* Pseudo-random number generation *
1273*************************************************/
1274
1275/* Pseudo-random number generation. The result is not expected to be
1276cryptographically strong but not so weak that someone will shoot themselves
1277in the foot using it as a nonce in input in some email header scheme or
1278whatever weirdness they'll twist this into. The result should handle fork()
1279and avoid repeating sequences. OpenSSL handles that for us.
1280
1281Arguments:
1282 max range maximum
1283Returns a random number in range [0, max-1]
1284*/
1285
1286int
1287pseudo_random_number(int max)
1288{
1289unsigned int r;
1290int i, needed_len;
1291uschar *p;
1292uschar smallbuf[sizeof(r)];
1293
1294if (max <= 1)
1295 return 0;
1296
1297/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
1298if (!RAND_status())
1299 {
1300 randstuff r;
1301 gettimeofday(&r.tv, NULL);
1302 r.p = getpid();
1303
1304 RAND_seed((uschar *)(&r), sizeof(r));
1305 }
1306/* We're after pseudo-random, not random; if we still don't have enough data
1307in the internal PRNG then our options are limited. We could sleep and hope
1308for entropy to come along (prayer technique) but if the system is so depleted
1309in the first place then something is likely to just keep taking it. Instead,
1310we'll just take whatever little bit of pseudo-random we can still manage to
1311get. */
1312
1313needed_len = sizeof(r);
1314/* Don't take 8 times more entropy than needed if int is 8 octets and we were
1315asked for a number less than 10. */
1316for (r = max, i = 0; r; ++i)
1317 r >>= 1;
1318i = (i + 7) / 8;
1319if (i < needed_len)
1320 needed_len = i;
1321
1322/* We do not care if crypto-strong */
1323(void) RAND_pseudo_bytes(smallbuf, needed_len);
1324r = 0;
1325for (p = smallbuf; needed_len; --needed_len, ++p)
1326 {
1327 r *= 256;
1328 r += *p;
1329 }
1330
1331/* We don't particularly care about weighted results; if someone wants
1332smooth distribution and cares enough then they should submit a patch then. */
1333return r % max;
1334}
1335
77bb000f
PP		 1336
1337
1338
1339/*************************************************
1340* OpenSSL option parse *
1341*************************************************/
1342
1343/* Parse one option for tls_openssl_options_parse below
1344
1345Arguments:
1346 name one option name
1347 value place to store a value for it
1348Returns success or failure in parsing
1349*/
1350
1351struct exim_openssl_option {
1352 uschar *name;
1353 long value;
1354};
1355/* We could use a macro to expand, but we need the ifdef and not all the
1356options document which version they were introduced in. Policylet: include
1357all options unless explicitly for DTLS, let the administrator choose which
1358to apply.
1359
1360This list is current as of:
c80c5570 1361 ==> 1.0.1b <== */
77bb000f
PP		 1362static struct exim_openssl_option exim_openssl_options[] = {
1363/* KEEP SORTED ALPHABETICALLY! */
1364#ifdef SSL_OP_ALL
73a46702 1365 { US"all", SSL_OP_ALL },
77bb000f
PP		 1366#endif
1367#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
73a46702 1368 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
77bb000f
PP		 1369#endif
1370#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
73a46702 1371 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
77bb000f
PP		 1372#endif
1373#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
73a46702 1374 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
77bb000f
PP		 1375#endif
1376#ifdef SSL_OP_EPHEMERAL_RSA
73a46702 1377 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
77bb000f
PP		 1378#endif
1379#ifdef SSL_OP_LEGACY_SERVER_CONNECT
73a46702 1380 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
77bb000f
PP		 1381#endif
1382#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
73a46702 1383 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
77bb000f
PP		 1384#endif
1385#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
73a46702 1386 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
77bb000f
PP		 1387#endif
1388#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
73a46702 1389 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
77bb000f
PP		 1390#endif
1391#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
73a46702 1392 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
77bb000f
PP		 1393#endif
1394#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
73a46702 1395 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
77bb000f 1396#endif
c80c5570
PP		 1397#ifdef SSL_OP_NO_COMPRESSION
1398 { US"no_compression", SSL_OP_NO_COMPRESSION },
1399#endif
77bb000f 1400#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
73a46702 1401 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
77bb000f 1402#endif
c0c7b2da
PP		 1403#ifdef SSL_OP_NO_SSLv2
1404 { US"no_sslv2", SSL_OP_NO_SSLv2 },
1405#endif
1406#ifdef SSL_OP_NO_SSLv3
1407 { US"no_sslv3", SSL_OP_NO_SSLv3 },
1408#endif
1409#ifdef SSL_OP_NO_TICKET
1410 { US"no_ticket", SSL_OP_NO_TICKET },
1411#endif
1412#ifdef SSL_OP_NO_TLSv1
1413 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
1414#endif
c80c5570
PP		 1415#ifdef SSL_OP_NO_TLSv1_1
1416#if SSL_OP_NO_TLSv1_1 == 0x00000400L
1417 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
1418#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
1419#else
1420 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
1421#endif
1422#endif
1423#ifdef SSL_OP_NO_TLSv1_2
1424 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
1425#endif
77bb000f 1426#ifdef SSL_OP_SINGLE_DH_USE
73a46702 1427 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
77bb000f
PP		 1428#endif
1429#ifdef SSL_OP_SINGLE_ECDH_USE
73a46702 1430 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
77bb000f
PP		 1431#endif
1432#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
73a46702 1433 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
77bb000f
PP		 1434#endif
1435#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
73a46702 1436 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
77bb000f
PP		 1437#endif
1438#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
73a46702 1439 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
77bb000f
PP		 1440#endif
1441#ifdef SSL_OP_TLS_D5_BUG
73a46702 1442 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
77bb000f
PP		 1443#endif
1444#ifdef SSL_OP_TLS_ROLLBACK_BUG
73a46702 1445 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
77bb000f
PP		 1446#endif
1447};
1448static int exim_openssl_options_size =
1449 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
1450
c80c5570 1451
77bb000f
PP		 1452static BOOL
1453tls_openssl_one_option_parse(uschar *name, long *value)
1454{
1455int first = 0;
1456int last = exim_openssl_options_size;
1457while (last > first)
1458 {
1459 int middle = (first + last)/2;
1460 int c = Ustrcmp(name, exim_openssl_options[middle].name);
1461 if (c == 0)
1462 {
1463 *value = exim_openssl_options[middle].value;
1464 return TRUE;
1465 }
1466 else if (c > 0)
1467 first = middle + 1;
1468 else
1469 last = middle;
1470 }
1471return FALSE;
1472}
1473
1474
1475
1476
1477/*************************************************
1478* OpenSSL option parsing logic *
1479*************************************************/
1480
1481/* OpenSSL has a number of compatibility options which an administrator might
1482reasonably wish to set. Interpret a list similarly to decode_bits(), so that
1483we look like log_selector.
1484
1485Arguments:
1486 option_spec the administrator-supplied string of options
1487 results ptr to long storage for the options bitmap
1488Returns success or failure
1489*/
1490
1491BOOL
1492tls_openssl_options_parse(uschar *option_spec, long *results)
1493{
1494long result, item;
1495uschar *s, *end;
1496uschar keep_c;
1497BOOL adding, item_parsed;
1498
0e944a0d 1499result = 0L;
da3ad30d
PP		 1500/* Prior to 4.78 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
1501 * from default because it increases BEAST susceptibility. */
77bb000f
PP		 1502
1503if (option_spec == NULL)
1504 {
1505 *results = result;
1506 return TRUE;
1507 }
1508
1509for (s=option_spec; *s != '\0'; /**/)
1510 {
1511 while (isspace(*s)) ++s;
1512 if (*s == '\0')
1513 break;
1514 if (*s != '+' && *s != '-')
1515 {
1516 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
0e944a0d 1517 "+ or - expected but found \"%s\"\n", s);
77bb000f
PP		 1518 return FALSE;
1519 }
1520 adding = *s++ == '+';
1521 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
1522 keep_c = *end;
1523 *end = '\0';
1524 item_parsed = tls_openssl_one_option_parse(s, &item);
1525 if (!item_parsed)
1526 {
0e944a0d 1527 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
77bb000f
PP		 1528 return FALSE;
1529 }
1530 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
1531 adding ? "adding" : "removing", result, item, s);
1532 if (adding)
1533 result |= item;
1534 else
1535 result &= ~item;
1536 *end = keep_c;
1537 s = end;
1538 }
1539
1540*results = result;
1541return TRUE;
1542}
1543
059ec3d9 1544/* End of tls-openssl.c */
Unnamed repository; edit this file 'description' to name the repository.