projects / exim.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
Revert "Build: tidying"
[exim.git] / src / src / tls-openssl.c
... / ...
CommitLineData
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
5/* Copyright (c) University of Cambridge 1995 - 2017 */
6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Portions Copyright (c) The OpenSSL Project 1999 */
9
10/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11library. It is #included into the tls.c file when that library is used. The
12code herein is based on a patch that was originally contributed by Steve
13Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL library. */
17
18
19/* Heading stuff */
20
21#include <openssl/lhash.h>
22#include <openssl/ssl.h>
23#include <openssl/err.h>
24#include <openssl/rand.h>
25#ifndef OPENSSL_NO_ECDH
26# include <openssl/ec.h>
27#endif
28#ifndef DISABLE_OCSP
29# include <openssl/ocsp.h>
30#endif
31#ifdef EXPERIMENTAL_DANE
32# include "danessl.h"
33#endif
34
35
36#ifndef DISABLE_OCSP
37# define EXIM_OCSP_SKEW_SECONDS (300L)
38# define EXIM_OCSP_MAX_AGE (-1L)
39#endif
40
41#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
42# define EXIM_HAVE_OPENSSL_TLSEXT
43#endif
44#if OPENSSL_VERSION_NUMBER >= 0x00908000L
45# define EXIM_HAVE_RSA_GENKEY_EX
46#endif
47#if OPENSSL_VERSION_NUMBER >= 0x10100000L
48# define EXIM_HAVE_OCSP_RESP_COUNT
49#else
50# define EXIM_HAVE_EPHEM_RSA_KEX
51# define EXIM_HAVE_RAND_PSEUDO
52#endif
53#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
54# define EXIM_HAVE_SHA256
55#endif
56
57/*
58 * X509_check_host provides sane certificate hostname checking, but was added
59 * to OpenSSL late, after other projects forked off the code-base. So in
60 * addition to guarding against the base version number, beware that LibreSSL
61 * does not (at this time) support this function.
62 *
63 * If LibreSSL gains a different API, perhaps via libtls, then we'll probably
64 * opt to disentangle and ask a LibreSSL user to provide glue for a third
65 * crypto provider for libtls instead of continuing to tie the OpenSSL glue
66 * into even twistier knots. If LibreSSL gains the same API, we can just
67 * change this guard and punt the issue for a while longer.
68 */
69#ifndef LIBRESSL_VERSION_NUMBER
70# if OPENSSL_VERSION_NUMBER >= 0x010100000L
71# define EXIM_HAVE_OPENSSL_CHECKHOST
72# define EXIM_HAVE_OPENSSL_DH_BITS
73# endif
74# if OPENSSL_VERSION_NUMBER >= 0x010000000L \
75 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
76# define EXIM_HAVE_OPENSSL_CHECKHOST
77# endif
78#endif
79
80#if !defined(LIBRESSL_VERSION_NUMBER) \
81 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
82# if !defined(OPENSSL_NO_ECDH)
83# if OPENSSL_VERSION_NUMBER >= 0x0090800fL
84# define EXIM_HAVE_ECDH
85# endif
86# if OPENSSL_VERSION_NUMBER >= 0x10002000L
87# define EXIM_HAVE_OPENSSL_EC_NIST2NID
88# endif
89# endif
90#endif
91
92#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
93# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
94# define DISABLE_OCSP
95#endif
96
97/* Structure for collecting random data for seeding. */
98
99typedef struct randstuff {
100 struct timeval tv;
101 pid_t p;
102} randstuff;
103
104/* Local static variables */
105
106static BOOL client_verify_callback_called = FALSE;
107static BOOL server_verify_callback_called = FALSE;
108static const uschar *sid_ctx = US"exim";
109
110/* We have three different contexts to care about.
111
112Simple case: client, `client_ctx`
113 As a client, we can be doing a callout or cut-through delivery while receiving
114 a message. So we have a client context, which should have options initialised
115 from the SMTP Transport.
116
117Server:
118 There are two cases: with and without ServerNameIndication from the client.
119 Given TLS SNI, we can be using different keys, certs and various other
120 configuration settings, because they're re-expanded with $tls_sni set. This
121 allows vhosting with TLS. This SNI is sent in the handshake.
122 A client might not send SNI, so we need a fallback, and an initial setup too.
123 So as a server, we start out using `server_ctx`.
124 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
125 `server_sni` from `server_ctx` and then initialise settings by re-expanding
126 configuration.
127*/
128
129static SSL_CTX *client_ctx = NULL;
130static SSL_CTX *server_ctx = NULL;
131static SSL *client_ssl = NULL;
132static SSL *server_ssl = NULL;
133
134#ifdef EXIM_HAVE_OPENSSL_TLSEXT
135static SSL_CTX *server_sni = NULL;
136#endif
137
138static char ssl_errstring[256];
139
140static int ssl_session_timeout = 200;
141static BOOL client_verify_optional = FALSE;
142static BOOL server_verify_optional = FALSE;
143
144static BOOL reexpand_tls_files_for_sni = FALSE;
145
146
147typedef struct tls_ext_ctx_cb {
148 uschar *certificate;
149 uschar *privatekey;
150#ifndef DISABLE_OCSP
151 BOOL is_server;
152 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
153 union {
154 struct {
155 uschar *file;
156 uschar *file_expanded;
157 OCSP_RESPONSE *response;
158 } server;
159 struct {
160 X509_STORE *verify_store; /* non-null if status requested */
161 BOOL verify_required;
162 } client;
163 } u_ocsp;
164#endif
165 uschar *dhparam;
166 /* these are cached from first expand */
167 uschar *server_cipher_list;
168 /* only passed down to tls_error: */
169 host_item *host;
170 const uschar * verify_cert_hostnames;
171#ifndef DISABLE_EVENT
172 uschar * event_action;
173#endif
174} tls_ext_ctx_cb;
175
176/* should figure out a cleanup of API to handle state preserved per
177implementation, for various reasons, which can be void * in the APIs.
178For now, we hack around it. */
179tls_ext_ctx_cb *client_static_cbinfo = NULL;
180tls_ext_ctx_cb *server_static_cbinfo = NULL;
181
182static int
183setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
184 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
185
186/* Callbacks */
187#ifdef EXIM_HAVE_OPENSSL_TLSEXT
188static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
189#endif
190#ifndef DISABLE_OCSP
191static int tls_server_stapling_cb(SSL *s, void *arg);
192#endif
193
194
195/*************************************************
196* Handle TLS error *
197*************************************************/
198
199/* Called from lots of places when errors occur before actually starting to do
200the TLS handshake, that is, while the session is still in clear. Always returns
201DEFER for a server and FAIL for a client so that most calls can use "return
202tls_error(...)" to do this processing and then give an appropriate return. A
203single function is used for both server and client, because it is called from
204some shared functions.
205
206Argument:
207 prefix text to include in the logged error
208 host NULL if setting up a server;
209 the connected host if setting up a client
210 msg error message or NULL if we should ask OpenSSL
211 errstr pointer to output error message
212
213Returns: OK/DEFER/FAIL
214*/
215
216static int
217tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
218{
219if (!msg)
220 {
221 ERR_error_string(ERR_get_error(), ssl_errstring);
222 msg = US ssl_errstring;
223 }
224
225if (errstr) *errstr = string_sprintf("(%s): %s", prefix, msg);
226return host ? FAIL : DEFER;
227}
228
229
230
231#ifdef EXIM_HAVE_EPHEM_RSA_KEX
232/*************************************************
233* Callback to generate RSA key *
234*************************************************/
235
236/*
237Arguments:
238 s SSL connection
239 export not used
240 keylength keylength
241
242Returns: pointer to generated key
243*/
244
245static RSA *
246rsa_callback(SSL *s, int export, int keylength)
247{
248RSA *rsa_key;
249#ifdef EXIM_HAVE_RSA_GENKEY_EX
250BIGNUM *bn = BN_new();
251#endif
252
253export = export; /* Shut picky compilers up */
254DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
255
256#ifdef EXIM_HAVE_RSA_GENKEY_EX
257if ( !BN_set_word(bn, (unsigned long)RSA_F4)
258 || !(rsa_key = RSA_new())
259 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
260 )
261#else
262if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
263#endif
264
265 {
266 ERR_error_string(ERR_get_error(), ssl_errstring);
267 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
268 ssl_errstring);
269 return NULL;
270 }
271return rsa_key;
272}
273#endif
274
275
276
277/* Extreme debug
278#ifndef DISABLE_OCSP
279void
280x509_store_dump_cert_s_names(X509_STORE * store)
281{
282STACK_OF(X509_OBJECT) * roots= store->objs;
283int i;
284static uschar name[256];
285
286for(i= 0; i<sk_X509_OBJECT_num(roots); i++)
287 {
288 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
289 if(tmp_obj->type == X509_LU_X509)
290 {
291 X509 * current_cert= tmp_obj->data.x509;
292 X509_NAME_oneline(X509_get_subject_name(current_cert), CS name, sizeof(name));
293 name[sizeof(name)-1] = '\0';
294 debug_printf(" %s\n", name);
295 }
296 }
297}
298#endif
299*/
300
301
302#ifndef DISABLE_EVENT
303static int
304verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
305 BOOL *calledp, const BOOL *optionalp, const uschar * what)
306{
307uschar * ev;
308uschar * yield;
309X509 * old_cert;
310
311ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
312if (ev)
313 {
314 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
315 old_cert = tlsp->peercert;
316 tlsp->peercert = X509_dup(cert);
317 /* NB we do not bother setting peerdn */
318 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
319 {
320 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
321 "depth=%d cert=%s: %s",
322 tlsp == &tls_out ? deliver_host_address : sender_host_address,
323 what, depth, dn, yield);
324 *calledp = TRUE;
325 if (!*optionalp)
326 {
327 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
328 return 1; /* reject (leaving peercert set) */
329 }
330 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
331 "(host in tls_try_verify_hosts)\n");
332 }
333 X509_free(tlsp->peercert);
334 tlsp->peercert = old_cert;
335 }
336return 0;
337}
338#endif
339
340/*************************************************
341* Callback for verification *
342*************************************************/
343
344/* The SSL library does certificate verification if set up to do so. This
345callback has the current yes/no state is in "state". If verification succeeded,
346we set the certificate-verified flag. If verification failed, what happens
347depends on whether the client is required to present a verifiable certificate
348or not.
349
350If verification is optional, we change the state to yes, but still log the
351verification error. For some reason (it really would help to have proper
352documentation of OpenSSL), this callback function then gets called again, this
353time with state = 1. We must take care not to set the private verified flag on
354the second time through.
355
356Note: this function is not called if the client fails to present a certificate
357when asked. We get here only if a certificate has been received. Handling of
358optional verification for this case is done when requesting SSL to verify, by
359setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
360
361May be called multiple times for different issues with a certificate, even
362for a given "depth" in the certificate chain.
363
364Arguments:
365 preverify_ok current yes/no state as 1/0
366 x509ctx certificate information.
367 tlsp per-direction (client vs. server) support data
368 calledp has-been-called flag
369 optionalp verification-is-optional flag
370
371Returns: 0 if verification should fail, otherwise 1
372*/
373
374static int
375verify_callback(int preverify_ok, X509_STORE_CTX *x509ctx,
376 tls_support *tlsp, BOOL *calledp, BOOL *optionalp)
377{
378X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
379int depth = X509_STORE_CTX_get_error_depth(x509ctx);
380uschar dn[256];
381
382X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
383dn[sizeof(dn)-1] = '\0';
384
385if (preverify_ok == 0)
386 {
387 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
388 *verify_mode, sender_host_address)
389 : US"";
390 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
391 tlsp == &tls_out ? deliver_host_address : sender_host_address,
392 extra, depth,
393 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
394 *calledp = TRUE;
395 if (!*optionalp)
396 {
397 if (!tlsp->peercert)
398 tlsp->peercert = X509_dup(cert); /* record failing cert */
399 return 0; /* reject */
400 }
401 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
402 "tls_try_verify_hosts)\n");
403 }
404
405else if (depth != 0)
406 {
407 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
408#ifndef DISABLE_OCSP
409 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
410 { /* client, wanting stapling */
411 /* Add the server cert's signing chain as the one
412 for the verification of the OCSP stapled information. */
413
414 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
415 cert))
416 ERR_clear_error();
417 sk_X509_push(client_static_cbinfo->verify_stack, cert);
418 }
419#endif
420#ifndef DISABLE_EVENT
421 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
422 return 0; /* reject, with peercert set */
423#endif
424 }
425else
426 {
427 const uschar * verify_cert_hostnames;
428
429 if ( tlsp == &tls_out
430 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
431 /* client, wanting hostname check */
432 {
433
434#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
435# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
436# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
437# endif
438# ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
439# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
440# endif
441 int sep = 0;
442 const uschar * list = verify_cert_hostnames;
443 uschar * name;
444 int rc;
445 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
446 if ((rc = X509_check_host(cert, CCS name, 0,
447 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
448 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
449 NULL)))
450 {
451 if (rc < 0)
452 {
453 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
454 tlsp == &tls_out ? deliver_host_address : sender_host_address);
455 name = NULL;
456 }
457 break;
458 }
459 if (!name)
460#else
461 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
462#endif
463 {
464 uschar * extra = verify_mode
465 ? string_sprintf(" (during %c-verify for [%s])",
466 *verify_mode, sender_host_address)
467 : US"";
468 log_write(0, LOG_MAIN,
469 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
470 tlsp == &tls_out ? deliver_host_address : sender_host_address,
471 extra, dn, verify_cert_hostnames);
472 *calledp = TRUE;
473 if (!*optionalp)
474 {
475 if (!tlsp->peercert)
476 tlsp->peercert = X509_dup(cert); /* record failing cert */
477 return 0; /* reject */
478 }
479 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
480 "tls_try_verify_hosts)\n");
481 }
482 }
483
484#ifndef DISABLE_EVENT
485 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
486 return 0; /* reject, with peercert set */
487#endif
488
489 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
490 *calledp ? "" : " authenticated", dn);
491 if (!*calledp) tlsp->certificate_verified = TRUE;
492 *calledp = TRUE;
493 }
494
495return 1; /* accept, at least for this level */
496}
497
498static int
499verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
500{
501return verify_callback(preverify_ok, x509ctx, &tls_out,
502 &client_verify_callback_called, &client_verify_optional);
503}
504
505static int
506verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
507{
508return verify_callback(preverify_ok, x509ctx, &tls_in,
509 &server_verify_callback_called, &server_verify_optional);
510}
511
512
513#ifdef EXPERIMENTAL_DANE
514
515/* This gets called *by* the dane library verify callback, which interposes
516itself.
517*/
518static int
519verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
520{
521X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
522uschar dn[256];
523int depth = X509_STORE_CTX_get_error_depth(x509ctx);
524#ifndef DISABLE_EVENT
525BOOL dummy_called, optional = FALSE;
526#endif
527
528X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
529dn[sizeof(dn)-1] = '\0';
530
531DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
532 preverify_ok ? "ok":"BAD", depth, dn);
533
534#ifndef DISABLE_EVENT
535 if (verify_event(&tls_out, cert, depth, dn,
536 &dummy_called, &optional, US"DANE"))
537 return 0; /* reject, with peercert set */
538#endif
539
540if (preverify_ok == 1)
541 tls_out.dane_verified =
542 tls_out.certificate_verified = TRUE;
543else
544 {
545 int err = X509_STORE_CTX_get_error(x509ctx);
546 DEBUG(D_tls)
547 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
548 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
549 preverify_ok = 1;
550 }
551return preverify_ok;
552}
553
554#endif /*EXPERIMENTAL_DANE*/
555
556
557/*************************************************
558* Information callback *
559*************************************************/
560
561/* The SSL library functions call this from time to time to indicate what they
562are doing. We copy the string to the debugging output when TLS debugging has
563been requested.
564
565Arguments:
566 s the SSL connection
567 where
568 ret
569
570Returns: nothing
571*/
572
573static void
574info_callback(SSL *s, int where, int ret)
575{
576where = where;
577ret = ret;
578DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
579}
580
581
582
583/*************************************************
584* Initialize for DH *
585*************************************************/
586
587/* If dhparam is set, expand it, and load up the parameters for DH encryption.
588
589Arguments:
590 sctx The current SSL CTX (inbound or outbound)
591 dhparam DH parameter file or fixed parameter identity string
592 host connected host, if client; NULL if server
593 errstr error string pointer
594
595Returns: TRUE if OK (nothing to set up, or setup worked)
596*/
597
598static BOOL
599init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
600{
601BIO *bio;
602DH *dh;
603uschar *dhexpanded;
604const char *pem;
605int dh_bitsize;
606
607if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
608 return FALSE;
609
610if (!dhexpanded || !*dhexpanded)
611 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
612else if (dhexpanded[0] == '/')
613 {
614 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
615 {
616 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
617 host, US strerror(errno), errstr);
618 return FALSE;
619 }
620 }
621else
622 {
623 if (Ustrcmp(dhexpanded, "none") == 0)
624 {
625 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
626 return TRUE;
627 }
628
629 if (!(pem = std_dh_prime_named(dhexpanded)))
630 {
631 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
632 host, US strerror(errno), errstr);
633 return FALSE;
634 }
635 bio = BIO_new_mem_buf(CS pem, -1);
636 }
637
638if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
639 {
640 BIO_free(bio);
641 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
642 host, NULL, errstr);
643 return FALSE;
644 }
645
646/* note: our default limit of 2236 is not a multiple of 8; the limit comes from
647 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
648 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
649 * If someone wants to dance at the edge, then they can raise the limit or use
650 * current libraries. */
651#ifdef EXIM_HAVE_OPENSSL_DH_BITS
652/* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
653 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
654dh_bitsize = DH_bits(dh);
655#else
656dh_bitsize = 8 * DH_size(dh);
657#endif
658
659/* Even if it is larger, we silently return success rather than cause things
660 * to fail out, so that a too-large DH will not knock out all TLS; it's a
661 * debatable choice. */
662if (dh_bitsize > tls_dh_max_bits)
663 {
664 DEBUG(D_tls)
665 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
666 dh_bitsize, tls_dh_max_bits);
667 }
668else
669 {
670 SSL_CTX_set_tmp_dh(sctx, dh);
671 DEBUG(D_tls)
672 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
673 dhexpanded ? dhexpanded : US"default", dh_bitsize);
674 }
675
676DH_free(dh);
677BIO_free(bio);
678
679return TRUE;
680}
681
682
683
684
685/*************************************************
686* Initialize for ECDH *
687*************************************************/
688
689/* Load parameters for ECDH encryption.
690
691For now, we stick to NIST P-256 because: it's simple and easy to configure;
692it avoids any patent issues that might bite redistributors; despite events in
693the news and concerns over curve choices, we're not cryptographers, we're not
694pretending to be, and this is "good enough" to be better than no support,
695protecting against most adversaries. Given another year or two, there might
696be sufficient clarity about a "right" way forward to let us make an informed
697decision, instead of a knee-jerk reaction.
698
699Longer-term, we should look at supporting both various named curves and
700external files generated with "openssl ecparam", much as we do for init_dh().
701We should also support "none" as a value, to explicitly avoid initialisation.
702
703Patches welcome.
704
705Arguments:
706 sctx The current SSL CTX (inbound or outbound)
707 host connected host, if client; NULL if server
708 errstr error string pointer
709
710Returns: TRUE if OK (nothing to set up, or setup worked)
711*/
712
713static BOOL
714init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
715{
716#ifdef OPENSSL_NO_ECDH
717return TRUE;
718#else
719
720EC_KEY * ecdh;
721uschar * exp_curve;
722int nid;
723BOOL rv;
724
725if (host) /* No ECDH setup for clients, only for servers */
726 return TRUE;
727
728# ifndef EXIM_HAVE_ECDH
729DEBUG(D_tls)
730 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
731return TRUE;
732# else
733
734if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
735 return FALSE;
736if (!exp_curve || !*exp_curve)
737 return TRUE;
738
739/* "auto" needs to be handled carefully.
740 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
741 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
742 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
743 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
744 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
745 */
746if (Ustrcmp(exp_curve, "auto") == 0)
747 {
748#if OPENSSL_VERSION_NUMBER < 0x10002000L
749 DEBUG(D_tls) debug_printf(
750 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
751 exp_curve = US"prime256v1";
752#else
753# if defined SSL_CTRL_SET_ECDH_AUTO
754 DEBUG(D_tls) debug_printf(
755 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
756 SSL_CTX_set_ecdh_auto(sctx, 1);
757 return TRUE;
758# else
759 DEBUG(D_tls) debug_printf(
760 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
761 return TRUE;
762# endif
763#endif
764 }
765
766DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
767if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
768# ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
769 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
770# endif
771 )
772 {
773 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
774 host, NULL, errstr);
775 return FALSE;
776 }
777
778if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
779 {
780 tls_error(US"Unable to create ec curve", host, NULL, errstr);
781 return FALSE;
782 }
783
784/* The "tmp" in the name here refers to setting a temporary key
785not to the stability of the interface. */
786
787if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
788 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
789else
790 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
791
792EC_KEY_free(ecdh);
793return !rv;
794
795# endif /*EXIM_HAVE_ECDH*/
796#endif /*OPENSSL_NO_ECDH*/
797}
798
799
800
801
802#ifndef DISABLE_OCSP
803/*************************************************
804* Load OCSP information into state *
805*************************************************/
806/* Called to load the server OCSP response from the given file into memory, once
807caller has determined this is needed. Checks validity. Debugs a message
808if invalid.
809
810ASSUMES: single response, for single cert.
811
812Arguments:
813 sctx the SSL_CTX* to update
814 cbinfo various parts of session state
815 expanded the filename putatively holding an OCSP response
816
817*/
818
819static void
820ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
821{
822BIO * bio;
823OCSP_RESPONSE * resp;
824OCSP_BASICRESP * basic_response;
825OCSP_SINGLERESP * single_response;
826ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
827STACK_OF(X509) * sk;
828unsigned long verify_flags;
829int status, reason, i;
830
831cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
832if (cbinfo->u_ocsp.server.response)
833 {
834 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
835 cbinfo->u_ocsp.server.response = NULL;
836 }
837
838if (!(bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb")))
839 {
840 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
841 cbinfo->u_ocsp.server.file_expanded);
842 return;
843 }
844
845resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
846BIO_free(bio);
847if (!resp)
848 {
849 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
850 return;
851 }
852
853if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
854 {
855 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
856 OCSP_response_status_str(status), status);
857 goto bad;
858 }
859
860if (!(basic_response = OCSP_response_get1_basic(resp)))
861 {
862 DEBUG(D_tls)
863 debug_printf("OCSP response parse error: unable to extract basic response.\n");
864 goto bad;
865 }
866
867sk = cbinfo->verify_stack;
868verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
869
870/* May need to expose ability to adjust those flags?
871OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
872OCSP_TRUSTOTHER OCSP_NOINTERN */
873
874/* This does a full verify on the OCSP proof before we load it for serving
875up; possibly overkill - just date-checks might be nice enough.
876
877OCSP_basic_verify takes a "store" arg, but does not
878use it for the chain verification, which is all we do
879when OCSP_NOVERIFY is set. The content from the wire
880"basic_response" and a cert-stack "sk" are all that is used.
881
882We have a stack, loaded in setup_certs() if tls_verify_certificates
883was a file (not a directory, or "system"). It is unfortunate we
884cannot used the connection context store, as that would neatly
885handle the "system" case too, but there seems to be no library
886function for getting a stack from a store.
887[ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
888We do not free the stack since it could be needed a second time for
889SNI handling.
890
891Separately we might try to replace using OCSP_basic_verify() - which seems to not
892be a public interface into the OpenSSL library (there's no manual entry) -
893But what with? We also use OCSP_basic_verify in the client stapling callback.
894And there we NEED it; we must verify that status... unless the
895library does it for us anyway? */
896
897if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
898 {
899 DEBUG(D_tls)
900 {
901 ERR_error_string(ERR_get_error(), ssl_errstring);
902 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
903 }
904 goto bad;
905 }
906
907/* Here's the simplifying assumption: there's only one response, for the
908one certificate we use, and nothing for anything else in a chain. If this
909proves false, we need to extract a cert id from our issued cert
910(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
911right cert in the stack and then calls OCSP_single_get0_status()).
912
913I'm hoping to avoid reworking a bunch more of how we handle state here. */
914
915if (!(single_response = OCSP_resp_get0(basic_response, 0)))
916 {
917 DEBUG(D_tls)
918 debug_printf("Unable to get first response from OCSP basic response.\n");
919 goto bad;
920 }
921
922status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
923if (status != V_OCSP_CERTSTATUS_GOOD)
924 {
925 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
926 OCSP_cert_status_str(status), status,
927 OCSP_crl_reason_str(reason), reason);
928 goto bad;
929 }
930
931if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
932 {
933 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
934 goto bad;
935 }
936
937supply_response:
938 cbinfo->u_ocsp.server.response = resp;
939return;
940
941bad:
942 if (running_in_test_harness)
943 {
944 extern char ** environ;
945 uschar ** p;
946 if (environ) for (p = USS environ; *p != NULL; p++)
947 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
948 {
949 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
950 goto supply_response;
951 }
952 }
953return;
954}
955#endif /*!DISABLE_OCSP*/
956
957
958
959
960/* Create and install a selfsigned certificate, for use in server mode */
961
962static int
963tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
964{
965X509 * x509 = NULL;
966EVP_PKEY * pkey;
967RSA * rsa;
968X509_NAME * name;
969uschar * where;
970
971where = US"allocating pkey";
972if (!(pkey = EVP_PKEY_new()))
973 goto err;
974
975where = US"allocating cert";
976if (!(x509 = X509_new()))
977 goto err;
978
979where = US"generating pkey";
980 /* deprecated, use RSA_generate_key_ex() */
981if (!(rsa = RSA_generate_key(1024, RSA_F4, NULL, NULL)))
982 goto err;
983
984where = US"assigning pkey";
985if (!EVP_PKEY_assign_RSA(pkey, rsa))
986 goto err;
987
988X509_set_version(x509, 2); /* N+1 - version 3 */
989ASN1_INTEGER_set(X509_get_serialNumber(x509), 0);
990X509_gmtime_adj(X509_get_notBefore(x509), 0);
991X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
992X509_set_pubkey(x509, pkey);
993
994name = X509_get_subject_name(x509);
995X509_NAME_add_entry_by_txt(name, "C",
996 MBSTRING_ASC, CUS "UK", -1, -1, 0);
997X509_NAME_add_entry_by_txt(name, "O",
998 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
999X509_NAME_add_entry_by_txt(name, "CN",
1000 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
1001X509_set_issuer_name(x509, name);
1002
1003where = US"signing cert";
1004if (!X509_sign(x509, pkey, EVP_md5()))
1005 goto err;
1006
1007where = US"installing selfsign cert";
1008if (!SSL_CTX_use_certificate(sctx, x509))
1009 goto err;
1010
1011where = US"installing selfsign key";
1012if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1013 goto err;
1014
1015return OK;
1016
1017err:
1018 (void) tls_error(where, NULL, NULL, errstr);
1019 if (x509) X509_free(x509);
1020 if (pkey) EVP_PKEY_free(pkey);
1021 return DEFER;
1022}
1023
1024
1025
1026
1027/*************************************************
1028* Expand key and cert file specs *
1029*************************************************/
1030
1031/* Called once during tls_init and possibly again during TLS setup, for a
1032new context, if Server Name Indication was used and tls_sni was seen in
1033the certificate string.
1034
1035Arguments:
1036 sctx the SSL_CTX* to update
1037 cbinfo various parts of session state
1038 errstr error string pointer
1039
1040Returns: OK/DEFER/FAIL
1041*/
1042
1043static int
1044tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo,
1045 uschar ** errstr)
1046{
1047uschar *expanded;
1048
1049if (!cbinfo->certificate)
1050 {
1051 if (cbinfo->host) /* client */
1052 return OK;
1053 /* server */
1054 if (tls_install_selfsign(sctx, errstr) != OK)
1055 return DEFER;
1056 }
1057else
1058 {
1059 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
1060 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
1061 Ustrstr(cbinfo->certificate, US"tls_out_sni")
1062 )
1063 reexpand_tls_files_for_sni = TRUE;
1064
1065 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
1066 return DEFER;
1067
1068 if (expanded != NULL)
1069 {
1070 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
1071 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
1072 return tls_error(string_sprintf(
1073 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
1074 cbinfo->host, NULL, errstr);
1075 }
1076
1077 if (cbinfo->privatekey != NULL &&
1078 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
1079 return DEFER;
1080
1081 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1082 of the expansion is an empty string, ignore it also, and assume the private
1083 key is in the same file as the certificate. */
1084
1085 if (expanded && *expanded)
1086 {
1087 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
1088 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
1089 return tls_error(string_sprintf(
1090 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL, errstr);
1091 }
1092 }
1093
1094#ifndef DISABLE_OCSP
1095if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
1096 {
1097 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded, errstr))
1098 return DEFER;
1099
1100 if (expanded && *expanded)
1101 {
1102 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
1103 if ( cbinfo->u_ocsp.server.file_expanded
1104 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
1105 {
1106 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1107 }
1108 else
1109 ocsp_load_response(sctx, cbinfo, expanded);
1110 }
1111 }
1112#endif
1113
1114return OK;
1115}
1116
1117
1118
1119
1120/*************************************************
1121* Callback to handle SNI *
1122*************************************************/
1123
1124/* Called when acting as server during the TLS session setup if a Server Name
1125Indication extension was sent by the client.
1126
1127API documentation is OpenSSL s_server.c implementation.
1128
1129Arguments:
1130 s SSL* of the current session
1131 ad unknown (part of OpenSSL API) (unused)
1132 arg Callback of "our" registered data
1133
1134Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
1135*/
1136
1137#ifdef EXIM_HAVE_OPENSSL_TLSEXT
1138static int
1139tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1140{
1141const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
1142tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1143int rc;
1144int old_pool = store_pool;
1145uschar * dummy_errstr;
1146
1147if (!servername)
1148 return SSL_TLSEXT_ERR_OK;
1149
1150DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
1151 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1152
1153/* Make the extension value available for expansion */
1154store_pool = POOL_PERM;
1155tls_in.sni = string_copy(US servername);
1156store_pool = old_pool;
1157
1158if (!reexpand_tls_files_for_sni)
1159 return SSL_TLSEXT_ERR_OK;
1160
1161/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1162not confident that memcpy wouldn't break some internal reference counting.
1163Especially since there's a references struct member, which would be off. */
1164
1165if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
1166 {
1167 ERR_error_string(ERR_get_error(), ssl_errstring);
1168 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
1169 return SSL_TLSEXT_ERR_NOACK;
1170 }
1171
1172/* Not sure how many of these are actually needed, since SSL object
1173already exists. Might even need this selfsame callback, for reneg? */
1174
1175SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1176SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1177SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1178SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1179SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1180SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
1181
1182if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1183 || !init_ecdh(server_sni, NULL, &dummy_errstr)
1184 )
1185 return SSL_TLSEXT_ERR_NOACK;
1186
1187if (cbinfo->server_cipher_list)
1188 SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
1189#ifndef DISABLE_OCSP
1190if (cbinfo->u_ocsp.server.file)
1191 {
1192 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
1193 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
1194 }
1195#endif
1196
1197if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
1198 verify_callback_server, &dummy_errstr)) != OK)
1199 return SSL_TLSEXT_ERR_NOACK;
1200
1201/* do this after setup_certs, because this can require the certs for verifying
1202OCSP information. */
1203if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
1204 return SSL_TLSEXT_ERR_NOACK;
1205
1206DEBUG(D_tls) debug_printf("Switching SSL context.\n");
1207SSL_set_SSL_CTX(s, server_sni);
1208
1209return SSL_TLSEXT_ERR_OK;
1210}
1211#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
1212
1213
1214
1215
1216#ifndef DISABLE_OCSP
1217
1218/*************************************************
1219* Callback to handle OCSP Stapling *
1220*************************************************/
1221
1222/* Called when acting as server during the TLS session setup if the client
1223requests OCSP information with a Certificate Status Request.
1224
1225Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1226project.
1227
1228*/
1229
1230static int
1231tls_server_stapling_cb(SSL *s, void *arg)
1232{
1233const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1234uschar *response_der;
1235int response_der_len;
1236
1237DEBUG(D_tls)
1238 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
1239 cbinfo->u_ocsp.server.response ? "have" : "lack");
1240
1241tls_in.ocsp = OCSP_NOT_RESP;
1242if (!cbinfo->u_ocsp.server.response)
1243 return SSL_TLSEXT_ERR_NOACK;
1244
1245response_der = NULL;
1246response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response,
1247 &response_der);
1248if (response_der_len <= 0)
1249 return SSL_TLSEXT_ERR_NOACK;
1250
1251SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
1252tls_in.ocsp = OCSP_VFIED;
1253return SSL_TLSEXT_ERR_OK;
1254}
1255
1256
1257static void
1258time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1259{
1260BIO_printf(bp, "\t%s: ", str);
1261ASN1_GENERALIZEDTIME_print(bp, time);
1262BIO_puts(bp, "\n");
1263}
1264
1265static int
1266tls_client_stapling_cb(SSL *s, void *arg)
1267{
1268tls_ext_ctx_cb * cbinfo = arg;
1269const unsigned char * p;
1270int len;
1271OCSP_RESPONSE * rsp;
1272OCSP_BASICRESP * bs;
1273int i;
1274
1275DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1276len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1277if(!p)
1278 {
1279 /* Expect this when we requested ocsp but got none */
1280 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
1281 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
1282 else
1283 DEBUG(D_tls) debug_printf(" null\n");
1284 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1285 }
1286
1287if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1288 {
1289 tls_out.ocsp = OCSP_FAILED;
1290 if (LOGGING(tls_cipher))
1291 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
1292 else
1293 DEBUG(D_tls) debug_printf(" parse error\n");
1294 return 0;
1295 }
1296
1297if(!(bs = OCSP_response_get1_basic(rsp)))
1298 {
1299 tls_out.ocsp = OCSP_FAILED;
1300 if (LOGGING(tls_cipher))
1301 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
1302 else
1303 DEBUG(D_tls) debug_printf(" error parsing response\n");
1304 OCSP_RESPONSE_free(rsp);
1305 return 0;
1306 }
1307
1308/* We'd check the nonce here if we'd put one in the request. */
1309/* However that would defeat cacheability on the server so we don't. */
1310
1311/* This section of code reworked from OpenSSL apps source;
1312 The OpenSSL Project retains copyright:
1313 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1314*/
1315 {
1316 BIO * bp = NULL;
1317 int status, reason;
1318 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1319
1320 DEBUG(D_tls) bp = BIO_new_fp(stderr, BIO_NOCLOSE);
1321
1322 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1323
1324 /* Use the chain that verified the server cert to verify the stapled info */
1325 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1326
1327 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
1328 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
1329 {
1330 tls_out.ocsp = OCSP_FAILED;
1331 if (LOGGING(tls_cipher))
1332 log_write(0, LOG_MAIN, "Received TLS cert status response, itself unverifiable");
1333 BIO_printf(bp, "OCSP response verify failure\n");
1334 ERR_print_errors(bp);
1335 goto failed;
1336 }
1337
1338 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1339
1340 /*XXX So we have a good stapled OCSP status. How do we know
1341 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1342 OCSP_resp_find_status() which matches on a cert id, which presumably
1343 we should use. Making an id needs OCSP_cert_id_new(), which takes
1344 issuerName, issuerKey, serialNumber. Are they all in the cert?
1345
1346 For now, carry on blindly accepting the resp. */
1347
1348 {
1349 OCSP_SINGLERESP * single;
1350
1351#ifdef EXIM_HAVE_OCSP_RESP_COUNT
1352 if (OCSP_resp_count(bs) != 1)
1353#else
1354 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
1355 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
1356#endif
1357 {
1358 tls_out.ocsp = OCSP_FAILED;
1359 log_write(0, LOG_MAIN, "OCSP stapling "
1360 "with multiple responses not handled");
1361 goto failed;
1362 }
1363 single = OCSP_resp_get0(bs, 0);
1364 status = OCSP_single_get0_status(single, &reason, &rev,
1365 &thisupd, &nextupd);
1366 }
1367
1368 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1369 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
1370 if (!OCSP_check_validity(thisupd, nextupd,
1371 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1372 {
1373 tls_out.ocsp = OCSP_FAILED;
1374 DEBUG(D_tls) ERR_print_errors(bp);
1375 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
1376 }
1377 else
1378 {
1379 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1380 OCSP_cert_status_str(status));
1381 switch(status)
1382 {
1383 case V_OCSP_CERTSTATUS_GOOD:
1384 tls_out.ocsp = OCSP_VFIED;
1385 i = 1;
1386 goto good;
1387 case V_OCSP_CERTSTATUS_REVOKED:
1388 tls_out.ocsp = OCSP_FAILED;
1389 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1390 reason != -1 ? "; reason: " : "",
1391 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1392 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
1393 break;
1394 default:
1395 tls_out.ocsp = OCSP_FAILED;
1396 log_write(0, LOG_MAIN,
1397 "Server certificate status unknown, in OCSP stapling");
1398 break;
1399 }
1400 }
1401 failed:
1402 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1403 good:
1404 BIO_free(bp);
1405 }
1406
1407OCSP_RESPONSE_free(rsp);
1408return i;
1409}
1410#endif /*!DISABLE_OCSP*/
1411
1412
1413/*************************************************
1414* Initialize for TLS *
1415*************************************************/
1416
1417/* Called from both server and client code, to do preliminary initialization
1418of the library. We allocate and return a context structure.
1419
1420Arguments:
1421 ctxp returned SSL context
1422 host connected host, if client; NULL if server
1423 dhparam DH parameter file
1424 certificate certificate file
1425 privatekey private key
1426 ocsp_file file of stapling info (server); flag for require ocsp (client)
1427 addr address if client; NULL if server (for some randomness)
1428 cbp place to put allocated callback context
1429 errstr error string pointer
1430
1431Returns: OK/DEFER/FAIL
1432*/
1433
1434static int
1435tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
1436 uschar *privatekey,
1437#ifndef DISABLE_OCSP
1438 uschar *ocsp_file,
1439#endif
1440 address_item *addr, tls_ext_ctx_cb ** cbp, uschar ** errstr)
1441{
1442SSL_CTX * ctx;
1443long init_options;
1444int rc;
1445tls_ext_ctx_cb * cbinfo;
1446
1447cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1448cbinfo->certificate = certificate;
1449cbinfo->privatekey = privatekey;
1450#ifndef DISABLE_OCSP
1451cbinfo->verify_stack = NULL;
1452if ((cbinfo->is_server = host==NULL))
1453 {
1454 cbinfo->u_ocsp.server.file = ocsp_file;
1455 cbinfo->u_ocsp.server.file_expanded = NULL;
1456 cbinfo->u_ocsp.server.response = NULL;
1457 }
1458else
1459 cbinfo->u_ocsp.client.verify_store = NULL;
1460#endif
1461cbinfo->dhparam = dhparam;
1462cbinfo->server_cipher_list = NULL;
1463cbinfo->host = host;
1464#ifndef DISABLE_EVENT
1465cbinfo->event_action = NULL;
1466#endif
1467
1468SSL_load_error_strings(); /* basic set up */
1469OpenSSL_add_ssl_algorithms();
1470
1471#ifdef EXIM_HAVE_SHA256
1472/* SHA256 is becoming ever more popular. This makes sure it gets added to the
1473list of available digests. */
1474EVP_add_digest(EVP_sha256());
1475#endif
1476
1477/* Create a context.
1478The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1479negotiation in the different methods; as far as I can tell, the only
1480*_{server,client}_method which allows negotiation is SSLv23, which exists even
1481when OpenSSL is built without SSLv2 support.
1482By disabling with openssl_options, we can let admins re-enable with the
1483existing knob. */
1484
1485if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
1486 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
1487
1488/* It turns out that we need to seed the random number generator this early in
1489order to get the full complement of ciphers to work. It took me roughly a day
1490of work to discover this by experiment.
1491
1492On systems that have /dev/urandom, SSL may automatically seed itself from
1493there. Otherwise, we have to make something up as best we can. Double check
1494afterwards. */
1495
1496if (!RAND_status())
1497 {
1498 randstuff r;
1499 gettimeofday(&r.tv, NULL);
1500 r.p = getpid();
1501
1502 RAND_seed(US (&r), sizeof(r));
1503 RAND_seed(US big_buffer, big_buffer_size);
1504 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
1505
1506 if (!RAND_status())
1507 return tls_error(US"RAND_status", host,
1508 US"unable to seed random number generator", errstr);
1509 }
1510
1511/* Set up the information callback, which outputs if debugging is at a suitable
1512level. */
1513
1514DEBUG(D_tls) SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
1515
1516/* Automatically re-try reads/writes after renegotiation. */
1517(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
1518
1519/* Apply administrator-supplied work-arounds.
1520Historically we applied just one requested option,
1521SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1522moved to an administrator-controlled list of options to specify and
1523grandfathered in the first one as the default value for "openssl_options".
1524
1525No OpenSSL version number checks: the options we accept depend upon the
1526availability of the option value macros from OpenSSL. */
1527
1528if (!tls_openssl_options_parse(openssl_options, &init_options))
1529 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
1530
1531if (init_options)
1532 {
1533 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
1534 if (!(SSL_CTX_set_options(ctx, init_options)))
1535 return tls_error(string_sprintf(
1536 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
1537 }
1538else
1539 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
1540
1541/* Disable session cache unconditionally */
1542
1543(void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
1544
1545/* Initialize with DH parameters if supplied */
1546/* Initialize ECDH temp key parameter selection */
1547
1548if ( !init_dh(ctx, dhparam, host, errstr)
1549 || !init_ecdh(ctx, host, errstr)
1550 )
1551 return DEFER;
1552
1553/* Set up certificate and key (and perhaps OCSP info) */
1554
1555if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
1556 return rc;
1557
1558/* If we need to handle SNI or OCSP, do so */
1559
1560#ifdef EXIM_HAVE_OPENSSL_TLSEXT
1561# ifndef DISABLE_OCSP
1562 if (!(cbinfo->verify_stack = sk_X509_new_null()))
1563 {
1564 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
1565 return FAIL;
1566 }
1567# endif
1568
1569if (host == NULL) /* server */
1570 {
1571# ifndef DISABLE_OCSP
1572 /* We check u_ocsp.server.file, not server.response, because we care about if
1573 the option exists, not what the current expansion might be, as SNI might
1574 change the certificate and OCSP file in use between now and the time the
1575 callback is invoked. */
1576 if (cbinfo->u_ocsp.server.file)
1577 {
1578 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
1579 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
1580 }
1581# endif
1582 /* We always do this, so that $tls_sni is available even if not used in
1583 tls_certificate */
1584 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
1585 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
1586 }
1587# ifndef DISABLE_OCSP
1588else /* client */
1589 if(ocsp_file) /* wanting stapling */
1590 {
1591 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1592 {
1593 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1594 return FAIL;
1595 }
1596 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
1597 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
1598 }
1599# endif
1600#endif
1601
1602cbinfo->verify_cert_hostnames = NULL;
1603
1604#ifdef EXIM_HAVE_EPHEM_RSA_KEX
1605/* Set up the RSA callback */
1606SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
1607#endif
1608
1609/* Finally, set the timeout, and we are done */
1610
1611SSL_CTX_set_timeout(ctx, ssl_session_timeout);
1612DEBUG(D_tls) debug_printf("Initialized TLS\n");
1613
1614*cbp = cbinfo;
1615*ctxp = ctx;
1616
1617return OK;
1618}
1619
1620
1621
1622
1623/*************************************************
1624* Get name of cipher in use *
1625*************************************************/
1626
1627/*
1628Argument: pointer to an SSL structure for the connection
1629 buffer to use for answer
1630 size of buffer
1631 pointer to number of bits for cipher
1632Returns: nothing
1633*/
1634
1635static void
1636construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
1637{
1638/* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
1639yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1640the accessor functions use const in the prototype. */
1641const SSL_CIPHER *c;
1642const uschar *ver;
1643
1644ver = (const uschar *)SSL_get_version(ssl);
1645
1646c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
1647SSL_CIPHER_get_bits(c, bits);
1648
1649string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1650 SSL_CIPHER_get_name(c), *bits);
1651
1652DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1653}
1654
1655
1656static void
1657peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned bsize)
1658{
1659/*XXX we might consider a list-of-certs variable for the cert chain.
1660SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
1661in list-handling functions, also consider the difference between the entire
1662chain and the elements sent by the peer. */
1663
1664/* Will have already noted peercert on a verify fail; possibly not the leaf */
1665if (!tlsp->peercert)
1666 tlsp->peercert = SSL_get_peer_certificate(ssl);
1667/* Beware anonymous ciphers which lead to server_cert being NULL */
1668if (tlsp->peercert)
1669 {
1670 X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, bsize);
1671 peerdn[bsize-1] = '\0';
1672 tlsp->peerdn = peerdn; /*XXX a static buffer... */
1673 }
1674else
1675 tlsp->peerdn = NULL;
1676}
1677
1678
1679
1680
1681
1682/*************************************************
1683* Set up for verifying certificates *
1684*************************************************/
1685
1686/* Load certs from file, return TRUE on success */
1687
1688static BOOL
1689chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
1690{
1691BIO * bp;
1692X509 * x;
1693
1694if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
1695while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
1696 sk_X509_push(verify_stack, x);
1697BIO_free(bp);
1698return TRUE;
1699}
1700
1701
1702
1703/* Called by both client and server startup
1704
1705Arguments:
1706 sctx SSL_CTX* to initialise
1707 certs certs file or NULL
1708 crl CRL file or NULL
1709 host NULL in a server; the remote host in a client
1710 optional TRUE if called from a server for a host in tls_try_verify_hosts;
1711 otherwise passed as FALSE
1712 cert_vfy_cb Callback function for certificate verification
1713 errstr error string pointer
1714
1715Returns: OK/DEFER/FAIL
1716*/
1717
1718static int
1719setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
1720 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
1721{
1722uschar *expcerts, *expcrl;
1723
1724if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
1725 return DEFER;
1726DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
1727
1728if (expcerts && *expcerts)
1729 {
1730 /* Tell the library to use its compiled-in location for the system default
1731 CA bundle. Then add the ones specified in the config, if any. */
1732
1733 if (!SSL_CTX_set_default_verify_paths(sctx))
1734 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
1735
1736 if (Ustrcmp(expcerts, "system") != 0)
1737 {
1738 struct stat statbuf;
1739
1740 if (Ustat(expcerts, &statbuf) < 0)
1741 {
1742 log_write(0, LOG_MAIN|LOG_PANIC,
1743 "failed to stat %s for certificates", expcerts);
1744 return DEFER;
1745 }
1746 else
1747 {
1748 uschar *file, *dir;
1749 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1750 { file = NULL; dir = expcerts; }
1751 else
1752 {
1753 file = expcerts; dir = NULL;
1754#ifndef DISABLE_OCSP
1755 /* In the server if we will be offering an OCSP proof, load chain from
1756 file for verifying the OCSP proof at load time. */
1757
1758 if ( !host
1759 && statbuf.st_size > 0
1760 && server_static_cbinfo->u_ocsp.server.file
1761 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
1762 )
1763 {
1764 log_write(0, LOG_MAIN|LOG_PANIC,
1765 "failed to load cert hain from %s", file);
1766 return DEFER;
1767 }
1768#endif
1769 }
1770
1771 /* If a certificate file is empty, the next function fails with an
1772 unhelpful error message. If we skip it, we get the correct behaviour (no
1773 certificates are recognized, but the error message is still misleading (it
1774 says no certificate was supplied). But this is better. */
1775
1776 if ( (!file || statbuf.st_size > 0)
1777 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
1778 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
1779
1780 /* Load the list of CAs for which we will accept certs, for sending
1781 to the client. This is only for the one-file tls_verify_certificates
1782 variant.
1783 If a list isn't loaded into the server, but
1784 some verify locations are set, the server end appears to make
1785 a wildcard request for client certs.
1786 Meanwhile, the client library as default behaviour *ignores* the list
1787 we send over the wire - see man SSL_CTX_set_client_cert_cb.
1788 Because of this, and that the dir variant is likely only used for
1789 the public-CA bundle (not for a private CA), not worth fixing.
1790 */
1791 if (file)
1792 {
1793 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
1794
1795 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
1796 sk_X509_NAME_num(names));
1797 SSL_CTX_set_client_CA_list(sctx, names);
1798 }
1799 }
1800 }
1801
1802 /* Handle a certificate revocation list. */
1803
1804#if OPENSSL_VERSION_NUMBER > 0x00907000L
1805
1806 /* This bit of code is now the version supplied by Lars Mainka. (I have
1807 merely reformatted it into the Exim code style.)
1808
1809 "From here I changed the code to add support for multiple crl's
1810 in pem format in one file or to support hashed directory entries in
1811 pem format instead of a file. This method now uses the library function
1812 X509_STORE_load_locations to add the CRL location to the SSL context.
1813 OpenSSL will then handle the verify against CA certs and CRLs by
1814 itself in the verify callback." */
1815
1816 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
1817 if (expcrl && *expcrl)
1818 {
1819 struct stat statbufcrl;
1820 if (Ustat(expcrl, &statbufcrl) < 0)
1821 {
1822 log_write(0, LOG_MAIN|LOG_PANIC,
1823 "failed to stat %s for certificates revocation lists", expcrl);
1824 return DEFER;
1825 }
1826 else
1827 {
1828 /* is it a file or directory? */
1829 uschar *file, *dir;
1830 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
1831 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
1832 {
1833 file = NULL;
1834 dir = expcrl;
1835 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
1836 }
1837 else
1838 {
1839 file = expcrl;
1840 dir = NULL;
1841 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
1842 }
1843 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
1844 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
1845
1846 /* setting the flags to check against the complete crl chain */
1847
1848 X509_STORE_set_flags(cvstore,
1849 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
1850 }
1851 }
1852
1853#endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
1854
1855 /* If verification is optional, don't fail if no certificate */
1856
1857 SSL_CTX_set_verify(sctx,
1858 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
1859 cert_vfy_cb);
1860 }
1861
1862return OK;
1863}
1864
1865
1866
1867/*************************************************
1868* Start a TLS session in a server *
1869*************************************************/
1870
1871/* This is called when Exim is running as a server, after having received
1872the STARTTLS command. It must respond to that command, and then negotiate
1873a TLS session.
1874
1875Arguments:
1876 require_ciphers allowed ciphers
1877 errstr pointer to error message
1878
1879Returns: OK on success
1880 DEFER for errors before the start of the negotiation
1881 FAIL for errors during the negotiation; the server can't
1882 continue running.
1883*/
1884
1885int
1886tls_server_start(const uschar * require_ciphers, uschar ** errstr)
1887{
1888int rc;
1889uschar * expciphers;
1890tls_ext_ctx_cb * cbinfo;
1891static uschar peerdn[256];
1892static uschar cipherbuf[256];
1893
1894/* Check for previous activation */
1895
1896if (tls_in.active >= 0)
1897 {
1898 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
1899 smtp_printf("554 Already in TLS\r\n", FALSE);
1900 return FAIL;
1901 }
1902
1903/* Initialize the SSL library. If it fails, it will already have logged
1904the error. */
1905
1906rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
1907#ifndef DISABLE_OCSP
1908 tls_ocsp_file,
1909#endif
1910 NULL, &server_static_cbinfo, errstr);
1911if (rc != OK) return rc;
1912cbinfo = server_static_cbinfo;
1913
1914if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
1915 return FAIL;
1916
1917/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1918were historically separated by underscores. So that I can use either form in my
1919tests, and also for general convenience, we turn underscores into hyphens here.
1920*/
1921
1922if (expciphers)
1923 {
1924 uschar * s = expciphers;
1925 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1926 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
1927 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
1928 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
1929 cbinfo->server_cipher_list = expciphers;
1930 }
1931
1932/* If this is a host for which certificate verification is mandatory or
1933optional, set up appropriately. */
1934
1935tls_in.certificate_verified = FALSE;
1936#ifdef EXPERIMENTAL_DANE
1937tls_in.dane_verified = FALSE;
1938#endif
1939server_verify_callback_called = FALSE;
1940
1941if (verify_check_host(&tls_verify_hosts) == OK)
1942 {
1943 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1944 FALSE, verify_callback_server, errstr);
1945 if (rc != OK) return rc;
1946 server_verify_optional = FALSE;
1947 }
1948else if (verify_check_host(&tls_try_verify_hosts) == OK)
1949 {
1950 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1951 TRUE, verify_callback_server, errstr);
1952 if (rc != OK) return rc;
1953 server_verify_optional = TRUE;
1954 }
1955
1956/* Prepare for new connection */
1957
1958if (!(server_ssl = SSL_new(server_ctx)))
1959 return tls_error(US"SSL_new", NULL, NULL, errstr);
1960
1961/* Warning: we used to SSL_clear(ssl) here, it was removed.
1962 *
1963 * With the SSL_clear(), we get strange interoperability bugs with
1964 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
1965 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
1966 *
1967 * The SSL_clear() call is to let an existing SSL* be reused, typically after
1968 * session shutdown. In this case, we have a brand new object and there's no
1969 * obvious reason to immediately clear it. I'm guessing that this was
1970 * originally added because of incomplete initialisation which the clear fixed,
1971 * in some historic release.
1972 */
1973
1974/* Set context and tell client to go ahead, except in the case of TLS startup
1975on connection, where outputting anything now upsets the clients and tends to
1976make them disconnect. We need to have an explicit fflush() here, to force out
1977the response. Other smtp_printf() calls do not need it, because in non-TLS
1978mode, the fflush() happens when smtp_getc() is called. */
1979
1980SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
1981if (!tls_in.on_connect)
1982 {
1983 smtp_printf("220 TLS go ahead\r\n", FALSE);
1984 fflush(smtp_out);
1985 }
1986
1987/* Now negotiate the TLS session. We put our own timer on it, since it seems
1988that the OpenSSL library doesn't. */
1989
1990SSL_set_wfd(server_ssl, fileno(smtp_out));
1991SSL_set_rfd(server_ssl, fileno(smtp_in));
1992SSL_set_accept_state(server_ssl);
1993
1994DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
1995
1996sigalrm_seen = FALSE;
1997if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1998rc = SSL_accept(server_ssl);
1999alarm(0);
2000
2001if (rc <= 0)
2002 {
2003 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
2004 return FAIL;
2005 }
2006
2007DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
2008
2009/* TLS has been set up. Adjust the input functions to read via TLS,
2010and initialize things. */
2011
2012peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2013
2014construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
2015tls_in.cipher = cipherbuf;
2016
2017DEBUG(D_tls)
2018 {
2019 uschar buf[2048];
2020 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
2021 debug_printf("Shared ciphers: %s\n", buf);
2022 }
2023
2024/* Record the certificate we presented */
2025 {
2026 X509 * crt = SSL_get_certificate(server_ssl);
2027 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2028 }
2029
2030/* Only used by the server-side tls (tls_in), including tls_getc.
2031 Client-side (tls_out) reads (seem to?) go via
2032 smtp_read_response()/ip_recv().
2033 Hence no need to duplicate for _in and _out.
2034 */
2035ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
2036ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
2037ssl_xfer_eof = ssl_xfer_error = 0;
2038
2039receive_getc = tls_getc;
2040receive_getbuf = tls_getbuf;
2041receive_get_cache = tls_get_cache;
2042receive_ungetc = tls_ungetc;
2043receive_feof = tls_feof;
2044receive_ferror = tls_ferror;
2045receive_smtp_buffered = tls_smtp_buffered;
2046
2047tls_in.active = fileno(smtp_out);
2048return OK;
2049}
2050
2051
2052
2053
2054static int
2055tls_client_basic_ctx_init(SSL_CTX * ctx,
2056 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2057 uschar ** errstr)
2058{
2059int rc;
2060/* stick to the old behaviour for compatibility if tls_verify_certificates is
2061 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2062 the specified host patterns if one of them is defined */
2063
2064if ( ( !ob->tls_verify_hosts
2065 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2066 )
2067 || (verify_check_given_host(&ob->tls_verify_hosts, host) == OK)
2068 )
2069 client_verify_optional = FALSE;
2070else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
2071 client_verify_optional = TRUE;
2072else
2073 return OK;
2074
2075if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
2076 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2077 errstr)) != OK)
2078 return rc;
2079
2080if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
2081 {
2082 cbinfo->verify_cert_hostnames =
2083#ifdef SUPPORT_I18N
2084 string_domain_utf8_to_alabel(host->name, NULL);
2085#else
2086 host->name;
2087#endif
2088 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2089 cbinfo->verify_cert_hostnames);
2090 }
2091return OK;
2092}
2093
2094
2095#ifdef EXPERIMENTAL_DANE
2096static int
2097dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
2098{
2099dns_record * rr;
2100dns_scan dnss;
2101const char * hostnames[2] = { CS host->name, NULL };
2102int found = 0;
2103
2104if (DANESSL_init(ssl, NULL, hostnames) != 1)
2105 return tls_error(US"hostnames load", host, NULL, errstr);
2106
2107for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
2108 rr;
2109 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2110 ) if (rr->type == T_TLSA)
2111 {
2112 const uschar * p = rr->data;
2113 uint8_t usage, selector, mtype;
2114 const char * mdname;
2115
2116 usage = *p++;
2117
2118 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2119 if (usage != 2 && usage != 3) continue;
2120
2121 selector = *p++;
2122 mtype = *p++;
2123
2124 switch (mtype)
2125 {
2126 default: continue; /* Only match-types 0, 1, 2 are supported */
2127 case 0: mdname = NULL; break;
2128 case 1: mdname = "sha256"; break;
2129 case 2: mdname = "sha512"; break;
2130 }
2131
2132 found++;
2133 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2134 {
2135 default:
2136 return tls_error(US"tlsa load", host, NULL, errstr);
2137 case 0: /* action not taken */
2138 case 1: break;
2139 }
2140
2141 tls_out.tlsa_usage |= 1<<usage;
2142 }
2143
2144if (found)
2145 return OK;
2146
2147log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
2148return DEFER;
2149}
2150#endif /*EXPERIMENTAL_DANE*/
2151
2152
2153
2154/*************************************************
2155* Start a TLS session in a client *
2156*************************************************/
2157
2158/* Called from the smtp transport after STARTTLS has been accepted.
2159
2160Argument:
2161 fd the fd of the connection
2162 host connected host (for messages)
2163 addr the first address
2164 tb transport (always smtp)
2165 tlsa_dnsa tlsa lookup, if DANE, else null
2166 errstr error string pointer
2167
2168Returns: OK on success
2169 FAIL otherwise - note that tls_error() will not give DEFER
2170 because this is not a server
2171*/
2172
2173int
2174tls_client_start(int fd, host_item *host, address_item *addr,
2175 transport_instance * tb,
2176#ifdef EXPERIMENTAL_DANE
2177 dns_answer * tlsa_dnsa,
2178#endif
2179 uschar ** errstr)
2180{
2181smtp_transport_options_block * ob =
2182 (smtp_transport_options_block *)tb->options_block;
2183static uschar peerdn[256];
2184uschar * expciphers;
2185int rc;
2186static uschar cipherbuf[256];
2187
2188#ifndef DISABLE_OCSP
2189BOOL request_ocsp = FALSE;
2190BOOL require_ocsp = FALSE;
2191#endif
2192
2193#ifdef EXPERIMENTAL_DANE
2194tls_out.tlsa_usage = 0;
2195#endif
2196
2197#ifndef DISABLE_OCSP
2198 {
2199# ifdef EXPERIMENTAL_DANE
2200 if ( tlsa_dnsa
2201 && ob->hosts_request_ocsp[0] == '*'
2202 && ob->hosts_request_ocsp[1] == '\0'
2203 )
2204 {
2205 /* Unchanged from default. Use a safer one under DANE */
2206 request_ocsp = TRUE;
2207 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2208 " {= {4}{$tls_out_tlsa_usage}} } "
2209 " {*}{}}";
2210 }
2211# endif
2212
2213 if ((require_ocsp =
2214 verify_check_given_host(&ob->hosts_require_ocsp, host) == OK))
2215 request_ocsp = TRUE;
2216 else
2217# ifdef EXPERIMENTAL_DANE
2218 if (!request_ocsp)
2219# endif
2220 request_ocsp =
2221 verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
2222 }
2223#endif
2224
2225rc = tls_init(&client_ctx, host, NULL,
2226 ob->tls_certificate, ob->tls_privatekey,
2227#ifndef DISABLE_OCSP
2228 (void *)(long)request_ocsp,
2229#endif
2230 addr, &client_static_cbinfo, errstr);
2231if (rc != OK) return rc;
2232
2233tls_out.certificate_verified = FALSE;
2234client_verify_callback_called = FALSE;
2235
2236if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
2237 &expciphers, errstr))
2238 return FAIL;
2239
2240/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2241are separated by underscores. So that I can use either form in my tests, and
2242also for general convenience, we turn underscores into hyphens here. */
2243
2244if (expciphers)
2245 {
2246 uschar *s = expciphers;
2247 while (*s) { if (*s == '_') *s = '-'; s++; }
2248 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2249 if (!SSL_CTX_set_cipher_list(client_ctx, CS expciphers))
2250 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
2251 }
2252
2253#ifdef EXPERIMENTAL_DANE
2254if (tlsa_dnsa)
2255 {
2256 SSL_CTX_set_verify(client_ctx,
2257 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2258 verify_callback_client_dane);
2259
2260 if (!DANESSL_library_init())
2261 return tls_error(US"library init", host, NULL, errstr);
2262 if (DANESSL_CTX_init(client_ctx) <= 0)
2263 return tls_error(US"context init", host, NULL, errstr);
2264 }
2265else
2266
2267#endif
2268
2269 if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob,
2270 client_static_cbinfo, errstr)) != OK)
2271 return rc;
2272
2273if ((client_ssl = SSL_new(client_ctx)) == NULL)
2274 return tls_error(US"SSL_new", host, NULL, errstr);
2275SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
2276SSL_set_fd(client_ssl, fd);
2277SSL_set_connect_state(client_ssl);
2278
2279if (ob->tls_sni)
2280 {
2281 if (!expand_check(ob->tls_sni, US"tls_sni", &tls_out.sni, errstr))
2282 return FAIL;
2283 if (!tls_out.sni)
2284 {
2285 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
2286 }
2287 else if (!Ustrlen(tls_out.sni))
2288 tls_out.sni = NULL;
2289 else
2290 {
2291#ifdef EXIM_HAVE_OPENSSL_TLSEXT
2292 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_out.sni);
2293 SSL_set_tlsext_host_name(client_ssl, tls_out.sni);
2294#else
2295 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
2296 tls_out.sni);
2297#endif
2298 }
2299 }
2300
2301#ifdef EXPERIMENTAL_DANE
2302if (tlsa_dnsa)
2303 if ((rc = dane_tlsa_load(client_ssl, host, tlsa_dnsa, errstr)) != OK)
2304 return rc;
2305#endif
2306
2307#ifndef DISABLE_OCSP
2308/* Request certificate status at connection-time. If the server
2309does OCSP stapling we will get the callback (set in tls_init()) */
2310# ifdef EXPERIMENTAL_DANE
2311if (request_ocsp)
2312 {
2313 const uschar * s;
2314 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2315 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2316 )
2317 { /* Re-eval now $tls_out_tlsa_usage is populated. If
2318 this means we avoid the OCSP request, we wasted the setup
2319 cost in tls_init(). */
2320 require_ocsp = verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
2321 request_ocsp = require_ocsp
2322 || verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
2323 }
2324 }
2325# endif
2326
2327if (request_ocsp)
2328 {
2329 SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp);
2330 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
2331 tls_out.ocsp = OCSP_NOT_RESP;
2332 }
2333#endif
2334
2335#ifndef DISABLE_EVENT
2336client_static_cbinfo->event_action = tb->event_action;
2337#endif
2338
2339/* There doesn't seem to be a built-in timeout on connection. */
2340
2341DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
2342sigalrm_seen = FALSE;
2343alarm(ob->command_timeout);
2344rc = SSL_connect(client_ssl);
2345alarm(0);
2346
2347#ifdef EXPERIMENTAL_DANE
2348if (tlsa_dnsa)
2349 DANESSL_cleanup(client_ssl);
2350#endif
2351
2352if (rc <= 0)
2353 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL,
2354 errstr);
2355
2356DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
2357
2358peer_cert(client_ssl, &tls_out, peerdn, sizeof(peerdn));
2359
2360construct_cipher_name(client_ssl, cipherbuf, sizeof(cipherbuf), &tls_out.bits);
2361tls_out.cipher = cipherbuf;
2362
2363/* Record the certificate we presented */
2364 {
2365 X509 * crt = SSL_get_certificate(client_ssl);
2366 tls_out.ourcert = crt ? X509_dup(crt) : NULL;
2367 }
2368
2369tls_out.active = fd;
2370return OK;
2371}
2372
2373
2374
2375
2376
2377static BOOL
2378tls_refill(unsigned lim)
2379{
2380int error;
2381int inbytes;
2382
2383DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
2384 ssl_xfer_buffer, ssl_xfer_buffer_size);
2385
2386if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
2387inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
2388 MIN(ssl_xfer_buffer_size, lim));
2389error = SSL_get_error(server_ssl, inbytes);
2390alarm(0);
2391
2392/* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
2393closed down, not that the socket itself has been closed down. Revert to
2394non-SSL handling. */
2395
2396if (error == SSL_ERROR_ZERO_RETURN)
2397 {
2398 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2399
2400 receive_getc = smtp_getc;
2401 receive_getbuf = smtp_getbuf;
2402 receive_get_cache = smtp_get_cache;
2403 receive_ungetc = smtp_ungetc;
2404 receive_feof = smtp_feof;
2405 receive_ferror = smtp_ferror;
2406 receive_smtp_buffered = smtp_buffered;
2407
2408 SSL_free(server_ssl);
2409 server_ssl = NULL;
2410 tls_in.active = -1;
2411 tls_in.bits = 0;
2412 tls_in.cipher = NULL;
2413 tls_in.peerdn = NULL;
2414 tls_in.sni = NULL;
2415
2416 return FALSE;
2417 }
2418
2419/* Handle genuine errors */
2420
2421else if (error == SSL_ERROR_SSL)
2422 {
2423 ERR_error_string(ERR_get_error(), ssl_errstring);
2424 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
2425 ssl_xfer_error = 1;
2426 return FALSE;
2427 }
2428
2429else if (error != SSL_ERROR_NONE)
2430 {
2431 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2432 ssl_xfer_error = 1;
2433 return FALSE;
2434 }
2435
2436#ifndef DISABLE_DKIM
2437dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
2438#endif
2439ssl_xfer_buffer_hwm = inbytes;
2440ssl_xfer_buffer_lwm = 0;
2441return TRUE;
2442}
2443
2444
2445/*************************************************
2446* TLS version of getc *
2447*************************************************/
2448
2449/* This gets the next byte from the TLS input buffer. If the buffer is empty,
2450it refills the buffer via the SSL reading function.
2451
2452Arguments: lim Maximum amount to read/buffer
2453Returns: the next character or EOF
2454
2455Only used by the server-side TLS.
2456*/
2457
2458int
2459tls_getc(unsigned lim)
2460{
2461if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2462 if (!tls_refill(lim))
2463 return ssl_xfer_error ? EOF : smtp_getc(lim);
2464
2465/* Something in the buffer; return next uschar */
2466
2467return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
2468}
2469
2470uschar *
2471tls_getbuf(unsigned * len)
2472{
2473unsigned size;
2474uschar * buf;
2475
2476if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2477 if (!tls_refill(*len))
2478 {
2479 if (!ssl_xfer_error) return smtp_getbuf(len);
2480 *len = 0;
2481 return NULL;
2482 }
2483
2484if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
2485 size = *len;
2486buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
2487ssl_xfer_buffer_lwm += size;
2488*len = size;
2489return buf;
2490}
2491
2492
2493void
2494tls_get_cache()
2495{
2496#ifndef DISABLE_DKIM
2497int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
2498if (n > 0)
2499 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
2500#endif
2501}
2502
2503
2504BOOL
2505tls_could_read(void)
2506{
2507return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0;
2508}
2509
2510
2511/*************************************************
2512* Read bytes from TLS channel *
2513*************************************************/
2514
2515/*
2516Arguments:
2517 buff buffer of data
2518 len size of buffer
2519
2520Returns: the number of bytes read
2521 -1 after a failed read
2522
2523Only used by the client-side TLS.
2524*/
2525
2526int
2527tls_read(BOOL is_server, uschar *buff, size_t len)
2528{
2529SSL *ssl = is_server ? server_ssl : client_ssl;
2530int inbytes;
2531int error;
2532
2533DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
2534 buff, (unsigned int)len);
2535
2536inbytes = SSL_read(ssl, CS buff, len);
2537error = SSL_get_error(ssl, inbytes);
2538
2539if (error == SSL_ERROR_ZERO_RETURN)
2540 {
2541 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2542 return -1;
2543 }
2544else if (error != SSL_ERROR_NONE)
2545 return -1;
2546
2547return inbytes;
2548}
2549
2550
2551
2552
2553
2554/*************************************************
2555* Write bytes down TLS channel *
2556*************************************************/
2557
2558/*
2559Arguments:
2560 is_server channel specifier
2561 buff buffer of data
2562 len number of bytes
2563 more further data expected soon
2564
2565Returns: the number of bytes after a successful write,
2566 -1 after a failed write
2567
2568Used by both server-side and client-side TLS.
2569*/
2570
2571int
2572tls_write(BOOL is_server, const uschar *buff, size_t len, BOOL more)
2573{
2574int outbytes, error, left;
2575SSL *ssl = is_server ? server_ssl : client_ssl;
2576static gstring * corked = NULL;
2577
2578DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
2579 buff, (unsigned long)len, more ? ", more" : "");
2580
2581/* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
2582"more" is notified. This hack is only ok if small amounts are involved AND only
2583one stream does it, in one context (i.e. no store reset). Currently it is used
2584for the responses to the received SMTP MAIL , RCPT, DATA sequence, only. */
2585
2586if (is_server && (more || corked))
2587 {
2588 corked = string_catn(corked, buff, len);
2589 if (more)
2590 return len;
2591 buff = CUS corked->s;
2592 len = corked->ptr;
2593 corked = NULL;
2594 }
2595
2596for (left = len; left > 0;)
2597 {
2598 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
2599 outbytes = SSL_write(ssl, CS buff, left);
2600 error = SSL_get_error(ssl, outbytes);
2601 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
2602 switch (error)
2603 {
2604 case SSL_ERROR_SSL:
2605 ERR_error_string(ERR_get_error(), ssl_errstring);
2606 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
2607 return -1;
2608
2609 case SSL_ERROR_NONE:
2610 left -= outbytes;
2611 buff += outbytes;
2612 break;
2613
2614 case SSL_ERROR_ZERO_RETURN:
2615 log_write(0, LOG_MAIN, "SSL channel closed on write");
2616 return -1;
2617
2618 case SSL_ERROR_SYSCALL:
2619 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
2620 sender_fullhost ? sender_fullhost : US"<unknown>",
2621 strerror(errno));
2622 return -1;
2623
2624 default:
2625 log_write(0, LOG_MAIN, "SSL_write error %d", error);
2626 return -1;
2627 }
2628 }
2629return len;
2630}
2631
2632
2633
2634/*************************************************
2635* Close down a TLS session *
2636*************************************************/
2637
2638/* This is also called from within a delivery subprocess forked from the
2639daemon, to shut down the TLS library, without actually doing a shutdown (which
2640would tamper with the SSL session in the parent process).
2641
2642Arguments: TRUE if SSL_shutdown is to be called
2643Returns: nothing
2644
2645Used by both server-side and client-side TLS.
2646*/
2647
2648void
2649tls_close(BOOL is_server, BOOL shutdown)
2650{
2651SSL **sslp = is_server ? &server_ssl : &client_ssl;
2652int *fdp = is_server ? &tls_in.active : &tls_out.active;
2653
2654if (*fdp < 0) return; /* TLS was not active */
2655
2656if (shutdown)
2657 {
2658 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
2659 SSL_shutdown(*sslp);
2660 }
2661
2662SSL_free(*sslp);
2663*sslp = NULL;
2664
2665*fdp = -1;
2666}
2667
2668
2669
2670
2671/*************************************************
2672* Let tls_require_ciphers be checked at startup *
2673*************************************************/
2674
2675/* The tls_require_ciphers option, if set, must be something which the
2676library can parse.
2677
2678Returns: NULL on success, or error message
2679*/
2680
2681uschar *
2682tls_validate_require_cipher(void)
2683{
2684SSL_CTX *ctx;
2685uschar *s, *expciphers, *err;
2686
2687/* this duplicates from tls_init(), we need a better "init just global
2688state, for no specific purpose" singleton function of our own */
2689
2690SSL_load_error_strings();
2691OpenSSL_add_ssl_algorithms();
2692#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
2693/* SHA256 is becoming ever more popular. This makes sure it gets added to the
2694list of available digests. */
2695EVP_add_digest(EVP_sha256());
2696#endif
2697
2698if (!(tls_require_ciphers && *tls_require_ciphers))
2699 return NULL;
2700
2701if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
2702 &err))
2703 return US"failed to expand tls_require_ciphers";
2704
2705if (!(expciphers && *expciphers))
2706 return NULL;
2707
2708/* normalisation ripped from above */
2709s = expciphers;
2710while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2711
2712err = NULL;
2713
2714ctx = SSL_CTX_new(SSLv23_server_method());
2715if (!ctx)
2716 {
2717 ERR_error_string(ERR_get_error(), ssl_errstring);
2718 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
2719 }
2720
2721DEBUG(D_tls)
2722 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2723
2724if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
2725 {
2726 ERR_error_string(ERR_get_error(), ssl_errstring);
2727 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
2728 expciphers, ssl_errstring);
2729 }
2730
2731SSL_CTX_free(ctx);
2732
2733return err;
2734}
2735
2736
2737
2738
2739/*************************************************
2740* Report the library versions. *
2741*************************************************/
2742
2743/* There have historically been some issues with binary compatibility in
2744OpenSSL libraries; if Exim (like many other applications) is built against
2745one version of OpenSSL but the run-time linker picks up another version,
2746it can result in serious failures, including crashing with a SIGSEGV. So
2747report the version found by the compiler and the run-time version.
2748
2749Note: some OS vendors backport security fixes without changing the version
2750number/string, and the version date remains unchanged. The _build_ date
2751will change, so we can more usefully assist with version diagnosis by also
2752reporting the build date.
2753
2754Arguments: a FILE* to print the results to
2755Returns: nothing
2756*/
2757
2758void
2759tls_version_report(FILE *f)
2760{
2761fprintf(f, "Library version: OpenSSL: Compile: %s\n"
2762 " Runtime: %s\n"
2763 " : %s\n",
2764 OPENSSL_VERSION_TEXT,
2765 SSLeay_version(SSLEAY_VERSION),
2766 SSLeay_version(SSLEAY_BUILT_ON));
2767/* third line is 38 characters for the %s and the line is 73 chars long;
2768the OpenSSL output includes a "built on: " prefix already. */
2769}
2770
2771
2772
2773
2774/*************************************************
2775* Random number generation *
2776*************************************************/
2777
2778/* Pseudo-random number generation. The result is not expected to be
2779cryptographically strong but not so weak that someone will shoot themselves
2780in the foot using it as a nonce in input in some email header scheme or
2781whatever weirdness they'll twist this into. The result should handle fork()
2782and avoid repeating sequences. OpenSSL handles that for us.
2783
2784Arguments:
2785 max range maximum
2786Returns a random number in range [0, max-1]
2787*/
2788
2789int
2790vaguely_random_number(int max)
2791{
2792unsigned int r;
2793int i, needed_len;
2794static pid_t pidlast = 0;
2795pid_t pidnow;
2796uschar *p;
2797uschar smallbuf[sizeof(r)];
2798
2799if (max <= 1)
2800 return 0;
2801
2802pidnow = getpid();
2803if (pidnow != pidlast)
2804 {
2805 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
2806 is unique for each thread", this doesn't apparently apply across processes,
2807 so our own warning from vaguely_random_number_fallback() applies here too.
2808 Fix per PostgreSQL. */
2809 if (pidlast != 0)
2810 RAND_cleanup();
2811 pidlast = pidnow;
2812 }
2813
2814/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
2815if (!RAND_status())
2816 {
2817 randstuff r;
2818 gettimeofday(&r.tv, NULL);
2819 r.p = getpid();
2820
2821 RAND_seed(US (&r), sizeof(r));
2822 }
2823/* We're after pseudo-random, not random; if we still don't have enough data
2824in the internal PRNG then our options are limited. We could sleep and hope
2825for entropy to come along (prayer technique) but if the system is so depleted
2826in the first place then something is likely to just keep taking it. Instead,
2827we'll just take whatever little bit of pseudo-random we can still manage to
2828get. */
2829
2830needed_len = sizeof(r);
2831/* Don't take 8 times more entropy than needed if int is 8 octets and we were
2832asked for a number less than 10. */
2833for (r = max, i = 0; r; ++i)
2834 r >>= 1;
2835i = (i + 7) / 8;
2836if (i < needed_len)
2837 needed_len = i;
2838
2839#ifdef EXIM_HAVE_RAND_PSEUDO
2840/* We do not care if crypto-strong */
2841i = RAND_pseudo_bytes(smallbuf, needed_len);
2842#else
2843i = RAND_bytes(smallbuf, needed_len);
2844#endif
2845
2846if (i < 0)
2847 {
2848 DEBUG(D_all)
2849 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
2850 return vaguely_random_number_fallback(max);
2851 }
2852
2853r = 0;
2854for (p = smallbuf; needed_len; --needed_len, ++p)
2855 {
2856 r *= 256;
2857 r += *p;
2858 }
2859
2860/* We don't particularly care about weighted results; if someone wants
2861smooth distribution and cares enough then they should submit a patch then. */
2862return r % max;
2863}
2864
2865
2866
2867
2868/*************************************************
2869* OpenSSL option parse *
2870*************************************************/
2871
2872/* Parse one option for tls_openssl_options_parse below
2873
2874Arguments:
2875 name one option name
2876 value place to store a value for it
2877Returns success or failure in parsing
2878*/
2879
2880struct exim_openssl_option {
2881 uschar *name;
2882 long value;
2883};
2884/* We could use a macro to expand, but we need the ifdef and not all the
2885options document which version they were introduced in. Policylet: include
2886all options unless explicitly for DTLS, let the administrator choose which
2887to apply.
2888
2889This list is current as of:
2890 ==> 1.0.1b <==
2891Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
2892*/
2893static struct exim_openssl_option exim_openssl_options[] = {
2894/* KEEP SORTED ALPHABETICALLY! */
2895#ifdef SSL_OP_ALL
2896 { US"all", SSL_OP_ALL },
2897#endif
2898#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
2899 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
2900#endif
2901#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
2902 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
2903#endif
2904#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
2905 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
2906#endif
2907#ifdef SSL_OP_EPHEMERAL_RSA
2908 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
2909#endif
2910#ifdef SSL_OP_LEGACY_SERVER_CONNECT
2911 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
2912#endif
2913#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
2914 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
2915#endif
2916#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
2917 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
2918#endif
2919#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
2920 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
2921#endif
2922#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
2923 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
2924#endif
2925#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
2926 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
2927#endif
2928#ifdef SSL_OP_NO_COMPRESSION
2929 { US"no_compression", SSL_OP_NO_COMPRESSION },
2930#endif
2931#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
2932 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
2933#endif
2934#ifdef SSL_OP_NO_SSLv2
2935 { US"no_sslv2", SSL_OP_NO_SSLv2 },
2936#endif
2937#ifdef SSL_OP_NO_SSLv3
2938 { US"no_sslv3", SSL_OP_NO_SSLv3 },
2939#endif
2940#ifdef SSL_OP_NO_TICKET
2941 { US"no_ticket", SSL_OP_NO_TICKET },
2942#endif
2943#ifdef SSL_OP_NO_TLSv1
2944 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
2945#endif
2946#ifdef SSL_OP_NO_TLSv1_1
2947#if SSL_OP_NO_TLSv1_1 == 0x00000400L
2948 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
2949#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
2950#else
2951 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
2952#endif
2953#endif
2954#ifdef SSL_OP_NO_TLSv1_2
2955 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
2956#endif
2957#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
2958 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
2959#endif
2960#ifdef SSL_OP_SINGLE_DH_USE
2961 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
2962#endif
2963#ifdef SSL_OP_SINGLE_ECDH_USE
2964 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
2965#endif
2966#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
2967 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
2968#endif
2969#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
2970 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
2971#endif
2972#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
2973 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
2974#endif
2975#ifdef SSL_OP_TLS_D5_BUG
2976 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
2977#endif
2978#ifdef SSL_OP_TLS_ROLLBACK_BUG
2979 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
2980#endif
2981};
2982static int exim_openssl_options_size =
2983 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
2984
2985
2986static BOOL
2987tls_openssl_one_option_parse(uschar *name, long *value)
2988{
2989int first = 0;
2990int last = exim_openssl_options_size;
2991while (last > first)
2992 {
2993 int middle = (first + last)/2;
2994 int c = Ustrcmp(name, exim_openssl_options[middle].name);
2995 if (c == 0)
2996 {
2997 *value = exim_openssl_options[middle].value;
2998 return TRUE;
2999 }
3000 else if (c > 0)
3001 first = middle + 1;
3002 else
3003 last = middle;
3004 }
3005return FALSE;
3006}
3007
3008
3009
3010
3011/*************************************************
3012* OpenSSL option parsing logic *
3013*************************************************/
3014
3015/* OpenSSL has a number of compatibility options which an administrator might
3016reasonably wish to set. Interpret a list similarly to decode_bits(), so that
3017we look like log_selector.
3018
3019Arguments:
3020 option_spec the administrator-supplied string of options
3021 results ptr to long storage for the options bitmap
3022Returns success or failure
3023*/
3024
3025BOOL
3026tls_openssl_options_parse(uschar *option_spec, long *results)
3027{
3028long result, item;
3029uschar *s, *end;
3030uschar keep_c;
3031BOOL adding, item_parsed;
3032
3033result = SSL_OP_NO_TICKET;
3034/* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
3035 * from default because it increases BEAST susceptibility. */
3036#ifdef SSL_OP_NO_SSLv2
3037result |= SSL_OP_NO_SSLv2;
3038#endif
3039#ifdef SSL_OP_SINGLE_DH_USE
3040result |= SSL_OP_SINGLE_DH_USE;
3041#endif
3042
3043if (!option_spec)
3044 {
3045 *results = result;
3046 return TRUE;
3047 }
3048
3049for (s=option_spec; *s != '\0'; /**/)
3050 {
3051 while (isspace(*s)) ++s;
3052 if (*s == '\0')
3053 break;
3054 if (*s != '+' && *s != '-')
3055 {
3056 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
3057 "+ or - expected but found \"%s\"\n", s);
3058 return FALSE;
3059 }
3060 adding = *s++ == '+';
3061 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
3062 keep_c = *end;
3063 *end = '\0';
3064 item_parsed = tls_openssl_one_option_parse(s, &item);
3065 *end = keep_c;
3066 if (!item_parsed)
3067 {
3068 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
3069 return FALSE;
3070 }
3071 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
3072 adding ? "adding" : "removing", result, item, s);
3073 if (adding)
3074 result |= item;
3075 else
3076 result &= ~item;
3077 s = end;
3078 }
3079
3080*results = result;
3081return TRUE;
3082}
3083
3084/* vi: aw ai sw=2
3085*/
3086/* End of tls-openssl.c */
Unnamed repository; edit this file 'description' to name the repository.