projects / exim.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
Feature compile-guard
[exim.git] / src / src / tls-openssl.c
... / ...
CommitLineData
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
5/* Copyright (c) University of Cambridge 1995 - 2014 */
6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Portions Copyright (c) The OpenSSL Project 1999 */
9
10/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11library. It is #included into the tls.c file when that library is used. The
12code herein is based on a patch that was originally contributed by Steve
13Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL library. */
17
18
19/* Heading stuff */
20
21#include <openssl/lhash.h>
22#include <openssl/ssl.h>
23#include <openssl/err.h>
24#include <openssl/rand.h>
25#ifndef DISABLE_OCSP
26# include <openssl/ocsp.h>
27#endif
28#ifdef EXPERIMENTAL_DANE
29# include <danessl.h>
30#endif
31
32
33#ifndef DISABLE_OCSP
34# define EXIM_OCSP_SKEW_SECONDS (300L)
35# define EXIM_OCSP_MAX_AGE (-1L)
36#endif
37
38#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
39# define EXIM_HAVE_OPENSSL_TLSEXT
40#endif
41
42#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
43# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
44# define DISABLE_OCSP
45#endif
46
47/* Structure for collecting random data for seeding. */
48
49typedef struct randstuff {
50 struct timeval tv;
51 pid_t p;
52} randstuff;
53
54/* Local static variables */
55
56static BOOL client_verify_callback_called = FALSE;
57static BOOL server_verify_callback_called = FALSE;
58static const uschar *sid_ctx = US"exim";
59
60/* We have three different contexts to care about.
61
62Simple case: client, `client_ctx`
63 As a client, we can be doing a callout or cut-through delivery while receiving
64 a message. So we have a client context, which should have options initialised
65 from the SMTP Transport.
66
67Server:
68 There are two cases: with and without ServerNameIndication from the client.
69 Given TLS SNI, we can be using different keys, certs and various other
70 configuration settings, because they're re-expanded with $tls_sni set. This
71 allows vhosting with TLS. This SNI is sent in the handshake.
72 A client might not send SNI, so we need a fallback, and an initial setup too.
73 So as a server, we start out using `server_ctx`.
74 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
75 `server_sni` from `server_ctx` and then initialise settings by re-expanding
76 configuration.
77*/
78
79static SSL_CTX *client_ctx = NULL;
80static SSL_CTX *server_ctx = NULL;
81static SSL *client_ssl = NULL;
82static SSL *server_ssl = NULL;
83
84#ifdef EXIM_HAVE_OPENSSL_TLSEXT
85static SSL_CTX *server_sni = NULL;
86#endif
87
88static char ssl_errstring[256];
89
90static int ssl_session_timeout = 200;
91static BOOL client_verify_optional = FALSE;
92static BOOL server_verify_optional = FALSE;
93
94static BOOL reexpand_tls_files_for_sni = FALSE;
95
96
97typedef struct tls_ext_ctx_cb {
98 uschar *certificate;
99 uschar *privatekey;
100#ifndef DISABLE_OCSP
101 BOOL is_server;
102 union {
103 struct {
104 uschar *file;
105 uschar *file_expanded;
106 OCSP_RESPONSE *response;
107 } server;
108 struct {
109 X509_STORE *verify_store; /* non-null if status requested */
110 BOOL verify_required;
111 } client;
112 } u_ocsp;
113#endif
114 uschar *dhparam;
115 /* these are cached from first expand */
116 uschar *server_cipher_list;
117 /* only passed down to tls_error: */
118 host_item *host;
119
120#ifdef EXPERIMENTAL_CERTNAMES
121 uschar * verify_cert_hostnames;
122#endif
123} tls_ext_ctx_cb;
124
125/* should figure out a cleanup of API to handle state preserved per
126implementation, for various reasons, which can be void * in the APIs.
127For now, we hack around it. */
128tls_ext_ctx_cb *client_static_cbinfo = NULL;
129tls_ext_ctx_cb *server_static_cbinfo = NULL;
130
131static int
132setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
133 int (*cert_vfy_cb)(int, X509_STORE_CTX *) );
134
135/* Callbacks */
136#ifdef EXIM_HAVE_OPENSSL_TLSEXT
137static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
138#endif
139#ifndef DISABLE_OCSP
140static int tls_server_stapling_cb(SSL *s, void *arg);
141#endif
142
143
144/*************************************************
145* Handle TLS error *
146*************************************************/
147
148/* Called from lots of places when errors occur before actually starting to do
149the TLS handshake, that is, while the session is still in clear. Always returns
150DEFER for a server and FAIL for a client so that most calls can use "return
151tls_error(...)" to do this processing and then give an appropriate return. A
152single function is used for both server and client, because it is called from
153some shared functions.
154
155Argument:
156 prefix text to include in the logged error
157 host NULL if setting up a server;
158 the connected host if setting up a client
159 msg error message or NULL if we should ask OpenSSL
160
161Returns: OK/DEFER/FAIL
162*/
163
164static int
165tls_error(uschar *prefix, host_item *host, uschar *msg)
166{
167if (msg == NULL)
168 {
169 ERR_error_string(ERR_get_error(), ssl_errstring);
170 msg = (uschar *)ssl_errstring;
171 }
172
173if (host == NULL)
174 {
175 uschar *conn_info = smtp_get_connection_info();
176 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
177 conn_info += 5;
178 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
179 conn_info, prefix, msg);
180 return DEFER;
181 }
182else
183 {
184 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s): %s",
185 host->name, host->address, prefix, msg);
186 return FAIL;
187 }
188}
189
190
191
192/*************************************************
193* Callback to generate RSA key *
194*************************************************/
195
196/*
197Arguments:
198 s SSL connection
199 export not used
200 keylength keylength
201
202Returns: pointer to generated key
203*/
204
205static RSA *
206rsa_callback(SSL *s, int export, int keylength)
207{
208RSA *rsa_key;
209export = export; /* Shut picky compilers up */
210DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
211rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
212if (rsa_key == NULL)
213 {
214 ERR_error_string(ERR_get_error(), ssl_errstring);
215 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
216 ssl_errstring);
217 return NULL;
218 }
219return rsa_key;
220}
221
222
223
224/* Extreme debug
225#ifndef DISABLE_OCSP
226void
227x509_store_dump_cert_s_names(X509_STORE * store)
228{
229STACK_OF(X509_OBJECT) * roots= store->objs;
230int i;
231static uschar name[256];
232
233for(i= 0; i<sk_X509_OBJECT_num(roots); i++)
234 {
235 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
236 if(tmp_obj->type == X509_LU_X509)
237 {
238 X509 * current_cert= tmp_obj->data.x509;
239 X509_NAME_oneline(X509_get_subject_name(current_cert), CS name, sizeof(name));
240 debug_printf(" %s\n", name);
241 }
242 }
243}
244#endif
245*/
246
247
248/*************************************************
249* Callback for verification *
250*************************************************/
251
252/* The SSL library does certificate verification if set up to do so. This
253callback has the current yes/no state is in "state". If verification succeeded,
254we set up the tls_peerdn string. If verification failed, what happens depends
255on whether the client is required to present a verifiable certificate or not.
256
257If verification is optional, we change the state to yes, but still log the
258verification error. For some reason (it really would help to have proper
259documentation of OpenSSL), this callback function then gets called again, this
260time with state = 1. In fact, that's useful, because we can set up the peerdn
261value, but we must take care not to set the private verified flag on the second
262time through.
263
264Note: this function is not called if the client fails to present a certificate
265when asked. We get here only if a certificate has been received. Handling of
266optional verification for this case is done when requesting SSL to verify, by
267setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
268
269Arguments:
270 state current yes/no state as 1/0
271 x509ctx certificate information.
272 client TRUE for client startup, FALSE for server startup
273
274Returns: 1 if verified, 0 if not
275*/
276
277static int
278verify_callback(int state, X509_STORE_CTX *x509ctx,
279 tls_support *tlsp, BOOL *calledp, BOOL *optionalp)
280{
281X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
282static uschar txt[256];
283
284X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt));
285
286if (state == 0)
287 {
288 log_write(0, LOG_MAIN, "SSL verify error: depth=%d error=%s cert=%s",
289 X509_STORE_CTX_get_error_depth(x509ctx),
290 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)),
291 txt);
292 tlsp->certificate_verified = FALSE;
293 *calledp = TRUE;
294 if (!*optionalp)
295 {
296 tlsp->peercert = X509_dup(cert);
297 return 0; /* reject */
298 }
299 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
300 "tls_try_verify_hosts)\n");
301 }
302
303else if (X509_STORE_CTX_get_error_depth(x509ctx) != 0)
304 {
305 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n",
306 X509_STORE_CTX_get_error_depth(x509ctx), txt);
307#ifndef DISABLE_OCSP
308 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
309 { /* client, wanting stapling */
310 /* Add the server cert's signing chain as the one
311 for the verification of the OCSP stapled information. */
312
313 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
314 cert))
315 ERR_clear_error();
316 }
317#endif
318 }
319else
320 {
321#ifdef EXPERIMENTAL_CERTNAMES
322 uschar * verify_cert_hostnames;
323#endif
324
325 tlsp->peerdn = txt;
326 tlsp->peercert = X509_dup(cert);
327
328#ifdef EXPERIMENTAL_CERTNAMES
329 if ( tlsp == &tls_out
330 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
331 /* client, wanting hostname check */
332
333# if OPENSSL_VERSION_NUMBER >= 0x010100000L || OPENSSL_VERSION_NUMBER >= 0x010002000L
334# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
335# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
336# endif
337 {
338 int sep = 0;
339 uschar * list = verify_cert_hostnames;
340 uschar * name;
341 int rc;
342 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
343 if ((rc = X509_check_host(cert, name, 0,
344 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS)))
345 {
346 if (rc < 0)
347 {
348 log_write(0, LOG_MAIN, "SSL verify error: internal error\n");
349 name = NULL;
350 }
351 break;
352 }
353 if (!name)
354 {
355 log_write(0, LOG_MAIN,
356 "SSL verify error: certificate name mismatch: \"%s\"\n", txt);
357 return 0; /* reject */
358 }
359 }
360# else
361 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
362 {
363 log_write(0, LOG_MAIN,
364 "SSL verify error: certificate name mismatch: \"%s\"\n", txt);
365 return 0; /* reject */
366 }
367# endif
368#endif /*EXPERIMENTAL_CERTNAMES*/
369
370 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
371 *calledp ? "" : " authenticated", txt);
372 if (!*calledp) tlsp->certificate_verified = TRUE;
373 *calledp = TRUE;
374 }
375
376return 1; /* accept */
377}
378
379static int
380verify_callback_client(int state, X509_STORE_CTX *x509ctx)
381{
382return verify_callback(state, x509ctx, &tls_out, &client_verify_callback_called, &client_verify_optional);
383}
384
385static int
386verify_callback_server(int state, X509_STORE_CTX *x509ctx)
387{
388return verify_callback(state, x509ctx, &tls_in, &server_verify_callback_called, &server_verify_optional);
389}
390
391
392#ifdef EXPERIMENTAL_DANE
393
394/* This gets called *by* the dane library verify callback, which interposes
395itself.
396*/
397static int
398verify_callback_client_dane(int state, X509_STORE_CTX * x509ctx)
399{
400X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
401static uschar txt[256];
402
403X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt));
404
405DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s\n", txt);
406tls_out.peerdn = txt;
407tls_out.peercert = X509_dup(cert);
408
409if (state == 1)
410 tls_out.dane_verified =
411 tls_out.certificate_verified = TRUE;
412return 1;
413}
414
415#endif /*EXPERIMENTAL_DANE*/
416
417
418/*************************************************
419* Information callback *
420*************************************************/
421
422/* The SSL library functions call this from time to time to indicate what they
423are doing. We copy the string to the debugging output when TLS debugging has
424been requested.
425
426Arguments:
427 s the SSL connection
428 where
429 ret
430
431Returns: nothing
432*/
433
434static void
435info_callback(SSL *s, int where, int ret)
436{
437where = where;
438ret = ret;
439DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
440}
441
442
443
444/*************************************************
445* Initialize for DH *
446*************************************************/
447
448/* If dhparam is set, expand it, and load up the parameters for DH encryption.
449
450Arguments:
451 dhparam DH parameter file or fixed parameter identity string
452 host connected host, if client; NULL if server
453
454Returns: TRUE if OK (nothing to set up, or setup worked)
455*/
456
457static BOOL
458init_dh(SSL_CTX *sctx, uschar *dhparam, host_item *host)
459{
460BIO *bio;
461DH *dh;
462uschar *dhexpanded;
463const char *pem;
464
465if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
466 return FALSE;
467
468if (!dhexpanded || !*dhexpanded)
469 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
470else if (dhexpanded[0] == '/')
471 {
472 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
473 {
474 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
475 host, US strerror(errno));
476 return FALSE;
477 }
478 }
479else
480 {
481 if (Ustrcmp(dhexpanded, "none") == 0)
482 {
483 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
484 return TRUE;
485 }
486
487 if (!(pem = std_dh_prime_named(dhexpanded)))
488 {
489 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
490 host, US strerror(errno));
491 return FALSE;
492 }
493 bio = BIO_new_mem_buf(CS pem, -1);
494 }
495
496if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
497 {
498 BIO_free(bio);
499 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
500 host, NULL);
501 return FALSE;
502 }
503
504/* Even if it is larger, we silently return success rather than cause things
505 * to fail out, so that a too-large DH will not knock out all TLS; it's a
506 * debatable choice. */
507if ((8*DH_size(dh)) > tls_dh_max_bits)
508 {
509 DEBUG(D_tls)
510 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d",
511 8*DH_size(dh), tls_dh_max_bits);
512 }
513else
514 {
515 SSL_CTX_set_tmp_dh(sctx, dh);
516 DEBUG(D_tls)
517 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
518 dhexpanded ? dhexpanded : US"default", 8*DH_size(dh));
519 }
520
521DH_free(dh);
522BIO_free(bio);
523
524return TRUE;
525}
526
527
528
529
530#ifndef DISABLE_OCSP
531/*************************************************
532* Load OCSP information into state *
533*************************************************/
534
535/* Called to load the server OCSP response from the given file into memory, once
536caller has determined this is needed. Checks validity. Debugs a message
537if invalid.
538
539ASSUMES: single response, for single cert.
540
541Arguments:
542 sctx the SSL_CTX* to update
543 cbinfo various parts of session state
544 expanded the filename putatively holding an OCSP response
545
546*/
547
548static void
549ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
550{
551BIO *bio;
552OCSP_RESPONSE *resp;
553OCSP_BASICRESP *basic_response;
554OCSP_SINGLERESP *single_response;
555ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
556X509_STORE *store;
557unsigned long verify_flags;
558int status, reason, i;
559
560cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
561if (cbinfo->u_ocsp.server.response)
562 {
563 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
564 cbinfo->u_ocsp.server.response = NULL;
565 }
566
567bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb");
568if (!bio)
569 {
570 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
571 cbinfo->u_ocsp.server.file_expanded);
572 return;
573 }
574
575resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
576BIO_free(bio);
577if (!resp)
578 {
579 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
580 return;
581 }
582
583status = OCSP_response_status(resp);
584if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
585 {
586 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
587 OCSP_response_status_str(status), status);
588 goto bad;
589 }
590
591basic_response = OCSP_response_get1_basic(resp);
592if (!basic_response)
593 {
594 DEBUG(D_tls)
595 debug_printf("OCSP response parse error: unable to extract basic response.\n");
596 goto bad;
597 }
598
599store = SSL_CTX_get_cert_store(sctx);
600verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
601
602/* May need to expose ability to adjust those flags?
603OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
604OCSP_TRUSTOTHER OCSP_NOINTERN */
605
606i = OCSP_basic_verify(basic_response, NULL, store, verify_flags);
607if (i <= 0)
608 {
609 DEBUG(D_tls) {
610 ERR_error_string(ERR_get_error(), ssl_errstring);
611 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
612 }
613 goto bad;
614 }
615
616/* Here's the simplifying assumption: there's only one response, for the
617one certificate we use, and nothing for anything else in a chain. If this
618proves false, we need to extract a cert id from our issued cert
619(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
620right cert in the stack and then calls OCSP_single_get0_status()).
621
622I'm hoping to avoid reworking a bunch more of how we handle state here. */
623single_response = OCSP_resp_get0(basic_response, 0);
624if (!single_response)
625 {
626 DEBUG(D_tls)
627 debug_printf("Unable to get first response from OCSP basic response.\n");
628 goto bad;
629 }
630
631status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
632if (status != V_OCSP_CERTSTATUS_GOOD)
633 {
634 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
635 OCSP_cert_status_str(status), status,
636 OCSP_crl_reason_str(reason), reason);
637 goto bad;
638 }
639
640if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
641 {
642 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
643 goto bad;
644 }
645
646supply_response:
647 cbinfo->u_ocsp.server.response = resp;
648return;
649
650bad:
651 if (running_in_test_harness)
652 {
653 extern char ** environ;
654 uschar ** p;
655 for (p = USS environ; *p != NULL; p++)
656 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
657 {
658 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
659 goto supply_response;
660 }
661 }
662return;
663}
664#endif /*!DISABLE_OCSP*/
665
666
667
668
669/*************************************************
670* Expand key and cert file specs *
671*************************************************/
672
673/* Called once during tls_init and possibly again during TLS setup, for a
674new context, if Server Name Indication was used and tls_sni was seen in
675the certificate string.
676
677Arguments:
678 sctx the SSL_CTX* to update
679 cbinfo various parts of session state
680
681Returns: OK/DEFER/FAIL
682*/
683
684static int
685tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo)
686{
687uschar *expanded;
688
689if (cbinfo->certificate == NULL)
690 return OK;
691
692if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
693 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
694 Ustrstr(cbinfo->certificate, US"tls_out_sni")
695 )
696 reexpand_tls_files_for_sni = TRUE;
697
698if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
699 return DEFER;
700
701if (expanded != NULL)
702 {
703 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
704 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
705 return tls_error(string_sprintf(
706 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
707 cbinfo->host, NULL);
708 }
709
710if (cbinfo->privatekey != NULL &&
711 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
712 return DEFER;
713
714/* If expansion was forced to fail, key_expanded will be NULL. If the result
715of the expansion is an empty string, ignore it also, and assume the private
716key is in the same file as the certificate. */
717
718if (expanded != NULL && *expanded != 0)
719 {
720 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
721 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
722 return tls_error(string_sprintf(
723 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
724 }
725
726#ifndef DISABLE_OCSP
727if (cbinfo->is_server && cbinfo->u_ocsp.server.file != NULL)
728 {
729 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded))
730 return DEFER;
731
732 if (expanded != NULL && *expanded != 0)
733 {
734 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
735 if (cbinfo->u_ocsp.server.file_expanded &&
736 (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
737 {
738 DEBUG(D_tls)
739 debug_printf("tls_ocsp_file value unchanged, using existing values.\n");
740 } else {
741 ocsp_load_response(sctx, cbinfo, expanded);
742 }
743 }
744 }
745#endif
746
747return OK;
748}
749
750
751
752
753/*************************************************
754* Callback to handle SNI *
755*************************************************/
756
757/* Called when acting as server during the TLS session setup if a Server Name
758Indication extension was sent by the client.
759
760API documentation is OpenSSL s_server.c implementation.
761
762Arguments:
763 s SSL* of the current session
764 ad unknown (part of OpenSSL API) (unused)
765 arg Callback of "our" registered data
766
767Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
768*/
769
770#ifdef EXIM_HAVE_OPENSSL_TLSEXT
771static int
772tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
773{
774const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
775tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
776int rc;
777int old_pool = store_pool;
778
779if (!servername)
780 return SSL_TLSEXT_ERR_OK;
781
782DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
783 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
784
785/* Make the extension value available for expansion */
786store_pool = POOL_PERM;
787tls_in.sni = string_copy(US servername);
788store_pool = old_pool;
789
790if (!reexpand_tls_files_for_sni)
791 return SSL_TLSEXT_ERR_OK;
792
793/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
794not confident that memcpy wouldn't break some internal reference counting.
795Especially since there's a references struct member, which would be off. */
796
797if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
798 {
799 ERR_error_string(ERR_get_error(), ssl_errstring);
800 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
801 return SSL_TLSEXT_ERR_NOACK;
802 }
803
804/* Not sure how many of these are actually needed, since SSL object
805already exists. Might even need this selfsame callback, for reneg? */
806
807SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
808SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
809SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
810SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
811SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
812SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
813if (cbinfo->server_cipher_list)
814 SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
815#ifndef DISABLE_OCSP
816if (cbinfo->u_ocsp.server.file)
817 {
818 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
819 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
820 }
821#endif
822
823rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE, verify_callback_server);
824if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
825
826/* do this after setup_certs, because this can require the certs for verifying
827OCSP information. */
828rc = tls_expand_session_files(server_sni, cbinfo);
829if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
830
831if (!init_dh(server_sni, cbinfo->dhparam, NULL))
832 return SSL_TLSEXT_ERR_NOACK;
833
834DEBUG(D_tls) debug_printf("Switching SSL context.\n");
835SSL_set_SSL_CTX(s, server_sni);
836
837return SSL_TLSEXT_ERR_OK;
838}
839#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
840
841
842
843
844#ifndef DISABLE_OCSP
845
846/*************************************************
847* Callback to handle OCSP Stapling *
848*************************************************/
849
850/* Called when acting as server during the TLS session setup if the client
851requests OCSP information with a Certificate Status Request.
852
853Documentation via openssl s_server.c and the Apache patch from the OpenSSL
854project.
855
856*/
857
858static int
859tls_server_stapling_cb(SSL *s, void *arg)
860{
861const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
862uschar *response_der;
863int response_der_len;
864
865DEBUG(D_tls)
866 debug_printf("Received TLS status request (OCSP stapling); %s response.",
867 cbinfo->u_ocsp.server.response ? "have" : "lack");
868
869tls_in.ocsp = OCSP_NOT_RESP;
870if (!cbinfo->u_ocsp.server.response)
871 return SSL_TLSEXT_ERR_NOACK;
872
873response_der = NULL;
874response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response,
875 &response_der);
876if (response_der_len <= 0)
877 return SSL_TLSEXT_ERR_NOACK;
878
879SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
880tls_in.ocsp = OCSP_VFIED;
881return SSL_TLSEXT_ERR_OK;
882}
883
884
885static void
886time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
887{
888BIO_printf(bp, "\t%s: ", str);
889ASN1_GENERALIZEDTIME_print(bp, time);
890BIO_puts(bp, "\n");
891}
892
893static int
894tls_client_stapling_cb(SSL *s, void *arg)
895{
896tls_ext_ctx_cb * cbinfo = arg;
897const unsigned char * p;
898int len;
899OCSP_RESPONSE * rsp;
900OCSP_BASICRESP * bs;
901int i;
902
903DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
904len = SSL_get_tlsext_status_ocsp_resp(s, &p);
905if(!p)
906 {
907 /* Expect this when we requested ocsp but got none */
908 if ( cbinfo->u_ocsp.client.verify_required
909 && log_extra_selector & LX_tls_cipher)
910 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
911 else
912 DEBUG(D_tls) debug_printf(" null\n");
913 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
914 }
915
916if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
917 {
918 tls_out.ocsp = OCSP_FAILED;
919 if (log_extra_selector & LX_tls_cipher)
920 log_write(0, LOG_MAIN, "Received TLS status response, parse error");
921 else
922 DEBUG(D_tls) debug_printf(" parse error\n");
923 return 0;
924 }
925
926if(!(bs = OCSP_response_get1_basic(rsp)))
927 {
928 tls_out.ocsp = OCSP_FAILED;
929 if (log_extra_selector & LX_tls_cipher)
930 log_write(0, LOG_MAIN, "Received TLS status response, error parsing response");
931 else
932 DEBUG(D_tls) debug_printf(" error parsing response\n");
933 OCSP_RESPONSE_free(rsp);
934 return 0;
935 }
936
937/* We'd check the nonce here if we'd put one in the request. */
938/* However that would defeat cacheability on the server so we don't. */
939
940/* This section of code reworked from OpenSSL apps source;
941 The OpenSSL Project retains copyright:
942 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
943*/
944 {
945 BIO * bp = NULL;
946 int status, reason;
947 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
948
949 DEBUG(D_tls) bp = BIO_new_fp(stderr, BIO_NOCLOSE);
950
951 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
952
953 /* Use the chain that verified the server cert to verify the stapled info */
954 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
955
956 if ((i = OCSP_basic_verify(bs, NULL,
957 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
958 {
959 tls_out.ocsp = OCSP_FAILED;
960 BIO_printf(bp, "OCSP response verify failure\n");
961 ERR_print_errors(bp);
962 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
963 goto out;
964 }
965
966 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
967
968 {
969 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
970 OCSP_SINGLERESP * single;
971
972 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
973 {
974 tls_out.ocsp = OCSP_FAILED;
975 log_write(0, LOG_MAIN, "OCSP stapling "
976 "with multiple responses not handled");
977 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
978 goto out;
979 }
980 single = OCSP_resp_get0(bs, 0);
981 status = OCSP_single_get0_status(single, &reason, &rev,
982 &thisupd, &nextupd);
983 }
984
985 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
986 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
987 if (!OCSP_check_validity(thisupd, nextupd,
988 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
989 {
990 tls_out.ocsp = OCSP_FAILED;
991 DEBUG(D_tls) ERR_print_errors(bp);
992 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
993 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
994 }
995 else
996 {
997 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
998 OCSP_cert_status_str(status));
999 switch(status)
1000 {
1001 case V_OCSP_CERTSTATUS_GOOD:
1002 tls_out.ocsp = OCSP_VFIED;
1003 i = 1;
1004 break;
1005 case V_OCSP_CERTSTATUS_REVOKED:
1006 tls_out.ocsp = OCSP_FAILED;
1007 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1008 reason != -1 ? "; reason: " : "",
1009 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1010 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
1011 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1012 break;
1013 default:
1014 tls_out.ocsp = OCSP_FAILED;
1015 log_write(0, LOG_MAIN,
1016 "Server certificate status unknown, in OCSP stapling");
1017 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1018 break;
1019 }
1020 }
1021 out:
1022 BIO_free(bp);
1023 }
1024
1025OCSP_RESPONSE_free(rsp);
1026return i;
1027}
1028#endif /*!DISABLE_OCSP*/
1029
1030
1031/*************************************************
1032* Initialize for TLS *
1033*************************************************/
1034
1035/* Called from both server and client code, to do preliminary initialization
1036of the library. We allocate and return a context structure.
1037
1038Arguments:
1039 ctxp returned SSL context
1040 host connected host, if client; NULL if server
1041 dhparam DH parameter file
1042 certificate certificate file
1043 privatekey private key
1044 ocsp_file file of stapling info (server); flag for require ocsp (client)
1045 addr address if client; NULL if server (for some randomness)
1046 cbp place to put allocated callback context
1047
1048Returns: OK/DEFER/FAIL
1049*/
1050
1051static int
1052tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
1053 uschar *privatekey,
1054#ifndef DISABLE_OCSP
1055 uschar *ocsp_file,
1056#endif
1057 address_item *addr, tls_ext_ctx_cb ** cbp)
1058{
1059long init_options;
1060int rc;
1061BOOL okay;
1062tls_ext_ctx_cb *cbinfo;
1063
1064cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1065cbinfo->certificate = certificate;
1066cbinfo->privatekey = privatekey;
1067#ifndef DISABLE_OCSP
1068if ((cbinfo->is_server = host==NULL))
1069 {
1070 cbinfo->u_ocsp.server.file = ocsp_file;
1071 cbinfo->u_ocsp.server.file_expanded = NULL;
1072 cbinfo->u_ocsp.server.response = NULL;
1073 }
1074else
1075 cbinfo->u_ocsp.client.verify_store = NULL;
1076#endif
1077cbinfo->dhparam = dhparam;
1078cbinfo->server_cipher_list = NULL;
1079cbinfo->host = host;
1080
1081SSL_load_error_strings(); /* basic set up */
1082OpenSSL_add_ssl_algorithms();
1083
1084#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
1085/* SHA256 is becoming ever more popular. This makes sure it gets added to the
1086list of available digests. */
1087EVP_add_digest(EVP_sha256());
1088#endif
1089
1090/* Create a context.
1091The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1092negotiation in the different methods; as far as I can tell, the only
1093*_{server,client}_method which allows negotiation is SSLv23, which exists even
1094when OpenSSL is built without SSLv2 support.
1095By disabling with openssl_options, we can let admins re-enable with the
1096existing knob. */
1097
1098*ctxp = SSL_CTX_new((host == NULL)?
1099 SSLv23_server_method() : SSLv23_client_method());
1100
1101if (*ctxp == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
1102
1103/* It turns out that we need to seed the random number generator this early in
1104order to get the full complement of ciphers to work. It took me roughly a day
1105of work to discover this by experiment.
1106
1107On systems that have /dev/urandom, SSL may automatically seed itself from
1108there. Otherwise, we have to make something up as best we can. Double check
1109afterwards. */
1110
1111if (!RAND_status())
1112 {
1113 randstuff r;
1114 gettimeofday(&r.tv, NULL);
1115 r.p = getpid();
1116
1117 RAND_seed((uschar *)(&r), sizeof(r));
1118 RAND_seed((uschar *)big_buffer, big_buffer_size);
1119 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
1120
1121 if (!RAND_status())
1122 return tls_error(US"RAND_status", host,
1123 US"unable to seed random number generator");
1124 }
1125
1126/* Set up the information callback, which outputs if debugging is at a suitable
1127level. */
1128
1129SSL_CTX_set_info_callback(*ctxp, (void (*)())info_callback);
1130
1131/* Automatically re-try reads/writes after renegotiation. */
1132(void) SSL_CTX_set_mode(*ctxp, SSL_MODE_AUTO_RETRY);
1133
1134/* Apply administrator-supplied work-arounds.
1135Historically we applied just one requested option,
1136SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1137moved to an administrator-controlled list of options to specify and
1138grandfathered in the first one as the default value for "openssl_options".
1139
1140No OpenSSL version number checks: the options we accept depend upon the
1141availability of the option value macros from OpenSSL. */
1142
1143okay = tls_openssl_options_parse(openssl_options, &init_options);
1144if (!okay)
1145 return tls_error(US"openssl_options parsing failed", host, NULL);
1146
1147if (init_options)
1148 {
1149 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
1150 if (!(SSL_CTX_set_options(*ctxp, init_options)))
1151 return tls_error(string_sprintf(
1152 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
1153 }
1154else
1155 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
1156
1157/* Initialize with DH parameters if supplied */
1158
1159if (!init_dh(*ctxp, dhparam, host)) return DEFER;
1160
1161/* Set up certificate and key (and perhaps OCSP info) */
1162
1163rc = tls_expand_session_files(*ctxp, cbinfo);
1164if (rc != OK) return rc;
1165
1166/* If we need to handle SNI, do so */
1167#ifdef EXIM_HAVE_OPENSSL_TLSEXT
1168if (host == NULL) /* server */
1169 {
1170# ifndef DISABLE_OCSP
1171 /* We check u_ocsp.server.file, not server.response, because we care about if
1172 the option exists, not what the current expansion might be, as SNI might
1173 change the certificate and OCSP file in use between now and the time the
1174 callback is invoked. */
1175 if (cbinfo->u_ocsp.server.file)
1176 {
1177 SSL_CTX_set_tlsext_status_cb(server_ctx, tls_server_stapling_cb);
1178 SSL_CTX_set_tlsext_status_arg(server_ctx, cbinfo);
1179 }
1180# endif
1181 /* We always do this, so that $tls_sni is available even if not used in
1182 tls_certificate */
1183 SSL_CTX_set_tlsext_servername_callback(*ctxp, tls_servername_cb);
1184 SSL_CTX_set_tlsext_servername_arg(*ctxp, cbinfo);
1185 }
1186# ifndef DISABLE_OCSP
1187else /* client */
1188 if(ocsp_file) /* wanting stapling */
1189 {
1190 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1191 {
1192 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1193 return FAIL;
1194 }
1195 SSL_CTX_set_tlsext_status_cb(*ctxp, tls_client_stapling_cb);
1196 SSL_CTX_set_tlsext_status_arg(*ctxp, cbinfo);
1197 }
1198# endif
1199#endif
1200
1201#ifdef EXPERIMENTAL_CERTNAMES
1202cbinfo->verify_cert_hostnames = NULL;
1203#endif
1204
1205/* Set up the RSA callback */
1206
1207SSL_CTX_set_tmp_rsa_callback(*ctxp, rsa_callback);
1208
1209/* Finally, set the timeout, and we are done */
1210
1211SSL_CTX_set_timeout(*ctxp, ssl_session_timeout);
1212DEBUG(D_tls) debug_printf("Initialized TLS\n");
1213
1214*cbp = cbinfo;
1215
1216return OK;
1217}
1218
1219
1220
1221
1222/*************************************************
1223* Get name of cipher in use *
1224*************************************************/
1225
1226/*
1227Argument: pointer to an SSL structure for the connection
1228 buffer to use for answer
1229 size of buffer
1230 pointer to number of bits for cipher
1231Returns: nothing
1232*/
1233
1234static void
1235construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
1236{
1237/* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
1238yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1239the accessor functions use const in the prototype. */
1240const SSL_CIPHER *c;
1241const uschar *ver;
1242
1243ver = (const uschar *)SSL_get_version(ssl);
1244
1245c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
1246SSL_CIPHER_get_bits(c, bits);
1247
1248string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1249 SSL_CIPHER_get_name(c), *bits);
1250
1251DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1252}
1253
1254
1255
1256
1257
1258/*************************************************
1259* Set up for verifying certificates *
1260*************************************************/
1261
1262/* Called by both client and server startup
1263
1264Arguments:
1265 sctx SSL_CTX* to initialise
1266 certs certs file or NULL
1267 crl CRL file or NULL
1268 host NULL in a server; the remote host in a client
1269 optional TRUE if called from a server for a host in tls_try_verify_hosts;
1270 otherwise passed as FALSE
1271 cert_vfy_cb Callback function for certificate verification
1272
1273Returns: OK/DEFER/FAIL
1274*/
1275
1276static int
1277setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
1278 int (*cert_vfy_cb)(int, X509_STORE_CTX *) )
1279{
1280uschar *expcerts, *expcrl;
1281
1282if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
1283 return DEFER;
1284
1285if (expcerts != NULL && *expcerts != '\0')
1286 {
1287 struct stat statbuf;
1288 if (!SSL_CTX_set_default_verify_paths(sctx))
1289 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
1290
1291 if (Ustat(expcerts, &statbuf) < 0)
1292 {
1293 log_write(0, LOG_MAIN|LOG_PANIC,
1294 "failed to stat %s for certificates", expcerts);
1295 return DEFER;
1296 }
1297 else
1298 {
1299 uschar *file, *dir;
1300 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1301 { file = NULL; dir = expcerts; }
1302 else
1303 { file = expcerts; dir = NULL; }
1304
1305 /* If a certificate file is empty, the next function fails with an
1306 unhelpful error message. If we skip it, we get the correct behaviour (no
1307 certificates are recognized, but the error message is still misleading (it
1308 says no certificate was supplied.) But this is better. */
1309
1310 if ((file == NULL || statbuf.st_size > 0) &&
1311 !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
1312 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
1313
1314 if (file != NULL)
1315 {
1316 SSL_CTX_set_client_CA_list(sctx, SSL_load_client_CA_file(CS file));
1317 }
1318 }
1319
1320 /* Handle a certificate revocation list. */
1321
1322 #if OPENSSL_VERSION_NUMBER > 0x00907000L
1323
1324 /* This bit of code is now the version supplied by Lars Mainka. (I have
1325 * merely reformatted it into the Exim code style.)
1326
1327 * "From here I changed the code to add support for multiple crl's
1328 * in pem format in one file or to support hashed directory entries in
1329 * pem format instead of a file. This method now uses the library function
1330 * X509_STORE_load_locations to add the CRL location to the SSL context.
1331 * OpenSSL will then handle the verify against CA certs and CRLs by
1332 * itself in the verify callback." */
1333
1334 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
1335 if (expcrl != NULL && *expcrl != 0)
1336 {
1337 struct stat statbufcrl;
1338 if (Ustat(expcrl, &statbufcrl) < 0)
1339 {
1340 log_write(0, LOG_MAIN|LOG_PANIC,
1341 "failed to stat %s for certificates revocation lists", expcrl);
1342 return DEFER;
1343 }
1344 else
1345 {
1346 /* is it a file or directory? */
1347 uschar *file, *dir;
1348 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
1349 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
1350 {
1351 file = NULL;
1352 dir = expcrl;
1353 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
1354 }
1355 else
1356 {
1357 file = expcrl;
1358 dir = NULL;
1359 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
1360 }
1361 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
1362 return tls_error(US"X509_STORE_load_locations", host, NULL);
1363
1364 /* setting the flags to check against the complete crl chain */
1365
1366 X509_STORE_set_flags(cvstore,
1367 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
1368 }
1369 }
1370
1371 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
1372
1373 /* If verification is optional, don't fail if no certificate */
1374
1375 SSL_CTX_set_verify(sctx,
1376 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
1377 cert_vfy_cb);
1378 }
1379
1380return OK;
1381}
1382
1383
1384
1385/*************************************************
1386* Start a TLS session in a server *
1387*************************************************/
1388
1389/* This is called when Exim is running as a server, after having received
1390the STARTTLS command. It must respond to that command, and then negotiate
1391a TLS session.
1392
1393Arguments:
1394 require_ciphers allowed ciphers
1395
1396Returns: OK on success
1397 DEFER for errors before the start of the negotiation
1398 FAIL for errors during the negotation; the server can't
1399 continue running.
1400*/
1401
1402int
1403tls_server_start(const uschar *require_ciphers)
1404{
1405int rc;
1406uschar *expciphers;
1407tls_ext_ctx_cb *cbinfo;
1408static uschar cipherbuf[256];
1409
1410/* Check for previous activation */
1411
1412if (tls_in.active >= 0)
1413 {
1414 tls_error(US"STARTTLS received after TLS started", NULL, US"");
1415 smtp_printf("554 Already in TLS\r\n");
1416 return FAIL;
1417 }
1418
1419/* Initialize the SSL library. If it fails, it will already have logged
1420the error. */
1421
1422rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
1423#ifndef DISABLE_OCSP
1424 tls_ocsp_file,
1425#endif
1426 NULL, &server_static_cbinfo);
1427if (rc != OK) return rc;
1428cbinfo = server_static_cbinfo;
1429
1430if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1431 return FAIL;
1432
1433/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1434were historically separated by underscores. So that I can use either form in my
1435tests, and also for general convenience, we turn underscores into hyphens here.
1436*/
1437
1438if (expciphers != NULL)
1439 {
1440 uschar *s = expciphers;
1441 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1442 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
1443 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
1444 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
1445 cbinfo->server_cipher_list = expciphers;
1446 }
1447
1448/* If this is a host for which certificate verification is mandatory or
1449optional, set up appropriately. */
1450
1451tls_in.certificate_verified = FALSE;
1452#ifdef EXPERIMENTAL_DANE
1453tls_in.dane_verified = FALSE;
1454#endif
1455server_verify_callback_called = FALSE;
1456
1457if (verify_check_host(&tls_verify_hosts) == OK)
1458 {
1459 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1460 FALSE, verify_callback_server);
1461 if (rc != OK) return rc;
1462 server_verify_optional = FALSE;
1463 }
1464else if (verify_check_host(&tls_try_verify_hosts) == OK)
1465 {
1466 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1467 TRUE, verify_callback_server);
1468 if (rc != OK) return rc;
1469 server_verify_optional = TRUE;
1470 }
1471
1472/* Prepare for new connection */
1473
1474if ((server_ssl = SSL_new(server_ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
1475
1476/* Warning: we used to SSL_clear(ssl) here, it was removed.
1477 *
1478 * With the SSL_clear(), we get strange interoperability bugs with
1479 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
1480 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
1481 *
1482 * The SSL_clear() call is to let an existing SSL* be reused, typically after
1483 * session shutdown. In this case, we have a brand new object and there's no
1484 * obvious reason to immediately clear it. I'm guessing that this was
1485 * originally added because of incomplete initialisation which the clear fixed,
1486 * in some historic release.
1487 */
1488
1489/* Set context and tell client to go ahead, except in the case of TLS startup
1490on connection, where outputting anything now upsets the clients and tends to
1491make them disconnect. We need to have an explicit fflush() here, to force out
1492the response. Other smtp_printf() calls do not need it, because in non-TLS
1493mode, the fflush() happens when smtp_getc() is called. */
1494
1495SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
1496if (!tls_in.on_connect)
1497 {
1498 smtp_printf("220 TLS go ahead\r\n");
1499 fflush(smtp_out);
1500 }
1501
1502/* Now negotiate the TLS session. We put our own timer on it, since it seems
1503that the OpenSSL library doesn't. */
1504
1505SSL_set_wfd(server_ssl, fileno(smtp_out));
1506SSL_set_rfd(server_ssl, fileno(smtp_in));
1507SSL_set_accept_state(server_ssl);
1508
1509DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
1510
1511sigalrm_seen = FALSE;
1512if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1513rc = SSL_accept(server_ssl);
1514alarm(0);
1515
1516if (rc <= 0)
1517 {
1518 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
1519 if (ERR_get_error() == 0)
1520 log_write(0, LOG_MAIN,
1521 "TLS client disconnected cleanly (rejected our certificate?)");
1522 return FAIL;
1523 }
1524
1525DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
1526
1527/* TLS has been set up. Adjust the input functions to read via TLS,
1528and initialize things. */
1529
1530construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
1531tls_in.cipher = cipherbuf;
1532
1533DEBUG(D_tls)
1534 {
1535 uschar buf[2048];
1536 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
1537 debug_printf("Shared ciphers: %s\n", buf);
1538 }
1539
1540/* Record the certificate we presented */
1541 {
1542 X509 * crt = SSL_get_certificate(server_ssl);
1543 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
1544 }
1545
1546/* Only used by the server-side tls (tls_in), including tls_getc.
1547 Client-side (tls_out) reads (seem to?) go via
1548 smtp_read_response()/ip_recv().
1549 Hence no need to duplicate for _in and _out.
1550 */
1551ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1552ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
1553ssl_xfer_eof = ssl_xfer_error = 0;
1554
1555receive_getc = tls_getc;
1556receive_ungetc = tls_ungetc;
1557receive_feof = tls_feof;
1558receive_ferror = tls_ferror;
1559receive_smtp_buffered = tls_smtp_buffered;
1560
1561tls_in.active = fileno(smtp_out);
1562return OK;
1563}
1564
1565
1566
1567
1568static int
1569tls_client_basic_ctx_init(SSL_CTX * ctx,
1570 host_item * host, smtp_transport_options_block * ob
1571#ifdef EXPERIMENTAL_CERTNAMES
1572 , tls_ext_ctx_cb * cbinfo
1573#endif
1574 )
1575{
1576int rc;
1577/* stick to the old behaviour for compatibility if tls_verify_certificates is
1578 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
1579 the specified host patterns if one of them is defined */
1580
1581if ((!ob->tls_verify_hosts && !ob->tls_try_verify_hosts) ||
1582 (verify_check_host(&ob->tls_verify_hosts) == OK))
1583 {
1584 if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
1585 ob->tls_crl, host, FALSE, verify_callback_client)) != OK)
1586 return rc;
1587 client_verify_optional = FALSE;
1588
1589#ifdef EXPERIMENTAL_CERTNAMES
1590 if (ob->tls_verify_cert_hostnames)
1591 {
1592 if (!expand_check(ob->tls_verify_cert_hostnames,
1593 US"tls_verify_cert_hostnames",
1594 &cbinfo->verify_cert_hostnames))
1595 return FAIL;
1596 if (cbinfo->verify_cert_hostnames)
1597 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
1598 cbinfo->verify_cert_hostnames);
1599 }
1600#endif
1601 }
1602else if (verify_check_host(&ob->tls_try_verify_hosts) == OK)
1603 {
1604 if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
1605 ob->tls_crl, host, TRUE, verify_callback_client)) != OK)
1606 return rc;
1607 client_verify_optional = TRUE;
1608 }
1609
1610return OK;
1611}
1612
1613
1614#ifdef EXPERIMENTAL_DANE
1615static int
1616tlsa_lookup(host_item * host, dns_answer * dnsa,
1617 BOOL dane_required, BOOL * dane)
1618{
1619/* move this out to host.c given the similarity to dns_lookup() ? */
1620uschar buffer[300];
1621uschar * fullname = buffer;
1622
1623/* TLSA lookup string */
1624(void)sprintf(CS buffer, "_%d._tcp.%.256s", host->port, host->name);
1625
1626switch (dns_lookup(dnsa, buffer, T_TLSA, &fullname))
1627 {
1628 case DNS_AGAIN:
1629 return DEFER; /* just defer this TLS'd conn */
1630
1631 default:
1632 case DNS_FAIL:
1633 if (dane_required)
1634 {
1635 log_write(0, LOG_MAIN, "DANE error: TLSA lookup failed");
1636 return FAIL;
1637 }
1638 break;
1639
1640 case DNS_SUCCEED:
1641 if (!dns_is_secure(dnsa))
1642 {
1643 log_write(0, LOG_MAIN, "DANE error: TLSA lookup not DNSSEC");
1644 return DEFER;
1645 }
1646 *dane = TRUE;
1647 break;
1648 }
1649return OK;
1650}
1651
1652
1653static int
1654dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa)
1655{
1656dns_record * rr;
1657dns_scan dnss;
1658const char * hostnames[2] = { CS host->name, NULL };
1659int found = 0;
1660
1661if (DANESSL_init(ssl, NULL, hostnames) != 1)
1662 return tls_error(US"hostnames load", host, NULL);
1663
1664for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
1665 rr;
1666 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1667 ) if (rr->type == T_TLSA)
1668 {
1669 uschar * p = rr->data;
1670 uint8_t usage, selector, mtype;
1671 const char * mdname;
1672
1673 found++;
1674 usage = *p++;
1675 selector = *p++;
1676 mtype = *p++;
1677
1678 switch (mtype)
1679 {
1680 default:
1681 log_write(0, LOG_MAIN,
1682 "DANE error: TLSA record w/bad mtype 0x%x", mtype);
1683 return FAIL;
1684 case 0: mdname = NULL; break;
1685 case 1: mdname = "sha256"; break;
1686 case 2: mdname = "sha512"; break;
1687 }
1688
1689 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
1690 {
1691 default:
1692 case 0: /* action not taken */
1693 return tls_error(US"tlsa load", host, NULL);
1694 case 1: break;
1695 }
1696
1697 tls_out.tlsa_usage |= 1<<usage;
1698 }
1699
1700if (found)
1701 return OK;
1702
1703log_write(0, LOG_MAIN, "DANE error: No TLSA records");
1704return FAIL;
1705}
1706#endif /*EXPERIMENTAL_DANE*/
1707
1708
1709
1710/*************************************************
1711* Start a TLS session in a client *
1712*************************************************/
1713
1714/* Called from the smtp transport after STARTTLS has been accepted.
1715
1716Argument:
1717 fd the fd of the connection
1718 host connected host (for messages)
1719 addr the first address
1720 ob smtp transport options
1721
1722Returns: OK on success
1723 FAIL otherwise - note that tls_error() will not give DEFER
1724 because this is not a server
1725*/
1726
1727int
1728tls_client_start(int fd, host_item *host, address_item *addr,
1729 void *v_ob)
1730{
1731smtp_transport_options_block * ob = v_ob;
1732static uschar txt[256];
1733uschar * expciphers;
1734X509 * server_cert;
1735int rc;
1736static uschar cipherbuf[256];
1737
1738#ifndef DISABLE_OCSP
1739BOOL request_ocsp = FALSE;
1740BOOL require_ocsp = FALSE;
1741#endif
1742#ifdef EXPERIMENTAL_DANE
1743dns_answer tlsa_dnsa;
1744BOOL dane = FALSE;
1745BOOL dane_required;
1746#endif
1747
1748#ifdef EXPERIMENTAL_DANE
1749tls_out.dane_verified = FALSE;
1750tls_out.tlsa_usage = 0;
1751dane_required = verify_check_this_host(&ob->hosts_require_dane, NULL,
1752 host->name, host->address, NULL) == OK;
1753
1754if (host->dnssec == DS_YES)
1755 {
1756 if( dane_required
1757 || verify_check_this_host(&ob->hosts_try_dane, NULL,
1758 host->name, host->address, NULL) == OK
1759 )
1760 if ((rc = tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)) != OK)
1761 return rc;
1762 }
1763else if (dane_required)
1764 {
1765 /*XXX a shame we only find this after making tcp & smtp connection */
1766 /* move the test earlier? */
1767 log_write(0, LOG_MAIN, "DANE error: previous lookup not DNSSEC");
1768 return FAIL;
1769 }
1770#endif
1771
1772#ifndef DISABLE_OCSP
1773 {
1774 require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
1775 NULL, host->name, host->address, NULL) == OK;
1776 request_ocsp = require_ocsp ? TRUE
1777 : verify_check_this_host(&ob->hosts_request_ocsp,
1778 NULL, host->name, host->address, NULL) == OK;
1779 }
1780#endif
1781
1782rc = tls_init(&client_ctx, host, NULL,
1783 ob->tls_certificate, ob->tls_privatekey,
1784#ifndef DISABLE_OCSP
1785 (void *)(long)request_ocsp,
1786#endif
1787 addr, &client_static_cbinfo);
1788if (rc != OK) return rc;
1789
1790tls_out.certificate_verified = FALSE;
1791client_verify_callback_called = FALSE;
1792
1793if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
1794 &expciphers))
1795 return FAIL;
1796
1797/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1798are separated by underscores. So that I can use either form in my tests, and
1799also for general convenience, we turn underscores into hyphens here. */
1800
1801if (expciphers != NULL)
1802 {
1803 uschar *s = expciphers;
1804 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1805 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
1806 if (!SSL_CTX_set_cipher_list(client_ctx, CS expciphers))
1807 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
1808 }
1809
1810#ifdef EXPERIMENTAL_DANE
1811if (dane)
1812 {
1813 SSL_CTX_set_verify(client_ctx, SSL_VERIFY_PEER, verify_callback_client_dane);
1814
1815 if (!DANESSL_library_init())
1816 return tls_error(US"library init", host, NULL);
1817 if (DANESSL_CTX_init(client_ctx) <= 0)
1818 return tls_error(US"context init", host, NULL);
1819 }
1820else
1821
1822#endif
1823
1824 if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob
1825#ifdef EXPERIMENTAL_CERTNAMES
1826 , client_static_cbinfo
1827#endif
1828 )) != OK)
1829 return rc;
1830
1831if ((client_ssl = SSL_new(client_ctx)) == NULL)
1832 return tls_error(US"SSL_new", host, NULL);
1833SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
1834SSL_set_fd(client_ssl, fd);
1835SSL_set_connect_state(client_ssl);
1836
1837if (ob->tls_sni)
1838 {
1839 if (!expand_check(ob->tls_sni, US"tls_sni", &tls_out.sni))
1840 return FAIL;
1841 if (tls_out.sni == NULL)
1842 {
1843 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
1844 }
1845 else if (!Ustrlen(tls_out.sni))
1846 tls_out.sni = NULL;
1847 else
1848 {
1849#ifdef EXIM_HAVE_OPENSSL_TLSEXT
1850 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_out.sni);
1851 SSL_set_tlsext_host_name(client_ssl, tls_out.sni);
1852#else
1853 DEBUG(D_tls)
1854 debug_printf("OpenSSL at build-time lacked SNI support, ignoring \"%s\"\n",
1855 tls_out.sni);
1856#endif
1857 }
1858 }
1859
1860#ifdef EXPERIMENTAL_DANE
1861if (dane)
1862 if ((rc = dane_tlsa_load(client_ssl, host, &tlsa_dnsa)) != OK)
1863 return rc;
1864#endif
1865
1866#ifndef DISABLE_OCSP
1867/* Request certificate status at connection-time. If the server
1868does OCSP stapling we will get the callback (set in tls_init()) */
1869# ifdef EXPERIMENTAL_DANE
1870if (request_ocsp)
1871 {
1872 const uschar * s;
1873 if ( (s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage")
1874 || (s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage")
1875 )
1876 { /* Re-eval now $tls_out_tlsa_usage is populated. If
1877 this means we avoid the OCSP request, we wasted the setup
1878 cost in tls_init(). */
1879 require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
1880 NULL, host->name, host->address, NULL) == OK;
1881 request_ocsp = require_ocsp ? TRUE
1882 : verify_check_this_host(&ob->hosts_request_ocsp,
1883 NULL, host->name, host->address, NULL) == OK;
1884 }
1885 }
1886# endif
1887
1888if (request_ocsp)
1889 {
1890 SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp);
1891 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
1892 tls_out.ocsp = OCSP_NOT_RESP;
1893 }
1894#endif
1895
1896
1897/* There doesn't seem to be a built-in timeout on connection. */
1898
1899DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
1900sigalrm_seen = FALSE;
1901alarm(ob->command_timeout);
1902rc = SSL_connect(client_ssl);
1903alarm(0);
1904
1905#ifdef EXPERIMENTAL_DANE
1906if (dane)
1907 DANESSL_cleanup(client_ssl);
1908#endif
1909
1910if (rc <= 0)
1911 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
1912
1913DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
1914
1915/* Beware anonymous ciphers which lead to server_cert being NULL */
1916/*XXX server_cert is never freed... use X509_free() */
1917server_cert = SSL_get_peer_certificate (client_ssl);
1918if (server_cert)
1919 {
1920 tls_out.peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
1921 CS txt, sizeof(txt));
1922 tls_out.peerdn = txt; /*XXX a static buffer... */
1923 }
1924else
1925 tls_out.peerdn = NULL;
1926
1927construct_cipher_name(client_ssl, cipherbuf, sizeof(cipherbuf), &tls_out.bits);
1928tls_out.cipher = cipherbuf;
1929
1930/* Record the certificate we presented */
1931 {
1932 X509 * crt = SSL_get_certificate(client_ssl);
1933 tls_out.ourcert = crt ? X509_dup(crt) : NULL;
1934 }
1935
1936tls_out.active = fd;
1937return OK;
1938}
1939
1940
1941
1942
1943
1944/*************************************************
1945* TLS version of getc *
1946*************************************************/
1947
1948/* This gets the next byte from the TLS input buffer. If the buffer is empty,
1949it refills the buffer via the SSL reading function.
1950
1951Arguments: none
1952Returns: the next character or EOF
1953
1954Only used by the server-side TLS.
1955*/
1956
1957int
1958tls_getc(void)
1959{
1960if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
1961 {
1962 int error;
1963 int inbytes;
1964
1965 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
1966 ssl_xfer_buffer, ssl_xfer_buffer_size);
1967
1968 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1969 inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
1970 error = SSL_get_error(server_ssl, inbytes);
1971 alarm(0);
1972
1973 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
1974 closed down, not that the socket itself has been closed down. Revert to
1975 non-SSL handling. */
1976
1977 if (error == SSL_ERROR_ZERO_RETURN)
1978 {
1979 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1980
1981 receive_getc = smtp_getc;
1982 receive_ungetc = smtp_ungetc;
1983 receive_feof = smtp_feof;
1984 receive_ferror = smtp_ferror;
1985 receive_smtp_buffered = smtp_buffered;
1986
1987 SSL_free(server_ssl);
1988 server_ssl = NULL;
1989 tls_in.active = -1;
1990 tls_in.bits = 0;
1991 tls_in.cipher = NULL;
1992 tls_in.peerdn = NULL;
1993 tls_in.sni = NULL;
1994
1995 return smtp_getc();
1996 }
1997
1998 /* Handle genuine errors */
1999
2000 else if (error == SSL_ERROR_SSL)
2001 {
2002 ERR_error_string(ERR_get_error(), ssl_errstring);
2003 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
2004 ssl_xfer_error = 1;
2005 return EOF;
2006 }
2007
2008 else if (error != SSL_ERROR_NONE)
2009 {
2010 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2011 ssl_xfer_error = 1;
2012 return EOF;
2013 }
2014
2015#ifndef DISABLE_DKIM
2016 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
2017#endif
2018 ssl_xfer_buffer_hwm = inbytes;
2019 ssl_xfer_buffer_lwm = 0;
2020 }
2021
2022/* Something in the buffer; return next uschar */
2023
2024return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
2025}
2026
2027
2028
2029/*************************************************
2030* Read bytes from TLS channel *
2031*************************************************/
2032
2033/*
2034Arguments:
2035 buff buffer of data
2036 len size of buffer
2037
2038Returns: the number of bytes read
2039 -1 after a failed read
2040
2041Only used by the client-side TLS.
2042*/
2043
2044int
2045tls_read(BOOL is_server, uschar *buff, size_t len)
2046{
2047SSL *ssl = is_server ? server_ssl : client_ssl;
2048int inbytes;
2049int error;
2050
2051DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
2052 buff, (unsigned int)len);
2053
2054inbytes = SSL_read(ssl, CS buff, len);
2055error = SSL_get_error(ssl, inbytes);
2056
2057if (error == SSL_ERROR_ZERO_RETURN)
2058 {
2059 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2060 return -1;
2061 }
2062else if (error != SSL_ERROR_NONE)
2063 {
2064 return -1;
2065 }
2066
2067return inbytes;
2068}
2069
2070
2071
2072
2073
2074/*************************************************
2075* Write bytes down TLS channel *
2076*************************************************/
2077
2078/*
2079Arguments:
2080 is_server channel specifier
2081 buff buffer of data
2082 len number of bytes
2083
2084Returns: the number of bytes after a successful write,
2085 -1 after a failed write
2086
2087Used by both server-side and client-side TLS.
2088*/
2089
2090int
2091tls_write(BOOL is_server, const uschar *buff, size_t len)
2092{
2093int outbytes;
2094int error;
2095int left = len;
2096SSL *ssl = is_server ? server_ssl : client_ssl;
2097
2098DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left);
2099while (left > 0)
2100 {
2101 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
2102 outbytes = SSL_write(ssl, CS buff, left);
2103 error = SSL_get_error(ssl, outbytes);
2104 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
2105 switch (error)
2106 {
2107 case SSL_ERROR_SSL:
2108 ERR_error_string(ERR_get_error(), ssl_errstring);
2109 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
2110 return -1;
2111
2112 case SSL_ERROR_NONE:
2113 left -= outbytes;
2114 buff += outbytes;
2115 break;
2116
2117 case SSL_ERROR_ZERO_RETURN:
2118 log_write(0, LOG_MAIN, "SSL channel closed on write");
2119 return -1;
2120
2121 case SSL_ERROR_SYSCALL:
2122 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
2123 sender_fullhost ? sender_fullhost : US"<unknown>",
2124 strerror(errno));
2125
2126 default:
2127 log_write(0, LOG_MAIN, "SSL_write error %d", error);
2128 return -1;
2129 }
2130 }
2131return len;
2132}
2133
2134
2135
2136/*************************************************
2137* Close down a TLS session *
2138*************************************************/
2139
2140/* This is also called from within a delivery subprocess forked from the
2141daemon, to shut down the TLS library, without actually doing a shutdown (which
2142would tamper with the SSL session in the parent process).
2143
2144Arguments: TRUE if SSL_shutdown is to be called
2145Returns: nothing
2146
2147Used by both server-side and client-side TLS.
2148*/
2149
2150void
2151tls_close(BOOL is_server, BOOL shutdown)
2152{
2153SSL **sslp = is_server ? &server_ssl : &client_ssl;
2154int *fdp = is_server ? &tls_in.active : &tls_out.active;
2155
2156if (*fdp < 0) return; /* TLS was not active */
2157
2158if (shutdown)
2159 {
2160 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
2161 SSL_shutdown(*sslp);
2162 }
2163
2164SSL_free(*sslp);
2165*sslp = NULL;
2166
2167*fdp = -1;
2168}
2169
2170
2171
2172
2173/*************************************************
2174* Let tls_require_ciphers be checked at startup *
2175*************************************************/
2176
2177/* The tls_require_ciphers option, if set, must be something which the
2178library can parse.
2179
2180Returns: NULL on success, or error message
2181*/
2182
2183uschar *
2184tls_validate_require_cipher(void)
2185{
2186SSL_CTX *ctx;
2187uschar *s, *expciphers, *err;
2188
2189/* this duplicates from tls_init(), we need a better "init just global
2190state, for no specific purpose" singleton function of our own */
2191
2192SSL_load_error_strings();
2193OpenSSL_add_ssl_algorithms();
2194#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
2195/* SHA256 is becoming ever more popular. This makes sure it gets added to the
2196list of available digests. */
2197EVP_add_digest(EVP_sha256());
2198#endif
2199
2200if (!(tls_require_ciphers && *tls_require_ciphers))
2201 return NULL;
2202
2203if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
2204 return US"failed to expand tls_require_ciphers";
2205
2206if (!(expciphers && *expciphers))
2207 return NULL;
2208
2209/* normalisation ripped from above */
2210s = expciphers;
2211while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2212
2213err = NULL;
2214
2215ctx = SSL_CTX_new(SSLv23_server_method());
2216if (!ctx)
2217 {
2218 ERR_error_string(ERR_get_error(), ssl_errstring);
2219 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
2220 }
2221
2222DEBUG(D_tls)
2223 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2224
2225if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
2226 {
2227 ERR_error_string(ERR_get_error(), ssl_errstring);
2228 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed", expciphers);
2229 }
2230
2231SSL_CTX_free(ctx);
2232
2233return err;
2234}
2235
2236
2237
2238
2239/*************************************************
2240* Report the library versions. *
2241*************************************************/
2242
2243/* There have historically been some issues with binary compatibility in
2244OpenSSL libraries; if Exim (like many other applications) is built against
2245one version of OpenSSL but the run-time linker picks up another version,
2246it can result in serious failures, including crashing with a SIGSEGV. So
2247report the version found by the compiler and the run-time version.
2248
2249Note: some OS vendors backport security fixes without changing the version
2250number/string, and the version date remains unchanged. The _build_ date
2251will change, so we can more usefully assist with version diagnosis by also
2252reporting the build date.
2253
2254Arguments: a FILE* to print the results to
2255Returns: nothing
2256*/
2257
2258void
2259tls_version_report(FILE *f)
2260{
2261fprintf(f, "Library version: OpenSSL: Compile: %s\n"
2262 " Runtime: %s\n"
2263 " : %s\n",
2264 OPENSSL_VERSION_TEXT,
2265 SSLeay_version(SSLEAY_VERSION),
2266 SSLeay_version(SSLEAY_BUILT_ON));
2267/* third line is 38 characters for the %s and the line is 73 chars long;
2268the OpenSSL output includes a "built on: " prefix already. */
2269}
2270
2271
2272
2273
2274/*************************************************
2275* Random number generation *
2276*************************************************/
2277
2278/* Pseudo-random number generation. The result is not expected to be
2279cryptographically strong but not so weak that someone will shoot themselves
2280in the foot using it as a nonce in input in some email header scheme or
2281whatever weirdness they'll twist this into. The result should handle fork()
2282and avoid repeating sequences. OpenSSL handles that for us.
2283
2284Arguments:
2285 max range maximum
2286Returns a random number in range [0, max-1]
2287*/
2288
2289int
2290vaguely_random_number(int max)
2291{
2292unsigned int r;
2293int i, needed_len;
2294static pid_t pidlast = 0;
2295pid_t pidnow;
2296uschar *p;
2297uschar smallbuf[sizeof(r)];
2298
2299if (max <= 1)
2300 return 0;
2301
2302pidnow = getpid();
2303if (pidnow != pidlast)
2304 {
2305 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
2306 is unique for each thread", this doesn't apparently apply across processes,
2307 so our own warning from vaguely_random_number_fallback() applies here too.
2308 Fix per PostgreSQL. */
2309 if (pidlast != 0)
2310 RAND_cleanup();
2311 pidlast = pidnow;
2312 }
2313
2314/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
2315if (!RAND_status())
2316 {
2317 randstuff r;
2318 gettimeofday(&r.tv, NULL);
2319 r.p = getpid();
2320
2321 RAND_seed((uschar *)(&r), sizeof(r));
2322 }
2323/* We're after pseudo-random, not random; if we still don't have enough data
2324in the internal PRNG then our options are limited. We could sleep and hope
2325for entropy to come along (prayer technique) but if the system is so depleted
2326in the first place then something is likely to just keep taking it. Instead,
2327we'll just take whatever little bit of pseudo-random we can still manage to
2328get. */
2329
2330needed_len = sizeof(r);
2331/* Don't take 8 times more entropy than needed if int is 8 octets and we were
2332asked for a number less than 10. */
2333for (r = max, i = 0; r; ++i)
2334 r >>= 1;
2335i = (i + 7) / 8;
2336if (i < needed_len)
2337 needed_len = i;
2338
2339/* We do not care if crypto-strong */
2340i = RAND_pseudo_bytes(smallbuf, needed_len);
2341if (i < 0)
2342 {
2343 DEBUG(D_all)
2344 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
2345 return vaguely_random_number_fallback(max);
2346 }
2347
2348r = 0;
2349for (p = smallbuf; needed_len; --needed_len, ++p)
2350 {
2351 r *= 256;
2352 r += *p;
2353 }
2354
2355/* We don't particularly care about weighted results; if someone wants
2356smooth distribution and cares enough then they should submit a patch then. */
2357return r % max;
2358}
2359
2360
2361
2362
2363/*************************************************
2364* OpenSSL option parse *
2365*************************************************/
2366
2367/* Parse one option for tls_openssl_options_parse below
2368
2369Arguments:
2370 name one option name
2371 value place to store a value for it
2372Returns success or failure in parsing
2373*/
2374
2375struct exim_openssl_option {
2376 uschar *name;
2377 long value;
2378};
2379/* We could use a macro to expand, but we need the ifdef and not all the
2380options document which version they were introduced in. Policylet: include
2381all options unless explicitly for DTLS, let the administrator choose which
2382to apply.
2383
2384This list is current as of:
2385 ==> 1.0.1b <==
2386Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
2387*/
2388static struct exim_openssl_option exim_openssl_options[] = {
2389/* KEEP SORTED ALPHABETICALLY! */
2390#ifdef SSL_OP_ALL
2391 { US"all", SSL_OP_ALL },
2392#endif
2393#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
2394 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
2395#endif
2396#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
2397 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
2398#endif
2399#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
2400 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
2401#endif
2402#ifdef SSL_OP_EPHEMERAL_RSA
2403 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
2404#endif
2405#ifdef SSL_OP_LEGACY_SERVER_CONNECT
2406 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
2407#endif
2408#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
2409 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
2410#endif
2411#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
2412 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
2413#endif
2414#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
2415 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
2416#endif
2417#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
2418 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
2419#endif
2420#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
2421 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
2422#endif
2423#ifdef SSL_OP_NO_COMPRESSION
2424 { US"no_compression", SSL_OP_NO_COMPRESSION },
2425#endif
2426#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
2427 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
2428#endif
2429#ifdef SSL_OP_NO_SSLv2
2430 { US"no_sslv2", SSL_OP_NO_SSLv2 },
2431#endif
2432#ifdef SSL_OP_NO_SSLv3
2433 { US"no_sslv3", SSL_OP_NO_SSLv3 },
2434#endif
2435#ifdef SSL_OP_NO_TICKET
2436 { US"no_ticket", SSL_OP_NO_TICKET },
2437#endif
2438#ifdef SSL_OP_NO_TLSv1
2439 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
2440#endif
2441#ifdef SSL_OP_NO_TLSv1_1
2442#if SSL_OP_NO_TLSv1_1 == 0x00000400L
2443 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
2444#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
2445#else
2446 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
2447#endif
2448#endif
2449#ifdef SSL_OP_NO_TLSv1_2
2450 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
2451#endif
2452#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
2453 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
2454#endif
2455#ifdef SSL_OP_SINGLE_DH_USE
2456 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
2457#endif
2458#ifdef SSL_OP_SINGLE_ECDH_USE
2459 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
2460#endif
2461#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
2462 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
2463#endif
2464#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
2465 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
2466#endif
2467#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
2468 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
2469#endif
2470#ifdef SSL_OP_TLS_D5_BUG
2471 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
2472#endif
2473#ifdef SSL_OP_TLS_ROLLBACK_BUG
2474 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
2475#endif
2476};
2477static int exim_openssl_options_size =
2478 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
2479
2480
2481static BOOL
2482tls_openssl_one_option_parse(uschar *name, long *value)
2483{
2484int first = 0;
2485int last = exim_openssl_options_size;
2486while (last > first)
2487 {
2488 int middle = (first + last)/2;
2489 int c = Ustrcmp(name, exim_openssl_options[middle].name);
2490 if (c == 0)
2491 {
2492 *value = exim_openssl_options[middle].value;
2493 return TRUE;
2494 }
2495 else if (c > 0)
2496 first = middle + 1;
2497 else
2498 last = middle;
2499 }
2500return FALSE;
2501}
2502
2503
2504
2505
2506/*************************************************
2507* OpenSSL option parsing logic *
2508*************************************************/
2509
2510/* OpenSSL has a number of compatibility options which an administrator might
2511reasonably wish to set. Interpret a list similarly to decode_bits(), so that
2512we look like log_selector.
2513
2514Arguments:
2515 option_spec the administrator-supplied string of options
2516 results ptr to long storage for the options bitmap
2517Returns success or failure
2518*/
2519
2520BOOL
2521tls_openssl_options_parse(uschar *option_spec, long *results)
2522{
2523long result, item;
2524uschar *s, *end;
2525uschar keep_c;
2526BOOL adding, item_parsed;
2527
2528result = 0L;
2529/* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
2530 * from default because it increases BEAST susceptibility. */
2531#ifdef SSL_OP_NO_SSLv2
2532result |= SSL_OP_NO_SSLv2;
2533#endif
2534
2535if (option_spec == NULL)
2536 {
2537 *results = result;
2538 return TRUE;
2539 }
2540
2541for (s=option_spec; *s != '\0'; /**/)
2542 {
2543 while (isspace(*s)) ++s;
2544 if (*s == '\0')
2545 break;
2546 if (*s != '+' && *s != '-')
2547 {
2548 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
2549 "+ or - expected but found \"%s\"\n", s);
2550 return FALSE;
2551 }
2552 adding = *s++ == '+';
2553 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
2554 keep_c = *end;
2555 *end = '\0';
2556 item_parsed = tls_openssl_one_option_parse(s, &item);
2557 if (!item_parsed)
2558 {
2559 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
2560 return FALSE;
2561 }
2562 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
2563 adding ? "adding" : "removing", result, item, s);
2564 if (adding)
2565 result |= item;
2566 else
2567 result &= ~item;
2568 *end = keep_c;
2569 s = end;
2570 }
2571
2572*results = result;
2573return TRUE;
2574}
2575
2576/* vi: aw ai sw=2
2577*/
2578/* End of tls-openssl.c */
Unnamed repository; edit this file 'description' to name the repository.