projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Use C99 initialisations for iterators
[exim.git] / src / src / tls-openssl.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* Portions Copyright (c) The OpenSSL Project 1999 */
9
10 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11 library. It is #included into the tls.c file when that library is used. The
12 code herein is based on a patch that was originally contributed by Steve
13 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15 No cryptographic code is included in Exim. All this module does is to call
16 functions from the OpenSSL library. */
17
18
19 /* Heading stuff */
20
21 #include <openssl/lhash.h>
22 #include <openssl/ssl.h>
23 #include <openssl/err.h>
24 #include <openssl/rand.h>
25 #ifndef OPENSSL_NO_ECDH
26 # include <openssl/ec.h>
27 #endif
28 #ifndef DISABLE_OCSP
29 # include <openssl/ocsp.h>
30 #endif
31 #ifdef SUPPORT_DANE
32 # include "danessl.h"
33 #endif
34
35
36 #ifndef DISABLE_OCSP
37 # define EXIM_OCSP_SKEW_SECONDS (300L)
38 # define EXIM_OCSP_MAX_AGE (-1L)
39 #endif
40
41 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
42 # define EXIM_HAVE_OPENSSL_TLSEXT
43 #endif
44 #if OPENSSL_VERSION_NUMBER >= 0x00908000L
45 # define EXIM_HAVE_RSA_GENKEY_EX
46 #endif
47 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
48 # define EXIM_HAVE_OCSP_RESP_COUNT
49 #else
50 # define EXIM_HAVE_EPHEM_RSA_KEX
51 # define EXIM_HAVE_RAND_PSEUDO
52 #endif
53 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
54 # define EXIM_HAVE_SHA256
55 #endif
56
57 /* X509_check_host provides sane certificate hostname checking, but was added
58 to OpenSSL late, after other projects forked off the code-base. So in
59 addition to guarding against the base version number, beware that LibreSSL
60 does not (at this time) support this function.
61
62 If LibreSSL gains a different API, perhaps via libtls, then we'll probably
63 opt to disentangle and ask a LibreSSL user to provide glue for a third
64 crypto provider for libtls instead of continuing to tie the OpenSSL glue
65 into even twistier knots. If LibreSSL gains the same API, we can just
66 change this guard and punt the issue for a while longer. */
67
68 #ifndef LIBRESSL_VERSION_NUMBER
69 # if OPENSSL_VERSION_NUMBER >= 0x010100000L
70 # define EXIM_HAVE_OPENSSL_CHECKHOST
71 # define EXIM_HAVE_OPENSSL_DH_BITS
72 # define EXIM_HAVE_OPENSSL_TLS_METHOD
73 # else
74 # define EXIM_NEED_OPENSSL_INIT
75 # endif
76 # if OPENSSL_VERSION_NUMBER >= 0x010000000L \
77 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
78 # define EXIM_HAVE_OPENSSL_CHECKHOST
79 # endif
80 #endif
81
82 #if !defined(LIBRESSL_VERSION_NUMBER) \
83 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
84 # if !defined(OPENSSL_NO_ECDH)
85 # if OPENSSL_VERSION_NUMBER >= 0x0090800fL
86 # define EXIM_HAVE_ECDH
87 # endif
88 # if OPENSSL_VERSION_NUMBER >= 0x10002000L
89 # define EXIM_HAVE_OPENSSL_EC_NIST2NID
90 # endif
91 # endif
92 #endif
93
94 #if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
95 # warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
96 # define DISABLE_OCSP
97 #endif
98
99 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
100 # include <openssl/x509v3.h>
101 #endif
102
103 /*************************************************
104 * OpenSSL option parse *
105 *************************************************/
106
107 typedef struct exim_openssl_option {
108 uschar *name;
109 long value;
110 } exim_openssl_option;
111 /* We could use a macro to expand, but we need the ifdef and not all the
112 options document which version they were introduced in. Policylet: include
113 all options unless explicitly for DTLS, let the administrator choose which
114 to apply.
115
116 This list is current as of:
117 ==> 1.0.1b <==
118 Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
119 Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev
120 */
121 static exim_openssl_option exim_openssl_options[] = {
122 /* KEEP SORTED ALPHABETICALLY! */
123 #ifdef SSL_OP_ALL
124 { US"all", SSL_OP_ALL },
125 #endif
126 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
127 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
128 #endif
129 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
130 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
131 #endif
132 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
133 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
134 #endif
135 #ifdef SSL_OP_EPHEMERAL_RSA
136 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
137 #endif
138 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
139 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
140 #endif
141 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
142 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
143 #endif
144 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
145 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
146 #endif
147 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
148 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
149 #endif
150 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
151 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
152 #endif
153 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
154 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
155 #endif
156 #ifdef SSL_OP_NO_COMPRESSION
157 { US"no_compression", SSL_OP_NO_COMPRESSION },
158 #endif
159 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
160 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
161 #endif
162 #ifdef SSL_OP_NO_SSLv2
163 { US"no_sslv2", SSL_OP_NO_SSLv2 },
164 #endif
165 #ifdef SSL_OP_NO_SSLv3
166 { US"no_sslv3", SSL_OP_NO_SSLv3 },
167 #endif
168 #ifdef SSL_OP_NO_TICKET
169 { US"no_ticket", SSL_OP_NO_TICKET },
170 #endif
171 #ifdef SSL_OP_NO_TLSv1
172 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
173 #endif
174 #ifdef SSL_OP_NO_TLSv1_1
175 #if SSL_OP_NO_TLSv1_1 == 0x00000400L
176 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
177 #warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
178 #else
179 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
180 #endif
181 #endif
182 #ifdef SSL_OP_NO_TLSv1_2
183 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
184 #endif
185 #ifdef SSL_OP_NO_TLSv1_3
186 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
187 #endif
188 #ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
189 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
190 #endif
191 #ifdef SSL_OP_SINGLE_DH_USE
192 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
193 #endif
194 #ifdef SSL_OP_SINGLE_ECDH_USE
195 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
196 #endif
197 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
198 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
199 #endif
200 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
201 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
202 #endif
203 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
204 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
205 #endif
206 #ifdef SSL_OP_TLS_D5_BUG
207 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
208 #endif
209 #ifdef SSL_OP_TLS_ROLLBACK_BUG
210 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
211 #endif
212 };
213
214 #ifndef MACRO_PREDEF
215 static int exim_openssl_options_size = nelem(exim_openssl_options);
216 #endif
217
218 #ifdef MACRO_PREDEF
219 void
220 options_tls(void)
221 {
222 uschar buf[64];
223
224 for (struct exim_openssl_option * o = exim_openssl_options;
225 o < exim_openssl_options + nelem(exim_openssl_options); o++)
226 {
227 /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
228 being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
229
230 spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
231 builtin_macro_create(buf);
232 }
233 }
234 #else
235
236 /******************************************************************************/
237
238 /* Structure for collecting random data for seeding. */
239
240 typedef struct randstuff {
241 struct timeval tv;
242 pid_t p;
243 } randstuff;
244
245 /* Local static variables */
246
247 static BOOL client_verify_callback_called = FALSE;
248 static BOOL server_verify_callback_called = FALSE;
249 static const uschar *sid_ctx = US"exim";
250
251 /* We have three different contexts to care about.
252
253 Simple case: client, `client_ctx`
254 As a client, we can be doing a callout or cut-through delivery while receiving
255 a message. So we have a client context, which should have options initialised
256 from the SMTP Transport. We may also concurrently want to make TLS connections
257 to utility daemons, so client-contexts are allocated and passed around in call
258 args rather than using a gobal.
259
260 Server:
261 There are two cases: with and without ServerNameIndication from the client.
262 Given TLS SNI, we can be using different keys, certs and various other
263 configuration settings, because they're re-expanded with $tls_sni set. This
264 allows vhosting with TLS. This SNI is sent in the handshake.
265 A client might not send SNI, so we need a fallback, and an initial setup too.
266 So as a server, we start out using `server_ctx`.
267 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
268 `server_sni` from `server_ctx` and then initialise settings by re-expanding
269 configuration.
270 */
271
272 typedef struct {
273 SSL_CTX * ctx;
274 SSL * ssl;
275 } exim_openssl_client_tls_ctx;
276
277 static SSL_CTX *server_ctx = NULL;
278 static SSL *server_ssl = NULL;
279
280 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
281 static SSL_CTX *server_sni = NULL;
282 #endif
283
284 static char ssl_errstring[256];
285
286 static int ssl_session_timeout = 200;
287 static BOOL client_verify_optional = FALSE;
288 static BOOL server_verify_optional = FALSE;
289
290 static BOOL reexpand_tls_files_for_sni = FALSE;
291
292
293 typedef struct tls_ext_ctx_cb {
294 uschar *certificate;
295 uschar *privatekey;
296 BOOL is_server;
297 #ifndef DISABLE_OCSP
298 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
299 union {
300 struct {
301 uschar *file;
302 uschar *file_expanded;
303 OCSP_RESPONSE *response;
304 } server;
305 struct {
306 X509_STORE *verify_store; /* non-null if status requested */
307 BOOL verify_required;
308 } client;
309 } u_ocsp;
310 #endif
311 uschar *dhparam;
312 /* these are cached from first expand */
313 uschar *server_cipher_list;
314 /* only passed down to tls_error: */
315 host_item *host;
316 const uschar * verify_cert_hostnames;
317 #ifndef DISABLE_EVENT
318 uschar * event_action;
319 #endif
320 } tls_ext_ctx_cb;
321
322 /* should figure out a cleanup of API to handle state preserved per
323 implementation, for various reasons, which can be void * in the APIs.
324 For now, we hack around it. */
325 tls_ext_ctx_cb *client_static_cbinfo = NULL;
326 tls_ext_ctx_cb *server_static_cbinfo = NULL;
327
328 static int
329 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
330 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
331
332 /* Callbacks */
333 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
334 static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
335 #endif
336 #ifndef DISABLE_OCSP
337 static int tls_server_stapling_cb(SSL *s, void *arg);
338 #endif
339
340
341 /*************************************************
342 * Handle TLS error *
343 *************************************************/
344
345 /* Called from lots of places when errors occur before actually starting to do
346 the TLS handshake, that is, while the session is still in clear. Always returns
347 DEFER for a server and FAIL for a client so that most calls can use "return
348 tls_error(...)" to do this processing and then give an appropriate return. A
349 single function is used for both server and client, because it is called from
350 some shared functions.
351
352 Argument:
353 prefix text to include in the logged error
354 host NULL if setting up a server;
355 the connected host if setting up a client
356 msg error message or NULL if we should ask OpenSSL
357 errstr pointer to output error message
358
359 Returns: OK/DEFER/FAIL
360 */
361
362 static int
363 tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
364 {
365 if (!msg)
366 {
367 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
368 msg = US ssl_errstring;
369 }
370
371 msg = string_sprintf("(%s): %s", prefix, msg);
372 DEBUG(D_tls) debug_printf("TLS error '%s'\n", msg);
373 if (errstr) *errstr = msg;
374 return host ? FAIL : DEFER;
375 }
376
377
378
379 /*************************************************
380 * Callback to generate RSA key *
381 *************************************************/
382
383 /*
384 Arguments:
385 s SSL connection (not used)
386 export not used
387 keylength keylength
388
389 Returns: pointer to generated key
390 */
391
392 static RSA *
393 rsa_callback(SSL *s, int export, int keylength)
394 {
395 RSA *rsa_key;
396 #ifdef EXIM_HAVE_RSA_GENKEY_EX
397 BIGNUM *bn = BN_new();
398 #endif
399
400 export = export; /* Shut picky compilers up */
401 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
402
403 #ifdef EXIM_HAVE_RSA_GENKEY_EX
404 if ( !BN_set_word(bn, (unsigned long)RSA_F4)
405 || !(rsa_key = RSA_new())
406 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
407 )
408 #else
409 if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
410 #endif
411
412 {
413 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
414 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
415 ssl_errstring);
416 return NULL;
417 }
418 return rsa_key;
419 }
420
421
422
423 /* Extreme debug
424 #ifndef DISABLE_OCSP
425 void
426 x509_store_dump_cert_s_names(X509_STORE * store)
427 {
428 STACK_OF(X509_OBJECT) * roots= store->objs;
429 static uschar name[256];
430
431 for (int i= 0; i < sk_X509_OBJECT_num(roots); i++)
432 {
433 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
434 if(tmp_obj->type == X509_LU_X509)
435 {
436 X509_NAME * sn = X509_get_subject_name(tmp_obj->data.x509);
437 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
438 {
439 name[sizeof(name)-1] = '\0';
440 debug_printf(" %s\n", name);
441 }
442 }
443 }
444 }
445 #endif
446 */
447
448
449 #ifndef DISABLE_EVENT
450 static int
451 verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
452 BOOL *calledp, const BOOL *optionalp, const uschar * what)
453 {
454 uschar * ev;
455 uschar * yield;
456 X509 * old_cert;
457
458 ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
459 if (ev)
460 {
461 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
462 old_cert = tlsp->peercert;
463 tlsp->peercert = X509_dup(cert);
464 /* NB we do not bother setting peerdn */
465 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
466 {
467 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
468 "depth=%d cert=%s: %s",
469 tlsp == &tls_out ? deliver_host_address : sender_host_address,
470 what, depth, dn, yield);
471 *calledp = TRUE;
472 if (!*optionalp)
473 {
474 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
475 return 1; /* reject (leaving peercert set) */
476 }
477 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
478 "(host in tls_try_verify_hosts)\n");
479 }
480 X509_free(tlsp->peercert);
481 tlsp->peercert = old_cert;
482 }
483 return 0;
484 }
485 #endif
486
487 /*************************************************
488 * Callback for verification *
489 *************************************************/
490
491 /* The SSL library does certificate verification if set up to do so. This
492 callback has the current yes/no state is in "state". If verification succeeded,
493 we set the certificate-verified flag. If verification failed, what happens
494 depends on whether the client is required to present a verifiable certificate
495 or not.
496
497 If verification is optional, we change the state to yes, but still log the
498 verification error. For some reason (it really would help to have proper
499 documentation of OpenSSL), this callback function then gets called again, this
500 time with state = 1. We must take care not to set the private verified flag on
501 the second time through.
502
503 Note: this function is not called if the client fails to present a certificate
504 when asked. We get here only if a certificate has been received. Handling of
505 optional verification for this case is done when requesting SSL to verify, by
506 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
507
508 May be called multiple times for different issues with a certificate, even
509 for a given "depth" in the certificate chain.
510
511 Arguments:
512 preverify_ok current yes/no state as 1/0
513 x509ctx certificate information.
514 tlsp per-direction (client vs. server) support data
515 calledp has-been-called flag
516 optionalp verification-is-optional flag
517
518 Returns: 0 if verification should fail, otherwise 1
519 */
520
521 static int
522 verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
523 tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
524 {
525 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
526 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
527 uschar dn[256];
528
529 if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
530 {
531 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
532 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
533 tlsp == &tls_out ? deliver_host_address : sender_host_address);
534 return 0;
535 }
536 dn[sizeof(dn)-1] = '\0';
537
538 if (preverify_ok == 0)
539 {
540 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
541 *verify_mode, sender_host_address)
542 : US"";
543 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
544 tlsp == &tls_out ? deliver_host_address : sender_host_address,
545 extra, depth,
546 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
547 *calledp = TRUE;
548 if (!*optionalp)
549 {
550 if (!tlsp->peercert)
551 tlsp->peercert = X509_dup(cert); /* record failing cert */
552 return 0; /* reject */
553 }
554 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
555 "tls_try_verify_hosts)\n");
556 }
557
558 else if (depth != 0)
559 {
560 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
561 #ifndef DISABLE_OCSP
562 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
563 { /* client, wanting stapling */
564 /* Add the server cert's signing chain as the one
565 for the verification of the OCSP stapled information. */
566
567 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
568 cert))
569 ERR_clear_error();
570 sk_X509_push(client_static_cbinfo->verify_stack, cert);
571 }
572 #endif
573 #ifndef DISABLE_EVENT
574 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
575 return 0; /* reject, with peercert set */
576 #endif
577 }
578 else
579 {
580 const uschar * verify_cert_hostnames;
581
582 if ( tlsp == &tls_out
583 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
584 /* client, wanting hostname check */
585 {
586
587 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
588 # ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
589 # define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
590 # endif
591 # ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
592 # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
593 # endif
594 int sep = 0;
595 const uschar * list = verify_cert_hostnames;
596 uschar * name;
597 int rc;
598 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
599 if ((rc = X509_check_host(cert, CCS name, 0,
600 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
601 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
602 NULL)))
603 {
604 if (rc < 0)
605 {
606 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
607 tlsp == &tls_out ? deliver_host_address : sender_host_address);
608 name = NULL;
609 }
610 break;
611 }
612 if (!name)
613 #else
614 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
615 #endif
616 {
617 uschar * extra = verify_mode
618 ? string_sprintf(" (during %c-verify for [%s])",
619 *verify_mode, sender_host_address)
620 : US"";
621 log_write(0, LOG_MAIN,
622 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
623 tlsp == &tls_out ? deliver_host_address : sender_host_address,
624 extra, dn, verify_cert_hostnames);
625 *calledp = TRUE;
626 if (!*optionalp)
627 {
628 if (!tlsp->peercert)
629 tlsp->peercert = X509_dup(cert); /* record failing cert */
630 return 0; /* reject */
631 }
632 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
633 "tls_try_verify_hosts)\n");
634 }
635 }
636
637 #ifndef DISABLE_EVENT
638 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
639 return 0; /* reject, with peercert set */
640 #endif
641
642 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
643 *calledp ? "" : " authenticated", dn);
644 if (!*calledp) tlsp->certificate_verified = TRUE;
645 *calledp = TRUE;
646 }
647
648 return 1; /* accept, at least for this level */
649 }
650
651 static int
652 verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
653 {
654 return verify_callback(preverify_ok, x509ctx, &tls_out,
655 &client_verify_callback_called, &client_verify_optional);
656 }
657
658 static int
659 verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
660 {
661 return verify_callback(preverify_ok, x509ctx, &tls_in,
662 &server_verify_callback_called, &server_verify_optional);
663 }
664
665
666 #ifdef SUPPORT_DANE
667
668 /* This gets called *by* the dane library verify callback, which interposes
669 itself.
670 */
671 static int
672 verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
673 {
674 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
675 uschar dn[256];
676 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
677 #ifndef DISABLE_EVENT
678 BOOL dummy_called, optional = FALSE;
679 #endif
680
681 if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
682 {
683 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
684 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
685 deliver_host_address);
686 return 0;
687 }
688 dn[sizeof(dn)-1] = '\0';
689
690 DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
691 preverify_ok ? "ok":"BAD", depth, dn);
692
693 #ifndef DISABLE_EVENT
694 if (verify_event(&tls_out, cert, depth, dn,
695 &dummy_called, &optional, US"DANE"))
696 return 0; /* reject, with peercert set */
697 #endif
698
699 if (preverify_ok == 1)
700 {
701 tls_out.dane_verified = tls_out.certificate_verified = TRUE;
702 #ifndef DISABLE_OCSP
703 if (client_static_cbinfo->u_ocsp.client.verify_store)
704 { /* client, wanting stapling */
705 /* Add the server cert's signing chain as the one
706 for the verification of the OCSP stapled information. */
707
708 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
709 cert))
710 ERR_clear_error();
711 sk_X509_push(client_static_cbinfo->verify_stack, cert);
712 }
713 #endif
714 }
715 else
716 {
717 int err = X509_STORE_CTX_get_error(x509ctx);
718 DEBUG(D_tls)
719 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
720 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
721 preverify_ok = 1;
722 }
723 return preverify_ok;
724 }
725
726 #endif /*SUPPORT_DANE*/
727
728
729 /*************************************************
730 * Information callback *
731 *************************************************/
732
733 /* The SSL library functions call this from time to time to indicate what they
734 are doing. We copy the string to the debugging output when TLS debugging has
735 been requested.
736
737 Arguments:
738 s the SSL connection
739 where
740 ret
741
742 Returns: nothing
743 */
744
745 static void
746 info_callback(SSL *s, int where, int ret)
747 {
748 DEBUG(D_tls)
749 {
750 const uschar * str;
751
752 if (where & SSL_ST_CONNECT)
753 str = US"SSL_connect";
754 else if (where & SSL_ST_ACCEPT)
755 str = US"SSL_accept";
756 else
757 str = US"SSL info (undefined)";
758
759 if (where & SSL_CB_LOOP)
760 debug_printf("%s: %s\n", str, SSL_state_string_long(s));
761 else if (where & SSL_CB_ALERT)
762 debug_printf("SSL3 alert %s:%s:%s\n",
763 str = where & SSL_CB_READ ? US"read" : US"write",
764 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
765 else if (where & SSL_CB_EXIT)
766 if (ret == 0)
767 debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s));
768 else if (ret < 0)
769 debug_printf("%s: error in %s\n", str, SSL_state_string_long(s));
770 else if (where & SSL_CB_HANDSHAKE_START)
771 debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s));
772 else if (where & SSL_CB_HANDSHAKE_DONE)
773 debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s));
774 }
775 }
776
777
778
779 /*************************************************
780 * Initialize for DH *
781 *************************************************/
782
783 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
784
785 Arguments:
786 sctx The current SSL CTX (inbound or outbound)
787 dhparam DH parameter file or fixed parameter identity string
788 host connected host, if client; NULL if server
789 errstr error string pointer
790
791 Returns: TRUE if OK (nothing to set up, or setup worked)
792 */
793
794 static BOOL
795 init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
796 {
797 BIO *bio;
798 DH *dh;
799 uschar *dhexpanded;
800 const char *pem;
801 int dh_bitsize;
802
803 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
804 return FALSE;
805
806 if (!dhexpanded || !*dhexpanded)
807 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
808 else if (dhexpanded[0] == '/')
809 {
810 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
811 {
812 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
813 host, US strerror(errno), errstr);
814 return FALSE;
815 }
816 }
817 else
818 {
819 if (Ustrcmp(dhexpanded, "none") == 0)
820 {
821 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
822 return TRUE;
823 }
824
825 if (!(pem = std_dh_prime_named(dhexpanded)))
826 {
827 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
828 host, US strerror(errno), errstr);
829 return FALSE;
830 }
831 bio = BIO_new_mem_buf(CS pem, -1);
832 }
833
834 if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
835 {
836 BIO_free(bio);
837 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
838 host, NULL, errstr);
839 return FALSE;
840 }
841
842 /* note: our default limit of 2236 is not a multiple of 8; the limit comes from
843 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
844 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
845 * If someone wants to dance at the edge, then they can raise the limit or use
846 * current libraries. */
847 #ifdef EXIM_HAVE_OPENSSL_DH_BITS
848 /* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
849 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
850 dh_bitsize = DH_bits(dh);
851 #else
852 dh_bitsize = 8 * DH_size(dh);
853 #endif
854
855 /* Even if it is larger, we silently return success rather than cause things
856 * to fail out, so that a too-large DH will not knock out all TLS; it's a
857 * debatable choice. */
858 if (dh_bitsize > tls_dh_max_bits)
859 {
860 DEBUG(D_tls)
861 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
862 dh_bitsize, tls_dh_max_bits);
863 }
864 else
865 {
866 SSL_CTX_set_tmp_dh(sctx, dh);
867 DEBUG(D_tls)
868 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
869 dhexpanded ? dhexpanded : US"default", dh_bitsize);
870 }
871
872 DH_free(dh);
873 BIO_free(bio);
874
875 return TRUE;
876 }
877
878
879
880
881 /*************************************************
882 * Initialize for ECDH *
883 *************************************************/
884
885 /* Load parameters for ECDH encryption.
886
887 For now, we stick to NIST P-256 because: it's simple and easy to configure;
888 it avoids any patent issues that might bite redistributors; despite events in
889 the news and concerns over curve choices, we're not cryptographers, we're not
890 pretending to be, and this is "good enough" to be better than no support,
891 protecting against most adversaries. Given another year or two, there might
892 be sufficient clarity about a "right" way forward to let us make an informed
893 decision, instead of a knee-jerk reaction.
894
895 Longer-term, we should look at supporting both various named curves and
896 external files generated with "openssl ecparam", much as we do for init_dh().
897 We should also support "none" as a value, to explicitly avoid initialisation.
898
899 Patches welcome.
900
901 Arguments:
902 sctx The current SSL CTX (inbound or outbound)
903 host connected host, if client; NULL if server
904 errstr error string pointer
905
906 Returns: TRUE if OK (nothing to set up, or setup worked)
907 */
908
909 static BOOL
910 init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
911 {
912 #ifdef OPENSSL_NO_ECDH
913 return TRUE;
914 #else
915
916 EC_KEY * ecdh;
917 uschar * exp_curve;
918 int nid;
919 BOOL rv;
920
921 if (host) /* No ECDH setup for clients, only for servers */
922 return TRUE;
923
924 # ifndef EXIM_HAVE_ECDH
925 DEBUG(D_tls)
926 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
927 return TRUE;
928 # else
929
930 if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
931 return FALSE;
932 if (!exp_curve || !*exp_curve)
933 return TRUE;
934
935 /* "auto" needs to be handled carefully.
936 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
937 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
938 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
939 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
940 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
941 */
942 if (Ustrcmp(exp_curve, "auto") == 0)
943 {
944 #if OPENSSL_VERSION_NUMBER < 0x10002000L
945 DEBUG(D_tls) debug_printf(
946 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
947 exp_curve = US"prime256v1";
948 #else
949 # if defined SSL_CTRL_SET_ECDH_AUTO
950 DEBUG(D_tls) debug_printf(
951 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
952 SSL_CTX_set_ecdh_auto(sctx, 1);
953 return TRUE;
954 # else
955 DEBUG(D_tls) debug_printf(
956 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
957 return TRUE;
958 # endif
959 #endif
960 }
961
962 DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
963 if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
964 # ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
965 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
966 # endif
967 )
968 {
969 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
970 host, NULL, errstr);
971 return FALSE;
972 }
973
974 if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
975 {
976 tls_error(US"Unable to create ec curve", host, NULL, errstr);
977 return FALSE;
978 }
979
980 /* The "tmp" in the name here refers to setting a temporary key
981 not to the stability of the interface. */
982
983 if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
984 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
985 else
986 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
987
988 EC_KEY_free(ecdh);
989 return !rv;
990
991 # endif /*EXIM_HAVE_ECDH*/
992 #endif /*OPENSSL_NO_ECDH*/
993 }
994
995
996
997
998 #ifndef DISABLE_OCSP
999 /*************************************************
1000 * Load OCSP information into state *
1001 *************************************************/
1002 /* Called to load the server OCSP response from the given file into memory, once
1003 caller has determined this is needed. Checks validity. Debugs a message
1004 if invalid.
1005
1006 ASSUMES: single response, for single cert.
1007
1008 Arguments:
1009 sctx the SSL_CTX* to update
1010 cbinfo various parts of session state
1011 expanded the filename putatively holding an OCSP response
1012
1013 */
1014
1015 static void
1016 ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
1017 {
1018 BIO * bio;
1019 OCSP_RESPONSE * resp;
1020 OCSP_BASICRESP * basic_response;
1021 OCSP_SINGLERESP * single_response;
1022 ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
1023 STACK_OF(X509) * sk;
1024 unsigned long verify_flags;
1025 int status, reason, i;
1026
1027 cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
1028 if (cbinfo->u_ocsp.server.response)
1029 {
1030 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
1031 cbinfo->u_ocsp.server.response = NULL;
1032 }
1033
1034 if (!(bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb")))
1035 {
1036 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
1037 cbinfo->u_ocsp.server.file_expanded);
1038 return;
1039 }
1040
1041 resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
1042 BIO_free(bio);
1043 if (!resp)
1044 {
1045 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
1046 return;
1047 }
1048
1049 if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
1050 {
1051 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
1052 OCSP_response_status_str(status), status);
1053 goto bad;
1054 }
1055
1056 if (!(basic_response = OCSP_response_get1_basic(resp)))
1057 {
1058 DEBUG(D_tls)
1059 debug_printf("OCSP response parse error: unable to extract basic response.\n");
1060 goto bad;
1061 }
1062
1063 sk = cbinfo->verify_stack;
1064 verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
1065
1066 /* May need to expose ability to adjust those flags?
1067 OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
1068 OCSP_TRUSTOTHER OCSP_NOINTERN */
1069
1070 /* This does a full verify on the OCSP proof before we load it for serving
1071 up; possibly overkill - just date-checks might be nice enough.
1072
1073 OCSP_basic_verify takes a "store" arg, but does not
1074 use it for the chain verification, which is all we do
1075 when OCSP_NOVERIFY is set. The content from the wire
1076 "basic_response" and a cert-stack "sk" are all that is used.
1077
1078 We have a stack, loaded in setup_certs() if tls_verify_certificates
1079 was a file (not a directory, or "system"). It is unfortunate we
1080 cannot used the connection context store, as that would neatly
1081 handle the "system" case too, but there seems to be no library
1082 function for getting a stack from a store.
1083 [ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
1084 We do not free the stack since it could be needed a second time for
1085 SNI handling.
1086
1087 Separately we might try to replace using OCSP_basic_verify() - which seems to not
1088 be a public interface into the OpenSSL library (there's no manual entry) -
1089 But what with? We also use OCSP_basic_verify in the client stapling callback.
1090 And there we NEED it; we must verify that status... unless the
1091 library does it for us anyway? */
1092
1093 if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
1094 {
1095 DEBUG(D_tls)
1096 {
1097 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
1098 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
1099 }
1100 goto bad;
1101 }
1102
1103 /* Here's the simplifying assumption: there's only one response, for the
1104 one certificate we use, and nothing for anything else in a chain. If this
1105 proves false, we need to extract a cert id from our issued cert
1106 (tls_certificate) and use that for OCSP_resp_find_status() (which finds the
1107 right cert in the stack and then calls OCSP_single_get0_status()).
1108
1109 I'm hoping to avoid reworking a bunch more of how we handle state here. */
1110
1111 if (!(single_response = OCSP_resp_get0(basic_response, 0)))
1112 {
1113 DEBUG(D_tls)
1114 debug_printf("Unable to get first response from OCSP basic response.\n");
1115 goto bad;
1116 }
1117
1118 status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
1119 if (status != V_OCSP_CERTSTATUS_GOOD)
1120 {
1121 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
1122 OCSP_cert_status_str(status), status,
1123 OCSP_crl_reason_str(reason), reason);
1124 goto bad;
1125 }
1126
1127 if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1128 {
1129 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
1130 goto bad;
1131 }
1132
1133 supply_response:
1134 cbinfo->u_ocsp.server.response = resp; /*XXX stack?*/
1135 return;
1136
1137 bad:
1138 if (f.running_in_test_harness)
1139 {
1140 extern char ** environ;
1141 if (environ) for (uschar ** p = USS environ; *p; p++)
1142 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1143 {
1144 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
1145 goto supply_response;
1146 }
1147 }
1148 return;
1149 }
1150 #endif /*!DISABLE_OCSP*/
1151
1152
1153
1154
1155 /* Create and install a selfsigned certificate, for use in server mode */
1156
1157 static int
1158 tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
1159 {
1160 X509 * x509 = NULL;
1161 EVP_PKEY * pkey;
1162 RSA * rsa;
1163 X509_NAME * name;
1164 uschar * where;
1165
1166 where = US"allocating pkey";
1167 if (!(pkey = EVP_PKEY_new()))
1168 goto err;
1169
1170 where = US"allocating cert";
1171 if (!(x509 = X509_new()))
1172 goto err;
1173
1174 where = US"generating pkey";
1175 if (!(rsa = rsa_callback(NULL, 0, 2048)))
1176 goto err;
1177
1178 where = US"assigning pkey";
1179 if (!EVP_PKEY_assign_RSA(pkey, rsa))
1180 goto err;
1181
1182 X509_set_version(x509, 2); /* N+1 - version 3 */
1183 ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
1184 X509_gmtime_adj(X509_get_notBefore(x509), 0);
1185 X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
1186 X509_set_pubkey(x509, pkey);
1187
1188 name = X509_get_subject_name(x509);
1189 X509_NAME_add_entry_by_txt(name, "C",
1190 MBSTRING_ASC, CUS "UK", -1, -1, 0);
1191 X509_NAME_add_entry_by_txt(name, "O",
1192 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
1193 X509_NAME_add_entry_by_txt(name, "CN",
1194 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
1195 X509_set_issuer_name(x509, name);
1196
1197 where = US"signing cert";
1198 if (!X509_sign(x509, pkey, EVP_md5()))
1199 goto err;
1200
1201 where = US"installing selfsign cert";
1202 if (!SSL_CTX_use_certificate(sctx, x509))
1203 goto err;
1204
1205 where = US"installing selfsign key";
1206 if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1207 goto err;
1208
1209 return OK;
1210
1211 err:
1212 (void) tls_error(where, NULL, NULL, errstr);
1213 if (x509) X509_free(x509);
1214 if (pkey) EVP_PKEY_free(pkey);
1215 return DEFER;
1216 }
1217
1218
1219
1220
1221 static int
1222 tls_add_certfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1223 uschar ** errstr)
1224 {
1225 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", file);
1226 if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1227 return tls_error(string_sprintf(
1228 "SSL_CTX_use_certificate_chain_file file=%s", file),
1229 cbinfo->host, NULL, errstr);
1230 return 0;
1231 }
1232
1233 static int
1234 tls_add_pkeyfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1235 uschar ** errstr)
1236 {
1237 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", file);
1238 if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1239 return tls_error(string_sprintf(
1240 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1241 return 0;
1242 }
1243
1244
1245 /*************************************************
1246 * Expand key and cert file specs *
1247 *************************************************/
1248
1249 /* Called once during tls_init and possibly again during TLS setup, for a
1250 new context, if Server Name Indication was used and tls_sni was seen in
1251 the certificate string.
1252
1253 Arguments:
1254 sctx the SSL_CTX* to update
1255 cbinfo various parts of session state
1256 errstr error string pointer
1257
1258 Returns: OK/DEFER/FAIL
1259 */
1260
1261 static int
1262 tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo,
1263 uschar ** errstr)
1264 {
1265 uschar *expanded;
1266
1267 if (!cbinfo->certificate)
1268 {
1269 if (!cbinfo->is_server) /* client */
1270 return OK;
1271 /* server */
1272 if (tls_install_selfsign(sctx, errstr) != OK)
1273 return DEFER;
1274 }
1275 else
1276 {
1277 int err;
1278
1279 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
1280 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
1281 Ustrstr(cbinfo->certificate, US"tls_out_sni")
1282 )
1283 reexpand_tls_files_for_sni = TRUE;
1284
1285 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
1286 return DEFER;
1287
1288 if (expanded)
1289 if (cbinfo->is_server)
1290 {
1291 const uschar * file_list = expanded;
1292 int sep = 0;
1293 uschar * file;
1294
1295 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1296 if ((err = tls_add_certfile(sctx, cbinfo, file, errstr)))
1297 return err;
1298 }
1299 else /* would there ever be a need for multiple client certs? */
1300 if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
1301 return err;
1302
1303 if ( cbinfo->privatekey
1304 && !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
1305 return DEFER;
1306
1307 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1308 of the expansion is an empty string, ignore it also, and assume the private
1309 key is in the same file as the certificate. */
1310
1311 if (expanded && *expanded)
1312 if (cbinfo->is_server)
1313 {
1314 const uschar * file_list = expanded;
1315 int sep = 0;
1316 uschar * file;
1317
1318 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1319 if ((err = tls_add_pkeyfile(sctx, cbinfo, file, errstr)))
1320 return err;
1321 }
1322 else /* would there ever be a need for multiple client certs? */
1323 if ((err = tls_add_pkeyfile(sctx, cbinfo, expanded, errstr)))
1324 return err;
1325 }
1326
1327 #ifndef DISABLE_OCSP
1328 if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
1329 {
1330 /*XXX stack*/
1331 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded, errstr))
1332 return DEFER;
1333
1334 if (expanded && *expanded)
1335 {
1336 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
1337 if ( cbinfo->u_ocsp.server.file_expanded
1338 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
1339 {
1340 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1341 }
1342 else
1343 ocsp_load_response(sctx, cbinfo, expanded);
1344 }
1345 }
1346 #endif
1347
1348 return OK;
1349 }
1350
1351
1352
1353
1354 /*************************************************
1355 * Callback to handle SNI *
1356 *************************************************/
1357
1358 /* Called when acting as server during the TLS session setup if a Server Name
1359 Indication extension was sent by the client.
1360
1361 API documentation is OpenSSL s_server.c implementation.
1362
1363 Arguments:
1364 s SSL* of the current session
1365 ad unknown (part of OpenSSL API) (unused)
1366 arg Callback of "our" registered data
1367
1368 Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
1369 */
1370
1371 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1372 static int
1373 tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1374 {
1375 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
1376 tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1377 int rc;
1378 int old_pool = store_pool;
1379 uschar * dummy_errstr;
1380
1381 if (!servername)
1382 return SSL_TLSEXT_ERR_OK;
1383
1384 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
1385 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1386
1387 /* Make the extension value available for expansion */
1388 store_pool = POOL_PERM;
1389 tls_in.sni = string_copy(US servername);
1390 store_pool = old_pool;
1391
1392 if (!reexpand_tls_files_for_sni)
1393 return SSL_TLSEXT_ERR_OK;
1394
1395 /* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1396 not confident that memcpy wouldn't break some internal reference counting.
1397 Especially since there's a references struct member, which would be off. */
1398
1399 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1400 if (!(server_sni = SSL_CTX_new(TLS_server_method())))
1401 #else
1402 if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
1403 #endif
1404 {
1405 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
1406 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
1407 goto bad;
1408 }
1409
1410 /* Not sure how many of these are actually needed, since SSL object
1411 already exists. Might even need this selfsame callback, for reneg? */
1412
1413 SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1414 SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1415 SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1416 SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1417 SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1418 SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
1419
1420 if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1421 || !init_ecdh(server_sni, NULL, &dummy_errstr)
1422 )
1423 goto bad;
1424
1425 if ( cbinfo->server_cipher_list
1426 && !SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list))
1427 goto bad;
1428
1429 #ifndef DISABLE_OCSP
1430 if (cbinfo->u_ocsp.server.file)
1431 {
1432 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
1433 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
1434 }
1435 #endif
1436
1437 if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
1438 verify_callback_server, &dummy_errstr)) != OK)
1439 goto bad;
1440
1441 /* do this after setup_certs, because this can require the certs for verifying
1442 OCSP information. */
1443 if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
1444 goto bad;
1445
1446 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
1447 SSL_set_SSL_CTX(s, server_sni);
1448 return SSL_TLSEXT_ERR_OK;
1449
1450 bad: return SSL_TLSEXT_ERR_ALERT_FATAL;
1451 }
1452 #endif /* EXIM_HAVE_OPENSSL_TLSEXT */
1453
1454
1455
1456
1457 #ifndef DISABLE_OCSP
1458
1459 /*************************************************
1460 * Callback to handle OCSP Stapling *
1461 *************************************************/
1462
1463 /* Called when acting as server during the TLS session setup if the client
1464 requests OCSP information with a Certificate Status Request.
1465
1466 Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1467 project.
1468
1469 */
1470
1471 static int
1472 tls_server_stapling_cb(SSL *s, void *arg)
1473 {
1474 const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1475 uschar *response_der; /*XXX blob */
1476 int response_der_len;
1477
1478 /*XXX stack: use SSL_get_certificate() to see which cert; from that work
1479 out which ocsp blob to send. Unfortunately, SSL_get_certificate is known
1480 buggy in current OpenSSL; it returns the last cert loaded always rather than
1481 the one actually presented. So we can't support a stack of OCSP proofs at
1482 this time. */
1483
1484 DEBUG(D_tls)
1485 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
1486 cbinfo->u_ocsp.server.response ? "have" : "lack");
1487
1488 tls_in.ocsp = OCSP_NOT_RESP;
1489 if (!cbinfo->u_ocsp.server.response)
1490 return SSL_TLSEXT_ERR_NOACK;
1491
1492 response_der = NULL;
1493 response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, /*XXX stack*/
1494 &response_der);
1495 if (response_der_len <= 0)
1496 return SSL_TLSEXT_ERR_NOACK;
1497
1498 SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
1499 tls_in.ocsp = OCSP_VFIED;
1500 return SSL_TLSEXT_ERR_OK;
1501 }
1502
1503
1504 static void
1505 time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1506 {
1507 BIO_printf(bp, "\t%s: ", str);
1508 ASN1_GENERALIZEDTIME_print(bp, time);
1509 BIO_puts(bp, "\n");
1510 }
1511
1512 static int
1513 tls_client_stapling_cb(SSL *s, void *arg)
1514 {
1515 tls_ext_ctx_cb * cbinfo = arg;
1516 const unsigned char * p;
1517 int len;
1518 OCSP_RESPONSE * rsp;
1519 OCSP_BASICRESP * bs;
1520 int i;
1521
1522 DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1523 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1524 if(!p)
1525 {
1526 /* Expect this when we requested ocsp but got none */
1527 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
1528 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
1529 else
1530 DEBUG(D_tls) debug_printf(" null\n");
1531 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1532 }
1533
1534 if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1535 {
1536 tls_out.ocsp = OCSP_FAILED;
1537 if (LOGGING(tls_cipher))
1538 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
1539 else
1540 DEBUG(D_tls) debug_printf(" parse error\n");
1541 return 0;
1542 }
1543
1544 if(!(bs = OCSP_response_get1_basic(rsp)))
1545 {
1546 tls_out.ocsp = OCSP_FAILED;
1547 if (LOGGING(tls_cipher))
1548 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
1549 else
1550 DEBUG(D_tls) debug_printf(" error parsing response\n");
1551 OCSP_RESPONSE_free(rsp);
1552 return 0;
1553 }
1554
1555 /* We'd check the nonce here if we'd put one in the request. */
1556 /* However that would defeat cacheability on the server so we don't. */
1557
1558 /* This section of code reworked from OpenSSL apps source;
1559 The OpenSSL Project retains copyright:
1560 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1561 */
1562 {
1563 BIO * bp = NULL;
1564 int status, reason;
1565 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1566
1567 DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
1568
1569 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1570
1571 /* Use the chain that verified the server cert to verify the stapled info */
1572 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1573
1574 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
1575 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
1576 {
1577 tls_out.ocsp = OCSP_FAILED;
1578 if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
1579 "Received TLS cert status response, itself unverifiable: %s",
1580 ERR_reason_error_string(ERR_peek_error()));
1581 BIO_printf(bp, "OCSP response verify failure\n");
1582 ERR_print_errors(bp);
1583 OCSP_RESPONSE_print(bp, rsp, 0);
1584 goto failed;
1585 }
1586
1587 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1588
1589 /*XXX So we have a good stapled OCSP status. How do we know
1590 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1591 OCSP_resp_find_status() which matches on a cert id, which presumably
1592 we should use. Making an id needs OCSP_cert_id_new(), which takes
1593 issuerName, issuerKey, serialNumber. Are they all in the cert?
1594
1595 For now, carry on blindly accepting the resp. */
1596
1597 {
1598 OCSP_SINGLERESP * single;
1599
1600 #ifdef EXIM_HAVE_OCSP_RESP_COUNT
1601 if (OCSP_resp_count(bs) != 1)
1602 #else
1603 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
1604 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
1605 #endif
1606 {
1607 tls_out.ocsp = OCSP_FAILED;
1608 log_write(0, LOG_MAIN, "OCSP stapling "
1609 "with multiple responses not handled");
1610 goto failed;
1611 }
1612 single = OCSP_resp_get0(bs, 0);
1613 status = OCSP_single_get0_status(single, &reason, &rev,
1614 &thisupd, &nextupd);
1615 }
1616
1617 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1618 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
1619 if (!OCSP_check_validity(thisupd, nextupd,
1620 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1621 {
1622 tls_out.ocsp = OCSP_FAILED;
1623 DEBUG(D_tls) ERR_print_errors(bp);
1624 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
1625 }
1626 else
1627 {
1628 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1629 OCSP_cert_status_str(status));
1630 switch(status)
1631 {
1632 case V_OCSP_CERTSTATUS_GOOD:
1633 tls_out.ocsp = OCSP_VFIED;
1634 i = 1;
1635 goto good;
1636 case V_OCSP_CERTSTATUS_REVOKED:
1637 tls_out.ocsp = OCSP_FAILED;
1638 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1639 reason != -1 ? "; reason: " : "",
1640 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1641 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
1642 break;
1643 default:
1644 tls_out.ocsp = OCSP_FAILED;
1645 log_write(0, LOG_MAIN,
1646 "Server certificate status unknown, in OCSP stapling");
1647 break;
1648 }
1649 }
1650 failed:
1651 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1652 good:
1653 BIO_free(bp);
1654 }
1655
1656 OCSP_RESPONSE_free(rsp);
1657 return i;
1658 }
1659 #endif /*!DISABLE_OCSP*/
1660
1661
1662 /*************************************************
1663 * Initialize for TLS *
1664 *************************************************/
1665
1666 /* Called from both server and client code, to do preliminary initialization
1667 of the library. We allocate and return a context structure.
1668
1669 Arguments:
1670 ctxp returned SSL context
1671 host connected host, if client; NULL if server
1672 dhparam DH parameter file
1673 certificate certificate file
1674 privatekey private key
1675 ocsp_file file of stapling info (server); flag for require ocsp (client)
1676 addr address if client; NULL if server (for some randomness)
1677 cbp place to put allocated callback context
1678 errstr error string pointer
1679
1680 Returns: OK/DEFER/FAIL
1681 */
1682
1683 static int
1684 tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
1685 uschar *privatekey,
1686 #ifndef DISABLE_OCSP
1687 uschar *ocsp_file, /*XXX stack, in server*/
1688 #endif
1689 address_item *addr, tls_ext_ctx_cb ** cbp, uschar ** errstr)
1690 {
1691 SSL_CTX * ctx;
1692 long init_options;
1693 int rc;
1694 tls_ext_ctx_cb * cbinfo;
1695
1696 cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1697 cbinfo->certificate = certificate;
1698 cbinfo->privatekey = privatekey;
1699 cbinfo->is_server = host==NULL;
1700 #ifndef DISABLE_OCSP
1701 cbinfo->verify_stack = NULL;
1702 if (!host)
1703 {
1704 cbinfo->u_ocsp.server.file = ocsp_file;
1705 cbinfo->u_ocsp.server.file_expanded = NULL;
1706 cbinfo->u_ocsp.server.response = NULL;
1707 }
1708 else
1709 cbinfo->u_ocsp.client.verify_store = NULL;
1710 #endif
1711 cbinfo->dhparam = dhparam;
1712 cbinfo->server_cipher_list = NULL;
1713 cbinfo->host = host;
1714 #ifndef DISABLE_EVENT
1715 cbinfo->event_action = NULL;
1716 #endif
1717
1718 #ifdef EXIM_NEED_OPENSSL_INIT
1719 SSL_load_error_strings(); /* basic set up */
1720 OpenSSL_add_ssl_algorithms();
1721 #endif
1722
1723 #ifdef EXIM_HAVE_SHA256
1724 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
1725 list of available digests. */
1726 EVP_add_digest(EVP_sha256());
1727 #endif
1728
1729 /* Create a context.
1730 The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1731 negotiation in the different methods; as far as I can tell, the only
1732 *_{server,client}_method which allows negotiation is SSLv23, which exists even
1733 when OpenSSL is built without SSLv2 support.
1734 By disabling with openssl_options, we can let admins re-enable with the
1735 existing knob. */
1736
1737 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1738 if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
1739 #else
1740 if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
1741 #endif
1742 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
1743
1744 /* It turns out that we need to seed the random number generator this early in
1745 order to get the full complement of ciphers to work. It took me roughly a day
1746 of work to discover this by experiment.
1747
1748 On systems that have /dev/urandom, SSL may automatically seed itself from
1749 there. Otherwise, we have to make something up as best we can. Double check
1750 afterwards. */
1751
1752 if (!RAND_status())
1753 {
1754 randstuff r;
1755 gettimeofday(&r.tv, NULL);
1756 r.p = getpid();
1757
1758 RAND_seed(US (&r), sizeof(r));
1759 RAND_seed(US big_buffer, big_buffer_size);
1760 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
1761
1762 if (!RAND_status())
1763 return tls_error(US"RAND_status", host,
1764 US"unable to seed random number generator", errstr);
1765 }
1766
1767 /* Set up the information callback, which outputs if debugging is at a suitable
1768 level. */
1769
1770 DEBUG(D_tls) SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
1771
1772 /* Automatically re-try reads/writes after renegotiation. */
1773 (void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
1774
1775 /* Apply administrator-supplied work-arounds.
1776 Historically we applied just one requested option,
1777 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1778 moved to an administrator-controlled list of options to specify and
1779 grandfathered in the first one as the default value for "openssl_options".
1780
1781 No OpenSSL version number checks: the options we accept depend upon the
1782 availability of the option value macros from OpenSSL. */
1783
1784 if (!tls_openssl_options_parse(openssl_options, &init_options))
1785 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
1786
1787 if (init_options)
1788 {
1789 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
1790 if (!(SSL_CTX_set_options(ctx, init_options)))
1791 return tls_error(string_sprintf(
1792 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
1793 }
1794 else
1795 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
1796
1797 /* We'd like to disable session cache unconditionally, but foolish Outlook
1798 Express clients then give up the first TLS connection and make a second one
1799 (which works). Only when there is an IMAP service on the same machine.
1800 Presumably OE is trying to use the cache for A on B. Leave it enabled for
1801 now, until we work out a decent way of presenting control to the config. It
1802 will never be used because we use a new context every time. */
1803 #ifdef notdef
1804 (void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
1805 #endif
1806
1807 /* Initialize with DH parameters if supplied */
1808 /* Initialize ECDH temp key parameter selection */
1809
1810 if ( !init_dh(ctx, dhparam, host, errstr)
1811 || !init_ecdh(ctx, host, errstr)
1812 )
1813 return DEFER;
1814
1815 /* Set up certificate and key (and perhaps OCSP info) */
1816
1817 if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
1818 return rc;
1819
1820 /* If we need to handle SNI or OCSP, do so */
1821
1822 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1823 # ifndef DISABLE_OCSP
1824 if (!(cbinfo->verify_stack = sk_X509_new_null()))
1825 {
1826 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
1827 return FAIL;
1828 }
1829 # endif
1830
1831 if (!host) /* server */
1832 {
1833 # ifndef DISABLE_OCSP
1834 /* We check u_ocsp.server.file, not server.response, because we care about if
1835 the option exists, not what the current expansion might be, as SNI might
1836 change the certificate and OCSP file in use between now and the time the
1837 callback is invoked. */
1838 if (cbinfo->u_ocsp.server.file)
1839 {
1840 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
1841 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
1842 }
1843 # endif
1844 /* We always do this, so that $tls_sni is available even if not used in
1845 tls_certificate */
1846 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
1847 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
1848 }
1849 # ifndef DISABLE_OCSP
1850 else /* client */
1851 if(ocsp_file) /* wanting stapling */
1852 {
1853 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1854 {
1855 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1856 return FAIL;
1857 }
1858 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
1859 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
1860 }
1861 # endif
1862 #endif
1863
1864 cbinfo->verify_cert_hostnames = NULL;
1865
1866 #ifdef EXIM_HAVE_EPHEM_RSA_KEX
1867 /* Set up the RSA callback */
1868 SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
1869 #endif
1870
1871 /* Finally, set the timeout, and we are done */
1872
1873 SSL_CTX_set_timeout(ctx, ssl_session_timeout);
1874 DEBUG(D_tls) debug_printf("Initialized TLS\n");
1875
1876 *cbp = cbinfo;
1877 *ctxp = ctx;
1878
1879 return OK;
1880 }
1881
1882
1883
1884
1885 /*************************************************
1886 * Get name of cipher in use *
1887 *************************************************/
1888
1889 /*
1890 Argument: pointer to an SSL structure for the connection
1891 buffer to use for answer
1892 size of buffer
1893 pointer to number of bits for cipher
1894 Returns: nothing
1895 */
1896
1897 static void
1898 construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
1899 {
1900 /* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
1901 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1902 the accessor functions use const in the prototype. */
1903
1904 const uschar * ver = CUS SSL_get_version(ssl);
1905 const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
1906
1907 SSL_CIPHER_get_bits(c, bits);
1908
1909 string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1910 SSL_CIPHER_get_name(c), *bits);
1911
1912 DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1913 }
1914
1915
1916 static void
1917 peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
1918 {
1919 /*XXX we might consider a list-of-certs variable for the cert chain.
1920 SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
1921 in list-handling functions, also consider the difference between the entire
1922 chain and the elements sent by the peer. */
1923
1924 tlsp->peerdn = NULL;
1925
1926 /* Will have already noted peercert on a verify fail; possibly not the leaf */
1927 if (!tlsp->peercert)
1928 tlsp->peercert = SSL_get_peer_certificate(ssl);
1929 /* Beware anonymous ciphers which lead to server_cert being NULL */
1930 if (tlsp->peercert)
1931 if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
1932 { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
1933 else
1934 {
1935 peerdn[siz-1] = '\0';
1936 tlsp->peerdn = peerdn; /*XXX a static buffer... */
1937 }
1938 }
1939
1940
1941
1942
1943
1944 /*************************************************
1945 * Set up for verifying certificates *
1946 *************************************************/
1947
1948 #ifndef DISABLE_OCSP
1949 /* Load certs from file, return TRUE on success */
1950
1951 static BOOL
1952 chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
1953 {
1954 BIO * bp;
1955 X509 * x;
1956
1957 while (sk_X509_num(verify_stack) > 0)
1958 X509_free(sk_X509_pop(verify_stack));
1959
1960 if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
1961 while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
1962 sk_X509_push(verify_stack, x);
1963 BIO_free(bp);
1964 return TRUE;
1965 }
1966 #endif
1967
1968
1969
1970 /* Called by both client and server startup; on the server possibly
1971 repeated after a Server Name Indication.
1972
1973 Arguments:
1974 sctx SSL_CTX* to initialise
1975 certs certs file or NULL
1976 crl CRL file or NULL
1977 host NULL in a server; the remote host in a client
1978 optional TRUE if called from a server for a host in tls_try_verify_hosts;
1979 otherwise passed as FALSE
1980 cert_vfy_cb Callback function for certificate verification
1981 errstr error string pointer
1982
1983 Returns: OK/DEFER/FAIL
1984 */
1985
1986 static int
1987 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
1988 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
1989 {
1990 uschar *expcerts, *expcrl;
1991
1992 if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
1993 return DEFER;
1994 DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
1995
1996 if (expcerts && *expcerts)
1997 {
1998 /* Tell the library to use its compiled-in location for the system default
1999 CA bundle. Then add the ones specified in the config, if any. */
2000
2001 if (!SSL_CTX_set_default_verify_paths(sctx))
2002 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
2003
2004 if (Ustrcmp(expcerts, "system") != 0)
2005 {
2006 struct stat statbuf;
2007
2008 if (Ustat(expcerts, &statbuf) < 0)
2009 {
2010 log_write(0, LOG_MAIN|LOG_PANIC,
2011 "failed to stat %s for certificates", expcerts);
2012 return DEFER;
2013 }
2014 else
2015 {
2016 uschar *file, *dir;
2017 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
2018 { file = NULL; dir = expcerts; }
2019 else
2020 {
2021 file = expcerts; dir = NULL;
2022 #ifndef DISABLE_OCSP
2023 /* In the server if we will be offering an OCSP proof, load chain from
2024 file for verifying the OCSP proof at load time. */
2025
2026 if ( !host
2027 && statbuf.st_size > 0
2028 && server_static_cbinfo->u_ocsp.server.file
2029 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
2030 )
2031 {
2032 log_write(0, LOG_MAIN|LOG_PANIC,
2033 "failed to load cert chain from %s", file);
2034 return DEFER;
2035 }
2036 #endif
2037 }
2038
2039 /* If a certificate file is empty, the next function fails with an
2040 unhelpful error message. If we skip it, we get the correct behaviour (no
2041 certificates are recognized, but the error message is still misleading (it
2042 says no certificate was supplied). But this is better. */
2043
2044 if ( (!file || statbuf.st_size > 0)
2045 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
2046 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
2047
2048 /* Load the list of CAs for which we will accept certs, for sending
2049 to the client. This is only for the one-file tls_verify_certificates
2050 variant.
2051 If a list isn't loaded into the server, but some verify locations are set,
2052 the server end appears to make a wildcard request for client certs.
2053 Meanwhile, the client library as default behaviour *ignores* the list
2054 we send over the wire - see man SSL_CTX_set_client_cert_cb.
2055 Because of this, and that the dir variant is likely only used for
2056 the public-CA bundle (not for a private CA), not worth fixing. */
2057
2058 if (file)
2059 {
2060 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
2061
2062 SSL_CTX_set_client_CA_list(sctx, names);
2063 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
2064 sk_X509_NAME_num(names));
2065 }
2066 }
2067 }
2068
2069 /* Handle a certificate revocation list. */
2070
2071 #if OPENSSL_VERSION_NUMBER > 0x00907000L
2072
2073 /* This bit of code is now the version supplied by Lars Mainka. (I have
2074 merely reformatted it into the Exim code style.)
2075
2076 "From here I changed the code to add support for multiple crl's
2077 in pem format in one file or to support hashed directory entries in
2078 pem format instead of a file. This method now uses the library function
2079 X509_STORE_load_locations to add the CRL location to the SSL context.
2080 OpenSSL will then handle the verify against CA certs and CRLs by
2081 itself in the verify callback." */
2082
2083 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
2084 if (expcrl && *expcrl)
2085 {
2086 struct stat statbufcrl;
2087 if (Ustat(expcrl, &statbufcrl) < 0)
2088 {
2089 log_write(0, LOG_MAIN|LOG_PANIC,
2090 "failed to stat %s for certificates revocation lists", expcrl);
2091 return DEFER;
2092 }
2093 else
2094 {
2095 /* is it a file or directory? */
2096 uschar *file, *dir;
2097 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
2098 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
2099 {
2100 file = NULL;
2101 dir = expcrl;
2102 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
2103 }
2104 else
2105 {
2106 file = expcrl;
2107 dir = NULL;
2108 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
2109 }
2110 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
2111 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
2112
2113 /* setting the flags to check against the complete crl chain */
2114
2115 X509_STORE_set_flags(cvstore,
2116 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
2117 }
2118 }
2119
2120 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
2121
2122 /* If verification is optional, don't fail if no certificate */
2123
2124 SSL_CTX_set_verify(sctx,
2125 SSL_VERIFY_PEER | (optional ? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
2126 cert_vfy_cb);
2127 }
2128
2129 return OK;
2130 }
2131
2132
2133
2134 /*************************************************
2135 * Start a TLS session in a server *
2136 *************************************************/
2137
2138 /* This is called when Exim is running as a server, after having received
2139 the STARTTLS command. It must respond to that command, and then negotiate
2140 a TLS session.
2141
2142 Arguments:
2143 require_ciphers allowed ciphers
2144 errstr pointer to error message
2145
2146 Returns: OK on success
2147 DEFER for errors before the start of the negotiation
2148 FAIL for errors during the negotiation; the server can't
2149 continue running.
2150 */
2151
2152 int
2153 tls_server_start(const uschar * require_ciphers, uschar ** errstr)
2154 {
2155 int rc;
2156 uschar * expciphers;
2157 tls_ext_ctx_cb * cbinfo;
2158 static uschar peerdn[256];
2159 static uschar cipherbuf[256];
2160
2161 /* Check for previous activation */
2162
2163 if (tls_in.active.sock >= 0)
2164 {
2165 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
2166 smtp_printf("554 Already in TLS\r\n", FALSE);
2167 return FAIL;
2168 }
2169
2170 /* Initialize the SSL library. If it fails, it will already have logged
2171 the error. */
2172
2173 rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
2174 #ifndef DISABLE_OCSP
2175 tls_ocsp_file, /*XXX stack*/
2176 #endif
2177 NULL, &server_static_cbinfo, errstr);
2178 if (rc != OK) return rc;
2179 cbinfo = server_static_cbinfo;
2180
2181 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
2182 return FAIL;
2183
2184 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2185 were historically separated by underscores. So that I can use either form in my
2186 tests, and also for general convenience, we turn underscores into hyphens here.
2187
2188 XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
2189 for TLS 1.3 . Since we do not call it at present we get the default list:
2190 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
2191 */
2192
2193 if (expciphers)
2194 {
2195 uschar * s = expciphers;
2196 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2197 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2198 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
2199 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
2200 cbinfo->server_cipher_list = expciphers;
2201 }
2202
2203 /* If this is a host for which certificate verification is mandatory or
2204 optional, set up appropriately. */
2205
2206 tls_in.certificate_verified = FALSE;
2207 #ifdef SUPPORT_DANE
2208 tls_in.dane_verified = FALSE;
2209 #endif
2210 server_verify_callback_called = FALSE;
2211
2212 if (verify_check_host(&tls_verify_hosts) == OK)
2213 {
2214 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
2215 FALSE, verify_callback_server, errstr);
2216 if (rc != OK) return rc;
2217 server_verify_optional = FALSE;
2218 }
2219 else if (verify_check_host(&tls_try_verify_hosts) == OK)
2220 {
2221 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
2222 TRUE, verify_callback_server, errstr);
2223 if (rc != OK) return rc;
2224 server_verify_optional = TRUE;
2225 }
2226
2227 /* Prepare for new connection */
2228
2229 if (!(server_ssl = SSL_new(server_ctx)))
2230 return tls_error(US"SSL_new", NULL, NULL, errstr);
2231
2232 /* Warning: we used to SSL_clear(ssl) here, it was removed.
2233 *
2234 * With the SSL_clear(), we get strange interoperability bugs with
2235 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
2236 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
2237 *
2238 * The SSL_clear() call is to let an existing SSL* be reused, typically after
2239 * session shutdown. In this case, we have a brand new object and there's no
2240 * obvious reason to immediately clear it. I'm guessing that this was
2241 * originally added because of incomplete initialisation which the clear fixed,
2242 * in some historic release.
2243 */
2244
2245 /* Set context and tell client to go ahead, except in the case of TLS startup
2246 on connection, where outputting anything now upsets the clients and tends to
2247 make them disconnect. We need to have an explicit fflush() here, to force out
2248 the response. Other smtp_printf() calls do not need it, because in non-TLS
2249 mode, the fflush() happens when smtp_getc() is called. */
2250
2251 SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
2252 if (!tls_in.on_connect)
2253 {
2254 smtp_printf("220 TLS go ahead\r\n", FALSE);
2255 fflush(smtp_out);
2256 }
2257
2258 /* Now negotiate the TLS session. We put our own timer on it, since it seems
2259 that the OpenSSL library doesn't. */
2260
2261 SSL_set_wfd(server_ssl, fileno(smtp_out));
2262 SSL_set_rfd(server_ssl, fileno(smtp_in));
2263 SSL_set_accept_state(server_ssl);
2264
2265 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
2266
2267 sigalrm_seen = FALSE;
2268 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
2269 rc = SSL_accept(server_ssl);
2270 ALARM_CLR(0);
2271
2272 if (rc <= 0)
2273 {
2274 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
2275 return FAIL;
2276 }
2277
2278 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
2279 ERR_clear_error(); /* Even success can leave errors in the stack. Seen with
2280 anon-authentication ciphersuite negociated. */
2281
2282 /* TLS has been set up. Adjust the input functions to read via TLS,
2283 and initialize things. */
2284
2285 peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2286
2287 construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
2288 tls_in.cipher = cipherbuf;
2289
2290 DEBUG(D_tls)
2291 {
2292 uschar buf[2048];
2293 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
2294 debug_printf("Shared ciphers: %s\n", buf);
2295 }
2296
2297 /* Record the certificate we presented */
2298 {
2299 X509 * crt = SSL_get_certificate(server_ssl);
2300 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2301 }
2302
2303 /* Only used by the server-side tls (tls_in), including tls_getc.
2304 Client-side (tls_out) reads (seem to?) go via
2305 smtp_read_response()/ip_recv().
2306 Hence no need to duplicate for _in and _out.
2307 */
2308 if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
2309 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
2310 ssl_xfer_eof = ssl_xfer_error = FALSE;
2311
2312 receive_getc = tls_getc;
2313 receive_getbuf = tls_getbuf;
2314 receive_get_cache = tls_get_cache;
2315 receive_ungetc = tls_ungetc;
2316 receive_feof = tls_feof;
2317 receive_ferror = tls_ferror;
2318 receive_smtp_buffered = tls_smtp_buffered;
2319
2320 tls_in.active.sock = fileno(smtp_out);
2321 tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */
2322 return OK;
2323 }
2324
2325
2326
2327
2328 static int
2329 tls_client_basic_ctx_init(SSL_CTX * ctx,
2330 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2331 uschar ** errstr)
2332 {
2333 int rc;
2334 /* stick to the old behaviour for compatibility if tls_verify_certificates is
2335 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2336 the specified host patterns if one of them is defined */
2337
2338 if ( ( !ob->tls_verify_hosts
2339 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2340 )
2341 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
2342 )
2343 client_verify_optional = FALSE;
2344 else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
2345 client_verify_optional = TRUE;
2346 else
2347 return OK;
2348
2349 if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
2350 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2351 errstr)) != OK)
2352 return rc;
2353
2354 if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
2355 {
2356 cbinfo->verify_cert_hostnames =
2357 #ifdef SUPPORT_I18N
2358 string_domain_utf8_to_alabel(host->name, NULL);
2359 #else
2360 host->name;
2361 #endif
2362 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2363 cbinfo->verify_cert_hostnames);
2364 }
2365 return OK;
2366 }
2367
2368
2369 #ifdef SUPPORT_DANE
2370 static int
2371 dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
2372 {
2373 dns_scan dnss;
2374 const char * hostnames[2] = { CS host->name, NULL };
2375 int found = 0;
2376
2377 if (DANESSL_init(ssl, NULL, hostnames) != 1)
2378 return tls_error(US"hostnames load", host, NULL, errstr);
2379
2380 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
2381 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2382 ) if (rr->type == T_TLSA && rr->size > 3)
2383 {
2384 const uschar * p = rr->data;
2385 uint8_t usage, selector, mtype;
2386 const char * mdname;
2387
2388 usage = *p++;
2389
2390 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2391 if (usage != 2 && usage != 3) continue;
2392
2393 selector = *p++;
2394 mtype = *p++;
2395
2396 switch (mtype)
2397 {
2398 default: continue; /* Only match-types 0, 1, 2 are supported */
2399 case 0: mdname = NULL; break;
2400 case 1: mdname = "sha256"; break;
2401 case 2: mdname = "sha512"; break;
2402 }
2403
2404 found++;
2405 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2406 {
2407 default:
2408 return tls_error(US"tlsa load", host, NULL, errstr);
2409 case 0: /* action not taken */
2410 case 1: break;
2411 }
2412
2413 tls_out.tlsa_usage |= 1<<usage;
2414 }
2415
2416 if (found)
2417 return OK;
2418
2419 log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
2420 return DEFER;
2421 }
2422 #endif /*SUPPORT_DANE*/
2423
2424
2425
2426 /*************************************************
2427 * Start a TLS session in a client *
2428 *************************************************/
2429
2430 /* Called from the smtp transport after STARTTLS has been accepted.
2431
2432 Argument:
2433 fd the fd of the connection
2434 host connected host (for messages and option-tests)
2435 addr the first address (for some randomness; can be NULL)
2436 tb transport (always smtp)
2437 tlsa_dnsa tlsa lookup, if DANE, else null
2438 tlsp record details of channel configuration here; must be non-NULL
2439 errstr error string pointer
2440
2441 Returns: Pointer to TLS session context, or NULL on error
2442 */
2443
2444 void *
2445 tls_client_start(int fd, host_item *host, address_item *addr,
2446 transport_instance * tb,
2447 #ifdef SUPPORT_DANE
2448 dns_answer * tlsa_dnsa,
2449 #endif
2450 tls_support * tlsp, uschar ** errstr)
2451 {
2452 smtp_transport_options_block * ob = tb
2453 ? (smtp_transport_options_block *)tb->options_block
2454 : &smtp_transport_option_defaults;
2455 exim_openssl_client_tls_ctx * exim_client_ctx;
2456 static uschar peerdn[256];
2457 uschar * expciphers;
2458 int rc;
2459 static uschar cipherbuf[256];
2460
2461 #ifndef DISABLE_OCSP
2462 BOOL request_ocsp = FALSE;
2463 BOOL require_ocsp = FALSE;
2464 #endif
2465
2466 rc = store_pool;
2467 store_pool = POOL_PERM;
2468 exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx));
2469 store_pool = rc;
2470
2471 #ifdef SUPPORT_DANE
2472 tlsp->tlsa_usage = 0;
2473 #endif
2474
2475 #ifndef DISABLE_OCSP
2476 {
2477 # ifdef SUPPORT_DANE
2478 if ( tlsa_dnsa
2479 && ob->hosts_request_ocsp[0] == '*'
2480 && ob->hosts_request_ocsp[1] == '\0'
2481 )
2482 {
2483 /* Unchanged from default. Use a safer one under DANE */
2484 request_ocsp = TRUE;
2485 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2486 " {= {4}{$tls_out_tlsa_usage}} } "
2487 " {*}{}}";
2488 }
2489 # endif
2490
2491 if ((require_ocsp =
2492 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
2493 request_ocsp = TRUE;
2494 else
2495 # ifdef SUPPORT_DANE
2496 if (!request_ocsp)
2497 # endif
2498 request_ocsp =
2499 verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
2500 }
2501 #endif
2502
2503 rc = tls_init(&exim_client_ctx->ctx, host, NULL,
2504 ob->tls_certificate, ob->tls_privatekey,
2505 #ifndef DISABLE_OCSP
2506 (void *)(long)request_ocsp,
2507 #endif
2508 addr, &client_static_cbinfo, errstr);
2509 if (rc != OK) return NULL;
2510
2511 tlsp->certificate_verified = FALSE;
2512 client_verify_callback_called = FALSE;
2513
2514 expciphers = NULL;
2515 #ifdef SUPPORT_DANE
2516 if (tlsa_dnsa)
2517 {
2518 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
2519 other failures should be treated as problems. */
2520 if (ob->dane_require_tls_ciphers &&
2521 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2522 &expciphers, errstr))
2523 return NULL;
2524 if (expciphers && *expciphers == '\0')
2525 expciphers = NULL;
2526 }
2527 #endif
2528 if (!expciphers &&
2529 !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
2530 &expciphers, errstr))
2531 return NULL;
2532
2533 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2534 are separated by underscores. So that I can use either form in my tests, and
2535 also for general convenience, we turn underscores into hyphens here. */
2536
2537 if (expciphers)
2538 {
2539 uschar *s = expciphers;
2540 while (*s) { if (*s == '_') *s = '-'; s++; }
2541 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2542 if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
2543 {
2544 tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
2545 return NULL;
2546 }
2547 }
2548
2549 #ifdef SUPPORT_DANE
2550 if (tlsa_dnsa)
2551 {
2552 SSL_CTX_set_verify(exim_client_ctx->ctx,
2553 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2554 verify_callback_client_dane);
2555
2556 if (!DANESSL_library_init())
2557 {
2558 tls_error(US"library init", host, NULL, errstr);
2559 return NULL;
2560 }
2561 if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
2562 {
2563 tls_error(US"context init", host, NULL, errstr);
2564 return NULL;
2565 }
2566 }
2567 else
2568
2569 #endif
2570
2571 if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
2572 client_static_cbinfo, errstr) != OK)
2573 return NULL;
2574
2575 if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
2576 {
2577 tls_error(US"SSL_new", host, NULL, errstr);
2578 return NULL;
2579 }
2580 SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
2581 SSL_set_fd(exim_client_ctx->ssl, fd);
2582 SSL_set_connect_state(exim_client_ctx->ssl);
2583
2584 if (ob->tls_sni)
2585 {
2586 if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
2587 return NULL;
2588 if (!tlsp->sni)
2589 {
2590 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
2591 }
2592 else if (!Ustrlen(tlsp->sni))
2593 tlsp->sni = NULL;
2594 else
2595 {
2596 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
2597 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
2598 SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
2599 #else
2600 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
2601 tlsp->sni);
2602 #endif
2603 }
2604 }
2605
2606 #ifdef SUPPORT_DANE
2607 if (tlsa_dnsa)
2608 if (dane_tlsa_load(exim_client_ctx->ssl, host, tlsa_dnsa, errstr) != OK)
2609 return NULL;
2610 #endif
2611
2612 #ifndef DISABLE_OCSP
2613 /* Request certificate status at connection-time. If the server
2614 does OCSP stapling we will get the callback (set in tls_init()) */
2615 # ifdef SUPPORT_DANE
2616 if (request_ocsp)
2617 {
2618 const uschar * s;
2619 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2620 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2621 )
2622 { /* Re-eval now $tls_out_tlsa_usage is populated. If
2623 this means we avoid the OCSP request, we wasted the setup
2624 cost in tls_init(). */
2625 require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
2626 request_ocsp = require_ocsp
2627 || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
2628 }
2629 }
2630 # endif
2631
2632 if (request_ocsp)
2633 {
2634 SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
2635 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
2636 tlsp->ocsp = OCSP_NOT_RESP;
2637 }
2638 #endif
2639
2640 #ifndef DISABLE_EVENT
2641 client_static_cbinfo->event_action = tb ? tb->event_action : NULL;
2642 #endif
2643
2644 /* There doesn't seem to be a built-in timeout on connection. */
2645
2646 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
2647 sigalrm_seen = FALSE;
2648 ALARM(ob->command_timeout);
2649 rc = SSL_connect(exim_client_ctx->ssl);
2650 ALARM_CLR(0);
2651
2652 #ifdef SUPPORT_DANE
2653 if (tlsa_dnsa)
2654 DANESSL_cleanup(exim_client_ctx->ssl);
2655 #endif
2656
2657 if (rc <= 0)
2658 {
2659 tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
2660 return NULL;
2661 }
2662
2663 DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
2664
2665 peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
2666
2667 construct_cipher_name(exim_client_ctx->ssl, cipherbuf, sizeof(cipherbuf), &tlsp->bits);
2668 tlsp->cipher = cipherbuf;
2669
2670 /* Record the certificate we presented */
2671 {
2672 X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
2673 tlsp->ourcert = crt ? X509_dup(crt) : NULL;
2674 }
2675
2676 tlsp->active.sock = fd;
2677 tlsp->active.tls_ctx = exim_client_ctx;
2678 return exim_client_ctx;
2679 }
2680
2681
2682
2683
2684
2685 static BOOL
2686 tls_refill(unsigned lim)
2687 {
2688 int error;
2689 int inbytes;
2690
2691 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
2692 ssl_xfer_buffer, ssl_xfer_buffer_size);
2693
2694 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
2695 inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
2696 MIN(ssl_xfer_buffer_size, lim));
2697 error = SSL_get_error(server_ssl, inbytes);
2698 if (smtp_receive_timeout > 0) ALARM_CLR(0);
2699
2700 if (had_command_timeout) /* set by signal handler */
2701 smtp_command_timeout_exit(); /* does not return */
2702 if (had_command_sigterm)
2703 smtp_command_sigterm_exit();
2704 if (had_data_timeout)
2705 smtp_data_timeout_exit();
2706 if (had_data_sigint)
2707 smtp_data_sigint_exit();
2708
2709 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
2710 closed down, not that the socket itself has been closed down. Revert to
2711 non-SSL handling. */
2712
2713 switch(error)
2714 {
2715 case SSL_ERROR_NONE:
2716 break;
2717
2718 case SSL_ERROR_ZERO_RETURN:
2719 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2720
2721 receive_getc = smtp_getc;
2722 receive_getbuf = smtp_getbuf;
2723 receive_get_cache = smtp_get_cache;
2724 receive_ungetc = smtp_ungetc;
2725 receive_feof = smtp_feof;
2726 receive_ferror = smtp_ferror;
2727 receive_smtp_buffered = smtp_buffered;
2728
2729 if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
2730 SSL_shutdown(server_ssl);
2731
2732 #ifndef DISABLE_OCSP
2733 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
2734 server_static_cbinfo->verify_stack = NULL;
2735 #endif
2736 SSL_free(server_ssl);
2737 SSL_CTX_free(server_ctx);
2738 server_ctx = NULL;
2739 server_ssl = NULL;
2740 tls_in.active.sock = -1;
2741 tls_in.active.tls_ctx = NULL;
2742 tls_in.bits = 0;
2743 tls_in.cipher = NULL;
2744 tls_in.peerdn = NULL;
2745 tls_in.sni = NULL;
2746
2747 return FALSE;
2748
2749 /* Handle genuine errors */
2750 case SSL_ERROR_SSL:
2751 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
2752 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
2753 ssl_xfer_error = TRUE;
2754 return FALSE;
2755
2756 default:
2757 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2758 DEBUG(D_tls) if (error == SSL_ERROR_SYSCALL)
2759 debug_printf(" - syscall %s\n", strerror(errno));
2760 ssl_xfer_error = TRUE;
2761 return FALSE;
2762 }
2763
2764 #ifndef DISABLE_DKIM
2765 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
2766 #endif
2767 ssl_xfer_buffer_hwm = inbytes;
2768 ssl_xfer_buffer_lwm = 0;
2769 return TRUE;
2770 }
2771
2772
2773 /*************************************************
2774 * TLS version of getc *
2775 *************************************************/
2776
2777 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
2778 it refills the buffer via the SSL reading function.
2779
2780 Arguments: lim Maximum amount to read/buffer
2781 Returns: the next character or EOF
2782
2783 Only used by the server-side TLS.
2784 */
2785
2786 int
2787 tls_getc(unsigned lim)
2788 {
2789 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2790 if (!tls_refill(lim))
2791 return ssl_xfer_error ? EOF : smtp_getc(lim);
2792
2793 /* Something in the buffer; return next uschar */
2794
2795 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
2796 }
2797
2798 uschar *
2799 tls_getbuf(unsigned * len)
2800 {
2801 unsigned size;
2802 uschar * buf;
2803
2804 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2805 if (!tls_refill(*len))
2806 {
2807 if (!ssl_xfer_error) return smtp_getbuf(len);
2808 *len = 0;
2809 return NULL;
2810 }
2811
2812 if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
2813 size = *len;
2814 buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
2815 ssl_xfer_buffer_lwm += size;
2816 *len = size;
2817 return buf;
2818 }
2819
2820
2821 void
2822 tls_get_cache()
2823 {
2824 #ifndef DISABLE_DKIM
2825 int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
2826 if (n > 0)
2827 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
2828 #endif
2829 }
2830
2831
2832 BOOL
2833 tls_could_read(void)
2834 {
2835 return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0;
2836 }
2837
2838
2839 /*************************************************
2840 * Read bytes from TLS channel *
2841 *************************************************/
2842
2843 /*
2844 Arguments:
2845 ct_ctx client context pointer, or NULL for the one global server context
2846 buff buffer of data
2847 len size of buffer
2848
2849 Returns: the number of bytes read
2850 -1 after a failed read, including EOF
2851
2852 Only used by the client-side TLS.
2853 */
2854
2855 int
2856 tls_read(void * ct_ctx, uschar *buff, size_t len)
2857 {
2858 SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
2859 int inbytes;
2860 int error;
2861
2862 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
2863 buff, (unsigned int)len);
2864
2865 inbytes = SSL_read(ssl, CS buff, len);
2866 error = SSL_get_error(ssl, inbytes);
2867
2868 if (error == SSL_ERROR_ZERO_RETURN)
2869 {
2870 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2871 return -1;
2872 }
2873 else if (error != SSL_ERROR_NONE)
2874 return -1;
2875
2876 return inbytes;
2877 }
2878
2879
2880
2881
2882
2883 /*************************************************
2884 * Write bytes down TLS channel *
2885 *************************************************/
2886
2887 /*
2888 Arguments:
2889 ct_ctx client context pointer, or NULL for the one global server context
2890 buff buffer of data
2891 len number of bytes
2892 more further data expected soon
2893
2894 Returns: the number of bytes after a successful write,
2895 -1 after a failed write
2896
2897 Used by both server-side and client-side TLS.
2898 */
2899
2900 int
2901 tls_write(void * ct_ctx, const uschar *buff, size_t len, BOOL more)
2902 {
2903 int outbytes, error;
2904 SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
2905 static gstring * corked = NULL;
2906
2907 DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
2908 buff, (unsigned long)len, more ? ", more" : "");
2909
2910 /* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
2911 "more" is notified. This hack is only ok if small amounts are involved AND only
2912 one stream does it, in one context (i.e. no store reset). Currently it is used
2913 for the responses to the received SMTP MAIL , RCPT, DATA sequence, only. */
2914 /*XXX + if PIPE_COMMAND, banner & ehlo-resp for smmtp-on-connect. Suspect there's
2915 a store reset there. */
2916
2917 if (!ct_ctx && (more || corked))
2918 {
2919 #ifdef EXPERIMENTAL_PIPE_CONNECT
2920 int save_pool = store_pool;
2921 store_pool = POOL_PERM;
2922 #endif
2923
2924 corked = string_catn(corked, buff, len);
2925
2926 #ifdef EXPERIMENTAL_PIPE_CONNECT
2927 store_pool = save_pool;
2928 #endif
2929
2930 if (more)
2931 return len;
2932 buff = CUS corked->s;
2933 len = corked->ptr;
2934 corked = NULL;
2935 }
2936
2937 for (int left = len; left > 0;)
2938 {
2939 DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left);
2940 outbytes = SSL_write(ssl, CS buff, left);
2941 error = SSL_get_error(ssl, outbytes);
2942 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
2943 switch (error)
2944 {
2945 case SSL_ERROR_SSL:
2946 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
2947 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
2948 return -1;
2949
2950 case SSL_ERROR_NONE:
2951 left -= outbytes;
2952 buff += outbytes;
2953 break;
2954
2955 case SSL_ERROR_ZERO_RETURN:
2956 log_write(0, LOG_MAIN, "SSL channel closed on write");
2957 return -1;
2958
2959 case SSL_ERROR_SYSCALL:
2960 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
2961 sender_fullhost ? sender_fullhost : US"<unknown>",
2962 strerror(errno));
2963 return -1;
2964
2965 default:
2966 log_write(0, LOG_MAIN, "SSL_write error %d", error);
2967 return -1;
2968 }
2969 }
2970 return len;
2971 }
2972
2973
2974
2975 /*************************************************
2976 * Close down a TLS session *
2977 *************************************************/
2978
2979 /* This is also called from within a delivery subprocess forked from the
2980 daemon, to shut down the TLS library, without actually doing a shutdown (which
2981 would tamper with the SSL session in the parent process).
2982
2983 Arguments:
2984 ct_ctx client TLS context pointer, or NULL for the one global server context
2985 shutdown 1 if TLS close-alert is to be sent,
2986 2 if also response to be waited for
2987
2988 Returns: nothing
2989
2990 Used by both server-side and client-side TLS.
2991 */
2992
2993 void
2994 tls_close(void * ct_ctx, int shutdown)
2995 {
2996 exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
2997 SSL_CTX **ctxp = o_ctx ? &o_ctx->ctx : &server_ctx;
2998 SSL **sslp = o_ctx ? &o_ctx->ssl : &server_ssl;
2999 int *fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
3000
3001 if (*fdp < 0) return; /* TLS was not active */
3002
3003 if (shutdown)
3004 {
3005 int rc;
3006 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
3007 shutdown > 1 ? " (with response-wait)" : "");
3008
3009 if ( (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */
3010 && shutdown > 1)
3011 {
3012 ALARM(2);
3013 rc = SSL_shutdown(*sslp); /* wait for response */
3014 ALARM_CLR(0);
3015 }
3016
3017 if (rc < 0) DEBUG(D_tls)
3018 {
3019 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3020 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
3021 }
3022 }
3023
3024 #ifndef DISABLE_OCSP
3025 if (!o_ctx) /* server side */
3026 {
3027 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
3028 server_static_cbinfo->verify_stack = NULL;
3029 }
3030 #endif
3031
3032 SSL_CTX_free(*ctxp);
3033 SSL_free(*sslp);
3034 *ctxp = NULL;
3035 *sslp = NULL;
3036 *fdp = -1;
3037 }
3038
3039
3040
3041
3042 /*************************************************
3043 * Let tls_require_ciphers be checked at startup *
3044 *************************************************/
3045
3046 /* The tls_require_ciphers option, if set, must be something which the
3047 library can parse.
3048
3049 Returns: NULL on success, or error message
3050 */
3051
3052 uschar *
3053 tls_validate_require_cipher(void)
3054 {
3055 SSL_CTX *ctx;
3056 uschar *s, *expciphers, *err;
3057
3058 /* this duplicates from tls_init(), we need a better "init just global
3059 state, for no specific purpose" singleton function of our own */
3060
3061 #ifdef EXIM_NEED_OPENSSL_INIT
3062 SSL_load_error_strings();
3063 OpenSSL_add_ssl_algorithms();
3064 #endif
3065 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
3066 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
3067 list of available digests. */
3068 EVP_add_digest(EVP_sha256());
3069 #endif
3070
3071 if (!(tls_require_ciphers && *tls_require_ciphers))
3072 return NULL;
3073
3074 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3075 &err))
3076 return US"failed to expand tls_require_ciphers";
3077
3078 if (!(expciphers && *expciphers))
3079 return NULL;
3080
3081 /* normalisation ripped from above */
3082 s = expciphers;
3083 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
3084
3085 err = NULL;
3086
3087 #ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
3088 if (!(ctx = SSL_CTX_new(TLS_server_method())))
3089 #else
3090 if (!(ctx = SSL_CTX_new(SSLv23_server_method())))
3091 #endif
3092 {
3093 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3094 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
3095 }
3096
3097 DEBUG(D_tls)
3098 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3099
3100 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
3101 {
3102 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3103 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
3104 expciphers, ssl_errstring);
3105 }
3106
3107 SSL_CTX_free(ctx);
3108
3109 return err;
3110 }
3111
3112
3113
3114
3115 /*************************************************
3116 * Report the library versions. *
3117 *************************************************/
3118
3119 /* There have historically been some issues with binary compatibility in
3120 OpenSSL libraries; if Exim (like many other applications) is built against
3121 one version of OpenSSL but the run-time linker picks up another version,
3122 it can result in serious failures, including crashing with a SIGSEGV. So
3123 report the version found by the compiler and the run-time version.
3124
3125 Note: some OS vendors backport security fixes without changing the version
3126 number/string, and the version date remains unchanged. The _build_ date
3127 will change, so we can more usefully assist with version diagnosis by also
3128 reporting the build date.
3129
3130 Arguments: a FILE* to print the results to
3131 Returns: nothing
3132 */
3133
3134 void
3135 tls_version_report(FILE *f)
3136 {
3137 fprintf(f, "Library version: OpenSSL: Compile: %s\n"
3138 " Runtime: %s\n"
3139 " : %s\n",
3140 OPENSSL_VERSION_TEXT,
3141 SSLeay_version(SSLEAY_VERSION),
3142 SSLeay_version(SSLEAY_BUILT_ON));
3143 /* third line is 38 characters for the %s and the line is 73 chars long;
3144 the OpenSSL output includes a "built on: " prefix already. */
3145 }
3146
3147
3148
3149
3150 /*************************************************
3151 * Random number generation *
3152 *************************************************/
3153
3154 /* Pseudo-random number generation. The result is not expected to be
3155 cryptographically strong but not so weak that someone will shoot themselves
3156 in the foot using it as a nonce in input in some email header scheme or
3157 whatever weirdness they'll twist this into. The result should handle fork()
3158 and avoid repeating sequences. OpenSSL handles that for us.
3159
3160 Arguments:
3161 max range maximum
3162 Returns a random number in range [0, max-1]
3163 */
3164
3165 int
3166 vaguely_random_number(int max)
3167 {
3168 unsigned int r;
3169 int i, needed_len;
3170 static pid_t pidlast = 0;
3171 pid_t pidnow;
3172 uschar smallbuf[sizeof(r)];
3173
3174 if (max <= 1)
3175 return 0;
3176
3177 pidnow = getpid();
3178 if (pidnow != pidlast)
3179 {
3180 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
3181 is unique for each thread", this doesn't apparently apply across processes,
3182 so our own warning from vaguely_random_number_fallback() applies here too.
3183 Fix per PostgreSQL. */
3184 if (pidlast != 0)
3185 RAND_cleanup();
3186 pidlast = pidnow;
3187 }
3188
3189 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
3190 if (!RAND_status())
3191 {
3192 randstuff r;
3193 gettimeofday(&r.tv, NULL);
3194 r.p = getpid();
3195
3196 RAND_seed(US (&r), sizeof(r));
3197 }
3198 /* We're after pseudo-random, not random; if we still don't have enough data
3199 in the internal PRNG then our options are limited. We could sleep and hope
3200 for entropy to come along (prayer technique) but if the system is so depleted
3201 in the first place then something is likely to just keep taking it. Instead,
3202 we'll just take whatever little bit of pseudo-random we can still manage to
3203 get. */
3204
3205 needed_len = sizeof(r);
3206 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
3207 asked for a number less than 10. */
3208 for (r = max, i = 0; r; ++i)
3209 r >>= 1;
3210 i = (i + 7) / 8;
3211 if (i < needed_len)
3212 needed_len = i;
3213
3214 #ifdef EXIM_HAVE_RAND_PSEUDO
3215 /* We do not care if crypto-strong */
3216 i = RAND_pseudo_bytes(smallbuf, needed_len);
3217 #else
3218 i = RAND_bytes(smallbuf, needed_len);
3219 #endif
3220
3221 if (i < 0)
3222 {
3223 DEBUG(D_all)
3224 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
3225 return vaguely_random_number_fallback(max);
3226 }
3227
3228 r = 0;
3229 for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
3230 r = 256 * r + *p;
3231
3232 /* We don't particularly care about weighted results; if someone wants
3233 smooth distribution and cares enough then they should submit a patch then. */
3234 return r % max;
3235 }
3236
3237
3238
3239
3240 /*************************************************
3241 * OpenSSL option parse *
3242 *************************************************/
3243
3244 /* Parse one option for tls_openssl_options_parse below
3245
3246 Arguments:
3247 name one option name
3248 value place to store a value for it
3249 Returns success or failure in parsing
3250 */
3251
3252
3253
3254 static BOOL
3255 tls_openssl_one_option_parse(uschar *name, long *value)
3256 {
3257 int first = 0;
3258 int last = exim_openssl_options_size;
3259 while (last > first)
3260 {
3261 int middle = (first + last)/2;
3262 int c = Ustrcmp(name, exim_openssl_options[middle].name);
3263 if (c == 0)
3264 {
3265 *value = exim_openssl_options[middle].value;
3266 return TRUE;
3267 }
3268 else if (c > 0)
3269 first = middle + 1;
3270 else
3271 last = middle;
3272 }
3273 return FALSE;
3274 }
3275
3276
3277
3278
3279 /*************************************************
3280 * OpenSSL option parsing logic *
3281 *************************************************/
3282
3283 /* OpenSSL has a number of compatibility options which an administrator might
3284 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
3285 we look like log_selector.
3286
3287 Arguments:
3288 option_spec the administrator-supplied string of options
3289 results ptr to long storage for the options bitmap
3290 Returns success or failure
3291 */
3292
3293 BOOL
3294 tls_openssl_options_parse(uschar *option_spec, long *results)
3295 {
3296 long result, item;
3297 uschar *end;
3298 uschar keep_c;
3299 BOOL adding, item_parsed;
3300
3301 result = SSL_OP_NO_TICKET;
3302 /* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
3303 * from default because it increases BEAST susceptibility. */
3304 #ifdef SSL_OP_NO_SSLv2
3305 result |= SSL_OP_NO_SSLv2;
3306 #endif
3307 #ifdef SSL_OP_SINGLE_DH_USE
3308 result |= SSL_OP_SINGLE_DH_USE;
3309 #endif
3310
3311 if (!option_spec)
3312 {
3313 *results = result;
3314 return TRUE;
3315 }
3316
3317 for (uschar * s = option_spec; *s != '\0'; /**/)
3318 {
3319 while (isspace(*s)) ++s;
3320 if (*s == '\0')
3321 break;
3322 if (*s != '+' && *s != '-')
3323 {
3324 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
3325 "+ or - expected but found \"%s\"\n", s);
3326 return FALSE;
3327 }
3328 adding = *s++ == '+';
3329 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
3330 keep_c = *end;
3331 *end = '\0';
3332 item_parsed = tls_openssl_one_option_parse(s, &item);
3333 *end = keep_c;
3334 if (!item_parsed)
3335 {
3336 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
3337 return FALSE;
3338 }
3339 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
3340 adding ? "adding" : "removing", result, item, s);
3341 if (adding)
3342 result |= item;
3343 else
3344 result &= ~item;
3345 s = end;
3346 }
3347
3348 *results = result;
3349 return TRUE;
3350 }
3351
3352 #endif /*!MACRO_PREDEF*/
3353 /* vi: aw ai sw=2
3354 */
3355 /* End of tls-openssl.c */
Unnamed repository; edit this file 'description' to name the repository.