projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch '4.next'
[exim.git] / src / src / tls-openssl.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2017 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* Portions Copyright (c) The OpenSSL Project 1999 */
9
10 /* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11 library. It is #included into the tls.c file when that library is used. The
12 code herein is based on a patch that was originally contributed by Steve
13 Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15 No cryptographic code is included in Exim. All this module does is to call
16 functions from the OpenSSL library. */
17
18
19 /* Heading stuff */
20
21 #include <openssl/lhash.h>
22 #include <openssl/ssl.h>
23 #include <openssl/err.h>
24 #include <openssl/rand.h>
25 #ifndef OPENSSL_NO_ECDH
26 # include <openssl/ec.h>
27 #endif
28 #ifndef DISABLE_OCSP
29 # include <openssl/ocsp.h>
30 #endif
31 #ifdef EXPERIMENTAL_DANE
32 # include "danessl.h"
33 #endif
34
35
36 #ifndef DISABLE_OCSP
37 # define EXIM_OCSP_SKEW_SECONDS (300L)
38 # define EXIM_OCSP_MAX_AGE (-1L)
39 #endif
40
41 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
42 # define EXIM_HAVE_OPENSSL_TLSEXT
43 #endif
44 #if OPENSSL_VERSION_NUMBER >= 0x00908000L
45 # define EXIM_HAVE_RSA_GENKEY_EX
46 #endif
47 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
48 # define EXIM_HAVE_OCSP_RESP_COUNT
49 #else
50 # define EXIM_HAVE_EPHEM_RSA_KEX
51 # define EXIM_HAVE_RAND_PSEUDO
52 #endif
53 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
54 # define EXIM_HAVE_SHA256
55 #endif
56
57 /*
58 * X509_check_host provides sane certificate hostname checking, but was added
59 * to OpenSSL late, after other projects forked off the code-base. So in
60 * addition to guarding against the base version number, beware that LibreSSL
61 * does not (at this time) support this function.
62 *
63 * If LibreSSL gains a different API, perhaps via libtls, then we'll probably
64 * opt to disentangle and ask a LibreSSL user to provide glue for a third
65 * crypto provider for libtls instead of continuing to tie the OpenSSL glue
66 * into even twistier knots. If LibreSSL gains the same API, we can just
67 * change this guard and punt the issue for a while longer.
68 */
69 #ifndef LIBRESSL_VERSION_NUMBER
70 # if OPENSSL_VERSION_NUMBER >= 0x010100000L
71 # define EXIM_HAVE_OPENSSL_CHECKHOST
72 # define EXIM_HAVE_OPENSSL_DH_BITS
73 # endif
74 # if OPENSSL_VERSION_NUMBER >= 0x010000000L \
75 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
76 # define EXIM_HAVE_OPENSSL_CHECKHOST
77 # endif
78 #endif
79
80 #if !defined(LIBRESSL_VERSION_NUMBER) \
81 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
82 # if !defined(OPENSSL_NO_ECDH)
83 # if OPENSSL_VERSION_NUMBER >= 0x0090800fL
84 # define EXIM_HAVE_ECDH
85 # endif
86 # if OPENSSL_VERSION_NUMBER >= 0x10002000L
87 # define EXIM_HAVE_OPENSSL_EC_NIST2NID
88 # endif
89 # endif
90 #endif
91
92 #if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
93 # warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
94 # define DISABLE_OCSP
95 #endif
96
97 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
98 # include <openssl/x509v3.h>
99 #endif
100
101 /* Structure for collecting random data for seeding. */
102
103 typedef struct randstuff {
104 struct timeval tv;
105 pid_t p;
106 } randstuff;
107
108 /* Local static variables */
109
110 static BOOL client_verify_callback_called = FALSE;
111 static BOOL server_verify_callback_called = FALSE;
112 static const uschar *sid_ctx = US"exim";
113
114 /* We have three different contexts to care about.
115
116 Simple case: client, `client_ctx`
117 As a client, we can be doing a callout or cut-through delivery while receiving
118 a message. So we have a client context, which should have options initialised
119 from the SMTP Transport.
120
121 Server:
122 There are two cases: with and without ServerNameIndication from the client.
123 Given TLS SNI, we can be using different keys, certs and various other
124 configuration settings, because they're re-expanded with $tls_sni set. This
125 allows vhosting with TLS. This SNI is sent in the handshake.
126 A client might not send SNI, so we need a fallback, and an initial setup too.
127 So as a server, we start out using `server_ctx`.
128 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
129 `server_sni` from `server_ctx` and then initialise settings by re-expanding
130 configuration.
131 */
132
133 static SSL_CTX *client_ctx = NULL;
134 static SSL_CTX *server_ctx = NULL;
135 static SSL *client_ssl = NULL;
136 static SSL *server_ssl = NULL;
137
138 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
139 static SSL_CTX *server_sni = NULL;
140 #endif
141
142 static char ssl_errstring[256];
143
144 static int ssl_session_timeout = 200;
145 static BOOL client_verify_optional = FALSE;
146 static BOOL server_verify_optional = FALSE;
147
148 static BOOL reexpand_tls_files_for_sni = FALSE;
149
150
151 typedef struct tls_ext_ctx_cb {
152 uschar *certificate;
153 uschar *privatekey;
154 BOOL is_server;
155 #ifndef DISABLE_OCSP
156 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
157 union {
158 struct {
159 uschar *file;
160 uschar *file_expanded;
161 OCSP_RESPONSE *response;
162 } server;
163 struct {
164 X509_STORE *verify_store; /* non-null if status requested */
165 BOOL verify_required;
166 } client;
167 } u_ocsp;
168 #endif
169 uschar *dhparam;
170 /* these are cached from first expand */
171 uschar *server_cipher_list;
172 /* only passed down to tls_error: */
173 host_item *host;
174 const uschar * verify_cert_hostnames;
175 #ifndef DISABLE_EVENT
176 uschar * event_action;
177 #endif
178 } tls_ext_ctx_cb;
179
180 /* should figure out a cleanup of API to handle state preserved per
181 implementation, for various reasons, which can be void * in the APIs.
182 For now, we hack around it. */
183 tls_ext_ctx_cb *client_static_cbinfo = NULL;
184 tls_ext_ctx_cb *server_static_cbinfo = NULL;
185
186 static int
187 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
188 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
189
190 /* Callbacks */
191 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
192 static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
193 #endif
194 #ifndef DISABLE_OCSP
195 static int tls_server_stapling_cb(SSL *s, void *arg);
196 #endif
197
198
199 /*************************************************
200 * Handle TLS error *
201 *************************************************/
202
203 /* Called from lots of places when errors occur before actually starting to do
204 the TLS handshake, that is, while the session is still in clear. Always returns
205 DEFER for a server and FAIL for a client so that most calls can use "return
206 tls_error(...)" to do this processing and then give an appropriate return. A
207 single function is used for both server and client, because it is called from
208 some shared functions.
209
210 Argument:
211 prefix text to include in the logged error
212 host NULL if setting up a server;
213 the connected host if setting up a client
214 msg error message or NULL if we should ask OpenSSL
215 errstr pointer to output error message
216
217 Returns: OK/DEFER/FAIL
218 */
219
220 static int
221 tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
222 {
223 if (!msg)
224 {
225 ERR_error_string(ERR_get_error(), ssl_errstring);
226 msg = US ssl_errstring;
227 }
228
229 if (errstr) *errstr = string_sprintf("(%s): %s", prefix, msg);
230 return host ? FAIL : DEFER;
231 }
232
233
234
235 /*************************************************
236 * Callback to generate RSA key *
237 *************************************************/
238
239 /*
240 Arguments:
241 s SSL connection (not used)
242 export not used
243 keylength keylength
244
245 Returns: pointer to generated key
246 */
247
248 static RSA *
249 rsa_callback(SSL *s, int export, int keylength)
250 {
251 RSA *rsa_key;
252 #ifdef EXIM_HAVE_RSA_GENKEY_EX
253 BIGNUM *bn = BN_new();
254 #endif
255
256 export = export; /* Shut picky compilers up */
257 DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
258
259 #ifdef EXIM_HAVE_RSA_GENKEY_EX
260 if ( !BN_set_word(bn, (unsigned long)RSA_F4)
261 || !(rsa_key = RSA_new())
262 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
263 )
264 #else
265 if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
266 #endif
267
268 {
269 ERR_error_string(ERR_get_error(), ssl_errstring);
270 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
271 ssl_errstring);
272 return NULL;
273 }
274 return rsa_key;
275 }
276
277
278
279 /* Extreme debug
280 #ifndef DISABLE_OCSP
281 void
282 x509_store_dump_cert_s_names(X509_STORE * store)
283 {
284 STACK_OF(X509_OBJECT) * roots= store->objs;
285 int i;
286 static uschar name[256];
287
288 for(i= 0; i<sk_X509_OBJECT_num(roots); i++)
289 {
290 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
291 if(tmp_obj->type == X509_LU_X509)
292 {
293 X509 * current_cert= tmp_obj->data.x509;
294 X509_NAME_oneline(X509_get_subject_name(current_cert), CS name, sizeof(name));
295 name[sizeof(name)-1] = '\0';
296 debug_printf(" %s\n", name);
297 }
298 }
299 }
300 #endif
301 */
302
303
304 #ifndef DISABLE_EVENT
305 static int
306 verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
307 BOOL *calledp, const BOOL *optionalp, const uschar * what)
308 {
309 uschar * ev;
310 uschar * yield;
311 X509 * old_cert;
312
313 ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
314 if (ev)
315 {
316 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
317 old_cert = tlsp->peercert;
318 tlsp->peercert = X509_dup(cert);
319 /* NB we do not bother setting peerdn */
320 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
321 {
322 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
323 "depth=%d cert=%s: %s",
324 tlsp == &tls_out ? deliver_host_address : sender_host_address,
325 what, depth, dn, yield);
326 *calledp = TRUE;
327 if (!*optionalp)
328 {
329 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
330 return 1; /* reject (leaving peercert set) */
331 }
332 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
333 "(host in tls_try_verify_hosts)\n");
334 }
335 X509_free(tlsp->peercert);
336 tlsp->peercert = old_cert;
337 }
338 return 0;
339 }
340 #endif
341
342 /*************************************************
343 * Callback for verification *
344 *************************************************/
345
346 /* The SSL library does certificate verification if set up to do so. This
347 callback has the current yes/no state is in "state". If verification succeeded,
348 we set the certificate-verified flag. If verification failed, what happens
349 depends on whether the client is required to present a verifiable certificate
350 or not.
351
352 If verification is optional, we change the state to yes, but still log the
353 verification error. For some reason (it really would help to have proper
354 documentation of OpenSSL), this callback function then gets called again, this
355 time with state = 1. We must take care not to set the private verified flag on
356 the second time through.
357
358 Note: this function is not called if the client fails to present a certificate
359 when asked. We get here only if a certificate has been received. Handling of
360 optional verification for this case is done when requesting SSL to verify, by
361 setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
362
363 May be called multiple times for different issues with a certificate, even
364 for a given "depth" in the certificate chain.
365
366 Arguments:
367 preverify_ok current yes/no state as 1/0
368 x509ctx certificate information.
369 tlsp per-direction (client vs. server) support data
370 calledp has-been-called flag
371 optionalp verification-is-optional flag
372
373 Returns: 0 if verification should fail, otherwise 1
374 */
375
376 static int
377 verify_callback(int preverify_ok, X509_STORE_CTX *x509ctx,
378 tls_support *tlsp, BOOL *calledp, BOOL *optionalp)
379 {
380 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
381 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
382 uschar dn[256];
383
384 X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
385 dn[sizeof(dn)-1] = '\0';
386
387 if (preverify_ok == 0)
388 {
389 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
390 *verify_mode, sender_host_address)
391 : US"";
392 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
393 tlsp == &tls_out ? deliver_host_address : sender_host_address,
394 extra, depth,
395 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
396 *calledp = TRUE;
397 if (!*optionalp)
398 {
399 if (!tlsp->peercert)
400 tlsp->peercert = X509_dup(cert); /* record failing cert */
401 return 0; /* reject */
402 }
403 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
404 "tls_try_verify_hosts)\n");
405 }
406
407 else if (depth != 0)
408 {
409 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
410 #ifndef DISABLE_OCSP
411 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
412 { /* client, wanting stapling */
413 /* Add the server cert's signing chain as the one
414 for the verification of the OCSP stapled information. */
415
416 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
417 cert))
418 ERR_clear_error();
419 sk_X509_push(client_static_cbinfo->verify_stack, cert);
420 }
421 #endif
422 #ifndef DISABLE_EVENT
423 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
424 return 0; /* reject, with peercert set */
425 #endif
426 }
427 else
428 {
429 const uschar * verify_cert_hostnames;
430
431 if ( tlsp == &tls_out
432 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
433 /* client, wanting hostname check */
434 {
435
436 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
437 # ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
438 # define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
439 # endif
440 # ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
441 # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
442 # endif
443 int sep = 0;
444 const uschar * list = verify_cert_hostnames;
445 uschar * name;
446 int rc;
447 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
448 if ((rc = X509_check_host(cert, CCS name, 0,
449 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
450 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
451 NULL)))
452 {
453 if (rc < 0)
454 {
455 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
456 tlsp == &tls_out ? deliver_host_address : sender_host_address);
457 name = NULL;
458 }
459 break;
460 }
461 if (!name)
462 #else
463 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
464 #endif
465 {
466 uschar * extra = verify_mode
467 ? string_sprintf(" (during %c-verify for [%s])",
468 *verify_mode, sender_host_address)
469 : US"";
470 log_write(0, LOG_MAIN,
471 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
472 tlsp == &tls_out ? deliver_host_address : sender_host_address,
473 extra, dn, verify_cert_hostnames);
474 *calledp = TRUE;
475 if (!*optionalp)
476 {
477 if (!tlsp->peercert)
478 tlsp->peercert = X509_dup(cert); /* record failing cert */
479 return 0; /* reject */
480 }
481 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
482 "tls_try_verify_hosts)\n");
483 }
484 }
485
486 #ifndef DISABLE_EVENT
487 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
488 return 0; /* reject, with peercert set */
489 #endif
490
491 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
492 *calledp ? "" : " authenticated", dn);
493 if (!*calledp) tlsp->certificate_verified = TRUE;
494 *calledp = TRUE;
495 }
496
497 return 1; /* accept, at least for this level */
498 }
499
500 static int
501 verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
502 {
503 return verify_callback(preverify_ok, x509ctx, &tls_out,
504 &client_verify_callback_called, &client_verify_optional);
505 }
506
507 static int
508 verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
509 {
510 return verify_callback(preverify_ok, x509ctx, &tls_in,
511 &server_verify_callback_called, &server_verify_optional);
512 }
513
514
515 #ifdef EXPERIMENTAL_DANE
516
517 /* This gets called *by* the dane library verify callback, which interposes
518 itself.
519 */
520 static int
521 verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
522 {
523 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
524 uschar dn[256];
525 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
526 #ifndef DISABLE_EVENT
527 BOOL dummy_called, optional = FALSE;
528 #endif
529
530 X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
531 dn[sizeof(dn)-1] = '\0';
532
533 DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
534 preverify_ok ? "ok":"BAD", depth, dn);
535
536 #ifndef DISABLE_EVENT
537 if (verify_event(&tls_out, cert, depth, dn,
538 &dummy_called, &optional, US"DANE"))
539 return 0; /* reject, with peercert set */
540 #endif
541
542 if (preverify_ok == 1)
543 tls_out.dane_verified =
544 tls_out.certificate_verified = TRUE;
545 else
546 {
547 int err = X509_STORE_CTX_get_error(x509ctx);
548 DEBUG(D_tls)
549 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
550 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
551 preverify_ok = 1;
552 }
553 return preverify_ok;
554 }
555
556 #endif /*EXPERIMENTAL_DANE*/
557
558
559 /*************************************************
560 * Information callback *
561 *************************************************/
562
563 /* The SSL library functions call this from time to time to indicate what they
564 are doing. We copy the string to the debugging output when TLS debugging has
565 been requested.
566
567 Arguments:
568 s the SSL connection
569 where
570 ret
571
572 Returns: nothing
573 */
574
575 static void
576 info_callback(SSL *s, int where, int ret)
577 {
578 where = where;
579 ret = ret;
580 DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
581 }
582
583
584
585 /*************************************************
586 * Initialize for DH *
587 *************************************************/
588
589 /* If dhparam is set, expand it, and load up the parameters for DH encryption.
590
591 Arguments:
592 sctx The current SSL CTX (inbound or outbound)
593 dhparam DH parameter file or fixed parameter identity string
594 host connected host, if client; NULL if server
595 errstr error string pointer
596
597 Returns: TRUE if OK (nothing to set up, or setup worked)
598 */
599
600 static BOOL
601 init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
602 {
603 BIO *bio;
604 DH *dh;
605 uschar *dhexpanded;
606 const char *pem;
607 int dh_bitsize;
608
609 if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
610 return FALSE;
611
612 if (!dhexpanded || !*dhexpanded)
613 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
614 else if (dhexpanded[0] == '/')
615 {
616 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
617 {
618 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
619 host, US strerror(errno), errstr);
620 return FALSE;
621 }
622 }
623 else
624 {
625 if (Ustrcmp(dhexpanded, "none") == 0)
626 {
627 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
628 return TRUE;
629 }
630
631 if (!(pem = std_dh_prime_named(dhexpanded)))
632 {
633 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
634 host, US strerror(errno), errstr);
635 return FALSE;
636 }
637 bio = BIO_new_mem_buf(CS pem, -1);
638 }
639
640 if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
641 {
642 BIO_free(bio);
643 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
644 host, NULL, errstr);
645 return FALSE;
646 }
647
648 /* note: our default limit of 2236 is not a multiple of 8; the limit comes from
649 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
650 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
651 * If someone wants to dance at the edge, then they can raise the limit or use
652 * current libraries. */
653 #ifdef EXIM_HAVE_OPENSSL_DH_BITS
654 /* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
655 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
656 dh_bitsize = DH_bits(dh);
657 #else
658 dh_bitsize = 8 * DH_size(dh);
659 #endif
660
661 /* Even if it is larger, we silently return success rather than cause things
662 * to fail out, so that a too-large DH will not knock out all TLS; it's a
663 * debatable choice. */
664 if (dh_bitsize > tls_dh_max_bits)
665 {
666 DEBUG(D_tls)
667 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
668 dh_bitsize, tls_dh_max_bits);
669 }
670 else
671 {
672 SSL_CTX_set_tmp_dh(sctx, dh);
673 DEBUG(D_tls)
674 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
675 dhexpanded ? dhexpanded : US"default", dh_bitsize);
676 }
677
678 DH_free(dh);
679 BIO_free(bio);
680
681 return TRUE;
682 }
683
684
685
686
687 /*************************************************
688 * Initialize for ECDH *
689 *************************************************/
690
691 /* Load parameters for ECDH encryption.
692
693 For now, we stick to NIST P-256 because: it's simple and easy to configure;
694 it avoids any patent issues that might bite redistributors; despite events in
695 the news and concerns over curve choices, we're not cryptographers, we're not
696 pretending to be, and this is "good enough" to be better than no support,
697 protecting against most adversaries. Given another year or two, there might
698 be sufficient clarity about a "right" way forward to let us make an informed
699 decision, instead of a knee-jerk reaction.
700
701 Longer-term, we should look at supporting both various named curves and
702 external files generated with "openssl ecparam", much as we do for init_dh().
703 We should also support "none" as a value, to explicitly avoid initialisation.
704
705 Patches welcome.
706
707 Arguments:
708 sctx The current SSL CTX (inbound or outbound)
709 host connected host, if client; NULL if server
710 errstr error string pointer
711
712 Returns: TRUE if OK (nothing to set up, or setup worked)
713 */
714
715 static BOOL
716 init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
717 {
718 #ifdef OPENSSL_NO_ECDH
719 return TRUE;
720 #else
721
722 EC_KEY * ecdh;
723 uschar * exp_curve;
724 int nid;
725 BOOL rv;
726
727 if (host) /* No ECDH setup for clients, only for servers */
728 return TRUE;
729
730 # ifndef EXIM_HAVE_ECDH
731 DEBUG(D_tls)
732 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
733 return TRUE;
734 # else
735
736 if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
737 return FALSE;
738 if (!exp_curve || !*exp_curve)
739 return TRUE;
740
741 /* "auto" needs to be handled carefully.
742 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
743 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
744 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
745 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
746 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
747 */
748 if (Ustrcmp(exp_curve, "auto") == 0)
749 {
750 #if OPENSSL_VERSION_NUMBER < 0x10002000L
751 DEBUG(D_tls) debug_printf(
752 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
753 exp_curve = US"prime256v1";
754 #else
755 # if defined SSL_CTRL_SET_ECDH_AUTO
756 DEBUG(D_tls) debug_printf(
757 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
758 SSL_CTX_set_ecdh_auto(sctx, 1);
759 return TRUE;
760 # else
761 DEBUG(D_tls) debug_printf(
762 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
763 return TRUE;
764 # endif
765 #endif
766 }
767
768 DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
769 if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
770 # ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
771 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
772 # endif
773 )
774 {
775 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
776 host, NULL, errstr);
777 return FALSE;
778 }
779
780 if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
781 {
782 tls_error(US"Unable to create ec curve", host, NULL, errstr);
783 return FALSE;
784 }
785
786 /* The "tmp" in the name here refers to setting a temporary key
787 not to the stability of the interface. */
788
789 if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
790 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
791 else
792 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
793
794 EC_KEY_free(ecdh);
795 return !rv;
796
797 # endif /*EXIM_HAVE_ECDH*/
798 #endif /*OPENSSL_NO_ECDH*/
799 }
800
801
802
803
804 #ifndef DISABLE_OCSP
805 /*************************************************
806 * Load OCSP information into state *
807 *************************************************/
808 /* Called to load the server OCSP response from the given file into memory, once
809 caller has determined this is needed. Checks validity. Debugs a message
810 if invalid.
811
812 ASSUMES: single response, for single cert.
813
814 Arguments:
815 sctx the SSL_CTX* to update
816 cbinfo various parts of session state
817 expanded the filename putatively holding an OCSP response
818
819 */
820
821 static void
822 ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
823 {
824 BIO * bio;
825 OCSP_RESPONSE * resp;
826 OCSP_BASICRESP * basic_response;
827 OCSP_SINGLERESP * single_response;
828 ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
829 STACK_OF(X509) * sk;
830 unsigned long verify_flags;
831 int status, reason, i;
832
833 cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
834 if (cbinfo->u_ocsp.server.response)
835 {
836 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
837 cbinfo->u_ocsp.server.response = NULL;
838 }
839
840 if (!(bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb")))
841 {
842 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
843 cbinfo->u_ocsp.server.file_expanded);
844 return;
845 }
846
847 resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
848 BIO_free(bio);
849 if (!resp)
850 {
851 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
852 return;
853 }
854
855 if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
856 {
857 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
858 OCSP_response_status_str(status), status);
859 goto bad;
860 }
861
862 if (!(basic_response = OCSP_response_get1_basic(resp)))
863 {
864 DEBUG(D_tls)
865 debug_printf("OCSP response parse error: unable to extract basic response.\n");
866 goto bad;
867 }
868
869 sk = cbinfo->verify_stack;
870 verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
871
872 /* May need to expose ability to adjust those flags?
873 OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
874 OCSP_TRUSTOTHER OCSP_NOINTERN */
875
876 /* This does a full verify on the OCSP proof before we load it for serving
877 up; possibly overkill - just date-checks might be nice enough.
878
879 OCSP_basic_verify takes a "store" arg, but does not
880 use it for the chain verification, which is all we do
881 when OCSP_NOVERIFY is set. The content from the wire
882 "basic_response" and a cert-stack "sk" are all that is used.
883
884 We have a stack, loaded in setup_certs() if tls_verify_certificates
885 was a file (not a directory, or "system"). It is unfortunate we
886 cannot used the connection context store, as that would neatly
887 handle the "system" case too, but there seems to be no library
888 function for getting a stack from a store.
889 [ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
890 We do not free the stack since it could be needed a second time for
891 SNI handling.
892
893 Separately we might try to replace using OCSP_basic_verify() - which seems to not
894 be a public interface into the OpenSSL library (there's no manual entry) -
895 But what with? We also use OCSP_basic_verify in the client stapling callback.
896 And there we NEED it; we must verify that status... unless the
897 library does it for us anyway? */
898
899 if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
900 {
901 DEBUG(D_tls)
902 {
903 ERR_error_string(ERR_get_error(), ssl_errstring);
904 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
905 }
906 goto bad;
907 }
908
909 /* Here's the simplifying assumption: there's only one response, for the
910 one certificate we use, and nothing for anything else in a chain. If this
911 proves false, we need to extract a cert id from our issued cert
912 (tls_certificate) and use that for OCSP_resp_find_status() (which finds the
913 right cert in the stack and then calls OCSP_single_get0_status()).
914
915 I'm hoping to avoid reworking a bunch more of how we handle state here. */
916
917 if (!(single_response = OCSP_resp_get0(basic_response, 0)))
918 {
919 DEBUG(D_tls)
920 debug_printf("Unable to get first response from OCSP basic response.\n");
921 goto bad;
922 }
923
924 status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
925 if (status != V_OCSP_CERTSTATUS_GOOD)
926 {
927 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
928 OCSP_cert_status_str(status), status,
929 OCSP_crl_reason_str(reason), reason);
930 goto bad;
931 }
932
933 if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
934 {
935 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
936 goto bad;
937 }
938
939 supply_response:
940 cbinfo->u_ocsp.server.response = resp; /*XXX stack?*/
941 return;
942
943 bad:
944 if (running_in_test_harness)
945 {
946 extern char ** environ;
947 uschar ** p;
948 if (environ) for (p = USS environ; *p; p++)
949 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
950 {
951 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
952 goto supply_response;
953 }
954 }
955 return;
956 }
957 #endif /*!DISABLE_OCSP*/
958
959
960
961
962 /* Create and install a selfsigned certificate, for use in server mode */
963
964 static int
965 tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
966 {
967 X509 * x509 = NULL;
968 EVP_PKEY * pkey;
969 RSA * rsa;
970 X509_NAME * name;
971 uschar * where;
972
973 where = US"allocating pkey";
974 if (!(pkey = EVP_PKEY_new()))
975 goto err;
976
977 where = US"allocating cert";
978 if (!(x509 = X509_new()))
979 goto err;
980
981 where = US"generating pkey";
982 if (!(rsa = rsa_callback(NULL, 0, 1024)))
983 goto err;
984
985 where = US"assigning pkey";
986 if (!EVP_PKEY_assign_RSA(pkey, rsa))
987 goto err;
988
989 X509_set_version(x509, 2); /* N+1 - version 3 */
990 ASN1_INTEGER_set(X509_get_serialNumber(x509), 0);
991 X509_gmtime_adj(X509_get_notBefore(x509), 0);
992 X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
993 X509_set_pubkey(x509, pkey);
994
995 name = X509_get_subject_name(x509);
996 X509_NAME_add_entry_by_txt(name, "C",
997 MBSTRING_ASC, CUS "UK", -1, -1, 0);
998 X509_NAME_add_entry_by_txt(name, "O",
999 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
1000 X509_NAME_add_entry_by_txt(name, "CN",
1001 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
1002 X509_set_issuer_name(x509, name);
1003
1004 where = US"signing cert";
1005 if (!X509_sign(x509, pkey, EVP_md5()))
1006 goto err;
1007
1008 where = US"installing selfsign cert";
1009 if (!SSL_CTX_use_certificate(sctx, x509))
1010 goto err;
1011
1012 where = US"installing selfsign key";
1013 if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1014 goto err;
1015
1016 return OK;
1017
1018 err:
1019 (void) tls_error(where, NULL, NULL, errstr);
1020 if (x509) X509_free(x509);
1021 if (pkey) EVP_PKEY_free(pkey);
1022 return DEFER;
1023 }
1024
1025
1026
1027
1028 static int
1029 tls_add_certfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1030 uschar ** errstr)
1031 {
1032 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", file);
1033 if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1034 return tls_error(string_sprintf(
1035 "SSL_CTX_use_certificate_chain_file file=%s", file),
1036 cbinfo->host, NULL, errstr);
1037 return 0;
1038 }
1039
1040 static int
1041 tls_add_pkeyfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1042 uschar ** errstr)
1043 {
1044 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", file);
1045 if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1046 return tls_error(string_sprintf(
1047 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1048 return 0;
1049 }
1050
1051
1052 /*************************************************
1053 * Expand key and cert file specs *
1054 *************************************************/
1055
1056 /* Called once during tls_init and possibly again during TLS setup, for a
1057 new context, if Server Name Indication was used and tls_sni was seen in
1058 the certificate string.
1059
1060 Arguments:
1061 sctx the SSL_CTX* to update
1062 cbinfo various parts of session state
1063 errstr error string pointer
1064
1065 Returns: OK/DEFER/FAIL
1066 */
1067
1068 static int
1069 tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo,
1070 uschar ** errstr)
1071 {
1072 uschar *expanded;
1073
1074 if (!cbinfo->certificate)
1075 {
1076 if (!cbinfo->is_server) /* client */
1077 return OK;
1078 /* server */
1079 if (tls_install_selfsign(sctx, errstr) != OK)
1080 return DEFER;
1081 }
1082 else
1083 {
1084 int err;
1085
1086 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
1087 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
1088 Ustrstr(cbinfo->certificate, US"tls_out_sni")
1089 )
1090 reexpand_tls_files_for_sni = TRUE;
1091
1092 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
1093 return DEFER;
1094
1095 if (expanded)
1096 if (cbinfo->is_server)
1097 {
1098 const uschar * file_list = expanded;
1099 int sep = 0;
1100 uschar * file;
1101
1102 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1103 if ((err = tls_add_certfile(sctx, cbinfo, file, errstr)))
1104 return err;
1105 }
1106 else /* would there ever be a need for multiple client certs? */
1107 if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
1108 return err;
1109
1110 if (cbinfo->privatekey != NULL &&
1111 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
1112 return DEFER;
1113
1114 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1115 of the expansion is an empty string, ignore it also, and assume the private
1116 key is in the same file as the certificate. */
1117
1118 if (expanded && *expanded)
1119 if (cbinfo->is_server)
1120 {
1121 const uschar * file_list = expanded;
1122 int sep = 0;
1123 uschar * file;
1124
1125 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1126 if ((err = tls_add_pkeyfile(sctx, cbinfo, file, errstr)))
1127 return err;
1128 }
1129 else /* would there ever be a need for multiple client certs? */
1130 if ((err = tls_add_pkeyfile(sctx, cbinfo, expanded, errstr)))
1131 return err;
1132 }
1133
1134 #ifndef DISABLE_OCSP
1135 if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
1136 {
1137 /*XXX stack*/
1138 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded, errstr))
1139 return DEFER;
1140
1141 if (expanded && *expanded)
1142 {
1143 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
1144 if ( cbinfo->u_ocsp.server.file_expanded
1145 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
1146 {
1147 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1148 }
1149 else
1150 ocsp_load_response(sctx, cbinfo, expanded);
1151 }
1152 }
1153 #endif
1154
1155 return OK;
1156 }
1157
1158
1159
1160
1161 /*************************************************
1162 * Callback to handle SNI *
1163 *************************************************/
1164
1165 /* Called when acting as server during the TLS session setup if a Server Name
1166 Indication extension was sent by the client.
1167
1168 API documentation is OpenSSL s_server.c implementation.
1169
1170 Arguments:
1171 s SSL* of the current session
1172 ad unknown (part of OpenSSL API) (unused)
1173 arg Callback of "our" registered data
1174
1175 Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
1176 */
1177
1178 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1179 static int
1180 tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1181 {
1182 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
1183 tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1184 int rc;
1185 int old_pool = store_pool;
1186 uschar * dummy_errstr;
1187
1188 if (!servername)
1189 return SSL_TLSEXT_ERR_OK;
1190
1191 DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
1192 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1193
1194 /* Make the extension value available for expansion */
1195 store_pool = POOL_PERM;
1196 tls_in.sni = string_copy(US servername);
1197 store_pool = old_pool;
1198
1199 if (!reexpand_tls_files_for_sni)
1200 return SSL_TLSEXT_ERR_OK;
1201
1202 /* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1203 not confident that memcpy wouldn't break some internal reference counting.
1204 Especially since there's a references struct member, which would be off. */
1205
1206 if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
1207 {
1208 ERR_error_string(ERR_get_error(), ssl_errstring);
1209 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
1210 return SSL_TLSEXT_ERR_NOACK;
1211 }
1212
1213 /* Not sure how many of these are actually needed, since SSL object
1214 already exists. Might even need this selfsame callback, for reneg? */
1215
1216 SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1217 SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1218 SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1219 SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1220 SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1221 SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
1222
1223 if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1224 || !init_ecdh(server_sni, NULL, &dummy_errstr)
1225 )
1226 return SSL_TLSEXT_ERR_NOACK;
1227
1228 if (cbinfo->server_cipher_list)
1229 SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
1230 #ifndef DISABLE_OCSP
1231 if (cbinfo->u_ocsp.server.file)
1232 {
1233 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
1234 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
1235 }
1236 #endif
1237
1238 if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
1239 verify_callback_server, &dummy_errstr)) != OK)
1240 return SSL_TLSEXT_ERR_NOACK;
1241
1242 /* do this after setup_certs, because this can require the certs for verifying
1243 OCSP information. */
1244 if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
1245 return SSL_TLSEXT_ERR_NOACK;
1246
1247 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
1248 SSL_set_SSL_CTX(s, server_sni);
1249
1250 return SSL_TLSEXT_ERR_OK;
1251 }
1252 #endif /* EXIM_HAVE_OPENSSL_TLSEXT */
1253
1254
1255
1256
1257 #ifndef DISABLE_OCSP
1258
1259 /*************************************************
1260 * Callback to handle OCSP Stapling *
1261 *************************************************/
1262
1263 /* Called when acting as server during the TLS session setup if the client
1264 requests OCSP information with a Certificate Status Request.
1265
1266 Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1267 project.
1268
1269 */
1270
1271 static int
1272 tls_server_stapling_cb(SSL *s, void *arg)
1273 {
1274 const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1275 uschar *response_der; /*XXX blob */
1276 int response_der_len;
1277
1278 /*XXX stack: use SSL_get_certificate() to see which cert; from that work
1279 out which ocsp blob to send. Unfortunately, SSL_get_certificate is known
1280 buggy in current OpenSSL; it returns the last cert loaded always rather than
1281 the one actually presented. So we can't support a stack of OCSP proofs at
1282 this time. */
1283
1284 DEBUG(D_tls)
1285 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
1286 cbinfo->u_ocsp.server.response ? "have" : "lack");
1287
1288 tls_in.ocsp = OCSP_NOT_RESP;
1289 if (!cbinfo->u_ocsp.server.response)
1290 return SSL_TLSEXT_ERR_NOACK;
1291
1292 response_der = NULL;
1293 response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, /*XXX stack*/
1294 &response_der);
1295 if (response_der_len <= 0)
1296 return SSL_TLSEXT_ERR_NOACK;
1297
1298 SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
1299 tls_in.ocsp = OCSP_VFIED;
1300 return SSL_TLSEXT_ERR_OK;
1301 }
1302
1303
1304 static void
1305 time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1306 {
1307 BIO_printf(bp, "\t%s: ", str);
1308 ASN1_GENERALIZEDTIME_print(bp, time);
1309 BIO_puts(bp, "\n");
1310 }
1311
1312 static int
1313 tls_client_stapling_cb(SSL *s, void *arg)
1314 {
1315 tls_ext_ctx_cb * cbinfo = arg;
1316 const unsigned char * p;
1317 int len;
1318 OCSP_RESPONSE * rsp;
1319 OCSP_BASICRESP * bs;
1320 int i;
1321
1322 DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1323 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1324 if(!p)
1325 {
1326 /* Expect this when we requested ocsp but got none */
1327 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
1328 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
1329 else
1330 DEBUG(D_tls) debug_printf(" null\n");
1331 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1332 }
1333
1334 if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1335 {
1336 tls_out.ocsp = OCSP_FAILED;
1337 if (LOGGING(tls_cipher))
1338 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
1339 else
1340 DEBUG(D_tls) debug_printf(" parse error\n");
1341 return 0;
1342 }
1343
1344 if(!(bs = OCSP_response_get1_basic(rsp)))
1345 {
1346 tls_out.ocsp = OCSP_FAILED;
1347 if (LOGGING(tls_cipher))
1348 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
1349 else
1350 DEBUG(D_tls) debug_printf(" error parsing response\n");
1351 OCSP_RESPONSE_free(rsp);
1352 return 0;
1353 }
1354
1355 /* We'd check the nonce here if we'd put one in the request. */
1356 /* However that would defeat cacheability on the server so we don't. */
1357
1358 /* This section of code reworked from OpenSSL apps source;
1359 The OpenSSL Project retains copyright:
1360 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1361 */
1362 {
1363 BIO * bp = NULL;
1364 int status, reason;
1365 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1366
1367 DEBUG(D_tls) bp = BIO_new_fp(stderr, BIO_NOCLOSE);
1368
1369 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1370
1371 /* Use the chain that verified the server cert to verify the stapled info */
1372 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1373
1374 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
1375 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
1376 {
1377 tls_out.ocsp = OCSP_FAILED;
1378 if (LOGGING(tls_cipher))
1379 log_write(0, LOG_MAIN, "Received TLS cert status response, itself unverifiable");
1380 BIO_printf(bp, "OCSP response verify failure\n");
1381 ERR_print_errors(bp);
1382 goto failed;
1383 }
1384
1385 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1386
1387 /*XXX So we have a good stapled OCSP status. How do we know
1388 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1389 OCSP_resp_find_status() which matches on a cert id, which presumably
1390 we should use. Making an id needs OCSP_cert_id_new(), which takes
1391 issuerName, issuerKey, serialNumber. Are they all in the cert?
1392
1393 For now, carry on blindly accepting the resp. */
1394
1395 {
1396 OCSP_SINGLERESP * single;
1397
1398 #ifdef EXIM_HAVE_OCSP_RESP_COUNT
1399 if (OCSP_resp_count(bs) != 1)
1400 #else
1401 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
1402 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
1403 #endif
1404 {
1405 tls_out.ocsp = OCSP_FAILED;
1406 log_write(0, LOG_MAIN, "OCSP stapling "
1407 "with multiple responses not handled");
1408 goto failed;
1409 }
1410 single = OCSP_resp_get0(bs, 0);
1411 status = OCSP_single_get0_status(single, &reason, &rev,
1412 &thisupd, &nextupd);
1413 }
1414
1415 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1416 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
1417 if (!OCSP_check_validity(thisupd, nextupd,
1418 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1419 {
1420 tls_out.ocsp = OCSP_FAILED;
1421 DEBUG(D_tls) ERR_print_errors(bp);
1422 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
1423 }
1424 else
1425 {
1426 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1427 OCSP_cert_status_str(status));
1428 switch(status)
1429 {
1430 case V_OCSP_CERTSTATUS_GOOD:
1431 tls_out.ocsp = OCSP_VFIED;
1432 i = 1;
1433 goto good;
1434 case V_OCSP_CERTSTATUS_REVOKED:
1435 tls_out.ocsp = OCSP_FAILED;
1436 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1437 reason != -1 ? "; reason: " : "",
1438 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1439 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
1440 break;
1441 default:
1442 tls_out.ocsp = OCSP_FAILED;
1443 log_write(0, LOG_MAIN,
1444 "Server certificate status unknown, in OCSP stapling");
1445 break;
1446 }
1447 }
1448 failed:
1449 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1450 good:
1451 BIO_free(bp);
1452 }
1453
1454 OCSP_RESPONSE_free(rsp);
1455 return i;
1456 }
1457 #endif /*!DISABLE_OCSP*/
1458
1459
1460 /*************************************************
1461 * Initialize for TLS *
1462 *************************************************/
1463
1464 /* Called from both server and client code, to do preliminary initialization
1465 of the library. We allocate and return a context structure.
1466
1467 Arguments:
1468 ctxp returned SSL context
1469 host connected host, if client; NULL if server
1470 dhparam DH parameter file
1471 certificate certificate file
1472 privatekey private key
1473 ocsp_file file of stapling info (server); flag for require ocsp (client)
1474 addr address if client; NULL if server (for some randomness)
1475 cbp place to put allocated callback context
1476 errstr error string pointer
1477
1478 Returns: OK/DEFER/FAIL
1479 */
1480
1481 static int
1482 tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
1483 uschar *privatekey,
1484 #ifndef DISABLE_OCSP
1485 uschar *ocsp_file, /*XXX stack, in server*/
1486 #endif
1487 address_item *addr, tls_ext_ctx_cb ** cbp, uschar ** errstr)
1488 {
1489 SSL_CTX * ctx;
1490 long init_options;
1491 int rc;
1492 tls_ext_ctx_cb * cbinfo;
1493
1494 cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1495 cbinfo->certificate = certificate;
1496 cbinfo->privatekey = privatekey;
1497 cbinfo->is_server = host==NULL;
1498 #ifndef DISABLE_OCSP
1499 cbinfo->verify_stack = NULL;
1500 if (!host)
1501 {
1502 cbinfo->u_ocsp.server.file = ocsp_file;
1503 cbinfo->u_ocsp.server.file_expanded = NULL;
1504 cbinfo->u_ocsp.server.response = NULL;
1505 }
1506 else
1507 cbinfo->u_ocsp.client.verify_store = NULL;
1508 #endif
1509 cbinfo->dhparam = dhparam;
1510 cbinfo->server_cipher_list = NULL;
1511 cbinfo->host = host;
1512 #ifndef DISABLE_EVENT
1513 cbinfo->event_action = NULL;
1514 #endif
1515
1516 SSL_load_error_strings(); /* basic set up */
1517 OpenSSL_add_ssl_algorithms();
1518
1519 #ifdef EXIM_HAVE_SHA256
1520 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
1521 list of available digests. */
1522 EVP_add_digest(EVP_sha256());
1523 #endif
1524
1525 /* Create a context.
1526 The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1527 negotiation in the different methods; as far as I can tell, the only
1528 *_{server,client}_method which allows negotiation is SSLv23, which exists even
1529 when OpenSSL is built without SSLv2 support.
1530 By disabling with openssl_options, we can let admins re-enable with the
1531 existing knob. */
1532
1533 if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
1534 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
1535
1536 /* It turns out that we need to seed the random number generator this early in
1537 order to get the full complement of ciphers to work. It took me roughly a day
1538 of work to discover this by experiment.
1539
1540 On systems that have /dev/urandom, SSL may automatically seed itself from
1541 there. Otherwise, we have to make something up as best we can. Double check
1542 afterwards. */
1543
1544 if (!RAND_status())
1545 {
1546 randstuff r;
1547 gettimeofday(&r.tv, NULL);
1548 r.p = getpid();
1549
1550 RAND_seed(US (&r), sizeof(r));
1551 RAND_seed(US big_buffer, big_buffer_size);
1552 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
1553
1554 if (!RAND_status())
1555 return tls_error(US"RAND_status", host,
1556 US"unable to seed random number generator", errstr);
1557 }
1558
1559 /* Set up the information callback, which outputs if debugging is at a suitable
1560 level. */
1561
1562 DEBUG(D_tls) SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
1563
1564 /* Automatically re-try reads/writes after renegotiation. */
1565 (void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
1566
1567 /* Apply administrator-supplied work-arounds.
1568 Historically we applied just one requested option,
1569 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1570 moved to an administrator-controlled list of options to specify and
1571 grandfathered in the first one as the default value for "openssl_options".
1572
1573 No OpenSSL version number checks: the options we accept depend upon the
1574 availability of the option value macros from OpenSSL. */
1575
1576 if (!tls_openssl_options_parse(openssl_options, &init_options))
1577 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
1578
1579 if (init_options)
1580 {
1581 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
1582 if (!(SSL_CTX_set_options(ctx, init_options)))
1583 return tls_error(string_sprintf(
1584 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
1585 }
1586 else
1587 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
1588
1589 /* Disable session cache unconditionally */
1590
1591 (void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
1592
1593 /* Initialize with DH parameters if supplied */
1594 /* Initialize ECDH temp key parameter selection */
1595
1596 if ( !init_dh(ctx, dhparam, host, errstr)
1597 || !init_ecdh(ctx, host, errstr)
1598 )
1599 return DEFER;
1600
1601 /* Set up certificate and key (and perhaps OCSP info) */
1602
1603 if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
1604 return rc;
1605
1606 /* If we need to handle SNI or OCSP, do so */
1607
1608 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
1609 # ifndef DISABLE_OCSP
1610 if (!(cbinfo->verify_stack = sk_X509_new_null()))
1611 {
1612 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
1613 return FAIL;
1614 }
1615 # endif
1616
1617 if (host == NULL) /* server */
1618 {
1619 # ifndef DISABLE_OCSP
1620 /* We check u_ocsp.server.file, not server.response, because we care about if
1621 the option exists, not what the current expansion might be, as SNI might
1622 change the certificate and OCSP file in use between now and the time the
1623 callback is invoked. */
1624 if (cbinfo->u_ocsp.server.file)
1625 {
1626 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
1627 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
1628 }
1629 # endif
1630 /* We always do this, so that $tls_sni is available even if not used in
1631 tls_certificate */
1632 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
1633 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
1634 }
1635 # ifndef DISABLE_OCSP
1636 else /* client */
1637 if(ocsp_file) /* wanting stapling */
1638 {
1639 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1640 {
1641 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1642 return FAIL;
1643 }
1644 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
1645 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
1646 }
1647 # endif
1648 #endif
1649
1650 cbinfo->verify_cert_hostnames = NULL;
1651
1652 #ifdef EXIM_HAVE_EPHEM_RSA_KEX
1653 /* Set up the RSA callback */
1654 SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
1655 #endif
1656
1657 /* Finally, set the timeout, and we are done */
1658
1659 SSL_CTX_set_timeout(ctx, ssl_session_timeout);
1660 DEBUG(D_tls) debug_printf("Initialized TLS\n");
1661
1662 *cbp = cbinfo;
1663 *ctxp = ctx;
1664
1665 return OK;
1666 }
1667
1668
1669
1670
1671 /*************************************************
1672 * Get name of cipher in use *
1673 *************************************************/
1674
1675 /*
1676 Argument: pointer to an SSL structure for the connection
1677 buffer to use for answer
1678 size of buffer
1679 pointer to number of bits for cipher
1680 Returns: nothing
1681 */
1682
1683 static void
1684 construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
1685 {
1686 /* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
1687 yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1688 the accessor functions use const in the prototype. */
1689 const SSL_CIPHER *c;
1690 const uschar *ver;
1691
1692 ver = (const uschar *)SSL_get_version(ssl);
1693
1694 c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
1695 SSL_CIPHER_get_bits(c, bits);
1696
1697 string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1698 SSL_CIPHER_get_name(c), *bits);
1699
1700 DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1701 }
1702
1703
1704 static void
1705 peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned bsize)
1706 {
1707 /*XXX we might consider a list-of-certs variable for the cert chain.
1708 SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
1709 in list-handling functions, also consider the difference between the entire
1710 chain and the elements sent by the peer. */
1711
1712 /* Will have already noted peercert on a verify fail; possibly not the leaf */
1713 if (!tlsp->peercert)
1714 tlsp->peercert = SSL_get_peer_certificate(ssl);
1715 /* Beware anonymous ciphers which lead to server_cert being NULL */
1716 if (tlsp->peercert)
1717 {
1718 X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, bsize);
1719 peerdn[bsize-1] = '\0';
1720 tlsp->peerdn = peerdn; /*XXX a static buffer... */
1721 }
1722 else
1723 tlsp->peerdn = NULL;
1724 }
1725
1726
1727
1728
1729
1730 /*************************************************
1731 * Set up for verifying certificates *
1732 *************************************************/
1733
1734 /* Load certs from file, return TRUE on success */
1735
1736 static BOOL
1737 chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
1738 {
1739 BIO * bp;
1740 X509 * x;
1741
1742 if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
1743 while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
1744 sk_X509_push(verify_stack, x);
1745 BIO_free(bp);
1746 return TRUE;
1747 }
1748
1749
1750
1751 /* Called by both client and server startup
1752
1753 Arguments:
1754 sctx SSL_CTX* to initialise
1755 certs certs file or NULL
1756 crl CRL file or NULL
1757 host NULL in a server; the remote host in a client
1758 optional TRUE if called from a server for a host in tls_try_verify_hosts;
1759 otherwise passed as FALSE
1760 cert_vfy_cb Callback function for certificate verification
1761 errstr error string pointer
1762
1763 Returns: OK/DEFER/FAIL
1764 */
1765
1766 static int
1767 setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
1768 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
1769 {
1770 uschar *expcerts, *expcrl;
1771
1772 if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
1773 return DEFER;
1774 DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
1775
1776 if (expcerts && *expcerts)
1777 {
1778 /* Tell the library to use its compiled-in location for the system default
1779 CA bundle. Then add the ones specified in the config, if any. */
1780
1781 if (!SSL_CTX_set_default_verify_paths(sctx))
1782 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
1783
1784 if (Ustrcmp(expcerts, "system") != 0)
1785 {
1786 struct stat statbuf;
1787
1788 if (Ustat(expcerts, &statbuf) < 0)
1789 {
1790 log_write(0, LOG_MAIN|LOG_PANIC,
1791 "failed to stat %s for certificates", expcerts);
1792 return DEFER;
1793 }
1794 else
1795 {
1796 uschar *file, *dir;
1797 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1798 { file = NULL; dir = expcerts; }
1799 else
1800 {
1801 file = expcerts; dir = NULL;
1802 #ifndef DISABLE_OCSP
1803 /* In the server if we will be offering an OCSP proof, load chain from
1804 file for verifying the OCSP proof at load time. */
1805
1806 if ( !host
1807 && statbuf.st_size > 0
1808 && server_static_cbinfo->u_ocsp.server.file
1809 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
1810 )
1811 {
1812 log_write(0, LOG_MAIN|LOG_PANIC,
1813 "failed to load cert hain from %s", file);
1814 return DEFER;
1815 }
1816 #endif
1817 }
1818
1819 /* If a certificate file is empty, the next function fails with an
1820 unhelpful error message. If we skip it, we get the correct behaviour (no
1821 certificates are recognized, but the error message is still misleading (it
1822 says no certificate was supplied). But this is better. */
1823
1824 if ( (!file || statbuf.st_size > 0)
1825 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
1826 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
1827
1828 /* Load the list of CAs for which we will accept certs, for sending
1829 to the client. This is only for the one-file tls_verify_certificates
1830 variant.
1831 If a list isn't loaded into the server, but
1832 some verify locations are set, the server end appears to make
1833 a wildcard request for client certs.
1834 Meanwhile, the client library as default behaviour *ignores* the list
1835 we send over the wire - see man SSL_CTX_set_client_cert_cb.
1836 Because of this, and that the dir variant is likely only used for
1837 the public-CA bundle (not for a private CA), not worth fixing.
1838 */
1839 if (file)
1840 {
1841 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
1842
1843 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
1844 sk_X509_NAME_num(names));
1845 SSL_CTX_set_client_CA_list(sctx, names);
1846 }
1847 }
1848 }
1849
1850 /* Handle a certificate revocation list. */
1851
1852 #if OPENSSL_VERSION_NUMBER > 0x00907000L
1853
1854 /* This bit of code is now the version supplied by Lars Mainka. (I have
1855 merely reformatted it into the Exim code style.)
1856
1857 "From here I changed the code to add support for multiple crl's
1858 in pem format in one file or to support hashed directory entries in
1859 pem format instead of a file. This method now uses the library function
1860 X509_STORE_load_locations to add the CRL location to the SSL context.
1861 OpenSSL will then handle the verify against CA certs and CRLs by
1862 itself in the verify callback." */
1863
1864 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
1865 if (expcrl && *expcrl)
1866 {
1867 struct stat statbufcrl;
1868 if (Ustat(expcrl, &statbufcrl) < 0)
1869 {
1870 log_write(0, LOG_MAIN|LOG_PANIC,
1871 "failed to stat %s for certificates revocation lists", expcrl);
1872 return DEFER;
1873 }
1874 else
1875 {
1876 /* is it a file or directory? */
1877 uschar *file, *dir;
1878 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
1879 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
1880 {
1881 file = NULL;
1882 dir = expcrl;
1883 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
1884 }
1885 else
1886 {
1887 file = expcrl;
1888 dir = NULL;
1889 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
1890 }
1891 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
1892 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
1893
1894 /* setting the flags to check against the complete crl chain */
1895
1896 X509_STORE_set_flags(cvstore,
1897 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
1898 }
1899 }
1900
1901 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
1902
1903 /* If verification is optional, don't fail if no certificate */
1904
1905 SSL_CTX_set_verify(sctx,
1906 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
1907 cert_vfy_cb);
1908 }
1909
1910 return OK;
1911 }
1912
1913
1914
1915 /*************************************************
1916 * Start a TLS session in a server *
1917 *************************************************/
1918
1919 /* This is called when Exim is running as a server, after having received
1920 the STARTTLS command. It must respond to that command, and then negotiate
1921 a TLS session.
1922
1923 Arguments:
1924 require_ciphers allowed ciphers
1925 errstr pointer to error message
1926
1927 Returns: OK on success
1928 DEFER for errors before the start of the negotiation
1929 FAIL for errors during the negotiation; the server can't
1930 continue running.
1931 */
1932
1933 int
1934 tls_server_start(const uschar * require_ciphers, uschar ** errstr)
1935 {
1936 int rc;
1937 uschar * expciphers;
1938 tls_ext_ctx_cb * cbinfo;
1939 static uschar peerdn[256];
1940 static uschar cipherbuf[256];
1941
1942 /* Check for previous activation */
1943
1944 if (tls_in.active >= 0)
1945 {
1946 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
1947 smtp_printf("554 Already in TLS\r\n", FALSE);
1948 return FAIL;
1949 }
1950
1951 /* Initialize the SSL library. If it fails, it will already have logged
1952 the error. */
1953
1954 rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
1955 #ifndef DISABLE_OCSP
1956 tls_ocsp_file, /*XXX stack*/
1957 #endif
1958 NULL, &server_static_cbinfo, errstr);
1959 if (rc != OK) return rc;
1960 cbinfo = server_static_cbinfo;
1961
1962 if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
1963 return FAIL;
1964
1965 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1966 were historically separated by underscores. So that I can use either form in my
1967 tests, and also for general convenience, we turn underscores into hyphens here.
1968 */
1969
1970 if (expciphers)
1971 {
1972 uschar * s = expciphers;
1973 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1974 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
1975 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
1976 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
1977 cbinfo->server_cipher_list = expciphers;
1978 }
1979
1980 /* If this is a host for which certificate verification is mandatory or
1981 optional, set up appropriately. */
1982
1983 tls_in.certificate_verified = FALSE;
1984 #ifdef EXPERIMENTAL_DANE
1985 tls_in.dane_verified = FALSE;
1986 #endif
1987 server_verify_callback_called = FALSE;
1988
1989 if (verify_check_host(&tls_verify_hosts) == OK)
1990 {
1991 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1992 FALSE, verify_callback_server, errstr);
1993 if (rc != OK) return rc;
1994 server_verify_optional = FALSE;
1995 }
1996 else if (verify_check_host(&tls_try_verify_hosts) == OK)
1997 {
1998 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1999 TRUE, verify_callback_server, errstr);
2000 if (rc != OK) return rc;
2001 server_verify_optional = TRUE;
2002 }
2003
2004 /* Prepare for new connection */
2005
2006 if (!(server_ssl = SSL_new(server_ctx)))
2007 return tls_error(US"SSL_new", NULL, NULL, errstr);
2008
2009 /* Warning: we used to SSL_clear(ssl) here, it was removed.
2010 *
2011 * With the SSL_clear(), we get strange interoperability bugs with
2012 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
2013 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
2014 *
2015 * The SSL_clear() call is to let an existing SSL* be reused, typically after
2016 * session shutdown. In this case, we have a brand new object and there's no
2017 * obvious reason to immediately clear it. I'm guessing that this was
2018 * originally added because of incomplete initialisation which the clear fixed,
2019 * in some historic release.
2020 */
2021
2022 /* Set context and tell client to go ahead, except in the case of TLS startup
2023 on connection, where outputting anything now upsets the clients and tends to
2024 make them disconnect. We need to have an explicit fflush() here, to force out
2025 the response. Other smtp_printf() calls do not need it, because in non-TLS
2026 mode, the fflush() happens when smtp_getc() is called. */
2027
2028 SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
2029 if (!tls_in.on_connect)
2030 {
2031 smtp_printf("220 TLS go ahead\r\n", FALSE);
2032 fflush(smtp_out);
2033 }
2034
2035 /* Now negotiate the TLS session. We put our own timer on it, since it seems
2036 that the OpenSSL library doesn't. */
2037
2038 SSL_set_wfd(server_ssl, fileno(smtp_out));
2039 SSL_set_rfd(server_ssl, fileno(smtp_in));
2040 SSL_set_accept_state(server_ssl);
2041
2042 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
2043
2044 sigalrm_seen = FALSE;
2045 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
2046 rc = SSL_accept(server_ssl);
2047 alarm(0);
2048
2049 if (rc <= 0)
2050 {
2051 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
2052 return FAIL;
2053 }
2054
2055 DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
2056
2057 /* TLS has been set up. Adjust the input functions to read via TLS,
2058 and initialize things. */
2059
2060 peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2061
2062 construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
2063 tls_in.cipher = cipherbuf;
2064
2065 DEBUG(D_tls)
2066 {
2067 uschar buf[2048];
2068 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
2069 debug_printf("Shared ciphers: %s\n", buf);
2070 }
2071
2072 /* Record the certificate we presented */
2073 {
2074 X509 * crt = SSL_get_certificate(server_ssl);
2075 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2076 }
2077
2078 /* Only used by the server-side tls (tls_in), including tls_getc.
2079 Client-side (tls_out) reads (seem to?) go via
2080 smtp_read_response()/ip_recv().
2081 Hence no need to duplicate for _in and _out.
2082 */
2083 ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
2084 ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
2085 ssl_xfer_eof = ssl_xfer_error = 0;
2086
2087 receive_getc = tls_getc;
2088 receive_getbuf = tls_getbuf;
2089 receive_get_cache = tls_get_cache;
2090 receive_ungetc = tls_ungetc;
2091 receive_feof = tls_feof;
2092 receive_ferror = tls_ferror;
2093 receive_smtp_buffered = tls_smtp_buffered;
2094
2095 tls_in.active = fileno(smtp_out);
2096 return OK;
2097 }
2098
2099
2100
2101
2102 static int
2103 tls_client_basic_ctx_init(SSL_CTX * ctx,
2104 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2105 uschar ** errstr)
2106 {
2107 int rc;
2108 /* stick to the old behaviour for compatibility if tls_verify_certificates is
2109 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2110 the specified host patterns if one of them is defined */
2111
2112 if ( ( !ob->tls_verify_hosts
2113 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2114 )
2115 || (verify_check_given_host(&ob->tls_verify_hosts, host) == OK)
2116 )
2117 client_verify_optional = FALSE;
2118 else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
2119 client_verify_optional = TRUE;
2120 else
2121 return OK;
2122
2123 if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
2124 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2125 errstr)) != OK)
2126 return rc;
2127
2128 if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
2129 {
2130 cbinfo->verify_cert_hostnames =
2131 #ifdef SUPPORT_I18N
2132 string_domain_utf8_to_alabel(host->name, NULL);
2133 #else
2134 host->name;
2135 #endif
2136 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2137 cbinfo->verify_cert_hostnames);
2138 }
2139 return OK;
2140 }
2141
2142
2143 #ifdef EXPERIMENTAL_DANE
2144 static int
2145 dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
2146 {
2147 dns_record * rr;
2148 dns_scan dnss;
2149 const char * hostnames[2] = { CS host->name, NULL };
2150 int found = 0;
2151
2152 if (DANESSL_init(ssl, NULL, hostnames) != 1)
2153 return tls_error(US"hostnames load", host, NULL, errstr);
2154
2155 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
2156 rr;
2157 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
2158 ) if (rr->type == T_TLSA)
2159 {
2160 const uschar * p = rr->data;
2161 uint8_t usage, selector, mtype;
2162 const char * mdname;
2163
2164 usage = *p++;
2165
2166 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2167 if (usage != 2 && usage != 3) continue;
2168
2169 selector = *p++;
2170 mtype = *p++;
2171
2172 switch (mtype)
2173 {
2174 default: continue; /* Only match-types 0, 1, 2 are supported */
2175 case 0: mdname = NULL; break;
2176 case 1: mdname = "sha256"; break;
2177 case 2: mdname = "sha512"; break;
2178 }
2179
2180 found++;
2181 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2182 {
2183 default:
2184 return tls_error(US"tlsa load", host, NULL, errstr);
2185 case 0: /* action not taken */
2186 case 1: break;
2187 }
2188
2189 tls_out.tlsa_usage |= 1<<usage;
2190 }
2191
2192 if (found)
2193 return OK;
2194
2195 log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
2196 return DEFER;
2197 }
2198 #endif /*EXPERIMENTAL_DANE*/
2199
2200
2201
2202 /*************************************************
2203 * Start a TLS session in a client *
2204 *************************************************/
2205
2206 /* Called from the smtp transport after STARTTLS has been accepted.
2207
2208 Argument:
2209 fd the fd of the connection
2210 host connected host (for messages)
2211 addr the first address
2212 tb transport (always smtp)
2213 tlsa_dnsa tlsa lookup, if DANE, else null
2214 errstr error string pointer
2215
2216 Returns: OK on success
2217 FAIL otherwise - note that tls_error() will not give DEFER
2218 because this is not a server
2219 */
2220
2221 int
2222 tls_client_start(int fd, host_item *host, address_item *addr,
2223 transport_instance * tb,
2224 #ifdef EXPERIMENTAL_DANE
2225 dns_answer * tlsa_dnsa,
2226 #endif
2227 uschar ** errstr)
2228 {
2229 smtp_transport_options_block * ob =
2230 (smtp_transport_options_block *)tb->options_block;
2231 static uschar peerdn[256];
2232 uschar * expciphers;
2233 int rc;
2234 static uschar cipherbuf[256];
2235
2236 #ifndef DISABLE_OCSP
2237 BOOL request_ocsp = FALSE;
2238 BOOL require_ocsp = FALSE;
2239 #endif
2240
2241 #ifdef EXPERIMENTAL_DANE
2242 tls_out.tlsa_usage = 0;
2243 #endif
2244
2245 #ifndef DISABLE_OCSP
2246 {
2247 # ifdef EXPERIMENTAL_DANE
2248 if ( tlsa_dnsa
2249 && ob->hosts_request_ocsp[0] == '*'
2250 && ob->hosts_request_ocsp[1] == '\0'
2251 )
2252 {
2253 /* Unchanged from default. Use a safer one under DANE */
2254 request_ocsp = TRUE;
2255 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2256 " {= {4}{$tls_out_tlsa_usage}} } "
2257 " {*}{}}";
2258 }
2259 # endif
2260
2261 if ((require_ocsp =
2262 verify_check_given_host(&ob->hosts_require_ocsp, host) == OK))
2263 request_ocsp = TRUE;
2264 else
2265 # ifdef EXPERIMENTAL_DANE
2266 if (!request_ocsp)
2267 # endif
2268 request_ocsp =
2269 verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
2270 }
2271 #endif
2272
2273 rc = tls_init(&client_ctx, host, NULL,
2274 ob->tls_certificate, ob->tls_privatekey,
2275 #ifndef DISABLE_OCSP
2276 (void *)(long)request_ocsp,
2277 #endif
2278 addr, &client_static_cbinfo, errstr);
2279 if (rc != OK) return rc;
2280
2281 tls_out.certificate_verified = FALSE;
2282 client_verify_callback_called = FALSE;
2283
2284 if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
2285 &expciphers, errstr))
2286 return FAIL;
2287
2288 /* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2289 are separated by underscores. So that I can use either form in my tests, and
2290 also for general convenience, we turn underscores into hyphens here. */
2291
2292 if (expciphers)
2293 {
2294 uschar *s = expciphers;
2295 while (*s) { if (*s == '_') *s = '-'; s++; }
2296 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
2297 if (!SSL_CTX_set_cipher_list(client_ctx, CS expciphers))
2298 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
2299 }
2300
2301 #ifdef EXPERIMENTAL_DANE
2302 if (tlsa_dnsa)
2303 {
2304 SSL_CTX_set_verify(client_ctx,
2305 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2306 verify_callback_client_dane);
2307
2308 if (!DANESSL_library_init())
2309 return tls_error(US"library init", host, NULL, errstr);
2310 if (DANESSL_CTX_init(client_ctx) <= 0)
2311 return tls_error(US"context init", host, NULL, errstr);
2312 }
2313 else
2314
2315 #endif
2316
2317 if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob,
2318 client_static_cbinfo, errstr)) != OK)
2319 return rc;
2320
2321 if ((client_ssl = SSL_new(client_ctx)) == NULL)
2322 return tls_error(US"SSL_new", host, NULL, errstr);
2323 SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
2324 SSL_set_fd(client_ssl, fd);
2325 SSL_set_connect_state(client_ssl);
2326
2327 if (ob->tls_sni)
2328 {
2329 if (!expand_check(ob->tls_sni, US"tls_sni", &tls_out.sni, errstr))
2330 return FAIL;
2331 if (!tls_out.sni)
2332 {
2333 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
2334 }
2335 else if (!Ustrlen(tls_out.sni))
2336 tls_out.sni = NULL;
2337 else
2338 {
2339 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
2340 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_out.sni);
2341 SSL_set_tlsext_host_name(client_ssl, tls_out.sni);
2342 #else
2343 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
2344 tls_out.sni);
2345 #endif
2346 }
2347 }
2348
2349 #ifdef EXPERIMENTAL_DANE
2350 if (tlsa_dnsa)
2351 if ((rc = dane_tlsa_load(client_ssl, host, tlsa_dnsa, errstr)) != OK)
2352 return rc;
2353 #endif
2354
2355 #ifndef DISABLE_OCSP
2356 /* Request certificate status at connection-time. If the server
2357 does OCSP stapling we will get the callback (set in tls_init()) */
2358 # ifdef EXPERIMENTAL_DANE
2359 if (request_ocsp)
2360 {
2361 const uschar * s;
2362 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2363 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2364 )
2365 { /* Re-eval now $tls_out_tlsa_usage is populated. If
2366 this means we avoid the OCSP request, we wasted the setup
2367 cost in tls_init(). */
2368 require_ocsp = verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
2369 request_ocsp = require_ocsp
2370 || verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
2371 }
2372 }
2373 # endif
2374
2375 if (request_ocsp)
2376 {
2377 SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp);
2378 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
2379 tls_out.ocsp = OCSP_NOT_RESP;
2380 }
2381 #endif
2382
2383 #ifndef DISABLE_EVENT
2384 client_static_cbinfo->event_action = tb->event_action;
2385 #endif
2386
2387 /* There doesn't seem to be a built-in timeout on connection. */
2388
2389 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
2390 sigalrm_seen = FALSE;
2391 alarm(ob->command_timeout);
2392 rc = SSL_connect(client_ssl);
2393 alarm(0);
2394
2395 #ifdef EXPERIMENTAL_DANE
2396 if (tlsa_dnsa)
2397 DANESSL_cleanup(client_ssl);
2398 #endif
2399
2400 if (rc <= 0)
2401 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL,
2402 errstr);
2403
2404 DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
2405
2406 peer_cert(client_ssl, &tls_out, peerdn, sizeof(peerdn));
2407
2408 construct_cipher_name(client_ssl, cipherbuf, sizeof(cipherbuf), &tls_out.bits);
2409 tls_out.cipher = cipherbuf;
2410
2411 /* Record the certificate we presented */
2412 {
2413 X509 * crt = SSL_get_certificate(client_ssl);
2414 tls_out.ourcert = crt ? X509_dup(crt) : NULL;
2415 }
2416
2417 tls_out.active = fd;
2418 return OK;
2419 }
2420
2421
2422
2423
2424
2425 static BOOL
2426 tls_refill(unsigned lim)
2427 {
2428 int error;
2429 int inbytes;
2430
2431 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
2432 ssl_xfer_buffer, ssl_xfer_buffer_size);
2433
2434 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
2435 inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
2436 MIN(ssl_xfer_buffer_size, lim));
2437 error = SSL_get_error(server_ssl, inbytes);
2438 alarm(0);
2439
2440 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
2441 closed down, not that the socket itself has been closed down. Revert to
2442 non-SSL handling. */
2443
2444 if (error == SSL_ERROR_ZERO_RETURN)
2445 {
2446 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2447
2448 receive_getc = smtp_getc;
2449 receive_getbuf = smtp_getbuf;
2450 receive_get_cache = smtp_get_cache;
2451 receive_ungetc = smtp_ungetc;
2452 receive_feof = smtp_feof;
2453 receive_ferror = smtp_ferror;
2454 receive_smtp_buffered = smtp_buffered;
2455
2456 SSL_free(server_ssl);
2457 server_ssl = NULL;
2458 tls_in.active = -1;
2459 tls_in.bits = 0;
2460 tls_in.cipher = NULL;
2461 tls_in.peerdn = NULL;
2462 tls_in.sni = NULL;
2463
2464 return FALSE;
2465 }
2466
2467 /* Handle genuine errors */
2468
2469 else if (error == SSL_ERROR_SSL)
2470 {
2471 ERR_error_string(ERR_get_error(), ssl_errstring);
2472 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
2473 ssl_xfer_error = 1;
2474 return FALSE;
2475 }
2476
2477 else if (error != SSL_ERROR_NONE)
2478 {
2479 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2480 ssl_xfer_error = 1;
2481 return FALSE;
2482 }
2483
2484 #ifndef DISABLE_DKIM
2485 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
2486 #endif
2487 ssl_xfer_buffer_hwm = inbytes;
2488 ssl_xfer_buffer_lwm = 0;
2489 return TRUE;
2490 }
2491
2492
2493 /*************************************************
2494 * TLS version of getc *
2495 *************************************************/
2496
2497 /* This gets the next byte from the TLS input buffer. If the buffer is empty,
2498 it refills the buffer via the SSL reading function.
2499
2500 Arguments: lim Maximum amount to read/buffer
2501 Returns: the next character or EOF
2502
2503 Only used by the server-side TLS.
2504 */
2505
2506 int
2507 tls_getc(unsigned lim)
2508 {
2509 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2510 if (!tls_refill(lim))
2511 return ssl_xfer_error ? EOF : smtp_getc(lim);
2512
2513 /* Something in the buffer; return next uschar */
2514
2515 return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
2516 }
2517
2518 uschar *
2519 tls_getbuf(unsigned * len)
2520 {
2521 unsigned size;
2522 uschar * buf;
2523
2524 if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2525 if (!tls_refill(*len))
2526 {
2527 if (!ssl_xfer_error) return smtp_getbuf(len);
2528 *len = 0;
2529 return NULL;
2530 }
2531
2532 if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
2533 size = *len;
2534 buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
2535 ssl_xfer_buffer_lwm += size;
2536 *len = size;
2537 return buf;
2538 }
2539
2540
2541 void
2542 tls_get_cache()
2543 {
2544 #ifndef DISABLE_DKIM
2545 int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
2546 if (n > 0)
2547 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
2548 #endif
2549 }
2550
2551
2552 BOOL
2553 tls_could_read(void)
2554 {
2555 return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0;
2556 }
2557
2558
2559 /*************************************************
2560 * Read bytes from TLS channel *
2561 *************************************************/
2562
2563 /*
2564 Arguments:
2565 buff buffer of data
2566 len size of buffer
2567
2568 Returns: the number of bytes read
2569 -1 after a failed read
2570
2571 Only used by the client-side TLS.
2572 */
2573
2574 int
2575 tls_read(BOOL is_server, uschar *buff, size_t len)
2576 {
2577 SSL *ssl = is_server ? server_ssl : client_ssl;
2578 int inbytes;
2579 int error;
2580
2581 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
2582 buff, (unsigned int)len);
2583
2584 inbytes = SSL_read(ssl, CS buff, len);
2585 error = SSL_get_error(ssl, inbytes);
2586
2587 if (error == SSL_ERROR_ZERO_RETURN)
2588 {
2589 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2590 return -1;
2591 }
2592 else if (error != SSL_ERROR_NONE)
2593 return -1;
2594
2595 return inbytes;
2596 }
2597
2598
2599
2600
2601
2602 /*************************************************
2603 * Write bytes down TLS channel *
2604 *************************************************/
2605
2606 /*
2607 Arguments:
2608 is_server channel specifier
2609 buff buffer of data
2610 len number of bytes
2611 more further data expected soon
2612
2613 Returns: the number of bytes after a successful write,
2614 -1 after a failed write
2615
2616 Used by both server-side and client-side TLS.
2617 */
2618
2619 int
2620 tls_write(BOOL is_server, const uschar *buff, size_t len, BOOL more)
2621 {
2622 int outbytes, error, left;
2623 SSL *ssl = is_server ? server_ssl : client_ssl;
2624 static gstring * corked = NULL;
2625
2626 DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
2627 buff, (unsigned long)len, more ? ", more" : "");
2628
2629 /* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
2630 "more" is notified. This hack is only ok if small amounts are involved AND only
2631 one stream does it, in one context (i.e. no store reset). Currently it is used
2632 for the responses to the received SMTP MAIL , RCPT, DATA sequence, only. */
2633
2634 if (is_server && (more || corked))
2635 {
2636 corked = string_catn(corked, buff, len);
2637 if (more)
2638 return len;
2639 buff = CUS corked->s;
2640 len = corked->ptr;
2641 corked = NULL;
2642 }
2643
2644 for (left = len; left > 0;)
2645 {
2646 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
2647 outbytes = SSL_write(ssl, CS buff, left);
2648 error = SSL_get_error(ssl, outbytes);
2649 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
2650 switch (error)
2651 {
2652 case SSL_ERROR_SSL:
2653 ERR_error_string(ERR_get_error(), ssl_errstring);
2654 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
2655 return -1;
2656
2657 case SSL_ERROR_NONE:
2658 left -= outbytes;
2659 buff += outbytes;
2660 break;
2661
2662 case SSL_ERROR_ZERO_RETURN:
2663 log_write(0, LOG_MAIN, "SSL channel closed on write");
2664 return -1;
2665
2666 case SSL_ERROR_SYSCALL:
2667 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
2668 sender_fullhost ? sender_fullhost : US"<unknown>",
2669 strerror(errno));
2670 return -1;
2671
2672 default:
2673 log_write(0, LOG_MAIN, "SSL_write error %d", error);
2674 return -1;
2675 }
2676 }
2677 return len;
2678 }
2679
2680
2681
2682 /*************************************************
2683 * Close down a TLS session *
2684 *************************************************/
2685
2686 /* This is also called from within a delivery subprocess forked from the
2687 daemon, to shut down the TLS library, without actually doing a shutdown (which
2688 would tamper with the SSL session in the parent process).
2689
2690 Arguments: TRUE if SSL_shutdown is to be called
2691 Returns: nothing
2692
2693 Used by both server-side and client-side TLS.
2694 */
2695
2696 void
2697 tls_close(BOOL is_server, BOOL shutdown)
2698 {
2699 SSL **sslp = is_server ? &server_ssl : &client_ssl;
2700 int *fdp = is_server ? &tls_in.active : &tls_out.active;
2701
2702 if (*fdp < 0) return; /* TLS was not active */
2703
2704 if (shutdown)
2705 {
2706 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
2707 SSL_shutdown(*sslp);
2708 }
2709
2710 SSL_free(*sslp);
2711 *sslp = NULL;
2712
2713 *fdp = -1;
2714 }
2715
2716
2717
2718
2719 /*************************************************
2720 * Let tls_require_ciphers be checked at startup *
2721 *************************************************/
2722
2723 /* The tls_require_ciphers option, if set, must be something which the
2724 library can parse.
2725
2726 Returns: NULL on success, or error message
2727 */
2728
2729 uschar *
2730 tls_validate_require_cipher(void)
2731 {
2732 SSL_CTX *ctx;
2733 uschar *s, *expciphers, *err;
2734
2735 /* this duplicates from tls_init(), we need a better "init just global
2736 state, for no specific purpose" singleton function of our own */
2737
2738 SSL_load_error_strings();
2739 OpenSSL_add_ssl_algorithms();
2740 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
2741 /* SHA256 is becoming ever more popular. This makes sure it gets added to the
2742 list of available digests. */
2743 EVP_add_digest(EVP_sha256());
2744 #endif
2745
2746 if (!(tls_require_ciphers && *tls_require_ciphers))
2747 return NULL;
2748
2749 if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
2750 &err))
2751 return US"failed to expand tls_require_ciphers";
2752
2753 if (!(expciphers && *expciphers))
2754 return NULL;
2755
2756 /* normalisation ripped from above */
2757 s = expciphers;
2758 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2759
2760 err = NULL;
2761
2762 ctx = SSL_CTX_new(SSLv23_server_method());
2763 if (!ctx)
2764 {
2765 ERR_error_string(ERR_get_error(), ssl_errstring);
2766 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
2767 }
2768
2769 DEBUG(D_tls)
2770 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2771
2772 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
2773 {
2774 ERR_error_string(ERR_get_error(), ssl_errstring);
2775 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
2776 expciphers, ssl_errstring);
2777 }
2778
2779 SSL_CTX_free(ctx);
2780
2781 return err;
2782 }
2783
2784
2785
2786
2787 /*************************************************
2788 * Report the library versions. *
2789 *************************************************/
2790
2791 /* There have historically been some issues with binary compatibility in
2792 OpenSSL libraries; if Exim (like many other applications) is built against
2793 one version of OpenSSL but the run-time linker picks up another version,
2794 it can result in serious failures, including crashing with a SIGSEGV. So
2795 report the version found by the compiler and the run-time version.
2796
2797 Note: some OS vendors backport security fixes without changing the version
2798 number/string, and the version date remains unchanged. The _build_ date
2799 will change, so we can more usefully assist with version diagnosis by also
2800 reporting the build date.
2801
2802 Arguments: a FILE* to print the results to
2803 Returns: nothing
2804 */
2805
2806 void
2807 tls_version_report(FILE *f)
2808 {
2809 fprintf(f, "Library version: OpenSSL: Compile: %s\n"
2810 " Runtime: %s\n"
2811 " : %s\n",
2812 OPENSSL_VERSION_TEXT,
2813 SSLeay_version(SSLEAY_VERSION),
2814 SSLeay_version(SSLEAY_BUILT_ON));
2815 /* third line is 38 characters for the %s and the line is 73 chars long;
2816 the OpenSSL output includes a "built on: " prefix already. */
2817 }
2818
2819
2820
2821
2822 /*************************************************
2823 * Random number generation *
2824 *************************************************/
2825
2826 /* Pseudo-random number generation. The result is not expected to be
2827 cryptographically strong but not so weak that someone will shoot themselves
2828 in the foot using it as a nonce in input in some email header scheme or
2829 whatever weirdness they'll twist this into. The result should handle fork()
2830 and avoid repeating sequences. OpenSSL handles that for us.
2831
2832 Arguments:
2833 max range maximum
2834 Returns a random number in range [0, max-1]
2835 */
2836
2837 int
2838 vaguely_random_number(int max)
2839 {
2840 unsigned int r;
2841 int i, needed_len;
2842 static pid_t pidlast = 0;
2843 pid_t pidnow;
2844 uschar *p;
2845 uschar smallbuf[sizeof(r)];
2846
2847 if (max <= 1)
2848 return 0;
2849
2850 pidnow = getpid();
2851 if (pidnow != pidlast)
2852 {
2853 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
2854 is unique for each thread", this doesn't apparently apply across processes,
2855 so our own warning from vaguely_random_number_fallback() applies here too.
2856 Fix per PostgreSQL. */
2857 if (pidlast != 0)
2858 RAND_cleanup();
2859 pidlast = pidnow;
2860 }
2861
2862 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
2863 if (!RAND_status())
2864 {
2865 randstuff r;
2866 gettimeofday(&r.tv, NULL);
2867 r.p = getpid();
2868
2869 RAND_seed(US (&r), sizeof(r));
2870 }
2871 /* We're after pseudo-random, not random; if we still don't have enough data
2872 in the internal PRNG then our options are limited. We could sleep and hope
2873 for entropy to come along (prayer technique) but if the system is so depleted
2874 in the first place then something is likely to just keep taking it. Instead,
2875 we'll just take whatever little bit of pseudo-random we can still manage to
2876 get. */
2877
2878 needed_len = sizeof(r);
2879 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
2880 asked for a number less than 10. */
2881 for (r = max, i = 0; r; ++i)
2882 r >>= 1;
2883 i = (i + 7) / 8;
2884 if (i < needed_len)
2885 needed_len = i;
2886
2887 #ifdef EXIM_HAVE_RAND_PSEUDO
2888 /* We do not care if crypto-strong */
2889 i = RAND_pseudo_bytes(smallbuf, needed_len);
2890 #else
2891 i = RAND_bytes(smallbuf, needed_len);
2892 #endif
2893
2894 if (i < 0)
2895 {
2896 DEBUG(D_all)
2897 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
2898 return vaguely_random_number_fallback(max);
2899 }
2900
2901 r = 0;
2902 for (p = smallbuf; needed_len; --needed_len, ++p)
2903 {
2904 r *= 256;
2905 r += *p;
2906 }
2907
2908 /* We don't particularly care about weighted results; if someone wants
2909 smooth distribution and cares enough then they should submit a patch then. */
2910 return r % max;
2911 }
2912
2913
2914
2915
2916 /*************************************************
2917 * OpenSSL option parse *
2918 *************************************************/
2919
2920 /* Parse one option for tls_openssl_options_parse below
2921
2922 Arguments:
2923 name one option name
2924 value place to store a value for it
2925 Returns success or failure in parsing
2926 */
2927
2928 struct exim_openssl_option {
2929 uschar *name;
2930 long value;
2931 };
2932 /* We could use a macro to expand, but we need the ifdef and not all the
2933 options document which version they were introduced in. Policylet: include
2934 all options unless explicitly for DTLS, let the administrator choose which
2935 to apply.
2936
2937 This list is current as of:
2938 ==> 1.0.1b <==
2939 Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
2940 */
2941 static struct exim_openssl_option exim_openssl_options[] = {
2942 /* KEEP SORTED ALPHABETICALLY! */
2943 #ifdef SSL_OP_ALL
2944 { US"all", SSL_OP_ALL },
2945 #endif
2946 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
2947 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
2948 #endif
2949 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
2950 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
2951 #endif
2952 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
2953 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
2954 #endif
2955 #ifdef SSL_OP_EPHEMERAL_RSA
2956 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
2957 #endif
2958 #ifdef SSL_OP_LEGACY_SERVER_CONNECT
2959 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
2960 #endif
2961 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
2962 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
2963 #endif
2964 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
2965 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
2966 #endif
2967 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
2968 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
2969 #endif
2970 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
2971 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
2972 #endif
2973 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
2974 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
2975 #endif
2976 #ifdef SSL_OP_NO_COMPRESSION
2977 { US"no_compression", SSL_OP_NO_COMPRESSION },
2978 #endif
2979 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
2980 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
2981 #endif
2982 #ifdef SSL_OP_NO_SSLv2
2983 { US"no_sslv2", SSL_OP_NO_SSLv2 },
2984 #endif
2985 #ifdef SSL_OP_NO_SSLv3
2986 { US"no_sslv3", SSL_OP_NO_SSLv3 },
2987 #endif
2988 #ifdef SSL_OP_NO_TICKET
2989 { US"no_ticket", SSL_OP_NO_TICKET },
2990 #endif
2991 #ifdef SSL_OP_NO_TLSv1
2992 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
2993 #endif
2994 #ifdef SSL_OP_NO_TLSv1_1
2995 #if SSL_OP_NO_TLSv1_1 == 0x00000400L
2996 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
2997 #warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
2998 #else
2999 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
3000 #endif
3001 #endif
3002 #ifdef SSL_OP_NO_TLSv1_2
3003 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
3004 #endif
3005 #ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
3006 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
3007 #endif
3008 #ifdef SSL_OP_SINGLE_DH_USE
3009 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
3010 #endif
3011 #ifdef SSL_OP_SINGLE_ECDH_USE
3012 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
3013 #endif
3014 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
3015 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
3016 #endif
3017 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
3018 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
3019 #endif
3020 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
3021 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
3022 #endif
3023 #ifdef SSL_OP_TLS_D5_BUG
3024 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
3025 #endif
3026 #ifdef SSL_OP_TLS_ROLLBACK_BUG
3027 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
3028 #endif
3029 };
3030 static int exim_openssl_options_size =
3031 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
3032
3033
3034 static BOOL
3035 tls_openssl_one_option_parse(uschar *name, long *value)
3036 {
3037 int first = 0;
3038 int last = exim_openssl_options_size;
3039 while (last > first)
3040 {
3041 int middle = (first + last)/2;
3042 int c = Ustrcmp(name, exim_openssl_options[middle].name);
3043 if (c == 0)
3044 {
3045 *value = exim_openssl_options[middle].value;
3046 return TRUE;
3047 }
3048 else if (c > 0)
3049 first = middle + 1;
3050 else
3051 last = middle;
3052 }
3053 return FALSE;
3054 }
3055
3056
3057
3058
3059 /*************************************************
3060 * OpenSSL option parsing logic *
3061 *************************************************/
3062
3063 /* OpenSSL has a number of compatibility options which an administrator might
3064 reasonably wish to set. Interpret a list similarly to decode_bits(), so that
3065 we look like log_selector.
3066
3067 Arguments:
3068 option_spec the administrator-supplied string of options
3069 results ptr to long storage for the options bitmap
3070 Returns success or failure
3071 */
3072
3073 BOOL
3074 tls_openssl_options_parse(uschar *option_spec, long *results)
3075 {
3076 long result, item;
3077 uschar *s, *end;
3078 uschar keep_c;
3079 BOOL adding, item_parsed;
3080
3081 result = SSL_OP_NO_TICKET;
3082 /* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
3083 * from default because it increases BEAST susceptibility. */
3084 #ifdef SSL_OP_NO_SSLv2
3085 result |= SSL_OP_NO_SSLv2;
3086 #endif
3087 #ifdef SSL_OP_SINGLE_DH_USE
3088 result |= SSL_OP_SINGLE_DH_USE;
3089 #endif
3090
3091 if (!option_spec)
3092 {
3093 *results = result;
3094 return TRUE;
3095 }
3096
3097 for (s=option_spec; *s != '\0'; /**/)
3098 {
3099 while (isspace(*s)) ++s;
3100 if (*s == '\0')
3101 break;
3102 if (*s != '+' && *s != '-')
3103 {
3104 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
3105 "+ or - expected but found \"%s\"\n", s);
3106 return FALSE;
3107 }
3108 adding = *s++ == '+';
3109 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
3110 keep_c = *end;
3111 *end = '\0';
3112 item_parsed = tls_openssl_one_option_parse(s, &item);
3113 *end = keep_c;
3114 if (!item_parsed)
3115 {
3116 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
3117 return FALSE;
3118 }
3119 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
3120 adding ? "adding" : "removing", result, item, s);
3121 if (adding)
3122 result |= item;
3123 else
3124 result &= ~item;
3125 s = end;
3126 }
3127
3128 *results = result;
3129 return TRUE;
3130 }
3131
3132 /* vi: aw ai sw=2
3133 */
3134 /* End of tls-openssl.c */
Unnamed repository; edit this file 'description' to name the repository.