TLS: Enable ECDHE on OpenSSL, just the NIST P-256 curve. Bug 1397
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
5a66c31b 5/* Copyright (c) University of Cambridge 1995 - 2014 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
f5d78688
JH
8/* Portions Copyright (c) The OpenSSL Project 1999 */
9
059ec3d9
PH
10/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11library. It is #included into the tls.c file when that library is used. The
12code herein is based on a patch that was originally contributed by Steve
13Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL library. */
17
18
19/* Heading stuff */
20
21#include <openssl/lhash.h>
22#include <openssl/ssl.h>
23#include <openssl/err.h>
24#include <openssl/rand.h>
f2de3a33 25#ifndef DISABLE_OCSP
e51c7be2 26# include <openssl/ocsp.h>
3f7eeb86 27#endif
85098ee7
JH
28#ifdef EXPERIMENTAL_DANE
29# include <danessl.h>
30#endif
31
3f7eeb86 32
f2de3a33
JH
33#ifndef DISABLE_OCSP
34# define EXIM_OCSP_SKEW_SECONDS (300L)
35# define EXIM_OCSP_MAX_AGE (-1L)
3f7eeb86 36#endif
059ec3d9 37
3bcbbbe2 38#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
e51c7be2 39# define EXIM_HAVE_OPENSSL_TLSEXT
3bcbbbe2 40#endif
2dfb468b
JH
41#if OPENSSL_VERSION_NUMBER >= 0x010100000L
42# define EXIM_HAVE_OPENSSL_CHECKHOST
43#endif
44#if OPENSSL_VERSION_NUMBER >= 0x010000000L \
45 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
46# define EXIM_HAVE_OPENSSL_CHECKHOST
47#endif
3bcbbbe2 48
67791ce4
JH
49#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
50# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
51# define DISABLE_OCSP
52#endif
53
059ec3d9
PH
54/* Structure for collecting random data for seeding. */
55
56typedef struct randstuff {
9e3331ea
TK
57 struct timeval tv;
58 pid_t p;
059ec3d9
PH
59} randstuff;
60
61/* Local static variables */
62
a2ff477a
JH
63static BOOL client_verify_callback_called = FALSE;
64static BOOL server_verify_callback_called = FALSE;
059ec3d9
PH
65static const uschar *sid_ctx = US"exim";
66
d4f09789
PP
67/* We have three different contexts to care about.
68
69Simple case: client, `client_ctx`
70 As a client, we can be doing a callout or cut-through delivery while receiving
71 a message. So we have a client context, which should have options initialised
72 from the SMTP Transport.
73
74Server:
75 There are two cases: with and without ServerNameIndication from the client.
76 Given TLS SNI, we can be using different keys, certs and various other
77 configuration settings, because they're re-expanded with $tls_sni set. This
78 allows vhosting with TLS. This SNI is sent in the handshake.
79 A client might not send SNI, so we need a fallback, and an initial setup too.
80 So as a server, we start out using `server_ctx`.
81 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
82 `server_sni` from `server_ctx` and then initialise settings by re-expanding
83 configuration.
84*/
85
817d9f57
JH
86static SSL_CTX *client_ctx = NULL;
87static SSL_CTX *server_ctx = NULL;
88static SSL *client_ssl = NULL;
89static SSL *server_ssl = NULL;
389ca47a 90
35731706 91#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57 92static SSL_CTX *server_sni = NULL;
35731706 93#endif
059ec3d9
PH
94
95static char ssl_errstring[256];
96
97static int ssl_session_timeout = 200;
a2ff477a
JH
98static BOOL client_verify_optional = FALSE;
99static BOOL server_verify_optional = FALSE;
059ec3d9 100
f5d78688 101static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH
102
103
7be682ca
PP
104typedef struct tls_ext_ctx_cb {
105 uschar *certificate;
106 uschar *privatekey;
f2de3a33 107#ifndef DISABLE_OCSP
f5d78688
JH
108 BOOL is_server;
109 union {
110 struct {
111 uschar *file;
112 uschar *file_expanded;
113 OCSP_RESPONSE *response;
114 } server;
115 struct {
44662487
JH
116 X509_STORE *verify_store; /* non-null if status requested */
117 BOOL verify_required;
f5d78688
JH
118 } client;
119 } u_ocsp;
3f7eeb86 120#endif
7be682ca
PP
121 uschar *dhparam;
122 /* these are cached from first expand */
123 uschar *server_cipher_list;
124 /* only passed down to tls_error: */
125 host_item *host;
55414b25 126 const uschar * verify_cert_hostnames;
774ef2d7 127#ifdef EXPERIMENTAL_EVENT
a7538db1
JH
128 uschar * event_action;
129#endif
7be682ca
PP
130} tls_ext_ctx_cb;
131
132/* should figure out a cleanup of API to handle state preserved per
133implementation, for various reasons, which can be void * in the APIs.
134For now, we hack around it. */
817d9f57
JH
135tls_ext_ctx_cb *client_static_cbinfo = NULL;
136tls_ext_ctx_cb *server_static_cbinfo = NULL;
7be682ca
PP
137
138static int
983207c1
JH
139setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
140 int (*cert_vfy_cb)(int, X509_STORE_CTX *) );
059ec3d9 141
3f7eeb86 142/* Callbacks */
3bcbbbe2 143#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f7eeb86 144static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
3bcbbbe2 145#endif
f2de3a33 146#ifndef DISABLE_OCSP
f5d78688 147static int tls_server_stapling_cb(SSL *s, void *arg);
3f7eeb86
PP
148#endif
149
059ec3d9
PH
150
151/*************************************************
152* Handle TLS error *
153*************************************************/
154
155/* Called from lots of places when errors occur before actually starting to do
156the TLS handshake, that is, while the session is still in clear. Always returns
157DEFER for a server and FAIL for a client so that most calls can use "return
158tls_error(...)" to do this processing and then give an appropriate return. A
159single function is used for both server and client, because it is called from
160some shared functions.
161
162Argument:
163 prefix text to include in the logged error
164 host NULL if setting up a server;
165 the connected host if setting up a client
7199e1ee 166 msg error message or NULL if we should ask OpenSSL
059ec3d9
PH
167
168Returns: OK/DEFER/FAIL
169*/
170
171static int
b8b1b5cb 172tls_error(uschar * prefix, const host_item * host, uschar * msg)
059ec3d9 173{
c562fd30 174if (!msg)
7199e1ee
TF
175 {
176 ERR_error_string(ERR_get_error(), ssl_errstring);
5ca6d115 177 msg = (uschar *)ssl_errstring;
7199e1ee
TF
178 }
179
c562fd30
JH
180if (host)
181 {
182 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection (%s): %s",
183 host->name, host->address, prefix, msg);
184 return FAIL;
185 }
186else
059ec3d9 187 {
7199e1ee 188 uschar *conn_info = smtp_get_connection_info();
5ca6d115 189 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
7199e1ee 190 conn_info += 5;
c562fd30 191 /* I'd like to get separated H= here, but too hard for now */
7199e1ee
TF
192 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
193 conn_info, prefix, msg);
059ec3d9
PH
194 return DEFER;
195 }
059ec3d9
PH
196}
197
198
199
200/*************************************************
201* Callback to generate RSA key *
202*************************************************/
203
204/*
205Arguments:
206 s SSL connection
207 export not used
208 keylength keylength
209
210Returns: pointer to generated key
211*/
212
213static RSA *
214rsa_callback(SSL *s, int export, int keylength)
215{
216RSA *rsa_key;
217export = export; /* Shut picky compilers up */
218DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
219rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
220if (rsa_key == NULL)
221 {
222 ERR_error_string(ERR_get_error(), ssl_errstring);
223 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
224 ssl_errstring);
225 return NULL;
226 }
227return rsa_key;
228}
229
230
231
f5d78688 232/* Extreme debug
f2de3a33 233#ifndef DISABLE_OCSP
f5d78688
JH
234void
235x509_store_dump_cert_s_names(X509_STORE * store)
236{
237STACK_OF(X509_OBJECT) * roots= store->objs;
238int i;
239static uschar name[256];
240
241for(i= 0; i<sk_X509_OBJECT_num(roots); i++)
242 {
243 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
244 if(tmp_obj->type == X509_LU_X509)
245 {
246 X509 * current_cert= tmp_obj->data.x509;
247 X509_NAME_oneline(X509_get_subject_name(current_cert), CS name, sizeof(name));
f69979cf 248 name[sizeof(name)-1] = '\0';
f5d78688
JH
249 debug_printf(" %s\n", name);
250 }
251 }
252}
253#endif
254*/
255
059ec3d9 256
f69979cf
JH
257#ifdef EXPERIMENTAL_EVENT
258static int
259verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
260 BOOL *calledp, const BOOL *optionalp, const uschar * what)
261{
262uschar * ev;
263uschar * yield;
264X509 * old_cert;
265
266ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
267if (ev)
268 {
269 old_cert = tlsp->peercert;
270 tlsp->peercert = X509_dup(cert);
271 /* NB we do not bother setting peerdn */
272 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
273 {
274 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
275 "depth=%d cert=%s: %s",
276 tlsp == &tls_out ? deliver_host_address : sender_host_address,
277 what, depth, dn, yield);
278 *calledp = TRUE;
279 if (!*optionalp)
280 {
281 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
282 return 1; /* reject (leaving peercert set) */
283 }
284 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
285 "(host in tls_try_verify_hosts)\n");
286 }
287 X509_free(tlsp->peercert);
288 tlsp->peercert = old_cert;
289 }
290return 0;
291}
292#endif
293
059ec3d9
PH
294/*************************************************
295* Callback for verification *
296*************************************************/
297
298/* The SSL library does certificate verification if set up to do so. This
299callback has the current yes/no state is in "state". If verification succeeded,
f69979cf
JH
300we set the certificate-verified flag. If verification failed, what happens
301depends on whether the client is required to present a verifiable certificate
302or not.
059ec3d9
PH
303
304If verification is optional, we change the state to yes, but still log the
305verification error. For some reason (it really would help to have proper
306documentation of OpenSSL), this callback function then gets called again, this
f69979cf
JH
307time with state = 1. We must take care not to set the private verified flag on
308the second time through.
059ec3d9
PH
309
310Note: this function is not called if the client fails to present a certificate
311when asked. We get here only if a certificate has been received. Handling of
312optional verification for this case is done when requesting SSL to verify, by
313setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
314
a7538db1
JH
315May be called multiple times for different issues with a certificate, even
316for a given "depth" in the certificate chain.
317
059ec3d9
PH
318Arguments:
319 state current yes/no state as 1/0
320 x509ctx certificate information.
a2ff477a 321 client TRUE for client startup, FALSE for server startup
059ec3d9
PH
322
323Returns: 1 if verified, 0 if not
324*/
325
326static int
421aff85
JH
327verify_callback(int state, X509_STORE_CTX *x509ctx,
328 tls_support *tlsp, BOOL *calledp, BOOL *optionalp)
059ec3d9 329{
421aff85 330X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
a7538db1 331int depth = X509_STORE_CTX_get_error_depth(x509ctx);
f69979cf 332uschar dn[256];
059ec3d9 333
f69979cf
JH
334X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
335dn[sizeof(dn)-1] = '\0';
059ec3d9
PH
336
337if (state == 0)
338 {
4c01d6ab
JH
339 log_write(0, LOG_MAIN, "[%s] SSL verify error: depth=%d error=%s cert=%s",
340 tlsp == &tls_out ? deliver_host_address : sender_host_address,
a7538db1 341 depth,
421aff85 342 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)),
f69979cf 343 dn);
a2ff477a 344 *calledp = TRUE;
9d1c15ef
JH
345 if (!*optionalp)
346 {
f69979cf
JH
347 if (!tlsp->peercert)
348 tlsp->peercert = X509_dup(cert); /* record failing cert */
349 return 0; /* reject */
9d1c15ef 350 }
059ec3d9
PH
351 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
352 "tls_try_verify_hosts)\n");
059ec3d9
PH
353 }
354
a7538db1 355else if (depth != 0)
059ec3d9 356 {
f69979cf 357 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
f2de3a33 358#ifndef DISABLE_OCSP
f5d78688
JH
359 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
360 { /* client, wanting stapling */
361 /* Add the server cert's signing chain as the one
362 for the verification of the OCSP stapled information. */
363
364 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
421aff85 365 cert))
f5d78688
JH
366 ERR_clear_error();
367 }
368#endif
774ef2d7 369#ifdef EXPERIMENTAL_EVENT
f69979cf
JH
370 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
371 return 0; /* reject, with peercert set */
a7538db1 372#endif
059ec3d9
PH
373 }
374else
375 {
55414b25 376 const uschar * verify_cert_hostnames;
e51c7be2 377
e51c7be2
JH
378 if ( tlsp == &tls_out
379 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
380 /* client, wanting hostname check */
e51c7be2 381 {
f69979cf 382
740f36d4 383#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
f69979cf
JH
384# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
385# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
386# endif
387# ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
388# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
389# endif
e51c7be2 390 int sep = 0;
55414b25 391 const uschar * list = verify_cert_hostnames;
e51c7be2 392 uschar * name;
d8e7834a
JH
393 int rc;
394 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
395 if ((rc = X509_check_host(cert, name, 0,
8d692470 396 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
740f36d4
JH
397 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
398 NULL)))
d8e7834a
JH
399 {
400 if (rc < 0)
401 {
93a6fce2 402 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
4c01d6ab 403 tlsp == &tls_out ? deliver_host_address : sender_host_address);
d8e7834a
JH
404 name = NULL;
405 }
e51c7be2 406 break;
d8e7834a 407 }
e51c7be2 408 if (!name)
f69979cf 409#else
e51c7be2 410 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
f69979cf 411#endif
e51c7be2
JH
412 {
413 log_write(0, LOG_MAIN,
93a6fce2 414 "[%s] SSL verify error: certificate name mismatch: \"%s\"",
4c01d6ab 415 tlsp == &tls_out ? deliver_host_address : sender_host_address,
f69979cf 416 dn);
a3ef7310
JH
417 *calledp = TRUE;
418 if (!*optionalp)
f69979cf
JH
419 {
420 if (!tlsp->peercert)
421 tlsp->peercert = X509_dup(cert); /* record failing cert */
422 return 0; /* reject */
423 }
a3ef7310
JH
424 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
425 "tls_try_verify_hosts)\n");
e51c7be2 426 }
f69979cf 427 }
e51c7be2 428
774ef2d7 429#ifdef EXPERIMENTAL_EVENT
f69979cf
JH
430 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
431 return 0; /* reject, with peercert set */
e51c7be2
JH
432#endif
433
93dcb1c2 434 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
f69979cf 435 *calledp ? "" : " authenticated", dn);
93dcb1c2
JH
436 if (!*calledp) tlsp->certificate_verified = TRUE;
437 *calledp = TRUE;
059ec3d9
PH
438 }
439
a7538db1 440return 1; /* accept, at least for this level */
059ec3d9
PH
441}
442
a2ff477a
JH
443static int
444verify_callback_client(int state, X509_STORE_CTX *x509ctx)
445{
f5d78688 446return verify_callback(state, x509ctx, &tls_out, &client_verify_callback_called, &client_verify_optional);
a2ff477a
JH
447}
448
449static int
450verify_callback_server(int state, X509_STORE_CTX *x509ctx)
451{
f5d78688 452return verify_callback(state, x509ctx, &tls_in, &server_verify_callback_called, &server_verify_optional);
a2ff477a
JH
453}
454
059ec3d9 455
e5cccda9 456#ifdef EXPERIMENTAL_DANE
53a7196b 457
e5cccda9
JH
458/* This gets called *by* the dane library verify callback, which interposes
459itself.
460*/
461static int
462verify_callback_client_dane(int state, X509_STORE_CTX * x509ctx)
463{
464X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
f69979cf 465uschar dn[256];
774ef2d7 466#ifdef EXPERIMENTAL_EVENT
83b27293 467int depth = X509_STORE_CTX_get_error_depth(x509ctx);
f69979cf 468BOOL dummy_called, optional = FALSE;
83b27293 469#endif
e5cccda9 470
f69979cf
JH
471X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
472dn[sizeof(dn)-1] = '\0';
e5cccda9 473
f69979cf 474DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s\n", dn);
e5cccda9 475
774ef2d7 476#ifdef EXPERIMENTAL_EVENT
f69979cf
JH
477 if (verify_event(&tls_out, cert, depth, dn,
478 &dummy_called, &optional, US"DANE"))
479 return 0; /* reject, with peercert set */
83b27293
JH
480#endif
481
e5cccda9 482if (state == 1)
53a7196b 483 tls_out.dane_verified =
e5cccda9
JH
484 tls_out.certificate_verified = TRUE;
485return 1;
486}
53a7196b
JH
487
488#endif /*EXPERIMENTAL_DANE*/
e5cccda9 489
059ec3d9
PH
490
491/*************************************************
492* Information callback *
493*************************************************/
494
495/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP
496are doing. We copy the string to the debugging output when TLS debugging has
497been requested.
059ec3d9
PH
498
499Arguments:
500 s the SSL connection
501 where
502 ret
503
504Returns: nothing
505*/
506
507static void
508info_callback(SSL *s, int where, int ret)
509{
510where = where;
511ret = ret;
512DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
513}
514
515
516
517/*************************************************
518* Initialize for DH *
519*************************************************/
520
521/* If dhparam is set, expand it, and load up the parameters for DH encryption.
522
523Arguments:
038597d2 524 sctx The current SSL CTX (inbound or outbound)
a799883d 525 dhparam DH parameter file or fixed parameter identity string
7199e1ee 526 host connected host, if client; NULL if server
059ec3d9
PH
527
528Returns: TRUE if OK (nothing to set up, or setup worked)
529*/
530
531static BOOL
b8b1b5cb 532init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host)
059ec3d9 533{
059ec3d9
PH
534BIO *bio;
535DH *dh;
536uschar *dhexpanded;
a799883d 537const char *pem;
059ec3d9
PH
538
539if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
540 return FALSE;
541
0df4ab80 542if (!dhexpanded || !*dhexpanded)
a799883d 543 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
a799883d 544else if (dhexpanded[0] == '/')
059ec3d9 545 {
0df4ab80 546 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
059ec3d9 547 {
7199e1ee 548 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
a799883d
PP
549 host, US strerror(errno));
550 return FALSE;
059ec3d9 551 }
a799883d
PP
552 }
553else
554 {
555 if (Ustrcmp(dhexpanded, "none") == 0)
059ec3d9 556 {
a799883d
PP
557 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
558 return TRUE;
059ec3d9 559 }
a799883d 560
0df4ab80 561 if (!(pem = std_dh_prime_named(dhexpanded)))
a799883d
PP
562 {
563 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
564 host, US strerror(errno));
565 return FALSE;
566 }
567 bio = BIO_new_mem_buf(CS pem, -1);
568 }
569
0df4ab80 570if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
a799883d 571 {
059ec3d9 572 BIO_free(bio);
a799883d
PP
573 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
574 host, NULL);
575 return FALSE;
576 }
577
578/* Even if it is larger, we silently return success rather than cause things
579 * to fail out, so that a too-large DH will not knock out all TLS; it's a
580 * debatable choice. */
581if ((8*DH_size(dh)) > tls_dh_max_bits)
582 {
583 DEBUG(D_tls)
584 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d",
585 8*DH_size(dh), tls_dh_max_bits);
586 }
587else
588 {
589 SSL_CTX_set_tmp_dh(sctx, dh);
590 DEBUG(D_tls)
591 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
592 dhexpanded ? dhexpanded : US"default", 8*DH_size(dh));
059ec3d9
PH
593 }
594
a799883d
PP
595DH_free(dh);
596BIO_free(bio);
597
598return TRUE;
059ec3d9
PH
599}
600
601
602
603
038597d2
PP
604/*************************************************
605* Initialize for ECDH *
606*************************************************/
607
608/* Load parameters for ECDH encryption.
609
610For now, we stick to NIST P-256 because: it's simple and easy to configure;
611it avoids any patent issues that might bite redistributors; despite events in
612the news and concerns over curve choices, we're not cryptographers, we're not
613pretending to be, and this is "good enough" to be better than no support,
614protecting against most adversaries. Given another year or two, there might
615be sufficient clarity about a "right" way forward to let us make an informed
616decision, instead of a knee-jerk reaction.
617
618Longer-term, we should look at supporting both various named curves and
619external files generated with "openssl ecparam", much as we do for init_dh().
620We should also support "none" as a value, to explicitly avoid initialisation.
621
622Patches welcome.
623
624Arguments:
625 sctx The current SSL CTX (inbound or outbound)
626 host connected host, if client; NULL if server
627
628Returns: TRUE if OK (nothing to set up, or setup worked)
629*/
630
631static BOOL
632init_ecdh(SSL_CTX *sctx, host_item *host)
633{
634if (host) /* No ECDH setup for clients, only for servers */
635 return TRUE;
636
637#ifndef SSL_CTX_set_tmp_ecdh
638/* No elliptic curve API in OpenSSL, skip it */
639DEBUG(D_tls)
640 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
641return TRUE;
642#else
643# ifndef NID_X9_62_prime256v1
644/* For now, stick to NIST P-256 to get "something" running.
645If that's not available, bail */
646DEBUG(D_tls)
647 debug_printf("NIST P-256 EC curve not available, skipping ECDH setup\n");
648return TRUE;
649# else
650 {
651 EC_KEY * ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
652 BOOL rv;
653
654 /* The "tmp" in the name here refers to setting a tempoary key
655 not to the stability of the interface. */
656
657 if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) != 0))
658 {
659 DEBUG(D_tls) debug_printf("ECDH: enable NIST P-256 curve\n");
660 }
661 else
662 tls_error(US"Error enabling NIST P-256 curve", host, NULL);
663 EC_KEY_free(ecdh);
664 return rv;
665 }
666# endif
667#endif
668}
669
670
671
672
f2de3a33 673#ifndef DISABLE_OCSP
3f7eeb86
PP
674/*************************************************
675* Load OCSP information into state *
676*************************************************/
677
f5d78688 678/* Called to load the server OCSP response from the given file into memory, once
3f7eeb86
PP
679caller has determined this is needed. Checks validity. Debugs a message
680if invalid.
681
682ASSUMES: single response, for single cert.
683
684Arguments:
685 sctx the SSL_CTX* to update
686 cbinfo various parts of session state
687 expanded the filename putatively holding an OCSP response
688
689*/
690
691static void
f5d78688 692ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
3f7eeb86
PP
693{
694BIO *bio;
695OCSP_RESPONSE *resp;
696OCSP_BASICRESP *basic_response;
697OCSP_SINGLERESP *single_response;
698ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
699X509_STORE *store;
700unsigned long verify_flags;
701int status, reason, i;
702
f5d78688
JH
703cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
704if (cbinfo->u_ocsp.server.response)
3f7eeb86 705 {
f5d78688
JH
706 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
707 cbinfo->u_ocsp.server.response = NULL;
3f7eeb86
PP
708 }
709
f5d78688 710bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb");
3f7eeb86
PP
711if (!bio)
712 {
713 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
f5d78688 714 cbinfo->u_ocsp.server.file_expanded);
3f7eeb86
PP
715 return;
716 }
717
718resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
719BIO_free(bio);
720if (!resp)
721 {
722 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
723 return;
724 }
725
726status = OCSP_response_status(resp);
727if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
728 {
729 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
730 OCSP_response_status_str(status), status);
f5d78688 731 goto bad;
3f7eeb86
PP
732 }
733
734basic_response = OCSP_response_get1_basic(resp);
735if (!basic_response)
736 {
737 DEBUG(D_tls)
738 debug_printf("OCSP response parse error: unable to extract basic response.\n");
f5d78688 739 goto bad;
3f7eeb86
PP
740 }
741
742store = SSL_CTX_get_cert_store(sctx);
743verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
744
745/* May need to expose ability to adjust those flags?
746OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
747OCSP_TRUSTOTHER OCSP_NOINTERN */
748
749i = OCSP_basic_verify(basic_response, NULL, store, verify_flags);
750if (i <= 0)
751 {
752 DEBUG(D_tls) {
753 ERR_error_string(ERR_get_error(), ssl_errstring);
754 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
f5d78688
JH
755 }
756 goto bad;
3f7eeb86
PP
757 }
758
759/* Here's the simplifying assumption: there's only one response, for the
760one certificate we use, and nothing for anything else in a chain. If this
761proves false, we need to extract a cert id from our issued cert
762(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
763right cert in the stack and then calls OCSP_single_get0_status()).
764
765I'm hoping to avoid reworking a bunch more of how we handle state here. */
766single_response = OCSP_resp_get0(basic_response, 0);
767if (!single_response)
768 {
769 DEBUG(D_tls)
770 debug_printf("Unable to get first response from OCSP basic response.\n");
f5d78688 771 goto bad;
3f7eeb86
PP
772 }
773
774status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
f5d78688 775if (status != V_OCSP_CERTSTATUS_GOOD)
3f7eeb86 776 {
f5d78688
JH
777 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
778 OCSP_cert_status_str(status), status,
779 OCSP_crl_reason_str(reason), reason);
780 goto bad;
3f7eeb86
PP
781 }
782
783if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
784 {
785 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
f5d78688 786 goto bad;
3f7eeb86
PP
787 }
788
f5d78688 789supply_response:
018058b2 790 cbinfo->u_ocsp.server.response = resp;
f5d78688
JH
791return;
792
793bad:
018058b2
JH
794 if (running_in_test_harness)
795 {
796 extern char ** environ;
797 uschar ** p;
798 for (p = USS environ; *p != NULL; p++)
799 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
800 {
801 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
802 goto supply_response;
803 }
804 }
f5d78688 805return;
3f7eeb86 806}
f2de3a33 807#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
808
809
810
811
059ec3d9 812/*************************************************
7be682ca
PP
813* Expand key and cert file specs *
814*************************************************/
815
f5d78688 816/* Called once during tls_init and possibly again during TLS setup, for a
7be682ca
PP
817new context, if Server Name Indication was used and tls_sni was seen in
818the certificate string.
819
820Arguments:
821 sctx the SSL_CTX* to update
822 cbinfo various parts of session state
823
824Returns: OK/DEFER/FAIL
825*/
826
827static int
3f7eeb86 828tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo)
7be682ca
PP
829{
830uschar *expanded;
831
832if (cbinfo->certificate == NULL)
833 return OK;
834
d9b2312b
JH
835if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
836 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
837 Ustrstr(cbinfo->certificate, US"tls_out_sni")
838 )
7be682ca
PP
839 reexpand_tls_files_for_sni = TRUE;
840
841if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
842 return DEFER;
843
844if (expanded != NULL)
845 {
846 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
847 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
848 return tls_error(string_sprintf(
849 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
850 cbinfo->host, NULL);
851 }
852
853if (cbinfo->privatekey != NULL &&
854 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
855 return DEFER;
856
857/* If expansion was forced to fail, key_expanded will be NULL. If the result
858of the expansion is an empty string, ignore it also, and assume the private
859key is in the same file as the certificate. */
860
861if (expanded != NULL && *expanded != 0)
862 {
863 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
864 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
865 return tls_error(string_sprintf(
866 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
867 }
868
f2de3a33 869#ifndef DISABLE_OCSP
f5d78688 870if (cbinfo->is_server && cbinfo->u_ocsp.server.file != NULL)
3f7eeb86 871 {
f5d78688 872 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded))
3f7eeb86
PP
873 return DEFER;
874
875 if (expanded != NULL && *expanded != 0)
876 {
877 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
f5d78688
JH
878 if (cbinfo->u_ocsp.server.file_expanded &&
879 (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
3f7eeb86
PP
880 {
881 DEBUG(D_tls)
882 debug_printf("tls_ocsp_file value unchanged, using existing values.\n");
883 } else {
884 ocsp_load_response(sctx, cbinfo, expanded);
885 }
886 }
887 }
888#endif
889
7be682ca
PP
890return OK;
891}
892
893
894
895
896/*************************************************
897* Callback to handle SNI *
898*************************************************/
899
900/* Called when acting as server during the TLS session setup if a Server Name
901Indication extension was sent by the client.
902
903API documentation is OpenSSL s_server.c implementation.
904
905Arguments:
906 s SSL* of the current session
907 ad unknown (part of OpenSSL API) (unused)
908 arg Callback of "our" registered data
909
910Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
911*/
912
3bcbbbe2 913#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca 914static int
7be682ca
PP
915tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
916{
917const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3f7eeb86 918tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
7be682ca 919int rc;
3f0945ff 920int old_pool = store_pool;
7be682ca
PP
921
922if (!servername)
923 return SSL_TLSEXT_ERR_OK;
924
3f0945ff 925DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
7be682ca
PP
926 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
927
928/* Make the extension value available for expansion */
3f0945ff 929store_pool = POOL_PERM;
817d9f57 930tls_in.sni = string_copy(US servername);
3f0945ff 931store_pool = old_pool;
7be682ca
PP
932
933if (!reexpand_tls_files_for_sni)
934 return SSL_TLSEXT_ERR_OK;
935
936/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
937not confident that memcpy wouldn't break some internal reference counting.
938Especially since there's a references struct member, which would be off. */
939
0df4ab80 940if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
7be682ca
PP
941 {
942 ERR_error_string(ERR_get_error(), ssl_errstring);
943 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
944 return SSL_TLSEXT_ERR_NOACK;
945 }
946
947/* Not sure how many of these are actually needed, since SSL object
948already exists. Might even need this selfsame callback, for reneg? */
949
817d9f57
JH
950SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
951SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
952SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
953SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
954SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
955SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
038597d2
PP
956
957if ( !init_dh(server_sni, cbinfo->dhparam, NULL)
958 || !init_ecdh(server_sni, NULL)
959 )
960 return SSL_TLSEXT_ERR_NOACK;
961
7be682ca 962if (cbinfo->server_cipher_list)
817d9f57 963 SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
f2de3a33 964#ifndef DISABLE_OCSP
f5d78688 965if (cbinfo->u_ocsp.server.file)
3f7eeb86 966 {
f5d78688 967 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
14c7b357 968 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
3f7eeb86
PP
969 }
970#endif
7be682ca 971
983207c1 972rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE, verify_callback_server);
7be682ca
PP
973if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
974
3f7eeb86
PP
975/* do this after setup_certs, because this can require the certs for verifying
976OCSP information. */
038597d2 977if ((rc = tls_expand_session_files(server_sni, cbinfo)) != OK)
0df4ab80 978 return SSL_TLSEXT_ERR_NOACK;
a799883d 979
7be682ca 980DEBUG(D_tls) debug_printf("Switching SSL context.\n");
817d9f57 981SSL_set_SSL_CTX(s, server_sni);
7be682ca
PP
982
983return SSL_TLSEXT_ERR_OK;
984}
3bcbbbe2 985#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
7be682ca
PP
986
987
988
989
f2de3a33 990#ifndef DISABLE_OCSP
f5d78688 991
3f7eeb86
PP
992/*************************************************
993* Callback to handle OCSP Stapling *
994*************************************************/
995
996/* Called when acting as server during the TLS session setup if the client
997requests OCSP information with a Certificate Status Request.
998
999Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1000project.
1001
1002*/
1003
1004static int
f5d78688 1005tls_server_stapling_cb(SSL *s, void *arg)
3f7eeb86
PP
1006{
1007const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1008uschar *response_der;
1009int response_der_len;
1010
af4a1bca
JH
1011DEBUG(D_tls)
1012 debug_printf("Received TLS status request (OCSP stapling); %s response.",
f5d78688
JH
1013 cbinfo->u_ocsp.server.response ? "have" : "lack");
1014
44662487 1015tls_in.ocsp = OCSP_NOT_RESP;
f5d78688 1016if (!cbinfo->u_ocsp.server.response)
3f7eeb86
PP
1017 return SSL_TLSEXT_ERR_NOACK;
1018
1019response_der = NULL;
44662487
JH
1020response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response,
1021 &response_der);
3f7eeb86
PP
1022if (response_der_len <= 0)
1023 return SSL_TLSEXT_ERR_NOACK;
1024
5e55c7a9 1025SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
44662487 1026tls_in.ocsp = OCSP_VFIED;
3f7eeb86
PP
1027return SSL_TLSEXT_ERR_OK;
1028}
1029
3f7eeb86 1030
f5d78688
JH
1031static void
1032time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1033{
1034BIO_printf(bp, "\t%s: ", str);
1035ASN1_GENERALIZEDTIME_print(bp, time);
1036BIO_puts(bp, "\n");
1037}
1038
1039static int
1040tls_client_stapling_cb(SSL *s, void *arg)
1041{
1042tls_ext_ctx_cb * cbinfo = arg;
1043const unsigned char * p;
1044int len;
1045OCSP_RESPONSE * rsp;
1046OCSP_BASICRESP * bs;
1047int i;
1048
1049DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1050len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1051if(!p)
1052 {
44662487
JH
1053 /* Expect this when we requested ocsp but got none */
1054 if ( cbinfo->u_ocsp.client.verify_required
1055 && log_extra_selector & LX_tls_cipher)
1056 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
f5d78688
JH
1057 else
1058 DEBUG(D_tls) debug_printf(" null\n");
44662487 1059 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688 1060 }
018058b2 1061
f5d78688
JH
1062if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1063 {
018058b2 1064 tls_out.ocsp = OCSP_FAILED;
f5d78688 1065 if (log_extra_selector & LX_tls_cipher)
1eca31ca 1066 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
f5d78688
JH
1067 else
1068 DEBUG(D_tls) debug_printf(" parse error\n");
1069 return 0;
1070 }
1071
1072if(!(bs = OCSP_response_get1_basic(rsp)))
1073 {
018058b2 1074 tls_out.ocsp = OCSP_FAILED;
f5d78688 1075 if (log_extra_selector & LX_tls_cipher)
1eca31ca 1076 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
f5d78688
JH
1077 else
1078 DEBUG(D_tls) debug_printf(" error parsing response\n");
1079 OCSP_RESPONSE_free(rsp);
1080 return 0;
1081 }
1082
1083/* We'd check the nonce here if we'd put one in the request. */
1084/* However that would defeat cacheability on the server so we don't. */
1085
f5d78688
JH
1086/* This section of code reworked from OpenSSL apps source;
1087 The OpenSSL Project retains copyright:
1088 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1089*/
1090 {
1091 BIO * bp = NULL;
f5d78688
JH
1092 int status, reason;
1093 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1094
1095 DEBUG(D_tls) bp = BIO_new_fp(stderr, BIO_NOCLOSE);
1096
1097 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1098
1099 /* Use the chain that verified the server cert to verify the stapled info */
1100 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1101
44662487
JH
1102 if ((i = OCSP_basic_verify(bs, NULL,
1103 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
f5d78688 1104 {
018058b2 1105 tls_out.ocsp = OCSP_FAILED;
1eca31ca
JH
1106 if (log_extra_selector & LX_tls_cipher)
1107 log_write(0, LOG_MAIN, "Received TLS cert status response, itself unverifiable");
f5d78688
JH
1108 BIO_printf(bp, "OCSP response verify failure\n");
1109 ERR_print_errors(bp);
44662487 1110 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688
JH
1111 goto out;
1112 }
1113
1114 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1115
1116 {
1117 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
1118 OCSP_SINGLERESP * single;
1119
1120 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
1121 {
018058b2 1122 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1123 log_write(0, LOG_MAIN, "OCSP stapling "
1124 "with multiple responses not handled");
1125 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688
JH
1126 goto out;
1127 }
1128 single = OCSP_resp_get0(bs, 0);
44662487
JH
1129 status = OCSP_single_get0_status(single, &reason, &rev,
1130 &thisupd, &nextupd);
f5d78688
JH
1131 }
1132
f5d78688
JH
1133 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1134 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
44662487
JH
1135 if (!OCSP_check_validity(thisupd, nextupd,
1136 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
f5d78688 1137 {
018058b2 1138 tls_out.ocsp = OCSP_FAILED;
f5d78688
JH
1139 DEBUG(D_tls) ERR_print_errors(bp);
1140 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
44662487 1141 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688 1142 }
44662487 1143 else
f5d78688 1144 {
44662487
JH
1145 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1146 OCSP_cert_status_str(status));
1147 switch(status)
1148 {
1149 case V_OCSP_CERTSTATUS_GOOD:
44662487 1150 tls_out.ocsp = OCSP_VFIED;
018058b2 1151 i = 1;
44662487
JH
1152 break;
1153 case V_OCSP_CERTSTATUS_REVOKED:
018058b2 1154 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1155 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1156 reason != -1 ? "; reason: " : "",
1157 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1158 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
1159 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1160 break;
1161 default:
018058b2 1162 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1163 log_write(0, LOG_MAIN,
1164 "Server certificate status unknown, in OCSP stapling");
1165 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1166 break;
1167 }
f5d78688
JH
1168 }
1169 out:
1170 BIO_free(bp);
1171 }
1172
1173OCSP_RESPONSE_free(rsp);
1174return i;
1175}
f2de3a33 1176#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
1177
1178
7be682ca 1179/*************************************************
059ec3d9
PH
1180* Initialize for TLS *
1181*************************************************/
1182
e51c7be2
JH
1183/* Called from both server and client code, to do preliminary initialization
1184of the library. We allocate and return a context structure.
059ec3d9
PH
1185
1186Arguments:
946ecbe0 1187 ctxp returned SSL context
059ec3d9
PH
1188 host connected host, if client; NULL if server
1189 dhparam DH parameter file
1190 certificate certificate file
1191 privatekey private key
f5d78688 1192 ocsp_file file of stapling info (server); flag for require ocsp (client)
059ec3d9 1193 addr address if client; NULL if server (for some randomness)
946ecbe0 1194 cbp place to put allocated callback context
059ec3d9
PH
1195
1196Returns: OK/DEFER/FAIL
1197*/
1198
1199static int
817d9f57 1200tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
3f7eeb86 1201 uschar *privatekey,
f2de3a33 1202#ifndef DISABLE_OCSP
3f7eeb86
PP
1203 uschar *ocsp_file,
1204#endif
817d9f57 1205 address_item *addr, tls_ext_ctx_cb ** cbp)
059ec3d9 1206{
77bb000f 1207long init_options;
7be682ca 1208int rc;
77bb000f 1209BOOL okay;
a7538db1 1210tls_ext_ctx_cb * cbinfo;
7be682ca
PP
1211
1212cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1213cbinfo->certificate = certificate;
1214cbinfo->privatekey = privatekey;
f2de3a33 1215#ifndef DISABLE_OCSP
f5d78688
JH
1216if ((cbinfo->is_server = host==NULL))
1217 {
1218 cbinfo->u_ocsp.server.file = ocsp_file;
1219 cbinfo->u_ocsp.server.file_expanded = NULL;
1220 cbinfo->u_ocsp.server.response = NULL;
1221 }
1222else
1223 cbinfo->u_ocsp.client.verify_store = NULL;
3f7eeb86 1224#endif
7be682ca 1225cbinfo->dhparam = dhparam;
0df4ab80 1226cbinfo->server_cipher_list = NULL;
7be682ca 1227cbinfo->host = host;
774ef2d7 1228#ifdef EXPERIMENTAL_EVENT
a7538db1
JH
1229cbinfo->event_action = NULL;
1230#endif
77bb000f 1231
059ec3d9
PH
1232SSL_load_error_strings(); /* basic set up */
1233OpenSSL_add_ssl_algorithms();
1234
388d6564 1235#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
77bb000f 1236/* SHA256 is becoming ever more popular. This makes sure it gets added to the
a0475b69
TK
1237list of available digests. */
1238EVP_add_digest(EVP_sha256());
cf1ef1a9 1239#endif
a0475b69 1240
f0f5a555
PP
1241/* Create a context.
1242The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1243negotiation in the different methods; as far as I can tell, the only
1244*_{server,client}_method which allows negotiation is SSLv23, which exists even
1245when OpenSSL is built without SSLv2 support.
1246By disabling with openssl_options, we can let admins re-enable with the
1247existing knob. */
059ec3d9 1248
817d9f57 1249*ctxp = SSL_CTX_new((host == NULL)?
059ec3d9
PH
1250 SSLv23_server_method() : SSLv23_client_method());
1251
817d9f57 1252if (*ctxp == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
059ec3d9
PH
1253
1254/* It turns out that we need to seed the random number generator this early in
1255order to get the full complement of ciphers to work. It took me roughly a day
1256of work to discover this by experiment.
1257
1258On systems that have /dev/urandom, SSL may automatically seed itself from
1259there. Otherwise, we have to make something up as best we can. Double check
1260afterwards. */
1261
1262if (!RAND_status())
1263 {
1264 randstuff r;
9e3331ea 1265 gettimeofday(&r.tv, NULL);
059ec3d9
PH
1266 r.p = getpid();
1267
1268 RAND_seed((uschar *)(&r), sizeof(r));
1269 RAND_seed((uschar *)big_buffer, big_buffer_size);
1270 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
1271
1272 if (!RAND_status())
7199e1ee 1273 return tls_error(US"RAND_status", host,
5ca6d115 1274 US"unable to seed random number generator");
059ec3d9
PH
1275 }
1276
1277/* Set up the information callback, which outputs if debugging is at a suitable
1278level. */
1279
f69979cf 1280DEBUG(D_tls) SSL_CTX_set_info_callback(*ctxp, (void (*)())info_callback);
059ec3d9 1281
c80c5570 1282/* Automatically re-try reads/writes after renegotiation. */
817d9f57 1283(void) SSL_CTX_set_mode(*ctxp, SSL_MODE_AUTO_RETRY);
c80c5570 1284
77bb000f
PP
1285/* Apply administrator-supplied work-arounds.
1286Historically we applied just one requested option,
1287SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1288moved to an administrator-controlled list of options to specify and
1289grandfathered in the first one as the default value for "openssl_options".
059ec3d9 1290
77bb000f
PP
1291No OpenSSL version number checks: the options we accept depend upon the
1292availability of the option value macros from OpenSSL. */
059ec3d9 1293
77bb000f
PP
1294okay = tls_openssl_options_parse(openssl_options, &init_options);
1295if (!okay)
73a46702 1296 return tls_error(US"openssl_options parsing failed", host, NULL);
77bb000f
PP
1297
1298if (init_options)
1299 {
1300 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
817d9f57 1301 if (!(SSL_CTX_set_options(*ctxp, init_options)))
77bb000f
PP
1302 return tls_error(string_sprintf(
1303 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
1304 }
1305else
1306 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9
PH
1307
1308/* Initialize with DH parameters if supplied */
1309
038597d2
PP
1310if ( !init_dh(*ctxp, dhparam, host)
1311 || !init_ecdh(*ctxp, host)
1312 )
1313 return DEFER;
059ec3d9 1314
3f7eeb86 1315/* Set up certificate and key (and perhaps OCSP info) */
059ec3d9 1316
817d9f57 1317rc = tls_expand_session_files(*ctxp, cbinfo);
7be682ca 1318if (rc != OK) return rc;
c91535f3 1319
7be682ca 1320/* If we need to handle SNI, do so */
3bcbbbe2 1321#ifdef EXIM_HAVE_OPENSSL_TLSEXT
f5d78688 1322if (host == NULL) /* server */
3f0945ff 1323 {
f2de3a33 1324# ifndef DISABLE_OCSP
f5d78688 1325 /* We check u_ocsp.server.file, not server.response, because we care about if
3f7eeb86
PP
1326 the option exists, not what the current expansion might be, as SNI might
1327 change the certificate and OCSP file in use between now and the time the
1328 callback is invoked. */
f5d78688 1329 if (cbinfo->u_ocsp.server.file)
3f7eeb86 1330 {
f5d78688 1331 SSL_CTX_set_tlsext_status_cb(server_ctx, tls_server_stapling_cb);
5e55c7a9 1332 SSL_CTX_set_tlsext_status_arg(server_ctx, cbinfo);
3f7eeb86 1333 }
f5d78688 1334# endif
3f0945ff
PP
1335 /* We always do this, so that $tls_sni is available even if not used in
1336 tls_certificate */
817d9f57
JH
1337 SSL_CTX_set_tlsext_servername_callback(*ctxp, tls_servername_cb);
1338 SSL_CTX_set_tlsext_servername_arg(*ctxp, cbinfo);
3f0945ff 1339 }
f2de3a33 1340# ifndef DISABLE_OCSP
f5d78688
JH
1341else /* client */
1342 if(ocsp_file) /* wanting stapling */
1343 {
1344 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1345 {
1346 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1347 return FAIL;
1348 }
1349 SSL_CTX_set_tlsext_status_cb(*ctxp, tls_client_stapling_cb);
1350 SSL_CTX_set_tlsext_status_arg(*ctxp, cbinfo);
1351 }
1352# endif
7be682ca 1353#endif
059ec3d9 1354
e51c7be2 1355cbinfo->verify_cert_hostnames = NULL;
e51c7be2 1356
059ec3d9
PH
1357/* Set up the RSA callback */
1358
817d9f57 1359SSL_CTX_set_tmp_rsa_callback(*ctxp, rsa_callback);
059ec3d9
PH
1360
1361/* Finally, set the timeout, and we are done */
1362
817d9f57 1363SSL_CTX_set_timeout(*ctxp, ssl_session_timeout);
059ec3d9 1364DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca 1365
817d9f57 1366*cbp = cbinfo;
7be682ca 1367
059ec3d9
PH
1368return OK;
1369}
1370
1371
1372
1373
1374/*************************************************
1375* Get name of cipher in use *
1376*************************************************/
1377
817d9f57 1378/*
059ec3d9 1379Argument: pointer to an SSL structure for the connection
817d9f57
JH
1380 buffer to use for answer
1381 size of buffer
1382 pointer to number of bits for cipher
059ec3d9
PH
1383Returns: nothing
1384*/
1385
1386static void
817d9f57 1387construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
059ec3d9 1388{
57b3a7f5
PP
1389/* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
1390yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1391the accessor functions use const in the prototype. */
1392const SSL_CIPHER *c;
d9784128 1393const uschar *ver;
059ec3d9 1394
d9784128 1395ver = (const uschar *)SSL_get_version(ssl);
059ec3d9 1396
57b3a7f5 1397c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
817d9f57 1398SSL_CIPHER_get_bits(c, bits);
059ec3d9 1399
817d9f57
JH
1400string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1401 SSL_CIPHER_get_name(c), *bits);
059ec3d9
PH
1402
1403DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1404}
1405
1406
f69979cf
JH
1407static void
1408peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned bsize)
1409{
1410/*XXX we might consider a list-of-certs variable for the cert chain.
1411SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
1412in list-handling functions, also consider the difference between the entire
1413chain and the elements sent by the peer. */
1414
1415/* Will have already noted peercert on a verify fail; possibly not the leaf */
1416if (!tlsp->peercert)
1417 tlsp->peercert = SSL_get_peer_certificate(ssl);
1418/* Beware anonymous ciphers which lead to server_cert being NULL */
1419if (tlsp->peercert)
1420 {
1421 X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, bsize);
1422 peerdn[bsize-1] = '\0';
1423 tlsp->peerdn = peerdn; /*XXX a static buffer... */
1424 }
1425else
1426 tlsp->peerdn = NULL;
1427}
1428
1429
059ec3d9
PH
1430
1431
1432
1433/*************************************************
1434* Set up for verifying certificates *
1435*************************************************/
1436
1437/* Called by both client and server startup
1438
1439Arguments:
7be682ca 1440 sctx SSL_CTX* to initialise
059ec3d9
PH
1441 certs certs file or NULL
1442 crl CRL file or NULL
1443 host NULL in a server; the remote host in a client
1444 optional TRUE if called from a server for a host in tls_try_verify_hosts;
1445 otherwise passed as FALSE
983207c1 1446 cert_vfy_cb Callback function for certificate verification
059ec3d9
PH
1447
1448Returns: OK/DEFER/FAIL
1449*/
1450
1451static int
983207c1
JH
1452setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
1453 int (*cert_vfy_cb)(int, X509_STORE_CTX *) )
059ec3d9
PH
1454{
1455uschar *expcerts, *expcrl;
1456
1457if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
1458 return DEFER;
1459
26e72755 1460if (expcerts != NULL && *expcerts != '\0')
059ec3d9 1461 {
cb1d7830 1462 if (Ustrcmp(expcerts, "system") == 0)
059ec3d9 1463 {
cb1d7830
JH
1464 /* Tell the library to use its compiled-in location for the system default
1465 CA bundle, only */
1466
1467 if (!SSL_CTX_set_default_verify_paths(sctx))
1468 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
059ec3d9
PH
1469 }
1470 else
1471 {
cb1d7830
JH
1472 struct stat statbuf;
1473
1474 /* Tell the library to use its compiled-in location for the system default
1475 CA bundle. Those given by the exim config are additional to these */
1476
1477 if (!SSL_CTX_set_default_verify_paths(sctx))
1478 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
1479
1480 if (Ustat(expcerts, &statbuf) < 0)
1481 {
1482 log_write(0, LOG_MAIN|LOG_PANIC,
1483 "failed to stat %s for certificates", expcerts);
1484 return DEFER;
1485 }
059ec3d9 1486 else
059ec3d9 1487 {
cb1d7830
JH
1488 uschar *file, *dir;
1489 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1490 { file = NULL; dir = expcerts; }
1491 else
1492 { file = expcerts; dir = NULL; }
1493
1494 /* If a certificate file is empty, the next function fails with an
1495 unhelpful error message. If we skip it, we get the correct behaviour (no
1496 certificates are recognized, but the error message is still misleading (it
1497 says no certificate was supplied.) But this is better. */
1498
1499 if ((file == NULL || statbuf.st_size > 0) &&
1500 !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
1501 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
1502
1503 /* Load the list of CAs for which we will accept certs, for sending
1504 to the client. This is only for the one-file tls_verify_certificates
1505 variant.
1506 If a list isn't loaded into the server, but
1507 some verify locations are set, the server end appears to make
1508 a wildcard reqest for client certs.
1509 Meanwhile, the client library as deafult behaviour *ignores* the list
1510 we send over the wire - see man SSL_CTX_set_client_cert_cb.
1511 Because of this, and that the dir variant is likely only used for
1512 the public-CA bundle (not for a private CA), not worth fixing.
1513 */
1514 if (file != NULL)
1515 {
1516 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
1517 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
1518 sk_X509_NAME_num(names));
1519 SSL_CTX_set_client_CA_list(sctx, names);
1520 }
059ec3d9
PH
1521 }
1522 }
1523
1524 /* Handle a certificate revocation list. */
1525
1526 #if OPENSSL_VERSION_NUMBER > 0x00907000L
1527
8b417f2c
PH
1528 /* This bit of code is now the version supplied by Lars Mainka. (I have
1529 * merely reformatted it into the Exim code style.)
1530
1531 * "From here I changed the code to add support for multiple crl's
1532 * in pem format in one file or to support hashed directory entries in
1533 * pem format instead of a file. This method now uses the library function
1534 * X509_STORE_load_locations to add the CRL location to the SSL context.
1535 * OpenSSL will then handle the verify against CA certs and CRLs by
1536 * itself in the verify callback." */
1537
059ec3d9
PH
1538 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
1539 if (expcrl != NULL && *expcrl != 0)
1540 {
8b417f2c
PH
1541 struct stat statbufcrl;
1542 if (Ustat(expcrl, &statbufcrl) < 0)
1543 {
1544 log_write(0, LOG_MAIN|LOG_PANIC,
1545 "failed to stat %s for certificates revocation lists", expcrl);
1546 return DEFER;
1547 }
1548 else
059ec3d9 1549 {
8b417f2c
PH
1550 /* is it a file or directory? */
1551 uschar *file, *dir;
7be682ca 1552 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 1553 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 1554 {
8b417f2c
PH
1555 file = NULL;
1556 dir = expcrl;
1557 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH
1558 }
1559 else
1560 {
8b417f2c
PH
1561 file = expcrl;
1562 dir = NULL;
1563 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 1564 }
8b417f2c 1565 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
7199e1ee 1566 return tls_error(US"X509_STORE_load_locations", host, NULL);
8b417f2c
PH
1567
1568 /* setting the flags to check against the complete crl chain */
1569
1570 X509_STORE_set_flags(cvstore,
1571 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 1572 }
059ec3d9
PH
1573 }
1574
1575 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
1576
1577 /* If verification is optional, don't fail if no certificate */
1578
7be682ca 1579 SSL_CTX_set_verify(sctx,
059ec3d9 1580 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
983207c1 1581 cert_vfy_cb);
059ec3d9
PH
1582 }
1583
1584return OK;
1585}
1586
1587
1588
1589/*************************************************
1590* Start a TLS session in a server *
1591*************************************************/
1592
1593/* This is called when Exim is running as a server, after having received
1594the STARTTLS command. It must respond to that command, and then negotiate
1595a TLS session.
1596
1597Arguments:
1598 require_ciphers allowed ciphers
1599
1600Returns: OK on success
1601 DEFER for errors before the start of the negotiation
1602 FAIL for errors during the negotation; the server can't
1603 continue running.
1604*/
1605
1606int
17c76198 1607tls_server_start(const uschar *require_ciphers)
059ec3d9
PH
1608{
1609int rc;
1610uschar *expciphers;
7be682ca 1611tls_ext_ctx_cb *cbinfo;
f69979cf 1612static uschar peerdn[256];
817d9f57 1613static uschar cipherbuf[256];
059ec3d9
PH
1614
1615/* Check for previous activation */
1616
817d9f57 1617if (tls_in.active >= 0)
059ec3d9 1618 {
5ca6d115 1619 tls_error(US"STARTTLS received after TLS started", NULL, US"");
059ec3d9
PH
1620 smtp_printf("554 Already in TLS\r\n");
1621 return FAIL;
1622 }
1623
1624/* Initialize the SSL library. If it fails, it will already have logged
1625the error. */
1626
817d9f57 1627rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
f2de3a33 1628#ifndef DISABLE_OCSP
3f7eeb86
PP
1629 tls_ocsp_file,
1630#endif
817d9f57 1631 NULL, &server_static_cbinfo);
059ec3d9 1632if (rc != OK) return rc;
817d9f57 1633cbinfo = server_static_cbinfo;
059ec3d9
PH
1634
1635if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1636 return FAIL;
1637
1638/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
17c76198
PP
1639were historically separated by underscores. So that I can use either form in my
1640tests, and also for general convenience, we turn underscores into hyphens here.
1641*/
059ec3d9
PH
1642
1643if (expciphers != NULL)
1644 {
1645 uschar *s = expciphers;
1646 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1647 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 1648 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
7199e1ee 1649 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
7be682ca 1650 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH
1651 }
1652
1653/* If this is a host for which certificate verification is mandatory or
1654optional, set up appropriately. */
1655
817d9f57 1656tls_in.certificate_verified = FALSE;
53a7196b
JH
1657#ifdef EXPERIMENTAL_DANE
1658tls_in.dane_verified = FALSE;
1659#endif
a2ff477a 1660server_verify_callback_called = FALSE;
059ec3d9
PH
1661
1662if (verify_check_host(&tls_verify_hosts) == OK)
1663 {
983207c1
JH
1664 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1665 FALSE, verify_callback_server);
059ec3d9 1666 if (rc != OK) return rc;
a2ff477a 1667 server_verify_optional = FALSE;
059ec3d9
PH
1668 }
1669else if (verify_check_host(&tls_try_verify_hosts) == OK)
1670 {
983207c1
JH
1671 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1672 TRUE, verify_callback_server);
059ec3d9 1673 if (rc != OK) return rc;
a2ff477a 1674 server_verify_optional = TRUE;
059ec3d9
PH
1675 }
1676
1677/* Prepare for new connection */
1678
817d9f57 1679if ((server_ssl = SSL_new(server_ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
da3ad30d
PP
1680
1681/* Warning: we used to SSL_clear(ssl) here, it was removed.
1682 *
1683 * With the SSL_clear(), we get strange interoperability bugs with
1684 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
1685 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
1686 *
1687 * The SSL_clear() call is to let an existing SSL* be reused, typically after
1688 * session shutdown. In this case, we have a brand new object and there's no
1689 * obvious reason to immediately clear it. I'm guessing that this was
1690 * originally added because of incomplete initialisation which the clear fixed,
1691 * in some historic release.
1692 */
059ec3d9
PH
1693
1694/* Set context and tell client to go ahead, except in the case of TLS startup
1695on connection, where outputting anything now upsets the clients and tends to
1696make them disconnect. We need to have an explicit fflush() here, to force out
1697the response. Other smtp_printf() calls do not need it, because in non-TLS
1698mode, the fflush() happens when smtp_getc() is called. */
1699
817d9f57
JH
1700SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
1701if (!tls_in.on_connect)
059ec3d9
PH
1702 {
1703 smtp_printf("220 TLS go ahead\r\n");
1704 fflush(smtp_out);
1705 }
1706
1707/* Now negotiate the TLS session. We put our own timer on it, since it seems
1708that the OpenSSL library doesn't. */
1709
817d9f57
JH
1710SSL_set_wfd(server_ssl, fileno(smtp_out));
1711SSL_set_rfd(server_ssl, fileno(smtp_in));
1712SSL_set_accept_state(server_ssl);
059ec3d9
PH
1713
1714DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
1715
1716sigalrm_seen = FALSE;
1717if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
817d9f57 1718rc = SSL_accept(server_ssl);
059ec3d9
PH
1719alarm(0);
1720
1721if (rc <= 0)
1722 {
7199e1ee 1723 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
77bb000f
PP
1724 if (ERR_get_error() == 0)
1725 log_write(0, LOG_MAIN,
a053d125 1726 "TLS client disconnected cleanly (rejected our certificate?)");
059ec3d9
PH
1727 return FAIL;
1728 }
1729
1730DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
1731
1732/* TLS has been set up. Adjust the input functions to read via TLS,
1733and initialize things. */
1734
f69979cf
JH
1735peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
1736
817d9f57
JH
1737construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
1738tls_in.cipher = cipherbuf;
059ec3d9
PH
1739
1740DEBUG(D_tls)
1741 {
1742 uschar buf[2048];
817d9f57 1743 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
059ec3d9
PH
1744 debug_printf("Shared ciphers: %s\n", buf);
1745 }
1746
9d1c15ef
JH
1747/* Record the certificate we presented */
1748 {
1749 X509 * crt = SSL_get_certificate(server_ssl);
1750 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
1751 }
059ec3d9 1752
817d9f57
JH
1753/* Only used by the server-side tls (tls_in), including tls_getc.
1754 Client-side (tls_out) reads (seem to?) go via
1755 smtp_read_response()/ip_recv().
1756 Hence no need to duplicate for _in and _out.
1757 */
059ec3d9
PH
1758ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1759ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
1760ssl_xfer_eof = ssl_xfer_error = 0;
1761
1762receive_getc = tls_getc;
1763receive_ungetc = tls_ungetc;
1764receive_feof = tls_feof;
1765receive_ferror = tls_ferror;
58eb016e 1766receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 1767
817d9f57 1768tls_in.active = fileno(smtp_out);
059ec3d9
PH
1769return OK;
1770}
1771
1772
1773
1774
043b1248
JH
1775static int
1776tls_client_basic_ctx_init(SSL_CTX * ctx,
01a4a5c5 1777 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo
043b1248
JH
1778 )
1779{
1780int rc;
1781/* stick to the old behaviour for compatibility if tls_verify_certificates is
1782 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
1783 the specified host patterns if one of them is defined */
1784
610ff438
JH
1785if ( ( !ob->tls_verify_hosts
1786 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
1787 )
5130845b 1788 || (verify_check_given_host(&ob->tls_verify_hosts, host) == OK)
aa2a70ba 1789 )
043b1248 1790 client_verify_optional = FALSE;
5130845b 1791else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
aa2a70ba
JH
1792 client_verify_optional = TRUE;
1793else
1794 return OK;
1795
1796if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
1797 ob->tls_crl, host, client_verify_optional, verify_callback_client)) != OK)
1798 return rc;
043b1248 1799
5130845b 1800if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
043b1248 1801 {
4af0d74a
JH
1802 cbinfo->verify_cert_hostnames =
1803#ifdef EXPERIMENTAL_INTERNATIONAL
1804 string_domain_utf8_to_alabel(host->name, NULL);
1805#else
1806 host->name;
1807#endif
aa2a70ba
JH
1808 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
1809 cbinfo->verify_cert_hostnames);
043b1248 1810 }
043b1248
JH
1811return OK;
1812}
059ec3d9 1813
fde080a4
JH
1814
1815#ifdef EXPERIMENTAL_DANE
1816static int
fde080a4
JH
1817dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa)
1818{
1819dns_record * rr;
1820dns_scan dnss;
1821const char * hostnames[2] = { CS host->name, NULL };
1822int found = 0;
1823
1824if (DANESSL_init(ssl, NULL, hostnames) != 1)
1825 return tls_error(US"hostnames load", host, NULL);
1826
1827for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
1828 rr;
1829 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1830 ) if (rr->type == T_TLSA)
1831 {
1832 uschar * p = rr->data;
1833 uint8_t usage, selector, mtype;
1834 const char * mdname;
1835
fde080a4 1836 usage = *p++;
133d2546
JH
1837
1838 /* Only DANE-TA(2) and DANE-EE(3) are supported */
1839 if (usage != 2 && usage != 3) continue;
1840
fde080a4
JH
1841 selector = *p++;
1842 mtype = *p++;
1843
1844 switch (mtype)
1845 {
133d2546
JH
1846 default: continue; /* Only match-types 0, 1, 2 are supported */
1847 case 0: mdname = NULL; break;
1848 case 1: mdname = "sha256"; break;
1849 case 2: mdname = "sha512"; break;
fde080a4
JH
1850 }
1851
133d2546 1852 found++;
fde080a4
JH
1853 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
1854 {
1855 default:
1856 case 0: /* action not taken */
1857 return tls_error(US"tlsa load", host, NULL);
1858 case 1: break;
1859 }
594706ea
JH
1860
1861 tls_out.tlsa_usage |= 1<<usage;
fde080a4
JH
1862 }
1863
1864if (found)
1865 return OK;
1866
133d2546 1867log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
6ebd79ec 1868return DEFER;
fde080a4
JH
1869}
1870#endif /*EXPERIMENTAL_DANE*/
1871
1872
1873
059ec3d9
PH
1874/*************************************************
1875* Start a TLS session in a client *
1876*************************************************/
1877
1878/* Called from the smtp transport after STARTTLS has been accepted.
1879
1880Argument:
1881 fd the fd of the connection
1882 host connected host (for messages)
83da1223 1883 addr the first address
a7538db1 1884 tb transport (always smtp)
0e66b3b6 1885 tlsa_dnsa tlsa lookup, if DANE, else null
059ec3d9
PH
1886
1887Returns: OK on success
1888 FAIL otherwise - note that tls_error() will not give DEFER
1889 because this is not a server
1890*/
1891
1892int
f5d78688 1893tls_client_start(int fd, host_item *host, address_item *addr,
0e66b3b6
JH
1894 transport_instance *tb
1895#ifdef EXPERIMENTAL_DANE
1896 , dns_answer * tlsa_dnsa
1897#endif
1898 )
059ec3d9 1899{
a7538db1
JH
1900smtp_transport_options_block * ob =
1901 (smtp_transport_options_block *)tb->options_block;
f69979cf 1902static uschar peerdn[256];
868f5672 1903uschar * expciphers;
059ec3d9 1904int rc;
817d9f57 1905static uschar cipherbuf[256];
043b1248
JH
1906
1907#ifndef DISABLE_OCSP
043b1248 1908BOOL request_ocsp = FALSE;
6634ac8d 1909BOOL require_ocsp = FALSE;
043b1248 1910#endif
043b1248
JH
1911
1912#ifdef EXPERIMENTAL_DANE
594706ea 1913tls_out.tlsa_usage = 0;
043b1248
JH
1914#endif
1915
f2de3a33 1916#ifndef DISABLE_OCSP
043b1248 1917 {
4f59c424
JH
1918# ifdef EXPERIMENTAL_DANE
1919 if ( tlsa_dnsa
1920 && ob->hosts_request_ocsp[0] == '*'
1921 && ob->hosts_request_ocsp[1] == '\0'
1922 )
1923 {
1924 /* Unchanged from default. Use a safer one under DANE */
1925 request_ocsp = TRUE;
1926 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
1927 " {= {4}{$tls_out_tlsa_usage}} } "
1928 " {*}{}}";
1929 }
1930# endif
1931
5130845b
JH
1932 if ((require_ocsp =
1933 verify_check_given_host(&ob->hosts_require_ocsp, host) == OK))
fca41d5a
JH
1934 request_ocsp = TRUE;
1935 else
fca41d5a 1936# ifdef EXPERIMENTAL_DANE
4f59c424 1937 if (!request_ocsp)
fca41d5a 1938# endif
5130845b
JH
1939 request_ocsp =
1940 verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
043b1248 1941 }
f5d78688 1942#endif
059ec3d9 1943
65867078
JH
1944rc = tls_init(&client_ctx, host, NULL,
1945 ob->tls_certificate, ob->tls_privatekey,
f2de3a33 1946#ifndef DISABLE_OCSP
44662487 1947 (void *)(long)request_ocsp,
3f7eeb86 1948#endif
817d9f57 1949 addr, &client_static_cbinfo);
059ec3d9
PH
1950if (rc != OK) return rc;
1951
817d9f57 1952tls_out.certificate_verified = FALSE;
a2ff477a 1953client_verify_callback_called = FALSE;
059ec3d9 1954
65867078
JH
1955if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
1956 &expciphers))
059ec3d9
PH
1957 return FAIL;
1958
1959/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1960are separated by underscores. So that I can use either form in my tests, and
1961also for general convenience, we turn underscores into hyphens here. */
1962
1963if (expciphers != NULL)
1964 {
1965 uschar *s = expciphers;
1966 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1967 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 1968 if (!SSL_CTX_set_cipher_list(client_ctx, CS expciphers))
7199e1ee 1969 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
059ec3d9
PH
1970 }
1971
043b1248 1972#ifdef EXPERIMENTAL_DANE
0e66b3b6 1973if (tlsa_dnsa)
a63be306 1974 {
02af313d
JH
1975 SSL_CTX_set_verify(client_ctx,
1976 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1977 verify_callback_client_dane);
e5cccda9 1978
043b1248 1979 if (!DANESSL_library_init())
b4161d10 1980 return tls_error(US"library init", host, NULL);
043b1248 1981 if (DANESSL_CTX_init(client_ctx) <= 0)
b4161d10 1982 return tls_error(US"context init", host, NULL);
043b1248
JH
1983 }
1984else
e51c7be2 1985
043b1248
JH
1986#endif
1987
01a4a5c5
JH
1988 if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob, client_static_cbinfo))
1989 != OK)
65867078 1990 return rc;
059ec3d9 1991
65867078
JH
1992if ((client_ssl = SSL_new(client_ctx)) == NULL)
1993 return tls_error(US"SSL_new", host, NULL);
817d9f57
JH
1994SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
1995SSL_set_fd(client_ssl, fd);
1996SSL_set_connect_state(client_ssl);
059ec3d9 1997
65867078 1998if (ob->tls_sni)
3f0945ff 1999 {
65867078 2000 if (!expand_check(ob->tls_sni, US"tls_sni", &tls_out.sni))
3f0945ff 2001 return FAIL;
ec4b68e5 2002 if (tls_out.sni == NULL)
2c9a0e86
PP
2003 {
2004 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
2005 }
ec4b68e5 2006 else if (!Ustrlen(tls_out.sni))
817d9f57 2007 tls_out.sni = NULL;
3f0945ff
PP
2008 else
2009 {
35731706 2010#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57
JH
2011 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_out.sni);
2012 SSL_set_tlsext_host_name(client_ssl, tls_out.sni);
35731706
PP
2013#else
2014 DEBUG(D_tls)
2015 debug_printf("OpenSSL at build-time lacked SNI support, ignoring \"%s\"\n",
02d9264f 2016 tls_out.sni);
35731706 2017#endif
3f0945ff
PP
2018 }
2019 }
2020
594706ea 2021#ifdef EXPERIMENTAL_DANE
0e66b3b6
JH
2022if (tlsa_dnsa)
2023 if ((rc = dane_tlsa_load(client_ssl, host, tlsa_dnsa)) != OK)
594706ea
JH
2024 return rc;
2025#endif
2026
f2de3a33 2027#ifndef DISABLE_OCSP
f5d78688
JH
2028/* Request certificate status at connection-time. If the server
2029does OCSP stapling we will get the callback (set in tls_init()) */
b50c8b84 2030# ifdef EXPERIMENTAL_DANE
44662487
JH
2031if (request_ocsp)
2032 {
594706ea 2033 const uschar * s;
41afb5cb
JH
2034 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2035 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
594706ea
JH
2036 )
2037 { /* Re-eval now $tls_out_tlsa_usage is populated. If
2038 this means we avoid the OCSP request, we wasted the setup
2039 cost in tls_init(). */
5130845b
JH
2040 require_ocsp = verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
2041 request_ocsp = require_ocsp
2042 || verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
594706ea
JH
2043 }
2044 }
b50c8b84
JH
2045# endif
2046
594706ea
JH
2047if (request_ocsp)
2048 {
f5d78688 2049 SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp);
44662487
JH
2050 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
2051 tls_out.ocsp = OCSP_NOT_RESP;
2052 }
f5d78688
JH
2053#endif
2054
774ef2d7
JH
2055#ifdef EXPERIMENTAL_EVENT
2056client_static_cbinfo->event_action = tb->event_action;
a7538db1 2057#endif
043b1248 2058
059ec3d9
PH
2059/* There doesn't seem to be a built-in timeout on connection. */
2060
2061DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
2062sigalrm_seen = FALSE;
65867078 2063alarm(ob->command_timeout);
817d9f57 2064rc = SSL_connect(client_ssl);
059ec3d9
PH
2065alarm(0);
2066
043b1248 2067#ifdef EXPERIMENTAL_DANE
0e66b3b6 2068if (tlsa_dnsa)
fde080a4 2069 DANESSL_cleanup(client_ssl);
043b1248
JH
2070#endif
2071
059ec3d9 2072if (rc <= 0)
7199e1ee 2073 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
059ec3d9
PH
2074
2075DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
2076
f69979cf 2077peer_cert(client_ssl, &tls_out, peerdn, sizeof(peerdn));
059ec3d9 2078
817d9f57
JH
2079construct_cipher_name(client_ssl, cipherbuf, sizeof(cipherbuf), &tls_out.bits);
2080tls_out.cipher = cipherbuf;
059ec3d9 2081
9d1c15ef
JH
2082/* Record the certificate we presented */
2083 {
2084 X509 * crt = SSL_get_certificate(client_ssl);
2085 tls_out.ourcert = crt ? X509_dup(crt) : NULL;
2086 }
2087
817d9f57 2088tls_out.active = fd;
059ec3d9
PH
2089return OK;
2090}
2091
2092
2093
2094
2095
2096/*************************************************
2097* TLS version of getc *
2098*************************************************/
2099
2100/* This gets the next byte from the TLS input buffer. If the buffer is empty,
2101it refills the buffer via the SSL reading function.
2102
2103Arguments: none
2104Returns: the next character or EOF
817d9f57
JH
2105
2106Only used by the server-side TLS.
059ec3d9
PH
2107*/
2108
2109int
2110tls_getc(void)
2111{
2112if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2113 {
2114 int error;
2115 int inbytes;
2116
817d9f57 2117 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
c80c5570 2118 ssl_xfer_buffer, ssl_xfer_buffer_size);
059ec3d9
PH
2119
2120 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
817d9f57
JH
2121 inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
2122 error = SSL_get_error(server_ssl, inbytes);
059ec3d9
PH
2123 alarm(0);
2124
2125 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
2126 closed down, not that the socket itself has been closed down. Revert to
2127 non-SSL handling. */
2128
2129 if (error == SSL_ERROR_ZERO_RETURN)
2130 {
2131 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2132
2133 receive_getc = smtp_getc;
2134 receive_ungetc = smtp_ungetc;
2135 receive_feof = smtp_feof;
2136 receive_ferror = smtp_ferror;
58eb016e 2137 receive_smtp_buffered = smtp_buffered;
059ec3d9 2138
817d9f57
JH
2139 SSL_free(server_ssl);
2140 server_ssl = NULL;
2141 tls_in.active = -1;
2142 tls_in.bits = 0;
2143 tls_in.cipher = NULL;
2144 tls_in.peerdn = NULL;
2145 tls_in.sni = NULL;
059ec3d9
PH
2146
2147 return smtp_getc();
2148 }
2149
2150 /* Handle genuine errors */
2151
ba084640
PP
2152 else if (error == SSL_ERROR_SSL)
2153 {
2154 ERR_error_string(ERR_get_error(), ssl_errstring);
89dd51cd 2155 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
ba084640
PP
2156 ssl_xfer_error = 1;
2157 return EOF;
2158 }
2159
059ec3d9
PH
2160 else if (error != SSL_ERROR_NONE)
2161 {
2162 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2163 ssl_xfer_error = 1;
2164 return EOF;
2165 }
c80c5570 2166
80a47a2c
TK
2167#ifndef DISABLE_DKIM
2168 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
2169#endif
059ec3d9
PH
2170 ssl_xfer_buffer_hwm = inbytes;
2171 ssl_xfer_buffer_lwm = 0;
2172 }
2173
2174/* Something in the buffer; return next uschar */
2175
2176return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
2177}
2178
2179
2180
2181/*************************************************
2182* Read bytes from TLS channel *
2183*************************************************/
2184
2185/*
2186Arguments:
2187 buff buffer of data
2188 len size of buffer
2189
2190Returns: the number of bytes read
2191 -1 after a failed read
817d9f57
JH
2192
2193Only used by the client-side TLS.
059ec3d9
PH
2194*/
2195
2196int
389ca47a 2197tls_read(BOOL is_server, uschar *buff, size_t len)
059ec3d9 2198{
389ca47a 2199SSL *ssl = is_server ? server_ssl : client_ssl;
059ec3d9
PH
2200int inbytes;
2201int error;
2202
389ca47a 2203DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
c80c5570 2204 buff, (unsigned int)len);
059ec3d9 2205
389ca47a
JH
2206inbytes = SSL_read(ssl, CS buff, len);
2207error = SSL_get_error(ssl, inbytes);
059ec3d9
PH
2208
2209if (error == SSL_ERROR_ZERO_RETURN)
2210 {
2211 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2212 return -1;
2213 }
2214else if (error != SSL_ERROR_NONE)
2215 {
2216 return -1;
2217 }
2218
2219return inbytes;
2220}
2221
2222
2223
2224
2225
2226/*************************************************
2227* Write bytes down TLS channel *
2228*************************************************/
2229
2230/*
2231Arguments:
817d9f57 2232 is_server channel specifier
059ec3d9
PH
2233 buff buffer of data
2234 len number of bytes
2235
2236Returns: the number of bytes after a successful write,
2237 -1 after a failed write
817d9f57
JH
2238
2239Used by both server-side and client-side TLS.
059ec3d9
PH
2240*/
2241
2242int
817d9f57 2243tls_write(BOOL is_server, const uschar *buff, size_t len)
059ec3d9
PH
2244{
2245int outbytes;
2246int error;
2247int left = len;
817d9f57 2248SSL *ssl = is_server ? server_ssl : client_ssl;
059ec3d9 2249
c80c5570 2250DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left);
059ec3d9
PH
2251while (left > 0)
2252 {
c80c5570 2253 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
059ec3d9
PH
2254 outbytes = SSL_write(ssl, CS buff, left);
2255 error = SSL_get_error(ssl, outbytes);
2256 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
2257 switch (error)
2258 {
2259 case SSL_ERROR_SSL:
2260 ERR_error_string(ERR_get_error(), ssl_errstring);
2261 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
2262 return -1;
2263
2264 case SSL_ERROR_NONE:
2265 left -= outbytes;
2266 buff += outbytes;
2267 break;
2268
2269 case SSL_ERROR_ZERO_RETURN:
2270 log_write(0, LOG_MAIN, "SSL channel closed on write");
2271 return -1;
2272
817d9f57
JH
2273 case SSL_ERROR_SYSCALL:
2274 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
2275 sender_fullhost ? sender_fullhost : US"<unknown>",
2276 strerror(errno));
2277
059ec3d9
PH
2278 default:
2279 log_write(0, LOG_MAIN, "SSL_write error %d", error);
2280 return -1;
2281 }
2282 }
2283return len;
2284}
2285
2286
2287
2288/*************************************************
2289* Close down a TLS session *
2290*************************************************/
2291
2292/* This is also called from within a delivery subprocess forked from the
2293daemon, to shut down the TLS library, without actually doing a shutdown (which
2294would tamper with the SSL session in the parent process).
2295
2296Arguments: TRUE if SSL_shutdown is to be called
2297Returns: nothing
817d9f57
JH
2298
2299Used by both server-side and client-side TLS.
059ec3d9
PH
2300*/
2301
2302void
817d9f57 2303tls_close(BOOL is_server, BOOL shutdown)
059ec3d9 2304{
817d9f57 2305SSL **sslp = is_server ? &server_ssl : &client_ssl;
389ca47a 2306int *fdp = is_server ? &tls_in.active : &tls_out.active;
817d9f57
JH
2307
2308if (*fdp < 0) return; /* TLS was not active */
059ec3d9
PH
2309
2310if (shutdown)
2311 {
2312 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
817d9f57 2313 SSL_shutdown(*sslp);
059ec3d9
PH
2314 }
2315
817d9f57
JH
2316SSL_free(*sslp);
2317*sslp = NULL;
059ec3d9 2318
817d9f57 2319*fdp = -1;
059ec3d9
PH
2320}
2321
36f12725
NM
2322
2323
2324
2325/*************************************************
3375e053
PP
2326* Let tls_require_ciphers be checked at startup *
2327*************************************************/
2328
2329/* The tls_require_ciphers option, if set, must be something which the
2330library can parse.
2331
2332Returns: NULL on success, or error message
2333*/
2334
2335uschar *
2336tls_validate_require_cipher(void)
2337{
2338SSL_CTX *ctx;
2339uschar *s, *expciphers, *err;
2340
2341/* this duplicates from tls_init(), we need a better "init just global
2342state, for no specific purpose" singleton function of our own */
2343
2344SSL_load_error_strings();
2345OpenSSL_add_ssl_algorithms();
2346#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
2347/* SHA256 is becoming ever more popular. This makes sure it gets added to the
2348list of available digests. */
2349EVP_add_digest(EVP_sha256());
2350#endif
2351
2352if (!(tls_require_ciphers && *tls_require_ciphers))
2353 return NULL;
2354
2355if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
2356 return US"failed to expand tls_require_ciphers";
2357
2358if (!(expciphers && *expciphers))
2359 return NULL;
2360
2361/* normalisation ripped from above */
2362s = expciphers;
2363while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2364
2365err = NULL;
2366
2367ctx = SSL_CTX_new(SSLv23_server_method());
2368if (!ctx)
2369 {
2370 ERR_error_string(ERR_get_error(), ssl_errstring);
2371 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
2372 }
2373
2374DEBUG(D_tls)
2375 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2376
2377if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
2378 {
2379 ERR_error_string(ERR_get_error(), ssl_errstring);
2380 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed", expciphers);
2381 }
2382
2383SSL_CTX_free(ctx);
2384
2385return err;
2386}
2387
2388
2389
2390
2391/*************************************************
36f12725
NM
2392* Report the library versions. *
2393*************************************************/
2394
2395/* There have historically been some issues with binary compatibility in
2396OpenSSL libraries; if Exim (like many other applications) is built against
2397one version of OpenSSL but the run-time linker picks up another version,
2398it can result in serious failures, including crashing with a SIGSEGV. So
2399report the version found by the compiler and the run-time version.
2400
f64a1e23
PP
2401Note: some OS vendors backport security fixes without changing the version
2402number/string, and the version date remains unchanged. The _build_ date
2403will change, so we can more usefully assist with version diagnosis by also
2404reporting the build date.
2405
36f12725
NM
2406Arguments: a FILE* to print the results to
2407Returns: nothing
2408*/
2409
2410void
2411tls_version_report(FILE *f)
2412{
754a0503 2413fprintf(f, "Library version: OpenSSL: Compile: %s\n"
f64a1e23
PP
2414 " Runtime: %s\n"
2415 " : %s\n",
754a0503 2416 OPENSSL_VERSION_TEXT,
f64a1e23
PP
2417 SSLeay_version(SSLEAY_VERSION),
2418 SSLeay_version(SSLEAY_BUILT_ON));
2419/* third line is 38 characters for the %s and the line is 73 chars long;
2420the OpenSSL output includes a "built on: " prefix already. */
36f12725
NM
2421}
2422
9e3331ea
TK
2423
2424
2425
2426/*************************************************
17c76198 2427* Random number generation *
9e3331ea
TK
2428*************************************************/
2429
2430/* Pseudo-random number generation. The result is not expected to be
2431cryptographically strong but not so weak that someone will shoot themselves
2432in the foot using it as a nonce in input in some email header scheme or
2433whatever weirdness they'll twist this into. The result should handle fork()
2434and avoid repeating sequences. OpenSSL handles that for us.
2435
2436Arguments:
2437 max range maximum
2438Returns a random number in range [0, max-1]
2439*/
2440
2441int
17c76198 2442vaguely_random_number(int max)
9e3331ea
TK
2443{
2444unsigned int r;
2445int i, needed_len;
de6135a0
PP
2446static pid_t pidlast = 0;
2447pid_t pidnow;
9e3331ea
TK
2448uschar *p;
2449uschar smallbuf[sizeof(r)];
2450
2451if (max <= 1)
2452 return 0;
2453
de6135a0
PP
2454pidnow = getpid();
2455if (pidnow != pidlast)
2456 {
2457 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
2458 is unique for each thread", this doesn't apparently apply across processes,
2459 so our own warning from vaguely_random_number_fallback() applies here too.
2460 Fix per PostgreSQL. */
2461 if (pidlast != 0)
2462 RAND_cleanup();
2463 pidlast = pidnow;
2464 }
2465
9e3331ea
TK
2466/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
2467if (!RAND_status())
2468 {
2469 randstuff r;
2470 gettimeofday(&r.tv, NULL);
2471 r.p = getpid();
2472
2473 RAND_seed((uschar *)(&r), sizeof(r));
2474 }
2475/* We're after pseudo-random, not random; if we still don't have enough data
2476in the internal PRNG then our options are limited. We could sleep and hope
2477for entropy to come along (prayer technique) but if the system is so depleted
2478in the first place then something is likely to just keep taking it. Instead,
2479we'll just take whatever little bit of pseudo-random we can still manage to
2480get. */
2481
2482needed_len = sizeof(r);
2483/* Don't take 8 times more entropy than needed if int is 8 octets and we were
2484asked for a number less than 10. */
2485for (r = max, i = 0; r; ++i)
2486 r >>= 1;
2487i = (i + 7) / 8;
2488if (i < needed_len)
2489 needed_len = i;
2490
2491/* We do not care if crypto-strong */
17c76198
PP
2492i = RAND_pseudo_bytes(smallbuf, needed_len);
2493if (i < 0)
2494 {
2495 DEBUG(D_all)
2496 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
2497 return vaguely_random_number_fallback(max);
2498 }
2499
9e3331ea
TK
2500r = 0;
2501for (p = smallbuf; needed_len; --needed_len, ++p)
2502 {
2503 r *= 256;
2504 r += *p;
2505 }
2506
2507/* We don't particularly care about weighted results; if someone wants
2508smooth distribution and cares enough then they should submit a patch then. */
2509return r % max;
2510}
2511
77bb000f
PP
2512
2513
2514
2515/*************************************************
2516* OpenSSL option parse *
2517*************************************************/
2518
2519/* Parse one option for tls_openssl_options_parse below
2520
2521Arguments:
2522 name one option name
2523 value place to store a value for it
2524Returns success or failure in parsing
2525*/
2526
2527struct exim_openssl_option {
2528 uschar *name;
2529 long value;
2530};
2531/* We could use a macro to expand, but we need the ifdef and not all the
2532options document which version they were introduced in. Policylet: include
2533all options unless explicitly for DTLS, let the administrator choose which
2534to apply.
2535
2536This list is current as of:
e2fbf4a2
PP
2537 ==> 1.0.1b <==
2538Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
2539*/
77bb000f
PP
2540static struct exim_openssl_option exim_openssl_options[] = {
2541/* KEEP SORTED ALPHABETICALLY! */
2542#ifdef SSL_OP_ALL
73a46702 2543 { US"all", SSL_OP_ALL },
77bb000f
PP
2544#endif
2545#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
73a46702 2546 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
77bb000f
PP
2547#endif
2548#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
73a46702 2549 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
77bb000f
PP
2550#endif
2551#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
73a46702 2552 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
77bb000f
PP
2553#endif
2554#ifdef SSL_OP_EPHEMERAL_RSA
73a46702 2555 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
77bb000f
PP
2556#endif
2557#ifdef SSL_OP_LEGACY_SERVER_CONNECT
73a46702 2558 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
77bb000f
PP
2559#endif
2560#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
73a46702 2561 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
77bb000f
PP
2562#endif
2563#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
73a46702 2564 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
77bb000f
PP
2565#endif
2566#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
73a46702 2567 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
77bb000f
PP
2568#endif
2569#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
73a46702 2570 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
77bb000f
PP
2571#endif
2572#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
73a46702 2573 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
77bb000f 2574#endif
c80c5570
PP
2575#ifdef SSL_OP_NO_COMPRESSION
2576 { US"no_compression", SSL_OP_NO_COMPRESSION },
2577#endif
77bb000f 2578#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
73a46702 2579 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
77bb000f 2580#endif
c0c7b2da
PP
2581#ifdef SSL_OP_NO_SSLv2
2582 { US"no_sslv2", SSL_OP_NO_SSLv2 },
2583#endif
2584#ifdef SSL_OP_NO_SSLv3
2585 { US"no_sslv3", SSL_OP_NO_SSLv3 },
2586#endif
2587#ifdef SSL_OP_NO_TICKET
2588 { US"no_ticket", SSL_OP_NO_TICKET },
2589#endif
2590#ifdef SSL_OP_NO_TLSv1
2591 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
2592#endif
c80c5570
PP
2593#ifdef SSL_OP_NO_TLSv1_1
2594#if SSL_OP_NO_TLSv1_1 == 0x00000400L
2595 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
2596#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
2597#else
2598 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
2599#endif
2600#endif
2601#ifdef SSL_OP_NO_TLSv1_2
2602 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
2603#endif
e2fbf4a2
PP
2604#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
2605 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
2606#endif
77bb000f 2607#ifdef SSL_OP_SINGLE_DH_USE
73a46702 2608 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
77bb000f
PP
2609#endif
2610#ifdef SSL_OP_SINGLE_ECDH_USE
73a46702 2611 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
77bb000f
PP
2612#endif
2613#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
73a46702 2614 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
77bb000f
PP
2615#endif
2616#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
73a46702 2617 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
77bb000f
PP
2618#endif
2619#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
73a46702 2620 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
77bb000f
PP
2621#endif
2622#ifdef SSL_OP_TLS_D5_BUG
73a46702 2623 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
77bb000f
PP
2624#endif
2625#ifdef SSL_OP_TLS_ROLLBACK_BUG
73a46702 2626 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
77bb000f
PP
2627#endif
2628};
2629static int exim_openssl_options_size =
2630 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
2631
c80c5570 2632
77bb000f
PP
2633static BOOL
2634tls_openssl_one_option_parse(uschar *name, long *value)
2635{
2636int first = 0;
2637int last = exim_openssl_options_size;
2638while (last > first)
2639 {
2640 int middle = (first + last)/2;
2641 int c = Ustrcmp(name, exim_openssl_options[middle].name);
2642 if (c == 0)
2643 {
2644 *value = exim_openssl_options[middle].value;
2645 return TRUE;
2646 }
2647 else if (c > 0)
2648 first = middle + 1;
2649 else
2650 last = middle;
2651 }
2652return FALSE;
2653}
2654
2655
2656
2657
2658/*************************************************
2659* OpenSSL option parsing logic *
2660*************************************************/
2661
2662/* OpenSSL has a number of compatibility options which an administrator might
2663reasonably wish to set. Interpret a list similarly to decode_bits(), so that
2664we look like log_selector.
2665
2666Arguments:
2667 option_spec the administrator-supplied string of options
2668 results ptr to long storage for the options bitmap
2669Returns success or failure
2670*/
2671
2672BOOL
2673tls_openssl_options_parse(uschar *option_spec, long *results)
2674{
2675long result, item;
2676uschar *s, *end;
2677uschar keep_c;
2678BOOL adding, item_parsed;
2679
0e944a0d 2680result = 0L;
b1770b6e 2681/* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
da3ad30d 2682 * from default because it increases BEAST susceptibility. */
f0f5a555
PP
2683#ifdef SSL_OP_NO_SSLv2
2684result |= SSL_OP_NO_SSLv2;
2685#endif
77bb000f
PP
2686
2687if (option_spec == NULL)
2688 {
2689 *results = result;
2690 return TRUE;
2691 }
2692
2693for (s=option_spec; *s != '\0'; /**/)
2694 {
2695 while (isspace(*s)) ++s;
2696 if (*s == '\0')
2697 break;
2698 if (*s != '+' && *s != '-')
2699 {
2700 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
0e944a0d 2701 "+ or - expected but found \"%s\"\n", s);
77bb000f
PP
2702 return FALSE;
2703 }
2704 adding = *s++ == '+';
2705 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
2706 keep_c = *end;
2707 *end = '\0';
2708 item_parsed = tls_openssl_one_option_parse(s, &item);
2709 if (!item_parsed)
2710 {
0e944a0d 2711 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
77bb000f
PP
2712 return FALSE;
2713 }
2714 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
2715 adding ? "adding" : "removing", result, item, s);
2716 if (adding)
2717 result |= item;
2718 else
2719 result &= ~item;
2720 *end = keep_c;
2721 s = end;
2722 }
2723
2724*results = result;
2725return TRUE;
2726}
2727
9d1c15ef
JH
2728/* vi: aw ai sw=2
2729*/
059ec3d9 2730/* End of tls-openssl.c */