Testsuite: GnuTLS version variances
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
f9ba5e22 5/* Copyright (c) University of Cambridge 1995 - 2018 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
f5d78688
JH
8/* Portions Copyright (c) The OpenSSL Project 1999 */
9
059ec3d9
PH
10/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11library. It is #included into the tls.c file when that library is used. The
12code herein is based on a patch that was originally contributed by Steve
13Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL library. */
17
18
19/* Heading stuff */
20
21#include <openssl/lhash.h>
22#include <openssl/ssl.h>
23#include <openssl/err.h>
24#include <openssl/rand.h>
10ca4f1c
JH
25#ifndef OPENSSL_NO_ECDH
26# include <openssl/ec.h>
27#endif
f2de3a33 28#ifndef DISABLE_OCSP
e51c7be2 29# include <openssl/ocsp.h>
3f7eeb86 30#endif
c0635b6d 31#ifdef SUPPORT_DANE
05e796ad 32# include "danessl.h"
85098ee7
JH
33#endif
34
3f7eeb86 35
f2de3a33
JH
36#ifndef DISABLE_OCSP
37# define EXIM_OCSP_SKEW_SECONDS (300L)
38# define EXIM_OCSP_MAX_AGE (-1L)
3f7eeb86 39#endif
059ec3d9 40
3bcbbbe2 41#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
e51c7be2 42# define EXIM_HAVE_OPENSSL_TLSEXT
3bcbbbe2 43#endif
c8dfb21d
JH
44#if OPENSSL_VERSION_NUMBER >= 0x00908000L
45# define EXIM_HAVE_RSA_GENKEY_EX
46#endif
47#if OPENSSL_VERSION_NUMBER >= 0x10100000L
48# define EXIM_HAVE_OCSP_RESP_COUNT
49#else
50# define EXIM_HAVE_EPHEM_RSA_KEX
51# define EXIM_HAVE_RAND_PSEUDO
52#endif
53#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
8442641e 54# define EXIM_HAVE_SHA256
c8dfb21d 55#endif
34e3241d 56
d7978c0f
JH
57/* X509_check_host provides sane certificate hostname checking, but was added
58to OpenSSL late, after other projects forked off the code-base. So in
59addition to guarding against the base version number, beware that LibreSSL
60does not (at this time) support this function.
61
62If LibreSSL gains a different API, perhaps via libtls, then we'll probably
63opt to disentangle and ask a LibreSSL user to provide glue for a third
64crypto provider for libtls instead of continuing to tie the OpenSSL glue
65into even twistier knots. If LibreSSL gains the same API, we can just
66change this guard and punt the issue for a while longer. */
67
34e3241d
PP
68#ifndef LIBRESSL_VERSION_NUMBER
69# if OPENSSL_VERSION_NUMBER >= 0x010100000L
70# define EXIM_HAVE_OPENSSL_CHECKHOST
8420742d 71# define EXIM_HAVE_OPENSSL_DH_BITS
7a8b9519 72# define EXIM_HAVE_OPENSSL_TLS_METHOD
f20cfa4a 73# define EXIM_HAVE_OPENSSL_KEYLOG
f1be21cf 74# define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
7434882d
JH
75# else
76# define EXIM_NEED_OPENSSL_INIT
34e3241d
PP
77# endif
78# if OPENSSL_VERSION_NUMBER >= 0x010000000L \
2dfb468b 79 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
34e3241d
PP
80# define EXIM_HAVE_OPENSSL_CHECKHOST
81# endif
11aa88b0 82#endif
10ca4f1c 83
11aa88b0
RA
84#if !defined(LIBRESSL_VERSION_NUMBER) \
85 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
10ca4f1c
JH
86# if !defined(OPENSSL_NO_ECDH)
87# if OPENSSL_VERSION_NUMBER >= 0x0090800fL
8442641e 88# define EXIM_HAVE_ECDH
10ca4f1c
JH
89# endif
90# if OPENSSL_VERSION_NUMBER >= 0x10002000L
10ca4f1c
JH
91# define EXIM_HAVE_OPENSSL_EC_NIST2NID
92# endif
93# endif
2dfb468b 94#endif
3bcbbbe2 95
8a40db1c
JH
96#ifndef LIBRESSL_VERSION_NUMBER
97# if OPENSSL_VERSION_NUMBER >= 0x010101000L
98# define OPENSSL_HAVE_KEYLOG_CB
d7f31bb6 99# define OPENSSL_HAVE_NUM_TICKETS
f1be21cf 100# define EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
8a40db1c
JH
101# endif
102#endif
103
67791ce4
JH
104#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
105# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
106# define DISABLE_OCSP
107#endif
108
a6510420
JH
109#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
110# include <openssl/x509v3.h>
111#endif
112
f1be21cf
JH
113#ifndef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
114# ifndef EXIM_HAVE_OPENSSL_CIPHER_GET_ID
115# define SSL_CIPHER_get_id(c) (c->id)
116# endif
dca6d121
JH
117# ifndef MACRO_PREDEF
118# include "tls-cipher-stdname.c"
119# endif
f1be21cf
JH
120#endif
121
8442641e
JH
122/*************************************************
123* OpenSSL option parse *
124*************************************************/
125
126typedef struct exim_openssl_option {
127 uschar *name;
128 long value;
129} exim_openssl_option;
130/* We could use a macro to expand, but we need the ifdef and not all the
131options document which version they were introduced in. Policylet: include
132all options unless explicitly for DTLS, let the administrator choose which
133to apply.
134
135This list is current as of:
136 ==> 1.0.1b <==
137Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
138Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev
139*/
140static exim_openssl_option exim_openssl_options[] = {
141/* KEEP SORTED ALPHABETICALLY! */
142#ifdef SSL_OP_ALL
143 { US"all", SSL_OP_ALL },
144#endif
145#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
146 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
147#endif
148#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
149 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
150#endif
151#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
152 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
153#endif
154#ifdef SSL_OP_EPHEMERAL_RSA
155 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
156#endif
157#ifdef SSL_OP_LEGACY_SERVER_CONNECT
158 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
159#endif
160#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
161 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
162#endif
163#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
164 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
165#endif
166#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
167 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
168#endif
169#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
170 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
171#endif
172#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
173 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
174#endif
175#ifdef SSL_OP_NO_COMPRESSION
176 { US"no_compression", SSL_OP_NO_COMPRESSION },
177#endif
178#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
179 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
180#endif
181#ifdef SSL_OP_NO_SSLv2
182 { US"no_sslv2", SSL_OP_NO_SSLv2 },
183#endif
184#ifdef SSL_OP_NO_SSLv3
185 { US"no_sslv3", SSL_OP_NO_SSLv3 },
186#endif
187#ifdef SSL_OP_NO_TICKET
188 { US"no_ticket", SSL_OP_NO_TICKET },
189#endif
190#ifdef SSL_OP_NO_TLSv1
191 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
192#endif
193#ifdef SSL_OP_NO_TLSv1_1
194#if SSL_OP_NO_TLSv1_1 == 0x00000400L
195 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
196#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
197#else
198 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
199#endif
200#endif
201#ifdef SSL_OP_NO_TLSv1_2
202 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
203#endif
204#ifdef SSL_OP_NO_TLSv1_3
205 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
206#endif
207#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
208 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
209#endif
210#ifdef SSL_OP_SINGLE_DH_USE
211 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
212#endif
213#ifdef SSL_OP_SINGLE_ECDH_USE
214 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
215#endif
216#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
217 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
218#endif
219#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
220 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
221#endif
222#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
223 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
224#endif
225#ifdef SSL_OP_TLS_D5_BUG
226 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
227#endif
228#ifdef SSL_OP_TLS_ROLLBACK_BUG
229 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
230#endif
231};
232
233#ifndef MACRO_PREDEF
234static int exim_openssl_options_size = nelem(exim_openssl_options);
235#endif
236
237#ifdef MACRO_PREDEF
238void
239options_tls(void)
240{
8442641e
JH
241uschar buf[64];
242
d7978c0f 243for (struct exim_openssl_option * o = exim_openssl_options;
8442641e
JH
244 o < exim_openssl_options + nelem(exim_openssl_options); o++)
245 {
246 /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
247 being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
248
249 spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
250 builtin_macro_create(buf);
251 }
252}
253#else
254
255/******************************************************************************/
256
059ec3d9
PH
257/* Structure for collecting random data for seeding. */
258
259typedef struct randstuff {
9e3331ea
TK
260 struct timeval tv;
261 pid_t p;
059ec3d9
PH
262} randstuff;
263
264/* Local static variables */
265
a2ff477a
JH
266static BOOL client_verify_callback_called = FALSE;
267static BOOL server_verify_callback_called = FALSE;
059ec3d9
PH
268static const uschar *sid_ctx = US"exim";
269
d4f09789
PP
270/* We have three different contexts to care about.
271
272Simple case: client, `client_ctx`
273 As a client, we can be doing a callout or cut-through delivery while receiving
274 a message. So we have a client context, which should have options initialised
74f1a423
JH
275 from the SMTP Transport. We may also concurrently want to make TLS connections
276 to utility daemons, so client-contexts are allocated and passed around in call
277 args rather than using a gobal.
d4f09789
PP
278
279Server:
280 There are two cases: with and without ServerNameIndication from the client.
281 Given TLS SNI, we can be using different keys, certs and various other
282 configuration settings, because they're re-expanded with $tls_sni set. This
283 allows vhosting with TLS. This SNI is sent in the handshake.
284 A client might not send SNI, so we need a fallback, and an initial setup too.
285 So as a server, we start out using `server_ctx`.
286 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
287 `server_sni` from `server_ctx` and then initialise settings by re-expanding
288 configuration.
289*/
290
74f1a423
JH
291typedef struct {
292 SSL_CTX * ctx;
293 SSL * ssl;
c09dbcfb 294 gstring * corked;
74f1a423
JH
295} exim_openssl_client_tls_ctx;
296
817d9f57 297static SSL_CTX *server_ctx = NULL;
817d9f57 298static SSL *server_ssl = NULL;
389ca47a 299
35731706 300#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57 301static SSL_CTX *server_sni = NULL;
35731706 302#endif
059ec3d9
PH
303
304static char ssl_errstring[256];
305
306static int ssl_session_timeout = 200;
a2ff477a
JH
307static BOOL client_verify_optional = FALSE;
308static BOOL server_verify_optional = FALSE;
059ec3d9 309
f5d78688 310static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH
311
312
7be682ca
PP
313typedef struct tls_ext_ctx_cb {
314 uschar *certificate;
315 uschar *privatekey;
f5d78688 316 BOOL is_server;
a6510420 317#ifndef DISABLE_OCSP
c3033f13 318 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
f5d78688
JH
319 union {
320 struct {
321 uschar *file;
322 uschar *file_expanded;
323 OCSP_RESPONSE *response;
324 } server;
325 struct {
44662487
JH
326 X509_STORE *verify_store; /* non-null if status requested */
327 BOOL verify_required;
f5d78688
JH
328 } client;
329 } u_ocsp;
3f7eeb86 330#endif
7be682ca
PP
331 uschar *dhparam;
332 /* these are cached from first expand */
333 uschar *server_cipher_list;
334 /* only passed down to tls_error: */
335 host_item *host;
55414b25 336 const uschar * verify_cert_hostnames;
0cbf2b82 337#ifndef DISABLE_EVENT
a7538db1
JH
338 uschar * event_action;
339#endif
7be682ca
PP
340} tls_ext_ctx_cb;
341
342/* should figure out a cleanup of API to handle state preserved per
343implementation, for various reasons, which can be void * in the APIs.
344For now, we hack around it. */
817d9f57
JH
345tls_ext_ctx_cb *client_static_cbinfo = NULL;
346tls_ext_ctx_cb *server_static_cbinfo = NULL;
7be682ca
PP
347
348static int
983207c1 349setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 350 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
059ec3d9 351
3f7eeb86 352/* Callbacks */
3bcbbbe2 353#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f7eeb86 354static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
3bcbbbe2 355#endif
f2de3a33 356#ifndef DISABLE_OCSP
f5d78688 357static int tls_server_stapling_cb(SSL *s, void *arg);
3f7eeb86
PP
358#endif
359
059ec3d9
PH
360
361/*************************************************
362* Handle TLS error *
363*************************************************/
364
365/* Called from lots of places when errors occur before actually starting to do
366the TLS handshake, that is, while the session is still in clear. Always returns
367DEFER for a server and FAIL for a client so that most calls can use "return
368tls_error(...)" to do this processing and then give an appropriate return. A
369single function is used for both server and client, because it is called from
370some shared functions.
371
372Argument:
373 prefix text to include in the logged error
374 host NULL if setting up a server;
375 the connected host if setting up a client
7199e1ee 376 msg error message or NULL if we should ask OpenSSL
cf0c6164 377 errstr pointer to output error message
059ec3d9
PH
378
379Returns: OK/DEFER/FAIL
380*/
381
382static int
cf0c6164 383tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
059ec3d9 384{
c562fd30 385if (!msg)
7199e1ee 386 {
0abc5a13 387 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
cf0c6164 388 msg = US ssl_errstring;
7199e1ee
TF
389 }
390
5a2a0989
JH
391msg = string_sprintf("(%s): %s", prefix, msg);
392DEBUG(D_tls) debug_printf("TLS error '%s'\n", msg);
393if (errstr) *errstr = msg;
cf0c6164 394return host ? FAIL : DEFER;
059ec3d9
PH
395}
396
397
398
399/*************************************************
400* Callback to generate RSA key *
401*************************************************/
402
403/*
404Arguments:
3ae79556 405 s SSL connection (not used)
059ec3d9
PH
406 export not used
407 keylength keylength
408
409Returns: pointer to generated key
410*/
411
412static RSA *
413rsa_callback(SSL *s, int export, int keylength)
414{
415RSA *rsa_key;
c8dfb21d
JH
416#ifdef EXIM_HAVE_RSA_GENKEY_EX
417BIGNUM *bn = BN_new();
418#endif
419
059ec3d9
PH
420export = export; /* Shut picky compilers up */
421DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
c8dfb21d
JH
422
423#ifdef EXIM_HAVE_RSA_GENKEY_EX
424if ( !BN_set_word(bn, (unsigned long)RSA_F4)
f2cb6292 425 || !(rsa_key = RSA_new())
c8dfb21d
JH
426 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
427 )
428#else
23bb6982 429if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
c8dfb21d
JH
430#endif
431
059ec3d9 432 {
0abc5a13 433 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
059ec3d9
PH
434 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
435 ssl_errstring);
436 return NULL;
437 }
438return rsa_key;
439}
440
441
442
f5d78688 443/* Extreme debug
f2de3a33 444#ifndef DISABLE_OCSP
f5d78688
JH
445void
446x509_store_dump_cert_s_names(X509_STORE * store)
447{
448STACK_OF(X509_OBJECT) * roots= store->objs;
f5d78688
JH
449static uschar name[256];
450
d7978c0f 451for (int i= 0; i < sk_X509_OBJECT_num(roots); i++)
f5d78688
JH
452 {
453 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
454 if(tmp_obj->type == X509_LU_X509)
455 {
70e384dd
JH
456 X509_NAME * sn = X509_get_subject_name(tmp_obj->data.x509);
457 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
458 {
459 name[sizeof(name)-1] = '\0';
460 debug_printf(" %s\n", name);
461 }
f5d78688
JH
462 }
463 }
464}
465#endif
466*/
467
059ec3d9 468
0cbf2b82 469#ifndef DISABLE_EVENT
f69979cf
JH
470static int
471verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
472 BOOL *calledp, const BOOL *optionalp, const uschar * what)
473{
474uschar * ev;
475uschar * yield;
476X509 * old_cert;
477
478ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
479if (ev)
480 {
aaba7d03 481 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
f69979cf
JH
482 old_cert = tlsp->peercert;
483 tlsp->peercert = X509_dup(cert);
484 /* NB we do not bother setting peerdn */
485 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
486 {
487 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
488 "depth=%d cert=%s: %s",
489 tlsp == &tls_out ? deliver_host_address : sender_host_address,
490 what, depth, dn, yield);
491 *calledp = TRUE;
492 if (!*optionalp)
493 {
494 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
495 return 1; /* reject (leaving peercert set) */
496 }
497 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
498 "(host in tls_try_verify_hosts)\n");
499 }
500 X509_free(tlsp->peercert);
501 tlsp->peercert = old_cert;
502 }
503return 0;
504}
505#endif
506
059ec3d9
PH
507/*************************************************
508* Callback for verification *
509*************************************************/
510
511/* The SSL library does certificate verification if set up to do so. This
512callback has the current yes/no state is in "state". If verification succeeded,
f69979cf
JH
513we set the certificate-verified flag. If verification failed, what happens
514depends on whether the client is required to present a verifiable certificate
515or not.
059ec3d9
PH
516
517If verification is optional, we change the state to yes, but still log the
518verification error. For some reason (it really would help to have proper
519documentation of OpenSSL), this callback function then gets called again, this
f69979cf
JH
520time with state = 1. We must take care not to set the private verified flag on
521the second time through.
059ec3d9
PH
522
523Note: this function is not called if the client fails to present a certificate
524when asked. We get here only if a certificate has been received. Handling of
525optional verification for this case is done when requesting SSL to verify, by
526setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
527
a7538db1
JH
528May be called multiple times for different issues with a certificate, even
529for a given "depth" in the certificate chain.
530
059ec3d9 531Arguments:
f2f2c91b
JH
532 preverify_ok current yes/no state as 1/0
533 x509ctx certificate information.
534 tlsp per-direction (client vs. server) support data
535 calledp has-been-called flag
536 optionalp verification-is-optional flag
059ec3d9 537
f2f2c91b 538Returns: 0 if verification should fail, otherwise 1
059ec3d9
PH
539*/
540
541static int
70e384dd
JH
542verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
543 tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
059ec3d9 544{
421aff85 545X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
a7538db1 546int depth = X509_STORE_CTX_get_error_depth(x509ctx);
f69979cf 547uschar dn[256];
059ec3d9 548
70e384dd
JH
549if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
550 {
551 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
552 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
553 tlsp == &tls_out ? deliver_host_address : sender_host_address);
554 return 0;
555 }
f69979cf 556dn[sizeof(dn)-1] = '\0';
059ec3d9 557
f2f2c91b 558if (preverify_ok == 0)
059ec3d9 559 {
f77197ae
JH
560 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
561 *verify_mode, sender_host_address)
562 : US"";
563 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
564 tlsp == &tls_out ? deliver_host_address : sender_host_address,
565 extra, depth,
566 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
a2ff477a 567 *calledp = TRUE;
9d1c15ef
JH
568 if (!*optionalp)
569 {
f69979cf
JH
570 if (!tlsp->peercert)
571 tlsp->peercert = X509_dup(cert); /* record failing cert */
572 return 0; /* reject */
9d1c15ef 573 }
059ec3d9
PH
574 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
575 "tls_try_verify_hosts)\n");
059ec3d9
PH
576 }
577
a7538db1 578else if (depth != 0)
059ec3d9 579 {
f69979cf 580 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
f2de3a33 581#ifndef DISABLE_OCSP
f5d78688
JH
582 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
583 { /* client, wanting stapling */
584 /* Add the server cert's signing chain as the one
585 for the verification of the OCSP stapled information. */
94431adb 586
f5d78688 587 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
421aff85 588 cert))
f5d78688 589 ERR_clear_error();
c3033f13 590 sk_X509_push(client_static_cbinfo->verify_stack, cert);
f5d78688
JH
591 }
592#endif
0cbf2b82 593#ifndef DISABLE_EVENT
f69979cf
JH
594 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
595 return 0; /* reject, with peercert set */
a7538db1 596#endif
059ec3d9
PH
597 }
598else
599 {
55414b25 600 const uschar * verify_cert_hostnames;
e51c7be2 601
e51c7be2
JH
602 if ( tlsp == &tls_out
603 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
afdb5e9c 604 /* client, wanting hostname check */
e51c7be2 605 {
f69979cf 606
740f36d4 607#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
f69979cf
JH
608# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
609# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
610# endif
611# ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
612# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
613# endif
e51c7be2 614 int sep = 0;
55414b25 615 const uschar * list = verify_cert_hostnames;
e51c7be2 616 uschar * name;
d8e7834a
JH
617 int rc;
618 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
f40d5be3 619 if ((rc = X509_check_host(cert, CCS name, 0,
8d692470 620 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
740f36d4
JH
621 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
622 NULL)))
d8e7834a
JH
623 {
624 if (rc < 0)
625 {
93a6fce2 626 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
f77197ae 627 tlsp == &tls_out ? deliver_host_address : sender_host_address);
d8e7834a
JH
628 name = NULL;
629 }
e51c7be2 630 break;
d8e7834a 631 }
e51c7be2 632 if (!name)
f69979cf 633#else
e51c7be2 634 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
f69979cf 635#endif
e51c7be2 636 {
f77197ae
JH
637 uschar * extra = verify_mode
638 ? string_sprintf(" (during %c-verify for [%s])",
639 *verify_mode, sender_host_address)
640 : US"";
e51c7be2 641 log_write(0, LOG_MAIN,
f77197ae
JH
642 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
643 tlsp == &tls_out ? deliver_host_address : sender_host_address,
644 extra, dn, verify_cert_hostnames);
a3ef7310
JH
645 *calledp = TRUE;
646 if (!*optionalp)
f69979cf
JH
647 {
648 if (!tlsp->peercert)
649 tlsp->peercert = X509_dup(cert); /* record failing cert */
650 return 0; /* reject */
651 }
a3ef7310
JH
652 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
653 "tls_try_verify_hosts)\n");
e51c7be2 654 }
f69979cf 655 }
e51c7be2 656
0cbf2b82 657#ifndef DISABLE_EVENT
f69979cf
JH
658 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
659 return 0; /* reject, with peercert set */
e51c7be2
JH
660#endif
661
93dcb1c2 662 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
f69979cf 663 *calledp ? "" : " authenticated", dn);
93dcb1c2
JH
664 if (!*calledp) tlsp->certificate_verified = TRUE;
665 *calledp = TRUE;
059ec3d9
PH
666 }
667
a7538db1 668return 1; /* accept, at least for this level */
059ec3d9
PH
669}
670
a2ff477a 671static int
f2f2c91b 672verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 673{
f2f2c91b
JH
674return verify_callback(preverify_ok, x509ctx, &tls_out,
675 &client_verify_callback_called, &client_verify_optional);
a2ff477a
JH
676}
677
678static int
f2f2c91b 679verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 680{
f2f2c91b
JH
681return verify_callback(preverify_ok, x509ctx, &tls_in,
682 &server_verify_callback_called, &server_verify_optional);
a2ff477a
JH
683}
684
059ec3d9 685
c0635b6d 686#ifdef SUPPORT_DANE
53a7196b 687
e5cccda9
JH
688/* This gets called *by* the dane library verify callback, which interposes
689itself.
690*/
691static int
f2f2c91b 692verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
e5cccda9
JH
693{
694X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
f69979cf 695uschar dn[256];
83b27293 696int depth = X509_STORE_CTX_get_error_depth(x509ctx);
5c75db2e 697#ifndef DISABLE_EVENT
f69979cf 698BOOL dummy_called, optional = FALSE;
83b27293 699#endif
e5cccda9 700
70e384dd
JH
701if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
702 {
703 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
704 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
705 deliver_host_address);
706 return 0;
707 }
f69979cf 708dn[sizeof(dn)-1] = '\0';
e5cccda9 709
f2f2c91b
JH
710DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
711 preverify_ok ? "ok":"BAD", depth, dn);
e5cccda9 712
0cbf2b82 713#ifndef DISABLE_EVENT
f69979cf
JH
714 if (verify_event(&tls_out, cert, depth, dn,
715 &dummy_called, &optional, US"DANE"))
716 return 0; /* reject, with peercert set */
83b27293
JH
717#endif
718
f2f2c91b 719if (preverify_ok == 1)
6fbf3599
JH
720 {
721 tls_out.dane_verified = tls_out.certificate_verified = TRUE;
722#ifndef DISABLE_OCSP
723 if (client_static_cbinfo->u_ocsp.client.verify_store)
724 { /* client, wanting stapling */
725 /* Add the server cert's signing chain as the one
726 for the verification of the OCSP stapled information. */
727
728 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
729 cert))
730 ERR_clear_error();
731 sk_X509_push(client_static_cbinfo->verify_stack, cert);
732 }
733#endif
734 }
f2f2c91b
JH
735else
736 {
737 int err = X509_STORE_CTX_get_error(x509ctx);
738 DEBUG(D_tls)
739 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
3c51463e 740 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
f2f2c91b
JH
741 preverify_ok = 1;
742 }
743return preverify_ok;
e5cccda9 744}
53a7196b 745
c0635b6d 746#endif /*SUPPORT_DANE*/
e5cccda9 747
059ec3d9
PH
748
749/*************************************************
750* Information callback *
751*************************************************/
752
753/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP
754are doing. We copy the string to the debugging output when TLS debugging has
755been requested.
059ec3d9
PH
756
757Arguments:
758 s the SSL connection
759 where
760 ret
761
762Returns: nothing
763*/
764
765static void
766info_callback(SSL *s, int where, int ret)
767{
0abc5a13
JH
768DEBUG(D_tls)
769 {
770 const uschar * str;
771
772 if (where & SSL_ST_CONNECT)
48224640 773 str = US"SSL_connect";
0abc5a13 774 else if (where & SSL_ST_ACCEPT)
48224640 775 str = US"SSL_accept";
0abc5a13 776 else
48224640 777 str = US"SSL info (undefined)";
0abc5a13
JH
778
779 if (where & SSL_CB_LOOP)
780 debug_printf("%s: %s\n", str, SSL_state_string_long(s));
781 else if (where & SSL_CB_ALERT)
782 debug_printf("SSL3 alert %s:%s:%s\n",
48224640 783 str = where & SSL_CB_READ ? US"read" : US"write",
0abc5a13
JH
784 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
785 else if (where & SSL_CB_EXIT)
786 if (ret == 0)
787 debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s));
788 else if (ret < 0)
789 debug_printf("%s: error in %s\n", str, SSL_state_string_long(s));
790 else if (where & SSL_CB_HANDSHAKE_START)
791 debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s));
792 else if (where & SSL_CB_HANDSHAKE_DONE)
793 debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s));
794 }
059ec3d9
PH
795}
796
8238bc7b 797#ifdef OPENSSL_HAVE_KEYLOG_CB
8a40db1c
JH
798static void
799keylog_callback(const SSL *ssl, const char *line)
800{
801DEBUG(D_tls) debug_printf("%.200s\n", line);
802}
8238bc7b 803#endif
8a40db1c 804
059ec3d9
PH
805
806
807/*************************************************
808* Initialize for DH *
809*************************************************/
810
811/* If dhparam is set, expand it, and load up the parameters for DH encryption.
812
813Arguments:
038597d2 814 sctx The current SSL CTX (inbound or outbound)
a799883d 815 dhparam DH parameter file or fixed parameter identity string
7199e1ee 816 host connected host, if client; NULL if server
cf0c6164 817 errstr error string pointer
059ec3d9
PH
818
819Returns: TRUE if OK (nothing to set up, or setup worked)
820*/
821
822static BOOL
cf0c6164 823init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
059ec3d9 824{
059ec3d9
PH
825BIO *bio;
826DH *dh;
827uschar *dhexpanded;
a799883d 828const char *pem;
6600985a 829int dh_bitsize;
059ec3d9 830
cf0c6164 831if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
059ec3d9
PH
832 return FALSE;
833
0df4ab80 834if (!dhexpanded || !*dhexpanded)
a799883d 835 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
a799883d 836else if (dhexpanded[0] == '/')
059ec3d9 837 {
0df4ab80 838 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
059ec3d9 839 {
7199e1ee 840 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
cf0c6164 841 host, US strerror(errno), errstr);
a799883d 842 return FALSE;
059ec3d9 843 }
a799883d
PP
844 }
845else
846 {
847 if (Ustrcmp(dhexpanded, "none") == 0)
059ec3d9 848 {
a799883d
PP
849 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
850 return TRUE;
059ec3d9 851 }
a799883d 852
0df4ab80 853 if (!(pem = std_dh_prime_named(dhexpanded)))
a799883d
PP
854 {
855 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
cf0c6164 856 host, US strerror(errno), errstr);
a799883d
PP
857 return FALSE;
858 }
859 bio = BIO_new_mem_buf(CS pem, -1);
860 }
861
0df4ab80 862if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
a799883d 863 {
059ec3d9 864 BIO_free(bio);
a799883d 865 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
cf0c6164 866 host, NULL, errstr);
a799883d
PP
867 return FALSE;
868 }
869
6600985a
PP
870/* note: our default limit of 2236 is not a multiple of 8; the limit comes from
871 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
872 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
873 * If someone wants to dance at the edge, then they can raise the limit or use
874 * current libraries. */
875#ifdef EXIM_HAVE_OPENSSL_DH_BITS
876/* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
877 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
878dh_bitsize = DH_bits(dh);
879#else
880dh_bitsize = 8 * DH_size(dh);
881#endif
882
a799883d
PP
883/* Even if it is larger, we silently return success rather than cause things
884 * to fail out, so that a too-large DH will not knock out all TLS; it's a
885 * debatable choice. */
6600985a 886if (dh_bitsize > tls_dh_max_bits)
a799883d
PP
887 {
888 DEBUG(D_tls)
170f4904 889 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
6600985a 890 dh_bitsize, tls_dh_max_bits);
a799883d
PP
891 }
892else
893 {
894 SSL_CTX_set_tmp_dh(sctx, dh);
895 DEBUG(D_tls)
896 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
6600985a 897 dhexpanded ? dhexpanded : US"default", dh_bitsize);
059ec3d9
PH
898 }
899
a799883d
PP
900DH_free(dh);
901BIO_free(bio);
902
903return TRUE;
059ec3d9
PH
904}
905
906
907
908
038597d2
PP
909/*************************************************
910* Initialize for ECDH *
911*************************************************/
912
913/* Load parameters for ECDH encryption.
914
915For now, we stick to NIST P-256 because: it's simple and easy to configure;
916it avoids any patent issues that might bite redistributors; despite events in
917the news and concerns over curve choices, we're not cryptographers, we're not
918pretending to be, and this is "good enough" to be better than no support,
919protecting against most adversaries. Given another year or two, there might
920be sufficient clarity about a "right" way forward to let us make an informed
921decision, instead of a knee-jerk reaction.
922
923Longer-term, we should look at supporting both various named curves and
924external files generated with "openssl ecparam", much as we do for init_dh().
925We should also support "none" as a value, to explicitly avoid initialisation.
926
927Patches welcome.
928
929Arguments:
930 sctx The current SSL CTX (inbound or outbound)
931 host connected host, if client; NULL if server
cf0c6164 932 errstr error string pointer
038597d2
PP
933
934Returns: TRUE if OK (nothing to set up, or setup worked)
935*/
936
937static BOOL
cf0c6164 938init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
038597d2 939{
63f0dbe0
JH
940#ifdef OPENSSL_NO_ECDH
941return TRUE;
942#else
943
10ca4f1c
JH
944EC_KEY * ecdh;
945uschar * exp_curve;
946int nid;
947BOOL rv;
948
038597d2
PP
949if (host) /* No ECDH setup for clients, only for servers */
950 return TRUE;
951
10ca4f1c 952# ifndef EXIM_HAVE_ECDH
038597d2
PP
953DEBUG(D_tls)
954 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
955return TRUE;
038597d2 956# else
10ca4f1c 957
cf0c6164 958if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
10ca4f1c
JH
959 return FALSE;
960if (!exp_curve || !*exp_curve)
961 return TRUE;
962
8e53a4fc 963/* "auto" needs to be handled carefully.
4c04137d 964 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
8e53a4fc 965 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
4c04137d 966 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
8e53a4fc
HSHR
967 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
968 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
969 */
10ca4f1c 970if (Ustrcmp(exp_curve, "auto") == 0)
038597d2 971 {
8e53a4fc 972#if OPENSSL_VERSION_NUMBER < 0x10002000L
10ca4f1c 973 DEBUG(D_tls) debug_printf(
8e53a4fc 974 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
78a3bbd5 975 exp_curve = US"prime256v1";
8e53a4fc
HSHR
976#else
977# if defined SSL_CTRL_SET_ECDH_AUTO
978 DEBUG(D_tls) debug_printf(
979 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
10ca4f1c
JH
980 SSL_CTX_set_ecdh_auto(sctx, 1);
981 return TRUE;
8e53a4fc
HSHR
982# else
983 DEBUG(D_tls) debug_printf(
984 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
985 return TRUE;
986# endif
987#endif
10ca4f1c 988 }
038597d2 989
10ca4f1c
JH
990DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
991if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
992# ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
993 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
994# endif
995 )
996 {
cf0c6164
JH
997 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
998 host, NULL, errstr);
10ca4f1c
JH
999 return FALSE;
1000 }
038597d2 1001
10ca4f1c
JH
1002if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
1003 {
cf0c6164 1004 tls_error(US"Unable to create ec curve", host, NULL, errstr);
10ca4f1c 1005 return FALSE;
038597d2 1006 }
10ca4f1c
JH
1007
1008/* The "tmp" in the name here refers to setting a temporary key
1009not to the stability of the interface. */
1010
1011if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
cf0c6164 1012 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
10ca4f1c
JH
1013else
1014 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
1015
1016EC_KEY_free(ecdh);
1017return !rv;
1018
1019# endif /*EXIM_HAVE_ECDH*/
1020#endif /*OPENSSL_NO_ECDH*/
038597d2
PP
1021}
1022
1023
1024
1025
f2de3a33 1026#ifndef DISABLE_OCSP
3f7eeb86
PP
1027/*************************************************
1028* Load OCSP information into state *
1029*************************************************/
f5d78688 1030/* Called to load the server OCSP response from the given file into memory, once
3f7eeb86
PP
1031caller has determined this is needed. Checks validity. Debugs a message
1032if invalid.
1033
1034ASSUMES: single response, for single cert.
1035
1036Arguments:
1037 sctx the SSL_CTX* to update
1038 cbinfo various parts of session state
1039 expanded the filename putatively holding an OCSP response
1040
1041*/
1042
1043static void
f5d78688 1044ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
3f7eeb86 1045{
ee5b1e28
JH
1046BIO * bio;
1047OCSP_RESPONSE * resp;
1048OCSP_BASICRESP * basic_response;
1049OCSP_SINGLERESP * single_response;
1050ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
ee5b1e28 1051STACK_OF(X509) * sk;
3f7eeb86
PP
1052unsigned long verify_flags;
1053int status, reason, i;
1054
f5d78688
JH
1055cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
1056if (cbinfo->u_ocsp.server.response)
3f7eeb86 1057 {
f5d78688
JH
1058 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
1059 cbinfo->u_ocsp.server.response = NULL;
3f7eeb86
PP
1060 }
1061
ee5b1e28 1062if (!(bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb")))
3f7eeb86
PP
1063 {
1064 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
f5d78688 1065 cbinfo->u_ocsp.server.file_expanded);
3f7eeb86
PP
1066 return;
1067 }
1068
1069resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
1070BIO_free(bio);
1071if (!resp)
1072 {
1073 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
1074 return;
1075 }
1076
ee5b1e28 1077if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
3f7eeb86
PP
1078 {
1079 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
1080 OCSP_response_status_str(status), status);
f5d78688 1081 goto bad;
3f7eeb86
PP
1082 }
1083
ee5b1e28 1084if (!(basic_response = OCSP_response_get1_basic(resp)))
3f7eeb86
PP
1085 {
1086 DEBUG(D_tls)
1087 debug_printf("OCSP response parse error: unable to extract basic response.\n");
f5d78688 1088 goto bad;
3f7eeb86
PP
1089 }
1090
c3033f13 1091sk = cbinfo->verify_stack;
3f7eeb86
PP
1092verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
1093
1094/* May need to expose ability to adjust those flags?
1095OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
1096OCSP_TRUSTOTHER OCSP_NOINTERN */
1097
4c04137d 1098/* This does a full verify on the OCSP proof before we load it for serving
ee5b1e28
JH
1099up; possibly overkill - just date-checks might be nice enough.
1100
1101OCSP_basic_verify takes a "store" arg, but does not
1102use it for the chain verification, which is all we do
1103when OCSP_NOVERIFY is set. The content from the wire
1104"basic_response" and a cert-stack "sk" are all that is used.
1105
c3033f13
JH
1106We have a stack, loaded in setup_certs() if tls_verify_certificates
1107was a file (not a directory, or "system"). It is unfortunate we
1108cannot used the connection context store, as that would neatly
1109handle the "system" case too, but there seems to be no library
1110function for getting a stack from a store.
e3555426 1111[ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
c3033f13
JH
1112We do not free the stack since it could be needed a second time for
1113SNI handling.
1114
4c04137d 1115Separately we might try to replace using OCSP_basic_verify() - which seems to not
5ec37a55 1116be a public interface into the OpenSSL library (there's no manual entry) -
ee5b1e28 1117But what with? We also use OCSP_basic_verify in the client stapling callback.
4c04137d 1118And there we NEED it; we must verify that status... unless the
ee5b1e28
JH
1119library does it for us anyway? */
1120
1121if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
3f7eeb86 1122 {
ee5b1e28
JH
1123 DEBUG(D_tls)
1124 {
0abc5a13 1125 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3f7eeb86 1126 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
f5d78688
JH
1127 }
1128 goto bad;
3f7eeb86
PP
1129 }
1130
1131/* Here's the simplifying assumption: there's only one response, for the
1132one certificate we use, and nothing for anything else in a chain. If this
1133proves false, we need to extract a cert id from our issued cert
1134(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
1135right cert in the stack and then calls OCSP_single_get0_status()).
1136
1137I'm hoping to avoid reworking a bunch more of how we handle state here. */
ee5b1e28
JH
1138
1139if (!(single_response = OCSP_resp_get0(basic_response, 0)))
3f7eeb86
PP
1140 {
1141 DEBUG(D_tls)
1142 debug_printf("Unable to get first response from OCSP basic response.\n");
f5d78688 1143 goto bad;
3f7eeb86
PP
1144 }
1145
1146status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
f5d78688 1147if (status != V_OCSP_CERTSTATUS_GOOD)
3f7eeb86 1148 {
f5d78688
JH
1149 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
1150 OCSP_cert_status_str(status), status,
1151 OCSP_crl_reason_str(reason), reason);
1152 goto bad;
3f7eeb86
PP
1153 }
1154
1155if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1156 {
1157 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
f5d78688 1158 goto bad;
3f7eeb86
PP
1159 }
1160
f5d78688 1161supply_response:
47195144 1162 cbinfo->u_ocsp.server.response = resp; /*XXX stack?*/
f5d78688
JH
1163return;
1164
1165bad:
8768d548 1166 if (f.running_in_test_harness)
018058b2
JH
1167 {
1168 extern char ** environ;
d7978c0f 1169 if (environ) for (uschar ** p = USS environ; *p; p++)
018058b2
JH
1170 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1171 {
1172 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
1173 goto supply_response;
1174 }
1175 }
f5d78688 1176return;
3f7eeb86 1177}
f2de3a33 1178#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
1179
1180
1181
1182
23bb6982
JH
1183/* Create and install a selfsigned certificate, for use in server mode */
1184
1185static int
cf0c6164 1186tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
23bb6982
JH
1187{
1188X509 * x509 = NULL;
1189EVP_PKEY * pkey;
1190RSA * rsa;
1191X509_NAME * name;
1192uschar * where;
1193
1194where = US"allocating pkey";
1195if (!(pkey = EVP_PKEY_new()))
1196 goto err;
1197
1198where = US"allocating cert";
1199if (!(x509 = X509_new()))
1200 goto err;
1201
1202where = US"generating pkey";
6aac3239 1203if (!(rsa = rsa_callback(NULL, 0, 2048)))
23bb6982
JH
1204 goto err;
1205
4c04137d 1206where = US"assigning pkey";
23bb6982
JH
1207if (!EVP_PKEY_assign_RSA(pkey, rsa))
1208 goto err;
1209
1210X509_set_version(x509, 2); /* N+1 - version 3 */
1613fd68 1211ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
23bb6982
JH
1212X509_gmtime_adj(X509_get_notBefore(x509), 0);
1213X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
1214X509_set_pubkey(x509, pkey);
1215
1216name = X509_get_subject_name(x509);
1217X509_NAME_add_entry_by_txt(name, "C",
4dc2379a 1218 MBSTRING_ASC, CUS "UK", -1, -1, 0);
23bb6982 1219X509_NAME_add_entry_by_txt(name, "O",
4dc2379a 1220 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
23bb6982 1221X509_NAME_add_entry_by_txt(name, "CN",
4dc2379a 1222 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
23bb6982
JH
1223X509_set_issuer_name(x509, name);
1224
1225where = US"signing cert";
1226if (!X509_sign(x509, pkey, EVP_md5()))
1227 goto err;
1228
1229where = US"installing selfsign cert";
1230if (!SSL_CTX_use_certificate(sctx, x509))
1231 goto err;
1232
1233where = US"installing selfsign key";
1234if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1235 goto err;
1236
1237return OK;
1238
1239err:
cf0c6164 1240 (void) tls_error(where, NULL, NULL, errstr);
23bb6982
JH
1241 if (x509) X509_free(x509);
1242 if (pkey) EVP_PKEY_free(pkey);
1243 return DEFER;
1244}
1245
1246
1247
1248
ba86e143
JH
1249static int
1250tls_add_certfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1251 uschar ** errstr)
1252{
1253DEBUG(D_tls) debug_printf("tls_certificate file %s\n", file);
1254if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1255 return tls_error(string_sprintf(
1256 "SSL_CTX_use_certificate_chain_file file=%s", file),
1257 cbinfo->host, NULL, errstr);
1258return 0;
1259}
1260
1261static int
1262tls_add_pkeyfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1263 uschar ** errstr)
1264{
1265DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", file);
1266if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1267 return tls_error(string_sprintf(
1268 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1269return 0;
1270}
1271
1272
059ec3d9 1273/*************************************************
7be682ca
PP
1274* Expand key and cert file specs *
1275*************************************************/
1276
f5d78688 1277/* Called once during tls_init and possibly again during TLS setup, for a
7be682ca
PP
1278new context, if Server Name Indication was used and tls_sni was seen in
1279the certificate string.
1280
1281Arguments:
1282 sctx the SSL_CTX* to update
1283 cbinfo various parts of session state
cf0c6164 1284 errstr error string pointer
7be682ca
PP
1285
1286Returns: OK/DEFER/FAIL
1287*/
1288
1289static int
cf0c6164
JH
1290tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo,
1291 uschar ** errstr)
7be682ca
PP
1292{
1293uschar *expanded;
1294
23bb6982 1295if (!cbinfo->certificate)
7be682ca 1296 {
ba86e143 1297 if (!cbinfo->is_server) /* client */
23bb6982 1298 return OK;
afdb5e9c 1299 /* server */
cf0c6164 1300 if (tls_install_selfsign(sctx, errstr) != OK)
23bb6982 1301 return DEFER;
7be682ca 1302 }
23bb6982
JH
1303else
1304 {
ba86e143
JH
1305 int err;
1306
23bb6982
JH
1307 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
1308 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
1309 Ustrstr(cbinfo->certificate, US"tls_out_sni")
1310 )
1311 reexpand_tls_files_for_sni = TRUE;
7be682ca 1312
cf0c6164 1313 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
23bb6982
JH
1314 return DEFER;
1315
ba86e143
JH
1316 if (expanded)
1317 if (cbinfo->is_server)
1318 {
1319 const uschar * file_list = expanded;
1320 int sep = 0;
1321 uschar * file;
1322
1323 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1324 if ((err = tls_add_certfile(sctx, cbinfo, file, errstr)))
1325 return err;
1326 }
1327 else /* would there ever be a need for multiple client certs? */
1328 if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
1329 return err;
7be682ca 1330
5a2a0989
JH
1331 if ( cbinfo->privatekey
1332 && !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
23bb6982 1333 return DEFER;
7be682ca 1334
23bb6982
JH
1335 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1336 of the expansion is an empty string, ignore it also, and assume the private
1337 key is in the same file as the certificate. */
1338
1339 if (expanded && *expanded)
ba86e143
JH
1340 if (cbinfo->is_server)
1341 {
1342 const uschar * file_list = expanded;
1343 int sep = 0;
1344 uschar * file;
1345
1346 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1347 if ((err = tls_add_pkeyfile(sctx, cbinfo, file, errstr)))
1348 return err;
1349 }
1350 else /* would there ever be a need for multiple client certs? */
1351 if ((err = tls_add_pkeyfile(sctx, cbinfo, expanded, errstr)))
1352 return err;
7be682ca
PP
1353 }
1354
f2de3a33 1355#ifndef DISABLE_OCSP
f40d5be3 1356if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
3f7eeb86 1357 {
47195144 1358 /*XXX stack*/
cf0c6164 1359 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded, errstr))
3f7eeb86
PP
1360 return DEFER;
1361
f40d5be3 1362 if (expanded && *expanded)
3f7eeb86
PP
1363 {
1364 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
f40d5be3
JH
1365 if ( cbinfo->u_ocsp.server.file_expanded
1366 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
3f7eeb86 1367 {
f40d5be3
JH
1368 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1369 }
1370 else
f40d5be3 1371 ocsp_load_response(sctx, cbinfo, expanded);
3f7eeb86
PP
1372 }
1373 }
1374#endif
1375
7be682ca
PP
1376return OK;
1377}
1378
1379
1380
1381
1382/*************************************************
1383* Callback to handle SNI *
1384*************************************************/
1385
1386/* Called when acting as server during the TLS session setup if a Server Name
1387Indication extension was sent by the client.
1388
1389API documentation is OpenSSL s_server.c implementation.
1390
1391Arguments:
1392 s SSL* of the current session
1393 ad unknown (part of OpenSSL API) (unused)
1394 arg Callback of "our" registered data
1395
1396Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
1397*/
1398
3bcbbbe2 1399#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca 1400static int
7be682ca
PP
1401tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1402{
1403const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3f7eeb86 1404tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
7be682ca 1405int rc;
3f0945ff 1406int old_pool = store_pool;
cf0c6164 1407uschar * dummy_errstr;
7be682ca
PP
1408
1409if (!servername)
1410 return SSL_TLSEXT_ERR_OK;
1411
3f0945ff 1412DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
7be682ca
PP
1413 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1414
1415/* Make the extension value available for expansion */
3f0945ff 1416store_pool = POOL_PERM;
817d9f57 1417tls_in.sni = string_copy(US servername);
3f0945ff 1418store_pool = old_pool;
7be682ca
PP
1419
1420if (!reexpand_tls_files_for_sni)
1421 return SSL_TLSEXT_ERR_OK;
1422
1423/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1424not confident that memcpy wouldn't break some internal reference counting.
1425Especially since there's a references struct member, which would be off. */
1426
7a8b9519
JH
1427#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1428if (!(server_sni = SSL_CTX_new(TLS_server_method())))
1429#else
0df4ab80 1430if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
7a8b9519 1431#endif
7be682ca 1432 {
0abc5a13 1433 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
7be682ca 1434 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
5a2a0989 1435 goto bad;
7be682ca
PP
1436 }
1437
1438/* Not sure how many of these are actually needed, since SSL object
1439already exists. Might even need this selfsame callback, for reneg? */
1440
817d9f57
JH
1441SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1442SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1443SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1444SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1445SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1446SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
038597d2 1447
cf0c6164
JH
1448if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1449 || !init_ecdh(server_sni, NULL, &dummy_errstr)
038597d2 1450 )
5a2a0989 1451 goto bad;
038597d2 1452
ca954d7f
JH
1453if ( cbinfo->server_cipher_list
1454 && !SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list))
5a2a0989 1455 goto bad;
ca954d7f 1456
f2de3a33 1457#ifndef DISABLE_OCSP
f5d78688 1458if (cbinfo->u_ocsp.server.file)
3f7eeb86 1459 {
f5d78688 1460 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
14c7b357 1461 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
3f7eeb86
PP
1462 }
1463#endif
7be682ca 1464
c3033f13 1465if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
cf0c6164 1466 verify_callback_server, &dummy_errstr)) != OK)
5a2a0989 1467 goto bad;
7be682ca 1468
3f7eeb86
PP
1469/* do this after setup_certs, because this can require the certs for verifying
1470OCSP information. */
cf0c6164 1471if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
5a2a0989 1472 goto bad;
a799883d 1473
7be682ca 1474DEBUG(D_tls) debug_printf("Switching SSL context.\n");
817d9f57 1475SSL_set_SSL_CTX(s, server_sni);
7be682ca 1476return SSL_TLSEXT_ERR_OK;
5a2a0989
JH
1477
1478bad: return SSL_TLSEXT_ERR_ALERT_FATAL;
7be682ca 1479}
3bcbbbe2 1480#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
7be682ca
PP
1481
1482
1483
1484
f2de3a33 1485#ifndef DISABLE_OCSP
f5d78688 1486
3f7eeb86
PP
1487/*************************************************
1488* Callback to handle OCSP Stapling *
1489*************************************************/
1490
1491/* Called when acting as server during the TLS session setup if the client
1492requests OCSP information with a Certificate Status Request.
1493
1494Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1495project.
1496
1497*/
1498
1499static int
f5d78688 1500tls_server_stapling_cb(SSL *s, void *arg)
3f7eeb86
PP
1501{
1502const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
47195144 1503uschar *response_der; /*XXX blob */
3f7eeb86
PP
1504int response_der_len;
1505
47195144
JH
1506/*XXX stack: use SSL_get_certificate() to see which cert; from that work
1507out which ocsp blob to send. Unfortunately, SSL_get_certificate is known
1508buggy in current OpenSSL; it returns the last cert loaded always rather than
1509the one actually presented. So we can't support a stack of OCSP proofs at
1510this time. */
1511
af4a1bca 1512DEBUG(D_tls)
b3ef41c9 1513 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
f5d78688
JH
1514 cbinfo->u_ocsp.server.response ? "have" : "lack");
1515
44662487 1516tls_in.ocsp = OCSP_NOT_RESP;
f5d78688 1517if (!cbinfo->u_ocsp.server.response)
3f7eeb86
PP
1518 return SSL_TLSEXT_ERR_NOACK;
1519
1520response_der = NULL;
47195144 1521response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, /*XXX stack*/
44662487 1522 &response_der);
3f7eeb86
PP
1523if (response_der_len <= 0)
1524 return SSL_TLSEXT_ERR_NOACK;
1525
5e55c7a9 1526SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
44662487 1527tls_in.ocsp = OCSP_VFIED;
3f7eeb86
PP
1528return SSL_TLSEXT_ERR_OK;
1529}
1530
3f7eeb86 1531
f5d78688
JH
1532static void
1533time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1534{
1535BIO_printf(bp, "\t%s: ", str);
1536ASN1_GENERALIZEDTIME_print(bp, time);
1537BIO_puts(bp, "\n");
1538}
1539
1540static int
1541tls_client_stapling_cb(SSL *s, void *arg)
1542{
1543tls_ext_ctx_cb * cbinfo = arg;
1544const unsigned char * p;
1545int len;
1546OCSP_RESPONSE * rsp;
1547OCSP_BASICRESP * bs;
1548int i;
1549
1550DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1551len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1552if(!p)
1553 {
44662487 1554 /* Expect this when we requested ocsp but got none */
6c6d6e48 1555 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
44662487 1556 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
f5d78688
JH
1557 else
1558 DEBUG(D_tls) debug_printf(" null\n");
44662487 1559 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688 1560 }
018058b2 1561
f5d78688
JH
1562if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1563 {
018058b2 1564 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1565 if (LOGGING(tls_cipher))
1eca31ca 1566 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
f5d78688
JH
1567 else
1568 DEBUG(D_tls) debug_printf(" parse error\n");
1569 return 0;
1570 }
1571
1572if(!(bs = OCSP_response_get1_basic(rsp)))
1573 {
018058b2 1574 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1575 if (LOGGING(tls_cipher))
1eca31ca 1576 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
f5d78688
JH
1577 else
1578 DEBUG(D_tls) debug_printf(" error parsing response\n");
1579 OCSP_RESPONSE_free(rsp);
1580 return 0;
1581 }
1582
1583/* We'd check the nonce here if we'd put one in the request. */
1584/* However that would defeat cacheability on the server so we don't. */
1585
f5d78688
JH
1586/* This section of code reworked from OpenSSL apps source;
1587 The OpenSSL Project retains copyright:
1588 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1589*/
1590 {
1591 BIO * bp = NULL;
f5d78688
JH
1592 int status, reason;
1593 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1594
57887ecc 1595 DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
f5d78688
JH
1596
1597 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1598
1599 /* Use the chain that verified the server cert to verify the stapled info */
1600 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1601
c3033f13 1602 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
44662487 1603 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
f5d78688 1604 {
018058b2 1605 tls_out.ocsp = OCSP_FAILED;
57887ecc
JH
1606 if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
1607 "Received TLS cert status response, itself unverifiable: %s",
1608 ERR_reason_error_string(ERR_peek_error()));
f5d78688
JH
1609 BIO_printf(bp, "OCSP response verify failure\n");
1610 ERR_print_errors(bp);
57887ecc 1611 OCSP_RESPONSE_print(bp, rsp, 0);
c8dfb21d 1612 goto failed;
f5d78688
JH
1613 }
1614
1615 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1616
c8dfb21d
JH
1617 /*XXX So we have a good stapled OCSP status. How do we know
1618 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1619 OCSP_resp_find_status() which matches on a cert id, which presumably
1620 we should use. Making an id needs OCSP_cert_id_new(), which takes
1621 issuerName, issuerKey, serialNumber. Are they all in the cert?
1622
1623 For now, carry on blindly accepting the resp. */
1624
f5d78688 1625 {
f5d78688
JH
1626 OCSP_SINGLERESP * single;
1627
c8dfb21d
JH
1628#ifdef EXIM_HAVE_OCSP_RESP_COUNT
1629 if (OCSP_resp_count(bs) != 1)
1630#else
1631 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
f5d78688 1632 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
c8dfb21d 1633#endif
f5d78688 1634 {
018058b2 1635 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1636 log_write(0, LOG_MAIN, "OCSP stapling "
1637 "with multiple responses not handled");
c8dfb21d 1638 goto failed;
f5d78688
JH
1639 }
1640 single = OCSP_resp_get0(bs, 0);
44662487
JH
1641 status = OCSP_single_get0_status(single, &reason, &rev,
1642 &thisupd, &nextupd);
f5d78688
JH
1643 }
1644
f5d78688
JH
1645 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1646 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
44662487
JH
1647 if (!OCSP_check_validity(thisupd, nextupd,
1648 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
f5d78688 1649 {
018058b2 1650 tls_out.ocsp = OCSP_FAILED;
f5d78688
JH
1651 DEBUG(D_tls) ERR_print_errors(bp);
1652 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
f5d78688 1653 }
44662487 1654 else
f5d78688 1655 {
44662487
JH
1656 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1657 OCSP_cert_status_str(status));
1658 switch(status)
1659 {
1660 case V_OCSP_CERTSTATUS_GOOD:
44662487 1661 tls_out.ocsp = OCSP_VFIED;
018058b2 1662 i = 1;
c8dfb21d 1663 goto good;
44662487 1664 case V_OCSP_CERTSTATUS_REVOKED:
018058b2 1665 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1666 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1667 reason != -1 ? "; reason: " : "",
1668 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1669 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
44662487
JH
1670 break;
1671 default:
018058b2 1672 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1673 log_write(0, LOG_MAIN,
1674 "Server certificate status unknown, in OCSP stapling");
44662487
JH
1675 break;
1676 }
f5d78688 1677 }
c8dfb21d
JH
1678 failed:
1679 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1680 good:
f5d78688
JH
1681 BIO_free(bp);
1682 }
1683
1684OCSP_RESPONSE_free(rsp);
1685return i;
1686}
f2de3a33 1687#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
1688
1689
7be682ca 1690/*************************************************
059ec3d9
PH
1691* Initialize for TLS *
1692*************************************************/
1693
e51c7be2
JH
1694/* Called from both server and client code, to do preliminary initialization
1695of the library. We allocate and return a context structure.
059ec3d9
PH
1696
1697Arguments:
946ecbe0 1698 ctxp returned SSL context
059ec3d9
PH
1699 host connected host, if client; NULL if server
1700 dhparam DH parameter file
1701 certificate certificate file
1702 privatekey private key
f5d78688 1703 ocsp_file file of stapling info (server); flag for require ocsp (client)
059ec3d9 1704 addr address if client; NULL if server (for some randomness)
946ecbe0 1705 cbp place to put allocated callback context
cf0c6164 1706 errstr error string pointer
059ec3d9
PH
1707
1708Returns: OK/DEFER/FAIL
1709*/
1710
1711static int
817d9f57 1712tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
3f7eeb86 1713 uschar *privatekey,
f2de3a33 1714#ifndef DISABLE_OCSP
47195144 1715 uschar *ocsp_file, /*XXX stack, in server*/
3f7eeb86 1716#endif
cf0c6164 1717 address_item *addr, tls_ext_ctx_cb ** cbp, uschar ** errstr)
059ec3d9 1718{
7006ee24 1719SSL_CTX * ctx;
77bb000f 1720long init_options;
7be682ca 1721int rc;
a7538db1 1722tls_ext_ctx_cb * cbinfo;
7be682ca
PP
1723
1724cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1725cbinfo->certificate = certificate;
1726cbinfo->privatekey = privatekey;
a6510420 1727cbinfo->is_server = host==NULL;
f2de3a33 1728#ifndef DISABLE_OCSP
c3033f13 1729cbinfo->verify_stack = NULL;
a6510420 1730if (!host)
f5d78688
JH
1731 {
1732 cbinfo->u_ocsp.server.file = ocsp_file;
1733 cbinfo->u_ocsp.server.file_expanded = NULL;
1734 cbinfo->u_ocsp.server.response = NULL;
1735 }
1736else
1737 cbinfo->u_ocsp.client.verify_store = NULL;
3f7eeb86 1738#endif
7be682ca 1739cbinfo->dhparam = dhparam;
0df4ab80 1740cbinfo->server_cipher_list = NULL;
7be682ca 1741cbinfo->host = host;
0cbf2b82 1742#ifndef DISABLE_EVENT
a7538db1
JH
1743cbinfo->event_action = NULL;
1744#endif
77bb000f 1745
7434882d 1746#ifdef EXIM_NEED_OPENSSL_INIT
059ec3d9
PH
1747SSL_load_error_strings(); /* basic set up */
1748OpenSSL_add_ssl_algorithms();
7434882d 1749#endif
059ec3d9 1750
c8dfb21d 1751#ifdef EXIM_HAVE_SHA256
77bb000f 1752/* SHA256 is becoming ever more popular. This makes sure it gets added to the
a0475b69
TK
1753list of available digests. */
1754EVP_add_digest(EVP_sha256());
cf1ef1a9 1755#endif
a0475b69 1756
f0f5a555
PP
1757/* Create a context.
1758The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1759negotiation in the different methods; as far as I can tell, the only
1760*_{server,client}_method which allows negotiation is SSLv23, which exists even
1761when OpenSSL is built without SSLv2 support.
1762By disabling with openssl_options, we can let admins re-enable with the
1763existing knob. */
059ec3d9 1764
7a8b9519
JH
1765#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1766if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
1767#else
7006ee24 1768if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
7a8b9519 1769#endif
7006ee24 1770 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
059ec3d9
PH
1771
1772/* It turns out that we need to seed the random number generator this early in
1773order to get the full complement of ciphers to work. It took me roughly a day
1774of work to discover this by experiment.
1775
1776On systems that have /dev/urandom, SSL may automatically seed itself from
1777there. Otherwise, we have to make something up as best we can. Double check
1778afterwards. */
1779
1780if (!RAND_status())
1781 {
1782 randstuff r;
9e3331ea 1783 gettimeofday(&r.tv, NULL);
059ec3d9
PH
1784 r.p = getpid();
1785
5903c6ff
JH
1786 RAND_seed(US (&r), sizeof(r));
1787 RAND_seed(US big_buffer, big_buffer_size);
1788 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
059ec3d9
PH
1789
1790 if (!RAND_status())
7199e1ee 1791 return tls_error(US"RAND_status", host,
cf0c6164 1792 US"unable to seed random number generator", errstr);
059ec3d9
PH
1793 }
1794
1795/* Set up the information callback, which outputs if debugging is at a suitable
1796level. */
1797
7006ee24 1798DEBUG(D_tls) SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
8a40db1c
JH
1799#ifdef OPENSSL_HAVE_KEYLOG_CB
1800DEBUG(D_tls) SSL_CTX_set_keylog_callback(ctx, (void (*)())keylog_callback);
1801#endif
059ec3d9 1802
c80c5570 1803/* Automatically re-try reads/writes after renegotiation. */
7006ee24 1804(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
c80c5570 1805
77bb000f
PP
1806/* Apply administrator-supplied work-arounds.
1807Historically we applied just one requested option,
1808SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1809moved to an administrator-controlled list of options to specify and
1810grandfathered in the first one as the default value for "openssl_options".
059ec3d9 1811
77bb000f
PP
1812No OpenSSL version number checks: the options we accept depend upon the
1813availability of the option value macros from OpenSSL. */
059ec3d9 1814
7006ee24 1815if (!tls_openssl_options_parse(openssl_options, &init_options))
cf0c6164 1816 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
77bb000f
PP
1817
1818if (init_options)
1819 {
1820 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
7006ee24 1821 if (!(SSL_CTX_set_options(ctx, init_options)))
77bb000f 1822 return tls_error(string_sprintf(
cf0c6164 1823 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
77bb000f
PP
1824 }
1825else
1826 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9 1827
d7f31bb6
JH
1828#ifdef OPENSSL_HAVE_NUM_TICKETS
1829SSL_CTX_set_num_tickets(ctx, 0); /* send no TLS1.3 stateful-tickets */
1830#endif
1831
a28050f8
JH
1832/* We'd like to disable session cache unconditionally, but foolish Outlook
1833Express clients then give up the first TLS connection and make a second one
1834(which works). Only when there is an IMAP service on the same machine.
1835Presumably OE is trying to use the cache for A on B. Leave it enabled for
1836now, until we work out a decent way of presenting control to the config. It
1837will never be used because we use a new context every time. */
1838#ifdef notdef
7006ee24 1839(void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
a28050f8 1840#endif
7006ee24 1841
059ec3d9 1842/* Initialize with DH parameters if supplied */
10ca4f1c 1843/* Initialize ECDH temp key parameter selection */
059ec3d9 1844
7006ee24
JH
1845if ( !init_dh(ctx, dhparam, host, errstr)
1846 || !init_ecdh(ctx, host, errstr)
038597d2
PP
1847 )
1848 return DEFER;
059ec3d9 1849
3f7eeb86 1850/* Set up certificate and key (and perhaps OCSP info) */
059ec3d9 1851
7006ee24 1852if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
23bb6982 1853 return rc;
c91535f3 1854
c3033f13
JH
1855/* If we need to handle SNI or OCSP, do so */
1856
3bcbbbe2 1857#ifdef EXIM_HAVE_OPENSSL_TLSEXT
c3033f13
JH
1858# ifndef DISABLE_OCSP
1859 if (!(cbinfo->verify_stack = sk_X509_new_null()))
1860 {
1861 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
1862 return FAIL;
1863 }
1864# endif
1865
7a8b9519 1866if (!host) /* server */
3f0945ff 1867 {
f2de3a33 1868# ifndef DISABLE_OCSP
f5d78688 1869 /* We check u_ocsp.server.file, not server.response, because we care about if
3f7eeb86
PP
1870 the option exists, not what the current expansion might be, as SNI might
1871 change the certificate and OCSP file in use between now and the time the
1872 callback is invoked. */
f5d78688 1873 if (cbinfo->u_ocsp.server.file)
3f7eeb86 1874 {
7006ee24
JH
1875 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
1876 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
3f7eeb86 1877 }
f5d78688 1878# endif
3f0945ff
PP
1879 /* We always do this, so that $tls_sni is available even if not used in
1880 tls_certificate */
7006ee24
JH
1881 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
1882 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
3f0945ff 1883 }
f2de3a33 1884# ifndef DISABLE_OCSP
f5d78688
JH
1885else /* client */
1886 if(ocsp_file) /* wanting stapling */
1887 {
1888 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1889 {
1890 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1891 return FAIL;
1892 }
7006ee24
JH
1893 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
1894 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
f5d78688
JH
1895 }
1896# endif
7be682ca 1897#endif
059ec3d9 1898
e51c7be2 1899cbinfo->verify_cert_hostnames = NULL;
e51c7be2 1900
c8dfb21d 1901#ifdef EXIM_HAVE_EPHEM_RSA_KEX
059ec3d9 1902/* Set up the RSA callback */
7006ee24 1903SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
c8dfb21d 1904#endif
059ec3d9
PH
1905
1906/* Finally, set the timeout, and we are done */
1907
7006ee24 1908SSL_CTX_set_timeout(ctx, ssl_session_timeout);
059ec3d9 1909DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca 1910
817d9f57 1911*cbp = cbinfo;
7006ee24 1912*ctxp = ctx;
7be682ca 1913
059ec3d9
PH
1914return OK;
1915}
1916
1917
1918
1919
1920/*************************************************
1921* Get name of cipher in use *
1922*************************************************/
1923
817d9f57 1924/*
059ec3d9 1925Argument: pointer to an SSL structure for the connection
817d9f57 1926 pointer to number of bits for cipher
f1be21cf 1927Returns: pointer to allocated string in perm-pool
059ec3d9
PH
1928*/
1929
f1be21cf
JH
1930static uschar *
1931construct_cipher_name(SSL * ssl, int * bits)
059ec3d9 1932{
f1be21cf 1933int pool = store_pool;
7a8b9519 1934/* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
57b3a7f5
PP
1935yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1936the accessor functions use const in the prototype. */
059ec3d9 1937
7a8b9519
JH
1938const uschar * ver = CUS SSL_get_version(ssl);
1939const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
f1be21cf 1940uschar * s;
059ec3d9 1941
817d9f57 1942SSL_CIPHER_get_bits(c, bits);
059ec3d9 1943
f1be21cf
JH
1944store_pool = POOL_PERM;
1945s = string_sprintf("%s:%s:%u", ver, SSL_CIPHER_get_name(c), *bits);
1946store_pool = pool;
1947DEBUG(D_tls) debug_printf("Cipher: %s\n", s);
1948return s;
1949}
1950
059ec3d9 1951
f1be21cf
JH
1952/* Get IETF-standard name for ciphersuite.
1953Argument: pointer to an SSL structure for the connection
1954Returns: pointer to string
1955*/
1956
1957static const uschar *
1958cipher_stdname_ssl(SSL * ssl)
1959{
1960#ifdef EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
1961return CUS SSL_CIPHER_standard_name(SSL_get_current_cipher(ssl));
1962#else
1963ushort id = 0xffff & SSL_CIPHER_get_id(SSL_get_current_cipher(ssl));
1964return cipher_stdname(id >> 8, id & 0xff);
1965#endif
059ec3d9
PH
1966}
1967
1968
f69979cf 1969static void
70e384dd 1970peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
f69979cf
JH
1971{
1972/*XXX we might consider a list-of-certs variable for the cert chain.
1973SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
1974in list-handling functions, also consider the difference between the entire
1975chain and the elements sent by the peer. */
1976
70e384dd
JH
1977tlsp->peerdn = NULL;
1978
f69979cf
JH
1979/* Will have already noted peercert on a verify fail; possibly not the leaf */
1980if (!tlsp->peercert)
1981 tlsp->peercert = SSL_get_peer_certificate(ssl);
1982/* Beware anonymous ciphers which lead to server_cert being NULL */
1983if (tlsp->peercert)
70e384dd
JH
1984 if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
1985 { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
1986 else
1987 {
1988 peerdn[siz-1] = '\0';
1989 tlsp->peerdn = peerdn; /*XXX a static buffer... */
1990 }
f69979cf
JH
1991}
1992
1993
059ec3d9
PH
1994
1995
1996
1997/*************************************************
1998* Set up for verifying certificates *
1999*************************************************/
2000
0e8aed8a 2001#ifndef DISABLE_OCSP
c3033f13
JH
2002/* Load certs from file, return TRUE on success */
2003
2004static BOOL
2005chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
2006{
2007BIO * bp;
2008X509 * x;
2009
dec766a1
WB
2010while (sk_X509_num(verify_stack) > 0)
2011 X509_free(sk_X509_pop(verify_stack));
2012
c3033f13
JH
2013if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
2014while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
2015 sk_X509_push(verify_stack, x);
2016BIO_free(bp);
2017return TRUE;
2018}
0e8aed8a 2019#endif
c3033f13
JH
2020
2021
2022
dec766a1
WB
2023/* Called by both client and server startup; on the server possibly
2024repeated after a Server Name Indication.
059ec3d9
PH
2025
2026Arguments:
7be682ca 2027 sctx SSL_CTX* to initialise
059ec3d9
PH
2028 certs certs file or NULL
2029 crl CRL file or NULL
2030 host NULL in a server; the remote host in a client
2031 optional TRUE if called from a server for a host in tls_try_verify_hosts;
2032 otherwise passed as FALSE
983207c1 2033 cert_vfy_cb Callback function for certificate verification
cf0c6164 2034 errstr error string pointer
059ec3d9
PH
2035
2036Returns: OK/DEFER/FAIL
2037*/
2038
2039static int
983207c1 2040setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 2041 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
059ec3d9
PH
2042{
2043uschar *expcerts, *expcrl;
2044
cf0c6164 2045if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
059ec3d9 2046 return DEFER;
57cc2785 2047DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
059ec3d9 2048
10a831a3 2049if (expcerts && *expcerts)
059ec3d9 2050 {
10a831a3
JH
2051 /* Tell the library to use its compiled-in location for the system default
2052 CA bundle. Then add the ones specified in the config, if any. */
cb1d7830 2053
10a831a3 2054 if (!SSL_CTX_set_default_verify_paths(sctx))
cf0c6164 2055 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
10a831a3
JH
2056
2057 if (Ustrcmp(expcerts, "system") != 0)
059ec3d9 2058 {
cb1d7830
JH
2059 struct stat statbuf;
2060
cb1d7830
JH
2061 if (Ustat(expcerts, &statbuf) < 0)
2062 {
2063 log_write(0, LOG_MAIN|LOG_PANIC,
2064 "failed to stat %s for certificates", expcerts);
2065 return DEFER;
2066 }
059ec3d9 2067 else
059ec3d9 2068 {
cb1d7830
JH
2069 uschar *file, *dir;
2070 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
2071 { file = NULL; dir = expcerts; }
2072 else
c3033f13
JH
2073 {
2074 file = expcerts; dir = NULL;
2075#ifndef DISABLE_OCSP
2076 /* In the server if we will be offering an OCSP proof, load chain from
2077 file for verifying the OCSP proof at load time. */
2078
2079 if ( !host
2080 && statbuf.st_size > 0
2081 && server_static_cbinfo->u_ocsp.server.file
2082 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
2083 )
2084 {
2085 log_write(0, LOG_MAIN|LOG_PANIC,
57887ecc 2086 "failed to load cert chain from %s", file);
c3033f13
JH
2087 return DEFER;
2088 }
2089#endif
2090 }
cb1d7830
JH
2091
2092 /* If a certificate file is empty, the next function fails with an
2093 unhelpful error message. If we skip it, we get the correct behaviour (no
2094 certificates are recognized, but the error message is still misleading (it
c3033f13 2095 says no certificate was supplied). But this is better. */
cb1d7830 2096
f2f2c91b
JH
2097 if ( (!file || statbuf.st_size > 0)
2098 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
cf0c6164 2099 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
cb1d7830
JH
2100
2101 /* Load the list of CAs for which we will accept certs, for sending
2102 to the client. This is only for the one-file tls_verify_certificates
2103 variant.
d7978c0f
JH
2104 If a list isn't loaded into the server, but some verify locations are set,
2105 the server end appears to make a wildcard request for client certs.
10a831a3 2106 Meanwhile, the client library as default behaviour *ignores* the list
cb1d7830
JH
2107 we send over the wire - see man SSL_CTX_set_client_cert_cb.
2108 Because of this, and that the dir variant is likely only used for
d7978c0f
JH
2109 the public-CA bundle (not for a private CA), not worth fixing. */
2110
f2f2c91b 2111 if (file)
cb1d7830 2112 {
2009ecca 2113 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
dec766a1
WB
2114
2115 SSL_CTX_set_client_CA_list(sctx, names);
f2f2c91b 2116 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
cb1d7830 2117 sk_X509_NAME_num(names));
cb1d7830 2118 }
059ec3d9
PH
2119 }
2120 }
2121
2122 /* Handle a certificate revocation list. */
2123
10a831a3 2124#if OPENSSL_VERSION_NUMBER > 0x00907000L
059ec3d9 2125
8b417f2c 2126 /* This bit of code is now the version supplied by Lars Mainka. (I have
10a831a3 2127 merely reformatted it into the Exim code style.)
8b417f2c 2128
10a831a3
JH
2129 "From here I changed the code to add support for multiple crl's
2130 in pem format in one file or to support hashed directory entries in
2131 pem format instead of a file. This method now uses the library function
2132 X509_STORE_load_locations to add the CRL location to the SSL context.
2133 OpenSSL will then handle the verify against CA certs and CRLs by
2134 itself in the verify callback." */
8b417f2c 2135
cf0c6164 2136 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
10a831a3 2137 if (expcrl && *expcrl)
059ec3d9 2138 {
8b417f2c
PH
2139 struct stat statbufcrl;
2140 if (Ustat(expcrl, &statbufcrl) < 0)
2141 {
2142 log_write(0, LOG_MAIN|LOG_PANIC,
2143 "failed to stat %s for certificates revocation lists", expcrl);
2144 return DEFER;
2145 }
2146 else
059ec3d9 2147 {
8b417f2c
PH
2148 /* is it a file or directory? */
2149 uschar *file, *dir;
7be682ca 2150 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 2151 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 2152 {
8b417f2c
PH
2153 file = NULL;
2154 dir = expcrl;
2155 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH
2156 }
2157 else
2158 {
8b417f2c
PH
2159 file = expcrl;
2160 dir = NULL;
2161 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 2162 }
8b417f2c 2163 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
cf0c6164 2164 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
8b417f2c
PH
2165
2166 /* setting the flags to check against the complete crl chain */
2167
2168 X509_STORE_set_flags(cvstore,
2169 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 2170 }
059ec3d9
PH
2171 }
2172
10a831a3 2173#endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
059ec3d9
PH
2174
2175 /* If verification is optional, don't fail if no certificate */
2176
7be682ca 2177 SSL_CTX_set_verify(sctx,
5a2a0989 2178 SSL_VERIFY_PEER | (optional ? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
983207c1 2179 cert_vfy_cb);
059ec3d9
PH
2180 }
2181
2182return OK;
2183}
2184
2185
2186
2187/*************************************************
2188* Start a TLS session in a server *
2189*************************************************/
2190
2191/* This is called when Exim is running as a server, after having received
2192the STARTTLS command. It must respond to that command, and then negotiate
2193a TLS session.
2194
2195Arguments:
2196 require_ciphers allowed ciphers
cf0c6164 2197 errstr pointer to error message
059ec3d9
PH
2198
2199Returns: OK on success
2200 DEFER for errors before the start of the negotiation
4c04137d 2201 FAIL for errors during the negotiation; the server can't
059ec3d9
PH
2202 continue running.
2203*/
2204
2205int
cf0c6164 2206tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH
2207{
2208int rc;
cf0c6164
JH
2209uschar * expciphers;
2210tls_ext_ctx_cb * cbinfo;
f69979cf 2211static uschar peerdn[256];
059ec3d9
PH
2212
2213/* Check for previous activation */
2214
74f1a423 2215if (tls_in.active.sock >= 0)
059ec3d9 2216 {
cf0c6164 2217 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
925ac8e4 2218 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH
2219 return FAIL;
2220 }
2221
2222/* Initialize the SSL library. If it fails, it will already have logged
2223the error. */
2224
817d9f57 2225rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
f2de3a33 2226#ifndef DISABLE_OCSP
47195144 2227 tls_ocsp_file, /*XXX stack*/
3f7eeb86 2228#endif
cf0c6164 2229 NULL, &server_static_cbinfo, errstr);
059ec3d9 2230if (rc != OK) return rc;
817d9f57 2231cbinfo = server_static_cbinfo;
059ec3d9 2232
cf0c6164 2233if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
059ec3d9
PH
2234 return FAIL;
2235
2236/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
17c76198
PP
2237were historically separated by underscores. So that I can use either form in my
2238tests, and also for general convenience, we turn underscores into hyphens here.
0c3807a8
JH
2239
2240XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
2241for TLS 1.3 . Since we do not call it at present we get the default list:
2242TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
17c76198 2243*/
059ec3d9 2244
c3033f13 2245if (expciphers)
059ec3d9 2246 {
c3033f13 2247 uschar * s = expciphers;
059ec3d9
PH
2248 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2249 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 2250 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
cf0c6164 2251 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
7be682ca 2252 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH
2253 }
2254
2255/* If this is a host for which certificate verification is mandatory or
2256optional, set up appropriately. */
2257
817d9f57 2258tls_in.certificate_verified = FALSE;
c0635b6d 2259#ifdef SUPPORT_DANE
53a7196b
JH
2260tls_in.dane_verified = FALSE;
2261#endif
a2ff477a 2262server_verify_callback_called = FALSE;
059ec3d9
PH
2263
2264if (verify_check_host(&tls_verify_hosts) == OK)
2265 {
983207c1 2266 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
afdb5e9c 2267 FALSE, verify_callback_server, errstr);
059ec3d9 2268 if (rc != OK) return rc;
a2ff477a 2269 server_verify_optional = FALSE;
059ec3d9
PH
2270 }
2271else if (verify_check_host(&tls_try_verify_hosts) == OK)
2272 {
983207c1 2273 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
afdb5e9c 2274 TRUE, verify_callback_server, errstr);
059ec3d9 2275 if (rc != OK) return rc;
a2ff477a 2276 server_verify_optional = TRUE;
059ec3d9
PH
2277 }
2278
2279/* Prepare for new connection */
2280
cf0c6164
JH
2281if (!(server_ssl = SSL_new(server_ctx)))
2282 return tls_error(US"SSL_new", NULL, NULL, errstr);
da3ad30d
PP
2283
2284/* Warning: we used to SSL_clear(ssl) here, it was removed.
2285 *
2286 * With the SSL_clear(), we get strange interoperability bugs with
2287 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
2288 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
2289 *
2290 * The SSL_clear() call is to let an existing SSL* be reused, typically after
2291 * session shutdown. In this case, we have a brand new object and there's no
2292 * obvious reason to immediately clear it. I'm guessing that this was
2293 * originally added because of incomplete initialisation which the clear fixed,
2294 * in some historic release.
2295 */
059ec3d9
PH
2296
2297/* Set context and tell client to go ahead, except in the case of TLS startup
2298on connection, where outputting anything now upsets the clients and tends to
2299make them disconnect. We need to have an explicit fflush() here, to force out
2300the response. Other smtp_printf() calls do not need it, because in non-TLS
2301mode, the fflush() happens when smtp_getc() is called. */
2302
817d9f57
JH
2303SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
2304if (!tls_in.on_connect)
059ec3d9 2305 {
925ac8e4 2306 smtp_printf("220 TLS go ahead\r\n", FALSE);
059ec3d9
PH
2307 fflush(smtp_out);
2308 }
2309
2310/* Now negotiate the TLS session. We put our own timer on it, since it seems
2311that the OpenSSL library doesn't. */
2312
817d9f57
JH
2313SSL_set_wfd(server_ssl, fileno(smtp_out));
2314SSL_set_rfd(server_ssl, fileno(smtp_in));
2315SSL_set_accept_state(server_ssl);
059ec3d9
PH
2316
2317DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
2318
2319sigalrm_seen = FALSE;
c2a1bba0 2320if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
817d9f57 2321rc = SSL_accept(server_ssl);
c2a1bba0 2322ALARM_CLR(0);
059ec3d9
PH
2323
2324if (rc <= 0)
2325 {
cf0c6164 2326 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
059ec3d9
PH
2327 return FAIL;
2328 }
2329
2330DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
25fa0868
JH
2331ERR_clear_error(); /* Even success can leave errors in the stack. Seen with
2332 anon-authentication ciphersuite negociated. */
059ec3d9
PH
2333
2334/* TLS has been set up. Adjust the input functions to read via TLS,
2335and initialize things. */
2336
f69979cf
JH
2337peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2338
f1be21cf
JH
2339tls_in.cipher = construct_cipher_name(server_ssl, &tls_in.bits);
2340tls_in.cipher_stdname = cipher_stdname_ssl(server_ssl);
2341
059ec3d9
PH
2342DEBUG(D_tls)
2343 {
2344 uschar buf[2048];
f1be21cf 2345 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)))
059ec3d9 2346 debug_printf("Shared ciphers: %s\n", buf);
f20cfa4a
JH
2347
2348#ifdef EXIM_HAVE_OPENSSL_KEYLOG
2349 {
10ed27e0 2350 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
f20cfa4a 2351 SSL_SESSION_print_keylog(bp, SSL_get_session(server_ssl));
f20cfa4a
JH
2352 BIO_free(bp);
2353 }
2354#endif
059ec3d9
PH
2355 }
2356
9d1c15ef
JH
2357/* Record the certificate we presented */
2358 {
2359 X509 * crt = SSL_get_certificate(server_ssl);
2360 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2361 }
059ec3d9 2362
817d9f57
JH
2363/* Only used by the server-side tls (tls_in), including tls_getc.
2364 Client-side (tls_out) reads (seem to?) go via
2365 smtp_read_response()/ip_recv().
2366 Hence no need to duplicate for _in and _out.
2367 */
b808677c 2368if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9 2369ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
8b77d27a 2370ssl_xfer_eof = ssl_xfer_error = FALSE;
059ec3d9
PH
2371
2372receive_getc = tls_getc;
0d81dabc 2373receive_getbuf = tls_getbuf;
584e96c6 2374receive_get_cache = tls_get_cache;
059ec3d9
PH
2375receive_ungetc = tls_ungetc;
2376receive_feof = tls_feof;
2377receive_ferror = tls_ferror;
58eb016e 2378receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 2379
74f1a423
JH
2380tls_in.active.sock = fileno(smtp_out);
2381tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */
059ec3d9
PH
2382return OK;
2383}
2384
2385
2386
2387
043b1248
JH
2388static int
2389tls_client_basic_ctx_init(SSL_CTX * ctx,
cf0c6164
JH
2390 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2391 uschar ** errstr)
043b1248
JH
2392{
2393int rc;
94431adb 2394/* stick to the old behaviour for compatibility if tls_verify_certificates is
043b1248
JH
2395 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2396 the specified host patterns if one of them is defined */
2397
610ff438
JH
2398if ( ( !ob->tls_verify_hosts
2399 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2400 )
3c07dd2d 2401 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
aa2a70ba 2402 )
043b1248 2403 client_verify_optional = FALSE;
3c07dd2d 2404else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
aa2a70ba
JH
2405 client_verify_optional = TRUE;
2406else
2407 return OK;
2408
2409if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
cf0c6164
JH
2410 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2411 errstr)) != OK)
aa2a70ba 2412 return rc;
043b1248 2413
3c07dd2d 2414if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
043b1248 2415 {
4af0d74a 2416 cbinfo->verify_cert_hostnames =
8c5d388a 2417#ifdef SUPPORT_I18N
4af0d74a
JH
2418 string_domain_utf8_to_alabel(host->name, NULL);
2419#else
2420 host->name;
2421#endif
aa2a70ba
JH
2422 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2423 cbinfo->verify_cert_hostnames);
043b1248 2424 }
043b1248
JH
2425return OK;
2426}
059ec3d9 2427
fde080a4 2428
c0635b6d 2429#ifdef SUPPORT_DANE
fde080a4 2430static int
cf0c6164 2431dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
fde080a4 2432{
fde080a4
JH
2433dns_scan dnss;
2434const char * hostnames[2] = { CS host->name, NULL };
2435int found = 0;
2436
2437if (DANESSL_init(ssl, NULL, hostnames) != 1)
cf0c6164 2438 return tls_error(US"hostnames load", host, NULL, errstr);
fde080a4 2439
d7978c0f 2440for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
fde080a4 2441 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1b76ad22 2442 ) if (rr->type == T_TLSA && rr->size > 3)
fde080a4 2443 {
c3033f13 2444 const uschar * p = rr->data;
fde080a4
JH
2445 uint8_t usage, selector, mtype;
2446 const char * mdname;
2447
fde080a4 2448 usage = *p++;
133d2546
JH
2449
2450 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2451 if (usage != 2 && usage != 3) continue;
2452
fde080a4
JH
2453 selector = *p++;
2454 mtype = *p++;
2455
2456 switch (mtype)
2457 {
133d2546
JH
2458 default: continue; /* Only match-types 0, 1, 2 are supported */
2459 case 0: mdname = NULL; break;
2460 case 1: mdname = "sha256"; break;
2461 case 2: mdname = "sha512"; break;
fde080a4
JH
2462 }
2463
133d2546 2464 found++;
fde080a4
JH
2465 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2466 {
2467 default:
cf0c6164 2468 return tls_error(US"tlsa load", host, NULL, errstr);
c035b645 2469 case 0: /* action not taken */
fde080a4
JH
2470 case 1: break;
2471 }
594706ea
JH
2472
2473 tls_out.tlsa_usage |= 1<<usage;
fde080a4
JH
2474 }
2475
2476if (found)
2477 return OK;
2478
133d2546 2479log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
6ebd79ec 2480return DEFER;
fde080a4 2481}
c0635b6d 2482#endif /*SUPPORT_DANE*/
fde080a4
JH
2483
2484
2485
059ec3d9
PH
2486/*************************************************
2487* Start a TLS session in a client *
2488*************************************************/
2489
2490/* Called from the smtp transport after STARTTLS has been accepted.
2491
c05bdbd6
JH
2492Arguments:
2493 cctx connection context
2494 conn_args connection details
2495 cookie datum for randomness; can be NULL
2496 tlsp record details of TLS channel configuration here; must be non-NULL
2497 errstr error string pointer
2498
2499Returns: TRUE for success with TLS session context set in connection context,
2500 FALSE on error
059ec3d9
PH
2501*/
2502
c05bdbd6
JH
2503BOOL
2504tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
2505 void * cookie, tls_support * tlsp, uschar ** errstr)
059ec3d9 2506{
c05bdbd6
JH
2507host_item * host = conn_args->host; /* for msgs and option-tests */
2508transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
afdb5e9c
JH
2509smtp_transport_options_block * ob = tb
2510 ? (smtp_transport_options_block *)tb->options_block
2511 : &smtp_transport_option_defaults;
74f1a423 2512exim_openssl_client_tls_ctx * exim_client_ctx;
868f5672 2513uschar * expciphers;
059ec3d9 2514int rc;
c05bdbd6 2515static uschar peerdn[256];
043b1248
JH
2516
2517#ifndef DISABLE_OCSP
043b1248 2518BOOL request_ocsp = FALSE;
6634ac8d 2519BOOL require_ocsp = FALSE;
043b1248 2520#endif
043b1248 2521
74f1a423
JH
2522rc = store_pool;
2523store_pool = POOL_PERM;
2524exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx));
c09dbcfb 2525exim_client_ctx->corked = NULL;
74f1a423
JH
2526store_pool = rc;
2527
c0635b6d 2528#ifdef SUPPORT_DANE
74f1a423 2529tlsp->tlsa_usage = 0;
043b1248
JH
2530#endif
2531
f2de3a33 2532#ifndef DISABLE_OCSP
043b1248 2533 {
c0635b6d 2534# ifdef SUPPORT_DANE
c05bdbd6 2535 if ( conn_args->dane
4f59c424
JH
2536 && ob->hosts_request_ocsp[0] == '*'
2537 && ob->hosts_request_ocsp[1] == '\0'
2538 )
2539 {
2540 /* Unchanged from default. Use a safer one under DANE */
2541 request_ocsp = TRUE;
2542 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2543 " {= {4}{$tls_out_tlsa_usage}} } "
2544 " {*}{}}";
2545 }
2546# endif
2547
5130845b 2548 if ((require_ocsp =
3c07dd2d 2549 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
fca41d5a
JH
2550 request_ocsp = TRUE;
2551 else
c0635b6d 2552# ifdef SUPPORT_DANE
4f59c424 2553 if (!request_ocsp)
fca41d5a 2554# endif
5130845b 2555 request_ocsp =
3c07dd2d 2556 verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
043b1248 2557 }
f5d78688 2558#endif
059ec3d9 2559
74f1a423 2560rc = tls_init(&exim_client_ctx->ctx, host, NULL,
65867078 2561 ob->tls_certificate, ob->tls_privatekey,
f2de3a33 2562#ifndef DISABLE_OCSP
44662487 2563 (void *)(long)request_ocsp,
3f7eeb86 2564#endif
c05bdbd6
JH
2565 cookie, &client_static_cbinfo, errstr);
2566if (rc != OK) return FALSE;
059ec3d9 2567
74f1a423 2568tlsp->certificate_verified = FALSE;
a2ff477a 2569client_verify_callback_called = FALSE;
059ec3d9 2570
5ec37a55
PP
2571expciphers = NULL;
2572#ifdef SUPPORT_DANE
c05bdbd6 2573if (conn_args->dane)
5ec37a55
PP
2574 {
2575 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
2576 other failures should be treated as problems. */
2577 if (ob->dane_require_tls_ciphers &&
2578 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2579 &expciphers, errstr))
c05bdbd6 2580 return FALSE;
5ec37a55
PP
2581 if (expciphers && *expciphers == '\0')
2582 expciphers = NULL;
2583 }
2584#endif
2585if (!expciphers &&
2586 !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
2587 &expciphers, errstr))
c05bdbd6 2588 return FALSE;
059ec3d9
PH
2589
2590/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2591are separated by underscores. So that I can use either form in my tests, and
2592also for general convenience, we turn underscores into hyphens here. */
2593
cf0c6164 2594if (expciphers)
059ec3d9
PH
2595 {
2596 uschar *s = expciphers;
cf0c6164 2597 while (*s) { if (*s == '_') *s = '-'; s++; }
059ec3d9 2598 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
74f1a423
JH
2599 if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
2600 {
2601 tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
c05bdbd6 2602 return FALSE;
74f1a423 2603 }
059ec3d9
PH
2604 }
2605
c0635b6d 2606#ifdef SUPPORT_DANE
c05bdbd6 2607if (conn_args->dane)
a63be306 2608 {
74f1a423 2609 SSL_CTX_set_verify(exim_client_ctx->ctx,
02af313d
JH
2610 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2611 verify_callback_client_dane);
e5cccda9 2612
043b1248 2613 if (!DANESSL_library_init())
74f1a423
JH
2614 {
2615 tls_error(US"library init", host, NULL, errstr);
c05bdbd6 2616 return FALSE;
74f1a423
JH
2617 }
2618 if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
2619 {
2620 tls_error(US"context init", host, NULL, errstr);
c05bdbd6 2621 return FALSE;
74f1a423 2622 }
043b1248
JH
2623 }
2624else
e51c7be2 2625
043b1248
JH
2626#endif
2627
74f1a423
JH
2628 if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
2629 client_static_cbinfo, errstr) != OK)
c05bdbd6 2630 return FALSE;
059ec3d9 2631
74f1a423
JH
2632if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
2633 {
2634 tls_error(US"SSL_new", host, NULL, errstr);
c05bdbd6 2635 return FALSE;
74f1a423
JH
2636 }
2637SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
c05bdbd6 2638SSL_set_fd(exim_client_ctx->ssl, cctx->sock);
74f1a423 2639SSL_set_connect_state(exim_client_ctx->ssl);
059ec3d9 2640
65867078 2641if (ob->tls_sni)
3f0945ff 2642 {
74f1a423 2643 if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
c05bdbd6 2644 return FALSE;
74f1a423 2645 if (!tlsp->sni)
2c9a0e86
PP
2646 {
2647 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
2648 }
74f1a423
JH
2649 else if (!Ustrlen(tlsp->sni))
2650 tlsp->sni = NULL;
3f0945ff
PP
2651 else
2652 {
35731706 2653#ifdef EXIM_HAVE_OPENSSL_TLSEXT
74f1a423
JH
2654 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
2655 SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
35731706 2656#else
66802652 2657 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
74f1a423 2658 tlsp->sni);
35731706 2659#endif
3f0945ff
PP
2660 }
2661 }
2662
c0635b6d 2663#ifdef SUPPORT_DANE
c05bdbd6
JH
2664if (conn_args->dane)
2665 if (dane_tlsa_load(exim_client_ctx->ssl, host, &conn_args->tlsa_dnsa, errstr) != OK)
2666 return FALSE;
594706ea
JH
2667#endif
2668
f2de3a33 2669#ifndef DISABLE_OCSP
f5d78688
JH
2670/* Request certificate status at connection-time. If the server
2671does OCSP stapling we will get the callback (set in tls_init()) */
c0635b6d 2672# ifdef SUPPORT_DANE
44662487
JH
2673if (request_ocsp)
2674 {
594706ea 2675 const uschar * s;
41afb5cb
JH
2676 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2677 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
594706ea
JH
2678 )
2679 { /* Re-eval now $tls_out_tlsa_usage is populated. If
2680 this means we avoid the OCSP request, we wasted the setup
2681 cost in tls_init(). */
3c07dd2d 2682 require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
5130845b 2683 request_ocsp = require_ocsp
3c07dd2d 2684 || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
594706ea
JH
2685 }
2686 }
b50c8b84
JH
2687# endif
2688
594706ea
JH
2689if (request_ocsp)
2690 {
74f1a423 2691 SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
44662487 2692 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
74f1a423 2693 tlsp->ocsp = OCSP_NOT_RESP;
44662487 2694 }
f5d78688
JH
2695#endif
2696
0cbf2b82 2697#ifndef DISABLE_EVENT
afdb5e9c 2698client_static_cbinfo->event_action = tb ? tb->event_action : NULL;
a7538db1 2699#endif
043b1248 2700
059ec3d9
PH
2701/* There doesn't seem to be a built-in timeout on connection. */
2702
2703DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
2704sigalrm_seen = FALSE;
c2a1bba0 2705ALARM(ob->command_timeout);
74f1a423 2706rc = SSL_connect(exim_client_ctx->ssl);
c2a1bba0 2707ALARM_CLR(0);
059ec3d9 2708
c0635b6d 2709#ifdef SUPPORT_DANE
c05bdbd6 2710if (conn_args->dane)
74f1a423 2711 DANESSL_cleanup(exim_client_ctx->ssl);
043b1248
JH
2712#endif
2713
059ec3d9 2714if (rc <= 0)
74f1a423
JH
2715 {
2716 tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
c05bdbd6 2717 return FALSE;
74f1a423 2718 }
059ec3d9 2719
f20cfa4a
JH
2720DEBUG(D_tls)
2721 {
2722 debug_printf("SSL_connect succeeded\n");
2723#ifdef EXIM_HAVE_OPENSSL_KEYLOG
2724 {
10ed27e0
JH
2725 BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
2726 SSL_SESSION_print_keylog(bp, SSL_get_session(exim_client_ctx->ssl));
2727 BIO_free(bp);
f20cfa4a
JH
2728 }
2729#endif
2730 }
059ec3d9 2731
74f1a423 2732peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
059ec3d9 2733
f1be21cf
JH
2734tlsp->cipher = construct_cipher_name(exim_client_ctx->ssl, &tlsp->bits);
2735tlsp->cipher_stdname = cipher_stdname_ssl(exim_client_ctx->ssl);
059ec3d9 2736
9d1c15ef
JH
2737/* Record the certificate we presented */
2738 {
74f1a423
JH
2739 X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
2740 tlsp->ourcert = crt ? X509_dup(crt) : NULL;
9d1c15ef
JH
2741 }
2742
c05bdbd6 2743tlsp->active.sock = cctx->sock;
74f1a423 2744tlsp->active.tls_ctx = exim_client_ctx;
c05bdbd6
JH
2745cctx->tls_ctx = exim_client_ctx;
2746return TRUE;
059ec3d9
PH
2747}
2748
2749
2750
2751
2752
0d81dabc
JH
2753static BOOL
2754tls_refill(unsigned lim)
2755{
2756int error;
2757int inbytes;
2758
2759DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
2760 ssl_xfer_buffer, ssl_xfer_buffer_size);
2761
c2a1bba0 2762if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
0d81dabc
JH
2763inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
2764 MIN(ssl_xfer_buffer_size, lim));
2765error = SSL_get_error(server_ssl, inbytes);
c2a1bba0 2766if (smtp_receive_timeout > 0) ALARM_CLR(0);
9723f966
JH
2767
2768if (had_command_timeout) /* set by signal handler */
2769 smtp_command_timeout_exit(); /* does not return */
2770if (had_command_sigterm)
2771 smtp_command_sigterm_exit();
2772if (had_data_timeout)
2773 smtp_data_timeout_exit();
2774if (had_data_sigint)
2775 smtp_data_sigint_exit();
0d81dabc
JH
2776
2777/* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
2778closed down, not that the socket itself has been closed down. Revert to
2779non-SSL handling. */
2780
74f1a423 2781switch(error)
0d81dabc 2782 {
74f1a423
JH
2783 case SSL_ERROR_NONE:
2784 break;
2785
2786 case SSL_ERROR_ZERO_RETURN:
2787 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
0d81dabc 2788
74f1a423
JH
2789 receive_getc = smtp_getc;
2790 receive_getbuf = smtp_getbuf;
2791 receive_get_cache = smtp_get_cache;
2792 receive_ungetc = smtp_ungetc;
2793 receive_feof = smtp_feof;
2794 receive_ferror = smtp_ferror;
2795 receive_smtp_buffered = smtp_buffered;
0d81dabc 2796
74f1a423
JH
2797 if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
2798 SSL_shutdown(server_ssl);
dec766a1 2799
37f0ce65 2800#ifndef DISABLE_OCSP
74f1a423
JH
2801 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
2802 server_static_cbinfo->verify_stack = NULL;
37f0ce65 2803#endif
74f1a423
JH
2804 SSL_free(server_ssl);
2805 SSL_CTX_free(server_ctx);
2806 server_ctx = NULL;
2807 server_ssl = NULL;
2808 tls_in.active.sock = -1;
2809 tls_in.active.tls_ctx = NULL;
2810 tls_in.bits = 0;
2811 tls_in.cipher = NULL;
2812 tls_in.peerdn = NULL;
2813 tls_in.sni = NULL;
0d81dabc 2814
74f1a423 2815 return FALSE;
0d81dabc 2816
74f1a423
JH
2817 /* Handle genuine errors */
2818 case SSL_ERROR_SSL:
0abc5a13 2819 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
74f1a423
JH
2820 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
2821 ssl_xfer_error = TRUE;
2822 return FALSE;
0d81dabc 2823
74f1a423
JH
2824 default:
2825 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2826 DEBUG(D_tls) if (error == SSL_ERROR_SYSCALL)
2827 debug_printf(" - syscall %s\n", strerror(errno));
2828 ssl_xfer_error = TRUE;
2829 return FALSE;
0d81dabc
JH
2830 }
2831
2832#ifndef DISABLE_DKIM
2833dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
2834#endif
2835ssl_xfer_buffer_hwm = inbytes;
2836ssl_xfer_buffer_lwm = 0;
2837return TRUE;
2838}
2839
2840
059ec3d9
PH
2841/*************************************************
2842* TLS version of getc *
2843*************************************************/
2844
2845/* This gets the next byte from the TLS input buffer. If the buffer is empty,
2846it refills the buffer via the SSL reading function.
2847
bd8fbe36 2848Arguments: lim Maximum amount to read/buffer
059ec3d9 2849Returns: the next character or EOF
817d9f57
JH
2850
2851Only used by the server-side TLS.
059ec3d9
PH
2852*/
2853
2854int
bd8fbe36 2855tls_getc(unsigned lim)
059ec3d9
PH
2856{
2857if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
0d81dabc
JH
2858 if (!tls_refill(lim))
2859 return ssl_xfer_error ? EOF : smtp_getc(lim);
059ec3d9 2860
0d81dabc 2861/* Something in the buffer; return next uschar */
059ec3d9 2862
0d81dabc
JH
2863return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
2864}
059ec3d9 2865
0d81dabc
JH
2866uschar *
2867tls_getbuf(unsigned * len)
2868{
2869unsigned size;
2870uschar * buf;
ba084640 2871
0d81dabc
JH
2872if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2873 if (!tls_refill(*len))
059ec3d9 2874 {
0d81dabc
JH
2875 if (!ssl_xfer_error) return smtp_getbuf(len);
2876 *len = 0;
2877 return NULL;
059ec3d9 2878 }
c80c5570 2879
0d81dabc
JH
2880if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
2881 size = *len;
2882buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
2883ssl_xfer_buffer_lwm += size;
2884*len = size;
2885return buf;
059ec3d9
PH
2886}
2887
0d81dabc 2888
584e96c6
JH
2889void
2890tls_get_cache()
2891{
9960d1e5 2892#ifndef DISABLE_DKIM
584e96c6
JH
2893int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
2894if (n > 0)
2895 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
584e96c6 2896#endif
9960d1e5 2897}
584e96c6 2898
059ec3d9 2899
925ac8e4
JH
2900BOOL
2901tls_could_read(void)
2902{
a5ffa9b4 2903return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0;
925ac8e4
JH
2904}
2905
059ec3d9
PH
2906
2907/*************************************************
2908* Read bytes from TLS channel *
2909*************************************************/
2910
2911/*
2912Arguments:
74f1a423 2913 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH
2914 buff buffer of data
2915 len size of buffer
2916
2917Returns: the number of bytes read
afdb5e9c 2918 -1 after a failed read, including EOF
817d9f57
JH
2919
2920Only used by the client-side TLS.
059ec3d9
PH
2921*/
2922
2923int
74f1a423 2924tls_read(void * ct_ctx, uschar *buff, size_t len)
059ec3d9 2925{
74f1a423 2926SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
059ec3d9
PH
2927int inbytes;
2928int error;
2929
389ca47a 2930DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
c80c5570 2931 buff, (unsigned int)len);
059ec3d9 2932
389ca47a
JH
2933inbytes = SSL_read(ssl, CS buff, len);
2934error = SSL_get_error(ssl, inbytes);
059ec3d9
PH
2935
2936if (error == SSL_ERROR_ZERO_RETURN)
2937 {
2938 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2939 return -1;
2940 }
2941else if (error != SSL_ERROR_NONE)
059ec3d9 2942 return -1;
059ec3d9
PH
2943
2944return inbytes;
2945}
2946
2947
2948
2949
2950
2951/*************************************************
2952* Write bytes down TLS channel *
2953*************************************************/
2954
2955/*
2956Arguments:
74f1a423 2957 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH
2958 buff buffer of data
2959 len number of bytes
925ac8e4 2960 more further data expected soon
059ec3d9
PH
2961
2962Returns: the number of bytes after a successful write,
2963 -1 after a failed write
817d9f57
JH
2964
2965Used by both server-side and client-side TLS.
059ec3d9
PH
2966*/
2967
2968int
74f1a423 2969tls_write(void * ct_ctx, const uschar *buff, size_t len, BOOL more)
059ec3d9 2970{
ac35befe 2971size_t olen = len;
d7978c0f 2972int outbytes, error;
c09dbcfb
JH
2973SSL * ssl = ct_ctx
2974 ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
2975static gstring * server_corked = NULL;
2976gstring ** corkedp = ct_ctx
2977 ? &((exim_openssl_client_tls_ctx *)ct_ctx)->corked : &server_corked;
2978gstring * corked = *corkedp;
a5ffa9b4 2979
ef698bf6 2980DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
b93be52e 2981 buff, (unsigned long)len, more ? ", more" : "");
a5ffa9b4
JH
2982
2983/* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
2984"more" is notified. This hack is only ok if small amounts are involved AND only
2985one stream does it, in one context (i.e. no store reset). Currently it is used
c09dbcfb
JH
2986for the responses to the received SMTP MAIL , RCPT, DATA sequence, only.
2987We support callouts done by the server process by using a separate client
2988context for the stashed information. */
ac35befe
JH
2989/* + if PIPE_COMMAND, banner & ehlo-resp for smmtp-on-connect. Suspect there's
2990a store reset there, so use POOL_PERM. */
2991/* + if CHUNKING, cmds EHLO,MAIL,RCPT(s),BDAT */
a5ffa9b4 2992
ac35befe 2993if ((more || corked))
a5ffa9b4 2994 {
ee8b8090
JH
2995#ifdef EXPERIMENTAL_PIPE_CONNECT
2996 int save_pool = store_pool;
2997 store_pool = POOL_PERM;
2998#endif
2999
acec9514 3000 corked = string_catn(corked, buff, len);
ee8b8090
JH
3001
3002#ifdef EXPERIMENTAL_PIPE_CONNECT
3003 store_pool = save_pool;
3004#endif
3005
a5ffa9b4 3006 if (more)
c09dbcfb
JH
3007 {
3008 *corkedp = corked;
a5ffa9b4 3009 return len;
c09dbcfb 3010 }
acec9514
JH
3011 buff = CUS corked->s;
3012 len = corked->ptr;
c09dbcfb 3013 *corkedp = NULL;
a5ffa9b4 3014 }
059ec3d9 3015
d7978c0f 3016for (int left = len; left > 0;)
059ec3d9 3017 {
74f1a423 3018 DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left);
059ec3d9
PH
3019 outbytes = SSL_write(ssl, CS buff, left);
3020 error = SSL_get_error(ssl, outbytes);
3021 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
3022 switch (error)
3023 {
3024 case SSL_ERROR_SSL:
0abc5a13 3025 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
96f5fe4c
JH
3026 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
3027 return -1;
059ec3d9
PH
3028
3029 case SSL_ERROR_NONE:
96f5fe4c
JH
3030 left -= outbytes;
3031 buff += outbytes;
3032 break;
059ec3d9
PH
3033
3034 case SSL_ERROR_ZERO_RETURN:
96f5fe4c
JH
3035 log_write(0, LOG_MAIN, "SSL channel closed on write");
3036 return -1;
059ec3d9 3037
817d9f57 3038 case SSL_ERROR_SYSCALL:
96f5fe4c
JH
3039 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
3040 sender_fullhost ? sender_fullhost : US"<unknown>",
3041 strerror(errno));
3042 return -1;
817d9f57 3043
059ec3d9 3044 default:
96f5fe4c
JH
3045 log_write(0, LOG_MAIN, "SSL_write error %d", error);
3046 return -1;
059ec3d9
PH
3047 }
3048 }
ac35befe 3049return olen;
059ec3d9
PH
3050}
3051
3052
3053
3054/*************************************************
3055* Close down a TLS session *
3056*************************************************/
3057
3058/* This is also called from within a delivery subprocess forked from the
3059daemon, to shut down the TLS library, without actually doing a shutdown (which
3060would tamper with the SSL session in the parent process).
3061
dec766a1 3062Arguments:
74f1a423 3063 ct_ctx client TLS context pointer, or NULL for the one global server context
dec766a1
WB
3064 shutdown 1 if TLS close-alert is to be sent,
3065 2 if also response to be waited for
3066
059ec3d9 3067Returns: nothing
817d9f57
JH
3068
3069Used by both server-side and client-side TLS.
059ec3d9
PH
3070*/
3071
3072void
74f1a423 3073tls_close(void * ct_ctx, int shutdown)
059ec3d9 3074{
74f1a423
JH
3075exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
3076SSL_CTX **ctxp = o_ctx ? &o_ctx->ctx : &server_ctx;
3077SSL **sslp = o_ctx ? &o_ctx->ssl : &server_ssl;
3078int *fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
817d9f57
JH
3079
3080if (*fdp < 0) return; /* TLS was not active */
059ec3d9
PH
3081
3082if (shutdown)
3083 {
dec766a1
WB
3084 int rc;
3085 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
3086 shutdown > 1 ? " (with response-wait)" : "");
3087
3088 if ( (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */
3089 && shutdown > 1)
3090 {
c2a1bba0 3091 ALARM(2);
dec766a1 3092 rc = SSL_shutdown(*sslp); /* wait for response */
c2a1bba0 3093 ALARM_CLR(0);
dec766a1
WB
3094 }
3095
3096 if (rc < 0) DEBUG(D_tls)
3097 {
0abc5a13 3098 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
dec766a1
WB
3099 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
3100 }
3101 }
3102
37f0ce65 3103#ifndef DISABLE_OCSP
74f1a423 3104if (!o_ctx) /* server side */
dec766a1
WB
3105 {
3106 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
dec766a1 3107 server_static_cbinfo->verify_stack = NULL;
059ec3d9 3108 }
37f0ce65 3109#endif
059ec3d9 3110
dec766a1 3111SSL_CTX_free(*ctxp);
817d9f57 3112SSL_free(*sslp);
dec766a1 3113*ctxp = NULL;
817d9f57 3114*sslp = NULL;
817d9f57 3115*fdp = -1;
059ec3d9
PH
3116}
3117
36f12725
NM
3118
3119
3120
3121/*************************************************
3375e053
PP
3122* Let tls_require_ciphers be checked at startup *
3123*************************************************/
3124
3125/* The tls_require_ciphers option, if set, must be something which the
3126library can parse.
3127
3128Returns: NULL on success, or error message
3129*/
3130
3131uschar *
3132tls_validate_require_cipher(void)
3133{
3134SSL_CTX *ctx;
3135uschar *s, *expciphers, *err;
3136
3137/* this duplicates from tls_init(), we need a better "init just global
3138state, for no specific purpose" singleton function of our own */
3139
7434882d 3140#ifdef EXIM_NEED_OPENSSL_INIT
3375e053
PP
3141SSL_load_error_strings();
3142OpenSSL_add_ssl_algorithms();
7434882d 3143#endif
3375e053
PP
3144#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
3145/* SHA256 is becoming ever more popular. This makes sure it gets added to the
3146list of available digests. */
3147EVP_add_digest(EVP_sha256());
3148#endif
3149
3150if (!(tls_require_ciphers && *tls_require_ciphers))
3151 return NULL;
3152
cf0c6164
JH
3153if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3154 &err))
3375e053
PP
3155 return US"failed to expand tls_require_ciphers";
3156
3157if (!(expciphers && *expciphers))
3158 return NULL;
3159
3160/* normalisation ripped from above */
3161s = expciphers;
3162while (*s != 0) { if (*s == '_') *s = '-'; s++; }
3163
3164err = NULL;
3165
7a8b9519
JH
3166#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
3167if (!(ctx = SSL_CTX_new(TLS_server_method())))
3168#else
3169if (!(ctx = SSL_CTX_new(SSLv23_server_method())))
3170#endif
3375e053 3171 {
0abc5a13 3172 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3375e053
PP
3173 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
3174 }
3175
3176DEBUG(D_tls)
3177 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3178
3179if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
3180 {
0abc5a13 3181 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
cf0c6164
JH
3182 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
3183 expciphers, ssl_errstring);
3375e053
PP
3184 }
3185
3186SSL_CTX_free(ctx);
3187
3188return err;
3189}
3190
3191
3192
3193
3194/*************************************************
36f12725
NM
3195* Report the library versions. *
3196*************************************************/
3197
3198/* There have historically been some issues with binary compatibility in
3199OpenSSL libraries; if Exim (like many other applications) is built against
3200one version of OpenSSL but the run-time linker picks up another version,
3201it can result in serious failures, including crashing with a SIGSEGV. So
3202report the version found by the compiler and the run-time version.
3203
f64a1e23
PP
3204Note: some OS vendors backport security fixes without changing the version
3205number/string, and the version date remains unchanged. The _build_ date
3206will change, so we can more usefully assist with version diagnosis by also
3207reporting the build date.
3208
36f12725
NM
3209Arguments: a FILE* to print the results to
3210Returns: nothing
3211*/
3212
3213void
3214tls_version_report(FILE *f)
3215{
754a0503 3216fprintf(f, "Library version: OpenSSL: Compile: %s\n"
f64a1e23
PP
3217 " Runtime: %s\n"
3218 " : %s\n",
754a0503 3219 OPENSSL_VERSION_TEXT,
f64a1e23
PP
3220 SSLeay_version(SSLEAY_VERSION),
3221 SSLeay_version(SSLEAY_BUILT_ON));
3222/* third line is 38 characters for the %s and the line is 73 chars long;
3223the OpenSSL output includes a "built on: " prefix already. */
36f12725
NM
3224}
3225
9e3331ea
TK
3226
3227
3228
3229/*************************************************
17c76198 3230* Random number generation *
9e3331ea
TK
3231*************************************************/
3232
3233/* Pseudo-random number generation. The result is not expected to be
3234cryptographically strong but not so weak that someone will shoot themselves
3235in the foot using it as a nonce in input in some email header scheme or
3236whatever weirdness they'll twist this into. The result should handle fork()
3237and avoid repeating sequences. OpenSSL handles that for us.
3238
3239Arguments:
3240 max range maximum
3241Returns a random number in range [0, max-1]
3242*/
3243
3244int
17c76198 3245vaguely_random_number(int max)
9e3331ea
TK
3246{
3247unsigned int r;
3248int i, needed_len;
de6135a0
PP
3249static pid_t pidlast = 0;
3250pid_t pidnow;
9e3331ea
TK
3251uschar smallbuf[sizeof(r)];
3252
3253if (max <= 1)
3254 return 0;
3255
de6135a0
PP
3256pidnow = getpid();
3257if (pidnow != pidlast)
3258 {
3259