minor tidying
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
3386088d 5/* Copyright (c) University of Cambridge 1995 - 2015 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
f5d78688
JH
8/* Portions Copyright (c) The OpenSSL Project 1999 */
9
059ec3d9
PH
10/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11library. It is #included into the tls.c file when that library is used. The
12code herein is based on a patch that was originally contributed by Steve
13Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL library. */
17
18
19/* Heading stuff */
20
21#include <openssl/lhash.h>
22#include <openssl/ssl.h>
23#include <openssl/err.h>
24#include <openssl/rand.h>
f2de3a33 25#ifndef DISABLE_OCSP
e51c7be2 26# include <openssl/ocsp.h>
3f7eeb86 27#endif
85098ee7
JH
28#ifdef EXPERIMENTAL_DANE
29# include <danessl.h>
30#endif
31
3f7eeb86 32
f2de3a33
JH
33#ifndef DISABLE_OCSP
34# define EXIM_OCSP_SKEW_SECONDS (300L)
35# define EXIM_OCSP_MAX_AGE (-1L)
3f7eeb86 36#endif
059ec3d9 37
3bcbbbe2 38#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
e51c7be2 39# define EXIM_HAVE_OPENSSL_TLSEXT
3bcbbbe2 40#endif
34e3241d
PP
41
42/*
43 * X509_check_host provides sane certificate hostname checking, but was added
44 * to OpenSSL late, after other projects forked off the code-base. So in
45 * addition to guarding against the base version number, beware that LibreSSL
46 * does not (at this time) support this function.
47 *
48 * If LibreSSL gains a different API, perhaps via libtls, then we'll probably
49 * opt to disentangle and ask a LibreSSL user to provide glue for a third
50 * crypto provider for libtls instead of continuing to tie the OpenSSL glue
51 * into even twistier knots. If LibreSSL gains the same API, we can just
52 * change this guard and punt the issue for a while longer.
53 */
54#ifndef LIBRESSL_VERSION_NUMBER
55# if OPENSSL_VERSION_NUMBER >= 0x010100000L
56# define EXIM_HAVE_OPENSSL_CHECKHOST
57# endif
58# if OPENSSL_VERSION_NUMBER >= 0x010000000L \
2dfb468b 59 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
34e3241d
PP
60# define EXIM_HAVE_OPENSSL_CHECKHOST
61# endif
2dfb468b 62#endif
3bcbbbe2 63
67791ce4
JH
64#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
65# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
66# define DISABLE_OCSP
67#endif
68
059ec3d9
PH
69/* Structure for collecting random data for seeding. */
70
71typedef struct randstuff {
9e3331ea
TK
72 struct timeval tv;
73 pid_t p;
059ec3d9
PH
74} randstuff;
75
76/* Local static variables */
77
a2ff477a
JH
78static BOOL client_verify_callback_called = FALSE;
79static BOOL server_verify_callback_called = FALSE;
059ec3d9
PH
80static const uschar *sid_ctx = US"exim";
81
d4f09789
PP
82/* We have three different contexts to care about.
83
84Simple case: client, `client_ctx`
85 As a client, we can be doing a callout or cut-through delivery while receiving
86 a message. So we have a client context, which should have options initialised
87 from the SMTP Transport.
88
89Server:
90 There are two cases: with and without ServerNameIndication from the client.
91 Given TLS SNI, we can be using different keys, certs and various other
92 configuration settings, because they're re-expanded with $tls_sni set. This
93 allows vhosting with TLS. This SNI is sent in the handshake.
94 A client might not send SNI, so we need a fallback, and an initial setup too.
95 So as a server, we start out using `server_ctx`.
96 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
97 `server_sni` from `server_ctx` and then initialise settings by re-expanding
98 configuration.
99*/
100
817d9f57
JH
101static SSL_CTX *client_ctx = NULL;
102static SSL_CTX *server_ctx = NULL;
103static SSL *client_ssl = NULL;
104static SSL *server_ssl = NULL;
389ca47a 105
35731706 106#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57 107static SSL_CTX *server_sni = NULL;
35731706 108#endif
059ec3d9
PH
109
110static char ssl_errstring[256];
111
112static int ssl_session_timeout = 200;
a2ff477a
JH
113static BOOL client_verify_optional = FALSE;
114static BOOL server_verify_optional = FALSE;
059ec3d9 115
f5d78688 116static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH
117
118
7be682ca
PP
119typedef struct tls_ext_ctx_cb {
120 uschar *certificate;
121 uschar *privatekey;
f2de3a33 122#ifndef DISABLE_OCSP
f5d78688
JH
123 BOOL is_server;
124 union {
125 struct {
126 uschar *file;
127 uschar *file_expanded;
128 OCSP_RESPONSE *response;
129 } server;
130 struct {
44662487
JH
131 X509_STORE *verify_store; /* non-null if status requested */
132 BOOL verify_required;
f5d78688
JH
133 } client;
134 } u_ocsp;
3f7eeb86 135#endif
7be682ca
PP
136 uschar *dhparam;
137 /* these are cached from first expand */
138 uschar *server_cipher_list;
139 /* only passed down to tls_error: */
140 host_item *host;
55414b25 141 const uschar * verify_cert_hostnames;
774ef2d7 142#ifdef EXPERIMENTAL_EVENT
a7538db1
JH
143 uschar * event_action;
144#endif
7be682ca
PP
145} tls_ext_ctx_cb;
146
147/* should figure out a cleanup of API to handle state preserved per
148implementation, for various reasons, which can be void * in the APIs.
149For now, we hack around it. */
817d9f57
JH
150tls_ext_ctx_cb *client_static_cbinfo = NULL;
151tls_ext_ctx_cb *server_static_cbinfo = NULL;
7be682ca
PP
152
153static int
983207c1
JH
154setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
155 int (*cert_vfy_cb)(int, X509_STORE_CTX *) );
059ec3d9 156
3f7eeb86 157/* Callbacks */
3bcbbbe2 158#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f7eeb86 159static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
3bcbbbe2 160#endif
f2de3a33 161#ifndef DISABLE_OCSP
f5d78688 162static int tls_server_stapling_cb(SSL *s, void *arg);
3f7eeb86
PP
163#endif
164
059ec3d9
PH
165
166/*************************************************
167* Handle TLS error *
168*************************************************/
169
170/* Called from lots of places when errors occur before actually starting to do
171the TLS handshake, that is, while the session is still in clear. Always returns
172DEFER for a server and FAIL for a client so that most calls can use "return
173tls_error(...)" to do this processing and then give an appropriate return. A
174single function is used for both server and client, because it is called from
175some shared functions.
176
177Argument:
178 prefix text to include in the logged error
179 host NULL if setting up a server;
180 the connected host if setting up a client
7199e1ee 181 msg error message or NULL if we should ask OpenSSL
059ec3d9
PH
182
183Returns: OK/DEFER/FAIL
184*/
185
186static int
b8b1b5cb 187tls_error(uschar * prefix, const host_item * host, uschar * msg)
059ec3d9 188{
c562fd30 189if (!msg)
7199e1ee
TF
190 {
191 ERR_error_string(ERR_get_error(), ssl_errstring);
5ca6d115 192 msg = (uschar *)ssl_errstring;
7199e1ee
TF
193 }
194
c562fd30
JH
195if (host)
196 {
197 log_write(0, LOG_MAIN, "H=%s [%s] TLS error on connection (%s): %s",
198 host->name, host->address, prefix, msg);
199 return FAIL;
200 }
201else
059ec3d9 202 {
7199e1ee 203 uschar *conn_info = smtp_get_connection_info();
5ca6d115 204 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
7199e1ee 205 conn_info += 5;
c562fd30 206 /* I'd like to get separated H= here, but too hard for now */
7199e1ee
TF
207 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
208 conn_info, prefix, msg);
059ec3d9
PH
209 return DEFER;
210 }
059ec3d9
PH
211}
212
213
214
215/*************************************************
216* Callback to generate RSA key *
217*************************************************/
218
219/*
220Arguments:
221 s SSL connection
222 export not used
223 keylength keylength
224
225Returns: pointer to generated key
226*/
227
228static RSA *
229rsa_callback(SSL *s, int export, int keylength)
230{
231RSA *rsa_key;
232export = export; /* Shut picky compilers up */
233DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
234rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
235if (rsa_key == NULL)
236 {
237 ERR_error_string(ERR_get_error(), ssl_errstring);
238 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
239 ssl_errstring);
240 return NULL;
241 }
242return rsa_key;
243}
244
245
246
f5d78688 247/* Extreme debug
f2de3a33 248#ifndef DISABLE_OCSP
f5d78688
JH
249void
250x509_store_dump_cert_s_names(X509_STORE * store)
251{
252STACK_OF(X509_OBJECT) * roots= store->objs;
253int i;
254static uschar name[256];
255
256for(i= 0; i<sk_X509_OBJECT_num(roots); i++)
257 {
258 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
259 if(tmp_obj->type == X509_LU_X509)
260 {
261 X509 * current_cert= tmp_obj->data.x509;
262 X509_NAME_oneline(X509_get_subject_name(current_cert), CS name, sizeof(name));
f69979cf 263 name[sizeof(name)-1] = '\0';
f5d78688
JH
264 debug_printf(" %s\n", name);
265 }
266 }
267}
268#endif
269*/
270
059ec3d9 271
f69979cf
JH
272#ifdef EXPERIMENTAL_EVENT
273static int
274verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
275 BOOL *calledp, const BOOL *optionalp, const uschar * what)
276{
277uschar * ev;
278uschar * yield;
279X509 * old_cert;
280
281ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
282if (ev)
283 {
284 old_cert = tlsp->peercert;
285 tlsp->peercert = X509_dup(cert);
286 /* NB we do not bother setting peerdn */
287 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
288 {
289 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
290 "depth=%d cert=%s: %s",
291 tlsp == &tls_out ? deliver_host_address : sender_host_address,
292 what, depth, dn, yield);
293 *calledp = TRUE;
294 if (!*optionalp)
295 {
296 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
297 return 1; /* reject (leaving peercert set) */
298 }
299 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
300 "(host in tls_try_verify_hosts)\n");
301 }
302 X509_free(tlsp->peercert);
303 tlsp->peercert = old_cert;
304 }
305return 0;
306}
307#endif
308
059ec3d9
PH
309/*************************************************
310* Callback for verification *
311*************************************************/
312
313/* The SSL library does certificate verification if set up to do so. This
314callback has the current yes/no state is in "state". If verification succeeded,
f69979cf
JH
315we set the certificate-verified flag. If verification failed, what happens
316depends on whether the client is required to present a verifiable certificate
317or not.
059ec3d9
PH
318
319If verification is optional, we change the state to yes, but still log the
320verification error. For some reason (it really would help to have proper
321documentation of OpenSSL), this callback function then gets called again, this
f69979cf
JH
322time with state = 1. We must take care not to set the private verified flag on
323the second time through.
059ec3d9
PH
324
325Note: this function is not called if the client fails to present a certificate
326when asked. We get here only if a certificate has been received. Handling of
327optional verification for this case is done when requesting SSL to verify, by
328setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
329
a7538db1
JH
330May be called multiple times for different issues with a certificate, even
331for a given "depth" in the certificate chain.
332
059ec3d9
PH
333Arguments:
334 state current yes/no state as 1/0
335 x509ctx certificate information.
a2ff477a 336 client TRUE for client startup, FALSE for server startup
059ec3d9
PH
337
338Returns: 1 if verified, 0 if not
339*/
340
341static int
421aff85
JH
342verify_callback(int state, X509_STORE_CTX *x509ctx,
343 tls_support *tlsp, BOOL *calledp, BOOL *optionalp)
059ec3d9 344{
421aff85 345X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
a7538db1 346int depth = X509_STORE_CTX_get_error_depth(x509ctx);
f69979cf 347uschar dn[256];
059ec3d9 348
f69979cf
JH
349X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
350dn[sizeof(dn)-1] = '\0';
059ec3d9
PH
351
352if (state == 0)
353 {
4c01d6ab
JH
354 log_write(0, LOG_MAIN, "[%s] SSL verify error: depth=%d error=%s cert=%s",
355 tlsp == &tls_out ? deliver_host_address : sender_host_address,
a7538db1 356 depth,
421aff85 357 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)),
f69979cf 358 dn);
a2ff477a 359 *calledp = TRUE;
9d1c15ef
JH
360 if (!*optionalp)
361 {
f69979cf
JH
362 if (!tlsp->peercert)
363 tlsp->peercert = X509_dup(cert); /* record failing cert */
364 return 0; /* reject */
9d1c15ef 365 }
059ec3d9
PH
366 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
367 "tls_try_verify_hosts)\n");
059ec3d9
PH
368 }
369
a7538db1 370else if (depth != 0)
059ec3d9 371 {
f69979cf 372 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
f2de3a33 373#ifndef DISABLE_OCSP
f5d78688
JH
374 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
375 { /* client, wanting stapling */
376 /* Add the server cert's signing chain as the one
377 for the verification of the OCSP stapled information. */
378
379 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
421aff85 380 cert))
f5d78688
JH
381 ERR_clear_error();
382 }
383#endif
774ef2d7 384#ifdef EXPERIMENTAL_EVENT
f69979cf
JH
385 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
386 return 0; /* reject, with peercert set */
a7538db1 387#endif
059ec3d9
PH
388 }
389else
390 {
55414b25 391 const uschar * verify_cert_hostnames;
e51c7be2 392
e51c7be2
JH
393 if ( tlsp == &tls_out
394 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
395 /* client, wanting hostname check */
e51c7be2 396 {
f69979cf 397
740f36d4 398#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
f69979cf
JH
399# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
400# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
401# endif
402# ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
403# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
404# endif
e51c7be2 405 int sep = 0;
55414b25 406 const uschar * list = verify_cert_hostnames;
e51c7be2 407 uschar * name;
d8e7834a
JH
408 int rc;
409 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
410 if ((rc = X509_check_host(cert, name, 0,
8d692470 411 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
740f36d4
JH
412 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
413 NULL)))
d8e7834a
JH
414 {
415 if (rc < 0)
416 {
93a6fce2 417 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
4c01d6ab 418 tlsp == &tls_out ? deliver_host_address : sender_host_address);
d8e7834a
JH
419 name = NULL;
420 }
e51c7be2 421 break;
d8e7834a 422 }
e51c7be2 423 if (!name)
f69979cf 424#else
e51c7be2 425 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
f69979cf 426#endif
e51c7be2
JH
427 {
428 log_write(0, LOG_MAIN,
93a6fce2 429 "[%s] SSL verify error: certificate name mismatch: \"%s\"",
4c01d6ab 430 tlsp == &tls_out ? deliver_host_address : sender_host_address,
f69979cf 431 dn);
a3ef7310
JH
432 *calledp = TRUE;
433 if (!*optionalp)
f69979cf
JH
434 {
435 if (!tlsp->peercert)
436 tlsp->peercert = X509_dup(cert); /* record failing cert */
437 return 0; /* reject */
438 }
a3ef7310
JH
439 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
440 "tls_try_verify_hosts)\n");
e51c7be2 441 }
f69979cf 442 }
e51c7be2 443
774ef2d7 444#ifdef EXPERIMENTAL_EVENT
f69979cf
JH
445 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
446 return 0; /* reject, with peercert set */
e51c7be2
JH
447#endif
448
93dcb1c2 449 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
f69979cf 450 *calledp ? "" : " authenticated", dn);
93dcb1c2
JH
451 if (!*calledp) tlsp->certificate_verified = TRUE;
452 *calledp = TRUE;
059ec3d9
PH
453 }
454
a7538db1 455return 1; /* accept, at least for this level */
059ec3d9
PH
456}
457
a2ff477a
JH
458static int
459verify_callback_client(int state, X509_STORE_CTX *x509ctx)
460{
f5d78688 461return verify_callback(state, x509ctx, &tls_out, &client_verify_callback_called, &client_verify_optional);
a2ff477a
JH
462}
463
464static int
465verify_callback_server(int state, X509_STORE_CTX *x509ctx)
466{
f5d78688 467return verify_callback(state, x509ctx, &tls_in, &server_verify_callback_called, &server_verify_optional);
a2ff477a
JH
468}
469
059ec3d9 470
e5cccda9 471#ifdef EXPERIMENTAL_DANE
53a7196b 472
e5cccda9
JH
473/* This gets called *by* the dane library verify callback, which interposes
474itself.
475*/
476static int
477verify_callback_client_dane(int state, X509_STORE_CTX * x509ctx)
478{
479X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
f69979cf 480uschar dn[256];
774ef2d7 481#ifdef EXPERIMENTAL_EVENT
83b27293 482int depth = X509_STORE_CTX_get_error_depth(x509ctx);
f69979cf 483BOOL dummy_called, optional = FALSE;
83b27293 484#endif
e5cccda9 485
f69979cf
JH
486X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
487dn[sizeof(dn)-1] = '\0';
e5cccda9 488
f69979cf 489DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s\n", dn);
e5cccda9 490
774ef2d7 491#ifdef EXPERIMENTAL_EVENT
f69979cf
JH
492 if (verify_event(&tls_out, cert, depth, dn,
493 &dummy_called, &optional, US"DANE"))
494 return 0; /* reject, with peercert set */
83b27293
JH
495#endif
496
e5cccda9 497if (state == 1)
53a7196b 498 tls_out.dane_verified =
e5cccda9
JH
499 tls_out.certificate_verified = TRUE;
500return 1;
501}
53a7196b
JH
502
503#endif /*EXPERIMENTAL_DANE*/
e5cccda9 504
059ec3d9
PH
505
506/*************************************************
507* Information callback *
508*************************************************/
509
510/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP
511are doing. We copy the string to the debugging output when TLS debugging has
512been requested.
059ec3d9
PH
513
514Arguments:
515 s the SSL connection
516 where
517 ret
518
519Returns: nothing
520*/
521
522static void
523info_callback(SSL *s, int where, int ret)
524{
525where = where;
526ret = ret;
527DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
528}
529
530
531
532/*************************************************
533* Initialize for DH *
534*************************************************/
535
536/* If dhparam is set, expand it, and load up the parameters for DH encryption.
537
538Arguments:
038597d2 539 sctx The current SSL CTX (inbound or outbound)
a799883d 540 dhparam DH parameter file or fixed parameter identity string
7199e1ee 541 host connected host, if client; NULL if server
059ec3d9
PH
542
543Returns: TRUE if OK (nothing to set up, or setup worked)
544*/
545
546static BOOL
b8b1b5cb 547init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host)
059ec3d9 548{
059ec3d9
PH
549BIO *bio;
550DH *dh;
551uschar *dhexpanded;
a799883d 552const char *pem;
059ec3d9
PH
553
554if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
555 return FALSE;
556
0df4ab80 557if (!dhexpanded || !*dhexpanded)
a799883d 558 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
a799883d 559else if (dhexpanded[0] == '/')
059ec3d9 560 {
0df4ab80 561 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
059ec3d9 562 {
7199e1ee 563 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
a799883d
PP
564 host, US strerror(errno));
565 return FALSE;
059ec3d9 566 }
a799883d
PP
567 }
568else
569 {
570 if (Ustrcmp(dhexpanded, "none") == 0)
059ec3d9 571 {
a799883d
PP
572 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
573 return TRUE;
059ec3d9 574 }
a799883d 575
0df4ab80 576 if (!(pem = std_dh_prime_named(dhexpanded)))
a799883d
PP
577 {
578 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
579 host, US strerror(errno));
580 return FALSE;
581 }
582 bio = BIO_new_mem_buf(CS pem, -1);
583 }
584
0df4ab80 585if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
a799883d 586 {
059ec3d9 587 BIO_free(bio);
a799883d
PP
588 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
589 host, NULL);
590 return FALSE;
591 }
592
593/* Even if it is larger, we silently return success rather than cause things
594 * to fail out, so that a too-large DH will not knock out all TLS; it's a
595 * debatable choice. */
596if ((8*DH_size(dh)) > tls_dh_max_bits)
597 {
598 DEBUG(D_tls)
599 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d",
600 8*DH_size(dh), tls_dh_max_bits);
601 }
602else
603 {
604 SSL_CTX_set_tmp_dh(sctx, dh);
605 DEBUG(D_tls)
606 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
607 dhexpanded ? dhexpanded : US"default", 8*DH_size(dh));
059ec3d9
PH
608 }
609
a799883d
PP
610DH_free(dh);
611BIO_free(bio);
612
613return TRUE;
059ec3d9
PH
614}
615
616
617
618
038597d2
PP
619/*************************************************
620* Initialize for ECDH *
621*************************************************/
622
623/* Load parameters for ECDH encryption.
624
625For now, we stick to NIST P-256 because: it's simple and easy to configure;
626it avoids any patent issues that might bite redistributors; despite events in
627the news and concerns over curve choices, we're not cryptographers, we're not
628pretending to be, and this is "good enough" to be better than no support,
629protecting against most adversaries. Given another year or two, there might
630be sufficient clarity about a "right" way forward to let us make an informed
631decision, instead of a knee-jerk reaction.
632
633Longer-term, we should look at supporting both various named curves and
634external files generated with "openssl ecparam", much as we do for init_dh().
635We should also support "none" as a value, to explicitly avoid initialisation.
636
637Patches welcome.
638
639Arguments:
640 sctx The current SSL CTX (inbound or outbound)
641 host connected host, if client; NULL if server
642
643Returns: TRUE if OK (nothing to set up, or setup worked)
644*/
645
646static BOOL
647init_ecdh(SSL_CTX *sctx, host_item *host)
648{
649if (host) /* No ECDH setup for clients, only for servers */
650 return TRUE;
651
652#ifndef SSL_CTX_set_tmp_ecdh
653/* No elliptic curve API in OpenSSL, skip it */
654DEBUG(D_tls)
655 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
656return TRUE;
657#else
658# ifndef NID_X9_62_prime256v1
659/* For now, stick to NIST P-256 to get "something" running.
660If that's not available, bail */
661DEBUG(D_tls)
662 debug_printf("NIST P-256 EC curve not available, skipping ECDH setup\n");
663return TRUE;
664# else
665 {
666 EC_KEY * ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
667 BOOL rv;
668
669 /* The "tmp" in the name here refers to setting a tempoary key
670 not to the stability of the interface. */
671
672 if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) != 0))
673 {
674 DEBUG(D_tls) debug_printf("ECDH: enable NIST P-256 curve\n");
675 }
676 else
677 tls_error(US"Error enabling NIST P-256 curve", host, NULL);
678 EC_KEY_free(ecdh);
679 return rv;
680 }
681# endif
682#endif
683}
684
685
686
687
f2de3a33 688#ifndef DISABLE_OCSP
3f7eeb86
PP
689/*************************************************
690* Load OCSP information into state *
691*************************************************/
692
f5d78688 693/* Called to load the server OCSP response from the given file into memory, once
3f7eeb86
PP
694caller has determined this is needed. Checks validity. Debugs a message
695if invalid.
696
697ASSUMES: single response, for single cert.
698
699Arguments:
700 sctx the SSL_CTX* to update
701 cbinfo various parts of session state
702 expanded the filename putatively holding an OCSP response
703
704*/
705
706static void
f5d78688 707ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
3f7eeb86
PP
708{
709BIO *bio;
710OCSP_RESPONSE *resp;
711OCSP_BASICRESP *basic_response;
712OCSP_SINGLERESP *single_response;
713ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
714X509_STORE *store;
715unsigned long verify_flags;
716int status, reason, i;
717
f5d78688
JH
718cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
719if (cbinfo->u_ocsp.server.response)
3f7eeb86 720 {
f5d78688
JH
721 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
722 cbinfo->u_ocsp.server.response = NULL;
3f7eeb86
PP
723 }
724
f5d78688 725bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb");
3f7eeb86
PP
726if (!bio)
727 {
728 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
f5d78688 729 cbinfo->u_ocsp.server.file_expanded);
3f7eeb86
PP
730 return;
731 }
732
733resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
734BIO_free(bio);
735if (!resp)
736 {
737 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
738 return;
739 }
740
741status = OCSP_response_status(resp);
742if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
743 {
744 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
745 OCSP_response_status_str(status), status);
f5d78688 746 goto bad;
3f7eeb86
PP
747 }
748
749basic_response = OCSP_response_get1_basic(resp);
750if (!basic_response)
751 {
752 DEBUG(D_tls)
753 debug_printf("OCSP response parse error: unable to extract basic response.\n");
f5d78688 754 goto bad;
3f7eeb86
PP
755 }
756
757store = SSL_CTX_get_cert_store(sctx);
758verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
759
760/* May need to expose ability to adjust those flags?
761OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
762OCSP_TRUSTOTHER OCSP_NOINTERN */
763
764i = OCSP_basic_verify(basic_response, NULL, store, verify_flags);
765if (i <= 0)
766 {
767 DEBUG(D_tls) {
768 ERR_error_string(ERR_get_error(), ssl_errstring);
769 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
f5d78688
JH
770 }
771 goto bad;
3f7eeb86
PP
772 }
773
774/* Here's the simplifying assumption: there's only one response, for the
775one certificate we use, and nothing for anything else in a chain. If this
776proves false, we need to extract a cert id from our issued cert
777(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
778right cert in the stack and then calls OCSP_single_get0_status()).
779
780I'm hoping to avoid reworking a bunch more of how we handle state here. */
781single_response = OCSP_resp_get0(basic_response, 0);
782if (!single_response)
783 {
784 DEBUG(D_tls)
785 debug_printf("Unable to get first response from OCSP basic response.\n");
f5d78688 786 goto bad;
3f7eeb86
PP
787 }
788
789status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
f5d78688 790if (status != V_OCSP_CERTSTATUS_GOOD)
3f7eeb86 791 {
f5d78688
JH
792 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
793 OCSP_cert_status_str(status), status,
794 OCSP_crl_reason_str(reason), reason);
795 goto bad;
3f7eeb86
PP
796 }
797
798if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
799 {
800 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
f5d78688 801 goto bad;
3f7eeb86
PP
802 }
803
f5d78688 804supply_response:
018058b2 805 cbinfo->u_ocsp.server.response = resp;
f5d78688
JH
806return;
807
808bad:
018058b2
JH
809 if (running_in_test_harness)
810 {
811 extern char ** environ;
812 uschar ** p;
813 for (p = USS environ; *p != NULL; p++)
814 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
815 {
816 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
817 goto supply_response;
818 }
819 }
f5d78688 820return;
3f7eeb86 821}
f2de3a33 822#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
823
824
825
826
059ec3d9 827/*************************************************
7be682ca
PP
828* Expand key and cert file specs *
829*************************************************/
830
f5d78688 831/* Called once during tls_init and possibly again during TLS setup, for a
7be682ca
PP
832new context, if Server Name Indication was used and tls_sni was seen in
833the certificate string.
834
835Arguments:
836 sctx the SSL_CTX* to update
837 cbinfo various parts of session state
838
839Returns: OK/DEFER/FAIL
840*/
841
842static int
3f7eeb86 843tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo)
7be682ca
PP
844{
845uschar *expanded;
846
847if (cbinfo->certificate == NULL)
848 return OK;
849
d9b2312b
JH
850if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
851 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
852 Ustrstr(cbinfo->certificate, US"tls_out_sni")
853 )
7be682ca
PP
854 reexpand_tls_files_for_sni = TRUE;
855
856if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
857 return DEFER;
858
859if (expanded != NULL)
860 {
861 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
862 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
863 return tls_error(string_sprintf(
864 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
865 cbinfo->host, NULL);
866 }
867
868if (cbinfo->privatekey != NULL &&
869 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
870 return DEFER;
871
872/* If expansion was forced to fail, key_expanded will be NULL. If the result
873of the expansion is an empty string, ignore it also, and assume the private
874key is in the same file as the certificate. */
875
876if (expanded != NULL && *expanded != 0)
877 {
878 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
879 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
880 return tls_error(string_sprintf(
881 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
882 }
883
f2de3a33 884#ifndef DISABLE_OCSP
f5d78688 885if (cbinfo->is_server && cbinfo->u_ocsp.server.file != NULL)
3f7eeb86 886 {
f5d78688 887 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded))
3f7eeb86
PP
888 return DEFER;
889
890 if (expanded != NULL && *expanded != 0)
891 {
892 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
f5d78688
JH
893 if (cbinfo->u_ocsp.server.file_expanded &&
894 (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
3f7eeb86
PP
895 {
896 DEBUG(D_tls)
897 debug_printf("tls_ocsp_file value unchanged, using existing values.\n");
898 } else {
899 ocsp_load_response(sctx, cbinfo, expanded);
900 }
901 }
902 }
903#endif
904
7be682ca
PP
905return OK;
906}
907
908
909
910
911/*************************************************
912* Callback to handle SNI *
913*************************************************/
914
915/* Called when acting as server during the TLS session setup if a Server Name
916Indication extension was sent by the client.
917
918API documentation is OpenSSL s_server.c implementation.
919
920Arguments:
921 s SSL* of the current session
922 ad unknown (part of OpenSSL API) (unused)
923 arg Callback of "our" registered data
924
925Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
926*/
927
3bcbbbe2 928#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca 929static int
7be682ca
PP
930tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
931{
932const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3f7eeb86 933tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
7be682ca 934int rc;
3f0945ff 935int old_pool = store_pool;
7be682ca
PP
936
937if (!servername)
938 return SSL_TLSEXT_ERR_OK;
939
3f0945ff 940DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
7be682ca
PP
941 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
942
943/* Make the extension value available for expansion */
3f0945ff 944store_pool = POOL_PERM;
817d9f57 945tls_in.sni = string_copy(US servername);
3f0945ff 946store_pool = old_pool;
7be682ca
PP
947
948if (!reexpand_tls_files_for_sni)
949 return SSL_TLSEXT_ERR_OK;
950
951/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
952not confident that memcpy wouldn't break some internal reference counting.
953Especially since there's a references struct member, which would be off. */
954
0df4ab80 955if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
7be682ca
PP
956 {
957 ERR_error_string(ERR_get_error(), ssl_errstring);
958 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
959 return SSL_TLSEXT_ERR_NOACK;
960 }
961
962/* Not sure how many of these are actually needed, since SSL object
963already exists. Might even need this selfsame callback, for reneg? */
964
817d9f57
JH
965SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
966SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
967SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
968SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
969SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
970SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
038597d2
PP
971
972if ( !init_dh(server_sni, cbinfo->dhparam, NULL)
973 || !init_ecdh(server_sni, NULL)
974 )
975 return SSL_TLSEXT_ERR_NOACK;
976
7be682ca 977if (cbinfo->server_cipher_list)
817d9f57 978 SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
f2de3a33 979#ifndef DISABLE_OCSP
f5d78688 980if (cbinfo->u_ocsp.server.file)
3f7eeb86 981 {
f5d78688 982 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
14c7b357 983 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
3f7eeb86
PP
984 }
985#endif
7be682ca 986
983207c1 987rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE, verify_callback_server);
7be682ca
PP
988if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
989
3f7eeb86
PP
990/* do this after setup_certs, because this can require the certs for verifying
991OCSP information. */
038597d2 992if ((rc = tls_expand_session_files(server_sni, cbinfo)) != OK)
0df4ab80 993 return SSL_TLSEXT_ERR_NOACK;
a799883d 994
7be682ca 995DEBUG(D_tls) debug_printf("Switching SSL context.\n");
817d9f57 996SSL_set_SSL_CTX(s, server_sni);
7be682ca
PP
997
998return SSL_TLSEXT_ERR_OK;
999}
3bcbbbe2 1000#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
7be682ca
PP
1001
1002
1003
1004
f2de3a33 1005#ifndef DISABLE_OCSP
f5d78688 1006
3f7eeb86
PP
1007/*************************************************
1008* Callback to handle OCSP Stapling *
1009*************************************************/
1010
1011/* Called when acting as server during the TLS session setup if the client
1012requests OCSP information with a Certificate Status Request.
1013
1014Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1015project.
1016
1017*/
1018
1019static int
f5d78688 1020tls_server_stapling_cb(SSL *s, void *arg)
3f7eeb86
PP
1021{
1022const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
1023uschar *response_der;
1024int response_der_len;
1025
af4a1bca 1026DEBUG(D_tls)
b3ef41c9 1027 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
f5d78688
JH
1028 cbinfo->u_ocsp.server.response ? "have" : "lack");
1029
44662487 1030tls_in.ocsp = OCSP_NOT_RESP;
f5d78688 1031if (!cbinfo->u_ocsp.server.response)
3f7eeb86
PP
1032 return SSL_TLSEXT_ERR_NOACK;
1033
1034response_der = NULL;
44662487
JH
1035response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response,
1036 &response_der);
3f7eeb86
PP
1037if (response_der_len <= 0)
1038 return SSL_TLSEXT_ERR_NOACK;
1039
5e55c7a9 1040SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
44662487 1041tls_in.ocsp = OCSP_VFIED;
3f7eeb86
PP
1042return SSL_TLSEXT_ERR_OK;
1043}
1044
3f7eeb86 1045
f5d78688
JH
1046static void
1047time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1048{
1049BIO_printf(bp, "\t%s: ", str);
1050ASN1_GENERALIZEDTIME_print(bp, time);
1051BIO_puts(bp, "\n");
1052}
1053
1054static int
1055tls_client_stapling_cb(SSL *s, void *arg)
1056{
1057tls_ext_ctx_cb * cbinfo = arg;
1058const unsigned char * p;
1059int len;
1060OCSP_RESPONSE * rsp;
1061OCSP_BASICRESP * bs;
1062int i;
1063
1064DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1065len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1066if(!p)
1067 {
44662487
JH
1068 /* Expect this when we requested ocsp but got none */
1069 if ( cbinfo->u_ocsp.client.verify_required
1070 && log_extra_selector & LX_tls_cipher)
1071 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
f5d78688
JH
1072 else
1073 DEBUG(D_tls) debug_printf(" null\n");
44662487 1074 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688 1075 }
018058b2 1076
f5d78688
JH
1077if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1078 {
018058b2 1079 tls_out.ocsp = OCSP_FAILED;
f5d78688 1080 if (log_extra_selector & LX_tls_cipher)
1eca31ca 1081 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
f5d78688
JH
1082 else
1083 DEBUG(D_tls) debug_printf(" parse error\n");
1084 return 0;
1085 }
1086
1087if(!(bs = OCSP_response_get1_basic(rsp)))
1088 {
018058b2 1089 tls_out.ocsp = OCSP_FAILED;
f5d78688 1090 if (log_extra_selector & LX_tls_cipher)
1eca31ca 1091 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
f5d78688
JH
1092 else
1093 DEBUG(D_tls) debug_printf(" error parsing response\n");
1094 OCSP_RESPONSE_free(rsp);
1095 return 0;
1096 }
1097
1098/* We'd check the nonce here if we'd put one in the request. */
1099/* However that would defeat cacheability on the server so we don't. */
1100
f5d78688
JH
1101/* This section of code reworked from OpenSSL apps source;
1102 The OpenSSL Project retains copyright:
1103 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1104*/
1105 {
1106 BIO * bp = NULL;
f5d78688
JH
1107 int status, reason;
1108 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1109
1110 DEBUG(D_tls) bp = BIO_new_fp(stderr, BIO_NOCLOSE);
1111
1112 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1113
1114 /* Use the chain that verified the server cert to verify the stapled info */
1115 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1116
44662487
JH
1117 if ((i = OCSP_basic_verify(bs, NULL,
1118 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
f5d78688 1119 {
018058b2 1120 tls_out.ocsp = OCSP_FAILED;
1eca31ca
JH
1121 if (log_extra_selector & LX_tls_cipher)
1122 log_write(0, LOG_MAIN, "Received TLS cert status response, itself unverifiable");
f5d78688
JH
1123 BIO_printf(bp, "OCSP response verify failure\n");
1124 ERR_print_errors(bp);
44662487 1125 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688
JH
1126 goto out;
1127 }
1128
1129 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1130
1131 {
1132 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
1133 OCSP_SINGLERESP * single;
1134
1135 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
1136 {
018058b2 1137 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1138 log_write(0, LOG_MAIN, "OCSP stapling "
1139 "with multiple responses not handled");
1140 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688
JH
1141 goto out;
1142 }
1143 single = OCSP_resp_get0(bs, 0);
44662487
JH
1144 status = OCSP_single_get0_status(single, &reason, &rev,
1145 &thisupd, &nextupd);
f5d78688
JH
1146 }
1147
f5d78688
JH
1148 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1149 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
44662487
JH
1150 if (!OCSP_check_validity(thisupd, nextupd,
1151 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
f5d78688 1152 {
018058b2 1153 tls_out.ocsp = OCSP_FAILED;
f5d78688
JH
1154 DEBUG(D_tls) ERR_print_errors(bp);
1155 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
44662487 1156 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688 1157 }
44662487 1158 else
f5d78688 1159 {
44662487
JH
1160 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1161 OCSP_cert_status_str(status));
1162 switch(status)
1163 {
1164 case V_OCSP_CERTSTATUS_GOOD:
44662487 1165 tls_out.ocsp = OCSP_VFIED;
018058b2 1166 i = 1;
44662487
JH
1167 break;
1168 case V_OCSP_CERTSTATUS_REVOKED:
018058b2 1169 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1170 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1171 reason != -1 ? "; reason: " : "",
1172 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1173 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
1174 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1175 break;
1176 default:
018058b2 1177 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1178 log_write(0, LOG_MAIN,
1179 "Server certificate status unknown, in OCSP stapling");
1180 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1181 break;
1182 }
f5d78688
JH
1183 }
1184 out:
1185 BIO_free(bp);
1186 }
1187
1188OCSP_RESPONSE_free(rsp);
1189return i;
1190}
f2de3a33 1191#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
1192
1193
7be682ca 1194/*************************************************
059ec3d9
PH
1195* Initialize for TLS *
1196*************************************************/
1197
e51c7be2
JH
1198/* Called from both server and client code, to do preliminary initialization
1199of the library. We allocate and return a context structure.
059ec3d9
PH
1200
1201Arguments:
946ecbe0 1202 ctxp returned SSL context
059ec3d9
PH
1203 host connected host, if client; NULL if server
1204 dhparam DH parameter file
1205 certificate certificate file
1206 privatekey private key
f5d78688 1207 ocsp_file file of stapling info (server); flag for require ocsp (client)
059ec3d9 1208 addr address if client; NULL if server (for some randomness)
946ecbe0 1209 cbp place to put allocated callback context
059ec3d9
PH
1210
1211Returns: OK/DEFER/FAIL
1212*/
1213
1214static int
817d9f57 1215tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
3f7eeb86 1216 uschar *privatekey,
f2de3a33 1217#ifndef DISABLE_OCSP
3f7eeb86
PP
1218 uschar *ocsp_file,
1219#endif
817d9f57 1220 address_item *addr, tls_ext_ctx_cb ** cbp)
059ec3d9 1221{
77bb000f 1222long init_options;
7be682ca 1223int rc;
77bb000f 1224BOOL okay;
a7538db1 1225tls_ext_ctx_cb * cbinfo;
7be682ca
PP
1226
1227cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1228cbinfo->certificate = certificate;
1229cbinfo->privatekey = privatekey;
f2de3a33 1230#ifndef DISABLE_OCSP
f5d78688
JH
1231if ((cbinfo->is_server = host==NULL))
1232 {
1233 cbinfo->u_ocsp.server.file = ocsp_file;
1234 cbinfo->u_ocsp.server.file_expanded = NULL;
1235 cbinfo->u_ocsp.server.response = NULL;
1236 }
1237else
1238 cbinfo->u_ocsp.client.verify_store = NULL;
3f7eeb86 1239#endif
7be682ca 1240cbinfo->dhparam = dhparam;
0df4ab80 1241cbinfo->server_cipher_list = NULL;
7be682ca 1242cbinfo->host = host;
774ef2d7 1243#ifdef EXPERIMENTAL_EVENT
a7538db1
JH
1244cbinfo->event_action = NULL;
1245#endif
77bb000f 1246
059ec3d9
PH
1247SSL_load_error_strings(); /* basic set up */
1248OpenSSL_add_ssl_algorithms();
1249
388d6564 1250#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
77bb000f 1251/* SHA256 is becoming ever more popular. This makes sure it gets added to the
a0475b69
TK
1252list of available digests. */
1253EVP_add_digest(EVP_sha256());
cf1ef1a9 1254#endif
a0475b69 1255
f0f5a555
PP
1256/* Create a context.
1257The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1258negotiation in the different methods; as far as I can tell, the only
1259*_{server,client}_method which allows negotiation is SSLv23, which exists even
1260when OpenSSL is built without SSLv2 support.
1261By disabling with openssl_options, we can let admins re-enable with the
1262existing knob. */
059ec3d9 1263
817d9f57 1264*ctxp = SSL_CTX_new((host == NULL)?
059ec3d9
PH
1265 SSLv23_server_method() : SSLv23_client_method());
1266
817d9f57 1267if (*ctxp == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
059ec3d9
PH
1268
1269/* It turns out that we need to seed the random number generator this early in
1270order to get the full complement of ciphers to work. It took me roughly a day
1271of work to discover this by experiment.
1272
1273On systems that have /dev/urandom, SSL may automatically seed itself from
1274there. Otherwise, we have to make something up as best we can. Double check
1275afterwards. */
1276
1277if (!RAND_status())
1278 {
1279 randstuff r;
9e3331ea 1280 gettimeofday(&r.tv, NULL);
059ec3d9
PH
1281 r.p = getpid();
1282
1283 RAND_seed((uschar *)(&r), sizeof(r));
1284 RAND_seed((uschar *)big_buffer, big_buffer_size);
1285 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
1286
1287 if (!RAND_status())
7199e1ee 1288 return tls_error(US"RAND_status", host,
5ca6d115 1289 US"unable to seed random number generator");
059ec3d9
PH
1290 }
1291
1292/* Set up the information callback, which outputs if debugging is at a suitable
1293level. */
1294
f69979cf 1295DEBUG(D_tls) SSL_CTX_set_info_callback(*ctxp, (void (*)())info_callback);
059ec3d9 1296
c80c5570 1297/* Automatically re-try reads/writes after renegotiation. */
817d9f57 1298(void) SSL_CTX_set_mode(*ctxp, SSL_MODE_AUTO_RETRY);
c80c5570 1299
77bb000f
PP
1300/* Apply administrator-supplied work-arounds.
1301Historically we applied just one requested option,
1302SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1303moved to an administrator-controlled list of options to specify and
1304grandfathered in the first one as the default value for "openssl_options".
059ec3d9 1305
77bb000f
PP
1306No OpenSSL version number checks: the options we accept depend upon the
1307availability of the option value macros from OpenSSL. */
059ec3d9 1308
77bb000f
PP
1309okay = tls_openssl_options_parse(openssl_options, &init_options);
1310if (!okay)
73a46702 1311 return tls_error(US"openssl_options parsing failed", host, NULL);
77bb000f
PP
1312
1313if (init_options)
1314 {
1315 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
817d9f57 1316 if (!(SSL_CTX_set_options(*ctxp, init_options)))
77bb000f
PP
1317 return tls_error(string_sprintf(
1318 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
1319 }
1320else
1321 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9
PH
1322
1323/* Initialize with DH parameters if supplied */
1324
038597d2
PP
1325if ( !init_dh(*ctxp, dhparam, host)
1326 || !init_ecdh(*ctxp, host)
1327 )
1328 return DEFER;
059ec3d9 1329
3f7eeb86 1330/* Set up certificate and key (and perhaps OCSP info) */
059ec3d9 1331
817d9f57 1332rc = tls_expand_session_files(*ctxp, cbinfo);
7be682ca 1333if (rc != OK) return rc;
c91535f3 1334
7be682ca 1335/* If we need to handle SNI, do so */
3bcbbbe2 1336#ifdef EXIM_HAVE_OPENSSL_TLSEXT
f5d78688 1337if (host == NULL) /* server */
3f0945ff 1338 {
f2de3a33 1339# ifndef DISABLE_OCSP
f5d78688 1340 /* We check u_ocsp.server.file, not server.response, because we care about if
3f7eeb86
PP
1341 the option exists, not what the current expansion might be, as SNI might
1342 change the certificate and OCSP file in use between now and the time the
1343 callback is invoked. */
f5d78688 1344 if (cbinfo->u_ocsp.server.file)
3f7eeb86 1345 {
f5d78688 1346 SSL_CTX_set_tlsext_status_cb(server_ctx, tls_server_stapling_cb);
5e55c7a9 1347 SSL_CTX_set_tlsext_status_arg(server_ctx, cbinfo);
3f7eeb86 1348 }
f5d78688 1349# endif
3f0945ff
PP
1350 /* We always do this, so that $tls_sni is available even if not used in
1351 tls_certificate */
817d9f57
JH
1352 SSL_CTX_set_tlsext_servername_callback(*ctxp, tls_servername_cb);
1353 SSL_CTX_set_tlsext_servername_arg(*ctxp, cbinfo);
3f0945ff 1354 }
f2de3a33 1355# ifndef DISABLE_OCSP
f5d78688
JH
1356else /* client */
1357 if(ocsp_file) /* wanting stapling */
1358 {
1359 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1360 {
1361 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1362 return FAIL;
1363 }
1364 SSL_CTX_set_tlsext_status_cb(*ctxp, tls_client_stapling_cb);
1365 SSL_CTX_set_tlsext_status_arg(*ctxp, cbinfo);
1366 }
1367# endif
7be682ca 1368#endif
059ec3d9 1369
e51c7be2 1370cbinfo->verify_cert_hostnames = NULL;
e51c7be2 1371
059ec3d9
PH
1372/* Set up the RSA callback */
1373
817d9f57 1374SSL_CTX_set_tmp_rsa_callback(*ctxp, rsa_callback);
059ec3d9
PH
1375
1376/* Finally, set the timeout, and we are done */
1377
817d9f57 1378SSL_CTX_set_timeout(*ctxp, ssl_session_timeout);
059ec3d9 1379DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca 1380
817d9f57 1381*cbp = cbinfo;
7be682ca 1382
059ec3d9
PH
1383return OK;
1384}
1385
1386
1387
1388
1389/*************************************************
1390* Get name of cipher in use *
1391*************************************************/
1392
817d9f57 1393/*
059ec3d9 1394Argument: pointer to an SSL structure for the connection
817d9f57
JH
1395 buffer to use for answer
1396 size of buffer
1397 pointer to number of bits for cipher
059ec3d9
PH
1398Returns: nothing
1399*/
1400
1401static void
817d9f57 1402construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
059ec3d9 1403{
57b3a7f5
PP
1404/* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
1405yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1406the accessor functions use const in the prototype. */
1407const SSL_CIPHER *c;
d9784128 1408const uschar *ver;
059ec3d9 1409
d9784128 1410ver = (const uschar *)SSL_get_version(ssl);
059ec3d9 1411
57b3a7f5 1412c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
817d9f57 1413SSL_CIPHER_get_bits(c, bits);
059ec3d9 1414
817d9f57
JH
1415string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1416 SSL_CIPHER_get_name(c), *bits);
059ec3d9
PH
1417
1418DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1419}
1420
1421
f69979cf
JH
1422static void
1423peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned bsize)
1424{
1425/*XXX we might consider a list-of-certs variable for the cert chain.
1426SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
1427in list-handling functions, also consider the difference between the entire
1428chain and the elements sent by the peer. */
1429
1430/* Will have already noted peercert on a verify fail; possibly not the leaf */
1431if (!tlsp->peercert)
1432 tlsp->peercert = SSL_get_peer_certificate(ssl);
1433/* Beware anonymous ciphers which lead to server_cert being NULL */
1434if (tlsp->peercert)
1435 {
1436 X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, bsize);
1437 peerdn[bsize-1] = '\0';
1438 tlsp->peerdn = peerdn; /*XXX a static buffer... */
1439 }
1440else
1441 tlsp->peerdn = NULL;
1442}
1443
1444
059ec3d9
PH
1445
1446
1447
1448/*************************************************
1449* Set up for verifying certificates *
1450*************************************************/
1451
1452/* Called by both client and server startup
1453
1454Arguments:
7be682ca 1455 sctx SSL_CTX* to initialise
059ec3d9
PH
1456 certs certs file or NULL
1457 crl CRL file or NULL
1458 host NULL in a server; the remote host in a client
1459 optional TRUE if called from a server for a host in tls_try_verify_hosts;
1460 otherwise passed as FALSE
983207c1 1461 cert_vfy_cb Callback function for certificate verification
059ec3d9
PH
1462
1463Returns: OK/DEFER/FAIL
1464*/
1465
1466static int
983207c1
JH
1467setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
1468 int (*cert_vfy_cb)(int, X509_STORE_CTX *) )
059ec3d9
PH
1469{
1470uschar *expcerts, *expcrl;
1471
1472if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
1473 return DEFER;
1474
26e72755 1475if (expcerts != NULL && *expcerts != '\0')
059ec3d9 1476 {
cb1d7830 1477 if (Ustrcmp(expcerts, "system") == 0)
059ec3d9 1478 {
cb1d7830
JH
1479 /* Tell the library to use its compiled-in location for the system default
1480 CA bundle, only */
1481
1482 if (!SSL_CTX_set_default_verify_paths(sctx))
1483 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
059ec3d9
PH
1484 }
1485 else
1486 {
cb1d7830
JH
1487 struct stat statbuf;
1488
1489 /* Tell the library to use its compiled-in location for the system default
1490 CA bundle. Those given by the exim config are additional to these */
1491
1492 if (!SSL_CTX_set_default_verify_paths(sctx))
1493 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
1494
1495 if (Ustat(expcerts, &statbuf) < 0)
1496 {
1497 log_write(0, LOG_MAIN|LOG_PANIC,
1498 "failed to stat %s for certificates", expcerts);
1499 return DEFER;
1500 }
059ec3d9 1501 else
059ec3d9 1502 {
cb1d7830
JH
1503 uschar *file, *dir;
1504 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1505 { file = NULL; dir = expcerts; }
1506 else
1507 { file = expcerts; dir = NULL; }
1508
1509 /* If a certificate file is empty, the next function fails with an
1510 unhelpful error message. If we skip it, we get the correct behaviour (no
1511 certificates are recognized, but the error message is still misleading (it
1512 says no certificate was supplied.) But this is better. */
1513
1514 if ((file == NULL || statbuf.st_size > 0) &&
1515 !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
1516 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
1517
1518 /* Load the list of CAs for which we will accept certs, for sending
1519 to the client. This is only for the one-file tls_verify_certificates
1520 variant.
1521 If a list isn't loaded into the server, but
1522 some verify locations are set, the server end appears to make
1523 a wildcard reqest for client certs.
1524 Meanwhile, the client library as deafult behaviour *ignores* the list
1525 we send over the wire - see man SSL_CTX_set_client_cert_cb.
1526 Because of this, and that the dir variant is likely only used for
1527 the public-CA bundle (not for a private CA), not worth fixing.
1528 */
1529 if (file != NULL)
1530 {
1531 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
1532 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
1533 sk_X509_NAME_num(names));
1534 SSL_CTX_set_client_CA_list(sctx, names);
1535 }
059ec3d9
PH
1536 }
1537 }
1538
1539 /* Handle a certificate revocation list. */
1540
1541 #if OPENSSL_VERSION_NUMBER > 0x00907000L
1542
8b417f2c
PH
1543 /* This bit of code is now the version supplied by Lars Mainka. (I have
1544 * merely reformatted it into the Exim code style.)
1545
1546 * "From here I changed the code to add support for multiple crl's
1547 * in pem format in one file or to support hashed directory entries in
1548 * pem format instead of a file. This method now uses the library function
1549 * X509_STORE_load_locations to add the CRL location to the SSL context.
1550 * OpenSSL will then handle the verify against CA certs and CRLs by
1551 * itself in the verify callback." */
1552
059ec3d9
PH
1553 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
1554 if (expcrl != NULL && *expcrl != 0)
1555 {
8b417f2c
PH
1556 struct stat statbufcrl;
1557 if (Ustat(expcrl, &statbufcrl) < 0)
1558 {
1559 log_write(0, LOG_MAIN|LOG_PANIC,
1560 "failed to stat %s for certificates revocation lists", expcrl);
1561 return DEFER;
1562 }
1563 else
059ec3d9 1564 {
8b417f2c
PH
1565 /* is it a file or directory? */
1566 uschar *file, *dir;
7be682ca 1567 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 1568 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 1569 {
8b417f2c
PH
1570 file = NULL;
1571 dir = expcrl;
1572 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH
1573 }
1574 else
1575 {
8b417f2c
PH
1576 file = expcrl;
1577 dir = NULL;
1578 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 1579 }
8b417f2c 1580 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
7199e1ee 1581 return tls_error(US"X509_STORE_load_locations", host, NULL);
8b417f2c
PH
1582
1583 /* setting the flags to check against the complete crl chain */
1584
1585 X509_STORE_set_flags(cvstore,
1586 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 1587 }
059ec3d9
PH
1588 }
1589
1590 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
1591
1592 /* If verification is optional, don't fail if no certificate */
1593
7be682ca 1594 SSL_CTX_set_verify(sctx,
059ec3d9 1595 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
983207c1 1596 cert_vfy_cb);
059ec3d9
PH
1597 }
1598
1599return OK;
1600}
1601
1602
1603
1604/*************************************************
1605* Start a TLS session in a server *
1606*************************************************/
1607
1608/* This is called when Exim is running as a server, after having received
1609the STARTTLS command. It must respond to that command, and then negotiate
1610a TLS session.
1611
1612Arguments:
1613 require_ciphers allowed ciphers
1614
1615Returns: OK on success
1616 DEFER for errors before the start of the negotiation
1617 FAIL for errors during the negotation; the server can't
1618 continue running.
1619*/
1620
1621int
17c76198 1622tls_server_start(const uschar *require_ciphers)
059ec3d9
PH
1623{
1624int rc;
1625uschar *expciphers;
7be682ca 1626tls_ext_ctx_cb *cbinfo;
f69979cf 1627static uschar peerdn[256];
817d9f57 1628static uschar cipherbuf[256];
059ec3d9
PH
1629
1630/* Check for previous activation */
1631
817d9f57 1632if (tls_in.active >= 0)
059ec3d9 1633 {
5ca6d115 1634 tls_error(US"STARTTLS received after TLS started", NULL, US"");
059ec3d9
PH
1635 smtp_printf("554 Already in TLS\r\n");
1636 return FAIL;
1637 }
1638
1639/* Initialize the SSL library. If it fails, it will already have logged
1640the error. */
1641
817d9f57 1642rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
f2de3a33 1643#ifndef DISABLE_OCSP
3f7eeb86
PP
1644 tls_ocsp_file,
1645#endif
817d9f57 1646 NULL, &server_static_cbinfo);
059ec3d9 1647if (rc != OK) return rc;
817d9f57 1648cbinfo = server_static_cbinfo;
059ec3d9
PH
1649
1650if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1651 return FAIL;
1652
1653/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
17c76198
PP
1654were historically separated by underscores. So that I can use either form in my
1655tests, and also for general convenience, we turn underscores into hyphens here.
1656*/
059ec3d9
PH
1657
1658if (expciphers != NULL)
1659 {
1660 uschar *s = expciphers;
1661 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1662 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 1663 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
7199e1ee 1664 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
7be682ca 1665 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH
1666 }
1667
1668/* If this is a host for which certificate verification is mandatory or
1669optional, set up appropriately. */
1670
817d9f57 1671tls_in.certificate_verified = FALSE;
53a7196b
JH
1672#ifdef EXPERIMENTAL_DANE
1673tls_in.dane_verified = FALSE;
1674#endif
a2ff477a 1675server_verify_callback_called = FALSE;
059ec3d9
PH
1676
1677if (verify_check_host(&tls_verify_hosts) == OK)
1678 {
983207c1
JH
1679 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1680 FALSE, verify_callback_server);
059ec3d9 1681 if (rc != OK) return rc;
a2ff477a 1682 server_verify_optional = FALSE;
059ec3d9
PH
1683 }
1684else if (verify_check_host(&tls_try_verify_hosts) == OK)
1685 {
983207c1
JH
1686 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
1687 TRUE, verify_callback_server);
059ec3d9 1688 if (rc != OK) return rc;
a2ff477a 1689 server_verify_optional = TRUE;
059ec3d9
PH
1690 }
1691
1692/* Prepare for new connection */
1693
817d9f57 1694if ((server_ssl = SSL_new(server_ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
da3ad30d
PP
1695
1696/* Warning: we used to SSL_clear(ssl) here, it was removed.
1697 *
1698 * With the SSL_clear(), we get strange interoperability bugs with
1699 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
1700 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
1701 *
1702 * The SSL_clear() call is to let an existing SSL* be reused, typically after
1703 * session shutdown. In this case, we have a brand new object and there's no
1704 * obvious reason to immediately clear it. I'm guessing that this was
1705 * originally added because of incomplete initialisation which the clear fixed,
1706 * in some historic release.
1707 */
059ec3d9
PH
1708
1709/* Set context and tell client to go ahead, except in the case of TLS startup
1710on connection, where outputting anything now upsets the clients and tends to
1711make them disconnect. We need to have an explicit fflush() here, to force out
1712the response. Other smtp_printf() calls do not need it, because in non-TLS
1713mode, the fflush() happens when smtp_getc() is called. */
1714
817d9f57
JH
1715SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
1716if (!tls_in.on_connect)
059ec3d9
PH
1717 {
1718 smtp_printf("220 TLS go ahead\r\n");
1719 fflush(smtp_out);
1720 }
1721
1722/* Now negotiate the TLS session. We put our own timer on it, since it seems
1723that the OpenSSL library doesn't. */
1724
817d9f57
JH
1725SSL_set_wfd(server_ssl, fileno(smtp_out));
1726SSL_set_rfd(server_ssl, fileno(smtp_in));
1727SSL_set_accept_state(server_ssl);
059ec3d9
PH
1728
1729DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
1730
1731sigalrm_seen = FALSE;
1732if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
817d9f57 1733rc = SSL_accept(server_ssl);
059ec3d9
PH
1734alarm(0);
1735
1736if (rc <= 0)
1737 {
7199e1ee 1738 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
77bb000f
PP
1739 if (ERR_get_error() == 0)
1740 log_write(0, LOG_MAIN,
a053d125 1741 "TLS client disconnected cleanly (rejected our certificate?)");
059ec3d9
PH
1742 return FAIL;
1743 }
1744
1745DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
1746
1747/* TLS has been set up. Adjust the input functions to read via TLS,
1748and initialize things. */
1749
f69979cf
JH
1750peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
1751
817d9f57
JH
1752construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
1753tls_in.cipher = cipherbuf;
059ec3d9
PH
1754
1755DEBUG(D_tls)
1756 {
1757 uschar buf[2048];
817d9f57 1758 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
059ec3d9
PH
1759 debug_printf("Shared ciphers: %s\n", buf);
1760 }
1761
9d1c15ef
JH
1762/* Record the certificate we presented */
1763 {
1764 X509 * crt = SSL_get_certificate(server_ssl);
1765 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
1766 }
059ec3d9 1767
817d9f57
JH
1768/* Only used by the server-side tls (tls_in), including tls_getc.
1769 Client-side (tls_out) reads (seem to?) go via
1770 smtp_read_response()/ip_recv().
1771 Hence no need to duplicate for _in and _out.
1772 */
059ec3d9
PH
1773ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1774ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
1775ssl_xfer_eof = ssl_xfer_error = 0;
1776
1777receive_getc = tls_getc;
1778receive_ungetc = tls_ungetc;
1779receive_feof = tls_feof;
1780receive_ferror = tls_ferror;
58eb016e 1781receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 1782
817d9f57 1783tls_in.active = fileno(smtp_out);
059ec3d9
PH
1784return OK;
1785}
1786
1787
1788
1789
043b1248
JH
1790static int
1791tls_client_basic_ctx_init(SSL_CTX * ctx,
01a4a5c5 1792 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo
043b1248
JH
1793 )
1794{
1795int rc;
1796/* stick to the old behaviour for compatibility if tls_verify_certificates is
1797 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
1798 the specified host patterns if one of them is defined */
1799
610ff438
JH
1800if ( ( !ob->tls_verify_hosts
1801 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
1802 )
5130845b 1803 || (verify_check_given_host(&ob->tls_verify_hosts, host) == OK)
aa2a70ba 1804 )
043b1248 1805 client_verify_optional = FALSE;
5130845b 1806else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
aa2a70ba
JH
1807 client_verify_optional = TRUE;
1808else
1809 return OK;
1810
1811if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
1812 ob->tls_crl, host, client_verify_optional, verify_callback_client)) != OK)
1813 return rc;
043b1248 1814
5130845b 1815if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
043b1248 1816 {
4af0d74a
JH
1817 cbinfo->verify_cert_hostnames =
1818#ifdef EXPERIMENTAL_INTERNATIONAL
1819 string_domain_utf8_to_alabel(host->name, NULL);
1820#else
1821 host->name;
1822#endif
aa2a70ba
JH
1823 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
1824 cbinfo->verify_cert_hostnames);
043b1248 1825 }
043b1248
JH
1826return OK;
1827}
059ec3d9 1828
fde080a4
JH
1829
1830#ifdef EXPERIMENTAL_DANE
1831static int
fde080a4
JH
1832dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa)
1833{
1834dns_record * rr;
1835dns_scan dnss;
1836const char * hostnames[2] = { CS host->name, NULL };
1837int found = 0;
1838
1839if (DANESSL_init(ssl, NULL, hostnames) != 1)
1840 return tls_error(US"hostnames load", host, NULL);
1841
1842for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
1843 rr;
1844 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1845 ) if (rr->type == T_TLSA)
1846 {
1847 uschar * p = rr->data;
1848 uint8_t usage, selector, mtype;
1849 const char * mdname;
1850
fde080a4 1851 usage = *p++;
133d2546
JH
1852
1853 /* Only DANE-TA(2) and DANE-EE(3) are supported */
1854 if (usage != 2 && usage != 3) continue;
1855
fde080a4
JH
1856 selector = *p++;
1857 mtype = *p++;
1858
1859 switch (mtype)
1860 {
133d2546
JH
1861 default: continue; /* Only match-types 0, 1, 2 are supported */
1862 case 0: mdname = NULL; break;
1863 case 1: mdname = "sha256"; break;
1864 case 2: mdname = "sha512"; break;
fde080a4
JH
1865 }
1866
133d2546 1867 found++;
fde080a4
JH
1868 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
1869 {
1870 default:
1871 case 0: /* action not taken */
1872 return tls_error(US"tlsa load", host, NULL);
1873 case 1: break;
1874 }
594706ea
JH
1875
1876 tls_out.tlsa_usage |= 1<<usage;
fde080a4
JH
1877 }
1878
1879if (found)
1880 return OK;
1881
133d2546 1882log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
6ebd79ec 1883return DEFER;
fde080a4
JH
1884}
1885#endif /*EXPERIMENTAL_DANE*/
1886
1887
1888
059ec3d9
PH
1889/*************************************************
1890* Start a TLS session in a client *
1891*************************************************/
1892
1893/* Called from the smtp transport after STARTTLS has been accepted.
1894
1895Argument:
1896 fd the fd of the connection
1897 host connected host (for messages)
83da1223 1898 addr the first address
a7538db1 1899 tb transport (always smtp)
0e66b3b6 1900 tlsa_dnsa tlsa lookup, if DANE, else null
059ec3d9
PH
1901
1902Returns: OK on success
1903 FAIL otherwise - note that tls_error() will not give DEFER
1904 because this is not a server
1905*/
1906
1907int
f5d78688 1908tls_client_start(int fd, host_item *host, address_item *addr,
0e66b3b6
JH
1909 transport_instance *tb
1910#ifdef EXPERIMENTAL_DANE
1911 , dns_answer * tlsa_dnsa
1912#endif
1913 )
059ec3d9 1914{
a7538db1
JH
1915smtp_transport_options_block * ob =
1916 (smtp_transport_options_block *)tb->options_block;
f69979cf 1917static uschar peerdn[256];
868f5672 1918uschar * expciphers;
059ec3d9 1919int rc;
817d9f57 1920static uschar cipherbuf[256];
043b1248
JH
1921
1922#ifndef DISABLE_OCSP
043b1248 1923BOOL request_ocsp = FALSE;
6634ac8d 1924BOOL require_ocsp = FALSE;
043b1248 1925#endif
043b1248
JH
1926
1927#ifdef EXPERIMENTAL_DANE
594706ea 1928tls_out.tlsa_usage = 0;
043b1248
JH
1929#endif
1930
f2de3a33 1931#ifndef DISABLE_OCSP
043b1248 1932 {
4f59c424
JH
1933# ifdef EXPERIMENTAL_DANE
1934 if ( tlsa_dnsa
1935 && ob->hosts_request_ocsp[0] == '*'
1936 && ob->hosts_request_ocsp[1] == '\0'
1937 )
1938 {
1939 /* Unchanged from default. Use a safer one under DANE */
1940 request_ocsp = TRUE;
1941 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
1942 " {= {4}{$tls_out_tlsa_usage}} } "
1943 " {*}{}}";
1944 }
1945# endif
1946
5130845b
JH
1947 if ((require_ocsp =
1948 verify_check_given_host(&ob->hosts_require_ocsp, host) == OK))
fca41d5a
JH
1949 request_ocsp = TRUE;
1950 else
fca41d5a 1951# ifdef EXPERIMENTAL_DANE
4f59c424 1952 if (!request_ocsp)
fca41d5a 1953# endif
5130845b
JH
1954 request_ocsp =
1955 verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
043b1248 1956 }
f5d78688 1957#endif
059ec3d9 1958
65867078
JH
1959rc = tls_init(&client_ctx, host, NULL,
1960 ob->tls_certificate, ob->tls_privatekey,
f2de3a33 1961#ifndef DISABLE_OCSP
44662487 1962 (void *)(long)request_ocsp,
3f7eeb86 1963#endif
817d9f57 1964 addr, &client_static_cbinfo);
059ec3d9
PH
1965if (rc != OK) return rc;
1966
817d9f57 1967tls_out.certificate_verified = FALSE;
a2ff477a 1968client_verify_callback_called = FALSE;
059ec3d9 1969
65867078
JH
1970if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
1971 &expciphers))
059ec3d9
PH
1972 return FAIL;
1973
1974/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1975are separated by underscores. So that I can use either form in my tests, and
1976also for general convenience, we turn underscores into hyphens here. */
1977
1978if (expciphers != NULL)
1979 {
1980 uschar *s = expciphers;
1981 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1982 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 1983 if (!SSL_CTX_set_cipher_list(client_ctx, CS expciphers))
7199e1ee 1984 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
059ec3d9
PH
1985 }
1986
043b1248 1987#ifdef EXPERIMENTAL_DANE
0e66b3b6 1988if (tlsa_dnsa)
a63be306 1989 {
02af313d
JH
1990 SSL_CTX_set_verify(client_ctx,
1991 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1992 verify_callback_client_dane);
e5cccda9 1993
043b1248 1994 if (!DANESSL_library_init())
b4161d10 1995 return tls_error(US"library init", host, NULL);
043b1248 1996 if (DANESSL_CTX_init(client_ctx) <= 0)
b4161d10 1997 return tls_error(US"context init", host, NULL);
043b1248
JH
1998 }
1999else
e51c7be2 2000
043b1248
JH
2001#endif
2002
01a4a5c5
JH
2003 if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob, client_static_cbinfo))
2004 != OK)
65867078 2005 return rc;
059ec3d9 2006
65867078
JH
2007if ((client_ssl = SSL_new(client_ctx)) == NULL)
2008 return tls_error(US"SSL_new", host, NULL);
817d9f57
JH
2009SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
2010SSL_set_fd(client_ssl, fd);
2011SSL_set_connect_state(client_ssl);
059ec3d9 2012
65867078 2013if (ob->tls_sni)
3f0945ff 2014 {
65867078 2015 if (!expand_check(ob->tls_sni, US"tls_sni", &tls_out.sni))
3f0945ff 2016 return FAIL;
ec4b68e5 2017 if (tls_out.sni == NULL)
2c9a0e86
PP
2018 {
2019 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
2020 }
ec4b68e5 2021 else if (!Ustrlen(tls_out.sni))
817d9f57 2022 tls_out.sni = NULL;
3f0945ff
PP
2023 else
2024 {
35731706 2025#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57
JH
2026 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_out.sni);
2027 SSL_set_tlsext_host_name(client_ssl, tls_out.sni);
35731706
PP
2028#else
2029 DEBUG(D_tls)
2030 debug_printf("OpenSSL at build-time lacked SNI support, ignoring \"%s\"\n",
02d9264f 2031 tls_out.sni);
35731706 2032#endif
3f0945ff
PP
2033 }
2034 }
2035
594706ea 2036#ifdef EXPERIMENTAL_DANE
0e66b3b6
JH
2037if (tlsa_dnsa)
2038 if ((rc = dane_tlsa_load(client_ssl, host, tlsa_dnsa)) != OK)
594706ea
JH
2039 return rc;
2040#endif
2041
f2de3a33 2042#ifndef DISABLE_OCSP
f5d78688
JH
2043/* Request certificate status at connection-time. If the server
2044does OCSP stapling we will get the callback (set in tls_init()) */
b50c8b84 2045# ifdef EXPERIMENTAL_DANE
44662487
JH
2046if (request_ocsp)
2047 {
594706ea 2048 const uschar * s;
41afb5cb
JH
2049 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2050 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
594706ea
JH
2051 )
2052 { /* Re-eval now $tls_out_tlsa_usage is populated. If
2053 this means we avoid the OCSP request, we wasted the setup
2054 cost in tls_init(). */
5130845b
JH
2055 require_ocsp = verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
2056 request_ocsp = require_ocsp
2057 || verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
594706ea
JH
2058 }
2059 }
b50c8b84
JH
2060# endif
2061
594706ea
JH
2062if (request_ocsp)
2063 {
f5d78688 2064 SSL_set_tlsext_status_type(client_ssl, TLSEXT_STATUSTYPE_ocsp);
44662487
JH
2065 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
2066 tls_out.ocsp = OCSP_NOT_RESP;
2067 }
f5d78688
JH
2068#endif
2069
774ef2d7
JH
2070#ifdef EXPERIMENTAL_EVENT
2071client_static_cbinfo->event_action = tb->event_action;
a7538db1 2072#endif
043b1248 2073
059ec3d9
PH
2074/* There doesn't seem to be a built-in timeout on connection. */
2075
2076DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
2077sigalrm_seen = FALSE;
65867078 2078alarm(ob->command_timeout);
817d9f57 2079rc = SSL_connect(client_ssl);
059ec3d9
PH
2080alarm(0);
2081
043b1248 2082#ifdef EXPERIMENTAL_DANE
0e66b3b6 2083if (tlsa_dnsa)
fde080a4 2084 DANESSL_cleanup(client_ssl);
043b1248
JH
2085#endif
2086
059ec3d9 2087if (rc <= 0)
7199e1ee 2088 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
059ec3d9
PH
2089
2090DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
2091
f69979cf 2092peer_cert(client_ssl, &tls_out, peerdn, sizeof(peerdn));
059ec3d9 2093
817d9f57
JH
2094construct_cipher_name(client_ssl, cipherbuf, sizeof(cipherbuf), &tls_out.bits);
2095tls_out.cipher = cipherbuf;
059ec3d9 2096
9d1c15ef
JH
2097/* Record the certificate we presented */
2098 {
2099 X509 * crt = SSL_get_certificate(client_ssl);
2100 tls_out.ourcert = crt ? X509_dup(crt) : NULL;
2101 }
2102
817d9f57 2103tls_out.active = fd;
059ec3d9
PH
2104return OK;
2105}
2106
2107
2108
2109
2110
2111/*************************************************
2112* TLS version of getc *
2113*************************************************/
2114
2115/* This gets the next byte from the TLS input buffer. If the buffer is empty,
2116it refills the buffer via the SSL reading function.
2117
2118Arguments: none
2119Returns: the next character or EOF
817d9f57
JH
2120
2121Only used by the server-side TLS.
059ec3d9
PH
2122*/
2123
2124int
2125tls_getc(void)
2126{
2127if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2128 {
2129 int error;
2130 int inbytes;
2131
817d9f57 2132 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
c80c5570 2133 ssl_xfer_buffer, ssl_xfer_buffer_size);
059ec3d9
PH
2134
2135 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
817d9f57
JH
2136 inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
2137 error = SSL_get_error(server_ssl, inbytes);
059ec3d9
PH
2138 alarm(0);
2139
2140 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
2141 closed down, not that the socket itself has been closed down. Revert to
2142 non-SSL handling. */
2143
2144 if (error == SSL_ERROR_ZERO_RETURN)
2145 {
2146 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2147
2148 receive_getc = smtp_getc;
2149 receive_ungetc = smtp_ungetc;
2150 receive_feof = smtp_feof;
2151 receive_ferror = smtp_ferror;
58eb016e 2152 receive_smtp_buffered = smtp_buffered;
059ec3d9 2153
817d9f57
JH
2154 SSL_free(server_ssl);
2155 server_ssl = NULL;
2156 tls_in.active = -1;
2157 tls_in.bits = 0;
2158 tls_in.cipher = NULL;
2159 tls_in.peerdn = NULL;
2160 tls_in.sni = NULL;
059ec3d9
PH
2161
2162 return smtp_getc();
2163 }
2164
2165 /* Handle genuine errors */
2166
ba084640
PP
2167 else if (error == SSL_ERROR_SSL)
2168 {
2169 ERR_error_string(ERR_get_error(), ssl_errstring);
89dd51cd 2170 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
ba084640
PP
2171 ssl_xfer_error = 1;
2172 return EOF;
2173 }
2174
059ec3d9
PH
2175 else if (error != SSL_ERROR_NONE)
2176 {
2177 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2178 ssl_xfer_error = 1;
2179 return EOF;
2180 }
c80c5570 2181
80a47a2c
TK
2182#ifndef DISABLE_DKIM
2183 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
2184#endif
059ec3d9
PH
2185 ssl_xfer_buffer_hwm = inbytes;
2186 ssl_xfer_buffer_lwm = 0;
2187 }
2188
2189/* Something in the buffer; return next uschar */
2190
2191return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
2192}
2193
2194
2195
2196/*************************************************
2197* Read bytes from TLS channel *
2198*************************************************/
2199
2200/*
2201Arguments:
2202 buff buffer of data
2203 len size of buffer
2204
2205Returns: the number of bytes read
2206 -1 after a failed read
817d9f57
JH
2207
2208Only used by the client-side TLS.
059ec3d9
PH
2209*/
2210
2211int
389ca47a 2212tls_read(BOOL is_server, uschar *buff, size_t len)
059ec3d9 2213{
389ca47a 2214SSL *ssl = is_server ? server_ssl : client_ssl;
059ec3d9
PH
2215int inbytes;
2216int error;
2217
389ca47a 2218DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
c80c5570 2219 buff, (unsigned int)len);
059ec3d9 2220
389ca47a
JH
2221inbytes = SSL_read(ssl, CS buff, len);
2222error = SSL_get_error(ssl, inbytes);
059ec3d9
PH
2223
2224if (error == SSL_ERROR_ZERO_RETURN)
2225 {
2226 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2227 return -1;
2228 }
2229else if (error != SSL_ERROR_NONE)
2230 {
2231 return -1;
2232 }
2233
2234return inbytes;
2235}
2236
2237
2238
2239
2240
2241/*************************************************
2242* Write bytes down TLS channel *
2243*************************************************/
2244
2245/*
2246Arguments:
817d9f57 2247 is_server channel specifier
059ec3d9
PH
2248 buff buffer of data
2249 len number of bytes
2250
2251Returns: the number of bytes after a successful write,
2252 -1 after a failed write
817d9f57
JH
2253
2254Used by both server-side and client-side TLS.
059ec3d9
PH
2255*/
2256
2257int
817d9f57 2258tls_write(BOOL is_server, const uschar *buff, size_t len)
059ec3d9
PH
2259{
2260int outbytes;
2261int error;
2262int left = len;
817d9f57 2263SSL *ssl = is_server ? server_ssl : client_ssl;
059ec3d9 2264
c80c5570 2265DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left);
059ec3d9
PH
2266while (left > 0)
2267 {
c80c5570 2268 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
059ec3d9
PH
2269 outbytes = SSL_write(ssl, CS buff, left);
2270 error = SSL_get_error(ssl, outbytes);
2271 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
2272 switch (error)
2273 {
2274 case SSL_ERROR_SSL:
2275 ERR_error_string(ERR_get_error(), ssl_errstring);
2276 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
2277 return -1;
2278
2279 case SSL_ERROR_NONE:
2280 left -= outbytes;
2281 buff += outbytes;
2282 break;
2283
2284 case SSL_ERROR_ZERO_RETURN:
2285 log_write(0, LOG_MAIN, "SSL channel closed on write");
2286 return -1;
2287
817d9f57
JH
2288 case SSL_ERROR_SYSCALL:
2289 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
2290 sender_fullhost ? sender_fullhost : US"<unknown>",
2291 strerror(errno));
2292
059ec3d9
PH
2293 default:
2294 log_write(0, LOG_MAIN, "SSL_write error %d", error);
2295 return -1;
2296 }
2297 }
2298return len;
2299}
2300
2301
2302
2303/*************************************************
2304* Close down a TLS session *
2305*************************************************/
2306
2307/* This is also called from within a delivery subprocess forked from the
2308daemon, to shut down the TLS library, without actually doing a shutdown (which
2309would tamper with the SSL session in the parent process).
2310
2311Arguments: TRUE if SSL_shutdown is to be called
2312Returns: nothing
817d9f57
JH
2313
2314Used by both server-side and client-side TLS.
059ec3d9
PH
2315*/
2316
2317void
817d9f57 2318tls_close(BOOL is_server, BOOL shutdown)
059ec3d9 2319{
817d9f57 2320SSL **sslp = is_server ? &server_ssl : &client_ssl;
389ca47a 2321int *fdp = is_server ? &tls_in.active : &tls_out.active;
817d9f57
JH
2322
2323if (*fdp < 0) return; /* TLS was not active */
059ec3d9
PH
2324
2325if (shutdown)
2326 {
2327 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
817d9f57 2328 SSL_shutdown(*sslp);
059ec3d9
PH
2329 }
2330
817d9f57
JH
2331SSL_free(*sslp);
2332*sslp = NULL;
059ec3d9 2333
817d9f57 2334*fdp = -1;
059ec3d9
PH
2335}
2336
36f12725
NM
2337
2338
2339
2340/*************************************************
3375e053
PP
2341* Let tls_require_ciphers be checked at startup *
2342*************************************************/
2343
2344/* The tls_require_ciphers option, if set, must be something which the
2345library can parse.
2346
2347Returns: NULL on success, or error message
2348*/
2349
2350uschar *
2351tls_validate_require_cipher(void)
2352{
2353SSL_CTX *ctx;
2354uschar *s, *expciphers, *err;
2355
2356/* this duplicates from tls_init(), we need a better "init just global
2357state, for no specific purpose" singleton function of our own */
2358
2359SSL_load_error_strings();
2360OpenSSL_add_ssl_algorithms();
2361#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
2362/* SHA256 is becoming ever more popular. This makes sure it gets added to the
2363list of available digests. */
2364EVP_add_digest(EVP_sha256());
2365#endif
2366
2367if (!(tls_require_ciphers && *tls_require_ciphers))
2368 return NULL;
2369
2370if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
2371 return US"failed to expand tls_require_ciphers";
2372
2373if (!(expciphers && *expciphers))
2374 return NULL;
2375
2376/* normalisation ripped from above */
2377s = expciphers;
2378while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2379
2380err = NULL;
2381
2382ctx = SSL_CTX_new(SSLv23_server_method());
2383if (!ctx)
2384 {
2385 ERR_error_string(ERR_get_error(), ssl_errstring);
2386 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
2387 }
2388
2389DEBUG(D_tls)
2390 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
2391
2392if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
2393 {
2394 ERR_error_string(ERR_get_error(), ssl_errstring);
2395 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed", expciphers);
2396 }
2397
2398SSL_CTX_free(ctx);
2399
2400return err;
2401}
2402
2403
2404
2405
2406/*************************************************
36f12725
NM
2407* Report the library versions. *
2408*************************************************/
2409
2410/* There have historically been some issues with binary compatibility in
2411OpenSSL libraries; if Exim (like many other applications) is built against
2412one version of OpenSSL but the run-time linker picks up another version,
2413it can result in serious failures, including crashing with a SIGSEGV. So
2414report the version found by the compiler and the run-time version.
2415
f64a1e23
PP
2416Note: some OS vendors backport security fixes without changing the version
2417number/string, and the version date remains unchanged. The _build_ date
2418will change, so we can more usefully assist with version diagnosis by also
2419reporting the build date.
2420
36f12725
NM
2421Arguments: a FILE* to print the results to
2422Returns: nothing
2423*/
2424
2425void
2426tls_version_report(FILE *f)
2427{
754a0503 2428fprintf(f, "Library version: OpenSSL: Compile: %s\n"
f64a1e23
PP
2429 " Runtime: %s\n"
2430 " : %s\n",
754a0503 2431 OPENSSL_VERSION_TEXT,
f64a1e23
PP
2432 SSLeay_version(SSLEAY_VERSION),
2433 SSLeay_version(SSLEAY_BUILT_ON));
2434/* third line is 38 characters for the %s and the line is 73 chars long;
2435the OpenSSL output includes a "built on: " prefix already. */
36f12725
NM
2436}
2437
9e3331ea
TK
2438
2439
2440
2441/*************************************************
17c76198 2442* Random number generation *
9e3331ea
TK
2443*************************************************/
2444
2445/* Pseudo-random number generation. The result is not expected to be
2446cryptographically strong but not so weak that someone will shoot themselves
2447in the foot using it as a nonce in input in some email header scheme or
2448whatever weirdness they'll twist this into. The result should handle fork()
2449and avoid repeating sequences. OpenSSL handles that for us.
2450
2451Arguments:
2452 max range maximum
2453Returns a random number in range [0, max-1]
2454*/
2455
2456int
17c76198 2457vaguely_random_number(int max)
9e3331ea
TK
2458{
2459unsigned int r;
2460int i, needed_len;
de6135a0
PP
2461static pid_t pidlast = 0;
2462pid_t pidnow;
9e3331ea
TK
2463uschar *p;
2464uschar smallbuf[sizeof(r)];
2465
2466if (max <= 1)
2467 return 0;
2468
de6135a0
PP
2469pidnow = getpid();
2470if (pidnow != pidlast)
2471 {
2472 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
2473 is unique for each thread", this doesn't apparently apply across processes,
2474 so our own warning from vaguely_random_number_fallback() applies here too.
2475 Fix per PostgreSQL. */
2476 if (pidlast != 0)
2477 RAND_cleanup();
2478 pidlast = pidnow;
2479 }
2480
9e3331ea
TK
2481/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
2482if (!RAND_status())
2483 {
2484 randstuff r;
2485 gettimeofday(&r.tv, NULL);
2486 r.p = getpid();
2487
2488 RAND_seed((uschar *)(&r), sizeof(r));
2489 }
2490/* We're after pseudo-random, not random; if we still don't have enough data
2491in the internal PRNG then our options are limited. We could sleep and hope
2492for entropy to come along (prayer technique) but if the system is so depleted
2493in the first place then something is likely to just keep taking it. Instead,
2494we'll just take whatever little bit of pseudo-random we can still manage to
2495get. */
2496
2497needed_len = sizeof(r);
2498/* Don't take 8 times more entropy than needed if int is 8 octets and we were
2499asked for a number less than 10. */
2500for (r = max, i = 0; r; ++i)
2501 r >>= 1;
2502i = (i + 7) / 8;
2503if (i < needed_len)
2504 needed_len = i;
2505
2506/* We do not care if crypto-strong */
17c76198
PP
2507i = RAND_pseudo_bytes(smallbuf, needed_len);
2508if (i < 0)
2509 {
2510 DEBUG(D_all)
2511 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
2512 return vaguely_random_number_fallback(max);
2513 }
2514
9e3331ea
TK
2515r = 0;
2516for (p = smallbuf; needed_len; --needed_len, ++p)
2517 {
2518 r *= 256;
2519 r += *p;
2520 }
2521
2522/* We don't particularly care about weighted results; if someone wants
2523smooth distribution and cares enough then they should submit a patch then. */
2524return r % max;
2525}
2526
77bb000f
PP
2527
2528
2529
2530/*************************************************
2531* OpenSSL option parse *
2532*************************************************/
2533
2534/* Parse one option for tls_openssl_options_parse below
2535
2536Arguments:
2537 name one option name
2538 value place to store a value for it
2539Returns success or failure in parsing
2540*/
2541
2542struct exim_openssl_option {
2543 uschar *name;
2544 long value;
2545};
2546/* We could use a macro to expand, but we need the ifdef and not all the
2547options document which version they were introduced in. Policylet: include
2548all options unless explicitly for DTLS, let the administrator choose which
2549to apply.
2550
2551This list is current as of:
e2fbf4a2
PP
2552 ==> 1.0.1b <==
2553Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
2554*/
77bb000f
PP
2555static struct exim_openssl_option exim_openssl_options[] = {
2556/* KEEP SORTED ALPHABETICALLY! */
2557#ifdef SSL_OP_ALL
73a46702 2558 { US"all", SSL_OP_ALL },
77bb000f
PP
2559#endif
2560#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
73a46702 2561 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
77bb000f
PP
2562#endif
2563#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
73a46702 2564 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
77bb000f
PP
2565#endif
2566#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
73a46702 2567 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
77bb000f
PP
2568#endif
2569#ifdef SSL_OP_EPHEMERAL_RSA
73a46702 2570 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
77bb000f
PP
2571#endif
2572#ifdef SSL_OP_LEGACY_SERVER_CONNECT
73a46702 2573 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
77bb000f
PP
2574#endif
2575#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
73a46702 2576 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
77bb000f
PP
2577#endif
2578#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
73a46702 2579 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
77bb000f
PP
2580#endif
2581#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
73a46702 2582 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
77bb000f
PP
2583#endif
2584#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
73a46702 2585 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
77bb000f
PP
2586#endif
2587#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
73a46702 2588 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
77bb000f 2589#endif
c80c5570
PP
2590#ifdef SSL_OP_NO_COMPRESSION
2591 { US"no_compression", SSL_OP_NO_COMPRESSION },
2592#endif
77bb000f 2593#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
73a46702 2594 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
77bb000f 2595#endif
c0c7b2da
PP
2596#ifdef SSL_OP_NO_SSLv2
2597 { US"no_sslv2", SSL_OP_NO_SSLv2 },
2598#endif
2599#ifdef SSL_OP_NO_SSLv3
2600 { US"no_sslv3", SSL_OP_NO_SSLv3 },
2601#endif
2602#ifdef SSL_OP_NO_TICKET
2603 { US"no_ticket", SSL_OP_NO_TICKET },
2604#endif
2605#ifdef SSL_OP_NO_TLSv1
2606 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
2607#endif
c80c5570
PP
2608#ifdef SSL_OP_NO_TLSv1_1
2609#if SSL_OP_NO_TLSv1_1 == 0x00000400L
2610 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
2611#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
2612#else
2613 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
2614#endif
2615#endif
2616#ifdef SSL_OP_NO_TLSv1_2
2617 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
2618#endif
e2fbf4a2
PP
2619#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
2620 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
2621#endif
77bb000f 2622#ifdef SSL_OP_SINGLE_DH_USE
73a46702 2623 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
77bb000f
PP
2624#endif
2625#ifdef SSL_OP_SINGLE_ECDH_USE
73a46702 2626 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
77bb000f
PP
2627#endif
2628#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
73a46702 2629 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
77bb000f
PP
2630#endif
2631#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
73a46702 2632 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
77bb000f
PP
2633#endif
2634#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
73a46702 2635 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
77bb000f
PP
2636#endif
2637#ifdef SSL_OP_TLS_D5_BUG
73a46702 2638 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
77bb000f
PP
2639#endif
2640#ifdef SSL_OP_TLS_ROLLBACK_BUG
73a46702 2641 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
77bb000f
PP
2642#endif
2643};
2644static int exim_openssl_options_size =
2645 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
2646
c80c5570 2647
77bb000f
PP
2648static BOOL
2649tls_openssl_one_option_parse(uschar *name, long *value)
2650{
2651int first = 0;
2652int last = exim_openssl_options_size;
2653while (last > first)
2654 {
2655 int middle = (first + last)/2;
2656 int c = Ustrcmp(name, exim_openssl_options[middle].name);
2657 if (c == 0)
2658 {
2659 *value = exim_openssl_options[middle].value;
2660 return TRUE;
2661 }
2662 else if (c > 0)
2663 first = middle + 1;
2664 else
2665 last = middle;
2666 }
2667return FALSE;
2668}
2669
2670
2671
2672
2673/*************************************************
2674* OpenSSL option parsing logic *
2675*************************************************/
2676
2677/* OpenSSL has a number of compatibility options which an administrator might
2678reasonably wish to set. Interpret a list similarly to decode_bits(), so that
2679we look like log_selector.
2680
2681Arguments:
2682 option_spec the administrator-supplied string of options
2683 results ptr to long storage for the options bitmap
2684Returns success or failure
2685*/
2686
2687BOOL
2688tls_openssl_options_parse(uschar *option_spec, long *results)
2689{
2690long result, item;
2691uschar *s, *end;
2692uschar keep_c;
2693BOOL adding, item_parsed;
2694
0e944a0d 2695result = 0L;
b1770b6e 2696/* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
da3ad30d 2697 * from default because it increases BEAST susceptibility. */
f0f5a555
PP
2698#ifdef SSL_OP_NO_SSLv2
2699result |= SSL_OP_NO_SSLv2;
2700#endif
77bb000f
PP
2701
2702if (option_spec == NULL)
2703 {
2704 *results = result;
2705 return TRUE;
2706 }
2707
2708for (s=option_spec; *s != '\0'; /**/)
2709 {
2710 while (isspace(*s)) ++s;
2711 if (*s == '\0')
2712 break;
2713 if (*s != '+' && *s != '-')
2714 {
2715 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
0e944a0d 2716 "+ or - expected but found \"%s\"\n", s);
77bb000f
PP
2717 return FALSE;
2718 }
2719 adding = *s++ == '+';
2720 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
2721 keep_c = *end;
2722 *end = '\0';
2723 item_parsed = tls_openssl_one_option_parse(s, &item);
2724 if (!item_parsed)
2725 {
0e944a0d 2726 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
77bb000f
PP
2727 return FALSE;
2728 }
2729 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
2730 adding ? "adding" : "removing", result, item, s);
2731 if (adding)
2732 result |= item;
2733 else
2734 result &= ~item;
2735 *end = keep_c;
2736 s = end;
2737 }
2738
2739*results = result;
2740return TRUE;
2741}
2742
9d1c15ef
JH
2743/* vi: aw ai sw=2
2744*/
059ec3d9 2745/* End of tls-openssl.c */