Testsuite: tidying
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
f9ba5e22 5/* Copyright (c) University of Cambridge 1995 - 2018 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
f5d78688
JH
8/* Portions Copyright (c) The OpenSSL Project 1999 */
9
059ec3d9
PH
10/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11library. It is #included into the tls.c file when that library is used. The
12code herein is based on a patch that was originally contributed by Steve
13Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL library. */
17
18
19/* Heading stuff */
20
21#include <openssl/lhash.h>
22#include <openssl/ssl.h>
23#include <openssl/err.h>
24#include <openssl/rand.h>
10ca4f1c
JH
25#ifndef OPENSSL_NO_ECDH
26# include <openssl/ec.h>
27#endif
f2de3a33 28#ifndef DISABLE_OCSP
e51c7be2 29# include <openssl/ocsp.h>
3f7eeb86 30#endif
c0635b6d 31#ifdef SUPPORT_DANE
05e796ad 32# include "danessl.h"
85098ee7
JH
33#endif
34
3f7eeb86 35
f2de3a33
JH
36#ifndef DISABLE_OCSP
37# define EXIM_OCSP_SKEW_SECONDS (300L)
38# define EXIM_OCSP_MAX_AGE (-1L)
3f7eeb86 39#endif
059ec3d9 40
3bcbbbe2 41#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
e51c7be2 42# define EXIM_HAVE_OPENSSL_TLSEXT
3bcbbbe2 43#endif
c8dfb21d
JH
44#if OPENSSL_VERSION_NUMBER >= 0x00908000L
45# define EXIM_HAVE_RSA_GENKEY_EX
46#endif
47#if OPENSSL_VERSION_NUMBER >= 0x10100000L
48# define EXIM_HAVE_OCSP_RESP_COUNT
49#else
50# define EXIM_HAVE_EPHEM_RSA_KEX
51# define EXIM_HAVE_RAND_PSEUDO
52#endif
53#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
8442641e 54# define EXIM_HAVE_SHA256
c8dfb21d 55#endif
34e3241d
PP
56
57/*
58 * X509_check_host provides sane certificate hostname checking, but was added
59 * to OpenSSL late, after other projects forked off the code-base. So in
60 * addition to guarding against the base version number, beware that LibreSSL
61 * does not (at this time) support this function.
62 *
63 * If LibreSSL gains a different API, perhaps via libtls, then we'll probably
64 * opt to disentangle and ask a LibreSSL user to provide glue for a third
65 * crypto provider for libtls instead of continuing to tie the OpenSSL glue
66 * into even twistier knots. If LibreSSL gains the same API, we can just
67 * change this guard and punt the issue for a while longer.
68 */
69#ifndef LIBRESSL_VERSION_NUMBER
70# if OPENSSL_VERSION_NUMBER >= 0x010100000L
71# define EXIM_HAVE_OPENSSL_CHECKHOST
8420742d 72# define EXIM_HAVE_OPENSSL_DH_BITS
7a8b9519 73# define EXIM_HAVE_OPENSSL_TLS_METHOD
34e3241d
PP
74# endif
75# if OPENSSL_VERSION_NUMBER >= 0x010000000L \
2dfb468b 76 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
34e3241d
PP
77# define EXIM_HAVE_OPENSSL_CHECKHOST
78# endif
11aa88b0 79#endif
10ca4f1c 80
11aa88b0
RA
81#if !defined(LIBRESSL_VERSION_NUMBER) \
82 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
10ca4f1c
JH
83# if !defined(OPENSSL_NO_ECDH)
84# if OPENSSL_VERSION_NUMBER >= 0x0090800fL
8442641e 85# define EXIM_HAVE_ECDH
10ca4f1c
JH
86# endif
87# if OPENSSL_VERSION_NUMBER >= 0x10002000L
10ca4f1c
JH
88# define EXIM_HAVE_OPENSSL_EC_NIST2NID
89# endif
90# endif
2dfb468b 91#endif
3bcbbbe2 92
67791ce4
JH
93#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
94# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
95# define DISABLE_OCSP
96#endif
97
a6510420
JH
98#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
99# include <openssl/x509v3.h>
100#endif
101
8442641e
JH
102/*************************************************
103* OpenSSL option parse *
104*************************************************/
105
106typedef struct exim_openssl_option {
107 uschar *name;
108 long value;
109} exim_openssl_option;
110/* We could use a macro to expand, but we need the ifdef and not all the
111options document which version they were introduced in. Policylet: include
112all options unless explicitly for DTLS, let the administrator choose which
113to apply.
114
115This list is current as of:
116 ==> 1.0.1b <==
117Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
118Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev
119*/
120static exim_openssl_option exim_openssl_options[] = {
121/* KEEP SORTED ALPHABETICALLY! */
122#ifdef SSL_OP_ALL
123 { US"all", SSL_OP_ALL },
124#endif
125#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
126 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
127#endif
128#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
129 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
130#endif
131#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
132 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
133#endif
134#ifdef SSL_OP_EPHEMERAL_RSA
135 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
136#endif
137#ifdef SSL_OP_LEGACY_SERVER_CONNECT
138 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
139#endif
140#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
141 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
142#endif
143#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
144 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
145#endif
146#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
147 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
148#endif
149#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
150 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
151#endif
152#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
153 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
154#endif
155#ifdef SSL_OP_NO_COMPRESSION
156 { US"no_compression", SSL_OP_NO_COMPRESSION },
157#endif
158#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
159 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
160#endif
161#ifdef SSL_OP_NO_SSLv2
162 { US"no_sslv2", SSL_OP_NO_SSLv2 },
163#endif
164#ifdef SSL_OP_NO_SSLv3
165 { US"no_sslv3", SSL_OP_NO_SSLv3 },
166#endif
167#ifdef SSL_OP_NO_TICKET
168 { US"no_ticket", SSL_OP_NO_TICKET },
169#endif
170#ifdef SSL_OP_NO_TLSv1
171 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
172#endif
173#ifdef SSL_OP_NO_TLSv1_1
174#if SSL_OP_NO_TLSv1_1 == 0x00000400L
175 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
176#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
177#else
178 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
179#endif
180#endif
181#ifdef SSL_OP_NO_TLSv1_2
182 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
183#endif
184#ifdef SSL_OP_NO_TLSv1_3
185 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
186#endif
187#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
188 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
189#endif
190#ifdef SSL_OP_SINGLE_DH_USE
191 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
192#endif
193#ifdef SSL_OP_SINGLE_ECDH_USE
194 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
195#endif
196#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
197 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
198#endif
199#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
200 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
201#endif
202#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
203 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
204#endif
205#ifdef SSL_OP_TLS_D5_BUG
206 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
207#endif
208#ifdef SSL_OP_TLS_ROLLBACK_BUG
209 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
210#endif
211};
212
213#ifndef MACRO_PREDEF
214static int exim_openssl_options_size = nelem(exim_openssl_options);
215#endif
216
217#ifdef MACRO_PREDEF
218void
219options_tls(void)
220{
221struct exim_openssl_option * o;
222uschar buf[64];
223
224for (o = exim_openssl_options;
225 o < exim_openssl_options + nelem(exim_openssl_options); o++)
226 {
227 /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
228 being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
229
230 spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
231 builtin_macro_create(buf);
232 }
233}
234#else
235
236/******************************************************************************/
237
059ec3d9
PH
238/* Structure for collecting random data for seeding. */
239
240typedef struct randstuff {
9e3331ea
TK
241 struct timeval tv;
242 pid_t p;
059ec3d9
PH
243} randstuff;
244
245/* Local static variables */
246
a2ff477a
JH
247static BOOL client_verify_callback_called = FALSE;
248static BOOL server_verify_callback_called = FALSE;
059ec3d9
PH
249static const uschar *sid_ctx = US"exim";
250
d4f09789
PP
251/* We have three different contexts to care about.
252
253Simple case: client, `client_ctx`
254 As a client, we can be doing a callout or cut-through delivery while receiving
255 a message. So we have a client context, which should have options initialised
74f1a423
JH
256 from the SMTP Transport. We may also concurrently want to make TLS connections
257 to utility daemons, so client-contexts are allocated and passed around in call
258 args rather than using a gobal.
d4f09789
PP
259
260Server:
261 There are two cases: with and without ServerNameIndication from the client.
262 Given TLS SNI, we can be using different keys, certs and various other
263 configuration settings, because they're re-expanded with $tls_sni set. This
264 allows vhosting with TLS. This SNI is sent in the handshake.
265 A client might not send SNI, so we need a fallback, and an initial setup too.
266 So as a server, we start out using `server_ctx`.
267 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
268 `server_sni` from `server_ctx` and then initialise settings by re-expanding
269 configuration.
270*/
271
74f1a423
JH
272typedef struct {
273 SSL_CTX * ctx;
274 SSL * ssl;
275} exim_openssl_client_tls_ctx;
276
817d9f57 277static SSL_CTX *server_ctx = NULL;
817d9f57 278static SSL *server_ssl = NULL;
389ca47a 279
35731706 280#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57 281static SSL_CTX *server_sni = NULL;
35731706 282#endif
059ec3d9
PH
283
284static char ssl_errstring[256];
285
286static int ssl_session_timeout = 200;
a2ff477a
JH
287static BOOL client_verify_optional = FALSE;
288static BOOL server_verify_optional = FALSE;
059ec3d9 289
f5d78688 290static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH
291
292
7be682ca
PP
293typedef struct tls_ext_ctx_cb {
294 uschar *certificate;
295 uschar *privatekey;
f5d78688 296 BOOL is_server;
a6510420 297#ifndef DISABLE_OCSP
c3033f13 298 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
f5d78688
JH
299 union {
300 struct {
301 uschar *file;
302 uschar *file_expanded;
303 OCSP_RESPONSE *response;
304 } server;
305 struct {
44662487
JH
306 X509_STORE *verify_store; /* non-null if status requested */
307 BOOL verify_required;
f5d78688
JH
308 } client;
309 } u_ocsp;
3f7eeb86 310#endif
7be682ca
PP
311 uschar *dhparam;
312 /* these are cached from first expand */
313 uschar *server_cipher_list;
314 /* only passed down to tls_error: */
315 host_item *host;
55414b25 316 const uschar * verify_cert_hostnames;
0cbf2b82 317#ifndef DISABLE_EVENT
a7538db1
JH
318 uschar * event_action;
319#endif
7be682ca
PP
320} tls_ext_ctx_cb;
321
322/* should figure out a cleanup of API to handle state preserved per
323implementation, for various reasons, which can be void * in the APIs.
324For now, we hack around it. */
817d9f57
JH
325tls_ext_ctx_cb *client_static_cbinfo = NULL;
326tls_ext_ctx_cb *server_static_cbinfo = NULL;
7be682ca
PP
327
328static int
983207c1 329setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 330 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
059ec3d9 331
3f7eeb86 332/* Callbacks */
3bcbbbe2 333#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f7eeb86 334static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
3bcbbbe2 335#endif
f2de3a33 336#ifndef DISABLE_OCSP
f5d78688 337static int tls_server_stapling_cb(SSL *s, void *arg);
3f7eeb86
PP
338#endif
339
059ec3d9
PH
340
341/*************************************************
342* Handle TLS error *
343*************************************************/
344
345/* Called from lots of places when errors occur before actually starting to do
346the TLS handshake, that is, while the session is still in clear. Always returns
347DEFER for a server and FAIL for a client so that most calls can use "return
348tls_error(...)" to do this processing and then give an appropriate return. A
349single function is used for both server and client, because it is called from
350some shared functions.
351
352Argument:
353 prefix text to include in the logged error
354 host NULL if setting up a server;
355 the connected host if setting up a client
7199e1ee 356 msg error message or NULL if we should ask OpenSSL
cf0c6164 357 errstr pointer to output error message
059ec3d9
PH
358
359Returns: OK/DEFER/FAIL
360*/
361
362static int
cf0c6164 363tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
059ec3d9 364{
c562fd30 365if (!msg)
7199e1ee
TF
366 {
367 ERR_error_string(ERR_get_error(), ssl_errstring);
cf0c6164 368 msg = US ssl_errstring;
7199e1ee
TF
369 }
370
cf0c6164
JH
371if (errstr) *errstr = string_sprintf("(%s): %s", prefix, msg);
372return host ? FAIL : DEFER;
059ec3d9
PH
373}
374
375
376
377/*************************************************
378* Callback to generate RSA key *
379*************************************************/
380
381/*
382Arguments:
3ae79556 383 s SSL connection (not used)
059ec3d9
PH
384 export not used
385 keylength keylength
386
387Returns: pointer to generated key
388*/
389
390static RSA *
391rsa_callback(SSL *s, int export, int keylength)
392{
393RSA *rsa_key;
c8dfb21d
JH
394#ifdef EXIM_HAVE_RSA_GENKEY_EX
395BIGNUM *bn = BN_new();
396#endif
397
059ec3d9
PH
398export = export; /* Shut picky compilers up */
399DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
c8dfb21d
JH
400
401#ifdef EXIM_HAVE_RSA_GENKEY_EX
402if ( !BN_set_word(bn, (unsigned long)RSA_F4)
f2cb6292 403 || !(rsa_key = RSA_new())
c8dfb21d
JH
404 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
405 )
406#else
23bb6982 407if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
c8dfb21d
JH
408#endif
409
059ec3d9
PH
410 {
411 ERR_error_string(ERR_get_error(), ssl_errstring);
412 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
413 ssl_errstring);
414 return NULL;
415 }
416return rsa_key;
417}
418
419
420
f5d78688 421/* Extreme debug
f2de3a33 422#ifndef DISABLE_OCSP
f5d78688
JH
423void
424x509_store_dump_cert_s_names(X509_STORE * store)
425{
426STACK_OF(X509_OBJECT) * roots= store->objs;
427int i;
428static uschar name[256];
429
430for(i= 0; i<sk_X509_OBJECT_num(roots); i++)
431 {
432 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
433 if(tmp_obj->type == X509_LU_X509)
434 {
70e384dd
JH
435 X509_NAME * sn = X509_get_subject_name(tmp_obj->data.x509);
436 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
437 {
438 name[sizeof(name)-1] = '\0';
439 debug_printf(" %s\n", name);
440 }
f5d78688
JH
441 }
442 }
443}
444#endif
445*/
446
059ec3d9 447
0cbf2b82 448#ifndef DISABLE_EVENT
f69979cf
JH
449static int
450verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
451 BOOL *calledp, const BOOL *optionalp, const uschar * what)
452{
453uschar * ev;
454uschar * yield;
455X509 * old_cert;
456
457ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
458if (ev)
459 {
aaba7d03 460 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
f69979cf
JH
461 old_cert = tlsp->peercert;
462 tlsp->peercert = X509_dup(cert);
463 /* NB we do not bother setting peerdn */
464 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
465 {
466 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
467 "depth=%d cert=%s: %s",
468 tlsp == &tls_out ? deliver_host_address : sender_host_address,
469 what, depth, dn, yield);
470 *calledp = TRUE;
471 if (!*optionalp)
472 {
473 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
474 return 1; /* reject (leaving peercert set) */
475 }
476 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
477 "(host in tls_try_verify_hosts)\n");
478 }
479 X509_free(tlsp->peercert);
480 tlsp->peercert = old_cert;
481 }
482return 0;
483}
484#endif
485
059ec3d9
PH
486/*************************************************
487* Callback for verification *
488*************************************************/
489
490/* The SSL library does certificate verification if set up to do so. This
491callback has the current yes/no state is in "state". If verification succeeded,
f69979cf
JH
492we set the certificate-verified flag. If verification failed, what happens
493depends on whether the client is required to present a verifiable certificate
494or not.
059ec3d9
PH
495
496If verification is optional, we change the state to yes, but still log the
497verification error. For some reason (it really would help to have proper
498documentation of OpenSSL), this callback function then gets called again, this
f69979cf
JH
499time with state = 1. We must take care not to set the private verified flag on
500the second time through.
059ec3d9
PH
501
502Note: this function is not called if the client fails to present a certificate
503when asked. We get here only if a certificate has been received. Handling of
504optional verification for this case is done when requesting SSL to verify, by
505setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
506
a7538db1
JH
507May be called multiple times for different issues with a certificate, even
508for a given "depth" in the certificate chain.
509
059ec3d9 510Arguments:
f2f2c91b
JH
511 preverify_ok current yes/no state as 1/0
512 x509ctx certificate information.
513 tlsp per-direction (client vs. server) support data
514 calledp has-been-called flag
515 optionalp verification-is-optional flag
059ec3d9 516
f2f2c91b 517Returns: 0 if verification should fail, otherwise 1
059ec3d9
PH
518*/
519
520static int
70e384dd
JH
521verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
522 tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
059ec3d9 523{
421aff85 524X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
a7538db1 525int depth = X509_STORE_CTX_get_error_depth(x509ctx);
f69979cf 526uschar dn[256];
059ec3d9 527
70e384dd
JH
528if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
529 {
530 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
531 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
532 tlsp == &tls_out ? deliver_host_address : sender_host_address);
533 return 0;
534 }
f69979cf 535dn[sizeof(dn)-1] = '\0';
059ec3d9 536
f2f2c91b 537if (preverify_ok == 0)
059ec3d9 538 {
f77197ae
JH
539 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
540 *verify_mode, sender_host_address)
541 : US"";
542 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
543 tlsp == &tls_out ? deliver_host_address : sender_host_address,
544 extra, depth,
545 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
a2ff477a 546 *calledp = TRUE;
9d1c15ef
JH
547 if (!*optionalp)
548 {
f69979cf
JH
549 if (!tlsp->peercert)
550 tlsp->peercert = X509_dup(cert); /* record failing cert */
551 return 0; /* reject */
9d1c15ef 552 }
059ec3d9
PH
553 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
554 "tls_try_verify_hosts)\n");
059ec3d9
PH
555 }
556
a7538db1 557else if (depth != 0)
059ec3d9 558 {
f69979cf 559 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
f2de3a33 560#ifndef DISABLE_OCSP
f5d78688
JH
561 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
562 { /* client, wanting stapling */
563 /* Add the server cert's signing chain as the one
564 for the verification of the OCSP stapled information. */
94431adb 565
f5d78688 566 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
421aff85 567 cert))
f5d78688 568 ERR_clear_error();
c3033f13 569 sk_X509_push(client_static_cbinfo->verify_stack, cert);
f5d78688
JH
570 }
571#endif
0cbf2b82 572#ifndef DISABLE_EVENT
f69979cf
JH
573 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
574 return 0; /* reject, with peercert set */
a7538db1 575#endif
059ec3d9
PH
576 }
577else
578 {
55414b25 579 const uschar * verify_cert_hostnames;
e51c7be2 580
e51c7be2
JH
581 if ( tlsp == &tls_out
582 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
afdb5e9c 583 /* client, wanting hostname check */
e51c7be2 584 {
f69979cf 585
740f36d4 586#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
f69979cf
JH
587# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
588# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
589# endif
590# ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
591# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
592# endif
e51c7be2 593 int sep = 0;
55414b25 594 const uschar * list = verify_cert_hostnames;
e51c7be2 595 uschar * name;
d8e7834a
JH
596 int rc;
597 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
f40d5be3 598 if ((rc = X509_check_host(cert, CCS name, 0,
8d692470 599 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
740f36d4
JH
600 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
601 NULL)))
d8e7834a
JH
602 {
603 if (rc < 0)
604 {
93a6fce2 605 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
f77197ae 606 tlsp == &tls_out ? deliver_host_address : sender_host_address);
d8e7834a
JH
607 name = NULL;
608 }
e51c7be2 609 break;
d8e7834a 610 }
e51c7be2 611 if (!name)
f69979cf 612#else
e51c7be2 613 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
f69979cf 614#endif
e51c7be2 615 {
f77197ae
JH
616 uschar * extra = verify_mode
617 ? string_sprintf(" (during %c-verify for [%s])",
618 *verify_mode, sender_host_address)
619 : US"";
e51c7be2 620 log_write(0, LOG_MAIN,
f77197ae
JH
621 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
622 tlsp == &tls_out ? deliver_host_address : sender_host_address,
623 extra, dn, verify_cert_hostnames);
a3ef7310
JH
624 *calledp = TRUE;
625 if (!*optionalp)
f69979cf
JH
626 {
627 if (!tlsp->peercert)
628 tlsp->peercert = X509_dup(cert); /* record failing cert */
629 return 0; /* reject */
630 }
a3ef7310
JH
631 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
632 "tls_try_verify_hosts)\n");
e51c7be2 633 }
f69979cf 634 }
e51c7be2 635
0cbf2b82 636#ifndef DISABLE_EVENT
f69979cf
JH
637 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
638 return 0; /* reject, with peercert set */
e51c7be2
JH
639#endif
640
93dcb1c2 641 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
f69979cf 642 *calledp ? "" : " authenticated", dn);
93dcb1c2
JH
643 if (!*calledp) tlsp->certificate_verified = TRUE;
644 *calledp = TRUE;
059ec3d9
PH
645 }
646
a7538db1 647return 1; /* accept, at least for this level */
059ec3d9
PH
648}
649
a2ff477a 650static int
f2f2c91b 651verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 652{
f2f2c91b
JH
653return verify_callback(preverify_ok, x509ctx, &tls_out,
654 &client_verify_callback_called, &client_verify_optional);
a2ff477a
JH
655}
656
657static int
f2f2c91b 658verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 659{
f2f2c91b
JH
660return verify_callback(preverify_ok, x509ctx, &tls_in,
661 &server_verify_callback_called, &server_verify_optional);
a2ff477a
JH
662}
663
059ec3d9 664
c0635b6d 665#ifdef SUPPORT_DANE
53a7196b 666
e5cccda9
JH
667/* This gets called *by* the dane library verify callback, which interposes
668itself.
669*/
670static int
f2f2c91b 671verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
e5cccda9
JH
672{
673X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
f69979cf 674uschar dn[256];
83b27293 675int depth = X509_STORE_CTX_get_error_depth(x509ctx);
5c75db2e 676#ifndef DISABLE_EVENT
f69979cf 677BOOL dummy_called, optional = FALSE;
83b27293 678#endif
e5cccda9 679
70e384dd
JH
680if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
681 {
682 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
683 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
684 deliver_host_address);
685 return 0;
686 }
f69979cf 687dn[sizeof(dn)-1] = '\0';
e5cccda9 688
f2f2c91b
JH
689DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
690 preverify_ok ? "ok":"BAD", depth, dn);
e5cccda9 691
0cbf2b82 692#ifndef DISABLE_EVENT
f69979cf
JH
693 if (verify_event(&tls_out, cert, depth, dn,
694 &dummy_called, &optional, US"DANE"))
695 return 0; /* reject, with peercert set */
83b27293
JH
696#endif
697
f2f2c91b 698if (preverify_ok == 1)
6fbf3599
JH
699 {
700 tls_out.dane_verified = tls_out.certificate_verified = TRUE;
701#ifndef DISABLE_OCSP
702 if (client_static_cbinfo->u_ocsp.client.verify_store)
703 { /* client, wanting stapling */
704 /* Add the server cert's signing chain as the one
705 for the verification of the OCSP stapled information. */
706
707 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
708 cert))
709 ERR_clear_error();
710 sk_X509_push(client_static_cbinfo->verify_stack, cert);
711 }
712#endif
713 }
f2f2c91b
JH
714else
715 {
716 int err = X509_STORE_CTX_get_error(x509ctx);
717 DEBUG(D_tls)
718 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
3c51463e 719 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
f2f2c91b
JH
720 preverify_ok = 1;
721 }
722return preverify_ok;
e5cccda9 723}
53a7196b 724
c0635b6d 725#endif /*SUPPORT_DANE*/
e5cccda9 726
059ec3d9
PH
727
728/*************************************************
729* Information callback *
730*************************************************/
731
732/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP
733are doing. We copy the string to the debugging output when TLS debugging has
734been requested.
059ec3d9
PH
735
736Arguments:
737 s the SSL connection
738 where
739 ret
740
741Returns: nothing
742*/
743
744static void
745info_callback(SSL *s, int where, int ret)
746{
747where = where;
748ret = ret;
749DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
750}
751
752
753
754/*************************************************
755* Initialize for DH *
756*************************************************/
757
758/* If dhparam is set, expand it, and load up the parameters for DH encryption.
759
760Arguments:
038597d2 761 sctx The current SSL CTX (inbound or outbound)
a799883d 762 dhparam DH parameter file or fixed parameter identity string
7199e1ee 763 host connected host, if client; NULL if server
cf0c6164 764 errstr error string pointer
059ec3d9
PH
765
766Returns: TRUE if OK (nothing to set up, or setup worked)
767*/
768
769static BOOL
cf0c6164 770init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
059ec3d9 771{
059ec3d9
PH
772BIO *bio;
773DH *dh;
774uschar *dhexpanded;
a799883d 775const char *pem;
6600985a 776int dh_bitsize;
059ec3d9 777
cf0c6164 778if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
059ec3d9
PH
779 return FALSE;
780
0df4ab80 781if (!dhexpanded || !*dhexpanded)
a799883d 782 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
a799883d 783else if (dhexpanded[0] == '/')
059ec3d9 784 {
0df4ab80 785 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
059ec3d9 786 {
7199e1ee 787 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
cf0c6164 788 host, US strerror(errno), errstr);
a799883d 789 return FALSE;
059ec3d9 790 }
a799883d
PP
791 }
792else
793 {
794 if (Ustrcmp(dhexpanded, "none") == 0)
059ec3d9 795 {
a799883d
PP
796 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
797 return TRUE;
059ec3d9 798 }
a799883d 799
0df4ab80 800 if (!(pem = std_dh_prime_named(dhexpanded)))
a799883d
PP
801 {
802 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
cf0c6164 803 host, US strerror(errno), errstr);
a799883d
PP
804 return FALSE;
805 }
806 bio = BIO_new_mem_buf(CS pem, -1);
807 }
808
0df4ab80 809if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
a799883d 810 {
059ec3d9 811 BIO_free(bio);
a799883d 812 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
cf0c6164 813 host, NULL, errstr);
a799883d
PP
814 return FALSE;
815 }
816
6600985a
PP
817/* note: our default limit of 2236 is not a multiple of 8; the limit comes from
818 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
819 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
820 * If someone wants to dance at the edge, then they can raise the limit or use
821 * current libraries. */
822#ifdef EXIM_HAVE_OPENSSL_DH_BITS
823/* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
824 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
825dh_bitsize = DH_bits(dh);
826#else
827dh_bitsize = 8 * DH_size(dh);
828#endif
829
a799883d
PP
830/* Even if it is larger, we silently return success rather than cause things
831 * to fail out, so that a too-large DH will not knock out all TLS; it's a
832 * debatable choice. */
6600985a 833if (dh_bitsize > tls_dh_max_bits)
a799883d
PP
834 {
835 DEBUG(D_tls)
170f4904 836 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
6600985a 837 dh_bitsize, tls_dh_max_bits);
a799883d
PP
838 }
839else
840 {
841 SSL_CTX_set_tmp_dh(sctx, dh);
842 DEBUG(D_tls)
843 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
6600985a 844 dhexpanded ? dhexpanded : US"default", dh_bitsize);
059ec3d9
PH
845 }
846
a799883d
PP
847DH_free(dh);
848BIO_free(bio);
849
850return TRUE;
059ec3d9
PH
851}
852
853
854
855
038597d2
PP
856/*************************************************
857* Initialize for ECDH *
858*************************************************/
859
860/* Load parameters for ECDH encryption.
861
862For now, we stick to NIST P-256 because: it's simple and easy to configure;
863it avoids any patent issues that might bite redistributors; despite events in
864the news and concerns over curve choices, we're not cryptographers, we're not
865pretending to be, and this is "good enough" to be better than no support,
866protecting against most adversaries. Given another year or two, there might
867be sufficient clarity about a "right" way forward to let us make an informed
868decision, instead of a knee-jerk reaction.
869
870Longer-term, we should look at supporting both various named curves and
871external files generated with "openssl ecparam", much as we do for init_dh().
872We should also support "none" as a value, to explicitly avoid initialisation.
873
874Patches welcome.
875
876Arguments:
877 sctx The current SSL CTX (inbound or outbound)
878 host connected host, if client; NULL if server
cf0c6164 879 errstr error string pointer
038597d2
PP
880
881Returns: TRUE if OK (nothing to set up, or setup worked)
882*/
883
884static BOOL
cf0c6164 885init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
038597d2 886{
63f0dbe0
JH
887#ifdef OPENSSL_NO_ECDH
888return TRUE;
889#else
890
10ca4f1c
JH
891EC_KEY * ecdh;
892uschar * exp_curve;
893int nid;
894BOOL rv;
895
038597d2
PP
896if (host) /* No ECDH setup for clients, only for servers */
897 return TRUE;
898
10ca4f1c 899# ifndef EXIM_HAVE_ECDH
038597d2
PP
900DEBUG(D_tls)
901 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
902return TRUE;
038597d2 903# else
10ca4f1c 904
cf0c6164 905if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
10ca4f1c
JH
906 return FALSE;
907if (!exp_curve || !*exp_curve)
908 return TRUE;
909
8e53a4fc 910/* "auto" needs to be handled carefully.
4c04137d 911 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
8e53a4fc 912 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
4c04137d 913 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
8e53a4fc
HSHR
914 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
915 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
916 */
10ca4f1c 917if (Ustrcmp(exp_curve, "auto") == 0)
038597d2 918 {
8e53a4fc 919#if OPENSSL_VERSION_NUMBER < 0x10002000L
10ca4f1c 920 DEBUG(D_tls) debug_printf(
8e53a4fc 921 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
78a3bbd5 922 exp_curve = US"prime256v1";
8e53a4fc
HSHR
923#else
924# if defined SSL_CTRL_SET_ECDH_AUTO
925 DEBUG(D_tls) debug_printf(
926 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
10ca4f1c
JH
927 SSL_CTX_set_ecdh_auto(sctx, 1);
928 return TRUE;
8e53a4fc
HSHR
929# else
930 DEBUG(D_tls) debug_printf(
931 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
932 return TRUE;
933# endif
934#endif
10ca4f1c 935 }
038597d2 936
10ca4f1c
JH
937DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
938if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
939# ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
940 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
941# endif
942 )
943 {
cf0c6164
JH
944 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
945 host, NULL, errstr);
10ca4f1c
JH
946 return FALSE;
947 }
038597d2 948
10ca4f1c
JH
949if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
950 {
cf0c6164 951 tls_error(US"Unable to create ec curve", host, NULL, errstr);
10ca4f1c 952 return FALSE;
038597d2 953 }
10ca4f1c
JH
954
955/* The "tmp" in the name here refers to setting a temporary key
956not to the stability of the interface. */
957
958if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
cf0c6164 959 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
10ca4f1c
JH
960else
961 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
962
963EC_KEY_free(ecdh);
964return !rv;
965
966# endif /*EXIM_HAVE_ECDH*/
967#endif /*OPENSSL_NO_ECDH*/
038597d2
PP
968}
969
970
971
972
f2de3a33 973#ifndef DISABLE_OCSP
3f7eeb86
PP
974/*************************************************
975* Load OCSP information into state *
976*************************************************/
f5d78688 977/* Called to load the server OCSP response from the given file into memory, once
3f7eeb86
PP
978caller has determined this is needed. Checks validity. Debugs a message
979if invalid.
980
981ASSUMES: single response, for single cert.
982
983Arguments:
984 sctx the SSL_CTX* to update
985 cbinfo various parts of session state
986 expanded the filename putatively holding an OCSP response
987
988*/
989
990static void
f5d78688 991ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
3f7eeb86 992{
ee5b1e28
JH
993BIO * bio;
994OCSP_RESPONSE * resp;
995OCSP_BASICRESP * basic_response;
996OCSP_SINGLERESP * single_response;
997ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
ee5b1e28 998STACK_OF(X509) * sk;
3f7eeb86
PP
999unsigned long verify_flags;
1000int status, reason, i;
1001
f5d78688
JH
1002cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
1003if (cbinfo->u_ocsp.server.response)
3f7eeb86 1004 {
f5d78688
JH
1005 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
1006 cbinfo->u_ocsp.server.response = NULL;
3f7eeb86
PP
1007 }
1008
ee5b1e28 1009if (!(bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb")))
3f7eeb86
PP
1010 {
1011 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
f5d78688 1012 cbinfo->u_ocsp.server.file_expanded);
3f7eeb86
PP
1013 return;
1014 }
1015
1016resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
1017BIO_free(bio);
1018if (!resp)
1019 {
1020 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
1021 return;
1022 }
1023
ee5b1e28 1024if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
3f7eeb86
PP
1025 {
1026 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
1027 OCSP_response_status_str(status), status);
f5d78688 1028 goto bad;
3f7eeb86
PP
1029 }
1030
ee5b1e28 1031if (!(basic_response = OCSP_response_get1_basic(resp)))
3f7eeb86
PP
1032 {
1033 DEBUG(D_tls)
1034 debug_printf("OCSP response parse error: unable to extract basic response.\n");
f5d78688 1035 goto bad;
3f7eeb86
PP
1036 }
1037
c3033f13 1038sk = cbinfo->verify_stack;
3f7eeb86
PP
1039verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
1040
1041/* May need to expose ability to adjust those flags?
1042OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
1043OCSP_TRUSTOTHER OCSP_NOINTERN */
1044
4c04137d 1045/* This does a full verify on the OCSP proof before we load it for serving
ee5b1e28
JH
1046up; possibly overkill - just date-checks might be nice enough.
1047
1048OCSP_basic_verify takes a "store" arg, but does not
1049use it for the chain verification, which is all we do
1050when OCSP_NOVERIFY is set. The content from the wire
1051"basic_response" and a cert-stack "sk" are all that is used.
1052
c3033f13
JH
1053We have a stack, loaded in setup_certs() if tls_verify_certificates
1054was a file (not a directory, or "system"). It is unfortunate we
1055cannot used the connection context store, as that would neatly
1056handle the "system" case too, but there seems to be no library
1057function for getting a stack from a store.
e3555426 1058[ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
c3033f13
JH
1059We do not free the stack since it could be needed a second time for
1060SNI handling.
1061
4c04137d 1062Separately we might try to replace using OCSP_basic_verify() - which seems to not
5ec37a55 1063be a public interface into the OpenSSL library (there's no manual entry) -
ee5b1e28 1064But what with? We also use OCSP_basic_verify in the client stapling callback.
4c04137d 1065And there we NEED it; we must verify that status... unless the
ee5b1e28
JH
1066library does it for us anyway? */
1067
1068if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
3f7eeb86 1069 {
ee5b1e28
JH
1070 DEBUG(D_tls)
1071 {
3f7eeb86
PP
1072 ERR_error_string(ERR_get_error(), ssl_errstring);
1073 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
f5d78688
JH
1074 }
1075 goto bad;
3f7eeb86
PP
1076 }
1077
1078/* Here's the simplifying assumption: there's only one response, for the
1079one certificate we use, and nothing for anything else in a chain. If this
1080proves false, we need to extract a cert id from our issued cert
1081(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
1082right cert in the stack and then calls OCSP_single_get0_status()).
1083
1084I'm hoping to avoid reworking a bunch more of how we handle state here. */
ee5b1e28
JH
1085
1086if (!(single_response = OCSP_resp_get0(basic_response, 0)))
3f7eeb86
PP
1087 {
1088 DEBUG(D_tls)
1089 debug_printf("Unable to get first response from OCSP basic response.\n");
f5d78688 1090 goto bad;
3f7eeb86
PP
1091 }
1092
1093status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
f5d78688 1094if (status != V_OCSP_CERTSTATUS_GOOD)
3f7eeb86 1095 {
f5d78688
JH
1096 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
1097 OCSP_cert_status_str(status), status,
1098 OCSP_crl_reason_str(reason), reason);
1099 goto bad;
3f7eeb86
PP
1100 }
1101
1102if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1103 {
1104 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
f5d78688 1105 goto bad;
3f7eeb86
PP
1106 }
1107
f5d78688 1108supply_response:
47195144 1109 cbinfo->u_ocsp.server.response = resp; /*XXX stack?*/
f5d78688
JH
1110return;
1111
1112bad:
8768d548 1113 if (f.running_in_test_harness)
018058b2
JH
1114 {
1115 extern char ** environ;
1116 uschar ** p;
47195144 1117 if (environ) for (p = USS environ; *p; p++)
018058b2
JH
1118 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1119 {
1120 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
1121 goto supply_response;
1122 }
1123 }
f5d78688 1124return;
3f7eeb86 1125}
f2de3a33 1126#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
1127
1128
1129
1130
23bb6982
JH
1131/* Create and install a selfsigned certificate, for use in server mode */
1132
1133static int
cf0c6164 1134tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
23bb6982
JH
1135{
1136X509 * x509 = NULL;
1137EVP_PKEY * pkey;
1138RSA * rsa;
1139X509_NAME * name;
1140uschar * where;
1141
1142where = US"allocating pkey";
1143if (!(pkey = EVP_PKEY_new()))
1144 goto err;
1145
1146where = US"allocating cert";
1147if (!(x509 = X509_new()))
1148 goto err;
1149
1150where = US"generating pkey";
3ae79556 1151if (!(rsa = rsa_callback(NULL, 0, 1024)))
23bb6982
JH
1152 goto err;
1153
4c04137d 1154where = US"assigning pkey";
23bb6982
JH
1155if (!EVP_PKEY_assign_RSA(pkey, rsa))
1156 goto err;
1157
1158X509_set_version(x509, 2); /* N+1 - version 3 */
1613fd68 1159ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
23bb6982
JH
1160X509_gmtime_adj(X509_get_notBefore(x509), 0);
1161X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
1162X509_set_pubkey(x509, pkey);
1163
1164name = X509_get_subject_name(x509);
1165X509_NAME_add_entry_by_txt(name, "C",
4dc2379a 1166 MBSTRING_ASC, CUS "UK", -1, -1, 0);
23bb6982 1167X509_NAME_add_entry_by_txt(name, "O",
4dc2379a 1168 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
23bb6982 1169X509_NAME_add_entry_by_txt(name, "CN",
4dc2379a 1170 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
23bb6982
JH
1171X509_set_issuer_name(x509, name);
1172
1173where = US"signing cert";
1174if (!X509_sign(x509, pkey, EVP_md5()))
1175 goto err;
1176
1177where = US"installing selfsign cert";
1178if (!SSL_CTX_use_certificate(sctx, x509))
1179 goto err;
1180
1181where = US"installing selfsign key";
1182if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1183 goto err;
1184
1185return OK;
1186
1187err:
cf0c6164 1188 (void) tls_error(where, NULL, NULL, errstr);
23bb6982
JH
1189 if (x509) X509_free(x509);
1190 if (pkey) EVP_PKEY_free(pkey);
1191 return DEFER;
1192}
1193
1194
1195
1196
ba86e143
JH
1197static int
1198tls_add_certfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1199 uschar ** errstr)
1200{
1201DEBUG(D_tls) debug_printf("tls_certificate file %s\n", file);
1202if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1203 return tls_error(string_sprintf(
1204 "SSL_CTX_use_certificate_chain_file file=%s", file),
1205 cbinfo->host, NULL, errstr);
1206return 0;
1207}
1208
1209static int
1210tls_add_pkeyfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1211 uschar ** errstr)
1212{
1213DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", file);
1214if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1215 return tls_error(string_sprintf(
1216 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1217return 0;
1218}
1219
1220
059ec3d9 1221/*************************************************
7be682ca
PP
1222* Expand key and cert file specs *
1223*************************************************/
1224
f5d78688 1225/* Called once during tls_init and possibly again during TLS setup, for a
7be682ca
PP
1226new context, if Server Name Indication was used and tls_sni was seen in
1227the certificate string.
1228
1229Arguments:
1230 sctx the SSL_CTX* to update
1231 cbinfo various parts of session state
cf0c6164 1232 errstr error string pointer
7be682ca
PP
1233
1234Returns: OK/DEFER/FAIL
1235*/
1236
1237static int
cf0c6164
JH
1238tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo,
1239 uschar ** errstr)
7be682ca
PP
1240{
1241uschar *expanded;
1242
23bb6982 1243if (!cbinfo->certificate)
7be682ca 1244 {
ba86e143 1245 if (!cbinfo->is_server) /* client */
23bb6982 1246 return OK;
afdb5e9c 1247 /* server */
cf0c6164 1248 if (tls_install_selfsign(sctx, errstr) != OK)
23bb6982 1249 return DEFER;
7be682ca 1250 }
23bb6982
JH
1251else
1252 {
ba86e143
JH
1253 int err;
1254
23bb6982
JH
1255 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
1256 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
1257 Ustrstr(cbinfo->certificate, US"tls_out_sni")
1258 )
1259 reexpand_tls_files_for_sni = TRUE;
7be682ca 1260
cf0c6164 1261 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
23bb6982
JH
1262 return DEFER;
1263
ba86e143
JH
1264 if (expanded)
1265 if (cbinfo->is_server)
1266 {
1267 const uschar * file_list = expanded;
1268 int sep = 0;
1269 uschar * file;
1270
1271 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1272 if ((err = tls_add_certfile(sctx, cbinfo, file, errstr)))
1273 return err;
1274 }
1275 else /* would there ever be a need for multiple client certs? */
1276 if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
1277 return err;
7be682ca 1278
23bb6982 1279 if (cbinfo->privatekey != NULL &&
cf0c6164 1280 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
23bb6982 1281 return DEFER;
7be682ca 1282
23bb6982
JH
1283 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1284 of the expansion is an empty string, ignore it also, and assume the private
1285 key is in the same file as the certificate. */
1286
1287 if (expanded && *expanded)
ba86e143
JH
1288 if (cbinfo->is_server)
1289 {
1290 const uschar * file_list = expanded;
1291 int sep = 0;
1292 uschar * file;
1293
1294 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1295 if ((err = tls_add_pkeyfile(sctx, cbinfo, file, errstr)))
1296 return err;
1297 }
1298 else /* would there ever be a need for multiple client certs? */
1299 if ((err = tls_add_pkeyfile(sctx, cbinfo, expanded, errstr)))
1300 return err;
7be682ca
PP
1301 }
1302
f2de3a33 1303#ifndef DISABLE_OCSP
f40d5be3 1304if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
3f7eeb86 1305 {
47195144 1306 /*XXX stack*/
cf0c6164 1307 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded, errstr))
3f7eeb86
PP
1308 return DEFER;
1309
f40d5be3 1310 if (expanded && *expanded)
3f7eeb86
PP
1311 {
1312 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
f40d5be3
JH
1313 if ( cbinfo->u_ocsp.server.file_expanded
1314 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
3f7eeb86 1315 {
f40d5be3
JH
1316 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1317 }
1318 else
f40d5be3 1319 ocsp_load_response(sctx, cbinfo, expanded);
3f7eeb86
PP
1320 }
1321 }
1322#endif
1323
7be682ca
PP
1324return OK;
1325}
1326
1327
1328
1329
1330/*************************************************
1331* Callback to handle SNI *
1332*************************************************/
1333
1334/* Called when acting as server during the TLS session setup if a Server Name
1335Indication extension was sent by the client.
1336
1337API documentation is OpenSSL s_server.c implementation.
1338
1339Arguments:
1340 s SSL* of the current session
1341 ad unknown (part of OpenSSL API) (unused)
1342 arg Callback of "our" registered data
1343
1344Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
1345*/
1346
3bcbbbe2 1347#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca 1348static int
7be682ca
PP
1349tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1350{
1351const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3f7eeb86 1352tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
7be682ca 1353int rc;
3f0945ff 1354int old_pool = store_pool;
cf0c6164 1355uschar * dummy_errstr;
7be682ca
PP
1356
1357if (!servername)
1358 return SSL_TLSEXT_ERR_OK;
1359
3f0945ff 1360DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
7be682ca
PP
1361 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1362
1363/* Make the extension value available for expansion */
3f0945ff 1364store_pool = POOL_PERM;
817d9f57 1365tls_in.sni = string_copy(US servername);
3f0945ff 1366store_pool = old_pool;
7be682ca
PP
1367
1368if (!reexpand_tls_files_for_sni)
1369 return SSL_TLSEXT_ERR_OK;
1370
1371/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1372not confident that memcpy wouldn't break some internal reference counting.
1373Especially since there's a references struct member, which would be off. */
1374
7a8b9519
JH
1375#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1376if (!(server_sni = SSL_CTX_new(TLS_server_method())))
1377#else
0df4ab80 1378if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
7a8b9519 1379#endif
7be682ca
PP
1380 {
1381 ERR_error_string(ERR_get_error(), ssl_errstring);
1382 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
1383 return SSL_TLSEXT_ERR_NOACK;
1384 }
1385
1386/* Not sure how many of these are actually needed, since SSL object
1387already exists. Might even need this selfsame callback, for reneg? */
1388
817d9f57
JH
1389SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1390SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1391SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1392SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1393SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1394SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
038597d2 1395
cf0c6164
JH
1396if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1397 || !init_ecdh(server_sni, NULL, &dummy_errstr)
038597d2
PP
1398 )
1399 return SSL_TLSEXT_ERR_NOACK;
1400
ca954d7f
JH
1401if ( cbinfo->server_cipher_list
1402 && !SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list))
1403 return SSL_TLSEXT_ERR_NOACK;
1404
f2de3a33 1405#ifndef DISABLE_OCSP
f5d78688 1406if (cbinfo->u_ocsp.server.file)
3f7eeb86 1407 {
f5d78688 1408 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
14c7b357 1409 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
3f7eeb86
PP
1410 }
1411#endif
7be682ca 1412
c3033f13 1413if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
cf0c6164 1414 verify_callback_server, &dummy_errstr)) != OK)
c3033f13 1415 return SSL_TLSEXT_ERR_NOACK;
7be682ca 1416
3f7eeb86
PP
1417/* do this after setup_certs, because this can require the certs for verifying
1418OCSP information. */
cf0c6164 1419if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
0df4ab80 1420 return SSL_TLSEXT_ERR_NOACK;
a799883d 1421
7be682ca 1422DEBUG(D_tls) debug_printf("Switching SSL context.\n");
817d9f57 1423SSL_set_SSL_CTX(s, server_sni);
7be682ca
PP
1424
1425return SSL_TLSEXT_ERR_OK;
1426}
3bcbbbe2 1427#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
7be682ca
PP
1428
1429
1430
1431
f2de3a33 1432#ifndef DISABLE_OCSP
f5d78688 1433
3f7eeb86
PP
1434/*************************************************
1435* Callback to handle OCSP Stapling *
1436*************************************************/
1437
1438/* Called when acting as server during the TLS session setup if the client
1439requests OCSP information with a Certificate Status Request.
1440
1441Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1442project.
1443
1444*/
1445
1446static int
f5d78688 1447tls_server_stapling_cb(SSL *s, void *arg)
3f7eeb86
PP
1448{
1449const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
47195144 1450uschar *response_der; /*XXX blob */
3f7eeb86
PP
1451int response_der_len;
1452
47195144
JH
1453/*XXX stack: use SSL_get_certificate() to see which cert; from that work
1454out which ocsp blob to send. Unfortunately, SSL_get_certificate is known
1455buggy in current OpenSSL; it returns the last cert loaded always rather than
1456the one actually presented. So we can't support a stack of OCSP proofs at
1457this time. */
1458
af4a1bca 1459DEBUG(D_tls)
b3ef41c9 1460 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
f5d78688
JH
1461 cbinfo->u_ocsp.server.response ? "have" : "lack");
1462
44662487 1463tls_in.ocsp = OCSP_NOT_RESP;
f5d78688 1464if (!cbinfo->u_ocsp.server.response)
3f7eeb86
PP
1465 return SSL_TLSEXT_ERR_NOACK;
1466
1467response_der = NULL;
47195144 1468response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, /*XXX stack*/
44662487 1469 &response_der);
3f7eeb86
PP
1470if (response_der_len <= 0)
1471 return SSL_TLSEXT_ERR_NOACK;
1472
5e55c7a9 1473SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
44662487 1474tls_in.ocsp = OCSP_VFIED;
3f7eeb86
PP
1475return SSL_TLSEXT_ERR_OK;
1476}
1477
3f7eeb86 1478
f5d78688
JH
1479static void
1480time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1481{
1482BIO_printf(bp, "\t%s: ", str);
1483ASN1_GENERALIZEDTIME_print(bp, time);
1484BIO_puts(bp, "\n");
1485}
1486
1487static int
1488tls_client_stapling_cb(SSL *s, void *arg)
1489{
1490tls_ext_ctx_cb * cbinfo = arg;
1491const unsigned char * p;
1492int len;
1493OCSP_RESPONSE * rsp;
1494OCSP_BASICRESP * bs;
1495int i;
1496
1497DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1498len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1499if(!p)
1500 {
44662487 1501 /* Expect this when we requested ocsp but got none */
6c6d6e48 1502 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
44662487 1503 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
f5d78688
JH
1504 else
1505 DEBUG(D_tls) debug_printf(" null\n");
44662487 1506 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688 1507 }
018058b2 1508
f5d78688
JH
1509if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1510 {
018058b2 1511 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1512 if (LOGGING(tls_cipher))
1eca31ca 1513 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
f5d78688
JH
1514 else
1515 DEBUG(D_tls) debug_printf(" parse error\n");
1516 return 0;
1517 }
1518
1519if(!(bs = OCSP_response_get1_basic(rsp)))
1520 {
018058b2 1521 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1522 if (LOGGING(tls_cipher))
1eca31ca 1523 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
f5d78688
JH
1524 else
1525 DEBUG(D_tls) debug_printf(" error parsing response\n");
1526 OCSP_RESPONSE_free(rsp);
1527 return 0;
1528 }
1529
1530/* We'd check the nonce here if we'd put one in the request. */
1531/* However that would defeat cacheability on the server so we don't. */
1532
f5d78688
JH
1533/* This section of code reworked from OpenSSL apps source;
1534 The OpenSSL Project retains copyright:
1535 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1536*/
1537 {
1538 BIO * bp = NULL;
f5d78688
JH
1539 int status, reason;
1540 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1541
57887ecc 1542 DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
f5d78688
JH
1543
1544 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1545
1546 /* Use the chain that verified the server cert to verify the stapled info */
1547 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1548
c3033f13 1549 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
44662487 1550 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
f5d78688 1551 {
018058b2 1552 tls_out.ocsp = OCSP_FAILED;
57887ecc
JH
1553 if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
1554 "Received TLS cert status response, itself unverifiable: %s",
1555 ERR_reason_error_string(ERR_peek_error()));
f5d78688
JH
1556 BIO_printf(bp, "OCSP response verify failure\n");
1557 ERR_print_errors(bp);
57887ecc 1558 OCSP_RESPONSE_print(bp, rsp, 0);
c8dfb21d 1559 goto failed;
f5d78688
JH
1560 }
1561
1562 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1563
c8dfb21d
JH
1564 /*XXX So we have a good stapled OCSP status. How do we know
1565 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1566 OCSP_resp_find_status() which matches on a cert id, which presumably
1567 we should use. Making an id needs OCSP_cert_id_new(), which takes
1568 issuerName, issuerKey, serialNumber. Are they all in the cert?
1569
1570 For now, carry on blindly accepting the resp. */
1571
f5d78688 1572 {
f5d78688
JH
1573 OCSP_SINGLERESP * single;
1574
c8dfb21d
JH
1575#ifdef EXIM_HAVE_OCSP_RESP_COUNT
1576 if (OCSP_resp_count(bs) != 1)
1577#else
1578 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
f5d78688 1579 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
c8dfb21d 1580#endif
f5d78688 1581 {
018058b2 1582 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1583 log_write(0, LOG_MAIN, "OCSP stapling "
1584 "with multiple responses not handled");
c8dfb21d 1585 goto failed;
f5d78688
JH
1586 }
1587 single = OCSP_resp_get0(bs, 0);
44662487
JH
1588 status = OCSP_single_get0_status(single, &reason, &rev,
1589 &thisupd, &nextupd);
f5d78688
JH
1590 }
1591
f5d78688
JH
1592 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1593 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
44662487
JH
1594 if (!OCSP_check_validity(thisupd, nextupd,
1595 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
f5d78688 1596 {
018058b2 1597 tls_out.ocsp = OCSP_FAILED;
f5d78688
JH
1598 DEBUG(D_tls) ERR_print_errors(bp);
1599 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
f5d78688 1600 }
44662487 1601 else
f5d78688 1602 {
44662487
JH
1603 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1604 OCSP_cert_status_str(status));
1605 switch(status)
1606 {
1607 case V_OCSP_CERTSTATUS_GOOD:
44662487 1608 tls_out.ocsp = OCSP_VFIED;
018058b2 1609 i = 1;
c8dfb21d 1610 goto good;
44662487 1611 case V_OCSP_CERTSTATUS_REVOKED:
018058b2 1612 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1613 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1614 reason != -1 ? "; reason: " : "",
1615 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1616 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
44662487
JH
1617 break;
1618 default:
018058b2 1619 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1620 log_write(0, LOG_MAIN,
1621 "Server certificate status unknown, in OCSP stapling");
44662487
JH
1622 break;
1623 }
f5d78688 1624 }
c8dfb21d
JH
1625 failed:
1626 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1627 good:
f5d78688
JH
1628 BIO_free(bp);
1629 }
1630
1631OCSP_RESPONSE_free(rsp);
1632return i;
1633}
f2de3a33 1634#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
1635
1636
7be682ca 1637/*************************************************
059ec3d9
PH
1638* Initialize for TLS *
1639*************************************************/
1640
e51c7be2
JH
1641/* Called from both server and client code, to do preliminary initialization
1642of the library. We allocate and return a context structure.
059ec3d9
PH
1643
1644Arguments:
946ecbe0 1645 ctxp returned SSL context
059ec3d9
PH
1646 host connected host, if client; NULL if server
1647 dhparam DH parameter file
1648 certificate certificate file
1649 privatekey private key
f5d78688 1650 ocsp_file file of stapling info (server); flag for require ocsp (client)
059ec3d9 1651 addr address if client; NULL if server (for some randomness)
946ecbe0 1652 cbp place to put allocated callback context
cf0c6164 1653 errstr error string pointer
059ec3d9
PH
1654
1655Returns: OK/DEFER/FAIL
1656*/
1657
1658static int
817d9f57 1659tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
3f7eeb86 1660 uschar *privatekey,
f2de3a33 1661#ifndef DISABLE_OCSP
47195144 1662 uschar *ocsp_file, /*XXX stack, in server*/
3f7eeb86 1663#endif
cf0c6164 1664 address_item *addr, tls_ext_ctx_cb ** cbp, uschar ** errstr)
059ec3d9 1665{
7006ee24 1666SSL_CTX * ctx;
77bb000f 1667long init_options;
7be682ca 1668int rc;
a7538db1 1669tls_ext_ctx_cb * cbinfo;
7be682ca
PP
1670
1671cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1672cbinfo->certificate = certificate;
1673cbinfo->privatekey = privatekey;
a6510420 1674cbinfo->is_server = host==NULL;
f2de3a33 1675#ifndef DISABLE_OCSP
c3033f13 1676cbinfo->verify_stack = NULL;
a6510420 1677if (!host)
f5d78688
JH
1678 {
1679 cbinfo->u_ocsp.server.file = ocsp_file;
1680 cbinfo->u_ocsp.server.file_expanded = NULL;
1681 cbinfo->u_ocsp.server.response = NULL;
1682 }
1683else
1684 cbinfo->u_ocsp.client.verify_store = NULL;
3f7eeb86 1685#endif
7be682ca 1686cbinfo->dhparam = dhparam;
0df4ab80 1687cbinfo->server_cipher_list = NULL;
7be682ca 1688cbinfo->host = host;
0cbf2b82 1689#ifndef DISABLE_EVENT
a7538db1
JH
1690cbinfo->event_action = NULL;
1691#endif
77bb000f 1692
059ec3d9
PH
1693SSL_load_error_strings(); /* basic set up */
1694OpenSSL_add_ssl_algorithms();
1695
c8dfb21d 1696#ifdef EXIM_HAVE_SHA256
77bb000f 1697/* SHA256 is becoming ever more popular. This makes sure it gets added to the
a0475b69
TK
1698list of available digests. */
1699EVP_add_digest(EVP_sha256());
cf1ef1a9 1700#endif
a0475b69 1701
f0f5a555
PP
1702/* Create a context.
1703The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1704negotiation in the different methods; as far as I can tell, the only
1705*_{server,client}_method which allows negotiation is SSLv23, which exists even
1706when OpenSSL is built without SSLv2 support.
1707By disabling with openssl_options, we can let admins re-enable with the
1708existing knob. */
059ec3d9 1709
7a8b9519
JH
1710#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1711if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
1712#else
7006ee24 1713if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
7a8b9519 1714#endif
7006ee24 1715 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
059ec3d9
PH
1716
1717/* It turns out that we need to seed the random number generator this early in
1718order to get the full complement of ciphers to work. It took me roughly a day
1719of work to discover this by experiment.
1720
1721On systems that have /dev/urandom, SSL may automatically seed itself from
1722there. Otherwise, we have to make something up as best we can. Double check
1723afterwards. */
1724
1725if (!RAND_status())
1726 {
1727 randstuff r;
9e3331ea 1728 gettimeofday(&r.tv, NULL);
059ec3d9
PH
1729 r.p = getpid();
1730
5903c6ff
JH
1731 RAND_seed(US (&r), sizeof(r));
1732 RAND_seed(US big_buffer, big_buffer_size);
1733 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
059ec3d9
PH
1734
1735 if (!RAND_status())
7199e1ee 1736 return tls_error(US"RAND_status", host,
cf0c6164 1737 US"unable to seed random number generator", errstr);
059ec3d9
PH
1738 }
1739
1740/* Set up the information callback, which outputs if debugging is at a suitable
1741level. */
1742
7006ee24 1743DEBUG(D_tls) SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
059ec3d9 1744
c80c5570 1745/* Automatically re-try reads/writes after renegotiation. */
7006ee24 1746(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
c80c5570 1747
77bb000f
PP
1748/* Apply administrator-supplied work-arounds.
1749Historically we applied just one requested option,
1750SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1751moved to an administrator-controlled list of options to specify and
1752grandfathered in the first one as the default value for "openssl_options".
059ec3d9 1753
77bb000f
PP
1754No OpenSSL version number checks: the options we accept depend upon the
1755availability of the option value macros from OpenSSL. */
059ec3d9 1756
7006ee24 1757if (!tls_openssl_options_parse(openssl_options, &init_options))
cf0c6164 1758 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
77bb000f
PP
1759
1760if (init_options)
1761 {
1762 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
7006ee24 1763 if (!(SSL_CTX_set_options(ctx, init_options)))
77bb000f 1764 return tls_error(string_sprintf(
cf0c6164 1765 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
77bb000f
PP
1766 }
1767else
1768 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9 1769
a28050f8
JH
1770/* We'd like to disable session cache unconditionally, but foolish Outlook
1771Express clients then give up the first TLS connection and make a second one
1772(which works). Only when there is an IMAP service on the same machine.
1773Presumably OE is trying to use the cache for A on B. Leave it enabled for
1774now, until we work out a decent way of presenting control to the config. It
1775will never be used because we use a new context every time. */
1776#ifdef notdef
7006ee24 1777(void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
a28050f8 1778#endif
7006ee24 1779
059ec3d9 1780/* Initialize with DH parameters if supplied */
10ca4f1c 1781/* Initialize ECDH temp key parameter selection */
059ec3d9 1782
7006ee24
JH
1783if ( !init_dh(ctx, dhparam, host, errstr)
1784 || !init_ecdh(ctx, host, errstr)
038597d2
PP
1785 )
1786 return DEFER;
059ec3d9 1787
3f7eeb86 1788/* Set up certificate and key (and perhaps OCSP info) */
059ec3d9 1789
7006ee24 1790if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
23bb6982 1791 return rc;
c91535f3 1792
c3033f13
JH
1793/* If we need to handle SNI or OCSP, do so */
1794
3bcbbbe2 1795#ifdef EXIM_HAVE_OPENSSL_TLSEXT
c3033f13
JH
1796# ifndef DISABLE_OCSP
1797 if (!(cbinfo->verify_stack = sk_X509_new_null()))
1798 {
1799 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
1800 return FAIL;
1801 }
1802# endif
1803
7a8b9519 1804if (!host) /* server */
3f0945ff 1805 {
f2de3a33 1806# ifndef DISABLE_OCSP
f5d78688 1807 /* We check u_ocsp.server.file, not server.response, because we care about if
3f7eeb86
PP
1808 the option exists, not what the current expansion might be, as SNI might
1809 change the certificate and OCSP file in use between now and the time the
1810 callback is invoked. */
f5d78688 1811 if (cbinfo->u_ocsp.server.file)
3f7eeb86 1812 {
7006ee24
JH
1813 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
1814 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
3f7eeb86 1815 }
f5d78688 1816# endif
3f0945ff
PP
1817 /* We always do this, so that $tls_sni is available even if not used in
1818 tls_certificate */
7006ee24
JH
1819 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
1820 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
3f0945ff 1821 }
f2de3a33 1822# ifndef DISABLE_OCSP
f5d78688
JH
1823else /* client */
1824 if(ocsp_file) /* wanting stapling */
1825 {
1826 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1827 {
1828 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1829 return FAIL;
1830 }
7006ee24
JH
1831 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
1832 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
f5d78688
JH
1833 }
1834# endif
7be682ca 1835#endif
059ec3d9 1836
e51c7be2 1837cbinfo->verify_cert_hostnames = NULL;
e51c7be2 1838
c8dfb21d 1839#ifdef EXIM_HAVE_EPHEM_RSA_KEX
059ec3d9 1840/* Set up the RSA callback */
7006ee24 1841SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
c8dfb21d 1842#endif
059ec3d9
PH
1843
1844/* Finally, set the timeout, and we are done */
1845
7006ee24 1846SSL_CTX_set_timeout(ctx, ssl_session_timeout);
059ec3d9 1847DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca 1848
817d9f57 1849*cbp = cbinfo;
7006ee24 1850*ctxp = ctx;
7be682ca 1851
059ec3d9
PH
1852return OK;
1853}
1854
1855
1856
1857
1858/*************************************************
1859* Get name of cipher in use *
1860*************************************************/
1861
817d9f57 1862/*
059ec3d9 1863Argument: pointer to an SSL structure for the connection
817d9f57
JH
1864 buffer to use for answer
1865 size of buffer
1866 pointer to number of bits for cipher
059ec3d9
PH
1867Returns: nothing
1868*/
1869
1870static void
817d9f57 1871construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
059ec3d9 1872{
7a8b9519 1873/* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
57b3a7f5
PP
1874yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1875the accessor functions use const in the prototype. */
059ec3d9 1876
7a8b9519
JH
1877const uschar * ver = CUS SSL_get_version(ssl);
1878const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
059ec3d9 1879
817d9f57 1880SSL_CIPHER_get_bits(c, bits);
059ec3d9 1881
817d9f57
JH
1882string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1883 SSL_CIPHER_get_name(c), *bits);
059ec3d9
PH
1884
1885DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1886}
1887
1888
f69979cf 1889static void
70e384dd 1890peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
f69979cf
JH
1891{
1892/*XXX we might consider a list-of-certs variable for the cert chain.
1893SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
1894in list-handling functions, also consider the difference between the entire
1895chain and the elements sent by the peer. */
1896
70e384dd
JH
1897tlsp->peerdn = NULL;
1898
f69979cf
JH
1899/* Will have already noted peercert on a verify fail; possibly not the leaf */
1900if (!tlsp->peercert)
1901 tlsp->peercert = SSL_get_peer_certificate(ssl);
1902/* Beware anonymous ciphers which lead to server_cert being NULL */
1903if (tlsp->peercert)
70e384dd
JH
1904 if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
1905 { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
1906 else
1907 {
1908 peerdn[siz-1] = '\0';
1909 tlsp->peerdn = peerdn; /*XXX a static buffer... */
1910 }
f69979cf
JH
1911}
1912
1913
059ec3d9
PH
1914
1915
1916
1917/*************************************************
1918* Set up for verifying certificates *
1919*************************************************/
1920
0e8aed8a 1921#ifndef DISABLE_OCSP
c3033f13
JH
1922/* Load certs from file, return TRUE on success */
1923
1924static BOOL
1925chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
1926{
1927BIO * bp;
1928X509 * x;
1929
dec766a1
WB
1930while (sk_X509_num(verify_stack) > 0)
1931 X509_free(sk_X509_pop(verify_stack));
1932
c3033f13
JH
1933if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
1934while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
1935 sk_X509_push(verify_stack, x);
1936BIO_free(bp);
1937return TRUE;
1938}
0e8aed8a 1939#endif
c3033f13
JH
1940
1941
1942
dec766a1
WB
1943/* Called by both client and server startup; on the server possibly
1944repeated after a Server Name Indication.
059ec3d9
PH
1945
1946Arguments:
7be682ca 1947 sctx SSL_CTX* to initialise
059ec3d9
PH
1948 certs certs file or NULL
1949 crl CRL file or NULL
1950 host NULL in a server; the remote host in a client
1951 optional TRUE if called from a server for a host in tls_try_verify_hosts;
1952 otherwise passed as FALSE
983207c1 1953 cert_vfy_cb Callback function for certificate verification
cf0c6164 1954 errstr error string pointer
059ec3d9
PH
1955
1956Returns: OK/DEFER/FAIL
1957*/
1958
1959static int
983207c1 1960setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 1961 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
059ec3d9
PH
1962{
1963uschar *expcerts, *expcrl;
1964
cf0c6164 1965if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
059ec3d9 1966 return DEFER;
57cc2785 1967DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
059ec3d9 1968
10a831a3 1969if (expcerts && *expcerts)
059ec3d9 1970 {
10a831a3
JH
1971 /* Tell the library to use its compiled-in location for the system default
1972 CA bundle. Then add the ones specified in the config, if any. */
cb1d7830 1973
10a831a3 1974 if (!SSL_CTX_set_default_verify_paths(sctx))
cf0c6164 1975 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
10a831a3
JH
1976
1977 if (Ustrcmp(expcerts, "system") != 0)
059ec3d9 1978 {
cb1d7830
JH
1979 struct stat statbuf;
1980
cb1d7830
JH
1981 if (Ustat(expcerts, &statbuf) < 0)
1982 {
1983 log_write(0, LOG_MAIN|LOG_PANIC,
1984 "failed to stat %s for certificates", expcerts);
1985 return DEFER;
1986 }
059ec3d9 1987 else
059ec3d9 1988 {
cb1d7830
JH
1989 uschar *file, *dir;
1990 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
1991 { file = NULL; dir = expcerts; }
1992 else
c3033f13
JH
1993 {
1994 file = expcerts; dir = NULL;
1995#ifndef DISABLE_OCSP
1996 /* In the server if we will be offering an OCSP proof, load chain from
1997 file for verifying the OCSP proof at load time. */
1998
1999 if ( !host
2000 && statbuf.st_size > 0
2001 && server_static_cbinfo->u_ocsp.server.file
2002 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
2003 )
2004 {
2005 log_write(0, LOG_MAIN|LOG_PANIC,
57887ecc 2006 "failed to load cert chain from %s", file);
c3033f13
JH
2007 return DEFER;
2008 }
2009#endif
2010 }
cb1d7830
JH
2011
2012 /* If a certificate file is empty, the next function fails with an
2013 unhelpful error message. If we skip it, we get the correct behaviour (no
2014 certificates are recognized, but the error message is still misleading (it
c3033f13 2015 says no certificate was supplied). But this is better. */
cb1d7830 2016
f2f2c91b
JH
2017 if ( (!file || statbuf.st_size > 0)
2018 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
cf0c6164 2019 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
cb1d7830
JH
2020
2021 /* Load the list of CAs for which we will accept certs, for sending
2022 to the client. This is only for the one-file tls_verify_certificates
2023 variant.
2024 If a list isn't loaded into the server, but
2025 some verify locations are set, the server end appears to make
4c04137d 2026 a wildcard request for client certs.
10a831a3 2027 Meanwhile, the client library as default behaviour *ignores* the list
cb1d7830
JH
2028 we send over the wire - see man SSL_CTX_set_client_cert_cb.
2029 Because of this, and that the dir variant is likely only used for
2030 the public-CA bundle (not for a private CA), not worth fixing.
2031 */
f2f2c91b 2032 if (file)
cb1d7830 2033 {
2009ecca 2034 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
dec766a1
WB
2035
2036 SSL_CTX_set_client_CA_list(sctx, names);
f2f2c91b 2037 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
cb1d7830 2038 sk_X509_NAME_num(names));
cb1d7830 2039 }
059ec3d9
PH
2040 }
2041 }
2042
2043 /* Handle a certificate revocation list. */
2044
10a831a3 2045#if OPENSSL_VERSION_NUMBER > 0x00907000L
059ec3d9 2046
8b417f2c 2047 /* This bit of code is now the version supplied by Lars Mainka. (I have
10a831a3 2048 merely reformatted it into the Exim code style.)
8b417f2c 2049
10a831a3
JH
2050 "From here I changed the code to add support for multiple crl's
2051 in pem format in one file or to support hashed directory entries in
2052 pem format instead of a file. This method now uses the library function
2053 X509_STORE_load_locations to add the CRL location to the SSL context.
2054 OpenSSL will then handle the verify against CA certs and CRLs by
2055 itself in the verify callback." */
8b417f2c 2056
cf0c6164 2057 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
10a831a3 2058 if (expcrl && *expcrl)
059ec3d9 2059 {
8b417f2c
PH
2060 struct stat statbufcrl;
2061 if (Ustat(expcrl, &statbufcrl) < 0)
2062 {
2063 log_write(0, LOG_MAIN|LOG_PANIC,
2064 "failed to stat %s for certificates revocation lists", expcrl);
2065 return DEFER;
2066 }
2067 else
059ec3d9 2068 {
8b417f2c
PH
2069 /* is it a file or directory? */
2070 uschar *file, *dir;
7be682ca 2071 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 2072 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 2073 {
8b417f2c
PH
2074 file = NULL;
2075 dir = expcrl;
2076 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH
2077 }
2078 else
2079 {
8b417f2c
PH
2080 file = expcrl;
2081 dir = NULL;
2082 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 2083 }
8b417f2c 2084 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
cf0c6164 2085 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
8b417f2c
PH
2086
2087 /* setting the flags to check against the complete crl chain */
2088
2089 X509_STORE_set_flags(cvstore,
2090 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 2091 }
059ec3d9
PH
2092 }
2093
10a831a3 2094#endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
059ec3d9
PH
2095
2096 /* If verification is optional, don't fail if no certificate */
2097
7be682ca 2098 SSL_CTX_set_verify(sctx,
059ec3d9 2099 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
983207c1 2100 cert_vfy_cb);
059ec3d9
PH
2101 }
2102
2103return OK;
2104}
2105
2106
2107
2108/*************************************************
2109* Start a TLS session in a server *
2110*************************************************/
2111
2112/* This is called when Exim is running as a server, after having received
2113the STARTTLS command. It must respond to that command, and then negotiate
2114a TLS session.
2115
2116Arguments:
2117 require_ciphers allowed ciphers
cf0c6164 2118 errstr pointer to error message
059ec3d9
PH
2119
2120Returns: OK on success
2121 DEFER for errors before the start of the negotiation
4c04137d 2122 FAIL for errors during the negotiation; the server can't
059ec3d9
PH
2123 continue running.
2124*/
2125
2126int
cf0c6164 2127tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH
2128{
2129int rc;
cf0c6164
JH
2130uschar * expciphers;
2131tls_ext_ctx_cb * cbinfo;
f69979cf 2132static uschar peerdn[256];
817d9f57 2133static uschar cipherbuf[256];
059ec3d9
PH
2134
2135/* Check for previous activation */
2136
74f1a423 2137if (tls_in.active.sock >= 0)
059ec3d9 2138 {
cf0c6164 2139 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
925ac8e4 2140 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH
2141 return FAIL;
2142 }
2143
2144/* Initialize the SSL library. If it fails, it will already have logged
2145the error. */
2146
817d9f57 2147rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
f2de3a33 2148#ifndef DISABLE_OCSP
47195144 2149 tls_ocsp_file, /*XXX stack*/
3f7eeb86 2150#endif
cf0c6164 2151 NULL, &server_static_cbinfo, errstr);
059ec3d9 2152if (rc != OK) return rc;
817d9f57 2153cbinfo = server_static_cbinfo;
059ec3d9 2154
cf0c6164 2155if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
059ec3d9
PH
2156 return FAIL;
2157
2158/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
17c76198
PP
2159were historically separated by underscores. So that I can use either form in my
2160tests, and also for general convenience, we turn underscores into hyphens here.
0c3807a8
JH
2161
2162XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
2163for TLS 1.3 . Since we do not call it at present we get the default list:
2164TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
17c76198 2165*/
059ec3d9 2166
c3033f13 2167if (expciphers)
059ec3d9 2168 {
c3033f13 2169 uschar * s = expciphers;
059ec3d9
PH
2170 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2171 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 2172 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
cf0c6164 2173 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
7be682ca 2174 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH
2175 }
2176
2177/* If this is a host for which certificate verification is mandatory or
2178optional, set up appropriately. */
2179
817d9f57 2180tls_in.certificate_verified = FALSE;
c0635b6d 2181#ifdef SUPPORT_DANE
53a7196b
JH
2182tls_in.dane_verified = FALSE;
2183#endif
a2ff477a 2184server_verify_callback_called = FALSE;
059ec3d9
PH
2185
2186if (verify_check_host(&tls_verify_hosts) == OK)
2187 {
983207c1 2188 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
afdb5e9c 2189 FALSE, verify_callback_server, errstr);
059ec3d9 2190 if (rc != OK) return rc;
a2ff477a 2191 server_verify_optional = FALSE;
059ec3d9
PH
2192 }
2193else if (verify_check_host(&tls_try_verify_hosts) == OK)
2194 {
983207c1 2195 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
afdb5e9c 2196 TRUE, verify_callback_server, errstr);
059ec3d9 2197 if (rc != OK) return rc;
a2ff477a 2198 server_verify_optional = TRUE;
059ec3d9
PH
2199 }
2200
2201/* Prepare for new connection */
2202
cf0c6164
JH
2203if (!(server_ssl = SSL_new(server_ctx)))
2204 return tls_error(US"SSL_new", NULL, NULL, errstr);
da3ad30d
PP
2205
2206/* Warning: we used to SSL_clear(ssl) here, it was removed.
2207 *
2208 * With the SSL_clear(), we get strange interoperability bugs with
2209 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
2210 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
2211 *
2212 * The SSL_clear() call is to let an existing SSL* be reused, typically after
2213 * session shutdown. In this case, we have a brand new object and there's no
2214 * obvious reason to immediately clear it. I'm guessing that this was
2215 * originally added because of incomplete initialisation which the clear fixed,
2216 * in some historic release.
2217 */
059ec3d9
PH
2218
2219/* Set context and tell client to go ahead, except in the case of TLS startup
2220on connection, where outputting anything now upsets the clients and tends to
2221make them disconnect. We need to have an explicit fflush() here, to force out
2222the response. Other smtp_printf() calls do not need it, because in non-TLS
2223mode, the fflush() happens when smtp_getc() is called. */
2224
817d9f57
JH
2225SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
2226if (!tls_in.on_connect)
059ec3d9 2227 {
925ac8e4 2228 smtp_printf("220 TLS go ahead\r\n", FALSE);
059ec3d9
PH
2229 fflush(smtp_out);
2230 }
2231
2232/* Now negotiate the TLS session. We put our own timer on it, since it seems
2233that the OpenSSL library doesn't. */
2234
817d9f57
JH
2235SSL_set_wfd(server_ssl, fileno(smtp_out));
2236SSL_set_rfd(server_ssl, fileno(smtp_in));
2237SSL_set_accept_state(server_ssl);
059ec3d9
PH
2238
2239DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
2240
2241sigalrm_seen = FALSE;
2242if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
817d9f57 2243rc = SSL_accept(server_ssl);
059ec3d9
PH
2244alarm(0);
2245
2246if (rc <= 0)
2247 {
cf0c6164 2248 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
059ec3d9
PH
2249 return FAIL;
2250 }
2251
2252DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
2253
2254/* TLS has been set up. Adjust the input functions to read via TLS,
2255and initialize things. */
2256
f69979cf
JH
2257peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2258
817d9f57
JH
2259construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
2260tls_in.cipher = cipherbuf;
059ec3d9
PH
2261
2262DEBUG(D_tls)
2263 {
2264 uschar buf[2048];
817d9f57 2265 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
059ec3d9
PH
2266 debug_printf("Shared ciphers: %s\n", buf);
2267 }
2268
9d1c15ef
JH
2269/* Record the certificate we presented */
2270 {
2271 X509 * crt = SSL_get_certificate(server_ssl);
2272 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2273 }
059ec3d9 2274
817d9f57
JH
2275/* Only used by the server-side tls (tls_in), including tls_getc.
2276 Client-side (tls_out) reads (seem to?) go via
2277 smtp_read_response()/ip_recv().
2278 Hence no need to duplicate for _in and _out.
2279 */
b808677c 2280if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9 2281ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
8b77d27a 2282ssl_xfer_eof = ssl_xfer_error = FALSE;
059ec3d9
PH
2283
2284receive_getc = tls_getc;
0d81dabc 2285receive_getbuf = tls_getbuf;
584e96c6 2286receive_get_cache = tls_get_cache;
059ec3d9
PH
2287receive_ungetc = tls_ungetc;
2288receive_feof = tls_feof;
2289receive_ferror = tls_ferror;
58eb016e 2290receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 2291
74f1a423
JH
2292tls_in.active.sock = fileno(smtp_out);
2293tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */
059ec3d9
PH
2294return OK;
2295}
2296
2297
2298
2299
043b1248
JH
2300static int
2301tls_client_basic_ctx_init(SSL_CTX * ctx,
cf0c6164
JH
2302 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2303 uschar ** errstr)
043b1248
JH
2304{
2305int rc;
94431adb 2306/* stick to the old behaviour for compatibility if tls_verify_certificates is
043b1248
JH
2307 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2308 the specified host patterns if one of them is defined */
2309
610ff438
JH
2310if ( ( !ob->tls_verify_hosts
2311 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2312 )
3c07dd2d 2313 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
aa2a70ba 2314 )
043b1248 2315 client_verify_optional = FALSE;
3c07dd2d 2316else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
aa2a70ba
JH
2317 client_verify_optional = TRUE;
2318else
2319 return OK;
2320
2321if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
cf0c6164
JH
2322 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2323 errstr)) != OK)
aa2a70ba 2324 return rc;
043b1248 2325
3c07dd2d 2326if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
043b1248 2327 {
4af0d74a 2328 cbinfo->verify_cert_hostnames =
8c5d388a 2329#ifdef SUPPORT_I18N
4af0d74a
JH
2330 string_domain_utf8_to_alabel(host->name, NULL);
2331#else
2332 host->name;
2333#endif
aa2a70ba
JH
2334 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2335 cbinfo->verify_cert_hostnames);
043b1248 2336 }
043b1248
JH
2337return OK;
2338}
059ec3d9 2339
fde080a4 2340
c0635b6d 2341#ifdef SUPPORT_DANE
fde080a4 2342static int
cf0c6164 2343dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
fde080a4
JH
2344{
2345dns_record * rr;
2346dns_scan dnss;
2347const char * hostnames[2] = { CS host->name, NULL };
2348int found = 0;
2349
2350if (DANESSL_init(ssl, NULL, hostnames) != 1)
cf0c6164 2351 return tls_error(US"hostnames load", host, NULL, errstr);
fde080a4
JH
2352
2353for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
2354 rr;
2355 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1b76ad22 2356 ) if (rr->type == T_TLSA && rr->size > 3)
fde080a4 2357 {
c3033f13 2358 const uschar * p = rr->data;
fde080a4
JH
2359 uint8_t usage, selector, mtype;
2360 const char * mdname;
2361
fde080a4 2362 usage = *p++;
133d2546
JH
2363
2364 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2365 if (usage != 2 && usage != 3) continue;
2366
fde080a4
JH
2367 selector = *p++;
2368 mtype = *p++;
2369
2370 switch (mtype)
2371 {
133d2546
JH
2372 default: continue; /* Only match-types 0, 1, 2 are supported */
2373 case 0: mdname = NULL; break;
2374 case 1: mdname = "sha256"; break;
2375 case 2: mdname = "sha512"; break;
fde080a4
JH
2376 }
2377
133d2546 2378 found++;
fde080a4
JH
2379 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2380 {
2381 default:
cf0c6164 2382 return tls_error(US"tlsa load", host, NULL, errstr);
c035b645 2383 case 0: /* action not taken */
fde080a4
JH
2384 case 1: break;
2385 }
594706ea
JH
2386
2387 tls_out.tlsa_usage |= 1<<usage;
fde080a4
JH
2388 }
2389
2390if (found)
2391 return OK;
2392
133d2546 2393log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
6ebd79ec 2394return DEFER;
fde080a4 2395}
c0635b6d 2396#endif /*SUPPORT_DANE*/
fde080a4
JH
2397
2398
2399
059ec3d9
PH
2400/*************************************************
2401* Start a TLS session in a client *
2402*************************************************/
2403
2404/* Called from the smtp transport after STARTTLS has been accepted.
2405
2406Argument:
2407 fd the fd of the connection
afdb5e9c
JH
2408 host connected host (for messages and option-tests)
2409 addr the first address (for some randomness; can be NULL)
a7538db1 2410 tb transport (always smtp)
0e66b3b6 2411 tlsa_dnsa tlsa lookup, if DANE, else null
afdb5e9c 2412 tlsp record details of channel configuration here; must be non-NULL
cf0c6164 2413 errstr error string pointer
059ec3d9 2414
74f1a423 2415Returns: Pointer to TLS session context, or NULL on error
059ec3d9
PH
2416*/
2417
74f1a423 2418void *
f5d78688 2419tls_client_start(int fd, host_item *host, address_item *addr,
cf0c6164 2420 transport_instance * tb,
c0635b6d 2421#ifdef SUPPORT_DANE
cf0c6164 2422 dns_answer * tlsa_dnsa,
0e66b3b6 2423#endif
74f1a423 2424 tls_support * tlsp, uschar ** errstr)
059ec3d9 2425{
afdb5e9c
JH
2426smtp_transport_options_block * ob = tb
2427 ? (smtp_transport_options_block *)tb->options_block
2428 : &smtp_transport_option_defaults;
74f1a423 2429exim_openssl_client_tls_ctx * exim_client_ctx;
f69979cf 2430static uschar peerdn[256];
868f5672 2431uschar * expciphers;
059ec3d9 2432int rc;
817d9f57 2433static uschar cipherbuf[256];
043b1248
JH
2434
2435#ifndef DISABLE_OCSP
043b1248 2436BOOL request_ocsp = FALSE;
6634ac8d 2437BOOL require_ocsp = FALSE;
043b1248 2438#endif
043b1248 2439
74f1a423
JH
2440rc = store_pool;
2441store_pool = POOL_PERM;
2442exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx));
2443store_pool = rc;
2444
c0635b6d 2445#ifdef SUPPORT_DANE
74f1a423 2446tlsp->tlsa_usage = 0;
043b1248
JH
2447#endif
2448
f2de3a33 2449#ifndef DISABLE_OCSP
043b1248 2450 {
c0635b6d 2451# ifdef SUPPORT_DANE
4f59c424
JH
2452 if ( tlsa_dnsa
2453 && ob->hosts_request_ocsp[0] == '*'
2454 && ob->hosts_request_ocsp[1] == '\0'
2455 )
2456 {
2457 /* Unchanged from default. Use a safer one under DANE */
2458 request_ocsp = TRUE;
2459 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2460 " {= {4}{$tls_out_tlsa_usage}} } "
2461 " {*}{}}";
2462 }
2463# endif
2464
5130845b 2465 if ((require_ocsp =
3c07dd2d 2466 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
fca41d5a
JH
2467 request_ocsp = TRUE;
2468 else
c0635b6d 2469# ifdef SUPPORT_DANE
4f59c424 2470 if (!request_ocsp)
fca41d5a 2471# endif
5130845b 2472 request_ocsp =
3c07dd2d 2473 verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
043b1248 2474 }
f5d78688 2475#endif
059ec3d9 2476
74f1a423 2477rc = tls_init(&exim_client_ctx->ctx, host, NULL,
65867078 2478 ob->tls_certificate, ob->tls_privatekey,
f2de3a33 2479#ifndef DISABLE_OCSP
44662487 2480 (void *)(long)request_ocsp,
3f7eeb86 2481#endif
cf0c6164 2482 addr, &client_static_cbinfo, errstr);
74f1a423 2483if (rc != OK) return NULL;
059ec3d9 2484
74f1a423 2485tlsp->certificate_verified = FALSE;
a2ff477a 2486client_verify_callback_called = FALSE;
059ec3d9 2487
5ec37a55
PP
2488expciphers = NULL;
2489#ifdef SUPPORT_DANE
2490if (tlsa_dnsa)
2491 {
2492 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
2493 other failures should be treated as problems. */
2494 if (ob->dane_require_tls_ciphers &&
2495 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2496 &expciphers, errstr))
74f1a423 2497 return NULL;
5ec37a55
PP
2498 if (expciphers && *expciphers == '\0')
2499 expciphers = NULL;
2500 }
2501#endif
2502if (!expciphers &&
2503 !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
2504 &expciphers, errstr))
74f1a423 2505 return NULL;
059ec3d9
PH
2506
2507/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2508are separated by underscores. So that I can use either form in my tests, and
2509also for general convenience, we turn underscores into hyphens here. */
2510
cf0c6164 2511if (expciphers)
059ec3d9
PH
2512 {
2513 uschar *s = expciphers;
cf0c6164 2514 while (*s) { if (*s == '_') *s = '-'; s++; }
059ec3d9 2515 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
74f1a423
JH
2516 if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
2517 {
2518 tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
2519 return NULL;
2520 }
059ec3d9
PH
2521 }
2522
c0635b6d 2523#ifdef SUPPORT_DANE
0e66b3b6 2524if (tlsa_dnsa)
a63be306 2525 {
74f1a423 2526 SSL_CTX_set_verify(exim_client_ctx->ctx,
02af313d
JH
2527 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2528 verify_callback_client_dane);
e5cccda9 2529
043b1248 2530 if (!DANESSL_library_init())
74f1a423
JH
2531 {
2532 tls_error(US"library init", host, NULL, errstr);
2533 return NULL;
2534 }
2535 if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
2536 {
2537 tls_error(US"context init", host, NULL, errstr);
2538 return NULL;
2539 }
043b1248
JH
2540 }
2541else
e51c7be2 2542
043b1248
JH
2543#endif
2544
74f1a423
JH
2545 if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
2546 client_static_cbinfo, errstr) != OK)
2547 return NULL;
059ec3d9 2548
74f1a423
JH
2549if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
2550 {
2551 tls_error(US"SSL_new", host, NULL, errstr);
2552 return NULL;
2553 }
2554SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
2555SSL_set_fd(exim_client_ctx->ssl, fd);
2556SSL_set_connect_state(exim_client_ctx->ssl);
059ec3d9 2557
65867078 2558if (ob->tls_sni)
3f0945ff 2559 {
74f1a423
JH
2560 if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
2561 return NULL;
2562 if (!tlsp->sni)
2c9a0e86
PP
2563 {
2564 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
2565 }
74f1a423
JH
2566 else if (!Ustrlen(tlsp->sni))
2567 tlsp->sni = NULL;
3f0945ff
PP
2568 else
2569 {
35731706 2570#ifdef EXIM_HAVE_OPENSSL_TLSEXT
74f1a423
JH
2571 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
2572 SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
35731706 2573#else
66802652 2574 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
74f1a423 2575 tlsp->sni);
35731706 2576#endif
3f0945ff
PP
2577 }
2578 }
2579
c0635b6d 2580#ifdef SUPPORT_DANE
0e66b3b6 2581if (tlsa_dnsa)
74f1a423
JH
2582 if (dane_tlsa_load(exim_client_ctx->ssl, host, tlsa_dnsa, errstr) != OK)
2583 return NULL;
594706ea
JH
2584#endif
2585
f2de3a33 2586#ifndef DISABLE_OCSP
f5d78688
JH
2587/* Request certificate status at connection-time. If the server
2588does OCSP stapling we will get the callback (set in tls_init()) */
c0635b6d 2589# ifdef SUPPORT_DANE
44662487
JH
2590if (request_ocsp)
2591 {
594706ea 2592 const uschar * s;
41afb5cb
JH
2593 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2594 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
594706ea
JH
2595 )
2596 { /* Re-eval now $tls_out_tlsa_usage is populated. If
2597 this means we avoid the OCSP request, we wasted the setup
2598 cost in tls_init(). */
3c07dd2d 2599 require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
5130845b 2600 request_ocsp = require_ocsp
3c07dd2d 2601 || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
594706ea
JH
2602 }
2603 }
b50c8b84
JH
2604# endif
2605
594706ea
JH
2606if (request_ocsp)
2607 {
74f1a423 2608 SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
44662487 2609 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
74f1a423 2610 tlsp->ocsp = OCSP_NOT_RESP;
44662487 2611 }
f5d78688
JH
2612#endif
2613
0cbf2b82 2614#ifndef DISABLE_EVENT
afdb5e9c 2615client_static_cbinfo->event_action = tb ? tb->event_action : NULL;
a7538db1 2616#endif
043b1248 2617
059ec3d9
PH
2618/* There doesn't seem to be a built-in timeout on connection. */
2619
2620DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
2621sigalrm_seen = FALSE;
65867078 2622alarm(ob->command_timeout);
74f1a423 2623rc = SSL_connect(exim_client_ctx->ssl);
059ec3d9
PH
2624alarm(0);
2625
c0635b6d 2626#ifdef SUPPORT_DANE
0e66b3b6 2627if (tlsa_dnsa)
74f1a423 2628 DANESSL_cleanup(exim_client_ctx->ssl);
043b1248
JH
2629#endif
2630
059ec3d9 2631if (rc <= 0)
74f1a423
JH
2632 {
2633 tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
2634 return NULL;
2635 }
059ec3d9
PH
2636
2637DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
2638
74f1a423 2639peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
059ec3d9 2640
74f1a423
JH
2641construct_cipher_name(exim_client_ctx->ssl, cipherbuf, sizeof(cipherbuf), &tlsp->bits);
2642tlsp->cipher = cipherbuf;
059ec3d9 2643
9d1c15ef
JH
2644/* Record the certificate we presented */
2645 {
74f1a423
JH
2646 X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
2647 tlsp->ourcert = crt ? X509_dup(crt) : NULL;
9d1c15ef
JH
2648 }
2649
74f1a423
JH
2650tlsp->active.sock = fd;
2651tlsp->active.tls_ctx = exim_client_ctx;
2652return exim_client_ctx;
059ec3d9
PH
2653}
2654
2655
2656
2657
2658
0d81dabc
JH
2659static BOOL
2660tls_refill(unsigned lim)
2661{
2662int error;
2663int inbytes;
2664
2665DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
2666 ssl_xfer_buffer, ssl_xfer_buffer_size);
2667
2668if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
2669inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
2670 MIN(ssl_xfer_buffer_size, lim));
2671error = SSL_get_error(server_ssl, inbytes);
9723f966
JH
2672if (smtp_receive_timeout > 0) alarm(0);
2673
2674if (had_command_timeout) /* set by signal handler */
2675 smtp_command_timeout_exit(); /* does not return */
2676if (had_command_sigterm)
2677 smtp_command_sigterm_exit();
2678if (had_data_timeout)
2679 smtp_data_timeout_exit();
2680if (had_data_sigint)
2681 smtp_data_sigint_exit();
0d81dabc
JH
2682
2683/* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
2684closed down, not that the socket itself has been closed down. Revert to
2685non-SSL handling. */
2686
74f1a423 2687switch(error)
0d81dabc 2688 {
74f1a423
JH
2689 case SSL_ERROR_NONE:
2690 break;
2691
2692 case SSL_ERROR_ZERO_RETURN:
2693 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
0d81dabc 2694
74f1a423
JH
2695 receive_getc = smtp_getc;
2696 receive_getbuf = smtp_getbuf;
2697 receive_get_cache = smtp_get_cache;
2698 receive_ungetc = smtp_ungetc;
2699 receive_feof = smtp_feof;
2700 receive_ferror = smtp_ferror;
2701 receive_smtp_buffered = smtp_buffered;
0d81dabc 2702
74f1a423
JH
2703 if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
2704 SSL_shutdown(server_ssl);
dec766a1 2705
37f0ce65 2706#ifndef DISABLE_OCSP
74f1a423
JH
2707 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
2708 server_static_cbinfo->verify_stack = NULL;
37f0ce65 2709#endif
74f1a423
JH
2710 SSL_free(server_ssl);
2711 SSL_CTX_free(server_ctx);
2712 server_ctx = NULL;
2713 server_ssl = NULL;
2714 tls_in.active.sock = -1;
2715 tls_in.active.tls_ctx = NULL;
2716 tls_in.bits = 0;
2717 tls_in.cipher = NULL;
2718 tls_in.peerdn = NULL;
2719 tls_in.sni = NULL;
0d81dabc 2720
74f1a423 2721 return FALSE;
0d81dabc 2722
74f1a423
JH
2723 /* Handle genuine errors */
2724 case SSL_ERROR_SSL:
2725 ERR_error_string(ERR_get_error(), ssl_errstring);
2726 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
2727 ssl_xfer_error = TRUE;
2728 return FALSE;
0d81dabc 2729
74f1a423
JH
2730 default:
2731 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2732 DEBUG(D_tls) if (error == SSL_ERROR_SYSCALL)
2733 debug_printf(" - syscall %s\n", strerror(errno));
2734 ssl_xfer_error = TRUE;
2735 return FALSE;
0d81dabc
JH
2736 }
2737
2738#ifndef DISABLE_DKIM
2739dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
2740#endif
2741ssl_xfer_buffer_hwm = inbytes;
2742ssl_xfer_buffer_lwm = 0;
2743return TRUE;
2744}
2745
2746
059ec3d9
PH
2747/*************************************************
2748* TLS version of getc *
2749*************************************************/
2750
2751/* This gets the next byte from the TLS input buffer. If the buffer is empty,
2752it refills the buffer via the SSL reading function.
2753
bd8fbe36 2754Arguments: lim Maximum amount to read/buffer
059ec3d9 2755Returns: the next character or EOF
817d9f57
JH
2756
2757Only used by the server-side TLS.
059ec3d9
PH
2758*/
2759
2760int
bd8fbe36 2761tls_getc(unsigned lim)
059ec3d9
PH
2762{
2763if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
0d81dabc
JH
2764 if (!tls_refill(lim))
2765 return ssl_xfer_error ? EOF : smtp_getc(lim);
059ec3d9 2766
0d81dabc 2767/* Something in the buffer; return next uschar */
059ec3d9 2768
0d81dabc
JH
2769return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
2770}
059ec3d9 2771
0d81dabc
JH
2772uschar *
2773tls_getbuf(unsigned * len)
2774{
2775unsigned size;
2776uschar * buf;
ba084640 2777
0d81dabc
JH
2778if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2779 if (!tls_refill(*len))
059ec3d9 2780 {
0d81dabc
JH
2781 if (!ssl_xfer_error) return smtp_getbuf(len);
2782 *len = 0;
2783 return NULL;
059ec3d9 2784 }
c80c5570 2785
0d81dabc
JH
2786if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
2787 size = *len;
2788buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
2789ssl_xfer_buffer_lwm += size;
2790*len = size;
2791return buf;
059ec3d9
PH
2792}
2793
0d81dabc 2794
584e96c6
JH
2795void
2796tls_get_cache()
2797{
9960d1e5 2798#ifndef DISABLE_DKIM
584e96c6
JH
2799int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
2800if (n > 0)
2801 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
584e96c6 2802#endif
9960d1e5 2803}
584e96c6 2804
059ec3d9 2805
925ac8e4
JH
2806BOOL
2807tls_could_read(void)
2808{
a5ffa9b4 2809return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0;
925ac8e4
JH
2810}
2811
059ec3d9
PH
2812
2813/*************************************************
2814* Read bytes from TLS channel *
2815*************************************************/
2816
2817/*
2818Arguments:
74f1a423 2819 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH
2820 buff buffer of data
2821 len size of buffer
2822
2823Returns: the number of bytes read
afdb5e9c 2824 -1 after a failed read, including EOF
817d9f57
JH
2825
2826Only used by the client-side TLS.
059ec3d9
PH
2827*/
2828
2829int
74f1a423 2830tls_read(void * ct_ctx, uschar *buff, size_t len)
059ec3d9 2831{
74f1a423 2832SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
059ec3d9
PH
2833int inbytes;
2834int error;
2835
389ca47a 2836DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
c80c5570 2837 buff, (unsigned int)len);
059ec3d9 2838
389ca47a
JH
2839inbytes = SSL_read(ssl, CS buff, len);
2840error = SSL_get_error(ssl, inbytes);
059ec3d9
PH
2841
2842if (error == SSL_ERROR_ZERO_RETURN)
2843 {
2844 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2845 return -1;
2846 }
2847else if (error != SSL_ERROR_NONE)
059ec3d9 2848 return -1;
059ec3d9
PH
2849
2850return inbytes;
2851}
2852
2853
2854
2855
2856
2857/*************************************************
2858* Write bytes down TLS channel *
2859*************************************************/
2860
2861/*
2862Arguments:
74f1a423 2863 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH
2864 buff buffer of data
2865 len number of bytes
925ac8e4 2866 more further data expected soon
059ec3d9
PH
2867
2868Returns: the number of bytes after a successful write,
2869 -1 after a failed write
817d9f57
JH
2870
2871Used by both server-side and client-side TLS.
059ec3d9
PH
2872*/
2873
2874int
74f1a423 2875tls_write(void * ct_ctx, const uschar *buff, size_t len, BOOL more)
059ec3d9 2876{
a5ffa9b4 2877int outbytes, error, left;
74f1a423 2878SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
acec9514 2879static gstring * corked = NULL;
a5ffa9b4 2880
ef698bf6 2881DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
b93be52e 2882 buff, (unsigned long)len, more ? ", more" : "");
a5ffa9b4
JH
2883
2884/* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
2885"more" is notified. This hack is only ok if small amounts are involved AND only
2886one stream does it, in one context (i.e. no store reset). Currently it is used
2887for the responses to the received SMTP MAIL , RCPT, DATA sequence, only. */
2888
74f1a423 2889if (!ct_ctx && (more || corked))
a5ffa9b4 2890 {
acec9514 2891 corked = string_catn(corked, buff, len);
a5ffa9b4
JH
2892 if (more)
2893 return len;
acec9514
JH
2894 buff = CUS corked->s;
2895 len = corked->ptr;
2896 corked = NULL;
a5ffa9b4 2897 }
059ec3d9 2898
a5ffa9b4 2899for (left = len; left > 0;)
059ec3d9 2900 {
74f1a423 2901 DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left);
059ec3d9
PH
2902 outbytes = SSL_write(ssl, CS buff, left);
2903 error = SSL_get_error(ssl, outbytes);
2904 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
2905 switch (error)
2906 {
2907 case SSL_ERROR_SSL:
96f5fe4c
JH
2908 ERR_error_string(ERR_get_error(), ssl_errstring);
2909 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
2910 return -1;
059ec3d9
PH
2911
2912 case SSL_ERROR_NONE:
96f5fe4c
JH
2913 left -= outbytes;
2914 buff += outbytes;
2915 break;
059ec3d9
PH
2916
2917 case SSL_ERROR_ZERO_RETURN:
96f5fe4c
JH
2918 log_write(0, LOG_MAIN, "SSL channel closed on write");
2919 return -1;
059ec3d9 2920
817d9f57 2921 case SSL_ERROR_SYSCALL:
96f5fe4c
JH
2922 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
2923 sender_fullhost ? sender_fullhost : US"<unknown>",
2924 strerror(errno));
2925 return -1;
817d9f57 2926
059ec3d9 2927 default:
96f5fe4c
JH
2928 log_write(0, LOG_MAIN, "SSL_write error %d", error);
2929 return -1;
059ec3d9
PH
2930 }
2931 }
2932return len;
2933}
2934
2935
2936
2937/*************************************************
2938* Close down a TLS session *
2939*************************************************/
2940
2941/* This is also called from within a delivery subprocess forked from the
2942daemon, to shut down the TLS library, without actually doing a shutdown (which
2943would tamper with the SSL session in the parent process).
2944
dec766a1 2945Arguments:
74f1a423 2946 ct_ctx client TLS context pointer, or NULL for the one global server context
dec766a1
WB
2947 shutdown 1 if TLS close-alert is to be sent,
2948 2 if also response to be waited for
2949
059ec3d9 2950Returns: nothing
817d9f57
JH
2951
2952Used by both server-side and client-side TLS.
059ec3d9
PH
2953*/
2954
2955void
74f1a423 2956tls_close(void * ct_ctx, int shutdown)
059ec3d9 2957{
74f1a423
JH
2958exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
2959SSL_CTX **ctxp = o_ctx ? &o_ctx->ctx : &server_ctx;
2960SSL **sslp = o_ctx ? &o_ctx->ssl : &server_ssl;
2961int *fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
817d9f57
JH
2962
2963if (*fdp < 0) return; /* TLS was not active */
059ec3d9
PH
2964
2965if (shutdown)
2966 {
dec766a1
WB
2967 int rc;
2968 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
2969 shutdown > 1 ? " (with response-wait)" : "");
2970
2971 if ( (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */
2972 && shutdown > 1)
2973 {
2974 alarm(2);
2975 rc = SSL_shutdown(*sslp); /* wait for response */
2976 alarm(0);
2977 }
2978
2979 if (rc < 0) DEBUG(D_tls)
2980 {
2981 ERR_error_string(ERR_get_error(), ssl_errstring);
2982 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
2983 }
2984 }
2985
37f0ce65 2986#ifndef DISABLE_OCSP
74f1a423 2987if (!o_ctx) /* server side */
dec766a1
WB
2988 {
2989 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
dec766a1 2990 server_static_cbinfo->verify_stack = NULL;
059ec3d9 2991 }
37f0ce65 2992#endif
059ec3d9 2993
dec766a1 2994SSL_CTX_free(*ctxp);
817d9f57 2995SSL_free(*sslp);
dec766a1 2996*ctxp = NULL;
817d9f57 2997*sslp = NULL;
817d9f57 2998*fdp = -1;
059ec3d9
PH
2999}
3000
36f12725
NM
3001
3002
3003
3004/*************************************************
3375e053
PP
3005* Let tls_require_ciphers be checked at startup *
3006*************************************************/
3007
3008/* The tls_require_ciphers option, if set, must be something which the
3009library can parse.
3010
3011Returns: NULL on success, or error message
3012*/
3013
3014uschar *
3015tls_validate_require_cipher(void)
3016{
3017SSL_CTX *ctx;
3018uschar *s, *expciphers, *err;
3019
3020/* this duplicates from tls_init(), we need a better "init just global
3021state, for no specific purpose" singleton function of our own */
3022
3023SSL_load_error_strings();
3024OpenSSL_add_ssl_algorithms();
3025#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
3026/* SHA256 is becoming ever more popular. This makes sure it gets added to the
3027list of available digests. */
3028EVP_add_digest(EVP_sha256());
3029#endif
3030
3031if (!(tls_require_ciphers && *tls_require_ciphers))
3032 return NULL;
3033
cf0c6164
JH
3034if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3035 &err))
3375e053
PP
3036 return US"failed to expand tls_require_ciphers";
3037
3038if (!(expciphers && *expciphers))
3039 return NULL;
3040
3041/* normalisation ripped from above */
3042s = expciphers;
3043while (*s != 0) { if (*s == '_') *s = '-'; s++; }
3044
3045err = NULL;
3046
7a8b9519
JH
3047#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
3048if (!(ctx = SSL_CTX_new(TLS_server_method())))
3049#else
3050if (!(ctx = SSL_CTX_new(SSLv23_server_method())))
3051#endif
3375e053
PP
3052 {
3053 ERR_error_string(ERR_get_error(), ssl_errstring);
3054 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
3055 }
3056
3057DEBUG(D_tls)
3058 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3059
3060if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
3061 {
3062 ERR_error_string(ERR_get_error(), ssl_errstring);
cf0c6164
JH
3063 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
3064 expciphers, ssl_errstring);
3375e053
PP
3065 }
3066
3067SSL_CTX_free(ctx);
3068
3069return err;
3070}
3071
3072
3073
3074
3075/*************************************************
36f12725
NM
3076* Report the library versions. *
3077*************************************************/
3078
3079/* There have historically been some issues with binary compatibility in
3080OpenSSL libraries; if Exim (like many other applications) is built against
3081one version of OpenSSL but the run-time linker picks up another version,
3082it can result in serious failures, including crashing with a SIGSEGV. So
3083report the version found by the compiler and the run-time version.
3084
f64a1e23
PP
3085Note: some OS vendors backport security fixes without changing the version
3086number/string, and the version date remains unchanged. The _build_ date
3087will change, so we can more usefully assist with version diagnosis by also
3088reporting the build date.
3089
36f12725
NM
3090Arguments: a FILE* to print the results to
3091Returns: nothing
3092*/
3093
3094void
3095tls_version_report(FILE *f)
3096{
754a0503 3097fprintf(f, "Library version: OpenSSL: Compile: %s\n"
f64a1e23
PP
3098 " Runtime: %s\n"
3099 " : %s\n",
754a0503 3100 OPENSSL_VERSION_TEXT,
f64a1e23
PP
3101 SSLeay_version(SSLEAY_VERSION),
3102 SSLeay_version(SSLEAY_BUILT_ON));
3103/* third line is 38 characters for the %s and the line is 73 chars long;
3104the OpenSSL output includes a "built on: " prefix already. */
36f12725
NM
3105}
3106
9e3331ea
TK
3107
3108
3109
3110/*************************************************
17c76198 3111* Random number generation *
9e3331ea
TK
3112*************************************************/
3113
3114/* Pseudo-random number generation. The result is not expected to be
3115cryptographically strong but not so weak that someone will shoot themselves
3116in the foot using it as a nonce in input in some email header scheme or
3117whatever weirdness they'll twist this into. The result should handle fork()
3118and avoid repeating sequences. OpenSSL handles that for us.
3119
3120Arguments:
3121 max range maximum
3122Returns a random number in range [0, max-1]
3123*/
3124
3125int
17c76198 3126vaguely_random_number(int max)
9e3331ea
TK
3127{
3128unsigned int r;
3129int i, needed_len;
de6135a0
PP
3130static pid_t pidlast = 0;
3131pid_t pidnow;
9e3331ea
TK
3132uschar *p;
3133uschar smallbuf[sizeof(r)];
3134
3135if (max <= 1)
3136 return 0;
3137
de6135a0
PP
3138pidnow = getpid();
3139if (pidnow != pidlast)
3140 {
3141 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
3142 is unique for each thread", this doesn't apparently apply across processes,
3143 so our own warning from vaguely_random_number_fallback() applies here too.
3144 Fix per PostgreSQL. */
3145 if (pidlast != 0)
3146 RAND_cleanup();
3147 pidlast = pidnow;
3148 }
3149
9e3331ea
TK
3150/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
3151if (!RAND_status())
3152 {
3153 randstuff r;
3154 gettimeofday(&r.tv, NULL);
3155 r.p = getpid();
3156
5903c6ff 3157 RAND_seed(US (&r), sizeof(r));
9e3331ea
TK
3158 }
3159/* We're after pseudo-random, not random; if we still don't have enough data
3160in the internal PRNG then our options are limited. We could sleep and hope
3161for entropy to come along (prayer technique) but if the system is so depleted
3162in the first place then something is likely to just keep taking it. Instead,
3163we'll just take whatever little bit of pseudo-random we can still manage to
3164get. */
3165
3166needed_len = sizeof(r);
3167/* Don't take 8 times more entropy than needed if int is 8 octets and we were
3168asked for a number less than 10. */
3169for (r = max, i = 0; r; ++i)
3170 r >>= 1;
3171i = (i + 7) / 8;
3172if (i < needed_len)
3173 needed_len = i;
3174
c8dfb21d 3175#ifdef EXIM_HAVE_RAND_PSEUDO
9e3331ea 3176/* We do not care if crypto-strong */
17c76198 3177i = RAND_pseudo_bytes(smallbuf, needed_len);
c8dfb21d
JH
3178#else
3179i = RAND_bytes(smallbuf, needed_len);
3180#endif
3181
17c76198
PP
3182if (i < 0)
3183 {
3184 DEBUG(D_all)
3185 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
3186 return vaguely_random_number_fallback(max);
3187 }
3188
9e3331ea
TK
3189r = 0;
3190for (p = smallbuf; needed_len; --needed_len, ++p)
3191 {
3192 r *= 256;
3193 r += *p;
3194 }
3195
3196/* We don't particularly care about weighted results; if someone wants
3197smooth distribution and cares enough then they should submit a patch then. */
3198return r % max;
3199}
3200
77bb000f
PP
3201
3202
3203
3204/*************************************************
3205* OpenSSL option parse *
3206*************************************************/
3207
3208/* Parse one option for tls_openssl_options_parse below
3209
3210Arguments:
3211 name one option name
3212 value place to store a value for it
3213Returns success or failure in parsing
3214*/
3215
77bb000f 3216
c80c5570 3217
77bb000f
PP
3218static BOOL
3219tls_openssl_one_option_parse(uschar *name, long *value)
3220{
3221int first = 0;
3222int last = exim_openssl_options_size;
3223while (last > first)
3224 {
3225 int middle = (first + last)/2;
3226 int c = Ustrcmp(name, exim_openssl_options[middle].name);
3227 if (c == 0)
3228 {
3229 *value = exim_openssl_options[middle].value;
3230 return TRUE;
3231 }
3232 else if (c > 0)
3233 first = middle + 1;
3234 else
3235 last = middle;
3236 }
3237return FALSE;
3238}
3239
3240
3241
3242
3243/*************************************************
3244* OpenSSL option parsing logic *
3245*************************************************/
3246
3247/* OpenSSL has a number of compatibility options which an administrator might
3248reasonably wish to set. Interpret a list similarly to decode_bits(), so that
3249we look like log_selector.
3250
3251Arguments:
3252 option_spec the administrator-supplied string of options
3253 results ptr to long storage for the options bitmap
3254Returns success or failure
3255*/
3256
3257BOOL
3258tls_openssl_options_parse(uschar *option_spec, long *results)
3259{
3260long result, item;
3261uschar *s, *end;
3262uschar keep_c;
3263BOOL adding, item_parsed;
3264
7006ee24 3265result = SSL_OP_NO_TICKET;
b1770b6e 3266/* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
da3ad30d 3267 * from default because it increases BEAST susceptibility. */
f0f5a555
PP
3268#ifdef SSL_OP_NO_SSLv2
3269result |= SSL_OP_NO_SSLv2;
3270#endif
a57b6200
JH
3271#ifdef SSL_OP_SINGLE_DH_USE
3272result |= SSL_OP_SINGLE_DH_USE;
3273#endif
77bb000f 3274
7006ee24 3275if (!option_spec)
77bb000f
PP
3276 {
3277 *results = result;
3278 return TRUE;
3279 }
3280
3281for (s=option_spec; *s != '\0'; /**/)
3282 {
3283 while (isspace(*s)) ++s;
3284 if (*s == '\0')
3285 break;
3286 if (*s != '+' && *s != '-')
3287 {
3288 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
0e944a0d 3289 "+ or - expected but found \"%s\"\n", s);
77bb000f
PP
3290 return FALSE;
3291 }
3292 adding = *s++ == '+';
3293 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
3294 keep_c = *end;
3295 *end = '\0';
3296 item_parsed = tls_openssl_one_option_parse(s, &item);
96f5fe4c 3297 *end = keep_c;
77bb000f
PP
3298 if (!item_parsed)
3299 {
0e944a0d 3300 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
77bb000f
PP
3301 return FALSE;
3302 }
3303 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
3304 adding ? "adding" : "removing", result, item, s);
3305 if (adding)
3306 result |= item;
3307 else
3308 result &= ~item;
77bb000f
PP
3309 s = end;
3310 }
3311
3312*results = result;
3313return TRUE;
3314}
3315
8442641e 3316#endif /*!MACRO_PREDEF*/
9d1c15ef
JH
3317/* vi: aw ai sw=2
3318*/
059ec3d9 3319/* End of tls-openssl.c */