OpenSSL: clear any leftover errors from the stack after SSL_accept succeeds
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
f9ba5e22 5/* Copyright (c) University of Cambridge 1995 - 2018 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
f5d78688
JH
8/* Portions Copyright (c) The OpenSSL Project 1999 */
9
059ec3d9
PH
10/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
11library. It is #included into the tls.c file when that library is used. The
12code herein is based on a patch that was originally contributed by Steve
13Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
14
15No cryptographic code is included in Exim. All this module does is to call
16functions from the OpenSSL library. */
17
18
19/* Heading stuff */
20
21#include <openssl/lhash.h>
22#include <openssl/ssl.h>
23#include <openssl/err.h>
24#include <openssl/rand.h>
10ca4f1c
JH
25#ifndef OPENSSL_NO_ECDH
26# include <openssl/ec.h>
27#endif
f2de3a33 28#ifndef DISABLE_OCSP
e51c7be2 29# include <openssl/ocsp.h>
3f7eeb86 30#endif
c0635b6d 31#ifdef SUPPORT_DANE
05e796ad 32# include "danessl.h"
85098ee7
JH
33#endif
34
3f7eeb86 35
f2de3a33
JH
36#ifndef DISABLE_OCSP
37# define EXIM_OCSP_SKEW_SECONDS (300L)
38# define EXIM_OCSP_MAX_AGE (-1L)
3f7eeb86 39#endif
059ec3d9 40
3bcbbbe2 41#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
e51c7be2 42# define EXIM_HAVE_OPENSSL_TLSEXT
3bcbbbe2 43#endif
c8dfb21d
JH
44#if OPENSSL_VERSION_NUMBER >= 0x00908000L
45# define EXIM_HAVE_RSA_GENKEY_EX
46#endif
47#if OPENSSL_VERSION_NUMBER >= 0x10100000L
48# define EXIM_HAVE_OCSP_RESP_COUNT
49#else
50# define EXIM_HAVE_EPHEM_RSA_KEX
51# define EXIM_HAVE_RAND_PSEUDO
52#endif
53#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
8442641e 54# define EXIM_HAVE_SHA256
c8dfb21d 55#endif
34e3241d
PP
56
57/*
58 * X509_check_host provides sane certificate hostname checking, but was added
59 * to OpenSSL late, after other projects forked off the code-base. So in
60 * addition to guarding against the base version number, beware that LibreSSL
61 * does not (at this time) support this function.
62 *
63 * If LibreSSL gains a different API, perhaps via libtls, then we'll probably
64 * opt to disentangle and ask a LibreSSL user to provide glue for a third
65 * crypto provider for libtls instead of continuing to tie the OpenSSL glue
66 * into even twistier knots. If LibreSSL gains the same API, we can just
67 * change this guard and punt the issue for a while longer.
68 */
69#ifndef LIBRESSL_VERSION_NUMBER
70# if OPENSSL_VERSION_NUMBER >= 0x010100000L
71# define EXIM_HAVE_OPENSSL_CHECKHOST
8420742d 72# define EXIM_HAVE_OPENSSL_DH_BITS
7a8b9519 73# define EXIM_HAVE_OPENSSL_TLS_METHOD
7434882d
JH
74# else
75# define EXIM_NEED_OPENSSL_INIT
34e3241d
PP
76# endif
77# if OPENSSL_VERSION_NUMBER >= 0x010000000L \
2dfb468b 78 && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
34e3241d
PP
79# define EXIM_HAVE_OPENSSL_CHECKHOST
80# endif
11aa88b0 81#endif
10ca4f1c 82
11aa88b0
RA
83#if !defined(LIBRESSL_VERSION_NUMBER) \
84 || LIBRESSL_VERSION_NUMBER >= 0x20010000L
10ca4f1c
JH
85# if !defined(OPENSSL_NO_ECDH)
86# if OPENSSL_VERSION_NUMBER >= 0x0090800fL
8442641e 87# define EXIM_HAVE_ECDH
10ca4f1c
JH
88# endif
89# if OPENSSL_VERSION_NUMBER >= 0x10002000L
10ca4f1c
JH
90# define EXIM_HAVE_OPENSSL_EC_NIST2NID
91# endif
92# endif
2dfb468b 93#endif
3bcbbbe2 94
67791ce4
JH
95#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
96# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
97# define DISABLE_OCSP
98#endif
99
a6510420
JH
100#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
101# include <openssl/x509v3.h>
102#endif
103
8442641e
JH
104/*************************************************
105* OpenSSL option parse *
106*************************************************/
107
108typedef struct exim_openssl_option {
109 uschar *name;
110 long value;
111} exim_openssl_option;
112/* We could use a macro to expand, but we need the ifdef and not all the
113options document which version they were introduced in. Policylet: include
114all options unless explicitly for DTLS, let the administrator choose which
115to apply.
116
117This list is current as of:
118 ==> 1.0.1b <==
119Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
120Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev
121*/
122static exim_openssl_option exim_openssl_options[] = {
123/* KEEP SORTED ALPHABETICALLY! */
124#ifdef SSL_OP_ALL
125 { US"all", SSL_OP_ALL },
126#endif
127#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
128 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
129#endif
130#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
131 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
132#endif
133#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
134 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
135#endif
136#ifdef SSL_OP_EPHEMERAL_RSA
137 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
138#endif
139#ifdef SSL_OP_LEGACY_SERVER_CONNECT
140 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
141#endif
142#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
143 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
144#endif
145#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
146 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
147#endif
148#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
149 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
150#endif
151#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
152 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
153#endif
154#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
155 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
156#endif
157#ifdef SSL_OP_NO_COMPRESSION
158 { US"no_compression", SSL_OP_NO_COMPRESSION },
159#endif
160#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
161 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
162#endif
163#ifdef SSL_OP_NO_SSLv2
164 { US"no_sslv2", SSL_OP_NO_SSLv2 },
165#endif
166#ifdef SSL_OP_NO_SSLv3
167 { US"no_sslv3", SSL_OP_NO_SSLv3 },
168#endif
169#ifdef SSL_OP_NO_TICKET
170 { US"no_ticket", SSL_OP_NO_TICKET },
171#endif
172#ifdef SSL_OP_NO_TLSv1
173 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
174#endif
175#ifdef SSL_OP_NO_TLSv1_1
176#if SSL_OP_NO_TLSv1_1 == 0x00000400L
177 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
178#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
179#else
180 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
181#endif
182#endif
183#ifdef SSL_OP_NO_TLSv1_2
184 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
185#endif
186#ifdef SSL_OP_NO_TLSv1_3
187 { US"no_tlsv1_3", SSL_OP_NO_TLSv1_3 },
188#endif
189#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
190 { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
191#endif
192#ifdef SSL_OP_SINGLE_DH_USE
193 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
194#endif
195#ifdef SSL_OP_SINGLE_ECDH_USE
196 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
197#endif
198#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
199 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
200#endif
201#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
202 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
203#endif
204#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
205 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
206#endif
207#ifdef SSL_OP_TLS_D5_BUG
208 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
209#endif
210#ifdef SSL_OP_TLS_ROLLBACK_BUG
211 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
212#endif
213};
214
215#ifndef MACRO_PREDEF
216static int exim_openssl_options_size = nelem(exim_openssl_options);
217#endif
218
219#ifdef MACRO_PREDEF
220void
221options_tls(void)
222{
223struct exim_openssl_option * o;
224uschar buf[64];
225
226for (o = exim_openssl_options;
227 o < exim_openssl_options + nelem(exim_openssl_options); o++)
228 {
229 /* Trailing X is workaround for problem with _OPT_OPENSSL_NO_TLSV1
230 being a ".ifdef _OPT_OPENSSL_NO_TLSV1_3" match */
231
232 spf(buf, sizeof(buf), US"_OPT_OPENSSL_%T_X", o->name);
233 builtin_macro_create(buf);
234 }
235}
236#else
237
238/******************************************************************************/
239
059ec3d9
PH
240/* Structure for collecting random data for seeding. */
241
242typedef struct randstuff {
9e3331ea
TK
243 struct timeval tv;
244 pid_t p;
059ec3d9
PH
245} randstuff;
246
247/* Local static variables */
248
a2ff477a
JH
249static BOOL client_verify_callback_called = FALSE;
250static BOOL server_verify_callback_called = FALSE;
059ec3d9
PH
251static const uschar *sid_ctx = US"exim";
252
d4f09789
PP
253/* We have three different contexts to care about.
254
255Simple case: client, `client_ctx`
256 As a client, we can be doing a callout or cut-through delivery while receiving
257 a message. So we have a client context, which should have options initialised
74f1a423
JH
258 from the SMTP Transport. We may also concurrently want to make TLS connections
259 to utility daemons, so client-contexts are allocated and passed around in call
260 args rather than using a gobal.
d4f09789
PP
261
262Server:
263 There are two cases: with and without ServerNameIndication from the client.
264 Given TLS SNI, we can be using different keys, certs and various other
265 configuration settings, because they're re-expanded with $tls_sni set. This
266 allows vhosting with TLS. This SNI is sent in the handshake.
267 A client might not send SNI, so we need a fallback, and an initial setup too.
268 So as a server, we start out using `server_ctx`.
269 If SNI is sent by the client, then we as server, mid-negotiation, try to clone
270 `server_sni` from `server_ctx` and then initialise settings by re-expanding
271 configuration.
272*/
273
74f1a423
JH
274typedef struct {
275 SSL_CTX * ctx;
276 SSL * ssl;
277} exim_openssl_client_tls_ctx;
278
817d9f57 279static SSL_CTX *server_ctx = NULL;
817d9f57 280static SSL *server_ssl = NULL;
389ca47a 281
35731706 282#ifdef EXIM_HAVE_OPENSSL_TLSEXT
817d9f57 283static SSL_CTX *server_sni = NULL;
35731706 284#endif
059ec3d9
PH
285
286static char ssl_errstring[256];
287
288static int ssl_session_timeout = 200;
a2ff477a
JH
289static BOOL client_verify_optional = FALSE;
290static BOOL server_verify_optional = FALSE;
059ec3d9 291
f5d78688 292static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH
293
294
7be682ca
PP
295typedef struct tls_ext_ctx_cb {
296 uschar *certificate;
297 uschar *privatekey;
f5d78688 298 BOOL is_server;
a6510420 299#ifndef DISABLE_OCSP
c3033f13 300 STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
f5d78688
JH
301 union {
302 struct {
303 uschar *file;
304 uschar *file_expanded;
305 OCSP_RESPONSE *response;
306 } server;
307 struct {
44662487
JH
308 X509_STORE *verify_store; /* non-null if status requested */
309 BOOL verify_required;
f5d78688
JH
310 } client;
311 } u_ocsp;
3f7eeb86 312#endif
7be682ca
PP
313 uschar *dhparam;
314 /* these are cached from first expand */
315 uschar *server_cipher_list;
316 /* only passed down to tls_error: */
317 host_item *host;
55414b25 318 const uschar * verify_cert_hostnames;
0cbf2b82 319#ifndef DISABLE_EVENT
a7538db1
JH
320 uschar * event_action;
321#endif
7be682ca
PP
322} tls_ext_ctx_cb;
323
324/* should figure out a cleanup of API to handle state preserved per
325implementation, for various reasons, which can be void * in the APIs.
326For now, we hack around it. */
817d9f57
JH
327tls_ext_ctx_cb *client_static_cbinfo = NULL;
328tls_ext_ctx_cb *server_static_cbinfo = NULL;
7be682ca
PP
329
330static int
983207c1 331setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 332 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr );
059ec3d9 333
3f7eeb86 334/* Callbacks */
3bcbbbe2 335#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f7eeb86 336static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
3bcbbbe2 337#endif
f2de3a33 338#ifndef DISABLE_OCSP
f5d78688 339static int tls_server_stapling_cb(SSL *s, void *arg);
3f7eeb86
PP
340#endif
341
059ec3d9
PH
342
343/*************************************************
344* Handle TLS error *
345*************************************************/
346
347/* Called from lots of places when errors occur before actually starting to do
348the TLS handshake, that is, while the session is still in clear. Always returns
349DEFER for a server and FAIL for a client so that most calls can use "return
350tls_error(...)" to do this processing and then give an appropriate return. A
351single function is used for both server and client, because it is called from
352some shared functions.
353
354Argument:
355 prefix text to include in the logged error
356 host NULL if setting up a server;
357 the connected host if setting up a client
7199e1ee 358 msg error message or NULL if we should ask OpenSSL
cf0c6164 359 errstr pointer to output error message
059ec3d9
PH
360
361Returns: OK/DEFER/FAIL
362*/
363
364static int
cf0c6164 365tls_error(uschar * prefix, const host_item * host, uschar * msg, uschar ** errstr)
059ec3d9 366{
c562fd30 367if (!msg)
7199e1ee 368 {
0abc5a13 369 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
cf0c6164 370 msg = US ssl_errstring;
7199e1ee
TF
371 }
372
5a2a0989
JH
373msg = string_sprintf("(%s): %s", prefix, msg);
374DEBUG(D_tls) debug_printf("TLS error '%s'\n", msg);
375if (errstr) *errstr = msg;
cf0c6164 376return host ? FAIL : DEFER;
059ec3d9
PH
377}
378
379
380
381/*************************************************
382* Callback to generate RSA key *
383*************************************************/
384
385/*
386Arguments:
3ae79556 387 s SSL connection (not used)
059ec3d9
PH
388 export not used
389 keylength keylength
390
391Returns: pointer to generated key
392*/
393
394static RSA *
395rsa_callback(SSL *s, int export, int keylength)
396{
397RSA *rsa_key;
c8dfb21d
JH
398#ifdef EXIM_HAVE_RSA_GENKEY_EX
399BIGNUM *bn = BN_new();
400#endif
401
059ec3d9
PH
402export = export; /* Shut picky compilers up */
403DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
c8dfb21d
JH
404
405#ifdef EXIM_HAVE_RSA_GENKEY_EX
406if ( !BN_set_word(bn, (unsigned long)RSA_F4)
f2cb6292 407 || !(rsa_key = RSA_new())
c8dfb21d
JH
408 || !RSA_generate_key_ex(rsa_key, keylength, bn, NULL)
409 )
410#else
23bb6982 411if (!(rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL)))
c8dfb21d
JH
412#endif
413
059ec3d9 414 {
0abc5a13 415 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
059ec3d9
PH
416 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
417 ssl_errstring);
418 return NULL;
419 }
420return rsa_key;
421}
422
423
424
f5d78688 425/* Extreme debug
f2de3a33 426#ifndef DISABLE_OCSP
f5d78688
JH
427void
428x509_store_dump_cert_s_names(X509_STORE * store)
429{
430STACK_OF(X509_OBJECT) * roots= store->objs;
431int i;
432static uschar name[256];
433
434for(i= 0; i<sk_X509_OBJECT_num(roots); i++)
435 {
436 X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i);
437 if(tmp_obj->type == X509_LU_X509)
438 {
70e384dd
JH
439 X509_NAME * sn = X509_get_subject_name(tmp_obj->data.x509);
440 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
441 {
442 name[sizeof(name)-1] = '\0';
443 debug_printf(" %s\n", name);
444 }
f5d78688
JH
445 }
446 }
447}
448#endif
449*/
450
059ec3d9 451
0cbf2b82 452#ifndef DISABLE_EVENT
f69979cf
JH
453static int
454verify_event(tls_support * tlsp, X509 * cert, int depth, const uschar * dn,
455 BOOL *calledp, const BOOL *optionalp, const uschar * what)
456{
457uschar * ev;
458uschar * yield;
459X509 * old_cert;
460
461ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
462if (ev)
463 {
aaba7d03 464 DEBUG(D_tls) debug_printf("verify_event: %s %d\n", what, depth);
f69979cf
JH
465 old_cert = tlsp->peercert;
466 tlsp->peercert = X509_dup(cert);
467 /* NB we do not bother setting peerdn */
468 if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
469 {
470 log_write(0, LOG_MAIN, "[%s] %s verify denied by event-action: "
471 "depth=%d cert=%s: %s",
472 tlsp == &tls_out ? deliver_host_address : sender_host_address,
473 what, depth, dn, yield);
474 *calledp = TRUE;
475 if (!*optionalp)
476 {
477 if (old_cert) tlsp->peercert = old_cert; /* restore 1st failing cert */
478 return 1; /* reject (leaving peercert set) */
479 }
480 DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
481 "(host in tls_try_verify_hosts)\n");
482 }
483 X509_free(tlsp->peercert);
484 tlsp->peercert = old_cert;
485 }
486return 0;
487}
488#endif
489
059ec3d9
PH
490/*************************************************
491* Callback for verification *
492*************************************************/
493
494/* The SSL library does certificate verification if set up to do so. This
495callback has the current yes/no state is in "state". If verification succeeded,
f69979cf
JH
496we set the certificate-verified flag. If verification failed, what happens
497depends on whether the client is required to present a verifiable certificate
498or not.
059ec3d9
PH
499
500If verification is optional, we change the state to yes, but still log the
501verification error. For some reason (it really would help to have proper
502documentation of OpenSSL), this callback function then gets called again, this
f69979cf
JH
503time with state = 1. We must take care not to set the private verified flag on
504the second time through.
059ec3d9
PH
505
506Note: this function is not called if the client fails to present a certificate
507when asked. We get here only if a certificate has been received. Handling of
508optional verification for this case is done when requesting SSL to verify, by
509setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
510
a7538db1
JH
511May be called multiple times for different issues with a certificate, even
512for a given "depth" in the certificate chain.
513
059ec3d9 514Arguments:
f2f2c91b
JH
515 preverify_ok current yes/no state as 1/0
516 x509ctx certificate information.
517 tlsp per-direction (client vs. server) support data
518 calledp has-been-called flag
519 optionalp verification-is-optional flag
059ec3d9 520
f2f2c91b 521Returns: 0 if verification should fail, otherwise 1
059ec3d9
PH
522*/
523
524static int
70e384dd
JH
525verify_callback(int preverify_ok, X509_STORE_CTX * x509ctx,
526 tls_support * tlsp, BOOL * calledp, BOOL * optionalp)
059ec3d9 527{
421aff85 528X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
a7538db1 529int depth = X509_STORE_CTX_get_error_depth(x509ctx);
f69979cf 530uschar dn[256];
059ec3d9 531
70e384dd
JH
532if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
533 {
534 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
535 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
536 tlsp == &tls_out ? deliver_host_address : sender_host_address);
537 return 0;
538 }
f69979cf 539dn[sizeof(dn)-1] = '\0';
059ec3d9 540
f2f2c91b 541if (preverify_ok == 0)
059ec3d9 542 {
f77197ae
JH
543 uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
544 *verify_mode, sender_host_address)
545 : US"";
546 log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
547 tlsp == &tls_out ? deliver_host_address : sender_host_address,
548 extra, depth,
549 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
a2ff477a 550 *calledp = TRUE;
9d1c15ef
JH
551 if (!*optionalp)
552 {
f69979cf
JH
553 if (!tlsp->peercert)
554 tlsp->peercert = X509_dup(cert); /* record failing cert */
555 return 0; /* reject */
9d1c15ef 556 }
059ec3d9
PH
557 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
558 "tls_try_verify_hosts)\n");
059ec3d9
PH
559 }
560
a7538db1 561else if (depth != 0)
059ec3d9 562 {
f69979cf 563 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", depth, dn);
f2de3a33 564#ifndef DISABLE_OCSP
f5d78688
JH
565 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
566 { /* client, wanting stapling */
567 /* Add the server cert's signing chain as the one
568 for the verification of the OCSP stapled information. */
94431adb 569
f5d78688 570 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
421aff85 571 cert))
f5d78688 572 ERR_clear_error();
c3033f13 573 sk_X509_push(client_static_cbinfo->verify_stack, cert);
f5d78688
JH
574 }
575#endif
0cbf2b82 576#ifndef DISABLE_EVENT
f69979cf
JH
577 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
578 return 0; /* reject, with peercert set */
a7538db1 579#endif
059ec3d9
PH
580 }
581else
582 {
55414b25 583 const uschar * verify_cert_hostnames;
e51c7be2 584
e51c7be2
JH
585 if ( tlsp == &tls_out
586 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
afdb5e9c 587 /* client, wanting hostname check */
e51c7be2 588 {
f69979cf 589
740f36d4 590#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
f69979cf
JH
591# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
592# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
593# endif
594# ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
595# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
596# endif
e51c7be2 597 int sep = 0;
55414b25 598 const uschar * list = verify_cert_hostnames;
e51c7be2 599 uschar * name;
d8e7834a
JH
600 int rc;
601 while ((name = string_nextinlist(&list, &sep, NULL, 0)))
f40d5be3 602 if ((rc = X509_check_host(cert, CCS name, 0,
8d692470 603 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
740f36d4
JH
604 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
605 NULL)))
d8e7834a
JH
606 {
607 if (rc < 0)
608 {
93a6fce2 609 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
f77197ae 610 tlsp == &tls_out ? deliver_host_address : sender_host_address);
d8e7834a
JH
611 name = NULL;
612 }
e51c7be2 613 break;
d8e7834a 614 }
e51c7be2 615 if (!name)
f69979cf 616#else
e51c7be2 617 if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
f69979cf 618#endif
e51c7be2 619 {
f77197ae
JH
620 uschar * extra = verify_mode
621 ? string_sprintf(" (during %c-verify for [%s])",
622 *verify_mode, sender_host_address)
623 : US"";
e51c7be2 624 log_write(0, LOG_MAIN,
f77197ae
JH
625 "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
626 tlsp == &tls_out ? deliver_host_address : sender_host_address,
627 extra, dn, verify_cert_hostnames);
a3ef7310
JH
628 *calledp = TRUE;
629 if (!*optionalp)
f69979cf
JH
630 {
631 if (!tlsp->peercert)
632 tlsp->peercert = X509_dup(cert); /* record failing cert */
633 return 0; /* reject */
634 }
a3ef7310
JH
635 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
636 "tls_try_verify_hosts)\n");
e51c7be2 637 }
f69979cf 638 }
e51c7be2 639
0cbf2b82 640#ifndef DISABLE_EVENT
f69979cf
JH
641 if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
642 return 0; /* reject, with peercert set */
e51c7be2
JH
643#endif
644
93dcb1c2 645 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
f69979cf 646 *calledp ? "" : " authenticated", dn);
93dcb1c2
JH
647 if (!*calledp) tlsp->certificate_verified = TRUE;
648 *calledp = TRUE;
059ec3d9
PH
649 }
650
a7538db1 651return 1; /* accept, at least for this level */
059ec3d9
PH
652}
653
a2ff477a 654static int
f2f2c91b 655verify_callback_client(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 656{
f2f2c91b
JH
657return verify_callback(preverify_ok, x509ctx, &tls_out,
658 &client_verify_callback_called, &client_verify_optional);
a2ff477a
JH
659}
660
661static int
f2f2c91b 662verify_callback_server(int preverify_ok, X509_STORE_CTX *x509ctx)
a2ff477a 663{
f2f2c91b
JH
664return verify_callback(preverify_ok, x509ctx, &tls_in,
665 &server_verify_callback_called, &server_verify_optional);
a2ff477a
JH
666}
667
059ec3d9 668
c0635b6d 669#ifdef SUPPORT_DANE
53a7196b 670
e5cccda9
JH
671/* This gets called *by* the dane library verify callback, which interposes
672itself.
673*/
674static int
f2f2c91b 675verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
e5cccda9
JH
676{
677X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
f69979cf 678uschar dn[256];
83b27293 679int depth = X509_STORE_CTX_get_error_depth(x509ctx);
5c75db2e 680#ifndef DISABLE_EVENT
f69979cf 681BOOL dummy_called, optional = FALSE;
83b27293 682#endif
e5cccda9 683
70e384dd
JH
684if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
685 {
686 DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n");
687 log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
688 deliver_host_address);
689 return 0;
690 }
f69979cf 691dn[sizeof(dn)-1] = '\0';
e5cccda9 692
f2f2c91b
JH
693DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
694 preverify_ok ? "ok":"BAD", depth, dn);
e5cccda9 695
0cbf2b82 696#ifndef DISABLE_EVENT
f69979cf
JH
697 if (verify_event(&tls_out, cert, depth, dn,
698 &dummy_called, &optional, US"DANE"))
699 return 0; /* reject, with peercert set */
83b27293
JH
700#endif
701
f2f2c91b 702if (preverify_ok == 1)
6fbf3599
JH
703 {
704 tls_out.dane_verified = tls_out.certificate_verified = TRUE;
705#ifndef DISABLE_OCSP
706 if (client_static_cbinfo->u_ocsp.client.verify_store)
707 { /* client, wanting stapling */
708 /* Add the server cert's signing chain as the one
709 for the verification of the OCSP stapled information. */
710
711 if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
712 cert))
713 ERR_clear_error();
714 sk_X509_push(client_static_cbinfo->verify_stack, cert);
715 }
716#endif
717 }
f2f2c91b
JH
718else
719 {
720 int err = X509_STORE_CTX_get_error(x509ctx);
721 DEBUG(D_tls)
722 debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
3c51463e 723 if (err == X509_V_ERR_APPLICATION_VERIFICATION)
f2f2c91b
JH
724 preverify_ok = 1;
725 }
726return preverify_ok;
e5cccda9 727}
53a7196b 728
c0635b6d 729#endif /*SUPPORT_DANE*/
e5cccda9 730
059ec3d9
PH
731
732/*************************************************
733* Information callback *
734*************************************************/
735
736/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP
737are doing. We copy the string to the debugging output when TLS debugging has
738been requested.
059ec3d9
PH
739
740Arguments:
741 s the SSL connection
742 where
743 ret
744
745Returns: nothing
746*/
747
748static void
749info_callback(SSL *s, int where, int ret)
750{
0abc5a13
JH
751DEBUG(D_tls)
752 {
753 const uschar * str;
754
755 if (where & SSL_ST_CONNECT)
48224640 756 str = US"SSL_connect";
0abc5a13 757 else if (where & SSL_ST_ACCEPT)
48224640 758 str = US"SSL_accept";
0abc5a13 759 else
48224640 760 str = US"SSL info (undefined)";
0abc5a13
JH
761
762 if (where & SSL_CB_LOOP)
763 debug_printf("%s: %s\n", str, SSL_state_string_long(s));
764 else if (where & SSL_CB_ALERT)
765 debug_printf("SSL3 alert %s:%s:%s\n",
48224640 766 str = where & SSL_CB_READ ? US"read" : US"write",
0abc5a13
JH
767 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
768 else if (where & SSL_CB_EXIT)
769 if (ret == 0)
770 debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s));
771 else if (ret < 0)
772 debug_printf("%s: error in %s\n", str, SSL_state_string_long(s));
773 else if (where & SSL_CB_HANDSHAKE_START)
774 debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s));
775 else if (where & SSL_CB_HANDSHAKE_DONE)
776 debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s));
777 }
059ec3d9
PH
778}
779
780
781
782/*************************************************
783* Initialize for DH *
784*************************************************/
785
786/* If dhparam is set, expand it, and load up the parameters for DH encryption.
787
788Arguments:
038597d2 789 sctx The current SSL CTX (inbound or outbound)
a799883d 790 dhparam DH parameter file or fixed parameter identity string
7199e1ee 791 host connected host, if client; NULL if server
cf0c6164 792 errstr error string pointer
059ec3d9
PH
793
794Returns: TRUE if OK (nothing to set up, or setup worked)
795*/
796
797static BOOL
cf0c6164 798init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host, uschar ** errstr)
059ec3d9 799{
059ec3d9
PH
800BIO *bio;
801DH *dh;
802uschar *dhexpanded;
a799883d 803const char *pem;
6600985a 804int dh_bitsize;
059ec3d9 805
cf0c6164 806if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded, errstr))
059ec3d9
PH
807 return FALSE;
808
0df4ab80 809if (!dhexpanded || !*dhexpanded)
a799883d 810 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
a799883d 811else if (dhexpanded[0] == '/')
059ec3d9 812 {
0df4ab80 813 if (!(bio = BIO_new_file(CS dhexpanded, "r")))
059ec3d9 814 {
7199e1ee 815 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
cf0c6164 816 host, US strerror(errno), errstr);
a799883d 817 return FALSE;
059ec3d9 818 }
a799883d
PP
819 }
820else
821 {
822 if (Ustrcmp(dhexpanded, "none") == 0)
059ec3d9 823 {
a799883d
PP
824 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
825 return TRUE;
059ec3d9 826 }
a799883d 827
0df4ab80 828 if (!(pem = std_dh_prime_named(dhexpanded)))
a799883d
PP
829 {
830 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
cf0c6164 831 host, US strerror(errno), errstr);
a799883d
PP
832 return FALSE;
833 }
834 bio = BIO_new_mem_buf(CS pem, -1);
835 }
836
0df4ab80 837if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL)))
a799883d 838 {
059ec3d9 839 BIO_free(bio);
a799883d 840 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
cf0c6164 841 host, NULL, errstr);
a799883d
PP
842 return FALSE;
843 }
844
6600985a
PP
845/* note: our default limit of 2236 is not a multiple of 8; the limit comes from
846 * an NSS limit, and the GnuTLS APIs handle bit-sizes fine, so we went with
847 * 2236. But older OpenSSL can only report in bytes (octets), not bits.
848 * If someone wants to dance at the edge, then they can raise the limit or use
849 * current libraries. */
850#ifdef EXIM_HAVE_OPENSSL_DH_BITS
851/* Added in commit 26c79d5641d; `git describe --contains` says OpenSSL_1_1_0-pre1~1022
852 * This predates OpenSSL_1_1_0 (before a, b, ...) so is in all 1.1.0 */
853dh_bitsize = DH_bits(dh);
854#else
855dh_bitsize = 8 * DH_size(dh);
856#endif
857
a799883d
PP
858/* Even if it is larger, we silently return success rather than cause things
859 * to fail out, so that a too-large DH will not knock out all TLS; it's a
860 * debatable choice. */
6600985a 861if (dh_bitsize > tls_dh_max_bits)
a799883d
PP
862 {
863 DEBUG(D_tls)
170f4904 864 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d\n",
6600985a 865 dh_bitsize, tls_dh_max_bits);
a799883d
PP
866 }
867else
868 {
869 SSL_CTX_set_tmp_dh(sctx, dh);
870 DEBUG(D_tls)
871 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
6600985a 872 dhexpanded ? dhexpanded : US"default", dh_bitsize);
059ec3d9
PH
873 }
874
a799883d
PP
875DH_free(dh);
876BIO_free(bio);
877
878return TRUE;
059ec3d9
PH
879}
880
881
882
883
038597d2
PP
884/*************************************************
885* Initialize for ECDH *
886*************************************************/
887
888/* Load parameters for ECDH encryption.
889
890For now, we stick to NIST P-256 because: it's simple and easy to configure;
891it avoids any patent issues that might bite redistributors; despite events in
892the news and concerns over curve choices, we're not cryptographers, we're not
893pretending to be, and this is "good enough" to be better than no support,
894protecting against most adversaries. Given another year or two, there might
895be sufficient clarity about a "right" way forward to let us make an informed
896decision, instead of a knee-jerk reaction.
897
898Longer-term, we should look at supporting both various named curves and
899external files generated with "openssl ecparam", much as we do for init_dh().
900We should also support "none" as a value, to explicitly avoid initialisation.
901
902Patches welcome.
903
904Arguments:
905 sctx The current SSL CTX (inbound or outbound)
906 host connected host, if client; NULL if server
cf0c6164 907 errstr error string pointer
038597d2
PP
908
909Returns: TRUE if OK (nothing to set up, or setup worked)
910*/
911
912static BOOL
cf0c6164 913init_ecdh(SSL_CTX * sctx, host_item * host, uschar ** errstr)
038597d2 914{
63f0dbe0
JH
915#ifdef OPENSSL_NO_ECDH
916return TRUE;
917#else
918
10ca4f1c
JH
919EC_KEY * ecdh;
920uschar * exp_curve;
921int nid;
922BOOL rv;
923
038597d2
PP
924if (host) /* No ECDH setup for clients, only for servers */
925 return TRUE;
926
10ca4f1c 927# ifndef EXIM_HAVE_ECDH
038597d2
PP
928DEBUG(D_tls)
929 debug_printf("No OpenSSL API to define ECDH parameters, skipping\n");
930return TRUE;
038597d2 931# else
10ca4f1c 932
cf0c6164 933if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve, errstr))
10ca4f1c
JH
934 return FALSE;
935if (!exp_curve || !*exp_curve)
936 return TRUE;
937
8e53a4fc 938/* "auto" needs to be handled carefully.
4c04137d 939 * OpenSSL < 1.0.2: we do not select anything, but fallback to prime256v1
8e53a4fc 940 * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
4c04137d 941 * (openssl/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
8e53a4fc
HSHR
942 * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
943 * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
944 */
10ca4f1c 945if (Ustrcmp(exp_curve, "auto") == 0)
038597d2 946 {
8e53a4fc 947#if OPENSSL_VERSION_NUMBER < 0x10002000L
10ca4f1c 948 DEBUG(D_tls) debug_printf(
8e53a4fc 949 "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
78a3bbd5 950 exp_curve = US"prime256v1";
8e53a4fc
HSHR
951#else
952# if defined SSL_CTRL_SET_ECDH_AUTO
953 DEBUG(D_tls) debug_printf(
954 "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
10ca4f1c
JH
955 SSL_CTX_set_ecdh_auto(sctx, 1);
956 return TRUE;
8e53a4fc
HSHR
957# else
958 DEBUG(D_tls) debug_printf(
959 "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
960 return TRUE;
961# endif
962#endif
10ca4f1c 963 }
038597d2 964
10ca4f1c
JH
965DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
966if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
967# ifdef EXIM_HAVE_OPENSSL_EC_NIST2NID
968 && (nid = EC_curve_nist2nid(CCS exp_curve)) == NID_undef
969# endif
970 )
971 {
cf0c6164
JH
972 tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
973 host, NULL, errstr);
10ca4f1c
JH
974 return FALSE;
975 }
038597d2 976
10ca4f1c
JH
977if (!(ecdh = EC_KEY_new_by_curve_name(nid)))
978 {
cf0c6164 979 tls_error(US"Unable to create ec curve", host, NULL, errstr);
10ca4f1c 980 return FALSE;
038597d2 981 }
10ca4f1c
JH
982
983/* The "tmp" in the name here refers to setting a temporary key
984not to the stability of the interface. */
985
986if ((rv = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
cf0c6164 987 tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), host, NULL, errstr);
10ca4f1c
JH
988else
989 DEBUG(D_tls) debug_printf("ECDH: enabled '%s' curve\n", exp_curve);
990
991EC_KEY_free(ecdh);
992return !rv;
993
994# endif /*EXIM_HAVE_ECDH*/
995#endif /*OPENSSL_NO_ECDH*/
038597d2
PP
996}
997
998
999
1000
f2de3a33 1001#ifndef DISABLE_OCSP
3f7eeb86
PP
1002/*************************************************
1003* Load OCSP information into state *
1004*************************************************/
f5d78688 1005/* Called to load the server OCSP response from the given file into memory, once
3f7eeb86
PP
1006caller has determined this is needed. Checks validity. Debugs a message
1007if invalid.
1008
1009ASSUMES: single response, for single cert.
1010
1011Arguments:
1012 sctx the SSL_CTX* to update
1013 cbinfo various parts of session state
1014 expanded the filename putatively holding an OCSP response
1015
1016*/
1017
1018static void
f5d78688 1019ocsp_load_response(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo, const uschar *expanded)
3f7eeb86 1020{
ee5b1e28
JH
1021BIO * bio;
1022OCSP_RESPONSE * resp;
1023OCSP_BASICRESP * basic_response;
1024OCSP_SINGLERESP * single_response;
1025ASN1_GENERALIZEDTIME * rev, * thisupd, * nextupd;
ee5b1e28 1026STACK_OF(X509) * sk;
3f7eeb86
PP
1027unsigned long verify_flags;
1028int status, reason, i;
1029
f5d78688
JH
1030cbinfo->u_ocsp.server.file_expanded = string_copy(expanded);
1031if (cbinfo->u_ocsp.server.response)
3f7eeb86 1032 {
f5d78688
JH
1033 OCSP_RESPONSE_free(cbinfo->u_ocsp.server.response);
1034 cbinfo->u_ocsp.server.response = NULL;
3f7eeb86
PP
1035 }
1036
ee5b1e28 1037if (!(bio = BIO_new_file(CS cbinfo->u_ocsp.server.file_expanded, "rb")))
3f7eeb86
PP
1038 {
1039 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
f5d78688 1040 cbinfo->u_ocsp.server.file_expanded);
3f7eeb86
PP
1041 return;
1042 }
1043
1044resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
1045BIO_free(bio);
1046if (!resp)
1047 {
1048 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
1049 return;
1050 }
1051
ee5b1e28 1052if ((status = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
3f7eeb86
PP
1053 {
1054 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
1055 OCSP_response_status_str(status), status);
f5d78688 1056 goto bad;
3f7eeb86
PP
1057 }
1058
ee5b1e28 1059if (!(basic_response = OCSP_response_get1_basic(resp)))
3f7eeb86
PP
1060 {
1061 DEBUG(D_tls)
1062 debug_printf("OCSP response parse error: unable to extract basic response.\n");
f5d78688 1063 goto bad;
3f7eeb86
PP
1064 }
1065
c3033f13 1066sk = cbinfo->verify_stack;
3f7eeb86
PP
1067verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
1068
1069/* May need to expose ability to adjust those flags?
1070OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
1071OCSP_TRUSTOTHER OCSP_NOINTERN */
1072
4c04137d 1073/* This does a full verify on the OCSP proof before we load it for serving
ee5b1e28
JH
1074up; possibly overkill - just date-checks might be nice enough.
1075
1076OCSP_basic_verify takes a "store" arg, but does not
1077use it for the chain verification, which is all we do
1078when OCSP_NOVERIFY is set. The content from the wire
1079"basic_response" and a cert-stack "sk" are all that is used.
1080
c3033f13
JH
1081We have a stack, loaded in setup_certs() if tls_verify_certificates
1082was a file (not a directory, or "system"). It is unfortunate we
1083cannot used the connection context store, as that would neatly
1084handle the "system" case too, but there seems to be no library
1085function for getting a stack from a store.
e3555426 1086[ In OpenSSL 1.1 - ? X509_STORE_CTX_get0_chain(ctx) ? ]
c3033f13
JH
1087We do not free the stack since it could be needed a second time for
1088SNI handling.
1089
4c04137d 1090Separately we might try to replace using OCSP_basic_verify() - which seems to not
5ec37a55 1091be a public interface into the OpenSSL library (there's no manual entry) -
ee5b1e28 1092But what with? We also use OCSP_basic_verify in the client stapling callback.
4c04137d 1093And there we NEED it; we must verify that status... unless the
ee5b1e28
JH
1094library does it for us anyway? */
1095
1096if ((i = OCSP_basic_verify(basic_response, sk, NULL, verify_flags)) < 0)
3f7eeb86 1097 {
ee5b1e28
JH
1098 DEBUG(D_tls)
1099 {
0abc5a13 1100 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3f7eeb86 1101 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
f5d78688
JH
1102 }
1103 goto bad;
3f7eeb86
PP
1104 }
1105
1106/* Here's the simplifying assumption: there's only one response, for the
1107one certificate we use, and nothing for anything else in a chain. If this
1108proves false, we need to extract a cert id from our issued cert
1109(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
1110right cert in the stack and then calls OCSP_single_get0_status()).
1111
1112I'm hoping to avoid reworking a bunch more of how we handle state here. */
ee5b1e28
JH
1113
1114if (!(single_response = OCSP_resp_get0(basic_response, 0)))
3f7eeb86
PP
1115 {
1116 DEBUG(D_tls)
1117 debug_printf("Unable to get first response from OCSP basic response.\n");
f5d78688 1118 goto bad;
3f7eeb86
PP
1119 }
1120
1121status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
f5d78688 1122if (status != V_OCSP_CERTSTATUS_GOOD)
3f7eeb86 1123 {
f5d78688
JH
1124 DEBUG(D_tls) debug_printf("OCSP response bad cert status: %s (%d) %s (%d)\n",
1125 OCSP_cert_status_str(status), status,
1126 OCSP_crl_reason_str(reason), reason);
1127 goto bad;
3f7eeb86
PP
1128 }
1129
1130if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
1131 {
1132 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
f5d78688 1133 goto bad;
3f7eeb86
PP
1134 }
1135
f5d78688 1136supply_response:
47195144 1137 cbinfo->u_ocsp.server.response = resp; /*XXX stack?*/
f5d78688
JH
1138return;
1139
1140bad:
8768d548 1141 if (f.running_in_test_harness)
018058b2
JH
1142 {
1143 extern char ** environ;
1144 uschar ** p;
47195144 1145 if (environ) for (p = USS environ; *p; p++)
018058b2
JH
1146 if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
1147 {
1148 DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
1149 goto supply_response;
1150 }
1151 }
f5d78688 1152return;
3f7eeb86 1153}
f2de3a33 1154#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
1155
1156
1157
1158
23bb6982
JH
1159/* Create and install a selfsigned certificate, for use in server mode */
1160
1161static int
cf0c6164 1162tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
23bb6982
JH
1163{
1164X509 * x509 = NULL;
1165EVP_PKEY * pkey;
1166RSA * rsa;
1167X509_NAME * name;
1168uschar * where;
1169
1170where = US"allocating pkey";
1171if (!(pkey = EVP_PKEY_new()))
1172 goto err;
1173
1174where = US"allocating cert";
1175if (!(x509 = X509_new()))
1176 goto err;
1177
1178where = US"generating pkey";
6aac3239 1179if (!(rsa = rsa_callback(NULL, 0, 2048)))
23bb6982
JH
1180 goto err;
1181
4c04137d 1182where = US"assigning pkey";
23bb6982
JH
1183if (!EVP_PKEY_assign_RSA(pkey, rsa))
1184 goto err;
1185
1186X509_set_version(x509, 2); /* N+1 - version 3 */
1613fd68 1187ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
23bb6982
JH
1188X509_gmtime_adj(X509_get_notBefore(x509), 0);
1189X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
1190X509_set_pubkey(x509, pkey);
1191
1192name = X509_get_subject_name(x509);
1193X509_NAME_add_entry_by_txt(name, "C",
4dc2379a 1194 MBSTRING_ASC, CUS "UK", -1, -1, 0);
23bb6982 1195X509_NAME_add_entry_by_txt(name, "O",
4dc2379a 1196 MBSTRING_ASC, CUS "Exim Developers", -1, -1, 0);
23bb6982 1197X509_NAME_add_entry_by_txt(name, "CN",
4dc2379a 1198 MBSTRING_ASC, CUS smtp_active_hostname, -1, -1, 0);
23bb6982
JH
1199X509_set_issuer_name(x509, name);
1200
1201where = US"signing cert";
1202if (!X509_sign(x509, pkey, EVP_md5()))
1203 goto err;
1204
1205where = US"installing selfsign cert";
1206if (!SSL_CTX_use_certificate(sctx, x509))
1207 goto err;
1208
1209where = US"installing selfsign key";
1210if (!SSL_CTX_use_PrivateKey(sctx, pkey))
1211 goto err;
1212
1213return OK;
1214
1215err:
cf0c6164 1216 (void) tls_error(where, NULL, NULL, errstr);
23bb6982
JH
1217 if (x509) X509_free(x509);
1218 if (pkey) EVP_PKEY_free(pkey);
1219 return DEFER;
1220}
1221
1222
1223
1224
ba86e143
JH
1225static int
1226tls_add_certfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1227 uschar ** errstr)
1228{
1229DEBUG(D_tls) debug_printf("tls_certificate file %s\n", file);
1230if (!SSL_CTX_use_certificate_chain_file(sctx, CS file))
1231 return tls_error(string_sprintf(
1232 "SSL_CTX_use_certificate_chain_file file=%s", file),
1233 cbinfo->host, NULL, errstr);
1234return 0;
1235}
1236
1237static int
1238tls_add_pkeyfile(SSL_CTX * sctx, tls_ext_ctx_cb * cbinfo, uschar * file,
1239 uschar ** errstr)
1240{
1241DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", file);
1242if (!SSL_CTX_use_PrivateKey_file(sctx, CS file, SSL_FILETYPE_PEM))
1243 return tls_error(string_sprintf(
1244 "SSL_CTX_use_PrivateKey_file file=%s", file), cbinfo->host, NULL, errstr);
1245return 0;
1246}
1247
1248
059ec3d9 1249/*************************************************
7be682ca
PP
1250* Expand key and cert file specs *
1251*************************************************/
1252
f5d78688 1253/* Called once during tls_init and possibly again during TLS setup, for a
7be682ca
PP
1254new context, if Server Name Indication was used and tls_sni was seen in
1255the certificate string.
1256
1257Arguments:
1258 sctx the SSL_CTX* to update
1259 cbinfo various parts of session state
cf0c6164 1260 errstr error string pointer
7be682ca
PP
1261
1262Returns: OK/DEFER/FAIL
1263*/
1264
1265static int
cf0c6164
JH
1266tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo,
1267 uschar ** errstr)
7be682ca
PP
1268{
1269uschar *expanded;
1270
23bb6982 1271if (!cbinfo->certificate)
7be682ca 1272 {
ba86e143 1273 if (!cbinfo->is_server) /* client */
23bb6982 1274 return OK;
afdb5e9c 1275 /* server */
cf0c6164 1276 if (tls_install_selfsign(sctx, errstr) != OK)
23bb6982 1277 return DEFER;
7be682ca 1278 }
23bb6982
JH
1279else
1280 {
ba86e143
JH
1281 int err;
1282
23bb6982
JH
1283 if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
1284 Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
1285 Ustrstr(cbinfo->certificate, US"tls_out_sni")
1286 )
1287 reexpand_tls_files_for_sni = TRUE;
7be682ca 1288
cf0c6164 1289 if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded, errstr))
23bb6982
JH
1290 return DEFER;
1291
ba86e143
JH
1292 if (expanded)
1293 if (cbinfo->is_server)
1294 {
1295 const uschar * file_list = expanded;
1296 int sep = 0;
1297 uschar * file;
1298
1299 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1300 if ((err = tls_add_certfile(sctx, cbinfo, file, errstr)))
1301 return err;
1302 }
1303 else /* would there ever be a need for multiple client certs? */
1304 if ((err = tls_add_certfile(sctx, cbinfo, expanded, errstr)))
1305 return err;
7be682ca 1306
5a2a0989
JH
1307 if ( cbinfo->privatekey
1308 && !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded, errstr))
23bb6982 1309 return DEFER;
7be682ca 1310
23bb6982
JH
1311 /* If expansion was forced to fail, key_expanded will be NULL. If the result
1312 of the expansion is an empty string, ignore it also, and assume the private
1313 key is in the same file as the certificate. */
1314
1315 if (expanded && *expanded)
ba86e143
JH
1316 if (cbinfo->is_server)
1317 {
1318 const uschar * file_list = expanded;
1319 int sep = 0;
1320 uschar * file;
1321
1322 while (file = string_nextinlist(&file_list, &sep, NULL, 0))
1323 if ((err = tls_add_pkeyfile(sctx, cbinfo, file, errstr)))
1324 return err;
1325 }
1326 else /* would there ever be a need for multiple client certs? */
1327 if ((err = tls_add_pkeyfile(sctx, cbinfo, expanded, errstr)))
1328 return err;
7be682ca
PP
1329 }
1330
f2de3a33 1331#ifndef DISABLE_OCSP
f40d5be3 1332if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
3f7eeb86 1333 {
47195144 1334 /*XXX stack*/
cf0c6164 1335 if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded, errstr))
3f7eeb86
PP
1336 return DEFER;
1337
f40d5be3 1338 if (expanded && *expanded)
3f7eeb86
PP
1339 {
1340 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
f40d5be3
JH
1341 if ( cbinfo->u_ocsp.server.file_expanded
1342 && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
3f7eeb86 1343 {
f40d5be3
JH
1344 DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
1345 }
1346 else
f40d5be3 1347 ocsp_load_response(sctx, cbinfo, expanded);
3f7eeb86
PP
1348 }
1349 }
1350#endif
1351
7be682ca
PP
1352return OK;
1353}
1354
1355
1356
1357
1358/*************************************************
1359* Callback to handle SNI *
1360*************************************************/
1361
1362/* Called when acting as server during the TLS session setup if a Server Name
1363Indication extension was sent by the client.
1364
1365API documentation is OpenSSL s_server.c implementation.
1366
1367Arguments:
1368 s SSL* of the current session
1369 ad unknown (part of OpenSSL API) (unused)
1370 arg Callback of "our" registered data
1371
1372Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
1373*/
1374
3bcbbbe2 1375#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca 1376static int
7be682ca
PP
1377tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
1378{
1379const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3f7eeb86 1380tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
7be682ca 1381int rc;
3f0945ff 1382int old_pool = store_pool;
cf0c6164 1383uschar * dummy_errstr;
7be682ca
PP
1384
1385if (!servername)
1386 return SSL_TLSEXT_ERR_OK;
1387
3f0945ff 1388DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
7be682ca
PP
1389 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
1390
1391/* Make the extension value available for expansion */
3f0945ff 1392store_pool = POOL_PERM;
817d9f57 1393tls_in.sni = string_copy(US servername);
3f0945ff 1394store_pool = old_pool;
7be682ca
PP
1395
1396if (!reexpand_tls_files_for_sni)
1397 return SSL_TLSEXT_ERR_OK;
1398
1399/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
1400not confident that memcpy wouldn't break some internal reference counting.
1401Especially since there's a references struct member, which would be off. */
1402
7a8b9519
JH
1403#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1404if (!(server_sni = SSL_CTX_new(TLS_server_method())))
1405#else
0df4ab80 1406if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
7a8b9519 1407#endif
7be682ca 1408 {
0abc5a13 1409 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
7be682ca 1410 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
5a2a0989 1411 goto bad;
7be682ca
PP
1412 }
1413
1414/* Not sure how many of these are actually needed, since SSL object
1415already exists. Might even need this selfsame callback, for reneg? */
1416
817d9f57
JH
1417SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
1418SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
1419SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
1420SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
1421SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
1422SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
038597d2 1423
cf0c6164
JH
1424if ( !init_dh(server_sni, cbinfo->dhparam, NULL, &dummy_errstr)
1425 || !init_ecdh(server_sni, NULL, &dummy_errstr)
038597d2 1426 )
5a2a0989 1427 goto bad;
038597d2 1428
ca954d7f
JH
1429if ( cbinfo->server_cipher_list
1430 && !SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list))
5a2a0989 1431 goto bad;
ca954d7f 1432
f2de3a33 1433#ifndef DISABLE_OCSP
f5d78688 1434if (cbinfo->u_ocsp.server.file)
3f7eeb86 1435 {
f5d78688 1436 SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
14c7b357 1437 SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);
3f7eeb86
PP
1438 }
1439#endif
7be682ca 1440
c3033f13 1441if ((rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
cf0c6164 1442 verify_callback_server, &dummy_errstr)) != OK)
5a2a0989 1443 goto bad;
7be682ca 1444
3f7eeb86
PP
1445/* do this after setup_certs, because this can require the certs for verifying
1446OCSP information. */
cf0c6164 1447if ((rc = tls_expand_session_files(server_sni, cbinfo, &dummy_errstr)) != OK)
5a2a0989 1448 goto bad;
a799883d 1449
7be682ca 1450DEBUG(D_tls) debug_printf("Switching SSL context.\n");
817d9f57 1451SSL_set_SSL_CTX(s, server_sni);
7be682ca 1452return SSL_TLSEXT_ERR_OK;
5a2a0989
JH
1453
1454bad: return SSL_TLSEXT_ERR_ALERT_FATAL;
7be682ca 1455}
3bcbbbe2 1456#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
7be682ca
PP
1457
1458
1459
1460
f2de3a33 1461#ifndef DISABLE_OCSP
f5d78688 1462
3f7eeb86
PP
1463/*************************************************
1464* Callback to handle OCSP Stapling *
1465*************************************************/
1466
1467/* Called when acting as server during the TLS session setup if the client
1468requests OCSP information with a Certificate Status Request.
1469
1470Documentation via openssl s_server.c and the Apache patch from the OpenSSL
1471project.
1472
1473*/
1474
1475static int
f5d78688 1476tls_server_stapling_cb(SSL *s, void *arg)
3f7eeb86
PP
1477{
1478const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
47195144 1479uschar *response_der; /*XXX blob */
3f7eeb86
PP
1480int response_der_len;
1481
47195144
JH
1482/*XXX stack: use SSL_get_certificate() to see which cert; from that work
1483out which ocsp blob to send. Unfortunately, SSL_get_certificate is known
1484buggy in current OpenSSL; it returns the last cert loaded always rather than
1485the one actually presented. So we can't support a stack of OCSP proofs at
1486this time. */
1487
af4a1bca 1488DEBUG(D_tls)
b3ef41c9 1489 debug_printf("Received TLS status request (OCSP stapling); %s response\n",
f5d78688
JH
1490 cbinfo->u_ocsp.server.response ? "have" : "lack");
1491
44662487 1492tls_in.ocsp = OCSP_NOT_RESP;
f5d78688 1493if (!cbinfo->u_ocsp.server.response)
3f7eeb86
PP
1494 return SSL_TLSEXT_ERR_NOACK;
1495
1496response_der = NULL;
47195144 1497response_der_len = i2d_OCSP_RESPONSE(cbinfo->u_ocsp.server.response, /*XXX stack*/
44662487 1498 &response_der);
3f7eeb86
PP
1499if (response_der_len <= 0)
1500 return SSL_TLSEXT_ERR_NOACK;
1501
5e55c7a9 1502SSL_set_tlsext_status_ocsp_resp(server_ssl, response_der, response_der_len);
44662487 1503tls_in.ocsp = OCSP_VFIED;
3f7eeb86
PP
1504return SSL_TLSEXT_ERR_OK;
1505}
1506
3f7eeb86 1507
f5d78688
JH
1508static void
1509time_print(BIO * bp, const char * str, ASN1_GENERALIZEDTIME * time)
1510{
1511BIO_printf(bp, "\t%s: ", str);
1512ASN1_GENERALIZEDTIME_print(bp, time);
1513BIO_puts(bp, "\n");
1514}
1515
1516static int
1517tls_client_stapling_cb(SSL *s, void *arg)
1518{
1519tls_ext_ctx_cb * cbinfo = arg;
1520const unsigned char * p;
1521int len;
1522OCSP_RESPONSE * rsp;
1523OCSP_BASICRESP * bs;
1524int i;
1525
1526DEBUG(D_tls) debug_printf("Received TLS status response (OCSP stapling):");
1527len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1528if(!p)
1529 {
44662487 1530 /* Expect this when we requested ocsp but got none */
6c6d6e48 1531 if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
44662487 1532 log_write(0, LOG_MAIN, "Received TLS status callback, null content");
f5d78688
JH
1533 else
1534 DEBUG(D_tls) debug_printf(" null\n");
44662487 1535 return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
f5d78688 1536 }
018058b2 1537
f5d78688
JH
1538if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
1539 {
018058b2 1540 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1541 if (LOGGING(tls_cipher))
1eca31ca 1542 log_write(0, LOG_MAIN, "Received TLS cert status response, parse error");
f5d78688
JH
1543 else
1544 DEBUG(D_tls) debug_printf(" parse error\n");
1545 return 0;
1546 }
1547
1548if(!(bs = OCSP_response_get1_basic(rsp)))
1549 {
018058b2 1550 tls_out.ocsp = OCSP_FAILED;
6c6d6e48 1551 if (LOGGING(tls_cipher))
1eca31ca 1552 log_write(0, LOG_MAIN, "Received TLS cert status response, error parsing response");
f5d78688
JH
1553 else
1554 DEBUG(D_tls) debug_printf(" error parsing response\n");
1555 OCSP_RESPONSE_free(rsp);
1556 return 0;
1557 }
1558
1559/* We'd check the nonce here if we'd put one in the request. */
1560/* However that would defeat cacheability on the server so we don't. */
1561
f5d78688
JH
1562/* This section of code reworked from OpenSSL apps source;
1563 The OpenSSL Project retains copyright:
1564 Copyright (c) 1999 The OpenSSL Project. All rights reserved.
1565*/
1566 {
1567 BIO * bp = NULL;
f5d78688
JH
1568 int status, reason;
1569 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1570
57887ecc 1571 DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
f5d78688
JH
1572
1573 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
1574
1575 /* Use the chain that verified the server cert to verify the stapled info */
1576 /* DEBUG(D_tls) x509_store_dump_cert_s_names(cbinfo->u_ocsp.client.verify_store); */
1577
c3033f13 1578 if ((i = OCSP_basic_verify(bs, cbinfo->verify_stack,
44662487 1579 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
f5d78688 1580 {
018058b2 1581 tls_out.ocsp = OCSP_FAILED;
57887ecc
JH
1582 if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
1583 "Received TLS cert status response, itself unverifiable: %s",
1584 ERR_reason_error_string(ERR_peek_error()));
f5d78688
JH
1585 BIO_printf(bp, "OCSP response verify failure\n");
1586 ERR_print_errors(bp);
57887ecc 1587 OCSP_RESPONSE_print(bp, rsp, 0);
c8dfb21d 1588 goto failed;
f5d78688
JH
1589 }
1590
1591 BIO_printf(bp, "OCSP response well-formed and signed OK\n");
1592
c8dfb21d
JH
1593 /*XXX So we have a good stapled OCSP status. How do we know
1594 it is for the cert of interest? OpenSSL 1.1.0 has a routine
1595 OCSP_resp_find_status() which matches on a cert id, which presumably
1596 we should use. Making an id needs OCSP_cert_id_new(), which takes
1597 issuerName, issuerKey, serialNumber. Are they all in the cert?
1598
1599 For now, carry on blindly accepting the resp. */
1600
f5d78688 1601 {
f5d78688
JH
1602 OCSP_SINGLERESP * single;
1603
c8dfb21d
JH
1604#ifdef EXIM_HAVE_OCSP_RESP_COUNT
1605 if (OCSP_resp_count(bs) != 1)
1606#else
1607 STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
f5d78688 1608 if (sk_OCSP_SINGLERESP_num(sresp) != 1)
c8dfb21d 1609#endif
f5d78688 1610 {
018058b2 1611 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1612 log_write(0, LOG_MAIN, "OCSP stapling "
1613 "with multiple responses not handled");
c8dfb21d 1614 goto failed;
f5d78688
JH
1615 }
1616 single = OCSP_resp_get0(bs, 0);
44662487
JH
1617 status = OCSP_single_get0_status(single, &reason, &rev,
1618 &thisupd, &nextupd);
f5d78688
JH
1619 }
1620
f5d78688
JH
1621 DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
1622 DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
44662487
JH
1623 if (!OCSP_check_validity(thisupd, nextupd,
1624 EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
f5d78688 1625 {
018058b2 1626 tls_out.ocsp = OCSP_FAILED;
f5d78688
JH
1627 DEBUG(D_tls) ERR_print_errors(bp);
1628 log_write(0, LOG_MAIN, "Server OSCP dates invalid");
f5d78688 1629 }
44662487 1630 else
f5d78688 1631 {
44662487
JH
1632 DEBUG(D_tls) BIO_printf(bp, "Certificate status: %s\n",
1633 OCSP_cert_status_str(status));
1634 switch(status)
1635 {
1636 case V_OCSP_CERTSTATUS_GOOD:
44662487 1637 tls_out.ocsp = OCSP_VFIED;
018058b2 1638 i = 1;
c8dfb21d 1639 goto good;
44662487 1640 case V_OCSP_CERTSTATUS_REVOKED:
018058b2 1641 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1642 log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
1643 reason != -1 ? "; reason: " : "",
1644 reason != -1 ? OCSP_crl_reason_str(reason) : "");
1645 DEBUG(D_tls) time_print(bp, "Revocation Time", rev);
44662487
JH
1646 break;
1647 default:
018058b2 1648 tls_out.ocsp = OCSP_FAILED;
44662487
JH
1649 log_write(0, LOG_MAIN,
1650 "Server certificate status unknown, in OCSP stapling");
44662487
JH
1651 break;
1652 }
f5d78688 1653 }
c8dfb21d
JH
1654 failed:
1655 i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
1656 good:
f5d78688
JH
1657 BIO_free(bp);
1658 }
1659
1660OCSP_RESPONSE_free(rsp);
1661return i;
1662}
f2de3a33 1663#endif /*!DISABLE_OCSP*/
3f7eeb86
PP
1664
1665
7be682ca 1666/*************************************************
059ec3d9
PH
1667* Initialize for TLS *
1668*************************************************/
1669
e51c7be2
JH
1670/* Called from both server and client code, to do preliminary initialization
1671of the library. We allocate and return a context structure.
059ec3d9
PH
1672
1673Arguments:
946ecbe0 1674 ctxp returned SSL context
059ec3d9
PH
1675 host connected host, if client; NULL if server
1676 dhparam DH parameter file
1677 certificate certificate file
1678 privatekey private key
f5d78688 1679 ocsp_file file of stapling info (server); flag for require ocsp (client)
059ec3d9 1680 addr address if client; NULL if server (for some randomness)
946ecbe0 1681 cbp place to put allocated callback context
cf0c6164 1682 errstr error string pointer
059ec3d9
PH
1683
1684Returns: OK/DEFER/FAIL
1685*/
1686
1687static int
817d9f57 1688tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
3f7eeb86 1689 uschar *privatekey,
f2de3a33 1690#ifndef DISABLE_OCSP
47195144 1691 uschar *ocsp_file, /*XXX stack, in server*/
3f7eeb86 1692#endif
cf0c6164 1693 address_item *addr, tls_ext_ctx_cb ** cbp, uschar ** errstr)
059ec3d9 1694{
7006ee24 1695SSL_CTX * ctx;
77bb000f 1696long init_options;
7be682ca 1697int rc;
a7538db1 1698tls_ext_ctx_cb * cbinfo;
7be682ca
PP
1699
1700cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
1701cbinfo->certificate = certificate;
1702cbinfo->privatekey = privatekey;
a6510420 1703cbinfo->is_server = host==NULL;
f2de3a33 1704#ifndef DISABLE_OCSP
c3033f13 1705cbinfo->verify_stack = NULL;
a6510420 1706if (!host)
f5d78688
JH
1707 {
1708 cbinfo->u_ocsp.server.file = ocsp_file;
1709 cbinfo->u_ocsp.server.file_expanded = NULL;
1710 cbinfo->u_ocsp.server.response = NULL;
1711 }
1712else
1713 cbinfo->u_ocsp.client.verify_store = NULL;
3f7eeb86 1714#endif
7be682ca 1715cbinfo->dhparam = dhparam;
0df4ab80 1716cbinfo->server_cipher_list = NULL;
7be682ca 1717cbinfo->host = host;
0cbf2b82 1718#ifndef DISABLE_EVENT
a7538db1
JH
1719cbinfo->event_action = NULL;
1720#endif
77bb000f 1721
7434882d 1722#ifdef EXIM_NEED_OPENSSL_INIT
059ec3d9
PH
1723SSL_load_error_strings(); /* basic set up */
1724OpenSSL_add_ssl_algorithms();
7434882d 1725#endif
059ec3d9 1726
c8dfb21d 1727#ifdef EXIM_HAVE_SHA256
77bb000f 1728/* SHA256 is becoming ever more popular. This makes sure it gets added to the
a0475b69
TK
1729list of available digests. */
1730EVP_add_digest(EVP_sha256());
cf1ef1a9 1731#endif
a0475b69 1732
f0f5a555
PP
1733/* Create a context.
1734The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
1735negotiation in the different methods; as far as I can tell, the only
1736*_{server,client}_method which allows negotiation is SSLv23, which exists even
1737when OpenSSL is built without SSLv2 support.
1738By disabling with openssl_options, we can let admins re-enable with the
1739existing knob. */
059ec3d9 1740
7a8b9519
JH
1741#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
1742if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
1743#else
7006ee24 1744if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
7a8b9519 1745#endif
7006ee24 1746 return tls_error(US"SSL_CTX_new", host, NULL, errstr);
059ec3d9
PH
1747
1748/* It turns out that we need to seed the random number generator this early in
1749order to get the full complement of ciphers to work. It took me roughly a day
1750of work to discover this by experiment.
1751
1752On systems that have /dev/urandom, SSL may automatically seed itself from
1753there. Otherwise, we have to make something up as best we can. Double check
1754afterwards. */
1755
1756if (!RAND_status())
1757 {
1758 randstuff r;
9e3331ea 1759 gettimeofday(&r.tv, NULL);
059ec3d9
PH
1760 r.p = getpid();
1761
5903c6ff
JH
1762 RAND_seed(US (&r), sizeof(r));
1763 RAND_seed(US big_buffer, big_buffer_size);
1764 if (addr != NULL) RAND_seed(US addr, sizeof(addr));
059ec3d9
PH
1765
1766 if (!RAND_status())
7199e1ee 1767 return tls_error(US"RAND_status", host,
cf0c6164 1768 US"unable to seed random number generator", errstr);
059ec3d9
PH
1769 }
1770
1771/* Set up the information callback, which outputs if debugging is at a suitable
1772level. */
1773
7006ee24 1774DEBUG(D_tls) SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
059ec3d9 1775
c80c5570 1776/* Automatically re-try reads/writes after renegotiation. */
7006ee24 1777(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
c80c5570 1778
77bb000f
PP
1779/* Apply administrator-supplied work-arounds.
1780Historically we applied just one requested option,
1781SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
1782moved to an administrator-controlled list of options to specify and
1783grandfathered in the first one as the default value for "openssl_options".
059ec3d9 1784
77bb000f
PP
1785No OpenSSL version number checks: the options we accept depend upon the
1786availability of the option value macros from OpenSSL. */
059ec3d9 1787
7006ee24 1788if (!tls_openssl_options_parse(openssl_options, &init_options))
cf0c6164 1789 return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
77bb000f
PP
1790
1791if (init_options)
1792 {
1793 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
7006ee24 1794 if (!(SSL_CTX_set_options(ctx, init_options)))
77bb000f 1795 return tls_error(string_sprintf(
cf0c6164 1796 "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
77bb000f
PP
1797 }
1798else
1799 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9 1800
a28050f8
JH
1801/* We'd like to disable session cache unconditionally, but foolish Outlook
1802Express clients then give up the first TLS connection and make a second one
1803(which works). Only when there is an IMAP service on the same machine.
1804Presumably OE is trying to use the cache for A on B. Leave it enabled for
1805now, until we work out a decent way of presenting control to the config. It
1806will never be used because we use a new context every time. */
1807#ifdef notdef
7006ee24 1808(void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
a28050f8 1809#endif
7006ee24 1810
059ec3d9 1811/* Initialize with DH parameters if supplied */
10ca4f1c 1812/* Initialize ECDH temp key parameter selection */
059ec3d9 1813
7006ee24
JH
1814if ( !init_dh(ctx, dhparam, host, errstr)
1815 || !init_ecdh(ctx, host, errstr)
038597d2
PP
1816 )
1817 return DEFER;
059ec3d9 1818
3f7eeb86 1819/* Set up certificate and key (and perhaps OCSP info) */
059ec3d9 1820
7006ee24 1821if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
23bb6982 1822 return rc;
c91535f3 1823
c3033f13
JH
1824/* If we need to handle SNI or OCSP, do so */
1825
3bcbbbe2 1826#ifdef EXIM_HAVE_OPENSSL_TLSEXT
c3033f13
JH
1827# ifndef DISABLE_OCSP
1828 if (!(cbinfo->verify_stack = sk_X509_new_null()))
1829 {
1830 DEBUG(D_tls) debug_printf("failed to create stack for stapling verify\n");
1831 return FAIL;
1832 }
1833# endif
1834
7a8b9519 1835if (!host) /* server */
3f0945ff 1836 {
f2de3a33 1837# ifndef DISABLE_OCSP
f5d78688 1838 /* We check u_ocsp.server.file, not server.response, because we care about if
3f7eeb86
PP
1839 the option exists, not what the current expansion might be, as SNI might
1840 change the certificate and OCSP file in use between now and the time the
1841 callback is invoked. */
f5d78688 1842 if (cbinfo->u_ocsp.server.file)
3f7eeb86 1843 {
7006ee24
JH
1844 SSL_CTX_set_tlsext_status_cb(ctx, tls_server_stapling_cb);
1845 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
3f7eeb86 1846 }
f5d78688 1847# endif
3f0945ff
PP
1848 /* We always do this, so that $tls_sni is available even if not used in
1849 tls_certificate */
7006ee24
JH
1850 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
1851 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
3f0945ff 1852 }
f2de3a33 1853# ifndef DISABLE_OCSP
f5d78688
JH
1854else /* client */
1855 if(ocsp_file) /* wanting stapling */
1856 {
1857 if (!(cbinfo->u_ocsp.client.verify_store = X509_STORE_new()))
1858 {
1859 DEBUG(D_tls) debug_printf("failed to create store for stapling verify\n");
1860 return FAIL;
1861 }
7006ee24
JH
1862 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
1863 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
f5d78688
JH
1864 }
1865# endif
7be682ca 1866#endif
059ec3d9 1867
e51c7be2 1868cbinfo->verify_cert_hostnames = NULL;
e51c7be2 1869
c8dfb21d 1870#ifdef EXIM_HAVE_EPHEM_RSA_KEX
059ec3d9 1871/* Set up the RSA callback */
7006ee24 1872SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
c8dfb21d 1873#endif
059ec3d9
PH
1874
1875/* Finally, set the timeout, and we are done */
1876
7006ee24 1877SSL_CTX_set_timeout(ctx, ssl_session_timeout);
059ec3d9 1878DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca 1879
817d9f57 1880*cbp = cbinfo;
7006ee24 1881*ctxp = ctx;
7be682ca 1882
059ec3d9
PH
1883return OK;
1884}
1885
1886
1887
1888
1889/*************************************************
1890* Get name of cipher in use *
1891*************************************************/
1892
817d9f57 1893/*
059ec3d9 1894Argument: pointer to an SSL structure for the connection
817d9f57
JH
1895 buffer to use for answer
1896 size of buffer
1897 pointer to number of bits for cipher
059ec3d9
PH
1898Returns: nothing
1899*/
1900
1901static void
817d9f57 1902construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
059ec3d9 1903{
7a8b9519 1904/* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
57b3a7f5
PP
1905yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
1906the accessor functions use const in the prototype. */
059ec3d9 1907
7a8b9519
JH
1908const uschar * ver = CUS SSL_get_version(ssl);
1909const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
059ec3d9 1910
817d9f57 1911SSL_CIPHER_get_bits(c, bits);
059ec3d9 1912
817d9f57
JH
1913string_format(cipherbuf, bsize, "%s:%s:%u", ver,
1914 SSL_CIPHER_get_name(c), *bits);
059ec3d9
PH
1915
1916DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
1917}
1918
1919
f69979cf 1920static void
70e384dd 1921peer_cert(SSL * ssl, tls_support * tlsp, uschar * peerdn, unsigned siz)
f69979cf
JH
1922{
1923/*XXX we might consider a list-of-certs variable for the cert chain.
1924SSL_get_peer_cert_chain(SSL*). We'd need a new variable type and support
1925in list-handling functions, also consider the difference between the entire
1926chain and the elements sent by the peer. */
1927
70e384dd
JH
1928tlsp->peerdn = NULL;
1929
f69979cf
JH
1930/* Will have already noted peercert on a verify fail; possibly not the leaf */
1931if (!tlsp->peercert)
1932 tlsp->peercert = SSL_get_peer_certificate(ssl);
1933/* Beware anonymous ciphers which lead to server_cert being NULL */
1934if (tlsp->peercert)
70e384dd
JH
1935 if (!X509_NAME_oneline(X509_get_subject_name(tlsp->peercert), CS peerdn, siz))
1936 { DEBUG(D_tls) debug_printf("X509_NAME_oneline() error\n"); }
1937 else
1938 {
1939 peerdn[siz-1] = '\0';
1940 tlsp->peerdn = peerdn; /*XXX a static buffer... */
1941 }
f69979cf
JH
1942}
1943
1944
059ec3d9
PH
1945
1946
1947
1948/*************************************************
1949* Set up for verifying certificates *
1950*************************************************/
1951
0e8aed8a 1952#ifndef DISABLE_OCSP
c3033f13
JH
1953/* Load certs from file, return TRUE on success */
1954
1955static BOOL
1956chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
1957{
1958BIO * bp;
1959X509 * x;
1960
dec766a1
WB
1961while (sk_X509_num(verify_stack) > 0)
1962 X509_free(sk_X509_pop(verify_stack));
1963
c3033f13
JH
1964if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
1965while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
1966 sk_X509_push(verify_stack, x);
1967BIO_free(bp);
1968return TRUE;
1969}
0e8aed8a 1970#endif
c3033f13
JH
1971
1972
1973
dec766a1
WB
1974/* Called by both client and server startup; on the server possibly
1975repeated after a Server Name Indication.
059ec3d9
PH
1976
1977Arguments:
7be682ca 1978 sctx SSL_CTX* to initialise
059ec3d9
PH
1979 certs certs file or NULL
1980 crl CRL file or NULL
1981 host NULL in a server; the remote host in a client
1982 optional TRUE if called from a server for a host in tls_try_verify_hosts;
1983 otherwise passed as FALSE
983207c1 1984 cert_vfy_cb Callback function for certificate verification
cf0c6164 1985 errstr error string pointer
059ec3d9
PH
1986
1987Returns: OK/DEFER/FAIL
1988*/
1989
1990static int
983207c1 1991setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
cf0c6164 1992 int (*cert_vfy_cb)(int, X509_STORE_CTX *), uschar ** errstr)
059ec3d9
PH
1993{
1994uschar *expcerts, *expcrl;
1995
cf0c6164 1996if (!expand_check(certs, US"tls_verify_certificates", &expcerts, errstr))
059ec3d9 1997 return DEFER;
57cc2785 1998DEBUG(D_tls) debug_printf("tls_verify_certificates: %s\n", expcerts);
059ec3d9 1999
10a831a3 2000if (expcerts && *expcerts)
059ec3d9 2001 {
10a831a3
JH
2002 /* Tell the library to use its compiled-in location for the system default
2003 CA bundle. Then add the ones specified in the config, if any. */
cb1d7830 2004
10a831a3 2005 if (!SSL_CTX_set_default_verify_paths(sctx))
cf0c6164 2006 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL, errstr);
10a831a3
JH
2007
2008 if (Ustrcmp(expcerts, "system") != 0)
059ec3d9 2009 {
cb1d7830
JH
2010 struct stat statbuf;
2011
cb1d7830
JH
2012 if (Ustat(expcerts, &statbuf) < 0)
2013 {
2014 log_write(0, LOG_MAIN|LOG_PANIC,
2015 "failed to stat %s for certificates", expcerts);
2016 return DEFER;
2017 }
059ec3d9 2018 else
059ec3d9 2019 {
cb1d7830
JH
2020 uschar *file, *dir;
2021 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
2022 { file = NULL; dir = expcerts; }
2023 else
c3033f13
JH
2024 {
2025 file = expcerts; dir = NULL;
2026#ifndef DISABLE_OCSP
2027 /* In the server if we will be offering an OCSP proof, load chain from
2028 file for verifying the OCSP proof at load time. */
2029
2030 if ( !host
2031 && statbuf.st_size > 0
2032 && server_static_cbinfo->u_ocsp.server.file
2033 && !chain_from_pem_file(file, server_static_cbinfo->verify_stack)
2034 )
2035 {
2036 log_write(0, LOG_MAIN|LOG_PANIC,
57887ecc 2037 "failed to load cert chain from %s", file);
c3033f13
JH
2038 return DEFER;
2039 }
2040#endif
2041 }
cb1d7830
JH
2042
2043 /* If a certificate file is empty, the next function fails with an
2044 unhelpful error message. If we skip it, we get the correct behaviour (no
2045 certificates are recognized, but the error message is still misleading (it
c3033f13 2046 says no certificate was supplied). But this is better. */
cb1d7830 2047
f2f2c91b
JH
2048 if ( (!file || statbuf.st_size > 0)
2049 && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
cf0c6164 2050 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
cb1d7830
JH
2051
2052 /* Load the list of CAs for which we will accept certs, for sending
2053 to the client. This is only for the one-file tls_verify_certificates
2054 variant.
2055 If a list isn't loaded into the server, but
2056 some verify locations are set, the server end appears to make
4c04137d 2057 a wildcard request for client certs.
10a831a3 2058 Meanwhile, the client library as default behaviour *ignores* the list
cb1d7830
JH
2059 we send over the wire - see man SSL_CTX_set_client_cert_cb.
2060 Because of this, and that the dir variant is likely only used for
2061 the public-CA bundle (not for a private CA), not worth fixing.
2062 */
f2f2c91b 2063 if (file)
cb1d7830 2064 {
2009ecca 2065 STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
dec766a1
WB
2066
2067 SSL_CTX_set_client_CA_list(sctx, names);
f2f2c91b 2068 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
cb1d7830 2069 sk_X509_NAME_num(names));
cb1d7830 2070 }
059ec3d9
PH
2071 }
2072 }
2073
2074 /* Handle a certificate revocation list. */
2075
10a831a3 2076#if OPENSSL_VERSION_NUMBER > 0x00907000L
059ec3d9 2077
8b417f2c 2078 /* This bit of code is now the version supplied by Lars Mainka. (I have
10a831a3 2079 merely reformatted it into the Exim code style.)
8b417f2c 2080
10a831a3
JH
2081 "From here I changed the code to add support for multiple crl's
2082 in pem format in one file or to support hashed directory entries in
2083 pem format instead of a file. This method now uses the library function
2084 X509_STORE_load_locations to add the CRL location to the SSL context.
2085 OpenSSL will then handle the verify against CA certs and CRLs by
2086 itself in the verify callback." */
8b417f2c 2087
cf0c6164 2088 if (!expand_check(crl, US"tls_crl", &expcrl, errstr)) return DEFER;
10a831a3 2089 if (expcrl && *expcrl)
059ec3d9 2090 {
8b417f2c
PH
2091 struct stat statbufcrl;
2092 if (Ustat(expcrl, &statbufcrl) < 0)
2093 {
2094 log_write(0, LOG_MAIN|LOG_PANIC,
2095 "failed to stat %s for certificates revocation lists", expcrl);
2096 return DEFER;
2097 }
2098 else
059ec3d9 2099 {
8b417f2c
PH
2100 /* is it a file or directory? */
2101 uschar *file, *dir;
7be682ca 2102 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 2103 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 2104 {
8b417f2c
PH
2105 file = NULL;
2106 dir = expcrl;
2107 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH
2108 }
2109 else
2110 {
8b417f2c
PH
2111 file = expcrl;
2112 dir = NULL;
2113 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 2114 }
8b417f2c 2115 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
cf0c6164 2116 return tls_error(US"X509_STORE_load_locations", host, NULL, errstr);
8b417f2c
PH
2117
2118 /* setting the flags to check against the complete crl chain */
2119
2120 X509_STORE_set_flags(cvstore,
2121 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 2122 }
059ec3d9
PH
2123 }
2124
10a831a3 2125#endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
059ec3d9
PH
2126
2127 /* If verification is optional, don't fail if no certificate */
2128
7be682ca 2129 SSL_CTX_set_verify(sctx,
5a2a0989 2130 SSL_VERIFY_PEER | (optional ? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
983207c1 2131 cert_vfy_cb);
059ec3d9
PH
2132 }
2133
2134return OK;
2135}
2136
2137
2138
2139/*************************************************
2140* Start a TLS session in a server *
2141*************************************************/
2142
2143/* This is called when Exim is running as a server, after having received
2144the STARTTLS command. It must respond to that command, and then negotiate
2145a TLS session.
2146
2147Arguments:
2148 require_ciphers allowed ciphers
cf0c6164 2149 errstr pointer to error message
059ec3d9
PH
2150
2151Returns: OK on success
2152 DEFER for errors before the start of the negotiation
4c04137d 2153 FAIL for errors during the negotiation; the server can't
059ec3d9
PH
2154 continue running.
2155*/
2156
2157int
cf0c6164 2158tls_server_start(const uschar * require_ciphers, uschar ** errstr)
059ec3d9
PH
2159{
2160int rc;
cf0c6164
JH
2161uschar * expciphers;
2162tls_ext_ctx_cb * cbinfo;
f69979cf 2163static uschar peerdn[256];
817d9f57 2164static uschar cipherbuf[256];
059ec3d9
PH
2165
2166/* Check for previous activation */
2167
74f1a423 2168if (tls_in.active.sock >= 0)
059ec3d9 2169 {
cf0c6164 2170 tls_error(US"STARTTLS received after TLS started", NULL, US"", errstr);
925ac8e4 2171 smtp_printf("554 Already in TLS\r\n", FALSE);
059ec3d9
PH
2172 return FAIL;
2173 }
2174
2175/* Initialize the SSL library. If it fails, it will already have logged
2176the error. */
2177
817d9f57 2178rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
f2de3a33 2179#ifndef DISABLE_OCSP
47195144 2180 tls_ocsp_file, /*XXX stack*/
3f7eeb86 2181#endif
cf0c6164 2182 NULL, &server_static_cbinfo, errstr);
059ec3d9 2183if (rc != OK) return rc;
817d9f57 2184cbinfo = server_static_cbinfo;
059ec3d9 2185
cf0c6164 2186if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers, errstr))
059ec3d9
PH
2187 return FAIL;
2188
2189/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
17c76198
PP
2190were historically separated by underscores. So that I can use either form in my
2191tests, and also for general convenience, we turn underscores into hyphens here.
0c3807a8
JH
2192
2193XXX SSL_CTX_set_cipher_list() is replaced by SSL_CTX_set_ciphersuites()
2194for TLS 1.3 . Since we do not call it at present we get the default list:
2195TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
17c76198 2196*/
059ec3d9 2197
c3033f13 2198if (expciphers)
059ec3d9 2199 {
c3033f13 2200 uschar * s = expciphers;
059ec3d9
PH
2201 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
2202 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
817d9f57 2203 if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
cf0c6164 2204 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL, errstr);
7be682ca 2205 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH
2206 }
2207
2208/* If this is a host for which certificate verification is mandatory or
2209optional, set up appropriately. */
2210
817d9f57 2211tls_in.certificate_verified = FALSE;
c0635b6d 2212#ifdef SUPPORT_DANE
53a7196b
JH
2213tls_in.dane_verified = FALSE;
2214#endif
a2ff477a 2215server_verify_callback_called = FALSE;
059ec3d9
PH
2216
2217if (verify_check_host(&tls_verify_hosts) == OK)
2218 {
983207c1 2219 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
afdb5e9c 2220 FALSE, verify_callback_server, errstr);
059ec3d9 2221 if (rc != OK) return rc;
a2ff477a 2222 server_verify_optional = FALSE;
059ec3d9
PH
2223 }
2224else if (verify_check_host(&tls_try_verify_hosts) == OK)
2225 {
983207c1 2226 rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
afdb5e9c 2227 TRUE, verify_callback_server, errstr);
059ec3d9 2228 if (rc != OK) return rc;
a2ff477a 2229 server_verify_optional = TRUE;
059ec3d9
PH
2230 }
2231
2232/* Prepare for new connection */
2233
cf0c6164
JH
2234if (!(server_ssl = SSL_new(server_ctx)))
2235 return tls_error(US"SSL_new", NULL, NULL, errstr);
da3ad30d
PP
2236
2237/* Warning: we used to SSL_clear(ssl) here, it was removed.
2238 *
2239 * With the SSL_clear(), we get strange interoperability bugs with
2240 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
2241 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
2242 *
2243 * The SSL_clear() call is to let an existing SSL* be reused, typically after
2244 * session shutdown. In this case, we have a brand new object and there's no
2245 * obvious reason to immediately clear it. I'm guessing that this was
2246 * originally added because of incomplete initialisation which the clear fixed,
2247 * in some historic release.
2248 */
059ec3d9
PH
2249
2250/* Set context and tell client to go ahead, except in the case of TLS startup
2251on connection, where outputting anything now upsets the clients and tends to
2252make them disconnect. We need to have an explicit fflush() here, to force out
2253the response. Other smtp_printf() calls do not need it, because in non-TLS
2254mode, the fflush() happens when smtp_getc() is called. */
2255
817d9f57
JH
2256SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
2257if (!tls_in.on_connect)
059ec3d9 2258 {
925ac8e4 2259 smtp_printf("220 TLS go ahead\r\n", FALSE);
059ec3d9
PH
2260 fflush(smtp_out);
2261 }
2262
2263/* Now negotiate the TLS session. We put our own timer on it, since it seems
2264that the OpenSSL library doesn't. */
2265
817d9f57
JH
2266SSL_set_wfd(server_ssl, fileno(smtp_out));
2267SSL_set_rfd(server_ssl, fileno(smtp_in));
2268SSL_set_accept_state(server_ssl);
059ec3d9
PH
2269
2270DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
2271
2272sigalrm_seen = FALSE;
c2a1bba0 2273if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
817d9f57 2274rc = SSL_accept(server_ssl);
c2a1bba0 2275ALARM_CLR(0);
059ec3d9
PH
2276
2277if (rc <= 0)
2278 {
cf0c6164 2279 (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
059ec3d9
PH
2280 return FAIL;
2281 }
2282
2283DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
25fa0868
JH
2284ERR_clear_error(); /* Even success can leave errors in the stack. Seen with
2285 anon-authentication ciphersuite negociated. */
059ec3d9
PH
2286
2287/* TLS has been set up. Adjust the input functions to read via TLS,
2288and initialize things. */
2289
f69979cf
JH
2290peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
2291
817d9f57
JH
2292construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
2293tls_in.cipher = cipherbuf;
059ec3d9
PH
2294
2295DEBUG(D_tls)
2296 {
2297 uschar buf[2048];
817d9f57 2298 if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
059ec3d9
PH
2299 debug_printf("Shared ciphers: %s\n", buf);
2300 }
2301
9d1c15ef
JH
2302/* Record the certificate we presented */
2303 {
2304 X509 * crt = SSL_get_certificate(server_ssl);
2305 tls_in.ourcert = crt ? X509_dup(crt) : NULL;
2306 }
059ec3d9 2307
817d9f57
JH
2308/* Only used by the server-side tls (tls_in), including tls_getc.
2309 Client-side (tls_out) reads (seem to?) go via
2310 smtp_read_response()/ip_recv().
2311 Hence no need to duplicate for _in and _out.
2312 */
b808677c 2313if (!ssl_xfer_buffer) ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
059ec3d9 2314ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
8b77d27a 2315ssl_xfer_eof = ssl_xfer_error = FALSE;
059ec3d9
PH
2316
2317receive_getc = tls_getc;
0d81dabc 2318receive_getbuf = tls_getbuf;
584e96c6 2319receive_get_cache = tls_get_cache;
059ec3d9
PH
2320receive_ungetc = tls_ungetc;
2321receive_feof = tls_feof;
2322receive_ferror = tls_ferror;
58eb016e 2323receive_smtp_buffered = tls_smtp_buffered;
059ec3d9 2324
74f1a423
JH
2325tls_in.active.sock = fileno(smtp_out);
2326tls_in.active.tls_ctx = NULL; /* not using explicit ctx for server-side */
059ec3d9
PH
2327return OK;
2328}
2329
2330
2331
2332
043b1248
JH
2333static int
2334tls_client_basic_ctx_init(SSL_CTX * ctx,
cf0c6164
JH
2335 host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo,
2336 uschar ** errstr)
043b1248
JH
2337{
2338int rc;
94431adb 2339/* stick to the old behaviour for compatibility if tls_verify_certificates is
043b1248
JH
2340 set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
2341 the specified host patterns if one of them is defined */
2342
610ff438
JH
2343if ( ( !ob->tls_verify_hosts
2344 && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
2345 )
3c07dd2d 2346 || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
aa2a70ba 2347 )
043b1248 2348 client_verify_optional = FALSE;
3c07dd2d 2349else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
aa2a70ba
JH
2350 client_verify_optional = TRUE;
2351else
2352 return OK;
2353
2354if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
cf0c6164
JH
2355 ob->tls_crl, host, client_verify_optional, verify_callback_client,
2356 errstr)) != OK)
aa2a70ba 2357 return rc;
043b1248 2358
3c07dd2d 2359if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
043b1248 2360 {
4af0d74a 2361 cbinfo->verify_cert_hostnames =
8c5d388a 2362#ifdef SUPPORT_I18N
4af0d74a
JH
2363 string_domain_utf8_to_alabel(host->name, NULL);
2364#else
2365 host->name;
2366#endif
aa2a70ba
JH
2367 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
2368 cbinfo->verify_cert_hostnames);
043b1248 2369 }
043b1248
JH
2370return OK;
2371}
059ec3d9 2372
fde080a4 2373
c0635b6d 2374#ifdef SUPPORT_DANE
fde080a4 2375static int
cf0c6164 2376dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr)
fde080a4
JH
2377{
2378dns_record * rr;
2379dns_scan dnss;
2380const char * hostnames[2] = { CS host->name, NULL };
2381int found = 0;
2382
2383if (DANESSL_init(ssl, NULL, hostnames) != 1)
cf0c6164 2384 return tls_error(US"hostnames load", host, NULL, errstr);
fde080a4
JH
2385
2386for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
2387 rr;
2388 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1b76ad22 2389 ) if (rr->type == T_TLSA && rr->size > 3)
fde080a4 2390 {
c3033f13 2391 const uschar * p = rr->data;
fde080a4
JH
2392 uint8_t usage, selector, mtype;
2393 const char * mdname;
2394
fde080a4 2395 usage = *p++;
133d2546
JH
2396
2397 /* Only DANE-TA(2) and DANE-EE(3) are supported */
2398 if (usage != 2 && usage != 3) continue;
2399
fde080a4
JH
2400 selector = *p++;
2401 mtype = *p++;
2402
2403 switch (mtype)
2404 {
133d2546
JH
2405 default: continue; /* Only match-types 0, 1, 2 are supported */
2406 case 0: mdname = NULL; break;
2407 case 1: mdname = "sha256"; break;
2408 case 2: mdname = "sha512"; break;
fde080a4
JH
2409 }
2410
133d2546 2411 found++;
fde080a4
JH
2412 switch (DANESSL_add_tlsa(ssl, usage, selector, mdname, p, rr->size - 3))
2413 {
2414 default:
cf0c6164 2415 return tls_error(US"tlsa load", host, NULL, errstr);
c035b645 2416 case 0: /* action not taken */
fde080a4
JH
2417 case 1: break;
2418 }
594706ea
JH
2419
2420 tls_out.tlsa_usage |= 1<<usage;
fde080a4
JH
2421 }
2422
2423if (found)
2424 return OK;
2425
133d2546 2426log_write(0, LOG_MAIN, "DANE error: No usable TLSA records");
6ebd79ec 2427return DEFER;
fde080a4 2428}
c0635b6d 2429#endif /*SUPPORT_DANE*/
fde080a4
JH
2430
2431
2432
059ec3d9
PH
2433/*************************************************
2434* Start a TLS session in a client *
2435*************************************************/
2436
2437/* Called from the smtp transport after STARTTLS has been accepted.
2438
2439Argument:
2440 fd the fd of the connection
afdb5e9c
JH
2441 host connected host (for messages and option-tests)
2442 addr the first address (for some randomness; can be NULL)
a7538db1 2443 tb transport (always smtp)
0e66b3b6 2444 tlsa_dnsa tlsa lookup, if DANE, else null
afdb5e9c 2445 tlsp record details of channel configuration here; must be non-NULL
cf0c6164 2446 errstr error string pointer
059ec3d9 2447
74f1a423 2448Returns: Pointer to TLS session context, or NULL on error
059ec3d9
PH
2449*/
2450
74f1a423 2451void *
f5d78688 2452tls_client_start(int fd, host_item *host, address_item *addr,
cf0c6164 2453 transport_instance * tb,
c0635b6d 2454#ifdef SUPPORT_DANE
cf0c6164 2455 dns_answer * tlsa_dnsa,
0e66b3b6 2456#endif
74f1a423 2457 tls_support * tlsp, uschar ** errstr)
059ec3d9 2458{
afdb5e9c
JH
2459smtp_transport_options_block * ob = tb
2460 ? (smtp_transport_options_block *)tb->options_block
2461 : &smtp_transport_option_defaults;
74f1a423 2462exim_openssl_client_tls_ctx * exim_client_ctx;
f69979cf 2463static uschar peerdn[256];
868f5672 2464uschar * expciphers;
059ec3d9 2465int rc;
817d9f57 2466static uschar cipherbuf[256];
043b1248
JH
2467
2468#ifndef DISABLE_OCSP
043b1248 2469BOOL request_ocsp = FALSE;
6634ac8d 2470BOOL require_ocsp = FALSE;
043b1248 2471#endif
043b1248 2472
74f1a423
JH
2473rc = store_pool;
2474store_pool = POOL_PERM;
2475exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx));
2476store_pool = rc;
2477
c0635b6d 2478#ifdef SUPPORT_DANE
74f1a423 2479tlsp->tlsa_usage = 0;
043b1248
JH
2480#endif
2481
f2de3a33 2482#ifndef DISABLE_OCSP
043b1248 2483 {
c0635b6d 2484# ifdef SUPPORT_DANE
4f59c424
JH
2485 if ( tlsa_dnsa
2486 && ob->hosts_request_ocsp[0] == '*'
2487 && ob->hosts_request_ocsp[1] == '\0'
2488 )
2489 {
2490 /* Unchanged from default. Use a safer one under DANE */
2491 request_ocsp = TRUE;
2492 ob->hosts_request_ocsp = US"${if or { {= {0}{$tls_out_tlsa_usage}} "
2493 " {= {4}{$tls_out_tlsa_usage}} } "
2494 " {*}{}}";
2495 }
2496# endif
2497
5130845b 2498 if ((require_ocsp =
3c07dd2d 2499 verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK))
fca41d5a
JH
2500 request_ocsp = TRUE;
2501 else
c0635b6d 2502# ifdef SUPPORT_DANE
4f59c424 2503 if (!request_ocsp)
fca41d5a 2504# endif
5130845b 2505 request_ocsp =
3c07dd2d 2506 verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
043b1248 2507 }
f5d78688 2508#endif
059ec3d9 2509
74f1a423 2510rc = tls_init(&exim_client_ctx->ctx, host, NULL,
65867078 2511 ob->tls_certificate, ob->tls_privatekey,
f2de3a33 2512#ifndef DISABLE_OCSP
44662487 2513 (void *)(long)request_ocsp,
3f7eeb86 2514#endif
cf0c6164 2515 addr, &client_static_cbinfo, errstr);
74f1a423 2516if (rc != OK) return NULL;
059ec3d9 2517
74f1a423 2518tlsp->certificate_verified = FALSE;
a2ff477a 2519client_verify_callback_called = FALSE;
059ec3d9 2520
5ec37a55
PP
2521expciphers = NULL;
2522#ifdef SUPPORT_DANE
2523if (tlsa_dnsa)
2524 {
2525 /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
2526 other failures should be treated as problems. */
2527 if (ob->dane_require_tls_ciphers &&
2528 !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
2529 &expciphers, errstr))
74f1a423 2530 return NULL;
5ec37a55
PP
2531 if (expciphers && *expciphers == '\0')
2532 expciphers = NULL;
2533 }
2534#endif
2535if (!expciphers &&
2536 !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
2537 &expciphers, errstr))
74f1a423 2538 return NULL;
059ec3d9
PH
2539
2540/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
2541are separated by underscores. So that I can use either form in my tests, and
2542also for general convenience, we turn underscores into hyphens here. */
2543
cf0c6164 2544if (expciphers)
059ec3d9
PH
2545 {
2546 uschar *s = expciphers;
cf0c6164 2547 while (*s) { if (*s == '_') *s = '-'; s++; }
059ec3d9 2548 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
74f1a423
JH
2549 if (!SSL_CTX_set_cipher_list(exim_client_ctx->ctx, CS expciphers))
2550 {
2551 tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr);
2552 return NULL;
2553 }
059ec3d9
PH
2554 }
2555
c0635b6d 2556#ifdef SUPPORT_DANE
0e66b3b6 2557if (tlsa_dnsa)
a63be306 2558 {
74f1a423 2559 SSL_CTX_set_verify(exim_client_ctx->ctx,
02af313d
JH
2560 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
2561 verify_callback_client_dane);
e5cccda9 2562
043b1248 2563 if (!DANESSL_library_init())
74f1a423
JH
2564 {
2565 tls_error(US"library init", host, NULL, errstr);
2566 return NULL;
2567 }
2568 if (DANESSL_CTX_init(exim_client_ctx->ctx) <= 0)
2569 {
2570 tls_error(US"context init", host, NULL, errstr);
2571 return NULL;
2572 }
043b1248
JH
2573 }
2574else
e51c7be2 2575
043b1248
JH
2576#endif
2577
74f1a423
JH
2578 if (tls_client_basic_ctx_init(exim_client_ctx->ctx, host, ob,
2579 client_static_cbinfo, errstr) != OK)
2580 return NULL;
059ec3d9 2581
74f1a423
JH
2582if (!(exim_client_ctx->ssl = SSL_new(exim_client_ctx->ctx)))
2583 {
2584 tls_error(US"SSL_new", host, NULL, errstr);
2585 return NULL;
2586 }
2587SSL_set_session_id_context(exim_client_ctx->ssl, sid_ctx, Ustrlen(sid_ctx));
2588SSL_set_fd(exim_client_ctx->ssl, fd);
2589SSL_set_connect_state(exim_client_ctx->ssl);
059ec3d9 2590
65867078 2591if (ob->tls_sni)
3f0945ff 2592 {
74f1a423
JH
2593 if (!expand_check(ob->tls_sni, US"tls_sni", &tlsp->sni, errstr))
2594 return NULL;
2595 if (!tlsp->sni)
2c9a0e86
PP
2596 {
2597 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
2598 }
74f1a423
JH
2599 else if (!Ustrlen(tlsp->sni))
2600 tlsp->sni = NULL;
3f0945ff
PP
2601 else
2602 {
35731706 2603#ifdef EXIM_HAVE_OPENSSL_TLSEXT
74f1a423
JH
2604 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tlsp->sni);
2605 SSL_set_tlsext_host_name(exim_client_ctx->ssl, tlsp->sni);
35731706 2606#else
66802652 2607 log_write(0, LOG_MAIN, "SNI unusable with this OpenSSL library version; ignoring \"%s\"\n",
74f1a423 2608 tlsp->sni);
35731706 2609#endif
3f0945ff
PP
2610 }
2611 }
2612
c0635b6d 2613#ifdef SUPPORT_DANE
0e66b3b6 2614if (tlsa_dnsa)
74f1a423
JH
2615 if (dane_tlsa_load(exim_client_ctx->ssl, host, tlsa_dnsa, errstr) != OK)
2616 return NULL;
594706ea
JH
2617#endif
2618
f2de3a33 2619#ifndef DISABLE_OCSP
f5d78688
JH
2620/* Request certificate status at connection-time. If the server
2621does OCSP stapling we will get the callback (set in tls_init()) */
c0635b6d 2622# ifdef SUPPORT_DANE
44662487
JH
2623if (request_ocsp)
2624 {
594706ea 2625 const uschar * s;
41afb5cb
JH
2626 if ( ((s = ob->hosts_require_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
2627 || ((s = ob->hosts_request_ocsp) && Ustrstr(s, US"tls_out_tlsa_usage"))
594706ea
JH
2628 )
2629 { /* Re-eval now $tls_out_tlsa_usage is populated. If
2630 this means we avoid the OCSP request, we wasted the setup
2631 cost in tls_init(). */
3c07dd2d 2632 require_ocsp = verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
5130845b 2633 request_ocsp = require_ocsp
3c07dd2d 2634 || verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
594706ea
JH
2635 }
2636 }
b50c8b84
JH
2637# endif
2638
594706ea
JH
2639if (request_ocsp)
2640 {
74f1a423 2641 SSL_set_tlsext_status_type(exim_client_ctx->ssl, TLSEXT_STATUSTYPE_ocsp);
44662487 2642 client_static_cbinfo->u_ocsp.client.verify_required = require_ocsp;
74f1a423 2643 tlsp->ocsp = OCSP_NOT_RESP;
44662487 2644 }
f5d78688
JH
2645#endif
2646
0cbf2b82 2647#ifndef DISABLE_EVENT
afdb5e9c 2648client_static_cbinfo->event_action = tb ? tb->event_action : NULL;
a7538db1 2649#endif
043b1248 2650
059ec3d9
PH
2651/* There doesn't seem to be a built-in timeout on connection. */
2652
2653DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
2654sigalrm_seen = FALSE;
c2a1bba0 2655ALARM(ob->command_timeout);
74f1a423 2656rc = SSL_connect(exim_client_ctx->ssl);
c2a1bba0 2657ALARM_CLR(0);
059ec3d9 2658
c0635b6d 2659#ifdef SUPPORT_DANE
0e66b3b6 2660if (tlsa_dnsa)
74f1a423 2661 DANESSL_cleanup(exim_client_ctx->ssl);
043b1248
JH
2662#endif
2663
059ec3d9 2664if (rc <= 0)
74f1a423
JH
2665 {
2666 tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL, errstr);
2667 return NULL;
2668 }
059ec3d9
PH
2669
2670DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
2671
74f1a423 2672peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
059ec3d9 2673
74f1a423
JH
2674construct_cipher_name(exim_client_ctx->ssl, cipherbuf, sizeof(cipherbuf), &tlsp->bits);
2675tlsp->cipher = cipherbuf;
059ec3d9 2676
9d1c15ef
JH
2677/* Record the certificate we presented */
2678 {
74f1a423
JH
2679 X509 * crt = SSL_get_certificate(exim_client_ctx->ssl);
2680 tlsp->ourcert = crt ? X509_dup(crt) : NULL;
9d1c15ef
JH
2681 }
2682
74f1a423
JH
2683tlsp->active.sock = fd;
2684tlsp->active.tls_ctx = exim_client_ctx;
2685return exim_client_ctx;
059ec3d9
PH
2686}
2687
2688
2689
2690
2691
0d81dabc
JH
2692static BOOL
2693tls_refill(unsigned lim)
2694{
2695int error;
2696int inbytes;
2697
2698DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
2699 ssl_xfer_buffer, ssl_xfer_buffer_size);
2700
c2a1bba0 2701if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
0d81dabc
JH
2702inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
2703 MIN(ssl_xfer_buffer_size, lim));
2704error = SSL_get_error(server_ssl, inbytes);
c2a1bba0 2705if (smtp_receive_timeout > 0) ALARM_CLR(0);
9723f966
JH
2706
2707if (had_command_timeout) /* set by signal handler */
2708 smtp_command_timeout_exit(); /* does not return */
2709if (had_command_sigterm)
2710 smtp_command_sigterm_exit();
2711if (had_data_timeout)
2712 smtp_data_timeout_exit();
2713if (had_data_sigint)
2714 smtp_data_sigint_exit();
0d81dabc
JH
2715
2716/* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
2717closed down, not that the socket itself has been closed down. Revert to
2718non-SSL handling. */
2719
74f1a423 2720switch(error)
0d81dabc 2721 {
74f1a423
JH
2722 case SSL_ERROR_NONE:
2723 break;
2724
2725 case SSL_ERROR_ZERO_RETURN:
2726 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
0d81dabc 2727
74f1a423
JH
2728 receive_getc = smtp_getc;
2729 receive_getbuf = smtp_getbuf;
2730 receive_get_cache = smtp_get_cache;
2731 receive_ungetc = smtp_ungetc;
2732 receive_feof = smtp_feof;
2733 receive_ferror = smtp_ferror;
2734 receive_smtp_buffered = smtp_buffered;
0d81dabc 2735
74f1a423
JH
2736 if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
2737 SSL_shutdown(server_ssl);
dec766a1 2738
37f0ce65 2739#ifndef DISABLE_OCSP
74f1a423
JH
2740 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
2741 server_static_cbinfo->verify_stack = NULL;
37f0ce65 2742#endif
74f1a423
JH
2743 SSL_free(server_ssl);
2744 SSL_CTX_free(server_ctx);
2745 server_ctx = NULL;
2746 server_ssl = NULL;
2747 tls_in.active.sock = -1;
2748 tls_in.active.tls_ctx = NULL;
2749 tls_in.bits = 0;
2750 tls_in.cipher = NULL;
2751 tls_in.peerdn = NULL;
2752 tls_in.sni = NULL;
0d81dabc 2753
74f1a423 2754 return FALSE;
0d81dabc 2755
74f1a423
JH
2756 /* Handle genuine errors */
2757 case SSL_ERROR_SSL:
0abc5a13 2758 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
74f1a423
JH
2759 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
2760 ssl_xfer_error = TRUE;
2761 return FALSE;
0d81dabc 2762
74f1a423
JH
2763 default:
2764 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
2765 DEBUG(D_tls) if (error == SSL_ERROR_SYSCALL)
2766 debug_printf(" - syscall %s\n", strerror(errno));
2767 ssl_xfer_error = TRUE;
2768 return FALSE;
0d81dabc
JH
2769 }
2770
2771#ifndef DISABLE_DKIM
2772dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
2773#endif
2774ssl_xfer_buffer_hwm = inbytes;
2775ssl_xfer_buffer_lwm = 0;
2776return TRUE;
2777}
2778
2779
059ec3d9
PH
2780/*************************************************
2781* TLS version of getc *
2782*************************************************/
2783
2784/* This gets the next byte from the TLS input buffer. If the buffer is empty,
2785it refills the buffer via the SSL reading function.
2786
bd8fbe36 2787Arguments: lim Maximum amount to read/buffer
059ec3d9 2788Returns: the next character or EOF
817d9f57
JH
2789
2790Only used by the server-side TLS.
059ec3d9
PH
2791*/
2792
2793int
bd8fbe36 2794tls_getc(unsigned lim)
059ec3d9
PH
2795{
2796if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
0d81dabc
JH
2797 if (!tls_refill(lim))
2798 return ssl_xfer_error ? EOF : smtp_getc(lim);
059ec3d9 2799
0d81dabc 2800/* Something in the buffer; return next uschar */
059ec3d9 2801
0d81dabc
JH
2802return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
2803}
059ec3d9 2804
0d81dabc
JH
2805uschar *
2806tls_getbuf(unsigned * len)
2807{
2808unsigned size;
2809uschar * buf;
ba084640 2810
0d81dabc
JH
2811if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
2812 if (!tls_refill(*len))
059ec3d9 2813 {
0d81dabc
JH
2814 if (!ssl_xfer_error) return smtp_getbuf(len);
2815 *len = 0;
2816 return NULL;
059ec3d9 2817 }
c80c5570 2818
0d81dabc
JH
2819if ((size = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm) > *len)
2820 size = *len;
2821buf = &ssl_xfer_buffer[ssl_xfer_buffer_lwm];
2822ssl_xfer_buffer_lwm += size;
2823*len = size;
2824return buf;
059ec3d9
PH
2825}
2826
0d81dabc 2827
584e96c6
JH
2828void
2829tls_get_cache()
2830{
9960d1e5 2831#ifndef DISABLE_DKIM
584e96c6
JH
2832int n = ssl_xfer_buffer_hwm - ssl_xfer_buffer_lwm;
2833if (n > 0)
2834 dkim_exim_verify_feed(ssl_xfer_buffer+ssl_xfer_buffer_lwm, n);
584e96c6 2835#endif
9960d1e5 2836}
584e96c6 2837
059ec3d9 2838
925ac8e4
JH
2839BOOL
2840tls_could_read(void)
2841{
a5ffa9b4 2842return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm || SSL_pending(server_ssl) > 0;
925ac8e4
JH
2843}
2844
059ec3d9
PH
2845
2846/*************************************************
2847* Read bytes from TLS channel *
2848*************************************************/
2849
2850/*
2851Arguments:
74f1a423 2852 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH
2853 buff buffer of data
2854 len size of buffer
2855
2856Returns: the number of bytes read
afdb5e9c 2857 -1 after a failed read, including EOF
817d9f57
JH
2858
2859Only used by the client-side TLS.
059ec3d9
PH
2860*/
2861
2862int
74f1a423 2863tls_read(void * ct_ctx, uschar *buff, size_t len)
059ec3d9 2864{
74f1a423 2865SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
059ec3d9
PH
2866int inbytes;
2867int error;
2868
389ca47a 2869DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
c80c5570 2870 buff, (unsigned int)len);
059ec3d9 2871
389ca47a
JH
2872inbytes = SSL_read(ssl, CS buff, len);
2873error = SSL_get_error(ssl, inbytes);
059ec3d9
PH
2874
2875if (error == SSL_ERROR_ZERO_RETURN)
2876 {
2877 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
2878 return -1;
2879 }
2880else if (error != SSL_ERROR_NONE)
059ec3d9 2881 return -1;
059ec3d9
PH
2882
2883return inbytes;
2884}
2885
2886
2887
2888
2889
2890/*************************************************
2891* Write bytes down TLS channel *
2892*************************************************/
2893
2894/*
2895Arguments:
74f1a423 2896 ct_ctx client context pointer, or NULL for the one global server context
059ec3d9
PH
2897 buff buffer of data
2898 len number of bytes
925ac8e4 2899 more further data expected soon
059ec3d9
PH
2900
2901Returns: the number of bytes after a successful write,
2902 -1 after a failed write
817d9f57
JH
2903
2904Used by both server-side and client-side TLS.
059ec3d9
PH
2905*/
2906
2907int
74f1a423 2908tls_write(void * ct_ctx, const uschar *buff, size_t len, BOOL more)
059ec3d9 2909{
a5ffa9b4 2910int outbytes, error, left;
74f1a423 2911SSL * ssl = ct_ctx ? ((exim_openssl_client_tls_ctx *)ct_ctx)->ssl : server_ssl;
acec9514 2912static gstring * corked = NULL;
a5ffa9b4 2913
ef698bf6 2914DEBUG(D_tls) debug_printf("%s(%p, %lu%s)\n", __FUNCTION__,
b93be52e 2915 buff, (unsigned long)len, more ? ", more" : "");
a5ffa9b4
JH
2916
2917/* Lacking a CORK or MSG_MORE facility (such as GnuTLS has) we copy data when
2918"more" is notified. This hack is only ok if small amounts are involved AND only
2919one stream does it, in one context (i.e. no store reset). Currently it is used
2920for the responses to the received SMTP MAIL , RCPT, DATA sequence, only. */
ee8b8090
JH
2921/*XXX + if PIPE_COMMAND, banner & ehlo-resp for smmtp-on-connect. Suspect there's
2922a store reset there. */
a5ffa9b4 2923
74f1a423 2924if (!ct_ctx && (more || corked))
a5ffa9b4 2925 {
ee8b8090
JH
2926#ifdef EXPERIMENTAL_PIPE_CONNECT
2927 int save_pool = store_pool;
2928 store_pool = POOL_PERM;
2929#endif
2930
acec9514 2931 corked = string_catn(corked, buff, len);
ee8b8090
JH
2932
2933#ifdef EXPERIMENTAL_PIPE_CONNECT
2934 store_pool = save_pool;
2935#endif
2936
a5ffa9b4
JH
2937 if (more)
2938 return len;
acec9514
JH
2939 buff = CUS corked->s;
2940 len = corked->ptr;
2941 corked = NULL;
a5ffa9b4 2942 }
059ec3d9 2943
a5ffa9b4 2944for (left = len; left > 0;)
059ec3d9 2945 {
74f1a423 2946 DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left);
059ec3d9
PH
2947 outbytes = SSL_write(ssl, CS buff, left);
2948 error = SSL_get_error(ssl, outbytes);
2949 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
2950 switch (error)
2951 {
2952 case SSL_ERROR_SSL:
0abc5a13 2953 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
96f5fe4c
JH
2954 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
2955 return -1;
059ec3d9
PH
2956
2957 case SSL_ERROR_NONE:
96f5fe4c
JH
2958 left -= outbytes;
2959 buff += outbytes;
2960 break;
059ec3d9
PH
2961
2962 case SSL_ERROR_ZERO_RETURN:
96f5fe4c
JH
2963 log_write(0, LOG_MAIN, "SSL channel closed on write");
2964 return -1;
059ec3d9 2965
817d9f57 2966 case SSL_ERROR_SYSCALL:
96f5fe4c
JH
2967 log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
2968 sender_fullhost ? sender_fullhost : US"<unknown>",
2969 strerror(errno));
2970 return -1;
817d9f57 2971
059ec3d9 2972 default:
96f5fe4c
JH
2973 log_write(0, LOG_MAIN, "SSL_write error %d", error);
2974 return -1;
059ec3d9
PH
2975 }
2976 }
2977return len;
2978}
2979
2980
2981
2982/*************************************************
2983* Close down a TLS session *
2984*************************************************/
2985
2986/* This is also called from within a delivery subprocess forked from the
2987daemon, to shut down the TLS library, without actually doing a shutdown (which
2988would tamper with the SSL session in the parent process).
2989
dec766a1 2990Arguments:
74f1a423 2991 ct_ctx client TLS context pointer, or NULL for the one global server context
dec766a1
WB
2992 shutdown 1 if TLS close-alert is to be sent,
2993 2 if also response to be waited for
2994
059ec3d9 2995Returns: nothing
817d9f57
JH
2996
2997Used by both server-side and client-side TLS.
059ec3d9
PH
2998*/
2999
3000void
74f1a423 3001tls_close(void * ct_ctx, int shutdown)
059ec3d9 3002{
74f1a423
JH
3003exim_openssl_client_tls_ctx * o_ctx = ct_ctx;
3004SSL_CTX **ctxp = o_ctx ? &o_ctx->ctx : &server_ctx;
3005SSL **sslp = o_ctx ? &o_ctx->ssl : &server_ssl;
3006int *fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
817d9f57
JH
3007
3008if (*fdp < 0) return; /* TLS was not active */
059ec3d9
PH
3009
3010if (shutdown)
3011 {
dec766a1
WB
3012 int rc;
3013 DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
3014 shutdown > 1 ? " (with response-wait)" : "");
3015
3016 if ( (rc = SSL_shutdown(*sslp)) == 0 /* send "close notify" alert */
3017 && shutdown > 1)
3018 {
c2a1bba0 3019 ALARM(2);
dec766a1 3020 rc = SSL_shutdown(*sslp); /* wait for response */
c2a1bba0 3021 ALARM_CLR(0);
dec766a1
WB
3022 }
3023
3024 if (rc < 0) DEBUG(D_tls)
3025 {
0abc5a13 3026 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
dec766a1
WB
3027 debug_printf("SSL_shutdown: %s\n", ssl_errstring);
3028 }
3029 }
3030
37f0ce65 3031#ifndef DISABLE_OCSP
74f1a423 3032if (!o_ctx) /* server side */
dec766a1
WB
3033 {
3034 sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
dec766a1 3035 server_static_cbinfo->verify_stack = NULL;
059ec3d9 3036 }
37f0ce65 3037#endif
059ec3d9 3038
dec766a1 3039SSL_CTX_free(*ctxp);
817d9f57 3040SSL_free(*sslp);
dec766a1 3041*ctxp = NULL;
817d9f57 3042*sslp = NULL;
817d9f57 3043*fdp = -1;
059ec3d9
PH
3044}
3045
36f12725
NM
3046
3047
3048
3049/*************************************************
3375e053
PP
3050* Let tls_require_ciphers be checked at startup *
3051*************************************************/
3052
3053/* The tls_require_ciphers option, if set, must be something which the
3054library can parse.
3055
3056Returns: NULL on success, or error message
3057*/
3058
3059uschar *
3060tls_validate_require_cipher(void)
3061{
3062SSL_CTX *ctx;
3063uschar *s, *expciphers, *err;
3064
3065/* this duplicates from tls_init(), we need a better "init just global
3066state, for no specific purpose" singleton function of our own */
3067
7434882d 3068#ifdef EXIM_NEED_OPENSSL_INIT
3375e053
PP
3069SSL_load_error_strings();
3070OpenSSL_add_ssl_algorithms();
7434882d 3071#endif
3375e053
PP
3072#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
3073/* SHA256 is becoming ever more popular. This makes sure it gets added to the
3074list of available digests. */
3075EVP_add_digest(EVP_sha256());
3076#endif
3077
3078if (!(tls_require_ciphers && *tls_require_ciphers))
3079 return NULL;
3080
cf0c6164
JH
3081if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers,
3082 &err))
3375e053
PP
3083 return US"failed to expand tls_require_ciphers";
3084
3085if (!(expciphers && *expciphers))
3086 return NULL;
3087
3088/* normalisation ripped from above */
3089s = expciphers;
3090while (*s != 0) { if (*s == '_') *s = '-'; s++; }
3091
3092err = NULL;
3093
7a8b9519
JH
3094#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
3095if (!(ctx = SSL_CTX_new(TLS_server_method())))
3096#else
3097if (!(ctx = SSL_CTX_new(SSLv23_server_method())))
3098#endif
3375e053 3099 {
0abc5a13 3100 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
3375e053
PP
3101 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
3102 }
3103
3104DEBUG(D_tls)
3105 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
3106
3107if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
3108 {
0abc5a13 3109 ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
cf0c6164
JH
3110 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed: %s",
3111 expciphers, ssl_errstring);
3375e053
PP
3112 }
3113
3114SSL_CTX_free(ctx);
3115
3116return err;
3117}
3118
3119
3120
3121
3122/*************************************************
36f12725
NM
3123* Report the library versions. *
3124*************************************************/
3125
3126/* There have historically been some issues with binary compatibility in
3127OpenSSL libraries; if Exim (like many other applications) is built against
3128one version of OpenSSL but the run-time linker picks up another version,
3129it can result in serious failures, including crashing with a SIGSEGV. So
3130report the version found by the compiler and the run-time version.
3131
f64a1e23
PP
3132Note: some OS vendors backport security fixes without changing the version
3133number/string, and the version date remains unchanged. The _build_ date
3134will change, so we can more usefully assist with version diagnosis by also
3135reporting the build date.
3136
36f12725
NM
3137Arguments: a FILE* to print the results to
3138Returns: nothing
3139*/
3140
3141void
3142tls_version_report(FILE *f)
3143{
754a0503 3144fprintf(f, "Library version: OpenSSL: Compile: %s\n"
f64a1e23
PP
3145 " Runtime: %s\n"
3146 " : %s\n",
754a0503 3147 OPENSSL_VERSION_TEXT,
f64a1e23
PP
3148 SSLeay_version(SSLEAY_VERSION),
3149 SSLeay_version(SSLEAY_BUILT_ON));
3150/* third line is 38 characters for the %s and the line is 73 chars long;
3151the OpenSSL output includes a "built on: " prefix already. */
36f12725
NM
3152}
3153
9e3331ea
TK
3154
3155
3156
3157/*************************************************
17c76198 3158* Random number generation *
9e3331ea
TK
3159*************************************************/
3160
3161/* Pseudo-random number generation. The result is not expected to be
3162cryptographically strong but not so weak that someone will shoot themselves
3163in the foot using it as a nonce in input in some email header scheme or
3164whatever weirdness they'll twist this into. The result should handle fork()
3165and avoid repeating sequences. OpenSSL handles that for us.
3166
3167Arguments:
3168 max range maximum
3169Returns a random number in range [0, max-1]
3170*/
3171
3172int
17c76198 3173vaguely_random_number(int max)
9e3331ea
TK
3174{
3175unsigned int r;
3176int i, needed_len;
de6135a0
PP
3177static pid_t pidlast = 0;
3178pid_t pidnow;
9e3331ea
TK
3179uschar *p;
3180uschar smallbuf[sizeof(r)];
3181
3182if (max <= 1)
3183 return 0;
3184
de6135a0
PP
3185pidnow = getpid();
3186if (pidnow != pidlast)
3187 {
3188 /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
3189 is unique for each thread", this doesn't apparently apply across processes,
3190 so our own warning from vaguely_random_number_fallback() applies here too.
3191 Fix per PostgreSQL. */
3192 if (pidlast != 0)
3193 RAND_cleanup();
3194 pidlast = pidnow;
3195 }
3196
9e3331ea
TK
3197/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
3198if (!RAND_status())
3199 {
3200 randstuff r;
3201 gettimeofday(&r.tv, NULL);
3202 r.p = getpid();
3203
5903c6ff 3204 RAND_seed(US (&r), sizeof(r));
9e3331ea
TK
3205 }
3206/* We're after pseudo-random, not random; if we still don't have enough data
3207in the internal PRNG then our options are limited. We could sleep and hope
3208for entropy to come along (prayer technique) but if the system is so depleted
3209in the first place then something is likely to just keep taking it. Instead,
3210we'll just take whatever little bit of pseudo-random we can still manage to
3211get. */
3212
3213needed_len = sizeof(r);
3214/* Don't take 8 times more entropy than needed if int is 8 octets and we were
3215asked for a number less than 10. */
3216for (r = max, i = 0; r; ++i)
3217 r >>= 1;
3218i = (i + 7) / 8;
3219if (i < needed_len)
3220 needed_len = i;
3221
c8dfb21d 3222#ifdef EXIM_HAVE_RAND_PSEUDO
9e3331ea 3223/* We do not care if crypto-strong */
17c76198 3224i = RAND_pseudo_bytes(smallbuf, needed_len);
c8dfb21d
JH
3225#else
3226i = RAND_bytes(smallbuf, needed_len);
3227#endif
3228
17c76198
PP
3229if (i < 0)
3230 {
3231 DEBUG(D_all)
3232 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
3233 return vaguely_random_number_fallback(max);
3234 }
3235
9e3331ea
TK
3236r = 0;
3237for (p = smallbuf; needed_len; --needed_len, ++p)
3238 {
3239 r *= 256;
3240 r += *p;
3241 }
3242
3243/* We don't particularly care about weighted results; if someone wants
3244smooth distribution and cares enough then they should submit a patch then. */
3245return r % max;
3246}
3247
77bb000f
PP
3248
3249
3250
3251/*************************************************
3252* OpenSSL option parse *
3253*************************************************/
3254
3255/* Parse one option for tls_openssl_options_parse below
3256
3257Arguments:
3258 name one option name
3259 value place to store a value for it
3260Returns success or failure in parsing
3261*/
3262
77bb000f 3263
c80c5570 3264
77bb000f
PP
3265static BOOL
3266tls_openssl_one_option_parse(uschar *name, long *value)
3267{
3268int first = 0;
3269int last = exim_openssl_options_size;
3270while (last > first)
3271 {
3272 int middle = (first + last)/2;
3273 int c = Ustrcmp(name, exim_openssl_options[middle].name);
3274 if (c == 0)
3275 {
3276 *value = exim_openssl_options[middle].value;
3277 return TRUE;
3278 }
3279 else if (c > 0)
3280 first = middle + 1;
3281 else
3282 last = middle;
3283 }
3284return FALSE;
3285}
3286
3287
3288
3289
3290/*************************************************
3291* OpenSSL option parsing logic *
3292*************************************************/
3293
3294/* OpenSSL has a number of compatibility options which an administrator might
3295reasonably wish to set. Interpret a list similarly to decode_bits(), so that
3296we look like log_selector.