BUGFIX: forced-fail smtp option tls_sni would dereference NULL
[exim.git] / src / src / tls-openssl.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
c4ceed07 5/* Copyright (c) University of Cambridge 1995 - 2012 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
8/* This module provides the TLS (aka SSL) support for Exim using the OpenSSL
9library. It is #included into the tls.c file when that library is used. The
10code herein is based on a patch that was originally contributed by Steve
11Haslam. It was adapted from stunnel, a GPL program by Michal Trojnara.
12
13No cryptographic code is included in Exim. All this module does is to call
14functions from the OpenSSL library. */
15
16
17/* Heading stuff */
18
19#include <openssl/lhash.h>
20#include <openssl/ssl.h>
21#include <openssl/err.h>
22#include <openssl/rand.h>
3f7eeb86
PP
23#ifdef EXPERIMENTAL_OCSP
24#include <openssl/ocsp.h>
25#endif
26
27#ifdef EXPERIMENTAL_OCSP
28#define EXIM_OCSP_SKEW_SECONDS (300L)
29#define EXIM_OCSP_MAX_AGE (-1L)
30#endif
059ec3d9 31
3bcbbbe2
PP
32#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
33#define EXIM_HAVE_OPENSSL_TLSEXT
34#endif
35
059ec3d9
PH
36/* Structure for collecting random data for seeding. */
37
38typedef struct randstuff {
9e3331ea
TK
39 struct timeval tv;
40 pid_t p;
059ec3d9
PH
41} randstuff;
42
43/* Local static variables */
44
45static BOOL verify_callback_called = FALSE;
46static const uschar *sid_ctx = US"exim";
47
48static SSL_CTX *ctx = NULL;
35731706 49#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca 50static SSL_CTX *ctx_sni = NULL;
35731706 51#endif
059ec3d9
PH
52static SSL *ssl = NULL;
53
54static char ssl_errstring[256];
55
56static int ssl_session_timeout = 200;
57static BOOL verify_optional = FALSE;
58
7be682ca 59static BOOL reexpand_tls_files_for_sni = FALSE;
059ec3d9
PH
60
61
7be682ca
PP
62typedef struct tls_ext_ctx_cb {
63 uschar *certificate;
64 uschar *privatekey;
3f7eeb86
PP
65#ifdef EXPERIMENTAL_OCSP
66 uschar *ocsp_file;
67 uschar *ocsp_file_expanded;
68 OCSP_RESPONSE *ocsp_response;
69#endif
7be682ca
PP
70 uschar *dhparam;
71 /* these are cached from first expand */
72 uschar *server_cipher_list;
73 /* only passed down to tls_error: */
74 host_item *host;
75} tls_ext_ctx_cb;
76
77/* should figure out a cleanup of API to handle state preserved per
78implementation, for various reasons, which can be void * in the APIs.
79For now, we hack around it. */
80tls_ext_ctx_cb *static_cbinfo = NULL;
81
82static int
83setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional);
059ec3d9 84
3f7eeb86 85/* Callbacks */
3bcbbbe2 86#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f7eeb86 87static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
3bcbbbe2 88#endif
3f7eeb86
PP
89#ifdef EXPERIMENTAL_OCSP
90static int tls_stapling_cb(SSL *s, void *arg);
91#endif
92
059ec3d9
PH
93
94/*************************************************
95* Handle TLS error *
96*************************************************/
97
98/* Called from lots of places when errors occur before actually starting to do
99the TLS handshake, that is, while the session is still in clear. Always returns
100DEFER for a server and FAIL for a client so that most calls can use "return
101tls_error(...)" to do this processing and then give an appropriate return. A
102single function is used for both server and client, because it is called from
103some shared functions.
104
105Argument:
106 prefix text to include in the logged error
107 host NULL if setting up a server;
108 the connected host if setting up a client
7199e1ee 109 msg error message or NULL if we should ask OpenSSL
059ec3d9
PH
110
111Returns: OK/DEFER/FAIL
112*/
113
114static int
7199e1ee 115tls_error(uschar *prefix, host_item *host, uschar *msg)
059ec3d9 116{
7199e1ee
TF
117if (msg == NULL)
118 {
119 ERR_error_string(ERR_get_error(), ssl_errstring);
5ca6d115 120 msg = (uschar *)ssl_errstring;
7199e1ee
TF
121 }
122
059ec3d9
PH
123if (host == NULL)
124 {
7199e1ee 125 uschar *conn_info = smtp_get_connection_info();
5ca6d115 126 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0)
7199e1ee
TF
127 conn_info += 5;
128 log_write(0, LOG_MAIN, "TLS error on %s (%s): %s",
129 conn_info, prefix, msg);
059ec3d9
PH
130 return DEFER;
131 }
132else
133 {
134 log_write(0, LOG_MAIN, "TLS error on connection to %s [%s] (%s): %s",
7199e1ee 135 host->name, host->address, prefix, msg);
059ec3d9
PH
136 return FAIL;
137 }
138}
139
140
141
142/*************************************************
143* Callback to generate RSA key *
144*************************************************/
145
146/*
147Arguments:
148 s SSL connection
149 export not used
150 keylength keylength
151
152Returns: pointer to generated key
153*/
154
155static RSA *
156rsa_callback(SSL *s, int export, int keylength)
157{
158RSA *rsa_key;
159export = export; /* Shut picky compilers up */
160DEBUG(D_tls) debug_printf("Generating %d bit RSA key...\n", keylength);
161rsa_key = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
162if (rsa_key == NULL)
163 {
164 ERR_error_string(ERR_get_error(), ssl_errstring);
165 log_write(0, LOG_MAIN|LOG_PANIC, "TLS error (RSA_generate_key): %s",
166 ssl_errstring);
167 return NULL;
168 }
169return rsa_key;
170}
171
172
173
174
175/*************************************************
176* Callback for verification *
177*************************************************/
178
179/* The SSL library does certificate verification if set up to do so. This
180callback has the current yes/no state is in "state". If verification succeeded,
181we set up the tls_peerdn string. If verification failed, what happens depends
182on whether the client is required to present a verifiable certificate or not.
183
184If verification is optional, we change the state to yes, but still log the
185verification error. For some reason (it really would help to have proper
186documentation of OpenSSL), this callback function then gets called again, this
187time with state = 1. In fact, that's useful, because we can set up the peerdn
188value, but we must take care not to set the private verified flag on the second
189time through.
190
191Note: this function is not called if the client fails to present a certificate
192when asked. We get here only if a certificate has been received. Handling of
193optional verification for this case is done when requesting SSL to verify, by
194setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the non-optional case.
195
196Arguments:
197 state current yes/no state as 1/0
198 x509ctx certificate information.
199
200Returns: 1 if verified, 0 if not
201*/
202
203static int
204verify_callback(int state, X509_STORE_CTX *x509ctx)
205{
206static uschar txt[256];
207
208X509_NAME_oneline(X509_get_subject_name(x509ctx->current_cert),
209 CS txt, sizeof(txt));
210
211if (state == 0)
212 {
213 log_write(0, LOG_MAIN, "SSL verify error: depth=%d error=%s cert=%s",
214 x509ctx->error_depth,
215 X509_verify_cert_error_string(x509ctx->error),
216 txt);
217 tls_certificate_verified = FALSE;
218 verify_callback_called = TRUE;
219 if (!verify_optional) return 0; /* reject */
220 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
221 "tls_try_verify_hosts)\n");
222 return 1; /* accept */
223 }
224
225if (x509ctx->error_depth != 0)
226 {
227 DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n",
228 x509ctx->error_depth, txt);
229 }
230else
231 {
232 DEBUG(D_tls) debug_printf("SSL%s peer: %s\n",
233 verify_callback_called? "" : " authenticated", txt);
234 tls_peerdn = txt;
235 }
236
059ec3d9
PH
237if (!verify_callback_called) tls_certificate_verified = TRUE;
238verify_callback_called = TRUE;
239
240return 1; /* accept */
241}
242
243
244
245/*************************************************
246* Information callback *
247*************************************************/
248
249/* The SSL library functions call this from time to time to indicate what they
7be682ca
PP
250are doing. We copy the string to the debugging output when TLS debugging has
251been requested.
059ec3d9
PH
252
253Arguments:
254 s the SSL connection
255 where
256 ret
257
258Returns: nothing
259*/
260
261static void
262info_callback(SSL *s, int where, int ret)
263{
264where = where;
265ret = ret;
266DEBUG(D_tls) debug_printf("SSL info: %s\n", SSL_state_string_long(s));
267}
268
269
270
271/*************************************************
272* Initialize for DH *
273*************************************************/
274
275/* If dhparam is set, expand it, and load up the parameters for DH encryption.
276
277Arguments:
a799883d 278 dhparam DH parameter file or fixed parameter identity string
7199e1ee 279 host connected host, if client; NULL if server
059ec3d9
PH
280
281Returns: TRUE if OK (nothing to set up, or setup worked)
282*/
283
284static BOOL
a799883d 285init_dh(SSL_CTX *sctx, uschar *dhparam, host_item *host)
059ec3d9 286{
059ec3d9
PH
287BIO *bio;
288DH *dh;
289uschar *dhexpanded;
a799883d 290const char *pem;
059ec3d9
PH
291
292if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded))
293 return FALSE;
294
a799883d 295if (dhexpanded == NULL || *dhexpanded == '\0')
059ec3d9 296 {
a799883d 297 bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1);
059ec3d9 298 }
a799883d 299else if (dhexpanded[0] == '/')
059ec3d9 300 {
a799883d
PP
301 bio = BIO_new_file(CS dhexpanded, "r");
302 if (bio == NULL)
059ec3d9 303 {
7199e1ee 304 tls_error(string_sprintf("could not read dhparams file %s", dhexpanded),
a799883d
PP
305 host, US strerror(errno));
306 return FALSE;
059ec3d9 307 }
a799883d
PP
308 }
309else
310 {
311 if (Ustrcmp(dhexpanded, "none") == 0)
059ec3d9 312 {
a799883d
PP
313 DEBUG(D_tls) debug_printf("Requested no DH parameters.\n");
314 return TRUE;
059ec3d9 315 }
a799883d
PP
316
317 pem = std_dh_prime_named(dhexpanded);
318 if (!pem)
319 {
320 tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded),
321 host, US strerror(errno));
322 return FALSE;
323 }
324 bio = BIO_new_mem_buf(CS pem, -1);
325 }
326
327dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
328if (dh == NULL)
329 {
059ec3d9 330 BIO_free(bio);
a799883d
PP
331 tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded),
332 host, NULL);
333 return FALSE;
334 }
335
336/* Even if it is larger, we silently return success rather than cause things
337 * to fail out, so that a too-large DH will not knock out all TLS; it's a
338 * debatable choice. */
339if ((8*DH_size(dh)) > tls_dh_max_bits)
340 {
341 DEBUG(D_tls)
342 debug_printf("dhparams file %d bits, is > tls_dh_max_bits limit of %d",
343 8*DH_size(dh), tls_dh_max_bits);
344 }
345else
346 {
347 SSL_CTX_set_tmp_dh(sctx, dh);
348 DEBUG(D_tls)
349 debug_printf("Diffie-Hellman initialized from %s with %d-bit prime\n",
350 dhexpanded ? dhexpanded : US"default", 8*DH_size(dh));
059ec3d9
PH
351 }
352
a799883d
PP
353DH_free(dh);
354BIO_free(bio);
355
356return TRUE;
059ec3d9
PH
357}
358
359
360
361
3f7eeb86
PP
362#ifdef EXPERIMENTAL_OCSP
363/*************************************************
364* Load OCSP information into state *
365*************************************************/
366
367/* Called to load the OCSP response from the given file into memory, once
368caller has determined this is needed. Checks validity. Debugs a message
369if invalid.
370
371ASSUMES: single response, for single cert.
372
373Arguments:
374 sctx the SSL_CTX* to update
375 cbinfo various parts of session state
376 expanded the filename putatively holding an OCSP response
377
378*/
379
380static void
381ocsp_load_response(SSL_CTX *sctx,
382 tls_ext_ctx_cb *cbinfo,
383 const uschar *expanded)
384{
385BIO *bio;
386OCSP_RESPONSE *resp;
387OCSP_BASICRESP *basic_response;
388OCSP_SINGLERESP *single_response;
389ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
390X509_STORE *store;
391unsigned long verify_flags;
392int status, reason, i;
393
394cbinfo->ocsp_file_expanded = string_copy(expanded);
395if (cbinfo->ocsp_response)
396 {
397 OCSP_RESPONSE_free(cbinfo->ocsp_response);
398 cbinfo->ocsp_response = NULL;
399 }
400
401bio = BIO_new_file(CS cbinfo->ocsp_file_expanded, "rb");
402if (!bio)
403 {
404 DEBUG(D_tls) debug_printf("Failed to open OCSP response file \"%s\"\n",
405 cbinfo->ocsp_file_expanded);
406 return;
407 }
408
409resp = d2i_OCSP_RESPONSE_bio(bio, NULL);
410BIO_free(bio);
411if (!resp)
412 {
413 DEBUG(D_tls) debug_printf("Error reading OCSP response.\n");
414 return;
415 }
416
417status = OCSP_response_status(resp);
418if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
419 {
420 DEBUG(D_tls) debug_printf("OCSP response not valid: %s (%d)\n",
421 OCSP_response_status_str(status), status);
422 return;
423 }
424
425basic_response = OCSP_response_get1_basic(resp);
426if (!basic_response)
427 {
428 DEBUG(D_tls)
429 debug_printf("OCSP response parse error: unable to extract basic response.\n");
430 return;
431 }
432
433store = SSL_CTX_get_cert_store(sctx);
434verify_flags = OCSP_NOVERIFY; /* check sigs, but not purpose */
435
436/* May need to expose ability to adjust those flags?
437OCSP_NOSIGS OCSP_NOVERIFY OCSP_NOCHAIN OCSP_NOCHECKS OCSP_NOEXPLICIT
438OCSP_TRUSTOTHER OCSP_NOINTERN */
439
440i = OCSP_basic_verify(basic_response, NULL, store, verify_flags);
441if (i <= 0)
442 {
443 DEBUG(D_tls) {
444 ERR_error_string(ERR_get_error(), ssl_errstring);
445 debug_printf("OCSP response verify failure: %s\n", US ssl_errstring);
446 }
447 return;
448 }
449
450/* Here's the simplifying assumption: there's only one response, for the
451one certificate we use, and nothing for anything else in a chain. If this
452proves false, we need to extract a cert id from our issued cert
453(tls_certificate) and use that for OCSP_resp_find_status() (which finds the
454right cert in the stack and then calls OCSP_single_get0_status()).
455
456I'm hoping to avoid reworking a bunch more of how we handle state here. */
457single_response = OCSP_resp_get0(basic_response, 0);
458if (!single_response)
459 {
460 DEBUG(D_tls)
461 debug_printf("Unable to get first response from OCSP basic response.\n");
462 return;
463 }
464
465status = OCSP_single_get0_status(single_response, &reason, &rev, &thisupd, &nextupd);
466/* how does this status differ from the one above? */
467if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
468 {
469 DEBUG(D_tls) debug_printf("OCSP response not valid (take 2): %s (%d)\n",
470 OCSP_response_status_str(status), status);
471 return;
472 }
473
474if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
475 {
476 DEBUG(D_tls) debug_printf("OCSP status invalid times.\n");
477 return;
478 }
479
480cbinfo->ocsp_response = resp;
481}
482#endif
483
484
485
486
059ec3d9 487/*************************************************
7be682ca
PP
488* Expand key and cert file specs *
489*************************************************/
490
491/* Called once during tls_init and possibly againt during TLS setup, for a
492new context, if Server Name Indication was used and tls_sni was seen in
493the certificate string.
494
495Arguments:
496 sctx the SSL_CTX* to update
497 cbinfo various parts of session state
498
499Returns: OK/DEFER/FAIL
500*/
501
502static int
3f7eeb86 503tls_expand_session_files(SSL_CTX *sctx, tls_ext_ctx_cb *cbinfo)
7be682ca
PP
504{
505uschar *expanded;
506
507if (cbinfo->certificate == NULL)
508 return OK;
509
510if (Ustrstr(cbinfo->certificate, US"tls_sni"))
511 reexpand_tls_files_for_sni = TRUE;
512
513if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
514 return DEFER;
515
516if (expanded != NULL)
517 {
518 DEBUG(D_tls) debug_printf("tls_certificate file %s\n", expanded);
519 if (!SSL_CTX_use_certificate_chain_file(sctx, CS expanded))
520 return tls_error(string_sprintf(
521 "SSL_CTX_use_certificate_chain_file file=%s", expanded),
522 cbinfo->host, NULL);
523 }
524
525if (cbinfo->privatekey != NULL &&
526 !expand_check(cbinfo->privatekey, US"tls_privatekey", &expanded))
527 return DEFER;
528
529/* If expansion was forced to fail, key_expanded will be NULL. If the result
530of the expansion is an empty string, ignore it also, and assume the private
531key is in the same file as the certificate. */
532
533if (expanded != NULL && *expanded != 0)
534 {
535 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
536 if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
537 return tls_error(string_sprintf(
538 "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
539 }
540
3f7eeb86
PP
541#ifdef EXPERIMENTAL_OCSP
542if (cbinfo->ocsp_file != NULL)
543 {
544 if (!expand_check(cbinfo->ocsp_file, US"tls_ocsp_file", &expanded))
545 return DEFER;
546
547 if (expanded != NULL && *expanded != 0)
548 {
549 DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
550 if (cbinfo->ocsp_file_expanded &&
551 (Ustrcmp(expanded, cbinfo->ocsp_file_expanded) == 0))
552 {
553 DEBUG(D_tls)
554 debug_printf("tls_ocsp_file value unchanged, using existing values.\n");
555 } else {
556 ocsp_load_response(sctx, cbinfo, expanded);
557 }
558 }
559 }
560#endif
561
7be682ca
PP
562return OK;
563}
564
565
566
567
568/*************************************************
569* Callback to handle SNI *
570*************************************************/
571
572/* Called when acting as server during the TLS session setup if a Server Name
573Indication extension was sent by the client.
574
575API documentation is OpenSSL s_server.c implementation.
576
577Arguments:
578 s SSL* of the current session
579 ad unknown (part of OpenSSL API) (unused)
580 arg Callback of "our" registered data
581
582Returns: SSL_TLSEXT_ERR_{OK,ALERT_WARNING,ALERT_FATAL,NOACK}
583*/
584
3bcbbbe2 585#ifdef EXIM_HAVE_OPENSSL_TLSEXT
7be682ca 586static int
7be682ca
PP
587tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
588{
589const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
3f7eeb86 590tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
7be682ca 591int rc;
3f0945ff 592int old_pool = store_pool;
7be682ca
PP
593
594if (!servername)
595 return SSL_TLSEXT_ERR_OK;
596
3f0945ff 597DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
7be682ca
PP
598 reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");
599
600/* Make the extension value available for expansion */
3f0945ff
PP
601store_pool = POOL_PERM;
602tls_sni = string_copy(US servername);
603store_pool = old_pool;
7be682ca
PP
604
605if (!reexpand_tls_files_for_sni)
606 return SSL_TLSEXT_ERR_OK;
607
608/* Can't find an SSL_CTX_clone() or equivalent, so we do it manually;
609not confident that memcpy wouldn't break some internal reference counting.
610Especially since there's a references struct member, which would be off. */
611
612ctx_sni = SSL_CTX_new(SSLv23_server_method());
613if (!ctx_sni)
614 {
615 ERR_error_string(ERR_get_error(), ssl_errstring);
616 DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
617 return SSL_TLSEXT_ERR_NOACK;
618 }
619
620/* Not sure how many of these are actually needed, since SSL object
621already exists. Might even need this selfsame callback, for reneg? */
622
623SSL_CTX_set_info_callback(ctx_sni, SSL_CTX_get_info_callback(ctx));
624SSL_CTX_set_mode(ctx_sni, SSL_CTX_get_mode(ctx));
625SSL_CTX_set_options(ctx_sni, SSL_CTX_get_options(ctx));
626SSL_CTX_set_timeout(ctx_sni, SSL_CTX_get_timeout(ctx));
627SSL_CTX_set_tlsext_servername_callback(ctx_sni, tls_servername_cb);
628SSL_CTX_set_tlsext_servername_arg(ctx_sni, cbinfo);
629if (cbinfo->server_cipher_list)
630 SSL_CTX_set_cipher_list(ctx_sni, CS cbinfo->server_cipher_list);
3f7eeb86
PP
631#ifdef EXPERIMENTAL_OCSP
632if (cbinfo->ocsp_file)
633 {
634 SSL_CTX_set_tlsext_status_cb(ctx_sni, tls_stapling_cb);
635 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
636 }
637#endif
7be682ca 638
3f7eeb86 639rc = setup_certs(ctx_sni, tls_verify_certificates, tls_crl, NULL, FALSE);
7be682ca
PP
640if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
641
3f7eeb86
PP
642/* do this after setup_certs, because this can require the certs for verifying
643OCSP information. */
644rc = tls_expand_session_files(ctx_sni, cbinfo);
7be682ca
PP
645if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
646
a799883d
PP
647rc = init_dh(ctx_sni, cbinfo->dhparam, NULL);
648if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
649
7be682ca
PP
650DEBUG(D_tls) debug_printf("Switching SSL context.\n");
651SSL_set_SSL_CTX(s, ctx_sni);
652
653return SSL_TLSEXT_ERR_OK;
654}
3bcbbbe2 655#endif /* EXIM_HAVE_OPENSSL_TLSEXT */
7be682ca
PP
656
657
658
659
3f7eeb86
PP
660#ifdef EXPERIMENTAL_OCSP
661/*************************************************
662* Callback to handle OCSP Stapling *
663*************************************************/
664
665/* Called when acting as server during the TLS session setup if the client
666requests OCSP information with a Certificate Status Request.
667
668Documentation via openssl s_server.c and the Apache patch from the OpenSSL
669project.
670
671*/
672
673static int
674tls_stapling_cb(SSL *s, void *arg)
675{
676const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
677uschar *response_der;
678int response_der_len;
679
680DEBUG(D_tls) debug_printf("Received TLS status request (OCSP stapling); %s response.\n",
681 cbinfo->ocsp_response ? "have" : "lack");
682if (!cbinfo->ocsp_response)
683 return SSL_TLSEXT_ERR_NOACK;
684
685response_der = NULL;
686response_der_len = i2d_OCSP_RESPONSE(cbinfo->ocsp_response, &response_der);
687if (response_der_len <= 0)
688 return SSL_TLSEXT_ERR_NOACK;
689
690SSL_set_tlsext_status_ocsp_resp(ssl, response_der, response_der_len);
691return SSL_TLSEXT_ERR_OK;
692}
693
694#endif /* EXPERIMENTAL_OCSP */
695
696
697
698
7be682ca 699/*************************************************
059ec3d9
PH
700* Initialize for TLS *
701*************************************************/
702
703/* Called from both server and client code, to do preliminary initialization of
704the library.
705
706Arguments:
707 host connected host, if client; NULL if server
708 dhparam DH parameter file
709 certificate certificate file
710 privatekey private key
711 addr address if client; NULL if server (for some randomness)
712
713Returns: OK/DEFER/FAIL
714*/
715
716static int
c91535f3 717tls_init(host_item *host, uschar *dhparam, uschar *certificate,
3f7eeb86
PP
718 uschar *privatekey,
719#ifdef EXPERIMENTAL_OCSP
720 uschar *ocsp_file,
721#endif
722 address_item *addr)
059ec3d9 723{
77bb000f 724long init_options;
7be682ca 725int rc;
77bb000f 726BOOL okay;
7be682ca
PP
727tls_ext_ctx_cb *cbinfo;
728
729cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
730cbinfo->certificate = certificate;
731cbinfo->privatekey = privatekey;
3f7eeb86
PP
732#ifdef EXPERIMENTAL_OCSP
733cbinfo->ocsp_file = ocsp_file;
734#endif
7be682ca
PP
735cbinfo->dhparam = dhparam;
736cbinfo->host = host;
77bb000f 737
059ec3d9
PH
738SSL_load_error_strings(); /* basic set up */
739OpenSSL_add_ssl_algorithms();
740
388d6564 741#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
77bb000f 742/* SHA256 is becoming ever more popular. This makes sure it gets added to the
a0475b69
TK
743list of available digests. */
744EVP_add_digest(EVP_sha256());
cf1ef1a9 745#endif
a0475b69 746
f0f5a555
PP
747/* Create a context.
748The OpenSSL docs in 1.0.1b have not been updated to clarify TLS variant
749negotiation in the different methods; as far as I can tell, the only
750*_{server,client}_method which allows negotiation is SSLv23, which exists even
751when OpenSSL is built without SSLv2 support.
752By disabling with openssl_options, we can let admins re-enable with the
753existing knob. */
059ec3d9
PH
754
755ctx = SSL_CTX_new((host == NULL)?
756 SSLv23_server_method() : SSLv23_client_method());
757
7199e1ee 758if (ctx == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
059ec3d9
PH
759
760/* It turns out that we need to seed the random number generator this early in
761order to get the full complement of ciphers to work. It took me roughly a day
762of work to discover this by experiment.
763
764On systems that have /dev/urandom, SSL may automatically seed itself from
765there. Otherwise, we have to make something up as best we can. Double check
766afterwards. */
767
768if (!RAND_status())
769 {
770 randstuff r;
9e3331ea 771 gettimeofday(&r.tv, NULL);
059ec3d9
PH
772 r.p = getpid();
773
774 RAND_seed((uschar *)(&r), sizeof(r));
775 RAND_seed((uschar *)big_buffer, big_buffer_size);
776 if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
777
778 if (!RAND_status())
7199e1ee 779 return tls_error(US"RAND_status", host,
5ca6d115 780 US"unable to seed random number generator");
059ec3d9
PH
781 }
782
783/* Set up the information callback, which outputs if debugging is at a suitable
784level. */
785
58c01c94 786SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
059ec3d9 787
c80c5570
PP
788/* Automatically re-try reads/writes after renegotiation. */
789(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
790
77bb000f
PP
791/* Apply administrator-supplied work-arounds.
792Historically we applied just one requested option,
793SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, but when bug 994 requested a second, we
794moved to an administrator-controlled list of options to specify and
795grandfathered in the first one as the default value for "openssl_options".
059ec3d9 796
77bb000f
PP
797No OpenSSL version number checks: the options we accept depend upon the
798availability of the option value macros from OpenSSL. */
059ec3d9 799
77bb000f
PP
800okay = tls_openssl_options_parse(openssl_options, &init_options);
801if (!okay)
73a46702 802 return tls_error(US"openssl_options parsing failed", host, NULL);
77bb000f
PP
803
804if (init_options)
805 {
806 DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
807 if (!(SSL_CTX_set_options(ctx, init_options)))
808 return tls_error(string_sprintf(
809 "SSL_CTX_set_option(%#lx)", init_options), host, NULL);
810 }
811else
812 DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
059ec3d9
PH
813
814/* Initialize with DH parameters if supplied */
815
a799883d 816if (!init_dh(ctx, dhparam, host)) return DEFER;
059ec3d9 817
3f7eeb86 818/* Set up certificate and key (and perhaps OCSP info) */
059ec3d9 819
7be682ca
PP
820rc = tls_expand_session_files(ctx, cbinfo);
821if (rc != OK) return rc;
c91535f3 822
7be682ca 823/* If we need to handle SNI, do so */
3bcbbbe2 824#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f0945ff
PP
825if (host == NULL)
826 {
3f7eeb86
PP
827#ifdef EXPERIMENTAL_OCSP
828 /* We check ocsp_file, not ocsp_response, because we care about if
829 the option exists, not what the current expansion might be, as SNI might
830 change the certificate and OCSP file in use between now and the time the
831 callback is invoked. */
832 if (cbinfo->ocsp_file)
833 {
834 SSL_CTX_set_tlsext_status_cb(ctx, tls_stapling_cb);
835 SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
836 }
837#endif
3f0945ff
PP
838 /* We always do this, so that $tls_sni is available even if not used in
839 tls_certificate */
840 SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
841 SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
842 }
7be682ca 843#endif
059ec3d9
PH
844
845/* Set up the RSA callback */
846
847SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
848
849/* Finally, set the timeout, and we are done */
850
851SSL_CTX_set_timeout(ctx, ssl_session_timeout);
852DEBUG(D_tls) debug_printf("Initialized TLS\n");
7be682ca
PP
853
854static_cbinfo = cbinfo;
855
059ec3d9
PH
856return OK;
857}
858
859
860
861
862/*************************************************
863* Get name of cipher in use *
864*************************************************/
865
866/* The answer is left in a static buffer, and tls_cipher is set to point
867to it.
868
869Argument: pointer to an SSL structure for the connection
870Returns: nothing
871*/
872
873static void
874construct_cipher_name(SSL *ssl)
875{
876static uschar cipherbuf[256];
57b3a7f5
PP
877/* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
878yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
879the accessor functions use const in the prototype. */
880const SSL_CIPHER *c;
059ec3d9 881uschar *ver;
059ec3d9
PH
882
883switch (ssl->session->ssl_version)
884 {
885 case SSL2_VERSION:
886 ver = US"SSLv2";
887 break;
888
889 case SSL3_VERSION:
890 ver = US"SSLv3";
891 break;
892
893 case TLS1_VERSION:
894 ver = US"TLSv1";
895 break;
896
c80c5570
PP
897#ifdef TLS1_1_VERSION
898 case TLS1_1_VERSION:
899 ver = US"TLSv1.1";
900 break;
901#endif
902
903#ifdef TLS1_2_VERSION
904 case TLS1_2_VERSION:
905 ver = US"TLSv1.2";
906 break;
907#endif
908
059ec3d9
PH
909 default:
910 ver = US"UNKNOWN";
911 }
912
57b3a7f5 913c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
edc33b5f 914SSL_CIPHER_get_bits(c, &tls_bits);
059ec3d9
PH
915
916string_format(cipherbuf, sizeof(cipherbuf), "%s:%s:%u", ver,
edc33b5f 917 SSL_CIPHER_get_name(c), tls_bits);
059ec3d9
PH
918tls_cipher = cipherbuf;
919
920DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
921}
922
923
924
925
926
927/*************************************************
928* Set up for verifying certificates *
929*************************************************/
930
931/* Called by both client and server startup
932
933Arguments:
7be682ca 934 sctx SSL_CTX* to initialise
059ec3d9
PH
935 certs certs file or NULL
936 crl CRL file or NULL
937 host NULL in a server; the remote host in a client
938 optional TRUE if called from a server for a host in tls_try_verify_hosts;
939 otherwise passed as FALSE
940
941Returns: OK/DEFER/FAIL
942*/
943
944static int
7be682ca 945setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional)
059ec3d9
PH
946{
947uschar *expcerts, *expcrl;
948
949if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
950 return DEFER;
951
952if (expcerts != NULL)
953 {
954 struct stat statbuf;
7be682ca 955 if (!SSL_CTX_set_default_verify_paths(sctx))
7199e1ee 956 return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
059ec3d9
PH
957
958 if (Ustat(expcerts, &statbuf) < 0)
959 {
960 log_write(0, LOG_MAIN|LOG_PANIC,
961 "failed to stat %s for certificates", expcerts);
962 return DEFER;
963 }
964 else
965 {
966 uschar *file, *dir;
967 if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
968 { file = NULL; dir = expcerts; }
969 else
970 { file = expcerts; dir = NULL; }
971
972 /* If a certificate file is empty, the next function fails with an
973 unhelpful error message. If we skip it, we get the correct behaviour (no
974 certificates are recognized, but the error message is still misleading (it
975 says no certificate was supplied.) But this is better. */
976
977 if ((file == NULL || statbuf.st_size > 0) &&
7be682ca 978 !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
7199e1ee 979 return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
059ec3d9
PH
980
981 if (file != NULL)
982 {
7be682ca 983 SSL_CTX_set_client_CA_list(sctx, SSL_load_client_CA_file(CS file));
059ec3d9
PH
984 }
985 }
986
987 /* Handle a certificate revocation list. */
988
989 #if OPENSSL_VERSION_NUMBER > 0x00907000L
990
8b417f2c
PH
991 /* This bit of code is now the version supplied by Lars Mainka. (I have
992 * merely reformatted it into the Exim code style.)
993
994 * "From here I changed the code to add support for multiple crl's
995 * in pem format in one file or to support hashed directory entries in
996 * pem format instead of a file. This method now uses the library function
997 * X509_STORE_load_locations to add the CRL location to the SSL context.
998 * OpenSSL will then handle the verify against CA certs and CRLs by
999 * itself in the verify callback." */
1000
059ec3d9
PH
1001 if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
1002 if (expcrl != NULL && *expcrl != 0)
1003 {
8b417f2c
PH
1004 struct stat statbufcrl;
1005 if (Ustat(expcrl, &statbufcrl) < 0)
1006 {
1007 log_write(0, LOG_MAIN|LOG_PANIC,
1008 "failed to stat %s for certificates revocation lists", expcrl);
1009 return DEFER;
1010 }
1011 else
059ec3d9 1012 {
8b417f2c
PH
1013 /* is it a file or directory? */
1014 uschar *file, *dir;
7be682ca 1015 X509_STORE *cvstore = SSL_CTX_get_cert_store(sctx);
8b417f2c 1016 if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR)
059ec3d9 1017 {
8b417f2c
PH
1018 file = NULL;
1019 dir = expcrl;
1020 DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n", dir);
059ec3d9
PH
1021 }
1022 else
1023 {
8b417f2c
PH
1024 file = expcrl;
1025 dir = NULL;
1026 DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n", file);
059ec3d9 1027 }
8b417f2c 1028 if (X509_STORE_load_locations(cvstore, CS file, CS dir) == 0)
7199e1ee 1029 return tls_error(US"X509_STORE_load_locations", host, NULL);
8b417f2c
PH
1030
1031 /* setting the flags to check against the complete crl chain */
1032
1033 X509_STORE_set_flags(cvstore,
1034 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
059ec3d9 1035 }
059ec3d9
PH
1036 }
1037
1038 #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
1039
1040 /* If verification is optional, don't fail if no certificate */
1041
7be682ca 1042 SSL_CTX_set_verify(sctx,
059ec3d9
PH
1043 SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
1044 verify_callback);
1045 }
1046
1047return OK;
1048}
1049
1050
1051
1052/*************************************************
1053* Start a TLS session in a server *
1054*************************************************/
1055
1056/* This is called when Exim is running as a server, after having received
1057the STARTTLS command. It must respond to that command, and then negotiate
1058a TLS session.
1059
1060Arguments:
1061 require_ciphers allowed ciphers
1062
1063Returns: OK on success
1064 DEFER for errors before the start of the negotiation
1065 FAIL for errors during the negotation; the server can't
1066 continue running.
1067*/
1068
1069int
17c76198 1070tls_server_start(const uschar *require_ciphers)
059ec3d9
PH
1071{
1072int rc;
1073uschar *expciphers;
7be682ca 1074tls_ext_ctx_cb *cbinfo;
059ec3d9
PH
1075
1076/* Check for previous activation */
1077
1078if (tls_active >= 0)
1079 {
5ca6d115 1080 tls_error(US"STARTTLS received after TLS started", NULL, US"");
059ec3d9
PH
1081 smtp_printf("554 Already in TLS\r\n");
1082 return FAIL;
1083 }
1084
1085/* Initialize the SSL library. If it fails, it will already have logged
1086the error. */
1087
3f7eeb86
PP
1088rc = tls_init(NULL, tls_dhparam, tls_certificate, tls_privatekey,
1089#ifdef EXPERIMENTAL_OCSP
1090 tls_ocsp_file,
1091#endif
1092 NULL);
059ec3d9 1093if (rc != OK) return rc;
7be682ca 1094cbinfo = static_cbinfo;
059ec3d9
PH
1095
1096if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1097 return FAIL;
1098
1099/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
17c76198
PP
1100were historically separated by underscores. So that I can use either form in my
1101tests, and also for general convenience, we turn underscores into hyphens here.
1102*/
059ec3d9
PH
1103
1104if (expciphers != NULL)
1105 {
1106 uschar *s = expciphers;
1107 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1108 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
1109 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
7199e1ee 1110 return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
7be682ca 1111 cbinfo->server_cipher_list = expciphers;
059ec3d9
PH
1112 }
1113
1114/* If this is a host for which certificate verification is mandatory or
1115optional, set up appropriately. */
1116
1117tls_certificate_verified = FALSE;
1118verify_callback_called = FALSE;
1119
1120if (verify_check_host(&tls_verify_hosts) == OK)
1121 {
7be682ca 1122 rc = setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, FALSE);
059ec3d9
PH
1123 if (rc != OK) return rc;
1124 verify_optional = FALSE;
1125 }
1126else if (verify_check_host(&tls_try_verify_hosts) == OK)
1127 {
7be682ca 1128 rc = setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, TRUE);
059ec3d9
PH
1129 if (rc != OK) return rc;
1130 verify_optional = TRUE;
1131 }
1132
1133/* Prepare for new connection */
1134
7199e1ee 1135if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
da3ad30d
PP
1136
1137/* Warning: we used to SSL_clear(ssl) here, it was removed.
1138 *
1139 * With the SSL_clear(), we get strange interoperability bugs with
1140 * OpenSSL 1.0.1b and TLS1.1/1.2. It looks as though this may be a bug in
1141 * OpenSSL itself, as a clear should not lead to inability to follow protocols.
1142 *
1143 * The SSL_clear() call is to let an existing SSL* be reused, typically after
1144 * session shutdown. In this case, we have a brand new object and there's no
1145 * obvious reason to immediately clear it. I'm guessing that this was
1146 * originally added because of incomplete initialisation which the clear fixed,
1147 * in some historic release.
1148 */
059ec3d9
PH
1149
1150/* Set context and tell client to go ahead, except in the case of TLS startup
1151on connection, where outputting anything now upsets the clients and tends to
1152make them disconnect. We need to have an explicit fflush() here, to force out
1153the response. Other smtp_printf() calls do not need it, because in non-TLS
1154mode, the fflush() happens when smtp_getc() is called. */
1155
1156SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
1157if (!tls_on_connect)
1158 {
1159 smtp_printf("220 TLS go ahead\r\n");
1160 fflush(smtp_out);
1161 }
1162
1163/* Now negotiate the TLS session. We put our own timer on it, since it seems
1164that the OpenSSL library doesn't. */
1165
56f5d9bd
PH
1166SSL_set_wfd(ssl, fileno(smtp_out));
1167SSL_set_rfd(ssl, fileno(smtp_in));
059ec3d9
PH
1168SSL_set_accept_state(ssl);
1169
1170DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
1171
1172sigalrm_seen = FALSE;
1173if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1174rc = SSL_accept(ssl);
1175alarm(0);
1176
1177if (rc <= 0)
1178 {
7199e1ee 1179 tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
77bb000f
PP
1180 if (ERR_get_error() == 0)
1181 log_write(0, LOG_MAIN,
a053d125 1182 "TLS client disconnected cleanly (rejected our certificate?)");
059ec3d9
PH
1183 return FAIL;
1184 }
1185
1186DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
1187
1188/* TLS has been set up. Adjust the input functions to read via TLS,
1189and initialize things. */
1190
1191construct_cipher_name(ssl);
1192
1193DEBUG(D_tls)
1194 {
1195 uschar buf[2048];
1196 if (SSL_get_shared_ciphers(ssl, CS buf, sizeof(buf)) != NULL)
1197 debug_printf("Shared ciphers: %s\n", buf);
1198 }
1199
1200
1201ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
1202ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
1203ssl_xfer_eof = ssl_xfer_error = 0;
1204
1205receive_getc = tls_getc;
1206receive_ungetc = tls_ungetc;
1207receive_feof = tls_feof;
1208receive_ferror = tls_ferror;
58eb016e 1209receive_smtp_buffered = tls_smtp_buffered;
059ec3d9
PH
1210
1211tls_active = fileno(smtp_out);
1212return OK;
1213}
1214
1215
1216
1217
1218
1219/*************************************************
1220* Start a TLS session in a client *
1221*************************************************/
1222
1223/* Called from the smtp transport after STARTTLS has been accepted.
1224
1225Argument:
1226 fd the fd of the connection
1227 host connected host (for messages)
83da1223 1228 addr the first address
059ec3d9
PH
1229 dhparam DH parameter file
1230 certificate certificate file
1231 privatekey private key file
3f0945ff 1232 sni TLS SNI to send to remote host
059ec3d9
PH
1233 verify_certs file for certificate verify
1234 crl file containing CRL
1235 require_ciphers list of allowed ciphers
83da1223 1236 timeout startup timeout
059ec3d9
PH
1237
1238Returns: OK on success
1239 FAIL otherwise - note that tls_error() will not give DEFER
1240 because this is not a server
1241*/
1242
1243int
1244tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam,
3f0945ff
PP
1245 uschar *certificate, uschar *privatekey, uschar *sni,
1246 uschar *verify_certs, uschar *crl,
17c76198 1247 uschar *require_ciphers, int timeout)
059ec3d9
PH
1248{
1249static uschar txt[256];
1250uschar *expciphers;
1251X509* server_cert;
1252int rc;
1253
3f7eeb86
PP
1254rc = tls_init(host, dhparam, certificate, privatekey,
1255#ifdef EXPERIMENTAL_OCSP
1256 NULL,
1257#endif
1258 addr);
059ec3d9
PH
1259if (rc != OK) return rc;
1260
1261tls_certificate_verified = FALSE;
1262verify_callback_called = FALSE;
1263
1264if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
1265 return FAIL;
1266
1267/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
1268are separated by underscores. So that I can use either form in my tests, and
1269also for general convenience, we turn underscores into hyphens here. */
1270
1271if (expciphers != NULL)
1272 {
1273 uschar *s = expciphers;
1274 while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1275 DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
1276 if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
7199e1ee 1277 return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
059ec3d9
PH
1278 }
1279
7be682ca 1280rc = setup_certs(ctx, verify_certs, crl, host, FALSE);
059ec3d9
PH
1281if (rc != OK) return rc;
1282
7199e1ee 1283if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", host, NULL);
059ec3d9
PH
1284SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
1285SSL_set_fd(ssl, fd);
1286SSL_set_connect_state(ssl);
1287
3f0945ff
PP
1288if (sni)
1289 {
1290 if (!expand_check(sni, US"tls_sni", &tls_sni))
1291 return FAIL;
2c9a0e86
PP
1292 if (tls_sni == NULL)
1293 {
1294 DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
1295 }
1296 else if (!Ustrlen(tls_sni))
3f0945ff
PP
1297 tls_sni = NULL;
1298 else
1299 {
35731706 1300#ifdef EXIM_HAVE_OPENSSL_TLSEXT
3f0945ff
PP
1301 DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_sni);
1302 SSL_set_tlsext_host_name(ssl, tls_sni);
35731706
PP
1303#else
1304 DEBUG(D_tls)
1305 debug_printf("OpenSSL at build-time lacked SNI support, ignoring \"%s\"\n",
1306 tls_sni);
1307#endif
3f0945ff
PP
1308 }
1309 }
1310
059ec3d9
PH
1311/* There doesn't seem to be a built-in timeout on connection. */
1312
1313DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
1314sigalrm_seen = FALSE;
1315alarm(timeout);
1316rc = SSL_connect(ssl);
1317alarm(0);
1318
1319if (rc <= 0)
7199e1ee 1320 return tls_error(US"SSL_connect", host, sigalrm_seen ? US"timed out" : NULL);
059ec3d9
PH
1321
1322DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
1323
453a6645 1324/* Beware anonymous ciphers which lead to server_cert being NULL */
059ec3d9 1325server_cert = SSL_get_peer_certificate (ssl);
453a6645
PP
1326if (server_cert)
1327 {
1328 tls_peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
1329 CS txt, sizeof(txt));
1330 tls_peerdn = txt;
1331 }
1332else
1333 tls_peerdn = NULL;
059ec3d9
PH
1334
1335construct_cipher_name(ssl); /* Sets tls_cipher */
1336
1337tls_active = fd;
1338return OK;
1339}
1340
1341
1342
1343
1344
1345/*************************************************
1346* TLS version of getc *
1347*************************************************/
1348
1349/* This gets the next byte from the TLS input buffer. If the buffer is empty,
1350it refills the buffer via the SSL reading function.
1351
1352Arguments: none
1353Returns: the next character or EOF
1354*/
1355
1356int
1357tls_getc(void)
1358{
1359if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
1360 {
1361 int error;
1362 int inbytes;
1363
c80c5570
PP
1364 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
1365 ssl_xfer_buffer, ssl_xfer_buffer_size);
059ec3d9
PH
1366
1367 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
1368 inbytes = SSL_read(ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
1369 error = SSL_get_error(ssl, inbytes);
1370 alarm(0);
1371
1372 /* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
1373 closed down, not that the socket itself has been closed down. Revert to
1374 non-SSL handling. */
1375
1376 if (error == SSL_ERROR_ZERO_RETURN)
1377 {
1378 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1379
1380 receive_getc = smtp_getc;
1381 receive_ungetc = smtp_ungetc;
1382 receive_feof = smtp_feof;
1383 receive_ferror = smtp_ferror;
58eb016e 1384 receive_smtp_buffered = smtp_buffered;
059ec3d9
PH
1385
1386 SSL_free(ssl);
1387 ssl = NULL;
1388 tls_active = -1;
3f0945ff 1389 tls_bits = 0;
059ec3d9
PH
1390 tls_cipher = NULL;
1391 tls_peerdn = NULL;
3f0945ff 1392 tls_sni = NULL;
059ec3d9
PH
1393
1394 return smtp_getc();
1395 }
1396
1397 /* Handle genuine errors */
1398
ba084640
PP
1399 else if (error == SSL_ERROR_SSL)
1400 {
1401 ERR_error_string(ERR_get_error(), ssl_errstring);
89dd51cd 1402 log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring);
ba084640
PP
1403 ssl_xfer_error = 1;
1404 return EOF;
1405 }
1406
059ec3d9
PH
1407 else if (error != SSL_ERROR_NONE)
1408 {
1409 DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
1410 ssl_xfer_error = 1;
1411 return EOF;
1412 }
c80c5570 1413
80a47a2c
TK
1414#ifndef DISABLE_DKIM
1415 dkim_exim_verify_feed(ssl_xfer_buffer, inbytes);
1416#endif
059ec3d9
PH
1417 ssl_xfer_buffer_hwm = inbytes;
1418 ssl_xfer_buffer_lwm = 0;
1419 }
1420
1421/* Something in the buffer; return next uschar */
1422
1423return ssl_xfer_buffer[ssl_xfer_buffer_lwm++];
1424}
1425
1426
1427
1428/*************************************************
1429* Read bytes from TLS channel *
1430*************************************************/
1431
1432/*
1433Arguments:
1434 buff buffer of data
1435 len size of buffer
1436
1437Returns: the number of bytes read
1438 -1 after a failed read
1439*/
1440
1441int
1442tls_read(uschar *buff, size_t len)
1443{
1444int inbytes;
1445int error;
1446
c80c5570
PP
1447DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
1448 buff, (unsigned int)len);
059ec3d9
PH
1449
1450inbytes = SSL_read(ssl, CS buff, len);
1451error = SSL_get_error(ssl, inbytes);
1452
1453if (error == SSL_ERROR_ZERO_RETURN)
1454 {
1455 DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
1456 return -1;
1457 }
1458else if (error != SSL_ERROR_NONE)
1459 {
1460 return -1;
1461 }
1462
1463return inbytes;
1464}
1465
1466
1467
1468
1469
1470/*************************************************
1471* Write bytes down TLS channel *
1472*************************************************/
1473
1474/*
1475Arguments:
1476 buff buffer of data
1477 len number of bytes
1478
1479Returns: the number of bytes after a successful write,
1480 -1 after a failed write
1481*/
1482
1483int
1484tls_write(const uschar *buff, size_t len)
1485{
1486int outbytes;
1487int error;
1488int left = len;
1489
c80c5570 1490DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left);
059ec3d9
PH
1491while (left > 0)
1492 {
c80c5570 1493 DEBUG(D_tls) debug_printf("SSL_write(SSL, %p, %d)\n", buff, left);
059ec3d9
PH
1494 outbytes = SSL_write(ssl, CS buff, left);
1495 error = SSL_get_error(ssl, outbytes);
1496 DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);
1497 switch (error)
1498 {
1499 case SSL_ERROR_SSL:
1500 ERR_error_string(ERR_get_error(), ssl_errstring);
1501 log_write(0, LOG_MAIN, "TLS error (SSL_write): %s", ssl_errstring);
1502 return -1;
1503
1504 case SSL_ERROR_NONE:
1505 left -= outbytes;
1506 buff += outbytes;
1507 break;
1508
1509 case SSL_ERROR_ZERO_RETURN:
1510 log_write(0, LOG_MAIN, "SSL channel closed on write");
1511 return -1;
1512
1513 default:
1514 log_write(0, LOG_MAIN, "SSL_write error %d", error);
1515 return -1;
1516 }
1517 }
1518return len;
1519}
1520
1521
1522
1523/*************************************************
1524* Close down a TLS session *
1525*************************************************/
1526
1527/* This is also called from within a delivery subprocess forked from the
1528daemon, to shut down the TLS library, without actually doing a shutdown (which
1529would tamper with the SSL session in the parent process).
1530
1531Arguments: TRUE if SSL_shutdown is to be called
1532Returns: nothing
1533*/
1534
1535void
1536tls_close(BOOL shutdown)
1537{
1538if (tls_active < 0) return; /* TLS was not active */
1539
1540if (shutdown)
1541 {
1542 DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
1543 SSL_shutdown(ssl);
1544 }
1545
1546SSL_free(ssl);
1547ssl = NULL;
1548
1549tls_active = -1;
1550}
1551
36f12725
NM
1552
1553
1554
1555/*************************************************
3375e053
PP
1556* Let tls_require_ciphers be checked at startup *
1557*************************************************/
1558
1559/* The tls_require_ciphers option, if set, must be something which the
1560library can parse.
1561
1562Returns: NULL on success, or error message
1563*/
1564
1565uschar *
1566tls_validate_require_cipher(void)
1567{
1568SSL_CTX *ctx;
1569uschar *s, *expciphers, *err;
1570
1571/* this duplicates from tls_init(), we need a better "init just global
1572state, for no specific purpose" singleton function of our own */
1573
1574SSL_load_error_strings();
1575OpenSSL_add_ssl_algorithms();
1576#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
1577/* SHA256 is becoming ever more popular. This makes sure it gets added to the
1578list of available digests. */
1579EVP_add_digest(EVP_sha256());
1580#endif
1581
1582if (!(tls_require_ciphers && *tls_require_ciphers))
1583 return NULL;
1584
1585if (!expand_check(tls_require_ciphers, US"tls_require_ciphers", &expciphers))
1586 return US"failed to expand tls_require_ciphers";
1587
1588if (!(expciphers && *expciphers))
1589 return NULL;
1590
1591/* normalisation ripped from above */
1592s = expciphers;
1593while (*s != 0) { if (*s == '_') *s = '-'; s++; }
1594
1595err = NULL;
1596
1597ctx = SSL_CTX_new(SSLv23_server_method());
1598if (!ctx)
1599 {
1600 ERR_error_string(ERR_get_error(), ssl_errstring);
1601 return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);
1602 }
1603
1604DEBUG(D_tls)
1605 debug_printf("tls_require_ciphers expands to \"%s\"\n", expciphers);
1606
1607if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
1608 {
1609 ERR_error_string(ERR_get_error(), ssl_errstring);
1610 err = string_sprintf("SSL_CTX_set_cipher_list(%s) failed", expciphers);
1611 }
1612
1613SSL_CTX_free(ctx);
1614
1615return err;
1616}
1617
1618
1619
1620
1621/*************************************************
36f12725
NM
1622* Report the library versions. *
1623*************************************************/
1624
1625/* There have historically been some issues with binary compatibility in
1626OpenSSL libraries; if Exim (like many other applications) is built against
1627one version of OpenSSL but the run-time linker picks up another version,
1628it can result in serious failures, including crashing with a SIGSEGV. So
1629report the version found by the compiler and the run-time version.
1630
1631Arguments: a FILE* to print the results to
1632Returns: nothing
1633*/
1634
1635void
1636tls_version_report(FILE *f)
1637{
754a0503
PP
1638fprintf(f, "Library version: OpenSSL: Compile: %s\n"
1639 " Runtime: %s\n",
1640 OPENSSL_VERSION_TEXT,
1641 SSLeay_version(SSLEAY_VERSION));
36f12725
NM
1642}
1643
9e3331ea
TK
1644
1645
1646
1647/*************************************************
17c76198 1648* Random number generation *
9e3331ea
TK
1649*************************************************/
1650
1651/* Pseudo-random number generation. The result is not expected to be
1652cryptographically strong but not so weak that someone will shoot themselves
1653in the foot using it as a nonce in input in some email header scheme or
1654whatever weirdness they'll twist this into. The result should handle fork()
1655and avoid repeating sequences. OpenSSL handles that for us.
1656
1657Arguments:
1658 max range maximum
1659Returns a random number in range [0, max-1]
1660*/
1661
1662int
17c76198 1663vaguely_random_number(int max)
9e3331ea
TK
1664{
1665unsigned int r;
1666int i, needed_len;
1667uschar *p;
1668uschar smallbuf[sizeof(r)];
1669
1670if (max <= 1)
1671 return 0;
1672
1673/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
1674if (!RAND_status())
1675 {
1676 randstuff r;
1677 gettimeofday(&r.tv, NULL);
1678 r.p = getpid();
1679
1680 RAND_seed((uschar *)(&r), sizeof(r));
1681 }
1682/* We're after pseudo-random, not random; if we still don't have enough data
1683in the internal PRNG then our options are limited. We could sleep and hope
1684for entropy to come along (prayer technique) but if the system is so depleted
1685in the first place then something is likely to just keep taking it. Instead,
1686we'll just take whatever little bit of pseudo-random we can still manage to
1687get. */
1688
1689needed_len = sizeof(r);
1690/* Don't take 8 times more entropy than needed if int is 8 octets and we were
1691asked for a number less than 10. */
1692for (r = max, i = 0; r; ++i)
1693 r >>= 1;
1694i = (i + 7) / 8;
1695if (i < needed_len)
1696 needed_len = i;
1697
1698/* We do not care if crypto-strong */
17c76198
PP
1699i = RAND_pseudo_bytes(smallbuf, needed_len);
1700if (i < 0)
1701 {
1702 DEBUG(D_all)
1703 debug_printf("OpenSSL RAND_pseudo_bytes() not supported by RAND method, using fallback.\n");
1704 return vaguely_random_number_fallback(max);
1705 }
1706
9e3331ea
TK
1707r = 0;
1708for (p = smallbuf; needed_len; --needed_len, ++p)
1709 {
1710 r *= 256;
1711 r += *p;
1712 }
1713
1714/* We don't particularly care about weighted results; if someone wants
1715smooth distribution and cares enough then they should submit a patch then. */
1716return r % max;
1717}
1718
77bb000f
PP
1719
1720
1721
1722/*************************************************
1723* OpenSSL option parse *
1724*************************************************/
1725
1726/* Parse one option for tls_openssl_options_parse below
1727
1728Arguments:
1729 name one option name
1730 value place to store a value for it
1731Returns success or failure in parsing
1732*/
1733
1734struct exim_openssl_option {
1735 uschar *name;
1736 long value;
1737};
1738/* We could use a macro to expand, but we need the ifdef and not all the
1739options document which version they were introduced in. Policylet: include
1740all options unless explicitly for DTLS, let the administrator choose which
1741to apply.
1742
1743This list is current as of:
c80c5570 1744 ==> 1.0.1b <== */
77bb000f
PP
1745static struct exim_openssl_option exim_openssl_options[] = {
1746/* KEEP SORTED ALPHABETICALLY! */
1747#ifdef SSL_OP_ALL
73a46702 1748 { US"all", SSL_OP_ALL },
77bb000f
PP
1749#endif
1750#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
73a46702 1751 { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
77bb000f
PP
1752#endif
1753#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
73a46702 1754 { US"cipher_server_preference", SSL_OP_CIPHER_SERVER_PREFERENCE },
77bb000f
PP
1755#endif
1756#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
73a46702 1757 { US"dont_insert_empty_fragments", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS },
77bb000f
PP
1758#endif
1759#ifdef SSL_OP_EPHEMERAL_RSA
73a46702 1760 { US"ephemeral_rsa", SSL_OP_EPHEMERAL_RSA },
77bb000f
PP
1761#endif
1762#ifdef SSL_OP_LEGACY_SERVER_CONNECT
73a46702 1763 { US"legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT },
77bb000f
PP
1764#endif
1765#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
73a46702 1766 { US"microsoft_big_sslv3_buffer", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER },
77bb000f
PP
1767#endif
1768#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
73a46702 1769 { US"microsoft_sess_id_bug", SSL_OP_MICROSOFT_SESS_ID_BUG },
77bb000f
PP
1770#endif
1771#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
73a46702 1772 { US"msie_sslv2_rsa_padding", SSL_OP_MSIE_SSLV2_RSA_PADDING },
77bb000f
PP
1773#endif
1774#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
73a46702 1775 { US"netscape_challenge_bug", SSL_OP_NETSCAPE_CHALLENGE_BUG },
77bb000f
PP
1776#endif
1777#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
73a46702 1778 { US"netscape_reuse_cipher_change_bug", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
77bb000f 1779#endif
c80c5570
PP
1780#ifdef SSL_OP_NO_COMPRESSION
1781 { US"no_compression", SSL_OP_NO_COMPRESSION },
1782#endif
77bb000f 1783#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
73a46702 1784 { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
77bb000f 1785#endif
c0c7b2da
PP
1786#ifdef SSL_OP_NO_SSLv2
1787 { US"no_sslv2", SSL_OP_NO_SSLv2 },
1788#endif
1789#ifdef SSL_OP_NO_SSLv3
1790 { US"no_sslv3", SSL_OP_NO_SSLv3 },
1791#endif
1792#ifdef SSL_OP_NO_TICKET
1793 { US"no_ticket", SSL_OP_NO_TICKET },
1794#endif
1795#ifdef SSL_OP_NO_TLSv1
1796 { US"no_tlsv1", SSL_OP_NO_TLSv1 },
1797#endif
c80c5570
PP
1798#ifdef SSL_OP_NO_TLSv1_1
1799#if SSL_OP_NO_TLSv1_1 == 0x00000400L
1800 /* Error in chosen value in 1.0.1a; see first item in CHANGES for 1.0.1b */
1801#warning OpenSSL 1.0.1a uses a bad value for SSL_OP_NO_TLSv1_1, ignoring
1802#else
1803 { US"no_tlsv1_1", SSL_OP_NO_TLSv1_1 },
1804#endif
1805#endif
1806#ifdef SSL_OP_NO_TLSv1_2
1807 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
1808#endif
77bb000f 1809#ifdef SSL_OP_SINGLE_DH_USE
73a46702 1810 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
77bb000f
PP
1811#endif
1812#ifdef SSL_OP_SINGLE_ECDH_USE
73a46702 1813 { US"single_ecdh_use", SSL_OP_SINGLE_ECDH_USE },
77bb000f
PP
1814#endif
1815#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
73a46702 1816 { US"ssleay_080_client_dh_bug", SSL_OP_SSLEAY_080_CLIENT_DH_BUG },
77bb000f
PP
1817#endif
1818#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
73a46702 1819 { US"sslref2_reuse_cert_type_bug", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG },
77bb000f
PP
1820#endif
1821#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
73a46702 1822 { US"tls_block_padding_bug", SSL_OP_TLS_BLOCK_PADDING_BUG },
77bb000f
PP
1823#endif
1824#ifdef SSL_OP_TLS_D5_BUG
73a46702 1825 { US"tls_d5_bug", SSL_OP_TLS_D5_BUG },
77bb000f
PP
1826#endif
1827#ifdef SSL_OP_TLS_ROLLBACK_BUG
73a46702 1828 { US"tls_rollback_bug", SSL_OP_TLS_ROLLBACK_BUG },
77bb000f
PP
1829#endif
1830};
1831static int exim_openssl_options_size =
1832 sizeof(exim_openssl_options)/sizeof(struct exim_openssl_option);
1833
c80c5570 1834
77bb000f
PP
1835static BOOL
1836tls_openssl_one_option_parse(uschar *name, long *value)
1837{
1838int first = 0;
1839int last = exim_openssl_options_size;
1840while (last > first)
1841 {
1842 int middle = (first + last)/2;
1843 int c = Ustrcmp(name, exim_openssl_options[middle].name);
1844 if (c == 0)
1845 {
1846 *value = exim_openssl_options[middle].value;
1847 return TRUE;
1848 }
1849 else if (c > 0)
1850 first = middle + 1;
1851 else
1852 last = middle;
1853 }
1854return FALSE;
1855}
1856
1857
1858
1859
1860/*************************************************
1861* OpenSSL option parsing logic *
1862*************************************************/
1863
1864/* OpenSSL has a number of compatibility options which an administrator might
1865reasonably wish to set. Interpret a list similarly to decode_bits(), so that
1866we look like log_selector.
1867
1868Arguments:
1869 option_spec the administrator-supplied string of options
1870 results ptr to long storage for the options bitmap
1871Returns success or failure
1872*/
1873
1874BOOL
1875tls_openssl_options_parse(uschar *option_spec, long *results)
1876{
1877long result, item;
1878uschar *s, *end;
1879uschar keep_c;
1880BOOL adding, item_parsed;
1881
0e944a0d 1882result = 0L;
b1770b6e 1883/* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed
da3ad30d 1884 * from default because it increases BEAST susceptibility. */
f0f5a555
PP
1885#ifdef SSL_OP_NO_SSLv2
1886result |= SSL_OP_NO_SSLv2;
1887#endif
77bb000f
PP
1888
1889if (option_spec == NULL)
1890 {
1891 *results = result;
1892 return TRUE;
1893 }
1894
1895for (s=option_spec; *s != '\0'; /**/)
1896 {
1897 while (isspace(*s)) ++s;
1898 if (*s == '\0')
1899 break;
1900 if (*s != '+' && *s != '-')
1901 {
1902 DEBUG(D_tls) debug_printf("malformed openssl option setting: "
0e944a0d 1903 "+ or - expected but found \"%s\"\n", s);
77bb000f
PP
1904 return FALSE;
1905 }
1906 adding = *s++ == '+';
1907 for (end = s; (*end != '\0') && !isspace(*end); ++end) /**/ ;
1908 keep_c = *end;
1909 *end = '\0';
1910 item_parsed = tls_openssl_one_option_parse(s, &item);
1911 if (!item_parsed)
1912 {
0e944a0d 1913 DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
77bb000f
PP
1914 return FALSE;
1915 }
1916 DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",
1917 adding ? "adding" : "removing", result, item, s);
1918 if (adding)
1919 result |= item;
1920 else
1921 result &= ~item;
1922 *end = keep_c;
1923 s = end;
1924 }
1925
1926*results = result;
1927return TRUE;
1928}
1929
059ec3d9 1930/* End of tls-openssl.c */